Add CCA attestation token verifier
This commit adds classes to verify CCA attestation token. A CCA
attestation token is defined by the document DEN0137 Realm Management
Monitor specification found here:
https://developer.arm.com/documentation/den0137/a/?lang=en
The commit
* Adds claim classes for CCA attestation token claims.
* Adds verifier classes for CCA attestation tokens.
* Adds CCA tokens to the CLI scripts and changes their parameters so that
multiple signing keys can be specified.
* Adds sample CBOR, YAML and key files to demonstrate the CCA attestation
token.
Change-Id: Ia88a5ce4af334143452e87d29975826165502409
Signed-off-by: Mate Toth-Pal <mate.toth-pal@arm.com>
diff --git a/iat-verifier/tests/test_verifier.py b/iat-verifier/tests/test_verifier.py
index 5f8380e..ed3a725 100644
--- a/iat-verifier/tests/test_verifier.py
+++ b/iat-verifier/tests/test_verifier.py
@@ -11,8 +11,10 @@
import unittest
from iatverifier.psa_iot_profile1_token_verifier import PSAIoTProfile1TokenVerifier
+from iatverifier.cca_token_verifier import CCATokenVerifier, CCAPlatformTokenVerifier
from iatverifier.util import read_keyfile
-from iatverifier.attest_token_verifier import VerifierConfiguration, AttestationTokenVerifier
+from iatverifier.attest_token_verifier import AttestationClaim, VerifierConfiguration
+from iatverifier.attest_token_verifier import AttestationTokenVerifier
from test_utils import create_and_read_iat, read_iat, create_token_tmp_file
@@ -20,6 +22,8 @@
DATA_DIR = os.path.join(THIS_DIR, 'data')
KEYFILE = os.path.join(DATA_DIR, 'key.pem')
+KEYFILE_CCA_PLAT = os.path.join(DATA_DIR, 'cca_platform.pem')
+KEYFILE_CCA_REALM = os.path.join(DATA_DIR, 'cca_realm.pem')
KEYFILE_ALT = os.path.join(DATA_DIR, 'key-alt.pem')
class TestIatVerifier(unittest.TestCase):
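Review bot: `KEYFILE_CCA_PLAT` and `KEYFILE_CCA_REALM` name key files kept under the test data directory, and nothing beside the constants says they are sample keys. Because the tests later sign tokens with them, they are presumably private keys, so a comment would keep anyone from reusing them outside the test suite: `# Sample CCA signing keys, for tests only; never use them to sign real tokens.` The same comment would fit the existing `KEYFILE` and `KEYFILE_ALT` lines.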
@@ -77,14 +81,38 @@
method=AttestationTokenVerifier.SIGN_METHOD_SIGN1
cose_alg=AttestationTokenVerifier.COSE_ALG_ES256
signing_key = read_keyfile(KEYFILE, method)
+ realm_token_key = read_keyfile(KEYFILE_CCA_REALM, method)
+ platform_token_key = read_keyfile(KEYFILE_CCA_PLAT, method)
create_and_read_iat(
DATA_DIR,
'valid-iat.yaml',
- PSAIoTProfile1TokenVerifier(method=method,
- cose_alg=cose_alg,
- signing_key=signing_key,
- configuration=self.config))
+ PSAIoTProfile1TokenVerifier(
+ method=method,
+ cose_alg=cose_alg,
+ signing_key=signing_key,
+ configuration=self.config))
+ create_and_read_iat(
+ DATA_DIR,
+ 'valid-cca-token.yaml',
+ CCATokenVerifier(
+ realm_token_method=method,
+ realm_token_cose_alg=AttestationTokenVerifier.COSE_ALG_ES384,
+ realm_token_key=realm_token_key,
+ platform_token_method=method,
+ platform_token_cose_alg=AttestationTokenVerifier.COSE_ALG_ES384,
+ platform_token_key=platform_token_key,
+ configuration=self.config))
+
+ create_and_read_iat(
+ DATA_DIR,
+ 'cca_platform_token.yaml',
+ CCAPlatformTokenVerifier(
+ method=method,
+ cose_alg=AttestationTokenVerifier.COSE_ALG_ES384,
+ signing_key=platform_token_key,
+ configuration=self.config,
+ necessity=AttestationClaim.MANDATORY))
with self.assertRaises(ValueError) as test_ctx:
create_and_read_iat(
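Review bot: Both CCA cases added here cover only the accepting path: each builds one verifier and hands it to `create_and_read_iat`, which, judging by its name, signs and then verifies with that same verifier's keys. Nothing checks that `CCATokenVerifier` rejects a token whose realm or platform part was signed with a different key, which is presumably what the two separate key parameters are meant to enforce. A negative case could create the token with one verifier through the already imported `create_token_tmp_file` and read it back with `read_iat` under a verifier whose `realm_token_key` and `platform_token_key` are swapped, inside `with self.assertRaises(ValueError):`; the exception type is inferred from the existing negative case and should be confirmed. `AttestationTokenVerifier.COSE_ALG_ES384` is also spelled out three times and could be bound once next to `cose_alg`. The test method starts before and continues after this hunk.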