feat: support draft-ffm-rats-cca-token-00 encoding
Add support for the new CCA token profile(s) defined in
draft-ffm-rats-cca-token-00.
In particular, claim 44237 (`cca_realm_pub_key`') now encodes the RAK as
a CBOR-serialised COSE_Key rather than a raw public key.
This non-backwards compatible encoding is signalled by the new (in-band)
profile identifier `"tag:arm.com,2023:realm#1.0.0"`.
The legacy profile `"http://arm.com/CCA-SSD/1.0.0"` with the raw RAK
encoding is still fully processed, but its use triggers a deprecation
warning.
Change-Id: I381fb0a885cba99191622ba2f38688a357eaf736
Signed-off-by: Thomas Fossati <thomas.fossati@linaro.org>
diff --git a/iat-verifier/dev_scripts/generate-key.py b/iat-verifier/dev_scripts/generate-key.py
index 6c1eee7..ceb5cc6 100755
--- a/iat-verifier/dev_scripts/generate-key.py
+++ b/iat-verifier/dev_scripts/generate-key.py
@@ -6,14 +6,31 @@
#
# -----------------------------------------------------------------------------
-import sys
+import argparse
-from ecdsa import SigningKey, NIST256p
-
+from ecdsa import SigningKey, NIST256p, NIST384p
+from pycose.keys import EC2Key, CoseKey
+from ecdsa.curves import curve_by_name
if __name__ == '__main__':
- outfile = sys.argv[1]
+ parser = argparse.ArgumentParser(description='generate an ECDSA key')
- sk = SigningKey.generate(curve=NIST256p)
- with open(outfile, 'wb') as wfh:
- wfh.write(sk.to_pem())
+ parser.add_argument('outfile', type=str, help='output file')
+ parser.add_argument('--crv', type=str, help='ECDSA curve',
+ choices=[NIST256p.name, NIST384p.name], default='NIST256p')
+ parser.add_argument('--fmt', type=str, help='key format',
+ choices=['PEM', 'COSE'], default='PEM')
+
+ args = parser.parse_args()
+
+ sk = SigningKey.generate(curve_by_name(args.crv))
+
+ pem_key = sk.to_pem().decode('utf-8')
+
+ if args.fmt == 'PEM':
+ o = pem_key
+ elif args.fmt == 'COSE':
+ o = CoseKey.from_pem_private_key(pem_key)
+
+ with open(args.outfile, 'wb') as wfh:
+ wfh.write(o.encode())