FAPI: Support intermediate certificates stored in NV ram.

src/tss2-fapi/api/Fapi_GetPlatformCertificates.c

@@ -211,7 +211,6 @@ Fapi_GetPlatformCertificates_Finish(
 {
     LOG_TRACE("called for context:%p", context);
 
-    NODE_OBJECT_T *cert_list = NULL;
     TSS2_RC r;
 
     /* Check for NULL parameters */
@@ -224,59 +223,22 @@ Fapi_GetPlatformCertificates_Finish(
             /* Retrieve the certificates from the TPM's NV space. */
             r = ifapi_get_certificates(context, MIN_PLATFORM_CERT_HANDLE,
                                        MAX_PLATFORM_CERT_HANDLE,
-                                       &cert_list);
+                                       certificates,
+                                       certificatesSize);
             return_try_again(r);
             goto_if_error(r, "Get certificates.", error);
 
-            if (cert_list) {
-                /* Concatenate the found certificates */
-                size_t size;
-                NODE_OBJECT_T *cert = cert_list;
-                size = 0;
-                while (cert) {
-                    size += cert->size;
-                    cert = cert->next;
-                }
-                if (certificatesSize)
-                    *certificatesSize = size;
-                *certificates = malloc(size);
-                goto_if_null2(*certificates, "Out of memory.",
-                        r, TSS2_FAPI_RC_MEMORY, error);
-
-                cert = cert_list;
-                size = 0;
-                while (cert) {
-                    memcpy(&*(certificates)[size], cert->object, cert->size);
-                    size += cert->size;
-                    SAFE_FREE(cert->object);
-                    cert = cert->next;
-                }
-            } else {
-                *certificates = NULL;
-                if (certificatesSize)
-                    *certificatesSize = 0;
-                goto_error(r, TSS2_FAPI_RC_NO_CERT,
-                        "No platform certificates available.", error);
-            }
             break;
         statecasedefault(context->state);
     }
 
     /* Cleanup any intermediate results and state stored in the context. */
-    ifapi_free_node_list(cert_list);
     context->state =  FAPI_STATE_INIT;
     LOG_TRACE("finished");
     return TSS2_RC_SUCCESS;
 
 error:
     /* Cleanup any intermediate results and state stored in the context. */
     context->state =  FAPI_STATE_INIT;
-    NODE_OBJECT_T *cert = cert_list;
-    while (cert) {
-        SAFE_FREE(cert->object);
-        cert = cert->next;
-    }
-    ifapi_free_node_list(cert_list);
-    SAFE_FREE(*certificates);
     return r;
 }

src/tss2-fapi/api/Fapi_Provision.c

@@ -22,7 +22,8 @@
 #include "ifapi_helpers.h"       // for ifapi_init_hierarchy_object, ifapi_c...
 #include "ifapi_io.h"            // for ifapi_io_read_async, ifapi_io_read_f...
 #include "ifapi_keystore.h"      // for IFAPI_OBJECT, IFAPI_OBJECT_UNION
-#include "ifapi_macros.h"        // for statecase, fallthrough, goto_if_erro...
+#include "ifapi_macros.h"        // for statecase, fallthrough, goto_if_erro..
+#include "ifapi_verify_cert_chain.h" // for ifapi_verify_cert_chain
 #include "ifapi_profiles.h"      // for IFAPI_PROFILE, IFAPI_PROFILES
 #include "tss2_common.h"         // for TSS2_FAPI_RC_TRY_AGAIN, BYTE, TSS2_RC
 #include "tss2_esys.h"           // for ESYS_TR_NONE, Esys_GetCapability_Async
@@ -36,6 +37,8 @@
 #include "util/log.h"            // for goto_if_error, SAFE_FREE, goto_error
 
 #define EK_CERT_RANGE (0x01c07fff)
+#define EK_CERT_CHAIN_MIN 0x01c00100
+#define EK_CERT_CHAIN_MAX 0x01c001ff
 #define RSA_EK_NONCE_NV_INDEX 0x01c00003
 #define RSA_EK_TEMPLATE_NV_INDEX 0x01c00004
 #define ECC_EK_NONCE_NV_INDEX 0x01c0000b
@@ -784,6 +787,11 @@ Fapi_Provision_Finish(FAPI_CONTEXT *context)
 
             /* Filter out NV handles beyond the EK cert range */
             for (size_t i = 0; i < command->cert_count; i++) {
+                /* Check whether a cert chain exists. */
+                if (command->capabilityData->data.handles.handle[i] >= EK_CERT_CHAIN_MIN &&
+                    command->capabilityData->data.handles.handle[i] <= EK_CERT_CHAIN_MAX) {
+                    command->cert_chain_exists = true;
+                }
                 if (command->capabilityData->data.handles.handle[i] > EK_CERT_RANGE) {
                     command->cert_count = i;
                 }
@@ -796,6 +804,7 @@ Fapi_Provision_Finish(FAPI_CONTEXT *context)
                 context->state = PROVISION_CHECK_FOR_VENDOR_CERT;
                 return TSS2_FAPI_RC_TRY_AGAIN;
             }
+
             fallthrough;
 
         statecase(context->state, PROVISION_GET_CERT_NV);
@@ -884,9 +893,13 @@ Fapi_Provision_Finish(FAPI_CONTEXT *context)
             SAFE_FREE(certData);
             goto_if_error(r, "Convert certificate to pem.", error_cleanup);
 
-            /* Check whether the EKs public key corresponds to the certificate. */
+            /* Check whether the EKs pifapi_cmp_public_keyublic key corresponds to the certificate. */
             if (ifapi_cmp_public_key(&pkeyObject->misc.key.public, &public_key)) {
-                context->state = PROVISION_PREPARE_READ_ROOT_CERT;
+                if (command->cert_chain_exists) {
+                    context->state = PROVISION_READ_CERT_CHAIN;
+                } else {
+                    context->state = PROVISION_PREPARE_READ_ROOT_CERT;
+                }
                 return TSS2_FAPI_RC_TRY_AGAIN;
             } else {
                 /* Certificate not appropriate for current EK key type */
@@ -902,6 +915,16 @@ Fapi_Provision_Finish(FAPI_CONTEXT *context)
             goto_error(r, TSS2_FAPI_RC_NO_CERT, "No EK certificate found.",
                        error_cleanup);
 
+        statecase(context->state, PROVISION_READ_CERT_CHAIN);
+            /* Retrieve the certificate chains from the TPM's NV space . */
+            r = ifapi_get_certificates(context, EK_CERT_CHAIN_MIN ,
+                                       EK_CERT_CHAIN_MAX,
+                                       &command->certs,
+                                       &command->cert_list_size);
+            return_try_again(r);
+            goto_if_error(r, "Get certificates.", error_cleanup);
+            fallthrough;
+
         statecase(context->state, PROVISION_PREPARE_READ_ROOT_CERT);
             /* Prepare reading of root certificate. */
             root_ca_file = NULL;
@@ -967,11 +990,18 @@ Fapi_Provision_Finish(FAPI_CONTEXT *context)
             fallthrough;
 
         statecase(context->state, PROVISION_EK_CHECK_CERT);
-            /* The EK certificate will be verified against the FAPI list of root certificates. */
-            r = ifapi_curl_verify_ek_cert(command->root_crt, command->intermed_crt, command->pem_cert);
-            SAFE_FREE(command->root_crt);
-            SAFE_FREE(command->intermed_crt);
-            goto_if_error2(r, "Verify EK certificate", error_cleanup);
+            if (command->cert_chain_exists) {
+                /* Verify the EK certificate with the cert chain. */
+                r = ifapi_verify_cert_chain(command->pem_cert, command->certs,
+                                            command->cert_list_size);
+                goto_if_error(r, "Failed to verify certificate chain.", error_cleanup);
+            } else {
+                /* The EK certificate will be verified against the FAPI list of root certificates. */
+                r = ifapi_curl_verify_ek_cert(command->root_crt, command->intermed_crt, command->pem_cert);
+                SAFE_FREE(command->root_crt);
+                SAFE_FREE(command->intermed_crt);
+                goto_if_error2(r, "Verify EK certificate", error_cleanup);
+            }
 
             fallthrough;
 

src/tss2-fapi/fapi_certificates.h

@@ -592,6 +592,25 @@ static char * root_cert_list[] = {
     "7r+i6q84W2nJdd+BoQQv4sk5GeuN2j2u4k1a8DkRPsVPc2I9QTtbzekchTK1GCXW\n"
     "ki3DKGkZUEuaoaa60Kgw55Q5rt1eK7HKEG5npmR8aEod7BDLWy4CMTNAWR5iabCW\n"
     "/KX28JbJL6Phau9j\n"
+    "-----END CERTIFICATE-----\n",
+
+    /* Intel ODCA Root Certificate */
+    "-----BEGIN CERTIFICATE-----\n"
+    "MIICujCCAj6gAwIBAgIUPLLiHTrwySRtWxR4lxKLlu7MJ7wwDAYIKoZIzj0EAwMF\n"
+    "ADCBiTELMAkGA1UEBgwCVVMxCzAJBgNVBAgMAkNBMRQwEgYDVQQHDAtTYW50YSBD\n"
+    "bGFyYTEaMBgGA1UECgwRSW50ZWwgQ29ycG9yYXRpb24xIzAhBgNVBAsMGk9uRGll\n"
+    "IENBIFJvb3QgQ2VydCBTaWduaW5nMRYwFAYDVQQDDA13d3cuaW50ZWwuY29tMB4X\n"
+    "DTE5MDQwMzAwMDAwMFoXDTQ5MTIzMTIzNTk1OVowgYkxCzAJBgNVBAYMAlVTMQsw\n"
+    "CQYDVQQIDAJDQTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExGjAYBgNVBAoMEUludGVs\n"
+    "IENvcnBvcmF0aW9uMSMwIQYDVQQLDBpPbkRpZSBDQSBSb290IENlcnQgU2lnbmlu\n"
+    "ZzEWMBQGA1UEAwwNd3d3LmludGVsLmNvbTB2MBAGByqGSM49AgEGBSuBBAAiA2IA\n"
+    "BK8SfB2UflvXZqb5Kc3+lokrABHWazvNER2axPURP64HILkXChPB0OEX5hLB7Okw\n"
+    "7Dy6oFqB5tQVDupgfvUX/SgYBEaDdG5rCVFrGAis6HX5TA2ewQmj14r2ncHBgnpp\n"
+    "B6NjMGEwHwYDVR0jBBgwFoAUtFjJ9uQIQKPyWMg5eG6ujgqNnDgwDwYDVR0TAQH/\n"
+    "BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFLRYyfbkCECj8ljIOXhu\n"
+    "ro4KjZw4MAwGCCqGSM49BAMDBQADaAAwZQIxAP9B4lFF86uvpHmkcp61cWaU565a\n"
+    "yE3p7ezu9haLE/lPLh5hFQfmTi1nm/sG3JEXMQIwNpKfHoDmUTrUyezhhfv3GG+1\n"
+    "CqBXstmCYH40buj9jKW3pHWc71s9arEmPWli7I8U\n"
     "-----END CERTIFICATE-----\n"
 
 };

src/tss2-fapi/fapi_int.h

@@ -559,6 +559,9 @@ typedef struct {
     bool srk_exists;
     TPM2_HANDLE template_nv_index;
     TPM2_HANDLE nonce_nv_index;
+    bool cert_chain_exists;
+    uint8_t *certs;
+    size_t cert_list_size;
 } IFAPI_Provision;
 
 /** The data structure holding internal state of regenerate primary key.
@@ -858,6 +861,7 @@ enum FAPI_STATE {
     PROVISION_GET_CERT_NV_FINISH,
     PROVISION_GET_CERT_READ_PUBLIC,
     PROVISION_READ_CERT,
+    PROVISION_READ_CERT_CHAIN,
     PROVISION_PREPARE_READ_ROOT_CERT,
     PROVISION_READ_ROOT_CERT,
     PROVISION_PREPARE_READ_INT_CERT,