path: root/tools/iat-verifier
Age | Commit message | Author
2022-03-24 | Tools: Migrate iat-verifier to the tf-m-tools repo | Mate Toth-Pal
Change-Id: Ibd1bdaf9716139da1d3f40ee491da64bbdcf9171
Signed-off-by: Mate Toth-Pal <mate.toth-pal@arm.com>
2022-03-17 | Tools: Add option to wrap compiled token in tag | Mate Toth-Pal
Add the option of wrapping the compiled token in a CBOR tag.
Change-Id: I586d38a3b699c8000616cbf0cbdaf2f79b108ab5
Signed-off-by: Mate Toth-Pal <mate.toth-pal@arm.com>
2022-03-17 | Tools: Add verifier for HardwareVersionClaim | Mate Toth-Pal
Change-Id: Ib1263afdbd1f126fbf086a2fc1b76ed9de498515
Signed-off-by: Mate Toth-Pal <mate.toth-pal@arm.com>
2022-03-17 | Tools: Expect minimum len for some sw comp fields | Mate Toth-Pal
Expect only a minimum number of bytes for 'Signer ID' and 'Measurement'
Change-Id: I6c94c3778e9fe01a31f3a06dfa92fb30f825e16f
Signed-off-by: Mate Toth-Pal <mate.toth-pal@arm.com>
2022-03-17 | Tools: Rename 'Hardware ID' to 'Hardware Version' | Mate Toth-Pal
Signed-off-by: Mate Toth-Pal <mate.toth-pal@arm.com>
Change-Id: I53a5d0a092269c28d10bb1ac34cca8d1d53d2d69
2022-03-17 | Tools: Add 'RECOMMENDED' claim necessity | Mate Toth-Pal
This commit replaces the boolean 'mandatory' property of a claim to be a 3 state necessity. Necessity can be one of 'OPTIONAL', 'RECOMMENDED', 'MANDATORY'.
Change-Id: Id5988d1f15f620a0ae0c23323cbd2eb19d3fb000
Signed-off-by: Mate Toth-Pal <mate.toth-pal@arm.com>
2022-03-17 | Tools: Generalise claims | Mate Toth-Pal
This commit adds extra parameters to certain claims so that creating new token formats reusing existing claims becomes easier.
Change-Id: Ib51dd0c21b72ad92874aabba320adbb041f0dd66
Signed-off-by: Mate Toth-Pal <mate.toth-pal@arm.com>
2022-03-17 | Tools: Change *Verifier to *Claim | Mate Toth-Pal
Change the name of 'Verifier' classes to 'Claim' where appropriate. This commit also fixes pylint issues. Pylint was run on this particular commit, to get some help from tooling not to miss any code errors caused by a missing rename.
Change-Id: I4292a5025e740810c6ac7798eeedc0f81a226fcc
Signed-off-by: Mate Toth-Pal <mate.toth-pal@arm.com>
2022-03-17 | Tools: Remove globals from const.py | Mate Toth-Pal
Remove all the global constants from const.py
Change-Id: I0e5948de8268979fced83741c8554d7c2786c19f
Signed-off-by: Mate Toth-Pal <mate.toth-pal@arm.com>
2022-03-17 | Tools: Make verify use verifier hierarchy | Mate Toth-Pal
Change the way the verification runs, so that the process expects a "hierarchy" of verifiers. This points into the direction that new token formats could be assembled from basic verifier building blocks. This would allow to reuse existing code more easily, and extend the number of token formats recognised by the tool more easily.
Change-Id: Ia4a2b7f8442f1f47e3e613cd1fc68c20e7b74b5a
Signed-off-by: Mate Toth-Pal <mate.toth-pal@arm.com>
2022-03-07 | Tools: Split verify.py | Mate Toth-Pal
Refactor individual claim verifier classes to their own python module.
Change-Id: Ie3b5fee560b003cfeba570840777b7b17bb305d5
Signed-off-by: Mate Toth-Pal <mate.toth-pal@arm.com>
2022-03-07 | Tools: Make verifier functions to classes | Mate Toth-Pal
This is a start of a refactoring work to be able to build a tree of claims. This change is expected to make it easier to add custom token formats to iat_verifier.
