[apkverify] Skip DSA SHA256 during apk verification
Test: libapkverify.integration_test
Bug: 197052981
Change-Id: Ia42864ab609b1dbe59e260bd330cbdc4079982d6
diff --git a/libs/apkverify/src/algorithms.rs b/libs/apkverify/src/algorithms.rs
index a1cf368..ecca7ed 100644
--- a/libs/apkverify/src/algorithms.rs
+++ b/libs/apkverify/src/algorithms.rs
@@ -97,14 +97,6 @@
&self,
public_key: &'a PKey<pkey::Public>,
) -> Result<Verifier<'a>> {
- ensure!(
- !matches!(
- self,
- SignatureAlgorithmID::DsaWithSha256 | SignatureAlgorithmID::VerityDsaWithSha256
- ),
- "TODO(b/197052981): Algorithm '{:?}' is not implemented.",
- self
- );
ensure!(public_key.id() == self.pkey_id(), "Public key has the wrong ID");
let mut verifier = Verifier::new(self.new_message_digest(), public_key)?;
if public_key.id() == pkey::Id::RSA {
@@ -130,6 +122,14 @@
}
}
+ /// DSA is not directly supported in openssl today. See b/197052981.
+ pub(crate) fn is_supported(&self) -> bool {
+ !matches!(
+ self,
+ SignatureAlgorithmID::DsaWithSha256 | SignatureAlgorithmID::VerityDsaWithSha256,
+ )
+ }
+
fn pkey_id(&self) -> pkey::Id {
match self {
SignatureAlgorithmID::RsaPssWithSha256
diff --git a/libs/apkverify/src/v3.rs b/libs/apkverify/src/v3.rs
index 05694ff..80ef687 100644
--- a/libs/apkverify/src/v3.rs
+++ b/libs/apkverify/src/v3.rs
@@ -141,7 +141,7 @@
Ok(self
.signatures
.iter()
- .filter(|sig| sig.signature_algorithm_id.is_some())
+ .filter(|sig| sig.signature_algorithm_id.map_or(false, |algo| algo.is_supported()))
.max_by_key(|sig| sig.signature_algorithm_id.unwrap().content_digest_algorithm())
.context("No supported signatures found")?)
}