Add parsing handler for Subject Directory Attributes

[salrashid123]

FR for x509ext to support a parsing handler if the subject directory attribute is set.

It seems it can hold arbitrary data so this FR is initially to accomodate the TPM Specification component.

from pg 25 : https://trustedcomputinggroup.org/wp-content/uploads/TCG_IWG_Credential_Profile_EK_V2.1_R13.pdf

3.2.11 Subject Directory Attributes
The extension includes miscellaneous properties and security assertions about the entity. This
extension MUST be non-critical.

The following attribute MAY be included in a subject directory attributes extension in the EK
certificate:

*  The “TPM Specification” attribute that identifies the family, level and revision of the TCG
TPM specification to which the TPM was designed. The ASN.1 encoding is specified in
section 3.1.3 TPM Specification Attributes.

If the subject directory can contain arbitrary data, maybe an enhancement is for the caller to supply a type struct to unmarshall to

[liamjm]

Do you have an example EK cert with the data you'd like to see parsed? This would help ensure any code developed meets your needs?

[salrashid123]

her'es one from a swtpm (most actual TPM have these too)

i parsed it like with something like this:

https://github.com/salrashid123/tls_ak/blob/main/client/grpc_verifier.go#L192-L224

---

            X509v3 Subject Directory Attributes: 
                TPM Specification:
    0:d=0  hl=2 l=  12 cons: SEQUENCE          
    2:d=1  hl=2 l=   3 prim:  UTF8STRING        :2.0           TPM Version=2
    7:d=1  hl=2 l=   1 prim:  INTEGER           :00
   10:d=1  hl=2 l=   2 prim:  INTEGER           :A4

rm -rf myvtpm && mkdir myvtpm  && swtpm_setup --tpmstate myvtpm --tpm2 --create-ek-cert &&    swtpm socket --tpmstate dir=myvtpm --tpm2 --server type=tcp,port=2321 --ctrl type=tcp,port=2322 --flags not-need-init,startup-clear --log level=2

export TPM2TOOLS_TCTI="swtpm:port=2321"

tpm2_getekcertificate -X -o ECcert.bin
openssl x509 -in ECcert.bin -inform DER -out ECCert.pem

openssl x509 -in ECCert.pem -inform PEM -noout -text 

-----BEGIN CERTIFICATE-----
MIID9TCCAl2gAwIBAgICAjQwDQYJKoZIhvcNAQELBQAwGDEWMBQGA1UEAxMNc3d0
cG0tbG9jYWxjYTAgFw0yNTEwMjAwNTIwNDBaGA85OTk5MTIzMTIzNTk1OVowEjEQ
MA4GA1UEAxMHdW5rbm93bjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
APG60TvWMjUhk7jW0dxVZ1/QQ4ZwJFDLhNLWFYUvvyWdxSpwwJouMWXNslbPboHW
4BbAzyQng0GAjEoLAfQz7qQF8It4Lb3A92w6gzByRM8Yvu1ymiCYSWi9pah8Scwb
eYlBR7gPvTrcjo2fVm4IRRWYRX4UNHzwXs+evUYyJs20BsPLFeaGPtbBvzA7nL6v
2gDkMlj59f5RAIsnuJUzeMyfOTRseqgDAATFj6fkyqF3B6QE0qI61sQQ9mBHh1aM
H6HJgXGs36Cw7H3gMJ3YZJkcpk3mYOt8le0KZCMd0ToEI4Cuw2P9QrGPEQ2WvI0G
Zg7z72FdKjGjYKG+V8wEfdUCAwEAAaOBzDCByTAQBgNVHSUECTAHBgVngQUIATBS
BgNVHREBAf8ESDBGpEQwQjEWMBQGBWeBBQIBDAtpZDowMDAwMTAxNDEQMA4GBWeB
BQICDAVzd3RwbTEWMBQGBWeBBQIDDAtpZDoyMDE5MTAyMzAMBgNVHRMBAf8EAjAA
MCIGA1UdCQQbMBkwFwYFZ4EFAhAxDjAMDAMyLjACAQACAgCkMB8GA1UdIwQYMBaA
FC9tUdt3Nuy5Lc3iJ4AxyLHsw4e0MA4GA1UdDwEB/wQEAwIFIDANBgkqhkiG9w0B
AQsFAAOCAYEAvFdhuK2x3VlMueCvUTGhd4i4Z+cGsZJvYFoK6cdq21o5tx6mZCVi
L/dMexV+oQBJ/sKh9JSTtYBhQj+YG9f8ttISHefnTIhaQhUxYHY4ozyn6bsZMoA+
GDG4wuvljW8+i3QGoSXE40i52fLHve/7hNGRVHJO0PU4tuQeATEgN+HpZxHQ0Nko
7ED8PDP1uUukqUWYrJ8gBgW2KHgPKv2i0QwQXG9rztrIaGk2z9tGuiAE+X1Vh1Yf
VTemxz+XSWOcswdId9SBdpwAeA4RH9yQdAVMrc2oiKxPREF6Zb/CZYf4xn4FoFld
fm0n+0JWjmGf+Y+FSjvmnwEYBozEVO32fJK52O9qHKjHNZ0pIHAsBwVSwJlR79a1
x8tauwAGVXJleSuSSybYLe640Wwc5+heIthk92q8TaGA7Nq0gRRbygycXoff3CYQ
oNs1+nk3YWMF0HhBOAI0fxp+G682p/RYNaPzvqaLRPWeGfQHFqDkrg9ZhsoMaOtw
oT5EXyFDLLYc
-----END CERTIFICATE-----

---

$ openssl x509 -in ECCert.pem -inform PEM -noout -text 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 564 (0x234)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=swtpm-localca
        Validity
            Not Before: Oct 20 05:20:40 2025 GMT
            Not After : Dec 31 23:59:59 9999 GMT
        Subject: CN=unknown
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:f1:ba:d1:3b:d6:32:35:21:93:b8:d6:d1:dc:55:
                    67:5f:d0:43:86:70:24:50:cb:84:d2:d6:15:85:2f:
                    bf:25:9d:c5:2a:70:c0:9a:2e:31:65:cd:b2:56:cf:
                    6e:81:d6:e0:16:c0:cf:24:27:83:41:80:8c:4a:0b:
                    01:f4:33:ee:a4:05:f0:8b:78:2d:bd:c0:f7:6c:3a:
                    83:30:72:44:cf:18:be:ed:72:9a:20:98:49:68:bd:
                    a5:a8:7c:49:cc:1b:79:89:41:47:b8:0f:bd:3a:dc:
                    8e:8d:9f:56:6e:08:45:15:98:45:7e:14:34:7c:f0:
                    5e:cf:9e:bd:46:32:26:cd:b4:06:c3:cb:15:e6:86:
                    3e:d6:c1:bf:30:3b:9c:be:af:da:00:e4:32:58:f9:
                    f5:fe:51:00:8b:27:b8:95:33:78:cc:9f:39:34:6c:
                    7a:a8:03:00:04:c5:8f:a7:e4:ca:a1:77:07:a4:04:
                    d2:a2:3a:d6:c4:10:f6:60:47:87:56:8c:1f:a1:c9:
                    81:71:ac:df:a0:b0:ec:7d:e0:30:9d:d8:64:99:1c:
                    a6:4d:e6:60:eb:7c:95:ed:0a:64:23:1d:d1:3a:04:
                    23:80:ae:c3:63:fd:42:b1:8f:11:0d:96:bc:8d:06:
                    66:0e:f3:ef:61:5d:2a:31:a3:60:a1:be:57:cc:04:
                    7d:d5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Extended Key Usage: 
                Endorsement Key Certificate
            X509v3 Subject Alternative Name: critical
                DirName:/tcg-at-tpmManufacturer=id:00001014/tcg-at-tpmModel=swtpm/tcg-at-tpmVersion=id:20191023
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Directory Attributes: 
                TPM Specification:
    0:d=0  hl=2 l=  12 cons: SEQUENCE          
    2:d=1  hl=2 l=   3 prim:  UTF8STRING        :2.0
    7:d=1  hl=2 l=   1 prim:  INTEGER           :00
   10:d=1  hl=2 l=   2 prim:  INTEGER           :A4


            X509v3 Authority Key Identifier: 
                2F:6D:51:DB:77:36:EC:B9:2D:CD:E2:27:80:31:C8:B1:EC:C3:87:B4
            X509v3 Key Usage: critical
                Key Encipherment
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        bc:57:61:b8:ad:b1:dd:59:4c:b9:e0:af:51:31:a1:77:88:b8:
        67:e7:06:b1:92:6f:60:5a:0a:e9:c7:6a:db:5a:39:b7:1e:a6:
        64:25:62:2f:f7:4c:7b:15:7e:a1:00:49:fe:c2:a1:f4:94:93:
        b5:80:61:42:3f:98:1b:d7:fc:b6:d2:12:1d:e7:e7:4c:88:5a:
        42:15:31:60:76:38:a3:3c:a7:e9:bb:19:32:80:3e:18:31:b8:
        c2:eb:e5:8d:6f:3e:8b:74:06:a1:25:c4:e3:48:b9:d9:f2:c7:
        bd:ef:fb:84:d1:91:54:72:4e:d0:f5:38:b6:e4:1e:01:31:20:
        37:e1:e9:67:11:d0:d0:d9:28:ec:40:fc:3c:33:f5:b9:4b:a4:
        a9:45:98:ac:9f:20:06:05:b6:28:78:0f:2a:fd:a2:d1:0c:10:
        5c:6f:6b:ce:da:c8:68:69:36:cf:db:46:ba:20:04:f9:7d:55:
        87:56:1f:55:37:a6:c7:3f:97:49:63:9c:b3:07:48:77:d4:81:
        76:9c:00:78:0e:11:1f:dc:90:74:05:4c:ad:cd:a8:88:ac:4f:
        44:41:7a:65:bf:c2:65:87:f8:c6:7e:05:a0:59:5d:7e:6d:27:
        fb:42:56:8e:61:9f:f9:8f:85:4a:3b:e6:9f:01:18:06:8c:c4:
        54:ed:f6:7c:92:b9:d8:ef:6a:1c:a8:c7:35:9d:29:20:70:2c:
        07:05:52:c0:99:51:ef:d6:b5:c7:cb:5a:bb:00:06:55:72:65:
        79:2b:92:4b:26:d8:2d:ee:b8:d1:6c:1c:e7:e8:5e:22:d8:64:
        f7:6a:bc:4d:a1:80:ec:da:b4:81:14:5b:ca:0c:9c:5e:87:df:
        dc:26:10:a0:db:35:fa:79:37:61:63:05:d0:78:41:38:02:34:
        7f:1a:7e:1b:af:36:a7:f4:58:35:a3:f3:be:a6:8b:44:f5:9e:
        19:f4:07:16:a0:e4:ae:0f:59:86:ca:0c:68:eb:70:a1:3e:44:
        5f:21:43:2c:b6:1c

[liamjm]

Thanks for the details.

We (Google) already have written an improved parser for EK certs, so we can migrate this code to this package as a first step. If this code doesn't meet the exact needs you have, we can work on that in subsequent PRs.

[liamjm]

#471 is the start of this work.