blob: d429ba15e7e682a43eed9480f944cd9857f072c1 [file] [log] [blame]
Jooyung Han12a0b702021-08-05 23:20:31 +09001/*
2 * Copyright (C) 2021 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17//! Verifies APK Signature Scheme V3
Alice Wangaf1d15b2022-09-09 11:09:51 +000018//!
19//! [v3 verification]: https://source.android.com/security/apksigning/v3#verification
Jooyung Han12a0b702021-08-05 23:20:31 +090020
Andrew Scullc208eb42022-05-22 16:17:52 +000021use anyhow::{anyhow, bail, ensure, Context, Result};
Jooyung Han12a0b702021-08-05 23:20:31 +090022use bytes::Bytes;
Andrew Scullc208eb42022-05-22 16:17:52 +000023use openssl::hash::MessageDigest;
24use openssl::pkey::{self, PKey};
25use openssl::rsa::Padding;
26use openssl::sign::Verifier;
Alice Wang79713d92022-07-14 15:10:03 +000027use openssl::x509::X509;
Jooyung Han12a0b702021-08-05 23:20:31 +090028use std::fs::File;
Jooyung Hand8397852021-08-10 16:29:36 +090029use std::io::{Read, Seek};
Jooyung Han12a0b702021-08-05 23:20:31 +090030use std::ops::Range;
31use std::path::Path;
32
33use crate::bytes_ext::{BytesExt, LengthPrefixed, ReadFromBytes};
Jooyung Han5b4c70e2021-08-09 16:36:13 +090034use crate::sigutil::*;
Jooyung Han12a0b702021-08-05 23:20:31 +090035
36pub const APK_SIGNATURE_SCHEME_V3_BLOCK_ID: u32 = 0xf05368c0;
37
38// TODO(jooyung): get "ro.build.version.sdk"
39const SDK_INT: u32 = 31;
40
Jooyung Han12a0b702021-08-05 23:20:31 +090041type Signers = LengthPrefixed<Vec<LengthPrefixed<Signer>>>;
42
43struct Signer {
44 signed_data: LengthPrefixed<Bytes>, // not verified yet
45 min_sdk: u32,
46 max_sdk: u32,
47 signatures: LengthPrefixed<Vec<LengthPrefixed<Signature>>>,
Andrew Walbran117cd5e2021-08-13 11:42:13 +000048 public_key: LengthPrefixed<Bytes>,
Jooyung Han12a0b702021-08-05 23:20:31 +090049}
50
51impl Signer {
52 fn sdk_range(&self) -> Range<u32> {
53 self.min_sdk..self.max_sdk
54 }
55}
56
57struct SignedData {
58 digests: LengthPrefixed<Vec<LengthPrefixed<Digest>>>,
59 certificates: LengthPrefixed<Vec<LengthPrefixed<X509Certificate>>>,
60 min_sdk: u32,
61 max_sdk: u32,
Alice Wang4b7c0ba2022-09-07 15:12:36 +000062 #[allow(dead_code)]
Jooyung Han12a0b702021-08-05 23:20:31 +090063 additional_attributes: LengthPrefixed<Vec<LengthPrefixed<AdditionalAttributes>>>,
64}
65
66impl SignedData {
67 fn sdk_range(&self) -> Range<u32> {
68 self.min_sdk..self.max_sdk
69 }
70}
71
Jooyung Han5b4c70e2021-08-09 16:36:13 +090072#[derive(Debug)]
Jooyung Han12a0b702021-08-05 23:20:31 +090073struct Signature {
74 signature_algorithm_id: u32,
75 signature: LengthPrefixed<Bytes>,
76}
77
78struct Digest {
79 signature_algorithm_id: u32,
80 digest: LengthPrefixed<Bytes>,
81}
82
83type X509Certificate = Bytes;
84type AdditionalAttributes = Bytes;
85
Jiyong Parka41535b2021-09-10 19:31:48 +090086/// Verifies APK Signature Scheme v3 signatures of the provided APK and returns the public key
Andrew Scullf3fd4c62022-05-22 14:41:21 +000087/// associated with the signer in DER format.
