def _sign(self, binary_to_sign, image_tosign_filename, cert_folder): c_path.create_dir(cert_folder) c_misc.store_data_to_file(image_tosign_filename, binary_to_sign) sig_package = signerutils.getSigPackage(cert_folder) if sig_package is not None: [signature, cert_chain_list] = signerutils.\ readSigFromZip(sig_package) if self.validate_sig(binary_to_sign, signature, cert_chain_list) is False: raise ExternalSignerError( self.MESG_INVALID_SIG.format(image_tosign_filename, sig_package)) else: raise ExternalSignerError( self.MESG_ASKUSERTOSIGN.format(image_tosign_filename, cert_folder)) signer_output = self._get_signer_output(signature, cert_chain_list) self._cleanup(cert_folder) return signer_output
def process_signature_response(self): self.signature_package = SignaturePackage( self.connector_response, self.signing_package.get_digest().lower(), self.signature_result_file_name) [signature, cert_chain_list ] = signerutils.readSigFromZip(self.signature_result_file_name) if not self.validate_sig_using_hash(self.hash_to_sign, signature, cert_chain_list): raise ExternalSignerError( self.MESG_INVALID_SIG.format(self.signature_result_file_name)) # Validate padding cert_text = crypto.cert.get_text(cert_chain_list[0]) use_pss = crypto.cert.get_sign_algo( cert_text) == crypto.cert.SIGN_ALGO_RSA_PSS cass_padding = self.PAD_PSS if use_pss else self.PAD_PKCS if cass_padding != self.padding: raise ExternalSignerError( self.MESG_INVALID_PADDING.format(cass_padding.upper(), self.padding.upper())) # Clean up/save signing package and signature response if self.debug_dir is None: c_path.clean_file(self.signing_package_file_name) c_path.clean_file(self.signature_result_file_name) c_misc.store_debug_data_to_file(self.SIGNATURE_PACKAGE_FILENAME, self.connector_response, self.debug_dir) # Extract certificates to create signer output out_root_cert = None out_attest_ca_cert = None out_attest_cert = cert_chain_list[0] if len(cert_chain_list) == 3: out_attest_ca_cert = cert_chain_list[1] out_root_cert = cert_chain_list[2] elif len(cert_chain_list) == 2: out_root_cert = cert_chain_list[1] signer_output = SignerOutput() signer_output.root_cert = out_root_cert signer_output.attestation_ca_cert = out_attest_ca_cert signer_output.attestation_cert = out_attest_cert signer_output.signature = signature return signer_output
def _executeCmds(self, cmds): # Need to run in cass-client-refapp directory returnValue, returnError, f_timeout, f_retcode, f_output = CassCoreSubprocess.executeCommand( launchCommand=cmds, retcode=0, timeout=self.TIMEOUT, successString="SUCCESS", workingDir=self.CASS_CLIENT_REFAPP_DIR, stderr=CoreSubprocess.STDERR_STDOUT) if returnValue is False: if f_timeout is True: raise ExternalSignerError(self.MESG_TIMEOUT.format(self.TIMEOUT)) else: error_mesg = self._process_error(f_output) raise ExternalSignerError(error_mesg) return f_output
def getSigPackage(cert_folder): from sectools.features.isc.signer.base_signer import ExternalSignerError sig_package = None zipfiles = glob.glob(c_path.join(cert_folder, '*.zip')) if len(zipfiles) == 1: sig_package = zipfiles[0] elif len(zipfiles) > 1: raise ExternalSignerError(MESG_MULTIPLE_ZIP.format(cert_folder)) return sig_package
def save(self): if self.status_code != "1": raise ExternalSignerError( "Error returned from signature response:\n{0}".format( self._get_tag("Error").text)) result = self._get_result() path, f = os.path.split(self.signature_result_file) if not os.path.exists(path): os.makedirs(path) c_misc.store_data_to_file(self.signature_result_file, result)
def _validate(self): if self.count != 1: raise RuntimeError("Signature package has an invalid count of {0}.".format(self.count)) if self.digest is None: raise RuntimeError("Signature package digest is missing.") else: logger.debug("Signature package digest is: \"{0}\"".format(self.digest)) if self.digest.lower() != self.signing_package_digest.lower(): raise ExternalSignerError("Signing package digest mismatched signature package digest.")
