TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / TF-M / tf-m-tools / f4e1ca341cf7fdb45b79fa4ce975766f80672e67 / . / iat-verifier / tests / test_synthetic.py
blob: 89d529d8b5f3f19debefb9721497843772906bd8 [file] [log] [blame]
Mate Toth-Palb2508d52022-04-30 14:10:06 +0200[diff] [blame]1#-------------------------------------------------------------------------------
2# Copyright (c) 2022, Arm Limited. All rights reserved.
3#
4# SPDX-License-Identifier: BSD-3-Clause
5#
6#-------------------------------------------------------------------------------
7
8"""
9This test is used to test features that are not used by the PSA IoT profile1
10tokens
11"""
12
13import os
14import unittest
15
Thomas Fossatif4e1ca32024-08-16 16:01:31 +0000[diff] [blame^]16from pycose.algorithms import Es256, Es384
17
Mate Toth-Palb2508d52022-04-30 14:10:06 +0200[diff] [blame]18from iatverifier.util import read_token_map, read_keyfile
19from iatverifier.attest_token_verifier import VerifierConfiguration, AttestationTokenVerifier
Mate Toth-Pale589c452022-07-27 22:02:40 +0200[diff] [blame]20from tests.synthetic_token_verifier import SyntheticTokenVerifier2, SyntheticTokenVerifier
Mate Toth-Pale305e552022-10-07 14:04:53 +0200[diff] [blame]21from tests.test_utils import read_iat, create_and_read_iat
22from tests.test_utils import convert_map_to_token_bytes, bytes_equal_to_file
Mate Toth-Palb2508d52022-04-30 14:10:06 +0200[diff] [blame]23
24
25THIS_DIR = os.path.dirname(__file__)
26
27DATA_DIR = os.path.join(THIS_DIR, 'synthetic_data')
28KEY_DIR = os.path.join(THIS_DIR, 'data')
29KEYFILE = os.path.join(KEY_DIR, 'key.pem')
30KEYFILE_ALT = os.path.join(KEY_DIR, 'key-alt.pem')
31
32class TestSynthetic(unittest.TestCase):
33 """Test iat-verifier's nested IAT feature"""
34 def setUp(self):
35 self.config = VerifierConfiguration()
36
37 def test_composite(self):
38 """Test cross claim checking in composite claim"""
39 method=AttestationTokenVerifier.SIGN_METHOD_SIGN1
Thomas Fossatif4e1ca32024-08-16 16:01:31 +0000[diff] [blame^]40 cose_alg=Es256
Mate Toth-Palb2508d52022-04-30 14:10:06 +0200[diff] [blame]41 signing_key = read_keyfile(KEYFILE, method)
42
43 create_and_read_iat(
44 DATA_DIR,
45 'synthetic_token.yaml',
46 SyntheticTokenVerifier(
47 method=method,
48 cose_alg=cose_alg,
49 signing_key=signing_key,
50 configuration=self.config,
51 internal_signing_key=signing_key))
52
53 with self.assertRaises(ValueError) as test_ctx:
54 create_and_read_iat(
55 DATA_DIR,
56 'synthetic_token_missing_box_dim.yaml',
57 SyntheticTokenVerifier(
58 method=method,
59 cose_alg=cose_alg,
60 signing_key=signing_key,
61 configuration=self.config,
62 internal_signing_key=signing_key))
63 self.assertIn(
64 'Invalid IAT: Box size must have all 3 dimensions', test_ctx.exception.args[0])
65
66 create_and_read_iat(
67 DATA_DIR,
68 'synthetic_token_another_token.yaml',
69 SyntheticTokenVerifier(
70 method=method,
71 cose_alg=cose_alg,
72 signing_key=signing_key,
73 configuration=self.config,
74 internal_signing_key=signing_key))
75
76 with self.assertRaises(ValueError) as test_ctx:
77 create_and_read_iat(
78 DATA_DIR,
79 'synthetic_token_another_token_missing_box_dim.yaml',
80 SyntheticTokenVerifier(method=method,
81 cose_alg=cose_alg,
82 signing_key=signing_key,
83 configuration=self.config,
84 internal_signing_key=signing_key))
85 self.assertIn(
86 'Invalid IAT: Box size must have all 3 dimensions', test_ctx.exception.args[0])
