| Mate Toth-Pal | 530106f | 2022-05-03 15:29:49 +0200 | [diff] [blame^] | 1 | #!/usr/bin/env python3 |
| Mate Toth-Pal | 1cb66cd | 2022-04-26 15:40:07 +0200 | [diff] [blame] | 2 | # ----------------------------------------------------------------------------- |
| 3 | # Copyright (c) 2019-2022, Arm Limited. All rights reserved. |
| Mate Toth-Pal | 51b6198 | 2022-03-17 14:19:30 +0100 | [diff] [blame] | 4 | # |
| 5 | # SPDX-License-Identifier: BSD-3-Clause |
| 6 | # |
| Mate Toth-Pal | 1cb66cd | 2022-04-26 15:40:07 +0200 | [diff] [blame] | 7 | # ----------------------------------------------------------------------------- |
| Mate Toth-Pal | 51b6198 | 2022-03-17 14:19:30 +0100 | [diff] [blame] | 8 | |
| Mate Toth-Pal | b9057ff | 2022-04-29 16:03:21 +0200 | [diff] [blame] | 9 | """CLI script for verifying an IAT.""" |
| 10 | |
| Mate Toth-Pal | 1cb66cd | 2022-04-26 15:40:07 +0200 | [diff] [blame] | 11 | import argparse |
| 12 | import json |
| 13 | import logging |
| 14 | import sys |
| 15 | |
| Mate Toth-Pal | b9057ff | 2022-04-29 16:03:21 +0200 | [diff] [blame] | 16 | from iatverifier.util import recursive_bytes_to_strings, read_keyfile, get_cose_alg_from_key |
| Mate Toth-Pal | 1cb66cd | 2022-04-26 15:40:07 +0200 | [diff] [blame] | 17 | from iatverifier.psa_iot_profile1_token_verifier import PSAIoTProfile1TokenVerifier |
| Mate Toth-Pal | bb187d0 | 2022-04-26 16:01:51 +0200 | [diff] [blame] | 18 | from iatverifier.attest_token_verifier import VerifierConfiguration, AttestationTokenVerifier |
| Mate Toth-Pal | 1cb66cd | 2022-04-26 15:40:07 +0200 | [diff] [blame] | 19 | |
| 20 | logger = logging.getLogger('iat-verify') |
| 21 | |
| 22 | def main(): |
| Mate Toth-Pal | b9057ff | 2022-04-29 16:03:21 +0200 | [diff] [blame] | 23 | """Main function for verifying an IAT""" |
| Mate Toth-Pal | 1cb66cd | 2022-04-26 15:40:07 +0200 | [diff] [blame] | 24 | |
| 25 | token_verifiers = { |
| 26 | "PSA-IoT-Profile1-token": PSAIoTProfile1TokenVerifier, |
| 27 | } |
| 28 | |
| 29 | parser = argparse.ArgumentParser( |
| 30 | description=''' |
| 31 | Validates a signed Initial Attestation Token (IAT), checking |
| 32 | that the signature is valid, the token contian the required |
| 33 | fields, and those fields are in a valid format. |
| 34 | ''') |
| 35 | parser.add_argument('-k', '--keyfile', |
| 36 | help=''' |
| 37 | Path to a file containing signing key in PEM format. |
| 38 | ''') |
| 39 | parser.add_argument('tokenfile', |
| 40 | help=''' |
| 41 | path to a file containing a signed IAT. |
| 42 | ''') |
| 43 | parser.add_argument('-K', '--keep-going', action='store_true', |
| 44 | help=''' |
| 45 | Do not stop upon encountering a validation error. |
| 46 | ''') |
| 47 | parser.add_argument('-p', '--print-iat', action='store_true', |
| 48 | help=''' |
| 49 | Print the decoded token in JSON format. |
| 50 | ''') |
| 51 | parser.add_argument('-s', '--strict', action='store_true', |
| 52 | help=''' |
| 53 | Report failure if unknown claim is encountered. |
