#!/usr/bin/python

# vim:set et sw=4:

#

# certdata2pem.py - splits certdata.txt into multiple files

#

# Copyright (C) 2009 Philipp Kern <pkern@debian.org>

# Copyright (C) 2013 Kai Engert <kaie@redhat.com>

#

# This program is free software; you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# the Free Software Foundation; either version 2 of the License, or

# (at your option) any later version.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

# GNU General Public License for more details.

#

# You should have received a copy of the GNU General Public License

# along with this program; if not, write to the Free Software

# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301,

# USA.

import base64

import os.path

import re

import sys

import textwrap

import subprocess

import getopt

import asn1

from cryptography import x509

from cryptography.hazmat.primitives import hashes

from datetime import datetime

from dateutil.parser import parse

objects = []

pemcerts = []

certdata='./certdata.txt'

pem='./cert.pem'

output='./certdata_out.txt'

trust='CKA_TRUST_CODE_SIGNING'

merge_label="Non-Mozilla Object Signing Only Certificate"

dateString='thisyear'

trust_types = {

  "CKA_TRUST_SERVER_AUTH",

  "CKA_TRUST_EMAIL_PROTECTION",

  "CKA_TRUST_CODE_SIGNING"

}

attribute_types = {

    "CKA_CLASS" : "CK_OBJECT_CLASS",

    "CKA_TOKEN" : "CK_BBOOL",

    "CKA_PRIVATE" : "CK_BBOOL",

    "CKA_MODIFIABLE" : "CK_BBOOL",

    "CKA_LABEL" : "UTF8",

    "CKA_CERTIFICATE_TYPE" : "CK_CERTIFICATE_TYPE",

    "CKA_SUBJECT" : "MULTILINE_OCTAL",

    "CKA_ID" : "UTF8",

    "CKA_CERT_SHA1_HASH" : "MULTILINE_OCTAL",

    "CKA_CERT_MD5_HASH" : "MULTILINE_OCTAL",

    "CKA_ISSUER" : "MULTILINE_OCTAL",

    "CKA_SERIAL_NUMBER" : "MULTILINE_OCTAL",

    "CKA_VALUE" : "MULTILINE_OCTAL",

    "CKA_NSS_MOZILLA_CA_POLICY" : "CK_BBOOL",

    "CKA_NSS_SERVER_DISTRUST_AFTER" : "Distrust",

    "CKA_NSS_EMAIL_DISTRUST_AFTER" : "Distrust",

    "CKA_TRUST_SERVER_AUTH" : "CK_TRUST",

    "CKA_TRUST_EMAIL_PROTECTION" : "CK_TRUST",

    "CKA_TRUST_CODE_SIGNING" : "CK_TRUST",

    "CKA_TRUST_STEP_UP_APPROVED" : "CK_BBOOL"

}

def printable_serial(obj):

  return ".".join([str(x) for x in obj['CKA_SERIAL_NUMBER']])

def getSerial(cert):

    encoder = asn1.Encoder()

    encoder.start()

    encoder.write(cert.serial_number)

    return encoder.output()

def dumpOctal(f,value):

    for i in range(len(value)) :

        if  i % 16 == 0 :

            f.write("\n")

        f.write("\\%03o"%int.from_bytes(value[i:i+1],sys.byteorder))

    f.write("\nEND\n")

# in python 3.8 this can be replaced with return byteval.hex(':',1)

def formatHex(byteval) :

    string=byteval.hex()

    string_out=""

    for i in range(0,len(string)-2,2) :

         string_out += string[i:i+2] + ':'

    string_out += string[-2:]

    return string_out

def getdate(dateString):

    print("dateString= %s"%dateString)

    if dateString.upper() == "THISYEAR":

        return datetime(datetime.today().year,12,31,11,59,59,9999)

    if dateString.upper() == "TODAY":

        return datetime.today()

    return parse(dateString, fuzzy=True);

def getTrust(objlist, serial, issuer) :

    for obj in objlist:

        if obj['CKA_CLASS'] == 'CKO_NSS_TRUST' and obj['CKA_SERIAL_NUMBER'] == serial and obj['CKA_ISSUER'] == issuer:

            return obj

    return None

def isDistrusted(obj) :

    if (obj == None):

        return False

    return obj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_NOT_TRUSTED' and obj['CKA_TRUST_EMAIL_PROTECTION'] == 'CKT_NSS_NOT_TRUSTED' and obj['CKA_TRUST_CODE_SIGNING'] == 'CKT_NSS_NOT_TRUSTED'

try:

    opts, args = getopt.getopt(sys.argv[1:],"c:o:p:t:l:x:",)

except getopt.GetoptError as err:

    print(err)

    print(sys.argv[0] + ' [-c certdata] [-p pem] [-o certdata_target] [-t trustvalue] [-l merge_label]')

    print('-c certdata         certdata file to merge to (default="'+certdata+'")');

    print('-p pem              pem file with CAs to merge from (default="'+pem+'")');

