| Mate Toth-Pal | b2508d5 | 2022-04-30 14:10:06 +0200 | [diff] [blame] | 1 | #------------------------------------------------------------------------------- |
| 2 | # Copyright (c) 2022, Arm Limited. All rights reserved. |
| 3 | # |
| 4 | # SPDX-License-Identifier: BSD-3-Clause |
| 5 | # |
| 6 | #------------------------------------------------------------------------------- |
| 7 | |
| 8 | """ |
| 9 | This test is used to test features that are not used by the PSA IoT profile1 |
| 10 | tokens |
| 11 | """ |
| 12 | |
| 13 | import os |
| 14 | import unittest |
| 15 | |
| 16 | from iatverifier.util import read_token_map, read_keyfile |
| 17 | from iatverifier.attest_token_verifier import VerifierConfiguration, AttestationTokenVerifier |
| Mate Toth-Pal | e589c45 | 2022-07-27 22:02:40 +0200 | [diff] [blame] | 18 | from tests.synthetic_token_verifier import SyntheticTokenVerifier2, SyntheticTokenVerifier |
| Mate Toth-Pal | e305e55 | 2022-10-07 14:04:53 +0200 | [diff] [blame] | 19 | from tests.test_utils import read_iat, create_and_read_iat |
| 20 | from tests.test_utils import convert_map_to_token_bytes, bytes_equal_to_file |
| Mate Toth-Pal | b2508d5 | 2022-04-30 14:10:06 +0200 | [diff] [blame] | 21 | |
| 22 | |
| 23 | THIS_DIR = os.path.dirname(__file__) |
| 24 | |
| 25 | DATA_DIR = os.path.join(THIS_DIR, 'synthetic_data') |
| 26 | KEY_DIR = os.path.join(THIS_DIR, 'data') |
| 27 | KEYFILE = os.path.join(KEY_DIR, 'key.pem') |
| 28 | KEYFILE_ALT = os.path.join(KEY_DIR, 'key-alt.pem') |
| 29 | |
| 30 | class TestSynthetic(unittest.TestCase): |
| 31 | """Test iat-verifier's nested IAT feature""" |
| 32 | def setUp(self): |
| 33 | self.config = VerifierConfiguration() |
| 34 | |
| 35 | def test_composite(self): |
| 36 | """Test cross claim checking in composite claim""" |
| 37 | method=AttestationTokenVerifier.SIGN_METHOD_SIGN1 |
| 38 | cose_alg=AttestationTokenVerifier.COSE_ALG_ES256 |
| 39 | signing_key = read_keyfile(KEYFILE, method) |
| 40 | |
| 41 | create_and_read_iat( |
| 42 | DATA_DIR, |
| 43 | 'synthetic_token.yaml', |
| 44 | SyntheticTokenVerifier( |
| 45 | method=method, |
| 46 | cose_alg=cose_alg, |
| 47 | signing_key=signing_key, |
| 48 | configuration=self.config, |
| 49 | internal_signing_key=signing_key)) |
| 50 | |
| 51 | with self.assertRaises(ValueError) as test_ctx: |
| 52 | create_and_read_iat( |
| 53 | DATA_DIR, |
| 54 | 'synthetic_token_missing_box_dim.yaml', |
| 55 | SyntheticTokenVerifier( |
| 56 | method=method, |
| 57 | cose_alg=cose_alg, |
| 58 | signing_key=signing_key, |
| 59 | configuration=self.config, |
| 60 | internal_signing_key=signing_key)) |
| 61 | self.assertIn( |
| 62 | 'Invalid IAT: Box size must have all 3 dimensions', test_ctx.exception.args[0]) |
| 63 | |
| 64 | create_and_read_iat( |
| 65 | DATA_DIR, |
| 66 | 'synthetic_token_another_token.yaml', |
