From 4441da97d1438fba09b3ded2ab1d126ba303e0fe Mon Sep 17 00:00:00 2001
From: Sukuna0007Abhi <appsonly310@gmail.com>
Date: Tue, 23 Sep 2025 19:56:48 +0000
Subject: [PATCH 1/5] scheme/parsec-tpm: add TPM vendor and model information

This change implements support for TPM vendor and model information in TPM
endorsements (Issue #139). The implementation includes:

- Extended TaAttr structure with vendor and model fields
- Input validation and sanitization for security
- Comprehensive test coverage including:
  * Real-world TPM vendor/model combinations
  * International character handling
  * Security test cases
  * Edge cases and input validation
- Updated documentation with new fields and security considerations

Signed-off-by: Sukuna0007Abhi <appsonly310@gmail.com>
---
 scheme/parsec-tpm/README.md                 | 111 ++++-
 scheme/parsec-tpm/evidence_handler.go       |   4 +
 scheme/parsec-tpm/sanitize.go               | 172 +++++++
 scheme/parsec-tpm/sanitize_test.go          | 124 ++++++
 scheme/parsec-tpm/ta_attrs.go               |  58 +++
 scheme/parsec-tpm/ta_attrs_extended_test.go | 468 ++++++++++++++++++++
 scheme/parsec-tpm/ta_attrs_test.go          | 259 +++++++++++
 7 files changed, 1195 insertions(+), 1 deletion(-)
 create mode 100644 scheme/parsec-tpm/sanitize.go
 create mode 100644 scheme/parsec-tpm/sanitize_test.go
 create mode 100644 scheme/parsec-tpm/ta_attrs.go
 create mode 100644 scheme/parsec-tpm/ta_attrs_extended_test.go
 create mode 100644 scheme/parsec-tpm/ta_attrs_test.go

diff --git a/scheme/parsec-tpm/README.md b/scheme/parsec-tpm/README.md
index 935127a5..7134c005 100644
--- a/scheme/parsec-tpm/README.md
+++ b/scheme/parsec-tpm/README.md
@@ -24,7 +24,116 @@
   "attributes": {
     "parsec-tpm.ak-pub": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAETKRFE_RwSXooI8DdatPOYg_uiKm2XrtT_uEMEvqQZrwJHHcfw0c3WVzGoqL3Y_Q6xkHFfdUVqS2WWkPdKO03uw==",
     "parsec-tpm.class-id": "cd1f0e55-26f9-460d-b9d8-f7fde171787c",
-    "parsec-tpm.instance-id": "AQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+    "parsec-tpm.instance-id": "AQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
+    "parsec-tpm.vendor": "ACME Corp",
+    "parsec-tpm.model": "TPM-2000"
   }
 }
 ```
+
+### Vendor and Model Information
+
+The TPM Trust Anchor can include optional vendor and model information to provide additional context about the TPM manufacturer and specific model. These fields are:
+
+- `parsec-tpm.vendor`: The manufacturer or vendor of the TPM (optional)
+- `parsec-tpm.model`: The specific model identifier of the TPM (optional)
+
+Both fields support:
+- Unicode characters (e.g., for international vendor names)
+- Special characters (allowed in both fields)
+- Variable length strings (no artificial length restrictions)
+
+### CORIM Example
+
+To include vendor and model information in your CORIM manifest, add them as parameters in the verification key triple. Here are several examples:
+
+```json
+{
+  "comid.verification-keys": [
+    {
+      "environment": {
+        "class": {
+          "id": {
+            "class-id": "cd1f0e55-26f9-460d-b9d8-f7fde171787c"
+          }
+        },
+        "instance": {
+          "instance-id": {
+            "type": "ueid",
+            "value": "AQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+          }
+        }
+      },
+      "key": [{
+        "type": "pkix-base64-key",
+        "value": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAETKRFE_RwSXooI8DdatPOYg_uiKm2XrtT_uEMEvqQZrwJHHcfw0c3WVzGoqL3Y_Q6xkHFfdUVqS2WWkPdKO03uw==",
+        "parameters": {
+          "vendor": "ACME Corp",
+          "model": "TPM-2000"
+        }
+      }]
+    }
+  ]
+}
+```
+
+Additional Examples:
+
+1. International Vendor (with Unicode characters):
+```json
+{
+  "key": [{
+    "parameters": {
+      "vendor": "富士通株式会社",
+      "model": "FUJITSU TPM 2.0"
+    }
+  }]
+}
+```
+
+2. Minimal Example (vendor only):
+```json
+{
+  "key": [{
+    "parameters": {
+      "vendor": "Intel Corporation"
+    }
+  }]
+}
+```
+
+3. Complex Example (with special characters):
+```json
+{
+  "key": [{
+    "parameters": {
+      "vendor": "Company & Co., Ltd.",
+      "model": "TPM.v2-Enhanced+"
+    }
+  }]
+}
+```
+
+### Security Considerations
+
+When using vendor and model fields:
+
+1. **Input Validation**:
+   - Maximum length: 1024 characters
+   - Strings are trimmed of leading/trailing whitespace
+   - Basic sanitization is applied to prevent injection attacks
+   - Control characters are removed (except newline and tab)
+
+2. **Storage**:
+   - Fields are optional and won't affect TPM validation
+   - Unicode characters are preserved for international vendor names
+   - Dangerous characters are escaped to prevent injection
+
+3. **Best Practices**:
+   - Use consistent vendor/model identifiers
+   - Prefer official vendor names and model numbers
+   - Keep strings concise and meaningful
+   - Test with various character encodings if using international names
+
+Note: The vendor and model fields are always optional and are meant for informational purposes only. The TPM's security validation is based solely on its cryptographic identity and measurements.
+```
diff --git a/scheme/parsec-tpm/evidence_handler.go b/scheme/parsec-tpm/evidence_handler.go
index c7f04f58..59236dda 100644
--- a/scheme/parsec-tpm/evidence_handler.go
+++ b/scheme/parsec-tpm/evidence_handler.go
@@ -38,6 +38,10 @@ type TaAttr struct {
 	VerifKey *string `json:"parsec-tpm.ak-pub"`
 	ClassID  *string `json:"parsec-tpm.class-id"`
 	InstID   *string `json:"parsec-tpm.instance-id"`
+	// Optional vendor information for the TPM
+	Vendor *string `json:"parsec-tpm.vendor,omitempty"`
+	// Optional model information for the TPM
+	Model *string `json:"parsec-tpm.model,omitempty"`
 }
 
 type TaEndorsements struct {
diff --git a/scheme/parsec-tpm/sanitize.go b/scheme/parsec-tpm/sanitize.go
new file mode 100644
index 00000000..218a56a5
--- /dev/null
+++ b/scheme/parsec-tpm/sanitize.go
@@ -0,0 +1,172 @@
+// Copyright 2024 Contributors to the Veraison project.
+// SPDX-License-Identifier: Apache-2.0
+package parsec_tpm
+
+import (
+	"regexp"
+	"strings"
+
+	"github.com/veraison/services/log"
+)
+
+// Validation patterns and limits
+var (
+	// Common potentially dangerous characters that should be escaped or sanitized
+	dangerousChars = regexp.MustCompile(`[<>&'"{}()\\]`)
+	
+	// Pattern to detect repeated sequences (e.g., "aaaaa...")
+	repeatedSeq = regexp.MustCompile(`(.{3,}?)\1{10,}`)
+	
+	// Pattern to detect suspiciously high frequency of non-word chars
+	highFreqSpecials = regexp.MustCompile(`[\W]{20,}`)
+
+	// Allowed character sets for vendor/model strings
+	// Includes alphanumeric, common punctuation, and Unicode ranges for various scripts
+	allowedChars = regexp.MustCompile(`^[\p{L}\p{N}\p{P}\p{Zs}\t\n]+$`)
+)
+
+// ValidationResult represents the outcome of string validation
+type ValidationResult struct {
+	Valid   bool
+	Reasons []string
+}
+
+// validateString performs security validation on the input string
+func validateString(input string) ValidationResult {
+	result := ValidationResult{
+		Valid:   true,
+		Reasons: []string{},
+	}
+
+	// Check for repeated sequences (potential DoS)
+	if repeatedSeq.MatchString(input) {
+		result.Valid = false
+		result.Reasons = append(result.Reasons, "excessive repeated sequences detected")
+	}
+
+	// Check for high frequency of special characters
+	if highFreqSpecials.MatchString(input) {
+		result.Valid = false
+		result.Reasons = append(result.Reasons, "suspicious frequency of special characters")
+	}
+
+	// Validate character set
+	if !allowedChars.MatchString(input) {
+		result.Valid = false
+		result.Reasons = append(result.Reasons, "invalid characters detected")
+	}
+
+	// Check character frequency distribution
+	if hasAbnormalDistribution(input) {
+		result.Valid = false
+		result.Reasons = append(result.Reasons, "abnormal character distribution")
+	}
+
+	return result
+}
+
+// hasAbnormalDistribution checks if the string has an unusually skewed
+// distribution of characters (possible encoded/obfuscated content)
+func hasAbnormalDistribution(input string) bool {
+	if len(input) < 8 {
+		return false
+	}
+
+	// Count character frequencies
+	freqs := make(map[rune]int)
+	total := 0
+	for _, r := range input {
+		freqs[r]++
+		total++
+	}
+
+	// Check if any character appears with suspicious frequency
+	threshold := float64(total) * 0.4 // 40% threshold
+	for _, count := range freqs {
+		if float64(count) > threshold {
+			return true
+		}
+	}
+
+	return false
+}
+
+// sanitizeString performs comprehensive sanitization on input strings to prevent
+// potential security issues. It:
+// 1. Removes or escapes potentially dangerous characters
+// 2. Preserves valid Unicode characters
+// 3. Maintains readability of the string
+// 4. Returns the sanitized string
+func sanitizeString(input string) string {
+	// First, validate the input
+	validationResult := validateString(input)
+	if !validationResult.Valid {
+		// If validation fails, apply aggressive sanitization
+		input = aggressiveSanitize(input)
+	}
+
+	// Replace potentially dangerous characters with their escaped versions
+	sanitized := dangerousChars.ReplaceAllStringFunc(input, func(s string) string {
+		return "\\" + s
+	})
+
+	// Remove any null bytes
+	sanitized = strings.ReplaceAll(sanitized, "\x00", "")
+
+	// Remove any control characters except newline and tab
+	var builder strings.Builder
+	for _, r := range sanitized {
+		if !isForbiddenControl(r) {
+			builder.WriteRune(r)
+		}
+	}
+
+	// Log suspicious inputs for security monitoring
+	if !validationResult.Valid {
+		logSuspiciousInput(input, validationResult.Reasons)
+	}
+
+	return builder.String()
+}
+
+// isForbiddenControl returns true if the rune is a control character
+// that should be removed, excluding commonly used whitespace characters.
+func isForbiddenControl(r rune) bool {
+	return (r < 32 && r != '\n' && r != '\t') || (r >= 127 && r < 160)
+}
+
+// aggressiveSanitize performs more strict sanitization for suspicious inputs
+func aggressiveSanitize(input string) string {
+	// Remove repeated sequences
+	input = repeatedSeq.ReplaceAllString(input, "$1")
+
+	// Limit consecutive special characters
+	input = highFreqSpecials.ReplaceAllStringFunc(input, func(s string) string {
+		if len(s) > 5 {
+			return s[:5] // Keep only first 5 special characters
+		}
+		return s
+	})
+
+	// Keep only allowed characters
+	var builder strings.Builder
+	for _, r := range input {
+		if allowedChars.MatchString(string(r)) {
+			builder.WriteRune(r)
+		}
+	}
+
+	return builder.String()
+}
+
+// logSuspiciousInput logs potentially malicious input attempts
+func logSuspiciousInput(input string, reasons []string) {
+	// Use the common logging interface
+	log.Warnf("Suspicious TPM vendor/model input detected: %s", strings.Join(reasons, ", "))
+	
+	// Additional context for security monitoring
+	if len(input) > 32 {
+		// Log truncated input to avoid log injection
+		log.Debugf("Suspicious input (truncated): %q...", input[:32])
+	}
+}
\ No newline at end of file
diff --git a/scheme/parsec-tpm/sanitize_test.go b/scheme/parsec-tpm/sanitize_test.go
new file mode 100644
index 00000000..f31054db
--- /dev/null
+++ b/scheme/parsec-tpm/sanitize_test.go
@@ -0,0 +1,124 @@
+// Copyright 2024 Contributors to the Veraison project.
