Problem
Current example implementation of DeviceAttestationVerifier employs a very simplistic built-in PAA root store. This root store should be abstracted to let attestation verifiers get a list in a platform-specific way.
Proposed Solution
- Create an AttestationTrustStore interface used by the DeviceAttestationVerifier interface. Required capabilities:
  - Look up PAA by SKID
  - Determine if a PAA is revoked, by SKID
  - Determine if a PAI is revoked, by TBD
  - Determine if a DAC is revoked, by TBD
  - Interface should be asynchronous (since it's IO that may include look-ups)
- Implement a "fixed trust store" version (i.e. the current example code with known single dev root)
- Implement a POSIX version that can search through DER files in a particular directory for PAAs
PAA store used by DefaultDeviceAttestationVerifier could not be
replaced, forcing a few fixed test roots to always be used and
nothing else, unless completely forking the
DefaultDeviceAttestationVerifier.
- This PR introduces the `PaaRootStore` interface, which the
default `DeviceAttestationVerifier` expects to be configured
with in its constructor.
- Examples were modified to use the default test PAA root store
- Unit tests updated to use the testing root store
- Refactored simple array-based Root store to self-extract
the SKID
Testing done: added new unit tests which pass, ran cert tests,
validated attestation succeeds the same as before with test keys.
Fixed project-chip#11913
* Make PAA store configurable
* Restyled by clang-format
* Address review comments
- Rename PaaRootStore to AttestationTrustStore
- Add comments about ArrayAttestationTrustStore lifecycle
- Remove debug print
* Fix python build
* Fix tv-app scoping issue
* Attempt to debug Darwin error
* Restyled by clang-format
* Remove debug logging used to diagnose CI
Co-authored-by: Restyled.io <commits@restyled.io>
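A sketch of the design discussed in this thread, added here as an example and not taken from the project's code: an abstract trust store that looks up a PAA by SKID, and a fixed array-backed store that reads the SKID from each certificate itself. The names `TrustStore`, `FindPaaBySkid`, `ArrayTrustStore`, `ExtractSkid` and `MakeSampleRoot` are hypothetical, the 20-byte SKID length and the byte-pattern scan (in place of a full X.509 parser) are assumptions, and the sample input is constructed.

```cpp
#include <algorithm>
#include <array>
#include <cstddef>
#include <cstdint>
#include <optional>
#include <utility>
#include <vector>

using Bytes = std::vector<uint8_t>;
using KeyId = std::array<uint8_t, 20>; // assumption: 20-byte SKID
// Hypothetical interface: the verifier depends on this, not on a concrete store.
struct TrustStore {
    virtual ~TrustStore() = default;
    virtual const Bytes * FindPaaBySkid(const KeyId & skid) const = 0;
};

// Simplified: match the subjectKeyIdentifier OID (2.5.29.14) plus its OCTET STRING wrappers.
std::optional<KeyId> ExtractSkid(const Bytes & der) {
    static const uint8_t kPrefix[] = { 0x06, 0x03, 0x55, 0x1D, 0x0E, 0x04, 0x16, 0x04, 0x14 };
    auto it = std::search(der.begin(), der.end(), std::begin(kPrefix), std::end(kPrefix));
    if (it == der.end()) return std::nullopt; // extension absent
    it += sizeof(kPrefix);
    KeyId id;
    if (static_cast<size_t>(der.end() - it) < id.size()) return std::nullopt; // truncated input
    std::copy_n(it, id.size(), id.begin());
    return id;
}

// Fixed store that indexes each root by the SKID read from the certificate itself.
class ArrayTrustStore : public TrustStore {
public:
    explicit ArrayTrustStore(std::vector<Bytes> roots) {
        for (auto & r : roots)
            if (auto id = ExtractSkid(r)) mEntries.emplace_back(*id, std::move(r)); // no SKID: skipped
    }
    const Bytes * FindPaaBySkid(const KeyId & skid) const override {
        for (const auto & e : mEntries)
            if (e.first == skid) return &e.second;
        return nullptr; // unknown root: the caller must treat this as a failed lookup
    }
private:
    std::vector<std::pair<KeyId, Bytes>> mEntries;
};

// Constructed sample: just the extension bytes, not a real certificate.
Bytes MakeSampleRoot(uint8_t fill) {
    Bytes der = { 0x30, 0x1F, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E, 0x04, 0x16, 0x04, 0x14 };
    der.insert(der.end(), 20, fill);
    return der;
}
```

Because the store is keyed by a value parsed out of each root, a root that carries no SKID is never indexed and cannot be returned by any lookup.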