Closed 424778940z closed 4 years ago
You can use openssl to generate your own attestation certificate. It's an X.509 cert. The only thing you have to note is to use the NIST P256 curve.
Here is the openssl output for the example certificate I used in this project:
openssl asn1parse -inform DER -in FIDO-attestation_cert.der
0:d=0 hl=4 l= 316 cons: SEQUENCE
4:d=1 hl=3 l= 228 cons: SEQUENCE
7:d=2 hl=2 l= 3 cons: cont [ 0 ]
9:d=3 hl=2 l= 1 prim: INTEGER :02
12:d=2 hl=2 l= 10 prim: INTEGER :47901280001155957352
24:d=2 hl=2 l= 10 cons: SEQUENCE
26:d=3 hl=2 l= 8 prim: OBJECT :ecdsa-with-SHA256
36:d=2 hl=2 l= 23 cons: SEQUENCE
38:d=3 hl=2 l= 21 cons: SET
40:d=4 hl=2 l= 19 cons: SEQUENCE
42:d=5 hl=2 l= 3 prim: OBJECT :commonName
47:d=5 hl=2 l= 12 prim: PRINTABLESTRING :Gnubby Pilot
61:d=2 hl=2 l= 30 cons: SEQUENCE
63:d=3 hl=2 l= 13 prim: UTCTIME :120814182932Z
78:d=3 hl=2 l= 13 prim: UTCTIME :130814182932Z
93:d=2 hl=2 l= 49 cons: SEQUENCE
95:d=3 hl=2 l= 47 cons: SET
97:d=4 hl=2 l= 45 cons: SEQUENCE
99:d=5 hl=2 l= 3 prim: OBJECT :commonName
104:d=5 hl=2 l= 38 prim: PRINTABLESTRING :PilotGnubby-0.4.1-47901280001155957352
144:d=2 hl=2 l= 89 cons: SEQUENCE
146:d=3 hl=2 l= 19 cons: SEQUENCE
148:d=4 hl=2 l= 7 prim: OBJECT :id-ecPublicKey
157:d=4 hl=2 l= 8 prim: OBJECT :prime256v1
167:d=3 hl=2 l= 66 prim: BIT STRING
235:d=1 hl=2 l= 10 cons: SEQUENCE
237:d=2 hl=2 l= 8 prim: OBJECT :ecdsa-with-SHA256
247:d=1 hl=2 l= 71 prim: BIT STRING
openssl x509 -inform DER -in FIDO-attestation_cert.der -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
47:90:12:80:00:11:55:95:73:52
Signature Algorithm: ecdsa-with-SHA256
Issuer: CN = Gnubby Pilot
Validity
Not Before: Aug 14 18:29:32 2012 GMT
Not After : Aug 14 18:29:32 2013 GMT
Subject: CN = PilotGnubby-0.4.1-47901280001155957352
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:8d:61:7e:65:c9:50:8e:64:bc:c5:67:3a:c8:2a:
67:99:da:3c:14:46:68:2c:25:8c:46:3f:ff:df:58:
df:d2:fa:3e:6c:37:8b:53:d7:95:c4:a4:df:fb:41:
99:ed:d7:86:2f:23:ab:af:02:03:b4:b8:91:1b:a0:
56:99:94:e1:01
ASN1 OID: prime256v1
NIST CURVE: P-256
Signature Algorithm: ecdsa-with-SHA256
30:44:02:20:60:cd:b6:06:1e:9c:22:26:2d:1a:ac:1d:96:d8:
c7:08:29:b2:36:65:31:dd:a2:68:83:2c:b8:36:bc:d3:0d:fa:
02:20:63:1b:14:59:f0:9e:63:30:05:57:22:c8:d8:9b:7f:48:
88:3b:90:89:b8:8d:60:d1:d9:79:59:02:b3:04:10:df
-----BEGIN CERTIFICATE-----
MIIBPDCB5KADAgECAgpHkBKAABFVlXNSMAoGCCqGSM49BAMCMBcxFTATBgNVBAMT
DEdudWJieSBQaWxvdDAeFw0xMjA4MTQxODI5MzJaFw0xMzA4MTQxODI5MzJaMDEx
LzAtBgNVBAMTJlBpbG90R251YmJ5LTAuNC4xLTQ3OTAxMjgwMDAxMTU1OTU3MzUy
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEjWF+ZclQjmS8xWc6yCpnmdo8FEZo
LCWMRj//31jf0vo+bDeLU9eVxKTf+0GZ7deGLyOrrwIDtLiRG6BWmZThATAKBggq
hkjOPQQDAgNHADBEAiBgzbYGHpwiJi0arB2W2McIKbI2ZTHdomiDLLg2vNMN+gIg
YxsUWfCeYzAFVyLI2Jt/SIg7kIm4jWDR2XlZArMEEN8=
-----END CERTIFICATE-----
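The comment above says the applet wants a plain X.509 certificate and that the one thing to get right is the P-256 curve. The following is an added example (not code from this thread or from the applet project): a small stdlib-only Python script that takes the PEM posted above, strips the armor to get the raw DER, walks the DER structure and reports the fields that matter, then checks that the key is an EC key on prime256v1. The certificate embedded below is the Gnubby Pilot example from the comment above; the OID constants are the standard X.509 values; `applet_requirements` encodes only what the thread states (P-256) plus the 65-byte uncompressed-point format that follows from a 256-bit EC key.

```python
import base64
import hashlib

# The example attestation certificate posted above (Gnubby Pilot), embedded so this runs offline.
EXAMPLE_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIBPDCB5KADAgECAgpHkBKAABFVlXNSMAoGCCqGSM49BAMCMBcxFTATBgNVBAMT
DEdudWJieSBQaWxvdDAeFw0xMjA4MTQxODI5MzJaFw0xMzA4MTQxODI5MzJaMDEx
LzAtBgNVBAMTJlBpbG90R251YmJ5LTAuNC4xLTQ3OTAxMjgwMDAxMTU1OTU3MzUy
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEjWF+ZclQjmS8xWc6yCpnmdo8FEZo
LCWMRj//31jf0vo+bDeLU9eVxKTf+0GZ7deGLyOrrwIDtLiRG6BWmZThATAKBggq
hkjOPQQDAgNHADBEAiBgzbYGHpwiJi0arB2W2McIKbI2ZTHdomiDLLg2vNMN+gIg
YxsUWfCeYzAFVyLI2Jt/SIg7kIm4jWDR2XlZArMEEN8=
-----END CERTIFICATE-----"""

OID_ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"
OID_PRIME256V1 = "1.2.840.10045.3.1.7"       # NIST P-256, the curve the thread says to use
OID_ECDSA_WITH_SHA256 = "1.2.840.10045.4.3.2"


def pem_to_der(pem):
    """Strip the PEM armor and base64-decode; the result is the raw DER the applet expects."""
    body = "".join(line.strip() for line in pem.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body)


def read_tlv(buf, off):
    """Read one DER element at buf[off]; return (tag, value, offset just past the element)."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                        # long form: 0x8N means N length bytes follow
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


def children(value):
    """Split the value of a constructed element into its child (tag, value) pairs."""
    out, off = [], 0
    while off < len(value):
        tag, val, off = read_tlv(value, off)
        out.append((tag, val))
    return out


def decode_oid(raw):
    """Decode a DER OBJECT IDENTIFIER value into dotted-decimal form."""
    parts, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                     # last base-128 digit of this arc
            parts.append(acc)
            acc = 0
    return ".".join(str(p) for p in parts)


def inspect_attestation_cert(der):
    """Pull the fields that matter for a U2F attestation cert out of its DER encoding."""
    _, cert, end = read_tlv(der, 0)
    if end != len(der):
        raise ValueError("trailing bytes after the certificate SEQUENCE")
    (_, tbs), (_, outer_alg), (_, signature) = children(cert)
    fields = children(tbs)
    i = 1 if fields[0][0] == 0xA0 else 0     # skip the explicit [0] version when present
    serial, tbs_alg = fields[i][1], fields[i + 1][1]
    subject, spki = fields[i + 4][1], fields[i + 5][1]
    (_, alg_id), (_, key_bits) = children(spki)
    key_oid, curve_oid = (decode_oid(v) for _, v in children(alg_id))
    # subject is SEQUENCE OF SET OF SEQUENCE { OID, string }; take the first RDN's value
    (_, _attr_oid), (_, cn) = children(children(children(subject)[0][1])[0][1])
    return {
        "der_length": len(der),
        "der_hex": der.hex(),                # this is the "raw hexadecimal form" of the cert
        "sha256_fingerprint": hashlib.sha256(der).hexdigest(),
        "serial_hex": serial.hex().upper(),
        "subject_cn": cn.decode("ascii"),
        "signature_algorithm": decode_oid(children(outer_alg)[0][1]),
        "tbs_signature_algorithm": decode_oid(children(tbs_alg)[0][1]),
        "key_algorithm": key_oid,
        "curve": curve_oid,
        "public_key_hex": key_bits[1:].hex(),  # drop the BIT STRING unused-bits byte
        "signature_hex": signature[1:].hex(),
    }


def applet_requirements(info):
    """Return the reasons a certificate would not satisfy the curve requirement stated in the thread."""
    problems = []
    if info["key_algorithm"] != OID_ID_EC_PUBLIC_KEY or info["curve"] != OID_PRIME256V1:
        problems.append("public key is not an EC key on NIST P-256 (prime256v1)")
    if not info["public_key_hex"].startswith("04") or len(info["public_key_hex"]) != 130:
        problems.append("public key is not an uncompressed 65-byte P-256 point")
    return problems


if __name__ == "__main__":
    info = inspect_attestation_cert(pem_to_der(EXAMPLE_CERT_PEM))
    for key, value in info.items():
        print(f"{key}: {value}")
    print("problems:", applet_requirements(info) or "none")
```

The `der_hex` field answers the question that comes up later in the thread: the hex form of the certificate is simply the whole DER file, byte for byte, so its length differs from cert to cert depending on what the issuer put in the subject and extensions.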
Hello, I would like to know how to get the raw hexadecimal form of the certificate - is it the whole ASN structure (the whole certificate file in hex string) or some part within? I am stuck with a .der certificate, unable to find out what format the applet expects...
Oh, it's just the DER representation... I was a bit confused because mine was like two times the size of the example certificate, but it had only more custom data...
Here is a quick no-frills install script for Global Platform Pro: https://gist.github.com/darconeous/adb1b2c4b15d3d8fbc72a5097270cdaf
Installs the attestation cert, too. It just uses the original Google one from the spec.
Yeah, it's DER encoded, and a nice install script. This eliminates the "scriptor" tool. This is perfect because it is not available for Windows.
Hi Tobias,
you can even shorten this when re-factoring the method to correct extended length handling:
private void handleSetAttestationCert(final APDU apdu) throws ISOException {
    final byte[] buffer = apdu.getBuffer();
    short len = apdu.setIncomingAndReceive();
    // P1||P2 carries the destination offset for chunked (short-APDU) uploads
    final short copyOffset = Util.makeShort(buffer[ISO7816.OFFSET_P1], buffer[ISO7816.OFFSET_P2]),
                ioSz = apdu.getIncomingLength();
    if (copyOffset == 0 && ioSz == attestationCertificate.length) {
        // whole certificate in one extended-length APDU: drain it in buffer-sized pieces
        // (arrayCopyNonAtomic returns destOff + length, so len tracks the bytes stored so far)
        len = Util.arrayCopyNonAtomic(buffer, apdu.getOffsetCdata(), attestationCertificate, (short) 0, len);
        while (len < ioSz) {
            len = Util.arrayCopyNonAtomic(buffer, (short) 0, attestationCertificate, len, apdu.receiveBytes((short) 0));
        }
        attestationCertificateSet = true;
    } else {
        // chunked upload: reject any chunk that would overrun the certificate buffer
        if ((short) (copyOffset + len) > attestationCertificate.length) {
            ISOException.throwIt(ISO7816.SW_WRONG_DATA);
        }
        Util.arrayCopy(buffer, apdu.getOffsetCdata(), attestationCertificate, copyOffset, len);
        if ((short) (copyOffset + len) == attestationCertificate.length) {
            attestationCertificateSet = true;
        }
    }
}
to
00A4040008A0000006472F000100
This is also part of the @c-base implementation variant, including similar refactorings to Robert's.
Best regards & greeting to BN, Christian
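To make the chunked branch of the method above concrete from the host side, here is an added example (not code from this thread, from the applet, or from the install script linked above): a Python script that splits a DER certificate into short APDUs whose P1||P2 is the destination offset, exactly as `handleSetAttestationCert` reads it, and a small Python model of that branch so the `SW_WRONG_DATA` bounds check can be exercised offline. The CLA and INS values are placeholders (the thread does not give the applet's command bytes), and `SAMPLE_CERT` is a constructed 320-byte stand-in for a real DER certificate, sized like the example certificate earlier in the thread.

```python
SW_NO_ERROR = 0x9000
SW_WRONG_DATA = 0x6A80            # ISO7816.SW_WRONG_DATA, thrown by the method above
CLA = 0x00                        # assumption: the thread does not give the applet's CLA
INS_SET_ATTESTATION_CERT = 0x01   # placeholder: the real INS is defined in the applet, not here
MAX_CHUNK = 255                   # largest Lc for a short-length APDU


def build_upload_apdus(cert_der, chunk=MAX_CHUNK):
    """Split the DER cert into APDUs; P1||P2 carries the destination offset the applet copies to."""
    apdus = []
    for off in range(0, len(cert_der), chunk):
        data = cert_der[off:off + chunk]
        header = bytes([CLA, INS_SET_ATTESTATION_CERT, (off >> 8) & 0xFF, off & 0xFF, len(data)])
        apdus.append(header + data)
    return apdus


class AttestationSlotModel:
    """Models the applet state touched by the chunked (else) branch of the method above."""

    def __init__(self, cert_size):
        self.cert = bytearray(cert_size)   # attestationCertificate, sized at applet build time
        self.is_set = False                # attestationCertificateSet

    def handle(self, apdu):
        p1, p2, lc = apdu[2], apdu[3], apdu[4]
        data = apdu[5:5 + lc]
        copy_offset = (p1 << 8) | p2       # Util.makeShort(P1, P2)
        if copy_offset + len(data) > len(self.cert):
            return SW_WRONG_DATA           # ISOException.throwIt(ISO7816.SW_WRONG_DATA)
        self.cert[copy_offset:copy_offset + len(data)] = data
        if copy_offset + len(data) == len(self.cert):
            self.is_set = True             # last chunk landed exactly on the buffer end
        return SW_NO_ERROR


def upload(slot, cert_der):
    """Send every chunk in order, stopping at the first error; return the status words seen."""
    sws = []
    for apdu in build_upload_apdus(cert_der):
        sw = slot.handle(apdu)
        sws.append(sw)
        if sw != SW_NO_ERROR:
            break
    return sws


# Constructed stand-in for a 320-byte DER certificate (not a real certificate).
SAMPLE_CERT = bytes((i * 7) & 0xFF for i in range(320))


if __name__ == "__main__":
    slot = AttestationSlotModel(320)
    print([hex(sw) for sw in upload(slot, SAMPLE_CERT)], slot.is_set, bytes(slot.cert) == SAMPLE_CERT)
    too_small = AttestationSlotModel(300)   # applet built for a shorter certificate
    print([hex(sw) for sw in upload(too_small, SAMPLE_CERT)], too_small.is_set)
```

Two things the model makes visible: the applet's buffer length is the only thing that decides whether a chunk is accepted, so a certificate that is larger than the buffer the applet was built with fails with `SW_WRONG_DATA` on the chunk that overruns it, and earlier chunks have already been written by then, so the flag stays unset and the buffer holds a partial certificate until a full upload succeeds.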
Is there a standard process for obtaining or generating the attestation certificate? Just getting into Java Cards, mainly want to use it for login to Windows lol