TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / TF-M / tf-m-tools / f03ea6958ae6f794946b958cc32def8b253e4d16 / . / iat-verifier / tests / test_synthetic.py
blob: 376520942cc696917913dfdaf831439b672af7da [file] [log] [blame]
Mate Toth-Palb2508d52022-04-30 14:10:06 +0200[diff] [blame]1#-------------------------------------------------------------------------------
2# Copyright (c) 2022, Arm Limited. All rights reserved.
3#
4# SPDX-License-Identifier: BSD-3-Clause
5#
6#-------------------------------------------------------------------------------
7
8"""
9This test is used to test features that are not used by the PSA IoT profile1
10tokens
11"""
12
13import os
14import unittest
15
16from iatverifier.util import read_token_map, read_keyfile
17from iatverifier.attest_token_verifier import VerifierConfiguration, AttestationTokenVerifier
Mate Toth-Pale589c452022-07-27 22:02:40 +0200[diff] [blame]18from tests.synthetic_token_verifier import SyntheticTokenVerifier2, SyntheticTokenVerifier
19from test_utils import read_iat, create_and_read_iat, convert_map_to_token_bytes, bytes_equal_to_file
Mate Toth-Palb2508d52022-04-30 14:10:06 +0200[diff] [blame]20
21
22THIS_DIR = os.path.dirname(__file__)
23
24DATA_DIR = os.path.join(THIS_DIR, 'synthetic_data')
25KEY_DIR = os.path.join(THIS_DIR, 'data')
26KEYFILE = os.path.join(KEY_DIR, 'key.pem')
27KEYFILE_ALT = os.path.join(KEY_DIR, 'key-alt.pem')
28
29class TestSynthetic(unittest.TestCase):
30 """Test iat-verifier's nested IAT feature"""
31 def setUp(self):
32 self.config = VerifierConfiguration()
33
34 def test_composite(self):
35 """Test cross claim checking in composite claim"""
36 method=AttestationTokenVerifier.SIGN_METHOD_SIGN1
37 cose_alg=AttestationTokenVerifier.COSE_ALG_ES256
38 signing_key = read_keyfile(KEYFILE, method)
39
40 create_and_read_iat(
41 DATA_DIR,
42 'synthetic_token.yaml',
43 SyntheticTokenVerifier(
44 method=method,
45 cose_alg=cose_alg,
46 signing_key=signing_key,
47 configuration=self.config,
48 internal_signing_key=signing_key))
49
50 with self.assertRaises(ValueError) as test_ctx:
51 create_and_read_iat(
52 DATA_DIR,
53 'synthetic_token_missing_box_dim.yaml',
54 SyntheticTokenVerifier(
55 method=method,
56 cose_alg=cose_alg,
57 signing_key=signing_key,
58 configuration=self.config,
59 internal_signing_key=signing_key))
60 self.assertIn(
61 'Invalid IAT: Box size must have all 3 dimensions', test_ctx.exception.args[0])
62
63 create_and_read_iat(
64 DATA_DIR,
65 'synthetic_token_another_token.yaml',
66 SyntheticTokenVerifier(
67 method=method,
68 cose_alg=cose_alg,
69 signing_key=signing_key,
70 configuration=self.config,
71 internal_signing_key=signing_key))
72
73 with self.assertRaises(ValueError) as test_ctx:
74 create_and_read_iat(
75 DATA_DIR,
76 'synthetic_token_another_token_missing_box_dim.yaml',
77 SyntheticTokenVerifier(method=method,
78 cose_alg=cose_alg,
79 signing_key=signing_key,
80 configuration=self.config,
81 internal_signing_key=signing_key))
82 self.assertIn(
83 'Invalid IAT: Box size must have all 3 dimensions', test_ctx.exception.args[0])
84
85 def test_protected_header(self):
86 """Test protected header detection"""
87 source_path = os.path.join(DATA_DIR, 'synthetic_token_another_token.yaml')
88 token_map = read_token_map(source_path)
89
90 method=AttestationTokenVerifier.SIGN_METHOD_SIGN1
91 cose_alg=AttestationTokenVerifier.COSE_ALG_ES256
92 signing_key = read_keyfile(KEYFILE, method)
Mate Toth-Pal138637a2022-07-28 10:57:06 +0200[diff] [blame]93 config = VerifierConfiguration(keep_going=True, strict=True)
Mate Toth-Palb2508d52022-04-30 14:10:06 +0200[diff] [blame]94
95 verifier = SyntheticTokenVerifier(
96 method=method,
97 cose_alg=cose_alg,
98 signing_key=signing_key,
99 configuration=self.config,
100 internal_signing_key=signing_key)
101
102 token_p_header = convert_map_to_token_bytes(token_map, verifier, add_p_header=True)
103 token_no_p_header = convert_map_to_token_bytes(token_map, verifier, add_p_header=False)
104
