From: Kichan Kwon <k_c.kwon@samsung.com>
Date: Mon, 1 Jun 2020 05:22:29 +0000 (+0900)
Subject: Introduce package signing
X-Git-Tag: accepted/tizen/unified/20240419.110853~87
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=748e94586c63d27b1b2497ef44d3bb2c9074147f;p=platform%2Fcore%2Fsystem%2Fupgrade-tools.git

Introduce package signing

- To sign delta, you can call delta-generation like this
  - delta-generation.sh TOTA_UPG_PATH TARGET SIGN_KEY SIGN_CERT

Change-Id: I783d2f081dbb81618a278d1673d451fa16cf05f4
Signed-off-by: Kichan Kwon <k_c.kwon@samsung.com>
---

diff --git a/mk_delta/common/bin/mk_delta.sh b/mk_delta/common/bin/mk_delta.sh
index 625a5d2..5e7e71f 100755
--- a/mk_delta/common/bin/mk_delta.sh
+++ b/mk_delta/common/bin/mk_delta.sh
@@ -357,6 +357,12 @@ fi
 cd ${DELTA_DIR}
 sudo cp ${COMMON_BINDIR}/unpack.sh ./
 sudo tar --overwrite -cf ../delta.tar *
+
+SIGN_KEY=$1
+SIGN_CERT=$2
+if [ "z${SIGN_KEY}" != "z" ] && [ "z${SIGN_CERT}" != "z" ]; then
+	sudo ${COMMON_BINDIR}/sign_upg.sh ${SIGN_KEY} ${SIGN_CERT} ../delta.tar
+fi
 cd -
 
