mirror of
https://github.com/mollyim/webrtc.git
synced 2025-05-13 05:40:42 +01:00
c7ff896999
OpenSSL removed ability to generate C code:
a18cf8fc63
CL rewrites generation script to use pure Python asn1crypto library.
The changes in generated code leading to huge diff in generated file:
- Certificate array names are based on certificate fingerprints instead
of semi-human readable names, which were not referenced externally;
- Order of arrays in generated file matches the order of certificates
as they are appeared in source pem file. Previously re-ordering happen
due to writing temporary files on disk;
Bug: webrtc:11710
Change-Id: Ie7a97b3658f6ccb397f0fd0c21d341934a2cc12e
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/304642
Commit-Queue: Yury Yarashevich <yura.yaroshevich@gmail.com>
Reviewed-by: Mirko Bonadei <mbonadei@webrtc.org>
Reviewed-by: Harald Alvestrand <hta@webrtc.org>
Cr-Commit-Position: refs/heads/main@{#40039}
244 lines
9.1 KiB
Python
244 lines
9.1 KiB
Python
#!/usr/bin/env vpython3
|
|
|
|
# -*- coding:utf-8 -*-
|
|
# Copyright (c) 2023 The WebRTC project authors. All Rights Reserved.
|
|
#
|
|
# Use of this source code is governed by a BSD-style license
|
|
# that can be found in the LICENSE file in the root of the source
|
|
# tree. An additional intellectual property rights grant can be found
|
|
# in the file PATENTS. All contributing project authors may
|
|
# be found in the AUTHORS file in the root of the source tree.
|
|
import argparse
|
|
import logging
|
|
from pathlib import Path
|
|
import tempfile
|
|
from typing import Tuple, Any, List, ByteString
|
|
from datetime import datetime, timezone
|
|
from hashlib import sha256
|
|
from urllib.request import urlopen
|
|
from asn1crypto import pem, x509
|
|
|
|
_GENERATED_FILE = 'ssl_roots.h'
|
|
|
|
def main():
|
|
parser = argparse.ArgumentParser(
|
|
description='This is a tool to transform a crt file '
|
|
f'into a C/C++ header: {_GENERATED_FILE}.')
|
|
|
|
parser.add_argument('source_path_or_url',
|
|
help='File path or URL to PEM storage file. '
|
|
'The supported cert files are: '
|
|
'- Google: https://pki.goog/roots.pem; '
|
|
'- Mozilla: https://curl.se/ca/cacert.pem')
|
|
parser.add_argument('-v',
|
|
'--verbose',
|
|
dest='verbose',
|
|
action='store_true',
|
|
help='Print output while running')
|
|
parser.add_argument('-f',
|
|
'--full_cert',
|
|
dest='full_cert',
|
|
action='store_true',
|
|
help='Add public key and certificate name. '
|
|
'Default is to skip and reduce generated file size.')
