Introduce package signing

- To sign delta, you can call delta-generation like this
  - delta-generation.sh TOTA_UPG_PATH TARGET SIGN_KEY SIGN_CERT

Change-Id: I783d2f081dbb81618a278d1673d451fa16cf05f4
Signed-off-by: Kichan Kwon <k_c.kwon@samsung.com>

diff --git a/mk_delta/common/bin/mk_delta.sh b/mk_delta/common/bin/mk_delta.sh
index 625a5d2..5e7e71f 100755 (executable)
--- a/mk_delta/common/bin/mk_delta.sh
+++ b/mk_delta/common/bin/mk_delta.sh
@@ -357,6 +357,12 @@ fi
 cd ${DELTA_DIR}
 sudo cp ${COMMON_BINDIR}/unpack.sh ./
 sudo tar --overwrite -cf ../delta.tar *
+
+SIGN_KEY=$1
+SIGN_CERT=$2
+if [ "z${SIGN_KEY}" != "z" ] && [ "z${SIGN_CERT}" != "z" ]; then
+       sudo ${COMMON_BINDIR}/sign_upg.sh ${SIGN_KEY} ${SIGN_CERT} ../delta.tar
+fi
 cd -
 
 END_TIMESTAMP="$(date +%T)"

diff --git a/mk_delta/common/bin/sign_upg.sh b/mk_delta/common/bin/sign_upg.sh
new file mode 100755 (executable)
index 0000000..4db3105
--- /dev/null
+++ b/mk_delta/common/bin/sign_upg.sh
@@ -0,0 +1,163 @@
+#!/bin/bash
+
+TMP_DIR=./sign_tmp
+Initialize() {
+       if [ ! -d ${TMP_DIR} ]; then
+               mkdir ${TMP_DIR}
+       fi
+}
+
+Finalize() {
+       if [ -d ${TMP_DIR} ]; then
+               rm -r ${TMP_DIR}
+       fi
+       echo "********** Package Signing End **********"
+       exit
+}
+
+# CheckFile FILE MESSAGE
+CheckFile() {
+       if [ ! -f $1 ]; then
+               echo $2
+               Finalize
+       fi
+}
+
+# CheckNull VAR MESSAGE
+CheckNull() {
+       if [ -z $1 ]; then
+               echo $2
+               Finalize
+       fi
+}
+
+KEY=$1
+CERT=$2
+FILE=$3
+SIGNED_FILE=$4
+CheckArgument() {
+       ArgumentList=(
+               ${KEY}
+               ${CERT}
+               ${FILE}
+       )
+
+       echo "Checking argument..."
+
+       for ARGUMENT in ${ArgumentList[@]}; do
+               CheckFile ${ARGUMENT} ${ARGUMENT}" not exist"
+       done
+
+       if [ -z ${SIGNED_FILE} ]; then
+               SIGNED_FILE=${FILE}
+       fi
+}
+
+BASENAME=/usr/bin/basename
+OPENSSL=/usr/bin/openssl
+PERL=/usr/bin/perl
+STAT=/usr/bin/stat
+CheckTool() {
+       ToolList=(
+               ${BASENAME}
+               ${OPENSSL}
+               ${PERL}
+               ${STAT}
+       )
+
+       echo "Checking tool..."
+
+       for TOOL in ${ToolList[@]}; do
+               CheckFile ${TOOL} ${TOOL}" not exist"
+       done
+}
+
+SIGNATURE=""
+SIGNATURE_SIZE=""
+SignFile() {
+       echo "Signing file..."
+
+       SIGNATURE=${TMP_DIR}/$(${BASENAME} ${FILE}).sign
+       CheckNull ${SIGNATURE} "Failed to name signature"
+
+       ${OPENSSL} dgst -sha256 -sign ${KEY} -out ${SIGNATURE} ${FILE}
+       CheckFile ${SIGNATURE} "Failed to sign"
+
+       SIGNATURE_SIZE=$(${STAT} -c %s ${SIGNATURE})
+       CheckNull ${SIGNATURE_SIZE} "Failed to get the size of signature"
+}