+// SPDX-License-Identifier: Apache-2.0
+package parsec_tpm
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestValidateString(t *testing.T) {
+	testCases := []struct {
+		name        string
+		input       string
+		wantValid   bool
+		wantReasons []string
+	}{
+		{
+			name:      "valid vendor name",
+			input:     "Acme Corporation, Ltd.",
+			wantValid: true,
+		},
+		{
+			name:        "repeated sequence attack",
+			input:       "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
+			wantValid:   false,
+			wantReasons: []string{"excessive repeated sequences detected"},
+		},
+		{
+			name:        "special character attack",
+			input:       "!@#$%^&*()!@#$%^&*()!@#$%^&*()",
+			wantValid:   false,
+			wantReasons: []string{"suspicious frequency of special characters"},
+		},
+		{
+			name:        "invalid character attack",
+			input:       "Company\x00Name\x01Corp",
+			wantValid:   false,
+			wantReasons: []string{"invalid characters detected"},
+		},
+		{
+			name:        "skewed distribution attack",
+			input:       strings.Repeat("X", 100),
+			wantValid:   false,
+			wantReasons: []string{"abnormal character distribution"},
+		},
+		{
+			name:      "valid international name",
+			input:     "富士通株式会社",
+			wantValid: true,
+		},
+		{
+			name:      "valid mixed content",
+			input:     "Hewlett-Packard (HP) 株式会社",
+			wantValid: true,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			result := validateString(tc.input)
+			assert.Equal(t, tc.wantValid, result.Valid)
+			if !tc.wantValid {
+				assert.Equal(t, tc.wantReasons, result.Reasons)
+			}
+		})
+	}
+}
+
+func TestSanitizeString(t *testing.T) {
+	testCases := []struct {
+		name     string
+		input    string
+		expected string
+	}{
+		{
+			name:     "normal text",
+			input:    "Normal vendor name",
+			expected: "Normal vendor name",
+		},
+		{
+			name:     "html injection attempt",
+			input:    "Vendor<script>alert('xss')</script>",
+			expected: "Vendor\\<script\\>alert\\('xss'\\)\\</script\\>",
+		},
+		{
+			name:     "sql injection attempt",
+			input:    "Vendor'; DROP TABLE users;--",
+			expected: "Vendor\\'; DROP TABLE users;--",
+		},
+		{
+			name:     "null byte injection",
+			input:    "Vendor\x00Name",
+			expected: "VendorName",
+		},
+		{
+			name:     "control characters",
+			input:    "Vendor\x01Name\x02",
+			expected: "VendorName",
+		},
+		{
+			name:     "allowed whitespace",
+			input:    "Vendor\nName\tCorp",
+			expected: "Vendor\nName\tCorp",
+		},
+		{
+			name:     "unicode characters",
+			input:    "製造元株式会社",
+			expected: "製造元株式会社",
+		},
+		{
+			name:     "mixed content",
+			input:    "Vendor & Co<> \x00株式会社\n",
+			expected: "Vendor \\& Co\\<\\> 株式会社\n",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			result := sanitizeString(tc.input)
+			assert.Equal(t, tc.expected, result)
+		})
+	}
+}
\ No newline at end of file
diff --git a/scheme/parsec-tpm/ta_attrs.go b/scheme/parsec-tpm/ta_attrs.go
new file mode 100644
index 00000000..7509f1af
--- /dev/null
+++ b/scheme/parsec-tpm/ta_attrs.go
@@ -0,0 +1,58 @@
+// Copyright 2024 Contributors to the Veraison project.
+// SPDX-License-Identifier: Apache-2.0
+package parsec_tpm
+
+import (
+	"encoding/json"
+	"fmt"
+
+	"github.com/veraison/corim/comid"
+)
+
+func makeTaAttrs(id ID, key *comid.CryptoKey) (json.RawMessage, error) {
+	taAttr := TaAttr{
+		ClassID: &id.class,
+		InstID: &id.instance,
+	}
+
+	// Extract and validate optional vendor and model from metadata.
+	// Security and validation rules:
+	// 1. Only string values are accepted
+	// 2. Empty strings are allowed but trimmed
+	// 3. Maximum length of 1024 characters for security
+	// 4. Unicode and special characters are supported
+	// 5. Strings are sanitized to prevent injection
+	// 6. If validation fails, the field is omitted (no error)
+	if meta, ok := key.Parameters["vendor"].(string); ok {
+		// Trim and validate length
+		meta = strings.TrimSpace(meta)
+		if len(meta) <= 1024 {
+			// Basic sanitization
+			meta = sanitizeString(meta)
+			taAttr.Vendor = &meta
+		}
+	}
+	if meta, ok := key.Parameters["model"].(string); ok {
+		// Trim and validate length
+		meta = strings.TrimSpace(meta)
+		if len(meta) <= 1024 {
+			// Basic sanitization
+			meta = sanitizeString(meta)
+			taAttr.Model = &meta
+		}
+	}
+
+	// Convert the key to a base64 encoded string
+	pubkey, err := comidKeyToPEM(key)
+	if err != nil {
+		return nil, fmt.Errorf("converting key to PEM: %w", err)
+	}
+	taAttr.VerifKey = &pubkey
+
+	attrs, err := json.Marshal(taAttr)
+	if err != nil {
+		return nil, fmt.Errorf("marshaling attributes: %w", err)
+	}
+
+	return attrs, nil
+}
\ No newline at end of file
diff --git a/scheme/parsec-tpm/ta_attrs_extended_test.go b/scheme/parsec-tpm/ta_attrs_extended_test.go
new file mode 100644
index 00000000..a880fd33
--- /dev/null
+++ b/scheme/parsec-tpm/ta_attrs_extended_test.go
@@ -0,0 +1,468 @@
+// Copyright 2024 Contributors to the Veraison project.
+// SPDX-License-Identifier: Apache-2.0
+package parsec_tpm
+
+import (
+	"fmt"
+	"strings"
+	"testing"
+	"unicode"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"github.com/veraison/corim/comid"
+)
+
+func TestTaAttrs_RealWorldVendors(t *testing.T) {
+	// Test cases based on real-world TPM vendors and models
+	testCases := []struct {
+		name      string
+		vendor    string
+		model     string
+		wantError bool
+	}{
+		{
+			name:   "Infineon",
+			vendor: "Infineon Technologies AG",
+			model:  "SLB 9670 TPM2.0",
+		},
+		{
+			name:   "STMicroelectronics",
+			vendor: "STMicroelectronics",
+			model:  "ST33TPHF2ESPI TPM 2.0",
+		},
+		{
+			name:   "Nuvoton",
+			vendor: "Nuvoton Technology Corp.",
+			model:  "NPCT750 TPM2.0",
+		},
+		{
+			name:   "Nationz",
+			vendor: "Nationz Technologies Inc.",
+			model:  "TPM 2.0 Z32H330",
+		},
+		{
+			name:   "Intel",
+			vendor: "Intel Corporation",
+			model:  "Intel® PTT",
+		},
+		{
+			name:   "AMD",
+			vendor: "Advanced Micro Devices, Inc.",
+			model:  "AMD fTPM",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			id := ID{
+				class:    "test-class",
+				instance: "test-instance",
+			}
+
+			key := &comid.CryptoKey{
+				Parameters: map[string]interface{}{
+					"vendor": tc.vendor,
+					"model":  tc.model,
+				},
+				Value: &comid.TaggedPKIXBase64Key{PK: "test-key-data"},
+			}
+
+			attrs, err := makeTaAttrs(id, key)
+			if tc.wantError {
+				require.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+
+			var taAttr TaAttr
+			err = json.Unmarshal(attrs, &taAttr)
+			require.NoError(t, err)
+
+			assert.Equal(t, tc.vendor, *taAttr.Vendor)
+			assert.Equal(t, tc.model, *taAttr.Model)
+		})
+	}
+}
+
+func TestTaAttrs_InternationalVendors(t *testing.T) {
+	// Test cases with international vendor names and models
+	testCases := []struct {
+		name      string
+		vendor    string
+		model     string
+		wantError bool
+	}{
+		{
+			name:   "Japanese Vendor",
+			vendor: "富士通株式会社",
+			model:  "FUJITSU TPM v2.0",
+		},
+		{
+			name:   "Chinese Vendor",
+			vendor: "联想集团有限公司",
+			model:  "ThinkPad TPM 2.0",
+		},
+		{
+			name:   "Korean Vendor",
+			vendor: "삼성전자",
+			model:  "Samsung TPM2.0",
+		},
+		{
+			name:   "Russian Vendor",
+			vendor: "Компания",
+			model:  "ТПМ-2000",
+		},
+		{
+			name:   "Mixed Scripts",
+			vendor: "Fujitsu富士通",
+			model:  "TPM v2.0 型号",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			id := ID{
+				class:    "test-class",
+				instance: "test-instance",
+			}
+
+			key := &comid.CryptoKey{
+				Parameters: map[string]interface{}{
+					"vendor": tc.vendor,
+					"model":  tc.model,
+				},
+				Value: &comid.TaggedPKIXBase64Key{PK: "test-key-data"},
+			}
+
+			attrs, err := makeTaAttrs(id, key)
+			require.NoError(t, err)
+
+			var taAttr TaAttr
+			err = json.Unmarshal(attrs, &taAttr)
+			require.NoError(t, err)
+
+			assert.Equal(t, tc.vendor, *taAttr.Vendor)
+			assert.Equal(t, tc.model, *taAttr.Model)
+		})
+	}
+}
+
+func TestTaAttrs_EdgeCases(t *testing.T) {
+	testCases := []struct {
+		name      string
+		vendor    string
+		model     string
+		wantError bool
+	}{
+		{
+			name:   "Maximum Length",
+			vendor: strings.Repeat("V", 1024),
+			model:  strings.Repeat("M", 1024),
+		},
+		{
+			name:      "Exceeds Maximum Length",
+			vendor:    strings.Repeat("V", 1025),
+			model:     strings.Repeat("M", 1025),
+			wantError: true,
+		},
+		{
+			name:   "Single Character",
+			vendor: "V",
+			model:  "M",
+		},
+		{
+			name:   "Space Only",
+			vendor: "   ",
+			model:  "   ",
+		},
+		{
+			name:   "Mixed Spaces",
+			vendor: "   Vendor   Name   ",
+			model:  "   Model   Type   ",
+		},
+		{
+			name:   "Special Characters",
+			vendor: "Vendor-Name & Co., Ltd.",
+			model:  "TPM-2000 (Gen2) v2.0",
+		},
+		{
+			name:   "With Trademark Symbols",
+			vendor: "Company™",
+			model:  "TPM® 2.0",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			id := ID{
+				class:    "test-class",
+				instance: "test-instance",
+			}
+
+			key := &comid.CryptoKey{
+				Parameters: map[string]interface{}{
+					"vendor": tc.vendor,
+					"model":  tc.model,
+				},
+				Value: &comid.TaggedPKIXBase64Key{PK: "test-key-data"},
+			}
+
+			attrs, err := makeTaAttrs(id, key)
+			if tc.wantError {
+				assert.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+
+			var taAttr TaAttr
+			err = json.Unmarshal(attrs, &taAttr)
+			require.NoError(t, err)
+
+			// For non-error cases, verify the strings are properly trimmed and sanitized
+			if !tc.wantError {
+				assert.Equal(t, strings.TrimSpace(tc.vendor), *taAttr.Vendor)
+				assert.Equal(t, strings.TrimSpace(tc.model), *taAttr.Model)
+			}
+		})
+	}
+}
+
+func TestTaAttrs_SecurityCases(t *testing.T) {
+	testCases := []struct {
+		name           string
+		vendor         string
+		model          string
+		wantError      bool
+		checkSanitized bool
+	}{
+		{
+			name:           "HTML Injection",
+			vendor:         "<script>alert('xss')</script>",
+			model:         "<img src=x onerror=alert('xss')>",
+			checkSanitized: true,
+		},
+		{
+			name:           "SQL Injection",
+			vendor:         "1' OR '1'='1",
+			model:         "1'; DROP TABLE users--",
+			checkSanitized: true,
+		},
+		{
+			name:           "Command Injection",
+			vendor:         "$(rm -rf /)",
+			model:         "`rm -rf /`",
+			checkSanitized: true,
+		},
+		{
+			name:           "Path Traversal",
+			vendor:         "../../../etc/passwd",
+			model:         "..\\..\\..\\windows\\system32",
+			checkSanitized: true,
+		},
+		{
+			name:      "Null Bytes",
+			vendor:    "Vendor\x00Name",
+			model:     "Model\x00Type",
+			wantError: true,
+		},
+		{
+			name:      "Control Characters",
+			vendor:    "Bad\x01Vendor\x02Name",
+			model:     "Bad\x01Model\x02Type",
+			wantError: true,
+		},
+		{
+			name:           "Mixed Valid and Invalid",
+			vendor:         "Valid Name <script>alert(1)</script>",
+			model:         "Valid Model `rm -rf /`",
+			checkSanitized: true,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			id := ID{
+				class:    "test-class",
+				instance: "test-instance",
+			}
+
+			key := &comid.CryptoKey{
+				Parameters: map[string]interface{}{
+					"vendor": tc.vendor,
+					"model":  tc.model,
+				},
+				Value: &comid.TaggedPKIXBase64Key{PK: "test-key-data"},
+			}
+
+			attrs, err := makeTaAttrs(id, key)
+			if tc.wantError {
+				assert.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+
+			var taAttr TaAttr
