In this document we describe how to use Corim Command Line Interface tool cocli
To install the cocli
command, do:
$ go install github.com/veraison/cocli@latest
To configure auto-completion, use the completion
subcommand. For example, if bash
is your shell, you would do something like:
$ cocli completion bash > ~/.bash_completion.d/cocli
$ . ~/.bash_completion
If you are using Git Bash or a similar environment, you would do something like:
$ mkdir -p ~/.local/share/bash-completion/completions
$ cocli completion bash > ~/.local/share/bash-completion/completions/cocli
$ source ~/.local/share/bash-completion/completions/cocli
to get automatic command completion and suggestions using the TAB key.
To get a list of the supported shells, do:
$ cocli completion --help
This document provides step-by-step instructions for how to use the cocli
tool to manipulate CoRIMs, CoMIDs and CoTS.
flowchart TD
subgraph COCLI["<b>COCLI COMMANDS</b>"]
style COCLI fill:#ffffff, stroke:#333,stroke-width:4px
subgraph CORIMCMD["<b>CORIM COMMANDS</b> \n
cocli corim create \n cocli corim display \n cocli corim sign \n cocli corim verify\n cocli corim extract\n cocli corim submit"]
end
subgraph COMIDCMD["<b>COMID COMMANDS</b> \n cocli comid create \n cocli comid display"]
end
subgraph COTSCMD["<b>COTS COMMANDS</b> \n cocli cots create \n cocli cots display"]
end
end
CORIM ---> CORIMCMD
subgraph CORIM["<b>CoRIM</b>"]
subgraph CoMID["COMIDs\n"]
CM3["CoMID-N"]
CM2["CoMID-2"]
CM1["CoMID-1"]
CM1 -.- CM2
CM2 -.- CM3
CM3 ---> COMIDCMD
end
subgraph CoSWID["CoSWID\n"]
CSW1["CoSWID-1"]
CSW2["CoSWID-2"]
CSW3["CoSWID-N"]
CSW1 -.- CSW2
CSW2 -.- CSW3
end
subgraph CoTS["COTS\n"]
CS3["CoTS-N"]
CS2["CoTS-2"]
CS1["CoTS-1"]
CS1 -.- CS2
CS2 -.- CS3
CS3 ---> COTSCMD
end
end
This section describes all the available commands supported by cocli
tool
The comid
subcommand allows you to create, display and validate CoMIDs.
Use the comid create
subcommand to create a CBOR-encoded CoMID, passing its
JSON representation via the --template
switch (or equivalently its -t
shorthand):
- Please inspect
comid
JSON templates as examples underdata/comid/templates
comid-*.json
$ cocli comid create --template data/comid/templates/comid-dice-refval.json
On success, you should see something like the following printed to stdout:
>> created "comid-dice-refval.cbor" from "comid-dice-refval.json"
The CBOR-encoded CoMID file is stored in the current working directory with a
name derived from its template. If you want, you can specify a different
target directory using the --output-dir
command line switch (abbrev. -o
)
$ cocli comid create --template data/comid/templates/comid-dice-refval.json --output-dir /tmp
>> created "/tmp/comid-dice-refval.cbor" from "comid-dice-refval.json"
Note that the output directory, as well as all its parent directories, MUST pre-exist.
You can also create multiple CoMIDs in one go. Suppose all your templates are
stored in the templates/
folder:
$ tree templates/
templates/
├── comid-dice-refval1.json
├── comid-dice-refval2.json
...
└── comid-dice-refvaln.json
Then, you can use the --template-dir
(abbrev. -T
), and let the tool load,
validate, and CBOR-encode the templates one by one:
$ cocli comid create --template-dir templates
>> created "comid-dice-refval1.cbor" from "templates/comid-dice-refval1.json"
>> created "comid-dice-refval2.cbor" from "templates/comid-dice-refval2.json"
...
>> created "comid-dice-refvaln.cbor" from "templates/comid-dice-refvaln.json"
You can specify both the -T
and -t
switches as many times as needed, and
even combine them in one invocation:
$ cocli comid create -T comid-templates/ \
-T comid-templates-aux/ \
-t extra-comid.json \
-t yet-another-comid.json \
-o /var/spool/comid
NOTE that since the output file name is deterministically generated from the template file name, all the template files (when from different directories) MUST have different base names.
Use the comid display
subcommand to print to stdout one or more CBOR-encoded
CoMIDs in human readable (JSON) format.
