rpms/ca-certificates
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Ported scripts to python3

Browse Source
This commit is contained in:
Kai Engert 2018-06-28 22:36:01 +02:00
parent 34c0da9058
commit 1a2c011ba4
3 changed files with 64 additions and 41 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
ca-certificates.spec
View File

@ -38,7 +38,7 @@ Name: ca-certificates
Version: 2018.2.24 Version: 2018.2.24
# for Rawhide, please always use release >= 2 # for Rawhide, please always use release >= 2
# for Fedora release branches, please use release < 2 (1.0, 1.1, ...) # for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
Release: 4%{?dist} Release: 5%{?dist}
License: Public Domain License: Public Domain
Group: System Environment/Base Group: System Environment/Base
@ -78,7 +78,7 @@ Requires: p11-kit >= 0.23.10
Requires: p11-kit-trust >= 0.23.10 Requires: p11-kit-trust >= 0.23.10
BuildRequires: perl-interpreter BuildRequires: perl-interpreter
BuildRequires: python2 BuildRequires: python3
BuildRequires: openssl BuildRequires: openssl
BuildRequires: asciidoc BuildRequires: asciidoc
BuildRequires: libxslt BuildRequires: libxslt
@ -99,7 +99,7 @@ mkdir %{name}/java
pushd %{name}/certs pushd %{name}/certs
pwd pwd
cp %{SOURCE0} . cp %{SOURCE0} .
python %{SOURCE4} >c2p.log 2>c2p.err python3 %{SOURCE4} >c2p.log 2>c2p.err
popd popd
pushd %{name} pushd %{name}
( (
@ -372,6 +372,9 @@ fi
%changelog %changelog
* Thu Jun 28 2018 Kai Engert <kaie@redhat.com> - 2018.2.24-5
- Ported scripts to python3
* Mon Jun 11 2018 Daiki Ueno <dueno@redhat.com> - 2018.2.24-4 * Mon Jun 11 2018 Daiki Ueno <dueno@redhat.com> - 2018.2.24-4
- Extract certificate bundle in EDK2 format, suggested by Laszlo Ersek - Extract certificate bundle in EDK2 format, suggested by Laszlo Ersek

90
certdata2pem.py
View File

@ -26,17 +26,17 @@ import os.path
import re import re
import sys import sys
import textwrap import textwrap
import urllib import urllib.request, urllib.parse, urllib.error
import subprocess import subprocess
objects = [] objects = []
def printable_serial(obj): def printable_serial(obj):
return ".".join(map(lambda x:str(ord(x)), obj['CKA_SERIAL_NUMBER'])) return ".".join([str(x) for x in obj['CKA_SERIAL_NUMBER']])
# Dirty file parser. # Dirty file parser.
in_data, in_multiline, in_obj = False, False, False in_data, in_multiline, in_obj = False, False, False
field, type, value, obj = None, None, None, dict() field, ftype, value, binval, obj = None, None, None, bytearray(), dict()
for line in open('certdata.txt', 'r'): for line in open('certdata.txt', 'r'):
# Ignore the file header. # Ignore the file header.
if not in_data: if not in_data:
@ -56,33 +56,36 @@ for line in open('certdata.txt', 'r'):
continue continue
if in_multiline: if in_multiline:
if not line.startswith('END'): if not line.startswith('END'):
if type == 'MULTILINE_OCTAL': if ftype == 'MULTILINE_OCTAL':
line = line.strip() line = line.strip()
for i in re.finditer(r'\\([0-3][0-7][0-7])', line): for i in re.finditer(r'\\([0-3][0-7][0-7])', line):
value += chr(int(i.group(1), 8)) integ = int(i.group(1), 8)
binval.extend((integ).to_bytes(1, sys.byteorder))
obj[field] = binval
else: else:
value += line value += line
obj[field] = value
continue continue
obj[field] = value
in_multiline = False in_multiline = False
continue continue
if line.startswith('CKA_CLASS'): if line.startswith('CKA_CLASS'):
in_obj = True in_obj = True
line_parts = line.strip().split(' ', 2) line_parts = line.strip().split(' ', 2)
if len(line_parts) > 2: if len(line_parts) > 2:
field, type = line_parts[0:2] field, ftype = line_parts[0:2]
value = ' '.join(line_parts[2:]) value = ' '.join(line_parts[2:])
elif len(line_parts) == 2: elif len(line_parts) == 2:
field, type = line_parts field, ftype = line_parts
value = None value = None
else: else:
raise NotImplementedError, 'line_parts < 2 not supported.\n' + line raise NotImplementedError('line_parts < 2 not supported.\n' + line)
if type == 'MULTILINE_OCTAL': if ftype == 'MULTILINE_OCTAL':
in_multiline = True in_multiline = True
value = "" value = ""
binval = bytearray()
continue continue
obj[field] = value obj[field] = value
if len(obj.items()) > 0: if len(list(obj.items())) > 0:
objects.append(obj) objects.append(obj)
