
DO NOT MERGE: Update keystore and verity metadata signers
authorSami Tolvanen <samitolvanen@google.com>
Fri, 7 Nov 2014 04:29:22 +0000 (20:29 -0800)
committerIliyan Malchev <malchev@google.com>
Thu, 13 Nov 2014 23:38:33 +0000 (15:38 -0800)
Use the same PKCS8 format as every other signing tool, and update
the signature format to use SHA-256 instead of SHA-1.

Bug: 15984840
Bug: 18120110
Change-Id: I6ac9e3594b5ae572f5b6763f3bd5b1bdb6ba2ad2
(cherry picked from commit 19c6bb5fe97c877976ef79762c6051223b8d2213)

verity/KeystoreSigner.java
verity/VeritySigner.java

index c020fb6..3d946a6 100644 (file)
@@ -19,6 +19,7 @@ package com.android.verity;
 import java.io.IOException;
 import java.security.PrivateKey;
 import java.security.PublicKey;
+import java.security.Security;
 import java.security.Signature;
 import org.bouncycastle.asn1.ASN1Encodable;
 import org.bouncycastle.asn1.ASN1EncodableVector;
@@ -32,6 +33,7 @@ import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
 import org.bouncycastle.asn1.pkcs.RSAPublicKey;
 import org.bouncycastle.asn1.util.ASN1Dump;
 import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
 
 /**
  * AndroidVerifiedBootKeystore DEFINITIONS ::=
@@ -114,7 +116,7 @@ class BootKeystore extends ASN1Object
         byte[] rawSignature = Utils.sign(privateKey, innerKeystore);
         signature = new BootSignature("keystore", innerKeystore.length);
         signature.setSignature(rawSignature,
-                new AlgorithmIdentifier(PKCSObjectIdentifiers.sha1WithRSAEncryption));
+                Utils.getSignatureAlgorithmIdentifier(privateKey));
     }
 
     public void dump() throws Exception {
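Review bot: The algorithm identifier written into the keystore and the algorithm actually used to produce the signature are now chosen by two separate helpers, `Utils.sign(privateKey, innerKeystore)` and `Utils.getSignatureAlgorithmIdentifier(privateKey)`, each deciding independently from the key; if those two ever disagree, the AlgorithmIdentifier will not describe the signature a verifier is asked to check, and nothing in this method asserts they match. At minimum pin the invariant at the setSignature call with `// must name the same algorithm Utils.sign() selects for this key type`; a cleaner fix is a single helper that returns the signature together with its identifier. The enclosing sign() method begins before this hunk.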
@@ -126,13 +128,14 @@ class BootKeystore extends ASN1Object
     // EG:
     //     java -cp ../../../out/host/common/obj/JAVA_LIBRARIES/AndroidVerifiedBootKeystoreSigner_intermediates/classes/ com.android.verity.AndroidVerifiedBootKeystoreSigner ../../../build/target/product/security/verity_private_dev_key /tmp/keystore.out /tmp/k
     public static void main(String[] args) throws Exception {
+        Security.addProvider(new BouncyCastleProvider());
         String privkeyFname = args[0];
         String outfileFname = args[1];
         BootKeystore ks = new BootKeystore();
         for (int i=2; i < args.length; i++) {
             ks.addPublicKey(Utils.read(args[i]));
         }
-        ks.sign(Utils.loadPEMPrivateKeyFromFile(privkeyFname));
+        ks.sign(Utils.loadDERPrivateKeyFromFile(privkeyFname));
         Utils.write(ks.getEncoded(), outfileFname);
     }
 }
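Review bot: The usage comment above main (the `// EG:` line) still shows the `verity_private_dev_key` argument without stating its encoding, while the changed `ks.sign(Utils.loadDERPrivateKeyFromFile(privkeyFname))` line now requires a DER-encoded PKCS8 key instead of the PEM file the previous version accepted, so anyone following the example with the old key will presumably get a parse failure with no hint in the documentation. Add `// privkey must be a DER-encoded PKCS8 private key (see Utils.loadDERPrivateKeyFromFile)` next to the EG comment. The same documentation gap applies to VeritySigner.main below. Indexing args without a length check predates this change.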
index 44c5602..d11878a 100644 (file)
@@ -17,6 +17,8 @@
 package com.android.verity;
 
 import java.security.PrivateKey;
+import java.security.Security;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
 
 public class VeritySigner {
 
@@ -25,8 +27,9 @@ public class VeritySigner {
     // To verify that this has correct output:
     //     openssl rsautl -raw -inkey <key.pem> -encrypt -in <sigfile> > /tmp/dump
     public static void main(String[] args) throws Exception {
+        Security.addProvider(new BouncyCastleProvider());
         byte[] content = Utils.read(args[0]);
-        PrivateKey privateKey = Utils.loadPEMPrivateKey(Utils.read(args[1]));
+        PrivateKey privateKey = Utils.loadDERPrivateKey(Utils.read(args[1]));
         byte[] signature = Utils.sign(privateKey, content);
         Utils.write(signature, args[2]);
     }
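Review bot: The verification recipe in the comment above main, `openssl rsautl -raw -inkey <key.pem> -encrypt -in <sigfile> > /tmp/dump`, is stale after this hunk: the key loaded on the changed `Utils.loadDERPrivateKey` line is DER-encoded, so the recipe needs `-keyform DER` and should not suggest a PEM placeholder, e.g. `//     openssl rsautl -raw -inkey <key.der> -keyform DER -encrypt -in <sigfile> > /tmp/dump`. If the recipe is still meant to be followed, the digest expected in the dump also changes with the SHA-256 switch described in the commit message, which the comment could mention.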