arno/trezor-firmware
1
0
Fork 0
mirror of https://github.com/trezor/trezor-firmware.git synced 2024-11-26 09:28:13 +00:00
Code Issues Releases Wiki Activity

tools.codegen: use certifi in gen_cert_bundle.py

Browse Source
This commit is contained in:
Pavol Rusnak 2018-01-08 23:56:08 +01:00
parent f806488536
commit 30b0863725
No known key found for this signature in database
GPG Key ID: 91F3B339B9A02A3D
1 changed files with 24 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
tools/codegen/gen_cert_bundle.py
View File

@ -1,20 +1,20 @@
#!/usr/bin/python3 #!/usr/bin/python3
from pyblake2 import blake2s from base64 import b64decode
from hashlib import sha256
import pem
import requests import requests
CERTDATA = 'https://hg.mozilla.org/releases/mozilla-beta' REPO = 'certifi/python-certifi'
CERTDATA_HASH = CERTDATA + '/?cmd=lookup&key=tip'
CERTDATA_TXT = CERTDATA + '/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt'
def fetch_certdata(): def fetch_certdata():
r = requests.get(CERTDATA_HASH) r = requests.get('https://api.github.com/repos/%s/git/refs/heads/master' % REPO)
assert(r.status_code == 200) assert(r.status_code == 200)
commithash = r.text.strip().split(' ')[1] commithash = r.json()['object']['sha']
r = requests.get(CERTDATA_TXT) r = requests.get('https://raw.githubusercontent.com/%s/%s/certifi/cacert.pem' % (REPO, commithash))
assert(r.status_code == 200) assert(r.status_code == 200)
certdata = r.text certdata = r.text
@ -27,26 +27,30 @@ def process_certdata(data):
label = None label = None
value = None value = None
for line in lines: for line in lines:
if line == 'END': if line.startswith('# Label: '):
if label is not None and value is not None: assert(label is None)
certs[label] = bytes([int(x, 8) for x in value.split('\\')[1:]]) assert(value is None)
label = None
value = None
elif line.startswith('CKA_LABEL UTF8 '):
label = line.split('"')[1] label = line.split('"')[1]
elif line == 'CKA_VALUE MULTILINE_OCTAL': elif line == '-----BEGIN CERTIFICATE-----':
assert(label is not None) assert(label is not None)
assert(value is None)
value = '' value = ''
elif value is not None: elif line == '-----END CERTIFICATE-----':
assert(label is not None) assert(label is not None)
value += line assert(value is not None)
certs[label] = b64decode(value)
label, value = None, None
else:
if value is not None:
value += line
return certs return certs
def main(): def main():
commithash, certdata = fetch_certdata() commithash, certdata = fetch_certdata()
print('# fetched from %s (default branch)' % CERTDATA) print('# fetched from https://github.com/%s' % REPO)
print('# commit %s' % commithash) print('# commit %s' % commithash)
certs = process_certdata(certdata) certs = process_certdata(certdata)
@ -56,8 +60,10 @@ def main():
print('cert_bundle = [') print('cert_bundle = [')
for k, v in certs.items(): for k, v in certs.items():
h = sha256(v)
print(' # %s' % k) print(' # %s' % k)
print(' %s,' % blake2s(v).digest()) print(' # %s' % h.hexdigest())
print(' %s,' % h.digest())
print(']') print(']')