a i\@s ddlZddlZddlZddlZddlZddlZddlZdgZddiZdZedZedZedZGdd d eZd-d d Zd dZ d.ddZ!ddZ"ddZ#ddZ$ddZ%ddZ&ddZ'ej(ddZ)ej(d d!Z*d"d#Z+d$d%Z,d/d'd(Z-d0d)d*Z.d1d+d,Z/dS)2NZrsa4096gpg)typekindZroleserialkeyz/dev/shmc@s eZdZdS)ErrorN)__name__ __module__ __qualname__r r )/usr/libexec/kcare/python/kcsig_verify.pyr sr latin1cCsNt|}|tur|S|tur&||S|tur:tt|Stdt|dS)NzUnsupported pae type )rbtypeutypeencodeintto_bytesstr ValueError)dataencodingdtyper r rrs  rcCs@t|}|tur|S|tur&|dS|tur8|dStdS)Nzutf-8)rntyperdecoderrNotImplementedError)rrr r rnstr(s  rwcCsL|d}t||}||Wdn1s20Yt||dS)Nz.tmp)openwriteosrename)fnamecontentmode tmp_fnamefr r r atomic_write3s (r(cCs4t|}|WdS1s&0YdSN)rread)r#r'r r r read_file;s r+cCstt|Sr))jsonloadsr+)r#r r r read_json@sr.cGs6dt|}|D] }t|}|dt||f7}q|S)Ns%ds%d%s)lenr)partsresultpZbpr r rpaeDs  r3cstfdd|DS)Ncsg|] }|qSr r ).0r'rr r Orzpae_fields..)r3)rfieldsr r5r pae_fieldsMsr8cCst|t|dS)Nr)r8 PAE_FIELDSr5r r rpae_typeRsr:cCs$|dtvr tdt|ddS)Nrzinvalid key type: )r9rr)rr r r check_keyVs r;ccs\|r |VnLtjtdd.}|t|||jVWdn1sN0YdS)Nz kcsig-data-dirprefix)tempfileNamedTemporaryFileTMPDIRr rflushname)r data_is_filer'r r r temp_datafile[s rEc cs4tj||d}z|VWt|n t|0dS)N)r>r=)r?mkdtempshutilrmtree)r>r=Ztemp_dirr r rtemp_directoryfsrIc Csttddp}dd|d|dd|g}tj|tjtjtjd}||\}}|jd krntd t|d t|Wdn1s0YdS) Nz kcsig-gpgtmp-r<rz --homedirz --keyringz--verify-)stdinstdoutstderrrzVerify error:  ) rIrA subprocessPopenPIPE communicate returncode Exceptionr)keyfiledatafilesigdataZtmp_dircmdr2rLrMr r rrun_gpg_verifyos  rYc Cst|tjtddv}|tt|d|t ||,}tt|}t |j ||Wdn1st0YWdn1s0YdS)Nz kcsig-key-r<r) r;r?r@rAr base64 b64decoderrBrErYrC) signaturerrrDkey_filerVrWr r r verify_keyys r^Fc Csd}i}|D]j\}}||vr*d||<qzt|||||Wn0typ}zt|||<WYd}~qd}~00|d7}q||fS)Nrzno corresponding root key)itemsr^rTr) signatureskeysrrDcounterrorskeyidsiger r r verify_counts" rhc Cs|dd}|dd}i}|p"t}i}|dD]\}} zXt| | d|vrhd| d|||<n*| d|krd | d|||<n| ||<Wq4ty} z$t| ||<WYd} ~ q4WYd} ~ q4d} ~ 00q4i} |D]B\}} t| d |dt| d \} } | |kr| ||<q| | |<qd } | D]b\}} zt |d || |d dWn2ty} zt| ||<WYd} ~ nd} ~ 00| d7} q0| st dt |dS)N thresholdi' min_serialirbrz&invalid kind {0}, accepted list is {1}rz"invalid serial {0}, current is {1}rar5rT)rrDr_z!Error validating file signature: ) getAVAILABLE_KINDSr`r;formatrTrrhr:r^r r,dumps)rWrV root_keyskindsrirjrdZapplicable_keysrerrgZ verified_keysrcZ root_errorsr r r_verifys>      $   " rqcCs$t|}t|}t||||ddS)N)rp)r.rq)ZsigfilerVZrootfilerprWror r rverifysrr)r)r)F)N)N)0rZ contextlibr,r!rGrOr?AnyDictIteratorListMappingOptionalSequenceTupleUnionZAnyKeyZ ReleaseKeyZRootKeyZRootKeysZ SignatureZanystrrlr9rArrrrrTr rrr(r+r.r3r8r:r;contextmanagerrErIrYr^rhrqrrr r r rs>        +