1 /*
2 * Copyright (C) 2021 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 //! Verifies APK Signature Scheme V3
18 //!
19 //! [v3 verification]: https://source.android.com/security/apksigning/v3#verification
20
21 use anyhow::{ensure, Context, Result};
22 use bytes::Bytes;
23 use openssl::pkey::{self, PKey};
24 use openssl::x509::X509;
25 use std::fs::File;
26 use std::io::{Read, Seek};
27 use std::ops::RangeInclusive;
28 use std::path::Path;
29
30 use crate::algorithms::SignatureAlgorithmID;
31 use crate::bytes_ext::{BytesExt, LengthPrefixed, ReadFromBytes};
32 use crate::sigutil::*;
33
34 pub const APK_SIGNATURE_SCHEME_V3_BLOCK_ID: u32 = 0xf05368c0;
35
36 type Signers = LengthPrefixed<Vec<LengthPrefixed<Signer>>>;
37
38 #[derive(Debug)]
39 pub(crate) struct Signer {
40 signed_data: LengthPrefixed<Bytes>, // not verified yet
41 min_sdk: u32,
42 max_sdk: u32,
43 signatures: LengthPrefixed<Vec<LengthPrefixed<Signature>>>,
44 public_key: PKey<pkey::Public>,
45 }
46
47 impl Signer {
sdk_range(&self) -> RangeInclusive<u32>48 fn sdk_range(&self) -> RangeInclusive<u32> {
49 self.min_sdk..=self.max_sdk
50 }
51 }
52
53 struct SignedData {
54 digests: LengthPrefixed<Vec<LengthPrefixed<Digest>>>,
55 certificates: LengthPrefixed<Vec<LengthPrefixed<X509Certificate>>>,
56 min_sdk: u32,
57 max_sdk: u32,
58 #[allow(dead_code)]
59 additional_attributes: LengthPrefixed<Vec<LengthPrefixed<AdditionalAttributes>>>,
60 }
61
62 impl SignedData {
sdk_range(&self) -> RangeInclusive<u32>63 fn sdk_range(&self) -> RangeInclusive<u32> {
64 self.min_sdk..=self.max_sdk
65 }
66
find_digest_by_algorithm(&self, algorithm_id: SignatureAlgorithmID) -> Result<&Digest>67 fn find_digest_by_algorithm(&self, algorithm_id: SignatureAlgorithmID) -> Result<&Digest> {
68 Ok(self
69 .digests
70 .iter()
71 .find(|&dig| dig.signature_algorithm_id == Some(algorithm_id))
72 .context(format!("Digest not found for algorithm: {:?}", algorithm_id))?)
73 }
74 }
75
76 #[derive(Debug)]
77 pub(crate) struct Signature {
78 /// Option is used here to allow us to ignore unsupported algorithm.
79 pub(crate) signature_algorithm_id: Option<SignatureAlgorithmID>,
80 signature: LengthPrefixed<Bytes>,
81 }
82
83 struct Digest {
84 signature_algorithm_id: Option<SignatureAlgorithmID>,
85 digest: LengthPrefixed<Bytes>,
86 }
87
88 type X509Certificate = Bytes;
89 type AdditionalAttributes = Bytes;
90
91 /// Verifies APK Signature Scheme v3 signatures of the provided APK and returns the public key
92 /// associated with the signer in DER format.
