Add CCA attestation token verifier
This commit adds classes to verify CCA attestation token. A CCA
attestation token is defined by the document DEN0137 Realm Management
Monitor specification found here:
https://developer.arm.com/documentation/den0137/a/?lang=en
The commit
* Adds claim classes for CCA attestation token claims.
* Adds verifier classes CCA attestation token
* Adds CCA tokens to CLI scripts and change parameters to be possible to
specify multiple signing keys
* Adds sample cbor and yaml and key files to demonstrate CCA attestation
token
Change-Id: Ia88a5ce4af334143452e87d29975826165502409
Signed-off-by: Mate Toth-Pal <mate.toth-pal@arm.com>
diff --git a/iat-verifier/tests/data/cca_platform.pem b/iat-verifier/tests/data/cca_platform.pem
new file mode 100644
index 0000000..3645669
--- /dev/null
+++ b/iat-verifier/tests/data/cca_platform.pem
@@ -0,0 +1,6 @@
+-----BEGIN EC PRIVATE KEY-----
+MIGkAgEBBDCKwJDJlYafYawTWPArAhomq26zhiA6xzXXzphVU4uR90xEsNWAJD77
+eZopPcuqCJmgBwYFK4EEACKhZANiAAQhKGfFLiuVCLCkIKkFYPOU0t+qIb3XUU/x
+qQGv5+H3i7EdTmb4qKOK+navajHE3oyEzi2vyZZCWLU/rXGHdPRWINERsXboMY4R
+h9sCNaMY03ull/7oDg5MdioSvLPqbtQ=
+-----END EC PRIVATE KEY-----
diff --git a/iat-verifier/tests/data/cca_platform_token.yaml b/iat-verifier/tests/data/cca_platform_token.yaml
new file mode 100644
index 0000000..cdf3819
--- /dev/null
+++ b/iat-verifier/tests/data/cca_platform_token.yaml
@@ -0,0 +1,33 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2022, Arm Limited. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+#-------------------------------------------------------------------------------
+
+cca_attestation_profile: http://arm.com/CCA-SSD/1.0.0
+cca_platform_challenge: !!binary BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=
+cca_platform_implementation_id: !!binary f0VMRgIBAQAAAAAAAAAAAAMAPgABAAAAUFgAAAAAAAA=
+cca_platform_instance_id: !!binary AQcGBQQDAgEADw4NDAsKCQgXFhUUExIREB8eHRwbGhkY
+cca_platform_config: !!binary AQcGBQQDAgEADw4NDAsKCQgXFhUUExIREB8eHRwbGhkY
+cca_platform_lifecycle: secured_0x3003
+cca_platform_hash_algo_id: sha-256
+cca_platform_sw_components:
+ - sw_component_type: BL
+ signer_id: !!binary BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=
+ sw_component_version: "3.4.2"
+ measurement_value: !!binary BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=
+ cca_sw_component_hash_id: TF-M_SHA256MemPreXIP
+ - sw_component_type: M1
+ signer_id: !!binary BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=
+ sw_component_version: "1.2"
+ measurement_value: !!binary BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=
+ - sw_component_type: M2
+ signer_id: !!binary BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=
+ sw_component_version: "1.2.3"
+ measurement_value: !!binary BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=
+ - sw_component_type: M3
+ signer_id: !!binary BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=
+ sw_component_version: "1"
+ measurement_value: !!binary BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=
+cca_platform_verification_service: whatever.com
\ No newline at end of file
diff --git a/iat-verifier/tests/data/cca_realm.pem b/iat-verifier/tests/data/cca_realm.pem
new file mode 100644
index 0000000..1a8d3a5
--- /dev/null
+++ b/iat-verifier/tests/data/cca_realm.pem
@@ -0,0 +1,6 @@
+-----BEGIN EC PRIVATE KEY-----
+MIGkAgEBBDAgEcfwPO5DJRduUk8DPAzh4hp25sGk8Lg5qh32Hg6KXIoFdA+bae+n
+6xpBhb0Rf2igBwYFK4EEACKhZANiAAR2+YgJG+WF7UGAGuz6uFhUjGMFfhaw5nYS
+C70NL5wp4FbF1BoBMOucIVF4mdwjFGso4bBivT6ksxX9IZ8cu1KMtudMpJvhZ3Nz
+T2GhymEDGyu/PZGPL5T/xCKOUJGVRK4=
+-----END EC PRIVATE KEY-----
\ No newline at end of file
diff --git a/iat-verifier/tests/data/valid-cca-token.yaml b/iat-verifier/tests/data/valid-cca-token.yaml
new file mode 100644
index 0000000..9d1f354
--- /dev/null
+++ b/iat-verifier/tests/data/valid-cca-token.yaml
@@ -0,0 +1,55 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2022, Arm Limited. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+#-------------------------------------------------------------------------------
+
+cca_platform_token:
+ cca_attestation_profile: http://arm.com/CCA-SSD/1.0.0
+ cca_platform_challenge: !!binary tZc8touqn8VVWHhrfsZ/aeQN9bpaqSHNDCf0BYegEeo=
+ cca_platform_implementation_id: !!binary f0VMRgIBAQAAAAAAAAAAAAMAPgABAAAAUFgAAAAAAAA=
+ cca_platform_instance_id: !!binary AQcGBQQDAgEADw4NDAsKCQgXFhUUExIREB8eHRwbGhkY
