Convert the app signature check to use SHA-256 instead of SHA1.
Test:atest cts/tests/tests/telephony/current/src/android/telephony/cts/TelephonyManagerTest.java
Test2:atest cts/tests/tests/telephony/current/src/android/telephony/cts/TelephonyManagerTestOnMockModem.java
Test3: manual test with Fi's TychoApk-debug.apk
Bug: 321868791
Bug: 326325598
Change-Id: I96cb01864b3db3640664d549337fbe30aee262c9
diff --git a/src/com/android/phone/TelephonyShellCommand.java b/src/com/android/phone/TelephonyShellCommand.java
index 429b7cc..80304b2 100644
--- a/src/com/android/phone/TelephonyShellCommand.java
+++ b/src/com/android/phone/TelephonyShellCommand.java
@@ -3883,7 +3883,7 @@
/**
* Building the string that can be used to build the JsonObject which supports to stub the data
* in CarrierAllowListInfo for CTS testing. sample format is like
- * {"com.android.example":{"carrierIds":[10000],"callerSHA1Id":["XXXXXXXXXXXXXX"]}}
+ * {"com.android.example":{"carrierIds":[10000],"callerSHA256Ids":["XXXXXXXXXXXXXX"]}}
*/
private String convertToJsonString(int index, String param) {
diff --git a/src/com/android/phone/utils/CarrierAllowListInfo.java b/src/com/android/phone/utils/CarrierAllowListInfo.java
index 62b71ff..3ab9733 100644
--- a/src/com/android/phone/utils/CarrierAllowListInfo.java
+++ b/src/com/android/phone/utils/CarrierAllowListInfo.java
@@ -23,7 +23,6 @@
import android.content.pm.Signature;
import android.telephony.Rlog;
import android.text.TextUtils;
-import android.util.Log;
import com.android.internal.telephony.uicc.IccUtils;
@@ -46,8 +45,8 @@
private static final String LOG_TAG = "CarrierAllowListInfo";
private JSONObject mDataJSON;
private static final String JSON_CHARSET = "UTF-8";
- private static final String MESSAGE_DIGEST_ALGORITHM = "SHA1";
- private static final String CALLER_SHA_1_ID = "callerSHA1Id";
+ private static final String MESSAGE_DIGEST_256_ALGORITHM = "SHA-256";
+ private static final String CALLER_SHA256_ID = "callerSHA256Ids";
private static final String CALLER_CARRIER_ID = "carrierIds";
public static final int INVALID_CARRIER_ID = -1;
@@ -96,7 +95,7 @@
try {
if (mDataJSON != null && callerPackage != null) {
JSONObject callerJSON = mDataJSON.getJSONObject(callerPackage.trim());
- JSONArray callerJSONArray = callerJSON.getJSONArray(CALLER_SHA_1_ID);
+ JSONArray callerJSONArray = callerJSON.getJSONArray(CALLER_SHA256_ID);
JSONArray carrierIdArray = callerJSON.getJSONArray(CALLER_CARRIER_ID);
Set<Integer> carrierIds = new HashSet<>();
@@ -142,7 +141,7 @@
/**
* API fetches all the related signatures of the given package from the packageManager
- * and validate all the signatures.
+ * and validate all the signatures using SHA-256.
*
* @param context context
* @param packageName package name of the caller to validate the signatures.
@@ -158,13 +157,13 @@
}
final PackageManager packageManager = context.getPackageManager();
try {
- MessageDigest sha1MDigest = MessageDigest.getInstance(MESSAGE_DIGEST_ALGORITHM);
+ MessageDigest sha256MDigest = MessageDigest.getInstance(MESSAGE_DIGEST_256_ALGORITHM);
final PackageInfo packageInfo = packageManager.getPackageInfo(packageName,
PackageManager.GET_SIGNATURES);
for (Signature signature : packageInfo.signatures) {
- final byte[] signatureSha1 = sha1MDigest.digest(signature.toByteArray());
- final String hexSignatureSha1 = IccUtils.bytesToHexString(signatureSha1);
- if (!allowListSignatures.contains(hexSignatureSha1)) {
+ final byte[] signatureSha256 = sha256MDigest.digest(signature.toByteArray());
+ final String hexSignatureSha256 = IccUtils.bytesToHexString(signatureSha256);
+ if (!allowListSignatures.contains(hexSignatureSha256)) {
return false;
}
}
@@ -214,7 +213,7 @@
if (carrierInfo != null && carrierInfo.getCallerCarrierIdList().contains(carrierId)) {
return carrierInfo.getSHAIdList();
}
- Rlog.e(LOG_TAG, "getShaIdList carrierId or shaIdList is empty");
+ Rlog.e(LOG_TAG, "getShaIdList: carrierId or shaIdList is empty");
return Collections.EMPTY_LIST;
}
}