From df8efb2e43def2353d55927f1bfd9971b76be1f5 Mon Sep 17 00:00:00 2001 From: Dionna Glaze Date: Wed, 23 Oct 2024 18:06:05 +0000 Subject: [PATCH 01/18] Drop top level tagging requirement Tagged type choices are not typical. I would go so far as to drop the 500 tag as the entrypoint to CoRIM altogether. NVIDIA is creating CoRIMs this way, but they are using a different content-type in the protected header. I think we can drop it in an follow-up. This patch drops * the need to tag the type choice * the extensibility of concise-rim-type-choice, since extensibility is governed by a profile, and the profile is not known at this point in parsing. * the need to tag the signed corim, since it is a COSE-sign1 with an unambigiuous content-type, and COSE-sign1 already has its own tag. Addresses Issue #333, but 500 removal is TBD. Signed-off-by: Dionna Glaze --- cddl/corim.cddl | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/cddl/corim.cddl b/cddl/corim.cddl index 71835670..5fccd5f7 100644 --- a/cddl/corim.cddl +++ b/cddl/corim.cddl @@ -1,4 +1,5 @@ -corim = tagged-concise-rim-type-choice +corim = tagged-concise-rim-type-choice / concise-rim-type-choice -$concise-rim-type-choice /= tagged-corim-map -$concise-rim-type-choice /= tagged-signed-corim +concise-rim-type-choice /= tagged-corim-map +concise-rim-type-choice /= tagged-signed-corim +concise-rim-type-choice /= cose-sign1-corim From 630b205008e57612c9aad4570e4f7f5c5a1e86cd Mon Sep 17 00:00:00 2001 From: nedmsmith Date: Wed, 23 Oct 2024 11:48:23 -0700 Subject: [PATCH 02/18] Update corim.cddl Fixed PR so that it builds. --- cddl/corim.cddl | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/cddl/corim.cddl b/cddl/corim.cddl index 5fccd5f7..be6a1b4b 100644 --- a/cddl/corim.cddl +++ b/cddl/corim.cddl @@ -1,5 +1,5 @@ -corim = tagged-concise-rim-type-choice / concise-rim-type-choice +corim = tagged-concise-rim-type-choice / $concise-rim-type-choice -concise-rim-type-choice /= tagged-corim-map -concise-rim-type-choice /= tagged-signed-corim -concise-rim-type-choice /= cose-sign1-corim +$concise-rim-type-choice /= tagged-corim-map +$concise-rim-type-choice /= tagged-signed-corim +$concise-rim-type-choice /= COSE-Sign1-corim From fc033f85580fbb38cd67450a911842e7b6795ad7 Mon Sep 17 00:00:00 2001 From: Dionna Glaze Date: Wed, 18 Dec 2024 19:29:44 +0000 Subject: [PATCH 03/18] Change tags and content type to match errata1 Tagged type choices are not typical. I would go so far as to drop the 500 tag as the entrypoint to CoRIM altogether. NVIDIA is creating CoRIMs this way, but they are using a different content-type in the protected header. I think we can drop it in an follow-up. This patch drops the need to tag the type choice the extensibility of concise-rim-type-choice, since extensibility is governed by a profile, and the profile is not known at this point in parsing. the need to tag the signed corim, since it is a COSE-sign1 with an unambigiuous content-type, and COSE-sign1 already has its own tag. Addresses Issue #333, but 500 removal is TBD. --- cddl/cbor-tags.txt | 2 - cddl/corim.cddl | 6 +- cddl/cose-sign1-corim.cddl | 2 +- cddl/protected-corim-header-map.cddl | 2 +- cddl/tagged-concise-rim-type-choice.cddl | 2 - cddl/tagged-signed-corim.cddl | 1 - draft-ietf-rats-corim.md | 84 +++--------------------- 7 files changed, 15 insertions(+), 84 deletions(-) delete mode 100644 cddl/tagged-concise-rim-type-choice.cddl delete mode 100644 cddl/tagged-signed-corim.cddl diff --git a/cddl/cbor-tags.txt b/cddl/cbor-tags.txt index 16071038..f52fdebb 100644 --- a/cddl/cbor-tags.txt +++ b/cddl/cbor-tags.txt @@ -1,6 +1,4 @@ -tagged-concise-rim-type-choice = #6.500($concise-rim-type-choice) tagged-corim-map = #6.501(corim-map) -tagged-signed-corim = #6.502(signed-corim) tagged-concise-swid-tag = #6.505(bytes .cbor concise-swid-tag) tagged-concise-mid-tag = #6.506(bytes .cbor concise-mid-tag) tagged-concise-bom-tag = #6.508(bytes .cbor concise-bom-tag) diff --git a/cddl/corim.cddl b/cddl/corim.cddl index 71835670..f2636c66 100644 --- a/cddl/corim.cddl +++ b/cddl/corim.cddl @@ -1,4 +1,4 @@ -corim = tagged-concise-rim-type-choice +corim = concise-rim-type-choice -$concise-rim-type-choice /= tagged-corim-map -$concise-rim-type-choice /= tagged-signed-corim +concise-rim-type-choice /= tagged-corim-map +concise-rim-type-choice /= signed-corim diff --git a/cddl/cose-sign1-corim.cddl b/cddl/cose-sign1-corim.cddl index 0e574015..cfa916e1 100644 --- a/cddl/cose-sign1-corim.cddl +++ b/cddl/cose-sign1-corim.cddl @@ -1,6 +1,6 @@ COSE-Sign1-corim = [ protected: bstr .cbor protected-corim-header-map unprotected: unprotected-corim-header-map - payload: bstr .cbor (tagged-corim-map / corim-map) + payload: bstr .cbor tagged-corim-map signature: bstr ] diff --git a/cddl/protected-corim-header-map.cddl b/cddl/protected-corim-header-map.cddl index 2815f7b2..b9760ef7 100644 --- a/cddl/protected-corim-header-map.cddl +++ b/cddl/protected-corim-header-map.cddl @@ -1,6 +1,6 @@ protected-corim-header-map = { &(alg: 1) => int - &(content-type: 3) => "application/corim-unsigned+cbor" + &(content-type: 3) => "application/rim+cbor" &(kid: 4) => bstr &(corim-meta: 8) => bstr .cbor corim-meta-map * cose-label => cose-value diff --git a/cddl/tagged-concise-rim-type-choice.cddl b/cddl/tagged-concise-rim-type-choice.cddl deleted file mode 100644 index 38a7c983..00000000 --- a/cddl/tagged-concise-rim-type-choice.cddl +++ /dev/null @@ -1,2 +0,0 @@ - -tagged-concise-rim-type-choice = #6.500($concise-rim-type-choice) \ No newline at end of file diff --git a/cddl/tagged-signed-corim.cddl b/cddl/tagged-signed-corim.cddl deleted file mode 100644 index 799728ea..00000000 --- a/cddl/tagged-signed-corim.cddl +++ /dev/null @@ -1 +0,0 @@ -tagged-signed-corim = #6.502(signed-corim) \ No newline at end of file diff --git a/draft-ietf-rats-corim.md b/draft-ietf-rats-corim.md index 335486fa..765bf2e9 100644 --- a/draft-ietf-rats-corim.md +++ b/draft-ietf-rats-corim.md @@ -266,7 +266,7 @@ For more detail, see {{sec-corim-profile-types}}. A CoRIM can be signed ({{sec-corim-signed}}) using COSE Sign1 to provide end-to-end security to the CoRIM contents. When CoRIM is signed, the protected header carries further identifying information about the CoRIM signer. -Alternatively, CoRIM can be encoded as a CBOR-tagged payload ({{sec-corim-map}}) and transported over a secure channel. +Alternatively, CoRIM can be encoded as a #6.501 CBOR-tagged payload ({{sec-corim-map}}) and transported over a secure channel. The following CDDL describes the top-level CoRIM. @@ -363,8 +363,7 @@ Exercised extension points should preserve the intent of the original semantics. CoRIM profiles SHOULD be specified in a publicly available document. -A CoRIM profile can use one of the base CoRIM media types defined in {{sec-mt-corim-signed}} and -{{sec-mt-corim-unsigned}} with the `profile` parameter set to the appropriate value. +A CoRIM profile can use one of the base CoRIM media type defined in {{sec-mt-rim-cbor}} with the `profile` parameter set to the appropriate value. Alternatively, it MAY define and register its own media type. A profile identifier is either an OID {{-cbor-oids}} or a URL {{-uri}}. @@ -1183,13 +1182,13 @@ If the search criteria are satisfied, the `endorsements` entries are asserted wi #### Conditional Endorsement Series Triple {#sec-comid-triple-cond-series} -A Conditional Endorsement Series triple uses a "stateful environment" that identifies a Target Environment plus the measurements that have matching Evidence. +A Conditional Endorsement Series triple uses a "stateful environment" that identifies a Target Environment plus the measurements that have matching Evidence. The series object is an array of `conditional-series-record` that has both Reference and Endorsed Values. Each conditional-series-record record is evaluated in the order it appears in the series array. The Endorsed Values are accepted if the series condition in a `conditional-series-record` matches the attester's actual state. The first `conditional-series-record` that