corim henkgen
Henk Birkholz edited this page Jun 25, 2024
There is also a new CDDL fragment, Endorsement-Record; it is not part of the listing below (the closest rules shown are `endorsed-triple-record = ECT` and the commented-out `reference-triple-record = ECT`).
; Top-level CoRIM: a tag-500 wrapper (tagged-concise-rim-type-choice) around
; either an unsigned corim-map (tag 501) or a signed CoRIM (tag 502).
; NOTE(review): the unsigned alternative carries no signer information --
; corim-meta-map only exists inside the COSE protected header -- so a
; verifier that accepts tagged-corim-map directly has nothing in the
; schema to authenticate the content against.
corim = tagged-concise-rim-type-choice
$concise-rim-type-choice /= tagged-corim-map
$concise-rim-type-choice /= tagged-signed-corim
; Concise BOM tag: its own identity (0), the identities of the tags it
; aggregates (1, at least one) and a mandatory validity window (2).
; Further entries are admitted through the extension socket.
concise-bom-tag = {
&(tag-identity: 0) => tag-identity-map
&(tags-list: 1) => [ + tag-identity-map ],
&(bom-validity: 2) => validity-map
* $$concise-bom-tag-extension
}
; A CoRIM carries CoSWID (tag 505), CoMID (506) or CoBOM (508) tags, each
; as a tagged byte string holding embedded CBOR (see the tagged-* rules).
$concise-tag-type-choice /= tagged-concise-swid-tag
$concise-tag-type-choice /= tagged-concise-mid-tag
$concise-tag-type-choice /= tagged-concise-bom-tag
; CoRIM entity: the generic entity-map instantiated with the CoRIM role
; socket (only manifest-creator is registered in this fragment).
corim-entity-map =
entity-map<$corim-role-type-choice, $$corim-entity-map-extension>
; CoRIM identifier: free text or a 16-byte UUID. The tstr form is
; unconstrained, so uniqueness is not something the schema guarantees.
$corim-id-type-choice /= tstr
$corim-id-type-choice /= uuid-type
; Locator for a dependent RIM: a URI plus an optional digest of the
; referenced content. NOTE(review): the thumbprint is optional, so
; without it the dependent RIM is bound only by its URI and the schema
; gives a verifier no way to check that what it fetched is what the
; issuer meant.
corim-locator-map = {
&(href: 0) => uri
? &(thumbprint: 1) => digest
}
; The CoRIM payload. Required: id (0) and at least one tag (1).
; Optional: locators of dependent RIMs (2), a profile URI/OID (3),
; a validity window (4) and the responsible entities (5). Unknown
; integer keys are admitted through the extension socket.
corim-map = {
&(id: 0) => $corim-id-type-choice
&(tags: 1) => [ + $concise-tag-type-choice ]
? &(dependent-rims: 2) => [ + corim-locator-map ]
? &(profile: 3) => $profile-type-choice
? &(rim-validity: 4) => validity-map
? &(entities: 5) => [ + corim-entity-map ]
* $$corim-map-extension
}
; Signer metadata. It travels inside the COSE protected header
; (protected-corim-header-map key 8), so it is covered by the signature.
; signature-validity bounds the signature and is separate from the
; payload's rim-validity.
corim-meta-map = {
&(signer: 0) => corim-signer-map
? &(signature-validity: 1) => validity-map
}
$corim-role-type-choice /= &(manifest-creator: 1)
; Signer description: a name plus an optional URI. NOTE(review): this is
; informational text; the cryptographic identity of the signer is the kid
; in the protected header, and how kid is resolved to a key is outside
; this schema.
corim-signer-map = {
&(signer-name: 0) => $entity-name-type-choice
? &(signer-uri: 1) => uri
* $$corim-signer-map-extension
}
; COSE_Sign1 array specialised for CoRIM: the protected header is a
; serialised protected-corim-header-map, the payload is a serialised
; tagged-corim-map (tag 501), and the signature is an opaque byte string
; whose algorithm is named by the protected alg parameter.
