Ejemplo n.º 1
    def sign(self, data_to_sign, imageinfo, debug_dir=None, is_hash=False, **kwargs):
        """Run the signing flow for one image and return the signer output.

        The steps run in this order: the inputs are recorded through
        ``set_input``; ``sign_hash`` produces the output object; the HMAC
        parameters derived from the image attributes are compared with the
        ones in the signing configuration; ``self.hash_to_sign`` is recomputed
        when they disagree; the signature and the hash are stored on the
        output object.

        Extra keyword arguments are forwarded unchanged to ``set_input``, the
        attribute extractor and ``_print_attestation_cert_props``.

        Raises:
            RuntimeError: the configured HMAC type is ``HMAC_TYPE_QTI``, the
                image and config HMAC parameters differ, and
                ``self.data_to_sign`` is None, so the hash cannot be rebuilt.
        """
        # Record the caller's inputs on the instance. The attributes read
        # below (hash_to_sign, hash_algo, data_to_sign) are not assigned in
        # this method; presumably set_input populates them -- confirm.
        self.set_input(data_to_sign, imageinfo,
                       debug_dir=debug_dir, is_hash=is_hash, **kwargs)

        # sign_hash supplies the output object, including attestation_cert.
        result = self.sign_hash(self.hash_to_sign, imageinfo, data_to_sign,
                                debug_dir=debug_dir, hash_algo=self.hash_algo)

        # HMAC parameters as carried by the image: the extractor is given the
        # attestation certificate plus whatever the caller passed in kwargs.
        extractor = self._attribute_extractor(
            cert_data=result.attestation_cert,
            attributes=self.signing_attributes_class(),
            **kwargs)
        image_attributes = extractor.attributes
        image_hmac = HMAC()
        image_hmac.init_from_image_attributes(image_attributes,
                                              self.signing_attributes)

        # HMAC parameters as requested by the signing configuration.
        config_hmac = HMAC()
        config_hmac.init_from_config(self.signing_attributes)

        # Only HMAC_TYPE_QTI triggers the comparison; is_equal is not called
        # for any other type.
        params_disagree = (config_hmac.hmac_type == config_hmac.HMAC_TYPE_QTI
                           and not image_hmac.is_equal(config_hmac))
        if params_disagree:
            # Without the raw data the hash cannot be rebuilt with the image's
            # parameters, so the flow stops here instead of continuing with
            # the hash it already holds.
            if self.data_to_sign is None:
                raise RuntimeError(
                    'HMAC params from image cannot be used with pre-generated hash.')
            self.hash_to_sign = image_hmac.hmac(self.data_to_sign)

        # NOTE(review): get_signature takes no arguments here; presumably it
        # signs the current self.hash_to_sign -- confirm.
        result.signature = self.get_signature()
        result.unsigned_hash = self.hash_to_sign

        self._print_attestation_cert_props(result.attestation_cert, **kwargs)
        return result
Ejemplo n.º 2
    def sign(self, data_to_sign, imageinfo, debug_dir=None, is_hash=False):
        '''
        Build a SignerOutput holding the certificates, keys, signature and
        signed hash for one image, and return it.

        The root, optional CA and attestation certificate/key pairs are
        gathered first. The HMAC parameters read from the attestation
        certificate are then compared with the configured ones, and
        ``self.hash_to_sign`` is recomputed when they disagree.

        Raises RuntimeError when the configured HMAC type is HMAC_TYPE_QC, the
        parameters differ and ``self.data_to_sign`` is None, because the hash
        cannot be rebuilt in that case.

        NOTE(review): going by the field names, the returned object carries
        private key material (root_key, attestation_ca_key, attestation_key).
        Callers should avoid logging or persisting it wholesale -- confirm.
        '''
        # Record the caller's inputs on the instance. Presumably this is what
        # populates self.hash_to_sign and self.data_to_sign -- confirm.
        self.set_input(data_to_sign, imageinfo, debug_dir, is_hash)

        output = SignerOutput()

        # Certificate/key pairs: root first, then the CA when configured,
        # then attestation.
        root_cert, root_key = self.get_root_cert_key()
        output.root_cert = root_cert
        output.root_key = root_key
        if self.CA in self.certs:
            ca_cert, ca_key = self.get_ca_cert_key()
            output.attestation_ca_cert = ca_cert
            output.attestation_ca_key = ca_key
        attest_cert, attest_key = self.get_attest_cert_key()
        output.attestation_cert = attest_cert
        output.attestation_key = attest_key

