Open jritter opened 6 months ago
debug-ito
commented
4 weeks ago I encounter this bug, too. If I let manufacturer-server extend the OV (by setting owner_cert_path and manufacturer_private_key config items), the owner-onboarding-server's directory module was able to parse it.
So, maybe this is a bug in fdo-owner-tool...
debug-ito
commented
4 weeks ago I think I found the cause. Looks like fdo-owner-tool extend-ownership-voucher command writes the result in PEM format, regardless of the format of the input OV. To import the OV to the owner onboarding server, you need to convert it into COSE format.
$ fdo-owner-tool dump-ownership-voucher --outform cose extended-ov > extended-ov.coseThe owner onboarding server was able to parse the extended-ov.cose.
Problem
I was unable to onboard devices after extending the Owner Voucher ownership. After some digging, I found the following trace message in the owner-onboarding-server:
2024-03-24T15:37:40.059Z TRACE fdo_store::directory > Error deserializing data "/etc/fdo/stores/owner_vouchers/b1413d43-2572-45bf-31e2-c0b80231feb5": Array parse error: Invalid top level type encountered: must be array (was Negative)How to reproduce
fdo-admin-tool generate-key-and-certfdo-owner-tool extend-ownership-voucher --current-owner-private-key <path-to-owner-key-set-A> --new-owner-cert <path-to-owner-cert-set-B>If the voucher is located in a directory that is polled by the owner-onboarding-server, the following message appears:
2024-03-24T15:37:40.059Z TRACE fdo_store::directory > Error deserializing data "/etc/fdo/stores/owner_vouchers/b1413d43-2572-45bf-31e2-c0b80231feb5": Array parse error: Invalid top level type encountered: must be array (was Negative)The device doesn't get registered to the rendez-vous server, and the onboarding therefore fails.