ProofOfBinding certificate extension #122

Closed
ceuser1 opened this issue Oct 11, 2022 · 2 comments

@ceuser1

ceuser1 commented Oct 11, 2022

The 'Android Identity Credential Authentication Key' certificate contains a custom extension 1.3.6.1.4.1.11129.2.1.26 with the ProofOfBinding.

Example:

A3 44 (68)
	30 42 (66)
		30 40 (64)
			06 0A (10): 2B06010401D67902011A
			04 32 (50): 826E50726F6F664F6642696E64696E675820F6098091A6CCA59DA9512B262515440750B757C2E1EB30C7B5FA93E59127FAFB

Is this a valid format according to X.509? I think the content should also be ASN.1 encoded, but currently it is just the raw bytes of ProofOfContent.
The certificate is generated in CredentialData.java, in the generateAuthenticationKeyCert method.

@davidz25
Contributor

For the record, this is defined here and it says DER encoded OCTET STRING with the bytes of the CBOR with the following CDDL where the CDDL is

ProofOfBinding = [
      "ProofOfBinding",
      bstr,              // Contains SHA-256(ProofOfProvisioning)
    ]

It's definitely valid to have a DER encoded OCTET STRING in an X.509 extension. Whatever you put in the OCTET STRING is up to you, in our case we decided to put CBOR in it...
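
A strict parse of the extension bytes from the dump above, as an added example that is not part of the original thread or the project's code: it walks the DER Extension SEQUENCE, checks the OID, and matches the extnValue contents against the CBOR `["ProofOfBinding", bstr]` layout. The function names are hypothetical, and requiring shortest-form CBOR heads and a 32-byte digest is an assumption based on the dump and the SHA-256 comment in the CDDL.

```python
# Extension SEQUENCE copied from the dump in the issue (starts at "30 40").
EXT_HEX = ("3040" "060A2B06010401D67902011A" "0432"
           "826E50726F6F664F6642696E64696E67" "5820"
           "F6098091A6CCA59DA9512B262515440750B757C2E1EB30C7B5FA93E59127FAFB")
POB_OID = "1.3.6.1.4.1.11129.2.1.26"
# Assumed encoding: array(2), tstr(14) "ProofOfBinding", bstr(32) head.
CBOR_HEAD = b"\x82\x6e" + b"ProofOfBinding" + b"\x58\x20"

def read_tlv(buf, pos, tag):
    """Read one DER TLV with the expected tag; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError(f"expected tag 0x{tag:02x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return buf[pos:pos + length], pos + length

def decode_oid(body):
    """Convert DER OID content bytes to dotted form (first arc 0 or 1)."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for byte in body[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear ends the base-128 arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_proof_of_binding(ext):
    """Return the 32-byte digest carried in the ProofOfBinding extension."""
    seq, end = read_tlv(ext, 0, 0x30)
    if end != len(ext):
        raise ValueError("trailing bytes after Extension")
    oid, pos = read_tlv(seq, 0, 0x06)
    if decode_oid(oid) != POB_OID:
        raise ValueError("not the ProofOfBinding extension")
    if seq[pos:pos + 1] == b"\x01":  # optional 'critical' BOOLEAN
        _, pos = read_tlv(seq, pos, 0x01)
    cbor, pos = read_tlv(seq, pos, 0x04)  # extnValue OCTET STRING
    if pos != len(seq):
        raise ValueError("trailing bytes inside Extension")
    if len(cbor) != len(CBOR_HEAD) + 32 or not cbor.startswith(CBOR_HEAD):
        raise ValueError("extnValue is not the expected CBOR array")
    return cbor[len(CBOR_HEAD):]
```

The returned digest is what a verifier would compare against its own SHA-256 of the ProofOfProvisioning bytes.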

@ceuser1
Author

ceuser1 commented Oct 12, 2022

Thank you for the clarification 👍
