From c47d0a259f147a312c2e8b303117ce00c3ca03c7 Mon Sep 17 00:00:00 2001
From: Thomas Fossati
Date: Fri, 7 Feb 2025 18:59:40 +0100
Subject: [PATCH 1/2] JSON examples
Signed-off-by: Thomas Fossati
---
 cddl/Makefile | 7 ++++-
 cddl/common-types.cddl | 3 +++
 cddl/component-id.cddl | 11 +++++---
 cddl/ex1.json | 18 +++++++++++++
 cddl/ex2.json | 14 ++++++++++
 cddl/jc.cddl | 3 ---
 cddl/labels.cddl | 7 ++---
 cddl/mc.cddl | 8 ++++--
 cddl/measured-component.cddlc | 32 ++++++++++++-----------
 cddl/profile-flags.cddl | 2 +-
 cddl/signer.cddl | 2 +-
 draft-ietf-rats-eat-measured-component.md | 6 +++++
 12 files changed, 84 insertions(+), 29 deletions(-)
 create mode 100644 cddl/common-types.cddl
 create mode 100644 cddl/ex1.json
 create mode 100644 cddl/ex2.json
 delete mode 100644 cddl/jc.cddl
diff --git a/cddl/Makefile b/cddl/Makefile
index c7856bb..386a3d1 100644
--- a/cddl/Makefile
+++ b/cddl/Makefile
@@ -6,6 +6,7 @@ SHELL := /bin/bash
 CDDL := measured-component.cddl
 DIAG_EXAMPLES := $(wildcard ex*.diag)
 CBOR_EXAMPLES := $(DIAG_EXAMPLES:.diag=.cbor)
+JSON_EXAMPLES := $(wildcard ex*.json)
 all: check-schema check-examples mceat-check-examples
@@ -21,13 +22,17 @@ CLEANFILES += $(MCEAT_CBOR_EXAMPLES)
 clean:: ; -rm -f $(CLEANFILES)
 .PHONY: clean
-check-examples: $(CBOR_EXAMPLES) $(CDDL)
+check-examples: $(JSON_EXAMPLES) $(CBOR_EXAMPLES) $(CDDL)
 @for f in $(CBOR_EXAMPLES); do \
 echo ">> validating $$f against $(CDDL)" ; \
 cddl $(CDDL) validate $$f &>/dev/null || exit 1 ; \
 echo ">> saving prettified CBOR to $${f%.cbor}.pretty" ; \
 cbor2pretty.rb $$f > $${f%.cbor}.pretty ; \
 done
+ @for f in $(JSON_EXAMPLES); do \
+ echo ">> validating $$f against $(CDDL)" ; \
+ cddl $(CDDL) validate $$f &>/dev/null || exit 1 ; \
+ done
 .PHONY: check-examples
 MCEAT_CDDL := mc+eat.cddl
diff --git a/cddl/common-types.cddl b/cddl/common-types.cddl
new file mode 100644
index 0000000..93ec4c6
--- /dev/null
+++ b/cddl/common-types.cddl
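Review bot: In the `check-examples` recipe of cddl/Makefile, the new JSON loop copies `&>/dev/null` from the CBOR loop, so a JSON example that fails validation stops the build right after the `>> validating` line with no reason shown. Letting the validator's output through in the new loop, `cddl $(CDDL) validate $$f || exit 1 ; \`, makes a schema or example regression diagnosable from the build log. Both loops also exercise only examples that are expected to pass; one deliberately malformed example that must be rejected (for instance a `flags` value of the wrong length) would catch a schema that has become too permissive. If `$(wildcard ex*.json)` matches nothing, the loop body never runs and the target still succeeds.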
@@ -0,0 +1,3 @@
+bytes-b64u = text .b64u bytes
+bytes4 = bytes .size 4
+bytes4-b64u = text .b64u bytes4
diff --git a/cddl/component-id.cddl b/cddl/component-id.cddl
index 304be52..ae1ca34 100644
--- a/cddl/component-id.cddl
+++ b/cddl/component-id.cddl
@@ -1,6 +1,11 @@
-;# import sw-version-type from RFCXXXX as eat
-
 component-id = [
 name: text
- ? version: eat.sw-version-type
+ ? version: version
+]
+
+;# import coswid.$version-scheme from rfc9393 as coswid
+
+version = [
+ val: text
+ ? scheme: coswid.$version-scheme
 ]
diff --git a/cddl/ex1.json b/cddl/ex1.json
new file mode 100644
index 0000000..ae2d9f2
--- /dev/null
+++ b/cddl/ex1.json
@@ -0,0 +1,18 @@
+{
+ "id": [
+ "boot loader X",
+ [
+ "1.2.3rc2",
+ 16384
+ ]
+ ],
+ "measurement": [
+ "sha-256",
+ "OZYAPUhvuR_7BW99A_KymSshWzHb569LNzQx_H0xnaM"
+ ],
+ "signers": [
+ "SS6bZ2wh9gErHO65Ay_rQUGogHlzVfZnUBXsWcUcoew",
+ "Qne7l7p7UVd6DTgVHT4ItAvflGdT9bW964FNb_V6il4"
+ ],
+ "flags": "AAABAQ"
+}
diff --git a/cddl/ex2.json b/cddl/ex2.json
new file mode 100644
index 0000000..1ec779c
--- /dev/null
+++ b/cddl/ex2.json
@@ -0,0 +1,14 @@
+{
+ "id": [
+ "boot loader X",
+ [
+ "1.2.3rc2",
+ 16384
+ ]
+ ],
+ "measurement": [
+ "sha-256",
+ "OZYAPUhvuR_7BW99A_KymSshWzHb569LNzQx_H0xnaM"
+ ],
+ "flags": "AAABAQ"
+}
diff --git a/cddl/jc.cddl b/cddl/jc.cddl
deleted file mode 100644
index 8a65aaf..0000000
--- a/cddl/jc.cddl
+++ /dev/null
@@ -1,3 +0,0 @@
-JSON-ONLY = J .feature "json"
-CBOR-ONLY = C .feature "cbor"
-JC = JSON-ONLY / CBOR-ONLY
diff --git a/cddl/labels.cddl b/cddl/labels.cddl
index 061e39b..5b1fd30 100644
--- a/cddl/labels.cddl
+++ b/cddl/labels.cddl
@@ -1,3 +1,4 @@
-id-label = JC<"id", 1>
-measurement-label = JC<"measurements", 2>
-signers-label = JC<"signers", 3>
+id-label = eat.JC<"id", 1>
+measurement-label = eat.JC<"measurement", 2>
+signers-label = eat.JC<"signers", 3>
+flags-label = eat.JC<"flags", 4>
diff --git a/cddl/mc.cddl b/cddl/mc.cddl
index 27ebd80..8bbe2db 100644
--- a/cddl/mc.cddl
+++ b/cddl/mc.cddl
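Review bot: The three rules added in cddl/common-types.cddl have no comment saying which serialization each is meant for; a reader has to infer from the names that the `-b64u` rules are the JSON text forms of `bytes` and `bytes4`. A header comment such as `; JSON carries byte strings as base64url text: bytes-b64u and bytes4-b64u are the JSON counterparts of bytes and bytes4` would state it. It is also worth saying next to `bytes4` what the fixed size is for (the `flags` value, judging by the other files in this patch), so that anyone who later changes the flags width knows this rule has to change with it.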
@@ -1,8 +1,12 @@
-;# import corim.digest from RFCYYYY as corim
+;# import corim.digest from rfcYYYY as corim
+;# import eat.JC from rfc9711 as eat
 measured-component = {
 id-label => component-id
 measurement-label => corim.digest
 ? signers-label => [ + signer-type ]
- ? flags-label => profile-flags
+ ? flags-label => flags-type
 }
+
+signer-type = eat.JC
+flags-type = eat.JC
diff --git a/cddl/measured-component.cddlc b/cddl/measured-component.cddlc
index d15adf0..d516eb2 100644
--- a/cddl/measured-component.cddlc
+++ b/cddl/measured-component.cddlc
@@ -2,11 +2,9 @@ measured-component = {
 id-label => component-id
 measurement-label => corim.digest
 ? signers-label => [ + signer-type ]
- ? flags-label => profile-flags
+ ? flags-label => flags-type
 }
-signer-type = bytes
-
 component-id = [
 name: text
 ? version: version
@@ -15,26 +13,30 @@ component-id = [
 ;# import coswid.$version-scheme from rfc9393 as coswid
 version = [
- val: text
+ val: text
 ? scheme: coswid.$version-scheme
 ]
-; eventually: ";#import digest from rfcxxxx as corim"
-
 corim.digest = [
 alg: (int / text)
- val: bytes
+ val: digest-value-type
 ]
-profile-flags = bytes .size 4
+signer-type = eat.JC
+flags-type = eat.JC
+digest-value-type = eat.JC
+
+bytes-b64u = text .b64u bytes
+bytes4 = bytes .size 4
+bytes4-b64u = text .b64u bytes4
-id-label = JC<"id", 1>
-measurement-label = JC<"measurements", 2>
-signers-label = JC<"signers", 3>
-flags-label = JC<"flags", 4>
+id-label = eat.JC<"id", 1>
+measurement-label = eat.JC<"measurement", 2>
+signers-label = eat.JC<"signers", 3>
+flags-label = eat.JC<"flags", 4>
 ; TODO import from rfc9711
-JSON-ONLY = J .feature "json"
-CBOR-ONLY = C .feature "cbor"
-JC = JSON-ONLY / CBOR-ONLY
+eat.JSON-ONLY = J .feature "json"
+eat.CBOR-ONLY = C .feature "cbor"
+eat.JC = eat.JSON-ONLY / eat.CBOR-ONLY
diff --git a/cddl/profile-flags.cddl b/cddl/profile-flags.cddl
index 5858801..9048425 100644
--- a/cddl/profile-flags.cddl
+++ b/cddl/profile-flags.cddl
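Review bot: `signer-type` and `flags-type` are now defined at the end of cddl/mc.cddl and again in cddl/signer.cddl and cddl/profile-flags.cddl, which this same patch edits to what appears to be the same right-hand side. Two definitions of one rule name can drift apart, and which one ends up in the compiled schema depends on how the fragments are assembled (that build rule is not visible in this patch). Keeping each rule in one place, either by dropping the two lines added here or by removing the single-rule files, avoids a schema whose signer or flags constraint silently differs from the one documented. The import comment also still uses the placeholder `rfcYYYY`; a `; TODO replace rfcYYYY once the CoRIM RFC number is assigned` comment beside it would keep that from being forgotten.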
@@ -1 +1 @@
-profile-flags = bytes .size 4
+flags-type = eat.JC
diff --git a/cddl/signer.cddl b/cddl/signer.cddl
index a800f7d..ba41788 100644
--- a/cddl/signer.cddl
+++ b/cddl/signer.cddl
@@ -1 +1 @@
-signer-type = bytes
+signer-type = eat.JC
diff --git a/draft-ietf-rats-eat-measured-component.md b/draft-ietf-rats-eat-measured-component.md
index 8f81820..f8823e1 100644
--- a/draft-ietf-rats-eat-measured-component.md
+++ b/draft-ietf-rats-eat-measured-component.md
@@ -111,6 +111,12 @@ The format SHOULD also allow a limited amount of extensibility to accommodate pr
 The data model is inspired by the "PSA software component" claim ({{Section 4.4.1 of -psa-token}}), which has been refactored to take into account the recommendations about new EAT claims design in {{Appendix E of -rats-eat}}.
+### Common Types
+
+~~~ cddl
+{::include cddl/common-types.cddl}
+~~~
+
 ## The `measured-component` Data Item
 ~~~ cddl
From acdcd56ee144972a8d47e92638dc1099e38ef162 Mon Sep 17 00:00:00 2001
From: Thomas Fossati
Date: Mon, 10 Feb 2025 14:14:48 +0100
Subject: [PATCH 2/2] include JSON examples
Signed-off-by: Thomas Fossati
---
 cddl/Makefile | 7 +++++++
 cddl/eat-ex1-json.diag.in | 8 ++++++++
 cddl/{eat-ex1.diag => eat-ex1.diag.in} | 2 +-
 draft-ietf-rats-eat-measured-component.md | 25 ++++++++++++++---------
 4 files changed, 31 insertions(+), 11 deletions(-)
 create mode 100644 cddl/eat-ex1-json.diag.in
 rename cddl/{eat-ex1.diag => eat-ex1.diag.in} (91%)
diff --git a/cddl/Makefile b/cddl/Makefile
index 386a3d1..96c5b01 100644
--- a/cddl/Makefile
+++ b/cddl/Makefile
@@ -37,11 +37,18 @@ check-examples: $(JSON_EXAMPLES) $(CBOR_EXAMPLES) $(CDDL)
 MCEAT_CDDL := mc+eat.cddl
 MCEAT_DIAG_EXAMPLES := eat-ex1.diag
+MCEAT_DIAG_EXAMPLES += eat-ex1-json.diag
 MCEAT_CBOR_EXAMPLES := $(MCEAT_DIAG_EXAMPLES:.diag=.cbor)
 $(MCEAT_CDDL): minimal-eat.cddlc eat-plug.cddl $(CDDL)
 cddlc -2 -sClaims-Set -tcddl -Imeasured-component $< > $@
+eat-ex1.diag: eat-ex1.diag.in ; sed -e 's/TBD1/65000/' $< > $@
+eat-ex1-json.diag: eat-ex1-json.diag.in ; sed -e 's/TBD2/65001/' $< > $@
+
+CLEANFILES += eat-ex1.diag
+CLEANFILES += eat-ex1-json.diag
+
 mceat-check-examples: $(MCEAT_CBOR_EXAMPLES) $(MCEAT_CDDL)
 @for f in $(MCEAT_CBOR_EXAMPLES); do \
 echo ">> validating $$f against $(MCEAT_CDDL)" ; \
diff --git a/cddl/eat-ex1-json.diag.in b/cddl/eat-ex1-json.diag.in
new file mode 100644
index 0000000..b73558f
--- /dev/null
+++ b/cddl/eat-ex1-json.diag.in
@@ -0,0 +1,8 @@
+{
+ "measurements": [
+ [
+ TBD2, / mc+json /
+ "{ \"id\": [ \"boot loader X\", [ \"1.2.3rc2\", 16384 ] ], \"measurement\": [ \"sha-256\", \"OZYAPUhvuR_7BW99A_KymSshWzHb569LNzQx_H0xnaM\" ], \"signers\": [ \"SS6bZ2wh9gErHO65Ay_rQUGogHlzVfZnUBXsWcUcoew\", \"Qne7l7p7UVd6DTgVHT4ItAvflGdT9bW964FNb_V6il4\" ] }"
+ ]
+ ]
+}
diff --git a/cddl/eat-ex1.diag b/cddl/eat-ex1.diag.in
similarity index 91%
rename from cddl/eat-ex1.diag
rename to cddl/eat-ex1.diag.in
index b15c977..7459192 100644
--- a/cddl/eat-ex1.diag
+++ b/cddl/eat-ex1.diag.in
@@ -1,7 +1,7 @@
 {
 273: [
 [
- 65000, / using a CoAP C-F from the experimental range /
+ TBD1, / mc+cbor /
 <<
 {
 / id / 1: [
diff --git a/draft-ietf-rats-eat-measured-component.md b/draft-ietf-rats-eat-measured-component.md
index f8823e1..18c2ae6 100644
--- a/draft-ietf-rats-eat-measured-component.md
+++ b/draft-ietf-rats-eat-measured-component.md
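Review bot: The two new `sed` rules in cddl/Makefile hard-code 65000 and 65001 without saying what they are, and the comment that used to explain the first one (`/ using a CoAP C-F from the experimental range /`) is removed from eat-ex1.diag.in in this same patch. A comment above the rules, e.g. `# TBD1/TBD2 are the not-yet-assigned Content-Format IDs; 65000/65001 are experimental-range stand-ins used only to build the test examples`, would keep the reason in the tree. Because each recipe writes with `> $@`, a failing `sed` leaves an empty or partial .diag file that is newer than its input; unless the Makefile already declares `.DELETE_ON_ERROR:` (not visible in this hunk), adding it prevents a later run from validating that stale file. The `mceat-check-examples` recipe continues past the end of the hunk.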
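Review bot: The measured component in cddl/eat-ex1-json.diag.in is a hand-escaped JSON text string, so as far as the rules visible in this patch show, `mceat-check-examples` can confirm only that the entry is a string and never parses its content against the measured-component schema. It is also not the same object as cddl/ex1.json (there is no `flags` member here), so the two copies can drift without any check noticing. Consider generating the string from ex1.json at build time, or adding a recipe step that extracts it and runs `cddl $(CDDL) validate` on the result.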
@@ -218,12 +218,6 @@ Note the use of the "native" and "tunnel" formats from {{fig-eat-plug}}, and how
 # Examples
-> **NOTE:**
-> The examples are CBOR only.
-> JSON examples will be added in a future version of this document.
->
-> Tracking issue: https://github.com/ietf-rats-wg/draft-ietf-rats-eat-measured-component/issues/18
-
 The example in {{ex-1}} is a measured component with all the fields populated.
 ~~~ cbor-edn
@@ -233,14 +227,25 @@ The example in {{ex-1}} is a measured component with all the fields populated.
 The example in {{ex-eat-1}} is the same measured component as above but used as the format of a `measurements` claim in a EAT claims-set.
-Note that the example uses a CoAP Content-Format value from the experimental range (65000), which will change to the value assigned by IANA for the `application/measured-component+cbor` Content-Format.
+The example uses TBD1 as the `content-type` value of the `measurements-format` entry.
+(This will change to the value assigned by IANA to the `mc+cbor` Content-Format.)
+
+Note that the array contains only one measured component, but additional entries could be added if the measured TCB is made of multiple, individually measured components.
+
+~~~ cbor-edn
+{::include cddl/eat-ex1.diag.in}
+~~~
+{: #ex-eat-1 title="EAT Measurements Claim using a Measured Component (CBOR)"}
+
+The example in {{ex-eat-2}} illustrates the inclusion of a JSON measured component inside a JSON EAT.
-Note also that the array contains only one measured component, but additional entries could be added if the measured TCB is made of multiple, individually measured components.
+The example uses TBD2 as the `content-type` value of the `measurements-format` entry.
+(This will change to the value assigned by IANA to the `mc+json` Content-Format.)
 ~~~ cbor-edn
-{::include cddl/eat-ex1.diag}
+{::include-fold cddl/eat-ex1-json.diag.in}
 ~~~
-{: #ex-eat-1 title="EAT Measurements Claim using a Measured Component"}
+{: #ex-eat-2 title="EAT Measurements Claim using a Measured Component (JSON)"}
 # Security and Privacy Considerations {#seccons}