Jiyong Parka41535b2021-09-10 19:31:48 +090088pub fn verify<P: AsRef<Path>>(path: P) -> Result<Box<[u8]>> {
Jooyung Han5d94bfc2021-08-06 14:07:49 +090089 let f = File::open(path.as_ref())?;
Jooyung Hand8397852021-08-10 16:29:36 +090090 let mut sections = ApkSections::new(f)?;
Jiyong Parka41535b2021-09-10 19:31:48 +090091 find_signer_and_then(&mut sections, |(signer, sections)| signer.verify(sections))
Jooyung Han12a0b702021-08-05 23:20:31 +090092}
93
Jiyong Parka41535b2021-09-10 19:31:48 +090094/// Finds the supported signer and execute a function on it.
95fn find_signer_and_then<R, U, F>(sections: &mut ApkSections<R>, f: F) -> Result<U>
96where
97 R: Read + Seek,
98 F: FnOnce((&Signer, &mut ApkSections<R>)) -> Result<U>,
99{
Jooyung Hand8397852021-08-10 16:29:36 +0900100 let mut block = sections.find_signature(APK_SIGNATURE_SCHEME_V3_BLOCK_ID)?;
Jooyung Han12a0b702021-08-05 23:20:31 +0900101 // parse v3 scheme block
Jooyung Hand8397852021-08-10 16:29:36 +0900102 let signers = block.read::<Signers>()?;
Jooyung Han12a0b702021-08-05 23:20:31 +0900103
104 // find supported by platform
Jiyong Parka41535b2021-09-10 19:31:48 +0900105 let supported = signers.iter().filter(|s| s.sdk_range().contains(&SDK_INT)).collect::<Vec<_>>();
Jooyung Han12a0b702021-08-05 23:20:31 +0900106
107 // there should be exactly one
108 if supported.len() != 1 {
Jiyong Parka41535b2021-09-10 19:31:48 +0900109 bail!(
110 "APK Signature Scheme V3 only supports one signer: {} signers found.",
111 supported.len()
112 )
Jooyung Han12a0b702021-08-05 23:20:31 +0900113 }
114
Jiyong Parka41535b2021-09-10 19:31:48 +0900115 // Call the supplied function
116 f((supported[0], sections))
117}
Jooyung Han12a0b702021-08-05 23:20:31 +0900118
Jiyong Parka41535b2021-09-10 19:31:48 +0900119/// Gets the public key (in DER format) that was used to sign the given APK/APEX file
120pub fn get_public_key_der<P: AsRef<Path>>(path: P) -> Result<Box<[u8]>> {
121 let f = File::open(path.as_ref())?;
122 let mut sections = ApkSections::new(f)?;
123 find_signer_and_then(&mut sections, |(signer, _)| {
124 Ok(signer.public_key.to_vec().into_boxed_slice())
125 })
Jooyung Han12a0b702021-08-05 23:20:31 +0900126}
127
Alice Wanga94ba172022-09-08 15:25:31 +0000128/// Gets the v4 [apk_digest].
129///
130/// [apk_digest]: https://source.android.com/docs/security/apksigning/v4#apk-digest
Andrew Sculla11b83a2022-06-01 09:23:13 +0000131pub fn pick_v4_apk_digest<R: Read + Seek>(apk: R) -> Result<(u32, Box<[u8]>)> {
132 let mut sections = ApkSections::new(apk)?;
133 let mut block = sections.find_signature(APK_SIGNATURE_SCHEME_V3_BLOCK_ID)?;
134 let signers = block.read::<Signers>()?;
Alice Wanga94ba172022-09-08 15:25:31 +0000135 ensure!(signers.len() == 1, "should only have one signer");
Andrew Sculla11b83a2022-06-01 09:23:13 +0000136 signers[0].pick_v4_apk_digest()
137}
138
Jooyung Han12a0b702021-08-05 23:20:31 +0900139impl Signer {
Andrew Scull9173eb82022-06-01 09:17:14 +0000140 /// Select the signature that uses the strongest algorithm according to the preferences of the
141 /// v4 signing scheme.
