// Copyright (C) 2019 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// Build rules to build shim apexes.
// Generates a 4096-bit RSA private key for the shim APEX at build time.
// Test-only material: genrsa is given no cipher option, so the key is
// written to the genrule output unencrypted.
// NOTE(review): openssl is not declared under tools, so it is presumably
// resolved from the build environment rather than built from source - confirm.
genrule {
    name: "com.android.apex.cts.shim.pem",
    cmd: "openssl genrsa -out $(out) 4096",
    out: ["com.android.apex.cts.shim.pem"],
}
// Derives the public half of the generated shim key with avbtool, so the
// pair can be referenced from the apex_key module below.
genrule {
    name: "com.android.apex.cts.shim.pubkey",
    tools: ["avbtool"],
    srcs: [":com.android.apex.cts.shim.pem"],
    out: ["com.android.apex.cts.shim.pubkey"],
    cmd: "$(location avbtool) extract_public_key --key $(in) --output $(out)",
}
// Key pair that the shim apex modules in this file name in their `key`
// property. Both halves come from the genrules above, so the pair changes
// whenever the private key is regenerated.
apex_key {
    name: "com.android.apex.cts.shim.key",
    public_key: ":com.android.apex.cts.shim.pubkey",
    private_key: ":com.android.apex.cts.shim.pem",
    installable: false,
}
// Writes the SHA-512 digest of empty input (/dev/null) to hash.txt.
// cut keeps only the hex digest; tee writes it to $(out) and echoes it
// to stdout as well.
genrule {
    name: "generate_hash_of_dev_null",
    cmd: "sha512sum -b /dev/null | cut -d' ' -f1 | tee $(out)",
    out: ["hash.txt"],
}
// Wraps the /dev/null digest as a prebuilt named hash.txt so apex modules
// can pull it in through `prebuilts`.
prebuilt_etc {
    name: "hash_of_dev_null",
    filename: "hash.txt",
    src: ":generate_hash_of_dev_null",
    installable: false,
}
// Shim package built from manifest_v3.json and signed with the shim key.
// Payload is the /dev/null hash.txt; whitelisted_files names the list of
// files this APEX is allowed to contain.
apex {
    name: "com.android.apex.cts.shim.v3",
    key: "com.android.apex.cts.shim.key",
    manifest: "manifest_v3.json",
    androidManifest: "AndroidManifest.xml",
    file_contexts: "apex.test",
    whitelisted_files: "default_shim_whitelist.txt",
    prebuilts: ["hash_of_dev_null"],
    installable: false,
}
// Shim package built from manifest_v2.json and signed with the shim key.
// It is the unsigned-variant base that the apksigner genrules further down
// re-sign with bob and eve.
apex {
    name: "com.android.apex.cts.shim.v2",
    key: "com.android.apex.cts.shim.key",
    manifest: "manifest_v2.json",
    androidManifest: "AndroidManifest.xml",
    file_contexts: "apex.test",
    whitelisted_files: "default_shim_whitelist.txt",
    prebuilts: ["hash_of_dev_null"],
    installable: false,
}
// Produces a zero-length hash.txt (touch only creates the file).
genrule {
    name: "generate_empty_hash",
    cmd: "touch $(out)",
    out: ["hash.txt"],
}
// Wraps the empty hash.txt as a prebuilt for the wrong-SHA fixture.
prebuilt_etc {
    name: "empty_hash",
    filename: "hash.txt",
    src: ":generate_empty_hash",
    installable: false,
}
// Negative fixture: ships the empty hash.txt instead of the /dev/null digest,
// so the package has the wrong SHA512 and trying to stage it should fail.
// It is also not among the srcs of generate_hash_v1, so its digest never
// appears in the hash.txt carried by com.android.apex.cts.shim.v1.
apex {
    name: "com.android.apex.cts.shim.v2_wrong_sha",
    key: "com.android.apex.cts.shim.key",
    manifest: "manifest_v2.json",
    androidManifest: "AndroidManifest.xml",
    file_contexts: "apex.test",
    prebuilts: ["empty_hash"],
    installable: false,
}
// Extra payload file used to build a shim that contains more than hash.txt.
prebuilt_etc {
    name: "apex_shim_additional_file",
    filename: "additional_file",
    src: "additional_file",
    installable: false,
}
// v2 variant whose payload carries additional_file next to hash.txt.
// Unlike com.android.apex.cts.shim.v2 it sets no whitelisted_files.
