releasetools: Clean up ReplaceVerityKeyId and add tests.
Test: python -m unittest test_sign_target_files_apks
Test: Run sign_target_files_apks.py on marlin target_files.zip.
Change-Id: Ic3c3f4f14c73f8f8e48a8341e024e0861e665989
diff --git a/tools/releasetools/sign_target_files_apks.py b/tools/releasetools/sign_target_files_apks.py
index 73d77e7..7a1126c 100755
--- a/tools/releasetools/sign_target_files_apks.py
+++ b/tools/releasetools/sign_target_files_apks.py
@@ -577,31 +577,39 @@
misc_info["verity_key"] = key_path
-def ReplaceVerityKeyId(targetfile_input_zip, targetfile_output_zip, key_path):
- in_cmdline = targetfile_input_zip.read("BOOT/cmdline")
- # copy in_cmdline to output_zip if veritykeyid is not present in in_cmdline
+def ReplaceVerityKeyId(input_zip, output_zip, key_path):
+ """Replaces the veritykeyid parameter in BOOT/cmdline.
+
+ Args:
+ input_zip: The input target_files zip, which should be already open.
+ output_zip: The output target_files zip, which should be already open and
+ writable.
+ key_path: The path to the PEM encoded X.509 certificate.
+ """
+ in_cmdline = input_zip.read("BOOT/cmdline")
+ # Copy in_cmdline to output_zip if veritykeyid is not present.
if "veritykeyid" not in in_cmdline:
- common.ZipWriteStr(targetfile_output_zip, "BOOT/cmdline", in_cmdline)
- return in_cmdline
+ common.ZipWriteStr(output_zip, "BOOT/cmdline", in_cmdline)
+ return
+
out_buffer = []
for param in in_cmdline.split():
- if "veritykeyid" in param:
- # extract keyid using openssl command
- p = common.Run(
- ["openssl", "x509", "-in", key_path, "-text"],
- stdout=subprocess.PIPE)
- keyid, stderr = p.communicate()
- keyid = re.search(
- r'keyid:([0-9a-fA-F:]*)', keyid).group(1).replace(':', '').lower()
- print("Replacing verity keyid with %s error=%s" % (keyid, stderr))
- out_buffer.append("veritykeyid=id:%s" % (keyid,))
- else:
+ if "veritykeyid" not in param:
out_buffer.append(param)
+ continue
- out_cmdline = ' '.join(out_buffer)
- out_cmdline = out_cmdline.strip()
- print("out_cmdline %s" % (out_cmdline))
- common.ZipWriteStr(targetfile_output_zip, "BOOT/cmdline", out_cmdline)
+ # Extract keyid using openssl command.
+ p = common.Run(["openssl", "x509", "-in", key_path, "-text"],
+ stdout=subprocess.PIPE)
+ keyid, stderr = p.communicate()
+ assert p.returncode == 0, "Failed to dump certificate: {}".format(stderr)
+ keyid = re.search(
+ r'keyid:([0-9a-fA-F:]*)', keyid).group(1).replace(':', '').lower()
+ print("Replacing verity keyid with {}".format(keyid))
+ out_buffer.append("veritykeyid=id:%s" % (keyid,))
+
+ out_cmdline = ' '.join(out_buffer).strip() + '\n'
+ common.ZipWriteStr(output_zip, "BOOT/cmdline", out_cmdline)
def ReplaceMiscInfoTxt(input_zip, output_zip, misc_info):
diff --git a/tools/releasetools/test_sign_target_files_apks.py b/tools/releasetools/test_sign_target_files_apks.py
index 90afdc7..726d6b9 100644
--- a/tools/releasetools/test_sign_target_files_apks.py
+++ b/tools/releasetools/test_sign_target_files_apks.py
@@ -16,13 +16,22 @@
from __future__ import print_function
+import tempfile
import unittest
+import zipfile
-from sign_target_files_apks import EditTags, RewriteProps
+import common
+from sign_target_files_apks import EditTags, ReplaceVerityKeyId, RewriteProps
class SignTargetFilesApksTest(unittest.TestCase):
+ def setUp(self):
+ self.tempdir = common.MakeTempDir()
+
+ def tearDown(self):
+ common.Cleanup()
+
def test_EditTags(self):
self.assertEqual(EditTags('dev-keys'), ('release-keys'))
self.assertEqual(EditTags('test-keys'), ('release-keys'))
@@ -59,9 +68,132 @@
)
# Assert the case for each individual line.
- for input, output in props:
- self.assertEqual(RewriteProps(input), output)
+ for prop, output in props:
+ self.assertEqual(RewriteProps(prop), output)
# Concatenate all the input lines.
self.assertEqual(RewriteProps('\n'.join([prop[0] for prop in props])),
''.join([prop[1] for prop in props]))
+
+ def test_ReplaceVerityKeyId(self):
+ BOOT_CMDLINE1 = (
+ "console=ttyHSL0,115200,n8 androidboot.console=ttyHSL0 "
+ "androidboot.hardware=marlin user_debug=31 ehci-hcd.park=3 "
+ "lpm_levels.sleep_disabled=1 cma=32M@0-0xffffffff loop.max_part=7 "
+ "buildvariant=userdebug "
+ "veritykeyid=id:7e4333f9bba00adfe0ede979e28ed1920492b40f\n")
+
+ BOOT_CMDLINE2 = (
+ "console=ttyHSL0,115200,n8 androidboot.console=ttyHSL0 "
+ "androidboot.hardware=marlin user_debug=31 ehci-hcd.park=3 "
+ "lpm_levels.sleep_disabled=1 cma=32M@0-0xffffffff loop.max_part=7 "
+ "buildvariant=userdebug "
+ "veritykeyid=id:485900563d272c46ae118605a47419ac09ca8c11\n")
+
+ # From build/target/product/security/verity.x509.pem.
+ VERITY_CERTIFICATE1 = """-----BEGIN CERTIFICATE-----
+MIID/TCCAuWgAwIBAgIJAJcPmDkJqolJMA0GCSqGSIb3DQEBBQUAMIGUMQswCQYD
+VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4g
+VmlldzEQMA4GA1UECgwHQW5kcm9pZDEQMA4GA1UECwwHQW5kcm9pZDEQMA4GA1UE
+AwwHQW5kcm9pZDEiMCAGCSqGSIb3DQEJARYTYW5kcm9pZEBhbmRyb2lkLmNvbTAe
+Fw0xNDExMDYxOTA3NDBaFw00MjAzMjQxOTA3NDBaMIGUMQswCQYDVQQGEwJVUzET
+MBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzEQMA4G
+A1UECgwHQW5kcm9pZDEQMA4GA1UECwwHQW5kcm9pZDEQMA4GA1UEAwwHQW5kcm9p
+ZDEiMCAGCSqGSIb3DQEJARYTYW5kcm9pZEBhbmRyb2lkLmNvbTCCASIwDQYJKoZI
+hvcNAQEBBQADggEPADCCAQoCggEBAOjreE0vTVSRenuzO9vnaWfk0eQzYab0gqpi
+6xAzi6dmD+ugoEKJmbPiuE5Dwf21isZ9uhUUu0dQM46dK4ocKxMRrcnmGxydFn6o
+fs3ODJMXOkv2gKXL/FdbEPdDbxzdu8z3yk+W67udM/fW7WbaQ3DO0knu+izKak/3
+T41c5uoXmQ81UNtAzRGzGchNVXMmWuTGOkg6U+0I2Td7K8yvUMWhAWPPpKLtVH9r
+AL5TzjYNR92izdKcz3AjRsI3CTjtpiVABGeX0TcjRSuZB7K9EK56HV+OFNS6I1NP
+jdD7FIShyGlqqZdUOkAUZYanbpgeT5N7QL6uuqcGpoTOkalu6kkCAwEAAaNQME4w
+HQYDVR0OBBYEFH5DM/m7oArf4O3peeKO0ZIEkrQPMB8GA1UdIwQYMBaAFH5DM/m7
+oArf4O3peeKO0ZIEkrQPMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEB
+AHO3NSvDE5jFvMehGGtS8BnFYdFKRIglDMc4niWSzhzOVYRH4WajxdtBWc5fx0ix
+NF/+hVKVhP6AIOQa+++sk+HIi7RvioPPbhjcsVlZe7cUEGrLSSveGouQyc+j0+m6
+JF84kszIl5GGNMTnx0XRPO+g8t6h5LWfnVydgZfpGRRg+WHewk1U2HlvTjIceb0N
+dcoJ8WKJAFWdcuE7VIm4w+vF/DYX/A2Oyzr2+QRhmYSv1cusgAeC1tvH4ap+J1Lg
+UnOu5Kh/FqPLLSwNVQp4Bu7b9QFfqK8Moj84bj88NqRGZgDyqzuTrFxn6FW7dmyA
+yttuAJAEAymk1mipd9+zp38=
+-----END CERTIFICATE-----
+"""
+
+ # From build/target/product/security/testkey.x509.pem.
+ VERITY_CERTIFICATE2 = """-----BEGIN CERTIFICATE-----
+MIIEqDCCA5CgAwIBAgIJAJNurL4H8gHfMA0GCSqGSIb3DQEBBQUAMIGUMQswCQYD
+VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4g
+VmlldzEQMA4GA1UEChMHQW5kcm9pZDEQMA4GA1UECxMHQW5kcm9pZDEQMA4GA1UE
+AxMHQW5kcm9pZDEiMCAGCSqGSIb3DQEJARYTYW5kcm9pZEBhbmRyb2lkLmNvbTAe
+Fw0wODAyMjkwMTMzNDZaFw0zNTA3MTcwMTMzNDZaMIGUMQswCQYDVQQGEwJVUzET
+MBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEQMA4G
+A1UEChMHQW5kcm9pZDEQMA4GA1UECxMHQW5kcm9pZDEQMA4GA1UEAxMHQW5kcm9p
+ZDEiMCAGCSqGSIb3DQEJARYTYW5kcm9pZEBhbmRyb2lkLmNvbTCCASAwDQYJKoZI
+hvcNAQEBBQADggENADCCAQgCggEBANaTGQTexgskse3HYuDZ2CU+Ps1s6x3i/waM
+qOi8qM1r03hupwqnbOYOuw+ZNVn/2T53qUPn6D1LZLjk/qLT5lbx4meoG7+yMLV4
+wgRDvkxyGLhG9SEVhvA4oU6Jwr44f46+z4/Kw9oe4zDJ6pPQp8PcSvNQIg1QCAcy
+4ICXF+5qBTNZ5qaU7Cyz8oSgpGbIepTYOzEJOmc3Li9kEsBubULxWBjf/gOBzAzU
+RNps3cO4JFgZSAGzJWQTT7/emMkod0jb9WdqVA2BVMi7yge54kdVMxHEa5r3b97s
+zI5p58ii0I54JiCUP5lyfTwE/nKZHZnfm644oLIXf6MdW2r+6R8CAQOjgfwwgfkw
+HQYDVR0OBBYEFEhZAFY9JyxGrhGGBaR0GawJyowRMIHJBgNVHSMEgcEwgb6AFEhZ
+AFY9JyxGrhGGBaR0GawJyowRoYGapIGXMIGUMQswCQYDVQQGEwJVUzETMBEGA1UE
+CBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEQMA4GA1UEChMH
+QW5kcm9pZDEQMA4GA1UECxMHQW5kcm9pZDEQMA4GA1UEAxMHQW5kcm9pZDEiMCAG
+CSqGSIb3DQEJARYTYW5kcm9pZEBhbmRyb2lkLmNvbYIJAJNurL4H8gHfMAwGA1Ud
+EwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAHqvlozrUMRBBVEY0NqrrwFbinZa
+J6cVosK0TyIUFf/azgMJWr+kLfcHCHJsIGnlw27drgQAvilFLAhLwn62oX6snb4Y
+LCBOsVMR9FXYJLZW2+TcIkCRLXWG/oiVHQGo/rWuWkJgU134NDEFJCJGjDbiLCpe
++ZTWHdcwauTJ9pUbo8EvHRkU3cYfGmLaLfgn9gP+pWA7LFQNvXwBnDa6sppCccEX
+31I828XzgXpJ4O+mDL1/dBd+ek8ZPUP0IgdyZm5MTYPhvVqGCHzzTy3sIeJFymwr
