shim/build/Android.bp

// Copyright (C) 2019 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// Build rules to build shim apexes.

genrule {
  name: "com.android.apex.cts.shim.pem",
  out: ["com.android.apex.cts.shim.pem"],
  cmd: "openssl genrsa -out $(out) 4096",
}

genrule {
  name: "com.android.apex.cts.shim.pubkey",
  srcs: [":com.android.apex.cts.shim.pem"],
  out: ["com.android.apex.cts.shim.pubkey"],
  tools: ["avbtool"],
  cmd: "$(location avbtool) extract_public_key --key $(in) --output $(out)",
}

apex_key {
  name: "com.android.apex.cts.shim.key",
  private_key: ":com.android.apex.cts.shim.pem",
  public_key: ":com.android.apex.cts.shim.pubkey",
  installable: false,
}

genrule {
  name: "generate_hash_of_dev_null",
  out: ["hash.txt"],
  cmd: "sha512sum -b /dev/null | cut -d' ' -f1 | tee $(out)",
}

prebuilt_etc {
  name: "hash_of_dev_null",
  src: ":generate_hash_of_dev_null",
  filename: "hash.txt",
  installable: false,
}

apex {
  name: "com.android.apex.cts.shim.v3",
  manifest: "manifest_v3.json",
  androidManifest: "AndroidManifest.xml",
  file_contexts: ":apex.test-file_contexts",
  key: "com.android.apex.cts.shim.key",
  prebuilts: ["hash_of_dev_null"],
  apps: ["CtsShim", "CtsShimPriv"],
  installable: false,
  allowed_files: "default_shim_allowed_list.txt",
}

apex {
  name: "com.android.apex.cts.shim.v2",
  manifest: "manifest_v2.json",
  androidManifest: "AndroidManifest.xml",
  file_contexts: ":apex.test-file_contexts",
  key: "com.android.apex.cts.shim.key",
  prebuilts: ["hash_of_dev_null"],
  apps: ["CtsShim", "CtsShimPriv"],
  installable: false,
  allowed_files: "default_shim_allowed_list.txt",
}

apex {
  name: "com.android.apex.cts.shim.v2_without_apk_in_apex",
  manifest: "manifest_v2.json",
  androidManifest: "AndroidManifest.xml",
  file_contexts: ":apex.test-file_contexts",
  key: "com.android.apex.cts.shim.key",
  prebuilts: ["hash_of_dev_null"],
  installable: false,
  allowed_files: "default_shim_allowed_list.txt",
}

apex {
  name: "com.android.apex.cts.shim.v2_no_hashtree",
  manifest: "manifest_v2.json",
  androidManifest: "AndroidManifest.xml",
  file_contexts: ":apex.test-file_contexts",
  key: "com.android.apex.cts.shim.key",
  prebuilts: ["hash_of_dev_null"],
  apps: ["CtsShim", "CtsShimPriv"],
  installable: false,
  allowed_files: "default_shim_allowed_list.txt",
  test_only_no_hashtree: true,
}

apex {
  name: "com.android.apex.cts.shim.v2_unsigned_payload",
  manifest: "manifest_v2.json",
  androidManifest: "AndroidManifest.xml",
  file_contexts: ":apex.test-file_contexts",
  key: "com.android.apex.cts.shim.key",
  prebuilts: ["hash_of_dev_null"],
  apps: ["CtsShim", "CtsShimPriv"],
  installable: false,
  allowed_files: "default_shim_allowed_list.txt",
  test_only_unsigned_payload: true,
}

override_apex {
    name: "com.android.apex.cts.shim.v2_different_package_name",
    package_name: "com.android.apex.cts.shim.different",
    base: "com.android.apex.cts.shim.v2",
}

genrule {
  name: "generate_empty_hash",
  out: ["hash.txt"],
  cmd: "touch $(out)",
}

prebuilt_etc {
  name: "empty_hash",
  src: ":generate_empty_hash",
  filename: "hash.txt",
  installable: false,
}

// Use empty hash.txt to make sure that this apex has wrong SHA512, hence trying
// to stage it should fail.
apex {
  name: "com.android.apex.cts.shim.v2_wrong_sha",
  manifest: "manifest_v2.json",
  androidManifest: "AndroidManifest.xml",
  file_contexts: ":apex.test-file_contexts",
  key: "com.android.apex.cts.shim.key",
  prebuilts: ["empty_hash"],
  installable: false,
}

prebuilt_etc {
  name: "apex_shim_additional_file",
  src: "additional_file",
  filename: "additional_file",
  installable: false,
}

apex {
  name: "com.android.apex.cts.shim.v2_additional_file",
  manifest: "manifest_v2.json",
  androidManifest: "AndroidManifest.xml",
  file_contexts: ":apex.test-file_contexts",
  key: "com.android.apex.cts.shim.key",
  prebuilts: ["hash_of_dev_null", "apex_shim_additional_file"],
  installable: false,
}

prebuilt_etc {
  name: "apex_shim_additional_folder",
  src: "additional_file",
  filename: "additional_file",
  sub_dir: "additional_folder",
  installable: false,
}

apex {
  name: "com.android.apex.cts.shim.v2_additional_folder",
  manifest: "manifest_v2.json",
  androidManifest: "AndroidManifest.xml",
  file_contexts: ":apex.test-file_contexts",
  key: "com.android.apex.cts.shim.key",
  prebuilts: ["hash_of_dev_null", "apex_shim_additional_folder"],
  installable: false,
}

apex {
  name: "com.android.apex.cts.shim.v2_with_pre_install_hook",
  manifest: "manifest_v2_with_pre_install_hook.json",
  androidManifest: "AndroidManifest.xml",
  file_contexts: ":apex.test-file_contexts",
  key: "com.android.apex.cts.shim.key",
  prebuilts: ["hash_of_dev_null"],
  installable: false,
}

apex {
  name: "com.android.apex.cts.shim.v2_with_post_install_hook",
  manifest: "manifest_v2_with_post_install_hook.json",
  androidManifest: "AndroidManifest.xml",
  file_contexts: ":apex.test-file_contexts",
  key: "com.android.apex.cts.shim.key",
  prebuilts: ["hash_of_dev_null"],
  installable: false,
}

genrule {
  name: "generate_hash_v1",
  srcs: [
    ":com.android.apex.cts.shim.v2",
    ":com.android.apex.cts.shim.v2_without_apk_in_apex",
    ":com.android.apex.cts.shim.v2_additional_file",
    ":com.android.apex.cts.shim.v2_additional_folder",
    ":com.android.apex.cts.shim.v2_different_certificate",
    ":com.android.apex.cts.shim.v2_different_package_name",
    ":com.android.apex.cts.shim.v2_no_hashtree",
    ":com.android.apex.cts.shim.v2_signed_bob",
    ":com.android.apex.cts.shim.v2_signed_bob_rot",
    ":com.android.apex.cts.shim.v2_signed_bob_rot_rollback",
    ":com.android.apex.cts.shim.v2_with_pre_install_hook",
    ":com.android.apex.cts.shim.v2_with_post_install_hook",
    ":com.android.apex.cts.shim.v2_sdk_target_p",
    ":com.android.apex.cts.shim.v2_apk_in_apex_sdk_target_p",
    ":com.android.apex.cts.shim.v3",
    ":com.android.apex.cts.shim.v3_signed_bob",
    ":com.android.apex.cts.shim.v3_signed_bob_rot",
  ],
  out: ["hash.txt"],
  cmd: "sha512sum -b $(in) | cut -d' ' -f1 | tee $(out)",
}

prebuilt_etc {
  name: "hash_v1",
  src: ":generate_hash_v1",
  filename: "hash.txt",
  installable: false,
}

apex {
  name: "com.android.apex.cts.shim.v1",
  manifest: "manifest.json",
  androidManifest: "AndroidManifest.xml",
  file_contexts: ":apex.test-file_contexts",
  key: "com.android.apex.cts.shim.key",
  prebuilts: ["hash_v1"],
  apps: ["CtsShim", "CtsShimPriv"],
  allowed_files: "default_shim_allowed_list.txt",
}

