Add Microsoft TPM root

[AdamUCF]

This adds the Microsoft TPM root certificate authority to all TPM manufacturer IDs listed in the Microsoft TPM bundle as using the Microsoft TPM root CA.

[aseigler]

Maybe I am missing something, but I am confused here.

The way that static list of TPM roots came to be was taking the list of vendor IDs from TCG, then associating known roots for that vendor ID. I was never able to find a better TPM root bundle than the one linked in that HGS article. I was hoping to find a TCG sourced bundle of roots, but that doesn't seem to exist.

If we are looking to add a set of root certs for MSFT, I would expect to see a new cert array with the MSFT ID "id:4D534654", along with one or more roots added to the TPMManufacturerRootMap dictionary. This seems to add a MSFT root cert outside of the dictionary, and then append it to the list of roots for a bunch of other manufacturers, and I don't really understand why.

[AdamUCF]

Yeah I was thrown for a loop too when I first started digging into this. If you look in the Microsoft TPM bundle under Microsoft\IntermediateCA you'll notice intermediate CAs for many different vendors. Each of these intermediate CAs chain up to the Microsoft TPM Root Certificate Authority 2014 and are what I've included in this PR. On the devices I've tested against (HP EliteBook/Infineon and Microsoft Surface Pro X/Qualcomm) both chain up through intermediates signed by the Microsoft root but the intermediate is one owned by the vendor and the vendor ID in the TPM cert is the one of the TPM vendor, not Microsoft. I don't have any direct information but I'm assuming that they do this as part of the Microsoft Secure Boot program.

I included the certs below. I dumped these using https://fidoattestation.azurewebsites.net/ that I wrote to dump the attestation info of an authenticator.

HP/Infineon...
MIIFvzCCA6egAwIBAgIQBVLF0k6SQCi9GtxWM0DU6DANBgkqhkiG9w0BAQsFADBBMT8wPQYDVQQDEzZOQ1UtSUZYLUtFWUlELTM3QUUzNDZCQUE1NEM1MTNDRkYwMjkwQkIzMjFBMjJBMzRBNEE4QzQwHhcNMjAwMTE1MTMxMjU0WhcNMjUwMzIxMjAyOTI4WjAAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwss/r7z03JJlgyX75B3HdYIxhCiAvB13Onl8rOrlUWhMQ6kB6U44pDTo57cIQQ7FLSoyiEvhNx8spCLFHyYXmOR50yD7FRk+kdCi0NGZcKgYHQy6T+wa3YnnFS+dxWeFp9ibpZB3xN2iXickWgBBcz2yGv5trut3lrDKl0qb8RPNm7asFL1EKcSg5qfhfO4LHWiD7U3hqDOa7s4Nnj2K3kM1d5CACT1kse4+QYOkttKbQzdZfIcbvzRhR+lGEpDBymmWD7/BTGXw6N8sf/0wJ70HPqoqdgRtN5/XA+G4SoUDJqEb3Iymu9BiJ1+AMJvEFEkzTkx+czI4PcHN6VdrNQIDAQABo4IB8jCCAe4wDgYDVR0PAQH/BAQDAgeAMAwGA1UdEwEB/wQCMAAwbQYDVR0gAQH/BGMwYTBfBgkrBgEEAYI3FR8wUjBQBggrBgEFBQcCAjBEHkIAVABDAFAAQQAgACAAVAByAHUAcwB0AGUAZAAgACAAUABsAGEAdABmAG8AcgBtACAAIABJAGQAZQBuAHQAaQB0AHkwEAYDVR0lBAkwBwYFZ4EFCAMwWAYDVR0RAQH/BE4wTKRKMEgxFjAUBgVngQUCAQwLaWQ6NDk0NjU4MDAxGjAYBgVngQUCAgwPU0xCIDk2NzAgVFBNMi4wMRIwEAYFZ4EFAgMMB2lkOjA3M0UwHwYDVR0jBBgwFoAUDaJfLnNTRptqhLvxt8yO/oRstsEwHQYDVR0OBBYEFEviOIAUlXY4TSZBx5giKhvhDGSPMIGyBggrBgEFBQcBAQSBpTCBojCBnwYIKwYBBQUHMAKGgZJodHRwOi8vYXpjc3Byb2RuY3VhaWtwdWJsaXNoLmJsb2IuY29yZS53aW5kb3dzLm5ldC9uY3UtaWZ4LWtleWlkLTM3YWUzNDZiYWE1NGM1MTNjZmYwMjkwYmIzMjFhMjJhMzRhNGE4YzQvZDdmNDcxZWEtNTFiZS00N2IwLWFmZWYtZjkzYmE1YTUzMjIxLmNlcjANBgkqhkiG9w0BAQsFAAOCAgEAAg9xtJMKS7Xb6rXKNdG0sncPLSrgvQN3lsihRCdqE42sH407SfjuPEuWfiLR/98Dod7bx89uW5ZeV9mRhGDFVhH7vHlw2FrqsrDDmuzKZVKaTWRO0NHssi7MiuwPukK4RYqmapOb1tE16lJkTPyIiwu52KdW2mwiQ+T73eEIO1h9Ys5oVz80aH36JCnxyHncQTOF2ACmWR3fJtvdXutZdhdUYsGPjyvRlYKGIG5/Iv531ZUoBNftdaMLMPlaRidQj3i5jsEXncocaZuIQFtSfIc3P2ieGDIpzkEwyITqWq/4i6kGGrcDqssxenhgfEPuR0+kuYTUkLU0GMNMh2OpFJouG+aUQd3QY5s4gr12e/uytvF7s+HQDE+4YZ2j4nUjGyCtujVWahOksJY/2tVGtdlYHsLmRGmdrjy9U/VZmCDl59qD0nCeo6yPoR9pWU3L57+BWzwn/fLlwIU3bh5yBGvGEumhEx16JkqpJ9zZrnZacD31Zg/Xmpl279tUPbXoIRXibHKmiHWMm8F0u8ozq3wxc+Qhn4LHZ3ckOnzI3DaeqojogvYziTX0bCAuBr7Lo7+Z9xJbCUrp/ImJFRT8Rwh3lpFR7p68xibJewWLSPBbdPg9gouSnC0AAFwd6sC79AUiyS0HhkzbOrJ9AIhRg6GwzwFJkbtPg9xzRDSSRqg=

Surface Pro X/Qualcomm
MIIEnTCCA4WgAwIBAgIQQIudDWoXQUmoSZXzZjEnYDANBgkqhkiG9w0BAQsFADBCMUAwPgYDVQQDEzdFVVMtUUNPTS1LZXlJZC03OTEwMEMyRUEzNUM0RkMxNEJERTE1OUI1NjMyNkZCNzMxRDFENTEyMB4XDTIwMDIyNzAyMDI1MFoXDTI5MTIzMTIwNTgxMVowADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALNxyUEK3uK/vDGylW8sLCYUuUxX9lkRFtTMRiYIvLlK/9Ufknei0ZOO+dv84TmnkTbC+cTmI7CBzw8EQGDO8go5dXO41mT+Cm+WhtOrbCPSR/slbHwyTx5x7Nxm4GGPBlMcJx1zHtKVCympDAvRq9sxUAGLg8e7Wfo/MIRq4gSuMAdLlk7jNxGKXyYB4GZvaDcEEYmTOpkIiT8LEQNwew6sSHAlStwNdFrwbE2zxfdMvuwDIyPS4E4JiWwcL0Eoawke30oTE7uLFJIaOqIi8blawqhANf3Bj306A0JIslk4Wo/O0vT78D1aGOy15nBctfjCoRTCypJDH4s0YH1jxfkCAwEAAaOCAc8wggHLMA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMG0GA1UdIAEB/wRjMGEwXwYJKwYBBAGCNxUfMFIwUAYIKwYBBQUHAgIwRB5CAFQAQwBQAEEAIAAgAFQAcgB1AHMAdABlAGQAIAAgAFAAbABhAHQAZgBvAHIAbQAgACAASQBkAGUAbgB0AGkAdAB5MBAGA1UdJQQJMAcGBWeBBQgDME4GA1UdEQEB/wREMEKkQDA+MRYwFAYFZ4EFAgEMC2lkOjUxNDM0RjREMQwwCgYFZ4EFAgIMATExFjAUBgVngQUCAwwLaWQ6MDAwMzAwMDYwHwYDVR0jBBgwFoAUY69QVkFIn5n/tAa7NNdVpNfM20EwHQYDVR0OBBYEFCxHjE4wWZyopCxBqNVQM+Yb4OBfMIGZBggrBgEFBQcBAQSBjDCBiTCBhgYIKwYBBQUHMAKGemh0dHA6Ly9hemNzcHJvZGV1c2Fpa3B1Ymxpc2guYmxvYi5jb3JlLndpbmRvd3MubmV0L2V1cy1xY29tLWtleWlkLTc5MTAwYzJlYTM1YzRmYzE0YmRlMTU5YjU2MzI2ZmI3MzFkMWQ1MTIvY2VydGlmaWNhdGUuY2VyMA0GCSqGSIb3DQEBCwUAA4IBAQB8xhmMP7mEJXKsokGO5ENzTQwQ0vEk2k4h3clPrS6zesp5ebIqjghbRzRhOmJZp1UckTdjPXQOaCIcHRr2gzxI9GTWn9sZj5hhHsI99gHWQpc/QJktnNzX8+jB0QjGJc4rN4iFnMa+442HeNA05HorLqMKsykbWz8iEXwABLgiLleinkzvvzLQE+iW4Oe2cqWZ7242iPixEwyj4EBHUVUl5IS3ODyhHui5PeDIC1uClRqp5A4UPC6eFF2WbaNvLu2KCR+4tfDZoS2f00MSd3M68Tll8YF/ndRCGGApqN7IVZ8WzqMYquwjyQxVm3R0c058p6/wSYSnY3l9hvkbWp6b

