Age | Commit message (Collapse) | Author |
|
Change-Id: Ibd1bdaf9716139da1d3f40ee491da64bbdcf9171
Signed-off-by: Mate Toth-Pal <mate.toth-pal@arm.com>
|
|
Add the option of wrapping the compiled token in a CBOR tag.
Change-Id: I586d38a3b699c8000616cbf0cbdaf2f79b108ab5
Signed-off-by: Mate Toth-Pal <mate.toth-pal@arm.com>
|
|
Change-Id: Ib1263afdbd1f126fbf086a2fc1b76ed9de498515
Signed-off-by: Mate Toth-Pal <mate.toth-pal@arm.com>
|
|
Expect only a minimum number of bytes for 'Signer ID' and 'Measurement'
Change-Id: I6c94c3778e9fe01a31f3a06dfa92fb30f825e16f
Signed-off-by: Mate Toth-Pal <mate.toth-pal@arm.com>
|
|
Signed-off-by: Mate Toth-Pal <mate.toth-pal@arm.com>
Change-Id: I53a5d0a092269c28d10bb1ac34cca8d1d53d2d69
|
|
This commit replaces the boolean 'mandatory' property of a claim to be
a 3 state necessity. Necessity can be one of 'OPTIONAL', 'RECOMMENDED',
'MANDATORY'.
Change-Id: Id5988d1f15f620a0ae0c23323cbd2eb19d3fb000
Signed-off-by: Mate Toth-Pal <mate.toth-pal@arm.com>
|
|
This commit adds extra parameters to certain claims so that creating new
token formats reusing existing claims becomes easier.
Change-Id: Ib51dd0c21b72ad92874aabba320adbb041f0dd66
Signed-off-by: Mate Toth-Pal <mate.toth-pal@arm.com>
|
|
Change the name of 'Verifier' classes to 'Claim' where appropriate.
This commit also fixes pylint issues. Pylint was run on this particular
commit, to get some help from tooling not to miss any code errors caused
by a missing rename.
Change-Id: I4292a5025e740810c6ac7798eeedc0f81a226fcc
Signed-off-by: Mate Toth-Pal <mate.toth-pal@arm.com>
|
|
Remove all the global constants from const.py
Change-Id: I0e5948de8268979fced83741c8554d7c2786c19f
Signed-off-by: Mate Toth-Pal <mate.toth-pal@arm.com>
|
|
Change the way the verification runs, so that the process expects a
"hierarchy" of verifiers. This points into the direction that new token
formats could be assembled from basic verifier building blocks.
This would allow to reuse existing code more easily, and extend the
number of token formats recognised by the tool more easily.
Change-Id: Ia4a2b7f8442f1f47e3e613cd1fc68c20e7b74b5a
Signed-off-by: Mate Toth-Pal <mate.toth-pal@arm.com>
|
|
Refactor individual claim verifier classes to their own python module.
Change-Id: Ie3b5fee560b003cfeba570840777b7b17bb305d5
Signed-off-by: Mate Toth-Pal <mate.toth-pal@arm.com>
|
|
This is a start of a refactoring work to be able to build a tree of
claims. This change is expected to make esaier to add custom token
formats to iat_verifier.
Change-Id: Icce9ecaa816a0e7f3311c81680f06fba8825964d
Signed-off-by: Mate Toth-Pal <mate.toth-pal@arm.com>
|
|
Change-Id: I08bb28d2aa90fbc3269a355b2a221aba4f9754b7
Signed-off-by: Mate Toth-Pal <mate.toth-pal@arm.com>
|
|
The code validating the challenge was never run due to a typo in the
function name. Instead an empty function was used by the tool
Change-Id: Ia5d1945a386b967eeb5aaa51910ed911747e5d67
Signed-off-by: Mate Toth-Pal <mate.toth-pal@arm.com>
|
|
The cbor module is unmaintained, with the last release in 2016[1]. The
cbor2 module however is under active development and was last released
just last month[2].
[1] https://pypi.org/project/cbor/#history
[2] https://pypi.org/project/cbor2/#history
Signed-off-by: Ross Burton <ross.burton@arm.com>
Change-Id: Ib24a88f19dea05fb9143afaa4bdf7ebdd5a2dda6
|
|
- key was not being returned by read_sign1_key(), resulting in an
automatic success on key verification. Return it so that the signature
is actually verified.
- convert_map_to_token_files() was still passing the now non-existent
"raw" parameter to convert_map_to_token(), instead of "method" that
"raw" was replaced with. Update the parameter name.
- The underlying CBOR library's decoder has become more tolerant, and is
able to decode the slightly tweaked "malformed.cbor" test file. Tweak
it further, so that it continues to fail to decode.