COSE-Sign1-corim = [
protected: bstr .cbor protected-corim-header-map
unprotected: unprotected-corim-header-map
payload: bstr .cbor tagged-corim-map
signature: bstr
]
; Profile identifier: a URI or an OID (tag 111, see tagged-oid-type).
$profile-type-choice /= uri
$profile-type-choice /= tagged-oid-type
; Signed (protected) COSE header parameters, all four mandatory:
;   1 alg          signature algorithm, integer identifier only (no tstr)
;   3 content-type fixed to the unsigned CoRIM media type
;   4 kid          key identifier, opaque bytes (lookup is out of scope)
;   8 corim-meta   serialised corim-meta-map (signer + signature validity)
; The trailing wildcard admits any other COSE label. NOTE(review): the
; schema constrains only the type of alg, not its value; a verifier still
; needs its own allow-list of acceptable algorithms.
protected-corim-header-map = {
&(alg: 1) => int
&(content-type: 3) => "application/corim-unsigned+cbor"
&(kid: 4) => bstr
&(corim-meta: 8) => bstr .cbor corim-meta-map
* cose-label => cose-value
}
; CBOR tag assignments used by CoRIM:
;   18  COSE_Sign1          500 CoRIM (outer)      501 unsigned corim-map
;   502 signed CoRIM        505 CoSWID tag         506 CoMID tag
;   508 CoBOM tag
; The 505/506/508 wrappers tag a byte string whose content is embedded
; CBOR (bytes .cbor), so each contained tag is decoded in a second pass.
signed-corim = #6.18(COSE-Sign1-corim)
tagged-corim-map = #6.501(corim-map)
tagged-concise-rim-type-choice = #6.500($concise-rim-type-choice)
tagged-signed-corim = #6.502(signed-corim)
tagged-concise-swid-tag = #6.505(bytes .cbor concise-swid-tag)
tagged-concise-mid-tag = #6.506(bytes .cbor concise-mid-tag)
tagged-concise-bom-tag = #6.508(bytes .cbor concise-bom-tag)
; Unprotected COSE header: any label, any value. NOTE(review): nothing in
; this map is covered by the signature, so a verifier must not take
; security decisions (algorithm, key selection, validity) from it.
unprotected-corim-header-map = {
* cose-label => cose-value
}
; Validity window. not-before (0) is optional, so a window may be open at
; the start; not-after (1) is mandatory. NOTE(review): both are CBOR time
; values and are only meaningful when compared against a clock the
; consumer trusts.
validity-map = {
? &(not-before: 0) => time
&(not-after: 1) => time
}
; CoMID tag body: tag-identity (1) and triples (4) are required; language,
; entities and linked-tags are optional; other keys enter via the socket.
concise-mid-tag = {
? &(language: 0) => text
&(tag-identity: 1) => tag-identity-map
? &(entities: 2) => [ + comid-entity-map ]
? &(linked-tags: 3) => [ + linked-tag-map ]
&(triples: 4) => triples-map
* $$concise-mid-tag-extension
}
; Accepted claims set: state triples (0) are required; identity (1) and
; CoSWID (2) triples are optional.
; NOTE(review): ev-coswid-triple-record is referenced here but is not
; defined anywhere in this fragment (only coswid-triple-record is).
accepted-claims-set = {
&(state-triples: 0) => [ + endorsed-triple-record ]
? &(identity-triples: 1) => [ + identity-triple-record ]
? &(coswid-triples: 2) => [ + ev-coswid-triple-record ]
* $$accepted-claims-set-extension
}
; Pairs an environment with one or more keys (presumably the keys that
; attest for that environment, going by the name).
attest-key-triple-record = [
environment-map
[ + $crypto-key-type-choice ]
]
; Class identifier: OID (tag 111), UUID (tag 37) or opaque tagged bytes (560).
$class-id-type-choice /= tagged-oid-type
$class-id-type-choice /= tagged-uuid-type
$class-id-type-choice /= tagged-bytes
; Class of an environment. Every member is optional individually, but the
; non-empty<> wrapper rejects an empty map.
class-map = non-empty<{
? &(class-id: 0) => $class-id-type-choice
? &(vendor: 1) => tstr
? &(model: 2) => tstr
? &(layer: 3) => uint
? &(index: 4) => uint
}>
; CoMID entity: entity-map with the CoMID role socket
; (tag-creator 0, creator 1, maintainer 2).
comid-entity-map =
entity-map<$comid-role-type-choice, $$comid-entity-map-extension>
$comid-role-type-choice /= &(tag-creator: 0)
$comid-role-type-choice /= &(creator: 1)
$comid-role-type-choice /= &(maintainer: 2)
; Conditional endorsement: a condition (one ECT or a list) and an addition,
; which may be either a bare measurement-values-map or a list of ECTs.
conditional-endorsement-triple-record = [
condition: ECT / [ + ECT ]
addition: measurement-values-map / [ + ECT ]
]
; Conditional endorsement series: one condition, then an ordered list of
; selection/addition records.
conditional-endorsement-series-triple-record = [
condition: ECT / [ + ECT ]
series: [ + conditional-series-record ]
]
conditional-series-record = [
selection: measurement-values-map / [ + ECT ]
addition: measurement-values-map / [ + ECT ]
]
; Environment-Claims Tuple. Each member is optional but the map must be
; non-empty. authority is a list of keys (presumably those vouching for the
; claims); message-type says which conceptual message (cm-type) the tuple
; belongs to; profile selects the profile the claims are expressed under.
; Note this map uses text keys, unlike the integer-keyed maps elsewhere.
ECT = non-empty<{
? environment: environment-map
? claims: measurement-map
? authority: [+ $crypto-key-type-choice]
? message-type: cm-type
? profile: $profile-type-choice
}>
; Conceptual message kinds an ECT can belong to (RATS roles).
cm-type = &(
reference-values: 0
endorsements: 1
evidence: 2
attestation-result: 3
verifier: 4
policy: 5
)
; COSE_Key with the common parameters (labels per RFC 9052: 1 kty, 2 kid,
; 3 alg, 4 key_ops, 5 Base IV); only kty (1) is required here and
; algorithm-specific parameters enter via the wildcard.
COSE_KeySet = [ + COSE_Key ]
COSE_Key = {
1 => tstr / int
? 2 => bstr
? 3 => tstr / int
? 4 => [+ (tstr / int) ]
? 5 => bstr
* cose-label => cose-value
}
; Generic COSE header label/value shapes.
cose-label = int / tstr
cose-value = any
; Links an environment (or ECTs) to the CoSWID tags that apply to it.
; A CoSWID tag-id is free text or a 16-byte UUID (matches concise-swid-tag).
coswid-triple-record = [
condition: environment-map / [ + ECT ]
addition: [ + concise-swid-tag-id ]
]
concise-swid-tag-id = text / bstr .size 16
; Ways to carry or reference a key:
;   554 PKIX key (base64 text)   555 PKIX cert (base64)   556 cert path (base64)
;   557 key thumbprint (digest)  558 COSE_Key or COSE_KeySet
;   559 cert thumbprint (digest) 561 cert-path thumbprint (digest)
; NOTE(review): the thumbprint forms are references, not key material --
; the consumer must already hold the matching key or certificate and
; compare the digest (the hash algorithm is carried in digest.alg).
; Tag 560 is tagged-bytes (defined further down) and is not a key type.