    print('-o certdata_target  resulting output file (default="'+output+'")');

    print('-t trustvalue       what these CAs are trusted for (default="'+trust+'")');

    print('-l merge_label      what label CAs that aren\'t in certdata (default="'+merge_label+'")');

    print('-x date             remove all certs that expire before data (default='+dateString+')');

    sys.exit(2)

for opt, arg in opts:

    if opt == '-c' :

        certdata = arg

    elif opt == '-p' :

        pem = arg

    elif opt == '-o' :

        output = arg

    elif opt == '-t' :

        trust = arg

    elif opt == '-l' :

        merge_label = arg

    elif opt == '-x' :

        dateString = arg

# parse dateString

verifyDate = True

if dateString.upper() == "NEVER":

   verifyDate = False

else:

   date = getdate(dateString)

# read the pem file

in_cert, certvalue = False, ""

for line in open(pem, 'r'):

    if not in_cert:

       if line.find("BEGIN CERTIFICATE") != -1:

            in_cert = True;

       continue

    # Ignore comment lines and blank lines.

    if line.startswith('#'):

        continue

    if len(line.strip()) == 0:

        continue

    if line.find("END CERTIFICATE") != -1 :

       pemcerts.append(certvalue);

       certvalue = "";

       in_cert = False;

       continue

    certvalue += line;

# read the certdata.txt file

in_data, in_multiline, in_obj = False, False, False

field, ftype, value, binval, obj = None, None, None, bytearray(), dict()

header, comment = "", ""

for line in open(certdata, 'r'):

    # Ignore the file header.

    if not in_data:

        header += line

        if line.startswith('BEGINDATA'):

            in_data = True

        continue

    # Ignore comment lines. 

    if line.startswith('#'):

        comment += line

        continue

    # Empty lines are significant if we are inside an object.

    if in_obj and len(line.strip()) == 0:

        # collect all the inline comments in this object

        obj['Comment'] += comment

        comment = ""

        objects.append(obj)

        obj = dict()

        in_obj = False

        continue

    if len(line.strip()) == 0:

        continue

    if in_multiline:

        if not line.startswith('END'):

            if ftype == 'MULTILINE_OCTAL':

                line = line.strip()

                for i in re.finditer(r'\\([0-3][0-7][0-7])', line):

                    integ = int(i.group(1), 8)

                    binval.extend((integ).to_bytes(1, sys.byteorder))

                obj[field] = binval

            else:

                value += line

                obj[field] = value

            continue

        in_multiline = False

        continue

    if line.startswith('CKA_CLASS'):

        in_obj = True

        obj['Comment'] = comment

        comment = ""

    line_parts = line.strip().split(' ', 2)

    if len(line_parts) > 2:

        field, ftype = line_parts[0:2]

        value = ' '.join(line_parts[2:])

    elif len(line_parts) == 2:

        field, ftype = line_parts

        value = None

    else:

        raise NotImplementedError('line_parts < 2 not supported.\n' + line)

    if ftype == 'MULTILINE_OCTAL':

        in_multiline = True

        value = ""

        binval = bytearray()

        continue

    obj[field] = value

if len(list(obj.items())) > 0:

    objects.append(obj)

# strip out expired certificates from certdata.txt

if verifyDate :

    for obj in objects:

        if obj['CKA_CLASS'] == 'CKO_CERTIFICATE' :

            cert = x509.load_der_x509_certificate(obj['CKA_VALUE'])

            if (cert.not_valid_after <= date) :

                trust_obj = getTrust(objects,obj['CKA_SERIAL_NUMBER'],obj['CKA_ISSUER'])

                # we don't remove distrusted expired certificates

                if  not isDistrusted(trust_obj) :

                    print("  Remove cert %s"%obj['CKA_LABEL'])

                    print("     Expires: %s"%cert.not_valid_after.strftime("%m/%d/%Y"))

                    print("     Prune time %s: "%date.strftime("%m/%d/%Y"))

                    obj['Comment'] = None;

                    if (trust_obj != None):

                        trust_obj['Comment'] = None;

# now merge the results

for certval in pemcerts:

    certder = base64.b64decode(certval)

    cert = x509.load_der_x509_certificate(certder)

    try:

        label=cert.subject.get_attributes_for_oid(x509.oid.NameOID.COMMON_NAME)[0].value

    except:

        try:

            label=cert.subject.get_attributes_for_oid(x509.oid.NameOID.ORGANIZATION_UNIT_NAME)[0].value

        except:

            try:

                label=cert.subject.get_attributes_for_oid(x509.oid.NameOID.ORGANIZATION_NAME)[0].value

            except:

                label="Unknown Certificate"

    if cert.not_valid_after <= date:

        print("  Skipping code signing cert %s"%label)

        print("     Expires: %s"%cert.not_valid_after.strftime("%m/%d/%Y"))

        print("     Prune time %s: "%date.strftime("%m/%d/%Y"))

        continue

    certhashsha1 = cert.fingerprint(hashes.SHA1())

    certhashmd5 =  cert.fingerprint(hashes.MD5())

    found = False

    # see if it exists in certdata.txt

    for obj in objects:

        # we only need to check the trust objects, because

        # that is the object we would modify if it exists

        if obj['CKA_CLASS'] != 'CKO_NSS_TRUST':

            continue

        # explicitly distrusted certs don't have a hash value

        if not 'CKA_CERT_SHA1_HASH' in obj:

            continue

        if obj['CKA_CERT_SHA1_HASH'] != certhashsha1:

            continue

        obj[trust] = 'CKT_NSS_TRUSTED_DELEGATOR'

        found = True

        print('Updating "'+label+'" with code signing');

        break

    if  found :

        continue

    # append this certificate

    obj=dict()

    time='%a %b %d %H:%M:%S %Y'

    comment  = '# ' + merge_label + '\n# %s "'+label+'"\n'

    comment +=  '# Issuer: ' + cert.issuer.rfc4514_string() + '\n'

    comment +=  '# Serial Number:'

    sn=cert.serial_number

    if sn < 0x100000:

        comment +=  ' %d (0x%x)\n'%(sn,sn)

    else:

        comment +=  formatHex(sn.to_bytes((sn.bit_length()+7)//8,"big")) + '\n'

    comment +=  '# Subject: ' + cert.subject.rfc4514_string() + '\n'

    comment +=  '# Not Valid Before: ' + cert.not_valid_before.strftime(time) + '\n'

    comment +=  '# Not Valid After: ' + cert.not_valid_after.strftime(time) + '\n'

    comment +=  '# Fingerprint (MD5): ' + formatHex(certhashmd5) + '\n'

    comment +=  '# Fingerprint (SHA1): ' + formatHex(certhashsha1) + '\n'

    obj['Comment']= comment%"Certificate"

    obj['CKA_CLASS'] = 'CKO_CERTIFICATE'

    obj['CKA_TOKEN'] = 'CK_TRUE'

    obj['CKA_PRIVATE'] = 'CK_FALSE'

    obj['CKA_MODIFIABLE'] = 'CK_FALSE'

    obj['CKA_LABEL'] = '"' + label + '"'

    obj['CKA_CERTIFICATE_TYPE'] = 'CKC_X_509'

    obj['CKA_SUBJECT'] = cert.subject.public_bytes()

    obj['CKA_ID'] = '"0"'

    obj['CKA_ISSUER'] = cert.issuer.public_bytes()

    obj['CKA_SERIAL_NUMBER'] = getSerial(cert)

    obj['CKA_VALUE'] = certder

    obj['CKA_NSS_MOZILLA_CA_POLICY'] = 'CK_FALSE'

    obj['CKA_NSS_SERVER_DISTRUST_AFTER'] = 'CK_FALSE'

    obj['CKA_NSS_EMAIL_DISTRUST_AFTER'] = 'CK_FALSE'

    objects.append(obj)

    # append the trust values

    obj=dict()

    obj['Comment']= comment%"Trust for"

    obj['CKA_CLASS'] = 'CKO_NSS_TRUST'

    obj['CKA_TOKEN'] = 'CK_TRUE'

    obj['CKA_PRIVATE'] = 'CK_FALSE'

    obj['CKA_MODIFIABLE'] = 'CK_FALSE'

    obj['CKA_LABEL'] = '"' + label + '"'

    obj['CKA_CERT_SHA1_HASH'] = certhashsha1

    obj['CKA_CERT_MD5_HASH'] = certhashmd5

    obj['CKA_ISSUER'] = cert.issuer.public_bytes()

    obj['CKA_SERIAL_NUMBER'] = getSerial(cert)

    for t in list(trust_types):

       if t == trust:

          obj[t] = 'CKT_NSS_TRUSTED_DELEGATOR'

       else:

          obj[t] = 'CKT_NSS_MUST_VERIFY_TRUST'

    obj['CKA_TRUST_STEP_UP_APPROVED'] = 'CK_FALSE'

    objects.append(obj)

    print('Adding code signing cert "'+label+'"');

# now dump the results

f = open(output, 'w')

f.write(header)

for obj in objects:

    if 'Comment' in obj:

        # if comment is None, we've deleted the entry above

        if obj['Comment'] == None:

            continue

        f.write(obj['Comment'])

    else:

        print("Object with no comment!!")

        print(obj)

    for field in list(attribute_types.keys()):

        if not field in obj:

            continue

        ftype = attribute_types[field];

        if ftype == 'Distrust':

            if obj[field] == 'CK_FALSE':

                ftype = 'CK_BBOOL'

            else:

                ftype = 'MULTILINE_OCTAL'

        f.write("%s %s"%(field,ftype));

        if ftype == 'MULTILINE_OCTAL':

           dumpOctal(f,obj[field])

        else:

           f.write(" %s\n"%obj[field])

    f.write("\n")

f.close