microdroid_manager: verify APK/APEXes
Even though libapkverify doesn't do much verification for now, having
it in use would make CI detect errors in the future.
TODO:
- zipfuse should wait until APK is verified.
- boot should abort when verification fails.
Bug: 190343842
Test: MicrodroidHostTestCases
Change-Id: I221be1c7d9a0bfcd312593d3958f950311b67af5
diff --git a/apkverify/Android.bp b/apkverify/Android.bp
new file mode 100644
index 0000000..2187b77
--- /dev/null
+++ b/apkverify/Android.bp
@@ -0,0 +1,19 @@
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+rust_library {
+ name: "libapkverify",
+ host_supported: true,
+ crate_name: "apkverify",
+ srcs: ["src/lib.rs"],
+ prefer_rlib: true,
+ edition: "2018",
+ rustlibs: [
+ "libanyhow",
+ "libbyteorder",
+ "libbytes",
+ "liblog_rust",
+ "libzip",
+ ],
+}
diff --git a/apkverify/Cargo.toml b/apkverify/Cargo.toml
deleted file mode 100644
index 965dd9a..0000000
--- a/apkverify/Cargo.toml
+++ /dev/null
@@ -1,11 +0,0 @@
-[package]
-name = "apkverify"
-version = "0.1.0"
-authors = ["Jooyung Han <jooyung@google.com>"]
-edition = "2018"
-
-[dependencies]
-anyhow = { path = "../../../../external/rust/crates/anyhow" }
-bytes = { path = "../../../../external/rust/crates/bytes" }
-byteorder = { path = "../../../../external/rust/crates/byteorder" }
-zip = { version = "0.5", path = "../../../../external/rust/crates/zip" }
\ No newline at end of file
diff --git a/apkverify/src/sigutil.rs b/apkverify/src/sigutil.rs
index 564831f..43fbe67 100644
--- a/apkverify/src/sigutil.rs
+++ b/apkverify/src/sigutil.rs
@@ -128,19 +128,19 @@
}
pub fn is_supported_signature_algorithm(algorithm_id: u32) -> bool {
- match algorithm_id {
+ matches!(
+ algorithm_id,
SIGNATURE_RSA_PSS_WITH_SHA256
- | SIGNATURE_RSA_PSS_WITH_SHA512
- | SIGNATURE_RSA_PKCS1_V1_5_WITH_SHA256
- | SIGNATURE_RSA_PKCS1_V1_5_WITH_SHA512
- | SIGNATURE_ECDSA_WITH_SHA256
- | SIGNATURE_ECDSA_WITH_SHA512
- | SIGNATURE_DSA_WITH_SHA256
- | SIGNATURE_VERITY_RSA_PKCS1_V1_5_WITH_SHA256
- | SIGNATURE_VERITY_ECDSA_WITH_SHA256
- | SIGNATURE_VERITY_DSA_WITH_SHA256 => true,
- _ => false,
- }
+ | SIGNATURE_RSA_PSS_WITH_SHA512
+ | SIGNATURE_RSA_PKCS1_V1_5_WITH_SHA256
+ | SIGNATURE_RSA_PKCS1_V1_5_WITH_SHA512
+ | SIGNATURE_ECDSA_WITH_SHA256
+ | SIGNATURE_ECDSA_WITH_SHA512
+ | SIGNATURE_DSA_WITH_SHA256
+ | SIGNATURE_VERITY_RSA_PKCS1_V1_5_WITH_SHA256
+ | SIGNATURE_VERITY_ECDSA_WITH_SHA256
+ | SIGNATURE_VERITY_DSA_WITH_SHA256
+ )
}
fn to_content_digest_algorithm(algorithm_id: u32) -> Result<u32> {
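Review bot: `is_supported_signature_algorithm` is public but has no doc comment saying what "supported" means, and the `matches!` list accepts all ten IDs, including `SIGNATURE_DSA_WITH_SHA256` and the three `SIGNATURE_VERITY_*` variants. If callers use it to filter algorithm IDs read from an APK's signing block (not visible here), this list is the allowlist, so it should name only algorithms the verifier actually checks. A comment such as `/// Returns true if algorithm_id is a signature algorithm this crate can verify; every ID listed here must also be handled by to_content_digest_algorithm.` would pin that contract. `to_content_digest_algorithm` begins on the last line of the hunk and its body is outside it, so whether each listed ID is mapped there cannot be confirmed from this diff.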
diff --git a/apkverify/src/v3.rs b/apkverify/src/v3.rs
index 0a292df..1bf8a61 100644
--- a/apkverify/src/v3.rs
+++ b/apkverify/src/v3.rs
@@ -16,6 +16,9 @@
//! Verifies APK Signature Scheme V3
+// TODO(jooyung) remove this
+#![allow(dead_code)]
+
use anyhow::{anyhow, bail, Result};
use bytes::Bytes;
use std::fs::File;
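Review bot: The added `#![allow(dead_code)]` is an inner attribute, so it silences the unused-code lint for all of `v3.rs`, and in a signature verifier that lint is the cheapest signal that a check is defined but never called. The commit message says verification is not yet enforced, so presumably some helpers are unwired for now; scoping the allowance to those items with `#[allow(dead_code)]` keeps the warning alive for everything else. The TODO would also be easier to track if it named the bug from the commit message, e.g. `// TODO(b/190343842): remove once the v3 verifier calls these helpers`.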