[apkverify] Merge idsig into apkverify package

This CL merges idsig into apkverify package as apkverify is
supposed to cover apk signature verification v3 and v4.

Bug: 248999133
Test: libapkverify.test apkdmverity.test microdroid_manager_test
Change-Id: Ieef2dcf93496164f8bb72cd4ee819ebb822f6142
diff --git a/libs/apkverify/src/hashtree.rs b/libs/apkverify/src/hashtree.rs
new file mode 100644
index 0000000..00d8292
--- /dev/null
+++ b/libs/apkverify/src/hashtree.rs
@@ -0,0 +1,218 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+use openssl::hash::{DigestBytes, Hasher, MessageDigest};
+use std::io::{Cursor, Read, Result, Write};
+
+/// `HashTree` is a merkle tree (and its root hash) that is compatible with fs-verity.
+pub struct HashTree {
+    /// Binary presentation of the merkle tree
+    pub tree: Vec<u8>,
+    /// Root hash
+    pub root_hash: Vec<u8>,
+}
+
+impl HashTree {
+    /// Creates merkle tree from `input`, using the given `salt` and hashing `algorithm`. `input`
+    /// is divided into `block_size` chunks.
+    pub fn from<R: Read>(
+        input: &mut R,
+        input_size: usize,
+        salt: &[u8],
+        block_size: usize,
+        algorithm: MessageDigest,
+    ) -> Result<Self> {
+        let salt = zero_pad_salt(salt, algorithm);
+        let tree = generate_hash_tree(input, input_size, &salt, block_size, algorithm)?;
+
+        // Root hash is from the first block of the hash or the input data if there is no hash tree
+        // generated which can happen when input data is smaller than block size
+        let root_hash = if tree.is_empty() {
+            let mut data = Vec::new();
+            input.read_to_end(&mut data)?;
+            hash_one_block(&data, &salt, block_size, algorithm)?.as_ref().to_vec()
+        } else {
+            let first_block = &tree[0..block_size];
+            hash_one_block(first_block, &salt, block_size, algorithm)?.as_ref().to_vec()
+        };
+        Ok(HashTree { tree, root_hash })
+    }
+}
+
+/// Calculate hash tree for the blocks in `input`.
+///
+/// This function implements: https://www.kernel.org/doc/html/latest/filesystems/fsverity.html#merkle-tree
+///
+/// The file contents is divided into blocks, where the block size is configurable but is usually
+/// 4096 bytes. The end of the last block is zero-padded if needed. Each block is then hashed,
+/// producing the first level of hashes. Then, the hashes in this first level are grouped into
+/// blocksize-byte blocks (zero-padding the ends as needed) and these blocks are hashed,
+/// producing the second level of hashes. This proceeds up the tree until only a single block
+/// remains.
+pub fn generate_hash_tree<R: Read>(
+    input: &mut R,
+    input_size: usize,
+    salt: &[u8],
+    block_size: usize,
+    algorithm: MessageDigest,
+) -> Result<Vec<u8>> {
+    let digest_size = algorithm.size();
+    let levels = calc_hash_levels(input_size, block_size, digest_size);
+    let tree_size = levels.iter().map(|r| r.len()).sum();
+
+    // The contiguous memory that holds the entire merkle tree
+    let mut hash_tree = vec![0; tree_size];
+
+    for (n, cur) in levels.iter().enumerate() {
+        if n == 0 {
+            // Level 0: the (zero-padded) input stream is hashed into level 0
+            let pad_size = round_to_multiple(input_size, block_size) - input_size;
+            let mut input = input.chain(Cursor::new(vec![0; pad_size]));
+            let mut level0 = Cursor::new(&mut hash_tree[cur.start..cur.end]);
+
+            let mut a_block = vec![0; block_size];
+            let mut num_blocks = (input_size + block_size - 1) / block_size;
+            while num_blocks > 0 {
+                input.read_exact(&mut a_block)?;
+                let h = hash_one_block(&a_block, salt, block_size, algorithm)?;
+                level0.write_all(h.as_ref()).unwrap();
+                num_blocks -= 1;
+            }
+        } else {
+            // Intermediate levels: level n - 1 is hashed into level n
+            // Both levels belong to the same `hash_tree`. In order to have a mutable slice for
+            // level n while having a slice for level n - 1, take the mutable slice for both levels
+            // and split it.
