blob: 622df3b9151efee00c7bd1016deeaddab651d5f4 [file] [log] [blame]
Alice Wang5d0f89a2022-09-15 15:06:10 +00001/*
2 * Copyright (C) 2022 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17//! Algorithms used for APK Signature Scheme.
18
Alice Wang1ffff622022-09-16 13:45:47 +000019use anyhow::{ensure, Result};
Alice Wang0a293bb2022-09-19 08:41:40 +000020use num_derive::{FromPrimitive, ToPrimitive};
Alice Wang2ef30742022-09-19 11:59:17 +000021use num_traits::ToPrimitive;
Alice Wang5d0f89a2022-09-15 15:06:10 +000022use openssl::hash::MessageDigest;
Alice Wanga66b5c02022-09-16 07:25:17 +000023use openssl::pkey::{self, PKey};
24use openssl::rsa::Padding;
25use openssl::sign::Verifier;
Alice Wang2ef30742022-09-19 11:59:17 +000026use serde::{Deserialize, Serialize};
Alice Wang5d0f89a2022-09-15 15:06:10 +000027
28/// [Signature Algorithm IDs]: https://source.android.com/docs/security/apksigning/v2#signature-algorithm-ids
Alice Wang0a293bb2022-09-19 08:41:40 +000029/// [SignatureAlgorithm.java]: (tools/apksig/src/main/java/com/android/apksig/internal/apk/SignatureAlgorithm.java)
Alice Wang5d0f89a2022-09-15 15:06:10 +000030///
31/// Some of the algorithms are not implemented. See b/197052981.
Alice Wang2ef30742022-09-19 11:59:17 +000032#[derive(Serialize, Deserialize, Clone, Debug, Eq, PartialEq, FromPrimitive, ToPrimitive)]
Alice Wang5d0f89a2022-09-15 15:06:10 +000033#[repr(u32)]
34pub enum SignatureAlgorithmID {
Alice Wang0a293bb2022-09-19 08:41:40 +000035 /// RSASSA-PSS with SHA2-256 digest, SHA2-256 MGF1, 32 bytes of salt, trailer: 0xbc, content
36 /// digested using SHA2-256 in 1 MB chunks.
Alice Wang5d0f89a2022-09-15 15:06:10 +000037 RsaPssWithSha256 = 0x0101,
Alice Wang0a293bb2022-09-19 08:41:40 +000038
39 /// RSASSA-PSS with SHA2-512 digest, SHA2-512 MGF1, 64 bytes of salt, trailer: 0xbc, content
40 /// digested using SHA2-512 in 1 MB chunks.
Alice Wang5d0f89a2022-09-15 15:06:10 +000041 RsaPssWithSha512 = 0x0102,
Alice Wang0a293bb2022-09-19 08:41:40 +000042
43 /// RSASSA-PKCS1-v1_5 with SHA2-256 digest, content digested using SHA2-256 in 1 MB chunks.
Alice Wang5d0f89a2022-09-15 15:06:10 +000044 RsaPkcs1V15WithSha256 = 0x0103,
Alice Wang0a293bb2022-09-19 08:41:40 +000045
46 /// RSASSA-PKCS1-v1_5 with SHA2-512 digest, content digested using SHA2-512 in 1 MB chunks.
Alice Wang5d0f89a2022-09-15 15:06:10 +000047 RsaPkcs1V15WithSha512 = 0x0104,
Alice Wang0a293bb2022-09-19 08:41:40 +000048
49 /// ECDSA with SHA2-256 digest, content digested using SHA2-256 in 1 MB chunks.
Alice Wang5d0f89a2022-09-15 15:06:10 +000050 EcdsaWithSha256 = 0x0201,
Alice Wang0a293bb2022-09-19 08:41:40 +000051
52 /// ECDSA with SHA2-512 digest, content digested using SHA2-512 in 1 MB chunks.
Alice Wang5d0f89a2022-09-15 15:06:10 +000053 EcdsaWithSha512 = 0x0202,
Alice Wang0a293bb2022-09-19 08:41:40 +000054
55 /// DSA with SHA2-256 digest, content digested using SHA2-256 in 1 MB chunks.
56 /// Signing is done deterministically according to RFC 6979.
