Device attestation
Description
Support for ACME device-attest-01 challenge. See:
- https://datatracker.ietf.org/doc/html/draft-bweeks-acme-device-attest-00
- https://developer.apple.com/documentation/devicemanagement/acmecertificate
- https://developer.apple.com/videos/play/wwdc2022/10143/
We need to add SAN support for permanent identifiers in go.step.sm/crypto. There's some work by @brandonweeks here. We can get rid of the github.com/google/go-attestation dependency by encoding the SANs manually, extending the new SANs of https://github.com/smallstep/crypto/pull/27.
It's possible to test this by installing a profile with the root certificate; this can be done by visiting the roots.pem endpoint (https://ca.local/roots.pem) and then installing the ACMECertificate profile (acme.mobileconfig) using the Apple Configurator app:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadUUID</key>
<string>Ignored</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadDisplayName</key>
<string>ACME</string>
<key>PayloadIdentifier</key>
<string>com.example.myprofile</string>
<key>PayloadContent</key>
<array>
<dict>
<key>ClientIdentifier</key>
<string>YOUR DEVICE UDID OR SERIAL NUMBER</string>
<key>ExtendedKeyUsage</key>
<array>
<string>1.3.6.1.5.5.7.3.2</string>
</array>
<key>HardwareBound</key>
<true/>
<key>Attest</key>
<true/>
<key>KeySize</key>
<integer>384</integer>
<key>KeyType</key>
<string>ECSECPrimeRandom</string>
<key>KeyUsage</key>
<integer>5</integer>
<key>PayloadIdentifier</key>
<string>com.example.myacmepayload</string>
<key>PayloadType</key>
<string>com.apple.security.acme</string>
<key>PayloadUUID</key>
<string>cbdc6238-feec-4171-878d-34e576bbb813</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>Subject</key>
<array>
<array>
<array>
<string>C</string>
<string>US</string>
</array>
</array>
<array>
<array>
<string>O</string>
<string>Example Inc.</string>
</array>
</array>
<array>
<array>
<string>1.2.840.113635.100.6.99999.99999</string>
<string>test custom OID value</string>
</array>
</array>
</array>
<key>SubjectAltName</key>
<dict>
<key>dNSName</key>
<string>site.example.com</string>
<key>ntPrincipalName</key>
<string>site.example.com</string>
</dict>
<key>DirectoryURL</key>
<string>https://ca.local/acme/acme/directory</string>
</dict>
</array>
</dict>
</plist>
The ClientIdentifier will become the identifier value; the current implementation expects this to match the serial number of the UDID in the attestation certificate. But we might want to use an external service to check this and get the list of SANs to set. Currently, a PermanentIdentifier SAN is added with that value.
@hslatman I think it is a good idea to start merging this; it will make it easy to improve on it. For example, to add tests on the new methods, it would be nice to merge the attestation roots part too and use minica to create fake attestation certificates.