$crypto-key-type-choice /= tagged-pkix-base64-key-type
$crypto-key-type-choice /= tagged-pkix-base64-cert-type
$crypto-key-type-choice /= tagged-pkix-base64-cert-path-type
$crypto-key-type-choice /= tagged-cose-key-type
$crypto-key-type-choice /= tagged-thumbprint-type
$crypto-key-type-choice /= tagged-cert-thumbprint-type
$crypto-key-type-choice /= tagged-cert-path-thumbprint-type
tagged-pkix-base64-key-type = #6.554(tstr)
tagged-pkix-base64-cert-type = #6.555(tstr)
tagged-pkix-base64-cert-path-type = #6.556(tstr)
tagged-thumbprint-type = #6.557(digest)
tagged-cose-key-type = #6.558(COSE_KeySet / COSE_Key)
tagged-cert-thumbprint-type = #6.559(digest)
tagged-cert-path-thumbprint-type = #6.561(digest)
; Domain dependency: the trusted side (a domain id or ECTs) and the
; domains that trust it.
domain-dependency-triple-record = [
trusted-te: $domain-type-choice / [ + ECT ]
trusting-te: [ + $domain-type-choice ]
]
; Domain membership: a parent (domain id or ECT) and its children, each an
; environment or an ECT.
domain-membership-triple-record = [
parent-te: $domain-type-choice / ECT
child-te: [ + environment-map / ECT ]
]
; MEC endorsement triple is an alias of ev: conditions and additions, both
; ECT lists (no bare measurement-values-map form here, unlike the
; conditional-endorsement records).
mec-endorsement-triple-record = ev
ev = [
condition: [ + ECT ]
addition: [ + ECT ]
]
; Domain identifier: unsigned int, text, UUID or OID.
$domain-type-choice /= uint
$domain-type-choice /= text
$domain-type-choice /= tagged-uuid-type
$domain-type-choice /= tagged-oid-type
; An endorsed triple is just an ECT.
endorsed-triple-record = ECT
; Generic entity: a name (required), an optional registration URI and at
; least one role drawn from the instantiating role-type-choice.
entity-map<role-type-choice, extension-socket> = {
&(entity-name: 0) => $entity-name-type-choice
? &(reg-id: 1) => uri
&(role: 2) => [ + role-type-choice ]
* extension-socket
}
; Entity names are free text in this fragment.
$entity-name-type-choice /= text
; Environment: class, instance and/or group, all optional individually,
; but the non-empty<> wrapper requires at least one of them.
environment-map = non-empty<{
? &(class: 0) => class-map
? &(instance: 1) => $instance-id-type-choice
? &(group: 2) => $group-id-type-choice
}>
; Boolean properties of a measured environment. Every flag is optional.
; NOTE(review): an absent flag is "not stated", not false -- a policy that
; checks e.g. is-debug or is-secure must decide explicitly how to treat
; absence rather than defaulting it.
flags-map = {
? &(is-configured: 0) => bool
? &(is-secure: 1) => bool
? &(is-recovery: 2) => bool
? &(is-debug: 3) => bool
? &(is-replay-protected: 4) => bool
? &(is-integrity-protected: 5) => bool
? &(is-runtime-meas: 6) => bool
? &(is-immutable: 7) => bool
? &(is-tcb: 8) => bool
? &(is-confidentiality-protected: 9) => bool
* $$flags-map-extension
}
; Group identifier: UUID or opaque tagged bytes.
$group-id-type-choice /= tagged-uuid-type
$group-id-type-choice /= tagged-bytes
; Identity triple: an environment and the key(s) identifying it.
identity-triple-record = [
environment-map
[ + $crypto-key-type-choice ]
]
; Instance identifier: UEID (tag 550), UUID, any crypto-key form, or
; opaque tagged bytes.
$instance-id-type-choice /= tagged-ueid-type
$instance-id-type-choice /= tagged-uuid-type
$instance-id-type-choice /= $crypto-key-type-choice
$instance-id-type-choice /= tagged-bytes
; IP addresses as raw bytes: 4 (IPv4) or 16 (IPv6).
ip-addr-type-choice = ip4-addr-type / ip6-addr-type
ip4-addr-type = bytes .size 4
ip6-addr-type = bytes .size 16
; Link to another tag: its id plus the relationship (supplements/replaces).
linked-tag-map = {
&(linked-tag-id: 0) => $tag-id-type-choice
&(tag-rel: 1) => $tag-rel-type-choice
}
; MAC addresses as raw bytes: EUI-48 (6) or EUI-64 (8).
mac-addr-type-choice = eui48-addr-type / eui64-addr-type
eui48-addr-type = bytes .size 6
eui64-addr-type = bytes .size 8
; Key naming the measured element: OID, UUID or unsigned int.
