Simplify vendor/model implementation per review feedback

- Remove sanitization files (sanitize.go, sanitize_test.go)
- Extract vendor/model directly without validation
- Simplify README: keep one example, remove Security section
- Add vendor/model support to SwAttr for supply chain

Addresses feedback from sir @yogeshbdeshpande

Signed-off-by: Sukuna0007Abhi <[email protected]>

Author: Sukuna0007Abhi

scheme/parsec-tpm/README.md

@@ -43,9 +43,9 @@ Both fields support:
 - Special characters (allowed in both fields)
 - Variable length strings (no artificial length restrictions)
 
-### CORIM Example
+### CoRIM Example
 
-To include vendor and model information in your CORIM manifest, add them to the `environment.class` section (following standard CoRIM specification). Here are several examples:
+To include vendor and model information in your CoRIM manifest, add them to the `environment.class` section (following standard CoRIM specification):
 
 ```json
 {
@@ -74,116 +74,3 @@ To include vendor and model information in your CORIM manifest, add them to the
   ]
 }
 ```
-
-Additional Examples:
-
-1. International Vendor (with Unicode characters):
-```json
-{
-  "comid.verification-keys": [
-    {
-      "environment": {
-        "class": {
-          "id": {
-            "class-id": "cd1f0e55-26f9-460d-b9d8-f7fde171787c"
-          },
-          "vendor": "富士通株式会社",
-          "model": "FUJITSU TPM 2.0"
-        },
-        "instance": {
-          "instance-id": {
-            "type": "ueid",
-            "value": "AQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
-          }
-        }
-      },
-      "key": [{
-        "type": "pkix-base64-key",
-        "value": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAETKRFE_RwSXooI8DdatPOYg_uiKm2XrtT_uEMEvqQZrwJHHcfw0c3WVzGoqL3Y_Q6xkHFfdUVqS2WWkPdKO03uw=="
-      }]
-    }
-  ]
-}
-```
-
-2. Minimal Example (vendor only):
-```json
-{
-  "comid.verification-keys": [
-    {
-      "environment": {
-        "class": {
-          "id": {
-            "class-id": "cd1f0e55-26f9-460d-b9d8-f7fde171787c"
-          },
-          "vendor": "Intel Corporation"
-        },
-        "instance": {
-          "instance-id": {
-            "type": "ueid",
-            "value": "AQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
-          }
-        }
-      },
-      "key": [{
-        "type": "pkix-base64-key",
-        "value": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAETKRFE_RwSXooI8DdatPOYg_uiKm2XrtT_uEMEvqQZrwJHHcfw0c3WVzGoqL3Y_Q6xkHFfdUVqS2WWkPdKO03uw=="
-      }]
-    }
-  ]
-}
-```
-
-3. Complex Example (with special characters):
-```json
-{
-  "comid.verification-keys": [
-    {
-      "environment": {
-        "class": {
-          "id": {
-            "class-id": "cd1f0e55-26f9-460d-b9d8-f7fde171787c"
-          },
-          "vendor": "Company & Co., Ltd.",
-          "model": "TPM.v2-Enhanced+"
-        },
-        "instance": {
-          "instance-id": {
-            "type": "ueid",
-            "value": "AQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
-          }
-        }
-      },
-      "key": [{
-        "type": "pkix-base64-key",
-        "value": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAETKRFE_RwSXooI8DdatPOYg_uiKm2XrtT_uEMEvqQZrwJHHcfw0c3WVzGoqL3Y_Q6xkHFfdUVqS2WWkPdKO03uw=="
-      }]
-    }
-  ]
-}
-```
-
-### Security Considerations
-
-When using vendor and model fields:
-
-1. **Input Validation**:
-   - Maximum length: 1024 characters
-   - Strings are trimmed of leading/trailing whitespace
-   - Basic sanitization is applied to prevent injection attacks
-   - Control characters are removed (except newline and tab)
-
-2. **Storage**:
-   - Fields are optional and won't affect TPM validation
-   - Unicode characters are preserved for international vendor names
-   - Dangerous characters are escaped to prevent injection
-
-3. **Best Practices**:
-   - Use consistent vendor/model identifiers
-   - Prefer official vendor names and model numbers
-   - Keep strings concise and meaningful
-   - Test with various character encodings if using international names
-
-Note: The vendor and model fields are always optional and are meant for informational purposes only. The TPM's security validation is based solely on its cryptographic identity and measurements.
-```
-```

scheme/parsec-tpm/corim_extractor.go

@@ -6,7 +6,6 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"strings"
 
