Add ADAC 1.1 serialization, validation, and CLI support #9
Merged
- Parse and validate certificate policies from configuration file, allowing nonzero values only for ADAC 1.1 certificates.
- Emit policies from online and offline certificate signing flows.
- Report the effective policy bitmask during verification when it is nonzero.
Signed-off-by: Mathias Brossard <mathias.brossard@arm.com>

- Add explicit little-endian serialization and deserialization helpers for certificate, token, and TLV headers.
- Centralize validation of header versions, reserved fields, crypto consistency, and ADAC 1.0 policy constraints.
- Keep the old packed-layout path temporarily behind the serialization feature boundary.
Signed-off-by: Mathias Brossard <mathias.brossard@arm.com>

- Remove the native packed-layout serialization fallback and the associated feature gating.
- Route certificate, token, and TLV encoding through the explicit serialization helpers unconditionally.
- Rename serialized-size constants to the simpler SIZE form.
Signed-off-by: Mathias Brossard <mathias.brossard@arm.com>

- Replace the public deterministic constructor with an explicitly named test-only constructor.
- Gate deterministic signing behind hazmat-deterministic so normal consumers cannot accidentally enable deterministic RSA-PSS signing.
- Enable the hazmat feature only for tests that require byte-for-byte stable signatures.
Signed-off-by: Mathias Brossard <mathias.brossard@arm.com>

- Update TLV headers to include ADAC 1.1 flags, including the critical-extension flag.
- Add shared TLV sequence parsing that advances over padded values and rejects nonzero padding.
- Use the shared parser for certificate-chain decoding so TLV padding and alignment rules are applied consistently.
Signed-off-by: Mathias Brossard <mathias.brossard@arm.com>

- Add encoding validators for TLV sequences, certificate chains, individual certificates, and tokens.
- Report all detectable encoding issues with byte offsets and context instead of failing at the first parse error.
- Cover malformed TLVs, invalid padding, token header issues, and nested certificate/token extension encodings.
Signed-off-by: Mathias Brossard <mathias.brossard@arm.com>
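
The two commits above describe TLV sequence parsing that rejects nonzero padding and unknown flag bits, and validators that report every issue with its byte offset. The sketch below is an added example, not code from this PR: the 8-byte header layout, the 4-byte alignment, the `FLAG_CRITICAL` bit position and the name `validate_tlv_sequence` are all assumptions made for illustration.

```rust
/// (byte offset, description) of one encoding problem.
pub type Issue = (usize, &'static str);

// ASSUMED layout (not taken from the PR): 8-byte little-endian header of
// type_id: u16, flags: u16, length: u32; value zero-padded to 4 bytes.
const HEADER_SIZE: usize = 8;
const FLAG_CRITICAL: u16 = 0x0001; // hypothetical bit position
const KNOWN_FLAGS: u16 = FLAG_CRITICAL;

/// Walk a TLV sequence and collect every detectable issue instead of
/// stopping at the first one. `v1_1` selects ADAC 1.1 flag rules.
pub fn validate_tlv_sequence(buf: &[u8], v1_1: bool) -> Vec<Issue> {
    let mut issues = Vec::new();
    let mut off = 0usize;
    while off < buf.len() {
        if buf.len() - off < HEADER_SIZE {
            issues.push((off, "truncated TLV header"));
            break;
        }
        let flags = u16::from_le_bytes([buf[off + 2], buf[off + 3]]);
        let len = u32::from_le_bytes([buf[off + 4], buf[off + 5], buf[off + 6], buf[off + 7]]) as usize;
        if !v1_1 && flags != 0 {
            issues.push((off + 2, "TLV flags set in ADAC 1.0 artifact"));
        } else if flags & !KNOWN_FLAGS != 0 {
            issues.push((off + 2, "unknown TLV flag bits"));
        }
        let value_start = off + HEADER_SIZE;
        // Checked arithmetic: an oversized length must not wrap the cursor.
        let padded = len.checked_add(3).map(|n| n & !3);
        let padded_end = match padded.and_then(|n| value_start.checked_add(n)) {
            Some(end) if end <= buf.len() => end,
            _ => {
                issues.push((off + 4, "TLV length exceeds buffer"));
                break; // cannot resynchronise without a trustworthy length
            }
        };
        let value_end = value_start + len;
        if let Some(i) = buf[value_end..padded_end].iter().position(|&b| b != 0) {
            issues.push((value_end + i, "nonzero padding"));
        }
        off = padded_end;
    }
    issues
}

fn main() {
    // Constructed sample: nonzero padding in TLV 0, unknown flag bit in TLV 1.
    let buf: &[u8] = &[1, 0, 0, 0, 1, 0, 0, 0, 0xAA, 0, 1, 0, 2, 0, 0, 0x80, 0, 0, 0, 0];
    for (offset, what) in validate_tlv_sequence(buf, true) {
        println!("offset {offset}: {what}");
    }
}
```
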
- Introduce a reusable chain validator that tracks certificate order, role constraints, signatures, and effective chain constraints.
- Rework adac-cli verify and verify_chain to use the shared validation logic.
- Add token validation through the same validator so token permissions are combined with the effective certificate-chain constraints.
Signed-off-by: Mathias Brossard <mathias.brossard@arm.com>

- Split adac-cli command implementation into a library-backed binary so command functions can be tested from integration tests.
- Move most command-level tests out of module unit tests and into adac-cli/tests.
- Add shared integration-test scaffolding for certificate chains, token signing, offline signing, and verify diagnostics.
Signed-off-by: Mathias Brossard <mathias.brossard@arm.com>

- Add verify --strict to enable stricter diagnostic checks for token validation and critical extensions.
- Reject ADAC 1.0 artifacts that carry ADAC 1.1 TLV flags and reject unknown TLV flag bits.
- Distinguish token signature verification from full token validation when the certificate chain is invalid.
Signed-off-by: Mathias Brossard <mathias.brossard@arm.com>

- Add structured extension syntax for certificate and token config, while retaining legacy base16 TLV input.
- Support critical token soc_id extensions and fold them into effective verification output.
- Add CLI shell coverage for effective constraints, token SoC ID extensions, and offline token signing.
Signed-off-by: Mathias Brossard <mathias.brossard@arm.com>
Reject TOML section-level certificate policies when the value is present but not an integer instead of silently treating it as zero. Reported-by: Metis (https://github.com/arm/metis) Signed-off-by: Mathias Brossard <mathias.brossard@arm.com>
Reject TOML section-level certificate policies when the value is present but not an integer instead of silently treating it as zero. Reported-by: Metis (https://github.com/arm/metis) Signed-off-by: Mathias Brossard <mathias.brossard@arm.com>
Make the helper for deterministic RSA-PSS test output crate-private to avoid it being used by outside tests by mistake. Reported-by: Metis (https://github.com/arm/metis) Signed-off-by: Mathias Brossard <mathias.brossard@arm.com>
Move RSA modulus sizing policy into the shared adac crate and use it from RustCrypto, PKCS11, and public-key parsing paths. The shared policy keeps ADAC RSA public-key encodings fixed-width while accepting decoded RSA modulus bit lengths within a one-byte leading-bit tolerance for 3072-bit and 4096-bit profiles. Reject mismatched RSA private keys on load/import and clean up the public PKCS11 object if private-object creation fails. Reported-by: Metis (https://github.com/arm/metis) Signed-off-by: Mathias Brossard <mathias.brossard@arm.com>
Align adac-crypto key loading with the shared RSA profile policy introduced for provider validation. Decode RSA PKCS8 private keys and infer the ADAC RSA profile from the actual modulus size instead of relying on representation-dependent private-key DER payload lengths. Reported-by: Metis (https://github.com/arm/metis) Signed-off-by: Mathias Brossard <mathias.brossard@arm.com>
Align adac-crypto key loading with the shared RSA profile policy introduced for provider validation. Decode RSA PKCS8 private keys and infer the ADAC RSA profile from the actual modulus size instead of relying on representation-dependent private-key DER payload lengths. Reported-by: Metis (https://github.com/arm/metis) Signed-off-by: Mathias Brossard <mathias.brossard@arm.com>
Derive the Ed448 public key from the PKCS8 private key material and use that derived value for SPKI and ADAC public-key output. If the PKCS8 structure also embeds a public key, validate that it matches the derived key and reject mismatched keypairs to avoid private/public key-binding confusion. Reported-by: Metis (https://github.com/arm/metis) Signed-off-by: Mathias Brossard <mathias.brossard@arm.com>
Avoid duplicated versions of the crate. Signed-off-by: Mathias Brossard <mathias.brossard@arm.com>
Signed-off-by: Mathias Brossard <mathias.brossard@arm.com>
Update the RustCrypto ed448 (0.5.0) and ml-dsa (0.1.0) from release candidates to their stable releases. Signed-off-by: Mathias Brossard <mathias.brossard@arm.com>
Signed-off-by: Mathias Brossard <mathias.brossard@arm.com>
CaseyHillers (Collaborator) approved these changes on Jun 5, 2026 and left a comment:
LGTM! Thanks for moving the tests to a dedicated directory. It made it much easier to review these PRs.
This PR adds ADAC 1.1 support and tightens encoding, validation, and CLI verification behavior. The main changes are:
- adac-cli verify --strict for stricter local diagnostics, including requiring token validation to terminate at a leaf certificate and rejecting unknown/unprocessed critical extensions.
- soc_id extension support.
- hazmat-deterministic feature.
- adac-cli command tests into integration tests and add shell coverage for CLI/offline flows.
- hybrid-array dependency versions to avoid duplicate versions.
- aws-lc-rs to 1.17.0 and aws-lc-sys to 0.41.0.
- ed448 and ml-dsa dependencies from release candidates to stable versions.
- cli-test.sh to CI/check coverage.

A few fixes raised by Metis:
- policies values in TOML instead of silently treating malformed values as zero.