123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267 |
- #!/usr/bin/env python
- from xml.sax import saxutils, handler, make_parser
- from optparse import OptionParser
- import ConfigParser
- import logging
- import base64
- import sys
- import os
- __VERSION = (0, 1)
- '''
- This tool reads a mac_permissions.xml and replaces keywords in the signature
- clause with keys provided by pem files.
- '''
- class GenerateKeys(object):
- def __init__(self, path):
- '''
- Generates an object with Base16 and Base64 encoded versions of the keys
- found in the supplied pem file argument. PEM files can contain multiple
- certs, however this seems to be unused in Android as pkg manager grabs
- the first cert in the APK. This will however support multiple certs in
- the resulting generation with index[0] being the first cert in the pem
- file.
- '''
- self._base64Key = list()
- self._base16Key = list()
- if not os.path.isfile(path):
- sys.exit("Path " + path + " does not exist or is not a file!")
- pkFile = open(path, 'rb').readlines()
- base64Key = ""
- lineNo = 1
- certNo = 1
- inCert = False
- for line in pkFile:
- line = line.strip()
- # Are we starting the certificate?
- if line == "-----BEGIN CERTIFICATE-----":
- if inCert:
- sys.exit("Encountered another BEGIN CERTIFICATE without END CERTIFICATE on " +
- "line: " + str(lineNo))
- inCert = True
- # Are we ending the ceritifcate?
- elif line == "-----END CERTIFICATE-----":
- if not inCert:
- sys.exit("Encountered END CERTIFICATE before BEGIN CERTIFICATE on line: "
- + str(lineNo))
- # If we ended the certificate trip the flag
- inCert = False
- # Sanity check the input
- if len(base64Key) == 0:
- sys.exit("Empty certficate , certificate "+ str(certNo) + " found in file: "
- + path)
- # ... and append the certificate to the list
- # Base 64 includes uppercase. DO NOT tolower()
- self._base64Key.append(base64Key)
- try:
- # Pkgmanager and setool see hex strings with lowercase, lets be consistent
- self._base16Key.append(base64.b16encode(base64.b64decode(base64Key)).lower())
- except TypeError:
- sys.exit("Invalid certificate, certificate "+ str(certNo) + " found in file: "
- + path)
- # After adding the key, reset the accumulator as pem files may have subsequent keys
- base64Key=""
- # And increment your cert number
- certNo = certNo + 1
- # If we haven't started the certificate, then we should not encounter any data
- elif not inCert:
- if line is not "":
- sys.exit("Detected erroneous line \""+ line + "\" on " + str(lineNo)
- + " in pem file: " + path)
- # else we have started the certicate and need to append the data
- elif inCert:
- base64Key += line
- else:
- # We should never hit this assert, if we do then an unaccounted for state
- # was entered that was NOT addressed by the if/elif statements above
- assert(False == True)
- # The last thing to do before looping up is to increment line number
- lineNo = lineNo + 1
- def __len__(self):
- return len(self._base16Key)
- def __str__(self):
- return str(self.getBase16Keys())
- def getBase16Keys(self):
- return self._base16Key
- def getBase64Keys(self):
- return self._base64Key
- class ParseConfig(ConfigParser.ConfigParser):
- # This must be lowercase
- OPTION_WILDCARD_TAG = "all"
- def generateKeyMap(self, target_build_variant, key_directory):
- keyMap = dict()
- for tag in self.sections():
- options = self.options(tag)
- for option in options:
- # Only generate the key map for debug or release,
- # not both!
- if option != target_build_variant and \
- option != ParseConfig.OPTION_WILDCARD_TAG:
- logging.info("Skipping " + tag + " : " + option +
- " because target build variant is set to " +
- str(target_build_variant))
- continue
- if tag in keyMap:
- sys.exit("Duplicate tag detected " + tag)
- tag_path = os.path.expandvars(self.get(tag, option))
- path = os.path.join(key_directory, tag_path)
- keyMap[tag] = GenerateKeys(path)
- # Multiple certificates may exist in
- # the pem file. GenerateKeys supports
- # this however, the mac_permissions.xml
- # as well as PMS do not.
