Complete attestation verification support #280
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Implements most of https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-metadata-service-v2.0-rd-20180702.html Interestingly the MDS server currently does not correctly implement the standard; TOC entry hashes for statements are padded base64url while they should be unpadded. The conformance server however uses unpadded encoding correctly.
With this commit, all the metadata server tests in the FIDO conformance tools pass
…e for known manufacturer Found via https://github.com/abergs/fido2-net-lib/blob/b44db521ee487f7d29b2de34f8c6b57f1bc9700e/Src/Fido2/AttestationFormat/Tpm.cs#L506-L540 https://www.trustedcomputinggroup.org/wp-content/uploads/Credential_Profile_EK_V2.0_R14_published.pdf specifies how and what exactly must be encoded.
…icate trustworthiness Hat-tip to Alex Seigler for pointing me to https://docs.microsoft.com/en-us/windows-server/security/guarded-fabric-shielded-vm/guarded-fabric-install-trusted-tpm-root-certificates Downloaded version of TrustedTpm.cab has "22-May-2019" as last changelog entry.
Verify TPM attestation certificate trustworthiness
grzuy
changed the title
grzuy
changed the title
Metadata service support
… on Metadata::Statement This allows ActiveSupport::Cache instances to be easily configured for WebAuthn.configuration.cache_backend
Lazy load X509::Certificates instead of during parsing/setting values on Metadata::Statement
grzuy
commented
Nov 8, 2019
|
|
||
| module WebAuthn | ||
| module Metadata | ||
| class Client |
There was a problem hiding this comment.
For the record: #208 (comment).
|
Closing in favor of #283 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
closes #66
closes #170
closes #175
fido-u2fstatement trustworthiness verification (Metadata service support #208)packedstatement trustworthiness verification (Metadata service support #208)tpmstatement trustworthiness verification (Verify TPM attestation certificate trustworthiness #253)android-safetynetstatement trustworthiness verificationandroid-keystatement trustworthiness verification (feat: verify android-key attestation trustworthiness #277)tpmconformance tests againfido-u2fconformance tests again (related: FIDO2 tool metadata missing attestationCertificateKeyIdentifiers for U2F tests fido-alliance/conformance-test-tools-resources#504)