Gitiles
Code Review Sign In
gerrit.omnirom.org / android_packages_modules_Virtualization / 928893549a8519d5b73ec2759e1f8cfc54669b27 / . / libs / apkverify / src / v3.rs
blob: e4ad661ffb423ce86bcaf7cb7164b403cccc60d2 [file] [log] [blame]
Jooyung Han12a0b702021-08-05 23:20:31 +0900[diff] [blame]1/*
2 * Copyright (C) 2021 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17//! Verifies APK Signature Scheme V3
Alice Wangaf1d15b2022-09-09 11:09:51 +0000[diff] [blame]18//!
19//! [v3 verification]: https://source.android.com/security/apksigning/v3#verification
Jooyung Han12a0b702021-08-05 23:20:31 +0900[diff] [blame]20
Andrew Scullc208eb42022-05-22 16:17:52 +0000[diff] [blame]21use anyhow::{anyhow, bail, ensure, Context, Result};
Jooyung Han12a0b702021-08-05 23:20:31 +0900[diff] [blame]22use bytes::Bytes;
Alice Wang5d0f89a2022-09-15 15:06:10 +0000[diff] [blame]23use num_traits::FromPrimitive;
Andrew Scullc208eb42022-05-22 16:17:52 +0000[diff] [blame]24use openssl::hash::MessageDigest;
25use openssl::pkey::{self, PKey};
26use openssl::rsa::Padding;
27use openssl::sign::Verifier;
Alice Wang79713d92022-07-14 15:10:03 +0000[diff] [blame]28use openssl::x509::X509;
Jooyung Han12a0b702021-08-05 23:20:31 +0900[diff] [blame]29use std::fs::File;
Jooyung Hand8397852021-08-10 16:29:36 +0900[diff] [blame]30use std::io::{Read, Seek};
Jooyung Han12a0b702021-08-05 23:20:31 +0900[diff] [blame]31use std::ops::Range;
32use std::path::Path;
33
Alice Wang5d0f89a2022-09-15 15:06:10 +0000[diff] [blame]34use crate::algorithms::SignatureAlgorithmID;
Jooyung Han12a0b702021-08-05 23:20:31 +0900[diff] [blame]35use crate::bytes_ext::{BytesExt, LengthPrefixed, ReadFromBytes};
Jooyung Han5b4c70e2021-08-09 16:36:13 +0900[diff] [blame]36use crate::sigutil::*;
Jooyung Han12a0b702021-08-05 23:20:31 +0900[diff] [blame]37
38pub const APK_SIGNATURE_SCHEME_V3_BLOCK_ID: u32 = 0xf05368c0;
39
Alice Wang92889352022-09-16 10:42:52 +0000[diff] [blame^]40// TODO(b/190343842): get "ro.build.version.sdk"
Jooyung Han12a0b702021-08-05 23:20:31 +0900[diff] [blame]41const SDK_INT: u32 = 31;
42
Jooyung Han12a0b702021-08-05 23:20:31 +0900[diff] [blame]43type Signers = LengthPrefixed<Vec<LengthPrefixed<Signer>>>;
44
45struct Signer {
46 signed_data: LengthPrefixed<Bytes>, // not verified yet
47 min_sdk: u32,
48 max_sdk: u32,
49 signatures: LengthPrefixed<Vec<LengthPrefixed<Signature>>>,
Andrew Walbran117cd5e2021-08-13 11:42:13 +0000[diff] [blame]50 public_key: LengthPrefixed<Bytes>,
Jooyung Han12a0b702021-08-05 23:20:31 +0900[diff] [blame]51}
52
53impl Signer {
54 fn sdk_range(&self) -> Range<u32> {
55 self.min_sdk..self.max_sdk
56 }
57}
58
59struct SignedData {
60 digests: LengthPrefixed<Vec<LengthPrefixed<Digest>>>,
61 certificates: LengthPrefixed<Vec<LengthPrefixed<X509Certificate>>>,
62 min_sdk: u32,
63 max_sdk: u32,
Alice Wang4b7c0ba2022-09-07 15:12:36 +0000[diff] [blame]64 #[allow(dead_code)]
Jooyung Han12a0b702021-08-05 23:20:31 +0900[diff] [blame]65 additional_attributes: LengthPrefixed<Vec<LengthPrefixed<AdditionalAttributes>>>,
66}
67
68impl SignedData {
69 fn sdk_range(&self) -> Range<u32> {
70 self.min_sdk..self.max_sdk
71 }
72}
73
Jooyung Han5b4c70e2021-08-09 16:36:13 +0900[diff] [blame]74#[derive(Debug)]
Jooyung Han12a0b702021-08-05 23:20:31 +0900[diff] [blame]75struct Signature {
Alice Wang5d0f89a2022-09-15 15:06:10 +0000[diff] [blame]76 /// TODO(b/246254355): Change the type of signature_algorithm_id to SignatureAlgorithmID
Jooyung Han12a0b702021-08-05 23:20:31 +0900[diff] [blame]77 signature_algorithm_id: u32,
78 signature: LengthPrefixed<Bytes>,
79}
80
81struct Digest {
82 signature_algorithm_id: u32,
83 digest: LengthPrefixed<Bytes>,
84}
85
86type X509Certificate = Bytes;
87type AdditionalAttributes = Bytes;
88
Jiyong Parka41535b2021-09-10 19:31:48 +0900[diff] [blame]89/// Verifies APK Signature Scheme v3 signatures of the provided APK and returns the public key
Andrew Scullf3fd4c62022-05-22 14:41:21 +0000[diff] [blame]90/// associated with the signer in DER format.
