Create signed example in Makefile.

cddl/Makefile

@@ -42,6 +42,20 @@ CLEANFILES += $(3:.diag=.pretty)
 
 endef # cddl_check_template
 
+examples/sig-structure.diag: examples/sig-structure.diag.tmpl examples/payload-corim-4.diag examples/protected-header-map.diag
+	payload="$$(cat examples/payload-corim-4.diag)" \
+	protected="$$(cat examples/protected-header-map.diag)" \
+	envsubst < examples/sig-structure.diag.tmpl > examples/sig-structure.diag
+
+examples/corim-4.sig: examples/sig-structure.cbor examples/testkey.pem
+	openssl dgst -sha384 -sign examples/testkey.pem -out examples/corim-4.sig examples/sig-structure.cbor
+
+examples/corim-4.diag: examples/corim-4.sig examples/corim-4.diag.tmpl examples/payload-corim-4.diag examples/protected-header-map.diag
+	payload="$$(cat examples/payload-corim-4.diag)" \
+	protected="$$(cat examples/protected-header-map.diag)" \
+	signature="h'$$(cat examples/corim-4.sig | xxd -p -c 128)'" \
+	envsubst < examples/corim-4.diag.tmpl > examples/corim-4.diag
+
 include corim-frags.mk
 
 $(eval $(call cddl_check_template,comid,$(COMID_FRAGS),$(COMID_EXAMPLES)))

cddl/cbor-tags.txt

@@ -1,6 +1,6 @@
 tagged-concise-rim-type-choice = #6.500(concise-rim-type-choice)
 tagged-corim-map = #6.501(corim-map)
-tagged-signed-corim = #6.502(signed-corim)
+tagged-signed-corim = #6.502($signed-corim)
 tagged-concise-swid-tag = #6.505(bytes .cbor concise-swid-tag)
 tagged-concise-mid-tag = #6.506(bytes .cbor concise-mid-tag)
 tagged-concise-bom-tag = #6.508(bytes .cbor concise-bom-tag)

cddl/corim.cddl

@@ -2,4 +2,4 @@ corim = (tagged-concise-rim-type-choice / concise-rim-type-choice)
 
 concise-rim-type-choice /= tagged-corim-map
 concise-rim-type-choice /= tagged-signed-corim
-concise-rim-type-choice /= signed-corim
+

cddl/cose-sign1-corim.cddl

@@ -1,6 +1,6 @@
 COSE-Sign1-corim = [
   protected: bstr .cbor protected-corim-header-map
   unprotected: unprotected-corim-header-map
-  payload: bstr .cbor (tagged-corim-map / corim-map)
+  payload: bstr .cbor tagged-corim-map
   signature: bstr
 ]

cddl/examples/corim-4.diag

@@ -1,18 +1,16 @@
-/ signed-corim / 18([
-  / protected / <<
-    {
-      / alg: / 1: / ECDSA with SHA-384 / -35,
-      / content-type: / 3: "application/corim-unsigned+cbor",
-      / kid: / 4: h'f8ccd2b49fdba32cd94498030fdc8e5010358919',
-      / corim-meta: / 8: << {
-        / signer: / 0: {
-	  / signer-name: / 0: "ACME Ltd."
-	}
-      } >>
+/ tagged-signed-corim / 502(/ signed-corim / 18([
+  / protected / << / header_map / {
+  / alg: / 1 : -35,
+  / content-type: / 3 : "application/corim-unsigned+cbor",
+  / corim-meta: / 8 : << / corim-meta / {
+    / signer: / 0 : / corim-signer-map / {
+      / signer: / 0 : "ACME Ltd."
     }
-  >>,
+  } >>,
+  / kid: / 4 : h'f8ccd2b49fdba32cd94498030fdc8e5010358919'
+} >>,
   / unprotected-corim-header-map / {},
-  / payload / << / corim-map / {
+  / payload / << 501(/ corim-map / {
     / corim.id / 0 : h'284e6c3e5d9f4f6b851f5a4247f243a7',
     / corim.tags / 1 : [
       / concise-mid-tag / 506( <<
@@ -57,6 +55,6 @@
         }
       >> )
       ]
-    } >>,
-  / signature / h'30650231009b98c7426d49d565c14df770dd3c0844a2b61d3573bdef2cea8495109b2e7f1d7e16d9109c70bc003d8a10b90787ec5e0230654242537fe8194ce8666d3fd907931329722dd065df11e14d6125b5f30dce54a26f7c7f69faa9dd977cee48a6bd087a'
-])
+    }) >>,
+  / signature / h'306502302f7503a689e612736fc4cd12977b47e5e3d6401dce20913b7b718924ef5bb72600471dab554a0d10c7d8da601e8f1c52023100b9458cccd479fcb63e169675bdd43b90f6088b63d81224449e8a6ba059b7d8e4985703d2659a14bfc7f77aea46a6f9bf'
+]))

