Add prod key for serverless config.
Integrate this into SignatureVerifier too. Bug: 110509075 Test: atest CtsSignedConfigHostTestCases Test: atest SignedConfigTest Change-Id: I816598c3332f9577c802109053d0d0b9b1f2a699
@@ -43,13 +43,18 @@ public class SignatureVerifier {
|
||||
private static final String DEBUG_KEY =
|
||||
"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEaAn2XVifsLTHg616nTsOMVmlhBoECGbTEBTKKvdd2hO60"
|
||||
+ "pj1pnU8SMkhYfaNxZuKgw9LNvOwlFwStboIYeZ3lQ==";
|
||||
private static final String PROD_KEY =
|
||||
"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE+lky6wKyGL6lE1VrD0YTMHwb0Xwc+tzC8MvnrzVxodvTp"
|
||||
+ "VY/jV7V+Zktcx+pry43XPABFRXtbhTo+qykhyBA1g==";
|
||||
|
||||
private final SignedConfigEvent mEvent;
|
||||
private final PublicKey mDebugKey;
|
||||
private final PublicKey mProdKey;
|
||||
|
||||
public SignatureVerifier(SignedConfigEvent event) {
|
||||
mEvent = event;
|
||||
mDebugKey = createKey(DEBUG_KEY);
|
||||
mDebugKey = Build.IS_DEBUGGABLE ? createKey(DEBUG_KEY) : null;
|
||||
mProdKey = createKey(PROD_KEY);
|
||||
}
|
||||
|
||||
private static PublicKey createKey(String base64) {
|
||||
@@ -70,6 +75,14 @@ public class SignatureVerifier {
|
||||
}
|
||||
}
|
||||
|
||||
private boolean verifyWithPublicKey(PublicKey key, byte[] data, byte[] signature)
|
||||
throws NoSuchAlgorithmException, InvalidKeyException, SignatureException {
|
||||
Signature verifier = Signature.getInstance("SHA256withECDSA");
|
||||
verifier.initVerify(key);
|
||||
verifier.update(data);
|
||||
return verifier.verify(signature);
|
||||
}
|
||||
|
||||
/**
|
||||
* Verify a signature for signed config.
|
||||
*
|
||||
@@ -93,10 +106,7 @@ public class SignatureVerifier {
|
||||
if (Build.IS_DEBUGGABLE) {
|
||||
if (mDebugKey != null) {
|
||||
if (DBG) Slog.w(TAG, "Trying to verify signature using debug key");
|
||||
Signature verifier = Signature.getInstance("SHA256withECDSA");
|
||||
verifier.initVerify(mDebugKey);
|
||||
verifier.update(data);
|
||||
if (verifier.verify(signature)) {
|
||||
if (verifyWithPublicKey(mDebugKey, data, signature)) {
|
||||
Slog.i(TAG, "Verified config using debug key");
|
||||
mEvent.verifiedWith = StatsLog.SIGNED_CONFIG_REPORTED__VERIFIED_WITH__DEBUG;
|
||||
return true;
|
||||
@@ -107,9 +117,18 @@ public class SignatureVerifier {
|
||||
Slog.w(TAG, "Debuggable build, but have no debug key");
|
||||
}
|
||||
}
|
||||
// TODO verify production key.
|
||||
Slog.w(TAG, "NO PRODUCTION KEY YET, FAILING VERIFICATION");
|
||||
mEvent.status = StatsLog.SIGNED_CONFIG_REPORTED__STATUS__SIGNATURE_CHECK_FAILED;
|
||||
return false;
|
||||
if (mProdKey == null) {
|
||||
Slog.e(TAG, "No prod key; construction failed?");
|
||||
return false;
|
||||
}
|
||||
if (verifyWithPublicKey(mProdKey, data, signature)) {
|
||||
Slog.i(TAG, "Verified config using production key");
|
||||
mEvent.verifiedWith = StatsLog.SIGNED_CONFIG_REPORTED__VERIFIED_WITH__PRODUCTION;
|
||||
return true;
|
||||
} else {
|
||||
if (DBG) Slog.i(TAG, "Verification failed using production key");
|
||||
mEvent.status = StatsLog.SIGNED_CONFIG_REPORTED__STATUS__SIGNATURE_CHECK_FAILED;
|
||||
return false;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
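Review bot: The new `mProdKey == null` branch returns false without touching `mEvent.status`, while the prod-key mismatch branch right below it records `SIGNED_CONFIG_REPORTED__STATUS__SIGNATURE_CHECK_FAILED`, so a device whose production key failed to load rejects every config without that showing in the reported event. Setting the status before the early return, `mEvent.status = StatsLog.SIGNED_CONFIG_REPORTED__STATUS__SIGNATURE_CHECK_FAILED;` (or a dedicated status if the enum has one), keeps the two failure paths consistent. The log text "construction failed?" suggests `createKey` returns null on a parse error, but its body is outside the hunk, so confirm that. `PROD_KEY` here duplicates `tools/signedconfig/prod_public.pem`, so a comment such as `// Must match tools/signedconfig/prod_public.pem` above the constant would help keep the two in sync. The start of the verify method is also outside the hunk.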
5
tools/signedconfig/prod_public.pem
Normal file
@@ -0,0 +1,5 @@
|
||||
-----BEGIN PUBLIC KEY-----
|
||||
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE+lky6wKyGL6lE1VrD0YTMHwb0Xwc
|
||||
+tzC8MvnrzVxodvTpVY/jV7V+Zktcx+pry43XPABFRXtbhTo+qykhyBA1g==
|
||||
-----END PUBLIC KEY-----
|
||||
|
||||
@@ -7,4 +7,30 @@
|
||||
# The arg values can be taken from the debug log for SignedConfigService when verbose logging is
|
||||
# enabled.
|
||||
|
||||
openssl dgst -sha256 -verify $(dirname $0)/debug_public.pem -signature <(echo $2 | base64 -d) <(echo $1 | base64 -d)
|
||||
function verify() {
|
||||
D=${1}
|
||||
S=${2}
|
||||
K=${3}
|
||||
echo Trying ${K}
|
||||
openssl dgst -sha256 -verify $(dirname $0)/${K} -signature <(echo ${S} | base64 -d) <(echo ${D} | base64 -d)
|
||||
}
|
||||
|
||||
|
||||
PROD_KEY_NAME=prod_public.pem
|
||||
DEBUG_KEY_NAME=debug_public.pem
|
||||
SIGNATURE="$2"
|
||||
DATA="$1"
|
||||
|
||||
echo DATA: ${DATA}
|
||||
echo SIGNATURE: ${SIGNATURE}
|
||||
|
||||
if verify "${DATA}" "${SIGNATURE}" "${PROD_KEY_NAME}"; then
|
||||
echo Verified with ${PROD_KEY_NAME}
|
||||
exit 0
|
||||
fi
|
||||
|
||||
if verify "${DATA}" "${SIGNATURE}" "${DEBUG_KEY_NAME}"; then
|
||||
echo Verified with ${DEBUG_KEY_NAME}
|
||||
exit 0
|
||||
fi
|
||||
exit 1
|
||||
|
||||
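Review bot: The script exits 0 whether the signature verified against `prod_public.pem` or `debug_public.pem`, so anything that checks only the exit status cannot tell a debug-signed config from a production-signed one; the key is visible only in the echoed text. A distinct status on the debug path (for example `exit 2`, value illustrative) or a header comment stating that 0 means "either key" would make that explicit. Separately, the expansions inside `verify()` are unquoted and `D`, `S` and `K` are globals. Writing `local D="${1}" S="${2}" K="${3}"` and `openssl dgst -sha256 -verify "$(dirname "$0")/${K}" -signature <(echo "${S}" | base64 -d) <(echo "${D}" | base64 -d)` avoids word splitting when the script path contains spaces. The start of the script is outside the hunk.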