Check Realm signature against Realm pub key claim
This commit removes the `--cca-realm-token-keyfile` parameter from the
`check_iat` script as the key is read from the token claim.
Change-Id: I04c5b59e7669239c57b14cfc95ab90f794aa8d16
Signed-off-by: Mate Toth-Pal <mate.toth-pal@arm.com>
diff --git a/iat-verifier/tests/test_verifier.py b/iat-verifier/tests/test_verifier.py
index bb03513..2f45d66 100644
--- a/iat-verifier/tests/test_verifier.py
+++ b/iat-verifier/tests/test_verifier.py
@@ -24,6 +24,7 @@
KEYFILE = os.path.join(DATA_DIR, 'key.pem')
KEYFILE_CCA_PLAT = os.path.join(DATA_DIR, 'cca_platform.pem')
KEYFILE_CCA_REALM = os.path.join(DATA_DIR, 'cca_realm.pem')
+KEYFILE_CCA_REALM2= os.path.join(DATA_DIR, 'cca_realm2.pem')
KEYFILE_ALT = os.path.join(DATA_DIR, 'key-alt.pem')
class TestIatVerifier(unittest.TestCase):
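Review bot: `KEYFILE_CCA_REALM2= os.path.join(...)` lacks the space before `=` that the neighbouring constants use, and the `2` suffix does not say why a second realm key exists. In the hunks visible here it is only loaded as `realm_token_key2` and used as a key that deliberately does not match the realm public key claim. A name that states this would make the negative test self-explanatory, e.g. `KEYFILE_CCA_REALM_MISMATCH = os.path.join(DATA_DIR, 'cca_realm2.pem')`, with the local variable renamed to match.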
@@ -81,6 +82,7 @@
cose_alg=AttestationTokenVerifier.COSE_ALG_ES256
signing_key = read_keyfile(KEYFILE, method)
realm_token_key = read_keyfile(KEYFILE_CCA_REALM, method)
+ realm_token_key2 = read_keyfile(KEYFILE_CCA_REALM2, method)
platform_token_key = read_keyfile(KEYFILE_CCA_PLAT, method)
create_and_read_iat(
@@ -91,6 +93,7 @@
cose_alg=cose_alg,
signing_key=signing_key,
configuration=self.config))
+
create_and_read_iat(
DATA_DIR,
'valid-cca-token.yaml',
@@ -115,6 +118,20 @@
with self.assertRaises(ValueError) as test_ctx:
create_and_read_iat(
+ DATA_DIR,
+ 'valid-cca-token.yaml',
+ CCATokenVerifier(
+ realm_token_method=method,
+ realm_token_cose_alg=AttestationTokenVerifier.COSE_ALG_ES384,
+ realm_token_key=realm_token_key2,
+ platform_token_method=method,
+ platform_token_cose_alg=AttestationTokenVerifier.COSE_ALG_ES384,
+ platform_token_key=platform_token_key,
+ configuration=self.config))
+ self.assertIn("Realm signature doesn't match Realm Public Key claim in Realm token", test_ctx.exception.args[0])
+
+ with self.assertRaises(ValueError) as test_ctx:
+ create_and_read_iat(
DATA_DIR,
'invalid-profile-id.yaml',
PSAIoTProfile1TokenVerifier(method=method,
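Review bot: The added case with `realm_token_key=realm_token_key2` only shows that a signer/claim mismatch is rejected. It does not cover a realm token whose signature and public key claim agree with each other but come from a key the platform never vouched for. Now that the external keyfile is gone, a self-consistent realm token proves nothing by itself, so trust has to come from the platform token binding the realm key (in the CCA token design the platform challenge carries a hash of the realm public key). Whether the verifier enforces that binding is not visible in this hunk. I would add a companion negative test where signature and claim agree but the platform token does not match, and a comment above this case such as `# signed with a key that differs from the realm public key claim; binding to the platform token is checked separately`. The enclosing test method starts and ends outside the hunk, and indentation is lost in this view, so please confirm the `assertIn` sits outside the `with` block so that it actually runs.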