Merge pull request #2193 from mwiseman-byid/main
Clarify use creating and verifying TPM attestation statements.
sbweeden authored Nov 13, 2024
2 parents 92e1015 + 9618b97 commit 0633494
Showing 1 changed file with 28 additions and 14 deletions.
42 changes: 28 additions & 14 deletions index.bs
Expand Up @@ -6560,8 +6560,11 @@ engine.
setting the `extraData` parameter to the digest of |attToBeSigned| using the hash algorithm corresponding to the "alg" signature algorithm.
(For the "RS256" algorithm, this would be a SHA-256 digest.)

Set the |pubArea| field to the public area of the credential public key, the |certInfo| field to the output parameter of the
same name, and the |sig| field to the signature obtained from the above procedure.
Set the |pubArea| field to the public area of the credential public key (the TPMT_PUBLIC structure), the |certInfo| field (the TPMS_ATTEST structure)
to the output parameter of the same name, and the |sig| field to the signature obtained from the above procedure.

Note: If the |pubArea| is read from the TPM using the TPM2_ReadPublic command, that command returns a TPM2B_PUBLIC structure. TPM2B_PUBLIC
is two bytes of length followed by the TPMT_PUBLIC structure. The two bytes of length must be removed prior to putting this into the |pubArea|.

: Verification procedure
:: Given the [=verification procedure inputs=] |attStmt|, |authenticatorData| and |clientDataHash|, the [=verification procedure=] is
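
Review bot: The added Note words the length-stripping rule with a lowercase "must" inside a "Note:", while the surrounding text states requirements with uppercase MUST and MAY, so an implementer following only the signing steps can still place a TPM2B_PUBLIC into |pubArea|. Consider folding the rule into the "Set the |pubArea| field ..." sentence itself (for example "the TPMT_PUBLIC structure, without the two-byte length prefix of TPM2B_PUBLIC") and keeping the Note only for the TPM2_ReadPublic explanation. TPM2_ReadPublic, TPM2B_PUBLIC, TPMT_PUBLIC and TPMS_ATTEST could also be set in backticks to match `extraData` earlier in the same step.
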
Expand All @@ -6575,24 +6578,30 @@ engine.

Concatenate |authenticatorData| and |clientDataHash| to form |attToBeSigned|.

Verify integrity of |certInfo|
- Verify that |x5c| is present.
- Verify that |aikCert| meets the requirements in [[#sctn-tpm-cert-requirements]].
- If |aikCert| contains an extension with OID `1.3.6.1.4.1.45724.1.1.4` (`id-fido-gen-ce-aaguid`) verify that the value of this
extension matches the <code>[=authData/attestedCredentialData/aaguid=]</code> in |authenticatorData|.
- Verify the |sig| is a valid signature over |certInfo| using the attestation public key in |aikCert| with the
algorithm specified in |alg|.

Validate that |certInfo| is valid:
Note: |certInfo| is a TPMS_ATTEST structure.
- Verify that `magic` is set to `TPM_GENERATED_VALUE`.
- Verify that `type` is set to `TPM_ST_ATTEST_CERTIFY`.
- Verify that `extraData` is set to the hash of |attToBeSigned| using the hash algorithm employed in "alg".
- Verify that `attested` contains a `TPMS_CERTIFY_INFO` structure as specified in [[!TPMv2-Part2]] section 10.12.3,
whose `name` field contains a valid Name for |pubArea|,
as computed using the procedure specified in [[!TPMv2-Part1]]
section 16. Note that the hash algorithm is included within the attested `name` field of the TPMS_CERTIFY_INFO structure.
- Verify that |x5c| is present.
- Note that the remaining fields in the "Standard Attestation Structure" [[!TPMv2-Part1]]
whose `name` field contains a valid Name for |pubArea|, as computed using the procedure specified in [[!TPMv2-Part1]] section 16 using the nameAlg in the |pubArea|.

Note: The TPM will always return TPMS_CERTIFY_INFO structure with the same nameAlg in the `name` as the nameAlg
in |pubArea|.

Note: The remaining fields in the "Standard Attestation Structure" [[!TPMv2-Part1]]
section 31.2, i.e., `qualifiedSigner`, `clockInfo` and `firmwareVersion` are ignored.
These fields MAY be used as an input to risk engines.
Depending on the properties of the |aikCert| key used, these fields may be obfuscated.
If valid, these MAY be used as an input to risk engines.

- Verify the |sig| is a valid signature over |certInfo| using the attestation public key in |aikCert| with the
algorithm specified in |alg|.
- Verify that |aikCert| meets the requirements in [[#sctn-tpm-cert-requirements]].
- If |aikCert| contains an extension with OID `1.3.6.1.4.1.45724.1.1.4` (`id-fido-gen-ce-aaguid`) verify that the value of this
extension matches the <code>[=authData/attestedCredentialData/aaguid=]</code> in |authenticatorData|.
- If successful, return implementation-specific values representing [=attestation type=] [=AttCA=] and [=attestation trust
path=] |x5c|.
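
Review bot: The closing Note says "If valid, these MAY be used as an input to risk engines." right after stating that the fields "may be obfuscated", but gives the Relying Party no criterion for deciding that `qualifiedSigner`, `clockInfo` and `firmwareVersion` are valid. Either state how validity is determined or drop "If valid" and say that obfuscated values carry no meaning for a risk engine. Smaller points in the same hunk: "The TPM will always return TPMS_CERTIFY_INFO structure" is missing "a", `TPMS_CERTIFY_INFO` and `nameAlg` are backticked in the step but not in the Note, and "Validate that |certInfo| is valid:" ends with a colon while "Verify integrity of |certInfo|" does not.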

Expand All @@ -6606,6 +6615,11 @@ TPM [=attestation certificate=] MUST have the following fields/extensions:

- The Subject Alternative Name extension MUST be set as defined in [[!TPMv2-EK-Profile]] section 3.2.9.

Note: Previous versions of [[!TPMv2-EK-Profile]] allowed the inclusion of an optional attribute,
called HardwareModuleName, that contains the TPM serial number in the EK certificate.
HardwareModuleName SHOULD NOT be placed in in the [=attestation certificate=]
Subject Alternative Name.

- The Extended Key Usage extension MUST contain the OID `2.23.133.8.3`
("joint-iso-itu-t(2) internationalorganizations(23) 133 tcg-kp(8) tcg-kp-AIKCertificate(3)").
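
Review bot: The added Note has a doubled word in "SHOULD NOT be placed in in the [=attestation certificate=]"; drop one "in". The Note also sits between two list items of the certificate requirements and carries a SHOULD NOT, so consider making it a list item of its own next to the Subject Alternative Name requirement, and naming which earlier profile versions defined HardwareModuleName rather than "Previous versions".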

Expand Down Expand Up @@ -9439,7 +9453,7 @@ for their contributions as our W3C Team Contacts.
"TPMv2-EK-Profile": {
"title": "TCG EK Credential Profile for TPM Family 2.0",
"publisher": "Trusted Computing Group",
"href": "https://www.trustedcomputinggroup.org/wp-content/uploads/Credential_Profile_EK_V2.0_R14_published.pdf"
"href": "https://trustedcomputinggroup.org/wp-content/uploads/TCG-EK-Credential-Profile-V-2.5-R2_published.pdf"
},
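
Review bot: The "href" for "TPMv2-EK-Profile" moves from Credential_Profile_EK_V2.0_R14 to TCG-EK-Credential-Profile-V-2.5-R2, but the text still cites "[[!TPMv2-EK-Profile]] section 3.2.9" for the Subject Alternative Name; please confirm that section number is still correct in the new revision. The new Note about HardwareModuleName also refers to "Previous versions of [[!TPMv2-EK-Profile]]", which now resolves to the 2.5 document, so a reader cannot find the earlier text from this reference alone.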

"FIDOAuthnrSecReqs": {