Add ADAC 1.1 serialization, validation, and CLI support #9
Open
mathias-arm wants to merge 10 commits into
- Parse and validate certificate policies from the configuration file, allowing nonzero values only for ADAC 1.1 certificates.
- Emit policies from online and offline certificate signing flows.
- Report the effective policy bitmask during verification when it is nonzero.

Signed-off-by: Mathias Brossard <mathias.brossard@arm.com>

- Add explicit little-endian serialization and deserialization helpers for certificate, token, and TLV headers.
- Centralize validation of header versions, reserved fields, crypto consistency, and ADAC 1.0 policy constraints.
- Keep the old packed-layout path temporarily behind the serialization feature boundary.

Signed-off-by: Mathias Brossard <mathias.brossard@arm.com>

- Remove the native packed-layout serialization fallback and the associated feature gating.
- Route certificate, token, and TLV encoding through the explicit serialization helpers unconditionally.
- Rename serialized-size constants to the simpler SIZE form.

Signed-off-by: Mathias Brossard <mathias.brossard@arm.com>

- Replace the public deterministic constructor with an explicitly named test-only constructor.
- Gate deterministic signing behind hazmat-deterministic so normal consumers cannot accidentally enable deterministic RSA-PSS signing.
- Enable the hazmat feature only for tests that require byte-for-byte stable signatures.

Signed-off-by: Mathias Brossard <mathias.brossard@arm.com>

- Update TLV headers to include ADAC 1.1 flags, including the critical-extension flag.
- Add shared TLV sequence parsing that advances over padded values and rejects nonzero padding.
- Use the shared parser for certificate-chain decoding so TLV padding and alignment rules are applied consistently.

Signed-off-by: Mathias Brossard <mathias.brossard@arm.com>

- Add encoding validators for TLV sequences, certificate chains, individual certificates, and tokens.
- Report all detectable encoding issues with byte offsets and context instead of failing at the first parse error.
- Cover malformed TLVs, invalid padding, token header issues, and nested certificate/token extension encodings.

Signed-off-by: Mathias Brossard <mathias.brossard@arm.com>

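The TLV walk described in the two commit messages above (advancing over padded values, rejecting nonzero padding, and reporting every encoding issue with its byte offset rather than stopping at the first error), written out as an added Rust example. This is not the project's code. It assumes a wire layout the page does not spell out: a 2-byte little-endian type id, a 2-byte little-endian length, the value, and zero padding up to a 4-byte boundary; the `Tlv`, `EncodingIssue`, `TlvReport`, `encode_tlv` and `validate_tlv_sequence` names are this example's own.

```rust
// Added example, not code from the ADAC project. It walks a TLV sequence,
// advances over padded values, rejects nonzero padding, and keeps collecting
// issues with byte offsets instead of stopping at the first one.
//
// Assumed (not stated on the page) wire layout of one TLV:
//   u16 LE type_id | u16 LE length_in_bytes | value | zero padding to 4 bytes

const TLV_HEADER_SIZE: usize = 4;
const TLV_ALIGN: usize = 4;

#[derive(Debug, PartialEq)]
pub struct Tlv {
    pub type_id: u16,
    pub value: Vec<u8>,
}

#[derive(Debug, PartialEq)]
pub struct EncodingIssue {
    pub offset: usize,
    pub context: String,
}

#[derive(Debug, Default)]
pub struct TlvReport {
    pub tlvs: Vec<Tlv>,
    pub issues: Vec<EncodingIssue>,
}

/// Length of a value once padded up to the alignment boundary.
fn padded_len(len: usize) -> usize {
    (len + TLV_ALIGN - 1) / TLV_ALIGN * TLV_ALIGN
}

/// Encode one TLV with zero padding (used here to build constructed sample input).
pub fn encode_tlv(type_id: u16, value: &[u8]) -> Vec<u8> {
    let total = TLV_HEADER_SIZE + padded_len(value.len());
    let mut out = Vec::with_capacity(total);
    out.extend_from_slice(&type_id.to_le_bytes());
    out.extend_from_slice(&(value.len() as u16).to_le_bytes());
    out.extend_from_slice(value);
    out.resize(total, 0);
    out
}

/// Walk `buf`, returning every parsed TLV plus every detectable encoding issue.
pub fn validate_tlv_sequence(buf: &[u8]) -> TlvReport {
    let mut report = TlvReport::default();
    let mut pos = 0;
    while pos < buf.len() {
        let remaining = buf.len() - pos;
        if remaining < TLV_HEADER_SIZE {
            report.issues.push(EncodingIssue {
                offset: pos,
                context: format!("truncated TLV header: {remaining} trailing byte(s)"),
            });
            break;
        }
        let type_id = u16::from_le_bytes([buf[pos], buf[pos + 1]]);
        let len = u16::from_le_bytes([buf[pos + 2], buf[pos + 3]]) as usize;
        let value_start = pos + TLV_HEADER_SIZE;
        let value_end = value_start + len;
        let padded_end = value_start + padded_len(len);

        if value_end > buf.len() {
            report.issues.push(EncodingIssue {
                offset: pos,
                context: format!("TLV type 0x{type_id:04x}: length {len} runs past end of buffer"),
            });
            break;
        }
        report.tlvs.push(Tlv { type_id, value: buf[value_start..value_end].to_vec() });

        if padded_end > buf.len() {
            report.issues.push(EncodingIssue {
                offset: value_end,
                context: format!("TLV type 0x{type_id:04x}: value not padded to {TLV_ALIGN}-byte boundary"),
            });
            break;
        }
        // Padding must be all zero. A nonzero byte is an encoding error, but it is
        // recorded and the walk continues so later problems are reported too.
        for (i, &b) in buf[value_end..padded_end].iter().enumerate() {
            if b != 0 {
                report.issues.push(EncodingIssue {
                    offset: value_end + i,
                    context: format!("nonzero padding byte 0x{b:02x} after TLV type 0x{type_id:04x}"),
                });
            }
        }
        pos = padded_end;
    }
    report
}

fn main() {
    // Constructed sample: a good TLV, one with corrupted padding, then a truncated header.
    let mut buf = encode_tlv(0x0001, &[1, 2, 3]);
    buf.extend(encode_tlv(0x0002, &[4]));
    buf[13] = 0xaa;
    buf.extend_from_slice(&[0x03, 0x00]);
    let report = validate_tlv_sequence(&buf);
    println!("parsed {} TLV(s)", report.tlvs.len());
    for issue in &report.issues {
        println!("offset {:#06x}: {}", issue.offset, issue.context);
    }
}
```

The validator deliberately separates "this TLV is unreadable" (a length running past the buffer, where nothing after it can be trusted and the walk stops) from "this TLV is readable but mis-encoded" (nonzero padding, where the walk can continue and still attribute later faults to the right offset); a verifier that only needs a yes/no answer can simply check that `issues` is empty.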
- Introduce a reusable chain validator that tracks certificate order, role constraints, signatures, and effective chain constraints.
- Rework adac-cli verify and verify_chain to use the shared validation logic.
- Add token validation through the same validator so token permissions are combined with the effective certificate-chain constraints.

Signed-off-by: Mathias Brossard <mathias.brossard@arm.com>

- Split adac-cli command implementation into a library-backed binary so command functions can be tested from integration tests.
- Move most command-level tests out of module unit tests and into adac-cli/tests.
- Add shared integration-test scaffolding for certificate chains, token signing, offline signing, and verify diagnostics.

Signed-off-by: Mathias Brossard <mathias.brossard@arm.com>

- Add verify --strict to enable stricter diagnostic checks for token validation and critical extensions.
- Reject ADAC 1.0 artifacts that carry ADAC 1.1 TLV flags and reject unknown TLV flag bits.
- Distinguish token signature verification from full token validation when the certificate chain is invalid.

Signed-off-by: Mathias Brossard <mathias.brossard@arm.com>

- Add structured extension syntax for certificate and token config, while retaining legacy base16 TLV input.
- Support critical token soc_id extensions and fold them into effective verification output.
- Add CLI shell coverage for effective constraints, token SoC ID extensions, and offline token signing.

Signed-off-by: Mathias Brossard <mathias.brossard@arm.com>

This PR adds ADAC 1.1 support and tightens encoding, validation, and CLI verification behavior. The main changes are:
- adac-cli verify --strict for stricter local diagnostics, including requiring token validation to terminate at a leaf certificate and rejecting unknown/unprocessed critical extensions.
- soc_id extension support.
- hazmat-deterministic feature.
- adac-cli command tests into integration tests and add shell coverage for CLI/offline flows.