-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Certificate verification fails if the certificate being verified does not contain the relevant extensions #11042
Comments
The certificate can be verified by openssl
or pyOpenSSL
|
OK it turned out the verification fails even with openssl when strict mode is enabled ...
|
Since the issue is also detected by openssl, I've reported the issue in virtee/snpguest#57 (comment) . |
Our verifier currently is based on the WebPKI, which requires AKIs. This doesn't prohibit us having alternate verification options in the future (e.g., our client verifier), although some API discussion would be needed to determine what makes sense. One concern I have is that it's not clear to me that AMD did the diligence to understand X.509 and generate proper certificates as opposed to just doing some quick empirical checks against existing implementations. Separately, our error message would be more useful if it explained what required extensions were missing. cc @woodruffw for when he's back from vacation 😄 |
Thanks for the ping @reaperhulk! 100% agreed about improving the error message; I can take a poke at that sometime in the coming days. See also #10276 (comment) for a similar request (Intel SGX instead of AMD SEV, but also caused by profile variants). |
Looping back: #11162 improved the extension error messages here. |
I have this issue while using only cryptography. I made sure to have AKI in my root CA and certs (no intermediates in my application) and I still get this message "cryptography.hazmat.bindings._rust.x509.VerificationError: validation failed: Certificate is missing required extension" during verification. |
We're all volunteers working on an OSS project, no, we don't have an ETA. |
Problem description
I'm trying to verify the VCEK certificate published by AMD. According to the document VCEK is supposed to be verified by ARK (root certificate) and ASK (intermediate certificate).
However verification consistently fails because of
Certificate is missing required extension
.I suspect "the missing required extension" is Authority Key Identifier (or Subject Key Identifier) . RFC5280 states that
To facilitate certification path construction, this extension MUST appear in all conforming CA certificates
while it also states thatConforming CAs MUST mark this extension as non-critical.
I'm wondering if it makes sense that cryptography would ignore missing Subject Key Identifier field, if the field is supposed to be always non-critical.Versions
Certificate contents
certs/vcek.pem
certs/ask.pem
certs/ark.pem
The text was updated successfully, but these errors were encountered: