1 /*
2 * Copyright (C) 2021 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 //! Utilities for Signature Verification
18
19 use anyhow::{anyhow, bail, Result};
20 use byteorder::{LittleEndian, ReadBytesExt};
21 use bytes::{Buf, BufMut, Bytes, BytesMut};
22 use ring::digest;
23 use std::cmp::min;
24 use std::io::{Cursor, Read, Seek, SeekFrom, Take};
25
26 use crate::ziputil::{set_central_directory_offset, zip_sections};
27
28 const APK_SIG_BLOCK_MIN_SIZE: u32 = 32;
29 const APK_SIG_BLOCK_MAGIC: u128 = 0x3234206b636f6c4220676953204b5041;
30
31 // TODO(jooyung): introduce type
32 pub const SIGNATURE_RSA_PSS_WITH_SHA256: u32 = 0x0101;
33 pub const SIGNATURE_RSA_PSS_WITH_SHA512: u32 = 0x0102;
34 pub const SIGNATURE_RSA_PKCS1_V1_5_WITH_SHA256: u32 = 0x0103;
35 pub const SIGNATURE_RSA_PKCS1_V1_5_WITH_SHA512: u32 = 0x0104;
36 pub const SIGNATURE_ECDSA_WITH_SHA256: u32 = 0x0201;
37 pub const SIGNATURE_ECDSA_WITH_SHA512: u32 = 0x0202;
38 pub const SIGNATURE_DSA_WITH_SHA256: u32 = 0x0301;
39 pub const SIGNATURE_VERITY_RSA_PKCS1_V1_5_WITH_SHA256: u32 = 0x0421;
40 pub const SIGNATURE_VERITY_ECDSA_WITH_SHA256: u32 = 0x0423;
41 pub const SIGNATURE_VERITY_DSA_WITH_SHA256: u32 = 0x0425;
42
43 // TODO(jooyung): introduce type
44 const CONTENT_DIGEST_CHUNKED_SHA256: u32 = 1;
45 const CONTENT_DIGEST_CHUNKED_SHA512: u32 = 2;
46 const CONTENT_DIGEST_VERITY_CHUNKED_SHA256: u32 = 3;
47 #[allow(unused)]
48 const CONTENT_DIGEST_SHA256: u32 = 4;
49
50 const CHUNK_SIZE_BYTES: u64 = 1024 * 1024;
51
52 pub struct ApkSections<R> {
53 inner: R,
54 signing_block_offset: u32,
55 signing_block_size: u32,
56 central_directory_offset: u32,
57 central_directory_size: u32,
58 eocd_offset: u32,
59 eocd_size: u32,
60 }
61
62 impl<R: Read + Seek> ApkSections<R> {
new(reader: R) -> Result<ApkSections<R>>63 pub fn new(reader: R) -> Result<ApkSections<R>> {
64 let (mut reader, zip_sections) = zip_sections(reader)?;
65 let (signing_block_offset, signing_block_size) =
66 find_signing_block(&mut reader, zip_sections.central_directory_offset)?;
67 Ok(ApkSections {
68 inner: reader,
69 signing_block_offset,
70 signing_block_size,
71 central_directory_offset: zip_sections.central_directory_offset,
72 central_directory_size: zip_sections.central_directory_size,
73 eocd_offset: zip_sections.eocd_offset,
74 eocd_size: zip_sections.eocd_size,
75 })
76 }
77
78 /// Returns the APK Signature Scheme block contained in the provided file for the given ID
79 /// and the additional information relevant for verifying the block against the file.
find_signature(&mut self, block_id: u32) -> Result<Bytes>80 pub fn find_signature(&mut self, block_id: u32) -> Result<Bytes> {
81 let signing_block = self.bytes(self.signing_block_offset, self.signing_block_size)?;
82 // TODO(jooyung): propagate NotFound error so that verification can fallback to V2
83 find_signature_scheme_block(Bytes::from(signing_block), block_id)
84 }
85
86 /// Computes digest with "signature algorithm" over APK contents, central directory, and EOCD.
87 /// 1. The digest of each chunk is computed over the concatenation of byte 0xa5, the chunk’s
88 /// length in bytes (little-endian uint32), and the chunk’s contents.
89 /// 2. The top-level digest is computed over the concatenation of byte 0x5a, the number of
90 /// chunks (little-endian uint32), and the concatenation of digests of the chunks in the
91 /// order the chunks appear in the APK.
92 /// (see https://source.android.com/security/apksigning/v2#integrity-protected-contents)
compute_digest(&mut self, signature_algorithm_id: u32) -> Result<Vec<u8>>93 pub fn compute_digest(&mut self, signature_algorithm_id: u32) -> Result<Vec<u8>> {
94 let digester = Digester::new(signature_algorithm_id)?;
95
96 let mut digests_of_chunks = BytesMut::new();
97 let mut chunk_count = 0u32;
98 let mut chunk = vec![0u8; CHUNK_SIZE_BYTES as usize];
99 for data in &[
100 ApkSections::zip_entries,
101 ApkSections::central_directory,
102 ApkSections::eocd_for_verification,
103 ] {
104 let mut data = data(self)?;
105 while data.limit() > 0 {
106 let chunk_size = min(CHUNK_SIZE_BYTES, data.limit());
107 let slice = &mut chunk[..(chunk_size as usize)];
108 data.read_exact(slice)?;
109 digests_of_chunks.put_slice(
110 digester.digest(slice, CHUNK_HEADER_MID, chunk_size as u32).as_ref(),
111 );
112 chunk_count += 1;
113 }
114 }
115 Ok(digester.digest(&digests_of_chunks, CHUNK_HEADER_TOP, chunk_count).as_ref().into())
116 }
117
zip_entries(&mut self) -> Result<Take<Box<dyn Read + '_>>>118 fn zip_entries(&mut self) -> Result<Take<Box<dyn Read + '_>>> {
119 scoped_read(&mut self.inner, 0, self.signing_block_offset as u64)
120 }
121
central_directory(&mut self) -> Result<Take<Box<dyn Read + '_>>>122 fn central_directory(&mut self) -> Result<Take<Box<dyn Read + '_>>> {
123 scoped_read(
124 &mut self.inner,
125 self.central_directory_offset as u64,
126 self.central_directory_size as u64,
127 )
128 }
129
eocd_for_verification(&mut self) -> Result<Take<Box<dyn Read + '_>>>130 fn eocd_for_verification(&mut self) -> Result<Take<Box<dyn Read + '_>>> {
131 let mut eocd = self.bytes(self.eocd_offset, self.eocd_size)?;
132 // Protection of section 4 (ZIP End of Central Directory) is complicated by the section
133 // containing the offset of ZIP Central Directory. The offset changes when the size of the
134 // APK Signing Block changes, for instance, when a new signature is added. Thus, when
135 // computing digest over the ZIP End of Central Directory, the field containing the offset
136 // of ZIP Central Directory must be treated as containing the offset of the APK Signing
137 // Block.