verify<P: AsRef<Path>>(apk_path: P, current_sdk: u32) -> Result<Box<[u8]>>93 pub fn verify<P: AsRef<Path>>(apk_path: P, current_sdk: u32) -> Result<Box<[u8]>> {
94 let apk = File::open(apk_path.as_ref())?;
95 let (signer, mut sections) = extract_signer_and_apk_sections(apk, current_sdk)?;
96 signer.verify(&mut sections)
97 }
98
99 /// Gets the public key (in DER format) that was used to sign the given APK/APEX file
get_public_key_der<P: AsRef<Path>>(apk_path: P, current_sdk: u32) -> Result<Box<[u8]>>100 pub fn get_public_key_der<P: AsRef<Path>>(apk_path: P, current_sdk: u32) -> Result<Box<[u8]>> {
101 let apk = File::open(apk_path.as_ref())?;
102 let (signer, _) = extract_signer_and_apk_sections(apk, current_sdk)?;
103 Ok(signer.public_key.public_key_to_der()?.into_boxed_slice())
104 }
105
extract_signer_and_apk_sections<R: Read + Seek>( apk: R, current_sdk: u32, ) -> Result<(Signer, ApkSections<R>)>106 pub(crate) fn extract_signer_and_apk_sections<R: Read + Seek>(
107 apk: R,
108 current_sdk: u32,
109 ) -> Result<(Signer, ApkSections<R>)> {
110 let mut sections = ApkSections::new(apk)?;
111 let mut block = sections.find_signature(APK_SIGNATURE_SCHEME_V3_BLOCK_ID).context(
112 "Fallback to v2 when v3 block not found is not yet implemented.", // b/197052981
113 )?;
114 let signers = block.read::<Signers>()?.into_inner();
115 let mut supported =
116 signers.into_iter().filter(|s| s.sdk_range().contains(¤t_sdk)).collect::<Vec<_>>();
117 ensure!(
118 supported.len() == 1,
119 "APK Signature Scheme V3 only supports one signer: {} signers found.",
120 supported.len()
121 );
122 Ok((supported.pop().unwrap().into_inner(), sections))
123 }
124
125 impl Signer {
126 /// Selects the signature that has the strongest supported `SignatureAlgorithmID`.
127 /// The strongest signature is used in both v3 verification and v4 apk digest computation.
strongest_signature(&self) -> Result<&Signature>128 pub(crate) fn strongest_signature(&self) -> Result<&Signature> {
129 Ok(self
130 .signatures
131 .iter()
132 .filter(|sig| sig.signature_algorithm_id.map_or(false, |algo| algo.is_supported()))
133 .max_by_key(|sig| sig.signature_algorithm_id.unwrap().content_digest_algorithm())
134 .context("No supported APK signatures found; DSA is not supported")?)
135 }
136
find_digest_by_algorithm( &self, algorithm_id: SignatureAlgorithmID, ) -> Result<Box<[u8]>>137 pub(crate) fn find_digest_by_algorithm(
138 &self,
139 algorithm_id: SignatureAlgorithmID,
140 ) -> Result<Box<[u8]>> {
141 let signed_data: SignedData = self.signed_data.slice(..).read()?;
142 let digest = signed_data.find_digest_by_algorithm(algorithm_id)?;
143 Ok(digest.digest.as_ref().to_vec().into_boxed_slice())
144 }
145
146 /// Verifies the strongest signature from signatures against signed data using public key.
147 /// Returns the verified signed data.
verify_signature(&self, strongest: &Signature) -> Result<SignedData>148 fn verify_signature(&self, strongest: &Signature) -> Result<SignedData> {
149 let mut verifier = strongest
150 .signature_algorithm_id
151 .context("Unsupported algorithm")?
152 .new_verifier(&self.public_key)?;
153 verifier.update(&self.signed_data)?;
154 ensure!(verifier.verify(&strongest.signature)?, "Signature is invalid.");
155 // It is now safe to parse signed data.
156 self.signed_data.slice(..).read()
157 }
158
159 /// The steps in this method implements APK Signature Scheme v3 verification step 3.
verify<R: Read + Seek>(&self, sections: &mut ApkSections<R>) -> Result<Box<[u8]>>160 fn verify<R: Read + Seek>(&self, sections: &mut ApkSections<R>) -> Result<Box<[u8]>> {
161 // 1. Choose the strongest supported signature algorithm ID from signatures.
162 let strongest = self.strongest_signature()?;
163
164 // 2. Verify the corresponding signature from signatures against signed data using public key.
165 let verified_signed_data = self.verify_signature(strongest)?;
166
167 // 3. Verify the min and max SDK versions in the signed data match those specified for the
168 // signer.
