Example 26 with ApkFormatException
use of com.android.apksig.apk.ApkFormatException in project apksig by venshine.
the class SigningCertificateLineage method read.
private static SigningCertificateLineage read(ByteBuffer inputByteBuffer, int version) throws IOException {
switch(version) {
case FIRST_VERSION:
try {
List<SigningCertificateNode> nodes = V3SigningCertificateLineage.readSigningCertificateLineage(getLengthPrefixedSlice(inputByteBuffer));
int minSdkVersion = calculateMinSdkVersion(nodes);
return new SigningCertificateLineage(minSdkVersion, nodes);
} catch (ApkFormatException e) {
// unable to get a proper length-prefixed lineage slice
throw new IOException("Unable to read list of signing certificate nodes in " + "SigningCertificateLineage", e);
}
default:
throw new IllegalArgumentException("Improper SigningCertificateLineage format: unrecognized version.");
}
}
Also used :
V3SigningCertificateLineage(com.android.apksig.internal.apk.v3.V3SigningCertificateLineage)
ApkFormatException(com.android.apksig.apk.ApkFormatException)
SigningCertificateNode(com.android.apksig.internal.apk.v3.V3SigningCertificateLineage.SigningCertificateNode)
IOException(java.io.IOException)
Example 27 with ApkFormatException
use of com.android.apksig.apk.ApkFormatException in project apksig by venshine.
the class ApkVerifier method getApkContentDigestFromV1SigningScheme.
private static Map<ContentDigestAlgorithm, byte[]> getApkContentDigestFromV1SigningScheme(List<CentralDirectoryRecord> cdRecords, DataSource apk, ApkUtils.ZipSections zipSections) throws IOException, ApkFormatException {
CentralDirectoryRecord manifestCdRecord = null;
Map<ContentDigestAlgorithm, byte[]> v1ContentDigest = new EnumMap<>(ContentDigestAlgorithm.class);
for (CentralDirectoryRecord cdRecord : cdRecords) {
if (MANIFEST_ENTRY_NAME.equals(cdRecord.getName())) {
manifestCdRecord = cdRecord;
break;
}
}
if (manifestCdRecord == null) {
// thus an empty digest will invalidate that signature.
return v1ContentDigest;
}
try {
byte[] manifestBytes = LocalFileRecord.getUncompressedData(apk, manifestCdRecord, zipSections.getZipCentralDirectoryOffset());
v1ContentDigest.put(ContentDigestAlgorithm.SHA256, computeSha256DigestBytes(manifestBytes));
return v1ContentDigest;
} catch (ZipFormatException e) {
throw new ApkFormatException("Failed to read APK", e);
}
}
Also used :
CentralDirectoryRecord(com.android.apksig.internal.zip.CentralDirectoryRecord)
ApkFormatException(com.android.apksig.apk.ApkFormatException)
ZipFormatException(com.android.apksig.zip.ZipFormatException)
ContentDigestAlgorithm(com.android.apksig.internal.apk.ContentDigestAlgorithm)
EnumMap(java.util.EnumMap)
Example 28 with ApkFormatException
use of com.android.apksig.apk.ApkFormatException in project apksig by venshine.
the class ApkVerifier method verify.
/**
* Verifies the APK's signatures and returns the result of verification. The APK can be
* considered verified iff the result's {@link Result#isVerified()} returns {@code true}.
* The verification result also includes errors, warnings, and information about signers.
*
* @param apk APK file contents
* @throws IOException if an I/O error is encountered while reading the APK
* @throws ApkFormatException if the APK is malformed
* @throws NoSuchAlgorithmException if the APK's signatures cannot be verified because a
* required cryptographic algorithm implementation is missing
*/
private Result verify(DataSource apk) throws IOException, ApkFormatException, NoSuchAlgorithmException {
int maxSdkVersion = mMaxSdkVersion;
ApkUtils.ZipSections zipSections;
try {
zipSections = ApkUtils.findZipSections(apk);
} catch (ZipFormatException e) {
throw new ApkFormatException("Malformed APK: not a ZIP archive", e);
}
ByteBuffer androidManifest = null;
int minSdkVersion = verifyAndGetMinSdkVersion(apk, zipSections);
Result result = new Result();
Map<Integer, Map<ContentDigestAlgorithm, byte[]>> signatureSchemeApkContentDigests = new HashMap<>();
// The SUPPORTED_APK_SIG_SCHEME_NAMES contains the mapping from version number to scheme
// name, but the verifiers use this parameter as the schemes supported by the target SDK
// range. Since the code below skips signature verification based on max SDK the mapping of
// supported schemes needs to be modified to ensure the verifiers do not report a stripped
// signature for an SDK range that does not support that signature version. For instance an
// APK with V1, V2, and V3 signatures and a max SDK of O would skip the V3 signature
// verification, but the SUPPORTED_APK_SIG_SCHEME_NAMES contains version 3, so when the V2
// verification is performed it would see the stripping protection attribute, see that V3
// is in the list of supported signatures, and report a stripped signature.
Map<Integer, String> supportedSchemeNames = getSupportedSchemeNames(maxSdkVersion);
// Android N and newer attempts to verify APKs using the APK Signing Block, which can
// include v2 and/or v3 signatures. If none is found, it falls back to JAR signature
// verification. If the signature is found but does not verify, the APK is rejected.
Set<Integer> foundApkSigSchemeIds = new HashSet<>(2);
if (maxSdkVersion >= AndroidSdkVersion.N) {
RunnablesExecutor executor = RunnablesExecutor.SINGLE_THREADED;
// Android P and newer attempts to verify APKs using APK Signature Scheme v3
if (maxSdkVersion >= AndroidSdkVersion.P) {
try {
ApkSigningBlockUtils.Result v3Result = V3SchemeVerifier.verify(executor, apk, zipSections, Math.max(minSdkVersion, AndroidSdkVersion.P), maxSdkVersion);
foundApkSigSchemeIds.add(ApkSigningBlockUtils.VERSION_APK_SIGNATURE_SCHEME_V3);
result.mergeFrom(v3Result);
signatureSchemeApkContentDigests.put(ApkSigningBlockUtils.VERSION_APK_SIGNATURE_SCHEME_V3, getApkContentDigestsFromSigningSchemeResult(v3Result));
} catch (ApkSigningBlockUtils.SignatureNotFoundException ignored) {
// v3 signature not required
}
if (result.containsErrors()) {
return result;
}
}
// no APK Signature Scheme v3 (or newer scheme) signatures were found.
if (minSdkVersion < AndroidSdkVersion.P || foundApkSigSchemeIds.isEmpty()) {
try {
ApkSigningBlockUtils.Result v2Result = V2SchemeVerifier.verify(executor, apk, zipSections, supportedSchemeNames, foundApkSigSchemeIds, Math.max(minSdkVersion, AndroidSdkVersion.N), maxSdkVersion);
foundApkSigSchemeIds.add(ApkSigningBlockUtils.VERSION_APK_SIGNATURE_SCHEME_V2);
result.mergeFrom(v2Result);
signatureSchemeApkContentDigests.put(ApkSigningBlockUtils.VERSION_APK_SIGNATURE_SCHEME_V2, getApkContentDigestsFromSigningSchemeResult(v2Result));
} catch (ApkSigningBlockUtils.SignatureNotFoundException ignored) {
// v2 signature not required
}
if (result.containsErrors()) {
return result;
}
}
// If v4 file is specified, use additional verification on it
if (mV4SignatureFile != null) {
final ApkSigningBlockUtils.Result v4Result = V4SchemeVerifier.verify(apk, mV4SignatureFile);
foundApkSigSchemeIds.add(ApkSigningBlockUtils.VERSION_APK_SIGNATURE_SCHEME_V4);
result.mergeFrom(v4Result);
if (result.containsErrors()) {
return result;
}
}
}
// are signed using APK Signature Scheme v2 or newer.
