TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / TF-M / tf-m-tools / 872830317b7277476a3a88af68da17c9d3384230 / . / iat-verifier / scripts / compile_token
blob: 8ac2ccdb3b5cc6362ff550170c1848045da8a2fc [file] [log] [blame]
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]1#!/usr/bin/env python3
2#-------------------------------------------------------------------------------
3# Copyright (c) 2019-2022, Arm Limited. All rights reserved.
4#
5# SPDX-License-Identifier: BSD-3-Clause
6#
7#-------------------------------------------------------------------------------
8
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]9"""CLI tool for compiling token from a yaml file"""
10
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]11import argparse
12import logging
13import os
14import sys
15
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]16from iatverifier.util import read_token_map, convert_map_to_token, read_keyfile
17from iatverifier.util import get_cose_alg_from_key
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]18from iatverifier.psa_iot_profile1_token_verifier import PSAIoTProfile1TokenVerifier
Tamas Ban1e7944a2022-07-04 13:09:03 +0200[diff] [blame]19from iatverifier.psa_2_0_0_token_verifier import PSA_2_0_0_TokenVerifier
Mate Toth-Pal5ebca512022-03-24 16:45:51 +0100[diff] [blame]20from iatverifier.attest_token_verifier import AttestationTokenVerifier, VerifierConfiguration
21from iatverifier.cca_token_verifier import CCATokenVerifier, CCAPlatformTokenVerifier
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]22
23if __name__ == '__main__':
24 logging.basicConfig(level=logging.INFO)
25
Mate Toth-Pal6978f7c2022-03-30 14:38:55 +0200[diff] [blame]26 token_verifiers = {
27 "PSA-IoT-Profile1-token": PSAIoTProfile1TokenVerifier,
Mate Toth-Pal5ebca512022-03-24 16:45:51 +0100[diff] [blame]28 "CCA-token": CCATokenVerifier,
29 "CCA-plat-token": CCAPlatformTokenVerifier,
Tamas Ban1e7944a2022-07-04 13:09:03 +0200[diff] [blame]30 "PSA-2.0.0-token": PSA_2_0_0_TokenVerifier,
Mate Toth-Pal6978f7c2022-03-30 14:38:55 +0200[diff] [blame]31 }
32
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]33 parser = argparse.ArgumentParser()
34 parser.add_argument('source', help='Token source in YAML format')
35 parser.add_argument('-o', '--outfile',
36 help='''Output file for the compiled token. If this is not
37 specified, the token will be written to standard output.''')
Mate Toth-Pala8b46b12022-10-07 13:30:54 +0200[diff] [blame]38 parser.add_argument('-k', '--key',
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]39 help='''Path to the key in PEM format that should be used to
40 sign the token. If this is not specified, the token will be
41 unsigned.''')
Mate Toth-Pala8b46b12022-10-07 13:30:54 +0200[diff] [blame]42 parser.add_argument('--platform-key',
Mate Toth-Pal5ebca512022-03-24 16:45:51 +0100[diff] [blame]43 help='''Path to the key in PEM format that should be used to
44 sign the CCA platform token. If this is not specified,
45 the token will be unsigned.''')
Mate Toth-Pala8b46b12022-10-07 13:30:54 +0200[diff] [blame]46 parser.add_argument('--realm-key',
Mate Toth-Pal5ebca512022-03-24 16:45:51 +0100[diff] [blame]47 help='''Path to the key in PEM format that should be used to
48 sign the CCA Realm token. If this is not specified, the
49 token will be unsigned.''')
Mate Toth-Pal1527a3c2022-11-30 11:27:54 +0100[diff] [blame]50 parser.add_argument('-m', '--method', choices=['sign', 'mac', 'raw'], default='sign',
51 help='''
52 Specify how this token is to be wrapped -- whether Sign1Message or
53 Mac0Message COSE structure is to be used. In case of 'raw' no COSE envelope is
54 added to the compiled token.
55 ''')
Mate Toth-Pal6978f7c2022-03-30 14:38:55 +0200[diff] [blame]56 parser.add_argument('-t', '--token-type',
57 help='''The type of the Token.''',
58 choices=token_verifiers.keys(),
59 required=True)
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]60
61 args = parser.parse_args()
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]62
Mate Toth-Pal1527a3c2022-11-30 11:27:54 +0100[diff] [blame]63 if args.method == 'mac':
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]64 METHOD = AttestationTokenVerifier.SIGN_METHOD_MAC0
Mate Toth-Pal1527a3c2022-11-30 11:27:54 +0100[diff] [blame]65 elif args.method == 'raw':
Mate Toth-Pala8b46b12022-10-07 13:30:54 +0200[diff] [blame]66 if args.key:
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]67 raise ValueError('A keyfile cannot be specified with --raw.')
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]68 METHOD = AttestationTokenVerifier.SIGN_METHOD_RAW
Mate Toth-Pal1527a3c2022-11-30 11:27:54 +0100[diff] [blame]69 elif args.method == 'sign':
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]70 METHOD = AttestationTokenVerifier.SIGN_METHOD_SIGN1
Mate Toth-Pal1527a3c2022-11-30 11:27:54 +0100[diff] [blame]71 else:
72 assert False
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]73
Mate Toth-Pal5ebca512022-03-24 16:45:51 +0100[diff] [blame]74 configuration = VerifierConfiguration(strict=True, keep_going=False)
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]75
76 verifier_class = token_verifiers[args.token_type]
77 if verifier_class == PSAIoTProfile1TokenVerifier:
Mate Toth-Pala8b46b12022-10-07 13:30:54 +0200[diff] [blame]78 key = read_keyfile(args.key, METHOD)
Mate Toth-Pal5ebca512022-03-24 16:45:51 +0100[diff] [blame]79 if METHOD == AttestationTokenVerifier.SIGN_METHOD_SIGN1:
80 cose_alg = get_cose_alg_from_key(
81 key,
82 AttestationTokenVerifier.COSE_ALG_ES256)
83 else:
84 cose_alg = AttestationTokenVerifier.COSE_ALG_HS256
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]85 verifier = PSAIoTProfile1TokenVerifier(
86 method=METHOD,
Mate Toth-Pal5ebca512022-03-24 16:45:51 +0100[diff] [blame]87 cose_alg=cose_alg,
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]88 signing_key=key,
Mate Toth-Pal5ebca512022-03-24 16:45:51 +0100[diff] [blame]89 configuration=configuration)
90 elif verifier_class == CCATokenVerifier:
91 if METHOD != AttestationTokenVerifier.SIGN_METHOD_SIGN1:
92 logging.error('Only sign1 method is supported by this token type.\n\t')
93 sys.exit(1)
Mate Toth-Pala8b46b12022-10-07 13:30:54 +0200[diff] [blame]94 platform_token_key = read_keyfile(args.platform_key, METHOD)
95 realm_token_key = read_keyfile(args.realm_key, METHOD)
Mate Toth-Pal5ebca512022-03-24 16:45:51 +0100[diff] [blame]96 realm_token_method = AttestationTokenVerifier.SIGN_METHOD_SIGN1
97 platform_token_method = AttestationTokenVerifier.SIGN_METHOD_SIGN1
98 realm_token_cose_alg = get_cose_alg_from_key(
99 realm_token_key,
100 AttestationTokenVerifier.COSE_ALG_ES384)
101 platform_token_cose_alg = get_cose_alg_from_key(
102 platform_token_key,
103 AttestationTokenVerifier.COSE_ALG_ES384)
104 verifier = CCATokenVerifier(
105 realm_token_method=realm_token_method,
106 realm_token_cose_alg=realm_token_cose_alg,
107 realm_token_key=realm_token_key,
108 platform_token_method=platform_token_method,
109 platform_token_cose_alg=platform_token_cose_alg,
110 platform_token_key=platform_token_key,
111 configuration=configuration)
112 elif verifier_class == CCAPlatformTokenVerifier:
Mate Toth-Pala8b46b12022-10-07 13:30:54 +0200[diff] [blame]113 key_checked = args.platform_key
114 key = read_keyfile(args.platform_key, METHOD)
Mate Toth-Pal5ebca512022-03-24 16:45:51 +0100[diff] [blame]115 cose_alg = get_cose_alg_from_key(key, AttestationTokenVerifier.COSE_ALG_ES384)
116 verifier = CCAPlatformTokenVerifier(
117 method=AttestationTokenVerifier.SIGN_METHOD_SIGN1,
118 cose_alg=cose_alg,
119 signing_key=key,
120 configuration=configuration,
121 necessity=None)
Tamas Ban1e7944a2022-07-04 13:09:03 +0200[diff] [blame]122 elif verifier_class == PSA_2_0_0_TokenVerifier:
Mate Toth-Pala8b46b12022-10-07 13:30:54 +0200[diff] [blame]123 key_checked = args.key
124 key = read_keyfile(keyfile=args.key, method=METHOD)
Tamas Ban1e7944a2022-07-04 13:09:03 +0200[diff] [blame]125 if METHOD == AttestationTokenVerifier.SIGN_METHOD_SIGN1:
126 cose_alg = get_cose_alg_from_key(key, AttestationTokenVerifier.COSE_ALG_ES256)
127 else:
128 cose_alg = AttestationTokenVerifier.COSE_ALG_HS256
129 verifier = PSA_2_0_0_TokenVerifier(
130 method=METHOD,
131 cose_alg=cose_alg,
132 signing_key=key,
133 configuration=configuration)
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]134 else:
135 logging.error(f'Invalid token type:{verifier_class}\n\t')
136 sys.exit(1)
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]137 token_map = read_token_map(args.source)
138
139 if args.outfile:
140 with open(args.outfile, 'wb') as wfh:
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]141 convert_map_to_token(
142 token_map,
143 verifier,
144 wfh,
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]145 name_as_key=True,
146 parse_raw_value=True)
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]147 else:
148 with os.fdopen(sys.stdout.fileno(), 'wb') as wfh:
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]149 convert_map_to_token(
150 token_map,
151 verifier,
152 wfh,
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]153 name_as_key=True,
154 parse_raw_value=True)