search

fdo-rs / fido-device-onboard-rs

An implementation of the FIDO Device Onboard (FDO) spec written in Rust.
BSD 3-Clause "New" or "Revised" License
58 stars 32 forks source link

Fix hashing of Device Certificate Chain in Ownership Voucher #601

Closed ben-krieger closed 7 months ago

ben-krieger commented 7 months ago

The specification states that “OVDevCertChainHash is the Hash of the concatenation of the contents of each byte string in OwnershipVoucher.OVDevCertChain, in the presented order."

The current behavior is to serialize the X5CHAIN to CBOR (i.e. [ bstr[cert1] ... bstr[certN] ] instead of cert1 || ... || certN).

See https://fidoalliance.org/specs/FDO/FIDO-Device-Onboard-PS-v1.1-20220419/FIDO-Device-Onboard-PS-v1.1-20220419.html#OwnershipVoucher

BREAKING CHANGE: The device certificate chain hash in ownership voucher is now calculated from the concatenation of certificate ASN.1 DER contents rather than the CBOR serialization of an array of byte strings.

ben-krieger commented 7 months ago

Two additional points:

  1. I couldn't find any code that performed device certificate chain hash verification for the ownership voucher. If I missed it, it may need updating. (And if it doesn't exist, maybe it should?)
  2. This still doesn't properly cover the fact that a null certificate chain should be encoded as CBOR null. I don't think this missing case matters, though, because a null certificate chain is only for Intel EPID and similar device identities, which this library does not support.