refactor(protocol): adjust formatting

james-d-elliott · james-d-elliott · commit 2df9bdbc25d4 · 2024-12-22T23:53:13.000+11:00
This addresses formatting styles from the previous commit.
diff --git a/metadata/metadata.go b/metadata/metadata.go
@@ -319,15 +319,26 @@ type Statement struct {
 	AuthenticatorGetInfo AuthenticatorGetInfo
 }
 
-func (s *Statement) Verifier() (opts x509.VerifyOptions) {
+func (s *Statement) Verifier(x5cis []*x509.Certificate) (opts x509.VerifyOptions) {
 	roots := x509.NewCertPool()
 
 	for _, root := range s.AttestationRootCertificates {
 		roots.AddCert(root)
 	}
 
+	var intermediates *x509.CertPool
+
+	if len(x5cis) > 0 {
+		intermediates = x509.NewCertPool()
+
+		for _, x5c := range x5cis {
+			intermediates.AddCert(x5c)
+		}
+	}
+
 	return x509.VerifyOptions{
-		Roots: roots,
+		Roots:         roots,
+		Intermediates: intermediates,
 	}
 }
 
diff --git a/protocol/attestation.go b/protocol/attestation.go
@@ -232,55 +232,55 @@ func (a *AttestationObject) VerifyAttestation(clientDataHash []byte, mds metadat
 		}
 
 		var (
-			x5c     *x509.Certificate
-			parents []*x509.Certificate
+			x5c, parsed *x509.Certificate
+			x5cis       []*x509.Certificate
+			raw         []byte
+			ok          bool
 		)
 
 		if len(x5cs) == 0 {
 			return ErrInvalidAttestation.WithDetails("Unable to parse attestation certificate from x5c during attestation validation").WithInfo("The attestation had no certificates")
 		}
 
 		for _, x5cAny := range x5cs {
-			x5cRaw, ok := x5cAny.([]byte)
-			if !ok {
+			if raw, ok = x5cAny.([]byte); !ok {
 				return ErrInvalidAttestation.WithDetails("Unable to parse attestation certificate from x5c during attestation validation").WithInfo(fmt.Sprintf("The first certificate in the attestation was type '%T' but '[]byte' was expected", x5cs[0]))
 			}
-			x5cParsed, err := x509.ParseCertificate(x5cRaw)
-			if err != nil {
+
+			if parsed, err = x509.ParseCertificate(raw); err != nil {
 				return ErrInvalidAttestation.WithDetails("Unable to parse attestation certificate from x5c during attestation validation").WithInfo(fmt.Sprintf("Error returned from x509.ParseCertificate: %+v", err))
 			}
+
 			if x5c == nil {
-				x5c = x5cParsed
+				x5c = parsed
 			} else {
-				parents = append(parents, x5cParsed)
+				x5cis = append(x5cis, parsed)
 			}
 		}
 
 		if attestationType == string(metadata.AttCA) {
 			if err = tpmParseSANExtension(x5c); err != nil {
 				return err
 			}
+
 			if err = tpmRemoveEKU(x5c); err != nil {
 				return err
 			}
-			for _, parent := range parents {
+
+			for _, parent := range x5cis {
 				if err = tpmRemoveEKU(parent); err != nil {
 					return err
 				}
 			}
 		}
 
-		if x5c.Subject.CommonName != x5c.Issuer.CommonName {
+		if x5c != nil && x5c.Subject.CommonName != x5c.Issuer.CommonName {
 			if !entry.MetadataStatement.AttestationTypes.HasBasicFull() {
 				return ErrInvalidAttestation.WithDetails("Unable to validate attestation statement signature during attestation validation: attestation with full attestation from authenticator that does not support full attestation")
 			}
-			verifier := entry.MetadataStatement.Verifier()
-			if len(parents) != 0 {
-				verifier.Intermediates = x509.NewCertPool()
-				for _, parent := range parents {
-					verifier.Intermediates.AddCert(parent)
-				}
-			}
+
+			verifier := entry.MetadataStatement.Verifier(x5cis)
+
 			if _, err = x5c.Verify(verifier); err != nil {
 				return ErrInvalidAttestation.WithDetails(fmt.Sprintf("Unable to validate attestation signature statement during attestation validation: invalid certificate chain from MDS: %v", err))
 			}
diff --git a/protocol/attestation_tpm.go b/protocol/attestation_tpm.go
@@ -395,35 +395,40 @@ var (
 	oidExtensionSubjectAltName   = []int{2, 5, 29, 17}
 	oidExtensionExtendedKeyUsage = []int{2, 5, 29, 37}
 	oidExtensionBasicConstraints = []int{2, 5, 29, 19}
-
-	// From wincrypt.h of Windows SDK.
-	// Enhanced Key Usage for Privacy CA encryption certificate
-	oidKpPrivacyCA = []int{1, 3, 6, 1, 4, 1, 311, 21, 36}
+	oidKpPrivacyCA               = []int{1, 3, 6, 1, 4, 1, 311, 21, 36}
 )
 
 type tpmBasicConstraints struct {
 	IsCA       bool `asn1:"optional"`
 	MaxPathLen int  `asn1:"optional,default:-1"`
 }
 
