1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
|
#!/usr/bin/env python
#
# Copyright (C) 2019 The Android Open Source Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
import logging
import os.path
import re
import shlex
import sys
import common
logger = logging.getLogger(__name__)
class ApexInfoError(Exception):
"""An Exception raised during Apex Information command."""
def __init__(self, message):
Exception.__init__(self, message)
class ApexSigningError(Exception):
"""An Exception raised during Apex Payload signing."""
def __init__(self, message):
Exception.__init__(self, message)
def SignApexPayload(payload_file, payload_key_path, payload_key_name, algorithm,
salt, signing_args=None):
"""Signs a given payload_file with the payload key."""
# Add the new footer. Old footer, if any, will be replaced by avbtool.
cmd = ['avbtool', 'add_hashtree_footer',
'--do_not_generate_fec',
'--algorithm', algorithm,
'--key', payload_key_path,
'--prop', 'apex.key:{}'.format(payload_key_name),
'--image', payload_file,
'--salt', salt]
if signing_args:
cmd.extend(shlex.split(signing_args))
try:
common.RunAndCheckOutput(cmd)
except common.ExternalError as e:
raise ApexSigningError, \
'Failed to sign APEX payload {} with {}:\n{}'.format(
payload_file, payload_key_path, e), sys.exc_info()[2]
# Verify the signed payload image with specified public key.
logger.info('Verifying %s', payload_file)
VerifyApexPayload(payload_file, payload_key_path)
def VerifyApexPayload(payload_file, payload_key):
"""Verifies the APEX payload signature with the given key."""
cmd = ['avbtool', 'verify_image', '--image', payload_file,
'--key', payload_key]
try:
common.RunAndCheckOutput(cmd)
except common.ExternalError as e:
raise ApexSigningError, \
'Failed to validate payload signing for {} with {}:\n{}'.format(
payload_file, payload_key, e), sys.exc_info()[2]
def ParseApexPayloadInfo(payload_path):
"""Parses the APEX payload info.
Args:
payload_path: The path to the payload image.
Raises:
ApexInfoError on parsing errors.
Returns:
A dict that contains payload property-value pairs. The dict should at least
contain Algorithm, Salt and apex.key.
"""
if not os.path.exists(payload_path):
raise ApexInfoError('Failed to find image: {}'.format(payload_path))
cmd = ['avbtool', 'info_image', '--image', payload_path]
try:
output = common.RunAndCheckOutput(cmd)
except common.ExternalError as e:
raise ApexInfoError, \
'Failed to get APEX payload info for {}:\n{}'.format(
payload_path, e), sys.exc_info()[2]
# Extract the Algorithm / Salt / Prop info from payload (i.e. an image signed
# with avbtool). For example,
# Algorithm: SHA256_RSA4096
PAYLOAD_INFO_PATTERN = (
r'^\s*(?P<key>Algorithm|Salt|Prop)\:\s*(?P<value>.*?)$')
payload_info_matcher = re.compile(PAYLOAD_INFO_PATTERN)
payload_info = {}
for line in output.split('\n'):
line_info = payload_info_matcher.match(line)
if not line_info:
continue
key, value = line_info.group('key'), line_info.group('value')
if key == 'Prop':
# Further extract the property key-value pair, from a 'Prop:' line. For
# example,
# Prop: apex.key -> 'com.android.runtime'
# Note that avbtool writes single or double quotes around values.
PROPERTY_DESCRIPTOR_PATTERN = r'^\s*(?P<key>.*?)\s->\s*(?P<value>.*?)$'
prop_matcher = re.compile(PROPERTY_DESCRIPTOR_PATTERN)
prop = prop_matcher.match(value)
if not prop:
raise ApexInfoError(
'Failed to parse prop string {}'.format(value))
prop_key, prop_value = prop.group('key'), prop.group('value')
if prop_key == 'apex.key':
# avbtool dumps the prop value with repr(), which contains single /
# double quotes that we don't want.
payload_info[prop_key] = prop_value.strip('\"\'')
else:
payload_info[key] = value
# Sanity check.
for key in ('Algorithm', 'Salt', 'apex.key'):
if key not in payload_info:
raise ApexInfoError(
'Failed to find {} prop in {}'.format(key, payload_path))
return payload_info
|