Appendix

Appendix A

Flow based on TE Summary

Login to obtain accessToken

         +--------+--------------------------------------+------+------------+
         | Client |                                      |Server|    Notes   |
         +--------+--------------------------------------+------+------------+
         |        |POST to /login or similar with        |      |            |
         |        |appropriate credentials               |      |            |
         |        |-------------------------------->     |      |            |
         |        |                                      |      |            |
         |        |200  OK receive the access token      |      |            |
         |        |<-  -  -  -  -  -  -  -  -  -  -      |      |            |
         |        |                                      |      |            |

POST: {"amvVersion": "0.1", "passcode":"21887897"}

200 OK: {"accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...."}

POST certRequests - request a module validation certificate

         +--------+-----------------------------------+------+------------+
         | Client |                                   |Server|  Notes     |
         +--------+-----------------------------------+------+------------+
         |        |POST certRequests                  |      |   Submit   |
         |        |---------------------------------->|      |Module Cert |
         |        | w/URIs to bind modules, vendors,  |      |   Request  |
         |        | and contacts                      |      |            |
         |        |                                   |      |            |
         |        |200 OK                             |      | Returns    |
         |        |<-  -  -  -  -  -  -  -  -  -  -  -|      | CR ID      |
         |        | "url": "/amvp/v1/certRequests/550"|      |            |
         |        | "vendorId": 137,                  |      |            |
         |        | "status": "initial",              |      |            |
         |        | "accessToken": ""                 |      |            |
         |        |                                   |      |            |

         |        |                                   |      |            |
         |        |GET                                |      |            |
         |        |/certRequests/1                    |      |  Retrieve  |
         |        |---------------------------------->|      |   CR ID    |
         |        |                                   |      |   TE List  |
         |        |200 OK with List of TEs, moduleId  |      |            |
         |        |<-  -  -  -  -  -  -  -  -  -  -  -|      |            |
         |        |                                   |      |            |
         |        |POST Test Evidence                 |      |            |
         |        |/certRequests/1/evidence           |      |   Submit   |
         |        |---------------------------------->|      |  Response  |
         |        |                                   |      |            |
         |        |200 OK                             |      |            |
         |        |<-  -  -  -  -  -  -  -  -  -  -  -|      |            |
         |        | vendorId : 1                      |      |            |
         |        | status: processing                |      |            |

         |        |GET                                |      |            |
         |        |/certRequests/1                    |      |  GET       |
         |        |---------------------------------->|      | Results    |
         |        |                                   |      |            |
         |        |<----------------------------------|      |            |
         |        | 200 OK    "status": "submitted"   |      |            |
         |        | "Url":                            |      |            |
         |        |     "/amvp/v1/certRequests/41763" |      |            |

The binding will look something like this:

         [{  "moduleId" : 121,   <-- a single module
             "vendorId" : 12345,   <-- vendor ID from resource submission not shown above
             "contacts" : ["CVP-012345", "CVP-67890"]  <-- CVP numbers represent people that have lab accreditation
          }]


The Functional Test TE list sent from server to client will look like this
{
    "amvVersion": "0.1",

    "functionalTest":
    {
      "document":
      {
        "base-catalogVersion": "3.0",
        "base-lastUpdated": "October-16-2023",
        "functionalTesting-EC": "0.6",
        "functionalTesting-lastUpdated": "October-29-2024"
      },
      "testEvidence":
      [
        {
            "teList":
            [
                "TE02.12.01","TE02.10.01"
            ],
            "description": "Verify that versioning info identifies distinct components.",
            "access": "physical",
            "technique": "debugger simulation emulation harness manual other",
            "setup": "reference into Catalog",
            "errorInduction": "description of",
            "results":
            {
                "summary": "sample summary",
                "digest": "000000",
                "fileLocation": "location of test evidence",
                "integrityMechanism": "SHA2-512"
            }
        }
      ]
    }
}


The Source Code evidence sent from server to client will look like this

{
    "amvVersion": "0.1",
    "sourceCode": {
        "document": {
            "base-catalogVersion": "3.0",
            "base-lastUpdated": "October-16-2023",
            "sourceCode-EC": "0.6",
            "sourceCode-lastUpdated": "October-29-2024"
        },
        "testEvidence": [
            {
                "teList": [
                    "TE02.10.01",
                    "TE02.07.01",
                    "TE02.07.02"
                ],
                "file": [
                    "full path to file"
                ],
                "function": "Source code method/function(s)",
                "lines": "Source code line numbers",
                "description": "Summarize how the source code review aspect of the TE was accomplished.",
                "input": "may not always be applicable",
                "output": "may not always be applicable",
                "status": "",
                "results":
                {
                    "summary": "sample summary",
                    "digest": "000000",
                    "fileLocation": "location of test evidence",
                    "integrityMechanism": "SHA2-512"
                }
            }
        ]
    }
}

The Other Documentation evidence sent from server to client will look like this

{
    "amvVersion": "0.1",
    "otherDocumentation": {
        "document": {
            "base-catalogVersion": "3.0",
            "base-lastUpdated": "October-16-2023",
            "otherDocumentation-EC": "0.6",
            "otherDocumentation-lastUpdated": "October-29-2024"
        },
        "testEvidence": [
            {
                "teList": [
                    "TE02.03.02"
                ],
                "documents":
                [
                  {
                    "sectionName": "sample",
                    "documentName": "sampleDocument"
                  }
                ],
                "results":
                {
                    "summary": "sample summary",
                    "digest": "000000",
                    "fileLocation": "location of test evidence",
                    "integrityMechanism": "SHA2-512"
                }
            }
        ]
    }
}
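
Each of the three evidence payloads above carries a "results" object with "digest", "fileLocation" and "integrityMechanism". The following is an added example, not part of the AMVP specification or of any AMVP implementation, showing how a receiver could check those fields before trusting the evidence. It assumes that "digest" is the hex SHA-512 of the file at "fileLocation", that "fileLocation" is a local path, and that "SHA2-512" is the only accepted mechanism; the function names and the sample data are constructed.

```python
import hashlib
import hmac
import os
import tempfile

# Assumption: "SHA2-512" on the page names SHA-512. Anything not listed is rejected.
MECHANISMS = {"SHA2-512": hashlib.sha512}
# The three evidence payload kinds shown in this appendix.
EVIDENCE_KEYS = ("functionalTest", "sourceCode", "otherDocumentation")


def file_digest(path, mechanism):
    """Hex digest of the file at `path`, read in chunks so large evidence fits."""
    h = MECHANISMS[mechanism]()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_evidence(payload):
    """Return [(teList, problem), ...]; an empty list means every digest verified."""
    problems = []
    for key in EVIDENCE_KEYS:
        for item in payload.get(key, {}).get("testEvidence", []):
            tes = tuple(item.get("teList", []))
            results = item.get("results") or {}
            mech = results.get("integrityMechanism")
            # Fail closed on a missing or unknown mechanism instead of skipping the check.
            if not isinstance(mech, str) or mech not in MECHANISMS:
                problems.append((tes, "unsupported integrityMechanism"))
                continue
            path = results.get("fileLocation", "")
            if not os.path.isfile(path):
                problems.append((tes, "evidence file missing"))
                continue
            claimed = str(results.get("digest", "")).lower().encode()
            actual = file_digest(path, mech).encode()
            if not hmac.compare_digest(claimed, actual):
                problems.append((tes, "digest mismatch"))
    return problems


def demo():
    """Constructed payload: one valid digest, the "000000" placeholder, one bad mechanism."""
    data = b"constructed functional test log\n"
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "evidence.log")
        with open(path, "wb") as fh:
            fh.write(data)

        def results(digest, mech="SHA2-512"):
            return {"summary": "sample summary", "digest": digest,
                    "fileLocation": path, "integrityMechanism": mech}

        payload = {
            "amvVersion": "0.1",
            "functionalTest": {"testEvidence": [
                {"teList": ["TE02.12.01"],
                 "results": results(hashlib.sha512(data).hexdigest())},
                {"teList": ["TE02.10.01"], "results": results("000000")},
            ]},
            "sourceCode": {"testEvidence": [
                {"teList": ["TE02.07.01"], "results": results("000000", "MD5")},
            ]},
        }
        return check_evidence(payload)


if __name__ == "__main__":
    for tes, problem in demo():
        print(", ".join(tes), "->", problem)
```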

The Security Policy sent from server to client will look like this

{
  "amvVersion": "0.1",
  "securityPolicy": {
    "schemaVersion": "2.8.4",
    "cavpCertSet": {
      "cavpCertList": [
        {
          "vendorName": "Duis ea",
          "certName": "in sed nulla do dolor",
          "validationId": 11023992,
          "implName": "exercitation tempor ad",
          "implVersion": "ut sed cillum",
          "implType": "esse est ea quis cillum",
          "implOrganization": "magna ipsum aliqua proident sit"
        }
      ],
      "cavpOeList": [
        {
          "name": "consectetur do cupidatat Ut",
          "oeId": 3
        }
      ],
      "cavpOeAlgoList": [
        {
          "validationOeAlgorithmId": 1,
          "algoDisplayName": "exercitation ad",
          "canonicalAlgorithmId": 1,
          "validationId": 1,
          "certName": "anim fugiat nisi Lorem enim",
          "implName": "velit exercitation irure magna eu",
          "oeId": 8308,
          "selectedCapList": [
            {
              "capabilityId": 31642322,
              "displayText": "esse",
              "childCapabilities": []
            }
          ]
        }
      ],
      "cavpImplAlgoList": [
        {
          "algoDisplayName": "AES-CBC",
          "canonicalAlgorithmId": 1,
          "implName": "in Lorem",
          "validationId": 7,
          "certName": "nisi ex sint",
          "category": "laboris velit"
        }
      ],
      "cavpItarAlgoList": [
        {
          "certName": "elit esse est",
          "algoDisplayName": "AES-CBC-CS3",
          "canonicalAlgorithmId": 4,
          "capabilities": "deserunt est sed ad eiusmod",
          "category": "Duis mollit magna"
        }
      ]
    },
    "esvCertList": [
      {
        "esvCertName": "laboris veniam sunt dolore reprehenderit",
        "certId": 33293608,
        "vendorName": "cupidatat sit amet sunt"
      }
    ],
    "esvItarCertList": [
      "pariatur",
      "Lorem"
    ],
    "testedHwList": [
      {
        "modelPartNum": "sint aute cillum quis",
        "hwVersion": "et cupidatat",
        "fwVersion": "consequat",
        "processors": "consequat",
        "features": "laborum id exercitation laboris veniam"
      }
    ],
    "testedSwFwHyList": [
      {
        "packageFileName": "laborum commodo consectetur nulla",
        "swFwVersion": "magna",
        "features": "anim Ut dolor occaecat in",
        "integrityTest": "consequat ipsum dolor elit"
      }
    ],
    "testedHyHwList": [
      {
        "modelPartNum": "quis ullamco",
        "hwVersion": "nisi laboris",
        "fwVersion": "aliquip Lorem est in tempor",
        "processors": "mollit sunt",
        "features": "cupidatat"
      }
    ],
    "opEnvSwFwHyTestedList": [
      {
        "operatingSystem": "nostrud aliquip proident",
        "hardwarePlatform": "in ut enim quis irure",
        "processors": "nulla cupidatat",
        "paaPai": "esse",
        "hypervisorHostOs": "Excepteur ipsum labore elit",
        "swFwVersionList": [
          "deserunt est consequat pariatur ex",
          "tempor dolor eiusmod",
          "ipsum dolor",
          "Ut cupidatat",
          "et consequat"
        ]
      }
    ],
    "opEnvSwFwHyVAList": [
      {
        "operatingSystem": "reprehenderit culpa ut",
        "hardwarePlatform": "pariatur esse in consectetur"
      }
    ],
    "modeOfOpList": [
      {
        "name": "officia commodo",
        "description": "in ipsum",
        "type": "aliquip",
        "statusIndicator": "laborum"
      }
    ],
    "vendorAffirmedAlgoList": [
      {
        "name": "in ad in",
        "algoPropList": [
          {
            "name": "id velit anim Ut veniam",
            "value": "enim voluptate",
            "propertyId": 11387443
          }
        ],
        "implName": "sed Excepteur",
        "reference": "ullamco culpa"
      }
    ],
    "nonApprovedAllowedAlgoList": [
      {
        "name": "deserunt laboris non",
        "algoPropList": [
          {
            "name": "ea aute consectetur Duis",
            "value": "in ut",
            "propertyId": -57056207
          }
        ],
        "implName": "incididunt enim anim",
        "reference": "consectetur"
      }
    ],
    "nonApprovedAllowedAlgoNSCList": [
      {
        "name": "quis in",
        "caveat": "ut adipisicing",
        "useFunction": "non eu"
      }
    ],
    "nonApprovedNotAllowedAlgoList": [
      {
        "name": "in Ut incididunt",
        "useFunction": "irure"
      }
    ],
    "secFunImplList": [
      {
        "name": "nostrud ex",
        "sfTypeList": [
          {
            "sfAbbrev": "ad Excepteur sed id",
            "sfId": 53184293
          }
        ],
        "description": "ad quis irure nisi",
        "sfPropList": [
          {
            "name": "non veniam sint tempor occaecat",
            "value": "et",
            "propertyId": -30179093
          }
        ],
        "algorithmList": [
          {
            "algoDisplayName": "magna cupidatat laborum Ut in",
            "canonicalAlgorithmId": 47899832,
            "implName": "velit laborum sint id nostrud",
            "validationId": 5,
            "algoPropList": [],
            "certName": "et"
          }
        ]
      }
    ],
    "entropySourceList": [
      {
        "name": "labore ex",
        "type": "reprehenderit",
        "opEnv": "eu est",
        "sampleSize": "exercitation",
        "entropyPerSample": "cillum laborum",
        "conditioningComp": "fugiat"
      }
    ],
    "portInterfaceList": [
      {
        "physicalPort": "ullamco",
        "logicalInterfaceList": [
          "ex qui velit eu",
          "est",
          "Duis sit labore aute ex",
          "laborum fugiat adipisicing"
        ],
        "dataPasses": "ullamco voluptate in ut veniam"
      }
    ],
    "authMethodList": [
      {
        "name": "labore exercitation dolore do dolore",
        "description": "deserunt non ut",
        "mechanism": "nostrud culpa",
        "strengthEachAttempt": "exercitation reprehenderit dolor sed cillum",
        "strengthPerMin": "deserunt"
      }
    ],
    "roleList": [
      {
        "name": "aliquip fugiat",
        "type": "sint ut dolore Duis veniam",
        "operatorType": "ea elit aliquip officia",
        "authMethodList": [
          "adipisicing Ut in",
          "velit cillum cupidatat consectetur",
          "labore adipisicing",
          "Ut"
        ]
      }
    ],
    "approvedServiceList": [
      {
        "name": "ut",
        "description": "labore eu irure",
        "indicator": "qui",
        "inputs": "ea cupidatat ullamco pariatur irure",
        "outputs": "Ut aute",
        "secFunImplList": [
          "in",
          "minim sed",
          "ad pariatur"
        ],
        "roleSspAccessList": [
          {
            "roleName": "aute esse do laborum",
            "sspAccessList": [
              {
                "sspName": "quis consequat tempor laboris reprehenderit",
                "accessType": [
                  "veniam laborum tempor",
                  "cupidatat aute",
                  "ut esse sint Lorem",
                  "culpa nulla",
                  "sit consequat incididunt occaecat"
                ]
              }
            ]
          },
          {
            "roleName": "incididunt id adipisicing et",
            "sspAccessList": [
              {
                "sspName": "amet esse",
                "accessType": [
                  "sunt dolore mollit",
                  "ipsum incididunt nisi in"
                ]
              }
            ]
          },
          {
            "roleName": "non Lorem est incididunt sit",
            "sspAccessList": [
              {
                "sspName": "reprehenderit pariatur nisi sed",
                "accessType": [
                  "consequat",
                  "amet"
                ]
              }
            ]
          },
          {
            "roleName": "non enim proident ex",
            "sspAccessList": [
              {
                "sspName": "dolor voluptate",
                "accessType": [
                  "aliquip esse",
                  "et laborum eiusmod veniam"
                ]
              }
            ]
          },
          {
            "roleName": "elit",
            "sspAccessList": [
              {
                "sspName": "do sit dolor",
                "accessType": [
                  "veniam ad do",
                  "irure"
                ]
              }
            ]
          }
        ]
      }
    ],
    "nonApprovedServiceList": [
      {
        "name": "anim quis elit",
        "description": "commodo et deserunt",
        "nonApprovedAlgoList": [
          "nisi ea incididunt deserunt",
          "Duis cillum",
          "voluptate elit aute in",
          "veniam"
        ],
        "role": "exercitation aliquip"
      }
    ],
    "phSecMechanismList": [
      {
        "mechanism": "sunt",
        "inspectFreq": "quis cupidatat in",
        "inspectGuidance": "ullamco nulla in commodo sit"
      }
    ],
    "efpEftInfoList": [
      {
        "tempVoltType": "ullamco non",
        "tempVolt": "non irure consectetur mollit",
        "efpOrEft": "consectetur",
        "result": "ad"
      }
    ],
    "hardnessTestTempList": [
      {
        "tempType": "aute veniam",
        "temp": "culpa in"
      }
    ],
    "storageAreaList": [
      {
        "name": "sit exercitation nostrud veniam",
        "description": "aliquip amet dolor deserunt Lorem",
        "persistenceType": "sit consectetur ad ipsum irure"
      }
    ],
    "sspInputOutputList": [
      {
        "name": "aliquip do",
        "from": "eu sint amet Duis Excepteur",
        "to": "Excepteur commodo",
        "formatType": "magna",
        "distributionType": "dolor ea nostrud laboris ut",
        "entryType": "officia voluptate ipsum adipisicing",
        "relatedSFI": "non irure"
      }
    ],
    "sspZeroizationList": [
      {
        "method": "sint in",
        "description": "veniam",
        "rationale": "nostrud",
        "operatorInitiation": "culpa cillum proident"
      }
    ],
    "sspList": [
      {
        "name": "nulla",
        "description": "in non minim",
        "size": "id",
        "strength": "Lorem consequat sunt mollit",
        "type": "id",
        "generatedByList": [
          "est",
          "mollit in dolor eu Duis",
          "irure exercitation est commodo",
          "anim eu aliqua Excepteur",
          "ullamco ad mollit"
        ],
        "establishedByList": [
          "anim eiusmod",
          "sed enim tempor",
          "officia cillum ex nostrud",
          "elit voluptate amet laborum labore",
          "Duis amet culpa"
        ],
        "usedByList": [
          "quis",
          "proident",
          "adipisicing ea mollit",
          "cupidatat nisi incididunt dolore",
          "voluptate tempor"
        ],
        "inputOutputList": [
          "aliqua ut nisi consequat",
          "nulla in cillum est"
        ],
        "storageItemList": [
          {
            "areaName": "est consequat dolore",
            "format": "in",
            "algorithmName": "ad"
          }
        ],
        "storageDuration": "nostrud",
        "zeroizationList": [
          "ad nostrud occaecat",
          "minim ad incididunt irure",
          "aute eiusmod"
        ],
        "category": "elit do aliquip",
        "relatedSspList": [
          {
            "sspName": "quis laborum qui",
            "relationship": "mollit laborum nostrud in ut"
          }
        ]
      }
    ],
    "preOpSelfTestList": [
      {
        "algorithmOrTest": "reprehenderit exercitation commodo velit",
        "testProps": "ullamco nostrud",
        "testMethod": "amet sit minim",
        "type": "veniam",
        "indicator": "ut irure pariatur adipisicing",
        "details": "labore voluptate nisi",
        "period": "in eu ex",
        "periodicMethod": "in eu officia minim"
      }
    ],
    "condSelfTestList": [
      {
        "algorithmOrTest": "sed laboris Ut",
        "testProps": "culpa",
        "testMethod": "ea",
        "type": "laborum dolore tempor nisi",
        "indicator": "sit sed cillum qui",
        "details": "enim adipisicing eu cupidatat amet",
        "conditions": "amet laboris",
        "coverage": [],
        "coverageNotes": "velit culpa officia",
        "period": "sit",
        "periodicMethod": "dolor reprehenderit Duis"
      }
    ],
    "errorStateList": [
      {
        "name": "velit in",
        "description": "ex",
        "conditions": [
          "reprehenderit nostrud cillum anim labore",
          "do dolor officia",
          "adipisicing voluptate do tempor"
        ],
        "recoveryMethod": "aliquip",
        "indicator": "irure amet"
      }
    ],
    "referenceList": [
      "do occaecat sunt",
      "irure velit"
    ]
  }
}


[AMVP]: POST Response Submission...

{
    "url": "/amvp/v1/certRequests/8",
    "moduleId": 2,
    "vendorId": 1,
    "status": "ready",
    "securityPolicyStatus": "acceptingSubmissions",
    "evidenceStatus": "acceptingSubmissions",
    "entropyCertificates": [],
    "algorithmCertificates": [],
    "missingSPTemplate": true,
    "missingSecurityPolicySubmission": true,
    "evidenceList": [
        {
            "te": "TE02.10.01",
            "required": [],
            "oneOf": [
                {
                    "types": [
                        "SC-TE",
                        "FT-TE"
                    ],
                    "submitted": []
                }
            ],
            "complete": false
        },
        {
            "te": "TE02.12.01",
            "required": [
                {
                    "types": [
                        "FT-TE"
                    ],
                    "submitted": []
                }
            ],
            "oneOf": [],
            "complete": false
        },
        {
            "te": "TE02.19.02",
            "required": [
                {
                    "types": [
                        "FT-TE"
                    ],
                    "submitted": []
                }
            ],
            "oneOf": [],
            "complete": false
        },
        {
            "te": "TE02.22.02",
            "required": [
                {
                    "types": [
                        "FT-TE"
                    ],
                    "submitted": []
                }
            ],
            "oneOf": [],
            "complete": false
        }
    ],
    "amvVersion": "0.1"
}


Once the functionalTest evidence, source code evidence, and security policy have been approved, the draft certificate can be requested.

         |        |GET                                |      |            |
         |        |/certRequests/1/securityPolicy     |      |  Retrieve  |
         |        |---------------------------------->|      |Sec Policy  |
         |        |                                   |      |  ID = 1    |
         |        |<--------------------------------- |      | Retry as   |
         |        |                                   |      | needed     |
         |        |                                   |      |            |
         |        |GET                                |      |            |
         |        |/certRequests/1/securityPolicy     |      |  Retrieve  |
         |        |---------------------------------->|      |Sec Policy  |
         |        |                                   |      |            |
         |        |                                   |      |            |
         |        |200 OK                             |      |            |
         |        |<-  -  -  -  -  -  -  -  -  -  -  -|      |            |
         |        |   Security Policy                 |      |            |

Module certificate is fully approved.

         |        |POST                               |      |            |
         |        |/certRequests/1/certify            |      |  Request   |
         |        |---------------------------------->|      |            |
         |        |                                   |      |  ID = 1    |
         |        |<--------------------------------- |      | Retry as   |
         |        |                                   |      | needed     |
         |        |                                   |      |            |
         |        |GET                                |      |            |
         |        |/certRequests/1                    |      |  Retrieve  |
         |        |---------------------------------->|      | cert status|
         |        |                                   |      |            |
         |        |                                   |      |            |
         |        |200 OK                             |      |            |
         |        |<-  -  -  -  -  -  -  -  -  -  -  -|      |            |
         |        |   Certificate request status      |      |            |

[AMVP]: GET Response
{
    "certRequestId": 549,
    "moduleId": 190,
    "status": "approved",
    "validationCertificate": "AMV-10",
    "amvVersion": "0.1"
}

Appendix B

Proof of Concept Flows (outdated, remaining here for reference)

The initial Proof of Concept (PoC) developed will be limited to communication flows that are needed to demo the protocol. Separate automated and non-automated evidence will not be included in the PoC. These flows can also be used to define the exact testing that will be required for the various server and client milestones. Some milestones are server-centric, so testing is limited here since minimal external communication flows are exercised. Error codes and retries will be tested when possible in all test flows.

V0.1 Test Flows

The prerequisites for V0.1 testing are a VPN between client and server, TOTP, and a client certificate.

Workflow authorization flows.

         +--------+--------------------------------------+------+------------+
         | Client |                                      |Server|    Notes   |
         +--------+--------------------------------------+------+------------+
         |        |POST to /login or similar with        |      |            |
         |        |appropriate credentials               |      |            |
         |        |-------------------------------->     |      |            |
         |        |                                      |      |            |
         |        |200  OK receive the access token      |      |            |
         |        |<-  -  -  -  -  -  -  -  -  -  -      |      |            |
         |        |                                      |      |            |
         |        |POST /amvp/v1/vendors                 |      |   POST     |
         |        |---------------------------------->   |      |  vendor    |  *** vendor resource as an example
         |        |                                      |      | resource   |  *** flow is to show login sequence
         |        |                                      |      |            |
         |        |                                      |      |            |
         |        |200 OK vendors URI                    |      |            |


POST: [{"passcode":"21887897"}]

200 OK: [{"accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...."}]



Vendor POST prior to login (should fail) and after login (should be accepted). Server shall respond to valid vendor POST with 200 OK.


Expected Client Log (failing case)

[AMVP]: POST...
	Status: 404
	Url: https://localhost:8085/amvp/v1/vendors
	Resp: The path specified is not recognized.


[AMVP][ERROR]: 404 error received from server. Message:
[AMVP][ERROR]: The path specified is not recognized.



Expected Client Log (successful case)

[AMVP]: Logging in...
[AMVP]:     Login info: [{"passcode":"21887897"}]
[AMVP]: POST Login...
	Status: 200
	Url: https://localhost:8085/amvp/v1/login
	Resp: [{ "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...."}]

[AMVP]: Login successful
[AMVP]: POST...
	Status: 200
	Url: https://localhost:8085/amvp/v1/vendors

JWT Expiration/Renewal

The JWT access tokens received from the /login server endpoint SHALL be set to expire after a pre-defined period. The specific length of the expiration period is out of scope for this specification. However, the expiration period length impacts both security and protocol overhead. Longer expiration periods reduce the overhead but increase the window for attacks. Attempting to access a service with an expired JWT SHALL result in a "401 Unauthorized" HTTP status code.

A client may renew an expired JWT access token using the mechanism shown in [xml_figureRenewalFlows] below.

JWT access token renewal flows. All exchanges shown are over HTTP.

         +--------+---------------------------------+------+--------+
         | Client |                                 |Server|  Notes |
         +--------+---------------------------------+------+--------+
         |        |POST to /login or similar with   |      |        |
         |        |appropriate credentials          |      |        |
         |        |and expired JWT access token     |      |        |
         |        |-------------------------------->|      |session |
         |        |                                 |      |or      |
         |        |                                 |      |login   |
         |        |                                 |      |JWT     |
         |        |receive the renewed access token |      |        |
         |        |<-  -  -  -  -  -  -  -  -  -  - |      |        |
         |        |                                 |      |        |



JWT authorization has timed out, curl rc=401

POST: [{"passcode":"47682787","accessToken":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...."}]

200 OK: [{"accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9....."}]

Log

[AMVP]: Logging in...
[AMVP]:     Login info: [{"passcode":"63127656"}]
[AMVP]: POST Login...
	Status: 200
	Url: https://localhost:8085/amvp/v1/login
	Resp: [{ "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...."}]

[AMVP]: Login successful
[AMVP]: POST Data: /amvp/v1/vendors

[AMVP][WARNING]: JWT authorization has timed out, curl rc=401. Refreshing session...
[AMVP]: Logging in...
[AMVP]:     Login info: [{"passcode":"12345678","accessToken":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...."}]
[AMVP]: POST Login...
	Status: 200
	Url: https://localhost:8085/amvp/v1/login
	Resp: [{ "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...."}]

[AMVP]: Login successful
[AMVP]: Refresh successful, attempting to continue...
[AMVP]: POST...
	Status: 200
	Url: https://localhost:8085/amvp/v1/vendors
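
The renewal exchange logged above, as an added example that is not part of the AMVP specification or of any AMVP client or server: a client that renews on 401 exactly once and then retries, run against an in-process toy server. The toy server, its HS256 key, the 60-second lifetime and the passcodes are constructed; the message shapes follow the array form used in this appendix; the server's signature check on the expired token during renewal is an assumption, since the page only says the expired token is sent.

```python
import base64
import hashlib
import hmac
import json


def b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64u_dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class ToyServer:
    """Constructed stand-in for the server side; `now` is a manual clock in seconds."""

    def __init__(self, key, ttl, passcodes):
        self.key, self.ttl, self.now = key, ttl, 0
        self.passcodes = set(passcodes)  # each passcode is accepted once

    def _mac(self, signing_input):
        return hmac.new(self.key, signing_input.encode(), hashlib.sha256).digest()

    def _sign(self, claims):
        head = b64u(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
        body = b64u(json.dumps(claims).encode())
        return f"{head}.{body}.{b64u(self._mac(head + '.' + body))}"

    def _claims(self, token, allow_expired=False):
        """Claims if the signature verifies (and the token is unexpired), else None."""
        try:
            head, body, sig = token.split(".")
            if not hmac.compare_digest(self._mac(head + "." + body), b64u_dec(sig)):
                return None
            claims = json.loads(b64u_dec(body))
        except (ValueError, AttributeError):
            return None
        if not allow_expired and claims["exp"] <= self.now:
            return None
        return claims

    def handle(self, path, body, token=None):
        if path == "/amvp/v1/login":
            msg = body[0]
            if msg.get("passcode") not in self.passcodes:
                return 401, None
            old = msg.get("accessToken")
            # Assumption: renewal accepts an expired token but never an unsigned one.
            if old is not None and self._claims(old, allow_expired=True) is None:
                return 401, None
            self.passcodes.discard(msg["passcode"])
            return 200, [{"accessToken": self._sign({"exp": self.now + self.ttl})}]
        if self._claims(token) is None:
            return 401, None
        return 200, [{"url": path}]


class Client:
    def __init__(self, server, next_passcode):
        self.server, self.next_passcode = server, next_passcode
        self.token, self.log = None, []

    def login(self):
        msg = {"passcode": self.next_passcode()}
        if self.token is not None:
            msg["accessToken"] = self.token  # renewal: present the expired token
        status, resp = self.server.handle("/amvp/v1/login", [msg])
        if status != 200:
            self.token = None
            raise PermissionError("login rejected")
        self.token = resp[0]["accessToken"]
        self.log.append("renew" if "accessToken" in msg else "login")

    def post(self, path, body):
        if self.token is None:
            self.login()
        status, resp = self.server.handle(path, body, self.token)
        if status == 401:  # expired: renew once and retry once, never loop
            self.login()
            status, resp = self.server.handle(path, body, self.token)
        self.log.append(f"{status} {path}")
        return status, resp


def demo():
    codes = iter(["10000001", "10000002"])  # constructed passcodes
    server = ToyServer(b"constructed-key", ttl=60, passcodes=["10000001", "10000002"])
    client = Client(server, lambda: next(codes))
    first = client.post("/amvp/v1/vendors", [{}])[0]
    server.now = 61  # the first token has now expired
    second = client.post("/amvp/v1/vendors", [{}])[0]
    return first, second, client.log


if __name__ == "__main__":
    print(demo())
```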

V0.2 Test Flows

Metadata creation and update example. The list of available resource metadata endpoints can be found in [xml_uriResources]. An example minimum message flow between client and server after receiving the JWT is seen in the figure below.

Test vendors, modules and evidence catalog.


   +--------+-----------------------------------+------+------------+
   | Client |                                   |Server|  Notes     |
   +--------+-----------------------------------+------+------------+
   |        |POST /amvp/v1/modules              |      | Create     |
   |        |---------------------------------->|      | Metadata   |
   |        |                                   |      |            |
   |        |receive request identifier         |      |            |
   |        |<-  -  -  -  -  -  -  -  -  -  -  -|      |            |
   |        |                                   |      |            |

   |        |PUT /modules                       |      | Update     |
   |        |---------------------------------->|      | Metadata   |
   |        |                                   |      |            |
   |        |receive request identifier         |      |            |
   |        |<-  -  -  -  -  -  -  -  -  -  -  -|      |            |
   |        |                                   |      |            |



Log

[AMVP]: Logging in...
[AMVP]:     Login info: [{"passcode":"37362840"}]
[AMVP]: POST Login...
	Status: 200
	Url: https://localhost:8085/amvp/v1/login
	Resp: [{ "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."}]

[AMVP]: Login successful
[AMVP]: POST...
	Status: 200
	Url: https://localhost:8085/amvp/v1/modules
	Resp: [{  "url": "/amvp/v1/requests/28665",    "status": "approved",    "approvedUrl": "/amvp/v1/modules/13780" }] ** Immediate approval or just 200 OK ?

V0.3 Test Flows

Re-test V0.1 and V0.2 to verify that the server creates objects. Use GET for resource objects and evidence.

After re-running V0.2, perform GET on objects following POST.


   |        |GET                                |      |            |
   |        |/requests/1                        |      | Retrieve   |
   |        |---------------------------------->|      | Request    |
   |        |                                   |      |            |
   |        |receive module URL                 |      |            |
   |        |<-  -  -  -  -  -  -  -  -  -  -  -|      |            |
   |        |  /amvp/v1/modules/11208           |      |            |
   |        |                                   |      |            |


After re-running V0.2, perform GET on objects following PUT.

   |        |GET                                |      |            |
   |        |/requests/2                        |      |  Retrieve  |
   |        |---------------------------------->|      |  Request   |
   |        |                                   |      |            |
   |        |module URL:                        |      |  updated   |
   |        |<-  -  -  -  -  -  -  -  -  -  -  -|      |  or new    |
   |        |  /amvp/v1/modules/11208           |      |            |
   |        |                                   |      |            |

GET after POST or PUT log

[AMVP]: Logging in...
[AMVP]:     Login info: [{"passcode":"25008415"}]
[AMVP]: POST Login...
	Status: 200
	Url: https://localhost:8085/amvp/v1/login
	Resp: [{ "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...."}]

[AMVP]: Login successful
[AMVP]: GET...
	Status: 200
	Url: https://localhost:8085/amvp/v1/modules/13780
	Resp: [{
   {
    "schemaVersion": "initial",
    "moduleInfo": {
      "name": "OpenSSL FIPS Provider",
      "count": 1,
      "description": "FIPS Provider V3.0.0",
      "embodiment": "Single Chip",
      "type": "software",
      "opEnvType": "Intel X86_64",
      "submissionLevel": "Level 1",
      "itar": false,
      "overallSecurityLevel": 1
    },
      "secLevels": [
        {
          "section": 1,
          "level": 1
        },
        {
          "section": 2,
          "level": 1
        },
        {
          "section": 3,
          "level": 1
        },
        {
          "section": 4,
          "level": 1
        },
        {
          "section": 5,
          "level": 1
        },
        {
          "section": 6,
          "level": 1
        },
        {
          "section": 7,
          "level": 1
        },
        {
          "section": 8,
          "level": 1
        },
        {
          "section": 9,
          "level": 1
        },
        {
          "section": 10,
          "level": 1
        },
        {
          "section": 11,
          "level": 1
        },
        {
          "section": 12,
          "level": 1
        }
      ],
    "implementsOtar": true,
    "hasNonApprovedMode": true,
    "requiresInitialization": true,
    "hasExcludedComponents": true,
    "hasDegradedMode": false,
    "hasPPAorPAI": false,
    "hasEmbeddedOrBoundModule": false,
    "hasCriticalFunctions": false,
    "hasNonApprovedAlgorithmsInApprovedMode": false,
    "hasExternalInputDevice": false,
    "hasExternalOutputDevice": false,
    "usesTrustedChannel": true,
    "supportsConcurrentOperators": true,
    "usesIdentityBasedAuthentication": true,
    "hasMaintenanceRole": true,
    "allowsOperatorToChangeRoles": false,
    "hasDefaultAuthenticationData": true,
    "usesEDC": true,
    "allowsExternalLoadingOfSoftwareOrFirmware": false,
    "containsNonReconfigurableMemory": true,
    "usesOpenSource": false,
    "providesMaintenanceAccessInterface": false,
    "hasVentilationOrSlits": false,
    "hasRemovableCover": false,
    "hasTamperSeals": false,
    "hasOperatorAppliedTamperSeals": false,
    "hasEFPorEFT": false,
    "outputsSensitiveDataAsPlaintext": false,
    "supportsManualSSPEntry": true,
    "usesSplitKnowledge": true,
    "hasCVE": true,
    "hasAdditionalMitigations": false,
    "usesOtherCurve": true,
    "supportsBypassCapability": false,
    "hasOTPMemory": false
    }

V0.4 Test Flows

Submit evidence to server and return results.

   +--------+-----------------------------------+------+------------+
   | Client |                                   |Server|  Notes     |
   +--------+-----------------------------------+------+------------+
   |        |POST certRequests                  |      |   Submit   |
   |        |---------------------------------->|      |Module Cert |
   |        | w/URIs to bind modules, vendors,  |      |   Request  |
   |        | and contacts                      |      |            |
   |        |                                   |      |            |
   |        |200 OK certRequests URLs           |      |            |
   |        |<-  -  -  -  -  -  -  -  -  -  -  -|      |            |
   |        |    certRequests/1/evidence        |      |            |
   |        |                                   |      |            |
   |        |GET  (automatable evidence)        |      |            |
   |        |/certRequests/1/evidence           |      |  Retrieve  | ** GET supported in V0.5 ?
   |        |---------------------------------->|      |Cert Request|
   |        |                                   |      | assertions |
   |        |200 OK assertions for evidence 1   |      |            |
   |        |<-  -  -  -  -  -  -  -  -  -  -  -|      |            |
   |        |                                   |      |            |
   |        |POST Test Evidence for assertions  |      |            |
   |        |for automatable evidence           |      |   Submit   |
   |        |---------------------------------->|      |  Response  |
   |        |                                   |      |            |
   |        |200 OK                             |      |            |
   |        |<-  -  -  -  -  -  -  -  -  -  -  -|      |            |
   |        |   state: autoInReview             |      |            |
   |        |                                   |      |            |

Log

[AMVP]: Logging in...
[AMVP]:     Login info: [{"passcode":"33222621"}]
[AMVP]: POST Login...
	Status: 200
	Url: https://localhost:8085/amvp/v1/login
	Resp: [{ "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...."}]

[AMVP]: Login successful
[AMVP]: Reading module cert request file...
[AMVP]: Sending module cert request...
[AMVP]: POST...
	Status: 200
	Url: https://localhost:8085/amvp/v1/certRequests

        {
            "moduleId" : 121,
            "vendorId" : 12345,
            "contacts" : ["CVP-012345", "CVP-67890"]
        }

	Resp: [{ "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9....",
                 "url": "/amvp/v1/certRequests/287357", "crUrls": [ "/amvp/v1/certRequests/287357/evidence/1146094" ]}]

[AMVP]: Successfully sent mod cert req and received list of TE URLs
[AMVP]: GET /amvp/v1/certRequests/287357/evidence/1146094
[AMVP]: GET Vector Set...
	Status: 200
	Url: https://localhost:8085/amvp/v1/certRequests/287357/evidence/1146094
	Resp:
[{ "evidenceId": 1146094, "revision": "1.0",  "teGroups": [ { "teId": 1, "autoTE": ["TE02.20.01", "TE02.20.02", "TE11.16.01","TE04.11.01", "TE04.11.02"]}]}]

[AMVP]: Processing ie set: 1146094
[AMVP]: Successfully processed vector set
[AMVP]: Posting ie set responses for vsId 1146094 to URL: /amvp/v1/certRequests/287357/evidence/1146094...
[AMVP]: POST Response Submission...
	Status: 200
	Url: https://localhost:8085/amvp/v1/certRequests/287357/evidence/1146094/results

V0.5 Test Flows

Server will complete processing of evidence and return status.

   +--------+-----------------------------------+------+------------+
   | Client |                                   |Server|  Notes     |
   +--------+-----------------------------------+------+------------+
   |        |POST certRequests                  |      |   Submit   |
   |        |---------------------------------->|      |Module Cert |
   |        | w/URIs to bind modules, vendors,  |      |   Request  |
   |        | and contacts                      |      |            |
   |        |                                   |      |            |
   |        |200 OK certRequests URLs           |      |            |
   |        |<-  -  -  -  -  -  -  -  -  -  -  -|      |            |
   |        |   state: IUT                      |      |            |
   |        |    certRequests/1/evidence/1      |      |            |
   |        |                                   |      |            |
   |        |GET                                |      |            |
   |        |/certRequests/1/evidence/1         |      |  Retrieve  |
   |        |---------------------------------->|      |Cert Request|
   |        |                                   |      | assertions |
   |        |200 OK assertions for evidence 1   |      |            |
   |        |<-  -  -  -  -  -  -  -  -  -  -  -|      |            |
   |        |                                   |      |            |
   |        |POST Test Evidence for assertions  |      |   Submit   |
   |        |---------------------------------->|      |  Response  |
   |        |                                   |      |            |
   |        |200 OK                             |      |            |
   |        |<-  -  -  -  -  -  -  -  -  -  -  -|      |            |
   |        |   state: autoInReview             |      |            |
   |        |                                   |      |            |
   |        |GET                                |      |            |
   |        |certRequests/1/results             |      |  Retrieve  |
   |        |---------------------------------->|      |Disposition |
   |        |                                   |      |            |
   |        |200 OK receive results             |      |            |
   |        |<-  -  -  -  -  -  -  -  -  -  -  -|      |            |
   |        |   state: autoInReview             |      |            |

--- Poll periodically ---

   |        |GET                                |      |            |
   |        |certRequests/1/results             |      |  Retrieve  |
   |        |---------------------------------->|      |Disposition |
   |        |                                   |      |            |
   |        |200 OK receive results             |      |            |
   |        |<-  -  -  -  -  -  -  -  -  -  -  -|      |            |
   |        |   state: autoCoordination         |      |            |
   |        | "passed": true                    |      |            |
   |        |                                   |      |            |


   |        | PUT                               |      |            |
   |        | certRequests/1/evidence/1         |      |            |
   |        |---------------------------------->|      |            |
   |        |                                   |      |            |
   |        |200 OK receive results             |      |            |
   |        |<-  -  -  -  -  -  -  -  -  -  -  -|      |            |
   |        |   state: autoCoordination         |      |            |
   |        | "url": "/amvp/v1/requests/1",     |      |            |
   |        | "status": "initial"}              |      |            |
   |        |                                   |      |            |
   |        |GET                                |      |            |
   |        |certRequests/1/results             |      |  Retrieve  |
   |        |---------------------------------->|      |Disposition |
   |        |                                   |      |            |
   |        |200 OK receive results             |      |            |
   |        |<-  -  -  -  -  -  -  -  -  -  -  -|      |            |
   |        |   state: pendingAudit             |      |            |
   |        |  "url" : "/amvp/v1/requests/1"    |      |            |
   |        |                                   |      |            |

   |        |GET                                |      |            |
   |        |/requests/1                        |      |            |
   |        |---------------------------------->|      |  Retrieve  |
   |        |                                   |      |  Request   |
   |        |200 OK receive cert                |      |            |
   |        |<-  -  -  -  -  -  -  -  -  -  -  -|      |            |
   |        |   state: finalization             |      | Complete   |
   |        | "approvedUrl" : "/amvp/v1/validations/1",
   |        |                 "modValidationId": "M1"


Optional Flow:
Independently GET docs as needed


   |        |GET                                |      |            |
   |        |certRequests/1/docs                |      |  Retrieve  |
   |        |---------------------------------->|      |  Docs      |
   |        |                                   |      |            |

--- Poll periodically ---

   |        |200 OK receive results             |      |            |
   |        |<-  -  -  -  -  -  -  -  -  -  -  -|      | Doc URLs   |
   |        |"secPolicy" : "/amvp/v1/sp0001"    |      |            |
   |        |"draftCert" : "/amvp/v1/dc0001"    |      |            |
   |        |                                   |      |            |
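The "Poll periodically" steps in the V0.5 diagrams, as an added Python example that is not part of the AMVP specification or of any client: a bounded poll with capped exponential backoff that refuses to act on a state name it does not recognise. The state order is read from the diagram; the "state" field in the results body, the delay values, the `scripted` helper and the choice to treat a backwards step as an error are assumptions of this example.

```python
import itertools
import time

# State names in the order the V0.5 diagram shows them.
STATES = ["IUT", "autoInReview", "autoCoordination", "pendingAudit", "finalization"]

class ProtocolError(Exception):
    """The server answered with something this client will not act on."""

def backoff(base=1.0, cap=60.0):
    """Yield capped exponential delays: base, 2*base, 4*base, ... up to cap."""
    for n in itertools.count():
        yield min(cap, base * (2 ** n))

def poll_until(get_results, target, max_polls=10, sleep=time.sleep):
    """Poll until the cert request reaches `target`; return the states seen.

    get_results is a callable returning the parsed body of
    GET certRequests/<id>/results (assumed to carry a "state" field).
    """
    if target not in STATES:
        raise ValueError("unknown target state: %r" % (target,))
    goal = STATES.index(target)
    seen, last = [], -1
    delays = backoff()
    for _ in range(max_polls):
        resp = get_results()
        state = resp.get("state")
        if state not in STATES:
            raise ProtocolError("unrecognised state: %r" % (state,))
        idx = STATES.index(state)
        if idx < last:
            raise ProtocolError("state moved backwards: %s -> %s"
                                % (STATES[last], state))
        if idx > last:
            seen.append(state)
            last = idx
        if resp.get("passed") is False:
            raise ProtocolError("evidence reported as failed in %s" % state)
        if idx >= goal:
            return seen
        sleep(next(delays))       # wait before the next GET
    raise TimeoutError("%s not reached after %d polls" % (target, max_polls))

def scripted(responses):
    """Constructed stand-in for the server: hands out the responses in turn."""
    it = iter(responses)
    return lambda: next(it)
```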




[AMVP]: Logging in...
[AMVP]:     Login info: [{"passcode":"03363978"}]
[AMVP]: POST Login...
	Status: 200
	Url: https://localhost:8085/amvp/v1/login
	Resp: [{ "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...."}]

[AMVP]: Login successful
[AMVP]: Reading module cert request file...
[AMVP]: Sending module cert request...

[AMVP]: POST...
	Status: 200
	Url: https://localhost:8085/amvp/v1/certRequest

        POST /amvp/v1/certRequests/1
         [{"moduleId" :  [{"/amvp/v1/modules/0918273546"}]
            },{ "vendorId" : {"/amvp/v1/vendors/12345"}
            }, { "contacts" : [{"John Smith", {"CVP" : "012345"}}, {"Jane Smith", {"CVP" : "67890"}}]
            }]
	Resp: [{ "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9....",
                 "url": "/amvp/v1/certRequests/287357", "crUrls": [ "/amvp/v1/certRequests/287357/evidence/1146094" ]}]

[AMVP]: Successfully sent mod cert req and received list of TE URLs
[AMVP]: GET /amvp/v1/certRequests/287357/evidence/1146094
[AMVP]: GET Vector Set...
	Status: 200
	Url: https://localhost:8085/amvp/v1/certRequests/287357/evidence/1146094
	Resp:
[{ "evidenceId": 1146094, "revision": "1.0",  "teGroups": [ { "teId": 1, "autoTE": ["TE02.20.01", "TE02.20.02", "TE11.16.01","TE04.11.01", "TE04.11.02"]}]}]
[AMVP]: Processing ie set: 1146094
[AMVP]: Successfully processed vector set
[AMVP]: Posting ie set responses for vsId 1146094 to URL: /amvp/v1/certRequests/287357/evidence/1146094...
[AMVP]: POST Response Submission...

    {
        "evidenceSet": [
            {
                "testRequirement": "TE02.20.01",
                "evidence": "\/acvp\/v1\/validations\/99999",
                "note": "this is a fake endpoint"
            },
            {
                "testRequirement": "TE02.20.02",
                "evidence": "none"
            },
            {
                "testRequirement": "TE11.16.01",
                "evidence": "Version X.Y.Z of the module meets the assertion"
            },
            {
                "testRequirement": "TE04.11.01",
                "evidence": "<BASE64(table of services.pdf) compliant with SP800-140Br>"
            },
            {
                "testRequirement": "TE04.11.02",
                "evidence": "\/www.cisco.com\/amvpevidence\/log_te041102.txt",
                "note": "this is a fake endpoint"
            },
            {
                "testRequirement": "TE10.10.01",
                "evidence": "Degraded mode not supported, no algorithms can be used...goes directly into SP."
            },
            {
                "testRequirement": "TE10.10.02",
                "evidence": "\/www.cisco.com\/amvpevidence\/log_te041102.txt",
                "note": "this is a fake endpoint"
            },
            {
                "testRequirement": "TE11.08.01",
                "evidence": "\/www.cisco.com\/amvpevidence\/FSM.pdf",
                "note": "this is a fake endpoint"
            },
            {
                "testRequirement": "TE11.08.02",
                "evidence": "See TE11.08.01"
            }
        ]
    }

	Status: 200
	Url: https://localhost:8085/amvp/v1/certRequests/287357/evidence/1146094/results
[AMVP]: GET Vector Set Result...
	Status: 200
	Url: https://localhost:8085/amvp/v1/certRequests/287357/results
	Resp:
[ { "passed": true, "results": [ { "evSetUrl": "/amvp/v1/certRequests/287357/evidence/1146094", "status": "passed" }]} ]

[AMVP]: Passed all evidence in test session!

--optional--

[AMVP]: Tests complete, request SP and DC...
[AMVP]: GET SP and DC...
	Status: 200
	Url: https://localhost:8085/amvp/v1/certRequests/287357/docs
	Resp:
[ {"secPolicyUrl" :  "/amvp/v1/requests/287355", "draftCertUrl" : "/amvp/v1/requests/287356"}]

[AMVP]: Security Policy url: /amvp/v1/requests/287355
[AMVP]: Draft Certificate url: /amvp/v1/requests/287356

[AMVP]: PUT testSession Validation...
	Status: 200
	Url: https://localhost:8085/amvp/v1/certRequests/287357
        {"moduleUrl": "/amvp/v1/modules/11630"}

	Resp: [ {  "url": "/amvp/v1/requests/27358",  "status": "initial"}]

[AMVP]: Validation requested -- status initial -- url: /amvp/v1/requests/27358

Once audit completed, GET request approval.

[AMVP]: Logging in...
[AMVP]:     Login info: [{"passcode":"85380204"}]
[AMVP]: POST Login...
	Status: 200
	Url: https://localhost:8085/amvp/v1/login
	Resp: [{ "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...."}]

[AMVP]: Login successful
[AMVP]: GET Response:

[ {  "url": "/amvp/v1/requests/27358",  "status": "approved",  "approvedUrl": "/amvp/v1/validations/41763"}]
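A pre-submission check for the evidence exchange in the V0.5 log, as an added Python example that is not part of the AMVP specification or of the client that produced the log: it compares the "evidenceSet" about to be POSTed with the "autoTE" list the server returned and reports missing, unrequested, placeholder, duplicate and malformed entries. The function names, the report keys and the placeholder word list are assumptions; the two JSON documents are taken from the log, with long evidence strings shortened.

```python
import re

TE_ID = re.compile(r"TE\d{2}\.\d{2}\.\d{2}")   # shape of the TE ids in the log
PLACEHOLDERS = {"", "none", "n/a", "tbd"}      # assumption: values to re-check

def requested_tes(evidence_set):
    """Collect every autoTE id from a GET .../evidence/<id> response."""
    wanted = []
    for group in evidence_set.get("teGroups", []):
        wanted.extend(group.get("autoTE", []))
    return wanted

def check_submission(evidence_set, submission):
    """Compare a results payload with the TEs the server asked for."""
    wanted = requested_tes(evidence_set)
    report = {"missing": [], "unrequested": [], "placeholder": [],
              "duplicate": [], "malformed": []}
    seen = set()
    for item in submission.get("evidenceSet", []):
        te = item.get("testRequirement", "")
        ev = item.get("evidence", "")
        if not isinstance(te, str) or not TE_ID.fullmatch(te):
            report["malformed"].append(te)
            continue
        if te in seen:
            report["duplicate"].append(te)
        seen.add(te)
        if te not in wanted:
            report["unrequested"].append(te)
        if not isinstance(ev, str) or ev.strip().lower() in PLACEHOLDERS:
            report["placeholder"].append(te)
    report["missing"] = [te for te in wanted if te not in seen]
    return report

# Evidence-set response and submission as they appear in the V0.5 log
# (long evidence strings shortened here).
EVIDENCE_SET = {"evidenceId": 1146094, "revision": "1.0", "teGroups": [
    {"teId": 1, "autoTE": ["TE02.20.01", "TE02.20.02", "TE11.16.01",
                           "TE04.11.01", "TE04.11.02"]}]}
SUBMISSION = {"evidenceSet": [
    {"testRequirement": "TE02.20.01", "evidence": "/acvp/v1/validations/99999"},
    {"testRequirement": "TE02.20.02", "evidence": "none"},
    {"testRequirement": "TE11.16.01", "evidence": "Version X.Y.Z meets the assertion"},
    {"testRequirement": "TE04.11.01", "evidence": "<BASE64(...)>"},
    {"testRequirement": "TE04.11.02", "evidence": "/www.cisco.com/amvpevidence/log_te041102.txt"},
    {"testRequirement": "TE10.10.01", "evidence": "Degraded mode not supported"},
    {"testRequirement": "TE10.10.02", "evidence": "/www.cisco.com/amvpevidence/log_te041102.txt"},
    {"testRequirement": "TE11.08.01", "evidence": "/www.cisco.com/amvpevidence/FSM.pdf"},
    {"testRequirement": "TE11.08.02", "evidence": "See TE11.08.01"},
]}

def page_report():
    """Run the check on the page's own V0.5 exchange."""
    return check_submission(EVIDENCE_SET, SUBMISSION)

if __name__ == "__main__":
    for key, ids in page_report().items():
        print("%-12s %s" % (key, ", ".join(map(str, ids)) or "-"))
```

On the page's data the check reports four submitted TEs that the evidence set did not request and one entry whose evidence is the literal string "none".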

V1.0 Test Flows

Full flow support through validation completion.

JSON for UT

Lab
Vendor

POSTed to /amvp/v1/vendors

{
  "vendor": {
    "name": "Cisco Systems, Inc.",
    "addresses": [
      {
        "street": "170 West Tasman Dr.",
        "locality": "San Jose",
        "region": "CA",
        "country": "USA",
        "postalCode": "95134"
      }
    ],
    "website": "www.cisco.com",
    "productLink": "www.cisco.com/product/cr9000",
    "contacts": [
      {
        "name": "Tom Smith",
        "phoneNumbers": [
          "123-456-7890"
        ],
        "emails": [
          "[email protected]"
        ]
      }
    ]
  }
}

ModuleSpec

POSTed to /amvp/v1/modules