TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / TF-M / tf-m-tools / 8cbeed5482781ec9a5efd2fde35f9c870a079917 / . / iat-verifier / tests / test_verifier.py
blob: 8f64be8a4d6b2963baf650060083ac9696ba1746 [file] [log] [blame]
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]1# -----------------------------------------------------------------------------
2# Copyright (c) 2019-2022, Arm Limited. All rights reserved.
3#
4# SPDX-License-Identifier: BSD-3-Clause
5#
6# -----------------------------------------------------------------------------
7
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]8"""Unittests for iat-verifier using PSAIoTProfile1TokenVerifier"""
9
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]10import os
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]11import unittest
12
Mate Toth-Pal1cb66cd2022-04-26 15:40:07 +0200[diff] [blame]13from iatverifier.psa_iot_profile1_token_verifier import PSAIoTProfile1TokenVerifier
Mate Toth-Pal5ebca512022-03-24 16:45:51 +0100[diff] [blame]14from iatverifier.cca_token_verifier import CCATokenVerifier, CCAPlatformTokenVerifier
Mate Toth-Palb2508d52022-04-30 14:10:06 +0200[diff] [blame]15from iatverifier.util import read_keyfile
Mate Toth-Pal5ebca512022-03-24 16:45:51 +0100[diff] [blame]16from iatverifier.attest_token_verifier import AttestationClaim, VerifierConfiguration
17from iatverifier.attest_token_verifier import AttestationTokenVerifier
Mate Toth-Palb2508d52022-04-30 14:10:06 +0200[diff] [blame]18from test_utils import create_and_read_iat, read_iat, create_token_tmp_file
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]19
20
21THIS_DIR = os.path.dirname(__file__)
22
23DATA_DIR = os.path.join(THIS_DIR, 'data')
24KEYFILE = os.path.join(DATA_DIR, 'key.pem')
Mate Toth-Pal5ebca512022-03-24 16:45:51 +0100[diff] [blame]25KEYFILE_CCA_PLAT = os.path.join(DATA_DIR, 'cca_platform.pem')
26KEYFILE_CCA_REALM = os.path.join(DATA_DIR, 'cca_realm.pem')
Mate Toth-Palb21ae522022-09-01 12:02:21 +0200[diff] [blame]27KEYFILE_CCA_REALM2= os.path.join(DATA_DIR, 'cca_realm2.pem')
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]28KEYFILE_ALT = os.path.join(DATA_DIR, 'key-alt.pem')
29
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]30class TestIatVerifier(unittest.TestCase):
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]31 """A class used for testing iat-verifier.
32
33 This class uses the claim and token definitions for PSA Attestation Token"""
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]34
35 def setUp(self):
36 self.config = VerifierConfiguration()
37
38 def test_validate_signature(self):
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]39 """Testing Signature validation"""
40 method=AttestationTokenVerifier.SIGN_METHOD_SIGN1
41 cose_alg=AttestationTokenVerifier.COSE_ALG_ES256
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]42
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]43 signing_key = read_keyfile(KEYFILE, method)
44 verifier_good_sig = PSAIoTProfile1TokenVerifier(
45 method=method,
46 cose_alg=cose_alg,
47 signing_key=signing_key,
48 configuration=self.config)
Mate Toth-Palb2508d52022-04-30 14:10:06 +0200[diff] [blame]49 good_sig = create_token_tmp_file(DATA_DIR, 'valid-iat.yaml', verifier_good_sig)
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]50
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]51 signing_key = read_keyfile(KEYFILE_ALT, method)
52 verifier_bad_sig = PSAIoTProfile1TokenVerifier(
53 method=method,
54 cose_alg=cose_alg,
55 signing_key=signing_key,
56 configuration=self.config)
Mate Toth-Palb2508d52022-04-30 14:10:06 +0200[diff] [blame]57 bad_sig = create_token_tmp_file(DATA_DIR, 'valid-iat.yaml', verifier_bad_sig)
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]58
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]59 #dump_file_binary(good_sig)
60
61 with open(good_sig, 'rb') as wfh:
Mate Toth-Palc7404e92022-07-15 11:11:13 +0200[diff] [blame]62 token_item = verifier_good_sig.parse_token(
63 token=wfh.read(),
Mate Toth-Palc7404e92022-07-15 11:11:13 +0200[diff] [blame]64 lower_case_key=False)
65 token_item.verify()
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]66
67 with self.assertRaises(ValueError) as test_ctx:
68 with open(bad_sig, 'rb') as wfh:
Mate Toth-Palc7404e92022-07-15 11:11:13 +0200[diff] [blame]69 token_item = verifier_good_sig.parse_token(
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]70 token=wfh.read(),
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]71 lower_case_key=False)
Mate Toth-Palc7404e92022-07-15 11:11:13 +0200[diff] [blame]72 token_item.verify()
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]73
74 self.assertIn('Bad signature', test_ctx.exception.args[0])
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]75
76 def test_validate_iat_structure(self):
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]77 """Testing IAT structure validation"""
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]78 keep_going_conf = VerifierConfiguration(keep_going=True)
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]79 method=AttestationTokenVerifier.SIGN_METHOD_SIGN1
80 cose_alg=AttestationTokenVerifier.COSE_ALG_ES256
81 signing_key = read_keyfile(KEYFILE, method)
Mate Toth-Pal5ebca512022-03-24 16:45:51 +0100[diff] [blame]82 realm_token_key = read_keyfile(KEYFILE_CCA_REALM, method)
Mate Toth-Palb21ae522022-09-01 12:02:21 +0200[diff] [blame]83 realm_token_key2 = read_keyfile(KEYFILE_CCA_REALM2, method)
Mate Toth-Pal5ebca512022-03-24 16:45:51 +0100[diff] [blame]84 platform_token_key = read_keyfile(KEYFILE_CCA_PLAT, method)
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]85
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]86 create_and_read_iat(
Mate Toth-Palb2508d52022-04-30 14:10:06 +0200[diff] [blame]87 DATA_DIR,
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]88 'valid-iat.yaml',
Mate Toth-Pal5ebca512022-03-24 16:45:51 +0100[diff] [blame]89 PSAIoTProfile1TokenVerifier(
90 method=method,
91 cose_alg=cose_alg,
92 signing_key=signing_key,
93 configuration=self.config))
Mate Toth-Palb21ae522022-09-01 12:02:21 +0200[diff] [blame]94
Mate Toth-Pal5ebca512022-03-24 16:45:51 +0100[diff] [blame]95 create_and_read_iat(
96 DATA_DIR,
97 'valid-cca-token.yaml',
98 CCATokenVerifier(
99 realm_token_method=method,
100 realm_token_cose_alg=AttestationTokenVerifier.COSE_ALG_ES384,
101 realm_token_key=realm_token_key,
102 platform_token_method=method,
103 platform_token_cose_alg=AttestationTokenVerifier.COSE_ALG_ES384,
104 platform_token_key=platform_token_key,
105 configuration=self.config))
106
107 create_and_read_iat(
108 DATA_DIR,
109 'cca_platform_token.yaml',
110 CCAPlatformTokenVerifier(
111 method=method,
112 cose_alg=AttestationTokenVerifier.COSE_ALG_ES384,
113 signing_key=platform_token_key,
114 configuration=self.config,
115 necessity=AttestationClaim.MANDATORY))
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]116
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]117 with self.assertRaises(ValueError) as test_ctx:
118 create_and_read_iat(
Mate Toth-Palb21ae522022-09-01 12:02:21 +0200[diff] [blame]119 DATA_DIR,
Mate Toth-Palc5dbad02022-09-01 22:17:26 +0200[diff] [blame]120 'cca-invalid-plat-challenge.yaml',
121 CCATokenVerifier(
122 realm_token_method=method,
123 realm_token_cose_alg=AttestationTokenVerifier.COSE_ALG_ES384,
124 realm_token_key=realm_token_key,
125 platform_token_method=method,
126 platform_token_cose_alg=AttestationTokenVerifier.COSE_ALG_ES384,
127 platform_token_key=platform_token_key,
128 configuration=self.config))
129 self.assertIn("Invalid CCA_PLATFORM_CHALLENGE byte at 16: 0x00 instead of 0xe4", test_ctx.exception.args[0])
130
131 with self.assertRaises(ValueError) as test_ctx:
132 create_and_read_iat(
133 DATA_DIR,
Mate Toth-Palb21ae522022-09-01 12:02:21 +0200[diff] [blame]134 'valid-cca-token.yaml',
135 CCATokenVerifier(
136 realm_token_method=method,
137 realm_token_cose_alg=AttestationTokenVerifier.COSE_ALG_ES384,
138 realm_token_key=realm_token_key2,
139 platform_token_method=method,
140 platform_token_cose_alg=AttestationTokenVerifier.COSE_ALG_ES384,
