fix the validation logic to compare the full DN

Signed-off-by: Jun Kimura <jun.kimura@datachain.jp>

Author: bluele

crates/collaterals/src/certs.rs

@@ -4,7 +4,9 @@ use crate::{
 };
 use anyhow::bail;
 use dcap_types::cert::{
-    SgxExtensions, SGX_PCK_CERT_CN, SGX_PCK_PLATFORM_CA_CN, SGX_PCK_PROCESSOR_CA_CN,
+    SgxExtensions, INTEL_SGX_COUNTRY_NAME, INTEL_SGX_LOCALITY_NAME, INTEL_SGX_ORGANIZATION_NAME,
+    INTEL_SGX_PCK_CERT_COMMON_NAME, INTEL_SGX_PCK_PLATFORM_CA_COMMON_NAME,
+    INTEL_SGX_PCK_PROCESSOR_CA_COMMON_NAME, INTEL_SGX_STATE_OR_PROVINCE_NAME,
 };
 use openssl::{
     asn1::{Asn1Integer, Asn1Object, Asn1OctetString, Asn1Time},
@@ -202,20 +204,20 @@ pub enum PckCa {
 impl PckCa {
     /// Create a PckCa from the CN of the certificate
     pub fn from_cn(cn: &str) -> Result<Self, anyhow::Error> {
-        if cn == SGX_PCK_PROCESSOR_CA_CN {
+        if cn == INTEL_SGX_PCK_PROCESSOR_CA_COMMON_NAME {
             Ok(PckCa::Processor)
-        } else if cn == SGX_PCK_PLATFORM_CA_CN {
+        } else if cn == INTEL_SGX_PCK_PLATFORM_CA_COMMON_NAME {
             Ok(PckCa::Platform)
         } else {
-            bail!("Invalid PCK CA CN: {}", cn)
+            bail!("Invalid PCK CA CN: {}", cn);
         }
     }
 
     /// Get the CN of the PckCa
     pub fn cn(&self) -> &'static str {
         match self {
-            PckCa::Processor => SGX_PCK_PROCESSOR_CA_CN,
-            PckCa::Platform => SGX_PCK_PLATFORM_CA_CN,
+            PckCa::Processor => INTEL_SGX_PCK_PROCESSOR_CA_COMMON_NAME,
+            PckCa::Platform => INTEL_SGX_PCK_PLATFORM_CA_COMMON_NAME,
         }
     }
 
@@ -298,7 +300,7 @@ pub fn gen_pck_cert(
         Asn1Integer::from_bn(BigNum::from_slice(calc_skid(pck_cert_pkey).as_slice())?.as_ref())?
             .as_ref(),
     )?;
-    builder.set_subject_name(build_x509_name(SGX_PCK_CERT_CN)?.as_ref())?;
+    builder.set_subject_name(build_x509_name(INTEL_SGX_PCK_CERT_COMMON_NAME)?.as_ref())?;
     builder.set_pubkey(pck_cert_pkey)?;
 
     builder.set_not_before(&validity.not_before())?;
@@ -463,10 +465,26 @@ impl Validity {
 pub fn build_x509_name(cn: &str) -> Result<X509Name, ErrorStack> {
     let mut builder = X509Name::builder()?;
     builder.append_entry_by_text("CN", cn)?;
-    builder.append_entry_by_text("O", "Intel Corporation")?;
-    builder.append_entry_by_text("L", "Santa Clara")?;
-    builder.append_entry_by_text("ST", "CA")?;
-    builder.append_entry_by_text("C", "US")?;
+    builder.append_entry_by_text("O", INTEL_SGX_ORGANIZATION_NAME)?;
+    builder.append_entry_by_text("L", INTEL_SGX_LOCALITY_NAME)?;
+    builder.append_entry_by_text("ST", INTEL_SGX_STATE_OR_PROVINCE_NAME)?;
+    builder.append_entry_by_text("C", INTEL_SGX_COUNTRY_NAME)?;
+    Ok(builder.build())
+}
+
+pub fn build_x509_name_with_values(
+    cn: &str,
+    o: &str,
+    l: &str,
+    st: &str,
+    c: &str,
+) -> Result<X509Name, ErrorStack> {
+    let mut builder = X509Name::builder()?;
+    builder.append_entry_by_text("CN", cn)?;
+    builder.append_entry_by_text("O", o)?;
+    builder.append_entry_by_text("L", l)?;
+    builder.append_entry_by_text("ST", st)?;
+    builder.append_entry_by_text("C", c)?;
     Ok(builder.build())
 }
 

crates/pcs/src/client.rs

@@ -1,5 +1,7 @@
 use anyhow::{anyhow, bail, Error};
-use dcap_quote_verifier::cert::{get_x509_subject_cn, parse_certchain};
+use dcap_quote_verifier::cert::{
+    is_sgx_pck_platform_ca_dn, is_sgx_pck_processor_ca_dn, parse_certchain,
+};
 use dcap_quote_verifier::collateral::QvCollateral;
 use dcap_quote_verifier::sgx_extensions::extract_sgx_extensions;
 use dcap_types::quotes::CertData;
@@ -97,17 +99,14 @@ impl PCSClient {
         let qe_identity_json =
             http_get(format!("{base_url}/qe/identity?update={update_policy}"))?.text()?;
 
-        let pck_crl_url = match get_x509_subject_cn(pck_cert_issuer).as_str() {
-            "Intel SGX PCK Platform CA" => {
-                format!("{pcs_url}/sgx/certification/v4/pckcrl?ca=platform&encoding=der")
-            }
-            "Intel SGX PCK Processor CA" => {
-                format!("{pcs_url}/sgx/certification/v4/pckcrl?ca=processor&encoding=der")
-            }
-            cn => {
-                bail!("unknown PCK issuer: {}", cn);
-            }
+        let pck_crl_url = if is_sgx_pck_platform_ca_dn(pck_cert_issuer.subject())? {
+            format!("{pcs_url}/sgx/certification/v4/pckcrl?ca=platform&encoding=der")
+        } else if is_sgx_pck_processor_ca_dn(pck_cert_issuer.subject())? {
+            format!("{pcs_url}/sgx/certification/v4/pckcrl?ca=processor&encoding=der")
+        } else {
+            bail!("unknown PCK issuer");
         };
+
         let sgx_pck_crl_der = http_get(pck_crl_url)?.bytes()?.to_vec();
 
         let sgx_root_cert_der = http_get(format!(