[aseigler]

Yeah I was thrown for a loop too when I first started digging into this. If you look in the Microsoft TPM bundle under Microsoft\IntermediateCA you'll notice intermediate CAs for many different vendors. Each of these intermediate CAs chain up to the Microsoft TPM Root Certificate Authority 2014 and are what I've included in this PR. On the devices I've tested against (HP EliteBook/Infineon and Microsoft Surface Pro X/Qualcomm) both chain up through intermediates signed by the Microsoft root but the intermediate is one owned by the vendor and the vendor ID in the TPM cert is the one of the TPM vendor, not Microsoft. I don't have any direct information but I'm assuming that they do this as part of the Microsoft Secure Boot program.

I included the certs below. I dumped these using https://fidoattestation.azurewebsites.net/ that I wrote to dump the attestation info of an authenticator.

When you run these tests, is the authenticator always Windows Hello? It's been a bit since I have dug into this area, but it seems things have changed considerably. With Hello, it seems like the attestation is no longer chaining back to the EK issuuer (Get-TpmEndorsementKeyInfo), but rather to the Microsoft root like you describe, via the intermediates which you describe, but those intermediates are not owned by the vendor, they are owned by Microsoft. The roots and intermediates in the other folders are owned by the TPM vendors. The TPM vendor ID in the subject of the Microsoft intermediates matches the TCG vendor ID (except some of them are lower case). The value after the KEYID in the intermediate subject is the subject key identifier of the real TPM endorsement key root.

It seems like what is happening is Hello is generating the aikCert with the SAN matching the real TPMv2-EK-Profile section 3.2.9 information. The way the code is written, it is supposed to take the TPMManufacturer string from the TPM_PT_MANUFACTURER in the SAN, then look at the known roots issued by that manufacturer, and try to build a chain back to one of them. What Hello seems to be doing, this code would consider spoofing, since the aikCert doesn't chain back to the TPM manufacturer, but rather to Microsoft.