// NOTE(review): presumably exercises rejection of unexpected payload
// files at install time - confirm against the tests that use it.
apex {
    name: "com.android.apex.cts.shim.v2_additional_file",
    key: "com.android.apex.cts.shim.key",
    manifest: "manifest_v2.json",
    androidManifest: "AndroidManifest.xml",
    file_contexts: "apex.test",
    prebuilts: [
        "hash_of_dev_null",
        "apex_shim_additional_file",
    ],
    installable: false,
}
// Same source file as apex_shim_additional_file, but placed under the
// additional_folder sub-directory.
prebuilt_etc {
    name: "apex_shim_additional_folder",
    filename: "additional_file",
    sub_dir: "additional_folder",
    src: "additional_file",
    installable: false,
}
// v2 variant whose payload carries an extra sub-directory with a file in it.
// Like v2_additional_file, it sets no whitelisted_files.
apex {
    name: "com.android.apex.cts.shim.v2_additional_folder",
    key: "com.android.apex.cts.shim.key",
    manifest: "manifest_v2.json",
    androidManifest: "AndroidManifest.xml",
    file_contexts: "apex.test",
    prebuilts: [
        "hash_of_dev_null",
        "apex_shim_additional_folder",
    ],
    installable: false,
}
// v2 variant that differs from plain v2 only in its manifest,
// manifest_v2_with_pre_install_hook.json, and in setting no whitelisted_files.
// NOTE(review): by its file name the manifest declares a pre-install hook;
// the manifest content is not visible here - confirm.
apex {
    name: "com.android.apex.cts.shim.v2_with_pre_install_hook",
    key: "com.android.apex.cts.shim.key",
    manifest: "manifest_v2_with_pre_install_hook.json",
    androidManifest: "AndroidManifest.xml",
    file_contexts: "apex.test",
    prebuilts: ["hash_of_dev_null"],
    installable: false,
}
// v2 variant that differs from plain v2 only in its manifest,
// manifest_v2_with_post_install_hook.json, and in setting no whitelisted_files.
// NOTE(review): by its file name the manifest declares a post-install hook;
// the manifest content is not visible here - confirm.
apex {
    name: "com.android.apex.cts.shim.v2_with_post_install_hook",
    key: "com.android.apex.cts.shim.key",
    manifest: "manifest_v2_with_post_install_hook.json",
    androidManifest: "AndroidManifest.xml",
    file_contexts: "apex.test",
    prebuilts: ["hash_of_dev_null"],
    installable: false,
}
// Builds the hash.txt shipped inside com.android.apex.cts.shim.v1: one
// SHA-512 hex digest per listed shim package, in srcs order.
// com.android.apex.cts.shim.v2_wrong_sha and
// com.android.apex.cts.shim_not_pre_installed are not listed.
// The list does include packages signed by eve or with a different
// certificate, so a digest match alone does not vouch for the signer.
// NOTE(review): only the last command's exit status ends a pipeline unless
// pipefail is set, so a failing sha512sum could leave a short hash.txt
// instead of a build error - confirm how the genrule shell is invoked.
genrule {
    name: "generate_hash_v1",
    cmd: "sha512sum -b $(in) | cut -d' ' -f1 | tee $(out)",
    out: ["hash.txt"],
    srcs: [
        ":com.android.apex.cts.shim.v2",
        ":com.android.apex.cts.shim.v2_additional_file",
        ":com.android.apex.cts.shim.v2_additional_folder",
        ":com.android.apex.cts.shim.v2_different_certificate",
        ":com.android.apex.cts.shim.v2_signed_bob",
        ":com.android.apex.cts.shim.v2_signed_bob_rot",
        ":com.android.apex.cts.shim.v2_signed_eve",
        ":com.android.apex.cts.shim.v2_with_pre_install_hook",
        ":com.android.apex.cts.shim.v2_with_post_install_hook",
        ":com.android.apex.cts.shim.v3",
        ":com.android.apex.cts.shim.v3_signed_bob",
        ":com.android.apex.cts.shim.v3_signed_bob_rot",
    ],
}
// Wraps the digest list from generate_hash_v1 as the hash.txt of shim v1.
prebuilt_etc {
    name: "hash_v1",
    filename: "hash.txt",
    src: ":generate_hash_v1",
    installable: false,
}
// Shim package built from manifest.json. Its hash.txt is the digest list
// from generate_hash_v1, i.e. the SHA-512 of each later shim package listed
// there.
