In preparation for adding support for TPM attestations as an authentication method in bx509d for a host trust bootstrap mechanism based on TPMs and their endorsement keys and endorsement key certificates. The plan is to add support to libhx509 and hxtool for PermanentIdentifier (RFC4043) and HardwareModuleName (RFC4108) SANs, and then to add a query parameter to bx509d for passing an attestation and a proof-of-possession (either CMS or CSR), and add an authorizer plugin call for authorizing a device manufacturer and serial number to hostname. Support for TPMs w/o endorsement key certificates should also be possible based on a digest of the endorsement key as the "serial number".
31 lines
1018 B
Groff
PKIXpermanentidentifier88 {iso(1) identified-organization(3) dod(6)
    internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
    id-mod-perm-id-88(28) }

DEFINITIONS EXPLICIT TAGS ::=

BEGIN

-- EXPORTS ALL --

-- IMPORTS id-pkix FROM rfc2459; but asn1_compile doesn't handle this

-- Permanent identifier Object Identifier and Syntax

id-on OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
    dod(6) internet(1) security(5) mechanisms(5) pkix(7) 8 }

id-on-permanentIdentifier OBJECT IDENTIFIER ::= { id-on 3 }

PermanentIdentifier ::= SEQUENCE {
    identifierValue UTF8String OPTIONAL,
        -- if absent, use the serialNumber attribute
        -- if there is a single such attribute present
        -- in the subject DN
    assigner OBJECT IDENTIFIER OPTIONAL
        -- if absent, the assigner is
        -- the certificate issuer
}

END
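The module above only declares the syntax; as an added example (not code from the Heimdal commit or from libhx509), the following Python encodes and decodes a PermanentIdentifier in DER, wraps it as a GeneralName otherName under id-on-permanentIdentifier, and applies the two defaults the module comments describe. It assumes a hand-written, stdlib-only DER encoder in place of asn1_compile-generated code, and `resolve_permanent_identifier` is a hypothetical helper; the identifier values and OIDs used as inputs are constructed samples.

```python
# RFC 4043 PermanentIdentifier with a hand-written, stdlib-only DER encoder
# (an assumption of this example; Heimdal uses asn1_compile-generated code).
ID_ON_PERMANENT_IDENTIFIER = "1.3.6.1.5.5.7.8.3"  # { id-on 3 }, id-on = 1.3.6.1.5.5.7.8
TAG_OID, TAG_UTF8STRING, TAG_SEQUENCE, TAG_CTX0 = 0x06, 0x0C, 0x30, 0xA0

def _der_length(n):
    # Short form below 128; long form is 0x80 | octet count, then big-endian length
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _der_length(len(body)) + body

def _read_tlv(buf, offset):
    # Returns (tag, contents, offset of the next element); rejects truncated data
    tag, first = buf[offset], buf[offset + 1]
    if first < 0x80:
        length, header = first, 2
    else:
        n = first & 0x7F
        length, header = int.from_bytes(buf[offset + 2:offset + 2 + n], "big"), 2 + n
    start = offset + header
    if start + length > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[start:start + length], start + length

def _encode_oid_body(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    values = [40 * arcs[0] + arcs[1]] + arcs[2:]  # first two arcs share one value
    out = bytearray()
    for v in values:  # base-128, high bit set on every octet but the last
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append((v & 0x7F) | 0x80)
            v >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def _decode_oid_body(body):
    arcs, v = [], 0
    for b in body:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    first = arcs[0]
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])

def encode_permanent_identifier(identifier_value=None, assigner=None):
    # SEQUENCE { identifierValue UTF8String OPTIONAL, assigner OBJECT IDENTIFIER OPTIONAL }
    body = b""
    if identifier_value is not None:
        body += _tlv(TAG_UTF8STRING, identifier_value.encode("utf-8"))
    if assigner is not None:
        body += _tlv(TAG_OID, _encode_oid_body(assigner))
    return _tlv(TAG_SEQUENCE, body)

def decode_permanent_identifier(der):
    tag, body, end = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    result, off = {"identifierValue": None, "assigner": None}, 0
    if off < len(body) and body[off] == TAG_UTF8STRING:
        _, value, off = _read_tlv(body, off)
        result["identifierValue"] = value.decode("utf-8")
    if off < len(body) and body[off] == TAG_OID:
        _, value, off = _read_tlv(body, off)
        result["assigner"] = _decode_oid_body(value)
    if off != len(body):
        raise ValueError("unexpected trailing element in PermanentIdentifier")
    return result

def encode_other_name(pi_der):
    # GeneralName otherName: [0] IMPLICIT SEQUENCE { type-id OID, value [0] EXPLICIT ANY }
    inner = _tlv(TAG_OID, _encode_oid_body(ID_ON_PERMANENT_IDENTIFIER))
    return _tlv(TAG_CTX0, inner + _tlv(TAG_CTX0, pi_der))

def decode_other_name(der):
    # Check the type-id before interpreting the value as a PermanentIdentifier
    tag, body, _ = _read_tlv(der, 0)
    if tag != TAG_CTX0:
        raise ValueError("not an otherName GeneralName")
    tag, oid, off = _read_tlv(body, 0)
    if tag != TAG_OID or _decode_oid_body(oid) != ID_ON_PERMANENT_IDENTIFIER:
        raise ValueError("otherName type-id is not id-on-permanentIdentifier")
    tag, value, _ = _read_tlv(body, off)
    if tag != TAG_CTX0:
        raise ValueError("otherName value is not [0] EXPLICIT")
    return decode_permanent_identifier(value)

def resolve_permanent_identifier(pi, subject_serial_numbers, issuer_dn):
    # Hypothetical helper applying the module's defaults: a missing identifierValue
    # falls back to the subject serialNumber only when exactly one is present, and
    # a missing assigner means the certificate issuer.
    value = pi["identifierValue"]
    if value is None:
        if len(subject_serial_numbers) != 1:
            raise ValueError("identifierValue absent and subject serialNumber not unique")
        value = subject_serial_numbers[0]
    assigner = pi["assigner"] if pi["assigner"] is not None else issuer_dn
    return value, assigner
```

`encode_permanent_identifier("abc", "1.3.6.1.5.5.7.8.3")` yields the 17-byte DER `30 0f 0c 03 61 62 63 06 08 2b 06 01 05 05 07 08 03`; a relying party matching a device should compare the (value, assigner) pair that `resolve_permanent_identifier` returns, never the identifierValue alone, since the same string under two assigners names two different devices.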