This is an attempted implementation of step 8 in this writeup by @herrjemand. Instead of trying every single known TPM root, we narrow it down by trying only roots related to the TPM manufacturer from the aikCert. Rather than add Microsoft root to all of the known vendor roots, I wonder if the right answer is to just chuck the whole narrowing down plan, and instead build one big attestationRootCertificates array. We would validate the aikCert SAN, and that the manufacturer is in the TCG list, and that the aikCert successfully chains back to one of the attestationRoot in attestationRootCertificates and call it a day.

[AdamUCF]

The authenticator being Windows Hello comes from the AAGUID which is specific to Windows Hello. Theoretically a TPM attestation could come with some other AAGUID besides those provided by Microsoft but I'm unaware of any other vendor that has implemented TPM attestation.

Wouldn't the TPM need to have the private key associated with the cert burned into it? Is Microsoft really signing the attestation with a software key or something? I can't imagine that.

I had asked Microsoft about their metadata and was sent the following. The only public references I've seen are here. Would be nice if they'd provide more information publicly.

{
    "aaguid": "6028b017-b1d4-4c02-b4b3-afcdafc96bb2",
    "description": "Windows Hello Software Authenticator",
    "attestationRootCertificates": [],
    "authenticatorVersion": 1,
    "protocolFamily": "fido2",
    "upv": [{"major": 1, "minor": 0}],
    "assertionScheme": "FIDOV2",
    "authenticationAlgorithm": 12,
    "publicKeyAlgAndEncoding": 260,
    "attestationTypes": [15880],
    "userVerificationDetails": [
        [{ "userVerification": 2 }],
        [{ "userVerification": 4 }],
        [{ "userVerification": 16 }],
        [{ "userVerification": 64 }]
    ],
    "keyProtection": 1,
    "matcherProtection": 1,
    "attachmentHint": 1,
    "isSecondFactorOnly": false,
    "tcDisplay": 0,
    "icon": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEgAAABICAYAAABV7bNHAAACkUlEQVR42uyai3GDMAyGQyegGzACnaCMkBHoBhkhnSAj0A2SDaAT0E6QbEA3cOXW6XEpBtnImMv9utOllxjF/qKHLTdRSm0gdnkAAgACIAACIAACIAACIAgAARAAARAAARAAARBEAFCSJINKkpLuSTtSZbQz76W25zhKkpFWPbtaz6Q75vPuoluuPmqxlZK2yi76s9RznjlpN2K7CrFWaUAHNS0HT0Atw3YpDSjxbdoPuaziG3uk579cvIdeWsbQD7L7NAYoWpKmLy8chueO5reB7KKKrQnQJdDYn9AJZHc5QBT7enINY2hjxrqItsvJWSdxFxKuYlOlWJmE6zPPcsJuN7WFiF7me5DOAws4OyZyG6TOsr/KQziDaJm/mcy2V1V0+T0JeXxqqlrWC9mGGy3O6wwFaI0SdR+EMg9AEAACIAByqViZb+/prgFdN6qb306j3lTWs0BJ76Qjw0ktO+3ad60PQhMrfM9YwqK7lUPe4j+/OR40cDaqJeJ+xo80JsWih1WTBAcb8ysKrb+TfowQKy3v55wbBkk49FJbQusqr4snadL9hEtXC3nO1G1HG6UfxIj5oDnJlHPOVVAerWGmvYQxwc70hiTh7Bidy3/3ZFE6isxf8epNhUCl4n5ftYqWKzMP3IIquaFnquXO0sZ1yn/RWq69SuK6GdPXORfSz4HPnk1bNXO0+UZze5HqKIodNYwnHVVcOUivNcStxj4CGFYhWAWgXgmuF4JzdMhn6wDUm1DpmFyVY7IvQqeTRdod2v2F8lNn/gcpW+rUsOi9mAmFwlSo3Pw9JQ3p+8bhgnAMkPM613BxOBQqc2FEB4SmPQSAAAiAAAiAAAiAAAiAIAAEQAAEQAAEQPco3wIMADOXgFhOTghuAAAAAElFTkSuQmCC"
}

