
[swugenerator,V2] add option to encrypt sw-description

Message ID 20220722123150.10869-1-ayoub.zaki@embexus.com
State Accepted

Commit Message

Ayoub Zaki July 22, 2022, 12:31 p.m. UTC
Signed-off-by: Ayoub Zaki <ayoub.zaki@embexus.com>
---
 swugenerator/generator.py | 20 ++++++++++++++++----
 swugenerator/main.py      | 10 ++++++++++
 2 files changed, 26 insertions(+), 4 deletions(-)

Comments

Stefano Babic Aug. 5, 2022, 9 a.m. UTC | #1
Hallo Ayoub,

On 22.07.22 14:31, Ayoub Zaki wrote:
> Signed-off-by: Ayoub Zaki <ayoub.zaki@embexus.com>
> ---
>   swugenerator/generator.py | 20 ++++++++++++++++----
>   swugenerator/main.py      | 10 ++++++++++
>   2 files changed, 26 insertions(+), 4 deletions(-)
> 
> diff --git a/swugenerator/generator.py b/swugenerator/generator.py
> index c6b55e8..3f03b1d 100644
> --- a/swugenerator/generator.py
> +++ b/swugenerator/generator.py
> @@ -3,6 +3,7 @@
>   # SPDX-License-Identifier: GPLv3
>   import logging
>   import os
> +import shutil
>   import re
>   import codecs
>   import libconf
> @@ -15,7 +16,7 @@ from swugenerator.artifact import Artifact
>   
>   
>   class SWUGenerator:
> -    def __init__(self, template, out, confvars, dirs, crypt, aeskey, firstiv, no_compress=False):
> +    def __init__(self, template, out, confvars, dirs, crypt, aeskey, firstiv, encrypt_swdesc=False, no_compress=False):
>           self.swdescription = template
>           self.artifacts = []
>           self.out = open(out, 'wb')
> @@ -29,6 +30,7 @@ class SWUGenerator:
>           self.signtool = crypt
>           self.aeskey = aeskey
>           self.aesiv = firstiv
> +        self.encryptswdesc = encrypt_swdesc
>           self.nocompress = no_compress
>   
>       @staticmethod
> @@ -61,7 +63,7 @@ class SWUGenerator:
>   
>               # Encrypt if required
>               if 'encrypted' in entry and self.aeskey:
> -                iv = self.generate_iv()
> +                iv = self.aesiv
>                   new_path = os.path.join(self.temp.name, entry['filename'])
>                   new.encrypt(new_path, self.aeskey, iv)
>                   new.fullfilename = new_path
> @@ -146,8 +148,18 @@ class SWUGenerator:
>   
>           self.save_swdescription(os.path.join(self.temp.name, sw.filename), swdesc)
>   
> -        if self.signtool:
> -            sw_desc_in = os.path.join(self.temp.name, sw.filename)
> +        # Encrypt sw-description if required
> +        if self.aeskey and self.encryptswdesc:
> +            iv = self.aesiv
> +            sw_desc_plain  = os.path.join(self.temp.name, 'sw-description.plain')
> +            sw_desc_enc    = os.path.join(self.temp.name, 'sw-description.enc')
> +            shutil.copyfile(sw.fullfilename, sw_desc_plain)
> +            sw.encrypt(sw_desc_enc, self.aeskey, iv)
> +            shutil.copyfile(sw_desc_enc, sw.fullfilename)
> +

Do we still need both "plain" and "enc" after encryption? What about having 
just "sw-description", so that the code for signing remains untouched? 
I think that at this point sw-description has been completely processed and 
we just need to save it; we do not need to have both (plain and 
encrypted).

> +        if self.signtool:
> +            sw_desc_in =  os.path.join(self.temp.name, 'sw-description.plain'
> +                                                if self.aeskey and self.encryptswdesc else 'sw-description')
>               sw_desc_out = os.path.join(self.temp.name, 'sw-description.sig')
>               self.signtool.prepare_cmd(sw_desc_in, sw_desc_out)
>               self.signtool.sign()
> diff --git a/swugenerator/main.py b/swugenerator/main.py
> index 318e333..f6173ff 100644
> --- a/swugenerator/main.py
> +++ b/swugenerator/main.py
> @@ -78,6 +78,15 @@ def main() -> None:
>           help="sw-description template",
>       )
>   
> +    parser.add_argument(
> +        "-t",
> +        "--encrypt-swdesc",
> +        action='store_const',
> +        const=True,
> +        default=False,
> +        help="Encrypt sw-description",
> +    )
> +
>       parser.add_argument(
>           "-a",
>           "--artifactory",
> @@ -172,6 +181,7 @@ def main() -> None:
>                                        artidirs,
>                                        sign_option,
>                                        key, iv,
> +                                     args.encrypt_swdesc,
>                                        args.no_compress)
>           swu.process()
>           swu.close()

Regards,
Stefano
ayoub...@googlemail.com Aug. 8, 2022, 12:11 p.m. UTC | #2
Hallo Stefano,

I don't get your point ?

After the encryption, the "sw-description" file is encrypted and we need to 
sign the plain one.






On Friday, August 5, 2022 at 11:00:06 AM UTC+2 Stefano Babic wrote:

> Hallo Ayoub,
>
> On 22.07.22 14:31, Ayoub Zaki wrote:
> > Signed-off-by: Ayoub Zaki <ayoub...@embexus.com>
> > ---
> > swugenerator/generator.py | 20 ++++++++++++++++----
> > swugenerator/main.py | 10 ++++++++++
> > 2 files changed, 26 insertions(+), 4 deletions(-)
> > 
> > diff --git a/swugenerator/generator.py b/swugenerator/generator.py
> > index c6b55e8..3f03b1d 100644
> > --- a/swugenerator/generator.py
> > +++ b/swugenerator/generator.py
> > @@ -3,6 +3,7 @@
> > # SPDX-License-Identifier: GPLv3
> > import logging
> > import os
> > +import shutil
> > import re
> > import codecs
> > import libconf
> > @@ -15,7 +16,7 @@ from swugenerator.artifact import Artifact
> > 
> > 
> > class SWUGenerator:
> > - def __init__(self, template, out, confvars, dirs, crypt, aeskey, 
> firstiv, no_compress=False):
> > + def __init__(self, template, out, confvars, dirs, crypt, aeskey, 
> firstiv, encrypt_swdesc=False, no_compress=False):
> > self.swdescription = template
> > self.artifacts = []
> > self.out = open(out, 'wb')
> > @@ -29,6 +30,7 @@ class SWUGenerator:
> > self.signtool = crypt
> > self.aeskey = aeskey
> > self.aesiv = firstiv
> > + self.encryptswdesc = encrypt_swdesc
> > self.nocompress = no_compress
> > 
> > @staticmethod
> > @@ -61,7 +63,7 @@ class SWUGenerator:
> > 
> > # Encrypt if required
> > if 'encrypted' in entry and self.aeskey:
> > - iv = self.generate_iv()
> > + iv = self.aesiv
> > new_path = os.path.join(self.temp.name, entry['filename'])
> > new.encrypt(new_path, self.aeskey, iv)
> > new.fullfilename = new_path
> > @@ -146,8 +148,18 @@ class SWUGenerator:
> > 
> > self.save_swdescription(os.path.join(self.temp.name, sw.filename), 
> swdesc)
> > 
> > - if self.signtool:
> > - sw_desc_in = os.path.join(self.temp.name, sw.filename)
> > + # Encrypt sw-description if required
> > + if self.aeskey and self.encryptswdesc:
> > + iv = self.aesiv
> > + sw_desc_plain = os.path.join(self.temp.name, 'sw-description.plain')
> > + sw_desc_enc = os.path.join(self.temp.name, 'sw-description.enc')
> > + shutil.copyfile(sw.fullfilename, sw_desc_plain)
> > + sw.encrypt(sw_desc_enc, self.aeskey, iv)
> > + shutil.copyfile(sw_desc_enc, sw.fullfilename)
> > +
>
> Do we still need both "plain" and "enc" after encryption ? What about to 
> have just "sw-description", and the code for signing remains untouched ? 
> I think that at this point, sw-description was completely processed and 
> we just need to save it and we do not need to have both (plain and 
> encrypted).
>
> > + if self.signtool:
> > + sw_desc_in = os.path.join(self.temp.name, 'sw-description.plain'
> > + if self.aeskey and self.encryptswdesc else 'sw-description')
> > sw_desc_out = os.path.join(self.temp.name, 'sw-description.sig')
> > self.signtool.prepare_cmd(sw_desc_in, sw_desc_out)
> > self.signtool.sign()
> > diff --git a/swugenerator/main.py b/swugenerator/main.py
> > index 318e333..f6173ff 100644
> > --- a/swugenerator/main.py
> > +++ b/swugenerator/main.py
> > @@ -78,6 +78,15 @@ def main() -> None:
> > help="sw-description template",
> > )
> > 
> > + parser.add_argument(
> > + "-t",
> > + "--encrypt-swdesc",
> > + action='store_const',
> > + const=True,
> > + default=False,
> > + help="Encrypt sw-description",
> > + )
> > +
> > parser.add_argument(
> > "-a",
> > "--artifactory",
> > @@ -172,6 +181,7 @@ def main() -> None:
> > artidirs,
> > sign_option,
> > key, iv,
> > + args.encrypt_swdesc,
> > args.no_compress)
> > swu.process()
> > swu.close()
>
> Regards,
> Stefano
>
> -- 
> =====================================================================
> DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
> HRB 165235 Munich, Office: Kirchenstr.5, 82194 Groebenzell, Germany
> Phone: +49-8142-66989-53 <+49%208142%206698953> Fax: +49-8142-66989-80 
> <+49%208142%206698980> Email: sba...@denx.de
> =====================================================================
>
Stefano Babic Aug. 8, 2022, 2:28 p.m. UTC | #3
On 08.08.22 14:11, 'ayoub...@googlemail.com' via swupdate wrote:
> Hallo Stefano,
> 
> I don't get your point ?
> 
> after the encryption "sw-description" file is encrypted and we need to 
> the sign the plain one.
> 

Sorry for noise, you're right !

Best regards,
Stefano

> 
> 
> 
> 
> 
> On Friday, August 5, 2022 at 11:00:06 AM UTC+2 Stefano Babic wrote:
> 
>     Hallo Ayoub,
> 
>     On 22.07.22 14:31, Ayoub Zaki wrote:
>      > Signed-off-by: Ayoub Zaki <ayoub...@embexus.com>
>      > ---
>      > swugenerator/generator.py | 20 ++++++++++++++++----
>      > swugenerator/main.py | 10 ++++++++++
>      > 2 files changed, 26 insertions(+), 4 deletions(-)
>      >
>      > diff --git a/swugenerator/generator.py b/swugenerator/generator.py
>      > index c6b55e8..3f03b1d 100644
>      > --- a/swugenerator/generator.py
>      > +++ b/swugenerator/generator.py
>      > @@ -3,6 +3,7 @@
>      > # SPDX-License-Identifier: GPLv3
>      > import logging
>      > import os
>      > +import shutil
>      > import re
>      > import codecs
>      > import libconf
>      > @@ -15,7 +16,7 @@ from swugenerator.artifact import Artifact
>      >
>      >
>      > class SWUGenerator:
>      > - def __init__(self, template, out, confvars, dirs, crypt,
>     aeskey, firstiv, no_compress=False):
>      > + def __init__(self, template, out, confvars, dirs, crypt,
>     aeskey, firstiv, encrypt_swdesc=False, no_compress=False):
>      > self.swdescription = template
>      > self.artifacts = []
>      > self.out = open(out, 'wb')
>      > @@ -29,6 +30,7 @@ class SWUGenerator:
>      > self.signtool = crypt
>      > self.aeskey = aeskey
>      > self.aesiv = firstiv
>      > + self.encryptswdesc = encrypt_swdesc
>      > self.nocompress = no_compress
>      >
>      > @staticmethod
>      > @@ -61,7 +63,7 @@ class SWUGenerator:
>      >
>      > # Encrypt if required
>      > if 'encrypted' in entry and self.aeskey:
>      > - iv = self.generate_iv()
>      > + iv = self.aesiv
>      > new_path = os.path.join(self.temp.name <http://self.temp.name>,
>     entry['filename'])
>      > new.encrypt(new_path, self.aeskey, iv)
>      > new.fullfilename = new_path
>      > @@ -146,8 +148,18 @@ class SWUGenerator:
>      >
>      > self.save_swdescription(os.path.join(self.temp.name
>     <http://self.temp.name>, sw.filename), swdesc)
>      >
>      > - if self.signtool:
>      > - sw_desc_in = os.path.join(self.temp.name
>     <http://self.temp.name>, sw.filename)
>      > + # Encrypt sw-description if required
>      > + if self.aeskey and self.encryptswdesc:
>      > + iv = self.aesiv
>      > + sw_desc_plain = os.path.join(self.temp.name
>     <http://self.temp.name>, 'sw-description.plain')
>      > + sw_desc_enc = os.path.join(self.temp.name
>     <http://self.temp.name>, 'sw-description.enc')
>      > + shutil.copyfile(sw.fullfilename, sw_desc_plain)
>      > + sw.encrypt(sw_desc_enc, self.aeskey, iv)
>      > + shutil.copyfile(sw_desc_enc, sw.fullfilename)
>      > +
> 
>     Do we still need both "plain" and "enc" after encryption ? What
>     about to
>     have just "sw-description", and the code for signing remains
>     untouched ?
>     I think that at this point, sw-description was completely processed and
>     we just need to save it and we do not need to have both (plain and
>     encrypted).
> 
>      > + if self.signtool:
>      > + sw_desc_in = os.path.join(self.temp.name
>     <http://self.temp.name>, 'sw-description.plain'
>      > + if self.aeskey and self.encryptswdesc else 'sw-description')
>      > sw_desc_out = os.path.join(self.temp.name
>     <http://self.temp.name>, 'sw-description.sig')
>      > self.signtool.prepare_cmd(sw_desc_in, sw_desc_out)
>      > self.signtool.sign()
>      > diff --git a/swugenerator/main.py b/swugenerator/main.py
>      > index 318e333..f6173ff 100644
>      > --- a/swugenerator/main.py
>      > +++ b/swugenerator/main.py
>      > @@ -78,6 +78,15 @@ def main() -> None:
>      > help="sw-description template",
>      > )
>      >
>      > + parser.add_argument(
>      > + "-t",
>      > + "--encrypt-swdesc",
>      > + action='store_const',
>      > + const=True,
>      > + default=False,
>      > + help="Encrypt sw-description",
>      > + )
>      > +
>      > parser.add_argument(
>      > "-a",
>      > "--artifactory",
>      > @@ -172,6 +181,7 @@ def main() -> None:
>      > artidirs,
>      > sign_option,
>      > key, iv,
>      > + args.encrypt_swdesc,
>      > args.no_compress)
>      > swu.process()
>      > swu.close()
> 
>     Regards,
>     Stefano
> 
>     -- 
>     =====================================================================
>     DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
>     HRB 165235 Munich, Office: Kirchenstr.5, 82194 Groebenzell, Germany
>     Phone: +49-8142-66989-53 <tel:+49%208142%206698953> Fax:
>     +49-8142-66989-80 <tel:+49%208142%206698980> Email: sba...@denx.de
>     =====================================================================
> 

Patch

diff --git a/swugenerator/generator.py b/swugenerator/generator.py
index c6b55e8..3f03b1d 100644
--- a/swugenerator/generator.py
+++ b/swugenerator/generator.py
@@ -3,6 +3,7 @@ 
 # SPDX-License-Identifier: GPLv3
 import logging
 import os
+import shutil
 import re
 import codecs
 import libconf
@@ -15,7 +16,7 @@  from swugenerator.artifact import Artifact
 
 
 class SWUGenerator:
-    def __init__(self, template, out, confvars, dirs, crypt, aeskey, firstiv, no_compress=False):
+    def __init__(self, template, out, confvars, dirs, crypt, aeskey, firstiv, encrypt_swdesc=False, no_compress=False):
         self.swdescription = template
         self.artifacts = []
         self.out = open(out, 'wb')
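Review bot: In the new `__init__` signature, `encrypt_swdesc=False` is inserted ahead of `no_compress=False`, so any existing caller that passes `no_compress` positionally would now set `encrypt_swdesc` instead. Appending the new parameter after `no_compress`, or passing both by keyword at the call site, avoids that silent shift. The call in the last `swugenerator/main.py` hunk could read `encrypt_swdesc=args.encrypt_swdesc, no_compress=args.no_compress`. The body of `__init__` continues outside this hunk.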
@@ -29,6 +30,7 @@  class SWUGenerator:
         self.signtool = crypt
         self.aeskey = aeskey
         self.aesiv = firstiv
+        self.encryptswdesc = encrypt_swdesc
         self.nocompress = no_compress
 
     @staticmethod
@@ -61,7 +63,7 @@  class SWUGenerator:
 
             # Encrypt if required
             if 'encrypted' in entry and self.aeskey:
-                iv = self.generate_iv()
+                iv = self.aesiv
                 new_path = os.path.join(self.temp.name, entry['filename'])
                 new.encrypt(new_path, self.aeskey, iv)
                 new.fullfilename = new_path
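Review bot: Replacing `iv = self.generate_iv()` with `iv = self.aesiv` makes every encrypted artifact use the single IV supplied with the key, and the commit title (encrypting sw-description) does not explain this change. If `encrypt()` uses a chained mode such as CBC, reusing one key/IV pair across files reveals when two artifacts begin with the same data, so a fresh IV per artifact is the safer default. Unless the fixed IV is needed for compatibility, keep `iv = self.generate_iv()` here and reserve `self.aesiv` for sw-description. If it is needed, a comment such as `# all artifacts share self.aesiv because <reason>` would record the trade-off. The loop body continues outside the hunk, so whether the IV is also written into the entry is not visible here.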
@@ -146,8 +148,18 @@  class SWUGenerator:
 
         self.save_swdescription(os.path.join(self.temp.name, sw.filename), swdesc)
 
-        if self.signtool:
-            sw_desc_in = os.path.join(self.temp.name, sw.filename)
+        # Encrypt sw-description if required
+        if self.aeskey and self.encryptswdesc:
+            iv = self.aesiv
+            sw_desc_plain  = os.path.join(self.temp.name, 'sw-description.plain')
+            sw_desc_enc    = os.path.join(self.temp.name, 'sw-description.enc')
+            shutil.copyfile(sw.fullfilename, sw_desc_plain)
+            sw.encrypt(sw_desc_enc, self.aeskey, iv)
+            shutil.copyfile(sw_desc_enc, sw.fullfilename)
+            
+        if self.signtool:       
+            sw_desc_in =  os.path.join(self.temp.name, 'sw-description.plain' 
+                                                if self.aeskey and self.encryptswdesc else 'sw-description')
             sw_desc_out = os.path.join(self.temp.name, 'sw-description.sig')
             self.signtool.prepare_cmd(sw_desc_in, sw_desc_out)
             self.signtool.sign()
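Review bot: When `encrypt_swdesc` is set but no AES key is configured, `if self.aeskey and self.encryptswdesc:` is simply false and sw-description is written in plaintext with no warning, so a requested protection fails open. A guard before this block, for example `if self.encryptswdesc and not self.aeskey: raise ValueError("encrypt_swdesc requires an AES key")`, would make the misconfiguration visible, unless main.py already rejects it outside the visible hunks. The same condition is evaluated a second time inside the `os.path.join` call for `sw_desc_in`; computing it once into a local and reusing it would keep the encrypt and sign branches from drifting apart. The enclosing method starts and ends outside this hunk.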
diff --git a/swugenerator/main.py b/swugenerator/main.py
index 318e333..f6173ff 100644
--- a/swugenerator/main.py
+++ b/swugenerator/main.py
@@ -78,6 +78,15 @@  def main() -> None:
         help="sw-description template",
     )
 
+    parser.add_argument(
+        "-t",
+        "--encrypt-swdesc",
+        action='store_const',
+        const=True,
+        default=False,
+        help="Encrypt sw-description",
+    )
+
     parser.add_argument(
         "-a",
         "--artifactory",
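Review bot: The new `--encrypt-swdesc` option spells a boolean flag as `action='store_const', const=True, default=False`, which is what `action="store_true",` does in one line, and it uses single quotes where the neighbouring arguments use double quotes. The help text could also state the dependency, e.g. `help="Encrypt sw-description (requires an encryption key)",`, because the generator.py hunk only encrypts when a key is present. `main()` starts and ends outside this hunk.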
@@ -172,6 +181,7 @@  def main() -> None:
                                      artidirs,
                                      sign_option,
                                      key, iv,
+                                     args.encrypt_swdesc,
                                      args.no_compress)
         swu.process()
         swu.close()