Esempio n. 1
0
    def test_finalize(self):
        _READER_BASE_test = _READER_BASE(self._args, self._hsm_manager,
                                         self._config)
        bs = mocksign.bitstream.create(database.CONTENT_SR)
        block0 = common_util.BYTE_ARRAY()
        block0.data = array.array('B', bs.block0)
        block1 = common_util.BYTE_ARRAY()
        block1.data = array.array('B', bs.block0)
        payload = common_util.BYTE_ARRAY()
        payload.data = array.array('B', bs.payload)

        with tempfile.NamedTemporaryFile(mode='w+b') as tmp:
            _READER_BASE_test.finalize(tmp, block0, block1, payload)
Esempio n. 2
0
 def test_make_csk_entry_dc(self):
     self._args.input_file = self._dummy_key_file.name
     up = UPDATE_reader(self._args, self._hsm_manager, self._config)
     root_key = 'root_key'
     csk_pub_key = common_util.BYTE_ARRAY()
     up.make_csk_entry_dc(root_key, csk_pub_key)
     up.run()
Esempio n. 3
0
 def __init__(self, xy, key_info):
     self.xy = common_util.BYTE_ARRAY()
     self.xy.append_data(xy)
     log.debug("Got key info")
     log.debug("".join("{:02x} ".format(x) for x in self.xy.data))
     log.debug(self.xy)
     self.key_info = key_info
Esempio n. 4
0
    def __init__(self, args):
        self.args = args
        self.database = database.FAMILY_LIST["PAC_CARD"]
        log.debug(args.main_command)
        self.bitstream_type = self.database.SUPPORTED_TYPES[
            args.main_command].ENUM
        self.verify = True if args.root_bitstream else False
        if self.verify:
            offset = 0
            self.reh = common_util.BYTE_ARRAY("FILE", args.root_bitstream)
            con_type = self.reh.get_dword(offset + 8)

            if (self.reh.get_dword(offset) !=
                    database.DESCRIPTOR_BLOCK_MAGIC_NUM
                    or self.reh.get_dword(offset + 4) != 128
                    or (con_type >> 8) & 0xFF != database.BITSTREAM_TYPE_RK_256
                    or self.reh.get_dword(offset + 128) !=
                    database.SIGNATURE_BLOCK_MAGIC_NUM):
                common_util.assert_in_error(
                    False,
                    "File '{}' is not a root entry hash programming bitstream".
                    format(args.root_bitstream),
                )

            if con_type & 0xFF != self.bitstream_type:
                log.warn("File '{}' different type than bitstream."
                         "  Validation impossible".format(args.root_bitstream))
                self.verify = False

        if self.verify:
            self.val_root_hash = int.from_bytes(self.reh.data[1024:1056],
                                                byteorder="big")
            self.val_root_hash_dc = int.from_bytes(self.reh.data[1072:1104],
                                                   byteorder="big")
Esempio n. 5
0
    def test_is_Rush_BMC(self):
        UPDATE_reader_test = UPDATE_reader(self._args, self._hsm_manager,
                                           self._config)

        payload = common_util.BYTE_ARRAY()
        payload.data = self._bitstream.payload

        assert not UPDATE_reader_test.is_Rush_BMC(payload, 0)
Esempio n. 6
0
 def test_make_block0_dc(self):
     _READER_BASE_test = _READER_BASE(self._args, self._hsm_manager,
                                      self._config)
     payload = common_util.BYTE_ARRAY()
     bs = self._bitstream
     payload.data = array.array('B', bs.payload)
     b0 = _READER_BASE_test.make_block0_dc(payload, len(bs.payload))
     assert bytearray(b0.data[0:4]) == bs.block0[0:4]
Esempio n. 7
0
 def test_is_Darby_PR(self):
     _READER_BASE_test = _READER_BASE(self._args, self._hsm_manager,
                                      self._config)
     with tempfile.NamedTemporaryFile(mode='w+b') as fp:
         fp.write(self._bitstream.payload)
         fp.seek(0)
         ba = common_util.BYTE_ARRAY("FILE", fp.name)
         assert _READER_BASE_test.is_Darby_PR(ba, 0)
Esempio n. 8
0
 def test_already_signed(self):
     UPDATE_reader_test = UPDATE_reader(self._args, self._hsm_manager,
                                        self._config)
     already_signed_contents = common_util.BYTE_ARRAY()
     already_signed_contents.data = self._bitstream.payload
     already_signed_offset = 0
     UPDATE_reader_test.already_signed(already_signed_contents,
                                       already_signed_offset)
Esempio n. 9
0
 def __init__(self, file, openssl, key_info):
     self.key_info = key_info
     assert openssl is not None
     self.file = file
     self.openssl = openssl
     self.xy = common_util.BYTE_ARRAY()
     self.key = None
     self.curve_info = None
Esempio n. 10
0
    def sign(self, sha, key):
        private_key = self.get_private_key(key)
        data = common_util.BYTE_ARRAY()
        private_key.sign(sha, data)
        log.debug("Signature len={}".format(data.size()))
        log.debug("".join("{:02x} ".format(x) for x in data.data))

