add veraison extensions

Signed-off-by: Thomas Fossati <[email protected]>
thomas-fossati · Jan 31, 2023 · e9148d5 · e9148d5
1 parent e73df2e
commit e9148d5
Show file tree

Hide file tree

Showing 10 changed files with 147 additions and 117 deletions.
diff --git a/cddl/examples/ear-json-1.diag b/cddl/examples/ear-json-1.diag
@@ -14,7 +14,8 @@
         "executables": 96,
         "hardware": 2
       },
-      "ear.appraisal-policy-id": "https://veraison.example/policy/1/60a0068d"
+      "ear.appraisal-policy-id":
+        "https://veraison.example/policy/1/60a0068d"
     }
   }
-}
+}
diff --git a/cddl/examples/ear-json-2.diag b/cddl/examples/ear-json-2.diag
@@ -14,14 +14,16 @@
         "executables": 2,
         "hardware": 2
       },
-      "ear.appraisal-policy-id": "https://veraison.example/policy/1/60a0068d"
+      "ear.appraisal-policy-id":
+        "https://veraison.example/policy/1/60a0068d"
     },
     "CCA Realm": {
       "ear.status": "affirming",
       "ear.trustworthiness-vector": {
         "instance-identity": 2
       },
-      "ear.appraisal-policy-id": "https://veraison.example/policy/1/60a0068d"
+      "ear.appraisal-policy-id":
+        "https://veraison.example/policy/1/60a0068d"
     }
   }
 }
diff --git a/cddl/examples/ext-veraison-cbor-1.diag b/cddl/examples/ext-veraison-cbor-1.diag
@@ -0,0 +1,60 @@
+{
+  265: "tag:github.com,2023:veraison/ear",
+  6: 1666529184,
+  1004: {
+    0: "https://veraison-project.org",
+    1: "vts 0.0.1"
+  },
+  1002: h'6C696665626F61746D616E',
+  266: {
+    "PSA": {
+      1000: 0,
+      1001: {
+        0: 2,
+        1: 2,
+        2: 2,
+        4: 2
+      },
+      1003: "https://veraison.example/policy/1/60a0068d",
+      -70000: {
+        "eat-profile": "http://arm.com/psa/2.0.0",
+        "psa-client-id": 1,
+        "psa-security-lifecycle": 12288,
+        "psa-implementation-id":
+          "AQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRobHB0eHyA=",
+        "psa-software-components": [
+          {
+            "measurement-value":
+              "AQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRobHB0eHyA=",
+            "signer-id":
+              "AQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRobHB0eHyA="
+          },
+          {
+            "measurement-value":
+              "AQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRobHB0eHyA=",
+            "signer-id":
+              "AQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRobHB0eHyA="
+          }
+        ],
+        "psa-nonce":
+          "AQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRobHB0eHyA=",
+        "psa-instance-id":
+          "AQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRobHB0eHyAh",
+        "psa-certification-reference": "1234567890123-12345"
+      },
+      -70001: {
+        "psa-certified": {
+          "certificate-number": "1234567890123-12345",
+          "date-of-issue": "23/06/2022",
+          "test-lab": "Riscure",
+          "certification-holder": "ACME Inc.",
+          "certified-product": "RoadRunner",
+          "hardware-version": "Gizmo v1.0.2",
+          "software-version": "TrustedFirmware-M v1.0.6",
+          "certification-type": "PSA Certified Level 1 v2.1",
+          "developer-type": "PSA Certified – Device"
+        }
+      }
+    }
+  }
+}
diff --git a/cddl/examples/ext-veraison-cbor-1.diag__ b/cddl/examples/ext-veraison-cbor-1.diag__
diff --git a/cddl/examples/ext-veraison-json-1.diag b/cddl/examples/ext-veraison-json-1.diag
@@ -0,0 +1,60 @@
+{
+  "eat_profile": "tag:github.com,2023:veraison/ear",
+  "iat": 1666529184,
+  "ear.verifier-id": {
+    "developer": "https://veraison-project.org",
+    "build": "vts 0.0.1"
+  },
+  "ear.raw-evidence": "NzQ3MjY5NzM2NTYzNzQK",
+  "submods": {
+    "PSA": {
+      "ear.status": "contraindicated",
+      "ear.trustworthiness-vector": {
+        "instance-identity": 2,
+        "executables": 96,
+        "hardware": 2
+      },
+      "ear.appraisal-policy-id":
+        "https://veraison.example/policy/1/60a0068d",
+      "ear.veraison.annotated-evidence": {
+        "eat-profile": "http://arm.com/psa/2.0.0",
+        "psa-client-id": 1,
+        "psa-security-lifecycle": 12288,
+        "psa-implementation-id":
+          "AQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRobHB0eHyA=",
+        "psa-software-components": [
+          {
+            "measurement-value":
+              "AQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRobHB0eHyA=",
+            "signer-id":
+              "AQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRobHB0eHyA="
+          },
+          {
+            "measurement-value":
+              "AQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRobHB0eHyA=",
+            "signer-id":
+              "AQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRobHB0eHyA="
+          }
+        ],
+        "psa-nonce":
+          "AQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRobHB0eHyA=",
+        "psa-instance-id":
+          "AQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRobHB0eHyAh",
+        "psa-certification-reference": "1234567890123-12345"
+      },
+      "ear.veraison.policy-claims": {
+        "psa-certified": {
+          "certificate-number": "1234567890123-12345",
+          "date-of-issue": "23/06/2022",
+          "test-lab": "Riscure",
+          "certification-holder": "ACME Inc.",
+          "certified-product": "RoadRunner",
+          "hardware-version": "Gizmo v1.0.2",
+          "software-version": "TrustedFirmware-M v1.0.6",
+          "certification-type": "PSA Certified Level 1 v2.1",
+          "developer-type": "PSA Certified – Device"
+        }
+      }
+    }
+  }
+}
diff --git a/cddl/examples/ext-veraison-json-1.diag__ b/cddl/examples/ext-veraison-json-1.diag__
diff --git a/cddl/veraison-cbor-labels.cddl b/cddl/veraison-cbor-labels.cddl
@@ -1,2 +1,2 @@
-ear.veraison.processed-evidence = -70000
-ear.veraison.verifier-added-claims = -70001
+ear.veraison.annotated-evidence = -70000
+ear.veraison.policy-claims = -70001
diff --git a/cddl/veraison-json-labels.cddl b/cddl/veraison-json-labels.cddl
@@ -1,5 +1,2 @@
-ear.veraison.processed-evidence =
-  "ear.veraison.processed-evidence"
-
-ear.veraison.verifier-added-claims =
-  "ear.veraison.verifier-added-claims"
+ear.veraison.annotated-evidence = "ear.veraison.annotated-evidence"
+ear.veraison.policy-claims = "ear.veraison.policy-claims"
diff --git a/cddl/veraison.cddl b/cddl/veraison.cddl
@@ -1,17 +1,15 @@
-$$ear-extension //= (
-  ear.veraison.processed-evidence =>
-    ear-veraison-processed-evidence
+$$ear-appraisal-extension //= (
+  ear.veraison.annotated-evidence => ear-veraison-annotated-evidence
 )
 