{
    "aaguid": "08987058-cadc-4b81-b6e1-30de50dcbe96",
    "description": "Windows Hello Hardware Authenticator",
    "attestationRootCertificates": ["MIIF9TCCA92gAwIBAgIQXbYwTgy/J79JuMhpUB5dyzANBgkqhkiG9w0BAQsFADCBjDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjE2MDQGA1UEAxMtTWljcm9zb2Z0IFRQTSBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAyMDE0MB4XDTE0MTIxMDIxMzExOVoXDTM5MTIxMDIxMzkyOFowgYwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xNjA0BgNVBAMTLU1pY3Jvc29mdCBUUE0gUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkgMjAxNDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAJ+n+bnKt/JHIRC/oI/xgkgsYdPzP0gpvduDA2GbRtth+L4WUyoZKGBw7uz5bjjP8Aql4YExyjR3EZQ4LqnZChMpoCofbeDR4MjCE1TGwWghGpS0mM3GtWD9XiME4rE2K0VW3pdN0CLzkYbvZbs2wQTFfE62yNQiDjyHFWAZ4BQH4eWa8wrDMUxIAneUCpU6zCwM+l6Qh4ohX063BHzXlTSTc1fDsiPaKuMMjWjK9vp5UHFPa+dMAWr6OljQZPFIg3aZ4cUfzS9y+n77Hs1NXPBn6E4Db679z4DThIXyoKeZTv1aaWOWl/exsDLGt2mTMTyykVV8uD1eRjYriFpmoRDwJKAEMOfaURarzp7hka9TOElGyD2gOV4Fscr2MxAYCywLmOLzA4VDSYLuKAhPSp7yawET30AvY1HRfMwBxetSqWP2+yZRNYJlHpor5QTuRDgzR+Zej+aWx6rWNYx43kLthozeVJ3QCsD5iEI/OZlmWn5WYf7O8LB/1A7scrYv44FD8ck3Z+hxXpkklAsjJMsHZa9mBqh+VR1AicX4uZG8m16x65ZU2uUpBa3rn8CTNmw17ZHOiuSWJtS9+PrZVA8ljgf4QgA1g6NPOEiLG2fn8Gm+r5Ak+9tqv72KDd2FPBJ7Xx4stYj/WjNPtEUhW4rcLK3ktLfcy6ea7Rocw5y5AgMBAAGjUTBPMAsGA1UdDwQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBR6jArOL0hiF+KU0a5VwVLscXSkVjAQBgkrBgEEAYI3FQEEAwIBADANBgkqhkiG9w0BAQsFAAOCAgEAW4ioo1+J9VWC0UntSBXcXRm1ePTVamtsxVy/GpP4EmJd3Ub53JzNBfYdgfUL51CppS3ZY6BoagB+DqoA2GbSL+7sFGHBl5ka6FNelrwsH6VVw4xV/8klIjmqOyfatPYsz0sUdZev+reeiGpKVoXrK6BDnUU27/mgPtem5YKWvHB/soofUrLKzZV3WfGdx9zBr8V0xW6vO3CKaqkqU9y6EsQw34n7eJCbEVVQ8VdFd9iV1pmXwaBAfBwkviPTKEP9Cm+zbFIOLr3V3CL9hJj+gkTUuXWlJJ6wVXEG5i4rIbLAV59UrW4LonP+seqvWMJYUFxu/niF0R3fSGM+NU11DtBVkhRZt1u0kFhZqjDz1dWyfT/N7Hke3WsDqUFsBi+8SEw90rWx2aUkLvKo83oU4Mx4na+2I3l9F2a2VNGk4K7l3a00g51miPiq0Da0jqw30PaLluTMTGY5+RnZVh50JD6nk+Ea3wRkU8aiYFnpIxfKBZ72whmYYa/egj9IKeqpR0vuLebbU0fJBf880K1jWD3Z5SFyJXo057Mv0OPw5mttytE585ZIy5JsaRXlsOoWGRXE3kUT/MKR1UoAgR54c8Bsh+9Dq2wqIK9mRn15zvBDeyHG6+czurLopziOUeWokxZN1syrEdKlhFoPYavm6t+PzIcpdxZwHA+V3jLJPfI="],
    "authenticatorVersion": 1,
    "protocolFamily": "fido2",
    "upv": [{"major": 1, "minor": 0}],
    "assertionScheme": "FIDOV2",
    "authenticationAlgorithm": 12,
    "publicKeyAlgAndEncoding": 260,
    "attestationTypes": [15888],
    "userVerificationDetails": [
        [{ "userVerification": 2 }],
        [{ "userVerification": 4 }],
        [{ "userVerification": 16 }],
        [{ "userVerification": 64 }]
    ],
    "keyProtection": 2,
    "matcherProtection": 1,
    "attachmentHint": 1,
    "isSecondFactorOnly": false,
    "tcDisplay": 0,
    "icon": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEgAAABICAYAAABV7bNHAAACkUlEQVR42uyai3GDMAyGQyegGzACnaCMkBHoBhkhnSAj0A2SDaAT0E6QbEA3cOXW6XEpBtnImMv9utOllxjF/qKHLTdRSm0gdnkAAgACIAACIAACIAACIAgAARAAARAAARAAARBEAFCSJINKkpLuSTtSZbQz76W25zhKkpFWPbtaz6Q75vPuoluuPmqxlZK2yi76s9RznjlpN2K7CrFWaUAHNS0HT0Atw3YpDSjxbdoPuaziG3uk579cvIdeWsbQD7L7NAYoWpKmLy8chueO5reB7KKKrQnQJdDYn9AJZHc5QBT7enINY2hjxrqItsvJWSdxFxKuYlOlWJmE6zPPcsJuN7WFiF7me5DOAws4OyZyG6TOsr/KQziDaJm/mcy2V1V0+T0JeXxqqlrWC9mGGy3O6wwFaI0SdR+EMg9AEAACIAByqViZb+/prgFdN6qb306j3lTWs0BJ76Qjw0ktO+3ad60PQhMrfM9YwqK7lUPe4j+/OR40cDaqJeJ+xo80JsWih1WTBAcb8ysKrb+TfowQKy3v55wbBkk49FJbQusqr4snadL9hEtXC3nO1G1HG6UfxIj5oDnJlHPOVVAerWGmvYQxwc70hiTh7Bidy3/3ZFE6isxf8epNhUCl4n5ftYqWKzMP3IIquaFnquXO0sZ1yn/RWq69SuK6GdPXORfSz4HPnk1bNXO0+UZze5HqKIodNYwnHVVcOUivNcStxj4CGFYhWAWgXgmuF4JzdMhn6wDUm1DpmFyVY7IvQqeTRdod2v2F8lNn/gcpW+rUsOi9mAmFwlSo3Pw9JQ3p+8bhgnAMkPM613BxOBQqc2FEB4SmPQSAAAiAAAiAAAiAAAiAIAAEQAAEQAAEQPco3wIMADOXgFhOTghuAAAAAElFTkSuQmCC"
}

