| #!/usr/bin/env python3 |
| #------------------------------------------------------------------------------- |
| # Copyright (c) 2019-2022, Arm Limited. All rights reserved. |
| # |
| # SPDX-License-Identifier: BSD-3-Clause |
| # |
| #------------------------------------------------------------------------------- |
| |
| """CLI tool for compiling token from a yaml file""" |
| |
| import argparse |
| import logging |
| import os |
| import sys |
| |
| from iatverifier.util import read_token_map, convert_map_to_token, read_keyfile |
| from iatverifier.util import get_cose_alg_from_key |
| from iatverifier.psa_iot_profile1_token_verifier import PSAIoTProfile1TokenVerifier |
| from iatverifier.attest_token_verifier import AttestationTokenVerifier |
| |
| |
| if __name__ == '__main__': |
| logging.basicConfig(level=logging.INFO) |
| |
| token_verifiers = { |
| "PSA-IoT-Profile1-token": PSAIoTProfile1TokenVerifier, |
| } |
| |
| parser = argparse.ArgumentParser() |
| parser.add_argument('source', help='Token source in YAML format') |
| parser.add_argument('-o', '--outfile', |
| help='''Output file for the compiled token. If this is not |
| specified, the token will be written to standard output.''') |
| parser.add_argument('-k', '--keyfile', |
| help='''Path to the key in PEM format that should be used to |
| sign the token. If this is not specified, the token will be |
| unsigned.''') |
| group = parser.add_mutually_exclusive_group() |
| parser.add_argument('-a', '--add-protected-header', action='store_true', |
| help=''' |
| Add protected header to the COSE wrapper. |
| ''') |
| group.add_argument('-r', '--raw', action='store_true', |
| help='''Generate raw CBOR and do not create a signature |
| or COSE wrapper.''') |
| group.add_argument('-m', '--hmac', action='store_true', |
| help='''Generate a token wrapped in a Mac0 rather than |
| Sign1 COSE structure.''') |
| parser.add_argument('-t', '--token-type', |
| help='''The type of the Token.''', |
| choices=token_verifiers.keys(), |
| required=True) |
| |
| args = parser.parse_args() |
| |
| if args.hmac: |
| METHOD = AttestationTokenVerifier.SIGN_METHOD_MAC0 |
| elif args.raw: |
| if args.keyfile: |
| raise ValueError('A keyfile cannot be specified with --raw.') |
| METHOD = AttestationTokenVerifier.SIGN_METHOD_RAW |
| else: |
| METHOD = AttestationTokenVerifier.SIGN_METHOD_SIGN1 |
| |
| key = read_keyfile(args.keyfile, METHOD) |
| |
| COSE_ALG = None |
| if args.hmac: |
| COSE_ALG = AttestationTokenVerifier.COSE_ALG_HS256 |
| elif not args.raw: |
| COSE_ALG = get_cose_alg_from_key(key) |
| |
| verifier_class = token_verifiers[args.token_type] |
| if verifier_class == PSAIoTProfile1TokenVerifier: |
| verifier = PSAIoTProfile1TokenVerifier( |
| method=METHOD, |
| cose_alg=COSE_ALG, |
| signing_key=key, |
| configuration=None) |
| else: |
| logging.error(f'Invalid token type:{verifier_class}\n\t') |
| sys.exit(1) |
| token_map = read_token_map(args.source) |
| |
| if args.outfile: |
| with open(args.outfile, 'wb') as wfh: |
| convert_map_to_token( |
| token_map, |
| verifier, |
| wfh, |
| add_p_header=args.add_protected_header, |
| name_as_key=True, |
| parse_raw_value=True) |
| else: |
| with os.fdopen(sys.stdout.fileno(), 'wb') as wfh: |
| convert_map_to_token( |
| token_map, |
| verifier, |
| wfh, |
| add_p_header=args.add_protected_header, |
| name_as_key=True, |
| parse_raw_value=True) |