| Mate Toth-Pal | 51b6198 | 2022-03-17 14:19:30 +0100 | [diff] [blame] | 1 | #!/usr/bin/env python3 |
| 2 | #------------------------------------------------------------------------------- |
| 3 | # Copyright (c) 2019-2022, Arm Limited. All rights reserved. |
| 4 | # |
| 5 | # SPDX-License-Identifier: BSD-3-Clause |
| 6 | # |
| 7 | #------------------------------------------------------------------------------- |
| 8 | |
| 9 | import argparse |
| 10 | import logging |
| 11 | import os |
| 12 | import sys |
| 13 | |
| 14 | from ecdsa import SigningKey |
| 15 | from iatverifier.util import read_token_map, convert_map_to_token |
| 16 | from iatverifier.psa_iot_profile1_token_verifier import PSAIoTProfile1TokenVerifier |
| 17 | from iatverifier.verifiers import AttestationTokenVerifier |
| 18 | |
| 19 | |
| 20 | if __name__ == '__main__': |
| 21 | logging.basicConfig(level=logging.INFO) |
| 22 | |
| 23 | parser = argparse.ArgumentParser() |
| 24 | parser.add_argument('source', help='Token source in YAML format') |
| 25 | parser.add_argument('-o', '--outfile', |
| 26 | help='''Output file for the compiled token. If this is not |
| 27 | specified, the token will be written to standard output.''') |
| 28 | parser.add_argument('-k', '--keyfile', |
| 29 | help='''Path to the key in PEM format that should be used to |
| 30 | sign the token. If this is not specified, the token will be |
| 31 | unsigned.''') |
| 32 | group = parser.add_mutually_exclusive_group() |
| 33 | group.add_argument('-r', '--raw', action='store_true', |
| 34 | help='''Generate raw CBOR and do not create a signature |
| 35 | or COSE wrapper.''') |
| 36 | group.add_argument('-m', '--hmac', action='store_true', |
| 37 | help='''Generate a token wrapped in a Mac0 rather than |
| 38 | Sign1 COSE structure.''') |
| 39 | |
| 40 | args = parser.parse_args() |
| 41 | signing_key = None |
| 42 | |
| 43 | cose_alg = None |
| 44 | if args.hmac: |
| 45 | method = AttestationTokenVerifier.SIGN_METHOD_MAC0 |
| 46 | cose_alg = AttestationTokenVerifier.COSE_ALG_HS256 |
| 47 | |
| 48 | if args.keyfile: |
| 49 | with open(args.keyfile, 'rb') as fh: |
| 50 | signing_key = fh.read() |
| 51 | elif args.raw: |
| 52 | if args.keyfile: |
| 53 | raise ValueError('A keyfile cannot be specified with --raw.') |
| 54 | method = AttestationTokenVerifier.SIGN_METHOD_RAW |
| 55 | else: |
| 56 | method = AttestationTokenVerifier.SIGN_METHOD_SIGN1 |
| 57 | if args.keyfile: |
| 58 | with open(args.keyfile) as fh: |
| 59 | signing_key = SigningKey.from_pem(fh.read()) |
| 60 | |
| 61 | verifier = PSAIoTProfile1TokenVerifier.get_verifier() |
| 62 | if verifier.method != method: |
| 63 | verifier.method = method |
| 64 | if cose_alg is not None and verifier.cose_alg != cose_alg: |
| 65 | verifier.cose_alg = cose_alg |
| 66 | token_map = read_token_map(args.source) |
| 67 | |
| 68 | if args.outfile: |
| 69 | with open(args.outfile, 'wb') as wfh: |
| 70 | convert_map_to_token(token_map, signing_key, verifier, wfh) |
| 71 | else: |
| 72 | with os.fdopen(sys.stdout.fileno(), 'wb') as wfh: |
| 73 | convert_map_to_token(token_map, signing_key, verifier, wfh) |