You can supply individual files using the --file
switch (abbrev. -f
), or
directories that may (or may not) contain CoMID files using the --dir
switch
(abbrev. -d
). Only valid CoMIDs will be displayed, and any decoding or
validation error will be printed alongside the corresponding file name.
For example:
$ cocli comid display --file data/comid/comid-dice-refval.cbor
provided the comid-dice-refval.cbor
file contains valid CoMID, would print something like:
>> [comid-dice-refval.cbor]
{
"tag-identity": {
"id": "1d5a8c7c-1c70-4c56-937e-3c5713ae5a83"
},
"triples": {}
[...]
}
While a data/comid/
folder with the following contents:
$ tree data/comid/
data/comid/
├── rubbish.cbor
├── 1.cbor
└── 2.cbor
could be inspected in one go using:
$ cocli comid display --dir data/comid/
which would output something like:
>> failed displaying "comids.d/rubbish.cbor": CBOR decoding failed: EOF
>> [data/comid/1.cbor]
{
"tag-identity": {
"id": "43bbe37f-2e61-4b33-aed3-53cff1428b16"
},
[...]
}
>> [data/comid/2.cbor]
{
"tag-identity": {
"id": "366d0a0a-5988-45ed-8488-2f2a544f6242"
},
[...]
}
Error: 1/3 display(s) failed
One or more files and directories can be supplied in the same invocation, e.g.:
$ cocli comid display -f m1.cbor \
-f comids.d/m2.cbor \
-d /var/spool/comids \
-d yet-another-comid-folder/
The cots
subcommand allows you to create, display and validate CoTSs.
Use the cots create
subcommand to create a CBOR-encoded CoTS. The environment
switch takes in a JSON template specifiying the environments that are valid for the keys specified and the tas
switch takes in a directory of trust anchors files:
- Please inspect
data/cots/templates
JSON templates as examples forenvironment
andclaims
$ cocli cots create --environment data/cots/templates/env/vendor.json --tafile data/cots/shared_ta.ta
On success, you should see something like the following printed to stdout:
>> created "vendor.cbor"
The CBOR-encoded CoTS file is stored in the current working directory with a
name derived from its environment template. If you want, you can specify a different
target directory and file name using the --output
command line switch (abbrev. -o
)
$ cocli cots create --environment data/cots/templates/env/vendor.json --tafile data/cots/shared_ta.ta --output /tmp/myCots.cbor
>> created "/tmp/myCots.cbor"
Note that the output directory, as well as all its parent directories, MUST pre-exist.
Use the cots display
subcommand to print to stdout one or more CBOR-encoded
CoTSs in human readable (JSON) format.
You can supply individual files using the --file
switch (abbrev. -f
), or
directories that may (or may not) contain CoTS files using the --dir
switch
(abbrev. -d
). Only valid CoTSs will be displayed, and any decoding or
validation error will be printed alongside the corresponding file name.
For example:
$ cocli cots display --file vendor.cbor
provided the vendor.cbor
file contains valid CoTS, would print something like:
>> [vendor.cbor]
{
"environments": [
{
"environment": {
"class": {
"vendor": "Zesty Hands, Inc."
