@joostd
Created December 21, 2022 20:37
Retrieve a list of AAGUIDs from the FIDO metadata service
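# install dependencies:
# brew install step jq

# remove a target file if its recipe fails, so a failed verification leaves no stale output
.DELETE_ON_ERROR:

.PHONY: all
all: aaguid.tsv
	cat aaguid.tsv | sort -k2

# download the signed metadata blob (a JWT)
md.jwt:
	curl -Ls https://mds3.fidoalliance.org/ --output md.jwt

# validate the signing certificate chain, then the JWT signature
# (--subtle: step skips its checks of claims such as iss/aud)
md.jwt.json: md.jwt root-r3.pem intermediates.pem mds.pem
	openssl verify -CAfile root-r3.pem -untrusted intermediates.pem mds.pem
	cat md.jwt | step crypto jwt verify --key mds.pem --alg RS256 --subtle > md.jwt.json

# extract the payload of the verified JWT
md.json: md.jwt.json
	cat md.jwt.json | jq .payload > md.json

# list AAGUID and description for every entry that has an AAGUID
aaguid.tsv: md.json
	cat md.json | jq -r '.entries[] | select(.aaguid) | .metadataStatement | [.aaguid,.description] | @tsv' > aaguid.tsv

# retrieve certificate chain
# NOTE: the root is fetched over plain HTTP; compare its fingerprint with one obtained out of band
root-r3.crt:
	wget -q http://secure.globalsign.com/cacert/root-r3.crt

root-r3.pem: root-r3.crt
	openssl x509 -inform der -in root-r3.crt -out root-r3.pem

# signing certificate: first x5c entry (inspect does not verify the signature, hence --insecure)
mds.pem: md.jwt
	cat md.jwt | step crypto jwt inspect --insecure | jq -r '.header.x5c[0]' | base64 -d | openssl x509 -inform der -out mds.pem

# intermediate certificates: the remaining x5c entries
intermediates.pem: md.jwt
	cat md.jwt | step crypto jwt inspect --insecure | jq -r '.header.x5c[1:][]' | while read -r pem; do echo "$$pem" | base64 -d | openssl x509 -inform der; done > intermediates.pem

.PHONY: clean
clean:
	-rm md.jwt md.json aaguid.tsv md.jwt.json root-r3.pem root-r3.crt intermediates.pem mds.pem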