key rotation script

2020-03-19 20:47:41 +01:00 · 2020-03-19 20:47:41 +01:00 · a739df85a3
parent e6f7ffe8f5
commit a739df85a3
4 changed files with 490 additions and 311 deletions
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@ -25,15 +25,17 @@
  },
  "homepage": "https://github.com/keeweb/keeweb-plugins#readme",
  "devDependencies": {
-    "eslint": "^6.1.0",
-    "eslint-config-standard": "^13.0.1",
-    "eslint-plugin-import": "^2.18.2",
-    "eslint-plugin-node": "^9.1.0",
+    "eslint": "^6.8.0",
+    "eslint-config-standard": "^14.1.0",
+    "eslint-plugin-import": "^2.20.1",
+    "eslint-plugin-node": "^11.0.0",
    "eslint-plugin-promise": "^4.2.1",
-    "eslint-plugin-standard": "^4.0.0"
+    "eslint-plugin-standard": "^4.0.1"
  },
  "optionalDependencies": {
-    "keytar": "^4.13.0",
-    "pkcs15-smartcard-sign": "^1.0.0"
+    "keytar": "^5.4.0"
+  },
+  "dependencies": {
+    "pkcs11-smartcard-sign": "^1.0.0"
  }
 }
--- a/scripts/rotate-key.js
+++ b/scripts/rotate-key.js
@ -0,0 +1,37 @@
+/* eslint-disable no-console */
+const fs = require('fs');
+const path = require('path');
+const ps = require('child_process');
+
+const oldKey = fs.readFileSync('keys/public-key-old.pem', 'utf8')
+    .match(/-+BEGIN PUBLIC KEY-+([\s\S]+?)-+END PUBLIC KEY-+/)[1]
+    .replace(/\s+/g, '');
+const newKey = fs.readFileSync('keys/public-key.pem', 'utf8')
+    .match(/-+BEGIN PUBLIC KEY-+([\s\S]+?)-+END PUBLIC KEY-+/)[1]
+    .replace(/\s+/g, '');
+
+const pluginDirs = ['docs/plugins', 'docs/translations'];
+for (const pluginDir of pluginDirs) {
+    for (const pluginName of fs.readdirSync(pluginDir).filter(dir => /^[\w-]+$/.test(dir))) {
+        console.log(pluginName);
+        const manifestPath = path.join(pluginDir, pluginName, 'manifest.json');
+        const manifest = JSON.parse(fs.readFileSync(manifestPath, 'utf8'));
+        if (manifest.publicKey !== oldKey) {
+            throw `Bad key in ${manifestPath}`;
+        }
+        manifest.publicKey = newKey;
+        fs.writeFileSync(manifestPath, JSON.stringify(manifest, null, 2));
+        const result = ps.spawnSync('node', [
+            '../keeweb/plugins/keeweb-plugin/keeweb-plugin.js',
+            'sign',
+            path.join(pluginDir, pluginName),
+            '--signer-module=../../../keeweb-plugins/scripts/sign',
+            '--bump-version=true'
+        ], {
+            stdio: 'inherit'
+        });
+        if (result.status) {
+            throw 'Sign error';
+        }
+    }
+}
--- a/scripts/sign.js
+++ b/scripts/sign.js
@ -1,9 +1,9 @@
 const fs = require('fs');
-const signer = require('pkcs15-smartcard-sign');
+const signer = require('pkcs11-smartcard-sign');
 const keytar = require('keytar');

 const verifyKey = fs.readFileSync('keys/public-key.pem');
-const key = '02';
+const signerOptions = JSON.parse(fs.readFileSync('keys/keeweb-sign.json', 'utf8'));

 function getPin() {
    if (getPin.pin) {
@ -20,5 +20,6 @@ function getPin() {
 }

 module.exports = function sign(data) {
-    return getPin().then(pin => signer.sign({ data, verifyKey, pin, key }).then(data => data.toString('base64')));
+    return getPin().then(pin => signer.sign({ data, verifyKey, pin, ...signerOptions })
+        .then(data => data.toString('base64')));
 };