Skip to content

paccor

Create, sign, inspect, and validate TCG Platform Certificates from documented JSON inputs.

paccor is built around the TCG Platform Certificate specifications and supports the v2.1, v1.1, and v1.0 families, including both attribute-certificate and public-key-certificate flows where the profile allows them.

The docs are organized around one practical question: how do you get from hardware facts and policy JSON to a certificate you can inspect and trust?

Start Here

  • Run the golden path

    Start with pc_certgen to see the whole system work end to end on one machine.

    Getting Started

  • Pick a certificate flow

    Use the profile tutorials when you already know the spec family or need a reproducible command sequence.

    Certificate Flows

  • Pick a signing strategy

    Choose between local keys, PKCS#11, remote signing, and detached signatures.

    Signing Algorithms

  • Read the exact CLI

    Use the command reference and generated Picocli help when you need precise options and behavior.

    CLI Commands

What You Can Do

  • Follow the pipeline

    Understand how manifests, policy, extensions, signing, and validation fit together.

    Pipeline

  • Map JSON to ASN.1

    Compare field names, aliases, OIDs, and generated schema-backed references.

    Field Sets

  • Collect hardware data

    Feed ManifestV2 JSON from the .NET collection libraries directly into paccor.

    Collect with .NET

  • Validate and inspect output

    See representative validate and view output before you wire paccor into a larger flow.

    Output Snapshots

The pipeline

flowchart LR
    spec["TCG Platform<br/>Certificate Profiles<br/>v1.0 / v1.1 / v2.1"]
    ccr["paccor.smbios<br/>paccor.pcie<br/>paccor.storage<br/>(Component Class<br/>Registry tools)"]
    proto["HardwareManifest.proto"]
    json["Hardware Manifest JSON"]
    paccor["PACCOR"]
    cert["Signed Platform<br/>Certificate"]
    spec --> json
    ccr --> proto
    proto --> json
    json --> paccor
    paccor --> cert
    classDef spec fill:#1f6feb,stroke:#0b3d8c,color:#fff
    classDef tool fill:#0e7c66,stroke:#06463a,color:#fff
    classDef artifact fill:#bf8700,stroke:#6e4d00,color:#fff
    classDef output fill:#8957e5,stroke:#4f31a3,color:#fff
    class spec spec
    class ccr,paccor tool
    class proto,json artifact
    class cert output

Why this site is structured this way

The generated reference pages are backed by ASN.1 notation and code-level metadata so they stay close to the implementation. The curated pages are there to make the implementation easier to use: a first-run path, profile-specific walkthroughs, signing choices, and compact output examples.

Status

paccor is maintained by NSA Cybersecurity Directorate. Downloadable distributions are published on the GitHub releases page.

The original v1.1 user guide remains available as a PDF reference. The MkDocs site complements that guide with generated schema reference pages, profile-oriented tutorials, and implementation notes tied directly to the current codebase.