Remove check for PermanentIdentifier from tpm format validation

Herman Slatman 2023-03-24 12:55:42 +01:00
parent f91a31f9b6
commit 094f0521e2
No known key found for this signature in database
GPG key ID: F4D8A44EA0A75A4F
3 changed files with 22 additions and 12 deletions


@ -28,8 +28,8 @@ import (
"github.com/fxamacker/cbor/v2" "github.com/fxamacker/cbor/v2"
"github.com/google/go-attestation/attest" "github.com/google/go-attestation/attest"
x509ext "github.com/google/go-attestation/x509"
"github.com/google/go-tpm/tpm2" "github.com/google/go-tpm/tpm2"
"github.com/ryboe/q"
"golang.org/x/exp/slices" "golang.org/x/exp/slices"
"go.step.sm/crypto/jose" "go.step.sm/crypto/jose"
@ -420,6 +420,7 @@ func deviceAttest01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose
case "step": case "step":
data, err := doStepAttestationFormat(ctx, prov, ch, jwk, &att) data, err := doStepAttestationFormat(ctx, prov, ch, jwk, &att)
if err != nil { if err != nil {
q.Q(err)
var acmeError *Error var acmeError *Error
if errors.As(err, &acmeError) { if errors.As(err, &acmeError) {
if acmeError.Status == 500 { if acmeError.Status == 500 {
@ -451,6 +452,7 @@ func deviceAttest01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose
if err != nil { if err != nil {
// TODO(hs): we should provide more details in the error reported to the client; // TODO(hs): we should provide more details in the error reported to the client;
// "Attestation statement cannot be verified" is VERY generic. Also holds true for the other formats. // "Attestation statement cannot be verified" is VERY generic. Also holds true for the other formats.
q.Q(err)
var acmeError *Error var acmeError *Error
if errors.As(err, &acmeError) { if errors.As(err, &acmeError) {
if acmeError.Status == 500 { if acmeError.Status == 500 {
@ -598,6 +600,7 @@ func doTPMAttestationFormat(ctx context.Context, ch *Challenge, db DB, jwk *jose
for _, ext := range akCert.Extensions { for _, ext := range akCert.Extensions {
if ext.Id.Equal(oidSubjectAlternativeName) { if ext.Id.Equal(oidSubjectAlternativeName) {
sanExtension = ext sanExtension = ext
break
} }
} }
@ -605,15 +608,17 @@ func doTPMAttestationFormat(ctx context.Context, ch *Challenge, db DB, jwk *jose
return nil, NewError(ErrorBadAttestationStatementType, "AK certificate is missing Subject Alternative Name extension") return nil, NewError(ErrorBadAttestationStatementType, "AK certificate is missing Subject Alternative Name extension")
} }
san, err := x509ext.ParseSubjectAltName(sanExtension) // TODO(hs): move to a package under our control? // TODO(hs): below code fails if there's a URI SAN, for example. Needs more complete parsing of SANS,
if err != nil { // or skip ASN1 tags that can't be parsed.
return nil, WrapError(ErrorBadAttestationStatementType, err, "failed parsing Subject Alternative Name extension") // san, err := x509ext.ParseSubjectAltName(sanExtension) // TODO(hs): move to a package under our control?
} // if err != nil {
// return nil, WrapError(ErrorBadAttestationStatementType, err, "failed parsing Subject Alternative Name extension")
// }
var permanentIdentifiers = make([]string, len(san.PermanentIdentifiers)) // var permanentIdentifiers = make([]string, len(san.PermanentIdentifiers))
for i, p := range san.PermanentIdentifiers { // for i, p := range san.PermanentIdentifiers {
permanentIdentifiers[i] = p.IdentifierValue // permanentIdentifiers[i] = p.IdentifierValue
} // }
// TODO(hs): reenable this check when we want to enforce a PermanentIdentifier to be present in // TODO(hs): reenable this check when we want to enforce a PermanentIdentifier to be present in
// the AK certificate. // the AK certificate.
@ -710,7 +715,7 @@ func doTPMAttestationFormat(ctx context.Context, ch *Challenge, db DB, jwk *jose
data := &tpmAttestationData{ data := &tpmAttestationData{
Certificate: akCert, Certificate: akCert,
VerifiedChains: verifiedChains, VerifiedChains: verifiedChains,
PermanentIdentifiers: permanentIdentifiers, //PermanentIdentifiers: permanentIdentifiers,
} }
if data.Fingerprint, err = keyutil.Fingerprint(publicKey); err != nil { if data.Fingerprint, err = keyutil.Fingerprint(publicKey); err != nil {
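Review bot: The `q.Q(err)` calls added after the `doStepAttestationFormat` error check and after the TPM-format error check in `deviceAttest01Validate` look like leftover debugging output and should be removed before merge, together with the new `github.com/ryboe/q` import and the matching go.mod/go.sum entries. As far as I recall, `q` dumps its arguments to a `q` file in the temp directory rather than through the server's logger, so attestation validation failures (including whatever detail the wrapped error carries) would be written to a location outside the normal logging pipeline and its file permissions; if that detail is useful, emit it through the existing logger at debug level instead. Pulling in a third-party package purely for a debug print also widens the CA's dependency surface for no runtime benefit. Both `deviceAttest01Validate` and `doTPMAttestationFormat` start and continue outside these hunks, so I cannot see whether anything downstream still reads `data.PermanentIdentifiers` now that it is left nil.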

go.mod

@ -53,6 +53,7 @@ require (
require ( require (
github.com/google/go-attestation v0.4.4-0.20220404204839-8820d49b18d9 github.com/google/go-attestation v0.4.4-0.20220404204839-8820d49b18d9
github.com/ryboe/q v1.0.19
golang.org/x/exp v0.0.0-20230310171629-522b1b587ee0 golang.org/x/exp v0.0.0-20230310171629-522b1b587ee0
) )
@ -111,6 +112,7 @@ require (
github.com/jackc/pgx/v4 v4.18.0 // indirect github.com/jackc/pgx/v4 v4.18.0 // indirect
github.com/jmespath/go-jmespath v0.4.0 // indirect github.com/jmespath/go-jmespath v0.4.0 // indirect
github.com/klauspost/compress v1.15.11 // indirect github.com/klauspost/compress v1.15.11 // indirect
github.com/kr/text v0.2.0 // indirect
github.com/kylelemons/godebug v1.1.0 // indirect github.com/kylelemons/godebug v1.1.0 // indirect
github.com/manifoldco/promptui v0.9.0 // indirect github.com/manifoldco/promptui v0.9.0 // indirect
github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d // indirect github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d // indirect
@ -121,6 +123,7 @@ require (
github.com/mitchellh/reflectwalk v1.0.2 // indirect github.com/mitchellh/reflectwalk v1.0.2 // indirect
github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 // indirect github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 // indirect
github.com/pmezard/go-difflib v1.0.0 // indirect github.com/pmezard/go-difflib v1.0.0 // indirect
github.com/rogpeppe/go-internal v1.9.0 // indirect
github.com/russross/blackfriday/v2 v2.1.0 // indirect github.com/russross/blackfriday/v2 v2.1.0 // indirect
github.com/ryanuber/go-glob v1.0.0 // indirect github.com/ryanuber/go-glob v1.0.0 // indirect
github.com/shopspring/decimal v1.2.0 // indirect github.com/shopspring/decimal v1.2.0 // indirect

go.sum

@ -845,6 +845,8 @@ github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb
github.com/ryanuber/columnize v2.1.0+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= github.com/ryanuber/columnize v2.1.0+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk= github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk=
github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc= github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc=
github.com/ryboe/q v1.0.19 h1:1dO1anK4gorZRpXBD/edBZkMxIC1tFIwN03nfyOV13A=
github.com/ryboe/q v1.0.19/go.mod h1:IoEB3Q2/p6n1qbhIQVuNyakxtnV4rNJ/XJPK+jsEa0M=
github.com/samuel/go-zookeeper v0.0.0-20190923202752-2cc03de413da/go.mod h1:gi+0XIa01GRL2eRQVjQkKGqKF3SF9vZR/HnPullcV2E= github.com/samuel/go-zookeeper v0.0.0-20190923202752-2cc03de413da/go.mod h1:gi+0XIa01GRL2eRQVjQkKGqKF3SF9vZR/HnPullcV2E=
github.com/sassoftware/go-rpmutils v0.0.0-20190420191620-a8f1baeba37b/go.mod h1:am+Fp8Bt506lA3Rk3QCmSqmYmLMnPDhdDUcosQCAx+I= github.com/sassoftware/go-rpmutils v0.0.0-20190420191620-a8f1baeba37b/go.mod h1:am+Fp8Bt506lA3Rk3QCmSqmYmLMnPDhdDUcosQCAx+I=
github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0= github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=