4 changes: 4 additions & 0 deletions include/internal/libspdm_common_lib.h
Expand Up @@ -474,6 +474,7 @@ typedef struct {
void *secured_message_context;
/* Only present in session info as it is currently only used within a secure session. */
uint8_t local_used_cert_chain_slot_id;
uint8_t peer_used_cert_chain_slot_id;
} libspdm_session_info_t;

#define LIBSPDM_MAX_ENCAP_REQUEST_OP_CODE_SEQUENCE_COUNT 3
Expand Down Expand Up @@ -1036,6 +1037,7 @@ bool libspdm_generate_challenge_auth_signature(libspdm_context_t *spdm_context,
* @retval false hash verification fail.
**/
bool libspdm_verify_certificate_chain_hash(libspdm_context_t *spdm_context,
uint8_t slot_id,
const void *certificate_chain_hash,
size_t certificate_chain_hash_size);

Expand Down Expand Up @@ -1066,6 +1068,7 @@ bool libspdm_verify_public_key_hash(libspdm_context_t *spdm_context,
**/
bool libspdm_verify_challenge_auth_signature(libspdm_context_t *spdm_context,
bool is_requester,
uint8_t slot_id,
const void *sign_data,
size_t sign_data_size);

Expand Down Expand Up @@ -1115,6 +1118,7 @@ bool libspdm_generate_endpoint_info_signature(libspdm_context_t *spdm_context,
bool libspdm_verify_endpoint_info_signature(libspdm_context_t *spdm_context,
libspdm_session_info_t *session_info,
bool is_requester,
uint8_t slot_id,
const void *sign_data,
size_t sign_data_size);

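Review bot: The new `peer_used_cert_chain_slot_id` member of `libspdm_session_info_t` at line 28 carries no comment, and the comment on line 26 reads as if it describes only `local_used_cert_chain_slot_id`, so a reader cannot tell what the new field holds or when it is valid. A one-line comment such as `/* Slot of the peer certificate chain used in this session; 0xFF means the peer's raw public key was used instead. */` would cover it (the 0xFF convention is what the callers in libspdm_com_context_data.c and libspdm_com_crypto_service.c branch on). The three prototypes that gain a `slot_id` parameter at lines 36, 44 and 52 close their doxygen blocks without a visible `@param slot_id`; the `@param` lists are collapsed here, so if they were not extended, add `* @param slot_id The slot id of the peer certificate chain to verify against.` to each.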
8 changes: 6 additions & 2 deletions include/library/spdm_common_lib.h
Expand Up @@ -845,6 +845,7 @@ void *libspdm_get_secured_message_context_via_session_id(void *spdm_context, uin
**/
void *libspdm_get_secured_message_context_via_session_info(void *spdm_session_info);

#if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
/**
* This function returns peer certificate chain buffer including spdm_cert_chain_t header.
*
Expand All @@ -855,7 +856,8 @@ void *libspdm_get_secured_message_context_via_session_info(void *spdm_session_in
* @retval true Peer certificate chain buffer including spdm_cert_chain_t header is returned.
* @retval false Peer certificate chain buffer including spdm_cert_chain_t header is not found.
**/
bool libspdm_get_peer_cert_chain_buffer(void *spdm_context,
void libspdm_get_peer_cert_chain_buffer(void *spdm_context,
uint8_t slot_id,
const void **cert_chain_buffer,
size_t *cert_chain_buffer_size);

Expand All @@ -869,9 +871,11 @@ bool libspdm_get_peer_cert_chain_buffer(void *spdm_context,
* @retval true Peer certificate chain data without spdm_cert_chain_t header is returned.
* @retval false Peer certificate chain data without spdm_cert_chain_t header is not found.
**/
bool libspdm_get_peer_cert_chain_data(void *spdm_context,
void libspdm_get_peer_cert_chain_data(void *spdm_context,
uint8_t slot_id,
const void **cert_chain_data,
size_t *cert_chain_data_size);
#endif /* LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT */

/**
* This function returns local used certificate chain buffer including spdm_cert_chain_t header.
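Review bot: The `@retval true`/`@retval false` lines at 68-69 and 78-79 are now stale: both `libspdm_get_peer_cert_chain_buffer` and `libspdm_get_peer_cert_chain_data` were changed to return `void`, so the documented "not found" outcome no longer exists and a caller reading this header cannot learn that the lookup is unconditional. Replace each `@retval` pair with a sentence stating that the function always fills the out-parameters from `connection_info.peer_used_cert_chain[slot_id]` and that the caller is responsible for passing a `slot_id` below `SPDM_MAX_SLOT_COUNT` for which a chain has been stored. The `@param` lists are collapsed on this page; if they do not yet mention the new parameter, add `* @param slot_id The slot id of the peer certificate chain to return.` to both blocks.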
4 changes: 2 additions & 2 deletions library/spdm_common_lib/libspdm_com_context_data.c
Expand Up @@ -1969,7 +1969,7 @@ libspdm_return_t libspdm_append_message_k(libspdm_context_t *spdm_context,
if (spdm_session_info->session_transcript.digest_context_th == NULL) {
if (!spdm_session_info->use_psk) {
if (is_requester) {
slot_id = spdm_context->connection_info.peer_used_cert_chain_slot_id;
slot_id = spdm_session_info->peer_used_cert_chain_slot_id;
LIBSPDM_ASSERT((slot_id < SPDM_MAX_SLOT_COUNT) || (slot_id == 0xFF));
if (slot_id == 0xFF) {
result = libspdm_get_peer_public_key_buffer(
Expand Down Expand Up @@ -2171,7 +2171,7 @@ libspdm_return_t libspdm_append_message_f(libspdm_context_t *spdm_context,
return LIBSPDM_STATUS_CRYPTO_ERROR;
}
} else {
slot_id = spdm_context->connection_info.peer_used_cert_chain_slot_id;
slot_id = spdm_session_info->peer_used_cert_chain_slot_id;
LIBSPDM_ASSERT((slot_id < SPDM_MAX_SLOT_COUNT) || (slot_id == 0xFF));
if (slot_id == 0xFF) {
result = libspdm_get_peer_public_key_buffer(
102 changes: 25 additions & 77 deletions library/spdm_common_lib/libspdm_com_crypto_service.c
Expand Up @@ -39,71 +39,39 @@ uint8_t libspdm_slot_id_to_key_pair_id (
return context->local_context.local_key_pair_id[slot_id];
}

/**
* This function returns peer certificate chain buffer including spdm_cert_chain_t header.
*
* @param spdm_context A pointer to the SPDM context.
* @param cert_chain_buffer Certificate chain buffer including spdm_cert_chain_t header.
* @param cert_chain_buffer_size size in bytes of the certificate chain buffer.
*
* @retval true Peer certificate chain buffer including spdm_cert_chain_t header is returned.
* @retval false Peer certificate chain buffer including spdm_cert_chain_t header is not found.
**/
bool libspdm_get_peer_cert_chain_buffer(void *spdm_context,
#if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
void libspdm_get_peer_cert_chain_buffer(void *spdm_context,
uint8_t slot_id,
const void **cert_chain_buffer,
size_t *cert_chain_buffer_size)
{
#if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT

libspdm_context_t *context;
uint8_t slot_id;

context = spdm_context;
slot_id = context->connection_info.peer_used_cert_chain_slot_id;

LIBSPDM_ASSERT(slot_id < SPDM_MAX_SLOT_COUNT);
if (context->connection_info.peer_used_cert_chain[slot_id].buffer_size != 0) {
*cert_chain_buffer = context->connection_info.peer_used_cert_chain[slot_id].buffer;
*cert_chain_buffer_size = context->connection_info
.peer_used_cert_chain[slot_id].buffer_size;
return true;
}
#endif
return false;

*cert_chain_buffer = context->connection_info.peer_used_cert_chain[slot_id].buffer;
*cert_chain_buffer_size = context->connection_info.peer_used_cert_chain[slot_id].buffer_size;
}

/**
* This function returns peer certificate chain data without spdm_cert_chain_t header.
*
* @param spdm_context A pointer to the SPDM context.
* @param cert_chain_data Certificate chain data without spdm_cert_chain_t header.
* @param cert_chain_data_size size in bytes of the certificate chain data.
*
* @retval true Peer certificate chain data without spdm_cert_chain_t header is returned.
* @retval false Peer certificate chain data without spdm_cert_chain_t header is not found.
**/
bool libspdm_get_peer_cert_chain_data(void *spdm_context,
void libspdm_get_peer_cert_chain_data(void *spdm_context,
uint8_t slot_id,
const void **cert_chain_data,
size_t *cert_chain_data_size)
{
#if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
libspdm_context_t *context;
size_t hash_size;
bool result;

context = spdm_context;
hash_size = libspdm_get_hash_size(context->connection_info.algorithm.base_hash_algo);

result = libspdm_get_peer_cert_chain_buffer(context, cert_chain_data,
cert_chain_data_size);
if (result) {
*cert_chain_data =
(const uint8_t *)*cert_chain_data + sizeof(spdm_cert_chain_t) + hash_size;
*cert_chain_data_size =
*cert_chain_data_size - (sizeof(spdm_cert_chain_t) + hash_size);
return true;
}
#endif
return false;
libspdm_get_peer_cert_chain_buffer(context, slot_id, cert_chain_data, cert_chain_data_size);
*cert_chain_data = (const uint8_t *)*cert_chain_data + sizeof(spdm_cert_chain_t) + hash_size;
*cert_chain_data_size = *cert_chain_data_size - (sizeof(spdm_cert_chain_t) + hash_size);
}
#endif /* LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT */

/**
* This function returns local used certificate chain buffer including spdm_cert_chain_t header.
Expand Down Expand Up @@ -1038,6 +1006,7 @@ bool libspdm_generate_challenge_auth_signature(libspdm_context_t *spdm_context,
* @retval false hash verification fail.
**/
bool libspdm_verify_certificate_chain_hash(libspdm_context_t *spdm_context,
uint8_t slot_id,
const void *certificate_chain_hash,
size_t certificate_chain_hash_size)
{
Expand All @@ -1047,17 +1016,11 @@ bool libspdm_verify_certificate_chain_hash(libspdm_context_t *spdm_context,
const uint8_t *cert_chain_buffer;
size_t cert_chain_buffer_size;
bool result;
#else
uint8_t slot_id;
#endif

#if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
result = libspdm_get_peer_cert_chain_buffer(spdm_context,
(const void **)&cert_chain_buffer,
&cert_chain_buffer_size);
if (!result) {
return false;
}
libspdm_get_peer_cert_chain_buffer(spdm_context,
slot_id,
(const void **)&cert_chain_buffer,
&cert_chain_buffer_size);

hash_size = libspdm_get_hash_size(spdm_context->connection_info.algorithm.base_hash_algo);

Expand All @@ -1080,9 +1043,6 @@ bool libspdm_verify_certificate_chain_hash(libspdm_context_t *spdm_context,
return false;
}
#else
slot_id = spdm_context->connection_info.peer_used_cert_chain_slot_id;
LIBSPDM_ASSERT(slot_id < SPDM_MAX_SLOT_COUNT);

LIBSPDM_ASSERT(
spdm_context->connection_info.peer_used_cert_chain[slot_id].buffer_hash_size != 0);

Expand Down Expand Up @@ -1160,12 +1120,12 @@ bool libspdm_verify_public_key_hash(libspdm_context_t *spdm_context,
**/
bool libspdm_verify_challenge_auth_signature(libspdm_context_t *spdm_context,
bool is_requester,
uint8_t slot_id,
const void *sign_data,
size_t sign_data_size)
{
bool result;
void *context;
uint8_t slot_id;
#if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
libspdm_m1m2_managed_buffer_t m1m2;
uint8_t *m1m2_buffer;
Expand Down Expand Up @@ -1198,9 +1158,6 @@ bool libspdm_verify_challenge_auth_signature(libspdm_context_t *spdm_context,
return false;
}

slot_id = spdm_context->connection_info.peer_used_cert_chain_slot_id;
LIBSPDM_ASSERT((slot_id < SPDM_MAX_SLOT_COUNT) || (slot_id == 0xFF));

if (slot_id == 0xFF) {
if (is_requester) {
if (spdm_context->connection_info.algorithm.pqc_asym_algo != 0) {
Expand Down Expand Up @@ -1236,11 +1193,8 @@ bool libspdm_verify_challenge_auth_signature(libspdm_context_t *spdm_context,
}
} else {
#if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
result = libspdm_get_peer_cert_chain_data(
spdm_context, (const void **)&cert_chain_data, &cert_chain_data_size);
if (!result) {
return false;
}
libspdm_get_peer_cert_chain_data(
spdm_context, slot_id, (const void **)&cert_chain_data, &cert_chain_data_size);

/* Get leaf cert from cert chain*/
result = libspdm_x509_get_cert_from_cert_chain(
Expand Down Expand Up @@ -1543,12 +1497,12 @@ bool libspdm_generate_endpoint_info_signature(libspdm_context_t *spdm_context,
bool libspdm_verify_endpoint_info_signature(libspdm_context_t *spdm_context,
libspdm_session_info_t *session_info,
bool is_requester,
uint8_t slot_id,
const void *sign_data,
size_t sign_data_size)
{
bool result;
void *context;
uint8_t slot_id;
#if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
libspdm_il1il2_managed_buffer_t il1il2;
uint8_t *il1il2_buffer;
Expand Down Expand Up @@ -1580,9 +1534,6 @@ bool libspdm_verify_endpoint_info_signature(libspdm_context_t *spdm_context,
return false;
}

slot_id = spdm_context->connection_info.peer_used_cert_chain_slot_id;
LIBSPDM_ASSERT((slot_id < SPDM_MAX_SLOT_COUNT) || (slot_id == 0xF));

if (slot_id == 0xF) {
if (is_requester) {
if (spdm_context->connection_info.algorithm.base_asym_algo != 0) {
Expand Down Expand Up @@ -1620,11 +1571,8 @@ bool libspdm_verify_endpoint_info_signature(libspdm_context_t *spdm_context,
}
} else {
#if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
result = libspdm_get_peer_cert_chain_data(
spdm_context, (const void **)&cert_chain_data, &cert_chain_data_size);
if (!result) {
return false;
}
libspdm_get_peer_cert_chain_data(
spdm_context, slot_id, (const void **)&cert_chain_data, &cert_chain_data_size);

/* Get leaf cert from cert chain*/
result = libspdm_x509_get_cert_from_cert_chain(cert_chain_data,
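Review bot: `libspdm_get_peer_cert_chain_buffer` (line 130) now indexes `connection_info.peer_used_cert_chain[slot_id]` with a caller-supplied value after the commit removed both the `LIBSPDM_ASSERT(slot_id < SPDM_MAX_SLOT_COUNT)` and the `buffer_size != 0` guard, and `libspdm_get_peer_cert_chain_data` (line 194) subtracts `sizeof(spdm_cert_chain_t) + hash_size` from that size unchecked, so an unpopulated slot with size 0 underflows to a huge `size_t` that is then handed to `libspdm_x509_get_cert_from_cert_chain` at lines 277 and 315. The old `bool` return let `libspdm_verify_certificate_chain_hash`, `libspdm_verify_challenge_auth_signature` and `libspdm_verify_endpoint_info_signature` fail closed on a missing chain; the new call sites at lines 223, 273 and 311 have no equivalent path, and the `#else` branch at line 238 also lost its range assert. Whether every caller (including `libspdm_try_challenge`, which passes `slot_id` through at lines 390 and 400) validates the slot against the peer's slot mask before reaching here is not visible on this page. At minimum keep `LIBSPDM_ASSERT(slot_id < SPDM_MAX_SLOT_COUNT);` at the top of `libspdm_get_peer_cert_chain_buffer` and add `LIBSPDM_ASSERT(*cert_chain_data_size >= sizeof(spdm_cert_chain_t) + hash_size);` before the subtraction in `libspdm_get_peer_cert_chain_data`, or retain a release-build check that makes the verify functions return false when the stored `buffer_size` is 0.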
21 changes: 12 additions & 9 deletions library/spdm_common_lib/libspdm_com_crypto_service_session.c
Expand Up @@ -459,16 +459,17 @@ bool libspdm_calculate_th1_hash(libspdm_context_t *spdm_context,
#if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
if (!session_info->use_psk) {
if (is_requester) {
slot_id = spdm_context->connection_info.peer_used_cert_chain_slot_id;
slot_id = session_info->peer_used_cert_chain_slot_id;
LIBSPDM_ASSERT((slot_id < SPDM_MAX_SLOT_COUNT) || (slot_id == 0xFF));
if (slot_id == 0xFF) {
result = libspdm_get_peer_public_key_buffer(
spdm_context, (const void **)&cert_chain_buffer,
&cert_chain_buffer_size);
} else {
result = libspdm_get_peer_cert_chain_buffer(
spdm_context, (const void **)&cert_chain_buffer,
libspdm_get_peer_cert_chain_buffer(
spdm_context, slot_id, (const void **)&cert_chain_buffer,
&cert_chain_buffer_size);
result = true;
}
} else {
slot_id = session_info->local_used_cert_chain_slot_id;
Expand Down Expand Up @@ -552,16 +553,17 @@ bool libspdm_calculate_th2_hash(libspdm_context_t *spdm_context,
#if LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
if (!session_info->use_psk) {
if (is_requester) {
slot_id = spdm_context->connection_info.peer_used_cert_chain_slot_id;
slot_id = session_info->peer_used_cert_chain_slot_id;
LIBSPDM_ASSERT((slot_id < SPDM_MAX_SLOT_COUNT) || (slot_id == 0xFF));
if (slot_id == 0xFF) {
result = libspdm_get_peer_public_key_buffer(
spdm_context, (const void **)&cert_chain_buffer,
&cert_chain_buffer_size);
} else {
result = libspdm_get_peer_cert_chain_buffer(
spdm_context, (const void **)&cert_chain_buffer,
libspdm_get_peer_cert_chain_buffer(
spdm_context, slot_id, (const void **)&cert_chain_buffer,
&cert_chain_buffer_size);
result = true;
}
} else {
slot_id = session_info->local_used_cert_chain_slot_id;
Expand Down Expand Up @@ -595,16 +597,17 @@ bool libspdm_calculate_th2_hash(libspdm_context_t *spdm_context,
result = true;
}
} else {
slot_id = spdm_context->connection_info.peer_used_cert_chain_slot_id;
slot_id = session_info->peer_used_cert_chain_slot_id;
LIBSPDM_ASSERT((slot_id < SPDM_MAX_SLOT_COUNT) || (slot_id == 0xFF));
if (slot_id == 0xFF) {
result = libspdm_get_peer_public_key_buffer(
spdm_context, (const void **)&mut_cert_chain_buffer,
&mut_cert_chain_buffer_size);
} else {
result = libspdm_get_peer_cert_chain_buffer(
spdm_context, (const void **)&mut_cert_chain_buffer,
libspdm_get_peer_cert_chain_buffer(
spdm_context, slot_id, (const void **)&mut_cert_chain_buffer,
&mut_cert_chain_buffer_size);
result = true;
}
}
if (!result) {
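Review bot: The three hunks (lines 323-337, 344-358 and 365-379) now carry the same slot lookup, differing only in the output variables, and each ends with `result = true;` after an unconditional `void` call, so the `if (!result)` that follows only guards the public-key path; that trailing assignment is easy to misread as a checked outcome. Factoring the lookup into a `static bool` helper that takes the session info, the slot id and the two out-parameters, and returns the `libspdm_get_peer_public_key_buffer` result for slot 0xFF and `true` otherwise, would remove both the duplication and the dangling `result = true;`. `libspdm_calculate_th1_hash` and `libspdm_calculate_th2_hash` begin and end outside these hunks.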
6 changes: 4 additions & 2 deletions library/spdm_requester_lib/libspdm_req_challenge.c
Expand Up @@ -250,7 +250,8 @@ static libspdm_return_t libspdm_try_challenge(libspdm_context_t *spdm_context,
if (slot_id == 0xFF) {
result = libspdm_verify_public_key_hash(spdm_context, cert_chain_hash, hash_size);
} else {
result = libspdm_verify_certificate_chain_hash(spdm_context, cert_chain_hash, hash_size);
result = libspdm_verify_certificate_chain_hash(spdm_context, slot_id, cert_chain_hash,
hash_size);
}
if (!result) {
status = LIBSPDM_STATUS_VERIF_FAIL;
Expand Down Expand Up @@ -359,7 +360,8 @@ static libspdm_return_t libspdm_try_challenge(libspdm_context_t *spdm_context,
signature = ptr;
LIBSPDM_DEBUG((LIBSPDM_DEBUG_INFO, "signature (0x%zx):\n", signature_size));
LIBSPDM_INTERNAL_DUMP_HEX(signature, signature_size);
result = libspdm_verify_challenge_auth_signature(spdm_context, true, signature, signature_size);
result = libspdm_verify_challenge_auth_signature(spdm_context, true, slot_id,
signature, signature_size);
if (!result) {
libspdm_reset_message_c(spdm_context);
status = LIBSPDM_STATUS_VERIF_FAIL;