| 67 | SyntheticTokenVerifier( |
| 68 | method=method, |
| 69 | cose_alg=cose_alg, |
| 70 | signing_key=signing_key, |
| 71 | configuration=self.config, |
| 72 | internal_signing_key=signing_key)) |
| 73 | |
| 74 | with self.assertRaises(ValueError) as test_ctx: |
| 75 | create_and_read_iat( |
| 76 | DATA_DIR, |
| 77 | 'synthetic_token_another_token_missing_box_dim.yaml', |
| 78 | SyntheticTokenVerifier(method=method, |
| 79 | cose_alg=cose_alg, |
| 80 | signing_key=signing_key, |
| 81 | configuration=self.config, |
| 82 | internal_signing_key=signing_key)) |
| 83 | self.assertIn( |
| 84 | 'Invalid IAT: Box size must have all 3 dimensions', test_ctx.exception.args[0]) |
| 85 | |
| 86 | def test_protected_header(self): |
| 87 | """Test protected header detection""" |
| 88 | source_path = os.path.join(DATA_DIR, 'synthetic_token_another_token.yaml') |
| 89 | token_map = read_token_map(source_path) |
| 90 | |
| 91 | method=AttestationTokenVerifier.SIGN_METHOD_SIGN1 |
| 92 | cose_alg=AttestationTokenVerifier.COSE_ALG_ES256 |
| 93 | signing_key = read_keyfile(KEYFILE, method) |
| Mate Toth-Pal | 138637a | 2022-07-28 10:57:06 +0200 | [diff] [blame] | 94 | config = VerifierConfiguration(keep_going=True, strict=True) |
| Mate Toth-Pal | b2508d5 | 2022-04-30 14:10:06 +0200 | [diff] [blame] | 95 | |
| 96 | verifier = SyntheticTokenVerifier( |
| 97 | method=method, |
| 98 | cose_alg=cose_alg, |
| 99 | signing_key=signing_key, |
| 100 | configuration=self.config, |
| 101 | internal_signing_key=signing_key) |
| 102 | |
| Mate Toth-Pal | e305e55 | 2022-10-07 14:04:53 +0200 | [diff] [blame] | 103 | token_p_header = convert_map_to_token_bytes(token_map, verifier) |
| Mate Toth-Pal | b2508d5 | 2022-04-30 14:10:06 +0200 | [diff] [blame] | 104 | |
| 105 | self.assertTrue( |
| 106 | bytes_equal_to_file(token_p_header, os.path.join(DATA_DIR, 'p_header_on.cbor'))) |
| Mate Toth-Pal | e589c45 | 2022-07-27 22:02:40 +0200 | [diff] [blame] | 107 | |
| Mate Toth-Pal | 138637a | 2022-07-28 10:57:06 +0200 | [diff] [blame] | 108 | with self.assertLogs() as test_ctx: |
| 109 | read_iat( |
| 110 | DATA_DIR, |
| 111 | 'inverted_p_header.cbor', |
| 112 | SyntheticTokenVerifier(method=method, |
| 113 | cose_alg=cose_alg, |
| 114 | signing_key=signing_key, |
| 115 | configuration=config, |
| Mate Toth-Pal | e305e55 | 2022-10-07 14:04:53 +0200 | [diff] [blame] | 116 | internal_signing_key=signing_key)) |
| Mate Toth-Pal | 138637a | 2022-07-28 10:57:06 +0200 | [diff] [blame] | 117 | self.assertEquals(2, len(test_ctx.output)) |
| 118 | self.assertIn('Unexpected protected header', test_ctx.output[0]) |
| 119 | self.assertIn('Missing alg from protected header (expected ES256)', test_ctx.output[1]) |
| 120 | |
| 121 | with self.assertLogs() as test_ctx: |
| 122 | read_iat( |
| 123 | DATA_DIR, |
| 124 | 'inverted_p_header2.cbor', |