142 fn strongest_signature(&self) -> Result<&Signature> {
143 Ok(self
Jooyung Han12a0b702021-08-05 23:20:31 +0900144 .signatures
145 .iter()
146 .filter(|sig| is_supported_signature_algorithm(sig.signature_algorithm_id))
Alice Wanga94ba172022-09-08 15:25:31 +0000147 .max_by_key(|sig| get_signature_algorithm_rank(sig.signature_algorithm_id).unwrap())
Andrew Scull9173eb82022-06-01 09:17:14 +0000148 .ok_or_else(|| anyhow!("No supported signatures found"))?)
149 }
150
Andrew Sculla11b83a2022-06-01 09:23:13 +0000151 fn pick_v4_apk_digest(&self) -> Result<(u32, Box<[u8]>)> {
152 let strongest = self.strongest_signature()?;
153 let signed_data: SignedData = self.signed_data.slice(..).read()?;
154 let digest = signed_data
155 .digests
156 .iter()
157 .find(|&dig| dig.signature_algorithm_id == strongest.signature_algorithm_id)
158 .ok_or_else(|| anyhow!("Digest not found"))?;
159 Ok((digest.signature_algorithm_id, digest.digest.as_ref().to_vec().into_boxed_slice()))
160 }
161
Alice Wangaf1d15b2022-09-09 11:09:51 +0000162 /// The steps in this method implements APK Signature Scheme v3 verification step 3.
Andrew Scull9173eb82022-06-01 09:17:14 +0000163 fn verify<R: Read + Seek>(&self, sections: &mut ApkSections<R>) -> Result<Box<[u8]>> {
164 // 1. Choose the strongest supported signature algorithm ID from signatures.
165 let strongest = self.strongest_signature()?;
Jooyung Han12a0b702021-08-05 23:20:31 +0900166
167 // 2. Verify the corresponding signature from signatures against signed data using public key.
168 // (It is now safe to parse signed data.)
Alice Wang79713d92022-07-14 15:10:03 +0000169 let public_key = PKey::public_key_from_der(self.public_key.as_ref())?;
170 verify_signed_data(&self.signed_data, strongest, &public_key)?;
Jooyung Han12a0b702021-08-05 23:20:31 +0900171
172 // It is now safe to parse signed data.
173 let signed_data: SignedData = self.signed_data.slice(..).read()?;
174
175 // 3. Verify the min and max SDK versions in the signed data match those specified for the
176 // signer.
177 if self.sdk_range() != signed_data.sdk_range() {
178 bail!("SDK versions mismatch between signed and unsigned in v3 signer block.");
179 }
Jooyung Hand8397852021-08-10 16:29:36 +0900180
181 // 4. Verify that the ordered list of signature algorithm IDs in digests and signatures is
182 // identical. (This is to prevent signature stripping/addition.)
183 if !self
184 .signatures
185 .iter()
186 .map(|sig| sig.signature_algorithm_id)
187 .eq(signed_data.digests.iter().map(|dig| dig.signature_algorithm_id))
188 {
189 bail!("Signature algorithms don't match between digests and signatures records");
190 }
191
192 // 5. Compute the digest of APK contents using the same digest algorithm as the digest
193 // algorithm used by the signature algorithm.
194 let digest = signed_data
195 .digests
196 .iter()
197 .find(|&dig| dig.signature_algorithm_id == strongest.signature_algorithm_id)
198 .unwrap(); // ok to unwrap since we check if two lists are the same above
199 let computed = sections.compute_digest(digest.signature_algorithm_id)?;
200
201 // 6. Verify that the computed digest is identical to the corresponding digest from digests.