}
}
}
],
"keys": {
"tas": [
{
"format": 1,
"data": "ooICejCCAnYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATjUaoQOSQHpL0DfKC8EVTQ5wHwZ085yyxPkhBpLOu+7B0nl33FYWV1Hg4je/37FTbpmohFkUKWYd81z8C/K1DMBBQBXEXJrLBGKnFd1xCgeMAVSfEBPzCCAgEwPjELMAkGA1UEBgwCVVMxEDAOBgNVBAoMB0V4YW1wbGUxHTAbBgNVBAMMFEV4YW1wbGUgVHJ1c3QgQW5jaG9yoIIBvTCCAWSgAwIBAgIVANCdkL89UlzHc9Ui7XfVniK7pFuIMAoGCCqGSM49BAMCMD4xCzAJBgNVBAYMAlVTMRAwDgYDVQQKDAdFeGFtcGxlMR0wGwYDVQQDDBRFeGFtcGxlIFRydXN0IEFuY2hvcjAeFw0yMjA1MTkxNTEzMDdaFw0zMjA1MTYxNTEzMDdaMD4xCzAJBgNVBAYMAlVTMRAwDgYDVQQKDAdFeGFtcGxlMR0wGwYDVQQDDBRFeGFtcGxlIFRydXN0IEFuY2hvcjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABONRqhA5JAekvQN8oLwRVNDnAfBnTznLLE+SEGks677sHSeXfcVhZXUeDiN7/fsVNumaiEWRQpZh3zXPwL8rUMyjPzA9MB0GA1UdDgQWBBQBXEXJrLBGKnFd1xCgeMAVSfEBPzALBgNVHQ8EBAMCAoQwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBEAiALBidABsfpzG0lTL9Eh9b6AUbqnzF+koEZbgvppvvt9QIgVoE+bhEN0j6wSPzePjLrEdD+PEgyjHJ5rbA11SPq/1M="
}
]
}
}
While a data/cots
folder with the following contents:
$ tree cots/
cots/
├── rubbish.cbor
├── namedtastore.cbor
├── vendor.cbor
could be inspected in one go using:
$ cocli cots display --dir data/cots/
which would output something like:
>> [data/cots/namedtastore.cbor]
{
"environments": [
{
"namedtastore": "Miscellaneous TA Store"
}
],
"keys": {
"tas": [
{
"format": 1,
"data": "ooIC1TCCAtEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATN0f5kzywEzZOYbaV23O3N8cku39JoLNjlHPwECbXDDWp0LpAO1z248/hoy6UW/TZMTPPR/93XwHsG16mSFy8XBBSKhM/5gJWjvDbW7qUY1peNm9cfYDCCAlwwXDELMAkGA1UEBgwCVVMxHzAdBgNVBAoMFlNub2JiaXNoIEFwcGFyZWwsIEluYy4xLDAqBgNVBAMMI1Nub2JiaXNoIEFwcGFyZWwsIEluYy4gVHJ1c3QgQW5jaG9yoIIB+jCCAZ+gAwIBAgIUEBuTRGXAEEVEHhu4xafAnqm+qYgwCgYIKoZIzj0EAwIwXDELMAkGA1UEBgwCVVMxHzAdBgNVBAoMFlNub2JiaXNoIEFwcGFyZWwsIEluYy4xLDAqBgNVBAMMI1Nub2JiaXNoIEFwcGFyZWwsIEluYy4gVHJ1c3QgQW5jaG9yMB4XDTIyMDUxOTE1MTMwOFoXDTMyMDUxNjE1MTMwOFowXDELMAkGA1UEBgwCVVMxHzAdBgNVBAoMFlNub2JiaXNoIEFwcGFyZWwsIEluYy4xLDAqBgNVBAMMI1Nub2JiaXNoIEFwcGFyZWwsIEluYy4gVHJ1c3QgQW5jaG9yMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEzdH+ZM8sBM2TmG2ldtztzfHJLt/SaCzY5Rz8BAm1ww1qdC6QDtc9uPP4aMulFv02TEzz0f/d18B7BtepkhcvF6M/MD0wHQYDVR0OBBYEFIqEz/mAlaO8NtbupRjWl42b1x9gMAsGA1UdDwQEAwIChDAPBgNVHRMBAf8EBTADAQH/MAoGCCqGSM49BAMCA0kAMEYCIQC2cf43f3PPlCO6/dxv40ftIgxxToKHF72UzENv7+y4ygIhAIGtC/r6SGaFMaP7zD2EloBuIXTtyWu8Hwl+YGdXRY93"
}
]
}
}
>> failed displaying "data/cots/rubbish.cbor": CBOR decoding failed: cbor: cannot unmarshal primitives into Go value of type cots.ConciseTaStore
>> [data/cots/vendor.cbor]
{
"environments": [
{
"environment": {
"class": {
"vendor": "Zesty Hands, Inc."
}
}
}
],
"keys": {
"tas": [
{
"format": 1,
"data": "ooICejCCAnYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATjUaoQOSQHpL0DfKC8EVTQ5wHwZ085yyxPkhBpLOu+7B0nl33FYWV1Hg4je/37FTbpmohFkUKWYd81z8C/K1DMBBQBXEXJrLBGKnFd1xCgeMAVSfEBPzCCAgEwPjELMAkGA1UEBgwCVVMxEDAOBgNVBAoMB0V4YW1wbGUxHTAbBgNVBAMMFEV4YW1wbGUgVHJ1c3QgQW5jaG9yoIIBvTCCAWSgAwIBAgIVANCdkL89UlzHc9Ui7XfVniK7pFuIMAoGCCqGSM49BAMCMD4xCzAJBgNVBAYMAlVTMRAwDgYDVQQKDAdFeGFtcGxlMR0wGwYDVQQDDBRFeGFtcGxlIFRydXN0IEFuY2hvcjAeFw0yMjA1MTkxNTEzMDdaFw0zMjA1MTYxNTEzMDdaMD4xCzAJBgNVBAYMAlVTMRAwDgYDVQQKDAdFeGFtcGxlMR0wGwYDVQQDDBRFeGFtcGxlIFRydXN0IEFuY2hvcjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABONRqhA5JAekvQN8oLwRVNDnAfBnTznLLE+SEGks677sHSeXfcVhZXUeDiN7/fsVNumaiEWRQpZh3zXPwL8rUMyjPzA9MB0GA1UdDgQWBBQBXEXJrLBGKnFd1xCgeMAVSfEBPzALBgNVHQ8EBAMCAoQwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNHADBEAiALBidABsfpzG0lTL9Eh9b6AUbqnzF+koEZbgvppvvt9QIgVoE+bhEN0j6wSPzePjLrEdD+PEgyjHJ5rbA11SPq/1M="
}
]
}
}
Note: One of more files and directories can be supplied in the same invocation, using -f and -d directive:
Tooling to manipulate CoSWID
is not currently available under Project Veraison.
However CoSWID can be part of CoRIM by constructing CoSWID CBOR by other indistry available
tools such as swid-tools and including them
as mentioned under CORIM Construction
The corim
subcommand allows you to create, display, sign, verify CoRIMs or submit
a CoRIM using the Veraison provisioning API.
It also provides a means to extract as-is the embedded CoSWIDs, CoMIDs and CoTSs and save
them as separate files.
Use the corim create
subcommand to create a CBOR-encoded, unsigned CoRIM, by
passing its JSON representation via the --template
switch (or equivalently its -t
shorthand)
together with the CBOR-encoded CoMIDs, CoSWIDs and/or CoTS to be embedded.
- Please inspect
corim
JSON templates as examples underdata/corim/templates
corim-*.json
$ cocli corim create --template data/corim/templates/corim-full.json --comid data/comid/comid-dice-refval.cbor --coswid data/coswid/1.cbor --cots data/cots/vendor.cbor
On success, you should see something like the following printed to stdout:
>> created "corim-full.cbor" from "corim-full.json"
The CBOR-encoded CoRIM file is stored in the current working directory with a
name derived from its template. If you want, you can specify a different
file name using the --output
command line switch (abbrev. -o
):
$ cocli corim create -t data/corim/templates/corim-full.json -m data/comid/comid-dice-refval.cbor -s data/coswid/1.cbor -c data/cots/c1.cbor -o unsigned-corim.cbor
>> created "unsigned-corim.cbor" from "corim-full.json"
CoMIDs, CoSWIDs and CoTSs can be either supplied as individual files, using the
--comid
(abbrev. -m
), --coswid
(abbrev. -s
) and --cots
(abbrev. -c
) switches respectively, or
as "per-folder" blocks using the --comid-dir
(abbrev. -M
), --coswid-dir
and --cots-dir
(abbrev. -C
) switch. For example:
$ cocli corim create --template data/corim/templates/corim-full.json --comid-dir data/comid/cbor/
Creation will fail if any of the inputs is non conformant. For example, if
data/comid/cbor/
contains an invalid CoMID file rubbish.cbor
, an attempt to create a
CoRIM:
$ cocli corim create -t data/corim/templates/corim-full.json -M data/comid/cbor/
will fail with:
Error: error loading CoMID from data/comid/cbor/rubbish.cbor: EOF
Use the corim sign
subcommand to cryptographically seal the unsigned CoRIM
supplied via the --file
switch (abbrev. -f
). The signature is produced
using the key supplied via the --key
switch (abbrev. -k
), which is expected
to be in JWK format. On success, the
resulting COSE Sign1 payload is saved to file whose name can be controlled using
the --output
switch (abbrev. -o
). A CoRIM Meta template in JSON format must
also be provided using the --meta
switch (abbrev.-m
).
- Please inspect the
data/corim/templates
directory formeta
JSON templates.
