Beispiel #1
0
 def test_SignApexPayload_withSignerHelper(self):
     payload_file = self._GetTestPayload()
     payload_signer_args = '--signing_helper_with_files {}'.format(
         os.path.join(self.testdata_dir, 'signing_helper.sh'))
     apex_utils.SignApexPayload(payload_file, self.payload_key, 'testkey',
                                'SHA256_RSA2048', self.SALT,
                                payload_signer_args)
     apex_utils.VerifyApexPayload(payload_file, self.payload_key)
Beispiel #2
0
 def test_ParseApexPayloadInfo(self):
     payload_file = self._GetTestPayload()
     apex_utils.SignApexPayload('avbtool', payload_file, self.payload_key,
                                'testkey', 'SHA256_RSA2048', self.SALT)
     payload_info = apex_utils.ParseApexPayloadInfo('avbtool', payload_file)
     self.assertEqual('SHA256_RSA2048', payload_info['Algorithm'])
     self.assertEqual(self.SALT, payload_info['Salt'])
     self.assertEqual('testkey', payload_info['apex.key'])
Beispiel #3
0
def SignApex(apex_data,
             payload_key,
             container_key,
             container_pw,
             codename_to_api_level_map,
             signing_args=None):
    """Signs the current APEX with the given payload/container keys.

  Args:
    apex_data: Raw APEX data.
    payload_key: The path to payload signing key (w/o extension).
    container_key: The path to container signing key (w/o extension).
    container_pw: The matching password of the container_key, or None.
    codename_to_api_level_map: A dict that maps from codename to API level.
    signing_args: Additional args to be passed to the payload signer.

  Returns:
    (signed_apex, payload_key_name): signed_apex is the path to the signed APEX
        file; payload_key_name is a str of the payload signing key name (e.g.
        com.android.tzdata).
  """
    apex_file = common.MakeTempFile(prefix='apex-', suffix='.apex')
    with open(apex_file, 'wb') as apex_fp:
        apex_fp.write(apex_data)

    APEX_PAYLOAD_IMAGE = 'apex_payload.img'

    # Signing an APEX is a two step process.
    # 1. Extract and sign the APEX_PAYLOAD_IMAGE entry with the given payload_key.
    payload_dir = common.MakeTempDir(prefix='apex-payload-')
    with zipfile.ZipFile(apex_file) as apex_fd:
        payload_file = apex_fd.extract(APEX_PAYLOAD_IMAGE, payload_dir)

    payload_info = apex_utils.ParseApexPayloadInfo(payload_file)
    apex_utils.SignApexPayload(payload_file, payload_key,
                               payload_info['apex.key'],
                               payload_info['Algorithm'], payload_info['Salt'],
                               signing_args)

    common.ZipDelete(apex_file, APEX_PAYLOAD_IMAGE)
    apex_zip = zipfile.ZipFile(apex_file, 'a')
    common.ZipWrite(apex_zip, payload_file, arcname=APEX_PAYLOAD_IMAGE)
    common.ZipClose(apex_zip)

    # 2. Sign the overall APEX container with container_key.
    signed_apex = common.MakeTempFile(prefix='apex-container-', suffix='.apex')
    common.SignFile(apex_file,
                    signed_apex,
                    container_key,
                    container_pw,
                    codename_to_api_level_map=codename_to_api_level_map)

    signed_and_aligned_apex = common.MakeTempFile(prefix='apex-container-',
                                                  suffix='.apex')
    common.RunAndCheckOutput(
        ['zipalign', '-f', '4096', signed_apex, signed_and_aligned_apex])

