aboutsummaryrefslogtreecommitdiff
path: root/tools
diff options
context:
space:
mode:
authorSergei Trofimov <sergei.trofimov@arm.com>2019-10-09 08:42:32 +0100
committerTamas Ban <tamas.ban@arm.com>2019-10-17 09:27:02 +0000
commit21f5bf6127bee8ae8f1976ca186dbc7f8dcb5082 (patch)
tree732be508dcc1af87524a01ed94fa85ca4e38b2b8 /tools
parentfb38d5683d8693fb3c3f1fbc387d08364418d028 (diff)
downloadtrusted-firmware-m-21f5bf6127bee8ae8f1976ca186dbc7f8dcb5082.tar.gz
Tools: allow IAT verification with public key
Due to an issue with pycose library, signature verification needed to be done using the signing (private) key. The fix for this issue has been recently merged: https://github.com/TimothyClaeys/COSE-PYTHON/commit/64cea44a4a81dd8b02a86eae8798962d4afbb148 This allows the use of the verifying (public) key to verify signatures. This commit updates iat-verifier to enable it to use either key for signature verification. Change-Id: Ia4b228adec8b2b56935af1737f6f1bd99302959b Signed-off-by: Sergei Trofimov <sergei.trofimov@arm.com>
Diffstat (limited to 'tools')
-rw-r--r--tools/iat-verifier/iatverifier/util.py45
-rw-r--r--tools/iat-verifier/sample/key.pub.pem4
-rw-r--r--tools/iat-verifier/setup.py2
3 files changed, 34 insertions, 17 deletions
diff --git a/tools/iat-verifier/iatverifier/util.py b/tools/iat-verifier/iatverifier/util.py
index c5ce7ebb2d..14a00cf2e5 100644
--- a/tools/iat-verifier/iatverifier/util.py
+++ b/tools/iat-verifier/iatverifier/util.py
@@ -10,7 +10,7 @@ from copy import deepcopy
import cbor
import yaml
-from ecdsa import SigningKey
+from ecdsa import SigningKey, VerifyingKey
from pycose.sign1message import Sign1Message
from iatverifier import const
@@ -64,32 +64,25 @@ def read_token_map(f):
def extract_iat_from_cose(keyfile, tokenfile, keep_going=False):
- if keyfile:
- try:
- sk = SigningKey.from_pem(open(keyfile, 'rb').read())
- except Exception as e:
- msg = 'Bad key file "{}": {}'
- raise ValueError(msg.format(keyfile, e))
- else: # no keyfile
- sk = None
+ key = read_keyfile(keyfile)
try:
with open(tokenfile, 'rb') as wfh:
- return get_cose_payload(wfh.read(), sk)
+ return get_cose_payload(wfh.read(), key)
except Exception as e:
msg = 'Bad COSE file "{}": {}'
raise ValueError(msg.format(tokenfile, e))
-def get_cose_payload(cose, sk=None):
+def get_cose_payload(cose, key=None):
msg = Sign1Message.decode(cose)
- if sk:
- msg.key = sk
+ if key:
+ msg.key = key
msg.signature = msg.signers
try:
msg.verify_signature(alg='ES256')
- except Exception:
- raise ValueError('Bad signature')
+ except Exception as e:
+ raise ValueError('Bad signature ({})'.format(e))
return msg.payload
@@ -112,6 +105,26 @@ def recursive_bytes_to_strings(d, in_place=False):
return result
+def read_keyfile(keyfile):
+ if keyfile:
+ try:
+ key = SigningKey.from_pem(open(keyfile, 'rb').read())
+ except Exception as e:
+ signing_key_error = str(e)
+
+ try:
+ key = VerifyingKey.from_pem(open(keyfile, 'rb').read())
+ except Exception as e:
+ verifying_key_error = str(e)
+
+ msg = 'Bad key file "{}":\n\tpubkey error: {}\n\tprikey error: {}'
+ raise ValueError(msg.format(keyfile, verifying_key_error, signing_key_error))
+ else: # no keyfile
+ key = None
+
+ return key
+
+
def _parse_raw_token(raw):
result = {}
for raw_key, raw_value in raw.items():
@@ -122,7 +135,7 @@ def _parse_raw_token(raw):
try:
key = FIELD_NAMES[field_name]
except KeyError:
- mag = 'Unknown field "{}" in token.'.format(field_name)
+ msg = 'Unknown field "{}" in token.'.format(field_name)
raise ValueError(msg)
if key == const.SECURITY_LIFECYCLE:
diff --git a/tools/iat-verifier/sample/key.pub.pem b/tools/iat-verifier/sample/key.pub.pem
new file mode 100644
index 0000000000..924db30de3
--- /dev/null
+++ b/tools/iat-verifier/sample/key.pub.pem
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAETl4iCZ47zrRbRG0TVf0dw7VFlHtv
+18HInYhnmMNybo+A1wuECyVqrDSmLt4QQzZPBECV8ANHS5HgGCCSr7E/Lg==
+-----END PUBLIC KEY-----
diff --git a/tools/iat-verifier/setup.py b/tools/iat-verifier/setup.py
index 7013262175..587e50f422 100644
--- a/tools/iat-verifier/setup.py
+++ b/tools/iat-verifier/setup.py
@@ -23,7 +23,7 @@ setup(
'cbor',
'cryptography',
'ecdsa',
- 'pycose',
+ 'pycose>=0.1.2',
'pyyaml',
],
)