Use cert hash not public key for APK authority
Previously we were using the public key of an APK as the input to the
authority hash for the VM, and as the authority hash in its
Subcomponent - as we do for an APEX.
Instead, use a hash of the certificate. Android has always required
the certificate to be consistent over versions of an APK, not just the
public key, and a hash of the certificate (with the package name) is
widely used to uniquely identify an APK.
This triggered slightly more refactoring than was perhaps strictly
necessary. I didn't want libapkverify to force a choice of what the
relevant data was; instead we return the SignedData and let the client
request what they want.
I removed the RootHash typdef, as it seemed to me it was hiding
information rather than making it clear.
Bug: 305925597
Test: atest libapkverify.test libapkverify.integration_test
Test: atest microdroid_manager_test
Test: atest MicrodroidTests
Change-Id: I7669fc468802d25a422e81d344e6655df5b0e636
diff --git a/libs/apkverify/Android.bp b/libs/apkverify/Android.bp
index 1c18d2d..4c5a622 100644
--- a/libs/apkverify/Android.bp
+++ b/libs/apkverify/Android.bp
@@ -48,10 +48,12 @@
test_suites: ["general-tests"],
rustlibs: [
"libandroid_logger",
+ "libanyhow",
"libapkverify",
"libapkzip",
"libbyteorder",
"liblog_rust",
+ "libopenssl",
"libzip",
],
data: ["tests/data/*"],
diff --git a/libs/apkverify/src/lib.rs b/libs/apkverify/src/lib.rs
index 6af8122..1f3c74f 100644
--- a/libs/apkverify/src/lib.rs
+++ b/libs/apkverify/src/lib.rs
@@ -26,5 +26,5 @@
mod v4;
pub use algorithms::{HashAlgorithm, SignatureAlgorithmID};
-pub use v3::{get_public_key_der, verify};
+pub use v3::{extract_signed_data, verify, SignedData};
pub use v4::{get_apk_digest, V4Signature};
diff --git a/libs/apkverify/src/v3.rs b/libs/apkverify/src/v3.rs
index 8a8ad73..88644c7 100644
--- a/libs/apkverify/src/v3.rs
+++ b/libs/apkverify/src/v3.rs
@@ -44,13 +44,9 @@
public_key: PKey<pkey::Public>,
}
-impl Signer {
- fn sdk_range(&self) -> RangeInclusive<u32> {
- self.min_sdk..=self.max_sdk
- }
-}
-
-struct SignedData {
+/// Contains the signed data part of an APK v3 signature.
+#[derive(Debug)]
+pub struct SignedData {
digests: LengthPrefixed<Vec<LengthPrefixed<Digest>>>,
certificates: LengthPrefixed<Vec<LengthPrefixed<X509Certificate>>>,
min_sdk: u32,
@@ -59,20 +55,6 @@
additional_attributes: LengthPrefixed<Vec<LengthPrefixed<AdditionalAttributes>>>,
}
-impl SignedData {
- fn sdk_range(&self) -> RangeInclusive<u32> {
- self.min_sdk..=self.max_sdk
- }
-
- fn find_digest_by_algorithm(&self, algorithm_id: SignatureAlgorithmID) -> Result<&Digest> {
- Ok(self
- .digests
- .iter()
- .find(|&dig| dig.signature_algorithm_id == Some(algorithm_id))
- .context(format!("Digest not found for algorithm: {:?}", algorithm_id))?)
- }
-}
-
#[derive(Debug)]
pub(crate) struct Signature {
/// Option is used here to allow us to ignore unsupported algorithm.
@@ -80,6 +62,7 @@
signature: LengthPrefixed<Bytes>,
}
+#[derive(Debug)]
struct Digest {
signature_algorithm_id: Option<SignatureAlgorithmID>,
digest: LengthPrefixed<Bytes>,
@@ -88,19 +71,19 @@
type X509Certificate = Bytes;
type AdditionalAttributes = Bytes;
-/// Verifies APK Signature Scheme v3 signatures of the provided APK and returns the public key
-/// associated with the signer in DER format.
