Alice Wang | 5d0f89a | 2022-09-15 15:06:10 +0000 | [diff] [blame] | 1 | /* |
| 2 | * Copyright (C) 2022 The Android Open Source Project |
| 3 | * |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | * you may not use this file except in compliance with the License. |
| 6 | * You may obtain a copy of the License at |
| 7 | * |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | * |
| 10 | * Unless required by applicable law or agreed to in writing, software |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | * See the License for the specific language governing permissions and |
| 14 | * limitations under the License. |
| 15 | */ |
| 16 | |
| 17 | //! Algorithms used for APK Signature Scheme. |
| 18 | |
Alice Wang | 1ffff62 | 2022-09-16 13:45:47 +0000 | [diff] [blame] | 19 | use anyhow::{ensure, Result}; |
Alice Wang | 0a293bb | 2022-09-19 08:41:40 +0000 | [diff] [blame] | 20 | use num_derive::{FromPrimitive, ToPrimitive}; |
Alice Wang | 2ef3074 | 2022-09-19 11:59:17 +0000 | [diff] [blame^] | 21 | use num_traits::ToPrimitive; |
Alice Wang | 5d0f89a | 2022-09-15 15:06:10 +0000 | [diff] [blame] | 22 | use openssl::hash::MessageDigest; |
Alice Wang | a66b5c0 | 2022-09-16 07:25:17 +0000 | [diff] [blame] | 23 | use openssl::pkey::{self, PKey}; |
| 24 | use openssl::rsa::Padding; |
| 25 | use openssl::sign::Verifier; |
Alice Wang | 2ef3074 | 2022-09-19 11:59:17 +0000 | [diff] [blame^] | 26 | use serde::{Deserialize, Serialize}; |
Alice Wang | 5d0f89a | 2022-09-15 15:06:10 +0000 | [diff] [blame] | 27 | |
| 28 | /// [Signature Algorithm IDs]: https://source.android.com/docs/security/apksigning/v2#signature-algorithm-ids |
Alice Wang | 0a293bb | 2022-09-19 08:41:40 +0000 | [diff] [blame] | 29 | /// [SignatureAlgorithm.java]: (tools/apksig/src/main/java/com/android/apksig/internal/apk/SignatureAlgorithm.java) |
Alice Wang | 5d0f89a | 2022-09-15 15:06:10 +0000 | [diff] [blame] | 30 | /// |
| 31 | /// Some of the algorithms are not implemented. See b/197052981. |
Alice Wang | 2ef3074 | 2022-09-19 11:59:17 +0000 | [diff] [blame^] | 32 | #[derive(Serialize, Deserialize, Clone, Debug, Eq, PartialEq, FromPrimitive, ToPrimitive)] |
Alice Wang | 5d0f89a | 2022-09-15 15:06:10 +0000 | [diff] [blame] | 33 | #[repr(u32)] |
| 34 | pub enum SignatureAlgorithmID { |
Alice Wang | 0a293bb | 2022-09-19 08:41:40 +0000 | [diff] [blame] | 35 | /// RSASSA-PSS with SHA2-256 digest, SHA2-256 MGF1, 32 bytes of salt, trailer: 0xbc, content |
| 36 | /// digested using SHA2-256 in 1 MB chunks. |
Alice Wang | 5d0f89a | 2022-09-15 15:06:10 +0000 | [diff] [blame] | 37 | RsaPssWithSha256 = 0x0101, |
Alice Wang | 0a293bb | 2022-09-19 08:41:40 +0000 | [diff] [blame] | 38 | |
| 39 | /// RSASSA-PSS with SHA2-512 digest, SHA2-512 MGF1, 64 bytes of salt, trailer: 0xbc, content |
| 40 | /// digested using SHA2-512 in 1 MB chunks. |
Alice Wang | 5d0f89a | 2022-09-15 15:06:10 +0000 | [diff] [blame] | 41 | RsaPssWithSha512 = 0x0102, |
