-rw-r--r-- | services/core/java/com/android/server/signedconfig/SignatureVerifier.java | 37 | ||||
-rw-r--r-- | tools/signedconfig/prod_public.pem | 5 | ||||
-rwxr-xr-x | tools/signedconfig/verify_b64.sh | 28 |
3 files changed, 60 insertions, 10 deletions
diff --git a/services/core/java/com/android/server/signedconfig/SignatureVerifier.java b/services/core/java/com/android/server/signedconfig/SignatureVerifier.java
index 5ba57b50c439..fcf40cf3601b 100644
--- a/services/core/java/com/android/server/signedconfig/SignatureVerifier.java
+++ b/services/core/java/com/android/server/signedconfig/SignatureVerifier.java
@@ -43,13 +43,18 @@ public class SignatureVerifier {
     private static final String DEBUG_KEY =
             "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEaAn2XVifsLTHg616nTsOMVmlhBoECGbTEBTKKvdd2hO60"
             + "pj1pnU8SMkhYfaNxZuKgw9LNvOwlFwStboIYeZ3lQ==";
+    private static final String PROD_KEY =
+            "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE+lky6wKyGL6lE1VrD0YTMHwb0Xwc+tzC8MvnrzVxodvTp"
+            + "VY/jV7V+Zktcx+pry43XPABFRXtbhTo+qykhyBA1g==";
 
     private final SignedConfigEvent mEvent;
     private final PublicKey mDebugKey;
+    private final PublicKey mProdKey;
 
     public SignatureVerifier(SignedConfigEvent event) {
         mEvent = event;
-        mDebugKey = createKey(DEBUG_KEY);
+        mDebugKey = Build.IS_DEBUGGABLE ? createKey(DEBUG_KEY) : null;
+        mProdKey = createKey(PROD_KEY);
     }
 
     private static PublicKey createKey(String base64) {
@@ -70,6 +75,14 @@ public class SignatureVerifier {
         }
     }
 
+    private boolean verifyWithPublicKey(PublicKey key, byte[] data, byte[] signature)
+            throws NoSuchAlgorithmException, InvalidKeyException, SignatureException {
+        Signature verifier = Signature.getInstance("SHA256withECDSA");
+        verifier.initVerify(key);
+        verifier.update(data);
+        return verifier.verify(signature);
+    }
+
     /**
      * Verify a signature for signed config.
      *
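Review bot: The PROD_KEY constant added at the top of the first hunk is a second copy of the key material that this same commit checks in as tools/signedconfig/prod_public.pem (the two base64 bodies match today), and nothing ties the two together for the next person who rotates the key. I would put `// Must match the base64 body of tools/signedconfig/prod_public.pem; rotate both together.` directly above `private static final String PROD_KEY =`, and the same kind of pointer above DEBUG_KEY if it is not already there. Note also that the constructor now parses the hard-coded PROD_KEY on every SignatureVerifier instance and the verify path later guards `mProdKey == null`, so createKey evidently can fail at runtime; createKey's body is outside this hunk, so whether a static final would be safe (it must not throw during class init in system_server) needs checking before hoisting it.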
@@ -93,10 +106,7 @@ public class SignatureVerifier {
         if (Build.IS_DEBUGGABLE) {
             if (mDebugKey != null) {
                 if (DBG) Slog.w(TAG, "Trying to verify signature using debug key");
-                Signature verifier = Signature.getInstance("SHA256withECDSA");
-                verifier.initVerify(mDebugKey);
-                verifier.update(data);
-                if (verifier.verify(signature)) {
+                if (verifyWithPublicKey(mDebugKey, data, signature)) {
                     Slog.i(TAG, "Verified config using debug key");
                     mEvent.verifiedWith = StatsLog.SIGNED_CONFIG_REPORTED__VERIFIED_WITH__DEBUG;
                     return true;
@@ -107,9 +117,18 @@ public class SignatureVerifier {
                 Slog.w(TAG, "Debuggable build, but have no debug key");
             }
         }
-        // TODO verify production key.
-        Slog.w(TAG, "NO PRODUCTION KEY YET, FAILING VERIFICATION");
-        mEvent.status = StatsLog.SIGNED_CONFIG_REPORTED__STATUS__SIGNATURE_CHECK_FAILED;
-        return false;
+        if (mProdKey == null) {
+            Slog.e(TAG, "No prod key; construction failed?");
+            return false;
+        }
+        if (verifyWithPublicKey(mProdKey, data, signature)) {
+            Slog.i(TAG, "Verified config using production key");
+            mEvent.verifiedWith = StatsLog.SIGNED_CONFIG_REPORTED__VERIFIED_WITH__PRODUCTION;
+            return true;
+        } else {
+            if (DBG) Slog.i(TAG, "Verification failed using production key");
+            mEvent.status = StatsLog.SIGNED_CONFIG_REPORTED__STATUS__SIGNATURE_CHECK_FAILED;
+            return false;
+        }
     }
 }
diff --git a/tools/signedconfig/prod_public.pem b/tools/signedconfig/prod_public.pem
new file mode 100644
index 000000000000..8c10215eb083
--- /dev/null
+++ b/tools/signedconfig/prod_public.pem
@@ -0,0 +1,5 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE+lky6wKyGL6lE1VrD0YTMHwb0Xwc
++tzC8MvnrzVxodvTpVY/jV7V+Zktcx+pry43XPABFRXtbhTo+qykhyBA1g==
+-----END PUBLIC KEY-----
+
diff --git a/tools/signedconfig/verify_b64.sh b/tools/signedconfig/verify_b64.sh
index 8e1f58ce7b45..a4ac6a816d14 100755
--- a/tools/signedconfig/verify_b64.sh
+++ b/tools/signedconfig/verify_b64.sh
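Review bot: In the second hunk the new `if (mProdKey == null)` branch returns false after only a log line, while every other failure path in this method that is visible here sets `mEvent.status` before returning, so a verifier whose prod key failed to parse would report an event with whatever status it carried before this call (the enclosing method starts outside the hunk, so I cannot see the initial value). I would add `mEvent.status = StatsLog.SIGNED_CONFIG_REPORTED__STATUS__SIGNATURE_CHECK_FAILED;` before that `return false;`, or a more specific status if the StatsLog enum has one for a missing key. As a smaller style point, the `else` after `return true;` is redundant and the failure branch reads more plainly unindented. The trial order (debug key first on debuggable builds, then prod) looks correct as long as the debug key is still gated by `Build.IS_DEBUGGABLE` in the constructor, which the first hunk does.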
@@ -7,4 +7,30 @@ # The arg values can be taken from the debug log for SignedConfigService when verbose logging is # enabled. -openssl dgst -sha256 -verify $(dirname $0)/debug_public.pem -signature <(echo $2 | base64 -d) <(echo $1 | base64 -d) +function verify() { + D=${1} + S=${2} + K=${3} + echo Trying ${K} + openssl dgst -sha256 -verify $(dirname $0)/${K} -signature <(echo ${S} | base64 -d) <(echo ${D} | base64 -d) +} + + +PROD_KEY_NAME=prod_public.pem +DEBUG_KEY_NAME=debug_public.pem +SIGNATURE="$2" +DATA="$1" + +echo DATA: ${DATA} +echo SIGNATURE: ${SIGNATURE} + +if verify "${DATA}" "${SIGNATURE}" "${PROD_KEY_NAME}"; then + echo Verified with ${PROD_KEY_NAME} + exit 0 +fi + +if verify "${DATA}" "${SIGNATURE}" "${DEBUG_KEY_NAME}"; then + echo Verified with ${DEBUG_KEY_NAME} + exit 0 +fi +exit 1 |
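Review bot: The openssl line inside the new `verify` function leaves `$(dirname $0)` and the key name unquoted, so a checkout path containing whitespace or glob characters breaks the verification, and the same applies to `${S}`/`${D}` in the two process substitutions; I would write it as `openssl dgst -sha256 -verify "$(dirname "$0")/${K}" -signature <(echo "${S}" | base64 -d) <(echo "${D}" | base64 -d)`. The debug-key success path also reports a plain "Verified", although the Java side only consults the debug key on debuggable builds, so a config that verifies only here will be rejected on a production device; `echo "Verified with ${DEBUG_KEY_NAME} (only accepted on debuggable builds)"` would keep a developer from mistaking that result for a production-valid signature. A short header comment stating that the script tries the production key first and then the debug key would help too, since the Java verifier tries them in the opposite order.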