| 125 | SyntheticTokenVerifier2(method=method, |
| 126 | cose_alg=cose_alg, |
| 127 | signing_key=signing_key, |
| 128 | configuration=config, |
| Mate Toth-Pal | e305e55 | 2022-10-07 14:04:53 +0200 | [diff] [blame] | 129 | internal_signing_key=signing_key)) |
| Mate Toth-Pal | 138637a | 2022-07-28 10:57:06 +0200 | [diff] [blame] | 130 | self.assertEquals(2, len(test_ctx.output)) |
| 131 | self.assertIn('Missing alg from protected header (expected ES256)', test_ctx.output[0]) |
| 132 | self.assertIn('Unexpected protected header', test_ctx.output[1]) |
| 133 | |
| Mate Toth-Pal | e589c45 | 2022-07-27 22:02:40 +0200 | [diff] [blame] | 134 | def test_tagging_support(self): |
| 135 | method=AttestationTokenVerifier.SIGN_METHOD_SIGN1 |
| 136 | cose_alg=AttestationTokenVerifier.COSE_ALG_ES256 |
| 137 | |
| 138 | signing_key = read_keyfile(KEYFILE, method) |
| Mate Toth-Pal | 138637a | 2022-07-28 10:57:06 +0200 | [diff] [blame] | 139 | config = VerifierConfiguration(keep_going=True, strict=True) |
| Mate Toth-Pal | e589c45 | 2022-07-27 22:02:40 +0200 | [diff] [blame] | 140 | |
| 141 | # test with unexpected tag |
| 142 | with self.assertLogs() as test_ctx: |
| 143 | read_iat( |
| 144 | DATA_DIR, |
| 145 | 'unexpected_tags.cbor', |
| 146 | SyntheticTokenVerifier(method=method, |
| 147 | cose_alg=cose_alg, |
| 148 | signing_key=signing_key, |
| Mate Toth-Pal | 138637a | 2022-07-28 10:57:06 +0200 | [diff] [blame] | 149 | configuration=config, |
| Mate Toth-Pal | e589c45 | 2022-07-27 22:02:40 +0200 | [diff] [blame] | 150 | internal_signing_key=signing_key)) |
| Mate Toth-Pal | e305e55 | 2022-10-07 14:04:53 +0200 | [diff] [blame] | 151 | self.assertEquals(3, len(test_ctx.output)) |
| Mate Toth-Pal | e589c45 | 2022-07-27 22:02:40 +0200 | [diff] [blame] | 152 | self.assertIn('Unexpected tag (0xcdcd) in token SYNTHETIC_TOKEN', test_ctx.output[0]) |
| Mate Toth-Pal | e305e55 | 2022-10-07 14:04:53 +0200 | [diff] [blame] | 153 | self.assertIn('Invalid Protected header: Missing alg from protected header (expected ES256)', test_ctx.output[1]) |
| 154 | self.assertIn('Unexpected tag (0xabab) in token SYNTHETIC_INTERNAL_TOKEN', test_ctx.output[2]) |
| Mate Toth-Pal | e589c45 | 2022-07-27 22:02:40 +0200 | [diff] [blame] | 155 | |
| 156 | # test with missing tag |
| 157 | with self.assertLogs() as test_ctx: |
| 158 | read_iat( |
| 159 | DATA_DIR, |
| 160 | 'missing_tags.cbor', |
| 161 | SyntheticTokenVerifier2(method=method, |
| 162 | cose_alg=cose_alg, |
| 163 | signing_key=signing_key, |
| Mate Toth-Pal | 138637a | 2022-07-28 10:57:06 +0200 | [diff] [blame] | 164 | configuration=config, |
| Mate Toth-Pal | e589c45 | 2022-07-27 22:02:40 +0200 | [diff] [blame] | 165 | internal_signing_key=signing_key)) |
| 166 | self.assertEquals(2, len(test_ctx.output)) |
