# get the keystore location
if not options.KEYSTORE_LOCATION:
options.KEYSTORE_LOCATION = get_keystore_location()
# build the keystore
key_db = keystore.KeyStore(options.KEYSTORE_LOCATION)
key_ids = {}
for k in ["root", "targets", "release", "timestamp"]:
threshold = getattr(options, k.upper() + "_THRESHOLD")
if not threshold and not options.DEFAULT_THRESHOLD:
threshold = get_threshold(k)
elif options.DEFAULT_THRESHOLD:
threshold = options.DEFAULT_THRESHOLD
for i in range(threshold):
key = signerlib.generate_key(options.DEFAULT_KEY_SIZE)
if TEST: password = '******'
else: password = signercli._get_password()
key_db.add_key(key, password)
try:
key_ids[k][0].append(key.get_key_id())
except KeyError:
key_ids[k] = ([key.get_key_id()], threshold)
key_db.save()
# get the server root
if not options.SERVER_ROOT_LOCATION:
options.SERVER_ROOT_LOCATION = get_server_root()
# build the server root
metadata_loc = options.SERVER_ROOT_LOCATION + pathsep + "meta"
print metadata_loc
def genkey(args):
options, args = getopt.getopt(args, "", ["keystore="])
keystore = _get_keystore(options)
# TODO: Allow specifying key length.
signerlib.generate_key(bits=None, keystore=keystore)
def update_metadata(keystore_path, project_root, root_cfg_path, server_dir, add_keys, remove_keys, thresholds, keysize, state=BUILD_ROOT):
logger.info(state)
# normalize the paths
metadata_root = os.path.join(server_dir, "meta")
targets_root = os.path.join(server_dir, "targets")
# build the keydb
key_db = keystore.KeyStore(keystore_path)
if TEST: key_db.load(['test'])
while True:
if TEST: break
line = signercli._get_password("Please input a decryption password for the keystore, or -- to stop: ")
if line != '--':
key_db.load([line])
else:
break
# these are the keys we'll sign with and those that will wind up in the
# root.cfg when we're done
fuzzy_keys = {'root': set(), 'targets': set(), 'release': set(), 'timestamp': set()}
if not thresholds:
thresholds = { 'root': 1,
'targets': 1,
'release': 1,
'timestamp': 1}
# generate any new keys
for role, add in add_keys.items():
if add:
key = signerlib.generate_key(keysize)
pw = signercli._get_password()
key_db.add_key(key, pw)
fuzzy_keys[role].add(key.get_key_id())
key_db.save()
# get the config data
root_cfg = ConfigParser()
root_cfg.read(root_cfg_path)
# read the config data
known_keys = list(key_db._keys)
for role in fuzzy_keys:
for key_id in root_cfg.get(role, "keyids").split(","):
if key_id in known_keys:
fuzzy_keys[role].add(key_id)
if not thresholds[role]:
thresholds[role] = root_cfg.get(role, 'threshold')
# remove any removed keys
for role in fuzzy_keys:
fuzzy_keys[role].discard(remove_keys[role])
# write the results back to the root.cfg
expiration = root_cfg.get('expiration', 'days')
keydata = {}
for role in fuzzy_keys:
previous_keys = set(root_cfg.get(role, 'keyids').split(','))
previous_keys.discard(remove_keys[role])
previous_keys |= set(fuzzy_keys[role])
if len(previous_keys) < thresholds[role]:
msg = "Number of keys for %s is less then threshold."
msg += "Threshold set: %s, keys provided: %s"
msg = msg % (role, thresholds[role], previous_keys)
log.error(msg)
return
keydata[role] = (previous_keys, thresholds[role])
build_root_cfg(server_dir, expiration, keydata)
# copy the project over to the targets root
if project_root != targets_root:
rmtree(targets_root)
logger.info("removed the tree")
copytree(project_root, targets_root)
logger.info("copied the tree")
# started
if state == BUILD_ROOT:
try:
build_root_txt(root_cfg_path, fuzzy_keys['root'], key_db, metadata_root)
state += 1
except Exception, e:
print e
logger.info('Quickstart was unable to build root.txt. Please send the incomplete update to your root key holder.')
logger.info('They can continue the update process by running quickstart with the \'-step build_root\' argument')
state = FINISH
def genkey(args):
options, args = getopt.getopt(args, "", ["keystore="])
keystore = _get_keystore(options)
# TODO: Allow specifying key length.
signerlib.generate_key(bits=None, keystore=keystore)