Change-Id: I597d19c1109a432c451f27eb1fc1cf8e26d8675a
Signed-off-by: Sergei Trofimov <sergei.trofimov@arm.com>
|
|
Update the README for iat-verifier to describe the compile_token and
decompile_token scripts, and update the samples to include a YAML token
description that can be used with compile_token.
Change-Id: Ibf8a88c6ca57fa5a76d05f552ad657db665d7cf5
Signed-off-by: Sergei Trofimov <sergei.trofimov@arm.com>
|
|
The field bytes are more understandable in hex format
Change-Id: I27c421ebe8b534af562a60faf41dead172c6e2d8
Signed-off-by: Michel Jaouen <michel.jaouen@st.com>
|
|
Add support for the Mac0Message COSE format to iatverifier, as the
alternative to the Sign1Message currently used.
Change-Id: I6baa87209fd17afe52ff1c6f936693e3b9dc9b9f
Signed-off-by: Sergei Trofimov <sergei.trofimov@arm.com>
|
|
- Replace not-existing security level value with an existing one.
- Add validation for the number of arguments for the script.
Change-Id: Iec30435a05ceebd6117f507daad0482ecc3814a6
Signed-off-by: Sergei Trofimov <sergei.trofimov@arm.com>
|
|
Due to an issue with pycose library, signature verification needed to be
done using the signing (private) key. The fix for this issue has been
recently merged:
https://github.com/TimothyClaeys/COSE-PYTHON/commit/64cea44a4a81dd8b02a86eae8798962d4afbb148
This allows the use of the verifying (public) key to verify signatures.
This commit updates iat-verifier to enable it to use either key for
signature verification.
Change-Id: Ia4b228adec8b2b56935af1737f6f1bd99302959b
Signed-off-by: Sergei Trofimov <sergei.trofimov@arm.com>
|
|
Update the list of mandatory software component claims - based
on the description (version 02) of the PSA attestation token
format, more information:
https://tools.ietf.org/html/draft-tschofenig-rats-psa-token-02
Change-Id: I86ccfc7c9dc0708e304ff910bb58b74cb4063594
Signed-off-by: David Vincze <david.vincze@arm.com>
|
|
As per PSA attestation API, PROFILE_ID is supposed to be optional, so
remove it from the mandatory claims list.
Change-Id: Ica09106b1db4c059e1cffce5ac8d7d26f7ee8bba
Signed-off-by: Sergei Trofimov <sergei.trofimov@arm.com>
|
|
Remove left-over references to the no longer existing EPOCH field from
iat-verifier.
Change-Id: I5c12ece0edd253285f8686f3f2587805ed0b1163
Signed-off-by: Sergei Trofimov <sergei.trofimov@arm.com>
|
|
Unexpected claims will no longer result in an error when verifying a
token. When reporting plain text representation, unknown claims will
remain as their numeric values, rather than being replaced with their
names.
The old behavior can be obtained when invoking with -s/--strict flag.
Change-Id: I663db8ef5b7abf33d5d1663556b9c6722817d8e5
Signed-off-by: Sergei Trofimov <sergei.trofimov@arm.com>
|
|
Add --raw option that allows compile_token to generate raw CBOR without
COSE wrapper.
Change-Id: I2802ca0d96cdbd4db69e96568e6e1ea46032aa95
Signed-off-by: Sergei Trofimov <sergei.trofimov@arm.com>
|
|
yaml.load() without specifying a Loader has been deprecated in the
recent versions of PyYAML, generating a warning. See
https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation
Switch to using yaml.safe_load() instead, which utilises
yaml.SafeLoader.
Change-Id: I8ab01afcf6fef625ccc3401921c06e2cce4eb59b
Signed-off-by: Sergei Trofimov <sergei.trofimov@arm.com>
|
|
Update sample valid IAT token to remove an old claim.
(Claim 3, "EPOC" has been removed from the spec).
Change-Id: If9ebc96cf38d1b8bd6be5159d7d96b4bb49b5f96
|
|
Fix error reporting in case of an invalid key.
Change-Id: I0bbdcde4d61b4fdf018e373e8c1fc8aa7608a44b
Signed-off-by: Sergei Trofimov <sergei.trofimov@arm.com>
|
|
Change-Id: Idc659c6e6c5f96f150ef68384256f459bf14635d
Signed-off-by: Sergei Trofimov <sergei.trofimov@arm.com>
|
|
Keep byte strings as bytes in token. Instead, convert to strings just
prior to dumping JSON.
Change-Id: I524f24680f1e9ab21f7f1a040acaf0957e6f9831
Signed-off-by: Sergei Trofimov <sergei.trofimov@arm.com>
|
|
Add a script for verifying the signatures and structure of Initial
Attestation Tokens.
Change-Id: Ic3649f25c32edd9b08793eb8a77c8b40dd71e8c8
Signed-off-by: Sergei Trofimov <sergei.trofimov@arm.com>
|