def test_parse(data_dir, dc_file_name, class_name):
"""Verifies the parse mechanisms on DC files."""
with use_working_directory(data_dir):
with open(dc_file_name, "rb") as f:
dc_file = f.read()
dc = DebugCredential.parse(dc_file)
assert dc.__class__.__name__ == class_name
def test_debugcredential_ecc_compare_with_reference(data_dir):
"""Loads the yaml file, creates the debug credential, saves to a file and compares with reference."""
with use_working_directory(data_dir):
with open("new_dck_secp256.yml", 'r') as f:
yaml_config = yaml.safe_load(f)
dc = DebugCredential.create_from_yaml_config(
version='2.0', yaml_config=yaml_config)
dc.sign()
data = dc.export()
pub_key = load_private_key(yaml_config['rotk']).public_key()
data_without_singature = data[:-132]
signature_bytes = data[-132:]
with open('new_dck_secp256r1.cert', 'rb') as f:
data_loaded = f.read()
ref_data_without_signature = data_loaded[:-132]
ref_signature_bytes = data_loaded[-132:]
assert data_without_singature == ref_data_without_signature, \
"The generated dc binary and the referenced one are not the same."
signature = utils.reconstruct_signature(signature_bytes)
ref_signature = utils.reconstruct_signature(ref_signature_bytes)
try:
pub_key.verify(signature, data_without_singature,
ec.ECDSA(hashes.SHA256()))
pub_key.verify(ref_signature, data_without_singature,
ec.ECDSA(hashes.SHA256()))
assert True
except InvalidSignature:
assert False
def test_lpc55s3x_export_parse_invalid(data_dir):
with use_working_directory(data_dir):
with open("new_dck_secp256_lpc55s3x.yml", "r") as f:
yaml_config = yaml.safe_load(f)
dc = DebugCredential.create_from_yaml_config(version="2.0", yaml_config=yaml_config)
dc.sign()
with pytest.raises(SPSDKError, match="Invalid flag"):
dc.parse(bytes(232))
def auth(pass_obj: dict, beacon: int, certificate: str, key: str,
no_exit: bool) -> None:
"""Perform the Debug Authentication."""
try:
logger.info("Starting Debug Authentication")
with _open_debugmbox(pass_obj) as mail_box:
with open(certificate, "rb") as f:
debug_cred_data = f.read()
debug_cred = DebugCredential.parse(debug_cred_data)
dac_rsp_len = 30 if debug_cred.HASH_LENGTH == 48 and debug_cred.socc == 4 else 26
dac_data = dm_commands.DebugAuthenticationStart(
dm=mail_box, resplen=dac_rsp_len).run()
# convert List[int] to bytes
dac_data_bytes = struct.pack(f"<{len(dac_data)}I", *dac_data)
dac = DebugAuthenticationChallenge.parse(dac_data_bytes)
logger.debug(f"DAC: \n{dac.info()}")
dar = DebugAuthenticateResponse.create(
version=pass_obj["protocol"],
socc=dac.socc,
dc=debug_cred,
auth_beacon=beacon,
dac=dac,
dck=key,
)
logger.debug(f"DAR:\n{dar.info()}")
dar_data = dar.export()
# convert bytes to List[int]
dar_data_words = list(
struct.unpack(f"<{len(dar_data) // 4}I", dar_data))
dar_response = dm_commands.DebugAuthenticationResponse(
dm=mail_box, paramlen=len(dar_data_words)).run(dar_data_words)
logger.debug(f"DAR response: {dar_response}")
if not no_exit:
exit_response = dm_commands.ExitDebugMailbox(dm=mail_box).run()
logger.debug(f"Exit response: {exit_response}")
# Re-open debug probe
mail_box.debug_probe.close()
mail_box.debug_probe.open()
# Do test of access to AHB bus
ahb_access_granted = test_ahb_access(mail_box.debug_probe)
res_str = ((colorama.Fore.GREEN +
"successfully") if ahb_access_granted else
(colorama.Fore.RED + "without AHB access"))
logger.info(
f"Debug Authentication ends {res_str}{colorama.Fore.RESET}."
)
if not ahb_access_granted:
click.get_current_context().exit(1)
else:
logger.info(
"Debug Authentication ends without exit and without test of AHB access."
