From cbd948679e683488ab528f04ba32f4417f16c107 Mon Sep 17 00:00:00 2001
From: Xavier Chapron
Date: Mon, 15 Apr 2024 15:42:27 +0200
Subject: [PATCH] attestations: Make sure subject and authority key identifier extensions are not embedded in certificates

They were previously not embbeded by default, but something changes in openssl probably. They are useless and increase the size of the ceritificate which is already big enough, especially over NFC...
---
 attestations/cnf/FIDO2/openssl_cert_nanos.cnf | 2 ++
 attestations/cnf/FIDO2/openssl_cert_nanosp.cnf | 2 ++
 attestations/cnf/FIDO2/openssl_cert_nanox.cnf | 2 ++
 attestations/cnf/FIDO2/openssl_cert_stax.cnf | 2 ++
 attestations/cnf/U2F/openssl_cert_nanos.cnf | 2 ++
 attestations/cnf/U2F/openssl_cert_nanosp.cnf | 2 ++
 attestations/cnf/U2F/openssl_cert_nanox.cnf | 2 ++
 attestations/cnf/U2F/openssl_cert_stax.cnf | 2 ++
 8 files changed, 16 insertions(+)

diff --git a/attestations/cnf/FIDO2/openssl_cert_nanos.cnf b/attestations/cnf/FIDO2/openssl_cert_nanos.cnf
index 56502dba..39f6e468 100644
--- a/attestations/cnf/FIDO2/openssl_cert_nanos.cnf
+++ b/attestations/cnf/FIDO2/openssl_cert_nanos.cnf
@@ -9,5 +9,7 @@ OU = Authenticator Attestation
 CN = Ledger Nano-S FIDO 2 Attestation Batch 1

 [v3_req]
+subjectKeyIdentifier = none
+authorityKeyIdentifier = none
 1.3.6.1.4.1.45724.1.1.4=ASN1:FORMAT:HEX,OCTETSTRING:341e4da93c2e81035a9faad887135200
 basicConstraints=critical,CA:FALSE
diff --git a/attestations/cnf/FIDO2/openssl_cert_nanosp.cnf b/attestations/cnf/FIDO2/openssl_cert_nanosp.cnf
index 0234921a..7cd75478 100644
--- a/attestations/cnf/FIDO2/openssl_cert_nanosp.cnf
+++ b/attestations/cnf/FIDO2/openssl_cert_nanosp.cnf
@@ -9,5 +9,7 @@ OU = Authenticator Attestation
 CN = Ledger Nano-SP FIDO 2 Attestation Batch 1

 [v3_req]
+subjectKeyIdentifier = none
+authorityKeyIdentifier = none
 1.3.6.1.4.1.45724.1.1.4=ASN1:FORMAT:HEX,OCTETSTRING:58b44d0b0a7cf33afd48f7153c871352
 basicConstraints=critical,CA:FALSE
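Review bot: The two lines added under `[v3_req]` carry no comment, and the `none` value for `subjectKeyIdentifier` and `authorityKeyIdentifier` is, as far as I know, only accepted by OpenSSL 3.0 and later, so an older toolchain would be expected to reject these files. A short comment such as `# OpenSSL >= 3.0 adds SKID/AKID by default; "none" suppresses them to keep the attestation certificate small (NFC)` would record both the reason and the version requirement. The same applies to the other seven FIDO2 and U2F config files in this patch. Because the commit message attributes the extra extensions to a change in OpenSSL defaults, the generation step (not visible here) could also check the extension list of each issued certificate, for example from `openssl x509 -noout -text`, so that a future default change is caught before a batch certificate is provisioned.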
diff --git a/attestations/cnf/FIDO2/openssl_cert_nanox.cnf b/attestations/cnf/FIDO2/openssl_cert_nanox.cnf
index 4ff905c6..e5b232f9 100644
--- a/attestations/cnf/FIDO2/openssl_cert_nanox.cnf
+++ b/attestations/cnf/FIDO2/openssl_cert_nanox.cnf
@@ -9,5 +9,7 @@ OU = Authenticator Attestation
 CN = Ledger Nano-X FIDO 2 Attestation Batch 1

 [v3_req]
+subjectKeyIdentifier = none
+authorityKeyIdentifier = none
 1.3.6.1.4.1.45724.1.1.4=ASN1:FORMAT:HEX,OCTETSTRING:fcb1bcb4f370078c6993bc24d0ae3fbe
 basicConstraints=critical,CA:FALSE
diff --git a/attestations/cnf/FIDO2/openssl_cert_stax.cnf b/attestations/cnf/FIDO2/openssl_cert_stax.cnf
index c9b260cf..6ea25e56 100644
--- a/attestations/cnf/FIDO2/openssl_cert_stax.cnf
+++ b/attestations/cnf/FIDO2/openssl_cert_stax.cnf
@@ -9,6 +9,8 @@ OU = Authenticator Attestation
 CN = Ledger Stax FIDO 2 Attestation Batch 1

 [v3_req]
+subjectKeyIdentifier = none
+authorityKeyIdentifier = none
 1.3.6.1.4.1.45724.1.1.4=ASN1:FORMAT:HEX,OCTETSTRING:6e24d385004a16a07bfeefd963845b34
 basicConstraints=critical,CA:FALSE

diff --git a/attestations/cnf/U2F/openssl_cert_nanos.cnf b/attestations/cnf/U2F/openssl_cert_nanos.cnf
index 311de774..9efa4a2c 100644
--- a/attestations/cnf/U2F/openssl_cert_nanos.cnf
+++ b/attestations/cnf/U2F/openssl_cert_nanos.cnf
@@ -9,4 +9,6 @@ OU = Authenticator Attestation
 CN = Ledger Nano-S FIDO 1 Attestation Batch 1

 [v3_req]
+subjectKeyIdentifier = none
+authorityKeyIdentifier = none
 1.3.6.1.4.1.45724.2.1.1=DER:03:02:05:20 # USB
diff --git a/attestations/cnf/U2F/openssl_cert_nanosp.cnf b/attestations/cnf/U2F/openssl_cert_nanosp.cnf
index 37c6e8d2..e6425457 100644
--- a/attestations/cnf/U2F/openssl_cert_nanosp.cnf
+++ b/attestations/cnf/U2F/openssl_cert_nanosp.cnf
@@ -9,4 +9,6 @@ OU = Authenticator Attestation
 CN = Ledger Nano-SP FIDO 1 Attestation Batch 1

 [v3_req]
+subjectKeyIdentifier = none
+authorityKeyIdentifier = none
 1.3.6.1.4.1.45724.2.1.1=DER:03:02:05:20 # USB
diff --git a/attestations/cnf/U2F/openssl_cert_nanox.cnf b/attestations/cnf/U2F/openssl_cert_nanox.cnf
index 2d1820b9..503d1f1d 100644
--- a/attestations/cnf/U2F/openssl_cert_nanox.cnf
+++ b/attestations/cnf/U2F/openssl_cert_nanox.cnf
@@ -9,4 +9,6 @@ OU = Authenticator Attestation
 CN = Ledger Nano-X FIDO 1 Attestation Batch 1

 [v3_req]
+subjectKeyIdentifier = none
+authorityKeyIdentifier = none
 1.3.6.1.4.1.45724.2.1.1=DER:03:02:05:20 # USB
diff --git a/attestations/cnf/U2F/openssl_cert_stax.cnf b/attestations/cnf/U2F/openssl_cert_stax.cnf
index 43c1581a..0dcebb76 100644
--- a/attestations/cnf/U2F/openssl_cert_stax.cnf
+++ b/attestations/cnf/U2F/openssl_cert_stax.cnf
@@ -9,4 +9,6 @@ OU = Authenticator Attestation
 CN = Ledger Stax FIDO 1 Attestation Batch 1

 [v3_req]
+subjectKeyIdentifier = none
+authorityKeyIdentifier = none
 1.3.6.1.4.1.45724.2.1.1=DER:03:02:05:20 # USB