From d12f9400178fd4818fb9f2abaf88c3679c879967 Mon Sep 17 00:00:00 2001 From: Yogesh Deshpande Date: Thu, 14 Dec 2023 07:40:11 -0500 Subject: [PATCH] Refactor `cocli` documentation Fixes #102 
Signed-off-by: Yogesh Deshpande --- cocli/COMID.md | 129 +++++ cocli/CORIM.md | 184 +++++++ cocli/COTS.md | 122 +++++ cocli/README.md | 477 ++---------------- cocli/cmd/cotsCreate.go | 12 +- cocli/cmd/cotsCreate_test.go | 14 +- cocli/data/comid/comid-dice-refval.cbor | Bin 0 -> 224 bytes .../templates/comid-cca-mult-refval.json | 0 .../templates/comid-cca-refval.json | 0 .../templates/comid-dice-refval.json | 0 .../templates/comid-psa-iakpub.json | 0 .../templates/comid-psa-integ-iakpub.json | 0 .../templates/comid-psa-refval.json | 0 cocli/data/corim/corim-full.cbor | Bin 0 -> 436 bytes .../corim/signed-corim-bad-signature.cbor | Bin 0 -> 922 bytes cocli/data/corim/signed-corim.cbor | Bin 0 -> 603 bytes .../data/{ => corim}/templates/corim-cca.json | 0 .../{ => corim}/templates/corim-full.json | 0 .../{ => corim}/templates/corim-mini.json | 0 .../data/{ => corim}/templates/meta-full.json | 0 .../data/{ => corim}/templates/meta-mini.json | 0 cocli/data/corim/unsigned-corim.cbor | Bin 0 -> 436 bytes cocli/data/cots/namedtastore.cbor | Bin 0 -> 766 bytes cocli/data/cots/rubbish.cbor | Bin 0 -> 1078 bytes .../{ => templates}/claims/exclclaim.json | 0 .../{ => templates}/claims/permclaim.json | 0 .../data/cots/{ => templates}/env/comid.json | 0 .../data/cots/{ => templates}/env/coswid.json | 0 .../{ => templates}/env/namedtastore.json | 0 .../data/cots/{ => templates}/env/vendor.json | 0 .../cots/{ => templates}/env/vendor2.json | 0 .../cots/{ => templates}/env/vendors.json | 0 cocli/data/cots/vendor.cbor | Bin 0 -> 674 bytes 33 files changed, 508 insertions(+), 430 deletions(-) create mode 100644 cocli/COMID.md create mode 100644 cocli/CORIM.md create mode 100644 cocli/COTS.md create mode 100644 cocli/data/comid/comid-dice-refval.cbor rename cocli/data/{ => comid}/templates/comid-cca-mult-refval.json (100%) rename cocli/data/{ => comid}/templates/comid-cca-refval.json (100%) rename cocli/data/{ => comid}/templates/comid-dice-refval.json (100%) rename cocli/data/{ => 
comid}/templates/comid-psa-iakpub.json (100%) rename cocli/data/{ => comid}/templates/comid-psa-integ-iakpub.json (100%) rename cocli/data/{ => comid}/templates/comid-psa-refval.json (100%) create mode 100644 cocli/data/corim/corim-full.cbor create mode 100644 cocli/data/corim/signed-corim-bad-signature.cbor create mode 100644 cocli/data/corim/signed-corim.cbor rename cocli/data/{ => corim}/templates/corim-cca.json (100%) rename cocli/data/{ => corim}/templates/corim-full.json (100%) rename cocli/data/{ => corim}/templates/corim-mini.json (100%) rename cocli/data/{ => corim}/templates/meta-full.json (100%) rename cocli/data/{ => corim}/templates/meta-mini.json (100%) create mode 100644 cocli/data/corim/unsigned-corim.cbor create mode 100644 cocli/data/cots/namedtastore.cbor create mode 100644 cocli/data/cots/rubbish.cbor rename cocli/data/cots/{ => templates}/claims/exclclaim.json (100%) rename cocli/data/cots/{ => templates}/claims/permclaim.json (100%) rename cocli/data/cots/{ => templates}/env/comid.json (100%) rename cocli/data/cots/{ => templates}/env/coswid.json (100%) rename cocli/data/cots/{ => templates}/env/namedtastore.json (100%) rename cocli/data/cots/{ => templates}/env/vendor.json (100%) rename cocli/data/cots/{ => templates}/env/vendor2.json (100%) rename cocli/data/cots/{ => templates}/env/vendors.json (100%) create mode 100644 cocli/data/cots/vendor.cbor diff --git a/cocli/COMID.md b/cocli/COMID.md new file mode 100644 index 00000000..50ea1db2 --- /dev/null +++ b/cocli/COMID.md 
@@ -0,0 +1,129 @@ + +# CoMIDs manipulation + +The `comid` subcommand allows you to create, display and validate CoMIDs. + +## Create + +Use the `comid create` subcommand to create a CBOR-encoded CoMID, passing its +JSON representation via the `--template` switch (or equivalently its `-t` shorthand): + +* Please inspect `comid` JSON templates as examples under `data/comid/templates` `comid-*.json` + +``` +$ cocli comid create --template data/comid/templates/comid-dice-refval.json +``` +On success, you should see something like the following printed to stdout: +``` +>> created "comid-dice-refval.cbor" from "comid-dice-refval.json" +``` + +The CBOR-encoded CoMID file is stored in the current working directory with a +name derived from its template. If you want, you can specify a different +target directory using the `--output-dir` command line switch (abbrev. `-o`) +``` +$ cocli comid create --template data/comid/templates/comid-dice-refval.json --output-dir /tmp +>> created "/tmp/comid-dice-refval.cbor" from "comid-dice-refval.json" +``` +Note that the output directory, as well as all its parent directories, MUST +pre-exist. + +You can also create multiple CoMIDs in one go. Suppose all your templates are +stored in the `templates/` folder: +``` +$ tree templates/ +templates/ +├── comid-dice-refval1.json +├── comid-dice-refval2.json +... +└── comid-dice-refvaln.json +``` +Then, you can use the `--template-dir` (abbrev. `-T`), and let the tool load, +validate, and CBOR-encode the templates one by one: +``` +$ cocli comid create --template-dir templates +>> created "comid-dice-refval1.cbor" from "templates/comid-dice-refval1.json" +>> created "comid-dice-refval2.cbor" from "templates/comid-dice-refval2.json" +... 
+>> created "comid-dice-refvaln.cbor" from "templates/comid-dice-refvaln.json" +``` + +You can specify both the `-T` and `-t` switches as many times as needed, and +even combine them in one invocation: +``` +$ cocli comid create -T comid-templates/ \ + -T comid-templates-aux/ \ + -t extra-comid.json \ + -t yet-another-comid.json \ + -o /var/spool/comid +``` + +**NOTE** that since the output file name is deterministically generated from the +template file name, all the template files (when from different directories) +MUST have different base names. + + +## Display + +Use the `comid display` subcommand to print to stdout one or more CBOR-encoded +CoMIDs in human readable (JSON) format. + +You can supply individual files using the `--file` switch (abbrev. `-f`), or +directories that may (or may not) contain CoMID files using the `--dir` switch +(abbrev. `-d`). Only valid CoMIDs will be displayed, and any decoding or +validation error will be printed alongside the corresponding file name. + +For example: +``` +$ cocli comid display --file data/comid/comid-dice-refval.cbor +``` +provided the `comid-dice-refval.cbor` file contains valid CoMID, would print something like: +``` +>> [comid-dice-refval.cbor] +{ + "tag-identity": { + "id": "1d5a8c7c-1c70-4c56-937e-3c5713ae5a83" + }, + "triples": {} +[...] +} +``` +While a `data/comid/` folder with the following contents: +``` +$ tree data/comid/ +data/comid/ +├── rubbish.cbor +├── 1.cbor +└── 2.cbor +``` +could be inspected in one go using: +``` +$ cocli comid display --dir data/comid/ +``` +which would output something like: +``` +>> failed displaying "comids.d/rubbish.cbor": CBOR decoding failed: EOF +>> [data/comid/1.cbor] +{ + "tag-identity": { + "id": "43bbe37f-2e61-4b33-aed3-53cff1428b16" + }, +[...] +} +>> [data/comid/2.cbor] +{ + "tag-identity": { + "id": "366d0a0a-5988-45ed-8488-2f2a544f6242" + }, +[...] 
+} +Error: 1/3 display(s) failed +``` + +One of more files and directories can be supplied in the same invocation, e.g.: +``` +$ cocli comid display -f m1.cbor \ + -f comids.d/m2.cbor \ + -d /var/spool/comids \ + -d yet-another-comid-folder/ +``` \ No newline at end of file diff --git a/cocli/CORIM.md b/cocli/CORIM.md new file mode 100644 index 00000000..fdd40255 --- /dev/null +++ b/cocli/CORIM.md 
@@ -0,0 +1,184 @@ +# CoRIMs manipulation + +The `corim` subcommand allows you to create, display, sign, verify CoRIMs or submit +a CoRIM using the [Veraison provisioning API](https://github.com/veraison/docs/tree/main/api/endorsement-provisioning). +It also provides a means to extract as-is the embedded CoSWIDs, CoMIDs and CoTSs and save +them as separate files. + +## Create + +Use the `corim create` subcommand to create a CBOR-encoded, unsigned CoRIM, by +passing its JSON representation via the `--template` switch (or equivalently its `-t` shorthand) +together with the CBOR-encoded CoMIDs, CoSWIDs and/or CoTS to be embedded. + +* Please inspect `corim` JSON templates as examples under `data/corim/templates` `corim-*.json` + +``` +$ cocli corim create --template data/corim/templates/corim-full.json --comid data/comid/comid-dice-refval.cbor --coswid data/coswid/1.cbor --cots data/cots/vendor.cbor +``` +On success, you should see something like the following printed to stdout: +``` +>> created "corim-full.cbor" from "corim-full.json" +``` + +The CBOR-encoded CoRIM file is stored in the current working directory with a +name derived from its template. If you want, you can specify a different +file name using the `--output` command line switch (abbrev. `-o`): +``` +$ cocli corim create -t data/corim/templates/corim-full.json -m data/comid/comid-dice-refval.cbor -s data/coswid/1.cbor -c data/cots/c1.cbor -o unsigned-corim.cbor +>> created "unsigned-corim.cbor" from "corim-full.json" +``` + +CoMIDs, CoSWIDs and CoTSs can be either supplied as individual files, using the +`--comid` (abbrev. `-m`), `--coswid` (abbrev. `-s`) and `--cots` (abbrev. `-c`) switches respectively, or +as "per-folder" blocks using the `--comid-dir` (abbrev. `-M`), `--coswid-dir` and `--cots-dir` +(abbrev. `-C`) switch. 
For example: +``` +$ cocli corim create --template data/corim/templates/corim-full.json --comid-dir data/comid/cbor/ +``` + +Creation will fail if *any* of the inputs is non conformant. For example, if +`data/comid/cbor/` contains an invalid CoMID file `rubbish.cbor`, an attempt to create a +CoRIM: +``` +$ cocli corim create -t data/corim/templates/corim-full.json -M data/comid/cbor/ +``` +will fail with: +``` +Error: error loading CoMID from data/comid/cbor/rubbish.cbor: EOF +``` + +## Sign + +Use the `corim sign` subcommand to cryptographically seal the unsigned CoRIM +supplied via the `--file` switch (abbrev. `-f`). The signature is produced +using the key supplied via the `--key` switch (abbrev. `-k`), which is expected +to be in [JWK](https://www.rfc-editor.org/rfc/rfc7517) format. On success, the +resulting COSE Sign1 payload is saved to file whose name can be controlled using +the `--output` switch (abbrev. `-o`). A CoRIM Meta template in JSON format must +also be provided using the `--meta` switch (abbrev.`-m`). + +* Please inspect the `data/corim/templates` directory for `meta` JSON templates. + +For example, with the default output file: +``` +$ cocli corim sign --file corim.cbor --key ec-p256.jwk --meta meta.json +>> "corim.cbor" signed and saved to "signed-corim.cbor" +``` +Or, the same but with a custom output file: +``` +$ cocli corim sign --file data/corim/corim-full.cbor \ + --key data/keys/ec-p256.jwk \ + --meta data/corim/templates/meta-full.json \ + --output /var/spool/signed-corim.cbor +>> "corim-full.cbor" signed and saved to "/var/spool/signed-corim.cbor" +``` + +## Verify + +Use the `corim verify` subcommand to cryptographically verify the signed CoRIM +supplied via the `--file` switch (abbrev. `-f`). The signature is checked +using the key supplied via the `--key` switch (abbrev. `-k`), which is expected +to be in [JWK](https://www.rfc-editor.org/rfc/rfc7517) format. 
For example: +``` +$ cocli corim verify --file data/corim/signed-corim.cbor --key data/keys/ec-p256.jwk +>> "signed-corim.cbor" verified +``` + +Verification can fail either because the cryptographic processing fails or +because the signed payload or protected headers are themselves invalid. For example: +``` +$ cocli corim verify --file data/corim/signed-corim-bad-signature.cbor --key data/keys/ec-p256.jwk +``` +will give +``` +Error: error verifying signed-corim-bad-signature.cbor with key ec-p256.jwk: verification failed ecdsa.Verify +``` + +## Display + +Use the `corim display` subcommand to print to stdout a signed CoRIM in human +readable (JSON) format. + +You must supply the file you want to display using the `--file` switch (abbrev. +`-f`). Only a valid CoRIM will be displayed, and any occurring decoding or +validation errors will be printed instead. + +The output has two logical sections: one for Meta and one for the (unsigned) +CoRIM: +``` +$ cocli corim display --file data/corim/signed-corim.cbor +Meta: +{ + "signer": { + "name": "ACME Ltd signing key", + "uri": "https://acme.example/signing-key.pub" + }, +[...] +} +Corim: +{ + "corim-id": "5c57e8f4-46cd-421b-91c9-08cf93e13cfc", + "tags": [ + "2QH...", +[...] + ] +} +``` + +By default, the embedded CoMID, CoSWID and CoTS tags are not expanded, and what you +will see is the base64 encoding of their CBOR serialisation. If you want to +peek at the tags' content, supply the `--show-tags` (abbrev. `-v`) switch, which +will add a further Tags section with one entry per each expanded tag: +``` +$ cocli corim display --file data/corim/signed-corim.cbor --show-tags +Meta: +{ +[...] +} +Corim: +{ +[...] +} +Tags: +>> [ 0 ] +{ + "tag-identity": { + "id": "366d0a0a-5988-45ed-8488-2f2a544f6242" + }, +[...] +} +>> [ 1 ] +{ + "tag-identity": { + "id": "43bbe37f-2e61-4b33-aed3-53cff1428b16" + }, +[...] +} +>> [ 2 ] +{ + "tag-id": "com.acme.rrd2013-ce-sp1-v4-1-5-0", +[...] 
+} +``` + +## Extract CoSWIDs, CoMIDs and CoTSs + +Use the `corim extract` subcommand to extract the embedded CoMIDs, CoSWIDs and CoTSs +from a signed CoRIM. + +You must supply a signed CoRIM file using the `--file` switch (abbrev. `-f`) and +an optional output folder (default is the current working directory) using the +`--output-dir` switch (abbrev. `-o`). Make sure that the output directory as +well as any parent folder exists prior to issuing the command. + +On success, the found CoMIDs, CoSWIDs, CoTS are saved in CBOR format: +``` +$ cocli corim extract --file data/corim/signed-corim.cbor --output-dir output.d/ +$ tree output.d/ +output.d/ +├── 000000-comid.cbor +├── 000001-comid.cbor +├── 000002-coswid.cbor +└── 000003-cots.cbor +``` \ No newline at end of file diff --git a/cocli/COTS.md b/cocli/COTS.md new file mode 100644 index 00000000..fc094820 --- /dev/null +++ b/cocli/COTS.md 
@@ -0,0 +1,122 @@ + +## CoTSs manipulation + +The `cots` subcommand allows you to create, display and validate CoTSs. + +### Create + +Use the `cots create` subcommand to create a CBOR-encoded CoTS. The `environment` switch takes in a JSON template specifiying the environments that are valid for the keys specified and the `tas` switch takes in a directory of trust anchors files: + +* Please inspect `data/cots/templates` JSON templates as examples for `environment` and `claims` + + +``` +$ cocli cots create --environment data/cots/env/vendor.json --tafile data/cots/shared_ta.ta +``` +On success, you should see something like the following printed to stdout: +``` +>> created "vendor.cbor" +``` + +The CBOR-encoded CoTS file is stored in the current working directory with a +name derived from its environment template. If you want, you can specify a different +target directory and file name using the `--output` command line switch (abbrev. `-o`) +``` +$ cocli cots create --environment data/cots/env/vendor.json --tafile data/cots/shared_ta.ta --output /tmp/myCots.cbor +>> created "/tmp/myCots.cbor" +``` +Note that the output directory, as well as all its parent directories, MUST pre-exist. + +### Display + +Use the `cots display` subcommand to print to stdout one or more CBOR-encoded +CoTSs in human readable (JSON) format. + +You can supply individual files using the `--file` switch (abbrev. `-f`), or +directories that may (or may not) contain CoTS files using the `--dir` switch +(abbrev. `-d`). Only valid CoTSs will be displayed, and any decoding or +validation error will be printed alongside the corresponding file name. + +For example: +``` +$ cocli cots display --file vendor.cbor +``` +provided the `vendor.cbor` file contains valid CoTS, would print something like: +``` +>> [vendor.cbor] +{ + "environments": [ + { + "environment": { + "class": { + "vendor": "Zesty Hands, Inc." 
+ } + } + } + ], + "keys": { + "tas": [ + { + "format": 1, + "data": "ooICejCCAnYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATjUaoQOSQHpL0DfKC8EVTQ5wHwZ085yyxPkhBpLOu+7B0nl33FYWV1Hg4je/37FTbpmohFkUKWYd81z8C/K1DMBBQBXEXJrLBGKnFd1xCgeMAVSfEBPzCCAgEwPjELMAkGA1UEBgwCVVMxEDAOBgNVBAoMB0V4YW1wbGUxHTAbBgNVBAMMFEV4YW1wbGUgVHJ1c3QgQW5jaG9yoIIBvTCCAWSgAwIBAgIVANCdkL89UlzHc9Ui7XfVniK7pFuIMAoGCCqGSM49BAMCMD4xCzAJBgNVBAYMAlVTMRAwDgYDVQQKDAdFeGFtcGxlMR0wGwYDVQQDDBRFeGFtcGxlIFRydXN0IEFuY2hvcjAeFw0yMjA1MTkxNTEzMDdaFw0zMjA1MTYxNTEzMDdaMD4xCzAJBgNVBAYMAlVTMRAwDgYDVQQKDAdFeGFtcGxlMR0wGwYDVQQDDBRFeGFtcGxlIFRydXN0IEFuY2hvcjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABONRqhA5JAekvQN8oLwRVNDnAfBnTznLLE+SEGks677sHSeXfcVhZXUeDiN7/fsVNumaiEWRQpZh3zXPwL8rUMyjPzA9MB0GA1UdDgQWBBQBXEXJrLBGKnFd1xCgeMAVSfEBPzALBgNVHQ8EBAMCAoQwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBEAiALBidABsfpzG0lTL9Eh9b6AUbqnzF+koEZbgvppvvt9QIgVoE+bhEN0j6wSPzePjLrEdD+PEgyjHJ5rbA11SPq/1M=" + } + ] + } +} + +``` +While a `data/cots` folder with the following contents: +``` +$ tree cots/ +cots/ +├── rubbish.cbor +├── namedtastore.cbor +├── vendor.cbor +``` +could be inspected in one go using: +``` +$ cocli cots display --dir data/cots/ +``` +which would output something like: +``` +>> [data/cots/namedtastore.cbor] +{ + "environments": [ + { + "namedtastore": "Miscellaneous TA Store" + } + ], + "keys": { + "tas": [ + { + "format": 1, + "data": "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" + } + ] + } +} +>> failed displaying "data/cots/rubbish.cbor": CBOR decoding failed: cbor: cannot unmarshal primitives into Go value of type cots.ConciseTaStore +>> [data/cots/vendor.cbor] +{ + "environments": [ + { + "environment": { + "class": { + "vendor": "Zesty Hands, Inc." + } + } + } + ], + "keys": { + "tas": [ + { + "format": 1, + "data": "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" + } + ] + } +} + +Note: One of more files and directories can be supplied in the same invocation, using -f and -d directive: + +``` 
diff --git a/cocli/README.md b/cocli/README.md index 28c1395b..4f3e3fce 100644 --- a/cocli/README.md +++ b/cocli/README.md 
@@ -19,408 +19,68 @@ To get a list of the supported shells, do: ``` $ cocli completion --help ``` +# CoRIM Handling +A CoRIM consists of either one or more CoMID and/or CoSWID and/or CoTS. The below +picture and instructions provides a step by step approach to handle CoRIMs. + +``` mermaid +flowchart TD + subgraph CORIM["CoRIM"] + subgraph CoMID["\n"] + CM1["CoMID-1"] + CM2["CoMID-2"] + + CM3["CoMID-N"] + CM4["COMID COMMANDS \n cocli comid create \n cocli comid display"] + CM1 -.- CM2 + CM2 -.- CM3 + CM3 -.- CM4 + end + subgraph CoMID["Blank1"] + CSW1["CoSWID-1"] + CSW2["CoSWID-2"] + CSW3["CoSWID-N"] + + CSW1 -.- CSW2 + CSW2 -.- CSW3 + + end + + subgraph CoMID["Blank3"] + CS1["CoTS-1"] + CS2["CoTS-2"] + + CS3["CoTS-N"] + CS4["COTS COMMANDS \n cocli cots create \n cocli cots display"] + CS1 -.- CS2 + + CS2 -.- CS3 + CS3 -.- CS4 + end +end +CORIM ---> CMD +subgraph CMD["CORIM COMMANDS \n + 1.cocli corim create \n 2.cocli corim display \n 3.cocli corim sign \n4.cocli corim verify\n5.cocli corim extract\n 6.cocli corim submit"] +end -## CoMIDs manipulation - -The `comid` subcommand allows you to create, display and validate CoMIDs. - -### Create - -Use the `comid create` subcommand to create a CBOR-encoded CoMID, passing its -JSON representation[1](#templates-ex) via the `--template` switch (or -equivalently its `-t` shorthand): -``` -$ cocli comid create --template t1.json -``` -On success, you should see something like the following printed to stdout: -``` ->> created "t1.cbor" from "t1.json" -``` - -The CBOR-encoded CoMID file is stored in the current working directory with a -name derived from its template. If you want, you can specify a different -target directory using the `--output-dir` command line switch (abbrev. `-o`) -``` -$ cocli comid create --template t1.json --output-dir /tmp ->> created "/tmp/t1.cbor" from "t1.json" -``` -Note that the output directory, as well as all its parent directories, MUST -pre-exist. 
- -You can also create multiple CoMIDs in one go. Suppose all your templates are -stored in the `templates/` folder: -``` -$ tree templates/ -templates/ -├── t1.json -├── t2.json -... -└── tn.json -``` -Then, you can use the `--template-dir` (abbrev. `-T`), and let the tool load, -validate, and CBOR-encode the templates one by one: -``` -$ cocli comid create --template-dir templates ->> created "t1.cbor" from "templates/t1.json" ->> created "t2.cbor" from "templates/t2.json" -... ->> created "tn.cbor" from "templates/tn.json" -``` - -You can specify both the `-T` and `-t` switches as many times as needed, and -even combine them in one invocation: -``` -$ cocli comid create -T comid-templates/ \ - -T comid-templates-aux/ \ - -t extra-comid.json \ - -t yet-another-comid.json \ - -o /var/spool/comid -``` - -**NOTE** that since the output file name is deterministically generated from the -template file name, all the template files (when from different directories) -MUST have different base names. - - -### Display - -Use the `comid display` subcommand to print to stdout one or more CBOR-encoded -CoMIDs in human readable (JSON) format. - -You can supply individual files using the `--file` switch (abbrev. `-f`), or -directories that may (or may not) contain CoMID files using the `--dir` switch -(abbrev. `-d`). Only valid CoMIDs will be displayed, and any decoding or -validation error will be printed alongside the corresponding file name. - -For example: -``` -$ cocli comid display --file m1.cbor -``` -provided the `m1.cbor` file contains valid CoMID, would print something like: -``` ->> [m1.cbor] -{ - "lang": "en-GB", - "tag-identity": { - "id": "43bbe37f-2e61-4b33-aed3-53cff1428b16" - }, - "entities": [ - { - "name": "ACME Ltd.", - "regid": "https://acme.example", - "roles": [ - "tagCreator", - "creator", - "maintainer" - ] - } -[...] 
-``` -While a `comids.d` folder with the following contents: -``` -$ tree comids.d/ -comids.d/ -├── rubbish.cbor -├── valid-comid-1.cbor -└── valid-comid-2.cbor -``` -could be inspected in one go using: -``` -$ cocli comid display --dir comids.d/ -``` -which would output something like: -``` ->> failed displaying "comids.d/rubbish.cbor": CBOR decoding failed: EOF ->> [comids.d/valid-comid-1.cbor] -{ - "tag-identity": { - "id": "43bbe37f-2e61-4b33-aed3-53cff1428b16" - }, -[...] -} ->> [comids.d/valid-comid-2.cbor] -{ - "tag-identity": { - "id": "366d0a0a-5988-45ed-8488-2f2a544f6242" - }, -[...] -} -Error: 1/3 display(s) failed ``` -One of more files and directories can be supplied in the same invocation, e.g.: -``` -$ cocli comid display -f m1.cbor \ - -f comids.d/m2.cbor \ - -d /var/spool/comids \ - -d yet-another-comid-folder/ -``` +## CoMIDs manipulation +The instructions to manipulate CoMIDs are documented [here](COMID.md) ## CoTSs manipulation +The instructions to manipulate CoTSs are documented [here](COTS.md) -The `cots` subcommand allows you to create, display and validate CoTSs. - -### Create - -Use the `cots create` subcommand to create a CBOR-encoded CoTS. The `environment` switch takes in a JSON template specifiying the environments that are valid for the keys specified and the `tas` switch takes in a directory of trust anchors files: -``` -$ cocli cots create --environment c1.json --tas tas_dir -``` -On success, you should see something like the following printed to stdout: -``` ->> created "c1.cbor" -``` - -The CBOR-encoded CoTS file is stored in the current working directory with a -name derived from its environment template. If you want, you can specify a different -target directory and file name using the `--output` command line switch (abbrev. 
`-o`) -``` -$ cocli cots create --environment c1.json --tas tas_dir --output /tmp/myCots.cbor ->> created "/tmp/myCots.cbor" -``` -Note that the output directory, as well as all its parent directories, MUST pre-exist. - -### Display - -Use the `cots display` subcommand to print to stdout one or more CBOR-encoded -CoTSs in human readable (JSON) format. - -You can supply individual files using the `--file` switch (abbrev. `-f`), or -directories that may (or may not) contain CoTS files using the `--dir` switch -(abbrev. `-d`). Only valid CoTSs will be displayed, and any decoding or -validation error will be printed alongside the corresponding file name. - -For example: -``` -$ cocli cots display --file c1.cbor -``` -provided the `c1.cbor` file contains valid CoTS, would print something like: -``` ->> [c1.cbor] -{ - "tag-identity": { - "id": "ab0f44b1-bfdc-4604-ab4a-30f80407ebcc", - "version": 5 - }, - "environments": [ - { - "environment": { - "class": { - "vendor": "Worthless Sea, Inc." - } - } - } - ], - "keys": { - "tas": [ - { - "format": 2, - "data": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAErYoMAdqe2gJT3CvCcifZxyE9+N8T6Jy5zbeo5LYtnOipmi1wXA9/gNtlwAbRCRQitH/GEcvUaGlzPZxIOITV/g==" - } - ] - } -} -``` -While a `cots` folder with the following contents: -``` -$ tree cots/ -cots/ -├── rubbish.cbor -├── valid-cots-1.cbor -├── valid-cots-2.cbor -``` -could be inspected in one go using: -``` -$ cocli cots display --dir cots/ -``` -which would output something like: -``` ->> failed displaying "cots/rubbish.cbor": CBOR decoding failed: EOF ->> [cots/valid-cots-1.cbor] -{ - "tag-identity": { - "id": "43bbe37f-2e61-4b33-aed3-53cff1428b16" - }, -[...] -} ->> [cots/valid-cots-2.cbor] -{ - "tag-identity": { - "id": "ab0f44b1-bfdc-4604-ab4a-30f80407ebcc" - }, -[...] 
-} -Error: 1/3 display(s) failed -``` - -One of more files and directories can be supplied in the same invocation, e.g.: -``` -$ cocli cots display -f c1.cbor \ - -f cots/c2.cbor \ - -d /var/spool/cots \ - -d yet-another-cots-folder/ -``` - +## CoSWID manipulation +Tooling to manipulate `CoSWID` is not currently available under Project Veraison. +However CoSWID can be part of CoRIM by constructing CoSWID CBOR by other indistry available +tools such as [swid-tools](https://github.com/usnistgov/swid-tools) and including them +as mentioned under [CORIM Construction](CORIM.md) ## CoRIMs manipulation +The instructions to manipulate CoRIMs are documented [here](CORIM.md) -The `corim` subcommand allows you to create, display, sign, verify CoRIMs or submit -a CoRIM using the [Veraison provisioning API](https://github.com/veraison/docs/tree/main/api/endorsement-provisioning). -It also provides a means to extract as-is the embedded CoSWIDs, CoMIDs and CoTSs and save -them as separate files. - -### Create - -Use the `corim create` subcommand to create a CBOR-encoded, unsigned CoRIM, by -passing its JSON representation[1](#templates-ex) via the -`--template` switch (or equivalently its `-t` shorthand) together with the -CBOR-encoded CoMIDs, CoSWIDs and/or CoTS to be embedded. For example: -``` -$ cocli corim create --template c1.json --comid m1.cbor --coswid s1.cbor --cots c1.cbor -``` -On success, you should see something like the following printed to stdout: -``` ->> created "c1.cbor" from "c1.json" -``` - -The CBOR-encoded CoRIM file is stored in the current working directory with a -name derived from its template. If you want, you can specify a different -file name using the `--output` command line switch (abbrev. `-o`): -``` -$ cocli corim create -t r1.json -m m1.cbor -s s1.cbor -c c1.cbor -o my.cbor ->> created "my.cbor" from "r1.json" -``` - -CoMIDs, CoSWIDs and CoTSs can be either supplied as individual files, using the -`--comid` (abbrev. `-m`), `--coswid` (abbrev. 
`-s`) and `--cots` (abbrev. `-c`) switches respectively, or -as "per-folder" blocks using the `--comid-dir` (abbrev. `-M`), `--coswid-dir` and `--cots-dir` -(abbrev. `-C`) switch. For example: -``` -$ cocli corim create --template c1.json --comid-dir comids.d/ -``` - -Creation will fail if *any* of the inputs is non conformant. For example, if -`comids.d` contains an invalid CoMID file `rubbish.cbor`, an attempt to create a -CoRIM: -``` -$ cocli corim create -t c1.json -M comids.d/ -``` -will fail with: -``` -Error: error loading CoMID from comids.d/rubbish.cbor: EOF -``` - -### Sign - -Use the `corim sign` subcommand to cryptographically seal the unsigned CoRIM -supplied via the `--file` switch (abbrev. `-f`). The signature is produced -using the key supplied via the `--key` switch (abbrev. `-k`), which is expected -to be in [JWK](https://www.rfc-editor.org/rfc/rfc7517) format. On success, the -resulting COSE Sign1 payload is saved to file whose name can be controlled using -the `--output` switch (abbrev. `-o`). A CoRIM Meta[1](#templates-ex) -template in JSON format must also be provided using the `--meta` switch (abbrev. -`-m`). For example, with the default output file: -``` -$ cocli corim sign --file corim.cbor --key ec-p256.jwk --meta meta.json ->> "corim.cbor" signed and saved to "signed-corim.cbor" -``` -Or, the same but with a custom output file: -``` -$ cocli corim sign --file corim.cbor \ - --key ec-p256.jwk \ - --meta meta.json \ - --output /var/spool/signed-corim.cbor ->> "corim.cbor" signed and saved to "/var/spool/signed-corim.cbor" -``` - -### Verify - -Use the `corim verify` subcommand to cryptographically verify the signed CoRIM -supplied via the `--file` switch (abbrev. `-f`). The signature is checked -using the key supplied via the `--key` switch (abbrev. `-k`), which is expected -to be in [JWK](https://www.rfc-editor.org/rfc/rfc7517) format. 
For example: -``` -$ cocli corim verify --file signed-corim.cbor --key ec-p256.jwk ->> "corim.cbor" verified -``` - -Verification can fail either because the cryptographic processing fails or -because the signed payload or protected headers are themselves invalid. For example: -``` -$ cocli corim verify --file signed-corim-bad-signature.cbor --key ec-p256.jwk -``` -will give -``` -Error: error verifying signed-corim-bad-signature.cbor with key ec-p256.jwk: verification failed ecdsa.Verify -``` - -### Display - -Use the `corim display` subcommand to print to stdout a signed CoRIM in human -readable (JSON) format. - -You must supply the file you want to display using the `--file` switch (abbrev. -`-f`). Only a valid CoRIM will be displayed, and any occurring decoding or -validation errors will be printed instead. - -The output has two logical sections: one for Meta and one for the (unsigned) -CoRIM: -``` -$ cocli corim display --file signed-corim.cbor -Meta: -{ - "signer": { - "name": "ACME Ltd signing key", - "uri": "https://acme.example/signing-key.pub" - }, -[...] -} -Corim: -{ - "corim-id": "5c57e8f4-46cd-421b-91c9-08cf93e13cfc", - "tags": [ - "2QH...", -[...] - ] -} -``` - -By default, the embedded CoMID, CoSWID and CoTS tags are not expanded, and what you -will see is the base64 encoding of their CBOR serialisation. If you want to -peek at the tags' content, supply the `--show-tags` (abbrev. `-v`) switch, which -will add a further Tags section with one entry per each expanded tag: -``` -$ cocli corim display --file signed-corim.cbor --show-tags -Meta: -{ -[...] -} -Corim: -{ -[...] -} -Tags: ->> [ 0 ] -{ - "tag-identity": { - "id": "366d0a0a-5988-45ed-8488-2f2a544f6242" - }, -[...] -} ->> [ 1 ] -{ - "tag-identity": { - "id": "43bbe37f-2e61-4b33-aed3-53cff1428b16" - }, -[...] -} ->> [ 2 ] -{ - "tag-id": "com.acme.rrd2013-ce-sp1-v4-1-5-0", -[...] 
-} -``` -### Submit +## CoRIM Submission to Veraison Use the `corim submit` subcommand to upload a CoRIM using the Veraison provisioning API. The CoRIM file containing the CoRIM data in CBOR format is supplied via the @@ -430,11 +90,11 @@ Further, it is required to supply the media type of the content via the `--media-type` switch (abbrev. `-m`) ``` $ cocli corim submit \ - --corim-file unsigned-corim.cbor \ + --corim-file data/corim/unsigned-corim.cbor \ --api-server "https://veraison.example/endorsement-provisioning/v1/submit" \ --media-type "application/corim-unsigned+cbor; profile=http://arm.com/psa/iot/1" ->> "corim.cbor" submit ok +>> "unsigned-corim.cbor" submit ok ``` #### Remote Service Authentication @@ -447,33 +107,6 @@ path (usually `~/.config/cocli/config.yaml` on XDG-compliant systems). Please see `./data/config/example-config.yaml` file for details of the configuration that needs to be provided. -### Extract CoSWIDs, CoMIDs and CoTSs - -Use the `corim extract` subcommand to extract the embedded CoMIDs, CoSWIDs and CoTSs -from a signed CoRIM. - -You must supply a signed CoRIM file using the `--file` switch (abbrev. `-f`) and -an optional output folder (default is the current working directory) using the -`--output-dir` switch (abbrev. `-o`). Make sure that the output directory as -well as any parent folder exists prior to issuing the command. - -On success, the found CoMIDs, CoSWIDs, CoTS are saved in CBOR format: -``` -$ cocli corim extract --file signed-corim.cbor --output-dir output.d/ -$ tree output.d/ -output.d/ -├── 000000-comid.cbor -├── 000001-comid.cbor -├── 000002-coswid.cbor -└── 000003-cots.cbor -``` - - - -1: A few examples of CoMID, CoRIM, CoTS, and Meta JSON -templates can be found in the [data/templates](data/templates) folder. - - ## Visual Synopsis of the Available Commands ```mermaid diff --git a/cocli/cmd/cotsCreate.go b/cocli/cmd/cotsCreate.go index eb3c52dd..af44bca9 100644 --- a/cocli/cmd/cotsCreate.go 
+++ b/cocli/cmd/cotsCreate.go @@ -54,6 +54,16 @@ func NewCotsCreateCtsCmd() *cobra.Command { --tas=tas_dir \ --cas=cas_dir \ --output=cots.cbor + + Alternatively one can specify individual TA files (in DER Format) or CA files (binary, DER-encoded X.509 Certificate) + + cocli cots create --environment=env-template.json \ + --purpose=eat \ + --purpose=corim \ + --permclaims=claims-template.json \ + --tafile=tas_dir \ + --cafile=cas_dir \ + --output=cots.cbor `, RunE: func(cmd *cobra.Command, args []string) error { @@ -100,7 +110,7 @@ func NewCotsCreateCtsCmd() *cobra.Command { &cotsCreateCtsTaDirs, "tas", "t", []string{}, "a directory containing binary DER-encoded trust anchor files", ) cmd.Flags().StringArrayVarP( - &cotsCreateCtsTaFiles, "tafile", "", []string{}, "a DER-encoded trust anchor file", + &cotsCreateCtsTaFiles, "tafile", "f", []string{}, "a DER-encoded trust anchor file", ) cmd.Flags().StringArrayVarP( diff --git a/cocli/cmd/cotsCreate_test.go b/cocli/cmd/cotsCreate_test.go index 21eff6a0..8faa976d 100644 --- a/cocli/cmd/cotsCreate_test.go +++ b/cocli/cmd/cotsCreate_test.go @@ -61,7 +61,7 @@ func Test_CotsCreateCtsCmd_too_many_ids(t *testing.T) { "--output=output.cbor", "--uuid", "--id=some_tag_identity", - "--environment=../data/cots/env/vendor.json", + "--environment=../data/cots/templates/env/vendor.json", "--tafile=../data/cots/shared_ta.ta", } cmd.SetArgs(args) @@ -76,7 +76,7 @@ func Test_CotsCreateCtsCmd_invalid_uuid(t *testing.T) { args := []string{ "--output=output.cbor", "--uuid-str=NotAUuid", - "--environment=../data/cots/env/vendor.json", + "--environment=../data/cots/templates/env/vendor.json", "--tafile=../data/cots/shared_ta.ta", } cmd.SetArgs(args) 
@@ -104,7 +104,7 @@ func Test_CotsCreateCtsCmd_loading_permclaims_template_fail(t *testing.T) { args := []string{ "--output=output.cbor", - "--environment=../data/cots/env/vendor.json", + "--environment=../data/cots/templates/env/vendor.json", "--permclaims=nonexistent.json", "--tafile=../data/cots/shared_ta.ta", } @@ -119,7 +119,7 @@ func Test_CotsCreateCtsCmd_loading_exclclaims_template_fail(t *testing.T) { args := []string{ "--output=output.cbor", - "--environment=../data/cots/env/vendor.json", + "--environment=../data/cots/templates/env/vendor.json", "--exclclaims=nonexistent.json", "--tafile=../data/cots/shared_ta.ta", } @@ -134,9 +134,9 @@ func Test_CotsCreateCtsCmd_ok(t *testing.T) { args := []string{ "--output=output.cbor", - "--environment=../data/cots/env/vendor.json", - "--exclclaims=../data/cots/claims/exclclaim.json", - "--permclaims=../data/cots/claims/permclaim.json", + "--environment=../data/cots/templates/env/vendor.json", + "--exclclaims=../data/cots/templates/claims/exclclaim.json", + "--permclaims=../data/cots/templates/claims/permclaim.json", "--tafile=../data/cots/shared_ta.ta", } cmd.SetArgs(args) diff --git a/cocli/data/comid/comid-dice-refval.cbor b/cocli/data/comid/comid-dice-refval.cbor new file mode 100644 index 0000000000000000000000000000000000000000..29a7c2aadd465c9e15367ddb3f9ad97f145feaad GIT binary patch literal 224
diff --git a/cocli/data/corim/signed-corim-bad-signature.cbor b/cocli/data/corim/signed-corim-bad-signature.cbor new file mode 100644 index 0000000000000000000000000000000000000000..8116a8c37173a82225f4d23b70116effd29bace1 GIT binary patch literal 922 diff --git a/cocli/data/templates/corim-cca.json b/cocli/data/corim/templates/corim-cca.json similarity index 100% rename from cocli/data/templates/corim-cca.json rename to cocli/data/corim/templates/corim-cca.json diff --git a/cocli/data/templates/corim-full.json b/cocli/data/corim/templates/corim-full.json similarity index 100% rename from cocli/data/templates/corim-full.json rename to cocli/data/corim/templates/corim-full.json diff --git a/cocli/data/templates/corim-mini.json b/cocli/data/corim/templates/corim-mini.json similarity index 100% rename from cocli/data/templates/corim-mini.json rename to cocli/data/corim/templates/corim-mini.json
diff --git a/cocli/data/templates/meta-full.json b/cocli/data/corim/templates/meta-full.json similarity index 100% rename from cocli/data/templates/meta-full.json rename to cocli/data/corim/templates/meta-full.json diff --git a/cocli/data/templates/meta-mini.json b/cocli/data/corim/templates/meta-mini.json similarity index 100% rename from cocli/data/templates/meta-mini.json rename to cocli/data/corim/templates/meta-mini.json diff --git a/cocli/data/corim/unsigned-corim.cbor b/cocli/data/corim/unsigned-corim.cbor new file mode 100644 index 0000000000000000000000000000000000000000..261316a478dd8340be49375f1f27c8554f4e9882 GIT binary patch literal 436 diff --git a/cocli/data/cots/namedtastore.cbor b/cocli/data/cots/namedtastore.cbor new file mode 100644 index 0000000000000000000000000000000000000000..2bbbcc174136a5fc0abcfddf0f54a576907cc1dc GIT binary patch literal 766
diff --git a/cocli/data/cots/rubbish.cbor b/cocli/data/cots/rubbish.cbor new file mode 100644 index 0000000000000000000000000000000000000000..336db72d08713f4f738746202ae0aabe61c3bb8e GIT binary patch literal 1078 diff --git a/cocli/data/cots/claims/exclclaim.json b/cocli/data/cots/templates/claims/exclclaim.json similarity index 100% rename from cocli/data/cots/claims/exclclaim.json rename to cocli/data/cots/templates/claims/exclclaim.json diff --git a/cocli/data/cots/claims/permclaim.json b/cocli/data/cots/templates/claims/permclaim.json similarity index 100% rename from cocli/data/cots/claims/permclaim.json rename to cocli/data/cots/templates/claims/permclaim.json diff --git a/cocli/data/cots/env/comid.json b/cocli/data/cots/templates/env/comid.json similarity index 100% rename from cocli/data/cots/env/comid.json rename to cocli/data/cots/templates/env/comid.json diff --git a/cocli/data/cots/env/coswid.json b/cocli/data/cots/templates/env/coswid.json similarity index 100% rename from cocli/data/cots/env/coswid.json rename to cocli/data/cots/templates/env/coswid.json diff --git a/cocli/data/cots/env/namedtastore.json b/cocli/data/cots/templates/env/namedtastore.json similarity index 100% rename from cocli/data/cots/env/namedtastore.json rename to cocli/data/cots/templates/env/namedtastore.json diff --git a/cocli/data/cots/env/vendor.json b/cocli/data/cots/templates/env/vendor.json similarity index 100% rename from cocli/data/cots/env/vendor.json rename to cocli/data/cots/templates/env/vendor.json
diff --git a/cocli/data/cots/env/vendor2.json b/cocli/data/cots/templates/env/vendor2.json similarity index 100% rename from cocli/data/cots/env/vendor2.json rename to cocli/data/cots/templates/env/vendor2.json diff --git a/cocli/data/cots/env/vendors.json b/cocli/data/cots/templates/env/vendors.json similarity index 100% rename from cocli/data/cots/env/vendors.json rename to cocli/data/cots/templates/env/vendors.json diff --git a/cocli/data/cots/vendor.cbor b/cocli/data/cots/vendor.cbor new file mode 100644 index 0000000000000000000000000000000000000000..8996a35a32efaf6d3a32955c4a071879b5de8064 GIT binary patch literal 674
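Review bot: in the README.md hunk that turns `### Submit` into `## CoRIM Submission to Veraison`, the `#### Remote Service Authentication` heading that follows is left at level four, so it now sits two levels below its parent; change it to `### Remote Service Authentication` (or keep the submission heading at level three) so the README outline stays consistent. The same hunk deletes the whole Verify and Display walkthrough (including the `signed-corim-bad-signature.cbor` failure example, whose fixture this patch adds under `data/corim/`); make sure that text is carried over to the per-format document it is being moved to and that README.md links there, otherwise the verify and display workflows lose their only documentation.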
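Review bot: in the `@@ -430,11 +90,11 @@` hunk the `corim submit` example now passes `--corim-file data/corim/unsigned-corim.cbor` while the echoed success line is changed to `>> "unsigned-corim.cbor" submit ok`; confirm the command really prints only the basename rather than the path as supplied, and state in the surrounding text that the example is run from the `cocli` directory, since the new path is relative to it.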
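Review bot: in the `@@ -447,33 +107,6 @@` hunk the footnote `1: A few examples of CoMID, CoRIM, CoTS, and Meta JSON templates can be found in the [data/templates](data/templates) folder.` is deleted, which is right because the renames in this patch move those templates to `data/comid/templates`, `data/corim/templates` and `data/cots/templates`; check that no `[1]` marker referring to that footnote survives elsewhere in README.md. The same hunk removes the `corim extract` section (with its `output.d/` listing of `000000-comid.cbor` ... `000003-cots.cbor`); as with verify and display, it should reappear in the per-format document rather than disappear.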
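Review bot: in the first `cotsCreate.go` hunk (`@@ -54,6 +54,16 @@`) the new help text says `--tafile` and `--cafile` take individual DER-encoded files, but the example passes `--tafile=tas_dir` and `--cafile=cas_dir`, which are the directory arguments copied from the `--tas`/`--cas` example just above; use file names in the example (for instance `--tafile=ta.der` and `--cafile=ca.der`) so it matches the sentence describing it. Minor: `(in DER Format)` and `(binary, DER-encoded X.509 Certificate)` are capitalised inconsistently.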
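Review bot: in the second `cotsCreate.go` hunk (`@@ -100,7 +110,7 @@`) `--tafile` gains the shorthand `f`; check that no other flag registered on this command already uses `-f`, because pflag panics at flag-registration time on a duplicate shorthand and the tests touched in this patch only use the long `--tafile=` form, so a collision would not be caught by them. The `--cafile` flag registered next is not shown here; if it still has no shorthand, either give both flags one or neither, to keep the TA/CA options symmetric with `--tas`/`-t`.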
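Review bot: the binary fixtures added in this patch (`comid-dice-refval.cbor`, `signed-corim-bad-signature.cbor`, `unsigned-corim.cbor`, `namedtastore.cbor`, `rubbish.cbor`, `vendor.cbor`) are checked in with no record of how they were produced; add a short note in the documentation (or a Makefile target) naming the template and `cocli` command that generates each one, so they can be regenerated and their contents audited when the CoRIM, CoMID or CoTS encoding changes.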