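// Copyright (C) 2019 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// Build rules to build shim apexes.

// Payload signing key for the shim APEXes. The 4096-bit RSA private key is
// generated by openssl each time this rule runs rather than being checked in,
// so it is not stable across clean builds, and it is written to the build
// output unencrypted (genrsa is given no cipher option).
genrule {
    name: "com.android.apex.cts.shim.pem",
    out: ["com.android.apex.cts.shim.pem"],
    cmd: "openssl genrsa -out $(out) 4096",
}

// Public half of the key above, extracted with avbtool.
genrule {
    name: "com.android.apex.cts.shim.pubkey",
    srcs: [":com.android.apex.cts.shim.pem"],
    out: ["com.android.apex.cts.shim.pubkey"],
    tools: ["avbtool"],
    cmd: "$(location avbtool) extract_public_key --key $(in) --output $(out)",
}

// Key pair referenced by the `key:` property of the shim APEX modules.
apex_key {
    name: "com.android.apex.cts.shim.key",
    private_key: ":com.android.apex.cts.shim.pem",
    public_key: ":com.android.apex.cts.shim.pubkey",
    installable: false,
}

// hash.txt holding a single line: the SHA-512 of empty input (/dev/null).
// NOTE(review): the command is a pipeline ending in tee, so its exit status is
// tee's unless the genrule shell sets pipefail - confirm a sha512sum failure
// cannot leave a truncated hash.txt behind.
genrule {
    name: "generate_hash_of_dev_null",
    out: ["hash.txt"],
    cmd: "sha512sum -b /dev/null | cut -d' ' -f1 | tee $(out)",
}

prebuilt_etc {
    name: "hash_of_dev_null",
    src: ":generate_hash_of_dev_null",
    filename: "hash.txt",
    installable: false,
}

// v3 shim: both shim apps, contents restricted by default_shim_allowed_list.txt.
apex {
    name: "com.android.apex.cts.shim.v3",
    manifest: "manifest_v3.json",
    androidManifest: "AndroidManifest.xml",
    file_contexts: ":apex.test-file_contexts",
    key: "com.android.apex.cts.shim.key",
    prebuilts: ["hash_of_dev_null"],
    apps: ["CtsShim", "CtsShimPriv"],
    installable: false,
    allowed_files: "default_shim_allowed_list.txt",
}

// v2 shim: base for the override, re-signed and stripped variants in this file.
apex {
    name: "com.android.apex.cts.shim.v2",
    manifest: "manifest_v2.json",
    androidManifest: "AndroidManifest.xml",
    file_contexts: ":apex.test-file_contexts",
    key: "com.android.apex.cts.shim.key",
    prebuilts: ["hash_of_dev_null"],
    apps: ["CtsShim", "CtsShimPriv"],
    installable: false,
    allowed_files: "default_shim_allowed_list.txt",
}

// Same as v2 but with no `apps` entry.
apex {
    name: "com.android.apex.cts.shim.v2_without_apk_in_apex",
    manifest: "manifest_v2.json",
    androidManifest: "AndroidManifest.xml",
    file_contexts: ":apex.test-file_contexts",
    key: "com.android.apex.cts.shim.key",
    prebuilts: ["hash_of_dev_null"],
    installable: false,
    allowed_files: "default_shim_allowed_list.txt",
}

// Same as v2 plus test_only_no_hashtree. Going by the property name, the
// payload is built without its hashtree; test fixture only.
apex {
    name: "com.android.apex.cts.shim.v2_no_hashtree",
    manifest: "manifest_v2.json",
    androidManifest: "AndroidManifest.xml",
    file_contexts: ":apex.test-file_contexts",
    key: "com.android.apex.cts.shim.key",
    prebuilts: ["hash_of_dev_null"],
    apps: ["CtsShim", "CtsShimPriv"],
    installable: false,
    allowed_files: "default_shim_allowed_list.txt",
    test_only_no_hashtree: true,
}

// Same as v2 plus test_only_unsigned_payload. Going by the property name, the
// payload image is left unsigned; this variant is not among the inputs of
// generate_hash_v1, so its hash is not written into v1's hash.txt.
apex {
    name: "com.android.apex.cts.shim.v2_unsigned_payload",
    manifest: "manifest_v2.json",
    androidManifest: "AndroidManifest.xml",
    file_contexts: ":apex.test-file_contexts",
    key: "com.android.apex.cts.shim.key",
    prebuilts: ["hash_of_dev_null"],
    apps: ["CtsShim", "CtsShimPriv"],
    installable: false,
    allowed_files: "default_shim_allowed_list.txt",
    test_only_unsigned_payload: true,
}

// v2 rebuilt under a different package name.
override_apex {
    name: "com.android.apex.cts.shim.v2_different_package_name",
    package_name: "com.android.apex.cts.shim.different",
    base: "com.android.apex.cts.shim.v2",
}

// Zero-byte hash.txt, consumed by v2_wrong_sha below.
genrule {
    name: "generate_empty_hash",
    out: ["hash.txt"],
    cmd: "touch $(out)",
}

prebuilt_etc {
    name: "empty_hash",
    src: ":generate_empty_hash",
    filename: "hash.txt",
    installable: false,
}

// Use empty hash.txt to make sure that this apex has wrong SHA512, hence trying
// to stage it should fail.
apex {
    name: "com.android.apex.cts.shim.v2_wrong_sha",
    manifest: "manifest_v2.json",
    androidManifest: "AndroidManifest.xml",
    file_contexts: ":apex.test-file_contexts",
    key: "com.android.apex.cts.shim.key",
    prebuilts: ["empty_hash"],
    installable: false,
}

prebuilt_etc {
    name: "apex_shim_additional_file",
    src: "additional_file",
    filename: "additional_file",
    installable: false,
}

// v2 carrying one extra file next to hash.txt. Unlike v2 it sets no
// allowed_files.
// NOTE(review): presumably a negative fixture for the shim content check -
// confirm against the tests that consume it.
apex {
    name: "com.android.apex.cts.shim.v2_additional_file",
    manifest: "manifest_v2.json",
    androidManifest: "AndroidManifest.xml",
    file_contexts: ":apex.test-file_contexts",
    key: "com.android.apex.cts.shim.key",
    prebuilts: ["hash_of_dev_null", "apex_shim_additional_file"],
    installable: false,
}

prebuilt_etc {
    name: "apex_shim_additional_folder",
    src: "additional_file",
    filename: "additional_file",
    sub_dir: "additional_folder",
    installable: false,
}

// As v2_additional_file, but the extra file sits in the additional_folder
// sub-directory.
apex {
    name: "com.android.apex.cts.shim.v2_additional_folder",
    manifest: "manifest_v2.json",
    androidManifest: "AndroidManifest.xml",
    file_contexts: ":apex.test-file_contexts",
    key: "com.android.apex.cts.shim.key",
    prebuilts: ["hash_of_dev_null", "apex_shim_additional_folder"],
    installable: false,
}

// v2 built from manifest_v2_with_pre_install_hook.json (the manifest itself is
// not part of this file).
apex {
    name: "com.android.apex.cts.shim.v2_with_pre_install_hook",
    manifest: "manifest_v2_with_pre_install_hook.json",
    androidManifest: "AndroidManifest.xml",
    file_contexts: ":apex.test-file_contexts",
    key: "com.android.apex.cts.shim.key",
    prebuilts: ["hash_of_dev_null"],
    installable: false,
}

// v2 built from manifest_v2_with_post_install_hook.json (the manifest itself is
// not part of this file).
apex {
    name: "com.android.apex.cts.shim.v2_with_post_install_hook",
    manifest: "manifest_v2_with_post_install_hook.json",
    androidManifest: "AndroidManifest.xml",
    file_contexts: ":apex.test-file_contexts",
    key: "com.android.apex.cts.shim.key",
    prebuilts: ["hash_of_dev_null"],
    installable: false,
}
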
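// Builds the hash.txt packaged into the v1 shim: one SHA-512 per listed
// variant, in `srcs` order. Per the comments on v2_wrong_sha and v2_legacy in
// this file, this list decides which shim APEXes v1 allows; every entry added
// here widens that set, so additions deserve review. Variants left out on
// purpose include v2_wrong_sha, v2_unsigned_payload, v2_legacy, v2_no_pb and
// v2_unsigned_apk_container.
// NOTE(review): the command is a pipeline ending in tee, so its exit status is
// tee's unless the genrule shell sets pipefail - confirm a sha512sum failure
// cannot produce a shorter list without failing the build.
genrule {
    name: "generate_hash_v1",
    srcs: [
        ":com.android.apex.cts.shim.v2",
        ":com.android.apex.cts.shim.v2_without_apk_in_apex",
        ":com.android.apex.cts.shim.v2_additional_file",
        ":com.android.apex.cts.shim.v2_additional_folder",
        ":com.android.apex.cts.shim.v2_different_certificate",
        ":com.android.apex.cts.shim.v2_different_package_name",
        ":com.android.apex.cts.shim.v2_no_hashtree",
        ":com.android.apex.cts.shim.v2_signed_bob",
        ":com.android.apex.cts.shim.v2_signed_bob_rot",
        ":com.android.apex.cts.shim.v2_signed_bob_rot_rollback",
        ":com.android.apex.cts.shim.v2_with_pre_install_hook",
        ":com.android.apex.cts.shim.v2_with_post_install_hook",
        ":com.android.apex.cts.shim.v2_sdk_target_p",
        ":com.android.apex.cts.shim.v2_apk_in_apex_sdk_target_p",
        ":com.android.apex.cts.shim.v3",
        ":com.android.apex.cts.shim.v3_signed_bob",
        ":com.android.apex.cts.shim.v3_signed_bob_rot",
    ],
    out: ["hash.txt"],
    cmd: "sha512sum -b $(in) | cut -d' ' -f1 | tee $(out)",
}

prebuilt_etc {
    name: "hash_v1",
    src: ":generate_hash_v1",
    filename: "hash.txt",
    installable: false,
}

// v1 shim. The only shim apex in this file that does not set
// `installable: false`; it carries the hash list built above.
apex {
    name: "com.android.apex.cts.shim.v1",
    manifest: "manifest.json",
    androidManifest: "AndroidManifest.xml",
    file_contexts: ":apex.test-file_contexts",
    key: "com.android.apex.cts.shim.key",
    prebuilts: ["hash_v1"],
    apps: ["CtsShim", "CtsShimPriv"],
    allowed_files: "default_shim_allowed_list.txt",
}

// This is to install the flattened version of com.android.apex.cts.shim.
// Because com.android.apex.cts.shim is provided as a prebuilt and the build
// system doesn't support installing the "flattened" version from a "prebuilt"
// yet, GSI, which should have both "flattened" and "unflattened" APEXes, is
// missing the flattened version of com.android.apex.cts.shim.
// TODO(b/159426728): When the build system can install "flattened" from "prebuilts",
// this can be removed.
override_apex {
    name: "com.android.apex.cts.shim.v1_with_prebuilts",
    base: "com.android.apex.cts.shim.v1",
    apps: ["CtsShimPrebuilt", "CtsShimPrivPrebuilt"],
    allowed_files: "prebuilts_shim_allowed_list.txt",
}

// Separate payload key for the "not pre-installed" shim. As with the main shim
// key, openssl generates the private key when the rule runs and writes it to
// the build output unencrypted.
genrule {
    name: "com.android.apex.cts.shim_not_pre_installed.pem",
    out: ["com.android.apex.cts.shim_not_pre_installed.pem"],
    cmd: "openssl genrsa -out $(out) 4096",
}

genrule {
    name: "com.android.apex.cts.shim_not_pre_installed.pubkey",
    srcs: [":com.android.apex.cts.shim_not_pre_installed.pem"],
    out: ["com.android.apex.cts.shim_not_pre_installed.pubkey"],
    tools: ["avbtool"],
    cmd: "$(location avbtool) extract_public_key --key $(in) --output $(out)",
}

apex_key {
    name: "com.android.apex.cts.shim_not_pre_installed.key",
    private_key: ":com.android.apex.cts.shim_not_pre_installed.pem",
    public_key: ":com.android.apex.cts.shim_not_pre_installed.pubkey",
    installable: false,
}

// Shim signed with the key above; it sets no androidManifest and is not an
// input of generate_hash_v1.
apex {
    name: "com.android.apex.cts.shim_not_pre_installed",
    manifest: "manifest_not_pre_installed.json",
    file_contexts: ":apex.test-file_contexts",
    key: "com.android.apex.cts.shim_not_pre_installed.key",
    prebuilts: ["hash_of_dev_null"],
    installable: false,
}

// v2 whose container certificate is overridden with the debug certificate
// declared just below; the payload key is unchanged.
apex {
    name: "com.android.apex.cts.shim.v2_different_certificate",
    manifest: "manifest_v2.json",
    androidManifest: "AndroidManifest.xml",
    file_contexts: ":apex.test-file_contexts",
    key: "com.android.apex.cts.shim.key",
    prebuilts: ["hash_of_dev_null"],
    installable: false,
    certificate: ":com.android.apex.cts.shim.debug.cert",
}

android_app_certificate {
    name: "com.android.apex.cts.shim.debug.cert",
    certificate: "com.android.apex.cts.shim.debug.cert",
}

// Build rules to build shim apex with rotated keys

// We name the original key used to sign cts.shim.v1 package as alice.
// We then create a second key called bob. The second key bob is used to rotate the
// original key alice.

// Create private key bob in pem format.
// Only -keyout is directed to $(out), so the rule's output is the private key;
// -nodes leaves it unencrypted. The key is regenerated whenever the rule runs.
genrule {
    name: "com.android.apex.rotation.key.bob.pem",
    out: ["bob.pem"],
    cmd: "openssl req -x509 -newkey rsa:4096 -nodes -days 999999 -subj '/DN=/EMAILADDRESS=android@android.com/CN=Android/OU=Android/O=Android/L=Mountain View/ST=California/C=US' -keyout $(out)",
}

// Converts bob's private key to pk8 format (DER, unencrypted because of
// -nocrypt).
genrule {
    name: "com.android.apex.rotation.key.bob.pk8",
    srcs: [":com.android.apex.rotation.key.bob.pem"],
    out: ["bob.pk8"],
    cmd: "openssl pkcs8 -topk8 -inform PEM -outform DER -in $(in) -out $(out) -nocrypt",
}

// Create bob's self-signed X.509 certificate from bob's private key (the
// output is a certificate, not a bare public key). -days 999999 makes it
// effectively non-expiring.
// NOTE(review): both -key and -newkey are passed. The signing rules below pair
// this certificate with bob.pk8, which only works if openssl uses the -key
// file rather than generating a new key - confirm for the openssl in use.
genrule {
    name: "com.android.apex.rotation.key.bob.x509.pem",
    srcs: [":com.android.apex.rotation.key.bob.pem"],
    out: ["bob.x509.pem"],
    cmd: "openssl req -x509 -key $(in) -newkey rsa:4096 -nodes -days 999999 -subj '/DN=/EMAILADDRESS=android@android.com/CN=Android/OU=Android/O=Android/L=Mountain View/ST=California/C=US' -out $(out)",
}

// Create lineage file for rotating alice to bob.
// alice.pk8 and alice.x509.pem are plain source files, i.e. alice's private key
// is checked into the tree next to this file; test material only.
genrule {
    name: "com.android.apex.rotation.key.bob.rot",
    srcs: [
        "alice.pk8",
        "alice.x509.pem",
        ":com.android.apex.rotation.key.bob.pk8",
        ":com.android.apex.rotation.key.bob.x509.pem",
    ],
    out: ["bob.rot"],
    tools: [":apksigner"],
    cmd: "$(location :apksigner) rotate --out $(out) --old-signer --key $(location alice.pk8) --cert $(location alice.x509.pem) --new-signer --key $(location :com.android.apex.rotation.key.bob.pk8) --cert $(location :com.android.apex.rotation.key.bob.x509.pem)",
}

// Create lineage file for rotating alice to bob with rollback capability.
// --set-rollback true is given in the --old-signer section, so it is alice that
// receives the rollback capability. The output file is also named bob.rot, the
// same as the rule above; the two are told apart by module name only.
genrule {
    name: "com.android.apex.rotation.key.bob.rot.rollback",
    srcs: [
        "alice.pk8",
        "alice.x509.pem",
        ":com.android.apex.rotation.key.bob.pk8",
        ":com.android.apex.rotation.key.bob.x509.pem",
    ],
    out: ["bob.rot"],
    tools: [":apksigner"],
    cmd: "$(location :apksigner) rotate --out $(out) --old-signer --key $(location alice.pk8) --cert $(location alice.x509.pem) --set-rollback true --new-signer --key $(location :com.android.apex.rotation.key.bob.pk8) --cert $(location :com.android.apex.rotation.key.bob.x509.pem)",
}

// v2 cts shim package signed by bob, without lineage.
// The v1 and v2 signature schemes are switched off explicitly; any other
// scheme is left at apksigner's default (presumably v3 - confirm). With no
// lineage, nothing in the package links bob back to alice.
genrule {
    name: "com.android.apex.cts.shim.v2_signed_bob",
    out: ["com.android.apex.cts.shim.v2_signed_bob"],
    tools: [":apksigner"],
    srcs: [
        ":com.android.apex.cts.shim.v2",
        ":com.android.apex.rotation.key.bob.x509.pem",
        ":com.android.apex.rotation.key.bob.pk8",
    ],
    dist: {
        targets: ["com.android.apex.cts.shim.v2_signed_bob"],
        dest: "com.android.apex.cts.shim.v2_signed_bob.apex",
    },
    cmd: "$(location :apksigner) sign --v1-signing-enabled false --v2-signing-enabled false --key $(location :com.android.apex.rotation.key.bob.pk8) --cert $(location :com.android.apex.rotation.key.bob.x509.pem) --out $(out) $(location :com.android.apex.cts.shim.v2)",
}

// v2 cts shim package signed by bob + lineage
genrule {
    name: "com.android.apex.cts.shim.v2_signed_bob_rot",
    out: ["com.android.apex.cts.shim.v2_signed_bob_rot"],
    tools: [":apksigner"],
    srcs: [
        ":com.android.apex.cts.shim.v2",
        ":com.android.apex.rotation.key.bob.x509.pem",
        ":com.android.apex.rotation.key.bob.pk8",
        ":com.android.apex.rotation.key.bob.rot",
    ],
    dist: {
        targets: ["com.android.apex.cts.shim.v2_signed_bob_rot"],
        dest: "com.android.apex.cts.shim.v2_signed_bob_rot.apex",
    },
    cmd: "$(location :apksigner) sign --v1-signing-enabled false --v2-signing-enabled false --key $(location :com.android.apex.rotation.key.bob.pk8) --cert $(location :com.android.apex.rotation.key.bob.x509.pem) --lineage $(location :com.android.apex.rotation.key.bob.rot) --out $(out) $(location :com.android.apex.cts.shim.v2)",
}

// v2 cts shim package signed by bob + lineage + rollback capability
genrule {
    name: "com.android.apex.cts.shim.v2_signed_bob_rot_rollback",
    out: ["com.android.apex.cts.shim.v2_signed_bob_rot_rollback"],
    tools: [":apksigner"],
    srcs: [
        ":com.android.apex.cts.shim.v2",
        ":com.android.apex.rotation.key.bob.x509.pem",
        ":com.android.apex.rotation.key.bob.pk8",
        ":com.android.apex.rotation.key.bob.rot.rollback",
    ],
    dist: {
        targets: ["com.android.apex.cts.shim.v2_signed_bob_rot_rollback"],
        dest: "com.android.apex.cts.shim.v2_signed_bob_rot_rollback.apex",
    },
    cmd: "$(location :apksigner) sign --v1-signing-enabled false --v2-signing-enabled false --key $(location :com.android.apex.rotation.key.bob.pk8) --cert $(location :com.android.apex.rotation.key.bob.x509.pem) --lineage $(location :com.android.apex.rotation.key.bob.rot.rollback) --out $(out) $(location :com.android.apex.cts.shim.v2)",
}

// v3 cts shim package signed by bob
genrule {
    name: "com.android.apex.cts.shim.v3_signed_bob",
    out: ["com.android.apex.cts.shim.v3_signed_bob"],
    tools: [":apksigner"],
    srcs: [
        ":com.android.apex.cts.shim.v3",
        ":com.android.apex.rotation.key.bob.x509.pem",
        ":com.android.apex.rotation.key.bob.pk8",
    ],
    dist: {
        targets: ["com.android.apex.cts.shim.v3_signed_bob"],
        dest: "com.android.apex.cts.shim.v3_signed_bob.apex",
    },
    cmd: "$(location :apksigner) sign --v1-signing-enabled false --v2-signing-enabled false --key $(location :com.android.apex.rotation.key.bob.pk8) --cert $(location :com.android.apex.rotation.key.bob.x509.pem) --out $(out) $(location :com.android.apex.cts.shim.v3)",
}

// v3 cts shim package signed by bob + lineage
genrule {
    name: "com.android.apex.cts.shim.v3_signed_bob_rot",
    out: ["com.android.apex.cts.shim.v3_signed_bob_rot"],
    tools: [":apksigner"],
    srcs: [
        ":com.android.apex.cts.shim.v3",
        ":com.android.apex.rotation.key.bob.x509.pem",
        ":com.android.apex.rotation.key.bob.pk8",
        ":com.android.apex.rotation.key.bob.rot",
    ],
    dist: {
        targets: ["com.android.apex.cts.shim.v3_signed_bob_rot"],
        dest: "com.android.apex.cts.shim.v3_signed_bob_rot.apex",
    },
    cmd: "$(location :apksigner) sign --v1-signing-enabled false --v2-signing-enabled false --key $(location :com.android.apex.rotation.key.bob.pk8) --cert $(location :com.android.apex.rotation.key.bob.x509.pem) --lineage $(location :com.android.apex.rotation.key.bob.rot) --out $(out) $(location :com.android.apex.cts.shim.v3)",
}

// This one is only used in ApexdHostTest and not meant to be installed
// and hence shouldn't be allowed in hash.txt of v1 shim APEX.
apex {
    name: "com.android.apex.cts.shim.v2_legacy",
    manifest: "manifest_v2.json",
    androidManifest: "AndroidManifest.xml",
    file_contexts: ":apex.test-file_contexts",
    key: "com.android.apex.cts.shim.key",
    prebuilts: ["hash_of_dev_null"],
    apps: ["CtsShim", "CtsShimPriv"],
    installable: false,
    min_sdk_version: "29",
}

// v2_legacy repacked by zip2zip with apex_manifest.pb excluded (-x). Like its
// input, it is not an input of generate_hash_v1.
genrule {
    name: "com.android.apex.cts.shim.v2_no_pb",
    srcs: [":com.android.apex.cts.shim.v2_legacy"],
    out: ["com.android.apex.cts.shim.v2_no_pb.apex"],
    tools: ["zip2zip"],
    cmd: "$(location zip2zip) -i $(in) -x apex_manifest.pb -o $(out)",
}

// Apex shim that targets an old sdk (P)
apex {
    name: "com.android.apex.cts.shim.v2_sdk_target_p",
    manifest: "manifest_v2.json",
    androidManifest: "AndroidManifestSdkTargetP.xml",
    file_contexts: ":apex.test-file_contexts",
    key: "com.android.apex.cts.shim.key",
    prebuilts: ["hash_of_dev_null"],
    installable: false,
    apps: ["CtsShim", "CtsShimPriv"],
}

// Apex shim with apk-in-apex that targets sdk P
apex {
    name: "com.android.apex.cts.shim.v2_apk_in_apex_sdk_target_p",
    manifest: "manifest_v2.json",
    androidManifest: "AndroidManifest.xml",
    file_contexts: ":apex.test-file_contexts",
    key: "com.android.apex.cts.shim.key",
    prebuilts: ["hash_of_dev_null"],
    apps: ["CtsShimTargetPSdk"],
    installable: false,
}

// Apex shim with unsigned apk
// Copies v2 and deletes every zip entry matching META-INF* from the copy. The
// result is dist'ed for the apps_only target and is not an input of
// generate_hash_v1.
// NOTE(review): META-INF* is unquoted, so the shell expands it first if a
// matching path exists in the command's working directory; quoting the pattern
// would hand it to zip unchanged.
genrule {
    name: "com.android.apex.cts.shim.v2_unsigned_apk_container",
    srcs: [":com.android.apex.cts.shim.v2"],
    out: ["com.android.apex.cts.shim.v2_unsigned_apk_container.apex"],
    cmd: "cp -v $(in) $(out) && zip -d $(out) META-INF*",
    dist: {
        targets: ["apps_only"],
    },
}
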