def generate_trustzone_binary(tzm_conf: click.File) -> None: """Generate TrustZone binary from json configuration file.""" config_data = load_configuration(tzm_conf.name) check_config(config_data, TrustZone.get_validation_schemas()) trustzone = TrustZone.from_config(config_data) tz_data = trustzone.export() output_file = config_data["tzpOutputFile"] write_file(tz_data, output_file, mode="wb") click.echo(f"Success. (Trustzone binary: {output_file} created.)")
def test_export_invalid(sample_tz_data): tz = TrustZone(family="lpc55xx", tz_type=TrustZoneType.CUSTOM, customizations=sample_tz_data) tz.presets = None with pytest.raises(SPSDKError, match="Preset data not present"): tz.export() tz = TrustZone(family="lpc55xx", tz_type=TrustZoneType.CUSTOM, customizations=sample_tz_data) tz.customs = None with pytest.raises(SPSDKError, match="Data not present"): tz.export()
def _get_trustzone(config: elftosb_helper.MasterBootImageConfig) -> TrustZone: """Create appropriate TrustZone instance.""" if not config.trustzone_preset_file: return TrustZone.disabled() try: tz_config_data = json.loads(load_file(config.trustzone_preset_file)) tz_config = elftosb_helper.TrustZoneConfig(tz_config_data) return TrustZone.custom( family=tz_config.family, revision=tz_config.revision, customizations=tz_config.presets ) except ValueError: tz_raw_data = load_binary(config.trustzone_preset_file) return TrustZone.from_binary( family=config.family, revision=config.revision, raw_data=tz_raw_data )
def test_signed_xip_multiple_certificates_invalid_input(data_dir): """Test invalid input for multiple certificates""" # indexed certificate is not specified der_file_names = ['selfsign_4096_v3.der.crt', 'selfsign_3072_v3.der.crt', 'selfsign_2048_v3.der.crt'] with pytest.raises(IndexError): certificate_block(data_dir, der_file_names, 3) # indexed certificate is not specified der_file_names = ['selfsign_4096_v3.der.crt', None, 'selfsign_3072_v3.der.crt', 'selfsign_2048_v3.der.crt'] with pytest.raises(ValueError): certificate_block(data_dir, der_file_names, 1) # public key in certificate and private key does not match der_file_names = ['selfsign_4096_v3.der.crt'] cert_block = certificate_block(data_dir, der_file_names, 0) priv_key_pem_data = _load_private_key(data_dir, 'selfsign_privatekey_rsa2048.pem') with pytest.raises(ValueError): MasterBootImage(app=bytes(range(128)), load_addr=0, image_type=MasterBootImageType.SIGNED_XIP_IMAGE, trust_zone=TrustZone.disabled(), cert_block=cert_block, priv_key_pem_data=priv_key_pem_data).export() # chain of certificates does not match der_file_names = ['selfsign_4096_v3.der.crt'] chain_certificates = ['ch3_crt2_v3.der.crt'] with pytest.raises(ValueError): certificate_block(data_dir, der_file_names, 0, chain_certificates)
def test_multiple_images_with_relocation_table(data_dir): """Test image that contains multiple binary images and relocation table :param data_dir: absolute path, where test data are located """ with open(os.path.join(data_dir, 'multicore', "testfffffff.bin"), "rb") as f: img_data = f.read() with open(os.path.join(data_dir, 'multicore', "normal_boot.bin"), "rb") as f: img1_data = f.read() with open(os.path.join(data_dir, 'multicore', "special_boot.bin"), "rb") as f: img2_data = f.read() with open(os.path.join(data_dir, 'multicore', "rt5xxA0.json"), "rb") as f: trust_zone_data = json.loads(f.read())['trustZonePreset'] table = MultipleImageTable() table.add_entry(MultipleImageEntry(img1_data, 0x80000)) table.add_entry(MultipleImageEntry(img2_data, 0x80600)) mbi = MasterBootImage(app=img_data, app_table=table, load_addr=0, image_type=MasterBootImageType.CRC_RAM_IMAGE, trust_zone=TrustZone.custom('rt5xx', trust_zone_data)) assert _compare_image(mbi, os.path.join(data_dir, 'multicore'), 'expected_output.bin')
