【问题标题】:Is asn1 definition proivided by Google valid one?Google 提供的 asn1 定义是否有效?
【发布时间】:2019-11-21 20:21:16
【问题描述】:

google在https://developer.android.com/training/articles/security-key-attestation#attestation-v3上提供的ASN.1定义是否有效?

KeyDescription ::= SEQUENCE {
    attestationVersion  3,
    attestationSecurityLevel  SecurityLevel,
    keymasterVersion  INTEGER,
    keymasterSecurityLevel  SecurityLevel,
    attestationChallenge  OCTET_STRING,
    uniqueId  OCTET_STRING,
    softwareEnforced  AuthorizationList,
    teeEnforced  AuthorizationList,
}

SecurityLevel ::= ENUMERATED {
    Software  (0),
    TrustedEnvironment  (1),
    StrongBox  (2),
}

AuthorizationList ::= SEQUENCE {
    purpose  [1] EXPLICIT SET OF INTEGER OPTIONAL,
    algorithm  [2] EXPLICIT INTEGER OPTIONAL,
    keySize  [3] EXPLICIT INTEGER OPTIONAL,
    digest  [5] EXPLICIT SET OF INTEGER OPTIONAL,
    padding  [6] EXPLICIT SET OF INTEGER OPTIONAL,
    ecCurve  [10] EXPLICIT INTEGER OPTIONAL,
    rsaPublicExponent  [200] EXPLICIT INTEGER OPTIONAL,
    rollbackResistance  [303] EXPLICIT NULL OPTIONAL,
    activeDateTime  [400] EXPLICIT INTEGER OPTIONAL,
    originationExpireDateTime  [401] EXPLICIT INTEGER OPTIONAL,
    usageExpireDateTime  [402] EXPLICIT INTEGER OPTIONAL,
    noAuthRequired  [503] EXPLICIT NULL OPTIONAL,
    userAuthType  [504] EXPLICIT INTEGER OPTIONAL,
    authTimeout  [505] EXPLICIT INTEGER OPTIONAL,
    allowWhileOnBody  [506] EXPLICIT NULL OPTIONAL,
    trustedUserPresenceRequired  [507] EXPLICIT NULL OPTIONAL,
    trustedConfirmationRequired  [508] EXPLICIT NULL OPTIONAL,
    unlockedDeviceRequired  [509] EXPLICIT NULL OPTIONAL,
    allApplications  [600] EXPLICIT NULL OPTIONAL,
    applicationId  [601] EXPLICIT OCTET_STRING OPTIONAL,
    creationDateTime  [701] EXPLICIT INTEGER OPTIONAL,
    origin  [702] EXPLICIT INTEGER OPTIONAL,
    rootOfTrust  [704] EXPLICIT RootOfTrust OPTIONAL,
    osVersion  [705] EXPLICIT INTEGER OPTIONAL,
    osPatchLevel  [706] EXPLICIT INTEGER OPTIONAL,
    attestationApplicationId  [709] EXPLICIT OCTET_STRING OPTIONAL,
    attestationIdBrand  [710] EXPLICIT OCTET_STRING OPTIONAL,
    attestationIdDevice  [711] EXPLICIT OCTET_STRING OPTIONAL,
    attestationIdProduct  [712] EXPLICIT OCTET_STRING OPTIONAL,
    attestationIdSerial  [713] EXPLICIT OCTET_STRING OPTIONAL,
    attestationIdImei  [714] EXPLICIT OCTET_STRING OPTIONAL,
    attestationIdMeid  [715] EXPLICIT OCTET_STRING OPTIONAL,
    attestationIdManufacturer  [716] EXPLICIT OCTET_STRING OPTIONAL,
    attestationIdModel  [717] EXPLICIT OCTET_STRING OPTIONAL,
    vendorPatchLevel  [718] EXPLICIT INTEGER OPTIONAL,
    bootPatchLevel  [719] EXPLICIT INTEGER OPTIONAL,
}

RootOfTrust ::= SEQUENCE {
    verifiedBootKey  OCTET_STRING,
    deviceLocked  BOOLEAN,
    verifiedBootState  VerifiedBootState,
    verifiedBootHash OCTET_STRING,
}

VerifiedBootState ::= ENUMERATED {
    Verified  (0),
    SelfSigned  (1),
    Unverified  (2),
    Failed  (3),
}

为了让它与 python asn1toolshttps://asn1.io/asn1playground/ 一起工作,我不得不:

  • 消除悬空昏迷,
  • attestationVersion 3更改为attestationVersion INTEGER
  • OCTET_STRINGOCTET STRING,
  • 以及所有camelCase的枚举键。
ASN1 DEFINITIONS ::= BEGIN
    KeyDescription ::= SEQUENCE {
        attestationVersion  INTEGER,
        attestationSecurityLevel  SecurityLevel,
        keymasterVersion  INTEGER,
        keymasterSecurityLevel  SecurityLevel,
        attestationChallenge  OCTET STRING,
        uniqueId  OCTET STRING,
        softwareEnforced  AuthorizationList,
        teeEnforced  AuthorizationList
    }

