veraison · thomas-fossati · Nov 29, 2024 · Nov 28, 2024 · Nov 28, 2024 · Nov 28, 2024
diff --git a/.github/workflows/ci-go-cover.yml b/.github/workflows/ci-go-cover.yml
@@ -26,7 +26,7 @@ jobs:
     steps:
     - uses: actions/setup-go@v3
       with:
-        go-version: "1.19"
+        go-version: "1.22"
     - name: Checkout code
       uses: actions/checkout@v2
     - name: Install mockgen

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -14,7 +14,7 @@ jobs:
     steps:
     - uses: actions/setup-go@v3
       with:
-        go-version: "1.19"
+        go-version: "1.22"
     - name: Checkout code
       uses: actions/checkout@v2
       with:

diff --git a/.github/workflows/linters.yml b/.github/workflows/linters.yml
@@ -10,7 +10,7 @@ jobs:
     steps:
     - uses: actions/setup-go@v3
       with:
-        go-version: "1.19"
+        go-version: "1.22"
     - name: Checkout code
       uses: actions/checkout@v2
     - name: Install golangci-lint

diff --git a/README-CCA.md b/README-CCA.md
@@ -64,7 +64,7 @@ In such case, the claim set is printed to stdout in JSON format:
 ```json
 {
   "cca-platform-token": {
-    "cca-platform-profile": "http://arm.com/CCA-SSD/1.0.0",
+    "cca-platform-profile": "tag:arm.com,2023:cca_platform#1.0.0",
     "cca-platform-challenge": "Bea1iETGoM0ZOCBpuv2w5JRmKjrc+P3hFHjpM5Ua8XkP9d5ceOPbESPaCiB6i2ZVbgoi8Z7mS9wviZU7azJVXw==",
     "cca-platform-implementation-id": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
     "cca-platform-instance-id": "AQICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC",
@@ -127,7 +127,7 @@ The claim set is printed to stdout in JSON format:
 ```json
 {
   "cca-platform-token": {
-    "cca-platform-profile": "http://arm.com/CCA-SSD/1.0.0",
+    "cca-platform-profile": "tag:arm.com,2023:cca_platform#1.0.0",
     "cca-platform-challenge": "Bea1iETGoM0ZOCBpuv2w5JRmKjrc+P3hFHjpM5Ua8XkP9d5ceOPbESPaCiB6i2ZVbgoi8Z7mS9wviZU7azJVXw==",
     "cca-platform-implementation-id": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
     "cca-platform-instance-id": "AQICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC",

diff --git a/cmd/cca/README.md b/cmd/cca/README.md
@@ -15,7 +15,7 @@
 
 ```json
 {
-  "cca-platform-profile": "http://arm.com/CCA-SSD/1.0.0",
+  "cca-platform-profile": "tag:arm.com,2023:cca_platform#1.0.0",
   "cca-platform-challenge": "AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQE=",
   "cca-platform-implementation-id": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
   "cca-platform-instance-id": "AQICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC",

diff --git a/cmd/cca/common.go b/cmd/cca/common.go
@@ -9,7 +9,8 @@ import (
 
 	"github.com/spf13/afero"
 	"github.com/veraison/ccatoken"
-	"github.com/veraison/psatoken"
+	"github.com/veraison/ccatoken/platform"
+	"github.com/veraison/ccatoken/realm"
 )
 
 func loadCCAClaimsFromFile(fs afero.Fs, fn string, validate bool) (*ccatoken.Evidence, error) {
@@ -18,21 +19,14 @@ func loadCCAClaimsFromFile(fs afero.Fs, fn string, validate bool) (*ccatoken.Evi
 		return nil, err
 	}
 
-	var e ccatoken.Evidence
 	if validate {
-		if err := e.UnmarshalJSON(buf); err != nil {
-			return nil, err
-		}
-	} else {
-		if err := e.UnmarshalUnvalidatedJSON(buf); err != nil {
-			return nil, err
-		}
+		return ccatoken.DecodeAndValidateEvidenceFromJSON(buf)
 	}
 
-	return &e, nil
+	return ccatoken.DecodeEvidenceFromJSON(buf)
 }
 
-func loadUnValidatedCCAClaimsFromFile(fs afero.Fs, fn string) (psatoken.IClaims, ccatoken.IClaims, error) {
+func loadUnValidatedCCAClaimsFromFile(fs afero.Fs, fn string) (platform.IClaims, realm.IClaims, error) {
 	var c ccatoken.JSONCollection
 
