diff options
| author | Paul Lawrence <paullawrence@google.com> | 2014-11-13 22:03:31 +0000 |
|---|---|---|
| committer | Paul Lawrence <paullawrence@google.com> | 2014-11-13 22:03:31 +0000 |
| commit | 7377e002421ed9a04cc94cd808c234f48d93924d (patch) | |
| tree | 8f0ab4d558b0b681800892b40063a9331be73470 /verity/BootSignature.java | |
| parent | b62eabde2db40f01dfed1cef48ac2cbabdff4d03 (diff) | |
| download | extras-7377e002421ed9a04cc94cd808c234f48d93924d.tar.gz | |
Revert "Update boot image signature format to version 1"
This reverts commit b62eabde2db40f01dfed1cef48ac2cbabdff4d03.
Change-Id: I98019b7990c5436fe6ad5ef1052729478bccbe17
Diffstat (limited to 'verity/BootSignature.java')
| -rw-r--r-- | verity/BootSignature.java | 112 |
1 files changed, 17 insertions, 95 deletions
diff --git a/verity/BootSignature.java b/verity/BootSignature.java index 4ee3309d..740e226a 100644 --- a/verity/BootSignature.java +++ b/verity/BootSignature.java @@ -17,58 +17,50 @@ package com.android.verity; import java.io.IOException; -import java.nio.ByteBuffer; -import java.nio.ByteOrder; import java.security.PrivateKey; -import java.security.Security; -import java.security.cert.X509Certificate; -import java.security.cert.CertificateEncodingException; import java.util.Arrays; import org.bouncycastle.asn1.ASN1Encodable; import org.bouncycastle.asn1.ASN1EncodableVector; import org.bouncycastle.asn1.ASN1Integer; import org.bouncycastle.asn1.ASN1Object; import org.bouncycastle.asn1.ASN1Primitive; -import org.bouncycastle.asn1.ASN1InputStream; import org.bouncycastle.asn1.DEROctetString; import org.bouncycastle.asn1.DERPrintableString; import org.bouncycastle.asn1.DERSequence; +import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; import org.bouncycastle.asn1.util.ASN1Dump; import org.bouncycastle.asn1.x509.AlgorithmIdentifier; -import org.bouncycastle.jce.provider.BouncyCastleProvider; /** * AndroidVerifiedBootSignature DEFINITIONS ::= * BEGIN - * formatVersion ::= INTEGER - * certificate ::= Certificate - * algorithmIdentifier ::= SEQUENCE { + * FormatVersion ::= INTEGER + * AlgorithmIdentifier ::= SEQUENCE { * algorithm OBJECT IDENTIFIER, * parameters ANY DEFINED BY algorithm OPTIONAL * } - * authenticatedAttributes ::= SEQUENCE { + * AuthenticatedAttributes ::= SEQUENCE { * target CHARACTER STRING, * length INTEGER * } - * signature ::= OCTET STRING + * Signature ::= OCTET STRING * END */ public class BootSignature extends ASN1Object { private ASN1Integer formatVersion; - private ASN1Encodable certificate; private AlgorithmIdentifier algorithmIdentifier; private DERPrintableString target; private ASN1Integer length; private DEROctetString signature; - private static final int FORMAT_VERSION = 1; - public BootSignature(String target, int length) { - this.formatVersion = new ASN1Integer(FORMAT_VERSION); + this.formatVersion = new ASN1Integer(0); this.target = new DERPrintableString(target); this.length = new ASN1Integer(length); + this.algorithmIdentifier = new AlgorithmIdentifier( + PKCSObjectIdentifiers.sha1WithRSAEncryption); } public ASN1Object getAuthenticatedAttributes() { @@ -82,17 +74,10 @@ public class BootSignature extends ASN1Object return getAuthenticatedAttributes().getEncoded(); } - public void setSignature(byte[] sig, AlgorithmIdentifier algId) { - algorithmIdentifier = algId; + public void setSignature(byte[] sig) { signature = new DEROctetString(sig); } - public void setCertificate(X509Certificate cert) - throws Exception, IOException, CertificateEncodingException { - ASN1InputStream s = new ASN1InputStream(cert.getEncoded()); - certificate = s.readObject(); - } - public byte[] generateSignableImage(byte[] image) throws IOException { byte[] attrs = getEncodedAuthenticatedAttributes(); byte[] signable = Arrays.copyOf(image, image.length + attrs.length); @@ -110,93 +95,30 @@ public class BootSignature extends ASN1Object public ASN1Primitive toASN1Primitive() { ASN1EncodableVector v = new ASN1EncodableVector(); v.add(formatVersion); - v.add(certificate); v.add(algorithmIdentifier); v.add(getAuthenticatedAttributes()); v.add(signature); return new DERSequence(v); } - public static int getSignableImageSize(byte[] data) throws Exception { - if (!Arrays.equals(Arrays.copyOfRange(data, 0, 8), - "ANDROID!".getBytes("US-ASCII"))) { - throw new IllegalArgumentException("Invalid image header: missing magic"); - } - - ByteBuffer image = ByteBuffer.wrap(data); - image.order(ByteOrder.LITTLE_ENDIAN); - - image.getLong(); // magic - int kernelSize = image.getInt(); - image.getInt(); // kernel_addr - int ramdskSize = image.getInt(); - image.getInt(); // ramdisk_addr - int secondSize = image.getInt(); - image.getLong(); // second_addr + tags_addr - int pageSize = image.getInt(); - - int length = pageSize // include the page aligned image header - + ((kernelSize + pageSize - 1) / pageSize) * pageSize - + ((ramdskSize + pageSize - 1) / pageSize) * pageSize - + ((secondSize + pageSize - 1) / pageSize) * pageSize; - - length = ((length + pageSize - 1) / pageSize) * pageSize; - - if (length <= 0) { - throw new IllegalArgumentException("Invalid image header: invalid length"); - } - - return length; - } - public static void doSignature( String target, String imagePath, String keyPath, - String certPath, String outPath) throws Exception { - byte[] image = Utils.read(imagePath); - int signableSize = getSignableImageSize(image); - - if (signableSize < image.length) { - System.err.println("NOTE: truncating file " + imagePath + - " from " + image.length + " to " + signableSize + " bytes"); - image = Arrays.copyOf(image, signableSize); - } else if (signableSize > image.length) { - throw new IllegalArgumentException("Invalid image: too short, expected " + - signableSize + " bytes"); - } - BootSignature bootsig = new BootSignature(target, image.length); - - X509Certificate cert = Utils.loadPEMCertificate(certPath); - bootsig.setCertificate(cert); - - PrivateKey key = Utils.loadDERPrivateKeyFromFile(keyPath); - bootsig.setSignature(bootsig.sign(image, key), - Utils.getSignatureAlgorithmIdentifier(key)); - + PrivateKey key = Utils.loadPEMPrivateKeyFromFile(keyPath); + bootsig.setSignature(bootsig.sign(image, key)); byte[] encoded_bootsig = bootsig.getEncoded(); byte[] image_with_metadata = Arrays.copyOf(image, image.length + encoded_bootsig.length); - - System.arraycopy(encoded_bootsig, 0, image_with_metadata, - image.length, encoded_bootsig.length); - + for (int i=0; i < encoded_bootsig.length; i++) { + image_with_metadata[i+image.length] = encoded_bootsig[i]; + } Utils.write(image_with_metadata, outPath); } - /* java -cp - ../../../out/host/common/obj/JAVA_LIBRARIES/BootSignature_intermediates/\ - classes/com.android.verity.BootSignature \ - boot \ - ../../../out/target/product/flounder/boot.img \ - ../../../build/target/product/security/verity_private_dev_key \ - ../../../build/target/product/security/verity.pk8 \ - ../../../build/target/product/security/verity.x509.pem \ - /tmp/boot.img.signed - */ + // java -cp ../../../out/host/common/obj/JAVA_LIBRARIES/AndroidVerifiedBootSigner_intermediates/classes/ com.android.verity.AndroidVerifiedBootSigner boot ../../../out/target/product/flounder/boot.img ../../../build/target/product/security/verity_private_dev_key /tmp/boot.img.signed public static void main(String[] args) throws Exception { - Security.addProvider(new BouncyCastleProvider()); - doSignature(args[0], args[1], args[2], args[3], args[4]); + doSignature(args[0], args[1], args[2], args[3]); } -} +}
\ No newline at end of file |