cddlc 0.1.0 → 0.1.2

data/data/rfc8927.cddl

@@ -0,0 +1,96 @@
+
+; root-schema is identical to schema, but additionally allows for
+; definitions.
+;
+; definitions are prohibited from appearing on non-root schemas.
+root-schema = {
+  ? definitions: { * tstr => { schema}},
+  schema,
+}
+; schema is the main CDDL rule defining a JTD schema.
+;
+; All JTD schemas are JSON objects taking on one of eight forms
+; listed here.
+schema = (
+  ref //
+  type //
+  enum //
+  elements //
+  properties //
+  values //
+  discriminator //
+  empty //
+)
+; shared is a CDDL rule containing properties that all eight schema
+; forms share.
+shared = (
+  ? metadata: { * tstr => any },
+  ? nullable: bool,
+)
+; empty describes the "empty" schema form.
+empty = shared
+; ref describes the "ref" schema form.
+;
+; There are additional constraints on this form that cannot be
+; expressed in CDDL. Section 2.2.2 describes these additional
+; constraints in detail.
+ref = ( ref: tstr, shared )
+; type describes the "type" schema form.
+type = (
+  type: "boolean"
+    / "float32"
+    / "float64"
+    / "int8"
+    / "uint8"
+    / "int16"
+    / "uint16"
+    / "int32"
+    / "uint32"
+    / "string"
+    / "timestamp",
+  shared,
+)
+; enum describes the "enum" schema form.
+;
+; There are additional constraints on this form that cannot be
+; expressed in CDDL. Section 2.2.4 describes these additional
+; constraints in detail.
+enum = ( enum: [+ tstr], shared )
+; elements describes the "elements" schema form.
+elements = ( elements: { schema }, shared )
+; properties describes the "properties" schema form.
+;
+; This CDDL rule is defined so that a schema of the "properties" form
+; may omit a member named "properties" or a member named
+; "optionalProperties", but not both.
+;
+; There are additional constraints on this form that cannot be
+; expressed in CDDL. Section 2.2.6 describes these additional
+; constraints in detail.
+properties = (with-properties // with-optional-properties)
+with-properties = (
+  properties: { * tstr => { schema }},
+  ? optionalProperties: { * tstr => { schema }},
+  ? additionalProperties: bool,
+  shared,
+)
+with-optional-properties = (
+  ? properties: { * tstr => { schema }},
+  optionalProperties: { * tstr => { schema }},
+  ? additionalProperties: bool,
+  shared,
+)
+; values describes the "values" schema form.
+values = ( values: { schema }, shared )
+; discriminator describes the "discriminator" schema form.
+;
+; There are additional constraints on this form that cannot be
+; expressed in CDDL. Section 2.2.8 describes these additional
+; constraints in detail.
+discriminator = (
+  discriminator: tstr,
+  ; Note well: this rule is defined in terms of the "properties"
+  ; CDDL rule, not the "schema" CDDL rule.
+  mapping: { * tstr => { properties } }
+  shared,
+)

