Reland "[apkverify] Skip DSA SHA256 during apk verification"
Reland this change as the broken idsig test has been fixed.
Test: libapkverify.integration_test
Bug: 197052981
Change-Id: Ic7c18915b33c506f09a8e821f613668a0600cac2
diff --git a/libs/apkverify/src/algorithms.rs b/libs/apkverify/src/algorithms.rs
index 6d4362b..ed2c1fc 100644
--- a/libs/apkverify/src/algorithms.rs
+++ b/libs/apkverify/src/algorithms.rs
@@ -102,7 +102,7 @@
self,
SignatureAlgorithmID::DsaWithSha256 | SignatureAlgorithmID::VerityDsaWithSha256
),
- "TODO(b/197052981): Algorithm '{:?}' is not implemented.",
+ "Algorithm '{:?}' is not supported in openssl to build this verifier (b/197052981).",
self
);
ensure!(public_key.id() == self.pkey_id(), "Public key has the wrong ID");
@@ -130,6 +130,14 @@
}
}
+ /// DSA is not directly supported in openssl today. See b/197052981.
+ pub(crate) fn is_supported(&self) -> bool {
+ !matches!(
+ self,
+ SignatureAlgorithmID::DsaWithSha256 | SignatureAlgorithmID::VerityDsaWithSha256,
+ )
+ }
+
fn pkey_id(&self) -> pkey::Id {
match self {
SignatureAlgorithmID::RsaPssWithSha256
diff --git a/libs/apkverify/src/v3.rs b/libs/apkverify/src/v3.rs
index 2a16cb1..5272834 100644
--- a/libs/apkverify/src/v3.rs
+++ b/libs/apkverify/src/v3.rs
@@ -139,7 +139,7 @@
Ok(self
.signatures
.iter()
- .filter(|sig| sig.signature_algorithm_id.is_some())
+ .filter(|sig| sig.signature_algorithm_id.map_or(false, |algo| algo.is_supported()))
.max_by_key(|sig| sig.signature_algorithm_id.unwrap().content_digest_algorithm())
.context("No supported signatures found")?)
}
diff --git a/libs/apkverify/tests/apkverify_test.rs b/libs/apkverify/tests/apkverify_test.rs
index 5bd901d..e17ba5c 100644
--- a/libs/apkverify/tests/apkverify_test.rs
+++ b/libs/apkverify/tests/apkverify_test.rs
@@ -40,22 +40,11 @@
}
#[test]
-fn test_verify_v3_dsa_sha256() {
+fn apks_signed_with_v3_dsa_sha256_are_not_supported() {
for key_name in KEY_NAMES_DSA.iter() {
let res = verify(format!("tests/data/v3-only-with-dsa-sha256-{}.apk", key_name));
- assert!(res.is_err());
- assert_contains(&res.unwrap_err().to_string(), "not implemented");
- }
-}
-
-/// TODO(b/197052981): DSA algorithm is not yet supported.
-#[test]
-fn apks_signed_with_v3_dsa_sha256_have_valid_apk_digest() {
- for key_name in KEY_NAMES_DSA.iter() {
- validate_apk_digest(
- format!("tests/data/v3-only-with-dsa-sha256-{}.apk", key_name),
- SignatureAlgorithmID::DsaWithSha256,
- );
+ assert!(res.is_err(), "DSA algorithm is not supported for verification. See b/197052981.");
+ assert_contains(&res.unwrap_err().to_string(), "No supported signatures found");
}
}
@@ -102,32 +91,21 @@
#[test]
fn test_verify_v3_sig_does_not_verify() {
let path_list = [
- "tests/data/v3-only-with-dsa-sha256-2048-sig-does-not-verify.apk",
"tests/data/v3-only-with-ecdsa-sha512-p521-sig-does-not-verify.apk",
"tests/data/v3-only-with-rsa-pkcs1-sha256-3072-sig-does-not-verify.apk",
];
for path in path_list.iter() {
let res = verify(path);
assert!(res.is_err());
- let error_msg = &res.unwrap_err().to_string();
- assert!(
- error_msg.contains("Signature is invalid") || error_msg.contains("not implemented")
- );
+ assert_contains(&res.unwrap_err().to_string(), "Signature is invalid");
}
}
#[test]
fn test_verify_v3_digest_mismatch() {
- let path_list = [
- "tests/data/v3-only-with-dsa-sha256-3072-digest-mismatch.apk",
- "tests/data/v3-only-with-rsa-pkcs1-sha512-8192-digest-mismatch.apk",
- ];
- for path in path_list.iter() {
- let res = verify(path);
- assert!(res.is_err());
- let error_msg = &res.unwrap_err().to_string();
- assert!(error_msg.contains("Digest mismatch") || error_msg.contains("not implemented"));
- }
+ let res = verify("tests/data/v3-only-with-rsa-pkcs1-sha512-8192-digest-mismatch.apk");
+ assert!(res.is_err());
+ assert_contains(&res.unwrap_err().to_string(), "Digest mismatch");
}
#[test]
diff --git a/libs/apkverify/tests/data/v3-only-with-dsa-sha256-1024.apk.apk_digest b/libs/apkverify/tests/data/v3-only-with-dsa-sha256-1024.apk.apk_digest
deleted file mode 100644
index c5aec18..0000000
--- a/libs/apkverify/tests/data/v3-only-with-dsa-sha256-1024.apk.apk_digest
+++ /dev/null
Binary files differ
diff --git a/libs/apkverify/tests/data/v3-only-with-dsa-sha256-2048.apk.apk_digest b/libs/apkverify/tests/data/v3-only-with-dsa-sha256-2048.apk.apk_digest
deleted file mode 100644
index c5aec18..0000000
--- a/libs/apkverify/tests/data/v3-only-with-dsa-sha256-2048.apk.apk_digest
+++ /dev/null
Binary files differ
diff --git a/libs/apkverify/tests/data/v3-only-with-dsa-sha256-3072.apk.apk_digest b/libs/apkverify/tests/data/v3-only-with-dsa-sha256-3072.apk.apk_digest
deleted file mode 100644
index c5aec18..0000000
--- a/libs/apkverify/tests/data/v3-only-with-dsa-sha256-3072.apk.apk_digest
+++ /dev/null
Binary files differ