{
    "aaguid": "9ddd1817-af5a-4672-a2b9-3e3dd95000a9",
    "description": "Windows Hello VBS Hardware Authenticator",
    "attestationRootCertificates": ["MIIF9TCCA92gAwIBAgIQXbYwTgy/J79JuMhpUB5dyzANBgkqhkiG9w0BAQsFADCBjDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjE2MDQGA1UEAxMtTWljcm9zb2Z0IFRQTSBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAyMDE0MB4XDTE0MTIxMDIxMzExOVoXDTM5MTIxMDIxMzkyOFowgYwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xNjA0BgNVBAMTLU1pY3Jvc29mdCBUUE0gUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkgMjAxNDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAJ+n+bnKt/JHIRC/oI/xgkgsYdPzP0gpvduDA2GbRtth+L4WUyoZKGBw7uz5bjjP8Aql4YExyjR3EZQ4LqnZChMpoCofbeDR4MjCE1TGwWghGpS0mM3GtWD9XiME4rE2K0VW3pdN0CLzkYbvZbs2wQTFfE62yNQiDjyHFWAZ4BQH4eWa8wrDMUxIAneUCpU6zCwM+l6Qh4ohX063BHzXlTSTc1fDsiPaKuMMjWjK9vp5UHFPa+dMAWr6OljQZPFIg3aZ4cUfzS9y+n77Hs1NXPBn6E4Db679z4DThIXyoKeZTv1aaWOWl/exsDLGt2mTMTyykVV8uD1eRjYriFpmoRDwJKAEMOfaURarzp7hka9TOElGyD2gOV4Fscr2MxAYCywLmOLzA4VDSYLuKAhPSp7yawET30AvY1HRfMwBxetSqWP2+yZRNYJlHpor5QTuRDgzR+Zej+aWx6rWNYx43kLthozeVJ3QCsD5iEI/OZlmWn5WYf7O8LB/1A7scrYv44FD8ck3Z+hxXpkklAsjJMsHZa9mBqh+VR1AicX4uZG8m16x65ZU2uUpBa3rn8CTNmw17ZHOiuSWJtS9+PrZVA8ljgf4QgA1g6NPOEiLG2fn8Gm+r5Ak+9tqv72KDd2FPBJ7Xx4stYj/WjNPtEUhW4rcLK3ktLfcy6ea7Rocw5y5AgMBAAGjUTBPMAsGA1UdDwQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBR6jArOL0hiF+KU0a5VwVLscXSkVjAQBgkrBgEEAYI3FQEEAwIBADANBgkqhkiG9w0BAQsFAAOCAgEAW4ioo1+J9VWC0UntSBXcXRm1ePTVamtsxVy/GpP4EmJd3Ub53JzNBfYdgfUL51CppS3ZY6BoagB+DqoA2GbSL+7sFGHBl5ka6FNelrwsH6VVw4xV/8klIjmqOyfatPYsz0sUdZev+reeiGpKVoXrK6BDnUU27/mgPtem5YKWvHB/soofUrLKzZV3WfGdx9zBr8V0xW6vO3CKaqkqU9y6EsQw34n7eJCbEVVQ8VdFd9iV1pmXwaBAfBwkviPTKEP9Cm+zbFIOLr3V3CL9hJj+gkTUuXWlJJ6wVXEG5i4rIbLAV59UrW4LonP+seqvWMJYUFxu/niF0R3fSGM+NU11DtBVkhRZt1u0kFhZqjDz1dWyfT/N7Hke3WsDqUFsBi+8SEw90rWx2