data/data/rfc8990.cddl

@@ -0,0 +1,213 @@
+
+  grasp-message = (message .within message-structure) / noop-message
+
+  message-structure = [MESSAGE_TYPE, session-id, ?initiator,
+                       *grasp-option]
+
+  MESSAGE_TYPE = 0..255
+  session-id = 0..4294967295 ; up to 32 bits
+  grasp-option = any
+
+
+  discovery-message = [M_DISCOVERY, session-id, initiator, objective]
+
+
+  response-message = [M_RESPONSE, session-id, initiator, ttl,
+                      (+locator-option // divert-option), ?objective]
+
+  ttl = 0..4294967295 ; in milliseconds
+
+
+request-negotiation-message = [M_REQ_NEG, session-id, objective]
+
+request-synchronization-message = [M_REQ_SYN, session-id, objective]
+
+
+  negotiation-message = [M_NEGOTIATE, session-id, objective]
+
+
+  end-message = [M_END, session-id, accept-option / decline-option]
+
+
+  wait-message = [M_WAIT, session-id, waiting-time]
+  waiting-time = 0..4294967295 ; in milliseconds
+
+
+  synch-message = [M_SYNCH, session-id, objective]
+
+
+  flood-message = [M_FLOOD, session-id, initiator, ttl,
+                   +[objective, (locator-option / [])]]
+
+  ttl = 0..4294967295 ; in milliseconds
+
+
+  invalid-message = [M_INVALID, session-id, ?any]
+
+
+  noop-message = [M_NOOP]
+
+
+  divert-option = [O_DIVERT, +locator-option]
+
+
+  accept-option = [O_ACCEPT]
+
+
+  decline-option = [O_DECLINE, ?reason]
+  reason = text  ; optional UTF-8 error message
+
+
+  ipv6-locator-option = [O_IPv6_LOCATOR, ipv6-address,
+                         transport-proto, port-number]
+  ipv6-address = bytes .size 16
+
+  transport-proto = IPPROTO_TCP / IPPROTO_UDP
+  IPPROTO_TCP = 6
+  IPPROTO_UDP = 17
+  port-number = 0..65535
+
+
+  ipv4-locator-option = [O_IPv4_LOCATOR, ipv4-address,
+                         transport-proto, port-number]
+  ipv4-address = bytes .size 4
+
+
+  fqdn-locator-option = [O_FQDN_LOCATOR, text,
+                         transport-proto, port-number]
+
+
+  uri-locator-option = [O_URI_LOCATOR, text,
+                        transport-proto / null, port-number / null]
+
+
+objective = [objective-name, objective-flags,
+             loop-count, ?objective-value]
+
+objective-name = text
+objective-value = any
+loop-count = 0..255
+
+
+  objective-flags = uint .bits objective-flag
+  objective-flag = &(
+    F_DISC: 0    ; valid for discovery
+    F_NEG: 1     ; valid for negotiation
+    F_SYNCH: 2   ; valid for synchronization
+    F_NEG_DRY: 3 ; negotiation is a dry run
+  )
+
+
+grasp-message = (message .within message-structure) / noop-message
+
+message-structure = [MESSAGE_TYPE, session-id, ?initiator,
+                     *grasp-option]
+
+MESSAGE_TYPE = 0..255
+session-id = 0..4294967295 ; up to 32 bits
+grasp-option = any
+
+message /= discovery-message
+discovery-message = [M_DISCOVERY, session-id, initiator, objective]
+
+message /= response-message ; response to Discovery
+response-message = [M_RESPONSE, session-id, initiator, ttl,
+                    (+locator-option // divert-option), ?objective]
+
+message /= synch-message ; response to Synchronization request
+synch-message = [M_SYNCH, session-id, objective]
+
+message /= flood-message
+flood-message = [M_FLOOD, session-id, initiator, ttl,
+                 +[objective, (locator-option / [])]]
+
+message /= request-negotiation-message
+request-negotiation-message = [M_REQ_NEG, session-id, objective]
+
+message /= request-synchronization-message
+request-synchronization-message = [M_REQ_SYN, session-id, objective]
+
+message /= negotiation-message
+negotiation-message = [M_NEGOTIATE, session-id, objective]
+
+message /= end-message
+end-message = [M_END, session-id, accept-option / decline-option]
+
+message /= wait-message
+wait-message = [M_WAIT, session-id, waiting-time]
+
+message /= invalid-message
+invalid-message = [M_INVALID, session-id, ?any]
+
+noop-message = [M_NOOP]
+
+divert-option = [O_DIVERT, +locator-option]
+
+accept-option = [O_ACCEPT]
+
+decline-option = [O_DECLINE, ?reason]
+reason = text  ; optional UTF-8 error message
+
+waiting-time = 0..4294967295 ; in milliseconds
+ttl = 0..4294967295 ; in milliseconds
+
+locator-option /= [O_IPv4_LOCATOR, ipv4-address,
+                   transport-proto, port-number]
+ipv4-address = bytes .size 4
+
+locator-option /= [O_IPv6_LOCATOR, ipv6-address,
+                   transport-proto, port-number]
+ipv6-address = bytes .size 16
+
+locator-option /= [O_FQDN_LOCATOR, text, transport-proto,
+                   port-number]
+
+locator-option /= [O_URI_LOCATOR, text,
+                   transport-proto / null, port-number / null]
+
+transport-proto = IPPROTO_TCP / IPPROTO_UDP
+IPPROTO_TCP = 6
+IPPROTO_UDP = 17
+port-number = 0..65535
+
+initiator = ipv4-address / ipv6-address
+
+objective-flags = uint .bits objective-flag
+
+objective-flag = &(
+  F_DISC: 0    ; valid for discovery
+  F_NEG: 1     ; valid for negotiation
+  F_SYNCH: 2   ; valid for synchronization
+  F_NEG_DRY: 3 ; negotiation is a dry run
+)
+
+objective = [objective-name, objective-flags,
+             loop-count, ?objective-value]
+
+objective-name = text ; see section "Format of Objective Options"
+
+objective-value = any
+
+loop-count = 0..255
+
+; Constants for message types and option types
+
+M_NOOP = 0
+M_DISCOVERY = 1
+M_RESPONSE = 2
+M_REQ_NEG = 3
+M_REQ_SYN = 4
+M_NEGOTIATE = 5
+M_END = 6
+M_WAIT = 7
+M_SYNCH = 8
+M_FLOOD = 9
+M_INVALID = 99
+
+O_DIVERT = 100
+O_ACCEPT = 101
+O_DECLINE = 102
+O_IPv6_LOCATOR = 103
+O_IPv4_LOCATOR = 104
+O_FQDN_LOCATOR = 105
+O_URI_LOCATOR = 106

data/data/rfc9052.cddl

@@ -0,0 +1,154 @@
+
+start = COSE_Messages / COSE_Key / COSE_KeySet / Internal_Types
+
+; This is defined to make the tool quieter:
+Internal_Types = Sig_structure / Enc_structure / MAC_structure
+
+
+label = int / tstr
+values = any
+
+
+COSE_Messages = COSE_Untagged_Message / COSE_Tagged_Message
+
+COSE_Untagged_Message = COSE_Sign / COSE_Sign1 /
+    COSE_Encrypt / COSE_Encrypt0 /
+    COSE_Mac / COSE_Mac0
+
+COSE_Tagged_Message = COSE_Sign_Tagged / COSE_Sign1_Tagged /
+    COSE_Encrypt_Tagged / COSE_Encrypt0_Tagged /
+    COSE_Mac_Tagged / COSE_Mac0_Tagged
+
+
+Headers = (
+    protected : empty_or_serialized_map,
+    unprotected : header_map
+)
+
+header_map = {
+    Generic_Headers,
+    * label => values
+}
+
+empty_or_serialized_map = bstr .cbor header_map / bstr .size 0
+
+
+
+Generic_Headers = (
+    ? 1 => int / tstr,  ; algorithm identifier
+    ? 2 => [+label],    ; criticality
+    ? 3 => tstr / int,  ; content type
+    ? 4 => bstr,        ; key identifier
+    ? ( 5 => bstr //    ; IV
+        6 => bstr )     ; Partial IV
+)
+
+
+COSE_Sign_Tagged = #6.98(COSE_Sign)
+
+
+COSE_Sign = [
+    Headers,
+    payload : bstr / nil,
+    signatures : [+ COSE_Signature]
+]
+
+
+COSE_Signature =  [
+    Headers,
+    signature : bstr
+]
+
+
+COSE_Sign1_Tagged = #6.18(COSE_Sign1)
+
+
+COSE_Sign1 = [
+    Headers,
+    payload : bstr / nil,
+    signature : bstr
+]
+
+
+Sig_structure = [
+    context : "Signature" / "Signature1",
+    body_protected : empty_or_serialized_map,
+    ? sign_protected : empty_or_serialized_map,
+    external_aad : bstr,
+    payload : bstr
+]
+
+
+COSE_Encrypt_Tagged = #6.96(COSE_Encrypt)
+
+
+COSE_Encrypt = [
+    Headers,
+    ciphertext : bstr / nil,
+    recipients : [+COSE_recipient]
+]
+
+
+COSE_recipient = [
+    Headers,
+    ciphertext : bstr / nil,
+    ? recipients : [+COSE_recipient]
+]
+
+
+COSE_Encrypt0_Tagged = #6.16(COSE_Encrypt0)
+
+
+COSE_Encrypt0 = [
+    Headers,
+    ciphertext : bstr / nil,
+]
+
+
+Enc_structure = [
+    context : "Encrypt" / "Encrypt0" / "Enc_Recipient" /
+        "Mac_Recipient" / "Rec_Recipient",
+    protected : empty_or_serialized_map,
+    external_aad : bstr
+]
+
+
+COSE_Mac_Tagged = #6.97(COSE_Mac)
+
+
+COSE_Mac = [
+   Headers,
+   payload : bstr / nil,
+   tag : bstr,
+   recipients : [+COSE_recipient]
+]
+
+
+COSE_Mac0_Tagged = #6.17(COSE_Mac0)
+
+
+COSE_Mac0 = [
+   Headers,
+   payload : bstr / nil,
+   tag : bstr,
+]
+
+
+MAC_structure = [
+     context : "MAC" / "MAC0",
+     protected : empty_or_serialized_map,
+     external_aad : bstr,
+     payload : bstr
+]
+
+
+COSE_Key = {
+    1 => tstr / int,          ; kty
+    ? 2 => bstr,              ; kid
+    ? 3 => tstr / int,        ; alg
+    ? 4 => [+ (tstr / int) ], ; key_ops
+    ? 5 => bstr,              ; Base IV
+    * label => values
+}
+
+COSE_KeySet = [+COSE_Key]

