def _sign(self, binary_to_sign, image_tosign_filename, cert_folder):
c_path.create_dir(cert_folder)
c_misc.store_data_to_file(image_tosign_filename, binary_to_sign)
sig_package = signerutils.getSigPackage(cert_folder)
if sig_package is not None:
[signature, cert_chain_list] = signerutils.\
readSigFromZip(sig_package)
if self.validate_sig(binary_to_sign, signature,
cert_chain_list) is False:
raise ExternalSignerError(
self.MESG_INVALID_SIG.format(image_tosign_filename,
sig_package))
else:
raise ExternalSignerError(
self.MESG_ASKUSERTOSIGN.format(image_tosign_filename,
cert_folder))
signer_output = self._get_signer_output(signature, cert_chain_list)
self._cleanup(cert_folder)
return signer_output
def process_signature_response(self):
self.signature_package = SignaturePackage(
self.connector_response,
self.signing_package.get_digest().lower(),
self.signature_result_file_name)
[signature, cert_chain_list
] = signerutils.readSigFromZip(self.signature_result_file_name)
if not self.validate_sig_using_hash(self.hash_to_sign, signature,
cert_chain_list):
raise ExternalSignerError(
self.MESG_INVALID_SIG.format(self.signature_result_file_name))
# Validate padding
cert_text = crypto.cert.get_text(cert_chain_list[0])
use_pss = crypto.cert.get_sign_algo(
cert_text) == crypto.cert.SIGN_ALGO_RSA_PSS
cass_padding = self.PAD_PSS if use_pss else self.PAD_PKCS
if cass_padding != self.padding:
raise ExternalSignerError(
self.MESG_INVALID_PADDING.format(cass_padding.upper(),
self.padding.upper()))
# Clean up/save signing package and signature response
if self.debug_dir is None:
c_path.clean_file(self.signing_package_file_name)
c_path.clean_file(self.signature_result_file_name)
c_misc.store_debug_data_to_file(self.SIGNATURE_PACKAGE_FILENAME,
self.connector_response,
self.debug_dir)
# Extract certificates to create signer output
out_root_cert = None
out_attest_ca_cert = None
out_attest_cert = cert_chain_list[0]
if len(cert_chain_list) == 3:
out_attest_ca_cert = cert_chain_list[1]
out_root_cert = cert_chain_list[2]
elif len(cert_chain_list) == 2:
out_root_cert = cert_chain_list[1]
signer_output = SignerOutput()
signer_output.root_cert = out_root_cert
signer_output.attestation_ca_cert = out_attest_ca_cert
signer_output.attestation_cert = out_attest_cert
signer_output.signature = signature
return signer_output
def _executeCmds(self, cmds):
# Need to run in cass-client-refapp directory
returnValue, returnError, f_timeout, f_retcode, f_output = CassCoreSubprocess.executeCommand(
launchCommand=cmds,
retcode=0,
timeout=self.TIMEOUT,
successString="SUCCESS",
workingDir=self.CASS_CLIENT_REFAPP_DIR,
stderr=CoreSubprocess.STDERR_STDOUT)
if returnValue is False:
if f_timeout is True:
raise ExternalSignerError(self.MESG_TIMEOUT.format(self.TIMEOUT))
else:
error_mesg = self._process_error(f_output)
raise ExternalSignerError(error_mesg)
return f_output
def getSigPackage(cert_folder):
from sectools.features.isc.signer.base_signer import ExternalSignerError
sig_package = None
zipfiles = glob.glob(c_path.join(cert_folder, '*.zip'))
if len(zipfiles) == 1:
sig_package = zipfiles[0]
elif len(zipfiles) > 1:
raise ExternalSignerError(MESG_MULTIPLE_ZIP.format(cert_folder))
return sig_package
def save(self):
if self.status_code != "1":
raise ExternalSignerError(
"Error returned from signature response:\n{0}".format(
self._get_tag("Error").text))
result = self._get_result()
path, f = os.path.split(self.signature_result_file)
if not os.path.exists(path):
os.makedirs(path)
c_misc.store_data_to_file(self.signature_result_file, result)
def _validate(self):
if self.count != 1:
raise RuntimeError("Signature package has an invalid count of {0}.".format(self.count))
if self.digest is None:
raise RuntimeError("Signature package digest is missing.")
