feat: add missing is-confidentiality-protected operational flag (#228)

This commit adds the missing 'is-confidentiality-protected' flag to the
FlagsMap structure, completing the implementation to match the latest
IETF CoRIM specification.

The flag is positioned at CBOR index 9 and JSON field 'is-confidentiality-protected'
as specified in the IETF draft-ietf-rats-corim specification.

Fixes #44

Signed-off-by: Kallal Mukherjee <[email protected]>

Author: kallal79

comid/flagsmap.go

@@ -28,6 +28,7 @@ const (
 	FlagIsRuntimeMeasured
 	FlagIsImmutable
 	FlagIsTcb
+	FlagIsConfidentialityProtected
 )
 
 // FlagsMap describes a number of boolean operational modes. If a value is nil,
@@ -60,6 +61,10 @@ type FlagsMap struct {
 	// IsTcb indicates whether the measured environment is a trusted
 	// computing base.
 	IsTcb *bool `cbor:"8,keyasint,omitempty" json:"is-tcb,omitempty"`
+	// IsConfidentialityProtected indicates whether the measured environment
+	// is confidentiality protected. For example, if the measured environment consists of memory,
+	// the sensitive values in memory are encrypted.
+	IsConfidentialityProtected *bool `cbor:"9,keyasint,omitempty" json:"is-confidentiality-protected,omitempty"`
 
 	Extensions
 }
@@ -72,7 +77,8 @@ func NewFlagsMap() *FlagsMap {
 func (o FlagsMap) IsEmpty() bool {
 	if o.IsConfigured != nil || o.IsSecure != nil || o.IsRecovery != nil ||
 		o.IsDebug != nil || o.IsReplayProtected != nil || o.IsIntegrityProtected != nil ||
-		o.IsRuntimeMeasured != nil || o.IsImmutable != nil || o.IsTcb != nil {
+		o.IsRuntimeMeasured != nil || o.IsImmutable != nil || o.IsTcb != nil ||
+		o.IsConfidentialityProtected != nil {
 		return false
 	}
 
@@ -82,7 +88,8 @@ func (o FlagsMap) IsEmpty() bool {
 func (o *FlagsMap) AnySet() bool {
 	if o.IsConfigured != nil || o.IsSecure != nil || o.IsRecovery != nil || o.IsDebug != nil ||
 		o.IsReplayProtected != nil || o.IsIntegrityProtected != nil ||
-		o.IsRuntimeMeasured != nil || o.IsImmutable != nil || o.IsTcb != nil {
+		o.IsRuntimeMeasured != nil || o.IsImmutable != nil || o.IsTcb != nil ||
+		o.IsConfidentialityProtected != nil {
 		return true
 	}
 
@@ -110,6 +117,8 @@ func (o *FlagsMap) setFlag(value *bool, flags ...Flag) {
 			o.IsImmutable = value
 		case FlagIsTcb:
 			o.IsTcb = value
+		case FlagIsConfidentialityProtected:
+			o.IsConfidentialityProtected = value
 		default:
 			if value == &True {
 				o.setTrue(flag)
@@ -149,6 +158,8 @@ func (o *FlagsMap) Clear(flags ...Flag) {
 			o.IsImmutable = nil
 		case FlagIsTcb:
 			o.IsTcb = nil
+		case FlagIsConfidentialityProtected:
+			o.IsConfidentialityProtected = nil
 		default:
 			o.clear(flag)
 		}
@@ -175,6 +186,8 @@ func (o *FlagsMap) Get(flag Flag) *bool {
 		return o.IsImmutable
 	case FlagIsTcb:
 		return o.IsTcb
+	case FlagIsConfidentialityProtected:
+		return o.IsConfidentialityProtected
 	default:
 		return o.get(flag)
 	}

comid/flagsmap_confidentiality_test.go

@@ -0,0 +1,59 @@
+// Copyright 2025 Contributors to the Veraison project.
+// SPDX-License-Identifier: Apache-2.0
+
+package comid
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_FlagsMap_IsConfidentialityProtected(t *testing.T) {
+	fm := NewFlagsMap()
+
+	// Test initial state - should be nil (unset)
+	assert.Nil(t, fm.Get(FlagIsConfidentialityProtected))
+	assert.False(t, fm.AnySet())
+
+	// Test setting to true
+	fm.SetTrue(FlagIsConfidentialityProtected)
+	assert.True(t, fm.AnySet())
+	assert.Equal(t, true, *fm.Get(FlagIsConfidentialityProtected))
+
+	// Test setting to false
+	fm.SetFalse(FlagIsConfidentialityProtected)
+	assert.True(t, fm.AnySet())
+	assert.Equal(t, false, *fm.Get(FlagIsConfidentialityProtected))
+
+	// Test clearing
+	fm.Clear(FlagIsConfidentialityProtected)
+	assert.False(t, fm.AnySet())
+	assert.Nil(t, fm.Get(FlagIsConfidentialityProtected))
+}
+
+func Test_FlagsMap_IsConfidentialityProtected_Serialization(t *testing.T) {
+	fm := NewFlagsMap()
+	fm.SetTrue(FlagIsConfidentialityProtected)
+
+	// Test CBOR serialization
+	cbor, err := fm.MarshalCBOR()
+	assert.NoError(t, err)
+	assert.NotNil(t, cbor)
+
+	var fm2 FlagsMap
+	err = fm2.UnmarshalCBOR(cbor)
+	assert.NoError(t, err)
+	assert.Equal(t, true, *fm2.Get(FlagIsConfidentialityProtected))
+
+	// Test JSON serialization
+	json, err := fm.MarshalJSON()
+	assert.NoError(t, err)
+	assert.NotNil(t, json)
+	assert.Contains(t, string(json), "is-confidentiality-protected")
+
+	var fm3 FlagsMap
+	err = fm3.UnmarshalJSON(json)
+	assert.NoError(t, err)
+	assert.Equal(t, true, *fm3.Get(FlagIsConfidentialityProtected))
+}

comid/flagsmap_test.go

@@ -22,6 +22,7 @@ func Test_FlagsMap(t *testing.T) {
 		FlagIsRuntimeMeasured,
 		FlagIsImmutable,
 		FlagIsTcb,
+		FlagIsConfidentialityProtected,
 	} {
 		fm.SetTrue(flag)
 		assert.True(t, fm.AnySet())