[idsig] Use SignatureAlgorithmID from apkverify
This CL lets idsig uses the enum SignatureAlgorithmID from
apkverify instead of creating a duplicate enum.
Bug: 246254355
Test: libidsig.test libapkverify.integration_test
Change-Id: Id634e296f93018f15a8aa502c676706b7d52a7d2
diff --git a/libs/apkverify/src/algorithms.rs b/libs/apkverify/src/algorithms.rs
index edfa946..9e6c415 100644
--- a/libs/apkverify/src/algorithms.rs
+++ b/libs/apkverify/src/algorithms.rs
@@ -17,7 +17,7 @@
//! Algorithms used for APK Signature Scheme.
use anyhow::{ensure, Result};
-use num_derive::FromPrimitive;
+use num_derive::{FromPrimitive, ToPrimitive};
use openssl::hash::MessageDigest;
use openssl::pkey::{self, PKey};
use openssl::rsa::Padding;
@@ -25,23 +25,58 @@
use std::cmp::Ordering;
/// [Signature Algorithm IDs]: https://source.android.com/docs/security/apksigning/v2#signature-algorithm-ids
+/// [SignatureAlgorithm.java]: (tools/apksig/src/main/java/com/android/apksig/internal/apk/SignatureAlgorithm.java)
///
/// Some of the algorithms are not implemented. See b/197052981.
-#[derive(Clone, Debug, Eq, FromPrimitive)]
+#[derive(Clone, Debug, Eq, FromPrimitive, ToPrimitive)]
#[repr(u32)]
pub enum SignatureAlgorithmID {
+ /// RSASSA-PSS with SHA2-256 digest, SHA2-256 MGF1, 32 bytes of salt, trailer: 0xbc, content
+ /// digested using SHA2-256 in 1 MB chunks.
RsaPssWithSha256 = 0x0101,
+
+ /// RSASSA-PSS with SHA2-512 digest, SHA2-512 MGF1, 64 bytes of salt, trailer: 0xbc, content
+ /// digested using SHA2-512 in 1 MB chunks.
RsaPssWithSha512 = 0x0102,
+
+ /// RSASSA-PKCS1-v1_5 with SHA2-256 digest, content digested using SHA2-256 in 1 MB chunks.
RsaPkcs1V15WithSha256 = 0x0103,
+
+ /// RSASSA-PKCS1-v1_5 with SHA2-512 digest, content digested using SHA2-512 in 1 MB chunks.
RsaPkcs1V15WithSha512 = 0x0104,
+
+ /// ECDSA with SHA2-256 digest, content digested using SHA2-256 in 1 MB chunks.
EcdsaWithSha256 = 0x0201,
+
+ /// ECDSA with SHA2-512 digest, content digested using SHA2-512 in 1 MB chunks.
EcdsaWithSha512 = 0x0202,
+
+ /// DSA with SHA2-256 digest, content digested using SHA2-256 in 1 MB chunks.
+ /// Signing is done deterministically according to RFC 6979.
DsaWithSha256 = 0x0301,
+
+ /// RSASSA-PKCS1-v1_5 with SHA2-256 digest, content digested using SHA2-256 in 4 KB
+ /// chunks, in the same way fsverity operates. This digest and the content length
+ /// (before digestion, 8 bytes in little endian) construct the final digest.
VerityRsaPkcs1V15WithSha256 = 0x0421,
+
+ /// ECDSA with SHA2-256 digest, content digested using SHA2-256 in 4 KB chunks, in the
+ /// same way fsverity operates. This digest and the content length (before digestion,
+ /// 8 bytes in little endian) construct the final digest.
VerityEcdsaWithSha256 = 0x0423,
+
+ /// DSA with SHA2-256 digest, content digested using SHA2-256 in 4 KB chunks, in the
+ /// same way fsverity operates. This digest and the content length (before digestion,
+ /// 8 bytes in little endian) construct the final digest.
VerityDsaWithSha256 = 0x0425,
}
+impl Default for SignatureAlgorithmID {
+ fn default() -> Self {
+ SignatureAlgorithmID::DsaWithSha256
+ }
+}
+
impl Ord for SignatureAlgorithmID {
/// Ranks the signature algorithm according to the corresponding content
/// digest algorithm's rank.
