Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: verify TPM attestation statement #162

Merged
merged 9 commits into from
Apr 24, 2019
Merged

feat: verify TPM attestation statement #162

merged 9 commits into from
Apr 24, 2019

Conversation

grzuy
Copy link
Contributor

@grzuy grzuy commented Apr 17, 2019
edited
Loading

Closes #83

@grzuy grzuy changed the base branch from master to libcbor April 19, 2019 22:56
@grzuy grzuy changed the base branch from libcbor to master April 19, 2019 22:56
@grzuy grzuy marked this pull request as ready for review April 20, 2019 18:29
grzuy
grzuy commented Apr 20, 2019
View reviewed changes
lib/webauthn/attestation_statement/tpm/pub_area.rb Outdated
end

def valid_name
[t_public.name_alg].pack("n") + digest
Copy link
Contributor Author

@grzuy grzuy Apr 20, 2019
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This approach is what I understood should be done by reading W3C recommendation.
However, conformance tool fails with this approach. See discussion in fido-alliance/conformance-test-tools-resources#396.

The following PR implements the other approach which apparently is inconsistent with the W3C recommendation, but passes the conformance tool test: #164.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Merged #164 into this branch. Going with the conformance tool approach for now.

grzuy
grzuy commented Apr 20, 2019
View reviewed changes
lib/webauthn/attestation_statement/tpm.rb Outdated
aik_certificate.subject.eql?(CERTIFICATE_EMPTY_NAME) &&
certificate_in_use?(aik_certificate) &&
aik_certificate.extensions.find { |ext| ext.oid == 'basicConstraints' }&.value == "CA:FALSE" &&
aik_certificate.extensions.find { |ext| ext.oid == "extendedKeyUsage" }&.value == OID_TCG_KP_AIK_CERTIFICATE
Copy link
Contributor Author

@grzuy grzuy Apr 20, 2019
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am thinking it might be worth creating something like an AttestationCertificate object or something like that, to ease all the logic checking for certificate properties, here in TPM and in other formats also.

@grzuy grzuy merged commit cdeb169 into master Apr 24, 2019
@grzuy grzuy deleted the tpm branch April 24, 2019 01:50
@grzuy grzuy mentioned this pull request May 3, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Verify "tpm" attestation statement format
1 participant
@grzuy