#!/bin/bash
# ENV
# Where the long-lived platform private keys are stored (outside the tree).
# NOTE(review): built from $USER rather than $HOME, so the two can differ
# under sudo or a non-/home account layout — confirm this is intended.
certs_path=/home/${USER}/.android-certs
# Digest option handed to `openssl req` when issuing certificates.
hash=-sha256
# Functions
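#######################################
# Append a PRODUCT_CERTIFICATE_OVERRIDES stanza to ./keys.mk for every key
# name listed in a file (whitespace-separated). Names that already contain
# ".override" are written verbatim; every other name becomes
# "<name>:<name>.certificate.override". The first call writes ":=", later
# calls extend the variable with "+=".
# Globals:   none
# Arguments: $1 - path to the list of key names
# Outputs:   appends to keys.mk in the current directory
# Returns:   0 on success; 1 (and keys.mk untouched) if the list is unreadable
#######################################
generate_overrides_mk() {
  local list_file=$1
  local key
  local -a keys=()
  if [[ ! -r "$list_file" ]]; then
    printf 'generate_overrides_mk: cannot read %s\n' "$list_file" >&2
    return 1
  fi
  # Whitespace-separated names, split the way $(cat) did, but without
  # globbing any entry against the working directory. read returns 1 at EOF
  # (no NUL delimiter is found), so its status is ignored deliberately.
  read -r -d '' -a keys < "$list_file" || true
  echo "" >> keys.mk
  if grep -q "PRODUCT_CERTIFICATE_OVERRIDES" keys.mk; then
    echo "PRODUCT_CERTIFICATE_OVERRIDES += \\" >> keys.mk
  else
    echo "PRODUCT_CERTIFICATE_OVERRIDES := \\" >> keys.mk
  fi
  for key in "${keys[@]}"; do
    if [[ "$key" == *".override"* ]]; then
      echo " ${key} \\" >> keys.mk
    else
      echo " ${key}:${key}.certificate.override \\" >> keys.mk
    fi
  done
  # Drop the line-continuation ` \` from the last line written.
  sed -i '$ s/ \\$//' keys.mk
}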
# Setup
mkdir -p ${certs_path}
# Platform keys
subject="/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/[email protected]"
for cert in $(cat .data/platform_keys.txt); do
key_platform="${certs_path}/${cert}.pem"
cert_file="$(pwd)/${cert}.x509.pem"
# Platform keys
if [ ! -f ${key_platform} ]; then
openssl genrsa -f4 4096 > ${key_platform}
fi
# Certificates
if ! openssl x509 -checkend 86400 -noout -in ${cert_file} &> /dev/null; then
openssl req -new -x509 ${hash} -key ${key_platform} -out ${cert_file} -days 10000 -subj "$subject"
openssl pkcs8 -in ${key_platform} -topk8 -outform DER -out $(pwd)/${cert}.pk8 -nocrypt
fi
done
# APEX keys
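# Key names are whitespace-separated; read -a splits like $(cat) did but
# never globs a name against the working directory. read returns 1 at EOF
# (no NUL delimiter is found), so its status is ignored deliberately.
apex_names=()
read -r -d '' -a apex_names < .data/apex_keys.txt || true
for apex in "${apex_names[@]}"; do
  subject="/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=${apex}/[email protected]"
  key_apex="${PWD}/${apex}.pem"
  cert_file="${PWD}/${apex}.certificate.override.x509.pem"
  avbpubkey_file="${PWD}/${apex}.avbpubkey"
  pubkey_file="${PWD}/${apex}.pubkey"
  # APEX keys: generated once per name; the umask keeps the .pem owner-only
  # instead of inheriting the caller's default.
  if [[ ! -f "$key_apex" ]]; then
    (umask 077 && openssl genrsa -f4 4096 > "$key_apex")
  fi
  # AVB keys: extract the public key only while neither output exists.
  # com.android.vndk alone writes .pubkey; every other name writes
  # .avbpubkey (kept as the original did — the reason is not recorded here).
  if [[ ! -f "$avbpubkey_file" && ! -f "$pubkey_file" ]]; then
    if [[ "$apex" == "com.android.vndk" ]]; then
      avbtool extract_public_key --key "$key_apex" --output "$pubkey_file"
    else
      avbtool extract_public_key --key "$key_apex" --output "$avbpubkey_file"
    fi
  fi
  # Certificates: (re)issue when the current one is missing or expires
  # within the next 24h (-checkend 86400).
  if ! openssl x509 -checkend 86400 -noout -in "$cert_file" &> /dev/null; then
    openssl req -new -x509 "$hash" -key "$key_apex" -out "$cert_file" -days 10000 -subj "$subject"
    # The DER .pk8 is an unencrypted private key: create it owner-only too.
    (umask 077 && openssl pkcs8 -in "$key_apex" -topk8 -outform DER -out "${PWD}/${apex}.certificate.override.pk8" -nocrypt)
  fi
done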
# Generate Makefiles
## Android.bp
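# Emit one android_app_certificate module per APEX key name, followed by the
# fixed platform override(s). Names are whitespace-separated; read -a splits
# like $(cat) did but never globs an entry against the working directory.
# read returns 1 at EOF (no NUL delimiter is found), so its status is
# ignored deliberately.
bp_module_names=()
read -r -d '' -a bp_module_names < .data/apex_keys.txt || true
# ToDo: Migrate it into a list as soon new entries comes in
bp_module_names+=(cts_uicc_2021)
{
  echo "// DO NOT EDIT THIS FILE MANUALLY"
  for module in "${bp_module_names[@]}"; do
    # Blank separator line, then the module block; one space of indent as before.
    printf '\nandroid_app_certificate {\n name: "%s.certificate.override",\n certificate: "%s.certificate.override",\n}\n' \
      "$module" "$module"
  done
} > Android.bp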
## keys.mk
# Start keys.mk fresh; every generate_overrides_mk call below appends to it.
echo "# DO NOT EDIT THIS FILE MANUALLY" > keys.mk
override_lists=(
  # APEX certificates override
  .data/apex_keys.txt
  .data/apex_hardware_keys.txt
  # APEX app certificates override
  .data/apex_app_keys.txt
  # Platform app certificates override
  .data/platform_app_keys.txt
)
for key_list in "${override_lists[@]}"; do
  generate_overrides_mk "$key_list"
done
# Platform signature: the default signing key and the extra recovery key,
# both resolved relative to the build tree.
{
  echo ""
  echo "PRODUCT_DEFAULT_DEV_CERTIFICATE := vendor/lineage-priv/keys/releasekey"
  echo "PRODUCT_EXTRA_RECOVERY_KEYS += vendor/lineage-priv/keys/signed"
} >> keys.mk