Add Open DICE cert chains and TCB Info

- Add validation and claim extraction for Open DICE X.509 and CBOR
  certificate chains.
- Add TCB into claim extension definition.

Signed-off-by: Sergei Trofimov <sergei.trofimov@arm.com>

.github/workflows/ci-go-cover.yml

@@ -14,20 +14,23 @@
 # 1. Change workflow name from "cover 100%" to "cover ≥92.5%". Script will automatically use 92.5%.
 # 2. Update README.md to use the new path to badge.svg because the path includes the workflow name.
 
-name: cover ≥75%
-on: [push]
+name: cover ≥80.0%
+on: [push, pull_request]
 jobs:
-
- # Verify minimum coverage is reached using `go test -short -cover` on latest-ubuntu with default version of Go.
- # The grep expression can't be too strict, it needed to be relaxed to work with different versions of Go.
  cover:
  name: Coverage
  runs-on: ubuntu-latest
+ env:
+ GO111MODULE: on
  steps:
+ - uses: actions/setup-go@v3
+ with:
+ go-version: "1.18"
  - name: Checkout code
  uses: actions/checkout@v2
  - name: Go Coverage
  run: |
  go version
- go test -short -cover | grep "^.*coverage:.*of statements$" | python -c "import os,re,sys; cover_rpt = sys.stdin.read(); print(cover_rpt) if len(cover_rpt) != 0 and len(cover_rpt.splitlines()) == 1 else sys.exit(1); min_cover = float(re.findall(r'\d*\.\d+|\d+', os.environ['GITHUB_WORKFLOW'])[0]); cover = float(re.findall(r'\d*\.\d+|\d+', cover_rpt)[0]); sys.exit(1) if (cover > 100) or (cover < min_cover) else sys.exit(0)"
+ make test-cover | grep -o "coverage:.*of statements$" | python scripts/cov.py
+
  shell: bash

.github/workflows/linters.yml

@@ -1,20 +1,21 @@
 # Go Linters - GitHub Actions
 name: linters
-on: [push]
+on: [push, pull_request]
 jobs:
-
- # Check linters on latest-ubuntu with default version of Go.
  lint:
  name: Lint
  runs-on: ubuntu-latest
+ env:
+ GO111MODULE: on
  steps:
+ - uses: actions/setup-go@v3
+ with:
+ go-version: "1.18"
  - name: Checkout code
  uses: actions/checkout@v2
- - name: Install golangci-lint
+ - name: Install golangci-lint 
  run: |
  go version
- curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | sh -s -- -b $(go env GOPATH)/bin v1.23.8
+ curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.53.2
  - name: Run required linters in .golangci.yml plus hard-coded ones here
- run: $(go env GOPATH)/bin/golangci-lint run --timeout=3m
- - name: Run optional linters (not required to pass)
- run: $(go env GOPATH)/bin/golangci-lint run --timeout=3m --issues-exit-code=0 -E dupl -E gocritic -E gosimple -E lll -E prealloc
+ run: make -w GOLINT=$(go env GOPATH)/bin/golangci-lint lint

.golangci.yml

@@ -0,0 +1,87 @@
+# Do not delete linter settings. Linters like gocritic can be enabled on the command line.
+
+linters-settings:
+ dupl:
+ threshold: 100
+ funlen:
+ lines: 100
+ statements: 50
+ goconst:
+ min-len: 2
+ min-occurrences: 3
+ gocritic:
+ enabled-tags:
+ - diagnostic
+ - experimental
+ - opinionated
+ - style
+ disabled-checks:
+ - dupImport # https://github.com/go-critic/go-critic/issues/845
+ - ifElseChain
+ - octalLiteral
+ - paramTypeCombine
+ - whyNoLint
+ - wrapperFunc 
+ gofmt:
+ simplify: false 
+ goimports:
+ golint:
+ min-confidence: 0
+ govet:
+ check-shadowing: true
+ lll:
+ line-length: 140
+ maligned:
+ suggest-new: true
+ misspell:
+ locale: US
+
+linters:
+ disable-all: true
+ enable:
+ - deadcode
+ - errcheck
+ - goconst
+ - gocyclo
+ - gofmt
+ - goimports
+ - golint
+ - gosec
+ - govet
+ - ineffassign
+ - maligned
+ - misspell
+ - staticcheck
+ - structcheck
+ - typecheck
+ - unconvert
+ - unused
+ - varcheck
+
+
+issues:
+ # max-issues-per-linter default is 50. Set to 0 to disable limit.
+ max-issues-per-linter: 0
+ # max-same-issues default is 3. Set to 0 to disable limit.
+ max-same-issues: 0
+ # Excluding configuration per-path, per-linter, per-text and per-source
+ exclude-rules:
+ - path: _test\.go
+ linters:
+ - goconst
+ - dupl
+ - gomnd
+ - lll 
+ - path: doc\.go
+ linters:
+ - goimports
+ - gomnd
+ - lll
+ - path: pretty_test_vectors.go
+ linters:
+ - lll
+
+# golangci.com configuration
+# https://github.com/golangci/golangci/wiki/Configuration
+service:
+ golangci-lint-version: 1.23.x # use the fixed version to not introduce new linters unexpectedly

LICENSE

@@ -186,7 +186,7 @@
  same "printed page" as the copyright notice for easier
  identification within third-party archives.
 
- Copyright [yyyy] [name of copyright owner]
+ Copyright 2023 Contributors to the Veraison Project
 
  Licensed under the Apache License, Version 2.0 (the "License");
  you may not use this file except in compliance with the License.

Makefile

@@ -3,7 +3,8 @@
 export GO111MODULE := on
 export SHELL := /bin/bash
 
-GOPKG := github.com/veraison/dice/tcg
+GOPKG := github.com/veraison/dice/open
+GOPKG += github.com/veraison/dice/tcg
 
 GOLINT ?= golangci-lint
 

README.md

@@ -1,6 +1,9 @@
 # Features
 
-Implementation of the attestation extension defined in [TCG DICE Attestation Architecture](https://trustedcomputinggroup.org/wp-content/uploads/TCG_DICE_Attestation_Architecture_r22_02dec2020.pdf).
+- Implementation of the attestation extension defined in [TCG DICE Attestation Architecture](https://trustedcomputinggroup.org/wp-content/uploads/TCG_DICE_Attestation_Architecture_r22_02dec2020.pdf).
+- Implementation of TCG DICE TCB Info evidence extension.
+- Implementation of [Open
+ DICE](https://pigweed.googlesource.com/open-dice/+/refs/heads/master/docs/specification.md) certificate (CBOR and X.509) chain validation and claim extraction.
 
 
 # Make targets

go.mod

@@ -1,5 +1,17 @@
 module github.com/veraison/dice
 
-go 1.15
+go 1.18
 
-require github.com/stretchr/testify v1.6.1
+require (
+ github.com/fxamacker/cbor/v2 v2.4.0
+ github.com/stretchr/testify v1.8.3
+ github.com/veraison/go-cose v1.2.0
+ golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1
+)
+
+require (
+ github.com/davecgh/go-spew v1.1.1 // indirect
+ github.com/pmezard/go-difflib v1.0.0 // indirect
+ github.com/x448/float16 v0.8.4 // indirect
+ gopkg.in/yaml.v3 v3.0.1 // indirect
+)

go.sum

@@ -1,10 +1,18 @@
-github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
-github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/fxamacker/cbor/v2 v2.4.0 h1:ri0ArlOR+5XunOP8CRUowT0pSJOwhW098ZCUyskZD88=
+github.com/fxamacker/cbor/v2 v2.4.0/go.mod h1:TA1xS00nchWmaBnEIxPSE5oHLuJBAVvqrtAnWBwBCVo=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0=
-github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.3 h1:RP3t2pwF7cMEbC1dqtB6poj3niw/9gnV4Cjg5oW5gtY=
+github.com/stretchr/testify v1.8.3/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/veraison/go-cose v1.2.0 h1:Ok0Hr3GMAf8K/1NB4sV65QGgCiukG1w1QD+H5tmt0Ow=
+github.com/veraison/go-cose v1.2.0/go.mod h1:7ziE85vSq4ScFTg6wyoMXjucIGOf4JkFEZi/an96Ct4=
+github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
+github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
+golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1 h1:k/i9J1pBpvlfR+9QsetwPyERsqu1GIbi967PQMq3Ivc=
+golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1/go.mod h1:V1LtkGg67GoY2N1AnLN78QLrzxkLyJw7RJb1gzOOz9w=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
-gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=