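#!/bin/bash

# Copyright 2016 The ChromiumOS Authors
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# Load common constants and functions.
# shellcheck source=common.sh
. "$(dirname "$0")/common.sh"

#######################################
# Print usage.  With arguments, treat them as an error message and die;
# with none, exit 0.
# Globals:   PROG (read, provided by common.sh)
# Arguments: optional error message
#######################################
usage() {
  cat <<EOF
Usage: ${PROG} [FLAGS] DIR

Generate Android's set of framework key pairs at DIR. For detail, please refer
to "Certificates and private keys" and "Manually generating keys" in
https://source.android.com/devices/tech/ota/sign_builds.html.

FLAGS:
  --rotate-from Directory containing a set of old key pairs to rotate from
EOF

  if [[ $# -ne 0 ]]; then
    die "$*"
  else
    exit 0
  fi
}

# Use the same SUBJECT used in Nexus.
SUBJECT='/C=US/ST=California/L=Mountain View/O=Google Inc./OU=Android/CN=Android'

#######################################
# Generate NAME.pk8 (unencrypted PKCS#8 private key, DER) and NAME.x509.pem
# (self-signed certificate) in DIR.
# Globals:   SUBJECT (read)
# Arguments: $1 - output directory
#            $2 - key name (e.g. platform)
# Returns:   non-zero if an openssl step fails (the caller runs under set -e)
#######################################
make_pair() {
  local dir=$1
  local name=$2
  local tmp="${dir}/temp.pem"

  # Generate RSA key.  -3 selects public exponent 3 (the Android signing
  # procedure linked from usage() uses the same flag).  Create the private key
  # under a restrictive umask so it is never readable by other users.
  (umask 077; openssl genrsa -3 -out "${tmp}" 2048)

  # Create a certificate with the public part of the key.
  openssl req -new -x509 -key "${tmp}" -out "${dir}/${name}.x509.pem" \
    -days 10000 -subj "${SUBJECT}"

  # Create a PKCS#8-formatted version of the private key.  It is written
  # unencrypted (-nocrypt), so restrict its permissions at creation as well.
  (umask 077; openssl pkcs8 -in "${tmp}" -topk8 -outform DER \
    -out "${dir}/${name}.pk8" -nocrypt)

  # Best attempt to securely delete the temp.pem file; fall back to a plain
  # unlink so the key does not linger if shred is unavailable or fails.
  shred --remove "${tmp}" || rm -f -- "${tmp}"
}

#######################################
# Parse flags, then generate every framework key pair, optionally producing
# an apksigner lineage from the old pair found in --rotate-from.
# Arguments: [--rotate-from OLD_DIR] DIR
#######################################
main() {
  set -e

  local dir
  local old_dir=''
  local name

  while [[ $# -gt 0 ]]; do
    case $1 in
      -h|--help)
        usage
        ;;
      --rotate-from)
        # Without this check a bare --rotate-from makes 'shift 2' fail and the
        # script exits under set -e with no message.
        [[ $# -ge 2 ]] || usage "--rotate-from requires a directory"
        old_dir=$2
        shift 2
        ;;
      -*)
        usage "Unknown option: $1"
        ;;
      *)
        break
        ;;
    esac
  done

  if [[ $# -ne 1 ]]; then
    usage "Missing output directory"
  fi
  dir=$1

  # Rotation was requested explicitly, so a missing old key directory is an
  # error rather than something to skip silently (which would leave the new
  # keys without any lineage).
  if [[ -n "${old_dir}" && ! -d "${old_dir}" ]]; then
    usage "Not a directory: ${old_dir}"
  fi

  for name in platform shared media releasekey networkstack; do
    make_pair "${dir}" "${name}"

    if [[ -n "${old_dir}" ]]; then
      apksigner rotate --out "${dir}/${name}.lineage" \
        --old-signer --key "${old_dir}/${name}.pk8" \
        --cert "${old_dir}/${name}.x509.pem" \
        --new-signer --key "${dir}/${name}.pk8" --cert "${dir}/${name}.x509.pem"
    fi
  done
}

main "$@"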