fix: check the device certificate chain

Currently all the device certificates are trusted as long as the certificate chain is correct but it's not possible to decide which root CA certifcates are trusted or not. This patch loads the manufacturer trusted CA certs when specified in `trusted_manufacturer_keys` configuration variable and verifies that the device certificate chain is signed by a trusted CA failing otherwise. If no `trusted_manufacturer_keys` is configured the previous behavior is maintained. Signed-off-by: Miguel Martín <[email protected]>
mmartinv · Apr 2, 2024 · 8e6c6a2 · 8e6c6a2
1 parent df60316
commit 8e6c6a2
Showing 1 changed file with 9 additions and 2 deletions.
diff --git a/rendezvous-server/src/handlers_to0.rs b/rendezvous-server/src/handlers_to0.rs
@@ -136,8 +136,15 @@ pub(super) async fn ownersign(
         }
         Some(v) => v,
     };
-    //let device_pubkey = match device_cert_chain.verify_from_x5bag(&user_data.trusted_device_keys) {
-    let device_pubkey = match device_cert_chain.insecure_verify_without_root_verification() {
+
+    let device_pubkey_verification =
+        if let Some(trusted_manufacturer_certs) = &user_data.trusted_manufacturer_keys {
+            device_cert_chain.verify_from_x5bag(trusted_manufacturer_certs)
+        } else {
+            device_cert_chain.insecure_verify_without_root_verification()
+        };
+
+    let device_pubkey = match device_pubkey_verification {
         Err(cert_chain_err) => {
             log::debug!("Error verifying device certificate: {:?}", cert_chain_err);
             return Err(Error::new(