| # ----------------------------------------------------------------------------- |
| # Copyright (c) 2019-2022, Arm Limited. All rights reserved. |
| # |
| # SPDX-License-Identifier: BSD-3-Clause |
| # |
| # ----------------------------------------------------------------------------- |
| |
| """CLI script for verifying an IAT.""" |
| |
| import argparse |
| import json |
| import logging |
| import sys |
| |
| from iatverifier.util import recursive_bytes_to_strings, read_keyfile, get_cose_alg_from_key |
| from iatverifier.psa_iot_profile1_token_verifier import PSAIoTProfile1TokenVerifier |
| from iatverifier.attest_token_verifier import VerifierConfiguration, AttestationTokenVerifier |
| |
| logger = logging.getLogger('iat-verify') |
| |
| def main(): |
| """Main function for verifying an IAT""" |
| |
| token_verifiers = { |
| "PSA-IoT-Profile1-token": PSAIoTProfile1TokenVerifier, |
| } |
| |
| parser = argparse.ArgumentParser( |
| description=''' |
| Validates a signed Initial Attestation Token (IAT), checking |
| that the signature is valid, the token contian the required |
| fields, and those fields are in a valid format. |
| ''') |
| parser.add_argument('-k', '--keyfile', |
| help=''' |
| Path to a file containing signing key in PEM format. |
| ''') |
| parser.add_argument('tokenfile', |
| help=''' |
| path to a file containing a signed IAT. |
| ''') |
| parser.add_argument('-K', '--keep-going', action='store_true', |
| help=''' |
| Do not stop upon encountering a validation error. |
| ''') |
| parser.add_argument('-p', '--print-iat', action='store_true', |
| help=''' |
| Print the decoded token in JSON format. |
| ''') |
| parser.add_argument('-s', '--strict', action='store_true', |
| help=''' |
| Report failure if unknown claim is encountered. |
| ''') |
| parser.add_argument('-c', '--check-protected-header', action='store_true', |
| help=''' |
| Check the presence and content of COSE protected header. |
| ''') |
| parser.add_argument('-m', '--method', choices=['sign', 'mac'], default='sign', |
| help=''' |
| Specify how this token is wrapped -- whether Sign1Message or |
| Mac0Message COSE structure is used. |
| ''') |
| parser.add_argument('-t', '--token-type', |
| help='''The type of the Token.''', |
| choices=token_verifiers.keys(), |
| required=True) |
| |
| args = parser.parse_args() |
| |
| logging.basicConfig(level=logging.INFO) |
| |
| config = VerifierConfiguration(keep_going=args.keep_going, strict=args.strict) |
| if args.method == 'mac': |
| method = AttestationTokenVerifier.SIGN_METHOD_MAC0 |
| else: |
| method = AttestationTokenVerifier.SIGN_METHOD_SIGN1 |
| |
| key = read_keyfile(keyfile=args.keyfile, method=method) |
| |
| if args.method == 'mac': |
| cose_alg = AttestationTokenVerifier.COSE_ALG_HS256 |
| else: |
| if key is not None: |
| cose_alg = get_cose_alg_from_key(key) |
| else: |
| cose_alg = AttestationTokenVerifier.COSE_ALG_ES256 |
| |
| verifier_class = token_verifiers[args.token_type] |
| if verifier_class == PSAIoTProfile1TokenVerifier: |
| verifier = PSAIoTProfile1TokenVerifier( |
| method=method, |
| cose_alg=cose_alg, |
| signing_key=key, |
| configuration=config) |
| else: |
| logger.error(f'Invalid token type:{verifier_class}\n\t') |
| sys.exit(1) |
| |
| try: |
| with open(args.tokenfile, 'rb') as token_file: |
| token = verifier.parse_token( |
| token=token_file.read(), |
| verify=True, |
| check_p_header=args.check_protected_header, |
| lower_case_key=False) |
| if args.keyfile: |
| print('Signature OK') |
| print('Token format OK') |
| except ValueError as exc: |
| logger.error(f'Could not extract IAT from COSE:\n\t{exc}') |
| sys.exit(1) |
| |
| if args.print_iat: |
| print('Token:') |
| json.dump(recursive_bytes_to_strings(token, in_place=True), |
| sys.stdout, indent=4) |
| print('') |
| |
| if __name__ == '__main__': |
| main() |