Diff
Not logged in
Home Help Timeline Files Branches Tags Forum Tickets Wiki More... Login
Annotate Patch Unified Diff

Differences From Artifact [e2b78aa09a]:

To Artifact [835320f8bb]:

17
18
19
20
21
22
23
24

25
26
27
28
29
30































31
32
33
34
35
36
37

proc usage { error } {
  if {[string length $error] > 0} then {puts stdout $error}

  puts stdout "usage:\
[file tail [getShellExecutableName]]\
[file tail [info script]] <fileName> \[vendor\] \[embed\]\
\[duration\] \[entityType\] \[encoding\] \[publicKeyFile\]\
\[privateKeyFile\] \[importFirst\] \[quantity\]"


  #
  # NOTE: Indicate to the caller, if any, that we have failed.
  #
  exit 1
}
































proc maybeForceHashAlgorithm { certificate keyPair } {
  #
  # HACK: Some key pair types, e.g. DSA v1, require hard-coded
  #       hash algorithms, e.g. SHA1.  Do that now, if needed.
  #
  if {[isNonNullObjectHandle $keyPair] && \








|
>






>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>








17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69

proc usage { error } {
  if {[string length $error] > 0} then {puts stdout $error}

  puts stdout "usage:\
[file tail [getShellExecutableName]]\
[file tail [info script]] <fileName> \[vendor\] \[embed\]\
\[duration\] \[entityType\] \[encoding\] \[publicKeyFile\]\
\[privateKeyFile\] \[importFirst\] \[quantity\] \[id\]\
\[timeStamp\]"

  #
  # NOTE: Indicate to the caller, if any, that we have failed.
  #
  exit 1
}

proc maybeInvokeHook { type phase } {
  set name [appendArgs $type _hook]

  if {[llength [info commands $name]] > 0} then {
    if {[catch {$name $phase} result] == 0} then {
      if {[string length $result] == 0} then {set result <none>}
      emitNotice [appendArgs $name " hook ok: " $result]
    } else {
      if {[string length $result] == 0} then {set result <none>}
      emitWarning [appendArgs $name " hook error: " $result]
    }
  }
}

proc emitNotice { message } {
  set message [string trim $message]
  catch {host result Ok [appendArgs $message \n]}
}

proc emitWarning { message } {
  emitNotice $message
  set message [string trim $message]
  catch {tclLog $message}
}

proc emitError { message } {
  emitWarning $message
  set message [string trim $message]
  error $message
}

proc maybeForceHashAlgorithm { certificate keyPair } {
  #
  # HACK: Some key pair types, e.g. DSA v1, require hard-coded
  #       hash algorithms, e.g. SHA1.  Do that now, if needed.
  #
  if {[isNonNullObjectHandle $keyPair] && \

177
178
179
180
181
182
183
184
185
186
187
188
189
190
191


      puts stdout [appendArgs \
          "removed embedded certificate from file \"" $fileName \"]
    }
  }
}

if {[llength $argv] >= 1 && [llength $argv] <= 10} then {
  #
  # NOTE: This tool requires Eagle.
  #
  package require Eagle

  #
  # NOTE: Needed for the [getTemporaryPath] script procedure.








|








209
210
211
212
213
214
215
216
217
218
219
220
221
222
223


      puts stdout [appendArgs \
          "removed embedded certificate from file \"" $fileName \"]
    }
  }
}

if {[llength $argv] >= 1 && [llength $argv] <= 12} then {
  #
  # NOTE: This tool requires Eagle.
  #
  package require Eagle

  #
  # NOTE: Needed for the [getTemporaryPath] script procedure.

362
363
364
365
366
367
368
























369
370
371
372
373
374
375

  #
  if {[llength $argv] >= 10} then {
    set quantity [lindex $argv 9]
  } else {
    set quantity -1; # NOTE: Unlimited.
  }

























  #
  # NOTE: If the configuration file exists, load it now.
  #
  set configFileName [file join $path sign.settings.eagle]
  if {[file exists $configFileName]} then {source $configFileName}

  #








>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>








394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431

  #
  if {[llength $argv] >= 10} then {
    set quantity [lindex $argv 9]
  } else {
    set quantity -1; # NOTE: Unlimited.
  }