+            let prev = &levels[n - 1];
+            let cur_and_prev = &mut hash_tree[cur.start..prev.end];
+            let (cur, prev) = cur_and_prev.split_at_mut(prev.start - cur.start);
+            let mut cur = Cursor::new(cur);
+            for data in prev.chunks(block_size) {
+                let h = hash_one_block(data, salt, block_size, algorithm)?;
+                cur.write_all(h.as_ref()).unwrap();
+            }
+        }
+    }
+    Ok(hash_tree)
+}
+
+/// Hash one block of input using the given hash algorithm and the salt. Input might be smaller
+/// than a block, in which case zero is padded.
+fn hash_one_block(
+    input: &[u8],
+    salt: &[u8],
+    block_size: usize,
+    algorithm: MessageDigest,
+) -> Result<DigestBytes> {
+    let mut ctx = Hasher::new(algorithm)?;
+    ctx.update(salt)?;
+    ctx.update(input)?;
+    let pad_size = block_size - input.len();
+    ctx.update(&vec![0; pad_size])?;
+    Ok(ctx.finish()?)
+}
+
+type Range = std::ops::Range<usize>;
+
+/// Calculate the ranges of hash for each level
+fn calc_hash_levels(input_size: usize, block_size: usize, digest_size: usize) -> Vec<Range> {
+    // The input is split into multiple blocks and each block is hashed, which becomes the input
+    // for the next level. Size of a single hash is `digest_size`.
+    let mut level_sizes = Vec::new();
+    loop {
+        // Input for this level is from either the last level (if exists), or the input parameter.
+        let input_size = *level_sizes.last().unwrap_or(&input_size);
+        if input_size <= block_size {
+            break;
+        }
+        let num_blocks = (input_size + block_size - 1) / block_size;
+        let hashes_size = round_to_multiple(num_blocks * digest_size, block_size);
+        level_sizes.push(hashes_size);
+    }
+
+    // The hash tree is stored upside down. The top level is at offset 0. The second level comes
+    // next, and so on. Level 0 is located at the end.
+    //
+    // Given level_sizes [10, 3, 1], the offsets for each label are ...
+    //
+    // Level 2 is at offset 0
+    // Level 1 is at offset 1 (because Level 2 is of size 1)
+    // Level 0 is at offset 4 (because Level 1 is of size 3)
+    //
+    // This is done by scanning the sizes in reverse order
+    let mut ranges = level_sizes
+        .iter()
+        .rev()
+        .scan(0, |prev_end, size| {
+            let range = *prev_end..*prev_end + size;
+            *prev_end = range.end;
+            Some(range)
+        })
+        .collect::<Vec<_>>();
+    ranges.reverse(); // reverse again so that index N is for level N
+    ranges
+}
+
+/// Round `n` up to the nearest multiple of `unit`
+fn round_to_multiple(n: usize, unit: usize) -> usize {
+    (n + unit - 1) & !(unit - 1)
+}
+
+/// Pad zero to salt if necessary.
+///
+/// According to https://www.kernel.org/doc/html/latest/filesystems/fsverity.html:
+///
+/// If a salt was specified, then it’s zero-padded to the closest multiple of the input size of the
+/// hash algorithm’s compression function, e.g. 64 bytes for SHA-256 or 128 bytes for SHA-512. The
+/// padded salt is prepended to every data or Merkle tree block that is hashed.
