feat(profiles/psa): extract and consolidate PSA logic into profile package

Author: abhiraj-ku

comid/bytes.go

@@ -48,14 +48,3 @@ func (o TaggedBytes) Bytes() []byte {
 
 	return o
 }
-
-// ValidatePSASignerID checks that TaggedBytes conforms to PSA Signer ID requirements.
-// Signer IDs must be 32, 48, or 64 bytes (SHA-256, SHA-384, or SHA-512).
-func (o TaggedBytes) ValidatePSASignerID() error {
-	switch len(o) {
-	case 32, 48, 64:
-		return nil
-	default:
-		return fmt.Errorf("PSA signer ID must be 32, 48, or 64 bytes (got %d)", len(o))
-	}
-}

comid/bytes_test.go

@@ -0,0 +1,140 @@
+// Copyright 2026 Contributors to the Veraison project.
+// SPDX-License-Identifier: Apache-2.0
+
+package psa
+
+import (
+	"os"
+	"path/filepath"
+	"runtime"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"github.com/veraison/corim/comid"
+	"github.com/veraison/corim/corim"
+	"github.com/veraison/eat"
+)
+
+// getTestcasePath returns the absolute path to a testcase file
+func getTestcasePath(filename string) string {
+	_, thisFile, _, ok := runtime.Caller(0)
+	if !ok {
+		panic("failed to get current file path")
+	}
+	testcasesDir := filepath.Join(filepath.Dir(thisFile), "testcases")
+	return filepath.Join(testcasesDir, filename)
+}
+
+// loadTestcase loads a CBOR testcase file
+func loadTestcase(t *testing.T, filename string) []byte {
+	path := getTestcasePath(filename)
+	data, err := os.ReadFile(path)
+	require.NoError(t, err, "failed to load testcase %s", filename)
+	return data
+}
+
+// getComidFromCorim extracts and decodes the first CoMID from a CoRIM
+// using the PSA profile extensions
+func getComidFromCorim(t *testing.T, corimData []byte) *comid.Comid {
+	// First, parse the CoRIM to extract the tags
+	var c corim.UnsignedCorim
+	err := c.FromCBOR(corimData)
+	require.NoError(t, err, "failed to parse CoRIM")
+	require.Greater(t, len(c.Tags), 0, "CoRIM must have at least one tag")
+
+	// Get a CoMID with PSA profile extensions registered
+	profileID, err := eat.NewProfile(ProfileURI)
+	require.NoError(t, err)
+
+	manifest, found := corim.GetProfileManifest(profileID)
+	require.True(t, found, "PSA profile should be registered")
+
+	// Create a Comid with extensions
+	m := manifest.GetComid()
+
+	// Decode the first tag (which should be a CoMID, tag 506)
+	require.Equal(t, uint64(506), c.Tags[0].Number, "first tag should be a CoMID (506)")
+	err = m.FromCBOR(c.Tags[0].Content)
+	require.NoError(t, err, "failed to decode CoMID from tag")
+
+	return m
+}
+
+// TestCoRIMIntegration_ValidPSA tests that a valid PSA CoRIM:
+// - Parses successfully
+// - The PSA profile is recognized and loaded
+// - CoMID validation passes with PSA constraints
+func TestCoRIMIntegration_ValidPSA(t *testing.T) {
+	data := loadTestcase(t, "psa-valid.cbor")
+
+	// Extract and decode CoMID with PSA extensions
+	m := getComidFromCorim(t, data)
+
+	// Validate the CoMID (should pass all PSA constraints)
+	err := m.Valid()
+	assert.NoError(t, err, "valid PSA CoMID should pass validation")
+}
+
+// TestCoRIMIntegration_InvalidImplementationID tests that a CoRIM with invalid
+// Implementation ID (wrong length) is rejected by PSA profile validation.
+// The CoRIM structure itself is valid, but fails PSA profile constraints.
+func TestCoRIMIntegration_InvalidImplementationID(t *testing.T) {
+	data := loadTestcase(t, "psa-invalid-impl-id.cbor")
+
+	// Extract and decode CoMID with PSA extensions
+	m := getComidFromCorim(t, data)
+
+	// Validation should FAIL due to invalid Implementation ID
+	err := m.Valid()
+	require.Error(t, err, "PSA validation should fail for invalid implementation-id")
+	assert.Contains(t, err.Error(), "implementation-id",
+		"error should mention implementation-id")
+	assert.Contains(t, err.Error(), "32 bytes",
+		"error should mention expected length")
+}
+
+// TestCoRIMIntegration_InvalidAttestVerifKey tests that a CoRIM with invalid
+// AttestVerifKeys (multiple keys instead of one) is rejected by PSA profile validation.
+// The CoRIM structure itself is valid, but fails PSA profile constraints.
+func TestCoRIMIntegration_InvalidAttestVerifKey(t *testing.T) {
+	data := loadTestcase(t, "psa-invalid-attest-key.cbor")
+
+	// Extract and decode CoMID with PSA extensions
+	m := getComidFromCorim(t, data)
+
+	// Validation should FAIL due to multiple attestation keys
+	err := m.Valid()
+	require.Error(t, err, "PSA validation should fail for multiple attest keys")
+	assert.Contains(t, err.Error(), "verification-keys",
+		"error should mention verification-keys")
+	assert.Contains(t, err.Error(), "exactly one",
+		"error should mention exactly one key required")
+}
+
+// TestCoRIMIntegration_NoProfile tests that a CoRIM without a profile:
+// - Parses successfully
+// - Validation passes without PSA extensions (base validation only)
+// This serves as a control case - the same CoMID that fails with PSA profile
+// should pass without it.
+func TestCoRIMIntegration_NoProfile(t *testing.T) {
+	data := loadTestcase(t, "no-profile.cbor")
+
+	// Parse the CoRIM
+	var c corim.UnsignedCorim
+	err := c.FromCBOR(data)
+	require.NoError(t, err, "profile-less CoRIM should parse without error")
+
+	// Verify no profile is set
+	assert.Nil(t, c.Profile, "profile should not be present")
+
+	// Decode CoMID WITHOUT PSA extensions (plain CoMID)
+	require.Greater(t, len(c.Tags), 0, "CoRIM must have at least one tag")
+	m := comid.NewComid()
+	err = m.FromCBOR(c.Tags[0].Content)
+	require.NoError(t, err, "failed to decode CoMID")
+
+	// Validation should pass (no PSA profile constraints applied)
+	err = m.Valid()
+	assert.NoError(t, err, "profile-less CoMID should pass base validation")
+}

