Align CCA naming in README to CCA specs (#27)

Fix #15

Signed-off-by: Yogesh Deshpande <[email protected]>

Author: yogeshbdeshpande

README-CCA.md

@@ -1,18 +1,18 @@
 ## CCA attestation tokens manipulation
 
 The `cca` subcommand allows you to [create](#create), [check](#check) and
-[verify](#verify) CCA attestation tokens.
+[verify](#verify) [CCA attestation tokens](https://github.com/veraison/ccatoken).
 
 ### Create
 
 Use the `cca create` subcommand to create a CCA attestation token from the
-supplied claims in JSON format, the Platform Attestation Key (PAK) and Realm
+supplied claims in JSON format, the Initial Attestation Key (IAK) and Realm
 Attestation Key (RAK) in JSON Web Key (JWK) format<sup>[1](#inputs-ex)</sup>.
 
 ```shell
 evcli cca create \
     --claims=cca-claims.json \
-    --pak=ec256.json \
+    --iak=ec256.json \
     --rak=ec384.json
 ```
 
@@ -31,7 +31,7 @@ For example:
 ```shell
 evcli cca create \
     --claims=cca-claims.json \
-    --pak=ec256.json \
+    --iak=ec256.json \
     --rak=ec384.json
     --token=my.cbor
 ```
@@ -41,7 +41,7 @@ evcli cca create \
 Use the `cca check` subcommand to verify the cryptographic signature on the
 supplied CCA attestation token as well as checking whether all claim sets
 within CCA token are well-formed. Please note that only one key (the public
-part of platform IAK) needs to be supplied, as the public part of RAK, present
+part of IAK) needs to be supplied, as the public part of RAK, present
 in the token is used for signature verification.
 