    return (signed_and_aligned_apex, payload_info['apex.key'])
Beispiel #4
0
 def test_VerifyApexPayload_wrongKey(self):
     payload_file = self._GetTestPayload()
     apex_utils.SignApexPayload('avbtool', payload_file, self.payload_key,
                                'testkey', 'SHA256_RSA2048', self.SALT)
     apex_utils.VerifyApexPayload('avbtool', payload_file, self.payload_key)
     self.assertRaises(
         apex_utils.ApexSigningError, apex_utils.VerifyApexPayload,
         'avbtool', payload_file,
         os.path.join(self.testdata_dir, 'testkey_with_passwd.key'))
Beispiel #5
0
 def test_SignApexPayload_withSignerHelper(self):
     payload_file = self._GetTestPayload()
     signing_helper = os.path.join(self.testdata_dir, 'signing_helper.sh')
     os.chmod(signing_helper, 0o700)
     payload_signer_args = '--signing_helper_with_files {}'.format(
         signing_helper)
     apex_utils.SignApexPayload('avbtool', payload_file, self.payload_key,
                                'testkey', 'SHA256_RSA2048', self.SALT,
                                'sha256', True, payload_signer_args)
     apex_utils.VerifyApexPayload('avbtool', payload_file, self.payload_key,
                                  True)
Beispiel #6
0
 def test_SignApexPayload(self):
     payload_file = self._GetTestPayload()
     apex_utils.SignApexPayload('avbtool',
                                payload_file,
                                self.payload_key,
                                'testkey',
                                'SHA256_RSA2048',
                                self.SALT,
                                no_hashtree=True)
     apex_utils.VerifyApexPayload('avbtool', payload_file, self.payload_key,
                                  True)
Beispiel #7
0
 def test_SignApexPayload_withHashtree(self):
     payload_file = self._GetTestPayload()
     apex_utils.SignApexPayload('avbtool',
                                payload_file,
                                self.payload_key,
                                'testkey',
                                'SHA256_RSA2048',
                                self.SALT,
                                no_hashtree=False)
     apex_utils.VerifyApexPayload('avbtool', payload_file, self.payload_key)
     payload_info = apex_utils.ParseApexPayloadInfo('avbtool', payload_file)
     self.assertEqual('4096 bytes', payload_info['Tree Size'])
Beispiel #8
0
 def test_ParseApexPayloadInfo(self):
     payload_file = self._GetTestPayload()
     apex_utils.SignApexPayload('avbtool',
                                payload_file,
                                self.payload_key,
                                'testkey',
                                'SHA256_RSA2048',
                                self.SALT,
                                'sha256',
                                no_hashtree=True)
     payload_info = apex_utils.ParseApexPayloadInfo('avbtool', payload_file)
     self.assertEqual('SHA256_RSA2048', payload_info['Algorithm'])
     self.assertEqual(self.SALT, payload_info['Salt'])
     self.assertEqual('testkey', payload_info['apex.key'])
     self.assertEqual('sha256', payload_info['Hash Algorithm'])
     self.assertEqual('0 bytes', payload_info['Tree Size'])
def SignApex(apex_data,
             payload_key,
             container_key,
             container_pw,
             codename_to_api_level_map,
             signing_args=None):
    """Signs the current APEX with the given payload/container keys.

  Args:
    apex_data: Raw APEX data.
    payload_key: The path to payload signing key (w/ extension).
    container_key: The path to container signing key (w/o extension).
    container_pw: The matching password of the container_key, or None.
    codename_to_api_level_map: A dict that maps from codename to API level.
    signing_args: Additional args to be passed to the payload signer.

  Returns:
    The path to the signed APEX file.
  """
    apex_file = common.MakeTempFile(prefix='apex-', suffix='.apex')
    with open(apex_file, 'wb') as apex_fp:
        apex_fp.write(apex_data)

    APEX_PAYLOAD_IMAGE = 'apex_payload.img'
    APEX_PUBKEY = 'apex_pubkey'

    # 1a. Extract and sign the APEX_PAYLOAD_IMAGE entry with the given
    # payload_key.
    payload_dir = common.MakeTempDir(prefix='apex-payload-')
    with zipfile.ZipFile(apex_file) as apex_fd:
        payload_file = apex_fd.extract(APEX_PAYLOAD_IMAGE, payload_dir)

    payload_info = apex_utils.ParseApexPayloadInfo(payload_file)
    apex_utils.SignApexPayload(payload_file, payload_key,
                               payload_info['apex.key'],
                               payload_info['Algorithm'], payload_info['Salt'],
                               signing_args)

    # 1b. Update the embedded payload public key.
    payload_public_key = common.ExtractAvbPublicKey(payload_key)

    common.ZipDelete(apex_file, APEX_PAYLOAD_IMAGE)
    common.ZipDelete(apex_file, APEX_PUBKEY)
    apex_zip = zipfile.ZipFile(apex_file, 'a')
    common.ZipWrite(apex_zip, payload_file, arcname=APEX_PAYLOAD_IMAGE)
    common.ZipWrite(apex_zip, payload_public_key, arcname=APEX_PUBKEY)
    common.ZipClose(apex_zip)

    # 2. Align the files at page boundary (same as in apexer).
    aligned_apex = common.MakeTempFile(prefix='apex-container-',
                                       suffix='.apex')
    common.RunAndCheckOutput(
        ['zipalign', '-f', '4096', apex_file, aligned_apex])

    # 3. Sign the APEX container with container_key.
    signed_apex = common.MakeTempFile(prefix='apex-container-', suffix='.apex')

    # Specify the 4K alignment when calling SignApk.
    extra_signapk_args = OPTIONS.extra_signapk_args[:]
    extra_signapk_args.extend(['-a', '4096'])

    common.SignFile(aligned_apex,
                    signed_apex,
                    container_key,
                    container_pw,
                    codename_to_api_level_map=codename_to_api_level_map,
                    extra_signapk_args=extra_signapk_args)

    return signed_apex
Beispiel #10
0
 def test_SignApexPayload(self):
     payload_file = self._GetTestPayload()
     apex_utils.SignApexPayload(payload_file, self.payload_key, 'testkey',
                                'SHA256_RSA2048', self.SALT)
     apex_utils.VerifyApexPayload(payload_file, self.payload_key)