@Unknown-Robot

Context

This PR fixes the Android Key Attestation test vector generation script.

Currently, the softwareEnforced and teeEnforced values in the attestation extension (OID 1.3.6.1.4.1.11129.2.1.17) of the generated certificate are empty sequences.

However, the WebAuthn Level 3 specification (Verification Procedure for Android Key Attestation) mandates verifying that:

  • The value in the AuthorizationList.origin field is equal to KM_ORIGIN_GENERATED.
  • The value in the AuthorizationList.purpose field is equal to KM_PURPOSE_SIGN.

Changes

  • Updated webauthn-test-vectors.py to replace the generic empty list with ASN.1 SEQUENCE constructions:
    • softwareEnforced: Explicit construction of empty SEQUENCE to represent AuthorizationList
    • teeEnforced: Explicit construction of SEQUENCE to represent AuthorizationList with fields:
      • purpose [Tag 1]: Encoded as an EXPLICIT SET OF INTEGER containing KM_PURPOSE_SIGN (integer 2).
      • origin [Tag 702]: Encoded as an EXPLICIT INTEGER value KM_ORIGIN_GENERATED (integer 0).
  • Regenerated the test vector artifact index.bs with test-vectors/inject-generated-content.sh.

References

Notes to Maintainers

1. Stacked PR
This PR is based on the branch issue-2373-android-key-test-vectors (from PR #2373) to avoid merge conflicts, as suggested by @emlun.

2. Future Improvements
While reviewing the WebAuthn Level 3 spec (Section 8.4) regarding the "union of teeEnforced and softwareEnforced", I noticed we currently lack a test vector that exercises the "Software Only" or "Hybrid" path.

The current vector—once fixed by this PR—represents the "Ideal/Strict" path (TEE-backed). To fully validate the "Permissive Mode" logic in Relying Parties, it would be beneficial to add a separate test vector in the future where Purpose and Origin are located in softwareEnforced.

I would be happy to open a separate issue or follow-up PR to address this gap if the maintainers agree.

The `softwareEnforced` and `teeEnforced` values in the `attestation` extension (OID `1.3.6.1.4.1.11129.2.1.17`) of the generated certificate are currently empty sequences.

However, the WebAuthn Level 3 specification (Verification Procedure for Android Key Attestation) mandates verifying that:
- The value in the `AuthorizationList.origin` field is equal to `KM_ORIGIN_GENERATED`.
- The value in the `AuthorizationList.purpose` field is equal to `KM_PURPOSE_SIGN`.

This commit populates the `teeEnforced` list with these mandatory fields to ensure the test vector complies with the verification procedure for hardware-backed keys.
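
The encoding described in this PR, as an added example that is not part of the PR or of `webauthn-test-vectors.py`: it builds the DER for the populated `teeEnforced` list (including the multi-byte tag for `[702]`) and runs the origin/purpose check over both lists. All function names and the `tee_only` flag are hypothetical, and taking the union as a dict merge where `teeEnforced` wins is an assumption.

```python
# Added example, not the project's script; constant values are those named in the PR.
KM_PURPOSE_SIGN, KM_ORIGIN_GENERATED = 2, 0
TAG_PURPOSE, TAG_ORIGIN = 1, 702

def tlv(tag: bytes, body: bytes) -> bytes:
    if len(body) > 127:  # this sketch handles short-form lengths only
        raise ValueError("body too long")
    return tag + bytes([len(body)]) + body

def explicit_tag(n: int) -> bytes:  # context-specific, constructed
    if n < 31:
        return bytes([0xA0 | n])
    groups = [n & 0x7F]  # n >= 31: 0xBF prefix, then base-128 groups
    while n := n >> 7:
        groups.insert(0, (n & 0x7F) | 0x80)
    return bytes([0xBF, *groups])

PURPOSE_SIGN = tlv(b"\x31", tlv(b"\x02", bytes([KM_PURPOSE_SIGN])))  # SET OF INTEGER
ORIGIN_GENERATED = tlv(b"\x02", bytes([KM_ORIGIN_GENERATED]))        # INTEGER

def build_tee_enforced() -> bytes:
    return tlv(b"\x30", tlv(explicit_tag(TAG_PURPOSE), PURPOSE_SIGN)
               + tlv(explicit_tag(TAG_ORIGIN), ORIGIN_GENERATED))

def read_tlv(buf: bytes, pos: int):  # -> ((class_bits, tag_number), body, next_pos)
    cls, num, pos = buf[pos] & 0xC0, buf[pos] & 0x1F, pos + 1
    if num == 0x1F:  # high-tag-number form, e.g. origin [702]
        num = buf[pos] & 0x7F
        while buf[pos] & 0x80:
            pos += 1
            num = (num << 7) | (buf[pos] & 0x7F)
        pos += 1
    end = pos + 1 + buf[pos]
    if buf[pos] > 127 or end > len(buf):
        raise ValueError("unsupported or truncated length")
    return (cls, num), buf[pos + 1:end], end

def fields(auth_list: bytes) -> dict:  # context tag number -> inner DER
    tag, body, end = read_tlv(auth_list, 0)
    if tag != (0, 0x10) or end != len(auth_list):
        raise ValueError("expected exactly one SEQUENCE")
    out, pos = {}, 0
    while pos < len(body):
        (_, num), inner, pos = read_tlv(body, pos)
        out[num] = inner
    return out

def verify(software: bytes, tee: bytes, tee_only: bool) -> bool:
    merged = fields(tee) if tee_only else {**fields(software), **fields(tee)}
    return merged.get(TAG_PURPOSE) == PURPOSE_SIGN and merged.get(TAG_ORIGIN) == ORIGIN_GENERATED
```

`build_tee_enforced().hex()` is `300ea1053103020102bf853e03020100`. Two empty lists (`30 00`) fail `verify` in either mode, and a populated `softwareEnforced` with an empty `teeEnforced` passes only with `tee_only=False`.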
Member

@emlun emlun left a comment

Very good, thanks!

@emlun
Member

emlun commented Feb 4, 2026

I would merge this (into #2378) right away, but I notice the IPR bot has flagged an issue and I hesitate to call this non-substantive (even though it is non-normative). @simoneonofri what do you think is the proper course of action here?

Meanwhile @Unknown-Robot, your proposed future improvements sound great to me, please go ahead with that if you'd like. You can open a new PR and target this one as the base, GitHub will automatically update it to re-target #2378 when this PR is merged (or ultimately to main if #2378 also happens to be merged first).
