| author | Yiteng Zhang <yiteng.zhang@oracle.com> |
| Tue, 17 Mar 2015 18:19:09 -0700 | |
| changeset 3177 | 173c3b46334b |
| parent 3171 | 525f5bdb3f62 |
| child 3194 | 185fd0ebde38 |
| permissions | -rw-r--r-- |
|
3177
173c3b46334b
18735388 pkg utilities should switch to Python 2.7
Yiteng Zhang <yiteng.zhang@oracle.com>
parents:
3171
diff
changeset
|
1 |
#!/usr/bin/python |
|
1423
06e5797f2786
11965 stub signature action needed
Brock Pytlik <bpytlik@sun.com>
parents:
diff
changeset
|
2 |
# |
|
06e5797f2786
11965 stub signature action needed
Brock Pytlik <bpytlik@sun.com>
parents:
diff
changeset
|
3 |
# CDDL HEADER START |
|
06e5797f2786
11965 stub signature action needed
Brock Pytlik <bpytlik@sun.com>
parents:
diff
changeset
|
4 |
# |
|
06e5797f2786
11965 stub signature action needed
Brock Pytlik <bpytlik@sun.com>
parents:
diff
changeset
|
5 |
# The contents of this file are subject to the terms of the |
|
06e5797f2786
11965 stub signature action needed
Brock Pytlik <bpytlik@sun.com>
parents:
diff
changeset
|
6 |
# Common Development and Distribution License (the "License"). |
|
06e5797f2786
11965 stub signature action needed
Brock Pytlik <bpytlik@sun.com>
parents:
diff
changeset
|
7 |
# You may not use this file except in compliance with the License. |
|
06e5797f2786
11965 stub signature action needed
Brock Pytlik <bpytlik@sun.com>
parents:
diff
changeset
|
8 |
# |
|
06e5797f2786
11965 stub signature action needed
Brock Pytlik <bpytlik@sun.com>
parents:
diff
changeset
|
9 |
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE |
|
06e5797f2786
11965 stub signature action needed
Brock Pytlik <bpytlik@sun.com>
parents:
diff
changeset
|
10 |
# or http://www.opensolaris.org/os/licensing. |
|
06e5797f2786
11965 stub signature action needed
Brock Pytlik <bpytlik@sun.com>
parents:
diff
changeset
|
11 |
# See the License for the specific language governing permissions |
|
06e5797f2786
11965 stub signature action needed
Brock Pytlik <bpytlik@sun.com>
parents:
diff
changeset
|
12 |
# and limitations under the License. |
|
06e5797f2786
11965 stub signature action needed
Brock Pytlik <bpytlik@sun.com>
parents:
diff
changeset
|
13 |
# |
|
06e5797f2786
11965 stub signature action needed
Brock Pytlik <bpytlik@sun.com>
parents:
diff
changeset
|
14 |
# When distributing Covered Code, include this CDDL HEADER in each |
|
06e5797f2786
11965 stub signature action needed
Brock Pytlik <bpytlik@sun.com>
parents:
diff
changeset
|
15 |
# file and include the License file at usr/src/OPENSOLARIS.LICENSE. |
|
06e5797f2786
11965 stub signature action needed
Brock Pytlik <bpytlik@sun.com>
parents:
diff
changeset
|
16 |
# If applicable, add the following below this CDDL HEADER, with the |
|
06e5797f2786
11965 stub signature action needed
Brock Pytlik <bpytlik@sun.com>
parents:
diff
changeset
|
17 |
# fields enclosed by brackets "[]" replaced with your own identifying |
|
06e5797f2786
11965 stub signature action needed
Brock Pytlik <bpytlik@sun.com>
parents:
diff
changeset
|
18 |
# information: Portions Copyright [yyyy] [name of copyright owner] |
|
06e5797f2786
11965 stub signature action needed
Brock Pytlik <bpytlik@sun.com>
parents:
diff
changeset
|
19 |
# |
|
06e5797f2786
11965 stub signature action needed
Brock Pytlik <bpytlik@sun.com>
parents:
diff
changeset
|
20 |
# CDDL HEADER END |
|
06e5797f2786
11965 stub signature action needed
Brock Pytlik <bpytlik@sun.com>
parents:
diff
changeset
|
21 |
# |
|
06e5797f2786
11965 stub signature action needed
Brock Pytlik <bpytlik@sun.com>
parents:
diff
changeset
|
22 |
|
|
06e5797f2786
11965 stub signature action needed
Brock Pytlik <bpytlik@sun.com>
parents:
diff
changeset
|
23 |
# |
|
3158
58c9c2c21e67
20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents:
2962
diff
changeset
|
24 |
# Copyright (c) 2009, 2015, Oracle and/or its affiliates. All rights reserved. |
|
1423
06e5797f2786
11965 stub signature action needed
Brock Pytlik <bpytlik@sun.com>
parents:
diff
changeset
|
25 |
# |
|
06e5797f2786
11965 stub signature action needed
Brock Pytlik <bpytlik@sun.com>
parents:
diff
changeset
|
26 |
|
|
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
27 |
import os |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
28 |
import shutil |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
29 |
import tempfile |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
30 |
|
|
1423
06e5797f2786
11965 stub signature action needed
Brock Pytlik <bpytlik@sun.com>
parents:
diff
changeset
|
31 |
import generic |
|
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
32 |
import pkg.actions |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
33 |
import pkg.client.api_errors as apx |
|
2962
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
34 |
import pkg.digest as digest |
|
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
35 |
import pkg.misc as misc |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
36 |
import M2Crypto as m2 |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
37 |
|
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
38 |
valid_hash_algs = ("sha256", "sha384", "sha512")
|
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
39 |
valid_sig_algs = ("rsa",)
|
|
1423
06e5797f2786
11965 stub signature action needed
Brock Pytlik <bpytlik@sun.com>
parents:
diff
changeset
|
40 |
|
|
06e5797f2786
11965 stub signature action needed
Brock Pytlik <bpytlik@sun.com>
parents:
diff
changeset
|
41 |
class SignatureAction(generic.Action): |
|
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
42 |
"""Class representing the signature-type packaging object.""" |
|
1423
06e5797f2786
11965 stub signature action needed
Brock Pytlik <bpytlik@sun.com>
parents:
diff
changeset
|
43 |
|
|
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
44 |
__slots__ = ["hash", "hash_alg", "sig_alg", "cert_ident", |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
45 |
"chain_cert_openers"] |
|
1846
37cc4d517320
15386 action fromstr could pool attribute names to reduce memory usage
Shawn Walker <shawn.walker@oracle.com>
parents:
1516
diff
changeset
|
46 |
|
|
1423
06e5797f2786
11965 stub signature action needed
Brock Pytlik <bpytlik@sun.com>
parents:
diff
changeset
|
47 |
name = "signature" |
|
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
48 |
key_attr = "value" |
|
2639
06a370373267
7145683 explore general pkg performance improvements
Shawn Walker <shawn.walker@oracle.com>
parents:
2627
diff
changeset
|
49 |
ordinality = generic._orderdict[name] |
|
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
50 |
|
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
51 |
def __init__(self, data, **attrs): |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
52 |
generic.Action.__init__(self, data, **attrs) |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
53 |
|
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
54 |
self.hash = None |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
55 |
self.chain_cert_openers = [] |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
56 |
|
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
57 |
try: |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
58 |
self.sig_alg, self.hash_alg = self.decompose_sig_alg( |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
59 |
self.attrs["algorithm"]) |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
60 |
except KeyError: |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
61 |
raise pkg.actions.InvalidActionError(str(self), |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
62 |
_("Missing algorithm attribute"))
|
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
63 |
if "value" not in self.attrs: |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
64 |
self.attrs["value"] = "" |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
65 |
if "version" not in self.attrs: |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
66 |
self.attrs["version"] = \ |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
67 |
str(generic.Action.sig_version) |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
68 |
|
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
69 |
@property |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
70 |
def has_payload(self): |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
71 |
# If there's a hash, then there's a certificate to deliver |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
72 |
# with this action. |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
73 |
if not self.hash: |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
74 |
return False |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
75 |
return True |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
76 |
|
|
2286
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2215
diff
changeset
|
77 |
def needsdata(self, orig, pkgplan): |
|
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2215
diff
changeset
|
78 |
return self.has_payload |
|
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2215
diff
changeset
|
79 |
|
|
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
80 |
@staticmethod |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
81 |
def make_opener(pth): |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
82 |
def file_opener(): |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
83 |
return open(pth, "rb") |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
84 |
return file_opener |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
85 |
|
|
2286
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2215
diff
changeset
|
86 |
def __set_chain_certs_data(self, chain_certs, chash_dir): |
|
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
87 |
"""Store the information about the certs needed to validate |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
88 |
this signature in the signature. |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
89 |
|
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
90 |
The 'chain_certs' parameter is a list of paths to certificates. |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
91 |
""" |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
92 |
|
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
93 |
self.chain_cert_openers = [] |
|
2962
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
94 |
|
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
95 |
# chain_hshes and chain_chshes are dictionaries which map a |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
96 |
# given hash or compressed hash attribute to a list of the hash |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
97 |
# values for each path in chain_certs. |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
98 |
chain_hshes = {}
|
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
99 |
chain_chshes = {}
|
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
100 |
chain_csizes = [] |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
101 |
chain_sizes = [] |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
102 |
|
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
103 |
for attr in digest.DEFAULT_CHAIN_ATTRS: |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
104 |
chain_hshes[attr] = [] |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
105 |
for attr in digest.DEFAULT_CHAIN_CHASH_ATTRS: |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
106 |
chain_chshes[attr] = [] |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
107 |
|
|
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
108 |
for pth in chain_certs: |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
109 |
if not os.path.exists(pth): |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
110 |
raise pkg.actions.ActionDataError( |
|
3158
58c9c2c21e67
20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents:
2962
diff
changeset
|
111 |
_("No such file: '{0}'.").format(pth),
|
|
58c9c2c21e67
20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents:
2962
diff
changeset
|
112 |
path=pth) |
|
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
113 |
elif os.path.isdir(pth): |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
114 |
raise pkg.actions.ActionDataError( |
|
3158
58c9c2c21e67
20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents:
2962
diff
changeset
|
115 |
_("'{0}' is not a file.").format(pth),
|
|
58c9c2c21e67
20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents:
2962
diff
changeset
|
116 |
path=pth) |
|
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
117 |
file_opener = self.make_opener(pth) |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
118 |
self.chain_cert_openers.append(file_opener) |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
119 |
self.attrs.setdefault("chain.sizes", [])
|
|
2962
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
120 |
self.attrs.setdefault("chain.csizes", [])
|
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
121 |
|
|
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
122 |
try: |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
123 |
fs = os.stat(pth) |
|
2962
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
124 |
chain_sizes.append(str(fs.st_size)) |
|
3171
525f5bdb3f62
20434301 change exception handling syntax for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents:
3164
diff
changeset
|
125 |
except EnvironmentError as e: |
|
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
126 |
raise pkg.actions.ActionDataError(e, path=pth) |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
127 |
# misc.get_data_digest takes care of closing the file |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
128 |
# that's opened below. |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
129 |
with file_opener() as fh: |
|
2962
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
130 |
hshes, data = misc.get_data_digest(fh, |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
131 |
length=fs.st_size, return_content=True, |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
132 |
hash_attrs=digest.DEFAULT_CHAIN_ATTRS, |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
133 |
hash_algs=digest.CHAIN_ALGS) |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
134 |
|
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
135 |
for attr in hshes: |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
136 |
chain_hshes[attr].append(hshes[attr]) |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
137 |
|
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
138 |
# We need a filename to use for the uncompressed chain |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
139 |
# cert, so get the preferred chain hash value from the |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
140 |
# chain_hshes |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
141 |
chain_val = None |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
142 |
for attr in digest.RANKED_CHAIN_ATTRS: |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
143 |
if not chain_val and attr in hshes: |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
144 |
chain_val = hshes[attr] |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
145 |
|
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
146 |
csize, chashes = misc.compute_compressed_attrs( |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
147 |
chain_val, None, data, fs.st_size, chash_dir, |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
148 |
chash_attrs=digest.DEFAULT_CHAIN_CHASH_ATTRS, |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
149 |
chash_algs=digest.CHAIN_CHASH_ALGS) |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
150 |
|
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
151 |
chain_csizes.append(csize) |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
152 |
for attr in chashes: |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
153 |
chain_chshes[attr].append( |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
154 |
chashes[attr].hexdigest()) |
|
3164
21e62efb9dd7