        # Root certificate list (the original comment labels this "MRC").
        output.root_cert_list = self.get_root_cert_list()

        # HMAC parameters as embedded in the attestation certificate.
        cert_hmac = HMAC()
        cert_hmac.init_from_cert(output.attestation_cert)

        # HMAC parameters as requested by the signing configuration.
        config_hmac = HMAC()
        config_hmac.init_from_config(self.signing_attributes)

        # Only HMAC_TYPE_QC triggers the comparison; is_equal is not called
        # for any other type.
        params_disagree = (config_hmac.hmac_type == config_hmac.HMAC_TYPE_QC
                           and not cert_hmac.is_equal(config_hmac))
        if params_disagree:
            # Without the raw data the hash cannot be rebuilt with the
            # certificate's parameters, so the flow stops here instead of
            # continuing with the hash it already holds.
            if self.data_to_sign is None:
                raise RuntimeError(
                    'HMAC params from attestation certificate cannot be used with pre-generated hash.')
            self.hash_to_sign = cert_hmac.hmac(self.data_to_sign)

        # NOTE(review): get_signature takes no arguments here; presumably it
        # signs the current self.hash_to_sign -- confirm.
        output.signature = self.get_signature()
        output.unsigned_hash = self.hash_to_sign

        # Convert the stored certificates, then assemble the chain.
        output.update_certs_format()
        output.generate_cert_chain()

        # The certificate properties are logged because tests depend on this
        # output, per the original author. Only the certificate is rendered,
        # not the keys.
        cert_properties = str(Certificate(output.attestation_cert))
        logger.info('\nAttestation Certificate Properties:\n' + cert_properties)

        return output
Ejemplo n.º 3
    def sign(self, data_to_sign, imageinfo, debug_dir=None, is_hash=False, hash_segment_metadata=None):
        """Run the signing flow for one image and return the signer output.

        The steps run in this order: the inputs are recorded through
        ``set_input``; ``sign_hash`` produces the output object; the HMAC
        parameters extracted from the attestation certificate or from
        ``hash_segment_metadata`` are compared with the configured ones;
        ``self.hash_to_sign`` is recomputed when they disagree; the signature
        and the hash are stored on the output object.

        Raises:
            RuntimeError: the configured HMAC type is ``HMAC_TYPE_QTI``, the
                image and config HMAC parameters differ, and
                ``self.data_to_sign`` is None, so the hash cannot be rebuilt.
        """
        # Record the caller's inputs on the instance. Presumably this is what
        # populates self.hash_to_sign, self.hash_algo and self.data_to_sign
        # -- confirm.
        self.set_input(data_to_sign, imageinfo, debug_dir, is_hash)

        # sign_hash supplies the output object, including attestation_cert.
        result = self.sign_hash(self.hash_to_sign, imageinfo, data_to_sign,
                                debug_dir=debug_dir, hash_algo=self.hash_algo)

        # HMAC parameters as carried by the image. The extractor receives both
        # the certificate and the hash segment metadata; which one it prefers
        # is not visible from this method.
        extractor = AttributeExtractor(
            cert_data=result.attestation_cert,
            hash_segment_metadata=hash_segment_metadata)
        image_attributes = extractor.attributes
        image_hmac = HMAC()
        image_hmac.init_from_image_attributes(image_attributes)

        # HMAC parameters as requested by the signing configuration.
        config_hmac = HMAC()
        config_hmac.init_from_config(self.signing_attributes)

        # Only HMAC_TYPE_QTI triggers the comparison; is_equal is not called
        # for any other type.
        params_disagree = (config_hmac.hmac_type == config_hmac.HMAC_TYPE_QTI
                           and not image_hmac.is_equal(config_hmac))
        if params_disagree:
            # Without the raw data the hash cannot be rebuilt with the image's
            # parameters, so the flow stops here instead of continuing with
            # the hash it already holds.
            if self.data_to_sign is None:
                raise RuntimeError('HMAC params from image cannot be used with pre-generated hash.')
            self.hash_to_sign = image_hmac.hmac(self.data_to_sign)

        # NOTE(review): get_signature takes no arguments here; presumably it
        # signs the current self.hash_to_sign -- confirm.
        result.signature = self.get_signature()
        result.unsigned_hash = self.hash_to_sign

        # The certificate properties are logged only when no hash segment
        # metadata was supplied; tests depend on this output, per the
        # original author.
        if hash_segment_metadata is None:
            cert_properties = str(Certificate(result.attestation_cert))
            logger.info('\nAttestation Certificate Properties:\n' + cert_properties)

        return result