fix(coserv): expiry + config refactor

setrofim · setrofim · commit b57361049903 · 2026-05-28T10:18:08.000+01:00
- Update to v0.2.1 of corim-store that implements MaxExpiry, which is
  used when CoRIMs do not specify validity, and serves as a maximum
  limit on expiry when they do.
- In order allow configuration of MaxExpiry, refactor how configuration
  for CoSERV is handled inside VTS:
  - Create CoservContext which contains configuration for CoSERVService
    prior to its creation, and also contains the signer (which is not
    part of the service, but is related to it).
  - Configuration for the context is taken from "coserv" section of
    config files (the same as the front-end: all coserv-related
    configuration is now in the same place in the config tree).
    Configuration for the signer is moved to "signer" sub-section under
    it.
- FallbackAuthority for the service is now configured based on the
  signer's public key, rather than being hard-coded to a nonsense value.

Signed-off-by: Sergei Trofimov &lt;sergei.trofimov@arm.com&gt;
diff --git a/coserv/cmd/coserv-service/main.go b/coserv/cmd/coserv-service/main.go
@@ -65,7 +65,7 @@ func main() {
 
 	log.Infow("Initializing Endorsement Distribution Service", "version", config.Version)
 
-	loader := config.NewLoader(&cfg)
+	loader := config.NewNonExclusiveLoader(&cfg)
 	if err := loader.LoadFromViper(subs["coserv"]); err != nil {
 		log.Fatalf("Could not load coserv config: %v", err)
 	}
diff --git a/deployments/docker/src/config.yaml.template b/deployments/docker/src/config.yaml.template
@@ -23,8 +23,10 @@ coserv:
   protocol: https
   cert: /opt/veraison/coserv.crt
   cert-key: /opt/veraison/coserv.key
-coserv-signer:
-  key: /opt/veraison/coserv-signer.jwk
+  max-expiry: 5 mins
+  signer:
+    alg: ES256
+    key: /opt/veraison/coserv-signer.jwk
 vts:
   server-addr: vts-service:${VTS_PORT}
   tls: true
diff --git a/deployments/docker/src/vts.docker b/deployments/docker/src/vts.docker
@@ -41,7 +41,7 @@ RUN mkdir -p --mode=0775 stores/vts
 ADD --chown=veraison:nogroup plugins plugins
 ADD --chown=veraison:veraison --chmod=0660 stores/* stores/vts
 ADD --chown=veraison:nogroup config.yaml skey.jwk vts-service service-entrypoint \
-	certs/vts.crt certs/vts.key ./
+	certs/vts.crt certs/vts.key coserv-signer.jwk ./
 
 
 ENTRYPOINT ["/opt/veraison/service-entrypoint"]
diff --git a/go.mod b/go.mod
@@ -41,7 +41,7 @@ require (
 	github.com/veraison/ccatoken v1.3.2-0.20250512122414-b26aba0635c4
 	github.com/veraison/cmw v0.2.0
 	github.com/veraison/corim v1.1.3-0.20260430132037-b8653a7359da
-	github.com/veraison/corim-store v0.1.0
+	github.com/veraison/corim-store v0.2.1
 	github.com/veraison/dice v0.0.1
 	github.com/veraison/ear v1.1.4-0.20260213122616-3034258cda59
 	github.com/veraison/eat v0.0.0-20220117140849-ddaf59d69f53
diff --git a/go.sum b/go.sum
@@ -893,6 +893,8 @@ github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeN
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
+github.com/google/go-configfs-tsm v0.3.2 h1:ZYmHkdQavfsvVGDtX7RRda0gamelUNUhu0A9fbiuLmE=
+github.com/google/go-configfs-tsm v0.3.2/go.mod h1:EL1GTDFMb5PZQWDviGfZV9n87WeGTR/JUg13RfwkgRo=
 github.com/google/go-sev-guest v0.14.2-0.20251119154202-af1c107a648f h1:UVLafZ3h85JE5e0QU5dUixIJa2PO5G51THLMuXrtnTw=
 github.com/google/go-sev-guest v0.14.2-0.20251119154202-af1c107a648f/go.mod h1:SK9vW+uyfuzYdVN0m8BShL3OQCtXZe/JPF7ZkpD3760=
 github.com/google/go-tpm v0.1.2-0.20190725015402-ae6dd98980d4/go.mod h1:H9HbmUG2YgV/PHITkO7p6wxEEj/v5nlsVWIwumwH2NI=
@@ -1260,8 +1262,8 @@ github.com/veraison/cmw v0.2.0 h1:BWEvwZnD4nn5osq6XwQpTRcGxwV+Su4t6ytdAbVXAJY=
 github.com/veraison/cmw v0.2.0/go.mod h1:OiYKk1t6/Fmmg30ZpSMzi4nKr5kt3374sNTkgxC5BDs=
 github.com/veraison/corim v1.1.3-0.20260430132037-b8653a7359da h1:HY6eZqJXjTIs0jQ3W47Aj+AzMitmR/Jjx5lld58yE48=
 github.com/veraison/corim v1.1.3-0.20260430132037-b8653a7359da/go.mod h1:tB4fHouhmQBL8JIt8TkYviA/xmmUBAWruwrR5YBHvn0=
-github.com/veraison/corim-store v0.1.0 h1:zu7kYtvnle01PHz6UKB2SfVypcZV6bWPHpDBBvxkwLk=
-github.com/veraison/corim-store v0.1.0/go.mod h1:eU8AECLQL+GQpEYksKDlom3HHXWzo/M6qR2gHXjjnR4=
+github.com/veraison/corim-store v0.2.1 h1:i2Sa/WCWhIQBt3kalYa0yIjUBIGXrl2TamEDVoKqS+0=
+github.com/veraison/corim-store v0.2.1/go.mod h1:eU8AECLQL+GQpEYksKDlom3HHXWzo/M6qR2gHXjjnR4=
 github.com/veraison/dice v0.0.1 h1:dOm7ByDN/r4WlDsGkEUXzdPMXgTvAPTAksQ8+BwBrD4=
 github.com/veraison/dice v0.0.1/go.mod h1:QPMLc5LVMj08VZ+HNMYk4XxWoVYGAUBVm8Rd5V1hzxs=
 github.com/veraison/ear v1.1.4-0.20260213122616-3034258cda59 h1:tynt7VXUc7uVAsN3RyWySaAJZpdQv0Eyru+7Wgwi72s=
diff --git a/vts/cmd/vts-service/config-docker.yaml b/vts/cmd/vts-service/config-docker.yaml
@@ -24,9 +24,10 @@ vts:
 ear-signer:
   alg: ES256
   key: ./skey.jwk
-coserv-signer:
-  use: true
-  alg: ES256
-  key: ./skey.jwk
+coserv:
+  max-expiry: 5 mins
+  signer:
+    alg: ES256
+    key: ./skey.jwk
 logging:
   level: debug
diff --git a/vts/cmd/vts-service/config.yaml b/vts/cmd/vts-service/config.yaml
@@ -26,10 +26,11 @@ vts:
 ear-signer:
   alg: ES256
   key: ./skey.jwk
-coserv-signer:
-  use: true
-  alg: ES256
-  key: ./skey.jwk
+coserv:
+  max-expiry: 5 mins
+  signer:
+    alg: ES256
+    key: ./skey.jwk
 logging:
   level: debug
 # Scheme configuration Example
diff --git a/vts/cmd/vts-service/main.go b/vts/cmd/vts-service/main.go
@@ -16,7 +16,7 @@ import (
 	"github.com/veraison/services/log"
 	"github.com/veraison/services/plugin"
 	"github.com/veraison/services/policy"
-	"github.com/veraison/services/vts/coservsigner"
+	"github.com/veraison/services/vts/coserv"
 	"github.com/veraison/services/vts/earsigner"
 	"github.com/veraison/services/vts/policymanager"
 	"github.com/veraison/services/vts/store"
@@ -32,7 +32,7 @@ func main() {
 	}
 
 	subs, err := config.GetSubs(v, "store", "po-store",
-		"*po-agent", "plugin", "*vts", "ear-signer", "*coserv-signer", "*logging", "*scheme")
+		"*po-agent", "plugin", "*vts", "ear-signer", "*coserv", "*logging", "*scheme")
 	if err != nil {
 		log.Fatal(err)
 	}
@@ -146,13 +146,11 @@ func main() {
 		log.Fatalf("EAR signer initialization failed: %v", err)
 	}
 
-	var coservSigner coservsigner.ICoservSigner
-
-	if subs["coserv-signer"].GetBool("use") {
-		log.Info("loading CoSERV signer")
-		coservSigner, err = coservsigner.New(subs["coserv-signer"], afero.NewOsFs())
+	var coservContext *coserv.Context
+	if subs["coserv"].IsSet("signer") {
+		coservContext, err = coserv.NewCoservContextFromViper(subs["coserv"])
 		if err != nil {
-			log.Fatalf("CoSERV signer initialization failed: %v", err)
+			log.Fatal("CoSERV config initialization: %v", err)
 		}
 
 		// CoSERV media types.
@@ -165,7 +163,7 @@ func main() {
 	// policyManager and earSigner are owned by vts
 	vts := trustedservices.NewGRPC(enStore,
 		schemePluginManager, coservProxyPluginManager,
-		policyManager, earSigner, coservSigner, log.Named("vts"))
+		policyManager, earSigner, coservContext, log.Named("vts"))
 
 	if err = vts.Init(subs["vts"]); err != nil {
 		log.Fatalf("VTS initialisation failed: %v", err)
diff --git a/vts/coserv/Makefile b/vts/coserv/Makefile
diff --git a/vts/coserv/README.md b/vts/coserv/README.md
diff --git a/vts/coserv/context.go b/vts/coserv/context.go
@@ -0,0 +1,121 @@
+// Copyright 2026 Contributors to the Veraison project.
+// SPDX-License-Identifier: Apache-2.0
+package coserv
+
+import (
+	"fmt"
+	"regexp"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/spf13/afero"
+	"github.com/spf13/viper"
+	"github.com/veraison/corim/comid"
+	"github.com/veraison/services/config"
+)
+
+var FallbackMaxExpiry = 5 * time.Minute
+
+type Context struct {
+	Signer            ISigner
+	FallbackAuthority *comid.CryptoKey
+	MaxExpiry         time.Duration
+}
+
+func NewCoservContextFromViper(v *viper.Viper) (*Context, error) {
+	expiry, err := getMaxExpiry(v)
+	if err != nil {
+		return nil, fmt.Errorf("max expiry: %w", err)
+	}
+
+	subs, err := config.GetSubs(v, "signer")
+	if err != nil {
+		return nil, fmt.Errorf("accessing sub configs: %w", err)
+	}
+
+	signer, err := NewSigner(subs["signer"], afero.NewOsFs())
+	if err != nil {
+		return nil, fmt.Errorf("initializing signer: %w", err)
+	}
+
+	authority, err := signer.GetAuthority()
+	if err != nil {
+		return nil, fmt.Errorf("fallback authority: %w", err)
+	}
+
+	return &Context{
+		Signer:            signer,
+		MaxExpiry:         expiry,
+		FallbackAuthority: authority,
+	}, nil
+
+}
+
+func (o *Context) Close() error {
+	return o.Signer.Close()
+}
+
+func getMaxExpiry(v *viper.Viper) (time.Duration, error) {
+	if !v.IsSet("max-expiry") {
+		return FallbackMaxExpiry, nil
+	}
+
+	return parseDuration(v.GetString("max-expiry"))
+}
+
+func parseDuration(text string) (time.Duration, error) {
+	text = strings.ToLower(text)
+
+	re, err := regexp.Compile(`\s*(\d+)\s*(second|sec|s|minute|min|m|hour|h|day|d)s?\s*`)
+	if err != nil {
+		panic(err)
+	}
+
+	matches := re.FindAllStringSubmatch(text, -1)
+	if len(matches) == 0 {
+		return 0, fmt.Errorf("could not match time specifiers in %q", text)
+	}
+
+	// Ensure that match indexes cover the entire input; i.e. there is no
+	// unrecognized text left after matching.
+	indexes := re.FindAllStringIndex(text, -1)
+	pos := 0
+	for _, idx := range indexes {
+		if idx[0] != pos {
+			return 0, fmt.Errorf("parsing %q: unrecognized text between indexes %d and %d",
+				text, pos, idx[0])
+		}
+
+		pos = idx[1]
+	}
+	if pos != len(text) {
+		return 0, fmt.Errorf("parsing %q: unrecognized trailing text", text)
+	}
+
+	var ret time.Duration
+	for _, match := range matches {
+		val, err := strconv.Atoi(match[1])
+		if err != nil {
+			// cannot get here because we matched \d+
+			panic(err)
+		}
+		duration := time.Duration(val)
+
+		switch match[2] {
+		case "s", "sec", "second":
+			ret += duration * time.Second
+		case "m", "min", "minute":
+			ret += duration * time.Minute
+		case "h", "hour":
+			ret += duration * time.Hour
+		case "d", "day":
+			ret += duration * 24 * time.Hour
+		default:
+			// cannot get here because cases exhaust possible matches
+			panic(fmt.Errorf("unexpected time preiod specifier %q", match[2]))
+		}
+	}
+
+	return ret, nil
+}
diff --git a/vts/coserv/context_test.go b/vts/coserv/context_test.go
@@ -0,0 +1,64 @@
+// Copyright 2026 Contributors to the Veraison project.
+// SPDX-License-Identifier: Apache-2.0
+package coserv
+
+import (
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_parseDuration(t *testing.T) {
+	testCases := []struct {
+		title    string
+		text     string
+		expected time.Duration
+		err      string
+	}{
+		{
+			title:    "ok spaces",
+			text:     " 2 min 7 secs\n",
+			expected: 127 * time.Second,
+		},
+		{
+			title:    "ok no spaces",
+			text:     "1d2h3m4s",
+			expected: 26*time.Hour + 184*time.Second,
+		},
+		{
+			title:    "ok repeated",
+			text:     " 2 min 2 min\n",
+			expected: 4 * time.Minute,
+		},
+		{
+			title: "bad no matches",
+			text:  " foo",
+			err:   "could not match time specifiers",
+		},
+		{
+			title:    "bad unrecognized middle",
+			text:     " 2 min foo 1 sec",
+			expected: 4 * time.Minute,
+			err:      "unrecognized text between indexes 7 and 10",
+		},
+		{
+			title:    "bad unrecognized trailing",
+			text:     " 2 min 1 secfoo",
+			expected: 4 * time.Minute,
+			err:      "unrecognized trailing text",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.title, func(t *testing.T) {
+			duration, err := parseDuration(tc.text)
+			if tc.err == "" {
+				assert.NoError(t, err)
+				assert.EqualValues(t, tc.expected, duration)
+			} else {
+				assert.ErrorContains(t, err, tc.err)
+			}
+		})
+	}
+}
diff --git a/vts/coserv/isigner.go b/vts/coserv/isigner.go
@@ -1,15 +1,17 @@
-// Copyright 2025 Contributors to the Veraison project.
+// Copyright 2025-2026 Contributors to the Veraison project.
 // SPDX-License-Identifier: Apache-2.0
-package coservsigner
+package coserv
 