-pub fn verify<P: AsRef<Path>>(apk_path: P, current_sdk: u32) -> Result<Box<[u8]>> {
+/// Verifies APK Signature Scheme v3 signatures of the provided APK and returns the SignedData from
+/// the signature.
+pub fn verify<P: AsRef<Path>>(apk_path: P, current_sdk: u32) -> Result<SignedData> {
let apk = File::open(apk_path.as_ref())?;
let (signer, mut sections) = extract_signer_and_apk_sections(apk, current_sdk)?;
signer.verify(&mut sections)
}
-/// Gets the public key (in DER format) that was used to sign the given APK/APEX file
-pub fn get_public_key_der<P: AsRef<Path>>(apk_path: P, current_sdk: u32) -> Result<Box<[u8]>> {
+/// Extracts the SignedData from the signature of the given APK. (The signature is not verified.)
+pub fn extract_signed_data<P: AsRef<Path>>(apk_path: P, current_sdk: u32) -> Result<SignedData> {
let apk = File::open(apk_path.as_ref())?;
let (signer, _) = extract_signer_and_apk_sections(apk, current_sdk)?;
- Ok(signer.public_key.public_key_to_der()?.into_boxed_slice())
+ signer.parse_signed_data()
}
pub(crate) fn extract_signer_and_apk_sections<R: Read + Seek>(
@@ -123,6 +106,10 @@
}
impl Signer {
+ fn sdk_range(&self) -> RangeInclusive<u32> {
+ self.min_sdk..=self.max_sdk
+ }
+
/// Selects the signature that has the strongest supported `SignatureAlgorithmID`.
/// The strongest signature is used in both v3 verification and v4 apk digest computation.
pub(crate) fn strongest_signature(&self) -> Result<&Signature> {
@@ -143,27 +130,33 @@
Ok(digest.digest.as_ref().to_vec().into_boxed_slice())
}
- /// Verifies the strongest signature from signatures against signed data using public key.
- /// Returns the verified signed data.
- fn verify_signature(&self, strongest: &Signature) -> Result<SignedData> {
- let mut verifier = strongest
+ /// Verifies a signature over the signed data using the public key.
+ fn verify_signature(&self, signature: &Signature) -> Result<()> {
+ let mut verifier = signature
.signature_algorithm_id
.context("Unsupported algorithm")?
.new_verifier(&self.public_key)?;
verifier.update(&self.signed_data)?;
- ensure!(verifier.verify(&strongest.signature)?, "Signature is invalid.");
- // It is now safe to parse signed data.
+ ensure!(verifier.verify(&signature.signature)?, "Signature is invalid.");
+ Ok(())
+ }
+
+ /// Returns the signed data, converted from bytes.
+ fn parse_signed_data(&self) -> Result<SignedData> {
self.signed_data.slice(..).read()
}
/// The steps in this method implements APK Signature Scheme v3 verification step 3.
- fn verify<R: Read + Seek>(&self, sections: &mut ApkSections<R>) -> Result<Box<[u8]>> {
+ fn verify<R: Read + Seek>(&self, sections: &mut ApkSections<R>) -> Result<SignedData> {
// 1. Choose the strongest supported signature algorithm ID from signatures.
let strongest = self.strongest_signature()?;
// 2. Verify the corresponding signature from signatures against signed data using public
// key.
- let verified_signed_data = self.verify_signature(strongest)?;
+ self.verify_signature(strongest)?;
+
+ // It is now safe to parse signed data.
+ let verified_signed_data = self.parse_signed_data()?;
// 3. Verify the min and max SDK versions in the signed data match those specified for the
// signer.
@@ -199,8 +192,7 @@
// 7. Verify that public key of the first certificate of certificates is identical to public
// key.
- let cert = verified_signed_data.certificates.first().context("No certificates listed")?;
- let cert = X509::from_der(cert.as_ref())?;
+ let cert = X509::from_der(verified_signed_data.first_certificate_der()?)?;
ensure!(
cert.public_key()?.public_eq(&self.public_key),
"Public key mismatch between certificate and signature record"
@@ -209,7 +201,29 @@
// TODO(b/245914104)
// 8. If the proof-of-rotation attribute exists for the signer verify that the
// struct is valid and this signer is the last certificate in the list.
