How to generate x5c parameter if fmt is "packed"


William
Apr 24, 2019, 12:18:49 AM
to FIDO Dev (fido-dev)
Hi there,

The syntax of a Packed Attestation statement is defined by the following :

$$attStmtType //= (
    fmt: "packed",
    attStmt: packedStmtFormat
)
packedStmtFormat = {
    alg: COSEAlgorithmIdentifier,
    sig: bytes,
    x5c: [ attestnCert: bytes, * (caCert: bytes) ]
}

I don't understand what attestnCert and caCert are.
How do I generate the x5c parameter so that attestnCert contains an extension with OID 1.3.6.1.4.1.45724.1.1.4 (id-fido-gen-ce-aaguid)?
Can you explain this to me?
Thanks for your help.

Bảo Hoa Quốc
Apr 24, 2019, 12:55:22 AM
to FIDO Dev (fido-dev)
attestnCert (attestation certificate) is the authenticator vendor's trust certificate, which is optionally registered with the FIDO Metadata Service.
Let's say we are an authenticator vendor and we develop an authenticator (it can be a hardware authenticator like a Yubico key, Feitian key, ... or a software authenticator such as a mobile app). We need to define a provisioning mechanism so that the attestation certificate chain and attestation private key are injected into the authenticator (we are talking about the full basic model) in preparation for registration.
The FIDO Server must know about attestation certificates in one of 2 ways:
1) know the authenticator vendor and import the authenticator vendor's attestation certificate chain
2) download the authenticator vendor's certificate chain from the FIDO Metadata Service

About creating x5c:
If you are making a FIDO authenticator, you can generate a self-signed certificate, treat it as the attestation certificate and only need one certificate; CA certificates are not needed.
x5c is an array holding the certificate chain (in the case of the full basic attestation model). The first certificate is used to verify the registration signature. The CA certificate is used to validate the first certificate.

This answer is to clarify x5c. For the raw registration response (which contains the attestation statement) we need to follow this document: https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-client-to-authenticator-protocol-v2.0-id-20180227.html

William
Apr 24, 2019, 2:42:52 AM
to FIDO Dev (fido-dev)
Hi Bảo Hoa Quốc,
Thanks for your information.

Based on your information, if I generate the attestation certificate as follows (I use OpenSSL):
- generate rootCA -> generate a certificate signing request (CSR) -> generate a certificate for the CSR using rootCA ("final result")
then rootCA is caCert and "final result" is attestnCert, is that right?

If that is right, how can I embed "OID 1.3.6.1.4.1.45724.1.1.4" and my AAGUID in caCert?
If you know another method to generate caCert and attestnCert, please let me know.
Thank you.

Krishnan
Nov 6, 2019, 7:23:00 AM
to FIDO Dev (fido-dev)

Hi all,

Can someone please help me resolve the issue below?

How can I embed "OID 1.3.6.1.4.1.45724.1.1.4" in caCert?

Regards,
Krishnan G

Ackermann Yuriy
Nov 6, 2019, 7:58:09 AM
to Krishnan, FIDO Dev (fido-dev)
https://stackoverflow.com/questions/36007663/how-to-add-custom-field-to-certificate-using-openssl

Yuriy Ackermann
FIDO, Identity, Standards
skype: ackermann.yuriy
github: @herrjemand
twitter: @herrjemand
medium: @herrjemand
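The following is an added worked example (the editor's, not code from any poster in this thread or from the FIDO Alliance) that carries out the rootCA -> CSR -> signed certificate flow discussed above with the OpenSSL CLI and turns the result into the two-element x5c array from the CDDL in the first post: attestnCert first, caCert second. The id-fido-gen-ce-aaguid extension (OID 1.3.6.1.4.1.45724.1.1.4) goes into the leaf attestnCert, as the opening question states, as a non-critical OCTET STRING holding the 16-byte AAGUID; that is the "custom field" technique from the linked OpenSSL answer, written as an arbitrary-extension line in an extension file. The subject layout (OU = "Authenticator Attestation") and basicConstraints CA:FALSE follow the WebAuthn packed-attestation certificate requirements. It assumes `openssl` is installed; all names, paths, subject values and the AAGUID are constructed for the example.

```shell
#!/bin/sh
# Added example (editor's, not from any poster in this thread): build a
# two-element x5c chain for a "packed" attestation statement with OpenSSL.
#   caCert      = self-signed root CA (the trust anchor the RP / metadata knows)
#   attestnCert = leaf issued by that CA, carrying id-fido-gen-ce-aaguid
#                 (OID 1.3.6.1.4.1.45724.1.1.4) as a non-critical OCTET STRING
#                 holding the raw 16-byte AAGUID.
# Names, paths, subject values and the AAGUID below are constructed.
set -eu

AAGUID_HEX="${AAGUID_HEX:-0102030405060708090a0b0c0d0e0f10}"   # constructed sample
WORK="${WORK:-$(mktemp -d)}"                                  # scratch directory

make_attestation_chain() {
    # 1) Root CA key + self-signed certificate (this becomes caCert in x5c).
    cat > "$WORK/ca.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
C  = US
O  = Example Vendor
CN = Example Vendor Attestation Root CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/ca.key"
    openssl req -x509 -new -sha256 -days 3650 -key "$WORK/ca.key" \
        -config "$WORK/ca.cnf" -out "$WORK/ca.pem"

    # 2) Attestation key + CSR with the subject layout the packed format expects.
    cat > "$WORK/attest.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
C  = US
O  = Example Vendor
OU = Authenticator Attestation
CN = Example Vendor Authenticator
EOF
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/attest.key"
    openssl req -new -sha256 -key "$WORK/attest.key" \
        -config "$WORK/attest.cnf" -out "$WORK/attest.csr"

    # 3) Leaf extensions. The last line is the AAGUID extension: an arbitrary
    #    OID whose value is an OCTET STRING of the raw bytes, left non-critical.
    cat > "$WORK/attest.ext" <<EOF
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
1.3.6.1.4.1.45724.1.1.4 = ASN1:FORMAT:HEX,OCTETSTRING:${AAGUID_HEX}
EOF
    # 4) Sign the CSR with the root CA -> attestnCert.
    openssl x509 -req -sha256 -days 3650 -in "$WORK/attest.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/attest.ext" -out "$WORK/attest.pem"

    # 5) Check the chain the way a relying party would before trusting it.
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/attest.pem" >/dev/null
}

# Does the certificate carry the AAGUID extension with exactly these bytes?
# asn1parse shows extnValue as a hex dump; 0410 is the inner OCTET STRING header.
cert_has_aaguid() {                      # $1 = PEM certificate, $2 = AAGUID hex
    openssl asn1parse -in "$1" | grep -qi "0410$2"
}

# Emit x5c as base64 DER, one element per line: attestnCert first, then caCert.
x5c_base64() {
    for name in attest ca; do
        openssl x509 -in "$WORK/$name.pem" -outform DER | openssl base64 | tr -d '\n'
        echo
    done
}

# Subject of the first x5c element, decoded back from its base64 DER form.
x5c_leaf_subject() {
    x5c_base64 | head -n 1 | tr -d '\n' | openssl base64 -d -A \
        | openssl x509 -inform DER -noout -subject
}

# Stand-alone run: build the chain and print the two x5c elements.
make_attestation_chain
x5c_base64
```

The CBOR encoder on the authenticator side takes the DER bytes of each element directly (the base64 lines are only a convenient way to inspect them); a verifier uses the first element to check the registration signature and the remaining elements to chain back to a root it trusts, as described earlier in the thread.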