Search in sources :

Example 1 with ApkSigResult

use of com.android.apksig.internal.apk.ApkSigResult in project apksig by venshine.

the class SourceStampVerifier method verifySourceStamp.

/**
 * Verifies the provided {@code apk}'s source stamp signature, including verification of the
 * SHA-256 digest of the stamp signing certificate matches the {@code expectedCertDigest}, and
 * returns the result of the verification.
 *
 * @see #verifySourceStamp(String)
 */
private SourceStampVerifier.Result verifySourceStamp(DataSource apk, String expectedCertDigest) {
    Result result = new Result();
    try {
        ZipSections zipSections = ApkUtilsLite.findZipSections(apk);
        // Attempt to obtain the source stamp's certificate digest from the APK.
        List<CentralDirectoryRecord> cdRecords = ZipUtils.parseZipCentralDirectory(apk, zipSections);
        CentralDirectoryRecord sourceStampCdRecord = null;
        for (CentralDirectoryRecord cdRecord : cdRecords) {
            if (SOURCE_STAMP_CERTIFICATE_HASH_ZIP_ENTRY_NAME.equals(cdRecord.getName())) {
                sourceStampCdRecord = cdRecord;
                break;
            }
        }
        // APK's signature block to determine the appropriate status to return.
        if (sourceStampCdRecord == null) {
            boolean stampSigningBlockFound;
            try {
                ApkSigningBlockUtilsLite.findSignature(apk, zipSections, SourceStampConstants.V2_SOURCE_STAMP_BLOCK_ID);
                stampSigningBlockFound = true;
            } catch (SignatureNotFoundException e) {
                stampSigningBlockFound = false;
            }
            result.addVerificationError(stampSigningBlockFound ? ApkVerificationIssue.SOURCE_STAMP_SIGNATURE_BLOCK_WITHOUT_CERT_DIGEST : ApkVerificationIssue.SOURCE_STAMP_CERT_DIGEST_AND_SIG_BLOCK_MISSING);
            return result;
        }
        // Verify that the contents of the source stamp certificate digest match the expected
        // value, if provided.
        byte[] sourceStampCertificateDigest = LocalFileRecord.getUncompressedData(apk, sourceStampCdRecord, zipSections.getZipCentralDirectoryOffset());
        if (expectedCertDigest != null) {
            String actualCertDigest = ApkSigningBlockUtilsLite.toHex(sourceStampCertificateDigest);
            if (!expectedCertDigest.equalsIgnoreCase(actualCertDigest)) {
                result.addVerificationError(ApkVerificationIssue.SOURCE_STAMP_EXPECTED_DIGEST_MISMATCH, actualCertDigest, expectedCertDigest);
                return result;
            }
        }
        Map<Integer, Map<ContentDigestAlgorithm, byte[]>> signatureSchemeApkContentDigests = new HashMap<>();
        if (mMaxSdkVersion >= AndroidSdkVersion.P) {
            SignatureInfo signatureInfo;
            try {
                signatureInfo = ApkSigningBlockUtilsLite.findSignature(apk, zipSections, V3SchemeConstants.APK_SIGNATURE_SCHEME_V3_BLOCK_ID);
            } catch (SignatureNotFoundException e) {
                signatureInfo = null;
            }
            if (signatureInfo != null) {
                Map<ContentDigestAlgorithm, byte[]> apkContentDigests = new EnumMap<>(ContentDigestAlgorithm.class);
                parseSigners(signatureInfo.signatureBlock, VERSION_APK_SIGNATURE_SCHEME_V3, apkContentDigests, result);
                signatureSchemeApkContentDigests.put(VERSION_APK_SIGNATURE_SCHEME_V3, apkContentDigests);
            }
        }
        if (mMaxSdkVersion >= AndroidSdkVersion.N && (mMinSdkVersion < AndroidSdkVersion.P || signatureSchemeApkContentDigests.isEmpty())) {
            SignatureInfo signatureInfo;
            try {
                signatureInfo = ApkSigningBlockUtilsLite.findSignature(apk, zipSections, V2SchemeConstants.APK_SIGNATURE_SCHEME_V2_BLOCK_ID);
            } catch (SignatureNotFoundException e) {
                signatureInfo = null;
            }
            if (signatureInfo != null) {
                Map<ContentDigestAlgorithm, byte[]> apkContentDigests = new EnumMap<>(ContentDigestAlgorithm.class);
                parseSigners(signatureInfo.signatureBlock, VERSION_APK_SIGNATURE_SCHEME_V2, apkContentDigests, result);
                signatureSchemeApkContentDigests.put(VERSION_APK_SIGNATURE_SCHEME_V2, apkContentDigests);
            }
        }
        if (mMinSdkVersion < AndroidSdkVersion.N || signatureSchemeApkContentDigests.isEmpty()) {
            Map<ContentDigestAlgorithm, byte[]> apkContentDigests = getApkContentDigestFromV1SigningScheme(cdRecords, apk, zipSections, result);
            signatureSchemeApkContentDigests.put(VERSION_JAR_SIGNATURE_SCHEME, apkContentDigests);
        }
        ApkSigResult sourceStampResult = V2SourceStampVerifier.verify(apk, zipSections, sourceStampCertificateDigest, signatureSchemeApkContentDigests, mMinSdkVersion, mMaxSdkVersion);
        result.mergeFrom(sourceStampResult);
        return result;
    } catch (ApkFormatException | IOException | ZipFormatException e) {
        result.addVerificationError(ApkVerificationIssue.MALFORMED_APK, e);
    } catch (NoSuchAlgorithmException e) {
        result.addVerificationError(ApkVerificationIssue.UNEXPECTED_EXCEPTION, e);
    } catch (SignatureNotFoundException e) {
        result.addVerificationError(ApkVerificationIssue.SOURCE_STAMP_SIG_MISSING);
    }
    return result;
}
Also used : CentralDirectoryRecord(com.android.apksig.internal.zip.CentralDirectoryRecord) HashMap(java.util.HashMap) ApkSigResult(com.android.apksig.internal.apk.ApkSigResult) ZipFormatException(com.android.apksig.zip.ZipFormatException) IOException(java.io.IOException) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) ApkSigResult(com.android.apksig.internal.apk.ApkSigResult) SignatureInfo(com.android.apksig.internal.apk.SignatureInfo) ApkFormatException(com.android.apksig.apk.ApkFormatException) SignatureNotFoundException(com.android.apksig.internal.apk.SignatureNotFoundException) ContentDigestAlgorithm(com.android.apksig.internal.apk.ContentDigestAlgorithm) HashMap(java.util.HashMap) Map(java.util.Map) EnumMap(java.util.EnumMap) EnumMap(java.util.EnumMap) ZipSections(com.android.apksig.zip.ZipSections)

Example 2 with ApkSigResult

use of com.android.apksig.internal.apk.ApkSigResult in project apksig by venshine.

the class V2SourceStampVerifier method verify.

/**
 * Verifies the provided APK's SourceStamp signatures and returns the result of verification.
 * The APK must be considered verified only if {@link ApkSigResult#verified} is
 * {@code true}. If verification fails, the result will contain errors -- see {@link
 * ApkSigResult#getErrors()}.
 *
 * @throws NoSuchAlgorithmException if the APK's signatures cannot be verified because a
 *     required cryptographic algorithm implementation is missing
 * @throws SignatureNotFoundException if no SourceStamp signatures are
 *     found
 * @throws IOException if an I/O error occurs when reading the APK
 */
public static ApkSigResult verify(DataSource apk, ZipSections zipSections, byte[] sourceStampCertificateDigest, Map<Integer, Map<ContentDigestAlgorithm, byte[]>> signatureSchemeApkContentDigests, int minSdkVersion, int maxSdkVersion) throws IOException, NoSuchAlgorithmException, SignatureNotFoundException {
    ApkSigResult result = new ApkSigResult(Constants.VERSION_SOURCE_STAMP);
    SignatureInfo signatureInfo = ApkSigningBlockUtilsLite.findSignature(apk, zipSections, V2_SOURCE_STAMP_BLOCK_ID);
    verify(signatureInfo.signatureBlock, sourceStampCertificateDigest, signatureSchemeApkContentDigests, minSdkVersion, maxSdkVersion, result);
    return result;
}
Also used : SignatureInfo(com.android.apksig.internal.apk.SignatureInfo) ApkSigResult(com.android.apksig.internal.apk.ApkSigResult)

Example 3 with ApkSigResult

use of com.android.apksig.internal.apk.ApkSigResult in project apksig by venshine.

the class ApkVerifier method verify.

/**
 * Verifies the APK's signatures and returns the result of verification. The APK can be
 * considered verified iff the result's {@link Result#isVerified()} returns {@code true}.
 * The verification result also includes errors, warnings, and information about signers.
 *
 * @param apk APK file contents
 * @throws IOException              if an I/O error is encountered while reading the APK
 * @throws ApkFormatException       if the APK is malformed
 * @throws NoSuchAlgorithmException if the APK's signatures cannot be verified because a
 *                                  required cryptographic algorithm implementation is missing
 */
private Result verify(DataSource apk) throws IOException, ApkFormatException, NoSuchAlgorithmException {
    int maxSdkVersion = mMaxSdkVersion;
    ApkUtils.ZipSections zipSections;
    try {
        zipSections = ApkUtils.findZipSections(apk);
    } catch (ZipFormatException e) {
        throw new ApkFormatException("Malformed APK: not a ZIP archive", e);
    }
    ByteBuffer androidManifest = null;
    int minSdkVersion = verifyAndGetMinSdkVersion(apk, zipSections);
    Result result = new Result();
    Map<Integer, Map<ContentDigestAlgorithm, byte[]>> signatureSchemeApkContentDigests = new HashMap<>();
    // The SUPPORTED_APK_SIG_SCHEME_NAMES contains the mapping from version number to scheme
    // name, but the verifiers use this parameter as the schemes supported by the target SDK
    // range. Since the code below skips signature verification based on max SDK the mapping of
    // supported schemes needs to be modified to ensure the verifiers do not report a stripped
    // signature for an SDK range that does not support that signature version. For instance an
    // APK with V1, V2, and V3 signatures and a max SDK of O would skip the V3 signature
    // verification, but the SUPPORTED_APK_SIG_SCHEME_NAMES contains version 3, so when the V2
    // verification is performed it would see the stripping protection attribute, see that V3
    // is in the list of supported signatures, and report a stripped signature.
    Map<Integer, String> supportedSchemeNames = getSupportedSchemeNames(maxSdkVersion);
    // Android N and newer attempts to verify APKs using the APK Signing Block, which can
    // include v2 and/or v3 signatures.  If none is found, it falls back to JAR signature
    // verification. If the signature is found but does not verify, the APK is rejected.
    Set<Integer> foundApkSigSchemeIds = new HashSet<>(2);
    if (maxSdkVersion >= AndroidSdkVersion.N) {
        RunnablesExecutor executor = RunnablesExecutor.SINGLE_THREADED;
        // Android P and newer attempts to verify APKs using APK Signature Scheme v3
        if (maxSdkVersion >= AndroidSdkVersion.P) {
            try {
                ApkSigningBlockUtils.Result v3Result = V3SchemeVerifier.verify(executor, apk, zipSections, Math.max(minSdkVersion, AndroidSdkVersion.P), maxSdkVersion);
                foundApkSigSchemeIds.add(ApkSigningBlockUtils.VERSION_APK_SIGNATURE_SCHEME_V3);
                result.mergeFrom(v3Result);
                signatureSchemeApkContentDigests.put(ApkSigningBlockUtils.VERSION_APK_SIGNATURE_SCHEME_V3, getApkContentDigestsFromSigningSchemeResult(v3Result));
            } catch (ApkSigningBlockUtils.SignatureNotFoundException ignored) {
            // v3 signature not required
            }
            if (result.containsErrors()) {
                return result;
            }
        }
        // no APK Signature Scheme v3 (or newer scheme) signatures were found.
        if (minSdkVersion < AndroidSdkVersion.P || foundApkSigSchemeIds.isEmpty()) {
            try {
                ApkSigningBlockUtils.Result v2Result = V2SchemeVerifier.verify(executor, apk, zipSections, supportedSchemeNames, foundApkSigSchemeIds, Math.max(minSdkVersion, AndroidSdkVersion.N), maxSdkVersion);
                foundApkSigSchemeIds.add(ApkSigningBlockUtils.VERSION_APK_SIGNATURE_SCHEME_V2);
                result.mergeFrom(v2Result);
                signatureSchemeApkContentDigests.put(ApkSigningBlockUtils.VERSION_APK_SIGNATURE_SCHEME_V2, getApkContentDigestsFromSigningSchemeResult(v2Result));
            } catch (ApkSigningBlockUtils.SignatureNotFoundException ignored) {
            // v2 signature not required
            }
