Skip to content

feat: Add real mldas87 cert and csr to rom #2060

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 12 commits into from
May 16, 2025
Merged

feat: Add real mldas87 cert and csr to rom #2060

merged 12 commits into from
May 16, 2025

Conversation

ArthurHeymans
Copy link
Contributor

@ArthurHeymans ArthurHeymans commented Mar 31, 2025
edited
Loading

The previous certificates were handcrafted and most certainly not correct.

For now this uses out of tree code to generate cert and csr based on existing code, but using rustcrypto instead of openssl. Later work will try to integrate that code into caliptra-x509 build.rs.

The repo for generating these tbs is
"https://github.com/ArthurHeymans/test-rustcrypto-mldsa"

A difference is that x509-cert from rustcrypto always uses UTC time rather than General time which has a 2049 date limit and uses 13 instead of 15 bytes.

This also updates the smoke test for idev_id. It uses rustcrypto to verify the signature.

jhand2
jhand2 requested changes Mar 31, 2025
View reviewed changes
Copy link
Collaborator

@jhand2 jhand2 left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please check in the code used to generate these templates. It's ok if it's in a separate crate (even a separate workspace if necessary), but we shouldn't check in binaries without also reviewing how they were generated.

@ArthurHeymans ArthurHeymans force-pushed the RealMldsa87CsrAndCert branch 2 times, most recently from db4ea23 to 3617b2c Compare March 31, 2025 17:13
@ArthurHeymans
Copy link
Contributor Author

Please check in the code used to generate these templates. It's ok if it's in a separate crate (even a separate workspace if necessary), but we shouldn't check in binaries without also reviewing how they were generated.

Alright that turned out to be easier than expected :-D

@ArthurHeymans ArthurHeymans force-pushed the RealMldsa87CsrAndCert branch from 3617b2c to e2764e1 Compare March 31, 2025 17:42
@mhatrevi mhatrevi added the Caliptra v2.0 Items slated for v2.0 Release label Apr 3, 2025
@ArthurHeymans ArthurHeymans force-pushed the RealMldsa87CsrAndCert branch 2 times, most recently from fb82048 to 9909bfc Compare April 9, 2025 13:38
@ArthurHeymans ArthurHeymans force-pushed the RealMldsa87CsrAndCert branch 4 times, most recently from e4c25f4 to 3010c7c Compare April 23, 2025 20:09
jhand2
jhand2 reviewed Apr 24, 2025
View reviewed changes
jhand2
jhand2 reviewed Apr 24, 2025
View reviewed changes
jhand2
jhand2 reviewed Apr 24, 2025
View reviewed changes
jhand2
jhand2 previously approved these changes Apr 24, 2025
View reviewed changes
Copy link
Collaborator

@jhand2 jhand2 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approving to remove block since I will be out for a couple weeks. But I would appreciate if you can address the couple comments before merging.

@ArthurHeymans ArthurHeymans force-pushed the RealMldsa87CsrAndCert branch 2 times, most recently from 292adce to ca6f2df Compare April 26, 2025 12:57
mhatrevi
mhatrevi previously approved these changes Apr 28, 2025
View reviewed changes
@ArthurHeymans ArthurHeymans force-pushed the RealMldsa87CsrAndCert branch 4 times, most recently from f2434f7 to 6f6dfa6 Compare May 7, 2025 14:01
mhatrevi
mhatrevi reviewed May 9, 2025
View reviewed changes
mhatrevi
mhatrevi reviewed May 9, 2025
View reviewed changes
@ArthurHeymans ArthurHeymans force-pushed the RealMldsa87CsrAndCert branch from d2b388e to 41b5574 Compare May 13, 2025 04:41
@mhatrevi mhatrevi force-pushed the RealMldsa87CsrAndCert branch from 41b5574 to 0bd7f58 Compare May 15, 2025 19:56
@ArthurHeymans @mhatrevi
feat: Add real mldas87 cert and csr to rom
dfd6f81 
The previous certificates were handcrafted and most certainly not
correct.

