Add AK cert support in VerifyAttestation #149
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
josephlr
reviewed
Dec 14, 2021
josephlr
reviewed
Dec 14, 2021
josephlr
reviewed
Dec 21, 2021
Attestation messages will use the ak_cert field as an alternative to establish trust in the quotes. The server must trust the root CAs that sign the given cert, otherwise attesation will fail. Regenerate the golang structs
Add cert field to a key, which will eventually allow users to manually set the cert (for EKs can try to fetch from the correct index). For GCE AKs, fetch the certs from the known NV indexes.
Embed known GCE root/intermediate CA certs for the server verifier to use on AK (and eventually EK) certs.
Add COS 85-generated attestation messages containing GCE AK certificates in the message.
VerifyAttestation can now take a pool of trusted AK cert roots and intermediates. VerifyAttestation will use these to validate a given ak_cert passed in the Attestation message. If validation is successful, VerifyAttestation will use then continue to validate the quote against the AK in the certificate.
Update names per code review and fetch the EK certs for known RSA and ECC certificates.
Signed-off-by: Joe Richey <joerichey@google.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
client: Added a cert field to client.Key and ak_cert to
Attestation. Eventually, users will be able to manually add a cert and we can add support for fetching EK certs from the known index. For GCE AKs, this fetches the cert from the known NV indexes.server: VerifyAttestation now takes in a Root and Intermediate CertPool. Used to verify the ak_cert against trusted CAs.
This adds a dependency on https://pkg.go.dev/github.com/google/certificate-transparency-go/x509 due to a different SAN extension and unknown OID extended key usage for EKs/AKs.