Skip to content

RFC9783 support #54

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
thomas-fossati merged 3 commits into from
Dec 11, 2025
Merged

RFC9783 support #54

thomas-fossati merged 3 commits into from
Dec 11, 2025
+342 −5

Conversation

@thomas-fossati
Copy link
Contributor

@thomas-fossati thomas-fossati commented Dec 9, 2025

Address #53

cc @kentakayama

@thomas-fossati
RFC9783 support
5aa6c00 
Signed-off-by: Thomas Fossati <[email protected]>
@thomas-fossati
update doc
65cb8bd 
Signed-off-by: Thomas Fossati <[email protected]>
setrofim
setrofim approved these changes Dec 9, 2025
View reviewed changes
Copy link
Contributor

@setrofim setrofim left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@kentakayama
Copy link

kentakayama commented Dec 10, 2025

@thomas-fossati thank you so much.
It seems that the psa-boot-seed is still encoded as 2397 for CBOR.

diff --git a/claims_9783_test.go b/claims_9783_test.go
index 2e2bae7..0b1d4fc 100644
--- a/claims_9783_test.go
+++ b/claims_9783_test.go
@@ -6,6 +6,8 @@ package psatoken
 import (
        "fmt"
        "log"
+
+       cbor "github.com/fxamacker/cbor/v2"
 )
 
 func ExampleRFC9783Claims_unmarshalCBOR() {
@@ -83,6 +85,15 @@ func ExampleRFC9783Claims_unmarshalJSON() {
                log.Fatalf("not a *RFC9783Claims: %T", claims)
        }
 
+       // Verify that psa-boot-seed is encoded with the expected key.
+       // This check will fail if it is still encoded as 2397 instead of 268.
+       encoded, err := EncodeClaimsToCBOR(claims)
+       var m map[int64]any
+       err = cbor.Unmarshal(encoded, &m)
+       if m[int64(268)] == nil && m[int64(2397)] != nil {
+               log.Fatalf("psa-boot-seed appears to be encoded as 2397")
+       }
+
        // output:
        // Profile: tag:psacertified.org,2023:psa#tfm
 }

@thomas-fossati
override bootseed handling
a33d5a1 
Signed-off-by: Thomas Fossati <[email protected]>
@thomas-fossati
Copy link
Contributor Author

thomas-fossati commented Dec 10, 2025

@thomas-fossati thank you so much. It seems that the psa-boot-seed is still encoded as 2397 for CBOR.

Thanks for catching this, @kentakayama!

It should be fixed in a33d5a1

@kentakayama
Copy link

kentakayama commented Dec 11, 2025

@thomas-fossati
It works perfect. Thanks a lot.

@thomas-fossati thomas-fossati merged commit a6e4612 into main Dec 11, 2025
5 checks passed
@thomas-fossati thomas-fossati deleted the rfc9783 branch December 11, 2025 08:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@setrofim setrofim setrofim approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@thomas-fossati @kentakayama @setrofim