For example, with the default output file:
$ cocli corim sign --file corim.cbor --key ec-p256.jwk --meta meta.json
>> "corim.cbor" signed and saved to "signed-corim.cbor"
Or, the same but with a custom output file:
$ cocli corim sign --file data/corim/corim-full.cbor \
--key data/keys/ec-p256.jwk \
--meta data/corim/templates/meta-full.json \
--output /var/spool/signed-corim.cbor
>> "corim-full.cbor" signed and saved to "/var/spool/signed-corim.cbor"
Use the corim verify
subcommand to cryptographically verify the signed CoRIM
supplied via the --file
switch (abbrev. -f
). The signature is checked
using the key supplied via the --key
switch (abbrev. -k
), which is expected
to be in JWK format. For example:
$ cocli corim verify --file data/corim/signed-corim.cbor --key data/keys/ec-p256.jwk
>> "signed-corim.cbor" verified
Verification can fail either because the cryptographic processing fails or because the signed payload or protected headers are themselves invalid. For example:
$ cocli corim verify --file data/corim/signed-corim-bad-signature.cbor --key data/keys/ec-p256.jwk
will give
Error: error verifying signed-corim-bad-signature.cbor with key ec-p256.jwk: verification failed ecdsa.Verify
Use the corim display
subcommand to print to stdout a signed CoRIM in human
readable (JSON) format.
You must supply the file you want to display using the --file
switch (abbrev.
-f
). Only a valid CoRIM will be displayed, and any occurring decoding or
validation errors will be printed instead.
The output has two logical sections: one for Meta and one for the (unsigned) CoRIM:
$ cocli corim display --file data/corim/signed-corim.cbor
Meta:
{
"signer": {
"name": "ACME Ltd signing key",
"uri": "https://acme.example/signing-key.pub"
},
[...]
}
Corim:
{
"corim-id": "5c57e8f4-46cd-421b-91c9-08cf93e13cfc",
"tags": [
"2QH...",
[...]
]
}
By default, the embedded CoMID, CoSWID and CoTS tags are not expanded, and what you
will see is the base64 encoding of their CBOR serialisation. If you want to
peek at the tags' content, supply the --show-tags
(abbrev. -v
) switch, which
will add a further Tags section with one entry per each expanded tag:
$ cocli corim display --file data/corim/signed-corim.cbor --show-tags
Meta:
{
[...]
}
Corim:
{
[...]
}
Tags:
>> [ 0 ]
{
"tag-identity": {
"id": "366d0a0a-5988-45ed-8488-2f2a544f6242"
},
[...]
}
>> [ 1 ]
{
"tag-identity": {
"id": "43bbe37f-2e61-4b33-aed3-53cff1428b16"
},
[...]
}
>> [ 2 ]
{
"tag-id": "com.acme.rrd2013-ce-sp1-v4-1-5-0",
[...]
}
Use the corim extract
subcommand to extract the embedded CoMIDs, CoSWIDs and CoTSs
from a signed CoRIM.
You must supply a signed CoRIM file using the --file
switch (abbrev. -f
) and
an optional output folder (default is the current working directory) using the
--output-dir
switch (abbrev. -o
). Make sure that the output directory as
well as any parent folder exists prior to issuing the command.
On success, the found CoMIDs, CoSWIDs, CoTS are saved in CBOR format:
$ cocli corim extract --file data/corim/signed-corim.cbor --output-dir output.d/
$ tree output.d/
output.d/
├── 000000-comid.cbor
├── 000001-comid.cbor
├── 000002-coswid.cbor
└── 000003-cots.cbor
Use the corim submit
subcommand to upload a CoRIM using the Veraison provisioning API.
The CoRIM file containing the CoRIM data in CBOR format is supplied via the
--corim-file
switch (abbrev. -f
). The server URL where to upload the CoRIM
payload is supplied via the --api-server
switch (abbrev. -s
).
Further, it is required to supply the media type of the content via the
--media-type
switch (abbrev. -m
)
$ cocli corim submit \
--corim-file data/corim/unsigned-corim.cbor \
--api-server "https://veraison.example/endorsement-provisioning/v1/submit" \
--media-type "application/corim-unsigned+cbor; profile=http://arm.com/psa/iot/1"
>> "unsigned-corim.cbor" submit ok
The above will work if the remote service does not authenticate
endorsement-provisioning API calls. If the service does authenticate, then
cocli must be configured appropriately. This can be done using a config.yaml
file located in the current working directory, or in the standard config
path (usually ~/.config/cocli/config.yaml
on XDG-compliant systems). Please
see ./data/config/example-config.yaml
file for details of the configuration
that needs to be provided.
