feat: draft-ffm-rats-cca-token-00 support

Fix #31

Signed-off-by: Thomas Fossati <[email protected]>

go.mod

@@ -7,7 +7,7 @@ require (
 	github.com/lestrrat-go/jwx/v2 v2.0.8
 	github.com/stretchr/testify v1.8.1
 	github.com/veraison/eat v0.0.0-20220117140849-ddaf59d69f53
-	github.com/veraison/go-cose v1.1.0
+	github.com/veraison/go-cose v1.2.1
 	github.com/veraison/psatoken v1.2.1-0.20240719122628-26fe500fd5d4
 )
 

go.sum

@@ -37,8 +37,8 @@ github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKs
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/veraison/eat v0.0.0-20220117140849-ddaf59d69f53 h1:5gnX2TrGd/Xz8DOp2OaLtg/jLoIubSUTrgz6iZ58pJ4=
 github.com/veraison/eat v0.0.0-20220117140849-ddaf59d69f53/go.mod h1:+kxt8iuFiVvKRs2VQ1Ho7bbAScXAB/kHFFuP5Biw19I=
-github.com/veraison/go-cose v1.1.0 h1:AalPS4VGiKavpAzIlBjrn7bhqXiXi4jbMYY/2+UC+4o=
-github.com/veraison/go-cose v1.1.0/go.mod h1:7ziE85vSq4ScFTg6wyoMXjucIGOf4JkFEZi/an96Ct4=
+github.com/veraison/go-cose v1.2.1 h1:Gj4x20D0YP79J2+cK3anjGEMwIkg2xX+TKVVGUXwNAc=
+github.com/veraison/go-cose v1.2.1/go.mod h1:t6V8WJzHm1PD5HNsuDjW3KLv577uWb6UTzbZGvdQHD8=
 github.com/veraison/psatoken v1.2.1-0.20240719122628-26fe500fd5d4 h1:N7qg7vDF2mUg7I+8AoU+ieJ20cgcShwFHXHkV5b2YAA=
 github.com/veraison/psatoken v1.2.1-0.20240719122628-26fe500fd5d4/go.mod h1:6+WZzXr0ACXYiUAJJqTaCxW43gY2+gEaCoVNdDv3+Bw=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=

platform/claims.go

@@ -11,7 +11,8 @@ import (
 	"github.com/veraison/psatoken"
 )
 
-const ProfileName = "http://arm.com/CCA-SSD/1.0.0"
+const ProfileNameLegacy = "http://arm.com/CCA-SSD/1.0.0"
+const ProfileName = "tag:arm.com,2023:cca_platform#1.0.0"
 
 // Profile is the psatoken.IProfile implementation for CCA claims. It is
 // registered to associate the claims with the profile name, so that it can be
@@ -22,6 +23,10 @@ func (o Profile) GetName() string {
 	return ProfileName
 }
 
+func (o Profile) GetNameLegacy() string {
+	return ProfileNameLegacy
+}
+
 func (o Profile) GetClaims() psatoken.IClaims {
 	return NewClaims()
 }
@@ -212,7 +217,7 @@ func (c *Claims) GetProfile() (string, error) {
 		return "", err
 	}
 
-	if profileString != c.CanonicalProfile {
+	if profileString != c.CanonicalProfile && profileString != ProfileNameLegacy {
 		return "", fmt.Errorf("%w: expecting %q, got %q",
 			psatoken.ErrWrongProfile, c.CanonicalProfile, profileString)
 	}

platform/claims_test.go

@@ -182,7 +182,6 @@ func Test_CCAPlatform_UnmarshalCBOR_ok_mandatory_only(t *testing.T) {
 	actualSwComp, err := c.GetSoftwareComponents()
 	assert.NoError(t, err)
 	assert.Equal(t, expectedSwComp, actualSwComp)
-
 }
 
 func Test_CCAPlatform_Claims_UnmarshalCBOR_bad_input(t *testing.T) {
@@ -216,7 +215,7 @@ func Test_CCAPlatform_MarshalJSON_ok(t *testing.T) {
 	c := mustBuildValidClaims(t, true)
 
 	expected := `{
-	   "cca-platform-profile": "http://arm.com/CCA-SSD/1.0.0",
+	   "cca-platform-profile": "tag:arm.com,2023:cca_platform#1.0.0",
 	   "cca-platform-challenge":  "AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQE=",
 	   "cca-platform-implementation-id":"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
 	   "cca-platform-instance-id": "AQICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC",
@@ -309,18 +308,16 @@ func Test_CCAPlatform_UnmarshalJSON_negatives(t *testing.T) {
 func Test_DecodeClaims_CCAPlatform_ok(t *testing.T) {
 	tvs := []string{
 		testEncodedCcaPlatformClaimsAll,
+		testEncodedCcaPlatformLegacyClaimsAll,
 		testEncodedCcaPlatformClaimsMandatoryOnly,
+		testEncodedCcaPlatformLegacyClaimsMandatoryOnly,
 	}
 
 	for _, tv := range tvs {
 		buf := mustHexDecode(t, tv)
-		c, err := DecodeAndValidateClaimsFromCBOR(buf)
-
-		assert.NoError(t, err)
+		_, err := DecodeAndValidateClaimsFromCBOR(buf)
 
-		actualProfile, err := c.GetProfile()
 		assert.NoError(t, err)
-		assert.Equal(t, ProfileName, actualProfile)
 	}
 }
 
@@ -374,7 +371,7 @@ func Test_DecodeJSONClaims_CcaPlatform(t *testing.T) {
 	assert.NoError(t, err)
 	actualProfile, err := c.GetProfile()
 	assert.NoError(t, err)
-	assert.Equal(t, ProfileName, actualProfile)
+	assert.Equal(t, ProfileNameLegacy, actualProfile)
 }
 
 func Test_DecodeUnvalidatedJSONCCAClaims(t *testing.T) {

platform/pretty_test_vectors.go

@@ -1,10 +1,22 @@
-// Copyright 2021-2024 Contributors to the Veraison project.
-// SPDX-License-Identifier: Apache-2.0
-
 package platform
 
 // automatically generated from CcaPlatformClaimsAll.diag
 var testEncodedCcaPlatformClaimsAll = `
+a919010978237461673a61726d2e636f6d2c323032333a6363615f706c61
+74666f726d23312e302e300a582001010101010101010101010101010101
+0101010101010101010101010101010119095c5820000000000000000000
+000000000000000000000000000000000000000000000019010058210102
+020202020202020202020202020202020202020202020202020202020202
+021909614301020319095b19300019095f81a20258200303030303030303
+030303030303030303030303030303030303030303030303055820040404
+040404040404040404040404040404040404040404040404040404040419
+0960782e68747470733a2f2f7665726169736f6e2e6578616d706c652f76
+312f6368616c6c656e67652d726573706f6e7365190962677368612d3235
+36
+`
+
+// automatically generated from CcaPlatformLegacyClaimsAll.diag
+var testEncodedCcaPlatformLegacyClaimsAll = `
 a9190109781c687474703a2f2f61726d2e636f6d2f4343412d5353442f31
 2e302e300a58200101010101010101010101010101010101010101010101
 01010101010101010119095c582000000000000000000000000000000000
@@ -17,6 +29,32 @@ a9190109781c687474703a2f2f61726d2e636f6d2f4343412d5353442f31
 656e67652d726573706f6e7365190962677368612d323536
 `
 
+// automatically generated from CcaPlatformClaimsMandatoryOnly.diag
+var testEncodedCcaPlatformClaimsMandatoryOnly = `
+a819010978237461673a61726d2e636f6d2c323032333a6363615f706c61
+74666f726d23312e302e300a582001010101010101010101010101010101
+0101010101010101010101010101010119095c5820000000000000000000
+000000000000000000000000000000000000000000000019010058210102
+020202020202020202020202020202020202020202020202020202020202
+021909614301020319095b19300019095f81a20258200303030303030303
+030303030303030303030303030303030303030303030303055820040404
+040404040404040404040404040404040404040404040404040404040419
+0962677368612d323536
+`
+
+// automatically generated from CcaPlatformLegacyClaimsMandatoryOnly.diag
+var testEncodedCcaPlatformLegacyClaimsMandatoryOnly = `
+a8190109781c687474703a2f2f61726d2e636f6d2f4343412d5353442f31
+2e302e300a58200101010101010101010101010101010101010101010101
+01010101010101010119095c582000000000000000000000000000000000
+000000000000000000000000000000001901005821010202020202020202
+020202020202020202020202020202020202020202020202190961430102
+0319095b19300019095f81a2025820030303030303030303030303030303
+030303030303030303030303030303030305582004040404040404040404
+04040404040404040404040404040404040404040404190962677368612d
+323536
+`
+
 // automatically generated from CcaPlatformClaimsInvalidMultiNonce.diag
 var testEncodedCcaPlatformClaimsInvalidMultiNonce = `
 a9190109781c687474703a2f2f61726d2e636f6d2f4343412d5353442f31
@@ -32,19 +70,6 @@ a9190109781c687474703a2f2f61726d2e636f6d2f4343412d5353442f31
 6368616c6c656e67652d726573706f6e7365190962677368612d323536
 `
 