 To check the CCA attestation token in my.cbor using the public key in
@@ -128,7 +128,7 @@ claims, platform signing (IAK) and realm signing key (RAK).
 evcli cca verify-as attester \
     --api-server=https://veraison.example/challenge-response/v1/newSession \
     --claims=cca-claims-without-realm-challenge.json \
-    --pak=es256.json \
+    --iak=es256.json \
     --rak=ec384.json
 ```
 

cmd/cca/check.go

@@ -27,7 +27,7 @@ func NewCheckCmd(fs afero.Fs) *cobra.Command {
 		Long: `Run the syntactic and cryptographic signature checks over the
 supplied CCA attestation token.
 
-Check a CCA attestation token contained in my.cbor using the public PAK in
+Check a CCA attestation token contained in my.cbor using the public IAK in
 es256.jwk and save the embedded claims to claims.json:
 
 	evcli cca check --token=my.cbor --key=es256.jwk --claims=claims.json
@@ -36,7 +36,7 @@ Or, equivalently:
 
 	evcli cca check -t my.cbor -k es256.jwt -c claims.json
 
-check a CCA attestation token contained in te.cbor using the public PAK in
+check a CCA attestation token contained in te.cbor using the public IAK in
 es256.jwk and dump the embedded claims to standard output:
 
 	evcli cca check -t te.cbor -k es256.jwk

cmd/cca/check_test.go

@@ -17,7 +17,7 @@ func Test_CheckCmd_claims_to_stdout_ok(t *testing.T) {
 	err := afero.WriteFile(fs, "ccatoken.CBOR", testValidCCAToken, 0644)
 	require.NoError(t, err)
 
-	err = afero.WriteFile(fs, "es256.jwk", testValidPAKPub, 0644)
+	err = afero.WriteFile(fs, "es256.jwk", testValidIAKPub, 0644)
 	require.NoError(t, err)
 
 	cmd := NewCheckCmd(fs)
@@ -38,7 +38,7 @@ func Test_CheckCmd_claims_to_file_ok(t *testing.T) {
 	err := afero.WriteFile(fs, "ccatoken.CBOR", testValidCCAToken, 0644)
 	require.NoError(t, err)
 
-	err = afero.WriteFile(fs, "es256.jwk", testValidPAKPub, 0644)
+	err = afero.WriteFile(fs, "es256.jwk", testValidIAKPub, 0644)
 	require.NoError(t, err)
 
 	cmd := NewCheckCmd(fs)
@@ -63,7 +63,7 @@ func Test_CheckCmd_claims_to_file_fail(t *testing.T) {
 	err := afero.WriteFile(fs, "ccatoken.CBOR", testValidCCAToken, 0644)
 	require.NoError(t, err)
 
-	err = afero.WriteFile(fs, "es256.jwk", testValidPAKPub, 0644)
+	err = afero.WriteFile(fs, "es256.jwk", testValidIAKPub, 0644)
 	require.NoError(t, err)
 
 	// freeze the FS so that writing is not possible any more
@@ -153,7 +153,7 @@ func Test_CheckCmd_key_not_found(t *testing.T) {
 func Test_CheckCmd_token_not_found(t *testing.T) {
 	fs := afero.NewMemMapFs()
 
-	err := afero.WriteFile(fs, "es256.jwk", testValidPAKPub, 0644)
+	err := afero.WriteFile(fs, "es256.jwk", testValidIAKPub, 0644)
 	require.NoError(t, err)
 
 	cmd := NewCheckCmd(fs)
@@ -176,7 +176,7 @@ func Test_CheckCmd_token_invalid_format(t *testing.T) {
 	err := afero.WriteFile(fs, "ccatoken.cbor", testInvalidCCAToken, 0644)
 	require.NoError(t, err)
 
-	err = afero.WriteFile(fs, "es256.jwk", testValidPAKPub, 0644)
+	err = afero.WriteFile(fs, "es256.jwk", testValidIAKPub, 0644)
 	require.NoError(t, err)
 
 	cmd := NewCheckCmd(fs)
@@ -199,7 +199,7 @@ func Test_CheckCmd_regression_bug_18(t *testing.T) {
 	err := afero.WriteFile(fs, "ccatoken.cbor", testValidCCAToken, 0644)
 	require.NoError(t, err)
 
-	err = afero.WriteFile(fs, "not-a-public-key.jwk", testValidPAK, 0644)
+	err = afero.WriteFile(fs, "not-a-public-key.jwk", testValidIAK, 0644)
 	require.NoError(t, err)
 
 	cmd := NewCheckCmd(fs)

cmd/cca/create.go

@@ -14,7 +14,7 @@ import (
 var (
 	createClaimsFile   *string
 	createRAKFile      *string
-	createPAKFile      *string
+	createIAKFile      *string
 	createTokenFile    *string
 	allowInvalidClaims *bool
 )
@@ -26,12 +26,12 @@ func NewCreateCmd(fs afero.Fs) *cobra.Command {
 		Use:   "create",
 		Short: "create a CCA attestation token from the supplied claims and keys",
 		Long: `Create a CCA attestation token from the JSON-encoded claims and
-keys (PAK and RAK)
+keys (IAK and RAK)
 
 Create a CCA attestation token from claims contained in claims.json, sign
-with pak.jwk and rak.jwk and save the result to my.cbor:
