Gitiles
Code Review Sign In
gerrit.omnirom.org / android_packages_modules_Virtualization / 3bae36ceec768e58f4b3c5ff1a9e05e940f0c25b / . / libs / apkverify / src / algorithms.rs
blob: a1cf368e07c3161b80e80d536d3f9ebea67affe5 [file] [log] [blame]
Alice Wang5d0f89a2022-09-15 15:06:10 +0000[diff] [blame]1/*
2 * Copyright (C) 2022 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17//! Algorithms used for APK Signature Scheme.
18
Alice Wang1ffff622022-09-16 13:45:47 +0000[diff] [blame]19use anyhow::{ensure, Result};
Alice Wangd73d0ff2022-09-20 11:33:30 +0000[diff] [blame]20use bytes::{Buf, Bytes};
Alice Wang0a293bb2022-09-19 08:41:40 +0000[diff] [blame]21use num_derive::{FromPrimitive, ToPrimitive};
Alice Wangd73d0ff2022-09-20 11:33:30 +0000[diff] [blame]22use num_traits::{FromPrimitive, ToPrimitive};
Alice Wang5d0f89a2022-09-15 15:06:10 +0000[diff] [blame]23use openssl::hash::MessageDigest;
Alice Wanga66b5c02022-09-16 07:25:17 +0000[diff] [blame]24use openssl::pkey::{self, PKey};
25use openssl::rsa::Padding;
26use openssl::sign::Verifier;
Alice Wang2ef30742022-09-19 11:59:17 +0000[diff] [blame]27use serde::{Deserialize, Serialize};
Alice Wang5d0f89a2022-09-15 15:06:10 +0000[diff] [blame]28
Alice Wangd73d0ff2022-09-20 11:33:30 +0000[diff] [blame]29use crate::bytes_ext::ReadFromBytes;
30
Alice Wang5d0f89a2022-09-15 15:06:10 +0000[diff] [blame]31/// [Signature Algorithm IDs]: https://source.android.com/docs/security/apksigning/v2#signature-algorithm-ids
Alice Wang0a293bb2022-09-19 08:41:40 +0000[diff] [blame]32/// [SignatureAlgorithm.java]: (tools/apksig/src/main/java/com/android/apksig/internal/apk/SignatureAlgorithm.java)
Alice Wang5d0f89a2022-09-15 15:06:10 +0000[diff] [blame]33///
34/// Some of the algorithms are not implemented. See b/197052981.
Alice Wangd73d0ff2022-09-20 11:33:30 +0000[diff] [blame]35#[derive(Serialize, Deserialize, Clone, Copy, Debug, Eq, PartialEq, FromPrimitive, ToPrimitive)]
Alice Wang5d0f89a2022-09-15 15:06:10 +0000[diff] [blame]36#[repr(u32)]
37pub enum SignatureAlgorithmID {
Alice Wang0a293bb2022-09-19 08:41:40 +0000[diff] [blame]38 /// RSASSA-PSS with SHA2-256 digest, SHA2-256 MGF1, 32 bytes of salt, trailer: 0xbc, content
39 /// digested using SHA2-256 in 1 MB chunks.
Alice Wang5d0f89a2022-09-15 15:06:10 +0000[diff] [blame]40 RsaPssWithSha256 = 0x0101,
Alice Wang0a293bb2022-09-19 08:41:40 +0000[diff] [blame]41
42 /// RSASSA-PSS with SHA2-512 digest, SHA2-512 MGF1, 64 bytes of salt, trailer: 0xbc, content
43 /// digested using SHA2-512 in 1 MB chunks.
Alice Wang5d0f89a2022-09-15 15:06:10 +0000[diff] [blame]44 RsaPssWithSha512 = 0x0102,
Alice Wang0a293bb2022-09-19 08:41:40 +0000[diff] [blame]45
46 /// RSASSA-PKCS1-v1_5 with SHA2-256 digest, content digested using SHA2-256 in 1 MB chunks.
Alice Wang5d0f89a2022-09-15 15:06:10 +0000[diff] [blame]47 RsaPkcs1V15WithSha256 = 0x0103,
Alice Wang0a293bb2022-09-19 08:41:40 +0000[diff] [blame]48
49 /// RSASSA-PKCS1-v1_5 with SHA2-512 digest, content digested using SHA2-512 in 1 MB chunks.
Alice Wang5d0f89a2022-09-15 15:06:10 +0000[diff] [blame]50 RsaPkcs1V15WithSha512 = 0x0104,
Alice Wang0a293bb2022-09-19 08:41:40 +0000[diff] [blame]51
52 /// ECDSA with SHA2-256 digest, content digested using SHA2-256 in 1 MB chunks.
