1#!/usr/bin/env python
2#
3# Copyright (C) 2019 The Android Open Source Project
4#
5# Licensed under the Apache License, Version 2.0 (the "License");
6# you may not use this file except in compliance with the License.
7# You may obtain a copy of the License at
8#
9#      http://www.apache.org/licenses/LICENSE-2.0
10#
11# Unless required by applicable law or agreed to in writing, software
12# distributed under the License is distributed on an "AS IS" BASIS,
13# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14# See the License for the specific language governing permissions and
15# limitations under the License.
16
17import logging
18import os.path
19import re
20import shlex
21import shutil
22import zipfile
23
24import common
25
26logger = logging.getLogger(__name__)
27
28OPTIONS = common.OPTIONS
29
30APEX_PAYLOAD_IMAGE = 'apex_payload.img'
31
32
33class ApexInfoError(Exception):
34  """An Exception raised during Apex Information command."""
35
36  def __init__(self, message):
37    Exception.__init__(self, message)
38
39
40class ApexSigningError(Exception):
41  """An Exception raised during Apex Payload signing."""
42
43  def __init__(self, message):
44    Exception.__init__(self, message)
45
46
47class ApexApkSigner(object):
48  """Class to sign the apk files in a apex payload image and repack the apex"""
49
50  def __init__(self, apex_path, key_passwords, codename_to_api_level_map):
51    self.apex_path = apex_path
52    self.key_passwords = key_passwords
53    self.codename_to_api_level_map = codename_to_api_level_map
54
55  def ProcessApexFile(self, apk_keys, payload_key, signing_args=None):
56    """Scans and signs the apk files and repack the apex
57
58    Args:
59      apk_keys: A dict that holds the signing keys for apk files.
60
61    Returns:
62      The repacked apex file containing the signed apk files.
63    """
64    list_cmd = ['deapexer', 'list', self.apex_path]
65    entries_names = common.RunAndCheckOutput(list_cmd).split()
66    apk_entries = [name for name in entries_names if name.endswith('.apk')]
67
68    # No need to sign and repack, return the original apex path.
69    if not apk_entries:
70      logger.info('No apk file to sign in %s', self.apex_path)
71      return self.apex_path
72
73    for entry in apk_entries:
74      apk_name = os.path.basename(entry)
75      if apk_name not in apk_keys:
76        raise ApexSigningError('Failed to find signing keys for apk file {} in'
77                               ' apex {}.  Use "-e <apkname>=" to specify a key'
78                               .format(entry, self.apex_path))
79      if not any(dirname in entry for dirname in ['app/', 'priv-app/',
80                                                  'overlay/']):
81        logger.warning('Apk path does not contain the intended directory name:'
82                       ' %s', entry)
83
84    payload_dir, has_signed_apk = self.ExtractApexPayloadAndSignApks(
85        apk_entries, apk_keys)
86    if not has_signed_apk:
87      logger.info('No apk file has been signed in %s', self.apex_path)
88      return self.apex_path
89
90    return self.RepackApexPayload(payload_dir, payload_key, signing_args)
91
92  def ExtractApexPayloadAndSignApks(self, apk_entries, apk_keys):
93    """Extracts the payload image and signs the containing apk files."""
94    payload_dir = common.MakeTempDir()
95    extract_cmd = ['deapexer', 'extract', self.apex_path, payload_dir]
96    common.RunAndCheckOutput(extract_cmd)
97
98    has_signed_apk = False
99    for entry in apk_entries:
100      apk_path = os.path.join(payload_dir, entry)
101      assert os.path.exists(self.apex_path)
102
103      key_name = apk_keys.get(os.path.basename(entry))
104      if key_name in common.SPECIAL_CERT_STRINGS:
105        logger.info('Not signing: %s due to special cert string', apk_path)
106        continue
107
108      logger.info('Signing apk file %s in apex %s', apk_path, self.apex_path)
109      # Rename the unsigned apk and overwrite the original apk path with the
110      # signed apk file.
111      unsigned_apk = common.MakeTempFile()
112      os.rename(apk_path, unsigned_apk)
113      common.SignFile(unsigned_apk, apk_path, key_name, self.key_passwords,
114                      codename_to_api_level_map=self.codename_to_api_level_map)
115      has_signed_apk = True
116    return payload_dir, has_signed_apk
117
118  def RepackApexPayload(self, payload_dir, payload_key, signing_args=None):
119    """Rebuilds the apex file with the updated payload directory."""
120    apex_dir = common.MakeTempDir()
121    # Extract the apex file and reuse its meta files as repack parameters.
122    common.UnzipToDir(self.apex_path, apex_dir)
123    arguments_dict = {
124        'manifest': os.path.join(apex_dir, 'apex_manifest.pb'),
125        'build_info': os.path.join(apex_dir, 'apex_build_info.pb'),
126        'key': payload_key,
127    }
128    for filename in arguments_dict.values():
129      assert os.path.exists(filename), 'file {} not found'.format(filename)
130
131    # The repack process will add back these files later in the payload image.