 	buf, err := afero.ReadFile(fs, fn)
@@ -45,18 +39,17 @@ func loadUnValidatedCCAClaimsFromFile(fs afero.Fs, fn string) (psatoken.IClaims,
 	}
 
 	// platform
-	p := &psatoken.CcaPlatformClaims{}
-
-	if err := json.Unmarshal(c.PlatformToken, &p); err != nil {
+	p, err := platform.DecodeClaimsFromJSON(c.PlatformToken)
+	if err != nil {
 		return nil, nil, fmt.Errorf("unmarshaling platform claims: %w", err)
 	}
 
 	// realm
-	r := &ccatoken.RealmClaims{}
-
-	if err := json.Unmarshal(c.RealmToken, &r); err != nil {
+	r, err := realm.DecodeClaimsFromJSON(c.RealmToken)
+	if err != nil {
 		return nil, nil, fmt.Errorf("unmarshaling realm claims: %w", err)
 	}
+
 	return p, r, nil
 }
 
@@ -66,11 +59,5 @@ func loadTokenFromFile(fs afero.Fs, fn string) (*ccatoken.Evidence, error) {
 		return nil, err
 	}
 
-	e := ccatoken.Evidence{}
-
-	if err = e.FromCBOR(buf); err != nil {
-		return nil, err
-	}
-
-	return &e, nil
+	return ccatoken.DecodeAndValidateEvidenceFromCBOR(buf)
 }
diff --git a/cmd/cca/create.go b/cmd/cca/create.go
@@ -78,10 +78,10 @@ with iak.jwk and rak.jwk and save the result to my.cbor:
 
 			var b []byte
 			if validate {
-				b, err = evidence.Sign(pSigner, rSigner)
+				b, err = evidence.ValidateAndSign(pSigner, rSigner)
 
 			} else {
-				b, err = evidence.SignUnvalidated(pSigner, rSigner)
+				b, err = evidence.Sign(pSigner, rSigner)
 			}
 
 			if err != nil {

diff --git a/cmd/cca/create_test.go b/cmd/cca/create_test.go
@@ -245,7 +245,7 @@ func Test_CreateCmd_claims_invalid(t *testing.T) {
 		},
 	)
 
-	expectedErr := `error loading CCA claims from claims.json: unmarshaling CCA claims: missing platform claims`
+	expectedErr := `error loading CCA claims from claims.json: claims not set in evidence`
 
 	err = cmd.Execute()
 	assert.EqualError(t, err, expectedErr)

diff --git a/cmd/cca/test_common.go b/cmd/cca/test_common.go
@@ -37,7 +37,7 @@ var (
 	testInvalidCCAClaims = []byte(`{}`)
 	testValidCCAClaims   = []byte(`{
 		"cca-platform-token": {
-			"cca-platform-profile": "http://arm.com/CCA-SSD/1.0.0",
+			"cca-platform-profile": "tag:arm.com,2023:cca_platform#1.0.0",
 			"cca-platform-implementation-id": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
 			"cca-platform-instance-id": "AQICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC",
 			"cca-platform-config": "AQID",
@@ -62,13 +62,13 @@ var (
 				"Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQw=="
 			],
 			"cca-realm-hash-algo-id": "sha-256",
-			"cca-realm-public-key": "BIL70TKptcOWh5+7FTQNkFCXjlXHnVJ5oroOlYVPN+IM0vZPO3K1cLvXc+7iznaEJe31Re2+if+v4OlrvUbicPIHlsRIuY2vRqdk0nRC5ubthPjOyBfm7ManHTo959Z+zQ==",
-			"cca-realm-public-key-hash-algo-id": "sha-512"
+			"cca-realm-public-key": "pAECIAIhWDB2+YgJG+WF7UGAGuz6uFhUjGMFfhaw5nYSC70NL5wp4FbF1BoBMOucIVF4mdwjFGsiWDAo4bBivT6ksxX9IZ8cu1KMtudMpJvhZ3NzT2GhymEDGyu/PZGPL5T/xCKOUJGVRK4=",
+			"cca-realm-public-key-hash-algo-id": "sha-256"
 		}
 	}`)
 	testValidCCAClaimsNoNonce = []byte(`{
 		"cca-platform-token": {
-			"cca-platform-profile": "http://arm.com/CCA-SSD/1.0.0",
+			"cca-platform-profile": "tag:arm.com,2023:cca_platform#1.0.0",
 			"cca-platform-implementation-id": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
 			"cca-platform-instance-id": "AQICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC",
 			"cca-platform-config": "AQID",
@@ -92,8 +92,8 @@ var (
 				"Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQw=="
 			],
 			"cca-realm-hash-algo-id": "sha-256",
-			"cca-realm-public-key": "BIL70TKptcOWh5+7FTQNkFCXjlXHnVJ5oroOlYVPN+IM0vZPO3K1cLvXc+7iznaEJe31Re2+if+v4OlrvUbicPIHlsRIuY2vRqdk0nRC5ubthPjOyBfm7ManHTo959Z+zQ==",
-			"cca-realm-public-key-hash-algo-id": "sha-512"
