def validate_oid_from_certs(self, ca_cert_der, attest_cert_der):
attest_cert_obj = Certificate(attest_cert_der)
ca_cert_obj = Certificate(ca_cert_der)
is_valid = self._validate_attributes_with_oid_rule(attest_cert_obj) and self._validate_oid_raw(attest_cert_obj.tcg_min,
attest_cert_obj.tcg_max,
ca_cert_obj.tcg_min,
ca_cert_obj.tcg_max)
return is_valid
def _create_attributes_to_add(self):
additions = {}
# DEBUG
if self.signing_attributes.debug is not None:
OidSigningRequest._validate_oid_config_attribute(
"debug", self.signing_attributes.debug,
OidSigningRequest.OID_DEBUG)
additions.update(
{Certificate.SIGNATTR_DEBUG: OidSigningRequest.OID_DEBUG})
else:
raise RuntimeError(
"CASS OID Signing Request requires a debug value.")
# TCG_MIN
attr_min, attr_max = Certificate.GetOIDAttrName(
self.signing_attributes.object_id.name)
if self.signing_attributes.object_id.min:
additions.update({attr_min: self.signing_attributes.object_id.min})
# TCG_MAX
if self.signing_attributes.object_id.max:
additions.update({attr_max: self.signing_attributes.object_id.max})
return additions
def sign(self, binary_to_sign, imageinfo, debug_dir=None, is_hash=False, parsegen=None):
'''
This function returns a SignerOutput object which has all the security assets generated
by the signer.
'''
self.validate_config(imageinfo)
sha_algo = signerutils.get_sha_algo_from_config(imageinfo.signing_attributes)
if is_hash:
hash_to_sign = binary_to_sign
binary_to_sign = None
else:
is_hmac = ishmac(imageinfo)
logger.debug('Using ' + ('QTI HMAC' if is_hmac else 'SHA') + ' for hash segment')
hmacParams = signerutils.get_hmac_params_from_config(imageinfo.signing_attributes)
hash_to_sign = Hasher().get_hash(binary_to_sign,
hmac_params=hmacParams if is_hmac else None,
sha_algo=sha_algo)
signer_output = self.sign_hash(hash_to_sign, imageinfo, binary_to_sign, debug_dir, sha_algo)
# print certificate properties
attestation_cert_obj = Certificate(signer_output.attestation_cert)
logger.info('\nAttestation Certificate Properties:\n' + str(attestation_cert_obj))
return signer_output
def _generate_oid_config(self, oid_name, min_str, max_str):
min_attr = Attribute.init(num_bits=32, string=min_str)
max_attr = Attribute.init(num_bits=32, string=max_str)
oid_str = "%.8X%.8X" % (min_attr.value, max_attr.value)
oid_cfg = "\n%s=DER:%s:%s:%s:%s:%s:%s:%s:%s" % \
(Certificate.GetOIDByName(oid_name), oid_str[0:2], oid_str[2:4], oid_str[4:6], oid_str[6:8], \
oid_str[8:10], oid_str[10:12], oid_str[12:14], oid_str[14:16])
return oid_cfg
def sign(self, data_to_sign, imageinfo, debug_dir=None, is_hash=False):
'''
This function returns a SignerOutput object which has all the security assets generated
by the signer.
'''
# Set the input information
self.set_input(data_to_sign, imageinfo, debug_dir, is_hash)
# Set the certificates and keys for output
signer_output = SignerOutput()
signer_output.root_cert, signer_output.root_key = self.get_root_cert_key()
if self.CA in self.certs:
signer_output.attestation_ca_cert, signer_output.attestation_ca_key = self.get_ca_cert_key()
signer_output.attestation_cert, signer_output.attestation_key = self.get_attest_cert_key()
# Set the root certs for MRC
signer_output.root_cert_list = self.get_root_cert_list()
# Get the hmac params from attestation cert
hmac_from_cert = HMAC()
hmac_from_cert.init_from_cert(signer_output.attestation_cert)
# Get the hmac params from config
hmac_from_config = HMAC()
hmac_from_config.init_from_config(self.signing_attributes)
# Recreate the hash to sign if necessary
if (hmac_from_config.hmac_type == hmac_from_config.HMAC_TYPE_QC and
not hmac_from_cert.is_equal(hmac_from_config)):
if self.data_to_sign is not None:
self.hash_to_sign = hmac_from_cert.hmac(self.data_to_sign)
else:
raise RuntimeError('HMAC params from attestation certificate cannot be used with pre-generated hash.')
