Warrant example

This secton outlines the process of reading a nShield KLF2 module warrant file and extracting information from it. Warrants are typically encoded in hex format, which can be processed using the nchex library. The outputs have been reformatted slightly for readability.

We can unpack the warrant with the nfddds module:

> import nfddds
> import nchex
> file_data = open("/opt/nfast/kmdata/warrants/ABCD-ABCD-ABCD", "rb").read()
> (klftype, warrant_data) = nchex.parse(str(file_data, "UTF-8"))
> warrant = nfddds.decode(warrant_data)
> print(klftype)
KLF2Warrant
> print(warrant)
[
  'KWARN-1',
  {
    'Payload':
      """b33b4465 6c656761 74654b65 79943545 43445341 36507562 6c696338 4e495354
      50353231 92f4c542 01ce51e1 6a7187d2 9a61842f 271be758 36d00405 e24ef3e9
      88a2e49d 8ad6e653 1ddd7cb9 bb0c62c9 1536dc16 f183c10e 4ec53de9 66404026
      6b86b472 42433f09 4829f4c5 410c97f2 5beebdee dc81aa2e 147159df 495ae0aa
      3ba20d22 2fcbb271 b4e62d68 bd0b18ee 6007a610 cf356f2f 7e9d94c7 337c818a
      ddc2ccbf 1934898e 699b3ff5 cc733753 69674d65 63689235 45434453 41923545
      4d534131 36534841 353132c4 16576172 72616e74 43657274 69666963 61746554
      7970653a 44656c65 67617469 6f6e""",
    'Signature':
      """00d01425 60724466 7afccb06 e168c6d3 77be0623 d7253fd4 0de6bffc 1a394eaf
      a1bda0af e850eca6 c0587eb1 f6c271dd 2602f6ec 16e2963c 281118c5 67817c01
      aaa901ad 6f5c9427 7342bd4b 59ade2b9 d7f6d86d 6e46a445 7d201d56 3537390c
      b0979cfc ef5baa20 95f6c4bc af35c1b9 17a051de c5889620 6cf5dec4 44d8407e
      ad7b89f8"""
  },
  {
    'Payload':
      """b6394170 70726f76 616c7391 94374649 50533134 300203c4 114d756c 74694368
      6970456d 62656464 6564c416 456c6563 74726f6e 69635365 7269616c 4e756d62
      65722e41 4243442d 41424344 2d414243 44384b4c 46326d65 63689235 45434453
      41923545 4d534131 36534841 35313237 4b4c4632 70756294 35454344 53413650
      75626c69 63384e49 53545035 323192f4 c5410f45 cd4f61d5 318de1ff 4bc56405
      d6d36a3a c3ab966e ddc7f228 ff71a23e 929a10e3 513c4d2b bcc51e5f a1ef5129
      57c66cfb a2731e44 7894e470 a315bbe2 8acb59f4 c5412838 e5947737 0789ea09
      d1b83542 a2d4aaf8 3db54847 275cba0f ebb773d8 c45a60be 6fd6efee 0656cafe
      e0b580e0 96e5baf1 bdfb81e5 8df760ee dd2f8865 36727cc4 14506879 73696361
      6c536572 69616c4e 756d6265 72293031 2d323334 353637c4 16576172 72616e74
      43657274 69666963 61746554 797065c4 114d6f64 756c6549 6e666f72 6d617469
      6f6e""",
    'Signature':
      """018f257b 8adfa961 2223d4e3 abd0921e 00b79749 cd49a320 bf5990f5 a4f325ea
      2913c2ef f19d0544 f36c9310 4dade3b3 10fe0779 819a3ea6 6b2be718 46acaceb
      b90f0106 13c23118 bb4f23db 7d12b6b4 8fc3c7ec 4c452cf5 022bef2e c0bc24d1
      6dd5d57c abf9d77c 6a769b4b 0cc6ee78 9cfe39c6 7280eca9 baf4317c fee59ff3
      a951beb0"""
  }
]

The basic structure is as described in the Warrant format section: a list consisting of a root key name, one delegation certificate and a module information certificate.

We can unpack the payload of the delegation certificate:

> delegation_cert = warrant[1][nfddds.Symbol('Payload')]
> print(nfddds.decode(delegation_cert))
{
  'DelegateKey': [
    'ECDSA', 'Public', 'NISTP521',
    [
      6198695694982919313396658679251394353656599166217197479575050845945356429577955031095261406004526864171061636427742600024188562547686432295676893803810736169,
      168851790370479162603327826894762014276575457671531073025230026616996041091987680751434932025755737810417296484254014405915751348478117063721036878705970291
    ]
  ],
  'SigMech': ['ECDSA', ['EMSA1', 'SHA512']],
  'WarrantCertificateType': 'Delegation'
}

Similarly for the module information certificate:

> module_cert = (warrant[2][nfddds.Symbol('Payload')])
> print(nfddds.decode(module_cert))
{
  'ElectronicSerialNumber': 'ABCD-ABCD-ABCD',
  'PhysicalSerialNumber': '01-234567',
  'Approvals': [['FIPS140', 2, 3, 'MultiChipEmbedded']],
  'WarrantCertificateType': 'ModuleInformation',
  'KLF2pub': [
    'ECDSA', 'Public', 'NISTP521',
    [
      204772945937072010226860998619571494264264799010175099002158797896809774651276304246398533131554228909781887253956881741534001231085622044477444946293082969,
      539292244234422539754545398145607083325398812601271805090001462425588071401713689513940584061317769068587981621988409982003420521563484566472379191365366396
    ]
  ],
  'KLF2mech': ['ECDSA', ['EMSA1', 'SHA512']]
}