Sign with PKCS file instead of raw key/cert
authorKichan Kwon <k_c.kwon@samsung.com>
Tue, 2 Jun 2020 11:34:06 +0000 (20:34 +0900)
committerKichan Kwon <k_c.kwon@samsung.com>
Wed, 3 Jun 2020 01:44:35 +0000 (10:44 +0900)
- delta-generation.sh arguments are changed (PKCS#12 file and its password replace the separate key/cert paths)
  - delta-generation.sh TOTA_UPG_PATH TARGET SIGN_PKCS_FILE SIGN_PKCS_PASSWORD

Change-Id: Ifcf092f4df87638ea31ea5d96aa3aeb90990ece2
Signed-off-by: Kichan Kwon <k_c.kwon@samsung.com>
mk_delta/common/bin/mk_delta.sh
mk_delta/common/bin/sign_upg.sh
scripts/delta-generation.sh

index 5e7e71f..529e261 100755 (executable)
@@ -358,10 +358,10 @@ cd ${DELTA_DIR}
 sudo cp ${COMMON_BINDIR}/unpack.sh ./
 sudo tar --overwrite -cf ../delta.tar *
 
-SIGN_KEY=$1
-SIGN_CERT=$2
-if [ "z${SIGN_KEY}" != "z" ] && [ "z${SIGN_CERT}" != "z" ]; then
-       sudo ${COMMON_BINDIR}/sign_upg.sh ${SIGN_KEY} ${SIGN_CERT} ../delta.tar
+SIGN_PKCS_FILE=$1
+SIGN_PKCS_PASSWORD=$2
+if [ "z${SIGN_PKCS_FILE}" != "z" ] && [ "z${SIGN_PKCS_PASSWORD}" != "z" ]; then
+       sudo ${COMMON_BINDIR}/sign_upg.sh ${SIGN_PKCS_FILE} ${SIGN_PKCS_PASSWORD} ../delta.tar
 fi
 cd -
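Review bot: The PKCS#12 password is now passed as a plain positional argument to a `sudo`-invoked script, so for the lifetime of sign_upg.sh it is readable by every local user via `ps`/`/proc/*/cmdline`, and with sudo's default logging the full command line — password included — is written to the system auth log. The previous key/cert paths were harmless in argv; a secret is not, so consider passing it out-of-band instead, e.g. a password file consumed with `-passin file:` in sign_upg.sh, or an exported variable preserved through sudo (which depends on the sudoers policy allowing it). Independently, the new line should quote its expansions, `sudo "${COMMON_BINDIR}/sign_upg.sh" "${SIGN_PKCS_FILE}" "${SIGN_PKCS_PASSWORD}" ../delta.tar`, since an unquoted password containing whitespace or glob characters is split into several arguments and the script signs with a different password than the user supplied. The enclosing script continues outside this hunk.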
 
index 4db3105..f3b9677 100755 (executable)
@@ -31,14 +31,13 @@ CheckNull() {
        fi
 }
 
-KEY=$1
-CERT=$2
+PKCS=$1
+PKCS_PASSWORD=$2
 FILE=$3
 SIGNED_FILE=$4
 CheckArgument() {
        ArgumentList=(
-               ${KEY}
-               ${CERT}
+               ${PKCS}
                ${FILE}
        )
 
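Review bot: `PKCS_PASSWORD` is deliberately left out of `ArgumentList`, so an empty or missing second argument is not rejected here and later becomes `-passin pass:` (an empty password), which openssl accepts for an unprotected PKCS#12 file. If that is intended, a one-line comment such as `# PKCS_PASSWORD may legitimately be empty for an unprotected .p12` would stop the next reader from "fixing" it; if not, add `${PKCS_PASSWORD}` to the list. Note also that the unquoted array entries collapse empty values, so a missing `${PKCS}` silently shortens the list rather than producing an empty element; `CheckArgument`'s loop over it continues outside this hunk, so I cannot tell whether that is what the check relies on.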
@@ -72,6 +71,20 @@ CheckTool() {
        done
 }
 
+KEY=""
+CERT=""
+ExtractFromPKCSFile() {
+       echo "Extract from PKCS file..."
+
+       KEY=${TMP_DIR}/key.pem
+       ${OPENSSL} pkcs12 -in ${PKCS} -nocerts -passin pass:${PKCS_PASSWORD} -passout pass:${PKCS_PASSWORD} -out ${KEY}
+       CheckFile ${KEY}
+
+       CERT=${TMP_DIR}/cert.pem
+       ${OPENSSL} pkcs12 -in ${PKCS} -clcerts -nokeys -passin pass:${PKCS_PASSWORD} -out ${CERT}
+       CheckFile ${CERT}
+}
+
 SIGNATURE=""
 SIGNATURE_SIZE=""
 SignFile() {
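Review bot: Both `openssl pkcs12` invocations in `ExtractFromPKCSFile` put the password on the command line via `-passin pass:${PKCS_PASSWORD}` (and `-passout pass:` on the first), so while each runs it is visible to any local user in the process list; openssl's `env:VAR` source avoids that, and `/proc/<pid>/environ` is readable only by the process owner. The same unquoted expansion also breaks on a password containing spaces. `CheckFile` apparently only tests the output path, and openssl may leave a (possibly empty) output file behind on a wrong password, so the exit status is the reliable signal. The private key is written to `${TMP_DIR}/key.pem`; it is re-encrypted with the same password, which is good, but `TMP_DIR`'s creation mode and cleanup live in `Initialize` outside this hunk — worth confirming it is created with restrictive permissions and removed on every exit path.
```shell
ExtractFromPKCSFile() {
	echo "Extract from PKCS file..."

	# Hand the password to openssl through the environment, not argv,
	# so it does not show up in `ps` for other local users.
	export PKCS_PASSWORD

	KEY=${TMP_DIR}/key.pem
	"${OPENSSL}" pkcs12 -in "${PKCS}" -nocerts -passin env:PKCS_PASSWORD -passout env:PKCS_PASSWORD -out "${KEY}" || exit 1
	CheckFile "${KEY}"

	CERT=${TMP_DIR}/cert.pem
	"${OPENSSL}" pkcs12 -in "${PKCS}" -clcerts -nokeys -passin env:PKCS_PASSWORD -out "${CERT}" || exit 1
	CheckFile "${CERT}"
}
```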
@@ -80,7 +93,7 @@ SignFile() {
        SIGNATURE=${TMP_DIR}/$(${BASENAME} ${FILE}).sign
        CheckNull ${SIGNATURE} "Failed to name signature"
 
-       ${OPENSSL} dgst -sha256 -sign ${KEY} -out ${SIGNATURE} ${FILE}
+       ${OPENSSL} dgst -sha256 -sign ${KEY} -passin pass:${PKCS_PASSWORD} -out ${SIGNATURE} ${FILE}
        CheckFile ${SIGNATURE} "Failed to sign"
 
        SIGNATURE_SIZE=$(${STAT} -c %s ${SIGNATURE})
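Review bot: The added `-passin pass:${PKCS_PASSWORD}` on the `dgst` call exposes the password in the process list for the duration of the signing, exactly as in `ExtractFromPKCSFile`; `${KEY}` here is the encrypted PEM that call wrote with `-passout`, so a password is needed, but it should come from the environment: `"${OPENSSL}" dgst -sha256 -sign "${KEY}" -passin env:PKCS_PASSWORD -out "${SIGNATURE}" "${FILE}"` with `export PKCS_PASSWORD` done once where the variable is assigned. As with the other call, a failed signing is better caught by the exit status than by `CheckFile` on the output path, e.g. `|| exit 1`. `SignFile` starts and ends outside this hunk.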
@@ -142,8 +155,8 @@ InsertSignature() {
 echo "********** Package Signing Start **********"
 
 if [ "$#" -lt 3 ]; then
-       echo "Usage : sign_upg.sh KEY CERT FILE_NAME [SIGNED_FILE_NAME]"
-       echo "  - KEY and CERT should be PEM format"
+       echo "Usage : sign_upg.sh PKCS_FILE PKCS_PASSWORD FILE_NAME [SIGNED_FILE_NAME]"
+       echo "  - PKCS_FILE should include private key and certificate"
        echo "  - If SIGNED_FILE_NAME is NULL, signature will be overwritten to FILE_NAME"
        exit
 fi
@@ -152,6 +165,7 @@ CheckArgument
 CheckTool
 
 Initialize
+ExtractFromPKCSFile
 SignFile
 ConvertCert
 AttachSignature
index 8e5223b..e83268e 100755 (executable)
 
 # Get argument
 if [ $# -lt 2 ]; then
-       echo "Usage: delta-generation.sh TOTA_UPG_PATH TARGET [SIGN_KEY SIGN_CERT]"
+       echo "Usage: delta-generation.sh TOTA_UPG_PATH TARGET [SIGN_PKCS_FILE SIGN_PKCS_PASSWORD]"
        echo " TARGET> rpi3 | tw1"
        exit
 fi
 
 TOTA_UPG_PATH=$1
 TARGET=$2
-SIGN_KEY=$3
-SIGN_CERT=$4
+SIGN_PKCS_FILE=$3
+SIGN_PKCS_PASSWORD=$4
 
 # Path of downloaded images (old, new)
 TOTA_UPG_WORK=${TOTA_UPG_PATH}/mk_delta/${TARGET}
@@ -57,5 +57,5 @@ cd ${CWD}
 # Execute mk_delta script
 CWD=${PWD}
 cd ${TOTA_UPG_WORK}
-../common/bin/mk_delta.sh ${SIGN_KEY} ${SIGN_CERT}
+../common/bin/mk_delta.sh ${SIGN_PKCS_FILE} ${SIGN_PKCS_PASSWORD}
 cd ${CWD}
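Review bot: `${SIGN_PKCS_FILE}` and `${SIGN_PKCS_PASSWORD}` are passed unquoted to mk_delta.sh, which forwards them unquoted again, so a password containing a space, tab or shell glob character is word-split before it ever reaches openssl and the signing either fails or, worse, succeeds with a truncated password; the fix is `../common/bin/mk_delta.sh "${SIGN_PKCS_FILE}" "${SIGN_PKCS_PASSWORD}"`. Since the optional arguments are `$3`/`$4`, it would also help to state in the usage text that the password is taken on the command line and therefore ends up in shell history and process listings, so users can choose to supply it from a file instead if that option is added.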