141 platform_token_key=platform_token_key,
142 configuration=self.config))
143 self.assertIn("Realm signature doesn't match Realm Public Key claim in Realm token", test_ctx.exception.args[0])
144
145 with self.assertRaises(ValueError) as test_ctx:
146 create_and_read_iat(
Mate Toth-Palb2508d52022-04-30 14:10:06 +0200[diff] [blame]147 DATA_DIR,
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]148 'invalid-profile-id.yaml',
149 PSAIoTProfile1TokenVerifier(method=method,
150 cose_alg=cose_alg,
151 signing_key=signing_key,
152 configuration=self.config))
153 self.assertIn('Invalid PROFILE_ID', test_ctx.exception.args[0])
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]154
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]155 with self.assertRaises(ValueError) as test_ctx:
156 read_iat(
Mate Toth-Palb2508d52022-04-30 14:10:06 +0200[diff] [blame]157 DATA_DIR,
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]158 'malformed.cbor',
159 PSAIoTProfile1TokenVerifier(method=method,
160 cose_alg=cose_alg,
161 signing_key=signing_key,
162 configuration=self.config))
163 self.assertIn('Bad COSE', test_ctx.exception.args[0])
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]164
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]165 with self.assertRaises(ValueError) as test_ctx:
166 create_and_read_iat(
Mate Toth-Palb2508d52022-04-30 14:10:06 +0200[diff] [blame]167 DATA_DIR,
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]168 'missing-claim.yaml',
169 PSAIoTProfile1TokenVerifier(method=method,
170 cose_alg=cose_alg,
171 signing_key=signing_key,
172 configuration=self.config))
173 self.assertIn('missing MANDATORY claim', test_ctx.exception.args[0])
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]174
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]175 with self.assertRaises(ValueError) as test_ctx:
176 create_and_read_iat(
Mate Toth-Palb2508d52022-04-30 14:10:06 +0200[diff] [blame]177 DATA_DIR,
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]178 'submod-missing-claim.yaml',
179 PSAIoTProfile1TokenVerifier(method=method,
180 cose_alg=cose_alg,
181 signing_key=signing_key,
182 configuration=self.config))
183 self.assertIn('missing MANDATORY claim', test_ctx.exception.args[0])
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]184
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]185 with self.assertRaises(ValueError) as test_ctx:
186 create_and_read_iat(
Mate Toth-Palb2508d52022-04-30 14:10:06 +0200[diff] [blame]187 DATA_DIR,
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]188 'missing-sw-comps.yaml',
189 PSAIoTProfile1TokenVerifier(method=method,
190 cose_alg=cose_alg,
191 signing_key=signing_key,
192 configuration=self.config))
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]193 self.assertIn('NO_MEASUREMENTS claim is not present',
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]194 test_ctx.exception.args[0])
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]195
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]196 with self.assertLogs() as test_ctx:
197 create_and_read_iat(
Mate Toth-Palb2508d52022-04-30 14:10:06 +0200[diff] [blame]198 DATA_DIR,
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]199 'missing-signer-id.yaml',
200 PSAIoTProfile1TokenVerifier(method=method,
201 cose_alg=cose_alg,
202 signing_key=signing_key,
203 configuration=self.config))
Mate Toth-Pald10a9142022-04-28 15:34:13 +0200[diff] [blame]204 self.assertIn('Missing RECOMMENDED claim "SIGNER_ID" from SW_COMPONENTS',
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]205 test_ctx.records[0].getMessage())
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]206
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]207 with self.assertLogs() as test_ctx:
208 create_and_read_iat(
Mate Toth-Palb2508d52022-04-30 14:10:06 +0200[diff] [blame]209 DATA_DIR,
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]210 'invalid-type-length.yaml',
211 PSAIoTProfile1TokenVerifier(method=method,
212 cose_alg=cose_alg,
213 signing_key=signing_key,
214 configuration=keep_going_conf))
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]215 self.assertIn("Invalid PROFILE_ID: must be a(n) <class 'str'>: found <class 'int'>",
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]216 test_ctx.records[0].getMessage())
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]217 self.assertIn("Invalid SIGNER_ID: must be a(n) <class 'bytes'>: found <class 'str'>",
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]218 test_ctx.records[1].getMessage())
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]219 self.assertIn("Invalid SIGNER_ID length: must be at least 32 bytes, found 12 bytes",
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]220 test_ctx.records[2].getMessage())
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]221 self.assertIn("Invalid MEASUREMENT length: must be at least 32 bytes, found 28 bytes",
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]222 test_ctx.records[3].getMessage())
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]223
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]224 with self.assertLogs() as test_ctx:
225 create_and_read_iat(
Mate Toth-Palb2508d52022-04-30 14:10:06 +0200[diff] [blame]226 DATA_DIR,
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]227 'invalid-hw-version.yaml',
Tamas Ban8ac8d172022-07-04 13:01:08 +0200[diff] [blame]228 PSAIoTProfile1TokenVerifier(
229 method=method,
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]230 cose_alg=cose_alg,
231 signing_key=signing_key,
232 configuration=keep_going_conf))
Tamas Ban8ac8d172022-07-04 13:01:08 +0200[diff] [blame]233 self.assertIn("Invalid HARDWARE_VERSION length; "
234 "must be 19 characters, found 10 characters",
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]235 test_ctx.records[0].getMessage())
Tamas Ban8ac8d172022-07-04 13:01:08 +0200[diff] [blame]236 self.assertIn("Invalid character at position 1",
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]237 test_ctx.records[1].getMessage())
Tamas Ban8ac8d172022-07-04 13:01:08 +0200[diff] [blame]238 self.assertIn("Invalid character - at position 4",
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]239 test_ctx.records[2].getMessage())
Tamas Ban8ac8d172022-07-04 13:01:08 +0200[diff] [blame]240 self.assertIn("Invalid character a at position 10",
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]241 test_ctx.records[3].getMessage())
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]242
243 def test_binary_string_decoding(self):
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]244 """Test binary_string decoding"""
245 method=AttestationTokenVerifier.SIGN_METHOD_SIGN1
246 cose_alg=AttestationTokenVerifier.COSE_ALG_ES256
247 signing_key = read_keyfile(KEYFILE, method)
248 iat = create_and_read_iat(
Mate Toth-Palb2508d52022-04-30 14:10:06 +0200[diff] [blame]249 DATA_DIR,
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]250 'valid-iat.yaml',
251 PSAIoTProfile1TokenVerifier(method=method,
252 cose_alg=cose_alg,
253 signing_key=signing_key,
Mate Toth-Palc7404e92022-07-15 11:11:13 +0200[diff] [blame]254 configuration=self.config)).get_token_map()
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]255 self.assertEqual(iat['SECURITY_LIFECYCLE'], 'SL_SECURED')
256
257 def test_security_lifecycle_decoding(self):
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]258 """Test security lifecycle decoding"""
259 method=AttestationTokenVerifier.SIGN_METHOD_SIGN1
260 cose_alg=AttestationTokenVerifier.COSE_ALG_ES256
261 signing_key = read_keyfile(KEYFILE, method)
262 iat = create_and_read_iat(
Mate Toth-Palb2508d52022-04-30 14:10:06 +0200[diff] [blame]263 DATA_DIR,
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]264 'valid-iat.yaml',
265 PSAIoTProfile1TokenVerifier(method=method,
266 cose_alg=cose_alg,
267 signing_key=signing_key,
Mate Toth-Palc7404e92022-07-15 11:11:13 +0200[diff] [blame]268 configuration=self.config)).get_token_map()
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]269 self.assertEqual(iat['SECURITY_LIFECYCLE'], 'SL_SECURED')