[manuf] only verify X.509 DICE chain with openssl

DICE certs can be generated in X.509 or CWT format during perso. OpenSSL can only verify X.509 cert chains. This updates the perso flow to only check if the DICE cert chain verifies successfully if the certs are X.509 format until a new tool (`hwtrust`) can be used to validate the CWT chain. Signed-off-by: Tim Trippel <[email protected]>
lowRISC · Nov 21, 2024 · adeff87 · adeff87
1 parent 080b32c
commit adeff87
Showing 1 changed file with 7 additions and 5 deletions.
diff --git a/sw/host/provisioning/ft_lib/src/lib.rs b/sw/host/provisioning/ft_lib/src/lib.rs
@@ -440,19 +440,21 @@ fn provision_certificates(
 
     // Validate the certificate endorsements with OpenSSL.
     // TODO(lowRISC/opentitan:#24281): Add CWT verifier
-    log::info!("Validating DICE certificate chain with OpenSSL ...");
-    validate_cert_chain(ca_certificate.to_str().unwrap(), &dice_cert_chain)?;
-    log::info!("Success.");
-    log::info!("Validating SKU-specific certificates with OpenSSL ...");
+    if !dice_cert_chain.is_empty() {
+        log::info!("Validating DICE certificate chain with OpenSSL ...");
+        validate_cert_chain(ca_certificate.to_str().unwrap(), &dice_cert_chain)?;
+        log::info!("Success.");
+    }
     if !sku_specific_certs.is_empty() {
+        log::info!("Validating SKU-specific certificates with OpenSSL ...");
         for sku_specific_cert in sku_specific_certs.iter() {
             validate_cert_chain(
                 ca_certificate.to_str().unwrap(),
                 &[sku_specific_cert.clone()],
             )?;
         }
+        log::info!("Success.");
     }
-    log::info!("Success.");
 
     Ok(())
 }