        return data
Esempio n. 11
0
    def test_is_Darby_PR(self):
        bs = mocksign.d5005_pr.create()
        data = bs.getbuffer()

        with tempfile.NamedTemporaryFile(mode='w+b') as bsfile:
            bsfile.write(data)
            bsfile.seek(0)
            ba = common_util.BYTE_ARRAY("FILE", bsfile.name)
            assert _VERIFIER_BASE.is_Darby_PR(mock.MagicMock(), ba,
                                              bs.payload_offset)
Esempio n. 12
0
    def test_make_csk_entry(self):
        up = UPDATE_reader(self._args, self._hsm_manager, self._config)
        make_csk_entry_root_key = 'root_key'
        make_csk_entry_CSK_pub_key = common_util.BYTE_ARRAY()

        up.make_csk_entry(make_csk_entry_root_key, make_csk_entry_CSK_pub_key)

        self._args.csk_id = 0
        can = CANCEL_reader(self._args, self._hsm_manager, self._config)
        can.run()
Esempio n. 13
0
    def sign(self, sha, key):
        try:
            key_, _ = self.get_key(key, ObjectClass.PRIVATE_KEY)
        except pkcs11.NoSuchKey:
            log.error("No such key")
        except pkcs11.MultipleObjectsReturned:
            log.error("multiple")

        rs = common_util.BYTE_ARRAY()
        rs.append_data(key_.sign(sha, mechanism=Mechanism.ECDSA))
        log.debug("RS length is {}".format(rs.size()))
        log.debug("".join("{:02x} ".format(x) for x in rs.data))

        return rs
Esempio n. 14
0
    def run(self, fname, file_offset, block0, block1, payload):
        log.info("Starting verification")
        payload_content = common_util.BYTE_ARRAY("FILE", fname)

        # Skip JSON and old signature if they exist
        has_json = self.is_JSON(payload_content)
        log.debug("has_json = {}".format(has_json))
        sig_offset = 0 if not has_json else self.skip_JSON(payload_content)

        # Determine if platform is RC or DC
        self.dc_pr = self.is_Darby_PR(payload_content, sig_offset)

        fd = open(fname, "rb")
        fd.seek(file_offset, 0)

        b0 = fd.read(block0.size())
        b1 = fd.read(block1.size())
        if self.dc_pr:
            pay = fd.read(len(payload))
            pay_good = pay == bytes(payload)
        else:
            pay = fd.read(payload.size())
            pay_good = pay == bytes(payload.data)

        fd.close()
        common_util.assert_in_error(
            b0 == bytes(block0.data) and b1 == bytes(block1.data) and pay_good,
            "File not written properly",
        )

        log.info("Bitstream file written properly (bits match expected)")

        pay_sha256_v = int.from_bytes(sha256(pay).digest(), byteorder="big")
        pay_sha384_v = int.from_bytes(sha384(pay).digest(), byteorder="big")

        if not self.dc_pr:
            if pay_sha256_v != int.from_bytes(b0[16:16 + 32], byteorder="big"):
                log.error("SHA-256 in Block 0 does not match")

            if pay_sha384_v != int.from_bytes(b0[48:48 + 48], byteorder="big"):
                log.error("SHA-384 in Block 0 does not match")

        # Check root hash
        if self.dc_pr:
            hash = int.from_bytes(sha256(b1[152:152 + 64]).digest(),
                                  byteorder="big")
            good = hash == self.val_root_hash_dc
        else:
            hash = int.from_bytes(sha256(b1[20:148]).digest(), byteorder="big")
            good = hash == self.val_root_hash

        if good:
            log.info("Root hash matches")
        else:
            log.error("Root hash mismatch:")
            log.error("Signed bitstream:                   {}".format(
                hex(hash)))
            log.error("Root entry hash bitstream provided: {}".format(
                hex(self.val_root_hash_dc if self.dc_pr else self.val_root_hash
                    )))

