1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
|
#!/usr/bin/env python
from xml.sax import saxutils, handler, make_parser
from optparse import OptionParser
import ConfigParser
import logging
import base64
import sys
import os
__VERSION = (0, 1)
'''
This tool reads a mac_permissions.xml and replaces keywords in the signature
clause with keys provided by pem files.
'''
class GenerateKeys(object):
def __init__(self, path):
'''
Generates an object with Base16 and Base64 encoded versions of the keys
found in the supplied pem file argument. PEM files can contain multiple
certs, however this seems to be unused in Android as pkg manager grabs
the first cert in the APK. This will however support multiple certs in
the resulting generation with index[0] being the first cert in the pem
file.
'''
self._base64Key = list()
self._base16Key = list()
if not os.path.isfile(path):
sys.exit("Path " + path + " does not exist or is not a file!")
pkFile = open(path, 'rb').readlines()
base64Key = ""
lineNo = 1
certNo = 1
inCert = False
for line in pkFile:
line = line.strip()
# Are we starting the certificate?
if line == "-----BEGIN CERTIFICATE-----":
if inCert:
sys.exit("Encountered another BEGIN CERTIFICATE without END CERTIFICATE on " +
"line: " + str(lineNo))
inCert = True
# Are we ending the ceritifcate?
elif line == "-----END CERTIFICATE-----":
if not inCert:
sys.exit("Encountered END CERTIFICATE before BEGIN CERTIFICATE on line: "
+ str(lineNo))
# If we ended the certificate trip the flag
inCert = False
# Sanity check the input
if len(base64Key) == 0:
sys.exit("Empty certficate , certificate "+ str(certNo) + " found in file: "
+ path)
# ... and append the certificate to the list
# Base 64 includes uppercase. DO NOT tolower()
self._base64Key.append(base64Key)
try:
# Pkgmanager and setool see hex strings with lowercase, lets be consistent
self._base16Key.append(base64.b16encode(base64.b64decode(base64Key)).lower())
except TypeError:
sys.exit("Invalid certificate, certificate "+ str(certNo) + " found in file: "
+ path)
# After adding the key, reset the accumulator as pem files may have subsequent keys
base64Key=""
# And increment your cert number
certNo = certNo + 1
# If we haven't started the certificate, then we should not encounter any data
elif not inCert:
if line is not "":
sys.exit("Detected erroneous line \""+ line + "\" on " + str(lineNo)
+ " in pem file: " + path)
# else we have started the certicate and need to append the data
elif inCert:
base64Key += line
else:
# We should never hit this assert, if we do then an unaccounted for state
# was entered that was NOT addressed by the if/elif statements above
assert(False == True)
# The last thing to do before looping up is to increment line number
lineNo = lineNo + 1
def __len__(self):
return len(self._base16Key)
def __str__(self):
return str(self.getBase16Keys())
def getBase16Keys(self):
return self._base16Key
def getBase64Keys(self):
return self._base64Key
class ParseConfig(ConfigParser.ConfigParser):
# This must be lowercase
OPTION_WILDCARD_TAG = "all"
def generateKeyMap(self, target_build_variant, key_directory):
keyMap = dict()
for tag in self.sections():
options = self.options(tag)
for option in options:
# Only generate the key map for debug or release,
# not both!
if option != target_build_variant and \
option != ParseConfig.OPTION_WILDCARD_TAG:
logging.info("Skipping " + tag + " : " + option +
" because target build variant is set to " +
str(target_build_variant))
continue
if tag in keyMap:
sys.exit("Duplicate tag detected " + tag)
tag_path = os.path.expandvars(self.get(tag, option))
path = os.path.join(key_directory, tag_path)
keyMap[tag] = GenerateKeys(path)