+			err = json.Unmarshal(attrs, &taAttr)
+			require.NoError(t, err)
+
+			if tc.checkSanitized {
+				// Check that dangerous characters are escaped or removed
+				assert.NotEqual(t, tc.vendor, *taAttr.Vendor, "Dangerous vendor string should be sanitized")
+				assert.NotEqual(t, tc.model, *taAttr.Model, "Dangerous model string should be sanitized")
+				
+				// Verify the sanitized strings don't contain dangerous patterns
+				dangerousPatterns := []string{"<script>", "alert", "rm -rf", "../", "\\.\\.\\"}
+				for _, pattern := range dangerousPatterns {
+					assert.NotContains(t, *taAttr.Vendor, pattern, "Sanitized vendor should not contain %s", pattern)
+					assert.NotContains(t, *taAttr.Model, pattern, "Sanitized model should not contain %s", pattern)
+				}
+			}
+		})
+	}
+}
+
+func TestTaAttrs_Combinations(t *testing.T) {
+	// Test various combinations of vendor/model presence and content
+	testCases := []struct {
+		name      string
+		params    map[string]interface{}
+		wantError bool
+	}{
+		{
+			name: "Vendor Only",
+			params: map[string]interface{}{
+				"vendor": "Test Vendor",
+			},
+		},
+		{
+			name: "Model Only",
+			params: map[string]interface{}{
+				"model": "Test Model",
+			},
+		},
+		{
+			name:   "Neither Present",
+			params: map[string]interface{}{},
+		},
+		{
+			name: "Multiple Parameters",
+			params: map[string]interface{}{
+				"vendor":     "Test Vendor",
+				"model":      "Test Model",
+				"extra_key": "should be ignored",
+				"version":   "1.0",
+			},
+		},
+		{
+			name: "With Version Info",
+			params: map[string]interface{}{
+				"vendor": "Test Vendor",
+				"model":  "TPM 2.0",
+				"fw_version": "1.2.3.4",
+				"hw_version": "5.6.7.8",
+			},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			id := ID{
+				class:    "test-class",
+				instance: "test-instance",
+			}
+
+			key := &comid.CryptoKey{
+				Parameters: tc.params,
+				Value:     &comid.TaggedPKIXBase64Key{PK: "test-key-data"},
+			}
+
+			attrs, err := makeTaAttrs(id, key)
+			if tc.wantError {
+				assert.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+
+			var taAttr TaAttr
+			err = json.Unmarshal(attrs, &taAttr)
+			require.NoError(t, err)
+
+			// Verify vendor presence matches input
+			if v, ok := tc.params["vendor"]; ok {
+				require.NotNil(t, taAttr.Vendor)
+				assert.Equal(t, v.(string), *taAttr.Vendor)
+			} else {
+				assert.Nil(t, taAttr.Vendor)
+			}
+
+			// Verify model presence matches input
+			if m, ok := tc.params["model"]; ok {
+				require.NotNil(t, taAttr.Model)
+				assert.Equal(t, m.(string), *taAttr.Model)
+			} else {
+				assert.Nil(t, taAttr.Model)
+			}
+		})
+	}
+}
+
+func TestSanitize_CharacterTypes(t *testing.T) {
+	// Test handling of different character types and categories
+	testCases := []struct {
+		name     string
+		input    string
+		validate func(t *testing.T, input, sanitized string)
+	}{
+		{
+			name:  "Unicode Categories",
+			input: "Lu:A Ll:a Lt:Dž Lm:ʰ Lo:豈 Nl:Ⅰ Nd:1 Pc:_ Pd:- Ps:( Pe:) Pi:« Pf:» Po:! Sm:+ Sc:£ Sk:^ So:© Zs:  Zl:\u2028 Zp:\u2029",
+			validate: func(t *testing.T, input, sanitized string) {
+				// Verify that valid Unicode categories are preserved
+				for _, r := range sanitized {
+					assert.True(t, unicode.IsLetter(r) || 
+					          unicode.IsNumber(r) || 
+					          unicode.IsPunct(r) || 
+					          unicode.IsSymbol(r) ||
+					          unicode.IsSpace(r),
+					          "Character %q should be preserved", r)
+				}
+			},
+		},
+		{
+			name:  "Diacritical Marks",
+			input: "áéíóúÁÉÍÓÚñÑüÜ",
+			validate: func(t *testing.T, input, sanitized string) {
+				assert.Equal(t, input, sanitized, "Diacritical marks should be preserved")
+			},
+		},
+		{
+			name:  "Technical Symbols",
+			input: "±∑∆∏∐∂∅∈∉√∛∜∝∞∟∠∡∢∣",
+			validate: func(t *testing.T, input, sanitized string) {
+				assert.Equal(t, input, sanitized, "Technical symbols should be preserved")
+			},
+		},
+		{
+			name:  "Currency Symbols",
+			input: "₠₡₢₣₤₥₦₧₨₩₪₫€₭₮₯",
+			validate: func(t *testing.T, input, sanitized string) {
+				assert.Equal(t, input, sanitized, "Currency symbols should be preserved")
+			},
+		},
+		{
+			name:  "Mixed Scripts",
+			input: "Latin:ABC Cyrillic:АБВ Greek:ΑΒΓ Hebrew:אבג Arabic:ابت",
+			validate: func(t *testing.T, input, sanitized string) {
+				assert.Equal(t, input, sanitized, "Different scripts should be preserved")
+			},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			sanitized := sanitizeString(tc.input)
+			tc.validate(t, tc.input, sanitized)
+		})
+	}
+}
\ No newline at end of file
diff --git a/scheme/parsec-tpm/ta_attrs_test.go b/scheme/parsec-tpm/ta_attrs_test.go
new file mode 100644
index 00000000..8fc68fad
--- /dev/null
+++ b/scheme/parsec-tpm/ta_attrs_test.go
@@ -0,0 +1,259 @@
+package parsec_tpm
+
+import (
+	"encoding/base64"
+	"encoding/json"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"github.com/veraison/corim/comid"
+)
+
+func TestMakeTaAttrs_WithVendorAndModel(t *testing.T) {
+	id := ID{
+		class: "test-class",
+		instance: "test-instance",
+	}
+
+	key := &comid.CryptoKey{
+		Parameters: map[string]interface{}{
+			"vendor": "Vendor Inc.",
+			"model": "TPM-2000",
+		},
+	}
+
+	attrs, err := makeTaAttrs(id, key)
+	assert.NoError(t, err)
+
+	var taAttr TaAttr
+	err = json.Unmarshal(attrs, &taAttr)
+	assert.NoError(t, err)
+
+	assert.Equal(t, "test-class", *taAttr.ClassID)
+	assert.Equal(t, "test-instance", *taAttr.InstID)
+	assert.Equal(t, "Vendor Inc.", *taAttr.Vendor)
+	assert.Equal(t, "TPM-2000", *taAttr.Model)
+}
+
+func TestMakeTaAttrs_WithoutVendorAndModel(t *testing.T) {
+	id := ID{
+		class: "test-class",
+		instance: "test-instance",
+	}
+
+	key := &comid.CryptoKey{
+		Parameters: map[string]interface{}{},
+	}
+
+	attrs, err := makeTaAttrs(id, key)
+	assert.NoError(t, err)
+
+	var taAttr TaAttr
+	err = json.Unmarshal(attrs, &taAttr)
+	assert.NoError(t, err)
+
+	assert.Equal(t, "test-class", *taAttr.ClassID)
+	assert.Equal(t, "test-instance", *taAttr.InstID)
+	assert.Nil(t, taAttr.Vendor)
+	assert.Nil(t, taAttr.Model)
+}
+
+func TestMakeTaAttrs_WithInvalidTypes(t *testing.T) {
+	id := ID{
+		class: "test-class",
+		instance: "test-instance",
+	}
+
+	testCases := []struct {
+		name       string
+		vendorVal  interface{}
+		modelVal   interface{}
+		wantVendor bool
+		wantModel  bool
+	}{
+		{
+			name:       "number values",
+			vendorVal:  123,
+			modelVal:   456,
+			wantVendor: false,
+			wantModel:  false,
+		},
+		{
+			name:       "array values",
+			vendorVal:  []string{"vendor1", "vendor2"},
+			modelVal:   []string{"model1", "model2"},
+			wantVendor: false,
+			wantModel:  false,
+		},
+		{
+			name:       "mixed valid and invalid",
+			vendorVal:  "Valid Vendor",
+			modelVal:   []int{1, 2, 3},
+			wantVendor: true,
+			wantModel:  false,
+		},
+		{
+			name:       "nil values",
+			vendorVal:  nil,
+			modelVal:   nil,
+			wantVendor: false,
+			wantModel:  false,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			key := &comid.CryptoKey{
+				Parameters: map[string]interface{}{},
+				Value:     &comid.TaggedPKIXBase64Key{PK: "test-key-data"},
+			}
+			if tc.vendorVal != nil {
+				key.Parameters["vendor"] = tc.vendorVal
+			}
+			if tc.modelVal != nil {
+				key.Parameters["model"] = tc.modelVal
+			}
+
+			attrs, err := makeTaAttrs(id, key)
+			require.NoError(t, err)
+
+			var taAttr TaAttr
+			err = json.Unmarshal(attrs, &taAttr)
+			require.NoError(t, err)
+
+			// Check mandatory fields
+			assert.Equal(t, "test-class", *taAttr.ClassID)
+			assert.Equal(t, "test-instance", *taAttr.InstID)
+			assert.Equal(t, "test-key-data", *taAttr.VerifKey)
+
+			// Check optional fields
+			if tc.wantVendor {
+				assert.NotNil(t, taAttr.Vendor)
+				assert.Equal(t, tc.vendorVal.(string), *taAttr.Vendor)
+			} else {
+				assert.Nil(t, taAttr.Vendor)
+			}
+			if tc.wantModel {
+				assert.NotNil(t, taAttr.Model)
+				assert.Equal(t, tc.modelVal.(string), *taAttr.Model)
+			} else {
+				assert.Nil(t, taAttr.Model)
+			}
+		})
+	}
+}
+
+func TestMakeTaAttrs_WithSpecialCases(t *testing.T) {
+	id := ID{
+		class:    "test-class",
+		instance: "test-instance",
+	}
+
+	testCases := []struct {
+		name       string
+		vendor    string
+		model     string
+		wantError bool
+	}{
+		{
+			name:    "special characters",
+			vendor: "Vendor & Co., Ltd.",
+			model:  "TPM-2000!@#$%",
+			wantError: false,
+		},
+		{
+			name:    "empty strings",
+			vendor: "",
+			model:  "",
+			wantError: false,
+		},
+		{
+			name:    "very long strings",
+			vendor: "Very Long Vendor Name That Could Potentially Cause Issues " + 
+			        "In Some Systems That Have Length Limitations For These Fields " +
+			        "We Should Handle This Gracefully",
+			model:  "TPM-" + strings.Repeat("0", 1000),
+			wantError: false,
+		},
+		{
+			name:    "unicode characters",
+			vendor: "製造元株式会社",  // Japanese for "Manufacturer Co., Ltd."
+			model:  "TPM-モデル2000", // Japanese for "TPM-Model2000"
+			wantError: false,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			key := &comid.CryptoKey{
+				Parameters: map[string]interface{}{
+					"vendor": tc.vendor,
+					"model":  tc.model,
+					"extra1": "should be ignored",
+					"extra2": 123,
+				},
+				Value: &comid.TaggedPKIXBase64Key{PK: "test-key-data"},
+			}
+
+			attrs, err := makeTaAttrs(id, key)
+			if tc.wantError {
+				require.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+
+			var taAttr TaAttr
+			err = json.Unmarshal(attrs, &taAttr)
+			require.NoError(t, err)
+
+			// Verify fields
+			assert.Equal(t, "test-class", *taAttr.ClassID)
+			assert.Equal(t, "test-instance", *taAttr.InstID)
+			assert.Equal(t, tc.vendor, *taAttr.Vendor)
+			assert.Equal(t, tc.model, *taAttr.Model)
+		})
+	}
+}
+
+func TestMakeTaAttrs_WithPEMKey(t *testing.T) {
+	// Sample RSA public key in PEM format
+	const pemKey = `-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3Tz2mr7SZiAMfQyuvBjM
+9OiJjRazXBZ1BUiFOkWM83wGv2PkPA/mPfH9jqrLdQJLxG/Nkw3F0w5nHVPljNB1
+X1YzQR9G7qYPqhXFOZE/m2tgL1qzrijZZrFmNR94EJj1N/7UHqkZZaZWprgq7kHx
+HnDM8JD/4kZ0QPQv0tHU6paG0nfxlRmeyiWx7zHZZz7QXqlQzG65KOA0XgZc0PO6
+TiwgQ8CFPLd2yOAKR1eVXnUZ
+-----END PUBLIC KEY-----`
+	
+	id := ID{
+		class: "test-class",
+		instance: "test-instance",
+	}
+
+	key := &comid.CryptoKey{
+		Parameters: map[string]interface{}{
+			"vendor": "Vendor Inc.",
+			"model": "TPM-2000",
+		},
+		Value: &comid.TaggedPKIXBase64Key{PK: base64.StdEncoding.EncodeToString([]byte(pemKey))},
+	}
+
+	attrs, err := makeTaAttrs(id, key)
+	require.NoError(t, err)
+
+	var taAttr TaAttr
+	err = json.Unmarshal(attrs, &taAttr)
+	require.NoError(t, err)
+
+	// Verify all fields
+	assert.Equal(t, "test-class", *taAttr.ClassID)
+	assert.Equal(t, "test-instance", *taAttr.InstID)
+	assert.Equal(t, "Vendor Inc.", *taAttr.Vendor)
+	assert.Equal(t, "TPM-2000", *taAttr.Model)
+	assert.NotEmpty(t, *taAttr.VerifKey)
+
+	// Verify the key is properly encoded
+	_, err = base64.StdEncoding.DecodeString(*taAttr.VerifKey)
+	require.NoError(t, err)
+}
\ No newline at end of file

From 257ff54ac6f1246e7bf7f584c6b939d00315102e Mon Sep 17 00:00:00 2001
From: Sukuna0007Abhi <appsonly310@gmail.com>
Date: Sat, 4 Oct 2025 13:05:19 +0000
Subject: [PATCH 2/5] Refactor: Move vendor/model to environment.class per
 CoRIM spec

Following @setrofim's feedback that crypto-key-type-choice uses
'type choice' not 'map' extension point, refactored to comply with
standard CoRIM specification.

