oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

asn1: Some TPM fields have to be EXPLICIT

Browse Source 
The TCG EK cert profile says that the context tags in the
TPMSecurityAssertions type are IMPLICIT.  The sample EK cert we have
has them as EXPLICIT.

What to do?
This commit is contained in:
Nicolas Williams
2021-03-07 00:31:47 -06:00
parent f7a018f002
commit be61d72be3
2 changed files with 50 additions and 49 deletions
Download Patch File Download Diff File Expand all files Collapse all files

84
lib/asn1/check-gen.c
View File

@@ -2296,48 +2296,48 @@ test_ios(void)
"1030A0100A2030A0100A310300E1603332E310A01040A01020101FFA40F300D1"
"6053134302D320A0102010100\"],\"_values_choice\":\"\",\"_values\":[{\"_ty"
"pe\":\"TPMSecurityAssertions\",\"version\":\"0\",\"fieldUpgradable\":true"
",\"ekGenerationType\":\"655617\",\"ekGenerationLocation\":\"655616\",\"ek"
"CertificateGenerationLocation\":\"655616\",\"ccInfo\":{\"_type\":\"Commo"
"nCriteriaMeasures\",\"version\":\"3.1\",\"assurancelevel\":\"4\",\"evaluat"
"ionStatus\":\"2\",\"plus\":true,\"strengthOfFunction\":null,\"profileOid"
"\":null,\"profileUri\":null,\"targetOid\":null,\"targetUri\":null},\"fip"
"sLevel\":{\"_type\":\"FIPSLevel\",\"version\":\"140-2\",\"level\":\"2\",\"plus"
"\":false},\"iso9000Certified\":false,\"iso9000Uri\":null}]}]},{\"_type"
"\":\"Extension\",\"extnID\":{\"_type\":\"OBJECT IDENTIFIER\",\"oid\":\"2.5.2"
"9.15\",\"components\":[2,5,29,15],\"name\":\"id-x509-ce-keyUsage\"},\"cr"
"itical\":true,\"extnValue\":\"03020520\",\"_extnValue_choice\":\"\",\"_ext"
"nValue\":[\"keyEncipherment\"]},{\"_type\":\"Extension\",\"extnID\":{\"_ty"
"pe\":\"OBJECT IDENTIFIER\",\"oid\":\"2.5.29.19\",\"components\":[2,5,29,1"
"9],\"name\":\"id-x509-ce-basicConstraints\"},\"critical\":true,\"extnVa"
"lue\":\"3000\",\"_extnValue_choice\":\"\",\"_extnValue\":{\"_type\":\"BasicC"
"onstraints\",\"cA\":false,\"pathLenConstraint\":null}},{\"_type\":\"Exte"
"nsion\",\"extnID\":{\"_type\":\"OBJECT IDENTIFIER\",\"oid\":\"2.5.29.37\",\""
"components\":[2,5,29,37],\"name\":\"id-x509-ce-extKeyUsage\"},\"critic"
"al\":false,\"extnValue\":\"300706056781050801\",\"_extnValue_choice\":\""
"\",\"_extnValue\":[{\"_type\":\"OBJECT IDENTIFIER\",\"oid\":\"2.23.133.8.1"
"\",\"components\":[2,23,133,8,1],\"name\":\"tcg-kp-EKCertificate\"}]},{"
"\"_type\":\"Extension\",\"extnID\":{\"_type\":\"OBJECT IDENTIFIER\",\"oid\":"
"\"1.3.6.1.5.5.7.1.1\",\"components\":[1,3,6,1,5,5,7,1,1],\"name\":\"id-"
"pkix-pe-authorityInfoAccess\"},\"critical\":false,\"extnValue\":\"303C"
"303A06082B06010505073002862E687474703A2F2F7365637572652E676C6F62"
"616C7369676E2E636F6D2F73746D74706D656B696E7430352E637274\",\"_extn"
"Value_choice\":\"\",\"_extnValue\":[{\"_type\":\"AccessDescription\",\"acc"
"essMethod\":{\"_type\":\"OBJECT IDENTIFIER\",\"oid\":\"1.3.6.1.5.5.7.48."
"2\",\"components\":[1,3,6,1,5,5,7,48,2],\"name\":\"id-pkix-ad-caIssuer"
"s\"},\"accessLocation\":{\"_choice\":\"uniformResourceIdentifier\",\"val"
"ue\":\"http://secure.globalsign.com/stmtpmekint05.crt\"}}]}]},\"sign"
"atureAlgorithm\":{\"_type\":\"AlgorithmIdentifier\",\"algorithm\":{\"_ty"
"pe\":\"OBJECT IDENTIFIER\",\"oid\":\"1.2.840.113549.1.1.11\",\"component"
"s\":[1,2,840,113549,1,1,11],\"name\":\"id-pkcs1-sha256WithRSAEncrypt"
"ion\"},\"parameters\":\"0500\"},\"signatureValue\":\"2048:3D4C381E5B4F1B"
"CBE09C63D52F1F04570CAEA142FD9CD942043B11F8E3BDCF50007AE16CF88690"
"13041E92CDD3280BA4B51FBBD40582ED750219E261A695095674855AACEB520A"
"DAFF9E7E908480A39CDCF900462D9171960FFE55D3AC49E8C981341BBD2EFBCC"
"252A4C18A4F3B7C84CCE42CE70A208C84D2630A7ABFBE72D6271E75B9FF1C971"
"D20EB3DBD763F1E04D834EAA692D2E4001BBF4730A3E3FDA9711AE386524D91C"
"63BE0E516D00D5C6141FCCF6C539F3518E180049865BE16B69CAE1F8CB7FDC47"
"4B38F7EE56CBE7D8A89D9BA99B65D5265AEF32AA62426B10E6D75BB8677EC44F"
"755BBC2806FD2B4E04BDF5D44259DBEAA42B6F563DF7AA7506\"}"
",\"ekGenerationType\":\"1\",\"ekGenerationLocation\":\"0\",\"ekCertificat"
"eGenerationLocation\":\"0\",\"ccInfo\":{\"_type\":\"CommonCriteriaMeasur"
"es\",\"version\":\"3.1\",\"assurancelevel\":\"4\",\"evaluationStatus\":\"2\","
"\"plus\":true,\"strengthOfFunction\":null,\"profileOid\":null,\"profile"
"Uri\":null,\"targetOid\":null,\"targetUri\":null},\"fipsLevel\":{\"_type"
"\":\"FIPSLevel\",\"version\":\"140-2\",\"level\":\"2\",\"plus\":false},\"iso90"
"00Certified\":false,\"iso9000Uri\":null}]}]},{\"_type\":\"Extension\",\""
"extnID\":{\"_type\":\"OBJECT IDENTIFIER\",\"oid\":\"2.5.29.15\",\"componen"
"ts\":[2,5,29,15],\"name\":\"id-x509-ce-keyUsage\"},\"critical\":true,\"e"
"xtnValue\":\"03020520\",\"_extnValue_choice\":\"\",\"_extnValue\":[\"keyEn"
"cipherment\"]},{\"_type\":\"Extension\",\"extnID\":{\"_type\":\"OBJECT IDE"
"NTIFIER\",\"oid\":\"2.5.29.19\",\"components\":[2,5,29,19],\"name\":\"id-x"
"509-ce-basicConstraints\"},\"critical\":true,\"extnValue\":\"3000\",\"_e"
"xtnValue_choice\":\"\",\"_extnValue\":{\"_type\":\"BasicConstraints\",\"cA"
"\":false,\"pathLenConstraint\":null}},{\"_type\":\"Extension\",\"extnID\""
":{\"_type\":\"OBJECT IDENTIFIER\",\"oid\":\"2.5.29.37\",\"components\":[2,"
"5,29,37],\"name\":\"id-x509-ce-extKeyUsage\"},\"critical\":false,\"extn"
"Value\":\"300706056781050801\",\"_extnValue_choice\":\"\",\"_extnValue\":"
"[{\"_type\":\"OBJECT IDENTIFIER\",\"oid\":\"2.23.133.8.1\",\"components\":"
"[2,23,133,8,1],\"name\":\"tcg-kp-EKCertificate\"}]},{\"_type\":\"Extens"
"ion\",\"extnID\":{\"_type\":\"OBJECT IDENTIFIER\",\"oid\":\"1.3.6.1.5.5.7."
"1.1\",\"components\":[1,3,6,1,5,5,7,1,1],\"name\":\"id-pkix-pe-authori"
"tyInfoAccess\"},\"critical\":false,\"extnValue\":\"303C303A06082B06010"
"505073002862E687474703A2F2F7365637572652E676C6F62616C7369676E2E6"
"36F6D2F73746D74706D656B696E7430352E637274\",\"_extnValue_choice\":\""
"\",\"_extnValue\":[{\"_type\":\"AccessDescription\",\"accessMethod\":{\"_t"
"ype\":\"OBJECT IDENTIFIER\",\"oid\":\"1.3.6.1.5.5.7.48.2\",\"components\""
":[1,3,6,1,5,5,7,48,2],\"name\":\"id-pkix-ad-caIssuers\"},\"accessLoca"
"tion\":{\"_choice\":\"uniformResourceIdentifier\",\"value\":\"http://sec"
"ure.globalsign.com/stmtpmekint05.crt\"}}]}]},\"signatureAlgorithm\""
":{\"_type\":\"AlgorithmIdentifier\",\"algorithm\":{\"_type\":\"OBJECT IDE"
"NTIFIER\",\"oid\":\"1.2.840.113549.1.1.11\",\"components\":[1,2,840,113"
"549,1,1,11],\"name\":\"id-pkcs1-sha256WithRSAEncryption\"},\"paramete"
"rs\":\"0500\"},\"signatureValue\":\"2048:3D4C381E5B4F1BCBE09C63D52F1F0"
"4570CAEA142FD9CD942043B11F8E3BDCF50007AE16CF8869013041E92CDD3280"
"BA4B51FBBD40582ED750219E261A695095674855AACEB520ADAFF9E7E908480A"
"39CDCF900462D9171960FFE55D3AC49E8C981341BBD2EFBCC252A4C18A4F3B7C"
"84CCE42CE70A208C84D2630A7ABFBE72D6271E75B9FF1C971D20EB3DBD763F1E"
"04D834EAA692D2E4001BBF4730A3E3FDA9711AE386524D91C63BE0E516D00D5C"
"6141FCCF6C539F3518E180049865BE16B69CAE1F8CB7FDC474B38F7EE56CBE7D"
"8A89D9BA99B65D5265AEF32AA62426B10E6D75BB8677EC44F755BBC2806FD2B4"
"E04BDF5D44259DBEAA42B6F563DF7AA7506\"}"
};
heim_octet_string os;
Certificate c0, c1;

15
lib/asn1/rfc2459.asn1
View File

@@ -863,13 +863,14 @@ TPMVersion ::= INTEGER { tpm-v1(0) }
TPMSecurityAssertions ::= SEQUENCE {
version TPMVersion DEFAULT 0, -- v1
fieldUpgradable BOOLEAN DEFAULT FALSE,
ekGenerationType [0] IMPLICIT EKGenerationType OPTIONAL,
ekGenerationLocation [1] IMPLICIT EKGenerationLocation OPTIONAL,
ekCertificateGenerationLocation [2] IMPLICIT EKCertificateGenerationLocation OPTIONAL,
-- These two are marked IMPLICIT, but...
ccInfo [3] CommonCriteriaMeasures OPTIONAL,
fipsLevel [4] FIPSLevel OPTIONAL,
iso9000Certified [5] IMPLICIT BOOLEAN DEFAULT FALSE,
-- The TCG EK cert profile spec says all these context tags are IMPLICIT,
-- but samples in the field have them as EXPLICIT.
ekGenerationType [0] EXPLICIT EKGenerationType OPTIONAL,
ekGenerationLocation [1] EXPLICIT EKGenerationLocation OPTIONAL,
ekCertificateGenerationLocation [2] EXPLICIT EKCertificateGenerationLocation OPTIONAL,
ccInfo [3] EXPLICIT CommonCriteriaMeasures OPTIONAL,
fipsLevel [4] EXPLICIT FIPSLevel OPTIONAL,
iso9000Certified [5] EXPLICIT BOOLEAN DEFAULT FALSE,
iso9000Uri IA5String OPTIONAL, -- (SIZE (1..URIMAX))
...
}