
resolve merge conflicts of 9cbe37e to nyc-mr1-dev-plus-aosp
authorTao Bao <tbao@google.com>
Tue, 21 Jun 2016 20:35:26 +0000 (13:35 -0700)
committerTao Bao <tbao@google.com>
Tue, 21 Jun 2016 20:37:26 +0000 (13:37 -0700)
Change-Id: I9643386f714fe520e5732d0e6dbe821131ea6d02

tools/releasetools/ota_from_target_files.py

@@@ -1167,17 -1172,19 +1176,19 @@@ def WriteABOTAPackageWithBrilloScript(t
          "default_system_dev_certificate",
          "build/target/product/security/testkey")
  
-   # A/B updater expects key in RSA format.
-   cmd = ["openssl", "pkcs8",
-          "-in", OPTIONS.package_key + OPTIONS.private_key_suffix,
-          "-inform", "DER", "-nocrypt"]
-   rsa_key = common.MakeTempFile(prefix="key-", suffix=".key")
-   cmd.extend(["-out", rsa_key])
-   p1 = common.Run(cmd, stdout=log_file, stderr=subprocess.STDOUT)
-   p1.communicate()
-   assert p1.returncode == 0, "openssl pkcs8 failed"
-   # Stage the output zip package for signing.
+   # A/B updater expects a signing key in RSA format. Gets the key ready for
+   # later use in step 3, unless a payload_signer has been specified.
+   if OPTIONS.payload_signer is None:
+     cmd = ["openssl", "pkcs8",
+            "-in", OPTIONS.package_key + OPTIONS.private_key_suffix,
+            "-inform", "DER", "-nocrypt"]
+     rsa_key = common.MakeTempFile(prefix="key-", suffix=".key")
+     cmd.extend(["-out", rsa_key])
 -    p1 = common.Run(cmd, stdout=subprocess.PIPE)
 -    p1.wait()
++    p1 = common.Run(cmd, stdout=log_file, stderr=subprocess.STDOUT)
++    p1.communicate()
+     assert p1.returncode == 0, "openssl pkcs8 failed"
+   # Stage the output zip package for package signing.
    temp_zip_file = tempfile.NamedTemporaryFile()
    output_zip = zipfile.ZipFile(temp_zip_file, "w",
                                 compression=zipfile.ZIP_DEFLATED)
    signed_metadata_sig_file = common.MakeTempFile(prefix="signed-sig-",
                                                   suffix=".bin")
    # 3a. Sign the payload hash.
-   cmd = ["openssl", "pkeyutl", "-sign",
-          "-inkey", rsa_key,
-          "-pkeyopt", "digest:sha256",
-          "-in", payload_sig_file,
-          "-out", signed_payload_sig_file]
+   if OPTIONS.payload_signer is not None:
+     cmd = [OPTIONS.payload_signer,
+            "-inkey", OPTIONS.package_key + OPTIONS.private_key_suffix]
+   else:
+     cmd = ["openssl", "pkeyutl", "-sign",
+            "-inkey", rsa_key,
+            "-pkeyopt", "digest:sha256"]
+   cmd.extend(["-in", payload_sig_file,
+               "-out", signed_payload_sig_file])
 -  p1 = common.Run(cmd, stdout=subprocess.PIPE)
 -  p1.wait()
 +  p1 = common.Run(cmd, stdout=log_file, stderr=subprocess.STDOUT)
 +  p1.communicate()
    assert p1.returncode == 0, "openssl sign payload failed"
  
    # 3b. Sign the metadata hash.
-   cmd = ["openssl", "pkeyutl", "-sign",
-          "-inkey", rsa_key,
-          "-pkeyopt", "digest:sha256",
-          "-in", metadata_sig_file,
-          "-out", signed_metadata_sig_file]
+   if OPTIONS.payload_signer is not None:
+     cmd = [OPTIONS.payload_signer,
+            "-inkey", OPTIONS.package_key + OPTIONS.private_key_suffix]
+   else:
+     cmd = ["openssl", "pkeyutl", "-sign",
+            "-inkey", rsa_key,
+            "-pkeyopt", "digest:sha256"]
+   cmd.extend(["-in", metadata_sig_file,
+               "-out", signed_metadata_sig_file])
 -  p1 = common.Run(cmd, stdout=subprocess.PIPE)
 -  p1.wait()
 +  p1 = common.Run(cmd, stdout=log_file, stderr=subprocess.STDOUT)
 +  p1.communicate()
    assert p1.returncode == 0, "openssl sign metadata failed"
  
    # 3c. Insert the signatures back into the payload file.
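Review bot: The failure checks after steps 3a and 3b still report "openssl sign payload failed" and "openssl sign metadata failed" even when the command that ran was `OPTIONS.payload_signer`. They are also `assert` statements, which are stripped under `python -O`, so a non-zero exit from the signer would not stop the build at this point. I would make the checks explicit and tool-neutral, e.g. `if p1.returncode != 0: raise RuntimeError("signing payload hash failed (exit %d)" % p1.returncode)`, and do the same for the metadata hash and the pkcs8 conversion. The external signer's contract is only implicit: it is handed the original key path (the file the openssl branch reads as unencrypted PKCS#8 DER) rather than the converted `rsa_key`, and presumably has to produce what `openssl pkeyutl -sign -pkeyopt digest:sha256` would. A comment above 3a such as `# payload_signer is run as: <signer> -inkey <package key> -in <hash> -out <sig>` would record that. WriteABOTAPackageWithBrilloScript starts and ends outside the visible lines.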