This workspace contains tooling for the Arm Authenticated Debug and Access Control (ADAC) specification. It provides the core library, command-line utilities, cryptographic provider backends, and tests needed to create, sign, and validate ADAC certificates and attestation tokens.
Arm ADAC specifications (DEN0101) contain full normative definitions of ADAC data structures and processing rules.
- `adac`: Core library with ADAC data structures, certificate parsing, and signing/verification primitives.
- `adac-cli`: Command-line utility for creating, inspecting, and verifying ADAC artifacts.
- `adac-crypto-*`: Cryptographic provider backends (RustCrypto, AWS-LC, PKCS#11, Cryptoki) that plug into the core library.
- `adac-tests`: Integration and conformance harnesses. See `adac-tests/README.md` for the full matrix and environment setup.
- Rust stable toolchain (install via `rustup`); the workspace tracks the latest stable release, so `rustup update` beforehand is recommended.
- `cargo` (bundled with rustup) for building and running binaries.
- Optional: `SoftHSM2` or another PKCS#11 provider if you plan to exercise the PKCS#11 backends.
```bash
# Build the CLI (release builds live in target/release)
cargo build -p adac-cli
# Run the CLI; pass --help to see the available subcommands
cargo run -p adac-cli -- --help
# Install the CLI into ~/.cargo/bin
cargo install --path adac-cli
```

Most CLI subcommands operate on ADAC certificates or tokens. Add the appropriate subcommand and flags (for example `display`, `certificate-sign`, `verify`, `token-sign`, `token-offline-prepare`, and `token-offline-merge`) as documented by the `--help` output.
Token generation uses a TOML config with token-specific fields:

```toml
[defaults]
version_major = 1
version_minor = 0
requested_permissions = "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
extensions = ""

[token]
version_minor = 1
requested_permissions = "0x0000000003FFFFFFFFFFFFFF00000000"
extensions = "01020304"
```

Token challenges must be 32-byte base16 strings without a `0x` prefix. Token permission values remain `0x`-prefixed 128-bit hexadecimal integers, and token files written with `--output` are raw binary for compatibility with existing tooling. Then sign a token directly or prepare it for offline signing:
```bash
cargo run -p adac-cli -- token-sign \
  --config token.toml \
  --section token \
  --private-key adac-tests/resources/keys/EcdsaP384Key-0.pk8 \
  --output token.bin \
  000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f

cargo run -p adac-cli -- token-offline-prepare \
  --config token.toml \
  --section token \
  --output prepared-token.bin \
  --tbs prepared-token.tbs \
  --hash prepared-token.hash \
  000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f \
  EcdsaP384Sha384

cargo run -p adac-cli -- verify \
  adac-tests/resources/roots/root.EcdsaP384 \
  --token token.bin \
  --challenge 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
```

```bash
# Run the default workspace test suite
cargo test
# Focus on a single crate (example: the CLI)
cargo test -p adac-cli
```

Advanced and cross-environment validation lives in `adac-tests`. Refer to `adac-tests/README.md` for setup instructions (SoftHSM2, hardware tokens) and the commands needed to execute the broader matrix.
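
The token input rules described earlier (a 32-byte base16 challenge without a `0x` prefix, `0x`-prefixed 128-bit permission values) can be checked before a value reaches `token-sign` or `verify`. The following is an added example, not code from adac-rs: the function names are hypothetical, accepting 1 to 32 permission digits is an assumption, and treating `extensions` as base16 is an assumption based on the sample value `"01020304"`.

```rust
// Added example, not adac-cli code: pre-flight checks for token inputs.
// Function names are hypothetical; accepted lengths are assumptions noted below.

/// Decode base16 text into bytes (used for challenges and `extensions`).
fn decode_hex(s: &str) -> Result<Vec<u8>, String> {
    if !s.bytes().all(|b| b.is_ascii_hexdigit()) {
        return Err(format!("{:?} contains a non-hex character", s));
    }
    if s.len() % 2 != 0 {
        return Err(format!("{:?} has an odd number of hex digits", s));
    }
    Ok((0..s.len())
        .step_by(2)
        .map(|i| u8::from_str_radix(&s[i..i + 2], 16).unwrap()) // digits checked above
        .collect())
}

/// Challenge: exactly 32 bytes of base16 with no 0x prefix.
fn parse_challenge(s: &str) -> Result<[u8; 32], String> {
    if s.starts_with("0x") || s.starts_with("0X") {
        return Err("challenge must not carry a 0x prefix".to_string());
    }
    let bytes = decode_hex(s)?;
    if bytes.len() != 32 {
        return Err(format!("challenge is {} bytes, expected 32", bytes.len()));
    }
    let mut out = [0u8; 32];
    out.copy_from_slice(&bytes);
    Ok(out)
}

/// Permissions: 0x-prefixed hex integer that fits in 128 bits.
/// Assumption: 1 to 32 digits are accepted; the page's samples use all 32.
fn parse_permissions(s: &str) -> Result<u128, String> {
    let digits = s.strip_prefix("0x").ok_or("permissions must start with 0x")?;
    if digits.is_empty() || digits.len() > 32 || !digits.bytes().all(|b| b.is_ascii_hexdigit()) {
        return Err(format!("{:?} is not a 128-bit hex integer", s));
    }
    u128::from_str_radix(digits, 16).map_err(|e| e.to_string())
}

fn main() {
    // Values taken from the sample config and commands on this page.
    let challenge = "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f";
    println!("challenge  : {:?}", parse_challenge(challenge).map(|c| c.len()));
    println!("permissions: {:?}", parse_permissions("0x0000000003FFFFFFFFFFFFFF00000000"));
    println!("extensions : {:?}", decode_hex("01020304"));
    println!("bad input  : {:?}", parse_challenge(&format!("0x{}", challenge)));
}
```

Rejecting a `0x`-prefixed or short challenge up front keeps a malformed value from being mistaken for a verification failure later in the flow.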
| CryptoSystem | Rust Crypto | AWS-LC | PKCS#11 |
|---|---|---|---|
| EcdsaP256Sha256 | ✅ | ✅ | ✅ |
| EcdsaP384Sha384 | ✅ | ✅ | ✅ |
| EcdsaP521Sha512 | 🚧 (1) | ✅ | ✅ |
| Ed25519Sha512 | ✅ | ❌ | 🚧 (2) |
| Ed448Shake256 | ✅ | ❌ | 🚧 (2) |
| MlDsa44Sha256 | ✅ | ✅ | ✅ (3) |
| MlDsa65Sha384 | ✅ | ✅ | ✅ (3) |
| MlDsa87Sha512 | ✅ | ✅ | ✅ (3) |
| Rsa3072Sha256 | ✅ | ✅ | ✅ |
| Rsa4096Sha256 | ✅ | ✅ | ✅ |
| SmSm2Sm3 | ✅ | ❌ | ❌ |
- (1): Only verification works. There is an issue with the `p521` crate when signing.
- (2): Implementation untested; `SoftHSM2` does not support the `phFlag=1` option for EdDSA signature or verification.
- (3): Tested with Kryoptic. Provider support requires PKCS#11 v3 ML-DSA mechanisms. These ML-DSA PKCS#11 tests are not covered by the default PKCS#11 test harness or CI; run `adac-tests/pkcs11-test-krypoptic.sh` against a local Kryoptic installation.
Legend: ✅ implemented and tested, 🚧 planned or partially implemented, ❌ not currently available.
adac-rs is provided under the terms of the BSD 3-Clause license. See LICENSE for more information.