blob: a295f5e94c568a65761159b709092bc137eb3278 [file] [log] [blame]
Jooyung Han12a0b702021-08-05 23:20:31 +09001/*
2 * Copyright (C) 2021 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
Andrew Walbran117cd5e2021-08-13 11:42:13 +000017use apkverify::{testing::assert_contains, verify};
Jooyung Hancee6de62021-08-11 15:52:07 +090018use std::matches;
Jooyung Hand8397852021-08-10 16:29:36 +090019
Seungjae Yoo91e250a2022-06-07 02:21:56 +000020const KEY_NAMES_DSA: &[&str] = &["1024", "2048", "3072"];
21const KEY_NAMES_ECDSA: &[&str] = &["p256", "p384", "p521"];
22const KEY_NAMES_RSA: &[&str] = &["1024", "2048", "3072", "4096", "8192", "16384"];
Jooyung Hancee6de62021-08-11 15:52:07 +090023
24#[test]
25fn test_verify_truncated_cd() {
26 use zip::result::ZipError;
27 let res = verify("tests/data/v2-only-truncated-cd.apk");
Alice Wang92889352022-09-16 10:42:52 +000028 // TODO(b/190343842): consider making a helper for err assertion
Jooyung Hancee6de62021-08-11 15:52:07 +090029 assert!(matches!(
Andrew Walbran117cd5e2021-08-13 11:42:13 +000030 res.unwrap_err().root_cause().downcast_ref::<ZipError>().unwrap(),
Jooyung Hancee6de62021-08-11 15:52:07 +090031 ZipError::InvalidArchive(_),
32 ));
33}
Seungjae Yoo91e250a2022-06-07 02:21:56 +000034
35#[test]
36fn test_verify_v3() {
37 assert!(verify("tests/data/test.apex").is_ok());
38}
39
Seungjae Yoo91e250a2022-06-07 02:21:56 +000040#[test]
41fn test_verify_v3_dsa_sha256() {
42 for key_name in KEY_NAMES_DSA.iter() {
43 let res = verify(format!("tests/data/v3-only-with-dsa-sha256-{}.apk", key_name));
44 assert!(res.is_err());
45 assert_contains(
46 &res.unwrap_err().to_string(),
47 "TODO(b/190343842) not implemented signature algorithm",
48 );
49 }
50}
51
52#[test]
53fn test_verify_v3_ecdsa_sha256() {
54 for key_name in KEY_NAMES_ECDSA.iter() {
55 assert!(verify(format!("tests/data/v3-only-with-ecdsa-sha256-{}.apk", key_name)).is_ok());
56 }
57}
58
Seungjae Yoo91e250a2022-06-07 02:21:56 +000059#[test]
60fn test_verify_v3_ecdsa_sha512() {
61 for key_name in KEY_NAMES_ECDSA.iter() {
62 let res = verify(format!("tests/data/v3-only-with-ecdsa-sha512-{}.apk", key_name));
63 assert!(res.is_err());
64 assert_contains(
65 &res.unwrap_err().to_string(),
66 "TODO(b/190343842) not implemented signature algorithm",
67 );
68 }
69}
70
71#[test]
72fn test_verify_v3_rsa_sha256() {
73 for key_name in KEY_NAMES_RSA.iter() {
74 assert!(
75 verify(format!("tests/data/v3-only-with-rsa-pkcs1-sha256-{}.apk", key_name)).is_ok()
76 );
77 }
78}
79
80#[test]
81fn test_verify_v3_rsa_sha512() {
82 for key_name in KEY_NAMES_RSA.iter() {
83 assert!(
84 verify(format!("tests/data/v3-only-with-rsa-pkcs1-sha512-{}.apk", key_name)).is_ok()
85 );
86 }
87}
88
Seungjae Yoo91e250a2022-06-07 02:21:56 +000089#[test]
90fn test_verify_v3_sig_does_not_verify() {
91 let path_list = [
92 "tests/data/v3-only-with-dsa-sha256-2048-sig-does-not-verify.apk",
93 "tests/data/v3-only-with-ecdsa-sha512-p521-sig-does-not-verify.apk",
94 "tests/data/v3-only-with-rsa-pkcs1-sha256-3072-sig-does-not-verify.apk",
95 ];
96 for path in path_list.iter() {
97 let res = verify(path);
98 assert!(res.is_err());
99 let error_msg = &res.unwrap_err().to_string();
100 assert!(
