During Azure vTPM attestation verification, parse potentially several intermediaries from AK cert chain #48
Closed
ameba23 wants to merge 1 commit into
ameba23
commented
Jun 5, 2026
| return Err(MaaError::AkFromClaimsNotEqualAkFromCertificate); | ||
| } | ||
|
|
||
| // Strip trailing data from AK certificate |
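Review bot: the comment `// Strip trailing data from AK certificate` at the end of this region no longer matches the intent stated in the PR description, which is to parse the bytes after the leaf as further DER certificates rather than discard them. Rename the comment to say that the tail is parsed for intermediates, and make the split point the DER length of the first SEQUENCE so that nothing after the leaf is lost and a tail that is not DER is reported instead of silently stripped.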
This was (I think) the issue - here we are potentially discarding intermediary certs which are needed for verification.
Don't think you are discarding them. Afaict they aren't there in the first place. At least they weren't in my NV response. That's why in your link they mention "The AIA mechanism is the supported and expected way to validate the certificate hierarchy." They want you to fetch the certs dynamically from the URLs embedded in the leaf AK cert.
ameba23
commented
Jun 5, 2026
| let end_entity_cert = EndEntityCert::try_from(&ak_cert_der)?; | ||
|
|
||
| let mut intermediates = DOCUMENTED_AZURE_INTERMEDIATES.clone(); | ||
| intermediates.extend(parse_trailing_der_certificates(remaining_bytes)?); |
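Review bot: `intermediates` starts from `DOCUMENTED_AZURE_INTERMEDIATES.clone()` and then appends whatever `parse_trailing_der_certificates(remaining_bytes)?` returns, which leaves two behaviours to settle in this hunk. The `?` turns any non-DER trailing bytes into a hard verification failure where they were previously ignored, and the thread notes that the payload may carry no intermediates at all, so an empty or padded tail should read as "no intermediates supplied" rather than an error. Certificates taken from the attestation payload are untrusted until the chain is built, so they should serve only as path material for `end_entity_cert` with trust still anchored at the hard-coded root; whether the documented intermediates should always be merged in (the open question in this thread) could be resolved by building the chain from the payload-supplied certificates first and falling back to the documented set.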
I'm not sure if we should still always be adding this hard-coded intermediary.
Will close this as it does not fix the issue.
This [hopefully] fixes an issue with verifying the AK certificate chain during Azure attestation.
In some cases Azure attestation has failed to verify due to AK certificate chain verification, but our hardcoded root certificate still matches what Microsoft publicly publishes.
My hunch is that the issue is because we currently only parse a single certificate from the AK chain given in the attestation, and use hard-coded intermediaries. But we should be parsing intermediaries given in the payload. This PR fixes that.
See this Q&A thread which I think discusses a similar issue:
https://learn.microsoft.com/en-us/answers/questions/5897616/download-intermediate-ca-cert-for-azure-cloud-virt
This is not yet tested on an Azure deployment, but tests pass against our existing fixtures.
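Added example (not this PR's or the project's code): a std-only Rust routine for the step the description calls parsing the intermediaries out of the payload, walking a buffer of concatenated DER certificates by their SEQUENCE length headers. The `DerSplitError` type, the treatment of a zero-filled tail as padding, and the sample bytes are assumptions for illustration.

```rust
// Added example, not the project's code. Splits a byte buffer holding one or
// more concatenated DER certificates into the individual encodings. Every X.509
// certificate is a DER SEQUENCE: tag 0x30, then a length that is either one
// byte (< 0x80) or 0x80|n followed by n big-endian length bytes. A run of 0x00
// after the last certificate is assumed to be padding and ends the walk.

#[derive(Debug, PartialEq)]
pub enum DerSplitError {
    UnexpectedTag { offset: usize, tag: u8 },
    Truncated { offset: usize },
    BadLength { offset: usize },
}

/// Returns each DER SEQUENCE found in `buf`, in order. The first element is the
/// leaf (AK) certificate; any further elements are candidate intermediates.
pub fn split_der_certificates(buf: &[u8]) -> Result<Vec<&[u8]>, DerSplitError> {
    let mut certs = Vec::new();
    let mut pos = 0;
    while pos < buf.len() {
        if buf[pos] == 0x00 {
            break; // zero padding: a certificate never starts with 0x00
        }
        if buf[pos] != 0x30 {
            return Err(DerSplitError::UnexpectedTag { offset: pos, tag: buf[pos] });
        }
        let len_byte = *buf.get(pos + 1).ok_or(DerSplitError::Truncated { offset: pos })?;
        let (header_len, content_len) = if len_byte < 0x80 {
            (2usize, len_byte as usize)
        } else {
            let n = (len_byte & 0x7f) as usize;
            // DER forbids indefinite form (0x80) and, for certificates, lengths wider than 4 bytes.
            if n == 0 || n > 4 {
                return Err(DerSplitError::BadLength { offset: pos });
            }
            let len_bytes = buf.get(pos + 2..pos + 2 + n).ok_or(DerSplitError::Truncated { offset: pos })?;
            let content_len = len_bytes.iter().fold(0usize, |acc, &b| (acc << 8) | b as usize);
            if content_len < 0x80 {
                return Err(DerSplitError::BadLength { offset: pos }); // long form used where short form was required
            }
            (2 + n, content_len)
        };
        let end = pos
            .checked_add(header_len)
            .and_then(|p| p.checked_add(content_len))
            .ok_or(DerSplitError::Truncated { offset: pos })?;
        // A cut-off certificate is an error, not something to drop silently.
        let cert = buf.get(pos..end).ok_or(DerSplitError::Truncated { offset: pos })?;
        certs.push(cert);
        pos = end;
    }
    Ok(certs)
}
```

Everything after the first returned element is untrusted input from the attestation payload: it is only path-building material for a chain check that must still terminate at the pinned root.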