chore(deps): update ccatoken, go-cose, psatoken and parsec deps

Signed-off-by: Thomas Fossati <[email protected]>

go.mod

@@ -31,14 +31,14 @@ require (
  github.com/spf13/viper v1.13.0
  github.com/stretchr/testify v1.9.0
  github.com/tbaehler/gin-keycloak v1.6.1
- github.com/veraison/ccatoken v1.3.0
+ github.com/veraison/ccatoken v1.3.1
  github.com/veraison/cmw v0.1.0
- github.com/veraison/corim v1.1.3-0.20240814105452-be7ec4829479
+ github.com/veraison/corim v1.1.3-0.20240911154934-4f141ee6d1e7
  github.com/veraison/dice v0.0.1
  github.com/veraison/ear v1.1.2
  github.com/veraison/eat v0.0.0-20220117140849-ddaf59d69f53
- github.com/veraison/parsec v0.1.1-0.20230915122508-f31e6c9be40e
- github.com/veraison/psatoken v1.2.1-0.20240719122628-26fe500fd5d4
+ github.com/veraison/parsec v0.2.1-0.20240912163334-0368b9c16228
+ github.com/veraison/psatoken v1.2.1-0.20240912124429-aec3ece7886e
  go.uber.org/zap v1.23.0
  golang.org/x/text v0.14.0
  google.golang.org/grpc v1.64.0
@@ -101,7 +101,7 @@ require (
  github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
  github.com/ugorji/go/codec v1.2.11 // indirect
  github.com/vektah/gqlparser/v2 v2.4.6 // indirect
- github.com/veraison/go-cose v1.2.1
+ github.com/veraison/go-cose v1.3.0-rc.1
  github.com/veraison/swid v1.1.1-0.20230911094910-8ffdd07a22ca
  github.com/x448/float16 v0.8.4 // indirect
  github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect

go.sum

@@ -1725,24 +1725,24 @@ github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtX
 github.com/urfave/cli v1.22.2/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
 github.com/vektah/gqlparser/v2 v2.4.6 h1:Yjzp66g6oVq93Jihbi0qhGnf/6zIWjcm8H6gA27zstE=
 github.com/vektah/gqlparser/v2 v2.4.6/go.mod h1:flJWIR04IMQPGz+BXLrORkrARBxv/rtyIAFvd/MceW0=
-github.com/veraison/ccatoken v1.3.0 h1:2XWwqPQkWqXRu3ksmS6MQAGjWz4vtnEPBZxFxP8GA4A=
-github.com/veraison/ccatoken v1.3.0/go.mod h1:wJayl8O7PLm77BV+b/Vng28nGtNoFZVrixtcvLmjivc=
+github.com/veraison/ccatoken v1.3.1 h1:zUHXr2mPprxMYv5Mm2mumxzQZ3I9wy7QGayXqa9Rv/E=
+github.com/veraison/ccatoken v1.3.1/go.mod h1:vMqdbW4H/8A3oT+24qssuIK3Aefy06XqzTELGg+gWAg=
 github.com/veraison/cmw v0.1.0 h1:vD6tBlGPROCW/HlDcG1jh+XUJi5ihrjXatKZBjrv8mU=
 github.com/veraison/cmw v0.1.0/go.mod h1:WoBrlgByc6C1FeHhdze1/bQx1kv5d1sWKO5ezEf4Hs4=
-github.com/veraison/corim v1.1.3-0.20240814105452-be7ec4829479 h1:dcKW+Nugh2Cs/ihz6xAmmTfi4v5flaLTg6MiZ8gN3N8=
-github.com/veraison/corim v1.1.3-0.20240814105452-be7ec4829479/go.mod h1:sYmwruIqD5+83OcvMg6WUDTTWq8AWM6QbVQhbE9VFQM=
+github.com/veraison/corim v1.1.3-0.20240911154934-4f141ee6d1e7 h1:sq9OVQgwpRJDFrQDGAOMs5p22Hp1zfDYRkeb+EVJWTU=
+github.com/veraison/corim v1.1.3-0.20240911154934-4f141ee6d1e7/go.mod h1:Wj3a6bSo7+3peVGjwGayHDALILh4PHMngDhgBYUbVLk=
 github.com/veraison/dice v0.0.1 h1:dOm7ByDN/r4WlDsGkEUXzdPMXgTvAPTAksQ8+BwBrD4=
 github.com/veraison/dice v0.0.1/go.mod h1:QPMLc5LVMj08VZ+HNMYk4XxWoVYGAUBVm8Rd5V1hzxs=
 github.com/veraison/ear v1.1.2 h1:Xs41FqAG8IyJaceqNFcX2+nf51Et1uyhmCJV8SZqw/8=
 github.com/veraison/ear v1.1.2/go.mod h1:O3yKgZR04DWKHHiNxfXCMX9ky0cLVoC67TFks6JwEhI=
 github.com/veraison/eat v0.0.0-20220117140849-ddaf59d69f53 h1:5gnX2TrGd/Xz8DOp2OaLtg/jLoIubSUTrgz6iZ58pJ4=
 github.com/veraison/eat v0.0.0-20220117140849-ddaf59d69f53/go.mod h1:+kxt8iuFiVvKRs2VQ1Ho7bbAScXAB/kHFFuP5Biw19I=
-github.com/veraison/go-cose v1.2.1 h1:Gj4x20D0YP79J2+cK3anjGEMwIkg2xX+TKVVGUXwNAc=
-github.com/veraison/go-cose v1.2.1/go.mod h1:t6V8WJzHm1PD5HNsuDjW3KLv577uWb6UTzbZGvdQHD8=
-github.com/veraison/parsec v0.1.1-0.20230915122508-f31e6c9be40e h1:6flWRGWeW9X2GOtegx2MqwRzO4z2DIrk3nm5FH7sGyM=
-github.com/veraison/parsec v0.1.1-0.20230915122508-f31e6c9be40e/go.mod h1:IXiVM4dsJNsB2PB1NkK5AE0gUvOzsxLgOpuPo9KHs0M=
-github.com/veraison/psatoken v1.2.1-0.20240719122628-26fe500fd5d4 h1:N7qg7vDF2mUg7I+8AoU+ieJ20cgcShwFHXHkV5b2YAA=
-github.com/veraison/psatoken v1.2.1-0.20240719122628-26fe500fd5d4/go.mod h1:6+WZzXr0ACXYiUAJJqTaCxW43gY2+gEaCoVNdDv3+Bw=
+github.com/veraison/go-cose v1.3.0-rc.1 h1:j7mMBdwkbq4c+pgEZVbbWG8UwVIgGHPp6+TAAYJj+UY=
+github.com/veraison/go-cose v1.3.0-rc.1/go.mod h1:df09OV91aHoQWLmy1KsDdYiagtXgyAwAl8vFeFn1gMc=
+github.com/veraison/parsec v0.2.1-0.20240912163334-0368b9c16228 h1:oMCBfNZ8yxeMHelMg/H8uLrBLRvipjAwBL0d5/F9bvY=
+github.com/veraison/parsec v0.2.1-0.20240912163334-0368b9c16228/go.mod h1:hobpAGxGmjCyluLHTNMdgJYficPXno4HZWKJSuUwZ7w=
+github.com/veraison/psatoken v1.2.1-0.20240912124429-aec3ece7886e h1:W1OWcrRvfN0EWyldcpFgwl9xdKBbZUlk5pnbLTcR8Ec=
+github.com/veraison/psatoken v1.2.1-0.20240912124429-aec3ece7886e/go.mod h1:bXUwdYAGcRoclxe73JmO8Z9ngV9KDHqW20afM9Q0FKo=
 github.com/veraison/swid v1.1.1-0.20230911094910-8ffdd07a22ca h1:osmCKwWO/xM68Kz+rIXio1DNzEY2NdJOpGpoy5r8NlE=
 github.com/veraison/swid v1.1.1-0.20230911094910-8ffdd07a22ca/go.mod h1:d5jt76uMNbTfQ+f2qU4Lt8RvWOTsv6PFgstIM1QdMH0=
 github.com/vishvananda/netlink v0.0.0-20181108222139-023a6dafdcdf/go.mod h1:+SR5DhBJrl6ZM7CoCKvpw5BKroDKQ+PJqOg65H/2ktk=

provisioning/api/handler.go

@@ -1,4 +1,4 @@
-// Copyright 2022-2023 Contributors to the Veraison project.
+// Copyright 2022-2024 Contributors to the Veraison project.
 // SPDX-License-Identifier: Apache-2.0
 package api
 

provisioning/provisioner/provisioner.go

@@ -1,4 +1,4 @@
-// Copyright 2022-2023 Contributors to the Veraison project.
+// Copyright 2022-2024 Contributors to the Veraison project.
 // SPDX-License-Identifier: Apache-2.0
 
 package provisioner

scheme/arm-cca/evidence_handler.go

@@ -36,20 +36,18 @@ func (s EvidenceHandler) ExtractClaims(
  token *proto.AttestationToken,
  trustAnchors []string,
 ) (map[string]interface{}, error) {
-
- var ccaToken ccatoken.Evidence
-
- if err := ccaToken.FromCBOR(token.Data); err != nil {
+ ccaToken, err := ccatoken.DecodeAndValidateEvidenceFromCBOR(token.Data)
+ if err != nil {
  return nil, handler.BadEvidence(err)
  }
 
