def sign(self,
data_to_sign,
imageinfo,
debug_dir=None,
is_hash=False,
**kwargs):
"""
This function returns a SignerOutput object which has all the security assets generated
by the signer.
"""
# Set the input information
self.set_input(data_to_sign,
imageinfo,
debug_dir=debug_dir,
is_hash=is_hash,
**kwargs)
# Set the certificates and keys for output
signer_output = self.sign_hash(self.hash_to_sign,
imageinfo,
data_to_sign,
debug_dir=debug_dir,
hash_algo=self.hash_algo)
# Get the hmac params from attestation cert or hash segment
extracted_image_attributes = self._attribute_extractor(
cert_data=signer_output.attestation_cert,
attributes=self.signing_attributes_class(),
**kwargs).attributes
hmac_from_image = HMAC()
hmac_from_image.init_from_image_attributes(extracted_image_attributes,
self.signing_attributes)
# Get the hmac params from config
hmac_from_config = HMAC()
hmac_from_config.init_from_config(self.signing_attributes)
# Recreate the hash to sign if necessary
if hmac_from_config.hmac_type == hmac_from_config.HMAC_TYPE_QTI and not hmac_from_image.is_equal(
hmac_from_config):
if self.data_to_sign is not None:
self.hash_to_sign = hmac_from_image.hmac(self.data_to_sign)
else:
raise RuntimeError(
'HMAC params from image cannot be used with pre-generated hash.'
)
# Set the signature
signer_output.signature = self.get_signature()
signer_output.unsigned_hash = self.hash_to_sign
self._print_attestation_cert_props(signer_output.attestation_cert,
**kwargs)
return signer_output
def sign(self, data_to_sign, imageinfo, debug_dir=None, is_hash=False):
'''
This function returns a SignerOutput object which has all the security assets generated
by the signer.
'''
# Set the input information
self.set_input(data_to_sign, imageinfo, debug_dir, is_hash)
# Set the certificates and keys for output
signer_output = SignerOutput()
signer_output.root_cert, signer_output.root_key = self.get_root_cert_key()
if self.CA in self.certs:
signer_output.attestation_ca_cert, signer_output.attestation_ca_key = self.get_ca_cert_key()
signer_output.attestation_cert, signer_output.attestation_key = self.get_attest_cert_key()
# Set the root certs for MRC
signer_output.root_cert_list = self.get_root_cert_list()
# Get the hmac params from attestation cert
hmac_from_cert = HMAC()
hmac_from_cert.init_from_cert(signer_output.attestation_cert)
# Get the hmac params from config
hmac_from_config = HMAC()
hmac_from_config.init_from_config(self.signing_attributes)
# Recreate the hash to sign if necessary
if (hmac_from_config.hmac_type == hmac_from_config.HMAC_TYPE_QC and
not hmac_from_cert.is_equal(hmac_from_config)):
if self.data_to_sign is not None:
self.hash_to_sign = hmac_from_cert.hmac(self.data_to_sign)
else:
raise RuntimeError('HMAC params from attestation certificate cannot be used with pre-generated hash.')
