author | Michael Groover <mpgroover@google.com> | 2021-09-21 14:54:56 -0700 |
---|---|---|
committer | Michael Groover <mpgroover@google.com> | 2021-09-21 23:05:46 +0000 |
commit | 03c95f9f45ab4c3d952d7f7614b2785f263fd442 (patch) | |
tree | f31c5b8bfb5722da6091b03003d459c87d1914b5 | |
parent | 6ee679bee6cbb4d23ea3d9a1686a893a6d4ad8b0 (diff) | |
Preserve the ApkVerifier.Result lineage from the v3.1 block
Bug: 200723313
Test: gradlew test
Change-Id: I570fddb6cad076b4df0ffcc0342e426b74794a4f
3 files changed, 32 insertions, 2 deletions
diff --git a/src/main/java/com/android/apksig/ApkVerifier.java b/src/main/java/com/android/apksig/ApkVerifier.java
index d1014a3..6661e50 100644
--- a/src/main/java/com/android/apksig/ApkVerifier.java
+++ b/src/main/java/com/android/apksig/ApkVerifier.java
@@ -1267,7 +1267,10 @@ public class ApkVerifier {
 for (ApkSigningBlockUtils.Result.SignerInfo signer : source.signers) {
 mV3SchemeSigners.add(new V3SchemeSignerInfo(signer));
 }
- mSigningCertificateLineage = source.signingCertificateLineage;
+ // Do not overwrite a previously set lineage from a v3.1 signing block.
+ if (mSigningCertificateLineage == null) {
+ mSigningCertificateLineage = source.signingCertificateLineage;
+ }
 break;
 case ApkSigningBlockUtils.VERSION_APK_SIGNATURE_SCHEME_V31:
 mVerifiedUsingV31Scheme = source.verified;
diff --git a/src/test/java/com/android/apksig/ApkVerifierTest.java b/src/test/java/com/android/apksig/ApkVerifierTest.java
index 38cd84c..ac8061e 100644
--- a/src/test/java/com/android/apksig/ApkVerifierTest.java
+++ b/src/test/java/com/android/apksig/ApkVerifierTest.java
@@ -21,6 +21,7 @@ import static com.android.apksig.ApkSignerTest.SECOND_RSA_2048_SIGNER_RESOURCE_N
 import static com.android.apksig.ApkSignerTest.assertResultContainsSigners;
 import static com.android.apksig.ApkSignerTest.assertV31SignerTargetsMinApiLevel;
 import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
 import static org.junit.Assume.assumeNoException;
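Review bot: In ApkVerifier.java the new `if (mSigningCertificateLineage == null)` guard makes the reported lineage depend on the order in which scheme results are merged, and it discards a non-null v3.0 lineage without comparing it to the one already stored. The added comment covers only the case where the v3.0 lineage is null; when both blocks carry a lineage and they disagree, a caller basing a key-rotation trust decision on `getSigningCertificateLineage()` sees only the first one and gets no warning. The v3.1 case body and the merge order lie outside this hunk, so it is not visible here whether the stored lineage always comes from a block that verified. I would extend the comment to `// Relies on the v3.1 result being merged first; a differing v3.0 lineage is ignored.` and consider reporting a mismatch between the two as a verification issue.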
@@ -1441,6 +1442,19 @@ public class ApkVerifierTest {
 assertVerificationWarning(result, Issue.V31_ROTATION_TARGETS_DEV_RELEASE_ATTR_ON_V3_SIGNER);
 }
 
+ @Test
+ public void verifyV31_rotationTargets34_resultContainsExpectedLineage() throws Exception {
+ // During verification of the v3.1 and v3.0 signing blocks, ApkVerifier will set the
+ // signing certificate lineage in the Result object; this test verifies a null lineage from
+ // a v3.0 signer does not overwrite a valid lineage from a v3.1 signer.
+ ApkVerifier.Result result = verify("v31-rsa-2048_2-tgt-34-1-tgt-28.apk");
+
+ assertNotNull(result.getSigningCertificateLineage());
+ SigningCertificateLineageTest.assertLineageContainsExpectedSigners(
+ result.getSigningCertificateLineage(), FIRST_RSA_2048_SIGNER_RESOURCE_NAME,
+ SECOND_RSA_2048_SIGNER_RESOURCE_NAME);
+ }
+
 private ApkVerifier.Result verify(String apkFilenameInResources)
 throws IOException, ApkFormatException, NoSuchAlgorithmException {
 return verify(apkFilenameInResources, null, null);
diff --git a/src/test/java/com/android/apksig/SigningCertificateLineageTest.java b/src/test/java/com/android/apksig/SigningCertificateLineageTest.java
index 80b9641..07a48f1 100644
--- a/src/test/java/com/android/apksig/SigningCertificateLineageTest.java
+++ b/src/test/java/com/android/apksig/SigningCertificateLineageTest.java
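Review bot: The new test `verifyV31_rotationTargets34_resultContainsExpectedLineage` asserts the lineage contents but never checks the verification outcome, so it would still pass if the lineage were taken from a result that carries errors. If this APK is expected to verify, add `assertTrue(result.isVerified());` before the lineage assertions. The test also covers only the null-v3.0 case named in its comment; a fixture whose v3.0 and v3.1 blocks both carry a lineage would pin which one the Result reports.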
@@ -550,7 +550,20 @@ public class SigningCertificateLineageTest {
 return lineage.spawnDescendant(oldSignerConfig, newSignerConfig);
 }
 
- private void assertLineageContainsExpectedSigners(SigningCertificateLineage lineage,
+ /**
+ * Asserts the provided {@code lineage} contains the {@code expectedSigners} from the test's
+ * resources.
+ */
+ static void assertLineageContainsExpectedSigners(SigningCertificateLineage lineage,
+ String... expectedSigners) throws Exception {
+ List<SignerConfig> signers = new ArrayList<>();
+ for (String expectedSigner : expectedSigners) {
+ signers.add(getSignerConfigFromResources(expectedSigner));
+ }
+ assertLineageContainsExpectedSigners(lineage, signers);
+ }
+
+ private static void assertLineageContainsExpectedSigners(SigningCertificateLineage lineage,
 List<SignerConfig> signers) {
 assertEquals("The lineage does not contain the expected number of signers",
 signers.size(), lineage.size()); |
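Review bot: The Javadoc on the new varargs overload says the lineage "contains" the expected signers, but the match is exact: the private overload it delegates to begins with an `assertEquals` on `signers.size()` and `lineage.size()`, so a lineage with additional signers fails. I would word it as `Asserts the provided {@code lineage} consists of exactly the signers loaded from the {@code expectedSigners} resource names.` The private overload's body continues past the end of this hunk, so whether signer order is also checked is not visible here.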