TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / TF-M / tf-m-tools / 1093a8a1d898e22be3bcb6e881c8cf8abc27f227 / . / iat-verifier / tests / test_synthetic.py
blob: 37775f3e486b75e546c7ff61852a1653f36a9d1b [file] [log] [blame]
Mate Toth-Palb2508d52022-04-30 14:10:06 +0200[diff] [blame]1#-------------------------------------------------------------------------------
2# Copyright (c) 2022, Arm Limited. All rights reserved.
3#
4# SPDX-License-Identifier: BSD-3-Clause
5#
6#-------------------------------------------------------------------------------
7
8"""
9This test is used to test features that are not used by the PSA IoT profile1
10tokens
11"""
12
13import os
14import unittest
15
16from iatverifier.util import read_token_map, read_keyfile
17from iatverifier.attest_token_verifier import VerifierConfiguration, AttestationTokenVerifier
Mate Toth-Pale589c452022-07-27 22:02:40 +0200[diff] [blame]18from tests.synthetic_token_verifier import SyntheticTokenVerifier2, SyntheticTokenVerifier
19from test_utils import read_iat, create_and_read_iat, convert_map_to_token_bytes, bytes_equal_to_file
Mate Toth-Palb2508d52022-04-30 14:10:06 +0200[diff] [blame]20
21
22THIS_DIR = os.path.dirname(__file__)
23
24DATA_DIR = os.path.join(THIS_DIR, 'synthetic_data')
25KEY_DIR = os.path.join(THIS_DIR, 'data')
26KEYFILE = os.path.join(KEY_DIR, 'key.pem')
27KEYFILE_ALT = os.path.join(KEY_DIR, 'key-alt.pem')
28
29class TestSynthetic(unittest.TestCase):
30 """Test iat-verifier's nested IAT feature"""
31 def setUp(self):
32 self.config = VerifierConfiguration()
33
34 def test_composite(self):
35 """Test cross claim checking in composite claim"""
36 method=AttestationTokenVerifier.SIGN_METHOD_SIGN1
37 cose_alg=AttestationTokenVerifier.COSE_ALG_ES256
38 signing_key = read_keyfile(KEYFILE, method)
39
40 create_and_read_iat(
41 DATA_DIR,
42 'synthetic_token.yaml',
43 SyntheticTokenVerifier(
44 method=method,
45 cose_alg=cose_alg,
46 signing_key=signing_key,
47 configuration=self.config,
48 internal_signing_key=signing_key))
49
50 with self.assertRaises(ValueError) as test_ctx:
51 create_and_read_iat(
52 DATA_DIR,
53 'synthetic_token_missing_box_dim.yaml',
54 SyntheticTokenVerifier(
55 method=method,
56 cose_alg=cose_alg,
57 signing_key=signing_key,
58 configuration=self.config,
59 internal_signing_key=signing_key))
60 self.assertIn(
61 'Invalid IAT: Box size must have all 3 dimensions', test_ctx.exception.args[0])
62
63 create_and_read_iat(
64 DATA_DIR,
65 'synthetic_token_another_token.yaml',
66 SyntheticTokenVerifier(
67 method=method,
68 cose_alg=cose_alg,
69 signing_key=signing_key,
70 configuration=self.config,
71 internal_signing_key=signing_key))
72
73 with self.assertRaises(ValueError) as test_ctx:
74 create_and_read_iat(
75 DATA_DIR,
76 'synthetic_token_another_token_missing_box_dim.yaml',
77 SyntheticTokenVerifier(method=method,
78 cose_alg=cose_alg,
79 signing_key=signing_key,
80 configuration=self.config,
81 internal_signing_key=signing_key))
82 self.assertIn(
83 'Invalid IAT: Box size must have all 3 dimensions', test_ctx.exception.args[0])
84
85 def test_protected_header(self):
86 """Test protected header detection"""
87 source_path = os.path.join(DATA_DIR, 'synthetic_token_another_token.yaml')
88 token_map = read_token_map(source_path)
89
90 method=AttestationTokenVerifier.SIGN_METHOD_SIGN1
91 cose_alg=AttestationTokenVerifier.COSE_ALG_ES256
92 signing_key = read_keyfile(KEYFILE, method)
Mate Toth-Pal138637a2022-07-28 10:57:06 +0200[diff] [blame]93 config = VerifierConfiguration(keep_going=True, strict=True)
Mate Toth-Palb2508d52022-04-30 14:10:06 +0200[diff] [blame]94
95 verifier = SyntheticTokenVerifier(