Alice Wang5d0f89a2022-09-15 15:06:10 +0000[diff] [blame]53 EcdsaWithSha256 = 0x0201,
Alice Wang0a293bb2022-09-19 08:41:40 +0000[diff] [blame]54
55 /// ECDSA with SHA2-512 digest, content digested using SHA2-512 in 1 MB chunks.
Alice Wang5d0f89a2022-09-15 15:06:10 +0000[diff] [blame]56 EcdsaWithSha512 = 0x0202,
Alice Wang0a293bb2022-09-19 08:41:40 +0000[diff] [blame]57
58 /// DSA with SHA2-256 digest, content digested using SHA2-256 in 1 MB chunks.
59 /// Signing is done deterministically according to RFC 6979.
Alice Wang5d0f89a2022-09-15 15:06:10 +0000[diff] [blame]60 DsaWithSha256 = 0x0301,
Alice Wang0a293bb2022-09-19 08:41:40 +0000[diff] [blame]61
62 /// RSASSA-PKCS1-v1_5 with SHA2-256 digest, content digested using SHA2-256 in 4 KB
63 /// chunks, in the same way fsverity operates. This digest and the content length
64 /// (before digestion, 8 bytes in little endian) construct the final digest.
Alice Wang5d0f89a2022-09-15 15:06:10 +0000[diff] [blame]65 VerityRsaPkcs1V15WithSha256 = 0x0421,
Alice Wang0a293bb2022-09-19 08:41:40 +0000[diff] [blame]66
67 /// ECDSA with SHA2-256 digest, content digested using SHA2-256 in 4 KB chunks, in the
68 /// same way fsverity operates. This digest and the content length (before digestion,
69 /// 8 bytes in little endian) construct the final digest.
Alice Wang5d0f89a2022-09-15 15:06:10 +0000[diff] [blame]70 VerityEcdsaWithSha256 = 0x0423,
Alice Wang0a293bb2022-09-19 08:41:40 +0000[diff] [blame]71
72 /// DSA with SHA2-256 digest, content digested using SHA2-256 in 4 KB chunks, in the
73 /// same way fsverity operates. This digest and the content length (before digestion,
74 /// 8 bytes in little endian) construct the final digest.
Alice Wang5d0f89a2022-09-15 15:06:10 +0000[diff] [blame]75 VerityDsaWithSha256 = 0x0425,
76}
77
Alice Wang0a293bb2022-09-19 08:41:40 +0000[diff] [blame]78impl Default for SignatureAlgorithmID {
79 fn default() -> Self {
80 SignatureAlgorithmID::DsaWithSha256
81 }
82}
83
Alice Wangd73d0ff2022-09-20 11:33:30 +0000[diff] [blame]84impl ReadFromBytes for Option<SignatureAlgorithmID> {
85 fn read_from_bytes(buf: &mut Bytes) -> Result<Self> {
86 Ok(SignatureAlgorithmID::from_u32(buf.get_u32_le()))
87 }
88}
89
Alice Wang5d0f89a2022-09-15 15:06:10 +0000[diff] [blame]90impl SignatureAlgorithmID {
Alice Wang2ef30742022-09-19 11:59:17 +0000[diff] [blame]91 /// Converts the signature algorithm ID to the corresponding u32.
92 pub fn to_u32(&self) -> u32 {
93 ToPrimitive::to_u32(self).expect("Unsupported algorithm for to_u32.")
94 }
95
Alice Wanga66b5c02022-09-16 07:25:17 +0000[diff] [blame]96 pub(crate) fn new_verifier<'a>(
97 &self,
98 public_key: &'a PKey<pkey::Public>,
99 ) -> Result<Verifier<'a>> {
Andrew Scull3bae36c2022-09-21 21:55:42 +0000[diff] [blame^]100 ensure!(
101 !matches!(
102 self,
103 SignatureAlgorithmID::DsaWithSha256 | SignatureAlgorithmID::VerityDsaWithSha256
104 ),
105 "TODO(b/197052981): Algorithm '{:?}' is not implemented.",
106 self
107 );
Alice Wanga66b5c02022-09-16 07:25:17 +0000[diff] [blame]108 ensure!(public_key.id() == self.pkey_id(), "Public key has the wrong ID");
109 let mut verifier = Verifier::new(self.new_message_digest(), public_key)?;
110 if public_key.id() == pkey::Id::RSA {
111 verifier.set_rsa_padding(self.rsa_padding())?;
112 }
113 Ok(verifier)
114 }
115
116 /// Returns the message digest corresponding to the signature algorithm
117 /// according to the spec [Signature Algorithm IDs].
