Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(fsim-csr): implement the CSR FSIM #562

Draft
wants to merge 4 commits into
base: main
Choose a base branch
from

Conversation

mmartinv
Copy link
Contributor

@mmartinv mmartinv commented Oct 18, 2023

Implement the 'CSR' (certificate signing request) FDO serviceinfo module (FSIM) for the purpose of certificate enrollment described by the FIDO alliance at https://github.com/fido-alliance/fdo-sim/blob/main/fsim-repository/fdo.csr.md

This initial PR implements the operations related to the 'Distribution of CA Certificates' only.

Add a new 'certificates_enrollment' configuration section under
'service_info'. All the new CSR configuration variables will go
under it.

The first variable will be 'trusted_cacerts' which must contain
the path to a PKCS7 file encoded in PEM or DER format.

Signed-off-by: Miguel Martín <[email protected]>
The new FDO service info module will contain all the FDO FSIM
implementations being CSR[1] the first one.

[1] https://github.com/fido-alliance/fdo-sim/blob/main/fsim-repository/fdo.csr.md

Signed-off-by: Miguel Martín <[email protected]>
… side

The service info API server finds the active modules sent by the device.
If the CSR module is among the active modules, the server will send the
'fdo.csr.cacerts-res' message to the device encoded as described in the
specification[1]

https://github.com/fido-alliance/fdo-sim/blob/main/fsim-repository/fdo.csr.md

Signed-off-by: Miguel Martín <[email protected]>
… side

The device sends the active modules to the owner's onboarding server.
If the CSR module is among the active modules, the owner's onboarding server
 will send back the 'fdo.csr.cacerts-res' message to the device encoded
as described in the specification[1]. Te device will decode the message,
save the file in the system's trusted anchors and update the certificates
trusted by the system.

[1] https://github.com/fido-alliance/fdo-sim/blob/main/fsim-repository/fdo.csr.md

Signed-off-by: Miguel Martín <[email protected]>
@mmartinv mmartinv changed the title Implement the CA certs enrollment operations described at the CSR FSIM feat(fsim-csr) Implement the CSR FSIM Oct 23, 2023
@mmartinv mmartinv changed the title feat(fsim-csr) Implement the CSR FSIM feat(fsim-csr): implement the CSR FSIM Oct 23, 2023
@runcom
Copy link
Contributor

runcom commented Sep 12, 2024

This is blocked because the interaction between clients and servers in our implementation is unidirectional. We need a two way communication in order to comply with the protocol.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants