Merge pull request #1953 from dwaite/packed-firmware-attribute
Add packed attestation optional firmware version attribute
dwaite authored Mar 13, 2024
2 parents 09c74bf + 27a8614 commit 354a717
Showing 1 changed file with 42 additions and 14 deletions.
56 changes: 42 additions & 14 deletions index.bs
Expand Up @@ -5826,23 +5826,51 @@ The attestation certificate MUST have the following fields/extensions:
is present, and if it is, then validate that it contains that same AAGUID as presented in the [=attestation object=].

Note that an X.509 Extension encodes the DER-encoding of the value in an OCTET STRING.
Thus, the AAGUID MUST be wrapped in <i>two</i> OCTET STRINGS to be valid. Here is a sample, encoded Extension structure:

<pre>
30 21 -- SEQUENCE
06 0b 2b 06 01 04 01 82 e5 1c 01 01 04 -- 1.3.6.1.4.1.45724.1.1.4
04 12 -- OCTET STRING
04 10 -- OCTET STRING
cd 8c 39 5c 26 ed ee de -- AAGUID
65 3b 00 79 7d 03 ca 3c
</pre>
Thus, the AAGUID MUST be wrapped in <i>two</i> OCTET STRINGS to be valid.

- The Basic Constraints extension MUST have the CA component set to [FALSE].

- An Authority Information Access (AIA) extension with entry `id-ad-ocsp` and a CRL Distribution Point extension [[RFC5280]]
are both OPTIONAL as the status of many attestation certificates is available through authenticator metadata services.
See, for example, the FIDO Metadata Service [[FIDOMetadataService]].

Additionally, an Authority Information Access (AIA) extension with entry `id-ad-ocsp` and a CRL Distribution Point extension
[[RFC5280]] are both OPTIONAL as the status of many attestation certificates is available through authenticator metadata
services. See, for example, the FIDO Metadata Service [[FIDOMetadataService]].

The firmware of a particular authenticator model MAY be differentiated using the Extension OID `1.3.6.1.4.1.45724.1.1.5`
(`id-fido-gen-ce-fw-version`). When present, this attribute contains an INTEGER with a non-negative value which is incremented for new
firmware release versions. The extension MUST NOT be marked as critical.

For example, the following is an attestation certificate containing the above extension OIDs as well as required fields:

~~~ pem
-----BEGIN CERTIFICATE----- <!-- bikeshed emdash workaround -->
MIIBzTCCAXOgAwIBAgIUYHS3FJEL/JTfFqafuAHvlAS+hDYwCgYIKoZIzj0EAwIw
QTELMAkGA1UEBhMCVVMxFDASBgNVBAoMC1dlYkF1dGhuIFdHMRwwGgYDVQQDDBNF
eGFtcGxlIEF0dGVzdGF0aW9uMCAXDTI0MDEwMzE3NDUyMVoYDzIwNTAwMTA2MTc0
NTIxWjBBMQswCQYDVQQGEwJVUzEUMBIGA1UECgwLV2ViQXV0aG4gV0cxHDAaBgNV
BAMME0V4YW1wbGUgQXR0ZXN0YXRpb24wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC
AATDQN9uaFFH4BKBjthHTM1drpb7gIuPod67qyF6UdL4qah6XUp6tE7Prl+DfQ7P
YH9yMOOcci3nr+Q/jOBaWVERo0cwRTAhBgsrBgEEAYLlHAEBBAQSBBDNjDlcJu3u
3mU7AHl9A8o8MBIGCysGAQQBguUcAQEFBAMCASowDAYDVR0TAQH/BAIwADAKBggq
hkjOPQQDAgNIADBFAiA3k3aAUVtLhDHLXOgY2kRnK2hrbRgf2EKdTDLJ1Ds/RAIh
AOmIblhI3ALCHOaO0IO7YlMpw/lSTvFYv3qwO3m7H8Dc
-----END CERTIFICATE----- <!-- bikeshed emdash workaround -->
~~~

The attributes above are structured within this certificate as such:

~~~ text
30 21 -- SEQUENCE
06 0B 2B 06 01 04 01 82 E5 1C 01 01 04 -- OID 1.3.6.1.4.1.45724.1.1.4
04 12 -- OCTET STRING
04 10 -- OCTET STRING
CD 8C 39 5C 26 ED EE DE -- AAGUID cd8c395c-26ed-eede-653b-00797d03ca3c
65 3B 00 79 7D 03 CA 3C

30 12 -- SEQUENCE
06 0B 2B 06 01 04 01 82 E5 1C 01 01 05 -- OID 1.3.6.1.4.1.45724.1.1.5
04 03 -- OCTET STRING
02 01 -- INTEGER
2A -- Firmware version: 42
~~~

## TPM Attestation Statement Format ## {#sctn-tpm-attestation}
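Review bot: the new firmware-version paragraph ("When present, this attribute contains an INTEGER with a non-negative value which is incremented for new firmware release versions") should say explicitly that the INTEGER is DER-encoded inside the extension's OCTET STRING, mirroring the AAGUID sentence earlier in the hunk ("an X.509 Extension encodes the DER-encoding of the value in an OCTET STRING"); the hex dump (`04 03` / `02 01` / `2A`) shows the wrapping, but the normative text does not, and the example value 42 never exercises the leading `00` byte DER requires for values of 0x80 and above, which is where encoders commonly go wrong. The paragraph also leaves open whether the counter is ordered per authenticator model (per AAGUID) and whether a verifier is expected to do anything with it beyond reading it; a sentence either way would prevent divergent implementations. Minor: "are structured within this certificate as such:" reads better as "as follows:", and the `<!-- bikeshed emdash workaround -->` comments on the PEM delimiter lines deserve a short source comment explaining them (or a check that nothing from them reaches the rendered block), since readers will copy the certificate verbatim.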

