From 0caf4704fd4b6ba9131b93344800440651374d34 Mon Sep 17 00:00:00 2001
From: DGonzalezVillal
Date: Wed, 11 Dec 2024 19:48:41 +0000
Subject: [PATCH] Fix certificate fetch bug for Turin

Adding the new from_pem_bytes function to the fetch function for the CA in order to solve the issue of different sized certificates for Turin.

Signed-off-by: DGonzalezVillal
---
 Cargo.lock | 4 ++--
 Cargo.toml | 2 +-
 src/fetch.rs | 11 +++++------
 3 files changed, 8 insertions(+), 9 deletions(-)
diff --git a/Cargo.lock b/Cargo.lock
index a7710c9..c348636 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1494,9 +1494,9 @@ dependencies = [
 [[package]]
 name = "sev"
-version = "4.0.0"
+version = "5.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a97bd0b2e2d937951add10c8512a2dacc6ad29b39e5c5f26565a3e443329857d"
+checksum = "b06afe5192a43814047ea0072f4935f830a1de3c8cb43b56c90ae6918468b94d"
 dependencies = [
  "base64 0.22.1",
  "bincode",
diff --git a/Cargo.toml b/Cargo.toml
index 1eac50e..f459bc6 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -22,7 +22,7 @@ hyperv = ["tss-esapi"]
 clap = { version = "4.5", features = [ "derive" ] }
 env_logger = "0.10.0"
 anyhow = "1.0.69"
-sev = { version = "4.0", default-features = false, features = ['openssl','snp']}
+sev = { version = "5.0.0", default-features = false, features = ['openssl','snp']}
 nix = "^0.23"
 serde = { version = "1.0", features = ["derive"] }
 bincode = "^1.2.1"
diff --git a/src/fetch.rs b/src/fetch.rs
index bd4e2ce..9b10c7b 100644
--- a/src/fetch.rs
+++ b/src/fetch.rs
@@ -9,7 +9,7 @@ use std::{fs, path::PathBuf, str::FromStr};
 use reqwest::blocking::{get, Response};
-use sev::firmware::host::CertType;
+use sev::{certs::snp::ca::Chain, firmware::host::CertType};
 use certs::{write_cert, CertFormat};
@@ -114,7 +114,6 @@ pub fn cmd(cmd: FetchCmd) -> Result<()> {
 mod cert_authority {
     use super::*;
-    use openssl::x509::X509;
     use reqwest::StatusCode;
     #[derive(Parser)]
@@ -140,7 +139,7 @@ mod cert_authority {
     pub fn request_ca_kds(
         processor_model: ProcType,
         endorser: &Endorsement,
-    ) -> Result, anyhow::Error> {
+    ) -> Result {
         const KDS_CERT_SITE: &str = "https://kdsintf.amd.com";
         const KDS_CERT_CHAIN: &str = "cert_chain";
@@ -161,7 +160,7 @@ mod cert_authority {
             .context("Unable to parse AMD certificate chain")?
             .to_vec();
-        let certificates = X509::stack_from_pem(&body)?;
+        let certificates = Chain::from_pem_bytes(&body)?;
         Ok(certificates)
     }
@@ -179,8 +178,8 @@ mod cert_authority {
             fs::create_dir(&args.certs_dir).context("Could not create certs folder")?;
         }
-        let ark_cert = &certificates[1];
-        let ask_cert = &certificates[0];
+        let ark_cert = certificates.ark;
+        let ask_cert = certificates.ask;
         write_cert(
             &args.certs_dir,
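Review bot: The new `Chain::from_pem_bytes(&body)?` in the @@ -161 hunk propagates the parse error bare, while the body read two lines above still carries `.context("Unable to parse AMD certificate chain")`, so a truncated or malformed KDS response now surfaces as an unlabelled sev error that does not say which step failed. Since `.context` is already in scope here, `let certificates = Chain::from_pem_bytes(&body).context("Unable to parse AMD CA chain (ARK/ASK) from PEM")?;` keeps the error readable, and the earlier string, which now describes reading the response rather than parsing it, could become `"Unable to read AMD certificate chain response body"`. The body of request_ca_kds begins outside the hunk.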
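Review bot: In the @@ -179 hunk the ARK and ASK taken from `certificates.ark` / `certificates.ask` are persisted to `args.certs_dir` without any check that the chain is internally consistent (ASK signed by the ARK, ARK self-signed), so the only thing vouching for what lands on disk is the TLS connection to the KDS. The old index-based code had the same gap, but with a typed `Chain` it is now cheap to close; if the sev crate's `Verifiable` impl for `ca::Chain` is available in 5.0 (confirm against the crate and import `sev::certs::snp::Verifiable`), a `certificates.verify().context("AMD CA chain failed verification")?;` placed before the two `let` lines — it must come before `ark`/`ask` are moved out of `certificates` — would reject a mis-assembled or tampered chain before any caller relies on it. The enclosing function starts and ends outside the hunk.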