blob: fabb8e6bdabd0a5ea2dd2c945182c2bce6182915 [file] [log] [blame]
Jooyung Han12a0b702021-08-05 23:20:31 +09001/*
2 * Copyright (C) 2021 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17//! Utilities for Signature Verification
18
Alice Wanga66b5c02022-09-16 07:25:17 +000019// TODO(b/246254355): Remove this once we migrate all the usages of
20// raw signature algorithm id to the enum.
21#![allow(dead_code)]
22
Alice Wang5d0f89a2022-09-15 15:06:10 +000023use anyhow::{anyhow, ensure, Error, Result};
Jooyung Han12a0b702021-08-05 23:20:31 +090024use byteorder::{LittleEndian, ReadBytesExt};
Andrew Walbran117cd5e2021-08-13 11:42:13 +000025use bytes::{Buf, BufMut, Bytes, BytesMut};
Andrew Scullc208eb42022-05-22 16:17:52 +000026use openssl::hash::{DigestBytes, Hasher, MessageDigest};
Jooyung Hand8397852021-08-10 16:29:36 +090027use std::cmp::min;
Alice Wangaf1d15b2022-09-09 11:09:51 +000028use std::io::{self, Cursor, ErrorKind, Read, Seek, SeekFrom, Take};
Jooyung Han5d94bfc2021-08-06 14:07:49 +090029
Alice Wang5d0f89a2022-09-15 15:06:10 +000030use crate::algorithms::SignatureAlgorithmID;
Jooyung Hand8397852021-08-10 16:29:36 +090031use crate::ziputil::{set_central_directory_offset, zip_sections};
Jooyung Han12a0b702021-08-05 23:20:31 +090032
33const APK_SIG_BLOCK_MIN_SIZE: u32 = 32;
34const APK_SIG_BLOCK_MAGIC: u128 = 0x3234206b636f6c4220676953204b5041;
35
Alice Wang5d0f89a2022-09-15 15:06:10 +000036// TODO(b/246254355): Migrates usages of raw signature algorithm id to the enum.
Jooyung Han5b4c70e2021-08-09 16:36:13 +090037pub const SIGNATURE_RSA_PSS_WITH_SHA256: u32 = 0x0101;
38pub const SIGNATURE_RSA_PSS_WITH_SHA512: u32 = 0x0102;
39pub const SIGNATURE_RSA_PKCS1_V1_5_WITH_SHA256: u32 = 0x0103;
40pub const SIGNATURE_RSA_PKCS1_V1_5_WITH_SHA512: u32 = 0x0104;
41pub const SIGNATURE_ECDSA_WITH_SHA256: u32 = 0x0201;
42pub const SIGNATURE_ECDSA_WITH_SHA512: u32 = 0x0202;
43pub const SIGNATURE_DSA_WITH_SHA256: u32 = 0x0301;
44pub const SIGNATURE_VERITY_RSA_PKCS1_V1_5_WITH_SHA256: u32 = 0x0421;
45pub const SIGNATURE_VERITY_ECDSA_WITH_SHA256: u32 = 0x0423;
46pub const SIGNATURE_VERITY_DSA_WITH_SHA256: u32 = 0x0425;
Jooyung Han12a0b702021-08-05 23:20:31 +090047
Jooyung Hand8397852021-08-10 16:29:36 +090048const CHUNK_SIZE_BYTES: u64 = 1024 * 1024;
49
Alice Wanged79eab2022-09-08 11:16:31 +000050/// The [APK structure] has four major sections:
51///
52/// | Zip contents | APK Signing Block | Central directory | EOCD(End of Central Directory) |
53///
54/// This structure contains the offset/size information of all the sections except the Zip contents.