101 error_msg.contains("Signature is invalid")
102 || error_msg.contains("TODO(b/190343842) not implemented signature algorithm")
103 );
104 }
105}
106
Seungjae Yoo91e250a2022-06-07 02:21:56 +0000107#[test]
108fn test_verify_v3_digest_mismatch() {
109 let path_list = [
110 "tests/data/v3-only-with-dsa-sha256-3072-digest-mismatch.apk",
111 "tests/data/v3-only-with-rsa-pkcs1-sha512-8192-digest-mismatch.apk",
112 ];
113 for path in path_list.iter() {
114 let res = verify(path);
115 assert!(res.is_err());
116 let error_msg = &res.unwrap_err().to_string();
117 assert!(
118 error_msg.contains("Digest mismatch")
119 || error_msg.contains("TODO(b/190343842) not implemented signature algorithm")
120 );
121 }
122}
123
124#[test]
125fn test_verify_v3_wrong_apk_sig_block_magic() {
126 let res = verify("tests/data/v3-only-with-ecdsa-sha512-p384-wrong-apk-sig-block-magic.apk");
127 assert!(res.is_err());
128 assert_contains(&res.unwrap_err().to_string(), "No APK Signing Block");
129}
130
131#[test]
132fn test_verify_v3_apk_sig_block_size_mismatch() {
133 let res =
134 verify("tests/data/v3-only-with-rsa-pkcs1-sha512-4096-apk-sig-block-size-mismatch.apk");
135 assert!(res.is_err());
136 assert_contains(
137 &res.unwrap_err().to_string(),
138 "APK Signing Block sizes in header and footer do not match",
139 );
140}
141
142#[test]
143fn test_verify_v3_cert_and_public_key_mismatch() {
144 let res = verify("tests/data/v3-only-cert-and-public-key-mismatch.apk");
145 assert!(res.is_err());
146 assert_contains(&res.unwrap_err().to_string(), "Public key mismatch");
147}
148
149#[test]
150fn test_verify_v3_empty() {
151 let res = verify("tests/data/v3-only-empty.apk");
152 assert!(res.is_err());
153 assert_contains(&res.unwrap_err().to_string(), "APK too small for APK Signing Block");
154}
155
156#[test]
157fn test_verify_v3_no_certs_in_sig() {
158 let res = verify("tests/data/v3-only-no-certs-in-sig.apk");
159 assert!(res.is_err());
160 assert_contains(&res.unwrap_err().to_string(), "No certificates listed");
161}
162
163#[test]
164fn test_verify_v3_no_supported_sig_algs() {
165 let res = verify("tests/data/v3-only-no-supported-sig-algs.apk");
166 assert!(res.is_err());
167 assert_contains(&res.unwrap_err().to_string(), "No supported signatures found");
168}
169
170#[test]
171fn test_verify_v3_signatures_and_digests_block_mismatch() {
172 let res = verify("tests/data/v3-only-signatures-and-digests-block-mismatch.apk");
173 assert!(res.is_err());
174 assert_contains(
175 &res.unwrap_err().to_string(),
176 "Signature algorithms don't match between digests and signatures records",
177 );
178}
179
180#[test]
181fn test_verify_v3_unknown_additional_attr() {
182 assert!(verify("tests/data/v3-only-unknown-additional-attr.apk").is_ok());
183}
184
185#[test]
186fn test_verify_v3_unknown_pair_in_apk_sig_block() {
187 assert!(verify("tests/data/v3-only-unknown-pair-in-apk-sig-block.apk").is_ok());
188}
189
190#[test]
191fn test_verify_v3_ignorable_unsupported_sig_algs() {
192 assert!(verify("tests/data/v3-only-with-ignorable-unsupported-sig-algs.apk").is_ok());
193}
194
195#[test]
196fn test_verify_v3_stamp() {
197 assert!(verify("tests/data/v3-only-with-stamp.apk").is_ok());
198}