# Set the signature
signer_output.signature = self.get_signature()
signer_output.unsigned_hash = self.hash_to_sign
# Update the certs
signer_output.update_certs_format()
# Set the cert chain
signer_output.generate_cert_chain()
# Print certificate properties (to make tests pass and give good debug information)
logger.info('\nAttestation Certificate Properties:\n' +
str(Certificate(signer_output.attestation_cert)))
return signer_output
def create_subject_params_attest(self, in_params):
# Set exfile
self.certs[self.ATTEST].extfile = self.openssl_info.attest_ca_xts
# GET SIGNING ATTRIBUTE DATA
debug_val = int(self.signing_attributes.debug, 16)
oem_id = int(self.signing_attributes.oem_id, 16) & 0xFFFF
model_id = int(self.signing_attributes.model_id, 16) & 0xFFFF
in_use_soc_hw_version = self.signing_attributes.in_use_soc_hw_version
use_serial_number_in_signing = self.signing_attributes.use_serial_number_in_signing
# Get the binary to sign length
if self.data_to_sign_len is None:
if self.hash_to_sign is not None:
self.data_to_sign_len = len(self.hash_to_sign)
else:
raise RuntimeError('Length of binary could not be computed')
logger.debug('Generating new Attestation certificate and a random key')
hmac_params = HMAC()
hmac_params.init_from_config(self.signing_attributes)
certificate_ou_sw_id = '01 ' + '%.16X' % hmac_params.sw_id + ' SW_ID'
certificate_ou_hw_id = '02 ' + '%.16X' % hmac_params.msm_id + ' HW_ID'
certificate_ou_oem_id = '04 ' + '%0.4X' % oem_id + ' OEM_ID'
certificate_ou_sw_size = '05 ' + '%0.8X' % self.data_to_sign_len + ' SW_SIZE'
certificate_ou_model_id = '06 ' + '%0.4X' % model_id + ' MODEL_ID'
certificate_hash_alg = self.SHA_OU_MAP[
self.signing_attributes.hash_algorithm]
certificate_ou_debug_id = '03 ' + '%0.16X' % debug_val + ' DEBUG'
certificate_ou = [
certificate_ou_sw_id, certificate_ou_hw_id, certificate_ou_oem_id,
certificate_ou_sw_size, certificate_ou_model_id,
certificate_hash_alg, certificate_ou_debug_id
]
# Optional attributes
if in_use_soc_hw_version == 1:
certificate_in_use_soc_hw_version = '13 ' + '%0.4X' % in_use_soc_hw_version + ' IN_USE_SOC_HW_VERSION'
certificate_ou.append(certificate_in_use_soc_hw_version)
if use_serial_number_in_signing == 1:
certificate_use_serial_number_in_signing = '14 ' + '%0.4X' % use_serial_number_in_signing +\
' USE_SERIAL_NUMBER_IN_SIGNING'
certificate_ou.append(certificate_use_serial_number_in_signing)
# Handle OU property binding
params = dict(in_params)
if 'OU' in params.keys():
if type(params['OU']) == list:
for item in params['OU']:
certificate_ou.append(item)
else:
certificate_ou.append(params['OU'])
# Add OU fields
params['OU'] = certificate_ou
logger.debug("Adding OU fields to attest certificate.")
return params
def sign(self, data_to_sign, imageinfo, debug_dir=None, is_hash=False, hash_segment_metadata=None):
"""
This function returns a SignerOutput object which has all the security assets generated
by the signer.
"""
# Set the input information
self.set_input(data_to_sign, imageinfo, debug_dir, is_hash)
signer_output = self.sign_hash(self.hash_to_sign, imageinfo, data_to_sign, debug_dir=debug_dir, hash_algo=self.hash_algo)
# Get the hmac params from attestation cert or hash segment
extracted_image_attributes = AttributeExtractor(cert_data=signer_output.attestation_cert, hash_segment_metadata=hash_segment_metadata).attributes
hmac_from_image = HMAC()
hmac_from_image.init_from_image_attributes(extracted_image_attributes)
# Get the hmac params from config
hmac_from_config = HMAC()
hmac_from_config.init_from_config(self.signing_attributes)
# Recreate the hash to sign if necessary
if hmac_from_config.hmac_type == hmac_from_config.HMAC_TYPE_QTI and not hmac_from_image.is_equal(hmac_from_config):
if self.data_to_sign is not None:
self.hash_to_sign = hmac_from_image.hmac(self.data_to_sign)
else:
raise RuntimeError('HMAC params from image cannot be used with pre-generated hash.')