55///
56/// [APK structure]: https://source.android.com/docs/security/apksigning/v2#apk-signing-block
Jooyung Hand8397852021-08-10 16:29:36 +090057pub struct ApkSections<R> {
58 inner: R,
59 signing_block_offset: u32,
60 signing_block_size: u32,
61 central_directory_offset: u32,
62 central_directory_size: u32,
63 eocd_offset: u32,
64 eocd_size: u32,
Jooyung Han12a0b702021-08-05 23:20:31 +090065}
66
Jooyung Hand8397852021-08-10 16:29:36 +090067impl<R: Read + Seek> ApkSections<R> {
68 pub fn new(reader: R) -> Result<ApkSections<R>> {
Andrew Walbran117cd5e2021-08-13 11:42:13 +000069 let (mut reader, zip_sections) = zip_sections(reader)?;
Jooyung Hand8397852021-08-10 16:29:36 +090070 let (signing_block_offset, signing_block_size) =
Andrew Walbran117cd5e2021-08-13 11:42:13 +000071 find_signing_block(&mut reader, zip_sections.central_directory_offset)?;
Jooyung Hand8397852021-08-10 16:29:36 +090072 Ok(ApkSections {
Andrew Walbran117cd5e2021-08-13 11:42:13 +000073 inner: reader,
Jooyung Hand8397852021-08-10 16:29:36 +090074 signing_block_offset,
75 signing_block_size,
76 central_directory_offset: zip_sections.central_directory_offset,
77 central_directory_size: zip_sections.central_directory_size,
78 eocd_offset: zip_sections.eocd_offset,
79 eocd_size: zip_sections.eocd_size,
80 })
81 }
Jooyung Han5d94bfc2021-08-06 14:07:49 +090082
Jooyung Hand8397852021-08-10 16:29:36 +090083 /// Returns the APK Signature Scheme block contained in the provided file for the given ID
84 /// and the additional information relevant for verifying the block against the file.
85 pub fn find_signature(&mut self, block_id: u32) -> Result<Bytes> {
86 let signing_block = self.bytes(self.signing_block_offset, self.signing_block_size)?;
Jooyung Hand8397852021-08-10 16:29:36 +090087 find_signature_scheme_block(Bytes::from(signing_block), block_id)
88 }
Jooyung Han12a0b702021-08-05 23:20:31 +090089
Jooyung Hand8397852021-08-10 16:29:36 +090090 /// Computes digest with "signature algorithm" over APK contents, central directory, and EOCD.
91 /// 1. The digest of each chunk is computed over the concatenation of byte 0xa5, the chunk’s
92 /// length in bytes (little-endian uint32), and the chunk’s contents.
93 /// 2. The top-level digest is computed over the concatenation of byte 0x5a, the number of
94 /// chunks (little-endian uint32), and the concatenation of digests of the chunks in the
95 /// order the chunks appear in the APK.
96 /// (see https://source.android.com/security/apksigning/v2#integrity-protected-contents)
Alice Wang62353c52022-09-19 12:47:20 +000097 pub(crate) fn compute_digest(
98 &mut self,
99 signature_algorithm_id: SignatureAlgorithmID,
100 ) -> Result<Vec<u8>> {
Alice Wang1ffff622022-09-16 13:45:47 +0000101 let digester = Digester { message_digest: signature_algorithm_id.new_message_digest() };
Andrew Walbran117cd5e2021-08-13 11:42:13 +0000102 let mut digests_of_chunks = BytesMut::new();
Jooyung Hand8397852021-08-10 16:29:36 +0900103 let mut chunk_count = 0u32;
104 let mut chunk = vec![0u8; CHUNK_SIZE_BYTES as usize];
105 for data in &[
106 ApkSections::zip_entries,
107 ApkSections::central_directory,
108 ApkSections::eocd_for_verification,
109 ] {
110 let mut data = data(self)?;
111 while data.limit() > 0 {
112 let chunk_size = min(CHUNK_SIZE_BYTES, data.limit());
