Source release 17.1.0

2022-07-07 17:14:31 -07:00
parent 8c17574083
commit 694cf6fb25
2233 changed files with 272026 additions and 223371 deletions
--- a/oem_certificate_generator/oem_certificate.py
+++ b/oem_certificate_generator/oem_certificate.py
@@ -1,3 +1,4 @@
+#!/usr/bin/python3
 # Copyright 2017 Google LLC. All Rights Reserved.

 """OEM certificate generation tool.
@@ -110,7 +111,7 @@ class X509CertificateChain(object):

    x509_stack = pkcs7.d.sign.cert
    certificates = []
-    for i in xrange(backend._lib.sk_X509_num(x509_stack)):
+    for i in range(backend._lib.sk_X509_num(x509_stack)):
      x509_value = backend._ffi.gc(
          backend._lib.X509_dup(backend._lib.sk_X509_value(x509_stack, i)),
          backend._lib.X509_free)
@@ -134,6 +135,10 @@ class X509CertificateChain(object):
    return backend._read_mem_bio(bio)


+# Type for argparse to accept byte buffers on the command line
+def utf8_bytes(utf8_str):
+  return utf8_str.encode('utf-8')
+
 def _multiple_of_1024(key_size_str):
  """argparse custom type function for key size."""
  key_size = int(key_size_str)
@@ -299,9 +304,9 @@ def generate_leaf_certificate(args):
 def secure_erase(args):
  """Subparser handler for secure erasing of a file."""
  length = args.file.tell()
-  for _ in xrange(args.passes):
+  for _ in range(args.passes):
    args.file.seek(0)
-    for _ in xrange(length):
+    for _ in range(length):
      args.file.write(os.urandom(1))
  args.file.close()
  os.remove(args.file.name)
@@ -403,6 +408,7 @@ def create_parser():
      '--output_private_key_file', type=argparse.FileType('wb'), required=True)
  parser_csr.add_argument(
      '--passphrase',
+      type=utf8_bytes,
      help=('specify an optional passphrase to encrypt the private key. The '
            'private key is not encrypted if omitted.'))
  parser_csr.set_defaults(func=generate_csr)
@@ -429,7 +435,7 @@ def create_parser():
      '--root_certificate_file', type=argparse.FileType('rb'), required=True)
  parser_intermediate_cert.add_argument(
      '--root_private_key_file', type=argparse.FileType('rb'), required=True)
-  parser_intermediate_cert.add_argument('--root_private_key_passphrase')
+  parser_intermediate_cert.add_argument('--root_private_key_passphrase', type=utf8_bytes)
  parser_intermediate_cert.add_argument(
      '--output_certificate_file', type=argparse.FileType('wb'), required=True)
  parser_intermediate_cert.set_defaults(func=generate_intermediate_certificate)
@@ -460,13 +466,14 @@ def create_parser():
      '--intermediate_private_key_file',
      type=argparse.FileType('rb'),
      required=True)
-  parser_leaf_cert.add_argument('--intermediate_private_key_passphrase')
+  parser_leaf_cert.add_argument('--intermediate_private_key_passphrase', type=utf8_bytes)
  parser_leaf_cert.add_argument(
      '--output_certificate_file', type=argparse.FileType('wb'), required=True)
  parser_leaf_cert.add_argument(
      '--output_private_key_file', type=argparse.FileType('wb'), required=True)
  parser_leaf_cert.add_argument(
      '--passphrase',
+      type=utf8_bytes,
      help=('specify an optional passphrase to encrypt the private key. The '
            'private key is not encrypted if omitted.'))
  parser_leaf_cert.set_defaults(func=generate_leaf_certificate)
@@ -497,7 +504,7 @@ def main():
  args = sys.argv[1:]
  config_file_name = 'oem_certificate.cfg'
  if os.path.isfile(config_file_name):
-    print 'Load from args default configuration file: ', config_file_name
+    print('Load from args default configuration file: ', config_file_name)
    args.append('@' + config_file_name)
  parser_args = create_parser().parse_args(args)
  parser_args.func(parser_args)
--- a/oem_certificate_generator/oem_certificate_test.py
+++ b/oem_certificate_generator/oem_certificate_test.py
@@ -1,10 +1,11 @@
+#!/usr/bin/python3
 # Copyright 2017 Google LLC. All Rights Reserved.

