def initialize(self, imageinfo):
""" The following should be set at the end of the call
self.certs[BaseSignerV2.ROOT].cert
self.certs[BaseSignerV2.CA].cert
self.certs[BaseSignerV2.ATTEST].cert
self.signature
"""
# Initialize the base signer
BaseSignerV2.initialize(self, imageinfo)
# Create the request packet
attrs = SigningAttributes()
attrs.update_from_image_info_attrs(self.signing_attributes)
request = {
'machine': platform.node(),
'sign_id': imageinfo.sign_id,
'to_sign': BinString(self.hash_to_sign),
'authority': imageinfo.authority,
'signing_attributes': self.get_general_properties_dict(imageinfo.general_properties),
}
# Send the signing request
remote_host, remote_port = self.resolve_remote_server_info()
client = QcomRemoteClient(host=remote_host, port=remote_port)
logger.info('Signing with the remote server at ' + remote_host + ':' +
str(remote_port) + '. Please wait for signing to complete.')
response = client.sign_hash(request=request)
# Check return code
if response['retcode'] != 0:
raise RuntimeError('Qcom remote signing failed [' + str(response['retcode']) + ']: ' +
str(response['errstr']))
# Set the local vars
root_cert, ca_cert, attest_cert, signature = (str(response['sig_pkg']['root']), str(response['sig_pkg']['ca']),
str(response['sig_pkg']['attest']),
str(response['sig_pkg']['signature']))
# Make sure all assets are present
if signature is None:
raise RuntimeError("Signature is missing")
if attest_cert is None:
raise RuntimeError("Attestation Certificate is missing")
if ca_cert is None:
raise RuntimeError("CA Certificate is missing")
if root_cert is None:
raise RuntimeError("Root Certificate is missing")
# Set all the variables
self.certs[self.ROOT].cert = cert.get_cert_in_format(root_cert, utils.FORMAT_DER, utils.FORMAT_PEM)
self.certs[self.CA].cert = cert.get_cert_in_format(ca_cert, utils.FORMAT_DER, utils.FORMAT_PEM)
self.certs[self.ATTEST].cert = cert.get_cert_in_format(attest_cert, utils.FORMAT_DER, utils.FORMAT_PEM)
self.signature = signature
def _get_cert_key(self, cert_type):
cert_type_obj = self.certs[cert_type]
# Return existing cert
if cert_type_obj.cert is not None:
return cert_type_obj.cert, cert_type_obj.priv_key
# Get the previous cert
prev_type_obj = None
for k in self.CERT_LIST:
if k in self.certs:
v = self.certs[k]
if prev_type_obj is None:
prev_type_obj = v
if k == cert_type:
break
prev_type_obj = v
else:
raise RuntimeError('Cert type is invalid: ' + cert_type)
# Generate new cert
logger.info('Generating new certificate ' + cert_type)
cert, cert_type_obj.priv_key, cert_type_obj.pub_key = self.generate_new_cert(cert_type,
cert_type_obj,
prev_type_obj,
extfile=cert_type_obj.extfile,
self_sign=(cert_type == self.ROOT),
padding=self.padding)
# Check if the cert is in der format
if cert_functions.get_cert_format(cert) != utils.FORMAT_PEM:
cert = cert_functions.get_cert_in_format(cert, utils.FORMAT_DER,
utils.FORMAT_PEM)
cert_type_obj.cert = cert
return cert_type_obj.cert, cert_type_obj.priv_key
def _get_cert_key_from_property(self, cert_property, cert_type):
"""Gets the cert & key from dataprov info
:type cert_property: CertProperty
:type cert_type: str
"""
cert, priv_key, pub_key = None, None, None
# Validate the cert property
if not cert_property.validate():
raise RuntimeError(cert_type.title() + " certificate params are invalid! Please check config file.")
logger.info('Initialization with dataprov. These fields might not be used in final output if overridden')
# Extract the private and public key
if cert_property.priv_path and c_path.validate_file(cert_property.priv_path):
logger.info('Using a predefined ' + cert_type + ' private key from: ' + cert_property.priv_path)
with open(cert_property.priv_path, 'rb') as fp:
priv_key = fp.read()
if self.using_ecdsa:
priv_key = ecdsa_functions.get_key_in_format(priv_key, utils.FORMAT_PEM)
pub_key = ecdsa_functions.get_public_key_from_private(priv_key)
else:
priv_key = rsa_functions.get_key_in_format(priv_key, utils.FORMAT_PEM)
pub_key = rsa_functions.get_public_key_from_private(priv_key)
# Extract the certificate
if cert_property.cert_path and c_path.validate_file(cert_property.cert_path):
logger.info('Using a predefined ' + cert_type + ' certificate from: ' + cert_property.cert_path)
with open(cert_property.cert_path, 'rb') as fp:
cert = fp.read()
cert = cert_functions.get_cert_in_format(cert, utils.FORMAT_PEM)
return cert, priv_key, pub_key
def update_certs_format(self):
# Update basic certs
for tag in ['root_cert', 'attestation_ca_cert', 'attestation_cert']:
val = getattr(self, tag)
if val:
val = cert_functions.get_cert_in_format(val, utils.FORMAT_DER)
setattr(self, tag, val)
# Update root cert list
for idx in range(len(self.root_cert_list)):
val = self.root_cert_list[idx]
if val:
val = cert_functions.get_cert_in_format(val, utils.FORMAT_DER)
self.root_cert_list[idx] = val
# Update keys
for tag in ['root_key', 'attestation_ca_key', 'attestation_key']:
val = getattr(self, tag)
if val:
val = rsa_functions.get_key_in_format(val, utils.FORMAT_DER)
setattr(self, tag, val)
