Gitiles
Code Review Sign In
gerrit.omnirom.org / android_build / 32961d02033706d11ec258d09f32a31febce4f20^1..32961d02033706d11ec258d09f32a31febce4f20 / .
commit32961d02033706d11ec258d09f32a31febce4f20[log] [tgz]
authorInseob Kim <inseob@google.com>Wed Dec 15 06:03:31 2021 +0000
committerGerrit Code Review <noreply-gerritcodereview@google.com>Wed Dec 15 06:03:31 2021 +0000
treebc30929f5d8fcac9ccdbbf0ca509d89c79d1cc00
parent46c84edacf8b1fd0adc85a50ab59ee8f8c1e7b66 [diff]
parent067492988aa84522f54f0a57d0b6fc2530bbe18a [diff]
Merge changes I6f61a908,Iafd22881

* changes:
  fsverity_metadata: Support PEM key
  Add fsverity_metadata_generator helper binary

diff --git a/tools/releasetools/Android.bp b/tools/releasetools/Android.bp
index a979a8e..bf7f9a0 100644
--- a/tools/releasetools/Android.bp
+++ b/tools/releasetools/Android.bp

@@ -553,6 +553,19 @@
     ],
 }
 
+python_binary_host {
+    name: "fsverity_metadata_generator",
+    srcs: [
+        "fsverity_metadata_generator.py",
+    ],
+    libs: [
+        "fsverity_digests_proto_python",
+    ],
+    required: [
+        "fsverity",
+    ],
+}
+
 //
 // Tests.
 //

diff --git a/tools/releasetools/fsverity_metadata_generator.py b/tools/releasetools/fsverity_metadata_generator.py
index 666efd5..a300d2e 100644
--- a/tools/releasetools/fsverity_metadata_generator.py
+++ b/tools/releasetools/fsverity_metadata_generator.py

@@ -55,6 +55,9 @@
     self.set_hash_alg("sha256")
     self.set_signature('none')
 
+  def set_key_format(self, key_format):
+    self._key_format = key_format
+
   def set_key(self, key):
     self._key = key
 
@@ -130,14 +133,17 @@
       cmd.append(input_file)
       cmd.append(sig_file)
 
-      # convert DER private key to PEM
-      pem_key = os.path.join(work_dir, 'key.pem')
-      key_cmd = ['openssl', 'pkcs8']
-      key_cmd.extend(['-inform', 'DER'])
-      key_cmd.extend(['-in', self._key])
-      key_cmd.extend(['-nocrypt'])
-      key_cmd.extend(['-out', pem_key])
-      subprocess.check_call(key_cmd)
+      # If key is DER, convert DER private key to PEM
+      if self._key_format == 'der':
+        pem_key = os.path.join(work_dir, 'key.pem')
+        key_cmd = ['openssl', 'pkcs8']
+        key_cmd.extend(['-inform', 'DER'])
+        key_cmd.extend(['-in', self._key])
+        key_cmd.extend(['-nocrypt'])
+        key_cmd.extend(['-out', pem_key])
+        subprocess.check_call(key_cmd)
+      else:
+        pem_key = self._key
 
       cmd.extend(['--key', pem_key])
       cmd.extend(['--cert', self._cert])
@@ -196,8 +202,13 @@
       'input',
       help='input file to be signed')
   p.add_argument(
+      '--key-format',
+      choices=['pem', 'der'],
+      default='der',
+      help='format of the input key. Default is der')
+  p.add_argument(
       '--key',
-      help='PKCS#8 private key file in DER format')
+      help='PKCS#8 private key file')
   p.add_argument(
       '--cert',
       help='x509 certificate file in PEM format')
@@ -227,5 +238,6 @@
       raise ValueError("To generate signature, key and cert must be set")
     generator.set_key(args.key)
     generator.set_cert(args.cert)
+  generator.set_key_format(args.key_format)
   generator.set_hash_alg(args.hash_alg)
   generator.generate(args.input, args.output)