+
+CERT_CONVERTED=""
+CERT_CONVERTED_SIZE=""
+ConvertCert() {
+       echo "Converting certificate..."
+
+       CERT_CONVERTED=${TMP_DIR}/$(${BASENAME} ${CERT}).der
+       CheckNull ${CERT_CONVERTED} "Failed to name converted certificate"
+
+       ${OPENSSL} x509 -in ${CERT} -outform DER -out ${CERT_CONVERTED}
+       CheckFile ${CERT_CONVERTED} "Failed to convert certificate"
+
+       CERT_CONVERTED_SIZE=$(${STAT} -c %s ${CERT_CONVERTED})
+       CheckNull ${CERT_CONVERTED_SIZE} "Failed to get the size of converted certificate"
+}
+
+RESULT_FILE=""
+MAGIC_NUMBER="TOTA_SIGNED"
+AttachSignature() {
+       echo "Attaching signature..."
+
+       RESULT_FILE=${TMP_DIR}/result
+
+       echo -n ${MAGIC_NUMBER} > ${RESULT_FILE}
+       cat ${SIGNATURE} ${CERT_CONVERTED} >> ${RESULT_FILE}
+       ${PERL} -e "print pack('L', ${SIGNATURE_SIZE})" >> ${RESULT_FILE}
+       ${PERL} -e "print pack('L', ${CERT_CONVERTED_SIZE})" >> ${RESULT_FILE}
+}
+
+VerifySignature() {
+       echo "Verifying signature..."
+
+       EXPECTED_SIZE=$(expr ${#MAGIC_NUMBER} + ${SIGNATURE_SIZE} + ${CERT_CONVERTED_SIZE} + 8)
+       REAL_SIZE=$(${STAT} -c %s ${RESULT_FILE})
+
+       if [ ${EXPECTED_SIZE} -ne ${REAL_SIZE} ]; then
+               echo "Invalid result size : Expected("${EXPECTED_SIZE}") Real("${REAL_SIZE}")"
+               Finalize
+       fi
+}
+
+InsertSignature() {
+       echo "Inserting signature..."
+
+       if [ ${FILE} != ${SIGNED_FILE} ]; then
+               cp ${FILE} ${SIGNED_FILE}
+       fi
+
+       cat ${RESULT_FILE} >> ${SIGNED_FILE}
+}
+
+# Main
+
+echo "********** Package Signing Start **********"
+
+if [ "$#" -lt 3 ]; then
+       echo "Usage : sign_upg.sh KEY CERT FILE_NAME [SIGNED_FILE_NAME]"
+       echo "  - KEY and CERT should be PEM format"
+       echo "  - If SIGNED_FILE_NAME is NULL, signature will be overwritten to FILE_NAME"
+       exit
+fi
+
+CheckArgument
+CheckTool
+
+Initialize
+SignFile
+ConvertCert
+AttachSignature
+VerifySignature
+InsertSignature
+
+echo "Succeed to sign file!"
+
+Finalize

diff --git a/scripts/delta-generation.sh b/scripts/delta-generation.sh
index 8453668..8e5223b 100755 (executable)
--- a/scripts/delta-generation.sh
+++ b/scripts/delta-generation.sh
@@ -21,13 +21,15 @@
 
 # Get argument
 if [ $# -lt 2 ]; then
-       echo "Usage: delta-generation.sh TOTA_UPG_PATH TARGET"
+       echo "Usage: delta-generation.sh TOTA_UPG_PATH TARGET [SIGN_KEY SIGN_CERT]"
        echo " TARGET> rpi3 | tw1"
        exit
 fi
 
 TOTA_UPG_PATH=$1
 TARGET=$2
+SIGN_KEY=$3
+SIGN_CERT=$4
 
 # Path of downloaded images (old, new)
 TOTA_UPG_WORK=${TOTA_UPG_PATH}/mk_delta/${TARGET}
@@ -55,5 +57,5 @@ cd ${CWD}
 # Execute mk_delta script
 CWD=${PWD}
 cd ${TOTA_UPG_WORK}
-../common/bin/mk_delta.sh
+../common/bin/mk_delta.sh ${SIGN_KEY} ${SIGN_CERT}
 cd ${CWD}