+fn zero_pad_salt(salt: &[u8], algorithm: MessageDigest) -> Vec<u8> {
+    if salt.is_empty() {
+        salt.to_vec()
+    } else {
+        let padded_len = round_to_multiple(salt.len(), algorithm.block_size());
+        let mut salt = salt.to_vec();
+        salt.resize(padded_len, 0);
+        salt
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use openssl::hash::MessageDigest;
+    use std::fs::{self, File};
+
+    #[test]
+    fn compare_with_golden_output() -> Result<()> {
+        // The golden outputs are generated by using the `fsverity` utility.
+        let sizes = ["512", "4K", "1M", "10000000", "272629760"];
+        for size in sizes.iter() {
+            let input_name = format!("tests/data/input.{}", size);
+            let mut input = File::open(&input_name)?;
+            let golden_hash_tree = fs::read(format!("{}.hash", input_name))?;
+            let golden_descriptor = fs::read(format!("{}.descriptor", input_name))?;
+            let golden_root_hash = &golden_descriptor[16..16 + 32];
+
+            let size = std::fs::metadata(&input_name)?.len() as usize;
+            let salt = vec![1, 2, 3, 4, 5, 6];
+            let ht = HashTree::from(&mut input, size, &salt, 4096, MessageDigest::sha256())?;
+
+            assert_eq!(golden_hash_tree.as_slice(), ht.tree.as_slice());
+            assert_eq!(golden_root_hash, ht.root_hash.as_slice());
+        }
+        Ok(())
+    }
+}
diff --git a/libs/apkverify/src/lib.rs b/libs/apkverify/src/lib.rs
index 1e0bd77..359d963 100644
--- a/libs/apkverify/src/lib.rs
+++ b/libs/apkverify/src/lib.rs
@@ -18,6 +18,7 @@
 
 mod algorithms;
 mod bytes_ext;
+mod hashtree;
 mod sigutil;
 #[allow(dead_code)]
 pub mod testing;
@@ -27,4 +28,4 @@
 
 pub use algorithms::SignatureAlgorithmID;
 pub use v3::{get_public_key_der, verify};
-pub use v4::get_apk_digest;
+pub use v4::{get_apk_digest, HashAlgorithm, V4Signature};
diff --git a/libs/apkverify/src/v4.rs b/libs/apkverify/src/v4.rs
index 9012479..33e666f 100644
--- a/libs/apkverify/src/v4.rs
+++ b/libs/apkverify/src/v4.rs
@@ -18,10 +18,16 @@
 //!
 //! [v4]: https://source.android.com/security/apksigning/v4
 
-use anyhow::{ensure, Context, Result};
-use std::io::{Read, Seek};
+use anyhow::{anyhow, bail, ensure, Context, Result};
+use byteorder::{LittleEndian, ReadBytesExt, WriteBytesExt};
+use num_derive::{FromPrimitive, ToPrimitive};
+use num_traits::{FromPrimitive, ToPrimitive};
+use std::fs;
+use std::io::{copy, Cursor, Read, Seek, SeekFrom, Write};
+use std::path::Path;
 
 use crate::algorithms::SignatureAlgorithmID;
+use crate::hashtree::*;
 use crate::v3::extract_signer_and_apk_sections;
 
 /// Gets the v4 [apk_digest]. If `verify` is true, we verify that digest computed
@@ -48,3 +54,353 @@
     }
     Ok((strongest_algorithm_id, extracted_digest))
 }
+
+/// `V4Signature` provides access to the various fields in an idsig file.
+#[derive(Default)]
+pub struct V4Signature<R: Read + Seek> {
+    /// Version of the header. Should be 2.
+    pub version: Version,
+    /// Provides access to the information about how the APK is hashed.
+    pub hashing_info: HashingInfo,
+    /// Provides access to the information that can be used to verify this file
+    pub signing_info: SigningInfo,
+    /// Total size of the merkle tree
+    pub merkle_tree_size: u32,
+    /// Offset of the merkle tree in the idsig file
+    pub merkle_tree_offset: u64,
+
+    // Provides access to the underlying data
+    data: R,
+}
+
+/// `HashingInfo` provides information about how the APK is hashed.
+#[derive(Default)]
+pub struct HashingInfo {
+    /// Hash algorithm used when creating the merkle tree for the APK.
+    pub hash_algorithm: HashAlgorithm,
+    /// The log size of a block used when creating the merkle tree. 12 if 4k block was used.
+    pub log2_blocksize: u8,
+    /// The salt used when creating the merkle tree. 32 bytes max.
+    pub salt: Box<[u8]>,
+    /// The root hash of the merkle tree created.
+    pub raw_root_hash: Box<[u8]>,
+}
+
+/// `SigningInfo` provides information that can be used to verify the idsig file.
+#[derive(Default)]
+pub struct SigningInfo {
+    /// Digest of the APK that this idsig file is for.
+    pub apk_digest: Box<[u8]>,
+    /// Certificate of the signer that signed this idsig file. ASN.1 DER form.
+    pub x509_certificate: Box<[u8]>,
+    /// A free-form binary data
+    pub additional_data: Box<[u8]>,
+    /// Public key of the signer in ASN.1 DER form. This must match the `x509_certificate` field.
+    pub public_key: Box<[u8]>,
+    /// Signature algorithm used to sign this file.
+    pub signature_algorithm_id: SignatureAlgorithmID,
+    /// The signature of this file.
+    pub signature: Box<[u8]>,
+}
+
+/// Version of the idsig file format
+#[derive(Debug, PartialEq, Eq, FromPrimitive, ToPrimitive)]
+#[repr(u32)]
+pub enum Version {
+    /// Version 2, the only supported version.
+    V2 = 2,
+}
+
+impl Version {
+    fn from(val: u32) -> Result<Version> {
+        Self::from_u32(val).ok_or_else(|| anyhow!("{} is an unsupported version", val))
+    }
+}
+
+impl Default for Version {
+    fn default() -> Self {
+        Version::V2
+    }
+}
+
+/// Hash algorithm that can be used for idsig file.
+#[derive(Debug, PartialEq, Eq, FromPrimitive, ToPrimitive)]
+#[repr(u32)]
+pub enum HashAlgorithm {
+    /// SHA2-256
+    SHA256 = 1,
+}
+
+impl HashAlgorithm {
+    fn from(val: u32) -> Result<HashAlgorithm> {
+        Self::from_u32(val).ok_or_else(|| anyhow!("{} is an unsupported hash algorithm", val))
+    }
+}
+
+impl Default for HashAlgorithm {
+    fn default() -> Self {
+        HashAlgorithm::SHA256
+    }
+}
+
+impl V4Signature<fs::File> {
+    /// Creates a `V4Signature` struct from the given idsig path.
+    pub fn from_idsig_path<P: AsRef<Path>>(idsig_path: P) -> Result<Self> {
+        let idsig = fs::File::open(idsig_path).context("Cannot find idsig file")?;
+        Self::from_idsig(idsig)
+    }
+}
+
+impl<R: Read + Seek> V4Signature<R> {
+    /// Consumes a stream for an idsig file into a `V4Signature` struct.
+    pub fn from_idsig(mut r: R) -> Result<V4Signature<R>> {
+        Ok(V4Signature {
+            version: Version::from(r.read_u32::<LittleEndian>()?)?,
+            hashing_info: HashingInfo::from(&mut r)?,
+            signing_info: SigningInfo::from(&mut r)?,
+            merkle_tree_size: r.read_u32::<LittleEndian>()?,
+            merkle_tree_offset: r.stream_position()?,
+            data: r,
+        })
+    }
+
+    /// Read a stream for an APK file and creates a corresponding `V4Signature` struct that digests
+    /// the APK file. Note that the signing is not done.
+    pub fn create(
+        mut apk: &mut R,
+        block_size: usize,
+        salt: &[u8],
+        algorithm: HashAlgorithm,
+    ) -> Result<V4Signature<Cursor<Vec<u8>>>> {
+        // Determine the size of the apk
+        let start = apk.stream_position()?;
+        let size = apk.seek(SeekFrom::End(0))? as usize;
+        apk.seek(SeekFrom::Start(start))?;
+
+        // Create hash tree (and root hash)
+        let algorithm = match algorithm {
+            HashAlgorithm::SHA256 => openssl::hash::MessageDigest::sha256(),
+        };
+        let hash_tree = HashTree::from(&mut apk, size, salt, block_size, algorithm)?;
+
+        let mut ret = V4Signature {
+            version: Version::default(),
+            hashing_info: HashingInfo::default(),
+            signing_info: SigningInfo::default(),
+            merkle_tree_size: hash_tree.tree.len() as u32,
+            merkle_tree_offset: 0, // merkle tree starts from the beginning of `data`
+            data: Cursor::new(hash_tree.tree),
+        };
+        ret.hashing_info.raw_root_hash = hash_tree.root_hash.into_boxed_slice();
+        ret.hashing_info.log2_blocksize = log2(block_size);
+
+        apk.seek(SeekFrom::Start(start))?;
+        let (signature_algorithm_id, apk_digest) = get_apk_digest(apk, /*verify=*/ false)?;
+        ret.signing_info.signature_algorithm_id = signature_algorithm_id;
+        ret.signing_info.apk_digest = apk_digest;
+        // TODO(jiyong): add a signature to the signing_info struct
+
+        Ok(ret)
+    }
+
+    /// Writes the data into a writer
+    pub fn write_into<W: Write + Seek>(&mut self, mut w: &mut W) -> Result<()> {
+        // Writes the header part
+        w.write_u32::<LittleEndian>(self.version.to_u32().unwrap())?;
+        self.hashing_info.write_into(&mut w)?;
+        self.signing_info.write_into(&mut w)?;
+        w.write_u32::<LittleEndian>(self.merkle_tree_size)?;
+
+        // Writes the merkle tree
+        self.data.seek(SeekFrom::Start(self.merkle_tree_offset))?;
+        let copied_size = copy(&mut self.data, &mut w)?;
+        if copied_size != self.merkle_tree_size as u64 {
+            bail!(
+                "merkle tree is {} bytes, but only {} bytes are written.",
+                self.merkle_tree_size,
+                copied_size
+            );
+        }
+        Ok(())
+    }
+
+    /// Returns the bytes that represents the merkle tree
+    pub fn merkle_tree(&mut self) -> Result<Vec<u8>> {
+        self.data.seek(SeekFrom::Start(self.merkle_tree_offset))?;
+        let mut out = Vec::new();
+        self.data.read_to_end(&mut out)?;
+        Ok(out)
+    }
+}
+
+impl HashingInfo {
+    fn from(mut r: &mut dyn Read) -> Result<HashingInfo> {
+        // Size of the entire hashing_info struct. We don't need this because each variable-sized
+        // fields in the struct are also length encoded.
+        r.read_u32::<LittleEndian>()?;
+        Ok(HashingInfo {
+            hash_algorithm: HashAlgorithm::from(r.read_u32::<LittleEndian>()?)?,
+            log2_blocksize: r.read_u8()?,
+            salt: read_sized_array(&mut r)?,
+            raw_root_hash: read_sized_array(&mut r)?,
+        })
+    }
+
+    fn write_into<W: Write + Seek>(&self, mut w: &mut W) -> Result<()> {
+        let start = w.stream_position()?;
+        // Size of the entire hashing_info struct. Since we don't know the size yet, fill the place
+        // with 0. The exact size will then be written below.
+        w.write_u32::<LittleEndian>(0)?;
+
+        w.write_u32::<LittleEndian>(self.hash_algorithm.to_u32().unwrap())?;
+        w.write_u8(self.log2_blocksize)?;
+        write_sized_array(&mut w, &self.salt)?;
+        write_sized_array(&mut w, &self.raw_root_hash)?;
+
+        // Determine the size of hashing_info, and write it in front of the struct where the value
+        // was initialized to zero.