169 ensure!(
170 self.sdk_range() == verified_signed_data.sdk_range(),
171 "SDK versions mismatch between signed and unsigned in v3 signer block."
172 );
173
174 // 4. Verify that the ordered list of signature algorithm IDs in digests and signatures is
175 // identical. (This is to prevent signature stripping/addition.)
176 ensure!(
177 self.signatures
178 .iter()
179 .map(|sig| sig.signature_algorithm_id)
180 .eq(verified_signed_data.digests.iter().map(|dig| dig.signature_algorithm_id)),
181 "Signature algorithms don't match between digests and signatures records"
182 );
183
184 // 5. Compute the digest of APK contents using the same digest algorithm as the digest
185 // algorithm used by the signature algorithm.
186 let digest = verified_signed_data.find_digest_by_algorithm(
187 strongest.signature_algorithm_id.context("Unsupported algorithm")?,
188 )?;
189 let computed = sections.compute_digest(digest.signature_algorithm_id.unwrap())?;
190
191 // 6. Verify that the computed digest is identical to the corresponding digest from digests.
192 ensure!(
193 computed == digest.digest.as_ref(),
194 "Digest mismatch: computed={:?} vs expected={:?}",
195 hex::encode(&computed),
196 hex::encode(digest.digest.as_ref()),
197 );
198
199 // 7. Verify that public key of the first certificate of certificates is identical
200 // to public key.
201 let cert = verified_signed_data.certificates.first().context("No certificates listed")?;
202 let cert = X509::from_der(cert.as_ref())?;
203 ensure!(
204 cert.public_key()?.public_eq(&self.public_key),
205 "Public key mismatch between certificate and signature record"
206 );
207
208 // TODO(b/245914104)
209 // 8. If the proof-of-rotation attribute exists for the signer verify that the
210 // struct is valid and this signer is the last certificate in the list.
211 Ok(self.public_key.public_key_to_der()?.into_boxed_slice())
212 }
213 }
214
215 // ReadFromBytes implementations
216 // TODO(b/190343842): add derive macro: #[derive(ReadFromBytes)]
217
218 impl ReadFromBytes for Signer {
read_from_bytes(buf: &mut Bytes) -> Result<Self>219 fn read_from_bytes(buf: &mut Bytes) -> Result<Self> {
220 Ok(Self {
221 signed_data: buf.read()?,
222 min_sdk: buf.read()?,
223 max_sdk: buf.read()?,
224 signatures: buf.read()?,
225 public_key: buf.read()?,
226 })
227 }
228 }
229
230 impl ReadFromBytes for SignedData {
read_from_bytes(buf: &mut Bytes) -> Result<Self>231 fn read_from_bytes(buf: &mut Bytes) -> Result<Self> {
232 Ok(Self {
233 digests: buf.read()?,
234 certificates: buf.read()?,
235 min_sdk: buf.read()?,
236 max_sdk: buf.read()?,
237 additional_attributes: buf.read()?,
238 })
239 }
240 }
241
242 impl ReadFromBytes for Signature {
read_from_bytes(buf: &mut Bytes) -> Result<Self>243 fn read_from_bytes(buf: &mut Bytes) -> Result<Self> {
244 Ok(Signature { signature_algorithm_id: buf.read()?, signature: buf.read()? })
245 }
246 }
247
248 impl ReadFromBytes for Digest {
read_from_bytes(buf: &mut Bytes) -> Result<Self>249 fn read_from_bytes(buf: &mut Bytes) -> Result<Self> {
250 Ok(Self { signature_algorithm_id: buf.read()?, digest: buf.read()? })
251 }
252 }
253
254 impl ReadFromBytes for PKey<pkey::Public> {
read_from_bytes(buf: &mut Bytes) -> Result<Self>255 fn read_from_bytes(buf: &mut Bytes) -> Result<Self> {
256 let raw_public_key = buf.read::<LengthPrefixed<Bytes>>()?;
257 Ok(PKey::public_key_from_der(raw_public_key.as_ref())?)
258 }
259 }
260