Pass the correct signature size to payload generator

The signature size will be 512 bytes when signing the payload with 4096 bits key. This cl determines the key size with "openssl rsa -modulus" The new key in testdata is generated by "openssl genrsa -out testkey 4096" Bug: 129163830 Test: generate and verify an OTA package Change-Id: I6662b0a0c553dc0fd84711312a1256b887e332fd
2019-04-08 23:04:58 -07:00 · 2019-04-08 23:04:58 -07:00 · 376cc7c452
parent d7d6e9d671
commit 376cc7c452
3 changed files with 95 additions and 2 deletions
--- a/tools/releasetools/ota_from_target_files.py
+++ b/tools/releasetools/ota_from_target_files.py
@ -168,6 +168,9 @@ A/B OTA specific options
  --payload_signer_args <args>
      Specify the arguments needed for payload signer.

+  --payload_signer_key_size <key_size>
+      Specify the key size in bytes of the payload signer.
+
  --skip_postinstall
      Skip the postinstall hooks when generating an A/B OTA package (default:
      False). Note that this discards ALL the hooks, including non-optional
@ -224,6 +227,7 @@ OPTIONS.stash_threshold = 0.8
 OPTIONS.log_diff = None
 OPTIONS.payload_signer = None
 OPTIONS.payload_signer_args = []
+OPTIONS.payload_signer_key_size = None
 OPTIONS.extracted_input = None
 OPTIONS.key_passwords = []
 OPTIONS.skip_postinstall = False
@ -468,9 +472,35 @@ class PayloadSigner(object):
      self.signer = "openssl"
      self.signer_args = ["pkeyutl", "-sign", "-inkey", signing_key,
                          "-pkeyopt", "digest:sha256"]
+      self.key_size = self._GetKeySizeInBytes(signing_key)
    else:
      self.signer = OPTIONS.payload_signer
      self.signer_args = OPTIONS.payload_signer_args
+      if OPTIONS.payload_signer_key_size:
+        self.key_size = int(OPTIONS.payload_signer_key_size)
+        assert self.key_size == 256 or self.key_size == 512, \
+            "Unsupported key size {}".format(OPTIONS.payload_signer_key_size)
+      else:
+        self.key_size = 256
+
+  @staticmethod
+  def _GetKeySizeInBytes(signing_key):
+    modulus_file = common.MakeTempFile(prefix="modulus-")
+    cmd = ["openssl", "rsa", "-inform", "PEM", "-in", signing_key, "-modulus",
+           "-noout", "-out", modulus_file]
+    common.RunAndCheckOutput(cmd, verbose=False)
+
+    with open(modulus_file) as f:
+      modulus_string = f.read()
+    # The modulus string has the format "Modulus=$data", where $data is the
+    # concatenation of hex dump of the modulus.
+    MODULUS_PREFIX = "Modulus="
+    assert modulus_string.startswith(MODULUS_PREFIX)
+    modulus_string = modulus_string[len(MODULUS_PREFIX):]
+    key_size = len(modulus_string) / 2
+    assert key_size == 256 or key_size == 512, \
+        "Unsupported key size {}".format(key_size)
+    return key_size

  def Sign(self, in_file):
    """Signs the given input file. Returns the output filename."""
@ -539,7 +569,7 @@ class Payload(object):
    metadata_sig_file = common.MakeTempFile(prefix="sig-", suffix=".bin")
    cmd = ["brillo_update_payload", "hash",
           "--unsigned_payload", self.payload_file,
-           "--signature_size", "256",
+           "--signature_size", str(payload_signer.key_size),
           "--metadata_hash_file", metadata_sig_file,
           "--payload_hash_file", payload_sig_file]
    common.RunAndCheckOutput(cmd)
@ -554,7 +584,7 @@ class Payload(object):
    cmd = ["brillo_update_payload", "sign",
           "--unsigned_payload", self.payload_file,
           "--payload", signed_payload_file,
-           "--signature_size", "256",
+           "--signature_size", str(payload_signer.key_size),
           "--metadata_signature_file", signed_metadata_sig_file,
           "--payload_signature_file", signed_payload_sig_file]
    common.RunAndCheckOutput(cmd)
@ -2087,6 +2117,8 @@ def main(argv):
      OPTIONS.payload_signer = a
    elif o == "--payload_signer_args":
      OPTIONS.payload_signer_args = shlex.split(a)
+    elif o == "--payload_signer_key_size":
+      OPTIONS.payload_signer_key_size = a
    elif o == "--extracted_input_target_files":
      OPTIONS.extracted_input = a
    elif o == "--skip_postinstall":
@ -2125,6 +2157,7 @@ def main(argv):
                                 "log_diff=",
                                 "payload_signer=",
                                 "payload_signer_args=",
+                                 "payload_signer_key_size=",
                                 "extracted_input_target_files=",
                                 "skip_postinstall",
                                 "retrofit_dynamic_partitions",
--- a/tools/releasetools/test_ota_from_target_files.py
+++ b/tools/releasetools/test_ota_from_target_files.py
@ -1182,6 +1182,7 @@ class PayloadSignerTest(test_utils.ReleaseToolsTestCase):
  def test_init(self):
    payload_signer = PayloadSigner()
    self.assertEqual('openssl', payload_signer.signer)
+    self.assertEqual(256, payload_signer.key_size)