96 method=method,
97 cose_alg=cose_alg,
98 signing_key=signing_key,
99 configuration=self.config,
100 internal_signing_key=signing_key)
101
102 token_p_header = convert_map_to_token_bytes(token_map, verifier, add_p_header=True)
103 token_no_p_header = convert_map_to_token_bytes(token_map, verifier, add_p_header=False)
104
105 self.assertTrue(
106 bytes_equal_to_file(token_p_header, os.path.join(DATA_DIR, 'p_header_on.cbor')))
107 self.assertTrue(
108 bytes_equal_to_file(token_no_p_header, os.path.join(DATA_DIR, 'p_header_off.cbor')))
Mate Toth-Pale589c452022-07-27 22:02:40 +0200[diff] [blame]109
Mate Toth-Pal138637a2022-07-28 10:57:06 +0200[diff] [blame]110 with self.assertLogs() as test_ctx:
111 read_iat(
112 DATA_DIR,
113 'inverted_p_header.cbor',
114 SyntheticTokenVerifier(method=method,
115 cose_alg=cose_alg,
116 signing_key=signing_key,
117 configuration=config,
118 internal_signing_key=signing_key),
119 check_p_header=True)
120 self.assertEquals(2, len(test_ctx.output))
121 self.assertIn('Unexpected protected header', test_ctx.output[0])
122 self.assertIn('Missing alg from protected header (expected ES256)', test_ctx.output[1])
123
124 with self.assertLogs() as test_ctx:
125 read_iat(
126 DATA_DIR,
127 'inverted_p_header2.cbor',
128 SyntheticTokenVerifier2(method=method,
129 cose_alg=cose_alg,
130 signing_key=signing_key,
131 configuration=config,
132 internal_signing_key=signing_key),
133 check_p_header=True)
134 self.assertEquals(2, len(test_ctx.output))
135 self.assertIn('Missing alg from protected header (expected ES256)', test_ctx.output[0])
136 self.assertIn('Unexpected protected header', test_ctx.output[1])
137
Mate Toth-Pale589c452022-07-27 22:02:40 +0200[diff] [blame]138 def test_tagging_support(self):
139 method=AttestationTokenVerifier.SIGN_METHOD_SIGN1
140 cose_alg=AttestationTokenVerifier.COSE_ALG_ES256
141
142 signing_key = read_keyfile(KEYFILE, method)
Mate Toth-Pal138637a2022-07-28 10:57:06 +0200[diff] [blame]143 config = VerifierConfiguration(keep_going=True, strict=True)
Mate Toth-Pale589c452022-07-27 22:02:40 +0200[diff] [blame]144
145 # test with unexpected tag
146 with self.assertLogs() as test_ctx:
147 read_iat(
148 DATA_DIR,
149 'unexpected_tags.cbor',
150 SyntheticTokenVerifier(method=method,
151 cose_alg=cose_alg,
152 signing_key=signing_key,
Mate Toth-Pal138637a2022-07-28 10:57:06 +0200[diff] [blame]153 configuration=config,
Mate Toth-Pale589c452022-07-27 22:02:40 +0200[diff] [blame]154 internal_signing_key=signing_key))
155 self.assertEquals(2, len(test_ctx.output))
156 self.assertIn('Unexpected tag (0xcdcd) in token SYNTHETIC_TOKEN', test_ctx.output[0])
157 self.assertIn('Unexpected tag (0xabab) in token SYNTHETIC_INTERNAL_TOKEN', test_ctx.output[1])
158
159 # test with missing tag
160 with self.assertLogs() as test_ctx:
161 read_iat(
162 DATA_DIR,
163 'missing_tags.cbor',
164 SyntheticTokenVerifier2(method=method,
165 cose_alg=cose_alg,
166 signing_key=signing_key,
Mate Toth-Pal138637a2022-07-28 10:57:06 +0200[diff] [blame]167 configuration=config,
Mate Toth-Pale589c452022-07-27 22:02:40 +0200[diff] [blame]168 internal_signing_key=signing_key))
169 self.assertEquals(2, len(test_ctx.output))
170 self.assertIn('token SYNTHETIC_TOKEN_2 should be wrapped in tag 0xaabb', test_ctx.output[0])
171 self.assertIn('token SYNTHETIC_INTERNAL_TOKEN_2 should be wrapped in tag 0xbbaa', test_ctx.output[1])
172
173 # Test Invalid tag values
174 with self.assertLogs() as test_ctx:
175 read_iat(
176 DATA_DIR,
177 'invalid_tags.cbor',
178 SyntheticTokenVerifier2(method=method,
179 cose_alg=cose_alg,
180 signing_key=signing_key,
