scitt: create_claim: Update to rev a4645e4bc3e78ad5cfd9f8347c7e0ac8267c1079 of SCITT arch

Related: ietf-wg-scitt/draft-ietf-scitt-architecture@a4645e4
Signed-off-by: John Andersen <[email protected]>

Author: pdxjohnny

docs/registration_policies.md

@@ -153,7 +153,7 @@ scitt-emulator server --workspace workspace/ --tree-alg CCF --use-lro
 Create claim from allowed issuer (`.org`) and from non-allowed (`.com`).
 
 ```console
-$ scitt-emulator client create-claim --issuer did:web:example.com --content-type application/json --payload '{"sun": "yellow"}' --out claim.cose
+$ scitt-emulator client create-claim --issuer did:web:example.com --subject "solar" --content-type application/json --payload '{"sun": "yellow"}' --out claim.cose
 A COSE-signed Claim was written to:  claim.cose
 $ scitt-emulator client submit-claim --claim claim.cose --out claim.receipt.cbor
 Traceback (most recent call last):
@@ -175,7 +175,7 @@ Failed validating 'enum' in schema['properties']['issuer']:
 On instance['issuer']:
     'did:web:example.com'
 
-$ scitt-emulator client create-claim --issuer did:web:example.org --content-type application/json --payload '{"sun": "yellow"}' --out claim.cose
+$ scitt-emulator client create-claim --issuer did:web:example.org --subject "solar" --content-type application/json --payload '{"sun": "yellow"}' --out claim.cose
 A COSE signed Claim was written to:  claim.cose
 $ scitt-emulator client submit-claim --claim claim.cose --out claim.receipt.cbor
 Claim registered with entry ID 1

scitt_emulator/client.py

@@ -9,6 +9,7 @@
 import httpx
 
 import scitt_emulator.scitt as scitt
+from scitt_emulator import create_statement
 from scitt_emulator.tree_algs import TREE_ALGS
 
 DEFAULT_URL = "http://127.0.0.1:8000"
@@ -72,10 +73,6 @@ def post(self, *args, **kwargs):
         return self._request("POST", *args, **kwargs)
 
 
-def create_claim(issuer: str, content_type: str, payload: str, claim_path: Path):
-    scitt.create_claim(claim_path, issuer, content_type, payload)
-
-
 def submit_claim(
     url: str,
     claim_path: Path,
@@ -170,16 +167,7 @@ def cli(fn):
     parser = fn(description="Execute client commands")
     sub = parser.add_subparsers(dest="cmd", help="Command to execute", required=True)
 
-    p = sub.add_parser("create-claim", description="Create a fake SCITT claim")
-    p.add_argument("--out", required=True, type=Path)
-    p.add_argument("--issuer", required=True, type=str)
-    p.add_argument("--content-type", required=True, type=str)
-    p.add_argument("--payload", required=True, type=str)
-    p.set_defaults(
-        func=lambda args: scitt.create_claim(
-            args.out, args.issuer, args.content_type, args.payload
-        )
-    )
+    create_statement.cli(sub.add_parser)
 
     p = sub.add_parser(
         "submit-claim", description="Submit a SCITT claim and retrieve the receipt"

scitt_emulator/scitt.py

@@ -12,11 +12,8 @@
 import cbor2
 from pycose.messages import CoseMessage, Sign1Message
 import pycose.headers
-from pycose.keys.ec2 import EC2Key
-import pycose.keys.curves
 
-# temporary claim header labels, see draft-birkholz-scitt-architecture
-COSE_Headers_Issuer = 391
+from scitt_emulator.create_statement import CWTClaims
 
 # temporary receipt header labels, see draft-birkholz-scitt-receipts
 COSE_Headers_Service_Id = "service_id"
@@ -236,10 +233,10 @@ def _create_receipt(self, claim: bytes, entry_id: str):
             raise ClaimInvalidError(
                 "Claim does not have a content type header parameter"
             )
-        if COSE_Headers_Issuer not in msg.phdr:
-            raise ClaimInvalidError("Claim does not have an issuer header parameter")
-        if not isinstance(msg.phdr[COSE_Headers_Issuer], str):
-            raise ClaimInvalidError("Claim issuer is not a string")
+        if CWTClaims not in msg.phdr:
+            raise ClaimInvalidError("Claim does not have a CWTClaims header parameter")
+
+        # TODO Verify CWT
 
         # Extract fields of COSE_Sign1 for countersigning
         outer = cbor2.loads(claim)
@@ -304,28 +301,6 @@ def verify_receipt(self, cose_path: Path, receipt_path: Path):
         self.verify_receipt_contents(receipt_contents, countersign_tbi)
 
 
-def create_claim(claim_path: Path, issuer: str, content_type: str, payload: str):
-    # Create COSE_Sign1 structure
-    protected = {
-        pycose.headers.Algorithm: "ES256",
-        pycose.headers.ContentType: content_type,
-        COSE_Headers_Issuer: issuer,
-    }
-    msg = Sign1Message(phdr=protected, payload=payload.encode("utf-8"))
-
-    # Create an ad-hoc key
-    # Note: The emulator does not validate signatures, hence the short-cut.
-    key = EC2Key.generate_key(pycose.keys.curves.P256)
-
-    # Sign
-    msg.key = key
-    claim = msg.encode(tag=True)
-
-    with open(claim_path, "wb") as f:
-        f.write(claim)
-    print(f"A COSE signed Claim was written to:  {claim_path}")
-
-
 def create_countersign_to_be_included(
     body_protected, sign_protected, payload, signature
 ):

tests/test_cli.py

@@ -73,6 +73,8 @@ def test_client_cli(use_lro: bool, tmp_path):
             claim_path,
             "--issuer",
             issuer,
+            "--subject",
+            "test",
             "--content-type",
             content_type,
             "--payload",
@@ -248,6 +250,8 @@ def test_client_cli_token(tmp_path):
                 claim_path,
                 "--issuer",
                 issuer,
+                "--subject",
+                "test",
                 "--content-type",
                 content_type,
                 "--payload",

tests/test_docs.py

@@ -196,6 +196,8 @@ def test_docs_registration_policies(tmp_path):
             claim_path,
             "--issuer",
             non_allowlisted_issuer,
+            "--subject",
+            "test",
             "--content-type",
             content_type,
             "--payload",
@@ -236,6 +238,8 @@ def test_docs_registration_policies(tmp_path):
             claim_path,
             "--issuer",
             allowlisted_issuer,
+            "--subject",
+            "test",
             "--content-type",
             content_type,
             "--payload",