// This is to install the flattened version of com.android.apex.cts.shim.
// Because com.android.apex.cts.shim is provided as prebuilt and the build system
// doesn't support install "flattened" version from "prebult" yet, GSI, which should
// have both "flatttened" and "unflattened" APEXes, is missing the flattened version
// of com.android.apex.cts.shim.
// TODO(b/159426728):  When the build system can install "flattened" from "prebuilts",
// this can be removed.
override_apex {
  name: "com.android.apex.cts.shim.v1_with_prebuilts",
  base: "com.android.apex.cts.shim.v1",
  apps: ["CtsShimPrebuilt", "CtsShimPrivPrebuilt"],
  allowed_files: "prebuilts_shim_allowed_list.txt",
}

genrule {
  name: "com.android.apex.cts.shim_not_pre_installed.pem",
  out: ["com.android.apex.cts.shim_not_pre_installed.pem"],
  cmd: "openssl genrsa -out $(out) 4096",
}

genrule {
  name: "com.android.apex.cts.shim_not_pre_installed.pubkey",
  srcs: [":com.android.apex.cts.shim_not_pre_installed.pem"],
  out: ["com.android.apex.cts.shim_not_pre_installed.pubkey"],
  tools: ["avbtool"],
  cmd: "$(location avbtool) extract_public_key --key $(in) --output $(out)",
}

apex_key {
  name: "com.android.apex.cts.shim_not_pre_installed.key",
  private_key: ":com.android.apex.cts.shim_not_pre_installed.pem",
  public_key: ":com.android.apex.cts.shim_not_pre_installed.pubkey",
  installable: false,
}

apex {
  name: "com.android.apex.cts.shim_not_pre_installed",
  manifest: "manifest_not_pre_installed.json",
  file_contexts: ":apex.test-file_contexts",
  key: "com.android.apex.cts.shim_not_pre_installed.key",
  prebuilts: ["hash_of_dev_null"],
  installable: false,
}

apex {
  name: "com.android.apex.cts.shim.v2_different_certificate",
  manifest: "manifest_v2.json",
  androidManifest: "AndroidManifest.xml",
  file_contexts: ":apex.test-file_contexts",
  key: "com.android.apex.cts.shim.key",
  prebuilts: ["hash_of_dev_null"],
  installable: false,
  certificate: ":com.android.apex.cts.shim.debug.cert",
}

android_app_certificate {
  name: "com.android.apex.cts.shim.debug.cert",
  certificate: "com.android.apex.cts.shim.debug.cert",
}

// Build rules to build shim apex with rotated keys

// We name the original key used to sign cts.shim.v1 package as alice.
// We then create a second key called bob. The second key bob is used to rotate the
// original key alice.

// Create private key bob in pem format
genrule {
  name: "com.android.apex.rotation.key.bob.pem",
  out: ["bob.pem"],
  cmd: "openssl req -x509 -newkey rsa:4096 -nodes -days 999999 -subj '/DN=/EMAILADDRESS=android@android.com/CN=Android/OU=Android/O=Android/L=Mountain View/ST=California/C=US' -keyout $(out)",
}

// Converts bob's private key to pk8 format
genrule {
  name: "com.android.apex.rotation.key.bob.pk8",
  srcs: [":com.android.apex.rotation.key.bob.pem"],
  out: ["bob.pk8"],
  cmd: "openssl pkcs8 -topk8 -inform PEM -outform DER -in $(in) -out $(out) -nocrypt",
}

// Extract bob's public key from its private key
genrule {
    name: "com.android.apex.rotation.key.bob.x509.pem",
    srcs: [":com.android.apex.rotation.key.bob.pem"],
    out: ["bob.x509.pem"],
    cmd: "openssl req -x509 -key $(in) -newkey rsa:4096 -nodes -days 999999 -subj '/DN=/EMAILADDRESS=android@android.com/CN=Android/OU=Android/O=Android/L=Mountain View/ST=California/C=US' -out $(out)",
}

// Create lineage file for rotating alice to bob
genrule {
  name: "com.android.apex.rotation.key.bob.rot",
  srcs: [
    "alice.pk8",
    "alice.x509.pem",
    ":com.android.apex.rotation.key.bob.pk8",
    ":com.android.apex.rotation.key.bob.x509.pem",
  ],
  out: ["bob.rot"],
  tools: [":apksigner"],
  cmd: "$(location :apksigner) rotate --out $(out) --old-signer --key $(location alice.pk8) --cert $(location alice.x509.pem) --new-signer --key $(location :com.android.apex.rotation.key.bob.pk8) --cert $(location :com.android.apex.rotation.key.bob.x509.pem)",
}