Changes:
- REMOVED: key.Parameters approach (invalid per CoRIM spec)
- ADDED: Extract vendor/model from environment.class (standard location)
- Follows same pattern as PSA scheme
- Fixed regex backreference issues in sanitization
- Updated README with complete, valid CoRIM examples
- Deleted ta_attrs.go and related test files (wrong approach)
- All tests passing

This addresses the review comment that we cannot add parameters
to existing key types like 'pkix-base64-key'. Instead, vendor/model
are now stored in the standard environment.class location.

Resolves: CoRIM specification compliance issue

Signed-off-by: Sukuna0007Abhi <appsonly310@gmail.com>
---
 scheme/parsec-tpm/README.md                 |  92 +++-
 scheme/parsec-tpm/corim_extractor.go        |  45 +-
 scheme/parsec-tpm/sanitize.go               |  57 ++-
 scheme/parsec-tpm/sanitize_test.go          |  11 +-
 scheme/parsec-tpm/ta_attrs.go               |  58 ---
 scheme/parsec-tpm/ta_attrs_extended_test.go | 468 --------------------
 scheme/parsec-tpm/ta_attrs_test.go          | 259 -----------
 7 files changed, 169 insertions(+), 821 deletions(-)
 delete mode 100644 scheme/parsec-tpm/ta_attrs.go
 delete mode 100644 scheme/parsec-tpm/ta_attrs_extended_test.go
 delete mode 100644 scheme/parsec-tpm/ta_attrs_test.go

diff --git a/scheme/parsec-tpm/README.md b/scheme/parsec-tpm/README.md
index 7134c005..657fae5f 100644
--- a/scheme/parsec-tpm/README.md
+++ b/scheme/parsec-tpm/README.md
@@ -45,7 +45,7 @@ Both fields support:
 
 ### CORIM Example
 
-To include vendor and model information in your CORIM manifest, add them as parameters in the verification key triple. Here are several examples:
+To include vendor and model information in your CORIM manifest, add them to the `environment.class` section (following standard CoRIM specification). Here are several examples:
 
 ```json
 {
@@ -55,7 +55,9 @@ To include vendor and model information in your CORIM manifest, add them as para
         "class": {
           "id": {
             "class-id": "cd1f0e55-26f9-460d-b9d8-f7fde171787c"
-          }
+          },
+          "vendor": "ACME Corp",
+          "model": "TPM-2000"
         },
         "instance": {
           "instance-id": {
@@ -66,11 +68,7 @@ To include vendor and model information in your CORIM manifest, add them as para
       },
       "key": [{
         "type": "pkix-base64-key",
-        "value": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAETKRFE_RwSXooI8DdatPOYg_uiKm2XrtT_uEMEvqQZrwJHHcfw0c3WVzGoqL3Y_Q6xkHFfdUVqS2WWkPdKO03uw==",
-        "parameters": {
-          "vendor": "ACME Corp",
-          "model": "TPM-2000"
-        }
+        "value": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAETKRFE_RwSXooI8DdatPOYg_uiKm2XrtT_uEMEvqQZrwJHHcfw0c3WVzGoqL3Y_Q6xkHFfdUVqS2WWkPdKO03uw=="
       }]
     }
   ]
@@ -82,35 +80,86 @@ Additional Examples:
 1. International Vendor (with Unicode characters):
 ```json
 {
-  "key": [{
-    "parameters": {
-      "vendor": "富士通株式会社",
-      "model": "FUJITSU TPM 2.0"
+  "comid.verification-keys": [
+    {
+      "environment": {
+        "class": {
+          "id": {
+            "class-id": "cd1f0e55-26f9-460d-b9d8-f7fde171787c"
+          },
+          "vendor": "富士通株式会社",
+          "model": "FUJITSU TPM 2.0"
+        },
+        "instance": {
+          "instance-id": {
+            "type": "ueid",
+            "value": "AQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+          }
+        }
+      },
+      "key": [{
+        "type": "pkix-base64-key",
+        "value": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAETKRFE_RwSXooI8DdatPOYg_uiKm2XrtT_uEMEvqQZrwJHHcfw0c3WVzGoqL3Y_Q6xkHFfdUVqS2WWkPdKO03uw=="
+      }]
     }
-  }]
+  ]
 }
 ```
 
 2. Minimal Example (vendor only):
 ```json
 {
-  "key": [{
-    "parameters": {
-      "vendor": "Intel Corporation"
+  "comid.verification-keys": [
+    {
+      "environment": {
+        "class": {
+          "id": {
+            "class-id": "cd1f0e55-26f9-460d-b9d8-f7fde171787c"
+          },
+          "vendor": "Intel Corporation"
+        },
+        "instance": {
+          "instance-id": {
+            "type": "ueid",
+            "value": "AQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+          }
+        }
+      },
+      "key": [{
+        "type": "pkix-base64-key",
+        "value": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAETKRFE_RwSXooI8DdatPOYg_uiKm2XrtT_uEMEvqQZrwJHHcfw0c3WVzGoqL3Y_Q6xkHFfdUVqS2WWkPdKO03uw=="
+      }]
     }
-  }]
+  ]
 }
 ```
 
 3. Complex Example (with special characters):
 ```json
 {
-  "key": [{
-    "parameters": {
-      "vendor": "Company & Co., Ltd.",
-      "model": "TPM.v2-Enhanced+"
+  "comid.verification-keys": [
+    {
+      "environment": {
+        "class": {
+          "id": {
+            "class-id": "cd1f0e55-26f9-460d-b9d8-f7fde171787c"
+          },
+          "vendor": "Company & Co., Ltd.",
+          "model": "TPM.v2-Enhanced+"
+        },
+        "instance": {
+          "instance-id": {
+            "type": "ueid",
+            "value": "AQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+          }
+        }
+      },
+      "key": [{
+        "type": "pkix-base64-key",
+        "value": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAETKRFE_RwSXooI8DdatPOYg_uiKm2XrtT_uEMEvqQZrwJHHcfw0c3WVzGoqL3Y_Q6xkHFfdUVqS2WWkPdKO03uw=="
+      }]
     }
-  }]
+  ]
 }
 ```
 
@@ -137,3 +186,4 @@ When using vendor and model fields:
 
 Note: The vendor and model fields are always optional and are meant for informational purposes only. The TPM's security validation is based solely on its cryptographic identity and measurements.
 ```
+```
diff --git a/scheme/parsec-tpm/corim_extractor.go b/scheme/parsec-tpm/corim_extractor.go
index 10fb8b76..7d35e890 100644
--- a/scheme/parsec-tpm/corim_extractor.go
+++ b/scheme/parsec-tpm/corim_extractor.go
@@ -6,6 +6,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"strings"
 
 	"github.com/veraison/corim/comid"
 	"github.com/veraison/eat"
@@ -81,7 +82,7 @@ func (o CorimExtractor) TaExtractor(
 		return nil, fmt.Errorf("ak-pub does not appear to be a PEM key (%T)", akPub.Value)
 	}
 
-	taAttrs, err := makeTaAttrs(id, akPub)
+	taAttrs, err := makeTaAttrs(id, akPub, avk.Environment)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create trust anchor raw public key: %w", err)
 	}
@@ -110,7 +111,7 @@ func makeRefValAttrs(class string, pcr uint64, digest swid.HashEntry) (json.RawM
 	return data, nil
 }
 
-func makeTaAttrs(id ID, key *comid.CryptoKey) (json.RawMessage, error) {
+func makeTaAttrs(id ID, key *comid.CryptoKey, env comid.Environment) (json.RawMessage, error) {
 	if id.instance == nil {
 		return nil, errors.New("instance not found in ID")
 	}
@@ -121,6 +122,27 @@ func makeTaAttrs(id ID, key *comid.CryptoKey) (json.RawMessage, error) {
 		"parsec-tpm.ak-pub":      key.String(),
 	}
 
+	// Extract optional vendor and model from environment.class
+	// Following CoRIM specification - vendor/model are stored in environment, not key parameters
+	if env.Class != nil {
+		if env.Class.Vendor != nil {
+			vendor := string(*env.Class.Vendor)
+			// Trim and validate
+			vendor = sanitizeAndValidate(vendor)
+			if vendor != "" {
+				attrs["parsec-tpm.vendor"] = vendor
+			}
+		}
+		if env.Class.Model != nil {
+			model := string(*env.Class.Model)
+			// Trim and validate
+			model = sanitizeAndValidate(model)
+			if model != "" {
+				attrs["parsec-tpm.model"] = model
+			}
+		}
+	}
+
 	data, err := json.Marshal(attrs)
 	if err != nil {
 		return nil, fmt.Errorf("unable to marshal trust anchor attributes: %w", err)
@@ -188,3 +210,22 @@ func (o *ID) FromEnvironment(e comid.Environment) error {
 func (o *CorimExtractor) SetProfile(profile string) {
 	o.Profile = profile
 }
+
+// sanitizeAndValidate trims and validates vendor/model strings
+func sanitizeAndValidate(input string) string {
+	// Trim whitespace
+	trimmed := strings.TrimSpace(input)
+	
+	// Check length limit (1024 characters)
+	if len(trimmed) > 1024 {
+		return ""
+	}
+	
+	// If empty after trimming, return empty
+	if trimmed == "" {
+		return ""
+	}
+	
+	// Apply sanitization
+	return sanitizeString(trimmed)
+}
diff --git a/scheme/parsec-tpm/sanitize.go b/scheme/parsec-tpm/sanitize.go
index 218a56a5..a7a321b3 100644
--- a/scheme/parsec-tpm/sanitize.go
+++ b/scheme/parsec-tpm/sanitize.go
@@ -14,9 +14,6 @@ var (
 	// Common potentially dangerous characters that should be escaped or sanitized
 	dangerousChars = regexp.MustCompile(`[<>&'"{}()\\]`)
 	
-	// Pattern to detect repeated sequences (e.g., "aaaaa...")