// NOTE(review): presumably this list is what the installer checks an
// incoming shim update against - confirm in the consumer of hash.txt.
apex {
    name: "com.android.apex.cts.shim.v1",
    key: "com.android.apex.cts.shim.key",
    manifest: "manifest.json",
    androidManifest: "AndroidManifest.xml",
    file_contexts: "apex.test",
    whitelisted_files: "default_shim_whitelist.txt",
    prebuilts: ["hash_v1"],
    installable: false,
}
// Generates a separate 4096-bit RSA private key, unencrypted, for the
// shim_not_pre_installed package. It is independent of the main shim key.
genrule {
    name: "com.android.apex.cts.shim_not_pre_installed.pem",
    cmd: "openssl genrsa -out $(out) 4096",
    out: ["com.android.apex.cts.shim_not_pre_installed.pem"],
}
// Derives the public half of the shim_not_pre_installed key with avbtool.
genrule {
    name: "com.android.apex.cts.shim_not_pre_installed.pubkey",
    tools: ["avbtool"],
    srcs: [":com.android.apex.cts.shim_not_pre_installed.pem"],
    out: ["com.android.apex.cts.shim_not_pre_installed.pubkey"],
    cmd: "$(location avbtool) extract_public_key --key $(in) --output $(out)",
}
// Key pair used only by com.android.apex.cts.shim_not_pre_installed.
apex_key {
    name: "com.android.apex.cts.shim_not_pre_installed.key",
    public_key: ":com.android.apex.cts.shim_not_pre_installed.pubkey",
    private_key: ":com.android.apex.cts.shim_not_pre_installed.pem",
    installable: false,
}
// Package with its own manifest and its own key, and no androidManifest
// property. It is not listed in generate_hash_v1.
// NOTE(review): by its name it stands for an APEX with no pre-installed
// counterpart - confirm against the tests that use it.
apex {
    name: "com.android.apex.cts.shim_not_pre_installed",
    key: "com.android.apex.cts.shim_not_pre_installed.key",
    manifest: "manifest_not_pre_installed.json",
    file_contexts: "apex.test",
    prebuilts: ["hash_of_dev_null"],
    installable: false,
}
// v2 variant that keeps the shim apex_key but overrides the container
// signing certificate with the debug certificate declared below.
// Its digest is listed in generate_hash_v1, so only the certificate
// differs from what v1 expects.
apex {
    name: "com.android.apex.cts.shim.v2_different_certificate",
    key: "com.android.apex.cts.shim.key",
    certificate: ":com.android.apex.cts.shim.debug.cert",
    manifest: "manifest_v2.json",
    androidManifest: "AndroidManifest.xml",
    file_contexts: "apex.test",
    prebuilts: ["hash_of_dev_null"],
    installable: false,
}
// Debug signing certificate for v2_different_certificate. The value is a
// base name; the build adds the .x509.pem and .pk8 extensions, so the
// private key is a file kept in the source tree next to this build file.
android_app_certificate {
    certificate: "com.android.apex.cts.shim.debug.cert",
    name: "com.android.apex.cts.shim.debug.cert",
}
// Build rules to build shim apex with rotated keys
// The original key used to sign the cts.shim.v1 package is called alice.
// A second key, called bob, is then created. The original key alice is
// rotated to this second key bob.
// Creates bob's private key in PEM format.
// openssl req -x509 -newkey generates a key and a self-signed certificate;
// only the key is kept, written unencrypted (-nodes) to $(out) via -keyout.
// No -out is given, so the certificate itself is not captured here.
genrule {
    name: "com.android.apex.rotation.key.bob.pem",
    cmd: "openssl req -x509 -newkey rsa:4096 -nodes -days 999999 -subj '/DN=/EMAILADDRESS=android@android.com/CN=Android/OU=Android/O=Android/L=Mountain View/ST=California/C=US' -keyout $(out)",
    out: ["bob.pem"],
}
// Converts bob's private key from PEM to PKCS#8 DER, the form passed to
// apksigner --key in the signing rules below. -nocrypt leaves the key
// unencrypted.
genrule {
    name: "com.android.apex.rotation.key.bob.pk8",
    cmd: "openssl pkcs8 -topk8 -inform PEM -outform DER -in $(in) -out $(out) -nocrypt",
    srcs: [":com.android.apex.rotation.key.bob.pem"],
    out: ["bob.pk8"],
}
// Issues a self-signed X.509 certificate for bob's private key; the
// certificate is what carries bob's public key.
