1#!/usr/bin/env python 2# 3# This Source Code Form is subject to the terms of the Mozilla Public 4# License, v. 2.0. If a copy of the MPL was not distributed with this 5# file, You can obtain one at http://mozilla.org/MPL/2.0/. 6 7""" 8This utility is used by the build system to create test inputs for the 9signed tree head decoding and verification implementation. The format is 10generally lines of <key>:<value> pairs except for the to-be-signed 11section, which consists of one or more lines of hex bytes. Comments may 12appear at the end of lines and begin with '//'. 13The following keys are valid: 14signingKey: A pykey key identifier to use to sign the to-be-signed data. 15 Required. 16spki: A pykey key identifier to create an encoded SubjectPublicKeyInfo 17 to be included with the test data. The tests will use this spki to 18 validate the signature. Required. 19prefix: Hex bytes to include at the beginning of the signed tree head 20 data. This data is not covered by the signature (typically this 21 is used for the log_id field). Optional. Defaults to the empty 22 string. 23hash: The name of a hash algorithm to use when signing. Optional. 24 Defaults to 'sha256'. 25""" 26 27from pyasn1.codec.der import encoder 28import binascii 29 30import os 31import sys 32 33sys.path.append( 34 os.path.join(os.path.dirname(__file__), "..", "..", "..", "manager", "tools") 35) 36import pykey 37 38 39def sign(signingKey, hashAlgorithm, hexToSign): 40 """Given a pykey, the name of a hash function, and hex bytes to 41 sign, signs the data (as binary) and returns a hex string consisting 42 of the signature.""" 43 # key.sign returns a hex string in the format "'<hex bytes>'H", 44 # so we have to strip off the "'"s and trailing 'H' 45 return signingKey.sign(binascii.unhexlify(hexToSign), "hash:%s" % hashAlgorithm)[ 46 1:-2 47 ] 48 49 50class Error(Exception): 51 """Base class for exceptions in this module.""" 52 53 pass 54 55 56class UnknownParameterTypeError(Error): 57 """Base class for handling unexpected input in this module.""" 58 59 def __init__(self, value): 60 super(Error, self).__init__() 61 self.value = value 62 self.category = "key" 63 64 def __str__(self): 65 return 'Unknown %s type "%s"' % (self.category, repr(self.value)) 66 67 68class InputTooLongError(Error): 69 """Helper exception type for inputs that are too long.""" 70 71 def __init__(self, length): 72 super(InputTooLongError, self).__init__() 73 self.length = length 74 75 def __str__(self): 76 return "Input too long: %s > 65535" % self.length 77 78 79def getTwoByteLenAsHex(callLenOnMe): 80 """Given something that len can be called on, returns a hex string 81 representing the two-byte length of the something, in network byte 82 order (the length must be less than or equal to 65535).""" 83 length = len(callLenOnMe) 84 if length > 65535: 85 raise InputTooLongError(length) 86 return bytes([length // 256, length % 256]).hex() 87 88 89def createSTH(configStream): 90 """Given a stream that will provide the specification for a signed 91 tree head (see the comment at the top of this file), creates the 92 corresponding signed tree head. Returns a string that can be 93 compiled as C/C++ that declares two const char*s kSTHHex and 94 kSPKIHex corresponding to the hex encoding of the signed tree head 95 and the hex encoding of the subject public key info from the 96 specification, respectively.""" 97 toSign = "" 98 prefix = "" 99 hashAlgorithm = "sha256" 100 for line in configStream.readlines(): 101 if ":" in line: 102 param = line.split(":")[0] 103 arg = line.split(":")[1].split("//")[0].strip() 104 if param == "signingKey": 105 signingKey = pykey.keyFromSpecification(arg) 106 elif param == "spki": 107 spki = pykey.keyFromSpecification(arg) 108 elif param == "prefix": 109 prefix = arg 110 elif param == "hash": 111 hashAlgorithm = arg 112 else: 113 raise UnknownParameterTypeError(param) 114 else: 115 toSign = toSign + line.split("//")[0].strip() 116 signature = sign(signingKey, hashAlgorithm, toSign) 117 lengthBytesHex = getTwoByteLenAsHex(binascii.unhexlify(signature)) 118 sth = prefix + toSign + lengthBytesHex + signature 119 spkiHex = encoder.encode(spki.asSubjectPublicKeyInfo()).hex() 120 return 'const char* kSTHHex = "%s";\nconst char* kSPKIHex = "%s";\n' % ( 121 sth, 122 spkiHex, 123 ) 124 125 126def main(output, inputPath): 127 """Given a file-like output and the path to a signed tree head 128 specification (see the comment at the top of this file), reads the 129 specification, creates the signed tree head, and outputs test data 130 that can be included by a gtest corresponding to the 131 specification.""" 132 with open(inputPath) as configStream: 133 output.write(createSTH(configStream)) 134