summaryrefslogtreecommitdiffstats
path: root/images/generate_key_migration_script/generate_key_migration_script.py
blob: 1476d4d8e54b757a51787a1905606700b05d9f46 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
#!/usr/bin/env python3
# Copyright (C) 2020 Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program.  If not, see <https://www.gnu.org/licenses/>.

import os
import sys

# Etree isn't subject to any data leak vulnerabilities:
# +---------------------------+------------+---------------------------------------------+
# | Issue                     | Etree      | Issue description                           |
# +---------------------------+------------+---------------------------------------------+
# | billion laughs            | Vulnerable | DDOS: can use huge amount of CPU and memory |
# +---------------------------+------------+---------------------------------------------+
# | quadratic blowup          | Vulnerable | DDOS: can use huge amount of CPU and memory |
# +---------------------------+------------+---------------------------------------------+
# | external entity expansion | Safe (1)   | Data leak                                   |
# +---------------------------+------------+---------------------------------------------+
# | DTD retrieval             | Safe       | Data leak                                   |
# +---------------------------+------------+---------------------------------------------+
# | decompression bomb        | Safe       | DDOS: can use huge amount of CPU            |
# +---------------------------+------------+---------------------------------------------+
# (1) xml.etree.ElementTree doesn't expand external entities and raises a
#     ParseError when an entity occurs.
#
# Other XML parsers like sax, minidom, pulldom, xmlrpc have similar security
# properties: they are not vulnerable (anymore) to data leaks but they are still
# vulnerable to DDOS attacks.
# Reference: https://docs.python.org/3.8/library/xml.html#xml-vulnerabilities
import xml.etree.ElementTree

import jinja2

def usage(progname):
    """Print the command line synopsis and exit with status 1.

    Args:
        progname: name of the program, shown at the start of the synopsis.
    """
    synopsis = ("{}"
                " <path/to/key-migration.sh>"
                " <path/to/old/packages.xml>"
                " [path/to/new/packages.xml]")
    print(synopsis.format(progname))
    sys.exit(1)

def generate_key_migration_sh_file(path, result_dict):
    """Render the 'key-migrations.sh' template and write it to path.

    The template is looked up in the 'templates' directory that sits next
    to this script, and is rendered with two variables: 'certs' and 'keys'.

    Args:
        path: path of the shell script to generate; it is opened in 'w'
            mode, so an existing file is overwritten.
        result_dict: dict with a 'certs' and a 'keys' entry, which are
            passed as-is to the template.

    Raises:
        KeyError: if result_dict has no 'certs' or no 'keys' entry.
    """
    # realpath() resolves symlinks, so the templates are found next to the
    # real script file even when it is run through a symlink.
    script_dir = os.path.dirname(os.path.realpath(__file__))
    templates_dir = os.path.join(script_dir, 'templates')

    env = jinja2.Environment(
        loader=jinja2.FileSystemLoader(templates_dir),
        trim_blocks=True,
        lstrip_blocks=True,
    )

    template = env.get_template('key-migrations.sh')
    output = template.render(
        certs=result_dict['certs'],
        keys=result_dict['keys'],
    )

    # The context manager closes the file even if write() raises.
    with open(path, 'w') as key_migration_sh_file:
        key_migration_sh_file.write(output)

def find_keys(root):
    """Return the public keys declared in the <keyset-settings> of root.

    Args:
        root: XML element whose direct children are searched for
            <keyset-settings>.

    Returns:
        A dict mapping the 'identifier' attribute of each <public-key>
        element to its 'value' attribute.

    Raises:
        AssertionError: if there isn't exactly one <keyset-settings>,
            exactly one <keys> inside it, or at least one <public-key>
            inside that <keys> element.
    """
    settings_nodes = root.findall('keyset-settings')
    assert (len(settings_nodes) == 1)

    keys_nodes = settings_nodes[0].findall('keys')
    assert (len(keys_nodes) == 1)

    public_key_nodes = keys_nodes[0].findall('public-key')
    assert (len(public_key_nodes) >= 1)

    # If an identifier appears several times, the last value wins.
    return {
        node.get('identifier'): node.get('value')
        for node in public_key_nodes
    }

def parse_packages_xml_file(results, old_packages_xml_path, file_type='old'):
    """Collect the certificates and signing keys from a packages.xml file.

    For every <package> that has at least one <cert> element with a 'key'
    attribute, the certificate key and the public key referenced by the
    package's <proper-signing-keyset> are stored in results, first under
    the package name (with '.' replaced by '_') and then under file_type.

    Args:
        results: dict with a 'certs' and a 'keys' dict; both are updated
            in place.
        old_packages_xml_path: path of the packages.xml file to parse.
            Despite its name, it is also used for the new packages.xml.
        file_type: key under which the values are stored for each package
            (the callers in this file use 'old' and 'new').