+ cca_platform_config: !!binary AQcGBQQDAgEADw4NDAsKCQgXFhUUExIREB8eHRwbGhkY
+ cca_platform_lifecycle: secured_0x3003
+ cca_platform_hash_algo_id: sha-256
+ cca_platform_sw_components:
+ - sw_component_type: BL
+ signer_id: !!binary BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=
+ sw_component_version: "3.4.2"
+ measurement_value: !!binary BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=
+ cca_sw_component_hash_id: sha-256
+ - sw_component_type: M1
+ signer_id: !!binary BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=
+ sw_component_version: "1.2"
+ measurement_value: !!binary BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=
+ - sw_component_type: M2
+ signer_id: !!binary BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=
+ sw_component_version: "1.2.3"
+ measurement_value: !!binary BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=
+ - sw_component_type: M3
+ signer_id: !!binary BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=
+ sw_component_version: "1"
+ measurement_value: !!binary BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=
+ cca_platform_verification_service: whatever.com
+cca_realm_delegated_token:
+ cca_realm_challenge: !!binary |
+ q6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6urq6ur
+ q6urq6urqw==
+ cca_realm_hash_algm_id: sha-256
+ cca_realm_pub_key_hash_algo_id: sha-256
+ cca_realm_personalization_value: !!binary |
+ VGhlIHF1aWNrIGJyb3duIGZveCBqdW1wcyBvdmVyIDEzIGxhenkgZG9ncy5UaGUgcXVpY2sgYnJvd24gZm94IA==
+ cca_realm_pub_key: !!binary |
+ BHb5iAkb5YXtQYAa7Pq4WFSMYwV+FrDmdhILvQ0vnCngVsXUGgEw65whUXiZ3CMUayjhsGK9PqSzFf0hnxy7Uoy250ykm+Fnc3NPYaHKYQMbK789kY8vlP/EIo5QkZVErg==
+ cca_realm_initial_measurement: !!binary |
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
+ cca_realm_extensible_measurements:
+ - !!binary |
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
+ - !!binary |
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
+ - !!binary |
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
+ - !!binary |
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
diff --git a/iat-verifier/tests/test_verifier.py b/iat-verifier/tests/test_verifier.py
index 5f8380e..ed3a725 100644
--- a/iat-verifier/tests/test_verifier.py
+++ b/iat-verifier/tests/test_verifier.py
@@ -11,8 +11,10 @@
import unittest
from iatverifier.psa_iot_profile1_token_verifier import PSAIoTProfile1TokenVerifier
+from iatverifier.cca_token_verifier import CCATokenVerifier, CCAPlatformTokenVerifier
from iatverifier.util import read_keyfile
-from iatverifier.attest_token_verifier import VerifierConfiguration, AttestationTokenVerifier
+from iatverifier.attest_token_verifier import AttestationClaim, VerifierConfiguration
+from iatverifier.attest_token_verifier import AttestationTokenVerifier
from test_utils import create_and_read_iat, read_iat, create_token_tmp_file
@@ -20,6 +22,8 @@
DATA_DIR = os.path.join(THIS_DIR, 'data')
KEYFILE = os.path.join(DATA_DIR, 'key.pem')
+KEYFILE_CCA_PLAT = os.path.join(DATA_DIR, 'cca_platform.pem')
+KEYFILE_CCA_REALM = os.path.join(DATA_DIR, 'cca_realm.pem')
KEYFILE_ALT = os.path.join(DATA_DIR, 'key-alt.pem')
class TestIatVerifier(unittest.TestCase):
@@ -77,14 +81,38 @@
method=AttestationTokenVerifier.SIGN_METHOD_SIGN1
cose_alg=AttestationTokenVerifier.COSE_ALG_ES256
signing_key = read_keyfile(KEYFILE, method)
+ realm_token_key = read_keyfile(KEYFILE_CCA_REALM, method)
+ platform_token_key = read_keyfile(KEYFILE_CCA_PLAT, method)
create_and_read_iat(
DATA_DIR,
'valid-iat.yaml',
- PSAIoTProfile1TokenVerifier(method=method,
- cose_alg=cose_alg,
- signing_key=signing_key,
- configuration=self.config))
+ PSAIoTProfile1TokenVerifier(
+ method=method,
+ cose_alg=cose_alg,
+ signing_key=signing_key,
+ configuration=self.config))
+ create_and_read_iat(
+ DATA_DIR,
+ 'valid-cca-token.yaml',
+ CCATokenVerifier(
+ realm_token_method=method,
+ realm_token_cose_alg=AttestationTokenVerifier.COSE_ALG_ES384,
+ realm_token_key=realm_token_key,
+ platform_token_method=method,
+ platform_token_cose_alg=AttestationTokenVerifier.COSE_ALG_ES384,
+ platform_token_key=platform_token_key,
+ configuration=self.config))
+
+ create_and_read_iat(
+ DATA_DIR,
+ 'cca_platform_token.yaml',
+ CCAPlatformTokenVerifier(
+ method=method,
+ cose_alg=AttestationTokenVerifier.COSE_ALG_ES384,
+ signing_key=platform_token_key,
+ configuration=self.config,
+ necessity=AttestationClaim.MANDATORY))
with self.assertRaises(ValueError) as test_ctx:
create_and_read_iat(