            if (result.containsErrors()) {
                return result;
            }
        }
        // If v4 file is specified, use additional verification on it
        if (mV4SignatureFile != null) {
            final ApkSigningBlockUtils.Result v4Result = V4SchemeVerifier.verify(apk, mV4SignatureFile);
            foundApkSigSchemeIds.add(ApkSigningBlockUtils.VERSION_APK_SIGNATURE_SCHEME_V4);
            result.mergeFrom(v4Result);
            if (result.containsErrors()) {
                return result;
            }
        }
    }
    // are signed using APK Signature Scheme v2 or newer.
    if (maxSdkVersion >= AndroidSdkVersion.O) {
        if (androidManifest == null) {
            androidManifest = getAndroidManifestFromApk(apk, zipSections);
        }
        int targetSandboxVersion = getTargetSandboxVersionFromBinaryAndroidManifest(androidManifest.slice());
        if (targetSandboxVersion > 1) {
            if (foundApkSigSchemeIds.isEmpty()) {
                result.addError(Issue.NO_SIG_FOR_TARGET_SANDBOX_VERSION, targetSandboxVersion);
            }
        }
    }
    List<CentralDirectoryRecord> cdRecords = V1SchemeVerifier.parseZipCentralDirectory(apk, zipSections);
    // scheme) signatures were found.
    if ((minSdkVersion < AndroidSdkVersion.N) || (foundApkSigSchemeIds.isEmpty())) {
        V1SchemeVerifier.Result v1Result = V1SchemeVerifier.verify(apk, zipSections, supportedSchemeNames, foundApkSigSchemeIds, minSdkVersion, maxSdkVersion);
        result.mergeFrom(v1Result);
        signatureSchemeApkContentDigests.put(ApkSigningBlockUtils.VERSION_JAR_SIGNATURE_SCHEME, getApkContentDigestFromV1SigningScheme(cdRecords, apk, zipSections));
    }
    if (result.containsErrors()) {
        return result;
    }
    // Verify the SourceStamp, if found in the APK.
    try {
        CentralDirectoryRecord sourceStampCdRecord = null;
        for (CentralDirectoryRecord cdRecord : cdRecords) {
            if (SOURCE_STAMP_CERTIFICATE_HASH_ZIP_ENTRY_NAME.equals(cdRecord.getName())) {
                sourceStampCdRecord = cdRecord;
                break;
            }
        }
        // block in the APK signing block as well.
        if (sourceStampCdRecord != null) {
            byte[] sourceStampCertificateDigest = LocalFileRecord.getUncompressedData(apk, sourceStampCdRecord, zipSections.getZipCentralDirectoryOffset());
            ApkSigResult sourceStampResult = V2SourceStampVerifier.verify(apk, zipSections, sourceStampCertificateDigest, signatureSchemeApkContentDigests, Math.max(minSdkVersion, AndroidSdkVersion.R), maxSdkVersion);
            result.mergeFrom(sourceStampResult);
        }
    } catch (SignatureNotFoundException ignored) {
        result.addWarning(Issue.SOURCE_STAMP_SIG_MISSING);
    } catch (ZipFormatException e) {
        throw new ApkFormatException("Failed to read APK", e);
    }
    if (result.containsErrors()) {
        return result;
    }
    // signatures verified.
    if ((result.isVerifiedUsingV1Scheme()) && (result.isVerifiedUsingV2Scheme())) {
        ArrayList<Result.V1SchemeSignerInfo> v1Signers = new ArrayList<>(result.getV1SchemeSigners());
        ArrayList<Result.V2SchemeSignerInfo> v2Signers = new ArrayList<>(result.getV2SchemeSigners());
        ArrayList<ByteArray> v1SignerCerts = new ArrayList<>();
        ArrayList<ByteArray> v2SignerCerts = new ArrayList<>();
        for (Result.V1SchemeSignerInfo signer : v1Signers) {
            try {
                v1SignerCerts.add(new ByteArray(signer.getCertificate().getEncoded()));
            } catch (CertificateEncodingException e) {
                throw new IllegalStateException("Failed to encode JAR signer " + signer.getName() + " certs", e);
            }
        }
        for (Result.V2SchemeSignerInfo signer : v2Signers) {
            try {
                v2SignerCerts.add(new ByteArray(signer.getCertificate().getEncoded()));
            } catch (CertificateEncodingException e) {
                throw new IllegalStateException("Failed to encode APK Signature Scheme v2 signer (index: " + signer.getIndex() + ") certs", e);
            }
        }
        for (int i = 0; i < v1SignerCerts.size(); i++) {
            ByteArray v1Cert = v1SignerCerts.get(i);
            if (!v2SignerCerts.contains(v1Cert)) {
                Result.V1SchemeSignerInfo v1Signer = v1Signers.get(i);
                v1Signer.addError(Issue.V2_SIG_MISSING);
                break;
            }
        }
        for (int i = 0; i < v2SignerCerts.size(); i++) {
            ByteArray v2Cert = v2SignerCerts.get(i);
            if (!v1SignerCerts.contains(v2Cert)) {
                Result.V2SchemeSignerInfo v2Signer = v2Signers.get(i);
                v2Signer.addError(Issue.JAR_SIG_MISSING);
                break;
            }
        }
    }
    // matches the oldest signing certificate in the provided SigningCertificateLineage
    if (result.isVerifiedUsingV3Scheme() && (result.isVerifiedUsingV1Scheme() || result.isVerifiedUsingV2Scheme())) {
        SigningCertificateLineage lineage = result.getSigningCertificateLineage();
        X509Certificate oldSignerCert;
        if (result.isVerifiedUsingV1Scheme()) {
            List<Result.V1SchemeSignerInfo> v1Signers = result.getV1SchemeSigners();
            if (v1Signers.size() != 1) {
                // APK Signature Scheme v3 only supports single-signers, error to sign with
                // multiple and then only one
                result.addError(Issue.V3_SIG_MULTIPLE_PAST_SIGNERS);
            }
            oldSignerCert = v1Signers.get(0).mCertChain.get(0);
        } else {
            List<Result.V2SchemeSignerInfo> v2Signers = result.getV2SchemeSigners();
            if (v2Signers.size() != 1) {
                // APK Signature Scheme v3 only supports single-signers, error to sign with
                // multiple and then only one
                result.addError(Issue.V3_SIG_MULTIPLE_PAST_SIGNERS);
            }
            oldSignerCert = v2Signers.get(0).mCerts.get(0);
        }
        if (lineage == null) {
            // no signing certificate history with which to contend, just make sure that v3
            // matches previous versions
            List<Result.V3SchemeSignerInfo> v3Signers = result.getV3SchemeSigners();
            if (v3Signers.size() != 1) {
                // multiple v3 signers should never exist without rotation history, since
                // multiple signers implies a different signer for different platform versions
                result.addError(Issue.V3_SIG_MULTIPLE_SIGNERS);
            }
            try {
                if (!Arrays.equals(oldSignerCert.getEncoded(), v3Signers.get(0).mCerts.get(0).getEncoded())) {
                    result.addError(Issue.V3_SIG_PAST_SIGNERS_MISMATCH);
                }
            } catch (CertificateEncodingException e) {
                // we just go the encoding for the v1/v2 certs above, so must be v3
                throw new RuntimeException("Failed to encode APK Signature Scheme v3 signer cert", e);
            }
        } else {
            // as our v1/v2 signer
            try {
                lineage = lineage.getSubLineage(oldSignerCert);
                if (lineage.size() != 1) {
                    // the v1/v2 signer was found, but not at the root of the lineage
                    result.addError(Issue.V3_SIG_PAST_SIGNERS_MISMATCH);
                }
            } catch (IllegalArgumentException e) {
                // the v1/v2 signer was not found in the lineage
                result.addError(Issue.V3_SIG_PAST_SIGNERS_MISMATCH);
            }
        }
    }
    // The apkDigest field in the v4 signature should match the selected v2/v3.
    if (result.isVerifiedUsingV4Scheme()) {
        List<Result.V4SchemeSignerInfo> v4Signers = result.getV4SchemeSigners();
        if (v4Signers.size() != 1) {
            result.addError(Issue.V4_SIG_MULTIPLE_SIGNERS);
        }
        List<ApkSigningBlockUtils.Result.SignerInfo.ContentDigest> digestsFromV4 = v4Signers.get(0).getContentDigests();
        if (digestsFromV4.size() != 1) {
            result.addError(Issue.V4_SIG_V2_V3_DIGESTS_MISMATCH);
        }
        final byte[] digestFromV4 = digestsFromV4.get(0).getValue();
        if (result.isVerifiedUsingV3Scheme()) {
            List<Result.V3SchemeSignerInfo> v3Signers = result.getV3SchemeSigners();
            if (v3Signers.size() != 1) {
                result.addError(Issue.V4_SIG_MULTIPLE_SIGNERS);
            }
            // Compare certificates.
            checkV4Certificate(v4Signers.get(0).mCerts, v3Signers.get(0).mCerts, result);
            // Compare digests.