if (maxSdkVersion >= AndroidSdkVersion.O) {
if (androidManifest == null) {
androidManifest = getAndroidManifestFromApk(apk, zipSections);
}
int targetSandboxVersion = getTargetSandboxVersionFromBinaryAndroidManifest(androidManifest.slice());
if (targetSandboxVersion > 1) {
if (foundApkSigSchemeIds.isEmpty()) {
result.addError(Issue.NO_SIG_FOR_TARGET_SANDBOX_VERSION, targetSandboxVersion);
}
}
}
List<CentralDirectoryRecord> cdRecords = V1SchemeVerifier.parseZipCentralDirectory(apk, zipSections);
// scheme) signatures were found.
if ((minSdkVersion < AndroidSdkVersion.N) || (foundApkSigSchemeIds.isEmpty())) {
V1SchemeVerifier.Result v1Result = V1SchemeVerifier.verify(apk, zipSections, supportedSchemeNames, foundApkSigSchemeIds, minSdkVersion, maxSdkVersion);
result.mergeFrom(v1Result);
signatureSchemeApkContentDigests.put(ApkSigningBlockUtils.VERSION_JAR_SIGNATURE_SCHEME, getApkContentDigestFromV1SigningScheme(cdRecords, apk, zipSections));
}
if (result.containsErrors()) {
return result;
}
// Verify the SourceStamp, if found in the APK.
try {
CentralDirectoryRecord sourceStampCdRecord = null;
for (CentralDirectoryRecord cdRecord : cdRecords) {
if (SOURCE_STAMP_CERTIFICATE_HASH_ZIP_ENTRY_NAME.equals(cdRecord.getName())) {
sourceStampCdRecord = cdRecord;
break;
}
}
// block in the APK signing block as well.
if (sourceStampCdRecord != null) {
byte[] sourceStampCertificateDigest = LocalFileRecord.getUncompressedData(apk, sourceStampCdRecord, zipSections.getZipCentralDirectoryOffset());
ApkSigResult sourceStampResult = V2SourceStampVerifier.verify(apk, zipSections, sourceStampCertificateDigest, signatureSchemeApkContentDigests, Math.max(minSdkVersion, AndroidSdkVersion.R), maxSdkVersion);
result.mergeFrom(sourceStampResult);
}
} catch (SignatureNotFoundException ignored) {
result.addWarning(Issue.SOURCE_STAMP_SIG_MISSING);
} catch (ZipFormatException e) {
throw new ApkFormatException("Failed to read APK", e);
}
if (result.containsErrors()) {
return result;
}
// signatures verified.
if ((result.isVerifiedUsingV1Scheme()) && (result.isVerifiedUsingV2Scheme())) {
ArrayList<Result.V1SchemeSignerInfo> v1Signers = new ArrayList<>(result.getV1SchemeSigners());
ArrayList<Result.V2SchemeSignerInfo> v2Signers = new ArrayList<>(result.getV2SchemeSigners());
ArrayList<ByteArray> v1SignerCerts = new ArrayList<>();
ArrayList<ByteArray> v2SignerCerts = new ArrayList<>();
for (Result.V1SchemeSignerInfo signer : v1Signers) {
try {
v1SignerCerts.add(new ByteArray(signer.getCertificate().getEncoded()));
} catch (CertificateEncodingException e) {
throw new IllegalStateException("Failed to encode JAR signer " + signer.getName() + " certs", e);
}
}
for (Result.V2SchemeSignerInfo signer : v2Signers) {
try {
v2SignerCerts.add(new ByteArray(signer.getCertificate().getEncoded()));
} catch (CertificateEncodingException e) {
throw new IllegalStateException("Failed to encode APK Signature Scheme v2 signer (index: " + signer.getIndex() + ") certs", e);
}
}
for (int i = 0; i < v1SignerCerts.size(); i++) {
ByteArray v1Cert = v1SignerCerts.get(i);
if (!v2SignerCerts.contains(v1Cert)) {
Result.V1SchemeSignerInfo v1Signer = v1Signers.get(i);
v1Signer.addError(Issue.V2_SIG_MISSING);
break;
}
}
for (int i = 0; i < v2SignerCerts.size(); i++) {
ByteArray v2Cert = v2SignerCerts.get(i);
if (!v1SignerCerts.contains(v2Cert)) {
Result.V2SchemeSignerInfo v2Signer = v2Signers.get(i);
v2Signer.addError(Issue.JAR_SIG_MISSING);
break;
}
}
}
// matches the oldest signing certificate in the provided SigningCertificateLineage
if (result.isVerifiedUsingV3Scheme() && (result.isVerifiedUsingV1Scheme() || result.isVerifiedUsingV2Scheme())) {
SigningCertificateLineage lineage = result.getSigningCertificateLineage();
X509Certificate oldSignerCert;
if (result.isVerifiedUsingV1Scheme()) {
List<Result.V1SchemeSignerInfo> v1Signers = result.getV1SchemeSigners();
if (v1Signers.size() != 1) {
// APK Signature Scheme v3 only supports single-signers, error to sign with
// multiple and then only one
result.addError(Issue.V3_SIG_MULTIPLE_PAST_SIGNERS);
}
oldSignerCert = v1Signers.get(0).mCertChain.get(0);
} else {
List<Result.V2SchemeSignerInfo> v2Signers = result.getV2SchemeSigners();
if (v2Signers.size() != 1) {
// APK Signature Scheme v3 only supports single-signers, error to sign with
// multiple and then only one
result.addError(Issue.V3_SIG_MULTIPLE_PAST_SIGNERS);
}
oldSignerCert = v2Signers.get(0).mCerts.get(0);
}
if (lineage == null) {
// no signing certificate history with which to contend, just make sure that v3
// matches previous versions
List<Result.V3SchemeSignerInfo> v3Signers = result.getV3SchemeSigners();
if (v3Signers.size() != 1) {
// multiple v3 signers should never exist without rotation history, since
// multiple signers implies a different signer for different platform versions
result.addError(Issue.V3_SIG_MULTIPLE_SIGNERS);
}
try {
if (!Arrays.equals(oldSignerCert.getEncoded(), v3Signers.get(0).mCerts.get(0).getEncoded())) {
result.addError(Issue.V3_SIG_PAST_SIGNERS_MISMATCH);
}
} catch (CertificateEncodingException e) {
// we just go the encoding for the v1/v2 certs above, so must be v3
throw new RuntimeException("Failed to encode APK Signature Scheme v3 signer cert", e);
}
} else {
// as our v1/v2 signer
try {
lineage = lineage.getSubLineage(oldSignerCert);
if (lineage.size() != 1) {
// the v1/v2 signer was found, but not at the root of the lineage
result.addError(Issue.V3_SIG_PAST_SIGNERS_MISMATCH);
}
} catch (IllegalArgumentException e) {
// the v1/v2 signer was not found in the lineage
result.addError(Issue.V3_SIG_PAST_SIGNERS_MISMATCH);
}
}
}
// The apkDigest field in the v4 signature should match the selected v2/v3.
if (result.isVerifiedUsingV4Scheme()) {
List<Result.V4SchemeSignerInfo> v4Signers = result.getV4SchemeSigners();
if (v4Signers.size() != 1) {
result.addError(Issue.V4_SIG_MULTIPLE_SIGNERS);
}
List<ApkSigningBlockUtils.Result.SignerInfo.ContentDigest> digestsFromV4 = v4Signers.get(0).getContentDigests();
if (digestsFromV4.size() != 1) {
result.addError(Issue.V4_SIG_V2_V3_DIGESTS_MISMATCH);
}
final byte[] digestFromV4 = digestsFromV4.get(0).getValue();
if (result.isVerifiedUsingV3Scheme()) {
List<Result.V3SchemeSignerInfo> v3Signers = result.getV3SchemeSigners();
if (v3Signers.size() != 1) {
result.addError(Issue.V4_SIG_MULTIPLE_SIGNERS);
}
// Compare certificates.
checkV4Certificate(v4Signers.get(0).mCerts, v3Signers.get(0).mCerts, result);
// Compare digests.
