add some example plugins for repo key extraction and migration

2020-08-20 14:57:57 +02:00 · 2020-08-20 14:57:57 +02:00 · c8f21bf0e0
parent d16ccc6d6c
commit c8f21bf0e0
5 changed files with 177 additions and 0 deletions
--- a/MANIFEST.in
+++ b/MANIFEST.in
@ -9,7 +9,12 @@ include buildserver/Vagrantfile
 include CHANGELOG.md
 include completion/bash-completion
 include examples/config.yml
+include examples/fdroid_exportkeystore.py
+include examples/fdroid_export_keystore_to_nitrokey.py
+include examples/fdroid_extract_repo_pubkey.py
+include examples/fdroid_fetchsrclibs.py
 include examples/fdroid-icon.png
+include examples/fdroid_nitrokeyimport.py
 include examples/makebuildserver.config.py
 include examples/opensc-fdroid.cfg
 include examples/public-read-only-s3-bucket-policy.json
--- a/examples/fdroid_export_keystore_to_nitrokey.py
+++ b/examples/fdroid_export_keystore_to_nitrokey.py
@ -0,0 +1,61 @@
+#!/usr/bin/env python3
+#
+# an fdroid plugin for exporting a repo's keystore in standard PEM format
+
+import os
+from argparse import ArgumentParser
+from fdroidserver import common
+from fdroidserver.common import FDroidPopen
+from fdroidserver.exception import BuildException
+
+fdroid_summary = "export the repo's keystore file to a NitroKey HSM"
+
+
+def run(cmd, error):
+    envs = {'LC_ALL': 'C.UTF-8',
+            'PIN': config['smartcard_pin'],
+            'FDROID_KEY_STORE_PASS': config['keystorepass'],
+            'FDROID_KEY_PASS': config['keypass']}
+    p = FDroidPopen(cmd, envs=envs)
+    if p.returncode != 0:
+        raise BuildException(error, p.output)
+
+
+def main():
+    global config
+    parser = ArgumentParser()
+    common.setup_global_opts(parser)
+    options = parser.parse_args()
+    config = common.read_config(options)
+    destkeystore = config['keystore'].replace('.jks', '.p12').replace('/', '_')
+    exportkeystore = config['keystore'].replace('.jks', '.pem').replace('/', '_')
+    if os.path.exists(destkeystore) or os.path.exists(exportkeystore):
+        raise BuildException('%s exists!' % exportkeystore)
+    run([config['keytool'], '-importkeystore',
+         '-srckeystore', config['keystore'],
+         '-srcalias', config['repo_keyalias'],
+         '-srcstorepass:env', 'FDROID_KEY_STORE_PASS',
+         '-srckeypass:env', 'FDROID_KEY_PASS',
+         '-destkeystore', destkeystore,
+         '-deststorepass:env', 'FDROID_KEY_STORE_PASS',
+         '-deststoretype', 'PKCS12'],
+        'Failed to convert to PKCS12!')
+#    run(['openssl', 'pkcs12', '-in', destkeystore,
+#         '-passin', 'env:FDROID_KEY_STORE_PASS', '-nokeys',
+#         '-out', exportkeystore,
+#         '-passout', 'env:FDROID_KEY_STORE_PASS'],
+#        'Failed to convert to PEM!')
