blob: ed2c1fccf173472f58a4796f61cd49c5e30eddfc [file] [log] [blame]
Alice Wang5d0f89a2022-09-15 15:06:10 +00001/*
2 * Copyright (C) 2022 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17//! Algorithms used for APK Signature Scheme.
18
Alice Wang1ffff622022-09-16 13:45:47 +000019use anyhow::{ensure, Result};
Alice Wangd73d0ff2022-09-20 11:33:30 +000020use bytes::{Buf, Bytes};
Alice Wang0a293bb2022-09-19 08:41:40 +000021use num_derive::{FromPrimitive, ToPrimitive};
Alice Wangd73d0ff2022-09-20 11:33:30 +000022use num_traits::{FromPrimitive, ToPrimitive};
Alice Wang5d0f89a2022-09-15 15:06:10 +000023use openssl::hash::MessageDigest;
Alice Wanga66b5c02022-09-16 07:25:17 +000024use openssl::pkey::{self, PKey};
25use openssl::rsa::Padding;
26use openssl::sign::Verifier;
Alice Wang2ef30742022-09-19 11:59:17 +000027use serde::{Deserialize, Serialize};
Alice Wang5d0f89a2022-09-15 15:06:10 +000028
Alice Wangd73d0ff2022-09-20 11:33:30 +000029use crate::bytes_ext::ReadFromBytes;
30
Alice Wang5d0f89a2022-09-15 15:06:10 +000031/// [Signature Algorithm IDs]: https://source.android.com/docs/security/apksigning/v2#signature-algorithm-ids
Alice Wang0a293bb2022-09-19 08:41:40 +000032/// [SignatureAlgorithm.java]: (tools/apksig/src/main/java/com/android/apksig/internal/apk/SignatureAlgorithm.java)
Alice Wang5d0f89a2022-09-15 15:06:10 +000033///
34/// Some of the algorithms are not implemented. See b/197052981.
Alice Wangd73d0ff2022-09-20 11:33:30 +000035#[derive(Serialize, Deserialize, Clone, Copy, Debug, Eq, PartialEq, FromPrimitive, ToPrimitive)]
Alice Wang5d0f89a2022-09-15 15:06:10 +000036#[repr(u32)]
37pub enum SignatureAlgorithmID {
Alice Wang0a293bb2022-09-19 08:41:40 +000038 /// RSASSA-PSS with SHA2-256 digest, SHA2-256 MGF1, 32 bytes of salt, trailer: 0xbc, content
39 /// digested using SHA2-256 in 1 MB chunks.
Alice Wang5d0f89a2022-09-15 15:06:10 +000040 RsaPssWithSha256 = 0x0101,
Alice Wang0a293bb2022-09-19 08:41:40 +000041
42 /// RSASSA-PSS with SHA2-512 digest, SHA2-512 MGF1, 64 bytes of salt, trailer: 0xbc, content
43 /// digested using SHA2-512 in 1 MB chunks.
Alice Wang5d0f89a2022-09-15 15:06:10 +000044 RsaPssWithSha512 = 0x0102,
Alice Wang0a293bb2022-09-19 08:41:40 +000045
46 /// RSASSA-PKCS1-v1_5 with SHA2-256 digest, content digested using SHA2-256 in 1 MB chunks.
Alice Wang5d0f89a2022-09-15 15:06:10 +000047 RsaPkcs1V15WithSha256 = 0x0103,
Alice Wang0a293bb2022-09-19 08:41:40 +000048
49 /// RSASSA-PKCS1-v1_5 with SHA2-512 digest, content digested using SHA2-512 in 1 MB chunks.
Alice Wang5d0f89a2022-09-15 15:06:10 +000050 RsaPkcs1V15WithSha512 = 0x0104,
Alice Wang0a293bb2022-09-19 08:41:40 +000051
52 /// ECDSA with SHA2-256 digest, content digested using SHA2-256 in 1 MB chunks.
Alice Wang5d0f89a2022-09-15 15:06:10 +000053 EcdsaWithSha256 = 0x0201,
Alice Wang0a293bb2022-09-19 08:41:40 +000054
55 /// ECDSA with SHA2-512 digest, content digested using SHA2-512 in 1 MB chunks.
Alice Wang5d0f89a2022-09-15 15:06:10 +000056 EcdsaWithSha512 = 0x0202,
Alice Wang0a293bb2022-09-19 08:41:40 +000057
58 /// DSA with SHA2-256 digest, content digested using SHA2-256 in 1 MB chunks.
59 /// Signing is done deterministically according to RFC 6979.
