Enable COSE Sign1 authentication for governance endpoints

CHANGELOG.md

@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## Unreleased
 
+### Experimental
+
+- Governance endpoints now support [COSE Sign1](https://www.rfc-editor.org/rfc/rfc8152#page-18) input, as well as signed HTTP requests (#4392).
+
 ### Removed
 
 - The functions `starts_with`, `ends_with`, `remove_prefix`, and `remove_suffix`, and the type `remove_cvref` have been removed from `nonstd::`. The C++20 equivalents should be used instead.

CMakeLists.txt

@@ -632,16 +632,25 @@ if(BUILD_TESTS)
     PYTHON_SCRIPT ${CMAKE_SOURCE_DIR}/tests/e2e_suite.py
     CONSENSUS cft
     LABEL suite
-    ADDITIONAL_ARGS --test-duration 150 --test-suite rekey_recovery
-                    --test-suite membership_recovery
+    ADDITIONAL_ARGS
+      --test-duration
+      150
+      --test-suite
+      rekey_recovery
+      --test-suite
+      membership_recovery
+      --jinja-templates-path
+      ${CMAKE_SOURCE_DIR}/samples/templates
   )
 
   add_e2e_test(
     NAME reconfiguration_test_suite
     PYTHON_SCRIPT ${CMAKE_SOURCE_DIR}/tests/e2e_suite.py
     CONSENSUS cft
     LABEL suite
-    ADDITIONAL_ARGS --test-duration 200 --test-suite reconfiguration
+    ADDITIONAL_ARGS
+      --test-duration 200 --test-suite reconfiguration --jinja-templates-path
+      ${CMAKE_SOURCE_DIR}/samples/templates
   )
 
   add_e2e_test(
@@ -658,6 +667,8 @@ if(BUILD_TESTS)
       200
       --test-suite
       all
+      --jinja-templates-path
+      ${CMAKE_SOURCE_DIR}/samples/templates
   )
 
