# # Copyright 2019,2020 NXP # SPDX-License-Identifier: Apache-2.0 # """ Validation of Sign Verify with OpenSSL engine using EC Keys This example showcases sign using reference key, then verify using openssl and vice versa. Precondition: - Inject keys using ``openssl_provisionEC.py``. """ import argparse from openssl_util import * log = logging.getLogger(__name__) example_text = ''' Example invocation:: python %s --key_type prime256v1 python %s --key_type secp160k1 --connection_data 127.0.0.1:8050 ''' % (__file__, __file__,) def parse_in_args(): parser = argparse.ArgumentParser( description=__doc__, epilog=example_text, formatter_class=argparse.RawTextHelpFormatter) required = parser.add_argument_group('required arguments') optional = parser.add_argument_group('optional arguments') required.add_argument( '--key_type', default="", help='Supported key types => ``%s``' % ("``, ``".join(SUPPORTED_EC_KEY_TYPES)), required=True) optional.add_argument( '--connection_data', default="none", help='Parameter to connect to SE => eg. ``COM3``, ``127.0.0.1:8050``, ``none``. Default: ``none``') optional.add_argument( '--disable_sha1', default="False", help='Parameter to disable SHA1 => eg. ``True``, ``False``. Default: ``False``') optional.add_argument( '--output_dirname', default="output", help='Directory name of directory storing calculated signatures (used in case of concurrent invocation)') if len(sys.argv) == 1: parser.print_help(sys.stderr) return None args = parser.parse_args() if args.key_type not in SUPPORTED_EC_KEY_TYPES: parser.print_help(sys.stderr) return None if args.disable_sha1 not in ["True", "False"]: parser.print_help(sys.stderr) return None if args.connection_data.find(':') >= 0: port_data = args.connection_data.split(':') jrcp_host_name = port_data[0] jrcp_port = port_data[1] os.environ['JRCP_HOSTNAME'] = jrcp_host_name os.environ['JRCP_PORT'] = jrcp_port os.environ['EX_SSS_BOOT_SSS_PORT'] = args.connection_data log.info("JRCP_HOSTNAME: %s" % jrcp_host_name) log.info("JRCP_PORT: %s" % jrcp_port) log.info("EX_SSS_BOOT_SSS_PORT: %s" % args.connection_data) return args def main(): key_type_hash_map = { "prime192v1": "sha1", "secp224r1": "sha224", "prime256v1": "sha256", "secp384r1": "sha384", "secp521r1": "sha512", } args = parse_in_args() if args is None: return if args.disable_sha1 == "True": for (key, value) in key_type_hash_map.items(): if value == 'sha1': key_type_hash_map.pop(key) break # HASH = key_type_hash_map.get(args.key_type, "sha256") keys_dir = os.path.join(cur_dir, '..', 'keys', args.key_type) output_dir = cur_dir + os.sep + args.output_dirname if not os.path.exists(output_dir): os.mkdir(output_dir) SIGN_KEY_REF_0 = keys_dir + os.sep + "ecc_key_kp_0_ref.pem" VERIFY_KEY_0 = keys_dir + os.sep + "ecc_key_kp_0.pem" SIGN_KEY_REF_1 = keys_dir + os.sep + "ecc_key_kp_1_ref.pem" VERIFY_KEY_1 = keys_dir + os.sep + "ecc_key_kp_1.pem" SIGN_KEY_REF_2 = keys_dir + os.sep + "ecc_key_kp_2_ref.pem" VERIFY_KEY_2 = keys_dir + os.sep + "ecc_key_kp_2.pem" SIGN_KEY_REF_3 = keys_dir + os.sep + "ecc_key_kp_3_ref.pem" VERIFY_KEY_3 = keys_dir + os.sep + "ecc_key_kp_3.pem" SIGN_KEY_0 = keys_dir + os.sep + "ecc_key_pub_0.pem" VERIFY_KEY_REF_0 = keys_dir + os.sep + "ecc_key_pub_0_ref.pem" SIGN_KEY_1 = keys_dir + os.sep + "ecc_key_pub_1.pem" VERIFY_KEY_REF_1 = keys_dir + os.sep + "ecc_key_pub_1_ref.pem" SIGN_KEY_2 = keys_dir + os.sep + "ecc_key_pub_2.pem" VERIFY_KEY_REF_2 = keys_dir + os.sep + "ecc_key_pub_2_ref.pem" ECC_KEY_KP_A = keys_dir + os.sep + "ecc_key_kp_A.pem" ECC_KEY_KP_PUBONLY_A = keys_dir + os.sep + "ecc_key_kp_pubonly_A.pem" SIGNATURE_0 = output_dir + os.sep + "signature_hash_0.bin" SIGNATURE_1 = output_dir + os.sep + "signature_hash_1.bin" SIGNATURE_2 = output_dir + os.sep + "signature_hash_2.bin" SIGNATURE_3 = output_dir + os.sep + "signature_hash_3.bin" SIGNATURE_V_0 = output_dir + os.sep + "signature_v_hash_0.bin" SIGNATURE_V_1 = output_dir + os.sep + "signature_v_hash_1.bin" SIGNATURE_V_2 = output_dir + os.sep + "signature_v_hash_2.bin" SIGNATURE_A_0 = output_dir + os.sep + "signature_a_hash_0.bin" TO_SIGN = cur_dir + os.sep + "readme.rst" for HASH in key_type_hash_map.values(): log.info("###########################################################") log.info("Positive signing tests (hash=%s)" % HASH) log.info("###########################################################") log.info("Sign the file %s with SE %s" % (TO_SIGN, SIGN_KEY_REF_0)) log.info("###########################################################") run("%s dgst -engine %s -%s -sign %s -out %s %s" % (openssl, openssl_engine, HASH, SIGN_KEY_REF_0, SIGNATURE_0, TO_SIGN)) log.info("###########################################################") log.info("Now verify the signature with Host") log.info("###########################################################") run("%s dgst -%s -prverify %s -signature %s %s" % (openssl, HASH, VERIFY_KEY_0, SIGNATURE_0, TO_SIGN)) log.info("###########################################################") log.info("###########################################################") log.info("Sign the file %s with SE %s" % (TO_SIGN, SIGN_KEY_REF_1)) log.info("###########################################################") run("%s