Jiyong Parka41535b2021-09-10 19:31:48 +0900[diff] [blame]91pub fn verify<P: AsRef<Path>>(path: P) -> Result<Box<[u8]>> {
Jooyung Han5d94bfc2021-08-06 14:07:49 +0900[diff] [blame]92 let f = File::open(path.as_ref())?;
Jooyung Hand8397852021-08-10 16:29:36 +0900[diff] [blame]93 let mut sections = ApkSections::new(f)?;
Jiyong Parka41535b2021-09-10 19:31:48 +0900[diff] [blame]94 find_signer_and_then(&mut sections, |(signer, sections)| signer.verify(sections))
Jooyung Han12a0b702021-08-05 23:20:31 +0900[diff] [blame]95}
96
Jiyong Parka41535b2021-09-10 19:31:48 +0900[diff] [blame]97/// Finds the supported signer and execute a function on it.
98fn find_signer_and_then<R, U, F>(sections: &mut ApkSections<R>, f: F) -> Result<U>
99where
100 R: Read + Seek,
101 F: FnOnce((&Signer, &mut ApkSections<R>)) -> Result<U>,
102{
Jooyung Hand8397852021-08-10 16:29:36 +0900[diff] [blame]103 let mut block = sections.find_signature(APK_SIGNATURE_SCHEME_V3_BLOCK_ID)?;
Jooyung Han12a0b702021-08-05 23:20:31 +0900[diff] [blame]104 // parse v3 scheme block
Jooyung Hand8397852021-08-10 16:29:36 +0900[diff] [blame]105 let signers = block.read::<Signers>()?;
Jooyung Han12a0b702021-08-05 23:20:31 +0900[diff] [blame]106
107 // find supported by platform
Jiyong Parka41535b2021-09-10 19:31:48 +0900[diff] [blame]108 let supported = signers.iter().filter(|s| s.sdk_range().contains(&SDK_INT)).collect::<Vec<_>>();
Jooyung Han12a0b702021-08-05 23:20:31 +0900[diff] [blame]109
110 // there should be exactly one
111 if supported.len() != 1 {
Jiyong Parka41535b2021-09-10 19:31:48 +0900[diff] [blame]112 bail!(
113 "APK Signature Scheme V3 only supports one signer: {} signers found.",
114 supported.len()
115 )
Jooyung Han12a0b702021-08-05 23:20:31 +0900[diff] [blame]116 }
117
Jiyong Parka41535b2021-09-10 19:31:48 +0900[diff] [blame]118 // Call the supplied function
119 f((supported[0], sections))
120}
Jooyung Han12a0b702021-08-05 23:20:31 +0900[diff] [blame]121
Jiyong Parka41535b2021-09-10 19:31:48 +0900[diff] [blame]122/// Gets the public key (in DER format) that was used to sign the given APK/APEX file
123pub fn get_public_key_der<P: AsRef<Path>>(path: P) -> Result<Box<[u8]>> {
124 let f = File::open(path.as_ref())?;
125 let mut sections = ApkSections::new(f)?;
126 find_signer_and_then(&mut sections, |(signer, _)| {
127 Ok(signer.public_key.to_vec().into_boxed_slice())
128 })
Jooyung Han12a0b702021-08-05 23:20:31 +0900[diff] [blame]129}
130
Alice Wanga94ba172022-09-08 15:25:31 +0000[diff] [blame]131/// Gets the v4 [apk_digest].
