IN PROGRESS: docs: registration policies: CWT decode

Signed-off-by: John Andersen <[email protected]>

docs/registration_policies.md

@@ -86,34 +86,43 @@ import json
 import pathlib
 import traceback
 
+import cwt
 import cbor2
 import pycose
+# TODO Remove this once we have a example flow for proper key verification
+import jwcrypto.jwk
 from jsonschema import validate, ValidationError
 from pycose.messages import CoseMessage, Sign1Message
 
-from scitt_emulator.scitt import ClaimInvalidError, COSE_Headers_Issuer
+from scitt_emulator.scitt import ClaimInvalidError, CWTClaims
 
 claim = sys.stdin.buffer.read()
 
 msg = CoseMessage.decode(claim)
 
 if pycose.headers.ContentType not in msg.phdr:
     raise ClaimInvalidError("Claim does not have a content type header parameter")
-if COSE_Headers_Issuer not in msg.phdr:
-    raise ClaimInvalidError("Claim does not have an issuer header parameter")
 
 if not msg.phdr[pycose.headers.ContentType].startswith("application/json"):
     raise TypeError(
         f"Claim content type does not start with application/json: {msg.phdr[pycose.headers.ContentType]!r}"
     )
 
+# TODO Key verification (KEYTRANS?)
+key = jwcrypto.jwk.JWK.generate(kty="EC", crv="P-384")
+kid = key.thumbprint()
+cwt_cose_key = cwt.COSEKey.from_pem(key.export_to_pem(private_key=True, password=None), kid=kid)
+
+cwt_claims = cwt.decode(msg.phdr[CWTClaims], cwt_cose_key, no_verify=True)
+
 SCHEMA = json.loads(pathlib.Path(os.environ["SCHEMA_PATH"]).read_text())
 
 try:
     validate(
         instance={
             "$schema": "https://schema.example.com/scitt-policy-engine-jsonschema.schema.json",
-            "issuer": msg.phdr[COSE_Headers_Issuer],
+            "issuer": cwt_claims[1],
+            "subject": cwt_claims[2],
             "claim": json.loads(msg.payload.decode()),
         },
         schema=SCHEMA,