Add support for ID attestation to HID

transparency-dev · Mar 4, 2024 · fdd2b79 · fdd2b79
1 parent 770e8cc
commit fdd2b79
Show file tree

Hide file tree

Showing 5 changed files with 71 additions and 26 deletions.
diff --git a/api/api.go b/api/api.go
@@ -103,7 +103,9 @@ func (p *Status) Print() string {
 	status.WriteString(fmt.Sprintf("IdentityCounter ............: %d\n", p.IdentityCounter))
 	if p.Witness != nil {
 		status.WriteString(fmt.Sprintf("Witness/Identity ...........: %v\n", p.Witness.Identity))
-		status.WriteString(fmt.Sprintf("Witness/IP .................: %v", p.Witness.IP))
+		status.WriteString(fmt.Sprintf("Witness/IP .................: %v\n", p.Witness.IP))
+		status.WriteString(fmt.Sprintf("Witness/AttestationKey .....: %v\n", p.Witness.IDAttestPublicKey))
+		status.WriteString(fmt.Sprintf("Witness/AttestedID .........:\n%v", p.Witness.AttestedID))
 	} else {
 		status.WriteString(fmt.Sprint("Witness ....................: <no status>"))
 	}

diff --git a/api/api.pb.go b/api/api.pb.go
diff --git a/api/api.proto b/api/api.proto
@@ -149,6 +149,15 @@ message WitnessStatus {
   string Identity = 1;
   // IP is a string representation of the witness applet's current IP address.
   string IP = 2;
+  // IDAttestKey is the stable public key from this device, used to attest to all derived witness identities.
+  string IDAttestPublicKey = 3;
+  // AttestedID is a note-formatted signed attestation for the current witness identity.
+  // This attestation note contains:
+	//   "ArmoredWitness ID attestation v1"
+	//   <Device serial>
+	//   <Witness identity counter in decimal>
+	//   <Witness identity as a note verifier string>
+  string AttestedID = 4;
 }
 
 /*

diff --git a/api/rpc/rpc.go b/api/rpc/rpc.go
@@ -49,6 +49,10 @@ type WitnessStatus struct {
 	Identity string
 	// IP is the currently-assigned IP address of the witness applet.
 	IP string
+	// IDAttestPublicKey is the stable-derived use by this device to attest to witness IDs.
+	IDAttestPublicKey string
+	// AttestedID is a note formatted attestation for the current witness ID.
+	AttestedID string
 }
 
 // FirmwareUpdate represents a firmware update.

diff --git a/trusted_os/ctl.go b/trusted_os/ctl.go
@@ -77,8 +77,10 @@ func getStatus() (s *api.Status) {
 	}
 	if witnessStatus != nil {
 		s.Witness = &api.WitnessStatus{
-			Identity: witnessStatus.Identity,
-			IP:       witnessStatus.IP,
+			Identity:          witnessStatus.Identity,
+			IP:                witnessStatus.IP,
+			IDAttestPublicKey: witnessStatus.IDAttestPublicKey,
+			AttestedID:        witnessStatus.AttestedID,
 		}
 	}