# Set the signature
signer_output.signature = self.get_signature()
signer_output.unsigned_hash = self.hash_to_sign
# Print certificate properties (to make tests pass and give good debug information)
if hash_segment_metadata is None:
logger.info('\nAttestation Certificate Properties:\n' +
str(Certificate(signer_output.attestation_cert)))
return signer_output
def set_input_impl(self,
data_to_sign,
imageinfo,
debug_dir=None,
is_hash=False,
**kwargs):
"""Set the input.
:type data_to_sign: str
:type imageinfo: ImageInfo
"""
# Validate the image info
self.validate_config(imageinfo)
# Set public variables for this session
self.debug_dir = debug_dir
sa = self.signing_attributes = imageinfo.general_properties
# Set the certificates dictionary
self.certs = dict()
self.certs[self.ROOT] = CertKeyPair()
self.certs[self.ATTEST] = CertKeyPair()
if sa.num_certs_in_certchain == 3:
self.certs[self.CA] = CertKeyPair()
# Set the data to sign and the hash to sign
if is_hash:
self.hash_to_sign = data_to_sign
self.data_to_sign = None
else:
hasher = HMAC()
hasher.init_from_config(sa)
self.hash_to_sign = hasher.hmac(data_to_sign)
self.data_to_sign = data_to_sign
self.data_to_sign_len = len(data_to_sign)
self.padding = (self.PAD_PSS if
(sa.rsa_padding and sa.rsa_padding.lower() == 'pss')
else self.PAD_PKCS)
self.hash_algo = sa.hash_algorithm
# Initialize the secure assets
self.initialize(imageinfo, **kwargs)
return sa
def set_input(self, data_to_sign, imageinfo, debug_dir=None, is_hash=False):
"""Set the input.
:type data_to_sign: str
:type imageinfo: ImageInfo
"""
# Validate the image info
self.validate_config(imageinfo)
# Set public variables for this session
self.debug_dir = debug_dir
sa = self.signing_attributes = imageinfo.general_properties
# Set the certificates dictionary
self.certs = {}
self.certs[self.ROOT] = CertKeyPair()
self.certs[self.ATTEST] = CertKeyPair()
if sa.num_certs_in_certchain == 3:
self.certs[self.CA] = CertKeyPair()
# Set the data to sign and the hash to sign
if is_hash:
self.hash_to_sign = data_to_sign
self.data_to_sign = None
else:
hasher = HMAC()
hasher.init_from_config(sa)
self.hash_to_sign = hasher.hmac(data_to_sign)
self.data_to_sign = data_to_sign
self.data_to_sign_len = len(data_to_sign)
logger.info('Using ' + hasher.hmac_type + ' (' + hasher.hash_algo + ') for hash segment')
self.padding = (self.PAD_PSS if (sa.rsa_padding and sa.rsa_padding.lower() == 'pss') else self.PAD_PKCS)
self.hash_algo = sa.hash_algorithm if sa.hash_algorithm is not None else 'sha256'
if self.using_ecdsa:
logger.info("Using ECDSA with {0} curve".format(sa.ecdsa_curve))
else:
logger.info('Using ' + self.padding.upper() + ' RSA padding')
# Initialize the secure assets
self.initialize(imageinfo)
def create_subject_params_attest(self, in_params):
def create_ou_field_from_hex_list(ou_num, ou_name, hex_list, remove_0x, max_num_items_in_ou):
item_length = 0
ou_field = str(ou_num)
for val in hex_list:
item_length = len(val)-2 if remove_0x else len(val)
ou_field += " " + (val[2:] if remove_0x else val)
# fill remainder of OU field with zeros
zeros = (" " + "0" * item_length) * (max_num_items_in_ou - len(hex_list))
ou_field += zeros
ou_field += " " + ou_name
return ou_field
# GET SIGNING ATTRIBUTE DATA
num_root_certs = int(self.signing_attributes.num_root_certs) if self.signing_attributes.num_root_certs is not None else None
debug_val = int(self.signing_attributes.debug, 16) if self.signing_attributes.debug is not None else None
debug_serials = self.signing_attributes.debug_serials.serial if self.signing_attributes.debug_serials is not None else []
oem_id = int(self.signing_attributes.oem_id, 16) & 0xFFFF
model_id = int(self.signing_attributes.model_id, 16) & 0xFFFF
app_id = int(self.signing_attributes.app_id, 16) if self.signing_attributes.app_id is not None else None
crash_dump = int(self.signing_attributes.crash_dump, 16) if self.signing_attributes.crash_dump is not None else None
rot_en = int(self.signing_attributes.rot_en, 16) if self.signing_attributes.rot_en is not None else None
mask_soc_hw_version = int(self.signing_attributes.mask_soc_hw_version, 16) if self.signing_attributes.mask_soc_hw_version is not None else None
in_use_soc_hw_version = self.signing_attributes.in_use_soc_hw_version if self.signing_attributes.in_use_soc_hw_version is not None else None
soc_vers = self.signing_attributes.soc_vers
use_serial_number_in_signing = self.signing_attributes.use_serial_number_in_signing if self.signing_attributes.use_serial_number_in_signing is not None else None
oem_id_independent = self.signing_attributes.oem_id_independent if self.signing_attributes.oem_id_independent is not None else None
revocation_enablement = int(self.signing_attributes.revocation_enablement, 16) if self.signing_attributes.revocation_enablement is not None else None
activation_enablement = int(self.signing_attributes.activation_enablement, 16) if self.signing_attributes.activation_enablement is not None else None
if self._is_oid_supported(self.signing_attributes) is True:
if self.validate_oid_from_config(self.certs_info.ca.cert_path, self.signing_attributes) is False:
raise ConfigError('{0} min and max are not set correctly in configuration.' \
'Signing will not continue.'.format(self.signing_attributes.object_id.name)
)
self.certs[self.ATTEST].extfile = self._generate_attestation_certificate_extensions(
self.openssl_info.attest_ca_xts,
self.signing_attributes.object_id.name,
self.signing_attributes.object_id.min,
self.signing_attributes.object_id.max)
else:
self.certs[self.ATTEST].extfile = self.openssl_info.attest_ca_xts
# Get the binary to sign length
if self.data_to_sign_len is None:
if self.hash_to_sign is not None:
self.data_to_sign_len = len(self.hash_to_sign)
else:
raise RuntimeError('Length of binary could not be computed')
logger.info('Generating new Attestation certificate and a random key')
hmac_params = HMAC()
hmac_params.init_from_config(self.signing_attributes)
certificate_ou_sw_id = '01 ' + '%.16X' % hmac_params.sw_id + ' SW_ID'
certificate_ou_hw_id = '02 ' + '%.16X' % hmac_params.msm_id + ' HW_ID'
certificate_ou_oem_id = '04 ' + '%0.4X' % oem_id + ' OEM_ID'
certificate_ou_sw_size = '05 ' + '%0.8X' % self.data_to_sign_len + ' SW_SIZE'
certificate_ou_model_id = '06 ' + '%0.4X' % model_id + ' MODEL_ID'
certificate_hash_alg = certificate_hash_alg_map[self.signing_attributes.hash_algorithm]
certificate_ou = [
certificate_ou_sw_id,
certificate_ou_hw_id,
certificate_ou_oem_id,
certificate_ou_sw_size,
certificate_ou_model_id,