            final byte[] digestFromV3 = pickBestDigestForV4(v3Signers.get(0).getContentDigests());
            if (!Arrays.equals(digestFromV4, digestFromV3)) {
                result.addError(Issue.V4_SIG_V2_V3_DIGESTS_MISMATCH);
            }
        } else if (result.isVerifiedUsingV2Scheme()) {
            List<Result.V2SchemeSignerInfo> v2Signers = result.getV2SchemeSigners();
            if (v2Signers.size() != 1) {
                result.addError(Issue.V4_SIG_MULTIPLE_SIGNERS);
            }
            // Compare certificates.
            checkV4Certificate(v4Signers.get(0).mCerts, v2Signers.get(0).mCerts, result);
            // Compare digests.
            final byte[] digestFromV2 = pickBestDigestForV4(v2Signers.get(0).getContentDigests());
            if (!Arrays.equals(digestFromV4, digestFromV2)) {
                result.addError(Issue.V4_SIG_V2_V3_DIGESTS_MISMATCH);
            }
        } else {
            throw new RuntimeException("V4 signature must be also verified with V2/V3");
        }
    }
    // that the APK was signed with at least that version.
    try {
        if (androidManifest == null) {
            androidManifest = getAndroidManifestFromApk(apk, zipSections);
        }
    } catch (ApkFormatException e) {
    // If the manifest is not available then skip the minimum signature scheme requirement
    // to support bundle verification.
    }
    if (androidManifest != null) {
        int targetSdkVersion = getTargetSdkVersionFromBinaryAndroidManifest(androidManifest.slice());
        int minSchemeVersion = getMinimumSignatureSchemeVersionForTargetSdk(targetSdkVersion);
        // expanded to verify the minimum based on the target and maximum SDK version.
        if (minSchemeVersion > VERSION_JAR_SIGNATURE_SCHEME && maxSdkVersion >= targetSdkVersion) {
            switch(minSchemeVersion) {
                case VERSION_APK_SIGNATURE_SCHEME_V2:
                    if (result.isVerifiedUsingV2Scheme()) {
                        break;
                    }
                // later scheme version will also satisfy this requirement.
                case VERSION_APK_SIGNATURE_SCHEME_V3:
                    if (result.isVerifiedUsingV3Scheme()) {
                        break;
                    }
                    result.addError(Issue.MIN_SIG_SCHEME_FOR_TARGET_SDK_NOT_MET, targetSdkVersion, minSchemeVersion);
            }
        }
    }
    if (result.containsErrors()) {
        return result;
    }
    // Verified
    result.setVerified();
    if (result.isVerifiedUsingV3Scheme()) {
        List<Result.V3SchemeSignerInfo> v3Signers = result.getV3SchemeSigners();
        result.addSignerCertificate(v3Signers.get(v3Signers.size() - 1).getCertificate());
    } else if (result.isVerifiedUsingV2Scheme()) {
        for (Result.V2SchemeSignerInfo signerInfo : result.getV2SchemeSigners()) {
            result.addSignerCertificate(signerInfo.getCertificate());
        }
    } else if (result.isVerifiedUsingV1Scheme()) {
        for (Result.V1SchemeSignerInfo signerInfo : result.getV1SchemeSigners()) {
            result.addSignerCertificate(signerInfo.getCertificate());
        }
    } else {
        throw new RuntimeException("APK verified, but has not verified using any of v1, v2 or v3 schemes");
    }
    return result;
}
Also used : HashMap(java.util.HashMap) ArrayList(java.util.ArrayList) ApkSigResult(com.android.apksig.internal.apk.ApkSigResult) ApkSigResult(com.android.apksig.internal.apk.ApkSigResult) List(java.util.List) ArrayList(java.util.ArrayList) HashSet(java.util.HashSet) V1SchemeVerifier(com.android.apksig.internal.apk.v1.V1SchemeVerifier) X509Certificate(java.security.cert.X509Certificate) SignatureNotFoundException(com.android.apksig.internal.apk.SignatureNotFoundException) Map(java.util.Map) EnumMap(java.util.EnumMap) HashMap(java.util.HashMap) CentralDirectoryRecord(com.android.apksig.internal.zip.CentralDirectoryRecord) ZipFormatException(com.android.apksig.zip.ZipFormatException) ApkSigningBlockUtils(com.android.apksig.internal.apk.ApkSigningBlockUtils) ApkFormatException(com.android.apksig.apk.ApkFormatException) RunnablesExecutor(com.android.apksig.util.RunnablesExecutor) CertificateEncodingException(java.security.cert.CertificateEncodingException) ByteBuffer(java.nio.ByteBuffer) ApkUtils(com.android.apksig.apk.ApkUtils)

Example 4 with ApkSigResult

use of com.android.apksig.internal.apk.ApkSigResult in project apksig by venshine.

the class ApkVerifier method verifySourceStamp.

/**
 * Verifies the provided {@code apk}'s source stamp signature, including verification of the
 * SHA-256 digest of the stamp signing certificate matches the {@code expectedCertDigest}, and
 * returns the result of the verification.
 *
 * @see #verifySourceStamp(String)
 */
private Result verifySourceStamp(DataSource apk, String expectedCertDigest) {
    try {
        ApkUtils.ZipSections zipSections = ApkUtils.findZipSections(apk);
        int minSdkVersion = verifyAndGetMinSdkVersion(apk, zipSections);
        // Attempt to obtain the source stamp's certificate digest from the APK.
        List<CentralDirectoryRecord> cdRecords = V1SchemeVerifier.parseZipCentralDirectory(apk, zipSections);
        CentralDirectoryRecord sourceStampCdRecord = null;
        for (CentralDirectoryRecord cdRecord : cdRecords) {
            if (SOURCE_STAMP_CERTIFICATE_HASH_ZIP_ENTRY_NAME.equals(cdRecord.getName())) {
                sourceStampCdRecord = cdRecord;
                break;
            }
        }
        // APK's signature block to determine the appropriate status to return.
        if (sourceStampCdRecord == null) {
            boolean stampSigningBlockFound;
            try {
                ApkSigningBlockUtils.Result result = new ApkSigningBlockUtils.Result(ApkSigningBlockUtils.VERSION_SOURCE_STAMP);
                ApkSigningBlockUtils.findSignature(apk, zipSections, SourceStampConstants.V2_SOURCE_STAMP_BLOCK_ID, result);
                stampSigningBlockFound = true;
            } catch (ApkSigningBlockUtils.SignatureNotFoundException e) {
                stampSigningBlockFound = false;
            }
            if (stampSigningBlockFound) {
                return createSourceStampResultWithError(Result.SourceStampInfo.SourceStampVerificationStatus.STAMP_NOT_VERIFIED, Issue.SOURCE_STAMP_SIGNATURE_BLOCK_WITHOUT_CERT_DIGEST);
            } else {
                return createSourceStampResultWithError(Result.SourceStampInfo.SourceStampVerificationStatus.STAMP_MISSING, Issue.SOURCE_STAMP_CERT_DIGEST_AND_SIG_BLOCK_MISSING);
            }
        }
        // Verify that the contents of the source stamp certificate digest match the expected
        // value, if provided.
        byte[] sourceStampCertificateDigest = LocalFileRecord.getUncompressedData(apk, sourceStampCdRecord, zipSections.getZipCentralDirectoryOffset());
        if (expectedCertDigest != null) {
            String actualCertDigest = ApkSigningBlockUtils.toHex(sourceStampCertificateDigest);
            if (!expectedCertDigest.equalsIgnoreCase(actualCertDigest)) {
                return createSourceStampResultWithError(Result.SourceStampInfo.SourceStampVerificationStatus.CERT_DIGEST_MISMATCH, Issue.SOURCE_STAMP_EXPECTED_DIGEST_MISMATCH, actualCertDigest, expectedCertDigest);
            }
        }
        Map<Integer, Map<ContentDigestAlgorithm, byte[]>> signatureSchemeApkContentDigests = new HashMap<>();
        Map<Integer, String> supportedSchemeNames = getSupportedSchemeNames(mMaxSdkVersion);
        Set<Integer> foundApkSigSchemeIds = new HashSet<>(2);
        Result result = new Result();
        ApkSigningBlockUtils.Result v3Result = null;
        if (mMaxSdkVersion >= AndroidSdkVersion.P) {
            v3Result = getApkContentDigests(apk, zipSections, foundApkSigSchemeIds, supportedSchemeNames, signatureSchemeApkContentDigests, VERSION_APK_SIGNATURE_SCHEME_V3, Math.max(minSdkVersion, AndroidSdkVersion.P));
            if (v3Result != null && v3Result.containsErrors()) {
                result.mergeFrom(v3Result);
                return mergeSourceStampResult(Result.SourceStampInfo.SourceStampVerificationStatus.VERIFICATION_ERROR, result);
            }
        }
        ApkSigningBlockUtils.Result v2Result = null;
        if (mMaxSdkVersion >= AndroidSdkVersion.N && (minSdkVersion < AndroidSdkVersion.P || foundApkSigSchemeIds.isEmpty())) {
            v2Result = getApkContentDigests(apk, zipSections, foundApkSigSchemeIds, supportedSchemeNames, signatureSchemeApkContentDigests, VERSION_APK_SIGNATURE_SCHEME_V2, Math.max(minSdkVersion, AndroidSdkVersion.N));
            if (v2Result != null && v2Result.containsErrors()) {
                result.mergeFrom(v2Result);
                return mergeSourceStampResult(Result.SourceStampInfo.SourceStampVerificationStatus.VERIFICATION_ERROR, result);
            }
        }
        if (minSdkVersion < AndroidSdkVersion.N || foundApkSigSchemeIds.isEmpty()) {
            signatureSchemeApkContentDigests.put(VERSION_JAR_SIGNATURE_SCHEME, getApkContentDigestFromV1SigningScheme(cdRecords, apk, zipSections));
        }
        ApkSigResult sourceStampResult = V2SourceStampVerifier.verify(apk, zipSections, sourceStampCertificateDigest, signatureSchemeApkContentDigests, minSdkVersion, mMaxSdkVersion);
        result.mergeFrom(sourceStampResult);
        // as verified if the source stamp verification was successful.
        if (sourceStampResult.verified) {
            result.setVerified();
        } else {
            // To prevent APK signature verification with a failed / missing source stamp the
            // source stamp verification will only log warnings; to allow the caller to capture
            // the failure reason treat all warnings as errors.
            result.setWarningsAsErrors(true);
        }
        return result;
    } catch (ApkFormatException | IOException | ZipFormatException e) {
        return createSourceStampResultWithError(Result.SourceStampInfo.SourceStampVerificationStatus.VERIFICATION_ERROR, Issue.MALFORMED_APK, e);
    } catch (NoSuchAlgorithmException e) {
        return createSourceStampResultWithError(Result.SourceStampInfo.SourceStampVerificationStatus.VERIFICATION_ERROR, Issue.UNEXPECTED_EXCEPTION, e);
    } catch (SignatureNotFoundException e) {
        return createSourceStampResultWithError(Result.SourceStampInfo.SourceStampVerificationStatus.STAMP_NOT_VERIFIED, Issue.SOURCE_STAMP_SIG_MISSING);
    }
}
Also used : CentralDirectoryRecord(com.android.apksig.internal.zip.CentralDirectoryRecord) HashMap(java.util.HashMap) ApkSigResult(com.android.apksig.internal.apk.ApkSigResult) ZipFormatException(com.android.apksig.zip.ZipFormatException) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) ApkSigningBlockUtils(com.android.apksig.internal.apk.ApkSigningBlockUtils) ApkSigResult(com.android.apksig.internal.apk.ApkSigResult) ApkFormatException(com.android.apksig.apk.ApkFormatException) HashSet(java.util.HashSet) IOException(java.io.IOException) ApkUtils(com.android.apksig.apk.ApkUtils) SignatureNotFoundException(com.android.apksig.internal.apk.SignatureNotFoundException) Map(java.util.Map) EnumMap(java.util.EnumMap) HashMap(java.util.HashMap)