 END_TIMESTAMP="$(date +%T)"
diff --git a/mk_delta/common/bin/sign_upg.sh b/mk_delta/common/bin/sign_upg.sh
new file mode 100755
index 0000000..4db3105
--- /dev/null
+++ b/mk_delta/common/bin/sign_upg.sh
@@ -0,0 +1,163 @@
+#!/bin/bash
+
+TMP_DIR=./sign_tmp
+Initialize() {
+	if [ ! -d ${TMP_DIR} ]; then
+		mkdir ${TMP_DIR}
+	fi
+}
+
+Finalize() {
+	if [ -d ${TMP_DIR} ]; then
+		rm -r ${TMP_DIR}
+	fi
+	echo "********** Package Signing End **********"
+	exit
+}
+
+# CheckFile FILE MESSAGE
+CheckFile() {
+	if [ ! -f $1 ]; then
+		echo $2
+		Finalize
+	fi
+}
+
+# CheckNull VAR MESSAGE
+CheckNull() {
+	if [ -z $1 ]; then
+		echo $2
+		Finalize
+	fi
+}
+
+KEY=$1
+CERT=$2
+FILE=$3
+SIGNED_FILE=$4
+CheckArgument() {
+	ArgumentList=(
+		${KEY}
+		${CERT}
+		${FILE}
+	)
+
+	echo "Checking argument..."
+
+	for ARGUMENT in ${ArgumentList[@]}; do
+		CheckFile ${ARGUMENT} ${ARGUMENT}" not exist"
+	done
+
+	if [ -z ${SIGNED_FILE} ]; then
+		SIGNED_FILE=${FILE}
+	fi
+}
+
+BASENAME=/usr/bin/basename
+OPENSSL=/usr/bin/openssl
+PERL=/usr/bin/perl
+STAT=/usr/bin/stat
+CheckTool() {
+	ToolList=(
+		${BASENAME}
+		${OPENSSL}
+		${PERL}
+		${STAT}
+	)
+
+	echo "Checking tool..."
+
+	for TOOL in ${ToolList[@]}; do
+		CheckFile ${TOOL} ${TOOL}" not exist"
+	done
+}
+
+SIGNATURE=""
+SIGNATURE_SIZE=""
+SignFile() {
+	echo "Signing file..."
+
+	SIGNATURE=${TMP_DIR}/$(${BASENAME} ${FILE}).sign
+	CheckNull ${SIGNATURE} "Failed to name signature"
+
+	${OPENSSL} dgst -sha256 -sign ${KEY} -out ${SIGNATURE} ${FILE}
+	CheckFile ${SIGNATURE} "Failed to sign"
+
+	SIGNATURE_SIZE=$(${STAT} -c %s ${SIGNATURE})
+	CheckNull ${SIGNATURE_SIZE} "Failed to get the size of signature"
+}
+
+CERT_CONVERTED=""
+CERT_CONVERTED_SIZE=""
+ConvertCert() {
+	echo "Converting certificate..."
+
+	CERT_CONVERTED=${TMP_DIR}/$(${BASENAME} ${CERT}).der
+	CheckNull ${CERT_CONVERTED} "Failed to name converted certificate"
+
+	${OPENSSL} x509 -in ${CERT} -outform DER -out ${CERT_CONVERTED}
+	CheckFile ${CERT_CONVERTED} "Failed to convert certificate"
+
+	CERT_CONVERTED_SIZE=$(${STAT} -c %s ${CERT_CONVERTED})
+	CheckNull ${CERT_CONVERTED_SIZE} "Failed to get the size of converted certificate"
+}
+
+RESULT_FILE=""
+MAGIC_NUMBER="TOTA_SIGNED"
+AttachSignature() {
+	echo "Attaching signature..."
+
+	RESULT_FILE=${TMP_DIR}/result
+
+	echo -n ${MAGIC_NUMBER} > ${RESULT_FILE}
+	cat ${SIGNATURE} ${CERT_CONVERTED} >> ${RESULT_FILE}
+	${PERL} -e "print pack('L', ${SIGNATURE_SIZE})" >> ${RESULT_FILE}
+	${PERL} -e "print pack('L', ${CERT_CONVERTED_SIZE})" >> ${RESULT_FILE}
+}
+
+VerifySignature() {
+	echo "Verifying signature..."
+
+	EXPECTED_SIZE=$(expr ${#MAGIC_NUMBER} + ${SIGNATURE_SIZE} + ${CERT_CONVERTED_SIZE} + 8)
+	REAL_SIZE=$(${STAT} -c %s ${RESULT_FILE})
+
+	if [ ${EXPECTED_SIZE} -ne ${REAL_SIZE} ]; then
+		echo "Invalid result size : Expected("${EXPECTED_SIZE}") Real("${REAL_SIZE}")"
+		Finalize
+	fi
+}
+
+InsertSignature() {
+	echo "Inserting signature..."
+
+	if [ ${FILE} != ${SIGNED_FILE} ]; then
+		cp ${FILE} ${SIGNED_FILE}
+	fi
+
+	cat ${RESULT_FILE} >> ${SIGNED_FILE}
+}
+
+# Main
+
+echo "********** Package Signing Start **********"
+
+if [ "$#" -lt 3 ]; then
+	echo "Usage : sign_upg.sh KEY CERT FILE_NAME [SIGNED_FILE_NAME]"
+	echo "  - KEY and CERT should be PEM format"
+	echo "  - If SIGNED_FILE_NAME is NULL, signature will be overwritten to FILE_NAME"
+	exit
+fi
+
+CheckArgument
+CheckTool
+
+Initialize
+SignFile
+ConvertCert
+AttachSignature
+VerifySignature
+InsertSignature
+
+echo "Succeed to sign file!"
+
+Finalize
diff --git a/scripts/delta-generation.sh b/scripts/delta-generation.sh
index 8453668..8e5223b 100755
--- a/scripts/delta-generation.sh
+++ b/scripts/delta-generation.sh
@@ -21,13 +21,15 @@
 
 # Get argument
 if [ $# -lt 2 ]; then
-	echo "Usage: delta-generation.sh TOTA_UPG_PATH TARGET"
+	echo "Usage: delta-generation.sh TOTA_UPG_PATH TARGET [SIGN_KEY SIGN_CERT]"
 	echo " TARGET> rpi3 | tw1"
 	exit
 fi
 
 TOTA_UPG_PATH=$1
 TARGET=$2
+SIGN_KEY=$3
+SIGN_CERT=$4
 
 # Path of downloaded images (old, new)
 TOTA_UPG_WORK=${TOTA_UPG_PATH}/mk_delta/${TARGET}
@@ -55,5 +57,5 @@ cd ${CWD}
 # Execute mk_delta script
 CWD=${PWD}
 cd ${TOTA_UPG_WORK}
-../common/bin/mk_delta.sh
+../common/bin/mk_delta.sh ${SIGN_KEY} ${SIGN_CERT}
 cd ${CWD}