From 8e6c6a22156baa12245f80220ece650f40f96bf2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miguel=20Mart=C3=ADn?=
Date: Tue, 2 Apr 2024 12:05:35 +0200
Subject: [PATCH] fix: check the device certificate chain
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Currently all the device certificates are trusted as long as the certificate chain is correct but it's not possible to decide which root CA certifcates are trusted or not. This patch loads the manufacturer trusted CA certs when specified in `trusted_manufacturer_keys` configuration variable and verifies that the device certificate chain is signed by a trusted CA failing otherwise. If no `trusted_manufacturer_keys` is configured the previous behavior is maintained.

Signed-off-by: Miguel Martín
---
 rendezvous-server/src/handlers_to0.rs | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/rendezvous-server/src/handlers_to0.rs b/rendezvous-server/src/handlers_to0.rs
index 5775d0b0d..5ee2a602a 100644
--- a/rendezvous-server/src/handlers_to0.rs
+++ b/rendezvous-server/src/handlers_to0.rs
@@ -136,8 +136,15 @@ pub(super) async fn ownersign(
         }
         Some(v) => v,
     };
-    //let device_pubkey = match device_cert_chain.verify_from_x5bag(&user_data.trusted_device_keys) {
-    let device_pubkey = match device_cert_chain.insecure_verify_without_root_verification() {
+
+    let device_pubkey_verification =
+        if let Some(trusted_manufacturer_certs) = &user_data.trusted_manufacturer_keys {
+            device_cert_chain.verify_from_x5bag(trusted_manufacturer_certs)
+        } else {
+            device_cert_chain.insecure_verify_without_root_verification()
+        };
+
+    let device_pubkey = match device_pubkey_verification {
         Err(cert_chain_err) => {
             log::debug!("Error verifying device certificate: {:?}", cert_chain_err);
             return Err(Error::new(
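Review bot: The `else` branch of the new `device_pubkey_verification` binding keeps accepting any self-consistent device chain with no root check, and it does so silently, so a deployment that mistypes or forgets `trusted_manufacturer_keys` will look healthy while trusting every manufacturer. At minimum the fallback should announce itself each time it is taken, e.g. `log::warn!("trusted_manufacturer_keys not configured; accepting device certificate chain without root CA verification");` placed before the `insecure_verify_without_root_verification()` call, and a comment above the `if let` should state that the insecure path exists only for backward compatibility and is meant to be removed. Whether `verify_from_x5bag` also enforces validity periods or key-usage constraints is not visible here and is worth confirming before this is described as "checking" the chain. The surrounding `log::debug!` on the rejection path is a context line, but a chain failing against the configured manufacturer CAs is a security event and arguably deserves `warn` rather than `debug`. `ownersign` begins and ends outside this hunk.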