Alice Wang5d0f89a2022-09-15 15:06:10 +000060 DsaWithSha256 = 0x0301,
Alice Wang0a293bb2022-09-19 08:41:40 +000061
62 /// RSASSA-PKCS1-v1_5 with SHA2-256 digest, content digested using SHA2-256 in 4 KB
63 /// chunks, in the same way fsverity operates. This digest and the content length
64 /// (before digestion, 8 bytes in little endian) construct the final digest.
Alice Wang5d0f89a2022-09-15 15:06:10 +000065 VerityRsaPkcs1V15WithSha256 = 0x0421,
Alice Wang0a293bb2022-09-19 08:41:40 +000066
67 /// ECDSA with SHA2-256 digest, content digested using SHA2-256 in 4 KB chunks, in the
68 /// same way fsverity operates. This digest and the content length (before digestion,
69 /// 8 bytes in little endian) construct the final digest.
Alice Wang5d0f89a2022-09-15 15:06:10 +000070 VerityEcdsaWithSha256 = 0x0423,
Alice Wang0a293bb2022-09-19 08:41:40 +000071
72 /// DSA with SHA2-256 digest, content digested using SHA2-256 in 4 KB chunks, in the
73 /// same way fsverity operates. This digest and the content length (before digestion,
74 /// 8 bytes in little endian) construct the final digest.
Alice Wang5d0f89a2022-09-15 15:06:10 +000075 VerityDsaWithSha256 = 0x0425,
76}
77
Alice Wang0a293bb2022-09-19 08:41:40 +000078impl Default for SignatureAlgorithmID {
79 fn default() -> Self {
Alice Wanga09156e2022-09-22 09:09:49 +000080 SignatureAlgorithmID::RsaPssWithSha256
Alice Wang0a293bb2022-09-19 08:41:40 +000081 }
82}
83
Alice Wangd73d0ff2022-09-20 11:33:30 +000084impl ReadFromBytes for Option<SignatureAlgorithmID> {
85 fn read_from_bytes(buf: &mut Bytes) -> Result<Self> {
86 Ok(SignatureAlgorithmID::from_u32(buf.get_u32_le()))
87 }
88}
89
Alice Wang5d0f89a2022-09-15 15:06:10 +000090impl SignatureAlgorithmID {
Alice Wang2ef30742022-09-19 11:59:17 +000091 /// Converts the signature algorithm ID to the corresponding u32.
92 pub fn to_u32(&self) -> u32 {
93 ToPrimitive::to_u32(self).expect("Unsupported algorithm for to_u32.")
94 }
95
Alice Wanga66b5c02022-09-16 07:25:17 +000096 pub(crate) fn new_verifier<'a>(
97 &self,
98 public_key: &'a PKey<pkey::Public>,
99 ) -> Result<Verifier<'a>> {
Andrew Scull3bae36c2022-09-21 21:55:42 +0000100 ensure!(
101 !matches!(
102 self,
103 SignatureAlgorithmID::DsaWithSha256 | SignatureAlgorithmID::VerityDsaWithSha256
104 ),
Alice Wang50701022022-09-21 08:51:38 +0000105 "Algorithm '{:?}' is not supported in openssl to build this verifier (b/197052981).",
Andrew Scull3bae36c2022-09-21 21:55:42 +0000106 self
107 );
Alice Wanga66b5c02022-09-16 07:25:17 +0000108 ensure!(public_key.id() == self.pkey_id(), "Public key has the wrong ID");
109 let mut verifier = Verifier::new(self.new_message_digest(), public_key)?;
110 if public_key.id() == pkey::Id::RSA {
111 verifier.set_rsa_padding(self.rsa_padding())?;
112 }
113 Ok(verifier)
114 }
115
116 /// Returns the message digest corresponding to the signature algorithm
117 /// according to the spec [Signature Algorithm IDs].
Alice Wang1ffff622022-09-16 13:45:47 +0000118 pub(crate) fn new_message_digest(&self) -> MessageDigest {
Alice Wanga66b5c02022-09-16 07:25:17 +0000119 match self {
120 SignatureAlgorithmID::RsaPssWithSha256
121 | SignatureAlgorithmID::RsaPkcs1V15WithSha256
122 | SignatureAlgorithmID::EcdsaWithSha256
123 | SignatureAlgorithmID::DsaWithSha256
124 | SignatureAlgorithmID::VerityRsaPkcs1V15WithSha256
125 | SignatureAlgorithmID::VerityEcdsaWithSha256
126 | SignatureAlgorithmID::VerityDsaWithSha256 => MessageDigest::sha256(),
127 SignatureAlgorithmID::RsaPssWithSha512
128 | SignatureAlgorithmID::RsaPkcs1V15WithSha512
129 | SignatureAlgorithmID::EcdsaWithSha512 => MessageDigest::sha512(),
130 }
131 }
132
Alice Wang50701022022-09-21 08:51:38 +0000133 /// DSA is not directly supported in openssl today. See b/197052981.