If the scheme in the API server URL is HTTPS, cocli
will attempt to establish
a TLS connection to the server, validating the server certificate using system CA
certs. It is possible to disable server certificate validation with
-i
/--insecure
flag. Alternatively, if the CA cert for the server is
available but is not installed in the system, it may be specified using
-E
/--ca-cert
flag.
graph LR
OEM[(OEM/ODM \n DB)]
JSONTmplCoMID[["JSON \n template \n (CoMID)"]]
JSONTmplCoSWID[["JSON \n template \n (CoSWID)"]]
style JSONTmplCoSWID fill:#71797E
click JSONTmplCoSWID "https://github.com/veraison/corim/issues/81"
JSONTmplCoRIM[["JSON \n template \n (CoRIM)"]]
JSONTmplMeta[["JSON \n template \n (Meta)"]]
key((key))
%% Cots nodes
environments[["Environments"]]
tas(("Trust \n anchors"))
cas(("CA \n certificates"))
permClaims[["Permanant claims"]]
exclClaims[["Excluded claims"]]
cliComidCreate($ cocli comid create)
cliComidDisplay($ cocli comid display)
style cliComidCreate fill:#00758f
style cliComidDisplay fill:#00758f
cliCotsCreate($ cocli cots create)
cliCotsDisplay($ cocli cots display)
style cliCotsCreate fill:#00758f
style cliCotsDisplay fill:#00758f
cliCoswidCreate($ cocli coswid create)
cliCoswidDisplay($ cocli coswid display)
style cliCoswidCreate fill:#71797E
style cliCoswidDisplay fill:#71797E
cliCorimCreate($ cocli corim create)
cliCorimSign($ cocli corim sign)
cliCorimVerify($ cocli corim verify)
cliCorimExtract($ cocli corim extract)
cliCorimDisplay($ cocli corim display)
cliCorimSubmit($ cocli corim submit)
style cliCorimCreate fill:#00758f
style cliCorimSign fill:#00758f
style cliCorimVerify fill:#00758f
style cliCorimExtract fill:#00758f
style cliCorimDisplay fill:#00758f
style cliCorimSubmit fill:#00758f
provisioningEndpoint{{Veraison \n Provisioning \n Service}}
CBORComid1((CBOR <br /> CoMID))
CBORSwid1((CBOR <br /> SWID))
CBORCots1((CBOR <br /> CoTS))
CBORComid2((CBOR <br /> CoMID))
CBORSwid2((CBOR <br /> SWID))
CBORCots2((CBOR <br /> CoTS))
CBORCorim((CBOR CoRIM))
CoseSign1((COSE Sign1 CoRIM))
signBool((T/F))
OEM --> JSONTmplCoMID
OEM --> JSONTmplCoSWID
%% Cots items provisioning
OEM --> environments
OEM --> tas
OEM --> cas
OEM --> permClaims
OEM --> exclClaims
OEM --> JSONTmplCoRIM
OEM --> JSONTmplMeta
OEM --> key
%% Cots individual items
environments --> cliCotsCreate
tas --> cliCotsCreate
cas --> cliCotsCreate
permClaims --> cliCotsCreate
exclClaims --> cliCotsCreate
JSONTmplCoMID --> cliComidCreate
JSONTmplCoSWID --> cliCoswidCreate
JSONTmplCoRIM --> cliCorimCreate
JSONTmplMeta --> cliCorimSign
key --> cliCorimSign
key --> cliCorimVerify
cliComidCreate --> CBORComid1
cliCotsCreate --> CBORCots1
cliCoswidCreate --> CBORSwid1
cliCorimCreate --> CBORCorim
cliCorimSign --> CoseSign1
cliCorimVerify --> signBool
cliCorimSubmit -- to--> provisioningEndpoint
CBORComid1 --> cliComidDisplay
CBORComid1 --> cliCorimCreate
CBORCots1 --> cliCorimCreate
CBORCots1 --> cliCotsDisplay
CBORSwid1 --> cliCoswidDisplay
CBORSwid1 --> cliCorimCreate
CBORCorim --> cliCorimSubmit
CBORCorim --> cliCorimSign
CoseSign1 --> cliCorimExtract
CoseSign1 --> cliCorimVerify
CoseSign1 --> cliCorimDisplay
cliCorimExtract --> CBORComid2
cliCorimExtract --> CBORSwid2
cliCorimExtract --> CBORCots2