+with iak.jwk and rak.jwk and save the result to my.cbor:
 
-	evcli cca create --claims=claims.json --pak=pak.jwk --rak=rak.jwk --token=my.cbor
+	evcli cca create --claims=claims.json --iak=iak.jwk --rak=rak.jwk --token=my.cbor
 	`,
 		RunE: func(cmd *cobra.Command, args []string) error {
 			validate := !*allowInvalidClaims
@@ -60,19 +60,19 @@ with pak.jwk and rak.jwk and save the result to my.cbor:
 				)
 			}
 
-			pak, err := afero.ReadFile(fs, *createPAKFile)
+			iak, err := afero.ReadFile(fs, *createIAKFile)
 			if err != nil {
 				return fmt.Errorf(
-					"error loading PAK signing key from %s: %w",
-					*createPAKFile, err,
+					"error loading IAK signing key from %s: %w",
+					*createIAKFile, err,
 				)
 			}
 
-			pSigner, err := common.SignerFromJWK(pak)
+			pSigner, err := common.SignerFromJWK(iak)
 			if err != nil {
 				return fmt.Errorf(
-					"error decoding PAK signing key from %s: %w",
-					*createPAKFile, err,
+					"error decoding IAK signing key from %s: %w",
+					*createIAKFile, err,
 				)
 			}
 
@@ -112,8 +112,8 @@ with pak.jwk and rak.jwk and save the result to my.cbor:
 		"rak", "r", "", "JWK file with the key used for signing the realm token",
 	)
 
-	createPAKFile = cmd.Flags().StringP(
-		"pak", "p", "", "JWK file with the key used for signing the platform token",
+	createIAKFile = cmd.Flags().StringP(
+		"iak", "p", "", "JWK file with the key used for signing the platform token",
 	)
 
 	createTokenFile = cmd.Flags().StringP(
@@ -130,7 +130,7 @@ with pak.jwk and rak.jwk and save the result to my.cbor:
 }
 
 func init() {
-	for _, param := range []string{"claims", "rak", "pak"} {
+	for _, param := range []string{"claims", "rak", "iak"} {
 		if err := createCmd.MarkFlagRequired(param); err != nil {
 			panic(err)
 		}

cmd/cca/create_test.go

@@ -14,7 +14,7 @@ import (
 func Test_CreateCmd_default_token_name_ok(t *testing.T) {
 	fs := afero.NewMemMapFs()
 
-	err := afero.WriteFile(fs, "es256.jwk", testValidPAK, 0644)
+	err := afero.WriteFile(fs, "es256.jwk", testValidIAK, 0644)
 	require.NoError(t, err)
 
 	err = afero.WriteFile(fs, "es384.jwk", testValidRAK, 0644)
@@ -27,7 +27,7 @@ func Test_CreateCmd_default_token_name_ok(t *testing.T) {
 	cmd.SetArgs(
 		[]string{
 			"--claims=claims.json",
-			"--pak=es256.jwk",
+			"--iak=es256.jwk",
 			"--rak=es384.jwk",
 		},
 	)
@@ -42,7 +42,7 @@ func Test_CreateCmd_default_token_name_ok(t *testing.T) {
 func Test_CreateCmd_custom_token_name_ok(t *testing.T) {
 	fs := afero.NewMemMapFs()
 
-	err := afero.WriteFile(fs, "es256.jwk", testValidPAK, 0644)
+	err := afero.WriteFile(fs, "es256.jwk", testValidIAK, 0644)
 	require.NoError(t, err)
 
 	err = afero.WriteFile(fs, "es384.jwk", testValidRAK, 0644)
@@ -55,7 +55,7 @@ func Test_CreateCmd_custom_token_name_ok(t *testing.T) {
 	cmd.SetArgs(
 		[]string{
 			"--claims=claims.json",
-			"--pak=es256.jwk",
+			"--iak=es256.jwk",
 			"--rak=es384.jwk",
 			"--token=my.cbor",
 		},
@@ -71,7 +71,7 @@ func Test_CreateCmd_custom_token_name_ok(t *testing.T) {
 func Test_CreateCmd_save_token_fail(t *testing.T) {
 	fs := afero.NewMemMapFs()
 
-	err := afero.WriteFile(fs, "es256.jwk", testValidPAK, 0644)
+	err := afero.WriteFile(fs, "es256.jwk", testValidIAK, 0644)
 	require.NoError(t, err)
 
 	err = afero.WriteFile(fs, "es384.jwk", testValidRAK, 0644)
@@ -87,7 +87,7 @@ func Test_CreateCmd_save_token_fail(t *testing.T) {
 	cmd.SetArgs(
 		[]string{
 			"--claims=claims.json",
-			"--pak=es256.jwk",
+			"--iak=es256.jwk",
 			"--rak=es384.jwk",
 		},
 	)
@@ -101,7 +101,7 @@ func Test_CreateCmd_save_token_fail(t *testing.T) {
 func Test_CreateCmd_RAK_invalid(t *testing.T) {
 	fs := afero.NewMemMapFs()
 
-	err := afero.WriteFile(fs, "es256.jwk", testValidPAK, 0644)
+	err := afero.WriteFile(fs, "es256.jwk", testValidIAK, 0644)
 	require.NoError(t, err)
 
 	err = afero.WriteFile(fs, "es384.jwk", testInvalidKey, 0644)
@@ -114,7 +114,7 @@ func Test_CreateCmd_RAK_invalid(t *testing.T) {
 	cmd.SetArgs(
 		[]string{
 			"--claims=claims.json",
-			"--pak=es256.jwk",
