Merge "Make signapk use Conscrypt." am: 7884a63731
am: dfd2199ef6
* commit 'dfd2199ef66dcc162a0165f9a34652ae2877538d':
Make signapk use Conscrypt.
This commit is contained in:
commit
c1b31821ef
6 changed files with 34 additions and 14 deletions
|
@ -1399,7 +1399,8 @@ OTATOOLS += \
|
|||
$(HOST_LIBRARY_PATH)/libext2_e2p-host$(HOST_SHLIB_SUFFIX) \
|
||||
$(HOST_LIBRARY_PATH)/libext2_profile-host$(HOST_SHLIB_SUFFIX) \
|
||||
$(HOST_LIBRARY_PATH)/libext2_quota-host$(HOST_SHLIB_SUFFIX) \
|
||||
$(HOST_LIBRARY_PATH)/libext2_uuid-host$(HOST_SHLIB_SUFFIX)
|
||||
$(HOST_LIBRARY_PATH)/libext2_uuid-host$(HOST_SHLIB_SUFFIX) \
|
||||
$(HOST_LIBRARY_PATH)/libconscrypt_openjdk_jni$(HOST_SHLIB_SUFFIX)
|
||||
|
||||
.PHONY: otatools
|
||||
otatools: $(OTATOOLS)
|
||||
|
|
|
@ -459,6 +459,7 @@ AIDL := $(HOST_OUT_EXECUTABLES)/aidl
|
|||
AAPT := $(HOST_OUT_EXECUTABLES)/aapt
|
||||
ZIPALIGN := $(HOST_OUT_EXECUTABLES)/zipalign
|
||||
SIGNAPK_JAR := $(HOST_OUT_JAVA_LIBRARIES)/signapk$(COMMON_JAVA_PACKAGE_SUFFIX)
|
||||
SIGNAPK_JNI_LIBRARY_PATH := $(HOST_OUT_SHARED_LIBRARIES)
|
||||
LLVM_RS_CC := $(HOST_OUT_EXECUTABLES)/llvm-rs-cc
|
||||
BCC_COMPAT := $(HOST_OUT_EXECUTABLES)/bcc_compat
|
||||
|
||||
|
@ -475,6 +476,8 @@ AIDL := $(prebuilt_sdk_tools_bin)/aidl
|
|||
AAPT := $(prebuilt_sdk_tools_bin)/aapt
|
||||
ZIPALIGN := $(prebuilt_sdk_tools_bin)/zipalign
|
||||
SIGNAPK_JAR := $(prebuilt_sdk_tools)/lib/signapk$(COMMON_JAVA_PACKAGE_SUFFIX)
|
||||
# Use 64-bit libraries unconditionally because 32-bit JVMs are no longer supported
|
||||
SIGNAPK_JNI_LIBRARY_PATH := $(prebuilt_sdk_tools)/$(HOST_OS)/lib64
|
||||
|
||||
DX := $(prebuilt_sdk_tools)/dx
|
||||
MAINDEXCLASSES := $(prebuilt_sdk_tools)/mainDexClasses
|
||||
|
|
|
@ -2166,7 +2166,7 @@ endef
|
|||
#
|
||||
define sign-package
|
||||
$(hide) mv $@ $@.unsigned
|
||||
$(hide) java -jar $(SIGNAPK_JAR) \
|
||||
$(hide) java -Djava.library.path=$(SIGNAPK_JNI_LIBRARY_PATH) -jar $(SIGNAPK_JAR) \
|
||||
$(PRIVATE_CERTIFICATE) $(PRIVATE_PRIVATE_KEY) \
|
||||
$(PRIVATE_ADDITIONAL_CERTIFICATES) $@.unsigned $@.signed
|
||||
$(hide) mv $@.signed $@
|
||||
|
|
|
@ -44,6 +44,7 @@ class Options(object):
|
|||
|
||||
self.search_path = platform_search_path.get(sys.platform, None)
|
||||
self.signapk_path = "framework/signapk.jar" # Relative to search_path
|
||||
self.signapk_shared_library_path = "lib64" # Relative to search_path
|
||||
self.extra_signapk_args = []
|
||||
self.java_path = "java" # Use the one on the path by default.
|
||||
self.java_args = "-Xmx2048m" # JVM Args
|
||||
|
@ -598,7 +599,12 @@ def SignFile(input_name, output_name, key, password, whole_file=False):
|
|||
zip file.