132///
133/// [apk_digest]: https://source.android.com/docs/security/apksigning/v4#apk-digest
Andrew Sculla11b83a2022-06-01 09:23:13 +0000[diff] [blame]134pub fn pick_v4_apk_digest<R: Read + Seek>(apk: R) -> Result<(u32, Box<[u8]>)> {
135 let mut sections = ApkSections::new(apk)?;
136 let mut block = sections.find_signature(APK_SIGNATURE_SCHEME_V3_BLOCK_ID)?;
137 let signers = block.read::<Signers>()?;
Alice Wanga94ba172022-09-08 15:25:31 +0000[diff] [blame]138 ensure!(signers.len() == 1, "should only have one signer");
Andrew Sculla11b83a2022-06-01 09:23:13 +0000[diff] [blame]139 signers[0].pick_v4_apk_digest()
140}
141
Jooyung Han12a0b702021-08-05 23:20:31 +0900[diff] [blame]142impl Signer {
Andrew Scull9173eb82022-06-01 09:17:14 +0000[diff] [blame]143 /// Select the signature that uses the strongest algorithm according to the preferences of the
144 /// v4 signing scheme.
145 fn strongest_signature(&self) -> Result<&Signature> {
146 Ok(self
Jooyung Han12a0b702021-08-05 23:20:31 +0900[diff] [blame]147 .signatures
148 .iter()
Alice Wang5d0f89a2022-09-15 15:06:10 +0000[diff] [blame]149 .filter(|sig| SignatureAlgorithmID::from_u32(sig.signature_algorithm_id).is_some())
150 .max_by_key(|sig| SignatureAlgorithmID::from_u32(sig.signature_algorithm_id).unwrap())
Andrew Scull9173eb82022-06-01 09:17:14 +0000[diff] [blame]151 .ok_or_else(|| anyhow!("No supported signatures found"))?)
152 }
153
Andrew Sculla11b83a2022-06-01 09:23:13 +0000[diff] [blame]154 fn pick_v4_apk_digest(&self) -> Result<(u32, Box<[u8]>)> {
155 let strongest = self.strongest_signature()?;
156 let signed_data: SignedData = self.signed_data.slice(..).read()?;
157 let digest = signed_data
158 .digests
159 .iter()
160 .find(|&dig| dig.signature_algorithm_id == strongest.signature_algorithm_id)
161 .ok_or_else(|| anyhow!("Digest not found"))?;
162 Ok((digest.signature_algorithm_id, digest.digest.as_ref().to_vec().into_boxed_slice()))
163 }
164
Alice Wangaf1d15b2022-09-09 11:09:51 +0000[diff] [blame]165 /// The steps in this method implements APK Signature Scheme v3 verification step 3.
Andrew Scull9173eb82022-06-01 09:17:14 +0000[diff] [blame]166 fn verify<R: Read + Seek>(&self, sections: &mut ApkSections<R>) -> Result<Box<[u8]>> {
167 // 1. Choose the strongest supported signature algorithm ID from signatures.
168 let strongest = self.strongest_signature()?;
Jooyung Han12a0b702021-08-05 23:20:31 +0900[diff] [blame]169
170 // 2. Verify the corresponding signature from signatures against signed data using public key.
171 // (It is now safe to parse signed data.)
Alice Wang79713d92022-07-14 15:10:03 +0000[diff] [blame]172 let public_key = PKey::public_key_from_der(self.public_key.as_ref())?;
173 verify_signed_data(&self.signed_data, strongest, &public_key)?;
Jooyung Han12a0b702021-08-05 23:20:31 +0900[diff] [blame]174
175 // It is now safe to parse signed data.
176 let signed_data: SignedData = self.signed_data.slice(..).read()?;
177
178 // 3. Verify the min and max SDK versions in the signed data match those specified for the
179 // signer.
180 if self.sdk_range() != signed_data.sdk_range() {
181 bail!("SDK versions mismatch between signed and unsigned in v3 signer block.");
182 }
Jooyung Hand8397852021-08-10 16:29:36 +0900[diff] [blame]183
184 // 4. Verify that the ordered list of signature algorithm IDs in digests and signatures is
185 // identical. (This is to prevent signature stripping/addition.)
