Merge \\"releasetools: Support using payload_signer.\\" am: 983a42bd

      Generate a log file that shows the differences in the source and target

      Generate a log file that shows the differences in the source and target

      builds for an incremental package. This option is only meaningful when

      builds for an incremental package. This option is only meaningful when

      -i is specified.

      -i is specified.

  --payload_signer <signer>

      Specify the signer when signing the payload and metadata for A/B OTAs.

      By default (i.e. without this flag), it calls 'openssl pkeyutl' to sign

      with the package private key. If the private key cannot be accessed

      directly, a payload signer that knows how to do that should be specified.

      The signer will be supplied with "-inkey <path_to_key>",

      "-in <input_file>" and "-out <output_file>" parameters.

"""

"""

import sys

import sys

OPTIONS.stash_threshold = 0.8

OPTIONS.stash_threshold = 0.8

OPTIONS.gen_verify = False

OPTIONS.gen_verify = False

OPTIONS.log_diff = None

OPTIONS.log_diff = None

OPTIONS.payload_signer = None

def MostPopularKey(d, default):

def MostPopularKey(d, default):

  """Given a dict, return the key corresponding to the largest

  """Given a dict, return the key corresponding to the largest

        "default_system_dev_certificate",

        "default_system_dev_certificate",

        "build/target/product/security/testkey")

        "build/target/product/security/testkey")

  # A/B updater expects key in RSA format.

  # A/B updater expects a signing key in RSA format. Gets the key ready for

  # later use in step 3, unless a payload_signer has been specified.

  if OPTIONS.payload_signer is None:

    cmd = ["openssl", "pkcs8",

    cmd = ["openssl", "pkcs8",

           "-in", OPTIONS.package_key + OPTIONS.private_key_suffix,

           "-in", OPTIONS.package_key + OPTIONS.private_key_suffix,

           "-inform", "DER", "-nocrypt"]

           "-inform", "DER", "-nocrypt"]

    p1.communicate()

    p1.communicate()

    assert p1.returncode == 0, "openssl pkcs8 failed"

    assert p1.returncode == 0, "openssl pkcs8 failed"

  # Stage the output zip package for signing.

  # Stage the output zip package for package signing.

  temp_zip_file = tempfile.NamedTemporaryFile()

  temp_zip_file = tempfile.NamedTemporaryFile()

  output_zip = zipfile.ZipFile(temp_zip_file, "w",

  output_zip = zipfile.ZipFile(temp_zip_file, "w",

                               compression=zipfile.ZIP_DEFLATED)

                               compression=zipfile.ZIP_DEFLATED)

  signed_metadata_sig_file = common.MakeTempFile(prefix="signed-sig-",

  signed_metadata_sig_file = common.MakeTempFile(prefix="signed-sig-",

                                                 suffix=".bin")

                                                 suffix=".bin")

  # 3a. Sign the payload hash.

  # 3a. Sign the payload hash.

  if OPTIONS.payload_signer is not None:

    cmd = [OPTIONS.payload_signer,

           "-inkey", OPTIONS.package_key + OPTIONS.private_key_suffix]

  else:

    cmd = ["openssl", "pkeyutl", "-sign",

    cmd = ["openssl", "pkeyutl", "-sign",

           "-inkey", rsa_key,

           "-inkey", rsa_key,

         "-pkeyopt", "digest:sha256",

           "-pkeyopt", "digest:sha256"]

         "-in", payload_sig_file,

  cmd.extend(["-in", payload_sig_file,

         "-out", signed_payload_sig_file]

              "-out", signed_payload_sig_file])

  p1 = common.Run(cmd, stdout=log_file, stderr=subprocess.STDOUT)

  p1 = common.Run(cmd, stdout=log_file, stderr=subprocess.STDOUT)

  p1.communicate()

  p1.communicate()

  assert p1.returncode == 0, "openssl sign payload failed"

  assert p1.returncode == 0, "openssl sign payload failed"

  # 3b. Sign the metadata hash.

  # 3b. Sign the metadata hash.

  if OPTIONS.payload_signer is not None:

    cmd = [OPTIONS.payload_signer,

           "-inkey", OPTIONS.package_key + OPTIONS.private_key_suffix]

  else:

    cmd = ["openssl", "pkeyutl", "-sign",

    cmd = ["openssl", "pkeyutl", "-sign",

           "-inkey", rsa_key,

           "-inkey", rsa_key,

         "-pkeyopt", "digest:sha256",

           "-pkeyopt", "digest:sha256"]

         "-in", metadata_sig_file,

  cmd.extend(["-in", metadata_sig_file,

         "-out", signed_metadata_sig_file]

              "-out", signed_metadata_sig_file])

  p1 = common.Run(cmd, stdout=log_file, stderr=subprocess.STDOUT)

  p1 = common.Run(cmd, stdout=log_file, stderr=subprocess.STDOUT)

  p1.communicate()

  p1.communicate()

  assert p1.returncode == 0, "openssl sign metadata failed"

  assert p1.returncode == 0, "openssl sign metadata failed"

      OPTIONS.gen_verify = True

      OPTIONS.gen_verify = True

    elif o == "--log_diff":

    elif o == "--log_diff":

      OPTIONS.log_diff = a

      OPTIONS.log_diff = a

    elif o == "--payload_signer":

      OPTIONS.payload_signer = a

    else:

    else:

      return False

      return False

    return True

    return True

                                 "stash_threshold=",

                                 "stash_threshold=",

                                 "gen_verify",

                                 "gen_verify",

                                 "log_diff=",

                                 "log_diff=",

                                 "payload_signer=",

                             ], extra_option_handler=option_handler)

                             ], extra_option_handler=option_handler)

  if len(args) != 2:

  if len(args) != 2: