Merge branch 'main' into pr502-dmt-prose

Author: yogeshbdeshpande

Gemfile

@@ -5,3 +5,4 @@ gem 'cddl', '>=0.12.6'
 gem 'cbor-diag', '>=0.8.7'
 gem 'base64'
 gem 'pstore'
+gem 'cddlc', '>=0.3.4'

cddl/Makefile

@@ -3,78 +3,21 @@
 SHELL := /bin/bash
 
 include tools.mk
-
-%.cbor: %.diag
-	$(diag2cbor) $< > $@
+include check.mk
+include corim-frags.mk
 
 check:: cbor-tags-unique
 check:: check-intrep check-intrep-examples
 check:: check-corim check-corim-examples
 check:: check-comid check-comid-examples
 check:: check-cotl check-cotl-examples
 
-# $1: label
-# $2: cddl fragments
-# $3: diag test files
-define cddl_check_template
-
-check-$(1): $(1)-autogen.cddl
-	$$(cddl) $$< g 1 | $$(diag2diag) -e
-
-.PHONY: check-$(1)
-
-$(1)-autogen.cddl: $(2)
-	for f in $$^ ; do ( grep -v '^;' $$$$f ; echo ) ; done > $$@
-
-CLEANFILES += $(1)-autogen.cddl
-
-check-$(1)-examples: $(1)-autogen.cddl $(3:.diag=.cbor)
-	@for f in $(3:.diag=.cbor); do \
-		echo ">> validating $$$$f against $$<" ; \
-		$$(cddl) $$< validate $$$$f &>/dev/null || exit 1 ; \
-		echo ">> saving prettified CBOR to $$$${f%.cbor}.pretty" ; \
-		$$(cbor2pretty) $$$$f > $$$${f%.cbor}.pretty ; \
-	done
-
-.PHONY: check-$(1)-examples
-
-CLEANFILES += $(3:.diag=.cbor)
-CLEANFILES += $(3:.diag=.pretty)
-
-endef # cddl_check_template
-
-# Commented since CI doesn't have openssl
-examples/sig-structure.diag: examples/sig-structure.diag.tmpl examples/payload-corim-4.diag examples/protected-header-map-corim-meta.diag
-	payload="$$(cat examples/payload-corim-4.diag)" \
-	protected="$$(cat examples/protected-header-map-corim-meta.diag)" \
-	envsubst < examples/sig-structure.diag.tmpl > examples/sig-structure.diag
-
-examples/testkey.pem:
-	openssl ecparam -name secp384r1 -genkey -noout -out examples/testkey.pem
-
-examples/corim-4.sig: examples/sig-structure.cbor examples/testkey.pem
-	openssl dgst -sha384 -sign examples/testkey.pem -out examples/corim-4.sig examples/sig-structure.cbor
-
-examples/corim-4.diag: examples/corim-4.sig examples/corim-4.diag.tmpl examples/payload-corim-4.diag examples/protected-header-map-corim-meta.diag
-	payload="$$(cat examples/payload-corim-4.diag)" \
-	protected="$$(cat examples/protected-header-map-corim-meta.diag)" \
-	signature="h'$$(cat examples/corim-4.sig | xxd -p -c 128)'" \
-	envsubst < examples/corim-4.diag.tmpl > examples/corim-4.diag
-
-include corim-frags.mk
-
-$(eval $(call cddl_check_template,comid,$(COMID_FRAGS),$(COMID_EXAMPLES)))
-$(eval $(call cddl_check_template,cotl,$(COTL_FRAGS),$(COTL_EXAMPLES)))
-$(eval $(call cddl_check_template,corim,$(CORIM_FRAGS),$(CORIM_EXAMPLES)))
-$(eval $(call cddl_check_template,intrep,$(INTREP_FRAGS),$(INTREP_EXAMPLES)))
-
-GITHUB := https://raw.githubusercontent.com/
-COSWID_REPO := sacmwg/draft-ietf-sacm-coswid/master
-COSWID_REPO_URL := $(join $(GITHUB), $(COSWID_REPO))
-
-concise-swid-tag.cddl: ; $(curl) -O $(COSWID_REPO_URL)/$@
+include measured-component.mk
 
