From 2b4616fe4a0e98a2c0b7a7af5d5db55c37a5f076 Mon Sep 17 00:00:00 2001
From: Kichan Kwon
Date: Tue, 2 Jun 2020 20:34:06 +0900
Subject: [PATCH] Sign with PKCS file instead of raw key/cert
- delta-generation argument is changed
- delta-generation.sh TOTA_UPG_PATH TARGET SIGN_PKCS_FILE SIGN_PKCS_PASSWORD
Change-Id: Ifcf092f4df87638ea31ea5d96aa3aeb90990ece2
Signed-off-by: Kichan Kwon
---
 mk_delta/common/bin/mk_delta.sh | 8 ++++----
 mk_delta/common/bin/sign_upg.sh | 28 +++++++++++++++++++++-------
 scripts/delta-generation.sh | 8 ++++----
 3 files changed, 29 insertions(+), 15 deletions(-)
diff --git a/mk_delta/common/bin/mk_delta.sh b/mk_delta/common/bin/mk_delta.sh
index 5e7e71f..529e261 100755
--- a/mk_delta/common/bin/mk_delta.sh
+++ b/mk_delta/common/bin/mk_delta.sh
@@ -358,10 +358,10 @@ cd ${DELTA_DIR}
 sudo cp ${COMMON_BINDIR}/unpack.sh ./
 sudo tar --overwrite -cf ../delta.tar *
-SIGN_KEY=$1
-SIGN_CERT=$2
-if [ "z${SIGN_KEY}" != "z" ] && [ "z${SIGN_CERT}" != "z" ]; then
- sudo ${COMMON_BINDIR}/sign_upg.sh ${SIGN_KEY} ${SIGN_CERT} ../delta.tar
+SIGN_PKCS_FILE=$1
+SIGN_PKCS_PASSWORD=$2
+if [ "z${SIGN_PKCS_FILE}" != "z" ] && [ "z${SIGN_PKCS_PASSWORD}" != "z" ]; then
+ sudo ${COMMON_BINDIR}/sign_upg.sh ${SIGN_PKCS_FILE} ${SIGN_PKCS_PASSWORD} ../delta.tar
 fi
 cd -
diff --git a/mk_delta/common/bin/sign_upg.sh b/mk_delta/common/bin/sign_upg.sh
index 4db3105..f3b9677 100755
--- a/mk_delta/common/bin/sign_upg.sh
+++ b/mk_delta/common/bin/sign_upg.sh
@@ -31,14 +31,13 @@ CheckNull() {
 fi
 }
-KEY=$1
-CERT=$2
+PKCS=$1
+PKCS_PASSWORD=$2
 FILE=$3
 SIGNED_FILE=$4
 CheckArgument() {
 ArgumentList=(
- ${KEY}
- ${CERT}
+ ${PKCS}
 ${FILE}
 )
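Review bot: The PKCS#12 password is put on the command line of the sudo'd sign_upg.sh on the new `sudo` line, so while signing runs it is readable by any local user through the process list, and because the call goes through sudo the full command, password included, is presumably also recorded in the sudo log; the `-passin pass:${PKCS_PASSWORD}` openssl invocations added to sign_upg.sh later in this patch and the positional argument taken by delta-generation.sh have the same exposure. Consider passing the secret through the environment or a file instead, e.g. `SIGN_PKCS_PASSWORD="${SIGN_PKCS_PASSWORD}" sudo --preserve-env=SIGN_PKCS_PASSWORD "${COMMON_BINDIR}/sign_upg.sh" "${SIGN_PKCS_FILE}" ../delta.tar` (sudo 1.8.21 or newer), with sign_upg.sh reading `PKCS_PASSWORD=${SIGN_PKCS_PASSWORD}` and handing openssl `-passin env:SIGN_PKCS_PASSWORD` so the value never appears in argv. The expansions on the new `sudo` line are also unquoted, so a bundle path or password containing whitespace is split into extra arguments; quote them as shown.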
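Review bot: `PKCS` is an ambiguous name for the first argument, since the only container the new code reads is a PKCS#12 bundle (it is opened with `openssl pkcs12` in the ExtractFromPKCSFile hunk). Name it `PKCS12_FILE` or add a comment above the assignment such as `# PKCS#12 (.p12/.pfx) bundle holding the signing key and its certificate; unlocked by PKCS_PASSWORD`. `PKCS_PASSWORD` is also the one new argument left out of ArgumentList, so an explicitly empty password passes CheckArgument and only fails inside openssl; if an unprotected bundle is meant to be accepted, a one-line comment saying so would stop someone from "fixing" it later. CheckArgument continues past the end of this hunk.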
@@ -72,6 +71,20 @@ CheckTool() {
 done
 }
+KEY=""
+CERT=""
+ExtractFromPKCSFile() {
+ echo "Extract from PKCS file..."
+
+ KEY=${TMP_DIR}/key.pem
+ ${OPENSSL} pkcs12 -in ${PKCS} -nocerts -passin pass:${PKCS_PASSWORD} -passout pass:${PKCS_PASSWORD} -out ${KEY}
+ CheckFile ${KEY}
+
+ CERT=${TMP_DIR}/cert.pem
+ ${OPENSSL} pkcs12 -in ${PKCS} -clcerts -nokeys -passin pass:${PKCS_PASSWORD} -out ${CERT}
+ CheckFile ${CERT}
+}
+
 SIGNATURE=""
 SIGNATURE_SIZE=""
 SignFile() {
@@ -80,7 +93,7 @@ SignFile() {
 SIGNATURE=${TMP_DIR}/$(${BASENAME} ${FILE}).sign
 CheckNull ${SIGNATURE} "Failed to name signature"
- ${OPENSSL} dgst -sha256 -sign ${KEY} -out ${SIGNATURE} ${FILE}
+ ${OPENSSL} dgst -sha256 -sign ${KEY} -passin pass:${PKCS_PASSWORD} -out ${SIGNATURE} ${FILE}
 CheckFile ${SIGNATURE} "Failed to sign"
 SIGNATURE_SIZE=$(${STAT} -c %s ${SIGNATURE})
@@ -142,8 +155,8 @@ InsertSignature() {
 echo "********** Package Signing Start **********"
 if [ "$#" -lt 3 ]; then
- echo "Usage : sign_upg.sh KEY CERT FILE_NAME [SIGNED_FILE_NAME]"
- echo " - KEY and CERT should be PEM format"
+ echo "Usage : sign_upg.sh PKCS_FILE PKCS_PASSWORD FILE_NAME [SIGNED_FILE_NAME]"
+ echo " - PKCS_FILE should include private key and certificate"
 echo " - If SIGNED_FILE_NAME is NULL, signature will be overwritten to FILE_NAME"
 exit
 fi
@@ -152,6 +165,7 @@ CheckArgument
 CheckTool
 Initialize
+ExtractFromPKCSFile
 SignFile
 ConvertCert
 AttachSignature
diff --git a/scripts/delta-generation.sh b/scripts/delta-generation.sh
index 8e5223b..e83268e 100755
--- a/scripts/delta-generation.sh
+++ b/scripts/delta-generation.sh
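Review bot: Neither `openssl pkcs12` call in ExtractFromPKCSFile checks its exit status; `CheckFile ${KEY}` runs afterwards, and if CheckFile only tests that the path exists (its body is outside this hunk) a wrong password or a bundle without a private key can leave an empty key.pem that passes the check and surfaces later as a less clear failure in SignFile. Test the status directly, e.g. `${OPENSSL} pkcs12 -in ${PKCS} -nocerts -passin pass:${PKCS_PASSWORD} -passout pass:${PKCS_PASSWORD} -out ${KEY} || { echo "Failed to extract private key from ${PKCS}" >&2; exit 1; }`, and likewise for the certificate. The re-encrypted private key is written under `${TMP_DIR}`; unless Initialize creates that directory with a private mode (`mktemp -d` under `umask 077`) and a trap removes it on every exit path, neither of which is visible here, the key material would outlive the run. SignFile's new `-passin pass:${PKCS_PASSWORD}` only works because this function re-encrypts key.pem with the same password via `-passout`; a comment on that line, `# re-encrypt with the bundle password; SignFile unlocks it with -passin`, would make the coupling explicit.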
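Review bot: The new usage text says the file "should include private key and certificate" but not which container format is accepted, although the extraction code handles only PKCS#12 and requires the password for it. Make the usage lines say so, e.g. `echo " - PKCS_FILE should be a PKCS#12 (.p12/.pfx) bundle containing the private key and its certificate"` and `echo " - PKCS_PASSWORD is the passphrase protecting PKCS_FILE"`. The surrounding block also exits with status 0 after printing usage (the `exit` is context, not new), so a caller scripting this cannot distinguish a usage error from success; `exit 1` would be the usual choice.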
@@ -21,15 +21,15 @@
 # Get argument
 if [ $# -lt 2 ]; then
- echo "Usage: delta-generation.sh TOTA_UPG_PATH TARGET [SIGN_KEY SIGN_CERT]"
+ echo "Usage: delta-generation.sh TOTA_UPG_PATH TARGET [SIGN_PKCS_FILE SIGN_PKCS_PASSWORD]"
 echo " TARGET> rpi3 | tw1"
 exit
 fi
 TOTA_UPG_PATH=$1
 TARGET=$2
-SIGN_KEY=$3
-SIGN_CERT=$4
+SIGN_PKCS_FILE=$3
+SIGN_PKCS_PASSWORD=$4
 # Path of downloaded images (old, new)
 TOTA_UPG_WORK=${TOTA_UPG_PATH}/mk_delta/${TARGET}
@@ -57,5 +57,5 @@ cd ${CWD}
 # Execute mk_delta script
 CWD=${PWD}
 cd ${TOTA_UPG_WORK}
-../common/bin/mk_delta.sh ${SIGN_KEY} ${SIGN_CERT}
+../common/bin/mk_delta.sh ${SIGN_PKCS_FILE} ${SIGN_PKCS_PASSWORD}
 cd ${CWD}
--
2.7.4
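Review bot: `SIGN_PKCS_FILE=$3` keeps the path exactly as typed, but it is only used after `cd ${TOTA_UPG_WORK}` in the second hunk, and mk_delta.sh does a further `cd ${DELTA_DIR}` before handing it to sign_upg.sh, so a relative path given on the command line is resolved against the delta work directory rather than the caller's directory and presumably fails in sign_upg.sh's argument check (the guard in mk_delta.sh only tests that the string is non-empty). This was already true of SIGN_KEY/SIGN_CERT and is carried over by the rename. Resolve it once, at parse time, with `SIGN_PKCS_FILE=${3:+$(readlink -f -- "$3")}` so an absent third argument still yields an empty value (readlink -f is GNU; `realpath` is the alternative). Quoting `"${SIGN_PKCS_FILE}"` on the mk_delta.sh call line in the second hunk would also keep a path containing spaces intact.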