  def test_init_withPassword(self):
    common.OPTIONS.package_key = os.path.join(
@ -1195,9 +1196,16 @@ class PayloadSignerTest(test_utils.ReleaseToolsTestCase):
  def test_init_withExternalSigner(self):
    common.OPTIONS.payload_signer = 'abc'
    common.OPTIONS.payload_signer_args = ['arg1', 'arg2']
+    common.OPTIONS.payload_signer_key_size = '512'
    payload_signer = PayloadSigner()
    self.assertEqual('abc', payload_signer.signer)
    self.assertEqual(['arg1', 'arg2'], payload_signer.signer_args)
+    self.assertEqual(512, payload_signer.key_size)
+
+  def test_GetKeySizeInBytes_512Bytes(self):
+    signing_key = os.path.join(self.testdata_dir, 'testkey_RSA4096.key')
+    key_size = PayloadSigner._GetKeySizeInBytes(signing_key)
+    self.assertEqual(512, key_size)

  def test_Sign(self):
    payload_signer = PayloadSigner()
--- a/tools/releasetools/testdata/testkey_RSA4096.key
+++ b/tools/releasetools/testdata/testkey_RSA4096.key
@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQC7y8EH4O8M9aA7
+UhaWLlW5ceQxZi0P7DNOgog/82SIZh1/Vv0S8KCu9LcngK60oIejPU3k9zb0Mpl2
+4OEtupbOq9SV0nyRIp33rs9EJ0zm8keZ2jEfwTubdhE4GumlwkbfYHlMPmpufqOq
+uxKfCOUZk3ZEC5RFDBqVLGrf9m22ITMQwNGj/u/mtAg2UXRGy534eU1evHOFH8tD
+IxXd378m+gRY+bPi6fOkrJgAw6N01NwwsHRxxQsVgp8m1EKpPJ+ARRtP6YYtNsNB
+KTOXqZw18OD7eG7yVONAf7oSOMNRK7qg6ZU6YN/y1k+YZF3D/1HU9THoDXIpBHoW
+R2SpEM63Ua8ilSmx9PfoaDn27VrpjIcq50HqKAXOvclxOCyVD0pRkrryPpevYCVu
+x9/InmW3K4dPiAy0KmmS4ZSLUJnr6Lnkt8C3VxXHqZ4T7MlgrjrO70YqCxeDvYE0
+KL/e/UeJ69nANybkDThhBkxkOC1vvik3VXO4ITPEKCnLHdvdj8rwkjqf3Ex5A0g8
+XaH0l6I72pqxXi8nnU9udLrUEdHUT1KHzjnZBVP6aomcDy5Gnbb6wXTBTkB7fdQB
+nGcqT0DH67PqJE/rCUguVSmX4KGyOVrr5S1GQTg1EmHbF2Kf6P0YJpcVU7PHRE8s
+BisP39wzoE5XsIpn/aKpWdpcfqxjTQIDAQABAoICAQCB/vtyLryLpgPyzFIiR5TD
+uBkUMPyEhybE9ArI6fzvhnBo05h/4d34/iFC0QsesfjygN9I3fBGfjhJWEXH19/I
+1J1l0Ly14taiu3lyXhoXzCLQV3+l0acnaEVnJwoR2jghLLEKnDIkprk42CJ9wDSG
+zdMSK0nJuiU0mfipa/ZqGvU0ZaU49qKuenUs1Jm+3/hMJfvu1ljJEEcuBD2Axv+V
+RYB47vEc5IHpvifCb6rYlviNI7iXgKS5kSAGSuySJgrrSessGCTva3chxhmWpKwj
+ksjKioWSbjyZS1FMh8p8h966wLayIJklikCy5tcZc8X7und/gL9DsXuprGX7uky8
+3ZS2cJjiVimkwoROq5VPa+0SBmNJWRBNvRfARiaKkyyidVxIsvjFNDFPQp1jYlzM