 import base64
 import datetime
+import io
 import os
 import shutil
-import StringIO
 import tempfile
 import textwrap
 import unittest
@@ -105,11 +106,11 @@ class OemCertificateTest(unittest.TestCase):

  def test_generate_csr_with_keysize4096_and_passphrase(self):
    args = oem_cert_test_helper.setup_csr_args(
-        key_size=4096, passphrase='passphrase_4096')
+        key_size=4096, passphrase=b'passphrase_4096')
    oem_certificate.generate_csr(args)
    private_key = serialization.load_der_private_key(
        args.output_private_key_file.getvalue(),
-        'passphrase_4096',
+        b'passphrase_4096',
        backend=backends.default_backend())
    csr = x509.load_pem_x509_csr(args.output_csr_file.getvalue(),
                                 backends.default_backend())
@@ -155,7 +156,7 @@ class OemCertificateTest(unittest.TestCase):
    _, root_certificate2 = oem_cert_test_helper.create_root_certificate_and_key(
    )
    args = oem_cert_test_helper.setup_intermediate_cert_args(
-        'some csr data', root_key1, root_certificate2)
+        b'some csr data', root_key1, root_certificate2)
    with self.assertRaises(ValueError) as context:
      oem_certificate.generate_intermediate_certificate(args)
    self.assertTrue('certificate does not match' in str(context.exception))
@@ -232,19 +233,19 @@ class OemCertificateTest(unittest.TestCase):
        intermediate_key_bytes,
        intermediate_certificate_bytes,
        key_size=4096,
-        passphrase='leaf passphrase')
+        passphrase=b'leaf passphrase')
    oem_certificate.generate_leaf_certificate(args)
    leaf_key = serialization.load_der_private_key(
        args.output_private_key_file.getvalue(),
-        'leaf passphrase',
+        b'leaf passphrase',
        backend=backends.default_backend())
    self.assertEqual(4096, leaf_key.key_size)

