From f0f33adb7ce6557459306ce03576af4d79c0c9ef Mon Sep 17 00:00:00 2001
From: Sami Tolvanen
Date: Thu, 6 Nov 2014 20:29:22 -0800
Subject: [PATCH] DO NOT MERGE: Update keystore and verity metadata signers

Use the same PKCS8 format as every other signing tool, and update the signature format to use SHA-256 instead of SHA-1.

Bug: 15984840
Bug: 18120110
Change-Id: I6ac9e3594b5ae572f5b6763f3bd5b1bdb6ba2ad2
(cherry picked from commit 19c6bb5fe97c877976ef79762c6051223b8d2213)
---
 verity/KeystoreSigner.java | 7 +++++--
 verity/VeritySigner.java | 5 ++++-
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/verity/KeystoreSigner.java b/verity/KeystoreSigner.java
index c020fb60..3d946a69 100644
--- a/verity/KeystoreSigner.java
+++ b/verity/KeystoreSigner.java
@@ -19,6 +19,7 @@ package com.android.verity;
 import java.io.IOException;
 import java.security.PrivateKey;
 import java.security.PublicKey;
+import java.security.Security;
 import java.security.Signature;
 import org.bouncycastle.asn1.ASN1Encodable;
 import org.bouncycastle.asn1.ASN1EncodableVector;
@@ -32,6 +33,7 @@ import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
 import org.bouncycastle.asn1.pkcs.RSAPublicKey;
 import org.bouncycastle.asn1.util.ASN1Dump;
 import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
 
 /**
  * AndroidVerifiedBootKeystore DEFINITIONS ::=
@@ -114,7 +116,7 @@ class BootKeystore extends ASN1Object
 byte[] rawSignature = Utils.sign(privateKey, innerKeystore);
 signature = new BootSignature("keystore", innerKeystore.length);
 signature.setSignature(rawSignature,
- new AlgorithmIdentifier(PKCSObjectIdentifiers.sha1WithRSAEncryption));
+ Utils.getSignatureAlgorithmIdentifier(privateKey));
 }
 
 public void dump() throws Exception {
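Review bot: The AlgorithmIdentifier recorded through `signature.setSignature(rawSignature, Utils.getSignatureAlgorithmIdentifier(privateKey))` is now derived from the private key alone, while the digest actually applied is chosen inside `Utils.sign(privateKey, innerKeystore)` on the first line of the hunk — nothing here ties the two choices together, so if the two helpers ever pick digests by different rules the OID written into the keystore will not describe the bytes in `rawSignature` and verifiers will reject it. `Utils` is not part of this patch, so I can only infer that both derive from the key type as the commit message's move to SHA-256 suggests; computing the identifier once, `AlgorithmIdentifier algId = Utils.getSignatureAlgorithmIdentifier(privateKey);`, before the signing call and adding `// the digest Utils.sign() applies must be the one named in algId` would at least make the coupling visible to the next maintainer. Keystores emitted with the new identifier will presumably no longer verify against consumers that still expect sha1WithRSAEncryption, which is worth spelling out in the commit message given the DO NOT MERGE tag. The enclosing sign() method begins before this hunk.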
@@ -126,13 +128,14 @@ class BootKeystore extends ASN1Object
 // EG:
 // java -cp ../../../out/host/common/obj/JAVA_LIBRARIES/AndroidVerifiedBootKeystoreSigner_intermediates/classes/ com.android.verity.AndroidVerifiedBootKeystoreSigner ../../../build/target/product/security/verity_private_dev_key /tmp/keystore.out /tmp/k
 public static void main(String[] args) throws Exception {
+ Security.addProvider(new BouncyCastleProvider());
 String privkeyFname = args[0];
 String outfileFname = args[1];
 BootKeystore ks = new BootKeystore();
 for (int i=2; i < args.length; i++) {
 ks.addPublicKey(Utils.read(args[i]));
 }
- ks.sign(Utils.loadPEMPrivateKeyFromFile(privkeyFname));
+ ks.sign(Utils.loadDERPrivateKeyFromFile(privkeyFname));
 Utils.write(ks.getEncoded(), outfileFname);
 }
 }
diff --git a/verity/VeritySigner.java b/verity/VeritySigner.java
index 44c56028..d11878ab 100644
--- a/verity/VeritySigner.java
+++ b/verity/VeritySigner.java
@@ -17,6 +17,8 @@ package com.android.verity;
 import java.security.PrivateKey;
+import java.security.Security;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
 public class VeritySigner {
@@ -25,8 +27,9 @@ public class VeritySigner {
 // To verify that this has correct output:
 // openssl rsautl -raw -inkey -encrypt -in > /tmp/dump
 public static void main(String[] args) throws Exception {
+ Security.addProvider(new BouncyCastleProvider());
 byte[] content = Utils.read(args[0]);
- PrivateKey privateKey = Utils.loadPEMPrivateKey(Utils.read(args[1]));
+ PrivateKey privateKey = Utils.loadDERPrivateKey(Utils.read(args[1]));
 byte[] signature = Utils.sign(privateKey, content);
 Utils.write(signature, args[2]);
 }
-- 
2.11.0
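Review bot: main() hands `args[0]` to `Utils.loadDERPrivateKeyFromFile` with no check on `args.length`, so running the tool with fewer than two arguments dies with an ArrayIndexOutOfBoundsException, and with exactly two the `for (int i=2; ...)` loop adds nothing and the tool silently signs a keystore that contains no public keys; a guard before the new `Security.addProvider` line, `if (args.length < 3) { System.err.println("usage: AndroidVerifiedBootKeystoreSigner <pkcs8-der-privkey> <keystore.out> <pubkey>..."); System.exit(1); }`, would make both cases explicit. The example invocation in the `// EG:` comment predates the loader change and still names `verity_private_dev_key` without saying the file must now be a PKCS#8 DER key rather than the PEM the old loader accepted; I would append `// privkey must be an unencrypted PKCS#8 DER (.pk8) key, not PEM` so the next user does not have to decode a low-level ASN.1 parse failure. What the DER loader does on a PEM input is inferred, since Utils is outside this patch.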
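Review bot: The verification recipe in the `// openssl rsautl -raw -inkey -encrypt -in > /tmp/dump` comment is now out of step with the code below it: `Utils.loadDERPrivateKey` consumes a DER/PKCS#8 key, but `openssl rsautl -inkey` reads PEM unless `-keyform DER` is given, so the documented command fails on the very key file this tool now accepts. I would change it to `// openssl rsautl -raw -keyform DER -inkey <key.pk8> -encrypt -in <sig> > /tmp/dump` and, since the commit message says the digest moved to SHA-256, add `// /tmp/dump should be a PKCS#1 v1.5 block whose DigestInfo carries the SHA-256 of the input` — stated as an expectation to confirm, because the padding and digest are fixed inside Utils.sign, which is not in this patch. As in the keystore signer, `args[0]`..`args[2]` are read without an `args.length` check, so a short command line ends in an ArrayIndexOutOfBoundsException rather than a usage message.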