Alice Wang | 0a293bb | 2022-09-19 08:41:40 +0000 | [diff] [blame] | 42 | |
| 43 | /// RSASSA-PKCS1-v1_5 with SHA2-256 digest, content digested using SHA2-256 in 1 MB chunks. |
Alice Wang | 5d0f89a | 2022-09-15 15:06:10 +0000 | [diff] [blame] | 44 | RsaPkcs1V15WithSha256 = 0x0103, |
Alice Wang | 0a293bb | 2022-09-19 08:41:40 +0000 | [diff] [blame] | 45 | |
| 46 | /// RSASSA-PKCS1-v1_5 with SHA2-512 digest, content digested using SHA2-512 in 1 MB chunks. |
Alice Wang | 5d0f89a | 2022-09-15 15:06:10 +0000 | [diff] [blame] | 47 | RsaPkcs1V15WithSha512 = 0x0104, |
Alice Wang | 0a293bb | 2022-09-19 08:41:40 +0000 | [diff] [blame] | 48 | |
| 49 | /// ECDSA with SHA2-256 digest, content digested using SHA2-256 in 1 MB chunks. |
Alice Wang | 5d0f89a | 2022-09-15 15:06:10 +0000 | [diff] [blame] | 50 | EcdsaWithSha256 = 0x0201, |
Alice Wang | 0a293bb | 2022-09-19 08:41:40 +0000 | [diff] [blame] | 51 | |
| 52 | /// ECDSA with SHA2-512 digest, content digested using SHA2-512 in 1 MB chunks. |
Alice Wang | 5d0f89a | 2022-09-15 15:06:10 +0000 | [diff] [blame] | 53 | EcdsaWithSha512 = 0x0202, |
Alice Wang | 0a293bb | 2022-09-19 08:41:40 +0000 | [diff] [blame] | 54 | |
| 55 | /// DSA with SHA2-256 digest, content digested using SHA2-256 in 1 MB chunks. |
| 56 | /// Signing is done deterministically according to RFC 6979. |
Alice Wang | 5d0f89a | 2022-09-15 15:06:10 +0000 | [diff] [blame] | 57 | DsaWithSha256 = 0x0301, |
Alice Wang | 0a293bb | 2022-09-19 08:41:40 +0000 | [diff] [blame] | 58 | |
| 59 | /// RSASSA-PKCS1-v1_5 with SHA2-256 digest, content digested using SHA2-256 in 4 KB |
| 60 | /// chunks, in the same way fsverity operates. This digest and the content length |
| 61 | /// (before digestion, 8 bytes in little endian) construct the final digest. |
Alice Wang | 5d0f89a | 2022-09-15 15:06:10 +0000 | [diff] [blame] | 62 | VerityRsaPkcs1V15WithSha256 = 0x0421, |
Alice Wang | 0a293bb | 2022-09-19 08:41:40 +0000 | [diff] [blame] | 63 | |
| 64 | /// ECDSA with SHA2-256 digest, content digested using SHA2-256 in 4 KB chunks, in the |
| 65 | /// same way fsverity operates. This digest and the content length (before digestion, |
| 66 | /// 8 bytes in little endian) construct the final digest. |
Alice Wang | 5d0f89a | 2022-09-15 15:06:10 +0000 | [diff] [blame] | 67 | VerityEcdsaWithSha256 = 0x0423, |
Alice Wang | 0a293bb | 2022-09-19 08:41:40 +0000 | [diff] [blame] | 68 | |
| 69 | /// DSA with SHA2-256 digest, content digested using SHA2-256 in 4 KB chunks, in the |
| 70 | /// same way fsverity operates. This digest and the content length (before digestion, |
| 71 | /// 8 bytes in little endian) construct the final digest. |
Alice Wang | 5d0f89a | 2022-09-15 15:06:10 +0000 | [diff] [blame] | 72 | VerityDsaWithSha256 = 0x0425, |
| 73 | } |
| 74 | |
Alice Wang | 0a293bb | 2022-09-19 08:41:40 +0000 | [diff] [blame] | 75 | impl Default for SignatureAlgorithmID { |
| 76 | fn default() -> Self { |
| 77 | SignatureAlgorithmID::DsaWithSha256 |