successfully matches an attester's actual state terminates the matching and the corresponding Endorsed Values are accepted. -If none of the series conditions match the attester's actual state, the triple is not matched, and no Endorsed values are accepted. +If none of the series conditions match the attester's actual state, the triple is not matched, and no Endorsed values are accepted. More clarification about the usage and matching order will be resolved by: [^tracked-at] https://github.com/ietf-rats-wg/draft-ietf-rats-corim/issues/321 @@ -2576,10 +2575,9 @@ IANA is requested to allocate the following tags in the "CBOR Tags" registry {{! | Tag | Data Item | Semantics | Reference | | --- | --------- | --------- | --------- | -| 500 | `tag` | A tagged-concise-rim-type-choice, see {{sec-corim-tags}} | {{&SELF}} | +| 500 | `tag` | Earmarked for CoRIM | {{&SELF}} | | 501 | `map` | A tagged-corim-map, see {{sec-corim-map}} | {{&SELF}} | -| 502 | `tag` | A tagged-signed-corim, see {{sec-corim-signed}} | {{&SELF}} | -| 503-504 | `any` | Earmarked for CoRIM | {{&SELF}} | +| 502-504 | `any` | Earmarked for CoRIM | {{&SELF}} | | 505 | `bytes` | A tagged-concise-swid-tag, see {{sec-corim-tags}} | {{&SELF}} | | 506 | `bytes` | A tagged-concise-mid-tag, see {{sec-corim-tags}} | {{&SELF}} | | 507 | `any` | Earmarked for CoRIM | {{&SELF}} | @@ -2690,78 +2688,17 @@ IANA is requested to add the following media types to the "Media Types" registry {{!IANA.media-types}}. | Name | Template | Reference | -| corim-signed+cbor | application/corim-signed+cbor | {{&SELF}}, ({{sec-mt-corim-signed}}) | -| corim-unsigned+cbor | application/corim-unsigned+cbor | {{&SELF}}, ({{sec-mt-corim-unsigned}}) | +| rim+cbor | application/rim+cbor | {{&SELF}}, ({{sec-mt-rim-cbor}}) | {: #tbl-media-type align="left" title="New Media Types"} -### corim-signed+cbor {#sec-mt-corim-signed} +### rim+cbor {#sec-mt-rim-cbor} {:compact} Type name: : `application` Subtype name: -: `corim-signed+cbor` - -Required parameters: -: n/a - -Optional parameters: -: "profile" (CoRIM profile in string format. OIDs MUST use the dotted-decimal - notation.) - -Encoding considerations: -: binary - -Security considerations: -: ({{sec-sec}}) of {{&SELF}} - -Interoperability considerations: -: n/a - -Published specification: -: {{&SELF}} - -Applications that use this media type: -: Attestation Verifiers, Endorsers and Reference-Value providers that need to - transfer COSE Sign1 wrapped CoRIM payloads over HTTP(S), CoAP(S), and other - transports. - -Fragment identifier considerations: -: n/a - -Magic number(s): -: `D9 01 F6 D2`, `D9 01 F4 D9 01 F6 D2` - -File extension(s): -: n/a - -Macintosh file type code(s): -: n/a - -Person and email address to contact for further information: -: RATS WG mailing list (rats@ietf.org) - -Intended usage: -: COMMON - -Restrictions on usage: -: none - -Author/Change controller: -: IETF - -Provisional registration? -: Maybe - -### corim-unsigned+cbor {#sec-mt-corim-unsigned} - -{:compact} -Type name: -: `application` - -Subtype name: -: `corim-unsigned+cbor` +: `rim+cbor` Required parameters: : n/a @@ -2822,8 +2759,7 @@ Environments (CoRE) Parameters" Registry {{!IANA.core-parameters}}: | Content-Type | Content Coding | ID | Reference | |--- -| application/corim-signed+cbor | - | TBD1 | {{&SELF}} | -| application/corim-unsigned+cbor | - | TBD2 | {{&SELF}} | +| application/rim+cbor | - | TBD1 | {{&SELF}} | {: align="left" title="New Content-Formats"} --- back From d401fbfbec870f91bee80572d97bb5b7af8e33e2 Mon Sep 17 00:00:00 2001 From: Dionna Glaze Date: Wed, 18 Dec 2024 19:53:17 +0000 Subject: [PATCH 04/18] Fix CoRIM examples with CDDL changes. --- cddl/corim-frags.mk | 2 - cddl/examples/corim-1.diag | 90 +++++++------ cddl/examples/corim-2.diag | 187 +++++++++++++-------------- cddl/examples/corim-design-cd.diag | 6 +- cddl/examples/corim-firmware-cd.diag | 6 +- 5 files changed, 141 insertions(+), 150 deletions(-) diff --git a/cddl/corim-frags.mk b/cddl/corim-frags.mk index 70e85aa1..ca4b8f09 100644 --- a/cddl/corim-frags.mk +++ b/cddl/corim-frags.mk @@ -65,8 +65,6 @@ CORIM_FRAGS += profile-type-choice.cddl CORIM_FRAGS += protected-corim-header-map.cddl CORIM_FRAGS += signed-corim.cddl CORIM_FRAGS += tagged-corim-map.cddl -CORIM_FRAGS += tagged-concise-rim-type-choice.cddl -CORIM_FRAGS += tagged-signed-corim.cddl CORIM_FRAGS += tagged-concise-swid-tag.cddl CORIM_FRAGS += tagged-concise-mid-tag.cddl CORIM_FRAGS += tagged-concise-bom-tag.cddl diff --git a/cddl/examples/corim-1.diag b/cddl/examples/corim-1.diag index 67e1cefe..05f446eb 100644 --- a/cddl/examples/corim-1.diag +++ b/cddl/examples/corim-1.diag @@ -1,49 +1,47 @@ -/ corim / 500( - / corim-map / 501({ - / corim.id / 0 : h'284e6c3e5d9f4f6b851f5a4247f243a7', - / corim.tags / 1 : [ - / concise-mid-tag / 506( << - / concise-mid-tag / { - / comid.tag-identity / 1 : { - / comid.tag-id / 0 : h'3f06af63a93c11e4979700505690773f' - }, - / comid.entity / 2 : [ { - / comid.entity-name / 0 : "ACME Inc.", - / comid.reg-id / 1 : 32("https://acme.example"), - / comid.role / 2 : [ 0 ] / tag-creator / - } ], - / comid.triples / 4 : { - / comid.reference-triples / 0 : [ [ - / environment-map / { - / comid.class / 0 : { - / comid.class-id / 0 : - / tagged-uuid-type / 37( - h'67b28b6c34cc40a19117ab5b05911e37' - ), - / comid.vendor / 1 : "ACME Inc.", - / comid.model / 2 : "ACME RoadRunner", - / comid.layer / 3 : 1 +/ tagged-corim-map / 501({ + / corim.id / 0 : h'284e6c3e5d9f4f6b851f5a4247f243a7', + / corim.tags / 1 : [ + / concise-mid-tag / 506( << + / concise-mid-tag / { + / comid.tag-identity / 1 : { + / comid.tag-id / 0 : h'3f06af63a93c11e4979700505690773f' + }, + / comid.entity / 2 : [ { + / comid.entity-name / 0 : "ACME Inc.", + / comid.reg-id / 1 : 32("https://acme.example"), + / comid.role / 2 : [ 0 ] / tag-creator / + } ], + / comid.triples / 4 : { + / comid.reference-triples / 0 : [ [ + / environment-map / { + / comid.class / 0 : { + / comid.class-id / 0 : + / tagged-uuid-type / 37( + h'67b28b6c34cc40a19117ab5b05911e37' + ), + / comid.vendor / 1 : "ACME Inc.", + / comid.model / 2 : "ACME RoadRunner", + / comid.layer / 3 : 1 + } + }, + [ + / measurement-map / { + / comid.mval / 1 : { + / comid.ver / 0 : { + / comid.version / 0 : "1.0.0", + / comid.version-scheme / 1 : 16384 / semver / + }, + / comid.digests / 2 : [ [ + / hash-alg-id / 1, / sha256 / + / hash-value / h'44aa336af4cb14a879432e53dd6571c7fa9bccafb75f488259262d6ea3a4d91b' + ] ] } - }, - [ - / measurement-map / { - / comid.mval / 1 : { - / comid.ver / 0 : { - / comid.version / 0 : "1.0.0", - / comid.version-scheme / 1 : 16384 / semver / - }, - / comid.digests / 2 : [ [ - / hash-alg-id / 1, / sha256 / - / hash-value / h'44aa336af4cb14a879432e53dd6571c7fa9bccafb75f488259262d6ea3a4d91b' - ] ] - } - } - ] - ] ] - } + } + ] + ] ] } - >> ) - ] - } - ) + } + >> ) + ] + } ) diff --git a/cddl/examples/corim-2.diag b/cddl/examples/corim-2.diag index 502d1645..09bf6630 100644 --- a/cddl/examples/corim-2.diag +++ b/cddl/examples/corim-2.diag @@ -1,115 +1,114 @@ -/ corim / 500( - / corim-map / 501({ - / corim.id / 0 : h'284e6c3e5d9f4f6b851f5a4247f243a7', - / corim.tags / 1 : [ - / concise-mid-tag / 506( << - / concise-mid-tag / { - / comid.tag-identity / 1 : { - / comid.tag-id / 0 : h'3f06af63a93c11e4979700505690773f' - }, - / comid.entity / 2 : [ { - / comid.entity-name / 0 : "ACME Inc.", - / comid.reg-id / 1 : 32("https://acme.example"), - / comid.role / 2 : [ 0 ] / tag-creator / - } ], - / comid.triples / 4 : { - / comid.reference-triples / 0 : [ - [ - / environment-map / { - / comid.class / 0 : { - / comid.class-id / 0 : - / tagged-uuid-type / 37( - h'67b28b6c34cc40a19117ab5b05911e37' - ), - / comid.vendor / 1 : "ACME Inc.", - / comid.model / 2 : "ACME RoadRunner Firmware", - / comid.layer / 3 : 1 - } - }, - [ - / measurement-map / { - / comid.mval / 1 : { - / comid.digests / 2 : [ [ - / hash-alg-id / 1, / sha256 / - / hash-value / h'44aa336af4cb14a879432e53dd6571c7fa9bccafb75f488259262d6ea3a4d91b' - ] ] - } - } - ] - ], +/ tagged-corim-map / 501({ + / corim.id / 0 : h'284e6c3e5d9f4f6b851f5a4247f243a7', + / corim.tags / 1 : [ + / concise-mid-tag / 506( << + / concise-mid-tag / { + / comid.tag-identity / 1 : { + / comid.tag-id / 0 : h'3f06af63a93c11e4979700505690773f' + }, + / comid.entity / 2 : [ { + / comid.entity-name / 0 : "ACME Inc.", + / comid.reg-id / 1 : 32("https://acme.example"), + / comid.role / 2 : [ 0 ] / tag-creator / + } ], + / comid.triples / 4 : { + / comid.reference-triples / 0 : [ + [ + / environment-map / { + / comid.class / 0 : { + / comid.class-id / 0 : + / tagged-uuid-type / 37( + h'67b28b6c34cc40a19117ab5b05911e37' + ), + / comid.vendor / 1 : "ACME Inc.", + / comid.model / 2 : "ACME RoadRunner Firmware", + / comid.layer / 3 : 1 + } + }, [ - / environment-map / { - / comid.class / 0 : { - / comid.class-id / 0 : - / tagged-uuid-type / 37( - h'a71b3e388d454a0581f352e58c832c5c' - ), - / comid.vendor / 1 : "WYLIE Inc.", - / comid.model / 2 : "WYLIE Coyote Trusted OS", - / comid.layer / 3 : 2, - / comid.index / 4 : 0 - } - }, - [ - / measurement-map / { - / comid.mval / 1 : { - / comid.digests / 2 : [ [ - / hash-alg-id / 1, / sha256 / - / hash-value / h'bb71198ed60a95dc3c619e555c2c0b8d7564a38031b034a195892591c65365b0' - ] ] - } + / measurement-map / { + / comid.mval / 1 : { + / comid.digests / 2 : [ [ + / hash-alg-id / 1, / sha256 / + / hash-value / h'44aa336af4cb14a879432e53dd6571c7fa9bccafb75f488259262d6ea3a4d91b' + ] ] } - ] - ], + } + ] + ], + [ + / environment-map / { + / comid.class / 0 : { + / comid.class-id / 0 : + / tagged-uuid-type / 37( + h'a71b3e388d454a0581f352e58c832c5c' + ), + / comid.vendor / 1 : "WYLIE Inc.", + / comid.model / 2 : "WYLIE Coyote Trusted OS", + / comid.layer / 3 : 2, + / comid.index / 4 : 0 + } + }, [ - / environment-map / { - / comid.class / 0 : { - / comid.class-id / 0 : - / tagged-uuid-type / 37( - h'a71b3e388d454a0581f352e58c832c5c' - ), - / comid.vendor / 1 : "WYLIE Inc.", - / comid.model / 2 : "WYLIE Coyote Trusted OS", - / comid.layer / 3 : 2, - / comid.index / 4 : 1 - } - }, - [ - / measurement-map / { - / comid.mval / 1 : { - / comid.digests / 2 : [ [ - / hash-alg-id / 1, / sha256 / - / hash-value / h'bb71198ed60a95dc3c619e555c2c0b8d7564a38031b034a195892591c65365b0' - ] ] - } + / measurement-map / { + / comid.mval / 1 : { + / comid.digests / 2 : [ [ + / hash-alg-id / 1, / sha256 / + / hash-value / h'bb71198ed60a95dc3c619e555c2c0b8d7564a38031b034a195892591c65365b0' + ] ] } - ] + } ] ], - / comid.endorsed-triples / 1 : [ [ + [ / environment-map / { / comid.class / 0 : { / comid.class-id / 0 : / tagged-uuid-type / 37( - h'67b28b6c34cc40a19117ab5b05911e37' + h'a71b3e388d454a0581f352e58c832c5c' ), - / comid.vendor / 1 : "ACME Inc.", - / comid.model / 2 : "ACME RoadRunner Root of Trust", - / comid.layer / 3 : 0 + / comid.vendor / 1 : "WYLIE Inc.", + / comid.model / 2 : "WYLIE Coyote Trusted OS", + / comid.layer / 3 : 2, + / comid.index / 4 : 1 } }, [ / measurement-map / { / comid.mval / 1 : { - / comid.svn / 1 : 552(1) + / comid.digests / 2 : [ [ + / hash-alg-id / 1, / sha256 / + / hash-value / h'bb71198ed60a95dc3c619e555c2c0b8d7564a38031b034a195892591c65365b0' + ] ] } } ] - ] ] - } + ] + ], + / comid.endorsed-triples / 1 : [ [ + / environment-map / { + / comid.class / 0 : { + / comid.class-id / 0 : + / tagged-uuid-type / 37( + h'67b28b6c34cc40a19117ab5b05911e37' + ), + / comid.vendor / 1 : "ACME Inc.", + / comid.model / 2 : "ACME RoadRunner Root of Trust", + / comid.layer / 3 : 0 + } + }, + [ + / measurement-map / { + / comid.mval / 1 : { + / comid.svn / 1 : 552(1) + } + } + ] + ] ] } - >> ) - ] - } - ) + } + >> ) + ] + } ) + diff --git a/cddl/examples/corim-design-cd.diag b/cddl/examples/corim-design-cd.diag index fdf21201..3c47d17b 100644 --- a/cddl/examples/corim-design-cd.diag +++ b/cddl/examples/corim-design-cd.diag @@ -1,5 +1,4 @@ -/ corim / 500( - / corim-map / 501({ +/ tagged-corim-map / 501({ / corim.id / 0 : h'0A2D9D8C56F74071B4F38065C37E4ACF', / corim.tags / 1 : [ / concise-mid-tag / 506( << @@ -138,5 +137,4 @@ ], / corim.profile / 3 : 111(h'6086480186F84D010F06') / 2.16.840.1.113741.1.15.6 / - }) -) +}) \ No newline at end of file diff --git a/cddl/examples/corim-firmware-cd.diag b/cddl/examples/corim-firmware-cd.diag index 818259c4..fadb3e20 100644 --- a/cddl/examples/corim-firmware-cd.diag +++ b/cddl/examples/corim-firmware-cd.diag @@ -1,5 +1,4 @@ -/ corim / 500( - / corim-map / 501({ +/ tagged-corim-map / 501({ / corim.id / 0 : h'29B834181A5C4E4EA53E8F8786BC8C5B', / corim.tags / 1 : [ / concise-mid-tag / 506( << @@ -90,5 +89,4 @@ ], / corim.profile / 3 : 111( h'6086480186F84D010F06') / 2.16.840.1.113741.1.15.6 / - }) -) +}) From ae6544534dccc35a2b6bc60115bd4fe6b076c18b Mon Sep 17 00:00:00 2001 From: Dionna Glaze Date: Wed, 18 Dec 2024 19:41:40 +0000 Subject: [PATCH 05/18] Create signed example in Makefile. --- cddl/Makefile | 17 +++++++ cddl/cbor-tags.txt | 1 + cddl/examples/corim-4.diag | 60 +++++++++++++++++++++++++ cddl/examples/corim-4.diag.tmpl | 6 +++ cddl/examples/payload-corim-4.diag | 46 +++++++++++++++++++ cddl/examples/protected-header-map.diag | 10 +++++ cddl/examples/sig-structure.diag.tmpl | 6 +++ 7 files changed, 146 insertions(+) create mode 100644 cddl/examples/corim-4.diag create mode 100644 cddl/examples/corim-4.diag.tmpl create mode 100644 cddl/examples/payload-corim-4.diag create mode 100644 cddl/examples/protected-header-map.diag create mode 100644 cddl/examples/sig-structure.diag.tmpl diff --git a/cddl/Makefile b/cddl/Makefile index 983522e6..a28a9ab8 100644 --- a/cddl/Makefile +++ b/cddl/Makefile @@ -42,6 +42,23 @@ CLEANFILES += $(3:.diag=.pretty) endef # cddl_check_template +examples/sig-structure.diag: examples/sig-structure.diag.tmpl examples/payload-corim-4.diag examples/protected-header-map.diag + payload="$$(cat examples/payload-corim-4.diag)" \ + protected="$$(cat examples/protected-header-map.diag)" \ + envsubst < examples/sig-structure.diag.tmpl > examples/sig-structure.diag + +examples/testkey.pem: + openssl ecparam -name secp384r1 -genkey -noout -out examples/testkey.pem + +examples/corim-4.sig: examples/sig-structure.cbor examples/testkey.pem + openssl dgst -sha384 -sign examples/testkey.pem -out examples/corim-4.sig examples/sig-structure.cbor + +examples/corim-4.diag: examples/corim-4.sig examples/corim-4.diag.tmpl examples/payload-corim-4.diag examples/protected-header-map.diag + payload="$$(cat examples/payload-corim-4.diag)" \ + protected="$$(cat examples/protected-header-map.diag)" \ + signature="h'$$(cat examples/corim-4.sig | xxd -p -c 128)'" \ + envsubst < examples/corim-4.diag.tmpl > examples/corim-4.diag + include corim-frags.mk $(eval $(call cddl_check_template,comid,$(COMID_FRAGS),$(COMID_EXAMPLES))) diff --git a/cddl/cbor-tags.txt b/cddl/cbor-tags.txt index f52fdebb..c4916942 100644 --- a/cddl/cbor-tags.txt +++ b/cddl/cbor-tags.txt @@ -14,3 +14,4 @@ tagged-cert-thumbprint-type = #6.559(digest) tagged-bytes = #6.560(bytes) tagged-cert-path-thumbprint-type = #6.561(digest) tagged-pkix-asn1der-cert-type = #6.562(bstr) +tagged-integral-predicate= #6.563(integral-predicate) diff --git a/cddl/examples/corim-4.diag b/cddl/examples/corim-4.diag new file mode 100644 index 00000000..068a898c --- /dev/null +++ b/cddl/examples/corim-4.diag @@ -0,0 +1,60 @@ +/ signed-corim / 18([ + / protected / << / header_map / { + / alg: / 1 : -35, + / content-type: / 3 : "application/rim+cbor", + / corim-meta: / 8 : << / corim-meta / { + / signer: / 0 : / corim-signer-map / { + / signer: / 0 : "ACME Ltd." + } + } >>, + / kid: / 4 : h'f8ccd2b49fdba32cd94498030fdc8e5010358919' +} >>, + / unprotected-corim-header-map / {}, + / payload / << 501(/ corim-map / { + / corim.id / 0 : h'284e6c3e5d9f4f6b851f5a4247f243a7', + / corim.tags / 1 : [ + / concise-mid-tag / 506( << + / concise-mid-tag / { + / comid.tag-identity / 1 : { + / comid.tag-id / 0 : h'3f06af63a93c11e4979700505690773f' + }, + / comid.entity / 2 : [ { + / comid.entity-name / 0 : "ACME Inc.", + / comid.reg-id / 1 : 32("https://acme.example"), + / comid.role / 2 : [ 0 ] / tag-creator / + } ], + / comid.triples / 4 : { + / comid.reference-triples / 0 : [ [ + / environment-map / { + / comid.class / 0 : { + / comid.class-id / 0 : + / tagged-uuid-type / 37( + h'67b28b6c34cc40a19117ab5b05911e37' + ), + / comid.vendor / 1 : "ACME Inc.", + / comid.model / 2 : "ACME RoadRunner", + / comid.layer / 3 : 1 + } + }, + [ + / measurement-map / { + / comid.mval / 1 : { + / comid.ver / 0 : { + / comid.version / 0 : "1.0.0", + / comid.version-scheme / 1 : 16384 / semver / + }, + / comid.digests / 2 : [ [ + / hash-alg-id / 1, / sha256 / + / hash-value / h'44aa336af4cb14a879432e53dd6571c7fa9bccafb75f488259262d6ea3a4d91b' + ] ] + } + } + ] + ] ] + } + } + >> ) + ] + }) >>, + / signature / h'30660231008520f6f6980ee6e702602450fba17ee151c479dc85cc8e55ecc31afe28eb4c50d8fd98230eef1bfc9d631a23a0bc76850231009df2d8656978d590aabefac29ebeedea18adc9de837ddf59b5d4348bd6ab15cef526de0b20c32db6b9fd8b7b49cd5b20' +]) diff --git a/cddl/examples/corim-4.diag.tmpl b/cddl/examples/corim-4.diag.tmpl new file mode 100644 index 00000000..d6421b04 --- /dev/null +++ b/cddl/examples/corim-4.diag.tmpl @@ -0,0 +1,6 @@ +/ signed-corim / 18([ + / protected / << ${protected} >>, + / unprotected-corim-header-map / {}, + / payload / << ${payload} >>, + / signature / ${signature} +]) diff --git a/cddl/examples/payload-corim-4.diag b/cddl/examples/payload-corim-4.diag new file mode 100644 index 00000000..91b8abc9 --- /dev/null +++ b/cddl/examples/payload-corim-4.diag @@ -0,0 +1,46 @@ +501(/ corim-map / { + / corim.id / 0 : h'284e6c3e5d9f4f6b851f5a4247f243a7', + / corim.tags / 1 : [ + / concise-mid-tag / 506( << + / concise-mid-tag / { + / comid.tag-identity / 1 : { + / comid.tag-id / 0 : h'3f06af63a93c11e4979700505690773f' + }, + / comid.entity / 2 : [ { + / comid.entity-name / 0 : "ACME Inc.", + / comid.reg-id / 1 : 32("https://acme.example"), + / comid.role / 2 : [ 0 ] / tag-creator / + } ], + / comid.triples / 4 : { + / comid.reference-triples / 0 : [ [ + / environment-map / { + / comid.class / 0 : { + / comid.class-id / 0 : + / tagged-uuid-type / 37( + h'67b28b6c34cc40a19117ab5b05911e37' + ), + / comid.vendor / 1 : "ACME Inc.", + / comid.model / 2 : "ACME RoadRunner", + / comid.layer / 3 : 1 + } + }, + [ + / measurement-map / { + / comid.mval / 1 : { + / comid.ver / 0 : { + / comid.version / 0 : "1.0.0", + / comid.version-scheme / 1 : 16384 / semver / + }, + / comid.digests / 2 : [ [ + / hash-alg-id / 1, / sha256 / + / hash-value / h'44aa336af4cb14a879432e53dd6571c7fa9bccafb75f488259262d6ea3a4d91b' + ] ] + } + } + ] + ] ] + } + } + >> ) + ] + }) diff --git a/cddl/examples/protected-header-map.diag b/cddl/examples/protected-header-map.diag new file mode 100644 index 00000000..9baf44db --- /dev/null +++ b/cddl/examples/protected-header-map.diag @@ -0,0 +1,10 @@ +/ header_map / { + / alg: / 1 : -35, + / content-type: / 3 : "application/rim+cbor", + / corim-meta: / 8 : << / corim-meta / { + / signer: / 0 : / corim-signer-map / { + / signer: / 0 : "ACME Ltd." + } + } >>, + / kid: / 4 : h'f8ccd2b49fdba32cd94498030fdc8e5010358919' +} diff --git a/cddl/examples/sig-structure.diag.tmpl b/cddl/examples/sig-structure.diag.tmpl new file mode 100644 index 00000000..3a81924c --- /dev/null +++ b/cddl/examples/sig-structure.diag.tmpl @@ -0,0 +1,6 @@ +/ Sig_structure / [ + / context: / "Signature1", + / body_protected: / << ${protected} >>, + / external_aad: / h'', + / payload: / << ${payload} >> +] From e11242b993aead325ba7070e55789cefb78a5e17 Mon Sep 17 00:00:00 2001 From: Dionna Glaze Date: Wed, 18 Dec 2024 23:03:53 +0000 Subject: [PATCH 06/18] Remove signing from Makefile CI doesn't have envsubst or openssl tools. --- cddl/Makefile | 33 +++++++++++++++++---------------- 1 file changed, 17 insertions(+), 16 deletions(-) diff --git a/cddl/Makefile b/cddl/Makefile index a28a9ab8..86bd75c8 100644 --- a/cddl/Makefile +++ b/cddl/Makefile @@ -42,22 +42,23 @@ CLEANFILES += $(3:.diag=.pretty) endef # cddl_check_template -examples/sig-structure.diag: examples/sig-structure.diag.tmpl examples/payload-corim-4.diag examples/protected-header-map.diag - payload="$$(cat examples/payload-corim-4.diag)" \ - protected="$$(cat examples/protected-header-map.diag)" \ - envsubst < examples/sig-structure.diag.tmpl > examples/sig-structure.diag - -examples/testkey.pem: - openssl ecparam -name secp384r1 -genkey -noout -out examples/testkey.pem - -examples/corim-4.sig: examples/sig-structure.cbor examples/testkey.pem - openssl dgst -sha384 -sign examples/testkey.pem -out examples/corim-4.sig examples/sig-structure.cbor - -examples/corim-4.diag: examples/corim-4.sig examples/corim-4.diag.tmpl examples/payload-corim-4.diag examples/protected-header-map.diag - payload="$$(cat examples/payload-corim-4.diag)" \ - protected="$$(cat examples/protected-header-map.diag)" \ - signature="h'$$(cat examples/corim-4.sig | xxd -p -c 128)'" \ - envsubst < examples/corim-4.diag.tmpl > examples/corim-4.diag +# Commented since CI doesn't have openssl +#examples/sig-structure.diag: examples/sig-structure.diag.tmpl examples/payload-corim-4.diag examples/protected-header-map.diag +# payload="$$(cat examples/payload-corim-4.diag)" \ +# protected="$$(cat examples/protected-header-map.diag)" \ +# envsubst < examples/sig-structure.diag.tmpl > examples/sig-structure.diag + +#examples/testkey.pem: +# openssl ecparam -name secp384r1 -genkey -noout -out examples/testkey.pem + +#examples/corim-4.sig: examples/sig-structure.cbor examples/testkey.pem +# openssl dgst -sha384 -sign examples/testkey.pem -out examples/corim-4.sig examples/sig-structure.cbor + +#examples/corim-4.diag: examples/corim-4.sig examples/corim-4.diag.tmpl examples/payload-corim-4.diag examples/protected-header-map.diag +# payload="$$(cat examples/payload-corim-4.diag)" \ +# protected="$$(cat examples/protected-header-map.diag)" \ +# signature="h'$$(cat examples/corim-4.sig | xxd -p -c 128)'" \ +# envsubst < examples/corim-4.diag.tmpl > examples/corim-4.diag include corim-frags.mk From 7e53fda00ae10216cfb5f22924a3145bddad85e3 Mon Sep 17 00:00:00 2001 From: Dionna Glaze Date: Wed, 18 Dec 2024 19:29:44 +0000 Subject: [PATCH 07/18] Change tags and content type to match errata1 Tagged type choices are not typical. I would go so far as to drop the 500 tag as the entrypoint to CoRIM altogether. NVIDIA is creating CoRIMs this way, but they are using a different content-type in the protected header. I think we can drop it in an follow-up. This patch drops the need to tag the type choice the extensibility of concise-rim-type-choice, since extensibility is governed by a profile, and the profile is not known at this point in parsing. the need to tag the signed corim, since it is a COSE-sign1 with an unambigiuous content-type, and COSE-sign1 already has its own tag. Addresses Issue #333, but 500 removal is TBD. --- cddl/cbor-tags.txt | 2 - cddl/corim.cddl | 6 +- cddl/cose-sign1-corim.cddl | 2 +- cddl/protected-corim-header-map.cddl | 2 +- cddl/tagged-concise-rim-type-choice.cddl | 2 - cddl/tagged-signed-corim.cddl | 1 - draft-ietf-rats-corim.md | 80 +++--------------------- 7 files changed, 13 insertions(+), 82 deletions(-) delete mode 100644 cddl/tagged-concise-rim-type-choice.cddl delete mode 100644 cddl/tagged-signed-corim.cddl diff --git a/cddl/cbor-tags.txt b/cddl/cbor-tags.txt index 16071038..f52fdebb 100644 --- a/cddl/cbor-tags.txt +++ b/cddl/cbor-tags.txt @@ -1,6 +1,4 @@ -tagged-concise-rim-type-choice = #6.500($concise-rim-type-choice) tagged-corim-map = #6.501(corim-map) -tagged-signed-corim = #6.502(signed-corim) tagged-concise-swid-tag = #6.505(bytes .cbor concise-swid-tag) tagged-concise-mid-tag = #6.506(bytes .cbor concise-mid-tag) tagged-concise-bom-tag = #6.508(bytes .cbor concise-bom-tag) diff --git a/cddl/corim.cddl b/cddl/corim.cddl index 71835670..f2636c66 100644 --- a/cddl/corim.cddl +++ b/cddl/corim.cddl @@ -1,4 +1,4 @@ -corim = tagged-concise-rim-type-choice +corim = concise-rim-type-choice -$concise-rim-type-choice /= tagged-corim-map -$concise-rim-type-choice /= tagged-signed-corim +concise-rim-type-choice /= tagged-corim-map +concise-rim-type-choice /= signed-corim diff --git a/cddl/cose-sign1-corim.cddl b/cddl/cose-sign1-corim.cddl index 0e574015..cfa916e1 100644 --- a/cddl/cose-sign1-corim.cddl +++ b/cddl/cose-sign1-corim.cddl @@ -1,6 +1,6 @@ COSE-Sign1-corim = [ protected: bstr .cbor protected-corim-header-map unprotected: unprotected-corim-header-map - payload: bstr .cbor (tagged-corim-map / corim-map) + payload: bstr .cbor tagged-corim-map signature: bstr ] diff --git a/cddl/protected-corim-header-map.cddl b/cddl/protected-corim-header-map.cddl index 2815f7b2..b9760ef7 100644 --- a/cddl/protected-corim-header-map.cddl +++ b/cddl/protected-corim-header-map.cddl @@ -1,6 +1,6 @@ protected-corim-header-map = { &(alg: 1) => int - &(content-type: 3) => "application/corim-unsigned+cbor" + &(content-type: 3) => "application/rim+cbor" &(kid: 4) => bstr &(corim-meta: 8) => bstr .cbor corim-meta-map * cose-label => cose-value diff --git a/cddl/tagged-concise-rim-type-choice.cddl b/cddl/tagged-concise-rim-type-choice.cddl deleted file mode 100644 index 38a7c983..00000000 --- a/cddl/tagged-concise-rim-type-choice.cddl +++ /dev/null @@ -1,2 +0,0 @@ - -tagged-concise-rim-type-choice = #6.500($concise-rim-type-choice) \ No newline at end of file diff --git a/cddl/tagged-signed-corim.cddl b/cddl/tagged-signed-corim.cddl deleted file mode 100644 index 799728ea..00000000 --- a/cddl/tagged-signed-corim.cddl +++ /dev/null @@ -1 +0,0 @@ -tagged-signed-corim = #6.502(signed-corim) \ No newline at end of file diff --git a/draft-ietf-rats-corim.md b/draft-ietf-rats-corim.md index 9c6a9c80..2b53c1c5 100644 --- a/draft-ietf-rats-corim.md +++ b/draft-ietf-rats-corim.md @@ -266,7 +266,7 @@ For more detail, see {{sec-corim-profile-types}}. A CoRIM can be signed ({{sec-corim-signed}}) using COSE Sign1 to provide end-to-end security to the CoRIM contents. When CoRIM is signed, the protected header carries further identifying information about the CoRIM signer. -Alternatively, CoRIM can be encoded as a CBOR-tagged payload ({{sec-corim-map}}) and transported over a secure channel. +Alternatively, CoRIM can be encoded as a #6.501 CBOR-tagged payload ({{sec-corim-map}}) and transported over a secure channel. The following CDDL describes the top-level CoRIM. @@ -363,8 +363,7 @@ Exercised extension points should preserve the intent of the original semantics. CoRIM profiles SHOULD be specified in a publicly available document. -A CoRIM profile can use one of the base CoRIM media types defined in {{sec-mt-corim-signed}} and -{{sec-mt-corim-unsigned}} with the `profile` parameter set to the appropriate value. +A CoRIM profile can use one of the base CoRIM media type defined in {{sec-mt-rim-cbor}} with the `profile` parameter set to the appropriate value. Alternatively, it MAY define and register its own media type. A profile identifier is either an OID {{-cbor-oids}} or a URL {{-uri}}. @@ -2591,10 +2590,9 @@ IANA is requested to allocate the following tags in the "CBOR Tags" registry {{! | Tag | Data Item | Semantics | Reference | | --- | --------- | --------- | --------- | -| 500 | `tag` | A tagged-concise-rim-type-choice, see {{sec-corim-tags}} | {{&SELF}} | +| 500 | `tag` | Earmarked for CoRIM | {{&SELF}} | | 501 | `map` | A tagged-corim-map, see {{sec-corim-map}} | {{&SELF}} | -| 502 | `tag` | A tagged-signed-corim, see {{sec-corim-signed}} | {{&SELF}} | -| 503-504 | `any` | Earmarked for CoRIM | {{&SELF}} | +| 502-504 | `any` | Earmarked for CoRIM | {{&SELF}} | | 505 | `bytes` | A tagged-concise-swid-tag, see {{sec-corim-tags}} | {{&SELF}} | | 506 | `bytes` | A tagged-concise-mid-tag, see {{sec-corim-tags}} | {{&SELF}} | | 507 | `any` | Earmarked for CoRIM | {{&SELF}} | @@ -2705,78 +2703,17 @@ IANA is requested to add the following media types to the "Media Types" registry {{!IANA.media-types}}. | Name | Template | Reference | -| corim-signed+cbor | application/corim-signed+cbor | {{&SELF}}, ({{sec-mt-corim-signed}}) | -| corim-unsigned+cbor | application/corim-unsigned+cbor | {{&SELF}}, ({{sec-mt-corim-unsigned}}) | +| rim+cbor | application/rim+cbor | {{&SELF}}, ({{sec-mt-rim-cbor}}) | {: #tbl-media-type align="left" title="New Media Types"} -### corim-signed+cbor {#sec-mt-corim-signed} +### rim+cbor {#sec-mt-rim-cbor} {:compact} Type name: : `application` Subtype name: -: `corim-signed+cbor` - -Required parameters: -: n/a - -Optional parameters: -: "profile" (CoRIM profile in string format. OIDs MUST use the dotted-decimal - notation.) - -Encoding considerations: -: binary - -Security considerations: -: ({{sec-sec}}) of {{&SELF}} - -Interoperability considerations: -: n/a - -Published specification: -: {{&SELF}} - -Applications that use this media type: -: Attestation Verifiers, Endorsers and Reference-Value providers that need to - transfer COSE Sign1 wrapped CoRIM payloads over HTTP(S), CoAP(S), and other - transports. - -Fragment identifier considerations: -: n/a - -Magic number(s): -: `D9 01 F6 D2`, `D9 01 F4 D9 01 F6 D2` - -File extension(s): -: n/a - -Macintosh file type code(s): -: n/a - -Person and email address to contact for further information: -: RATS WG mailing list (rats@ietf.org) - -Intended usage: -: COMMON - -Restrictions on usage: -: none - -Author/Change controller: -: IETF - -Provisional registration? -: Maybe - -### corim-unsigned+cbor {#sec-mt-corim-unsigned} - -{:compact} -Type name: -: `application` - -Subtype name: -: `corim-unsigned+cbor` +: `rim+cbor` Required parameters: : n/a @@ -2837,8 +2774,7 @@ Environments (CoRE) Parameters" Registry {{!IANA.core-parameters}}: | Content-Type | Content Coding | ID | Reference | |--- -| application/corim-signed+cbor | - | TBD1 | {{&SELF}} | -| application/corim-unsigned+cbor | - | TBD2 | {{&SELF}} | +| application/rim+cbor | - | TBD1 | {{&SELF}} | {: align="left" title="New Content-Formats"} --- back From 2f9134d8b20450136efe21e4226be71cfe97ca79 Mon Sep 17 00:00:00 2001 From: Dionna Glaze Date: Wed, 18 Dec 2024 19:53:17 +0000 Subject: [PATCH 08/18] Fix CoRIM examples with CDDL changes. --- cddl/corim-frags.mk | 2 - cddl/examples/corim-1.diag | 90 +++++++------ cddl/examples/corim-2.diag | 187 +++++++++++++-------------- cddl/examples/corim-design-cd.diag | 6 +- cddl/examples/corim-firmware-cd.diag | 6 +- 5 files changed, 141 insertions(+), 150 deletions(-) diff --git a/cddl/corim-frags.mk b/cddl/corim-frags.mk index 70e85aa1..ca4b8f09 100644 --- a/cddl/corim-frags.mk +++ b/cddl/corim-frags.mk @@ -65,8 +65,6 @@ CORIM_FRAGS += profile-type-choice.cddl CORIM_FRAGS += protected-corim-header-map.cddl CORIM_FRAGS += signed-corim.cddl CORIM_FRAGS += tagged-corim-map.cddl -CORIM_FRAGS += tagged-concise-rim-type-choice.cddl -CORIM_FRAGS += tagged-signed-corim.cddl CORIM_FRAGS += tagged-concise-swid-tag.cddl CORIM_FRAGS += tagged-concise-mid-tag.cddl CORIM_FRAGS += tagged-concise-bom-tag.cddl diff --git a/cddl/examples/corim-1.diag b/cddl/examples/corim-1.diag index 67e1cefe..05f446eb 100644 --- a/cddl/examples/corim-1.diag +++ b/cddl/examples/corim-1.diag @@ -1,49 +1,47 @@ -/ corim / 500( - / corim-map / 501({ - / corim.id / 0 : h'284e6c3e5d9f4f6b851f5a4247f243a7', - / corim.tags / 1 : [ - / concise-mid-tag / 506( << - / concise-mid-tag / { - / comid.tag-identity / 1 : { - / comid.tag-id / 0 : h'3f06af63a93c11e4979700505690773f' - }, - / comid.entity / 2 : [ { - / comid.entity-name / 0 : "ACME Inc.", - / comid.reg-id / 1 : 32("https://acme.example"), - / comid.role / 2 : [ 0 ] / tag-creator / - } ], - / comid.triples / 4 : { - / comid.reference-triples / 0 : [ [ - / environment-map / { - / comid.class / 0 : { - / comid.class-id / 0 : - / tagged-uuid-type / 37( - h'67b28b6c34cc40a19117ab5b05911e37' - ), - / comid.vendor / 1 : "ACME Inc.", - / comid.model / 2 : "ACME RoadRunner", - / comid.layer / 3 : 1 +/ tagged-corim-map / 501({ + / corim.id / 0 : h'284e6c3e5d9f4f6b851f5a4247f243a7', + / corim.tags / 1 : [ + / concise-mid-tag / 506( << + / concise-mid-tag / { + / comid.tag-identity / 1 : { + / comid.tag-id / 0 : h'3f06af63a93c11e4979700505690773f' + }, + / comid.entity / 2 : [ { + / comid.entity-name / 0 : "ACME Inc.", + / comid.reg-id / 1 : 32("https://acme.example"), + / comid.role / 2 : [ 0 ] / tag-creator / + } ], + / comid.triples / 4 : { + / comid.reference-triples / 0 : [ [ + / environment-map / { + / comid.class / 0 : { + / comid.class-id / 0 : + / tagged-uuid-type / 37( + h'67b28b6c34cc40a19117ab5b05911e37' + ), + / comid.vendor / 1 : "ACME Inc.", + / comid.model / 2 : "ACME RoadRunner", + / comid.layer / 3 : 1 + } + }, + [ + / measurement-map / { + / comid.mval / 1 : { + / comid.ver / 0 : { + / comid.version / 0 : "1.0.0", + / comid.version-scheme / 1 : 16384 / semver / + }, + / comid.digests / 2 : [ [ + / hash-alg-id / 1, / sha256 / + / hash-value / h'44aa336af4cb14a879432e53dd6571c7fa9bccafb75f488259262d6ea3a4d91b' + ] ] } - }, - [ - / measurement-map / { - / comid.mval / 1 : { - / comid.ver / 0 : { - / comid.version / 0 : "1.0.0", - / comid.version-scheme / 1 : 16384 / semver / - }, - / comid.digests / 2 : [ [ - / hash-alg-id / 1, / sha256 / - / hash-value / h'44aa336af4cb14a879432e53dd6571c7fa9bccafb75f488259262d6ea3a4d91b' - ] ] - } - } - ] - ] ] - } + } + ] + ] ] } - >> ) - ] - } - ) + } + >> ) + ] + } ) diff --git a/cddl/examples/corim-2.diag b/cddl/examples/corim-2.diag index 502d1645..09bf6630 100644 --- a/cddl/examples/corim-2.diag +++ b/cddl/examples/corim-2.diag @@ -1,115 +1,114 @@ -/ corim / 500( - / corim-map / 501({ - / corim.id / 0 : h'284e6c3e5d9f4f6b851f5a4247f243a7', - / corim.tags / 1 : [ - / concise-mid-tag / 506( << - / concise-mid-tag / { - / comid.tag-identity / 1 : { - / comid.tag-id / 0 : h'3f06af63a93c11e4979700505690773f' - }, - / comid.entity / 2 : [ { - / comid.entity-name / 0 : "ACME Inc.", - / comid.reg-id / 1 : 32("https://acme.example"), - / comid.role / 2 : [ 0 ] / tag-creator / - } ], - / comid.triples / 4 : { - / comid.reference-triples / 0 : [ - [ - / environment-map / { - / comid.class / 0 : { - / comid.class-id / 0 : - / tagged-uuid-type / 37( - h'67b28b6c34cc40a19117ab5b05911e37' - ), - / comid.vendor / 1 : "ACME Inc.", - / comid.model / 2 : "ACME RoadRunner Firmware", - / comid.layer / 3 : 1 - } - }, - [ - / measurement-map / { - / comid.mval / 1 : { - / comid.digests / 2 : [ [ - / hash-alg-id / 1, / sha256 / - / hash-value / h'44aa336af4cb14a879432e53dd6571c7fa9bccafb75f488259262d6ea3a4d91b' - ] ] - } - } - ] - ], +/ tagged-corim-map / 501({ + / corim.id / 0 : h'284e6c3e5d9f4f6b851f5a4247f243a7', + / corim.tags / 1 : [ + / concise-mid-tag / 506( << + / concise-mid-tag / { + / comid.tag-identity / 1 : { + / comid.tag-id / 0 : h'3f06af63a93c11e4979700505690773f' + }, + / comid.entity / 2 : [ { + / comid.entity-name / 0 : "ACME Inc.", + / comid.reg-id / 1 : 32("https://acme.example"), + / comid.role / 2 : [ 0 ] / tag-creator / + } ], + / comid.triples / 4 : { + / comid.reference-triples / 0 : [ + [ + / environment-map / { + / comid.class / 0 : { + / comid.class-id / 0 : + / tagged-uuid-type / 37( + h'67b28b6c34cc40a19117ab5b05911e37' + ), + / comid.vendor / 1 : "ACME Inc.", + / comid.model / 2 : "ACME RoadRunner Firmware", + / comid.layer / 3 : 1 + } + }, [ - / environment-map / { - / comid.class / 0 : { - / comid.class-id / 0 : - / tagged-uuid-type / 37( - h'a71b3e388d454a0581f352e58c832c5c' - ), - / comid.vendor / 1 : "WYLIE Inc.", - / comid.model / 2 : "WYLIE Coyote Trusted OS", - / comid.layer / 3 : 2, - / comid.index / 4 : 0 - } - }, - [ - / measurement-map / { - / comid.mval / 1 : { - / comid.digests / 2 : [ [ - / hash-alg-id / 1, / sha256 / - / hash-value / h'bb71198ed60a95dc3c619e555c2c0b8d7564a38031b034a195892591c65365b0' - ] ] - } + / measurement-map / { + / comid.mval / 1 : { + / comid.digests / 2 : [ [ + / hash-alg-id / 1, / sha256 / + / hash-value / h'44aa336af4cb14a879432e53dd6571c7fa9bccafb75f488259262d6ea3a4d91b' + ] ] } - ] - ], + } + ] + ], + [ + / environment-map / { + / comid.class / 0 : { + / comid.class-id / 0 : + / tagged-uuid-type / 37( + h'a71b3e388d454a0581f352e58c832c5c' + ), + / comid.vendor / 1 : "WYLIE Inc.", + / comid.model / 2 : "WYLIE Coyote Trusted OS", + / comid.layer / 3 : 2, + / comid.index / 4 : 0 + } + }, [ - / environment-map / { - / comid.class / 0 : { - / comid.class-id / 0 : - / tagged-uuid-type / 37( - h'a71b3e388d454a0581f352e58c832c5c' - ), - / comid.vendor / 1 : "WYLIE Inc.", - / comid.model / 2 : "WYLIE Coyote Trusted OS", - / comid.layer / 3 : 2, - / comid.index / 4 : 1 - } - }, - [ - / measurement-map / { - / comid.mval / 1 : { - / comid.digests / 2 : [ [ - / hash-alg-id / 1, / sha256 / - / hash-value / h'bb71198ed60a95dc3c619e555c2c0b8d7564a38031b034a195892591c65365b0' - ] ] - } + / measurement-map / { + / comid.mval / 1 : { + / comid.digests / 2 : [ [ + / hash-alg-id / 1, / sha256 / + / hash-value / h'bb71198ed60a95dc3c619e555c2c0b8d7564a38031b034a195892591c65365b0' + ] ] } - ] + } ] ], - / comid.endorsed-triples / 1 : [ [ + [ / environment-map / { / comid.class / 0 : { / comid.class-id / 0 : / tagged-uuid-type / 37( - h'67b28b6c34cc40a19117ab5b05911e37' + h'a71b3e388d454a0581f352e58c832c5c' ), - / comid.vendor / 1 : "ACME Inc.", - / comid.model / 2 : "ACME RoadRunner Root of Trust", - / comid.layer / 3 : 0 + / comid.vendor / 1 : "WYLIE Inc.", + / comid.model / 2 : "WYLIE Coyote Trusted OS", + / comid.layer / 3 : 2, + / comid.index / 4 : 1 } }, [ / measurement-map / { / comid.mval / 1 : { - / comid.svn / 1 : 552(1) + / comid.digests / 2 : [ [ + / hash-alg-id / 1, / sha256 / + / hash-value / h'bb71198ed60a95dc3c619e555c2c0b8d7564a38031b034a195892591c65365b0' + ] ] } } ] - ] ] - } + ] + ], + / comid.endorsed-triples / 1 : [ [ + / environment-map / { + / comid.class / 0 : { + / comid.class-id / 0 : + / tagged-uuid-type / 37( + h'67b28b6c34cc40a19117ab5b05911e37' + ), + / comid.vendor / 1 : "ACME Inc.", + / comid.model / 2 : "ACME RoadRunner Root of Trust", + / comid.layer / 3 : 0 + } + }, + [ + / measurement-map / { + / comid.mval / 1 : { + / comid.svn / 1 : 552(1) + } + } + ] + ] ] } - >> ) - ] - } - ) + } + >> ) + ] + } ) + diff --git a/cddl/examples/corim-design-cd.diag b/cddl/examples/corim-design-cd.diag index fdf21201..3c47d17b 100644 --- a/cddl/examples/corim-design-cd.diag +++ b/cddl/examples/corim-design-cd.diag @@ -1,5 +1,4 @@ -/ corim / 500( - / corim-map / 501({ +/ tagged-corim-map / 501({ / corim.id / 0 : h'0A2D9D8C56F74071B4F38065C37E4ACF', / corim.tags / 1 : [ / concise-mid-tag / 506( << @@ -138,5 +137,4 @@ ], / corim.profile / 3 : 111(h'6086480186F84D010F06') / 2.16.840.1.113741.1.15.6 / - }) -) +}) \ No newline at end of file diff --git a/cddl/examples/corim-firmware-cd.diag b/cddl/examples/corim-firmware-cd.diag index 818259c4..fadb3e20 100644 --- a/cddl/examples/corim-firmware-cd.diag +++ b/cddl/examples/corim-firmware-cd.diag @@ -1,5 +1,4 @@ -/ corim / 500( - / corim-map / 501({ +/ tagged-corim-map / 501({ / corim.id / 0 : h'29B834181A5C4E4EA53E8F8786BC8C5B', / corim.tags / 1 : [ / concise-mid-tag / 506( << @@ -90,5 +89,4 @@ ], / corim.profile / 3 : 111( h'6086480186F84D010F06') / 2.16.840.1.113741.1.15.6 / - }) -) +}) From f1c8825c367fe8b996d5ce1f787b054e5997b7c0 Mon Sep 17 00:00:00 2001 From: Dionna Glaze Date: Wed, 18 Dec 2024 19:41:40 +0000 Subject: [PATCH 09/18] Create signed example in Makefile. --- cddl/Makefile | 17 +++++++ cddl/cbor-tags.txt | 1 + cddl/examples/corim-4.diag | 60 +++++++++++++++++++++++++ cddl/examples/corim-4.diag.tmpl | 6 +++ cddl/examples/payload-corim-4.diag | 46 +++++++++++++++++++ cddl/examples/protected-header-map.diag | 10 +++++ cddl/examples/sig-structure.diag.tmpl | 6 +++ 7 files changed, 146 insertions(+) create mode 100644 cddl/examples/corim-4.diag create mode 100644 cddl/examples/corim-4.diag.tmpl create mode 100644 cddl/examples/payload-corim-4.diag create mode 100644 cddl/examples/protected-header-map.diag create mode 100644 cddl/examples/sig-structure.diag.tmpl diff --git a/cddl/Makefile b/cddl/Makefile index 983522e6..a28a9ab8 100644 --- a/cddl/Makefile +++ b/cddl/Makefile @@ -42,6 +42,23 @@ CLEANFILES += $(3:.diag=.pretty) endef # cddl_check_template +examples/sig-structure.diag: examples/sig-structure.diag.tmpl examples/payload-corim-4.diag examples/protected-header-map.diag + payload="$$(cat examples/payload-corim-4.diag)" \ + protected="$$(cat examples/protected-header-map.diag)" \ + envsubst < examples/sig-structure.diag.tmpl > examples/sig-structure.diag + +examples/testkey.pem: + openssl ecparam -name secp384r1 -genkey -noout -out examples/testkey.pem + +examples/corim-4.sig: examples/sig-structure.cbor examples/testkey.pem + openssl dgst -sha384 -sign examples/testkey.pem -out examples/corim-4.sig examples/sig-structure.cbor + +examples/corim-4.diag: examples/corim-4.sig examples/corim-4.diag.tmpl examples/payload-corim-4.diag examples/protected-header-map.diag + payload="$$(cat examples/payload-corim-4.diag)" \ + protected="$$(cat examples/protected-header-map.diag)" \ + signature="h'$$(cat examples/corim-4.sig | xxd -p -c 128)'" \ + envsubst < examples/corim-4.diag.tmpl > examples/corim-4.diag + include corim-frags.mk $(eval $(call cddl_check_template,comid,$(COMID_FRAGS),$(COMID_EXAMPLES))) diff --git a/cddl/cbor-tags.txt b/cddl/cbor-tags.txt index f52fdebb..c4916942 100644 --- a/cddl/cbor-tags.txt +++ b/cddl/cbor-tags.txt @@ -14,3 +14,4 @@ tagged-cert-thumbprint-type = #6.559(digest) tagged-bytes = #6.560(bytes) tagged-cert-path-thumbprint-type = #6.561(digest) tagged-pkix-asn1der-cert-type = #6.562(bstr) +tagged-integral-predicate= #6.563(integral-predicate) diff --git a/cddl/examples/corim-4.diag b/cddl/examples/corim-4.diag new file mode 100644 index 00000000..068a898c --- /dev/null +++ b/cddl/examples/corim-4.diag @@ -0,0 +1,60 @@ +/ signed-corim / 18([ + / protected / << / header_map / { + / alg: / 1 : -35, + / content-type: / 3 : "application/rim+cbor", + / corim-meta: / 8 : << / corim-meta / { + / signer: / 0 : / corim-signer-map / { + / signer: / 0 : "ACME Ltd." + } + } >>, + / kid: / 4 : h'f8ccd2b49fdba32cd94498030fdc8e5010358919' +} >>, + / unprotected-corim-header-map / {}, + / payload / << 501(/ corim-map / { + / corim.id / 0 : h'284e6c3e5d9f4f6b851f5a4247f243a7', + / corim.tags / 1 : [ + / concise-mid-tag / 506( << + / concise-mid-tag / { + / comid.tag-identity / 1 : { + / comid.tag-id / 0 : h'3f06af63a93c11e4979700505690773f' + }, + / comid.entity / 2 : [ { + / comid.entity-name / 0 : "ACME Inc.", + / comid.reg-id / 1 : 32("https://acme.example"), + / comid.role / 2 : [ 0 ] / tag-creator / + } ], + / comid.triples / 4 : { + / comid.reference-triples / 0 : [ [ + / environment-map / { + / comid.class / 0 : { + / comid.class-id / 0 : + / tagged-uuid-type / 37( + h'67b28b6c34cc40a19117ab5b05911e37' + ), + / comid.vendor / 1 : "ACME Inc.", + / comid.model / 2 : "ACME RoadRunner", + / comid.layer / 3 : 1 + } + }, + [ + / measurement-map / { + / comid.mval / 1 : { + / comid.ver / 0 : { + / comid.version / 0 : "1.0.0", + / comid.version-scheme / 1 : 16384 / semver / + }, + / comid.digests / 2 : [ [ + / hash-alg-id / 1, / sha256 / + / hash-value / h'44aa336af4cb14a879432e53dd6571c7fa9bccafb75f488259262d6ea3a4d91b' + ] ] + } + } + ] + ] ] + } + } + >> ) + ] + }) >>, + / signature / h'30660231008520f6f6980ee6e702602450fba17ee151c479dc85cc8e55ecc31afe28eb4c50d8fd98230eef1bfc9d631a23a0bc76850231009df2d8656978d590aabefac29ebeedea18adc9de837ddf59b5d4348bd6ab15cef526de0b20c32db6b9fd8b7b49cd5b20' +]) diff --git a/cddl/examples/corim-4.diag.tmpl b/cddl/examples/corim-4.diag.tmpl new file mode 100644 index 00000000..d6421b04 --- /dev/null +++ b/cddl/examples/corim-4.diag.tmpl @@ -0,0 +1,6 @@ +/ signed-corim / 18([ + / protected / << ${protected} >>, + / unprotected-corim-header-map / {}, + / payload / << ${payload} >>, + / signature / ${signature} +]) diff --git a/cddl/examples/payload-corim-4.diag b/cddl/examples/payload-corim-4.diag new file mode 100644 index 00000000..91b8abc9 --- /dev/null +++ b/cddl/examples/payload-corim-4.diag @@ -0,0 +1,46 @@ +501(/ corim-map / { + / corim.id / 0 : h'284e6c3e5d9f4f6b851f5a4247f243a7', + / corim.tags / 1 : [ + / concise-mid-tag / 506( << + / concise-mid-tag / { + / comid.tag-identity / 1 : { + / comid.tag-id / 0 : h'3f06af63a93c11e4979700505690773f' + }, + / comid.entity / 2 : [ { + / comid.entity-name / 0 : "ACME Inc.", + / comid.reg-id / 1 : 32("https://acme.example"), + / comid.role / 2 : [ 0 ] / tag-creator / + } ], + / comid.triples / 4 : { + / comid.reference-triples / 0 : [ [ + / environment-map / { + / comid.class / 0 : { + / comid.class-id / 0 : + / tagged-uuid-type / 37( + h'67b28b6c34cc40a19117ab5b05911e37' + ), + / comid.vendor / 1 : "ACME Inc.", + / comid.model / 2 : "ACME RoadRunner", + / comid.layer / 3 : 1 + } + }, + [ + / measurement-map / { + / comid.mval / 1 : { + / comid.ver / 0 : { + / comid.version / 0 : "1.0.0", + / comid.version-scheme / 1 : 16384 / semver / + }, + / comid.digests / 2 : [ [ + / hash-alg-id / 1, / sha256 / + / hash-value / h'44aa336af4cb14a879432e53dd6571c7fa9bccafb75f488259262d6ea3a4d91b' + ] ] + } + } + ] + ] ] + } + } + >> ) + ] + }) diff --git a/cddl/examples/protected-header-map.diag b/cddl/examples/protected-header-map.diag new file mode 100644 index 00000000..9baf44db --- /dev/null +++ b/cddl/examples/protected-header-map.diag @@ -0,0 +1,10 @@ +/ header_map / { + / alg: / 1 : -35, + / content-type: / 3 : "application/rim+cbor", + / corim-meta: / 8 : << / corim-meta / { + / signer: / 0 : / corim-signer-map / { + / signer: / 0 : "ACME Ltd." + } + } >>, + / kid: / 4 : h'f8ccd2b49fdba32cd94498030fdc8e5010358919' +} diff --git a/cddl/examples/sig-structure.diag.tmpl b/cddl/examples/sig-structure.diag.tmpl new file mode 100644 index 00000000..3a81924c --- /dev/null +++ b/cddl/examples/sig-structure.diag.tmpl @@ -0,0 +1,6 @@ +/ Sig_structure / [ + / context: / "Signature1", + / body_protected: / << ${protected} >>, + / external_aad: / h'', + / payload: / << ${payload} >> +] From c32e13da0234633fc6f36789e30b540b12fb4326 Mon Sep 17 00:00:00 2001 From: Dionna Glaze Date: Wed, 18 Dec 2024 23:03:53 +0000 Subject: [PATCH 10/18] Remove signing from Makefile CI doesn't have envsubst or openssl tools. --- cddl/Makefile | 33 +++++++++++++++++---------------- 1 file changed, 17 insertions(+), 16 deletions(-) diff --git a/cddl/Makefile b/cddl/Makefile index a28a9ab8..86bd75c8 100644 --- a/cddl/Makefile +++ b/cddl/Makefile @@ -42,22 +42,23 @@ CLEANFILES += $(3:.diag=.pretty) endef # cddl_check_template -examples/sig-structure.diag: examples/sig-structure.diag.tmpl examples/payload-corim-4.diag examples/protected-header-map.diag - payload="$$(cat examples/payload-corim-4.diag)" \ - protected="$$(cat examples/protected-header-map.diag)" \ - envsubst < examples/sig-structure.diag.tmpl > examples/sig-structure.diag - -examples/testkey.pem: - openssl ecparam -name secp384r1 -genkey -noout -out examples/testkey.pem - -examples/corim-4.sig: examples/sig-structure.cbor examples/testkey.pem - openssl dgst -sha384 -sign examples/testkey.pem -out examples/corim-4.sig examples/sig-structure.cbor - -examples/corim-4.diag: examples/corim-4.sig examples/corim-4.diag.tmpl examples/payload-corim-4.diag examples/protected-header-map.diag - payload="$$(cat examples/payload-corim-4.diag)" \ - protected="$$(cat examples/protected-header-map.diag)" \ - signature="h'$$(cat examples/corim-4.sig | xxd -p -c 128)'" \ - envsubst < examples/corim-4.diag.tmpl > examples/corim-4.diag +# Commented since CI doesn't have openssl +#examples/sig-structure.diag: examples/sig-structure.diag.tmpl examples/payload-corim-4.diag examples/protected-header-map.diag +# payload="$$(cat examples/payload-corim-4.diag)" \ +# protected="$$(cat examples/protected-header-map.diag)" \ +# envsubst < examples/sig-structure.diag.tmpl > examples/sig-structure.diag + +#examples/testkey.pem: +# openssl ecparam -name secp384r1 -genkey -noout -out examples/testkey.pem + +#examples/corim-4.sig: examples/sig-structure.cbor examples/testkey.pem +# openssl dgst -sha384 -sign examples/testkey.pem -out examples/corim-4.sig examples/sig-structure.cbor + +#examples/corim-4.diag: examples/corim-4.sig examples/corim-4.diag.tmpl