Chris Wailes641fc4a2021-12-01 15:03:21 -0800113 let slice = &mut chunk[..(chunk_size as usize)];
114 data.read_exact(slice)?;
Jooyung Hand8397852021-08-10 16:29:36 +0900115 digests_of_chunks.put_slice(
Andrew Scullc208eb42022-05-22 16:17:52 +0000116 digester.digest(slice, CHUNK_HEADER_MID, chunk_size as u32)?.as_ref(),
Jooyung Hand8397852021-08-10 16:29:36 +0900117 );
118 chunk_count += 1;
119 }
120 }
Andrew Scullc208eb42022-05-22 16:17:52 +0000121 Ok(digester.digest(&digests_of_chunks, CHUNK_HEADER_TOP, chunk_count)?.as_ref().into())
Jooyung Hand8397852021-08-10 16:29:36 +0900122 }
123
124 fn zip_entries(&mut self) -> Result<Take<Box<dyn Read + '_>>> {
125 scoped_read(&mut self.inner, 0, self.signing_block_offset as u64)
126 }
Andrew Walbran117cd5e2021-08-13 11:42:13 +0000127
Jooyung Hand8397852021-08-10 16:29:36 +0900128 fn central_directory(&mut self) -> Result<Take<Box<dyn Read + '_>>> {
129 scoped_read(
130 &mut self.inner,
131 self.central_directory_offset as u64,
132 self.central_directory_size as u64,
133 )
134 }
Andrew Walbran117cd5e2021-08-13 11:42:13 +0000135
Jooyung Hand8397852021-08-10 16:29:36 +0900136 fn eocd_for_verification(&mut self) -> Result<Take<Box<dyn Read + '_>>> {
137 let mut eocd = self.bytes(self.eocd_offset, self.eocd_size)?;
138 // Protection of section 4 (ZIP End of Central Directory) is complicated by the section
139 // containing the offset of ZIP Central Directory. The offset changes when the size of the
140 // APK Signing Block changes, for instance, when a new signature is added. Thus, when
141 // computing digest over the ZIP End of Central Directory, the field containing the offset
142 // of ZIP Central Directory must be treated as containing the offset of the APK Signing
143 // Block.
144 set_central_directory_offset(&mut eocd, self.signing_block_offset)?;
145 Ok(Read::take(Box::new(Cursor::new(eocd)), self.eocd_size as u64))
146 }
Andrew Walbran117cd5e2021-08-13 11:42:13 +0000147
Jooyung Hand8397852021-08-10 16:29:36 +0900148 fn bytes(&mut self, offset: u32, size: u32) -> Result<Vec<u8>> {
149 self.inner.seek(SeekFrom::Start(offset as u64))?;
150 let mut buf = vec![0u8; size as usize];
151 self.inner.read_exact(&mut buf)?;
152 Ok(buf)
153 }
154}
155
156fn scoped_read<'a, R: Read + Seek>(
157 src: &'a mut R,
158 offset: u64,
159 size: u64,
160) -> Result<Take<Box<dyn Read + 'a>>> {
161 src.seek(SeekFrom::Start(offset))?;
162 Ok(Read::take(Box::new(src), size))
163}
164
165struct Digester {
Alice Wang5d0f89a2022-09-15 15:06:10 +0000166 message_digest: MessageDigest,
Jooyung Hand8397852021-08-10 16:29:36 +0900167}
168
169const CHUNK_HEADER_TOP: &[u8] = &[0x5a];
170const CHUNK_HEADER_MID: &[u8] = &[0xa5];
Andrew Walbran117cd5e2021-08-13 11:42:13 +0000171
Jooyung Hand8397852021-08-10 16:29:36 +0900172impl Digester {
Jooyung Hand8397852021-08-10 16:29:36 +0900173 // v2/v3 digests are computed after prepending "header" byte and "size" info.
Andrew Scullc208eb42022-05-22 16:17:52 +0000174 fn digest(&self, data: &[u8], header: &[u8], size: u32) -> Result<DigestBytes> {
Alice Wang5d0f89a2022-09-15 15:06:10 +0000175 let mut hasher = Hasher::new(self.message_digest)?;
Alice Wang98073222022-09-09 14:08:19 +0000176 hasher.update(header)?;
177 hasher.update(&size.to_le_bytes())?;
178 hasher.update(data)?;