def readSigFromZip(zipfilename): from sectools.features.isc.signer.base_signer import ExternalSignerError if os.path.isfile(zipfilename) is False: raise ExternalSignerError(MESG_SIG_NOT_FOUND.format(zipfilename)) [zipfp, sigFiles] = getSigFilesFromZip(zipfilename) [signature, cert_chain_list] = readFilesFromZip(zipfp, sigFiles.signature, sigFiles.attestation_cert, sigFiles.attestation_ca_cert, sigFiles.root_cert_list) zipfp.close() return [signature, cert_chain_list]
def sign_hash(self, hash_to_sign, imageinfo, binary_to_sign=None, debug_dir=None, sha_algo=None): cass_signer_attributes = self.config.signing.signer_attributes.cass_signer_attributes if debug_dir is not None: cass_output_dir = debug_dir else: cass_output_dir = imageinfo.dest_image.image_dir signingpackage_fname = os.path.join(cass_output_dir, self.SIGNINGPACKAGE_FILENAME) signature_result_fname = os.path.join(cass_output_dir, self.SIGNATURE_RESULT_FILENAME) signing_package = self._generate_signing_package( hash_to_sign, imageinfo.signing_attributes, cass_signer_attributes, imageinfo.dest_image.image_path, signingpackage_fname, binary_to_sign) connector = CassConnector(cass_signer_attributes) signature_package_blob = connector.sign(signingpackage_fname, imageinfo.dest_image.image_dir) self._process_signature_package(signature_package_blob, signing_package, signature_result_fname) [signature, cert_chain_list] = signerutils.\ readSigFromZip(signature_result_fname) if self.validate_sig(binary_to_sign, signature, cert_chain_list) is False: raise ExternalSignerError( self.MESG_INVALID_SIG.format(signature_result_fname)) signer_output = self._get_signer_output(signature, cert_chain_list) # Clean up/save signing package and signature response if debug_dir is None: c_path.clean_file(signingpackage_fname) c_path.clean_file(signature_result_fname) c_misc.store_debug_data_to_file(self.SIGNATUREPACKAGE_FILENAME, signature_package_blob, debug_dir) return signer_output
def process_signature_response(self): self.signature_package = SignaturePackage( self.connector_response, self.signing_package.get_digest().lower(), self.signature_result_file_name) [signature, cert_chain_list ] = signerutils.readSigFromZip(self.signature_result_file_name) if self.validate_sig_using_hash(self.hash_to_sign, signature, cert_chain_list) is False: raise ExternalSignerError( self.MESG_INVALID_SIG.format(self.signature_result_file_name)) # Clean up/save signing package and signature response if self.debug_dir is None: c_path.clean_file(self.signing_package_file_name) c_path.clean_file(self.signature_result_file_name) c_misc.store_debug_data_to_file(self.SIGNATURE_PACKAGE_FILENAME, self.connector_response, self.debug_dir) # Extract certificates to create signer output out_root_cert = None out_attest_ca_cert = None out_attest_cert = cert_chain_list[0] if len(cert_chain_list) == 3: out_attest_ca_cert = cert_chain_list[1] out_root_cert = cert_chain_list[2] elif len(cert_chain_list) == 2: out_root_cert = cert_chain_list[1] signer_output = SignerOutput() signer_output.root_cert = out_root_cert signer_output.attestation_ca_cert = out_attest_ca_cert signer_output.attestation_cert = out_attest_cert signer_output.signature = signature return signer_output