87
Mate Toth-Pale589c452022-07-27 22:02:40 +0200[diff] [blame]88 def test_tagging_support(self):
89 method=AttestationTokenVerifier.SIGN_METHOD_SIGN1
Thomas Fossatif4e1ca32024-08-16 16:01:31 +0000[diff] [blame^]90 cose_alg=Es256
Mate Toth-Pale589c452022-07-27 22:02:40 +0200[diff] [blame]91
92 signing_key = read_keyfile(KEYFILE, method)
Mate Toth-Pal138637a2022-07-28 10:57:06 +0200[diff] [blame]93 config = VerifierConfiguration(keep_going=True, strict=True)
Mate Toth-Pale589c452022-07-27 22:02:40 +0200[diff] [blame]94
95 # test with unexpected tag
96 with self.assertLogs() as test_ctx:
97 read_iat(
98 DATA_DIR,
99 'unexpected_tags.cbor',
100 SyntheticTokenVerifier(method=method,
101 cose_alg=cose_alg,
102 signing_key=signing_key,
Mate Toth-Pal138637a2022-07-28 10:57:06 +0200[diff] [blame]103 configuration=config,
Mate Toth-Pale589c452022-07-27 22:02:40 +0200[diff] [blame]104 internal_signing_key=signing_key))
Thomas Fossatif4e1ca32024-08-16 16:01:31 +0000[diff] [blame^]105 self.assertEquals(2, len(test_ctx.output))
Mate Toth-Pale589c452022-07-27 22:02:40 +0200[diff] [blame]106 self.assertIn('Unexpected tag (0xcdcd) in token SYNTHETIC_TOKEN', test_ctx.output[0])
Thomas Fossatif4e1ca32024-08-16 16:01:31 +0000[diff] [blame^]107 self.assertIn('Unexpected tag (0xabab) in token SYNTHETIC_INTERNAL_TOKEN', test_ctx.output[1])
Mate Toth-Pale589c452022-07-27 22:02:40 +0200[diff] [blame]108
109 # test with missing tag
110 with self.assertLogs() as test_ctx:
111 read_iat(
112 DATA_DIR,
113 'missing_tags.cbor',
114 SyntheticTokenVerifier2(method=method,
115 cose_alg=cose_alg,
116 signing_key=signing_key,
Mate Toth-Pal138637a2022-07-28 10:57:06 +0200[diff] [blame]117 configuration=config,
Mate Toth-Pale589c452022-07-27 22:02:40 +0200[diff] [blame]118 internal_signing_key=signing_key))
119 self.assertEquals(2, len(test_ctx.output))
120 self.assertIn('token SYNTHETIC_TOKEN_2 should be wrapped in tag 0xaabb', test_ctx.output[0])
121 self.assertIn('token SYNTHETIC_INTERNAL_TOKEN_2 should be wrapped in tag 0xbbaa', test_ctx.output[1])
122
123 # Test Invalid tag values
124 with self.assertLogs() as test_ctx:
125 read_iat(
126 DATA_DIR,
127 'invalid_tags.cbor',
128 SyntheticTokenVerifier2(method=method,
129 cose_alg=cose_alg,
130 signing_key=signing_key,
Mate Toth-Pal138637a2022-07-28 10:57:06 +0200[diff] [blame]131 configuration=config,
Mate Toth-Pale589c452022-07-27 22:02:40 +0200[diff] [blame]132 internal_signing_key=signing_key))
133 self.assertEquals(2, len(test_ctx.output))
134 self.assertIn('token SYNTHETIC_TOKEN_2 is wrapped in tag 0xabab instead of 0xaabb', test_ctx.output[0])
135 self.assertIn('token SYNTHETIC_INTERNAL_TOKEN_2 is wrapped in tag 0xbaba instead of 0xbbaa', test_ctx.output[1])
136
137 # Test proper tagging
138 read_iat(
139 DATA_DIR,
140 'correct_tagging.cbor',
141 SyntheticTokenVerifier2(method=method,
142 cose_alg=cose_alg,
143 signing_key=signing_key,
144 configuration=self.config,
145 internal_signing_key=signing_key))
Mate Toth-Pal1093a8a2022-08-23 09:48:41 +0200[diff] [blame]146
147 def test_unknown_claims(self):
148
149 method=AttestationTokenVerifier.SIGN_METHOD_SIGN1
Thomas Fossatif4e1ca32024-08-16 16:01:31 +0000[diff] [blame^]150 cose_alg=Es256
Mate Toth-Pal1093a8a2022-08-23 09:48:41 +0200[diff] [blame]151 signing_key = read_keyfile(KEYFILE, method)
152 config = VerifierConfiguration(keep_going=True, strict=False)
153
