chore(iatverifier): update pycose (0.0.1->1.1.0)
This change is in preparation for updating the CCA realm token to encode
the RAK as COSE_Key.
Change-Id: I745207a8d2d1d20e36503cbbc4ad38b6379e3a28
Co-authored-by: Mate Toth-Pal <mate.toth-pal@arm.com>
Co-authored-by: Thomas Fossati <thomas.fossati@linaro.org>
Signed-off-by: Thomas Fossati <thomas.fossati@linaro.org>
diff --git a/iat-verifier/tests/data/hmac.key b/iat-verifier/tests/data/hmac.key
index e9569f1..daca3d9 100644
--- a/iat-verifier/tests/data/hmac.key
+++ b/iat-verifier/tests/data/hmac.key
Binary files differ
diff --git a/iat-verifier/tests/data/iat-hmac.cbor b/iat-verifier/tests/data/iat-hmac.cbor
index eb163b0..afd8828 100644
--- a/iat-verifier/tests/data/iat-hmac.cbor
+++ b/iat-verifier/tests/data/iat-hmac.cbor
Binary files differ
diff --git a/iat-verifier/tests/data/iat.yaml b/iat-verifier/tests/data/iat.yaml
index 8c53d1a..7554a99 100644
--- a/iat-verifier/tests/data/iat.yaml
+++ b/iat-verifier/tests/data/iat.yaml
@@ -15,7 +15,7 @@
instance_id: !!binary |
AQcGBQQDAgEADw4NDAsKCQgXFhUUExIREB8eHRwbGhkY
profile_id: http://example.com
-security_lifecycle: SL_SECURED
+security_lifecycle: sl_secured
sw_components:
- measurement_description: TF-M_SHA256MemPreXIP
measurement_value: !!binary |
diff --git a/iat-verifier/tests/data/psa-2_0_0_token.yaml b/iat-verifier/tests/data/psa-2_0_0_token.yaml
index 166ab3b..9b180b7 100644
--- a/iat-verifier/tests/data/psa-2_0_0_token.yaml
+++ b/iat-verifier/tests/data/psa-2_0_0_token.yaml
@@ -10,7 +10,7 @@
instance_id: !!binary |
AfpYdV9lhifOVGDym3UpZxMkjK562eKYS5AoDvy8tQJI
profile_id: http://arm.com/psa/2.0.0
-security_lifecycle: SL_SECURED
+security_lifecycle: sl_secured
sw_components:
- measurement_description: sha-256
measurement_value: !!binary |
diff --git a/iat-verifier/tests/synthetic_data/correct_tagging.cbor b/iat-verifier/tests/synthetic_data/correct_tagging.cbor
index e25fcdb..db837a3 100644
--- a/iat-verifier/tests/synthetic_data/correct_tagging.cbor
+++ b/iat-verifier/tests/synthetic_data/correct_tagging.cbor
Binary files differ
diff --git a/iat-verifier/tests/synthetic_data/invalid_tags.cbor b/iat-verifier/tests/synthetic_data/invalid_tags.cbor
index d155d1a..9f56e3e 100644
--- a/iat-verifier/tests/synthetic_data/invalid_tags.cbor
+++ b/iat-verifier/tests/synthetic_data/invalid_tags.cbor
Binary files differ
diff --git a/iat-verifier/tests/synthetic_data/inverted_p_header.cbor b/iat-verifier/tests/synthetic_data/inverted_p_header.cbor
deleted file mode 100644
index f5c2bb0..0000000
--- a/iat-verifier/tests/synthetic_data/inverted_p_header.cbor
+++ /dev/null
Binary files differ
diff --git a/iat-verifier/tests/synthetic_data/inverted_p_header2.cbor b/iat-verifier/tests/synthetic_data/inverted_p_header2.cbor
deleted file mode 100644
index 7969e64..0000000
--- a/iat-verifier/tests/synthetic_data/inverted_p_header2.cbor
+++ /dev/null
Binary files differ
