Re: [webauthn] Add packed attestation optional firmware version attribute (#1953)

Here is an example with all three extensions, as I understand their specification:

- `1.3.6.1.4.1.45724.1.1.2` (`id-fido-gen-ce-sernum`)
- `1.3.6.1.4.1.45724.1.1.4` (`id-fido-gen-ce-aaguid`)
- `1.3.6.1.4.1.45724.1.1.5` (`id-fido-gen-ce-fw-version`)

```
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 16909060 (0x1020304)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Example attestation certificate
        Validity
            Not Before: Aug  1 00:00:00 2014 GMT
            Not After : Sep  4 00:00:00 2050 GMT
        Subject: C = US, O = WebAuthn WG, CN = Attestation example
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:79:ea:3b:2c:7c:49:70:10:62:23:0c:d2:3f:eb:
                    60:e5:29:31:71:d4:83:f1:00:be:85:9d:6b:0f:83:
                    97:03:01:b5:46:cd:d4:6e:cf:ca:e3:e3:f3:0f:81:
                    e9:ed:62:bd:26:8d:4c:1e:bd:37:b3:bc:be:92:a8:
                    c2:ae:eb:4e:3a
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            1.3.6.1.4.1.45724.1.1.2: 
                ..k.[}..e
            1.3.6.1.4.1.45724.1.1.4: 
                ....9\&...e;.y}..<
            1.3.6.1.4.1.45724.1.1.5: 
                ..*
            X509v3 Basic Constraints: critical
                CA:FALSE
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        97:9d:03:97:d8:60:f8:2e:e1:5d:31:1c:79:6e:ba:fb:22:fa:
        a7:e0:84:d9:ba:b4:c6:1b:bb:57:f3:e6:b4:c1:8a:48:37:b8:
        5c:3c:4e:db:e4:83:43:f4:d6:a5:d9:b1:ce:da:8a:e1:fe:d4:
        91:29:21:73:05:8e:5e:e1:cb:dd:6b:da:c0:75:57:c6:a0:e8:
        d3:68:25:ba:15:9e:7f:b5:ad:8c:da:f8:04:86:8c:f9:0e:8f:
        1f:8a:ea:17:c0:16:b5:5c:2a:7a:d4:97:c8:94:fb:71:d7:53:
        d7:9b:9a:48:4b:6c:37:6d:72:3b:99:8d:2e:1d:43:06:bf:10:
        33:b5:ae:f8:cc:a5:cb:b2:56:8b:69:24:22:6d:22:a3:58:ab:
        7d:87:e4:ac:5f:2e:09:1a:a7:15:79:f3:a5:69:09:49:7d:72:
        f5:4e:06:ba:c1:c3:b4:41:3b:ba:5e:af:94:c3:b6:4f:34:f9:
        eb:a4:1a:cb:6a:e2:83:77:6d:36:46:53:78:48:fe:e8:84:bd:
        dd:f5:b1:ba:57:98:54:cf:fd:ce:ba:c3:44:05:95:27:e5:6d:
        d5:98:f8:f5:66:71:5a:be:43:01:dd:19:11:30:e6:b9:f0:c6:
        40:39:12:53:e2:29:80:3f:3a:ef:27:4b:ed:bf:de:3f:cb:bd:
        42:ea:d6:79
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
```

Case in point: while making this example, I too forgot at first to wrap the `id-fido-gen-ce-sernum` extension value in two layers of OCTET STRING, not just one. :smile:

Here are the extensions formatted similarly to the current `id-fido-gen-ce-aaguid` example:

```
30  18                                      -- SEQUENCE
  06  0b  2b 06 01 04 01 82 e5 1c 01 01 02  -- OID 1.3.6.1.4.1.45724.1.1.2
  04  09                                    -- OCTET STRING
    04  07                                  -- OCTET STRING
      6b 10 5b 7d b6 fc 65                  -- Serial number: 30135807645252709

30  21                                      -- SEQUENCE
  06  0b  2b 06 01 04 01 82 e5 1c 01 01 04  -- OID 1.3.6.1.4.1.45724.1.1.4
  04  12                                    -- OCTET STRING
    04  10                                  -- OCTET STRING
      cd 8c 39 5c 26 ed ee de               -- AAGUID: cd8c395c-26ed-eede-653b-00797d03ca3c
      65 3b 00 79 7d 03 ca 3c

30  12                                      -- SEQUENCE
  06  0b  2b 06 01 04 01 82 e5 1c 01 01 05  -- OID 1.3.6.1.4.1.45724.1.1.5
  04  03                                    -- OCTET STRING
    02  01                                  -- INTEGER
        2a                                  -- Firmware version: 42
```

The serial number example assumes the answer to [my question about serial number format](https://github.com/w3c/webauthn/pull/1954/files#r1311514087) is that serial numbers are positive integers represented in big-endian two's complement notation (but of any length), not opaque byte strings.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1953#issuecomment-1740742591 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Friday, 29 September 2023 11:31:20 UTC
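As an added example, not code from emlun's comment, the pull request, or the WebAuthn specification: a dependency-free Python DER reader that decodes the three extension encodings laid out above. The byte strings are the ones from the comment, embedded here as constructed input; the function names (`read_tlv`, `decode_oid`, `decode_extension`) are mine. The serial-number branch follows the assumption stated in the comment (a positive big-endian two's complement integer of any length inside a second OCTET STRING), so an encoding that omits the inner OCTET STRING, the mistake the comment mentions, is rejected rather than silently decoded.

```python
# Added example, not part of the original comment or the WebAuthn spec.
# Minimal DER reader for the id-fido-gen-ce-sernum / -aaguid / -fw-version
# extensions as encoded in the comment above. Standard library only.
import uuid

OID_SERNUM = "1.3.6.1.4.1.45724.1.1.2"
OID_AAGUID = "1.3.6.1.4.1.45724.1.1.4"
OID_FW_VERSION = "1.3.6.1.4.1.45724.1.1.5"

# Constructed input: the three Extension SEQUENCEs exactly as listed in the comment.
SERNUM_EXT = bytes.fromhex("3018 060b 2b0601040182e51c010102 0409 0407 6b105b7db6fc65")
AAGUID_EXT = bytes.fromhex("3021 060b 2b0601040182e51c010104 0412 0410"
                           "cd8c395c26edeede653b00797d03ca3c")
FW_EXT = bytes.fromhex("3012 060b 2b0601040182e51c010105 0403 0201 2a")
# Constructed input reproducing the mistake from the comment: only one OCTET
# STRING layer around the serial number (outer length shrinks by 2).
SERNUM_EXT_SINGLE_WRAP = bytes.fromhex("3016 060b 2b0601040182e51c010102 0407 6b105b7db6fc65")


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:end], end


def decode_oid(value):
    """Dotted-string form of an OBJECT IDENTIFIER's content octets."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # last base-128 digit of this arc
            arcs.append(acc)
            acc = 0
    if acc:
        raise ValueError("OID ends mid-arc")
    return ".".join(str(a) for a in arcs)


def decode_extension(der):
    """Parse one X.509 Extension SEQUENCE; return (oid, critical, decoded value)."""
    tag, body, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    tag, oid_bytes, pos = read_tlv(body)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    oid = decode_oid(oid_bytes)
    tag, value, pos = read_tlv(body, pos)
    critical = False
    if tag == 0x01:  # optional BOOLEAN critical DEFAULT FALSE
        critical = value != b"\x00"
        tag, value, pos = read_tlv(body, pos)
    if tag != 0x04 or pos != len(body):
        raise ValueError("expected extnValue OCTET STRING as last element")
    # extnValue's content octets are themselves a complete DER encoding.
    inner_tag, inner, inner_end = read_tlv(value)
    if inner_end != len(value):
        raise ValueError("trailing bytes inside extnValue")
    if oid == OID_SERNUM:
        # Assumption from the comment: second OCTET STRING holding a positive
        # big-endian two's complement integer of any length.
        if inner_tag != 0x04:
            raise ValueError("serial number must be wrapped in an inner OCTET STRING")
        decoded = int.from_bytes(inner, "big", signed=True)
        if decoded < 0:
            raise ValueError("serial number must be positive")
    elif oid == OID_AAGUID:
        if inner_tag != 0x04 or len(inner) != 16:
            raise ValueError("AAGUID must be a 16-byte inner OCTET STRING")
        decoded = str(uuid.UUID(bytes=inner))
    elif oid == OID_FW_VERSION:
        if inner_tag != 0x02:
            raise ValueError("firmware version must be an INTEGER")
        decoded = int.from_bytes(inner, "big", signed=True)
    else:
        decoded = inner  # unknown extension: hand back the raw inner bytes
    return oid, critical, decoded


if __name__ == "__main__":
    for ext in (SERNUM_EXT, AAGUID_EXT, FW_EXT):
        print(decode_extension(ext))
```

Running the block prints the serial number 30135807645252709, the AAGUID cd8c395c-26ed-eede-653b-00797d03ca3c and firmware version 42, the same values annotated in the comment; feeding it `SERNUM_EXT_SINGLE_WRAP` raises `ValueError`, because the bytes `6b 10 5b ...` parsed as a TLV claim a length the value cannot satisfy.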