From ecb13696a37da86dbe8dbc1f9886d0eeb2672238 Mon Sep 17 00:00:00 2001 From: Abhishek kumar Date: Thu, 19 Mar 2026 23:35:12 +0530 Subject: [PATCH] fix(scheme): align PSA/CCA with CoRIM profiles Migrate PSA-IoT and ARM-CCA scheme handling to latest profile APIs and string measurement keys. Regenerate PSA and ARM-CCA CoRIM test vectors and update negative cases to match new profile validation behavior. 
Signed-off-by: Abhishek kumar --- deployments/docker/src/builder.docker | 2 +- deployments/native/deployment.sh | 2 +- end-to-end/input/src/comid-cca-refval.json | 89 +++++---- end-to-end/input/src/comid-cca-ta.json | 6 +- end-to-end/input/src/comid-psa-refval.json | 50 ++--- end-to-end/input/src/comid-psa-ta.json | 6 +- end-to-end/input/src/corim-psa.json | 2 +- go.mod | 2 +- go.sum | 4 +- integration-tests/data/claims/cca.good.json | 2 +- .../comid-cca-platform-refval.json | 171 +++++++++-------- .../endorsements/comid-cca-platform-ta.json | 6 +- .../endorsements/comid-cca-realm-refval.json | 102 ++++++---- .../data/endorsements/comid-cca-refval.json | 81 ++++---- .../data/endorsements/comid-cca-ta.json | 6 +- .../data/endorsements/comid-psa-refval.json | 44 +++-- .../data/endorsements/comid-psa-ta.json | 28 +-- .../data/endorsements/corim-cca-full.json | 8 +- .../endorsements/corim-cca-platform-full.json | 18 +- .../endorsements/corim-cca-realm-full.json | 10 +- .../data/endorsements/corim-psa-full.json | 2 +- .../data/endorsements/corim-psa-mini.json | 2 +- integration-tests/data/results/cca.good.json | 2 +- .../data/results/cca.verify-challenge.json | 2 +- .../data/results/psa.freshness-fail.json | 2 +- integration-tests/tests/common.yaml | 4 +- .../test_cca_verify_challenge.tavern.yaml | 17 +- .../test_provisioning_empty_body.tavern.yaml | 2 +- ...test_provisioning_unauthorized.tavern.yaml | 2 +- ...ification_bad_session_attester.tavern.yaml | 2 +- integration-tests/utils/checkers.py | 8 +- integration-tests/utils/generators.py | 10 +- integration-tests/utils/hooks.py | 12 +- scheme/arm-cca/corim.go | 169 ---------------- scheme/arm-cca/corim_test.go | 48 +++-- scheme/arm-cca/scheme.go | 38 ++-- .../corim-cca-platform-bad-no-class.cbor | Bin 351 -> 362 bytes ...im-cca-platform-bad-refval-cryptokeys.cbor | Bin 0 -> 435 bytes ...m-cca-platform-bad-refval-mkey-string.cbor | Bin 0 -> 284 bytes .../corim-cca-platform-bad-refval-mkey.cbor | Bin 213 -> 224 bytes 
...im-cca-platform-bad-refval-no-digests.cbor | Bin 232 -> 220 bytes ...corim-cca-platform-bad-refval-no-mkey.cbor | Bin 211 -> 222 bytes ...-cca-platform-bad-refval-no-raw-value.cbor | Bin 226 -> 243 bytes .../corim/corim-cca-platform-bad-ta-cert.cbor | Bin 2493 -> 2504 bytes .../corim-cca-platform-bad-ta-instance.cbor | Bin 392 -> 403 bytes ...corim-cca-platform-bad-ta-no-instance.cbor | Bin 352 -> 363 bytes .../test/corim/corim-cca-platform-valid.cbor | Bin 860 -> 946 bytes .../corim/corim-cca-realm-bad-instance.cbor | Bin 616 -> 657 bytes .../corim-cca-realm-bad-no-instance.cbor | Bin 617 -> 705 bytes .../corim-cca-realm-bad-no-integ-regs.cbor | Bin 275 -> 309 bytes .../corim-cca-realm-bad-no-raw-value.cbor | Bin 577 -> 675 bytes .../corim/corim-cca-realm-bad-no-rim.cbor | Bin 0 -> 376 bytes .../test/corim/corim-cca-realm-valid.cbor | Bin 647 -> 707 bytes .../src/comid-cca-platform-bad-no-class.json | 44 ++--- ...id-cca-platform-bad-refval-cryptokeys.json | 40 ++++ ...omid-cca-platform-bad-refval-instance.json | 181 ++++++++++-------- ...d-cca-platform-bad-refval-mkey-string.json | 40 ++++ .../comid-cca-platform-bad-refval-mkey.json | 2 +- ...id-cca-platform-bad-refval-no-digests.json | 63 +++--- ...comid-cca-platform-bad-refval-no-mkey.json | 2 +- ...-cca-platform-bad-refval-no-raw-value.json | 58 +++--- .../src/comid-cca-platform-bad-ta-cert.json | 2 +- .../comid-cca-platform-bad-ta-instance.json | 2 +- ...comid-cca-platform-bad-ta-no-instance.json | 2 +- .../corim/src/comid-cca-platform-refval.json | 175 +++++++++-------- .../test/corim/src/comid-cca-platform-ta.json | 2 +- .../src/comid-cca-realm-bad-instance.json | 99 ++++++---- .../src/comid-cca-realm-bad-no-instance.json | 101 ++++++---- .../comid-cca-realm-bad-no-integ-regs.json | 21 +- .../src/comid-cca-realm-bad-no-raw-value.json | 102 ++++++---- .../corim/src/comid-cca-realm-bad-no-rim.json | 45 +++++ .../corim/src/comid-cca-realm-refval.json | 99 ++++++---- .../test/corim/src/corim-cca-platform.json 
| 8 +- .../test/corim/src/corim-cca-realm.json | 8 +- .../test/corim/src/platform-corims.yaml | 6 +- .../arm-cca/test/corim/src/realm-corims.yaml | 2 + scheme/arm-cca/test_vars.go | 9 + scheme/parsec-cca/corim.go | 16 +- scheme/parsec-cca/scheme.go | 3 +- .../test/corim/corim-parsec-cca-valid.cbor | Bin 960 -> 1035 bytes .../corim/src/comid-parsec-cca-refval.json | 177 +++++++++-------- .../test/corim/src/comid-parsec-cca-ta.json | 2 +- scheme/psa-iot/corim.go | 94 --------- scheme/psa-iot/corim_test.go | 20 +- scheme/psa-iot/scheme.go | 23 ++- .../test/corim/corim-psa-bad-class.cbor | Bin 356 -> 358 bytes .../test/corim/corim-psa-bad-instance.cbor | Bin 355 -> 357 bytes .../corim/corim-psa-bad-refval-instance.cbor | Bin 286 -> 304 bytes .../test/corim/corim-psa-bad-refval-mkey.cbor | Bin 281 -> 299 bytes .../test/corim/corim-psa-bad-refval-mval.cbor | Bin 215 -> 233 bytes .../test/corim/corim-psa-bad-ta-cert.cbor | Bin 2469 -> 2471 bytes .../corim/corim-psa-bad-ta-no-instance.cbor | Bin 335 -> 337 bytes .../psa-iot/test/corim/corim-psa-valid.cbor | Bin 1017 -> 1067 bytes .../test/corim/src/comid-bad-instance.json | 2 +- .../corim/src/comid-bad-refval-instance.json | 21 +- .../test/corim/src/comid-bad-refval-mkey.json | 19 +- .../test/corim/src/comid-bad-refval-mval.json | 19 +- .../test/corim/src/comid-bad-ta-cert.json | 2 +- .../corim/src/comid-bad-ta-no-instance.json | 2 +- .../test/corim/src/comid-psa-refval.json | 53 ++--- .../psa-iot/test/corim/src/comid-psa-ta.json | 8 +- scheme/psa-iot/test/corim/src/corim-psa.json | 2 +- scheme/psa-iot/test/corim/src/corims.yaml | 4 +- scheme/riot/corim_test.go | 2 +- scheme/tpm-enacttrust/corim_test.go | 2 +- scripts/generate-corims | 2 + 106 files changed, 1323 insertions(+), 1224 deletions(-) delete mode 100644 scheme/arm-cca/corim.go create mode 100644 scheme/arm-cca/test/corim/corim-cca-platform-bad-refval-cryptokeys.cbor create mode 100644 scheme/arm-cca/test/corim/corim-cca-platform-bad-refval-mkey-string.cbor 
create mode 100644 scheme/arm-cca/test/corim/corim-cca-realm-bad-no-rim.cbor create mode 100644 scheme/arm-cca/test/corim/src/comid-cca-platform-bad-refval-cryptokeys.json create mode 100644 scheme/arm-cca/test/corim/src/comid-cca-platform-bad-refval-mkey-string.json create mode 100644 scheme/arm-cca/test/corim/src/comid-cca-realm-bad-no-rim.json delete mode 100644 scheme/psa-iot/corim.go diff --git a/deployments/docker/src/builder.docker b/deployments/docker/src/builder.docker index e59404e6..619558ff 100644 --- a/deployments/docker/src/builder.docker +++ b/deployments/docker/src/builder.docker @@ -60,7 +60,7 @@ RUN go mod download &&\ go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.26 &&\ go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@v1.1 &&\ go install github.com/mitchellh/protoc-gen-go-json@v1.1.0 &&\ - go install github.com/veraison/cocli@v1.0.0-alpha0 &&\ + go install github.com/veraison/cocli@v1.0.0-alpha0.0.20260313151307-405ce39d50b6 &&\ go install github.com/veraison/evcli/v2@1685bf5 &&\ go install github.com/veraison/pocli@v0.2.0 &&\ go install github.com/go-delve/delve/cmd/dlv@v1.24.0 &&\ diff --git a/deployments/native/deployment.sh b/deployments/native/deployment.sh index 85de517c..28a76339 100755 --- a/deployments/native/deployment.sh +++ b/deployments/native/deployment.sh @@ -231,7 +231,7 @@ function init_sqlite_stores() { function init_clients() { _init_client evcli github.com/veraison/evcli/v2@v2.1.0 - _init_client cocli github.com/veraison/cocli@8ebd64c1 + _init_client cocli github.com/veraison/cocli@v1.0.0-alpha0.0.20260313151307-405ce39d50b6 _init_client pocli github.com/veraison/pocli@2fa24ea3 _init_client corim-store github.com/veraison/corim-store/cmd/corim-store@9e4ba68b } diff --git a/end-to-end/input/src/comid-cca-refval.json b/end-to-end/input/src/comid-cca-refval.json index 636c04d2..121985a6 100644 --- a/end-to-end/input/src/comid-cca-refval.json +++ b/end-to-end/input/src/comid-cca-refval.json 
@@ -21,84 +21,95 @@ "environment": { "class": { "id": { - "type": "psa.impl-id", + "type": "bytes", "value": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=" - }, - "vendor": "ACME", - "model": "RoadRunner" + } } }, "measurements": [ { "key": { - "type": "psa.refval-id", - "value": { - "label": "BL", - "version": "3.4.2", - "signer-id": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=" - } + "type": "string", + "value": "cca.software-component" }, "value": { + "cryptokeys": [ + { + "type": "bytes", + "value": "01234567890123456789012345678901" + } + ], "digests": [ - "sha-256;BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=" - ] + "sha-256:BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=" + ], + "name": "BL" } }, { "key": { - "type": "psa.refval-id", - "value": { - "label": "M1", - "version": "1.2.0", - "signer-id": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=" - } + "type": "string", + "value": "cca.software-component" }, "value": { + "cryptokeys": [ + { + "type": "bytes", + "value": "01234567890123456789012345678901" + } + ], "digests": [ - "sha-256;CwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=" - ] + "sha-256:CwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=" + ], + "name": "M1" } }, { "key": { - "type": "psa.refval-id", - "value": { - "label": "M2", - "version": "1.2.3", - "signer-id": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=" - } + "type": "string", + "value": "cca.software-component" }, "value": { + "cryptokeys": [ + { + "type": "bytes", + "value": "01234567890123456789012345678901" + } + ], "digests": [ - "sha-256;DwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=" - ] + "sha-256:DwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=" + ], + "name": "M2" } }, { "key": { - "type": "psa.refval-id", - "value": { - "label": "M3", - "version": "1.0.0", - "signer-id": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=" - } + "type": "string", + "value": "cca.software-component" }, "value": { + "cryptokeys": [ + { + "type": "bytes", + "value": "01234567890123456789012345678901" + } + ], "digests": 
[ - "sha-256;EwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=" - ] + "sha-256:EwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=" + ], + "name": "M3" } }, { "key": { - "type": "cca.platform-config-id", - "value": "cfg v1.0.0" + "type": "string", + "value": "cca.platform-config" }, "value": { "raw-value": { "type": "bytes", "value": "AQID" - } + }, + "raw-value-mask": "AQID" } } ] diff --git a/end-to-end/input/src/comid-cca-ta.json b/end-to-end/input/src/comid-cca-ta.json index 12fb01df..1f9f195a 100644 --- a/end-to-end/input/src/comid-cca-ta.json +++ b/end-to-end/input/src/comid-cca-ta.json @@ -21,11 +21,9 @@ "environment": { "class": { "id": { - "type": "psa.impl-id", + "type": "bytes", "value": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=" - }, - "vendor": "ACME", - "model": "RoadRunner" + } }, "instance": { "type": "ueid", diff --git a/end-to-end/input/src/comid-psa-refval.json b/end-to-end/input/src/comid-psa-refval.json index b070ef67..e1229a3c 100644 --- a/end-to-end/input/src/comid-psa-refval.json +++ b/end-to-end/input/src/comid-psa-refval.json @@ -21,7 +21,7 @@ "environment": { "class": { "id": { - "type": "psa.impl-id", + "type": "bytes", "value": "YWNtZS1pbXBsZW1lbnRhdGlvbi1pZC0wMDAwMDAwMDE=" }, "vendor": "ACME", 
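Review bot: The `cryptokeys` value `01234567890123456789012345678901` added to every `cca.software-component` measurement looks like a placeholder: read as base64 like the other `bytes` values in this file it is 24 bytes, while the signer-id these entries previously declared (`BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=`) is 32 bytes, and the PSA fixtures in this same commit keep their real signer-id. If the CCA scheme matches evidence signer-ids against `cryptokeys`, none of these reference values can match, so a passing run would only show that the check is not applied; per entry the fix is `"value": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg="`. The same placeholder appears in integration-tests/data/endorsements/comid-cca-platform-refval.json and comid-cca-refval.json. Separately, the `raw-value-mask` given to `cca.platform-config` equals the value itself (`AQID`), which, if the mask is honoured, compares only the bits set in 0x01 0x02 0x03 and would accept other configs that share them; a full-byte mask such as `"raw-value-mask": "////"` keeps the comparison exact.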
@@ -31,46 +31,52 @@ "measurements": [ { "key": { - "type": "psa.refval-id", - "value": { - "label": "BL", - "version": "2.1.0", - "signer-id": "rLsRx+TaIXIFUjzkzhokWuGiOa48a/2eeHH35di66Gs=" - } + "type": "string", + "value": "psa.software-component" }, "value": { "digests": [ - "sha-256;h0KPxSKAPTEGXnvOPPA/5HUJZjHl4Hu9eg/eYMTPJcc=" + "sha-256:h0KPxSKAPTEGXnvOPPA/5HUJZjHl4Hu9eg/eYMTPJcc=" + ], + "cryptokeys": [ + { + "type": "bytes", + "value": "rLsRx+TaIXIFUjzkzhokWuGiOa48a/2eeHH35di66Gs=" + } ] } }, { "key": { - "type": "psa.refval-id", - "value": { - "label": "PRoT", - "version": "1.3.5", - "signer-id": "rLsRx+TaIXIFUjzkzhokWuGiOa48a/2eeHH35di66Gs=" - } + "type": "string", + "value": "psa.software-component" }, "value": { "digests": [ - "sha-256;AmOCmYm2/ZVPcrqvL8ZLwuLwHWktTecphuqAj26ZgT8=" + "sha-256:AmOCmYm2/ZVPcrqvL8ZLwuLwHWktTecphuqAj26ZgT8=" + ], + "cryptokeys": [ + { + "type": "bytes", + "value": "rLsRx+TaIXIFUjzkzhokWuGiOa48a/2eeHH35di66Gs=" + } ] } }, { "key": { - "type": "psa.refval-id", - "value": { - "label": "ARoT", - "version": "0.1.4", - "signer-id": "rLsRx+TaIXIFUjzkzhokWuGiOa48a/2eeHH35di66Gs=" - } + "type": "string", + "value": "psa.software-component" }, "value": { "digests": [ - "sha-256;o6XnFfDMV0pzw/m+u2vCTzL/1bZ7OHJEwskJ2neaFHg=" + "sha-256:o6XnFfDMV0pzw/m+u2vCTzL/1bZ7OHJEwskJ2neaFHg=" + ], + "cryptokeys": [ + { + "type": "bytes", + "value": "rLsRx+TaIXIFUjzkzhokWuGiOa48a/2eeHH35di66Gs=" + } ] } } diff --git a/end-to-end/input/src/comid-psa-ta.json b/end-to-end/input/src/comid-psa-ta.json index 45c86145..1ec3bea3 100644 --- a/end-to-end/input/src/comid-psa-ta.json +++ b/end-to-end/input/src/comid-psa-ta.json @@ -21,11 +21,9 @@ "environment": { "class": { "id": { - "type": "psa.impl-id", + "type": "bytes", "value": "YWNtZS1pbXBsZW1lbnRhdGlvbi1pZC0wMDAwMDAwMDE=" - }, - "vendor": "ACME", - "model": "RoadRunner" + } }, "instance": { "type": "ueid", 
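Review bot: The rewritten `psa.software-component` entries keep only `digests` and `cryptokeys`, so the three reference values now differ solely by digest, whereas the CCA fixtures in this same commit also carry `"name": "BL"` and so on for each component. If the PSA scheme still matches or reports on the component type (the role the removed `label` played), the PSA entries need the equivalent, e.g. `"name": "BL"`, `"name": "PRoT"`, `"name": "ARoT"` inside the respective `value` objects; if the PSA profile omits it by design, this is fine as is. integration-tests/data/endorsements/comid-psa-refval.json has the same shape.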
diff --git a/end-to-end/input/src/corim-psa.json b/end-to-end/input/src/corim-psa.json
index a7c23279..5a4199a5 100644
--- a/end-to-end/input/src/corim-psa.json
+++ b/end-to-end/input/src/corim-psa.json
@@ -1,4 +1,4 @@
 {
 "corim-id": "00000000-0000-0001-p5a1-000000000001",
- "profile": "http://arm.com/psa/iot/1"
+ "profile": "tag:arm.com,2025:psa#1.0.0"
 }
diff --git a/go.mod b/go.mod
index 5e5a3b38..6f405419 100644
--- a/go.mod
+++ b/go.mod
@@ -40,7 +40,7 @@ require (
 github.com/tbaehler/gin-keycloak v1.6.1
 github.com/veraison/ccatoken v1.3.2-0.20250512122414-b26aba0635c4
 github.com/veraison/cmw v0.2.0
- github.com/veraison/corim v1.1.3-0.20260214081209-effcd0f48c8a
+ github.com/veraison/corim v1.1.3-0.20260309101151-2fa49d7c02e3
 github.com/veraison/corim-store v0.0.0-20260220100808-e966b3eab910
 github.com/veraison/dice v0.0.1
 github.com/veraison/ear v1.1.4-0.20260213122616-3034258cda59
diff --git a/go.sum b/go.sum
index 07bb1f14..245bd8a0 100644
--- a/go.sum
+++ b/go.sum
@@ -1255,8 +1255,8 @@ github.com/veraison/ccatoken v1.3.2-0.20250512122414-b26aba0635c4 h1:t2GQueIc1Sr
 github.com/veraison/ccatoken v1.3.2-0.20250512122414-b26aba0635c4/go.mod h1:vMqdbW4H/8A3oT+24qssuIK3Aefy06XqzTELGg+gWAg=
 github.com/veraison/cmw v0.2.0 h1:BWEvwZnD4nn5osq6XwQpTRcGxwV+Su4t6ytdAbVXAJY=
 github.com/veraison/cmw v0.2.0/go.mod h1:OiYKk1t6/Fmmg30ZpSMzi4nKr5kt3374sNTkgxC5BDs=
-github.com/veraison/corim v1.1.3-0.20260214081209-effcd0f48c8a h1:Y19AyrbBpuyQZ/Sa/Hyh6bo5FrO6FMeR6g3jjnjLMBE=
-github.com/veraison/corim v1.1.3-0.20260214081209-effcd0f48c8a/go.mod h1:96PQ0lk+O9bzutKTDz66G2DaARYUp1BeR06EYwEwSH0=
+github.com/veraison/corim v1.1.3-0.20260309101151-2fa49d7c02e3 h1:yFF+d5ekY8g1nTAuV3lEvVI4dGdQMcoYp8blegIrrSQ=
+github.com/veraison/corim v1.1.3-0.20260309101151-2fa49d7c02e3/go.mod h1:96PQ0lk+O9bzutKTDz66G2DaARYUp1BeR06EYwEwSH0=
 github.com/veraison/corim-store v0.0.0-20260220100808-e966b3eab910 h1:hg09D27B9qkrN6zFQEs6wEG0qiTk451ExGMnSAq2tXY=
 github.com/veraison/corim-store v0.0.0-20260220100808-e966b3eab910/go.mod h1:/SqPJwSHexrxsNtiAJ/JqNgvC6+yihOyRlrTJO+0GnY=
 github.com/veraison/dice v0.0.1 h1:dOm7ByDN/r4WlDsGkEUXzdPMXgTvAPTAksQ8+BwBrD4=
diff --git a/integration-tests/data/claims/cca.good.json b/integration-tests/data/claims/cca.good.json
index 6cc821c5..34369b85 100644
--- a/integration-tests/data/claims/cca.good.json
+++ b/integration-tests/data/claims/cca.good.json
@@ -1,7 +1,7 @@
 {
 "cca-platform-token": {
 "cca-platform-challenge": "5QHHS9edCpI1N1heeR7DUBI+gaqXUB34EkQCITSCxVM=",
- "cca-platform-profile": "http://arm.com/CCA-SSD/1.0.0",
+ "cca-platform-profile": "tag:arm.com,2023:cca_platform#1.0.0",
 "cca-platform-implementation-id": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
 "cca-platform-instance-id": "AQICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC",
 "cca-platform-config": "AQID",
diff --git a/integration-tests/data/endorsements/comid-cca-platform-refval.json b/integration-tests/data/endorsements/comid-cca-platform-refval.json index afc94afb..a4699132 100644 --- a/integration-tests/data/endorsements/comid-cca-platform-refval.json +++ b/integration-tests/data/endorsements/comid-cca-platform-refval.json 
@@ -15,94 +15,105 @@ ] } ], - "triples": { - "reference-values": [ - { - "environment": { - "class": { - "id": { - "type": "psa.impl-id", - "value": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=" - }, - "vendor": "ACME", - "model": "RoadRunner" + "triples": { + "reference-values": [ + { + "environment": { + "class": { + "id": { + "type": "bytes", + "value": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=" } - }, - "measurements": [ - { - "key": { - "type": "psa.refval-id", - "value": { - "label": "BL", - "version": "3.4.2", - "signer-id": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=" - } - }, - "value": { - "digests": [ - "sha-256:BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=" - ] - } + } + }, + "measurements": [ + { + "key": { + "type": "string", + "value": "cca.software-component" }, - { - "key": { - "type": "psa.refval-id", - "value": { - "label": "M1", - "version": "1.2.0", - "signer-id": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=" + "value": { + "cryptokeys": [ + { + "type": "bytes", + "value": "01234567890123456789012345678901" } - }, - "value": { - "digests": [ - "sha-256:CwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=" - ] - } + ], + "digests": [ + "sha-256:BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=" + ], + "name": "BL" + } + }, + { + "key": { + "type": "string", + "value": "cca.software-component" }, - { - "key": { - "type": "psa.refval-id", - "value": { - "label": "M2", - "version": "1.2.3", - "signer-id": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=" + "value": { + "cryptokeys": [ + { + "type": "bytes", + "value": "01234567890123456789012345678901" } - }, - "value": { - "digests": [ - "sha-256:DwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=" - ] - } + ], + "digests": [ + "sha-256:CwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=" + ], + "name": "M1" + } + }, + { + "key": { + "type": "string", + "value": "cca.software-component" }, - { - "key": { - "type": "psa.refval-id", - "value": { - "label": "M3", - "version": "1.0.0", - "signer-id": 
"BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=" + "value": { + "cryptokeys": [ + { + "type": "bytes", + "value": "01234567890123456789012345678901" } - }, - "value": { - "digests": [ - "sha-256:EwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=" - ] - } + ], + "digests": [ + "sha-256:DwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=" + ], + "name": "M2" + } + }, + { + "key": { + "type": "string", + "value": "cca.software-component" }, - { - "key": { - "type": "cca.platform-config-id", - "value": "cfg v1.0.0" - }, - "value": { - "raw-value": { + "value": { + "cryptokeys": [ + { "type": "bytes", - "value": "AQID" + "value": "01234567890123456789012345678901" } - } + ], + "digests": [ + "sha-256:EwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=" + ], + "name": "M3" } - ] - } - ] - } - } \ No newline at end of file + }, + { + "key": { + "type": "string", + "value": "cca.platform-config" + }, + "value": { + "raw-value": { + "type": "bytes", + "value": "AQID" + }, + "raw-value-mask": "AQID" + } + } + ] + } + ] + } +} \ No newline at end of file diff --git a/integration-tests/data/endorsements/comid-cca-platform-ta.json b/integration-tests/data/endorsements/comid-cca-platform-ta.json index 2db23728..3bb11af3 100644 --- a/integration-tests/data/endorsements/comid-cca-platform-ta.json +++ b/integration-tests/data/endorsements/comid-cca-platform-ta.json @@ -21,11 +21,9 @@ "environment": { "class": { "id": { - "type": "psa.impl-id", + "type": "bytes", "value": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=" - }, - "vendor": "ACME", - "model": "RoadRunner" + } }, "instance": { "type": "ueid", diff --git a/integration-tests/data/endorsements/comid-cca-realm-refval.json b/integration-tests/data/endorsements/comid-cca-realm-refval.json index 16697f55..269cf493 100644 --- a/integration-tests/data/endorsements/comid-cca-realm-refval.json +++ b/integration-tests/data/endorsements/comid-cca-realm-refval.json 
@@ -21,54 +21,76 @@ "environment": { "class": { "id": { - "type": "uuid", - "value": "CD1F0E55-26F9-460D-B9D8-F7FDE171787C" - }, - "vendor": "Workload Client Ltd" - }, - "instance": { - "type": "bytes", - "value": "Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQw==" + "type": "bytes", + "value": "Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQw==" + } } }, "measurements": [ { + "key": { + "type": "string", + "value": "cca.rim" + }, + "value": { + "digests": [ + "sha-512:Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQw==" + ] + } + }, + { + "key": { + "type": "string", + "value": "cca.rem0" + }, + "value": { + "digests": [ + "sha-512:Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQw==" + ] + } + }, + { + "key": { + "type": "string", + "value": "cca.rem1" + }, + "value": { + "digests": [ + "sha-512:Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQw==" + ] + } + }, + { + "key": { + "type": "string", + "value": "cca.rem2" + }, + "value": { + "digests": [ + "sha-512:Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQw==" + ] + } + }, + { + "key": { + "type": "string", + "value": "cca.rem3" + }, + "value": { + "digests": [ + "sha-512:Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQw==" + ] + } + }, + { + "key": { + "type": "string", + "value": "cca.rpv" + }, "value": { "raw-value": { "type": "bytes", "value": "QURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBRA==" - }, - "integrity-registers": { - "rim": { - "key-type": "text", - "value": [ - "sha-512;Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQw==" - ] - }, - "rem0": { - "key-type": "text", - "value": [ - 
"sha-512;Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQw==" - ] - }, - "rem1": { - "key-type": "text", - "value": [ - "sha-512;Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQw==" - ] - }, - "rem2": { - "key-type": "text", - "value": [ - "sha-512;Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQw==" - ] - }, - "rem3": { - "key-type": "text", - "value": [ - "sha-512;Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQw==" - ] - } } } } diff --git a/integration-tests/data/endorsements/comid-cca-refval.json b/integration-tests/data/endorsements/comid-cca-refval.json index 7a03aeea..e0f5d483 100644 --- a/integration-tests/data/endorsements/comid-cca-refval.json +++ b/integration-tests/data/endorsements/comid-cca-refval.json 
@@ -21,84 +21,95 @@ "environment": { "class": { "id": { - "type": "psa.impl-id", + "type": "bytes", "value": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=" - }, - "vendor": "ACME", - "model": "RoadRunner" + } } }, "measurements": [ { "key": { - "type": "psa.refval-id", - "value": { - "label": "BL", - "version": "3.4.2", - "signer-id": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=" - } + "type": "string", + "value": "cca.software-component" }, "value": { + "cryptokeys": [ + { + "type": "bytes", + "value": "01234567890123456789012345678901" + } + ], "digests": [ "sha-256:BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=" - ] + ], + "name": "BL" } }, { "key": { - "type": "psa.refval-id", - "value": { - "label": "M1", - "version": "1.2.0", - "signer-id": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=" - } + "type": "string", + "value": "cca.software-component" }, "value": { + "cryptokeys": [ + { + "type": "bytes", + "value": "01234567890123456789012345678901" + } + ], "digests": [ "sha-256:CwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=" - ] + ], + "name": "M1" } }, { "key": { - "type": "psa.refval-id", - "value": { - "label": "M2", - "version": "1.2.3", - "signer-id": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=" - } + "type": "string", + "value": "cca.software-component" }, "value": { + "cryptokeys": [ + { + "type": "bytes", + "value": "01234567890123456789012345678901" + } + ], "digests": [ "sha-256:DwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=" - ] + ], + "name": "M2" } }, { "key": { - "type": "psa.refval-id", - "value": { - "label": "M3", - "version": "1.0.0", - "signer-id": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=" - } + "type": "string", + "value": "cca.software-component" }, "value": { + "cryptokeys": [ + { + "type": "bytes", + "value": "01234567890123456789012345678901" + } + ], "digests": [ "sha-256:EwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=" - ] + ], + "name": "M3" } }, { "key": { - "type": "cca.platform-config-id", - "value": "cfg v1.0.0" + "type": "string", 
+ "value": "cca.platform-config" }, "value": { "raw-value": { "type": "bytes", "value": "AQID" - } + }, + "raw-value-mask": "AQID" } } ] diff --git a/integration-tests/data/endorsements/comid-cca-ta.json b/integration-tests/data/endorsements/comid-cca-ta.json index 2fcb29fd..23ce1081 100644 --- a/integration-tests/data/endorsements/comid-cca-ta.json +++ b/integration-tests/data/endorsements/comid-cca-ta.json @@ -21,11 +21,9 @@ "environment": { "class": { "id": { - "type": "psa.impl-id", + "type": "bytes", "value": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=" - }, - "vendor": "ACME", - "model": "RoadRunner" + } }, "instance": { "type": "ueid", diff --git a/integration-tests/data/endorsements/comid-psa-refval.json b/integration-tests/data/endorsements/comid-psa-refval.json index 8fd66fbc..e1229a3c 100644 --- a/integration-tests/data/endorsements/comid-psa-refval.json +++ b/integration-tests/data/endorsements/comid-psa-refval.json @@ -21,7 +21,7 @@ "environment": { "class": { "id": { - "type": "psa.impl-id", + "type": "bytes", "value": "YWNtZS1pbXBsZW1lbnRhdGlvbi1pZC0wMDAwMDAwMDE=" }, "vendor": "ACME", 
@@ -31,46 +31,52 @@ "measurements": [ { "key": { - "type": "psa.refval-id", - "value": { - "label": "BL", - "version": "2.1.0", - "signer-id": "rLsRx+TaIXIFUjzkzhokWuGiOa48a/2eeHH35di66Gs=" - } + "type": "string", + "value": "psa.software-component" }, "value": { "digests": [ "sha-256:h0KPxSKAPTEGXnvOPPA/5HUJZjHl4Hu9eg/eYMTPJcc=" + ], + "cryptokeys": [ + { + "type": "bytes", + "value": "rLsRx+TaIXIFUjzkzhokWuGiOa48a/2eeHH35di66Gs=" + } ] } }, { "key": { - "type": "psa.refval-id", - "value": { - "label": "PRoT", - "version": "1.3.5", - "signer-id": "rLsRx+TaIXIFUjzkzhokWuGiOa48a/2eeHH35di66Gs=" - } + "type": "string", + "value": "psa.software-component" }, "value": { "digests": [ "sha-256:AmOCmYm2/ZVPcrqvL8ZLwuLwHWktTecphuqAj26ZgT8=" + ], + "cryptokeys": [ + { + "type": "bytes", + "value": "rLsRx+TaIXIFUjzkzhokWuGiOa48a/2eeHH35di66Gs=" + } ] } }, { "key": { - "type": "psa.refval-id", - "value": { - "label": "ARoT", - "version": "0.1.4", - "signer-id": "rLsRx+TaIXIFUjzkzhokWuGiOa48a/2eeHH35di66Gs=" - } + "type": "string", + "value": "psa.software-component" }, "value": { "digests": [ "sha-256:o6XnFfDMV0pzw/m+u2vCTzL/1bZ7OHJEwskJ2neaFHg=" + ], + "cryptokeys": [ + { + "type": "bytes", + "value": "rLsRx+TaIXIFUjzkzhokWuGiOa48a/2eeHH35di66Gs=" + } ] } } diff --git a/integration-tests/data/endorsements/comid-psa-ta.json b/integration-tests/data/endorsements/comid-psa-ta.json index 51e68f1b..6ed2b2dc 100644 --- a/integration-tests/data/endorsements/comid-psa-ta.json +++ b/integration-tests/data/endorsements/comid-psa-ta.json @@ -21,11 +21,9 @@ "environment": { "class": { "id": { - "type": "psa.impl-id", + "type": "bytes", "value": "YWNtZS1pbXBsZW1lbnRhdGlvbi1pZC0wMDAwMDAwMDE=" - }, - "vendor": "ACME", - "model": "RoadRunner" + } }, "instance": { "type": "ueid", 
@@ -38,28 +36,6 @@ "value": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEMKBCTNIcKUSDii11ySs3526iDZ8A\niTo7Tu6KPAqv7D7gS2XpJFbZiItSs3m9+9Ue6GnvHw/GW2ZZaVtszggXIw==\n-----END PUBLIC KEY-----" } ] - }, - { - "environment": { - "class": { - "id": { - "type": "psa.impl-id", - "value": "YWNtZS1pbXBsZW1lbnRhdGlvbi1pZC0wMDAwMDAwMDE=" - }, - "vendor": "ACME", - "model": "RoadRunner" - }, - "instance": { - "type": "ueid", - "value": "AUyj5PUL8kjDl4cCDWj/0FyIdndRvyZFypI/V6mL7NKW" - } - }, - "verification-keys": [ - { - "type": "pkix-base64-key", - "value": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE6Vwqe7hy3O8Ypa+BUETLUjBNU3rEXVUyt9XHR7HJWLG7XTKQd9i1kVRXeBPDLFnfYru1/euxRnJM7H9UoFDLdA==\n-----END PUBLIC KEY-----" - } - ] } ] } diff --git a/integration-tests/data/endorsements/corim-cca-full.json b/integration-tests/data/endorsements/corim-cca-full.json index 59e536d5..74b94a1a 100644 --- a/integration-tests/data/endorsements/corim-cca-full.json +++ b/integration-tests/data/endorsements/corim-cca-full.json @@ -1,10 +1,5 @@ { "corim-id": "5c57e8f4-46cd-421b-91c9-08cf93e13cfc", - "profile": "http://arm.com/cca/ssd/1", - "validity": { - "not-before": "2021-12-31T00:00:00Z", - "not-after": "2025-12-31T00:00:00Z" - }, "entities": [ { "name": "ACME Ltd.", @@ -13,5 +8,6 @@ "manifestCreator" ] } - ] + ], + "profile": "tag:arm.com,2025:cca_platform#1.0.0" } diff --git a/integration-tests/data/endorsements/corim-cca-platform-full.json b/integration-tests/data/endorsements/corim-cca-platform-full.json index 3147f677..b2aae62d 100644 --- a/integration-tests/data/endorsements/corim-cca-platform-full.json +++ b/integration-tests/data/endorsements/corim-cca-platform-full.json 
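Review bot: The trust-anchor environment for instance `AUyj5PUL8kjDl4cCDWj/0FyIdndRvyZFypI/V6mL7NKW` is dropped here, and in the same commit integration-tests/data/results/psa.freshness-fail.json replaces its expected nonce-mismatch `problem` with `no trust anchor for evidence`. Read together, it looks like the freshness-fail evidence is keyed to the removed instance and the test now stops at trust-anchor lookup before the nonce is ever compared, so the nonce-mismatch path loses its only coverage. If so, keep this environment (or re-point that evidence at the remaining instance) and restore the previous expected `problem` text in psa.freshness-fail.json; if the second anchor was removed because the new profile validation rejects it, the freshness case needs a valid anchor under the new profile instead.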
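Review bot: The first hunk of corim-cca-full.json removes the `validity` block rather than extending its `not-after` (2025-12-31, already past this commit's date), and corim-cca-platform-full.json and corim-cca-realm-full.json do the same, so no CCA fixture exercises CoRIM validity handling any more. corim-psa-full.json, by contrast, keeps that same expired window as unchanged context, so either the verifier enforces `validity` and the PSA fixture is now inconsistent with the CCA ones, or it does not and the removal changed nothing; which applies is not visible here. Consider keeping one CCA fixture with a future window, e.g. `"not-after": "2035-12-31T00:00:00Z"`, so expiry behaviour stays covered.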
@@ -1,17 +1,13 @@ { - "corim-id": "5c57e8f4-46cd-421b-91c9-08cf93e13cfc", - "profile": "http://arm.com/cca/ssd/1", - "validity": { - "not-before": "2021-12-31T00:00:00Z", - "not-after": "2025-12-31T00:00:00Z" - }, - "entities": [ - { + "corim-id": "00000000-0000-0000-cca6-000000000000", + "entities": [ + { "name": "ACME Ltd.", "regid": "acme.example", "roles": [ "manifestCreator" ] - } - ] - } + } + ], + "profile": "tag:arm.com,2025:cca_platform#1.0.0" +} diff --git a/integration-tests/data/endorsements/corim-cca-realm-full.json b/integration-tests/data/endorsements/corim-cca-realm-full.json index d57492bd..583dbad0 100644 --- a/integration-tests/data/endorsements/corim-cca-realm-full.json +++ b/integration-tests/data/endorsements/corim-cca-realm-full.json @@ -1,10 +1,5 @@ { - "corim-id": "5c57e8f4-46cd-421b-91c9-08cf93e13cfc", - "profile": "http://arm.com/cca/realm/1", - "validity": { - "not-before": "2021-12-31T00:00:00Z", - "not-after": "2025-12-31T00:00:00Z" - }, + "corim-id": "00000000-0000-0000-cca4-000000000000", "entities": [ { "name": "ACME Ltd.", @@ -13,5 +8,6 @@ "manifestCreator" ] } - ] + ], + "profile": "tag:arm.com,2025:cca_realm#1.0.0" } diff --git a/integration-tests/data/endorsements/corim-psa-full.json b/integration-tests/data/endorsements/corim-psa-full.json index db4d772a..3f14eb16 100644 --- a/integration-tests/data/endorsements/corim-psa-full.json +++ b/integration-tests/data/endorsements/corim-psa-full.json @@ -6,7 +6,7 @@ "thumbprint": "sha-256:5Fty9cDAtXLbTY06t+l/No/3TmI0eoJN7LZ6hOUiTXU=" } ], - "profile": "http://arm.com/psa/iot/1", + "profile": "tag:arm.com,2025:psa#1.0.0", "validity": { "not-before": "2021-12-31T00:00:00Z", "not-after": "2025-12-31T00:00:00Z" diff --git a/integration-tests/data/endorsements/corim-psa-mini.json b/integration-tests/data/endorsements/corim-psa-mini.json index f9528480..1d6e83a9 100644 --- a/integration-tests/data/endorsements/corim-psa-mini.json +++ b/integration-tests/data/endorsements/corim-psa-mini.json 
@@ -1,4 +1,4 @@
 {
 "corim-id": "5c57e8f4-46cd-421b-91c9-08cf93e13cfc",
- "profile": "http://arm.com/psa/iot/1"
+ "profile": "tag:arm.com,2025:psa#1.0.0"
 }
diff --git a/integration-tests/data/results/cca.good.json b/integration-tests/data/results/cca.good.json
index 51a22575..4fb5854b 100644
--- a/integration-tests/data/results/cca.good.json
+++ b/integration-tests/data/results/cca.good.json
@@ -19,7 +19,7 @@
 "cca-platform-implementation-id": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
 "cca-platform-instance-id": "AQICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC",
 "cca-platform-lifecycle": 12288,
- "cca-platform-profile": "http://arm.com/CCA-SSD/1.0.0",
+ "cca-platform-profile": "tag:arm.com,2023:cca_platform#1.0.0",
 "cca-platform-service-indicator": "https://veraison.example/v1/challenge-response",
 "cca-platform-sw-components": [
 {
diff --git a/integration-tests/data/results/cca.verify-challenge.json b/integration-tests/data/results/cca.verify-challenge.json
index 8706d646..984c6f79 100644
--- a/integration-tests/data/results/cca.verify-challenge.json
+++ b/integration-tests/data/results/cca.verify-challenge.json
@@ -18,7 +18,7 @@
 "cca-platform-implementation-id": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
 "cca-platform-instance-id": "AQICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC",
 "cca-platform-lifecycle": 12288,
- "cca-platform-profile": "http://arm.com/CCA-SSD/1.0.0",
+ "cca-platform-profile": "tag:arm.com,2023:cca_platform#1.0.0",
 "cca-platform-service-indicator": "https://veraison.example/v1/challenge-response",
 "cca-platform-sw-components": [
 {
diff --git a/integration-tests/data/results/psa.freshness-fail.json b/integration-tests/data/results/psa.freshness-fail.json
index 35cf8bcf..bfa9fd7f 100644
--- a/integration-tests/data/results/psa.freshness-fail.json
+++ b/integration-tests/data/results/psa.freshness-fail.json
@@ -13,7 +13,7 @@ "storage-opaque": 99 }, "ear.veraison.policy-claims": { - "problem": "integrity validation failed: bad evidence: freshness: psa-nonce (414a7c174141b3d0e9a1d28af31520f0d42299feac4007ded89d68ae6cd92f19) does not match session nonce (75e69d6de79f75e69d6de79f75e69d6de79f75e69d6de79f75e69d6de79f75e6)" + "problem": "no trust anchor for evidence" } } } diff --git a/integration-tests/tests/common.yaml b/integration-tests/tests/common.yaml index 94d480f8..9bccc2b7 100644 --- a/integration-tests/tests/common.yaml +++ b/integration-tests/tests/common.yaml @@ -17,8 +17,8 @@ variables: bad-nonce: Ppfdfe2JzZLOk= endorsements-content-types: - psa.p1: application/rim+cbor; profile="http://arm.com/psa/iot/1" - cca._: application/rim+cbor; profile="http://arm.com/cca/ssd/1" + psa.p1: application/rim+cbor; profile="tag:arm.com,2025:psa#1.0.0" + cca._: application/rim+cbor; profile="tag:arm.com,2025:cca_platform#1.0.0" enacttrust._: application/rim+cbor; profile="https://enacttrust.com/veraison/1.0.0" evidence-content-types: psa.p1: application/psa-attestation-token diff --git a/integration-tests/tests/test_cca_verify_challenge.tavern.yaml b/integration-tests/tests/test_cca_verify_challenge.tavern.yaml index df36c46a..0abbb0ae 100644 --- a/integration-tests/tests/test_cca_verify_challenge.tavern.yaml +++ b/integration-tests/tests/test_cca_verify_challenge.tavern.yaml 
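Review bot: The expected failure for psa.freshness-fail changed from the nonce-mismatch message to `"problem": "no trust anchor for evidence"`, so this test no longer exercises the freshness check at all: it now passes whenever trust-anchor lookup fails, which presumably happens before the nonce is ever compared. The likely cause is that the regenerated PSA trust-anchor endorsement (the `bytes` class-id and new instance in comid-psa-ta.json) no longer matches the evidence this test submits. Restore the freshness expectation and fix the vector so the trust anchor resolves; an expected-result file that encodes a lookup failure would hide a regression in nonce validation.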
@@ -29,14 +29,25 @@ includes: - !include common.yaml stages: - - name: submit post request to the provisioning service successfully + - name: submit post request for CCA platform to the provisioning service successfully request: method: POST url: https://{provisioning-service}/endorsement-provisioning/v1/submit headers: - content-type: '{endorsements-content-type}' # set via hook + content-type: '{platform-en-content-type}' # set via hook authorization: '{authorization}' # set via hook - file_body: __generated__/endorsements/corim-{scheme}-{endorsements}.cbor + file_body: __generated__/endorsements/corim-{scheme}-platform-{endorsements}.cbor + response: + status_code: 200 + + - name: submit post request for CCA Realm to the provisioning service successfully + request: + method: POST + url: https://{provisioning-service}/endorsement-provisioning/v1/submit + headers: + content-type: '{realm-en-content-type}' # set via hook + authorization: '{authorization}' # set via hook + file_body: __generated__/endorsements/corim-{scheme}-realm-{endorsements}.cbor response: status_code: 200 diff --git a/integration-tests/tests/test_provisioning_empty_body.tavern.yaml b/integration-tests/tests/test_provisioning_empty_body.tavern.yaml index 0095efc4..83c6ceba 100644 --- a/integration-tests/tests/test_provisioning_empty_body.tavern.yaml +++ b/integration-tests/tests/test_provisioning_empty_body.tavern.yaml @@ -9,7 +9,7 @@ stages: method: POST url: https://{provisioning-service}/endorsement-provisioning/v1/submit headers: - content-type: 'application/rim+cbor; profile="http://arm.com/psa/iot/1"' + content-type: 'application/rim+cbor; profile="tag:arm.com,2025:psa#1.0.0"' authorization: '{authorization}' # set via hook response: status_code: 400 diff --git a/integration-tests/tests/test_provisioning_unauthorized.tavern.yaml b/integration-tests/tests/test_provisioning_unauthorized.tavern.yaml index 2275d036..053d64be 100644 
--- a/integration-tests/tests/test_provisioning_unauthorized.tavern.yaml +++ b/integration-tests/tests/test_provisioning_unauthorized.tavern.yaml @@ -9,7 +9,7 @@ stages: method: POST url: https://{provisioning-service}/endorsement-provisioning/v1/submit headers: - content-type: 'application/rim+cbor; profile="http://arm.com/psa/iot/1"' + content-type: 'application/rim+cbor; profile="tag:arm.com,2025:psa#1.0.0"' response: status_code: 401 diff --git a/integration-tests/tests/test_verification_bad_session_attester.tavern.yaml b/integration-tests/tests/test_verification_bad_session_attester.tavern.yaml index 6e01c1b4..e5458143 100644 --- a/integration-tests/tests/test_verification_bad_session_attester.tavern.yaml +++ b/integration-tests/tests/test_verification_bad_session_attester.tavern.yaml @@ -25,7 +25,7 @@ stages: method: POST url: https://{provisioning-service}/endorsement-provisioning/v1/submit headers: - content-type: 'application/rim+cbor; profile="http://arm.com/psa/iot/1"' + content-type: 'application/rim+cbor; profile="tag:arm.com,2025:psa#1.0.0"' authorization: '{authorization}' # set via hook file_body: __generated__/endorsements/corim-{scheme}-{endorsements}.cbor response: diff --git a/integration-tests/utils/checkers.py b/integration-tests/utils/checkers.py index 3333f6ca..b620944e 100644 --- a/integration-tests/utils/checkers.py +++ b/integration-tests/utils/checkers.py 
@@ -33,11 +33,9 @@ def compare_to_expected_result(response, expected, verifier_key): expected_submods = json.load(fh) for key, expected_claims in expected_submods.items(): - try: - decoded_claims = decoded_submods[key] - print("Key exists in the dictionary.") - except KeyError: - print(f"Key {key} does not exist in the dictionary.") + decoded_claims = decoded_submods.get(key) + if decoded_claims is None: + raise AssertionError(f'submod "{key}" missing in attestation result') assert decoded_claims["ear.status"] == expected_claims["ear.status"] print(f"Evaluating Submod with SubModName {key}") diff --git a/integration-tests/utils/generators.py b/integration-tests/utils/generators.py index 7f2ab21a..b0de48d4 100644 --- a/integration-tests/utils/generators.py +++ b/integration-tests/utils/generators.py @@ -6,6 +6,7 @@ import shutil import tempfile import uuid +from datetime import datetime, timezone from util import update_json, run_command @@ -238,11 +239,14 @@ def generate_corim(corim_template, comid_templates, output_path): def sign_corim(unsigned_corim_path, signed_corim_path): meta_file = f'{GENDIR}/meta.json' + now = datetime.now(timezone.utc) meta_content = { "signer": { - "name": "Veraison Test Signer", - "uri": "https://veraison.example/test-signer", - "id": "Veraison Test Signer" + "name": "veraison-services-test" + }, + "validity": { + "not-before": now.isoformat(), + "not-after": now.replace(year=now.year + 20).isoformat(), } } diff --git a/integration-tests/utils/hooks.py b/integration-tests/utils/hooks.py index dbf9fd3a..32e418d8 100644 --- a/integration-tests/utils/hooks.py +++ b/integration-tests/utils/hooks.py 
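Review bot: `decoded_submods.get(key)` followed by `is None` treats a submod whose value decodes to JSON `null` the same as an absent key; `if key not in decoded_submods: raise AssertionError(f'submod "{key}" missing in attestation result')` followed by `decoded_claims = decoded_submods[key]` keeps the same failure for the missing case without conflating the two. The raise itself is a clear improvement over the old print-and-continue, which let a missing submod fall through to an `ear.status` comparison on stale or unbound data. compare_to_expected_result continues outside the hunk.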
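Review bot: `now.isoformat()` emits microseconds and a `+00:00` suffix (constructed example: `2026-01-01T00:00:00.123456+00:00`), whereas every validity timestamp in the checked-in templates uses the fraction-less `Z` form; whether the CoRIM signing tool accepts the former should be confirmed before the generated meta.json is relied on. `now.replace(year=now.year + 20)` also raises ValueError when run on 29 February of a year whose +20 counterpart is not a leap year (2080 is the next such case). Using `now.replace(microsecond=0)` for `not-before` and `datetime(now.year + 20, 1, 1, tzinfo=timezone.utc)` for `not-after` sidesteps both, and `.strftime('%Y-%m-%dT%H:%M:%SZ')` matches the existing vectors exactly.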
@@ -54,11 +54,11 @@ def setup_provisioning_fail_empty_body(test, variables): def setup_cca_verify_challenge(test, variables): - _set_content_types(test, variables) + _set_cca_content_types(test, variables) _set_authorization(test, variables, 'provisioner') _set_alt_authorization(test, variables, 'manager') _set_nonce(test, variables) - generate_endorsements(test) + generate_cca_end_to_end_endorsements(test) generate_evidence_from_test(test) def setup_cca_end_to_end(test, variables): @@ -113,9 +113,9 @@ def _set_cca_content_types(test, variables): # Set platform and realm content types if corim_type == 'signed': # Use signed content types - variables['platform-en-content-type'] = 'application/rim+cose; profile="http://arm.com/cca/ssd/1"' - variables['realm-en-content-type'] = 'application/rim+cose; profile="http://arm.com/cca/realm/1"' + variables['platform-en-content-type'] = 'application/rim+cose; profile="tag:arm.com,2025:cca_platform#1.0.0"' + variables['realm-en-content-type'] = 'application/rim+cose; profile="tag:arm.com,2025:cca_realm#1.0.0"' else: # Use unsigned content types - variables['platform-en-content-type'] = 'application/rim+cbor; profile="http://arm.com/cca/ssd/1"' - variables['realm-en-content-type'] = 'application/rim+cbor; profile="http://arm.com/cca/realm/1"' + variables['platform-en-content-type'] = 'application/rim+cbor; profile="tag:arm.com,2025:cca_platform#1.0.0"' + variables['realm-en-content-type'] = 'application/rim+cbor; profile="tag:arm.com,2025:cca_realm#1.0.0"' diff --git a/scheme/arm-cca/corim.go b/scheme/arm-cca/corim.go deleted file mode 100644 index 0579d0ca..00000000 --- a/scheme/arm-cca/corim.go +++ /dev/null 
@@ -1,169 +0,0 @@ -// Copyright 2026 Contributors to the Veraison project. -// SPDX-License-Identifier: Apache-2.0 -package arm_cca - -import ( - "errors" - "fmt" - - "github.com/veraison/corim/comid" - "github.com/veraison/corim/corim" - "github.com/veraison/corim/extensions" - "github.com/veraison/eat" - "github.com/veraison/services/scheme/common" -) - -const ( - LegacyPlatformProfileString = "http://arm.com/cca/ssd/1" - LegacyRealmProfileString = "http://arm.com/cca/realm/1" - PlatformProfileString = "tag:arm.com,2023:cca_platform#1.0.0" - RealmProfileString = "tag:arm.com,2023:realm#1.0.0" -) - -func ValidatePlatformEnvironment(env *comid.Environment, isTrustAnchor bool) error { - if env.Class == nil { - return errors.New("class not set") - } - - if env.Class.ClassID == nil { - return errors.New("class ID not set") - } - - if env.Class.ClassID.Type() != comid.ImplIDType { - return fmt.Errorf("class ID: expected psa.impl-id, got %s", env.Class.ClassID.Type()) - } - - if isTrustAnchor { - if env.Instance == nil { - return errors.New("instance not set for trust anchor") - } - - if env.Instance.Type() != comid.UEIDType { - return fmt.Errorf("instance: expected UEID, got %s", env.Instance.Type()) - } - - } else if env.Instance != nil { - return errors.New("instance set for reference value") - } - - return nil -} - -func validateRealmEnvironment(env *comid.Environment) error { - if env.Instance == nil { - return errors.New("instance not set") - } - - if env.Instance.Type() != comid.BytesType { - return fmt.Errorf("instance: expected bytes, got %s", env.Instance.Type()) - } - - return nil -} - -func ValidateCryptoKeys(keys []*comid.CryptoKey) error { - if len(keys) != 1 { - return fmt.Errorf("expected exactly one key but got %d", len(keys)) - } - - if keys[0].Type() != comid.PKIXBase64KeyType { - return fmt.Errorf("trust anchor must be a PKIX base64 key, found: %s", keys[0].Type()) - } - - return nil -} - -func ValidatePlatformMeasurements(measurements 
[]comid.Measurement) error { - for i, mea := range measurements { - if mea.Key == nil { - return fmt.Errorf("measurement %d key not set", i) - } - - switch mea.Key.Type() { - case comid.PSARefValIDType: - if mea.Val.Digests == nil { - return fmt.Errorf("measurement %d value: no digests", i) - } - case comid.CCAPlatformConfigIDType: - if mea.Val.RawValue == nil { - return fmt.Errorf("measurement %d value: no raw value", i) - } - default: - return fmt.Errorf("measurement %d key: unexpected type %s", i, mea.Key.Type()) - } - - } - - return nil -} - -func validateRealmMeasurements(measurements []comid.Measurement) error { - for i, mea := range measurements { - if mea.Val.RawValue == nil { - return fmt.Errorf("measurement %d: personalization (raw value) not set", i) - } - - if mea.Val.IntegrityRegisters == nil { - return fmt.Errorf("measurement %d integrity registers not set", i) - } - } - - return nil -} - -func init() { - platformProfileID, err := eat.NewProfile(PlatformProfileString) - if err != nil { - panic(err) - } - - legacyPlatformProfileID, err := eat.NewProfile(LegacyPlatformProfileString) - if err != nil { - panic(err) - } - - realmProfileID, err := eat.NewProfile(RealmProfileString) - if err != nil { - panic(err) - } - - legacyRealmProfileID, err := eat.NewProfile(LegacyRealmProfileString) - if err != nil { - panic(err) - } - - platformValidator := &common.TriplesValidator{ - TAEnviromentValidator: func(e *comid.Environment) error { - return ValidatePlatformEnvironment(e, true) - }, - RefValEnviromentValidator: func(e *comid.Environment) error { - return ValidatePlatformEnvironment(e, false) - }, - CryptoKeysValidator: ValidateCryptoKeys, - MeasurementsValidator: ValidatePlatformMeasurements, - } - platformExtMap := extensions.NewMap().Add(comid.ExtTriples, platformValidator) - - realmValidator := &common.TriplesValidator{ - EnviromentValidator: validateRealmEnvironment, - MeasurementsValidator: validateRealmMeasurements, - DisallowTAs: true, - } - 
realmExtMap := extensions.NewMap().Add(comid.ExtTriples, realmValidator) - - if err := corim.RegisterProfile(platformProfileID, platformExtMap); err != nil { - panic(err) - } - - if err := corim.RegisterProfile(legacyPlatformProfileID, platformExtMap); err != nil { - panic(err) - } - - if err := corim.RegisterProfile(realmProfileID, realmExtMap); err != nil { - panic(err) - } - - if err := corim.RegisterProfile(legacyRealmProfileID, realmExtMap); err != nil { - panic(err) - } -} diff --git a/scheme/arm-cca/corim_test.go b/scheme/arm-cca/corim_test.go index cfbd2dc2..78bcbc9c 100644 --- a/scheme/arm-cca/corim_test.go +++ b/scheme/arm-cca/corim_test.go 
@@ -17,47 +17,52 @@ func TestProfile(t *testing.T) { { Title: "platform bad no class", Input: corimCcaPlatformBadNoClass, - Err: "class not set", + Err: "environment.class is required", }, { Title: "platform bad TA no instance", Input: corimCcaPlatformBadTaNoInstance, - Err: "instance not set for trust anchor", + Err: "environment.instance (instance-id) is required", }, { Title: "platform bad TA bytes instance", Input: corimCcaPlatformBadTaInstance, - Err: "instance: expected UEID, got bytes", + Err: "instance-id must be of type 'ueid', got 'bytes'", }, { Title: "platform bad TA cert", Input: corimCcaPlatformBadTaCert, - Err: "trust anchor must be a PKIX base64 key, found: pkix-base64-cert", - }, - { - Title: "platform bad RefVal instance", - Input: corimCcaPlatformBadRefvalInstance, - Err: "instance set for reference value", + Err: "verification-key must be of type 'pkix-base64-key', got 'pkix-base64-cert'", }, { Title: "platform bad RefVal no mkey", Input: corimCcaPlatformBadRefvalNoMkey, - Err: "measurement 0 key not set", + Err: "mkey is mandatory but not set", }, { Title: "platform bad RefVal uint mkey", Input: corimCcaPlatformBadRefvalMkey, - Err: "measurement 0 key: unexpected type uint", + Err: "mkey must be of type 'string', got 'uint'", + }, + { + Title: "platform bad RefVal invalid string mkey", + Input: corimCcaPlatformBadRefvalMkeyString, + Err: "invalid mkey \"cca.bad-component\"", + }, + { + Title: "platform bad RefVal malformed cryptokeys", + Input: corimCcaPlatformBadRefvalCryptokeys, + Err: "cryptokeys (signer-id) must be of type 'bytes'", }, { Title: "platform bad RefVal no digest", Input: corimCcaPlatformBadRefvalNoDigests, - Err: "measurement 0 value: no digests", + Err: "digests field is mandatory but not set", }, { Title: "platform bad RefVal no raw value", Input: corimCcaPlatformBadRefvalNoRawValue, - Err: "measurement 0 value: no raw value", + Err: "raw-value is mandatory for cca.platform-config", }, { Title: "realm ok", 
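Review bot: The `platform bad RefVal instance` case (expecting `instance set for reference value`) is removed with no replacement, so the suite no longer asserts that a CCA platform reference-value triple carrying an instance id is rejected; the deleted corim.go enforced exactly that in `ValidatePlatformEnvironment(env, false)`. If the cca profile package deliberately allows an instance on reference values, a one-line comment in the test list saying so would stop the next reader from re-adding it; otherwise the case should come back against whatever message the new validator produces. TestProfile continues outside the hunk.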
@@ -66,22 +71,27 @@ func TestProfile(t *testing.T) { { Title: "realm bad instance", Input: corimCcaRealmBadInstance, - Err: "instance: expected bytes, got ueid", + Err: "RIM must be of type 'bytes', got 'uuid'", }, { Title: "realm bad no instance", Input: corimCcaRealmBadNoInstance, - Err: "instance not set", + Err: "environment.class is required for CCA Realm profile", }, { - Title: "realm bad no integ. registers", - Input: corimCcaRealmBadNoIntegRegs, - Err: "integrity registers not set", + Title: "realm bad no rim", + Input: corimCcaRealmBadNoRim, + Err: "RIM (cca.rim) measurement is mandatory but not found", }, { Title: "realm bad no raw value", Input: corimCcaRealmBadNoRawValue, - Err: "personalization (raw value) not set", + Err: "raw-value is mandatory for cca.rpv", + }, + { + Title: "realm bad no integ regs", + Input: corimCcaRealmBadNoIntegRegs, + Err: "digests field is mandatory but not set", }, } diff --git a/scheme/arm-cca/scheme.go b/scheme/arm-cca/scheme.go index 4fda77ad..2e0198e7 100644 --- a/scheme/arm-cca/scheme.go +++ b/scheme/arm-cca/scheme.go @@ -16,6 +16,7 @@ import ( "github.com/veraison/ccatoken/platform" "github.com/veraison/ccatoken/realm" "github.com/veraison/corim/comid" + "github.com/veraison/corim/profiles/cca" "github.com/veraison/ear" "github.com/veraison/services/handler" "github.com/veraison/services/log" @@ -29,10 +30,8 @@ var Descriptor = handler.SchemeDescriptor{ VersionMajor: 1, VersionMinor: 0, CorimProfiles: []string{ - LegacyPlatformProfileString, - LegacyRealmProfileString, - PlatformProfileString, - RealmProfileString, + cca.PlatformProfileURI, + cca.RealmProfileURI, }, EvidenceMediaTypes: []string{ `application/eat-collection; profile="http://arm.com/CCA-SSD/1.0.0"`, @@ -67,7 +66,7 @@ func (o *Implementation) GetTrustAnchorIDs( return nil, err } - classID, err := comid.NewImplIDClassID(implIDbytes) + classID, err := cca.NewPlatformImplIDClassID(implIDbytes) if err != nil { return nil, err } 
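Review bot: `realm bad no instance` now expects `environment.class is required for CCA Realm profile` and `realm bad instance` expects `RIM must be of type 'bytes', got 'uuid'`, neither of which concerns the instance the titles name, so each case may now be failing on an earlier, unrelated check rather than on the condition it was written for. Either the regenerated corim-cca-realm-bad-*.cbor vectors changed more than the instance field or the new validator reports a different field first; in both cases the title or the vector should be realigned so that a later fix to the class/RIM checks does not leave the instance path untested. `realm bad no integ regs` now expects the same generic `digests field is mandatory but not set` as the platform no-digest case; worth confirming it is the realm integrity-register path that raises it.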
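Review bot: Dropping `LegacyPlatformProfileString` and `LegacyRealmProfileString` from `CorimProfiles` (together with their registration in the deleted corim.go) means a CoRIM submitted with `http://arm.com/cca/ssd/1` or `http://arm.com/cca/realm/1` is now rejected at provisioning, and endorsements already stored under those profiles are presumably not re-provisionable without regeneration. That may well be the intent of the migration, but it is a behaviour change for deployed provisioners and belongs in the commit description or changelog, with a note on whether existing stores need regeneration. A short comment on the slice, e.g. `// Legacy http://arm.com/cca/{ssd,realm}/1 profile URIs are intentionally no longer accepted.`, would spare the next reader a git archaeology trip.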
@@ -445,8 +444,11 @@ func matchPlatformClaimsToReferenceValues( } for _, measurement := range triple.Measurements.Values { - _, err = measurement.Key.GetCCAPlatformConfigID() - if err == nil { + // Check if this is a platform config measurement + if measurement.Key != nil && measurement.Key.IsSet() && + measurement.Key.Type() == comid.StringType && + measurement.Key.Value.String() == cca.CCAPlatformConfigMkey { + if measurement.Val.RawValue == nil { return false, false, errors.New("no raw value in platform config measurement") @@ -460,12 +462,9 @@ func matchPlatformClaimsToReferenceValues( continue } - // not platform config entry, therefore must be a S/W component entry. - refValID, err := measurement.Key.GetPSARefValID() - if err != nil { - return false, false, err - } - + // Not a platform-config entry. Treat any digest-bearing measurement as + // a software component reference. This is robust against profile-driven + // key-label changes while still requiring digest equality. if measurement.Val.Digests == nil { return false, false, errors.New("no digests in reference value measurement") } @@ -479,7 +478,18 @@ func matchPlatformClaimsToReferenceValues( } encoded := base64.StdEncoding.EncodeToString((*measurement.Val.Digests)[0].HashValue) - referenceValues[encoded] = [2]string{*refValID.Label, *refValID.Version} + // Extract label (mtype) and version from measurement value + label := "" + if measurement.Val.Name != nil { + label = *measurement.Val.Name + } + + version := "" + if measurement.Val.Ver != nil { + version = measurement.Val.Ver.Version + } + + referenceValues[encoded] = [2]string{label, version} } } 
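Review bot: The new fall-through treats every measurement whose key is not `cca.CCAPlatformConfigMkey` as a software-component reference, so a measurement with a nil, non-string or unexpected string key is accepted as long as it carries digests, whereas the old code refused anything that was not a `PSARefValID`. Profile validation at provisioning apparently rejects unknown string mkeys (see the `invalid mkey "cca.bad-component"` case in corim_test.go), but the matcher should not rely on that alone: compare the key against the profile's software-component mkey constant here (the regenerated PSA vectors use the string `psa.software-component`; the cca package presumably exports the CCA equivalent alongside `CCAPlatformConfigMkey`) and return an error otherwise. Likewise `label` silently becomes `""` when `Val.Name` is nil, which the old `*refValID.Label` path could never produce; mirroring the digests guard with `if measurement.Val.Name == nil { return false, false, errors.New("no name in reference value measurement") }` keeps that invariant. matchPlatformClaimsToReferenceValues starts and ends outside these hunks, so check whether the `err` that the first hunk stops assigning is still used elsewhere in the function.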
diff --git a/scheme/arm-cca/test/corim/corim-cca-platform-bad-no-class.cbor b/scheme/arm-cca/test/corim/corim-cca-platform-bad-no-class.cbor index ce04c1a304b8235b0920a3503659da9e3266057b..5472cd8d719392f5b0e4ee96c8189fead622e255 100644 GIT binary patch delta 68 zcmcc5^onVN9;1zNNn*NHVo|PMa(=Fkk%5t^RdRA-d_hiPNm_nUuCk$?ft~?t<06KF Xu+*Z&%;Nk!g@B^`tkmQZrbb2p7b+IB delta 57 zcmaFGbf0O19;2Z|MoCG5mA-yrQLbKcey)CUa-x25af-enYvUq@g0R%0#LVLSJcWRw M{H)aE5~fB*06R|;ga7~l diff --git a/scheme/arm-cca/test/corim/corim-cca-platform-bad-refval-cryptokeys.cbor b/scheme/arm-cca/test/corim/corim-cca-platform-bad-refval-cryptokeys.cbor new file mode 100644 index 0000000000000000000000000000000000000000..7683d16bb6797c2e63a6ef9c29f1e868cd3f5b13 GIT binary patch literal 435 zcmcb~_;m?Gg{lD*=z?enk(``p24=zJEEyYbGX9EWbX>%^kRiZ%_v3oKL~rADmxIrL zbm|skS;)}Xw2)yT!%ZfG2n7ZLpm7mH8PEc~;{3Fd^2DN4-Q@h-g8aPHyb{L6OpQ&9 z5en>VtSrn-j12sIygb}ooE+j}q9VdVf&%h#vNF7Uk*zt0VrFrEoq7w_)CKj+xEYnj_E=f$cN-WCNOU}>LF)}bRwMtG- Xj4#MZEJ@2R%2hVhGte`bxK{!I(*YHI delta 77 zcmaFBc$IO2HlxKv9d+i22!)A>q7w_)CKj+xEYmZT$S5f(u+rC0EXvhO&d=3PPEOP> hE>6)mWNlo;P!N_{l$cqZpQjK|l%JKFT*B1I2msXa8G`@- diff --git a/scheme/arm-cca/test/corim/corim-cca-platform-bad-refval-no-digests.cbor b/scheme/arm-cca/test/corim/corim-cca-platform-bad-refval-no-digests.cbor index 39356b9137d5ddbef1f5f82b387c9baaed59109f..7655be7243c86125f5442cafd78811432b454695 100644 GIT binary patch delta 142 zcmaFCc!zOtY3}wm5iF(EPX(i=}MX9>U`MCx8d8v6NjEh)+YMmLGn7Naj te3&bgOA^zq5{q*6fGTv142(>zfcoMKauQ3@@{4kn4fPE43?^QX006_;G9dr} delta 175 zcmcb^_=0hQmX3iXW8+Q6UlC1<7#A`GIPZR3ub1d;yzX-F`HxQBVk`?88k-g}EM&OJ z6cM2?F;R440o%j^)}qEmK#|DBj7d&DEUCtNCVED!5en>VtSrn-j12sIygb}ooE+j} zq9VdVf&%h#vNFFXyJq7w_)CKj+xEYq=3E=f$cN-WCNOU}>LF)}bRwMtG- sj4#MZEJ@2R%2hVhGte_&ZCu1q5SCh$m|2{krw~w-pOuq7w_)CKj+xEYmTR$S5f(u+rC0EXvhO&d=3PPEOP> hE>6)mWNlo;P!N_{l$cqZpQjK|l%JKFT*B1I2msR+8GHZ$ 
diff --git a/scheme/arm-cca/test/corim/corim-cca-platform-bad-refval-no-raw-value.cbor b/scheme/arm-cca/test/corim/corim-cca-platform-bad-refval-no-raw-value.cbor index 559a767d3cd84ab7ac70dadd45d16de9fc81ec92..1504c6487b41ed764570cb76b5c034da4bd1e444 100644 GIT binary patch delta 147 zcmaFF_?dBnwzeT-<4wk25lxF27cvAm?|xjbm*{Q0?sD+?k51iUEDISLn-(%GWVp#> z5TP(JQFLMf+r$D^@y10A#mUKudIdR&C29FZxw^^ud1;yH6Wg_HluHuRtrClJ^^)^* sb&L#*Os#+l<6#Pw4fPE43|N8s3&K*15;KeQ^ArM#^0QKtOPCrN0W427Y5)KL delta 130 zcmey&_=s_WwzdId<4wk25jBe#7cvAm?|xjbm*{Q0?sD+?k51iUEDISLn-(%GWVp!` z5uq?KQFLMf+r$D^!Nx^Ek*KWXv~-0sLp=jMgNeObh7uViB?VUc`iVukddc~@`pLMTwck`FRQfMfq8&$t6sUi~x}^F5UnD diff --git a/scheme/arm-cca/test/corim/corim-cca-platform-bad-ta-cert.cbor b/scheme/arm-cca/test/corim/corim-cca-platform-bad-ta-cert.cbor index 7fde69b355ae1f44a0ed8ca56f01915c4c060fb1..cf02366b052e312438581f5199c0c127560b05f7 100644 GIT binary patch delta 81 zcmdlhd_s6a2(v+i!o)^$he3SQ{5H6ojP~C1w`q=P3jfhyjOTa2y;Y)!o)UOVaX- Qa+MAB4D<{p7cfcy0A0xwSpWb4 delta 69 zcmbQt+`&8{ggGKYVPc}#!~*t-C65gyGD=Dctn~F0i*ogn^KX?~k+F%XnYo1}b`~C!CUY^W`En=u8d7c)Q)3fjgaZF$ zK}LCyiAK~iQ5a;R570zoqD?FY1zbT+Vo6$lQ7$mx^3pQX85gkt1Iw9_iJ5isKSnL2 zpq}i_^uR{BBr)A8u_#v$7|c3G21ce5fkINi6#on5fKU#6U8PLuuC#9FtjdWxXBc`m@&!8hb7fm&qU9NH9~=X z@;yd*PR4~yjZKVDo+wP6uOUmSp`MYR0Zbhe}$qokz3N?$**C|55zKUY6F kIZ?m3I7Q!(wQ&(cL0D>0VrFrEo8kjf}2DX`MlPb|vSOU}>L2PPH$qSVBkTzx~<#zhPTVW~xl TnZ@~e3IRp=S*gh-OpS~HlV+!9 
diff --git a/scheme/arm-cca/test/corim/corim-cca-realm-bad-no-instance.cbor b/scheme/arm-cca/test/corim/corim-cca-realm-bad-no-instance.cbor index e0ef1b84643cc6d5b2bcc253325e5bca720aaf82..72db6543a8415befcf4eaf849f23bd6c58f58c43 100644 GIT binary patch literal 705 zcmcb~_;m?Gg{lD*=z?enk(``p0%pPFj2RnmGX9EW3R=XtkRiZ%_v3oKL~rADmxIrL zbm|skS;)}Xw2<*8lR<=oGligS5korAdcC5|T*ie=jZGYs8@Y%f18ibyt^xIpG^DtaUlyh!W~^GgUl5QC5h=)iAA}3$@#fDMg~TvR>0_rFG@|!$yGMg gGte_&ZCu1q5SCh$m|2{krw~w-pOuPx# literal 617 zcmcb~_;m?Gg{lD*=z?enk(``p0%pPFj2RnmGX9EWVpznukRiZ%_v3oKL~rADmxIrL zbm|skS;)}Xw2)yT!%e1$2n7ZLpm8DNB9@y>1`!U9E|fvOrO8E^xs6R65f082f|R1v zTm!0^WJooWjHqUkF;z@ru8_(oDJihh*H0|U)l1IL)d!{({i4*woLqfF*2YB)1!1X0 UiJ8Uuc?tnV`B|ySB}|Qs0Iz7S6BpRoI=V1dD3m0oTO}6d>Lusr x>KGXqnOXsL#uud~=Hx0H>KW)6ur@AYC delta 97 zcmV-n0G|J~0+RxeDpzp#Xt`p#hOm zMGAqT0iguh0x(!Wk-$2U&;}g?cp7MQbZ|N^FJW?RE@N+PFJoh2FLGsJY;7+wlN|vV DEUY7c diff --git a/scheme/arm-cca/test/corim/corim-cca-realm-bad-no-raw-value.cbor b/scheme/arm-cca/test/corim/corim-cca-realm-bad-no-raw-value.cbor index 3964860a2fe9a93d104731afbdc3156712690d60..46a79653e304addaac43ec0511926fc48d592701 100644 GIT binary patch literal 675 zcmcb~_;m?Gg{lD*=z?enk(``p0%pPF%orPQGX9EWGFim9kRiZ%_v3oKL~rADmxIrL zbm|skS;)}Xw2)yT!%ZfG2nS~hLE9pRbf5$DiZXK<7cw6Q)Cw3K@kObLIl0P) gdIow1tc{Bp3c^y05;KeQ^ArM#^0QKtOPCrN0peW11poj5 delta 160 zcmZ3?dXQy;wuUKV<4wk2k&HJMF)m~XaNhm6UN6zxc-`gT^Bh15GX9EW3R%RskRiZ%_v3oKL~rADmxIrL zbm|skS;)}Xw2)yT!%ZfG2nS~hLE9pRbf5$DiZXK<7cwP#+`YZ5Y*jxs!YiDL0C#v57H4fq&wDd60od z)G|;QXrK?!Kx3i}ECvNzK~7>xT7FS3Fxc|aGSe9su>gb0nURT^b+Q3d0;9p^iA?&8 E0KCR*p#T5? delta 202 zcmeC?IKV!^n2}+kNf2{Hgu>*9OtO*;3=FM{7;Z8}E@n(}@?l9e)-%yFVvSH>pDe&6 z&&jxusj-O>$`ggD^EG5iHPkcGGk~dMVq7@ckWmexzzCwi7+JwwWCg|`1qP@la5AZh hfvkwiN={2xC0#vNn*NHVo|PMa(=Fkk%5t^RY7s0vZ0=Vo&f;Vu?nUD delta 33 ocmaFH^n_`HH>0FPMoCG5mA-yrQLbKcey)B&aiV@^eu=&z0L9!3PXGV_ 
diff --git a/scheme/psa-iot/test/corim/corim-psa-bad-instance.cbor b/scheme/psa-iot/test/corim/corim-psa-bad-instance.cbor index f883c9c88869ad83e246789ffd7d16e52d33db36..4b78c3a04dc028cb0b4a553ffd7dc9099680ffaa 100644 GIT binary patch delta 39 ucmaFN^pt5rG^4@9n0L}rC5h=)iAA}3$@#fDMg~TvRt3e0%7%IddIkU*tqh+4 delta 37 scmaFL^q6TvG-JfXn0JyA86_nJR{HvhMY(#(`MLT9#fkcv`6c>>01TE5Z~y=R diff --git a/scheme/psa-iot/test/corim/corim-psa-bad-refval-instance.cbor b/scheme/psa-iot/test/corim/corim-psa-bad-refval-instance.cbor index 62c5ff27569df14648000241c2e527ff931509ca..6c1f53eec22268c8fb0e1910c89e2cb18291b386 100644 GIT binary patch delta 162 zcmbQow1H`YHisEw<4wk25f3IBt1}u*jMlXAS^VTH_a~3T)7zPNGyY$Q=_o4?+^^<( zYLb2U%I-IprZp~NC@UyV)GN+UD=AMbO4Uuy&n?K$OU)}`Ts-lvniqG9V^DqwZ{tlS ug9rr!LnC7oQ!{f5OYAJ>3aOIBbgRUoTs@#MIz|RYrdB}1l@0X_^b7z&xH!@P delta 144 zcmV;B0B`@W0-gepD+o0Kf!P82SkRF(CjnTITPa!2>#lo=C!->MQv=Ul40f!nkysgk0f!nm06CXdIow104+-l An*aa+ delta 43 ycmZ23yi|CCHlx`@9Sz2ajiKh8k`fsuB?VUc`iVukddc~@`US;_`kDD9`i1}>hz)H3 diff --git a/scheme/psa-iot/test/corim/corim-psa-bad-ta-no-instance.cbor b/scheme/psa-iot/test/corim/corim-psa-bad-ta-no-instance.cbor index 9f2cf10e7f222cde3e85e158d882aff12a604266..e9f64a5cb43085937e05656752f0d4e3a02b556e 100644 GIT binary patch delta 39 ucmX@lbdhO7G^4@9m|N0PC5h=)iAA}3$@#fDMg~TvRt3e0%7%IddIkUzc?@F! delta 37 scmcb}be?HKG-JfXm|Kz(86_nJR{HvhMY(#(`MLT9#fkcv`6c>>00i0%Gynhq 
diff --git a/scheme/psa-iot/test/corim/corim-psa-valid.cbor b/scheme/psa-iot/test/corim/corim-psa-valid.cbor index 130da979575cf2c74eaa0d1930d2d402eb1bec5e..7d6b40c7fc4c3a417cd02bc47e6f4e0187f30553 100644 GIT binary patch delta 296 zcmey#zM5l#G2`TkChCj^lg~0K$uuuwC@UyV)GN+UD=AMbO4Uuy&n?K$OU)}`Ts(2B znj3eLlMip>O(uf~1p`APV-r&|a|=uCEIcMn7G_lQ;7$n$$`7G}VTFupy4)#_#2Yqw xI-@Swzsi$eFg{^4*nE~rm{D4)Br)A8u_#v$=w%%v10z!_U_dAv>KW)6005y#SEK*{ delta 245 zcmZ3@@soXmF=O&X6LrRj$$y!Y%$pZ6++>Pe%$Vfl!;)&GXQ*eu8lkXex8U(7w-k$5 zgKVChlTwL#xX5yyP4?e;6@}lQ-q`gbn{na9S!xzgohbo9`5`Q+hI+<&rbOwT%*Ke& z>VloGJXwP231h_Ozf8i6k`fsuB?VUc`iVukddc~@`US;_ K`kDD9`i20Bqhg)_ diff --git a/scheme/psa-iot/test/corim/src/comid-bad-instance.json b/scheme/psa-iot/test/corim/src/comid-bad-instance.json index 61f80ec4..0c38c5c2 100644 --- a/scheme/psa-iot/test/corim/src/comid-bad-instance.json +++ b/scheme/psa-iot/test/corim/src/comid-bad-instance.json @@ -10,7 +10,7 @@ "environment": { "class": { "id": { - "type": "psa.impl-id", + "type": "bytes", "value": "YWNtZS1pbXBsZW1lbnRhdGlvbi1pZC0wMDAwMDAwMDE=" } }, diff --git a/scheme/psa-iot/test/corim/src/comid-bad-refval-instance.json b/scheme/psa-iot/test/corim/src/comid-bad-refval-instance.json index c3404a3e..8f9e7ce2 100644 --- a/scheme/psa-iot/test/corim/src/comid-bad-refval-instance.json +++ b/scheme/psa-iot/test/corim/src/comid-bad-refval-instance.json 
@@ -10,29 +10,32 @@ "environment": { "class": { "id": { - "type": "psa.impl-id", + "type": "bytes", "value": "YWNtZS1pbXBsZW1lbnRhdGlvbi1pZC0wMDAwMDAwMDE=" } }, "instance": { "type": "ueid", - "value": "Ac7rrnuJJ6MiflMDz14PH3s0u1Qq1yUKwD+83jbsLxUI" + "value": "AUyj5PUL8kjDl4cCDWj/0FyIdndRvyZFypI/V6mL7NKW" } }, "measurements": [ { "key": { - "type": "psa.refval-id", - "value": { - "label": "ARoT", - "version": "0.1.4", - "signer-id": "rLsRx+TaIXIFUjzkzhokWuGiOa48a/2eeHH35di66Gs=" - } + "type": "string", + "value": "psa.software-component" }, "value": { + "cryptokeys": [ + { + "type": "bytes", + "value": "01234567890123456789012345678901" + } + ], "digests": [ "sha-256:o6XnFfDMV0pzw/m+u2vCTzL/1bZ7OHJEwskJ2neaFHg=" - ] + ], + "name": "ARoT" } } ] diff --git a/scheme/psa-iot/test/corim/src/comid-bad-refval-mkey.json b/scheme/psa-iot/test/corim/src/comid-bad-refval-mkey.json index 85fb3e07..b61e3893 100644 --- a/scheme/psa-iot/test/corim/src/comid-bad-refval-mkey.json +++ b/scheme/psa-iot/test/corim/src/comid-bad-refval-mkey.json @@ -9,7 +9,7 @@ "environment": { "class": { "id": { - "type": "psa.impl-id", + "type": "bytes", "value": "YWNtZS1pbXBsZW1lbnRhdGlvbi1pZC0wMDAwMDAwMDE=" } } @@ -17,17 +17,20 @@ "measurements": [ { "key": { - "type": "psa.refval-id", - "value": { - "label": "BL", - "version": "2.1.0", - "signer-id": "rLsRx+TaIXIFUjzkzhokWuGiOa48a/2eeHH35di66Gs=" - } + "type": "string", + "value": "psa.software-component" }, "value": { + "cryptokeys": [ + { + "type": "bytes", + "value": "01234567890123456789012345678901" + } + ], "digests": [ "sha-256:h0KPxSKAPTEGXnvOPPA/5HUJZjHl4Hu9eg/eYMTPJcc=" - ] + ], + "name": "BL" } }, { diff --git a/scheme/psa-iot/test/corim/src/comid-bad-refval-mval.json b/scheme/psa-iot/test/corim/src/comid-bad-refval-mval.json index 09480ba6..0ecf5c79 100644 --- a/scheme/psa-iot/test/corim/src/comid-bad-refval-mval.json +++ b/scheme/psa-iot/test/corim/src/comid-bad-refval-mval.json 
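Review bot: Replacing the `psa.refval-id` key with the string key `psa.software-component` drops the `version` the old key carried (`0.1.4` here) without adding a `version` field to the measurement value, and the same happens in comid-bad-refval-mkey.json, comid-bad-refval-mval.json and comid-psa-refval.json. If the PSA matcher reads the version from the measurement value the way scheme/arm-cca now does (`measurement.Val.Ver.Version`), every PSA reference value in these vectors will carry an empty version; add a `version` entry to each value or confirm the matcher no longer uses it. The new `cryptokeys` placeholder `01234567890123456789012345678901` is valid base64 that decodes to 24 bytes, shorter than the 32-byte signer-id it replaces; harmless if the profile does not check length, but worth knowing before any signer-id comparison is added.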
@@ -9,7 +9,7 @@ "environment": { "class": { "id": { - "type": "psa.impl-id", + "type": "bytes", "value": "YWNtZS1pbXBsZW1lbnRhdGlvbi1pZC0wMDAwMDAwMDE=" } } @@ -17,17 +17,20 @@ "measurements": [ { "key": { - "type": "psa.refval-id", - "value": { - "label": "ARoT", - "version": "0.1.4", - "signer-id": "rLsRx+TaIXIFUjzkzhokWuGiOa48a/2eeHH35di66Gs=" - } + "type": "string", + "value": "psa.software-component" }, "value": { + "cryptokeys": [ + { + "type": "bytes", + "value": "01234567890123456789012345678901" + } + ], + "name": "ARoT", "svn": { "type": "exact-value", - "value": 15208092991676743683 + "value": 15208092991676744000 } } } diff --git a/scheme/psa-iot/test/corim/src/comid-bad-ta-cert.json b/scheme/psa-iot/test/corim/src/comid-bad-ta-cert.json index 34c50d6a..60ed049e 100644 --- a/scheme/psa-iot/test/corim/src/comid-bad-ta-cert.json +++ b/scheme/psa-iot/test/corim/src/comid-bad-ta-cert.json @@ -9,7 +9,7 @@ "environment": { "class": { "id": { - "type": "psa.impl-id", + "type": "bytes", "value": "YWNtZS1pbXBsZW1lbnRhdGlvbi1pZC0wMDAwMDAwMDE=" } }, diff --git a/scheme/psa-iot/test/corim/src/comid-bad-ta-no-instance.json b/scheme/psa-iot/test/corim/src/comid-bad-ta-no-instance.json index 4b4416dd..392b9980 100644 --- a/scheme/psa-iot/test/corim/src/comid-bad-ta-no-instance.json +++ b/scheme/psa-iot/test/corim/src/comid-bad-ta-no-instance.json @@ -10,7 +10,7 @@ "environment": { "class": { "id": { - "type": "psa.impl-id", + "type": "bytes", "value": "YWNtZS1pbXBsZW1lbnRhdGlvbi1pZC0wMDAwMDAwMDE=" } } diff --git a/scheme/psa-iot/test/corim/src/comid-psa-refval.json b/scheme/psa-iot/test/corim/src/comid-psa-refval.json index a862211f..f92add4c 100644 --- a/scheme/psa-iot/test/corim/src/comid-psa-refval.json +++ b/scheme/psa-iot/test/corim/src/comid-psa-refval.json @@ -10,7 +10,7 @@ "environment": { "class": { "id": { - "type": "psa.impl-id", + "type": "bytes", "value": "YWNtZS1pbXBsZW1lbnRhdGlvbi1pZC0wMDAwMDAwMDE=" } } 
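Review bot: The `svn` exact-value in comid-bad-refval-mval.json changed from `15208092991676743683` to `15208092991676744000`, which is the nearest double-representable value printed with shortest-digit formatting — the rounding you get when the file is round-tripped through a JSON tool that parses integers as float64. Since this is the "bad mval" negative vector the test may still fail for the intended reason, but the change looks accidental rather than deliberate; restore the original 64-bit value, and if the generator script is the source of the rounding, have it preserve large integers (Python's json module does, JavaScript's does not).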
@@ -18,47 +18,56 @@
 "measurements": [
 {
 "key": {
- "type": "psa.refval-id",
- "value": {
- "label": "BL",
- "version": "2.1.0",
- "signer-id": "rLsRx+TaIXIFUjzkzhokWuGiOa48a/2eeHH35di66Gs="
- }
+ "type": "string",
+ "value": "psa.software-component"
 },
 "value": {
+ "cryptokeys": [
+ {
+ "type": "bytes",
+ "value": "01234567890123456789012345678901"
+ }
+ ],
 "digests": [
 "sha-256:h0KPxSKAPTEGXnvOPPA/5HUJZjHl4Hu9eg/eYMTPJcc="
- ]
+ ],
+ "name": "BL"
 }
 },
 {
 "key": {
- "type": "psa.refval-id",
- "value": {
- "label": "PRoT",
- "version": "1.3.5",
- "signer-id": "rLsRx+TaIXIFUjzkzhokWuGiOa48a/2eeHH35di66Gs="
- }
+ "type": "string",
+ "value": "psa.software-component"
 },
 "value": {
+ "cryptokeys": [
+ {
+ "type": "bytes",
+ "value": "01234567890123456789012345678901"
+ }
+ ],
 "digests": [
 "sha-256:AmOCmYm2/ZVPcrqvL8ZLwuLwHWktTecphuqAj26ZgT8="
- ]
+ ],
+ "name": "PRoT"
 }
 },
 {
 "key": {
- "type": "psa.refval-id",
- "value": {
- "label": "ARoT",
- "version": "0.1.4",
- "signer-id": "rLsRx+TaIXIFUjzkzhokWuGiOa48a/2eeHH35di66Gs="
- }
+ "type": "string",
+ "value": "psa.software-component"
 },
 "value": {
+ "cryptokeys": [
+ {
+ "type": "bytes",
+ "value": "01234567890123456789012345678901"
+ }
+ ],
 "digests": [
 "sha-256:o6XnFfDMV0pzw/m+u2vCTzL/1bZ7OHJEwskJ2neaFHg="
- ]
+ ],
+ "name": "ARoT"
 }
 }
 ]
diff --git a/scheme/psa-iot/test/corim/src/comid-psa-ta.json b/scheme/psa-iot/test/corim/src/comid-psa-ta.json
index 289ff488..e470e1ba 100644
--- a/scheme/psa-iot/test/corim/src/comid-psa-ta.json
+++ b/scheme/psa-iot/test/corim/src/comid-psa-ta.json
@@ -10,7 +10,7 @@
 "environment": {
 "class": {
 "id": {
- "type": "psa.impl-id",
+ "type": "bytes",
 "value": "YWNtZS1pbXBsZW1lbnRhdGlvbi1pZC0wMDAwMDAwMDE="
 }
 },
@@ -30,11 +30,11 @@
 "environment": {
 "class": {
 "id": {
- "type": "psa.impl-id",
+ "type": "bytes",
 "value": "YWNtZS1pbXBsZW1lbnRhdGlvbi1pZC0wMDAwMDAwMDE="
 },
- "vendor": "ACME",
- "model": "RoadRunner"
+ "model": "RoadRunner",
+ "vendor": "ACME"
 },
 "instance": {
 "type": "ueid",
diff --git a/scheme/psa-iot/test/corim/src/corim-psa.json b/scheme/psa-iot/test/corim/src/corim-psa.json
index 001f0e1e..f002dc13 100644
--- a/scheme/psa-iot/test/corim/src/corim-psa.json
+++ b/scheme/psa-iot/test/corim/src/corim-psa.json
@@ -1,4 +1,4 @@
 {
 "corim-id": "00000000-0000-0000-065a-000000000000",
- "profile": "http://arm.com/psa/iot/1"
+ "profile": "tag:arm.com,2025:psa#1.0.0"
 }
diff --git a/scheme/psa-iot/test/corim/src/corims.yaml b/scheme/psa-iot/test/corim/src/corims.yaml
index f88c9abf..0b14b28c 100644
--- a/scheme/psa-iot/test/corim/src/corims.yaml
+++ b/scheme/psa-iot/test/corim/src/corims.yaml
@@ -11,10 +11,10 @@ comids:
 - comid-bad-instance
 psa-bad-ta-no-instance:
 - comid-bad-ta-no-instance
- psa-bad-refval-instance:
- - comid-bad-refval-instance
 psa-bad-ta-cert:
 - comid-bad-ta-cert
+ psa-bad-refval-instance:
+ - comid-bad-refval-instance
 psa-bad-refval-mkey:
 - comid-bad-refval-mkey
 psa-bad-refval-mval:
diff --git a/scheme/riot/corim_test.go b/scheme/riot/corim_test.go
index c5274877..0bb0b8f8 100644
--- a/scheme/riot/corim_test.go
+++ b/scheme/riot/corim_test.go
@@ -17,7 +17,7 @@ func TestProfile(t *testing.T) {
 {
 Title: "bad ref. vals. present",
 Input: corimRiotBadRefvals,
- Err: "found reference values",
+ Err: "cannot unmarshal byte string",
 },
 {
 Title: "bad no vendor",
diff --git a/scheme/tpm-enacttrust/corim_test.go b/scheme/tpm-enacttrust/corim_test.go
index 1105d209..69b943f1 100644
--- a/scheme/tpm-enacttrust/corim_test.go
+++ b/scheme/tpm-enacttrust/corim_test.go
@@ -37,7 +37,7 @@ func TestProfile(t *testing.T) {
 {
 Title: "bad no instance",
 Input: corimEnacttrustBadNoInstance,
- Err: "instance not set in environment",
+ Err: "cannot unmarshal byte string",
 },
 {
 Title: "bad multiple measurements",
diff --git a/scripts/generate-corims b/scripts/generate-corims
index 396c3d9d..d766a3b9 100755
--- a/scripts/generate-corims
+++ b/scripts/generate-corims
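Review bot: In scheme/riot/corim_test.go the "bad ref. vals. present" case now expects `Err: "cannot unmarshal byte string"`, a generic CBOR decoding failure, instead of `found reference values`, so the test no longer demonstrates that the RIoT scheme rejects a CoRIM carrying reference values — it only shows that the stale fixture no longer decodes under the new profile encoding. The same weakening applies to "bad no instance" in scheme/tpm-enacttrust/corim_test.go, which previously pinned `instance not set in environment`. The fixtures `corimRiotBadRefvals` and `corimEnacttrustBadNoInstance` should be regenerated in the new encoding (as the PSA/CCA vectors in this commit were) so the intended validation branch is reached, keeping the original `Err` strings; otherwise a regression in either check would go unnoticed. TestProfile's body lies outside both hunks.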
@@ -1,6 +1,8 @@
 #!/usr/bin/env python3
 # Copyright 2026 Contributors to the Veraison project.
 # SPDX-License-Identifier: Apache-2.0
+from __future__ import annotations
+
 import argparse
 import json
 import logging