From f9991c97e71b0fa68d3ba37d0b5d9175414eb5e4 Mon Sep 17 00:00:00 2001 From: Tim Trippel Date: Wed, 30 Oct 2024 16:18:43 -0700 Subject: [PATCH] [manuf] remove the fake CA pathlen constraint Eliminate the pathlen constraint from the fake CA certificate and allow certificate chains of arbitrary lenth. This allows us to verify the certificate chain from CA->UDS->CDI0->CDI1. This is a manual cherry-pick from 87e0070443d0220424f078bdfeaee981afae1d32. Eventually, two CAs should be able to be specified for the perso flow. See #24955 for more details. Co-authored-by: Chris Frantz Signed-off-by: Tim Trippel (cherry picked from commit 87e0070443d0220424f078bdfeaee981afae1d32) (cherry picked from commit e741bb6a667b6489e1ef6b3666c9e11716b90ce4) --- .../silicon_creator/manuf/keys/fake/fake_ca.conf | 2 +- .../silicon_creator/manuf/keys/fake/fake_ca.csr | 6 +++--- .../silicon_creator/manuf/keys/fake/fake_ca.pem | 14 +++++++------- 3 files changed, 11 insertions(+), 11 deletions(-) diff --git a/sw/device/silicon_creator/manuf/keys/fake/fake_ca.conf b/sw/device/silicon_creator/manuf/keys/fake/fake_ca.conf index 4227cb90ecba5..41f4f1ee280a7 100644 --- a/sw/device/silicon_creator/manuf/keys/fake/fake_ca.conf +++ b/sw/device/silicon_creator/manuf/keys/fake/fake_ca.conf @@ -15,5 +15,5 @@ CN=Google Engineering ICA [v3_ca] subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer:always -basicConstraints = critical,CA:true,pathlen:0 +basicConstraints = critical,CA:true keyUsage = digitalSignature, keyCertSign, cRLSign diff --git a/sw/device/silicon_creator/manuf/keys/fake/fake_ca.csr b/sw/device/silicon_creator/manuf/keys/fake/fake_ca.csr index 97276d69e3d63..fb7706335e578 100644 --- a/sw/device/silicon_creator/manuf/keys/fake/fake_ca.csr +++ b/sw/device/silicon_creator/manuf/keys/fake/fake_ca.csr @@ -3,7 +3,7 @@ MIIBHTCBxAIBADBiMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExDzANBgNVBAoM Bkdvb2dsZTEUMBIGA1UECwwLRW5naW5lZXJpbmcxHzAdBgNVBAMMFkdvb2dsZSBF bmdpbmVlcmluZyBJQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARhCQgjUnab iUu5ivmebhjhb+4TQuX/A2SWLfzDeQGDuCjsezqPTEP1OHqu3GlW3ovZhyp40Ju5 -IwR1vy/vNJkVoAAwCgYIKoZIzj0EAwIDSAAwRQIhAKI+sbyTTTJ+QkEONzrsHCw1 -UJ0YBDRjC29TqzWxicGJAiA0GEOXSPxoUnGqk7uZVY/D4GWCbtS1wQSu4aJ7WaMM -ig== +IwR1vy/vNJkVoAAwCgYIKoZIzj0EAwIDSAAwRQIhANepinY8fzxEZ3EyxMymfFjk +9X+Rd9HbyxPkzSD8vi7wAiAWLyR99Lk9wc2GgXKcA6COmQzCB9bzlGAdYJSDrMVM +jg== -----END CERTIFICATE REQUEST----- diff --git a/sw/device/silicon_creator/manuf/keys/fake/fake_ca.pem b/sw/device/silicon_creator/manuf/keys/fake/fake_ca.pem index 144dfdae99aea..c427e064bfe36 100644 --- a/sw/device/silicon_creator/manuf/keys/fake/fake_ca.pem +++ b/sw/device/silicon_creator/manuf/keys/fake/fake_ca.pem @@ -1,17 +1,17 @@ -----BEGIN CERTIFICATE----- -MIICrTCCAlKgAwIBAgIUR7zbZxY2lxH6tUOJcmi1PJX9G5cwCgYIKoZIzj0EAwIw +MIICqjCCAk+gAwIBAgIUG0NwWZ6+cxC7v+kO6zyiRNjbB64wCgYIKoZIzj0EAwIw YjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQ8wDQYDVQQKDAZHb29nbGUxFDAS BgNVBAsMC0VuZ2luZWVyaW5nMR8wHQYDVQQDDBZHb29nbGUgRW5naW5lZXJpbmcg -SUNBMB4XDTI0MDUxNDE3NDUwNVoXDTM0MDUxMjE3NDUwNVowYjELMAkGA1UEBhMC +SUNBMB4XDTI0MTAzMDIyNTYxMloXDTM0MTAyODIyNTYxMlowYjELMAkGA1UEBhMC VVMxCzAJBgNVBAgMAkNBMQ8wDQYDVQQKDAZHb29nbGUxFDASBgNVBAsMC0VuZ2lu ZWVyaW5nMR8wHQYDVQQDDBZHb29nbGUgRW5naW5lZXJpbmcgSUNBMFkwEwYHKoZI zj0CAQYIKoZIzj0DAQcDQgAEYQkII1J2m4lLuYr5nm4Y4W/uE0Ll/wNkli38w3kB -g7go7Hs6j0xD9Th6rtxpVt6L2YcqeNCbuSMEdb8v7zSZFaOB5TCB4jAdBgNVHQ4E +g7go7Hs6j0xD9Th6rtxpVt6L2YcqeNCbuSMEdb8v7zSZFaOB4jCB3zAdBgNVHQ4E FgQU/lhK51N5DP2GAaMS+zLTwbgi0RIwgZ8GA1UdIwSBlzCBlIAU/lhK51N5DP2G AaMS+zLTwbgi0RKhZqRkMGIxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEPMA0G A1UECgwGR29vZ2xlMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEfMB0GA1UEAwwWR29v -Z2xlIEVuZ2luZWVyaW5nIElDQYIUR7zbZxY2lxH6tUOJcmi1PJX9G5cwEgYDVR0T -AQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAYYwCgYIKoZIzj0EAwIDSQAwRgIhANhC -yBYH+QFtpyUTDJpNOYHqpYEDq2G2YbX8TqrrEKM7AiEA+ScDPRVz54Ra2fKi7Ggz -oquz3y9HDoQycPLiNihm5TM= +Z2xlIEVuZ2luZWVyaW5nIElDQYIUG0NwWZ6+cxC7v+kO6zyiRNjbB64wDwYDVR0T +AQH/BAUwAwEB/zALBgNVHQ8EBAMCAYYwCgYIKoZIzj0EAwIDSQAwRgIhAJiPs5uH +cbsQqf5sL33xJP2QjgqiAl1SuQn3axk3OxmLAiEAi85Nj0coqJ46qdSdQ78msnMf +a75PcoVcLy67k6leXuw= -----END CERTIFICATE-----