# Build up trust database. # Build up trust database.
@ -92,7 +95,7 @@ for obj in objects:
continue continue
key = obj['CKA_LABEL'] + printable_serial(obj) key = obj['CKA_LABEL'] + printable_serial(obj)
trustmap[key] = obj trustmap[key] = obj
print " added trust", key print(" added trust", key)
# Build up cert database. # Build up cert database.
certmap = dict() certmap = dict()
@ -101,7 +104,7 @@ for obj in objects:
continue continue
key = obj['CKA_LABEL'] + printable_serial(obj) key = obj['CKA_LABEL'] + printable_serial(obj)
certmap[key] = obj certmap[key] = obj
print " added cert", key print(" added cert", key)
def obj_to_filename(obj): def obj_to_filename(obj):
label = obj['CKA_LABEL'][1:-1] label = obj['CKA_LABEL'][1:-1]
@ -110,7 +113,18 @@ def obj_to_filename(obj):
.replace('(', '=')\ .replace('(', '=')\
.replace(')', '=')\ .replace(')', '=')\
.replace(',', '_') .replace(',', '_')
label = re.sub(r'\\x[0-9a-fA-F]{2}', lambda m:chr(int(m.group(0)[2:], 16)), label) labelbytes = bytearray()
i = 0
imax = len(label)
while i < imax:
if i < imax-3 and label[i] == '\\' and label[i+1] == 'x':
labelbytes.extend(bytes.fromhex(label[i+2:i+4]))
i += 4
continue
labelbytes.extend(str.encode(label[i]))
i = i+1
continue
label = labelbytes.decode('utf-8')
serial = printable_serial(obj) serial = printable_serial(obj)
return label + ":" + serial return label + ":" + serial
@ -166,31 +180,31 @@ openssl_trust = {
for tobj in objects: for tobj in objects:
if tobj['CKA_CLASS'] == 'CKO_NSS_TRUST': if tobj['CKA_CLASS'] == 'CKO_NSS_TRUST':
key = tobj['CKA_LABEL'] + printable_serial(tobj) key = tobj['CKA_LABEL'] + printable_serial(tobj)
print "producing trust for " + key print("producing trust for " + key)
trustbits = [] trustbits = []
distrustbits = [] distrustbits = []
openssl_trustflags = [] openssl_trustflags = []
openssl_distrustflags = [] openssl_distrustflags = []
legacy_trustbits = [] legacy_trustbits = []
legacy_openssl_trustflags = [] legacy_openssl_trustflags = []
for t in trust_types.keys(): for t in list(trust_types.keys()):
if tobj.has_key(t) and tobj[t] == 'CKT_NSS_TRUSTED_DELEGATOR': if t in tobj and tobj[t] == 'CKT_NSS_TRUSTED_DELEGATOR':
trustbits.append(t) trustbits.append(t)
if t in openssl_trust: if t in openssl_trust:
openssl_trustflags.append(openssl_trust[t]) openssl_trustflags.append(openssl_trust[t])
if tobj.has_key(t) and tobj[t] == 'CKT_NSS_NOT_TRUSTED': if t in tobj and tobj[t] == 'CKT_NSS_NOT_TRUSTED':
distrustbits.append(t) distrustbits.append(t)
if t in openssl_trust: if t in openssl_trust:
openssl_distrustflags.append(openssl_trust[t]) openssl_distrustflags.append(openssl_trust[t])
for t in legacy_trust_types.keys(): for t in list(legacy_trust_types.keys()):
if tobj.has_key(t) and tobj[t] == 'CKT_NSS_TRUSTED_DELEGATOR': if t in tobj and tobj[t] == 'CKT_NSS_TRUSTED_DELEGATOR':
real_t = legacy_to_real_trust_types[t] real_t = legacy_to_real_trust_types[t]
legacy_trustbits.append(real_t) legacy_trustbits.append(real_t)
if real_t in openssl_trust: if real_t in openssl_trust:
legacy_openssl_trustflags.append(openssl_trust[real_t]) legacy_openssl_trustflags.append(openssl_trust[real_t])
if tobj.has_key(t) and tobj[t] == 'CKT_NSS_NOT_TRUSTED': if t in tobj and tobj[t] == 'CKT_NSS_NOT_TRUSTED':
raise NotImplementedError, 'legacy distrust not supported.\n' + line raise NotImplementedError('legacy distrust not supported.\n' + line)
fname = obj_to_filename(tobj) fname = obj_to_filename(tobj)
try: try:
@ -206,10 +220,10 @@ for tobj in objects:
#dumpf.close(); #dumpf.close();
