Is the ASN.1 definition provided by Google a valid one?
Is the ASN.1 definition that Google provides at https://developer.android.com/training/articles/security-key-attestation#attestation-v3 valid?
KeyDescription ::= SEQUENCE {
attestationVersion 3,
attestationSecurityLevel SecurityLevel,
keymasterVersion INTEGER,
keymasterSecurityLevel SecurityLevel,
attestationChallenge OCTET_STRING,
uniqueId OCTET_STRING,
softwareEnforced AuthorizationList,
teeEnforced AuthorizationList,
}
SecurityLevel ::= ENUMERATED {
Software (0),
TrustedEnvironment (1),
StrongBox (2),
}
AuthorizationList ::= SEQUENCE {
purpose [1] EXPLICIT SET OF INTEGER OPTIONAL,
algorithm [2] EXPLICIT INTEGER OPTIONAL,
keySize [3] EXPLICIT INTEGER OPTIONAL,
digest [5] EXPLICIT SET OF INTEGER OPTIONAL,
padding [6] EXPLICIT SET OF INTEGER OPTIONAL,
ecCurve [10] EXPLICIT INTEGER OPTIONAL,
rsaPublicExponent [200] EXPLICIT INTEGER OPTIONAL,
rollbackResistance [303] EXPLICIT NULL OPTIONAL,
activeDateTime [400] EXPLICIT INTEGER OPTIONAL,
originationExpireDateTime [401] EXPLICIT INTEGER OPTIONAL,
usageExpireDateTime [402] EXPLICIT INTEGER OPTIONAL,
noAuthRequired [503] EXPLICIT NULL OPTIONAL,
userAuthType [504] EXPLICIT INTEGER OPTIONAL,
authTimeout [505] EXPLICIT INTEGER OPTIONAL,
allowWhileOnBody [506] EXPLICIT NULL OPTIONAL,
trustedUserPresenceRequired [507] EXPLICIT NULL OPTIONAL,
trustedConfirmationRequired [508] EXPLICIT NULL OPTIONAL,
unlockedDeviceRequired [509] EXPLICIT NULL OPTIONAL,
allApplications [600] EXPLICIT NULL OPTIONAL,
applicationId [601] EXPLICIT OCTET_STRING OPTIONAL,
creationDateTime [701] EXPLICIT INTEGER OPTIONAL,
origin [702] EXPLICIT INTEGER OPTIONAL,
rootOfTrust [704] EXPLICIT RootOfTrust OPTIONAL,
osVersion [705] EXPLICIT INTEGER OPTIONAL,
osPatchLevel [706] EXPLICIT INTEGER OPTIONAL,
attestationApplicationId [709] EXPLICIT OCTET_STRING OPTIONAL,
attestationIdBrand [710] EXPLICIT OCTET_STRING OPTIONAL,
attestationIdDevice [711] EXPLICIT OCTET_STRING OPTIONAL,
attestationIdProduct [712] EXPLICIT OCTET_STRING OPTIONAL,
attestationIdSerial [713] EXPLICIT OCTET_STRING OPTIONAL,
attestationIdImei [714] EXPLICIT OCTET_STRING OPTIONAL,
attestationIdMeid [715] EXPLICIT OCTET_STRING OPTIONAL,
attestationIdManufacturer [716] EXPLICIT OCTET_STRING OPTIONAL,
attestationIdModel [717] EXPLICIT OCTET_STRING OPTIONAL,
vendorPatchLevel [718] EXPLICIT INTEGER OPTIONAL,
bootPatchLevel [719] EXPLICIT INTEGER OPTIONAL,
}
RootOfTrust ::= SEQUENCE {
verifiedBootKey OCTET_STRING,
deviceLocked BOOLEAN,
verifiedBootState VerifiedBootState,
verifiedBootHash OCTET_STRING,
}
VerifiedBootState ::= ENUMERATED {
Verified (0),
SelfSigned (1),
Unverified (2),
Failed (3),
}
Because, to make it work with python asn1tools and https://asn1.io/asn1playground/, I had to:
- remove the trailing commas,
- change attestationVersion 3 to attestationVersion INTEGER, and OCTET_STRING to OCTET STRING,
- and camelCase all the enumeration keys.
