Google Git
Sign in
webrtc / src / refs/heads/main / . / tools_webrtc / sslroots / generate_sslroots.py
blob: 14acff92fb26d421525eb6503f73a341e5509c69 [file] [log] [blame]
#!/usr/bin/env vpython3
# -*- coding:utf-8 -*-
# Copyright (c) 2023 The WebRTC project authors. All Rights Reserved.
#
# Use of this source code is governed by a BSD-style license
# that can be found in the LICENSE file in the root of the source
# tree. An additional intellectual property rights grant can be found
# in the file PATENTS. All contributing project authors may
# be found in the AUTHORS file in the root of the source tree.
import argparse
import logging
from pathlib import Path
import tempfile
from typing import Tuple, Any, List, ByteString
from datetime import datetime, timezone
from hashlib import sha256
from urllib.request import urlopen
from asn1crypto import pem, x509
_GENERATED_FILE = 'ssl_roots.h'
def main():
parser = argparse.ArgumentParser(
description='This is a tool to transform a crt file '
f'into a C/C++ header: {_GENERATED_FILE}.')
parser.add_argument('source_path_or_url',
help='File path or URL to PEM storage file. '
'The supported cert files are: '
'- Google: https://pki.goog/roots.pem; '
'- Mozilla: https://curl.se/ca/cacert.pem')
parser.add_argument('-v',
'--verbose',
dest='verbose',
action='store_true',
help='Print output while running')
parser.add_argument('-f',
'--full_cert',
dest='full_cert',
action='store_true',
help='Add public key and certificate name. '
'Default is to skip and reduce generated file size.')
args = parser.parse_args()
logging.basicConfig(level=logging.DEBUG if args.verbose else logging.WARNING)
with tempfile.TemporaryDirectory() as temp_dir:
cert_file = Path(temp_dir) / "cacert.pem"
if args.source_path_or_url.startswith(
'https://') or args.source_path_or_url.startswith('http://'):
_DownloadCertificatesStore(args.source_path_or_url, cert_file)
destination_dir = Path.cwd()
else:
source_path = Path(args.source_path_or_url)
cert_file.write_bytes(source_path.read_bytes())
destination_dir = source_path.parent
logging.debug('Stored certificate from %s into %s', args.source_path_or_url,
cert_file)
header_file = destination_dir / _GENERATED_FILE
digest, certificates = _LoadCertificatesStore(cert_file)
_GenerateCHeader(header_file, args.source_path_or_url, digest, certificates,
args.full_cert)
logging.debug('Did generate %s from %s [%s]', header_file,
args.source_path_or_url, digest)
def _DownloadCertificatesStore(pem_url: str, destination_file: Path):
with urlopen(pem_url) as response:
pem_file = response.read()
logging.info('Got response with status [%d]: %s', response.status, pem_url)
if destination_file.parent.exists():
logging.debug('Creating directory and it\'s parents %s',
destination_file.parent)
destination_file.parent.mkdir(parents=True, exist_ok=True)
if destination_file.exists():
logging.debug('Unlink existing file %s', destination_file)
destination_file.unlink(missing_ok=True)
destination_file.write_bytes(pem_file)
logging.info('Stored downloaded %d bytes pem file to `%s`', len(pem_file),
destination_file)
def _LoadCertificatesStore(
source_file: Path) -> Tuple[str, List[x509.Certificate]]:
pem_bytes = source_file.read_bytes()
certificates = [
x509.Certificate.load(der)
for type, _, der in pem.unarmor(pem_bytes, True) if type == 'CERTIFICATE'
]
digest = f'sha256:{sha256(pem_bytes).hexdigest()}'
logging.debug('Loaded %d certificates from %s [%s] ', len(certificates),
source_file, digest)
return digest, certificates
def _GenerateCHeader(header_file: Path, source: str, source_digest: str,
certificates: List[x509.Certificate], full_cert: bool):
header_file.parent.mkdir(parents=True, exist_ok=True)
with header_file.open('w') as output:
output.write(_CreateOutputHeader(source, source_digest))
named_certificates = [(cert,
f'kCertificateWithFingerprint_{cert.sha256.hex()}')
for cert in certificates]
names = list(map(lambda x: x[1], named_certificates))
unique_names = list(set(names))
if len(names) != len(unique_names):
raise RuntimeError(
f'There are {len(names) - len(unique_names)} non-unique '
'certificate names generated. Generator script must be '
'fixed to handle collision.')
