Enhanced trust anchor validation

- Update corim package dependency to latest, which feature updated trust anchor representations that allow for tighter validation based on a set of predefined types. - In addition to the validation we get "for free" form the above, add checks to endorsement decoders to make sure that the TAs are of the expected type for the scheme. Signed-off-by: Sergei Trofimov <[email protected]>
veraison · Sep 18, 2023 · b93231b · b93231b
1 parent ba3a555
commit b93231b
Show file tree

Hide file tree

Showing 65 changed files with 788 additions and 425 deletions.
diff --git a/.github/workflows/linters.yml b/.github/workflows/linters.yml
@@ -25,7 +25,7 @@ jobs:
     - name: Install golangci-lint
       run: |
         go version
-        curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.48.0
+        curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.51.1
     - name: Install Protoc
       uses: arduino/setup-protoc@v1
       with:

diff --git a/.gitignore b/.gitignore
@@ -36,3 +36,5 @@ tags
 
 .ipynb_checkpoints
 
+# generated by build-test-vector scripts
+scheme/**/*Comid*.cbor
diff --git a/end-to-end/input/cca-endorsements.cbor b/end-to-end/input/cca-endorsements.cbor
diff --git a/end-to-end/input/corim-src/build-endorsements.sh b/end-to-end/input/corim-src/build-endorsements.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+set -e
+
+TEMP_DIR=/tmp/veraison-end-to-end
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
+mkdir -p $TEMP_DIR
+
+for scheme in psa cca; do
+    cocli comid create --template ${SCRIPT_DIR}/comid-${scheme}-ta.json \
+                       --template ${SCRIPT_DIR}/comid-${scheme}-refval.json \
+                       --output-dir $TEMP_DIR
+    cocli corim create --template ${SCRIPT_DIR}/corim-${scheme}.json \
+                       --comid ${TEMP_DIR}/comid-${scheme}-refval.cbor \
+                       --comid ${TEMP_DIR}/comid-${scheme}-ta.cbor \
+                       --output ${SCRIPT_DIR}/../${scheme}-endorsements.cbor
+done
+
diff --git a/end-to-end/input/corim-src/comid-cca-refval.json b/end-to-end/input/corim-src/comid-cca-refval.json
@@ -0,0 +1,109 @@
+{
+  "lang": "en-GB",
+  "tag-identity": {
+    "id": "43BBE37F-2E61-4B33-AED3-53CFF1428B16",
+    "version": 0
+  },
+  "entities": [
+    {
+      "name": "ACME Ltd.",
+      "regid": "https://acme.example",
+      "roles": [
+        "tagCreator",
+        "creator",
+        "maintainer"
+      ]
+    }
+  ],
+  "triples": {
+    "reference-values": [
+      {
+        "environment": {
+          "class": {
+            "id": {
+              "type": "psa.impl-id",
+              "value": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
+            },
+            "vendor": "ACME",
+            "model": "RoadRunner"
+          }
+        },
+        "measurements": [
+          {
+            "key": {
+              "type": "psa.refval-id",
+              "value": {
+                "label": "BL",
+                "version": "3.4.2",
+                "signer-id": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg="
+              }
+            },
+            "value": {
+              "digests": [
+                "sha-256;BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg="
+              ]
+            }
+          },
+          {
+            "key": {
+              "type": "psa.refval-id",
+              "value": {
+                "label": "M1",
+                "version": "1.2.0",
+                "signer-id": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg="
+              }
+            },
+            "value": {
+              "digests": [
