1.0 Introduction
Fortanix DSM can issue key provenance attestation statements that are cryptographically verifiable proofs about certain types of asymmetric keys that are managed in DSM.
This document describes the steps to verify DSM key attestation statements and extract claims about the target key. The claims about the target key can then be used by a certificate authority (CA) for whatever purposes they see fit.
The following types of claims can be extracted from a Fortanix DSM key attestation statement and a certificate path:
- The protection properties of the DSM cluster holding the key, for example: the cluster is running on hardware with physical protection.
- The allowed key usages.
- Whether the key was generated in Fortanix DSM.
- Whether the key has ever been exportable.
2.0 Fortanix Attestation and Provisioning Key Hierarchy
Figure 1: Fortanix Attestation and Provisioning PKI Hierarchy
3.0 Fortanix DSM Key Attestation Statement Format
This section describes the JSON format of the key attestation statements that Fortanix DSM issues. This format is the same as the output of the KeyAttestation API (POST /crypto/v1/keys/key_attestation) in DSM SaaS. For more information, refer to the Fortanix Open API documentation.
The key attestation statement is a JSON object with the following fields:
- authority_chain: An array of base64-encoded blobs; each blob is a DER-encoded X.509 certificate.
- attestation_statement: An object with the following fields:
  - format: A string describing the format of the statement field. See below for a list of possible formats.
  - statement: A base64-encoded blob.
The supported formats for attestation statements are:
- x509_certificate: the statement field contains an attestation statement formatted as a DER-encoded X.509 certificate.
The following is an example key attestation statement JSON object (the base64 blobs are elided):
{
  "authority_chain": [
    "<base64-encoded DER certificate>",
    "<base64-encoded DER certificate>",
    "<base64-encoded DER certificate>"
  ],
  "attestation_statement": {
    "format": "x509_certificate",
    "statement": "<base64-encoded DER attestation statement>"
  }
}
3.1 Authority Chain Certificates
The authority_chain field contains the following certificates:
- Key Attestation Authority Certificate: This is the end-entity certificate in the authority_chain field.
- Key Attestation CA Certificate: This refers to any non-self-signed CA certificate in the authority_chain field.
- Fortanix Attestation and Provisioning Root CA Certificate: This certificate can be obtained from https://pki.fortanix.com/Fortanix_Attestation_and_Provisioning_Root_CA.crt.
The Subject of the Key Attestation Authority Certificate identifies the DSM cluster. The Key Attestation Authority Certificate will have the following extended key usage:
fortanixKeyAttestationSigning = 1.3.6.1.4.1.49690.8.1
The Key Attestation Authority Certificate will have the following certificate policy:
fortanixKeyAttestationPkiCertificatePolicy = 1.3.6.1.4.1.49690.6.1.2
The Key Attestation Authority Certificate will have the following certificate extension, containing claims:
fortanixClusterNodeEnrollmentPolicy = 1.3.6.1.4.1.49690.2.5
3.2 Key Attestation Statement
The attestation_statement object specifies in its format field the format of the Key Attestation Statement carried in its statement field.
- x509_certificate format
A Key Attestation Statement is not a public-key certificate, but the same format is used. The fields in the certificate have the following meaning:
- The Subject Public Key Info specifies the public key of the Target Key.
- The Subject contains the following DN attribute, uniquely identifying the Target Key object in DSM:
  - Attribute type: fortanixKeyId = 1.3.6.1.4.1.49690.1.2.2
  - Attribute value:
    -- The value should contain a human-readable UUID
    -- of form `xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx`
    -- Example: 3cc1bec3-4fc1-4df9-9538-8f40577d126e
    KeyID ::= UTF8String
- The Issuer and the Authority Key Identifier extension identify the authority that issued the Key Attestation Statement. The Signature Algorithm and Signature describe the cryptographic signature from the Key Attestation Authority.
- The Validity "not before" time indicates when the Key Attestation Statement was signed.
- The Key Usage extension may contain the following bits:
  - Digital Signature: sign key usage claim
  - Key Encipherment: unwrap key usage claim
  - Data Encipherment: decrypt key usage claim
  - Key Agreement: agree key usage claim
- The following extensions may be included, containing claims:
  fortanixKeyGeneratedInDSM = 1.3.6.1.4.1.49690.2.4.1.1
  fortanixKeyNeverExportable = 1.3.6.1.4.1.49690.2.4.1.2
3.3 Claims
3.3.1 Claims About the Protection Properties of the DSM Cluster
The fortanixClusterNodeEnrollmentPolicy extension
This claim indicates the policy that applies to nodes in the DSM cluster. The policy is a list of policy items, all of which must be met in order for a node to become part of the cluster.
The claim value is the following ASN.1 type:
ClusterNodeEnrollmentPolicy ::= SEQUENCE SIZE (1..MAX) OF NodeEnrollmentPolicyItem
NodeEnrollmentPolicyItem ::= SEQUENCE {
policyItem OBJECT IDENTIFIER,
qualifiers ANY DEFINED BY policyItem OPTIONAL
}
The following is a list of defined policy items:
- Minimum protection profile:
  fortanixNodeEnrollmentPolicyItemMinimumProtectionProfile = 1.3.6.1.4.1.49690.2.5.1
  MinimumProtectionProfile ::= CHOICE { wellKnown OBJECT IDENTIFIER, }
  The following well-known protection profiles are defined:
  fortanixFX2200 = 1.3.6.1.4.1.49690.2.5.1.1
  - The computing environment is protected using an Intel SGX Trusted Execution Environment of one of the following SGX types:
    - Standard
    - Scalable with Cryptographic Integrity
  - The node is a Fortanix FX2200 appliance.
  - The node is compliant with at least FIPS 140-2 or 140-3 hardware level 2.
- Site operator approval required:
  fortanixNodeEnrollmentPolicyItemSiteOperatorApprovalRequired = 1.3.6.1.4.1.49690.2.5.2
  - This policy item has no qualifiers.
  - This policy item indicates that a site operator must approve the enrollment of nodes into the cluster.
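As an added example (not Fortanix code), the following pure-Python decoder walks a fortanixClusterNodeEnrollmentPolicy value according to the ASN.1 above and maps the policy item OIDs to the names defined in this section. The DER value it decodes is a constructed sample, not one taken from a real Key Attestation Authority Certificate.

```python
POLICY_ITEMS = {"1.3.6.1.4.1.49690.2.5.1": "MinimumProtectionProfile",
                "1.3.6.1.4.1.49690.2.5.2": "SiteOperatorApprovalRequired"}
WELL_KNOWN_PROFILES = {"1.3.6.1.4.1.49690.2.5.1.1": "fortanixFX2200"}
SEQUENCE, OBJECT_IDENTIFIER = 0x30, 0x06

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, position after the TLV)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length: low 7 bits give the number of length octets
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _oid(value):
    """Decode the body of a DER OBJECT IDENTIFIER to dotted notation."""
    arcs, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)

def parse_policy(der):
    """ClusterNodeEnrollmentPolicy ::= SEQUENCE SIZE (1..MAX) OF NodeEnrollmentPolicyItem."""
    tag, body, _ = _tlv(der, 0)
    if tag != SEQUENCE:
        raise ValueError("ClusterNodeEnrollmentPolicy must be a SEQUENCE")
    items, pos = [], 0
    while pos < len(body):
        tag, item, pos = _tlv(body, pos)          # one NodeEnrollmentPolicyItem
        t, oid_bytes, q = _tlv(item, 0)           # policyItem OBJECT IDENTIFIER
        if tag != SEQUENCE or t != OBJECT_IDENTIFIER:
            raise ValueError("malformed NodeEnrollmentPolicyItem")
        oid, qualifier = _oid(oid_bytes), item[q:] or None  # qualifiers ANY DEFINED BY policyItem OPTIONAL
        if oid == "1.3.6.1.4.1.49690.2.5.1" and qualifier:   # MinimumProtectionProfile: wellKnown OID
            qt, qv, _ = _tlv(qualifier, 0)
            if qt == OBJECT_IDENTIFIER:
                qualifier = WELL_KNOWN_PROFILES.get(_oid(qv), _oid(qv))
        items.append((POLICY_ITEMS.get(oid, oid), qualifier))
    if not items:
        raise ValueError("policy must contain at least one item")
    return items

def requires_fx2200(items):
    """True if the cluster policy pins the fortanixFX2200 protection profile."""
    return ("MinimumProtectionProfile", "fortanixFX2200") in items

# Constructed sample value: MinimumProtectionProfile = fortanixFX2200 plus SiteOperatorApprovalRequired.
SAMPLE_POLICY = bytes.fromhex(
    "302c301b060b2b0601040183841a020501060c2b0601040183841a02050101"
    "300d060b2b0601040183841a020502")
```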
3.3.2 Claims About the Target Key
Key Usage Claims
Key usage claims indicate for which purposes the Target Key may be used. DSM will not use the Target Key for any purposes not claimed. The following are the key usage claims:
- sign: the Target Key can be used to generate digital signatures.
- unwrap: the Target Key can be used to decrypt (unwrap) other cryptographic keys.
- decrypt: the Target Key can be used to decrypt data.
- agree: the Target Key can be used for key agreement.
The following additional claims about the Target Key may be included:
- fortanixKeyGeneratedInDSM: This claim indicates that the Target Key was generated in DSM. The claim value is the empty ASN.1 SEQUENCE.
- fortanixKeyNeverExportable: This claim indicates that the Target Key was never exported from DSM and may not be exported in the future. This prohibition also includes export in encrypted form. The claim value is the empty ASN.1 SEQUENCE.
4.0 Verify the Key Attestation Statements
All of the following steps should be performed prior to relying on the Target Key.
4.1 Validate the Authority Chain
The first step is to verify the authority chain. The objective is to ensure that the authority chain ends in the Fortanix Attestation and Provisioning Root CA.
The authority chain must be built using the standard X.509 certification path building procedure, and the standard [ST1] X.509 certification path validation procedure must be used to verify that the authority chain forms a valid path. The path-building and validation procedures should be called with the following inputs:
- Target certificate: the Key Attestation Authority Certificate
- Collection of certificates that may be useful in building the path: the Key Attestation CA Certificates
- Trust list: the Fortanix Attestation and Provisioning Root CA Certificate
- Initial user acceptable policy set: initialized with fortanixKeyAttestationPkiCertificatePolicy
4.2 Validate the Key Attestation Authority Certificate
- If the Key Attestation Authority Certificate contains a Key Usage extension, check that digital signature is allowed.
- If the Key Attestation Authority Certificate contains a Basic Constraints extension, check that CA is set to false.
- Check that the Key Attestation Authority Certificate contains an Extended Key Usage extension, and that the extension includes fortanixKeyAttestationSigning.
4.3 Validate the Key Attestation Statement
The next step is to ensure that the Fortanix DSM Key Attestation Statement is valid and properly signed by the Key Attestation Authority Certificate. The exact method for verifying this depends on the attestation statement format:
- For the x509_certificate format, since the attestation statement is formatted as an X.509 certificate, the X.509 certification path validation procedure can be used to verify that the attestation statement is signed by the Fortanix DSM Key Attestation Authority. The procedure should be called with the following inputs:
  - Certification path: the Key Attestation Statement
  - Trust anchor information: the previously identified Key Attestation Authority Certificate
  - user-initial-policy-set: any-policy
4.4 Validate the Claims
The Key Attestation Authority Certificate and Key Attestation Statement must be checked for claims that are of interest.
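The following is an added example, not Fortanix code. It assumes the authority chain has already been validated per section 4.1 with a standards-compliant path validator, and uses the Python cryptography library to carry out the section 4.2 checks, the section 4.3 signature check for the x509_certificate format, and the extraction of the section 3.3.2 claims. The authority certificate and statement it verifies are constructed mocks (a self-signed mock authority with a made-up cluster name, and a Target Key UUID copied from the example in section 3.2); the OIDs are the ones this document defines.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

OID = x509.ObjectIdentifier  # the OIDs below are the ones named in sections 3.1 and 3.2
KEY_ATTESTATION_SIGNING, KEY_ID = OID("1.3.6.1.4.1.49690.8.1"), OID("1.3.6.1.4.1.49690.1.2.2")
GENERATED_IN_DSM, NEVER_EXPORTABLE = OID("1.3.6.1.4.1.49690.2.4.1.1"), OID("1.3.6.1.4.1.49690.2.4.1.2")
USAGE_BITS = {"digital_signature": "sign", "key_encipherment": "unwrap",  # Key Usage bit -> usage claim
              "data_encipherment": "decrypt", "key_agreement": "agree"}

def check_authority(auth):  # section 4.2 checks on the Key Attestation Authority Certificate
    ext = {e.oid: e.value for e in auth.extensions}
    ku, bc = ext.get(x509.ExtensionOID.KEY_USAGE), ext.get(x509.ExtensionOID.BASIC_CONSTRAINTS)
    if (ku is not None and not ku.digital_signature) or (bc is not None and bc.ca):
        raise ValueError("authority certificate must allow digitalSignature and must not be a CA")
    eku = ext.get(x509.ExtensionOID.EXTENDED_KEY_USAGE)
    if eku is None or KEY_ATTESTATION_SIGNING not in eku:
        raise ValueError("authority certificate lacks the fortanixKeyAttestationSigning EKU")

def extract_claims(stmt, auth):  # section 4.3 signature check, then the section 3.3.2 claims
    check_authority(auth)
    if stmt.issuer != auth.subject:
        raise ValueError("statement was not issued by this authority")
    auth.public_key().verify(stmt.signature, stmt.tbs_certificate_bytes,
                             ec.ECDSA(stmt.signature_hash_algorithm))  # raises InvalidSignature
    ext = {e.oid: e.value for e in stmt.extensions}
    ku = ext[x509.ExtensionOID.KEY_USAGE]  # Key Usage bits carry the sign/unwrap/decrypt/agree claims
    return {"key_id": stmt.subject.get_attributes_for_oid(KEY_ID)[0].value,
            "usages": [claim for bit, claim in USAGE_BITS.items() if getattr(ku, bit)],
            "generated_in_dsm": GENERATED_IN_DSM in ext, "never_exportable": NEVER_EXPORTABLE in ext}

def _cert(subject, issuer, pub, signer, exts):  # minimal certificate builder for the mock data
    now = dt.datetime.now(dt.timezone.utc)
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer).public_key(pub)
         .serial_number(x509.random_serial_number()).not_valid_before(now).not_valid_after(now + dt.timedelta(1)))
    for e in exts:
        b = b.add_extension(e, critical=False)
    return b.sign(signer, hashes.SHA256())

def make_sample():  # constructed mock authority certificate and statement; not data issued by Fortanix DSM
    auth_key, target_key = ec.generate_private_key(ec.SECP256R1()), ec.generate_private_key(ec.SECP256R1())
    auth_name = x509.Name([x509.NameAttribute(x509.NameOID.COMMON_NAME, "mock-dsm-cluster")])
    auth = _cert(auth_name, auth_name, auth_key.public_key(), auth_key, [
        x509.BasicConstraints(ca=False, path_length=None), x509.ExtendedKeyUsage([KEY_ATTESTATION_SIGNING])])
    stmt = _cert(x509.Name([x509.NameAttribute(KEY_ID, "3cc1bec3-4fc1-4df9-9538-8f40577d126e")]), auth_name,
                 target_key.public_key(), auth_key,
                 [x509.KeyUsage(True, False, False, True, False, False, False, False, False),  # sign + decrypt
                  x509.UnrecognizedExtension(GENERATED_IN_DSM, b"\x30\x00")])  # claim value: empty SEQUENCE
    return stmt, auth
```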