-// automatically generated from CcaPlatformClaimsMandatoryOnly.diag
-var testEncodedCcaPlatformClaimsMandatoryOnly = `
-a8190109781c687474703a2f2f61726d2e636f6d2f4343412d5353442f31
-2e302e300a58200101010101010101010101010101010101010101010101
-01010101010101010119095c582000000000000000000000000000000000
-000000000000000000000000000000001901005821010202020202020202
-020202020202020202020202020202020202020202020202190961430102
-0319095b19300019095f81a2025820030303030303030303030303030303
-030303030303030303030303030303030305582004040404040404040404
-04040404040404040404040404040404040404040404190962677368612d
-323536
-`
-
 // automatically generated from CcaPlatformClaimsMissingMandatoryNonce.diag
 var testEncodedCcaPlatformClaimsMissingMandatoryNonce = `
 a8190109781c687474703a2f2f61726d2e636f6d2f4343412d5353442f31

platform/testvectors/cbor/CcaPlatformClaimsAll.diag

@@ -1,5 +1,5 @@
 {
-  265: "http://arm.com/CCA-SSD/1.0.0",
+  265: "tag:arm.com,2023:cca_platform#1.0.0",
   10: h'0101010101010101010101010101010101010101010101010101010101010101',
   2396: h'0000000000000000000000000000000000000000000000000000000000000000',
   256: h'010202020202020202020202020202020202020202020202020202020202020202',

platform/testvectors/cbor/CcaPlatformClaimsMandatoryOnly.diag

@@ -1,5 +1,5 @@
 {
-  265: "http://arm.com/CCA-SSD/1.0.0",
+  265: "tag:arm.com,2023:cca_platform#1.0.0",
   10: h'0101010101010101010101010101010101010101010101010101010101010101',
   2396: h'0000000000000000000000000000000000000000000000000000000000000000',
   256: h'010202020202020202020202020202020202020202020202020202020202020202',

platform/testvectors/cbor/CcaPlatformExample.diag

@@ -0,0 +1,25 @@
+{
+    265: "tag:arm.com,2023:cca_platform#1.0.0",
+    10: h'0D22E08A98469058486318283489BDB36F09DBEFEB1864DF433FA6E54EA2D711',
+    2396: h'7F454C4602010100000000000000000003003E00010000005058000000000000',
+    256: h'0107060504030201000F0E0D0C0B0A090817161514131211101F1E1D1C1B1A1918',
+    2401: h'CFCFCFCF',
+    2395: 12291,
+    2402: "sha-256",
+    2400: "https://veraison.example/.well-known/veraison/verification",
+    2399: [
+        { 1: "RSE_BL1_2", 5: h'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3', 2: h'9A271F2A916B0B6EE6CECB2426F0B3206EF074578BE55D9BC94F6F3FE3AB86AA', 6: "sha-256" },
+        { 1: "RSE_BL2", 5: h'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3', 2: h'53C234E5E8472B6AC51C1AE1CAB3FE06FAD053BEB8EBFD8977B010655BFDD3C3', 6: "sha-256" },
+        { 1: "RSE_S", 5: h'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3', 2: h'1121CFCCD5913F0A63FEC40A6FFD44EA64F9DC135C66634BA001D10BCF4302A2', 6: "sha-256" },
+        { 1: "AP_BL1", 5: h'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3', 2: h'1571B5EC78BD68512BF7830BB6A2A44B2047C7DF57BCE79EB8A1C0E5BEA0A501', 6: "sha-256" },
+        { 1: "AP_BL2", 5: h'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3', 2: h'10159BAF262B43A92D95DB59DAE1F72C645127301661E0A3CE4E38B295A97C58', 6: "sha-256" },
+        { 1: "SCP_BL1", 5: h'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3', 2: h'10122E856B3FCD49F063636317476149CB730A1AA1CFAAD818552B72F56D6F68', 6: "sha-256" },
+        { 1: "SCP_BL2", 5: h'F14B4987904BCB5814E4459A057ED4D20F58A633152288A761214DCD28780B56', 2: h'AA67A169B0BBA217AA0AA88A65346920C84C42447C36BA5F7EA65F422C1FE5D8', 6: "sha-256" },
+        { 1: "AP_BL31", 5: h'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3', 2: h'2E6D31A5983A91251BFAE5AEFA1C0A19D8BA3CF601D0E8A706B4CFA9661A6B8A', 6: "sha-256" },
+        { 1: "RMM", 5: h'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3', 2: h'A1FB50E6C86FAE1679EF3351296FD6713411A08CF8DD1790A4FD05FAE8688164', 6: "sha-256" },
+        { 1: "HW_CONFIG", 5: h'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3', 2: h'1A252402972F6057FA53CC172B52B9FFCA698E18311FACD0F3B06ECAAEF79E17', 6: "sha-256" },
+        { 1: "FW_CONFIG", 5: h'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3', 2: h'9A92ADBC0CEE38EF658C71CE1B1BF8C65668F166BFB213644C895CCB1AD07A25', 6: "sha-256" },
+        { 1: "TB_FW_CONFIG", 5: h'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3', 2: h'238903180CC104EC2C5D8B3F20C5BC61B389EC0A967DF8CC208CDC7CD454174F', 6: "sha-256" },
+        { 1: "SOC_FW_CONFIG", 5: h'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3', 2: h'E6C21E8D260FE71882DEBDB339D2402A2CA7648529BC2303F48649BCE0380017', 6: "sha-256" }
+    ]
+}

platform/testvectors/cbor/CcaPlatformLegacyClaimsAll.diag

@@ -0,0 +1,16 @@
+{
+  265: "http://arm.com/CCA-SSD/1.0.0",
+  10: h'0101010101010101010101010101010101010101010101010101010101010101',
+  2396: h'0000000000000000000000000000000000000000000000000000000000000000',
+  256: h'010202020202020202020202020202020202020202020202020202020202020202',
+  2401: h'010203',
+  2395: 12288,
+  2399: [
+    {
+      2: h'0303030303030303030303030303030303030303030303030303030303030303',
+      5: h'0404040404040404040404040404040404040404040404040404040404040404'
+    }
+  ],
+  2400: "https://veraison.example/v1/challenge-response",
+  2402: "sha-256"
+}

platform/testvectors/cbor/CcaPlatformLegacyClaimsMandatoryOnly.diag

@@ -0,0 +1,15 @@
+{
+  265: "http://arm.com/CCA-SSD/1.0.0",
+  10: h'0101010101010101010101010101010101010101010101010101010101010101',
+  2396: h'0000000000000000000000000000000000000000000000000000000000000000',
+  256: h'010202020202020202020202020202020202020202020202020202020202020202',
+  2401: h'010203',
+  2395: 12288,
+  2399: [
+    {
+      2: h'0303030303030303030303030303030303030303030303030303030303030303',
+      5: h'0404040404040404040404040404040404040404040404040404040404040404'
+    }
+  ],
+  2402: "sha-256"
+}

platform/testvectors/cbor/build-test-vectors.sh

@@ -7,13 +7,15 @@ set -o pipefail
 
 DIAG_FILES=
 DIAG_FILES="${DIAG_FILES} CcaPlatformClaimsAll"
-DIAG_FILES="${DIAG_FILES} CcaPlatformClaimsInvalidMultiNonce"
+DIAG_FILES="${DIAG_FILES} CcaPlatformLegacyClaimsAll"
 DIAG_FILES="${DIAG_FILES} CcaPlatformClaimsMandatoryOnly"
+DIAG_FILES="${DIAG_FILES} CcaPlatformLegacyClaimsMandatoryOnly"
+DIAG_FILES="${DIAG_FILES} CcaPlatformClaimsInvalidMultiNonce"
 DIAG_FILES="${DIAG_FILES} CcaPlatformClaimsMissingMandatoryNonce"
 
 TV_DOT_GO=${TV_DOT_GO?must be set in the environment.}
 
-printf "package psatoken\n\n" > ${TV_DOT_GO}
+printf "package platform\n\n" > ${TV_DOT_GO}
 
 for t in ${DIAG_FILES}
 do

realm/claims.go

@@ -8,16 +8,30 @@ import (
 	"github.com/veraison/psatoken"
 )
 