+    run(['pkcs15-init', '--delete-objects', 'privkey,pubkey',
+         '--id', '3', '--store-private-key', destkeystore,
+         '--format', 'pkcs12', '--auth-id', '3',
+         '--verify-pin', '--pin', 'env:PIN'],
+        '')
+    run(['pkcs15-init', '--delete-objects', 'privkey,pubkey',
+         '--id', '2', '--store-private-key', destkeystore,
+         '--format', 'pkcs12', '--auth-id', '3',
+         '--verify-pin', '--pin', 'env:PIN'],
+        '')
+
+
+if __name__ == "__main__":
+    main()
--- a/examples/fdroid_exportkeystore.py
+++ b/examples/fdroid_exportkeystore.py
@ -0,0 +1,48 @@
+#!/usr/bin/env python3
+#
+# an fdroid plugin for exporting a repo's keystore in standard PEM format
+
+import os
+from argparse import ArgumentParser
+from fdroidserver import common
+from fdroidserver.common import FDroidPopen
+from fdroidserver.exception import BuildException
+
+fdroid_summary = 'export the keystore in standard PEM format'
+
+
+def main():
+    parser = ArgumentParser()
+    common.setup_global_opts(parser)
+    options = parser.parse_args()
+    config = common.read_config(options)
+    env_vars = {'LC_ALL': 'C.UTF-8',
+                'FDROID_KEY_STORE_PASS': config['keystorepass'],
+                'FDROID_KEY_PASS': config['keypass']}
+    destkeystore = config['keystore'].replace('.jks', '.p12').replace('/', '_')
+    exportkeystore = config['keystore'].replace('.jks', '.pem').replace('/', '_')
+    if os.path.exists(destkeystore) or os.path.exists(exportkeystore):
+        raise BuildException('%s exists!' % exportkeystore)
+    p = FDroidPopen([config['keytool'], '-importkeystore',
+                     '-srckeystore', config['keystore'],
+                     '-srcalias', config['repo_keyalias'],
+                     '-srcstorepass:env', 'FDROID_KEY_STORE_PASS',
+                     '-srckeypass:env', 'FDROID_KEY_PASS',
+                     '-destkeystore', destkeystore,
+                     '-deststoretype', 'PKCS12',
+                     '-deststorepass:env', 'FDROID_KEY_STORE_PASS',
+                     '-destkeypass:env', 'FDROID_KEY_PASS'],
+                    envs=env_vars)
+    if p.returncode != 0:
+        raise BuildException("Failed to convert to PKCS12!", p.output)
+    p = FDroidPopen(['openssl', 'pkcs12', '-in', destkeystore,
+                     '-passin', 'env:FDROID_KEY_STORE_PASS', '-nokeys',
+                     '-out', exportkeystore,
+                     '-passout', 'env:FDROID_KEY_STORE_PASS'],
+                    envs=env_vars)
+    if p.returncode != 0:
+        raise BuildException("Failed to convert to PEM!", p.output)
+
+
+if __name__ == "__main__":
+    main()
--- a/examples/fdroid_extract_repo_pubkey.py
+++ b/examples/fdroid_extract_repo_pubkey.py
@ -0,0 +1,22 @@
+#!/usr/bin/env python3
+#
+# an fdroid plugin print the repo_pubkey from a repo's keystore
+#
+
+from argparse import ArgumentParser
+from fdroidserver import common, index
+
+fdroid_summary = 'export the keystore in standard PEM format'
+
+
+def main():
+    parser = ArgumentParser()
+    common.setup_global_opts(parser)
+    options = parser.parse_args()
+    common.config = common.read_config(options)
+    pubkey, repo_pubkey_fingerprint = index.extract_pubkey()
+    print('repo_pubkey = "%s"' % pubkey.decode())
+
+
+if __name__ == "__main__":
+    main()
--- a/examples/fdroid_nitrokeyimport.py
+++ b/examples/fdroid_nitrokeyimport.py
@ -0,0 +1,41 @@
+#!/usr/bin/env python3
+
+from argparse import ArgumentParser
+from fdroidserver import common
+from fdroidserver.common import FDroidPopen
+from fdroidserver.exception import BuildException
+
+fdroid_summary = 'import the local keystore into a SmartCard HSM'
+
+
+def main():
+    parser = ArgumentParser()
+    common.setup_global_opts(parser)
+    options = parser.parse_args()
+    config = common.read_config(options)
+    env_vars = {
+        'LC_ALL': 'C.UTF-8',
+        'FDROID_KEY_STORE_PASS': config['keystorepass'],
+        'FDROID_KEY_PASS': config['keypass'],
+        'SMARTCARD_PIN': str(config['smartcard_pin']),
+    }
+    p = FDroidPopen([config['keytool'], '-importkeystore',
+                     '-srcalias', config['repo_keyalias'],
+                     '-srckeystore', config['keystore'],
+                     '-srcstorepass:env', 'FDROID_KEY_STORE_PASS',
+                     '-srckeypass:env', 'FDROID_KEY_PASS',
+                     '-destalias', config['repo_keyalias'],
+                     '-destkeystore', 'NONE',
+                     '-deststoretype', 'PKCS11',
+                     '-providerName', 'SunPKCS11-OpenSC',
+                     '-providerClass', 'sun.security.pkcs11.SunPKCS11',
+                     '-providerArg', 'opensc-fdroid.cfg',
+                     '-deststorepass:env', 'SMARTCARD_PIN',
+                     '-J-Djava.security.debug=sunpkcs11'],
+                    envs=env_vars)
+    if p.returncode != 0:
+        raise BuildException("Failed to import into HSM!", p.output)
+
+
+if __name__ == "__main__":
+    main()