Merge "Add error context during payload preparation in VS"
diff --git a/TEST_MAPPING b/TEST_MAPPING
index 11648c4..8cce099 100644
--- a/TEST_MAPPING
+++ b/TEST_MAPPING
@@ -47,6 +47,9 @@
"path": "packages/modules/Virtualization/libs/apkverify"
},
{
+ "path": "packages/modules/Virtualization/libs/idsig"
+ },
+ {
"path": "packages/modules/Virtualization/libs/vbmeta"
},
{
diff --git a/libs/apkverify/src/algorithms.rs b/libs/apkverify/src/algorithms.rs
index ecca7ed..a1cf368 100644
--- a/libs/apkverify/src/algorithms.rs
+++ b/libs/apkverify/src/algorithms.rs
@@ -97,6 +97,14 @@
&self,
public_key: &'a PKey<pkey::Public>,
) -> Result<Verifier<'a>> {
+ ensure!(
+ !matches!(
+ self,
+ SignatureAlgorithmID::DsaWithSha256 | SignatureAlgorithmID::VerityDsaWithSha256
+ ),
+ "TODO(b/197052981): Algorithm '{:?}' is not implemented.",
+ self
+ );
ensure!(public_key.id() == self.pkey_id(), "Public key has the wrong ID");
let mut verifier = Verifier::new(self.new_message_digest(), public_key)?;
if public_key.id() == pkey::Id::RSA {
@@ -122,14 +130,6 @@
}
}
- /// DSA is not directly supported in openssl today. See b/197052981.
- pub(crate) fn is_supported(&self) -> bool {
- !matches!(
- self,
- SignatureAlgorithmID::DsaWithSha256 | SignatureAlgorithmID::VerityDsaWithSha256,
- )
- }
-
fn pkey_id(&self) -> pkey::Id {
match self {
SignatureAlgorithmID::RsaPssWithSha256
diff --git a/libs/apkverify/src/v3.rs b/libs/apkverify/src/v3.rs
index 5272834..2a16cb1 100644
--- a/libs/apkverify/src/v3.rs
+++ b/libs/apkverify/src/v3.rs
@@ -139,7 +139,7 @@
Ok(self
.signatures
.iter()
- .filter(|sig| sig.signature_algorithm_id.map_or(false, |algo| algo.is_supported()))
+ .filter(|sig| sig.signature_algorithm_id.is_some())
.max_by_key(|sig| sig.signature_algorithm_id.unwrap().content_digest_algorithm())
.context("No supported signatures found")?)
}
diff --git a/libs/apkverify/tests/apkverify_test.rs b/libs/apkverify/tests/apkverify_test.rs
index f2018a1..5bd901d 100644
--- a/libs/apkverify/tests/apkverify_test.rs
+++ b/libs/apkverify/tests/apkverify_test.rs
@@ -40,11 +40,22 @@
}
#[test]
-fn apks_signed_with_v3_dsa_sha256_are_not_supported() {
+fn test_verify_v3_dsa_sha256() {
for key_name in KEY_NAMES_DSA.iter() {
let res = verify(format!("tests/data/v3-only-with-dsa-sha256-{}.apk", key_name));
- assert!(res.is_err(), "DSA algorithm is not supported for verification. See b/197052981.");
- assert_contains(&res.unwrap_err().to_string(), "No supported signatures found");
+ assert!(res.is_err());
+ assert_contains(&res.unwrap_err().to_string(), "not implemented");
+ }
+}
+
+/// TODO(b/197052981): DSA algorithm is not yet supported.
+#[test]
+fn apks_signed_with_v3_dsa_sha256_have_valid_apk_digest() {
+ for key_name in KEY_NAMES_DSA.iter() {
+ validate_apk_digest(
+ format!("tests/data/v3-only-with-dsa-sha256-{}.apk", key_name),
+ SignatureAlgorithmID::DsaWithSha256,
+ );
}
}
@@ -91,6 +102,7 @@
#[test]
fn test_verify_v3_sig_does_not_verify() {
let path_list = [
+ "tests/data/v3-only-with-dsa-sha256-2048-sig-does-not-verify.apk",
"tests/data/v3-only-with-ecdsa-sha512-p521-sig-does-not-verify.apk",
"tests/data/v3-only-with-rsa-pkcs1-sha256-3072-sig-does-not-verify.apk",
];
@@ -106,9 +118,16 @@
#[test]
fn test_verify_v3_digest_mismatch() {
- let res = verify("tests/data/v3-only-with-rsa-pkcs1-sha512-8192-digest-mismatch.apk");
- assert!(res.is_err());
- assert_contains(&res.unwrap_err().to_string(), "Digest mismatch");
+ let path_list = [
+ "tests/data/v3-only-with-dsa-sha256-3072-digest-mismatch.apk",
+ "tests/data/v3-only-with-rsa-pkcs1-sha512-8192-digest-mismatch.apk",
+ ];
+ for path in path_list.iter() {
+ let res = verify(path);
+ assert!(res.is_err());
+ let error_msg = &res.unwrap_err().to_string();
+ assert!(error_msg.contains("Digest mismatch") || error_msg.contains("not implemented"));
+ }
}
#[test]
diff --git a/libs/apkverify/tests/data/v3-only-with-dsa-sha256-1024.apk.apk_digest b/libs/apkverify/tests/data/v3-only-with-dsa-sha256-1024.apk.apk_digest
new file mode 100644
index 0000000..c5aec18
--- /dev/null
+++ b/libs/apkverify/tests/data/v3-only-with-dsa-sha256-1024.apk.apk_digest
Binary files differ
diff --git a/libs/apkverify/tests/data/v3-only-with-dsa-sha256-2048.apk.apk_digest b/libs/apkverify/tests/data/v3-only-with-dsa-sha256-2048.apk.apk_digest
new file mode 100644
index 0000000..c5aec18
--- /dev/null
+++ b/libs/apkverify/tests/data/v3-only-with-dsa-sha256-2048.apk.apk_digest
Binary files differ
diff --git a/libs/apkverify/tests/data/v3-only-with-dsa-sha256-3072.apk.apk_digest b/libs/apkverify/tests/data/v3-only-with-dsa-sha256-3072.apk.apk_digest
new file mode 100644
index 0000000..c5aec18
--- /dev/null
+++ b/libs/apkverify/tests/data/v3-only-with-dsa-sha256-3072.apk.apk_digest
Binary files differ
diff --git a/libs/idsig/TEST_MAPPING b/libs/idsig/TEST_MAPPING
new file mode 100644
index 0000000..eb57380
--- /dev/null
+++ b/libs/idsig/TEST_MAPPING
@@ -0,0 +1,7 @@
+{
+ "avf-presubmit" : [
+ {
+ "name" : "libidsig.test"
+ }
+ ]
+}