+			"cca-realm-public-key": "pAECIAIhWDB2+YgJG+WF7UGAGuz6uFhUjGMFfhaw5nYSC70NL5wp4FbF1BoBMOucIVF4mdwjFGsiWDAo4bBivT6ksxX9IZ8cu1KMtudMpJvhZ3NzT2GhymEDGyu/PZGPL5T/xCKOUJGVRK4=",
+			"cca-realm-public-key-hash-algo-id": "sha-256"
 		}
 	}`)
 	testSessionURI      = "http://veraison.example/challenge-response/v1"

diff --git a/cmd/cca/verify_as.go b/cmd/cca/verify_as.go
@@ -11,7 +11,7 @@ import (
 
 var verifyValidArgs = []string{"attester", "relying-party"}
 
-const CCATokenMediaType = `application/eat-collection; profile="http://arm.com/CCA-SSD/1.0.0"`
+const CCATokenMediaType = `application/eat-collection; profile="tag:arm.com,2023:cca_platform#1.0.0"`
 
 var verifyAsCmd = &cobra.Command{
 	Use:   "verify-as",

diff --git a/cmd/cca/verify_as_attester.go b/cmd/cca/verify_as_attester.go
@@ -14,14 +14,15 @@ import (
 	"github.com/spf13/viper"
 	"github.com/veraison/apiclient/verification"
 	"github.com/veraison/ccatoken"
+	"github.com/veraison/ccatoken/platform"
+	"github.com/veraison/ccatoken/realm"
 	"github.com/veraison/evcli/v2/common"
-	"github.com/veraison/go-cose"
-	"github.com/veraison/psatoken"
+	cose "github.com/veraison/go-cose"
 )
 
 type attesterEvidenceBuilder struct {
-	Pclaims psatoken.IClaims
-	Rclaims ccatoken.IClaims
+	Pclaims platform.IClaims
+	Rclaims realm.IClaims
 	Psigner cose.Signer
 	Rsigner cose.Signer
 }
@@ -185,7 +186,7 @@ func (eb attesterEvidenceBuilder) BuildEvidence(nonce []byte, accept []string) (
 			return nil, "", fmt.Errorf("setting claims: %w", err)
 		}
 
-		cwt, err := evidence.Sign(eb.Psigner, eb.Rsigner)
+		cwt, err := evidence.ValidateAndSign(eb.Psigner, eb.Rsigner)
 		if err != nil {
 			return nil, "", fmt.Errorf("signature failed: %w", err)
 		}

diff --git a/cmd/cca/verify_as_relyingparty.go b/cmd/cca/verify_as_relyingparty.go
@@ -55,9 +55,8 @@ previous invocation to "evcli cca create" command.
 				return err
 			}
 
-			var e ccatoken.Evidence
-
-			if err = e.FromCBOR(token); err != nil {
+			e, err := ccatoken.DecodeAndValidateEvidenceFromCBOR(token)
+			if err != nil {
 				return fmt.Errorf("ingesting %s: %v", *relyingPartyTokenFile, err)
 			}
 

diff --git a/cmd/psa/common.go b/cmd/psa/common.go
@@ -4,9 +4,6 @@
 package psa
 
 import (
-	"encoding/json"
-	"fmt"
-
 	"github.com/spf13/afero"
 	"github.com/veraison/psatoken"
 )
@@ -17,13 +14,7 @@ func loadTokenFromFile(fs afero.Fs, fn string) (*psatoken.Evidence, error) {
 		return nil, err
 	}
 
-	e := &psatoken.Evidence{}
-	err = e.FromCOSE(buf)
-	if err != nil {
-		return nil, err
-	}
-
-	return e, nil
+	return psatoken.DecodeAndValidateEvidenceFromCOSE(buf)
 }
 
 func loadClaimsFromFile(fs afero.Fs, fn string, validate bool) (psatoken.IClaims, error) {
@@ -36,35 +27,8 @@ func loadClaimsFromFile(fs afero.Fs, fn string, validate bool) (psatoken.IClaims
 }
 
 func claimsFromJSON(j []byte, validate bool) (psatoken.IClaims, error) {
-	var (
-		err1, err2 error
-		p2         psatoken.P2Claims
-		p1         psatoken.P1Claims
-	)
-
-	err2 = json.Unmarshal(j, &p2)
-	if err2 == nil {
-		if validate {
-			err2 = p2.Validate()
-			if err2 == nil {
-				return &p2, nil
-			}
-		} else {
-			return &p2, nil
-		}
-	}
-
-	err1 = json.Unmarshal(j, &p1)
-	if err1 == nil {
-		if validate {
-			err1 = p1.Validate()
-			if err1 == nil {
-				return &p1, nil
-			}
-		} else {
-			return &p1, nil
-		}
+	if validate {
+		return psatoken.DecodeAndValidateClaimsFromJSON(j)
 	}
-
-	return nil, fmt.Errorf("p1 error: (%v) and p2 error: (%v)", err1, err2)
+	return psatoken.DecodeClaimsFromJSON(j)
 }
diff --git a/cmd/psa/create.go b/cmd/psa/create.go
@@ -90,9 +90,9 @@ Note that the default profile is http://arm.com/psa/2.0.0.
 
 			var cwt []byte
 			if validate {
-				cwt, err = evidence.Sign(signer)
+				cwt, err = evidence.ValidateAndSign(signer)
 			} else {
-				cwt, err = evidence.SignUnvalidated(signer)
+				cwt, err = evidence.Sign(signer)
 			}
 			if err != nil {
 				return fmt.Errorf("signature failed: %w", err)
@@ -124,7 +124,7 @@ Note that the default profile is http://arm.com/psa/2.0.0.
 	)
 
 	createTokenProfile = cmd.Flags().StringP(
-		"profile", "p", psatoken.PsaProfile2, "name of the PSA profile to use",
+		"profile", "p", psatoken.Profile2Name, "name of the PSA profile to use",
 	)
 
 	allowInvalidClaims = cmd.Flags().BoolP(
@@ -142,13 +142,13 @@ func checkProfile(profile *string) error {
 	}
 
 	switch *profile {
-	case psatoken.PsaProfile1, psatoken.PsaProfile2:
+	case psatoken.Profile1Name, psatoken.Profile2Name:
 		return nil
 	}
 
 	return fmt.Errorf(
 		"wrong profile %s: allowed profiles are %s and %s",
-		*profile, psatoken.PsaProfile2, psatoken.PsaProfile1,
+		*profile, psatoken.Profile2Name, psatoken.Profile1Name,
 	)
 }
 

diff --git a/cmd/psa/verify_as_attester.go b/cmd/psa/verify_as_attester.go
@@ -14,7 +14,7 @@ import (
 	"github.com/spf13/viper"
 	"github.com/veraison/apiclient/verification"
 	"github.com/veraison/evcli/v2/common"
-	"github.com/veraison/go-cose"
+	cose "github.com/veraison/go-cose"
 	"github.com/veraison/psatoken"
 )
 
@@ -195,7 +195,7 @@ func (eb attesterEvidenceBuilder) BuildEvidence(nonce []byte, accept []string) (
 			return nil, "", fmt.Errorf("setting claims: %w", err)
 		}
 
-		cwt, err := evidence.Sign(eb.Signer)
+		cwt, err := evidence.ValidateAndSign(eb.Signer)
 		if err != nil {
 			return nil, "", fmt.Errorf("signature failed: %w", err)
 		}

diff --git a/cmd/psa/verify_as_attester_test.go b/cmd/psa/verify_as_attester_test.go
@@ -76,8 +76,7 @@ func Test_AttesterCmd_claims_invalid(t *testing.T) {
 			"--key=es256.jwk",
 		},
 	)
-	comErr := `(json: cannot unmarshal array into Go value of type psatoken.`
-	expectedErr := `p1 error: ` + comErr + `P1Claims)` + ` and p2 error: ` + comErr + `P2Claims)`
+	expectedErr := `json: cannot unmarshal array into Go value of type map[string]interface {}`
 
 	err = cmd.Execute()
 	assert.EqualError(t, err, expectedErr)

diff --git a/cmd/psa/verify_as_relyingparty.go b/cmd/psa/verify_as_relyingparty.go
@@ -55,9 +55,8 @@ previous invocation to "evcli psa create".
 				return err
 			}
 
-			var e psatoken.Evidence
-
-			if err = e.FromCOSE(token); err != nil {
+			e, err := psatoken.DecodeAndValidateEvidenceFromCOSE(token)
+			if err != nil {
 				return err
 			}