diff --git a/iat-verifier/tests/synthetic_data/missing_tags.cbor b/iat-verifier/tests/synthetic_data/missing_tags.cbor
index f9f2fb6..f964449 100644
--- a/iat-verifier/tests/synthetic_data/missing_tags.cbor
+++ b/iat-verifier/tests/synthetic_data/missing_tags.cbor
Binary files differ
diff --git a/iat-verifier/tests/synthetic_data/p_header_on.cbor b/iat-verifier/tests/synthetic_data/p_header_on.cbor
deleted file mode 100644
index 3b628c0..0000000
--- a/iat-verifier/tests/synthetic_data/p_header_on.cbor
+++ /dev/null
Binary files differ
diff --git a/iat-verifier/tests/synthetic_data/unexpected_tags.cbor b/iat-verifier/tests/synthetic_data/unexpected_tags.cbor
index 172bf82..b514754 100644
--- a/iat-verifier/tests/synthetic_data/unexpected_tags.cbor
+++ b/iat-verifier/tests/synthetic_data/unexpected_tags.cbor
Binary files differ
diff --git a/iat-verifier/tests/synthetic_data/unknown_claims.cbor b/iat-verifier/tests/synthetic_data/unknown_claims.cbor
index 58987a2..3bd8ac4 100644
--- a/iat-verifier/tests/synthetic_data/unknown_claims.cbor
+++ b/iat-verifier/tests/synthetic_data/unknown_claims.cbor
Binary files differ
diff --git a/iat-verifier/tests/synthetic_token_verifier.py b/iat-verifier/tests/synthetic_token_verifier.py
index 96d9a8c..80d9f8a 100644
--- a/iat-verifier/tests/synthetic_token_verifier.py
+++ b/iat-verifier/tests/synthetic_token_verifier.py
@@ -10,6 +10,9 @@
token types.
"""
+from pycose.headers import Algorithm
+from pycose.algorithms import Es256
+
from iatverifier.attest_token_verifier import AttestationTokenVerifier as Verifier
from iatverifier.attest_token_verifier import AttestationClaim as Claim
from tests.synthetic_token_claims import SynClaimInt, SynBoxesClaim, BoxWidthClaim
@@ -24,14 +27,19 @@
return 'SYNTHETIC_TOKEN'
def _get_p_header(self):
- return None
+ return {Algorithm: self._get_cose_alg()}
def _get_wrapping_tag(self):
return None
def _parse_p_header(self, msg):
- if (len(msg.protected_header) > 0):
- raise ValueError('Unexpected protected header')
+ alg = self._get_cose_alg()
+ try:
+ msg_alg = msg.get_attr(Algorithm)
+ except AttributeError:
+ raise ValueError('Missing alg from protected header (expected {})'.format(alg))
+ if alg != msg_alg:
+ raise ValueError('Unexpected alg in protected header (expected {} instead of {})'.format(alg, msg_alg))
def __init__(self, *, method, cose_alg, signing_key, configuration, internal_signing_key):
# First prepare the claim hierarchy for this token
@@ -61,7 +69,7 @@
(BoxColorClaim, {'verifier': self, 'necessity': Claim.MANDATORY}),
(SyntheticInternalTokenVerifier, {'necessity': Claim.OPTIONAL,
'method': Verifier.SIGN_METHOD_SIGN1,
- 'cose_alg': Verifier.COSE_ALG_ES256,
+ 'cose_alg': Es256,
'claims': internal_verifier_claims,
'configuration': configuration,
'signing_key': internal_signing_key}),
@@ -94,13 +102,13 @@
return 'SYNTHETIC_TOKEN_2'
def _get_p_header(self):
- return {'alg': self.cose_alg}
+ return {Algorithm: self._get_cose_alg()}
def _parse_p_header(self, msg):
alg = self._get_cose_alg()
try:
- msg_alg = msg.protected_header['alg']
- except KeyError as exc:
+ msg_alg = msg.get_attr(Algorithm)
+ except AttributeError as exc:
raise ValueError(f'Missing alg from protected header (expected {alg})') from exc
if alg != msg_alg:
raise ValueError('Unexpected alg in protected header ' +
@@ -137,7 +145,7 @@
(BoxColorClaim, {'verifier': self, 'necessity': Claim.MANDATORY}),
(SyntheticInternalTokenVerifier2, {'necessity': Claim.OPTIONAL,
'method': Verifier.SIGN_METHOD_SIGN1,
- 'cose_alg': Verifier.COSE_ALG_ES256,
+ 'cose_alg': Es256,
'claims': internal_verifier_claims,
'configuration': configuration,
'signing_key': internal_signing_key}),
@@ -171,13 +179,13 @@
return 'SYNTHETIC_INTERNAL_TOKEN'
def _get_p_header(self):
- return {'alg': self.cose_alg}
+ return {Algorithm: self._get_cose_alg()}
def _parse_p_header(self, msg):
alg = self._get_cose_alg()
try:
- msg_alg = msg.protected_header['alg']
- except KeyError as exc:
+ msg_alg = msg.get_attr(Algorithm)
+ except AttributeError as exc:
raise ValueError(f'Missing alg from protected header (expected {alg})') from exc
if alg != msg_alg:
raise ValueError('Unexpected alg in protected header ' +
@@ -213,11 +221,16 @@
return 'SYNTHETIC_INTERNAL_TOKEN_2'
def _get_p_header(self):
- return None
+ return {Algorithm: self._get_cose_alg()}
def _parse_p_header(self, msg):
- if (len(msg.protected_header) > 0):
- raise ValueError('Unexpected protected header')
+ alg = self._get_cose_alg()
+ try:
+ msg_alg = msg.get_attr(Algorithm)
+ except AttributeError:
+ raise ValueError('Missing alg from protected header (expected {})'.format(alg))
+ if alg != msg_alg:
+ raise ValueError('Unexpected alg in protected header (expected {} instead of {})'.format(alg, msg_alg))
def _get_wrapping_tag(self):
return 0xbbaa
diff --git a/iat-verifier/tests/test_synthetic.py b/iat-verifier/tests/test_synthetic.py
index 796e845..89d529d 100644
--- a/iat-verifier/tests/test_synthetic.py
+++ b/iat-verifier/tests/test_synthetic.py
@@ -13,6 +13,8 @@
import os
import unittest
+from pycose.algorithms import Es256, Es384
+
from iatverifier.util import read_token_map, read_keyfile
from iatverifier.attest_token_verifier import VerifierConfiguration, AttestationTokenVerifier
from tests.synthetic_token_verifier import SyntheticTokenVerifier2, SyntheticTokenVerifier
@@ -35,7 +37,7 @@
def test_composite(self):
"""Test cross claim checking in composite claim"""
method=AttestationTokenVerifier.SIGN_METHOD_SIGN1
- cose_alg=AttestationTokenVerifier.COSE_ALG_ES256
+ cose_alg=Es256
signing_key = read_keyfile(KEYFILE, method)
create_and_read_iat(
@@ -83,57 +85,9 @@
self.assertIn(
'Invalid IAT: Box size must have all 3 dimensions', test_ctx.exception.args[0])
- def test_protected_header(self):
- """Test protected header detection"""
- source_path = os.path.join(DATA_DIR, 'synthetic_token_another_token.yaml')
- token_map = read_token_map(source_path)
-
- method=AttestationTokenVerifier.SIGN_METHOD_SIGN1