19381136 signature consumers assume chain present causing traceback
saurabh.vyas@oracle.com
parents:
3158
diff
changeset
|
155 |
|
|
21e62efb9dd7
19381136 signature consumers assume chain present causing traceback
saurabh.vyas@oracle.com
parents:
3158
diff
changeset
|
156 |
# Remove any unused hash attributes. |
|
21e62efb9dd7
19381136 signature consumers assume chain present causing traceback
saurabh.vyas@oracle.com
parents:
3158
diff
changeset
|
157 |
for cattrs in (chain_hshes, chain_chshes): |
|
21e62efb9dd7
19381136 signature consumers assume chain present causing traceback
saurabh.vyas@oracle.com
parents:
3158
diff
changeset
|
158 |
for attr in list(cattrs.keys()): |
|
21e62efb9dd7
19381136 signature consumers assume chain present causing traceback
saurabh.vyas@oracle.com
parents:
3158
diff
changeset
|
159 |
if not cattrs[attr]: |
|
21e62efb9dd7
19381136 signature consumers assume chain present causing traceback
saurabh.vyas@oracle.com
parents:
3158
diff
changeset
|
160 |
cattrs.pop(attr, None) |
|
21e62efb9dd7
19381136 signature consumers assume chain present causing traceback
saurabh.vyas@oracle.com
parents:
3158
diff
changeset
|
161 |
|
|
2962
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
162 |
if chain_hshes: |
|
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
163 |
# These attributes are stored as a single value with |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
164 |
# spaces in it rather than multiple values to ensure |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
165 |
# the ordering remains consistent. |
|
2962
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
166 |
self.attrs["chain.sizes"] = " ".join(chain_sizes) |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
167 |
self.attrs["chain.csizes"] = " ".join(chain_csizes) |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
168 |
|
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
169 |
for attr in digest.DEFAULT_CHAIN_ATTRS: |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
170 |
self.attrs[attr] = " ".join(chain_hshes[attr]) |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
171 |
for attr in digest.DEFAULT_CHAIN_CHASH_ATTRS: |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
172 |
self.attrs[attr] = " ".join(chain_chshes[attr]) |
|
2286
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2215
diff
changeset
|
173 |
|
|
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2215
diff
changeset
|
174 |
def get_size(self): |
|
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2215
diff
changeset
|
175 |
res = generic.Action.get_size(self) |
|
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2215
diff
changeset
|
176 |
for s in self.attrs.get("chain.sizes", "").split():
|
|
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2215
diff
changeset
|
177 |
res += int(s) |
|
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2215
diff
changeset
|
178 |
return res |
|
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2215
diff
changeset
|
179 |
|
|
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2215
diff
changeset
|
180 |
def get_action_chain_csize(self): |
|
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2215
diff
changeset
|
181 |
res = 0 |
|
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2215
diff
changeset
|
182 |
for s in self.attrs.get("chain.csizes", "").split():
|
|
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2215
diff
changeset
|
183 |
res += int(s) |
|
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2215
diff
changeset
|
184 |
return res |
|
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2215
diff
changeset
|
185 |
|
|
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2215
diff
changeset
|
186 |
def get_chain_csize(self, chain): |
|
2962
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
187 |
# The length of 'chain' is also going to be the length |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
188 |
# of pkg.chain.<hash alg>, so there's no need to look for |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
189 |
# other hash attributes here. |
|
2286
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2215
diff
changeset
|
190 |
for c, s in zip(self.attrs.get("chain", "").split(),
|
|
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2215
diff
changeset
|
191 |
self.attrs.get("chain.csizes", "").split()):
|
|
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2215
diff
changeset
|
192 |
if c == chain: |
|
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2215
diff
changeset
|
193 |
return int(s) |
|
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2215
diff
changeset
|
194 |
return None |
|
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
195 |
|
|
2539
82d3275709e9
18533 pkgrecv -a stack traces when pulling packages
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2514
diff
changeset
|
196 |
def get_chain_size(self, chain): |
|
82d3275709e9
18533 pkgrecv -a stack traces when pulling packages
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2514
diff
changeset
|
197 |
for c, s in zip(self.attrs.get("chain", "").split(),
|
|
82d3275709e9
18533 pkgrecv -a stack traces when pulling packages
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2514
diff
changeset
|
198 |
self.attrs.get("chain.sizes", "").split()):
|
|
82d3275709e9
18533 pkgrecv -a stack traces when pulling packages
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2514
diff
changeset
|
199 |
if c == chain: |
|
82d3275709e9
18533 pkgrecv -a stack traces when pulling packages
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2514
diff
changeset
|
200 |
return int(s) |
|
82d3275709e9
18533 pkgrecv -a stack traces when pulling packages
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2514
diff
changeset
|
201 |
return None |
|
82d3275709e9
18533 pkgrecv -a stack traces when pulling packages
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2514
diff
changeset
|
202 |
|
|
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
203 |
def sig_str(self, a, version): |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
204 |
"""Create a stable string representation of an action that |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
205 |
is deterministic in its creation. If creating a string from an |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
206 |
action is non-deterministic, then manifest signing cannot work. |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
207 |
|
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
208 |
The parameter 'a' is the signature action that's going to use |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
209 |
the string produced. It's needed for the signature string |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
210 |
action, and is here to keep the method signature the same. |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
211 |
""" |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
212 |
|
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
213 |
# Any changes to this function mean Action.sig_version must be |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
214 |
# incremented. |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
215 |
|
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
216 |
if version != generic.Action.sig_version: |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
217 |
raise apx.UnsupportedSignatureVersion(version, sig=self) |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
218 |
# Signature actions don't sign other signature actions. So if |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
219 |
# the action that's doing the signing isn't ourself, return |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
220 |
# nothing. |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
221 |
if str(a) != str(self): |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
222 |
return None |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
223 |
|
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
224 |