$measured-element-type-choice /= tagged-oid-type
$measured-element-type-choice /= tagged-uuid-type
$measured-element-type-choice /= uint
; Measurement: optional element key, required value (either a values map
; or a list of ECTs) and optional keys of the parties authorising it.
; This map uses text keys.
measurement-map = {
? &(mkey: 0) => $measured-element-type-choice
&(mval: 1) => measurement-values-map / [ + ECT ]
? &(authorized-by: 2) => [ + $crypto-key-type-choice ]
}
; Measured values; all optional, at least one required (non-empty<>).
; raw-value-mask (5) is grouped with raw-value (4) and so only appears
; alongside it. svn is tagged (exact 552 vs minimum 553). Key 12 is not
; assigned in this fragment.
measurement-values-map = non-empty<{
? &(version: 0) => version-map
? &(svn: 1) => svn-type-choice
? &(digests: 2) => digests-type
? &(flags: 3) => flags-map
? (
&(raw-value: 4) => $raw-value-type-choice,
? &(raw-value-mask: 5) => raw-value-mask-type
)
? &(mac-addr: 6) => mac-addr-type-choice
? &(ip-addr: 7) => ip-addr-type-choice
? &(serial-number: 8) => text
? &(ueid: 9) => ueid-type
? &(uuid: 10) => uuid-type
? &(name: 11) => text
? &(cryptokeys: 13) => [ + $crypto-key-type-choice ]
? &(integrity-registers: 14) => integrity-registers
* $$measurement-values-map-extension
}>
; Generic wrappers that additionally require at least one entry.
non-empty<M> = (M) .and ({ + any => any })
non-empty-array<N> = (N) .and ([ + any ])
; OID as raw bytes under tag 111.
oid-type = bytes
tagged-oid-type = #6.111(oid-type)
; Raw measurement value (tagged bytes, 560) and its optional mask.
$raw-value-type-choice /= tagged-bytes
raw-value-mask-type = bytes
; NOTE(review): reference-triple-record is commented out here but is
; still referenced by triples-map (reference-triples), so the fragment as
; shown leaves that rule undefined.
; reference-triple-record = ECT
; stateful-environment-record = ECT
; Security version numbers: tag 552 is an exact SVN, 553 a minimum SVN.
svn-type = uint
svn = svn-type
min-svn = svn-type
tagged-svn = #6.552(svn)
tagged-min-svn = #6.553(min-svn)
svn-type-choice = tagged-svn / tagged-min-svn
; Tag identity: id (text or UUID) plus a version that defaults to 0.
$tag-id-type-choice /= tstr
$tag-id-type-choice /= uuid-type
tag-identity-map = {
&(tag-id: 0) => $tag-id-type-choice
? &(tag-version: 1) => tag-version-type
}
; Relationship of a linked tag to this one.
$tag-rel-type-choice /= &(supplements: 0)
$tag-rel-type-choice /= &(replaces: 1)
tag-version-type = uint .default 0
; Opaque bytes under tag 560.
tagged-bytes = #6.560(bytes)
; Triples carried by a CoMID; each kind is optional but the map must be
; non-empty. Key 7 is unassigned in this fragment. NOTE(review):
; reference-triple-record (key 0) has its definition commented out above,
; so it resolves to nothing in this listing.
