From be61d72be30981e10cbc2800f5a0f0ca89eb2c15 Mon Sep 17 00:00:00 2001
From: Nicolas Williams
Date: Sun, 7 Mar 2021 00:31:47 -0600
Subject: [PATCH] asn1: Some TPM fields have to be EXPLICIT

The TCG EK cert profile says that the context tags in the TPMSecurityAssertions type are IMPLICIT. The sample EK cert we have has them as EXPLICIT. What to do?
---
 lib/asn1/check-gen.c | 84 +++++++++++++++++++++++++--------------------------
 lib/asn1/rfc2459.asn1 | 15 ++++-----
 2 files changed, 50 insertions(+), 49 deletions(-)

diff --git a/lib/asn1/check-gen.c b/lib/asn1/check-gen.c
index 7da76177f..f3e5b060c 100644
--- a/lib/asn1/check-gen.c
+++ b/lib/asn1/check-gen.c
@@ -2296,48 +2296,48 @@ test_ios(void)
 "1030A0100A2030A0100A310300E1603332E310A01040A01020101FFA40F300D1"
 "6053134302D320A0102010100\"],\"_values_choice\":\"\",\"_values\":[{\"_ty"
 "pe\":\"TPMSecurityAssertions\",\"version\":\"0\",\"fieldUpgradable\":true"
- ",\"ekGenerationType\":\"655617\",\"ekGenerationLocation\":\"655616\",\"ek"
- "CertificateGenerationLocation\":\"655616\",\"ccInfo\":{\"_type\":\"Commo"
- "nCriteriaMeasures\",\"version\":\"3.1\",\"assurancelevel\":\"4\",\"evaluat"
- "ionStatus\":\"2\",\"plus\":true,\"strengthOfFunction\":null,\"profileOid"
- "\":null,\"profileUri\":null,\"targetOid\":null,\"targetUri\":null},\"fip"
- "sLevel\":{\"_type\":\"FIPSLevel\",\"version\":\"140-2\",\"level\":\"2\",\"plus"
- "\":false},\"iso9000Certified\":false,\"iso9000Uri\":null}]}]},{\"_type"
- "\":\"Extension\",\"extnID\":{\"_type\":\"OBJECT IDENTIFIER\",\"oid\":\"2.5.2"
- "9.15\",\"components\":[2,5,29,15],\"name\":\"id-x509-ce-keyUsage\"},\"cr"
- "itical\":true,\"extnValue\":\"03020520\",\"_extnValue_choice\":\"\",\"_ext"
- "nValue\":[\"keyEncipherment\"]},{\"_type\":\"Extension\",\"extnID\":{\"_ty"
- "pe\":\"OBJECT IDENTIFIER\",\"oid\":\"2.5.29.19\",\"components\":[2,5,29,1"
- "9],\"name\":\"id-x509-ce-basicConstraints\"},\"critical\":true,\"extnVa"
- "lue\":\"3000\",\"_extnValue_choice\":\"\",\"_extnValue\":{\"_type\":\"BasicC"
- "onstraints\",\"cA\":false,\"pathLenConstraint\":null}},{\"_type\":\"Exte"
- "nsion\",\"extnID\":{\"_type\":\"OBJECT IDENTIFIER\",\"oid\":\"2.5.29.37\",\""
- "components\":[2,5,29,37],\"name\":\"id-x509-ce-extKeyUsage\"},\"critic"
- "al\":false,\"extnValue\":\"300706056781050801\",\"_extnValue_choice\":\""
- "\",\"_extnValue\":[{\"_type\":\"OBJECT IDENTIFIER\",\"oid\":\"2.23.133.8.1"
- "\",\"components\":[2,23,133,8,1],\"name\":\"tcg-kp-EKCertificate\"}]},{"
- "\"_type\":\"Extension\",\"extnID\":{\"_type\":\"OBJECT IDENTIFIER\",\"oid\":"
- "\"1.3.6.1.5.5.7.1.1\",\"components\":[1,3,6,1,5,5,7,1,1],\"name\":\"id-"
- "pkix-pe-authorityInfoAccess\"},\"critical\":false,\"extnValue\":\"303C"
- "303A06082B06010505073002862E687474703A2F2F7365637572652E676C6F62"
- "616C7369676E2E636F6D2F73746D74706D656B696E7430352E637274\",\"_extn"
- "Value_choice\":\"\",\"_extnValue\":[{\"_type\":\"AccessDescription\",\"acc"
- "essMethod\":{\"_type\":\"OBJECT IDENTIFIER\",\"oid\":\"1.3.6.1.5.5.7.48."
- "2\",\"components\":[1,3,6,1,5,5,7,48,2],\"name\":\"id-pkix-ad-caIssuer"
- "s\"},\"accessLocation\":{\"_choice\":\"uniformResourceIdentifier\",\"val"
- "ue\":\"http://secure.globalsign.com/stmtpmekint05.crt\"}}]}]},\"sign"
- "atureAlgorithm\":{\"_type\":\"AlgorithmIdentifier\",\"algorithm\":{\"_ty"
- "pe\":\"OBJECT IDENTIFIER\",\"oid\":\"1.2.840.113549.1.1.11\",\"component"
- "s\":[1,2,840,113549,1,1,11],\"name\":\"id-pkcs1-sha256WithRSAEncrypt"
- "ion\"},\"parameters\":\"0500\"},\"signatureValue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}"
+ ",\"ekGenerationType\":\"1\",\"ekGenerationLocation\":\"0\",\"ekCertificat"
+ "eGenerationLocation\":\"0\",\"ccInfo\":{\"_type\":\"CommonCriteriaMeasur"
+ "es\",\"version\":\"3.1\",\"assurancelevel\":\"4\",\"evaluationStatus\":\"2\","
+ "\"plus\":true,\"strengthOfFunction\":null,\"profileOid\":null,\"profile"
+ "Uri\":null,\"targetOid\":null,\"targetUri\":null},\"fipsLevel\":{\"_type"
+ "\":\"FIPSLevel\",\"version\":\"140-2\",\"level\":\"2\",\"plus\":false},\"iso90"
+ "00Certified\":false,\"iso9000Uri\":null}]}]},{\"_type\":\"Extension\",\""
+ "extnID\":{\"_type\":\"OBJECT IDENTIFIER\",\"oid\":\"2.5.29.15\",\"componen"
+ "ts\":[2,5,29,15],\"name\":\"id-x509-ce-keyUsage\"},\"critical\":true,\"e"
+ "xtnValue\":\"03020520\",\"_extnValue_choice\":\"\",\"_extnValue\":[\"keyEn"
+ "cipherment\"]},{\"_type\":\"Extension\",\"extnID\":{\"_type\":\"OBJECT IDE"
+ "NTIFIER\",\"oid\":\"2.5.29.19\",\"components\":[2,5,29,19],\"name\":\"id-x"
+ "509-ce-basicConstraints\"},\"critical\":true,\"extnValue\":\"3000\",\"_e"
+ "xtnValue_choice\":\"\",\"_extnValue\":{\"_type\":\"BasicConstraints\",\"cA"
+ "\":false,\"pathLenConstraint\":null}},{\"_type\":\"Extension\",\"extnID\""
+ ":{\"_type\":\"OBJECT IDENTIFIER\",\"oid\":\"2.5.29.37\",\"components\":[2,"
+ "5,29,37],\"name\":\"id-x509-ce-extKeyUsage\"},\"critical\":false,\"extn"
+ "Value\":\"300706056781050801\",\"_extnValue_choice\":\"\",\"_extnValue\":"
+ "[{\"_type\":\"OBJECT IDENTIFIER\",\"oid\":\"2.23.133.8.1\",\"components\":"
+ "[2,23,133,8,1],\"name\":\"tcg-kp-EKCertificate\"}]},{\"_type\":\"Extens"
+ "ion\",\"extnID\":{\"_type\":\"OBJECT IDENTIFIER\",\"oid\":\"1.3.6.1.5.5.7."
+ "1.1\",\"components\":[1,3,6,1,5,5,7,1,1],\"name\":\"id-pkix-pe-authori"
+ "tyInfoAccess\"},\"critical\":false,\"extnValue\":\"303C303A06082B06010"
+ "505073002862E687474703A2F2F7365637572652E676C6F62616C7369676E2E6"
+ "36F6D2F73746D74706D656B696E7430352E637274\",\"_extnValue_choice\":\""
+ "\",\"_extnValue\":[{\"_type\":\"AccessDescription\",\"accessMethod\":{\"_t"
+ "ype\":\"OBJECT IDENTIFIER\",\"oid\":\"1.3.6.1.5.5.7.48.2\",\"components\""
+ ":[1,3,6,1,5,5,7,48,2],\"name\":\"id-pkix-ad-caIssuers\"},\"accessLoca"
+ "tion\":{\"_choice\":\"uniformResourceIdentifier\",\"value\":\"http://sec"
+ "ure.globalsign.com/stmtpmekint05.crt\"}}]}]},\"signatureAlgorithm\""
+ ":{\"_type\":\"AlgorithmIdentifier\",\"algorithm\":{\"_type\":\"OBJECT IDE"
+ "NTIFIER\",\"oid\":\"1.2.840.113549.1.1.11\",\"components\":[1,2,840,113"
+ "549,1,1,11],\"name\":\"id-pkcs1-sha256WithRSAEncryption\"},\"paramete"
+ "rs\":\"0500\"},\"signatureValue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}"
 };
 heim_octet_string os;
 Certificate c0, c1;
diff --git a/lib/asn1/rfc2459.asn1 b/lib/asn1/rfc2459.asn1
index f1de4dd81..bd6df0b67 100644
--- a/lib/asn1/rfc2459.asn1
+++ b/lib/asn1/rfc2459.asn1
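Review bot: The expected values replaced on the `ekGenerationType`/`ekGenerationLocation`/`ekCertificateGenerationLocation` lines (`655617`/`655616` becoming `1`/`0`) are the evidence for the whole commit and should be recorded in the fixture: 655617 is 0x0A0101 and 655616 is 0x0A0100, i.e. universal tag 0x0A (ENUMERATED), length 1, value 1 or 0 — an inner TLV that the IMPLICIT-tagged decoder consumed as the integer's own content octets. Suggest a comment above the expected string, `/* [0]..[2] decode as 1/0 only with the EXPLICIT tags in rfc2459.asn1; under IMPLICIT the inner ENUMERATED TLV 0A 01 01 was read as an INTEGER body (655617). */`. It is also worth a follow-up the hunk cannot settle: 655617 was previously accepted and printed as a valid enumeration value, which suggests the generated decoder does not range-check ENUMERATED, so a mis-tagged or malformed cert decodes to nonsense instead of failing. `test_ios` begins and ends outside the hunk.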
@@ -863,13 +863,14 @@ TPMVersion ::= INTEGER { tpm-v1(0) }
 TPMSecurityAssertions ::= SEQUENCE {
 version TPMVersion DEFAULT 0, -- v1
 fieldUpgradable BOOLEAN DEFAULT FALSE,
- ekGenerationType [0] IMPLICIT EKGenerationType OPTIONAL,
- ekGenerationLocation [1] IMPLICIT EKGenerationLocation OPTIONAL,
- ekCertificateGenerationLocation [2] IMPLICIT EKCertificateGenerationLocation OPTIONAL,
- -- These two are marked IMPLICIT, but...
- ccInfo [3] CommonCriteriaMeasures OPTIONAL,
- fipsLevel [4] FIPSLevel OPTIONAL,
- iso9000Certified [5] IMPLICIT BOOLEAN DEFAULT FALSE,
+ -- The TCG EK cert profile spec says all these context tags are IMPLICIT,
+ -- but samples in the field have them as EXPLICIT.
+ ekGenerationType [0] EXPLICIT EKGenerationType OPTIONAL,
+ ekGenerationLocation [1] EXPLICIT EKGenerationLocation OPTIONAL,
+ ekCertificateGenerationLocation [2] EXPLICIT EKCertificateGenerationLocation OPTIONAL,
+ ccInfo [3] EXPLICIT CommonCriteriaMeasures OPTIONAL,
+ fipsLevel [4] EXPLICIT FIPSLevel OPTIONAL,
+ iso9000Certified [5] EXPLICIT BOOLEAN DEFAULT FALSE,
 iso9000Uri IA5String OPTIONAL, -- (SIZE (1..URIMAX))
 ...
 }
-- 
2.11.4.GIT
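Review bot: The new `-- The TCG EK cert profile spec says ...` comment records the conflict but not its consequence: with all six tags declared EXPLICIT, an EK cert encoded the way the profile specifies (IMPLICIT, no inner TLV) will presumably fail to decode against this definition rather than be read at all, and the commit message's open "What to do?" is not resolved anywhere in the schema. Suggest extending the comment with the evidence and the trade-off, e.g. `-- (the sample EK cert in check-gen.c decoded ekGenerationType as 0x0A0101, the inner ENUMERATED TLV, under IMPLICIT); spec-conformant IMPLICIT encodings are not accepted by this definition.` The removed `-- These two are marked IMPLICIT, but...` line left `ccInfo` and `fipsLevel` to the module's default tagging, which this hunk does not show; since the new definition spells out EXPLICIT on every field that dependence is gone, and one sentence saying so would spare the next reader the archaeology.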