dbfdg 3 wh[@s ddlZddlZddlZddlZddlZddlZddlZdgZdd1iZd Z e d Z e d Z e d Z Gd d d eZd2ddZddZd3ddZddZddZddZddZddZd d!Zejd"d#Zejd$d%Zd&d'Zd(d)Zd4d+d,Zd5d-d.Zd6d/d0Z dS)7NZrsa4096gpgtypekindroleserialkeyz/dev/shmc@s eZdZdS)ErrorN)__name__ __module__ __qualname__rr)/usr/libexec/kcare/python/kcsig_verify.pyr sr latin1cCsNt|}|tkr|S|tkr&|j|S|tkr:tt|Stdt|dS)NzUnsupported pae type )rbtypeutypeencodeintto_bytesstr ValueError)dataencodingdtyperrrrs  rcCs@t|}|tkr|S|tkr&|jdS|tkr8|jdStdS)Nzutf-8)rntyperdecoderrNotImplementedError)rrrrrnstr's  rwc Cs8|d}t||}|j|WdQRXtj||dS)Nz.tmp)openwriteosrename)fnamecontentmode tmp_fnamefrrr atomic_write2s r)c Cst| }|jSQRXdS)N)r read)r$r(rrr read_file:s r+cCstjt|S)N)jsonloadsr+)r$rrr read_json?sr.cGs:dt|}x(|D] }t|}|dt||f7}qW|S)Ns%ds%d%s)lenr)partsresultpZbprrrpaeCs   r3cstfdd|DS)Ncsg|] }|qSrr).0r()rrr Nszpae_fields..)r3)rZfieldsr)rr pae_fieldsLsr6cCst|t|dS)Nr)r6 PAE_FIELDS)rrrrpae_typeQsr8cCs$|dtkr tdt|ddS)Nrzinvalid key type: )r7rr)rrrr check_keyUs r9c csH|r |Vn8tjtdd$}|jt||j|jVWdQRXdS)Nz kcsig-data-)dirprefix)tempfileNamedTemporaryFileTMPDIRr!rflushname)r data_is_filer(rrr temp_datafileZs rBc cs*tj||d}z |VWdtj|XdS)N)r;r:)r<mkdtempshutilrmtree)r;r:Ztemp_dirrrrtemp_directoryes rFcCs|ttddf}dd|d|dd|g}tj|tjtjtjd}|j|\}}|jd krntd t|d t|WdQRXdS) Nz kcsig-gpgtmp-)r:r;rz --homedirz --keyringz--verify-)stdinstdoutstderrrzVerify error:  ) rFr> subprocessPopenPIPE communicate returncode Exceptionr)keyfiledatafilesigdataZtmp_dircmdr2rIrJrrrrun_gpg_verifyns  rVcCsxt|tjtddX}|jtjt|d|jt ||"}tjt|}t |j ||WdQRXWdQRXdS)Nz kcsig-key-)r:r;r) r9r<r=r>r!base64 b64decoderr?rBrVr@) signaturerrrAkey_filerSrTrrr verify_keyxs r[Fc Csd}i}xt|jD]h\}}||kr,d||<qyt|||||Wn.tk rp}zt|||<WYdd}~XqX|d7}qW||fS)Nrzno corresponding root key)itemsr[rQr) signatureskeysrrAcounterrorskeyidsigerrr verify_counts recCs|jdd}|jdd}i}|p"t}i}x|djD]\}} yXt| | d|krjdj| d|||<n*| d|krd j| d|||<n| ||<Wq6tk r} zt| ||<w6WYdd} ~ Xq6Xq6Wi} xN|jD]B\}} t| d |dt| d \} } | |kr| ||<q| | |<qWd } xl| jD]`\}} yt |d || |d dWn0tk r} zt| ||<WYdd} ~ Xn X| d7} q.W| st dt j |dS)N thresholdi' min_serialir_rz&invalid kind {0}, accepted list is {1}rz"invalid serial {0}, current is {1}r^)rrT)rrAr\z!Error validating file signature: ) getAVAILABLE_KINDSr]r9formatrQrrer8r[r r,dumps)rTrS root_keyskindsrfrgraZapplicable_keysrbrrdZ verified_keysr`Z root_errorsrrr_verifys>         rncCs$t|}t|}t||||ddS)N)rm)r.rn)ZsigfilerSZrootfilermrTrlrrrverifysro)rrrrr)r)r)F)N)N)!r"rWr<rLr,rD contextlibrir7r>rrrrrQr rrr)r+r.r3r6r8r9contextmanagerrBrFrVr[rernrorrrrs:        +