Verify key triples (#341)

* Added sections for key verification triples Added sections for key verification triples including updates to external representations, transformation section and processing section. Issue #330 also describes issue related to key type specific verification and how to represent it in internal representation. * Update attest-key-triple-record.cddl Update external representations to include authority and mkey as optional but useful condition information. * Update identity-triple-record.cddl Updated to include optional but useful condition information. * Update draft-ietf-rats-corim.md Co-authored-by: Dionna Amalie Glaze <[email protected]> * Update draft-ietf-rats-corim.md Co-authored-by: Dionna Amalie Glaze <[email protected]> * Update draft-ietf-rats-corim.md revert plural to singular voice * Update draft-ietf-rats-corim.md reverted text * change the order of fields in the record Avoids conflicts with exsiting fields. * Update draft-ietf-rats-corim.md Co-authored-by: Dionna Amalie Glaze <[email protected]> * Update draft-ietf-rats-corim.md Co-authored-by: Dionna Amalie Glaze <[email protected]> * Apply suggestions from code review Co-authored-by: Dionna Amalie Glaze <[email protected]> * Update cddl/attest-key-triple-record.cddl Co-authored-by: Henk Birkholz <[email protected]> * Added conditions map Added map containing mkey and authorized-by conditions. * Update comid-5.diag added examples for identity and attest-key triples that exercises the optional conditions map * Update spec to reflect cddl changes Added option map to attest-key and identity triples to include conditions for mkey and authorized-by * Update comid-5.diag Added section for reference-values triple that identifies keys as being measurements. A subsequent identity-triple example matches it so that key verify process will be applied. * Apply suggestions from code review * Create intrep-key.cddl add file to define typed keys * Create intrep-start.cddl added start file for intrep * Update corim-frags.mk added intrep-start.cddl and intrep-key.cddl to corim-frags.mk * Update corim-frags.mk Added frags to enable intrep autogen to build * Update intrep-ect.cddl Modified ECT to use code points as the alternative wouldn't build * Update intrep-key.cddl Created extension to measurement-values-map to support attest and identity key types. * Update intrep-start.cddl created a start cddl file to focus testing on ECT * ECT examples created Created examples to test ECT structure * Update Makefile Added target for internal representation examples * Update intrep-3.diag changed cmtype to be endorsements * Update intrep-key.cddl Added 's' to intrep-key to indicate it is a list of keys. * Updated key verification sections ...to reflect use of internal representation of attest-keys and identity-keys. * Update Makefile Fixing a tooling error * Update Gemfile Changed to use latest cddl version * Update draft-ietf-rats-corim.md Co-authored-by: Dionna Amalie Glaze <[email protected]> * Update draft-ietf-rats-corim.md Co-authored-by: Thomas Fossati <[email protected]> * Update draft-ietf-rats-corim.md restructured identity and attest key triples to accommodate Dionna's feedback and to improve readability. Updated Phase 5 wording to be less prescriptive and more conceptual. * revert intrep-ect.cddl Signed-off-by: Thomas Fossati <[email protected]> * intrep-key changes to follow convention Changed intrep-key to follow internal representation convention that uses text keys instead of numeric. --------- Signed-off-by: Thomas Fossati <[email protected]> Co-authored-by: Dionna Amalie Glaze <[email protected]> Co-authored-by: Yogesh Deshpande <[email protected]> Co-authored-by: Henk Birkholz <[email protected]> Co-authored-by: Thomas Fossati <[email protected]>
ietf-rats-wg · Dec 11, 2024 · 9895d55 · 9895d55
1 parent 50960a3
commit 9895d55
Show file tree

Hide file tree

Showing 12 changed files with 342 additions and 37 deletions.
diff --git a/Gemfile b/Gemfile
@@ -1,5 +1,5 @@
 source 'https://rubygems.org'
 
 gem 'json_pure'
-gem 'cddl', '>=0.12.5'
+gem 'cddl', '>=0.12.6'
 gem 'cbor-diag', '>=0.8.7'
diff --git a/Makefile b/Makefile
@@ -14,7 +14,7 @@ include cddl/corim-frags.mk
 
 define cddl_targets
 
-$(drafts_xml):: cddl/$(1)-autogen.cddl
+$(drafts_xml): cddl/$(1)-autogen.cddl
 
 cddl/$(1)-autogen.cddl: $(addprefix cddl/,$(2))
 	$(MAKE) -C cddl check-$(1)
@@ -24,6 +24,7 @@ endef # cddl_targets
 