certificate_hash_alg
]
# Optional attributes
if debug_val is not None:
certificate_ou_debug_id = '03 ' + '%0.16X' % debug_val + ' DEBUG'
certificate_ou.append(certificate_ou_debug_id)
if app_id is not None:
certificate_app_id = '08 ' + '%0.16X' % app_id + ' APP_ID'
certificate_ou.append(certificate_app_id)
if crash_dump is not None:
certificate_crash_dump = '09 ' + '%0.16X' % crash_dump + ' CRASH_DUMP'
certificate_ou.append(certificate_crash_dump)
if rot_en is not None:
certificate_rot_en = '10 ' + '%0.16X' % rot_en + ' ROT_EN'
certificate_ou.append(certificate_rot_en)
if mask_soc_hw_version is not None:
certificate_mask_soc_hw_version = '12 ' + '%0.4X' % mask_soc_hw_version + ' MASK_SOC_HW_VERSION'
certificate_ou.append(certificate_mask_soc_hw_version)
if in_use_soc_hw_version == 1:
certificate_in_use_soc_hw_version = '13 ' + '%0.4X' % in_use_soc_hw_version + ' IN_USE_SOC_HW_VERSION'
certificate_ou.append(certificate_in_use_soc_hw_version)
if use_serial_number_in_signing == 1:
certificate_use_serial_number_in_signing = '14 ' + '%0.4X' % use_serial_number_in_signing + ' USE_SERIAL_NUMBER_IN_SIGNING'
certificate_ou.append(certificate_use_serial_number_in_signing)
if oem_id_independent == 1:
certificate_oem_id_independent = '15 ' + '%0.4X' % oem_id_independent + ' OEM_ID_INDEPENDENT'
certificate_ou.append(certificate_oem_id_independent)
# multiple debug serial use case
certificate_ou_sn_list = []
for index in xrange(0, len(debug_serials), 6):
serial_sublist = debug_serials[index: index+6]
certificate_ou_sn_list.append(create_ou_field_from_hex_list(16, "SN", serial_sublist, True, 6))
certificate_ou_sn_list.reverse()
certificate_ou.extend(certificate_ou_sn_list)
# multiple soc hw version use case
if soc_vers:
if self.padding != self.PAD_PSS:
logger.warning("soc_vers should be used with RSAPSS")
certificate_ou.append(create_ou_field_from_hex_list(11, "SOC_VERS", soc_vers, True, 10))
# IOT MRC use case
if num_root_certs > 1 and self.config.metadata.chipset in IOT_MRC_CHIPSETS:
certificate_root_cert_sel = '17 ' + '%0.4X' % self.signing_attributes.mrc_index + ' ROOT_CERT_SEL'
certificate_ou.append(certificate_root_cert_sel)
if revocation_enablement is not None and revocation_enablement != 0:
certificate_revocation_enablement = '18 ' + '%0.16X' % revocation_enablement + ' REVOCATION_ENABLEMENT'
certificate_ou.append(certificate_revocation_enablement)
if activation_enablement is not None and activation_enablement != 0:
certificate_activation_enablement = '19 ' + '%0.16X' % activation_enablement + ' ACTIVATION_ENABLEMENT'
certificate_ou.append(certificate_activation_enablement)
# Handle OU property binding
params = dict(in_params)
if 'OU' in params.keys():
if type(params['OU']) == list:
for item in params['OU']:
certificate_ou.append(item)
else:
certificate_ou.append(params['OU'])
params['OU'] = certificate_ou
return params
def create_subject_params_attest(self, in_params):
# Set exfile
if self._is_oid_supported(self.signing_attributes):
if not self.validate_oid_from_config(self.certs_info.ca.cert_path,
self.signing_attributes):
raise ConfigError(
'{0} min and max are not set correctly in configuration.'
'Signing will not continue.'.format(
self.signing_attributes.object_id.name))
self.certs[
self.
