releasetools: Add apex_utils.py.

#!/usr/bin/env python

#

# Copyright (C) 2019 The Android Open Source Project

#

# Licensed under the Apache License, Version 2.0 (the "License");

# you may not use this file except in compliance with the License.

# You may obtain a copy of the License at

#

#      http://www.apache.org/licenses/LICENSE-2.0

#

# Unless required by applicable law or agreed to in writing, software

# distributed under the License is distributed on an "AS IS" BASIS,

# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

# See the License for the specific language governing permissions and

# limitations under the License.

import logging

import os.path

import re

import shlex

import sys

import common

logger = logging.getLogger(__name__)

class ApexInfoError(Exception):

  """An Exception raised during Apex Information command."""

  def __init__(self, message):

    Exception.__init__(self, message)

class ApexSigningError(Exception):

  """An Exception raised during Apex Payload signing."""

  def __init__(self, message):

    Exception.__init__(self, message)

def SignApexPayload(payload_file, payload_key_path, payload_key_name, algorithm,

                    salt, signing_args=None):

  """Signs a given payload_file with the payload key."""

  # Add the new footer. Old footer, if any, will be replaced by avbtool.

  cmd = ['avbtool', 'add_hashtree_footer',

         '--do_not_generate_fec',

         '--algorithm', algorithm,

         '--key', payload_key_path,

         '--prop', 'apex.key:{}'.format(payload_key_name),

         '--image', payload_file,

         '--salt', salt]

  if signing_args:

    cmd.extend(shlex.split(signing_args))

  try:

    common.RunAndCheckOutput(cmd)

  except common.ExternalError as e:

    raise ApexSigningError, \

        'Failed to sign APEX payload {} with {}:\n{}'.format(

            payload_file, payload_key_path, e), sys.exc_info()[2]

  # Verify the signed payload image with specified public key.

  logger.info('Verifying %s', payload_file)

  VerifyApexPayload(payload_file, payload_key_path)

def VerifyApexPayload(payload_file, payload_key):

  """Verifies the APEX payload signature with the given key."""

  cmd = ['avbtool', 'verify_image', '--image', payload_file,

         '--key', payload_key]

  try:

    common.RunAndCheckOutput(cmd)

  except common.ExternalError as e:

    raise ApexSigningError, \

        'Failed to validate payload signing for {} with {}:\n{}'.format(

            payload_file, payload_key, e), sys.exc_info()[2]

def ParseApexPayloadInfo(payload_path):

  """Parses the APEX payload info.

  Args:

    payload_path: The path to the payload image.

  Raises:

    ApexInfoError on parsing errors.

  Returns:

    A dict that contains payload property-value pairs. The dict should at least

    contain Algorithm, Salt and apex.key.

  """

  if not os.path.exists(payload_path):

    raise ApexInfoError('Failed to find image: {}'.format(payload_path))

  cmd = ['avbtool', 'info_image', '--image', payload_path]

  try:

    output = common.RunAndCheckOutput(cmd)

  except common.ExternalError as e:

    raise ApexInfoError, \

        'Failed to get APEX payload info for {}:\n{}'.format(

            payload_path, e), sys.exc_info()[2]

  # Extract the Algorithm / Salt / Prop info from payload (i.e. an image signed

  # with avbtool). For example,

  # Algorithm:                SHA256_RSA4096

  PAYLOAD_INFO_PATTERN = (

      r'^\s*(?P<key>Algorithm|Salt|Prop)\:\s*(?P<value>.*?)$')

  payload_info_matcher = re.compile(PAYLOAD_INFO_PATTERN)

  payload_info = {}

  for line in output.split('\n'):

    line_info = payload_info_matcher.match(line)

    if not line_info:

      continue

    key, value = line_info.group('key'), line_info.group('value')

    if key == 'Prop':

      # Further extract the property key-value pair, from a 'Prop:' line. For

      # example,

      #   Prop: apex.key -> 'com.android.runtime'

      # Note that avbtool writes single or double quotes around values.

      PROPERTY_DESCRIPTOR_PATTERN = r'^\s*(?P<key>.*?)\s->\s*(?P<value>.*?)$'

      prop_matcher = re.compile(PROPERTY_DESCRIPTOR_PATTERN)

      prop = prop_matcher.match(value)

      if not prop:

        raise ApexInfoError(

            'Failed to parse prop string {}'.format(value))

      prop_key, prop_value = prop.group('key'), prop.group('value')

      if prop_key == 'apex.key':

