From 2d0349334144e69597d63ad62e21a267bc1f31ce Mon Sep 17 00:00:00 2001
From: Inseob Kim
Date: Mon, 13 Dec 2021 14:04:00 +0900
Subject: [PATCH 1/2] Add fsverity_metadata_generator helper binary

Making this a host tool will help users generate their own fsverity metadata easily.

Bug: 205987437
Test: m fsverity_metadata_generator and run it
Change-Id: Iafd228815a74d298d87ca1466c6909c0d24c5874
---
 tools/releasetools/Android.bp | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/tools/releasetools/Android.bp b/tools/releasetools/Android.bp
index a979a8ece5..bf7f9a063d 100644
--- a/tools/releasetools/Android.bp
+++ b/tools/releasetools/Android.bp
@@ -553,6 +553,19 @@ python_binary_host {
 ],
 }
+python_binary_host {
+ name: "fsverity_metadata_generator",
+ srcs: [
+ "fsverity_metadata_generator.py",
+ ],
+ libs: [
+ "fsverity_digests_proto_python",
+ ],
+ required: [
+ "fsverity",
+ ],
+}
+
 //
 // Tests.
 //
From 067492988aa84522f54f0a57d0b6fc2530bbe18a Mon Sep 17 00:00:00 2001
From: Inseob Kim
Date: Mon, 13 Dec 2021 15:41:48 +0900
Subject: [PATCH 2/2] fsverity_metadata: Support PEM key

When we have a PEM key, we don't need the process converting a DER key to PEM format, but we just need to use the PEM key as-is.

Bug: 205987437
Test: build and manual test
Change-Id: I6f61a9088efc0f7193737d3c33b8cfde399b2b6f
---
 .../fsverity_metadata_generator.py | 30 +++++++++++++------
 1 file changed, 21 insertions(+), 9 deletions(-)

diff --git a/tools/releasetools/fsverity_metadata_generator.py b/tools/releasetools/fsverity_metadata_generator.py
index 666efd5d61..a300d2e932 100644
--- a/tools/releasetools/fsverity_metadata_generator.py
+++ b/tools/releasetools/fsverity_metadata_generator.py
@@ -55,6 +55,9 @@ class FSVerityMetadataGenerator:
 self.set_hash_alg("sha256")
 self.set_signature('none')
+ def set_key_format(self, key_format):
+ self._key_format = key_format
+
 def set_key(self, key):
 self._key = key
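Review bot: `set_key_format` stores its argument unchecked, and the two context lines above it (`self.set_hash_alg("sha256")`, `self.set_signature('none')`) gain no matching default for `_key_format`. The later hunk in the signing path compares `self._key_format == 'der'` and treats every other value as PEM, so a caller that never calls the setter gets an AttributeError there, and a caller that passes `'DER'` has the raw DER file handed to `--key` unconverted. I would add `self.set_key_format('der')` next to the other defaults and reject unknown values in the setter with `if key_format not in ('pem', 'der'): raise ValueError(f"unsupported key format: {key_format}")`. The method holding the two context lines starts outside the hunk, so reading it as the constructor is an assumption.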
@@ -130,14 +133,17 @@ class FSVerityMetadataGenerator:
 cmd.append(input_file)
 cmd.append(sig_file)
- # convert DER private key to PEM
- pem_key = os.path.join(work_dir, 'key.pem')
- key_cmd = ['openssl', 'pkcs8']
- key_cmd.extend(['-inform', 'DER'])
- key_cmd.extend(['-in', self._key])
- key_cmd.extend(['-nocrypt'])
- key_cmd.extend(['-out', pem_key])
- subprocess.check_call(key_cmd)
+ # If key is DER, convert DER private key to PEM
+ if self._key_format == 'der':
+ pem_key = os.path.join(work_dir, 'key.pem')
+ key_cmd = ['openssl', 'pkcs8']
+ key_cmd.extend(['-inform', 'DER'])
+ key_cmd.extend(['-in', self._key])
+ key_cmd.extend(['-nocrypt'])
+ key_cmd.extend(['-out', pem_key])
+ subprocess.check_call(key_cmd)
+ else:
+ pem_key = self._key
 cmd.extend(['--key', pem_key])
 cmd.extend(['--cert', self._cert])
@@ -195,9 +201,14 @@ if __name__ == '__main__':
 p.add_argument(
 'input',
 help='input file to be signed')
+ p.add_argument(
+ '--key-format',
+ choices=['pem', 'der'],
+ default='der',
+ help='format of the input key. Default is der')
 p.add_argument(
 '--key',
- help='PKCS#8 private key file in DER format')
+ help='PKCS#8 private key file')
 p.add_argument(
 '--cert',
 help='x509 certificate file in PEM format')
@@ -227,5 +238,6 @@ if __name__ == '__main__':
 raise ValueError("To generate signature, key and cert must be set")
 generator.set_key(args.key)
 generator.set_cert(args.cert)
+ generator.set_key_format(args.key_format)
 generator.set_hash_alg(args.hash_alg)
 generator.generate(args.input, args.output)
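Review bot: In the `der` branch of the `-130,14 +133,17` hunk, `openssl pkcs8 ... -nocrypt -out` still writes an unencrypted copy of the signing key to `key.pem` under `work_dir`, and nothing on the new side says who may read that directory or when it is removed. Creation and cleanup of `work_dir` are outside the hunk; if it is not a private temporary directory that is deleted on every exit path, including a failing `subprocess.check_call`, the plaintext key stays on disk. I would put the requirement on the branch as a comment: `# key.pem is an unencrypted copy of the signing key; work_dir must be private (0700) and removed after signing`. The new `pem` path passes `self._key` through without making that copy, which is worth stating in the `--key-format` help text.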