202 if computed != digest.digest.as_ref() {
203 bail!(
Jooyung Han543e7122021-08-11 01:48:45 +0900204 "Digest mismatch: computed={:?} vs expected={:?}",
Jooyung Hand8397852021-08-10 16:29:36 +0900205 to_hex_string(&computed),
206 to_hex_string(&digest.digest),
207 );
208 }
209
Alice Wang79713d92022-07-14 15:10:03 +0000210 // 7. Verify that public key of the first certificate of certificates is identical
Jooyung Han543e7122021-08-11 01:48:45 +0900211 // to public key.
212 let cert = signed_data.certificates.first().context("No certificates listed")?;
Alice Wang79713d92022-07-14 15:10:03 +0000213 let cert = X509::from_der(cert.as_ref())?;
214 if !cert.public_key()?.public_eq(&public_key) {
Jooyung Han543e7122021-08-11 01:48:45 +0900215 bail!("Public key mismatch between certificate and signature record");
216 }
217
Jooyung Han12a0b702021-08-05 23:20:31 +0900218 // TODO(jooyung) 8. If the proof-of-rotation attribute exists for the signer verify that the struct is valid and this signer is the last certificate in the list.
Jiyong Parka41535b2021-09-10 19:31:48 +0900219 Ok(self.public_key.to_vec().into_boxed_slice())
Jooyung Han12a0b702021-08-05 23:20:31 +0900220 }
221}
222
Alice Wang79713d92022-07-14 15:10:03 +0000223fn verify_signed_data(data: &Bytes, signature: &Signature, key: &PKey<pkey::Public>) -> Result<()> {
Andrew Scullc208eb42022-05-22 16:17:52 +0000224 let (pkey_id, padding, digest) = match signature.signature_algorithm_id {
225 SIGNATURE_RSA_PSS_WITH_SHA256 => {
226 (pkey::Id::RSA, Padding::PKCS1_PSS, MessageDigest::sha256())
Andrew Walbran117cd5e2021-08-13 11:42:13 +0000227 }
Andrew Scullc208eb42022-05-22 16:17:52 +0000228 SIGNATURE_RSA_PSS_WITH_SHA512 => {
229 (pkey::Id::RSA, Padding::PKCS1_PSS, MessageDigest::sha512())
230 }
231 SIGNATURE_RSA_PKCS1_V1_5_WITH_SHA256 | SIGNATURE_VERITY_RSA_PKCS1_V1_5_WITH_SHA256 => {
232 (pkey::Id::RSA, Padding::PKCS1, MessageDigest::sha256())
233 }
234 SIGNATURE_RSA_PKCS1_V1_5_WITH_SHA512 => {
235 (pkey::Id::RSA, Padding::PKCS1, MessageDigest::sha512())
236 }
237 SIGNATURE_ECDSA_WITH_SHA256 | SIGNATURE_VERITY_ECDSA_WITH_SHA256 => {
238 (pkey::Id::EC, Padding::NONE, MessageDigest::sha256())
239 }
Andrew Walbran117cd5e2021-08-13 11:42:13 +0000240 // TODO(b/190343842) not implemented signature algorithm
241 SIGNATURE_ECDSA_WITH_SHA512
242 | SIGNATURE_DSA_WITH_SHA256
243 | SIGNATURE_VERITY_DSA_WITH_SHA256 => {
244 bail!(
245 "TODO(b/190343842) not implemented signature algorithm: {:#x}",
246 signature.signature_algorithm_id
247 );
248 }
249 _ => bail!("Unsupported signature algorithm: {:#x}", signature.signature_algorithm_id),
250 };
Andrew Scullc208eb42022-05-22 16:17:52 +0000251 ensure!(key.id() == pkey_id, "Public key has the wrong ID");
Alice Wang79713d92022-07-14 15:10:03 +0000252 let mut verifier = Verifier::new(digest, key)?;