- assert len(keyMap[tag]) == 1
- return keyMap
- class ReplaceTags(handler.ContentHandler):
- DEFAULT_TAG = "default"
- PACKAGE_TAG = "package"
- POLICY_TAG = "policy"
- SIGNER_TAG = "signer"
- SIGNATURE_TAG = "signature"
- TAGS_WITH_CHILDREN = [ DEFAULT_TAG, PACKAGE_TAG, POLICY_TAG, SIGNER_TAG ]
- XML_ENCODING_TAG = '<?xml version="1.0" encoding="iso-8859-1"?>'
- def __init__(self, keyMap, out=sys.stdout):
- handler.ContentHandler.__init__(self)
- self._keyMap = keyMap
- self._out = out
- self._out.write(ReplaceTags.XML_ENCODING_TAG)
- self._out.write("<!-- AUTOGENERATED FILE DO NOT MODIFY -->")
- self._out.write("<policy>")
- def __del__(self):
- self._out.write("</policy>")
- def startElement(self, tag, attrs):
- if tag == ReplaceTags.POLICY_TAG:
- return
- self._out.write('<' + tag)
- for (name, value) in attrs.items():
- if name == ReplaceTags.SIGNATURE_TAG and value in self._keyMap:
- for key in self._keyMap[value].getBase16Keys():
- logging.info("Replacing " + name + " " + value + " with " + key)
- self._out.write(' %s="%s"' % (name, saxutils.escape(key)))
- else:
- self._out.write(' %s="%s"' % (name, saxutils.escape(value)))
- if tag in ReplaceTags.TAGS_WITH_CHILDREN:
- self._out.write('>')
- else:
- self._out.write('/>')
- def endElement(self, tag):
- if tag == ReplaceTags.POLICY_TAG:
- return
- if tag in ReplaceTags.TAGS_WITH_CHILDREN:
- self._out.write('</%s>' % tag)
- def characters(self, content):
- if not content.isspace():
- self._out.write(saxutils.escape(content))
- def ignorableWhitespace(self, content):
- pass
- def processingInstruction(self, target, data):
- self._out.write('<?%s %s?>' % (target, data))
- if __name__ == "__main__":
- # Intentional double space to line up equls signs and opening " for
- # readability.
- usage = "usage: %prog [options] CONFIG_FILE MAC_PERMISSIONS_FILE [MAC_PERMISSIONS_FILE...]\n"
- usage += "This tool allows one to configure an automatic inclusion\n"
- usage += "of signing keys into the mac_permision.xml file(s) from the\n"
- usage += "pem files. If mulitple mac_permision.xml files are included\n"
- usage += "then they are unioned to produce a final version."
- version = "%prog " + str(__VERSION)
- parser = OptionParser(usage=usage, version=version)
- parser.add_option("-v", "--verbose",
- action="store_true", dest="verbose", default=False,
- help="Print internal operations to stdout")
- parser.add_option("-o", "--output", default="stdout", dest="output_file",
- metavar="FILE", help="Specify an output file, default is stdout")
- parser.add_option("-c", "--cwd", default=os.getcwd(), dest="root",
- metavar="DIR", help="Specify a root (CWD) directory to run this from, it" \
- "chdirs' AFTER loading the config file")
- parser.add_option("-t", "--target-build-variant", default="eng", dest="target_build_variant",
- help="Specify the TARGET_BUILD_VARIANT, defaults to eng")
- parser.add_option("-d", "--key-directory", default="", dest="key_directory",
- help="Specify a parent directory for keys")
- (options, args) = parser.parse_args()
- if len(args) < 2:
- parser.error("Must specify a config file (keys.conf) AND mac_permissions.xml file(s)!")
- logging.basicConfig(level=logging.INFO if options.verbose == True else logging.WARN)
- # Read the config file
- config = ParseConfig()
- config.read(args[0])
- os.chdir(options.root)
- output_file = sys.stdout if options.output_file == "stdout" else open(options.output_file, "w")
- logging.info("Setting output file to: " + options.output_file)
- # Generate the key list
- key_map = config.generateKeyMap(options.target_build_variant.lower(), options.key_directory)
- logging.info("Generate key map:")
- for k in key_map:
- logging.info(k + " : " + str(key_map[k]))
- # Generate the XML file with markup replaced with keys
- parser = make_parser()
- parser.setContentHandler(ReplaceTags(key_map, output_file))
- for f in args[1:]:
- parser.parse(f)
|