def test_ram_signed_keystore(data_dir: str, image_file_name: str, ram_addr: int) -> None: """Create signed load-to-RAM image with keys stored in key-store :param data_dir: absolute path with data files :param image_file_name: name of the input image file (including extension) :param ram_addr: address in RAM, where the image should be located """ # read unsigned image (must be built without boot header) path = os.path.join(data_dir, INPUT_IMAGES_SUBDIR, image_file_name) org_data = load_binary(path) cert_block, priv_key_pem_data = create_cert_block(data_dir) key_store = get_keystore(data_dir) with open(os.path.join(data_dir, KEYSTORE_SUBDIR, 'userkey.txt'), 'r') as f: hmac_user_key = f.readline() mbi = MasterBootImage(app=org_data, image_type=MasterBootImageType.SIGNED_RAM_IMAGE, load_addr=ram_addr, trust_zone=TrustZone.disabled(), key_store=key_store, cert_block=cert_block, priv_key_pem_data=priv_key_pem_data, hmac_key=hmac_user_key) out_image_file_name = image_file_name.replace('_unsigned.bin', '_signed_keystore.bin') write_image(data_dir, out_image_file_name, mbi.export())
def generate_config_templates(family: str, output_folder: str) -> None: """Generate all possible configuration for selected family.""" if not family: raise SPSDKError("The chip family must be specified.") templates: Dict[str, str] = {} # 1: Generate all configuration for MBI templates.update(mbi_generate_config_templates(family)) # 2: Add TrustZone Configuration file templates.update(TrustZone.generate_config_template(family)) # 3: Optionally add Secure Binary v3.1 Configuration file templates.update(SecureBinary31.generate_config_template(family)) # And generate all config templates files for template in templates: file_name = f"{template}.yml" if os.path.isfile(output_folder): raise SPSDKError(f"The specified path {output_folder} is file.") if not os.path.isdir(output_folder): os.mkdir(output_folder) full_file_name = os.path.join(output_folder, file_name) if not os.path.isfile(full_file_name): click.echo(f"Creating {file_name} template file.") with open(full_file_name, "w") as f: f.write(templates[template]) else: click.echo(f"Skip creating {file_name}, this file already exists.")
def test_encrypted_ram_single_certificate_no_tz(data_dir, keysource: KeySourceType, keystore_fn: Optional[str], ctr_iv: str, expected_mbi: str): """Test encrypted image with fixed counter init vector""" with open(os.path.join(data_dir, 'testfffffff.bin'), "rb") as f: org_data = f.read() user_key = 'E39FD7AB61AE6DDDA37158A0FC3008C6D61100A03C7516EA1BE55A39F546BAD5' key_store_bin = None if keystore_fn: with open(os.path.join(data_dir, keystore_fn), "rb") as f: key_store_bin = f.read() key_store = KeyStore(keysource, key_store_bin) ctr_init_vector = bytes.fromhex(ctr_iv) # create certification block cert_block = certificate_block(data_dir, ['selfsign_2048_v3.der.crt']) priv_key_pem_data = _load_private_key(data_dir, 'selfsign_privatekey_rsa2048.pem') mbi = MasterBootImage(app=org_data, image_type=MasterBootImageType.ENCRYPTED_RAM_IMAGE, load_addr=0x12345678, trust_zone=TrustZone.disabled(), cert_block=cert_block, priv_key_pem_data=priv_key_pem_data, hmac_key=user_key, key_store=key_store, ctr_init_vector=ctr_init_vector) assert _compare_image(mbi, data_dir, expected_mbi)