|
||||
"""
|
||||
|
||||
cmd = [OPTIONS.java_path, OPTIONS.java_args, "-jar",
|
||||
java_library_path = os.path.join(
|
||||
OPTIONS.search_path, OPTIONS.signapk_shared_library_path)
|
||||
|
||||
cmd = [OPTIONS.java_path, OPTIONS.java_args,
|
||||
"-Djava.library.path=" + java_library_path,
|
||||
"-jar",
|
||||
os.path.join(OPTIONS.search_path, OPTIONS.signapk_path)]
|
||||
cmd.extend(OPTIONS.extra_signapk_args)
|
||||
if whole_file:
|
||||
|
@ -718,7 +724,8 @@ def ParseOptions(argv,
|
|||
try:
|
||||
opts, args = getopt.getopt(
|
||||
argv, "hvp:s:x:" + extra_opts,
|
||||
["help", "verbose", "path=", "signapk_path=", "extra_signapk_args=",
|
||||
["help", "verbose", "path=", "signapk_path=",
|
||||
"signapk_shared_library_path=", "extra_signapk_args=",
|
||||
"java_path=", "java_args=", "public_key_suffix=",
|
||||
"private_key_suffix=", "boot_signer_path=", "boot_signer_args=",
|
||||
"verity_signer_path=", "verity_signer_args=", "device_specific=",
|
||||
|
@ -739,6 +746,8 @@ def ParseOptions(argv,
|
|||
OPTIONS.search_path = a
|
||||
elif o in ("--signapk_path",):
|
||||
OPTIONS.signapk_path = a
|
||||
elif o in ("--signapk_shared_library_path",):
|
||||
OPTIONS.signapk_shared_library_path = a
|
||||
elif o in ("--extra_signapk_args",):
|
||||
OPTIONS.extra_signapk_args = shlex.split(a)
|
||||
elif o in ("--java_path",):
|
||||
|
|
|
@ -21,11 +21,16 @@ include $(CLEAR_VARS)
|
|||
LOCAL_MODULE := signapk
|
||||
LOCAL_SRC_FILES := SignApk.java
|
||||
LOCAL_JAR_MANIFEST := SignApk.mf
|
||||
LOCAL_STATIC_JAVA_LIBRARIES := bouncycastle-host bouncycastle-bcpkix-host
|
||||
LOCAL_STATIC_JAVA_LIBRARIES := bouncycastle-host bouncycastle-bcpkix-host conscrypt-host
|
||||
LOCAL_REQUIRED_MODULES := libconscrypt_openjdk_jni
|
||||
include $(BUILD_HOST_JAVA_LIBRARY)
|
||||
|
||||
ifeq ($(TARGET_BUILD_APPS),)
|
||||
# The post-build signing tools need signapk.jar, but we don't
|
||||
# need this if we're just doing unbundled apps.
|
||||
$(call dist-for-goals,droidcore,$(LOCAL_INSTALLED_MODULE))
|
||||
# The post-build signing tools need signapk.jar and its shared libraries,
|
||||
# but we don't need this if we're just doing unbundled apps.
|
||||
my_dist_files := $(LOCAL_INSTALLED_MODULE) \
|
||||
$(HOST_OUT_SHARED_LIBRARIES)/libconscrypt_openjdk_jni$(HOST_SHLIB_SUFFIX)
|
||||
|
||||
$(call dist-for-goals,droidcore,$(my_dist_files))
|
||||
my_dist_files :=
|
||||
endif
|
||||
|
|
|
@ -34,6 +34,7 @@ import org.bouncycastle.operator.OperatorCreationException;
|
|||
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
|
||||
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
|
||||
import org.bouncycastle.util.encoders.Base64;
|
||||
import org.conscrypt.OpenSSLProvider;
|
||||
|
||||
import java.io.Console;
|
||||
import java.io.BufferedReader;
|
||||
|
@ -110,8 +111,6 @@ class SignApk {
|
|||
|
||||
private static final String OTACERT_NAME = "META-INF/com/android/otacert";
|
||||
|
||||
private static Provider sBouncyCastleProvider;
|
||||
|
||||
// bitmasks for which hash algorithms we need the manifest to include.
|
||||
private static final int USE_SHA1 = 1;
|
||||
private static final int USE_SHA256 = 2;
|
||||
|
@ -451,12 +450,10 @@ class SignApk {
|
|||
|
||||
CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
|
||||
ContentSigner signer = new JcaContentSignerBuilder(getSignatureAlgorithm(publicKey))
|
||||
.setProvider(sBouncyCastleProvider)
|
||||
.build(privateKey);
|
||||
gen.addSignerInfoGenerator(
|
||||
new JcaSignerInfoGeneratorBuilder(
|
||||
new JcaDigestCalculatorProviderBuilder()
|
||||
.setProvider(sBouncyCastleProvider)
|
||||
.build())
|
||||
.setDirectSignature(true)
|
||||
.build(signer, publicKey));
|
||||
|
@ -879,8 +876,13 @@ class SignApk {
|
|||
public static void main(String[] args) {
|
||||
if (args.length < 4) usage();
|
||||
|
||||
sBouncyCastleProvider = new BouncyCastleProvider();
|
||||
Security.addProvider(sBouncyCastleProvider);
|
||||
// Install Conscrypt as the highest-priority provider. Its crypto primitives are faster than
|
||||
// the standard or Bouncy Castle ones.
|
||||
Security.insertProviderAt(new OpenSSLProvider(), 1);
|
||||
// Install Bouncy Castle (as the lowest-priority provider) because Conscrypt does not offer
|
||||
// DSA which may still be needed.
|
||||
// TODO: Stop installing Bouncy Castle provider once DSA is no longer needed.
|
||||
Security.addProvider(new BouncyCastleProvider());
|
||||
|
||||
boolean signWholeFile = false;
|
||||
String providerClass = null;
|
||||
|
|
Loading…
Reference in a new issue