platform_build/target/product/security
Sami Tolvanen 8d212ea873 DO NOT MERGE: Change verity key formats
Change boot, recovery, and verity metadata signing keys to use the
same PKCS8 / X.509 PEM format as the other signing keys, and update
build scripts to use correct arguments for the updated signing
tools.

Bug: 15984840
Bug: 18120110
Change-Id: I23ed5a004ecdad6cf7696487935ad5031eb8adf8
(cherry picked from commit 72d90eb189)
2014-11-13 23:23:31 +00:00
..
Android.mk Add support for verity builds to the build system. 2013-11-17 16:09:34 -08:00
media.pk8 auto import from //depot/cupcake/@135843 2009-03-03 19:28:42 -08:00
media.x509.pem auto import from //depot/cupcake/@135843 2009-03-03 19:28:42 -08:00
platform.pk8 auto import from //depot/cupcake/@135843 2009-03-03 19:28:42 -08:00
platform.x509.pem auto import from //depot/cupcake/@135843 2009-03-03 19:28:42 -08:00
README remove mkkey.sh from build 2009-12-01 12:42:30 -08:00
shared.pk8 auto import from //depot/cupcake/@135843 2009-03-03 19:28:42 -08:00
shared.x509.pem auto import from //depot/cupcake/@135843 2009-03-03 19:28:42 -08:00
testkey.pk8 auto import from //depot/cupcake/@135843 2009-03-03 19:28:42 -08:00
testkey.x509.pem auto import from //depot/cupcake/@135843 2009-03-03 19:28:42 -08:00
verity.pk8 DO NOT MERGE: Change verity key formats 2014-11-13 23:23:31 +00:00
verity.x509.pem DO NOT MERGE: Change verity key formats 2014-11-13 23:23:31 +00:00
verity_key DO NOT MERGE: Change verity key formats 2014-11-13 23:23:31 +00:00

The following commands were used to generate the test key pairs:

  development/tools/make_key testkey  '/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com'
  development/tools/make_key platform '/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com'
  development/tools/make_key shared   '/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com'
  development/tools/make_key media    '/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com'

The following standard test keys are currently included:

testkey -- a generic key for packages that do not otherwise specify a key.
platform -- a test key for packages that are part of the core platform.
shared -- a test key for things that are shared in the home/contacts process.
media -- a test key for packages that are part of the media/download system.

These test keys are used strictly in development, and should never be assumed
to convey any sort of validity.  When $BUILD_SECURE=true, the code should not
honor these keys in any context.


signing using the openssl commandline (for boot/system images)
--------------------------------------------------------------

1. convert pk8 format key to pem format
   % openssl pkcs8 -inform DER -nocrypt -in testkey.pk8 -out testkey.pem

2. create a signature using the pem format key
   % openssl dgst -binary -sha1 -sign testkey.pem FILE > FILE.sig

extracting public keys for embedding
------------------------------------
it's a Java tool
but it generates C code
take a look at commands/recovery/Android.mk
you'll see it running $(HOST_OUT_JAVA_LIBRARIES)/dumpkey.jar