Skip to content

feat: Add real mldas87 cert and csr to rom #2060

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 12 commits into from
May 16, 2025
Merged

Conversation

ArthurHeymans
Copy link
Contributor

@ArthurHeymans ArthurHeymans commented Mar 31, 2025

The previous certificates were handcrafted and most certainly not correct.

For now this uses out of tree code to generate cert and csr based on existing code, but using rustcrypto instead of openssl. Later work will try to integrate that code into caliptra-x509 build.rs.

The repo for generating these tbs is
"https://github.com/ArthurHeymans/test-rustcrypto-mldsa"

A difference is that x509-cert from rustcrypto always uses UTC time rather than General time which has a 2049 date limit and uses 13 instead of 15 bytes.

This also updates the smoke test for idev_id. It uses rustcrypto to verify the signature.

Copy link
Collaborator

@jhand2 jhand2 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please check in the code used to generate these templates. It's ok if it's in a separate crate (even a separate workspace if necessary), but we shouldn't check in binaries without also reviewing how they were generated.

@ArthurHeymans ArthurHeymans force-pushed the RealMldsa87CsrAndCert branch 2 times, most recently from db4ea23 to 3617b2c Compare March 31, 2025 17:13
@ArthurHeymans
Copy link
Contributor Author

Please check in the code used to generate these templates. It's ok if it's in a separate crate (even a separate workspace if necessary), but we shouldn't check in binaries without also reviewing how they were generated.

Alright that turned out to be easier than expected :-D

@ArthurHeymans ArthurHeymans force-pushed the RealMldsa87CsrAndCert branch from 3617b2c to e2764e1 Compare March 31, 2025 17:42
@mhatrevi mhatrevi added the Caliptra v2.0 Items slated for v2.0 Release label Apr 3, 2025
@ArthurHeymans ArthurHeymans force-pushed the RealMldsa87CsrAndCert branch 2 times, most recently from fb82048 to 9909bfc Compare April 9, 2025 13:38
@ArthurHeymans ArthurHeymans force-pushed the RealMldsa87CsrAndCert branch 4 times, most recently from e4c25f4 to 3010c7c Compare April 23, 2025 20:09
jhand2
jhand2 previously approved these changes Apr 24, 2025
Copy link
Collaborator

@jhand2 jhand2 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approving to remove block since I will be out for a couple weeks. But I would appreciate if you can address the couple comments before merging.

@ArthurHeymans ArthurHeymans force-pushed the RealMldsa87CsrAndCert branch 2 times, most recently from 292adce to ca6f2df Compare April 26, 2025 12:57
mhatrevi
mhatrevi previously approved these changes Apr 28, 2025
@ArthurHeymans ArthurHeymans force-pushed the RealMldsa87CsrAndCert branch 4 times, most recently from f2434f7 to 6f6dfa6 Compare May 7, 2025 14:01
@ArthurHeymans ArthurHeymans force-pushed the RealMldsa87CsrAndCert branch from d2b388e to 41b5574 Compare May 13, 2025 04:41
@mhatrevi mhatrevi force-pushed the RealMldsa87CsrAndCert branch from 41b5574 to 0bd7f58 Compare May 15, 2025 19:56
The previous certificates were handcrafted and most certainly not
correct.

For now this uses out of tree code to generate cert and csr based on
existing code, but using rustcrypto instead of openssl. Later work will
try to integrate that code into caliptra-x509 build.rs.

The repo for generating these tbs is
"https://github.com/ArthurHeymans/test-rustcrypto-mldsa"

A difference is that x509-cert from rustcrypto always uses UTC time
rather than General time which has a 2049 date limit and uses 13 instead
of 15 bytes.

Signed-off-by: Arthur Heymans <[email protected]>
Signed-off-by: Arthur Heymans <[email protected]>
To avoid conflicting dependencies that we already use for rustcrypto add
this empty workspace crate that can generate all the cert and csr
templates.

To run it and update existing TBS templates:
cd x509/ml-dsa
OUT_DIR=../build cargo run

Signed-off-by: Arthur Heymans <[email protected]>
Signed-off-by: Arthur Heymans <[email protected]>
This will be used by rustcrypto cert generation

Signed-off-by: Arthur Heymans <[email protected]>
The DER filed is separatly valided and txt is generated with openssl
3.5.0. (No rust bindings for now)

Signed-off-by: Arthur Heymans <[email protected]>
The openssl binding don't support using MLDSA directly but the
abstracted version can still verify the self signed CSR and print out a
text format so do that.

Signed-off-by: Arthur Heymans <[email protected]>
@mhatrevi mhatrevi force-pushed the RealMldsa87CsrAndCert branch from 0bd7f58 to 6f61cc5 Compare May 15, 2025 20:13
@mhatrevi mhatrevi enabled auto-merge (squash) May 15, 2025 20:44
@mhatrevi mhatrevi merged commit fe0ac50 into main-2.x May 16, 2025
8 of 9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Caliptra v2.0 Items slated for v2.0 Release
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants