Convert the app signature check to use SHA-256 instead of SHA1.
Test:atest cts/tests/tests/telephony/current/src/android/telephony/cts/TelephonyManagerTest.java
Test2:atest cts/tests/tests/telephony/current/src/android/telephony/cts/TelephonyManagerTestOnMockModem.java
Test3: manual test with Fi's TychoApk-debug.apk
Bug: 321868791
Bug: 326325598
Change-Id: I96cb01864b3db3640664d549337fbe30aee262c9
diff --git a/assets/CarrierRestrictionOperatorDetails.json b/assets/CarrierRestrictionOperatorDetails.json
index 596ab75..68d066e 100644
--- a/assets/CarrierRestrictionOperatorDetails.json
+++ b/assets/CarrierRestrictionOperatorDetails.json
@@ -1,10 +1,10 @@
{
- "_comment": "Operator should register with its application package name, carrierId and all the corresponding SHAIDs",
- "_comment": "Example format :: << \"packageName\" : {\"carrierId\":<int>, \"callerSHA1Id\":[<SHAID1>, <SHAID2>]} >>",
- "com.vzw.hss.myverizon":{"carrierIds":[1839],"callerSHA1Id":["C58EE7871896786F8BF70EBDB137DE10074043E9","AE23A03436DF07B0CD70FE881CDA2EC1D21215D7B7B0CC68E67B67F5DF89526A"]},
- "com.google.android.apps.tycho":{"carrierIds":[1989],"callerSHA1Id":["B9CFCE1C47A6AC713442718F15EF55B00B3A6D1A6D48CB46249FA8EB51465350","4C36AF4A5BDAD97C1F3D8B283416D244496C2AC5EAFE8226079EF6F676FD1859"]},
- "com.comcast.mobile.mxs":{"carrierIds": [2032, 2532, 2556],"callerSHA1Id":["CB16D6A0BEA2F4ED808107408104B2DB3258DF52","914C26403B57D2D482359FC235CC825AD00D52B0121C18EF2B2B9D4DDA4B8996"]},
- "com.xfinity.digitalhome": {"carrierIds": [2032],"callerSHA1Id":["be268ab5b6126ce1abd6c3131b33b6d02e44d717","31b4c17315c2269040d535f7b6a79cf4d11517c664d9de8f1ddf4f8a785aad47"]},
- "com.xfinity.digitalhome.debug":{"carrierIds": [2032],"callerSHA1Id":["611f61225138a566428f34e927ad5f2a02fd151e","c9133e8168f97573c8c567f46777dff74ade0c015ecf2c5e91be3e4e76ddcae2"]},
- "com.xfinity.dh.xm.app": {"carrierIds": [2032],"callerSHA1Id":["611f61225138a566428f34e927ad5f2a02fd151e","c9133e8168f97573c8c567f46777dff74ade0c015ecf2c5e91be3e4e76ddcae2"]}
+ "_comment": "Operator should register with its application package name, carrierId and all the corresponding SHA256IDs",
+ "_comment": "Example format :: << \"packageName\" : {\"carrierId\":[<int>], \"callerSHA256Ids\":[<SHAID1>, <SHAID2>]} >>",
+ "com.vzw.hss.myverizon":{"carrierIds":[1839],"callerSHA256Ids":["AE23A03436DF07B0CD70FE881CDA2EC1D21215D7B7B0CC68E67B67F5DF89526A"]},
+ "com.google.android.apps.tycho":{"carrierIds":[1989],"callerSHA256Ids":["B9CFCE1C47A6AC713442718F15EF55B00B3A6D1A6D48CB46249FA8EB51465350","4C36AF4A5BDAD97C1F3D8B283416D244496C2AC5EAFE8226079EF6F676FD1859"]},
+ "com.comcast.mobile.mxs":{"carrierIds": [2032, 2532, 2556],"callerSHA256Ids":["914C26403B57D2D482359FC235CC825AD00D52B0121C18EF2B2B9D4DDA4B8996"]},
+ "com.xfinity.digitalhome": {"carrierIds": [2032],"callerSHA256Ids":["31b4c17315c2269040d535f7b6a79cf4d11517c664d9de8f1ddf4f8a785aad47"]},
+ "com.xfinity.digitalhome.debug":{"carrierIds": [2032],"callerSHA256Ids":["c9133e8168f97573c8c567f46777dff74ade0c015ecf2c5e91be3e4e76ddcae2"]},
+ "com.xfinity.dh.xm.app": {"carrierIds": [2032],"callerSHA256Ids":["c9133e8168f97573c8c567f46777dff74ade0c015ecf2c5e91be3e4e76ddcae2"]}
}
\ No newline at end of file
diff --git a/src/com/android/phone/TelephonyShellCommand.java b/src/com/android/phone/TelephonyShellCommand.java
index 429b7cc..80304b2 100644
--- a/src/com/android/phone/TelephonyShellCommand.java
