tweag / webauthn

A library for parsing and validating webauthn/fido2 credentials
Apache License 2.0

Implement CRL checking #23

Open infinisil opened 2 years ago

infinisil commented 2 years ago

With #11, the trust anchor for attestation will be established, comprising the certificates of each authenticator as specified by the MDS metadata service, the certificate chain used to sign the Metadata blob, along with a hardcoded root certificate for that chain. The standard specifies (rightly so) that the certificate revocation list (CRL) should be checked for each of the certificates in the chain in order to verify their integrity. However, it turns out that support for CRLs in Haskell is close to non-existent, so we need to implement that.

infinisil commented 2 years ago

One missing part is the decoding of the CRL Distribution Points extension of X.509, described in https://datatracker.ietf.org/doc/html/rfc3280.html#section-4.2.1.14, which is used to convey the URL location of CRLs. The x509 library currently has an unimplemented stub for the decoding and encoding of that. I have started implementing the decoding in https://github.com/tweag/hs-certificate/tree/crl-distribution-points, intended to be upstreamed once done.
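To make concrete what the decoder sketched in the comment above has to handle, here is an added example (not code from tweag/webauthn, from the hs-certificate branch, or from the x509 library): a minimal DER decoder in Python for the CRLDistributionPoints extension value from RFC 3280 section 4.2.1.14, extracting the uniformResourceIdentifier GeneralNames while skipping the optional reasons and cRLIssuer fields. The small DER encoder, the sample URIs and the host names are constructed here only to build test input; the names `crl_distribution_uris`, `read_tlv`, `der_tlv` and `encode_distribution_point` are this example's own.

```python
# Added example: decode the X.509 CRL Distribution Points extension value.
# RFC 3280 section 4.2.1.14 defines the structure (DER, implicit tagging):
#
#   CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
#   DistributionPoint ::= SEQUENCE {
#        distributionPoint [0] DistributionPointName OPTIONAL,
#        reasons           [1] ReasonFlags OPTIONAL,
#        cRLIssuer         [2] GeneralNames OPTIONAL }
#   DistributionPointName ::= CHOICE {
#        fullName                [0] GeneralNames,
#        nameRelativeToCRLIssuer [1] RelativeDistinguishedName }
#
# Only the uniformResourceIdentifier [6] GeneralName is extracted; the other
# optional fields are skipped rather than rejected.

TAG_SEQUENCE = 0x30
TAG_DISTRIBUTION_POINT = 0xA0  # [0] distributionPoint, constructed
TAG_REASONS = 0x81             # [1] reasons, primitive BIT STRING
TAG_FULL_NAME = 0xA0           # [0] fullName, constructed GeneralNames
TAG_URI = 0x86                 # [6] uniformResourceIdentifier, IA5String


def read_tlv(data: bytes, pos: int):
    """Decode one DER tag-length-value at data[pos]; return (tag, value, end)."""
    if pos + 2 > len(data):
        raise ValueError("truncated TLV header")
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first & 0x80:  # long form: low 7 bits give the number of length octets
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported length encoding")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    else:
        length = first
    end = pos + length
    if end > len(data):
        raise ValueError("TLV length exceeds buffer")
    return tag, data[pos:end], end


def iter_tlvs(data: bytes):
    """Yield (tag, value) for each TLV packed back to back in data."""
    pos = 0
    while pos < len(data):
        tag, value, pos = read_tlv(data, pos)
        yield tag, value


def crl_distribution_uris(ext_value: bytes) -> list:
    """Return the CRL URIs found in a DER-encoded CRLDistributionPoints value."""
    tag, dps, end = read_tlv(ext_value, 0)
    if tag != TAG_SEQUENCE or end != len(ext_value):
        raise ValueError("expected a single outer SEQUENCE")
    uris = []
    for tag, dp in iter_tlvs(dps):
        if tag != TAG_SEQUENCE:
            raise ValueError("DistributionPoint must be a SEQUENCE")
        for field_tag, field in iter_tlvs(dp):
            if field_tag != TAG_DISTRIBUTION_POINT:
                continue  # reasons / cRLIssuer carry no URL
            for name_tag, names in iter_tlvs(field):
                if name_tag != TAG_FULL_NAME:
                    continue  # nameRelativeToCRLIssuer is not a URL
                for gn_tag, gn in iter_tlvs(names):
                    if gn_tag == TAG_URI:
                        uris.append(gn.decode("ascii"))
    return uris


# --- DER encoder, used here only to build constructed sample input ---------

def der_tlv(tag: int, value: bytes) -> bytes:
    """Encode a DER TLV with a definite short- or long-form length."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        nbytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nbytes)]) + nbytes
    return bytes([tag]) + length + value


def encode_distribution_point(uris, reasons=None) -> bytes:
    """Encode one DistributionPoint whose fullName holds URI GeneralNames."""
    names = b"".join(der_tlv(TAG_URI, u.encode("ascii")) for u in uris)
    body = der_tlv(TAG_DISTRIBUTION_POINT, der_tlv(TAG_FULL_NAME, names))
    if reasons is not None:
        body += der_tlv(TAG_REASONS, reasons)
    return der_tlv(TAG_SEQUENCE, body)


def encode_crl_distribution_points(points) -> bytes:
    """Wrap already-encoded DistributionPoint values in the outer SEQUENCE."""
    return der_tlv(TAG_SEQUENCE, b"".join(points))


# Constructed sample: two distribution points; the first also carries a
# reasons BIT STRING (6 unused bits, keyCompromise set) that must be skipped.
SAMPLE_EXTENSION = encode_crl_distribution_points([
    encode_distribution_point(["http://crl.example.test/ca.crl"], reasons=b"\x06\x40"),
    encode_distribution_point(["ldap://ldap.example.test/cn=CA?certificateRevocationList"]),
])

if __name__ == "__main__":
    print(crl_distribution_uris(SAMPLE_EXTENSION))
```

The value passed to `crl_distribution_uris` is the extension's inner OCTET STRING content, i.e. the bytes a certificate parser hands back for the extension, not the whole Extension SEQUENCE. A real implementation would additionally need the other GeneralName choices and the cRLIssuer field for indirect CRLs, which this example leaves out.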