179 Ok(hasher.finish()?)
Jooyung Hand8397852021-08-10 16:29:36 +0900180 }
Jooyung Han12a0b702021-08-05 23:20:31 +0900181}
182
Jooyung Han5d94bfc2021-08-06 14:07:49 +0900183fn find_signing_block<T: Read + Seek>(
Jooyung Han12a0b702021-08-05 23:20:31 +0900184 reader: &mut T,
185 central_directory_offset: u32,
Jooyung Hand8397852021-08-10 16:29:36 +0900186) -> Result<(u32, u32)> {
Jooyung Han12a0b702021-08-05 23:20:31 +0900187 // FORMAT:
188 // OFFSET DATA TYPE DESCRIPTION
189 // * @+0 bytes uint64: size in bytes (excluding this field)
190 // * @+8 bytes payload
191 // * @-24 bytes uint64: size in bytes (same as the one above)
192 // * @-16 bytes uint128: magic
Alice Wangaf1d15b2022-09-09 11:09:51 +0000193 ensure!(
194 central_directory_offset >= APK_SIG_BLOCK_MIN_SIZE,
195 "APK too small for APK Signing Block. ZIP Central Directory offset: {}",
196 central_directory_offset
197 );
Jooyung Han5d94bfc2021-08-06 14:07:49 +0900198 reader.seek(SeekFrom::Start((central_directory_offset - 24) as u64))?;
Jooyung Han12a0b702021-08-05 23:20:31 +0900199 let size_in_footer = reader.read_u64::<LittleEndian>()? as u32;
Alice Wangaf1d15b2022-09-09 11:09:51 +0000200 ensure!(
201 reader.read_u128::<LittleEndian>()? == APK_SIG_BLOCK_MAGIC,
202 "No APK Signing Block before ZIP Central Directory"
203 );
Jooyung Han12a0b702021-08-05 23:20:31 +0900204 let total_size = size_in_footer + 8;
205 let signing_block_offset = central_directory_offset
206 .checked_sub(total_size)
207 .ok_or_else(|| anyhow!("APK Signing Block size out of range: {}", size_in_footer))?;
Jooyung Han5d94bfc2021-08-06 14:07:49 +0900208 reader.seek(SeekFrom::Start(signing_block_offset as u64))?;
Jooyung Han12a0b702021-08-05 23:20:31 +0900209 let size_in_header = reader.read_u64::<LittleEndian>()? as u32;
Alice Wangaf1d15b2022-09-09 11:09:51 +0000210 // This corresponds to APK Signature Scheme v3 verification step 1a.
211 ensure!(
212 size_in_header == size_in_footer,
213 "APK Signing Block sizes in header and footer do not match: {} vs {}",
214 size_in_header,
215 size_in_footer
216 );
Jooyung Hand8397852021-08-10 16:29:36 +0900217 Ok((signing_block_offset, total_size))
Jooyung Han12a0b702021-08-05 23:20:31 +0900218}
219
220fn find_signature_scheme_block(buf: Bytes, block_id: u32) -> Result<Bytes> {
221 // FORMAT:
222 // OFFSET DATA TYPE DESCRIPTION
223 // * @+0 bytes uint64: size in bytes (excluding this field)
224 // * @+8 bytes pairs
225 // * @-24 bytes uint64: size in bytes (same as the one above)
226 // * @-16 bytes uint128: magic
227 let mut pairs = buf.slice(8..(buf.len() - 24));
228 let mut entry_count = 0;
229 while pairs.has_remaining() {
230 entry_count += 1;
Alice Wangaf1d15b2022-09-09 11:09:51 +0000231 ensure!(
232 pairs.remaining() >= 8,
233 "Insufficient data to read size of APK Signing Block entry #{}",
234 entry_count
235 );
Jooyung Han12a0b702021-08-05 23:20:31 +0900236 let length = pairs.get_u64_le();
237 let mut pair = pairs.split_to(length as usize);
238 let id = pair.get_u32_le();
239 if id == block_id {
240 return Ok(pair);
241 }
242 }
Alice Wangaf1d15b2022-09-09 11:09:51 +0000243 let context =
244 format!("No APK Signature Scheme block in APK Signing Block with ID: {}", block_id);
245 Err(Error::new(io::Error::from(ErrorKind::NotFound)).context(context))
Jooyung Han12a0b702021-08-05 23:20:31 +0900246}
247
Alice Wanged79eab2022-09-08 11:16:31 +0000248#[cfg(test)]
249mod tests {
250 use super::*;
251 use byteorder::LittleEndian;
252 use std::fs::File;
253 use std::mem::size_of_val;
254
Alice Wangaf1d15b2022-09-09 11:09:51 +0000255 use crate::v3::{to_hex_string, APK_SIGNATURE_SCHEME_V3_BLOCK_ID};
Alice Wang98073222022-09-09 14:08:19 +0000256
Alice Wanged79eab2022-09-08 11:16:31 +0000257 const CENTRAL_DIRECTORY_HEADER_SIGNATURE: u32 = 0x02014b50;
258
259 #[test]
260 fn test_apk_sections() {
261 let apk_file = File::open("tests/data/v3-only-with-ecdsa-sha512-p521.apk").unwrap();
262 let apk_sections = ApkSections::new(apk_file).unwrap();
263 let mut reader = &apk_sections.inner;
264
265 // Checks APK Signing Block.
266 assert_eq!(
267 apk_sections.signing_block_offset + apk_sections.signing_block_size,
268 apk_sections.central_directory_offset
269 );
270 let apk_signature_offset = SeekFrom::Start(
271 apk_sections.central_directory_offset as u64 - size_of_val(&APK_SIG_BLOCK_MAGIC) as u64,
272 );
273 reader.seek(apk_signature_offset).unwrap();
274 assert_eq!(reader.read_u128::<LittleEndian>().unwrap(), APK_SIG_BLOCK_MAGIC);
275
276 // Checks Central directory.
277 assert_eq!(reader.read_u32::<LittleEndian>().unwrap(), CENTRAL_DIRECTORY_HEADER_SIGNATURE);
278 assert_eq!(
279 apk_sections.central_directory_offset + apk_sections.central_directory_size,
280 apk_sections.eocd_offset
281 );
282
283 // Checks EOCD.
284 assert_eq!(
285 reader.metadata().unwrap().len(),
286 (apk_sections.eocd_offset + apk_sections.eocd_size) as u64
287 );
288 }
Alice Wang98073222022-09-09 14:08:19 +0000289
290 #[test]
291 fn test_apk_digest() {
292 let apk_file = File::open("tests/data/v3-only-with-dsa-sha256-1024.apk").unwrap();
293 let mut apk_sections = ApkSections::new(apk_file).unwrap();
Alice Wang62353c52022-09-19 12:47:20 +0000294 let digest = apk_sections.compute_digest(SignatureAlgorithmID::DsaWithSha256).unwrap();
Alice Wang98073222022-09-09 14:08:19 +0000295 assert_eq!(
296 "0DF2426EA33AEDAF495D88E5BE0C6A1663FF0A81C5ED12D5B2929AE4B4300F2F",
297 to_hex_string(&digest[..])
298 );
299 }
Alice Wangaf1d15b2022-09-09 11:09:51 +0000300
301 #[test]
302 fn test_apk_sections_cannot_find_signature() {
303 let apk_file = File::open("tests/data/v2-only-two-signers.apk").unwrap();
304 let mut apk_sections = ApkSections::new(apk_file).unwrap();
305 let result = apk_sections.find_signature(APK_SIGNATURE_SCHEME_V3_BLOCK_ID);
306
307 assert!(result.is_err());
308 let error = result.unwrap_err();
309 assert_eq!(error.downcast_ref::<io::Error>().unwrap().kind(), ErrorKind::NotFound);
310 assert!(
311 error.to_string().contains(&APK_SIGNATURE_SCHEME_V3_BLOCK_ID.to_string()),
312 "Error should contain the block ID: {}",
313 error
314 );
315 }
316
317 #[test]
318 fn test_apk_sections_find_signature() {
319 let apk_file = File::open("tests/data/v3-only-with-dsa-sha256-1024.apk").unwrap();
320 let mut apk_sections = ApkSections::new(apk_file).unwrap();
321 let signature = apk_sections.find_signature(APK_SIGNATURE_SCHEME_V3_BLOCK_ID).unwrap();
322
323 let expected_v3_signature_block_size = 1289; // Only for this specific APK
324 assert_eq!(signature.len(), expected_v3_signature_block_size);
325 }
Alice Wanged79eab2022-09-08 11:16:31 +0000326}