| 78 | } |
| 79 | } |
| 80 | |
Alice Wang | 5d0f89a | 2022-09-15 15:06:10 +0000 | [diff] [blame] | 81 | impl SignatureAlgorithmID { |
Alice Wang | 2ef3074 | 2022-09-19 11:59:17 +0000 | [diff] [blame^] | 82 | /// Converts the signature algorithm ID to the corresponding u32. |
| 83 | pub fn to_u32(&self) -> u32 { |
| 84 | ToPrimitive::to_u32(self).expect("Unsupported algorithm for to_u32.") |
| 85 | } |
| 86 | |
Alice Wang | a66b5c0 | 2022-09-16 07:25:17 +0000 | [diff] [blame] | 87 | pub(crate) fn new_verifier<'a>( |
| 88 | &self, |
| 89 | public_key: &'a PKey<pkey::Public>, |
| 90 | ) -> Result<Verifier<'a>> { |
| 91 | ensure!( |
| 92 | !matches!( |
| 93 | self, |
Alice Wang | 455b02b | 2022-09-16 13:32:13 +0000 | [diff] [blame] | 94 | SignatureAlgorithmID::DsaWithSha256 | SignatureAlgorithmID::VerityDsaWithSha256 |
Alice Wang | a66b5c0 | 2022-09-16 07:25:17 +0000 | [diff] [blame] | 95 | ), |
Alice Wang | 2ef3074 | 2022-09-19 11:59:17 +0000 | [diff] [blame^] | 96 | "TODO(b/197052981): Algorithm '{:?}' is not implemented.", |
Alice Wang | a66b5c0 | 2022-09-16 07:25:17 +0000 | [diff] [blame] | 97 | self |
| 98 | ); |
| 99 | ensure!(public_key.id() == self.pkey_id(), "Public key has the wrong ID"); |
| 100 | let mut verifier = Verifier::new(self.new_message_digest(), public_key)?; |
| 101 | if public_key.id() == pkey::Id::RSA { |
| 102 | verifier.set_rsa_padding(self.rsa_padding())?; |
| 103 | } |
| 104 | Ok(verifier) |
| 105 | } |
| 106 | |
| 107 | /// Returns the message digest corresponding to the signature algorithm |
| 108 | /// according to the spec [Signature Algorithm IDs]. |
Alice Wang | 1ffff62 | 2022-09-16 13:45:47 +0000 | [diff] [blame] | 109 | pub(crate) fn new_message_digest(&self) -> MessageDigest { |
Alice Wang | a66b5c0 | 2022-09-16 07:25:17 +0000 | [diff] [blame] | 110 | match self { |
| 111 | SignatureAlgorithmID::RsaPssWithSha256 |
| 112 | | SignatureAlgorithmID::RsaPkcs1V15WithSha256 |
| 113 | | SignatureAlgorithmID::EcdsaWithSha256 |
| 114 | | SignatureAlgorithmID::DsaWithSha256 |
| 115 | | SignatureAlgorithmID::VerityRsaPkcs1V15WithSha256 |
| 116 | | SignatureAlgorithmID::VerityEcdsaWithSha256 |
| 117 | | SignatureAlgorithmID::VerityDsaWithSha256 => MessageDigest::sha256(), |
| 118 | SignatureAlgorithmID::RsaPssWithSha512 |
| 119 | | SignatureAlgorithmID::RsaPkcs1V15WithSha512 |
| 120 | | SignatureAlgorithmID::EcdsaWithSha512 => MessageDigest::sha512(), |
| 121 | } |
| 122 | } |
| 123 | |
| 124 | fn pkey_id(&self) -> pkey::Id { |
| 125 | match self { |
| 126 | SignatureAlgorithmID::RsaPssWithSha256 |
| 127 | | SignatureAlgorithmID::RsaPssWithSha512 |
| 128 | | SignatureAlgorithmID::RsaPkcs1V15WithSha256 |
| 129 | | SignatureAlgorithmID::RsaPkcs1V15WithSha512 |
| 130 | | SignatureAlgorithmID::VerityRsaPkcs1V15WithSha256 => pkey::Id::RSA, |
| 131 | SignatureAlgorithmID::EcdsaWithSha256 |
| 132 | | SignatureAlgorithmID::EcdsaWithSha512 |