-CLEANFILES += concise-swid-tag.cddl
+$(eval $(call cddl_check_template,comid,$(COMID_FRAGS),$(COMID_EXAMPLES),$(COMID_IMPORTS)))
+$(eval $(call cddl_check_template,cotl,$(COTL_FRAGS),$(COTL_EXAMPLES),$(COTL_IMPORTS)))
+$(eval $(call cddl_check_template,corim,$(CORIM_FRAGS),$(CORIM_EXAMPLES),$(CORIM_IMPORTS)))
+$(eval $(call cddl_check_template,intrep,$(INTREP_FRAGS),$(INTREP_EXAMPLES),$(INTREP_IMPORTS)))
 
 clean: ; rm -f $(CLEANFILES)
 

cddl/cbor-tags.txt

@@ -1,5 +1,5 @@
 tagged-unsigned-corim-map = #6.501(unsigned-corim-map)
-tagged-concise-swid-tag = #6.505(bytes .cbor concise-swid-tag)
+tagged-concise-swid-tag = #6.505(bytes .cbor coswid.concise-swid-tag)
 tagged-concise-mid-tag = #6.506(bytes .cbor concise-mid-tag)
 tagged-concise-tl-tag = #6.508(bytes .cbor concise-tl-tag)
 tagged-ueid-type = #6.550(ueid-type)
@@ -8,11 +8,11 @@ tagged-min-svn = #6.553(min-svn)
 tagged-pkix-base64-key-type = #6.554(tstr)
 tagged-pkix-base64-cert-type = #6.555(tstr)
 tagged-pkix-base64-cert-path-type = #6.556(tstr)
-tagged-key-thumbprint-type = #6.557(digest)
+tagged-key-thumbprint-type = #6.557(eatmc.digest)
 tagged-cose-key-type = #6.558(COSE_Key)
-tagged-cert-thumbprint-type = #6.559(digest)
+tagged-cert-thumbprint-type = #6.559(eatmc.digest)
 tagged-bytes = #6.560(bytes)
-tagged-cert-path-thumbprint-type = #6.561(digest)
+tagged-cert-path-thumbprint-type = #6.561(eatmc.digest)
 tagged-pkix-asn1der-cert-type = #6.562(bstr)
 tagged-masked-raw-value = #6.563([
 tagged-int-range = #6.564(int-range)

cddl/check.mk

@@ -0,0 +1,31 @@
+%.cbor: %.diag ; $(diag2cbor) $< > $@
+
+# $1: label
+# $2: cddl fragments
+# $3: diag or json test files
+# $4: imports (namespace=basename ...)
+define cddl_check_template
+
+check-$(1): $(1)-autogen.cddl
+	$$(cddl) $$< g 1 | $$(diag2diag) -e
+
+.PHONY: check-$(1)
+
+$(1)-autogen.cddl: $(2) $(foreach i,$(4),$(lastword $(subst =, ,$(i)).cddl))
+	$$(cddlc) $(foreach i,$(4),-I $(i)) -t cddl -2 $(2) > $$@
+
+CLEANFILES += $(1)-autogen.cddl
+
+check-$(1)-examples: $(1)-autogen.cddl $(3:.diag=.cbor)
+	@for f in $(3:.diag=.cbor); do \
+    echo ">> validating $$$$f against $$<" ; \
+    $$(cddl) $$< validate $$$$f &>/dev/null || exit 1 ; \
+  done
+
+.PHONY: check-$(1)-examples
+
+# Only clean up the example CBOR files generated from the EDN files; leave the
+# JSON files alone.
+CLEANFILES += $(patsubst %.diag,%.cbor,$(filter %.diag,$(3)))
+
+endef # cddl_check_template

cddl/conditional-endorsement-series-triple-record.cddl

@@ -1,4 +1,8 @@
 conditional-endorsement-series-triple-record = [
-  condition: stateful-environment-record
+  condition: [
+    environment: environment-map
+    claims-list: [ * measurement-map ]
+    ? authorized-by: [ + $crypto-key-type-choice ]
+  ]
   series: [ + conditional-series-record ]
 ]

cddl/corim-frags.mk

@@ -47,7 +47,8 @@ COMID_FRAGS += uuid.cddl
 COMID_FRAGS += version-map.cddl
 COMID_FRAGS += digest.cddl
 COMID_FRAGS += integrity-registers.cddl
-COMID_FRAGS += concise-swid-tag.cddl
+
+COMID_IMPORTS += eatmc=measured-component
 
