def test_finalize(self): _READER_BASE_test = _READER_BASE(self._args, self._hsm_manager, self._config) bs = mocksign.bitstream.create(database.CONTENT_SR) block0 = common_util.BYTE_ARRAY() block0.data = array.array('B', bs.block0) block1 = common_util.BYTE_ARRAY() block1.data = array.array('B', bs.block0) payload = common_util.BYTE_ARRAY() payload.data = array.array('B', bs.payload) with tempfile.NamedTemporaryFile(mode='w+b') as tmp: _READER_BASE_test.finalize(tmp, block0, block1, payload)
def test_make_csk_entry_dc(self): self._args.input_file = self._dummy_key_file.name up = UPDATE_reader(self._args, self._hsm_manager, self._config) root_key = 'root_key' csk_pub_key = common_util.BYTE_ARRAY() up.make_csk_entry_dc(root_key, csk_pub_key) up.run()
def __init__(self, xy, key_info): self.xy = common_util.BYTE_ARRAY() self.xy.append_data(xy) log.debug("Got key info") log.debug("".join("{:02x} ".format(x) for x in self.xy.data)) log.debug(self.xy) self.key_info = key_info
def __init__(self, args): self.args = args self.database = database.FAMILY_LIST["PAC_CARD"] log.debug(args.main_command) self.bitstream_type = self.database.SUPPORTED_TYPES[ args.main_command].ENUM self.verify = True if args.root_bitstream else False if self.verify: offset = 0 self.reh = common_util.BYTE_ARRAY("FILE", args.root_bitstream) con_type = self.reh.get_dword(offset + 8) if (self.reh.get_dword(offset) != database.DESCRIPTOR_BLOCK_MAGIC_NUM or self.reh.get_dword(offset + 4) != 128 or (con_type >> 8) & 0xFF != database.BITSTREAM_TYPE_RK_256 or self.reh.get_dword(offset + 128) != database.SIGNATURE_BLOCK_MAGIC_NUM): common_util.assert_in_error( False, "File '{}' is not a root entry hash programming bitstream". format(args.root_bitstream), ) if con_type & 0xFF != self.bitstream_type: log.warn("File '{}' different type than bitstream." " Validation impossible".format(args.root_bitstream)) self.verify = False if self.verify: self.val_root_hash = int.from_bytes(self.reh.data[1024:1056], byteorder="big") self.val_root_hash_dc = int.from_bytes(self.reh.data[1072:1104], byteorder="big")
def test_is_Rush_BMC(self): UPDATE_reader_test = UPDATE_reader(self._args, self._hsm_manager, self._config) payload = common_util.BYTE_ARRAY() payload.data = self._bitstream.payload assert not UPDATE_reader_test.is_Rush_BMC(payload, 0)
def test_make_block0_dc(self): _READER_BASE_test = _READER_BASE(self._args, self._hsm_manager, self._config) payload = common_util.BYTE_ARRAY() bs = self._bitstream payload.data = array.array('B', bs.payload) b0 = _READER_BASE_test.make_block0_dc(payload, len(bs.payload)) assert bytearray(b0.data[0:4]) == bs.block0[0:4]
def test_is_Darby_PR(self): _READER_BASE_test = _READER_BASE(self._args, self._hsm_manager, self._config) with tempfile.NamedTemporaryFile(mode='w+b') as fp: fp.write(self._bitstream.payload) fp.seek(0) ba = common_util.BYTE_ARRAY("FILE", fp.name) assert _READER_BASE_test.is_Darby_PR(ba, 0)
def test_already_signed(self): UPDATE_reader_test = UPDATE_reader(self._args, self._hsm_manager, self._config) already_signed_contents = common_util.BYTE_ARRAY() already_signed_contents.data = self._bitstream.payload already_signed_offset = 0 UPDATE_reader_test.already_signed(already_signed_contents, already_signed_offset)
def __init__(self, file, openssl, key_info): self.key_info = key_info assert openssl is not None self.file = file self.openssl = openssl self.xy = common_util.BYTE_ARRAY() self.key = None self.curve_info = None
def sign(self, sha, key): private_key = self.get_private_key(key) data = common_util.BYTE_ARRAY() private_key.sign(sha, data) log.debug("Signature len={}".format(data.size())) log.debug("".join("{:02x} ".format(x) for x in data.data)) return data
def test_is_Darby_PR(self): bs = mocksign.d5005_pr.create() data = bs.getbuffer() with tempfile.NamedTemporaryFile(mode='w+b') as bsfile: bsfile.write(data) bsfile.seek(0) ba = common_util.BYTE_ARRAY("FILE", bsfile.name) assert _VERIFIER_BASE.is_Darby_PR(mock.MagicMock(), ba, bs.payload_offset)
def test_make_csk_entry(self): up = UPDATE_reader(self._args, self._hsm_manager, self._config) make_csk_entry_root_key = 'root_key' make_csk_entry_CSK_pub_key = common_util.BYTE_ARRAY() up.make_csk_entry(make_csk_entry_root_key, make_csk_entry_CSK_pub_key) self._args.csk_id = 0 can = CANCEL_reader(self._args, self._hsm_manager, self._config) can.run()
def sign(self, sha, key): try: key_, _ = self.get_key(key, ObjectClass.PRIVATE_KEY) except pkcs11.NoSuchKey: log.error("No such key") except pkcs11.MultipleObjectsReturned: log.error("multiple") rs = common_util.BYTE_ARRAY() rs.append_data(key_.sign(sha, mechanism=Mechanism.ECDSA)) log.debug("RS length is {}".format(rs.size())) log.debug("".join("{:02x} ".format(x) for x in rs.data)) return rs
def run(self, fname, file_offset, block0, block1, payload): log.info("Starting verification") payload_content = common_util.BYTE_ARRAY("FILE", fname) # Skip JSON and old signature if they exist has_json = self.is_JSON(payload_content) log.debug("has_json = {}".format(has_json)) sig_offset = 0 if not has_json else self.skip_JSON(payload_content) # Determine if platform is RC or DC self.dc_pr = self.is_Darby_PR(payload_content, sig_offset) fd = open(fname, "rb") fd.seek(file_offset, 0) b0 = fd.read(block0.size()) b1 = fd.read(block1.size()) if self.dc_pr: pay = fd.read(len(payload)) pay_good = pay == bytes(payload) else: pay = fd.read(payload.size()) pay_good = pay == bytes(payload.data) fd.close() common_util.assert_in_error( b0 == bytes(block0.data) and b1 == bytes(block1.data) and pay_good, "File not written properly", ) log.info("Bitstream file written properly (bits match expected)") pay_sha256_v = int.from_bytes(sha256(pay).digest(), byteorder="big") pay_sha384_v = int.from_bytes(sha384(pay).digest(), byteorder="big") if not self.dc_pr: if pay_sha256_v != int.from_bytes(b0[16:16 + 32], byteorder="big"): log.error("SHA-256 in Block 0 does not match") if pay_sha384_v != int.from_bytes(b0[48:48 + 48], byteorder="big"): log.error("SHA-384 in Block 0 does not match") # Check root hash if self.dc_pr: hash = int.from_bytes(sha256(b1[152:152 + 64]).digest(), byteorder="big") good = hash == self.val_root_hash_dc else: hash = int.from_bytes(sha256(b1[20:148]).digest(), byteorder="big") good = hash == self.val_root_hash if good: log.info("Root hash matches") else: log.error("Root hash mismatch:") log.error("Signed bitstream: {}".format( hex(hash))) log.error("Root entry