cca/psa create: add flag to bypass validation

Add -I/--allow-invalid flag to bypass validation during token creation.
This allows creating in some way invalid, but otherwise well-constructed
tokens for testing.

Signed-off-by: Sergei Trofimov <[email protected]>

Author: setrofim

cmd/cca/common.go

@@ -12,15 +12,21 @@ import (
 	"github.com/veraison/psatoken"
 )
 
-func loadCCAClaimsFromFile(fs afero.Fs, fn string) (*ccatoken.Evidence, error) {
+func loadCCAClaimsFromFile(fs afero.Fs, fn string, validate bool) (*ccatoken.Evidence, error) {
 	buf, err := afero.ReadFile(fs, fn)
 	if err != nil {
 		return nil, err
 	}
 
 	var e ccatoken.Evidence
-	if err := e.UnmarshalJSON(buf); err != nil {
-		return nil, err
+	if validate {
+		if err := e.UnmarshalJSON(buf); err != nil {
+			return nil, err
+		}
+	} else {
+		if err := e.UnmarshalUnvalidatedJSON(buf); err != nil {
+			return nil, err
+		}
 	}
 
 	return &e, nil

cmd/cca/create.go

@@ -12,10 +12,11 @@ import (
 )
 
 var (
-	createClaimsFile *string
-	createRAKFile    *string
-	createPAKFile    *string
-	createTokenFile  *string
+	createClaimsFile   *string
+	createRAKFile      *string
+	createPAKFile      *string
+	createTokenFile    *string
+	allowInvalidClaims *bool
 )
 
 var createCmd = NewCreateCmd(common.Fs)
@@ -26,14 +27,16 @@ func NewCreateCmd(fs afero.Fs) *cobra.Command {
 		Short: "create a CCA attestation token from the supplied claims and keys",
 		Long: `Create a CCA attestation token from the JSON-encoded claims and
 keys (PAK and RAK)
-		
+
 Create a CCA attestation token from claims contained in claims.json, sign
 with pak.jwk and rak.jwk and save the result to my.cbor:
-	
+
 	evcli cca create --claims=claims.json --pak=pak.jwk --rak=rak.jwk --token=my.cbor
 	`,
 		RunE: func(cmd *cobra.Command, args []string) error {
-			evidence, err := loadCCAClaimsFromFile(fs, *createClaimsFile)
+			validate := !*allowInvalidClaims
+
+			evidence, err := loadCCAClaimsFromFile(fs, *createClaimsFile, validate)
 			if err != nil {
 				return fmt.Errorf(
 					"error loading CCA claims from %s: %w",
@@ -73,7 +76,14 @@ with pak.jwk and rak.jwk and save the result to my.cbor:
 				)
 			}
 
-			b, err := evidence.Sign(pSigner, rSigner)
+			var b []byte
+			if validate {
+				b, err = evidence.Sign(pSigner, rSigner)
+
+			} else {
+				b, err = evidence.SignUnvalidated(pSigner, rSigner)
+			}
+
 			if err != nil {
 				return fmt.Errorf("error signing evidence: %w", err)
 			}
@@ -110,6 +120,12 @@ with pak.jwk and rak.jwk and save the result to my.cbor:
 		"token", "t", "", "name of the file where the produced CCA attestation token will be stored",
 	)
 
+	allowInvalidClaims = cmd.Flags().BoolP(
+		"allow-invalid", "I", false,
+		"Do not validate provided claims, allowing invalid tokens to be generated. "+
+			"This is intended for testing.",
+	)
+
 	return cmd
 }
 

cmd/psa/create.go

@@ -18,6 +18,7 @@ var (
 	createKeyFile      *string
 	createTokenFile    *string
 	createTokenProfile *string
+	allowInvalidClaims *bool
 )
 
 var createCmd = NewCreateCmd(common.Fs)
@@ -28,12 +29,12 @@ func NewCreateCmd(fs afero.Fs) *cobra.Command {
 		Short: "create a PSA attestation token from the supplied claims and IAK",
 		Long: `Create a PSA attestation token from the JSON-encoded claims and
 Initial Attestation Key, optionally specifying the wanted profile
-		
+
 Create a PSA attestation token from claims contained in claims.json, sign
 with es256.jwk and save the result to my.cbor:
-	
+
 	evcli psa create --claims=claims.json --key=es256.jwk --token=my.cbor
-	
+
 Or, equivalently:
 
 	evcli psa create -c claims.json -k es256.jwk -t my.cbor
@@ -47,12 +48,13 @@ te-profile1.cbor:
 Note that the default profile is http://arm.com/psa/2.0.0.
 	`,
 		RunE: func(cmd *cobra.Command, args []string) error {
+			validate := !*allowInvalidClaims
+
 			if err := checkProfile(createTokenProfile); err != nil {
 				return err
 			}
 