+                "sha-256;CwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg="
+              ]
+            }
+          },
+          {
+            "key": {
+              "type": "psa.refval-id",
+              "value": {
+                "label": "M2",
+                "version": "1.2.3",
+                "signer-id": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg="
+              }
+            },
+            "value": {
+              "digests": [
+                "sha-256;DwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg="
+              ]
+            }
+          },
+          {
+            "key": {
+              "type": "psa.refval-id",
+              "value": {
+                "label": "M3",
+                "version": "1.0.0",
+                "signer-id": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg="
+              }
+            },
+            "value": {
+              "digests": [
+                "sha-256;EwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg="
+              ]
+            }
+          },
+          {
+            "key": {
+              "type": "cca.platform-config-id",
+              "value": "cfg v1.0.0"
+            },
+            "value": {
+              "raw-value": {
+                "type": "bytes",
+                "value": "cmF3dmFsdWUKcmF3dmFsdWUK"
+              }
+            }
+          }
+        ]
+      }
+    ]
+  }
+}
+
diff --git a/end-to-end/input/corim-src/comid-cca-ta.json b/end-to-end/input/corim-src/comid-cca-ta.json
@@ -0,0 +1,44 @@
+{
+  "lang": "en-GB",
+  "tag-identity": {
+    "id": "366D0A0A-5988-45ED-8488-2F2A544F6242",
+    "version": 0
+  },
+  "entities": [
+    {
+      "name": "ACME Ltd.",
+      "regid": "https://acme.example",
+      "roles": [
+        "tagCreator",
+        "creator",
+        "maintainer"
+      ]
+    }
+  ],
+  "triples": {
+    "attester-verification-keys": [
+      {
+        "environment": {
+          "class": {
+            "id": {
+              "type": "psa.impl-id",
+              "value": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
+            },
+            "vendor": "ACME",
+            "model": "RoadRunner"
+          },
+          "instance": {
+            "type": "ueid",
+            "value": "AQICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC"
+          }
+        },
+        "verification-keys": [
+          {
+            "type": "pkix-base64-key",
+	    "value": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEMKBCTNIcKUSDii11ySs3526iDZ8A\niTo7Tu6KPAqv7D7gS2XpJFbZiItSs3m9+9Ue6GnvHw/GW2ZZaVtszggXIw==\n-----END PUBLIC KEY-----"
+          }
+        ]
+      }
+    ]
+  }
+}
diff --git a/end-to-end/input/corim-src/comid-psa-refval.json b/end-to-end/input/corim-src/comid-psa-refval.json
@@ -0,0 +1,81 @@
+{
+  "lang": "en-GB",
+  "tag-identity": {
+    "id": "43BBE37F-2E61-4B33-AED3-53CFF1428B16",
+    "version": 0
+  },
+  "entities": [
+    {
+      "name": "ACME Ltd.",
+      "regid": "https://acme.example",
+      "roles": [
+        "tagCreator",
+        "creator",
+        "maintainer"
+      ]
+    }
+  ],
+  "triples": {
+    "reference-values": [
+      {
+        "environment": {
+          "class": {
+            "id": {
+              "type": "psa.impl-id",
+              "value": "YWNtZS1pbXBsZW1lbnRhdGlvbi1pZC0wMDAwMDAwMDE="
+            },
+            "vendor": "ACME",
+            "model": "RoadRunner"
+          }
+        },
+        "measurements": [
+          {
+            "key": {
+              "type": "psa.refval-id",
+              "value": {
+                "label": "BL",
+                "version": "2.1.0",
