Update AttestedClaims OID and externalize hardcoded defaults (Tasks 13b, 15b)

Author: ramkri123

hybrid-cloud-poc/README-arch-sovereign-unified-identity.md

@@ -860,7 +860,7 @@ After workloads receive their SPIRE SVIDs, they can use these certificates to ac
 
 - **WASM Filter Extracts Sensor Information**:
   - Parses the certificate chain.
-  - Extracts Unified Identity extension (OID `1.3.6.1.4.1.99999.2`) from Agent SVID (second certificate in chain).
+  - Extracts Unified Identity extension (OID `1.3.6.1.4.1.55744.1.1`) from Agent SVID (second certificate in chain).
   - Extracts sensor metadata: `sensor_id`, `sensor_type`, `sensor_imei`, `sensor_imsi`, `sensor_msisdn`.
   - **Coordinate Propagation**: Extracts `latitude`, `longitude`, and `accuracy` if present in SVID claims to enable the **DB-less verification flow**.
   - **No Filter Caching**: The WASM filter is stateless; all result caching is centralized in the mobile location microservice.
@@ -1514,7 +1514,7 @@ typed_config:
 
 The WASM filter extracts claims from the SPIRE certificate chain:
 
-1. **Extract Unified Identity Extension** (OID `1.3.6.1.4.1.99999.2`) from Agent SVID
+1. **Extract Unified Identity Extension** (OID `1.3.6.1.4.1.55744.1.1`) from Agent SVID
 2. **Parse JSON claims**: `sensor_id`, `sensor_type`, `sensor_imei`, `sensor_imsi`, **`msisdn`** ← NEW
 3. **Apply policy**:
    - GPS/GNSS sensors: Always bypass (trusted hardware)

hybrid-cloud-poc/enterprise-private-cloud/README.md

@@ -335,7 +335,7 @@ tail -f /tmp/mobile-sensor.log
 
 ### Certificate Chain Parsing
 - **Location**: Unified Identity extension is in the **agent SVID** (second certificate in chain)
-- **OID**: 1.3.6.1.4.1.99999.2 (or legacy 1.3.6.1.4.1.99999.1)
+- **OID**: 1.3.6.1.4.1.55744.1.1
 - **Format**: JSON with `grc.geolocation.sensor_id` field
 - **Extraction**: WASM filter parses full certificate chain from `x-forwarded-client-cert` header
 

hybrid-cloud-poc/enterprise-private-cloud/wasm-plugin/README.md

@@ -53,7 +53,7 @@ configuration:
 ## How It Works
 
 1. **Certificate Extraction**: Gets client certificate from TLS connection
-2. **Sensor Info Extraction**: Parses X.509 Unified Identity extension (OID `1.3.6.1.4.1.99999.2`)
+2. **Sensor Info Extraction**: Parses X.509 Unified Identity extension (OID `1.3.6.1.4.1.55744.1.1`)
 3. **Claim Parsing**: Extracts sensor metadata from nested `grc.geolocation` structure:
    - **Mobile**: `grc.geolocation.mobile` → `sensor_id`, `sensor_imei`, `sim_imsi`, `sim_msisdn`, and `location_verification` (lat/lon/acc)
    - **GNSS**: `grc.geolocation.gnss` → `sensor_id`, `sensor_serial_number`, and `retrieved_location` (lat/lon/acc)

hybrid-cloud-poc/enterprise-private-cloud/wasm-plugin/src/lib.rs

@@ -18,10 +18,9 @@ use serde::{Deserialize, Serialize};
 use std::time::Duration;
 
 // Unified Identity extension OIDs (as ASN.1 OID bytes)
-// 1.3.6.1.4.1.99999.2 = 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x63, 0x02
-// 1.3.6.1.4.1.99999.1 = 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x63, 0x01
-const UNIFIED_IDENTITY_OID_STR: &str = "1.3.6.1.4.1.99999.2";
-const LEGACY_OID_STR: &str = "1.3.6.1.4.1.99999.1";
+// 1.3.6.1.4.1.55744.1.1 = 0x2b, 0x06, 0x01, 0x04, 0x01, 0x83, 0xb3, 0x40, 0x01, 0x01
+const UNIFIED_IDENTITY_OID_STR: &str = "1.3.6.1.4.1.55744.1.1";
+const LEGACY_OID_STR: &str = "1.3.6.1.4.1.55744.1.1";
 