# It's necessary to sign the action as the client will see it, |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
225 |
# post publication. To do that, it's necessary to simulate the |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
226 |
# publication process on a copy of the action, converting |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
227 |
# paths to hashes and adding size information. |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
228 |
tmp_a = SignatureAction(None, **self.attrs) |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
229 |
# The signature action can't sign the value of the value |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
230 |
# attribute, but it can sign that attribute's name. |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
231 |
tmp_a.attrs["value"] = "" |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
232 |
if callable(self.data): |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
233 |
size = int(self.attrs.get("pkg.size", 0))
|
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
234 |
tmp_dir = tempfile.mkdtemp() |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
235 |
with self.data() as fh: |
|
2962
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
236 |
hashes, data = misc.get_data_digest(fh, |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
237 |
size, return_content=True, |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
238 |
hash_attrs=digest.DEFAULT_HASH_ATTRS, |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
239 |
hash_algs=digest.HASH_ALGS) |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
240 |
tmp_a.attrs.update(hashes) |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
241 |
# "hash" is special since it shouldn't appear in |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
242 |
# the action attributes, it gets set as a member |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
243 |
# instead. |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
244 |
if "hash" in tmp_a.attrs: |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
245 |
tmp_a.hash = tmp_a.attrs["hash"] |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
246 |
del tmp_a.attrs["hash"] |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
247 |
|
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
248 |
# The use of self.hash here is just to point to a |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
249 |
# filename, the type of hash used for self.hash is |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
250 |
# irrelevant. Note that our use of self.hash for the |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
251 |
# basename will need to be modified when we finally move |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
252 |
# off SHA-1 hashes. |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
253 |
csize, chashes = misc.compute_compressed_attrs( |
|
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
254 |
os.path.basename(self.hash), self.hash, data, size, |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
255 |
tmp_dir) |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
256 |
shutil.rmtree(tmp_dir) |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
257 |
tmp_a.attrs["pkg.csize"] = csize |
|
2962
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
258 |
for attr in chashes: |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
259 |
tmp_a.attrs[attr] = chashes[attr].hexdigest() |
|
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
260 |
elif self.hash: |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
261 |
tmp_a.hash = self.hash |
|
2962
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
262 |
for attr in digest.DEFAULT_HASH_ATTRS: |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
263 |
if attr in self.attrs: |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
264 |
tmp_a.attrs[attr] = self.attrs[attr] |
|
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
265 |
|
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
266 |
csizes = [] |
|
2962
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
267 |
chain_hashes = {}
|
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
268 |
chain_chashes = {}
|
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
269 |
for attr in digest.DEFAULT_CHAIN_ATTRS: |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
270 |
chain_hashes[attr] = [] |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
271 |
for attr in digest.DEFAULT_CHAIN_CHASH_ATTRS: |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
272 |
chain_chashes[attr] = [] |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
273 |
|
|
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
274 |
sizes = self.attrs.get("chain.sizes", "").split()
|
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
275 |
for i, c in enumerate(self.chain_cert_openers): |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
276 |
size = int(sizes[i]) |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
277 |
tmp_dir = tempfile.mkdtemp() |
|
2962
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
278 |
hshes, data = misc.get_data_digest(c(), size, |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
279 |
return_content=True, |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
280 |
hash_attrs=digest.DEFAULT_CHAIN_ATTRS, |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
281 |
hash_algs=digest.CHAIN_ALGS) |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
282 |
|
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
283 |
for attr in hshes: |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
284 |
chain_hashes[attr].append(hshes[attr]) |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
285 |
|
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
286 |
csize, chashes = misc.compute_compressed_attrs("tmp",
|
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
287 |
None, data, size, tmp_dir, |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
288 |
chash_attrs=digest.DEFAULT_CHAIN_CHASH_ATTRS, |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
289 |
chash_algs=digest.CHAIN_CHASH_ALGS) |
|
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
290 |
shutil.rmtree(tmp_dir) |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
291 |
csizes.append(csize) |
|
2962
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
292 |
for attr in chashes: |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
293 |
chain_chashes[attr].append( |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
294 |
chashes[attr].hexdigest()) |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
295 |
|
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
296 |
if chain_hashes: |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
297 |
for attr in digest.DEFAULT_CHAIN_ATTRS: |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
298 |
if chain_hashes[attr]: |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
299 |
tmp_a.attrs[attr] = " ".join( |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
300 |
chain_hashes[attr]) |
|
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
301 |
|
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
302 |
# Now that tmp_a looks like the post-published action, transform |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
303 |
# it into a string using the generic sig_str method. |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
304 |
return generic.Action.sig_str(tmp_a, tmp_a, version) |
|
2962
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
305 |
|
|
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
306 |
def actions_to_str(self, acts, version): |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
307 |
"""Transforms a collection of actions into a string that is |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
308 |
used to sign those actions.""" |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
309 |
|
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
310 |
# If a is None, then the action was another signature action so |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
311 |
# discard it from the information to be signed. |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
312 |
return "\n".join(sorted( |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
313 |
(a for a in |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
314 |
(b.sig_str(self, version) for b in acts) |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
315 |
if a is not None))) |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
316 |
|
|
2286
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2215
diff
changeset
|
317 |
def retrieve_chain_certs(self, pub): |
|
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2215
diff
changeset
|
318 |
"""Retrieve the chain certificates needed to validate this |
|
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2215
diff
changeset
|
319 |
signature.""" |
|
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
320 |
|
|
2962
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
321 |
chain_attr, chain_val, hash_func = \ |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
322 |
digest.get_least_preferred_hash(self, |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
323 |
hash_type=digest.CHAIN) |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
324 |
# We may not have any chain certs for this signature |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
325 |
if not chain_val: |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
326 |
return |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
327 |
for c in chain_val.split(): |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
328 |
pub.get_cert_by_hash(c, only_retrieve=True, |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
329 |
hash_func=hash_func) |
|
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
330 |
|
|
2962
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
331 |
def get_chain_certs(self, least_preferred=False): |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
332 |
"""Return a list of the chain certificates needed to validate |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
333 |
this signature. When retrieving the content from the |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
334 |
repository, we use the "least preferred" hash for backwards |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
335 |
compatibility, but when verifying the content, we use the |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
336 |
"most preferred" hash.""" |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
337 |
|
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
338 |
if least_preferred: |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
339 |
chain_attr, chain_val, hash_func = \ |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
340 |
digest.get_least_preferred_hash(self, |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
341 |
hash_type=digest.CHAIN) |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
342 |
else: |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
343 |
chain_attr, chain_val, hash_func = \ |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
344 |
digest.get_preferred_hash(self, |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
345 |
hash_type=digest.CHAIN) |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
346 |
if not chain_val: |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
347 |
return [] |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
348 |
return chain_val.split() |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
349 |
|
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
350 |
def get_chain_certs_chashes(self, least_preferred=False): |
|
2286
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2215
diff
changeset
|
351 |
"""Return a list of the chain certificates needed to validate |
|
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2215
diff
changeset
|
352 |
this signature.""" |
|
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2215
diff
changeset
|
353 |
|
|
2962
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
354 |
if least_preferred: |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
355 |
chain_chash_attr, chain_chash_val, hash_func = \ |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
356 |
digest.get_least_preferred_hash(self, |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
357 |
hash_type=digest.CHAIN_CHASH) |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
358 |
else: |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
359 |
chain_chash_attr, chain_chash_val, hash_func = \ |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
360 |
digest.get_preferred_hash(self, |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
361 |
hash_type=digest.CHAIN_CHASH) |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
362 |
if not chain_chash_val: |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
363 |
return [] |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
364 |
return chain_chash_val.split() |
|
2286
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2215
diff
changeset
|
365 |
|
|
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
366 |
def is_signed(self): |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
367 |
"""Returns True if this action is signed using a key, instead |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
368 |
of simply being a hash. Since variant tagged signature |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
369 |
actions are not handled yet, it also returns False in that |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
370 |
case.""" |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
371 |
|
|
2091
824491c11ff3
15958 generate gets partially satisfied internal dependencies wrong
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2026
diff
changeset
|
372 |
return self.hash is not None and not self.get_variant_template() |
|
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
373 |
|
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
374 |
@staticmethod |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
375 |
def decompose_sig_alg(val): |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
376 |
"""Split the sig_alg attribute up in to something useful.""" |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
377 |
|
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
378 |
for s in valid_sig_algs: |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
379 |
for h in valid_hash_algs: |
|
3158
58c9c2c21e67
20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents:
2962
diff
changeset
|
380 |
t = "{0}-{1}".format(s, h)
|
|
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
381 |
if val == t: |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
382 |
return s, h |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
383 |
for h in valid_hash_algs: |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
384 |
if h == val: |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
385 |
return None, h |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
386 |
return None, None |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
387 |
|
|
2458
7c1227ad555e
18466 pkg needs an option to skip crl verification
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2339
diff
changeset
|
388 |
def verify_sig(self, acts, pub, trust_anchors, use_crls, |
|
7c1227ad555e
18466 pkg needs an option to skip crl verification
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2339
diff
changeset
|
389 |
required_names=None): |
|
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
390 |
"""Try to verify this signature. It can return True or |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
391 |
None. None means we didn't know how to verify this signature. |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
392 |
If we do know how to verify the signature but it doesn't verify, |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
393 |