else:
logger.debug("Signature package digest is: \"{0}\"".format(self.digest))
if self.digest.lower() != self.signing_package_digest.lower():
raise ExternalSignerError("Signing package digest mismatched signature package digest.")
def readSigFromZip(zipfilename):
from sectools.features.isc.signer.base_signer import ExternalSignerError
if os.path.isfile(zipfilename) is False:
raise ExternalSignerError(MESG_SIG_NOT_FOUND.format(zipfilename))
[zipfp, sigFiles] = getSigFilesFromZip(zipfilename)
[signature,
cert_chain_list] = readFilesFromZip(zipfp, sigFiles.signature,
sigFiles.attestation_cert,
sigFiles.attestation_ca_cert,
sigFiles.root_cert_list)
zipfp.close()
return [signature, cert_chain_list]
def sign_hash(self,
hash_to_sign,
imageinfo,
binary_to_sign=None,
debug_dir=None,
sha_algo=None):
cass_signer_attributes = self.config.signing.signer_attributes.cass_signer_attributes
if debug_dir is not None:
cass_output_dir = debug_dir
else:
cass_output_dir = imageinfo.dest_image.image_dir
signingpackage_fname = os.path.join(cass_output_dir,
self.SIGNINGPACKAGE_FILENAME)
signature_result_fname = os.path.join(cass_output_dir,
self.SIGNATURE_RESULT_FILENAME)
signing_package = self._generate_signing_package(
hash_to_sign, imageinfo.signing_attributes, cass_signer_attributes,
imageinfo.dest_image.image_path, signingpackage_fname,
binary_to_sign)
connector = CassConnector(cass_signer_attributes)
signature_package_blob = connector.sign(signingpackage_fname,
imageinfo.dest_image.image_dir)
self._process_signature_package(signature_package_blob,
signing_package,
signature_result_fname)
[signature, cert_chain_list] = signerutils.\
readSigFromZip(signature_result_fname)
if self.validate_sig(binary_to_sign, signature,
cert_chain_list) is False:
raise ExternalSignerError(
self.MESG_INVALID_SIG.format(signature_result_fname))
signer_output = self._get_signer_output(signature, cert_chain_list)
# Clean up/save signing package and signature response
if debug_dir is None:
c_path.clean_file(signingpackage_fname)
c_path.clean_file(signature_result_fname)
c_misc.store_debug_data_to_file(self.SIGNATUREPACKAGE_FILENAME,
signature_package_blob, debug_dir)
return signer_output
def process_signature_response(self):
self.signature_package = SignaturePackage(
self.connector_response,
self.signing_package.get_digest().lower(),
self.signature_result_file_name)
[signature, cert_chain_list
] = signerutils.readSigFromZip(self.signature_result_file_name)
if self.validate_sig_using_hash(self.hash_to_sign, signature,
cert_chain_list) is False:
raise ExternalSignerError(
self.MESG_INVALID_SIG.format(self.signature_result_file_name))
# Clean up/save signing package and signature response
if self.debug_dir is None:
c_path.clean_file(self.signing_package_file_name)
c_path.clean_file(self.signature_result_file_name)
c_misc.store_debug_data_to_file(self.SIGNATURE_PACKAGE_FILENAME,
self.connector_response,
self.debug_dir)
# Extract certificates to create signer output
out_root_cert = None
out_attest_ca_cert = None
out_attest_cert = cert_chain_list[0]
if len(cert_chain_list) == 3:
out_attest_ca_cert = cert_chain_list[1]
out_root_cert = cert_chain_list[2]
elif len(cert_chain_list) == 2:
out_root_cert = cert_chain_list[1]
signer_output = SignerOutput()
signer_output.root_cert = out_root_cert
signer_output.attestation_ca_cert = out_attest_ca_cert
signer_output.attestation_cert = out_attest_cert
signer_output.signature = signature
return signer_output