 #[derive(Serialize, Deserialize)]
 struct VerifyRequest {

hybrid-cloud-poc/mobile-sensor-microservice/README.md

@@ -32,7 +32,15 @@ This installs both runtime dependencies (Flask, requests) and the `pytest` tooli
 | `CAMARA_SCOPE` | Scope used in `/bc-authorize` | `dpv:FraudPreventionAndDetection#device-location-read` |
 | `CAMARA_BYPASS` | Set to `true` to skip CAMARA API calls (for testing only) | `false` |
 | `DEMO_MODE` | Set to `true` to suppress CAMARA_BYPASS log messages (useful for demos). Defaults to `true` when `CAMARA_BYPASS` is enabled. | `false` (or `true` if `CAMARA_BYPASS=true`) |
-| `CAMARA_VERIFY_CACHE_TTL_SECONDS` | Cache TTL for `verify_location` API results. The actual CAMARA API is called at most once per TTL period; subsequent calls return the cached result. | `900` (15 minutes) |
+| `CAMARA_VERIFY_CACHE_TTL_SECONDS` | Cache TTL for `verify_location` API results. | `900` (15 minutes) |
+| `MOBILE_SENSOR_ID` | Default sensor ID for mapping | `12d1:1433` |
+| `MOBILE_SENSOR_MSISDN` | Default MSISDN for mapping | `+34696810912` |
+| `MOBILE_SENSOR_LAT_DEFAULT` | Default latitude for mapping | `40.33` |
+| `MOBILE_SENSOR_LON_DEFAULT` | Default longitude for mapping | `-3.7707` |
+| `MOBILE_SENSOR_ACC_DEFAULT` | Default accuracy for mapping | `7.0` |
+| `CAMARA_AUTHORIZE_PATH` | Path for CAMARA authorize endpoint | `/bc-authorize` |
+| `CAMARA_TOKEN_PATH` | Path for CAMARA token endpoint | `/token` |
+| `CAMARA_VERIFY_PATH` | Path for CAMARA verify endpoint | `/location/v0/verify` |
 
 ### Obtaining CAMARA Credentials
 

hybrid-cloud-poc/mobile-sensor-microservice/service.py

@@ -38,14 +38,14 @@
 
 LOG = logging.getLogger("mobile_sensor_service")
 
-DEFAULT_SCOPE = "dpv:FraudPreventionAndDetection#device-location-read"
-DEFAULT_SENSOR_ID = "12d1:1433"
-DEFAULT_SENSOR_IMEI = "356345043865103"
-DEFAULT_SENSOR_IMSI = "214070610960475"
-DEFAULT_MSISDN = "+34696810912"
-DEFAULT_LATITUDE = 40.33
-DEFAULT_LONGITUDE = -3.7707
-DEFAULT_ACCURACY = 7.0
+DEFAULT_SCOPE = os.getenv("MOBILE_SENSOR_SCOPE", "dpv:FraudPreventionAndDetection#device-location-read")
+DEFAULT_SENSOR_ID = os.getenv("MOBILE_SENSOR_ID", "12d1:1433")
+DEFAULT_SENSOR_IMEI = os.getenv("MOBILE_SENSOR_IMEI_DEFAULT", "356345043865103")
+DEFAULT_SENSOR_IMSI = os.getenv("MOBILE_SENSOR_IMSI_DEFAULT", "214070610960475")
+DEFAULT_MSISDN = os.getenv("MOBILE_SENSOR_MSISDN", "+34696810912")
+DEFAULT_LATITUDE = float(os.getenv("MOBILE_SENSOR_LAT_DEFAULT", "40.33"))
+DEFAULT_LONGITUDE = float(os.getenv("MOBILE_SENSOR_LON_DEFAULT", "-3.7707"))
+DEFAULT_ACCURACY = float(os.getenv("MOBILE_SENSOR_ACC_DEFAULT", "7.0"))
 