138 set_central_directory_offset(&mut eocd, self.signing_block_offset)?;
139 Ok(Read::take(Box::new(Cursor::new(eocd)), self.eocd_size as u64))
140 }
141
bytes(&mut self, offset: u32, size: u32) -> Result<Vec<u8>>142 fn bytes(&mut self, offset: u32, size: u32) -> Result<Vec<u8>> {
143 self.inner.seek(SeekFrom::Start(offset as u64))?;
144 let mut buf = vec![0u8; size as usize];
145 self.inner.read_exact(&mut buf)?;
146 Ok(buf)
147 }
148 }
149
scoped_read<'a, R: Read + Seek>( src: &'a mut R, offset: u64, size: u64, ) -> Result<Take<Box<dyn Read + 'a>>>150 fn scoped_read<'a, R: Read + Seek>(
151 src: &'a mut R,
152 offset: u64,
153 size: u64,
154 ) -> Result<Take<Box<dyn Read + 'a>>> {
155 src.seek(SeekFrom::Start(offset))?;
156 Ok(Read::take(Box::new(src), size))
157 }
158
159 struct Digester {
160 algorithm: &'static digest::Algorithm,
161 }
162
163 const CHUNK_HEADER_TOP: &[u8] = &[0x5a];
164 const CHUNK_HEADER_MID: &[u8] = &[0xa5];
165
166 impl Digester {
new(signature_algorithm_id: u32) -> Result<Digester>167 fn new(signature_algorithm_id: u32) -> Result<Digester> {
168 let digest_algorithm_id = to_content_digest_algorithm(signature_algorithm_id)?;
169 let algorithm = match digest_algorithm_id {
170 CONTENT_DIGEST_CHUNKED_SHA256 => &digest::SHA256,
171 CONTENT_DIGEST_CHUNKED_SHA512 => &digest::SHA512,
172 // TODO(jooyung): implement
173 CONTENT_DIGEST_VERITY_CHUNKED_SHA256 => {
174 bail!("TODO(b/190343842): CONTENT_DIGEST_VERITY_CHUNKED_SHA256: not implemented")
175 }
176 _ => bail!("Unknown digest algorithm: {}", digest_algorithm_id),
177 };
178 Ok(Digester { algorithm })
179 }
180
181 // v2/v3 digests are computed after prepending "header" byte and "size" info.
digest(&self, data: &[u8], header: &[u8], size: u32) -> digest::Digest182 fn digest(&self, data: &[u8], header: &[u8], size: u32) -> digest::Digest {
183 let mut ctx = digest::Context::new(self.algorithm);
184 ctx.update(header);
185 ctx.update(&size.to_le_bytes());
186 ctx.update(data);
187 ctx.finish()
188 }
189 }
190
find_signing_block<T: Read + Seek>( reader: &mut T, central_directory_offset: u32, ) -> Result<(u32, u32)>191 fn find_signing_block<T: Read + Seek>(
192 reader: &mut T,
193 central_directory_offset: u32,
194 ) -> Result<(u32, u32)> {
195 // FORMAT:
196 // OFFSET DATA TYPE DESCRIPTION
197 // * @+0 bytes uint64: size in bytes (excluding this field)
198 // * @+8 bytes payload
199 // * @-24 bytes uint64: size in bytes (same as the one above)
200 // * @-16 bytes uint128: magic
201 if central_directory_offset < APK_SIG_BLOCK_MIN_SIZE {
202 bail!(
203 "APK too small for APK Signing Block. ZIP Central Directory offset: {}",
204 central_directory_offset
205 );
206 }
207 reader.seek(SeekFrom::Start((central_directory_offset - 24) as u64))?;
208 let size_in_footer = reader.read_u64::<LittleEndian>()? as u32;
209 if reader.read_u128::<LittleEndian>()? != APK_SIG_BLOCK_MAGIC {
210 bail!("No APK Signing Block before ZIP Central Directory")
211 }
212 let total_size = size_in_footer + 8;
213 let signing_block_offset = central_directory_offset
214 .checked_sub(total_size)
215 .ok_or_else(|| anyhow!("APK Signing Block size out of range: {}", size_in_footer))?;
