platform_build/tools/releasetools/apex_utils.py
Tao Bao 1cd59f2a26 releasetools: Add apex_utils.py.
The added `testdata/testkey_with_passwd.key` is generated with:

$ openssl pkcs8 -inform DER -in testdata/testkey_with_passwd.pk8 \
    -out testdata/testkey_with_passwd.key -passin pass:foo

Bug: 123716522
Test: python -m unittest test_apex_utils
Change-Id: I7b7f00178ecab35c3e41ecf4d10295fe9bf480ab
2019-03-15 22:08:42 -07:00

147 lines
4.7 KiB
Python

#!/usr/bin/env python
#
# Copyright (C) 2019 The Android Open Source Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
import logging
import os.path
import re
import shlex
import sys
import common
logger = logging.getLogger(__name__)
class ApexInfoError(Exception):
"""An Exception raised during Apex Information command."""
def __init__(self, message):
Exception.__init__(self, message)
class ApexSigningError(Exception):
"""An Exception raised during Apex Payload signing."""
def __init__(self, message):
Exception.__init__(self, message)
def SignApexPayload(payload_file, payload_key_path, payload_key_name, algorithm,
salt, signing_args=None):
"""Signs a given payload_file with the payload key."""
# Add the new footer. Old footer, if any, will be replaced by avbtool.
cmd = ['avbtool', 'add_hashtree_footer',
'--do_not_generate_fec',
'--algorithm', algorithm,
'--key', payload_key_path,
'--prop', 'apex.key:{}'.format(payload_key_name),
'--image', payload_file,
'--salt', salt]
if signing_args:
cmd.extend(shlex.split(signing_args))
try:
common.RunAndCheckOutput(cmd)
except common.ExternalError as e:
raise ApexSigningError, \
'Failed to sign APEX payload {} with {}:\n{}'.format(
payload_file, payload_key_path, e), sys.exc_info()[2]
# Verify the signed payload image with specified public key.
logger.info('Verifying %s', payload_file)
VerifyApexPayload(payload_file, payload_key_path)
def VerifyApexPayload(payload_file, payload_key):
"""Verifies the APEX payload signature with the given key."""
cmd = ['avbtool', 'verify_image', '--image', payload_file,
'--key', payload_key]
try:
common.RunAndCheckOutput(cmd)
except common.ExternalError as e:
raise ApexSigningError, \
'Failed to validate payload signing for {} with {}:\n{}'.format(
payload_file, payload_key, e), sys.exc_info()[2]
def ParseApexPayloadInfo(payload_path):
"""Parses the APEX payload info.
Args:
payload_path: The path to the payload image.
Raises:
ApexInfoError on parsing errors.
Returns:
A dict that contains payload property-value pairs. The dict should at least
contain Algorithm, Salt and apex.key.
"""
if not os.path.exists(payload_path):
raise ApexInfoError('Failed to find image: {}'.format(payload_path))
cmd = ['avbtool', 'info_image', '--image', payload_path]
try:
output = common.RunAndCheckOutput(cmd)
except common.ExternalError as e:
raise ApexInfoError, \
'Failed to get APEX payload info for {}:\n{}'.format(
payload_path, e), sys.exc_info()[2]
# Extract the Algorithm / Salt / Prop info from payload (i.e. an image signed
# with avbtool). For example,
# Algorithm: SHA256_RSA4096
PAYLOAD_INFO_PATTERN = (
r'^\s*(?P<key>Algorithm|Salt|Prop)\:\s*(?P<value>.*?)$')
payload_info_matcher = re.compile(PAYLOAD_INFO_PATTERN)
payload_info = {}
for line in output.split('\n'):
line_info = payload_info_matcher.match(line)
if not line_info:
continue
key, value = line_info.group('key'), line_info.group('value')
if key == 'Prop':
# Further extract the property key-value pair, from a 'Prop:' line. For
# example,
# Prop: apex.key -> 'com.android.runtime'
# Note that avbtool writes single or double quotes around values.
PROPERTY_DESCRIPTOR_PATTERN = r'^\s*(?P<key>.*?)\s->\s*(?P<value>.*?)$'
prop_matcher = re.compile(PROPERTY_DESCRIPTOR_PATTERN)
prop = prop_matcher.match(value)
if not prop:
raise ApexInfoError(
'Failed to parse prop string {}'.format(value))
prop_key, prop_value = prop.group('key'), prop.group('value')
if prop_key == 'apex.key':
# avbtool dumps the prop value with repr(), which contains single /
# double quotes that we don't want.
payload_info[prop_key] = prop_value.strip('\"\'')
else:
payload_info[key] = value
# Sanity check.
for key in ('Algorithm', 'Salt', 'apex.key'):
if key not in payload_info:
raise ApexInfoError(
'Failed to find {} prop in {}'.format(key, payload_path))
return payload_info