+sBbmg2OAUNLEMO6nwmocSdN2ClirfxqCzJOLSDE4QyS9BAH6EhY6UFcOaE0=
+-----END CERTIFICATE-----
+"""
+
+ input_file = tempfile.NamedTemporaryFile(
+ delete=False, suffix='.zip', dir=self.tempdir)
+ with zipfile.ZipFile(input_file.name, 'w') as input_zip:
+ input_zip.writestr('BOOT/cmdline', BOOT_CMDLINE1)
+
+ # Test with the first certificate.
+ cert_file = tempfile.NamedTemporaryFile(
+ delete=False, suffix='.x509.pem', dir=self.tempdir)
+ cert_file.write(VERITY_CERTIFICATE1)
+ cert_file.close()
+
+ output_file = tempfile.NamedTemporaryFile(
+ delete=False, suffix='.zip', dir=self.tempdir)
+ with zipfile.ZipFile(input_file.name, 'r') as input_zip, \
+ zipfile.ZipFile(output_file.name, 'w') as output_zip:
+ ReplaceVerityKeyId(input_zip, output_zip, cert_file.name)
+
+ with zipfile.ZipFile(output_file.name) as output_zip:
+ self.assertEqual(BOOT_CMDLINE1, output_zip.read('BOOT/cmdline'))
+
+ # Test with the second certificate.
+ with open(cert_file.name, 'w') as cert_file_fp:
+ cert_file_fp.write(VERITY_CERTIFICATE2)
+
+ with zipfile.ZipFile(input_file.name, 'r') as input_zip, \
+ zipfile.ZipFile(output_file.name, 'w') as output_zip:
+ ReplaceVerityKeyId(input_zip, output_zip, cert_file.name)
+
+ with zipfile.ZipFile(output_file.name) as output_zip:
+ self.assertEqual(BOOT_CMDLINE2, output_zip.read('BOOT/cmdline'))
+
+ def test_ReplaceVerityKeyId_no_veritykeyid(self):
+ BOOT_CMDLINE = (
+ "console=ttyHSL0,115200,n8 androidboot.hardware=bullhead boot_cpus=0-5 "
+ "lpm_levels.sleep_disabled=1 msm_poweroff.download_mode=0 "
+ "loop.max_part=7\n")
+
+ input_file = tempfile.NamedTemporaryFile(
+ delete=False, suffix='.zip', dir=self.tempdir)
+ with zipfile.ZipFile(input_file.name, 'w') as input_zip:
+ input_zip.writestr('BOOT/cmdline', BOOT_CMDLINE)
+
+ output_file = tempfile.NamedTemporaryFile(
+ delete=False, suffix='.zip', dir=self.tempdir)
+ with zipfile.ZipFile(input_file.name, 'r') as input_zip, \
+ zipfile.ZipFile(output_file.name, 'w') as output_zip:
+ ReplaceVerityKeyId(input_zip, output_zip, None)
+
+ with zipfile.ZipFile(output_file.name) as output_zip:
+ self.assertEqual(BOOT_CMDLINE, output_zip.read('BOOT/cmdline'))