diff --git a/sw/device/silicon_creator/lib/cert/cdi_0.hjson b/sw/device/silicon_creator/lib/cert/cdi_0.hjson
index dfe516d503693..54e64bab19210 100644
--- a/sw/device/silicon_creator/lib/cert/cdi_0.hjson
+++ b/sw/device/silicon_creator/lib/cert/cdi_0.hjson
@@ -79,7 +79,7 @@
 // https://pigweed.googlesource.com/open-dice/+/refs/heads/main/docs/specification.md#certificate-details
 // The standard extensions are fixed by the specification.
 basic_constraints: { ca: true },
- extensions: [
+ private_extensions: [
 {
 type: "dice_tcb_info",
 vendor: "OpenTitan",
diff --git a/sw/device/silicon_creator/lib/cert/cdi_1.hjson b/sw/device/silicon_creator/lib/cert/cdi_1.hjson
index fc8af5730a8c6..f36ce6161bac6 100644
--- a/sw/device/silicon_creator/lib/cert/cdi_1.hjson
+++ b/sw/device/silicon_creator/lib/cert/cdi_1.hjson
@@ -84,7 +84,7 @@
 // https://pigweed.googlesource.com/open-dice/+/refs/heads/main/docs/specification.md#certificate-details
 // The standard extensions are fixed by the specification.
 basic_constraints: { ca: true },
- extensions: [
+ private_extensions: [
 {
 type: "dice_tcb_info",
 vendor: "OpenTitan",
diff --git a/sw/device/silicon_creator/lib/cert/tpm_cek.hjson b/sw/device/silicon_creator/lib/cert/tpm_cek.hjson
index 5c0881923634e..e4ced49c18202 100644
--- a/sw/device/silicon_creator/lib/cert/tpm_cek.hjson
+++ b/sw/device/silicon_creator/lib/cert/tpm_cek.hjson
@@ -69,7 +69,6 @@
 },
 authority_key_identifier: { var: "auth_key_key_id" },
 subject_key_identifier: { var: "tpm_cek_pub_key_id" },
- extensions: [],
 signature: {
 algorithm: "ecdsa-with-sha256",
 value: {
diff --git a/sw/device/silicon_creator/lib/cert/tpm_cik.hjson b/sw/device/silicon_creator/lib/cert/tpm_cik.hjson
index 6eb36d8529861..104413171aaeb 100644
--- a/sw/device/silicon_creator/lib/cert/tpm_cik.hjson
+++ b/sw/device/silicon_creator/lib/cert/tpm_cik.hjson
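Review bot: Dropping `extensions: []` from tpm_cek.hjson (and likewise in the tpm_cik.hjson and tpm_ek.hjson hunks) leaves these templates with no `private_extensions` key at all, so loading them now depends on the `Certificate` field being defaulted to empty when the key is absent (for example via `#[serde(default)]`). The struct definition in sw/host/ot_certs/src/template/mod.rs is not part of this diff, so that default is presumably already in place or added elsewhere; it is worth confirming against the struct, because a missing default would make all three TPM templates fail to parse rather than fail a unit test. If omitting the key is the intended way to express "no private extensions", a one-line comment in the template such as `// No private extensions; the field defaults to empty when omitted.` would record that for the next template author.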
@@ -69,7 +69,6 @@
 },
 authority_key_identifier: { var: "auth_key_key_id" },
 subject_key_identifier: { var: "tpm_cik_pub_key_id" },
- extensions: [],
 signature: {
 algorithm: "ecdsa-with-sha256",
 value: {
diff --git a/sw/device/silicon_creator/lib/cert/tpm_ek.hjson b/sw/device/silicon_creator/lib/cert/tpm_ek.hjson
index 7b8eb431afae8..fcfa17a276d6a 100644
--- a/sw/device/silicon_creator/lib/cert/tpm_ek.hjson
+++ b/sw/device/silicon_creator/lib/cert/tpm_ek.hjson
@@ -87,7 +87,6 @@
 tpm_model: { var: "tpm_model" },
 tpm_version: { var: "tpm_version" },
 },
- extensions: [],
 signature: {
 algorithm: "ecdsa-with-sha256",
 value: {
diff --git a/sw/device/silicon_creator/lib/cert/uds.hjson b/sw/device/silicon_creator/lib/cert/uds.hjson
index 501c9c7ab8a59..2825020933b93 100644
--- a/sw/device/silicon_creator/lib/cert/uds.hjson
+++ b/sw/device/silicon_creator/lib/cert/uds.hjson
@@ -105,7 +105,7 @@
 // https://pigweed.googlesource.com/open-dice/+/refs/heads/main/docs/specification.md#certificate-details
 // The standard extensions are fixed by the specification.
 basic_constraints: { ca: true },
- extensions: [
+ private_extensions: [
 {
 type: "dice_tcb_info",
 vendor: "OpenTitan",
diff --git a/sw/host/ot_certs/src/asn1/x509.rs b/sw/host/ot_certs/src/asn1/x509.rs
index 8850637ee7a94..ec48922f53d7c 100644
--- a/sw/host/ot_certs/src/asn1/x509.rs
+++ b/sw/host/ot_certs/src/asn1/x509.rs
@@ -154,7 +154,7 @@ impl X509 {
 Self::push_key_usage_ext(builder)?;
 Self::push_auth_key_id_ext(builder, &cert.authority_key_identifier)?;
 Self::push_subject_key_id_ext(builder, &cert.subject_key_identifier)?;
- for ext in &cert.extensions {
+ for ext in &cert.private_extensions {
 Self::push_cert_extension(builder, ext)?
 }
 Ok(())
diff --git a/sw/host/ot_certs/src/template/mod.rs b/sw/host/ot_certs/src/template/mod.rs
index e0b535e0ceea5..a7de761611d28 100644
--- a/sw/host/ot_certs/src/template/mod.rs
+++ b/sw/host/ot_certs/src/template/mod.rs
@@ -456,7 +456,7 @@ mod tests {
 },
 authority_key_identifier: { var: "signing_pub_key_id" },
 subject_key_identifier: { var: "owner_pub_key_id" },
- extensions: [
+ private_extensions: [
 {
 type: "dice_tcb_info",
 vendor: "OpenTitan",
@@ -553,7 +553,7 @@ mod tests {
 subject_key_identifier: Value::variable("owner_pub_key_id"),
 basic_constraints: None,
 subject_alt_name: IndexMap::from([]),
- extensions: vec![CertificateExtension::DiceTcbInfo(DiceTcbInfoExtension {
+ private_extensions: vec![CertificateExtension::DiceTcbInfo(DiceTcbInfoExtension {
 vendor: Some(Value::literal("OpenTitan")),
 model: Some(Value::literal("ROM_EXT")),
 svn: Some(Value::variable("rom_ext_security_version")),
diff --git a/sw/host/ot_certs/src/template/subst.rs b/sw/host/ot_certs/src/template/subst.rs
index 74c1b97347562..42c3012dd1adb 100644
--- a/sw/host/ot_certs/src/template/subst.rs
+++ b/sw/host/ot_certs/src/template/subst.rs
@@ -362,8 +362,8 @@ impl Subst for Certificate {
 .basic_constraints
 .subst(data)
 .context("cannot substitute basic constraints")?,
- extensions: self
- .extensions
+ private_extensions: self
+ .private_extensions
 .iter()
 .map(|ext| ext.subst(data))
 .collect::>>()
diff --git a/sw/host/ot_certs/src/x509.rs b/sw/host/ot_certs/src/x509.rs
index 65bc74e81cd46..4b2fe2ecc3a7a 100644
--- a/sw/host/ot_certs/src/x509.rs
+++ b/sw/host/ot_certs/src/x509.rs
@@ -233,7 +233,7 @@ pub fn parse_certificate(cert: &[u8]) -> Result {
 let x509 = X509::from_der(cert).context("could not parse certificate with openssl")?;
 let raw_extensions = extension::x509_get_extensions(&x509)
 .context("could not parse X509 extensions")?;
- let mut extensions = Vec::new();
+ let mut private_extensions = Vec::new();
 let mut basic_constraints = None;
 for ext in raw_extensions {
 match ext.object.nid() {
@@ -252,7 +252,7 @@ pub fn parse_certificate(cert: &[u8]) -> Result {
 Nid::AUTHORITY_KEY_IDENTIFIER => (),
 Nid::SUBJECT_ALT_NAME => (),
 Nid::SUBJECT_KEY_IDENTIFIER => (),
- _ => extensions
+ _ => private_extensions
 .push(extension::parse_extension(&ext).context("could not parse X509 extension")?),
 }
 }
@@ -281,7 +281,7 @@ pub fn parse_certificate(cert: &[u8]) -> Result {
 ),
 basic_constraints,
 subject_alt_name: get_subject_alt_name(&x509)?,
- extensions,
+ private_extensions,
 signature: extract_signature(&x509)?,
 })
 }
diff --git a/sw/host/ot_certs/tests/example.hjson b/sw/host/ot_certs/tests/example.hjson
index 37e43d5ebecba..8b55e448e5f79 100644
--- a/sw/host/ot_certs/tests/example.hjson
+++ b/sw/host/ot_certs/tests/example.hjson
@@ -40,7 +40,7 @@
 tpm_model: "TPM Model",
 tpm_version: "TPM Version",
 },
- extensions: [
+ private_extensions: [
 {
 type: "dice_tcb_info",
 vendor: "lowRISC",
diff --git a/sw/host/ot_certs/tests/generic.hjson b/sw/host/ot_certs/tests/generic.hjson
index fda9056badb99..c3101f391fb60 100644
--- a/sw/host/ot_certs/tests/generic.hjson
+++ b/sw/host/ot_certs/tests/generic.hjson
@@ -135,7 +135,7 @@
 tpm_model: { var: "tpm_model" },
 tpm_version: { var: "tpm_version" },
 },
- extensions: [
+ private_extensions: [
 {
 type: "dice_tcb_info",
 vendor: { var: "vendor" },
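Review bot: The catch-all arm `_ => private_extensions.push(...)` in parse_certificate still receives every extension whose NID is not matched explicitly, standard or vendor-specific alike, so the new name promises a narrower content than the parser enforces. The earlier arms of this `match` and the start of the function lie outside the hunk, so which standard NIDs are filtered before the catch-all cannot be confirmed from here. A comment on the arm, e.g. `// Anything not matched above, standard or private, is kept verbatim here.`, would stop a reader from assuming only private OIDs can appear in this list; the struct literal in the @@ -281 hunk, which stores the vector as-is, inherits the same caveat.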