asn1: Some TPM fields have to be EXPLICIT

The TCG EK cert profile says that the context tags in the
TPMSecurityAssertions type are IMPLICIT.  The sample EK cert we have
has them as EXPLICIT.

What to do?
Nicolas Williams
2021-03-07 00:31:47 -06:00
parent f7a018f002
commit be61d72be3
2 changed files with 50 additions and 49 deletions


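--- a/<test-source-path-not-shown>
+++ b/<test-source-path-not-shown>
@@ -2296,48 +2296,48 @@ test_ios(void)
 "1030A0100A2030A0100A310300E1603332E310A01040A01020101FFA40F300D1"
 "6053134302D320A0102010100\"],\"_values_choice\":\"\",\"_values\":[{\"_ty"
 "pe\":\"TPMSecurityAssertions\",\"version\":\"0\",\"fieldUpgradable\":true"
-",\"ekGenerationType\":\"655617\",\"ekGenerationLocation\":\"655616\",\"ek"
-"CertificateGenerationLocation\":\"655616\",\"ccInfo\":{\"_type\":\"Commo"
-"nCriteriaMeasures\",\"version\":\"3.1\",\"assurancelevel\":\"4\",\"evaluat"
-"ionStatus\":\"2\",\"plus\":true,\"strengthOfFunction\":null,\"profileOid"
-"\":null,\"profileUri\":null,\"targetOid\":null,\"targetUri\":null},\"fip"
-"sLevel\":{\"_type\":\"FIPSLevel\",\"version\":\"140-2\",\"level\":\"2\",\"plus"
-"\":false},\"iso9000Certified\":false,\"iso9000Uri\":null}]}]},{\"_type"
-"\":\"Extension\",\"extnID\":{\"_type\":\"OBJECT IDENTIFIER\",\"oid\":\"2.5.2"
-"9.15\",\"components\":[2,5,29,15],\"name\":\"id-x509-ce-keyUsage\"},\"cr"
-"itical\":true,\"extnValue\":\"03020520\",\"_extnValue_choice\":\"\",\"_ext"
-"nValue\":[\"keyEncipherment\"]},{\"_type\":\"Extension\",\"extnID\":{\"_ty"
-"pe\":\"OBJECT IDENTIFIER\",\"oid\":\"2.5.29.19\",\"components\":[2,5,29,1"
-"9],\"name\":\"id-x509-ce-basicConstraints\"},\"critical\":true,\"extnVa"
-"lue\":\"3000\",\"_extnValue_choice\":\"\",\"_extnValue\":{\"_type\":\"BasicC"
-"onstraints\",\"cA\":false,\"pathLenConstraint\":null}},{\"_type\":\"Exte"
-"nsion\",\"extnID\":{\"_type\":\"OBJECT IDENTIFIER\",\"oid\":\"2.5.29.37\",\""
-"components\":[2,5,29,37],\"name\":\"id-x509-ce-extKeyUsage\"},\"critic"
-"al\":false,\"extnValue\":\"300706056781050801\",\"_extnValue_choice\":\""
-"\",\"_extnValue\":[{\"_type\":\"OBJECT IDENTIFIER\",\"oid\":\"2.23.133.8.1"
-"\",\"components\":[2,23,133,8,1],\"name\":\"tcg-kp-EKCertificate\"}]},{"
-"\"_type\":\"Extension\",\"extnID\":{\"_type\":\"OBJECT IDENTIFIER\",\"oid\":"
-"\"1.3.6.1.5.5.7.1.1\",\"components\":[1,3,6,1,5,5,7,1,1],\"name\":\"id-"
-"pkix-pe-authorityInfoAccess\"},\"critical\":false,\"extnValue\":\"303C"
-"303A06082B06010505073002862E687474703A2F2F7365637572652E676C6F62"
-"616C7369676E2E636F6D2F73746D74706D656B696E7430352E637274\",\"_extn"
-"Value_choice\":\"\",\"_extnValue\":[{\"_type\":\"AccessDescription\",\"acc"
-"essMethod\":{\"_type\":\"OBJECT IDENTIFIER\",\"oid\":\"1.3.6.1.5.5.7.48."
-"2\",\"components\":[1,3,6,1,5,5,7,48,2],\"name\":\"id-pkix-ad-caIssuer"
-"s\"},\"accessLocation\":{\"_choice\":\"uniformResourceIdentifier\",\"val"
-"ue\":\"http://secure.globalsign.com/stmtpmekint05.crt\"}}]}]},\"sign"
-"atureAlgorithm\":{\"_type\":\"AlgorithmIdentifier\",\"algorithm\":{\"_ty"
-"pe\":\"OBJECT IDENTIFIER\",\"oid\":\"1.2.840.113549.1.1.11\",\"component"
-"s\":[1,2,840,113549,1,1,11],\"name\":\"id-pkcs1-sha256WithRSAEncrypt"
-"ion\"},\"parameters\":\"0500\"},\"signatureValue\":\"2048:3D4C381E5B4F1B"
-"CBE09C63D52F1F04570CAEA142FD9CD942043B11F8E3BDCF50007AE16CF88690"
-"13041E92CDD3280BA4B51FBBD40582ED750219E261A695095674855AACEB520A"
-"DAFF9E7E908480A39CDCF900462D9171960FFE55D3AC49E8C981341BBD2EFBCC"
-"252A4C18A4F3B7C84CCE42CE70A208C84D2630A7ABFBE72D6271E75B9FF1C971"
-"D20EB3DBD763F1E04D834EAA692D2E4001BBF4730A3E3FDA9711AE386524D91C"
-"63BE0E516D00D5C6141FCCF6C539F3518E180049865BE16B69CAE1F8CB7FDC47"
-"4B38F7EE56CBE7D8A89D9BA99B65D5265AEF32AA62426B10E6D75BB8677EC44F"
-"755BBC2806FD2B4E04BDF5D44259DBEAA42B6F563DF7AA7506\"}"
+",\"ekGenerationType\":\"1\",\"ekGenerationLocation\":\"0\",\"ekCertificat"
+"eGenerationLocation\":\"0\",\"ccInfo\":{\"_type\":\"CommonCriteriaMeasur"
+"es\",\"version\":\"3.1\",\"assurancelevel\":\"4\",\"evaluationStatus\":\"2\","
+"\"plus\":true,\"strengthOfFunction\":null,\"profileOid\":null,\"profile"
+"Uri\":null,\"targetOid\":null,\"targetUri\":null},\"fipsLevel\":{\"_type"
+"\":\"FIPSLevel\",\"version\":\"140-2\",\"level\":\"2\",\"plus\":false},\"iso90"
+"00Certified\":false,\"iso9000Uri\":null}]}]},{\"_type\":\"Extension\",\""
+"extnID\":{\"_type\":\"OBJECT IDENTIFIER\",\"oid\":\"2.5.29.15\",\"componen"
+"ts\":[2,5,29,15],\"name\":\"id-x509-ce-keyUsage\"},\"critical\":true,\"e"
+"xtnValue\":\"03020520\",\"_extnValue_choice\":\"\",\"_extnValue\":[\"keyEn"
+"cipherment\"]},{\"_type\":\"Extension\",\"extnID\":{\"_type\":\"OBJECT IDE"
+"NTIFIER\",\"oid\":\"2.5.29.19\",\"components\":[2,5,29,19],\"name\":\"id-x"
+"509-ce-basicConstraints\"},\"critical\":true,\"extnValue\":\"3000\",\"_e"
+"xtnValue_choice\":\"\",\"_extnValue\":{\"_type\":\"BasicConstraints\",\"cA"
+"\":false,\"pathLenConstraint\":null}},{\"_type\":\"Extension\",\"extnID\""
+":{\"_type\":\"OBJECT IDENTIFIER\",\"oid\":\"2.5.29.37\",\"components\":[2,"
+"5,29,37],\"name\":\"id-x509-ce-extKeyUsage\"},\"critical\":false,\"extn"
+"Value\":\"300706056781050801\",\"_extnValue_choice\":\"\",\"_extnValue\":"
+"[{\"_type\":\"OBJECT IDENTIFIER\",\"oid\":\"2.23.133.8.1\",\"components\":"
+"[2,23,133,8,1],\"name\":\"tcg-kp-EKCertificate\"}]},{\"_type\":\"Extens"
+"ion\",\"extnID\":{\"_type\":\"OBJECT IDENTIFIER\",\"oid\":\"1.3.6.1.5.5.7."
+"1.1\",\"components\":[1,3,6,1,5,5,7,1,1],\"name\":\"id-pkix-pe-authori"
+"tyInfoAccess\"},\"critical\":false,\"extnValue\":\"303C303A06082B06010"
+"505073002862E687474703A2F2F7365637572652E676C6F62616C7369676E2E6"
+"36F6D2F73746D74706D656B696E7430352E637274\",\"_extnValue_choice\":\""
+"\",\"_extnValue\":[{\"_type\":\"AccessDescription\",\"accessMethod\":{\"_t"
+"ype\":\"OBJECT IDENTIFIER\",\"oid\":\"1.3.6.1.5.5.7.48.2\",\"components\""
+":[1,3,6,1,5,5,7,48,2],\"name\":\"id-pkix-ad-caIssuers\"},\"accessLoca"
+"tion\":{\"_choice\":\"uniformResourceIdentifier\",\"value\":\"http://sec"
+"ure.globalsign.com/stmtpmekint05.crt\"}}]}]},\"signatureAlgorithm\""
+":{\"_type\":\"AlgorithmIdentifier\",\"algorithm\":{\"_type\":\"OBJECT IDE"
+"NTIFIER\",\"oid\":\"1.2.840.113549.1.1.11\",\"components\":[1,2,840,113"
+"549,1,1,11],\"name\":\"id-pkcs1-sha256WithRSAEncryption\"},\"paramete"
+"rs\":\"0500\"},\"signatureValue\":\"2048:3D4C381E5B4F1BCBE09C63D52F1F0"
+"4570CAEA142FD9CD942043B11F8E3BDCF50007AE16CF8869013041E92CDD3280"
+"BA4B51FBBD40582ED750219E261A695095674855AACEB520ADAFF9E7E908480A"
+"39CDCF900462D9171960FFE55D3AC49E8C981341BBD2EFBCC252A4C18A4F3B7C"
+"84CCE42CE70A208C84D2630A7ABFBE72D6271E75B9FF1C971D20EB3DBD763F1E"
+"04D834EAA692D2E4001BBF4730A3E3FDA9711AE386524D91C63BE0E516D00D5C"
+"6141FCCF6C539F3518E180049865BE16B69CAE1F8CB7FDC474B38F7EE56CBE7D"
+"8A89D9BA99B65D5265AEF32AA62426B10E6D75BB8677EC44F755BBC2806FD2B4"
+"E04BDF5D44259DBEAA42B6F563DF7AA7506\"}"
 };
 heim_octet_string os;
 Certificate c0, c1;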
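Review bot: The updated expectation pins only the EXPLICIT-tagged sample certificate; there is no second vector with a profile-conforming IMPLICIT encoding, so this test cannot show whether such a certificate is now rejected or silently misread by the decoder. The old value makes the mechanism visible and is worth recording: `655617` is 0x0A0101, which is presumably the ENUMERATED tag, length and value that an EXPLICIT [0] wraps, swallowed whole as the INTEGER content when the field was decoded as IMPLICIT (likewise `655616` = 0x0A0100 for the two location fields). A short comment above the expected string, `/* ekGenerationType etc. must decode to small enumerated values, not 0x0A01xx; see the EXPLICIT tags on TPMSecurityAssertions */`, would spare the next reader that derivation. test_ios begins before this hunk.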


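--- a/<asn1-module-path-not-shown>
+++ b/<asn1-module-path-not-shown>
@@ -863,13 +863,14 @@ TPMVersion ::= INTEGER { tpm-v1(0) }
 TPMSecurityAssertions ::= SEQUENCE {
 version TPMVersion DEFAULT 0, -- v1
 fieldUpgradable BOOLEAN DEFAULT FALSE,
-ekGenerationType [0] IMPLICIT EKGenerationType OPTIONAL,
-ekGenerationLocation [1] IMPLICIT EKGenerationLocation OPTIONAL,
-ekCertificateGenerationLocation [2] IMPLICIT EKCertificateGenerationLocation OPTIONAL,
--- These two are marked IMPLICIT, but...
-ccInfo [3] CommonCriteriaMeasures OPTIONAL,
-fipsLevel [4] FIPSLevel OPTIONAL,
-iso9000Certified [5] IMPLICIT BOOLEAN DEFAULT FALSE,
+-- The TCG EK cert profile spec says all these context tags are IMPLICIT,
+-- but samples in the field have them as EXPLICIT.
+ekGenerationType [0] EXPLICIT EKGenerationType OPTIONAL,
+ekGenerationLocation [1] EXPLICIT EKGenerationLocation OPTIONAL,
+ekCertificateGenerationLocation [2] EXPLICIT EKCertificateGenerationLocation OPTIONAL,
+ccInfo [3] EXPLICIT CommonCriteriaMeasures OPTIONAL,
+fipsLevel [4] EXPLICIT FIPSLevel OPTIONAL,
+iso9000Certified [5] EXPLICIT BOOLEAN DEFAULT FALSE,
 iso9000Uri IA5String OPTIONAL, -- (SIZE (1..URIMAX))
 ...
 }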
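Review bot: Making `[0]` through `[5]` EXPLICIT means a certificate that follows the profile literally (IMPLICIT tags, bare content inside the context tag) can no longer be decoded by this type, because the decoder will now expect a nested tag and length inside each context tag; the new comment records the discrepancy but neither that consequence nor the evidence behind the choice. Suggest extending it: `-- Decoding the sample cert as IMPLICIT yielded ekGenerationType 0x0A0101, the ENUMERATED TLV that an EXPLICIT [0] wraps, so the field-observed encoding is EXPLICIT.` The previous comment's "These two are marked IMPLICIT, but..." hint is dropped here, so the rationale should live in the new comment. If both encodings ever need to be accepted, a single SEQUENCE cannot express that; it would take a second decode attempt at the call site or a parallel type, and this commit does not add either, so the comment should state that rejecting spec-literal encodings is deliberate.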