Merge "releasetools: Support using payload_signer." into nyc-mr1-dev

      Generate a log file that shows the differences in the source and target

      builds for an incremental package. This option is only meaningful when

      -i is specified.

  --payload_signer <signer>

      Specify the signer when signing the payload and metadata for A/B OTAs.

      By default (i.e. without this flag), it calls 'openssl pkeyutl' to sign

      with the package private key. If the private key cannot be accessed

      directly, a payload signer that knows how to do that should be specified.

      The signer will be supplied with "-inkey <path_to_key>",

      "-in <input_file>" and "-out <output_file>" parameters.

"""

import sys

OPTIONS.stash_threshold = 0.8

OPTIONS.gen_verify = False

OPTIONS.log_diff = None

OPTIONS.payload_signer = None

def MostPopularKey(d, default):

  """Given a dict, return the key corresponding to the largest

        "default_system_dev_certificate",

        "build/target/product/security/testkey")

  # A/B updater expects key in RSA format.

  # A/B updater expects a signing key in RSA format. Gets the key ready for

  # later use in step 3, unless a payload_signer has been specified.

  if OPTIONS.payload_signer is None:

    cmd = ["openssl", "pkcs8",

           "-in", OPTIONS.package_key + OPTIONS.private_key_suffix,

           "-inform", "DER", "-nocrypt"]

    p1.wait()

    assert p1.returncode == 0, "openssl pkcs8 failed"

  # Stage the output zip package for signing.

  # Stage the output zip package for package signing.

  temp_zip_file = tempfile.NamedTemporaryFile()

  output_zip = zipfile.ZipFile(temp_zip_file, "w",

                               compression=zipfile.ZIP_DEFLATED)

  signed_metadata_sig_file = common.MakeTempFile(prefix="signed-sig-",

                                                 suffix=".bin")

  # 3a. Sign the payload hash.

  if OPTIONS.payload_signer is not None:

    cmd = [OPTIONS.payload_signer,

           "-inkey", OPTIONS.package_key + OPTIONS.private_key_suffix]

  else:

    cmd = ["openssl", "pkeyutl", "-sign",

           "-inkey", rsa_key,

         "-pkeyopt", "digest:sha256",

         "-in", payload_sig_file,

         "-out", signed_payload_sig_file]

           "-pkeyopt", "digest:sha256"]

  cmd.extend(["-in", payload_sig_file,

              "-out", signed_payload_sig_file])

  p1 = common.Run(cmd, stdout=subprocess.PIPE)

  p1.wait()

  assert p1.returncode == 0, "openssl sign payload failed"

  # 3b. Sign the metadata hash.

  if OPTIONS.payload_signer is not None:

    cmd = [OPTIONS.payload_signer,

           "-inkey", OPTIONS.package_key + OPTIONS.private_key_suffix]

  else:

    cmd = ["openssl", "pkeyutl", "-sign",

           "-inkey", rsa_key,

         "-pkeyopt", "digest:sha256",

         "-in", metadata_sig_file,

         "-out", signed_metadata_sig_file]

           "-pkeyopt", "digest:sha256"]

  cmd.extend(["-in", metadata_sig_file,

              "-out", signed_metadata_sig_file])

  p1 = common.Run(cmd, stdout=subprocess.PIPE)

  p1.wait()

  assert p1.returncode == 0, "openssl sign metadata failed"

      OPTIONS.gen_verify = True

    elif o == "--log_diff":

      OPTIONS.log_diff = a

    elif o == "--payload_signer":

      OPTIONS.payload_signer = a

    else:

      return False

    return True

                                 "stash_threshold=",

                                 "gen_verify",

                                 "log_diff=",

                                 "payload_signer=",

                             ], extra_option_handler=option_handler)

  if len(args) != 2: