fix: enhance Tag validation to detect schema issues in signedcorim_test

corim/signedcorim_test.go

@@ -118,28 +118,13 @@ func certChain() []byte {
 }
 
 func TestSignedCorim_TaggedFromCOSE_ok(t *testing.T) {
-	/*
-	   500(
-	   502(
-	   18(
-	     [
-	       / protected h'a10126' / << {
-	         / alg / 1: -7, / ECDSA 256 /
-	         / content-type / 3: "application/rim+cbor",
-	         / issuer-key-id / 4: 'meriadoc.brandybuck@buckland.example',
-	         / corim-meta / 8: h'a200a1006941434d45204c74642e01a101c11a5fad2056'
-	       } >>,
-	       / unprotected / {},
-	       / payload / << 501({
-	         0: "test corim id",
-	         1: [
-	           506(h'A40065656E2D474201A1005043BBE37F2E614B33AED353CFF1428B160281A3006941434D45204C74642E01D8207468747470733A2F2F61636D652E6578616D706C65028300010204A1008182A100A300D90258582061636D652D696D706C656D656E746174696F6E2D69642D303030303030303031016441434D45026A526F616452756E6E657283A200D90258A30162424C0465322E312E30055820ACBB11C7E4DA217205523CE4CE1A245AE1A239AE3C6BFD9E7871F7E5D8BAE86B01A102818201582087428FC522803D31065E7BCE3CF03FE475096631E5E07BBD7A0FDE60C4CF25C7A200D90258A3016450526F540465312E332E35055820ACBB11C7E4DA217205523CE4CE1A245AE1A239AE3C6BFD9E7871F7E5D8BAE86B01A10281820158200263829989B6FD954F72BAAF2FC64BC2E2F01D692D4DE72986EA808F6E99813FA200D90258A3016441526F540465302E312E34055820ACBB11C7E4DA217205523CE4CE1A245AE1A239AE3C6BFD9E7871F7E5D8BAE86B01A1028182015820A3A5E715F0CC574A73C3F9BEBB6BC24F32FFD5B67B387244C2C909DA779A1478')
-	         ]
-	       }) >>,
-	       / signature / h'deadbeef'
-	     ]
-	   )))
-	*/
+	var actual SignedCorim
+	err := actual.FromCOSE(testGoodSignedCorimCBOR)
+
+	assert.Nil(t, err)
+}
+
+func TestSignedCorim_TaggedFromCOSE_bad(t *testing.T) {
 	tv := []byte{0xd9, 0x01, 0xf4, 0xd9, 0x01, 0xf6, 0xd2,
 		0x84, 0x58, 0x59, 0xa4, 0x01, 0x26, 0x03, 0x74,
 		0x61, 0x70, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x74,
@@ -213,7 +198,7 @@ func TestSignedCorim_TaggedFromCOSE_ok(t *testing.T) {
 	var actual SignedCorim
 	err := actual.FromCOSE(tv)
 
-	assert.Nil(t, err)
+	assert.ErrorContains(t, err, "tag validation failed")
 }
 
 func TestSignedCorim_FromCOSE_fail_no_tag(t *testing.T) {

corim/unsignedcorim.go

@@ -342,12 +342,55 @@ type Tag struct {
 	Content []byte
 }
 
+// Valid validates the tag content based on its tag number.
+// For CoMID tags (506), it unmarshals and validates the content.
+// For CoSWID tags (505), it validates the CoSWID structure.
+// For other tags, it ensures the content is valid CBOR.
 func (o Tag) Valid() error {
-	// there is no much we can check here, except making sure that the tag is
-	// not zero-length
 	if len(o.Content) == 0 {
 		return errors.New("empty tag")
 	}
+
+	switch o.Number {
+	case ComidTag:
+		return o.validateComidTag()
+	case CoswidTag:
+		return o.validateCoswidTag()
+	default:
+		return o.validateGenericCBOR()
+	}
+}
+
+// validateComidTag unmarshals and validates CoMID tag content.
+func (o Tag) validateComidTag() error {
+	var c comid.Comid
+	if err := dm.Unmarshal(o.Content, &c); err != nil {
+		return fmt.Errorf("invalid CoMID content: %w", err)
+	}
+
+	if err := c.Valid(); err != nil {
+		return fmt.Errorf("CoMID validation failed: %w", err)
+	}
+
+	return nil
+}
+
+// validateCoswidTag validates CoSWID tag content by attempting to unmarshal it.
+func (o Tag) validateCoswidTag() error {
+	var s swid.SoftwareIdentity
+	if err := dm.Unmarshal(o.Content, &s); err != nil {
+		return fmt.Errorf("invalid CoSWID content: %w", err)
+	}
+
+	return nil
+}
+
+// validateGenericCBOR ensures the tag content is valid CBOR for unknown tag types.
+func (o Tag) validateGenericCBOR() error {
+	var raw interface{}
+	if err := dm.Unmarshal(o.Content, &raw); err != nil {
+		return fmt.Errorf("invalid CBOR content: %w", err)
+	}
 	return nil
 }