Alice Wang5d0f89a2022-09-15 15:06:10 +000057 DsaWithSha256 = 0x0301,
Alice Wang0a293bb2022-09-19 08:41:40 +000058
59 /// RSASSA-PKCS1-v1_5 with SHA2-256 digest, content digested using SHA2-256 in 4 KB
60 /// chunks, in the same way fsverity operates. This digest and the content length
61 /// (before digestion, 8 bytes in little endian) construct the final digest.
Alice Wang5d0f89a2022-09-15 15:06:10 +000062 VerityRsaPkcs1V15WithSha256 = 0x0421,
Alice Wang0a293bb2022-09-19 08:41:40 +000063
64 /// ECDSA with SHA2-256 digest, content digested using SHA2-256 in 4 KB chunks, in the
65 /// same way fsverity operates. This digest and the content length (before digestion,
66 /// 8 bytes in little endian) construct the final digest.
Alice Wang5d0f89a2022-09-15 15:06:10 +000067 VerityEcdsaWithSha256 = 0x0423,
Alice Wang0a293bb2022-09-19 08:41:40 +000068
69 /// DSA with SHA2-256 digest, content digested using SHA2-256 in 4 KB chunks, in the
70 /// same way fsverity operates. This digest and the content length (before digestion,
71 /// 8 bytes in little endian) construct the final digest.
Alice Wang5d0f89a2022-09-15 15:06:10 +000072 VerityDsaWithSha256 = 0x0425,
73}
74
Alice Wang0a293bb2022-09-19 08:41:40 +000075impl Default for SignatureAlgorithmID {
76 fn default() -> Self {
77 SignatureAlgorithmID::DsaWithSha256
78 }
79}
80
Alice Wang5d0f89a2022-09-15 15:06:10 +000081impl SignatureAlgorithmID {
Alice Wang2ef30742022-09-19 11:59:17 +000082 /// Converts the signature algorithm ID to the corresponding u32.
83 pub fn to_u32(&self) -> u32 {
84 ToPrimitive::to_u32(self).expect("Unsupported algorithm for to_u32.")
85 }
86
Alice Wanga66b5c02022-09-16 07:25:17 +000087 pub(crate) fn new_verifier<'a>(
88 &self,
89 public_key: &'a PKey<pkey::Public>,
90 ) -> Result<Verifier<'a>> {
91 ensure!(
92 !matches!(
93 self,
Alice Wang455b02b2022-09-16 13:32:13 +000094 SignatureAlgorithmID::DsaWithSha256 | SignatureAlgorithmID::VerityDsaWithSha256
Alice Wanga66b5c02022-09-16 07:25:17 +000095 ),
Alice Wang2ef30742022-09-19 11:59:17 +000096 "TODO(b/197052981): Algorithm '{:?}' is not implemented.",
Alice Wanga66b5c02022-09-16 07:25:17 +000097 self
98 );
99 ensure!(public_key.id() == self.pkey_id(), "Public key has the wrong ID");
100 let mut verifier = Verifier::new(self.new_message_digest(), public_key)?;
101 if public_key.id() == pkey::Id::RSA {
102 verifier.set_rsa_padding(self.rsa_padding())?;
103 }
104 Ok(verifier)
105 }
106
107 /// Returns the message digest corresponding to the signature algorithm
108 /// according to the spec [Signature Algorithm IDs].
