Add a way for devserver to transmit public key and signed metadata hash.
The option --public-key which can be used with a public RSA key (in
PEM format) to have it be included as the value (base64 encoded) of
the PublicKeyRsa value in the XML response.
The option --private_key_for_metadata_hash_signature can be used with
a private RSA key to have devserver sign the metadata hash and include
it as the value of the MetadataSignatureRsa in the XML response, just
like the Omaha server.
Combined with CL:175285 for update_engine, this can be used to write
tests to assure that update_engine works correctly, e.g. that it
- Accepts payloads where both the metadata hash and the payload is
signed by a trusted key:
$ ./devserver.py --test_image \
--private_key unittest_key.pem \
--private_key_for_metadata_hash_signature unittest_key.pem \
--public_key unittest_key.pub.pem
- Rejects payloads where the metadata hash is signed by an untrusted
key and the payload is signed by a trusted key:
$ ./devserver.py --test_image \
--private_key unittest_key.pem \
--private_key_for_metadata_hash_signature unittest_key2.pem \
--public_key unittest_key.pub.pem
- Rejects payloads where the metadata hash is signed by a trusted key,
but the payload is signed by an untrusted key:
$ ./devserver.py --test_image \
--private_key unittest_key.pem \
--private_key_for_metadata_hash_signature unittest_key2.pem \
--public_key unittest_key2.pub.pem
BUG=chromium:264352
TEST=Unit tests pass + manual testing (see above.)
Change-Id: I4a0297549a61a559d074de4f2bf45b3c4012f58d
Reviewed-on: https://chromium-review.googlesource.com/175283
Commit-Queue: David Zeuthen <[email protected]>
Tested-by: David Zeuthen <[email protected]>
Reviewed-by: David Zeuthen <[email protected]>
diff --git a/devserver.py b/devserver.py
index 1971ee6..9094264 100755
--- a/devserver.py
+++ b/devserver.py
@@ -915,6 +915,16 @@
help='path to the private key in pem format. If this is set '
'the devserver will generate update payloads that are '
'signed with this key.')
+ group.add_option('--private_key_for_metadata_hash_signature',
+ metavar='PATH', default=None,
+ help='path to the private key in pem format. If this is set '
+ 'the devserver will sign the metadata hash with the given '
+ 'key and transmit in the Omaha-style XML response.')
+ group.add_option('--public_key',
+ metavar='PATH', default=None,
+ help='path to the public key in pem format. If this is set '
+ 'the devserver will transmit a base64 encoded version of '
+ 'the content in the Omaha-style XML response.')
group.add_option('--proxy_port',
metavar='PORT', default=None, type='int',
help='port to have the client connect to -- basically the '
@@ -1089,6 +1099,9 @@
board=options.board,
copy_to_static_root=not options.exit,
private_key=options.private_key,
+ private_key_for_metadata_hash_signature=
+ options.private_key_for_metadata_hash_signature,
+ public_key=options.public_key,
critical_update=options.critical_update,
remote_payload=options.remote_payload,
max_updates=options.max_updates,