 # Prometheus metrics (Task 18: Observability)
 REQUEST_COUNT = Counter(
@@ -70,9 +70,9 @@
 CAMARA_BASE = os.getenv(
     "CAMARA_BASE_URL", "https://sandbox.opengateway.telefonica.com/apigateway"
 )
-AUTHORIZE_PATH = "/bc-authorize"
-TOKEN_PATH = "/token"
-VERIFY_PATH = "/location/v0/verify"
+AUTHORIZE_PATH = os.getenv("CAMARA_AUTHORIZE_PATH", "/bc-authorize")
+TOKEN_PATH = os.getenv("CAMARA_TOKEN_PATH", "/token")
+VERIFY_PATH = os.getenv("CAMARA_VERIFY_PATH", "/location/v0/verify")
 
 
 def _get_default_latitude() -> float:

hybrid-cloud-poc/python-app-demo/fetch-sovereign-svid-grpc.py

@@ -534,19 +534,19 @@ def fetch_from_workload_api_grpc(max_wait_seconds=60):
         print()
 
         # Unified-Identity - Verification: Extract Unified Identity claims from certificate extension
-        # Try new Unified Identity extension (OID 1.3.6.1.4.1.99999.2) first, then legacy (1.3.6.1.4.1.99999.1)
+        # Try Unified Identity extension (OID 1.3.6.1.4.1.55744.1.1)
         claims_json = None
         extension_claims = None
         try:
             # Try new Unified Identity extension (Verification)
-            oid = x509.ObjectIdentifier("1.3.6.1.4.1.99999.2")
+            oid = x509.ObjectIdentifier("1.3.6.1.4.1.55744.1.1")
             ext = cert.extensions.get_extension_for_oid(oid)
             ext_value = ext.value.value if hasattr(ext.value, "value") else ext.value
             extension_claims = json.loads(ext_value)
         except Exception:
             try:
                 # Fall back to legacy AttestedClaims extension (if present)
-                oid = x509.ObjectIdentifier("1.3.6.1.4.1.99999.1")
+                oid = x509.ObjectIdentifier("1.3.6.1.4.1.55744.1.1")
                 ext = cert.extensions.get_extension_for_oid(oid)
                 ext_value = ext.value.value if hasattr(ext.value, "value") else ext.value
                 extension_claims = json.loads(ext_value)

hybrid-cloud-poc/scripts/demo.sh

@@ -158,7 +158,7 @@ if [ -f "./fetch-sovereign-svid-grpc.py" ]; then
             if [ -f "${PHASE2_DIR}/dump-svid-attested-claims.sh" ]; then
                 echo "  ${PHASE2_DIR}/dump-svid-attested-claims.sh /tmp/svid-dump/svid.pem"
             else
-                echo "  openssl x509 -in /tmp/svid-dump/svid.pem -text -noout | grep -A 2 \"1.3.6.1.4.1.99999\""
+                echo "  openssl x509 -in /tmp/svid-dump/svid.pem -text -noout | grep -A 2 \"1.3.6.1.4.1.55744.1.1\""
             fi
         fi
 

hybrid-cloud-poc/scripts/dump-svid-attested-claims.sh

@@ -514,7 +514,7 @@ for idx, cert in enumerate(certs):
 
     # Check for AttestedClaims extension
     for ext in cert.extensions:
-        if ext.oid.dotted_string == "1.3.6.1.4.1.99999.1":
+        if ext.oid.dotted_string == "1.3.6.1.4.1.55744.1.1":
             attested_extension = ext
             try:
                 data = ext.value.value if hasattr(ext.value, "value") else ext.value

hybrid-cloud-poc/spire/pkg/server/credtemplate/attested_claims_extension.go

@@ -10,9 +10,8 @@ import (
 )
 
 // Unified-Identity - Verification: Hardware Integration & Delegated Certification
-// OID for AttestedClaims extension: 1.3.6.1.4.1.99999.1 (Private Enterprise Number - placeholder)
-// In production, this should use a registered OID from IANA
-var AttestedClaimsExtensionOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}
+// OID for AttestedClaims extension: 1.3.6.1.4.1.55744.1.1 (Sovereign Unified Identity Claims)
+var AttestedClaimsExtensionOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 55744, 1, 1}
 
 // AttestedClaimsExtension embeds Unified Identity claims as a certificate extension.
 // If unifiedJSON is provided it is embedded verbatim; otherwise the legacy