|
|
args = parser.parse_args()
|
|
logging.basicConfig(level=logging.DEBUG if args.verbose else logging.WARNING)
|
|
|
|
with tempfile.TemporaryDirectory() as temp_dir:
|
|
cert_file = Path(temp_dir) / "cacert.pem"
|
|
|
|
if args.source_path_or_url.startswith(
|
|
'https://') or args.source_path_or_url.startswith('http://'):
|
|
_DownloadCertificatesStore(args.source_path_or_url, cert_file)
|
|
destination_dir = Path.cwd()
|
|
else:
|
|
source_path = Path(args.source_path_or_url)
|
|
cert_file.write_bytes(source_path.read_bytes())
|
|
destination_dir = source_path.parent
|
|
|
|
logging.debug('Stored certificate from %s into %s', args.source_path_or_url,
|
|
cert_file)
|
|
|
|
header_file = destination_dir / _GENERATED_FILE
|
|
|
|
digest, certificates = _LoadCertificatesStore(cert_file)
|
|
_GenerateCHeader(header_file, args.source_path_or_url, digest, certificates,
|
|
args.full_cert)
|
|
|
|
logging.debug('Did generate %s from %s [%s]', header_file,
|
|
args.source_path_or_url, digest)
|
|
|
|
|
|
def _DownloadCertificatesStore(pem_url: str, destination_file: Path):
|
|
with urlopen(pem_url) as response:
|
|
pem_file = response.read()
|
|
logging.info('Got response with status [%d]: %s', response.status, pem_url)
|
|
|
|
if destination_file.parent.exists():
|
|
logging.debug('Creating directory and it\'s parents %s',
|
|
destination_file.parent)
|
|
destination_file.parent.mkdir(parents=True, exist_ok=True)
|
|
if destination_file.exists():
|
|
logging.debug('Unlink existing file %s', destination_file)
|
|
destination_file.unlink(missing_ok=True)
|
|
|
|
destination_file.write_bytes(pem_file)
|
|
logging.info('Stored downloaded %d bytes pem file to `%s`', len(pem_file),
|
|
destination_file)
|
|
|
|
|
|
def _LoadCertificatesStore(
|
|
source_file: Path) -> Tuple[str, List[x509.Certificate]]:
|
|
pem_bytes = source_file.read_bytes()
|
|
|
|
certificates = [
|
|
x509.Certificate.load(der)
|
|
for type, _, der in pem.unarmor(pem_bytes, True) if type == 'CERTIFICATE'
|
|
]
|
|
digest = f'sha256:{sha256(pem_bytes).hexdigest()}'
|
|
logging.debug('Loaded %d certificates from %s [%s] ', len(certificates),
|
|
source_file, digest)
|
|
return digest, certificates
|
|
|
|
|
|
def _GenerateCHeader(header_file: Path, source: str, source_digest: str,
|
|
certificates: List[x509.Certificate], full_cert: bool):
|
|
header_file.parent.mkdir(parents=True, exist_ok=True)
|
|
with header_file.open('w') as output:
|
|
output.write(_CreateOutputHeader(source, source_digest))
|
|
|
|
named_certificates = [(cert,
|
|
f'kCertificateWithFingerprint_{cert.sha256.hex()}')
|
|
for cert in certificates]
|
|
|
|
names = list(map(lambda x: x[1], named_certificates))
|
|
unique_names = list(set(names))
|
|
if len(names) != len(unique_names):
|
|
raise RuntimeError(
|
|
f'There are {len(names) - len(unique_names)} non-unique '
|
|
'certificate names generated. Generator script must be '
|
|
'fixed to handle collision.')
|
|
|
|
for cert, name in named_certificates:
|
|
|
|
output.write(_CreateCertificateMetadataHeader(cert))
|
|
|
|
if full_cert:
|
|
output.write(
|
|
_CArrayConstantDefinition('unsigned char',
|
|
f'{name}_subject_name',
|
|
_CreateHexList(cert.subject.dump()),
|
|
max_items_per_line=16))
|
|
output.write('\n')
|
|
output.write(
|
|
_CArrayConstantDefinition('unsigned char',
|
|
f'{name}_public_key',
|
|
_CreateHexList(cert.public_key.dump()),
|
|
max_items_per_line=16))
|
|
output.write('\n')
|
|
|
|
output.write(
|
|
