def _validate_oid_values(self, signing_attributes, general_properties, mandatory=True): if self._is_oid_supported(signing_attributes) is False: return oid_name = signing_attributes.object_id.name oid_min = signing_attributes.object_id.min oid_max = signing_attributes.object_id.max config_params_32bits = { "min": oid_min, "max": oid_max, } for key in config_params_32bits.keys(): valid = False if config_params_32bits[key] and \ (Attribute.validate(num_bits=32, string=config_params_32bits[key]) is True): valid = True elif (not config_params_32bits[key]) and \ (mandatory is False): valid = True if valid == False: raise ConfigError(self.MSG_INVALID_32_INTEGER. format(oid_name, key, config_params_32bits[key])) if oid_min and oid_max and \ (Attribute.init(num_bits=32, string=oid_min).value > \ Attribute.init(num_bits=32, string=oid_max).value): valid = False raise ConfigError('{0} min must be less than max, min={1} max={2}' \ .format(oid_name, oid_min, oid_max))
def _generate_oid_config(self, oid_name, min_str, max_str): min_attr = Attribute.init(num_bits=32, string=min_str) max_attr = Attribute.init(num_bits=32, string=max_str) oid_str = "%.8X%.8X" % (min_attr.value, max_attr.value) oid_cfg = "\n%s=DER:%s:%s:%s:%s:%s:%s:%s:%s" % \ (Certificate.GetOIDByName(oid_name), oid_str[0:2], oid_str[2:4], oid_str[4:6], oid_str[6:8], \ oid_str[8:10], oid_str[10:12], oid_str[12:14], oid_str[14:16]) return oid_cfg
def _generate_tcg_config(self, tcg_min_str, tcg_max_str): tcg_min = Attribute.init(num_bits=32, string=tcg_min_str) tcg_max = Attribute.init(num_bits=32, string=tcg_max_str) tcg_str = "%.8X%.8X" % (tcg_min.value, tcg_max.value) tcg_cfg = "\n%s=DER:%s:%s:%s:%s:%s:%s:%s:%s" % \ (Certificate.TCG_OID, tcg_str[0:2], tcg_str[2:4], tcg_str[4:6], tcg_str[6:8], \ tcg_str[8:10], tcg_str[10:12], tcg_str[12:14], tcg_str[14:16]) return tcg_cfg
def validate_tcg_from_config(self, ca_cert_path, signing_attributes): ca_cert_obj = Certificate(path=ca_cert_path) tcg_min_str = signing_attributes.tcg_min tcg_max_str = signing_attributes.tcg_max tcg_min_attest = Attribute.init(num_bits=32, string=tcg_min_str) tcg_max_attest = Attribute.init(num_bits=32, string=tcg_max_str) return self._validate_tcg_raw(tcg_min_attest, tcg_max_attest, ca_cert_obj.tcg_min, ca_cert_obj.tcg_max)
def validate_oid_from_config(self, ca_cert_path, signing_attributes): ca_cert_obj = Certificate(path=ca_cert_path) min_str = signing_attributes.object_id.min max_str = signing_attributes.object_id.max min_attest = Attribute.init(num_bits=32, string=min_str) max_attest = Attribute.init(num_bits=32, string=max_str) min_ca = None max_ca = None if signing_attributes.object_id.name == "tcg": min_ca = ca_cert_obj.tcg_min max_ca = ca_cert_obj.tcg_max return self._validate_oid_raw(min_attest, max_attest, min_ca, max_ca)
def _get_oid(self, asn1_text, name): _min = None _max = None oid = self.GetOIDByName(name) oid_ext = asn1_text.find(oid) if oid_ext > -1: oid_pattern=re.compile(r'\[HEX DUMP\]:([a-fA-F\d]+)') oid_match=oid_pattern.search(asn1_text[oid_ext:]) if oid_match is not None: #tcg_str = tcg_match.group(1).replace(' ', '') #remove spaces oid_str = oid_match.group(1) _min = Attribute.init(num_bits=32, string="0x"+oid_str[0:8]) _max = Attribute.init(num_bits=32, string="0x"+oid_str[8:16]) return _min, _max
def _get_tcg(self, asn1_text): _tcg_min = None _tcg_max = None tcg_ext = asn1_text.find(self.TCG_OID) if tcg_ext > -1: tcg_pattern = re.compile(r'\[HEX DUMP\]:([a-fA-F\d]+)') tcg_match = tcg_pattern.search(asn1_text[tcg_ext:]) if tcg_match is not None: #tcg_str = tcg_match.group(1).replace(' ', '') #remove spaces tcg_str = tcg_match.group(1) _tcg_min = Attribute.init(num_bits=32, string="0x" + tcg_str[0:8]) _tcg_max = Attribute.init(num_bits=32, string="0x" + tcg_str[8:16]) return _tcg_min, _tcg_max
def validate_inputs(self, signing_attributes, general_properties): config_params_32bits = { "tcg_min": signing_attributes.tcg_min, "tcg_max": signing_attributes.tcg_max, } for key in config_params_32bits.keys(): if Attribute.validate(num_bits=32, string=config_params_32bits[key]) is False: raise ConfigError("{0}:{1} is not a valid 32 bit integer". format(key, config_params_32bits[key]))
def get_testsig_from_args(self, args): serial_num_str = None if args.validate: testsig_index = args.image_file.find(TESTSIG_PREFIX) if testsig_index >= 0: filename, ext = os.path.splitext(args.image_file) serial_num_str = filename[testsig_index + len(TESTSIG_PREFIX):] elif args.testsig: serial_num_str = args.testsig return Attribute.init(num_bits=32, string=serial_num_str)
def validate_inputs(self, signing_attributes, general_properties): config_params_32bits = { "tcg_min": signing_attributes.tcg_min, "tcg_max": signing_attributes.tcg_max, } for key in config_params_32bits.keys(): if Attribute.validate(num_bits=32, string=config_params_32bits[key]) is False: raise ConfigError( "{0}:{1} is not a valid 32 bit integer".format( key, config_params_32bits[key]))
def _get_ou_attr(self, attr_name, certificate_text): attr = None ou_id = Certificate_OU.GetID(attr_name) attr_pattern=re.compile(r'OU={0} ([a-fA-F\d]+) {1}'.format(ou_id, attr_name)) attr_match=attr_pattern.search(certificate_text) if attr_match is not None: attr_str = attr_match.group(1) if len(attr_str) in [4, 8, 16]: attr = Attribute.init(num_bits = len(attr_str)*4, string="0x"+attr_str) else: attr = attr_str return attr
def validate_serial_num(self, value): if Attribute.validate(num_bits=32, string=value) is False: raise RuntimeError('testsig serial number ' + str(value) + ' is not a valid 32 bit number')
def serial_num(self, value): if value is not None: self.validate_serial_num(value) value = Attribute.init(num_bits=32, string=value).value self._serial_num = value
def c_validate(self): """Validates the command line args provided by the user. :raises: RuntimeError if any error occurs. """ args = self.parsed_args err = [] config_params_32bits = { "tcg min": args.tcg_min, "tcg max": args.tcg_max, 'testsig': args.testsig, "tcg fix": args.tcg_fix, } #import pdb; pdb.set_trace() if (args.input_dir or args.image_file) and args.testsig: err.append( 'Generate testsig (-t) and sign with image_file (-i or -r) cannot be used together' ) if args.capability and (args.cass is False): err.append( 'Capability (-p) is only supported when CASS (-c) is used') if not (args.image_file or args.input_dir) and not args.testsig: err.append( 'Either generate testsig (-t) or sign with image_file (-i or -r) must be specified' ) if args.validate and (args.testsig or args.input_dir): err.append( 'Validate (-a) should be used with image_file (-i). An input signed image should be referenced by -i.' ) if args.validate is False and args.image_file: path, filename = os.path.split(args.image_file) if filename.startswith(TESTSIG_PREFIX): err.append( 'Cannot sign testsig file {0}. Please use -t to generate testsig instead.' .format(args.image_file)) if args.tcg_fix: for key in ["tcg min", "tcg max"]: if config_params_32bits[key]: err.append( "{0} should not be specified when tcg_fix is specified" .format(key)) for key in config_params_32bits: if Attribute.validate(num_bits=32, string=config_params_32bits[key]) is False: err.append('{0}:{1} is not a valid 32 bit integer'.format( key, config_params_32bits[key])) # Check and sanitize any paths for read access for path in ['image_file', 'config']: path_val = getattr(args, path, None) if path_val: path_val = c_path.normalize(path_val) if not c_path.validate_file(path_val): err.append('Cannot access ' + path + ' at: ' + path_val) setattr(args, path, path_val) for path in ['input_dir']: path_val = getattr(args, path, None) if path_val: path_val = c_path.normalize(path_val) if not c_path.validate_dir(path_val): err.append('Cannot access ' + path + ' at: ' + path_val) setattr(args, path, path_val) # Check and sanitize paths for write access for path in ['output_dir']: path_val = getattr(args, path, None) if path_val: path_val = c_path.normalize(path_val) try: c_path.create_dir(path_val) except Exception as e: err.append('Cannot write at: ' + path_val + '\n' ' ' + 'Error: ' + str(e)) setattr(args, path, path_val) # Raise error if any if err: if len(err) > 1: err = [(' ' + str(idx + 1) + '. ' + error) for idx, error in enumerate(err)] err = 'Please check the command line args:\n\n' + '\n'.join( err) else: err = err[0] raise RuntimeError(err)