  def test_get_csr_info(self):
    args = oem_cert_test_helper.setup_csr_args()
    oem_certificate.generate_csr(args)
-    args.file = StringIO.StringIO(args.output_csr_file.getvalue())
-    output = StringIO.StringIO()
+    args.file = io.BytesIO(args.output_csr_file.getvalue())
+    output = io.StringIO()
    oem_certificate.get_info(args, output)
    expected_info = """\
        CSR Subject Name:
@@ -261,8 +262,8 @@ class OemCertificateTest(unittest.TestCase):
        oem_cert_test_helper.create_intermediate_certificate_and_key_bytes(
            pem_format=True))
    args = ArgParseObject()
-    args.file = StringIO.StringIO(intermediate_certificate_bytes)
-    output = StringIO.StringIO()
+    args.file = io.BytesIO(intermediate_certificate_bytes)
+    output = io.StringIO()
    oem_certificate.get_info(args, output)
    expected_info = """\
      Certificate Subject Name:
@@ -284,8 +285,8 @@ class OemCertificateTest(unittest.TestCase):
        oem_cert_test_helper.create_intermediate_certificate_and_key_bytes(
            pem_format=False))
    args = ArgParseObject()
-    args.file = StringIO.StringIO(intermediate_certificate_bytes)
-    output = StringIO.StringIO()
+    args.file = io.BytesIO(intermediate_certificate_bytes)
+    output = io.StringIO()
    oem_certificate.get_info(args, output)
    expected_info = """\
      Certificate Subject Name:
@@ -308,8 +309,8 @@ class OemCertificateTest(unittest.TestCase):
    args = oem_cert_test_helper.setup_leaf_cert_args(
        intermediate_key_bytes, intermediate_certificate_bytes)
    oem_certificate.generate_leaf_certificate(args)
-    args.file = StringIO.StringIO(args.output_certificate_file.getvalue())
-    output = StringIO.StringIO()
+    args.file = io.BytesIO(args.output_certificate_file.getvalue())
+    output = io.StringIO()
    oem_certificate.get_info(args, output)
    expected_info = """\
      Certificate Subject Name:
@@ -394,8 +395,8 @@ class OemCertificateTest(unittest.TestCase):
        'nm0mTbNTgcC673L5YA8qpQkAzk9vLg4UaslMbPfeKM8rqduJFcjTyVY3C4jBC0qxf6z6'
        'vpWbEO7UpHHdfvWe9DEBODFbyXMxAA==')
    args = oem_cert_test_helper.ArgParseObject()
-    args.file = StringIO.StringIO(base64.b64decode(data_b64))
-    output = StringIO.StringIO()
+    args.file = io.BytesIO(base64.b64decode(data_b64))
+    output = io.StringIO()
    oem_certificate.get_info(args, output)
    expected_info = """\
      Certificate Subject Name:
@@ -469,7 +470,7 @@ class OemCertificateArgParseTest(unittest.TestCase):
    self.assertEqual(args.output_csr_file.mode, 'wb')
    self.assertEqual(args.output_private_key_file.name, output_private_key_file)
    self.assertEqual(args.output_private_key_file.mode, 'wb')
-    self.assertEqual(args.passphrase, 'pass')
+    self.assertEqual(args.passphrase, b'pass')
    self.assertEqual(args.func, oem_certificate.generate_csr)
    self.assertIsNone(args.common_name)

@@ -494,13 +495,13 @@ class OemCertificateArgParseTest(unittest.TestCase):
    self.assertEqual(args.output_csr_file.mode, 'wb')
    self.assertEqual(args.output_private_key_file.name, output_private_key_file)
    self.assertEqual(args.output_private_key_file.mode, 'wb')
-    self.assertEqual(args.passphrase, 'pass')
+    self.assertEqual(args.passphrase, b'pass')
    self.assertEqual(args.common_name, 'MyCommonName')
    self.assertEqual(args.func, oem_certificate.generate_csr)

  def _fill_file_with_dummy_contents(self, file_name):
    with open(file_name, 'wb') as f:
-      f.write('dummy')
+      f.write(b'dummy')

  def test_generate_csr_invalid_key_size(self):
    cmds = ('generate_csr --key_size unknown -C USA -ST WA '
@@ -548,7 +549,7 @@ class OemCertificateArgParseTest(unittest.TestCase):
    self.assertEqual(args.root_certificate_file.mode, 'rb')
    self.assertEqual(args.root_private_key_file.name, root_private_key_file)
    self.assertEqual(args.root_private_key_file.mode, 'rb')
-    self.assertEqual(args.root_private_key_passphrase, 'root_key')
+    self.assertEqual(args.root_private_key_passphrase, b'root_key')
    self.assertEqual(args.output_certificate_file.name, output_certificate_file)
    self.assertEqual(args.output_certificate_file.mode, 'wb')
    self.assertEqual(args.func,
@@ -586,12 +587,12 @@ class OemCertificateArgParseTest(unittest.TestCase):
                     intermediate_private_key_file)
    self.assertEqual(args.intermediate_private_key_file.mode, 'rb')
    self.assertEqual(args.intermediate_private_key_passphrase,
-                     'intermediate_key')
+                     b'intermediate_key')
    self.assertEqual(args.output_certificate_file.name, output_certificate_file)
    self.assertEqual(args.output_certificate_file.mode, 'wb')
    self.assertEqual(args.output_private_key_file.name, output_private_key_file)
    self.assertEqual(args.output_private_key_file.mode, 'wb')
-    self.assertEqual(args.passphrase, 'leaf_key')
+    self.assertEqual(args.passphrase, b'leaf_key')
    self.assertEqual(args.func, oem_certificate.generate_leaf_certificate)

