Make protected header mandatory

This means that the common iat-verifier logic always calls the protected
header checker in the verifier classes. When compiling a token, it
also includes the protected header returned by the verifier class in
the resulting token.

It is still possible for a verifier to make the protected header
optional by implementing _get_p_header and _parse_p_header accordingly.

Change-Id: Ib802e4e30c4c9d2c85addcb7311ab92da3962b99
Signed-off-by: Mate Toth-Pal <mate.toth-pal@arm.com>
diff --git a/iat-verifier/tests/data/cca_platform_token.cbor b/iat-verifier/tests/data/cca_platform_token.cbor
index 8d97a0c..a5f7a97 100644
--- a/iat-verifier/tests/data/cca_platform_token.cbor
+++ b/iat-verifier/tests/data/cca_platform_token.cbor
Binary files differ
diff --git a/iat-verifier/tests/data/iat-hmac.cbor b/iat-verifier/tests/data/iat-hmac.cbor
index 1ea3018..eb163b0 100644
--- a/iat-verifier/tests/data/iat-hmac.cbor
+++ b/iat-verifier/tests/data/iat-hmac.cbor
Binary files differ
diff --git a/iat-verifier/tests/data/iat.cbor b/iat-verifier/tests/data/iat.cbor
index 38d2ec4..9809c3e 100644
--- a/iat-verifier/tests/data/iat.cbor
+++ b/iat-verifier/tests/data/iat.cbor
Binary files differ
diff --git a/iat-verifier/tests/synthetic_data/unknown_claims.cbor b/iat-verifier/tests/synthetic_data/unknown_claims.cbor
index 1c9507d..58987a2 100644
--- a/iat-verifier/tests/synthetic_data/unknown_claims.cbor
+++ b/iat-verifier/tests/synthetic_data/unknown_claims.cbor
Binary files differ
diff --git a/iat-verifier/tests/test_synthetic.py b/iat-verifier/tests/test_synthetic.py
index 413703d..796e845 100644
--- a/iat-verifier/tests/test_synthetic.py
+++ b/iat-verifier/tests/test_synthetic.py
@@ -16,7 +16,8 @@
 from iatverifier.util import read_token_map, read_keyfile
 from iatverifier.attest_token_verifier import VerifierConfiguration, AttestationTokenVerifier
 from tests.synthetic_token_verifier import SyntheticTokenVerifier2, SyntheticTokenVerifier
-from test_utils import read_iat, create_and_read_iat, convert_map_to_token_bytes, bytes_equal_to_file
+from tests.test_utils import read_iat, create_and_read_iat
+from tests.test_utils import convert_map_to_token_bytes, bytes_equal_to_file
 
 
 THIS_DIR = os.path.dirname(__file__)
@@ -99,13 +100,10 @@
             configuration=self.config,
             internal_signing_key=signing_key)
 
-        token_p_header = convert_map_to_token_bytes(token_map, verifier, add_p_header=True)
-        token_no_p_header = convert_map_to_token_bytes(token_map, verifier, add_p_header=False)
+        token_p_header = convert_map_to_token_bytes(token_map, verifier)
 
         self.assertTrue(
             bytes_equal_to_file(token_p_header, os.path.join(DATA_DIR, 'p_header_on.cbor')))
-        self.assertTrue(
-            bytes_equal_to_file(token_no_p_header, os.path.join(DATA_DIR, 'p_header_off.cbor')))
 
         with self.assertLogs() as test_ctx:
             read_iat(
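Review bot: With the `p_header_off.cbor` comparison removed, nothing in this hunk exercises a verifier that makes the protected header optional, which the commit message says is still possible by implementing `_get_p_header` and `_parse_p_header`. If that path is meant to stay supported, a small synthetic verifier that opts out, with assertions on its compiled bytes and on parsing a header-less token, would keep it from regressing silently; whether such a test exists elsewhere is not visible here. The diff also does not delete `p_header_off.cbor`, so the fixture may now be orphaned. The local name `token_p_header` could become `token_bytes` now that there is only one variant. The enclosing test method starts and ends outside the hunk.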
@@ -115,8 +113,7 @@
                     cose_alg=cose_alg,
                     signing_key=signing_key,
                     configuration=config,
-                    internal_signing_key=signing_key),
-                check_p_header=True)
+                    internal_signing_key=signing_key))
         self.assertEquals(2, len(test_ctx.output))
         self.assertIn('Unexpected protected header', test_ctx.output[0])
         self.assertIn('Missing alg from protected header (expected ES256)', test_ctx.output[1])
@@ -129,8 +126,7 @@
                     cose_alg=cose_alg,
                     signing_key=signing_key,
                     configuration=config,
-                    internal_signing_key=signing_key),
-                check_p_header=True)
+                    internal_signing_key=signing_key))
         self.assertEquals(2, len(test_ctx.output))
         self.assertIn('Missing alg from protected header (expected ES256)', test_ctx.output[0])
         self.assertIn('Unexpected protected header', test_ctx.output[1])
@@ -152,9 +148,10 @@
                     signing_key=signing_key,
                     configuration=config,
                     internal_signing_key=signing_key))
-        self.assertEquals(2, len(test_ctx.output))
+        self.assertEquals(3, len(test_ctx.output))
         self.assertIn('Unexpected tag (0xcdcd) in token SYNTHETIC_TOKEN', test_ctx.output[0])
-        self.assertIn('Unexpected tag (0xabab) in token SYNTHETIC_INTERNAL_TOKEN', test_ctx.output[1])
+        self.assertIn('Invalid Protected header: Missing alg from protected header (expected ES256)', test_ctx.output[1])
+        self.assertIn('Unexpected tag (0xabab) in token SYNTHETIC_INTERNAL_TOKEN', test_ctx.output[2])
 
         # test with missing tag
         with self.assertLogs() as test_ctx:
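Review bot: The changed assertion `self.assertEquals(3, len(test_ctx.output))` uses the `assertEquals` alias, which has been deprecated since Python 3.2 and was removed from `unittest` in Python 3.12; since the line is being rewritten anyway, use `self.assertEqual(3, len(test_ctx.output))`. The same alias sits on unchanged context lines in the two preceding hunks. Separately, the new expectation shows a missing `alg` surfacing as a log entry between the two tag warnings. The configuration in use is outside the hunk, so if it is a keep-going mode, a companion case asserting that a strict configuration rejects the token outright would pin the behaviour that matters for verification. The enclosing test method starts outside the hunk.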
diff --git a/iat-verifier/tests/test_utils.py b/iat-verifier/tests/test_utils.py
index e08d3a2..c769644 100644
--- a/iat-verifier/tests/test_utils.py
+++ b/iat-verifier/tests/test_utils.py
@@ -26,33 +26,31 @@
                 return False
     return True
 
-def convert_map_to_token_bytes(token_map, verifier, add_p_header):
+def convert_map_to_token_bytes(token_map, verifier):
     """Converts a map to cbor token"""
     with BytesIO() as bytes_io:
         encoder = CBOREncoder(bytes_io)
         verifier.convert_map_to_token(
             encoder,
             token_map,
-            add_p_header=add_p_header,
             name_as_key=True,
             parse_raw_value=True,
             root=True)
         return bytes_io.getvalue()
 
-def create_token(data_dir, source_name, verifier, add_p_header):
+def create_token(data_dir, source_name, verifier):
     """Creats a cbor token from a yaml file."""
     source_path = os.path.join(data_dir, source_name)
     token_map = read_token_map(source_path)
-    return convert_map_to_token_bytes(token_map, verifier, add_p_header)
+    return convert_map_to_token_bytes(token_map, verifier)
 
-def create_token_file(data_dir, source_name, verifier, dest_path, *, add_p_header=True):
+def create_token_file(data_dir, source_name, verifier, dest_path):
     """Create a cbor token from a yaml file and write it to a file
     """
     token = create_token(
         data_dir=data_dir,
         source_name=source_name,
-        verifier=verifier,
-        add_p_header=add_p_header)
+        verifier=verifier)
 
     with open(dest_path, 'wb') as wfh:
         wfh.write(token)
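Review bot: The docstrings of `convert_map_to_token_bytes`, `create_token` and `create_token_file` do not say that the protected header is now always emitted and that its content is decided by the verifier, which a reader can no longer see from the signatures. Suggested wording for the first: `"""Convert a map to a CBOR token; the protected header is supplied by the verifier."""`, and `"""Create a CBOR token from a yaml file."""` for `create_token`, which also fixes the "Creats" typo. `read_iat` in the next hunk could likewise state that the protected header is always checked. Any caller outside this diff that still passes `add_p_header=` or `check_p_header=` will now fail with a TypeError, so a repository-wide search for both keywords is worth doing before merging.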
@@ -67,13 +65,12 @@
     return dest_path
 
 
-def read_iat(data_dir, filename, verifier, *, check_p_header=False):
+def read_iat(data_dir, filename, verifier):
     """Read a cbor file and returns the parsed dictionary"""
     filepath = os.path.join(data_dir, filename)
     with open(filepath, 'rb') as file:
         token_item = verifier.parse_token(
             token=file.read(),
-            check_p_header=check_p_header,
             lower_case_key=False)
     token_item.verify()
     token_item.get_token_map()
diff --git a/iat-verifier/tests/test_verifier.py b/iat-verifier/tests/test_verifier.py
index 2ea1b5e..8f64be8 100644
--- a/iat-verifier/tests/test_verifier.py
+++ b/iat-verifier/tests/test_verifier.py
@@ -61,7 +61,6 @@
         with open(good_sig, 'rb') as wfh:
             token_item = verifier_good_sig.parse_token(
                          token=wfh.read(),
-                         check_p_header=False,
                          lower_case_key=False)
             token_item.verify()
 
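Review bot: Removing `check_p_header=False` here and in the bad-signature case of the following hunk means both signature tests now also run the protected-header check, so the negative case can be satisfied by a header error as well as by a signature mismatch. The assertion wrapping the `bad_sig` parse is outside the visible lines; if it only checks that some exception is raised, tightening it to match the signature-failure message would keep the test from passing for the wrong reason. It would also help to add a comment such as `# fixtures carry a valid protected header; failures below must come from the signature` above the `bad_sig` block. The enclosing test method starts and ends outside the hunk.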
@@ -69,7 +68,6 @@
             with open(bad_sig, 'rb') as wfh:
                 token_item = verifier_good_sig.parse_token(
                     token=wfh.read(),
-                    check_p_header=False,
                     lower_case_key=False)
                 token_item.verify()