initial commit

Signed-off-by: Maik Riechert <maik.riechert@microsoft.com>

Author: letmaik

.github/workflows/ci.yml

@@ -0,0 +1,21 @@
+name: CI
+on:
+  push:
+    branches:
+      - main
+    paths-ignore:
+      - '**.md'
+  pull_request:
+    paths-ignore:
+      - '**.md'
+  workflow_dispatch:
+
+jobs:
+  ci:
+    name: CI
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+
+    - run: ./run-tests.sh
+    

.gitignore

@@ -0,0 +1,148 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+pip-wheel-metadata/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+.python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+#Pipfile.lock
+Pipfile
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
+# history cache
+.history/
+
+
+#redis cache file
+.dump.rdb
+dump.rdb
+.rdb
+
+#vscode configure
+vscode/
+.vscode/
+vscode
+
+workspace/
+*.cbor
+*.cose

CODE_OF_CONDUCT.md

@@ -0,0 +1,9 @@
+# Microsoft Open Source Code of Conduct
+
+This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
+
+Resources:
+
+- [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/)
+- [Microsoft Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/)
+- Contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with questions or concerns

CONTRIBUTING.md

@@ -0,0 +1,14 @@
+# Contributing
+
+This project welcomes contributions and suggestions. Most contributions require you to
+agree to a Contributor License Agreement (CLA) declaring that you have the right to,
+and actually do, grant us the rights to use your contribution. For details, visit
+https://cla.microsoft.com.
+
+When you submit a pull request, a CLA-bot will automatically determine whether you need
+to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the
+instructions provided by the bot. You will only need to do this once across all repositories using our CLA.
+
+This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
+For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/)
+or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.

LICENSE.txt

@@ -0,0 +1,21 @@
+Copyright (c) Microsoft Corporation.
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED *AS IS*, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,138 @@
+# SCITT API emulator
+
+This repository contains the source code for the SCITT API emulator. It is meant to allow experimenting with [SCITT](https://datatracker.ietf.org/wg/scitt/about/) APIs and formats. It is not meant to be used in production code.
+
+## Prerequisites
+
+The emulator assumes a Linux environment with Python 3.8 or higher.
+On Ubuntu, run the following to install Python:
+
+```sh
+sudo apt install python3.8 python3.8-venv
+```
+
+## Clone the emulator
+
+Clone the scitt-api-emulator repository and change into the scitt-api-emulator folder:
+
+```sh
+git clone https://github.com/microsoft/scitt-api-emulator
+cd scitt-api-emulator
+```
+
+## Use the emulator
+
+### Start a fake SCITT service
+
+```sh
+./scitt-emulator.sh server --workspace workspace/ --tree-alg CCF
+```
+
+`--tree-alg` is currently `CCF` only. 
+
+The default port is 8000 but can be changed with the `--port` argument.
+
+Now the server is running at http://localhost:8000/ and uses `workspace/` to store the service parameters and service state.
+
+The service has the following REST API:
+
+- `POST /entries` - submit a COSE_Sign1 claim to the emulator and return an entry id
+- `GET /entries/<entry_id>` - retrieve the COSE_Sign1 claim for the corresponding entry id
+- `GET /entries/<entry_id>/receipt` - retrieve the SCITT receipt for corresponding entry id
+
+The following steps should be done from a different terminal, leaving the service running in the background.
+
+### Create claims
+
+```sh
+./scitt-emulator.sh client create-claim --issuer did:web:example.com --content-type application/json --payload '{"sun": "yellow"}' --out claim.cose
+```
+
+Note: The emulator does not verify claim signatures and generates an ad-hoc key pair to sign the claim.
+
+### Submit claims and retrieve receipts
+
+```sh
+./scitt-emulator.sh client submit-claim --claim claim.cose --out claim.receipt.cbor
+```
+
+The `submit-claim` command uses the default service URL `http://127.0.0.1:8000` which can be changed with the `--url` argument. It can be used with the built-in server or an external service implementation.
+
+This command sends the following two requests:
+
+1. `POST /entries` with the claim file as HTTP body. The response is JSON containing `"entry_id"`.
+2. `GET /entries/<entry_id>/receipt` to retrieve the SCITT receipt.
+
+### Retrieve claims
+
+```sh
+./scitt-emulator.sh client retrieve-claim --entry-id 123 --out claim.cose
+```
+
+The `retrieve-claim` command uses the default service URL `http://127.0.0.1:8000` which can be changed with the `--url` argument. It can be used with the built-in server or an external service implementation.
+
+This command sends the following request:
+
+- `GET /entries/<entry_id>` to retrieve the claim.
+
+### Retrieve receipts
+
+```sh
+./scitt-emulator.sh client retrieve-receipt --entry-id 123 --out receipt.cbor
+```
+
+The `retrieve-receipt` command uses the default service URL `http://127.0.0.1:8000` which can be changed with the `--url` argument. It can be used with the built-in server or an external service implementation.
+
+This command sends the following request:
+
+- `GET /entries/<entry_id>/receipt` to retrieve the receipt.
+
+### Validate receipts 
+
+```sh
+./scitt-emulator.sh client verify-receipt --claim claim.cose --receipt claim.receipt.cbor --service-parameters workspace/service_parameters.json
+```
+
+The `verify-receipt` command verifies a SCITT receipt given a SCITT claim and a service parameters file. This command can be used to verify receipts generated by other implementations.
+
+The `service_parameters.json` file gets created when starting a service using `./scitt-emulator.sh server`. The format of this file is not standardized and is currently:
+
+```json
+{
+    "serviceId": "emulator",
+    "treeAlgorithm": "CCF",
+    "signatureAlgorithm": "ES256",
+    "serviceCertificate": "-----BEGIN CERTIFICATE-----..."
+}
+```
+
+`"signatureAlgorithm"` and `"serviceCertificate"` are additional parameters specific to the [`CCF` tree algorithm](https://ietf-scitt.github.io/draft-birkholz-scitt-receipts/draft-birkholz-scitt-receipts.html#name-additional-parameters).
+
+### COSE and CBOR debugging
+
+The following websites can be used to inspect COSE and CBOR files:
+
+- https://gluecose.github.io/cose-viewer/
+- https://cbor.me/
+
+## Code structure
+
+`scitt_emulator/scitt.py` contains the core SCITT algorithms that are agnostic of a specific tree algorithm.
+
+`scitt_emulator/ccf.py` is the implementation of the [CCF tree algorithm](https://ietf-scitt.github.io/draft-birkholz-scitt-receipts/draft-birkholz-scitt-receipts.html#name-ccf-tree-algorithm). For each claim, a receipt is generated using a fake but valid Merkle tree that is independent of other submitted claims. A real CCF service would maintain a single Merkle tree covering all submitted claims and auxiliarly entries.
+
+`scitt_emulator/server.py` is a simple Flask server that acts as a SCITT transparency service.
+
+`scitt_emulator/client.py` is a CLI that supports creating claims, submitting claims to and retrieving receipts from the server, and verifying receipts.
+
+In order to add a new tree algorithm, a file like `scitt_emulator/ccf.py` must be created and the containing class be added in `scitt_emulator/tree_algs.py`.
+
+## Run tests
+
+```
+./run-tests.sh
+```
+
+## Contributing
+
+This project welcomes contributions and suggestions. Please see the [Contribution guidelines](CONTRIBUTING.md).