TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / TF-M / tf-m-tools / 8ac8d17d15353c7f7933ae8065646946ae47f993 / . / iat-verifier / tests / test_verifier.py
blob: 5f8380e3547687824e868e5113c5026dfaa6618d [file] [log] [blame]
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]1# -----------------------------------------------------------------------------
2# Copyright (c) 2019-2022, Arm Limited. All rights reserved.
3#
4# SPDX-License-Identifier: BSD-3-Clause
5#
6# -----------------------------------------------------------------------------
7
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]8"""Unittests for iat-verifier using PSAIoTProfile1TokenVerifier"""
9
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]10import os
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]11import unittest
12
Mate Toth-Pal1cb66cd2022-04-26 15:40:07 +0200[diff] [blame]13from iatverifier.psa_iot_profile1_token_verifier import PSAIoTProfile1TokenVerifier
Mate Toth-Palb2508d52022-04-30 14:10:06 +0200[diff] [blame]14from iatverifier.util import read_keyfile
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]15from iatverifier.attest_token_verifier import VerifierConfiguration, AttestationTokenVerifier
Mate Toth-Palb2508d52022-04-30 14:10:06 +0200[diff] [blame]16from test_utils import create_and_read_iat, read_iat, create_token_tmp_file
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]17
18
19THIS_DIR = os.path.dirname(__file__)
20
21DATA_DIR = os.path.join(THIS_DIR, 'data')
22KEYFILE = os.path.join(DATA_DIR, 'key.pem')
23KEYFILE_ALT = os.path.join(DATA_DIR, 'key-alt.pem')
24
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]25class TestIatVerifier(unittest.TestCase):
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]26 """A class used for testing iat-verifier.
27
28 This class uses the claim and token definitions for PSA Attestation Token"""
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]29
30 def setUp(self):
31 self.config = VerifierConfiguration()
32
33 def test_validate_signature(self):
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]34 """Testing Signature validation"""
35 method=AttestationTokenVerifier.SIGN_METHOD_SIGN1
36 cose_alg=AttestationTokenVerifier.COSE_ALG_ES256
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]37
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]38 signing_key = read_keyfile(KEYFILE, method)
39 verifier_good_sig = PSAIoTProfile1TokenVerifier(
40 method=method,
41 cose_alg=cose_alg,
42 signing_key=signing_key,
43 configuration=self.config)
Mate Toth-Palb2508d52022-04-30 14:10:06 +0200[diff] [blame]44 good_sig = create_token_tmp_file(DATA_DIR, 'valid-iat.yaml', verifier_good_sig)
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]45
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]46 signing_key = read_keyfile(KEYFILE_ALT, method)
47 verifier_bad_sig = PSAIoTProfile1TokenVerifier(
48 method=method,
49 cose_alg=cose_alg,
50 signing_key=signing_key,
51 configuration=self.config)
Mate Toth-Palb2508d52022-04-30 14:10:06 +0200[diff] [blame]52 bad_sig = create_token_tmp_file(DATA_DIR, 'valid-iat.yaml', verifier_bad_sig)
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]53
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]54 #dump_file_binary(good_sig)
55
56 with open(good_sig, 'rb') as wfh:
57 verifier_good_sig.parse_token(
58 token=wfh.read(),
59 verify=True,
60 check_p_header=False,
61 lower_case_key=False)
62
63
64 with self.assertRaises(ValueError) as test_ctx:
65 with open(bad_sig, 'rb') as wfh:
66 verifier_good_sig.parse_token(
67 token=wfh.read(),
68 verify=True,
69 check_p_header=False,
70 lower_case_key=False)
71
72 self.assertIn('Bad signature', test_ctx.exception.args[0])
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]73
74 def test_validate_iat_structure(self):
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]75 """Testing IAT structure validation"""
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]76 keep_going_conf = VerifierConfiguration(keep_going=True)
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]77 method=AttestationTokenVerifier.SIGN_METHOD_SIGN1
78 cose_alg=AttestationTokenVerifier.COSE_ALG_ES256