final byte[] digestFromV3 = pickBestDigestForV4(v3Signers.get(0).getContentDigests());
if (!Arrays.equals(digestFromV4, digestFromV3)) {
result.addError(Issue.V4_SIG_V2_V3_DIGESTS_MISMATCH);
}
} else if (result.isVerifiedUsingV2Scheme()) {
List<Result.V2SchemeSignerInfo> v2Signers = result.getV2SchemeSigners();
if (v2Signers.size() != 1) {
result.addError(Issue.V4_SIG_MULTIPLE_SIGNERS);
}
// Compare certificates.
checkV4Certificate(v4Signers.get(0).mCerts, v2Signers.get(0).mCerts, result);
// Compare digests.
final byte[] digestFromV2 = pickBestDigestForV4(v2Signers.get(0).getContentDigests());
if (!Arrays.equals(digestFromV4, digestFromV2)) {
result.addError(Issue.V4_SIG_V2_V3_DIGESTS_MISMATCH);
}
} else {
throw new RuntimeException("V4 signature must be also verified with V2/V3");
}
}
// that the APK was signed with at least that version.
try {
if (androidManifest == null) {
androidManifest = getAndroidManifestFromApk(apk, zipSections);
}
} catch (ApkFormatException e) {
// If the manifest is not available then skip the minimum signature scheme requirement
// to support bundle verification.
}
if (androidManifest != null) {
int targetSdkVersion = getTargetSdkVersionFromBinaryAndroidManifest(androidManifest.slice());
int minSchemeVersion = getMinimumSignatureSchemeVersionForTargetSdk(targetSdkVersion);
// expanded to verify the minimum based on the target and maximum SDK version.
if (minSchemeVersion > VERSION_JAR_SIGNATURE_SCHEME && maxSdkVersion >= targetSdkVersion) {
switch(minSchemeVersion) {
case VERSION_APK_SIGNATURE_SCHEME_V2:
if (result.isVerifiedUsingV2Scheme()) {
break;
}
// later scheme version will also satisfy this requirement.
case VERSION_APK_SIGNATURE_SCHEME_V3:
if (result.isVerifiedUsingV3Scheme()) {
break;
}
result.addError(Issue.MIN_SIG_SCHEME_FOR_TARGET_SDK_NOT_MET, targetSdkVersion, minSchemeVersion);
}
}
}
if (result.containsErrors()) {
return result;
}
// Verified
result.setVerified();
if (result.isVerifiedUsingV3Scheme()) {
List<Result.V3SchemeSignerInfo> v3Signers = result.getV3SchemeSigners();
result.addSignerCertificate(v3Signers.get(v3Signers.size() - 1).getCertificate());
} else if (result.isVerifiedUsingV2Scheme()) {
for (Result.V2SchemeSignerInfo signerInfo : result.getV2SchemeSigners()) {
result.addSignerCertificate(signerInfo.getCertificate());
}
} else if (result.isVerifiedUsingV1Scheme()) {
for (Result.V1SchemeSignerInfo signerInfo : result.getV1SchemeSigners()) {
result.addSignerCertificate(signerInfo.getCertificate());
}
} else {
throw new RuntimeException("APK verified, but has not verified using any of v1, v2 or v3 schemes");
}
return result;
}
Also used :
HashMap(java.util.HashMap)
ArrayList(java.util.ArrayList)
ApkSigResult(com.android.apksig.internal.apk.ApkSigResult)
ApkSigResult(com.android.apksig.internal.apk.ApkSigResult)
List(java.util.List)
ArrayList(java.util.ArrayList)
HashSet(java.util.HashSet)
V1SchemeVerifier(com.android.apksig.internal.apk.v1.V1SchemeVerifier)
X509Certificate(java.security.cert.X509Certificate)
SignatureNotFoundException(com.android.apksig.internal.apk.SignatureNotFoundException)
Map(java.util.Map)
EnumMap(java.util.EnumMap)
HashMap(java.util.HashMap)
CentralDirectoryRecord(com.android.apksig.internal.zip.CentralDirectoryRecord)
ZipFormatException(com.android.apksig.zip.ZipFormatException)
ApkSigningBlockUtils(com.android.apksig.internal.apk.ApkSigningBlockUtils)
ApkFormatException(com.android.apksig.apk.ApkFormatException)
RunnablesExecutor(com.android.apksig.util.RunnablesExecutor)
CertificateEncodingException(java.security.cert.CertificateEncodingException)
ByteBuffer(java.nio.ByteBuffer)
ApkUtils(com.android.apksig.apk.ApkUtils)
Example 29 with ApkFormatException
use of com.android.apksig.apk.ApkFormatException in project apksig by venshine.
the class ApkVerifier method verifySourceStamp.
/**
* Verifies the provided {@code apk}'s source stamp signature, including verification of the
* SHA-256 digest of the stamp signing certificate matches the {@code expectedCertDigest}, and
* returns the result of the verification.
*
* @see #verifySourceStamp(String)
*/
private Result verifySourceStamp(DataSource apk, String expectedCertDigest) {
try {
ApkUtils.ZipSections zipSections = ApkUtils.findZipSections(apk);
int minSdkVersion = verifyAndGetMinSdkVersion(apk, zipSections);
// Attempt to obtain the source stamp's certificate digest from the APK.
List<CentralDirectoryRecord> cdRecords = V1SchemeVerifier.parseZipCentralDirectory(apk, zipSections);
CentralDirectoryRecord sourceStampCdRecord = null;
for (CentralDirectoryRecord cdRecord : cdRecords) {
if (SOURCE_STAMP_CERTIFICATE_HASH_ZIP_ENTRY_NAME.equals(cdRecord.getName())) {
sourceStampCdRecord = cdRecord;
break;
}
}
// APK's signature block to determine the appropriate status to return.
if (sourceStampCdRecord == null) {
boolean stampSigningBlockFound;
try {
ApkSigningBlockUtils.Result result = new ApkSigningBlockUtils.Result(ApkSigningBlockUtils.VERSION_SOURCE_STAMP);
ApkSigningBlockUtils.findSignature(apk, zipSections, SourceStampConstants.V2_SOURCE_STAMP_BLOCK_ID, result);
stampSigningBlockFound = true;
} catch (ApkSigningBlockUtils.SignatureNotFoundException e) {
stampSigningBlockFound = false;
}
if (stampSigningBlockFound) {
return createSourceStampResultWithError(Result.SourceStampInfo.SourceStampVerificationStatus.STAMP_NOT_VERIFIED, Issue.SOURCE_STAMP_SIGNATURE_BLOCK_WITHOUT_CERT_DIGEST);
} else {
return createSourceStampResultWithError(Result.SourceStampInfo.SourceStampVerificationStatus.STAMP_MISSING, Issue.SOURCE_STAMP_CERT_DIGEST_AND_SIG_BLOCK_MISSING);
}
}
// Verify that the contents of the source stamp certificate digest match the expected
// value, if provided.
