author | Robert Craig <rpcraig@tycho.ncsc.mil> | 2013-04-19 10:59:22 -0400 |
---|---|---|
committer | Nick Kralevich <nnk@google.com> | 2013-10-22 13:54:46 -0700 |
commit | a6e0466ab5771ab1b9f806b9411015b5ff9852f6 (patch) | |
tree | ed373c5d60dcda39db36a97c06f337742f075cdd | |
parent | 0068d25b4895162993118fe3b61d2775fa575e70 (diff) | |
Modify release tools to replace certs in MMAC files.
Added support to perform a string replace of specified
dev keys with release keys when using the release tool
scripts.
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
(cherry picked from commit 817c574d753191c52acd5787da02bb853d4ac090)
Change-Id: I51be8d62945436d3f374f51867295c5b792d4b53
Bug: 11334314
-rwxr-xr-x | tools/releasetools/check_target_files_signatures | 19 | ||||
-rw-r--r-- | tools/releasetools/common.py | 15 | ||||
-rwxr-xr-x | tools/releasetools/sign_target_files_apks | 36 |
3 files changed, 53 insertions, 17 deletions
diff --git a/tools/releasetools/check_target_files_signatures b/tools/releasetools/check_target_files_signatures index ae372ba..45d30a6 100755 --- a/tools/releasetools/check_target_files_signatures +++ b/tools/releasetools/check_target_files_signatures @@ -135,7 +135,7 @@ class CertDB(object): for i in to_load: f = open(i) - cert = ParseCertificate(f.read()) + cert = common.ParseCertificate(f.read()) f.close() name, _ = os.path.splitext(i) name, _ = os.path.splitext(name) @@ -144,21 +144,6 @@ class CertDB(object): ALL_CERTS = CertDB() -def ParseCertificate(data): - """Parse a PEM-format certificate.""" - cert = [] - save = False - for line in data.split("\n"): - if "--END CERTIFICATE--" in line: - break - if save: - cert.append(line) - if "--BEGIN CERTIFICATE--" in line: - save = True - cert = "".join(cert).decode('base64') - return cert - - def CertFromPKCS7(data, filename): """Read the cert out of a PKCS#7-format file (which is what is stored in a signed .apk).""" @@ -175,7 +160,7 @@ def CertFromPKCS7(data, filename): AddProblem("error reading cert:\n" + err) return None - cert = ParseCertificate(out) + cert = common.ParseCertificate(out) if not cert: AddProblem("error parsing cert output") return None diff --git a/tools/releasetools/common.py b/tools/releasetools/common.py index 58582ba..a3217dd 100644 --- a/tools/releasetools/common.py +++ b/tools/releasetools/common.py @@ -954,3 +954,18 @@ def GetTypeAndDevice(mount_point, info): return PARTITION_TYPES[fstab[mount_point].fs_type], fstab[mount_point].device else: return None + + +def ParseCertificate(data): + """Parse a PEM-format certificate.""" + cert = [] + save = False + for line in data.split("\n"): + if "--END CERTIFICATE--" in line: + break + if save: + cert.append(line) + if "--BEGIN CERTIFICATE--" in line: + save = True + cert = "".join(cert).decode('base64') + return cert diff --git a/tools/releasetools/sign_target_files_apks b/tools/releasetools/sign_target_files_apks index 5556573..00693b8 100755 
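Review bot: The docstring on `ParseCertificate` in common.py does not state its return contract, which matters now that the function is shared by several tools. As written it returns the base64-decoded body of the first certificate block only, and an empty string when no `--BEGIN CERTIFICATE--` line is present; `CertFromPKCS7` relies on that with `if not cert`. I would extend the docstring to `"""Parse the first PEM certificate in data and return its decoded bytes, or "" if no certificate block is found; callers must check for the empty result."""`.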
--- a/tools/releasetools/sign_target_files_apks +++ b/tools/releasetools/sign_target_files_apks @@ -71,8 +71,10 @@ if sys.hexversion < 0x02040000: print >> sys.stderr, "Python 2.4 or newer is required." sys.exit(1) +import base64 import cStringIO import copy +import errno import os import re import subprocess @@ -161,11 +163,45 @@ def SignApks(input_tf_zip, output_tf_zip, apk_key_map, key_passwords): print "rewriting %s:" % (info.filename,) new_data = RewriteProps(data) output_tf_zip.writestr(out_info, new_data) + elif info.filename.endswith("mac_permissions.xml"): + print "rewriting %s with new keys." % (info.filename,) + new_data = ReplaceCerts(data) + output_tf_zip.writestr(out_info, new_data) else: # a non-APK file; copy it verbatim output_tf_zip.writestr(out_info, data) +def ReplaceCerts(data): + """Given a string of data, replace all occurences of a set + of X509 certs with a newer set of X509 certs and return + the updated data string.""" + for old, new in OPTIONS.key_map.iteritems(): + try: + if OPTIONS.verbose: + print " Replacing %s.x509.pem with %s.x509.pem" % (old, new) + f = open(old + ".x509.pem") + old_cert16 = base64.b16encode(common.ParseCertificate(f.read())).lower() + f.close() + f = open(new + ".x509.pem") + new_cert16 = base64.b16encode(common.ParseCertificate(f.read())).lower() + f.close() + # Only match entire certs. + pattern = "\\b"+old_cert16+"\\b" + (data, num) = re.subn(pattern, new_cert16, data, flags=re.IGNORECASE) + if OPTIONS.verbose: + print " Replaced %d occurence(s) of %s.x509.pem with " \ + "%s.x509.pem" % (num, old, new) + except IOError, e: + if (e.errno == errno.ENOENT and not OPTIONS.verbose): + continue + + print " Error accessing %s. %s. Skip replacing %s.x509.pem " \ + "with %s.x509.pem." % (e.filename, e.strerror, old, new) + + return data + + def EditTags(tags): """Given a string containing comma-separated tags, apply the edits specified in OPTIONS.tag_changes and return the updated string.""" |
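Review bot: The added `ReplaceCerts` never checks that `common.ParseCertificate` returned data. If a `.x509.pem` file has no certificate block, `old_cert16` is empty, the pattern becomes `\b\b`, and `re.subn` inserts the new cert at every word boundary of mac_permissions.xml. A guard before building the pattern would stop this, e.g. `if not old_cert16 or not new_cert16: raise ValueError("empty certificate for %s" % old)`. The error path also fails open: a missing file is skipped silently unless `OPTIONS.verbose` is set, other `IOError`s only print, and a zero `num` is reported only under verbose, so a release package can keep the dev certificate in the MMAC policy without any signal. Whether some `key_map` entries are expected to lack a `.x509.pem` is not visible here, but a non-verbose warning when nothing was replaced would make that case auditable. Separately, the `flags=` keyword of `re.subn` needs Python 2.7, while the version check at the top of this file still accepts 2.4.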