fsverity_metadata: Support PEM key

When we have a PEM key, we don't need the process converting a DER key to PEM format, but we just need to use the PEM key as-is. Bug: 205987437 Test: build and manual test Change-Id: I6f61a9088efc0f7193737d3c33b8cfde399b2b6f
2021-12-13 15:41:48 +09:00
parent 2d03493341
commit 067492988a
1 changed files with 21 additions and 9 deletions
--- a/tools/releasetools/fsverity_metadata_generator.py
+++ b/tools/releasetools/fsverity_metadata_generator.py
@@ -55,6 +55,9 @@ class FSVerityMetadataGenerator:
    self.set_hash_alg("sha256")
    self.set_signature('none')

+  def set_key_format(self, key_format):
+    self._key_format = key_format
+
  def set_key(self, key):
    self._key = key

@@ -130,14 +133,17 @@ class FSVerityMetadataGenerator:
      cmd.append(input_file)
      cmd.append(sig_file)

-      # convert DER private key to PEM
-      pem_key = os.path.join(work_dir, 'key.pem')
-      key_cmd = ['openssl', 'pkcs8']
-      key_cmd.extend(['-inform', 'DER'])
-      key_cmd.extend(['-in', self._key])
-      key_cmd.extend(['-nocrypt'])
-      key_cmd.extend(['-out', pem_key])
-      subprocess.check_call(key_cmd)
+      # If key is DER, convert DER private key to PEM
+      if self._key_format == 'der':
+        pem_key = os.path.join(work_dir, 'key.pem')
+        key_cmd = ['openssl', 'pkcs8']
+        key_cmd.extend(['-inform', 'DER'])
+        key_cmd.extend(['-in', self._key])
+        key_cmd.extend(['-nocrypt'])
+        key_cmd.extend(['-out', pem_key])
+        subprocess.check_call(key_cmd)
+      else:
+        pem_key = self._key

      cmd.extend(['--key', pem_key])
      cmd.extend(['--cert', self._cert])
@@ -195,9 +201,14 @@ if __name__ == '__main__':
  p.add_argument(
      'input',
      help='input file to be signed')
+  p.add_argument(
+      '--key-format',
+      choices=['pem', 'der'],
+      default='der',
+      help='format of the input key. Default is der')
  p.add_argument(
      '--key',
-      help='PKCS#8 private key file in DER format')
+      help='PKCS#8 private key file')
  p.add_argument(
      '--cert',
      help='x509 certificate file in PEM format')
@@ -227,5 +238,6 @@ if __name__ == '__main__':
      raise ValueError("To generate signature, key and cert must be set")
    generator.set_key(args.key)
    generator.set_cert(args.cert)
+  generator.set_key_format(args.key_format)
  generator.set_hash_alg(args.hash_alg)
  generator.generate(args.input, args.output)