triples-map = non-empty<{
? &(reference-triples: 0) =>
[ + reference-triple-record ]
? &(endorsed-triples: 1) =>
[ + endorsed-triple-record ]
? &(identity-triples: 2) =>
[ + identity-triple-record ]
? &(attest-key-triples: 3) =>
[ + attest-key-triple-record ]
? &(dependency-triples: 4) =>
[ + domain-dependency-triple-record ]
? &(membership-triples: 5) =>
[ + domain-membership-triple-record ]
? &(coswid-triples: 6) =>
[ + coswid-triple-record ]
? &(conditional-endorsement-series-triples: 8) =>
[ + conditional-endorsement-series-triple-record ]
? &(conditional-endorsement-triples: 9) =>
[ + conditional-endorsement-triple-record ]
? &(mec-endorsement-triples: 10) =>
[ + mec-endorsement-triple-record ]
? &(endorsed-claims-tuple: 11) =>
[ + ECT ]
* $$triples-map-extension
}>
; UEID: fixed at 33 bytes as written here (tag 550); UUID: 16 bytes (tag 37).
ueid-type = bytes .size 33
tagged-ueid-type = #6.550(ueid-type)
uuid-type = bytes .size 16
tagged-uuid-type = #6.37(uuid-type)
; Version string with an optional scheme (see $version-scheme below).
version-map = {
&(version: 0) => text
? &(version-scheme: 1) => $version-scheme
}
; Digest: [algorithm (int or text), value]. NOTE(review): alg is
; unconstrained here; consumers must reject algorithms they do not accept.
digest = [
alg: (int / text),
val: bytes
]
digests-type = [ + digest ]
; Integrity registers: register id (uint or text) -> one or more digests.
integrity-register-id-type-choice = uint / text
integrity-registers = {
+ integrity-register-id-type-choice => digests-type
}
; CoSWID tag. Required: tag-id, tag-version, software-name and at least
; one entity. A tag carries either a payload or evidence (group choice
; below), never both, and may omit both. Keys are the integer labels
; defined at the end of this listing.
concise-swid-tag = {
tag-id => text / bstr .size 16,
tag-version => integer,
? corpus => bool,
? patch => bool,
? supplemental => bool,
software-name => text,
? software-version => text,
? version-scheme => $version-scheme,
? media => text,
? software-meta => one-or-more<software-meta-entry>,
entity => one-or-more<entity-entry>,
? link => one-or-more<link-entry>,
? payload-or-evidence,
* $$coswid-extension,
global-attributes,
}
payload-or-evidence //= ( payload => payload-entry )
payload-or-evidence //= ( evidence => evidence-entry )
; Helper types shared by the CoSWID rules.
any-uri = uri
label = text / int
; Version scheme: the registered values below or any int/text.
$version-scheme /= multipartnumeric
$version-scheme /= multipartnumeric-suffix
$version-scheme /= alphanumeric
$version-scheme /= decimal
$version-scheme /= semver
$version-scheme /= int / text
; Arbitrary attribute: a label mapped to one or more text or int values.
any-attribute = (
label => one-or-more<text> / one-or-more<int>
)
; Either a single T or an array of two or more T.
one-or-more<T> = T / [ 2* T ]
global-attributes = (
? lang => text,
* any-attribute,
)
; Hash as [algorithm id, value]; the id is an unconstrained int here.
hash-entry = [
hash-alg-id: int,
hash-value: bytes,
]
; CoSWID entity: name and at least one role required; reg-id and a
; thumbprint (hash-entry) optional.
entity-entry = {
entity-name => text,
? reg-id => any-uri,
role => one-or-more<$role>,
? thumbprint => hash-entry,
* $$entity-extension,
global-attributes,
}
; Entity roles: the registered names below or any int/text.
$role /= tag-creator
$role /= software-creator
$role /= aggregator
$role /= distributor
$role /= licensor
$role /= maintainer
$role /= int / text
; CoSWID link: href and rel are required, the rest optional.
link-entry = {
? artifact => text,
href => any-uri,
? media => text,
? ownership => $ownership,
rel => $rel,
? media-type => text,
? use => $use,
* $$link-extension,
global-attributes,
}
$ownership /= shared
$ownership /= private
$ownership /= abandon
$ownership /= int / text
; Link relationship: registered names, an int in -256..64436 (as written
; here), or text.