186 if !self
187 .signatures
188 .iter()
189 .map(|sig| sig.signature_algorithm_id)
190 .eq(signed_data.digests.iter().map(|dig| dig.signature_algorithm_id))
191 {
192 bail!("Signature algorithms don't match between digests and signatures records");
193 }
194
195 // 5. Compute the digest of APK contents using the same digest algorithm as the digest
196 // algorithm used by the signature algorithm.
197 let digest = signed_data
198 .digests
199 .iter()
200 .find(|&dig| dig.signature_algorithm_id == strongest.signature_algorithm_id)
201 .unwrap(); // ok to unwrap since we check if two lists are the same above
202 let computed = sections.compute_digest(digest.signature_algorithm_id)?;
203
204 // 6. Verify that the computed digest is identical to the corresponding digest from digests.
205 if computed != digest.digest.as_ref() {
206 bail!(
Jooyung Han543e7122021-08-11 01:48:45 +0900[diff] [blame]207 "Digest mismatch: computed={:?} vs expected={:?}",
Jooyung Hand8397852021-08-10 16:29:36 +0900[diff] [blame]208 to_hex_string(&computed),
209 to_hex_string(&digest.digest),
210 );
211 }
212
Alice Wang79713d92022-07-14 15:10:03 +0000[diff] [blame]213 // 7. Verify that public key of the first certificate of certificates is identical
Jooyung Han543e7122021-08-11 01:48:45 +0900[diff] [blame]214 // to public key.
215 let cert = signed_data.certificates.first().context("No certificates listed")?;
Alice Wang79713d92022-07-14 15:10:03 +0000[diff] [blame]216 let cert = X509::from_der(cert.as_ref())?;
217 if !cert.public_key()?.public_eq(&public_key) {
Jooyung Han543e7122021-08-11 01:48:45 +0900[diff] [blame]218 bail!("Public key mismatch between certificate and signature record");
219 }
220
Alice Wang92889352022-09-16 10:42:52 +0000[diff] [blame^]221 // TODO(b/245914104)
222 // 8. If the proof-of-rotation attribute exists for the signer verify that the
223 // struct is valid and this signer is the last certificate in the list.
Jiyong Parka41535b2021-09-10 19:31:48 +0900[diff] [blame]224 Ok(self.public_key.to_vec().into_boxed_slice())
Jooyung Han12a0b702021-08-05 23:20:31 +0900[diff] [blame]225 }
226}
227
Alice Wang79713d92022-07-14 15:10:03 +0000[diff] [blame]228fn verify_signed_data(data: &Bytes, signature: &Signature, key: &PKey<pkey::Public>) -> Result<()> {
Andrew Scullc208eb42022-05-22 16:17:52 +0000[diff] [blame]229 let (pkey_id, padding, digest) = match signature.signature_algorithm_id {
230 SIGNATURE_RSA_PSS_WITH_SHA256 => {
231 (pkey::Id::RSA, Padding::PKCS1_PSS, MessageDigest::sha256())
Andrew Walbran117cd5e2021-08-13 11:42:13 +0000[diff] [blame]232 }
Andrew Scullc208eb42022-05-22 16:17:52 +0000[diff] [blame]233 SIGNATURE_RSA_PSS_WITH_SHA512 => {
234 (pkey::Id::RSA, Padding::PKCS1_PSS, MessageDigest::sha512())
235 }
236 SIGNATURE_RSA_PKCS1_V1_5_WITH_SHA256 | SIGNATURE_VERITY_RSA_PKCS1_V1_5_WITH_SHA256 => {
237 (pkey::Id::RSA, Padding::PKCS1, MessageDigest::sha256())
238 }
239 SIGNATURE_RSA_PKCS1_V1_5_WITH_SHA512 => {
240 (pkey::Id::RSA, Padding::PKCS1, MessageDigest::sha512())
241 }
242 SIGNATURE_ECDSA_WITH_SHA256 | SIGNATURE_VERITY_ECDSA_WITH_SHA256 => {
243 (pkey::Id::EC, Padding::NONE, MessageDigest::sha256())
244 }
Andrew Walbran117cd5e2021-08-13 11:42:13 +0000[diff] [blame]245 // TODO(b/190343842) not implemented signature algorithm
246 SIGNATURE_ECDSA_WITH_SHA512
247 | SIGNATURE_DSA_WITH_SHA256
248 | SIGNATURE_VERITY_DSA_WITH_SHA256 => {
