-
Notifications
You must be signed in to change notification settings - Fork 242
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Extend certcheck to cope with Android attestation extension #865
base: master
Are you sure you want to change the base?
Conversation
90cdc93
to
a5762f1
Compare
@daviddrysdale Could you add some background/motivation for this PR in the description? |
/gcbrun |
Updated the text above. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A couple of style nits.
@daviddrysdale Are these certs related to CT? Or is the idea of |
No, they're not in the Web PKI.
The |
a5762f1
to
05b4aa3
Compare
/gcbrun |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There is some trouble with the CI build. Could you rebase to see if it helps to fix it?
Is this functional already in upstream x509
? If not, any reason to have it in the fork first (except maybe convenience)? I'm happy to approve this PR, but I'm not sure who of this repo maintainers would follow further updates, particularly given they are defined in Andriod docs.
@AlCutter @getagit What is your view on this PR and the state of x509
fork? We previously discussed factoring it out to a separate repo, and/or finding an owner. I guess this discussion is relevant too.
Rebased on |
/gcbrun |
|
@@ -0,0 +1,405 @@ | |||
// Copyright 2021 Google LLC. All Rights Reserved. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there a way to unit-test this file (and this PR in general)?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I normally just manually run certcheck --verbose
over some cert files…
76081e0
to
2590b09
Compare
/gcbrun |
2590b09
to
2eb8a14
Compare
65e6436
to
285f1dc
Compare
285f1dc
to
3fd4d32
Compare
cfdee22
to
f94dae6
Compare
71737a1
to
f2fa8cb
Compare
Extra field that is being added for Android U
f2fa8cb
to
ef5db9e
Compare
Android includes support for hardware-backed cryptographic keys. When asymmetric keys are generated in this system, the public key is exported in an X.509 certificate, which may be signed by hardware-protected device keys. The exported X.509 certificate may also include an Android-specific extension that attests to various features of the key and the device, described at https://developer.android.com/training/articles/security-key-attestation
This PR adds support for parsing this Android-specific extension, and along the way also improves support for dealing with certificates holding curve 25519 keys (Ed25519 or X25519).