ATTEST].extfile = self._generate_attestation_certificate_extensions(
self.openssl_info.attest_ca_xts,
self.signing_attributes.object_id.name,
self.signing_attributes.object_id.min,
self.signing_attributes.object_id.max)
else:
self.certs[self.ATTEST].extfile = self.openssl_info.attest_ca_xts
# Only allow OU fields to be added to attest cert if they are not being added to hash segment
if self.signing_attributes.secboot_version in [SECBOOT_VERSION_3_0]:
# Don't add OU fields
logger.debug("Skipping adding OU fields to attest certificate.")
return dict(in_params)
def create_ou_field_from_hex_list(ou_num, ou_name, hex_list, remove_0x,
max_num_items_in_ou):
item_length = 0
ou_field = str(ou_num)
for val in hex_list:
item_length = len(val) - 2 if remove_0x else len(val)
ou_field += " " + (val[2:] if remove_0x else val)
# fill remainder of OU field with zeros
zeros = (" " + "0" * item_length) * (max_num_items_in_ou -
len(hex_list))
ou_field += zeros
ou_field += " " + ou_name
return ou_field
# GET SIGNING ATTRIBUTE DATA
num_root_certs = int(self.signing_attributes.num_root_certs)
debug_val = int(self.signing_attributes.debug, 16)
oem_id = int(self.signing_attributes.oem_id, 16) & 0xFFFF
model_id = int(self.signing_attributes.model_id, 16) & 0xFFFF
crash_dump = int(self.signing_attributes.crash_dump, 16)
rot_en = int(self.signing_attributes.rot_en, 16)
soc_vers = self.signing_attributes.soc_vers
in_use_soc_hw_version = self.signing_attributes.in_use_soc_hw_version
use_serial_number_in_signing = self.signing_attributes.use_serial_number_in_signing
oem_id_independent = self.signing_attributes.oem_id_independent
revocation_enablement = int(
self.signing_attributes.revocation_enablement, 16)
activation_enablement = int(
self.signing_attributes.activation_enablement, 16)
root_revoke_activate_enable = int(
self.signing_attributes.root_revoke_activate_enable, 16)
uie_key_switch_enable = int(
self.signing_attributes.uie_key_switch_enable, 16)
# Signing attributes without default values
multi_serial_numbers = self.signing_attributes.multi_serial_numbers.serial if self.signing_attributes.multi_serial_numbers is not None else []
app_id = int(
self.signing_attributes.app_id,
16) if self.signing_attributes.app_id is not None else None
mask_soc_hw_version = int(
self.signing_attributes.mask_soc_hw_version, 16
) if self.signing_attributes.mask_soc_hw_version is not None else None
# Get the binary to sign length
if self.data_to_sign_len is None:
if self.hash_to_sign is not None:
self.data_to_sign_len = len(self.hash_to_sign)
else:
raise RuntimeError('Length of binary could not be computed')
logger.debug('Generating new Attestation certificate and a random key')
hmac_params = HMAC()
hmac_params.init_from_config(self.signing_attributes)
certificate_ou_sw_id = '01 ' + '%.16X' % hmac_params.sw_id + ' SW_ID'
certificate_ou_hw_id = '02 ' + '%.16X' % hmac_params.msm_id + ' HW_ID'
certificate_ou_debug_id = '03 ' + '%0.16X' % debug_val + ' DEBUG'
certificate_ou_oem_id = '04 ' + '%0.4X' % oem_id + ' OEM_ID'
certificate_ou_sw_size = '05 ' + '%0.8X' % self.data_to_sign_len + ' SW_SIZE'
certificate_ou_model_id = '06 ' + '%0.4X' % model_id + ' MODEL_ID'
certificate_hash_alg = self.SHA_OU_MAP[
self.signing_attributes.hash_algorithm]
certificate_ou = [
certificate_ou_sw_id,
certificate_ou_hw_id,
certificate_ou_debug_id,
certificate_ou_oem_id,
certificate_ou_sw_size,
certificate_ou_model_id,
certificate_hash_alg,
]
# Optional attributes
if app_id:
certificate_app_id = '08 ' + '%0.16X' % app_id + ' APP_ID'
certificate_ou.append(certificate_app_id)
if crash_dump:
# Include CRASH_DUMP when it's not zero.
certificate_crash_dump = '09 ' + '%0.16X' % crash_dump + ' CRASH_DUMP'
certificate_ou.append(certificate_crash_dump)
if rot_en:
