From c8f21bf0e0e1ff8cc33821b4bb56692a1f5c7ea4 Mon Sep 17 00:00:00 2001 From: Hans-Christoph Steiner Date: Thu, 20 Aug 2020 14:57:57 +0200 Subject: [PATCH] add some example plugins for repo key extraction and migration --- MANIFEST.in | 5 ++ .../fdroid_export_keystore_to_nitrokey.py | 61 +++++++++++++++++++ examples/fdroid_exportkeystore.py | 48 +++++++++++++++ examples/fdroid_extract_repo_pubkey.py | 22 +++++++ examples/fdroid_nitrokeyimport.py | 41 +++++++++++++ 5 files changed, 177 insertions(+) create mode 100644 examples/fdroid_export_keystore_to_nitrokey.py create mode 100644 examples/fdroid_exportkeystore.py create mode 100644 examples/fdroid_extract_repo_pubkey.py create mode 100644 examples/fdroid_nitrokeyimport.py diff --git a/MANIFEST.in b/MANIFEST.in index 948d8fc7..49e08dbc 100644 --- a/MANIFEST.in +++ b/MANIFEST.in @@ -9,7 +9,12 @@ include buildserver/Vagrantfile include CHANGELOG.md include completion/bash-completion include examples/config.yml +include examples/fdroid_exportkeystore.py +include examples/fdroid_export_keystore_to_nitrokey.py +include examples/fdroid_extract_repo_pubkey.py +include examples/fdroid_fetchsrclibs.py include examples/fdroid-icon.png +include examples/fdroid_nitrokeyimport.py include examples/makebuildserver.config.py include examples/opensc-fdroid.cfg include examples/public-read-only-s3-bucket-policy.json diff --git a/examples/fdroid_export_keystore_to_nitrokey.py b/examples/fdroid_export_keystore_to_nitrokey.py new file mode 100644 index 00000000..92de2b30 --- /dev/null +++ b/examples/fdroid_export_keystore_to_nitrokey.py @@ -0,0 +1,61 @@ +#!/usr/bin/env python3 +# +# an fdroid plugin for exporting a repo's keystore in standard PEM format + +import os +from argparse import ArgumentParser +from fdroidserver import common +from fdroidserver.common import FDroidPopen +from fdroidserver.exception import BuildException + +fdroid_summary = "export the repo's keystore file to a NitroKey HSM" + + +def run(cmd, error): + envs = {'LC_ALL': 'C.UTF-8', + 'PIN': config['smartcard_pin'], + 'FDROID_KEY_STORE_PASS': config['keystorepass'], + 'FDROID_KEY_PASS': config['keypass']} + p = FDroidPopen(cmd, envs=envs) + if p.returncode != 0: + raise BuildException(error, p.output) + + +def main(): + global config + parser = ArgumentParser() + common.setup_global_opts(parser) + options = parser.parse_args() + config = common.read_config(options) + destkeystore = config['keystore'].replace('.jks', '.p12').replace('/', '_') + exportkeystore = config['keystore'].replace('.jks', '.pem').replace('/', '_') + if os.path.exists(destkeystore) or os.path.exists(exportkeystore): + raise BuildException('%s exists!' % exportkeystore) + run([config['keytool'], '-importkeystore', + '-srckeystore', config['keystore'], + '-srcalias', config['repo_keyalias'], + '-srcstorepass:env', 'FDROID_KEY_STORE_PASS', + '-srckeypass:env', 'FDROID_KEY_PASS', + '-destkeystore', destkeystore, + '-deststorepass:env', 'FDROID_KEY_STORE_PASS', + '-deststoretype', 'PKCS12'], + 'Failed to convert to PKCS12!') +# run(['openssl', 'pkcs12', '-in', destkeystore, +# '-passin', 'env:FDROID_KEY_STORE_PASS', '-nokeys', +# '-out', exportkeystore, +# '-passout', 'env:FDROID_KEY_STORE_PASS'], +# 'Failed to convert to PEM!') + run(['pkcs15-init', '--delete-objects', 'privkey,pubkey', + '--id', '3', '--store-private-key', destkeystore, + '--format', 'pkcs12', '--auth-id', '3', + '--verify-pin', '--pin', 'env:PIN'], + '') + run(['pkcs15-init', '--delete-objects', 'privkey,pubkey', + '--id', '2', '--store-private-key', destkeystore, + '--format', 'pkcs12', '--auth-id', '3', + '--verify-pin', '--pin', 'env:PIN'], + '') + + +if __name__ == "__main__": + main() diff --git a/examples/fdroid_exportkeystore.py b/examples/fdroid_exportkeystore.py new file mode 100644 index 00000000..9e54e397 --- /dev/null +++ b/examples/fdroid_exportkeystore.py @@ -0,0 +1,48 @@ +#!