diff options
author | Sami Tolvanen <samitolvanen@google.com> | 2015-09-15 10:41:16 +0100 |
---|---|---|
committer | Sami Tolvanen <samitolvanen@google.com> | 2015-09-15 17:22:40 +0100 |
commit | 53e790468c3ce7d094f1003648e7766395912ddb (patch) | |
tree | 6144cb59c9ba2ed6cd67cf09ccb5617e4d12a2c6 /verity | |
parent | 12f454e24a518d81fe42043b7142582b81694363 (diff) | |
download | extras-53e790468c3ce7d094f1003648e7766395912ddb.tar.gz |
boot_signer: allow verification using an external certificate
Add a -certificate parameter, which allows one to specify an external
public key certificate to use for verifying boot image signatures:
boot_signer -verify boot.img -certificate cert.x509.pem
This makes it possible to confirm that the boot image has been signed
with a specific key.
Change-Id: I41f1a05e1c8be3bfac2a86678d81beaae0e371bb
Diffstat (limited to 'verity')
-rw-r--r-- | verity/BootSignature.java | 17 |
1 files changed, 15 insertions, 2 deletions
diff --git a/verity/BootSignature.java b/verity/BootSignature.java index 03eb32a7..3cf94990 100644 --- a/verity/BootSignature.java +++ b/verity/BootSignature.java @@ -149,6 +149,7 @@ public class BootSignature extends ASN1Object throws Exception, IOException, CertificateEncodingException { ASN1InputStream s = new ASN1InputStream(cert.getEncoded()); certificate = s.readObject(); + publicKey = cert.getPublicKey(); } public byte[] generateSignableImage(byte[] image) throws IOException { @@ -253,7 +254,7 @@ public class BootSignature extends ASN1Object Utils.write(image_with_metadata, outPath); } - public static void verifySignature(String imagePath) throws Exception { + public static void verifySignature(String imagePath, String certPath) throws Exception { byte[] image = Utils.read(imagePath); int signableSize = getSignableImageSize(image); @@ -264,6 +265,11 @@ public class BootSignature extends ASN1Object byte[] signature = Arrays.copyOfRange(image, signableSize, image.length); BootSignature bootsig = new BootSignature(signature); + if (!certPath.isEmpty()) { + System.err.println("NOTE: verifying using public key from " + certPath); + bootsig.setCertificate(Utils.loadPEMCertificate(certPath)); + } + try { if (bootsig.verify(Arrays.copyOf(image, signableSize))) { System.err.println("Signature is VALID"); @@ -291,8 +297,15 @@ public class BootSignature extends ASN1Object Security.addProvider(new BouncyCastleProvider()); if ("-verify".equals(args[0])) { + String certPath = ""; + + if (args.length >= 4 && "-certificate".equals(args[2])) { + /* args[3] is the path to a public key certificate */ + certPath = args[3]; + } + /* args[1] is the path to a signed boot image */ - verifySignature(args[1]); + verifySignature(args[1], certPath); } else { /* args[0] is the target name, typically /boot args[1] is the path to a boot image to sign |