ibmse: use optional root_ca when launch kbs

Signed-off-by: Qi Feng Huo <[email protected]>
huoqifeng · Jun 19, 2024 · 7579187 · 7579187
1 parent a533ee9
commit 7579187
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 13 deletions.
diff --git a/attestation-service/verifier/src/se/README.md b/attestation-service/verifier/src/se/README.md
@@ -11,19 +11,17 @@ openssl rsa -in encrypt_key-psw.pem -out encrypt_key.pem
 ```
 
 
-## Download Certs, CRLs, Root CA
+## Download Certs, CRLs
 Donwload these materials from: https://www.ibm.com/support/resourcelink/api/content/public/secure-execution-gen2.html
 Which includes:
 
 ### Certs
 ibm-z-host-key-signing-gen2.crt
+DigiCertCA.crt
 
 ### CRL
 ibm-z-host-key-gen2.crl
 
-### Root CA
-DigiCertCA.crt 
-
 ## Download HKD
 Download IBM Secure Execution Host Key Document following: https://www.ibm.com/docs/en/linux-on-z?topic=execution-verify-host-key-document
 
@@ -42,20 +40,20 @@ openssl genpkey -algorithm ed25519 > kbs.key
 openssl pkey -in kbs.key -pubout -out kbs.pem
 ```
 
-## Build KBS
+## (Option 1) Launch KBS as a program
+
+- Build KBS
 ```
 cargo install --locked --path kbs/src/kbs --no-default-features --features coco-as-builtin,openssl,resource,opa 
 ```
 
-## (Option 1) Launch KBS as a program
-
 - Prepare the material retrieved above, similar as:
 ```
 /run/confidential-containers/ibmse#
 .
-├── DigiCertCA.crt
 ├── certs
-│   └── ibm-z-host-key-signing-gen2.crt
+│   ├── ibm-z-host-key-signing-gen2.crt
+|   └── DigiCertCA.crt
 ├── crls
 │   └── ibm-z-host-key-gen2.crl
 ├── hdr

diff --git a/attestation-service/verifier/src/se/ibmse.rs b/attestation-service/verifier/src/se/ibmse.rs
@@ -25,7 +25,7 @@ const DEFAULT_SE_HOST_KEY_DOCUMENTS_ROOT: &str = "/run/confidential-containers/i
 
 const DEFAULT_SE_CERTIFICATES_ROOT: &str = "/run/confidential-containers/ibmse/certs";
 
-const DEFAULT_SE_CERTIFICATE_ROOT_CA: &str = "/run/confidential-containers/ibmse/DigiCertCA.crt";
+const DEFAULT_SE_CERTIFICATE_ROOT_CA: &str = "/run/confidential-containers/ibmse/root_ca.crt";
 
 const DEFAULT_SE_CERTIFICATE_REVOCATION_LISTS_ROOT: &str =
     "/run/confidential-containers/ibmse/crls";
@@ -239,8 +239,6 @@ impl SeVerifierImpl {
         );
         let crls = list_files_in_folder(&crl_root)?;
 
-        let root_ca_path =
-            env_or_default!("SE_CERTIFICATE_ROOT_CA", DEFAULT_SE_CERTIFICATE_ROOT_CA);
         let mut attestation_flags = AttestationFlags::default();
         attestation_flags.set_image_phkh();
         attestation_flags.set_attest_phkh();
@@ -260,6 +258,15 @@ impl SeVerifierImpl {
             DEFAULT_SE_SKIP_CERTS_VERIFICATION
         );
         let skip_certs: bool = skip_certs_env.parse::<bool>().unwrap_or(false);
+        let root_ca_path =
+            env_or_default!("SE_CERTIFICATE_ROOT_CA", DEFAULT_SE_CERTIFICATE_ROOT_CA);
+        let caOption: Option<String>;
+        if std::path::Path::new(root_ca_path).exists() {
+            caOption = Some(String::from(root_ca_path));
+        } else {
+            caOption = None::<String>;
+        }
+
         for hkd in &hkds {
             let hk = std::fs::read(hkd).context("read host-key document")?;
             let certs = read_certs(&hk)?;
@@ -275,7 +282,7 @@ impl SeVerifierImpl {
             if skip_certs {
                 warn!("SE_SKIP_CERTS_VERIFICATION set '{skip_certs}' never use it in production!")
             } else {
-                let verifier = CertVerifier::new(ca_certs.as_slice(), crls.as_slice(), Some(root_ca_path.clone()), false)?;
+                let verifier = CertVerifier::new(ca_certs.as_slice(), crls.as_slice(), caOption, true)?;
                 verifier.verify(c)?;
             }
             arcb.add_hostkey(c.public_key()?);