profiles/psa/corim_integration_test.go

@@ -0,0 +1,122 @@
+// Copyright 2021-2024 Contributors to the Veraison project.
+// SPDX-License-Identifier: Apache-2.0
+
+package psa
+
+import (
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+
+	"github.com/veraison/corim/comid"
+)
+
+const ImplIDType = "psa.impl-id"
+
+// TaggedImplID is the PSA Implementation ID type (32 bytes) as a ClassID value.
+// It implements IClassIDValue interface with Type() returning "psa.impl-id".
+// See Section 3.2.2 of draft-tschofenig-rats-psa-token
+type TaggedImplID [32]byte
+
+// String returns the base64-encoded string representation of the ImplID
+func (o TaggedImplID) String() string {
+	return base64.StdEncoding.EncodeToString(o[:])
+}
+
+// Valid validates the ImplID (always returns nil as any 32-byte value is valid)
+func (o TaggedImplID) Valid() error {
+	return nil
+}
+
+// Type returns the type identifier for PSA Implementation ID
+func (o TaggedImplID) Type() string {
+	return ImplIDType
+}
+
+// Bytes returns the raw bytes of the ImplID
+func (o TaggedImplID) Bytes() []byte {
+	return o[:]
+}
+
+// MarshalJSON serializes the TaggedImplID to JSON
+func (o TaggedImplID) MarshalJSON() ([]byte, error) {
+	return json.Marshal(o[:])
+}
+
+// UnmarshalJSON deserializes JSON into TaggedImplID
+func (o *TaggedImplID) UnmarshalJSON(data []byte) error {
+	var b []byte
+	if err := json.Unmarshal(data, &b); err != nil {
+		return err
+	}
+	if len(b) != 32 {
+		return fmt.Errorf("bad psa.impl-id: got %d bytes, want 32", len(b))
+	}
+	copy(o[:], b)
+	return nil
+}
+
+// ImplID is an alias for backward compatibility
+type ImplID = TaggedImplID
+
+// NewImplIDClassID creates a new ClassID of type psa.impl-id
+func NewImplIDClassID(val any) (*comid.ClassID, error) {
+	var implID TaggedImplID
+
+	if val == nil {
+		return &comid.ClassID{
+			Value: &implID,
+		}, nil
+	}
+
+	switch t := val.(type) {
+	case []byte:
+		if nb := len(t); nb != 32 {
+			return nil, fmt.Errorf("bad psa.impl-id: got %d bytes, want 32", nb)
+		}
+
+		copy(implID[:], t)
+	case string:
+		v, err := base64.StdEncoding.DecodeString(t)
+		if err != nil {
+			return nil, fmt.Errorf("bad psa.impl-id: %w", err)
+		}
+
+		if nb := len(v); nb != 32 {
+			return nil, fmt.Errorf("bad psa.impl-id: decoded %d bytes, want 32", nb)
+		}
+
+		copy(implID[:], v)
+	case TaggedImplID:
+		copy(implID[:], t[:])
+	case *TaggedImplID:
+		copy(implID[:], (*t)[:])
+	default:
+		return nil, fmt.Errorf("unexpected type for psa.impl-id: %T", t)
+	}
+
+	return &comid.ClassID{
+		Value: &implID,
+	}, nil
+}
+
+// MustNewImplIDClassID is like NewImplIDClassID except it panics on error
+func MustNewImplIDClassID(val any) *comid.ClassID {
+	ret, err := NewImplIDClassID(val)
+	if err != nil {
+		panic(err)
+	}
+
+	return ret
+}
+
+// NewClassImplID instantiates a new Class object with the specified PSA Implementation ID
+// This is a convenience function for use in PSA profiles only
+func NewClassImplID(implID TaggedImplID) *comid.Class {
+	classID, err := NewImplIDClassID(implID)
+	if err != nil {
+		return nil
+	}
+
+	return &comid.Class{ClassID: classID}
+}