| blob | 012a3721740a111ee26bc25484475f8188477e67 |
1 #!/usr/bin/env python3
2 #
3 # This Source Code Form is subject to the terms of the Mozilla Public
4 # License, v. 2.0. If a copy of the MPL was not distributed with this
5 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
7 """
8 Given a directory of files, packages them up and signs the
9 resulting zip file. Mainly for creating test inputs to the
10 nsIX509CertDB.openSignedAppFileAsync API.
11 """
16 import argparse
18 import os
19 import re
20 import six
21 import sys
22 import zipfile
24 # These libraries moved to security/manager/tools/ in bug 1699294.
26 import pycert
27 import pycms
28 import pykey
39 """Helper function that takes one of (ES256, ES384, ES512)
40 and returns the corresponding pykey.HASH_* identifier."""
50 # COSE_Signature = [
51 # protected : serialized_map,
52 # unprotected : {},
53 # signature : bstr
54 # ]
58 """Returns a COSE_Signature structure.
59 payload is a string representing the data to be signed
60 algorithm is one of (ES256, ES384, ES512)
61 signingKey is a pykey.ECKey to sign the data with
62 signingCertificate is a byte string
63 bodyProtected is the serialized byte string of the protected body header
64 """
67 # Sig_structure = [
68 # context : "Signature"
69 # body_protected : bodyProtected
70 # sign_protected : protectedEncoded
71 # external_aad : nil
72 # payload : bstr
73 # ]
81 # COSE_Sign = [
82 # protected : serialized_map,
83 # unprotected : {},
84 # payload : nil,
85 # signatures : [+ COSE_Signature]
86 # ]
90 """Returns the entire (tagged) COSE_Sign structure.
91 payload is a string representing the data to be signed
92 intermediates is an array of byte strings
93 signatures is an array of (algorithm, signingKey,
94 signingCertificate) triplets to be passed to
95 coseSignature
96 """
99 coseSignatures = []
104 )
105 )
111 """Given a relative path to a directory, enumerates the
112 files in the tree rooted at that location. Returns a list
113 of pairs of paths to those files. The first in each pair
114 is the full path to the file. The second in each pair is
115 the path to the file relative to the directory itself."""
116 paths = []
122 return paths
126 """Helper function to fill out a manifest entry.
127 Takes the filename, a list of (hash function, hash function name)
128 pairs to use, the contents of the file, and the current list
129 of manifest entries."""
138 """Helper function to create an X509 cert from a specification.
139 Takes the subject, the subject key name to use, the issuer name,
140 a bool whether this is an EE cert or not, and optionally an issuer key
141 name."""
142 certSpecification = (
145 + subject
148 )
152 certSpecification += (
155 )
167 """Given a COSE algorithm ('ES256', 'ES384', 'ES512'), an issuer
168 name, the name of the issuer's key, and a validity period, returns a
169 (algorithm id, pykey.ECCKey, encoded certificate) triplet for use
170 with coseSig.
171 """
174 algId = ES256
177 algId = ES384
180 algId = ES512
184 # The subject must differ to avoid errors when importing into NSS later.
187 keyName,
188 issuerName,
190 issuerKey,
191 certValidity,
192 )
197 appDirectory,
198 outputFile,
199 issuerName,
200 rootName,
201 rootKey,
202 certValidity,
203 manifestHashes,
204 signatureHashes,
205 pkcs7Hashes,
206 coseAlgorithms,
207 emptySignerInfos,
208 headerPaddingFactor,
209 ):
210 """Given a directory containing the files to package up, an output
211 filename to write to, the name of the issuer of the signing
212 certificate, the name of trust anchor, the name of the trust
213 anchor's key, a list of hash algorithms to use in the manifest file,
214 a similar list for the signature file, a similar list for the pkcs#7
215 signature, a list of COSE signature algorithms to include, whether
216 the pkcs#7 signer info should be kept empty, and how many MB to pad
217 the manifests by (to test handling large manifest files), packages
218 up the files in the directory and creates the output as
219 appropriate."""
220 # The header of each manifest starts with the magic string
221 # 'Manifest-Version: 1.0' and ends with a blank line. There can be
222 # essentially anything after the first line before the blank line.
225 # In this format, each line can only be 72 bytes long. We make
226 # our padding 50 bytes per line (49 of content and one newline)
227 # so the math is easy.
229 # 1000000 / 50 = 20000
232 # Append the blank line.
235 issuerKey = rootKey
242 # Add the entry to the manifest we're building
251 )
252 intermediates = []
253 coseIssuerName = issuerName
258 coseIssuerName,
259 issuerKey,
260 rootName,
262 rootKey,
263 certValidity,
264 )
267 signatures = [
269 coseAlgorithm,
270 coseIssuerName,
271 issuerKey,
272 certValidity,
273 )
275 ]
280 )
294 name,
296 )
297 cmsSpecification += (
302 )
318 """Base class for exceptions in this module."""
320 pass
324 """Helper exception type to handle unknown hash algorithms."""
335 """Helper exception type to handle unknown COSE algorithms."""
354 """Main entrypoint. Given an already-opened file-like
355 object, a path to the app directory to sign, and some
356 optional arguments, signs the contents of the directory and
357 writes the resulting package to the 'file'."""
365 )
373 )
379 )
385 default=[],
386 )
392 default=[],
393 )
400 default=[],
401 )
409 )
416 default=[],
417 )
423 )
430 appPath,
431 outputFile,
442 )