Add support for the DiceTcbInfo x509 extension.

flihp · flihp · commit 75c57b9680c7 · 2025-03-17T11:37:43.000-07:00
This extension is defined in the TCG Dice Attestation Architecture spec
v1.0.0 in §6.1.1. We only support the `fwids` data field from the
DiceTcbInfo extension. Additional fields may be implemented as needed.

The TCG spec states that certs with the DiceTcbInfo extension MUST
include the RFC 5288 AuthorityKeyIdentifier. We do not enforce this
restriction but our implementation does not preclude the generation of a
conformant cert chain from the KDL.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -9,6 +9,7 @@ license = "MPL-2.0"
 [dependencies]
 clap = { version = "4.5.31", features = ["derive"] }
 const-oid = { version = "0.9.6", features = ["db"] }
+der = { version = "0.7.9", features = ["std"] }
 digest = "0.10.7"
 ed25519-dalek = { version = "2.1.1", features = ["pem", "rand_core", "std", "zeroize"] }
 flagset = "0.4.6"
diff --git a/examples/dice-tcb-info/config.kdl b/examples/dice-tcb-info/config.kdl
@@ -0,0 +1,111 @@
+key-pair "root" {
+    ed25519
+}
+
+entity "root" {
+    country-name "US"
+    organization-name "foo"
+    common-name "root"
+}
+
+certificate "root" {
+    issuer-entity "root"
+    issuer-key "root"
+
+    subject-entity "root"
+    subject-key "root"
+
+    not-after "9999-12-31T23:59:59Z"
+    serial-number "00"
+
+    extensions {
+        basic-constraints critical=true ca=true
+        subject-key-identifier critical=false
+
+        key-usage critical=true {
+            key-cert-sign
+            crl-sign
+        }
+
+        certificate-policies critical=true {
+            tcg-dice-kp-identity-init
+            tcg-dice-kp-attest-init
+            tcg-dice-kp-eca
+        }
+    }
+}
+
+key-pair "device-id" {
+    ed25519
+}
+
+entity "device-id" {
+    country-name "US"
+    organization-name "foo"
+    common-name "device-id"
+}
+
+certificate "device-id" {
+    issuer-certificate "root"
+    issuer-key "root"
+
+    subject-entity "device-id"
+    subject-key "device-id"
+
+    not-after "9999-12-31T23:59:59Z"
+    serial-number "00"
+
+    extensions {
+        basic-constraints critical=true ca=true
+        key-usage critical=true {
+            key-cert-sign
+        }
+        certificate-policies critical=true {
+            tcg-dice-kp-attest-init
+            tcg-dice-kp-eca
+        }
+    }
+}
+
+key-pair "alias" {
+    ed25519
+}
+
+entity "alias" {
+    country-name "US"
+    organization-name "foo"
+    common-name "alias"
+}
+
+certificate "alias" {
+    issuer-certificate "device-id"
+    issuer-key "device-id"
+
+    subject-entity "alias"
+    subject-key "alias"
+
+    not-after "9999-12-31T23:59:59Z"
+    serial-number "00"
+
+    extensions {
+        basic-constraints critical=true ca=true
+        key-usage critical=true {
+            digital-signature
+        }
+        certificate-policies critical=true {
+            tcg-dice-kp-attest-init
+        }
+        dice-tcb-info critical=true {
+            fwid-list {
+                fwid {
+                    digest-algorithm "sha-256"
+                    digest "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+                }
+                fwid {
+                    digest-algorithm "sha-384"
+                    digest "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+                }
+            }
+        }
+    }
+}
diff --git a/src/config.rs b/src/config.rs
@@ -125,6 +125,7 @@ pub enum X509Extensions {
     AuthorityKeyIdentifier(AuthorityKeyIdentifierExtension),
     ExtendedKeyUsage(ExtendedKeyUsageExtension),
     CertificatePolicies(CertificatePoliciesExtension),
+    DiceTcbInfo(DiceTcbInfoExtension),
 }
 
 #[derive(knuffel::Decode, Debug)]
@@ -255,6 +256,24 @@ pub enum CertificatePolicy {
     Oid(#[knuffel(argument)] String),
 }
 
+#[derive(knuffel::Decode, Debug)]
+pub struct DiceTcbInfoExtension {
+    #[knuffel(property)]
+    pub critical: bool,
+
+    #[knuffel(child, unwrap(children(name = "fwid")))]
+    pub fwid_list: Vec<Fwid>,
+}
+
+#[derive(knuffel::Decode, Debug)]
+pub struct Fwid {
+    #[knuffel(child, unwrap(argument))]
+    pub digest_algorithm: DigestAlgorithm,
+
+    #[knuffel(child, unwrap(argument))]
+    pub digest: String,
+}
+
 impl TryFrom<&CertificatePolicy> for PolicyInformation {
     type Error = miette::Error;
 
diff --git a/src/lib.rs b/src/lib.rs
@@ -3,14 +3,17 @@
 // file, You can obtain one at https://mozilla.org/MPL/2.0/.
 