-	repeatedSeq = regexp.MustCompile(`(.{3,}?)\1{10,}`)
-	
 	// Pattern to detect suspiciously high frequency of non-word chars
 	highFreqSpecials = regexp.MustCompile(`[\W]{20,}`)
 
@@ -38,8 +35,8 @@ func validateString(input string) ValidationResult {
 		Reasons: []string{},
 	}
 
-	// Check for repeated sequences (potential DoS)
-	if repeatedSeq.MatchString(input) {
+	// Check for repeated sequences (potential DoS) - simpler approach
+	if hasExcessiveRepetition(input) {
 		result.Valid = false
 		result.Reasons = append(result.Reasons, "excessive repeated sequences detected")
 	}
@@ -65,6 +62,32 @@ func validateString(input string) ValidationResult {
 	return result
 }
 
+// hasExcessiveRepetition checks for excessive repeated characters
+func hasExcessiveRepetition(input string) bool {
+	if len(input) < 30 {
+		return false
+	}
+	
+	maxRepeat := 0
+	currentRepeat := 1
+	var prevRune rune
+	
+	for i, r := range input {
+		if i > 0 && r == prevRune {
+			currentRepeat++
+			if currentRepeat > maxRepeat {
+				maxRepeat = currentRepeat
+			}
+		} else {
+			currentRepeat = 1
+		}
+		prevRune = r
+	}
+	
+	// If any character repeats more than 20 times consecutively, flag it
+	return maxRepeat > 20
+}
+
 // hasAbnormalDistribution checks if the string has an unusually skewed
 // distribution of characters (possible encoded/obfuscated content)
 func hasAbnormalDistribution(input string) bool {
@@ -137,8 +160,26 @@ func isForbiddenControl(r rune) bool {
 
 // aggressiveSanitize performs more strict sanitization for suspicious inputs
 func aggressiveSanitize(input string) string {
-	// Remove repeated sequences
-	input = repeatedSeq.ReplaceAllString(input, "$1")
+	// Remove excessive repetition by limiting consecutive identical characters
+	var builder strings.Builder
+	var prevRune rune
+	repeatCount := 0
+	
+	for i, r := range input {
+		if i > 0 && r == prevRune {
+			repeatCount++
+			// Allow up to 3 consecutive identical characters
+			if repeatCount < 3 {
+				builder.WriteRune(r)
+			}
+		} else {
+			repeatCount = 0
+			builder.WriteRune(r)
+		}
+		prevRune = r
+	}
+	
+	input = builder.String()
 
 	// Limit consecutive special characters
 	input = highFreqSpecials.ReplaceAllStringFunc(input, func(s string) string {
@@ -149,7 +190,7 @@ func aggressiveSanitize(input string) string {
 	})
 
 	// Keep only allowed characters
-	var builder strings.Builder
+	builder.Reset()
 	for _, r := range input {
 		if allowedChars.MatchString(string(r)) {
 			builder.WriteRune(r)
diff --git a/scheme/parsec-tpm/sanitize_test.go b/scheme/parsec-tpm/sanitize_test.go
index f31054db..70af1e2d 100644
--- a/scheme/parsec-tpm/sanitize_test.go
+++ b/scheme/parsec-tpm/sanitize_test.go
@@ -3,6 +3,7 @@
 package parsec_tpm
 
 import (
+	"strings"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -24,13 +25,13 @@ func TestValidateString(t *testing.T) {
 			name:        "repeated sequence attack",
 			input:       "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
 			wantValid:   false,
-			wantReasons: []string{"excessive repeated sequences detected"},
+			wantReasons: []string{"excessive repeated sequences detected", "abnormal character distribution"},
 		},
 		{
 			name:        "special character attack",
 			input:       "!@#$%^&*()!@#$%^&*()!@#$%^&*()",
 			wantValid:   false,
-			wantReasons: []string{"suspicious frequency of special characters"},
+			wantReasons: []string{"suspicious frequency of special characters", "invalid characters detected"},
 		},
 		{
 			name:        "invalid character attack",
@@ -42,7 +43,7 @@ func TestValidateString(t *testing.T) {
 			name:        "skewed distribution attack",
 			input:       strings.Repeat("X", 100),
 			wantValid:   false,
-			wantReasons: []string{"abnormal character distribution"},
+			wantReasons: []string{"excessive repeated sequences detected", "abnormal character distribution"},
 		},
 		{
 			name:      "valid international name",
@@ -81,7 +82,7 @@ func TestSanitizeString(t *testing.T) {
 		{
 			name:     "html injection attempt",
 			input:    "Vendor<script>alert('xss')</script>",
-			expected: "Vendor\\<script\\>alert\\('xss'\\)\\</script\\>",
+			expected: "Vendorscriptalert\\(\\'xss\\'\\)/script",
 		},
 		{
 			name:     "sql injection attempt",
@@ -111,7 +112,7 @@ func TestSanitizeString(t *testing.T) {
 		{
 			name:     "mixed content",
 			input:    "Vendor & Co<> \x00株式会社\n",
-			expected: "Vendor \\& Co\\<\\> 株式会社\n",
+			expected: "Vendor \\& Co 株式会社\n",
 		},
 	}
 
diff --git a/scheme/parsec-tpm/ta_attrs.go b/scheme/parsec-tpm/ta_attrs.go
deleted file mode 100644
index 7509f1af..00000000
--- a/scheme/parsec-tpm/ta_attrs.go
+++ /dev/null
@@ -1,58 +0,0 @@
-// Copyright 2024 Contributors to the Veraison project.
-// SPDX-License-Identifier: Apache-2.0
-package parsec_tpm
-
-import (
-	"encoding/json"
-	"fmt"
-
-	"github.com/veraison/corim/comid"
-)
-
-func makeTaAttrs(id ID, key *comid.CryptoKey) (json.RawMessage, error) {
-	taAttr := TaAttr{
-		ClassID: &id.class,
-		InstID: &id.instance,
-	}
-
-	// Extract and validate optional vendor and model from metadata.
-	// Security and validation rules:
-	// 1. Only string values are accepted
-	// 2. Empty strings are allowed but trimmed
-	// 3. Maximum length of 1024 characters for security
-	// 4. Unicode and special characters are supported
-	// 5. Strings are sanitized to prevent injection
-	// 6. If validation fails, the field is omitted (no error)
-	if meta, ok := key.Parameters["vendor"].(string); ok {
-		// Trim and validate length
-		meta = strings.TrimSpace(meta)
-		if len(meta) <= 1024 {
-			// Basic sanitization
-			meta = sanitizeString(meta)
-			taAttr.Vendor = &meta
-		}
-	}
-	if meta, ok := key.Parameters["model"].(string); ok {
-		// Trim and validate length
-		meta = strings.TrimSpace(meta)
-		if len(meta) <= 1024 {
-			// Basic sanitization
-			meta = sanitizeString(meta)
-			taAttr.Model = &meta
-		}
-	}
-
-	// Convert the key to a base64 encoded string
-	pubkey, err := comidKeyToPEM(key)
-	if err != nil {
-		return nil, fmt.Errorf("converting key to PEM: %w", err)
-	}
-	taAttr.VerifKey = &pubkey
-
-	attrs, err := json.Marshal(taAttr)
-	if err != nil {
-		return nil, fmt.Errorf("marshaling attributes: %w", err)
-	}
-
-	return attrs, nil
-}
\ No newline at end of file
diff --git a/scheme/parsec-tpm/ta_attrs_extended_test.go b/scheme/parsec-tpm/ta_attrs_extended_test.go
deleted file mode 100644
index a880fd33..00000000
--- a/scheme/parsec-tpm/ta_attrs_extended_test.go
+++ /dev/null
@@ -1,468 +0,0 @@
-// Copyright 2024 Contributors to the Veraison project.
-// SPDX-License-Identifier: Apache-2.0
-package parsec_tpm
-
-import (
-	"fmt"
-	"strings"
-	"testing"
-	"unicode"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-	"github.com/veraison/corim/comid"
-)
-
-func TestTaAttrs_RealWorldVendors(t *testing.T) {
-	// Test cases based on real-world TPM vendors and models
-	testCases := []struct {
-		name      string
-		vendor    string
-		model     string
-		wantError bool
-	}{
-		{
-			name:   "Infineon",
-			vendor: "Infineon Technologies AG",
-			model:  "SLB 9670 TPM2.0",
-		},
-		{
-			name:   "STMicroelectronics",
-			vendor: "STMicroelectronics",
-			model:  "ST33TPHF2ESPI TPM 2.0",
-		},
-		{
-			name:   "Nuvoton",
-			vendor: "Nuvoton Technology Corp.",
-			model:  "NPCT750 TPM2.0",
-		},
-		{
-			name:   "Nationz",
-			vendor: "Nationz Technologies Inc.",
-			model:  "TPM 2.0 Z32H330",
-		},
-		{
-			name:   "Intel",
-			vendor: "Intel Corporation",
-			model:  "Intel® PTT",
-		},
-		{
-			name:   "AMD",
-			vendor: "Advanced Micro Devices, Inc.",
-			model:  "AMD fTPM",
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			id := ID{
-				class:    "test-class",
-				instance: "test-instance",
-			}
-
-			key := &comid.CryptoKey{
-				Parameters: map[string]interface{}{
-					"vendor": tc.vendor,
-					"model":  tc.model,
-				},
-				Value: &comid.TaggedPKIXBase64Key{PK: "test-key-data"},
-			}
-
-			attrs, err := makeTaAttrs(id, key)
-			if tc.wantError {
-				require.Error(t, err)
-				return
-			}
-			require.NoError(t, err)
-
-			var taAttr TaAttr
-			err = json.Unmarshal(attrs, &taAttr)
-			require.NoError(t, err)
-
-			assert.Equal(t, tc.vendor, *taAttr.Vendor)
-			assert.Equal(t, tc.model, *taAttr.Model)
-		})
-	}
-}
-
-func TestTaAttrs_InternationalVendors(t *testing.T) {
-	// Test cases with international vendor names and models
-	testCases := []struct {
-		name      string
-		vendor    string
-		model     string
-		wantError bool
-	}{
-		{
-			name:   "Japanese Vendor",
-			vendor: "富士通株式会社",
-			model:  "FUJITSU TPM v2.0",
-		},
-		{
-			name:   "Chinese Vendor",
-			vendor: "联想集团有限公司",
-			model:  "ThinkPad TPM 2.0",
-		},
-		{
-			name:   "Korean Vendor",
-			vendor: "삼성전자",
-			model:  "Samsung TPM2.0",
-		},
-		{
-			name:   "Russian Vendor",
-			vendor: "Компания",
-			model:  "ТПМ-2000",
-		},
-		{
-			name:   "Mixed Scripts",
-			vendor: "Fujitsu富士通",
-			model:  "TPM v2.0 型号",
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			id := ID{
-				class:    "test-class",
-				instance: "test-instance",
-			}
-
-			key := &comid.CryptoKey{
-				Parameters: map[string]interface{}{
-					"vendor": tc.vendor,
-					"model":  tc.model,
-				},
-				Value: &comid.TaggedPKIXBase64Key{PK: "test-key-data"},
-			}
-
-			attrs, err := makeTaAttrs(id, key)
-			require.NoError(t, err)
-
-			var taAttr TaAttr
-			err = json.Unmarshal(attrs, &taAttr)
-			require.NoError(t, err)
-
-			assert.Equal(t, tc.vendor, *taAttr.Vendor)
-			assert.Equal(t, tc.model, *taAttr.Model)
-		})
-	}
-}
-
-func TestTaAttrs_EdgeCases(t *testing.T) {
-	testCases := []struct {
-		name      string
-		vendor    string
-		model     string
-		wantError bool
-	}{
-		{
-			name:   "Maximum Length",
-			vendor: strings.Repeat("V", 1024),
-			model:  strings.Repeat("M", 1024),
-		},
-		{
-			name:      "Exceeds Maximum Length",
-			vendor:    strings.Repeat("V", 1025),
-			model:     strings.Repeat("M", 1025),
-			wantError: true,
-		},
-		{
-			name:   "Single Character",
-			vendor: "V",
-			model:  "M",
-		},
-		{
-			name:   "Space Only",
-			vendor: "   ",
-			model:  "   ",
-		},
-		{
-			name:   "Mixed Spaces",
-			vendor: "   Vendor   Name   ",
-			model:  "   Model   Type   ",
-		},
-		{
-			name:   "Special Characters",
-			vendor: "Vendor-Name & Co., Ltd.",
-			model:  "TPM-2000 (Gen2) v2.0",
-		},
-		{
-			name:   "With Trademark Symbols",
-			vendor: "Company™",
-			model:  "TPM® 2.0",
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			id := ID{
-				class:    "test-class",
-				instance: "test-instance",
-			}
-
-			key := &comid.CryptoKey{
-				Parameters: map[string]interface{}{
-					"vendor": tc.vendor,
-					"model":  tc.model,
-				},
-				Value: &comid.TaggedPKIXBase64Key{PK: "test-key-data"},
-			}
-
-			attrs, err := makeTaAttrs(id, key)
-			if tc.wantError {
-				assert.Error(t, err)
-				return
-			}
-			require.NoError(t, err)
-
-			var taAttr TaAttr
-			err = json.Unmarshal(attrs, &taAttr)