216 reader.seek(SeekFrom::Start(signing_block_offset as u64))?;
217 let size_in_header = reader.read_u64::<LittleEndian>()? as u32;
218 if size_in_header != size_in_footer {
219 bail!(
220 "APK Signing Block sizes in header and footer do not match: {} vs {}",
221 size_in_header,
222 size_in_footer
223 );
224 }
225 Ok((signing_block_offset, total_size))
226 }
227
find_signature_scheme_block(buf: Bytes, block_id: u32) -> Result<Bytes>228 fn find_signature_scheme_block(buf: Bytes, block_id: u32) -> Result<Bytes> {
229 // FORMAT:
230 // OFFSET DATA TYPE DESCRIPTION
231 // * @+0 bytes uint64: size in bytes (excluding this field)
232 // * @+8 bytes pairs
233 // * @-24 bytes uint64: size in bytes (same as the one above)
234 // * @-16 bytes uint128: magic
235 let mut pairs = buf.slice(8..(buf.len() - 24));
236 let mut entry_count = 0;
237 while pairs.has_remaining() {
238 entry_count += 1;
239 if pairs.remaining() < 8 {
240 bail!("Insufficient data to read size of APK Signing Block entry #{}", entry_count);
241 }
242 let length = pairs.get_u64_le();
243 let mut pair = pairs.split_to(length as usize);
244 let id = pair.get_u32_le();
245 if id == block_id {
246 return Ok(pair);
247 }
248 }
249 // TODO(jooyung): return NotFound error
250 bail!("No APK Signature Scheme block in APK Signing Block with ID: {}", block_id)
251 }
252
is_supported_signature_algorithm(algorithm_id: u32) -> bool253 pub fn is_supported_signature_algorithm(algorithm_id: u32) -> bool {
254 matches!(
255 algorithm_id,
256 SIGNATURE_RSA_PSS_WITH_SHA256
257 | SIGNATURE_RSA_PSS_WITH_SHA512
258 | SIGNATURE_RSA_PKCS1_V1_5_WITH_SHA256
259 | SIGNATURE_RSA_PKCS1_V1_5_WITH_SHA512
260 | SIGNATURE_ECDSA_WITH_SHA256
261 | SIGNATURE_ECDSA_WITH_SHA512
262 | SIGNATURE_DSA_WITH_SHA256
263 | SIGNATURE_VERITY_RSA_PKCS1_V1_5_WITH_SHA256
264 | SIGNATURE_VERITY_ECDSA_WITH_SHA256
265 | SIGNATURE_VERITY_DSA_WITH_SHA256
266 )
267 }
268
to_content_digest_algorithm(algorithm_id: u32) -> Result<u32>269 fn to_content_digest_algorithm(algorithm_id: u32) -> Result<u32> {
270 match algorithm_id {
271 SIGNATURE_RSA_PSS_WITH_SHA256
272 | SIGNATURE_RSA_PKCS1_V1_5_WITH_SHA256
273 | SIGNATURE_ECDSA_WITH_SHA256
274 | SIGNATURE_DSA_WITH_SHA256 => Ok(CONTENT_DIGEST_CHUNKED_SHA256),
275 SIGNATURE_RSA_PSS_WITH_SHA512
276 | SIGNATURE_RSA_PKCS1_V1_5_WITH_SHA512
277 | SIGNATURE_ECDSA_WITH_SHA512 => Ok(CONTENT_DIGEST_CHUNKED_SHA512),
278 SIGNATURE_VERITY_RSA_PKCS1_V1_5_WITH_SHA256
279 | SIGNATURE_VERITY_ECDSA_WITH_SHA256
280 | SIGNATURE_VERITY_DSA_WITH_SHA256 => Ok(CONTENT_DIGEST_VERITY_CHUNKED_SHA256),
281 _ => bail!("Unknown signature algorithm: {}", algorithm_id),
282 }
283 }
284
rank_signature_algorithm(algo: u32) -> Result<u32>285 pub fn rank_signature_algorithm(algo: u32) -> Result<u32> {
286 rank_content_digest_algorithm(to_content_digest_algorithm(algo)?)
287 }
288
rank_content_digest_algorithm(id: u32) -> Result<u32>289 fn rank_content_digest_algorithm(id: u32) -> Result<u32> {
290 match id {
291 CONTENT_DIGEST_CHUNKED_SHA256 => Ok(0),
292 CONTENT_DIGEST_VERITY_CHUNKED_SHA256 => Ok(1),
293 CONTENT_DIGEST_CHUNKED_SHA512 => Ok(2),
294 _ => bail!("Unknown digest algorithm: {}", id),
295 }
296 }
297