fix(iatverifier): fix pem2cose and redo CCA tokens
Instruct the pem2cose script to automatically strip off the private part
from the input key. Recompute the example CCA tokens accordingly.
Change-Id: I337d94977603bd8512427f3e5bda952c4f72c350
Signed-off-by: Thomas Fossati <thomas.fossati@linaro.org>
diff --git a/iat-verifier/dev_scripts/pem2cose.py b/iat-verifier/dev_scripts/pem2cose.py
index f6c62c7..90ee6ad 100755
--- a/iat-verifier/dev_scripts/pem2cose.py
+++ b/iat-verifier/dev_scripts/pem2cose.py
@@ -7,20 +7,27 @@
# -----------------------------------------------------------------------------
"""
-Convert a PEM key into an equivalent COSE_Key, and optionally compute the CCA hash-lock claims
+Convert a PEM key into an equivalent COSE_Key, and optionally compute the CCA hash-lock claims.
+The default is to strip the private part off the transformed key. Pass the '--no-strip-private'
+argument if the desired behaviour is to convert a private key as-is. Note that this mode is
+incompatible with CCA claims generation.
Examples:
./pem2cose.py -h
- ./pem2cose.py ../tests/data/cca_realm.pem cca_realm.cbor
+ ./pem2cose.py --no-strip-private ../tests/data/cca_realm.pem cca_realm.cbor
./pem2cose.py --hash-alg sha-256 ../tests/data/cca_realm.pem - > hashlock-claims.yaml
"""
+import sys
import argparse
from iatverifier.util import read_keyfile
from iatverifier.attest_token_verifier import AttestationTokenVerifier
from hashlib import sha256, sha384, sha512
from base64 import b64encode
+from pycose.keys import CoseKey
+from pycose.keys.keyparam import EC2KpD
+
hash_algorithms = {
'sha-256': sha256,
@@ -37,12 +44,26 @@
'cosefile', type=str, help='output COSE_Key file (pass "-" to write to stdout)')
parser.add_argument('--hash-alg', type=str, help='compute the hash lock using the specified algorithm',
choices=hash_algorithms.keys())
+ parser.add_argument('--no-strip-private', help='do not strip the private key',
+ dest='strip_private', action='store_false')
args = parser.parse_args()
cose_key = read_keyfile(
args.pemfile, AttestationTokenVerifier.SIGN_METHOD_SIGN1).encode()
+ if not args.strip_private and args.hash_alg is not None:
+ print('Private key conversion and CCA claims generation are mutually exclusive')
+ sys.exit(1)
+
+ if args.strip_private:
+ tmp = CoseKey.decode(cose_key)
+ try:
+ del tmp[EC2KpD]
+ except KeyError:
+ pass
+ cose_key = CoseKey.encode(tmp)
+
if args.cosefile == '-':
b64_cose_key = b64encode(cose_key).decode()
print(f'cca_realm_pub_key: !!binary {b64_cose_key}')
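Review bot: The `if args.strip_private:` branch removes only `EC2KpD`, and `except KeyError: pass` treats its absence as success, so a key of any other type would be re-encoded with its private parameters intact while the caller believes it was stripped. Whether `read_keyfile` can return a non-EC2 key is not visible in this hunk; if it can, the branch should fail closed by checking the decoded key's type and exiting with an error for anything it does not know how to strip. At minimum, add a comment such as `# only the EC2 'd' parameter is removed; other key types are not handled`. The mutual-exclusion message is also printed to stdout, which the docstring example redirects into a YAML file; calling `parser.error('--no-strip-private cannot be combined with --hash-alg')` before the key is read would send it to stderr instead. The enclosing function starts and ends outside the hunk.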
diff --git a/iat-verifier/tests/data/cca_example_platform_token.cbor b/iat-verifier/tests/data/cca_example_platform_token.cbor
index b22d3f9..2220cc3 100644
--- a/iat-verifier/tests/data/cca_example_platform_token.cbor
+++ b/iat-verifier/tests/data/cca_example_platform_token.cbor
Binary files differ
diff --git a/iat-verifier/tests/data/cca_example_platform_token.yaml b/iat-verifier/tests/data/cca_example_platform_token.yaml
index cf67b60..3830522 100644
--- a/iat-verifier/tests/data/cca_example_platform_token.yaml
+++ b/iat-verifier/tests/data/cca_example_platform_token.yaml
@@ -10,7 +10,7 @@
# Hash of the public key used to sign the Realm token. Its length depends on
# the public key hash algorithm identifier claim in the Realm token.
-cca_platform_challenge: !!binary uIHLIBvuo5OR1W8V2mww7I30v4LDFzZVjVbaFoU1p9Y=
+cca_platform_challenge: !!binary DSLgiphGkFhIYxgoNIm9s28J2+/rGGTfQz+m5U6i1xE=
# Unique identifier of the implementation of the CCA platform.
# The semantics of the CCA platform Implementation ID value are defined by the
diff --git a/iat-verifier/tests/data/cca_example_token.cbor b/iat-verifier/tests/data/cca_example_token.cbor
index b3dbcdc..cb74944 100644
--- a/iat-verifier/tests/data/cca_example_token.cbor
+++ b/iat-verifier/tests/data/cca_example_token.cbor
Binary files differ
diff --git a/iat-verifier/tests/data/cca_example_token.yaml b/iat-verifier/tests/data/cca_example_token.yaml
index 80acdc3..79cf532 100644
--- a/iat-verifier/tests/data/cca_example_token.yaml
+++ b/iat-verifier/tests/data/cca_example_token.yaml
@@ -31,8 +31,7 @@
# The Realm public key claim carries the public portion of the RAK which is
# used to sign the Realm token. The RAK value is encoded as a COSE_Key (see
# Section 7 of RFC9052)
- cca_realm_pub_key: !!binary |
- pQECIAIhWDB2+YgJG+WF7UGAGuz6uFhUjGMFfhaw5nYSC70NL5wp4FbF1BoBMOucIVF4mdwjFGsiWDAo4bBivT6ksxX9IZ8cu1KMtudMpJvhZ3NzT2GhymEDGyu/PZGPL5T/xCKOUJGVRK4jWDAgEcfwPO5DJRduUk8DPAzh4hp25sGk8Lg5qh32Hg6KXIoFdA+bae+n6xpBhb0Rf2g=
+ cca_realm_pub_key: !!binary pAECIAIhWDB2+YgJG+WF7UGAGuz6uFhUjGMFfhaw5nYSC70NL5wp4FbF1BoBMOucIVF4mdwjFGsiWDAo4bBivT6ksxX9IZ8cu1KMtudMpJvhZ3NzT2GhymEDGyu/PZGPL5T/xCKOUJGVRK4=
# The Realm Initial Measurement claim contains the value of the RIM (see
# Section A7.1.1 of DEN0137 for the details).
cca_realm_initial_measurement: !!binary |