[apkverify] Refactor verify_signed_data to use SignatureAlgorithmID
This CL refactors verify_signed_data to use the SignatureAlgorithmID
enum instead of raw integers. There's no behavior change in
this CL.
Bug: 246254355
Test: libapkverify.integration_test
Change-Id: I1296efb9a700d2fe3f6ec93f69cdc407a6882a0d
diff --git a/libs/apkverify/src/v3.rs b/libs/apkverify/src/v3.rs
index c86696f..2f13837 100644
--- a/libs/apkverify/src/v3.rs
+++ b/libs/apkverify/src/v3.rs
@@ -21,10 +21,7 @@
use anyhow::{anyhow, bail, ensure, Context, Result};
use bytes::Bytes;
use num_traits::FromPrimitive;
-use openssl::hash::MessageDigest;
use openssl::pkey::{self, PKey};
-use openssl::rsa::Padding;
-use openssl::sign::Verifier;
use openssl::x509::X509;
use std::fs::File;
use std::io::{Read, Seek};
@@ -223,39 +220,14 @@
}
}
-fn verify_signed_data(data: &Bytes, signature: &Signature, key: &PKey<pkey::Public>) -> Result<()> {
- let (pkey_id, padding, digest) = match signature.signature_algorithm_id {
- SIGNATURE_RSA_PSS_WITH_SHA256 => {
- (pkey::Id::RSA, Padding::PKCS1_PSS, MessageDigest::sha256())
- }
- SIGNATURE_RSA_PSS_WITH_SHA512 => {
- (pkey::Id::RSA, Padding::PKCS1_PSS, MessageDigest::sha512())
- }
- SIGNATURE_RSA_PKCS1_V1_5_WITH_SHA256 | SIGNATURE_VERITY_RSA_PKCS1_V1_5_WITH_SHA256 => {
- (pkey::Id::RSA, Padding::PKCS1, MessageDigest::sha256())
- }
- SIGNATURE_RSA_PKCS1_V1_5_WITH_SHA512 => {
- (pkey::Id::RSA, Padding::PKCS1, MessageDigest::sha512())
- }
- SIGNATURE_ECDSA_WITH_SHA256 | SIGNATURE_VERITY_ECDSA_WITH_SHA256 => {
- (pkey::Id::EC, Padding::NONE, MessageDigest::sha256())
- }
- // TODO(b/190343842) not implemented signature algorithm
- SIGNATURE_ECDSA_WITH_SHA512
- | SIGNATURE_DSA_WITH_SHA256
- | SIGNATURE_VERITY_DSA_WITH_SHA256 => {
- bail!(
- "TODO(b/190343842) not implemented signature algorithm: {:#x}",
- signature.signature_algorithm_id
- );
- }
- _ => bail!("Unsupported signature algorithm: {:#x}", signature.signature_algorithm_id),
- };
- ensure!(key.id() == pkey_id, "Public key has the wrong ID");
- let mut verifier = Verifier::new(digest, key)?;
- if pkey_id == pkey::Id::RSA {
- verifier.set_rsa_padding(padding)?;
- }
+fn verify_signed_data(
+ data: &Bytes,
+ signature: &Signature,
+ public_key: &PKey<pkey::Public>,
+) -> Result<()> {
+ let mut verifier = SignatureAlgorithmID::from_u32(signature.signature_algorithm_id)
+ .context("Unsupported algorithm")?
+ .new_verifier(public_key)?;
verifier.update(data)?;
let verified = verifier.verify(&signature.signature)?;
ensure!(verified, "Signature is invalid ");
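Review bot: The removed `ensure!(key.id() == pkey_id, "Public key has the wrong ID")` check and the `set_rsa_padding` call have no counterpart in the new body of `verify_signed_data`, so the "no behavior change" claim rests entirely on `SignatureAlgorithmID::new_verifier`, which is not visible in this hunk. It is worth confirming that it binds the key type and RSA padding to the algorithm, and that the IDs the old match bailed on (`SIGNATURE_ECDSA_WITH_SHA512` and the two DSA variants) are still rejected rather than given a verifier. If so, a comment at the call such as `// new_verifier rejects a key whose type does not match the algorithm and sets the RSA padding` would keep that guarantee visible to the next reader. The error for an unknown ID also drops the value the old message printed; `.with_context(|| format!("Unsupported signature algorithm: {:#x}", signature.signature_algorithm_id))?` would preserve it for triage. The function body continues past the end of the hunk.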