The signing path is currently needlessly complex and also, as a consequence, more error prone.
The user has to:
- instantiate an evidence object
- add the platform claims-set to the evidence object
- add the realm claims-set to the evidence object
- sign the evidence object supplying the RAK and IAK
(note: in #11 we merged 2. and 3. together)
There is no real reason for splitting the add and sign operations (and therefore for the evidence object to exist as a temporary state holder): the two steps can be performed atomically by a standalone function like this:
// Sign returns the signed CCA collection in CBOR format
func Sign(
platformClaims psatoken.IClaims,
IClaims realmClaims,
cose.Signer IAK,
cose.Signer RAK,
) ([]byte, error)Note: Doing so also makes it easy to set the realm's public key claim as well as the platform's nonce from the supplied RAK, thus avoiding
- any potential intra-collection mismatch
- the user to compute the (very) raw public key from the signer
The signing path is currently needlessly complex and also, as a consequence, more error prone.
The user has to:
(note: in #11 we merged 2. and 3. together)
There is no real reason for splitting the add and sign operations (and therefore for the evidence object to exist as a temporary state holder): the two steps can be performed atomically by a standalone function like this:
Note: Doing so also makes it easy to set the realm's public key claim as well as the platform's nonce from the supplied RAK, thus avoiding