 	"github.com/veraison/corim/comid"
 	"github.com/veraison/eat"
@@ -40,19 +39,19 @@ func (o CorimExtractor) RefValExtractor(
 				return nil, fmt.Errorf("measurement[%d]: %w", i, err)
 			}
 
-			for j, digest := range digests {
-				attrs, err := makeRefValAttrs(id.class, pcr, digest)
-				if err != nil {
-					return nil, fmt.Errorf("measurement[%d].digest[%d]: %w", i, j, err)
-				}
-
-				refval = &handler.Endorsement{
-					Scheme:     SchemeName,
-					Type:       handler.EndorsementType_REFERENCE_VALUE,
-					Attributes: attrs,
-				}
+		for j, digest := range digests {
+			attrs, err := makeRefValAttrs(id.class, pcr, digest, rv.Environment)
+			if err != nil {
+				return nil, fmt.Errorf("measurement[%d].digest[%d]: %w", i, j, err)
+			}
+
+			refval = &handler.Endorsement{
+				Scheme:     SchemeName,
+				Type:       handler.EndorsementType_REFERENCE_VALUE,
+				Attributes: attrs,
 			}
-			refVals = append(refVals, refval)
+		}
+		refVals = append(refVals, refval)
 		}
 	}
 
@@ -96,14 +95,26 @@ func (o CorimExtractor) TaExtractor(
 	return ta, nil
 }
 
-func makeRefValAttrs(class string, pcr uint64, digest swid.HashEntry) (json.RawMessage, error) {
+func makeRefValAttrs(class string, pcr uint64, digest swid.HashEntry, env comid.Environment) (json.RawMessage, error) {
 
 	var attrs = map[string]interface{}{
 		"parsec-tpm.class-id": class,
 		"parsec-tpm.pcr":      pcr,
 		"parsec-tpm.digest":   digest.HashValue,
 		"parsec-tpm.alg-id":   digest.HashAlgID,
 	}
+
+	// Extract optional vendor and model from environment.class
+	// Following CoRIM specification - vendor/model are stored in environment, not key parameters
+	if env.Class != nil {
+		if env.Class.Vendor != nil {
+			attrs["parsec-tpm.vendor"] = string(*env.Class.Vendor)
+		}
+		if env.Class.Model != nil {
+			attrs["parsec-tpm.model"] = string(*env.Class.Model)
+		}
+	}
+
 	data, err := json.Marshal(attrs)
 	if err != nil {
 		return nil, fmt.Errorf("unable to marshal reference value attributes: %w", err)
@@ -126,20 +137,10 @@ func makeTaAttrs(id ID, key *comid.CryptoKey, env comid.Environment) (json.RawMe
 	// Following CoRIM specification - vendor/model are stored in environment, not key parameters
 	if env.Class != nil {
 		if env.Class.Vendor != nil {
-			vendor := string(*env.Class.Vendor)
-			// Trim and validate
-			vendor = sanitizeAndValidate(vendor)
-			if vendor != "" {
-				attrs["parsec-tpm.vendor"] = vendor
-			}
+			attrs["parsec-tpm.vendor"] = string(*env.Class.Vendor)
 		}
 		if env.Class.Model != nil {
-			model := string(*env.Class.Model)
-			// Trim and validate
-			model = sanitizeAndValidate(model)
-			if model != "" {
-				attrs["parsec-tpm.model"] = model
-			}
+			attrs["parsec-tpm.model"] = string(*env.Class.Model)
 		}
 	}
 
@@ -210,22 +211,3 @@ func (o *ID) FromEnvironment(e comid.Environment) error {
 func (o *CorimExtractor) SetProfile(profile string) {
 	o.Profile = profile
 }
-
-// sanitizeAndValidate trims and validates vendor/model strings
-func sanitizeAndValidate(input string) string {
-	// Trim whitespace
-	trimmed := strings.TrimSpace(input)
-	
-	// Check length limit (1024 characters)
-	if len(trimmed) > 1024 {
-		return ""
-	}
-	
-	// If empty after trimming, return empty
-	if trimmed == "" {
-		return ""
-	}
-	
-	// Apply sanitization
-	return sanitizeString(trimmed)
-}

scheme/parsec-tpm/evidence_handler.go

@@ -26,6 +26,10 @@ type SwAttr struct {
 	ClassID *string `json:"parsec-tpm.class-id"`
 	Digest  *[]byte `json:"parsec-tpm.digest"`
 	PCR     *uint   `json:"parsec-tpm.pcr"`
+	// Optional vendor information for the TPM
+	Vendor *string `json:"parsec-tpm.vendor,omitempty"`
+	// Optional model information for the TPM
+	Model *string `json:"parsec-tpm.model,omitempty"`
 }
 
 type Endorsements struct {