manifest: Include the PEM encoded SubjectPublicKeyInfo

Following the IETF spec [1], let's actually include the DER encoded [2] Subject Public Key Info in the authorised-by field. This is still encoded as a text field though, following [3]. The key used is the CA cert, which is the "public key identifier of the entity authorized to provide Reference Values." 1: https://www.ietf.org/archive/id/draft-ietf-rats-corim-01.html#section-3.1.4.1.6 2: https://www.rfc-editor.org/rfc/rfc7468#section-13 3: https://github.com/ietf-rats-wg/draft-ietf-rats-corim/blob/20fe75ebd7cb0b79c3b295b09bc59c0891f39247/cddl/crypto-key-type-choice.cddl#L9 Signed-off-by: Alistair Francis <[email protected]>
westerndigitalcorporation · Aug 26, 2024 · e2a51ca · e2a51ca
1 parent 08435f8
commit e2a51ca
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 3 deletions.
diff --git a/certs/generate_certs.sh b/certs/generate_certs.sh
@@ -23,6 +23,10 @@ openssl asn1parse -in inter.cert -out inter.cert.der
 openssl asn1parse -in inter.key -out inter.key.der
 cat inter.cert.der inter.key.der > inter.der
 
+# Generate the responder SubjectPublicKeyInfo
+openssl x509 -inform DER -in ca.cert.der -pubkey -noout -out ca.pub
+openssl asn1parse -in ca.pub -out ca.pub.der
+
 # Generate Leaf CSRs
 openssl req -nodes -newkey ec:param.pem \
        -keyout end_requester.key -out end_requester.req -sha384 -batch \

diff --git a/certs/slot0/ca.der b/certs/slot0/ca.der
diff --git a/certs/slot0/ca.pub b/certs/slot0/ca.pub
@@ -0,0 +1,5 @@
+-----BEGIN PUBLIC KEY-----
+MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEblIXPCYTxE7ZH8vTYINO5JO5+8vPTHZF
+098QaMaf/8Vahikbod4mC9e9pqlDR9a5Ylc9xVb02QfXQuMWJix4L8hckVsbw+dN
+R9wd07kaeQXruZAVs7c+zyMXeroWcMNN
+-----END PUBLIC KEY-----
diff --git a/manifest/manifest.in.cbor b/manifest/manifest.in.cbor
@@ -20,7 +20,7 @@
             }
           },
           / authorised-by / 2: [
-            / tagged-pkix-base64-key-type / 554("base64_key_X")
+            / tagged-pkix-base64-key-type / 554("3076301006072a8648ce3d020106052b81040022036200046e52173c2613c44ed91fcbd360834ee493b9fbcbcf4c7645d3df1068c69fffc55a86291ba1de260bd7bda6a94347d6b962573dc556f4d907d742e316262c782fc85c915b1bc3e74d47dc1dd3b91a7905ebb99015b3b73ecf23177aba1670c34d")
           ]
         },
         / measurement-map / {
@@ -31,7 +31,7 @@
             }
           },
           / authorised-by / 2: [
-            / tagged-pkix-base64-key-type / 554("base64_key_X")
+            / tagged-pkix-base64-key-type / 554("3076301006072a8648ce3d020106052b81040022036200046e52173c2613c44ed91fcbd360834ee493b9fbcbcf4c7645d3df1068c69fffc55a86291ba1de260bd7bda6a94347d6b962573dc556f4d907d742e316262c782fc85c915b1bc3e74d47dc1dd3b91a7905ebb99015b3b73ecf23177aba1670c34d")
           ]
         },
         / measurement-map / {
@@ -42,7 +42,7 @@
             }
           },
           / authorised-by / 2: [
-            / tagged-pkix-base64-key-type / 554("base64_key_X")
+            / tagged-pkix-base64-key-type / 554("3076301006072a8648ce3d020106052b81040022036200046e52173c2613c44ed91fcbd360834ee493b9fbcbcf4c7645d3df1068c69fffc55a86291ba1de260bd7bda6a94347d6b962573dc556f4d907d742e316262c782fc85c915b1bc3e74d47dc1dd3b91a7905ebb99015b3b73ecf23177aba1670c34d")
           ]
         }
         ]