# Set the signature
signer_output.signature = self.get_signature()
signer_output.unsigned_hash = self.hash_to_sign
# Update the certs
signer_output.update_certs_format()
# Set the cert chain
signer_output.generate_cert_chain()
# Print certificate properties (to make tests pass and give good debug information)
logger.info('\nAttestation Certificate Properties:\n' +
str(Certificate(signer_output.attestation_cert)))
return signer_output
def validate_oid_from_config(self, ca_cert_path, signing_attributes):
ca_cert_obj = Certificate(path=ca_cert_path)
min_str = signing_attributes.object_id.min
max_str = signing_attributes.object_id.max
min_attest = Attribute.init(num_bits=32, string=min_str)
max_attest = Attribute.init(num_bits=32, string=max_str)
min_ca = None
max_ca = None
if signing_attributes.object_id.name == "tcg":
min_ca = ca_cert_obj.tcg_min
max_ca = ca_cert_obj.tcg_max
return self._validate_oid_raw(min_attest, max_attest, min_ca, max_ca)
def _create_attributes_to_add(self):
additions = {}
# DEBUG
OidSigningRequest._validate_oid_config_attribute(
"debug", self.signing_attributes.debug,
OidSigningRequest.OID_DEBUG)
additions.update({SignAttr.DEBUG: OidSigningRequest.OID_DEBUG})
# TCG_MIN
attr_min, attr_max = Certificate.GetOIDAttrName(
self.signing_attributes.object_id.name)
if self.signing_attributes.object_id.min:
additions.update({attr_min: self.signing_attributes.object_id.min})
# TCG_MAX
if self.signing_attributes.object_id.max:
additions.update({attr_max: self.signing_attributes.object_id.max})
return additions
def sign(self, data_to_sign, imageinfo, debug_dir=None, is_hash=False, hash_segment_metadata=None):
"""
This function returns a SignerOutput object which has all the security assets generated
by the signer.
"""
# Set the input information
self.set_input(data_to_sign, imageinfo, debug_dir, is_hash)
signer_output = self.sign_hash(self.hash_to_sign, imageinfo, data_to_sign, debug_dir=debug_dir, hash_algo=self.hash_algo)
# Get the hmac params from attestation cert or hash segment
extracted_image_attributes = AttributeExtractor(cert_data=signer_output.attestation_cert, hash_segment_metadata=hash_segment_metadata).attributes
hmac_from_image = HMAC()
hmac_from_image.init_from_image_attributes(extracted_image_attributes)
# Get the hmac params from config
hmac_from_config = HMAC()
hmac_from_config.init_from_config(self.signing_attributes)
# Recreate the hash to sign if necessary
if hmac_from_config.hmac_type == hmac_from_config.HMAC_TYPE_QTI and not hmac_from_image.is_equal(hmac_from_config):
if self.data_to_sign is not None:
self.hash_to_sign = hmac_from_image.hmac(self.data_to_sign)
else:
raise RuntimeError('HMAC params from image cannot be used with pre-generated hash.')