byte[] sourceStampCertificateDigest = LocalFileRecord.getUncompressedData(apk, sourceStampCdRecord, zipSections.getZipCentralDirectoryOffset());
if (expectedCertDigest != null) {
String actualCertDigest = ApkSigningBlockUtils.toHex(sourceStampCertificateDigest);
if (!expectedCertDigest.equalsIgnoreCase(actualCertDigest)) {
return createSourceStampResultWithError(Result.SourceStampInfo.SourceStampVerificationStatus.CERT_DIGEST_MISMATCH, Issue.SOURCE_STAMP_EXPECTED_DIGEST_MISMATCH, actualCertDigest, expectedCertDigest);
}
}
Map<Integer, Map<ContentDigestAlgorithm, byte[]>> signatureSchemeApkContentDigests = new HashMap<>();
Map<Integer, String> supportedSchemeNames = getSupportedSchemeNames(mMaxSdkVersion);
Set<Integer> foundApkSigSchemeIds = new HashSet<>(2);
Result result = new Result();
ApkSigningBlockUtils.Result v3Result = null;
if (mMaxSdkVersion >= AndroidSdkVersion.P) {
v3Result = getApkContentDigests(apk, zipSections, foundApkSigSchemeIds, supportedSchemeNames, signatureSchemeApkContentDigests, VERSION_APK_SIGNATURE_SCHEME_V3, Math.max(minSdkVersion, AndroidSdkVersion.P));
if (v3Result != null && v3Result.containsErrors()) {
result.mergeFrom(v3Result);
return mergeSourceStampResult(Result.SourceStampInfo.SourceStampVerificationStatus.VERIFICATION_ERROR, result);
}
}
ApkSigningBlockUtils.Result v2Result = null;
if (mMaxSdkVersion >= AndroidSdkVersion.N && (minSdkVersion < AndroidSdkVersion.P || foundApkSigSchemeIds.isEmpty())) {
v2Result = getApkContentDigests(apk, zipSections, foundApkSigSchemeIds, supportedSchemeNames, signatureSchemeApkContentDigests, VERSION_APK_SIGNATURE_SCHEME_V2, Math.max(minSdkVersion, AndroidSdkVersion.N));
if (v2Result != null && v2Result.containsErrors()) {
result.mergeFrom(v2Result);
return mergeSourceStampResult(Result.SourceStampInfo.SourceStampVerificationStatus.VERIFICATION_ERROR, result);
}
}
if (minSdkVersion < AndroidSdkVersion.N || foundApkSigSchemeIds.isEmpty()) {
signatureSchemeApkContentDigests.put(VERSION_JAR_SIGNATURE_SCHEME, getApkContentDigestFromV1SigningScheme(cdRecords, apk, zipSections));
}
ApkSigResult sourceStampResult = V2SourceStampVerifier.verify(apk, zipSections, sourceStampCertificateDigest, signatureSchemeApkContentDigests, minSdkVersion, mMaxSdkVersion);
result.mergeFrom(sourceStampResult);
// as verified if the source stamp verification was successful.
if (sourceStampResult.verified) {
result.setVerified();
} else {
// To prevent APK signature verification with a failed / missing source stamp the
// source stamp verification will only log warnings; to allow the caller to capture
// the failure reason treat all warnings as errors.
result.setWarningsAsErrors(true);
}
return result;
} catch (ApkFormatException | IOException | ZipFormatException e) {
return createSourceStampResultWithError(Result.SourceStampInfo.SourceStampVerificationStatus.VERIFICATION_ERROR, Issue.MALFORMED_APK, e);
} catch (NoSuchAlgorithmException e) {
return createSourceStampResultWithError(Result.SourceStampInfo.SourceStampVerificationStatus.VERIFICATION_ERROR, Issue.UNEXPECTED_EXCEPTION, e);
} catch (SignatureNotFoundException e) {
return createSourceStampResultWithError(Result.SourceStampInfo.SourceStampVerificationStatus.STAMP_NOT_VERIFIED, Issue.SOURCE_STAMP_SIG_MISSING);
}
}
Also used :
CentralDirectoryRecord(com.android.apksig.internal.zip.CentralDirectoryRecord)
HashMap(java.util.HashMap)
ApkSigResult(com.android.apksig.internal.apk.ApkSigResult)
ZipFormatException(com.android.apksig.zip.ZipFormatException)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
ApkSigningBlockUtils(com.android.apksig.internal.apk.ApkSigningBlockUtils)
ApkSigResult(com.android.apksig.internal.apk.ApkSigResult)
ApkFormatException(com.android.apksig.apk.ApkFormatException)
HashSet(java.util.HashSet)
IOException(java.io.IOException)
ApkUtils(com.android.apksig.apk.ApkUtils)
SignatureNotFoundException(com.android.apksig.internal.apk.SignatureNotFoundException)
Map(java.util.Map)
EnumMap(java.util.EnumMap)
HashMap(java.util.HashMap)
Example 30 with ApkFormatException
use of com.android.apksig.apk.ApkFormatException in project apksig by venshine.
the class V2SchemeVerifier method parseSigners.
/**
* Parses each signer in the provided APK Signature Scheme v2 block and populates corresponding
* {@code signerInfos} of the provided {@code result}.
