def verify()

in kms/attestations/verify_attestation_chains.py [0:0]


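def verify(certs_file, attestation_file):
    """Verifies that the certificate chains are valid.

    Two chains are checked: the HSM manufacturer chain (root -> card ->
    partition) and the HSM owner chain (root -> card, root -> partition).
    The owner card and partition certificates are accepted only if they
    carry the same public key as the corresponding manufacturer
    certificate, and any certificate left in the parsed set after both
    chains are built makes the check fail. Finally the gzip-compressed
    attestation is verified against both partition certificates.

    Args:
        certs_file: The certificate chains filename (PEM, one or more
            certificates).
        attestation_file: The attestation filename (gzip-compressed).

    Returns:
        True if the certificate chains and the attestation are valid.
    """
    mfr_root_cert = get_manufacturer_root_certificate()
    # Pin the manufacturer root by its exact encoded subject before trusting
    # anything issued under it.
    if (
        mfr_root_cert.subject.public_bytes(backends.default_backend())
        != MANUFACTURER_CERT_SUBJECT_BYTES
    ):
        return False

    untrusted_certs_pem = pem.parse_file(certs_file)
    untrusted_certs = {
        x509.load_pem_x509_certificate(
            str(cert_pem).encode("utf-8"), backends.default_backend()
        )
        for cert_pem in untrusted_certs_pem
    }

    # Build the manufacturer certificate chain. The partition certificate is
    # only looked up once the card certificate has been found, so
    # get_issued_certificate is never handed a missing (None) issuer.
    mfr_card_cert = get_issued_certificate(mfr_root_cert, untrusted_certs)
    mfr_partition_cert = (
        get_issued_certificate(mfr_card_cert, untrusted_certs)
        if mfr_card_cert
        else None
    )
    if not mfr_card_cert or not mfr_partition_cert:
        print("Invalid HSM manufacturer certificate chain.")
        return False
    print("Successfully built HSM manufacturer certificate chain.")

    owner_root_cert = get_owner_root_certificate()

    def _same_public_key(reference_cert):
        """Return a predicate accepting only certificates whose
        SubjectPublicKeyInfo equals that of *reference_cert*.

        Both sides are compared in DER form so the two owner-chain checks
        use one encoding (the original compared the card key as DER and
        the partition key as PEM).
        """
        reference_spki = reference_cert.public_key().public_bytes(
            serialization.Encoding.DER,
            serialization.PublicFormat.SubjectPublicKeyInfo,
        )

        def _predicate(cert):
            candidate_spki = cert.public_key().public_bytes(
                serialization.Encoding.DER,
                serialization.PublicFormat.SubjectPublicKeyInfo,
            )
            return candidate_spki == reference_spki

        return _predicate

    # Build the owner card certificate chain: the owner-issued card cert must
    # carry the manufacturer card key.
    owner_card_cert = get_issued_certificate(
        owner_root_cert,
        untrusted_certs,
        predicate=_same_public_key(mfr_card_cert),
    )

    # Build the owner partition certificate chain: likewise bound to the
    # manufacturer partition key.
    owner_partition_cert = get_issued_certificate(
        owner_root_cert,
        untrusted_certs,
        predicate=_same_public_key(mfr_partition_cert),
    )

    # A non-empty leftover set means the supplied file contained
    # certificates that neither chain accounted for; treat that as invalid.
    if not owner_card_cert or not owner_partition_cert or untrusted_certs:
        print("Invalid HSM owner certificate chain.")
        return False
    print("Successfully built HSM owner certificate chain.")

    with gzip.open(attestation_file, "rb") as f:
        attestation = f.read()
    # The attestation must validate against both the manufacturer and the
    # owner partition certificates.
    return verify_attestation(
        mfr_partition_cert, attestation
    ) and verify_attestation(owner_partition_cert, attestation)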