def test_finalize(self):
_READER_BASE_test = _READER_BASE(self._args, self._hsm_manager,
self._config)
bs = mocksign.bitstream.create(database.CONTENT_SR)
block0 = common_util.BYTE_ARRAY()
block0.data = array.array('B', bs.block0)
block1 = common_util.BYTE_ARRAY()
block1.data = array.array('B', bs.block0)
payload = common_util.BYTE_ARRAY()
payload.data = array.array('B', bs.payload)
with tempfile.NamedTemporaryFile(mode='w+b') as tmp:
_READER_BASE_test.finalize(tmp, block0, block1, payload)
def test_make_csk_entry_dc(self):
self._args.input_file = self._dummy_key_file.name
up = UPDATE_reader(self._args, self._hsm_manager, self._config)
root_key = 'root_key'
csk_pub_key = common_util.BYTE_ARRAY()
up.make_csk_entry_dc(root_key, csk_pub_key)
up.run()
def __init__(self, xy, key_info):
self.xy = common_util.BYTE_ARRAY()
self.xy.append_data(xy)
log.debug("Got key info")
log.debug("".join("{:02x} ".format(x) for x in self.xy.data))
log.debug(self.xy)
self.key_info = key_info
def __init__(self, args):
self.args = args
self.database = database.FAMILY_LIST["PAC_CARD"]
log.debug(args.main_command)
self.bitstream_type = self.database.SUPPORTED_TYPES[
args.main_command].ENUM
self.verify = True if args.root_bitstream else False
if self.verify:
offset = 0
self.reh = common_util.BYTE_ARRAY("FILE", args.root_bitstream)
con_type = self.reh.get_dword(offset + 8)
if (self.reh.get_dword(offset) !=
database.DESCRIPTOR_BLOCK_MAGIC_NUM
or self.reh.get_dword(offset + 4) != 128
or (con_type >> 8) & 0xFF != database.BITSTREAM_TYPE_RK_256
or self.reh.get_dword(offset + 128) !=
database.SIGNATURE_BLOCK_MAGIC_NUM):
common_util.assert_in_error(
False,
"File '{}' is not a root entry hash programming bitstream".
format(args.root_bitstream),
)
if con_type & 0xFF != self.bitstream_type:
log.warn("File '{}' different type than bitstream."
" Validation impossible".format(args.root_bitstream))
self.verify = False
if self.verify:
self.val_root_hash = int.from_bytes(self.reh.data[1024:1056],
byteorder="big")
self.val_root_hash_dc = int.from_bytes(self.reh.data[1072:1104],
byteorder="big")
def test_is_Rush_BMC(self):
UPDATE_reader_test = UPDATE_reader(self._args, self._hsm_manager,
self._config)
payload = common_util.BYTE_ARRAY()
payload.data = self._bitstream.payload
assert not UPDATE_reader_test.is_Rush_BMC(payload, 0)
def test_make_block0_dc(self):
_READER_BASE_test = _READER_BASE(self._args, self._hsm_manager,
self._config)
payload = common_util.BYTE_ARRAY()
bs = self._bitstream
payload.data = array.array('B', bs.payload)
b0 = _READER_BASE_test.make_block0_dc(payload, len(bs.payload))
assert bytearray(b0.data[0:4]) == bs.block0[0:4]
def test_is_Darby_PR(self):
_READER_BASE_test = _READER_BASE(self._args, self._hsm_manager,
self._config)
with tempfile.NamedTemporaryFile(mode='w+b') as fp:
fp.write(self._bitstream.payload)
fp.seek(0)
ba = common_util.BYTE_ARRAY("FILE", fp.name)
assert _READER_BASE_test.is_Darby_PR(ba, 0)
def test_already_signed(self):
UPDATE_reader_test = UPDATE_reader(self._args, self._hsm_manager,
self._config)
already_signed_contents = common_util.BYTE_ARRAY()
already_signed_contents.data = self._bitstream.payload
already_signed_offset = 0
UPDATE_reader_test.already_signed(already_signed_contents,
already_signed_offset)
def __init__(self, file, openssl, key_info):
self.key_info = key_info
assert openssl is not None
self.file = file
self.openssl = openssl
self.xy = common_util.BYTE_ARRAY()
self.key = None
self.curve_info = None
def sign(self, sha, key):
private_key = self.get_private_key(key)
data = common_util.BYTE_ARRAY()
private_key.sign(sha, data)
log.debug("Signature len={}".format(data.size()))
log.debug("".join("{:02x} ".format(x) for x in data.data))
return data
def test_is_Darby_PR(self):
bs = mocksign.d5005_pr.create()
data = bs.getbuffer()
with tempfile.NamedTemporaryFile(mode='w+b') as bsfile:
bsfile.write(data)
bsfile.seek(0)
ba = common_util.BYTE_ARRAY("FILE", bsfile.name)
assert _VERIFIER_BASE.is_Darby_PR(mock.MagicMock(), ba,
bs.payload_offset)
def test_make_csk_entry(self):
up = UPDATE_reader(self._args, self._hsm_manager, self._config)
make_csk_entry_root_key = 'root_key'
make_csk_entry_CSK_pub_key = common_util.BYTE_ARRAY()
up.make_csk_entry(make_csk_entry_root_key, make_csk_entry_CSK_pub_key)
self._args.csk_id = 0
can = CANCEL_reader(self._args, self._hsm_manager, self._config)
can.run()
def sign(self, sha, key):
try:
key_, _ = self.get_key(key, ObjectClass.PRIVATE_KEY)
except pkcs11.NoSuchKey:
log.error("No such key")
except pkcs11.MultipleObjectsReturned:
log.error("multiple")
rs = common_util.BYTE_ARRAY()
rs.append_data(key_.sign(sha, mechanism=Mechanism.ECDSA))
log.debug("RS length is {}".format(rs.size()))
log.debug("".join("{:02x} ".format(x) for x in rs.data))
return rs
def run(self, fname, file_offset, block0, block1, payload):
log.info("Starting verification")
payload_content = common_util.BYTE_ARRAY("FILE", fname)
# Skip JSON and old signature if they exist
has_json = self.is_JSON(payload_content)
log.debug("has_json = {}".format(has_json))
sig_offset = 0 if not has_json else self.skip_JSON(payload_content)
# Determine if platform is RC or DC
self.dc_pr = self.is_Darby_PR(payload_content, sig_offset)
fd = open(fname, "rb")
fd.seek(file_offset, 0)
b0 = fd.read(block0.size())
b1 = fd.read(block1.size())
if self.dc_pr:
pay = fd.read(len(payload))
pay_good = pay == bytes(payload)
else:
pay = fd.read(payload.size())
pay_good = pay == bytes(payload.data)
fd.close()
common_util.assert_in_error(
b0 == bytes(block0.data) and b1 == bytes(block1.data) and pay_good,
"File not written properly",
)
log.info("Bitstream file written properly (bits match expected)")
pay_sha256_v = int.from_bytes(sha256(pay).digest(), byteorder="big")
pay_sha384_v = int.from_bytes(sha384(pay).digest(), byteorder="big")
if not self.dc_pr:
if pay_sha256_v != int.from_bytes(b0[16:16 + 32], byteorder="big"):
log.error("SHA-256 in Block 0 does not match")
if pay_sha384_v != int.from_bytes(b0[48:48 + 48], byteorder="big"):
log.error("SHA-384 in Block 0 does not match")
# Check root hash
if self.dc_pr:
hash = int.from_bytes(sha256(b1[152:152 + 64]).digest(),
byteorder="big")
good = hash == self.val_root_hash_dc
else:
hash = int.from_bytes(sha256(b1[20:148]).digest(), byteorder="big")
good = hash == self.val_root_hash
if good:
log.info("Root hash matches")
else:
log.error("Root hash mismatch:")
log.error("Signed bitstream: {}".format(
hex(hash)))