/usr/bin/env python3 +# +# an fdroid plugin for exporting a repo's keystore in standard PEM format + +import os +from argparse import ArgumentParser +from fdroidserver import common +from fdroidserver.common import FDroidPopen +from fdroidserver.exception import BuildException + +fdroid_summary = 'export the keystore in standard PEM format' + + +def main(): + parser = ArgumentParser() + common.setup_global_opts(parser) + options = parser.parse_args() + config = common.read_config(options) + env_vars = {'LC_ALL': 'C.UTF-8', + 'FDROID_KEY_STORE_PASS': config['keystorepass'], + 'FDROID_KEY_PASS': config['keypass']} + destkeystore = config['keystore'].replace('.jks', '.p12').replace('/', '_') + exportkeystore = config['keystore'].replace('.jks', '.pem').replace('/', '_') + if os.path.exists(destkeystore) or os.path.exists(exportkeystore): + raise BuildException('%s exists!' % exportkeystore) + p = FDroidPopen([config['keytool'], '-importkeystore', + '-srckeystore', config['keystore'], + '-srcalias', config['repo_keyalias'], + '-srcstorepass:env', 'FDROID_KEY_STORE_PASS', + '-srckeypass:env', 'FDROID_KEY_PASS', + '-destkeystore', destkeystore, + '-deststoretype', 'PKCS12', + '-deststorepass:env', 'FDROID_KEY_STORE_PASS', + '-destkeypass:env', 'FDROID_KEY_PASS'], + envs=env_vars) + if p.returncode != 0: + raise BuildException("Failed to convert to PKCS12!", p.output) + p = FDroidPopen(['openssl', 'pkcs12', '-in', destkeystore, + '-passin', 'env:FDROID_KEY_STORE_PASS', '-nokeys', + '-out', exportkeystore, + '-passout', 'env:FDROID_KEY_STORE_PASS'], + envs=env_vars) + if p.returncode != 0: + raise BuildException("Failed to convert to PEM!", p.output) + + +if __name__ == "__main__": + main() diff --git a/examples/fdroid_extract_repo_pubkey.py b/examples/fdroid_extract_repo_pubkey.py new file mode 100644 index 00000000..de13d267 --- /dev/null +++ b/examples/fdroid_extract_repo_pubkey.py @@ -0,0 +1,22 @@ +#!/usr/bin/env python3 +# +# an fdroid plugin print the repo_pubkey from a repo's keystore +# + +from argparse import ArgumentParser +from fdroidserver import common, index + +fdroid_summary = 'export the keystore in standard PEM format' + + +def main(): + parser = ArgumentParser() + common.setup_global_opts(parser) + options = parser.parse_args() + common.config = common.read_config(options) + pubkey, repo_pubkey_fingerprint = index.extract_pubkey() + print('repo_pubkey = "%s"' % pubkey.decode()) + + +if __name__ == "__main__": + main() diff --git a/examples/fdroid_nitrokeyimport.py b/examples/fdroid_nitrokeyimport.py new file mode 100644 index 00000000..44ec299c --- /dev/null +++ b/examples/fdroid_nitrokeyimport.py @@ -0,0 +1,41 @@ +#!/usr/bin/env python3 + +from argparse import ArgumentParser +from fdroidserver import common +from fdroidserver.common import FDroidPopen +from fdroidserver.exception import BuildException + +fdroid_summary = 'import the local keystore into a SmartCard HSM' + + +def main(): + parser = ArgumentParser() + common.setup_global_opts(parser) + options = parser.parse_args() + config = common.read_config(options) + env_vars = { + 'LC_ALL': 'C.UTF-8', + 'FDROID_KEY_STORE_PASS': config['keystorepass'], + 'FDROID_KEY_PASS': config['keypass'], + 'SMARTCARD_PIN': str(config['smartcard_pin']), + } + p = FDroidPopen([config['keytool'], '-importkeystore', + '-srcalias', config['repo_keyalias'], + '-srckeystore', config['keystore'], + '-srcstorepass:env', 'FDROID_KEY_STORE_PASS', + '-srckeypass:env', 'FDROID_KEY_PASS', + '-destalias', config['repo_keyalias'], + '-destkeystore', 'NONE', + '-deststoretype', 'PKCS11', + '-providerName', 'SunPKCS11-OpenSC', + '-providerClass', 'sun.security.pkcs11.SunPKCS11', + '-providerArg', 'opensc-fdroid.cfg', + '-deststorepass:env', 'SMARTCARD_PIN', + '-J-Djava.security.debug=sunpkcs11'], + envs=env_vars) + if p.returncode != 0: + raise BuildException("Failed to import into HSM!", p.output) + + +if __name__ == "__main__": + main()