Improvement for JWT in CWT and vice versa; update to new CDDL build p…

…rocess

.travis.yml

@@ -14,6 +14,10 @@ env:
    - mmark_src=github.com/miekg/mmark/mmark
    - mmark=./mmark
 
+before_install:
+  - rvm default
+  - gem install cddl cbor-diag
+
 install:
  - pip install xml2rfc
  - if head -1 -q *.md | grep '^\-\-\-' >/dev/null 2>&1; then gem install --no-doc kramdown-rfc2629; fi

Makefile

@@ -1,3 +1,5 @@
+SHELL := /bin/bash
+
 LIBDIR := lib
 include $(LIBDIR)/main.mk
 
@@ -9,3 +11,20 @@ else
 	git clone -q --depth 10 $(CLONE_ARGS) \
 	    -b master https://github.com/martinthomson/i-d-template $(LIBDIR)
 endif
+
+include cddl/tools.mk
+include cddl/vars.mk
+
+CDDL_FULL := $(addprefix cddl/,$(CDDL_FULL))
+
+draft-ietf-rats-eat.md: $(CDDL_FULL) examples
+
+CDDL_FRAGS := $(addprefix cddl/,$(CDDL_FRAGS))
+
+$(CDDL_FULL): $(CDDL_FRAGS)
+	@for f in $^ ; do \
+		( cat $$f ; echo ) ; \
+	done > $@
+
+.PHONY: examples
+examples: ; $(MAKE) -C cddl check-examples

README.md

@@ -17,6 +17,11 @@ $ make
 This requires that you have the necessary software installed.  See
 [the instructions](https://github.com/martinthomson/i-d-template/blob/master/doc/SETUP.md).
 
+In addition, CDDL validation depends on the `cddl` and `diag2cbor` tools.  To install them:
+
+```sh
+# gem install cddl cbor-diag
+```
 
 ## Contributing
 

cddl/Makefile

@@ -0,0 +1,26 @@
+SHELL := /bin/bash
+
+include tools.mk
+include vars.mk
+
+%.cbor: %.diag ; @$(diag2cbor) $< > $@
+
+DIAG_EXAMPLES := $(wildcard examples/*.diag)
+CBOR_EXAMPLES := $(DIAG_EXAMPLES:.diag=.cbor)
+
+CLEANFILES += $(CBOR_EXAMPLES)
+
+.PHONY: check-examples
+check-examples: $(CDDL_FULL) $(CBOR_EXAMPLES)
+	@for f in $(CBOR_EXAMPLES); do \
+		echo ">> validating $$f" ; \
+		$(cddl) $< validate $$f ; \
+	done
+
+$(CDDL_FULL): $(CDDL_FRAGS)
+	@for f in $^ ; do \
+		( cat $$f ; echo ) ; \
+	done > $@
+
+.PHONY: clean
+clean: ; $(RM) $(CLEANFILES)

cddl/age.cddl

@@ -0,0 +1,3 @@
+age-claim = (
+    age => uint
+)

cddl/common-types.cddl

@@ -0,0 +1 @@
+string-or-uri = tstr / uri

cddl/cwt.cddl

@@ -0,0 +1,17 @@
+rfc8392-claim //= ( issuer => text )
+rfc8392-claim //= ( subject => text )
+rfc8392-claim //= ( audience => text )
+rfc8392-claim //= ( expiration => time )
+rfc8392-claim //= ( not-before => time )
+rfc8392-claim //= ( issued-at => time )
+rfc8392-claim //= ( cwt-id => bytes )
+
+issuer = 1
+subject = 2
+audience = 3
+expiration = 4
+not-before = 5
+issued-at = 6
+cwt-id = 7
+
+cwt-claim = rfc8392-claim

cddl/debug-disable.cddl

@@ -0,0 +1,11 @@
+debug-disable-type = &(
+    not-disabled: 0,
+    disabled: 1,
+    disabled-since-boot: 2,
+    permanent-disable: 3,
+    full-permanent-disable: 4
+)
+
+debug-disable-claim = (
+    debug-disable => debug-disable-type
+)

cddl/eat.cddl

@@ -0,0 +1,39 @@
+eat-claims = { ; the top-level payload that is signed using COSE or JOSE
+    * claim
+}
+
+claim = (
+    ueid-claim //
+    nonce-claim //
+    origination-claim //
+    oemid-claim //
+    security-level-claim //
+    secure-boot-claim //
+    debug-disable-claim //
+    location-claim //
+    age-claim //
+    uptime-claim //
+    submods-part //
+    cwt-claim //
+;    generic-claim-type //
+)
+
+
+eat-token = EAT_Tagged_Message / EAT_Untagged_Message / JOSE_Message; The JOSE/COSE payload or UCCS contains eat-claims
+
+EAT_Tagged_Message = #6.61(COSE_Tagged_Message) / UCCS_Tagged_Message ; CWT or UCCS tag
+
+EAT_Untagged_Message = COSE_Tagged_Message / COSE_Untagged_Message/ UCCS_Untagged_Message
+
+
+nonce = 10
+ueid = 11
+origination = 12
+oemid = 13
+security-level = 14
+secure-boot = 15
+debug-disable = 16
+location = 17
+age = 18
+uptime = 19
+submods = 20

