TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / TF-M / tf-m-tools / e305e55b3a70b4796bb2f90f3173bf1e93fa4301 / . / iat-verifier / scripts / compile_token
blob: e060529c76dc11426b51263f36f83763615f4631 [file] [log] [blame]
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]1#!/usr/bin/env python3
2#-------------------------------------------------------------------------------
3# Copyright (c) 2019-2022, Arm Limited. All rights reserved.
4#
5# SPDX-License-Identifier: BSD-3-Clause
6#
7#-------------------------------------------------------------------------------
8
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]9"""CLI tool for compiling token from a yaml file"""
10
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]11import argparse
12import logging
13import os
14import sys
15
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]16from iatverifier.util import read_token_map, convert_map_to_token, read_keyfile
17from iatverifier.util import get_cose_alg_from_key
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]18from iatverifier.psa_iot_profile1_token_verifier import PSAIoTProfile1TokenVerifier
Tamas Ban1e7944a2022-07-04 13:09:03 +0200[diff] [blame]19from iatverifier.psa_2_0_0_token_verifier import PSA_2_0_0_TokenVerifier
Mate Toth-Pal5ebca512022-03-24 16:45:51 +0100[diff] [blame]20from iatverifier.attest_token_verifier import AttestationTokenVerifier, VerifierConfiguration
21from iatverifier.cca_token_verifier import CCATokenVerifier, CCAPlatformTokenVerifier
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]22
23if __name__ == '__main__':
24 logging.basicConfig(level=logging.INFO)
25
Mate Toth-Pal6978f7c2022-03-30 14:38:55 +0200[diff] [blame]26 token_verifiers = {
27 "PSA-IoT-Profile1-token": PSAIoTProfile1TokenVerifier,
Mate Toth-Pal5ebca512022-03-24 16:45:51 +0100[diff] [blame]28 "CCA-token": CCATokenVerifier,
29 "CCA-plat-token": CCAPlatformTokenVerifier,
Tamas Ban1e7944a2022-07-04 13:09:03 +0200[diff] [blame]30 "PSA-2.0.0-token": PSA_2_0_0_TokenVerifier,
Mate Toth-Pal6978f7c2022-03-30 14:38:55 +0200[diff] [blame]31 }
32
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]33 parser = argparse.ArgumentParser()
34 parser.add_argument('source', help='Token source in YAML format')
35 parser.add_argument('-o', '--outfile',
36 help='''Output file for the compiled token. If this is not
37 specified, the token will be written to standard output.''')
Mate Toth-Pala8b46b12022-10-07 13:30:54 +0200[diff] [blame]38 parser.add_argument('-k', '--key',
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]39 help='''Path to the key in PEM format that should be used to
40 sign the token. If this is not specified, the token will be
41 unsigned.''')
Mate Toth-Pala8b46b12022-10-07 13:30:54 +0200[diff] [blame]42 parser.add_argument('--platform-key',
Mate Toth-Pal5ebca512022-03-24 16:45:51 +0100[diff] [blame]43 help='''Path to the key in PEM format that should be used to
44 sign the CCA platform token. If this is not specified,
45 the token will be unsigned.''')
Mate Toth-Pala8b46b12022-10-07 13:30:54 +0200[diff] [blame]46 parser.add_argument('--realm-key',
Mate Toth-Pal5ebca512022-03-24 16:45:51 +0100[diff] [blame]47 help='''Path to the key in PEM format that should be used to
48 sign the CCA Realm token. If this is not specified, the
49 token will be unsigned.''')
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]50 group = parser.add_mutually_exclusive_group()
51 group.add_argument('-r', '--raw', action='store_true',
52 help='''Generate raw CBOR and do not create a signature
53 or COSE wrapper.''')
54 group.add_argument('-m', '--hmac', action='store_true',
55 help='''Generate a token wrapped in a Mac0 rather than
56 Sign1 COSE structure.''')
Mate Toth-Pal6978f7c2022-03-30 14:38:55 +0200[diff] [blame]57 parser.add_argument('-t', '--token-type',
58 help='''The type of the Token.''',
59 choices=token_verifiers.keys(),
60 required=True)
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]61
62 args = parser.parse_args()
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]63
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]64 if args.hmac:
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]65 METHOD = AttestationTokenVerifier.SIGN_METHOD_MAC0
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]66 elif args.raw:
Mate Toth-Pala8b46b12022-10-07 13:30:54 +0200[diff] [blame]67 if args.key:
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]68 raise ValueError('A keyfile cannot be specified with --raw.')