| 54 | ''') |
| 55 | parser.add_argument('-c', '--check-protected-header', action='store_true', |
| 56 | help=''' |
| 57 | Check the presence and content of COSE protected header. |
| 58 | ''') |
| 59 | parser.add_argument('-m', '--method', choices=['sign', 'mac'], default='sign', |
| 60 | help=''' |
| 61 | Specify how this token is wrapped -- whether Sign1Message or |
| 62 | Mac0Message COSE structure is used. |
| 63 | ''') |
| 64 | parser.add_argument('-t', '--token-type', |
| 65 | help='''The type of the Token.''', |
| 66 | choices=token_verifiers.keys(), |
| 67 | required=True) |
| 68 | |
| 69 | args = parser.parse_args() |
| 70 | |
| 71 | logging.basicConfig(level=logging.INFO) |
| 72 | |
| 73 | config = VerifierConfiguration(keep_going=args.keep_going, strict=args.strict) |
| Mate Toth-Pal | 1cb66cd | 2022-04-26 15:40:07 +0200 | [diff] [blame] | 74 | if args.method == 'mac': |
| Mate Toth-Pal | b9057ff | 2022-04-29 16:03:21 +0200 | [diff] [blame] | 75 | method = AttestationTokenVerifier.SIGN_METHOD_MAC0 |
| 76 | else: |
| 77 | method = AttestationTokenVerifier.SIGN_METHOD_SIGN1 |
| Mate Toth-Pal | 1cb66cd | 2022-04-26 15:40:07 +0200 | [diff] [blame] | 78 | |
| Mate Toth-Pal | b9057ff | 2022-04-29 16:03:21 +0200 | [diff] [blame] | 79 | key = read_keyfile(keyfile=args.keyfile, method=method) |
| 80 | |
| 81 | if args.method == 'mac': |
| 82 | cose_alg = AttestationTokenVerifier.COSE_ALG_HS256 |
| 83 | else: |
| 84 | if key is not None: |
| 85 | cose_alg = get_cose_alg_from_key(key) |
| 86 | else: |
| 87 | cose_alg = AttestationTokenVerifier.COSE_ALG_ES256 |
| 88 | |
| 89 | verifier_class = token_verifiers[args.token_type] |
| 90 | if verifier_class == PSAIoTProfile1TokenVerifier: |
| 91 | verifier = PSAIoTProfile1TokenVerifier( |
| 92 | method=method, |
| 93 | cose_alg=cose_alg, |
| 94 | signing_key=key, |
| 95 | configuration=config) |
| 96 | else: |
| 97 | logger.error(f'Invalid token type:{verifier_class}\n\t') |
| Mate Toth-Pal | 1cb66cd | 2022-04-26 15:40:07 +0200 | [diff] [blame] | 98 | sys.exit(1) |
| 99 | |
| 100 | try: |
| Mate Toth-Pal | b9057ff | 2022-04-29 16:03:21 +0200 | [diff] [blame] | 101 | with open(args.tokenfile, 'rb') as token_file: |
| 102 | token = verifier.parse_token( |
| 103 | token=token_file.read(), |
| 104 | verify=True, |
| 105 | check_p_header=args.check_protected_header, |
| 106 | lower_case_key=False) |
| 107 | if args.keyfile: |
| 108 | print('Signature OK') |
| 109 | print('Token format OK') |
| 110 | except ValueError as exc: |
| 111 | logger.error(f'Could not extract IAT from COSE:\n\t{exc}') |
| Mate Toth-Pal | 1cb66cd | 2022-04-26 15:40:07 +0200 | [diff] [blame] | 112 | sys.exit(1) |
| 113 | |
| 114 | if args.print_iat: |
| 115 | print('Token:') |
| 116 | json.dump(recursive_bytes_to_strings(token, in_place=True), |
| 117 | sys.stdout, indent=4) |
| 118 | print('') |
| 119 | |
| 120 | if __name__ == '__main__': |
| Mate Toth-Pal | b9057ff | 2022-04-29 16:03:21 +0200 | [diff] [blame] | 121 | main() |