support for attestation extension #252
Conversation
|
Just for my information: this OID is in a private arc owned by Google, and the documentation you cite is Android-specific. Is this attestation extension format also used by other vendors? Is it standardised somewhere? I can't check right now, but IIRC YubiKeys use a slightly different mechanism. Not that that's a problem, but if it's really something specific to Google, then maybe the generic |
|
It's an Android standard, shared by all OEM, i.e. all manufacturer / vendors of Android powered devices. Attestation will become important for all HW generated / based keys. FIDO2 defines also attestation extensions. Attestation extensions will always belong to the x509v3 certificate extensions. Where would be the right place? |
|
How should the different versions of the attestation structure be handled? E.g. I have a certificate with |
It is an Android standard. As such, all OEM producing Android powered phones comply to it. Android Key Attestation holds significant relevance within the mobile device landscape, particularly for approximately 85% of devices, reflecting the dominant market share occupied by Android-powered smartphones and tablets. |
Ideally, all 6 versions of the key attestation extension has OID 1.3.6.1.4.1.11129.2.1.17 would be implemented:
All schemas corresponding to the attestation version are given on the android dev web site: |
I would like to extend x509.py to support the X509v3 Extension «AttestationExtension» (OID «1.3.6.1.4.1.11129.2.1.17»).
The definition is outlined under https://developer.android.com/training/articles/security-key-attestation.html.
Most added classes are straight forward. However, there are 2 classes which are hacky and need to be improved (they might be even at the wrong place):
•
class AttestationApplicationIdWrapper(ParsableOctetString)•
class UnixTimestamp(Integer)Please advise.