TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / TF-M / tf-m-tools / f4e1ca341cf7fdb45b79fa4ce975766f80672e67 / . / iat-verifier / scripts / check_iat
blob: 5cd1e81633123a5140f2cadfb6ca97af0d95d320 [file] [log] [blame]
Mate Toth-Pal530106f2022-05-03 15:29:49 +0200[diff] [blame]1#!/usr/bin/env python3
Mate Toth-Pal1cb66cd2022-04-26 15:40:07 +0200[diff] [blame]2# -----------------------------------------------------------------------------
3# Copyright (c) 2019-2022, Arm Limited. All rights reserved.
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]4#
5# SPDX-License-Identifier: BSD-3-Clause
6#
Mate Toth-Pal1cb66cd2022-04-26 15:40:07 +0200[diff] [blame]7# -----------------------------------------------------------------------------
Mate Toth-Pal51b61982022-03-17 14:19:30 +0100[diff] [blame]8
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]9"""CLI script for verifying an IAT."""
10
Mate Toth-Pal1cb66cd2022-04-26 15:40:07 +0200[diff] [blame]11import argparse
12import json
13import logging
14import sys
15
Thomas Fossatif4e1ca32024-08-16 16:01:31 +0000[diff] [blame^]16from pycose.algorithms import Es256, Es384, HMAC256
17
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]18from iatverifier.util import recursive_bytes_to_strings, read_keyfile, get_cose_alg_from_key
Mate Toth-Pal1cb66cd2022-04-26 15:40:07 +0200[diff] [blame]19from iatverifier.psa_iot_profile1_token_verifier import PSAIoTProfile1TokenVerifier
Tamas Ban1e7944a2022-07-04 13:09:03 +0200[diff] [blame]20from iatverifier.psa_2_0_0_token_verifier import PSA_2_0_0_TokenVerifier
Mate Toth-Palbb187d02022-04-26 16:01:51 +0200[diff] [blame]21from iatverifier.attest_token_verifier import VerifierConfiguration, AttestationTokenVerifier
Mate Toth-Pal5ebca512022-03-24 16:45:51 +0100[diff] [blame]22from iatverifier.cca_token_verifier import CCATokenVerifier, CCAPlatformTokenVerifier
Mate Toth-Pal1cb66cd2022-04-26 15:40:07 +0200[diff] [blame]23
24logger = logging.getLogger('iat-verify')
25
26def main():
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]27 """Main function for verifying an IAT"""
Mate Toth-Pal1cb66cd2022-04-26 15:40:07 +0200[diff] [blame]28
29 token_verifiers = {
30 "PSA-IoT-Profile1-token": PSAIoTProfile1TokenVerifier,
Mate Toth-Pal5ebca512022-03-24 16:45:51 +0100[diff] [blame]31 "CCA-token": CCATokenVerifier,
32 "CCA-plat-token": CCAPlatformTokenVerifier,
Tamas Ban1e7944a2022-07-04 13:09:03 +0200[diff] [blame]33 "PSA-2.0.0-token": PSA_2_0_0_TokenVerifier,
Mate Toth-Pal1cb66cd2022-04-26 15:40:07 +0200[diff] [blame]34 }
35
36 parser = argparse.ArgumentParser(
37 description='''
38 Validates a signed Initial Attestation Token (IAT), checking
39 that the signature is valid, the token contian the required
40 fields, and those fields are in a valid format.
41 ''')
Mate Toth-Pala8b46b12022-10-07 13:30:54 +0200[diff] [blame]42 parser.add_argument('-k', '--key',
Mate Toth-Pal5ebca512022-03-24 16:45:51 +0100[diff] [blame]43 help='''Path to the key in PEM format that should be used to
44 verify the token. If this is not specified, the token signature
45 will not be checked.''')
Mate Toth-Pal1cb66cd2022-04-26 15:40:07 +0200[diff] [blame]46 parser.add_argument('tokenfile',
47 help='''
48 path to a file containing a signed IAT.