 COMID_EXAMPLES := $(wildcard examples/comid-*.diag)
 
@@ -58,7 +59,8 @@ COTL_FRAGS += tag-id-type-choice.cddl
 COTL_FRAGS += tag-identity-map.cddl
 COTL_FRAGS += uuid.cddl
 COTL_FRAGS += tag-version-type.cddl
-COTL_FRAGS += concise-swid-tag.cddl
+
+COTL_IMPORTS += eatmc=measured-component
 
 COTL_EXAMPLES := $(wildcard examples/cotl-*.diag)
 
@@ -78,6 +80,9 @@ CORIM_FRAGS += cwt-claims.cddl
 CORIM_FRAGS += protected-corim-header-map.cddl
 CORIM_FRAGS += signed-corim.cddl
 CORIM_FRAGS += tagged-concise-swid-tag.cddl
+
+CORIM_IMPORTS += eatmc=measured-component
+
 CORIM_FRAGS += tagged-concise-mid-tag.cddl
 CORIM_FRAGS += tagged-concise-tl-tag.cddl
 CORIM_FRAGS += tagged-unsigned-corim-map.cddl
@@ -125,4 +130,6 @@ INTREP_FRAGS += cose-label-and-value.cddl
 INTREP_FRAGS += class-id-type-choice.cddl
 INTREP_FRAGS += oid.cddl
 
+INTREP_IMPORTS += eatmc=measured-component
+
 INTREP_EXAMPLES := $(wildcard examples/intrep-*.diag)

cddl/corim-locator-map.cddl

@@ -1,4 +1,6 @@
+;# import measured-component as eatmc
+
 corim-locator-map = {
   &(href: 0) => uri / [ + uri ]
-  ? &(thumbprint: 1) => digest / [digest]
+  ? &(thumbprint: 1) => eatmc.digest / [ eatmc.digest ]
 }

cddl/cose-sign1-corim.cddl

@@ -5,4 +5,5 @@ COSE-Sign1-corim = [
   signature: bstr
 ]
 
-hash-envelope-digest = bstr
+hash-envelope-digest = bstr
+

cddl/coswid-triple-record.cddl

@@ -1,6 +1,6 @@
+;# import rfc9393 as coswid
+
 coswid-triple-record = [
   environment-map
-  [ + concise-swid-tag-id ]
+  [ + coswid.tag-id ]
 ]
-
-concise-swid-tag-id = text / bstr .size 16

cddl/crypto-key-type-choice.cddl

@@ -1,3 +1,5 @@
+;# import measured-component as eatmc
+
 $crypto-key-type-choice /= tagged-pkix-base64-key-type
 $crypto-key-type-choice /= tagged-pkix-base64-cert-type
 $crypto-key-type-choice /= tagged-pkix-base64-cert-path-type
@@ -10,8 +12,8 @@ $crypto-key-type-choice /= tagged-bytes
 tagged-pkix-base64-key-type = #6.554(tstr)
 tagged-pkix-base64-cert-type = #6.555(tstr)
 tagged-pkix-base64-cert-path-type = #6.556(tstr)
-tagged-key-thumbprint-type = #6.557(digest)
+tagged-key-thumbprint-type = #6.557(eatmc.digest)
 tagged-cose-key-type = #6.558(COSE_Key)
-tagged-cert-thumbprint-type = #6.559(digest)
-tagged-cert-path-thumbprint-type = #6.561(digest)
+tagged-cert-thumbprint-type = #6.559(eatmc.digest)
+tagged-cert-path-thumbprint-type = #6.561(eatmc.digest)
 tagged-pkix-asn1der-cert-type = #6.562(bstr)