From 727578f7b10d5c8df659f971c00e975c70196b37 Mon Sep 17 00:00:00 2001
From: Nicolas Williams
Date: Thu, 17 Dec 2020 12:05:27 -0600
Subject: [PATCH] asn1: Add TCG module

This is in preparation for adding support for TPM-related functionality in lib/hx509 and, eventually, in bx509d.
---
 lib/asn1/Makefile.am | 16 +++-
 lib/asn1/NTMakefile | 17 +++-
 lib/asn1/libasn1-exports.def | 79 +++++++++++++++++
 lib/asn1/oid_resolution.c | 2 +
 lib/asn1/tcg.asn1 | 161 +++++++++++++++++++++++++++++++++++
 5 files changed, 271 insertions(+), 4 deletions(-)
 create mode 100644 lib/asn1/tcg.asn1

diff --git a/lib/asn1/Makefile.am b/lib/asn1/Makefile.am
index ee3702957..4ce5da62e 100644
--- a/lib/asn1/Makefile.am
+++ b/lib/asn1/Makefile.am
@@ -25,9 +25,10 @@ BUILT_SOURCES = \
 	$(gen_files_rfc2459:.x=.c) \
 	$(gen_files_rfc4043:.x=.c) \
 	$(gen_files_rfc4108:.x=.c) \
+	$(gen_files_tcg:.x=.c) \
 	$(gen_files_cms:.x=.c) \
 	$(gen_files_krb5:.x=.c) \
-	$(gen_files_ocsp:.x=.c) \
+	$(gen_files_ocsp:.x=.c) \
 	$(gen_files_pkinit:.x=.c) \
 	$(gen_files_pkcs8:.x=.c) \
 	$(gen_files_pkcs9:.x=.c) \
@@ -42,6 +43,7 @@ gen_files_crmf = asn1_crmf_asn1.x
 gen_files_rfc2459 = asn1_rfc2459_asn1.x
 gen_files_rfc4043 = asn1_rfc4043_asn1.x
 gen_files_rfc4108 = asn1_rfc4108_asn1.x
+gen_files_tcg = asn1_tcg_asn1.x
 gen_files_ocsp = asn1_ocsp_asn1.x
 gen_files_pkinit = asn1_pkinit_asn1.x
 gen_files_pkcs10 = asn1_pkcs10_asn1.x
@@ -52,8 +54,7 @@ gen_files_test_template = test_template_asn1-template.x
 gen_files_test = asn1_test_asn1.x
 gen_files_digest = asn1_digest_asn1.x
 gen_files_kx509 = asn1_kx509_asn1.x
-gen_files_rfc4043 = asn1_rfc4043_asn1.x
-gen_files_rfc4108 = asn1_rfc4108_asn1.x
+gen_files_tcg = asn1_tcg_asn1.x
 
 oid_resolution.lo: $(BUILT_SOURCES)
 
@@ -147,6 +148,7 @@ CLEANFILES = \
 	$(gen_files_rfc2459) \
 	$(gen_files_rfc4043) \
 	$(gen_files_rfc4108) \
+	$(gen_files_tcg) \
 	$(gen_files_cms) \
 	$(gen_files_krb5) \
 	$(gen_files_ocsp) \
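Review bot: The `+gen_files_tcg = asn1_tcg_asn1.x` added in the hunk at line 54 duplicates the assignment the hunk at line 43 already adds, so the same variable is set twice in Makefile.am. The old file had the same problem with rfc4043/rfc4108 (the two lines this hunk removes); rather than carry the pattern forward with a new duplicate, drop the second `gen_files_tcg` assignment and leave only the removals, keeping the blank line before `oid_resolution.lo:`. The `-`/`+` pair for `$(gen_files_ocsp:.x=.c) \` in the first hunk appears to be a whitespace-only change, which is worth a word in the commit message so it is not mistaken for a functional edit.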
@@ -164,6 +166,7 @@ CLEANFILES = \
 	rfc2459_asn1_files rfc2459_asn1*.h* \
 	rfc4043_asn1_files rfc4043_asn1*.h* \
 	rfc4108_asn1_files rfc4108_asn1*.h* \
+	tcg_asn1_files tcg_asn1*.h* \
 	cms_asn1_files cms_asn1*.h* \
 	crmf_asn1_files crmf_asn1*.h* \
 	krb5_asn1_files krb5_asn1*.h* \
@@ -191,6 +194,7 @@ nodist_include_HEADERS += crmf_asn1.h
 nodist_include_HEADERS += rfc2459_asn1.h
 nodist_include_HEADERS += rfc4043_asn1.h
 nodist_include_HEADERS += rfc4108_asn1.h
+nodist_include_HEADERS += tcg_asn1.h
 nodist_include_HEADERS += ocsp_asn1.h
 nodist_include_HEADERS += pkcs8_asn1.h
 nodist_include_HEADERS += pkcs9_asn1.h
@@ -206,6 +210,7 @@ priv_headers += crmf_asn1-priv.h
 priv_headers += rfc2459_asn1-priv.h
 priv_headers += rfc4043_asn1-priv.h
 priv_headers += rfc4108_asn1-priv.h
+priv_headers += tcg_asn1-priv.h
 priv_headers += ocsp_asn1-priv.h
 priv_headers += pkcs8_asn1-priv.h
 priv_headers += pkcs9_asn1-priv.h
@@ -239,6 +244,7 @@ $(gen_files_kx509) kx509_asn1.hx kx509_asn1-priv.hx: kx509_asn1_files
 $(gen_files_rfc2459) rfc2459_asn1.hx rfc2459_asn1-priv.hx: rfc2459_asn1_files
 $(gen_files_rfc4043) rfc4043_asn1.hx rfc4043_asn1-priv.hx: rfc4043_asn1_files
 $(gen_files_rfc4108) rfc4108_asn1.hx rfc4108_asn1-priv.hx: rfc4108_asn1_files
+$(gen_files_tcg) tcg_asn1.hx tcg_asn1-priv.hx: tcg_asn1_files
 $(gen_files_cms) cms_asn1.hx cms_asn1-priv.hx: cms_asn1_files
 $(gen_files_crmf) crmf_asn1.hx crmf_asn1-priv.hx: crmf_asn1_files
 $(gen_files_test) test_asn1.hx test_asn1-priv.hx: test_asn1_files
@@ -253,6 +259,9 @@ rfc4043_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/rfc4043.asn1
 rfc4108_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/rfc4108.asn1
 	$(ASN1_COMPILE) --one-code-file $(srcdir)/rfc4108.asn1 rfc4108_asn1 || (rm -f rfc4108_asn1_files ; exit 1)
 
+tcg_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/tcg.asn1
+	$(ASN1_COMPILE) --prefix-enum --one-code-file $(srcdir)/tcg.asn1 tcg_asn1 || (rm -f tcg_asn1_files ; exit 1)
+
 cms_asn1_files: asn1_compile$(EXEEXT) $(srcdir)/cms.asn1 $(srcdir)/cms.opt
 	$(ASN1_COMPILE) --one-code-file --option-file=$(srcdir)/cms.opt $(srcdir)/cms.asn1 cms_asn1 || (rm -f cms_asn1_files ; exit 1)
 
@@ -317,6 +326,7 @@ EXTRA_DIST = \
 	rfc2459.asn1 \
 	rfc4043.asn1 \
 	rfc4108.asn1 \
+	tcg.asn1 \
 	setchgpw2.asn1 \
 	test.asn1 \
 	test.gen \
diff --git a/lib/asn1/NTMakefile b/lib/asn1/NTMakefile
index c45436b9e..4fae2453e 100644
--- a/lib/asn1/NTMakefile
+++ b/lib/asn1/NTMakefile
@@ -47,6 +47,8 @@ gen_files_rfc4043 = $(OBJ)\asn1_rfc4043_asn1.x
 
 gen_files_rfc4108 = $(OBJ)\asn1_rfc4108_asn1.x
 
+gen_files_tcg = $(OBJ)\asn1_tcg_asn1.x
+
 gen_files_ocsp = $(OBJ)\asn1_ocsp_asn1.x
 
 gen_files_pkinit = $(OBJ)\asn1_pkinit_asn1.x
@@ -123,9 +125,10 @@ LIBASN1_OBJS= \
 	$(gen_files_rfc2459:.x=.obj) \
 	$(gen_files_rfc4043:.x=.obj) \
 	$(gen_files_rfc4108:.x=.obj) \
+	$(gen_files_tcg:.x=.obj) \
 	$(gen_files_cms:.x=.obj) \
 	$(gen_files_crmf:.x=.obj) \
-	$(gen_files_krb5:.x=.obj) \
+	$(gen_files_krb5:.x=.obj) \
 	$(gen_files_ocsp:.x=.obj) \
 	$(gen_files_pkinit:.x=.obj) \
 	$(gen_files_pkcs8:.x=.obj) \
@@ -185,6 +188,8 @@ $(gen_files_rfc4043:.x=.c) : $$(@R).x
 
 $(gen_files_rfc4108:.x=.c) : $$(@R).x
 
+$(gen_files_tcg:.x=.c) : $$(@R).x
+
 $(gen_files_cms:.x=.c) : $$(@R).x
 
 $(gen_files_crmf:.x=.c) : $$(@R).x
@@ -281,6 +286,14 @@ $(gen_files_rfc4108) $(OBJ)\rfc4108_asn1.hx: $(BINDIR)\asn1_compile.exe rfc4108.
 		|| ($(RM) $(OBJ)\rfc4108_asn1.h ; exit /b 1)
 	cd $(SRCDIR)
 
+$(gen_files_tcg) $(OBJ)\tcg_asn1.hx: $(BINDIR)\asn1_compile.exe tcg.asn1
+	cd $(OBJ)
+	$(BINDIR)\asn1_compile.exe \
+		--one-code-file \
+		$(SRCDIR)\tcg.asn1 tcg_asn1 \
+		|| ($(RM) $(OBJ)\tcg_asn1.h ; exit /b 1)
+	cd $(SRCDIR)
+
 $(gen_files_cms) $(OBJ)\cms_asn1.hx: $(BINDIR)\asn1_compile.exe cms.asn1 cms.opt
 	cd $(OBJ)
 	$(BINDIR)\asn1_compile.exe \
@@ -332,6 +345,7 @@ GENINCFILES= \
 	$(INCDIR)\rfc2459_asn1.h \
 	$(INCDIR)\rfc4043_asn1.h \
 	$(INCDIR)\rfc4108_asn1.h \
+	$(INCDIR)\tcg_asn1.h \
 	$(OBJ)\krb5_asn1-priv.h \
 	$(OBJ)\ocsp_asn1-priv.h \
 	$(OBJ)\pkinit_asn1-priv.h \
@@ -340,6 +354,7 @@ GENINCFILES= \
 	$(OBJ)\rfc2459_asn1-priv.h \
 	$(OBJ)\rfc4043_asn1-priv.h \
 	$(OBJ)\rfc4108_asn1-priv.h \
+	$(OBJ)\tcg_asn1-priv.h \
 	$(OBJ)\pkcs8_asn1-priv.h \
 	$(OBJ)\pkcs9_asn1-priv.h \
 	$(OBJ)\pkcs10_asn1-priv.h \
diff --git a/lib/asn1/libasn1-exports.def b/lib/asn1/libasn1-exports.def
index d0fcae4e3..733891c15 100644
--- a/lib/asn1/libasn1-exports.def
+++ b/lib/asn1/libasn1-exports.def
@@ -241,6 +241,20 @@ EXPORTS
 	asn1_oid_id_x509_ce_subjectKeyIdentifier DATA
 	asn1_oid_id_x520_at DATA
 	asn1_oid_id_x9_57 DATA
+	asn1_oid_tcg_at_tpmManufacturer DATA
+	asn1_oid_tcg_at_tpmModel DATA
+	asn1_oid_tcg_at_tpmSecurityAssertions DATA
+	asn1_oid_tcg_at_tpmSpecification DATA
+	asn1_oid_tcg_at_tpmVersion DATA
+	asn1_oid_tcg_attribute DATA
+	asn1_oid_tcg_cap_verifiedTPMFixed DATA
+	asn1_oid_tcg_cap_verifiedTPMResidency DATA
+	asn1_oid_tcg_cap_verifiedTPMRestricted DATA
+	asn1_oid_tcg DATA
+	asn1_oid_tcg_kp DATA
+	asn1_oid_tcg_kp_EKCertificate DATA
+	asn1_oid_tcg_on_ekPermIdSha256 DATA
+	asn1_oid_tcg_tpm20 DATA
 	asn1_SAMFlags_units
 	asn1_TicketFlags_units
 	copy_AccessDescription
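Review bot: The Windows rule for tcg.asn1 runs asn1_compile.exe with only `--one-code-file`, while the Makefile.am rule in this same patch passes `--prefix-enum --one-code-file`, so the C enum labels generated from tcg.asn1 would differ between the two builds (prefixed on Unix, bare on Windows). Any hx509 code written against the prefixed names will not compile on Windows, and the bare labels tcg.asn1 defines (`basic`, `medium`, `high`, `internal`, ...) are the kind of short identifiers most likely to collide with other headers. Add `--prefix-enum \` to the asn1_compile.exe invocation, directly before `--one-code-file \`, so both build systems generate the same API.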
@@ -288,6 +302,7 @@ EXPORTS
 	copy_CMSIdentifier
 	copy_CMSRC2CBCParameter
 	copy_CMSVersion
+	copy_CommonCriteriaMeasures
 	copy_CommunityIdentifier
 	copy_CommunityIdentifiers
 	copy_ContentEncryptionAlgorithmIdentifier
@@ -326,6 +341,9 @@ EXPORTS
 	copy_ECDSA_Sig_Value
 	copy_ECParameters
 	copy_ECPoint
+	copy_EKCertificateGenerationLocation
+	copy_EKGenerationLocation
+	copy_EKGenerationType
 	copy_EncAPRepPart
 	copy_EncapsulatedContentInfo
 	copy_EncASRepPart
@@ -346,12 +364,15 @@ EXPORTS
 	copy_ETYPE_INFO2_ENTRY
 	copy_ETYPE_INFO_ENTRY
 	copy_EtypeList
+	copy_EvaluationAssuranceLevel
+	copy_EvaluationStatus
 	copy_Extension
 	copy_Extensions
 	copy_ExternalPrincipalIdentifier
 	copy_ExternalPrincipalIdentifiers
 	copy_ExtKeyUsage
 	copy_FastOptions
+	copy_FIPSLevel
 	copy_FirmwarePackageIdentifier
 	copy_FirmwarePackageInfo
 	copy_FirmwarePackageLoadError
@@ -517,12 +538,14 @@ EXPORTS
 	copy_RSAPrivateKey
 	copy_RSAPublicKey
 	copy_SAMFlags
+	copy_SecurityLevel
 	copy_SignatureAlgorithmIdentifier
 	copy_SignatureValue
 	copy_SignedData
 	copy_SignerIdentifier
 	copy_SignerInfo
 	copy_SignerInfos
+	copy_StrengthOfFunction
 	copy_SubjectInfoAccessSyntax
 	copy_SubjectKeyIdentifier
 	copy_SubjectPublicKeyInfo
@@ -537,6 +560,9 @@ EXPORTS
 	copy_Ticket
 	copy_TicketFlags
 	copy_Time
+	copy_TPMSecurityAssertions
+	copy_TPMSpecification
+	copy_TPMVersion
 	copy_TransitedEncoding
 	copy_TrustedCA
 	copy_TrustedCA_Win2k
@@ -544,6 +570,7 @@ EXPORTS
 	copy_TYPED_DATA
 	copy_UniqueIdentifier
 	copy_UnprotectedAttributes
+	copy_URIReference
 	copy_ValidationParms
 	copy_Validity
 	copy_VendorLoadErrorCode
@@ -594,6 +621,7 @@ EXPORTS
 	decode_CMSIdentifier
 	decode_CMSRC2CBCParameter
 	decode_CMSVersion
+	decode_CommonCriteriaMeasures
 	decode_CommunityIdentifier
 	decode_CommunityIdentifiers
 	decode_ContentEncryptionAlgorithmIdentifier
@@ -632,6 +660,9 @@ EXPORTS
 	decode_ECDSA_Sig_Value
 	decode_ECParameters
 	decode_ECPoint
+	decode_EKCertificateGenerationLocation
+	decode_EKGenerationLocation
+	decode_EKGenerationType
 	decode_EncAPRepPart
 	decode_EncapsulatedContentInfo
 	decode_EncASRepPart
@@ -652,12 +683,15 @@ EXPORTS
 	decode_ETYPE_INFO2_ENTRY
 	decode_ETYPE_INFO_ENTRY
 	decode_EtypeList
+	decode_EvaluationAssuranceLevel
+	decode_EvaluationStatus
 	decode_Extension
 	decode_Extensions
 	decode_ExternalPrincipalIdentifier
 	decode_ExternalPrincipalIdentifiers
 	decode_ExtKeyUsage
 	decode_FastOptions
+	decode_FIPSLevel
 	decode_FirmwarePackageIdentifier
 	decode_FirmwarePackageInfo
 	decode_FirmwarePackageLoadError
@@ -823,12 +857,14 @@ EXPORTS
 	decode_RSAPrivateKey
 	decode_RSAPublicKey
 	decode_SAMFlags
+	decode_SecurityLevel
 	decode_SignatureAlgorithmIdentifier
 	decode_SignatureValue
 	decode_SignedData
 	decode_SignerIdentifier
 	decode_SignerInfo
 	decode_SignerInfos
+	decode_StrengthOfFunction
 	decode_SubjectInfoAccessSyntax
 	decode_SubjectKeyIdentifier
 	decode_SubjectPublicKeyInfo
@@ -843,6 +879,9 @@ EXPORTS
 	decode_Ticket
 	decode_TicketFlags
 	decode_Time
+	decode_TPMSecurityAssertions
+	decode_TPMSpecification
+	decode_TPMVersion
 	decode_TransitedEncoding
 	decode_TrustedCA
 	decode_TrustedCA_Win2k
@@ -850,6 +889,7 @@ EXPORTS
 	decode_TYPED_DATA
 	decode_UniqueIdentifier
 	decode_UnprotectedAttributes
+	decode_URIReference
 	decode_ValidationParms
 	decode_Validity
 	decode_VendorLoadErrorCode
@@ -1027,6 +1067,7 @@ EXPORTS
 	encode_CMSIdentifier
 	encode_CMSRC2CBCParameter
 	encode_CMSVersion
+	encode_CommonCriteriaMeasures
 	encode_CommunityIdentifier
 	encode_CommunityIdentifiers
 	encode_ContentEncryptionAlgorithmIdentifier
@@ -1065,6 +1106,9 @@ EXPORTS
 	encode_ECDSA_Sig_Value
 	encode_ECParameters
 	encode_ECPoint
+	encode_EKCertificateGenerationLocation
+	encode_EKGenerationLocation
+	encode_EKGenerationType
 	encode_EncAPRepPart
 	encode_EncapsulatedContentInfo
 	encode_EncASRepPart
@@ -1085,12 +1129,15 @@ EXPORTS
 	encode_ETYPE_INFO2_ENTRY
 	encode_ETYPE_INFO_ENTRY
 	encode_EtypeList
+	encode_EvaluationAssuranceLevel
+	encode_EvaluationStatus
 	encode_Extension
 	encode_Extensions
 	encode_ExternalPrincipalIdentifier
 	encode_ExternalPrincipalIdentifiers
 	encode_ExtKeyUsage
 	encode_FastOptions
+	encode_FIPSLevel
 	encode_FirmwarePackageIdentifier
 	encode_FirmwarePackageInfo
 	encode_FirmwarePackageLoadError
@@ -1256,12 +1303,14 @@ EXPORTS
 	encode_RSAPrivateKey
 	encode_RSAPublicKey
 	encode_SAMFlags
+	encode_SecurityLevel
 	encode_SignatureAlgorithmIdentifier
 	encode_SignatureValue
 	encode_SignedData
 	encode_SignerIdentifier
 	encode_SignerInfo
 	encode_SignerInfos
+	encode_StrengthOfFunction
 	encode_SubjectInfoAccessSyntax
 	encode_SubjectKeyIdentifier
 	encode_SubjectPublicKeyInfo
@@ -1276,6 +1325,9 @@ EXPORTS
 	encode_Ticket
 	encode_TicketFlags
 	encode_Time
+	encode_TPMSecurityAssertions
+	encode_TPMSpecification
+	encode_TPMVersion
 	encode_TransitedEncoding
 	encode_TrustedCA
 	encode_TrustedCA_Win2k
@@ -1283,6 +1335,7 @@ EXPORTS
 	encode_TYPED_DATA
 	encode_UniqueIdentifier
 	encode_UnprotectedAttributes
+	encode_URIReference
 	encode_ValidationParms
 	encode_Validity
 	encode_VendorLoadErrorCode
@@ -1334,6 +1387,7 @@ EXPORTS
 	free_CMSIdentifier
 	free_CMSRC2CBCParameter
 	free_CMSVersion
+	free_CommonCriteriaMeasures
 	free_CommunityIdentifier
 	free_CommunityIdentifiers
 	free_ContentEncryptionAlgorithmIdentifier
@@ -1372,6 +1426,9 @@ EXPORTS
 	free_ECDSA_Sig_Value
 	free_ECParameters
 	free_ECPoint
+	free_EKCertificateGenerationLocation
+	free_EKGenerationLocation
+	free_EKGenerationType
 	free_EncAPRepPart
 	free_EncapsulatedContentInfo
 	free_EncASRepPart
@@ -1392,12 +1449,15 @@ EXPORTS
 	free_ETYPE_INFO2_ENTRY
 	free_ETYPE_INFO_ENTRY
 	free_EtypeList
+	free_EvaluationAssuranceLevel
+	free_EvaluationStatus
 	free_Extension
 	free_Extensions
 	free_ExternalPrincipalIdentifier
 	free_ExternalPrincipalIdentifiers
 	free_ExtKeyUsage
 	free_FastOptions
+	free_FIPSLevel
 	free_FirmwarePackageIdentifier
 	free_FirmwarePackageInfo
 	free_FirmwarePackageLoadError
@@ -1563,12 +1623,14 @@ EXPORTS
 	free_RSAPrivateKey
 	free_RSAPublicKey
 	free_SAMFlags
+	free_SecurityLevel
 	free_SignatureAlgorithmIdentifier
 	free_SignatureValue
 	free_SignedData
 	free_SignerIdentifier
 	free_SignerInfo
 	free_SignerInfos
+	free_StrengthOfFunction
 	free_SubjectInfoAccessSyntax
 	free_SubjectKeyIdentifier
 	free_SubjectPublicKeyInfo
@@ -1583,6 +1645,9 @@ EXPORTS
 	free_Ticket
 	free_TicketFlags
 	free_Time
+	free_TPMSecurityAssertions
+	free_TPMSpecification
+	free_TPMVersion
 	free_TransitedEncoding
 	free_TrustedCA
 	free_TrustedCA_Win2k
@@ -1590,6 +1655,7 @@ EXPORTS
 	free_TYPED_DATA
 	free_UniqueIdentifier
 	free_UnprotectedAttributes
+	free_URIReference
 	free_ValidationParms
 	free_Validity
 	free_VendorLoadErrorCode
@@ -1662,6 +1728,7 @@ EXPORTS
 	length_CMSIdentifier
 	length_CMSRC2CBCParameter
 	length_CMSVersion
+	length_CommonCriteriaMeasures
 	length_CommunityIdentifier
 	length_CommunityIdentifiers
 	length_ContentEncryptionAlgorithmIdentifier
@@ -1700,6 +1767,9 @@ EXPORTS
 	length_ECDSA_Sig_Value
 	length_ECParameters
 	length_ECPoint
+	length_EKCertificateGenerationLocation
+	length_EKGenerationLocation
+	length_EKGenerationType
 	length_EncAPRepPart
 	length_EncapsulatedContentInfo
 	length_EncASRepPart
@@ -1720,12 +1790,15 @@ EXPORTS
 	length_ETYPE_INFO2_ENTRY
 	length_ETYPE_INFO_ENTRY
 	length_EtypeList
+	length_EvaluationAssuranceLevel
+	length_EvaluationStatus
 	length_Extension
 	length_Extensions
 	length_ExternalPrincipalIdentifier
 	length_ExternalPrincipalIdentifiers
 	length_ExtKeyUsage
 	length_FastOptions
+	length_FIPSLevel
 	length_FirmwarePackageIdentifier
 	length_FirmwarePackageInfo
 	length_FirmwarePackageLoadError
@@ -1891,12 +1964,14 @@ EXPORTS
 	length_RSAPrivateKey
 	length_RSAPublicKey
 	length_SAMFlags
+	length_SecurityLevel
 	length_SignatureAlgorithmIdentifier
 	length_SignatureValue
 	length_SignedData
 	length_SignerIdentifier
 	length_SignerInfo
 	length_SignerInfos
+	length_StrengthOfFunction
 	length_SubjectInfoAccessSyntax
 	length_SubjectKeyIdentifier
 	length_SubjectPublicKeyInfo
@@ -1911,6 +1986,9 @@ EXPORTS
 	length_Ticket
 	length_TicketFlags
 	length_Time
+	length_TPMSecurityAssertions
+	length_TPMSpecification
+	length_TPMVersion
 	length_TransitedEncoding
 	length_TrustedCA
 	length_TrustedCA_Win2k
@@ -1918,6 +1996,7 @@ EXPORTS
 	length_TYPED_DATA
 	length_UniqueIdentifier
 	length_UnprotectedAttributes
+	length_URIReference
 	length_ValidationParms
 	length_Validity
 	length_VendorLoadErrorCode
diff --git a/lib/asn1/oid_resolution.c b/lib/asn1/oid_resolution.c
index caa28e326..0e230676b 100644
--- a/lib/asn1/oid_resolution.c
+++ b/lib/asn1/oid_resolution.c
@@ -46,6 +46,7 @@
 #include "pkcs9_asn1.h"
 #include "pkinit_asn1.h"
 #include "rfc2459_asn1.h"
+#include "tcg_asn1.h"
 
 struct sym_oid {
@@ -70,6 +71,7 @@ static const struct sym_oid sym_oids[] = {
 #include "pkcs9_asn1_oids.x"
 #include "pkinit_asn1_oids.x"
 #include "rfc2459_asn1_oids.x"
+#include "tcg_asn1_oids.x"
 };
 
 static size_t num_sym_oids = sizeof(sym_oids) / sizeof(sym_oids[0]);
diff --git a/lib/asn1/tcg.asn1 b/lib/asn1/tcg.asn1
new file mode 100644
index 000000000..fc6bde3d7
--- /dev/null
+++ b/lib/asn1/tcg.asn1
@@ -0,0 +1,161 @@
+TCG DEFINITIONS ::= BEGIN
+
+IMPORTS CertificateSerialNumber, AlgorithmIdentifier, Name,
+        Attribute, Certificate, SubjectKeyIdentifier FROM rfc2459
+        heim_any, heim_any_set FROM heim;
+
+
+-- BEGIN Heimdal commentary
+--
+-- Copy-pasted from section 4 of
+-- https://trustedcomputinggroup.org/wp-content/uploads/TCG_IWG_EKCredentialProfile_v2p3_r2_pub.pdf
+-- https://trustedcomputinggroup.org/wp-content/uploads/Credential_Profile_EK_V2.0_R14_published.pdf
+-- and adjusted to compile as follows:
+--
+--  - Extensibility markers added to all SEQUENCEs as per the TCG's spec they
+--    reserve the right to add fields in the future.
+--  - Information Object System annotations commented out (Heimdal does not
+--    support them)
+--  - Types sorted topologically (at the time I did that the Heimdal ASN.1
+--    compiler wouldn't do that on its own)
+--  - Two otherwise equal ENUMERATED types share a definition now (at the time
+--    the Heimdal ASN.1 compiler did not prefix labels of ENUMERATED types)
+--
+-- A small note for anyone whoever finds this: do not add complex structures as
+-- DN attributes, or, indeed, never add DN attributes again. If some metadata
+-- is name-like, then add a subjectAlternativeName otherName for it, otherwise
+-- add a certificate extension to carry that metadata. And, for any name-like
+-- metadata, always always include query and display syntax for it.
+--
+-- Anyone designing anything but the simplest schema in ASN.1 should have to
+-- learn a bit more about ASN.1 and/or get a review from ASN.1 experts.
+--
+-- Anyone designing anything but the simplest x.509 extensions should have to
+-- learn a bit more about ASN.1 and x.509 and/or get a review from x.509
+-- experts.
+--
+-- Note that a module OID was not provided. Indeed, a valid, complete ASN.1
+-- module was not provided.
+--
+-- END Heimdal commentary (though some minor Heimdal commentary appears below)
+
+--TCG specific OIDs
+tcg OBJECT IDENTIFIER ::= {joint-iso-itu-t(2) international-organizations(23) tcg(133)}
+tcg-attribute OBJECT IDENTIFIER ::= {tcg 2}
+tcg-kp OBJECT IDENTIFIER ::= {tcg 8}
+
+--TCG Attribute OIDs
+tcg-at-tpmManufacturer OBJECT IDENTIFIER ::= {tcg-attribute 1}
+tcg-at-tpmModel OBJECT IDENTIFIER ::= {tcg-attribute 2}
+tcg-at-tpmVersion OBJECT IDENTIFIER ::= {tcg-attribute 3}
+tcg-at-tpmSpecification OBJECT IDENTIFIER ::= {tcg-attribute 16}
+tcg-at-tpmSecurityAssertions OBJECT IDENTIFIER ::= {tcg-attribute 18}
+
+--TCG Key Purposes OIDs
+tcg-kp-EKCertificate OBJECT IDENTIFIER ::= {tcg-kp 1}
+
+-- OIDs not in the module in TCG_IWG_EKCredentialProfile_v2p3_r2_pub but in
+-- TCG_IWG_DevID_v1r2_02dec2020 (missing arc names not mentioned in the TCG
+-- specs):
+tcg-tpm20 OBJECT IDENTIFIER ::= {tcg 1 2} -- this OID is not named in the TCG specs
+tcg-on-ekPermIdSha256 OBJECT IDENTIFIER ::= {tcg 12 1}
+tcg-cap-verifiedTPMResidency OBJECT IDENTIFIER ::= {tcg 11 1 1} -- policy OID
+tcg-cap-verifiedTPMFixed OBJECT IDENTIFIER ::= {tcg 11 1 2} -- policy OID
+tcg-cap-verifiedTPMRestricted OBJECT IDENTIFIER ::= {tcg 11 1 3} -- policy OID
+
+EKGenerationType ::= ENUMERATED {
+    internal (0),
+    injected (1),
+    internalRevocable(2),
+    injectedRevocable(3)
+    }
+EKGenerationLocation ::= ENUMERATED {
+    tpmManufacturer (0),
+    platformManufacturer (1),
+    ekCertSigner (2)
+}
+EKCertificateGenerationLocation ::= EKGenerationLocation -- XXX
+EvaluationAssuranceLevel ::= ENUMERATED {
+    ealevell (1),
+    ealevel2 (2),
+    ealevel3 (3),
+    ealevel4 (4),
+    ealevel5 (5),
+    ealevel6 (6),
+    ealevel7 (7)
+}
+SecurityLevel ::= ENUMERATED {
+    sllevel1 (1),
+    sllevel2 (2),
+    sllevel3 (3),
+    sllevel4 (4)
+}
+StrengthOfFunction ::= ENUMERATED {
+    basic (0),
+    medium (1),
+    high (2)
+}
+URIReference ::= SEQUENCE {
+    uniformResourceIdentifier IA5String, -- (SIZE (1..URIMAX))
+    hashAlgorithm AlgorithmIdentifier OPTIONAL,
+    hashValue BIT STRING OPTIONAL
+}
+EvaluationStatus ::= ENUMERATED {
+    designedToMeet (0),
+    evaluationInProgress (1),
+    evaluationCompleted (2)
+}
+
+--tcg specification attributes for tpm
+-- tPMSpecification ATTRIBUTE ::= {WITH SYNTAX TPMSpecification ID tcg-at-tpmSpecification }
+TPMSpecification ::= SEQUENCE {
+    family UTF8String, -- (SIZE (1..STRMAX))
+    level INTEGER,
+    revision INTEGER,
+    ...
+}
+
+--manufacturer implementation model and version attributes
+-- TPMManufacturer ATTRIBUTE ::= {WITH SYNTAX UTF8String (SIZE (1..STRMAX)) ID tcg-at-tpmManufacturer }
+-- TPMModel ATTRIBUTE ::= {WITH SYNTAX UTF8String (SIZE (1..STRMAX)) ID tcg-at-tpmModel }
+-- TPMVersion ATTRIBUTE ::= {WITH SYNTAX UTF8String (SIZE (1..STRMAX)) ID tcg-at-tpmVersion }
+
+--common criteria evaluation
+CommonCriteriaMeasures ::= SEQUENCE {
+    version IA5String, -- (SIZE (1..STRMAX)) “2.2” or “3.1”;future syntax defined by CC
+    assurancelevel EvaluationAssuranceLevel,
+    evaluationStatus EvaluationStatus,
+    plus BOOLEAN DEFAULT FALSE,
+    strengthOfFunction [0] IMPLICIT StrengthOfFunction OPTIONAL,
+    profileOid [1] IMPLICIT OBJECT IDENTIFIER OPTIONAL,
+    profileUri [2] IMPLICIT URIReference OPTIONAL,
+    targetOid [3] IMPLICIT OBJECT IDENTIFIER OPTIONAL,
+    targetUri [4] IMPLICIT URIReference OPTIONAL,
+    ...
+}
+
+--fips evaluation
+FIPSLevel ::= SEQUENCE {
+    version IA5String, -- (SIZE (1..STRMAX)) “140-1” or “140-2”
+    level SecurityLevel,
+    plus BOOLEAN DEFAULT FALSE,
+    ...
+}
+
+--tpm security assertions
+TPMVersion ::= INTEGER { tpm-v1(0) }
+--tPMSecurityAssertions ATTRIBUTE ::= {WITH SYNTAX TPMSecurityAssertions ID tcg—at-tpmSecurityAssertions}
+TPMSecurityAssertions ::= SEQUENCE {
+    version TPMVersion DEFAULT 0, -- v1
+    fieldUpgradable BOOLEAN DEFAULT FALSE,
+    ekGenerationType [0] IMPLICIT EKGenerationType OPTIONAL,
+    ekGenerationLocation [1] IMPLICIT EKGenerationLocation OPTIONAL,
+    ekCertificateGenerationLocation [2] IMPLICIT EKCertificateGenerationLocation OPTIONAL,
+    ccInfo [3] IMPLICIT CommonCriteriaMeasures OPTIONAL,
+    fipsLevel [4] IMPLICIT FIPSLevel OPTIONAL,
+    iso9000Certified [5] IMPLICIT BOOLEAN DEFAULT FALSE,
+    iso9000Uri IA5String OPTIONAL, -- (SIZE (1..URIMAX))
+    ...
+}
+
+END
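Review bot: Every SIZE constraint from the TCG profile is carried only as a trailing comment (`-- (SIZE (1..URIMAX))` on uniformResourceIdentifier and iso9000Uri, `-- (SIZE (1..STRMAX))` on family and the two version strings), so the generated decoder will accept empty or arbitrarily long IA5String/UTF8String values from an EK certificate, and the hx509 code this module is written for will have to bound those lengths itself before logging, displaying or comparing them; the "adjusted to compile" list in the header commentary does not mention this, so add a bullet such as `--  - SIZE constraints commented out; STRMAX/URIMAX are not defined here, callers must bound string lengths` (or restore them with the spec's concrete values if the compiler enforces them). Separately, the label `ealevell (1)` in EvaluationAssuranceLevel reads like a transcription of `ealevel1` and becomes a C identifier under `--prefix-enum`; if it is verbatim from the spec, a one-line comment saying so would keep the next reader from "correcting" it. The IMPORTS clause also pulls in CertificateSerialNumber, Name, Attribute, Certificate, SubjectKeyIdentifier, heim_any and heim_any_set although only AlgorithmIdentifier is referenced in the module.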