132    for name in ['apex_manifest.pb', 'apex_manifest.json', 'lost+found']:
133      path = os.path.join(payload_dir, name)
134      if os.path.isfile(path):
135        os.remove(path)
136      elif os.path.isdir(path):
137        shutil.rmtree(path)
138
139    # TODO(xunchang) the signing process can be improved by using
140    # '--unsigned_payload_only'. But we need to parse the vbmeta earlier for
141    # the signing arguments, e.g. algorithm, salt, etc.
142    payload_img = os.path.join(apex_dir, APEX_PAYLOAD_IMAGE)
143    generate_image_cmd = ['apexer', '--force', '--payload_only',
144                          '--do_not_check_keyname', '--apexer_tool_path',
145                          os.getenv('PATH')]
146    for key, val in arguments_dict.items():
147      generate_image_cmd.extend(['--' + key, val])
148
149    # Add quote to the signing_args as we will pass
150    # --signing_args "--signing_helper_with_files=%path" to apexer
151    if signing_args:
152      generate_image_cmd.extend(['--signing_args', '"{}"'.format(signing_args)])
153
154    # optional arguments for apex repacking
155    manifest_json = os.path.join(apex_dir, 'apex_manifest.json')
156    if os.path.exists(manifest_json):
157      generate_image_cmd.extend(['--manifest_json', manifest_json])
158    generate_image_cmd.extend([payload_dir, payload_img])
159    if OPTIONS.verbose:
160      generate_image_cmd.append('-v')
161    common.RunAndCheckOutput(generate_image_cmd)
162
163    # Add the payload image back to the apex file.
164    common.ZipDelete(self.apex_path, APEX_PAYLOAD_IMAGE)
165    with zipfile.ZipFile(self.apex_path, 'a') as output_apex:
166      common.ZipWrite(output_apex, payload_img, APEX_PAYLOAD_IMAGE,
167                      compress_type=zipfile.ZIP_STORED)
168    return self.apex_path
169
170
171def SignApexPayload(avbtool, payload_file, payload_key_path, payload_key_name,
172                    algorithm, salt, hash_algorithm, no_hashtree, signing_args=None):
173  """Signs a given payload_file with the payload key."""
174  # Add the new footer. Old footer, if any, will be replaced by avbtool.
175  cmd = [avbtool, 'add_hashtree_footer',
176         '--do_not_generate_fec',
177         '--algorithm', algorithm,
178         '--key', payload_key_path,
179         '--prop', 'apex.key:{}'.format(payload_key_name),
180         '--image', payload_file,
181         '--salt', salt,
182         '--hash_algorithm', hash_algorithm]
183  if no_hashtree:
184    cmd.append('--no_hashtree')
185  if signing_args:
186    cmd.extend(shlex.split(signing_args))
187
188  try:
189    common.RunAndCheckOutput(cmd)
190  except common.ExternalError as e:
191    raise ApexSigningError(
192        'Failed to sign APEX payload {} with {}:\n{}'.format(
193            payload_file, payload_key_path, e))
194
195  # Verify the signed payload image with specified public key.
196  logger.info('Verifying %s', payload_file)
197  VerifyApexPayload(avbtool, payload_file, payload_key_path, no_hashtree)
198
199
200def VerifyApexPayload(avbtool, payload_file, payload_key, no_hashtree=False):
201  """Verifies the APEX payload signature with the given key."""
202  cmd = [avbtool, 'verify_image', '--image', payload_file,
203         '--key', payload_key]
204  if no_hashtree:
205    cmd.append('--accept_zeroed_hashtree')
206  try:
207    common.RunAndCheckOutput(cmd)
208  except common.ExternalError as e:
209    raise ApexSigningError(
210        'Failed to validate payload signing for {} with {}:\n{}'.format(
211            payload_file, payload_key, e))
212
213
214def ParseApexPayloadInfo(avbtool, payload_path):
215  """Parses the APEX payload info.
216
217  Args:
218    avbtool: The AVB tool to use.
219    payload_path: The path to the payload image.
220
221  Raises:
222    ApexInfoError on parsing errors.
223
224  Returns:
225    A dict that contains payload property-value pairs. The dict should at least
226    contain Algorithm, Salt, Tree Size and apex.key.
227  """
228  if not os.path.exists(payload_path):
229    raise ApexInfoError('Failed to find image: {}'.format(payload_path))
230
231  cmd = [avbtool, 'info_image', '--image', payload_path]
232  try:
233    output = common.RunAndCheckOutput(cmd)
234  except common.ExternalError as e:
235    raise ApexInfoError(
236        'Failed to get APEX payload info for {}:\n{}'.format(
237            payload_path, e))
238
239  # Extract the Algorithm / Hash Algorithm / Salt / Prop info / Tree size from
240  # payload (i.e. an image signed with avbtool). For example,
241  # Algorithm:                SHA256_RSA4096
242  PAYLOAD_INFO_PATTERN = (
243      r'^\s*(?P<key>Algorithm|Hash Algorithm|Salt|Prop|Tree Size)\:\s*(?P<value>.*?)$')
244  payload_info_matcher = re.compile(PAYLOAD_INFO_PATTERN)
245
246  payload_info = {}
247  for line in output.split('\n'):
248    line_info = payload_info_matcher.match(line)
249    if not line_info:
250      continue
251
252    key, value = line_info.group('key'), line_info.group('value')
253
254    if key == 'Prop':
255      # Further extract the property key-value pair, from a 'Prop:' line. For
256      # example,
257      #   Prop: apex.key -> 'com.android.runtime'
258      # Note that avbtool writes single or double quotes around values.
