def sign(self,
data_to_sign,
imageinfo,
debug_dir=None,
is_hash=False,
**kwargs):
"""
This function returns a SignerOutput object which has all the security assets generated
by the signer.
"""
# Set the input information
self.set_input(data_to_sign,
imageinfo,
debug_dir=debug_dir,
is_hash=is_hash,
**kwargs)
# Set the certificates and keys for output
signer_output = self.sign_hash(self.hash_to_sign,
imageinfo,
data_to_sign,
debug_dir=debug_dir,
hash_algo=self.hash_algo)
# Get the hmac params from attestation cert or hash segment
extracted_image_attributes = self._attribute_extractor(
cert_data=signer_output.attestation_cert,
attributes=self.signing_attributes_class(),
**kwargs).attributes
hmac_from_image = HMAC()
hmac_from_image.init_from_image_attributes(extracted_image_attributes,
self.signing_attributes)
# Get the hmac params from config
hmac_from_config = HMAC()
hmac_from_config.init_from_config(self.signing_attributes)
# Recreate the hash to sign if necessary
if hmac_from_config.hmac_type == hmac_from_config.HMAC_TYPE_QTI and not hmac_from_image.is_equal(
hmac_from_config):
if self.data_to_sign is not None:
self.hash_to_sign = hmac_from_image.hmac(self.data_to_sign)
else:
raise RuntimeError(
'HMAC params from image cannot be used with pre-generated hash.'
)
# Set the signature
signer_output.signature = self.get_signature()
signer_output.unsigned_hash = self.hash_to_sign
self._print_attestation_cert_props(signer_output.attestation_cert,
**kwargs)
return signer_output
def sign(self, data_to_sign, imageinfo, debug_dir=None, is_hash=False):
'''
This function returns a SignerOutput object which has all the security assets generated
by the signer.
'''
# Set the input information
self.set_input(data_to_sign, imageinfo, debug_dir, is_hash)
# Set the certificates and keys for output
signer_output = SignerOutput()
signer_output.root_cert, signer_output.root_key = self.get_root_cert_key()
if self.CA in self.certs:
signer_output.attestation_ca_cert, signer_output.attestation_ca_key = self.get_ca_cert_key()
signer_output.attestation_cert, signer_output.attestation_key = self.get_attest_cert_key()
# Set the root certs for MRC
signer_output.root_cert_list = self.get_root_cert_list()
# Get the hmac params from attestation cert
hmac_from_cert = HMAC()
hmac_from_cert.init_from_cert(signer_output.attestation_cert)
# Get the hmac params from config
hmac_from_config = HMAC()
hmac_from_config.init_from_config(self.signing_attributes)
# Recreate the hash to sign if necessary
if (hmac_from_config.hmac_type == hmac_from_config.HMAC_TYPE_QC and
not hmac_from_cert.is_equal(hmac_from_config)):
if self.data_to_sign is not None:
self.hash_to_sign = hmac_from_cert.hmac(self.data_to_sign)
else:
raise RuntimeError('HMAC params from attestation certificate cannot be used with pre-generated hash.')
# Set the signature
signer_output.signature = self.get_signature()
signer_output.unsigned_hash = self.hash_to_sign
# Update the certs
signer_output.update_certs_format()
# Set the cert chain
signer_output.generate_cert_chain()
# Print certificate properties (to make tests pass and give good debug information)
logger.info('\nAttestation Certificate Properties:\n' +
str(Certificate(signer_output.attestation_cert)))
return signer_output
def set_input_impl(self,
data_to_sign,
imageinfo,
debug_dir=None,
is_hash=False,
**kwargs):
"""Set the input.
