forked from openkylin/platform_build
releasetools: Add apex_utils.py.
The added `testdata/testkey_with_passwd.key` is generated with:
$ openssl pkcs8 -inform DER -in testdata/testkey_with_passwd.pk8 \
-out testdata/testkey_with_passwd.key -passin pass:foo
Bug: 123716522
Test: python -m unittest test_apex_utils
Change-Id: I7b7f00178ecab35c3e41ecf4d10295fe9bf480ab
(cherry picked from commit 1cd59f2a26
)
This commit is contained in:
parent
9d9de37999
commit
315f19d548
|
@ -0,0 +1,147 @@
|
|||
#!/usr/bin/env python
|
||||
#
|
||||
# Copyright (C) 2019 The Android Open Source Project
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
import logging
|
||||
import os.path
|
||||
import re
|
||||
import shlex
|
||||
import sys
|
||||
|
||||
import common
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
|
||||
class ApexInfoError(Exception):
|
||||
"""An Exception raised during Apex Information command."""
|
||||
|
||||
def __init__(self, message):
|
||||
Exception.__init__(self, message)
|
||||
|
||||
|
||||
class ApexSigningError(Exception):
|
||||
"""An Exception raised during Apex Payload signing."""
|
||||
|
||||
def __init__(self, message):
|
||||
Exception.__init__(self, message)
|
||||
|
||||
|
||||
def SignApexPayload(payload_file, payload_key_path, payload_key_name, algorithm,
|
||||
salt, signing_args=None):
|
||||
"""Signs a given payload_file with the payload key."""
|
||||
# Add the new footer. Old footer, if any, will be replaced by avbtool.
|
||||
cmd = ['avbtool', 'add_hashtree_footer',
|
||||
'--do_not_generate_fec',
|
||||
'--algorithm', algorithm,
|
||||
'--key', payload_key_path,
|
||||
'--prop', 'apex.key:{}'.format(payload_key_name),
|
||||
'--image', payload_file,
|
||||
'--salt', salt]
|
||||
if signing_args:
|
||||
cmd.extend(shlex.split(signing_args))
|
||||
|
||||
try:
|
||||
common.RunAndCheckOutput(cmd)
|
||||
except common.ExternalError as e:
|
||||
raise ApexSigningError, \
|
||||
'Failed to sign APEX payload {} with {}:\n{}'.format(
|
||||
payload_file, payload_key_path, e), sys.exc_info()[2]
|
||||
|
||||
# Verify the signed payload image with specified public key.
|
||||
logger.info('Verifying %s', payload_file)
|
||||
VerifyApexPayload(payload_file, payload_key_path)
|
||||
|
||||
|
||||
def VerifyApexPayload(payload_file, payload_key):
|
||||
"""Verifies the APEX payload signature with the given key."""
|
||||
cmd = ['avbtool', 'verify_image', '--image', payload_file,
|
||||
'--key', payload_key]
|
||||
try:
|
||||
common.RunAndCheckOutput(cmd)
|
||||
except common.ExternalError as e:
|
||||
raise ApexSigningError, \
|
||||
'Failed to validate payload signing for {} with {}:\n{}'.format(
|
||||
payload_file, payload_key, e), sys.exc_info()[2]
|
||||
|
||||
|
||||
def ParseApexPayloadInfo(payload_path):
|
||||
"""Parses the APEX payload info.
|
||||
|
||||
Args:
|
||||
payload_path: The path to the payload image.
|
||||
|
||||
Raises:
|
||||
ApexInfoError on parsing errors.
|
||||
|
||||
Returns:
|
||||
A dict that contains payload property-value pairs. The dict should at least
|
||||
contain Algorithm, Salt and apex.key.
|
||||
"""
|
||||
if not os.path.exists(payload_path):
|
||||
raise ApexInfoError('Failed to find image: {}'.format(payload_path))
|
||||
|
||||
cmd = ['avbtool', 'info_image', '--image', payload_path]
|
||||
try:
|
||||
output = common.RunAndCheckOutput(cmd)
|
||||
except common.ExternalError as e:
|
||||
raise ApexInfoError, \
|
||||
'Failed to get APEX payload info for {}:\n{}'.format(
|
||||
payload_path, e), sys.exc_info()[2]
|
||||
|
||||
# Extract the Algorithm / Salt / Prop info from payload (i.e. an image signed
|
||||
# with avbtool). For example,
|
||||
# Algorithm: SHA256_RSA4096
|
||||
PAYLOAD_INFO_PATTERN = (
|
||||
r'^\s*(?P<key>Algorithm|Salt|Prop)\:\s*(?P<value>.*?)$')
|
||||
payload_info_matcher = re.compile(PAYLOAD_INFO_PATTERN)
|
||||
|
||||
payload_info = {}
|
||||
for line in output.split('\n'):
|
||||
line_info = payload_info_matcher.match(line)
|
||||
if not line_info:
|
||||
continue
|
||||
|
||||
key, value = line_info.group('key'), line_info.group('value')
|
||||
|
||||
if key == 'Prop':