259      PROPERTY_DESCRIPTOR_PATTERN = r'^\s*(?P<key>.*?)\s->\s*(?P<value>.*?)$'
260
261      prop_matcher = re.compile(PROPERTY_DESCRIPTOR_PATTERN)
262      prop = prop_matcher.match(value)
263      if not prop:
264        raise ApexInfoError(
265            'Failed to parse prop string {}'.format(value))
266
267      prop_key, prop_value = prop.group('key'), prop.group('value')
268      if prop_key == 'apex.key':
269        # avbtool dumps the prop value with repr(), which contains single /
270        # double quotes that we don't want.
271        payload_info[prop_key] = prop_value.strip('\"\'')
272
273    else:
274      payload_info[key] = value
275
276  # Validation check.
277  for key in ('Algorithm', 'Salt', 'apex.key', 'Hash Algorithm'):
278    if key not in payload_info:
279      raise ApexInfoError(
280          'Failed to find {} prop in {}'.format(key, payload_path))
281
282  return payload_info
283
284
285def SignApex(avbtool, apex_data, payload_key, container_key, container_pw,
286             apk_keys, codename_to_api_level_map,
287             no_hashtree, signing_args=None):
288  """Signs the current APEX with the given payload/container keys.
289
290  Args:
291    apex_data: Raw APEX data.
292    payload_key: The path to payload signing key (w/ extension).
293    container_key: The path to container signing key (w/o extension).
294    container_pw: The matching password of the container_key, or None.
295    apk_keys: A dict that holds the signing keys for apk files.
296    codename_to_api_level_map: A dict that maps from codename to API level.
297    no_hashtree: Don't include hashtree in the signed APEX.
298    signing_args: Additional args to be passed to the payload signer.
299
300  Returns:
301    The path to the signed APEX file.
302  """
303  apex_file = common.MakeTempFile(prefix='apex-', suffix='.apex')
304  with open(apex_file, 'wb') as apex_fp:
305    apex_fp.write(apex_data)
306
307  APEX_PUBKEY = 'apex_pubkey'
308
309  # 1. Extract the apex payload image and sign the containing apk files. Repack
310  # the apex file after signing.
311  apk_signer = ApexApkSigner(apex_file, container_pw,
312                             codename_to_api_level_map)
313  apex_file = apk_signer.ProcessApexFile(apk_keys, payload_key, signing_args)
314
315  # 2a. Extract and sign the APEX_PAYLOAD_IMAGE entry with the given
316  # payload_key.
317  payload_dir = common.MakeTempDir(prefix='apex-payload-')
318  with zipfile.ZipFile(apex_file) as apex_fd:
319    payload_file = apex_fd.extract(APEX_PAYLOAD_IMAGE, payload_dir)
320    zip_items = apex_fd.namelist()
321
322  payload_info = ParseApexPayloadInfo(avbtool, payload_file)
323  SignApexPayload(
324      avbtool,
325      payload_file,
326      payload_key,
327      payload_info['apex.key'],
328      payload_info['Algorithm'],
329      payload_info['Salt'],
330      payload_info['Hash Algorithm'],
331      no_hashtree,
332      signing_args)
333
334  # 2b. Update the embedded payload public key.
335  payload_public_key = common.ExtractAvbPublicKey(avbtool, payload_key)
336  common.ZipDelete(apex_file, APEX_PAYLOAD_IMAGE)
337  if APEX_PUBKEY in zip_items:
338    common.ZipDelete(apex_file, APEX_PUBKEY)
339  apex_zip = zipfile.ZipFile(apex_file, 'a')
340  common.ZipWrite(apex_zip, payload_file, arcname=APEX_PAYLOAD_IMAGE)
341  common.ZipWrite(apex_zip, payload_public_key, arcname=APEX_PUBKEY)
342  common.ZipClose(apex_zip)
343
344  # 3. Align the files at page boundary (same as in apexer).
345  aligned_apex = common.MakeTempFile(prefix='apex-container-', suffix='.apex')
346  common.RunAndCheckOutput(['zipalign', '-f', '4096', apex_file, aligned_apex])
347
348  # 4. Sign the APEX container with container_key.
349  signed_apex = common.MakeTempFile(prefix='apex-container-', suffix='.apex')
350
351  # Specify the 4K alignment when calling SignApk.
352  extra_signapk_args = OPTIONS.extra_signapk_args[:]
353  extra_signapk_args.extend(['-a', '4096'])
354
355  common.SignFile(
356      aligned_apex,
357      signed_apex,
358      container_key,
359      container_pw,
360      codename_to_api_level_map=codename_to_api_level_map,
361      extra_signapk_args=extra_signapk_args)
362
363  return signed_apex
364