Add software-enforced android-key test vector#2397
Open
Unknown-Robot wants to merge 2 commits into
Open
Conversation
The `softwareEnforced` and `teeEnforced` values in the `attestation` extension (OID `1.3.6.1.4.1.11129.2.1.17`) of the generated certificate are currently empty sequences. However, the WebAuthn Level 3 specification (Verification Procedure for Android Key Attestation) mandates verifying that: - The value in the `AuthorizationList.origin` field is equal to `KM_ORIGIN_GENERATED`. - The value in the `AuthorizationList.purpose` field is equal to `KM_PURPOSE_SIGN`. This commit populates the `teeEnforced` list with these mandatory fields to ensure the test vector complies with the verification procedure for hardware-backed keys.
This commit adds a dedicated test vector to allow relying parties to test the rejection of software-backed keys when a Trusted Execution Environment (TEE) is strictly required.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Context
This PR adds a dedicated test vector to allow relying parties to test the rejection of software-backed
keys when a Trusted Execution Environment (TEE) is strictly required.
The WebAuthn Level 3 specification (Verification Procedure for Android Key Attestation) mandates:
Changes
webauthn-test-vectors.pyto dynamically inject theAuthorizationListinto either thesoftwareEnforcedorhardwareEnforcedsequence based on anenforcementargument.Notes to Maintainers
My previous contribution (PR [#2379]) which added the base
teeEnforcedandsoftwareEnforcedstructures was merged intoL3-CR. Since that code has not yet been merged tomain, this PR includes those base ASN.1 structures alongside the newsoftwareEnforcedtest vector, targetingmain.