 $(eval $(call cddl_targets,corim,$(CORIM_FRAGS)))
 $(eval $(call cddl_targets,comid,$(COMID_FRAGS)))
+$(eval $(call cddl_targets,intrep,$(INTREP_FRAGS)))
 
 cddl/concise-swid-tag.cddl: ; $(MAKE) -C cddl $(notdir $@)
 

diff --git a/cddl/attest-key-triple-record.cddl b/cddl/attest-key-triple-record.cddl
@@ -1,4 +1,8 @@
 attest-key-triple-record = [
-  environment-map
-  [ + $crypto-key-type-choice ]
+  environment: environment-map
+  key-list: [ + $crypto-key-type-choice ]
+  ? conditions: non-empty< {
+    ? &(mkey: 0) => $measured-element-type-choice,
+    ? &(authorized-by: 1) => [ + $crypto-key-type-choice ]
+  }>
 ]
diff --git a/cddl/corim-frags.mk b/cddl/corim-frags.mk
@@ -77,7 +77,8 @@ CORIM_FRAGS += $(COMID_FRAGS)
 
 CORIM_EXAMPLES := $(wildcard examples/corim-*.diag)
 
-INTREP_FRAGS := intrep-acs.cddl
+INTREP_FRAGS := intrep-start.cddl
+INTREP_FRAGS += intrep-acs.cddl
 INTREP_FRAGS += intrep-ae.cddl
 INTREP_FRAGS += intrep-ar.cddl
 INTREP_FRAGS += intrep-ars.cddl
@@ -86,6 +87,7 @@ INTREP_FRAGS += intrep-ev.cddl
 INTREP_FRAGS += intrep-policy.cddl
 INTREP_FRAGS += intrep-rv.cddl
 INTREP_FRAGS += intrep-claims-map.cddl
+INTREP_FRAGS += intrep-key.cddl
 # deps
 INTREP_FRAGS += non-empty.cddl
 INTREP_FRAGS += environment-map.cddl
@@ -102,5 +104,11 @@ INTREP_FRAGS += ip-addr-type-choice.cddl
 INTREP_FRAGS += ueid.cddl
 INTREP_FRAGS += uuid.cddl
 INTREP_FRAGS += integrity-registers.cddl
+INTREP_FRAGS += crypto-key-type-choice.cddl
+INTREP_FRAGS += profile-type-choice.cddl
+INTREP_FRAGS += cose-key.cddl
+INTREP_FRAGS += cose-label-and-value.cddl
+INTREP_FRAGS += class-id-type-choice.cddl
+INTREP_FRAGS += oid.cddl
 