// NOTE(review): -key supplies the existing key, so the -newkey rsa:4096
// argument is presumably ignored - confirm with the openssl version used
// by the build.
genrule {
    name: "com.android.apex.rotation.key.bob.x509.pem",
    cmd: "openssl req -x509 -key $(in) -newkey rsa:4096 -nodes -days 999999 -subj '/DN=/EMAILADDRESS=android@android.com/CN=Android/OU=Android/O=Android/L=Mountain View/ST=California/C=US' -out $(out)",
    srcs: [":com.android.apex.rotation.key.bob.pem"],
    out: ["bob.x509.pem"],
}
// Creates the lineage file that records the rotation from alice to bob.
// alice.pk8 and alice.x509.pem are plain file names, i.e. files kept in the
// source tree, whereas bob's key and certificate are generated above.
// A private key stored in the tree is readable by anyone with the source,
// so alice can only serve as test material.
genrule {
    name: "com.android.apex.rotation.key.bob.rot",
    tools: [":apksigner"],
    srcs: [
        "alice.pk8",
        "alice.x509.pem",
        ":com.android.apex.rotation.key.bob.pk8",
        ":com.android.apex.rotation.key.bob.x509.pem",
    ],
    out: ["bob.rot"],
    cmd: "$(location :apksigner) rotate --out $(out) --old-signer --key $(location alice.pk8) --cert $(location alice.x509.pem) --new-signer --key $(location :com.android.apex.rotation.key.bob.pk8) --cert $(location :com.android.apex.rotation.key.bob.x509.pem)",
}
// Creates a third private key, eve, in PEM format, unencrypted (-nodes).
// No lineage file is generated for eve anywhere in this file.
genrule {
    name: "com.android.apex.rotation.key.eve.pem",
    cmd: "openssl req -x509 -newkey rsa:4096 -nodes -days 999999 -subj '/DN=/EMAILADDRESS=android@android.com/CN=Android/OU=Android/O=Android/L=Mountain View/ST=California/C=US' -keyout $(out)",
    out: ["eve.pem"],
}
// Converts eve's private key from PEM to unencrypted (-nocrypt) PKCS#8 DER
// for use with apksigner --key.
genrule {
    name: "com.android.apex.rotation.key.eve.pk8",
    cmd: "openssl pkcs8 -topk8 -inform PEM -outform DER -in $(in) -out $(out) -nocrypt",
    srcs: [":com.android.apex.rotation.key.eve.pem"],
    out: ["eve.pk8"],
}
// Issues a self-signed X.509 certificate for eve's private key; the
// certificate is what carries eve's public key.
// NOTE(review): -key supplies the existing key, so the -newkey rsa:4096
// argument is presumably ignored - confirm with the openssl version used
// by the build.
genrule {
    name: "com.android.apex.rotation.key.eve.x509.pem",
    cmd: "openssl req -x509 -key $(in) -newkey rsa:4096 -nodes -days 999999 -subj '/DN=/EMAILADDRESS=android@android.com/CN=Android/OU=Android/O=Android/L=Mountain View/ST=California/C=US' -out $(out)",
    srcs: [":com.android.apex.rotation.key.eve.pem"],
    out: ["eve.x509.pem"],
}
// v2 cts shim package re-signed by bob, without a lineage file, so nothing
// in the signature ties bob back to alice.
// Signature schemes v1 and v2 are switched off explicitly.
// NOTE(review): that presumably leaves only the scheme(s) apksigner enables
// by default beyond v2 - confirm for the apksigner version in use.
genrule {
    name: "com.android.apex.cts.shim.v2_signed_bob",
    tools: [":apksigner"],
    srcs: [
        ":com.android.apex.cts.shim.v2",
        ":com.android.apex.rotation.key.bob.x509.pem",
        ":com.android.apex.rotation.key.bob.pk8",
    ],
    out: ["com.android.apex.cts.shim.v2_signed_bob"],
    cmd: "$(location :apksigner) sign --v1-signing-enabled false --v2-signing-enabled false --key $(location :com.android.apex.rotation.key.bob.pk8) --cert $(location :com.android.apex.rotation.key.bob.x509.pem) --out $(out) $(location :com.android.apex.cts.shim.v2)",
    dist: {
        dest: "com.android.apex.cts.shim.v2_signed_bob.apex",
        targets: ["com.android.apex.cts.shim.v2_signed_bob"],
    },
}
// v2 cts shim package re-signed by bob with the alice-to-bob lineage file
// attached through --lineage. Schemes v1 and v2 are switched off explicitly.