# Include ROT_EN when it's not zero.
certificate_rot_en = '10 ' + '%0.16X' % rot_en + ' ROT_EN'
certificate_ou.append(certificate_rot_en)
if mask_soc_hw_version:
certificate_mask_soc_hw_version = '12 ' + '%0.4X' % mask_soc_hw_version + ' MASK_SOC_HW_VERSION'
certificate_ou.append(certificate_mask_soc_hw_version)
if in_use_soc_hw_version == 1:
# Include IN_USE_SOC_HW_VERSION when it's 1.
certificate_in_use_soc_hw_version = '13 ' + '%0.4X' % in_use_soc_hw_version + ' IN_USE_SOC_HW_VERSION'
certificate_ou.append(certificate_in_use_soc_hw_version)
if use_serial_number_in_signing == 1:
# Include USE_SERIAL_NUMBER_IN_SIGNING when it's 1.
certificate_use_serial_number_in_signing = '14 ' + '%0.4X' % use_serial_number_in_signing +\
' USE_SERIAL_NUMBER_IN_SIGNING'
certificate_ou.append(certificate_use_serial_number_in_signing)
if oem_id_independent == 1:
# Include OEM_ID_INDEPENDENT when it's 1.
certificate_oem_id_independent = '15 ' + '%0.4X' % oem_id_independent + ' OEM_ID_INDEPENDENT'
certificate_ou.append(certificate_oem_id_independent)
# multiple debug serial use case
certificate_ou_sn_list = []
for index in xrange(0, len(multi_serial_numbers), 6):
serial_sublist = multi_serial_numbers[index:index + 6]
certificate_ou_sn_list.append(
create_ou_field_from_hex_list(16, "SN", serial_sublist, True,
6))
certificate_ou_sn_list.reverse()
certificate_ou.extend(certificate_ou_sn_list)
# multiple soc hw version use case
if soc_vers:
if self.padding != self.PAD_PSS:
logger.warning("soc_vers should be used with RSAPSS")
certificate_ou.append(
create_ou_field_from_hex_list(11, "SOC_VERS", soc_vers, True,
10))
# MRC 1.0 use case
if num_root_certs > 1 and self.config.metadata.chipset in MRC_1_0_CHIPSETS:
certificate_root_cert_sel = '17 ' + '%0.4X' % self.signing_attributes.mrc_index + ' ROOT_CERT_SEL'
certificate_ou.append(certificate_root_cert_sel)
if revocation_enablement:
certificate_revocation_enablement = '18 ' + '%0.16X' % revocation_enablement + ' REVOCATION_ENABLEMENT'
certificate_ou.append(certificate_revocation_enablement)
if activation_enablement:
certificate_activation_enablement = '19 ' + '%0.16X' % activation_enablement + ' ACTIVATION_ENABLEMENT'
certificate_ou.append(certificate_activation_enablement)
# MRC 2.0 use case
if num_root_certs > 1 and self.config.metadata.chipset in MRC_2_0_CHIPSETS:
certificate_root_cert_sel = '17 ' + '%0.4X' % self.signing_attributes.mrc_index + ' ROOT_CERT_SEL'
certificate_ou.append(certificate_root_cert_sel)
if root_revoke_activate_enable:
certificate_root_revoke_activate_enable =\
'20 ' + '%0.16X' % root_revoke_activate_enable + ' ROOT_REVOKE_ACTIVATE_ENABLE'
certificate_ou.append(certificate_root_revoke_activate_enable)
if uie_key_switch_enable:
certificate_uie_key_switch_enable = '21 ' + '%0.16X' % uie_key_switch_enable + ' UIE_KEY_SWITCH_ENABLE'
certificate_ou.append(certificate_uie_key_switch_enable)
# Handle OU property binding
params = dict(in_params)
if 'OU' in params.keys():
if type(params['OU']) == list:
for item in params['OU']:
certificate_ou.append(item)
else:
certificate_ou.append(params['OU'])
# Add OU fields
params['OU'] = certificate_ou
logger.debug("Adding OU fields to attest certificate.")