Mate Toth-Pal138637a2022-07-28 10:57:06 +0200[diff] [blame]181 configuration=config,
Mate Toth-Pale589c452022-07-27 22:02:40 +0200[diff] [blame]182 internal_signing_key=signing_key))
183 self.assertEquals(2, len(test_ctx.output))
184 self.assertIn('token SYNTHETIC_TOKEN_2 is wrapped in tag 0xabab instead of 0xaabb', test_ctx.output[0])
185 self.assertIn('token SYNTHETIC_INTERNAL_TOKEN_2 is wrapped in tag 0xbaba instead of 0xbbaa', test_ctx.output[1])
186
187 # Test proper tagging
188 read_iat(
189 DATA_DIR,
190 'correct_tagging.cbor',
191 SyntheticTokenVerifier2(method=method,
192 cose_alg=cose_alg,
193 signing_key=signing_key,
194 configuration=self.config,
195 internal_signing_key=signing_key))
Mate Toth-Pal1093a8a2022-08-23 09:48:41 +0200[diff] [blame^]196
197 def test_unknown_claims(self):
198
199 method=AttestationTokenVerifier.SIGN_METHOD_SIGN1
200 cose_alg=AttestationTokenVerifier.COSE_ALG_ES256
201 signing_key = read_keyfile(KEYFILE, method)
202 config = VerifierConfiguration(keep_going=True, strict=False)
203
204 test_verifier=SyntheticTokenVerifier2(method=method,
205 cose_alg=cose_alg,
206 signing_key=signing_key,
207 configuration=config,
208 internal_signing_key=signing_key)
209
210 with self.assertLogs() as test_ctx:
211 read_iat(
212 DATA_DIR,
213 'unknown_claims.cbor',
214 test_verifier)
215 self.assertEquals(4, len(test_ctx.output))
216 self.assertIn('Unexpected TOKEN_CLAIM claim: 9901, skipping', test_ctx.output[0])
217 self.assertIn('Unexpected SYN_BOXES claim: 9902, skipping', test_ctx.output[1])
218 self.assertIn('Unexpected TOKEN_CLAIM claim: 9903, skipping', test_ctx.output[2])
219 self.assertIn('Unexpected SYN_BOXES claim: 9904, skipping', test_ctx.output[3])
220
221 config = VerifierConfiguration(keep_going=True, strict=True)
222
223 test_verifier=SyntheticTokenVerifier2(method=method,
224 cose_alg=cose_alg,
225 signing_key=signing_key,
226 configuration=config,
227 internal_signing_key=signing_key)
228
229 with self.assertLogs() as test_ctx:
230 read_iat(
231 DATA_DIR,
232 'unknown_claims.cbor',
233 test_verifier)
234 self.assertEquals(4, len(test_ctx.output))
235 self.assertIn('ERROR:iat-verifiers:Unexpected TOKEN_CLAIM claim: 9901', test_ctx.output[0])
236 self.assertIn('ERROR:iat-verifiers:Unexpected SYN_BOXES claim: 9902', test_ctx.output[1])
237 self.assertIn('ERROR:iat-verifiers:Unexpected TOKEN_CLAIM claim: 9903', test_ctx.output[2])
238 self.assertIn('ERROR:iat-verifiers:Unexpected SYN_BOXES claim: 9904', test_ctx.output[3])
239
240 config = VerifierConfiguration(keep_going=False, strict=False)
241
242 test_verifier=SyntheticTokenVerifier2(method=method,
243 cose_alg=cose_alg,
244 signing_key=signing_key,
245 configuration=config,
246 internal_signing_key=signing_key)
247
248 with self.assertLogs() as test_ctx:
249 read_iat(
250 DATA_DIR,
251 'unknown_claims.cbor',
252 test_verifier)
253 self.assertIn('Unexpected TOKEN_CLAIM claim: 9901, skipping', test_ctx.output[0])
254 self.assertIn('Unexpected SYN_BOXES claim: 9902, skipping', test_ctx.output[1])
255 self.assertIn('Unexpected TOKEN_CLAIM claim: 9903, skipping', test_ctx.output[2])
256 self.assertIn('Unexpected SYN_BOXES claim: 9904, skipping', test_ctx.output[3])
257
258 config = VerifierConfiguration(keep_going=False, strict=True)
259
260 test_verifier=SyntheticTokenVerifier2(method=method,
261 cose_alg=cose_alg,
262 signing_key=signing_key,
263 configuration=config,
264 internal_signing_key=signing_key)
265
266 with self.assertRaises(ValueError) as test_ctx:
267 read_iat(
268 DATA_DIR,
269 'unknown_claims.cbor',
270 test_verifier)
271 self.assertIn(
272 'Unexpected TOKEN_CLAIM claim: 9901', test_ctx.exception.args[0])