+        let end = w.stream_position()?;
+        let size = end - start - std::mem::size_of::<u32>() as u64;
+        w.seek(SeekFrom::Start(start))?;
+        w.write_u32::<LittleEndian>(size as u32)?;
+        w.seek(SeekFrom::Start(end))?;
+        Ok(())
+    }
+}
+
+impl SigningInfo {
+    fn from(mut r: &mut dyn Read) -> Result<SigningInfo> {
+        // Size of the entire signing_info struct. We don't need this because each variable-sized
+        // fields in the struct are also length encoded.
+        r.read_u32::<LittleEndian>()?;
+        Ok(SigningInfo {
+            apk_digest: read_sized_array(&mut r)?,
+            x509_certificate: read_sized_array(&mut r)?,
+            additional_data: read_sized_array(&mut r)?,
+            public_key: read_sized_array(&mut r)?,
+            signature_algorithm_id: SignatureAlgorithmID::from_u32(r.read_u32::<LittleEndian>()?)
+                .context("Unsupported signature algorithm")?,
+            signature: read_sized_array(&mut r)?,
+        })
+    }
+
+    fn write_into<W: Write + Seek>(&self, mut w: &mut W) -> Result<()> {
+        let start = w.stream_position()?;
+        // Size of the entire signing_info struct. Since we don't know the size yet, fill the place
+        // with 0. The exact size will then be written below.
+        w.write_u32::<LittleEndian>(0)?;
+
+        write_sized_array(&mut w, &self.apk_digest)?;
+        write_sized_array(&mut w, &self.x509_certificate)?;
+        write_sized_array(&mut w, &self.additional_data)?;
+        write_sized_array(&mut w, &self.public_key)?;
+        w.write_u32::<LittleEndian>(self.signature_algorithm_id.to_u32())?;
+        write_sized_array(&mut w, &self.signature)?;
+
+        // Determine the size of signing_info, and write it in front of the struct where the value
+        // was initialized to zero.
+        let end = w.stream_position()?;
+        let size = end - start - std::mem::size_of::<u32>() as u64;
+        w.seek(SeekFrom::Start(start))?;
+        w.write_u32::<LittleEndian>(size as u32)?;
+        w.seek(SeekFrom::Start(end))?;
+        Ok(())
+    }
+}
+
+fn read_sized_array(r: &mut dyn Read) -> Result<Box<[u8]>> {
+    let size = r.read_u32::<LittleEndian>()?;
+    let mut data = vec![0; size as usize];
+    r.read_exact(&mut data)?;
+    Ok(data.into_boxed_slice())
+}
+
+fn write_sized_array(w: &mut dyn Write, data: &[u8]) -> Result<()> {
+    w.write_u32::<LittleEndian>(data.len() as u32)?;
+    Ok(w.write_all(data)?)
+}
+
+fn log2(n: usize) -> u8 {
+    let num_bits = std::mem::size_of::<usize>() * 8;
+    (num_bits as u32 - n.leading_zeros() - 1) as u8
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use std::io::Cursor;
+
+    const TEST_APK_PATH: &str = "tests/data/v4-digest-v3-Sha256withEC.apk";
+
+    fn hexstring_from(s: &[u8]) -> String {
+        s.iter().map(|byte| format!("{:02x}", byte)).reduce(|i, j| i + &j).unwrap_or_default()
+    }
+
+    #[test]
+    fn parse_idsig_file() {
+        let parsed = V4Signature::from_idsig_path(format!("{}.idsig", TEST_APK_PATH)).unwrap();
+
+        assert_eq!(Version::V2, parsed.version);
+
+        let hi = parsed.hashing_info;
+        assert_eq!(HashAlgorithm::SHA256, hi.hash_algorithm);
+        assert_eq!(12, hi.log2_blocksize);
+        assert_eq!("", hexstring_from(hi.salt.as_ref()));
+        assert_eq!(
+            "77f063b48b63f846690fa76450a8d3b61a295b6158f50592e873f76dbeeb0201",
+            hexstring_from(hi.raw_root_hash.as_ref())
+        );
+
+        let si = parsed.signing_info;
+        assert_eq!(
+            "c02fe2eddeb3078801828b930de546ea4f98d37fb98b40c7c7ed169b0d713583",
+            hexstring_from(si.apk_digest.as_ref())
+        );
+        assert_eq!("", hexstring_from(si.additional_data.as_ref()));
+        assert_eq!(
+            "3046022100fb6383ba300dc7e1e6931a25b381398a16e5575baefd82afd12ba88660d9a6\
+            4c022100ebdcae13ab18c4e30bf6ae634462e526367e1ba26c2647a1d87a0f42843fc128",
+            hexstring_from(si.signature.as_ref())
+        );
+        assert_eq!(SignatureAlgorithmID::EcdsaWithSha256, si.signature_algorithm_id);
+
+        assert_eq!(4096, parsed.merkle_tree_size);
+        assert_eq!(648, parsed.merkle_tree_offset);
+    }
+
+    /// Parse an idsig file into V4Signature and write it. The written date must be the same as
+    /// the input file.