def test_signed_xip_certificates_chain_no_tz(data_dir, der_certificates, chain_certificates, priv_key, expected_mbi): """Test signed image with multiple certificates, different key length :param data_dir: absolute path, where test data are located :param der_certificates: list of filenames of der root certificates :param chain_certificates: list of filenames of der cerificates :param priv_key: private key filename :param expected_mbi: filename of expected bootable image """ with open(os.path.join(data_dir, 'testfffffff.bin'), "rb") as f: org_data = f.read() # create certification block cert_block = certificate_block(data_dir, der_certificates, 0, chain_certificates) priv_key_pem_data = _load_private_key(data_dir, priv_key) mbi = MasterBootImage(app=org_data, load_addr=0, image_type=MasterBootImageType.SIGNED_XIP_IMAGE, trust_zone=TrustZone.disabled(), cert_block=cert_block, priv_key_pem_data=priv_key_pem_data) assert _compare_image(mbi, data_dir, expected_mbi)
def test_ram_encrypted_otp(data_dir: str, image_file_name: str, ram_addr: int) -> None: """Test encrypted load-to-RAM image with key stored in OTP :param data_dir: absolute path with data files :param image_file_name: name of the input image file (including extension) :param ram_addr: address in RAM, where the image should be located """ path = os.path.join(data_dir, INPUT_IMAGES_SUBDIR, image_file_name) org_data = load_binary(path) key_store = KeyStore(KeySourceType.OTP) cert_block, priv_key_pem_data = create_cert_block(data_dir) with open(os.path.join(data_dir, KEYSTORE_SUBDIR, 'userkey.txt'), 'r') as f: hmac_user_key = f.readline() mbi = MasterBootImage(app=org_data, image_type=MasterBootImageType.ENCRYPTED_RAM_IMAGE, load_addr=ram_addr, trust_zone=TrustZone.disabled(), cert_block=cert_block, priv_key_pem_data=priv_key_pem_data, hmac_key=hmac_user_key, key_store=key_store, ctr_init_vector=ENCR_CTR_IV) out_image_file_name = image_file_name.replace('_unsigned.bin', '_encr_otp.bin') write_image(data_dir, out_image_file_name, mbi.export())
def test_signed_ram_single_certificate_no_tz(data_dir, user_key, key_store_filename, expected_mbi): """Test non-XIP signed image with single certificate :param data_dir: absolute path, where test data are located """ with open(os.path.join(data_dir, 'testfffffff.bin'), "rb") as f: org_data = f.read() # create certification block cert_block = certificate_block(data_dir, ['selfsign_2048_v3.der.crt']) priv_key_pem_data = _load_private_key(data_dir, 'selfsign_privatekey_rsa2048.pem') key_store = None if key_store_filename: with open(os.path.join(data_dir, key_store_filename), "rb") as f: key_store_bin = f.read() key_store = KeyStore(KeySourceType.KEYSTORE, key_store_bin) mbi = MasterBootImage(app=org_data, image_type=MasterBootImageType.SIGNED_RAM_IMAGE, load_addr=0x12345678, trust_zone=TrustZone.disabled(), cert_block=cert_block, priv_key_pem_data=priv_key_pem_data, hmac_key=user_key, key_store=key_store) assert _compare_image(mbi, data_dir, expected_mbi)
def test_multiple_images_with_relocation_table(data_dir): """Test image that contains multiple binary images and relocation table :param data_dir: absolute path, where test data are located """ with open(os.path.join(data_dir, "multicore", "testfffffff.bin"), "rb") as f: img_data = f.read() with open(os.path.join(data_dir, "multicore", "normal_boot.bin"), "rb") as f: img1_data = f.read() with open(os.path.join(data_dir, "multicore", "special_boot.bin"), "rb") as f: img2_data = f.read() with open(os.path.join(data_dir, "multicore", "rt5xxA0.json"), "rb") as f: trust_zone_data = json.loads(f.read())["trustZonePreset"] table = MultipleImageTable() table.add_entry(MultipleImageEntry(img1_data, 0x80000)) table.add_entry(MultipleImageEntry(img2_data, 0x80600)) mbi = Mbi_CrcRamRtxxx( app=img_data, app_table=table, load_addr=0, trust_zone=TrustZone.custom("rt5xx", trust_zone_data), ) assert _compare_image(mbi, os.path.join(data_dir, "multicore"), "expected_output.bin")