  def test_generate_leaf_cert_invalid_date(self):
--- a/oem_certificate_generator/oem_certificate_test_helper.py
+++ b/oem_certificate_generator/oem_certificate_test_helper.py
@@ -1,9 +1,10 @@
+#!/usr/bin/python3
 # Copyright 2017 Google LLC. All Rights Reserved.

 """Common test utility functions for OEM certificate generation."""

 import datetime
-import StringIO
+import io

 from cryptography import x509
 from cryptography.hazmat import backends
@@ -24,7 +25,7 @@ _NOT_VALID_BEFORE = datetime.datetime(2001, 8, 9)
 _VALID_DURATION = 100
 _LEAF_CERT_VALID_DURATION = 8000
 _SYSTEM_ID = 2001
-_ROOT_PRIVATE_KEY_PASSPHRASE = 'root_passphrase'
+_ROOT_PRIVATE_KEY_PASSPHRASE = b'root_passphrase'


 class ArgParseObject(object):
@@ -67,11 +68,11 @@ def setup_csr_args(country_name=_COUNTRY_NAME,
  if output_csr_file:
    args.output_csr_file = output_csr_file
  else:
-    args.output_csr_file = StringIO.StringIO()
+    args.output_csr_file = io.BytesIO()
  if output_private_key_file:
    args.output_private_key_file = output_private_key_file
  else:
-    args.output_private_key_file = StringIO.StringIO()
+    args.output_private_key_file = io.BytesIO()
  args.passphrase = passphrase
  return args

@@ -86,12 +87,12 @@ def setup_intermediate_cert_args(
  args.not_valid_before = not_valid_before
  args.valid_duration = valid_duration
  args.system_id = system_id
-  args.csr_file = StringIO.StringIO(csr_bytes)
+  args.csr_file = io.BytesIO(csr_bytes)
  args.root_private_key_passphrase = root_private_key_passphrase
  if output_certificate_file:
    args.output_certificate_file = output_certificate_file
  else:
-    args.output_certificate_file = StringIO.StringIO()
+    args.output_certificate_file = io.BytesIO()

  serialized_private_key = root_key.private_bytes(
      serialization.Encoding.DER,
@@ -100,8 +101,8 @@ def setup_intermediate_cert_args(
          args.root_private_key_passphrase))
  serialized_certificate = root_certificate.public_bytes(
      serialization.Encoding.DER)
-  args.root_certificate_file = StringIO.StringIO(serialized_certificate)
-  args.root_private_key_file = StringIO.StringIO(serialized_private_key)
+  args.root_certificate_file = io.BytesIO(serialized_certificate)
+  args.root_private_key_file = io.BytesIO(serialized_private_key)
  return args


@@ -122,16 +123,16 @@ def setup_leaf_cert_args(intermediate_key_bytes,
  if output_certificate_file:
    args.output_certificate_file = output_certificate_file
  else:
-    args.output_certificate_file = StringIO.StringIO()
+    args.output_certificate_file = io.BytesIO()
  if output_private_key_file:
    args.output_private_key_file = output_private_key_file
  else:
-    args.output_private_key_file = StringIO.StringIO()
+    args.output_private_key_file = io.BytesIO()
  args.passphrase = passphrase

-  args.intermediate_private_key_file = StringIO.StringIO(
+  args.intermediate_private_key_file = io.BytesIO(
      intermediate_key_bytes)
-  args.intermediate_certificate_file = StringIO.StringIO(
+  args.intermediate_certificate_file = io.BytesIO(
      intermediate_certificate_bytes)
  return args