    Raises:
        AssertionError: if the keyset settings are malformed (see
            find_keys), if a package with a certificate doesn't have
            exactly one <proper-signing-keyset>, or if the packages in
            results['certs'] and results['keys'] end up being different.
        KeyError: if the identifier of a <proper-signing-keyset> is not
            (or no longer) among the public keys, which happens when it is
            missing, unknown, or already used by another package.
    """
    # The whole document is read by parse(), so the file can be closed right
    # away; the context manager also closes it when parsing fails.
    with open(old_packages_xml_path, 'r') as packages_xml_file:
        packages_xml_tree = xml.etree.ElementTree.parse(packages_xml_file)
    root = packages_xml_tree.getroot()

    keys = find_keys(root)

    # elm.iter(<tag>) iterates over the elm element and all elements below it
    for package in root.iter('package'):
        # Package names have dots like that: com.android.providers.media
        # However we want to use the package name inside the name of the
        # variable holding the certificate in the resulting shell script
        # like that: com_android_providers_media='<cert_key>'
        # So we need to replace the dots with underscore to be
        # consistent with shell variable naming conventions.
        escaped_package_name = package.get('name').replace('.', '_')

        found_cert_key = False
        for cert in package.iter('cert'):
            if 'key' in cert.keys():
                found_cert_key = True
                # If a package has several certificates with a key, the
                # last one wins.
                package_certs = results['certs'].setdefault(
                    escaped_package_name, {})
                package_certs[file_type] = cert.get('key')

        # In the stock Replicant 6.0 0003 image:
        # - There are about 5 <public-key> that don't have a name
        # - There are 90 packages that reference the <public-key> via
        #   <proper-signing-keyset>.
        # - There are 5 packages with a certificate which also reference
        #   a distinct <public-key> via <proper-signing-keyset>.
        # To name them we try to use the proper-signing-keyset on packages
        # that have a certificate.
        if found_cert_key:
            proper_signing_keyset = package.findall('proper-signing-keyset')
            assert (len(proper_signing_keyset) == 1)
            identifier = proper_signing_keyset[0].get('identifier')

            # pop() makes this fail with a KeyError if the identifier is
            # missing, unknown, or if the same key identifier is used twice.
            # It is done before touching results so that nothing is added
            # on failure.
            public_key = keys.pop(identifier)

            # The key is stored as a plain string in both cases: a stray
            # trailing comma used to turn it into a 1-tuple when the
            # package already had an entry (i.e. for the 'new' file).
            package_keys = results['keys'].setdefault(
                escaped_package_name, {})
            package_keys[file_type] = public_key

    # Verify that the package name is the same between certs and keys
    assert (len(results['certs']) == len(results['keys']))
    for package in results['certs']:
        assert (package in results['keys'])

    # TODO: verify that old is populated and that new is populated if we have 3
    # command line arguments

def filter_out_non_replicant_apps(result_dict):
    """Remove the packages that are not part of Replicant from result_dict.

    Args:
        result_dict: dict with a 'certs' and a 'keys' dict, both indexed by
            package names that have '.' replaced by '_'. Both are modified
            in place.

    Raises:
        AssertionError: if 'certs' and 'keys' don't hold the same packages.
    """
    non_replicant_packages = [
        'org.fdroid.fdroid',
    ]

    certs = result_dict['certs']
    keys = result_dict['keys']

    # Verify that the package name is the same between certs and keys
    assert (len(certs) == len(keys))

    # The names are collected first and removed afterward, as a dict can't
    # be modified while iterating over it.
    doomed = []
    for escaped_name in certs:
        assert (escaped_name in keys)
        # Undo the '.' -> '_' replacement to compare with real package names
        if escaped_name.replace('_', '.') in non_replicant_packages:
            doomed.append(escaped_name)

    for escaped_name in doomed:
        del certs[escaped_name]
        del keys[escaped_name]

if __name__ == '__main__':
    # Two arguments are mandatory (the script to generate and the old
    # packages.xml); the new packages.xml is optional.
    argc = len(sys.argv)
    if argc not in [3, 4]:
        usage(sys.argv[0])

    key_migration_sh_path = os.path.realpath(sys.argv[1])
    old_packages_xml_path = os.path.realpath(sys.argv[2])
    new_packages_xml_path = None
    if argc == 4:
        new_packages_xml_path = os.path.realpath(sys.argv[3])

    # Layout of the collected data:
    # {
    #   'certs' : {
    #     # package_name has '.' replaced by '_'
    #     'package_name' : {
    #       'old' : '<cert>',
    #       'new' : '<cert>',
    #     },
    #   },
    #   'keys' : {
    #     'package_name' : {
    #       'old' : '<key>',
    #       'new' : '<key>',
    #     },
    #   },
    # }
    cert_and_keys = {
        'certs' : {},
        'keys' : {},
    }

    parse_packages_xml_file(cert_and_keys, old_packages_xml_path, 'old')
    if argc == 4:
        parse_packages_xml_file(cert_and_keys, new_packages_xml_path, 'new')

    filter_out_non_replicant_apps(cert_and_keys)

    generate_key_migration_sh_file(key_migration_sh_path, cert_and_keys)