+fvGJwgnCiUQP56hvri3irriWN8Le2U8lqQQ7YaDLKcsf6iiMGwfxcK+6E4MUv797
+V5CZXSC7RrPd9wdj6UIqtgSGVUH3BV7kB+fYYfvV15kpj6IXYTxElfAZ2ak3g9sv
+JZ6moKbRN0xSufkDftMGv77cH13v97Iy3Whp8zEPMBnbsdpPp6DpIH8sl2R7O+zr
+uMty6vXw0Ux69LEpz4b4HyD7t65zTSwpou5YhfZt/yRzovawsQIRGlc4E1FJDFjf
+e9LvazMXo/us3T5LNv5pAQKCAQEA5Kq1RJgMlvKOfGaEah1xu65s3I1lGuz+9c1x
+geYFlta9H2vG1aADUtgmIBjjC+1z4KLD9jrjrwwbqKnisu7/qUOR6Qf8BHFbrMSs
+J8IMOD3Vw/UVc/8LCjoI4n1XaKYJtOyIxKJtWKAbgtvgVOAGSt47LEOOchXNnAKv
+C3Flak3ADYaUQFLoiwmp6WdSL+uiLisukKNjmYu8vxhg9255p31PB6xixd0raoF/
+oDTfgY1fG/OFXvQd+GcjrTJ2Lqk1GtZqau5MEkS5jsKKnPJ6+ozd2t+QVkMrIQER
+WeTtZ7gimJo6QF8uyyG8WqT1qxbO2zV4Nrwak6ozRFhEJdnJrQKCAQEA0j5hY6sr
+apIvEUFsK6k1rEb77+1p85eyCOSYZpHEIe0hy89MjMUFA5IKhsXnUqhkiuJURUrD
+VtccWWJt5DUgS6HzJUGjeXo07wkqVz+10l+l+RSHleNBYlbxSpZQtvkKQkISF56c
+bSjLzOGM4RE8NxBdFg6EijwlKlZ8kW1ZJaQv9fuR+QS9DFXSiYUJSDiwLF0F6ogQ
+i1h3RN3RIKYc9kizYqBKaksg8EfQEyJs2Rhl5JrPmdZvDTpSeGRqz66WbdL4gSNv
+ud64BYY+Uhec9yH2HDal1l/j1dFbh+Nzs2v4b5TYmCO/zX5GfucUrZaGHbZcovlo
+/abKhURKW/N0IQKCAQEAhz0PCAqFJ6E89AYNulS/tyhp6ecWLN6NzAI9Z34LQDKw
+l6y+ZAnG7XA43DLb1WoSZoDdNPuPPTAEC7SuBvWi7xCvcwrt2hLRDVUkHD9/yqOH
+keWZUok8lkfMiWdoEtRgWUireuA1m3zVyIcSHiCAmDbm+D7cOEz81ZAgxrvCJyTk
+uRsnAwQF1HVasFgTG5RYzsVrPM/lUCJ89ugMMUp9WLmbzAYARNWRn+QG/1FF/vEF
+lxpnfskSEJ+vUffOPbqFVeIJ/kQBaayLsgsMv9YJNbWqYJBoZRxEnbhr8qaaYgVd
+MLPGT9v7aNgC9fkp8o4CuVLeTkDh1wOKXpl1dI1h4QKCAQEAgfNExxI517lbllLV
+xXblUgLeHkKkxofw50ZEXMGkdUPZK9yJ+Eie/MH796nDfXfQDXgvllTLwJVdVHJe
+cjvUJmuHmnOj06YRqd4EacFbZRjxwa9Kzv6Un3AV3IBki3QLP0EPZcIH9gDNV2ni
+Zgr9KRvYLZXznm3mmvCyNkFcZMPDUUuZwk2HfGRfqditEBLZ8dHdokVP1JFtxwdE
+B+Yk6KWvGzrwRBsD1QDOP8V7egR2loKJ5xB/u7Fc4EVRL+U93cwVBd0dZcmf/Oop
+AxzNTIOVV4L/pi3G6ZZp+OhBz5jhCjb6Wa9fEmkGsdGrGlB7vUnGoIWAu6eobg7z
+1zn3gQKCAQBwyViGs7b5HuYQ8UNkvBK9MxUE6h/qHEshbw+QtD/wcdNNpwLTawoW
+JH3bWzD01p1DsbRx/bcV5yaiWDhuslSH2xB6+N1gx2ohg8lPmFhKQiR1OTQ3L603
+Y+3h8FNO/c3YPcNr/k4N+tVKPSJvz0NcbkNs9qGUUsiEppVtc17VFAv/yPicV/wP
+0vC4Qw4xitSlIzD1QtPl0HfhA3ZM6fBb0lYx3tpJjmkrWPVjwWhYIAVLD6j7Jark
+NtMW9wSG21atSgWX1jFOiVsu3qzDpMvLXbH2FpAO9t+9GSDcSzfUMQLymWyW1+Dl
+L0rBGoJyEopSbtycAkWEHb/YLolfaTRd
+-----END PRIVATE KEY-----