From 2b1d413b0d62a7c1915c3b9a6cb63c64154525fa Mon Sep 17 00:00:00 2001
From: Juergen Repp
Date: Tue, 26 Dec 2023 23:29:28 +0100
Subject: [PATCH] FAPI: Fix intermediate self signed certificate.

If a certificate which is downloaded from the uri defined in the EK certificate is self signed it can't be verified. It will not be stored in the certificate store. Self signed certificates have to be defined in the list of root certificates of FAPI.

Fixes #2738

Signed-off-by: Juergen Repp
---
 src/tss2-fapi/ifapi_curl.c | 52 +++++++++++++++++++++++++-------------
 1 file changed, 34 insertions(+), 18 deletions(-)

diff --git a/src/tss2-fapi/ifapi_curl.c b/src/tss2-fapi/ifapi_curl.c
index 01f6e139f..c07f06907 100644
--- a/src/tss2-fapi/ifapi_curl.c
+++ b/src/tss2-fapi/ifapi_curl.c
@@ -118,6 +118,19 @@ get_crl_from_cert(X509 *cert, X509_CRL **crl)
     return r;
 }
 
+static bool
+is_self_signed(X509 *cert) {
+    X509_NAME *issuer = X509_get_issuer_name(cert);
+    X509_NAME *subject = X509_get_subject_name(cert);
+
+    /* Compare the issuer and subject names */
+    if (X509_NAME_cmp(issuer, subject) == 0) {
+        return true;
+    } else {
+        return false;
+    }
+}
+
 /**
  * Verify EK certificate read from TPM.
  *
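Review bot: `is_self_signed` classifies a certificate by name comparison alone (`X509_NAME_cmp(issuer, subject) == 0`), which does not establish that the certificate was signed with its own key; any certificate whose issuer merely equals its subject is treated the same way, and the caller in the second hunk then neither verifies nor stores it. OpenSSL offers stronger tests: `X509_check_issued(cert, cert) == X509_V_OK` also matches the authority and subject key identifiers, and on OpenSSL 3.0 `X509_self_signed(cert, 1)` additionally verifies the signature, so one of these would make the classification trustworthy rather than heuristic. The if/else can collapse to `return X509_NAME_cmp(issuer, subject) == 0;`. The function also lacks the Doxygen header used elsewhere in this file; it should state that a certificate judged self-signed is not verified and not added to the store, and that such certificates must instead be configured as FAPI root certificates, as the commit message explains.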
@@ -256,25 +269,28 @@ ifapi_curl_verify_ek_cert(
     }
 
     /* Verify intermediate certificate */
-    ctx = X509_STORE_CTX_new();
-    goto_if_null2(ctx, "Failed to create X509 store context.",
-                  r, TSS2_FAPI_RC_GENERAL_FAILURE, cleanup);
-    if (1 != X509_STORE_CTX_init(ctx, store, intermed_cert, NULL)) {
-        goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE,
-                   "Failed to initialize X509 context.", cleanup);
-    }
-    if (1 != X509_verify_cert(ctx)) {
-        LOG_ERROR("%s", X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx)));
-        goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE,
-                   "Failed to verify intermediate certificate", cleanup);
-    }
-    if (1 != X509_STORE_add_cert(store, intermed_cert)) {
-        goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE,
-                   "Failed to add intermediate certificate", cleanup);
-    }
+    if (!is_self_signed(intermed_cert)) {
+        ctx = X509_STORE_CTX_new();
+        goto_if_null2(ctx, "Failed to create X509 store context.",
+                      r, TSS2_FAPI_RC_GENERAL_FAILURE, cleanup);
 
-    X509_STORE_CTX_cleanup(ctx);
-    X509_STORE_CTX_free(ctx);
+        if (1 != X509_STORE_CTX_init(ctx, store, intermed_cert, NULL)) {
+            goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE,
+                       "Failed to initialize X509 context.", cleanup);
+        }
+        if (1 != X509_verify_cert(ctx)) {
+            LOG_ERROR("%s", X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx)));
+            goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE,
+                       "Failed to verify intermediate certificate", cleanup);
+        }
+        if (1 != X509_STORE_add_cert(store, intermed_cert)) {
+            goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE,
+                       "Failed to add intermediate certificate", cleanup);
+        }
+
+        X509_STORE_CTX_cleanup(ctx);
+        X509_STORE_CTX_free(ctx);
+    }
     ctx = NULL;
     ctx = X509_STORE_CTX_new();
     goto_if_null2(ctx, "Failed to create X509 store context.",
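Review bot: When `is_self_signed(intermed_cert)` is true the new branch skips both the verification and `X509_STORE_add_cert` without leaving any trace in the log, so a self-signed certificate fetched from the EK certificate's URI silently disappears and the EK verification that follows can only succeed if that same certificate is among the configured root certificates; the resulting failure is then hard to attribute. An `else` branch with a warning would make this diagnosable, e.g. `} else { LOG_WARNING("Self signed intermediate certificate is not added to the store; it must be configured as a FAPI root certificate."); }`. Because the classification rests on issuer and subject names alone, a short comment at the `if` explaining why such a certificate is ignored rather than reported as a verification error would also help the next reader. The enclosing function `ifapi_curl_verify_ek_cert` starts and ends outside the hunk.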