| #!/usr/bin/env python3 |
| #------------------------------------------------------------------------------- |
| # Copyright (c) 2019-2022, Arm Limited. All rights reserved. |
| # |
| # SPDX-License-Identifier: BSD-3-Clause |
| # |
| #------------------------------------------------------------------------------- |
| |
| import argparse |
| import logging |
| import os |
| import sys |
| |
| from ecdsa import SigningKey |
| from iatverifier.util import read_token_map, convert_map_to_token |
| from iatverifier.psa_iot_profile1_token_verifier import PSAIoTProfile1TokenVerifier |
| from iatverifier.attest_token_verifier import AttestationTokenVerifier |
| |
| |
| if __name__ == '__main__': |
| logging.basicConfig(level=logging.INFO) |
| |
| token_verifiers = { |
| "PSA-IoT-Profile1-token": PSAIoTProfile1TokenVerifier, |
| } |
| |
| parser = argparse.ArgumentParser() |
| parser.add_argument('source', help='Token source in YAML format') |
| parser.add_argument('-o', '--outfile', |
| help='''Output file for the compiled token. If this is not |
| specified, the token will be written to standard output.''') |
| parser.add_argument('-k', '--keyfile', |
| help='''Path to the key in PEM format that should be used to |
| sign the token. If this is not specified, the token will be |
| unsigned.''') |
| group = parser.add_mutually_exclusive_group() |
| parser.add_argument('-a', '--add-protected-header', action='store_true', |
| help=''' |
| Add protected header to the COSE wrapper. |
| ''') |
| group.add_argument('-r', '--raw', action='store_true', |
| help='''Generate raw CBOR and do not create a signature |
| or COSE wrapper.''') |
| group.add_argument('-m', '--hmac', action='store_true', |
| help='''Generate a token wrapped in a Mac0 rather than |
| Sign1 COSE structure.''') |
| parser.add_argument('-t', '--token-type', |
| help='''The type of the Token.''', |
| choices=token_verifiers.keys(), |
| required=True) |
| |
| args = parser.parse_args() |
| signing_key = None |
| |
| cose_alg = None |
| if args.hmac: |
| method = AttestationTokenVerifier.SIGN_METHOD_MAC0 |
| cose_alg = AttestationTokenVerifier.COSE_ALG_HS256 |
| |
| if args.keyfile: |
| with open(args.keyfile, 'rb') as fh: |
| signing_key = fh.read() |
| elif args.raw: |
| if args.keyfile: |
| raise ValueError('A keyfile cannot be specified with --raw.') |
| method = AttestationTokenVerifier.SIGN_METHOD_RAW |
| else: |
| method = AttestationTokenVerifier.SIGN_METHOD_SIGN1 |
| if args.keyfile: |
| with open(args.keyfile) as fh: |
| signing_key = SigningKey.from_pem(fh.read()) |
| |
| verifier = token_verifiers[args.token_type].get_verifier() |
| if verifier.method != method: |
| verifier.method = method |
| if cose_alg is not None and verifier.cose_alg != cose_alg: |
| verifier.cose_alg = cose_alg |
| token_map = read_token_map(args.source) |
| |
| if args.outfile: |
| with open(args.outfile, 'wb') as wfh: |
| convert_map_to_token(token_map, signing_key, verifier, wfh, args.add_protected_header) |
| else: |
| with os.fdopen(sys.stdout.fileno(), 'wb') as wfh: |
| convert_map_to_token(token_map, signing_key, verifier, wfh, args.add_protected_header) |