def _invoke_jarsigner(self):
for input_path in self.input_paths:
command = [
'jarsigner', '-verbose', '-keystore', 'NONE', '-storetype',
'PKCS11', '-storepass', 'none', '-providerclass',
'sun.security.pkcs11.SunPKCS11', '-providerArg',
self._pkcs11_provider_config_path(), '-certs'
]
if len(self.config.timestamping_servers) > 0:
command.append('-tsa')
command.append(random.choice(self.config.timestamping_servers))
command += self.config.extra_args
command.append(input_path)
command.append(self.config.certificate_label)
utils.invoke_command(self.logger,
'Signing with jarsigner: %s' % (input_path, ),
"Successfully signed '%s'." % (input_path, ),
"Error signing '%s'" % (input_path, ),
'jarsigner',
print_output_on_success=False,
command=command,
env=self.session_env)
def _login_tpp(self):
utils.invoke_command(
self.logger,
'Logging into TPP: configuring client: requesting grant from server.',
'Successfully obtained grant from TPP.',
'Error requesting grant from TPP',
'pkcs11config getgrant',
print_output_on_success=False,
command=[
utils.get_pkcs11config_tool_path(
self.config.venafi_client_tools_dir),
'getgrant',
'--force',
'--authurl=' + self.config.tpp_auth_url,
'--hsmurl=' + self.config.tpp_hsm_url,
'--username='******'--password',
self._get_tpp_password()
],
masks=[
False,
False,
False,
False,
False,
False,
False,
True
],
env=self.session_env
)
def _logout_tpp(self):
if not self.config.isolate_sessions:
return
try:
command = [
utils.get_cspconfig_tool_path(
self.config.venafi_client_tools_dir), 'revokegrant',
'-force', '-clear'
]
if self.config.machine_configuration:
command.append('-machine')
utils.invoke_command(self.logger,
'Logging out of TPP: revoking server grant.',
'Successfully revoked server grant.',
'Error revoking grant from TPP',
'cspconfig revokegrant',
print_output_on_success=False,
command=command,
env=self.session_env)
except utils.AbortException:
# utils.invoke_command() already logged an error message.
pass
except Exception:
# Don't reraise exception: preserve original exception in
# run()'s try block
logging.exception('Unexpected exception during TPP logout')
def _invoke_signtool(self):
signtool_path = utils.get_signtool_path(self.config.signtool_path)
# With VENAFICSPSilent, when an error occurs at the Venafi CSP driver level,
# that error is printed as part of the console output, instead of shown
# in a dialog box that requires the user to click OK.
env = {'VENAFICSPSilent': '1', **self.session_env}
for i, signature_digest_algo in enumerate(
self.config.signature_digest_algos):
should_append_signature = self.config.append_signatures or i > 0
command = [
signtool_path, 'sign', '/v', '/fd', signature_digest_algo
]
if len(self.config.timestamping_servers) > 0:
command.append('/tr')
command.append(random.choice(self.config.timestamping_servers))
command.append('/td')
command.append(signature_digest_algo)
if should_append_signature:
command.append('/as')
if self.config.certificate_subject_name is not None:
command.append('/n')
command.append(self.config.certificate_subject_name)
else:
command.append('/sha1')
command.append(self.config.certificate_sha1)
if self.config.machine_configuration:
command.append('/sm')
command += self.config.extra_args
command.append(self.config.input_path)
utils.invoke_command(
self.logger,
f'Signing with signtool: {self.config.input_path}',
f"Successfully signed '{self.config.input_path}'.",
f"Error signing '{self.config.input_path}'",
'signtool',
print_output_on_success=True,
command=command,
env=env)
def _invoke_jarsigner_verify(self):
for input_path in self.input_paths:
output = utils.invoke_command(
self.logger,
'Verifying with jarsigner: %s' % (input_path,),
None,
