From 74cd2da6eac7caccaf49fdbb2f80df7d864d5b19 Mon Sep 17 00:00:00 2001 From: Dionna Glaze Date: Wed, 23 Oct 2024 18:06:05 +0000 Subject: [PATCH] Drop top level tagging requirement Tagged type choices are not typical. I would go so far as to drop the 500 tag as the entrypoint to CoRIM altogether. NVIDIA is creating CoRIMs this way, but they are using a different content-type in the protected header. I think we can drop it in an follow-up. This patch drops * the need to tag the type choice * the extensibility of concise-rim-type-choice, since extensibility is governed by a profile, and the profile is not known at this point in parsing. * the need to tag the signed corim, since it is a COSE-sign1 with an unambigiuous content-type, and COSE-sign1 already has its own tag. Addresses Issue #333, but 500 and 502 removal is TBD. Signed-off-by: Dionna Glaze --- cddl/cbor-tags.txt | 2 +- cddl/corim.cddl | 8 +-- cddl/examples/corim-3.diag | 48 ++++++++++++++++++ cddl/examples/corim-4.diag | 62 ++++++++++++++++++++++++ cddl/examples/testcert.pem | 14 ++++++ cddl/examples/testkey.pem | 6 +++ cddl/tagged-concise-rim-type-choice.cddl | 2 +- draft-ietf-rats-corim.md | 2 +- 8 files changed, 137 insertions(+), 7 deletions(-) create mode 100644 cddl/examples/corim-3.diag create mode 100644 cddl/examples/corim-4.diag create mode 100644 cddl/examples/testcert.pem create mode 100644 cddl/examples/testkey.pem diff --git a/cddl/cbor-tags.txt b/cddl/cbor-tags.txt index 16071038..b8a15396 100644 --- a/cddl/cbor-tags.txt +++ b/cddl/cbor-tags.txt @@ -1,4 +1,4 @@ -tagged-concise-rim-type-choice = #6.500($concise-rim-type-choice) +tagged-concise-rim-type-choice = #6.500(concise-rim-type-choice) tagged-corim-map = #6.501(corim-map) tagged-signed-corim = #6.502(signed-corim) tagged-concise-swid-tag = #6.505(bytes .cbor concise-swid-tag) diff --git a/cddl/corim.cddl b/cddl/corim.cddl index 71835670..3fe87c2f 100644 --- a/cddl/corim.cddl +++ b/cddl/corim.cddl @@ -1,4 +1,4 @@ -corim = tagged-concise-rim-type-choice - -$concise-rim-type-choice /= tagged-corim-map -$concise-rim-type-choice /= tagged-signed-corim +corim = (tagged-concise-rim-type-choice / concise-rim-type-choice) +concise-rim-type-choice /= tagged-corim-map +concise-rim-type-choice /= tagged-signed-corim +concise-rim-type-choice /= signed-corim diff --git a/cddl/examples/corim-3.diag b/cddl/examples/corim-3.diag new file mode 100644 index 00000000..500d2f5c --- /dev/null +++ b/cddl/examples/corim-3.diag @@ -0,0 +1,48 @@ +/ corim-map / 501({ + / corim.id / 0 : h'284e6c3e5d9f4f6b851f5a4247f243a7', + / corim.tags / 1 : [ + / concise-mid-tag / 506( << + / concise-mid-tag / { + / comid.tag-identity / 1 : { + / comid.tag-id / 0 : h'3f06af63a93c11e4979700505690773f' + }, + / comid.entity / 2 : [ { + / comid.entity-name / 0 : "ACME Inc.", + / comid.reg-id / 1 : 32("https://acme.example"), + / comid.role / 2 : [ 0 ] / tag-creator / + } ], + / comid.triples / 4 : { + / comid.reference-triples / 0 : [ [ + / environment-map / { + / comid.class / 0 : { + / comid.class-id / 0 : + / tagged-uuid-type / 37( + h'67b28b6c34cc40a19117ab5b05911e37' + ), + / comid.vendor / 1 : "ACME Inc.", + / comid.model / 2 : "ACME RoadRunner", + / comid.layer / 3 : 1 + } + }, + [ + / measurement-map / { + / comid.mval / 1 : { + / comid.ver / 0 : { + / comid.version / 0 : "1.0.0", + / comid.version-scheme / 1 : 16384 / semver / + }, + / comid.digests / 2 : [ [ + / hash-alg-id / 1, / sha256 / + / hash-value / h'44aa336af4cb14a879432e53dd6571c7fa9bccafb75f488259262d6ea3a4d91b' + ] ] + } + } + ] + ] ] + } + } + >> ) + ] + } +) + diff --git a/cddl/examples/corim-4.diag b/cddl/examples/corim-4.diag new file mode 100644 index 00000000..30fd3f09 --- /dev/null +++ b/cddl/examples/corim-4.diag @@ -0,0 +1,62 @@ +/ signed-corim / 18([ + / protected / << + { + / alg: / 1: / ECDSA with SHA-384 / -35, + / content-type: / 3: "application/corim-unsigned+cbor", + / kid: / 4: h'f8ccd2b49fdba32cd94498030fdc8e5010358919', + / corim-meta: / 8: << { + / signer: / 0: { + / signer-name: / 0: "ACME