- platformClaimsSet, err := common.ClaimsToMap(ccaToken.PlatformClaims)
+ platformClaimsSet, err := common.ClaimsToMap(common.CcaPlatformWrapper{ccaToken.PlatformClaims})
  if err != nil {
  return nil, handler.BadEvidence(fmt.Errorf(
  "could not convert platform claims: %w", err))
  }
 
- realmClaimsSet, err := common.ClaimsToMap(ccaToken.RealmClaims)
+ realmClaimsSet, err := common.ClaimsToMap(common.CcaRealmWrapper{ccaToken.RealmClaims})
  if err != nil {
  return nil, handler.BadEvidence(fmt.Errorf(
  "could not convert realm claims: %w", err))
@@ -72,11 +70,8 @@ func (s EvidenceHandler) ValidateEvidenceIntegrity(
  trustAnchors []string,
  endorsementsStrings []string,
 ) error {
- var (
- ccaToken ccatoken.Evidence
- )
-
- if err := ccaToken.FromCBOR(token.Data); err != nil {
+ ccaToken, err := ccatoken.DecodeAndValidateEvidenceFromCBOR(token.Data)
+ if err != nil {
  return handler.BadEvidence(err)
  }
 

scheme/arm-cca/platform.go

@@ -6,8 +6,8 @@ package arm_cca
 import (
  "fmt"
 
+ "github.com/veraison/ccatoken/platform"
  "github.com/veraison/ear"
- "github.com/veraison/psatoken"
  "github.com/veraison/services/handler"
  "github.com/veraison/services/scheme/common"
  "github.com/veraison/services/scheme/common/arm"
@@ -17,7 +17,7 @@ func platformAppraisal(
  claimsMap map[string]interface{},
  endorsements []handler.Endorsement,
 ) (*ear.Appraisal, error) {
- claims, err := common.MapToClaims(claimsMap)
+ claims, err := common.MapToCCAPlatformClaims(claimsMap)
  if err != nil {
  return nil, fmt.Errorf("unable to get claims from platform claims map: %w", err)
  }
@@ -31,9 +31,9 @@ func platformAppraisal(
  return nil, handler.BadEvidence(err)
  }
 
- lifeCycle := psatoken.CcaLifeCycleToState(rawLifeCycle)
- if lifeCycle == psatoken.CcaStateSecured ||
- lifeCycle == psatoken.CcaStateNonCcaPlatformDebug {
+ lifeCycle := platform.LifeCycleToState(rawLifeCycle)
+ if lifeCycle == platform.StateSecured ||
+ lifeCycle == platform.StateNonCCAPlatformDebug {
  trustVector.InstanceIdentity = ear.TrustworthyInstanceClaim
  trustVector.RuntimeOpaque = ear.ApprovedRuntimeClaim
  trustVector.StorageOpaque = ear.HwKeysEncryptedSecretsClaim

scheme/arm-cca/realm.go

@@ -9,7 +9,7 @@ import (
  "errors"
  "fmt"
 
- "github.com/veraison/ccatoken"
+ ccatokenrealm "github.com/veraison/ccatoken/realm"
  "github.com/veraison/ear"
  "github.com/veraison/services/handler"
  "github.com/veraison/services/log"
@@ -79,7 +79,7 @@ func realmAppraisal(
  return &appraisal, nil
 }
 
-func matchRim(claims ccatoken.IClaims, endorsement *handler.Endorsement) bool {
+func matchRim(claims ccatokenrealm.IClaims, endorsement *handler.Endorsement) bool {
  // get RIM Claim from Evidence Claims
  rimClaim, err := claims.GetInitialMeasurement()
  if err != nil {
@@ -104,7 +104,7 @@ func matchRim(claims ccatoken.IClaims, endorsement *handler.Endorsement) bool {
  return true
 }
 
-func matchRpv(claims ccatoken.IClaims, endorsement *handler.Endorsement) error {
+func matchRpv(claims ccatokenrealm.IClaims, endorsement *handler.Endorsement) error {
  pvClaim, err := claims.GetPersonalizationValue()
  if err != nil {
  return fmt.Errorf("matchRpv failed: %w", err)
@@ -122,7 +122,7 @@ func matchRpv(claims ccatoken.IClaims, endorsement *handler.Endorsement) error {
  return nil
 }
 
-func matchREMs(claims ccatoken.IClaims, endorsement *handler.Endorsement) bool {
+func matchREMs(claims ccatokenrealm.IClaims, endorsement *handler.Endorsement) bool {
  remMatch := false
  remsClaim, err := claims.GetExtensibleMeasurements()
  if err != nil {

scheme/arm-cca/store_handler.go

@@ -46,8 +46,7 @@ func (s StoreHandler) SynthKeysFromTrustAnchor(tenantID string, ta *handler.Endo
 }
 
 func (s StoreHandler) GetTrustAnchorIDs(token *proto.AttestationToken) ([]string, error) {
- var evidence ccatoken.Evidence
- err := evidence.FromCBOR(token.Data)
+ evidence, err := ccatoken.DecodeAndValidateEvidenceFromCBOR(token.Data)
  if err != nil {
  return []string{""}, handler.BadEvidence(err)
  }

scheme/common/arm/handlers.go

@@ -10,6 +10,7 @@ import (
  "encoding/json"
  "fmt"
 