hash bitstream provided: {}".format( hex(self.val_root_hash_dc if self.dc_pr else self.val_root_hash ))) if self.dc_pr: root_pub_key_x = int.from_bytes(b1[152:152 + 32], byteorder="big") root_pub_key_y = int.from_bytes(b1[152 + 32:152 + 64], byteorder="big") root_pub_key_v = (root_pub_key_x, root_pub_key_y) csk_pub_key_x = int.from_bytes(b1[264:264 + 32], byteorder="big") csk_pub_key_y = int.from_bytes(b1[264 + 32:264 + 64], byteorder="big") csk_pub_key_v = (csk_pub_key_x, csk_pub_key_y) csk_rs_r = int.from_bytes(b1[344:344 + 32], byteorder="big") csk_rs_s = int.from_bytes(b1[344 + 32:344 + 64], byteorder="big") csk_rs_v = (csk_rs_r, csk_rs_s) b0e_rs_r = int.from_bytes(b1[448:448 + 32], byteorder="big") b0e_rs_s = int.from_bytes(b1[448 + 32:448 + 64], byteorder="big") b0e_rs_v = (b0e_rs_r, b0e_rs_s) root_sha_v = hash csk_sha_v = int.from_bytes(sha256(b1[240:240 + 88]).digest(), byteorder="big") b0_sha_v = int.from_bytes(sha256(b0).digest(), byteorder="big") else: if self.cert_type == database.BITSTREAM_TYPE_CANCEL: b0e_off = 156 csk_pub_key_v = (0, 0) csk_rs_v = (0, 0) csk_sha_v = 0 else: b0e_off = 388 csk_pub_key_x = int.from_bytes(b1[164:164 + 32], byteorder="big") csk_pub_key_y = int.from_bytes(b1[212:212 + 32], byteorder="big") csk_pub_key_v = (csk_pub_key_x, csk_pub_key_y) csk_rs_r = int.from_bytes(b1[284:284 + 32], byteorder="big") csk_rs_s = int.from_bytes(b1[332:332 + 32], byteorder="big") csk_rs_v = (csk_rs_r, csk_rs_s) csk_sha_v = int.from_bytes(sha256(b1[152:152 + 128]).digest(), byteorder="big") root_pub_key_x = int.from_bytes(b1[32:32 + 32], byteorder="big") root_pub_key_y = int.from_bytes(b1[80:80 + 32], byteorder="big") root_pub_key_v = (root_pub_key_x, root_pub_key_y) b0e_rs_r = int.from_bytes(b1[b0e_off:b0e_off + 32], byteorder="big") b0e_rs_s = int.from_bytes(b1[b0e_off + 48:b0e_off + 48 + 32], byteorder="big") b0e_rs_v = (b0e_rs_r, b0e_rs_s) root_sha_v = hash b0_sha_v = int.from_bytes(sha256(b0).digest(), byteorder="big") # validate signatures if self.cert_type != database.BITSTREAM_TYPE_CANCEL: if ecdsa.verify_signature(root_pub_key_v, csk_sha_v, csk_rs_v): log.info("Signature of CSK with root key OK") else: log.error("Signature of CSK with root key mismatch") if ecdsa.verify_signature(csk_pub_key_v, b0_sha_v, b0e_rs_v): log.info("Signature of Block 0 with CSK OK") else: log.error("Signature of Block 0 with CSK mismatch") else: if ecdsa.verify_signature(root_pub_key_v, b0_sha_v, b0e_rs_v): log.info("Signature of Block 0 with root key OK") else: log.error("Signature of Block 0 with root key mismatch") return
def test_make_root_entry(self): rhp = RHP_reader(self._args, self._hsm_manager, self._config) ba = common_util.BYTE_ARRAY() ba.data = array.array('B', self._pkdata) rhp.make_root_entry(ba)
def test_make_root_entry_dc(self): rhp = RHP_reader(self._args, self._hsm_manager, self._config) make_root_entry_dc_pub_key = common_util.BYTE_ARRAY() make_root_entry_dc_pub_key.data = self._pkdata rhp.make_root_entry_dc(make_root_entry_dc_pub_key)
def test_is_JSON(self): UPDATE_reader_test = UPDATE_reader(self._args, self._hsm_manager, self._config) contents = common_util.BYTE_ARRAY() contents.data = self._bitstream.payload UPDATE_reader_test.is_JSON(contents)