# Multiple certificates may exist in
# the pem file. GenerateKeys supports
# this however, the mac_permissions.xml
# as well as PMS do not.
assert len(keyMap[tag]) == 1
return keyMap
class ReplaceTags(handler.ContentHandler):
DEFAULT_TAG = "default"
PACKAGE_TAG = "package"
POLICY_TAG = "policy"
SIGNER_TAG = "signer"
SIGNATURE_TAG = "signature"
TAGS_WITH_CHILDREN = [ DEFAULT_TAG, PACKAGE_TAG, POLICY_TAG, SIGNER_TAG ]
XML_ENCODING_TAG = '<?xml version="1.0" encoding="iso-8859-1"?>'
def __init__(self, keyMap, out=sys.stdout):
handler.ContentHandler.__init__(self)
self._keyMap = keyMap
self._out = out
self._out.write(ReplaceTags.XML_ENCODING_TAG)
self._out.write("<!-- AUTOGENERATED FILE DO NOT MODIFY -->")
self._out.write("<policy>")
def __del__(self):
self._out.write("</policy>")
def startElement(self, tag, attrs):
if tag == ReplaceTags.POLICY_TAG:
return
self._out.write('<' + tag)
for (name, value) in attrs.items():
if name == ReplaceTags.SIGNATURE_TAG and value in self._keyMap:
for key in self._keyMap[value].getBase16Keys():
logging.info("Replacing " + name + " " + value + " with " + key)
self._out.write(' %s="%s"' % (name, saxutils.escape(key)))
else:
self._out.write(' %s="%s"' % (name, saxutils.escape(value)))
if tag in ReplaceTags.TAGS_WITH_CHILDREN:
self._out.write('>')
else:
self._out.write('/>')
def endElement(self, tag):
if tag == ReplaceTags.POLICY_TAG:
return
if tag in ReplaceTags.TAGS_WITH_CHILDREN:
self._out.write('</%s>' % tag)
def characters(self, content):
if not content.isspace():
self._out.write(saxutils.escape(content))
def ignorableWhitespace(self, content):
pass
def processingInstruction(self, target, data):
self._out.write('<?%s %s?>' % (target, data))
if __name__ == "__main__":
# Intentional double space to line up equls signs and opening " for
# readability.
usage = "usage: %prog [options] CONFIG_FILE MAC_PERMISSIONS_FILE [MAC_PERMISSIONS_FILE...]\n"
usage += "This tool allows one to configure an automatic inclusion\n"
usage += "of signing keys into the mac_permision.xml file(s) from the\n"
usage += "pem files. If mulitple mac_permision.xml files are included\n"
usage += "then they are unioned to produce a final version."
version = "%prog " + str(__VERSION)
parser = OptionParser(usage=usage, version=version)
parser.add_option("-v", "--verbose",
action="store_true", dest="verbose", default=False,
help="Print internal operations to stdout")
parser.add_option("-o", "--output", default="stdout", dest="output_file",
metavar="FILE", help="Specify an output file, default is stdout")
parser.add_option("-c", "--cwd", default=os.getcwd(), dest="root",
metavar="DIR", help="Specify a root (CWD) directory to run this from, it" \
"chdirs' AFTER loading the config file")
parser.add_option("-t", "--target-build-variant", default="eng", dest="target_build_variant",
help="Specify the TARGET_BUILD_VARIANT, defaults to eng")
parser.add_option("-d", "--key-directory", default="", dest="key_directory",
help="Specify a parent directory for keys")
(options, args) = parser.parse_args()
if len(args) < 2:
parser.error("Must specify a config file (keys.conf) AND mac_permissions.xml file(s)!")
logging.basicConfig(level=logging.INFO if options.verbose == True else logging.WARN)
# Read the config file
config = ParseConfig()
config.read(args[0])
os.chdir(options.root)
output_file = sys.stdout if options.output_file == "stdout" else open(options.output_file, "w")
logging.info("Setting output file to: " + options.output_file)
# Generate the key list
key_map = config.generateKeyMap(options.target_build_variant.lower(), options.key_directory)
logging.info("Generate key map:")
for k in key_map:
logging.info(k + " : " + str(key_map[k]))
# Generate the XML file with markup replaced with keys
parser = make_parser()
parser.setContentHandler(ReplaceTags(key_map, output_file))
for f in args[1:]:
parser.parse(f)
|
