def refresh_trust_stores() -> None:
"""Fetch the trust store of each supported platform and update the corresponding local YAML file at ./trust_stores.
"""
# Also pass the local certs repo so it gets updated when fetching the trust stores
certs_repo = RootCertificatesRepository.get_default()
# For each supported platform, fetch the trust store
store_fetcher = TrustStoreFetcher()
for platform in PlatformEnum:
if platform in [PlatformEnum.ORACLE_JAVA, PlatformEnum.OPENJDK]:
# TODO: Fix this
print(f"Skipping {platform.name}... TODO: Fixme")
continue
print(f"Refreshing {platform.name}...")
fetched_store = store_fetcher.fetch(platform, certs_repo)
# Compare the existing trust store with the one we fetched
has_store_changed = False
store_path = Path(ROOT_PATH) / "trust_stores" / f"{fetched_store.platform.name.lower()}.yaml"
try:
existing_store = TrustStore.from_yaml(store_path)
if existing_store != fetched_store:
has_store_changed = True
except FileNotFoundError:
# The store does not exist in the repo yet
has_store_changed = True
if has_store_changed:
print(f"Detected changes for {platform.name}; updating store...")
with open(store_path, mode="w") as store_file:
yaml.dump(fetched_store, store_file, encoding="utf-8", default_flow_style=False)
else:
print(f"No changes detected for {platform.name}")
def test_online(self):
certs_repo = RootCertificatesRepository.get_default()
store_fetcher = AppleTrustStoreFetcher()
fetched_store = store_fetcher.fetch(certs_repo)
assert fetched_store
assert 100 < len(fetched_store.trusted_certificates)
assert 6 < len(fetched_store.blocked_certificates)
def test_online(self):
certs_repo = RootCertificatesRepository.get_default()
store_fetcher = MacosTrustStoreFetcher()
fetched_store = store_fetcher.fetch(certs_repo)
self.assertTrue(fetched_store)
self.assertGreater(len(fetched_store.trusted_certificates), 100)
self.assertGreater(len(fetched_store.blocked_certificates), 6)
def refresh_trust_stores() -> None:
"""Fetch the trust store of each supported platform and update the corresponding local YAML file at ./trust_stores.
"""
# Also pass the local certs repo so it gets updated when fetching the trust stores
certs_repo = RootCertificatesRepository.get_default()
# For each supported platform, fetch the trust store
has_any_store_changed = False
store_fetcher = TrustStoreFetcher()
for platform in PlatformEnum:
if platform == PlatformEnum.ORACLE_JAVA:
# TODO: Fix this
print(f"Skipping {platform.name}... TODO: Fixme")
continue
print(f"Refreshing {platform.name}...")
fetched_store = store_fetcher.fetch(platform, certs_repo)
# Compare the existing trust store with the one we fetched
has_store_changed = False
store_path = Path(
ROOT_PATH
) / "trust_stores" / f"{fetched_store.platform.name.lower()}.yaml"
try:
existing_store = TrustStore.from_yaml(store_path)
if existing_store != fetched_store:
has_store_changed = True
except FileNotFoundError:
# The store does not exist in the repo yet
has_store_changed = True
if has_store_changed:
has_any_store_changed = True
print(f"Detected changes for {platform.name}; updating store...")
with open(store_path, mode="w") as store_file:
yaml.dump(fetched_store,
store_file,
encoding="utf-8",
default_flow_style=False)
else:
print(f"No changes detected for {platform.name}")
# If we are running on travis
if "TRAVIS" in environ:
print("Running on Travis...")
# Enable the deploy step if a change was detected
with open("should_travis_deploy", mode="w") as travis_file:
travis_flag = "1" if has_any_store_changed else "0"
travis_file.write(f"export SHOULD_TRAVIS_DEPLOY={travis_flag}\n")
def export_trust_stores() -> None:
"""Export the content of the trust store of each supported platform to a PEM file at ./export.