249 bail!(
250 "TODO(b/190343842) not implemented signature algorithm: {:#x}",
251 signature.signature_algorithm_id
252 );
253 }
254 _ => bail!("Unsupported signature algorithm: {:#x}", signature.signature_algorithm_id),
255 };
Andrew Scullc208eb42022-05-22 16:17:52 +0000[diff] [blame]256 ensure!(key.id() == pkey_id, "Public key has the wrong ID");
Alice Wang79713d92022-07-14 15:10:03 +0000[diff] [blame]257 let mut verifier = Verifier::new(digest, key)?;
Andrew Scullc208eb42022-05-22 16:17:52 +0000[diff] [blame]258 if pkey_id == pkey::Id::RSA {
259 verifier.set_rsa_padding(padding)?;
260 }
261 verifier.update(data)?;
262 let verified = verifier.verify(&signature.signature)?;
263 ensure!(verified, "Signature is invalid ");
Jooyung Han12a0b702021-08-05 23:20:31 +0900[diff] [blame]264 Ok(())
265}
266
267// ReadFromBytes implementations
Alice Wang92889352022-09-16 10:42:52 +0000[diff] [blame^]268// TODO(b/190343842): add derive macro: #[derive(ReadFromBytes)]
Jooyung Han12a0b702021-08-05 23:20:31 +0900[diff] [blame]269
270impl ReadFromBytes for Signer {
271 fn read_from_bytes(buf: &mut Bytes) -> Result<Self> {
272 Ok(Self {
273 signed_data: buf.read()?,
274 min_sdk: buf.read()?,
275 max_sdk: buf.read()?,
276 signatures: buf.read()?,
277 public_key: buf.read()?,
278 })
279 }
280}
281
282impl ReadFromBytes for SignedData {
283 fn read_from_bytes(buf: &mut Bytes) -> Result<Self> {
284 Ok(Self {
285 digests: buf.read()?,
286 certificates: buf.read()?,
287 min_sdk: buf.read()?,
288 max_sdk: buf.read()?,
289 additional_attributes: buf.read()?,
290 })
291 }
292}
293
294impl ReadFromBytes for Signature {
295 fn read_from_bytes(buf: &mut Bytes) -> Result<Self> {
296 Ok(Signature { signature_algorithm_id: buf.read()?, signature: buf.read()? })
297 }
298}
299
300impl ReadFromBytes for Digest {
301 fn read_from_bytes(buf: &mut Bytes) -> Result<Self> {
302 Ok(Self { signature_algorithm_id: buf.read()?, digest: buf.read()? })
303 }
304}
Jooyung Hand8397852021-08-10 16:29:36 +0900[diff] [blame]305
306#[inline]
Alice Wang98073222022-09-09 14:08:19 +0000[diff] [blame]307pub(crate) fn to_hex_string(buf: &[u8]) -> String {
Jooyung Hand8397852021-08-10 16:29:36 +0900[diff] [blame]308 buf.iter().map(|b| format!("{:02X}", b)).collect()
309}
Alice Wanga94ba172022-09-08 15:25:31 +0000[diff] [blame]310
311#[cfg(test)]
312mod tests {
313 use super::*;
314 use std::fs::File;
315
316 #[test]
317 fn test_pick_v4_apk_digest_only_with_v3_dsa_sha256() {
318 check_v4_apk_digest(
319 "tests/data/v3-only-with-dsa-sha256-1024.apk",
320 SIGNATURE_DSA_WITH_SHA256,
321 "0DF2426EA33AEDAF495D88E5BE0C6A1663FF0A81C5ED12D5B2929AE4B4300F2F",
322 );
323 }
324
325 #[test]
326 fn test_pick_v4_apk_digest_only_with_v3_pkcs1_sha512() {
327 check_v4_apk_digest(
328 "tests/data/v3-only-with-rsa-pkcs1-sha512-1024.apk",
329 SIGNATURE_RSA_PKCS1_V1_5_WITH_SHA512,
330 "9B9AE02DA60B18999BF541790F00D380006FDF0655C3C482AA0BB0AF17CF7A42\
331 ECF56B973518546C9080B2FEF83027E895ED2882BFC88EA19790BBAB29AF53B3",
332 );
333 }
334
335 fn check_v4_apk_digest(apk_filename: &str, expected_algorithm: u32, expected_digest: &str) {
336 let apk_file = File::open(apk_filename).unwrap();
337 let (signature_algorithm_id, apk_digest) = pick_v4_apk_digest(apk_file).unwrap();
338
339 assert_eq!(expected_algorithm, signature_algorithm_id);
340 assert_eq!(expected_digest, to_hex_string(apk_digest.as_ref()));
341 }
342}