        # avbtool dumps the prop value with repr(), which contains single /

        # double quotes that we don't want.

        payload_info[prop_key] = prop_value.strip('\"\'')

    else:

      payload_info[key] = value

  # Sanity check.

  for key in ('Algorithm', 'Salt', 'apex.key'):

    if key not in payload_info:

      raise ApexInfoError(

          'Failed to find {} prop in {}'.format(key, payload_path))

  return payload_info

#

# Copyright (C) 2019 The Android Open Source Project

#

# Licensed under the Apache License, Version 2.0 (the "License");

# you may not use this file except in compliance with the License.

# You may obtain a copy of the License at

#

#      http://www.apache.org/licenses/LICENSE-2.0

#

# Unless required by applicable law or agreed to in writing, software

# distributed under the License is distributed on an "AS IS" BASIS,

# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

# See the License for the specific language governing permissions and

# limitations under the License.

#

import os

import os.path

import apex_utils

import common

import test_utils

class ApexUtilsTest(test_utils.ReleaseToolsTestCase):

  # echo "foo" | sha256sum

  SALT = 'b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c'

  def setUp(self):

    self.testdata_dir = test_utils.get_testdata_dir()

    # The default payload signing key.

    self.payload_key = os.path.join(self.testdata_dir, 'testkey.key')

  @staticmethod

  def _GetTestPayload():

    payload_file = common.MakeTempFile(prefix='apex-', suffix='.img')

    with open(payload_file, 'wb') as payload_fp:

      payload_fp.write(os.urandom(8192))

    return payload_file

  def test_ParseApexPayloadInfo(self):

    payload_file = self._GetTestPayload()

    apex_utils.SignApexPayload(

        payload_file, self.payload_key, 'testkey', 'SHA256_RSA2048', self.SALT)

    payload_info = apex_utils.ParseApexPayloadInfo(payload_file)

    self.assertEqual('SHA256_RSA2048', payload_info['Algorithm'])

    self.assertEqual(self.SALT, payload_info['Salt'])

    self.assertEqual('testkey', payload_info['apex.key'])

  def test_SignApexPayload(self):

    payload_file = self._GetTestPayload()

    apex_utils.SignApexPayload(

        payload_file, self.payload_key, 'testkey', 'SHA256_RSA2048', self.SALT)

    apex_utils.VerifyApexPayload(payload_file, self.payload_key)

  def test_SignApexPayload_withSignerHelper(self):

    payload_file = self._GetTestPayload()

    payload_signer_args = '--signing_helper_with_files {}'.format(

        os.path.join(self.testdata_dir, 'signing_helper.sh'))

    apex_utils.SignApexPayload(

        payload_file,

        self.payload_key,

        'testkey', 'SHA256_RSA2048', self.SALT,

        payload_signer_args)

    apex_utils.VerifyApexPayload(payload_file, self.payload_key)

  def test_SignApexPayload_invalidKey(self):

    self.assertRaises(

        apex_utils.ApexSigningError,

        apex_utils.SignApexPayload,

        self._GetTestPayload(),

        os.path.join(self.testdata_dir, 'testkey.x509.pem'),

        'testkey',

        'SHA256_RSA2048',

        self.SALT)

  def test_VerifyApexPayload_wrongKey(self):

    payload_file = self._GetTestPayload()

    apex_utils.SignApexPayload(

        payload_file, self.payload_key, 'testkey', 'SHA256_RSA2048', self.SALT)

    apex_utils.VerifyApexPayload(payload_file, self.payload_key)

    self.assertRaises(

        apex_utils.ApexSigningError,

        apex_utils.VerifyApexPayload,

        payload_file,

        os.path.join(self.testdata_dir, 'testkey_with_passwd.key'))