  #
  # NOTE: Do we want to manually override the unique Id?
  #
  if {[llength $argv] >= 11} then {
    set id [lindex $argv 10]
  } else {
    set id ""; # NOTE: Guid.NewGuid (?)
  }

  #
  # NOTE: Do we want to manually override the timestamp?
  #
  if {[llength $argv] >= 12} then {
    set timeStamp [object invoke \
        -create -alias DateTime ParseExact \
        [lindex $argv 11] yyyy-MM-ddTHH:mm:ss.fffffffK \
        null {AdjustToUniversal AssumeUniversal}]

    set timeStamp [object invoke \
        -create DateTime SpecifyKind $timeStamp Utc]
  } else {
    set timeStamp ""; # NOTE: DateTime.UtcNow (?)
  }

  #
  # NOTE: If the configuration file exists, load it now.
  #
  set configFileName [file join $path sign.settings.eagle]
  if {[file exists $configFileName]} then {source $configFileName}

  #

410
411
412
413
414
415
416
417
418
419
420
421
422
423
424

  } else {
    set shouldEmbed false
  }

  #
  # HOOK: After all arguments have been parsed and processed.
  #
  catch {certificate_hook phase0}

  #
  # NOTE: The existing embedded certificate, if any, must be
  #       removed prior to signing the (script?) file.
  #
  if {$shouldEmbed && \
      ![info exists no(removeEmbeddedCertificate)]} then {








|








466
467
468
469
470
471
472
473
474
475
476
477
478
479
480

  } else {
    set shouldEmbed false
  }

  #
  # HOOK: After all arguments have been parsed and processed.
  #
  maybeInvokeHook certificate phase0

  #
  # NOTE: The existing embedded certificate, if any, must be
  #       removed prior to signing the (script?) file.
  #
  if {$shouldEmbed && \
      ![info exists no(removeEmbeddedCertificate)]} then {

455
456
457
458
459
460
461
462
463
464
465
466
467
468

469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487

    #
    set certificate [certificate import $fileName]
    maybeForceHashAlgorithm $certificate $privateKey

    #
    # HOOK: Post-certificate object creation (import).
    #
    catch {certificate_hook phase1}

    #
    # NOTE: Attempt to re-sign the license certificate file.  Skip
    #       setting the Id as it should already be set correctly.
    #
    if {[certificate sign -encoding $encoding -settimestamp \

            -setkey $certificate $privateKey] ne "SignedOk"} then {
      error [appendArgs \
          "failed to create updated signature for " $fileType \
          " \"" $fileName \"]
    }

    #
    # NOTE: Attempt to re-verify the license certificate file.
    #
    if {[certificate verify -encoding $encoding $certificate \
            $privateKey] ne "VerifiedOk"} then {
      error [appendArgs \
          "failed to verify signature for " $fileType " \"" $fileName \"]
    }
  } else {
    #
    # NOTE: Set the file type for error messages.
    #
    if {[isKeyRingFile $fileName]} then {








|





|
>

|









|








511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544

    #
    set certificate [certificate import $fileName]
    maybeForceHashAlgorithm $certificate $privateKey

    #
    # HOOK: Post-certificate object creation (import).
    #
    maybeInvokeHook certificate phase1

    #
    # NOTE: Attempt to re-sign the license certificate file.  Skip
    #       setting the Id as it should already be set correctly.
    #
    if {[certificate sign -encoding $encoding \
            -settimestamp -maybesettimestamp $timeStamp \
            -setkey $certificate $privateKey] ne "SignedOk"} then {
      emitError [appendArgs \
          "failed to create updated signature for " $fileType \
          " \"" $fileName \"]
    }

    #
    # NOTE: Attempt to re-verify the license certificate file.
    #
    if {[certificate verify -encoding $encoding $certificate \
            $privateKey] ne "VerifiedOk"} then {
      emitError [appendArgs \
          "failed to verify signature for " $fileType " \"" $fileName \"]
    }
  } else {
    #
    # NOTE: Set the file type for error messages.
    #
    if {[isKeyRingFile $fileName]} then {