Alice Wang1ffff622022-09-16 13:45:47 +0000[diff] [blame]118 pub(crate) fn new_message_digest(&self) -> MessageDigest {
Alice Wanga66b5c02022-09-16 07:25:17 +0000[diff] [blame]119 match self {
120 SignatureAlgorithmID::RsaPssWithSha256
121 | SignatureAlgorithmID::RsaPkcs1V15WithSha256
122 | SignatureAlgorithmID::EcdsaWithSha256
123 | SignatureAlgorithmID::DsaWithSha256
124 | SignatureAlgorithmID::VerityRsaPkcs1V15WithSha256
125 | SignatureAlgorithmID::VerityEcdsaWithSha256
126 | SignatureAlgorithmID::VerityDsaWithSha256 => MessageDigest::sha256(),
127 SignatureAlgorithmID::RsaPssWithSha512
128 | SignatureAlgorithmID::RsaPkcs1V15WithSha512
129 | SignatureAlgorithmID::EcdsaWithSha512 => MessageDigest::sha512(),
130 }
131 }
132
133 fn pkey_id(&self) -> pkey::Id {
134 match self {
135 SignatureAlgorithmID::RsaPssWithSha256
136 | SignatureAlgorithmID::RsaPssWithSha512
137 | SignatureAlgorithmID::RsaPkcs1V15WithSha256
138 | SignatureAlgorithmID::RsaPkcs1V15WithSha512
139 | SignatureAlgorithmID::VerityRsaPkcs1V15WithSha256 => pkey::Id::RSA,
140 SignatureAlgorithmID::EcdsaWithSha256
141 | SignatureAlgorithmID::EcdsaWithSha512
142 | SignatureAlgorithmID::VerityEcdsaWithSha256 => pkey::Id::EC,
143 SignatureAlgorithmID::DsaWithSha256 | SignatureAlgorithmID::VerityDsaWithSha256 => {
144 pkey::Id::DSA
145 }
146 }
147 }
148
149 fn rsa_padding(&self) -> Padding {
150 match self {
151 SignatureAlgorithmID::RsaPssWithSha256 | SignatureAlgorithmID::RsaPssWithSha512 => {
152 Padding::PKCS1_PSS
153 }
154 SignatureAlgorithmID::RsaPkcs1V15WithSha256
155 | SignatureAlgorithmID::VerityRsaPkcs1V15WithSha256
156 | SignatureAlgorithmID::RsaPkcs1V15WithSha512 => Padding::PKCS1,
157 SignatureAlgorithmID::EcdsaWithSha256
158 | SignatureAlgorithmID::EcdsaWithSha512
159 | SignatureAlgorithmID::VerityEcdsaWithSha256
160 | SignatureAlgorithmID::DsaWithSha256
161 | SignatureAlgorithmID::VerityDsaWithSha256 => Padding::NONE,
162 }
163 }
Alice Wang1ffff622022-09-16 13:45:47 +0000[diff] [blame]164
Alice Wangd73d0ff2022-09-20 11:33:30 +0000[diff] [blame]165 pub(crate) fn content_digest_algorithm(&self) -> ContentDigestAlgorithm {
Alice Wang1ffff622022-09-16 13:45:47 +0000[diff] [blame]166 match self {
167 SignatureAlgorithmID::RsaPssWithSha256
168 | SignatureAlgorithmID::RsaPkcs1V15WithSha256
169 | SignatureAlgorithmID::EcdsaWithSha256
170 | SignatureAlgorithmID::DsaWithSha256 => ContentDigestAlgorithm::ChunkedSha256,
171 SignatureAlgorithmID::RsaPssWithSha512
172 | SignatureAlgorithmID::RsaPkcs1V15WithSha512
173 | SignatureAlgorithmID::EcdsaWithSha512 => ContentDigestAlgorithm::ChunkedSha512,
174 SignatureAlgorithmID::VerityRsaPkcs1V15WithSha256
175 | SignatureAlgorithmID::VerityEcdsaWithSha256
176 | SignatureAlgorithmID::VerityDsaWithSha256 => {
177 ContentDigestAlgorithm::VerityChunkedSha256
178 }
179 }
180 }
Alice Wang5d0f89a2022-09-15 15:06:10 +0000[diff] [blame]181}
182
183/// The rank of the content digest algorithm in this enum is used to help pick
184/// v4 apk digest.
185/// According to APK Signature Scheme v4, [apk digest] is the first available
186/// content digest of the highest rank (rank N).
187///
188/// This rank was also used for step 3a of the v3 signature verification.
189///
190/// [apk digest]: https://source.android.com/docs/security/features/apksigning/v4#apk-digest
191/// [v3 verification]: https://source.android.com/docs/security/apksigning/v3#v3-verification
192#[derive(Clone, Debug, PartialEq, Eq, PartialOrd, Ord)]
Alice Wangb1e15ca2022-09-19 11:06:11 +0000[diff] [blame]193pub(crate) enum ContentDigestAlgorithm {
Alice Wang5d0f89a2022-09-15 15:06:10 +0000[diff] [blame]194 ChunkedSha256 = 1,
195 VerityChunkedSha256,
196 ChunkedSha512,
197}