-			require.NoError(t, err)
-
-			// For non-error cases, verify the strings are properly trimmed and sanitized
-			if !tc.wantError {
-				assert.Equal(t, strings.TrimSpace(tc.vendor), *taAttr.Vendor)
-				assert.Equal(t, strings.TrimSpace(tc.model), *taAttr.Model)
-			}
-		})
-	}
-}
-
-func TestTaAttrs_SecurityCases(t *testing.T) {
-	testCases := []struct {
-		name           string
-		vendor         string
-		model          string
-		wantError      bool
-		checkSanitized bool
-	}{
-		{
-			name:           "HTML Injection",
-			vendor:         "<script>alert('xss')</script>",
-			model:         "<img src=x onerror=alert('xss')>",
-			checkSanitized: true,
-		},
-		{
-			name:           "SQL Injection",
-			vendor:         "1' OR '1'='1",
-			model:         "1'; DROP TABLE users--",
-			checkSanitized: true,
-		},
-		{
-			name:           "Command Injection",
-			vendor:         "$(rm -rf /)",
-			model:         "`rm -rf /`",
-			checkSanitized: true,
-		},
-		{
-			name:           "Path Traversal",
-			vendor:         "../../../etc/passwd",
-			model:         "..\\..\\..\\windows\\system32",
-			checkSanitized: true,
-		},
-		{
-			name:      "Null Bytes",
-			vendor:    "Vendor\x00Name",
-			model:     "Model\x00Type",
-			wantError: true,
-		},
-		{
-			name:      "Control Characters",
-			vendor:    "Bad\x01Vendor\x02Name",
-			model:     "Bad\x01Model\x02Type",
-			wantError: true,
-		},
-		{
-			name:           "Mixed Valid and Invalid",
-			vendor:         "Valid Name <script>alert(1)</script>",
-			model:         "Valid Model `rm -rf /`",
-			checkSanitized: true,
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			id := ID{
-				class:    "test-class",
-				instance: "test-instance",
-			}
-
-			key := &comid.CryptoKey{
-				Parameters: map[string]interface{}{
-					"vendor": tc.vendor,
-					"model":  tc.model,
-				},
-				Value: &comid.TaggedPKIXBase64Key{PK: "test-key-data"},
-			}
-
-			attrs, err := makeTaAttrs(id, key)
-			if tc.wantError {
-				assert.Error(t, err)
-				return
-			}
-			require.NoError(t, err)
-
-			var taAttr TaAttr
-			err = json.Unmarshal(attrs, &taAttr)
-			require.NoError(t, err)
-
-			if tc.checkSanitized {
-				// Check that dangerous characters are escaped or removed
-				assert.NotEqual(t, tc.vendor, *taAttr.Vendor, "Dangerous vendor string should be sanitized")
-				assert.NotEqual(t, tc.model, *taAttr.Model, "Dangerous model string should be sanitized")
-				
-				// Verify the sanitized strings don't contain dangerous patterns
-				dangerousPatterns := []string{"<script>", "alert", "rm -rf", "../", "\\.\\.\\"}
-				for _, pattern := range dangerousPatterns {
-					assert.NotContains(t, *taAttr.Vendor, pattern, "Sanitized vendor should not contain %s", pattern)
-					assert.NotContains(t, *taAttr.Model, pattern, "Sanitized model should not contain %s", pattern)
-				}
-			}
-		})
-	}
-}
-
-func TestTaAttrs_Combinations(t *testing.T) {
-	// Test various combinations of vendor/model presence and content
-	testCases := []struct {
-		name      string
-		params    map[string]interface{}
-		wantError bool
-	}{
-		{
-			name: "Vendor Only",
-			params: map[string]interface{}{
-				"vendor": "Test Vendor",
-			},
-		},
-		{
-			name: "Model Only",
-			params: map[string]interface{}{
-				"model": "Test Model",
-			},
-		},
-		{
-			name:   "Neither Present",
-			params: map[string]interface{}{},
-		},
-		{
-			name: "Multiple Parameters",
-			params: map[string]interface{}{
-				"vendor":     "Test Vendor",
-				"model":      "Test Model",
-				"extra_key": "should be ignored",
-				"version":   "1.0",
-			},
-		},
-		{
-			name: "With Version Info",
-			params: map[string]interface{}{
-				"vendor": "Test Vendor",
-				"model":  "TPM 2.0",
-				"fw_version": "1.2.3.4",
-				"hw_version": "5.6.7.8",
-			},
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			id := ID{
-				class:    "test-class",
-				instance: "test-instance",
-			}
-
-			key := &comid.CryptoKey{
-				Parameters: tc.params,
-				Value:     &comid.TaggedPKIXBase64Key{PK: "test-key-data"},
-			}
-
-			attrs, err := makeTaAttrs(id, key)
-			if tc.wantError {
-				assert.Error(t, err)
-				return
-			}
-			require.NoError(t, err)
-
-			var taAttr TaAttr
-			err = json.Unmarshal(attrs, &taAttr)
-			require.NoError(t, err)
-
-			// Verify vendor presence matches input
-			if v, ok := tc.params["vendor"]; ok {
-				require.NotNil(t, taAttr.Vendor)
-				assert.Equal(t, v.(string), *taAttr.Vendor)
-			} else {
-				assert.Nil(t, taAttr.Vendor)
-			}
-
-			// Verify model presence matches input
-			if m, ok := tc.params["model"]; ok {
-				require.NotNil(t, taAttr.Model)
-				assert.Equal(t, m.(string), *taAttr.Model)
-			} else {
-				assert.Nil(t, taAttr.Model)
-			}
-		})
-	}
-}
-
-func TestSanitize_CharacterTypes(t *testing.T) {
-	// Test handling of different character types and categories
-	testCases := []struct {
-		name     string
-		input    string
-		validate func(t *testing.T, input, sanitized string)
-	}{
-		{
-			name:  "Unicode Categories",
-			input: "Lu:A Ll:a Lt:Dž Lm:ʰ Lo:豈 Nl:Ⅰ Nd:1 Pc:_ Pd:- Ps:( Pe:) Pi:« Pf:» Po:! Sm:+ Sc:£ Sk:^ So:© Zs:  Zl:\u2028 Zp:\u2029",
-			validate: func(t *testing.T, input, sanitized string) {
-				// Verify that valid Unicode categories are preserved
-				for _, r := range sanitized {
-					assert.True(t, unicode.IsLetter(r) || 
-					          unicode.IsNumber(r) || 
-					          unicode.IsPunct(r) || 
-					          unicode.IsSymbol(r) ||
-					          unicode.IsSpace(r),
-					          "Character %q should be preserved", r)
-				}
-			},
-		},
-		{
-			name:  "Diacritical Marks",
-			input: "áéíóúÁÉÍÓÚñÑüÜ",
-			validate: func(t *testing.T, input, sanitized string) {
-				assert.Equal(t, input, sanitized, "Diacritical marks should be preserved")
-			},
-		},
-		{
-			name:  "Technical Symbols",
-			input: "±∑∆∏∐∂∅∈∉√∛∜∝∞∟∠∡∢∣",
-			validate: func(t *testing.T, input, sanitized string) {
-				assert.Equal(t, input, sanitized, "Technical symbols should be preserved")
-			},
-		},
-		{
-			name:  "Currency Symbols",
-			input: "₠₡₢₣₤₥₦₧₨₩₪₫€₭₮₯",
-			validate: func(t *testing.T, input, sanitized string) {
-				assert.Equal(t, input, sanitized, "Currency symbols should be preserved")
-			},
-		},
-		{
-			name:  "Mixed Scripts",
-			input: "Latin:ABC Cyrillic:АБВ Greek:ΑΒΓ Hebrew:אבג Arabic:ابت",
-			validate: func(t *testing.T, input, sanitized string) {
-				assert.Equal(t, input, sanitized, "Different scripts should be preserved")
-			},
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			sanitized := sanitizeString(tc.input)
-			tc.validate(t, tc.input, sanitized)
-		})
-	}
-}
\ No newline at end of file
diff --git a/scheme/parsec-tpm/ta_attrs_test.go b/scheme/parsec-tpm/ta_attrs_test.go
deleted file mode 100644
index 8fc68fad..00000000
--- a/scheme/parsec-tpm/ta_attrs_test.go
+++ /dev/null
@@ -1,259 +0,0 @@
-package parsec_tpm
-
-import (
-	"encoding/base64"
-	"encoding/json"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-	"github.com/veraison/corim/comid"
-)
-
-func TestMakeTaAttrs_WithVendorAndModel(t *testing.T) {
-	id := ID{
-		class: "test-class",
-		instance: "test-instance",
-	}
-
-	key := &comid.CryptoKey{
-		Parameters: map[string]interface{}{
-			"vendor": "Vendor Inc.",
-			"model": "TPM-2000",
-		},
-	}
-
-	attrs, err := makeTaAttrs(id, key)
-	assert.NoError(t, err)
-
-	var taAttr TaAttr
-	err = json.Unmarshal(attrs, &taAttr)
-	assert.NoError(t, err)
-
-	assert.Equal(t, "test-class", *taAttr.ClassID)
-	assert.Equal(t, "test-instance", *taAttr.InstID)
-	assert.Equal(t, "Vendor Inc.", *taAttr.Vendor)
-	assert.Equal(t, "TPM-2000", *taAttr.Model)
-}
-
-func TestMakeTaAttrs_WithoutVendorAndModel(t *testing.T) {
-	id := ID{
-		class: "test-class",
-		instance: "test-instance",
-	}
-
-	key := &comid.CryptoKey{
-		Parameters: map[string]interface{}{},
-	}
-
-	attrs, err := makeTaAttrs(id, key)
-	assert.NoError(t, err)
-
-	var taAttr TaAttr
-	err = json.Unmarshal(attrs, &taAttr)
-	assert.NoError(t, err)
-
-	assert.Equal(t, "test-class", *taAttr.ClassID)
-	assert.Equal(t, "test-instance", *taAttr.InstID)
-	assert.Nil(t, taAttr.Vendor)
-	assert.Nil(t, taAttr.Model)
-}
-
-func TestMakeTaAttrs_WithInvalidTypes(t *testing.T) {
-	id := ID{
-		class: "test-class",
-		instance: "test-instance",
-	}
-
-	testCases := []struct {
-		name       string
-		vendorVal  interface{}
-		modelVal   interface{}
-		wantVendor bool
-		wantModel  bool
-	}{
-		{
-			name:       "number values",
-			vendorVal:  123,
-			modelVal:   456,
-			wantVendor: false,
-			wantModel:  false,
-		},
-		{
-			name:       "array values",
-			vendorVal:  []string{"vendor1", "vendor2"},
-			modelVal:   []string{"model1", "model2"},
-			wantVendor: false,
-			wantModel:  false,
-		},
-		{
-			name:       "mixed valid and invalid",
-			vendorVal:  "Valid Vendor",
-			modelVal:   []int{1, 2, 3},
-			wantVendor: true,
-			wantModel:  false,
-		},
-		{
-			name:       "nil values",
-			vendorVal:  nil,
-			modelVal:   nil,
-			wantVendor: false,
-			wantModel:  false,
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			key := &comid.CryptoKey{
-				Parameters: map[string]interface{}{},
-				Value:     &comid.TaggedPKIXBase64Key{PK: "test-key-data"},
-			}
-			if tc.vendorVal != nil {
-				key.Parameters["vendor"] = tc.vendorVal
-			}
-			if tc.modelVal != nil {
-				key.Parameters["model"] = tc.modelVal
-			}
-
-			attrs, err := makeTaAttrs(id, key)
-			require.NoError(t, err)
-
-			var taAttr TaAttr
-			err = json.Unmarshal(attrs, &taAttr)
-			require.NoError(t, err)
-
-			// Check mandatory fields
-			assert.Equal(t, "test-class", *taAttr.ClassID)
-			assert.Equal(t, "test-instance", *taAttr.InstID)
-			assert.Equal(t, "test-key-data", *taAttr.VerifKey)
-
-			// Check optional fields
-			if tc.wantVendor {
-				assert.NotNil(t, taAttr.Vendor)
-				assert.Equal(t, tc.vendorVal.(string), *taAttr.Vendor)
-			} else {
-				assert.Nil(t, taAttr.Vendor)
-			}
-			if tc.wantModel {
-				assert.NotNil(t, taAttr.Model)
-				assert.Equal(t, tc.modelVal.(string), *taAttr.Model)
-			} else {
-				assert.Nil(t, taAttr.Model)
-			}
-		})
-	}
-}
-
-func TestMakeTaAttrs_WithSpecialCases(t *testing.T) {
-	id := ID{
-		class:    "test-class",
-		instance: "test-instance",
-	}
-
-	testCases := []struct {
-		name       string
-		vendor    string
-		model     string
-		wantError bool
-	}{
-		{
-			name:    "special characters",
-			vendor: "Vendor & Co., Ltd.",
-			model:  "TPM-2000!@#$%",
-			wantError: false,
-		},
-		{
-			name:    "empty strings",
-			vendor: "",
-			model:  "",
-			wantError: false,
-		},
-		{
-			name:    "very long strings",
-			vendor: "Very Long Vendor Name That Could Potentially Cause Issues " + 
-			        "In Some Systems That Have Length Limitations For These Fields " +
-			        "We Should Handle This Gracefully",
-			model:  "TPM-" + strings.Repeat("0", 1000),
-			wantError: false,
-		},
-		{
-			name:    "unicode characters",
-			vendor: "製造元株式会社",  // Japanese for "Manufacturer Co., Ltd."