For now this uses out of tree code to generate cert and csr based on
existing code, but using rustcrypto instead of openssl. Later work will
try to integrate that code into caliptra-x509 build.rs.

The repo for generating these tbs is
"https://github.com/ArthurHeymans/test-rustcrypto-mldsa"

A difference is that x509-cert from rustcrypto always uses UTC time
rather than General time which has a 2049 date limit and uses 13 instead
of 15 bytes.

Signed-off-by: Arthur Heymans <[email protected]>
@ArthurHeymans @mhatrevi
Delete unused tbs templates
c2e3168 
Signed-off-by: Arthur Heymans <[email protected]>
@ArthurHeymans @mhatrevi
Add code to generate x509 tbs for ml-dsa87
e661a7b 
To avoid conflicting dependencies that we already use for rustcrypto add
this empty workspace crate that can generate all the cert and csr
templates.

To run it and update existing TBS templates:
cd x509/ml-dsa
OUT_DIR=../build cargo run

Signed-off-by: Arthur Heymans <[email protected]>
@ArthurHeymans @mhatrevi
Update LDEVID_ID TBS size
1660052 
Signed-off-by: Arthur Heymans <[email protected]>
@ArthurHeymans @mhatrevi
move building ml-dsa certs into workspace
063326c 
Signed-off-by: Arthur Heymans <[email protected]>
@ArthurHeymans @mhatrevi
Move tbs code around
64fd9ce 
This will be used by rustcrypto cert generation

Signed-off-by: Arthur Heymans <[email protected]>
@ArthurHeymans @mhatrevi
Move ml-dsa generation code into x509 build.rs
02e2398 
Signed-off-by: Arthur Heymans <[email protected]>
@ArthurHeymans @mhatrevi
fix: Linting issues in tbs templates
26c7d39 
Signed-off-by: Arthur Heymans <[email protected]>
@ArthurHeymans @mhatrevi
fix: Fix MLDSA signature DER encoding
4fa7f13 
Signed-off-by: Arthur Heymans <[email protected]>
@ArthurHeymans @mhatrevi
feat: add mldsa IDEV ID smoke tests using rustcrypto
e1fdf50 
The DER filed is separatly valided and txt is generated with openssl
3.5.0. (No rust bindings for now)

Signed-off-by: Arthur Heymans <[email protected]>
@ArthurHeymans @mhatrevi
Update openssl for IDEVID MLDSA smoke test
6f61cc5 
The openssl binding don't support using MLDSA directly but the
abstracted version can still verify the self signed CSR and print out a
text format so do that.

Signed-off-by: Arthur Heymans <[email protected]>
@mhatrevi mhatrevi force-pushed the RealMldsa87CsrAndCert branch from 0bd7f58 to 6f61cc5 Compare May 15, 2025 20:13
@mhatrevi mhatrevi enabled auto-merge (squash) May 15, 2025 20:44
@mhatrevi mhatrevi merged commit fe0ac50 into main-2.x May 16, 2025
8 of 9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jhand2 jhand2 jhand2 left review comments

@mhatrevi mhatrevi mhatrevi approved these changes

@FerralCoder FerralCoder Awaiting requested review from FerralCoder FerralCoder is a code owner

@rusty1968 rusty1968 Awaiting requested review from rusty1968 rusty1968 is a code owner

@bluegate010 bluegate010 Awaiting requested review from bluegate010 bluegate010 is a code owner

@swenson swenson Awaiting requested review from swenson swenson is a code owner

@vsonims vsonims Awaiting requested review from vsonims vsonims is a code owner

@ajisaxena ajisaxena Awaiting requested review from ajisaxena ajisaxena is a code owner

@jlmahowa-amd jlmahowa-amd Awaiting requested review from jlmahowa-amd jlmahowa-amd is a code owner

@korran korran Awaiting requested review from korran korran is a code owner

@JohnTraverAmd JohnTraverAmd Awaiting requested review from JohnTraverAmd JohnTraverAmd is a code owner

Assignees
No one assigned
Labels
Caliptra v2.0 Items slated for v2.0 Release
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@ArthurHeymans @jhand2 @mhatrevi