+    #[test]
+    fn parse_and_compose() {
+        let idsig_path = format!("{}.idsig", TEST_APK_PATH);
+        let mut v4_signature = V4Signature::from_idsig_path(&idsig_path).unwrap();
+
+        let mut output = Cursor::new(Vec::new());
+        v4_signature.write_into(&mut output).unwrap();
+
+        assert_eq!(fs::read(&idsig_path).unwrap(), output.get_ref().as_slice());
+    }
+
+    /// Create V4Signature by hashing an APK. Merkle tree and the root hash should be the same
+    /// as those in the idsig file created by the signapk tool.
+    #[test]
+    fn digest_from_apk() {
+        let mut input = Cursor::new(include_bytes!("../tests/data/v4-digest-v3-Sha256withEC.apk"));
+        let mut created =
+            V4Signature::create(&mut input, 4096, &[], HashAlgorithm::SHA256).unwrap();
+
+        let mut golden = V4Signature::from_idsig_path(format!("{}.idsig", TEST_APK_PATH)).unwrap();
+
+        // Compare the root hash
+        assert_eq!(
+            created.hashing_info.raw_root_hash.as_ref(),
+            golden.hashing_info.raw_root_hash.as_ref()
+        );
+
+        // Compare the merkle tree
+        assert_eq!(
+            created.merkle_tree().unwrap().as_slice(),
+            golden.merkle_tree().unwrap().as_slice()
+        );
+    }
+}
diff --git a/libs/apkverify/tests/data/create.sh b/libs/apkverify/tests/data/create.sh
new file mode 100755
index 0000000..1a15d2b
--- /dev/null
+++ b/libs/apkverify/tests/data/create.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+sizes="512 4K 1M 10000000 272629760"
+for size in $sizes; do
+  echo $size
+  dd if=/dev/random of=input.$size bs=$size count=1
+  fsverity digest input.$size \
+    --hash-alg=sha256 \
+    --salt=010203040506 \
+    --block-size=4096 \
+    --out-merkle-tree input.$size.hash \
+    --out-descriptor input.$size.descriptor
+done
diff --git a/libs/apkverify/tests/data/input.10000000 b/libs/apkverify/tests/data/input.10000000
new file mode 100644
index 0000000..6bc5a4b
--- /dev/null
+++ b/libs/apkverify/tests/data/input.10000000
Binary files differ
diff --git a/libs/apkverify/tests/data/input.10000000.descriptor b/libs/apkverify/tests/data/input.10000000.descriptor
new file mode 100644
index 0000000..dc0d096
--- /dev/null
+++ b/libs/apkverify/tests/data/input.10000000.descriptor
Binary files differ
diff --git a/libs/apkverify/tests/data/input.10000000.hash b/libs/apkverify/tests/data/input.10000000.hash
new file mode 100644
index 0000000..354c5c2
--- /dev/null
+++ b/libs/apkverify/tests/data/input.10000000.hash
Binary files differ
diff --git a/libs/apkverify/tests/data/input.1M b/libs/apkverify/tests/data/input.1M
new file mode 100644
index 0000000..7040ec3
--- /dev/null
+++ b/libs/apkverify/tests/data/input.1M
Binary files differ
diff --git a/libs/apkverify/tests/data/input.1M.descriptor b/libs/apkverify/tests/data/input.1M.descriptor