-ear-veraison-processed-evidence = {
+ear-veraison-annotated-evidence = {
   + ear-label => any
 }
 
-$$ear-extension //= (
-  ear.veraison.verifier-added-claims =>
-    ear-veraison-verifier-added-claims
+$$ear-appraisal-extension //= (
+  ear.veraison.policy-claims => ear-veraison-policy-claims
 )
 
-ear-veraison-verifier-added-claims = {
+ear-veraison-policy-claims = {
   + ear-label => any
 }
diff --git a/draft-fv-rats-ear.md b/draft-fv-rats-ear.md
@@ -431,39 +431,40 @@ TODO
 The Veraison verifier defines two private, application-specific extensions:
 
 {:vspace}
-`ear.veraison.TODO1`
-: TODO
+`ear.veraison.annotated-evidence`
+: JSON representation of the evidence claims-set, including any annotations
+provided by the Veraison verifier.
 
-`ear.veraison.TODO2`
-: TODO
+`ear.veraison.policy-claims`
+: any extra claims added by the policy engine in the Veraison verifier.
 
 ~~~cddl
-TODO
+{::include cddl/veraison.cddl}
 ~~~
 {: #fig-cddl-veraison title="Veraison Extensions (CDDL Definition)" }
 
 ### JSON Serialization
 
 ~~~cddl
-TODO
+{::include cddl/veraison-json-labels.cddl}
 ~~~
 
 Example:
 
 ~~~cbor-diag
-TODO
+{::include cddl/examples/ext-veraison-json-1.diag}
 ~~~
 
 ### CBOR Serialization
 
 ~~~cddl
-TODO
+{::include cddl/veraison-cbor-labels.cddl}
 ~~~
 
 Example:
 
 ~~~cbor-diag
-TODO
+{::include cddl/examples/ext-veraison-cbor-1.diag}
 ~~~
 
 # Media Types