Message ID | 20230919075318.27595-1-viktor.voronin@evologics.de |
---|---|
State | Accepted |
Delegated to: | Stefano Babic |
Series | [swugenerator] CMS signing: add -certfile option | expand |
On 19.09.23 09:53, 'Victor Voronin' via swupdate wrote: > Signed-off-by: Victor Voronin <viktor.voronin@evologics.de> > --- > swugenerator/main.py | 17 +++++++++++------ > swugenerator/swu_sign.py | 14 +++++++++++++- > 2 files changed, 24 insertions(+), 7 deletions(-) > > diff --git a/swugenerator/main.py b/swugenerator/main.py > index 4531865..22ff0ee 100644 > --- a/swugenerator/main.py > +++ b/swugenerator/main.py > @@ -86,6 +86,7 @@ def parse_signing_option( > ) -> Union[SWUSignCMS, SWUSignRSA, SWUSignPKCS11, SWUSignCustom]: > """Parses signgning option passed by user. Valid options can be found below. > > + CMS,<private key>,<certificate used to sign>,<file with password>,<file with certs> > CMS,<private key>,<certificate used to sign>,<file with password> > CMS,<private key>,<certificate used to sign> > RSA,<private key>,<file with password> 
> @@ -105,15 +106,19 @@ def parse_signing_option( > sign_parms = sign_arg.split(",") > cmd = sign_parms[0] > if cmd == "CMS": > - if len(sign_parms) not in (3, 4) or not all(sign_parms): > + if len(sign_parms) not in (3, 4, 5) or not all(sign_parms[0:2]): > raise InvalidSigningOption( > - "CMS requires private key, certificate, and an optional password file" > + "CMS requires private key, certificate, an optional password file and an optional file with additional certificates" > ) > + # Format : CMS,<private key>,<certificate used to sign>,<file with password>,<file with certs> > + if len(sign_parms) == 5: > + return SWUSignCMS(sign_parms[1], sign_parms[2], sign_parms[3], sign_parms[4]) > # Format : CMS,<private key>,<certificate used to sign>,<file with password> > - if len(sign_parms) == 4: > - return SWUSignCMS(sign_parms[1], sign_parms[2], sign_parms[3]) > + elif len(sign_parms) == 4: > + return SWUSignCMS(sign_parms[1], sign_parms[2], sign_parms[3], None) > # Format : CMS,<private key>,<certificate used to sign> > - return SWUSignCMS(sign_parms[1], sign_parms[2], None) > + else: > + return SWUSignCMS(sign_parms[1], sign_parms[2], None, None) > if cmd == "RSA": > if len(sign_parms) not in (2, 3) or not all(sign_parms): > raise InvalidSigningOption( > @@ -236,7 +241,7 @@ def parse_args(args: List[str]) -> None: > """\ > RSA key or certificate to sign the SWU > One of : > - CMS,<private key>,<certificate used to sign>,<file with password if any> > + CMS,<private key>,<certificate used to sign>,<file with password if any>,<file with certs if any> > RSA,<private key>,<file with password if any> > PKCS11,<pin> > CUSTOM,<custom command> """ > diff --git a/swugenerator/swu_sign.py b/swugenerator/swu_sign.py > index 7097a9d..f73802e 100644 > --- a/swugenerator/swu_sign.py > +++ b/swugenerator/swu_sign.py 
> @@ -14,6 +14,7 @@ class SWUSign: > self.cert = None > self.cmd = None > self.passin = None > + self.certfile = None > self.signcmd = [] > > def get_passwd_file_args(self): > @@ -25,6 +26,15 @@ class SWUSign: > def set_password_file(self, passin): > self.passin = passin > > + def get_certfile_args(self): > + certfile_args = [] > + if self.certfile: > + certfile_args = ["-certfile", self.certfile] > + return certfile_args > + > + def set_certfile(self, certfile): > + self.certfile = certfile > + > def sign(self): > try: > subprocess.run(" ".join(self.signcmd), shell=True, check=True, text=True) > @@ -36,12 +46,13 @@ class SWUSign: > > > class SWUSignCMS(SWUSign): > - def __init__(self, key, cert, passin): > + def __init__(self, key, cert, passin, certfile): > super().__init__() > self.type = "CMS" > self.key = key > self.cert = cert > self.passin = passin > + self.certfile = certfile > > def prepare_cmd(self, sw_desc_in, sw_desc_sig): > self.signcmd = [ > @@ -64,6 +75,7 @@ class SWUSignCMS(SWUSign): > "-binary", > ] > self.signcmd += self.get_passwd_file_args() > + self.signcmd += self.get_certfile_args() > > > class SWUSignRSA(SWUSign): Applied to -main, thanks ! Best regards, Stefano Babic
diff --git a/swugenerator/main.py b/swugenerator/main.py
index 4531865..22ff0ee 100644
--- a/swugenerator/main.py
+++ b/swugenerator/main.py
@@ -86,6 +86,7 @@ def parse_signing_option(
 ) -> Union[SWUSignCMS, SWUSignRSA, SWUSignPKCS11, SWUSignCustom]:
 """Parses signgning option passed by user. Valid options can be found below.
 
+ CMS,<private key>,<certificate used to sign>,<file with password>,<file with certs>
 CMS,<private key>,<certificate used to sign>,<file with password>
 CMS,<private key>,<certificate used to sign>
 RSA,<private key>,<file with password>
@@ -105,15 +106,19 @@ def parse_signing_option(
 sign_parms = sign_arg.split(",")
 cmd = sign_parms[0]
 if cmd == "CMS":
- if len(sign_parms) not in (3, 4) or not all(sign_parms):
+ if len(sign_parms) not in (3, 4, 5) or not all(sign_parms[0:2]):
 raise InvalidSigningOption(
- "CMS requires private key, certificate, and an optional password file"
+ "CMS requires private key, certificate, an optional password file and an optional file with additional certificates"
 )
+ # Format : CMS,<private key>,<certificate used to sign>,<file with password>,<file with certs>
+ if len(sign_parms) == 5:
+ return SWUSignCMS(sign_parms[1], sign_parms[2], sign_parms[3], sign_parms[4])
 # Format : CMS,<private key>,<certificate used to sign>,<file with password>
- if len(sign_parms) == 4:
- return SWUSignCMS(sign_parms[1], sign_parms[2], sign_parms[3])
+ elif len(sign_parms) == 4:
+ return SWUSignCMS(sign_parms[1], sign_parms[2], sign_parms[3], None)
 # Format : CMS,<private key>,<certificate used to sign>
- return SWUSignCMS(sign_parms[1], sign_parms[2], None)
+ else:
+ return SWUSignCMS(sign_parms[1], sign_parms[2], None, None)
 if cmd == "RSA":
 if len(sign_parms) not in (2, 3) or not all(sign_parms):
 raise InvalidSigningOption(
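Review bot: The new guard `not all(sign_parms[0:2])` in the CMS branch checks only the command and the private key, so an empty certificate field (for example `CMS,key,`) is no longer rejected and reaches `SWUSignCMS` as `""`. The slice presumably exists so the password field can stay empty when a certs file is given; `not all(sign_parms[0:3])` keeps that while still requiring the certificate. Empty optional fields are also passed through as `""` rather than `None`, which is safe only while every helper tests truthiness, so `sign_parms[3] or None` would be the more robust form. The body of `parse_signing_option` starts and ends outside this hunk.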
@@ -236,7 +241,7 @@ def parse_args(args: List[str]) -> None:
 """\
 RSA key or certificate to sign the SWU
 One of :
- CMS,<private key>,<certificate used to sign>,<file with password if any>
+ CMS,<private key>,<certificate used to sign>,<file with password if any>,<file with certs if any>
 RSA,<private key>,<file with password if any>
 PKCS11,<pin>
 CUSTOM,<custom command> """
diff --git a/swugenerator/swu_sign.py b/swugenerator/swu_sign.py
index 7097a9d..f73802e 100644
--- a/swugenerator/swu_sign.py
+++ b/swugenerator/swu_sign.py
@@ -14,6 +14,7 @@ class SWUSign:
 self.cert = None
 self.cmd = None
 self.passin = None
+ self.certfile = None
 self.signcmd = []
 
 def get_passwd_file_args(self):
@@ -25,6 +26,15 @@ class SWUSign:
 def set_password_file(self, passin):
 self.passin = passin
 
+ def get_certfile_args(self):
+ certfile_args = []
+ if self.certfile:
+ certfile_args = ["-certfile", self.certfile]
+ return certfile_args
+
+ def set_certfile(self, certfile):
+ self.certfile = certfile
+
 def sign(self):
 try:
 subprocess.run(" ".join(self.signcmd), shell=True, check=True, text=True)
@@ -36,12 +46,13 @@ class SWUSign:
 
 
 class SWUSignCMS(SWUSign):
- def __init__(self, key, cert, passin):
+ def __init__(self, key, cert, passin, certfile):
 super().__init__()
 self.type = "CMS"
 self.key = key
 self.cert = cert
 self.passin = passin
+ self.certfile = certfile
 
 def prepare_cmd(self, sw_desc_in, sw_desc_sig):
 self.signcmd = [
@@ -64,6 +75,7 @@ class SWUSignCMS(SWUSign):
 "-binary",
 ]
 self.signcmd += self.get_passwd_file_args()
+ self.signcmd += self.get_certfile_args()
 
 
 class SWUSignRSA(SWUSign):
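Review bot: `get_certfile_args` in swugenerator/swu_sign.py puts the user-supplied path into `signcmd` unquoted, and the `sign()` context lines directly below join that list with spaces and run it with `shell=True`, so a certs path containing spaces or shell metacharacters is split or interpreted by the shell. The key, certificate and password arguments appear to follow the same pattern, so the durable fix is in `sign()`: pass the list itself, `subprocess.run(self.signcmd, check=True, text=True)`. If the shell has to stay (the CUSTOM signer may rely on it; that code is not visible here), quote at the source with `certfile_args = ["-certfile", shlex.quote(self.certfile)]`. `sign()` continues outside the hunk.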
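Review bot: `SWUSignCMS.__init__` takes `certfile` as a new required positional parameter, so any caller outside this patch that still passes three arguments will raise `TypeError`. `def __init__(self, key, cert, passin, certfile=None):` keeps the old call form valid and would let `parse_signing_option` drop the explicit `None` arguments. The new `get_certfile_args` and `set_certfile` methods also lack docstrings; a one-line docstring saying that the file holds the additional certificates passed to the signer via `-certfile` (presumably the chain to embed in the CMS signature) would make the option's purpose clear.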
Signed-off-by: Victor Voronin <viktor.voronin@evologics.de> --- swugenerator/main.py | 17 +++++++++++------ swugenerator/swu_sign.py | 14 +++++++++++++- 2 files changed, 24 insertions(+), 7 deletions(-)