def test_SignApexPayload_withSignerHelper(self):
  # Sign through the helper script from the test data directory instead of
  # the signer's built-in key handling, then check that the payload still
  # verifies against the same payload key.
  payload_img = self._GetTestPayload()
  helper_script = os.path.join(self.testdata_dir, 'signing_helper.sh')
  payload_signer_args = '--signing_helper_with_files {}'.format(helper_script)
  apex_utils.SignApexPayload(
      payload_img,
      self.payload_key,
      'testkey',
      'SHA256_RSA2048',
      self.SALT,
      payload_signer_args)
  apex_utils.VerifyApexPayload(payload_img, self.payload_key)
def test_ParseApexPayloadInfo(self):
  # Sign a fresh payload, then confirm that the parsed descriptor reports the
  # same algorithm, salt and key name that were passed to the signer.
  payload_img = self._GetTestPayload()
  apex_utils.SignApexPayload(
      'avbtool', payload_img, self.payload_key, 'testkey', 'SHA256_RSA2048',
      self.SALT)
  parsed = apex_utils.ParseApexPayloadInfo('avbtool', payload_img)
  expectations = (
      ('Algorithm', 'SHA256_RSA2048'),
      ('Salt', self.SALT),
      ('apex.key', 'testkey'),
  )
  for field, wanted in expectations:
    self.assertEqual(wanted, parsed[field])
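def SignApex(apex_data, payload_key, container_key, container_pw,
             codename_to_api_level_map, signing_args=None):
  """Signs the current APEX with the given payload/container keys.

  The payload algorithm, salt and key name are not chosen by the caller: they
  are read back from the payload already embedded in apex_data and reused for
  the new signature.

  Args:
    apex_data: Raw APEX data.
    payload_key: The path to payload signing key (w/o extension).
    container_key: The path to container signing key (w/o extension).
    container_pw: The matching password of the container_key, or None.
    codename_to_api_level_map: A dict that maps from codename to API level.
    signing_args: Additional args to be passed to the payload signer. They are
        forwarded unchanged to apex_utils.SignApexPayload.

  Returns:
    (signed_apex, payload_key_name): signed_apex is the path to the signed APEX
        file; payload_key_name is a str of the payload signing key name (e.g.
        com.android.tzdata).
  """
  apex_file = common.MakeTempFile(prefix='apex-', suffix='.apex')
  with open(apex_file, 'wb') as apex_fp:
    apex_fp.write(apex_data)

  APEX_PAYLOAD_IMAGE = 'apex_payload.img'

  # Signing an APEX is a two step process.
  # 1. Extract and sign the APEX_PAYLOAD_IMAGE entry with the given payload_key.
  payload_dir = common.MakeTempDir(prefix='apex-payload-')
  with zipfile.ZipFile(apex_file) as apex_fd:
    # Only the fixed-name payload entry is extracted; no other member name
    # from the input archive is used to build a filesystem path.
    payload_file = apex_fd.extract(APEX_PAYLOAD_IMAGE, payload_dir)

  payload_info = apex_utils.ParseApexPayloadInfo(payload_file)
  # NOTE(review): 'Algorithm' and 'Salt' come from the input APEX itself, so
  # the input decides which signing algorithm is used. If a minimum algorithm
  # must be enforced, it has to be checked here or in SignApexPayload.
  apex_utils.SignApexPayload(
      payload_file,
      payload_key,
      payload_info['apex.key'],
      payload_info['Algorithm'],
      payload_info['Salt'],
      signing_args)

  common.ZipDelete(apex_file, APEX_PAYLOAD_IMAGE)
  apex_zip = zipfile.ZipFile(apex_file, 'a')
  try:
    common.ZipWrite(apex_zip, payload_file, arcname=APEX_PAYLOAD_IMAGE)
  finally:
    # Close the archive even when the write fails, so the handle on the
    # temporary APEX is not leaked on the error path.
    common.ZipClose(apex_zip)

  # 2. Sign the overall APEX container with container_key.
  signed_apex = common.MakeTempFile(prefix='apex-container-', suffix='.apex')
  common.SignFile(
      apex_file,
      signed_apex,
      container_key,
      container_pw,
      codename_to_api_level_map=codename_to_api_level_map)

  # zipalign runs after container signing here, with 4096-byte alignment.
  signed_and_aligned_apex = common.MakeTempFile(
      prefix='apex-container-', suffix='.apex')
  common.RunAndCheckOutput(
      ['zipalign', '-f', '4096', signed_apex, signed_and_aligned_apex])

  return (signed_and_aligned_apex, payload_info['apex.key'])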
def test_VerifyApexPayload_wrongKey(self):
  # A payload signed with self.payload_key must verify with that key and must
  # be rejected with ApexSigningError when checked against a different key.
  payload_img = self._GetTestPayload()
  apex_utils.SignApexPayload(
      'avbtool', payload_img, self.payload_key, 'testkey', 'SHA256_RSA2048',
      self.SALT)
  apex_utils.VerifyApexPayload('avbtool', payload_img, self.payload_key)
  with self.assertRaises(apex_utils.ApexSigningError):
    apex_utils.VerifyApexPayload(
        'avbtool',
        payload_img,
        os.path.join(self.testdata_dir, 'testkey_with_passwd.key'))
def test_SignApexPayload_withSignerHelper(self):
  # Sign through the external helper script, then verify the payload with the
  # same payload key.
  payload_img = self._GetTestPayload()
  helper_script = os.path.join(self.testdata_dir, 'signing_helper.sh')
  # Owner-only read/write/execute, so the helper can be run by the signer.
  os.chmod(helper_script, 0o700)
  payload_signer_args = '--signing_helper_with_files {}'.format(helper_script)
  apex_utils.SignApexPayload(
      'avbtool',
      payload_img,
      self.payload_key,
      'testkey',
      'SHA256_RSA2048',
      self.SALT,
      'sha256',
      True,
      payload_signer_args)
  apex_utils.VerifyApexPayload(
      'avbtool', payload_img, self.payload_key, True)
def test_SignApexPayload(self):
  # Round trip with no_hashtree=True: sign the test payload, then verify it
  # with the same key.
  payload_img = self._GetTestPayload()
  apex_utils.SignApexPayload(
      'avbtool',
      payload_img,
      self.payload_key,
      'testkey',
      'SHA256_RSA2048',
      self.SALT,
      no_hashtree=True)
  apex_utils.VerifyApexPayload(
      'avbtool', payload_img, self.payload_key, True)
def test_SignApexPayload_withHashtree(self):
  # With no_hashtree=False the signed payload is expected to report a
  # 4096-byte 'Tree Size' in its parsed info.
  payload_img = self._GetTestPayload()
  apex_utils.SignApexPayload(
      'avbtool',
      payload_img,
      self.payload_key,
      'testkey',
      'SHA256_RSA2048',
      self.SALT,
      no_hashtree=False)
  apex_utils.VerifyApexPayload('avbtool', payload_img, self.payload_key)
  parsed = apex_utils.ParseApexPayloadInfo('avbtool', payload_img)
  self.assertEqual('4096 bytes', parsed['Tree Size'])
def test_ParseApexPayloadInfo(self):
  # Sign with no_hashtree=True and 'sha256', then confirm that every parsed
  # field matches the signing parameters, including a zero-size hashtree.
  payload_img = self._GetTestPayload()
  apex_utils.SignApexPayload(
      'avbtool',
      payload_img,
      self.payload_key,
      'testkey',
      'SHA256_RSA2048',
      self.SALT,
      'sha256',
      no_hashtree=True)
  parsed = apex_utils.ParseApexPayloadInfo('avbtool', payload_img)
  expectations = (
      ('Algorithm', 'SHA256_RSA2048'),
      ('Salt', self.SALT),
      ('apex.key', 'testkey'),
      ('Hash Algorithm', 'sha256'),
      ('Tree Size', '0 bytes'),
  )
  for field, wanted in expectations:
    self.assertEqual(wanted, parsed[field])
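def SignApex(apex_data, payload_key, container_key, container_pw,
             codename_to_api_level_map, signing_args=None):
  """Signs the current APEX with the given payload/container keys.

  The payload algorithm, salt and key name are not chosen by the caller: they
  are read back from the payload already embedded in apex_data and reused for
  the new signature. The embedded public key entry is replaced with the one
  extracted from payload_key.

  Args:
    apex_data: Raw APEX data.
    payload_key: The path to payload signing key (w/ extension).
    container_key: The path to container signing key (w/o extension).
    container_pw: The matching password of the container_key, or None.
    codename_to_api_level_map: A dict that maps from codename to API level.
    signing_args: Additional args to be passed to the payload signer. They are
        forwarded unchanged to apex_utils.SignApexPayload.

  Returns:
    The path to the signed APEX file.
  """
  apex_file = common.MakeTempFile(prefix='apex-', suffix='.apex')
  with open(apex_file, 'wb') as apex_fp:
    apex_fp.write(apex_data)

  APEX_PAYLOAD_IMAGE = 'apex_payload.img'
  APEX_PUBKEY = 'apex_pubkey'

  # 1a. Extract and sign the APEX_PAYLOAD_IMAGE entry with the given
  # payload_key.
  payload_dir = common.MakeTempDir(prefix='apex-payload-')
  with zipfile.ZipFile(apex_file) as apex_fd:
    # Only the fixed-name payload entry is extracted; no other member name
    # from the input archive is used to build a filesystem path.
    payload_file = apex_fd.extract(APEX_PAYLOAD_IMAGE, payload_dir)

  payload_info = apex_utils.ParseApexPayloadInfo(payload_file)
  # NOTE(review): 'Algorithm' and 'Salt' come from the input APEX itself, so
  # the input decides which signing algorithm is used. If a minimum algorithm
  # must be enforced, it has to be checked here or in SignApexPayload.
  apex_utils.SignApexPayload(
      payload_file,
      payload_key,
      payload_info['apex.key'],
      payload_info['Algorithm'],
      payload_info['Salt'],
      signing_args)

  # 1b. Update the embedded payload public key so that the archive carries
  # the public half of the key the payload was just signed with.
  payload_public_key = common.ExtractAvbPublicKey(payload_key)

  common.ZipDelete(apex_file, APEX_PAYLOAD_IMAGE)
  common.ZipDelete(apex_file, APEX_PUBKEY)
  apex_zip = zipfile.ZipFile(apex_file, 'a')
  try:
    common.ZipWrite(apex_zip, payload_file, arcname=APEX_PAYLOAD_IMAGE)
    common.ZipWrite(apex_zip, payload_public_key, arcname=APEX_PUBKEY)
  finally:
    # Close the archive even when a write fails, so the handle on the
    # temporary APEX is not leaked on the error path.
    common.ZipClose(apex_zip)

  # 2. Align the files at page boundary (same as in apexer).
  aligned_apex = common.MakeTempFile(
      prefix='apex-container-', suffix='.apex')
  common.RunAndCheckOutput(
      ['zipalign', '-f', '4096', apex_file, aligned_apex])

  # 3. Sign the APEX container with container_key.
  signed_apex = common.MakeTempFile(prefix='apex-container-', suffix='.apex')

  # Specify the 4K alignment when calling SignApk. The slice makes a copy, so
  # the shared OPTIONS.extra_signapk_args list is not modified by extend().
  extra_signapk_args = OPTIONS.extra_signapk_args[:]
  extra_signapk_args.extend(['-a', '4096'])

  common.SignFile(
      aligned_apex,
      signed_apex,
      container_key,
      container_pw,
      codename_to_api_level_map=codename_to_api_level_map,
      extra_signapk_args=extra_signapk_args)

  return signed_apex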
def test_SignApexPayload(self):
  # Round trip: sign the test payload, then verify it with the same key.
  payload_img = self._GetTestPayload()
  apex_utils.SignApexPayload(
      payload_img,
      self.payload_key,
      'testkey',
      'SHA256_RSA2048',
      self.SALT)
  apex_utils.VerifyApexPayload(payload_img, self.payload_key)