Skip to content

Remove BASIC_CONSTRAINTS_STRING_FALSE_CASE2 #3422

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
steven-bellock wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

Remove BASIC_CONSTRAINTS_STRING_FALSE_CASE2 #3422

steven-bellock wants to merge 1 commit into from

Conversation

@steven-bellock
Copy link
Contributor

@steven-bellock steven-bellock commented Dec 9, 2025

Fix #3419 and enforce strict DER checks.

@steven-bellock
Remove BASIC_CONSTRAINTS_STRING_FALSE_CASE2
a9e42b0 
Fix DMTF#3419 and enforce strict DER checks.

Signed-off-by: Steven Bellock <sbellock@nvidia.com>
jcahill0
jcahill0 reviewed Dec 9, 2025
View reviewed changes
library/spdm_crypt_lib/libspdm_crypt_cert.c
sizeof(basic_constraints_false_case)))) {
return true;
}

Copy link

@jcahill0 jcahill0 Dec 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If I'm reading commit a9e42b0 correctly, then it appears this would trigger a "false"/failure of any existing/previous deployed leaf certificate with the Basic Constraints OID's CA:FALSE (len!=sizeof(basic_constraints_false_case fallout case), which libspdm_verify_leaf_cert_basic_constraints() used to pass.

Could the empty CA:FALSE check be made optional for SPDM Requesters that choose to handle this case?

Copy link
Contributor Author

@steven-bellock steven-bellock Dec 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could the empty CA:FALSE check be made optional for SPDM Requesters that choose to handle this case?

#3164 (comment) proposes to let the Integrator selectively disable specific checks, so when/if that gets implemented then they would be able to disable the Basic Constraints check if they so desire.

@steven-bellock steven-bellock marked this pull request as ready for review December 9, 2025 22:11
@steven-bellock steven-bellock requested a review from jyao1 as a code owner December 9, 2025 22:11
@steven-bellock
Copy link
Contributor Author

steven-bellock commented Dec 15, 2025

Converting to draft while we wait for the SPDM WG.

@steven-bellock steven-bellock marked this pull request as draft December 15, 2025 15:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jyao1 jyao1 Awaiting requested review from jyao1 jyao1 is a code owner

@lordaule lordaule Awaiting requested review from lordaule

@jcahill0 jcahill0 Awaiting requested review from jcahill0

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

BASIC_CONSTRAINTS_STRING_FALSE_CASE2 should (probably) not exist

2 participants

@steven-bellock @jcahill0