then an exception is raised. |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
394 |
|
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
395 |
The 'acts' parameter is the iterable of actions against which |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
396 |
to verify the signature. |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
397 |
|
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
398 |
The 'pub' parameter is the publisher that published the |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
399 |
package this action signed. |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
400 |
|
|
2286
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2215
diff
changeset
|
401 |
The 'trust_anchors' parameter contains the trust anchors to use |
|
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2215
diff
changeset
|
402 |
when verifying the signature. |
|
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2215
diff
changeset
|
403 |
|
|
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
404 |
The 'required_names' parameter is a set of strings that must |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
405 |
be seen as a CN in the chain of trust for the certificate.""" |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
406 |
|
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
407 |
ver = int(self.attrs["version"]) |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
408 |
# If this signature is tagged with variants, if the version is |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
409 |
# higher than one we know about, or it uses an unrecognized |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
410 |
# hash algorithm, we can't handle it yet. |
|
2091
824491c11ff3
15958 generate gets partially satisfied internal dependencies wrong
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2026
diff
changeset
|
411 |
if self.get_variant_template() or \ |
|
824491c11ff3
15958 generate gets partially satisfied internal dependencies wrong
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2026
diff
changeset
|
412 |
ver > generic.Action.sig_version or not self.hash_alg: |
|
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
413 |
return None |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
414 |
# Turning this into a list makes debugging vastly more |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
415 |
# tractable. |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
416 |
acts = list(acts) |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
417 |
# If self.hash is None, then the signature is storing a hash |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
418 |
# of the actions, not a signed value. |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
419 |
if self.hash is None: |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
420 |
assert self.sig_alg is None |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
421 |
dgst = m2.EVP.MessageDigest(self.hash_alg) |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
422 |
res = dgst.update(self.actions_to_str(acts, ver)) |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
423 |
assert res == 1, \ |
|
3158
58c9c2c21e67
20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents:
2962
diff
changeset
|
424 |
"Res was expected to be 1, but was {0}".format(res)
|
|
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
425 |
computed_hash = dgst.final() |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
426 |
# The attrs value is stored in hex so that it's easy |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
427 |
# to read. |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
428 |
if misc.hex_to_binary(self.attrs["value"]) != \ |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
429 |
computed_hash: |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
430 |
raise apx.UnverifiedSignature(self, |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
431 |
_("The signature value did not match the "
|
|
3158
58c9c2c21e67
20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents:
2962
diff
changeset
|
432 |
"expected value. action: {0}").format(self))
|
|
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
433 |
return True |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
434 |
# Verify a signature that's not just a hash. |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
435 |
if self.sig_alg is None: |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
436 |
return None |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
437 |
# Get the certificate paired with the key which signed this |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
438 |
# action. |
|
2962
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
439 |
attr, hash_val, hash_func = \ |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
440 |
digest.get_least_preferred_hash(self) |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
441 |
cert = pub.get_cert_by_hash(hash_val, verify_hash=True, |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
442 |
hash_func=hash_func) |
|
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
443 |
# Make sure that the intermediate certificates that are needed |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
444 |
# to validate this signature are present. |
|
2286
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2215
diff
changeset
|
445 |
self.retrieve_chain_certs(pub) |
|
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
446 |
try: |
|
2215
b4355e8c5097
16856 need to check keyUsage for leaf certs
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2091
diff
changeset
|
447 |
# This import is placed here to break a circular |
|
b4355e8c5097
16856 need to check keyUsage for leaf certs
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2091
diff
changeset
|
448 |
# import seen when merge.py is used. |
|
b4355e8c5097
16856 need to check keyUsage for leaf certs
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2091
diff
changeset
|
449 |
from pkg.client.publisher import CODE_SIGNING_USE |
|
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
450 |
# Verify the certificate whose key created this |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
451 |
# signature action. |
|
2458
7c1227ad555e
18466 pkg needs an option to skip crl verification
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2339
diff
changeset
|
452 |
pub.verify_chain(cert, trust_anchors, 0, use_crls, |
|
2286
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2215
diff
changeset
|
453 |
required_names=required_names, |
|
2215
b4355e8c5097
16856 need to check keyUsage for leaf certs
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2091
diff
changeset
|
454 |
usages=CODE_SIGNING_USE) |
|
3171
525f5bdb3f62
20434301 change exception handling syntax for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents:
3164
diff
changeset
|
455 |
except apx.SigningException as e: |
|
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
456 |
e.act = self |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
457 |
raise |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
458 |
# Check that the certificate verifies against this signature. |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
459 |
pub_key = cert.get_pubkey(md=self.hash_alg) |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
460 |
pub_key.verify_init() |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
461 |
pub_key.verify_update(self.actions_to_str(acts, ver)) |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
462 |
res = pub_key.verify_final( |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
463 |
misc.hex_to_binary(self.attrs["value"])) |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
464 |
if not res: |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
465 |
raise apx.UnverifiedSignature(self, |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
466 |
_("The signature value did not match the expected "
|
|
3158
58c9c2c21e67