| 167 | self.assertIn('token SYNTHETIC_TOKEN_2 should be wrapped in tag 0xaabb', test_ctx.output[0]) |
| 168 | self.assertIn('token SYNTHETIC_INTERNAL_TOKEN_2 should be wrapped in tag 0xbbaa', test_ctx.output[1]) |
| 169 | |
| 170 | # Test Invalid tag values |
| 171 | with self.assertLogs() as test_ctx: |
| 172 | read_iat( |
| 173 | DATA_DIR, |
| 174 | 'invalid_tags.cbor', |
| 175 | SyntheticTokenVerifier2(method=method, |
| 176 | cose_alg=cose_alg, |
| 177 | signing_key=signing_key, |
| Mate Toth-Pal | 138637a | 2022-07-28 10:57:06 +0200 | [diff] [blame] | 178 | configuration=config, |
| Mate Toth-Pal | e589c45 | 2022-07-27 22:02:40 +0200 | [diff] [blame] | 179 | internal_signing_key=signing_key)) |
| 180 | self.assertEquals(2, len(test_ctx.output)) |
| 181 | self.assertIn('token SYNTHETIC_TOKEN_2 is wrapped in tag 0xabab instead of 0xaabb', test_ctx.output[0]) |
| 182 | self.assertIn('token SYNTHETIC_INTERNAL_TOKEN_2 is wrapped in tag 0xbaba instead of 0xbbaa', test_ctx.output[1]) |
| 183 | |
| 184 | # Test proper tagging |
| 185 | read_iat( |
| 186 | DATA_DIR, |
| 187 | 'correct_tagging.cbor', |
| 188 | SyntheticTokenVerifier2(method=method, |
| 189 | cose_alg=cose_alg, |
| 190 | signing_key=signing_key, |
| 191 | configuration=self.config, |
| 192 | internal_signing_key=signing_key)) |
| Mate Toth-Pal | 1093a8a | 2022-08-23 09:48:41 +0200 | [diff] [blame] | 193 | |
| 194 | def test_unknown_claims(self): |
| 195 | |
| 196 | method=AttestationTokenVerifier.SIGN_METHOD_SIGN1 |
| 197 | cose_alg=AttestationTokenVerifier.COSE_ALG_ES256 |
| 198 | signing_key = read_keyfile(KEYFILE, method) |
| 199 | config = VerifierConfiguration(keep_going=True, strict=False) |
| 200 | |
| 201 | test_verifier=SyntheticTokenVerifier2(method=method, |
| 202 | cose_alg=cose_alg, |
| 203 | signing_key=signing_key, |
| 204 | configuration=config, |
| 205 | internal_signing_key=signing_key) |
| 206 | |
| 207 | with self.assertLogs() as test_ctx: |
| 208 | read_iat( |
| 209 | DATA_DIR, |
| 210 | 'unknown_claims.cbor', |
| 211 | test_verifier) |
| 212 | self.assertEquals(4, len(test_ctx.output)) |
| Mate Toth-Pal | c7404e9 | 2022-07-15 11:11:13 +0200 | [diff] [blame] | 213 | self.assertIn('Unexpected TOKEN_ROOT_CLAIMS claim: 9901, skipping', test_ctx.output[0]) |
| Mate Toth-Pal | 1093a8a | 2022-08-23 09:48:41 +0200 | [diff] [blame] | 214 | self.assertIn('Unexpected SYN_BOXES claim: 9902, skipping', test_ctx.output[1]) |
| Mate Toth-Pal | c7404e9 | 2022-07-15 11:11:13 +0200 | [diff] [blame] | 215 | self.assertIn('Unexpected TOKEN_ROOT_CLAIMS claim: 9903, skipping', test_ctx.output[2]) |
| Mate Toth-Pal | 1093a8a | 2022-08-23 09:48:41 +0200 | [diff] [blame] | 216 | self.assertIn('Unexpected SYN_BOXES claim: 9904, skipping', test_ctx.output[3]) |
| 217 | |
| 218 | config = VerifierConfiguration(keep_going=True, strict=True) |
| 219 | |