*
* <p>This verifies signatures over {@code signed-data} block contained in each signer block.
* However, this does not verify the integrity of the rest of the APK but rather simply reports
* the expected digests of the rest of the APK (see {@code contentDigestsToVerify}).
*
* <p>This method adds one or more errors to the {@code result} if a verification error is
* expected to be encountered on an Android platform version in the
* {@code [minSdkVersion, maxSdkVersion]} range.
*/
public static void parseSigners(ByteBuffer apkSignatureSchemeV2Block, Set<ContentDigestAlgorithm> contentDigestsToVerify, Map<Integer, String> supportedApkSigSchemeNames, Set<Integer> foundApkSigSchemeIds, int minSdkVersion, int maxSdkVersion, ApkSigningBlockUtils.Result result) throws NoSuchAlgorithmException {
ByteBuffer signers;
try {
signers = ApkSigningBlockUtils.getLengthPrefixedSlice(apkSignatureSchemeV2Block);
} catch (ApkFormatException e) {
result.addError(Issue.V2_SIG_MALFORMED_SIGNERS);
return;
}
if (!signers.hasRemaining()) {
result.addError(Issue.V2_SIG_NO_SIGNERS);
return;
}
CertificateFactory certFactory;
try {
certFactory = CertificateFactory.getInstance("X.509");
} catch (CertificateException e) {
throw new RuntimeException("Failed to obtain X.509 CertificateFactory", e);
}
int signerCount = 0;
while (signers.hasRemaining()) {
int signerIndex = signerCount;
signerCount++;
ApkSigningBlockUtils.Result.SignerInfo signerInfo = new ApkSigningBlockUtils.Result.SignerInfo();
signerInfo.index = signerIndex;
result.signers.add(signerInfo);
try {
ByteBuffer signer = ApkSigningBlockUtils.getLengthPrefixedSlice(signers);
parseSigner(signer, certFactory, signerInfo, contentDigestsToVerify, supportedApkSigSchemeNames, foundApkSigSchemeIds, minSdkVersion, maxSdkVersion);
} catch (ApkFormatException | BufferUnderflowException e) {
signerInfo.addError(Issue.V2_SIG_MALFORMED_SIGNER);
return;
}
}
}
Also used :
ApkFormatException(com.android.apksig.apk.ApkFormatException)
CertificateException(java.security.cert.CertificateException)
ApkSigningBlockUtils(com.android.apksig.internal.apk.ApkSigningBlockUtils)
ByteBuffer(java.nio.ByteBuffer)
CertificateFactory(java.security.cert.CertificateFactory)
BufferUnderflowException(java.nio.BufferUnderflowException)
Aggregations
ApkFormatException (com.android.apksig.apk.ApkFormatException)36
IOException (java.io.IOException)18
ByteBuffer (java.nio.ByteBuffer)17
ArrayList (java.util.ArrayList)15
NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)13
BufferUnderflowException (java.nio.BufferUnderflowException)12
ZipFormatException (com.android.apksig.zip.ZipFormatException)11
CertificateException (java.security.cert.CertificateException)11
ApkSigningBlockUtils (com.android.apksig.internal.apk.ApkSigningBlockUtils)9
CentralDirectoryRecord (com.android.apksig.internal.zip.CentralDirectoryRecord)9
X509Certificate (java.security.cert.X509Certificate)9
InvalidKeyException (java.security.InvalidKeyException)7
SignatureException (java.security.SignatureException)7
CertificateFactory (java.security.cert.CertificateFactory)7
SignatureAlgorithm (com.android.apksig.internal.apk.SignatureAlgorithm)6
GuaranteedEncodedFormX509Certificate (com.android.apksig.internal.util.GuaranteedEncodedFormX509Certificate)6
HashSet (java.util.HashSet)6
ApkSigResult (com.android.apksig.internal.apk.ApkSigResult)5
DataSource (com.android.apksig.util.DataSource)5
InvalidAlgorithmParameterException (java.security.InvalidAlgorithmParameterException)5