510
511
512
513
514
515
516
517
518
519
520
521
522
523
524

    }

    maybeForceHashAlgorithm $certificate $privateKey

    #
    # HOOK: Post-certificate object creation (create).
    #
    catch {certificate_hook phase1}

    #
    # NOTE: If the certificate vendor is available, set it.
    #
    if {[string length $vendor] > 0} then {
      $certificate Vendor $vendor
    }








|








567
568
569
570
571
572
573
574
575
576
577
578
579
580
581

    }

    maybeForceHashAlgorithm $certificate $privateKey

    #
    # HOOK: Post-certificate object creation (create).
    #
    maybeInvokeHook certificate phase1

    #
    # NOTE: If the certificate vendor is available, set it.
    #
    if {[string length $vendor] > 0} then {
      $certificate Vendor $vendor
    }

558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581


582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621


622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643

      #       some point, be seen by the script policy callback.
      #
      $certificate EntityValue [readEntityValue $fileName]

      #
      # HOOK: Post-certificate property setup (embedded).
      #
      catch {certificate_hook phase2}

      #
      # NOTE: Attempt to sign the embedded file certificate and place
      #       the Id, timestamp, public key token, and signature bytes
      #       into the certificate we created above.
      #
      if {$importFirst} then {
        if {[certificate sign -encoding $encoding \
                -setkey -hashflags {+Basic Embedded} $certificate \
                $privateKey] ne "SignedOk"} then {
          error [appendArgs \
              "failed to create updated embedded signature for " \
              $fileType " \"" $fileName \"]
        }
      } else {
        if {[certificate sign -encoding $encoding -setid -settimestamp \


                -setkey -hashflags {+Basic Embedded} $certificate \
                $privateKey] ne "SignedOk"} then {
          error [appendArgs \
              "failed to create embedded signature for " $fileType \
              " \"" $fileName \"]
        }
      }

      #
      # NOTE: Sanity check that the embedded file certificate we just
      #       created validates properly.
      #
      if {[certificate verify -encoding $encoding \
              -hashflags {+Basic Embedded} $certificate \
              $publicKey] ne "VerifiedOk"} then {
        error [appendArgs \
            "failed to verify embedded signature for " $fileType \
            " \"" $fileName \"]
      }
    } else {
      #
      # HOOK: Post-certificate property setup (non-embedded).
      #
      catch {certificate_hook phase2}

      #
      # NOTE: Attempt to sign the data file and place the Id, timestamp,
      #       public key token, and signature bytes into the blank
      #       certificate we created above.
      #
      if {$importFirst} then {
        if {[certificate signfile -encoding $encoding \
                -setkey $certificate $privateKey \
                $fileName] ne "SignedOk"} then {
          error [appendArgs \
              "failed to create updated signature for " $fileType \
              " \"" $fileName \"]
        }
      } else {
        if {[certificate signfile -encoding $encoding -setid \


                -settimestamp -setkey $certificate $privateKey \
                $fileName] ne "SignedOk"} then {
          error [appendArgs \
              "failed to create signature for " $fileType \
              " \"" $fileName \"]
        }
      }

      #
      # NOTE: Sanity check that the data file certificate we just
      #       created validates properly.
      #
      if {[certificate verifyfile -encoding $encoding \
              $certificate $publicKey $fileName] ne "VerifiedOk"} then {
        error [appendArgs \
            "failed to verify signature for " $fileType \
            " \"" $fileName \"]
      }
    }
  }

  #








|










|




|
>
>
|

|












|







|










|




|
>
>
|

|











|








615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704

      #       some point, be seen by the script policy callback.
      #
      $certificate EntityValue [readEntityValue $fileName]

      #
      # HOOK: Post-certificate property setup (embedded).
      #
      maybeInvokeHook certificate phase2

      #
      # NOTE: Attempt to sign the embedded file certificate and place
      #       the Id, timestamp, public key token, and signature bytes
      #       into the certificate we created above.
      #
      if {$importFirst} then {
        if {[certificate sign -encoding $encoding \
                -setkey -hashflags {+Basic Embedded} $certificate \
                $privateKey] ne "SignedOk"} then {
          emitError [appendArgs \
              "failed to create updated embedded signature for " \
              $fileType " \"" $fileName \"]
        }
      } else {
        if {[certificate sign -encoding $encoding \
                -setid -maybesetid $id -settimestamp \
                -maybesettimestamp $timeStamp -setkey \
                -hashflags {+Basic Embedded} $certificate \
                $privateKey] ne "SignedOk"} then {
          emitError [appendArgs \
              "failed to create embedded signature for " $fileType \
              " \"" $fileName \"]
        }
      }