Change-Id: Icce9ecaa816a0e7f3311c81680f06fba8825964d
Signed-off-by: Mate Toth-Pal <mate.toth-pal@arm.com>
2022-03-07 | Tools: Fix compile_token signing with hmac | Mate Toth-Pal
Change-Id: I08bb28d2aa90fbc3269a355b2a221aba4f9754b7
Signed-off-by: Mate Toth-Pal <mate.toth-pal@arm.com>
2022-03-07 | Tools: Fix challenge validation | Mate Toth-Pal
The code validating the challenge was never run due to a typo in the function name. Instead an empty function was used by the tool.
Change-Id: Ia5d1945a386b967eeb5aaa51910ed911747e5d67
Signed-off-by: Mate Toth-Pal <mate.toth-pal@arm.com>
2021-11-11 | Tools: port iat-verifier to cbor2 | Ross Burton
The cbor module is unmaintained, with the last release in 2016[1]. The cbor2 module however is under active development and was last released just last month[2].
[1] https://pypi.org/project/cbor/#history
[2] https://pypi.org/project/cbor2/#history
Signed-off-by: Ross Burton <ross.burton@arm.com>
Change-Id: Ib24a88f19dea05fb9143afaa4bdf7ebdd5a2dda6
2020-10-29 | Tools: iat-verifier fixes | setrofim
- key was not being returned by read_sign1_key(), resulting in an automatic success on key verification. Return it so that the signature is actually verified.
- convert_map_to_token_files() was still passing the now non-existent "raw" parameter to convert_map_to_token(), instead of "method" that "raw" was replaced with. Update the parameter name.
- The underlying CBOR library's decoder has become more tolerant, and is able to decode the slightly tweaked "malformed.cbor" test file. Tweak it further, so that it continues to fail to decode.
Change-Id: I597d19c1109a432c451f27eb1fc1cf8e26d8675a
Signed-off-by: Sergei Trofimov <sergei.trofimov@arm.com>
2020-08-26 | Tools: update iat-verifier README and samples | Sergei Trofimov
Update the README for iat-verifier to describe the compile_token and decompile_token scripts, and update the samples to include a YAML token description that can be used with compile_token.
Change-Id: Ibf8a88c6ca57fa5a76d05f552ad657db665d7cf5
Signed-off-by: Sergei Trofimov <sergei.trofimov@arm.com>
2020-08-14 | Tools: iatverifier display bytes field in hexa format | Michel Jaouen
The field bytes are more understandable in hex format
Change-Id: I27c421ebe8b534af562a60faf41dead172c6e2d8
Signed-off-by: Michel Jaouen <michel.jaouen@st.com>
2020-06-19 | Tools: add Mac0Message support to iatverifier | Sergei Trofimov
Add support for the Mac0Message COSE format to iatverifier, as the alternative to the Sign1Message currently used.
Change-Id: I6baa87209fd17afe52ff1c6f936693e3b9dc9b9f
Signed-off-by: Sergei Trofimov <sergei.trofimov@arm.com>
2020-03-12 | Tools: fix dev_scripts/generate-sample-iat.py | Sergei Trofimov
- Replace not-existing security level value with an existing one.
- Add validation for the number of arguments for the script.
Change-Id: Iec30435a05ceebd6117f507daad0482ecc3814a6
Signed-off-by: Sergei Trofimov <sergei.trofimov@arm.com>
2019-10-17 | Tools: allow IAT verification with public key | Sergei Trofimov
Due to an issue with pycose library, signature verification needed to be done using the signing (private) key. The fix for this issue has been recently merged:
https://github.com/TimothyClaeys/COSE-PYTHON/commit/64cea44a4a81dd8b02a86eae8798962d4afbb148
This allows the use of the verifying (public) key to verify signatures. This commit updates iat-verifier to enable it to use either key for signature verification.
Change-Id: Ia4b228adec8b2b56935af1737f6f1bd99302959b
Signed-off-by: Sergei Trofimov <sergei.trofimov@arm.com>
2019-10-07 | Tools: Update the list of mandatory claims | David Vincze
Update the list of mandatory software component claims - based on the description (version 02) of the PSA attestation token format, more information: https://tools.ietf.org/html/draft-tschofenig-rats-psa-token-02
Change-Id: I86ccfc7c9dc0708e304ff910bb58b74cb4063594
Signed-off-by: David Vincze <david.vincze@arm.com>
2019-09-09 | Tools: iat-verifier make PROFILE_ID optional | Sergei Trofimov
As per PSA attestation API, PROFILE_ID is supposed to be optional, so remove it from the mandatory claims list.
Change-Id: Ica09106b1db4c059e1cffce5ac8d7d26f7ee8bba
Signed-off-by: Sergei Trofimov <sergei.trofimov@arm.com>
2019-09-03 | Tools: remove EPOCH references from iat-verifier | Sergei Trofimov
Remove left-over references to the no longer existing EPOCH field from iat-verifier.
Change-Id: I5c12ece0edd253285f8686f3f2587805ed0b1163
Signed-off-by: Sergei Trofimov <sergei.trofimov@arm.com>
2019-09-03 | Tools: relax unexpected claim handling by iatverifier | Sergei Trofimov
Unexpected claims will no longer result in an error when verifying a token. When reporting plain text representation, unknown claims will remain as their numeric values, rather than being replaced with their names. The old behavior can be obtained when invoking with -s/--strict flag.
Change-Id: I663db8ef5b7abf33d5d1663556b9c6722817d8e5
Signed-off-by: Sergei Trofimov <sergei.trofimov@arm.com>
2019-09-03 | Tools: add --raw option to compile_token. | Sergei Trofimov
Add --raw option that allows compile_token to generate raw CBOR without COSE wrapper.
Change-Id: I2802ca0d96cdbd4db69e96568e6e1ea46032aa95
Signed-off-by: Sergei Trofimov <sergei.trofimov@arm.com>
2019-09-03 | Tools: use safe_load instead of load for YAML | Sergei Trofimov
yaml.load() without specifying a Loader has been deprecated in the recent versions of PyYAML, generating a warning. See https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation
Switch to using yaml.safe_load() instead, which utilises yaml.SafeLoader.
Change-Id: I8ab01afcf6fef625ccc3401921c06e2cce4eb59b
Signed-off-by: Sergei Trofimov <sergei.trofimov@arm.com>
2019-07-17 | Tools: update sample token. | Sergei Trofimov
Update sample valid IAT token to remove an old claim. (Claim 3, "EPOC" has been removed from the spec).
Change-Id: If9ebc96cf38d1b8bd6be5159d7d96b4bb49b5f96
2019-07-17 | Tools: fix error reporting for iatverifier | Sergei Trofimov
Fix error reporting in case of an invalid key.
Change-Id: I0bbdcde4d61b4fdf018e373e8c1fc8aa7608a44b
Signed-off-by: Sergei Trofimov <sergei.trofimov@arm.com>
2019-07-17 | Tools: iatverifier PEP 8 fixes | Sergei Trofimov
Change-Id: Idc659c6e6c5f96f150ef68384256f459bf14635d
Signed-off-by: Sergei Trofimov <sergei.trofimov@arm.com>
2019-07-17 | Tools: do not stringify bytes in token | Sergei Trofimov
Keep byte strings as bytes in token. Instead, convert to strings just prior to dumping JSON.
Change-Id: I524f24680f1e9ab21f7f1a040acaf0957e6f9831
Signed-off-by: Sergei Trofimov <sergei.trofimov@arm.com>
2019-07-17 | Tools: add IAT verifier. | Sergei Trofimov
Add a script for verifying the signatures and structure of Initial Attestation Tokens.
Change-Id: Ic3649f25c32edd9b08793eb8a77c8b40dd71e8c8
Signed-off-by: Sergei Trofimov <sergei.trofimov@arm.com>