ocp cosesign decode/verify

.github/workflows/spdm-validator.yml

@@ -135,6 +135,17 @@ jobs:
             exit 1
           fi
 
+
+      - name: Verify EAT from measurement block for SPDM-MCTP
+        working-directory: ocp-eat-verifier
+        env:
+          SPDM_VALIDATOR_DIR: ${{ github.workspace }}/spdm-emu/build/bin
+        run: |
+          cargo build --release -p ocptoken
+          ./target/release/ocptoken verify \
+          -e $SPDM_VALIDATOR_DIR/measurement_block_fd.bin 
+
+
       - name: Run SPDM validator tests on DOE transport
         env:
           SPDM_VALIDATOR_DIR: ${{ github.workspace }}/spdm-emu/build/bin

.gitignore

@@ -1,4 +1,5 @@
-/target*/
+*target*/
+**/target/
 test_key
 
 # By default, ignore Cargo.lock files in non-workspace directories.

ocp-eat-verifier/Cargo.toml

@@ -0,0 +1,19 @@
+# Licensed under the Apache-2.0 license
+
+[workspace]
+members = [
+    "ocptoken-rs",
+]
+resolver = "2"
+
+[workspace.package]
+version = "0.1.0"
+edition = "2021"
+authors = ["Caliptra contributors"]
+
+[workspace.dependencies]
+coset = { git = "https://github.com/google/coset",rev = "3ebd2d7d0dafe2b6856934ea2b4fa28ea3d9a373"}
+hex = "0.4"
+thiserror = "2.0"
+openssl = { version = "0.10", features = ["vendored"] }
+clap = { version = "4", features = ["derive"] }

ocp-eat-verifier/ocptoken-rs/Cargo.toml

@@ -0,0 +1,16 @@
+# Licensed under the Apache-2.0 license
+
+[package]
+name = "ocptoken"
+version = "0.1.0"
+edition = "2021"
+authors = ["Caliptra Contributors"]
+
+[dependencies]
+coset.workspace = true
+hex.workspace = true
+thiserror.workspace = true
+openssl.workspace = true
+clap.workspace = true
+
+

ocp-eat-verifier/ocptoken-rs/src/error.rs

@@ -0,0 +1,34 @@
+// Licensed under the Apache-2.0 license
+
+use thiserror::Error;
+/// Errors that can occur when working with OCP EAT tokens
+#[derive(Error, Debug)]
+pub enum OcpEatError {
+    /// COSE parsing or validation error
+    #[error("COSE error: {0:?}")]
+    CoseSign1(coset::CoseError),
+
+    #[error("Invalid token: {0}")]
+    InvalidToken(&'static str),
+
+    /// Certificate parsing error
+    #[error("Certificate error: {0}")]
+    Certificate(String),
+
+    /// Signature verification failure
+    #[error("Signature verification failed")]
+    SignatureVerification,
+
+    /// Crypto backend error
+    #[error("Crypto error: {0}")]
+    Crypto(String),
+}
+
+impl From<coset::CoseError> for OcpEatError {
+    fn from(err: coset::CoseError) -> Self {
+        OcpEatError::CoseSign1(err)
+    }
+}
+
+/// Result type for OCP EAT operations
+pub type OcpEatResult<T> = std::result::Result<T, OcpEatError>;

ocp-eat-verifier/ocptoken-rs/src/lib.rs

@@ -0,0 +1,4 @@
+// Licensed under the Apache-2.0 license
+
+pub mod token;
+pub mod error;

ocp-eat-verifier/ocptoken-rs/src/main.rs

@@ -0,0 +1,103 @@
+// Licensed under the Apache-2.0 license
+
+use clap::{Parser, Subcommand};
+use std::fs;
+use std::path::PathBuf;
+
+use ocptoken::token::evidence::Evidence;
+
+#[derive(Parser, Debug)]
+#[command(
+    name = "ocptoken",
+    author,
+    version,
+    about = "Verify an OCP TOKEN COSE_Sign1 token",
+    long_about = None
+)]
+struct Cli {
+    #[command(subcommand)]
+    command: Commands,
+}
+
+#[derive(Subcommand, Debug)]
+enum Commands {
+    /// Cryptographically verify the supplied OCP token using the EAT attestation key
+    Verify(VerifyArgs),
+}
+
+#[derive(Parser, Debug)]
+#[command(
+    author,
+    version,
+    about = "Cryptographically verify the supplied OCP token using the EAT attestation key"
+)]
+struct VerifyArgs {
+    #[arg(
+        short = 'e',
+        long = "evidence",
+        value_name = "EVIDENCE",
+        default_value = "ocp_eat.cbor"
+    )]
+    evidence: PathBuf,
+}
+
+fn main() {
+    let cli = Cli::parse();
+
+    match cli.command {
+        Commands::Verify(args) => run_verify(&args),
+    }
+}
+
+fn run_verify(args: &VerifyArgs) {
+    // 1. Load the binary file
+    let encoded = match fs::read(&args.evidence) {
+        Ok(b) => b,
+        Err(e) => {
+            eprintln!(
+                "Failed to read evidence file '{}': {}",
+                args.evidence.display(),
+                e
+            );
+            std::process::exit(1);
+        }
+    };
+
+    println!(
+        "Loaded evidence file '{}' ({} bytes)",
+        args.evidence.display(),
+        encoded.len()
+    );
+
+    // 2. Decode the evidence
+    let ev = match Evidence::decode(&encoded) {
+        Ok(ev) => {
+            println!("Decode successful");
+            ev
+        }
+        Err(e) => {
+            eprintln!("Evidence::decode failed: {:?}", e);
+
+            // Optional debug dump
+            let prefix_len = encoded.len().min(32);
+            eprintln!(
+                "First {} bytes of input: {:02x?}",
+                prefix_len,
+                &encoded[..prefix_len]
+            );
+
+            std::process::exit(1);
+        }
+    };
+
+    // 3. Cryptographically verify
+    match ev.verify() {
+        Ok(()) => {
+            println!("Signature verification successful");
+        }
+        Err(e) => {
+            eprintln!("Evidence::verify failed: {:?}", e);
+            std::process::exit(1);
+        }
+    }
+}