xref: /macosx-10.9.5/Security-55471.14.18/libsecurity_codesigning/gke/gkgenerate

#!/usr/bin/python
#
# gkgenerate - produce Gatekeeper explicit allow data
#
# gkgenerate [--output name] files...
#	will collect GKE data from all files and write two output files (name.auth and name.sigs)
#	that are ready to drop into a /var/db for pickup.
#
import sys
import os
import signal
import errno
import subprocess
import argparse
import plistlib
import uuid


#
# Parameters and constants
#
authfile = "gke.auth"
sigfile = "gke.dsig"

#
# Usage and fail
#
def usage():
	print >>sys.stderr, "Usage: %s sourcedir" % sys.argv[0]
	sys.exit(2)

def fail(whatever):
	print >>sys.stderr, "%s: %s" % (sys.argv[0], whatever)
	sys.exit(1)


#
# Argument processing
#
parser = argparse.ArgumentParser()
parser.add_argument("--output", default="./gke", help="name of output files")
parser.add_argument("--uuid", default=uuid.uuid4(), help="explicitly specify the uuid stamp")
parser.add_argument("--empty", action='store_true', help="allow empty output sets")
parser.add_argument('source', nargs='+', help='files generated by the gkrecord command')
args = parser.parse_args()

authfile = args.output + ".auth"
sigsfile = args.output + ".sigs"


#
# Augment a snippet record
#
def augment(data):
	for auth in data.authority.values():
		if auth.path in data.signatures:
			signature = data.signatures[auth.path].signature.data
			unpack = subprocess.Popen(["/usr/local/bin/gkunpack"], stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
			(stdout, stderr) = unpack.communicate(input=signature)
			if stderr:
				fail("signature unpack failed for %s" % auth.path)
			auth.screen = stdout.rstrip();


#
# Start by collecting authority evidence from the authority records
#
auth = { }
sigs = { }
for source in args.source:
	if source[0] == '+':
		data = plistlib.readPlist(source[1:])
		augment(data)
		auth.update(data["authority"])
		sigs.update(data["signatures"])
	else:
		data = plistlib.readPlist(source)
		augment(data)
		auth.update(data["authority"])

if not auth and not args.empty:
	fail("No authority records (nothing to do)")


#
# Scrub the authority records to remove incriminating evidence
#
new_auth = { }
for rec in auth.values():
	u = uuid.uuid4()
	rec["path"] = "(gke)"
	del rec["status"]
	new_auth[str(u)] = rec
auth = new_auth


#
# The authority file is written as-is, as a plist
#
wrap = dict(
	authority=auth,
	uuid=str(args.uuid)
)
plistlib.writePlist(wrap, authfile)
print "Wrote %d authority record(s) to %s" % (len(auth), authfile)


#
# The signatures are written as tightly packed signature blobs
#
sigblobs = open(sigsfile, "w")
for sig in sigs:
	sigdata = sigs[sig]
	sigblobs.write(sigdata["signature"].data)
sigblobs.close()
print "Wrote %d signature record(s) to %s" % (len(sigs), sigsfile)