Ltd." + } + } >> + } + >>, + / unprotected-corim-header-map / {}, + / payload / << / corim-map / { + / corim.id / 0 : h'284e6c3e5d9f4f6b851f5a4247f243a7', + / corim.tags / 1 : [ + / concise-mid-tag / 506( << + / concise-mid-tag / { + / comid.tag-identity / 1 : { + / comid.tag-id / 0 : h'3f06af63a93c11e4979700505690773f' + }, + / comid.entity / 2 : [ { + / comid.entity-name / 0 : "ACME Inc.", + / comid.reg-id / 1 : 32("https://acme.example"), + / comid.role / 2 : [ 0 ] / tag-creator / + } ], + / comid.triples / 4 : { + / comid.reference-triples / 0 : [ [ + / environment-map / { + / comid.class / 0 : { + / comid.class-id / 0 : + / tagged-uuid-type / 37( + h'67b28b6c34cc40a19117ab5b05911e37' + ), + / comid.vendor / 1 : "ACME Inc.", + / comid.model / 2 : "ACME RoadRunner", + / comid.layer / 3 : 1 + } + }, + [ + / measurement-map / { + / comid.mval / 1 : { + / comid.ver / 0 : { + / comid.version / 0 : "1.0.0", + / comid.version-scheme / 1 : 16384 / semver / + }, + / comid.digests / 2 : [ [ + / hash-alg-id / 1, / sha256 / + / hash-value / h'44aa336af4cb14a879432e53dd6571c7fa9bccafb75f488259262d6ea3a4d91b' + ] ] + } + } + ] + ] ] + } + } + >> ) + ] + } >>, + / signature / h'30650231009b98c7426d49d565c14df770dd3c0844a2b61d3573bdef2cea8495109b2e7f1d7e16d9109c70bc003d8a10b90787ec5e0230654242537fe8194ce8666d3fd907931329722dd065df11e14d6125b5f30dce54a26f7c7f69faa9dd977cee48a6bd087a' +]) diff --git a/cddl/examples/testcert.pem b/cddl/examples/testcert.pem new file mode 100644 index 00000000..7d556387 --- /dev/null +++ b/cddl/examples/testcert.pem @@ -0,0 +1,14 @@ +-----BEGIN CERTIFICATE----- +MIICHzCCAaWgAwIBAgIUSqLyKszXuswGerHhgl6QpGUq68IwCgYIKoZIzj0EAwMw +PDETMBEGA1UECAwKVGVzdCBTdGF0ZTESMBAGA1UECgwJQUNNRSBMdGQuMREwDwYD +VQQDDAhUZXN0IGtleTAeFw0yNDEwMjMyMDEwMzlaFw0yNTEwMjMyMDEwMzlaMDwx +EzARBgNVBAgMClRlc3QgU3RhdGUxEjAQBgNVBAoMCUFDTUUgTHRkLjERMA8GA1UE +AwwIVGVzdCBrZXkwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAASZHfQ1cN6CZPoEBc2N +AhhwULJVVuXOQ5H/EAC9SWHMYA9a5geCLjCH6xuNWUdYpvFagaa+YOEOA0wh6aNH +0eujJ9d8aGp9qaWCAgB4Ojpt2Tz2/Sx9uMIBZ1EiTZTK/7SjaDBmMB0GA1UdDgQW +BBT4zNK0n9ujLNlEmAMP3I5QEDWJGTAfBgNVHSMEGDAWgBT4zNK0n9ujLNlEmAMP +3I5QEDWJGTAPBgNVHRMBAf8EBTADAQH/MBMGA1UdJQQMMAoGCCsGAQUFBwMDMAoG +CCqGSM49BAMDA2gAMGUCMQCog6Xv+HWlQucSceLN04jOuv7CT/jAtsEdE+QcgRmB +yntTntSiYh72QlaqailaoRwCMFClkUId76JG13C3qlRe8JAwuH7ofWDC3nzBH0CD +cMqrMt8lCAKK7ZT5YvWrD7lNIQ== +-----END CERTIFICATE----- diff --git a/cddl/examples/testkey.pem b/cddl/examples/testkey.pem new file mode 100644 index 00000000..06eefc94 --- /dev/null +++ b/cddl/examples/testkey.pem @@ -0,0 +1,6 @@ +-----BEGIN PRIVATE KEY----- +MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDCY7ga4U2WsZVOoDHvk +rbcUumkt7N0QTSdCUIVyFzLkSO3X15uty74E4djA2Vrg8GKhZANiAASZHfQ1cN6C +ZPoEBc2NAhhwULJVVuXOQ5H/EAC9SWHMYA9a5geCLjCH6xuNWUdYpvFagaa+YOEO +A0wh6aNH0eujJ9d8aGp9qaWCAgB4Ojpt2Tz2/Sx9uMIBZ1EiTZTK/7Q= +-----END PRIVATE KEY----- diff --git a/cddl/tagged-concise-rim-type-choice.cddl b/cddl/tagged-concise-rim-type-choice.cddl index 38a7c983..6bd36a64 100644 --- a/cddl/tagged-concise-rim-type-choice.cddl +++ b/cddl/tagged-concise-rim-type-choice.cddl @@ -1,2 +1,2 @@ -tagged-concise-rim-type-choice = #6.500($concise-rim-type-choice) \ No newline at end of file +tagged-concise-rim-type-choice = #6.500(concise-rim-type-choice) \ No newline at end of file diff --git a/draft-ietf-rats-corim.md b/draft-ietf-rats-corim.md index d4db4631..0462b8ff 100644 --- a/draft-ietf-rats-corim.md +++ b/draft-ietf-rats-corim.md @@ -259,7 +259,7 @@ For more detail, see {{sec-corim-profile-types}}. A CoRIM can be signed ({{sec-corim-signed}}) using COSE Sign1 to provide end-to-end security to the CoRIM contents. When CoRIM is signed, the protected header carries further identifying information about the CoRIM signer. -Alternatively, CoRIM can be encoded as a CBOR-tagged payload ({{sec-corim-map}}) and transported over a secure channel. +Alternatively, CoRIM can be encoded as a #6.501 CBOR-tagged payload ({{sec-corim-map}}) and transported over a secure channel. The following CDDL describes the top-level CoRIM.