 INTREP_EXAMPLES := $(wildcard examples/intrep-*.diag)
diff --git a/cddl/examples/comid-5.diag b/cddl/examples/comid-5.diag
@@ -3,6 +3,27 @@
     / comid.tag-id / 0 : h'3f06af63a93c11e4979700505690773f'
   },
   / comid.triples / 4 : {
+    / reference-triples / 0 : [
+      [
+        / environment-map / {
+          / class / 0 : {
+            / class-id / 0 :
+              / tagged-uuid-type / 37( h'67b28b6c34cc40a19117ab5b05911e39' )
+          }
+        },
+        [
+          / measurement-map / {
+            / mkey / 0 : "thing 2",
+            / mval / 1 : {
+              / cryptokeys / 13 : [
+                / tagged-pkix-base64-cert-path-type / 556("base64_cert_path_X"),
+                / tagged-pkix-base64-cert-path-type / 556("base64_cert_path_Y")
+              ]
+            }
+          }
+        ]
+      ]
+    ],
     / identity-triples / 2 : [ 
       [
         / environment-map / {
@@ -16,10 +37,10 @@
             / layer / 3 : 1
           }
         },
-        [
+        / key-list / [
           / tagged-pkix-base64-key-type / 554("base64_key_X"),
-          / tagged-pkix-base64-cert-type / 555("base64_cert"),
-          / tagged-pkix-base64-cert-path-type / 556("base64_cert_path"),
+          / tagged-pkix-base64-cert-type / 555("base64_cert_Y"),
+          / tagged-pkix-base64-cert-path-type / 556("base64_cert_path_Z"),
           / tagged-thumbprint-type / 557([
             / alg / 1, / sha256 /
             / value / h'44aa336af4cb14a879432e53dd6571c7fa9bccafb75f488259262d6ea3a4d91b'
@@ -38,6 +59,130 @@
             / value / h'66aa336af4cb14a879432e53dd6571c7fa9bccafb75f488259262d6ea3a4d91b'
           ])
         ]
+      ],
+      [
+        / environment-map / {
+          / class / 0 : {
+            / class-id / 0 :
+              / tagged-uuid-type / 37( h'67b28b6c34cc40a19117ab5b05911e38' )
+          }
+        },
+        / key-list / [
+          / tagged-pkix-base64-cert-path-type / 556("base64_cert_path_X"),
+          / tagged-pkix-base64-cert-path-type / 556("base64_cert_path_Y")
+        ],
+        / conditions / {
+          / mkey / 0 : "thing 1"
+        }
+      ],
+      [
+        / environment-map / {
+          / class / 0 : {
+            / class-id / 0 :
+              / tagged-uuid-type / 37( h'67b28b6c34cc40a19117ab5b05911e39' )
+          }
+        },
+        / key-list / [
+          / tagged-pkix-base64-cert-path-type / 556("base64_cert_path_X"),
+          / tagged-pkix-base64-cert-path-type / 556("base64_cert_path_Y")
+        ],
+        / conditions / {
+          / mkey / 0 : "thing 2",
+          / authorized-by / 1: [
+            / tagged-pkix-base64-cert-path-type / 556("base64_cert_path_A"),
+            / tagged-pkix-base64-cert-path-type / 556("base64_cert_path_B")
+          ]
+        }
+      ],
+      [
+        / environment-map / {
+          / class / 0 : {
+            / class-id / 0 :
+              / tagged-uuid-type / 37( h'67b28b6c34cc40a19117ab5b05911e40' )
+          }
+        },
+        / key-list / [
+          / tagged-pkix-base64-cert-path-type / 556("base64_cert_path_X"),
+          / tagged-pkix-base64-cert-path-type / 556("base64_cert_path_Y")
+        ],
+        / conditions / {
+          / authorized-by / 1: [
+            / tagged-pkix-base64-cert-path-type / 556("base64_cert_path_A"),
+            / tagged-pkix-base64-cert-path-type / 556("base64_cert_path_B")
+          ]
+        }
+      ]
+    ],
+    / attest-key-triples / 3 : [ 
+      [
+        / environment-map / {
+          / class / 0 : {
+            / class-id / 0 :
+              / tagged-uuid-type / 37(
+                h'67b28b6c34cc40a19117ab5b05911e37'
+              ),
+            / vendor / 1 : "ACME Inc.",
+            / model / 2 : "ACME RoadRunner",
+            / layer / 3 : 1
+          }
+        },
+        / key-list / [
+          / tagged-pkix-base64-key-type / 554("base64_key_X"),
+          / tagged-pkix-base64-cert-type / 555("base64_cert_Y"),
+          / tagged-pkix-base64-cert-path-type / 556("base64_cert_path_Z")
+        ]
+      ],
+      [
+        / environment-map / {
+          / class / 0 : {
+            / class-id / 0 :
+              / tagged-uuid-type / 37( h'67b28b6c34cc40a19117ab5b05911e30' )
+          }
+        },
+        / key-list / [
+          / tagged-pkix-base64-cert-path-type / 556("base64_cert_path_X"),
+          / tagged-pkix-base64-cert-path-type / 556("base64_cert_path_Y")
+        ],
+        / conditions / {
+          / mkey / 0 : "thing 1"
+        }
+      ],
+      [
+        / environment-map / {
+          / class / 0 : {
+            / class-id / 0 :
+              / tagged-uuid-type / 37( h'67b28b6c34cc40a19117ab5b05911e31' )
+          }
+        },
+        / key-list / [
+          / tagged-pkix-base64-cert-path-type / 556("base64_cert_path_X"),
+          / tagged-pkix-base64-cert-path-type / 556("base64_cert_path_Y")
+        ],
+        / conditions / {
+          / mkey / 0 : "thing 2",
+          / authorized-by / 1: [
+            / tagged-pkix-base64-cert-path-type / 556("base64_cert_path_A"),
+            / tagged-pkix-base64-cert-path-type / 556("base64_cert_path_B")
+          ]
+        }
+      ],
+      [
+        / environment-map / {
+          / class / 0 : {
+            / class-id / 0 :
+              / tagged-uuid-type / 37( h'67b28b6c34cc40a19117ab5b05911e32' )
+          }
+        },
+        / key-list / [
+          / tagged-pkix-base64-cert-path-type / 556("base64_cert_path_X"),
+          / tagged-pkix-base64-cert-path-type / 556("base64_cert_path_Y")
+        ],
+        / conditions / {
+          / authorized-by / 1: [
+            / tagged-pkix-base64-cert-path-type / 556("base64_cert_path_A"),
+            / tagged-pkix-base64-cert-path-type / 556("base64_cert_path_B")
+          ]
+        }
       ]
     ]
   }

