88 Commits

Author	SHA1	Message	Date
Herman Slatman	d9aa2c110f	Increase test coverage for AK certificate properties	2023-04-06 14:35:48 +02:00
Herman Slatman	ed1a62206e	Add additional verification of AK certificate	2023-04-05 01:02:44 +02:00
Herman Slatman	1c38e252a6	Cast alg to a valid COSEAlgorithmIdentifier	2023-04-04 12:22:58 +02:00
Herman Slatman	e25acff13c	Simplify alg validity check	2023-04-03 22:32:26 +02:00
Herman Slatman	9cd4b362f7	Extract the ParseSubjectAlternativeNames function	2023-04-03 22:21:29 +02:00
Herman Slatman	b6957358fc	Fix PR remarks ... - Root CA error message improved - Looping through intermediate certs - Change checking unhandled extensions to using `if`	2023-04-03 11:54:22 +02:00
Herman Slatman	09bd7705cd	Fix linting issues	2023-03-31 17:41:43 +02:00
Herman Slatman	f88ef6621f	Add PermanentIdentifier SAN parsing and tests	2023-03-31 17:39:18 +02:00
Herman Slatman	52023d6083	Add tests for doTPMAttestationFormat	2023-03-31 14:57:25 +02:00
Herman Slatman	ae30f6e96b	Add failing TPM simulator test	2023-03-30 13:02:04 +02:00
Herman Slatman	094f0521e2	Remove check for PermanentIdentifier from tpm format validation	2023-03-24 12:55:42 +01:00
Herman Slatman	589a62df74	Make validation of tpm format stricter	2023-03-14 13:59:16 +01:00
Herman Slatman	213b31bc2c	Simplify processing logic for unhandled critical extension	2023-03-14 09:48:44 +01:00
Herman Slatman	e1c7e8f00b	Return the CSR public key fingerprint for tpm format	2023-03-13 23:30:39 +01:00
Herman Slatman	6297bace1a	Merge branch 'master' into herman/acme-da-tpm	2023-03-13 17:27:40 +01:00
Herman Slatman	69489480ab	Add more complete tpm format validation	2023-03-13 17:21:09 +01:00
Mariano Cano	6ba20209c2	Verify CSR key fingerprint with attestation certificate key ... This commit makes sure that the attestation certificate key matches the key used on the CSR on an ACME device attestation flow.	2023-02-09 16:48:43 -08:00
Herman Slatman	0f9128c873	Fix linting issue and order of test SUT	2023-01-27 15:43:57 +01:00
Herman Slatman	2ab9beb7ed	Add tests for deviceAttest01Validate	2023-01-27 15:36:48 +01:00
Herman Slatman	ed61c5df5f	Cleanup some leftover debug statements	2023-01-26 15:36:15 +01:00
Herman Slatman	edee01c80c	Refactor debug utility	2023-01-26 13:41:01 +01:00
Herman Slatman	1c38113e44	Add ACME Subproblem for more detailed ACME client-side errors ... When validating an ACME challenge (`device-attest-01` in this case, but it's also true for others), and validation fails, the CA didn't return a lot of information about why the challenge had failed. By introducing the ACME `Subproblem` type, an ACME `Error` can include some additional information about what went wrong when validating the challenge. This is a WIP commit. The `Subproblem` isn't created in many code paths yet, just for the `step` format at the moment. Will probably follow up with some more improvements to how the ACME error is handled. Also need to cleanup some debug things (q.Q)	2023-01-26 13:29:31 +01:00
Herman Slatman	4cf25ede24	Merge branch 'master' into herman/acme-da-tpm	2022-11-08 12:07:46 +01:00
Mariano Cano	e27c6c529b	Add support for custom acme ports ... This change adds the flags --acme-http-port, --acme-tls-port, that combined with --insecure can be used to set custom ports for ACME http-01 and tls-alpn-01 challenges. These flags should only be used for testing purposes. Fixes #1015	2022-11-03 16:58:25 -07:00
Mariano Cano	21666ba887	Revert "Set timestamp when marking an acme challenge invalid" ... This reverts commit 5f130895f3.	2022-10-03 12:56:23 -07:00
Mariano Cano	5f130895f3	Set timestamp when marking an acme challenge invalid	2022-10-03 11:35:51 -07:00
Herman Slatman	a8125846dd	Add TPM attestation	2022-09-21 14:58:03 +02:00
max furman	f3d1863ec6	A few more linter errors	2022-09-20 21:01:55 -07:00
Mariano Cano	2b3b2c283a	Add attestation certificate validation for Apple devices	2022-09-20 18:51:43 -07:00
Brandon Weeks	5f5315260a	iOS 16 beta 1 support	2022-09-20 16:53:08 -07:00
Brandon Weeks	de5b0ef5c2	Verify key authorization is contained within the TPM quote extraData field	2022-09-20 16:51:55 -07:00
max furman	ab0d2503ae	Standardize linting file and fix or ignore lots of linting errors	2022-09-20 16:35:41 -07:00
Mariano Cano	6b73a020e3	Add unit tests for apple and step attestations	2022-09-15 18:19:52 -07:00
Mariano Cano	0f651799d0	Reject not enabled attestation formats	2022-09-08 17:38:05 -07:00
Mariano Cano	08815c5e90	Reneame attestation statement error	2022-09-08 10:46:58 -07:00
Mariano Cano	3cd72ac72a	Remove debug statements	2022-09-08 10:44:48 -07:00
Mariano Cano	e75e7e7cd6	Fix linter warnings	2022-09-01 16:18:13 -07:00
Mariano Cano	54d92095ac	Validate proof of possession signature ... On the step format, validate proof of possession of the private key validating the signature in the attestation statement.	2022-09-01 10:45:31 -07:00
Mariano Cano	ca412e77cc	Return error on attestation validation ... The method storeError returns a nil error	2022-08-29 20:03:34 -07:00
Mariano Cano	735c9d49b0	Add support for yubikey attestation	2022-08-29 19:37:30 -07:00
Mariano Cano	693dc39481	Merge branch 'master' into device-attestation	2022-08-22 17:59:17 -07:00
Mariano Cano	23b8f45b37	Address gosec warnings ... Most if not all false positives	2022-08-18 17:46:20 -07:00
Mariano Cano	2ab1e6658e	Fix nonce validation ... The attestation certificate contains the nonce as raw bytes in the extension 1.2.840.113635.100.8.11.1	2022-08-09 15:06:52 -07:00
Mariano Cano	66356cff43	Add attestation certificate validation for Apple devices	2022-07-14 17:10:03 -07:00
Brandon Weeks	274f6ccb41	iOS 16 beta 2 support	2022-06-23 05:43:24 +10:00
Brandon Weeks	7e1b0bebd9	iOS 16 beta 1 support	2022-06-23 05:19:36 +10:00
Brandon Weeks	77c6d10fd6	Verify key authorization is contained within the TPM quote extraData field	2022-06-23 05:19:36 +10:00
Brandon Weeks	e1ec31c0ed	Implement TPM attestation statement verification	2022-06-23 05:19:36 +10:00
Brandon Weeks	aacd6f4cc6	Add device-attest-01 challenge type	2022-06-23 05:19:36 +10:00
Mariano Cano	d1f75f1720	Refactor ACME api.	2022-04-28 19:15:18 -07:00