-			validateClaims := true
-			claims, err := loadClaimsFromFile(fs, *createClaimsFile, validateClaims)
+			claims, err := loadClaimsFromFile(fs, *createClaimsFile, validate)
 			if err != nil {
 				return err
 			}
@@ -68,8 +70,12 @@ Note that the default profile is http://arm.com/psa/2.0.0.
 
 			evidence := psatoken.Evidence{}
 
-			if err = evidence.SetClaims(claims); err != nil {
-				return err
+			if validate {
+				if err = evidence.SetClaims(claims); err != nil {
+					return err
+				}
+			} else {
+				evidence.Claims = claims
 			}
 
 			key, err := afero.ReadFile(fs, *createKeyFile)
@@ -82,7 +88,12 @@ Note that the default profile is http://arm.com/psa/2.0.0.
 				return fmt.Errorf("error decoding signing key from %s: %w", *createKeyFile, err)
 			}
 
-			cwt, err := evidence.Sign(signer)
+			var cwt []byte
+			if validate {
+				cwt, err = evidence.Sign(signer)
+			} else {
+				cwt, err = evidence.SignUnvalidated(signer)
+			}
 			if err != nil {
 				return fmt.Errorf("signature failed: %w", err)
 			}
@@ -116,6 +127,12 @@ Note that the default profile is http://arm.com/psa/2.0.0.
 		"profile", "p", psatoken.PsaProfile2, "name of the PSA profile to use",
 	)
 
+	allowInvalidClaims = cmd.Flags().BoolP(
+		"allow-invalid", "I", false,
+		"Do not validate provided claims, allowing invalid tokens to be generated. "+
+			"This is intended for testing.",
+	)
+
 	return cmd
 }
 

cmd/psa/create_test.go

@@ -54,6 +54,28 @@ func Test_CreateCmd_WithP1Claims_ok(t *testing.T) {
 	assert.NoError(t, err)
 }
 
+func Test_CreateCmd_allowInivalid_ok(t *testing.T) {
+	fs := afero.NewMemMapFs()
+
+	err := afero.WriteFile(fs, "es256.jwk", testValidKey, 0644)
+	require.NoError(t, err)
+
+	err = afero.WriteFile(fs, "claims.json", testValidP2PSAClaimsWithNonce, 0644)
+	require.NoError(t, err)
+
+	cmd := NewCreateCmd(fs)
+	cmd.SetArgs(
+		[]string{
+			"--claims=claims.json",
+			"--key=es256.jwk",
+			"--allow-invalid",
+		},
+	)
+
+	err = cmd.Execute()
+	assert.NoError(t, err)
+}
+
 func Test_CreateCmd_claims_not_found(t *testing.T) {
 	fs := afero.NewMemMapFs()
 

misc/cca-claims-bad-norealm.json

@@ -0,0 +1,17 @@
+{
+  "cca-platform-token": {
+    "cca-platform-profile": "http://arm.com/CCA-SSD/1.0.0",
+    "cca-platform-implementation-id": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
+    "cca-platform-instance-id": "AQICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC",
+    "cca-platform-config": "AQID",
+    "cca-platform-lifecycle": 12288,
+    "cca-platform-sw-components": [
+      {
+        "measurement-value": "AwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwM=",
+        "signer-id": "BAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQ="
+      }
+    ],
+    "cca-platform-service-indicator": "https://veraison.example/v1/challenge-response",
+    "cca-platform-hash-algo-id": "sha-256"
+  }
+}

misc/psa-claims-bad-no-implid.json

@@ -0,0 +1,22 @@
+{
+  "eat-profile": "http://arm.com/psa/2.0.0",
+  "psa-client-id": 1,
+  "psa-security-lifecycle": 12288,
+  "psa-boot-seed": "3q2+796tvu/erb7v3q2+796tvu/erb7v3q2+796tvu8=",
+  "psa-hardware-version": "1234567890123",
+  "psa-software-components": [
+    {
+      "measurement-type": "BL",
+      "measurement-value": "AAECBAABAgQAAQIEAAECBAABAgQAAQIEAAECBAABAgQ=",
+      "signer-id": "UZIA/1GSAP9RkgD/UZIA/1GSAP9RkgD/UZIA/1GSAP8="
+    },
+    {
+      "measurement-type": "PRoT",
+      "measurement-value": "BQYHCAUGBwgFBgcIBQYHCAUGBwgFBgcIBQYHCAUGBwg=",
+      "signer-id": "UZIA/1GSAP9RkgD/UZIA/1GSAP9RkgD/UZIA/1GSAP8="
+    }
+  ],
+  "psa-instance-id": "AaChoqOgoaKjoKGio6ChoqOgoaKjoKGio6ChoqOgoaKj",
+  "psa-verification-service-indicator": "https://psa-verifier.org",
+  "psa-nonce": "QUp8F0FBs9DpodKK8xUg8NQimf6sQAfe2J1ormzZLxk="
+}