log.error("Root entry hash bitstream provided: {}".format(
hex(self.val_root_hash_dc if self.dc_pr else self.val_root_hash
)))
if self.dc_pr:
root_pub_key_x = int.from_bytes(b1[152:152 + 32], byteorder="big")
root_pub_key_y = int.from_bytes(b1[152 + 32:152 + 64],
byteorder="big")
root_pub_key_v = (root_pub_key_x, root_pub_key_y)
csk_pub_key_x = int.from_bytes(b1[264:264 + 32], byteorder="big")
csk_pub_key_y = int.from_bytes(b1[264 + 32:264 + 64],
byteorder="big")
csk_pub_key_v = (csk_pub_key_x, csk_pub_key_y)
csk_rs_r = int.from_bytes(b1[344:344 + 32], byteorder="big")
csk_rs_s = int.from_bytes(b1[344 + 32:344 + 64], byteorder="big")
csk_rs_v = (csk_rs_r, csk_rs_s)
b0e_rs_r = int.from_bytes(b1[448:448 + 32], byteorder="big")
b0e_rs_s = int.from_bytes(b1[448 + 32:448 + 64], byteorder="big")
b0e_rs_v = (b0e_rs_r, b0e_rs_s)
root_sha_v = hash
csk_sha_v = int.from_bytes(sha256(b1[240:240 + 88]).digest(),
byteorder="big")
b0_sha_v = int.from_bytes(sha256(b0).digest(), byteorder="big")
else:
if self.cert_type == database.BITSTREAM_TYPE_CANCEL:
b0e_off = 156
csk_pub_key_v = (0, 0)
csk_rs_v = (0, 0)
csk_sha_v = 0
else:
b0e_off = 388
csk_pub_key_x = int.from_bytes(b1[164:164 + 32],
byteorder="big")
csk_pub_key_y = int.from_bytes(b1[212:212 + 32],
byteorder="big")
csk_pub_key_v = (csk_pub_key_x, csk_pub_key_y)
csk_rs_r = int.from_bytes(b1[284:284 + 32], byteorder="big")
csk_rs_s = int.from_bytes(b1[332:332 + 32], byteorder="big")
csk_rs_v = (csk_rs_r, csk_rs_s)
csk_sha_v = int.from_bytes(sha256(b1[152:152 + 128]).digest(),
byteorder="big")
root_pub_key_x = int.from_bytes(b1[32:32 + 32], byteorder="big")
root_pub_key_y = int.from_bytes(b1[80:80 + 32], byteorder="big")
root_pub_key_v = (root_pub_key_x, root_pub_key_y)
b0e_rs_r = int.from_bytes(b1[b0e_off:b0e_off + 32],
byteorder="big")
b0e_rs_s = int.from_bytes(b1[b0e_off + 48:b0e_off + 48 + 32],
byteorder="big")
b0e_rs_v = (b0e_rs_r, b0e_rs_s)
root_sha_v = hash
b0_sha_v = int.from_bytes(sha256(b0).digest(), byteorder="big")
# validate signatures
if self.cert_type != database.BITSTREAM_TYPE_CANCEL:
if ecdsa.verify_signature(root_pub_key_v, csk_sha_v, csk_rs_v):
log.info("Signature of CSK with root key OK")
else:
log.error("Signature of CSK with root key mismatch")
if ecdsa.verify_signature(csk_pub_key_v, b0_sha_v, b0e_rs_v):
log.info("Signature of Block 0 with CSK OK")
else:
log.error("Signature of Block 0 with CSK mismatch")
else:
if ecdsa.verify_signature(root_pub_key_v, b0_sha_v, b0e_rs_v):
log.info("Signature of Block 0 with root key OK")
else:
log.error("Signature of Block 0 with root key mismatch")
return
def test_make_root_entry(self):
rhp = RHP_reader(self._args, self._hsm_manager, self._config)
ba = common_util.BYTE_ARRAY()
ba.data = array.array('B', self._pkdata)
rhp.make_root_entry(ba)
def test_make_root_entry_dc(self):
rhp = RHP_reader(self._args, self._hsm_manager, self._config)
make_root_entry_dc_pub_key = common_util.BYTE_ARRAY()
make_root_entry_dc_pub_key.data = self._pkdata
rhp.make_root_entry_dc(make_root_entry_dc_pub_key)
def test_is_JSON(self):
UPDATE_reader_test = UPDATE_reader(self._args, self._hsm_manager,
self._config)
contents = common_util.BYTE_ARRAY()
contents.data = self._bitstream.payload
UPDATE_reader_test.is_JSON(contents)