examples/payload-corim-4.diag examples/protected-header-map.diag +# payload="$$(cat examples/payload-corim-4.diag)" \ +# protected="$$(cat examples/protected-header-map.diag)" \ +# signature="h'$$(cat examples/corim-4.sig | xxd -p -c 128)'" \ +# envsubst < examples/corim-4.diag.tmpl > examples/corim-4.diag include corim-frags.mk From 20c52223a2ecf0b2c1cb1a644658ac1e748d806e Mon Sep 17 00:00:00 2001 From: Dionna Glaze Date: Tue, 21 Jan 2025 17:09:24 +0000 Subject: [PATCH 11/18] Add rim+cose with CoAP registration and magic numbers --- draft-ietf-rats-corim.md | 64 +++++++++++++++++++++++++++++++++++++++- 1 file changed, 63 insertions(+), 1 deletion(-) diff --git a/draft-ietf-rats-corim.md b/draft-ietf-rats-corim.md index 2b53c1c5..fbf15bdd 100644 --- a/draft-ietf-rats-corim.md +++ b/draft-ietf-rats-corim.md @@ -2704,6 +2704,7 @@ registry {{!IANA.media-types}}. | Name | Template | Reference | | rim+cbor | application/rim+cbor | {{&SELF}}, ({{sec-mt-rim-cbor}}) | +| rim+cose | application/rim+cose | {{&SELF}}, ({{sec-signed-rim}}) | {: #tbl-media-type align="left" title="New Media Types"} ### rim+cbor {#sec-mt-rim-cbor} @@ -2743,11 +2744,71 @@ Fragment identifier considerations: : n/a Magic number(s): -: `D9 01 F5`, `D9 01 F4 D9 01 F5` +: `D9 01 F5` File extension(s): +: .corim + +Macintosh file type code(s): +: n/a + +Person and email address to contact for further information: +: RATS WG mailing list (rats@ietf.org) + +Intended usage: +: COMMON + +Restrictions on usage: +: none + +Author/Change controller: +: IETF + +Provisional registration? +: Maybe + +### rim+cose {#sec-mt-rim-cose} + +{:compact} +Type name: +: `application` + +Subtype name: +: `rim+cose` + +Required parameters: : n/a +Optional parameters: +: "profile" (CoRIM profile in string format. OIDs MUST use the dotted-decimal + notation.) + +Encoding considerations: +: binary + +Security considerations: +: {{sec-sec}} of {{&SELF}} + +Interoperability considerations: +: n/a + +Published specification: +: {{&SELF}} + +Applications that use this media type: +: Attestation Verifiers, Endorsers and Reference-Value providers that need to + transfer protected CoRIM payloads over HTTP(S), CoAP(S), and other + transports. + +Fragment identifier considerations: +: n/a + +Magic number(s): +: `D2` (for COSE), and TBD given CoAP C-F assignment with TN transformation {{?RFC9277}} (e.g., for C-F 141 `D9 63 74 01 8F D2`). + +File extension(s): +: .corim + Macintosh file type code(s): : n/a @@ -2775,6 +2836,7 @@ Environments (CoRE) Parameters" Registry {{!IANA.core-parameters}}: | Content-Type | Content Coding | ID | Reference | |--- | application/rim+cbor | - | TBD1 | {{&SELF}} | +| application/rim+cose | - | TBD2 | {{&SELF}} | {: align="left" title="New Content-Formats"} --- back From 28b18d6099443350d7837bdae7c916980fb981e1 Mon Sep 17 00:00:00 2001 From: nedmsmith Date: Tue, 21 Jan 2025 14:01:12 -0800 Subject: [PATCH 12/18] Update draft-ietf-rats-corim.md fix broken section reference --- draft-ietf-rats-corim.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-rats-corim.md b/draft-ietf-rats-corim.md index fbf15bdd..7ccf92d4 100644 --- a/draft-ietf-rats-corim.md +++ b/draft-ietf-rats-corim.md @@ -2704,7 +2704,7 @@ registry {{!IANA.media-types}}. | Name | Template | Reference | | rim+cbor | application/rim+cbor | {{&SELF}}, ({{sec-mt-rim-cbor}}) | -| rim+cose | application/rim+cose | {{&SELF}}, ({{sec-signed-rim}}) | +| rim+cose | application/rim+cose | {{&SELF}}, ({{sec-mt-rim-cose}}) | {: #tbl-media-type align="left" title="New Media Types"} ### rim+cbor {#sec-mt-rim-cbor} From dd3a3028a3dc91c1809abc8e42652c628618f4ed Mon Sep 17 00:00:00 2001 From: Dionna Amalie Glaze Date: Wed, 22 Jan 2025 07:08:27 -0800 Subject: [PATCH 13/18] Update cddl/examples/payload-corim-4.diag Co-authored-by: Thomas Fossati --- cddl/examples/payload-corim-4.diag | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/cddl/examples/payload-corim-4.diag b/cddl/examples/payload-corim-4.diag index 91b8abc9..62cdc279 100644 --- a/cddl/examples/payload-corim-4.diag +++ b/cddl/examples/payload-corim-4.diag @@ -1,4 +1,5 @@ -501(/ corim-map / { +501( + / corim-map / { / corim.id / 0 : h'284e6c3e5d9f4f6b851f5a4247f243a7', / corim.tags / 1 : [ / concise-mid-tag / 506( << From 7ed8759921587f80a106a613bea1c88319479d96 Mon Sep 17 00:00:00 2001 From: Dionna Glaze Date: Wed, 22 Jan 2025 15:10:47 +0000 Subject: [PATCH 14/18] Remove spurious cbor-tags addition. --- cddl/cbor-tags.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cddl/cbor-tags.txt b/cddl/cbor-tags.txt index c4916942..1132f90a 100644 --- a/cddl/cbor-tags.txt +++ b/cddl/cbor-tags.txt @@ -14,4 +14,4 @@ tagged-cert-thumbprint-type = #6.559(digest) tagged-bytes = #6.560(bytes) tagged-cert-path-thumbprint-type = #6.561(digest) tagged-pkix-asn1der-cert-type = #6.562(bstr) -tagged-integral-predicate= #6.563(integral-predicate) + From 2012592d1a018b0ad3d5ecff5c0b073fb3090b99 Mon Sep 17 00:00:00 2001 From: Dionna Amalie Glaze Date: Wed, 22 Jan 2025 07:26:26 -0800 Subject: [PATCH 15/18] Update rim+cose application copypasta Co-authored-by: Thomas Fossati --- draft-ietf-rats-corim.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-rats-corim.md b/draft-ietf-rats-corim.md index 7ccf92d4..ae1347c5 100644 --- a/draft-ietf-rats-corim.md +++ b/draft-ietf-rats-corim.md @@ -2797,7 +2797,7 @@ Published specification: Applications that use this media type: : Attestation Verifiers, Endorsers and Reference-Value providers that need to - transfer protected CoRIM payloads over HTTP(S), CoAP(S), and other + transfer CoRIM payloads protected using COSE Sign1 over HTTP(S), CoAP(S), and other transports. Fragment identifier considerations: From 004c1f2d70f540cf454b9dcdb434339314b1a7f9 Mon Sep 17 00:00:00 2001 From: Dionna Amalie Glaze Date: Wed, 22 Jan 2025 07:27:06 -0800 Subject: [PATCH 16/18] Update +cose magic number to #6.18, 4-elm array Co-authored-by: Thomas Fossati --- draft-ietf-rats-corim.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-rats-corim.md b/draft-ietf-rats-corim.md index ae1347c5..44c04aca 100644 --- a/draft-ietf-rats-corim.md +++ b/draft-ietf-rats-corim.md @@ -2804,7 +2804,7 @@ Fragment identifier considerations: : n/a Magic number(s): -: `D2` (for COSE), and TBD given CoAP C-F assignment with TN transformation {{?RFC9277}} (e.g., for C-F 141 `D9 63 74 01 8F D2`). +: `D2 84` File extension(s): : .corim From d23f325ee5f3a1ee17e70a5df4225b7158820948 Mon Sep 17 00:00:00 2001 From: Yogesh Deshpande Date: Wed, 22 Jan 2025 15:29:58 +0000 Subject: [PATCH 17/18] Update draft-ietf-rats-corim.md Co-authored-by: Andrew Draper --- draft-ietf-rats-corim.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-rats-corim.md b/draft-ietf-rats-corim.md index 44c04aca..f04c6637 100644 --- a/draft-ietf-rats-corim.md +++ b/draft-ietf-rats-corim.md @@ -2590,7 +2590,7 @@ IANA is requested to allocate the following tags in the "CBOR Tags" registry {{! | Tag | Data Item | Semantics | Reference | | --- | --------- | --------- | --------- | -| 500 | `tag` | Earmarked for CoRIM | {{&SELF}} | +| 500 | `tag` | Reserved for backward compatibility | {{&SELF}} | | 501 | `map` | A tagged-corim-map, see {{sec-corim-map}} | {{&SELF}} | | 502-504 | `any` | Earmarked for CoRIM | {{&SELF}} | | 505 | `bytes` | A tagged-concise-swid-tag, see {{sec-corim-tags}} | {{&SELF}} | From e216475ac3be7e8bc559771b275671d9ffd4aa66 Mon Sep 17 00:00:00 2001 From: Yogesh Deshpande Date: Wed, 22 Jan 2025 15:30:33 +0000 Subject: [PATCH 18/18] Update draft-ietf-rats-corim.md Co-authored-by: Dionna Amalie Glaze --- draft-ietf-rats-corim.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-rats-corim.md b/draft-ietf-rats-corim.md index f04c6637..7694810b 100644 --- a/draft-ietf-rats-corim.md +++ b/draft-ietf-rats-corim.md @@ -2777,7 +2777,7 @@ Subtype name: : `rim+cose` Required parameters: -: n/a +: n/a (cose-type is explicitly not supported, as it is understood to be "cose-sign1") Optional parameters: : "profile" (CoRIM profile in string format. OIDs MUST use the dotted-decimal