Comments (5)
```go
import (
	"crypto/x509"
	"errors"
)
// EKCertVerifier checks that EK certificates chain up to a set of intermediates
// and root certificates.
type EKCertVerifier struct {
	roots, intermediates *x509.CertPool
}

// NewEKCertVerifier builds an EKCertVerifier object from the given set
// of root & intermediate certificates (PEM-encoded; intermediates may be empty).
func NewEKCertVerifier(roots, intermediates []byte) (*EKCertVerifier, error) {
	v := &EKCertVerifier{roots: x509.NewCertPool(), intermediates: x509.NewCertPool()}
	if !v.roots.AppendCertsFromPEM(roots) {
		return nil, errors.New("no root certificates could be parsed")
	}
	v.intermediates.AppendCertsFromPEM(intermediates)
	return v, nil
}

// Verify checks the EK cert chains up to a known set of root & intermediate
// certificates.
func (v *EKCertVerifier) Verify(cert []byte) (chains [][]*x509.Certificate, err error) {
	ek, err := x509.ParseCertificate(cert) // DER-encoded EK certificate
	if err != nil {
		return nil, err
	}
	return ek.Verify(x509.VerifyOptions{Roots: v.roots, Intermediates: v.intermediates})
}
```
@ericchiang WDYT?
from go-attestation.
This functionality is already available via "crypto/x509".Certificate.Verify
https://golang.org/pkg/crypto/x509/#Certificate.Verify
I don't see the benefit of adding duplicate API here. Would this be better as documentation?
We could get away with documentation if we specify:
- You're gonna need to use the cert-transparency x509 package
- Set `cert.UnhandledCriticalExtensions` to nil in the EKCert before verifying
- Set `VerifyOptions.KeyUsages` to `[]x509.ExtKeyUsage{x509.ExtKeyUsageAny}`
sgtm
I think that'd be a good place to start anyway. We should also document why you need to use cert-transparency x509, and why UnhandledCriticalExtensions
has to be set to nil. Ideally, we'd actually parse those extensions in the future too.
I feel like it might be reasonable to add a higher level API, expressing different trust models: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/tpm-key-attestation#BKMK_DeploymentOverview
But I think it'd be good to prototype that outside of attest, see what works and what doesn't, then propose the API here.
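The two settings discussed above, as an added example that is not go-attestation's code: `VerifyEKCert` applies them with the standard library's `crypto/x509` (which exposes the same `UnhandledCriticalExtensions` and `KeyUsages` fields as the cert-transparency fork) and refuses any unhandled critical extension other than the SAN, and `NewConstructedEKChain` builds an in-memory root, intermediate and EK-shaped leaf so the check runs offline. The helper names, the vendor name and the use of the TCG EK certificate EKU (2.23.133.8.1) on the leaf are assumptions of this example, not from the thread.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

var oidSAN, oidEKCertEKU = asn1.ObjectIdentifier{2, 5, 29, 17}, asn1.ObjectIdentifier{2, 23, 133, 8, 1} // subjectAltName, tcg-kp-EKCertificate
// VerifyEKCert applies the thread's two settings: any EKU is accepted (EK certs carry the TCG EKU, not serverAuth) and the unhandled critical SAN is cleared; any other unhandled critical extension stays fatal.
func VerifyEKCert(ek *x509.Certificate, roots, inters *x509.CertPool) ([][]*x509.Certificate, error) {
	for _, id := range ek.UnhandledCriticalExtensions {
		if !id.Equal(oidSAN) {
			return nil, x509.UnhandledCriticalExtension{}
		}
	}
	ek.UnhandledCriticalExtensions = nil // crypto/x509 skips the SAN's directoryName and flags the extension as unhandled
	return ek.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
}
// NewConstructedEKChain builds constructed fixture data (errors ignored): root -> intermediate -> EK-shaped leaf with empty subject, critical directoryName-only SAN and the TCG EKU.
func NewConstructedEKChain() (roots, inters *x509.CertPool, ek *x509.Certificate) {
	rootPub, rootKey, _ := ed25519.GenerateKey(rand.Reader)
	interPub, interKey, _ := ed25519.GenerateKey(rand.Reader)
	ekPub, _, _ := ed25519.GenerateKey(rand.Reader)
	ca := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: true, BasicConstraintsValid: true,
			KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	}
	sign := func(t, parent *x509.Certificate, pub ed25519.PublicKey, key ed25519.PrivateKey) *x509.Certificate {
		der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, key)
		c, _ := x509.ParseCertificate(der)
		return c
	}
	nameDER, _ := asn1.Marshal(pkix.Name{CommonName: "constructed TPM vendor"}.ToRDNSequence()) // SAN ::= SEQUENCE { [4] directoryName }
	sanDER, _ := asn1.Marshal([]asn1.RawValue{{Class: asn1.ClassContextSpecific, Tag: 4, IsCompound: true, Bytes: nameDER}})
	leaf := &x509.Certificate{SerialNumber: big.NewInt(3), NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageKeyEncipherment, UnknownExtKeyUsage: []asn1.ObjectIdentifier{oidEKCertEKU},
		ExtraExtensions: []pkix.Extension{{Id: oidSAN, Critical: true, Value: sanDER}}}
	rootT := ca(1, "constructed EK root")
	root := sign(rootT, rootT, rootPub, rootKey)
	inter := sign(ca(2, "constructed EK intermediate"), root, interPub, rootKey)
	roots, inters = x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	return roots, inters, sign(leaf, inter, ekPub, interKey)
}
```

Without the two settings, `ek.Verify` on the constructed leaf fails first with `UnhandledCriticalExtension` and, once that is cleared, with `IncompatibleUsage`, which is exactly the pair of failures the thread describes.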
Do we not want to bundle the canonical trusted TPM roots?
https://go.microsoft.com/fwlink/?linkid=2097925