Merge "Adding tests using Domain::KEY_ID."
diff --git a/fsverity/Android.bp b/fsverity/Android.bp
index 2fc3c01..040c99b 100644
--- a/fsverity/Android.bp
+++ b/fsverity/Android.bp
@@ -42,6 +42,12 @@
},
}
+python_binary_host {
+ name: "fsverity_manifest_generator",
+ srcs: ["fsverity_manifest_generator.py"],
+ libs: ["fsverity_digests_proto_python"],
+}
+
rust_protobuf {
name: "libfsverity_digests_proto_rust",
crate_name: "fsverity_digests_proto",
diff --git a/fsverity/fsverity_manifest_generator.py b/fsverity/fsverity_manifest_generator.py
new file mode 100644
index 0000000..0b01a55
--- /dev/null
+++ b/fsverity/fsverity_manifest_generator.py
@@ -0,0 +1,68 @@
+#!/usr/bin/env python3
+#
+# Copyright 2022 Google Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""
+`fsverity_manifest_generator` generates the a manifest file containing digests
+of target files.
+"""
+
+import argparse
+import os
+import subprocess
+import sys
+from fsverity_digests_pb2 import FSVerityDigests
+
+HASH_ALGORITHM = 'sha256'
+
+def _digest(fsverity_path, input_file):
+ cmd = [fsverity_path, 'digest', input_file]
+ cmd.extend(['--compact'])
+ cmd.extend(['--hash-alg', HASH_ALGORITHM])
+ out = subprocess.check_output(cmd, universal_newlines=True).strip()
+ return bytes(bytearray.fromhex(out))
+
+if __name__ == '__main__':
+ p = argparse.ArgumentParser()
+ p.add_argument(
+ '--output',
+ help='Path to the output manifest',
+ required=True)
+ p.add_argument(
+ '--fsverity-path',
+ help='path to the fsverity program',
+ required=True)
+ p.add_argument(
+ '--base-dir',
+ help='directory to use as a relative root for the inputs',
+ required=True)
+ p.add_argument(
+ 'inputs',
+ nargs='+',
+ help='input file for the build manifest')
+ args = p.parse_args(sys.argv[1:])
+
+ digests = FSVerityDigests()
+ for f in sorted(args.inputs):
+ # f is a full path for now; make it relative so it starts with {mount_point}/
+ digest = digests.digests[os.path.relpath(f, args.base_dir)]
+ print(f"{os.path.relpath(f, args.base_dir)}")
+ digest.digest = _digest(args.fsverity_path, f)
+ digest.hash_alg = HASH_ALGORITHM
+
+ manifest = digests.SerializeToString()
+
+ with open(args.output, "wb") as f:
+ f.write(manifest)
diff --git a/keystore2/src/database.rs b/keystore2/src/database.rs
index baa3b12..5cdfbe9 100644
--- a/keystore2/src/database.rs
+++ b/keystore2/src/database.rs
@@ -324,7 +324,7 @@
0x41, 0xe3, 0xb9, 0xce, 0x27, 0x58, 0x4e, 0x91, 0xbc, 0xfd, 0xa5, 0x5d, 0x91, 0x85, 0xab, 0x11,
]);
-static EXPIRATION_BUFFER_MS: i64 = 20000;
+static EXPIRATION_BUFFER_MS: i64 = 12 * 60 * 60 * 1000;
/// Indicates how the sensitive part of this key blob is encrypted.
#[derive(Debug, Eq, PartialEq, Ord, PartialOrd)]
diff --git a/keystore2/src/permission.rs b/keystore2/src/permission.rs
index 7b3199c..3cc116b 100644
--- a/keystore2/src/permission.rs
+++ b/keystore2/src/permission.rs
@@ -19,6 +19,7 @@
//! defined by keystore2 and keystore2_key respectively.
use crate::error::Error as KsError;
+use crate::error::ResponseCode;
use android_system_keystore2::aidl::android::system::keystore2::{
Domain::Domain, KeyDescriptor::KeyDescriptor, KeyPermission::KeyPermission,
};
@@ -390,7 +391,7 @@
tctx
}
_ => {
- return Err(KsError::sys())
+ return Err(KsError::Rc(ResponseCode::INVALID_ARGUMENT))
.context(format!("Unknown domain value: \"{:?}\".", key.domain))
}
};