Hi,
Per https://datatracker.ietf.org/doc/html/draft-tschofenig-rats-psa-token-07 (which is latest spec I can find for profile 1 token):
The Certification Reference claim is used to link the class of chip and PSA RoT of the attesting device to an associated entry in the PSA Certification database. It MUST be represented as a thirteen-digit [EAN-13https://www.gs1.org/standards/barcodes/ean-upc].¶https://datatracker.ietf.org/doc/html/draft-tschofenig-rats-psa-token-07#section-3.2.3-1
Linking to the PSA Certification entry can still be achieved if this claim is not present in the token by making an association at a Verifier between the reference value and other token claim values - for example, the Implementation ID.¶https://datatracker.ietf.org/doc/html/draft-tschofenig-rats-psa-token-07#section-3.2.3-2
psa-certification-reference-type = text .regexp "[0-9]{13}"
psa-certification-reference = (
? psa-certification-reference-key =>
psa-certification-reference-type
)
But in the tf-m-tools repo:
iat-verifier\iatverifier\psa_iot_profile1_token_claims.py it checks for PSA 2.0 profile HW version which is EAN-13 + 5.
class HardwareVersionClaim(AttestationClaim): """Class representing a PSA Attestation Token Hardware version claim""" def verify(self, token_item): self._check_type('HARDWARE_VERSION', token_item.value, str)
value_len = len(token_item.value) expected_len = 19 # 'EAN13-Version' 13 + 1 + 5. e.g.:0604565272829-10010 if len(token_item.value) != expected_len: msg = 'Invalid HARDWARE_VERSION length; must be {} characters, found {} characters' self.verifier.error(msg.format(expected_len, value_len)) for idx, character in enumerate(token_item.value): if character not in string.digits: if idx != 13 or character not in '-': msg = 'Invalid character {} at position {}' self.verifier.error(msg.format(character, idx+1))
It seems like this was changed 3yrs ago: SHA-1: 8ac8d17d15353c7f7933ae8065646946ae47f993 * Fix HW Version claim expected length www.psacertified.org issuing HW versions of format '[0-9]{13}-[0-9]{5}'. It is called 'certification reference': https://www.psacertified.org/certified-products/ Signed-off-by: Tamas Ban tamas.ban@arm.com Change-Id: I0417e1ce76896f1128864676f29a4314b3fd1fb8
When I run "check_iat" script, I get these errors:
./scripts/check_iat -k public_key.pem -K -p -t PSA-IoT-Profile1-token cc27xx.cbor ERROR:iat-verifiers:Invalid HARDWARE_VERSION length; must be 19 characters, found 13 characters ERROR:iat-verifiers:Invalid character i at position 1 ERROR:iat-verifiers:Invalid character r at position 2 ERROR:iat-verifiers:Invalid character m at position 3 ERROR:iat-verifiers:Invalid character w at position 4 ERROR:iat-verifiers:Invalid character a at position 5 ERROR:iat-verifiers:Invalid character r at position 6 ERROR:iat-verifiers:Invalid character e at position 7 ERROR:iat-verifiers:Invalid character . at position 8 ERROR:iat-verifiers:Invalid character o at position 9 ERROR:iat-verifiers:Invalid character r at position 10 ERROR:iat-verifiers:Invalid character g at position 11 ERROR:iat-verifiers:Invalid character at position 12 ERROR:iat-verifiers:Invalid character at position 13
Is the verifier tool incorrect or should I be following "EAN13-Version' 13 + 1 + 5" even for profile 1 token?
Regards,
Brian Quach SimpleLink MCU Texas Instruments Inc. 12500 TI Blvd, MS F-4000 Dallas, TX 75243 214-479-4076
Hi Brian,
The PSA_IOT_PROFILE_1 profile is actually deprecated and has been superseded by the PSA 2.0 profile. We intended to remove support for it last year, but were unable to do so due to incompatibility with the psa-arch test suite.
Strictly speaking, the iat-verifier should still accept tokens using the EAN-13 format, as noted here: https://datatracker.ietf.org/doc/html/draft-tschofenig-rats-psa-token-24#nam...
However, once the version incompatibility between TF-M and psa-arch is resolved, we will proceed with removing support for PSA_IOT_PROFILE_1.