ASN1 DEFINITIONS ::= BEGIN
KeyDescription ::= SEQUENCE {
attestationVersion INTEGER,
attestationSecurityLevel SecurityLevel,
keymasterVersion INTEGER,
keymasterSecurityLevel SecurityLevel,
attestationChallenge OCTET STRING,
uniqueId OCTET STRING,
softwareEnforced AuthorizationList,
teeEnforced AuthorizationList
}
SecurityLevel ::= ENUMERATED {
software (0),
trustedEnvironment (1),
strongBox (2)
}
AuthorizationList ::= SEQUENCE {
purpose [1] EXPLICIT SET OF INTEGER OPTIONAL,
algorithm [2] EXPLICIT INTEGER OPTIONAL,
keySize [3] EXPLICIT INTEGER OPTIONAL,
digest [5] EXPLICIT SET OF INTEGER OPTIONAL,
padding [6] EXPLICIT SET OF INTEGER OPTIONAL,
ecCurve [10] EXPLICIT INTEGER OPTIONAL,
rsaPublicExponent [200] EXPLICIT INTEGER OPTIONAL,
rollbackResistance [303] EXPLICIT NULL OPTIONAL,
activeDateTime [400] EXPLICIT INTEGER OPTIONAL,
originationExpireDateTime [401] EXPLICIT INTEGER OPTIONAL,
usageExpireDateTime [402] EXPLICIT INTEGER OPTIONAL,
noAuthRequired [503] EXPLICIT NULL OPTIONAL,
userAuthType [504] EXPLICIT INTEGER OPTIONAL,
authTimeout [505] EXPLICIT INTEGER OPTIONAL,
allowWhileOnBody [506] EXPLICIT NULL OPTIONAL,
trustedUserPresenceRequired [507] EXPLICIT NULL OPTIONAL,
trustedConfirmationRequired [508] EXPLICIT NULL OPTIONAL,
unlockedDeviceRequired [509] EXPLICIT NULL OPTIONAL,
allApplications [600] EXPLICIT NULL OPTIONAL,
applicationId [601] EXPLICIT OCTET STRING OPTIONAL,
creationDateTime [701] EXPLICIT INTEGER OPTIONAL,
origin [702] EXPLICIT INTEGER OPTIONAL,
rootOfTrust [704] EXPLICIT RootOfTrust OPTIONAL,
osVersion [705] EXPLICIT INTEGER OPTIONAL,
osPatchLevel [706] EXPLICIT INTEGER OPTIONAL,
attestationApplicationId [709] EXPLICIT OCTET STRING OPTIONAL,
attestationIdBrand [710] EXPLICIT OCTET STRING OPTIONAL,
attestationIdDevice [711] EXPLICIT OCTET STRING OPTIONAL,
attestationIdProduct [712] EXPLICIT OCTET STRING OPTIONAL,
attestationIdSerial [713] EXPLICIT OCTET STRING OPTIONAL,
attestationIdImei [714] EXPLICIT OCTET STRING OPTIONAL,
attestationIdMeid [715] EXPLICIT OCTET STRING OPTIONAL,
attestationIdManufacturer [716] EXPLICIT OCTET STRING OPTIONAL,
attestationIdModel [717] EXPLICIT OCTET STRING OPTIONAL,
vendorPatchLevel [718] EXPLICIT INTEGER OPTIONAL,
bootPatchLevel [719] EXPLICIT INTEGER OPTIONAL
}
RootOfTrust ::= SEQUENCE {
verifiedBootKey OCTET STRING,
deviceLocked BOOLEAN,
verifiedBootState VerifiedBootState,
verifiedBootHash OCTET STRING
}
VerifiedBootState ::= ENUMERATED {
verified (0),
selfSigned (1),
unverified (2),
failed (3)
}
END
The corrections you made are necessary. The first ASN.1 specification above contains all the errors you listed.
The reason you had to fix this specification is that it is not meant for tools but only for human readers.
Before the errors you mention, you will notice that there is no module definition (just assignments), which is a very bad start. The tag default is essential for validating the tags.
This specification is plain text and is not used anywhere as an input file for an ASN.1 tool.
In their sample, Google is using the Bouncycastle library (so they do not need a valid specification).
Still, it would not hurt to validate the ASN.1 specification, or the ASN.1 assignments (in this case), when publishing them in an article...