)
except SPSDKError as e:
logger.error(f"Start Debug Mailbox failed!\n{e}")
click.get_current_context().exit(1)
def test_lpc55s3x_export_parse(data_dir, yml_file_name, version):
"""Verifies the signature for lpc55s3x for different versions."""
with use_working_directory(data_dir):
with open(yml_file_name, "r") as f:
yaml_config = yaml.safe_load(f)
dc = DebugCredential.create_from_yaml_config(version=version, yaml_config=yaml_config)
dc.sign()
data = dc.export()
dc_parsed = dc.parse(data)
assert dc == dc_parsed
def test_debugcredential_invalid(data_dir):
"""Evoke exceptions."""
with use_working_directory(data_dir):
with open("new_dck_rsa2048.yml", "r") as f:
yaml_config = yaml.safe_load(f)
dc = DebugCredential.create_from_yaml_config(version="1.0", yaml_config=yaml_config)
with pytest.raises(SPSDKError, match="Debug Credential Signature is not set"):
dc.export()
with pytest.raises(SPSDKError, match="Debug Credential Signature provider is not set"):
dc.signature_provider = None
dc.sign()
def gendc(
protocol: str,
plugin: click.Path,
dc_file_path: str,
config: click.File,
elf2sb_config: click.File,
force: bool,
) -> None:
"""Generate debug certificate (DC).
\b
PATH - path to dc file
"""
if plugin:
# if a plugin is present simply load it
# The SignatureProvider will automatically pick up any implementation(s)
from importlib.util import ( # pylint: disable=import-outside-toplevel
module_from_spec, spec_from_file_location,
)
spec = spec_from_file_location(name="plugin",
location=plugin) # type: ignore
assert spec
mod = module_from_spec(spec)
spec.loader.exec_module(mod) # type: ignore
is_rsa = determine_protocol_version(protocol)
check_destination_dir(dc_file_path, force)
check_file_exists(dc_file_path, force)
logger.info("Loading configuration from yml file...")
yaml_content = load_configuration(config.name)
if elf2sb_config:
logger.info("Loading configuration from elf2sb config file...")
rot_info = RootOfTrustInfo(load_configuration(
elf2sb_config.name)) # type: ignore
yaml_content["rot_meta"] = rot_info.public_keys
yaml_content["rotk"] = rot_info.private_key
yaml_content["rot_id"] = rot_info.public_key_index
# enforcing rot_id presence in yaml config...
assert "rot_id" in yaml_content, "Config file doesn't contain the 'rot_id' field"
logger.info(
f"Creating {'RSA' if is_rsa else 'ECC'} debug credential object...")
dc = DebugCredential.create_from_yaml_config(version=protocol,
yaml_config=yaml_content)
dc.sign()
data = dc.export()
logger.info("Saving the debug credential to a file...")
with open(dc_file_path, "wb") as f:
f.write(data)
print_output(True, "Creating Debug credential file")
def test_debugcredential_rot_meta_as_cert(data_dir):
"""Verifies the info message for debug authentication."""
with use_working_directory(data_dir):
with open("dck_rsa2048_rot_meta_cert.yml", "r") as f:
yaml_config = yaml.safe_load(f)
dc = DebugCredential.create_from_yaml_config(version="1.0", yaml_config=yaml_config)
dc.sign()
assert dc.VERSION == "1.0"
assert dc.cc_beacon == 0
assert dc.cc_socu == 1023
assert dc.cc_vu == 22136
assert dc.socc == 1
assert dc.uuid == b"\xe0\x04\t\x0ek\xdd!U\xbb\xce\x9e\x06e\x80[\xe3"
def test_debugcredential_rsa_compare_with_reference(data_dir):
"""Loads the yaml file, creates the debug credential, saves to a file and compares with reference."""
with use_working_directory(data_dir):
with open("new_dck_rsa2048.yml", 'r') as f:
yaml_config = yaml.safe_load(f)
dc = DebugCredential.create_from_yaml_config(
version='1.0', yaml_config=yaml_config)
dc.sign()
data = dc.export()
with open('sample.cert', 'wb') as f:
f.write(data)
with open('new_dck_rsa2048.cert', 'rb') as f:
data_loaded = f.read()
assert data == data_loaded, "The generated dc binary and the referenced one are not the same."
def test_debugcredential_info_lpc55s3x(data_dir, yml_file_name, version, required_values):
"""Verifies the info message for debug authentication."""
with use_working_directory(data_dir):
with open(yml_file_name, "r") as f:
yaml_config = yaml.safe_load(f)
dc = DebugCredential.create_from_yaml_config(version=version, yaml_config=yaml_config)
dc.sign()
output = dc.info()
req_strings = ["Version", "SOCC", "UUID", "UUID", "CC_SOCC", "CC_VU", "BEACON"]
req_values = required_values
for req_string in req_strings:
assert req_string in output, f"string {req_string} is not in the output: {output}"
for req_value in req_values:
assert req_value in output, f"string {req_value} is not in the output: {output}"
def test_verify_ecc_signature(data_dir):
"""Verifies the signature for ECC protocol."""
