diff --git a/README.md b/README.md
index eacda1e..98006eb 100644
--- a/README.md
+++ b/README.md
@@ -45,7 +45,7 @@ exp | 4 | ✅
 nbf | 5 | ✅
 iat | 6 | ✅
 cti | 7 | ⚠️ no jti support
-cnf | 8 | ⚠️ supports only OKP and EC2 COSE_Key, no EncryptedKey support
+cnf | 8 | ⚠️ no jwk support (see [cnf support](#cnf-support))
 
 ## Supported Type for Manifests and Measurements
 
@@ -59,3 +59,9 @@ coap-conent-type | id | Supported?
 `application/swid+cbor` (untagged-coswid) | 258 | ✅
 `application/measured-component+cbor` | TBD1 in [draft-ietf-rats-eat-measured-component](https://datatracker.ietf.org/doc/draft-ietf-rats-eat-measured-component/) | ✅ e.g. `cbor.Unmarshal(measurement.Format, &mc)`
 `application/measured-component+json` | TBD2 in [draft-ietf-rats-eat-measured-component](https://datatracker.ietf.org/doc/draft-ietf-rats-eat-measured-component/) | ✅ e.g. `json.Unmarshal(measurement.Format, &mc)`
+
+## cnf support
+
+> [!WARNING] JWK in key confirmation is NOT supported
+
+This package depends on [`veraison/go-cose`](https://github.com/veraison/go-cose) for marshaling and unmarshaling the `cnf` claim. Since `go-cose` supports only COSE/CBOR serialization ([COSE Key](https://datatracker.ietf.org/doc/html/rfc9052#section-7)), using `FromJSON` and `ToJSON` with JWK key confirmation may produce unexpected results.
diff --git a/eat.go b/eat.go
index fc88a93..4ab5bab 100644
--- a/eat.go
+++ b/eat.go
@@ -1,6 +1,7 @@
 // Copyright 2020 Contributors to the Veraison project.
 // SPDX-License-Identifier: Apache-2.0
 
+//nolint:staticcheck // json.Marshal triggers a warning because go-cose Key.Params uses map[any]any
 package eat
 
 import (
diff --git a/key_confirmation.go b/key_confirmation.go
index 3d29a21..21556af 100644
--- a/key_confirmation.go
+++ b/key_confirmation.go
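Review bot: The `//nolint:staticcheck` directive added above the `package eat` clause in eat.go silences staticcheck for every finding in the whole file, while its justification names a single call site (json.Marshal of go-cose `Key.Params`). Scoping the directive to that statement, e.g. `b, err := json.Marshal(v) //nolint:staticcheck // Key.Params is map[any]any` (constructed line; the real call is outside this hunk), keeps the rest of the file under lint coverage. If the linter is right that encoding/json cannot encode a `map[any]any`-typed field, `ToJSON` on a token carrying a `cnf` key will return an error rather than silently degrade; that concrete outcome is worth stating in the directive's comment, since the README text added in this commit only says it "may produce unexpected results".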
@@ -6,34 +6,8 @@ package eat
 import cose "github.com/veraison/go-cose"
 
 type KeyConfirmation struct {
-	Key *COSEKey `cbor:"1,keyasint,omitempty" json:"jwk,omitempty"`
+	Key *cose.Key `cbor:"1,keyasint,omitempty" json:"jwk,omitempty"`
 	// TODO: EncryptedKey (currently go-cose doesn't support COSE_Encrypt0 / COSE_Encrypt)
 	Kid *[]byte `cbor:"3,keyasint,omitempty" json:"kid,omitempty"`
 	KeyThumbprint *[]byte `cbor:"5,keyasint,omitempty" json:"jkt,omitempty"`
 }
-
-/*
-NOTE: supports only OKP and EC2 key
-
-	COSE_Key = {
-	    1 => tstr / int, ; kty
-	    ? 2 => bstr, ; kid
-	    ? 3 => tstr / int, ; alg
-	    ? 4 => [+ (tstr / int) ], ; key_ops
-	    ? 5 => bstr, ; Base IV
-	    * label => values
-	}
-*/
-type COSEKey struct {
-	Type cose.KeyType `cbor:"1,keyasint" json:"kty"`
-	ID []byte `cbor:"2,keyasint,omitempty" json:"kid,omitempty"`
-	Algorithm cose.Algorithm `cbor:"3:keyasint,omitempty" json:"alg,omitempty"`
-	Ops []cose.KeyOp `cbor:"4,keyasint,omitempty" json:"ops,omitempty"`
-	BaseIV []byte `cbor:"5,keyasint,omitempty"`
-
-	// Additional parameter pairs for OKP and EC2.
-	Crv cose.Curve `cbor:"-1,keyasint,omitempty" json:"crv,omitempty"`
-	X []byte `cbor:"-2,keyasint,omitempty" json:"x,omitempty"`
-	Y []byte `cbor:"-3,keyasint,omitempty" json:"y,omitempty"`
-	D []byte `cbor:"-4,keyasint,omitempty" json:"d,omitempty"`
-}
diff --git a/key_confirmation_test.go b/key_confirmation_test.go
index 2646f0f..e19f097 100644
--- a/key_confirmation_test.go
+++ b/key_confirmation_test.go
@@ -36,11 +36,13 @@ var (
 	}
 
 	encodedCoseKey = []byte{
-		0xa5, // map(5)
+		0xa6, // map(5)
 		0x01, // kty
 		0x02, // EC2
 		0x02, // kid
 		0x42, 0x31, 0x31,
+		0x03, // alg
+		0x26, // ES256
 		0x20, // crv
 		0x01, // P-256
 		0x21, // x
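Review bot: The `Key` field keeps its `json:"jwk,omitempty"` tag while its type becomes `*cose.Key`, and the removed `COSEKey` struct was the only thing that gave the field a JWK-shaped JSON mapping (`kty`/`kid`/`crv`/`x`/`y` tags), so the tag is now nominal and the field should say so; the exported `KeyConfirmation` struct also has no doc comment above its `type` line. Suggested field comment: `// Key is a COSE_Key (RFC 9052 §7). The jwk JSON tag is nominal: cose.Key has no JWK mapping, so JSON round-trips of this field are not supported.` Separately, a `cose.Key` can carry private parameters such as the EC2 `d` label (the tests probe `Params[cose.KeyLabelEC2D]`), and nothing in this type rejects them; key confirmation is meant to convey a public key (symmetric material belongs in the encrypted form the TODO notes is unsupported), so a doc note here, or a check wherever the claim is validated, would be worth adding.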
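Review bot: The comment on the new map header is stale: `0xa6, // map(5)` is a six-entry map now that the `0x03`/`0x26` (alg = ES256) pair is added a few lines below, so it should read `0xa6, // map(6)`. The `encodedCoseKey` literal and its enclosing `var (` block continue outside the hunk.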
@@ -58,13 +60,13 @@ var (
 	encodedKeyConfirmation = []byte{
 		0xa2, // map(2)
 		0x01, // COSE_Key
-		0xa5, 0x01, 0x02, 0x02, 0x42, 0x31, 0x31, 0x20, 0x01, 0x21, 0x58, 0x20,
-		0xba, 0xc5, 0xb1, 0x1c, 0xad, 0x8f, 0x99, 0xf9, 0xc7, 0x2b, 0x05, 0xcf,
-		0x4b, 0x9e, 0x26, 0xd2, 0x44, 0xdc, 0x18, 0x9f, 0x74, 0x52, 0x28, 0x25,
-		0x5a, 0x21, 0x9a, 0x86, 0xd6, 0xa0, 0x9e, 0xff, 0x22, 0x58, 0x20, 0x20,
-		0x13, 0x8b, 0xf8, 0x2d, 0xc1, 0xb6, 0xd5, 0x62, 0xbe, 0x0f, 0xa5, 0x4a,
-		0xb7, 0x80, 0x4a, 0x3a, 0x64, 0xb6, 0xd7, 0x2c, 0xcf, 0xed, 0x6b, 0x6f,
-		0xb6, 0xed, 0x28, 0xbb, 0xfc, 0x11, 0x7e,
+		0xa6, 0x01, 0x02, 0x02, 0x42, 0x31, 0x31, 0x03, 0x26, 0x20, 0x01, 0x21,
+		0x58, 0x20, 0xba, 0xc5, 0xb1, 0x1c, 0xad, 0x8f, 0x99, 0xf9, 0xc7, 0x2b,
+		0x05, 0xcf, 0x4b, 0x9e, 0x26, 0xd2, 0x44, 0xdc, 0x18, 0x9f, 0x74, 0x52,
+		0x28, 0x25, 0x5a, 0x21, 0x9a, 0x86, 0xd6, 0xa0, 0x9e, 0xff, 0x22, 0x58,
+		0x20, 0x20, 0x13, 0x8b, 0xf8, 0x2d, 0xc1, 0xb6, 0xd5, 0x62, 0xbe, 0x0f,
+		0xa5, 0x4a, 0xb7, 0x80, 0x4a, 0x3a, 0x64, 0xb6, 0xd7, 0x2c, 0xcf, 0xed,
+		0x6b, 0x6f, 0xb6, 0xed, 0x28, 0xbb, 0xfc, 0x11, 0x7e,
 		0x05, // KeyThumbprint
 		0x58, 0x20, // bytes(32)
 		0xb7, 0x1d, 0x9f, 0xc2, 0x7e, 0xe9, 0xce, 0x61, 0xa6, 0x05, 0x60, 0xb2,
@@ -100,21 +102,16 @@ var (
 
 func TestKeyConfirmation_CBORMarshal_OK(t *testing.T) {
 	// step 1: test COSEKey
-	key := COSEKey{
-		Type: kty,
-		ID: kid,
-		Crv: crv,
-		X: x,
-		Y: y,
-	}
-
+	key, err := cose.NewKeyEC2(cose.AlgorithmES256, x, y, nil)
+	assert.Nil(t, err)
+	key.ID = kid
 	encoded, err := em.Marshal(key)
 	assert.Nil(t, err)
 	assert.Equal(t, encodedCoseKey, encoded)
 
 	// step 2: test KeyConfirmation
 	cnf := KeyConfirmation{
-		Key: &key,
+		Key: key,
 		KeyThumbprint: &keyThumbprint,
 	}
 
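Review bot: The context line `// step 1: test COSEKey` now names a type this commit deletes; it should read `// step 1: test cose.Key`. Also, `assert.Nil(t, err)` after `cose.NewKeyEC2` does not stop the test, so if the constructor returns a non-nil error (and, as is usual, a nil key) the next line `key.ID = kid` panics with a nil dereference instead of a readable failure; `require.NoError(t, err)` if testify's require package is imported in this file, or an explicit `if err != nil { t.Fatal(err) }`, would fail cleanly. `TestKeyConfirmation_CBORMarshal_OK` continues past the end of the hunk.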
@@ -130,10 +127,10 @@ func TestKeyConfirmation_CBORUnmarshal_OK(t *testing.T) {
 	assert.NotNil(t, cnf.Key)
 	assert.Equal(t, kty, cnf.Key.Type)
 	assert.Equal(t, kid, cnf.Key.ID)
-	assert.Equal(t, crv, cnf.Key.Crv)
-	assert.Equal(t, x, cnf.Key.X)
-	assert.Equal(t, y, cnf.Key.Y)
-	assert.Nil(t, cnf.Key.D)
+	assert.Equal(t, crv, cnf.Key.Params[cose.KeyLabelEC2Curve])
+	assert.Equal(t, x, cnf.Key.Params[cose.KeyLabelEC2X])
+	assert.Equal(t, y, cnf.Key.Params[cose.KeyLabelEC2Y])
+	assert.Nil(t, cnf.Key.Params[cose.KeyLabelEC2D])
 	assert.NotNil(t, cnf.KeyThumbprint)
 	assert.Equal(t, keyThumbprint, *cnf.KeyThumbprint)
 
@@ -145,8 +142,8 @@ func TestKeyConfirmation_CBORUnmarshal_OK(t *testing.T) {
 	assert.NotNil(t, cnf.Key)
 	assert.Equal(t, kty, cnf.Key.Type)
 	assert.Equal(t, kid, cnf.Key.ID)
-	assert.Equal(t, crv, cnf.Key.Crv)
-	assert.Equal(t, x, cnf.Key.X)
-	assert.Equal(t, y, cnf.Key.Y)
-	assert.Nil(t, cnf.Key.D)
+	assert.Equal(t, crv, cnf.Key.Params[cose.KeyLabelEC2Curve])
+	assert.Equal(t, x, cnf.Key.Params[cose.KeyLabelEC2X])
+	assert.Equal(t, y, cnf.Key.Params[cose.KeyLabelEC2Y])
+	assert.Nil(t, cnf.Key.Params[cose.KeyLabelEC2D])
 }
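Review bot: The unmarshal assertions in this hunk and in the next one (`@@ -145,8`) check `Type`, `ID` and the EC2 `Params`, but never `Algorithm`, even though the encoded test vector now carries `alg`/ES256 (the `0x03, 0x26` pair added to `encodedCoseKey` earlier in this patch); adding `assert.Equal(t, cose.AlgorithmES256, cnf.Key.Algorithm)` beside the `Type` check would pin that the algorithm survives decoding. The same seven-line block is duplicated verbatim in both hunks, so an `assertEC2Key(t, key)` helper would keep the two copies from drifting. `TestKeyConfirmation_CBORUnmarshal_OK` starts outside this hunk.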