Open jritter opened 6 months ago
I encounter this bug, too. If I let manufacturer-server extend the OV (by setting owner_cert_path
and manufacturer_private_key
config items), the owner-onboarding-server's directory module was able to parse it.
So, maybe this is a bug in fdo-owner-tool...
I think I found the cause. Looks like fdo-owner-tool extend-ownership-voucher
command writes the result in PEM format, regardless of the format of the input OV. To import the OV to the owner onboarding server, you need to convert it into COSE format.
$ fdo-owner-tool dump-ownership-voucher --outform cose extended-ov > extended-ov.cose
The owner onboarding server was able to parse the extended-ov.cose.
Problem
I was unable to onboard devices after extending the Owner Voucher ownership. After some digging, I found the following trace message in the owner-onboarding-server:
2024-03-24T15:37:40.059Z TRACE fdo_store::directory > Error deserializing data "/etc/fdo/stores/owner_vouchers/b1413d43-2572-45bf-31e2-c0b80231feb5": Array parse error: Invalid top level type encountered: must be array (was Negative)
How to reproduce
fdo-admin-tool generate-key-and-cert
fdo-owner-tool extend-ownership-voucher --current-owner-private-key <path-to-owner-key-set-A> --new-owner-cert <path-to-owner-cert-set-B>
If the voucher is located in a directory that is polled by the owner-onboarding-server, the following message appears:
2024-03-24T15:37:40.059Z TRACE fdo_store::directory > Error deserializing data "/etc/fdo/stores/owner_vouchers/b1413d43-2572-45bf-31e2-c0b80231feb5": Array parse error: Invalid top level type encountered: must be array (was Negative)
The device doesn't get registered to the rendez-vous server, and the onboarding therefore fails.