From ac9d13ad70681adcc566d808b761033dc9b04998 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miguel=20Mart=C3=ADn?=
Date: Tue, 2 Apr 2024 12:05:35 +0200
Subject: [PATCH] fix: check the device certificate chain
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Currently all the device certificates are trusted as long as the certificate chain is correct but it's not possible to decide which root CA certifcates are trusted or not. This patch loads the manufacturer trusted CA certs when specified in `trusted_manufacturer_keys` configuration variable and verifies that the device certificate chain is signed by a trusted CA failing otherwise. If no `trusted_manufacturer_keys` is configured the previous behavior is maintained.

Signed-off-by: Miguel Martín
---
 rendezvous-server/src/handlers_to0.rs | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/rendezvous-server/src/handlers_to0.rs b/rendezvous-server/src/handlers_to0.rs
index 5775d0b0d..8c5c7d0cf 100644
--- a/rendezvous-server/src/handlers_to0.rs
+++ b/rendezvous-server/src/handlers_to0.rs
@@ -136,8 +136,15 @@ pub(super) async fn ownersign(
 }
 Some(v) => v,
 };
- //let device_pubkey = match device_cert_chain.verify_from_x5bag(&user_data.trusted_device_keys) {
- let device_pubkey = match device_cert_chain.insecure_verify_without_root_verification() {
+
+ let device_pubkey_verification =
+ if let Some(trusted_manufacturer_certs) = &user_data.trusted_manufacturer_keys {
+ device_cert_chain.verify_from_x5bag(trusted_manufacturer_certs)
+ } else {
+ device_cert_chain.insecure_verify_without_root_verification()
+ };
+
+ let device_pubkey = match device_pubkey_verification {
 Err(cert_chain_err) => {
 log::debug!("Error verifying device certificate: {:?}", cert_chain_err);
 return Err(Error::new(
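Review bot: The `else` branch of the new `device_pubkey_verification` binding falls back to `insecure_verify_without_root_verification()` silently, so a deployment that merely forgot to set `trusted_manufacturer_keys` accepts device chains with an unverified root and nothing in the logs says so. Add a warning in that branch, e.g. `log::warn!("trusted_manufacturer_keys is not configured; device certificate chain root is not verified");`, and a short comment above the `if let` stating that the fallback exists only to keep the previous behavior for deployments without a configured trust set, as the commit message explains. Whether the trusted set should instead be mandatory is a policy choice the commit defers, but a fail-open default deserves at least that much visibility to operators. `ownersign` starts before and continues after this hunk.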