// Create lineage file for rotating alice to bob with rollback capability
genrule {
  name: "com.android.apex.rotation.key.bob.rot.rollback",
  srcs: [
    "alice.pk8",
    "alice.x509.pem",
    ":com.android.apex.rotation.key.bob.pk8",
    ":com.android.apex.rotation.key.bob.x509.pem",
  ],
  out: ["bob.rot"],
  tools: [":apksigner"],
  cmd: "$(location :apksigner) rotate --out $(out) --old-signer --key $(location alice.pk8) --cert $(location alice.x509.pem) --set-rollback true --new-signer --key $(location :com.android.apex.rotation.key.bob.pk8) --cert $(location :com.android.apex.rotation.key.bob.x509.pem)",
}

// v2 cts shim package signed by bob, without lineage
genrule {
  name: "com.android.apex.cts.shim.v2_signed_bob",
  out: ["com.android.apex.cts.shim.v2_signed_bob"],
  tools: [":apksigner"],
  srcs: [
    ":com.android.apex.cts.shim.v2",
    ":com.android.apex.rotation.key.bob.x509.pem",
    ":com.android.apex.rotation.key.bob.pk8",
  ],
  dist: {
    targets: ["com.android.apex.cts.shim.v2_signed_bob"],
    dest: "com.android.apex.cts.shim.v2_signed_bob.apex",
  },
  cmd: "$(location :apksigner) sign --v1-signing-enabled false --v2-signing-enabled false --key $(location :com.android.apex.rotation.key.bob.pk8) --cert $(location :com.android.apex.rotation.key.bob.x509.pem) --out $(out) $(location :com.android.apex.cts.shim.v2)",
}

// v2 cts shim package signed by bob + lineage
genrule {
  name: "com.android.apex.cts.shim.v2_signed_bob_rot",
  out: ["com.android.apex.cts.shim.v2_signed_bob_rot"],
  tools: [":apksigner"],
  srcs: [
    ":com.android.apex.cts.shim.v2",
    ":com.android.apex.rotation.key.bob.x509.pem",
    ":com.android.apex.rotation.key.bob.pk8",
    ":com.android.apex.rotation.key.bob.rot",
  ],
  dist: {
    targets: ["com.android.apex.cts.shim.v2_signed_bob_rot"],
    dest: "com.android.apex.cts.shim.v2_signed_bob_rot.apex",
  },
  cmd: "$(location :apksigner) sign --v1-signing-enabled false --v2-signing-enabled false --key $(location :com.android.apex.rotation.key.bob.pk8) --cert $(location :com.android.apex.rotation.key.bob.x509.pem) --lineage $(location :com.android.apex.rotation.key.bob.rot) --out $(out) $(location :com.android.apex.cts.shim.v2)",
}

// v2 cts shim package signed by bob + lineage + rollback capability
genrule {
  name: "com.android.apex.cts.shim.v2_signed_bob_rot_rollback",
  out: ["com.android.apex.cts.shim.v2_signed_bob_rot_rollback"],
  tools: [":apksigner"],
  srcs: [
    ":com.android.apex.cts.shim.v2",
    ":com.android.apex.rotation.key.bob.x509.pem",
    ":com.android.apex.rotation.key.bob.pk8",
    ":com.android.apex.rotation.key.bob.rot.rollback",
  ],
  dist: {
    targets: ["com.android.apex.cts.shim.v2_signed_bob_rot_rollback"],
    dest: "com.android.apex.cts.shim.v2_signed_bob_rot_rollback.apex",
  },
  cmd: "$(location :apksigner) sign --v1-signing-enabled false --v2-signing-enabled false --key $(location :com.android.apex.rotation.key.bob.pk8) --cert $(location :com.android.apex.rotation.key.bob.x509.pem) --lineage $(location :com.android.apex.rotation.key.bob.rot.rollback) --out $(out) $(location :com.android.apex.cts.shim.v2)",
}