+ "github.com/veraison/ccatoken/platform"
  "github.com/veraison/psatoken"
  "github.com/veraison/services/handler"
  "github.com/veraison/services/log"
@@ -63,7 +64,9 @@ func GetPlatformReferenceIDs(
  tenantID string,
  claims map[string]interface{},
 ) ([]string, error) {
- platformClaims, err := common.MapToClaims(claims)
+ // Using the PSA specialisation here is ok because Implementation ID is
+ // mandatory and shared by both PSA and CCA platform.
+ platformClaims, err := common.MapToPSAClaims(claims)
  if err != nil {
  return nil, err
  }
@@ -105,13 +108,21 @@ func GetTrustAnchorID(scheme string, tenantID string, claims psatoken.IClaims) (
 func MatchSoftware(scheme string, evidence psatoken.IClaims, endorsements []handler.Endorsement) bool {
  var attr SwAttr
 
- evidenceComponents := make(map[string]psatoken.SwComponent)
+ evidenceComponents := make(map[string]psatoken.ISwComponent)
  swComps, err := evidence.GetSoftwareComponents()
  if err != nil {
  return false
  }
  for _, c := range swComps {
- key := base64.StdEncoding.EncodeToString(*c.MeasurementValue) + (*c.MeasurementType)
+ mval, err := c.GetMeasurementValue()
+ if err != nil {
+ return false
+ }
+ mtyp, err := c.GetMeasurementType()
+ if err != nil {
+ return false
+ }
+ key := base64.StdEncoding.EncodeToString(mval) + mtyp
  evidenceComponents[key] = c
  }
  matched := false
@@ -131,10 +142,14 @@ func MatchSoftware(scheme string, evidence psatoken.IClaims, endorsements []hand
  break
  }
 
- log.Debugf("MeasurementType Evidence: %s, Endorsement: %s", *evComp.MeasurementType, attr.MeasurementType)
- typeMatched := attr.MeasurementType == "" || attr.MeasurementType == *evComp.MeasurementType
- sigMatched := attr.SignerID == nil || bytes.Equal(attr.SignerID, *evComp.SignerID)
- versionMatched := attr.Version == "" || attr.Version == *evComp.Version
+ evCompMeasurementType, _ := evComp.GetMeasurementType()
+ evCompSignerID, _ := evComp.GetSignerID()
+ evCompVersion, _ := evComp.GetVersion()
+
+ log.Debugf("MeasurementType Evidence: %s, Endorsement: %s", evCompMeasurementType, attr.MeasurementType)
+ typeMatched := attr.MeasurementType == "" || attr.MeasurementType == evCompMeasurementType
+ sigMatched := attr.SignerID == nil || bytes.Equal(attr.SignerID, evCompSignerID)
+ versionMatched := attr.Version == "" || attr.Version == evCompVersion
 
  if !(typeMatched && sigMatched && versionMatched) {
  matched = false
@@ -176,7 +191,7 @@ func GetPublicKeyFromTA(scheme string, trustAnchor string) (crypto.PublicKey, er
  return pk, nil
 }
 
-func MatchPlatformConfig(scheme string, evidence psatoken.IClaims, endorsements []handler.Endorsement) bool {
+func MatchPlatformConfig(scheme string, evidence platform.IClaims, endorsements []handler.Endorsement) bool {
  var attr CcaPlatformCfg
  pfConfig, err := evidence.GetConfig()
  if err != nil {

scheme/common/cca/realm/realm_utils.go

@@ -10,7 +10,7 @@ import (
  "net/url"
  "strings"
 
- "github.com/veraison/ccatoken"
+ "github.com/veraison/ccatoken/realm"
  "github.com/veraison/services/log"
 )
 
@@ -72,15 +72,17 @@ func GetREMs(attr json.RawMessage) ([][]byte, error) {
  return rems, nil
 }
 
-func MapToRealmClaims(in map[string]interface{}) (ccatoken.IClaims, error) {
- realmClaims := &ccatoken.RealmClaims{}
+func MapToRealmClaims(in map[string]interface{}) (realm.IClaims, error) {
  data, err := json.Marshal(in)
  if err != nil {
  return nil, err
  }
- if err := realmClaims.FromJSON(data); err != nil {
+
+ realmClaims, err := realm.DecodeClaimsFromJSON(data)
+ if err != nil {
  return nil, err
  }
+
  return realmClaims, nil
 }