Support OCP Endorsed CSR as EAT CWT, and remove support for conveying all available CSRs at once (#39)

Signed-off-by: Fabrizio Damato <[email protected]>

Author: fdamato

specifications/device-identity-provisioning/cddl/ocp-endorsed-csr.cddl

@@ -0,0 +1,47 @@
+cwt-enveloped-csr-eat = {  
+  ; The EAT Profile for Endorsed CSR OCP will register
+  &(eat-profile : 265 ) => ~oid ; "2.16.840.1.113741.1.16.1" - note: `~` strips CBOR tag #6.111(oid) from `oid`
+
+  ; Issuer claim is StringOrURI (tstr)
+  &(iss : 1) => tstr
+
+  ; Nonce claim is nonce-type = bstr .size (8..64)
+  ? &(nonce : 10) => bstr
+  
+  ; Private Claims (they have to be < -65536 for rfc8392)
+  
+  ; KeyPair Id
+  &(id: -70001) => uint
+
+  ; CSR bytestring
+  &(csr: -70002) => bstr
+
+  ; Attribute List of OIDs
+  &(attrib: -70003) => [+ $key-attributes-type]
+}
+
+$key-attributes-type = tagged-oid-type
+
+signed-cwt = #6.18(COSE-Sign1-concise-evidence)
+
+COSE-Sign1-concise-evidence = [
+  protected: bstr .cbor protected-ce-header-map
+  unprotected: unprotected-ce-header-map
+  payload: bstr .cbor cwt-enveloped-csr-eat
+  signature: bstr
+]
+
+protected-ce-header-map = {
+  ; Well-defined header fields
+  &(alg-id: 1) => int
+  &(content-type: 3) => tstr / int
+  &(issuer-key-id: 4) => bstr
+  ; User-defined fields
+  * cose-label => cose-value
+}
+
+unprotected-ce-header-map = {
+  ? &(x5-chain: 33) => bstr / [ 2*certs: bstr ]
+  * cose-label => cose-value
+}
+

specifications/device-identity-provisioning/cddl/ocp-enveloped-csr-eat.cddl

@@ -0,0 +1,19 @@
+signed-cwt / 18([
+  / protected / <<{
+    / alg-id / 1 : 7,
+    / content-type / 3 : "application/eat+cbor",
+    / kid / 4 : 'Example OCP Enveloped-Signed CSR CWT'
+  }>>,
+/ unprotected / {/ x5-chain / 33 : h'59025630820252308201d9a003020102021431a4ef62e5244e4d952ea485976098090d5f242f300a06082a8648ce3d040303307b310b30090603550406130255533113301106035504080c0a43616c69666f726e69613116301406035504070c0d53616e204672616e636973636f311d301b060355040a0c144578616d706c65204f7267616e697a6174696f6e3120301e06035504030c174578616d706c652043575420456e646f7273656d656e74301e170d3235303231333139303230345a170d3236303231343139303230345a307b310b30090603550406130255533113301106035504080c0a43616c69666f726e69613116301406035504070c0d53616e204672616e636973636f311d301b060355040a0c144578616d706c65204f7267616e697a6174696f6e3120301e06035504030c174578616d706c652043575420456e646f7273656d656e743076301006072a8648ce3d020106052b8104002203620004fcd3fad48575addceee9638583aa7054f71a402f35993901923cc0ee9763b85b1e729c740331f4e91079559bce17d5c3b706748333faeb192120e32d815f88f7310ae05df55060f96fbdb2d0acb19e710d25ec27cfa8945fe5dda73332813feda31e301c301a0603551d1104133011820f7777772e6578616d706c652e636f6d300a06082a8648ce3d040303036700306402306e1166a8a3132d4a20e0200a26d1eba0937fec54fdb7547eb7c5ccca0370170853294cdd6b3a1eb0fe649f12446d8b17023071219daf2b7c1aa6f7727d053e1027309594fd8cab9f820fa89d8f88fc7e551c0d30781b12aea48b53fde200e6cf082b' },
+/ payload / <<{
+      / eat-profile / 265 : h'88378952',
+      / iss / 1 : "RT Alias Key",
+      / nonce / 10: h'AAAABBBBAAAABBBBAAAABBBB', 
+      / id / -70001 : 0,
+      / csr / -70002 :  h'59025630820252308201d9a003020102021431a4e0',
+      / attrib / -70003: [
+      / tagged-oid-type / 111(h'6086480186F84D010F046301')
+      ]
+  }>>,
+  / signature / h'FA45AAB345AB4988' 
+])

specifications/device-identity-provisioning/diag/endorsed-csr-unsigned-all.diag

@@ -216,8 +216,7 @@ Table: GET_ENDORSED_CSR VendorDefinedReqPayload {#tbl:ecsr-req}
 | 6                   | Param1              | 1                   | KeyPairID. The value of this field           |
 |                     |                     |                     | shall be the keypair ID identifying          |
 |                     |                     |                     | the desired asymmetric key pair for          |
-|                     |                     |                     | which the CSR should be issued. if 0xFF      |
-|                     |                     |                     | returns a list of all availabe CSRs          |
+|                     |                     |                     | which the CSR should be issued.              |
 +---------------------+---------------------+---------------------+----------------------------------------------+
 | 7                   | Param2              | 1                   | Request Attributes. Shall adhere to          |
 |                     |                     |                     | Table 91 of SPDM 1.3.                        |