data/data/rfc9053.cddl

@@ -0,0 +1,21 @@
+
+COSE_KDF_Context = [
+    AlgorithmID : int / tstr,
+    PartyUInfo : [ PartyInfo ],
+    PartyVInfo : [ PartyInfo ],
+    SuppPubInfo : [
+        keyDataLength : uint,
+        protected : empty_or_serialized_map,
+        ? other : bstr
+    ],
+    ? SuppPrivInfo : bstr
+]
+
+
+PartyInfo = (
+    identity : bstr / nil,
+    nonce : bstr / int / nil,
+    other : bstr / nil
+)
+
+;# import rfc9052

data/data/rfc9054.cddl

@@ -0,0 +1,13 @@
+
+COSE_Hash_V = (
+    1 : int / tstr, ; Algorithm identifier
+    2 : bstr, ; Hash value
+    ? 3 : tstr, ; Location of object that was hashed
+    ? 4 : any   ; object containing other details and things
+    )
+
+
+COSE_Hash_Find = [
+    hashAlg : int / tstr,
+    hashValue : bstr
+]

data/data/rfc9090.cddl

@@ -0,0 +1,14 @@
+
+; country-rdn = {country-oid => country-value}
+; country-oid = bytes .sdnvseq [85, 4, 6]
+; country-value = text .size 2
+
+
+; country-rdn = {country-oid => country-value}
+; country-oid = bytes .oid [2, 5, 4, 6]
+; country-value = text .size 2
+
+
+oid = #6.111(bstr)
+roid = #6.110(bstr)
+pen = #6.112(bstr)

data/data/rfc9115.cddl

@@ -0,0 +1,99 @@
+
+csr-template-schema = {
+  keyTypes: [ + $keyType ]
+  ? subject: non-empty<distinguishedName>
+  extensions: extensions
+}
+
+non-empty<M> = (M) .and ({ + any => any })
+
+mandatory-wildcard = "**"
+optional-wildcard = "*"
+wildcard = mandatory-wildcard / optional-wildcard
+
+; regtext matches all text strings but "*" and "**"
+regtext = text .regexp "([^\\*].*)|([\\*][^\\*].*)|([\\*][\\*].+)"
+
+regtext-or-wildcard = regtext / wildcard
+
+distinguishedName = {
+  ? country: regtext-or-wildcard
+  ? stateOrProvince: regtext-or-wildcard
+  ? locality: regtext-or-wildcard
+  ? organization: regtext-or-wildcard
+  ? organizationalUnit: regtext-or-wildcard
+  ? emailAddress: regtext-or-wildcard
+  ? commonName: regtext-or-wildcard
+}
+
+$keyType /= rsaKeyType
+$keyType /= ecdsaKeyType
+
+rsaKeyType = {
+  PublicKeyType: "rsaEncryption" ; OID: 1.2.840.113549.1.1.1
+  PublicKeyLength: rsaKeySize
+  SignatureType: $rsaSignatureType
+}
+
+rsaKeySize = uint
+
+; RSASSA-PKCS1-v1_5 with SHA-256
+$rsaSignatureType /= "sha256WithRSAEncryption"
+; RSASSA-PCKS1-v1_5 with SHA-384
+$rsaSignatureType /= "sha384WithRSAEncryption"
+; RSASSA-PCKS1-v1_5 with SHA-512
+$rsaSignatureType /= "sha512WithRSAEncryption"
+; RSASSA-PSS with SHA-256, MGF-1 with SHA-256, and a 32 byte salt
+$rsaSignatureType /= "sha256WithRSAandMGF1"
+; RSASSA-PSS with SHA-384, MGF-1 with SHA-384, and a 48 byte salt
+$rsaSignatureType /= "sha384WithRSAandMGF1"
+; RSASSA-PSS with SHA-512, MGF-1 with SHA-512, and a 64 byte salt
+$rsaSignatureType /= "sha512WithRSAandMGF1"
+
+ecdsaKeyType = {
+  PublicKeyType: "id-ecPublicKey" ; OID: 1.2.840.10045.2.1
+  namedCurve: $ecdsaCurve
+  SignatureType: $ecdsaSignatureType
+}
+
+$ecdsaCurve /= "secp256r1" ; OID: 1.2.840.10045.3.1.7
+$ecdsaCurve /= "secp384r1" ; OID: 1.3.132.0.34
+$ecdsaCurve /= "secp521r1" ; OID: 1.3.132.0.3
+
+$ecdsaSignatureType /= "ecdsa-with-SHA256" ; paired with secp256r1
+$ecdsaSignatureType /= "ecdsa-with-SHA384" ; paired with secp384r1
+$ecdsaSignatureType /= "ecdsa-with-SHA512" ; paired with secp521r1
+
+subjectaltname = {
+  ? DNS: [ + regtext-or-wildcard ]
+  ? Email: [ + regtext ]
+  ? URI: [ + regtext ]
+  * $$subjectaltname-extension
+}
+
+extensions = {
+  ? keyUsage: [ + keyUsageType ]
+  ? extendedKeyUsage: [ + extendedKeyUsageType ]
+  subjectAltName: non-empty<subjectaltname>
+}
+
+keyUsageType /= "digitalSignature"
+keyUsageType /= "nonRepudiation"
+keyUsageType /= "keyEncipherment"
+keyUsageType /= "dataEncipherment"
+keyUsageType /= "keyAgreement"
+keyUsageType /= "keyCertSign"
+keyUsageType /= "cRLSign"
+keyUsageType /= "encipherOnly"
+keyUsageType /= "decipherOnly"
+
+extendedKeyUsageType /= "serverAuth"
+extendedKeyUsageType /= "clientAuth"
+extendedKeyUsageType /= "codeSigning"
+extendedKeyUsageType /= "emailProtection"
+extendedKeyUsageType /= "timeStamping"
+extendedKeyUsageType /= "OCSPSigning"
+extendedKeyUsageType /= oid
+
+oid = text .regexp "([0-2])((\\.0)|(\\.[1-9][0-9]*))*"
+