new file mode 100644
index 0000000..f11753d
--- /dev/null
+++ b/libs/apkverify/tests/data/input.1M.descriptor
Binary files differ
diff --git a/libs/apkverify/tests/data/input.1M.hash b/libs/apkverify/tests/data/input.1M.hash
new file mode 100644
index 0000000..689790c
--- /dev/null
+++ b/libs/apkverify/tests/data/input.1M.hash
Binary files differ
diff --git a/libs/apkverify/tests/data/input.272629760 b/libs/apkverify/tests/data/input.272629760
new file mode 100644
index 0000000..5bb6753
--- /dev/null
+++ b/libs/apkverify/tests/data/input.272629760
Binary files differ
diff --git a/libs/apkverify/tests/data/input.272629760.descriptor b/libs/apkverify/tests/data/input.272629760.descriptor
new file mode 100644
index 0000000..70e0744
--- /dev/null
+++ b/libs/apkverify/tests/data/input.272629760.descriptor
Binary files differ
diff --git a/libs/apkverify/tests/data/input.272629760.hash b/libs/apkverify/tests/data/input.272629760.hash
new file mode 100644
index 0000000..f2c68cc
--- /dev/null
+++ b/libs/apkverify/tests/data/input.272629760.hash
Binary files differ
diff --git a/libs/apkverify/tests/data/input.4K b/libs/apkverify/tests/data/input.4K
new file mode 100644
index 0000000..99db32a
--- /dev/null
+++ b/libs/apkverify/tests/data/input.4K
Binary files differ
diff --git a/libs/apkverify/tests/data/input.4K.descriptor b/libs/apkverify/tests/data/input.4K.descriptor
new file mode 100644
index 0000000..b120e2f
--- /dev/null
+++ b/libs/apkverify/tests/data/input.4K.descriptor
Binary files differ
diff --git a/libs/apkverify/tests/data/input.4K.hash b/libs/apkverify/tests/data/input.4K.hash
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/libs/apkverify/tests/data/input.4K.hash
diff --git a/libs/apkverify/tests/data/input.512 b/libs/apkverify/tests/data/input.512
new file mode 100644
index 0000000..a57797f
--- /dev/null
+++ b/libs/apkverify/tests/data/input.512
Binary files differ
diff --git a/libs/apkverify/tests/data/input.512.descriptor b/libs/apkverify/tests/data/input.512.descriptor
new file mode 100644
index 0000000..805019b
--- /dev/null
+++ b/libs/apkverify/tests/data/input.512.descriptor
Binary files differ
diff --git a/libs/apkverify/tests/data/input.512.hash b/libs/apkverify/tests/data/input.512.hash
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/libs/apkverify/tests/data/input.512.hash
diff --git a/libs/apkverify/tests/data/v4-digest-v3-Sha256withEC.apk b/libs/apkverify/tests/data/v4-digest-v3-Sha256withEC.apk
new file mode 100644
index 0000000..b214336
--- /dev/null
+++ b/libs/apkverify/tests/data/v4-digest-v3-Sha256withEC.apk
Binary files differ
diff --git a/libs/apkverify/tests/data/v4-digest-v3-Sha256withEC.apk.idsig b/libs/apkverify/tests/data/v4-digest-v3-Sha256withEC.apk.idsig
new file mode 100644
index 0000000..19d38d5
--- /dev/null
+++ b/libs/apkverify/tests/data/v4-digest-v3-Sha256withEC.apk.idsig
Binary files differ