Align with rev. 10 of the spec #268
- Enable encoding of nil containers as empty arrays rather than null (we usually omitempty so this mostly doesn't matter, but there are some exceptions (e.g. conditional endorsement series condition) where we want to encode the empty value correctly). - Enable deterministic sorting of map keys for CoTS. Signed-off-by: Sergei Trofimov <sergei.trofimov@arm.com>
Rev. 10 of the spec[1] defines the condition part of
conditional-endorsement-series-triple-record as

    condition: [
      environment: environment-map
      claims-list: [ * measurement-map ]
      ? authorized-by: [ + $crypto-key-type-choice ]
    ]

The previous implementation used a type-aliased ValueTriple. This had two
issues:
- It did not allow specifying authorized-by
- It did not allow an empty claims-list (reference and endorsement
triples require at least one measurement and this is enforced by
ValueTriple).
Implement CondEndorseSeriesCondition with correct CBOR marshalling and
use it instead of the ValueTriple.
[1]: https://www.ietf.org/archive/id/draft-ietf-rats-corim-10.html#name-conditional-endorsement-ser
Signed-off-by: Sergei Trofimov <sergei.trofimov@arm.com>
Implement conditional endorsement triples as described in section 5.1.7 of rev. 10 of the spec[1]. [1]: https://www.ietf.org/archive/id/draft-ietf-rats-corim-10.html#name-conditional-endorsement-tri Signed-off-by: Sergei Trofimov <sergei.trofimov@arm.com>
Update Locator to allow multiple hrefs and thumbprints. In both cases, if only one element is present in the field, it serializes as a single item, otherwise the field is serialized as an array. Signed-off-by: Sergei Trofimov <sergei.trofimov@arm.com>
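The one-item-as-scalar, many-items-as-array rule described in the commit above, as an added example that is not the project's own code: a hypothetical `Hrefs` type with encoding/json marshalling, including the round-trip caveat that the decoder must accept both shapes.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Hrefs is a hypothetical stand-in for a Locator's href field: one URI
// serializes as a bare string, several as an array.
type Hrefs []string

// MarshalJSON emits a single string when there is exactly one element and
// an array otherwise. An empty list is an error rather than null.
func (h Hrefs) MarshalJSON() ([]byte, error) {
	switch len(h) {
	case 0:
		return nil, fmt.Errorf("hrefs: at least one href is required")
	case 1:
		return json.Marshal(h[0])
	default:
		// Convert to []string so we do not recurse into this method.
		return json.Marshal([]string(h))
	}
}

// UnmarshalJSON accepts either form, so a document produced under the
// single-item rule round-trips through the same type.
func (h *Hrefs) UnmarshalJSON(b []byte) error {
	if string(b) == "null" {
		return nil // by encoding/json convention, null is a no-op
	}
	var one string
	if err := json.Unmarshal(b, &one); err == nil {
		*h = Hrefs{one}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return fmt.Errorf("hrefs: expected string or array of strings: %w", err)
	}
	if len(many) == 0 {
		return fmt.Errorf("hrefs: empty array")
	}
	*h = Hrefs(many)
	return nil
}
```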
thomas-fossati
left a comment
Awesome work, thanks!
I have left a comment about the validation of membership triples, but it is non-blocking (i.e., we can address that separately)
Note for self: this would come in handy in the x5chain header handling in signed corim.
    // Valid returns an error if DomainMembershipTriples is empty or contains
    // invalid elements.
    func (o DomainMembershipTriples) Valid() error {
Another validation criterion is that the graph described by the triples is acyclic. We have a similar check already in place for the domain dependency triples.
According to the spec, acyclicity is a requirement only for domain dependency triples; it is not mentioned for domain membership.
All right, that's probably a bug in the specification.
Logically, it makes no sense for the graph describing a domain's aggregate to be cyclical: it’d mean that an attester contains itself :-)
Agreed, however, if the usage described in the spec does not rely on acyclicity, there is no reason for it to be explicitly stated. For domain dependencies, processing in section 9 requires acyclicity, hence the explicit constraint. (At least, that was my interpretation of why the spec is the way it is).
I believe the current spec's asymmetrical behaviour is confusing.
Even for domain dependencies, we could allow the verifier to determine that a cycle is about to be entered, rather than making this a precondition of the processing step...
Agreed, but does membership imply specifically a proper/strict subset? Can you not have a composite attester with exactly one constituent, so that there is a single RoT which is in fact a (non-proper) subset of itself?
No. If it is a composite device, there must be one lead and at least one sub-attester. If it is a layered attester, there must be at least two layers.
In both cases, a composite attester requires at least two distinct components.
OK, if it is forbidden for the lead and the sub-attester to be the same, then fair enough.
I've updated the implementation to check for cycles in the same way as dependency triples.
Thank you very much!
note to self: if I'm not mistaken, this was the missing piece needed to finalise the alignment of the CCA profile implementation with the specification.
note to self: veraison/eat’s measured component implementation (https://github.com/veraison/eat/blob/main/measured_component.go) can be updated accordingly.
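The acyclicity check agreed on in the review thread above, as an added example that is not the project's code: a simplified, hypothetical `DomainMembershipTriples.Valid` that rejects an empty list and any domain that transitively contains itself (including the one-element self-containment case), using a depth-first search over the containment graph. Environments are reduced to string labels here.

```go
package main

import "fmt"

// DomainMembershipTriple is a hypothetical, simplified stand-in for the
// project's type: a domain and the environments (string labels) it contains.
type DomainMembershipTriple struct {
	Domain  string
	Members []string
}

type DomainMembershipTriples []DomainMembershipTriple

// Valid returns an error if the list is empty or if the containment graph
// has a cycle, i.e. some domain transitively contains itself.
func (o DomainMembershipTriples) Valid() error {
	if len(o) == 0 {
		return fmt.Errorf("no domain membership triples")
	}
	edges := map[string][]string{} // domain -> direct members
	for _, t := range o {
		edges[t.Domain] = append(edges[t.Domain], t.Members...)
	}
	// DFS colouring: 0 unvisited, 1 on the current path, 2 fully explored.
	// Meeting a node already on the current path means a cycle.
	state := map[string]int{}
	var visit func(n string) error
	visit = func(n string) error {
		switch state[n] {
		case 1:
			return fmt.Errorf("membership cycle through %q", n)
		case 2:
			return nil
		}
		state[n] = 1
		for _, m := range edges[n] {
			if err := visit(m); err != nil {
				return err
			}
		}
		state[n] = 2
		return nil
	}
	for d := range edges {
		if err := visit(d); err != nil {
			return err
		}
	}
	return nil
}
```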
Implement domain membership triples as described in section 5.1.1.11.1 of rev. 10 of the spec[1]. [1]: https://www.ietf.org/archive/id/draft-ietf-rats-corim-10.html#name-domain-membership-triple Signed-off-by: Sergei Trofimov <sergei.trofimov@arm.com>
Integer has been removed as a valid class ID variant since rev. 5. BREAKING CHANGE: integer is no longer a valid type for class ID. Signed-off-by: Sergei Trofimov <sergei.trofimov@arm.com>
Add support for ASN1 DER x509 certificate as a CryptoKey variant. This was introduced in rev. 6 of the spec. Signed-off-by: Sergei Trofimov <sergei.trofimov@arm.com>
Re-implement raw value to add the masked variant plus support type extension. BREAKING CHANGE: the raw value API has been re-written to be more usable and aligned with the rest of the code base. Signed-off-by: Sergei Trofimov <sergei.trofimov@arm.com>
- Add MustNewRawInteger, a panicking version of NewRawInteger. - Allow int as input into NewRawIntInteger (only int64 was accepted before). - Add int-range (code point 15) to Mval. Signed-off-by: Sergei Trofimov <sergei.trofimov@arm.com>
Serialize the bytes variant as base64 strings. This is consistent with how bytes are serialized elsewhere. This fixes CryptoKey serialization more generally, making it consistent with how serialization is handled for other type-extended types; i.e. by relying on factory functions constructing the zero value for the type when given nil as input. Signed-off-by: Sergei Trofimov <sergei.trofimov@arm.com>
Add conditions field to KeyTriple, which may be combined with the Environment field to identify the Target Environment the triple relates to. This field was first introduced in rev. 7 of the spec. Signed-off-by: Sergei Trofimov <sergei.trofimov@arm.com>
Add CoswidTriples to the Triples struct. A CoSWID triple relates reference measurements contained in one or more CoSWIDs to a Target Environment. Signed-off-by: Sergei Trofimov <sergei.trofimov@arm.com>
Rev. 8 of the spec added the existing CryptoKey types (sans chain types) to possible variants of the instance-id-type-choice. This updates Instance to support key types. Signed-off-by: Sergei Trofimov <sergei.trofimov@arm.com>
Add tags to TaggedRawIntRange struct to ensure that it is marshaled as array in CBOR and uses lower-case fields in JSON. Signed-off-by: Sergei Trofimov <sergei.trofimov@arm.com>
Move TaggedURI out of entity.go into its own file. Implement ITypeChoiceValue interface, allowing TaggedURI to be used as a type choice variant. Signed-off-by: Sergei Trofimov <sergei.trofimov@arm.com>
Align definition of Profile with the CoRIM spec, which defines it as a uri or tagged-oid-type (or some extension variant). Up to this point, the implementation re-used EAT Profile. That is defined similarly, but both of its variants are untagged (it also does not allow extension). Define a new Profile type implementing the existing type choice pattern with TaggedOID and TaggedURI variants, and allowing registering of additional variants. BREAKING CHANGE: UnsignedCorim.Profile type changed from *eat.Profile to *Profile; both CBOR and JSON encodings now encode profile as a tagged value rather than string. Signed-off-by: Sergei Trofimov <sergei.trofimov@arm.com>
Replace swid.HashEntry with a new Digest type. This is needed to accommodate text algorithm IDs supported by the CoRIM spec rev. 10[1], but not allowed by CoSWID. Note: CoRIM borrows the definition of Digest from EAT measured components spec[2]. The latter, unlike the CoRIM spec, defines a JSON representation, so the JSON serialization of digests has been changed to match that. [1]: https://datatracker.ietf.org/doc/html/draft-ietf-rats-corim-10 [2]: https://datatracker.ietf.org/doc/html/draft-ietf-rats-eat-measured-component-12 BREAKING CHANGE: swid.HashEntry is replaced with comid.Digest; their fields differ. Also JSON serialization for digests changed to be consistent with the one defined for eatmc.digest. Signed-off-by: Sergei Trofimov <sergei.trofimov@arm.com>
Add tests to unmarshal compiled diag examples from the spec GitHub repository[1]. Specifically, all corim-*.diag and comid-*.diag are added as test case sources in the corim and comid sub-packages respectively, and a test added to each that runs through all compiled examples and ensures that they unmarshal without error. [1]: https://github.com/ietf-rats-wg/draft-ietf-rats-corim/tree/draft-ietf-rats-corim-10/cddl/examples Signed-off-by: Sergei Trofimov <sergei.trofimov@arm.com>
This adds missing triple types and brings the implementation in alignment with rev. 10 of the spec. This is verified by adding all
corim-*.cddl and comid-*.cddl examples from the spec repo and ensuring that they unmarshal without error.