How can an attestation statement in tpm format be verified?

[kimura-ym]

I am trying to register a Windows Hello authenticator, but when I specify "attestation": "direct" in the return when issuing a challenge,
"unknown keyword: :curve" error occurs.
The stack trace at the time of the error is as follows

/home/user/.rbenv/versions/3.1.4/lib/ruby/gems/3.1.0/gems/openssl-signature_algorithm-1.3.0/lib/openssl/signature_algorithm/rsa.rb:39:in `initialize'
/home/user/.rbenv/versions/3.1.4/lib/ruby/gems/3.1.0/gems/tpm-key_attestation-0.12.1/lib/tpm/certify_validator.rb:47:in `new'
/home/user/.rbenv/versions/3.1.4/lib/ruby/gems/3.1.0/gems/tpm-key_attestation-0.12.1/lib/tpm/certify_validator.rb:47:in `valid_signature?'
/home/user/.rbenv/versions/3.1.4/lib/ruby/gems/3.1.0/gems/tpm-key_attestation-0.12.1/lib/tpm/certify_validator.rb:34:in `valid?'
/home/user/.rbenv/versions/3.1.4/lib/ruby/gems/3.1.0/gems/tpm-key_attestation-0.12.1/lib/tpm/key_attestation.rb:64:in `valid?'
/home/user/.rbenv/versions/3.1.4/lib/ruby/gems/3.1.0/gems/webauthn-3.1.0/lib/webauthn/attestation_statement/tpm.rb:48:in `valid_key_attestation?'
/home/user/.rbenv/versions/3.1.4/lib/ruby/gems/3.1.0/gems/webauthn-3.1.0/lib/webauthn/attestation_statement/tpm.rb:23:in `valid?'
/home/user/.rbenv/versions/3.1.4/lib/ruby/gems/3.1.0/gems/webauthn-3.1.0/lib/webauthn/attestation_object.rb:41:in `valid_attestation_statement?'
/home/user/.rbenv/versions/3.1.4/lib/ruby/gems/3.1.0/gems/webauthn-3.1.0/lib/webauthn/authenticator_attestation_response.rb:80:in `valid_attestation_statement?'
/home/user/.rbenv/versions/3.1.4/lib/ruby/gems/3.1.0/gems/webauthn-3.1.0/lib/webauthn/authenticator_response.rb:64:in `verify_item'
/home/user/.rbenv/versions/3.1.4/lib/ruby/gems/3.1.0/gems/webauthn-3.1.0/lib/webauthn/authenticator_attestation_response.rb:45:in `verify'
/home/user/.rbenv/versions/3.1.4/lib/ruby/gems/3.1.0/gems/webauthn-3.1.0/lib/webauthn/public_key_credential_with_attestation.rb:15:in `verify'
/home/user/.rbenv/versions/3.1.4/lib/ruby/gems/3.1.0/gems/webauthn-3.1.0/lib/webauthn/relying_party.rb:87:in `verify_registration'
/mnt/c/source/extic-fido2-sample/app/controllers/registrations_controller.rb:36:in `callback'

I just followed the code below in debugging,
https://github.com/cedarcode/tpm-key_attestation/blob/c84b4513a5f4fbcced370c48400ab30a9d028351/lib/tpm/certify_validator.rb#L47
The initialization parameters for openssl_signature_algorithm_class were as follows

parameters
{:hash_function=>"SHA1", :curve=>"prime256v1"}

On the other hand, the openssl side only accepts hash_function, so I assume you are getting an "unknown keyword: :curve" error.
https://github.com/cedarcode/openssl-signature_algorithm/blob/323447bf039c769462b25c89d0df0e9e10dcc5a0/lib/openssl/signature_ algorithm/rsa.rb#L39

Maybe,
https://github.com/cedarcode/openssl-signature_algorithm/blob/323447bf039c769462b25c89d0df0e9e10dcc5a0/lib/openssl/signature_ algorithm/ecdsa.rb#L69
but since the hash_function is "SHA1", I don't think this one works either.

How can an attestation statement in tpm format be verified?

[santiagorodriguez96]

Hi @kimura-ym! Sorry for the late response!

This is interesting! I'll try to reproduce the issue with a Windows Hello authenticator but it seems it might be an issue with tpm-key_attestation 😕

[santiagorodriguez96]

FYI indeed it was! I've opened an issue in cedarcode/tpm-key_attestation#28 if you want to keep an eye on it.