boot_signer: allow verification using an external certificate

Add a -certificate parameter, which allows one to specify an external
public key certificate to use for verifying boot image signatures:

  boot_signer -verify boot.img -certificate cert.x509.pem

This makes it possible to confirm that the boot image has been signed
with a specific key.

Change-Id: I41f1a05e1c8be3bfac2a86678d81beaae0e371bb

diff --git a/verity/BootSignature.java b/verity/BootSignature.java
index 03eb32a..3cf9499 100644 (file)
--- a/verity/BootSignature.java
+++ b/verity/BootSignature.java
@@ -149,6 +149,7 @@ public class BootSignature extends ASN1Object
             throws Exception, IOException, CertificateEncodingException {
         ASN1InputStream s = new ASN1InputStream(cert.getEncoded());
         certificate = s.readObject();
+        publicKey = cert.getPublicKey();
     }
 
     public byte[] generateSignableImage(byte[] image) throws IOException {
@@ -253,7 +254,7 @@ public class BootSignature extends ASN1Object
         Utils.write(image_with_metadata, outPath);
     }
 
-    public static void verifySignature(String imagePath) throws Exception {
+    public static void verifySignature(String imagePath, String certPath) throws Exception {
         byte[] image = Utils.read(imagePath);
         int signableSize = getSignableImageSize(image);
 
@@ -264,6 +265,11 @@ public class BootSignature extends ASN1Object
         byte[] signature = Arrays.copyOfRange(image, signableSize, image.length);
         BootSignature bootsig = new BootSignature(signature);
 
+        if (!certPath.isEmpty()) {
+            System.err.println("NOTE: verifying using public key from " + certPath);
+            bootsig.setCertificate(Utils.loadPEMCertificate(certPath));
+        }
+
         try {
             if (bootsig.verify(Arrays.copyOf(image, signableSize))) {
                 System.err.println("Signature is VALID");
@@ -291,8 +297,15 @@ public class BootSignature extends ASN1Object
         Security.addProvider(new BouncyCastleProvider());
 
         if ("-verify".equals(args[0])) {
+            String certPath = "";
+
+            if (args.length >= 4 && "-certificate".equals(args[2])) {
+                /* args[3] is the path to a public key certificate */
+                certPath = args[3];
+            }
+
             /* args[1] is the path to a signed boot image */
-            verifySignature(args[1]);
+            verifySignature(args[1], certPath);
         } else {
             /* args[0] is the target name, typically /boot
                args[1] is the path to a boot image to sign