+const ProfileName = "tag:arm.com,2023:realm#1.0.0"
+
 // Claims contains the CCA realm claims. It implements IClaims, which is an
 // extension of psatoken.IClaimBase.
 type Claims struct {
-	Challenge              *eat.Nonce `cbor:"10,keyasint" json:"cca-realm-challenge"`
-	PersonalizationValue   *[]byte    `cbor:"44235,keyasint" json:"cca-realm-personalization-value"`
-	InitialMeasurement     *[]byte    `cbor:"44238,keyasint" json:"cca-realm-initial-measurement"`
-	ExtensibleMeasurements *[][]byte  `cbor:"44239,keyasint" json:"cca-realm-extensible-measurements"`
-	HashAlgID              *string    `cbor:"44236,keyasint" json:"cca-realm-hash-algo-id"`
-	PublicKey              *[]byte    `cbor:"44237,keyasint" json:"cca-realm-public-key"`
-	PublicKeyHashAlgID     *string    `cbor:"44240,keyasint" json:"cca-realm-public-key-hash-algo-id"`
+	Profile                *eat.Profile `cbor:"265,keyasint" json:"cca-realm-profile,omitempty"`
+	Challenge              *eat.Nonce   `cbor:"10,keyasint" json:"cca-realm-challenge"`
+	PersonalizationValue   *[]byte      `cbor:"44235,keyasint" json:"cca-realm-personalization-value"`
+	InitialMeasurement     *[]byte      `cbor:"44238,keyasint" json:"cca-realm-initial-measurement"`
+	ExtensibleMeasurements *[][]byte    `cbor:"44239,keyasint" json:"cca-realm-extensible-measurements"`
+	HashAlgID              *string      `cbor:"44236,keyasint" json:"cca-realm-hash-algo-id"`
+	PublicKey              *[]byte      `cbor:"44237,keyasint" json:"cca-realm-public-key"`
+	PublicKeyHashAlgID     *string      `cbor:"44240,keyasint" json:"cca-realm-public-key-hash-algo-id"`
+}
+
+// NewClaims claims returns a new instance of Claims.
+func NewClaims() IClaims {
+	p := eat.Profile{}
+	if err := p.Set(ProfileName); err != nil {
+		// should never get here as using known good constant as input
+		panic(err)
+	}
+
+	return &Claims{Profile: &p}
 }
 
 // Setters
@@ -73,8 +87,14 @@ func (c *Claims) SetHashAlgID(v string) error {
 }
 
 func (c *Claims) SetPubKey(v []byte) error {
-	if err := ValidateRealmPubKey(v); err != nil {
-		return err
+	if c.Profile == nil {
+		if err := ValidateRealmPubKey(v); err != nil {
+			return err
+		}
+	} else {
+		if err := ValidateRealmPubKeyCOSE(v); err != nil {
+			return err
+		}
 	}
 
 	c.PublicKey = &v
@@ -110,6 +130,25 @@ func (c Claims) GetChallenge() ([]byte, error) {
 	return n, nil
 }
 
+// If profile is not found return ErrOptionalClaimMissing
+// func (c *Claims) GetProfile() (string, error) {
+// 	if c.Profile == nil {
+// 		return "", psatoken.ErrOptionalClaimMissing
+// 	}
+
+// 	profileString, err := c.Profile.Get()
+// 	if err != nil {
+// 		return "", err
+// 	}
+
+// 	if profileString != c.CanonicalProfile {
+// 		return "", fmt.Errorf("%w: expecting %q, got %q",
+// 			psatoken.ErrWrongProfile, c.CanonicalProfile, profileString)
+// 	}
+
+// 	return c.Profile.Get()
+// }
+
 func (c Claims) GetPersonalizationValue() ([]byte, error) {
 	v := c.PersonalizationValue
 
@@ -168,8 +207,14 @@ func (c Claims) GetPubKey() ([]byte, error) {
 		return nil, psatoken.ErrMandatoryClaimMissing
 	}
 
-	if err := ValidateRealmPubKey(*v); err != nil {
-		return nil, err
+	if c.Profile == nil {
+		if err := ValidateRealmPubKey(*v); err != nil {
+			return nil, err
+		}
+	} else {
+		if err := ValidateRealmPubKeyCOSE(*v); err != nil {
+			return nil, err
+		}
 	}
 
 	return *v, nil