+                "signer-id": "rLsRx+TaIXIFUjzkzhokWuGiOa48a/2eeHH35di66Gs="
+              }
+            },
+            "value": {
+              "digests": [
+                "sha-256;h0KPxSKAPTEGXnvOPPA/5HUJZjHl4Hu9eg/eYMTPJcc="
+              ]
+            }
+          },
+          {
+            "key": {
+              "type": "psa.refval-id",
+              "value": {
+                "label": "PRoT",
+                "version": "1.3.5",
+                "signer-id": "rLsRx+TaIXIFUjzkzhokWuGiOa48a/2eeHH35di66Gs="
+              }
+            },
+            "value": {
+              "digests": [
+                "sha-256;AmOCmYm2/ZVPcrqvL8ZLwuLwHWktTecphuqAj26ZgT8="
+              ]
+            }
+          },
+          {
+            "key": {
+              "type": "psa.refval-id",
+              "value": {
+                "label": "ARoT",
+                "version": "0.1.4",
+                "signer-id": "rLsRx+TaIXIFUjzkzhokWuGiOa48a/2eeHH35di66Gs="
+              }
+            },
+            "value": {
+              "digests": [
+                "sha-256;o6XnFfDMV0pzw/m+u2vCTzL/1bZ7OHJEwskJ2neaFHg="
+              ]
+            }
+          }
+        ]
+      }
+    ]
+  }
+}
diff --git a/end-to-end/input/corim-src/comid-psa-ta.json b/end-to-end/input/corim-src/comid-psa-ta.json
@@ -0,0 +1,44 @@
+{
+  "lang": "en-GB",
+  "tag-identity": {
+    "id": "366D0A0A-5988-45ED-8488-2F2A544F6242",
+    "version": 0
+  },
+  "entities": [
+    {
+      "name": "ACME Ltd.",
+      "regid": "https://acme.example",
+      "roles": [
+        "tagCreator",
+        "creator",
+        "maintainer"
+      ]
+    }
+  ],
+  "triples": {
+    "attester-verification-keys": [
+      {
+        "environment": {
+          "class": {
+            "id": {
+              "type": "psa.impl-id",
+              "value": "YWNtZS1pbXBsZW1lbnRhdGlvbi1pZC0wMDAwMDAwMDE="
+            },
+            "vendor": "ACME",
+            "model": "RoadRunner"
+          },
+          "instance": {
+            "type": "ueid",
+            "value": "Ac7rrnuJJ6MiflMDz14PH3s0u1Qq1yUKwD+83jbsLxUI"
+          }
+        },
+        "verification-keys": [
+          {
+            "type": "pkix-base64-key",
+	    "value": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEMKBCTNIcKUSDii11ySs3526iDZ8A\niTo7Tu6KPAqv7D7gS2XpJFbZiItSs3m9+9Ue6GnvHw/GW2ZZaVtszggXIw==\n-----END PUBLIC KEY-----"
+          }
+        ]
+      }
+    ]
+  }
+}
diff --git a/end-to-end/input/corim-src/corim-cca.json b/end-to-end/input/corim-src/corim-cca.json
@@ -0,0 +1,25 @@
+{
+  "corim-id": "5c57e8f4-46cd-421b-91c9-08cf93e13cfc",
+  "dependent-rims": [
+    {
+      "href": "https://parent.example/rims/ccb3aa85-61b4-40f1-848e-02ad6e8a254b",
+      "thumbprint": "sha-256:5Fty9cDAtXLbTY06t+l/No/3TmI0eoJN7LZ6hOUiTXU="
+    }
+  ],
+  "profiles": [
+    "http://arm.com/cca/ssd/1"
+  ],
+  "validity": {
+    "not-before": "2021-12-31T00:00:00Z",
+    "not-after": "2025-12-31T00:00:00Z"
+  },
+  "entities": [
+    {
+      "name": "ACME Ltd.",
+      "regid": "acme.example",
+      "roles": [
+        "manifestCreator"
+      ]
+    }
+  ]
+}
diff --git a/end-to-end/input/corim-src/corim-psa.json b/end-to-end/input/corim-src/corim-psa.json
@@ -0,0 +1,6 @@
+{
+  "corim-id": "5c57e8f4-46cd-421b-91c9-08cf93e13cfc",
+  "profiles": [
+    "http://arm.com/psa/iot/1"
+  ]
+}
diff --git a/end-to-end/input/psa-endorsements.cbor b/end-to-end/input/psa-endorsements.cbor
Original file line number	Diff line number	Diff line change
Expand Up		@@ -36,3 +36,5 @@ tags

		.ipynb_checkpoints

		# generated by build-test-vector scripts
		scheme/*/Comid*.cbor