+++ b/src/com/android/phone/TelephonyShellCommand.java
@@ -3883,7 +3883,7 @@
/**
* Building the string that can be used to build the JsonObject which supports to stub the data
* in CarrierAllowListInfo for CTS testing. sample format is like
- * {"com.android.example":{"carrierIds":[10000],"callerSHA1Id":["XXXXXXXXXXXXXX"]}}
+ * {"com.android.example":{"carrierIds":[10000],"callerSHA256Ids":["XXXXXXXXXXXXXX"]}}
*/
private String convertToJsonString(int index, String param) {
diff --git a/src/com/android/phone/utils/CarrierAllowListInfo.java b/src/com/android/phone/utils/CarrierAllowListInfo.java
index 62b71ff..3ab9733 100644
--- a/src/com/android/phone/utils/CarrierAllowListInfo.java
+++ b/src/com/android/phone/utils/CarrierAllowListInfo.java
@@ -23,7 +23,6 @@
import android.content.pm.Signature;
import android.telephony.Rlog;
import android.text.TextUtils;
-import android.util.Log;
import com.android.internal.telephony.uicc.IccUtils;
@@ -46,8 +45,8 @@
private static final String LOG_TAG = "CarrierAllowListInfo";
private JSONObject mDataJSON;
private static final String JSON_CHARSET = "UTF-8";
- private static final String MESSAGE_DIGEST_ALGORITHM = "SHA1";
- private static final String CALLER_SHA_1_ID = "callerSHA1Id";
+ private static final String MESSAGE_DIGEST_256_ALGORITHM = "SHA-256";
+ private static final String CALLER_SHA256_ID = "callerSHA256Ids";
private static final String CALLER_CARRIER_ID = "carrierIds";
public static final int INVALID_CARRIER_ID = -1;
@@ -96,7 +95,7 @@
try {
if (mDataJSON != null && callerPackage != null) {
JSONObject callerJSON = mDataJSON.getJSONObject(callerPackage.trim());
- JSONArray callerJSONArray = callerJSON.getJSONArray(CALLER_SHA_1_ID);
+ JSONArray callerJSONArray = callerJSON.getJSONArray(CALLER_SHA256_ID);
JSONArray carrierIdArray = callerJSON.getJSONArray(CALLER_CARRIER_ID);
Set<Integer> carrierIds = new HashSet<>();
@@ -142,7 +141,7 @@
/**
* API fetches all the related signatures of the given package from the packageManager
- * and validate all the signatures.
+ * and validate all the signatures using SHA-256.
*
* @param context context
* @param packageName package name of the caller to validate the signatures.
@@ -158,13 +157,13 @@
}
final PackageManager packageManager = context.getPackageManager();
try {
- MessageDigest sha1MDigest = MessageDigest.getInstance(MESSAGE_DIGEST_ALGORITHM);
+ MessageDigest sha256MDigest = MessageDigest.getInstance(MESSAGE_DIGEST_256_ALGORITHM);
final PackageInfo packageInfo = packageManager.getPackageInfo(packageName,
PackageManager.GET_SIGNATURES);
for (Signature signature : packageInfo.signatures) {
- final byte[] signatureSha1 = sha1MDigest.digest(signature.toByteArray());
- final String hexSignatureSha1 = IccUtils.bytesToHexString(signatureSha1);
- if (!allowListSignatures.contains(hexSignatureSha1)) {
+ final byte[] signatureSha256 = sha256MDigest.digest(signature.toByteArray());
+ final String hexSignatureSha256 = IccUtils.bytesToHexString(signatureSha256);
+ if (!allowListSignatures.contains(hexSignatureSha256)) {
return false;
}
}
@@ -214,7 +213,7 @@
if (carrierInfo != null && carrierInfo.getCallerCarrierIdList().contains(carrierId)) {
return carrierInfo.getSHAIdList();
}
- Rlog.e(LOG_TAG, "getShaIdList carrierId or shaIdList is empty");
+ Rlog.e(LOG_TAG, "getShaIdList: carrierId or shaIdList is empty");
return Collections.EMPTY_LIST;
}
}