- Ok(self.public_key.public_key_to_der()?.into_boxed_slice())
+
+ Ok(verified_signed_data)
+ }
+}
+
+impl SignedData {
+ /// Returns the first X.509 certificate in the signed data, encoded in DER form. (All other
+ /// certificates are ignored for v3; this certificate describes the public key that was actually
+ /// used to sign the APK.)
+ pub fn first_certificate_der(&self) -> Result<&[u8]> {
+ Ok(self.certificates.first().context("No certificates listed")?)
+ }
+
+ fn sdk_range(&self) -> RangeInclusive<u32> {
+ self.min_sdk..=self.max_sdk
+ }
+
+ fn find_digest_by_algorithm(&self, algorithm_id: SignatureAlgorithmID) -> Result<&Digest> {
+ Ok(self
+ .digests
+ .iter()
+ .find(|&dig| dig.signature_algorithm_id == Some(algorithm_id))
+ .context(format!("Digest not found for algorithm: {:?}", algorithm_id))?)
}
}
diff --git a/libs/apkverify/tests/apkverify_test.rs b/libs/apkverify/tests/apkverify_test.rs
index 0d8e020..441b708 100644
--- a/libs/apkverify/tests/apkverify_test.rs
+++ b/libs/apkverify/tests/apkverify_test.rs
@@ -14,12 +14,14 @@
* limitations under the License.
*/
+use anyhow::Result;
use apkverify::{
- get_apk_digest, get_public_key_der, testing::assert_contains, verify, SignatureAlgorithmID,
+ extract_signed_data, get_apk_digest, testing::assert_contains, verify, SignatureAlgorithmID,
};
use apkzip::zip_sections;
use byteorder::{LittleEndian, ReadBytesExt};
use log::info;
+use openssl::x509::X509;
use std::fmt::Write;
use std::io::{Seek, SeekFrom};
use std::{fs, matches, path::Path};
@@ -286,22 +288,30 @@
/// * public key extracted from apk without verification
/// * expected public key from the corresponding .der file
fn validate_apk_public_key<P: AsRef<Path>>(apk_path: P) {
- let public_key_from_verification = verify(&apk_path, SDK_INT);
- let public_key_from_verification =
- public_key_from_verification.expect("Error in verification result");
+ let signed_data_from_verification =
+ verify(&apk_path, SDK_INT).expect("Error in verification result");
+ let cert_from_verification = signed_data_from_verification.first_certificate_der().unwrap();
+ let public_key_from_verification = public_key_der_from_cert(cert_from_verification).unwrap();
let expected_public_key_path = format!("{}.der", apk_path.as_ref().to_str().unwrap());
assert_bytes_eq_to_data_in_file(&public_key_from_verification, expected_public_key_path);
- let public_key_from_apk = get_public_key_der(&apk_path, SDK_INT);
- let public_key_from_apk =
- public_key_from_apk.expect("Error when extracting public key from apk");
+ let signed_data_from_apk = extract_signed_data(&apk_path, SDK_INT)
+ .expect("Error when extracting signed data from apk");
+ let cert_from_apk = signed_data_from_apk.first_certificate_der().unwrap();
+ // If the two certficiates are byte for byte identical (which they should be), then so are
+ // the public keys embedded in them.
assert_eq!(
- public_key_from_verification, public_key_from_apk,
- "Public key extracted directly from apk does not match the public key from verification."
+ cert_from_verification, cert_from_apk,
+ "Certificate extracted directly from apk does not match the certificate from verification."
);
}
+fn public_key_der_from_cert(cert_der: &[u8]) -> Result<Vec<u8>> {
+ let cert = X509::from_der(cert_der)?;
+ Ok(cert.public_key()?.public_key_to_der()?)
+}
+
/// Validates that the following apk_digest are equal:
/// * apk_digest directly extracted from apk without computation
/// * computed apk_digest