Jooyung Han12a0b702021-08-05 23:20:31 +09001/*
2 * Copyright (C) 2021 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
Andrew Walbran117cd5e2021-08-13 11:42:13 +000017use apkverify::{testing::assert_contains, verify};
Jooyung Hancee6de62021-08-11 15:52:07 +090018use std::matches;
/// Key-size labels substituted into the `v3-only-with-dsa-sha256-{}.apk` fixture names.
const KEY_NAMES_DSA: &[&str] = &["1024", "2048", "3072"];

/// Curve labels substituted into the `v3-only-with-ecdsa-sha{256,512}-{}.apk` fixture names.
const KEY_NAMES_ECDSA: &[&str] = &["p256", "p384", "p521"];

/// Key-size labels substituted into the `v3-only-with-rsa-pkcs1-sha{256,512}-{}.apk`
/// fixture names.
const KEY_NAMES_RSA: &[&str] = &["1024", "2048", "3072", "4096", "8192", "16384"];
/// Verifying `v2-only-truncated-cd.apk` must fail, and the root cause of the failure
/// must be a `ZipError::InvalidArchive`.
///
/// NOTE(review): "cd" presumably refers to the ZIP central directory; confirm against
/// how the fixture was generated.
#[test]
fn test_verify_truncated_cd() {
    use zip::result::ZipError;
    let outcome = verify("tests/data/v2-only-truncated-cd.apk");
    // TODO(jooyung): consider making a helper for err assertion
    let failure = outcome.unwrap_err();
    // Walk to the innermost error so the check is independent of any added context.
    let zip_err = failure.root_cause().downcast_ref::<ZipError>().unwrap();
    assert!(matches!(zip_err, ZipError::InvalidArchive(_)));
}
/// The `test.apex` fixture must pass verification.
#[test]
fn test_verify_v3() {
    let outcome = verify("tests/data/test.apex");
    assert!(outcome.is_ok());
}
39
40// TODO(b/190343842)
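/// Every DSA/SHA-256 fixture must currently be rejected with the "not implemented
/// signature algorithm" error tracked by b/190343842.
///
/// This pins the fail-closed behaviour: an algorithm the verifier does not implement
/// must produce an error, never a successful verification.
#[test]
fn test_verify_v3_dsa_sha256() {
    for key_name in KEY_NAMES_DSA.iter() {
        let path = format!("tests/data/v3-only-with-dsa-sha256-{}.apk", key_name);
        let res = verify(&path);
        // Name the fixture so a failing iteration can be identified from the test output.
        assert!(res.is_err(), "{} was accepted but must be rejected", path);
        assert_contains(
            &res.unwrap_err().to_string(),
            "TODO(b/190343842) not implemented signature algorithm",
        );
    }
}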
52
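/// Every ECDSA/SHA-256 fixture (one per curve in `KEY_NAMES_ECDSA`) must verify.
#[test]
fn test_verify_v3_ecdsa_sha256() {
    for key_name in KEY_NAMES_ECDSA.iter() {
        let path = format!("tests/data/v3-only-with-ecdsa-sha256-{}.apk", key_name);
        let res = verify(&path);
        // Report which fixture failed and why; a bare `is_ok()` assertion hides both.
        assert!(res.is_ok(), "{} failed to verify: {:?}", path, res.err());
    }
}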
59
60// TODO(b/190343842)
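/// Every ECDSA/SHA-512 fixture must currently be rejected with the "not implemented
/// signature algorithm" error tracked by b/190343842.
///
/// As with the DSA case, the point is that an unimplemented algorithm results in an
/// error rather than a successful verification.
#[test]
fn test_verify_v3_ecdsa_sha512() {
    for key_name in KEY_NAMES_ECDSA.iter() {
        let path = format!("tests/data/v3-only-with-ecdsa-sha512-{}.apk", key_name);
        let res = verify(&path);
        // Name the fixture so a failing iteration can be identified from the test output.
        assert!(res.is_err(), "{} was accepted but must be rejected", path);
        assert_contains(
            &res.unwrap_err().to_string(),
            "TODO(b/190343842) not implemented signature algorithm",
        );
    }
}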
72
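/// Every RSA PKCS#1/SHA-256 fixture (one per key size in `KEY_NAMES_RSA`) must verify.
#[test]
fn test_verify_v3_rsa_sha256() {
    for key_name in KEY_NAMES_RSA.iter() {
        let path = format!("tests/data/v3-only-with-rsa-pkcs1-sha256-{}.apk", key_name);
        let res = verify(&path);
        // Report which key size failed and why; a bare `is_ok()` assertion hides both.
        assert!(res.is_ok(), "{} failed to verify: {:?}", path, res.err());
    }
}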
81
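/// Every RSA PKCS#1/SHA-512 fixture (one per key size in `KEY_NAMES_RSA`) must verify.
#[test]
fn test_verify_v3_rsa_sha512() {
    for key_name in KEY_NAMES_RSA.iter() {
        let path = format!("tests/data/v3-only-with-rsa-pkcs1-sha512-{}.apk", key_name);
        let res = verify(&path);
        // Report which key size failed and why; a bare `is_ok()` assertion hides both.
        assert!(res.is_ok(), "{} failed to verify: {:?}", path, res.err());
    }
}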
90
91// TODO(b/190343842)
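/// Fixtures whose names end in `sig-does-not-verify` must be rejected.
///
/// Each fixture is accepted as "correctly rejected" if the error mentions either
/// "Signature is invalid" or the "not implemented signature algorithm" placeholder.
#[test]
fn test_verify_v3_sig_does_not_verify() {
    let path_list = [
        "tests/data/v3-only-with-dsa-sha256-2048-sig-does-not-verify.apk",
        "tests/data/v3-only-with-ecdsa-sha512-p521-sig-does-not-verify.apk",
        "tests/data/v3-only-with-rsa-pkcs1-sha256-3072-sig-does-not-verify.apk",
    ];
    for path in path_list.iter() {
        let res = verify(path);
        assert!(res.is_err(), "{} was accepted but must be rejected", path);
        let error_msg = &res.unwrap_err().to_string();
        // NOTE(review): a fixture that fails with the "not implemented" error is
        // presumably rejected before its signature is ever checked, so it does not
        // exercise the invalid-signature path. Once b/190343842 is resolved, drop the
        // second alternative so every fixture has to fail with "Signature is invalid".
        assert!(
            error_msg.contains("Signature is invalid")
                || error_msg.contains("TODO(b/190343842) not implemented signature algorithm"),
            "{}: rejected with an unexpected error: {}",
            path,
            error_msg
        );
    }
}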
109
110// TODO(b/190343842)
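/// Fixtures whose names end in `digest-mismatch` must be rejected.
///
/// Each fixture is accepted as "correctly rejected" if the error mentions either
/// "Digest mismatch" or the "not implemented signature algorithm" placeholder.
#[test]
fn test_verify_v3_digest_mismatch() {
    let path_list = [
        "tests/data/v3-only-with-dsa-sha256-3072-digest-mismatch.apk",
        "tests/data/v3-only-with-rsa-pkcs1-sha512-8192-digest-mismatch.apk",
    ];
    for path in path_list.iter() {
        let res = verify(path);
        assert!(res.is_err(), "{} was accepted but must be rejected", path);
        let error_msg = &res.unwrap_err().to_string();
        // NOTE(review): a fixture that fails with the "not implemented" error is
        // presumably rejected before any digest is compared, so it does not exercise
        // the digest check. Once b/190343842 is resolved, drop the second alternative
        // so every fixture has to fail with "Digest mismatch".
        assert!(
            error_msg.contains("Digest mismatch")
                || error_msg.contains("TODO(b/190343842) not implemented signature algorithm"),
            "{}: rejected with an unexpected error: {}",
            path,
            error_msg
        );
    }
}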
127
/// A fixture named for a wrong APK Signing Block magic must be rejected with an error
/// containing "No APK Signing Block".
#[test]
fn test_verify_v3_wrong_apk_sig_block_magic() {
    let outcome =
        verify("tests/data/v3-only-with-ecdsa-sha512-p384-wrong-apk-sig-block-magic.apk");
    assert!(outcome.is_err());
    let message = outcome.unwrap_err().to_string();
    assert_contains(&message, "No APK Signing Block");
}
134
/// A fixture named for mismatching APK Signing Block sizes must be rejected with the
/// header/footer size-mismatch error.
#[test]
fn test_verify_v3_apk_sig_block_size_mismatch() {
    let outcome =
        verify("tests/data/v3-only-with-rsa-pkcs1-sha512-4096-apk-sig-block-size-mismatch.apk");
    assert!(outcome.is_err());
    let message = outcome.unwrap_err().to_string();
    assert_contains(&message, "APK Signing Block sizes in header and footer do not match");
}
145
/// A fixture named for a certificate/public-key mismatch must be rejected with an error
/// containing "Public key mismatch".
#[test]
fn test_verify_v3_cert_and_public_key_mismatch() {
    let outcome = verify("tests/data/v3-only-cert-and-public-key-mismatch.apk");
    assert!(outcome.is_err());
    let message = outcome.unwrap_err().to_string();
    assert_contains(&message, "Public key mismatch");
}
152
/// The `v3-only-empty.apk` fixture must be rejected with an error containing
/// "APK too small for APK Signing Block".
#[test]
fn test_verify_v3_empty() {
    let outcome = verify("tests/data/v3-only-empty.apk");
    assert!(outcome.is_err());
    let message = outcome.unwrap_err().to_string();
    assert_contains(&message, "APK too small for APK Signing Block");
}
159
/// A fixture named for a signature without certificates must be rejected with an error
/// containing "No certificates listed".
#[test]
fn test_verify_v3_no_certs_in_sig() {
    let outcome = verify("tests/data/v3-only-no-certs-in-sig.apk");
    assert!(outcome.is_err());
    let message = outcome.unwrap_err().to_string();
    assert_contains(&message, "No certificates listed");
}
166
/// A fixture named for having no supported signature algorithms must be rejected with an
/// error containing "No supported signatures found".
#[test]
fn test_verify_v3_no_supported_sig_algs() {
    let outcome = verify("tests/data/v3-only-no-supported-sig-algs.apk");
    assert!(outcome.is_err());
    let message = outcome.unwrap_err().to_string();
    assert_contains(&message, "No supported signatures found");
}
173
/// A fixture named for a signatures/digests block mismatch must be rejected with the
/// error saying the algorithms differ between the digests and signatures records.
#[test]
fn test_verify_v3_signatures_and_digests_block_mismatch() {
    let outcome = verify("tests/data/v3-only-signatures-and-digests-block-mismatch.apk");
    assert!(outcome.is_err());
    let message = outcome.unwrap_err().to_string();
    assert_contains(
        &message,
        "Signature algorithms don't match between digests and signatures records",
    );
}
183
/// The `v3-only-unknown-additional-attr.apk` fixture must still verify.
///
/// NOTE(review): judging by the fixture name, this pins that an unrecognised additional
/// attribute is tolerated rather than treated as a verification failure; confirm that
/// this is the intended policy.
#[test]
fn test_verify_v3_unknown_additional_attr() {
    let outcome = verify("tests/data/v3-only-unknown-additional-attr.apk");
    assert!(outcome.is_ok());
}
188
/// The `v3-only-unknown-pair-in-apk-sig-block.apk` fixture must still verify.
///
/// NOTE(review): judging by the fixture name, this pins that an unrecognised pair inside
/// the APK Signing Block is skipped rather than rejected; confirm that this is the
/// intended policy.
#[test]
fn test_verify_v3_unknown_pair_in_apk_sig_block() {
    let outcome = verify("tests/data/v3-only-unknown-pair-in-apk-sig-block.apk");
    assert!(outcome.is_ok());
}
193
/// The `v3-only-with-ignorable-unsupported-sig-algs.apk` fixture must still verify.
///
/// NOTE(review): the fixture name suggests it carries unsupported algorithms alongside
/// at least one supported one; this test only shows that verification succeeds, not
/// which signature was actually used.
#[test]
fn test_verify_v3_ignorable_unsupported_sig_algs() {
    let outcome = verify("tests/data/v3-only-with-ignorable-unsupported-sig-algs.apk");
    assert!(outcome.is_ok());
}
198
/// The `v3-only-with-stamp.apk` fixture must pass verification.
#[test]
fn test_verify_v3_stamp() {
    let outcome = verify("tests/data/v3-only-with-stamp.apk");
    assert!(outcome.is_ok());
}