134 pub(crate) fn is_supported(&self) -> bool {
135 !matches!(
136 self,
137 SignatureAlgorithmID::DsaWithSha256 | SignatureAlgorithmID::VerityDsaWithSha256,
138 )
139 }
140
Alice Wanga66b5c02022-09-16 07:25:17 +0000141 fn pkey_id(&self) -> pkey::Id {
142 match self {
143 SignatureAlgorithmID::RsaPssWithSha256
144 | SignatureAlgorithmID::RsaPssWithSha512
145 | SignatureAlgorithmID::RsaPkcs1V15WithSha256
146 | SignatureAlgorithmID::RsaPkcs1V15WithSha512
147 | SignatureAlgorithmID::VerityRsaPkcs1V15WithSha256 => pkey::Id::RSA,
148 SignatureAlgorithmID::EcdsaWithSha256
149 | SignatureAlgorithmID::EcdsaWithSha512
150 | SignatureAlgorithmID::VerityEcdsaWithSha256 => pkey::Id::EC,
151 SignatureAlgorithmID::DsaWithSha256 | SignatureAlgorithmID::VerityDsaWithSha256 => {
152 pkey::Id::DSA
153 }
154 }
155 }
156
157 fn rsa_padding(&self) -> Padding {
158 match self {
159 SignatureAlgorithmID::RsaPssWithSha256 | SignatureAlgorithmID::RsaPssWithSha512 => {
160 Padding::PKCS1_PSS
161 }
162 SignatureAlgorithmID::RsaPkcs1V15WithSha256
163 | SignatureAlgorithmID::VerityRsaPkcs1V15WithSha256
164 | SignatureAlgorithmID::RsaPkcs1V15WithSha512 => Padding::PKCS1,
165 SignatureAlgorithmID::EcdsaWithSha256
166 | SignatureAlgorithmID::EcdsaWithSha512
167 | SignatureAlgorithmID::VerityEcdsaWithSha256
168 | SignatureAlgorithmID::DsaWithSha256
169 | SignatureAlgorithmID::VerityDsaWithSha256 => Padding::NONE,
170 }
171 }
Alice Wang1ffff622022-09-16 13:45:47 +0000172
Alice Wangd73d0ff2022-09-20 11:33:30 +0000173 pub(crate) fn content_digest_algorithm(&self) -> ContentDigestAlgorithm {
Alice Wang1ffff622022-09-16 13:45:47 +0000174 match self {
175 SignatureAlgorithmID::RsaPssWithSha256
176 | SignatureAlgorithmID::RsaPkcs1V15WithSha256
177 | SignatureAlgorithmID::EcdsaWithSha256
178 | SignatureAlgorithmID::DsaWithSha256 => ContentDigestAlgorithm::ChunkedSha256,
179 SignatureAlgorithmID::RsaPssWithSha512
180 | SignatureAlgorithmID::RsaPkcs1V15WithSha512
181 | SignatureAlgorithmID::EcdsaWithSha512 => ContentDigestAlgorithm::ChunkedSha512,
182 SignatureAlgorithmID::VerityRsaPkcs1V15WithSha256
183 | SignatureAlgorithmID::VerityEcdsaWithSha256
184 | SignatureAlgorithmID::VerityDsaWithSha256 => {
185 ContentDigestAlgorithm::VerityChunkedSha256
186 }
187 }
188 }
Alice Wang5d0f89a2022-09-15 15:06:10 +0000189}
190
191/// The rank of the content digest algorithm in this enum is used to help pick
192/// v4 apk digest.
193/// According to APK Signature Scheme v4, [apk digest] is the first available
194/// content digest of the highest rank (rank N).
195///
196/// This rank was also used for step 3a of the v3 signature verification.
197///
198/// [apk digest]: https://source.android.com/docs/security/features/apksigning/v4#apk-digest
199/// [v3 verification]: https://source.android.com/docs/security/apksigning/v3#v3-verification
200#[derive(Clone, Debug, PartialEq, Eq, PartialOrd, Ord)]
Alice Wangb1e15ca2022-09-19 11:06:11 +0000201pub(crate) enum ContentDigestAlgorithm {
Alice Wang5d0f89a2022-09-15 15:06:10 +0000202 ChunkedSha256 = 1,
203 VerityChunkedSha256,
204 ChunkedSha512,
205}