154 test_verifier=SyntheticTokenVerifier2(method=method,
155 cose_alg=cose_alg,
156 signing_key=signing_key,
157 configuration=config,
158 internal_signing_key=signing_key)
159
160 with self.assertLogs() as test_ctx:
161 read_iat(
162 DATA_DIR,
163 'unknown_claims.cbor',
164 test_verifier)
165 self.assertEquals(4, len(test_ctx.output))
Mate Toth-Palc7404e92022-07-15 11:11:13 +0200[diff] [blame]166 self.assertIn('Unexpected TOKEN_ROOT_CLAIMS claim: 9901, skipping', test_ctx.output[0])
Mate Toth-Pal1093a8a2022-08-23 09:48:41 +0200[diff] [blame]167 self.assertIn('Unexpected SYN_BOXES claim: 9902, skipping', test_ctx.output[1])
Mate Toth-Palc7404e92022-07-15 11:11:13 +0200[diff] [blame]168 self.assertIn('Unexpected TOKEN_ROOT_CLAIMS claim: 9903, skipping', test_ctx.output[2])
Mate Toth-Pal1093a8a2022-08-23 09:48:41 +0200[diff] [blame]169 self.assertIn('Unexpected SYN_BOXES claim: 9904, skipping', test_ctx.output[3])
170
171 config = VerifierConfiguration(keep_going=True, strict=True)
172
173 test_verifier=SyntheticTokenVerifier2(method=method,
174 cose_alg=cose_alg,
175 signing_key=signing_key,
176 configuration=config,
177 internal_signing_key=signing_key)
178
179 with self.assertLogs() as test_ctx:
180 read_iat(
181 DATA_DIR,
182 'unknown_claims.cbor',
183 test_verifier)
184 self.assertEquals(4, len(test_ctx.output))
Mate Toth-Palc7404e92022-07-15 11:11:13 +0200[diff] [blame]185 self.assertIn('ERROR:iat-verifiers:Unexpected TOKEN_ROOT_CLAIMS claim: 9901', test_ctx.output[0])
Mate Toth-Pal1093a8a2022-08-23 09:48:41 +0200[diff] [blame]186 self.assertIn('ERROR:iat-verifiers:Unexpected SYN_BOXES claim: 9902', test_ctx.output[1])
Mate Toth-Palc7404e92022-07-15 11:11:13 +0200[diff] [blame]187 self.assertIn('ERROR:iat-verifiers:Unexpected TOKEN_ROOT_CLAIMS claim: 9903', test_ctx.output[2])
Mate Toth-Pal1093a8a2022-08-23 09:48:41 +0200[diff] [blame]188 self.assertIn('ERROR:iat-verifiers:Unexpected SYN_BOXES claim: 9904', test_ctx.output[3])
189
190 config = VerifierConfiguration(keep_going=False, strict=False)
191
192 test_verifier=SyntheticTokenVerifier2(method=method,
193 cose_alg=cose_alg,
194 signing_key=signing_key,
195 configuration=config,
196 internal_signing_key=signing_key)
197
198 with self.assertLogs() as test_ctx:
199 read_iat(
200 DATA_DIR,
201 'unknown_claims.cbor',
202 test_verifier)
Mate Toth-Palc7404e92022-07-15 11:11:13 +0200[diff] [blame]203 self.assertIn('Unexpected TOKEN_ROOT_CLAIMS claim: 9901, skipping', test_ctx.output[0])
Mate Toth-Pal1093a8a2022-08-23 09:48:41 +0200[diff] [blame]204 self.assertIn('Unexpected SYN_BOXES claim: 9902, skipping', test_ctx.output[1])
Mate Toth-Palc7404e92022-07-15 11:11:13 +0200[diff] [blame]205 self.assertIn('Unexpected TOKEN_ROOT_CLAIMS claim: 9903, skipping', test_ctx.output[2])
Mate Toth-Pal1093a8a2022-08-23 09:48:41 +0200[diff] [blame]206 self.assertIn('Unexpected SYN_BOXES claim: 9904, skipping', test_ctx.output[3])
207
208 config = VerifierConfiguration(keep_going=False, strict=True)
209
210 test_verifier=SyntheticTokenVerifier2(method=method,
211 cose_alg=cose_alg,
212 signing_key=signing_key,
213 configuration=config,
214 internal_signing_key=signing_key)
215
216 with self.assertRaises(ValueError) as test_ctx:
217 read_iat(
218 DATA_DIR,
219 'unknown_claims.cbor',
220 test_verifier)
221 self.assertIn(
Mate Toth-Palc7404e92022-07-15 11:11:13 +0200[diff] [blame]222 'Unexpected TOKEN_ROOT_CLAIMS claim: 9901', test_ctx.exception.args[0])