| 133 | | SignatureAlgorithmID::VerityEcdsaWithSha256 => pkey::Id::EC, |
| 134 | SignatureAlgorithmID::DsaWithSha256 | SignatureAlgorithmID::VerityDsaWithSha256 => { |
| 135 | pkey::Id::DSA |
| 136 | } |
| 137 | } |
| 138 | } |
| 139 | |
| 140 | fn rsa_padding(&self) -> Padding { |
| 141 | match self { |
| 142 | SignatureAlgorithmID::RsaPssWithSha256 | SignatureAlgorithmID::RsaPssWithSha512 => { |
| 143 | Padding::PKCS1_PSS |
| 144 | } |
| 145 | SignatureAlgorithmID::RsaPkcs1V15WithSha256 |
| 146 | | SignatureAlgorithmID::VerityRsaPkcs1V15WithSha256 |
| 147 | | SignatureAlgorithmID::RsaPkcs1V15WithSha512 => Padding::PKCS1, |
| 148 | SignatureAlgorithmID::EcdsaWithSha256 |
| 149 | | SignatureAlgorithmID::EcdsaWithSha512 |
| 150 | | SignatureAlgorithmID::VerityEcdsaWithSha256 |
| 151 | | SignatureAlgorithmID::DsaWithSha256 |
| 152 | | SignatureAlgorithmID::VerityDsaWithSha256 => Padding::NONE, |
| 153 | } |
| 154 | } |
Alice Wang | 1ffff62 | 2022-09-16 13:45:47 +0000 | [diff] [blame] | 155 | |
Alice Wang | b1e15ca | 2022-09-19 11:06:11 +0000 | [diff] [blame] | 156 | pub(crate) fn to_content_digest_algorithm(&self) -> ContentDigestAlgorithm { |
Alice Wang | 1ffff62 | 2022-09-16 13:45:47 +0000 | [diff] [blame] | 157 | match self { |
| 158 | SignatureAlgorithmID::RsaPssWithSha256 |
| 159 | | SignatureAlgorithmID::RsaPkcs1V15WithSha256 |
| 160 | | SignatureAlgorithmID::EcdsaWithSha256 |
| 161 | | SignatureAlgorithmID::DsaWithSha256 => ContentDigestAlgorithm::ChunkedSha256, |
| 162 | SignatureAlgorithmID::RsaPssWithSha512 |
| 163 | | SignatureAlgorithmID::RsaPkcs1V15WithSha512 |
| 164 | | SignatureAlgorithmID::EcdsaWithSha512 => ContentDigestAlgorithm::ChunkedSha512, |
| 165 | SignatureAlgorithmID::VerityRsaPkcs1V15WithSha256 |
| 166 | | SignatureAlgorithmID::VerityEcdsaWithSha256 |
| 167 | | SignatureAlgorithmID::VerityDsaWithSha256 => { |
| 168 | ContentDigestAlgorithm::VerityChunkedSha256 |
| 169 | } |
| 170 | } |
| 171 | } |
Alice Wang | 5d0f89a | 2022-09-15 15:06:10 +0000 | [diff] [blame] | 172 | } |
| 173 | |
| 174 | /// The rank of the content digest algorithm in this enum is used to help pick |
| 175 | /// v4 apk digest. |
| 176 | /// According to APK Signature Scheme v4, [apk digest] is the first available |
| 177 | /// content digest of the highest rank (rank N). |
| 178 | /// |
| 179 | /// This rank was also used for step 3a of the v3 signature verification. |
| 180 | /// |
| 181 | /// [apk digest]: https://source.android.com/docs/security/features/apksigning/v4#apk-digest |
| 182 | /// [v3 verification]: https://source.android.com/docs/security/apksigning/v3#v3-verification |
| 183 | #[derive(Clone, Debug, PartialEq, Eq, PartialOrd, Ord)] |
Alice Wang | b1e15ca | 2022-09-19 11:06:11 +0000 | [diff] [blame] | 184 | pub(crate) enum ContentDigestAlgorithm { |
Alice Wang | 5d0f89a | 2022-09-15 15:06:10 +0000 | [diff] [blame] | 185 | ChunkedSha256 = 1, |
| 186 | VerityChunkedSha256, |
| 187 | ChunkedSha512, |
| 188 | } |