|
||||
# Further extract the property key-value pair, from a 'Prop:' line. For
|
||||
# example,
|
||||
# Prop: apex.key -> 'com.android.runtime'
|
||||
# Note that avbtool writes single or double quotes around values.
|
||||
PROPERTY_DESCRIPTOR_PATTERN = r'^\s*(?P<key>.*?)\s->\s*(?P<value>.*?)$'
|
||||
|
||||
prop_matcher = re.compile(PROPERTY_DESCRIPTOR_PATTERN)
|
||||
prop = prop_matcher.match(value)
|
||||
if not prop:
|
||||
raise ApexInfoError(
|
||||
'Failed to parse prop string {}'.format(value))
|
||||
|
||||
prop_key, prop_value = prop.group('key'), prop.group('value')
|
||||
if prop_key == 'apex.key':
|
||||
# avbtool dumps the prop value with repr(), which contains single /
|
||||
# double quotes that we don't want.
|
||||
payload_info[prop_key] = prop_value.strip('\"\'')
|
||||
|
||||
else:
|
||||
payload_info[key] = value
|
||||
|
||||
# Sanity check.
|
||||
for key in ('Algorithm', 'Salt', 'apex.key'):
|
||||
if key not in payload_info:
|
||||
raise ApexInfoError(
|
||||
'Failed to find {} prop in {}'.format(key, payload_path))
|
||||
|
||||
return payload_info
|
|
@ -0,0 +1,87 @@
|
|||
#
|
||||
# Copyright (C) 2019 The Android Open Source Project
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
#
|
||||
|
||||
import os
|
||||
import os.path
|
||||
|
||||
import apex_utils
|
||||
import common
|
||||
import test_utils
|
||||
|
||||
|
||||
class ApexUtilsTest(test_utils.ReleaseToolsTestCase):
|
||||
|
||||
# echo "foo" | sha256sum
|
||||
SALT = 'b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c'
|
||||
|
||||
def setUp(self):
|
||||
self.testdata_dir = test_utils.get_testdata_dir()
|
||||
# The default payload signing key.
|
||||
self.payload_key = os.path.join(self.testdata_dir, 'testkey.key')
|
||||
|
||||
@staticmethod
|
||||
def _GetTestPayload():
|
||||
payload_file = common.MakeTempFile(prefix='apex-', suffix='.img')
|
||||
with open(payload_file, 'wb') as payload_fp:
|
||||
payload_fp.write(os.urandom(8192))
|
||||
return payload_file
|
||||
|
||||
def test_ParseApexPayloadInfo(self):
|
||||
payload_file = self._GetTestPayload()
|
||||
apex_utils.SignApexPayload(
|
||||
payload_file, self.payload_key, 'testkey', 'SHA256_RSA2048', self.SALT)
|
||||
payload_info = apex_utils.ParseApexPayloadInfo(payload_file)
|
||||
self.assertEqual('SHA256_RSA2048', payload_info['Algorithm'])
|
||||
self.assertEqual(self.SALT, payload_info['Salt'])
|
||||
self.assertEqual('testkey', payload_info['apex.key'])
|
||||
|
||||
def test_SignApexPayload(self):
|
||||
payload_file = self._GetTestPayload()
|
||||
apex_utils.SignApexPayload(
|
||||
payload_file, self.payload_key, 'testkey', 'SHA256_RSA2048', self.SALT)
|
||||
apex_utils.VerifyApexPayload(payload_file, self.payload_key)
|
||||
|
||||
def test_SignApexPayload_withSignerHelper(self):
|
||||
payload_file = self._GetTestPayload()
|
||||
payload_signer_args = '--signing_helper_with_files {}'.format(
|
||||
os.path.join(self.testdata_dir, 'signing_helper.sh'))
|
||||
apex_utils.SignApexPayload(
|
||||
payload_file,
|
||||
self.payload_key,
|
||||
'testkey', 'SHA256_RSA2048', self.SALT,
|
||||
payload_signer_args)
|
||||
apex_utils.VerifyApexPayload(payload_file, self.payload_key)
|
||||
|
||||
def test_SignApexPayload_invalidKey(self):
|
||||
self.assertRaises(
|
||||
apex_utils.ApexSigningError,
|
||||
apex_utils.SignApexPayload,
|
||||
self._GetTestPayload(),
|
||||
os.path.join(self.testdata_dir, 'testkey.x509.pem'),
|
||||
'testkey',
|
||||
'SHA256_RSA2048',
|
||||
self.SALT)
|
||||
|
||||
def test_VerifyApexPayload_wrongKey(self):
|
||||
payload_file = self._GetTestPayload()
|
||||
apex_utils.SignApexPayload(
|
||||
payload_file, self.payload_key, 'testkey', 'SHA256_RSA2048', self.SALT)
|
||||
apex_utils.VerifyApexPayload(payload_file, self.payload_key)
|
||||
self.assertRaises(
|
||||
apex_utils.ApexSigningError,
|
||||
apex_utils.VerifyApexPayload,
|
||||
payload_file,
|
||||
os.path.join(self.testdata_dir, 'testkey_with_passwd.key'))
|
|
@ -0,0 +1,21 @@
|
|||
#!/bin/sh
|
||||
#
|
||||
# Copyright (C) 2019 The Android Open Source Project
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
#
|
||||
|
||||
tmpfile=$(mktemp)
|
||||
cat $3 | openssl rsautl -sign -inkey $2 -raw > $tmpfile
|
||||
cat $tmpfile > $3
|
||||
rm $tmpfile
|
|
@ -0,0 +1,28 @@
|
|||
-----BEGIN PRIVATE KEY-----
|
||||
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCwaAOHPqgkCmqU
|
||||
AFRnJW6LrAuSfy9EzWSRHSkltp811ByMIE0N6/Nttu8ZCL456lzArHNKt/zdoBik
|
||||
eLB6gN9CTvQ8n4LMdSEmkRl3uXBtOPJuVObJ6ZUILz6L7WofWcr8DT81j2At7nHi
|
||||
Wg8SkCsFXbFfpjljOlpqUG3Szt+48X8rcgG82s97BuRwNxUgfK1/8QzOiH9fDbMU
|
||||
h6XI2jo2VwuBYOsJadJJWOf6oRRHZonrts0FXpV46CXykpLvLT2u5GXg1Pxd7i1K
|
||||
v1P8bxZOzVbEVfkL2DnUCtUBAnP98r9UyjQDd4blk4Mwl+mzB5otPTacNzEGhmNK
|
||||
Et+HB/cdAgMBAAECggEATsn2IXa7tHUuivHmwLb4O8vY01KY8xrleubSVPTPAUS+
|
||||
h1t57ujerbcR7VV5WPay/J9JUyr/9qClwPfioqRikwQek+EOk3ERIF+YR1/8tdvE
|
||||
c8DZ337DQIeRYP/l8SCyx4bHH43tADbKiLV+m+TmQhxJt5XPdeE/NtK7andZdwkv
|
||||
xEoG9l2aONE4z9pY1x+c1SdDSsq92/iLHLgSkQJmWo+lrfeh6gshXgQgDY8n6rgY
|
||||
GsCgSawLphvd8Tvo86CL04l0pWtY1gEW3s6sdYo1YDkpWQzSRCtGm0GlhEt2fyq5
|
||||
coTK2sLHguE7NL5VZo4zlGtM3QBdvRksTO1mJOt6JQKBgQDaT4oGjZp1rtKdObvn
|
||||
ElaUo5EOyJjmXkRBBndrbiG3078eOqTJHXx45DJUv8hj9+g6vSULiIeFk1FiiMQD
|
||||
vcnsBEaGaSc886wXY6TQgIIzvVfzDHGYTuQydiYQbLClH6S28HLqdlZjUIlHwxb9
|
||||
wBm8JwmTiVeAEvO8LTzeEqfkLwKBgQDO3He8Ei8XDeqtIK0lzcZ83yw9OGP23/gK
|
||||
8GDaf8J+cOtOyYkDlcV0rBNFvE8+TzIpIUlo47b2RSaART3iPSfRJTaySZjKWCVo
|
||||
s2A0/zQcrj7GgD2gaHRrgI9bmnWW1j95a9n/6AUEyEIJ6K8tYK819Vl4GAyhNHEQ
|
||||
sRbxa69qcwKBgQC5F8jxx2tXLdM6JLIQtzabLZcWTrN8Vh5Od3oWpriF0EzxB02h
|
||||
ipN3OBsISdZQE+dcrfNTtP0aHo5ZGZX/ihFCP1nAKjVvczXMWtppQRujXHzOABXr
|
||||
ya+mrQ+Wy2B1j7+qr3DvI0gZSjYqltjOaeon4X04DrEWUHtAZ6Z8rpqUVwKBgQCB
|
||||
o8mmI/8/A4m/Vmss9fke6P5gn6aGYXah5GPOi6Loevv9NHCZvpMwu2aYnZtMAXX+
|
||||
MM5A3fUcAdpPKRXPY2RAvoG42kbXCMbpBwGUNRwDnW/aFySIEu5jMP6m+fYXwc2l
|
||||
2uGUb2Q1ywsYCqs+VQl5V3nquaewn5z8SP+H7WTR4QKBgQCO5CRpyNOjEwMxTPR1
|
||||
GYUKAEiVtmzknHAxUE6drTgGEZSquAXiau0B5+7+/G5gwqxCLGpnstMByI+dhkR6
|
||||
+ybAc/bzb2aoGK4pZf/PuwxQQsHBnG0oaSFU6RZlbVV20j7FZ04+cYnKHwCYkKjN
|
||||
DwA1Ae+H+u95raB4vYhk7IzD4A==
|
||||
-----END PRIVATE KEY-----
|
Loading…
Reference in New Issue