49 ''')
50 parser.add_argument('-K', '--keep-going', action='store_true',
51 help='''
52 Do not stop upon encountering a validation error.
53 ''')
54 parser.add_argument('-p', '--print-iat', action='store_true',
55 help='''
56 Print the decoded token in JSON format.
57 ''')
58 parser.add_argument('-s', '--strict', action='store_true',
59 help='''
60 Report failure if unknown claim is encountered.
61 ''')
Mate Toth-Pal1527a3c2022-11-30 11:27:54 +0100[diff] [blame]62 parser.add_argument('-m', '--method', choices=['sign', 'mac', 'raw'], default='sign',
Mate Toth-Pal1cb66cd2022-04-26 15:40:07 +0200[diff] [blame]63 help='''
64 Specify how this token is wrapped -- whether Sign1Message or
Mate Toth-Pal1527a3c2022-11-30 11:27:54 +0100[diff] [blame]65 Mac0Message COSE structure is used. In case of 'raw' no COSE envelope is
66 expected.
Mate Toth-Pal1cb66cd2022-04-26 15:40:07 +0200[diff] [blame]67 ''')
68 parser.add_argument('-t', '--token-type',
69 help='''The type of the Token.''',
70 choices=token_verifiers.keys(),
71 required=True)
72
73 args = parser.parse_args()
74
75 logging.basicConfig(level=logging.INFO)
76
77 config = VerifierConfiguration(keep_going=args.keep_going, strict=args.strict)
Mate Toth-Pal1cb66cd2022-04-26 15:40:07 +0200[diff] [blame]78 if args.method == 'mac':
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]79 method = AttestationTokenVerifier.SIGN_METHOD_MAC0
Mate Toth-Pal1527a3c2022-11-30 11:27:54 +0100[diff] [blame]80 elif args.method == 'raw':
81 if args.key:
82 raise ValueError('A keyfile cannot be specified with --raw.')
83 method = AttestationTokenVerifier.SIGN_METHOD_RAW
84 elif args.method == 'sign':
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]85 method = AttestationTokenVerifier.SIGN_METHOD_SIGN1
Mate Toth-Pal1527a3c2022-11-30 11:27:54 +0100[diff] [blame]86 else:
87 assert False
Mate Toth-Pal1cb66cd2022-04-26 15:40:07 +0200[diff] [blame]88
Mate Toth-Pal5ebca512022-03-24 16:45:51 +0100[diff] [blame]89 key_checked = False
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]90
91 verifier_class = token_verifiers[args.token_type]
92 if verifier_class == PSAIoTProfile1TokenVerifier:
Mate Toth-Pala8b46b12022-10-07 13:30:54 +0200[diff] [blame]93 key_checked = args.key
94 key = read_keyfile(keyfile=args.key, method=method)
Mate Toth-Pal5ebca512022-03-24 16:45:51 +0100[diff] [blame]95 if method == AttestationTokenVerifier.SIGN_METHOD_SIGN1:
Thomas Fossatif4e1ca32024-08-16 16:01:31 +0000[diff] [blame^]96 cose_alg = get_cose_alg_from_key(key, Es256)
Mate Toth-Pal5ebca512022-03-24 16:45:51 +0100[diff] [blame]97 else:
Thomas Fossatif4e1ca32024-08-16 16:01:31 +0000[diff] [blame^]98 cose_alg = HMAC256
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]99 verifier = PSAIoTProfile1TokenVerifier(
100 method=method,
101 cose_alg=cose_alg,
102 signing_key=key,
103 configuration=config)
Mate Toth-Pal5ebca512022-03-24 16:45:51 +0100[diff] [blame]104 elif verifier_class == CCATokenVerifier:
105 if method != AttestationTokenVerifier.SIGN_METHOD_SIGN1:
106 logger.error('Only sign1 method is supported by this token type.\n\t'.format(verifier_class))
107 sys.exit(1)
Mate Toth-Pala8b46b12022-10-07 13:30:54 +0200[diff] [blame]108 key_checked = args.key
109 platform_token_key = read_keyfile(args.key, method)
Mate Toth-Pal5ebca512022-03-24 16:45:51 +0100[diff] [blame]110 realm_token_method = AttestationTokenVerifier.SIGN_METHOD_SIGN1
