blob: 9701d417fc3ddbe20ae60fd92a93d9cb89ed24cb [file] [log] [blame]
#!/bin/bash
# Copyright 2016 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
# Load common constants and functions.
. "$(dirname "$0")/common.sh"
usage() {
cat <<EOF
Usage: ${PROG} [FLAGS] DIR
Generate Android's set of framework key pairs at DIR. For detail, please refer
to "Certificates and private keys" and "Manually generating keys" in
https://source.android.com/devices/tech/ota/sign_builds.html.
FLAGS:
--rotate-from Directory containing a set of old key pairs to rotate from
EOF
if [[ $# -ne 0 ]]; then
die "$*"
else
exit 0
fi
}
# Use the same SUBJECT used in Nexus.
SUBJECT='/C=US/ST=California/L=Mountain View/O=Google Inc./OU=Android/CN=Android'
# Generate .pk8 and .x509.pem at the given directory.
make_pair() {
local dir=$1
local name=$2
# Generate RSA key.
openssl genrsa -3 -out "${dir}/temp.pem" 2048
# Create a certificate with the public part of the key.
openssl req -new -x509 -key "${dir}/temp.pem" -out "${dir}/${name}.x509.pem" \
-days 10000 -subj "${SUBJECT}"
# Create a PKCS#8-formatted version of the private key.
openssl pkcs8 -in "${dir}/temp.pem" -topk8 -outform DER \
-out "${dir}/${name}.pk8" -nocrypt
# Best attempt to securely delete the temp.pem file.
shred --remove "${dir}/temp.pem"
}
main() {
set -e
local dir
local old_dir
while [[ $# -gt 0 ]]; do
case $1 in
-h|--help)
usage
;;
--rotate-from)
old_dir="$2"
shift 2
;;
-*)
usage "Unknown option: $1"
;;
*)
break
;;
esac
done
if [[ $# -ne 1 ]]; then
usage "Missing output directory"
fi
dir=$1
for name in platform shared media releasekey networkstack; do
make_pair "${dir}" "${name}"
if [ -d "${old_dir}" ]; then
apksigner rotate --out "${dir}/${name}.lineage" \
--old-signer --key "${old_dir}/${name}.pk8" \
--cert "${old_dir}/${name}.x509.pem" \
--new-signer --key "${dir}/${name}.pk8" --cert "${dir}/${name}.x509.pem"
fi
done
}
main "$@"