is_legacy = 0 is_legacy = 0
if tobj.has_key('LEGACY_CKA_TRUST_SERVER_AUTH') or tobj.has_key('LEGACY_CKA_TRUST_EMAIL_PROTECTION') or tobj.has_key('LEGACY_CKA_TRUST_CODE_SIGNING'): if 'LEGACY_CKA_TRUST_SERVER_AUTH' in tobj or 'LEGACY_CKA_TRUST_EMAIL_PROTECTION' in tobj or 'LEGACY_CKA_TRUST_CODE_SIGNING' in tobj:
is_legacy = 1 is_legacy = 1
if obj == None: if obj == None:
raise NotImplementedError, 'found legacy trust without certificate.\n' + line raise NotImplementedError('found legacy trust without certificate.\n' + line)
legacy_fname = "legacy-default/" + fname + ".crt" legacy_fname = "legacy-default/" + fname + ".crt"
f = open(legacy_fname, 'w') f = open(legacy_fname, 'w')
@ -218,11 +232,13 @@ for tobj in objects:
if legacy_openssl_trustflags: if legacy_openssl_trustflags:
f.write("# openssl-trust=" + " ".join(legacy_openssl_trustflags) + "\n") f.write("# openssl-trust=" + " ".join(legacy_openssl_trustflags) + "\n")
f.write("-----BEGIN CERTIFICATE-----\n") f.write("-----BEGIN CERTIFICATE-----\n")
f.write("\n".join(textwrap.wrap(base64.b64encode(obj['CKA_VALUE']), 64))) temp_encoded_b64 = base64.b64encode(obj['CKA_VALUE'])
temp_wrapped = textwrap.wrap(temp_encoded_b64.decode(), 64)
f.write("\n".join(temp_wrapped))
f.write("\n-----END CERTIFICATE-----\n") f.write("\n-----END CERTIFICATE-----\n")
f.close() f.close()
if tobj.has_key('CKA_TRUST_SERVER_AUTH') or tobj.has_key('CKA_TRUST_EMAIL_PROTECTION') or tobj.has_key('CKA_TRUST_CODE_SIGNING'): if 'CKA_TRUST_SERVER_AUTH' in tobj or 'CKA_TRUST_EMAIL_PROTECTION' in tobj or 'CKA_TRUST_CODE_SIGNING' in tobj:
legacy_fname = "legacy-disable/" + fname + ".crt" legacy_fname = "legacy-disable/" + fname + ".crt"
f = open(legacy_fname, 'w') f = open(legacy_fname, 'w')
f.write("# alias=%s\n"%tobj['CKA_LABEL']) f.write("# alias=%s\n"%tobj['CKA_LABEL'])
@ -244,7 +260,9 @@ for tobj in objects:
cert_fname = "cert-" + fname cert_fname = "cert-" + fname
fc = open(cert_fname, 'w') fc = open(cert_fname, 'w')
fc.write("-----BEGIN CERTIFICATE-----\n") fc.write("-----BEGIN CERTIFICATE-----\n")
fc.write("\n".join(textwrap.wrap(base64.b64encode(obj['CKA_VALUE']), 64))) temp_encoded_b64 = base64.b64encode(obj['CKA_VALUE'])
temp_wrapped = textwrap.wrap(temp_encoded_b64.decode(), 64)
fc.write("\n".join(temp_wrapped))
fc.write("\n-----END CERTIFICATE-----\n") fc.write("\n-----END CERTIFICATE-----\n")
fc.close(); fc.close();
pk_fname = "pubkey-" + fname pk_fname = "pubkey-" + fname
@ -262,7 +280,7 @@ for tobj in objects:
fcout.close() fcout.close()
sed_command = ["sed", "--in-place", "s/^/#/", comment_fname] sed_command = ["sed", "--in-place", "s/^/#/", comment_fname]
subprocess.call(sed_command) subprocess.call(sed_command)
with open (comment_fname, "r") as myfile: with open (comment_fname, "r", errors = 'replace') as myfile:
cert_comment=myfile.read() cert_comment=myfile.read()
fname += ".tmp-p11-kit" fname += ".tmp-p11-kit"
@ -274,19 +292,19 @@ for tobj in objects:
has_email_trust = False has_email_trust = False
has_code_trust = False has_code_trust = False
if tobj.has_key('CKA_TRUST_SERVER_AUTH'): if 'CKA_TRUST_SERVER_AUTH' in tobj:
if tobj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_NOT_TRUSTED': if tobj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_NOT_TRUSTED':
is_distrusted = True is_distrusted = True
elif tobj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_TRUSTED_DELEGATOR': elif tobj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_TRUSTED_DELEGATOR':
has_server_trust = True has_server_trust = True
