diff options
author | Sergei Trofimov <sergei.trofimov@arm.com> | 2019-10-09 08:42:32 +0100 |
---|---|---|
committer | Tamas Ban <tamas.ban@arm.com> | 2019-10-17 09:27:02 +0000 |
commit | 21f5bf6127bee8ae8f1976ca186dbc7f8dcb5082 (patch) | |
tree | 732be508dcc1af87524a01ed94fa85ca4e38b2b8 /tools | |
parent | fb38d5683d8693fb3c3f1fbc387d08364418d028 (diff) | |
download | trusted-firmware-m-21f5bf6127bee8ae8f1976ca186dbc7f8dcb5082.tar.gz |
Tools: allow IAT verification with public key
Due to an issue with pycose library, signature verification needed to be
done using the signing (private) key. The fix for this issue has been
recently merged:
https://github.com/TimothyClaeys/COSE-PYTHON/commit/64cea44a4a81dd8b02a86eae8798962d4afbb148
This allows the use of the verifying (public) key to verify signatures.
This commit updates iat-verifier to enable it to use either key for
signature verification.
Change-Id: Ia4b228adec8b2b56935af1737f6f1bd99302959b
Signed-off-by: Sergei Trofimov <sergei.trofimov@arm.com>
Diffstat (limited to 'tools')
-rw-r--r-- | tools/iat-verifier/iatverifier/util.py | 45 | ||||
-rw-r--r-- | tools/iat-verifier/sample/key.pub.pem | 4 | ||||
-rw-r--r-- | tools/iat-verifier/setup.py | 2 |
3 files changed, 34 insertions, 17 deletions
diff --git a/tools/iat-verifier/iatverifier/util.py b/tools/iat-verifier/iatverifier/util.py index c5ce7ebb2d..14a00cf2e5 100644 --- a/tools/iat-verifier/iatverifier/util.py +++ b/tools/iat-verifier/iatverifier/util.py @@ -10,7 +10,7 @@ from copy import deepcopy import cbor import yaml -from ecdsa import SigningKey +from ecdsa import SigningKey, VerifyingKey from pycose.sign1message import Sign1Message from iatverifier import const @@ -64,32 +64,25 @@ def read_token_map(f): def extract_iat_from_cose(keyfile, tokenfile, keep_going=False): - if keyfile: - try: - sk = SigningKey.from_pem(open(keyfile, 'rb').read()) - except Exception as e: - msg = 'Bad key file "{}": {}' - raise ValueError(msg.format(keyfile, e)) - else: # no keyfile - sk = None + key = read_keyfile(keyfile) try: with open(tokenfile, 'rb') as wfh: - return get_cose_payload(wfh.read(), sk) + return get_cose_payload(wfh.read(), key) except Exception as e: msg = 'Bad COSE file "{}": {}' raise ValueError(msg.format(tokenfile, e)) -def get_cose_payload(cose, sk=None): +def get_cose_payload(cose, key=None): msg = Sign1Message.decode(cose) - if sk: - msg.key = sk + if key: + msg.key = key msg.signature = msg.signers try: msg.verify_signature(alg='ES256') - except Exception: - raise ValueError('Bad signature') + except Exception as e: + raise ValueError('Bad signature ({})'.format(e)) return msg.payload @@ -112,6 +105,26 @@ def recursive_bytes_to_strings(d, in_place=False): return result +def read_keyfile(keyfile): + if keyfile: + try: + key = SigningKey.from_pem(open(keyfile, 'rb').read()) + except Exception as e: + signing_key_error = str(e) + + try: + key = VerifyingKey.from_pem(open(keyfile, 'rb').read()) + except Exception as e: + verifying_key_error = str(e) + + msg = 'Bad key file "{}":\n\tpubkey error: {}\n\tprikey error: {}' + raise ValueError(msg.format(keyfile, verifying_key_error, signing_key_error)) + else: # no keyfile + key = None + + return key + + def _parse_raw_token(raw): result = {} for raw_key, raw_value in raw.items(): @@ -122,7 +135,7 @@ def _parse_raw_token(raw): try: key = FIELD_NAMES[field_name] except KeyError: - mag = 'Unknown field "{}" in token.'.format(field_name) + msg = 'Unknown field "{}" in token.'.format(field_name) raise ValueError(msg) if key == const.SECURITY_LIFECYCLE: diff --git a/tools/iat-verifier/sample/key.pub.pem b/tools/iat-verifier/sample/key.pub.pem new file mode 100644 index 0000000000..924db30de3 --- /dev/null +++ b/tools/iat-verifier/sample/key.pub.pem @@ -0,0 +1,4 @@ +-----BEGIN PUBLIC KEY----- +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAETl4iCZ47zrRbRG0TVf0dw7VFlHtv +18HInYhnmMNybo+A1wuECyVqrDSmLt4QQzZPBECV8ANHS5HgGCCSr7E/Lg== +-----END PUBLIC KEY----- diff --git a/tools/iat-verifier/setup.py b/tools/iat-verifier/setup.py index 7013262175..587e50f422 100644 --- a/tools/iat-verifier/setup.py +++ b/tools/iat-verifier/setup.py @@ -23,7 +23,7 @@ setup( 'cbor', 'cryptography', 'ecdsa', - 'pycose', + 'pycose>=0.1.2', 'pyyaml', ], ) |