79 signing_key = read_keyfile(KEYFILE, method)
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]80
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]81 create_and_read_iat(
Mate Toth-Palb2508d52022-04-30 14:10:06 +0200[diff] [blame]82 DATA_DIR,
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]83 'valid-iat.yaml',
84 PSAIoTProfile1TokenVerifier(method=method,
85 cose_alg=cose_alg,
86 signing_key=signing_key,
87 configuration=self.config))
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]88
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]89 with self.assertRaises(ValueError) as test_ctx:
90 create_and_read_iat(
Mate Toth-Palb2508d52022-04-30 14:10:06 +0200[diff] [blame]91 DATA_DIR,
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]92 'invalid-profile-id.yaml',
93 PSAIoTProfile1TokenVerifier(method=method,
94 cose_alg=cose_alg,
95 signing_key=signing_key,
96 configuration=self.config))
97 self.assertIn('Invalid PROFILE_ID', test_ctx.exception.args[0])
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]98
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]99 with self.assertRaises(ValueError) as test_ctx:
100 read_iat(
Mate Toth-Palb2508d52022-04-30 14:10:06 +0200[diff] [blame]101 DATA_DIR,
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]102 'malformed.cbor',
103 PSAIoTProfile1TokenVerifier(method=method,
104 cose_alg=cose_alg,
105 signing_key=signing_key,
106 configuration=self.config))
107 self.assertIn('Bad COSE', test_ctx.exception.args[0])
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]108
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]109 with self.assertRaises(ValueError) as test_ctx:
110 create_and_read_iat(
Mate Toth-Palb2508d52022-04-30 14:10:06 +0200[diff] [blame]111 DATA_DIR,
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]112 'missing-claim.yaml',
113 PSAIoTProfile1TokenVerifier(method=method,
114 cose_alg=cose_alg,
115 signing_key=signing_key,
116 configuration=self.config))
117 self.assertIn('missing MANDATORY claim', test_ctx.exception.args[0])
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]118
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]119 with self.assertRaises(ValueError) as test_ctx:
120 create_and_read_iat(
Mate Toth-Palb2508d52022-04-30 14:10:06 +0200[diff] [blame]121 DATA_DIR,
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]122 'submod-missing-claim.yaml',
123 PSAIoTProfile1TokenVerifier(method=method,
124 cose_alg=cose_alg,
125 signing_key=signing_key,
126 configuration=self.config))
127 self.assertIn('missing MANDATORY claim', test_ctx.exception.args[0])
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]128
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]129 with self.assertRaises(ValueError) as test_ctx:
130 create_and_read_iat(
Mate Toth-Palb2508d52022-04-30 14:10:06 +0200[diff] [blame]131 DATA_DIR,
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]132 'missing-sw-comps.yaml',
133 PSAIoTProfile1TokenVerifier(method=method,
134 cose_alg=cose_alg,
135 signing_key=signing_key,
136 configuration=self.config))
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]137 self.assertIn('NO_MEASUREMENTS claim is not present',
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]138 test_ctx.exception.args[0])
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]139
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]140 with self.assertLogs() as test_ctx:
141 create_and_read_iat(
Mate Toth-Palb2508d52022-04-30 14:10:06 +0200[diff] [blame]142 DATA_DIR,
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]143 'missing-signer-id.yaml',
144 PSAIoTProfile1TokenVerifier(method=method,
145 cose_alg=cose_alg,
146 signing_key=signing_key,
147 configuration=self.config))
Mate Toth-Pald10a9142022-04-28 15:34:13 +0200[diff] [blame]148 self.assertIn('Missing RECOMMENDED claim "SIGNER_ID" from SW_COMPONENTS',
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]149 test_ctx.records[0].getMessage())
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]150
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]151 with self.assertLogs() as test_ctx:
152 create_and_read_iat(
Mate Toth-Palb2508d52022-04-30 14:10:06 +0200[diff] [blame]153 DATA_DIR,
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]154 'invalid-type-length.yaml',
155 PSAIoTProfile1TokenVerifier(method=method,
156 cose_alg=cose_alg,
157 signing_key=signing_key,
158 configuration=keep_going_conf))
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]159 self.assertIn("Invalid PROFILE_ID: must be a(n) <class 'str'>: found <class 'int'>",
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]160 test_ctx.records[0].getMessage())
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]161 self.assertIn("Invalid SIGNER_ID: must be a(n) <class 'bytes'>: found <class 'str'>",
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]162 test_ctx.records[1].getMessage())
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]163 self.assertIn("Invalid SIGNER_ID length: must be at least 32 bytes, found 12 bytes",
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]164 test_ctx.records[2].getMessage())
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]165 self.assertIn("Invalid MEASUREMENT length: must be at least 32 bytes, found 28 bytes",
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]166 test_ctx.records[3].getMessage())
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]167
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]168 with self.assertLogs() as test_ctx:
169 create_and_read_iat(
Mate Toth-Palb2508d52022-04-30 14:10:06 +0200[diff] [blame]170 DATA_DIR,
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]171 'invalid-hw-version.yaml',
Tamas Ban8ac8d172022-07-04 13:01:08 +0200[diff] [blame^]172 PSAIoTProfile1TokenVerifier(
173 method=method,
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]174 cose_alg=cose_alg,
175 signing_key=signing_key,
176 configuration=keep_going_conf))
Tamas Ban8ac8d172022-07-04 13:01:08 +0200[diff] [blame^]177 self.assertIn("Invalid HARDWARE_VERSION length; "
178 "must be 19 characters, found 10 characters",
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]179 test_ctx.records[0].getMessage())
Tamas Ban8ac8d172022-07-04 13:01:08 +0200[diff] [blame^]180 self.assertIn("Invalid character at position 1",
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]181 test_ctx.records[1].getMessage())
Tamas Ban8ac8d172022-07-04 13:01:08 +0200[diff] [blame^]182 self.assertIn("Invalid character - at position 4",
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]183 test_ctx.records[2].getMessage())
Tamas Ban8ac8d172022-07-04 13:01:08 +0200[diff] [blame^]184 self.assertIn("Invalid character a at position 10",
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]185 test_ctx.records[3].getMessage())
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]186
187 def test_binary_string_decoding(self):
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]188 """Test binary_string decoding"""
189 method=AttestationTokenVerifier.SIGN_METHOD_SIGN1
190 cose_alg=AttestationTokenVerifier.COSE_ALG_ES256
191 signing_key = read_keyfile(KEYFILE, method)
192 iat = create_and_read_iat(
Mate Toth-Palb2508d52022-04-30 14:10:06 +0200[diff] [blame]193 DATA_DIR,
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]194 'valid-iat.yaml',
195 PSAIoTProfile1TokenVerifier(method=method,
196 cose_alg=cose_alg,
197 signing_key=signing_key,
198 configuration=self.config))
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]199 self.assertEqual(iat['SECURITY_LIFECYCLE'], 'SL_SECURED')
200
201 def test_security_lifecycle_decoding(self):
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]202 """Test security lifecycle decoding"""
203 method=AttestationTokenVerifier.SIGN_METHOD_SIGN1
204 cose_alg=AttestationTokenVerifier.COSE_ALG_ES256
205 signing_key = read_keyfile(KEYFILE, method)
206 iat = create_and_read_iat(
Mate Toth-Palb2508d52022-04-30 14:10:06 +0200[diff] [blame]207 DATA_DIR,
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]208 'valid-iat.yaml',
209 PSAIoTProfile1TokenVerifier(method=method,
210 cose_alg=cose_alg,
211 signing_key=signing_key,
212 configuration=self.config))
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]213 self.assertEqual(iat['SECURITY_LIFECYCLE'], 'SL_SECURED')