        if self.dc_pr:
            root_pub_key_x = int.from_bytes(b1[152:152 + 32], byteorder="big")
            root_pub_key_y = int.from_bytes(b1[152 + 32:152 + 64],
                                            byteorder="big")
            root_pub_key_v = (root_pub_key_x, root_pub_key_y)
            csk_pub_key_x = int.from_bytes(b1[264:264 + 32], byteorder="big")
            csk_pub_key_y = int.from_bytes(b1[264 + 32:264 + 64],
                                           byteorder="big")
            csk_pub_key_v = (csk_pub_key_x, csk_pub_key_y)
            csk_rs_r = int.from_bytes(b1[344:344 + 32], byteorder="big")
            csk_rs_s = int.from_bytes(b1[344 + 32:344 + 64], byteorder="big")
            csk_rs_v = (csk_rs_r, csk_rs_s)
            b0e_rs_r = int.from_bytes(b1[448:448 + 32], byteorder="big")
            b0e_rs_s = int.from_bytes(b1[448 + 32:448 + 64], byteorder="big")
            b0e_rs_v = (b0e_rs_r, b0e_rs_s)

            root_sha_v = hash
            csk_sha_v = int.from_bytes(sha256(b1[240:240 + 88]).digest(),
                                       byteorder="big")
            b0_sha_v = int.from_bytes(sha256(b0).digest(), byteorder="big")
        else:
            if self.cert_type == database.BITSTREAM_TYPE_CANCEL:
                b0e_off = 156
                csk_pub_key_v = (0, 0)
                csk_rs_v = (0, 0)
                csk_sha_v = 0
            else:
                b0e_off = 388
                csk_pub_key_x = int.from_bytes(b1[164:164 + 32],
                                               byteorder="big")
                csk_pub_key_y = int.from_bytes(b1[212:212 + 32],
                                               byteorder="big")
                csk_pub_key_v = (csk_pub_key_x, csk_pub_key_y)
                csk_rs_r = int.from_bytes(b1[284:284 + 32], byteorder="big")
                csk_rs_s = int.from_bytes(b1[332:332 + 32], byteorder="big")
                csk_rs_v = (csk_rs_r, csk_rs_s)
                csk_sha_v = int.from_bytes(sha256(b1[152:152 + 128]).digest(),
                                           byteorder="big")

            root_pub_key_x = int.from_bytes(b1[32:32 + 32], byteorder="big")
            root_pub_key_y = int.from_bytes(b1[80:80 + 32], byteorder="big")
            root_pub_key_v = (root_pub_key_x, root_pub_key_y)
            b0e_rs_r = int.from_bytes(b1[b0e_off:b0e_off + 32],
                                      byteorder="big")
            b0e_rs_s = int.from_bytes(b1[b0e_off + 48:b0e_off + 48 + 32],
                                      byteorder="big")
            b0e_rs_v = (b0e_rs_r, b0e_rs_s)
            root_sha_v = hash
            b0_sha_v = int.from_bytes(sha256(b0).digest(), byteorder="big")

        # validate signatures
        if self.cert_type != database.BITSTREAM_TYPE_CANCEL:
            if ecdsa.verify_signature(root_pub_key_v, csk_sha_v, csk_rs_v):
                log.info("Signature of CSK with root key OK")
            else:
                log.error("Signature of CSK with root key mismatch")

            if ecdsa.verify_signature(csk_pub_key_v, b0_sha_v, b0e_rs_v):
                log.info("Signature of Block 0 with CSK OK")
            else:
                log.error("Signature of Block 0 with CSK mismatch")
        else:
            if ecdsa.verify_signature(root_pub_key_v, b0_sha_v, b0e_rs_v):
                log.info("Signature of Block 0 with root key OK")
            else:
                log.error("Signature of Block 0 with root key mismatch")
        return
Esempio n. 15
0
 def test_make_root_entry(self):
     rhp = RHP_reader(self._args, self._hsm_manager, self._config)
     ba = common_util.BYTE_ARRAY()
     ba.data = array.array('B', self._pkdata)
     rhp.make_root_entry(ba)
Esempio n. 16
0
 def test_make_root_entry_dc(self):
     rhp = RHP_reader(self._args, self._hsm_manager, self._config)
     make_root_entry_dc_pub_key = common_util.BYTE_ARRAY()
     make_root_entry_dc_pub_key.data = self._pkdata
     rhp.make_root_entry_dc(make_root_entry_dc_pub_key)
Esempio n. 17
0
 def test_is_JSON(self):
     UPDATE_reader_test = UPDATE_reader(self._args, self._hsm_manager,
                                        self._config)
     contents = common_util.BYTE_ARRAY()
     contents.data = self._bitstream.payload
     UPDATE_reader_test.is_JSON(contents)