$rel /= ancestor
$rel /= component
$rel /= feature
$rel /= installationmedia
$rel /= packageinstaller
$rel /= parent
$rel /= patches
$rel /= requires
$rel /= see-also
$rel /= supersedes
$rel /= supplemental
$rel /= -256..64436 / text
$use /= optional
$use /= required
$use /= recommended
$use /= int / text
; Descriptive software metadata; every member is optional.
software-meta-entry = {
? activation-status => text,
? channel-type => text,
? colloquial-version => text,
? description => text,
? edition => text,
? entitlement-data-required => bool,
? entitlement-key => text,
? generator => text / bstr .size 16,
? persistent-id => text,
? product => text,
? product-family => text,
? revision => text,
? summary => text,
? unspsc-code => text,
? unspsc-version => text,
* $$software-meta-extension,
global-attributes,
}
; File-system items described by a payload or evidence entry.
path-elements-group = ( ? directory => one-or-more<directory-entry>,
? file => one-or-more<file-entry>,
)
resource-collection = (
path-elements-group,
? process => one-or-more<process-entry>,
? resource => one-or-more<resource-entry>,
* $$resource-collection-extension,
)
; File: NOTE(review): hash is optional, so a file-entry without one names
; the file but does not pin its content.
file-entry = {
filesystem-item,
? size => uint,
? file-version => text,
? hash => hash-entry,
* $$file-extension,
global-attributes,
}
; Directory, optionally nesting further path elements.
directory-entry = {
filesystem-item,
? path-elements => { path-elements-group },
* $$directory-extension,
global-attributes,
}
process-entry = {
process-name => text,
? pid => integer,
* $$process-extension,
global-attributes,
}
resource-entry = {
type => text,
* $$resource-extension,
global-attributes,
}
; Common file-system item fields; only fs-name is required.
filesystem-item = (
? key => bool,
? location => text,
fs-name => text,
? root => text,
)
; Payload: what the tag says is (expected to be) installed.
payload-entry = {
resource-collection,
* $$payload-extension,
global-attributes,
}
; Evidence: what was observed, with optional collection time, device id
; and location.
evidence-entry = {
resource-collection,
? date => integer-time,
? device-id => text,
? location => text,
* $$evidence-extension,
global-attributes,
}
; Epoch-based time (CBOR tag 1) restricted to integers.
integer-time = #6.1(int)
; Integer labels for the CoSWID map keys used above (30 is unassigned here).
tag-id = 0
software-name = 1
entity = 2
evidence = 3
link = 4
software-meta = 5
payload = 6
hash = 7
corpus = 8
patch = 9
media = 10
supplemental = 11
tag-version = 12
software-version = 13
version-scheme = 14
lang = 15
directory = 16
file = 17
process = 18
resource = 19
size = 20
file-version = 21
key = 22
location = 23
fs-name = 24
root = 25
path-elements = 26
process-name = 27
pid = 28
type = 29
entity-name = 31
reg-id = 32
role = 33
thumbprint = 34
date = 35
device-id = 36
artifact = 37
href = 38
ownership = 39
rel = 40
media-type = 41
use = 42
activation-status = 43
channel-type = 44
colloquial-version = 45
description = 46
edition = 47
entitlement-data-required = 48
entitlement-key = 49
generator = 50
persistent-id = 51
product = 52
product-family = 53
revision = 54
summary = 55
unspsc-code = 56
unspsc-version = 57
; $version-scheme values.
multipartnumeric = 1
multipartnumeric-suffix = 2
alphanumeric = 3
decimal = 4
semver = 16384
; $role values.
tag-creator=1
software-creator=2
aggregator=3
distributor=4
licensor=5
maintainer=6
; $ownership values.
abandon=1
private=2
shared=3
; $rel values.
ancestor=1
component=2
feature=3
installationmedia=4
packageinstaller=5
parent=6
patches=7
requires=8
see-also=9
supersedes=10
; $use values.
optional=1
required=2
recommended=3