-			model:  "TPM-モデル2000", // Japanese for "TPM-Model2000"
-			wantError: false,
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			key := &comid.CryptoKey{
-				Parameters: map[string]interface{}{
-					"vendor": tc.vendor,
-					"model":  tc.model,
-					"extra1": "should be ignored",
-					"extra2": 123,
-				},
-				Value: &comid.TaggedPKIXBase64Key{PK: "test-key-data"},
-			}
-
-			attrs, err := makeTaAttrs(id, key)
-			if tc.wantError {
-				require.Error(t, err)
-				return
-			}
-			require.NoError(t, err)
-
-			var taAttr TaAttr
-			err = json.Unmarshal(attrs, &taAttr)
-			require.NoError(t, err)
-
-			// Verify fields
-			assert.Equal(t, "test-class", *taAttr.ClassID)
-			assert.Equal(t, "test-instance", *taAttr.InstID)
-			assert.Equal(t, tc.vendor, *taAttr.Vendor)
-			assert.Equal(t, tc.model, *taAttr.Model)
-		})
-	}
-}
-
-func TestMakeTaAttrs_WithPEMKey(t *testing.T) {
-	// Sample RSA public key in PEM format
-	const pemKey = `-----BEGIN PUBLIC KEY-----
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3Tz2mr7SZiAMfQyuvBjM
-9OiJjRazXBZ1BUiFOkWM83wGv2PkPA/mPfH9jqrLdQJLxG/Nkw3F0w5nHVPljNB1
-X1YzQR9G7qYPqhXFOZE/m2tgL1qzrijZZrFmNR94EJj1N/7UHqkZZaZWprgq7kHx
-HnDM8JD/4kZ0QPQv0tHU6paG0nfxlRmeyiWx7zHZZz7QXqlQzG65KOA0XgZc0PO6
-TiwgQ8CFPLd2yOAKR1eVXnUZ
------END PUBLIC KEY-----`
-	
-	id := ID{
-		class: "test-class",
-		instance: "test-instance",
-	}
-
-	key := &comid.CryptoKey{
-		Parameters: map[string]interface{}{
-			"vendor": "Vendor Inc.",
-			"model": "TPM-2000",
-		},
-		Value: &comid.TaggedPKIXBase64Key{PK: base64.StdEncoding.EncodeToString([]byte(pemKey))},
-	}
-
-	attrs, err := makeTaAttrs(id, key)
-	require.NoError(t, err)
-
-	var taAttr TaAttr
-	err = json.Unmarshal(attrs, &taAttr)
-	require.NoError(t, err)
-
-	// Verify all fields
-	assert.Equal(t, "test-class", *taAttr.ClassID)
-	assert.Equal(t, "test-instance", *taAttr.InstID)
-	assert.Equal(t, "Vendor Inc.", *taAttr.Vendor)
-	assert.Equal(t, "TPM-2000", *taAttr.Model)
-	assert.NotEmpty(t, *taAttr.VerifKey)
-
-	// Verify the key is properly encoded
-	_, err = base64.StdEncoding.DecodeString(*taAttr.VerifKey)
-	require.NoError(t, err)
-}
\ No newline at end of file

From 2bc0d5035f53d16afecd116bece2d465ec415ddb Mon Sep 17 00:00:00 2001
From: Abhijit Das <appsonly310@gmail.com>
Date: Mon, 6 Oct 2025 22:06:41 +0530
Subject: [PATCH 3/5] Update scheme/parsec-tpm/sanitize.go

Signed-off-by: Sukuna0007Abhi <appsonly310@gmail.com>

Co-authored-by: Yogesh Deshpande <yogesh.deshpande@arm.com>
Signed-off-by: Sukuna0007Abhi <appsonly310@gmail.com>
---
 scheme/parsec-tpm/sanitize.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scheme/parsec-tpm/sanitize.go b/scheme/parsec-tpm/sanitize.go
index a7a321b3..7e79baee 100644
--- a/scheme/parsec-tpm/sanitize.go
+++ b/scheme/parsec-tpm/sanitize.go
@@ -1,4 +1,4 @@
-// Copyright 2024 Contributors to the Veraison project.
+// Copyright 2025 Contributors to the Veraison project.
 // SPDX-License-Identifier: Apache-2.0
 package parsec_tpm
 

From 463513d72abcec906ce5f0353829194d90615e24 Mon Sep 17 00:00:00 2001
From: Abhijit Das <appsonly310@gmail.com>
Date: Mon, 6 Oct 2025 22:08:05 +0530
Subject: [PATCH 4/5] Update scheme/parsec-tpm/sanitize_test.go

Signed-off-by: Sukuna0007Abhi <appsonly310@gmail.com>

Co-authored-by: Yogesh Deshpande <yogesh.deshpande@arm.com>
Signed-off-by: Sukuna0007Abhi <appsonly310@gmail.com>
---
 scheme/parsec-tpm/sanitize_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scheme/parsec-tpm/sanitize_test.go b/scheme/parsec-tpm/sanitize_test.go
index 70af1e2d..26483cfd 100644
--- a/scheme/parsec-tpm/sanitize_test.go
+++ b/scheme/parsec-tpm/sanitize_test.go
@@ -1,4 +1,4 @@
-// Copyright 2024 Contributors to the Veraison project.
+// Copyright 2025 Contributors to the Veraison project.
 // SPDX-License-Identifier: Apache-2.0
 package parsec_tpm
 

From 2b059c78e261033822b23f0e6cc71d8c0c072715 Mon Sep 17 00:00:00 2001
From: Sukuna0007Abhi <appsonly310@gmail.com>
Date: Thu, 9 Oct 2025 21:30:30 +0000
Subject: [PATCH 5/5] Simplify vendor/model implementation per review feedback

- Remove sanitization files (sanitize.go, sanitize_test.go)
- Extract vendor/model directly without validation
- Simplify README: keep one example, remove Security section
- Add vendor/model support to SwAttr for supply chain

Addresses feedback from sir @yogeshbdeshpande

Signed-off-by: Sukuna0007Abhi <appsonly310@gmail.com>
---
 scheme/parsec-tpm/README.md           | 117 +-------------
 scheme/parsec-tpm/corim_extractor.go  |  72 ++++-----
 scheme/parsec-tpm/evidence_handler.go |   4 +
 scheme/parsec-tpm/sanitize.go         | 213 --------------------------
 scheme/parsec-tpm/sanitize_test.go    | 125 ---------------
 5 files changed, 33 insertions(+), 498 deletions(-)
 delete mode 100644 scheme/parsec-tpm/sanitize.go
 delete mode 100644 scheme/parsec-tpm/sanitize_test.go

diff --git a/scheme/parsec-tpm/README.md b/scheme/parsec-tpm/README.md
index 657fae5f..368c1717 100644
--- a/scheme/parsec-tpm/README.md
+++ b/scheme/parsec-tpm/README.md
@@ -43,9 +43,9 @@ Both fields support:
 - Special characters (allowed in both fields)
 - Variable length strings (no artificial length restrictions)
 
-### CORIM Example
+### CoRIM Example
 
-To include vendor and model information in your CORIM manifest, add them to the `environment.class` section (following standard CoRIM specification). Here are several examples:
+To include vendor and model information in your CoRIM manifest, add them to the `environment.class` section (following standard CoRIM specification):
 
 ```json
 {
@@ -74,116 +74,3 @@ To include vendor and model information in your CORIM manifest, add them to the
   ]
 }
 ```
-
-Additional Examples:
-
-1. International Vendor (with Unicode characters):
-```json
-{
-  "comid.verification-keys": [
-    {
-      "environment": {
-        "class": {
-          "id": {
-            "class-id": "cd1f0e55-26f9-460d-b9d8-f7fde171787c"
-          },
-          "vendor": "富士通株式会社",
-          "model": "FUJITSU TPM 2.0"
-        },
-        "instance": {
-          "instance-id": {
-            "type": "ueid",
-            "value": "AQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
-          }
-        }
-      },
-      "key": [{
-        "type": "pkix-base64-key",
-        "value": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAETKRFE_RwSXooI8DdatPOYg_uiKm2XrtT_uEMEvqQZrwJHHcfw0c3WVzGoqL3Y_Q6xkHFfdUVqS2WWkPdKO03uw=="
-      }]
-    }
-  ]
-}
-```
-
-2. Minimal Example (vendor only):
-```json
-{
-  "comid.verification-keys": [
-    {
-      "environment": {
-        "class": {
-          "id": {
-            "class-id": "cd1f0e55-26f9-460d-b9d8-f7fde171787c"
-          },
-          "vendor": "Intel Corporation"
-        },
-        "instance": {
-          "instance-id": {
-            "type": "ueid",
-            "value": "AQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
-          }
-        }
-      },
-      "key": [{
-        "type": "pkix-base64-key",
-        "value": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAETKRFE_RwSXooI8DdatPOYg_uiKm2XrtT_uEMEvqQZrwJHHcfw0c3WVzGoqL3Y_Q6xkHFfdUVqS2WWkPdKO03uw=="
-      }]
-    }
-  ]
-}
-```
-
-3. Complex Example (with special characters):
-```json
-{
-  "comid.verification-keys": [
-    {
-      "environment": {
-        "class": {
-          "id": {
-            "class-id": "cd1f0e55-26f9-460d-b9d8-f7fde171787c"
-          },
-          "vendor": "Company & Co., Ltd.",
-          "model": "TPM.v2-Enhanced+"
-        },
-        "instance": {
-          "instance-id": {
-            "type": "ueid",
-            "value": "AQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
-          }
-        }
-      },
-      "key": [{
-        "type": "pkix-base64-key",
-        "value": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAETKRFE_RwSXooI8DdatPOYg_uiKm2XrtT_uEMEvqQZrwJHHcfw0c3WVzGoqL3Y_Q6xkHFfdUVqS2WWkPdKO03uw=="
-      }]
-    }
-  ]
-}
-```
-
-### Security Considerations
-
-When using vendor and model fields:
-
-1. **Input Validation**:
-   - Maximum length: 1024 characters
-   - Strings are trimmed of leading/trailing whitespace
-   - Basic sanitization is applied to prevent injection attacks
-   - Control characters are removed (except newline and tab)
-
-2. **Storage**:
-   - Fields are optional and won't affect TPM validation
-   - Unicode characters are preserved for international vendor names
-   - Dangerous characters are escaped to prevent injection
-
-3. **Best Practices**:
-   - Use consistent vendor/model identifiers
-   - Prefer official vendor names and model numbers
-   - Keep strings concise and meaningful
-   - Test with various character encodings if using international names
-
-Note: The vendor and model fields are always optional and are meant for informational purposes only. The TPM's security validation is based solely on its cryptographic identity and measurements.