diff --git a/libs/apkverify/src/lib.rs b/libs/apkverify/src/lib.rs
index 040c304..084a910 100644
--- a/libs/apkverify/src/lib.rs
+++ b/libs/apkverify/src/lib.rs
@@ -25,4 +25,5 @@
mod ziputil;
// TODO(b/197052981) fallback to v2 when v3 not found
+pub use algorithms::SignatureAlgorithmID;
pub use v3::{get_public_key_der, pick_v4_apk_digest, verify};
diff --git a/libs/idsig/src/apksigv4.rs b/libs/idsig/src/apksigv4.rs
index f8ca184..92f8963 100644
--- a/libs/idsig/src/apksigv4.rs
+++ b/libs/idsig/src/apksigv4.rs
@@ -15,7 +15,7 @@
*/
use anyhow::{anyhow, bail, Context, Result};
-use apkverify::pick_v4_apk_digest;
+use apkverify::{pick_v4_apk_digest, SignatureAlgorithmID};
use byteorder::{LittleEndian, ReadBytesExt, WriteBytesExt};
use num_derive::{FromPrimitive, ToPrimitive};
use num_traits::{FromPrimitive, ToPrimitive};
@@ -69,7 +69,7 @@
/// Public key of the signer in ASN.1 DER form. This must match the `x509_certificate` field.
pub public_key: Box<[u8]>,
/// Signature algorithm used to sign this file.
- pub signature_algorithm_id: SignatureAlgorithmId,
+ pub signature_algorithm_id: SignatureAlgorithmID,
/// The signature of this file.
pub signature: Box<[u8]>,
}
@@ -114,40 +114,6 @@
}
}
-/// Signature algorithm that can be used for idsig file
-#[derive(Debug, PartialEq, Eq, FromPrimitive, ToPrimitive)]
-#[allow(non_camel_case_types)]
-#[repr(u32)]
-pub enum SignatureAlgorithmId {
- /// RSASSA-PSS with SHA2-256 digest, SHA2-256 MGF1, 32 bytes of salt, trailer: 0xbc
- RSASSA_PSS_SHA2_256 = 0x0101,
- /// RSASSA-PSS with SHA2-512 digest, SHA2-512 MGF1, 64 bytes of salt, trailer: 0xbc
- RSASSA_PSS_SHA2_512 = 0x0102,
- /// RSASSA-PKCS1-v1_5 with SHA2-256 digest.
- RSASSA_PKCS1_SHA2_256 = 0x0103,
- /// RSASSA-PKCS1-v1_5 with SHA2-512 digest.
- RSASSA_PKCS1_SHA2_512 = 0x0104,
- /// ECDSA with SHA2-256 digest.
- ECDSA_SHA2_256 = 0x0201,
- /// ECDSA with SHA2-512 digest.
- ECDSA_SHA2_512 = 0x0202,
- /// DSA with SHA2-256 digest
- DSA_SHA2_256 = 0x0301,
-}
-
-impl SignatureAlgorithmId {
- fn from(val: u32) -> Result<SignatureAlgorithmId> {
- Self::from_u32(val)
- .with_context(|| format!("{:#06x} is an unsupported signature algorithm", val))
- }
-}
-
-impl Default for SignatureAlgorithmId {
- fn default() -> Self {
- SignatureAlgorithmId::DSA_SHA2_256
- }
-}
-
impl<R: Read + Seek> V4Signature<R> {
/// Consumes a stream for an idsig file into a `V4Signature` struct.
pub fn from(mut r: R) -> Result<V4Signature<R>> {
@@ -193,8 +159,11 @@
apk.seek(SeekFrom::Start(start))?;
let (signature_algorithm_id, apk_digest) = pick_v4_apk_digest(apk)?;
+ // TODO(b/246254355): Removes this conversion once pick_v4_apk_digest
+ // returns the enum SignatureAlgorithmID instead of raw integer.
ret.signing_info.signature_algorithm_id =
- SignatureAlgorithmId::from(signature_algorithm_id)?;
+ SignatureAlgorithmID::from_u32(signature_algorithm_id)
+ .context("Unsupported algorithm")?;
ret.signing_info.apk_digest = apk_digest;
// TODO(jiyong): add a signature to the signing_info struct
@@ -276,7 +245,8 @@
x509_certificate: read_sized_array(&mut r)?,
additional_data: read_sized_array(&mut r)?,
public_key: read_sized_array(&mut r)?,
- signature_algorithm_id: SignatureAlgorithmId::from(r.read_u32::<LittleEndian>()?)?,
+ signature_algorithm_id: SignatureAlgorithmID::from_u32(r.read_u32::<LittleEndian>()?)
+ .context("Unsupported signature algorithm")?,
signature: read_sized_array(&mut r)?,
})
}
@@ -358,7 +328,7 @@
a8585c38d7f654835eb219ae9e176b44e86dcb23153e3d9d6",
hexstring_from(si.signature.as_ref())
);
- assert_eq!(SignatureAlgorithmId::DSA_SHA2_256, si.signature_algorithm_id);
+ assert_eq!(SignatureAlgorithmID::DsaWithSha256, si.signature_algorithm_id);
assert_eq!(36864, parsed.merkle_tree_size);
assert_eq!(2251, parsed.merkle_tree_offset);