|
|
@ -11,7 +11,6 @@ import (
|
|
|
|
"crypto/subtle"
|
|
|
|
"crypto/subtle"
|
|
|
|
"crypto/tls"
|
|
|
|
"crypto/tls"
|
|
|
|
"crypto/x509"
|
|
|
|
"crypto/x509"
|
|
|
|
"crypto/x509/pkix"
|
|
|
|
|
|
|
|
"encoding/asn1"
|
|
|
|
"encoding/asn1"
|
|
|
|
"encoding/base64"
|
|
|
|
"encoding/base64"
|
|
|
|
"encoding/hex"
|
|
|
|
"encoding/hex"
|
|
|
@ -582,29 +581,14 @@ func doTPMAttestationFormat(ctx context.Context, prov Provisioner, ch *Challenge
|
|
|
|
|
|
|
|
|
|
|
|
// TODO(hs): implement revocation check; Verify() doesn't perform CRL check nor OCSP lookup.
|
|
|
|
// TODO(hs): implement revocation check; Verify() doesn't perform CRL check nor OCSP lookup.
|
|
|
|
|
|
|
|
|
|
|
|
// extract and validate Subject Alternative Name extension to contain at least one PermanentIdentifier
|
|
|
|
sans, err := x509util.ParseSubjectAlternativeNames(akCert)
|
|
|
|
var sanExtension pkix.Extension
|
|
|
|
|
|
|
|
for _, ext := range akCert.Extensions {
|
|
|
|
|
|
|
|
if ext.Id.Equal(oidSubjectAlternativeName) {
|
|
|
|
|
|
|
|
sanExtension = ext
|
|
|
|
|
|
|
|
break
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if sanExtension.Value == nil {
|
|
|
|
|
|
|
|
return nil, NewError(ErrorBadAttestationStatementType, "AK certificate is missing Subject Alternative Name extension")
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
sans, err := parseSANs(sanExtension)
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
if err != nil {
|
|
|
|
return nil, WrapError(ErrorBadAttestationStatementType, err, "failed parsing AK certificate SAN extension")
|
|
|
|
return nil, WrapError(ErrorBadAttestationStatementType, err, "failed parsing AK certificate Subject Alternative Names")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
var permanentIdentifiers []string
|
|
|
|
permanentIdentifiers := make([]string, len(sans.PermanentIdentifiers))
|
|
|
|
for _, san := range sans {
|
|
|
|
for i, pi := range sans.PermanentIdentifiers {
|
|
|
|
if san.Type == x509util.PermanentIdentifierType {
|
|
|
|
permanentIdentifiers[i] = pi.Identifier
|
|
|
|
permanentIdentifiers = append(permanentIdentifiers, san.Value)
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// extract and validate pubArea, sig, certInfo and alg properties from the request body
|
|
|
|
// extract and validate pubArea, sig, certInfo and alg properties from the request body
|
|
|
@ -705,122 +689,6 @@ func doTPMAttestationFormat(ctx context.Context, prov Provisioner, ch *Challenge
|
|
|
|
return data, nil
|
|
|
|
return data, nil
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// RFC 4043
|
|
|
|
|
|
|
|
//
|
|
|
|
|
|
|
|
// https://tools.ietf.org/html/rfc4043
|
|
|
|
|
|
|
|
var (
|
|
|
|
|
|
|
|
oidPermanentIdentifier = []int{1, 3, 6, 1, 5, 5, 7, 8, 3}
|
|
|
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// PermanentIdentifier represents an ASN.1 encoded "permanent identifier" as
|
|
|
|
|
|
|
|
// defined by RFC4043.
