Fix the string encoding issues with logging the signature
The signature should be logged _before_ it is decoded from its Base64
encoding, so that it can be compared directly with what is published on gstatic.
Bug: 391327942
Bug: 378626065
Flag: com.android.net.ct.flags.certificate_transparency_service
Test: atest NetworkSecurityUnitTests
Change-Id: Ibde2d4f45b998f764e2cb8d0772a0536ff763a4a
diff --git a/networksecurity/service/src/com/android/server/net/ct/SignatureVerifier.java b/networksecurity/service/src/com/android/server/net/ct/SignatureVerifier.java
index 3ba56db..6040ef6 100644
--- a/networksecurity/service/src/com/android/server/net/ct/SignatureVerifier.java
+++ b/networksecurity/service/src/com/android/server/net/ct/SignatureVerifier.java
@@ -32,7 +32,6 @@
import java.io.IOException;
import java.io.InputStream;
-import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.KeyFactory;
@@ -105,9 +104,9 @@
verifier.update(fileStream.readAllBytes());
byte[] signatureBytes = signatureStream.readAllBytes();
+ statusBuilder.setSignature(new String(signatureBytes));
try {
byte[] decodedSigBytes = Base64.getDecoder().decode(signatureBytes);
- statusBuilder.setSignature(new String(decodedSigBytes, StandardCharsets.UTF_8));
if (!verifier.verify(decodedSigBytes)) {
// Leave the UpdateState as UNKNOWN_STATE if successful as there are other
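Review bot: The added `new String(signatureBytes)` decodes with the platform default charset, so the logged value matches the published Base64 text only while that default is ASCII-compatible. Naming the charset makes it deterministic: `statusBuilder.setSignature(new String(signatureBytes, StandardCharsets.UTF_8));`, which means keeping the `java.nio.charset.StandardCharsets` import that the first hunk removes. The value is also recorded before the Base64 check now, so on the invalid-encoding path the status carries whatever bytes the download delivered. A comment such as `// Raw, not-yet-validated Base64 text as downloaded; logged so it can be compared with the published signature.` would tell readers of the metric not to treat it as verified. The test hunks repeat the default-charset pattern in `new String(toByteArray(metadataFile))` and `getBytes()`. The enclosing method starts and ends outside this hunk.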
@@ -116,7 +115,6 @@
}
} catch (IllegalArgumentException e) {
Log.w(TAG, "Invalid signature base64 encoding", e);
- statusBuilder.setSignature(new String(signatureBytes, StandardCharsets.UTF_8));
statusBuilder.setState(SIGNATURE_INVALID);
return statusBuilder.build();
}
diff --git a/networksecurity/tests/unit/src/com/android/server/net/ct/CertificateTransparencyDownloaderTest.java b/networksecurity/tests/unit/src/com/android/server/net/ct/CertificateTransparencyDownloaderTest.java
index 5443298..2af0122 100644
--- a/networksecurity/tests/unit/src/com/android/server/net/ct/CertificateTransparencyDownloaderTest.java
+++ b/networksecurity/tests/unit/src/com/android/server/net/ct/CertificateTransparencyDownloaderTest.java
@@ -24,8 +24,6 @@
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.when;
-import static java.nio.charset.StandardCharsets.UTF_8;
-
import android.app.DownloadManager;
import android.app.DownloadManager.Query;
import android.app.DownloadManager.Request;
@@ -56,7 +54,6 @@
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
-import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
@@ -399,14 +396,12 @@
mContext, makeContentDownloadCompleteIntent(mCompatVersion, logListFile));
// Assert
- byte[] signatureBytes = Base64.getDecoder().decode(toByteArray(metadataFile));
verify(mLogger, times(1))
.logCTLogListUpdateStateChangedEvent(mUpdateStatusCaptor.capture());
LogListUpdateStatus statusValue = mUpdateStatusCaptor.getValue();
assertThat(statusValue.state())
.isEqualTo(CTLogListUpdateState.SIGNATURE_VERIFICATION_FAILED);
- assertThat(statusValue.signature())
- .isEqualTo(new String(signatureBytes, StandardCharsets.UTF_8));
+ assertThat(statusValue.signature()).isEqualTo(new String(toByteArray(metadataFile)));
}
@Test
@@ -423,13 +418,11 @@
mCertificateTransparencyDownloader.onReceive(
mContext, makeContentDownloadCompleteIntent(mCompatVersion, invalidLogListFile));
- byte[] signatureBytes = Base64.getDecoder().decode(toByteArray(metadataFile));
verify(mLogger, times(1))
.logCTLogListUpdateStateChangedEvent(mUpdateStatusCaptor.capture());
LogListUpdateStatus statusValue = mUpdateStatusCaptor.getValue();
assertThat(statusValue.state()).isEqualTo(CTLogListUpdateState.LOG_LIST_INVALID);
- assertThat(statusValue.signature())
- .isEqualTo(new String(signatureBytes, StandardCharsets.UTF_8));
+ assertThat(statusValue.signature()).isEqualTo(new String(toByteArray(metadataFile)));
}
@Test
@@ -501,11 +494,7 @@
LogListUpdateStatus statusValue = mUpdateStatusCaptor.getValue();
assertThat(statusValue.state()).isEqualTo(CTLogListUpdateState.SUCCESS);
- assertThat(statusValue.signature())
- .isEqualTo(
- new String(
- Base64.getDecoder().decode(toByteArray(metadataFile)),
- StandardCharsets.UTF_8));
+ assertThat(statusValue.signature()).isEqualTo(new String(toByteArray(metadataFile)));
assertThat(statusValue.logListTimestamp()).isEqualTo(LOG_LIST_TIMESTAMP);
}
@@ -619,7 +608,7 @@
new JSONObject()
.put("version", version)
.put("log_list_timestamp", LOG_LIST_TIMESTAMP);
- outputStream.write(contentJson.toString().getBytes(UTF_8));
+ outputStream.write(contentJson.toString().getBytes());
}
return logListFile;