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]69 METHOD = AttestationTokenVerifier.SIGN_METHOD_RAW
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]70 else:
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]71 METHOD = AttestationTokenVerifier.SIGN_METHOD_SIGN1
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]72
Mate Toth-Pal5ebca512022-03-24 16:45:51 +0100[diff] [blame]73 configuration = VerifierConfiguration(strict=True, keep_going=False)
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]74
75 verifier_class = token_verifiers[args.token_type]
76 if verifier_class == PSAIoTProfile1TokenVerifier:
Mate Toth-Pala8b46b12022-10-07 13:30:54 +0200[diff] [blame]77 key = read_keyfile(args.key, METHOD)
Mate Toth-Pal5ebca512022-03-24 16:45:51 +0100[diff] [blame]78 if METHOD == AttestationTokenVerifier.SIGN_METHOD_SIGN1:
79 cose_alg = get_cose_alg_from_key(
80 key,
81 AttestationTokenVerifier.COSE_ALG_ES256)
82 else:
83 cose_alg = AttestationTokenVerifier.COSE_ALG_HS256
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]84 verifier = PSAIoTProfile1TokenVerifier(
85 method=METHOD,
Mate Toth-Pal5ebca512022-03-24 16:45:51 +0100[diff] [blame]86 cose_alg=cose_alg,
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]87 signing_key=key,
Mate Toth-Pal5ebca512022-03-24 16:45:51 +0100[diff] [blame]88 configuration=configuration)
89 elif verifier_class == CCATokenVerifier:
90 if METHOD != AttestationTokenVerifier.SIGN_METHOD_SIGN1:
91 logging.error('Only sign1 method is supported by this token type.\n\t')
92 sys.exit(1)
Mate Toth-Pala8b46b12022-10-07 13:30:54 +0200[diff] [blame]93 platform_token_key = read_keyfile(args.platform_key, METHOD)
94 realm_token_key = read_keyfile(args.realm_key, METHOD)
Mate Toth-Pal5ebca512022-03-24 16:45:51 +0100[diff] [blame]95 realm_token_method = AttestationTokenVerifier.SIGN_METHOD_SIGN1
96 platform_token_method = AttestationTokenVerifier.SIGN_METHOD_SIGN1
97 realm_token_cose_alg = get_cose_alg_from_key(
98 realm_token_key,
99 AttestationTokenVerifier.COSE_ALG_ES384)
100 platform_token_cose_alg = get_cose_alg_from_key(
101 platform_token_key,
102 AttestationTokenVerifier.COSE_ALG_ES384)
103 verifier = CCATokenVerifier(
104 realm_token_method=realm_token_method,
105 realm_token_cose_alg=realm_token_cose_alg,
106 realm_token_key=realm_token_key,
107 platform_token_method=platform_token_method,
108 platform_token_cose_alg=platform_token_cose_alg,
109 platform_token_key=platform_token_key,
110 configuration=configuration)
111 elif verifier_class == CCAPlatformTokenVerifier:
Mate Toth-Pala8b46b12022-10-07 13:30:54 +0200[diff] [blame]112 key_checked = args.platform_key
113 key = read_keyfile(args.platform_key, METHOD)
Mate Toth-Pal5ebca512022-03-24 16:45:51 +0100[diff] [blame]114 cose_alg = get_cose_alg_from_key(key, AttestationTokenVerifier.COSE_ALG_ES384)
115 verifier = CCAPlatformTokenVerifier(
116 method=AttestationTokenVerifier.SIGN_METHOD_SIGN1,
117 cose_alg=cose_alg,
118 signing_key=key,
119 configuration=configuration,
120 necessity=None)
Tamas Ban1e7944a2022-07-04 13:09:03 +0200[diff] [blame]121 elif verifier_class == PSA_2_0_0_TokenVerifier:
Mate Toth-Pala8b46b12022-10-07 13:30:54 +0200[diff] [blame]122 key_checked = args.key
123 key = read_keyfile(keyfile=args.key, method=METHOD)
Tamas Ban1e7944a2022-07-04 13:09:03 +0200[diff] [blame]124 if METHOD == AttestationTokenVerifier.SIGN_METHOD_SIGN1:
125 cose_alg = get_cose_alg_from_key(key, AttestationTokenVerifier.COSE_ALG_ES256)
126 else:
127 cose_alg = AttestationTokenVerifier.COSE_ALG_HS256
128 verifier = PSA_2_0_0_TokenVerifier(
129 method=METHOD,
130 cose_alg=cose_alg,
131 signing_key=key,
132 configuration=configuration)
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]133 else:
134 logging.error(f'Invalid token type:{verifier_class}\n\t')
135 sys.exit(1)
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]136 token_map = read_token_map(args.source)
137
138 if args.outfile:
139 with open(args.outfile, 'wb') as wfh:
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]140 convert_map_to_token(
141 token_map,
142 verifier,
143 wfh,
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]144 name_as_key=True,
145 parse_raw_value=True)
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]146 else:
147 with os.fdopen(sys.stdout.fileno(), 'wb') as wfh:
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]148 convert_map_to_token(
149 token_map,
150 verifier,
151 wfh,
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]152 name_as_key=True,
153 parse_raw_value=True)