def test_ram_encrypted_keystore(data_dir: str, image_file_name: str, ram_addr: int) -> None: """Test encrypted load-to-RAM image with key stored in key-store :param data_dir: absolute path with data files :param image_file_name: name of the input image file (including extension) :param ram_addr: address in RAM, where the image should be located """ path = os.path.join(data_dir, INPUT_IMAGES_SUBDIR, image_file_name) org_data = load_binary(path) # load keystore with HMAC user key key_store = get_keystore(data_dir) cert_block, priv_key_pem_data = create_cert_block(data_dir) with open(os.path.join(data_dir, KEYSTORE_SUBDIR, "userkey.txt"), "r") as f: hmac_user_key = f.readline() mbi = Mbi_EncryptedRamRtxxx( app=org_data, load_addr=ram_addr, trust_zone=TrustZone.disabled(), cert_block=cert_block, priv_key_data=priv_key_pem_data, hmac_key=hmac_user_key, key_store=key_store, ctr_init_vector=ENCR_CTR_IV, ) out_image_file_name = image_file_name.replace("_unsigned.bin", "_encr_keystore.bin") write_image(data_dir, out_image_file_name, mbi.export())
def test_invalid_export_mbi(data_dir): with open(os.path.join(data_dir, "testfffffff.bin"), "rb") as f: org_data = f.read() user_key = "E39FD7AB61AE6DDDA37158A0FC3008C6D61100A03C7516EA1BE55A39F546BAD5" key_store_bin = None key_store = KeyStore(KeySourceType.KEYSTORE, key_store_bin) cert_block = certificate_block(data_dir, ["selfsign_2048_v3.der.crt"]) priv_key_pem_data = _load_private_key(data_dir, "selfsign_privatekey_rsa2048.pem") mbi = Mbi_EncryptedRamRtxxx( app=org_data, load_addr=0x12345678, trust_zone=TrustZone.disabled(), cert_block=cert_block, priv_key_data=priv_key_pem_data, hmac_key=user_key, key_store=key_store, ctr_init_vector=bytes(16), ) mbi.priv_key_data = None with pytest.raises(SPSDKError): mbi.export() mbi.priv_key_data = priv_key_pem_data mbi.cert_block = None with pytest.raises(SPSDKError): mbi.export()
def test_ram_signed_otp(data_dir: str, image_file_name: str, ram_addr: int) -> None: """Create signed load-to-RAM image with keys stored in OTP :param data_dir: absolute path with data files :param image_file_name: name of the input image file (including extension) :param ram_addr: address in RAM, where the image should be located """ # read unsigned image (must be built without boot header) path = os.path.join(data_dir, INPUT_IMAGES_SUBDIR, image_file_name) unsigned_img = load_binary(path) keystore = KeyStore(KeySourceType.OTP) cert_block, priv_key_pem_data = create_cert_block(data_dir) mbi = Mbi_PlainSignedRamRtxxx( app=unsigned_img, load_addr=ram_addr, key_store=keystore, hmac_key=MASTER_KEY, trust_zone=TrustZone.disabled(), cert_block=cert_block, priv_key_data=priv_key_pem_data, ) out_image_file_name = image_file_name.replace("_unsigned.bin", "_signed_otp.bin") write_image(data_dir, out_image_file_name, mbi.export())
def generate_trustzone_binary(tzm_conf: click.File) -> None: """Generate TrustZone binary from json configuration file.""" config_data = json.load(tzm_conf) config = elftosb_helper.TrustZoneConfig(config_data) trustzone = TrustZone.custom(family=config.family, revision=config.revision, customizations=config.presets) tz_data = trustzone.export() with open(config.output_file, 'wb') as f: f.write(tz_data)
def test_tz_incorrect_data(sample_tz_data): with pytest.raises(SPSDKError): TrustZone( family="lpc55xx", raw_data=bytes(4), tz_type=TrustZoneType.CUSTOM, customizations=sample_tz_data, )
