Update SignedCorim Sign method to include certificates

Signed-off-by: Akhilesh Kr. Yadav <[email protected]>
veraison · Feb 14, 2025 · ca113db · ca113db
1 parent f0fb974
commit ca113db
Show file tree

Hide file tree

Showing 2 changed files with 53 additions and 20 deletions.
diff --git a/corim/signedcorim.go b/corim/signedcorim.go
@@ -11,6 +11,7 @@ import (
 	"fmt"
 	"strings"
 
+	cbor "github.com/fxamacker/cbor/v2"
 	"github.com/veraison/corim/extensions"
 	cose "github.com/veraison/go-cose"
 )
@@ -28,6 +29,9 @@ type SignedCorim struct {
 	Meta          Meta
 	message       *cose.Sign1Message
 }
+type ProtectedHeader struct {
+	X5Chain [][]byte `cbor:"33,keyasint,omitempty"`
+}
 
 // NewSignedCorim instantiates an empty SignedCorim
 func NewSignedCorim() *SignedCorim {
@@ -127,13 +131,16 @@ func (o *SignedCorim) FromCOSE(buf []byte) error {
 }
 
 // Sign returns the serialized signed-corim, signed by the supplied cose Signer.
-// The target SignedCorim must have its UnsignedCorim field correctly
-// populated.
-func (o *SignedCorim) Sign(signer cose.Signer) ([]byte, error) {
+// The target SignedCorim must have its UnsignedCorim field correctly populated.
+func (o *SignedCorim) Sign(signer cose.Signer, leafCert, intermediateCert []byte) ([]byte, error) {
 	if signer == nil {
 		return nil, errors.New("nil signer")
 	}
 
+	if leafCert == nil || intermediateCert == nil {
+		return nil, errors.New("nil certs")
+	}
+
 	if err := o.UnsignedCorim.Valid(); err != nil {
 		return nil, fmt.Errorf("failed validation of unsigned CoRIM: %w", err)
 	}
@@ -157,9 +164,19 @@ func (o *SignedCorim) Sign(signer cose.Signer) ([]byte, error) {
 		return nil, errors.New("signer has no algorithm")
 	}
 
+	protectedHeaders := ProtectedHeader{
+		X5Chain: [][]byte{leafCert, intermediateCert},
+	}
+
+	protectedHeadersCBOR, err := cbor.Marshal(protectedHeaders)
+	if err != nil {
+		return nil, fmt.Errorf("failed CBOR encoding of protected headers: %w", err)
+	}
+
 	o.message.Headers.Protected.SetAlgorithm(alg)
 	o.message.Headers.Protected[cose.HeaderLabelContentType] = ContentType
 	o.message.Headers.Protected[HeaderLabelCorimMeta] = metaCBOR
+	o.message.Headers.Protected[33] = protectedHeadersCBOR
 
 	err = o.message.Sign(rand.Reader, NoExternalData, signer)
 	if err != nil {

diff --git a/corim/signedcorim_test.go b/corim/signedcorim_test.go
@@ -441,7 +441,11 @@ func TestSignedCorim_SignVerify_ok(t *testing.T) {
 		SignedCorimIn.UnsignedCorim = *unsignedCorimFromCBOR(t, testGoodUnsignedCorimCBOR)
 		SignedCorimIn.Meta = *metaGood(t)
 
-		cbor, err := SignedCorimIn.Sign(signer)
+		// WIP
+		leafCert := []byte("leaf certificate")
+		intermediateCert := []byte("intermediate certificate")
+
+		cbor, err := SignedCorimIn.Sign(signer, leafCert, intermediateCert)
 		assert.Nil(t, err)
 
 		var SignedCorimOut SignedCorim
@@ -467,8 +471,12 @@ func TestSignedCorim_SignVerify_fail_tampered(t *testing.T) {
 
 	SignedCorimIn.UnsignedCorim = *unsignedCorimFromCBOR(t, testGoodUnsignedCorimCBOR)
 
-	cbor, err := SignedCorimIn.Sign(signer)
-	assert.Nil(t, err)
+		// WIP
+		leafCert := []byte("leaf certificate")
+		intermediateCert := []byte("intermediate certificate")
+
+		cbor, err := SignedCorimIn.Sign(signer, leafCert, intermediateCert)
+		assert.Nil(t, err)
 
 	var SignedCorimOut SignedCorim
 
@@ -491,30 +499,38 @@ func TestSignedCorim_SignVerify_fail_tampered(t *testing.T) {
 }
 
 func TestSignedCorim_Sign_fail_bad_corim(t *testing.T) {
-	signer, err := NewSignerFromJWK(testES256Key)
-	require.NoError(t, err)
+    signer, err := NewSignerFromJWK(testES256Key)
+    require.NoError(t, err)
 
-	var SignedCorimIn SignedCorim
+    var SignedCorimIn SignedCorim
+
+    emptyCorim := NewUnsignedCorim()
+    require.NotNil(t, emptyCorim)
 
-	emptyCorim := NewUnsignedCorim()
-	require.NotNil(t, emptyCorim)
+    SignedCorimIn.UnsignedCorim = *emptyCorim
 
-	SignedCorimIn.UnsignedCorim = *emptyCorim
+    // wip
+    leafCert := []byte("leaf certificate")
+    intermediateCert := []byte("intermediate certificate")
 
-	_, err = SignedCorimIn.Sign(signer)
-	assert.EqualError(t, err, "failed validation of unsigned CoRIM: empty id")
+    _, err = SignedCorimIn.Sign(signer, leafCert, intermediateCert)
+    assert.EqualError(t, err, "failed validation of unsigned CoRIM: empty id")
 }
 
 func TestSignedCorim_Sign_fail_no_signer(t *testing.T) {
-	var SignedCorimIn SignedCorim
+    var SignedCorimIn SignedCorim
+
+    emptyCorim := NewUnsignedCorim()
+    require.NotNil(t, emptyCorim)
 
-	emptyCorim := NewUnsignedCorim()
-	require.NotNil(t, emptyCorim)
+    SignedCorimIn.UnsignedCorim = *emptyCorim
 
-	SignedCorimIn.UnsignedCorim = *emptyCorim
+    // wip
+    leafCert := []byte("leaf certificate")
+    intermediateCert := []byte("intermediate certificate")
 
-	_, err := SignedCorimIn.Sign(nil)
-	assert.EqualError(t, err, "nil signer")
+    _, err := SignedCorimIn.Sign(nil, leafCert, intermediateCert)
+    assert.EqualError(t, err, "nil signer")
 }
 
 func TestSignedCorim_extensions(t *testing.T) {