Enchanced TA validation + CLI auth in docker deployment #197
Conversation
| @@ -57,7 +57,7 @@ RUN go mod download &&\ | |||
| go install google.golang.org/protobuf/cmd/[email protected] &&\ | |||
| go install google.golang.org/grpc/cmd/[email protected] &&\ | |||
| go install github.com/mitchellh/[email protected] &&\ | |||
| go install github.com/veraison/corim/cocli@latest &&\ | |||
| go install github.com/veraison/corim/cocli@eeb7bd48 &&\ | |||
There was a problem hiding this comment.
I thought we strongly enforce revisions now?
There was a problem hiding this comment.
That hash is assocated with a v2.0.0rc0 tag, however because it's a v2 tag for a modules without a /v2, using it won't work. (conversely, moving to /v2 without publishing a release won't work either), it's a catch22 in the go module versioning system, it seems. So have to use the hash here.
| @@ -21,7 +21,7 @@ | |||
| "environment": { | |||
| "class": { | |||
| "id": { | |||
| "type": "PSA_IOT.impl-id", | |||
| "type": "psa.impl-id", | |||
There was a problem hiding this comment.
is there a specific reason for this change?
This kind of breaks the nice alignment of the Store key-value symmetry for PSA_IOT?
Please reconsider!
There was a problem hiding this comment.
This change is required by corim (I think I mentioned this in our discussions earlier?). For whatever reason, corim templates explect psa. This is hard-coded:
https://github.com/veraison/corim/blob/main/comid/classid.go#L168
I agree that we should align how we represent things in the stores vs the templeas (and better yet, we should get rid of these entirely unnecessary prefixes). However that would require making further changes to corim that orthogonal to what is being implemented here.
- Update corim package dependency to latest, which feature updated trust anchor representations that allow for tighter validation based on a set of predefined types. - In addition to the validation we get "for free" form the above, add checks to endorsement decoders to make sure that the TAs are of the expected type for the scheme. Signed-off-by: Sergei Trofimov <[email protected]>
Upgrade the CLI tools in the docker deployment to the latest versions that have auth support. This fixes end-to-end script which did not work since the deployment had auth enabled. Signed-off-by: Sergei Trofimov <[email protected]>
setrofim
force-pushed
the
deploy-update
branch
from
68f72df to
c6824b6
Compare
anchor representations that allow for tighter validation based on a
set of predefined types.
checks to endorsement decoders to make sure that the TA's are of the
expected type for the scheme.
that have auth support. This fixes end-to-end script which did not work
since the deployment had auth enabled.