def generate_trustzone() -> None: """Generate custom trustzone presets. For this example we have only few settings in configuration file. The full set is available in `spsdk/data/tz_presets` folder """ supperted_families = TrustZone().get_families() print("Supported families:") print("\n".join(supperted_families)) with open(os.path.join(DATA_DIR, "lpc55xx_tz.json")) as config_file: config_data = json.load(config_file) tz_presets = TrustZone.custom(family="lpc55xx", customizations=config_data) tz_data = tz_presets.export() with open(os.path.join(THIS_DIR, "tz.bin"), "wb") as binary_file: binary_file.write(tz_data)
def test_binary(data_dir, family, json_config, binary): with open(os.path.join(data_dir, json_config)) as json_config_file: json_config_data = json.load(json_config_file) with open(os.path.join(data_dir, binary), "rb") as binary_file: binary_data = binary_file.read() my_data = TrustZone( family=family, customizations=json_config_data["trustZonePreset"]).export() assert my_data == binary_data
def test_plain_xip_crc_default_tz(data_dir, input_img, expected_mbi): """Test plain image with CRC and default TZ-M :param data_dir: absolute path, where test data are located :param input_img: file name of input image (binary) :param expected_mbi: file name of MBI image file with expected data """ with open(os.path.join(data_dir, input_img), "rb") as f: org_data = f.read() mbi = MasterBootImage(app=org_data, load_addr=0, image_type=MasterBootImageType.CRC_XIP_IMAGE, trust_zone=TrustZone.enabled()) assert _compare_image(mbi, data_dir, expected_mbi)
def test_encrypted_random_ctr_single_certificate_no_tz(data_dir): """Test encrypted image with random counter init vector""" with open(os.path.join(data_dir, 'testfffffff.bin'), "rb") as f: org_data = f.read() user_key = 'E39FD7AB61AE6DDDA37158A0FC3008C6D61100A03C7516EA1BE55A39F546BAD5' key_store = KeyStore(KeySourceType.KEYSTORE, None) cert_block = certificate_block(data_dir, ['selfsign_2048_v3.der.crt']) priv_key_pem_data = _load_private_key(data_dir, 'selfsign_privatekey_rsa2048.pem') mbi = MasterBootImage(app=org_data, image_type=MasterBootImageType.ENCRYPTED_RAM_IMAGE, load_addr=0x12345678, trust_zone=TrustZone.disabled(), cert_block=cert_block, priv_key_pem_data=priv_key_pem_data, hmac_key=user_key, key_store=key_store) assert mbi.export() assert mbi.info()
def test_plain_xip_crc_default_tz(data_dir, input_img, expected_mbi): """Test plain image with CRC and default TZ-M :param data_dir: absolute path, where test data are located :param input_img: file name of input image (binary) :param expected_mbi: file name of MBI image file with expected data """ with open(os.path.join(data_dir, input_img), "rb") as f: org_data = f.read() mbi = Mbi_CrcXip( app=org_data, trust_zone=TrustZone.enabled(), ) assert _compare_image(mbi, data_dir, expected_mbi)
def test_master_boot_image_invalid_hmac(data_dir): with open(os.path.join(data_dir, "testfffffff.bin"), "rb") as f: org_data = f.read() user_key = "E39FD7AB61AE6DDDA37158A0FC3008C6D61100A03C7516EA1BE55A39F546BAD5" key_store = KeyStore(KeySourceType.KEYSTORE, None) cert_block = certificate_block(data_dir, ["selfsign_2048_v3.der.crt"]) priv_key_pem_data = _load_private_key(data_dir, "selfsign_privatekey_rsa2048.pem") mbi = Mbi_EncryptedRamRtxxx( app=org_data, load_addr=0x12345678, trust_zone=TrustZone.disabled(), cert_block=cert_block, priv_key_data=priv_key_pem_data, hmac_key=user_key, key_store=key_store, ) mbi.hmac_key = None assert mbi.compute_hmac(data=bytes(16)) == bytes()