Alice Wang1ffff622022-09-16 13:45:47 +0000109 pub(crate) fn new_message_digest(&self) -> MessageDigest {
Alice Wanga66b5c02022-09-16 07:25:17 +0000110 match self {
111 SignatureAlgorithmID::RsaPssWithSha256
112 | SignatureAlgorithmID::RsaPkcs1V15WithSha256
113 | SignatureAlgorithmID::EcdsaWithSha256
114 | SignatureAlgorithmID::DsaWithSha256
115 | SignatureAlgorithmID::VerityRsaPkcs1V15WithSha256
116 | SignatureAlgorithmID::VerityEcdsaWithSha256
117 | SignatureAlgorithmID::VerityDsaWithSha256 => MessageDigest::sha256(),
118 SignatureAlgorithmID::RsaPssWithSha512
119 | SignatureAlgorithmID::RsaPkcs1V15WithSha512
120 | SignatureAlgorithmID::EcdsaWithSha512 => MessageDigest::sha512(),
121 }
122 }
123
124 fn pkey_id(&self) -> pkey::Id {
125 match self {
126 SignatureAlgorithmID::RsaPssWithSha256
127 | SignatureAlgorithmID::RsaPssWithSha512
128 | SignatureAlgorithmID::RsaPkcs1V15WithSha256
129 | SignatureAlgorithmID::RsaPkcs1V15WithSha512
130 | SignatureAlgorithmID::VerityRsaPkcs1V15WithSha256 => pkey::Id::RSA,
131 SignatureAlgorithmID::EcdsaWithSha256
132 | SignatureAlgorithmID::EcdsaWithSha512
133 | SignatureAlgorithmID::VerityEcdsaWithSha256 => pkey::Id::EC,
134 SignatureAlgorithmID::DsaWithSha256 | SignatureAlgorithmID::VerityDsaWithSha256 => {
135 pkey::Id::DSA
136 }
137 }
138 }
139
140 fn rsa_padding(&self) -> Padding {
141 match self {
142 SignatureAlgorithmID::RsaPssWithSha256 | SignatureAlgorithmID::RsaPssWithSha512 => {
143 Padding::PKCS1_PSS
144 }
145 SignatureAlgorithmID::RsaPkcs1V15WithSha256
146 | SignatureAlgorithmID::VerityRsaPkcs1V15WithSha256
147 | SignatureAlgorithmID::RsaPkcs1V15WithSha512 => Padding::PKCS1,
148 SignatureAlgorithmID::EcdsaWithSha256
149 | SignatureAlgorithmID::EcdsaWithSha512
150 | SignatureAlgorithmID::VerityEcdsaWithSha256
151 | SignatureAlgorithmID::DsaWithSha256
152 | SignatureAlgorithmID::VerityDsaWithSha256 => Padding::NONE,
153 }
154 }
Alice Wang1ffff622022-09-16 13:45:47 +0000155
Alice Wangb1e15ca2022-09-19 11:06:11 +0000156 pub(crate) fn to_content_digest_algorithm(&self) -> ContentDigestAlgorithm {
Alice Wang1ffff622022-09-16 13:45:47 +0000157 match self {
158 SignatureAlgorithmID::RsaPssWithSha256
159 | SignatureAlgorithmID::RsaPkcs1V15WithSha256
160 | SignatureAlgorithmID::EcdsaWithSha256
161 | SignatureAlgorithmID::DsaWithSha256 => ContentDigestAlgorithm::ChunkedSha256,
162 SignatureAlgorithmID::RsaPssWithSha512
163 | SignatureAlgorithmID::RsaPkcs1V15WithSha512
164 | SignatureAlgorithmID::EcdsaWithSha512 => ContentDigestAlgorithm::ChunkedSha512,
165 SignatureAlgorithmID::VerityRsaPkcs1V15WithSha256
166 | SignatureAlgorithmID::VerityEcdsaWithSha256
167 | SignatureAlgorithmID::VerityDsaWithSha256 => {
168 ContentDigestAlgorithm::VerityChunkedSha256
169 }
170 }
171 }
Alice Wang5d0f89a2022-09-15 15:06:10 +0000172}
173
174/// The rank of the content digest algorithm in this enum is used to help pick
175/// v4 apk digest.
176/// According to APK Signature Scheme v4, [apk digest] is the first available
177/// content digest of the highest rank (rank N).
178///
179/// This rank was also used for step 3a of the v3 signature verification.
180///
181/// [apk digest]: https://source.android.com/docs/security/features/apksigning/v4#apk-digest
182/// [v3 verification]: https://source.android.com/docs/security/apksigning/v3#v3-verification
183#[derive(Clone, Debug, PartialEq, Eq, PartialOrd, Ord)]
Alice Wangb1e15ca2022-09-19 11:06:11 +0000184pub(crate) enum ContentDigestAlgorithm {
Alice Wang5d0f89a2022-09-15 15:06:10 +0000185 ChunkedSha256 = 1,
186 VerityChunkedSha256,
187 ChunkedSha512,
188}