Fix oversight in example cert chain verification

embediver · embediver · commit eccfdbea082b · 2026-02-23T17:00:04.000+01:00
The CA cert was skipped by mistake.
This would allow an attacker to supply a forged chain,
where the CA certs signature is still the expected.
diff --git a/examples/spdm_requester.rs b/examples/spdm_requester.rs
@@ -589,7 +589,7 @@ fn verify_cert_chain(chain: &[Certificate]) -> bool {
             .unwrap(),
     )
     .unwrap();
-    for cert in chain.iter().skip(1) {
+    for cert in chain.iter() {
         let sig = Signature::from_der(cert.signature().as_bytes().unwrap()).unwrap();
         if !pub_key
             .verify(&cert.tbs_certificate().to_der().unwrap(), &sig)

Original file line number	Diff line number	Diff line change
`@@ -589,7 +589,7 @@ fn verify_cert_chain(chain: &[Certificate]) -> bool {`
`589`	`589`	`.unwrap(),`
`590`	`590`	`)`
`591`	`591`	`.unwrap();`
`592`		`- for cert in chain.iter().skip(1) {`
	`592`	`+ for cert in chain.iter() {`
`593`	`593`	`let sig = Signature::from_der(cert.signature().as_bytes().unwrap()).unwrap();`
`594`	`594`	`if !pub_key`
`595`	`595`	`.verify(&cert.tbs_certificate().to_der().unwrap(), &sig)`