-// remove extension key usage to avoid ExtKeyUsage check failure
-// see also https://github.com/go-webauthn/webauthn/issues/342
+// Remove extension key usage to avoid ExtKeyUsage check failure.
 func tpmRemoveEKU(x5c *x509.Certificate) error {
-	var unknown []asn1.ObjectIdentifier
-	hasAiK := false
+	var (
+		unknown []asn1.ObjectIdentifier
+		hasAiK  bool
+	)
+
 	for _, eku := range x5c.UnknownExtKeyUsage {
 		if eku.Equal(tcgKpAIKCertificate) {
 			hasAiK = true
+
 			continue
 		}
+
 		if eku.Equal(oidKpPrivacyCA) {
 			continue
 		}
+
 		unknown = append(unknown, eku)
 	}
+
 	if !hasAiK {
 		return ErrAttestationFormat.WithDetails("AIK certificate missing EKU")
 	}
+
 	x5c.UnknownExtKeyUsage = unknown
+
 	return nil
 }

Original file line number	Diff line number	Diff line change
`@@ -232,55 +232,55 @@ func (a *AttestationObject) VerifyAttestation(clientDataHash []byte, mds metadat`
`232`	`232`	`}`
`233`	`233`
`234`	`234`	`var (`
`235`		`- x5c *x509.Certificate`
`236`		`- parents []*x509.Certificate`
	`235`	`+ x5c, parsed *x509.Certificate`
	`236`	`+ x5cis []*x509.Certificate`
	`237`	`+ raw []byte`
	`238`	`+ ok bool`
`237`	`239`	`)`
`238`	`240`
`239`	`241`	`if len(x5cs) == 0 {`
`240`	`242`	`return ErrInvalidAttestation.WithDetails("Unable to parse attestation certificate from x5c during attestation validation").WithInfo("The attestation had no certificates")`
`241`	`243`	`}`
`242`	`244`
`243`	`245`	`for _, x5cAny := range x5cs {`
`244`		`- x5cRaw, ok := x5cAny.([]byte)`
`245`		`- if !ok {`
	`246`	`+ if raw, ok = x5cAny.([]byte); !ok {`
`246`	`247`	`return ErrInvalidAttestation.WithDetails("Unable to parse attestation certificate from x5c during attestation validation").WithInfo(fmt.Sprintf("The first certificate in the attestation was type '%T' but '[]byte' was expected", x5cs[0]))`
`247`	`248`	`}`
`248`		`- x5cParsed, err := x509.ParseCertificate(x5cRaw)`
`249`		`- if err != nil {`
	`249`	`+`
	`250`	`+ if parsed, err = x509.ParseCertificate(raw); err != nil {`
`250`	`251`	`return ErrInvalidAttestation.WithDetails("Unable to parse attestation certificate from x5c during attestation validation").WithInfo(fmt.Sprintf("Error returned from x509.ParseCertificate: %+v", err))`
`251`	`252`	`}`
	`253`	`+`
`252`	`254`	`if x5c == nil {`
`253`		`- x5c = x5cParsed`
	`255`	`+ x5c = parsed`
`254`	`256`	`} else {`
`255`		`- parents = append(parents, x5cParsed)`
	`257`	`+ x5cis = append(x5cis, parsed)`
`256`	`258`	`}`
`257`	`259`	`}`
`258`	`260`
`259`	`261`	`if attestationType == string(metadata.AttCA) {`
`260`	`262`	`if err = tpmParseSANExtension(x5c); err != nil {`
`261`	`263`	`return err`
`262`	`264`	`}`
	`265`	`+`
`263`	`266`	`if err = tpmRemoveEKU(x5c); err != nil {`
`264`	`267`	`return err`
`265`	`268`	`}`
`266`		`- for _, parent := range parents {`
	`269`	`+`
	`270`	`+ for _, parent := range x5cis {`
`267`	`271`	`if err = tpmRemoveEKU(parent); err != nil {`
`268`	`272`	`return err`
`269`	`273`	`}`
`270`	`274`	`}`
`271`	`275`	`}`
`272`	`276`
`273`		`- if x5c.Subject.CommonName != x5c.Issuer.CommonName {`
	`277`	`+ if x5c != nil && x5c.Subject.CommonName != x5c.Issuer.CommonName {`
`274`	`278`	`if !entry.MetadataStatement.AttestationTypes.HasBasicFull() {`
`275`	`279`	`return ErrInvalidAttestation.WithDetails("Unable to validate attestation statement signature during attestation validation: attestation with full attestation from authenticator that does not support full attestation")`
`276`	`280`	`}`
`277`		`- verifier := entry.MetadataStatement.Verifier()`
`278`		`- if len(parents) != 0 {`
`279`		`- verifier.Intermediates = x509.NewCertPool()`
`280`		`- for _, parent := range parents {`
`281`		`- verifier.Intermediates.AddCert(parent)`
`282`		`- }`
`283`		`- }`
	`281`	`+`
	`282`	`+ verifier := entry.MetadataStatement.Verifier(x5cis)`
	`283`	`+`
`284`	`284`	`if _, err = x5c.Verify(verifier); err != nil {`
`285`	`285`	`return ErrInvalidAttestation.WithDetails(fmt.Sprintf("Unable to validate attestation signature statement during attestation validation: invalid certificate chain from MDS: %v", err))`
`286`	`286`	`}`