summaryrefslogtreecommitdiff
path: root/tools/signedconfig
diff options
context:
space:
mode:
authorMathew Inwood <mathewi@google.com>2018-12-04 11:52:42 +0000
committerMathew Inwood <mathewi@google.com>2018-12-11 17:06:27 +0000
commit96c419f90686ea7f16cde37cf1a137ae6cddf4c6 (patch)
tree621d63aa561fb72a4ca02d5fb2c8e6adf06686c0 /tools/signedconfig
parent9a7fdeb32beab2863f234941773c2bc77cd9bd4c (diff)
Implement signature check.
Currently, we just have debug keys, and always fail verification on user builds. Production keys will be added later. This CL also includes some helper scripts: - Used to generate debug keys, for the record - To sign data using the debug keys - To verify base64 encoded data, used for debugging Test: atest CtsSignedConfigHostTestCases Note: The test also relies on some other changes going in too; it has been verified with all relevant change in place, but will not pass at HEAD quite yet. Bug: 110509075 Change-Id: I8bd420c44a0a523cbefb21f90c49550c25beb0a6
Diffstat (limited to 'tools/signedconfig')
-rw-r--r--tools/signedconfig/debug_key.pem5
-rw-r--r--tools/signedconfig/debug_public.pem4
-rwxr-xr-xtools/signedconfig/debug_sign.sh6
-rwxr-xr-xtools/signedconfig/gen_priv_key.sh7
-rwxr-xr-xtools/signedconfig/verify_b64.sh10
5 files changed, 32 insertions, 0 deletions
diff --git a/tools/signedconfig/debug_key.pem b/tools/signedconfig/debug_key.pem
new file mode 100644
index 000000000000..0af577bf81e1
--- /dev/null
+++ b/tools/signedconfig/debug_key.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIEfgtO+KPOoqJqTnqkDDKkAcOzyvtovsUO/ShLE6y4XRoAoGCCqGSM49
+AwEHoUQDQgAEaAn2XVifsLTHg616nTsOMVmlhBoECGbTEBTKKvdd2hO60pj1pnU8
+SMkhYfaNxZuKgw9LNvOwlFwStboIYeZ3lQ==
+-----END EC PRIVATE KEY-----
diff --git a/tools/signedconfig/debug_public.pem b/tools/signedconfig/debug_public.pem
new file mode 100644
index 000000000000..f61f81322b94
--- /dev/null
+++ b/tools/signedconfig/debug_public.pem
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEaAn2XVifsLTHg616nTsOMVmlhBoE
+CGbTEBTKKvdd2hO60pj1pnU8SMkhYfaNxZuKgw9LNvOwlFwStboIYeZ3lQ==
+-----END PUBLIC KEY-----
diff --git a/tools/signedconfig/debug_sign.sh b/tools/signedconfig/debug_sign.sh
new file mode 100755
index 000000000000..28e54289f8f8
--- /dev/null
+++ b/tools/signedconfig/debug_sign.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# Script to sign data with the debug keys. Outputs base64 for embedding into
+# APK metadata.
+
+openssl dgst -sha256 -sign $(dirname $0)/debug_key.pem $1 | base64 -w 0
+echo
diff --git a/tools/signedconfig/gen_priv_key.sh b/tools/signedconfig/gen_priv_key.sh
new file mode 100755
index 000000000000..834c86bc8c12
--- /dev/null
+++ b/tools/signedconfig/gen_priv_key.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# This script acts as a record of how the debug key was generated. There should
+# be no need to run it again.
+
+openssl ecparam -name prime256v1 -genkey -noout -out debug_key.pem
+openssl ec -in debug_key.pem -pubout -out debug_public.pem
diff --git a/tools/signedconfig/verify_b64.sh b/tools/signedconfig/verify_b64.sh
new file mode 100755
index 000000000000..8e1f58ce7b45
--- /dev/null
+++ b/tools/signedconfig/verify_b64.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# Script to verify signatures, with both signature & data given in b64
+# Args:
+# 1. data (base64 encoded)
+# 2. signature (base64 encoded)
+# The arg values can be taken from the debug log for SignedConfigService when verbose logging is
+# enabled.
+
+openssl dgst -sha256 -verify $(dirname $0)/debug_public.pem -signature <(echo $2 | base64 -d) <(echo $1 | base64 -d)
generated by cgit v1.2.3 (git 2.25.1) at 2025-10-03 02:25:17 +0000