usr/src/tools/codesign/signit.pl

   1 #!/usr/perl5/bin/perl
   2 #
   3 # CDDL HEADER START
   4 #
   5 # The contents of this file are subject to the terms of the
   6 # Common Development and Distribution License (the "License").
   7 # You may not use this file except in compliance with the License.
   8 #
   9 # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
  10 # or http://www.opensolaris.org/os/licensing.
  11 # See the License for the specific language governing permissions
  12 # and limitations under the License.
  13 #
  14 # When distributing Covered Code, include this CDDL HEADER in each
  15 # file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  16 # If applicable, add the following below this CDDL HEADER, with the
  17 # fields enclosed by brackets "[]" replaced with your own identifying
  18 # information: Portions Copyright [yyyy] [name of copyright owner]
  19 #
  20 # CDDL HEADER END
  21 #
  22 #
  23 # ident "%Z%%M% %I%     %E% SMI"
  24 #
  25 # Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
  26 # Use is subject to license terms.
  27 #
  28
  29 # signit [-q] [-i dir][-o dir] [-l user]
  30 #
  31 # Client program for use with code signing server.
  32 # Reads a list of signing credential names and file pathnames
  33 # from standard input. Each file is read from the input directory,
  34 # sent to the signing server, signed with the specified credential,
  35 # and written to the output directory.
  36 #
  37 # Options:
  38 #       -q      quiet operation: avoid printing files successfully signed
  39 #       -i dir  input directory (defaults to current dir)
  40 #       -o dir  output directory (defautls to input dir)
  41 #       -l user user account on signing server (defaults to current user)
  42 #
  43 # The CODESIGN_SERVER environment variable can be used to
  44 # specify the hostname or IP address of the signing server
  45 # (defaults to quill.sfbay).
  46
  47 use strict;
  48 use Cwd;
  49 use File::Temp 'tempdir';
  50 use Getopt::Std;
  51 use IPC::Open2;
  52
  53 #
  54 # Global variables
  55 #
  56 my ($Indir, $Outdir);   # Input and output directories (may be the same)
  57 my $Server;             # Signing server hostname
  58 my $Quiet;              # Suppress printing each file successfully signed
  59 my ($pid);              # Process id for ssh client
  60 my @cred_rules;         # Array of path prefixes and credentials to use
  61 my $Tmpdir = tempdir(CLEANUP => 1);     # Temporary directory
  62 my $Warnings = 0;       # Count of warnings returned
  63
  64
  65 #
  66 # Main program
  67 #
  68
  69 $Server = $ENV{CODESIGN_SERVER} || "quill.sfbay";
  70
  71 # Get command-line arguments
  72 our($opt_c, $opt_i, $opt_o, $opt_l, $opt_q);
  73 if (!getopts("i:o:c:l:q")) {
  74         die "Usage: $0 [-i dir] [-o dir] [-l user]\n";
  75 }
  76 $Quiet = $opt_q;
  77
  78 # Get input/output directories
  79 $Indir = $opt_i || getcwd();    # default to current dir
  80 $Outdir = $opt_o || $Indir;     # default to input dir
  81 $Indir = getcwd() . "/$Indir" if (substr($Indir, 0, 1) ne "/");
  82 $Outdir = getcwd() . "/$Outdir" if (substr($Outdir, 0, 1) ne "/");
  83
  84 # Ignore SIGPIPE to allow proper error messages
  85 $SIG{PIPE} = 'IGNORE';
  86
  87 # Create ssh connection to server
  88 my(@args);
  89 if (defined($opt_l)) {
  90         push @args, "-l", $opt_l;
  91 }
  92 push @args, "-s", $Server, "codesign";
  93 $pid = open2(*SRV_OUT, *SRV_IN, "/usr/bin/ssh", @args) or
  94         die "ERROR Connection to server $Server failed\n";
  95 select(SRV_IN); $| = 1; select(STDOUT); # unbuffered writes
  96
  97 # Sign each file with the specified credential
  98 chdir($Indir);
  99 while (<>) {
 100         my ($cred, $path) = split;
 101
 102         sign_file($cred, $path);
 103 }
 104 exit($Warnings > 0);
 105
 106 #
 107 # END()
 108 #
 109 # Clean up after normal or abnormal exit.
