feat: Add real mldas87 cert and csr to rom #2060


Open: wants to merge 8 commits into base: main-2.x from RealMldsa87CsrAndCert

Conversation

ArthurHeymans (Contributor):

The previous certificates were handcrafted and most certainly not correct.

For now this uses out-of-tree code to generate the cert and csr based on existing code, but using rustcrypto instead of openssl. Later work will try to integrate that code into the caliptra-x509 build.rs.

The repo for generating these tbs is
"https://github.com/ArthurHeymans/test-rustcrypto-mldsa"

A difference is that x509-cert from rustcrypto always uses UTC time rather than General time which has a 2049 date limit and uses 13 instead of 15 bytes.
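As an added illustration of the UTCTime versus GeneralizedTime point in the description above (example code written for this page, not code from Caliptra or from the test-rustcrypto-mldsa repo): RFC 5280 requires UTCTime, with a 13-byte "YYMMDDHHMMSSZ" body, for dates through 2049 and GeneralizedTime, with a 15-byte "YYYYMMDDHHMMSSZ" body, from 2050 on. The encoder below picks the tag by year, and the decoder shows why a UTCTime cannot carry a 2050+ notAfter date. The `Time` struct and all function names are this example's own, not the x509-cert API.

```rust
// Added example, not Caliptra project code: DER encoding of X.509 Validity times as RFC 5280
// specifies them, contrasting UTCTime (13-byte body, years <= 2049) with GeneralizedTime (15 bytes).
const TAG_UTC_TIME: u8 = 0x17;
const TAG_GENERALIZED_TIME: u8 = 0x18;
/// Calendar fields of a timestamp (constructed input; no clock access, no calendar validation).
#[derive(Clone, Copy, Debug, PartialEq)]
pub struct Time { pub year: u32, pub month: u8, pub day: u8, pub hour: u8, pub min: u8, pub sec: u8 }
/// RFC 5280 4.1.2.5: dates through 2049 MUST be UTCTime, 2050 and later GeneralizedTime.
pub fn encode_time_rfc5280(t: &Time) -> Vec<u8> {
    if t.year <= 2049 { encode_utc_time(t) } else { encode_generalized_time(t) }
}
/// UTCTime: tag 0x17, 13-byte "YYMMDDHHMMSSZ" body; the two-digit year cannot express 2050+.
pub fn encode_utc_time(t: &Time) -> Vec<u8> {
    let body = format!("{:02}{:02}{:02}{:02}{:02}{:02}Z", t.year % 100, t.month, t.day, t.hour, t.min, t.sec);
    der_tlv(TAG_UTC_TIME, body.as_bytes())
}
/// GeneralizedTime: tag 0x18, 15-byte "YYYYMMDDHHMMSSZ" body.
pub fn encode_generalized_time(t: &Time) -> Vec<u8> {
    let body = format!("{:04}{:02}{:02}{:02}{:02}{:02}Z", t.year, t.month, t.day, t.hour, t.min, t.sec);
    der_tlv(TAG_GENERALIZED_TIME, body.as_bytes())
}
/// Tag-length-value with a short-form length byte; both time bodies are far below 128 bytes.
fn der_tlv(tag: u8, body: &[u8]) -> Vec<u8> {
    let mut out = vec![tag, body.len() as u8];
    out.extend_from_slice(body);
    out
}
/// Decode a DER time TLV, applying the UTCTime pivot (YY >= 50 -> 19YY, else 20YY).
/// Returns None for an unknown tag, wrong length, missing trailing 'Z' or non-digit content.
pub fn decode_time(der: &[u8]) -> Option<Time> {
    let (tag, len) = (*der.first()?, *der.get(1)? as usize);
    let body = der.get(2..2 + len)?;
    if *body.last()? != b'Z' { return None; }
    let digits = std::str::from_utf8(&body[..len - 1]).ok()?;
    if !digits.bytes().all(|b| b.is_ascii_digit()) { return None; }
    let num = |s: &str| s.parse::<u32>().ok();
    let (year, rest) = match (tag, len) {
        (TAG_UTC_TIME, 13) => { let yy = num(&digits[..2])?; (if yy >= 50 { 1900 + yy } else { 2000 + yy }, &digits[2..]) }
        (TAG_GENERALIZED_TIME, 15) => (num(&digits[..4])?, &digits[4..]),
        _ => return None,
    };
    let field = |i: usize| num(&rest[i..i + 2]).map(|v| v as u8);
    Some(Time { year, month: field(0)?, day: field(2)?, hour: field(4)?, min: field(6)?, sec: field(8)? })
}

fn main() {
    let late = Time { year: 2060, month: 1, day: 1, hour: 0, min: 0, sec: 0 };
    let utc = encode_utc_time(&late); // 13-byte body, but 2060 reads back as 1960
    println!("UTCTime: {} bytes total, decodes to year {:?}", utc.len(), decode_time(&utc).map(|t| t.year));
    println!("RFC 5280 choice for 2060: {} bytes total", encode_time_rfc5280(&late).len());
}
```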

jhand2 (Collaborator) left a comment:


Please check in the code used to generate these templates. It's ok if it's in a separate crate (even a separate workspace if necessary), but we shouldn't check in binaries without also reviewing how they were generated.

@ArthurHeymans ArthurHeymans force-pushed the RealMldsa87CsrAndCert branch 2 times, most recently from db4ea23 to 3617b2c Compare March 31, 2025 17:13
ArthurHeymans (Contributor, Author):

> Please check in the code used to generate these templates. It's ok if it's in a separate crate (even a separate workspace if necessary), but we shouldn't check in binaries without also reviewing how they were generated.

Alright, that turned out to be easier than expected :-D

@ArthurHeymans ArthurHeymans force-pushed the RealMldsa87CsrAndCert branch from 3617b2c to e2764e1 Compare March 31, 2025 17:42
@mhatrevi mhatrevi added the Caliptra v2.0 Items to be considered for v2.0 Release label Apr 3, 2025
@ArthurHeymans ArthurHeymans force-pushed the RealMldsa87CsrAndCert branch 2 times, most recently from fb82048 to 9909bfc Compare April 9, 2025 13:38
@ArthurHeymans ArthurHeymans force-pushed the RealMldsa87CsrAndCert branch 4 times, most recently from e4c25f4 to 3010c7c Compare April 23, 2025 20:09
jhand2 (Collaborator) previously approved these changes Apr 24, 2025 and left a comment:


Approving to remove the block since I will be out for a couple of weeks. But I would appreciate it if you can address the couple of comments before merging.

@ArthurHeymans ArthurHeymans force-pushed the RealMldsa87CsrAndCert branch 2 times, most recently from 292adce to ca6f2df Compare April 26, 2025 12:57
mhatrevi previously approved these changes Apr 28, 2025
The previous certificates were handcrafted and most certainly not
correct.

For now this uses out-of-tree code to generate the cert and csr based on
existing code, but using rustcrypto instead of openssl. Later work will
try to integrate that code into the caliptra-x509 build.rs.

The repo for generating these tbs is
"https://github.com/ArthurHeymans/test-rustcrypto-mldsa"

A difference is that x509-cert from rustcrypto always uses UTC time
rather than General time which has a 2049 date limit and uses 13 instead
of 15 bytes.

Signed-off-by: Arthur Heymans <[email protected]>
Signed-off-by: Arthur Heymans <[email protected]>
To avoid conflicting with dependencies that we already use for rustcrypto, add
this empty workspace crate that can generate all the cert and csr
templates.

To run it and update existing TBS templates:
cd x509/ml-dsa
OUT_DIR=../build cargo run

Signed-off-by: Arthur Heymans <[email protected]>
Signed-off-by: Arthur Heymans <[email protected]>
This will be used by rustcrypto cert generation

Signed-off-by: Arthur Heymans <[email protected]>