def test_signed_xip_single_certificate_no_tz(data_dir, priv_key, der_certificate, expected_mbi): """Test signed XIP image with single certificate, different key length :param data_dir: absolute path, where test data are located :param priv_key: filename of private key used for signing :param der_certificate: filename of corresponding certificate in DER format :param expected_mbi: filename of expected bootable image """ with open(os.path.join(data_dir, 'testfffffff.bin'), "rb") as f: org_data = f.read() # create certification block cert_block = certificate_block(data_dir, [der_certificate]) priv_key_pem_data = _load_private_key(data_dir, priv_key) mbi = MasterBootImage(app=org_data, load_addr=0, image_type=MasterBootImageType.SIGNED_XIP_IMAGE, trust_zone=TrustZone.disabled(), cert_block=cert_block, priv_key_pem_data=priv_key_pem_data) assert _compare_image(mbi, data_dir, expected_mbi)
def test_encrypted_random_ctr_single_certificate_no_tz(data_dir): """Test encrypted image with random counter init vector""" with open(os.path.join(data_dir, "testfffffff.bin"), "rb") as f: org_data = f.read() user_key = "E39FD7AB61AE6DDDA37158A0FC3008C6D61100A03C7516EA1BE55A39F546BAD5" key_store = KeyStore(KeySourceType.KEYSTORE, None) cert_block = certificate_block(data_dir, ["selfsign_2048_v3.der.crt"]) priv_key_pem_data = _load_private_key(data_dir, "selfsign_privatekey_rsa2048.pem") mbi = Mbi_EncryptedRamRtxxx( app=org_data, load_addr=0x12345678, trust_zone=TrustZone.disabled(), cert_block=cert_block, priv_key_data=priv_key_pem_data, hmac_key=user_key, key_store=key_store, ) assert mbi.export()
def test_plain_xip_crc_custom_tz(data_dir, input_img, tz_config, family, expected_mbi): """Test plain image with CRC and custom TZ-M :param data_dir: absolute path, where test data are located :param input_img: file name of input image (binary) :param tz_config: file name of trust-zone configuration JSON file :param family: identification of the processor for conversion of trust-zone data :param expected_mbi: file name of MBI image file with expected data """ with open(os.path.join(data_dir, input_img), "rb") as f: org_data = f.read() with open(os.path.join(data_dir, expected_mbi), "rb") as f: expected_data = f.read() with open(os.path.join(data_dir, tz_config)) as f: tz_presets = json.load(f)["trustZonePreset"] mbi = MasterBootImage(app=org_data, load_addr=0, image_type=MasterBootImageType.CRC_XIP_IMAGE, trust_zone=TrustZone(family=family, customizations=tz_presets)) assert _compare_image(mbi, data_dir, expected_mbi)
def test_base_info(data_dir): """Basic test for MasterBootImage - information """ # plain image mbi = MasterBootImage(app=bytes(range(64)), load_addr=0, enable_hw_user_mode_keys=True) output = mbi.info() repr_strings = [ "Master Boot Image", "Image type", "Image length", "TrustZone", 'HW user mode keys' ] for req_string in repr_strings: assert req_string in output, f'string {req_string} is not in the output: {output}' # CRC image mbi = MasterBootImage(app=bytes(range(64)), image_type=MasterBootImageType.CRC_RAM_IMAGE, load_addr=0x1000) output = mbi.info() repr_strings = [ "Master Boot Image", "Image type", "Image length", "TrustZone" ] for req_string in repr_strings: assert req_string in output, f'string {req_string} is not in the output: {output}' # signed image priv_key_pem_data = _load_private_key(data_dir, 'private_rsa4096.pem') cert_block = certificate_block( data_dir, ['selfsign_4096_v3.der.crt', 'selfsign_3072_v3.der.crt'], 0) mbi = MasterBootImage(app=bytes(range(64)), load_addr=0x12345678, image_type=MasterBootImageType.SIGNED_XIP_IMAGE, trust_zone=TrustZone.custom( "lpc55xx", {"MPU Control Register.(cm33_mpu_ctrl)": "0x0"}), cert_block=cert_block, priv_key_pem_data=priv_key_pem_data) output = mbi.info() repr_strings = [ "Master Boot Image", "Image type", "Image length", "TrustZone" ] for req_string in repr_strings: assert req_string in output, f'string {req_string} is not in the output: {output}'