"""
certs_repo = RootCertificatesRepository.get_default()
out_pem_folder = ROOT_PATH / 'export'
out_pem_folder.mkdir(exist_ok=True)
# Export each trust store as a PEM file to ./export
print(f'Exporting stores as PEM to {out_pem_folder}...')
for platform in PlatformEnum:
print(f'Exporting {platform.name}...')
store = TrustStore.get_default_for_platform(platform)
all_certs_pem = store.export_trusted_certificates_as_pem(certs_repo)
out_pem_path = out_pem_folder / f'{platform.name.lower()}.pem'
with open(out_pem_path, mode='w') as out_pem_file:
out_pem_file.write(all_certs_pem)
def test_default_repository_integrity(self):
# Given the local repo of certificates
repo = RootCertificatesRepository.get_default()
# Each certificate that it returns is stored at the expected location
expected_repo_path = Path(os.path.abspath(
os.path.dirname(__file__))) / '..' / 'certificates'
for certificate in repo.get_all_certificates():
expected_file_name = hexlify(certificate.fingerprint(
SHA256())).decode('ascii')
expected_cert_path = expected_repo_path / f'{expected_file_name}.pem'
with open(expected_cert_path) as stored_cert_file:
stored_cert_pem = stored_cert_file.read()
stored_cert = load_pem_x509_certificate(
stored_cert_pem.encode(encoding='ascii'),
default_backend())
self.assertEqual(stored_cert, certificate)
def refresh_trust_stores() -> None:
"""Fetch the trust store of each supported platform and update the corresponding local YAML file at ./trust_stores.
"""
# Also pass the local certs repo so it gets updated when fetching the trust stores
certs_repo = RootCertificatesRepository.get_default()
# For each supported platform, fetch the trust store
has_any_store_changed = False
store_fetcher = TrustStoreFetcher()
for platform in PlatformEnum:
print(f'Refreshing {platform.name}...')
fetched_store = store_fetcher.fetch(platform, certs_repo)
# Compare the existing trust store with the one we fetched
has_store_changed = False
store_path = Path(
ROOT_PATH
) / 'trust_stores' / f'{fetched_store.platform.name.lower()}.yaml'
try:
existing_store = TrustStore.from_yaml(store_path)
if existing_store != fetched_store:
has_store_changed = True
except FileNotFoundError:
# The store does not exist in the repo yet
has_store_changed = True
if has_store_changed:
has_any_store_changed = True
print(f'Detected changes for {platform.name}; updating store...')
with open(store_path, mode='w') as store_file:
yaml.dump(fetched_store,
store_file,
encoding='utf-8',
default_flow_style=False)
else:
print(f'No changes detected for {platform.name}')
# If we are running on travis
if 'TRAVIS' in environ:
print('Running on Travis...')
# Enable the deploy step if a change was detected
with open('should_travis_deploy', mode='w') as travis_file:
travis_flag = '1' if has_any_store_changed else '0'
travis_file.write(f'export SHOULD_TRAVIS_DEPLOY={travis_flag}\n')
def test_default_repository_integrity(self):
# Given the local repo of certificates
repo = RootCertificatesRepository.get_default()
# Each certificate that it returns is stored at the expected location
expected_repo_path = Path(os.path.abspath(
os.path.dirname(__file__))) / ".." / "certificates"
all_certificates = repo.get_all_certificates()
assert all_certificates
for certificate in all_certificates:
expected_file_name = hexlify(certificate.fingerprint(
SHA256())).decode("ascii")
expected_cert_path = expected_repo_path / f"{expected_file_name}.pem"
with open(expected_cert_path) as stored_cert_file:
stored_cert_pem = stored_cert_file.read()
stored_cert = load_pem_x509_certificate(
stored_cert_pem.encode(encoding="ascii"),
default_backend())
assert stored_cert == certificate
import os
from pathlib import Path
from trust_stores_observatory.certificates_repository import RootCertificatesRepository
from trust_stores_observatory.trust_store import PlatformEnum, TrustStore
certs_repo = RootCertificatesRepository.get_default()
root_path = Path(os.path.abspath(os.path.dirname(__file__)))
out_pem_folder = root_path / 'export'
out_pem_folder.mkdir(exist_ok=True)
print(f'Exporting stores as PEM to {out_pem_folder}...')
# Export each trust store as a PEM file to ./export
for platform in PlatformEnum:
print(f'Exporting {platform.name}...')
store = TrustStore.get_default_for_platform(platform)
all_certs_pem = store.export_trusted_certificates_as_pem(certs_repo)
out_pem_path = out_pem_folder / f'{platform.name.lower()}.pem'
with open(out_pem_path, mode='w') as out_pem_file:
out_pem_file.write(all_certs_pem)