
Fix breakage if encryption is not set

Commit introduces the encryption into the swupdate class, but it breaks
builds if encryption is not used at all. Fix this and rework function
to retrieve key from a file.

Replace os.system() with subprocess.run() - this should be done for other
occurrences of os.system(), which is declared obsolete.

Signed-off-by: Stefano Babic <sbabic@denx.de>
Stefano Babic 5 lat temu
rodzic
commit
234f398c02
2 zmienionych plików z 23 dodań i 19 usunięć
  1. 17 17
      classes/swupdate-common.bbclass
  2. 6 2
      classes/swupdate.bbclass

+ 17 - 17
classes/swupdate-common.bbclass

@@ -18,35 +18,35 @@ def swupdate_get_sha256(s, filename):
             m.update(data)
     return m.hexdigest()
 
-def swupdate_extract_keys(keyfile):
+def swupdate_extract_keys(keyfile_path):
     try:
-        keys = open(keyfile)
+        with open(keyfile_path, 'r') as f:
+            lines = f.readlines()
     except IOError:
         bb.fatal("Failed to open file with keys %s" % (keyfile))
-    lines = keys.read()
-    keys.close()
-    lines = lines.splitlines(True)
-    for line in lines:
-        line = line.replace('\n', '')
-        kv = line.split('=')
-        if kv[0] == 'salt':
-            salt = kv[1]
-        if kv[0] == 'key':
-            key = kv[1]
-        if kv[0] == 'iv' or kv[0] == 'iv ':
-            iv = kv[1]
+
+    data = {}
+    for _ in lines:
+        k,v = _.split('=',maxsplit=1)
+        data[k.rstrip()] = v
+
+    key = data['key']
+    iv = data['iv']
+    salt = data['salt']
+
     return key,iv,salt
 
 def swupdate_encrypt_file(f, out, key, ivt, salt):
+    import subprocess
+    encargs = ["openssl", "enc", "-aes-256-cbc", "-in", f, "-out", out]
+    encargs += ["-K", key, "-iv", ivt, "-S", salt]
     cmd = "openssl enc -aes-256-cbc -in '%s' -out '%s' -K '%s' -iv '%s' -S '%s'" % (
                 f,
                 out,
                 key,
                 ivt,
                 salt)
-    if os.system(cmd) != 0:
-        bb.fatal("Failed to encrypt %s" % (f))
-
+    subprocess.run(encargs, check=True)
 
 def swupdate_write_sha256(s, filename, hash):
     write_lines = []
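Review bot: The `except IOError` branch of swupdate_extract_keys still formats its message with `keyfile`, a name that no longer exists after the rename to `keyfile_path`, so a missing key file raises NameError instead of reaching bb.fatal. The new parser also strips only the key: readlines() keeps the line ending, so `key`, `iv` and `salt` reach openssl with a trailing newline, which the removed `line.replace('\n', '')` used to prevent. A blank line or a line without `=` now fails on the tuple unpack, and a missing entry raises a bare KeyError. The fence below is one way to handle these cases while keeping the values out of the error text. In swupdate_encrypt_file the old `cmd` string is still built although nothing runs it, so it can be deleted, and the CalledProcessError raised by `check=True` prints the argument list including `-K`, so it is better caught and reported through bb.fatal with only the file name.

```python
def swupdate_extract_keys(keyfile_path):
    # … unchanged: try / with open(keyfile_path, 'r') / readlines …
    except IOError:
        bb.fatal("Failed to open file with keys %s" % (keyfile_path))

    data = {}
    for line in lines:
        # Skip blank or malformed lines instead of failing on the unpack.
        if '=' not in line:
            continue
        k, v = line.split('=', maxsplit=1)
        data[k.strip()] = v.strip()

    # Report which entries are missing, never their values.
    missing = [name for name in ('key', 'iv', 'salt') if not data.get(name)]
    if missing:
        bb.fatal("Missing %s in %s" % (", ".join(missing), keyfile_path))

    return data['key'], data['iv'], data['salt']
```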

+ 6 - 2
classes/swupdate.bbclass

@@ -98,12 +98,16 @@ python do_swuimage () {
     for url in fetch.urls:
         local = fetch.localpath(url)
         filename = os.path.basename(local)
+        aes_file = d.getVar('SWUPDATE_AES_FILE', True)
+        if aes_file:
+            key,iv,salt = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True))
         if (filename != 'sw-description') and (os.path.isfile(local)):
             encrypted = (d.getVarFlag("SWUPDATE_IMAGES_ENCRYPTED", filename, True) or "")
-            key,iv,salt = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True))
             dst = os.path.join(s, "%s" % filename )
             if encrypted == '1':
                 bb.note("Encryption requested for %s" %(filename))
+                if not key or not iv or not salt:
+                    bb.fatal("Encryption required, but no key found")
                 swupdate_encrypt_file(local, dst, key, iv, salt)
             else:
                 shutil.copyfile(local, dst)
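Review bot: `key`, `iv` and `salt` are assigned only when SWUPDATE_AES_FILE is set, so the added `if not key or not iv or not salt` check raises a NameError instead of calling bb.fatal in exactly the case it is meant to catch (encryption requested, no key file configured). Initialising `key = iv = salt = None` before the `for url in fetch.urls:` loop makes the guard reachable. The key file is also re-read on every iteration and the variable is fetched twice; reading it once before the loop with `swupdate_extract_keys(aes_file)` is enough. do_swuimage begins and continues outside this hunk.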
@@ -147,7 +151,7 @@ python do_swuimage () {
                 if not image_found:
                     bb.fatal("swupdate cannot find image file: %s" % os.path.join(deploydir, imagebase + fstype))
         else:  # Allow also complete entries like "image.ext4.gz" in SWUPDATE_IMAGES
-            if not add_image_to_swu(deploydir, image, s):
+            if not add_image_to_swu(deploydir, image, s, encrypted):
                 bb.fatal("swupdate cannot find %s image file" % image)
 
     prepare_sw_description(d, s, list_for_cpio)
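Review bot: The call now passes `encrypted` as a fourth argument, but no assignment of `encrypted` for this `image` is visible in the hunk. If it is the variable left over from the `fetch.urls` loop earlier in do_swuimage, it holds the flag of the last fetched file, or is unbound if that loop never set it, rather than this image's SWUPDATE_IMAGES_ENCRYPTED flag. The definition of add_image_to_swu is not among this commit's hunks, so it is worth confirming that it accepts the extra parameter and that any other call site passes it too. Because a wrong value here could ship an image unencrypted without any error, I would look the flag up next to the call, e.g. `encrypted = (d.getVarFlag("SWUPDATE_IMAGES_ENCRYPTED", image, True) or "")`, and add a short comment saying which image the flag belongs to.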