_CArrayConstantDefinition('unsigned char',
|
|
f'{name}_certificate',
|
|
_CreateHexList(cert.dump()),
|
|
max_items_per_line=16))
|
|
output.write('\n\n')
|
|
|
|
if full_cert:
|
|
output.write(
|
|
_CArrayConstantDefinition('unsigned char* const',
|
|
'kSSLCertSubjectNameList',
|
|
[f'{name}_subject_name' for name in names]))
|
|
output.write('\n\n')
|
|
|
|
output.write(
|
|
_CArrayConstantDefinition('unsigned char* const',
|
|
'kSSLCertPublicKeyList',
|
|
[f'{name}_public_key' for name in names]))
|
|
output.write('\n\n')
|
|
|
|
output.write(
|
|
_CArrayConstantDefinition('unsigned char* const',
|
|
'kSSLCertCertificateList',
|
|
[f'{name}_certificate' for name in names]))
|
|
output.write('\n\n')
|
|
|
|
output.write(
|
|
_CArrayConstantDefinition(
|
|
'size_t', 'kSSLCertCertificateSizeList',
|
|
[f'{len(cert.dump())}' for cert, _ in named_certificates]))
|
|
output.write('\n\n')
|
|
|
|
output.write(_CreateOutputFooter())
|
|
|
|
|
|
def _CreateHexList(items: ByteString) -> List[str]:
|
|
"""
|
|
Produces list of strings each item is hex literal of byte of source sequence
|
|
"""
|
|
return [f'0x{item:02X}' for item in items]
|
|
|
|
|
|
def _CArrayConstantDefinition(type_name: str,
|
|
array_name: str,
|
|
items: List[Any],
|
|
max_items_per_line: int = 1) -> str:
|
|
"""
|
|
Produces C array definition like: `const type_name array_name = { items };`
|
|
"""
|
|
return (f'const {type_name} {array_name}[{len(items)}]='
|
|
f'{_CArrayInitializerList(items, max_items_per_line)};')
|
|
|
|
|
|
def _CArrayInitializerList(items: List[Any],
|
|
max_items_per_line: int = 1) -> str:
|
|
"""
|
|
Produces C initializer list like: `{\\nitems[0], \\n ...}`
|
|
"""
|
|
return '{\n' + '\n'.join([
|
|
','.join(items[i:i + max_items_per_line]) + ','
|
|
for i in range(0, len(items), max_items_per_line)
|
|
]) + '\n}'
|
|
|
|
|
|
def _CreateCertificateMetadataHeader(cert: x509.Certificate) -> str:
|
|
return (f'/* subject: {cert.subject.human_friendly} */\n'
|
|
f'/* issuer: {cert.issuer.human_friendly} */\n'
|
|
f'/* link: https://crt.sh/?q={cert.sha256.hex()} */\n')
|
|
|
|
|
|
def _CreateOutputHeader(source_path_or_url: str, source_digest: str) -> str:
|
|
now_utc = datetime.now(timezone.utc).replace(microsecond=0)
|
|
output = (
|
|
'/*\n'
|
|
f' * Copyright {now_utc.year} The WebRTC Project Authors. All rights '
|
|
'reserved.\n'
|
|
' *\n'
|
|
' * Use of this source code is governed by a BSD-style license\n'
|
|
' * that can be found in the LICENSE file in the root of the '
|
|
'source\n'
|
|
' * tree. An additional intellectual property rights grant can be '
|
|
'found\n'
|
|
' * in the file PATENTS. All contributing project authors may\n'
|
|
' * be found in the AUTHORS file in the root of the source tree.\n'
|
|
' */\n\n'
|
|
'#ifndef RTC_BASE_SSL_ROOTS_H_\n'
|
|
'#define RTC_BASE_SSL_ROOTS_H_\n\n'
|
|
'// This file is the root certificates in C form.\n\n'
|
|
f'// It was generated at {now_utc.isoformat()} by the following script:\n'
|
|
'// `tools_webrtc/sslroots/generate_sslroots.py '
|
|
f'{source_path_or_url}`\n\n'
|
|
'// clang-format off\n'
|
|
'// Don\'t bother formatting generated code,\n'
|
|
'// also it would breaks subject/issuer lines.\n\n'
|
|
f'// Source bundle `{source_path_or_url}` digest is [{source_digest}]\n\n'
|
|
)
|
|
return output
|
|
|
|
|
|
def _CreateOutputFooter():
|
|
return '// clang-format on\n\n#endif // RTC_BASE_SSL_ROOTS_H_\n'
|
|
|
|
|
|
if __name__ == '__main__':
|
|
main()
|