def test_errors(sample_tz_data): with pytest.raises(SPSDKError): TrustZone.custom(family="totaly_legit_family", customizations=sample_tz_data) # throw error when TZ is disabled, but tz data are present with pytest.raises(SPSDKError): TrustZone(tz_type=TrustZoneType.DISABLED, customizations=sample_tz_data) # throw error when TZ is set to CUSTOM but no data and no family are provided with pytest.raises(SPSDKError): TrustZone(tz_type=TrustZoneType.CUSTOM) # throw error when TZ is set to CUSTOM but no family is provided with pytest.raises(SPSDKError): TrustZone(tz_type=TrustZoneType.CUSTOM, customizations=sample_tz_data) # throw error when TZ is set to CUSTOM but no data are provided with pytest.raises(SPSDKError): TrustZone(tz_type=TrustZoneType.CUSTOM, family="lpc55xx") # throw error for invalid customization data with pytest.raises(SPSDKError): TrustZone(family="lpc55xx", customizations={"fake": "this is fake"}) # throw error when TZ type is custom and family is not set with pytest.raises(SPSDKError, match="Need to provide 'family' parameter"): TrustZone(tz_type=TrustZoneType.CUSTOM, family=None)
def test_signed_xip_multiple_certificates_invalid_input(data_dir): """Test invalid input for multiple certificates""" # indexed certificate is not specified der_file_names = [ "selfsign_4096_v3.der.crt", "selfsign_3072_v3.der.crt", "selfsign_2048_v3.der.crt", ] with pytest.raises(IndexError): certificate_block(data_dir, der_file_names, 3) # indexed certificate is not specified der_file_names = [ "selfsign_4096_v3.der.crt", None, "selfsign_3072_v3.der.crt", "selfsign_2048_v3.der.crt", ] with pytest.raises(SPSDKError): certificate_block(data_dir, der_file_names, 1) # public key in certificate and private key does not match der_file_names = ["selfsign_4096_v3.der.crt"] cert_block = certificate_block(data_dir, der_file_names, 0) priv_key_pem_data = _load_private_key(data_dir, "selfsign_privatekey_rsa2048.pem") with pytest.raises(SPSDKError): Mbi_SignedXip( app=bytes(range(128)), trust_zone=TrustZone.disabled(), cert_block=cert_block, priv_key_data=priv_key_pem_data, ).export() # chain of certificates does not match der_file_names = ["selfsign_4096_v3.der.crt"] chain_certificates = ["ch3_crt2_v3.der.crt"] with pytest.raises(SPSDKError): certificate_block(data_dir, der_file_names, 0, chain_certificates)
def test_errors(sample_tz_data): with pytest.raises(AssertionError): TrustZone.custom(family="totaly_legit_family", customizations=sample_tz_data) # throw error when TZ is disabled, but tz data are present with pytest.raises(ValueError): TrustZone(tz_type=TrustZoneType.DISABLED, customizations=sample_tz_data) # throw error when TZ is set to CUSTOM but no data and no family are provided with pytest.raises(AssertionError): TrustZone(tz_type=TrustZoneType.CUSTOM) # throw error when TZ is set to CUSTOM but no family is provided with pytest.raises(AssertionError): TrustZone(tz_type=TrustZoneType.CUSTOM, customizations=sample_tz_data) # throw error when TZ is set to CUSTOM but no data are provided with pytest.raises(AssertionError): TrustZone(tz_type=TrustZoneType.CUSTOM, family="lpc55xx") # throw error for invalid customization data with pytest.raises(ValueError): TrustZone(family="lpc55xx", customizations={"fake": "this is fake"})