   add_e2e_test(

doc/audit/builtin_maps.rst

@@ -365,14 +365,23 @@ Service constitution: JavaScript module, exporting ``validate()``, ``resolve()``
 ``history``
 ~~~~~~~~~~~
 
-Governance history of the service, captures all governance requests submitted by members.
+Governance history of the service, captures signed governance requests submitted by members.
 
 **Key** Member ID: SHA-256 fingerprint of the member certificate, represented as a hex-encoded string.
 
 **Value** Represented as JSON.
 
 See :cpp:struct:`ccf::SignedReq`
 
+``cose_history``
+~~~~~~~~~~~~~~~~
+
+Governance history of the service, captures all COSE Sign 1 governance requests submitted by members.
+
+**Key** Member ID: SHA-256 fingerprint of the member certificate, represented as a hex-encoded string.
+
+**Value** COSE Sign1
+
 ``public:ccf.internal.``
 ------------------------
 

doc/schemas/gov_openapi.json

@@ -463,6 +463,11 @@
       }
     },
     "securitySchemes": {
+      "member_cose_sign1": {
+        "description": "Request payload must be a COSE Sign1 document, with expected protected headers.Signer must be a member identity registered with this service.",
+        "scheme": "cose_sign1",
+        "type": "http"
+      },
       "member_signature": {
         "description": "Request must be signed according to the HTTP Signature scheme. The signer must be a member identity registered with this service.",
         "scheme": "signature",
@@ -487,7 +492,7 @@
   "info": {
     "description": "This API is used to submit and query proposals which affect CCF's public governance tables.",
     "title": "CCF Governance API",
-    "version": "2.9.8"
+    "version": "2.11.0"
   },
   "openapi": "3.0.0",
   "paths": {
@@ -514,6 +519,9 @@
         "security": [
           {
             "member_signature": []
+          },
+          {
+            "member_cose_sign1": []
           }
         ],
         "x-ccf-forwarding": {
@@ -541,6 +549,9 @@
         "security": [
           {
             "member_signature": []
+          },
+          {
+            "member_cose_sign1": []
           }
         ],
         "x-ccf-forwarding": {
@@ -729,11 +740,6 @@
             "$ref": "#/components/responses/default"
           }
         },
-        "security": [
-          {
-            "member_signature": []
-          }
-        ],
         "x-ccf-forwarding": {
           "$ref": "#/components/x-ccf-forwarding/sometimes"
         }
@@ -767,6 +773,9 @@
         "security": [
           {
             "member_signature": []
+          },
+          {
+            "member_cose_sign1": []
           }
         ],
         "x-ccf-forwarding": {
@@ -791,11 +800,6 @@
             "$ref": "#/components/responses/default"
           }
         },
-        "security": [
-          {
-            "member_signature": []
-          }
-        ],
         "x-ccf-forwarding": {
           "$ref": "#/components/x-ccf-forwarding/sometimes"
         }
@@ -828,11 +832,6 @@
             "$ref": "#/components/responses/default"
           }
         },
-        "security": [
-          {
-            "member_signature": []
-          }
-        ],
         "x-ccf-forwarding": {
           "$ref": "#/components/x-ccf-forwarding/sometimes"
         }
@@ -888,6 +887,9 @@
         "security": [
           {
             "member_signature": []
+          },
+          {
+            "member_cose_sign1": []
           }
         ],
         "x-ccf-forwarding": {
@@ -912,11 +914,6 @@
             "$ref": "#/components/responses/default"
           }
         },
-        "security": [
-          {
-            "member_signature": []
-          }
-        ],
         "x-ccf-forwarding": {
           "$ref": "#/components/x-ccf-forwarding/sometimes"
         }
@@ -970,6 +967,9 @@
         "security": [
           {
             "member_signature": []
+          },
+          {
+            "member_cose_sign1": []
           }
         ],
         "x-ccf-forwarding": {
@@ -1029,6 +1029,9 @@
         "security": [
           {
             "member_signature": []
+          },
+          {
+            "member_cose_sign1": []
           }
         ],
         "x-ccf-forwarding": {
@@ -1064,6 +1067,9 @@
         "security": [
           {
             "member_signature": []
+          },
+          {
+            "member_cose_sign1": []
           }
         ],
         "x-ccf-forwarding": {

include/ccf/service/tables/members.h

@@ -109,6 +109,9 @@ namespace ccf
     /// Signed request containing the last state digest.
     std::optional<SignedReq> signed_req = std::nullopt;
 
+    /// COSE Sign1 containing the last state digest
+    std::optional<std::vector<uint8_t>> cose_sign1_req = std::nullopt;
+
     MemberAck() {}
 
     MemberAck(const crypto::Sha256Hash& root) : StateDigest(root) {}
@@ -117,14 +120,21 @@ namespace ccf
       StateDigest(root),
       signed_req(signed_req_)
     {}
+
+    MemberAck(
+      const crypto::Sha256Hash& root,
+      const std::vector<uint8_t>& cose_sign1_req_) :
+      StateDigest(root),
+      cose_sign1_req(cose_sign1_req_)
+    {}
   };
   DECLARE_JSON_TYPE_WITH_BASE_AND_OPTIONAL_FIELDS(MemberAck, StateDigest)
 #pragma clang diagnostic push
 #pragma clang diagnostic ignored "-Wunused-parameter"
 #pragma clang diagnostic ignored "-Wgnu-zero-variadic-macro-arguments"
   DECLARE_JSON_REQUIRED_FIELDS(MemberAck)
 #pragma clang diagnostic pop
-  DECLARE_JSON_OPTIONAL_FIELDS(MemberAck, signed_req)
+  DECLARE_JSON_OPTIONAL_FIELDS(MemberAck, signed_req, cose_sign1_req)
   using MemberAcks = ServiceMap<MemberId, MemberAck>;
   namespace Tables
   {