111 platform_token_method = AttestationTokenVerifier.SIGN_METHOD_SIGN1
Thomas Fossatif4e1ca32024-08-16 16:01:31 +0000[diff] [blame^]112 realm_token_cose_alg = get_cose_alg_from_key(None, Es384)
113 platform_token_cose_alg = get_cose_alg_from_key(platform_token_key, Es384)
Mate Toth-Pal5ebca512022-03-24 16:45:51 +0100[diff] [blame]114 verifier = CCATokenVerifier(
115 realm_token_method=realm_token_method,
116 realm_token_cose_alg=realm_token_cose_alg,
Mate Toth-Pal5ebca512022-03-24 16:45:51 +0100[diff] [blame]117 platform_token_method=platform_token_method,
118 platform_token_cose_alg=platform_token_cose_alg,
119 platform_token_key=platform_token_key,
120 configuration=config)
121 elif verifier_class == CCAPlatformTokenVerifier:
Mate Toth-Pala8b46b12022-10-07 13:30:54 +0200[diff] [blame]122 key_checked = args.key
123 key = read_keyfile(args.key, method)
Thomas Fossatif4e1ca32024-08-16 16:01:31 +0000[diff] [blame^]124 cose_alg = get_cose_alg_from_key(key, Es384)
Mate Toth-Pal5ebca512022-03-24 16:45:51 +0100[diff] [blame]125 verifier = CCAPlatformTokenVerifier(
126 method=AttestationTokenVerifier.SIGN_METHOD_SIGN1,
127 cose_alg=cose_alg,
128 signing_key=key,
129 configuration=config,
130 necessity=None)
Tamas Ban1e7944a2022-07-04 13:09:03 +0200[diff] [blame]131 elif verifier_class == PSA_2_0_0_TokenVerifier:
Mate Toth-Pala8b46b12022-10-07 13:30:54 +0200[diff] [blame]132 key_checked = args.key
133 key = read_keyfile(keyfile=args.key, method=method)
Tamas Ban1e7944a2022-07-04 13:09:03 +0200[diff] [blame]134 if method == AttestationTokenVerifier.SIGN_METHOD_SIGN1:
Thomas Fossatif4e1ca32024-08-16 16:01:31 +0000[diff] [blame^]135 cose_alg = get_cose_alg_from_key(key, Es256)
Tamas Ban1e7944a2022-07-04 13:09:03 +0200[diff] [blame]136 else:
Thomas Fossatif4e1ca32024-08-16 16:01:31 +0000[diff] [blame^]137 cose_alg = HMAC256
Tamas Ban1e7944a2022-07-04 13:09:03 +0200[diff] [blame]138 verifier = PSA_2_0_0_TokenVerifier(method=method, cose_alg=cose_alg, signing_key=key, configuration=config)
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]139 else:
140 logger.error(f'Invalid token type:{verifier_class}\n\t')
Mate Toth-Pal1cb66cd2022-04-26 15:40:07 +0200[diff] [blame]141 sys.exit(1)
142
143 try:
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]144 with open(args.tokenfile, 'rb') as token_file:
145 token = verifier.parse_token(
146 token=token_file.read(),
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]147 lower_case_key=False)
Mate Toth-Palc7404e92022-07-15 11:11:13 +0200[diff] [blame]148 token.verify()
Mate Toth-Pal5ebca512022-03-24 16:45:51 +0100[diff] [blame]149 if key_checked:
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]150 print('Signature OK')
151 print('Token format OK')
152 except ValueError as exc:
Mate Toth-Pal5ebca512022-03-24 16:45:51 +0100[diff] [blame]153 logger.error(f'Token verification failed:\n\t{exc}')
Mate Toth-Pal1cb66cd2022-04-26 15:40:07 +0200[diff] [blame]154 sys.exit(1)
155
156 if args.print_iat:
157 print('Token:')
Mate Toth-Palc7404e92022-07-15 11:11:13 +0200[diff] [blame]158 token_map = token.get_token_map()
159 json.dump(recursive_bytes_to_strings(token_map, in_place=True),
Mate Toth-Pal1cb66cd2022-04-26 15:40:07 +0200[diff] [blame]160 sys.stdout, indent=4)
161 print('')
162
163if __name__ == '__main__':
Mate Toth-Palb9057ff2022-04-29 16:03:21 +0200[diff] [blame]164 main()