20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents:
2962
diff
changeset
|
467 |
"value. Res: {0}").format(res))
|
|
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
468 |
return True |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
469 |
|
|
2286
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2215
diff
changeset
|
470 |
def set_signature(self, acts, key_path=None, chain_paths=misc.EmptyI, |
|
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2215
diff
changeset
|
471 |
chash_dir=None): |
|
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
472 |
"""Sets the signature value for this action. |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
473 |
|
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
474 |
The 'acts' parameter is the iterable of actions this action |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
475 |
should sign. |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
476 |
|
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
477 |
The 'key_path' parameter is the path to the file containing the |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
478 |
private key which is used to sign the actions. |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
479 |
|
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
480 |
The 'chain_paths' parameter is an iterable of paths to |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
481 |
certificates which are needed to form the chain of trust from |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
482 |
the certificate associated with the key in 'key_path' to one of |
|
2286
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2215
diff
changeset
|
483 |
the CAs for the publisher of the actions. |
|
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2215
diff
changeset
|
484 |
|
|
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2215
diff
changeset
|
485 |
The 'chash_dir' parameter is the temporary directory to use |
|
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2215
diff
changeset
|
486 |
while calculating the compressed hashes for chain certs.""" |
|
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
487 |
|
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
488 |
# Turning this into a list makes debugging vastly more |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
489 |
# tractable. |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
490 |
acts = list(acts) |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
491 |
|
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
492 |
# If key_path is None, then set value to be the hash |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
493 |
# of the actions. |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
494 |
if key_path is None: |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
495 |
# If no private key is set, then no certificate should |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
496 |
# have been given. |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
497 |
assert self.data is None |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
498 |
dgst = m2.EVP.MessageDigest(self.hash_alg) |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
499 |
res = dgst.update(self.actions_to_str(acts, |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
500 |
generic.Action.sig_version)) |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
501 |
assert res == 1, \ |
|
3158
58c9c2c21e67
20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents:
2962
diff
changeset
|
502 |
"Res was expected to be 1, it was {0}".format(res)
|
|
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
503 |
self.attrs["value"] = \ |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
504 |
misc.binary_to_hex(dgst.final()) |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
505 |
else: |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
506 |
# If a private key is used, then the certificate it's |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
507 |
# paired with must be provided. |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
508 |
assert self.data is not None |
|
2286
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2215
diff
changeset
|
509 |
self.__set_chain_certs_data(chain_paths, chash_dir) |
|
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
510 |
|
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
511 |
try: |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
512 |
priv_key = m2.RSA.load_key(key_path) |
|
2286
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2215
diff
changeset
|
513 |
except m2.RSA.RSAError: |
|
3158
58c9c2c21e67
20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents:
2962
diff
changeset
|
514 |
raise apx.BadFileFormat(_("{0} was expected to "
|
|
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
515 |
"be a RSA key but could not be read " |
|
3158
58c9c2c21e67
20177033 change string formatting for python 3 migration
Yiteng Zhang <yiteng.zhang@oracle.com>
parents:
2962
diff
changeset
|
516 |
"correctly.").format(key_path)) |
|
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
517 |
signer = m2.EVP.PKey(md=self.hash_alg) |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
518 |
signer.assign_rsa(priv_key, 1) |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
519 |
del priv_key |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
520 |
signer.sign_init() |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
521 |
signer.sign_update(self.actions_to_str(acts, |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
522 |
generic.Action.sig_version)) |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
523 |
|
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
524 |
self.attrs["value"] = \ |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
525 |
misc.binary_to_hex(signer.sign_final()) |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
526 |
|
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
527 |
def generate_indices(self): |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
528 |
"""Generates the indices needed by the search dictionary. See |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
529 |
generic.py for a more detailed explanation.""" |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
530 |
|
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
531 |
res = [] |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
532 |
if self.hash is not None: |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
533 |
res.append((self.name, "certificate", self.hash, |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
534 |
self.hash)) |
|
2514
41eafed9cc11
18829 indexing for signature actions seems broken
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2476
diff
changeset
|
535 |
res.append((self.name, "algorithm", |
|
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
536 |
self.attrs["algorithm"], self.attrs["algorithm"])) |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
537 |
res.append((self.name, "signature", self.attrs["value"], |
|
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
538 |
self.attrs["value"])) |
|
2962
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
539 |
for attr in digest.DEFAULT_HASH_ATTRS: |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
540 |
# we already have an index entry for self.hash |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
541 |
if attr == "hash": |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
542 |
continue |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
543 |
hash = self.attrs[attr] |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
544 |
res.append((self.name, attr, hash, None)) |
|
2026
d1b30615bc99
9196 pkg(5) should have support for cryptographic manifest signatures
Brock Pytlik <bpytlik@sun.com>
parents:
1846
diff
changeset
|
545 |
return res |
|
2286
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2215
diff
changeset
|
546 |
|
|
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2215
diff
changeset
|
547 |
