def _invoke_jarsigner(self): for input_path in self.input_paths: command = [ 'jarsigner', '-verbose', '-keystore', 'NONE', '-storetype', 'PKCS11', '-storepass', 'none', '-providerclass', 'sun.security.pkcs11.SunPKCS11', '-providerArg', self._pkcs11_provider_config_path(), '-certs' ] if len(self.config.timestamping_servers) > 0: command.append('-tsa') command.append(random.choice(self.config.timestamping_servers)) command += self.config.extra_args command.append(input_path) command.append(self.config.certificate_label) utils.invoke_command(self.logger, 'Signing with jarsigner: %s' % (input_path, ), "Successfully signed '%s'." % (input_path, ), "Error signing '%s'" % (input_path, ), 'jarsigner', print_output_on_success=False, command=command, env=self.session_env)
def _login_tpp(self): utils.invoke_command( self.logger, 'Logging into TPP: configuring client: requesting grant from server.', 'Successfully obtained grant from TPP.', 'Error requesting grant from TPP', 'pkcs11config getgrant', print_output_on_success=False, command=[ utils.get_pkcs11config_tool_path( self.config.venafi_client_tools_dir), 'getgrant', '--force', '--authurl=' + self.config.tpp_auth_url, '--hsmurl=' + self.config.tpp_hsm_url, '--username='******'--password', self._get_tpp_password() ], masks=[ False, False, False, False, False, False, False, True ], env=self.session_env )
def _logout_tpp(self): if not self.config.isolate_sessions: return try: command = [ utils.get_cspconfig_tool_path( self.config.venafi_client_tools_dir), 'revokegrant', '-force', '-clear' ] if self.config.machine_configuration: command.append('-machine') utils.invoke_command(self.logger, 'Logging out of TPP: revoking server grant.', 'Successfully revoked server grant.', 'Error revoking grant from TPP', 'cspconfig revokegrant', print_output_on_success=False, command=command, env=self.session_env) except utils.AbortException: # utils.invoke_command() already logged an error message. pass except Exception: # Don't reraise exception: preserve original exception in # run()'s try block logging.exception('Unexpected exception during TPP logout')
def _invoke_signtool(self): signtool_path = utils.get_signtool_path(self.config.signtool_path) # With VENAFICSPSilent, when an error occurs at the Venafi CSP driver level, # that error is printed as part of the console output, instead of shown # in a dialog box that requires the user to click OK. env = {'VENAFICSPSilent': '1', **self.session_env} for i, signature_digest_algo in enumerate( self.config.signature_digest_algos): should_append_signature = self.config.append_signatures or i > 0 command = [ signtool_path, 'sign', '/v', '/fd', signature_digest_algo ] if len(self.config.timestamping_servers) > 0: command.append('/tr') command.append(random.choice(self.config.timestamping_servers)) command.append('/td') command.append(signature_digest_algo) if should_append_signature: command.append('/as') if self.config.certificate_subject_name is not None: command.append('/n') command.append(self.config.certificate_subject_name) else: command.append('/sha1') command.append(self.config.certificate_sha1) if self.config.machine_configuration: command.append('/sm') command += self.config.extra_args command.append(self.config.input_path) utils.invoke_command( self.logger, f'Signing with signtool: {self.config.input_path}', f"Successfully signed '{self.config.input_path}'.", f"Error signing '{self.config.input_path}'", 'signtool', print_output_on_success=True, command=command, env=env)
def _invoke_jarsigner_verify(self): for input_path in self.input_paths: output = utils.invoke_command( self.logger, 'Verifying with jarsigner: %s' % (input_path,), None, "Error verifying '%s'" % (input_path,), 'jarsigner -verify', print_output_on_success=True, command=[ 'jarsigner', '-verify', '-verbose', '-certs', '-providerclass', 'sun.security.pkcs11.SunPKCS11', '-providerArg', self._pkcs11_provider_config_path(), '-keystore', 'NONE', '-storetype', 'PKCS11', '-storepass', 'none', input_path, ] ) if 'jar is unsigned' not in output: self.logger.info("Successfully verified '%s'." % (input_path,)) else: self.logger.error( "Verification of '%s' failed: file is unsigned" % (input_path,) ) raise utils.AbortException()
def _invoke_csp_config_sync(self): command = [ utils.get_cspconfig_tool_path(self.config.venafi_client_tools_dir), 'sync' ] if self.config.machine_configuration: command.append('-machine') utils.invoke_command( self.logger, 'Synchronizing local certificate store with TPP.', 'Successfully synchronized local certificate store with TPP.', 'Error synchronizing local certificate store with TPP', 'cspconfig sync', print_output_on_success=False, command=command, env=self.session_env)
def _invoke_signtool_verify(self): signtool_path = utils.get_signtool_path(self.config.signtool_path) utils.invoke_command( self.logger, f'Verifying with signtool: {self.config.input_path}', f"Successfully verified '{self.config.input_path}'.", f"Error verifying '{self.config.input_path}'", 'signtool', print_output_on_success=True, command=[signtool_path, 'verify', '/pa', self.config.input_path], env={ # With VENAFICSPSilent, when an error occurs at the Venafi CSP driver level, # that error is printed as part of the console output, instead of shown # in a dialog box that requires the user to click OK. 'VENAFICSPSilent': '1', **self.session_env })
def _logout_tpp(self): try: utils.invoke_command(self.logger, 'Logging out of TPP: revoking server grant.', 'Successfully revoked server grant.', 'Error revoking grant from TPP', 'pkcs11config revokegrant', print_output_on_success=False, command=[ utils.get_pkcs11config_tool_path( self.config.venafi_client_tools_dir), 'revokegrant', '-force', '-clear' ], env=self.session_env) except utils.AbortException: # utils.invoke_command() already logged an error message. pass except Exception: # Don't reraise exception: allow temp_dir to be cleaned up logging.exception('Unexpected exception during TPP logout')
def _maybe_trust_chain_with_label(self): if self.config.trusted_chain_label is None: return trusted_chain_path = os.path.join(self.temp_dir.name, 'chain.crt') command = [ 'cspconfig', 'getcert', '-label', self.config.trusted_chain_label, '-chainfile', trusted_chain_path ] utils.invoke_command( self.logger, f"Fetching trusted chain '{self.config.trusted_chain_label}' from TPP.", f"Successfully fetched chain '{self.config.trusted_chain_label}' from TPP.", f"Error fetching chain '{self.config.trusted_chain_label}' from TPP", 'cspconfig getcert', print_output_on_success=False, command=command, env=self.session_env) utils.add_ca_cert_to_truststore(self.logger, trusted_chain_path)
def _login_tpp(self): command = [ utils.get_cspconfig_tool_path(self.config.venafi_client_tools_dir), 'getgrant', '-force', '-authurl:' + self.config.tpp_auth_url, '-hsmurl:' + self.config.tpp_hsm_url, '-username:'******'-password', self._get_tpp_password() ] masks = [False, False, False, False, False, False, False, True] if self.config.machine_configuration: command.append('-machine') masks.append(False) utils.invoke_command( self.logger, 'Logging into TPP: configuring client: requesting grant from server.', 'Successfully obtained grant from TPP.', 'Error requesting grant from TPP', 'cspconfig getgrant', print_output_on_success=False, command=command, masks=masks, env=self.session_env)