dgst -engine %s -%s -sign %s -out %s %s" % (openssl, openssl_engine, HASH, SIGN_KEY_REF_1, SIGNATURE_1, TO_SIGN)) log.info("###########################################################") log.info("Now verify the signature with Host") log.info("###########################################################") run("%s dgst -%s -prverify %s -signature %s %s" % (openssl, HASH, VERIFY_KEY_1, SIGNATURE_1, TO_SIGN)) log.info("###########################################################") log.info("###########################################################") log.info("Sign the file %s with SE %s" % (TO_SIGN, SIGN_KEY_REF_2)) log.info("###########################################################") run("%s dgst -engine %s -%s -sign %s -out %s %s" % (openssl, openssl_engine, HASH, SIGN_KEY_REF_2, SIGNATURE_2, TO_SIGN)) log.info("###########################################################") log.info("Now verify the signature with Host") log.info("###########################################################") run("%s dgst -%s -prverify %s -signature %s %s" % (openssl, HASH, VERIFY_KEY_2, SIGNATURE_2, TO_SIGN)) log.info("###########################################################") log.info("###########################################################") log.info("Sign the file %s with SE %s" % (TO_SIGN, SIGN_KEY_REF_3)) log.info("###########################################################") run("%s dgst -engine %s -%s -sign %s -out %s %s" % (openssl, openssl_engine, HASH, SIGN_KEY_REF_3, SIGNATURE_3, TO_SIGN)) log.info("###########################################################") log.info("Now verify the signature with Host") log.info("###########################################################") run("%s dgst -%s -prverify %s -signature %s %s" % (openssl, HASH, VERIFY_KEY_3, SIGNATURE_3, TO_SIGN)) log.info("###########################################################") log.info("###########################################################") log.info("Positive verification tests (hash=%s)" % HASH) log.info("###########################################################") log.info("Sign the file %s with Host" % (TO_SIGN,)) run("%s dgst -%s -sign %s -out %s %s" % (openssl, HASH, SIGN_KEY_0, SIGNATURE_V_0, TO_SIGN)) log.info("###########################################################") log.info("Now verify the signature with SE (%s)" % (VERIFY_KEY_REF_0,)) run("%s dgst -engine %s -%s -prverify %s -signature %s %s" % (openssl, openssl_engine, HASH, VERIFY_KEY_REF_0, SIGNATURE_V_0, TO_SIGN)) log.info("###########################################################") log.info("Sign the file %s with Host" % (TO_SIGN,)) run("%s dgst -%s -sign %s -out %s %s" % (openssl, HASH, SIGN_KEY_1, SIGNATURE_V_1, TO_SIGN)) log.info("###########################################################") log.info("Now verify the signature with SE (%s)" % (VERIFY_KEY_REF_1,)) run("%s dgst -engine %s -%s -prverify %s -signature %s %s" % (openssl, openssl_engine, HASH, VERIFY_KEY_REF_1, SIGNATURE_V_1, TO_SIGN)) log.info("###########################################################") log.info("Sign the file %s with Host" % (TO_SIGN,)) run("%s dgst -%s -sign %s -out %s %s" % (openssl, HASH, SIGN_KEY_2, SIGNATURE_V_2, TO_SIGN)) log.info("###########################################################") log.info("Now verify the signature with SE (%s)" % (VERIFY_KEY_REF_2,)) run("%s dgst -engine %s -%s -prverify %s -signature %s %s" % (openssl, openssl_engine, HASH, VERIFY_KEY_REF_2, SIGNATURE_V_2, TO_SIGN)) log.info("###########################################################") log.info("Negative verification tests") log.info("Verify a signature with SE with a verification key (%s)" % (VERIFY_KEY_REF_0,)) log.info("that does not match signer (%s)" % (SIGN_KEY_2,)) log.info("###########################################################") ignore_result = 0 exp_return_code = 1 run("%s dgst -engine %s -%s -prverify %s -signature %s %s" % (openssl, openssl_engine, HASH, VERIFY_KEY_REF_0, SIGNATURE_V_2, TO_SIGN), ignore_result, exp_return_code) log.info("###########################################################") log.info("Validate Key Handover (hash=%s)" % HASH) log.info("###########################################################") log.info("Validate Key Handover from Engine to OpenSSL SW implementation") log.info("Sign the file %s with Host" % (TO_SIGN,)) log.info("###########################################################") run("%s dgst -engine %s -%s -sign %s -out %s %s" % (openssl, openssl_engine, HASH, ECC_KEY_KP_A, SIGNATURE_A_0, TO_SIGN,)) log.info("Now verify the signature with SE (%s)" % (SIGNATURE_A_0,)) log.info("###########################################################") run("%s dgst -engine %s -%s -prverify %s -signature %s %s" % (openssl, openssl_engine, HASH, ECC_KEY_KP_A, SIGNATURE_A_0, TO_SIGN)) log.info("###########################################################") log.info("##############################################################") log.info("# #") log.info("# Program completed successfully #") log.info("# #") log.info("##############################################################") if __name__ == '__main__': logging.basicConfig(level=logging.DEBUG) main()