The spec has:
"tee": {
...
"cert": "",
"cacert": "",
...
}
and similar in various other places like here:
"signercert": "<The BASE64 encoded certificate data of the
TA binary application's signer certificate>",
"signercacerts": [ < The full list of CA certificate chain
including the root CA> ],
However, it also depends on JWS which has "x5c" defined as (in RFC 7515 section 4.1.6):
The "x5c" (X.509 certificate chain) Header Parameter contains the
X.509 public key certificate or certificate chain [RFC5280]
corresponding to the key used to digitally sign the JWS. The
certificate or certificate chain is represented as a JSON array of
certificate value strings. Each string in the array is a
base64-encoded (Section 4 of [RFC4648] -- not base64url-encoded) DER
[ITU.X690.2008] PKIX certificate value. The certificate containing
the public key corresponding to the key used to digitally sign the
JWS MUST be the first certificate. This MAY be followed by
additional certificates, with each subsequent certificate being the
one used to certify the previous one. …
So x5c requires a JSON array where the first entry is the leaf cert, and in contrast the rest of OTrP puts the leaf cert into a separate field and has the array only contain the rest of the chain.
This complicates the code by requiring two separate mechanisms for encoding/decoding the cert chain instead of using one common mechanism.
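One way to get the single common mechanism asked for above is to normalise both layouts to the x5c shape (leaf first, then the chain) at the boundary. The following is an added example, not code from the OTrP spec or its implementation; it assumes the `cert`/`cacert` and `signercert`/`signercacerts` fields hold standard-base64 DER strings as quoted, uses constructed stand-in values rather than real certificates, and treats `cacert` as either a string or an array since the quoted snippets show both shapes.

```python
import base64
import binascii

# Constructed stand-ins for DER certificates (not real X.509 data); each is
# standard base64 as RFC 7515 section 4.1.6 requires for x5c entries.
LEAF = base64.b64encode(b"constructed leaf cert DER").decode()
INTERMEDIATE = base64.b64encode(b"constructed intermediate CA DER").decode()
ROOT = base64.b64encode(b"constructed root CA DER").decode()


def check_x5c_entry(entry):
    """Reject anything that is not a non-empty standard-base64 string.

    x5c is explicitly standard base64 (RFC 4648 section 4), so the base64url
    alphabet characters '-' and '_' are an error rather than a quiet variant.
    """
    if not isinstance(entry, str) or not entry:
        raise ValueError("certificate entry must be a non-empty string")
    if "-" in entry or "_" in entry:
        raise ValueError("x5c entries must be standard base64, not base64url")
    try:
        base64.b64decode(entry, validate=True)
    except binascii.Error as exc:
        raise ValueError("certificate entry is not valid base64") from exc
    return entry


def otrp_to_x5c(cert, cacert):
    """Merge OTrP's split 'cert' + 'cacert' into one x5c array, leaf first.

    The quoted spec shows 'cacert' as a string and 'signercacerts' as an
    array; accepting either shape is an assumption, not taken from the spec.
    """
    chain = [cacert] if isinstance(cacert, str) and cacert else list(cacert or [])
    return [check_x5c_entry(c) for c in [cert] + chain]


def x5c_to_otrp(x5c):
    """Split an x5c array back into (leaf cert, CA chain) for OTrP fields."""
    if not x5c:
        raise ValueError("x5c must hold at least the signing certificate")
    chain = [check_x5c_entry(c) for c in x5c]
    return chain[0], chain[1:]


def tee_to_x5c(tee):
    """Convert an OTrP 'tee' object ({'cert': ..., 'cacert': ...}) to x5c."""
    return otrp_to_x5c(tee["cert"], tee.get("cacert"))
```

With both directions going through `check_x5c_entry`, a base64url-encoded or empty entry is rejected once, regardless of which field it arrived in.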