cddl/examples/simple.diag

@@ -0,0 +1,7 @@
+{
+    / nonce /           10: h'948f8860d13a463e8e',
+    / UEID /            11: h'0198f50a4ff6c05861c8860d13a638ea4fe2fa',
+    / secure-boot /     15: true,
+    / debug-disable /   16: 3, / permanent-disable /
+    / timestamp (iat) /  6: 1(1526542894)
+}

cddl/examples/submods.diag

@@ -0,0 +1,24 @@
+{
+    / nonce /                 10: h'948f8860d13a463e8e',
+    / UEID /                  11: h'0198f50a4ff6c05861c8860d13a638ea4fe2fa',
+    / secure-boot /           15: true,
+    / debug-disable /         16: 3, / permanent-disable  /
+    / timestamp (iat) /        6: 1(1526542894),
+    / security-level /        14: 3, / secure restricted OS /
+    / submods / 20: {
+        / first submod, an Android Application /
+        "Android App Foo" :  {
+            / security-level /  14: 1 / unrestricted /
+        },
+
+        / 2nd submod, A nested EAT from a secure element /
+        "Secure Element Eat" :
+            / an embedded EAT, bytes of which are not shown /
+            h'420123',
+
+        / 3rd submod, information about Linux Android /
+        "Linux Android": {
+            / security-level /  14: 1 / unrestricted /
+        }
+    }
+}

cddl/json.cddl

@@ -0,0 +1,19 @@
+ueid /= "ueid"
+origination /= "origination"
+oemid /= "oemid"
+security-level /= "security-level"
+secure-boot /= "secure-boot"
+debug-disble /= "debug-disable"
+location /= "location"
+age /= "age"
+uptime /= "uptime"
+nested-eat /= "nested-eat"
+submods /= "submods"
+
+latitude /= "lat"
+longitude /= "long"
+altitude /= "alt"
+accuracy /= "accry"
+altitude-accuracy /= "alt-accry"
+heading /= "heading"
+speed /= "speed"

cddl/location.cddl

@@ -0,0 +1,21 @@
+location-type = {
+    latitude => number,
+    longitude => number,
+    ? altitude => number,
+    ? accuracy => number,
+    ? altitude-accuracy => number,
+    ? heading => number,
+    ? speed => number
+}
+
+latitude = 1
+longitude = 2
+altitude = 3
+accuracy = 4
+altitude-accuracy = 5
+heading = 6
+speed = 7
+
+location-claim = (
+    location => location-type
+)

cddl/nonce.cddl

@@ -0,0 +1,5 @@
+nonce-type = bstr .size (8..64)
+
+nonce-claim = (
+    nonce => nonce-type / [ 2* nonce-type ]
+)

cddl/oemid.cddl

@@ -0,0 +1,3 @@
+oemid-claim = (
+    oemid => bstr
+)

cddl/origination.cddl

@@ -0,0 +1,3 @@
+origination-claim = (
+    origination => string-or-uri
+)

cddl/secure-boot.cddl

@@ -0,0 +1,3 @@
+secure-boot-claim = (
+    secure-boot => bool
+)

cddl/security-level.cddl

@@ -0,0 +1,10 @@
+security-level-type = &(
+    unrestricted: 1,
+    restricted: 2,
+    secure-restricted: 3,
+    hardware: 4
+)
+
+security-level-claim = (
+    security-level => security-level-type
+)

cddl/submods.cddl

@@ -0,0 +1,13 @@
+submods-type = { + submodule }
+
+submodule = (
+    submod-name => eat-claims / nested-token
+)
+
+nested-token = bstr / tstr; a signed eat token, cbor for is bstr, json format if tstr
+
+submod-name = tstr / int
+
+submods-part = (
+    submods => submods-type
+)

cddl/tools.mk

@@ -0,0 +1,12 @@
+#
+# Tools (need cddl and diag2cbor to work)
+#
+cddl ?= $(shell command -v cddl)
+ifeq ($(strip $(cddl)),)
+  $(error cddl tool not found. To install cddl, run: 'gem install cddl')
+endif
+
+diag2cbor ?= $(shell command -v diag2cbor.rb)
+ifeq ($(strip $(diag2cbor)),)
+  $(error diag2cbor tool not found. To install diag2cbor, run: 'gem install cbor-diag')
+endif

cddl/ueid.cddl

@@ -0,0 +1,5 @@
+ueid-type = bstr .size (7..33)
+
+ueid-claim = (
+     ueid => ueid-type
+)

cddl/uptime.cddl

@@ -0,0 +1,3 @@
+uptime-claim = (
+    uptime => uint
+)

cddl/vars.mk

@@ -0,0 +1,19 @@
+CDDL_FRAGS := eat.cddl
+CDDL_FRAGS += age.cddl
+CDDL_FRAGS += common-types.cddl
+CDDL_FRAGS += cwt.cddl
+CDDL_FRAGS += debug-disable.cddl
+CDDL_FRAGS += location.cddl
+CDDL_FRAGS += nonce.cddl
+CDDL_FRAGS += oemid.cddl
+CDDL_FRAGS += origination.cddl
+CDDL_FRAGS += secure-boot.cddl
+CDDL_FRAGS += security-level.cddl
+CDDL_FRAGS += submods.cddl
+CDDL_FRAGS += ueid.cddl
+CDDL_FRAGS += uptime.cddl
+#CDDL_FRAGS += json.cddl
+
+CDDL_FULL := eat-token.cddl
+
+CLEANFILES += $(CDDL_FULL)