Skip to content

Add software-enforced android-key test vector#2397

Open
Unknown-Robot wants to merge 2 commits into
w3c:mainfrom
Unknown-Robot:feat/android-key-software-enforcement
Open

Add software-enforced android-key test vector#2397
Unknown-Robot wants to merge 2 commits into
w3c:mainfrom
Unknown-Robot:feat/android-key-software-enforcement

Conversation

@Unknown-Robot

Copy link
Copy Markdown

Context

This PR adds a dedicated test vector to allow relying parties to test the rejection of software-backed
keys when a Trusted Execution Environment (TEE) is strictly required.

The WebAuthn Level 3 specification (Verification Procedure for Android Key Attestation) mandates:

For the following, use only the teeEnforced authorization list if the RP wants to accept only keys from a trusted execution environment, otherwise use the union of teeEnforced and softwareEnforced.

Changes

  • Updated webauthn-test-vectors.py to dynamically inject the AuthorizationList into either the softwareEnforced or hardwareEnforced sequence based on an enforcement argument.

Notes to Maintainers

My previous contribution (PR [#2379]) which added the base teeEnforced and softwareEnforced structures was merged into L3-CR. Since that code has not yet been merged to main, this PR includes those base ASN.1 structures alongside the new softwareEnforced test vector, targeting main.

The `softwareEnforced` and `teeEnforced` values in the `attestation` extension (OID `1.3.6.1.4.1.11129.2.1.17`) of the generated certificate are currently empty sequences.

However, the WebAuthn Level 3 specification (Verification Procedure for Android Key Attestation) mandates verifying that:
- The value in the `AuthorizationList.origin` field is equal to `KM_ORIGIN_GENERATED`.
- The value in the `AuthorizationList.purpose` field is equal to `KM_PURPOSE_SIGN`.

This commit populates the `teeEnforced` list with these mandatory fields to ensure the test vector complies with the verification procedure for hardware-backed keys.
This commit adds a dedicated test vector to allow relying parties to test the rejection of software-backed keys when a Trusted Execution Environment (TEE) is strictly required.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants