Mate Toth-Pal51b61982022-03-17 14:19:30 +01001#!/usr/bin/env python3
2#-------------------------------------------------------------------------------
3# Copyright (c) 2019-2022, Arm Limited. All rights reserved.
4#
5# SPDX-License-Identifier: BSD-3-Clause
6#
7#-------------------------------------------------------------------------------
8
9import argparse
10import logging
11import os
12import sys
13
14from ecdsa import SigningKey
15from iatverifier.util import read_token_map, convert_map_to_token
16from iatverifier.psa_iot_profile1_token_verifier import PSAIoTProfile1TokenVerifier
17from iatverifier.verifiers import AttestationTokenVerifier
18
19
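if __name__ == '__main__':
    # Compile a YAML token description into an attestation token (raw CBOR,
    # COSE Sign1 or COSE Mac0) and write it to a file or to standard output.
    logging.basicConfig(level=logging.INFO)

    # Registry of supported token profiles; the keys are the accepted
    # --token-type values.
    token_verifiers = {
        "PSA-IoT-Profile1-token": PSAIoTProfile1TokenVerifier,
    }

    parser = argparse.ArgumentParser()
    parser.add_argument('source', help='Token source in YAML format')
    parser.add_argument('-o', '--outfile',
                        help='''Output file for the compiled token. If this is not
                        specified, the token will be written to standard output.''')
    parser.add_argument('-k', '--keyfile',
                        help='''Path to the key in PEM format that should be used to
                        sign the token. If this is not specified, the token will be
                        unsigned.''')
    # --raw and --hmac exclude each other; -a is independent of the group.
    group = parser.add_mutually_exclusive_group()
    parser.add_argument('-a', '--add-protected-header', action='store_true',
                        help='''
                        Add protected header to the COSE wrapper.
                        ''')
    group.add_argument('-r', '--raw', action='store_true',
                       help='''Generate raw CBOR and do not create a signature
                       or COSE wrapper.''')
    group.add_argument('-m', '--hmac', action='store_true',
                       help='''Generate a token wrapped in a Mac0 rather than
                       Sign1 COSE structure.''')
    parser.add_argument('-t', '--token-type',
                        help='''The type of the Token.''',
                        choices=token_verifiers.keys(),
                        required=True)

    args = parser.parse_args()
    signing_key = None

    cose_alg = None
    if args.hmac:
        method = AttestationTokenVerifier.SIGN_METHOD_MAC0
        cose_alg = AttestationTokenVerifier.COSE_ALG_HS256

        if args.keyfile:
            # The file content is passed on verbatim as the HS256 MAC key (no
            # PEM parsing in this branch) — presumably raw key bytes; confirm
            # against convert_map_to_token. A trailing newline in the file
            # becomes part of the key.
            with open(args.keyfile, 'rb') as fh:
                signing_key = fh.read()
    elif args.raw:
        # Rejected explicitly: --raw produces no signature, so a key would be
        # silently ignored otherwise.
        if args.keyfile:
            raise ValueError('A keyfile cannot be specified with --raw.')
        method = AttestationTokenVerifier.SIGN_METHOD_RAW
    else:
        method = AttestationTokenVerifier.SIGN_METHOD_SIGN1
        if args.keyfile:
            # ECDSA private key in PEM form, parsed by python-ecdsa.
            with open(args.keyfile) as fh:
                signing_key = SigningKey.from_pem(fh.read())

    verifier = token_verifiers[args.token_type].get_verifier()
    # Apply the command-line selection on top of the profile's defaults.
    if verifier.method != method:
        verifier.method = method
    if cose_alg is not None and verifier.cose_alg != cose_alg:
        verifier.cose_alg = cose_alg
    # NOTE(review): read_token_map() parses the YAML source; confirm it uses a
    # safe loader if the source file can come from an untrusted party.
    token_map = read_token_map(args.source)

    if args.outfile:
        with open(args.outfile, 'wb') as wfh:
            convert_map_to_token(token_map, signing_key, verifier, wfh, args.add_protected_header)
    else:
        # Write the binary token through the interpreter's own stdout buffer.
        # The previous os.fdopen(sys.stdout.fileno(), 'wb') wrapper closed
        # descriptor 1 when its `with` block ended, leaving sys.stdout on a
        # closed fd for the rest of shutdown and letting any later open()
        # silently reuse fd 1. An explicit flush replaces the close-on-exit.
        out = sys.stdout.buffer
        convert_map_to_token(token_map, signing_key, verifier, out, args.add_protected_header)
        out.flush()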
Mate Toth-Palbdb475e2022-04-24 12:11:22 +020085 convert_map_to_token(token_map, signing_key, verifier, wfh, args.add_protected_header)