[apk_digest] Move the logic of extracting v4 digest to v4 module
Bug: 248999133
Test: libapkverify.integration_test
Change-Id: Ib0424bef92708de8b2a9f9d9bfa53bce69f971c8
diff --git a/libs/apkverify/src/v3.rs b/libs/apkverify/src/v3.rs
index fac0a7f..db7d8cc 100644
--- a/libs/apkverify/src/v3.rs
+++ b/libs/apkverify/src/v3.rs
@@ -76,9 +76,9 @@
}
#[derive(Debug)]
-struct Signature {
+pub(crate) struct Signature {
/// Option is used here to allow us to ignore unsupported algorithm.
- signature_algorithm_id: Option<SignatureAlgorithmID>,
+ pub(crate) signature_algorithm_id: Option<SignatureAlgorithmID>,
signature: LengthPrefixed<Bytes>,
}
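Review bot: Making `signature_algorithm_id` a `pub(crate)` field lets any module in the crate assign it through a mutable reference, while the new caller in v4.rs only reads it. A read-only accessor on `Signature`, for example `pub(crate) fn algorithm_id(&self) -> Option<SignatureAlgorithmID> { self.signature_algorithm_id }`, would keep the parsed signature record immutable outside v3.rs. This assumes `SignatureAlgorithmID` is `Copy`, which the by-value use in v4.rs suggests but these lines do not show.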
@@ -127,9 +127,9 @@
}
impl Signer {
- /// Select the signature that uses the strongest algorithm according to the preferences of the
- /// v4 signing scheme.
- fn strongest_signature(&self) -> Result<&Signature> {
+ /// Selects the signature that has the strongest supported `SignatureAlgorithmID`.
+ /// The strongest signature is used in both v3 verification and v4 apk digest computation.
+ pub(crate) fn strongest_signature(&self) -> Result<&Signature> {
Ok(self
.signatures
.iter()
@@ -138,14 +138,13 @@
.context("No supported signatures found")?)
}
- pub(crate) fn pick_v4_apk_digest(&self) -> Result<(SignatureAlgorithmID, Box<[u8]>)> {
- let strongest_algorithm_id = self
- .strongest_signature()?
- .signature_algorithm_id
- .context("Strongest signature should contain a valid signature algorithm.")?;
+ pub(crate) fn find_digest_by_algorithm(
+ &self,
+ algorithm_id: SignatureAlgorithmID,
+ ) -> Result<Box<[u8]>> {
let signed_data: SignedData = self.signed_data.slice(..).read()?;
- let digest = signed_data.find_digest_by_algorithm(strongest_algorithm_id)?;
- Ok((strongest_algorithm_id, digest.digest.as_ref().to_vec().into_boxed_slice()))
+ let digest = signed_data.find_digest_by_algorithm(algorithm_id)?;
+ Ok(digest.digest.as_ref().to_vec().into_boxed_slice())
}
/// Verifies the strongest signature from signatures against signed data using public key.
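Review bot: `find_digest_by_algorithm` is a new `pub(crate)` method with no doc comment, and in the lines shown it returns a digest parsed from `signed_data` without checking any signature. Callers in other modules should be told so, for example `/// Returns the digest recorded in the signed data for algorithm_id. The signed data is only parsed here; its signature is not verified by this method.` Because the caller now chooses `algorithm_id`, the doc should also say that it is expected to be the algorithm of `strongest_signature()`. Otherwise the returned digest may not be the one tied to the signature that gets verified; this is inferred, since the verifying method's body lies outside the hunk.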
diff --git a/libs/apkverify/src/v4.rs b/libs/apkverify/src/v4.rs
index d0522a7..9012479 100644
--- a/libs/apkverify/src/v4.rs
+++ b/libs/apkverify/src/v4.rs
@@ -18,7 +18,7 @@
//!
//! [v4]: https://source.android.com/security/apksigning/v4
-use anyhow::{ensure, Result};
+use anyhow::{ensure, Context, Result};
use std::io::{Read, Seek};
use crate::algorithms::SignatureAlgorithmID;
@@ -34,13 +34,17 @@
verify: bool,
) -> Result<(SignatureAlgorithmID, Box<[u8]>)> {
let (signer, mut sections) = extract_signer_and_apk_sections(apk)?;
- let (signature_algorithm_id, extracted_digest) = signer.pick_v4_apk_digest()?;
+ let strongest_algorithm_id = signer
+ .strongest_signature()?
+ .signature_algorithm_id
+ .context("Strongest signature should contain a valid signature algorithm.")?;
+ let extracted_digest = signer.find_digest_by_algorithm(strongest_algorithm_id)?;
if verify {
- let computed_digest = sections.compute_digest(signature_algorithm_id)?;
+ let computed_digest = sections.compute_digest(strongest_algorithm_id)?;
ensure!(
computed_digest == extracted_digest.as_ref(),
"Computed digest does not match the extracted digest."
);
}
- Ok((signature_algorithm_id, extracted_digest))
+ Ok((strongest_algorithm_id, extracted_digest))
}
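Review bot: When `verify` is false, `extracted_digest` is returned exactly as read from the signing block: the comparison with `computed_digest` is skipped and no signature check is visible in these lines. Whether `extract_signer_and_apk_sections` already authenticates the signer cannot be seen from this hunk, so the contract should be written where callers will read it. A comment above the branch such as `// verify == false: the digest is returned as stored in the APK, not recomputed over its sections.` would do, with the same statement repeated in the function's doc comment. The function's signature and doc comment start outside the hunk.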