1. 工具make_key

生成 x509.pem（证书，内含公钥）和 pk8（私钥）

# Excerpt from make_key (full script below): the self-signed certificate and
# the PKCS#8 private key are produced by two separate openssl invocations
# that each read the freshly generated RSA key from a named pipe (${two} and
# ${one}); $1 is the output basename and $2 the X.509 subject string.
openssl req -new -x509 -sha1 -key ${two} -out $1.x509.pem \
  -days 10000 -subj "$2" &
openssl pkcs8 -in ${one} -topk8 -outform DER -out $1.pk8 -nocrypt
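#!/bin/bash
# development/tools/make_key
#
# Copyright (C) 2009 The Android Open Source Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Generates a public/private key pair suitable for use in signing
# android .apks and OTA update packages.
#
# Usage: make_key NAME SUBJECT
#   NAME    - basename of the outputs: NAME.pk8 (PKCS#8 DER private key)
#             and NAME.x509.pem (self-signed certificate)
#   SUBJECT - X.509 subject handed to 'openssl req -subj', e.g.
#             '/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android'
# Exit status: 0 on success, 2 on usage error, 1 if the outputs already
#   exist, a temp dir or pipe cannot be created, or any openssl step fails.

if [ "$#" -ne 2 ]; then
  cat <<EOF
Usage: $0 NAME SUBJECT

Creates NAME.pk8 key and NAME.x509.pem cert.  Cert contains the
given SUBJECT.
EOF
  exit 2
fi

if [[ -e "$1.pk8" || -e "$1.x509.pem" ]]; then
  echo "$1.pk8 and/or $1.x509.pem already exist; please delete them first"
  echo "if you want to replace them."
  exit 1
fi

# Use named pipes to connect the raw RSA private key to the cert- and
# .pk8-creating programs, to avoid having the private key ever touch
# the disk.  The pipes live in a private temp dir removed on every exit.
tmpdir=$(mktemp -d) || exit 1
# Preserve the real exit status: the original trap ran 'exit 1'
# unconditionally on EXIT, so even a successful run reported failure.
trap 'rv=$?; rm -rf -- "${tmpdir}"; echo; exit "${rv}"' EXIT
trap 'exit 1' INT QUIT

one=${tmpdir}/one
two=${tmpdir}/two
# mkfifo -m replaces the original mknod + chmod pair and is portable.
mkfifo -m 0600 -- "${one}" "${two}" || exit 1

read -r -p "Enter password for '$1' (blank for none; password will be visible): " \
  password

# Generate the key once and fan it out to both pipes; each consumer below
# reads exactly one pipe.
( openssl genrsa -f4 2048 | tee "${one}" > "${two}" ) &
gen_pid=$!

# Self-signed certificate from pipe 'two'.  SHA-256 instead of the
# original SHA-1: SHA-1 signatures are deprecated and increasingly
# rejected by tooling; the cert stays a plain self-signed RSA cert.
openssl req -new -x509 -sha256 -key "${two}" -out "$1.x509.pem" \
  -days 10000 -subj "$2" &
req_pid=$!

# PKCS#8 private key from pipe 'one' (DER), optionally encrypted.
if [ -z "${password}" ]; then
  echo "creating ${1}.pk8 with no password"
  openssl pkcs8 -in "${one}" -topk8 -outform DER -out "$1.pk8" -nocrypt
else
  # The password is not echoed back into the log; it was already visible
  # while being typed.  printf keeps it intact where the old unquoted
  # 'echo $password' would word-split and glob it.
  echo "creating ${1}.pk8 with password"
  printf '%s\n' "${password}" \
    | openssl pkcs8 -in "${one}" -topk8 -outform DER -out "$1.pk8" \
        -passout stdin
fi
pk8_rv=$?

# Reap the background steps explicitly; a bare 'wait' always returns 0
# and would hide a failed genrsa/req.
wait "${gen_pid}"; gen_rv=$?
wait "${req_pid}"; req_rv=$?
if [ "${pk8_rv}" -ne 0 ] || [ "${gen_rv}" -ne 0 ] || [ "${req_rv}" -ne 0 ]; then
  echo "key generation failed; removing partial outputs" >&2
  rm -f -- "$1.pk8" "$1.x509.pem"
  exit 1
fi
exit 0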
2.参数
C ---> Country Name (2 letter code)
ST ---> State or Province Name (full name)
L ---> Locality Name (eg, city)
O ---> Organization Name (eg, company)
OU ---> Organizational Unit Name (eg, section)
CN ---> Common Name (eg, your name or your server's hostname)
emailAddress ---> Contact email address
  development/tools/make_key testkey  '/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com'
  development/tools/make_key platform '/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com'
  development/tools/make_key shared   '/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com'
  development/tools/make_key media    '/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com'

  The following standard test keys are currently included:

  testkey -- a generic key for packages that do not otherwise specify a key.
  platform -- a test key for packages that are part of the core platform.
  shared -- a test key for things that are shared in the home/contacts process.
  media -- a test key for packages that are part of the media/download system.

  These test keys are used strictly in development, and should never be assumed
  to convey any sort of validity.  When $BUILD_SECURE=true, the code should not
  honor these keys in any context.
3.build releasekey

/build/core/config.mk中定义变量:

    # Basename of the key pair used to sign system packages by default.
    # Presumably the build expects releasekey.pk8 and releasekey.x509.pem
    # at this path (the suffix convention make_key produces) — verify
    # against the signing rules in the build system.
    DEFAULT_SYSTEM_DEV_CERTIFICATE := build/target/product/security/releasekey

主makefile文件里面:

    # When the default certificate is the release key, tag the build as
    # release-keys; this is the value later visible in build.prop as
    # ro.build.tags=release-keys.
    ifeq ($(DEFAULT_SYSTEM_DEV_CERTIFICATE),build/target/product/security/releasekey)
      BUILD_VERSION_TAGS += release-keys
    # (the matching endif is not shown in this excerpt)
4.check

keytool

keytool -printcert -file verity.x509.pem
Owner: EMAILADDRESS=android@android.com, CN=Android, OU=Android, O=Android, L=Mountain View, ST=California, C=US
Issuer: EMAILADDRESS=android@android.com, CN=Android, OU=Android, O=Android, L=Mountain View, ST=California, C=US
Serial number: 970f983909aa8949
Valid from: Fri Nov 07 03:07:40 CST 2014 until: Tue Mar 25 03:07:40 CST 2042
Certificate fingerprints:
	 MD5:  DB:18:D3:11:F5:07:48:95:95:B5:A4:50:BB:2D:C4:95
	 SHA1: 14:A3:3C:EB:E3:E8:66:7B:40:9E:F8:14:2A:9D:56:25:9E:C8:32:8E
	 SHA256: 8A:D1:27:AB:AE:82:85:B5:82:EA:36:74:5F:22:0A:B8:FE:39:7F:FB:3B:06:8D:F1:9C:A2:2D:12:2C:7B:3B:86
	 Signature algorithm name: SHA1withRSA

build.prop中可以查看到变量:

   ro.build.tags=release-keys  
5.verity

可以检测到 system “发生过”改动，比如用户使用 root 软件强行植入 su 文件，但最后删除了 su，这种情况也能检测出来。一旦校验不过，系统就不能正常启动。

./octopus-f1/fstab.sun8i

/dev/block/by-name/system               /system      ext4    ro,barrier=1                                                                              wait,verify

build/target/product/verity.mk

PRODUCT_SUPPORTS_BOOT_SIGNER := true
PRODUCT_SUPPORTS_VERITY := true

# The dev key is used to sign boot and recovery images, and the verity
# metadata table. Actual product deliverables will be re-signed by hand.
# We expect this file to exist with the suffixes ".x509.pem" and ".pk8".
PRODUCT_VERITY_SIGNING_KEY := build/target/product/security/verity

# verity_key is the public-key blob installed on the device; presumably it
# must correspond to the certificate above, otherwise the signed verity
# table will not verify at boot — confirm against the generation script.
PRODUCT_PACKAGES += \
        verity_key
生成verity_key
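#!/bin/bash
# Generates the dm-verity RSA key pair and the on-device verity_key blob.
#
# Environment: ANDROID_HOST_OUT - host output dir of the Android build,
#   used to locate framework/dumpkey.jar.
# Outputs (under TARGET_PATH): rsa_key.pair (private key, PEM), rsa.pk
#   (public key, PEM), Cert.der (self-signed cert, DER), the_key (dumpkey
#   output), verity_key (written by dm_merge), key_info (debug log).
#   CertReq.csr and Cert.pem are intermediate and removed at the end.
# Exit status: 0 on success; non-zero as soon as any step fails (the
#   original always exited 0, so a broken key went unnoticed).

set -euo pipefail

TARGET_PATH=device/softwinner/common/verity/rsa_key
DM_MERGE=$TARGET_PATH/./../dm_merge
# TABLE and SIGN are not used by this script; kept for compatibility.
TABLE=$TARGET_PATH/table
SIGN=$TARGET_PATH/sign
RSA_KEY=$TARGET_PATH/verity_key
JAVA_TOOL=${ANDROID_HOST_OUT:?ANDROID_HOST_OUT must be set}/framework/dumpkey.jar

[ -x "$DM_MERGE" ] || { echo "missing dm_merge tool: $DM_MERGE" >&2; exit 1; }
[ -f "$JAVA_TOOL" ] || { echo "missing dumpkey.jar: $JAVA_TOOL" >&2; exit 1; }

# The private key signs the verity table; do not let the default umask
# create it world-readable.  The umask is scoped to this one command.
( umask 077; openssl genrsa -out "$TARGET_PATH/rsa_key.pair" 2048 )
openssl rsa -in "$TARGET_PATH/rsa_key.pair" -pubout -out "$TARGET_PATH/rsa.pk"
openssl req -new -out "$TARGET_PATH/CertReq.csr" -key "$TARGET_PATH/rsa_key.pair" \
  -subj "/C=NC/ST=GD/L=ZH/O=W/OU=W/CN=0"
# -days: 'openssl x509 -req' otherwise defaults to a 30-day validity;
# 10000 matches make_key in this tree.  Cert.der is kept on disk, so give
# it a sane lifetime.
openssl x509 -req -in "$TARGET_PATH/CertReq.csr" -out "$TARGET_PATH/Cert.pem" \
  -signkey "$TARGET_PATH/rsa_key.pair" -sha256 -days 10000
openssl x509 -in "$TARGET_PATH/Cert.pem" -inform PEM -out "$TARGET_PATH/Cert.der" -outform DER
# dumpkey extracts the certificate's RSA public key; dm_merge then writes
# the verity_key blob from it (libmincrypt format, per the labels below).
java -jar "$JAVA_TOOL" "$TARGET_PATH/Cert.der" > "$TARGET_PATH/the_key"

# Debug/info log.  The original wrote the first header to rsa_info and the
# rest to key_info (and appended across runs); everything now goes to a
# fresh key_info.  Log strings are kept verbatim.
{
  echo " Certificat key "
  cat "$TARGET_PATH/the_key"
  echo "****** Dm_meger debug info ******"
  "$DM_MERGE" -c "$TARGET_PATH/the_key" "$RSA_KEY" -d
  echo "*********************************"
  echo " RSA key format in android libmincrypt "
  cat "$RSA_KEY"
} > "$TARGET_PATH/key_info"

rm -f -- "$TARGET_PATH/CertReq.csr" "$TARGET_PATH/Cert.pem"
echo "Dm-Verity Rsa key ready !"
exit 0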
