commit d73d0ff44cdcd1a6090b8dee6a231867315a8dcb
author Alice Wang <aliceywang@google.com> Tue Sep 20 11:33:30 2022 +0000
committer Alice Wang <aliceywang@google.com> Tue Sep 20 17:24:33 2022 +0000
tree f5aad8b0f2b9df74552793744eef7836732c8c81
parent 7eaeda0f33e3fd145224a8885f64a46573414db6

[apkverify] Use SignatureAlgorithmID in Digest/Signature

This CL uses SignatureAlgorithmID for the signature_algorithm_id
field in Digest/Signature.

Bug: 246254355
Test: libapkverify.integration_test
Change-Id: Ic36c001b007f80498479c2cc2cdf8991c548d1da

libs/apkverify/src/v3.rs

diff --git a/libs/apkverify/src/v3.rs b/libs/apkverify/src/v3.rs
index 0fe2f2b..a3e738b 100644
--- a/libs/apkverify/src/v3.rs
+++ b/libs/apkverify/src/v3.rs
@@ -20,7 +20,6 @@
 
 use anyhow::{ensure, Context, Result};
 use bytes::Bytes;
-use num_traits::FromPrimitive;
 use openssl::pkey::{self, PKey};
 use openssl::x509::X509;
 use std::fs::File;
@@ -70,13 +69,13 @@
 
 #[derive(Debug)]
 struct Signature {
-    /// TODO(b/246254355): Change the type of signature_algorithm_id to SignatureAlgorithmID
-    signature_algorithm_id: u32,
+    /// Option is used here to allow us to ignore unsupported algorithm.
+    signature_algorithm_id: Option<SignatureAlgorithmID>,
     signature: LengthPrefixed<Bytes>,
 }
 
 struct Digest {
-    signature_algorithm_id: u32,
+    signature_algorithm_id: Option<SignatureAlgorithmID>,
     digest: LengthPrefixed<Bytes>,
 }
 
@@ -142,12 +141,8 @@
         Ok(self
             .signatures
             .iter()
-            .filter(|sig| SignatureAlgorithmID::from_u32(sig.signature_algorithm_id).is_some())
-            .max_by_key(|sig| {
-                SignatureAlgorithmID::from_u32(sig.signature_algorithm_id)
-                    .unwrap()
-                    .to_content_digest_algorithm()
-            })
+            .filter(|sig| sig.signature_algorithm_id.is_some())
+            .max_by_key(|sig| sig.signature_algorithm_id.unwrap().content_digest_algorithm())
             .context("No supported signatures found")?)
     }
 
@@ -159,10 +154,10 @@
             .iter()
             .find(|&dig| dig.signature_algorithm_id == strongest.signature_algorithm_id)
             .context("Digest not found")?;
-        // TODO(b/246254355): Remove this conversion once Digest contains the enum SignatureAlgorithmID
-        let signature_algorithm_id = SignatureAlgorithmID::from_u32(digest.signature_algorithm_id)
-            .context("Unsupported algorithm")?;
-        Ok((signature_algorithm_id, digest.digest.as_ref().to_vec().into_boxed_slice()))
+        Ok((
+            digest.signature_algorithm_id.context("Unsupported algorithm")?,
+            digest.digest.as_ref().to_vec().into_boxed_slice(),
+        ))
     }
 
     /// The steps in this method implements APK Signature Scheme v3 verification step 3.
@@ -202,12 +197,8 @@
             .iter()
             .find(|&dig| dig.signature_algorithm_id == strongest.signature_algorithm_id)
             .unwrap(); // ok to unwrap since we check if two lists are the same above
-        let computed = sections.compute_digest(
-            // TODO(b/246254355): Removes the conversion once Digest contains the enum
-            // SignatureAlgorithmID.
-            SignatureAlgorithmID::from_u32(digest.signature_algorithm_id)
-                .context("Unsupported algorithm")?,
-        )?;
+        let computed = sections
+            .compute_digest(digest.signature_algorithm_id.context("Unsupported algorithm")?)?;
 
         // 6. Verify that the computed digest is identical to the corresponding digest from digests.
         ensure!(
@@ -238,7 +229,8 @@
     signature: &Signature,
     public_key: &PKey<pkey::Public>,
 ) -> Result<()> {
-    let mut verifier = SignatureAlgorithmID::from_u32(signature.signature_algorithm_id)
+    let mut verifier = signature
+        .signature_algorithm_id
         .context("Unsupported algorithm")?
         .new_verifier(public_key)?;
     verifier.update(data)?;