authorMichael Groover <mpgroover@google.com>2021-09-21 14:54:56 -0700
committerMichael Groover <mpgroover@google.com>2021-09-21 23:05:46 +0000
commit03c95f9f45ab4c3d952d7f7614b2785f263fd442 (patch)
treef31c5b8bfb5722da6091b03003d459c87d1914b5
parent6ee679bee6cbb4d23ea3d9a1686a893a6d4ad8b0 (diff)
downloadapksig-03c95f9f45ab4c3d952d7f7614b2785f263fd442.tar.gz
Preserve the ApkVerifier.Result lineage from the v3.1 block
Bug: 200723313 Test: gradlew test Change-Id: I570fddb6cad076b4df0ffcc0342e426b74794a4f
-rw-r--r--src/main/java/com/android/apksig/ApkVerifier.java5
-rw-r--r--src/test/java/com/android/apksig/ApkVerifierTest.java14
-rw-r--r--src/test/java/com/android/apksig/SigningCertificateLineageTest.java15
3 files changed, 32 insertions, 2 deletions
diff --git a/src/main/java/com/android/apksig/ApkVerifier.java b/src/main/java/com/android/apksig/ApkVerifier.java
index d1014a3..6661e50 100644
--- a/src/main/java/com/android/apksig/ApkVerifier.java
+++ b/src/main/java/com/android/apksig/ApkVerifier.java
@@ -1267,7 +1267,10 @@ public class ApkVerifier {
for (ApkSigningBlockUtils.Result.SignerInfo signer : source.signers) {
mV3SchemeSigners.add(new V3SchemeSignerInfo(signer));
}
- mSigningCertificateLineage = source.signingCertificateLineage;
+ // Do not overwrite a previously set lineage from a v3.1 signing block.
+ if (mSigningCertificateLineage == null) {
+ mSigningCertificateLineage = source.signingCertificateLineage;
+ }
break;
case ApkSigningBlockUtils.VERSION_APK_SIGNATURE_SCHEME_V31:
mVerifiedUsingV31Scheme = source.verified;
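Review bot: The `if (mSigningCertificateLineage == null)` guard keys on whether the field happens to be set, not on which scheme set it, so a non-null v3.0 lineage is now dropped without being compared to the one already stored. Whether the v3.1 lineage always wins depends on the merge order and on how the `VERSION_APK_SIGNATURE_SCHEME_V31` case assigns the field, and that case's body lies outside this hunk. The comment should state the assumption, for example `// v3.1 results take precedence; a v3.0 lineage is only a fallback when no lineage has been set yet.` Since the lineage is the proof-of-rotation record for the signing keys, consider reporting an issue when both blocks supply lineages that differ, rather than silently keeping the first. The enclosing switch starts and ends outside the hunk.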
diff --git a/src/test/java/com/android/apksig/ApkVerifierTest.java b/src/test/java/com/android/apksig/ApkVerifierTest.java
index 38cd84c..ac8061e 100644
--- a/src/test/java/com/android/apksig/ApkVerifierTest.java
+++ b/src/test/java/com/android/apksig/ApkVerifierTest.java
@@ -21,6 +21,7 @@ import static com.android.apksig.ApkSignerTest.SECOND_RSA_2048_SIGNER_RESOURCE_N
import static com.android.apksig.ApkSignerTest.assertResultContainsSigners;
import static com.android.apksig.ApkSignerTest.assertV31SignerTargetsMinApiLevel;
import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
import static org.junit.Assume.assumeNoException;
@@ -1441,6 +1442,19 @@ public class ApkVerifierTest {
assertVerificationWarning(result, Issue.V31_ROTATION_TARGETS_DEV_RELEASE_ATTR_ON_V3_SIGNER);
}
+ @Test
+ public void verifyV31_rotationTargets34_resultContainsExpectedLineage() throws Exception {
+ // During verification of the v3.1 and v3.0 signing blocks, ApkVerifier will set the
+ // signing certificate lineage in the Result object; this test verifies a null lineage from
+ // a v3.0 signer does not overwrite a valid lineage from a v3.1 signer.
+ ApkVerifier.Result result = verify("v31-rsa-2048_2-tgt-34-1-tgt-28.apk");
+
+ assertNotNull(result.getSigningCertificateLineage());
+ SigningCertificateLineageTest.assertLineageContainsExpectedSigners(
+ result.getSigningCertificateLineage(), FIRST_RSA_2048_SIGNER_RESOURCE_NAME,
+ SECOND_RSA_2048_SIGNER_RESOURCE_NAME);
+ }
+
private ApkVerifier.Result verify(String apkFilenameInResources)
throws IOException, ApkFormatException, NoSuchAlgorithmException {
return verify(apkFilenameInResources, null, null);
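Review bot: `verifyV31_rotationTargets34_resultContainsExpectedLineage` pins only the case its comment describes, a null v3.0 lineage arriving after a valid v3.1 one. The guard in ApkVerifier also skips a non-null v3.0 lineage, and nothing here shows which lineage is reported when both blocks carry one. A second case using an APK whose v3.0 block has its own lineage would document that precedence and catch a regression if the merge order changes. It would also help to assert `result.isVerified()` (or the v3.1 equivalent) first, so a lineage is never checked on a result that failed verification.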
diff --git a/src/test/java/com/android/apksig/SigningCertificateLineageTest.java b/src/test/java/com/android/apksig/SigningCertificateLineageTest.java
index 80b9641..07a48f1 100644
--- a/src/test/java/com/android/apksig/SigningCertificateLineageTest.java
+++ b/src/test/java/com/android/apksig/SigningCertificateLineageTest.java
@@ -550,7 +550,20 @@ public class SigningCertificateLineageTest {
return lineage.spawnDescendant(oldSignerConfig, newSignerConfig);
}
- private void assertLineageContainsExpectedSigners(SigningCertificateLineage lineage,
+ /**
+ * Asserts the provided {@code lineage} contains the {@code expectedSigners} from the test's
+ * resources.
+ */
+ static void assertLineageContainsExpectedSigners(SigningCertificateLineage lineage,
+ String... expectedSigners) throws Exception {
+ List<SignerConfig> signers = new ArrayList<>();
+ for (String expectedSigner : expectedSigners) {
+ signers.add(getSignerConfigFromResources(expectedSigner));
+ }
+ assertLineageContainsExpectedSigners(lineage, signers);
+ }
+
+ private static void assertLineageContainsExpectedSigners(SigningCertificateLineage lineage,
List<SignerConfig> signers) {
assertEquals("The lineage does not contain the expected number of signers",
signers.size(), lineage.size());
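Review bot: The new Javadoc on the varargs `assertLineageContainsExpectedSigners` says the lineage "contains" the expected signers, but the `List<SignerConfig>` overload it delegates to asserts `signers.size()` equals `lineage.size()`, so the check is for an exact match. Suggested wording: `Asserts the provided {@code lineage} consists of exactly the signers loaded from the test resources named by {@code expectedSigners}.` If the rest of the List overload (outside this hunk) also checks order, the Javadoc should say that too. The helper is now called from ApkVerifierTest, so a shared test utility may be a better home than a package-private static on another test class.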