:type data_to_sign: str
:type imageinfo: ImageInfo
"""
# Validate the image info
self.validate_config(imageinfo)
# Set public variables for this session
self.debug_dir = debug_dir
sa = self.signing_attributes = imageinfo.general_properties
# Set the certificates dictionary
self.certs = dict()
self.certs[self.ROOT] = CertKeyPair()
self.certs[self.ATTEST] = CertKeyPair()
if sa.num_certs_in_certchain == 3:
self.certs[self.CA] = CertKeyPair()
# Set the data to sign and the hash to sign
if is_hash:
self.hash_to_sign = data_to_sign
self.data_to_sign = None
else:
hasher = HMAC()
hasher.init_from_config(sa)
self.hash_to_sign = hasher.hmac(data_to_sign)
self.data_to_sign = data_to_sign
self.data_to_sign_len = len(data_to_sign)
self.padding = (self.PAD_PSS if
(sa.rsa_padding and sa.rsa_padding.lower() == 'pss')
else self.PAD_PKCS)
self.hash_algo = sa.hash_algorithm
# Initialize the secure assets
self.initialize(imageinfo, **kwargs)
return sa
def set_input(self, data_to_sign, imageinfo, debug_dir=None, is_hash=False):
"""Set the input.
:type data_to_sign: str
:type imageinfo: ImageInfo
"""
# Validate the image info
self.validate_config(imageinfo)
# Set public variables for this session
self.debug_dir = debug_dir
sa = self.signing_attributes = imageinfo.general_properties
# Set the certificates dictionary
self.certs = {}
self.certs[self.ROOT] = CertKeyPair()
self.certs[self.ATTEST] = CertKeyPair()
if sa.num_certs_in_certchain == 3:
self.certs[self.CA] = CertKeyPair()
# Set the data to sign and the hash to sign
if is_hash:
self.hash_to_sign = data_to_sign
self.data_to_sign = None
else:
hasher = HMAC()
hasher.init_from_config(sa)
self.hash_to_sign = hasher.hmac(data_to_sign)
self.data_to_sign = data_to_sign
self.data_to_sign_len = len(data_to_sign)
logger.info('Using ' + hasher.hmac_type + ' (' + hasher.hash_algo + ') for hash segment')
self.padding = (self.PAD_PSS if (sa.rsa_padding and sa.rsa_padding.lower() == 'pss') else self.PAD_PKCS)
self.hash_algo = sa.hash_algorithm if sa.hash_algorithm is not None else 'sha256'
if self.using_ecdsa:
logger.info("Using ECDSA with {0} curve".format(sa.ecdsa_curve))
else:
logger.info('Using ' + self.padding.upper() + ' RSA padding')
# Initialize the secure assets
self.initialize(imageinfo)
def sign(self, data_to_sign, imageinfo, debug_dir=None, is_hash=False, hash_segment_metadata=None):
"""
This function returns a SignerOutput object which has all the security assets generated
by the signer.
"""
# Set the input information
self.set_input(data_to_sign, imageinfo, debug_dir, is_hash)
signer_output = self.sign_hash(self.hash_to_sign, imageinfo, data_to_sign, debug_dir=debug_dir, hash_algo=self.hash_algo)
# Get the hmac params from attestation cert or hash segment
extracted_image_attributes = AttributeExtractor(cert_data=signer_output.attestation_cert, hash_segment_metadata=hash_segment_metadata).attributes
hmac_from_image = HMAC()
hmac_from_image.init_from_image_attributes(extracted_image_attributes)
# Get the hmac params from config
hmac_from_config = HMAC()
hmac_from_config.init_from_config(self.signing_attributes)
# Recreate the hash to sign if necessary
if hmac_from_config.hmac_type == hmac_from_config.HMAC_TYPE_QTI and not hmac_from_image.is_equal(hmac_from_config):
if self.data_to_sign is not None:
self.hash_to_sign = hmac_from_image.hmac(self.data_to_sign)
else:
raise RuntimeError('HMAC params from image cannot be used with pre-generated hash.')
# Set the signature
signer_output.signature = self.get_signature()
signer_output.unsigned_hash = self.hash_to_sign
# Print certificate properties (to make tests pass and give good debug information)
if hash_segment_metadata is None:
logger.info('\nAttestation Certificate Properties:\n' +
str(Certificate(signer_output.attestation_cert)))
return signer_output