+			"--iak=es256.jwk",
 			"--rak=es384.jwk",
 		},
 	)
@@ -128,7 +128,7 @@ func Test_CreateCmd_RAK_invalid(t *testing.T) {
 func Test_CreateCmd_RAK_not_found(t *testing.T) {
 	fs := afero.NewMemMapFs()
 
-	err := afero.WriteFile(fs, "es256.jwk", testValidPAK, 0644)
+	err := afero.WriteFile(fs, "es256.jwk", testValidIAK, 0644)
 	require.NoError(t, err)
 
 	err = afero.WriteFile(fs, "claims.json", testValidCCAClaims, 0644)
@@ -138,7 +138,7 @@ func Test_CreateCmd_RAK_not_found(t *testing.T) {
 	cmd.SetArgs(
 		[]string{
 			"--claims=claims.json",
-			"--pak=es256.jwk",
+			"--iak=es256.jwk",
 			"--rak=es384.jwk",
 		},
 	)
@@ -149,7 +149,7 @@ func Test_CreateCmd_RAK_not_found(t *testing.T) {
 	assert.EqualError(t, err, expectedErr)
 }
 
-func Test_CreateCmd_PAK_invalid(t *testing.T) {
+func Test_CreateCmd_IAK_invalid(t *testing.T) {
 	fs := afero.NewMemMapFs()
 
 	err := afero.WriteFile(fs, "es256.jwk", testInvalidKey, 0644)
@@ -165,18 +165,18 @@ func Test_CreateCmd_PAK_invalid(t *testing.T) {
 	cmd.SetArgs(
 		[]string{
 			"--claims=claims.json",
-			"--pak=es256.jwk",
+			"--iak=es256.jwk",
 			"--rak=es384.jwk",
 		},
 	)
 
-	expectedErr := `error decoding PAK signing key from es256.jwk: failed to parse key: invalid key type from JSON ()`
+	expectedErr := `error decoding IAK signing key from es256.jwk: failed to parse key: invalid key type from JSON ()`
 
 	err = cmd.Execute()
 	assert.EqualError(t, err, expectedErr)
 }
 
-func Test_CreateCmd_PAK_not_found(t *testing.T) {
+func Test_CreateCmd_IAK_not_found(t *testing.T) {
 	fs := afero.NewMemMapFs()
 
 	err := afero.WriteFile(fs, "es384.jwk", testValidRAK, 0644)
@@ -189,12 +189,12 @@ func Test_CreateCmd_PAK_not_found(t *testing.T) {
 	cmd.SetArgs(
 		[]string{
 			"--claims=claims.json",
-			"--pak=es256.jwk",
+			"--iak=es256.jwk",
 			"--rak=es384.jwk",
 		},
 	)
 
-	expectedErr := `error loading PAK signing key from es256.jwk: open es256.jwk: file does not exist`
+	expectedErr := `error loading IAK signing key from es256.jwk: open es256.jwk: file does not exist`
 
 	err = cmd.Execute()
 	assert.EqualError(t, err, expectedErr)
@@ -203,7 +203,7 @@ func Test_CreateCmd_PAK_not_found(t *testing.T) {
 func Test_CreateCmd_claims_not_found(t *testing.T) {
 	fs := afero.NewMemMapFs()
 
-	err := afero.WriteFile(fs, "es256.jwk", testValidPAK, 0644)
+	err := afero.WriteFile(fs, "es256.jwk", testValidIAK, 0644)
 	require.NoError(t, err)
 
 	err = afero.WriteFile(fs, "es384.jwk", testValidRAK, 0644)
@@ -213,7 +213,7 @@ func Test_CreateCmd_claims_not_found(t *testing.T) {
 	cmd.SetArgs(
 		[]string{
 			"--claims=claims.json",
-			"--pak=es256.jwk",
+			"--iak=es256.jwk",
 			"--rak=es384.jwk",
 		},
 	)
@@ -227,7 +227,7 @@ func Test_CreateCmd_claims_not_found(t *testing.T) {
 func Test_CreateCmd_claims_invalid(t *testing.T) {
 	fs := afero.NewMemMapFs()
 
-	err := afero.WriteFile(fs, "es256.jwk", testValidPAK, 0644)
+	err := afero.WriteFile(fs, "es256.jwk", testValidIAK, 0644)
 	require.NoError(t, err)
 
 	err = afero.WriteFile(fs, "es384.jwk", testValidRAK, 0644)
@@ -240,7 +240,7 @@ func Test_CreateCmd_claims_invalid(t *testing.T) {
 	cmd.SetArgs(
 		[]string{
 			"--claims=claims.json",
-			"--pak=es256.jwk",
+			"--iak=es256.jwk",
 			"--rak=es384.jwk",
 		},
 	)

cmd/cca/test_common.go

@@ -12,8 +12,8 @@ var (
 		"y": "7fVF7b6J_6_g6Wu9RuJw8geWxEi5ja9Gp2TSdELm5u2E-M7IF-bsxqcdOj3n1n7N",
 		"d": "ODkwMTIzNDU2Nzg5MDEyMz7deMbyLt8g4cjcxozuIoygLLlAeoQ1AfM9TSvxkFHJ"
 	}`)
-	testValidPAK = []byte(`{
-		"kid": "valid-pak",
+	testValidIAK = []byte(`{
+		"kid": "valid-iak",
 		"kty": "EC",
 		"crv": "P-256",
 		"x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
@@ -27,8 +27,8 @@ var (
 		"x": "gvvRMqm1w5aHn7sVNA2QUJeOVcedUnmiug6VhU834gzS9k87crVwu9dz7uLOdoQl",
 		"y": "7fVF7b6J_6_g6Wu9RuJw8geWxEi5ja9Gp2TSdELm5u2E-M7IF-bsxqcdOj3n1n7N"
 	}`)
-	testValidPAKPub = []byte(`{
-		"kid": "valid-pak-pub",
+	testValidIAKPub = []byte(`{
+		"kid": "valid-iak-pub",
 		"kty": "EC",
 		"crv": "P-256",
 		"x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",