if tobj.has_key('CKA_TRUST_EMAIL_PROTECTION'): if 'CKA_TRUST_EMAIL_PROTECTION' in tobj:
if tobj['CKA_TRUST_EMAIL_PROTECTION'] == 'CKT_NSS_NOT_TRUSTED': if tobj['CKA_TRUST_EMAIL_PROTECTION'] == 'CKT_NSS_NOT_TRUSTED':
is_distrusted = True is_distrusted = True
elif tobj['CKA_TRUST_EMAIL_PROTECTION'] == 'CKT_NSS_TRUSTED_DELEGATOR': elif tobj['CKA_TRUST_EMAIL_PROTECTION'] == 'CKT_NSS_TRUSTED_DELEGATOR':
has_email_trust = True has_email_trust = True
if tobj.has_key('CKA_TRUST_CODE_SIGNING'): if 'CKA_TRUST_CODE_SIGNING' in tobj:
if tobj['CKA_TRUST_CODE_SIGNING'] == 'CKT_NSS_NOT_TRUSTED': if tobj['CKA_TRUST_CODE_SIGNING'] == 'CKT_NSS_NOT_TRUSTED':
is_distrusted = True is_distrusted = True
elif tobj['CKA_TRUST_CODE_SIGNING'] == 'CKT_NSS_TRUSTED_DELEGATOR': elif tobj['CKA_TRUST_CODE_SIGNING'] == 'CKT_NSS_TRUSTED_DELEGATOR':
@ -352,7 +370,9 @@ for tobj in objects:
f.write("modifiable: false\n"); f.write("modifiable: false\n");
f.write("-----BEGIN CERTIFICATE-----\n") f.write("-----BEGIN CERTIFICATE-----\n")
f.write("\n".join(textwrap.wrap(base64.b64encode(obj['CKA_VALUE']), 64))) temp_encoded_b64 = base64.b64encode(obj['CKA_VALUE'])
temp_wrapped = textwrap.wrap(temp_encoded_b64.decode(), 64)
f.write("\n".join(temp_wrapped))
f.write("\n-----END CERTIFICATE-----\n") f.write("\n-----END CERTIFICATE-----\n")
f.write(cert_comment) f.write(cert_comment)
f.write("\n") f.write("\n")
@ -366,13 +386,13 @@ for tobj in objects:
f.write("certificate-type: x-509\n") f.write("certificate-type: x-509\n")
f.write("modifiable: false\n"); f.write("modifiable: false\n");
f.write("issuer: \""); f.write("issuer: \"");
f.write(urllib.quote(tobj['CKA_ISSUER'])); f.write(urllib.parse.quote(tobj['CKA_ISSUER']));
f.write("\"\n") f.write("\"\n")
f.write("serial-number: \""); f.write("serial-number: \"");
f.write(urllib.quote(tobj['CKA_SERIAL_NUMBER'])); f.write(urllib.parse.quote(tobj['CKA_SERIAL_NUMBER']));
f.write("\"\n") f.write("\"\n")
if (tobj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_NOT_TRUSTED') or (tobj['CKA_TRUST_EMAIL_PROTECTION'] == 'CKT_NSS_NOT_TRUSTED') or (tobj['CKA_TRUST_CODE_SIGNING'] == 'CKT_NSS_NOT_TRUSTED'): if (tobj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_NOT_TRUSTED') or (tobj['CKA_TRUST_EMAIL_PROTECTION'] == 'CKT_NSS_NOT_TRUSTED') or (tobj['CKA_TRUST_CODE_SIGNING'] == 'CKT_NSS_NOT_TRUSTED'):
f.write("x-distrusted: true\n") f.write("x-distrusted: true\n")
f.write("\n\n") f.write("\n\n")
f.close() f.close()
print " -> written as '%s', trust = %s, openssl-trust = %s, distrust = %s, openssl-distrust = %s" % (fname, trustbits, openssl_trustflags, distrustbits, openssl_distrustflags) print(" -> written as '%s', trust = %s, openssl-trust = %s, distrust = %s, openssl-distrust = %s" % (fname, trustbits, openssl_trustflags, distrustbits, openssl_distrustflags))

6
sort-blocks.py
View File

@ -1,4 +1,4 @@
#!/usr/bin/python #!/usr/bin/python3
# Expected input is a file, where blocks of lines are separated by newline. # Expected input is a file, where blocks of lines are separated by newline.
# Blocks will be sorted. # Blocks will be sorted.
@ -9,7 +9,7 @@ import sys
import string import string
if (len(sys.argv) != 2): if (len(sys.argv) != 2):
print "syntax: " + sys.argv[0] + " input-filename" print("syntax: " + sys.argv[0] + " input-filename")
sys.exit(1) sys.exit(1)
filename = sys.argv[1] filename = sys.argv[1]
@ -31,4 +31,4 @@ with open(filename, 'r') as f:
block_list.sort() block_list.sort()
for block in block_list: for block in block_list:
print block print(block)