aUkLvKo83oU4Mx4na+2I3l9F2a2VNGk4K7l3a00g51miPiq0Da0jqw30PaLluTMTGY5+RnZVh50JD6nk+Ea3wRkU8aiYFnpIxfKBZ72whmYYa/egj9IKeqpR0vuLebbU0fJBf880K1jWD3Z5SFyJXo057Mv0OPw5mttytE585ZIy5JsaRXlsOoWGRXE3kUT/MKR1UoAgR54c8Bsh+9Dq2wqIK9mRn15zvBDeyHG6+czurLopziOUeWokxZN1syrEdKlhFoPYavm6t+PzIcpdxZwHA+V3jLJPfI="],
    "authenticatorVersion": 1,
    "protocolFamily": "fido2",
    "upv": [{"major": 1, "minor": 0}],
    "assertionScheme": "FIDOV2",
    "authenticationAlgorithm": 12,
    "publicKeyAlgAndEncoding": 260,
    "attestationTypes": [15879],
    "userVerificationDetails": [
        [{ "userVerification": 2 }],
        [{ "userVerification": 4 }],
        [{ "userVerification": 16 }],
        [{ "userVerification": 64 }]
    ],
    "keyProtection": 6,
    "matcherProtection": 2,
    "attachmentHint": 1,
    "isSecondFactorOnly": false,
    "tcDisplay": 0,
    "icon": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEgAAABICAYAAABV7bNHAAACkUlEQVR42uyai3GDMAyGQyegGzACnaCMkBHoBhkhnSAj0A2SDaAT0E6QbEA3cOXW6XEpBtnImMv9utOllxjF/qKHLTdRSm0gdnkAAgACIAACIAACIAACIAgAARAAARAAARAAARBEAFCSJINKkpLuSTtSZbQz76W25zhKkpFWPbtaz6Q75vPuoluuPmqxlZK2yi76s9RznjlpN2K7CrFWaUAHNS0HT0Atw3YpDSjxbdoPuaziG3uk579cvIdeWsbQD7L7NAYoWpKmLy8chueO5reB7KKKrQnQJdDYn9AJZHc5QBT7enINY2hjxrqItsvJWSdxFxKuYlOlWJmE6zPPcsJuN7WFiF7me5DOAws4OyZyG6TOsr/KQziDaJm/mcy2V1V0+T0JeXxqqlrWC9mGGy3O6wwFaI0SdR+EMg9AEAACIAByqViZb+/prgFdN6qb306j3lTWs0BJ76Qjw0ktO+3ad60PQhMrfM9YwqK7lUPe4j+/OR40cDaqJeJ+xo80JsWih1WTBAcb8ysKrb+TfowQKy3v55wbBkk49FJbQusqr4snadL9hEtXC3nO1G1HG6UfxIj5oDnJlHPOVVAerWGmvYQxwc70hiTh7Bidy3/3ZFE6isxf8epNhUCl4n5ftYqWKzMP3IIquaFnquXO0sZ1yn/RWq69SuK6GdPXORfSz4HPnk1bNXO0+UZze5HqKIodNYwnHVVcOUivNcStxj4CGFYhWAWgXgmuF4JzdMhn6wDUm1DpmFyVY7IvQqeTRdod2v2F8lNn/gcpW+rUsOi9mAmFwlSo3Pw9JQ3p+8bhgnAMkPM613BxOBQqc2FEB4SmPQSAAAiAAAiAAAiAAAiAIAAEQAAEQAAEQPco3wIMADOXgFhOTghuAAAAAElFTkSuQmCC"
}