 110 #
 111 sub END {
 112         my $old_status = $?;
 113
 114         $? = 0;
 115         close(SRV_IN);
 116         close(SRV_OUT);
 117         waitpid($pid, 0) if ($pid);
 118         if ($?) {
 119                 print STDERR "ERROR Connection to server $Server failed\n";
 120                 $? = 1;
 121         }
 122         $? = $old_status if ($? == 0);
 123 }
 124
 125 #
 126 # debug(msg)
 127 #
 128 # Print debug message to standard error.
 129 #
 130 sub debug {
 131         print STDERR "### @_";
 132 }
 133
 134 #
 135 # check_response(str)
 136 #
 137 # Validate response from server. Print messages for warnings or errors,
 138 # and exit in the case of an error. If the response indicates a successful
 139 # signing operation, return the size of the output data.
 140 #
 141 sub check_response {
 142         my ($str) = @_;
 143
 144         if ($str =~ /^OK SIGN (\d+)/) {
 145                 return ($1);
 146         }
 147         elsif ($str =~ /^OK/) {
 148                 return (0);
 149         }
 150         elsif ($str =~ /^WARNING/) {
 151                 print STDERR $str;
 152                 $Warnings++;
 153                 return (-1);
 154         }
 155         elsif ($str =~ /^ERROR/) {
 156                 print STDERR $str;
 157                 exit(1);
 158         }
 159         else {
 160                 printf STDERR "ERROR Protocol failure (%d)\n", length($str);
 161                 exit(1);
 162         }
 163 }
 164
 165 #
 166 # sign_file(credential, filename)
 167 #
 168 # Send the file to the server for signing. Package the file into a
 169 # ZIP archive, send to the server, and extract the ZIP archive that
 170 # is returned. The input ZIP archive always contains a single file,
 171 # but the returned archive may contain one or more files.
 172 #
 173 sub sign_file {
 174         my ($cred, $path) = @_;
 175         my ($res, $size);
 176
 177         $path =~ s:^\./::g; # remove leading "./"
 178         unlink("$Tmpdir/in.zip");
 179         system("cd $Indir; /usr/bin/zip -q $Tmpdir/in.zip $path");
 180
 181         sendfile("$Tmpdir/in.zip", "$cred $path") || return;
 182
 183         $res = <SRV_OUT>;
 184         $size = check_response($res);
 185         if ($size > 0) {
 186                 recvfile("$Tmpdir/out.zip", $size) || return;
 187
 188                 if (system("cd $Outdir; /usr/bin/unzip -qo $Tmpdir/out.zip")) {
 189                         $Warnings++;
 190                 } else {
 191                         print "$cred\t$path\n" unless $Quiet;
 192                 }
 193         }
 194 }
 195
 196 #
 197 # sendfile(file, args)
 198 #
 199 # Send a ZIP archive file to the signing server. This involves
 200 # sending a SIGN command with the given arguments, followed by
 201 # the contents of the archive itself.
 202 #
 203 sub sendfile {
 204         my ($file, $args) = @_;
 205         my ($size, $bytes);
 206
 207         $size = -s $file;
 208         print SRV_IN "SIGN $size $args\n";
 209         if (!open(F, "<$file")) {
 210                 print STDERR "$file: $!\n";
 211                 return (0);
 212         }
 213         read(F, $bytes, $size);
 214         close(F);
 215         if (!syswrite(SRV_IN, $bytes, $size)) {
 216                 print STDERR "Can't send to server: $!\n";
 217                 return (0);
 218         }
 219         return (1);
 220 }
 221
 222 #
 223 # recvfile(file, size)
 224 #
 225 # Receive a ZIP archive from the signing server. The caller
 226 # provides the size argument previously obtained from the
 227 # server response.
 228 #
 229 sub recvfile {
 230         my ($file, $size) = @_;
 231         my $bytes;
 232
 233         if (!read(SRV_OUT, $bytes, $size)) {
 234                 print STDERR "Can't read from server: $!\n";
 235                 return (0);
 236         }
 237         if (!open(F, ">$file")) {
 238                 print STDERR "$file: $!\n";
 239                 return (0);
 240         }
 241         syswrite(F, $bytes, $size);
 242         close(F);
 243         return (1);
 244 }