feat(profiles): add cca endorsement profiles #257
setrofim left a comment
As a general note -- there are a number of elements whose validation is identical to the PSA profile (e.g. implementation id, instance id, cryptokeys, etc). You can probably re-use the PSA validator functions for those, rather than duplicating them here.
| } | ||
|
|
||
| // At least one software component is required | ||
| if !hasSoftwareComponent { |
You need an analogous check for the platform-config -- there must be one present.
Expose neutral validators from the PSA package that can be reused across profiles. This eliminates code duplication and ensures consistent validation across different profiles. Signed-off-by: Abhishek kumar <abhirajabhi312@gmail.com>
fdc97ac to 0381366
setrofim left a comment
(note: you have a duplicate Signed-off-by line in the "add cca platform and realm profiles" commit)
Some minor nits, but overall looks really good!
profiles/cca/corim_test.go
Outdated
|
|
||
| // getComidFromCorim extracts and decodes the first CoMID from a CoRIM | ||
| // using the CCA Platform profile extensions | ||
| func getComidFromCorim(t *testing.T, corimData []byte) *comid.Comid { |
This is equivalent to calling getComidFromCorimWithProfile with PlatformProfileURI as the profileURI argument, and so doesn't need to be a separate function.
profiles/cca/identifiers.go
Outdated
| // NewClassPlatformImplID creates a new CCA Platform Implementation ID as a Class. | ||
| // The Implementation ID MUST be exactly 32 bytes. | ||
| func NewClassPlatformImplID(val []byte) (*comid.Class, error) { | ||
| if len(val) != PlatformImplIDSize { |
This can be implemented in terms of `ValidatePlatformImplID` below.
profiles/cca/identifiers.go
Outdated
| // NewPlatformInstanceID creates a new CCA Platform Instance ID. | ||
| // The Instance ID MUST be exactly 33 bytes and start with 0x01. | ||
| func NewPlatformInstanceID(val []byte) (*comid.Instance, error) { | ||
| if len(val) != PlatformInstanceIDSize { |
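Review bot: The doc comment on NewPlatformInstanceID requires the value to be exactly 33 bytes and to start with 0x01, but the only test visible in this hunk is `len(val) != PlatformInstanceIDSize`. If the leading byte is not already checked further down, add that check next to the length test so a 33-byte value with any other first byte is rejected at construction time, and cover that case in a unit test.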
This can be implemented in terms of `ValidateInstanceID` below.
profiles/cca/identifiers.go
Outdated
| // The RIM can be 32, 48, or 64 bytes (SHA-256, SHA-384, or SHA-512 hash digest). | ||
| // RIM uniquely identifies a Realm Target Environment. | ||
| func NewRealmRIMClassID(val []byte) (*comid.ClassID, error) { | ||
| if len(val) != 32 && len(val) != 48 && len(val) != 64 { |
This can be implemented in terms of ValidateRealmRIM below.
profiles/cca/identifiers.go
Outdated
| // The RIM can be 32, 48, or 64 bytes (SHA-256, SHA-384, or SHA-512 hash digest). | ||
| // RIM uniquely identifies a Realm Target Environment. | ||
| func NewClassRealmRIM(val []byte) (*comid.Class, error) { | ||
| if len(val) != 32 && len(val) != 48 && len(val) != 64 { |
This can be implemented in terms of ValidateRealmRIM below.
profiles/cca/identifiers.go
Outdated
| // NewPlatformImplIDClassID creates a new CCA Platform Implementation ID as a ClassID. | ||
| // The Implementation ID MUST be exactly 32 bytes. | ||
| func NewPlatformImplIDClassID(val []byte) (*comid.ClassID, error) { | ||
| if len(val) != PlatformImplIDSize { |
This can be implemented in terms of `ValidatePlatformImplID` below.
profiles/cca/platform.go
Outdated
|
|
||
| // validateCCAPlatformReferenceValue validates a Reference Value of CCA Platform Endorsements. | ||
| func validateCCAPlatformReferenceValue(refVal *comid.ValueTriple, tripleIndex int) error { | ||
| prefix := fmt.Sprintf("platform reference value at index %d", tripleIndex) |
Rather than passing additional context for the error message as arguments to functions, it is better to simply augment the error at the level where the context is already available before propagating it upwards.
In this case, you do not need to pass tripleIndex to this function, or the prefix to the functions it calls. Instead, inside the for loop on lines 55-59 above, you can change the for loop to be:

```go
for i, avk := range *triples.AttestVerifKeys {
	if err := validateCCAPlatformAttestVerifKey(&avk); err != nil {
		return fmt.Errorf("platform reference value at index %d: %w", i, err)
	}
}
```

This is both cleaner/easier to follow, and has better performance (less state being shuffled across function calls, and string formatting only happens if the error actually occurs).
(note: this also applies to the other validator functions where you're passing additional context to be used in error messages).
profiles/cca/realm.go
Outdated
| rimBytes := classID.Bytes() | ||
|
|
||
| // RIM should be a valid hash digest (32, 48, or 64 bytes for SHA-256, SHA-384, SHA-512) | ||
| if len(rimBytes) != 32 && len(rimBytes) != 48 && len(rimBytes) != 64 { |
You're doing this same check in a number of places (e.g. for impl-id above). It's probably worth factoring this out into a common ValidatePSAHash or something.
0381366 to 2e17b89
profiles/cca/realm.go
Outdated
| // 2. Realm Extended Measurements (REMs) - OPTIONAL | ||
| // 3. Realm Personalization Value (RPV) - OPTIONAL | ||
| func validateCCARealmReferenceValue(refVal *comid.ValueTriple, tripleIndex int) error { | ||
| prefix := fmt.Sprintf("realm reference value at index %d", tripleIndex) |
You're still passing the index as an argument and constructing the "prefix" here -- this should be handled by the caller wrapping the returned error, rather than here.
(note: this happens elsewhere in the code as well).
profiles/cca/identifiers.go
Outdated
| // ValidateRealmRIM validates that the given bytes represent a valid CCA Realm Initial Measurement. | ||
| // The RIM can be 32, 48, or 64 bytes (SHA-256, SHA-384, or SHA-512 hash digest). | ||
| func ValidateRealmRIM(val []byte) error { | ||
| if len(val) != 32 && len(val) != 48 && len(val) != 64 { |
This can be implemented in terms of ValidateHashDigestSize
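The refactoring asked for across these review comments (one shared digest-size check, constructors built on validators, and index context added by the caller with `%w`), shown as an added example that is not code from the PR or the project. `ValidateHashDigestSize` and `ValidateRealmRIM` are named in the review but their bodies here are assumed; `ErrBadLength`, `RealmRIM`, `NewRealmRIM` and `ValidateRealmReferenceValues` are hypothetical stand-ins so the block runs without the comid package.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrBadLength is a hypothetical sentinel; %w wrapping keeps it visible to errors.Is.
var ErrBadLength = errors.New("unexpected length")

// ValidateHashDigestSize accepts SHA-256, SHA-384 and SHA-512 digest lengths only.
func ValidateHashDigestSize(val []byte) error {
	if n := len(val); n != 32 && n != 48 && n != 64 {
		return fmt.Errorf("%w: got %d bytes, want 32, 48 or 64", ErrBadLength, n)
	}
	return nil
}

// ValidateRealmRIM reuses the shared digest check instead of repeating the lengths.
func ValidateRealmRIM(val []byte) error {
	if err := ValidateHashDigestSize(val); err != nil {
		return fmt.Errorf("realm RIM: %w", err)
	}
	return nil
}

// RealmRIM is a local stand-in for the comid class-id type (assumption).
type RealmRIM []byte

// NewRealmRIM delegates to the validator, so constructor and validator cannot drift.
func NewRealmRIM(val []byte) (RealmRIM, error) {
	if err := ValidateRealmRIM(val); err != nil {
		return nil, err
	}
	return append(RealmRIM(nil), val...), nil // copy: caller's slice is not aliased
}

// ValidateRealmReferenceValues adds the index in the loop, where it is known.
func ValidateRealmReferenceValues(rims [][]byte) error {
	for i, rim := range rims {
		if err := ValidateRealmRIM(rim); err != nil {
			return fmt.Errorf("realm reference value at index %d: %w", i, err)
		}
	}
	return nil
}

func main() {
	fmt.Println(ValidateRealmReferenceValues([][]byte{make([]byte, 32), make([]byte, 20)})) // constructed input
}
```

Because every layer wraps with `%w`, a caller can still branch on `errors.Is(err, ErrBadLength)` while the message carries the full path from the triple index down to the offending length.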
Implement CCA endorsement platform and realm profiles as defined in the IETF draft specification. Includes validation logic, tests, fixtures, and shared identifier helpers. Signed-off-by: Abhishek Kumar <abhirajabhi312@gmail.com>
2e17b89 to 93a6cc3
Implement CCA endorsements profile following the IETF draft specification. Provides validation for reference values and attestation verification keys with proper identifier handling.
Includes complete test coverage with unit and integration tests, plus test fixtures for profile validation.