Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Change PKI so that attestation certs are fully compliant. #668

Merged
merged 4 commits into from
Dec 18, 2023
Merged

Change PKI so that attestation certs are fully compliant. #668

merged 4 commits into from
Dec 18, 2023

Conversation

jmichelp
Copy link
Collaborator

Fixes #457

Initially we generated the smallest certificate possible.
Unfortunately sometimes attestation certificates are thoroughly checked and the FIDO x509v3 extensions must be present.
This PR now creates a PKI (root CA and signing CA) with corresponding CRLs and also allows to create multiple batch certificates for the keys instead of a single one.
The latest generated batch cert/key is automatically symlinked so that the previous documentation still holds.

  • Local tests pass (running run_desktop_tests.sh)
  • Tested against boards
    • Nordic nRF52840 DK
    • Nordic nRF52840 Dongle (JTAG programmed)
    • Nordic nRF52840 Dongle (DFU programmed)
    • Makerdiary nRF52840 MDK USB Dongle
  • Appropriate changes to README are included in PR

@jmichelp
Change PKI so that attestation certs are fully compliant.
33e24e1 
Initially we generated the smallest certificate possible.
Unfortunately sometimes attestation certificates are
thoroughly checked and the FIDO x509v3 extensions must be present.
This PR now creates a PKI (root CA and signing CA) with corresponding
CRLs and also allows to create multiple batch certificates for the keys
instead of a single one.
The latest generated batch cert/key is automatically symlinked so that
the previous documentation still holds.
@jmichelp
Change openssl options to support older versions
69026f1
@jmichelp
OSX doesn't support long options
a3967bb
@coveralls
Copy link

Coverage Status

coverage: 96.323% (+0.004%) from 96.319%
when pulling a3967bb on jmichelp:develop
into af76345 on google:develop.

@kaczmarczyck kaczmarczyck linked an issue Dec 15, 2023 that may be closed by this pull request
Create correct certificates #457
Closed
@kaczmarczyck
Copy link
Collaborator

I tested on the dev board, with batch attestation enabled. No regressions.

@kaczmarczyck kaczmarczyck merged commit 6b8aa3a into google:develop Dec 18, 2023
9 checks passed
@kaczmarczyck kaczmarczyck mentioned this pull request Dec 18, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kaczmarczyck kaczmarczyck kaczmarczyck approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Create correct certificates
3 participants
@jmichelp @coveralls @kaczmarczyck