data/data/rfc9164.cddl

@@ -0,0 +1,32 @@
+
+ip-address-or-prefix = ipv6-address-or-prefix /
+                       ipv4-address-or-prefix
+
+ipv6-address-or-prefix = #6.54(ipv6-address /
+                               ipv6-address-with-prefix /
+                               ipv6-prefix)
+ipv4-address-or-prefix = #6.52(ipv4-address /
+                               ipv4-address-with-prefix /
+                               ipv4-prefix)
+
+ipv6-address = bytes .size 16
+ipv4-address = bytes .size 4
+
+ipv6-address-with-prefix = [ipv6-address,
+                            ipv6-prefix-length / null,
+                            ?ip-zone-identifier]
+ipv4-address-with-prefix = [ipv4-address,
+                            ipv4-prefix-length / null,
+                            ?ip-zone-identifier]
+
+ipv6-prefix-length = 0..128
+ipv4-prefix-length = 0..32
+
+ipv6-prefix = [ipv6-prefix-length, ipv6-prefix-bytes]
+ipv4-prefix = [ipv4-prefix-length, ipv4-prefix-bytes]
+
+ipv6-prefix-bytes = bytes .size (uint .le 16)
+ipv4-prefix-bytes = bytes .size (uint .le 4)
+
+ip-zone-identifier = uint / text
+

data/data/rfc9165.cddl

@@ -0,0 +1,35 @@
+; for RFC 8943
+Tag1004 = #6.1004(text .abnf full-date)
+; for RFC 8949
+Tag0 = #6.0(text .abnf date-time)
+
+full-date = "full-date" .cat rfc3339
+date-time = "date-time" .cat rfc3339
+
+; Note the trick of idiomatically starting with a newline, separating
+;   off the element in the concatenations above from the rule-list
+rfc3339 = '
+   date-fullyear   = 4DIGIT
+   date-month      = 2DIGIT  ; 01-12
+   date-mday       = 2DIGIT  ; 01-28, 01-29, 01-30, 01-31 based on
+                             ; month/year
+   time-hour       = 2DIGIT  ; 00-23
+   time-minute     = 2DIGIT  ; 00-59
+   time-second     = 2DIGIT  ; 00-58, 00-59, 00-60 based on leap sec
+                             ; rules
+   time-secfrac    = "." 1*DIGIT
+   time-numoffset  = ("+" / "-") time-hour ":" time-minute
+   time-offset     = "Z" / time-numoffset
+
+   partial-time    = time-hour ":" time-minute ":" time-second
+                     [time-secfrac]
+   full-date       = date-fullyear "-" date-month "-" date-mday
+   full-time       = partial-time time-offset
+
+   date-time       = full-date "T" full-time
+' .det rfc5234-core
+
+rfc5234-core = '
+   DIGIT          =  %x30-39 ; 0-9
+   ; abbreviated here
+'