[aseigler]

The authenticator being Windows Hello comes from the AAGUID which is specific to Windows Hello. Theoretically a TPM attestation could come with some other AAGUID besides those provided by Microsoft but I'm unaware of any other vendor that has implemented TPM attestation.

Wouldn't the TPM need to have the private key associated with the cert burned into it? Is Microsoft really signing the attestation with a software key or something? I can't imagine that.

If I had to guess, I would guess they are doing some trickery involving the real TPM and some sort of cloud service that does the signing. I wonder if this works in an offline scenario? I seriously doubt they are using software backed keys and calling them hardware, but it certainly seems that the TPM attestation generated by Hello is not signed by the actual TPM directly.

I had asked Microsoft about their metadata and was sent the following. The only public references I've seen are here. Would be nice if they'd provide more information publicly.

This looks EXACTLY like metadata straight out of the MDS, but Hello is not published in MDS (there are 25 that are). It's more complete static data that what we currently have available.

[aseigler]

The more I think about this, the more I think we should scrap the static TPM roots and the custom validation logic entirely. Then, merge the Hello authenticator metadata in with our existing metadata solution, [validate the aikCert per the WebAuthn spec],(https://www.w3.org/TR/webauthn/#tpm-cert-requirements) and then do chain validation of aikCert in the exact same manner we do for packed and U2F attestations. Adding the conformance TPM authenticator metadata in the testing case would be trivial and we could add other TPM authenticators if and when they appear.

[aseigler]

{
    "aaguid": "08987058-cadc-4b81-b6e1-30de50dcbe96",
    "description": "Windows Hello Hardware Authenticator",
    ...
    "attestationTypes": [15888],
    ...
}

Interestingly, that attestationTypes value doesn't match any of the ones in https://fidoalliance.org/specs/common-specs/fido-registry-v2.1-ps-20191217.html#authenticator-attestation-types. It's either a typo and should be basic full, or it's a new type that has not been defined yet (or I can't find it).

Also, check out this branch where I've implemented the above ideas previously mentioned.

[aseigler]

Closing this in favor of #180.