      #
      # NOTE: Sanity check that the embedded file certificate we just
      #       created validates properly.
      #
      if {[certificate verify -encoding $encoding \
              -hashflags {+Basic Embedded} $certificate \
              $publicKey] ne "VerifiedOk"} then {
        emitError [appendArgs \
            "failed to verify embedded signature for " $fileType \
            " \"" $fileName \"]
      }
    } else {
      #
      # HOOK: Post-certificate property setup (non-embedded).
      #
      maybeInvokeHook certificate phase2

      #
      # NOTE: Attempt to sign the data file and place the Id, timestamp,
      #       public key token, and signature bytes into the blank
      #       certificate we created above.
      #
      if {$importFirst} then {
        if {[certificate signfile -encoding $encoding \
                -setkey $certificate $privateKey \
                $fileName] ne "SignedOk"} then {
          emitError [appendArgs \
              "failed to create updated signature for " $fileType \
              " \"" $fileName \"]
        }
      } else {
        if {[certificate signfile -encoding $encoding \
                -setid -maybesetid $id -settimestamp \
                -maybesettimestamp $timeStamp -setkey \
                $certificate $privateKey \
                $fileName] ne "SignedOk"} then {
          emitError [appendArgs \
              "failed to create signature for " $fileType \
              " \"" $fileName \"]
        }
      }

      #
      # NOTE: Sanity check that the data file certificate we just
      #       created validates properly.
      #
      if {[certificate verifyfile -encoding $encoding \
              $certificate $publicKey $fileName] ne "VerifiedOk"} then {
        emitError [appendArgs \
            "failed to verify signature for " $fileType \
            " \"" $fileName \"]
      }
    }
  }

  #

658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681

  catch {file delete -force $certificateFile}

  #
  # NOTE: Export the data file certificate to disk.
  #
  if {[certificate export $certificate $certificateFile] \
          ne "ExportedOk"} then {
    error [appendArgs \
        "failed to export signature for " $fileType " \"" $fileName \"]
  }

  #
  # NOTE: Add the standard XML comment to the file.
  #
  if {[certificate warning -type Script $certificateFile] \
          ne "WarningOk"} then {
    error [appendArgs \
        "failed to add warning for " $fileType " \"" $fileName \"]
  }

  #
  # HACK: Read the certificate file data into memory, fix the
  #       formatting how we want it, and then re-write the modified
  #       data back out to the same certificate file.








|








|








719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742

  catch {file delete -force $certificateFile}

  #
  # NOTE: Export the data file certificate to disk.
  #
  if {[certificate export $certificate $certificateFile] \
          ne "ExportedOk"} then {
    emitError [appendArgs \
        "failed to export signature for " $fileType " \"" $fileName \"]
  }

  #
  # NOTE: Add the standard XML comment to the file.
  #
  if {[certificate warning -type Script $certificateFile] \
          ne "WarningOk"} then {
    emitError [appendArgs \
        "failed to add warning for " $fileType " \"" $fileName \"]
  }

  #
  # HACK: Read the certificate file data into memory, fix the
  #       formatting how we want it, and then re-write the modified
  #       data back out to the same certificate file.

759
760
761
762
763
764
765
766
767
768
769
770
771
772
773

    puts stdout [appendArgs \
        "added embedded certificate to " $fileType " \"" $fileName \"]
  }

  #
  # HOOK: Script completion.
  #
  catch {certificate_hook phase3}

  #
  # NOTE: Cleanup the external embedded certificate file, if any.
  #
  if {$shouldEmbed} then {
    catch {file delete -force $certificateFile}
  }








|








820
821
822
823
824
825
826
827
828
829
830
831
832
833
834

    puts stdout [appendArgs \
        "added embedded certificate to " $fileType " \"" $fileName \"]
  }

  #
  # HOOK: Script completion.
  #
  maybeInvokeHook certificate phase3

  #
  # NOTE: Cleanup the external embedded certificate file, if any.
  #
  if {$shouldEmbed} then {
    catch {file delete -force $certificateFile}
  }
This page was generated in about 0.008s by Fossil version 2.20 Tcl version 8.6.12 [658547aa7c] 2022-10-09 01:11:55