- cose_alg=AttestationTokenVerifier.COSE_ALG_ES256
- signing_key = read_keyfile(KEYFILE, method)
- config = VerifierConfiguration(keep_going=True, strict=True)
-
- verifier = SyntheticTokenVerifier(
- method=method,
- cose_alg=cose_alg,
- signing_key=signing_key,
- configuration=self.config,
- internal_signing_key=signing_key)
-
- token_p_header = convert_map_to_token_bytes(token_map, verifier)
-
- self.assertTrue(
- bytes_equal_to_file(token_p_header, os.path.join(DATA_DIR, 'p_header_on.cbor')))
-
- with self.assertLogs() as test_ctx:
- read_iat(
- DATA_DIR,
- 'inverted_p_header.cbor',
- SyntheticTokenVerifier(method=method,
- cose_alg=cose_alg,
- signing_key=signing_key,
- configuration=config,
- internal_signing_key=signing_key))
- self.assertEquals(2, len(test_ctx.output))
- self.assertIn('Unexpected protected header', test_ctx.output[0])
- self.assertIn('Missing alg from protected header (expected ES256)', test_ctx.output[1])
-
- with self.assertLogs() as test_ctx:
- read_iat(
- DATA_DIR,
- 'inverted_p_header2.cbor',
- SyntheticTokenVerifier2(method=method,
- cose_alg=cose_alg,
- signing_key=signing_key,
- configuration=config,
- internal_signing_key=signing_key))
- self.assertEquals(2, len(test_ctx.output))
- self.assertIn('Missing alg from protected header (expected ES256)', test_ctx.output[0])
- self.assertIn('Unexpected protected header', test_ctx.output[1])
-
def test_tagging_support(self):
method=AttestationTokenVerifier.SIGN_METHOD_SIGN1
- cose_alg=AttestationTokenVerifier.COSE_ALG_ES256
+ cose_alg=Es256
signing_key = read_keyfile(KEYFILE, method)
config = VerifierConfiguration(keep_going=True, strict=True)
@@ -148,10 +102,9 @@
signing_key=signing_key,
configuration=config,
internal_signing_key=signing_key))
- self.assertEquals(3, len(test_ctx.output))
+ self.assertEquals(2, len(test_ctx.output))
self.assertIn('Unexpected tag (0xcdcd) in token SYNTHETIC_TOKEN', test_ctx.output[0])
- self.assertIn('Invalid Protected header: Missing alg from protected header (expected ES256)', test_ctx.output[1])
- self.assertIn('Unexpected tag (0xabab) in token SYNTHETIC_INTERNAL_TOKEN', test_ctx.output[2])
+ self.assertIn('Unexpected tag (0xabab) in token SYNTHETIC_INTERNAL_TOKEN', test_ctx.output[1])
# test with missing tag
with self.assertLogs() as test_ctx:
@@ -194,7 +147,7 @@
def test_unknown_claims(self):
method=AttestationTokenVerifier.SIGN_METHOD_SIGN1
- cose_alg=AttestationTokenVerifier.COSE_ALG_ES256
+ cose_alg=Es256
signing_key = read_keyfile(KEYFILE, method)
config = VerifierConfiguration(keep_going=True, strict=False)
diff --git a/iat-verifier/tests/test_utils.py b/iat-verifier/tests/test_utils.py
index c769644..ab7c182 100644
--- a/iat-verifier/tests/test_utils.py
+++ b/iat-verifier/tests/test_utils.py
@@ -39,7 +39,7 @@
return bytes_io.getvalue()
def create_token(data_dir, source_name, verifier):
- """Creats a cbor token from a yaml file."""
+ """Create a cbor token from a yaml file."""
