TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / TF-M / tf-m-tools / b2508d50f181bc25143dccb00c2d0ba4807ef393 / . / iat-verifier / tests / test_verifier.py
blob: 417e2207fe526e67903ce674a7be67a0c620f60a [file] [log] [blame]
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]1# -----------------------------------------------------------------------------
2# Copyright (c) 2019-2022, Arm Limited. All rights reserved.
3#
4# SPDX-License-Identifier: BSD-3-Clause
5#
6# -----------------------------------------------------------------------------
7
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]8"""Unittests for iat-verifier using PSAIoTProfile1TokenVerifier"""
9
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]10import os
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]11import unittest
12
Mate Toth-Pal1cb66cd2022-04-26 15:40:07 +0200[diff] [blame]13from iatverifier.psa_iot_profile1_token_verifier import PSAIoTProfile1TokenVerifier
Mate Toth-Palb2508d52022-04-30 14:10:06 +0200[diff] [blame^]14from iatverifier.util import read_keyfile
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]15from iatverifier.attest_token_verifier import VerifierConfiguration, AttestationTokenVerifier
Mate Toth-Palb2508d52022-04-30 14:10:06 +0200[diff] [blame^]16from test_utils import create_and_read_iat, read_iat, create_token_tmp_file
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]17
18
19THIS_DIR = os.path.dirname(__file__)
20
21DATA_DIR = os.path.join(THIS_DIR, 'data')
22KEYFILE = os.path.join(DATA_DIR, 'key.pem')
23KEYFILE_ALT = os.path.join(DATA_DIR, 'key-alt.pem')
24
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]25class TestIatVerifier(unittest.TestCase):
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]26 """A class used for testing iat-verifier.
27
28 This class uses the claim and token definitions for PSA Attestation Token"""
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]29
30 def setUp(self):
31 self.config = VerifierConfiguration()
32
33 def test_validate_signature(self):
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]34 """Testing Signature validation"""
35 method=AttestationTokenVerifier.SIGN_METHOD_SIGN1
36 cose_alg=AttestationTokenVerifier.COSE_ALG_ES256
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]37
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]38 signing_key = read_keyfile(KEYFILE, method)
39 verifier_good_sig = PSAIoTProfile1TokenVerifier(
40 method=method,
41 cose_alg=cose_alg,
42 signing_key=signing_key,
43 configuration=self.config)
Mate Toth-Palb2508d52022-04-30 14:10:06 +0200[diff] [blame^]44 good_sig = create_token_tmp_file(DATA_DIR, 'valid-iat.yaml', verifier_good_sig)
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]45
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]46 signing_key = read_keyfile(KEYFILE_ALT, method)
47 verifier_bad_sig = PSAIoTProfile1TokenVerifier(
48 method=method,
49 cose_alg=cose_alg,
50 signing_key=signing_key,
51 configuration=self.config)
Mate Toth-Palb2508d52022-04-30 14:10:06 +0200[diff] [blame^]52 bad_sig = create_token_tmp_file(DATA_DIR, 'valid-iat.yaml', verifier_bad_sig)
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]53
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]54 #dump_file_binary(good_sig)
55
56 with open(good_sig, 'rb') as wfh:
57 verifier_good_sig.parse_token(
58 token=wfh.read(),
59 verify=True,
60 check_p_header=False,
61 lower_case_key=False)
62
63
64 with self.assertRaises(ValueError) as test_ctx:
65 with open(bad_sig, 'rb') as wfh:
66 verifier_good_sig.parse_token(
67 token=wfh.read(),
68 verify=True,
69 check_p_header=False,
70 lower_case_key=False)
71
72 self.assertIn('Bad signature', test_ctx.exception.args[0])
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]73
74 def test_validate_iat_structure(self):
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]75 """Testing IAT structure validation"""
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]76 keep_going_conf = VerifierConfiguration(keep_going=True)
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]77 method=AttestationTokenVerifier.SIGN_METHOD_SIGN1
78 cose_alg=AttestationTokenVerifier.COSE_ALG_ES256
79 signing_key = read_keyfile(KEYFILE, method)
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]80
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]81 create_and_read_iat(
Mate Toth-Palb2508d52022-04-30 14:10:06 +0200[diff] [blame^]82 DATA_DIR,
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]83 'valid-iat.yaml',
84 PSAIoTProfile1TokenVerifier(method=method,
85 cose_alg=cose_alg,
86 signing_key=signing_key,
87 configuration=self.config))
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]88
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]89 with self.assertRaises(ValueError) as test_ctx:
90 create_and_read_iat(
Mate Toth-Palb2508d52022-04-30 14:10:06 +0200[diff] [blame^]91 DATA_DIR,
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]92 'invalid-profile-id.yaml',
93 PSAIoTProfile1TokenVerifier(method=method,
94 cose_alg=cose_alg,
95 signing_key=signing_key,
96 configuration=self.config))
97 self.assertIn('Invalid PROFILE_ID', test_ctx.exception.args[0])
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]98
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]99 with self.assertRaises(ValueError) as test_ctx:
100 read_iat(
Mate Toth-Palb2508d52022-04-30 14:10:06 +0200[diff] [blame^]101 DATA_DIR,
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]102 'malformed.cbor',
103 PSAIoTProfile1TokenVerifier(method=method,
104 cose_alg=cose_alg,
105 signing_key=signing_key,
106 configuration=self.config))
107 self.assertIn('Bad COSE', test_ctx.exception.args[0])
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]108
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]109 with self.assertRaises(ValueError) as test_ctx:
110 create_and_read_iat(
Mate Toth-Palb2508d52022-04-30 14:10:06 +0200[diff] [blame^]111 DATA_DIR,
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]112 'missing-claim.yaml',
113 PSAIoTProfile1TokenVerifier(method=method,
114 cose_alg=cose_alg,
115 signing_key=signing_key,
116 configuration=self.config))
117 self.assertIn('missing MANDATORY claim', test_ctx.exception.args[0])
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]118
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]119 with self.assertRaises(ValueError) as test_ctx:
120 create_and_read_iat(
Mate Toth-Palb2508d52022-04-30 14:10:06 +0200[diff] [blame^]121 DATA_DIR,
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]122 'submod-missing-claim.yaml',
123 PSAIoTProfile1TokenVerifier(method=method,
124 cose_alg=cose_alg,
125 signing_key=signing_key,
126 configuration=self.config))
127 self.assertIn('missing MANDATORY claim', test_ctx.exception.args[0])
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]128
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]129 with self.assertRaises(ValueError) as test_ctx:
130 create_and_read_iat(
Mate Toth-Palb2508d52022-04-30 14:10:06 +0200[diff] [blame^]131 DATA_DIR,
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]132 'missing-sw-comps.yaml',
133 PSAIoTProfile1TokenVerifier(method=method,
134 cose_alg=cose_alg,
135 signing_key=signing_key,
136 configuration=self.config))
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]137 self.assertIn('NO_MEASUREMENTS claim is not present',
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]138 test_ctx.exception.args[0])
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]139
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]140 with self.assertLogs() as test_ctx:
141 create_and_read_iat(
Mate Toth-Palb2508d52022-04-30 14:10:06 +0200[diff] [blame^]142 DATA_DIR,
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]143 'missing-signer-id.yaml',
144 PSAIoTProfile1TokenVerifier(method=method,
145 cose_alg=cose_alg,
146 signing_key=signing_key,
147 configuration=self.config))
Mate Toth-Pald10a9142022-04-28 15:34:13 +0200[diff] [blame]148 self.assertIn('Missing RECOMMENDED claim "SIGNER_ID" from SW_COMPONENTS',
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]149 test_ctx.records[0].getMessage())
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]150
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]151 with self.assertLogs() as test_ctx:
152 create_and_read_iat(
Mate Toth-Palb2508d52022-04-30 14:10:06 +0200[diff] [blame^]153 DATA_DIR,
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]154 'invalid-type-length.yaml',
155 PSAIoTProfile1TokenVerifier(method=method,
156 cose_alg=cose_alg,
157 signing_key=signing_key,
158 configuration=keep_going_conf))
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]159 self.assertIn("Invalid PROFILE_ID: must be a(n) <class 'str'>: found <class 'int'>",
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]160 test_ctx.records[0].getMessage())
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]161 self.assertIn("Invalid SIGNER_ID: must be a(n) <class 'bytes'>: found <class 'str'>",
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]162 test_ctx.records[1].getMessage())
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]163 self.assertIn("Invalid SIGNER_ID length: must be at least 32 bytes, found 12 bytes",
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]164 test_ctx.records[2].getMessage())
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]165 self.assertIn("Invalid MEASUREMENT length: must be at least 32 bytes, found 28 bytes",
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]166 test_ctx.records[3].getMessage())
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]167
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]168 with self.assertLogs() as test_ctx:
169 create_and_read_iat(
Mate Toth-Palb2508d52022-04-30 14:10:06 +0200[diff] [blame^]170 DATA_DIR,
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]171 'invalid-hw-version.yaml',
172 PSAIoTProfile1TokenVerifier(method=method,
173 cose_alg=cose_alg,
174 signing_key=signing_key,
175 configuration=keep_going_conf))
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]176 self.assertIn("Invalid HARDWARE_VERSION length; must be 13 digits, found 10 characters",
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]177 test_ctx.records[0].getMessage())
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]178 self.assertIn("Invalid digit at position 1",
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]179 test_ctx.records[1].getMessage())
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]180 self.assertIn("Invalid digit - at position 4",
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]181 test_ctx.records[2].getMessage())
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]182 self.assertIn("Invalid digit a at position 10",
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]183 test_ctx.records[3].getMessage())
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]184
185 def test_binary_string_decoding(self):
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]186 """Test binary_string decoding"""
187 method=AttestationTokenVerifier.SIGN_METHOD_SIGN1
188 cose_alg=AttestationTokenVerifier.COSE_ALG_ES256
189 signing_key = read_keyfile(KEYFILE, method)
190 iat = create_and_read_iat(
Mate Toth-Palb2508d52022-04-30 14:10:06 +0200[diff] [blame^]191 DATA_DIR,
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]192 'valid-iat.yaml',
193 PSAIoTProfile1TokenVerifier(method=method,
194 cose_alg=cose_alg,
195 signing_key=signing_key,
196 configuration=self.config))
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]197 self.assertEqual(iat['SECURITY_LIFECYCLE'], 'SL_SECURED')
198
199 def test_security_lifecycle_decoding(self):
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]200 """Test security lifecycle decoding"""
201 method=AttestationTokenVerifier.SIGN_METHOD_SIGN1
202 cose_alg=AttestationTokenVerifier.COSE_ALG_ES256
203 signing_key = read_keyfile(KEYFILE, method)
204 iat = create_and_read_iat(
Mate Toth-Palb2508d52022-04-30 14:10:06 +0200[diff] [blame^]205 DATA_DIR,
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]206 'valid-iat.yaml',
207 PSAIoTProfile1TokenVerifier(method=method,
208 cose_alg=cose_alg,
209 signing_key=signing_key,
210 configuration=self.config))
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]211 self.assertEqual(iat['SECURITY_LIFECYCLE'], 'SL_SECURED')