author | Xin Li <delphij@google.com> | 2021-08-14 06:31:11 +0000 |
---|---|---|
committer | Xin Li <delphij@google.com> | 2021-08-14 06:31:11 +0000 |
commit | f87eca1c750fe26a14780170f698bc64a3b916a0 (patch) | |
tree | a75503b811ea8492280210a66c9958891fc62663 | |
parent | 5adb7fead68cad1ca5977af90829c577d85ca1ab (diff) | |
parent | 7adce360a60dda02240fce4acdb099073885d866 (diff) | |
download | apksig-f87eca1c750fe26a14780170f698bc64a3b916a0.tar.gz |
Merge sc-dev-plus-aosp-without-vendor@7634622
Merged-In: Ibd5933cd1bd1b831e7eea5147eca3799faf0ad1a
Change-Id: I81da1fe802c2ce5be6058918e2d7cec2ec1a8890
9 files changed, 53 insertions, 10 deletions
diff --git a/src/apksigner/java/com/android/apksigner/ApkSignerTool.java b/src/apksigner/java/com/android/apksigner/ApkSignerTool.java index 6f239ba..9fd0c34 100644 --- a/src/apksigner/java/com/android/apksigner/ApkSignerTool.java +++ b/src/apksigner/java/com/android/apksigner/ApkSignerTool.java @@ -25,8 +25,6 @@ import com.android.apksig.apk.MinSdkVersionException; import com.android.apksig.util.DataSource; import com.android.apksig.util.DataSources; -import org.conscrypt.OpenSSLProvider; - import java.io.BufferedReader; import java.io.File; import java.io.IOException; @@ -80,7 +78,9 @@ public class ApkSignerTool { return; } + // BEGIN-AOSP addProviders(); + // END-AOSP String cmd = params[0]; try { @@ -113,18 +113,20 @@ public class ApkSignerTool { } } + // BEGIN-AOSP /** * Adds additional security providers to add support for signature algorithms not covered by * the default providers. */ private static void addProviders() { try { - Security.addProvider(new OpenSSLProvider()); + Security.addProvider(new org.conscrypt.OpenSSLProvider()); } catch (UnsatisfiedLinkError e) { // This is expected if the library path does not include the native conscrypt library; // the default providers support all but PSS algorithms. } } + // END-AOSP private static void sign(String[] params) throws Exception { if (params.length == 0) { diff --git a/src/main/java/com/android/apksig/SigningCertificateLineage.java b/src/main/java/com/android/apksig/SigningCertificateLineage.java index 767a1f6..6c505be 100644 --- a/src/main/java/com/android/apksig/SigningCertificateLineage.java +++ b/src/main/java/com/android/apksig/SigningCertificateLineage.java 
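Review bot: In ApkSignerTool.addProviders() the catch covers only UnsatisfiedLinkError, so if the Conscrypt classes themselves are absent (rather than just the native library) `new org.conscrypt.OpenSSLProvider()` would raise NoClassDefFoundError and abort the tool instead of falling back to the default providers. The BEGIN-AOSP/END-AOSP markers suggest the block is stripped where Conscrypt is not bundled, so this may be unreachable in practice. If the fallback is meant to hold there too, `} catch (UnsatisfiedLinkError | NoClassDefFoundError e) {` covers both cases. The fallback is also silent, so a user who selects a PSS algorithm only sees a later failure with no hint that the provider was never registered; a short diagnostic message next to the existing comment would make that traceable.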
@@ -124,6 +124,11 @@ public class SigningCertificateLineage { return signingCertificateLineage.spawnDescendant(parent, child, childCapabilities); } + public static SigningCertificateLineage readFromBytes(byte[] lineageBytes) + throws IOException { + return readFromDataSource(DataSources.asDataSource(ByteBuffer.wrap(lineageBytes))); + } + public static SigningCertificateLineage readFromFile(File file) throws IOException { if (file == null) { @@ -283,6 +288,10 @@ public class SigningCertificateLineage { return result; } + public byte[] getBytes() { + return write().array(); + } + public void writeToFile(File file) throws IOException { if (file == null) { throw new NullPointerException("file == null"); diff --git a/src/main/java/com/android/apksig/internal/apk/stamp/SourceStampVerifier.java b/src/main/java/com/android/apksig/internal/apk/stamp/SourceStampVerifier.java index b4ae71a..9cd7b1f 100644 --- a/src/main/java/com/android/apksig/internal/apk/stamp/SourceStampVerifier.java +++ b/src/main/java/com/android/apksig/internal/apk/stamp/SourceStampVerifier.java @@ -26,7 +26,6 @@ import com.android.apksig.internal.apk.ApkSignerInfo; import com.android.apksig.internal.apk.ApkSupportedSignature; import com.android.apksig.internal.apk.NoApkSupportedSignaturesException; import com.android.apksig.internal.apk.SignatureAlgorithm; -import com.android.apksig.internal.apk.v3.V3SigningCertificateLineage; import com.android.apksig.internal.util.ByteBufferUtils; import com.android.apksig.internal.util.GuaranteedEncodedFormX509Certificate; diff --git a/src/main/java/com/android/apksig/internal/apk/stamp/V2SourceStampVerifier.java b/src/main/java/com/android/apksig/internal/apk/stamp/V2SourceStampVerifier.java index 5ba3618..a215b98 100644 --- a/src/main/java/com/android/apksig/internal/apk/stamp/V2SourceStampVerifier.java +++ b/src/main/java/com/android/apksig/internal/apk/stamp/V2SourceStampVerifier.java 
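Review bot: SigningCertificateLineage.readFromBytes() is a new public entry point with no Javadoc and no argument check, while readFromFile() directly below it tests `file == null` first. A null array currently fails with an NPE raised inside `ByteBuffer.wrap`; adding `if (lineageBytes == null) { throw new NullPointerException("lineageBytes == null"); }` keeps the two readers consistent. The Javadoc should say that the array must hold a serialized lineage in the same format writeToFile()/getBytes() produce. The exceptions for malformed input come from readFromDataSource, which is outside this hunk, so the `@throws` wording needs checking against it.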
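Review bot: `write().array()` in SigningCertificateLineage.getBytes() returns the buffer's whole backing array and ignores position, limit and arrayOffset, so the result is only right if write() always returns a writable heap buffer allocated to exactly the encoded size. write() is outside this hunk, so that invariant needs confirming. If the buffer is ever over-allocated or a slice, callers get trailing or leading bytes that are not part of the lineage, and a read-only or direct buffer makes `array()` throw. At minimum add a comment such as `// write() allocates a heap buffer of exactly the encoded length, so array() is the full encoding`. Once it is confirmed that write() returns the buffer positioned at the start of the data, copying `remaining()` bytes into a fresh `byte[]` would be the more robust form.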
@@ -148,7 +148,12 @@ public abstract class V2SourceStampVerifier { apkContentDigests.entrySet()) { digests.add(Pair.of(apkContentDigest.getKey().getId(), apkContentDigest.getValue())); } - Collections.sort(digests, Comparator.comparing(Pair::getFirst)); + Collections.sort(digests, new Comparator<Pair<Integer, byte[]>>() { + @Override + public int compare(Pair<Integer, byte[]> pair1, Pair<Integer, byte[]> pair2) { + return pair1.getFirst() - pair2.getFirst(); + } + }); return digests; } } diff --git a/src/main/java/com/android/apksig/internal/apk/v4/V4SchemeSigner.java b/src/main/java/com/android/apksig/internal/apk/v4/V4SchemeSigner.java index 0a8b7ee..74aa629 100644 --- a/src/main/java/com/android/apksig/internal/apk/v4/V4SchemeSigner.java +++ b/src/main/java/com/android/apksig/internal/apk/v4/V4SchemeSigner.java @@ -171,7 +171,7 @@ public abstract class V4SchemeSigner { final V4Signature.SigningInfo signingInfoNoSignature = new V4Signature.SigningInfo(apkDigest, encodedCertificate, additionaData, publicKey.getEncoded(), -1, null); - final byte[] data = V4Signature.getSigningData(fileSize, hashingInfo, + final byte[] data = V4Signature.getSignedData(fileSize, hashingInfo, signingInfoNoSignature); // Signing. @@ -314,8 +314,6 @@ public abstract class V4SchemeSigner { return bestDigest; } - // Use the same order as in the ApkSignatureSchemeV3Verifier to make sure the digest - // verification in framework works. public static int digestAlgorithmSortingOrder(ContentDigestAlgorithm contentDigestAlgorithm) { switch (contentDigestAlgorithm) { case CHUNKED_SHA256: diff --git a/src/main/java/com/android/apksig/internal/apk/v4/V4SchemeVerifier.java b/src/main/java/com/android/apksig/internal/apk/v4/V4SchemeVerifier.java index 0a8484b..a6cd9db 100644 --- a/src/main/java/com/android/apksig/internal/apk/v4/V4SchemeVerifier.java +++ b/src/main/java/com/android/apksig/internal/apk/v4/V4SchemeVerifier.java 
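Review bot: The new comparator in V2SourceStampVerifier returns `pair1.getFirst() - pair2.getFirst()`, which overflows when the operands have opposite signs and large magnitude and then reports the wrong order. The keys come from `apkContentDigest.getKey().getId()`, presumably small algorithm ids, so it is unlikely to misorder today, but the sorted list is what the source-stamp digest check consumes and the subtraction idiom tends to get copied. `return Integer.compare(pair1.getFirst(), pair2.getFirst());` gives the same order for small ids and cannot overflow. It is a Java 7 API, so it should not reintroduce whatever made `Comparator.comparing` unusable here. The enclosing method starts outside the hunk.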
@@ -93,7 +93,7 @@ public abstract class V4SchemeVerifier { V4Signature.SigningInfo signingInfo = V4Signature.SigningInfo.fromByteArray( signature.signingInfo); - final byte[] signedData = V4Signature.getSigningData(apk.size(), hashingInfo, signingInfo); + final byte[] signedData = V4Signature.getSignedData(apk.size(), hashingInfo, signingInfo); // First, verify the signature over signedData. ApkSigningBlockUtils.Result.SignerInfo signerInfo = parseAndVerifySignatureBlock( diff --git a/src/main/java/com/android/apksig/internal/apk/v4/V4Signature.java b/src/main/java/com/android/apksig/internal/apk/v4/V4Signature.java index e36ed60..deabe12 100644 --- a/src/main/java/com/android/apksig/internal/apk/v4/V4Signature.java +++ b/src/main/java/com/android/apksig/internal/apk/v4/V4Signature.java @@ -134,7 +134,7 @@ public class V4Signature { writeBytes(stream, this.signingInfo); } - static byte[] getSigningData(long fileSize, HashingInfo hashingInfo, SigningInfo signingInfo) { + static byte[] getSignedData(long fileSize, HashingInfo hashingInfo, SigningInfo signingInfo) { final int size = 4/*size*/ + 8/*fileSize*/ + 4/*hash_algorithm*/ + 1/*log2_blocksize*/ + bytesSize( hashingInfo.salt) + bytesSize(hashingInfo.rawRootHash) + bytesSize( diff --git a/src/main/java/com/android/apksig/internal/util/DelegatingX509Certificate.java b/src/main/java/com/android/apksig/internal/util/DelegatingX509Certificate.java index 8f9e1fd..2a890f6 100644 --- a/src/main/java/com/android/apksig/internal/util/DelegatingX509Certificate.java +++ b/src/main/java/com/android/apksig/internal/util/DelegatingX509Certificate.java @@ -34,6 +34,7 @@ import java.util.Collection; import java.util.Date; import java.util.List; import java.util.Set; + import javax.security.auth.x500.X500Principal; /** 
@@ -210,6 +211,7 @@ public class DelegatingX509Certificate extends X509Certificate { } @Override + @SuppressWarnings("AndroidJdkLibsChecker") public void verify(PublicKey key, Provider sigProvider) throws CertificateException, NoSuchAlgorithmException, InvalidKeyException, SignatureException { mDelegate.verify(key, sigProvider); diff --git a/src/test/java/com/android/apksig/SigningCertificateLineageTest.java b/src/test/java/com/android/apksig/SigningCertificateLineageTest.java index 14cab83..d5dc71d 100644 --- a/src/test/java/com/android/apksig/SigningCertificateLineageTest.java +++ b/src/test/java/com/android/apksig/SigningCertificateLineageTest.java @@ -90,6 +90,23 @@ public class SigningCertificateLineageTest { } @Test + public void testLineageFromBytesContainsExpectedSigners() throws Exception { + // This file contains the lineage with the three rsa-2048 signers + DataSource lineageDataSource = Resources.toDataSource(getClass(), + "rsa-2048-lineage-3-signers"); + SigningCertificateLineage lineage = SigningCertificateLineage.readFromBytes( + lineageDataSource.getByteBuffer(0, (int) lineageDataSource.size()).array()); + List<SignerConfig> signers = new ArrayList<>(3); + signers.add( + Resources.toLineageSignerConfig(getClass(), FIRST_RSA_2048_SIGNER_RESOURCE_NAME)); + signers.add( + Resources.toLineageSignerConfig(getClass(), SECOND_RSA_2048_SIGNER_RESOURCE_NAME)); + signers.add( + Resources.toLineageSignerConfig(getClass(), THIRD_RSA_2048_SIGNER_RESOURCE_NAME)); + assertLineageContainsExpectedSigners(lineage, signers); + } + + @Test public void testLineageFromFileContainsExpectedSigners() throws Exception { // This file contains the lineage with the three rsa-2048 signers DataSource lineageDataSource = Resources.toDataSource(getClass(), 
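Review bot: The `@SuppressWarnings("AndroidJdkLibsChecker")` added to DelegatingX509Certificate.verify(PublicKey, Provider) carries no comment saying why the check is safe to silence on a signature-verification method. A one-line rationale above the annotation would stop a later reader from widening or removing it blindly, for example `// Overrides the JDK overload purely to delegate; apksig itself does not call it on Android` (wording to be confirmed by the author, since the actual reason is not visible in this hunk).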
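Review bot: The tests added to SigningCertificateLineageTest for readFromBytes()/getBytes() (this hunk and the following one) exercise only well-formed lineages, although readFromBytes() accepts an arbitrary caller-supplied array. A negative case would pin the failure mode: pass an empty array and a truncated copy of `rsa-2048-lineage-3-signers`, and assert that parsing is rejected with the exception readFromDataSource defines for malformed input, rather than returning a partial lineage. Separately, `lineageDataSource.getByteBuffer(0, (int) lineageDataSource.size()).array()` assumes the returned buffer's backing array is exactly the requested range. Copying `remaining()` bytes out of the buffer would keep the test independent of how Resources.toDataSource allocates.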
@@ -131,6 +148,17 @@ public class SigningCertificateLineageTest { } @Test + public void testLineageWrittenToBytesContainsExpectedSigners() throws Exception { + SigningCertificateLineage lineage = createLineageWithSignersFromResources( + FIRST_RSA_2048_SIGNER_RESOURCE_NAME, SECOND_RSA_2048_SIGNER_RESOURCE_NAME); + lineage = updateLineageWithSignerFromResources(lineage, + THIRD_RSA_2048_SIGNER_RESOURCE_NAME); + byte[] lineageBytes = lineage.getBytes(); + lineage = SigningCertificateLineage.readFromBytes(lineageBytes); + assertLineageContainsExpectedSigners(lineage, mSigners); + } + + @Test public void testLineageWrittenToFileContainsExpectedSigners() throws Exception { SigningCertificateLineage lineage = createLineageWithSignersFromResources( FIRST_RSA_2048_SIGNER_RESOURCE_NAME, SECOND_RSA_2048_SIGNER_RESOURCE_NAME); |