cddl/examples/corim-4.diag.tmpl

@@ -0,0 +1,6 @@
+/ tagged-signed-corim / 502(/ signed-corim / 18([
+  / protected / << ${protected} >>,
+  / unprotected-corim-header-map / {},
+  / payload / << ${payload} >>,
+  / signature / ${signature}
+]))

cddl/examples/payload-corim-4.diag

@@ -0,0 +1,46 @@
+501(/ corim-map / {
+    / corim.id / 0 : h'284e6c3e5d9f4f6b851f5a4247f243a7',
+    / corim.tags / 1 : [
+      / concise-mid-tag / 506( <<
+        / concise-mid-tag / {
+          / comid.tag-identity / 1 : {
+            / comid.tag-id / 0 : h'3f06af63a93c11e4979700505690773f'
+          },
+          / comid.entity / 2 : [ {
+            / comid.entity-name / 0 : "ACME Inc.",
+            / comid.reg-id / 1 : 32("https://acme.example"),
+            / comid.role / 2 : [ 0 ] / tag-creator /
+          } ],
+          / comid.triples / 4 : {
+            / comid.reference-triples / 0 : [ [
+              / environment-map / {
+                / comid.class / 0 : {
+                  / comid.class-id / 0 :
+                    / tagged-uuid-type / 37(
+                      h'67b28b6c34cc40a19117ab5b05911e37'
+                    ),
+                  / comid.vendor / 1 : "ACME Inc.",
+                  / comid.model / 2 : "ACME RoadRunner",
+                  / comid.layer / 3 : 1
+                }
+              },
+              [
+                / measurement-map / {
+                  / comid.mval / 1 : {
+                    / comid.ver / 0 : {
+                      / comid.version / 0 : "1.0.0",
+                      / comid.version-scheme / 1 : 16384 / semver /
+                    },
+                    / comid.digests / 2 : [ [
+                      / hash-alg-id / 1, / sha256 /
+                      / hash-value / h'44aa336af4cb14a879432e53dd6571c7fa9bccafb75f488259262d6ea3a4d91b'
+                    ] ]
+                  }
+                }
+              ]
+            ] ]
+          }
+        }
+      >> )
+      ]
+    })

cddl/examples/protected-header-map.diag

@@ -0,0 +1,10 @@
+/ header_map / {
+  / alg: / 1 : -35,
+  / content-type: / 3 : "application/corim-unsigned+cbor",
+  / corim-meta: / 8 : << / corim-meta / {
+    / signer: / 0 : / corim-signer-map / {
+      / signer: / 0 : "ACME Ltd."
+    }
+  } >>,
+  / kid: / 4 : h'f8ccd2b49fdba32cd94498030fdc8e5010358919'
+}

cddl/examples/sig-structure.diag.tmpl

@@ -0,0 +1,6 @@
+/ Sig_structure / [
+  / context: / "Signature1",
+  / body_protected: / << ${protected} >>,
+  / external_aad: / h'',
+  / payload: / << ${payload} >>
+]

cddl/signed-corim.cddl

@@ -1 +1 @@
-signed-corim = #6.18(COSE-Sign1-corim)
+$signed-corim = #6.18(COSE-Sign1-corim)

cddl/tagged-signed-corim.cddl

@@ -1 +1 @@
-tagged-signed-corim = #6.502(signed-corim)
+tagged-signed-corim = #6.502($signed-corim)

draft-ietf-rats-corim.md

@@ -394,10 +394,13 @@ specification.
 {::include cddl/signed-corim.cddl}
 ~~~
 
-Signing a CoRIM follows the procedures defined in CBOR Object Signing and
-Encryption {{-cose}}. A CoRIM tag MUST be wrapped in a COSE_Sign1 structure.
+A CoRIM MAY be signed with any signing envelope format and tagged with #6.502 to be recognized as a signed CoRIM.
+The payload of any signing envelope MUST be the binary encoding of a `tagged-corim-map`.
+It is RECOMMENDED to use a CBOR Object Signing and Encryption envelope {{-cose}}.
 The CoRIM MUST be signed by the CoRIM creator.
 
+### COSE_Sign1-corim
+
 The following CDDL specification defines a restrictive subset of COSE header
 parameters that MUST be used in the protected header alongside additional
 information about the CoRIM encoded in a `corim-meta-map` ({{sec-corim-meta}}).