 use const_oid::{AssociatedOid, ObjectIdentifier};
-use digest::Digest;
+use der::Sequence;
+use digest::{typenum::Unsigned, Digest, OutputSizeUser};
 use flagset::FlagSet;
-use miette::{IntoDiagnostic, Result};
+use miette::{IntoDiagnostic, Result, WrapErr};
 use sha1::Sha1;
+use sha2::{Sha256, Sha384, Sha512};
 use x509_cert::{
     attr::AttributeTypeAndValue,
     der::{
-        asn1::{PrintableStringRef, SetOfVec, Utf8StringRef},
+        self,
+        asn1::{OctetString, PrintableStringRef, SetOfVec, Utf8StringRef},
         Decode as _, Encode as _,
     },
     ext::pkix::{certpolicy::PolicyInformation, BasicConstraints, KeyUsage},
@@ -26,6 +29,7 @@ pub mod ed25519;
 pub mod p384;
 pub mod rsa;
 
+use crate::config::DigestAlgorithm;
 use crate::p384::P384KeyPair;
 use crate::rsa::RsaKeyPair;
 use ed25519::Ed25519KeyPair;
@@ -176,6 +180,9 @@ impl dyn Extension {
             config::X509Extensions::CertificatePolicies(x) => {
                 Ok(Box::new(CertificatePoliciesExtension::from_config(x)?))
             }
+            config::X509Extensions::DiceTcbInfo(c) => {
+                Ok(Box::new(DiceTcbInfoExtension::from_config(c)?))
+            }
         }
     }
 }
@@ -501,3 +508,113 @@ impl CertificatePoliciesExtension {
         })
     }
 }
+
+// DICE Attestation Architecture §6.1.1:
+// FWID ::== SEQUENCE {
+#[derive(Debug, Sequence)]
+pub struct Fwid {
+    // hashAlg OBJECT IDENTIFIER,
+    hash_algorithm: ObjectIdentifier,
+    // digest OCTET STRING
+    digest: OctetString,
+}
+
+impl Fwid {
+    fn from_config(config: &config::Fwid) -> Result<Self> {
+        let (hash_algorithm, length) = match config.digest_algorithm {
+            DigestAlgorithm::Sha_256 => {
+                (Sha256::OID, <Sha256 as OutputSizeUser>::OutputSize::USIZE)
+            }
+            DigestAlgorithm::Sha_384 => {
+                (Sha384::OID, <Sha384 as OutputSizeUser>::OutputSize::USIZE)
+            }
+            DigestAlgorithm::Sha_512 => {
+                (Sha512::OID, <Sha512 as OutputSizeUser>::OutputSize::USIZE)
+            }
+        };
+
+        let digest = hex::decode(&config.digest)
+            .into_diagnostic()
+            .wrap_err("Decode FWID digest")?;
+
+        if digest.len() != length {
+            return Err(miette::miette!(
+                "Unexpected digest length: expected {}, got {}",
+                length,
+                digest.len(),
+            ));
+        }
+
+        let digest = OctetString::new(digest)
+            .into_diagnostic()
+            .wrap_err("digest to OctetString")?;
+
+        Ok(Fwid {
+            digest,
+            hash_algorithm,
+        })
+    }
+}
+
+// NOTE: All fields in this structure are optional and we only implement
+// support for the ones that we currently need. Additional fields should
+// be added as needed.
+//
+// DICE Attestation Architecture §6.1.1:
+// DiceTcbInfo ::== SEQUENCE {
+#[derive(Debug, Sequence)]
+pub struct DiceTcbInfo {
+    // fwids [6] IMPLICIT FWIDLIST OPTIONAL,
+    // where FWIDLIST ::== SEQUENCE SIZE (1..MAX) OF FWID
+    #[asn1(context_specific = "6", tag_mode = "IMPLICIT", optional = "true")]
+    fwids: Option<Vec<Fwid>>,
+}
+
+#[derive(Debug)]
+pub struct DiceTcbInfoExtension {
+    der: Vec<u8>,
+    is_critical: bool,
+}
+
+impl Extension for DiceTcbInfoExtension {
+    fn oid(&self) -> ObjectIdentifier {
+        Self::OID
+    }
+
+    fn is_critical(&self) -> bool {
+        self.is_critical
+    }
+
+    fn as_der(&self) -> &[u8] {
+        &self.der
+    }
+}
+
+impl DiceTcbInfoExtension {
+    // tcg-dice-TcbInfo from ASN.1 in DICE Attestation Architecture §6.1.1
+    const OID: ObjectIdentifier = ObjectIdentifier::new_unwrap("2.23.133.5.4.1");
+
+    pub fn from_config(config: &config::DiceTcbInfoExtension) -> Result<Self> {
+        let mut fwids: Vec<Fwid> = Vec::new();
+
+        for fwid in &config.fwid_list {
+            let fwid = Fwid::from_config(fwid).wrap_err("Fwid from config")?;
+
+            fwids.push(fwid);
+        }
+
+        let fwids = if !fwids.is_empty() { Some(fwids) } else { None };
+
+        let tcb_info = DiceTcbInfo { fwids };
+
+        let der = tcb_info
+            .to_der()
+            .into_diagnostic()
+            .wrap_err("fwid list to DER")?;
+
+        Ok(DiceTcbInfoExtension {
+            der,
+            is_critical: config.critical,
+        })
+    }
+}