genrule {
    name: "com.android.apex.cts.shim.v2_signed_bob_rot",
    tools: [":apksigner"],
    srcs: [
        ":com.android.apex.cts.shim.v2",
        ":com.android.apex.rotation.key.bob.x509.pem",
        ":com.android.apex.rotation.key.bob.pk8",
        ":com.android.apex.rotation.key.bob.rot",
    ],
    out: ["com.android.apex.cts.shim.v2_signed_bob_rot"],
    cmd: "$(location :apksigner) sign --v1-signing-enabled false --v2-signing-enabled false --key $(location :com.android.apex.rotation.key.bob.pk8) --cert $(location :com.android.apex.rotation.key.bob.x509.pem) --lineage $(location :com.android.apex.rotation.key.bob.rot) --out $(out) $(location :com.android.apex.cts.shim.v2)",
    dist: {
        dest: "com.android.apex.cts.shim.v2_signed_bob_rot.apex",
        targets: ["com.android.apex.cts.shim.v2_signed_bob_rot"],
    },
}
// v2 cts shim package re-signed by eve, a key with no lineage to alice.
// Its digest is still listed in generate_hash_v1, so the signer is the only
// thing that distinguishes it from an expected update.
genrule {
    name: "com.android.apex.cts.shim.v2_signed_eve",
    tools: [":apksigner"],
    srcs: [
        ":com.android.apex.cts.shim.v2",
        ":com.android.apex.rotation.key.eve.x509.pem",
        ":com.android.apex.rotation.key.eve.pk8",
    ],
    out: ["com.android.apex.cts.shim.v2_signed_eve"],
    cmd: "$(location :apksigner) sign --v1-signing-enabled false --v2-signing-enabled false --key $(location :com.android.apex.rotation.key.eve.pk8) --cert $(location :com.android.apex.rotation.key.eve.x509.pem) --out $(out) $(location :com.android.apex.cts.shim.v2)",
    dist: {
        dest: "com.android.apex.cts.shim.v2_signed_eve.apex",
        targets: ["com.android.apex.cts.shim.v2_signed_eve"],
    },
}
// v3 cts shim package re-signed by bob, without a lineage file.
// Schemes v1 and v2 are switched off explicitly.
genrule {
    name: "com.android.apex.cts.shim.v3_signed_bob",
    tools: [":apksigner"],
    srcs: [
        ":com.android.apex.cts.shim.v3",
        ":com.android.apex.rotation.key.bob.x509.pem",
        ":com.android.apex.rotation.key.bob.pk8",
    ],
    out: ["com.android.apex.cts.shim.v3_signed_bob"],
    cmd: "$(location :apksigner) sign --v1-signing-enabled false --v2-signing-enabled false --key $(location :com.android.apex.rotation.key.bob.pk8) --cert $(location :com.android.apex.rotation.key.bob.x509.pem) --out $(out) $(location :com.android.apex.cts.shim.v3)",
    dist: {
        dest: "com.android.apex.cts.shim.v3_signed_bob.apex",
        targets: ["com.android.apex.cts.shim.v3_signed_bob"],
    },
}
// v3 cts shim package re-signed by bob with the alice-to-bob lineage file
// attached through --lineage. Schemes v1 and v2 are switched off explicitly.
genrule {
    name: "com.android.apex.cts.shim.v3_signed_bob_rot",
    tools: [":apksigner"],
    srcs: [
        ":com.android.apex.cts.shim.v3",
        ":com.android.apex.rotation.key.bob.x509.pem",
        ":com.android.apex.rotation.key.bob.pk8",
        ":com.android.apex.rotation.key.bob.rot",
    ],
    out: ["com.android.apex.cts.shim.v3_signed_bob_rot"],
    cmd: "$(location :apksigner) sign --v1-signing-enabled false --v2-signing-enabled false --key $(location :com.android.apex.rotation.key.bob.pk8) --cert $(location :com.android.apex.rotation.key.bob.x509.pem) --lineage $(location :com.android.apex.rotation.key.bob.rot) --out $(out) $(location :com.android.apex.cts.shim.v3)",
    dist: {
        dest: "com.android.apex.cts.shim.v3_signed_bob_rot.apex",
        targets: ["com.android.apex.cts.shim.v3_signed_bob_rot"],
    },
}