evcli fails to parse CCA token with new CMW tag 907 #50
Description
Summary
The evcli tool produces a parse error when it tries to process Arm CCA evidence that is structured according to the CMW tagging scheme (tag 907) as opposed to the legacy EAT collection scheme (tag 399).
Repro
- Download the example CCA CBOR token from the TF-M tools repo here
- Run
evcli cca print --token <path>/cca_example_token.cbor - Expected: Token should be parsed and claims should be displayed in human-readable form for both realm and platform token
- Observed: The following error is reported -
CBOR decoding of CCA evidence failed: cbor: wrong tag number for ccatoken.CBORCollection, got [907], expected [399].
Root Cause Analysis
Appears to be an outdated dependency on ccatoken.
go.mod is using ccatoken at release v1.3.1.
This release is dated Sept 12 2024.
The release is therefore missing this commit, which would allow both legacy EAT collections (tag 399) and the CMW (tag 907) to be processed.
Impact
This error means that the steps in this Learning Path from Arm are broken for readers.
Fix
Probably we need a new release of ccatoken, and update the dependency in go.mod, or we change go.mod to refer to a more recent commit rather than the released version.