Do you plan to migrate to the new profile? Do you have any concerns about the removal of support for PSA_IOT_PROFILE_1?
We shared this plan on the mailing list previously, but so far haven't received any feedback.
Best regards, Tamas
From: Quach, Brian via TF-M tf-m@lists.trustedfirmware.org Sent: Monday, May 12, 2025 10:12 PM To: tf-m@lists.trustedfirmware.org Subject: [TF-M] PSA_IOT_PROFILE_1 attestation Certification Reference
Hi,
Per https://datatracker.ietf.org/doc/html/draft-tschofenig-rats-psa-token-07 (which is latest spec I can find for profile 1 token):
The Certification Reference claim is used to link the class of chip and PSA RoT of the attesting device to an associated entry in the PSA Certification database. It MUST be represented as a thirteen-digit [EAN-13https://www.gs1.org/standards/barcodes/ean-upc].¶https://datatracker.ietf.org/doc/html/draft-tschofenig-rats-psa-token-07#section-3.2.3-1
Linking to the PSA Certification entry can still be achieved if this claim is not present in the token by making an association at a Verifier between the reference value and other token claim values - for example, the Implementation ID.¶https://datatracker.ietf.org/doc/html/draft-tschofenig-rats-psa-token-07#section-3.2.3-2
psa-certification-reference-type = text .regexp "[0-9]{13}"
psa-certification-reference = (
? psa-certification-reference-key =>
psa-certification-reference-type
)
But in the tf-m-tools repo:
iat-verifier\iatverifier\psa_iot_profile1_token_claims.py it checks for PSA 2.0 profile HW version which is EAN-13 + 5.
class HardwareVersionClaim(AttestationClaim): """Class representing a PSA Attestation Token Hardware version claim""" def verify(self, token_item): self._check_type('HARDWARE_VERSION', token_item.value, str)
value_len = len(token_item.value) expected_len = 19 # 'EAN13-Version' 13 + 1 + 5. e.g.:0604565272829-10010 if len(token_item.value) != expected_len: msg = 'Invalid HARDWARE_VERSION length; must be {} characters, found {} characters' self.verifier.error(msg.format(expected_len, value_len)) for idx, character in enumerate(token_item.value): if character not in string.digits: if idx != 13 or character not in '-': msg = 'Invalid character {} at position {}' self.verifier.error(msg.format(character, idx+1))
It seems like this was changed 3yrs ago: SHA-1: 8ac8d17d15353c7f7933ae8065646946ae47f993
* Fix HW Version claim expected length
www.psacertified.orghttp://www.psacertified.org issuing HW versions of format '[0-9]{13}-[0-9]{5}'. It is called 'certification reference': https://www.psacertified.org/certified-products/
Signed-off-by: Tamas Ban <tamas.ban@arm.commailto:tamas.ban@arm.com> Change-Id: I0417e1ce76896f1128864676f29a4314b3fd1fb8
When I run "check_iat" script, I get these errors:
./scripts/check_iat -k public_key.pem -K -p -t PSA-IoT-Profile1-token cc27xx.cbor ERROR:iat-verifiers:Invalid HARDWARE_VERSION length; must be 19 characters, found 13 characters ERROR:iat-verifiers:Invalid character i at position 1 ERROR:iat-verifiers:Invalid character r at position 2 ERROR:iat-verifiers:Invalid character m at position 3 ERROR:iat-verifiers:Invalid character w at position 4 ERROR:iat-verifiers:Invalid character a at position 5 ERROR:iat-verifiers:Invalid character r at position 6 ERROR:iat-verifiers:Invalid character e at position 7 ERROR:iat-verifiers:Invalid character . at position 8 ERROR:iat-verifiers:Invalid character o at position 9 ERROR:iat-verifiers:Invalid character r at position 10 ERROR:iat-verifiers:Invalid character g at position 11 ERROR:iat-verifiers:Invalid character at position 12 ERROR:iat-verifiers:Invalid character at position 13
Is the verifier tool incorrect or should I be following "EAN13-Version' 13 + 1 + 5" even for profile 1 token?
Regards,
Brian Quach SimpleLink MCU Texas Instruments Inc. 12500 TI Blvd, MS F-4000 Dallas, TX 75243 214-479-4076
tf-m@lists.trustedfirmware.org
-
Quach, Brian -
Tamas Ban