Hi,

 

Per https://datatracker.ietf.org/doc/html/draft-tschofenig-rats-psa-token-07 (which is the latest spec I can find for the profile 1 token):

The Certification Reference claim is used to link the class of chip and PSA RoT of the attesting device to an associated entry in the PSA Certification database. It MUST be represented as a thirteen-digit [EAN-13].

Linking to the PSA Certification entry can still be achieved if this claim is not present in the token by making an association at a Verifier between the reference value and other token claim values - for example, the Implementation ID.

psa-certification-reference-type = text .regexp "[0-9]{13}"
 
psa-certification-reference = (
    ? psa-certification-reference-key =>
        psa-certification-reference-type
)
 

 

But in the tf-m-tools repo, iat-verifier\iatverifier\psa_iot_profile1_token_claims.py checks for the PSA 2.0 profile HW version, which is EAN-13 + 5.

 

class HardwareVersionClaim(AttestationClaim):
    """Class representing a PSA Attestation Token Hardware version claim"""
    def verify(self, token_item):
        self._check_type('HARDWARE_VERSION', token_item.value, str)

        value_len = len(token_item.value)
        expected_len = 19 # 'EAN13-Version' 13 + 1 + 5. e.g.:0604565272829-10010
        if len(token_item.value) != expected_len:
            msg = 'Invalid HARDWARE_VERSION length; must be {} characters, found {} characters'
            self.verifier.error(msg.format(expected_len, value_len))
        for idx, character in enumerate(token_item.value):
            if character not in string.digits:
                if idx != 13 or character not in '-':
                    msg = 'Invalid character {} at position {}'
                    self.verifier.error(msg.format(character, idx+1))

 

It seems like this was changed 3 years ago:

SHA-1: 8ac8d17d15353c7f7933ae8065646946ae47f993

* Fix HW Version claim expected length

www.psacertified.org issuing HW versions of format '[0-9]{13}-[0-9]{5}'.

It is called 'certification reference':

https://www.psacertified.org/certified-products/

Signed-off-by: Tamas Ban <tamas.ban@arm.com>

Change-Id: I0417e1ce76896f1128864676f29a4314b3fd1fb8

 

When I run the “check_iat” script, I get these errors:

 

./scripts/check_iat -k public_key.pem -K -p -t PSA-IoT-Profile1-token cc27xx.cbor

ERROR:iat-verifiers:Invalid HARDWARE_VERSION length; must be 19 characters, found 13 characters

ERROR:iat-verifiers:Invalid character i at position 1

ERROR:iat-verifiers:Invalid character r at position 2

ERROR:iat-verifiers:Invalid character m at position 3

ERROR:iat-verifiers:Invalid character w at position 4

ERROR:iat-verifiers:Invalid character a at position 5

ERROR:iat-verifiers:Invalid character r at position 6

ERROR:iat-verifiers:Invalid character e at position 7

ERROR:iat-verifiers:Invalid character . at position 8

ERROR:iat-verifiers:Invalid character o at position 9

ERROR:iat-verifiers:Invalid character r at position 10

ERROR:iat-verifiers:Invalid character g at position 11

ERROR:iat-verifiers:Invalid character  at position 12

ERROR:iat-verifiers:Invalid character  at position 13

 

 

Is the verifier tool incorrect, or should I be following 'EAN13-Version' 13 + 1 + 5 even for a profile 1 token?

 

 

Regards,

 

Brian Quach

SimpleLink MCU

Texas Instruments Inc.

12500 TI Blvd, MS F-4000

Dallas, TX 75243

214-479-4076
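
Added example, not part of the original message and not tf-m-tools code: a Python check that classifies a claim value against the two formats discussed above (the draft-07 regexp `[0-9]{13}` and the `[0-9]{13}-[0-9]{5}` form from the commit message) and also verifies the standard EAN-13 check digit, which the quoted verifier code does not do. The function and constant names are hypothetical, and the last three sample values are constructed.

```python
import re

# draft-tschofenig-rats-psa-token-07 CDDL: text .regexp "[0-9]{13}"
EAN13_RE = re.compile(r"[0-9]{13}")
# Format cited in the tf-m-tools commit message: '[0-9]{13}-[0-9]{5}'
EAN13_VERSION_RE = re.compile(r"[0-9]{13}-[0-9]{5}")


def ean13_check_digit_ok(digits):
    """Standard EAN-13 checksum: weights 1,3,1,3,... over the first 12 digits."""
    total = sum(int(d) * (3 if i % 2 else 1) for i, d in enumerate(digits[:12]))
    return (10 - total % 10) % 10 == int(digits[12])


def classify_certification_reference(value):
    """Return (format_name, problems) for a certification reference value.

    format_name is 'ean13', 'ean13-version' or 'invalid' (hypothetical labels).
    """
    if not isinstance(value, str):
        return "invalid", ["claim must be a text string, got %s" % type(value).__name__]
    if EAN13_RE.fullmatch(value):
        name = "ean13"
    elif EAN13_VERSION_RE.fullmatch(value):
        name = "ean13-version"
    else:
        return "invalid", ["%r (length %d) matches neither format" % (value, len(value))]
    problems = []
    # Extra check beyond the regexps: the 13-digit prefix must be a valid EAN-13.
    if not ean13_check_digit_ok(value[:13]):
        problems.append("EAN-13 check digit mismatch")
    return name, problems


if __name__ == "__main__":
    samples = [
        "0604565272829-10010",  # example value from the verifier's code comment
        "0604565272829",        # constructed: same EAN-13 without the version suffix
        "0604565272828",        # constructed: last digit altered, bad check digit
        "not-an-ean-13",        # constructed: 13 characters, but not digits
    ]
    for sample in samples:
        print(sample, "->", classify_certification_reference(sample))
```

A value can be exactly 13 characters long and still fail both formats, so length and character set have to be checked together.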