# Set the signature
signer_output.signature = self.get_signature()
signer_output.unsigned_hash = self.hash_to_sign
# Print certificate properties (to make tests pass and give good debug information)
if hash_segment_metadata is None:
logger.info('\nAttestation Certificate Properties:\n' +
str(Certificate(signer_output.attestation_cert)))
return signer_output
def _generate_signing_package(self, hash_to_sign, signing_attributes,
cass_signer_attributes, image_path,
signingpackage_fname, binary_to_sign):
signingpackage = SigningPackage(secimage.__version__)
signingrequest = signingpackage.createSigningRequest(
"image_to_sign=%s" % image_path)
hexbindigest = binascii.b2a_hex(hash_to_sign)
logger.debug("Digest to sign (hexbinary)= [%s]" % hexbindigest)
signingrequest.setDigest(hexbindigest)
signingrequest.setCapability(signing_attributes.cass_capability)
sw_size = len(hash_to_sign) if binary_to_sign is None else len(
binary_to_sign)
signingrequest.setSigningAttribute(Certificate.SIGNATTR_SW_SIZE,
"0x%.8X" % sw_size)
hmac_params = signerutils.get_hmac_params_from_config(
signing_attributes)
signingrequest.setSigningAttribute(Certificate.SIGNATTR_HW_ID,
"0x%s" % hmac_params.msm_id_str)
signingrequest.setSigningAttribute(Certificate.SIGNATTR_SW_ID,
signing_attributes.sw_id)
signingrequest.setSigningAttribute(Certificate.SIGNATTR_MODEL_ID,
signing_attributes.model_id)
signingrequest.setSigningAttribute(Certificate.SIGNATTR_OEM_ID,
signing_attributes.oem_id)
if signing_attributes.debug:
signingrequest.setSigningAttribute(Certificate.SIGNATTR_DEBUG,
signing_attributes.debug)
if signing_attributes.app_id:
signingrequest.setSigningAttribute(Certificate.SIGNATTR_APP_ID,
signing_attributes.app_id)
if signing_attributes.crash_dump:
signingrequest.setSigningAttribute(Certificate.SIGNATTR_CRASH_DUMP,
signing_attributes.crash_dump)
if self._is_oid_supported(signing_attributes) is True:
attr_min, attr_max = Certificate.GetOIDAttrName(
signing_attributes.object_id.name)
# Min/max can be supplied by CASS server and is optional
if signing_attributes.object_id.min:
signingrequest.setSigningAttribute(
attr_min, signing_attributes.object_id.min)
if signing_attributes.object_id.max:
signingrequest.setSigningAttribute(
attr_max, signing_attributes.object_id.max)
else:
# opendsp does not CASS_SIGNATTR_USE_EXP3 currently
if signing_attributes.exponent == 3:
signingrequest.setSigningAttribute(self.CASS_SIGNATTR_USE_EXP3,
'TRUE')
elif signing_attributes.exponent == 65537:
signingrequest.setSigningAttribute(self.CASS_SIGNATTR_USE_EXP3,
'FALSE')
else:
raise RuntimeError, "Exponent value of {0} is invalid!".format(
signing_attributes.exponent)
# Set signature algorithm
if signing_attributes.hash_algorithm and signing_attributes.hash_algorithm.lower(
) == 'sha1':
signingrequest.setSigningAttribute(Certificate.SIGNATTR_SHA256,
'FALSE')
elif signing_attributes.hash_algorithm is None or signing_attributes.hash_algorithm.lower(
) == 'sha256':
signingrequest.setSigningAttribute(Certificate.SIGNATTR_SHA256,
'TRUE')
else:
raise RuntimeError, "hash algorithm value of {0} is invalid!".format(
signing_attributes.hash_algorithm)
pathname, fname = os.path.split(signingpackage_fname)
c_path.create_dir(pathname)
signingpackage.toxml()
signingpackage.saveToFile(signingpackage_fname)
logger.info("Signing package created.")
logger.info("Signing package digest from Signing Package = [%s]" %
signingpackage.getDigest())
return signingpackage
def _print_attestation_cert_props(self, attestation_cert, parsegen=None):
# Print certificate properties (to make tests pass and give good debug information)
if (hasattr(parsegen, "get_hash_segment_metadata")
and parsegen.get_hash_segment_metadata() is None):
logger.info('\nAttestation Certificate Properties:\n' +
str(Certificate(attestation_cert)))