|
|
|
|
|
|
|
|
//
|
|
|
|
|
|
|
|
// PermanentIdentifier ::= SEQUENCE {
|
|
|
|
|
|
|
|
// identifierValue UTF8String OPTIONAL,
|
|
|
|
|
|
|
|
// assigner OBJECT IDENTIFIER OPTIONAL
|
|
|
|
|
|
|
|
// }
|
|
|
|
|
|
|
|
//
|
|
|
|
|
|
|
|
// https://datatracker.ietf.org/doc/html/rfc4043
|
|
|
|
|
|
|
|
type permanentIdentifier struct {
|
|
|
|
|
|
|
|
IdentifierValue string `asn1:"utf8,optional"`
|
|
|
|
|
|
|
|
Assigner asn1.ObjectIdentifier `asn1:"optional"`
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
func parsePermanentIdentifier(der []byte) (permanentIdentifier, error) {
|
|
|
|
|
|
|
|
var permID permanentIdentifier
|
|
|
|
|
|
|
|
if _, err := asn1.UnmarshalWithParams(der, &permID, "explicit,tag:0"); err != nil {
|
|
|
|
|
|
|
|
return permanentIdentifier{}, err
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
return permID, nil
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
func parseSANs(ext pkix.Extension) (sans []x509util.SubjectAlternativeName, err error) {
|
|
|
|
|
|
|
|
_, otherNames, err := parseSubjectAltName(ext)
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
|
|
return nil, fmt.Errorf("parseSubjectAltName: %w", err)
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
for _, otherName := range otherNames {
|
|
|
|
|
|
|
|
if otherName.TypeID.Equal(oidPermanentIdentifier) {
|
|
|
|
|
|
|
|
permID, err := parsePermanentIdentifier(otherName.Value.FullBytes)
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
|
|
return nil, fmt.Errorf("parsePermanentIdentifier: %w", err)
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
permanentIdentifier := x509util.SubjectAlternativeName{
|
|
|
|
|
|
|
|
Type: x509util.PermanentIdentifierType,
|
|
|
|
|
|
|
|
Value: permID.IdentifierValue, // TODO(hs): change how these are returned
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
sans = append(sans, permanentIdentifier)
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
return
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// OtherName ::= SEQUENCE {
|
|
|
|
|
|
|
|
// type-id OBJECT IDENTIFIER,
|
|
|
|
|
|
|
|
// value [0] EXPLICIT ANY DEFINED BY type-id }
|
|
|
|
|
|
|
|
type otherName struct {
|
|
|
|
|
|
|
|
TypeID asn1.ObjectIdentifier
|
|
|
|
|
|
|
|
Value asn1.RawValue
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// https://datatracker.ietf.org/doc/html/rfc5280#page-35
|
|
|
|
|
|
|
|
func parseSubjectAltName(ext pkix.Extension) (dirNames []pkix.Name, otherNames []otherName, err error) {
|
|
|
|
|
|
|
|
err = forEachSAN(ext.Value, func(generalName asn1.RawValue) error {
|
|
|
|
|
|
|
|
switch generalName.Tag {
|
|
|
|
|
|
|
|
case 0: // otherName
|
|
|
|
|
|
|
|
var on otherName
|
|
|
|
|
|
|
|
if _, err := asn1.UnmarshalWithParams(generalName.FullBytes, &on, "tag:0"); err != nil {
|
|
|
|
|
|
|
|
return fmt.Errorf("OtherName: asn1.UnmarshalWithParams: %w", err)
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
otherNames = append(otherNames, on)
|
|
|
|
|
|
|
|
case 4: // directoryName
|
|
|
|
|
|
|
|
var rdns pkix.RDNSequence
|
|
|
|
|
|
|
|
if _, err := asn1.Unmarshal(generalName.Bytes, &rdns); err != nil {
|
|
|
|
|
|
|
|
return fmt.Errorf("DirectoryName: asn1.Unmarshal: %w", err)
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
var dirName pkix.Name
|
|
|
|
|
|
|
|
dirName.FillFromRDNSequence(&rdns)
|
|
|
|
|
|
|
|
dirNames = append(dirNames, dirName)
|
|
|
|
|
|
|
|
default:
|
|
|
|
|
|
|
|
//return fmt.Errorf("expected tag %d", generalName.Tag)
|
|
|
|
|
|
|
|
// TODO(hs): implement the others ... skipping for now
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
|
|
|
})
|
|
|
|
|
|
|
|
return
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// Borrowed from the x509 package.
|
|
|
|
|
|
|
|
func forEachSAN(extension []byte, callback func(ext asn1.RawValue) error) error {
|
|
|
|
|
|
|
|
var seq asn1.RawValue
|
|
|
|
|
|
|
|
rest, err := asn1.Unmarshal(extension, &seq)
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
|
|
return err
|
|
|
|
|
|
|
|
} else if len(rest) != 0 {
|
|
|
|
|
|
|
|
return errors.New("x509: trailing data after X.509 extension")
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
if !seq.IsCompound || seq.Tag != 16 || seq.Class != 0 {
|
|
|
|
|
|
|
|
return asn1.StructuralError{Msg: "bad SAN sequence"}
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
rest = seq.Bytes
|
|
|
|
|
|
|
|
for len(rest) > 0 {
|
|
|
|
|
|
|
|
var v asn1.RawValue
|
|
|
|
|
|
|
|
rest, err = asn1.Unmarshal(rest, &v)
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
|
|
return err
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if err := callback(v); err != nil {
|
|
|
|
|
|
|
|
return err
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// Apple Enterprise Attestation Root CA from
|
|
|
|
// Apple Enterprise Attestation Root CA from
|
|
|
|
// https://www.apple.com/certificateauthority/private/
|
|
|
|
// https://www.apple.com/certificateauthority/private/
|
|
|
|
const appleEnterpriseAttestationRootCA = `-----BEGIN CERTIFICATE-----
|
|
|
|
const appleEnterpriseAttestationRootCA = `-----BEGIN CERTIFICATE-----
|
|
|
|