// v3 cts shim package signed by bob
genrule {
  name: "com.android.apex.cts.shim.v3_signed_bob",
  out: ["com.android.apex.cts.shim.v3_signed_bob"],
  tools: [":apksigner"],
  srcs: [
    ":com.android.apex.cts.shim.v3",
    ":com.android.apex.rotation.key.bob.x509.pem",
    ":com.android.apex.rotation.key.bob.pk8",
  ],
  dist: {
    targets: ["com.android.apex.cts.shim.v3_signed_bob"],
    dest: "com.android.apex.cts.shim.v3_signed_bob.apex",
  },
  cmd: "$(location :apksigner) sign --v1-signing-enabled false --v2-signing-enabled false --key $(location :com.android.apex.rotation.key.bob.pk8) --cert $(location :com.android.apex.rotation.key.bob.x509.pem) --out $(out) $(location :com.android.apex.cts.shim.v3)",
}

// v3 cts shim package signed by bob + lineage
genrule {
  name: "com.android.apex.cts.shim.v3_signed_bob_rot",
  out: ["com.android.apex.cts.shim.v3_signed_bob_rot"],
  tools: [":apksigner"],
  srcs: [
    ":com.android.apex.cts.shim.v3",
    ":com.android.apex.rotation.key.bob.x509.pem",
    ":com.android.apex.rotation.key.bob.pk8",
    ":com.android.apex.rotation.key.bob.rot",
  ],
  dist: {
    targets: ["com.android.apex.cts.shim.v3_signed_bob_rot"],
    dest: "com.android.apex.cts.shim.v3_signed_bob_rot.apex",
  },
  cmd: "$(location :apksigner) sign --v1-signing-enabled false --v2-signing-enabled false --key $(location :com.android.apex.rotation.key.bob.pk8) --cert $(location :com.android.apex.rotation.key.bob.x509.pem) --lineage $(location :com.android.apex.rotation.key.bob.rot) --out $(out) $(location :com.android.apex.cts.shim.v3)",
}

// This one is only used in ApexdHostTest and not meant to be installed
// and hence shouldn't be allowed in hash.txt of v1 shim APEX.
apex {
  name: "com.android.apex.cts.shim.v2_legacy",
  manifest: "manifest_v2.json",
  androidManifest: "AndroidManifest.xml",
  file_contexts: ":apex.test-file_contexts",
  key: "com.android.apex.cts.shim.key",
  prebuilts: ["hash_of_dev_null"],
  apps: ["CtsShim", "CtsShimPriv"],
  installable: false,
  min_sdk_version: "29",
}

genrule {
  name: "com.android.apex.cts.shim.v2_no_pb",
  srcs: [":com.android.apex.cts.shim.v2_legacy"],
  out: ["com.android.apex.cts.shim.v2_no_pb.apex"],
  tools: ["zip2zip"],
  cmd: "$(location zip2zip) -i $(in) -x apex_manifest.pb -o $(out)",
}

// Apex shim that targets an old sdk (P)
apex {
  name: "com.android.apex.cts.shim.v2_sdk_target_p",
  manifest: "manifest_v2.json",
  androidManifest: "AndroidManifestSdkTargetP.xml",
  file_contexts: ":apex.test-file_contexts",
  key: "com.android.apex.cts.shim.key",
  prebuilts: ["hash_of_dev_null"],
  installable: false,
  apps: ["CtsShim", "CtsShimPriv"],
}

// Apex shim with apk-in-apex that targets sdk P
apex {
  name: "com.android.apex.cts.shim.v2_apk_in_apex_sdk_target_p",
  manifest: "manifest_v2.json",
  androidManifest: "AndroidManifest.xml",
  file_contexts: ":apex.test-file_contexts",
  key: "com.android.apex.cts.shim.key",
  prebuilts: ["hash_of_dev_null"],
  apps: ["CtsShimTargetPSdk"],
  installable: false,
}

// Apex shim with unsigned apk
genrule {
  name: "com.android.apex.cts.shim.v2_unsigned_apk_container",
  srcs: [":com.android.apex.cts.shim.v2"],
  out: ["com.android.apex.cts.shim.v2_unsigned_apk_container.apex"],
  cmd: "cp -v $(in) $(out) && zip -d $(out) META-INF*",
  dist: {
    targets: ["apps_only"],
  }
}