Merge pull request #38 from LedgerHQ/xch/attestations

attestations: Make sure subject and authority key identifier extensions are not embedded in certificates
LedgerHQ · May 2, 2024 · 86131c7 · 86131c7
2 parents 699a5dd + cbd9486
commit 86131c7
Show file tree

Hide file tree

Showing 8 changed files with 16 additions and 0 deletions.
diff --git a/attestations/cnf/FIDO2/openssl_cert_nanos.cnf b/attestations/cnf/FIDO2/openssl_cert_nanos.cnf
@@ -9,5 +9,7 @@ OU = Authenticator Attestation
 CN = Ledger Nano-S FIDO 2 Attestation Batch 1  
 
 [v3_req]
+subjectKeyIdentifier = none
+authorityKeyIdentifier = none
 1.3.6.1.4.1.45724.1.1.4=ASN1:FORMAT:HEX,OCTETSTRING:341e4da93c2e81035a9faad887135200
 basicConstraints=critical,CA:FALSE
diff --git a/attestations/cnf/FIDO2/openssl_cert_nanosp.cnf b/attestations/cnf/FIDO2/openssl_cert_nanosp.cnf
@@ -9,5 +9,7 @@ OU = Authenticator Attestation
 CN = Ledger Nano-SP FIDO 2 Attestation Batch 1
 
 [v3_req]
+subjectKeyIdentifier = none
+authorityKeyIdentifier = none
 1.3.6.1.4.1.45724.1.1.4=ASN1:FORMAT:HEX,OCTETSTRING:58b44d0b0a7cf33afd48f7153c871352
 basicConstraints=critical,CA:FALSE
diff --git a/attestations/cnf/FIDO2/openssl_cert_nanox.cnf b/attestations/cnf/FIDO2/openssl_cert_nanox.cnf
@@ -9,5 +9,7 @@ OU = Authenticator Attestation
 CN = Ledger Nano-X FIDO 2 Attestation Batch 1  
 
 [v3_req]
+subjectKeyIdentifier = none
+authorityKeyIdentifier = none
 1.3.6.1.4.1.45724.1.1.4=ASN1:FORMAT:HEX,OCTETSTRING:fcb1bcb4f370078c6993bc24d0ae3fbe
 basicConstraints=critical,CA:FALSE
diff --git a/attestations/cnf/FIDO2/openssl_cert_stax.cnf b/attestations/cnf/FIDO2/openssl_cert_stax.cnf
@@ -9,6 +9,8 @@ OU = Authenticator Attestation
 CN = Ledger Stax FIDO 2 Attestation Batch 1
 
 [v3_req]
+subjectKeyIdentifier = none
+authorityKeyIdentifier = none
 1.3.6.1.4.1.45724.1.1.4=ASN1:FORMAT:HEX,OCTETSTRING:6e24d385004a16a07bfeefd963845b34
 basicConstraints=critical,CA:FALSE
 
diff --git a/attestations/cnf/U2F/openssl_cert_nanos.cnf b/attestations/cnf/U2F/openssl_cert_nanos.cnf
@@ -9,4 +9,6 @@ OU = Authenticator Attestation
 CN = Ledger Nano-S FIDO 1 Attestation Batch 1
 
 [v3_req]
+subjectKeyIdentifier = none
+authorityKeyIdentifier = none
 1.3.6.1.4.1.45724.2.1.1=DER:03:02:05:20 # USB
diff --git a/attestations/cnf/U2F/openssl_cert_nanosp.cnf b/attestations/cnf/U2F/openssl_cert_nanosp.cnf
@@ -9,4 +9,6 @@ OU = Authenticator Attestation
 CN = Ledger Nano-SP FIDO 1 Attestation Batch 1
 
 [v3_req]
+subjectKeyIdentifier = none
+authorityKeyIdentifier = none
 1.3.6.1.4.1.45724.2.1.1=DER:03:02:05:20 # USB
diff --git a/attestations/cnf/U2F/openssl_cert_nanox.cnf b/attestations/cnf/U2F/openssl_cert_nanox.cnf
@@ -9,4 +9,6 @@ OU = Authenticator Attestation
 CN = Ledger Nano-X FIDO 1 Attestation Batch 1
 
 [v3_req]
+subjectKeyIdentifier = none
+authorityKeyIdentifier = none
 1.3.6.1.4.1.45724.2.1.1=DER:03:02:05:20 # USB
diff --git a/attestations/cnf/U2F/openssl_cert_stax.cnf b/attestations/cnf/U2F/openssl_cert_stax.cnf
@@ -9,4 +9,6 @@ OU = Authenticator Attestation
 CN = Ledger Stax FIDO 1 Attestation Batch 1
 
 [v3_req]
+subjectKeyIdentifier = none
+authorityKeyIdentifier = none
 1.3.6.1.4.1.45724.2.1.1=DER:03:02:05:20 # USB