| 220 | test_verifier=SyntheticTokenVerifier2(method=method, |
| 221 | cose_alg=cose_alg, |
| 222 | signing_key=signing_key, |
| 223 | configuration=config, |
| 224 | internal_signing_key=signing_key) |
| 225 | |
| 226 | with self.assertLogs() as test_ctx: |
| 227 | read_iat( |
| 228 | DATA_DIR, |
| 229 | 'unknown_claims.cbor', |
| 230 | test_verifier) |
| 231 | self.assertEquals(4, len(test_ctx.output)) |
| Mate Toth-Pal | c7404e9 | 2022-07-15 11:11:13 +0200 | [diff] [blame] | 232 | self.assertIn('ERROR:iat-verifiers:Unexpected TOKEN_ROOT_CLAIMS claim: 9901', test_ctx.output[0]) |
| Mate Toth-Pal | 1093a8a | 2022-08-23 09:48:41 +0200 | [diff] [blame] | 233 | self.assertIn('ERROR:iat-verifiers:Unexpected SYN_BOXES claim: 9902', test_ctx.output[1]) |
| Mate Toth-Pal | c7404e9 | 2022-07-15 11:11:13 +0200 | [diff] [blame] | 234 | self.assertIn('ERROR:iat-verifiers:Unexpected TOKEN_ROOT_CLAIMS claim: 9903', test_ctx.output[2]) |
| Mate Toth-Pal | 1093a8a | 2022-08-23 09:48:41 +0200 | [diff] [blame] | 235 | self.assertIn('ERROR:iat-verifiers:Unexpected SYN_BOXES claim: 9904', test_ctx.output[3]) |
| 236 | |
| 237 | config = VerifierConfiguration(keep_going=False, strict=False) |
| 238 | |
| 239 | test_verifier=SyntheticTokenVerifier2(method=method, |
| 240 | cose_alg=cose_alg, |
| 241 | signing_key=signing_key, |
| 242 | configuration=config, |
| 243 | internal_signing_key=signing_key) |
| 244 | |
| 245 | with self.assertLogs() as test_ctx: |
| 246 | read_iat( |
| 247 | DATA_DIR, |
| 248 | 'unknown_claims.cbor', |
| 249 | test_verifier) |
| Mate Toth-Pal | c7404e9 | 2022-07-15 11:11:13 +0200 | [diff] [blame] | 250 | self.assertIn('Unexpected TOKEN_ROOT_CLAIMS claim: 9901, skipping', test_ctx.output[0]) |
| Mate Toth-Pal | 1093a8a | 2022-08-23 09:48:41 +0200 | [diff] [blame] | 251 | self.assertIn('Unexpected SYN_BOXES claim: 9902, skipping', test_ctx.output[1]) |
| Mate Toth-Pal | c7404e9 | 2022-07-15 11:11:13 +0200 | [diff] [blame] | 252 | self.assertIn('Unexpected TOKEN_ROOT_CLAIMS claim: 9903, skipping', test_ctx.output[2]) |
| Mate Toth-Pal | 1093a8a | 2022-08-23 09:48:41 +0200 | [diff] [blame] | 253 | self.assertIn('Unexpected SYN_BOXES claim: 9904, skipping', test_ctx.output[3]) |
| 254 | |
| 255 | config = VerifierConfiguration(keep_going=False, strict=True) |
| 256 | |
| 257 | test_verifier=SyntheticTokenVerifier2(method=method, |
| 258 | cose_alg=cose_alg, |
| 259 | signing_key=signing_key, |
| 260 | configuration=config, |
| 261 | internal_signing_key=signing_key) |
| 262 | |
| 263 | with self.assertRaises(ValueError) as test_ctx: |
| 264 | read_iat( |
| 265 | DATA_DIR, |
| 266 | 'unknown_claims.cbor', |
| 267 | test_verifier) |
| 268 | self.assertIn( |
| Mate Toth-Pal | c7404e9 | 2022-07-15 11:11:13 +0200 | [diff] [blame] | 269 | 'Unexpected TOKEN_ROOT_CLAIMS claim: 9901', test_ctx.exception.args[0]) |