Certificate Chain Validation Tool

[steven-bellock]

This is a proposal for a certificate chain validation tool for device vendors generating certificate chains that follow DMTF / TCG / OCP Security specifications. In this context "standalone" means that the certificate chain itself is the primary input to the tool. The tool would perform standard certificate chain checks. In addition it would also check

• for the presence of mandatory OIDs and fields
• for the absence of forbidden OIDs and fields
• that the certificate chain is encoded correctly

against the relevant DMTF / TCG / OCP Security specifications. The specifications of interest include

1. IETF RFC5280
2. DMTF DSP274
3. TCG DICE Attestation Architecture
4. TCG DICE Concise Evidence Binding for SPDM

[alistair23]

SPDM-Utils has support for this, it's not standalone, but it shouldn't be too hard to make it standalone

[steven-bellock]

Does x509_parser have strict DER checking? Ie, it would flag something like DMTF/libspdm#3419 if it was improperly DER-encoded?

[alistair23]

Ah, that's interesting.

We wouldn't catch that, we leave SPDM spec checks to libspdm and are only checking "TCG DICE Concise Evidence Binding for SPDM" compliance.

x509_parser doesn't seem to have strict checking, but we could implement a validator to check things like that.

[steven-bellock]

chipsalliance/caliptra-dpe#513 provides additional motivation.

[bluegate010]

+1 to using an existing foundation if one is nearly there.