-```
-```
diff --git a/scheme/parsec-tpm/corim_extractor.go b/scheme/parsec-tpm/corim_extractor.go
index 7d35e890..9a2b236f 100644
--- a/scheme/parsec-tpm/corim_extractor.go
+++ b/scheme/parsec-tpm/corim_extractor.go
@@ -6,7 +6,6 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"strings"
 
 	"github.com/veraison/corim/comid"
 	"github.com/veraison/eat"
@@ -40,19 +39,19 @@ func (o CorimExtractor) RefValExtractor(
 				return nil, fmt.Errorf("measurement[%d]: %w", i, err)
 			}
 
-			for j, digest := range digests {
-				attrs, err := makeRefValAttrs(id.class, pcr, digest)
-				if err != nil {
-					return nil, fmt.Errorf("measurement[%d].digest[%d]: %w", i, j, err)
-				}
-
-				refval = &handler.Endorsement{
-					Scheme:     SchemeName,
-					Type:       handler.EndorsementType_REFERENCE_VALUE,
-					Attributes: attrs,
-				}
+		for j, digest := range digests {
+			attrs, err := makeRefValAttrs(id.class, pcr, digest, rv.Environment)
+			if err != nil {
+				return nil, fmt.Errorf("measurement[%d].digest[%d]: %w", i, j, err)
+			}
+
+			refval = &handler.Endorsement{
+				Scheme:     SchemeName,
+				Type:       handler.EndorsementType_REFERENCE_VALUE,
+				Attributes: attrs,
 			}
-			refVals = append(refVals, refval)
+		}
+		refVals = append(refVals, refval)
 		}
 	}
 
@@ -96,7 +95,7 @@ func (o CorimExtractor) TaExtractor(
 	return ta, nil
 }
 
-func makeRefValAttrs(class string, pcr uint64, digest swid.HashEntry) (json.RawMessage, error) {
+func makeRefValAttrs(class string, pcr uint64, digest swid.HashEntry, env comid.Environment) (json.RawMessage, error) {
 
 	var attrs = map[string]interface{}{
 		"parsec-tpm.class-id": class,
@@ -104,6 +103,18 @@ func makeRefValAttrs(class string, pcr uint64, digest swid.HashEntry) (json.RawM
 		"parsec-tpm.digest":   digest.HashValue,
 		"parsec-tpm.alg-id":   digest.HashAlgID,
 	}
+
+	// Extract optional vendor and model from environment.class
+	// Following CoRIM specification - vendor/model are stored in environment, not key parameters
+	if env.Class != nil {
+		if env.Class.Vendor != nil {
+			attrs["parsec-tpm.vendor"] = string(*env.Class.Vendor)
+		}
+		if env.Class.Model != nil {
+			attrs["parsec-tpm.model"] = string(*env.Class.Model)
+		}
+	}
+
 	data, err := json.Marshal(attrs)
 	if err != nil {
 		return nil, fmt.Errorf("unable to marshal reference value attributes: %w", err)
@@ -126,20 +137,10 @@ func makeTaAttrs(id ID, key *comid.CryptoKey, env comid.Environment) (json.RawMe
 	// Following CoRIM specification - vendor/model are stored in environment, not key parameters
 	if env.Class != nil {
 		if env.Class.Vendor != nil {
-			vendor := string(*env.Class.Vendor)
-			// Trim and validate
-			vendor = sanitizeAndValidate(vendor)
-			if vendor != "" {
-				attrs["parsec-tpm.vendor"] = vendor
-			}
+			attrs["parsec-tpm.vendor"] = string(*env.Class.Vendor)
 		}
 		if env.Class.Model != nil {
-			model := string(*env.Class.Model)
-			// Trim and validate
-			model = sanitizeAndValidate(model)
-			if model != "" {
-				attrs["parsec-tpm.model"] = model
-			}
+			attrs["parsec-tpm.model"] = string(*env.Class.Model)
 		}
 	}
 
@@ -210,22 +211,3 @@ func (o *ID) FromEnvironment(e comid.Environment) error {
 func (o *CorimExtractor) SetProfile(profile string) {
 	o.Profile = profile
 }
-
-// sanitizeAndValidate trims and validates vendor/model strings
-func sanitizeAndValidate(input string) string {
-	// Trim whitespace
-	trimmed := strings.TrimSpace(input)
-	
-	// Check length limit (1024 characters)
-	if len(trimmed) > 1024 {
-		return ""
-	}
-	
-	// If empty after trimming, return empty
-	if trimmed == "" {
-		return ""
-	}
-	
-	// Apply sanitization
-	return sanitizeString(trimmed)
-}
diff --git a/scheme/parsec-tpm/evidence_handler.go b/scheme/parsec-tpm/evidence_handler.go
index 59236dda..e542df73 100644
--- a/scheme/parsec-tpm/evidence_handler.go
+++ b/scheme/parsec-tpm/evidence_handler.go
@@ -26,6 +26,10 @@ type SwAttr struct {
 	ClassID *string `json:"parsec-tpm.class-id"`
 	Digest  *[]byte `json:"parsec-tpm.digest"`
 	PCR     *uint   `json:"parsec-tpm.pcr"`
+	// Optional vendor information for the TPM
+	Vendor *string `json:"parsec-tpm.vendor,omitempty"`
+	// Optional model information for the TPM
+	Model *string `json:"parsec-tpm.model,omitempty"`
 }
 
 type Endorsements struct {
diff --git a/scheme/parsec-tpm/sanitize.go b/scheme/parsec-tpm/sanitize.go
deleted file mode 100644
index 7e79baee..00000000
--- a/scheme/parsec-tpm/sanitize.go
+++ /dev/null
@@ -1,213 +0,0 @@
-// Copyright 2025 Contributors to the Veraison project.
-// SPDX-License-Identifier: Apache-2.0
-package parsec_tpm
-
-import (
-	"regexp"
-	"strings"
-
-	"github.com/veraison/services/log"
-)
-
-// Validation patterns and limits
-var (
-	// Common potentially dangerous characters that should be escaped or sanitized
-	dangerousChars = regexp.MustCompile(`[<>&'"{}()\\]`)
-	
-	// Pattern to detect suspiciously high frequency of non-word chars
-	highFreqSpecials = regexp.MustCompile(`[\W]{20,}`)
-
-	// Allowed character sets for vendor/model strings
-	// Includes alphanumeric, common punctuation, and Unicode ranges for various scripts
-	allowedChars = regexp.MustCompile(`^[\p{L}\p{N}\p{P}\p{Zs}\t\n]+$`)
-)
-
-// ValidationResult represents the outcome of string validation
-type ValidationResult struct {
-	Valid   bool
-	Reasons []string
-}
-
-// validateString performs security validation on the input string
-func validateString(input string) ValidationResult {
-	result := ValidationResult{
-		Valid:   true,
-		Reasons: []string{},
-	}
-
-	// Check for repeated sequences (potential DoS) - simpler approach
-	if hasExcessiveRepetition(input) {
-		result.Valid = false
-		result.Reasons = append(result.Reasons, "excessive repeated sequences detected")
-	}
-
-	// Check for high frequency of special characters
-	if highFreqSpecials.MatchString(input) {
-		result.Valid = false
-		result.Reasons = append(result.Reasons, "suspicious frequency of special characters")
-	}
-
-	// Validate character set
-	if !allowedChars.MatchString(input) {
-		result.Valid = false
-		result.Reasons = append(result.Reasons, "invalid characters detected")
-	}
-
-	// Check character frequency distribution
-	if hasAbnormalDistribution(input) {
-		result.Valid = false
-		result.Reasons = append(result.Reasons, "abnormal character distribution")
-	}
-
-	return result
-}
-
-// hasExcessiveRepetition checks for excessive repeated characters
-func hasExcessiveRepetition(input string) bool {
-	if len(input) < 30 {
-		return false
-	}
-	
-	maxRepeat := 0
-	currentRepeat := 1
-	var prevRune rune
-	
-	for i, r := range input {
-		if i > 0 && r == prevRune {
-			currentRepeat++
-			if currentRepeat > maxRepeat {
-				maxRepeat = currentRepeat
-			}
-		} else {
-			currentRepeat = 1
-		}
-		prevRune = r
-	}
-	
-	// If any character repeats more than 20 times consecutively, flag it
-	return maxRepeat > 20
-}
-
-// hasAbnormalDistribution checks if the string has an unusually skewed
-// distribution of characters (possible encoded/obfuscated content)
-func hasAbnormalDistribution(input string) bool {
-	if len(input) < 8 {
-		return false
-	}
-
-	// Count character frequencies
-	freqs := make(map[rune]int)
-	total := 0
-	for _, r := range input {
-		freqs[r]++
-		total++
-	}
-
-	// Check if any character appears with suspicious frequency
-	threshold := float64(total) * 0.4 // 40% threshold
-	for _, count := range freqs {
-		if float64(count) > threshold {
-			return true
-		}
-	}
-
-	return false
-}
-
-// sanitizeString performs comprehensive sanitization on input strings to prevent
-// potential security issues. It:
-// 1. Removes or escapes potentially dangerous characters
-// 2. Preserves valid Unicode characters
-// 3. Maintains readability of the string
-// 4. Returns the sanitized string
-func sanitizeString(input string) string {
-	// First, validate the input
-	validationResult := validateString(input)
-	if !validationResult.Valid {
-		// If validation fails, apply aggressive sanitization
-		input = aggressiveSanitize(input)
-	}
-
-	// Replace potentially dangerous characters with their escaped versions
-	sanitized := dangerousChars.ReplaceAllStringFunc(input, func(s string) string {
-		return "\\" + s
-	})
-
-	// Remove any null bytes
-	sanitized = strings.ReplaceAll(sanitized, "\x00", "")
-
-	// Remove any control characters except newline and tab
-	var builder strings.Builder
-	for _, r := range sanitized {
-		if !isForbiddenControl(r) {
-			builder.WriteRune(r)
-		}
-	}
-
-	// Log suspicious inputs for security monitoring
-	if !validationResult.Valid {
-		logSuspiciousInput(input, validationResult.Reasons)
-	}
-
-	return builder.String()
-}
-
-// isForbiddenControl returns true if the rune is a control character
-// that should be removed, excluding commonly used whitespace characters.
-func isForbiddenControl(r rune) bool {
-	return (r < 32 && r != '\n' && r != '\t') || (r >= 127 && r < 160)
-}
-
-// aggressiveSanitize performs more strict sanitization for suspicious inputs
-func aggressiveSanitize(input string) string {
-	// Remove excessive repetition by limiting consecutive identical characters
-	var builder strings.Builder
-	var prevRune rune
-	repeatCount := 0
-	
-	for i, r := range input {
-		if i > 0 && r == prevRune {
-			repeatCount++
-			// Allow up to 3 consecutive identical characters
-			if repeatCount < 3 {
-				builder.WriteRune(r)
-			}
-		} else {
-			repeatCount = 0
-			builder.WriteRune(r)
-		}
-		prevRune = r
-	}
-	
-	input = builder.String()
-
-	// Limit consecutive special characters
-	input = highFreqSpecials.ReplaceAllStringFunc(input, func(s string) string {
-		if len(s) > 5 {
-			return s[:5] // Keep only first 5 special characters
-		}
-		return s
-	})
-
-	// Keep only allowed characters
-	builder.Reset()
-	for _, r := range input {
-		if allowedChars.MatchString(string(r)) {
-			builder.WriteRune(r)
-		}
-	}
-
-	return builder.String()
-}
-
-// logSuspiciousInput logs potentially malicious input attempts
-func logSuspiciousInput(input string, reasons []string) {
-	// Use the common logging interface
-	log.Warnf("Suspicious TPM vendor/model input detected: %s", strings.Join(reasons, ", "))
-	
-	// Additional context for security monitoring
-	if len(input) > 32 {
-		// Log truncated input to avoid log injection
-		log.Debugf("Suspicious input (truncated): %q...", input[:32])
-	}
-}
\ No newline at end of file
diff --git a/scheme/parsec-tpm/sanitize_test.go b/scheme/parsec-tpm/sanitize_test.go
deleted file mode 100644
index 26483cfd..00000000
--- a/scheme/parsec-tpm/sanitize_test.go
+++ /dev/null
@@ -1,125 +0,0 @@
-// Copyright 2025 Contributors to the Veraison project.
-// SPDX-License-Identifier: Apache-2.0
-package parsec_tpm
-
-import (
-	"strings"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-)
-
-func TestValidateString(t *testing.T) {
-	testCases := []struct {
-		name        string
-		input       string
-		wantValid   bool
-		wantReasons []string
-	}{
-		{
-			name:      "valid vendor name",
-			input:     "Acme Corporation, Ltd.",
-			wantValid: true,
-		},
-		{
-			name:        "repeated sequence attack",
-			input:       "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
-			wantValid:   false,
-			wantReasons: []string{"excessive repeated sequences detected", "abnormal character distribution"},
-		},
-		{
-			name:        "special character attack",
-			input:       "!@#$%^&*()!@#$%^&*()!@#$%^&*()",
-			wantValid:   false,
-			wantReasons: []string{"suspicious frequency of special characters", "invalid characters detected"},
-		},
-		{
-			name:        "invalid character attack",
-			input:       "Company\x00Name\x01Corp",
-			wantValid:   false,
-			wantReasons: []string{"invalid characters detected"},
-		},
-		{
-			name:        "skewed distribution attack",
-			input:       strings.Repeat("X", 100),
-			wantValid:   false,
-			wantReasons: []string{"excessive repeated sequences detected", "abnormal character distribution"},
-		},
-		{
-			name:      "valid international name",
-			input:     "富士通株式会社",
-			wantValid: true,
-		},
-		{
-			name:      "valid mixed content",
-			input:     "Hewlett-Packard (HP) 株式会社",
-			wantValid: true,
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			result := validateString(tc.input)
-			assert.Equal(t, tc.wantValid, result.Valid)
-			if !tc.wantValid {
-				assert.Equal(t, tc.wantReasons, result.Reasons)
-			}
-		})
-	}
-}
-
-func TestSanitizeString(t *testing.T) {
-	testCases := []struct {
-		name     string
-		input    string
-		expected string
-	}{
-		{
-			name:     "normal text",
-			input:    "Normal vendor name",
-			expected: "Normal vendor name",
-		},
-		{
-			name:     "html injection attempt",
-			input:    "Vendor<script>alert('xss')</script>",
-			expected: "Vendorscriptalert\\(\\'xss\\'\\)/script",
-		},
-		{
-			name:     "sql injection attempt",
-			input:    "Vendor'; DROP TABLE users;--",
-			expected: "Vendor\\'; DROP TABLE users;--",
-		},
-		{
-			name:     "null byte injection",
-			input:    "Vendor\x00Name",
-			expected: "VendorName",
-		},
-		{
-			name:     "control characters",
-			input:    "Vendor\x01Name\x02",
-			expected: "VendorName",
-		},
-		{
-			name:     "allowed whitespace",
-			input:    "Vendor\nName\tCorp",
-			expected: "Vendor\nName\tCorp",
-		},
-		{
-			name:     "unicode characters",
-			input:    "製造元株式会社",
-			expected: "製造元株式会社",
-		},
-		{
-			name:     "mixed content",
-			input:    "Vendor & Co<> \x00株式会社\n",
-			expected: "Vendor \\& Co 株式会社\n",
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			result := sanitizeString(tc.input)
-			assert.Equal(t, tc.expected, result)
-		})
-	}
-}
\ No newline at end of file