105 self.assertTrue(
106 bytes_equal_to_file(token_p_header, os.path.join(DATA_DIR, 'p_header_on.cbor')))
107 self.assertTrue(
108 bytes_equal_to_file(token_no_p_header, os.path.join(DATA_DIR, 'p_header_off.cbor')))
Mate Toth-Pale589c452022-07-27 22:02:40 +0200[diff] [blame]109
Mate Toth-Pal138637a2022-07-28 10:57:06 +0200[diff] [blame]110 with self.assertLogs() as test_ctx:
111 read_iat(
112 DATA_DIR,
113 'inverted_p_header.cbor',
114 SyntheticTokenVerifier(method=method,
115 cose_alg=cose_alg,
116 signing_key=signing_key,
117 configuration=config,
118 internal_signing_key=signing_key),
119 check_p_header=True)
120 self.assertEquals(2, len(test_ctx.output))
121 self.assertIn('Unexpected protected header', test_ctx.output[0])
122 self.assertIn('Missing alg from protected header (expected ES256)', test_ctx.output[1])
123
124 with self.assertLogs() as test_ctx:
125 read_iat(
126 DATA_DIR,
127 'inverted_p_header2.cbor',
128 SyntheticTokenVerifier2(method=method,
129 cose_alg=cose_alg,
130 signing_key=signing_key,
131 configuration=config,
132 internal_signing_key=signing_key),
133 check_p_header=True)
134 self.assertEquals(2, len(test_ctx.output))
135 self.assertIn('Missing alg from protected header (expected ES256)', test_ctx.output[0])
136 self.assertIn('Unexpected protected header', test_ctx.output[1])
137
Mate Toth-Pale589c452022-07-27 22:02:40 +0200[diff] [blame]138 def test_tagging_support(self):
139 method=AttestationTokenVerifier.SIGN_METHOD_SIGN1
140 cose_alg=AttestationTokenVerifier.COSE_ALG_ES256
141
142 signing_key = read_keyfile(KEYFILE, method)
Mate Toth-Pal138637a2022-07-28 10:57:06 +0200[diff] [blame]143 config = VerifierConfiguration(keep_going=True, strict=True)
Mate Toth-Pale589c452022-07-27 22:02:40 +0200[diff] [blame]144
145 # test with unexpected tag
146 with self.assertLogs() as test_ctx:
147 read_iat(
148 DATA_DIR,
149 'unexpected_tags.cbor',
150 SyntheticTokenVerifier(method=method,
151 cose_alg=cose_alg,
152 signing_key=signing_key,
Mate Toth-Pal138637a2022-07-28 10:57:06 +0200[diff] [blame]153 configuration=config,
Mate Toth-Pale589c452022-07-27 22:02:40 +0200[diff] [blame]154 internal_signing_key=signing_key))
155 self.assertEquals(2, len(test_ctx.output))
156 self.assertIn('Unexpected tag (0xcdcd) in token SYNTHETIC_TOKEN', test_ctx.output[0])
157 self.assertIn('Unexpected tag (0xabab) in token SYNTHETIC_INTERNAL_TOKEN', test_ctx.output[1])
158
159 # test with missing tag
160 with self.assertLogs() as test_ctx:
161 read_iat(
162 DATA_DIR,
163 'missing_tags.cbor',
164 SyntheticTokenVerifier2(method=method,
165 cose_alg=cose_alg,
166 signing_key=signing_key,
Mate Toth-Pal138637a2022-07-28 10:57:06 +0200[diff] [blame]167 configuration=config,
Mate Toth-Pale589c452022-07-27 22:02:40 +0200[diff] [blame]168 internal_signing_key=signing_key))
169 self.assertEquals(2, len(test_ctx.output))
170 self.assertIn('token SYNTHETIC_TOKEN_2 should be wrapped in tag 0xaabb', test_ctx.output[0])
171 self.assertIn('token SYNTHETIC_INTERNAL_TOKEN_2 should be wrapped in tag 0xbbaa', test_ctx.output[1])
172
173 # Test Invalid tag values
174 with self.assertLogs() as test_ctx:
175 read_iat(
176 DATA_DIR,
177 'invalid_tags.cbor',
178 SyntheticTokenVerifier2(method=method,
179 cose_alg=cose_alg,
180 signing_key=signing_key,
Mate Toth-Pal138637a2022-07-28 10:57:06 +0200[diff] [blame]181 configuration=config,
Mate Toth-Pale589c452022-07-27 22:02:40 +0200[diff] [blame]182 internal_signing_key=signing_key))
183 self.assertEquals(2, len(test_ctx.output))
184 self.assertIn('token SYNTHETIC_TOKEN_2 is wrapped in tag 0xabab instead of 0xaabb', test_ctx.output[0])
185 self.assertIn('token SYNTHETIC_INTERNAL_TOKEN_2 is wrapped in tag 0xbaba instead of 0xbbaa', test_ctx.output[1])
186
187 # Test proper tagging
188 read_iat(
189 DATA_DIR,
190 'correct_tagging.cbor',
191 SyntheticTokenVerifier2(method=method,
192 cose_alg=cose_alg,
193 signing_key=signing_key,
194 configuration=self.config,
195 internal_signing_key=signing_key))