iat-verifier/scripts/compile_token

#!/usr/bin/env python3
#-------------------------------------------------------------------------------
# Copyright (c) 2019-2022, Arm Limited. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
#
#-------------------------------------------------------------------------------

"""CLI tool for compiling token from a yaml file"""

import argparse
import logging
import os
import sys

from iatverifier.util import read_token_map, convert_map_to_token, read_keyfile
from iatverifier.util import get_cose_alg_from_key
from iatverifier.psa_iot_profile1_token_verifier import PSAIoTProfile1TokenVerifier
from iatverifier.attest_token_verifier import AttestationTokenVerifier


if __name__ == '__main__':
    logging.basicConfig(level=logging.INFO)

    token_verifiers = {
        "PSA-IoT-Profile1-token": PSAIoTProfile1TokenVerifier,
    }

    parser = argparse.ArgumentParser()
    parser.add_argument('source', help='Token source in YAML format')
    parser.add_argument('-o', '--outfile',
                        help='''Output file for the compiled token. If this is not
                        specified, the token will be written to standard output.''')
    parser.add_argument('-k', '--keyfile',
                        help='''Path to the key in PEM format that should be used to
                        sign the token. If this is not specified, the token will be
                        unsigned.''')
    group = parser.add_mutually_exclusive_group()
    parser.add_argument('-a', '--add-protected-header', action='store_true',
                        help='''
                        Add protected header to the COSE wrapper.
                        ''')
    group.add_argument('-r', '--raw', action='store_true',
                       help='''Generate raw CBOR and do not create a signature
                       or COSE wrapper.''')
    group.add_argument('-m', '--hmac', action='store_true',
                       help='''Generate a token wrapped in a Mac0 rather than
                       Sign1 COSE structure.''')
    parser.add_argument('-t', '--token-type',
                        help='''The type of the Token.''',
                        choices=token_verifiers.keys(),
                        required=True)

    args = parser.parse_args()

    if args.hmac:
        METHOD = AttestationTokenVerifier.SIGN_METHOD_MAC0
    elif args.raw:
        if args.keyfile:
            raise ValueError('A keyfile cannot be specified with --raw.')
        METHOD = AttestationTokenVerifier.SIGN_METHOD_RAW
    else:
        METHOD = AttestationTokenVerifier.SIGN_METHOD_SIGN1

    key = read_keyfile(args.keyfile, METHOD)

    COSE_ALG = None
    if args.hmac:
        COSE_ALG = AttestationTokenVerifier.COSE_ALG_HS256
    elif not args.raw:
        COSE_ALG = get_cose_alg_from_key(key)

    verifier_class = token_verifiers[args.token_type]
    if verifier_class == PSAIoTProfile1TokenVerifier:
        verifier = PSAIoTProfile1TokenVerifier(
            method=METHOD,
            cose_alg=COSE_ALG,
            signing_key=key,
            configuration=None)
    else:
        logging.error(f'Invalid token type:{verifier_class}\n\t')
        sys.exit(1)
    token_map = read_token_map(args.source)

    if args.outfile:
        with open(args.outfile, 'wb') as wfh:
            convert_map_to_token(
                token_map,
                verifier,
                wfh,
                add_p_header=args.add_protected_header,
                name_as_key=True,
                parse_raw_value=True)
    else:
        with os.fdopen(sys.stdout.fileno(), 'wb') as wfh:
            convert_map_to_token(
                token_map,
                verifier,
                wfh,
                add_p_header=args.add_protected_header,
                name_as_key=True,
                parse_raw_value=True)