Key attestation support for cloud secure area keys. #777
Conversation
sorotokin
force-pushed
the
cloud-secure-area-attestation
branch
from
aa6eec9 to
3055c5a
Compare
| nonce: String, | ||
| trustedRootKeys: Set<ByteString> | ||
| ) { | ||
| val x509Certs = chain.certificates |
There was a problem hiding this comment.
Optional:
We have this same code block in validateKeyAttestation (and several other functions, such as validateCloudBindingKeyAttestation). Could we move it into a shared verifyCertChain function?
Actually, it looks like most of this is identical to validateCloudBindingKeyAttestation (except for some handling of the root cert). Is there a clean way to move most of it to shared functions?
There was a problem hiding this comment.
Factored out verifyCertChain. Extension processing is going probably to be more sophisticated and different for different attestations (we need to extract some data as we validate as well). For iOS it will probably be a different format (not a cert chain) altogether. Not sure how much more common we want this to be.
Signed-off-by: Peter Sorotokin <[email protected]>
sorotokin
force-pushed
the
cloud-secure-area-attestation
branch
from
3055c5a to
36e8e61
Compare
Support openid4vci key attestations for cloud secure area.
Follow the logic for Android key attestations.
Other options considered: let cloud secure area create openid4vci-compatible attestation JWT. Rejected because we would need to modify CSA APIs to specifically accommodate openid4vci parameters (i.e. client id) and idiosyncrasies (i.e. openid4vci attestations are per-batch, not per-key).
Tested with both cloud and android keys.