Support for signing with multiple signature files, key sizes.
If we do a key-rotation in the future, we'll want to sign updates with
two keys. This CL changes the delta generator in a
backwards-compatible way to take multiple key lengths and signature
files: On a command line where one could be given before, now multiple
may be given by colon-delimiting them.
Also, adds two unittests to show that old and new clients can
successfully verify a payload when it's signed by old and new keys.
BUG=chromium-os:19873
TEST=unittests; tested on device
Change-Id: I2063095773a5c71c32704c30b12d6eab2a5f3b80
Reviewed-on: http://gerrit.chromium.org/gerrit/6999
Reviewed-by: Andrew de los Reyes <adlr@chromium.org>
Tested-by: Andrew de los Reyes <adlr@chromium.org>
diff --git a/payload_signer_unittest.cc b/payload_signer_unittest.cc
index f7c59a6..0a5a883 100644
--- a/payload_signer_unittest.cc
+++ b/payload_signer_unittest.cc
@@ -15,11 +15,14 @@
// Note: the test key was generated with the following command:
// openssl genrsa -out unittest_key.pem 2048
+// The public-key version is created by the build system.
namespace chromeos_update_engine {
const char* kUnittestPrivateKeyPath = "unittest_key.pem";
const char* kUnittestPublicKeyPath = "unittest_key.pub.pem";
+const char* kUnittestPrivateKey2Path = "unittest_key2.pem";
+const char* kUnittestPublicKey2Path = "unittest_key2.pub.pem";
// Some data and its corresponding hash and signature:
const char kDataToSign[] = "This is some data to sign.";
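Review bot: The new `kUnittestPrivateKey2Path` / `kUnittestPublicKey2Path` constants are added without any record of how the second key was produced, while the comment above documents the `openssl genrsa` command and the 2048-bit size only for the first key. Since the commit is about supporting several key sizes, the size of the second key is what a reader needs to judge what the rotation tests cover. I would add a comment above the new constants such as `// unittest_key2.pem is a second test-only key for the key-rotation tests, generated with: openssl genrsa -out unittest_key2.pem <KEY_BITS>`, filling in the real size. It would also help to state that both PEM files are test fixtures and must never be used to sign shipped payloads.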
@@ -86,12 +89,14 @@
kDataToSign,
strlen(kDataToSign)));
uint64_t length = 0;
- EXPECT_TRUE(PayloadSigner::SignatureBlobLength(kUnittestPrivateKeyPath,
- &length));
+ EXPECT_TRUE(PayloadSigner::SignatureBlobLength(
+ vector<string> (1, kUnittestPrivateKeyPath),
+ &length));
EXPECT_GT(length, 0);
- EXPECT_TRUE(PayloadSigner::SignPayload(data_path,
- kUnittestPrivateKeyPath,
- out_signature_blob));
+ EXPECT_TRUE(PayloadSigner::SignPayload(
+ data_path,
+ vector<string>(1, kUnittestPrivateKeyPath),
+ out_signature_blob));
EXPECT_EQ(length, out_signature_blob->size());
}
}
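Review bot: Both updated calls wrap a single path, `vector<string>(1, kUnittestPrivateKeyPath)`, so this helper never checks that `SignatureBlobLength` and `SignPayload` agree when more than one key is supplied. That is the case the vector overloads were introduced for, and a predicted length that differs from the real blob size would presumably yield a payload that clients cannot verify. The description mentions two new unittests that may cover this elsewhere; if not, a variant of this helper that passes both `kUnittestPrivateKeyPath` and `kUnittestPrivateKey2Path` and keeps the `EXPECT_EQ(length, out_signature_blob->size())` check would pin it down. As a style point, `vector<string> (1, kUnittestPrivateKeyPath)` in the first call has a stray space before the parenthesis, unlike the second call. The enclosing function begins outside this hunk.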
@@ -106,7 +111,7 @@
signature_blob.size()));
EXPECT_EQ(1, signatures.signatures_size());
const Signatures_Signature& signature = signatures.signatures(0);
- EXPECT_EQ(kSignatureMessageVersion, signature.version());
+ EXPECT_EQ(kSignatureMessageOriginalVersion, signature.version());
const string sig_data = signature.data();
ASSERT_EQ(arraysize(kDataSignature), sig_data.size());
for (size_t i = 0; i < arraysize(kDataSignature); i++) {