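def command(cls, args, data=None, expect_err=False):
    """Run the openssl binary with ``args`` and return what it printed.

    Args:
        cls: not used in this body; presumably bound by a ``@classmethod``
            decorator that is outside this listing (TODO confirm).
        args: list of command-line arguments appended after ``OPENSSL``.
        data: optional bytes to feed to the child's stdin.
        expect_err: some openssl commands always write to stderr. When
            true, stderr is not logged as an error and is returned
            together with stdout.

    Returns:
        The child's stdout, or an ``(out, err)`` tuple when ``expect_err``
        is true.

    Raises:
        OpenSslFailure: if openssl exits with a non-zero status.
    """
    # An argument list with the default shell=False means no shell parses
    # the arguments, so file names in ``args`` cannot inject commands.
    cmd = [OPENSSL] + args
    cmd_str = ' '.join(cmd)
    # NOTE(review): the full command line is written to the debug log and
    # embedded in the exception message below. Callers should keep secrets
    # out of ``args`` (for example an inline ``-passin pass:...`` value).
    log.debug('running openssl command ' + cmd_str)
    proc = subprocess.Popen(cmd,
                            stdin=subprocess.PIPE,
                            stderr=subprocess.PIPE,
                            stdout=subprocess.PIPE)
    # Hand the input to communicate() instead of writing to proc.stdin
    # first: a direct write can block forever once the pipe buffer fills
    # while the child is itself blocked writing to stdout/stderr.
    # communicate() interleaves the write with the reads and closes stdin.
    out, err = proc.communicate(data)
    # Truthiness covers None, '' and b''. Comparing against '' alone treats
    # an empty bytes stderr as an error on Python 3.
    if not expect_err and err:
        log.error("Command `{0}` returned error:\n{1}".format(cmd_str, err))
    # A non-zero exit status is a failure whether or not stderr was expected.
    if proc.returncode != 0:
        msg = "openssl command `{0}` failed, see log for error".format(cmd_str)
        raise OpenSslFailure(msg)
    if expect_err:
        return (out, err)
    return out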
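def sign(self, data):
    """Sign ``data`` with ``openssl cms -sign`` and return the result.

    The previous docstring said a filehandle is returned. The code returns
    the value of ``openssl_command`` directly and takes ``len()`` of it, so
    it is presumably the DER-encoded signature as a byte string (confirm
    against ``openssl_command``).

    Args:
        data: content to sign, passed to ``openssl_command`` as its input.

    Returns:
        The output of the openssl command (``-outform DER``).

    Raises:
        OpenSslFailure: if the returned signature is shorter than 128
            bytes. ``openssl_command`` may raise for other failures.
    """
    cmd = [
        "cms",
        "-sign", "-binary", "-nosmimecap",
        "-certfile", self.apple_cert_file,
        "-signer", self.signer_cert_file,
        "-inkey", self.signer_key_file,
        "-keyform", "pem",
        "-outform", "DER"
    ]
    signature = openssl_command(cmd, data)
    # In some cases this has returned a zero-length result even though the
    # command reported success (misconfigured machines?).
    # NOTE(review): the length threshold is only a sanity check. It does
    # not show that the output is a well-formed CMS structure or that it
    # verifies against the signer certificate.
    if len(signature) < 128:
        # Parenthesised so both halves always form one format string. As
        # two bare statements the second literal would be dropped and the
        # byte count would never reach the message.
        too_small_msg = ("Command `{0}` returned success, but signature "
                         "seems too small ({1} bytes)")
        raise OpenSslFailure(
            too_small_msg.format(' '.join(cmd), len(signature)))
    return signature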