    SecurityLevel ::= ENUMERATED {
        software  (0),
        trustedEnvironment  (1),
        strongBox  (2)
    }

    AuthorizationList ::= SEQUENCE {
        purpose  [1] EXPLICIT SET OF INTEGER OPTIONAL,
        algorithm  [2] EXPLICIT INTEGER OPTIONAL,
        keySize  [3] EXPLICIT INTEGER OPTIONAL,
        digest  [5] EXPLICIT SET OF INTEGER OPTIONAL,
        padding  [6] EXPLICIT SET OF INTEGER OPTIONAL,
        ecCurve  [10] EXPLICIT INTEGER OPTIONAL,
        rsaPublicExponent  [200] EXPLICIT INTEGER OPTIONAL,
        rollbackResistance  [303] EXPLICIT NULL OPTIONAL,
        activeDateTime  [400] EXPLICIT INTEGER OPTIONAL,
        originationExpireDateTime  [401] EXPLICIT INTEGER OPTIONAL,
        usageExpireDateTime  [402] EXPLICIT INTEGER OPTIONAL,
        noAuthRequired  [503] EXPLICIT NULL OPTIONAL,
        userAuthType  [504] EXPLICIT INTEGER OPTIONAL,
        authTimeout  [505] EXPLICIT INTEGER OPTIONAL,
        allowWhileOnBody  [506] EXPLICIT NULL OPTIONAL,
        trustedUserPresenceRequired  [507] EXPLICIT NULL OPTIONAL,
        trustedConfirmationRequired  [508] EXPLICIT NULL OPTIONAL,
        unlockedDeviceRequired  [509] EXPLICIT NULL OPTIONAL,
        allApplications  [600] EXPLICIT NULL OPTIONAL,
        applicationId  [601] EXPLICIT OCTET STRING OPTIONAL,
        creationDateTime  [701] EXPLICIT INTEGER OPTIONAL,
        origin  [702] EXPLICIT INTEGER OPTIONAL,
        rootOfTrust  [704] EXPLICIT RootOfTrust OPTIONAL,
        osVersion  [705] EXPLICIT INTEGER OPTIONAL,
        osPatchLevel  [706] EXPLICIT INTEGER OPTIONAL,
        attestationApplicationId  [709] EXPLICIT OCTET STRING OPTIONAL,
        attestationIdBrand  [710] EXPLICIT OCTET STRING OPTIONAL,
        attestationIdDevice  [711] EXPLICIT OCTET STRING OPTIONAL,
        attestationIdProduct  [712] EXPLICIT OCTET STRING OPTIONAL,
        attestationIdSerial  [713] EXPLICIT OCTET STRING OPTIONAL,
        attestationIdImei  [714] EXPLICIT OCTET STRING OPTIONAL,
        attestationIdMeid  [715] EXPLICIT OCTET STRING OPTIONAL,
        attestationIdManufacturer  [716] EXPLICIT OCTET STRING OPTIONAL,
        attestationIdModel  [717] EXPLICIT OCTET STRING OPTIONAL,
        vendorPatchLevel  [718] EXPLICIT INTEGER OPTIONAL,
        bootPatchLevel  [719] EXPLICIT INTEGER OPTIONAL
    }

    RootOfTrust ::= SEQUENCE {
        verifiedBootKey  OCTET STRING,
        deviceLocked  BOOLEAN,
        verifiedBootState  VerifiedBootState,
        verifiedBootHash OCTET STRING
    }

    VerifiedBootState ::= ENUMERATED {
        verified  (0),
        selfSigned  (1),
        unverified  (2),
        failed  (3)
    }
END

【问题讨论】:

    标签: android language-lawyer asn.1


    【解决方案1】:

    您所做的更正是必要的。上面的第一个 ASN.1 规范包含您列出的所有错误。

    【讨论】:

    • 所以,这不是什么奇怪的扩展,也不是下一个版本的符号,而只是一个无效的代码?
    • 亚历山德罗是正确的。如果某处 OCTET-STRING 被定义为类型,则使用 OCTET-STRING 将是有效的,但内置类型是“OCTET STRING”。 OCTET_STRING 无效,因为 ASN.1 中未使用下划线
    【解决方案2】:

    您必须修复此规范的原因不是为了工具,而只是为了人类读者。

    在您提到的错误之前,您会注意到没有模块定义(只是分配),这是一个非常糟糕的开始。标记默认值对于标记的验证至关重要。

    此规范是纯文本,不用作任何地方的 asn.1 工具的输入文件。

    在他们的sample 中,Google 正在使用 Bouncycastle 库(因此他们不需要有效的规范)

    不过,在文章中发布时验证 asn.1 规范或 asn.1 分配(在这种情况下)并没有什么坏处...

    【讨论】:

      猜你喜欢
      • 2014-03-12
      • 1970-01-01
      • 1970-01-01
      • 2012-02-06
      • 2012-04-14
      • 1970-01-01
      • 1970-01-01
      • 1970-01-01
      • 2012-08-13
      相关资源
      最近更新 更多