def identical(self, other, hsh): |
|
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2215
diff
changeset
|
548 |
"""Check whether another action is identical to this |
|
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2215
diff
changeset
|
549 |
signature.""" |
|
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2215
diff
changeset
|
550 |
# Only signature actions can be identical to other signature |
|
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2215
diff
changeset
|
551 |
# actions. |
|
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2215
diff
changeset
|
552 |
if self.name != other.name: |
|
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2215
diff
changeset
|
553 |
return False |
|
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2215
diff
changeset
|
554 |
# If the code signing certs are identical, the more checking is |
|
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2215
diff
changeset
|
555 |
# needed. |
|
2962
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
556 |
# Determine if we share any hash attribute values with the other |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
557 |
# action. |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
558 |
matching_hash_attrs = set() |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
559 |
for attr in digest.DEFAULT_HASH_ATTRS: |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
560 |
if attr == "hash": |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
561 |
# we deal with the 'hash' member later |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
562 |
continue |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
563 |
if attr in self.attrs and attr in other.attrs and \ |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
564 |
self.attrs[attr] == other.attrs[attr] and \ |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
565 |
self.assrs[attr]: |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
566 |
matching_hash_attrs.add(attr) |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
567 |
if hsh and hsh == other.attrs.get(attr): |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
568 |
# Technically 'hsh' isn't a hash attr, it's |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
569 |
# a hash attr value, but that's enough for us |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
570 |
# to consider it as potentially identical. |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
571 |
matching_hash_attrs.add(hsh) |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
572 |
|
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
573 |
if hsh == other.hash or self.hash == other.hash or \ |
|
ce8cd4c07986
15433013 content hash handling should handle different hash functions
Tim Foster <tim.s.foster@oracle.com>
parents:
2639
diff
changeset
|
574 |
matching_hash_attrs: |
|
2286
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2215
diff
changeset
|
575 |
# If the algorithms are using different algorithms or |
|
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2215
diff
changeset
|
576 |
# have different versions, then they're not identical. |
|
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2215
diff
changeset
|
577 |
if self.attrs["algorithm"] != \ |
|
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2215
diff
changeset
|
578 |
other.attrs["algorithm"] or \ |
|
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2215
diff
changeset
|
579 |
self.attrs["version"] != other.attrs["version"]: |
|
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2215
diff
changeset
|
580 |
return False |
|
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2215
diff
changeset
|
581 |
# If the values are the same, then they're identical. |
|
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2215
diff
changeset
|
582 |
if self.attrs["value"] == other.attrs["value"]: |
|
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2215
diff
changeset
|
583 |
return True |
|
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2215
diff
changeset
|
584 |
raise apx.AlmostIdentical(hsh, |
|
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2215
diff
changeset
|
585 |
self.attrs["algorithm"], self.attrs["version"]) |
|
938fbb350ad2
16867 pkgsign should handle existing signatures better
Brock Pytlik <brock.pytlik@oracle.com>
parents:
2215
diff
changeset
|
586 |
return False |
|
2476
25342deb3749
3262 symlink loops can cause operation traceback
Shawn Walker <shawn.walker@oracle.com>
parents:
2458
diff
changeset
|
587 |
|
|
25342deb3749
3262 symlink loops can cause operation traceback
Shawn Walker <shawn.walker@oracle.com>
parents:
2458
diff
changeset
|
588 |
def validate(self, fmri=None): |
|
25342deb3749
3262 symlink loops can cause operation traceback
Shawn Walker <shawn.walker@oracle.com>
parents:
2458
diff
changeset
|
589 |
"""Performs additional validation of action attributes that |
|
25342deb3749
3262 symlink loops can cause operation traceback
Shawn Walker <shawn.walker@oracle.com>
parents:
2458
diff
changeset
|
590 |
for performance or other reasons cannot or should not be done |
|
25342deb3749
3262 symlink loops can cause operation traceback
Shawn Walker <shawn.walker@oracle.com>
parents:
2458
diff
changeset
|
591 |
during Action object creation. An ActionError exception (or |
|
25342deb3749
3262 symlink loops can cause operation traceback
Shawn Walker <shawn.walker@oracle.com>
parents:
2458
diff
changeset
|
592 |
subclass of) will be raised if any attributes are not valid. |
|
25342deb3749
3262 symlink loops can cause operation traceback
Shawn Walker <shawn.walker@oracle.com>
parents:
2458
diff
changeset
|
593 |
This is primarily intended for use during publication or during |
|
25342deb3749
3262 symlink loops can cause operation traceback
Shawn Walker <shawn.walker@oracle.com>
parents:
2458
diff
changeset
|
594 |
error handling to provide additional diagonostics. |
|
25342deb3749
3262 symlink loops can cause operation traceback
Shawn Walker <shawn.walker@oracle.com>
parents:
2458
diff
changeset
|
595 |
|
|
25342deb3749
3262 symlink loops can cause operation traceback
Shawn Walker <shawn.walker@oracle.com>
parents:
2458
diff
changeset
|
596 |
'fmri' is an optional package FMRI (object or string) indicating |
|
25342deb3749
3262 symlink loops can cause operation traceback
Shawn Walker <shawn.walker@oracle.com>
parents:
2458
diff
changeset
|
597 |
what package contained this action. |
|
25342deb3749
3262 symlink loops can cause operation traceback
Shawn Walker <shawn.walker@oracle.com>
parents:
2458
diff
changeset
|
598 |
""" |
|
25342deb3749
3262 symlink loops can cause operation traceback
Shawn Walker <shawn.walker@oracle.com>
parents:
2458
diff
changeset
|
599 |
|
|
25342deb3749
3262 symlink loops can cause operation traceback
Shawn Walker <shawn.walker@oracle.com>
parents:
2458
diff
changeset
|
600 |
# 'value' can only be required at publication time since signing |
|
25342deb3749
3262 symlink loops can cause operation traceback
Shawn Walker <shawn.walker@oracle.com>
parents:
2458
diff
changeset
|
601 |
# relies on the ability to construct actions without one despite |
|
25342deb3749
3262 symlink loops can cause operation traceback
Shawn Walker <shawn.walker@oracle.com>
parents:
2458
diff
changeset
|
602 |
# the fact that it is the key attribute. |
|
25342deb3749
3262 symlink loops can cause operation traceback
Shawn Walker <shawn.walker@oracle.com>
parents:
2458
diff
changeset
|
603 |
generic.Action._validate(self, fmri=fmri, |
|
25342deb3749
3262 symlink loops can cause operation traceback
Shawn Walker <shawn.walker@oracle.com>
parents:
2458
diff
changeset
|
604 |
numeric_attrs=("pkg.csize", "pkg.size"),
|
|
25342deb3749
3262 symlink loops can cause operation traceback
Shawn Walker <shawn.walker@oracle.com>
parents:
2458
diff
changeset
|
605 |
required_attrs=("value",), single_attrs=("algorithm",
|
|
25342deb3749
3262 symlink loops can cause operation traceback
Shawn Walker <shawn.walker@oracle.com>
parents:
2458
diff
changeset
|
606 |
"chash", "value")) |