Andrew Scullc208eb42022-05-22 16:17:52 +0000253 if pkey_id == pkey::Id::RSA {
254 verifier.set_rsa_padding(padding)?;
255 }
256 verifier.update(data)?;
257 let verified = verifier.verify(&signature.signature)?;
258 ensure!(verified, "Signature is invalid ");
Jooyung Han12a0b702021-08-05 23:20:31 +0900259 Ok(())
260}
261
262// ReadFromBytes implementations
263// TODO(jooyung): add derive macro: #[derive(ReadFromBytes)]
264
265impl ReadFromBytes for Signer {
266 fn read_from_bytes(buf: &mut Bytes) -> Result<Self> {
267 Ok(Self {
268 signed_data: buf.read()?,
269 min_sdk: buf.read()?,
270 max_sdk: buf.read()?,
271 signatures: buf.read()?,
272 public_key: buf.read()?,
273 })
274 }
275}
276
277impl ReadFromBytes for SignedData {
278 fn read_from_bytes(buf: &mut Bytes) -> Result<Self> {
279 Ok(Self {
280 digests: buf.read()?,
281 certificates: buf.read()?,
282 min_sdk: buf.read()?,
283 max_sdk: buf.read()?,
284 additional_attributes: buf.read()?,
285 })
286 }
287}
288
289impl ReadFromBytes for Signature {
290 fn read_from_bytes(buf: &mut Bytes) -> Result<Self> {
291 Ok(Signature { signature_algorithm_id: buf.read()?, signature: buf.read()? })
292 }
293}
294
295impl ReadFromBytes for Digest {
296 fn read_from_bytes(buf: &mut Bytes) -> Result<Self> {
297 Ok(Self { signature_algorithm_id: buf.read()?, digest: buf.read()? })
298 }
299}
Jooyung Hand8397852021-08-10 16:29:36 +0900300
301#[inline]
Alice Wang98073222022-09-09 14:08:19 +0000302pub(crate) fn to_hex_string(buf: &[u8]) -> String {
Jooyung Hand8397852021-08-10 16:29:36 +0900303 buf.iter().map(|b| format!("{:02X}", b)).collect()
304}
Alice Wanga94ba172022-09-08 15:25:31 +0000305
306#[cfg(test)]
307mod tests {
308 use super::*;
309 use std::fs::File;
310
311 #[test]
312 fn test_pick_v4_apk_digest_only_with_v3_dsa_sha256() {
313 check_v4_apk_digest(
314 "tests/data/v3-only-with-dsa-sha256-1024.apk",
315 SIGNATURE_DSA_WITH_SHA256,
316 "0DF2426EA33AEDAF495D88E5BE0C6A1663FF0A81C5ED12D5B2929AE4B4300F2F",
317 );
318 }
319
320 #[test]
321 fn test_pick_v4_apk_digest_only_with_v3_pkcs1_sha512() {
322 check_v4_apk_digest(
323 "tests/data/v3-only-with-rsa-pkcs1-sha512-1024.apk",
324 SIGNATURE_RSA_PKCS1_V1_5_WITH_SHA512,
325 "9B9AE02DA60B18999BF541790F00D380006FDF0655C3C482AA0BB0AF17CF7A42\
326 ECF56B973518546C9080B2FEF83027E895ED2882BFC88EA19790BBAB29AF53B3",
327 );
328 }
329
330 fn check_v4_apk_digest(apk_filename: &str, expected_algorithm: u32, expected_digest: &str) {
331 let apk_file = File::open(apk_filename).unwrap();
332 let (signature_algorithm_id, apk_digest) = pick_v4_apk_digest(apk_file).unwrap();
333
334 assert_eq!(expected_algorithm, signature_algorithm_id);
335 assert_eq!(expected_digest, to_hex_string(apk_digest.as_ref()));
336 }
337}