with use_working_directory(data_dir):
with open("new_dck_secp256.yml", "r") as f:
yaml_config = yaml.safe_load(f)
dc = DebugCredential.create_from_yaml_config(version="2.0", yaml_config=yaml_config)
dc.sign()
data = dc.export()
priv_key = load_private_key(yaml_config["rotk"])
data_without_signature = data[:-132]
signature_bytes = data[-132:]
signature = utils.reconstruct_signature(signature_bytes)
pub_key = priv_key.public_key()
try:
pub_key.verify(signature, data_without_signature, ec.ECDSA(hashes.SHA256()))
assert True
except InvalidSignature:
assert False
def test_dar_packet_no_signature_provider(data_dir):
with use_working_directory(data_dir):
version = "1.0"
dac_bin_file = "sample_dac.bin"
yml_file_name = "new_dck_rsa2048.yml"
dac_bytes = load_binary(os.path.join(data_dir, dac_bin_file))
with open(os.path.join(data_dir, yml_file_name), "r") as f:
yaml_config = yaml.safe_load(f)
dc = DC.create_from_yaml_config(version=version,
yaml_config=yaml_config)
dc.sign()
dar = DebugAuthenticateResponse(
debug_credential=dc,
auth_beacon=0,
dac=DAC.parse(dac_bytes),
path_dck_private=os.path.join(data_dir, "new_dck_2048.pem"),
)
dar.sig_provider = None
with pytest.raises(SPSDKError, match="Signature provider is not set"):
dar.export()
def test_verify_ecc_signature_N4A_384(data_dir):
"""Verifies the signature for ECC protocol for Niobe4Analog 384."""
with use_working_directory(data_dir):
with open("new_dck_secp384_N4A.yml", 'r') as f:
yaml_config = yaml.safe_load(f)
dc = DebugCredential.create_from_yaml_config(version='2.1',
yaml_config=yaml_config)
dc.sign()
data = dc.export()
priv_key = load_private_key(yaml_config['rotk'])
data_without_signature = data[:-96]
signature_bytes = data[-96:]
signature = utils.reconstruct_signature(signature_bytes=signature_bytes,
size=48)
pub_key = priv_key.public_key()
try:
pub_key.verify(signature, data_without_signature,
ec.ECDSA(hashes.SHA384()))
assert True
except InvalidSignature:
assert False
def test_dar_packet_4_analog_256(tmpdir, data_dir, yml_file_name, version,
file_key, expected_length):
with use_working_directory(data_dir):
dac_bytes = load_binary(os.path.join(data_dir,
'sample_dac_analog.bin'))
with open(os.path.join(data_dir, yml_file_name), 'r') as f:
yaml_config = yaml.safe_load(f)
dc = DC.create_from_yaml_config(version=version,
yaml_config=yaml_config)
dc.sign()
dar = DebugAuthenticateResponse.create(version=version,
socc=dc.socc,
dc=dc,
auth_beacon=0,
dac=DAC.parse(dac_bytes),
dck=os.path.join(
data_dir, file_key))
dar_bytes = dar.export()
assert len(dar_bytes) == expected_length
assert isinstance(dar_bytes, bytes)
assert 'Authentication Beacon' in dar.info()
def test_dar_packet_rsa(tmpdir, data_dir, yml_file_name, version, dck_key_file,
expected_length, dac_bin_file):
with use_working_directory(data_dir):
dac_bytes = load_binary(os.path.join(data_dir, dac_bin_file))
with open(os.path.join(data_dir, yml_file_name), 'r') as f:
yaml_config = yaml.safe_load(f)
dc = DC.create_from_yaml_config(version=version,
yaml_config=yaml_config)
dc.sign()
assert dc.VERSION == DAC.parse(
dac_bytes).version, "Version of DC and DAC are different."
dar = DebugAuthenticateResponse.create(version=version,
socc=dc.socc,
dc=dc,
auth_beacon=0,
dac=DAC.parse(dac_bytes),
dck=os.path.join(
data_dir, dck_key_file))
dar_bytes = dar.export()
assert len(dar_bytes) == expected_length
assert isinstance(dar_bytes, bytes)
assert 'Authentication Beacon' in dar.info()