"Error verifying '%s'" % (input_path,),
'jarsigner -verify',
print_output_on_success=True,
command=[
'jarsigner',
'-verify',
'-verbose',
'-certs',
'-providerclass', 'sun.security.pkcs11.SunPKCS11',
'-providerArg', self._pkcs11_provider_config_path(),
'-keystore', 'NONE',
'-storetype', 'PKCS11',
'-storepass', 'none',
input_path,
]
)
if 'jar is unsigned' not in output:
self.logger.info("Successfully verified '%s'." % (input_path,))
else:
self.logger.error(
"Verification of '%s' failed: file is unsigned" %
(input_path,)
)
raise utils.AbortException()
def _invoke_csp_config_sync(self):
command = [
utils.get_cspconfig_tool_path(self.config.venafi_client_tools_dir),
'sync'
]
if self.config.machine_configuration:
command.append('-machine')
utils.invoke_command(
self.logger,
'Synchronizing local certificate store with TPP.',
'Successfully synchronized local certificate store with TPP.',
'Error synchronizing local certificate store with TPP',
'cspconfig sync',
print_output_on_success=False,
command=command,
env=self.session_env)
def _invoke_signtool_verify(self):
signtool_path = utils.get_signtool_path(self.config.signtool_path)
utils.invoke_command(
self.logger,
f'Verifying with signtool: {self.config.input_path}',
f"Successfully verified '{self.config.input_path}'.",
f"Error verifying '{self.config.input_path}'",
'signtool',
print_output_on_success=True,
command=[signtool_path, 'verify', '/pa', self.config.input_path],
env={
# With VENAFICSPSilent, when an error occurs at the Venafi CSP driver level,
# that error is printed as part of the console output, instead of shown
# in a dialog box that requires the user to click OK.
'VENAFICSPSilent': '1',
**self.session_env
})
def _logout_tpp(self):
try:
utils.invoke_command(self.logger,
'Logging out of TPP: revoking server grant.',
'Successfully revoked server grant.',
'Error revoking grant from TPP',
'pkcs11config revokegrant',
print_output_on_success=False,
command=[
utils.get_pkcs11config_tool_path(
self.config.venafi_client_tools_dir),
'revokegrant', '-force', '-clear'
],
env=self.session_env)
except utils.AbortException:
# utils.invoke_command() already logged an error message.
pass
except Exception:
# Don't reraise exception: allow temp_dir to be cleaned up
logging.exception('Unexpected exception during TPP logout')
def _maybe_trust_chain_with_label(self):
if self.config.trusted_chain_label is None:
return
trusted_chain_path = os.path.join(self.temp_dir.name, 'chain.crt')
command = [
'cspconfig', 'getcert', '-label', self.config.trusted_chain_label,
'-chainfile', trusted_chain_path
]
utils.invoke_command(
self.logger,
f"Fetching trusted chain '{self.config.trusted_chain_label}' from TPP.",
f"Successfully fetched chain '{self.config.trusted_chain_label}' from TPP.",
f"Error fetching chain '{self.config.trusted_chain_label}' from TPP",
'cspconfig getcert',
print_output_on_success=False,
command=command,
env=self.session_env)
utils.add_ca_cert_to_truststore(self.logger, trusted_chain_path)
def _login_tpp(self):
command = [
utils.get_cspconfig_tool_path(self.config.venafi_client_tools_dir),
'getgrant', '-force', '-authurl:' + self.config.tpp_auth_url,
'-hsmurl:' + self.config.tpp_hsm_url,
'-username:'******'-password',
self._get_tpp_password()
]
masks = [False, False, False, False, False, False, False, True]
if self.config.machine_configuration:
command.append('-machine')
masks.append(False)
utils.invoke_command(
self.logger,
'Logging into TPP: configuring client: requesting grant from server.',
'Successfully obtained grant from TPP.',
'Error requesting grant from TPP',
'cspconfig getgrant',
print_output_on_success=False,
command=command,
masks=masks,
env=self.session_env)