return params
def _set_metadata(metadata, imageinfo, metadata_fields, flag_fields, major_version, minor_version, authority):
# Set metadata dictionary values
for field_id, field in metadata_fields.iteritems():
field_name = field[1]
if field_name == "hw_id":
if hasattr(imageinfo, field_name):
metadata[field_name] = getattr(imageinfo, field_name)
else:
from sectools.features.isc.signer.utils.hmac import HMAC
hmac = HMAC()
hmac.init_from_config(imageinfo)
metadata[field_name] = hmac.msm_id
elif field_name == "sw_size" and not hasattr(imageinfo, field_name):
# sw_size is calculated and set inside pack method
metadata[field_name] = None
elif field_name != "flags":
if hasattr(imageinfo, field_name):
metadata[field_name] = getattr(imageinfo, field_name)
else:
raise RuntimeError("Config does not contain {0} value which is required by MBN v6 {1} metadata version {2}.{3}".format(field_name, authority, major_version, minor_version))
# Set metadata dictionary flag values
for field in flag_fields:
field_name = field[2]
if hasattr(imageinfo, field_name):
metadata[field_name] = getattr(imageinfo, field_name)
else:
raise RuntimeError("Config does not contain {0} value which is required by MBN v6 {1} metadata version {2}.{3}".format(field_name, authority, major_version, minor_version))
# Sanitize metadata values
for field_id, field in metadata_fields.iteritems():
field_format = field[0]
field_count = len(field_format)
field_name = field[1]
if field_name != "flags" and field_name != "sw_size":
value = metadata[field_name]
# Sanitize non-flag metadata values
value_count = 1
if field_name in metadata.keys():
if value is None:
if field_name == "soc_vers" or field_name == "multi_serial_numbers":
value = list()
else:
value = 0
elif isinstance(value, int):
pass
elif isinstance(value, long):
pass
elif isinstance(value, list):
value = [int(x, 16) if isinstance(x, basestring) or isinstance(x, long) else x for x in value]
value_count = len(value)
elif field_name == "soc_vers":
value = [int(soc_ver, 16) for soc_ver in value.split()]
value_count = len(value)
elif field_name == "multi_serial_numbers":
value = [int(serial, 16) for serial in value.serial]
value_count = len(value)
elif isinstance(value, basestring):
value = int(value, 16)
else:
raise RuntimeError("Cannot pack {0} into MBN v6 {1} metadata because it is not of type int, str, or list. Type: {2}".format(field_name, authority, metadata[field_name].__class__.__name__))
if value_count > field_count:
raise RuntimeError("Config contains {0} {1} values but MBN v6 {2} metadata version {3}.{4} only supports {5} {1} values".format(value_count, field_name, authority, major_version, minor_version, field_count))
else:
raise RuntimeError("Config does not contain {0} value which is required by MBN v6 {1} metadata version {2}.{3}".format(field_name, authority, major_version, minor_version))
# Update metadata value to reflect integer value packed in header
metadata[field_name] = value
# Sanitize metadata flag values
for flag in flag_fields:
field_name = flag[2]
value = metadata[field_name]
if field_name in metadata.keys():
if value is None:
value = 0
elif isinstance(value, basestring):
value = int(value, 16)
elif isinstance(value, int):
pass
else:
raise RuntimeError("Cannot pack {0} into MBN v6 {1} metadata because it is not of type int or str".format(field_name, authority))
if field_name == "root_revoke_activate_enable" and value != 0 and imageinfo.num_root_certs < 2:
value = 0
else:
raise RuntimeError("Config does not contain {0} value which is required by MBN v6 {1} metadata version {2}.{3}".format(field_name, authority, major_version, minor_version))
# Update metadata flag value to reflect integer value packed in header
metadata[field_name] = value