 import (
 	"github.com/lestrrat-go/jwx/v2/jwa"
 	"github.com/lestrrat-go/jwx/v2/jwk"
+	"github.com/veraison/corim/comid"
 	"github.com/veraison/corim/coserv"
 )
 
-type ICoservSigner interface {
+type ISigner interface {
 	Sign(coserv coserv.Coserv) ([]byte, error)
 	GetCoservSigningPublicKey() (jwa.KeyAlgorithm, jwk.Key, error)
+	GetAuthority() (*comid.CryptoKey, error)
 	Close() error
 }
diff --git a/vts/coserv/signer.go b/vts/coserv/signer.go
@@ -1,25 +1,20 @@
-// Copyright 2025 Contributors to the Veraison project.
+// Copyright 2025-2026 Contributors to the Veraison project.
 // SPDX-License-Identifier: Apache-2.0
-package coservsigner
+package coserv
 
 import (
 	"github.com/spf13/afero"
 	"github.com/spf13/viper"
 	"github.com/veraison/services/config"
 )
 
-type Cfg struct {
-	Use bool   `mapstructure:"use"`
+type SignerConfig struct {
 	Key string `mapstructure:"key"`
 	Alg string `mapstructure:"alg"`
 }
 
-func New(v *viper.Viper, fs afero.Fs) (ICoservSigner, error) {
-	if !v.GetBool("use") {
-		return nil, nil
-	}
-
-	cfg := Cfg{}
+func NewSigner(v *viper.Viper, fs afero.Fs) (ISigner, error) {
+	cfg := SignerConfig{}
 
 	configLoader := config.NewLoader(&cfg)
 	if err := configLoader.LoadFromViper(v); err != nil {
diff --git a/vts/coserv/signer_cose.go b/vts/coserv/signer_cose.go
diff --git a/vts/coserv/signer_cose_test.go b/vts/coserv/signer_cose_test.go
diff --git a/vts/trustedservices/trustedservices_grpc.go b/vts/trustedservices/trustedservices_grpc.go

Original file line number	Diff line number	Diff line change
`@@ -65,7 +65,7 @@ func main() {`
`65`	`65`
`66`	`66`	`log.Infow("Initializing Endorsement Distribution Service", "version", config.Version)`
`67`	`67`
`68`		`- loader := config.NewLoader(&cfg)`
	`68`	`+ loader := config.NewNonExclusiveLoader(&cfg)`
`69`	`69`	`if err := loader.LoadFromViper(subs["coserv"]); err != nil {`
`70`	`70`	`log.Fatalf("Could not load coserv config: %v", err)`
`71`	`71`	`}`