Check Realm signature against Realm pub key claim

This commit removes the `--cca-realm-token-keyfile` parameter from the
`check_iat` script as the key is read from the token claim.

Change-Id: I04c5b59e7669239c57b14cfc95ab90f794aa8d16
Signed-off-by: Mate Toth-Pal <mate.toth-pal@arm.com>
diff --git a/iat-verifier/tests/data/cca_realm2.pem b/iat-verifier/tests/data/cca_realm2.pem
new file mode 100644
index 0000000..86a96fd
--- /dev/null
+++ b/iat-verifier/tests/data/cca_realm2.pem
@@ -0,0 +1,6 @@
+-----BEGIN EC PRIVATE KEY-----
+MIGkAgEBBDAUpTBCqGYMwJ/qywlXHrHwZec2dLYE9xNYjtR6BEjLEC1NYJMDlUfk
+gCQORURs0zigBwYFK4EEACKhZANiAASBGViAoiB/uVYDKjy5f12lr3Jv/LcV7hZH
+hKf7FsBglr3ZRioyZQspEqhVFXDW6h87LR99qKJ1+gAzDwB4YYvD4UlUnIFw0y7F
+WJCn+ex4nx8YrpLrFdIir5cdlxyWWvE=
+-----END EC PRIVATE KEY-----
diff --git a/iat-verifier/tests/test_utils.py b/iat-verifier/tests/test_utils.py
index e05c953..8059139 100644
--- a/iat-verifier/tests/test_utils.py
+++ b/iat-verifier/tests/test_utils.py
@@ -45,7 +45,7 @@
     token_map = read_token_map(source_path)
     return convert_map_to_token_bytes(token_map, verifier, add_p_header)
 
-def create_token_file(data_dir, source_name, verifier, dest_path, *, add_p_header=False):
+def create_token_file(data_dir, source_name, verifier, dest_path, *, add_p_header=True):
     """Create a cbor token from a yaml file and write it to a file
     """
     token = create_token(
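Review bot: Flipping the default of `add_p_header` to `True` on `create_token_file` changes what every caller that omits the argument writes to disk, and neither the commit message nor the docstring mentions it. If the intent is that test tokens now always carry the protected header (presumably the COSE one), state that in the docstring, for example `add_p_header: include the protected header in the written token (default True)`. Also check that the default on `create_token` agrees; its signature is outside this hunk, and the body of `create_token_file` continues past it.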
diff --git a/iat-verifier/tests/test_verifier.py b/iat-verifier/tests/test_verifier.py
index bb03513..2f45d66 100644
--- a/iat-verifier/tests/test_verifier.py
+++ b/iat-verifier/tests/test_verifier.py
@@ -24,6 +24,7 @@
 KEYFILE = os.path.join(DATA_DIR, 'key.pem')
 KEYFILE_CCA_PLAT = os.path.join(DATA_DIR, 'cca_platform.pem')
 KEYFILE_CCA_REALM = os.path.join(DATA_DIR, 'cca_realm.pem')
+KEYFILE_CCA_REALM2= os.path.join(DATA_DIR, 'cca_realm2.pem')
 KEYFILE_ALT = os.path.join(DATA_DIR, 'key-alt.pem')
 
 class TestIatVerifier(unittest.TestCase):
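Review bot: `KEYFILE_CCA_REALM2= os.path.join(...)` is missing the space before `=` that the neighbouring constants have; write `KEYFILE_CCA_REALM2 = os.path.join(DATA_DIR, 'cca_realm2.pem')`. A short comment such as `# second realm key, used only to provoke a signature/claim mismatch` would also tell readers why two realm keys exist.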
@@ -81,6 +82,7 @@
         cose_alg=AttestationTokenVerifier.COSE_ALG_ES256
         signing_key = read_keyfile(KEYFILE, method)
         realm_token_key = read_keyfile(KEYFILE_CCA_REALM, method)
+        realm_token_key2 = read_keyfile(KEYFILE_CCA_REALM2, method)
         platform_token_key = read_keyfile(KEYFILE_CCA_PLAT, method)
 
         create_and_read_iat(
@@ -91,6 +93,7 @@
                 cose_alg=cose_alg,
                 signing_key=signing_key,
                 configuration=self.config))
+
         create_and_read_iat(
             DATA_DIR,
             'valid-cca-token.yaml',
@@ -115,6 +118,20 @@
 
         with self.assertRaises(ValueError) as test_ctx:
             create_and_read_iat(
+                DATA_DIR,
+                'valid-cca-token.yaml',
+                CCATokenVerifier(
+                    realm_token_method=method,
+                    realm_token_cose_alg=AttestationTokenVerifier.COSE_ALG_ES384,
+                    realm_token_key=realm_token_key2,
+                    platform_token_method=method,
+                    platform_token_cose_alg=AttestationTokenVerifier.COSE_ALG_ES384,
+                    platform_token_key=platform_token_key,
+                    configuration=self.config))
+        self.assertIn("Realm signature doesn't match Realm Public Key claim in Realm token", test_ctx.exception.args[0])
+
+        with self.assertRaises(ValueError) as test_ctx:
+            create_and_read_iat(
             DATA_DIR,
                 'invalid-profile-id.yaml',
                 PSAIoTProfile1TokenVerifier(method=method,
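Review bot: The new negative case only covers a token signed with `cca_realm2.pem` while its Realm Public Key claim still names the other key; it does not cover a token whose claim and signature are both switched to the second key consistently. Because the verification key is now taken from the token itself, a matching signature shows only that the token is self-consistent. The verifier therefore also has to tie that claim to something the platform token vouches for (in CCA, presumably the platform challenge carrying a hash of the realm public key), and whether it does is not visible in this diff. I would add a further `assertRaises` case with a fixture whose Realm Public Key claim is the `cca_realm2` public key, signed with `realm_token_key2` under an unchanged platform token, and expect it to be rejected. The enclosing test method starts before and continues after this hunk.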