#!/bin/sh

#

# Copyright (C) 2019 The Android Open Source Project

#

# Licensed under the Apache License, Version 2.0 (the "License");

# you may not use this file except in compliance with the License.

# You may obtain a copy of the License at

#

#      http://www.apache.org/licenses/LICENSE-2.0

#

# Unless required by applicable law or agreed to in writing, software

# distributed under the License is distributed on an "AS IS" BASIS,

# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

# See the License for the specific language governing permissions and

# limitations under the License.

#

tmpfile=$(mktemp)

cat $3 | openssl rsautl -sign -inkey $2 -raw > $tmpfile

cat $tmpfile > $3

rm $tmpfile

-----BEGIN PRIVATE KEY-----

MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCwaAOHPqgkCmqU

AFRnJW6LrAuSfy9EzWSRHSkltp811ByMIE0N6/Nttu8ZCL456lzArHNKt/zdoBik

eLB6gN9CTvQ8n4LMdSEmkRl3uXBtOPJuVObJ6ZUILz6L7WofWcr8DT81j2At7nHi

Wg8SkCsFXbFfpjljOlpqUG3Szt+48X8rcgG82s97BuRwNxUgfK1/8QzOiH9fDbMU

h6XI2jo2VwuBYOsJadJJWOf6oRRHZonrts0FXpV46CXykpLvLT2u5GXg1Pxd7i1K

v1P8bxZOzVbEVfkL2DnUCtUBAnP98r9UyjQDd4blk4Mwl+mzB5otPTacNzEGhmNK

Et+HB/cdAgMBAAECggEATsn2IXa7tHUuivHmwLb4O8vY01KY8xrleubSVPTPAUS+

h1t57ujerbcR7VV5WPay/J9JUyr/9qClwPfioqRikwQek+EOk3ERIF+YR1/8tdvE

c8DZ337DQIeRYP/l8SCyx4bHH43tADbKiLV+m+TmQhxJt5XPdeE/NtK7andZdwkv

xEoG9l2aONE4z9pY1x+c1SdDSsq92/iLHLgSkQJmWo+lrfeh6gshXgQgDY8n6rgY

GsCgSawLphvd8Tvo86CL04l0pWtY1gEW3s6sdYo1YDkpWQzSRCtGm0GlhEt2fyq5

coTK2sLHguE7NL5VZo4zlGtM3QBdvRksTO1mJOt6JQKBgQDaT4oGjZp1rtKdObvn

ElaUo5EOyJjmXkRBBndrbiG3078eOqTJHXx45DJUv8hj9+g6vSULiIeFk1FiiMQD

vcnsBEaGaSc886wXY6TQgIIzvVfzDHGYTuQydiYQbLClH6S28HLqdlZjUIlHwxb9

wBm8JwmTiVeAEvO8LTzeEqfkLwKBgQDO3He8Ei8XDeqtIK0lzcZ83yw9OGP23/gK

8GDaf8J+cOtOyYkDlcV0rBNFvE8+TzIpIUlo47b2RSaART3iPSfRJTaySZjKWCVo

s2A0/zQcrj7GgD2gaHRrgI9bmnWW1j95a9n/6AUEyEIJ6K8tYK819Vl4GAyhNHEQ

sRbxa69qcwKBgQC5F8jxx2tXLdM6JLIQtzabLZcWTrN8Vh5Od3oWpriF0EzxB02h

ipN3OBsISdZQE+dcrfNTtP0aHo5ZGZX/ihFCP1nAKjVvczXMWtppQRujXHzOABXr

ya+mrQ+Wy2B1j7+qr3DvI0gZSjYqltjOaeon4X04DrEWUHtAZ6Z8rpqUVwKBgQCB

o8mmI/8/A4m/Vmss9fke6P5gn6aGYXah5GPOi6Loevv9NHCZvpMwu2aYnZtMAXX+

MM5A3fUcAdpPKRXPY2RAvoG42kbXCMbpBwGUNRwDnW/aFySIEu5jMP6m+fYXwc2l

2uGUb2Q1ywsYCqs+VQl5V3nquaewn5z8SP+H7WTR4QKBgQCO5CRpyNOjEwMxTPR1

GYUKAEiVtmzknHAxUE6drTgGEZSquAXiau0B5+7+/G5gwqxCLGpnstMByI+dhkR6

+ybAc/bzb2aoGK4pZf/PuwxQQsHBnG0oaSFU6RZlbVV20j7FZ04+cYnKHwCYkKjN

DwA1Ae+H+u95raB4vYhk7IzD4A==

-----END PRIVATE KEY-----