class TPM::AIKCertificate

Checks an Attestation Identity Key (AIK) certificate against the profile requirements in Section 3.2 of www.trustedcomputinggroup.org/wp-content/uploads/Credential_Profile_EK_V2.0_R14_published.pdf (TCG EK Credential Profile 2.0, revision 14).

Constants

ASN_V3
EMPTY_NAME
OID_TCG
OID_TCG_AT_TPM_MANUFACTURER
OID_TCG_AT_TPM_MODEL
OID_TCG_AT_TPM_VERSION
OID_TCG_KP_AIK_CERTIFICATE
SAN_DIRECTORY_NAME

Public Class Methods

from_der(certificate_der)
# File lib/tpm/aik_certificate.rb, line 19
# Builds an AIKCertificate from a DER-encoded X.509 certificate.
#
# certificate_der:: String holding the certificate bytes in DER form.
#
# Returns a new AIKCertificate wrapping the parsed OpenSSL::X509::Certificate.
# OpenSSL raises OpenSSL::X509::CertificateError for bytes it cannot parse.
# No conformance checking happens here; call #conformant? on the result.
def self.from_der(certificate_der)
  parsed = OpenSSL::X509::Certificate.new(certificate_der)
  new(parsed)
end

Public Instance Methods

conformant?
# File lib/tpm/aik_certificate.rb, line 23
# Reports whether the certificate meets every structural requirement of the
# AIK certificate profile this class implements. The checks run in order and
# stop at the first failure, so the result is the first falsy check value
# (nil or false) or, when everything passes, the value of the last check.
#
# Checked, in order: validity period (#in_use?), X.509 v3 (#valid_version?),
# the expected extendedKeyUsage, a critical CA:FALSE basicConstraints, an
# empty subject, and a critical subjectAltName naming the TPM manufacturer,
# model and version.
#
# NOTE(security): this is a profile check only. Nothing in this method
# verifies the certificate's signature, chains it to a trusted manufacturer
# CA, or checks revocation; a caller trusting the AIK must do that separately.
def conformant?
  basics = in_use? && valid_version?
  extensions_ok = basics && valid_extended_key_usage? && valid_basic_constraints?
  extensions_ok && empty_subject? && valid_subject_alternative_name?
end

Private Instance Methods

empty_subject?
# File lib/tpm/aik_certificate.rb, line 56
# True when the certificate's subject is the empty distinguished name, i.e.
# it compares equal to EMPTY_NAME under OpenSSL::X509::Name#eql?.
# The profile checked by this class puts the TPM identity in the
# subjectAltName, so the subject itself must be empty.
def empty_subject?
  dn = subject
  dn.eql?(EMPTY_NAME)
end
extension(oid)
# File lib/tpm/aik_certificate.rb, line 70
# Returns the first certificate extension whose OpenSSL::X509::Extension#oid
# equals +oid+ (callers in this class pass OpenSSL short names such as
# "subjectAltName"), or nil when no such extension exists.
# Only the first match is returned; duplicate extensions are not detected.
def extension(oid)
  extensions.find { |candidate| candidate.oid == oid }
end
in_use?
# File lib/tpm/aik_certificate.rb, line 34
# True when the current wall-clock time lies strictly between notBefore and
# notAfter (the exact boundary instants count as not in use). The clock is
# sampled once so both bounds are compared against the same instant.
# This trusts the local system clock; a skewed clock makes the check wrong.
def in_use?
  moment = Time.now
  return false unless not_before < moment

  moment < not_after
end
san_extension
# File lib/tpm/aik_certificate.rb, line 108
# The certificate's subjectAltName extension (as an OpenSSL::X509::Extension),
# or nil when the certificate has none.
def san_extension
  san_oid = "subjectAltName"
  extension(san_oid)
end
san_name
# File lib/tpm/aik_certificate.rb, line 92
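# Extracts the directoryName entry of the subjectAltName extension as an
# array of [oid, value, type] triples (OpenSSL::X509::Name#to_a).
#
# Returns nil when the certificate has no subjectAltName, or when the SAN
# carries no directoryName GeneralName (context-specific tag
# SAN_DIRECTORY_NAME). Only the first directoryName is considered.
# Malformed DER inside the extension may raise OpenSSL::ASN1::ASN1Error.
def san_name
  ext = san_extension
  return unless ext

  # An X.509 Extension is SEQUENCE { extnID, critical BOOLEAN OPTIONAL,
  # extnValue OCTET STRING }; decode serialises the extension object via
  # #to_der and the OCTET STRING holds the DER of GeneralNames.
  extn_value =
    OpenSSL::ASN1.decode(ext).find do |val|
      val.tag_class == :UNIVERSAL && val.tag == OpenSSL::ASN1::OCTET_STRING
    end
  return unless extn_value

  # GeneralNames is SEQUENCE OF GeneralName; directoryName is an EXPLICIT
  # context-specific tag whose single element is the Name SEQUENCE.
  directory_name =
    OpenSSL::ASN1.decode(extn_value.value).find do |val|
      val.tag_class == :CONTEXT_SPECIFIC && val.tag == SAN_DIRECTORY_NAME
    end
  # A SAN with no directoryName (e.g. only dNSName entries) used to raise
  # NoMethodError here; report "no name" instead so the conformance checks
  # can fail cleanly on such a certificate rather than abort.
  return unless directory_name

  OpenSSL::X509::Name.new(directory_name.value.first).to_a
end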
tpm_manufacturer
# File lib/tpm/aik_certificate.rb, line 74
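# The TPM manufacturer attribute (OID_TCG_AT_TPM_MANUFACTURER) from the SAN
# directoryName, or nil when there is no directoryName or the attribute is
# absent. Previously an absent attribute raised NoMethodError (nil.at),
# letting a malformed certificate abort #conformant? instead of failing it.
def tpm_manufacturer
  name = san_name
  return unless name

  entry = name.assoc(OID_TCG_AT_TPM_MANUFACTURER)
  entry && entry.at(1)
end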
tpm_model
# File lib/tpm/aik_certificate.rb, line 80
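# The TPM model attribute (OID_TCG_AT_TPM_MODEL) from the SAN directoryName,
# or nil when there is no directoryName or the attribute is absent.
# Previously an absent attribute raised NoMethodError (nil.at), letting a
# malformed certificate abort #conformant? instead of failing it.
def tpm_model
  name = san_name
  return unless name

  entry = name.assoc(OID_TCG_AT_TPM_MODEL)
  entry && entry.at(1)
end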
tpm_version
# File lib/tpm/aik_certificate.rb, line 86
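# The TPM version attribute (OID_TCG_AT_TPM_VERSION) from the SAN
# directoryName, or nil when there is no directoryName or the attribute is
# absent. Previously an absent attribute raised NoMethodError (nil.at),
# letting a malformed certificate abort #conformant? instead of failing it.
def tpm_version
  name = san_name
  return unless name

  entry = name.assoc(OID_TCG_AT_TPM_VERSION)
  entry && entry.at(1)
end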
valid_basic_constraints?
# File lib/tpm/aik_certificate.rb, line 44
# True when basicConstraints is present, marked critical, and its printed
# value is exactly "CA:FALSE" (so the certificate is not a CA and carries no
# pathLenConstraint). Returns nil when the extension is missing.
def valid_basic_constraints?
  ext = extension("basicConstraints")
  return unless ext

  ext.critical? && ext.value == "CA:FALSE"
end
valid_extended_key_usage?
# File lib/tpm/aik_certificate.rb, line 50
# True when extendedKeyUsage is present, NOT marked critical, and its printed
# value equals OID_TCG_KP_AIK_CERTIFICATE — i.e. the AIK purpose is the only
# purpose listed. Returns nil when the extension is missing.
#
# The comparison is textual against OpenSSL::X509::Extension#value, so the
# constant must match how the installed OpenSSL renders that OID.
def valid_extended_key_usage?
  ext = extension("extendedKeyUsage")
  return unless ext

  !ext.critical? && ext.value == OID_TCG_KP_AIK_CERTIFICATE
end
valid_subject_alternative_name?
# File lib/tpm/aik_certificate.rb, line 60
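# Validates the subjectAltName against the TPM identity requirements: the
# extension must be critical, and its directoryName must carry a non-empty
# tpmManufacturer listed in TPM::VENDOR_IDS plus a non-empty tpmModel and
# tpmVersion.
#
# Returns nil when there is no subjectAltName at all, otherwise true/false.
# A missing attribute (nil from #tpm_manufacturer & co.) now yields false;
# previously it raised NoMethodError (nil.empty?), so an attacker-supplied
# certificate with a truncated directoryName could abort #conformant?
# instead of simply failing it.
def valid_subject_alternative_name?
  ext = san_extension
  return unless ext

  manufacturer = tpm_manufacturer
  fields = [manufacturer, tpm_model, tpm_version]
  fields_present = fields.none? { |value| value.nil? || value.empty? }
  return false unless ext.critical? && fields_present

  # Manufacturer ids must be ones we know (TPM::VENDOR_IDS is the allow-list).
  !TPM::VENDOR_IDS[manufacturer].nil?
end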
valid_version?
# File lib/tpm/aik_certificate.rb, line 40
# True when the certificate's version field equals ASN_V3 (X.509 v3, the
# version that can carry the extensions this profile requires).
def valid_version?
  ASN_V3 == version
end