#-------------------------------------------------------------------------------
# Copyright (c) 2022, Arm Limited. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
#
#-------------------------------------------------------------------------------
7
"""
Tests for iat-verifier features that are not exercised by the PSA IoT profile1
tokens.
"""
12
13import os
14import unittest
15
16from iatverifier.util import read_token_map, read_keyfile
17from iatverifier.attest_token_verifier import VerifierConfiguration, AttestationTokenVerifier
Mate Toth-Pale589c452022-07-27 22:02:40 +020018from tests.synthetic_token_verifier import SyntheticTokenVerifier2, SyntheticTokenVerifier
19from test_utils import read_iat, create_and_read_iat, convert_map_to_token_bytes, bytes_equal_to_file
# Directory holding this test module; every fixture path below is built from it.
THIS_DIR = os.path.dirname(__file__)

# Fixtures for the synthetic tokens (the tests read .yaml and .cbor files here).
DATA_DIR = os.path.join(THIS_DIR, 'synthetic_data')
# PEM key fixtures. KEYFILE is the key the tests in this file sign and verify
# with; these are test fixtures and must not be trusted outside the test suite.
KEY_DIR = os.path.join(THIS_DIR, 'data')
KEYFILE, KEYFILE_ALT = (
    os.path.join(KEY_DIR, pem_name) for pem_name in ('key.pem', 'key-alt.pem')
)
28
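class TestSynthetic(unittest.TestCase):
    """Test iat-verifier's nested IAT feature.

    The cases use the synthetic verifier classes from the test package to
    cover cross-claim validation, protected-header encoding and CBOR tag
    checking on both the outer token and the token nested inside it.
    """

    def setUp(self):
        """Give every test its own default ``VerifierConfiguration``."""
        self.config = VerifierConfiguration()

    def _make_verifier(self, verifier_class):
        """Build a COSE Sign1 / ES256 verifier of ``verifier_class``.

        The key read from ``KEYFILE`` is passed both as ``signing_key`` and as
        ``internal_signing_key``, exactly as every case in this class needs.
        """
        method = AttestationTokenVerifier.SIGN_METHOD_SIGN1
        signing_key = read_keyfile(KEYFILE, method)
        return verifier_class(
            method=method,
            cose_alg=AttestationTokenVerifier.COSE_ALG_ES256,
            signing_key=signing_key,
            configuration=self.config,
            internal_signing_key=signing_key)

    def test_composite(self):
        """Test cross claim checking in composite claim"""
        box_error = 'Invalid IAT: Box size must have all 3 dimensions'

        # A complete token must round-trip without raising.
        create_and_read_iat(
            DATA_DIR,
            'synthetic_token.yaml',
            self._make_verifier(SyntheticTokenVerifier))

        # A box with a missing dimension must be rejected, not merely reported.
        with self.assertRaises(ValueError) as test_ctx:
            create_and_read_iat(
                DATA_DIR,
                'synthetic_token_missing_box_dim.yaml',
                self._make_verifier(SyntheticTokenVerifier))
        self.assertIn(box_error, test_ctx.exception.args[0])

        # Same pair of checks for the 'another_token' fixtures.
        create_and_read_iat(
            DATA_DIR,
            'synthetic_token_another_token.yaml',
            self._make_verifier(SyntheticTokenVerifier))

        with self.assertRaises(ValueError) as test_ctx:
            create_and_read_iat(
                DATA_DIR,
                'synthetic_token_another_token_missing_box_dim.yaml',
                self._make_verifier(SyntheticTokenVerifier))
        self.assertIn(box_error, test_ctx.exception.args[0])

    def test_protected_header(self):
        """Test protected header detection"""
        source_path = os.path.join(DATA_DIR, 'synthetic_token_another_token.yaml')
        token_map = read_token_map(source_path)

        # One verifier encodes the same claims twice, with and without the
        # protected header, so the two outputs differ only in that respect.
        verifier = self._make_verifier(SyntheticTokenVerifier)

        token_p_header = convert_map_to_token_bytes(token_map, verifier, add_p_header=True)
        token_no_p_header = convert_map_to_token_bytes(token_map, verifier, add_p_header=False)

        # Compare against the stored reference encodings.
        self.assertTrue(
            bytes_equal_to_file(token_p_header, os.path.join(DATA_DIR, 'p_header_on.cbor')))
        self.assertTrue(
            bytes_equal_to_file(token_no_p_header, os.path.join(DATA_DIR, 'p_header_off.cbor')))

    def test_tagging_support(self):
        """Test reporting of unexpected, missing, invalid and correct CBOR tags.

        With the default configuration used here, the three bad-tag cases are
        expected to be reported through logging while ``read_iat`` returns
        normally. NOTE(review): a caller that relies on the tag to tell token
        types apart would therefore need to act on those log records or use a
        stricter configuration, if the verifier offers one - confirm.
        """
        # test with unexpected tag
        with self.assertLogs() as test_ctx:
            read_iat(
                DATA_DIR,
                'unexpected_tags.cbor',
                self._make_verifier(SyntheticTokenVerifier))
        # One record for the outer token and one for the nested token.
        self.assertEqual(2, len(test_ctx.output))
        self.assertIn('Unexpected tag (0xcdcd) in token SYNTHETIC_TOKEN', test_ctx.output[0])
        self.assertIn('Unexpected tag (0xabab) in token SYNTHETIC_INTERNAL_TOKEN', test_ctx.output[1])

        # test with missing tag
        with self.assertLogs() as test_ctx:
            read_iat(
                DATA_DIR,
                'missing_tags.cbor',
                self._make_verifier(SyntheticTokenVerifier2))
        self.assertEqual(2, len(test_ctx.output))
        self.assertIn('token SYNTHETIC_TOKEN_2 should be wrapped in tag 0xaabb', test_ctx.output[0])
        self.assertIn('token SYNTHETIC_INTERNAL_TOKEN_2 should be wrapped in tag 0xbbaa', test_ctx.output[1])

        # Test Invalid tag values
        with self.assertLogs() as test_ctx:
            read_iat(
                DATA_DIR,
                'invalid_tags.cbor',
                self._make_verifier(SyntheticTokenVerifier2))
        self.assertEqual(2, len(test_ctx.output))
        self.assertIn('token SYNTHETIC_TOKEN_2 is wrapped in tag 0xabab instead of 0xaabb', test_ctx.output[0])
        self.assertIn('token SYNTHETIC_INTERNAL_TOKEN_2 is wrapped in tag 0xbaba instead of 0xbbaa', test_ctx.output[1])

        # Test proper tagging
        # NOTE(review): this only checks that read_iat() does not raise; it
        # would still pass if tag warnings were logged. On Python 3.10+,
        # wrapping the call in self.assertNoLogs() would pin that as well.
        read_iat(
            DATA_DIR,
            'correct_tagging.cbor',
            self._make_verifier(SyntheticTokenVerifier2))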