diff --git a/tools/releasetools/sign_target_files_apks.py b/tools/releasetools/sign_target_files_apks.py index 73d77e7bc..7a1126c2d 100755 --- a/tools/releasetools/sign_target_files_apks.py +++ b/tools/releasetools/sign_target_files_apks.py @@ -577,31 +577,39 @@ def ReplaceVerityPrivateKey(misc_info, key_path): misc_info["verity_key"] = key_path -def ReplaceVerityKeyId(targetfile_input_zip, targetfile_output_zip, key_path): - in_cmdline = targetfile_input_zip.read("BOOT/cmdline") - # copy in_cmdline to output_zip if veritykeyid is not present in in_cmdline +def ReplaceVerityKeyId(input_zip, output_zip, key_path): + """Replaces the veritykeyid parameter in BOOT/cmdline. + + Args: + input_zip: The input target_files zip, which should be already open. + output_zip: The output target_files zip, which should be already open and + writable. + key_path: The path to the PEM encoded X.509 certificate. + """ + in_cmdline = input_zip.read("BOOT/cmdline") + # Copy in_cmdline to output_zip if veritykeyid is not present. if "veritykeyid" not in in_cmdline: - common.ZipWriteStr(targetfile_output_zip, "BOOT/cmdline", in_cmdline) - return in_cmdline + common.ZipWriteStr(output_zip, "BOOT/cmdline", in_cmdline) + return + out_buffer = [] for param in in_cmdline.split(): - if "veritykeyid" in param: - # extract keyid using openssl command - p = common.Run( - ["openssl", "x509", "-in", key_path, "-text"], - stdout=subprocess.PIPE) - keyid, stderr = p.communicate() - keyid = re.search( - r'keyid:([0-9a-fA-F:]*)', keyid).group(1).replace(':', '').lower() - print("Replacing verity keyid with %s error=%s" % (keyid, stderr)) - out_buffer.append("veritykeyid=id:%s" % (keyid,)) - else: + if "veritykeyid" not in param: out_buffer.append(param) + continue - out_cmdline = ' '.join(out_buffer) - out_cmdline = out_cmdline.strip() - print("out_cmdline %s" % (out_cmdline)) - common.ZipWriteStr(targetfile_output_zip, "BOOT/cmdline", out_cmdline) + # Extract keyid using openssl command. + p = common.Run(["openssl", "x509", "-in", key_path, "-text"], + stdout=subprocess.PIPE) + keyid, stderr = p.communicate() + assert p.returncode == 0, "Failed to dump certificate: {}".format(stderr) + keyid = re.search( + r'keyid:([0-9a-fA-F:]*)', keyid).group(1).replace(':', '').lower() + print("Replacing verity keyid with {}".format(keyid)) + out_buffer.append("veritykeyid=id:%s" % (keyid,)) + + out_cmdline = ' '.join(out_buffer).strip() + '\n' + common.ZipWriteStr(output_zip, "BOOT/cmdline", out_cmdline) def ReplaceMiscInfoTxt(input_zip, output_zip, misc_info): diff --git a/tools/releasetools/test_sign_target_files_apks.py b/tools/releasetools/test_sign_target_files_apks.py index 90afdc7d1..726d6b9bb 100644 --- a/tools/releasetools/test_sign_target_files_apks.py +++ b/tools/releasetools/test_sign_target_files_apks.py @@ -16,13 +16,22 @@ from __future__ import print_function +import tempfile import unittest +import zipfile -from sign_target_files_apks import EditTags, RewriteProps +import common +from sign_target_files_apks import EditTags, ReplaceVerityKeyId, RewriteProps class SignTargetFilesApksTest(unittest.TestCase): + def setUp(self): + self.tempdir = common.MakeTempDir() + + def tearDown(self): + common.Cleanup() + def test_EditTags(self): self.assertEqual(EditTags('dev-keys'), ('release-keys')) self.assertEqual(EditTags('test-keys'), ('release-keys')) @@ -59,9 +68,132 @@ class SignTargetFilesApksTest(unittest.TestCase): ) # Assert the case for each individual line. - for input, output in props: - self.assertEqual(RewriteProps(input), output) + for prop, output in props: + self.assertEqual(RewriteProps(prop), output) # Concatenate all the input lines. self.assertEqual(RewriteProps('\n'.join([prop[0] for prop in props])), ''.join([prop[1] for prop in props])) + + def test_ReplaceVerityKeyId(self): + BOOT_CMDLINE1 = ( + "console=ttyHSL0,115200,n8 androidboot.console=ttyHSL0 " + "androidboot.hardware=marlin user_debug=31 ehci-hcd.park=3 " + "lpm_levels.sleep_disabled=1 cma=32M@0-0xffffffff loop.max_part=7 " + "buildvariant=userdebug " + "veritykeyid=id:7e4333f9bba00adfe0ede979e28ed1920492b40f\n") + + BOOT_CMDLINE2 = ( + "console=ttyHSL0,115200,n8 androidboot.console=ttyHSL0 " + "androidboot.hardware=marlin user_debug=31 ehci-hcd.park=3 " + "lpm_levels.sleep_disabled=1 cma=32M@0-0xffffffff loop.max_part=7 " + "buildvariant=userdebug " + "veritykeyid=id:485900563d272c46ae118605a47419ac09ca8c11\n") + + # From build/target/product/security/verity.x509.pem. + VERITY_CERTIFICATE1 = """-----BEGIN CERTIFICATE----- +MIID/TCCAuWgAwIBAgIJAJcPmDkJqolJMA0GCSqGSIb3DQEBBQUAMIGUMQswCQYD +VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4g +VmlldzEQMA4GA1UECgwHQW5kcm9pZDEQMA4GA1UECwwHQW5kcm9pZDEQMA4GA1UE +AwwHQW5kcm9pZDEiMCAGCSqGSIb3DQEJARYTYW5kcm9pZEBhbmRyb2lkLmNvbTAe +Fw0xNDExMDYxOTA3NDBaFw00MjAzMjQxOTA3NDBaMIGUMQswCQYDVQQGEwJVUzET +MBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzEQMA4G +A1UECgwHQW5kcm9pZDEQMA4GA1UECwwHQW5kcm9pZDEQMA4GA1UEAwwHQW5kcm9p +ZDEiMCAGCSqGSIb3DQEJARYTYW5kcm9pZEBhbmRyb2lkLmNvbTCCASIwDQYJKoZI +hvcNAQEBBQADggEPADCCAQoCggEBAOjreE0vTVSRenuzO9vnaWfk0eQzYab0gqpi +6xAzi6dmD+ugoEKJmbPiuE5Dwf21isZ9uhUUu0dQM46dK4ocKxMRrcnmGxydFn6o +fs3ODJMXOkv2gKXL/FdbEPdDbxzdu8z3yk+W67udM/fW7WbaQ3DO0knu+izKak/3 +T41c5uoXmQ81UNtAzRGzGchNVXMmWuTGOkg6U+0I2Td7K8yvUMWhAWPPpKLtVH9r +AL5TzjYNR92izdKcz3AjRsI3CTjtpiVABGeX0TcjRSuZB7K9EK56HV+OFNS6I1NP +jdD7FIShyGlqqZdUOkAUZYanbpgeT5N7QL6uuqcGpoTOkalu6kkCAwEAAaNQME4w +HQYDVR0OBBYEFH5DM/m7oArf4O3peeKO0ZIEkrQPMB8GA1UdIwQYMBaAFH5DM/m7 +oArf4O3peeKO0ZIEkrQPMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEB +AHO3NSvDE5jFvMehGGtS8BnFYdFKRIglDMc4niWSzhzOVYRH4WajxdtBWc5fx0ix +NF/+hVKVhP6AIOQa+++sk+HIi7RvioPPbhjcsVlZe7cUEGrLSSveGouQyc+j0+m6 +JF84kszIl5GGNMTnx0XRPO+g8t6h5LWfnVydgZfpGRRg+WHewk1U2HlvTjIceb0N +dcoJ8WKJAFWdcuE7VIm4w+vF/DYX/A2Oyzr2+QRhmYSv1cusgAeC1tvH4ap+J1Lg +UnOu5Kh/FqPLLSwNVQp4Bu7b9QFfqK8Moj84bj88NqRGZgDyqzuTrFxn6FW7dmyA +yttuAJAEAymk1mipd9+zp38= +-----END CERTIFICATE----- +""" + + # From build/target/product/security/testkey.x509.pem. + VERITY_CERTIFICATE2 = """-----BEGIN CERTIFICATE----- +MIIEqDCCA5CgAwIBAgIJAJNurL4H8gHfMA0GCSqGSIb3DQEBBQUAMIGUMQswCQYD +VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4g +VmlldzEQMA4GA1UEChMHQW5kcm9pZDEQMA4GA1UECxMHQW5kcm9pZDEQMA4GA1UE +AxMHQW5kcm9pZDEiMCAGCSqGSIb3DQEJARYTYW5kcm9pZEBhbmRyb2lkLmNvbTAe +Fw0wODAyMjkwMTMzNDZaFw0zNTA3MTcwMTMzNDZaMIGUMQswCQYDVQQGEwJVUzET +MBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEQMA4G +A1UEChMHQW5kcm9pZDEQMA4GA1UECxMHQW5kcm9pZDEQMA4GA1UEAxMHQW5kcm9p +ZDEiMCAGCSqGSIb3DQEJARYTYW5kcm9pZEBhbmRyb2lkLmNvbTCCASAwDQYJKoZI +hvcNAQEBBQADggENADCCAQgCggEBANaTGQTexgskse3HYuDZ2CU+Ps1s6x3i/waM +qOi8qM1r03hupwqnbOYOuw+ZNVn/2T53qUPn6D1LZLjk/qLT5lbx4meoG7+yMLV4 +wgRDvkxyGLhG9SEVhvA4oU6Jwr44f46+z4/Kw9oe4zDJ6pPQp8PcSvNQIg1QCAcy +4ICXF+5qBTNZ5qaU7Cyz8oSgpGbIepTYOzEJOmc3Li9kEsBubULxWBjf/gOBzAzU +RNps3cO4JFgZSAGzJWQTT7/emMkod0jb9WdqVA2BVMi7yge54kdVMxHEa5r3b97s +zI5p58ii0I54JiCUP5lyfTwE/nKZHZnfm644oLIXf6MdW2r+6R8CAQOjgfwwgfkw +HQYDVR0OBBYEFEhZAFY9JyxGrhGGBaR0GawJyowRMIHJBgNVHSMEgcEwgb6AFEhZ +AFY9JyxGrhGGBaR0GawJyowRoYGapIGXMIGUMQswCQYDVQQGEwJVUzETMBEGA1UE +CBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEQMA4GA1UEChMH +QW5kcm9pZDEQMA4GA1UECxMHQW5kcm9pZDEQMA4GA1UEAxMHQW5kcm9pZDEiMCAG +CSqGSIb3DQEJARYTYW5kcm9pZEBhbmRyb2lkLmNvbYIJAJNurL4H8gHfMAwGA1Ud +EwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAHqvlozrUMRBBVEY0NqrrwFbinZa +J6cVosK0TyIUFf/azgMJWr+kLfcHCHJsIGnlw27drgQAvilFLAhLwn62oX6snb4Y +LCBOsVMR9FXYJLZW2+TcIkCRLXWG/oiVHQGo/rWuWkJgU134NDEFJCJGjDbiLCpe ++ZTWHdcwauTJ9pUbo8EvHRkU3cYfGmLaLfgn9gP+pWA7LFQNvXwBnDa6sppCccEX +31I828XzgXpJ4O+mDL1/dBd+ek8ZPUP0IgdyZm5MTYPhvVqGCHzzTy3sIeJFymwr +sBbmg2OAUNLEMO6nwmocSdN2ClirfxqCzJOLSDE4QyS9BAH6EhY6UFcOaE0= +-----END CERTIFICATE----- +""" + + input_file = tempfile.NamedTemporaryFile( + delete=False, suffix='.zip', dir=self.tempdir) + with zipfile.ZipFile(input_file.name, 'w') as input_zip: + input_zip.writestr('BOOT/cmdline', BOOT_CMDLINE1) + + # Test with the first certificate. + cert_file = tempfile.NamedTemporaryFile( + delete=False, suffix='.x509.pem', dir=self.tempdir) + cert_file.write(VERITY_CERTIFICATE1) + cert_file.close() + + output_file = tempfile.NamedTemporaryFile( + delete=False, suffix='.zip', dir=self.tempdir) + with zipfile.ZipFile(input_file.name, 'r') as input_zip, \ + zipfile.ZipFile(output_file.name, 'w') as output_zip: + ReplaceVerityKeyId(input_zip, output_zip, cert_file.name) + + with zipfile.ZipFile(output_file.name) as output_zip: + self.assertEqual(BOOT_CMDLINE1, output_zip.read('BOOT/cmdline')) + + # Test with the second certificate. + with open(cert_file.name, 'w') as cert_file_fp: + cert_file_fp.write(VERITY_CERTIFICATE2) + + with zipfile.ZipFile(input_file.name, 'r') as input_zip, \ + zipfile.ZipFile(output_file.name, 'w') as output_zip: + ReplaceVerityKeyId(input_zip, output_zip, cert_file.name) + + with zipfile.ZipFile(output_file.name) as output_zip: + self.assertEqual(BOOT_CMDLINE2, output_zip.read('BOOT/cmdline')) + + def test_ReplaceVerityKeyId_no_veritykeyid(self): + BOOT_CMDLINE = ( + "console=ttyHSL0,115200,n8 androidboot.hardware=bullhead boot_cpus=0-5 " + "lpm_levels.sleep_disabled=1 msm_poweroff.download_mode=0 " + "loop.max_part=7\n") + + input_file = tempfile.NamedTemporaryFile( + delete=False, suffix='.zip', dir=self.tempdir) + with zipfile.ZipFile(input_file.name, 'w') as input_zip: + input_zip.writestr('BOOT/cmdline', BOOT_CMDLINE) + + output_file = tempfile.NamedTemporaryFile( + delete=False, suffix='.zip', dir=self.tempdir) + with zipfile.ZipFile(input_file.name, 'r') as input_zip, \ + zipfile.ZipFile(output_file.name, 'w') as output_zip: + ReplaceVerityKeyId(input_zip, output_zip, None) + + with zipfile.ZipFile(output_file.name) as output_zip: + self.assertEqual(BOOT_CMDLINE, output_zip.read('BOOT/cmdline'))