source_path = os.path.join(data_dir, source_name)
token_map = read_token_map(source_path)
return convert_map_to_token_bytes(token_map, verifier)
diff --git a/iat-verifier/tests/test_verifier.py b/iat-verifier/tests/test_verifier.py
index 2b7fe92..48604b1 100644
--- a/iat-verifier/tests/test_verifier.py
+++ b/iat-verifier/tests/test_verifier.py
@@ -10,6 +10,8 @@
import os
import unittest
+from pycose.algorithms import Es256, Es384
+
from iatverifier.psa_iot_profile1_token_verifier import PSAIoTProfile1TokenVerifier
from iatverifier.cca_token_verifier import CCATokenVerifier, CCAPlatformTokenVerifier
from iatverifier.util import read_keyfile
@@ -38,7 +40,7 @@
def test_validate_signature(self):
"""Testing Signature validation"""
method=AttestationTokenVerifier.SIGN_METHOD_SIGN1
- cose_alg=AttestationTokenVerifier.COSE_ALG_ES256
+ cose_alg=Es256
signing_key = read_keyfile(KEYFILE, method)
verifier_good_sig = PSAIoTProfile1TokenVerifier(
@@ -77,7 +79,7 @@
"""Testing IAT structure validation"""
keep_going_conf = VerifierConfiguration(keep_going=True)
method=AttestationTokenVerifier.SIGN_METHOD_SIGN1
- cose_alg=AttestationTokenVerifier.COSE_ALG_ES256
+ cose_alg=Es256
signing_key = read_keyfile(KEYFILE, method)
realm_token_key = read_keyfile(KEYFILE_CCA_REALM, method)
realm_token_key2 = read_keyfile(KEYFILE_CCA_REALM2, method)
@@ -97,10 +99,10 @@
'valid-cca-token.yaml',
CCATokenVerifier(
realm_token_method=method,
- realm_token_cose_alg=AttestationTokenVerifier.COSE_ALG_ES384,
+ realm_token_cose_alg=Es384,
realm_token_key=realm_token_key,
platform_token_method=method,
- platform_token_cose_alg=AttestationTokenVerifier.COSE_ALG_ES384,
+ platform_token_cose_alg=Es384,
platform_token_key=platform_token_key,
configuration=self.config))
@@ -109,7 +111,7 @@
'cca_platform_token.yaml',
CCAPlatformTokenVerifier(
method=method,
- cose_alg=AttestationTokenVerifier.COSE_ALG_ES384,
+ cose_alg=Es384,
signing_key=platform_token_key,
configuration=self.config,
necessity=AttestationClaim.MANDATORY))
@@ -120,10 +122,10 @@
'cca-invalid-plat-challenge.yaml',
CCATokenVerifier(
realm_token_method=method,
- realm_token_cose_alg=AttestationTokenVerifier.COSE_ALG_ES384,
+ realm_token_cose_alg=Es384,
realm_token_key=realm_token_key,
platform_token_method=method,
- platform_token_cose_alg=AttestationTokenVerifier.COSE_ALG_ES384,
+ platform_token_cose_alg=Es384,
platform_token_key=platform_token_key,
configuration=self.config))
self.assertIn("Invalid CCA_PLATFORM_CHALLENGE byte at 16: 0x00 instead of 0xe4", test_ctx.exception.args[0])
@@ -134,10 +136,10 @@
'valid-cca-token.yaml',
CCATokenVerifier(
realm_token_method=method,
- realm_token_cose_alg=AttestationTokenVerifier.COSE_ALG_ES384,
+ realm_token_cose_alg=Es384,
realm_token_key=realm_token_key2,
platform_token_method=method,
- platform_token_cose_alg=AttestationTokenVerifier.COSE_ALG_ES384,
+ platform_token_cose_alg=Es384,
platform_token_key=platform_token_key,
configuration=self.config))
self.assertIn("Realm signature doesn't match Realm Public Key claim in Realm token", test_ctx.exception.args[0])
@@ -243,7 +245,7 @@
def test_binary_string_decoding(self):
"""Test binary_string decoding"""
method=AttestationTokenVerifier.SIGN_METHOD_SIGN1
- cose_alg=AttestationTokenVerifier.COSE_ALG_ES256
+ cose_alg=Es256
signing_key = read_keyfile(KEYFILE, method)
iat = create_and_read_iat(
DATA_DIR,
@@ -257,7 +259,7 @@
def test_security_lifecycle_decoding(self):
"""Test security lifecycle decoding"""
method=AttestationTokenVerifier.SIGN_METHOD_SIGN1
- cose_alg=AttestationTokenVerifier.COSE_ALG_ES256
+ cose_alg=Es256
signing_key = read_keyfile(KEYFILE, method)
iat = create_and_read_iat(
DATA_DIR,