Aggregations

ApkSigResult (com.android.apksig.internal.apk.ApkSigResult)4 ApkFormatException (com.android.apksig.apk.ApkFormatException)3 SignatureNotFoundException (com.android.apksig.internal.apk.SignatureNotFoundException)3 CentralDirectoryRecord (com.android.apksig.internal.zip.CentralDirectoryRecord)3 ZipFormatException (com.android.apksig.zip.ZipFormatException)3 EnumMap (java.util.EnumMap)3 HashMap (java.util.HashMap)3 Map (java.util.Map)3 ApkUtils (com.android.apksig.apk.ApkUtils)2 ApkSigningBlockUtils (com.android.apksig.internal.apk.ApkSigningBlockUtils)2 SignatureInfo (com.android.apksig.internal.apk.SignatureInfo)2 IOException (java.io.IOException)2 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)2 HashSet (java.util.HashSet)2 ContentDigestAlgorithm (com.android.apksig.internal.apk.ContentDigestAlgorithm)1 V1SchemeVerifier (com.android.apksig.internal.apk.v1.V1SchemeVerifier)1 RunnablesExecutor (com.android.apksig.util.RunnablesExecutor)1 ZipSections (com.android.apksig.zip.ZipSections)1 ByteBuffer (java.nio.ByteBuffer)1 CertificateEncodingException (java.security.cert.CertificateEncodingException)1