for cert, name in named_certificates:
output.write(_CreateCertificateMetadataHeader(cert))
if full_cert:
output.write(
_CArrayConstantDefinition('unsigned char',
f'{name}_subject_name',
_CreateHexList(cert.subject.dump()),
max_items_per_line=16))
output.write('\n')
output.write(
_CArrayConstantDefinition('unsigned char',
f'{name}_public_key',
_CreateHexList(cert.public_key.dump()),
max_items_per_line=16))
output.write('\n')
output.write(
_CArrayConstantDefinition('unsigned char',
f'{name}_certificate',
_CreateHexList(cert.dump()),
max_items_per_line=16))
output.write('\n\n')
if full_cert:
output.write(
_CArrayConstantDefinition('unsigned char* const',
'kSSLCertSubjectNameList',
[f'{name}_subject_name' for name in names]))
output.write('\n\n')
output.write(
_CArrayConstantDefinition('unsigned char* const',
'kSSLCertPublicKeyList',
[f'{name}_public_key' for name in names]))
output.write('\n\n')
output.write(
_CArrayConstantDefinition('unsigned char* const',
'kSSLCertCertificateList',
[f'{name}_certificate' for name in names]))
output.write('\n\n')
output.write(
_CArrayConstantDefinition(
'size_t', 'kSSLCertCertificateSizeList',
[f'{len(cert.dump())}' for cert, _ in named_certificates]))
output.write('\n\n')
output.write(_CreateOutputFooter())
def _CreateHexList(items: ByteString) -> List[str]:
"""
Produces list of strings each item is hex literal of byte of source sequence
"""
return [f'0x{item:02X}' for item in items]
def _CArrayConstantDefinition(type_name: str,
array_name: str,
items: List[Any],
max_items_per_line: int = 1) -> str:
"""
Produces C array definition like: `const type_name array_name = { items };`
"""
return (f'const {type_name} {array_name}[{len(items)}]='
f'{_CArrayInitializerList(items, max_items_per_line)};')
def _CArrayInitializerList(items: List[Any],
max_items_per_line: int = 1) -> str:
"""
Produces C initializer list like: `{\\nitems[0], \\n ...}`
"""
return '{\n' + '\n'.join([
','.join(items[i:i + max_items_per_line]) + ','
for i in range(0, len(items), max_items_per_line)
]) + '\n}'
def _CreateCertificateMetadataHeader(cert: x509.Certificate) -> str:
return (f'/* subject: {cert.subject.human_friendly} */\n'
f'/* issuer: {cert.issuer.human_friendly} */\n'
f'/* link: https://crt.sh/?q={cert.sha256.hex()} */\n')
def _CreateOutputHeader(source_path_or_url: str, source_digest: str) -> str:
now_utc = datetime.now(timezone.utc).replace(microsecond=0)
output = (
'/*\n'
f' * Copyright {now_utc.year} The WebRTC Project Authors. All rights '
'reserved.\n'
' *\n'
' * Use of this source code is governed by a BSD-style license\n'
' * that can be found in the LICENSE file in the root of the '
'source\n'
' * tree. An additional intellectual property rights grant can be '
'found\n'
' * in the file PATENTS. All contributing project authors may\n'
' * be found in the AUTHORS file in the root of the source tree.\n'
' */\n\n'
'#ifndef RTC_BASE_SSL_ROOTS_H_\n'
'#define RTC_BASE_SSL_ROOTS_H_\n\n'
'// This file is the root certificates in C form.\n\n'
f'// It was generated at {now_utc.isoformat()} by the following script:\n'
'// `tools_webrtc/sslroots/generate_sslroots.py '
f'{source_path_or_url}`\n\n'
'// clang-format off\n'
'// Don\'t bother formatting generated code,\n'
'// also it would breaks subject/issuer lines.\n\n'
f'// Source bundle `{source_path_or_url}` digest is [{source_digest}]\n\n'
)
return output
def _CreateOutputFooter():
return '// clang-format on\n\n#endif // RTC_BASE_SSL_ROOTS_H_\n'
if __name__ == '__main__':
main()