iat-verifier/scripts/decompile_token

#!/usr/bin/env python3
#-------------------------------------------------------------------------------
# Copyright (c) 2019-2025, Arm Limited. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
#
#-------------------------------------------------------------------------------

"""CLI script for decompiling a cbor formatted IAT file"""

import argparse
import logging
import sys

from pycose.algorithms import Es256, Es384
import yaml
from iatverifier.psa_iot_profile1_token_verifier import PSAIoTProfile1TokenVerifier
from iatverifier.psa_2_0_0_token_verifier import PSA_2_0_0_TokenVerifier
from iatverifier.attest_token_verifier import AttestationTokenVerifier
from iatverifier.cca_token_verifier import CCATokenVerifier, CCAPlatformTokenVerifier


if __name__ == '__main__':
    logging.basicConfig(level=logging.INFO)

    token_verifiers = {
        "PSA-IoT-Profile1-token": PSAIoTProfile1TokenVerifier,
        "CCA-token": CCATokenVerifier,
        "CCA-plat-token": CCAPlatformTokenVerifier,
        "PSA-2.0.0-token": PSA_2_0_0_TokenVerifier,
    }

    parser = argparse.ArgumentParser()
    parser.add_argument('source', help='A compiled COSE IAT token.')
    parser.add_argument('-o', '--outfile',
                        help='''Output file for the depompiled claims. If this is not
                        specified, the claims will be written to standard output.''')
    parser.add_argument('-t', '--token-type',
                        help='''The type of the Token.''',
                        choices=token_verifiers.keys(),
                        required=True)
    parser.add_argument('--expect-token-indicator',
                        help='''Expect token indicator in the cbor.''',
                        action='store_true')
    args = parser.parse_args()

    verifier_class = token_verifiers[args.token_type]
    if verifier_class == PSAIoTProfile1TokenVerifier:
        verifier = PSAIoTProfile1TokenVerifier(
            method=AttestationTokenVerifier.SIGN_METHOD_SIGN1,
            cose_alg=Es256,
            signing_key=None,
            configuration=None)
    elif verifier_class == CCATokenVerifier:
        realm_token_method = AttestationTokenVerifier.SIGN_METHOD_SIGN1
        platform_token_method = AttestationTokenVerifier.SIGN_METHOD_SIGN1
        realm_token_cose_alg = Es384
        platform_token_cose_alg = Es384
        verifier = CCATokenVerifier(
            realm_token_method=realm_token_method,
            realm_token_cose_alg=realm_token_cose_alg,
            platform_token_method=platform_token_method,
            platform_token_cose_alg=platform_token_cose_alg,
            platform_token_key=None,
            configuration=None)
    elif verifier_class == CCAPlatformTokenVerifier:
        cose_alg = Es384
        verifier = CCAPlatformTokenVerifier(
            method=AttestationTokenVerifier.SIGN_METHOD_SIGN1,
            cose_alg=cose_alg,
            signing_key=None,
            configuration=None,
            necessity=None,
            has_type_indicator=args.expect_token_indicator)
    elif verifier_class == PSA_2_0_0_TokenVerifier:
        verifier = PSA_2_0_0_TokenVerifier(
            method=AttestationTokenVerifier.SIGN_METHOD_SIGN1,
            cose_alg=Es256,
            signing_key=None,
            configuration=None)
    else:
        logging.error(f'Invalid token type:{verifier_class}\n\t')
        sys.exit(1)
    with open(args.source, 'rb') as fh:
        token_map = verifier.parse_token(
            token=fh.read(),
            lower_case_key=True).get_token_map()

    if args.outfile:
        with open(args.outfile, 'w', encoding="UTF-8") as wfh:
            yaml.dump(token_map, wfh)
    else:
        yaml.dump(token_map, sys.stdout)