diff --git a/corim/signedcorim_test.go b/corim/signedcorim_test.go
index 27a821d..23d8705 100644
--- a/corim/signedcorim_test.go
+++ b/corim/signedcorim_test.go
@@ -118,28 +118,13 @@ func certChain() []byte {
 }
 
 func TestSignedCorim_TaggedFromCOSE_ok(t *testing.T) {
- /*
- 500(
- 502(
- 18(
- [
- / protected h'a10126' / << {
- / alg / 1: -7, / ECDSA 256 /
- / content-type / 3: "application/rim+cbor",
- / issuer-key-id / 4: 'meriadoc.brandybuck@buckland.example',
- / corim-meta / 8: h'a200a1006941434d45204c74642e01a101c11a5fad2056'
- } >>,
- / unprotected / {},
- / payload / << 501({
- 0: "test corim id",
- 1: [
- 506(h'A40065656E2D474201A1005043BBE37F2E614B33AED353CFF1428B160281A3006941434D45204C74642E01D8207468747470733A2F2F61636D652E6578616D706C65028300010204A1008182A100A300D90258582061636D652D696D706C656D656E746174696F6E2D69642D303030303030303031016441434D45026A526F616452756E6E657283A200D90258A30162424C0465322E312E30055820ACBB11C7E4DA217205523CE4CE1A245AE1A239AE3C6BFD9E7871F7E5D8BAE86B01A102818201582087428FC522803D31065E7BCE3CF03FE475096631E5E07BBD7A0FDE60C4CF25C7A200D90258A3016450526F540465312E332E35055820ACBB11C7E4DA217205523CE4CE1A245AE1A239AE3C6BFD9E7871F7E5D8BAE86B01A10281820158200263829989B6FD954F72BAAF2FC64BC2E2F01D692D4DE72986EA808F6E99813FA200D90258A3016441526F540465302E312E34055820ACBB11C7E4DA217205523CE4CE1A245AE1A239AE3C6BFD9E7871F7E5D8BAE86B01A1028182015820A3A5E715F0CC574A73C3F9BEBB6BC24F32FFD5B67B387244C2C909DA779A1478')
- ]
- }) >>,
- / signature / h'deadbeef'
- ]
- )))
- */
+ var actual SignedCorim
+ err := actual.FromCOSE(testGoodSignedCorimCBOR)
+
+ assert.Nil(t, err)
+}
+
+func TestSignedCorim_TaggedFromCOSE_bad(t *testing.T) {
 tv := []byte{0xd9, 0x01, 0xf4, 0xd9, 0x01, 0xf6, 0xd2, 0x84, 0x58, 0x59, 0xa4, 0x01, 0x26, 0x03, 0x74, 0x61, 0x70, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x74, 
@@ -213,7 +198,7 @@ func TestSignedCorim_TaggedFromCOSE_ok(t *testing.T) {
 var actual SignedCorim
 err := actual.FromCOSE(tv)
 
- assert.Nil(t, err)
+ assert.ErrorContains(t, err, "tag validation failed")
 }
 
 func TestSignedCorim_FromCOSE_fail_no_tag(t *testing.T) {
diff --git a/corim/unsignedcorim.go b/corim/unsignedcorim.go
index c30d6ae..29f4e1b 100644
--- a/corim/unsignedcorim.go
+++ b/corim/unsignedcorim.go
@@ -342,12 +342,55 @@ type Tag struct {
 Content []byte
 }
 
+// Valid validates the tag content based on its tag number.
+// For CoMID tags (506), it unmarshals and validates the content.
+// For CoSWID tags (505), it validates the CoSWID structure.
+// For other tags, it ensures the content is valid CBOR.
 func (o Tag) Valid() error {
- // there is no much we can check here, except making sure that the tag is
- // not zero-length
 if len(o.Content) == 0 {
 return errors.New("empty tag")
 }
+
+ switch o.Number {
+ case ComidTag:
+ return o.validateComidTag()
+ case CoswidTag:
+ return o.validateCoswidTag()
+ default:
+ return o.validateGenericCBOR()
+ }
+}
+
+// validateComidTag unmarshals and validates CoMID tag content.
+func (o Tag) validateComidTag() error {
+ var c comid.Comid
+ if err := dm.Unmarshal(o.Content, &c); err != nil {
+ return fmt.Errorf("invalid CoMID content: %w", err)
+ }
+
+ if err := c.Valid(); err != nil {
+ return fmt.Errorf("CoMID validation failed: %w", err)
+ }
+
+ return nil
+}
+
+// validateCoswidTag validates CoSWID tag content by attempting to unmarshal it.
+func (o Tag) validateCoswidTag() error {
+ var s swid.SoftwareIdentity
+ if err := dm.Unmarshal(o.Content, &s); err != nil {
+ return fmt.Errorf("invalid CoSWID content: %w", err)
+ }
+
+ return nil
+}
+
+// validateGenericCBOR ensures the tag content is valid CBOR for unknown tag types.
+func (o Tag) validateGenericCBOR() error {
+ var raw interface{}
+ if err := dm.Unmarshal(o.Content, &raw); err != nil {
+ return fmt.Errorf("invalid CBOR content: %w", err)
+ }
 return nil
 }
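Review bot: The new assertion `assert.ErrorContains(t, err, "tag validation failed")` pins only the outer wrapper text, so the test cannot tell which of the per-tag checks introduced in unsignedcorim.go actually rejected this vector, and a regression in the tag-number dispatch would still pass. Since the vector carries a 506 (CoMID) tag, consider also asserting the inner message of the branch it is expected to hit, e.g. `assert.ErrorContains(t, err, "CoMID validation failed")` if that is the failing check. The test vector and the start of TestSignedCorim_TaggedFromCOSE_bad lie outside this hunk.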
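Review bot: validateCoswidTag only checks that o.Content decodes into swid.SoftwareIdentity, so the new doc line on Valid, `// For CoSWID tags (505), it validates the CoSWID structure.`, promises more than the code does and is not parallel with the CoMID branch, which additionally calls `c.Valid()`. If the swid package exposes a structural validator, call it there with a wrapping error in the same style as the CoMID one; otherwise reword the line to `// For CoSWID tags (505), it checks that the content decodes as a CoSWID.`. The default branch accepts any well-formed CBOR, so a Tag with an unrecognised number passes Valid; that policy is worth stating on Valid, e.g. `// Unknown tag numbers are accepted as long as the content is well-formed CBOR.`, or the branch should return an error if accepting them is not intended. Minor style: `var raw interface{}` in validateGenericCBOR can be `var raw any` if the module's Go version is 1.18 or later.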