diff --git a/cddl/examples/intrep-1.diag b/cddl/examples/intrep-1.diag
@@ -0,0 +1,4 @@
+/ ECT / {
+  "cmtype" : 2
+}
+
diff --git a/cddl/examples/intrep-2.diag b/cddl/examples/intrep-2.diag
@@ -0,0 +1,9 @@
+/ ECT / {
+  "environment" : {
+    / class / 0 : {
+      / class-id / 0 :
+        / tagged-uuid-type / 37( h'67b28b6c34cc40a19117ab5b05911e37' )
+    }
+  },
+  "cmtype" : 1
+}
diff --git a/cddl/examples/intrep-3.diag b/cddl/examples/intrep-3.diag
@@ -0,0 +1,32 @@
+/ ECT / {
+  "environment" : {
+    / class / 0 : {
+      / class-id / 0 :
+        / tagged-uuid-type / 37( h'67b28b6c34cc40a19117ab5b05911e37' )
+    }
+  },
+  "element-list" : [
+    / element-map / {
+      "element-claims" : {
+        / ver / 0 : {
+          / version / 0 : "1.0.0"
+        },
+        / digests / 2 : [ [
+          / hash-alg-id / 1, / sha256 /
+          / hash-value / h'44aa336af4cb14a879432e53dd6571c7fa9bccafb75f488259262d6ea3a4d91b'
+        ] ],
+        / intrep-key / 65534 : [
+          / typed-crypto-key / {
+            "key": 556("base64_cert_path_X"),
+            "key-type": 1
+          },
+          / typed-crypto-key / {
+            "key": 554("base64_key_Y"),
+            "key-type": 2
+          }
+        ]
+      }
+    }
+  ],
+  "cmtype" : 2
+}
diff --git a/cddl/identity-triple-record.cddl b/cddl/identity-triple-record.cddl
@@ -1,4 +1,8 @@
 identity-triple-record = [
-  environment-map
-  [ + $crypto-key-type-choice ]
-]
+  environment: environment-map
+  key-list: [ + $crypto-key-type-choice ]
+  ? conditions: non-empty<{
+    ? &(mkey: 0) => $measured-element-type-choice,
+    ? &(authorized-by: 1) => [ + $crypto-key-type-choice ] 
+  }>
+]
diff --git a/cddl/intrep-key.cddl b/cddl/intrep-key.cddl
@@ -0,0 +1,14 @@
+$$measurement-values-map-extension //= (
+  &(intrep-keys: 65534) => [ + typed-crypto-key ]
+)
+
+typed-crypto-key = {
+  key: $crypto-key-type-choice
+  ? key-type: uint .bits key-type
+}
+
+key-type = &(
+  attest-key: 0
+  identity-key: 1
+)
+
diff --git a/cddl/intrep-start.cddl b/cddl/intrep-start.cddl
@@ -0,0 +1 @@
+start = ECT