History log of /frameworks/base/core/java/android/util/apk/ApkSigningBlockUtils.java
Revision Date Author Comments
8d1553b9b1be06100ce4f4cc4c8c5088b48995a2 21-Apr-2018 Victor Hsieh <victorhsieh@google.com> Verify best signature algorithms of all signers

The previous implementation does not verify signature algorithms of all
signers. It's possible that the attacker can take an old apk (with
digest and signature of old algorithm) and add their own signer block
with new/P digest and signature. In this case, the old implementation
only verifies the attacker's signature, thus the attacker can change apk
content easily.

The solution here is to verify digests of all best signature algorithms
by all signers.

It is expected to increase verification time if the apk does have
multiple signers with different types of digests.

Test: apks still install
Bug: 78359754
Change-Id: I607edf219c25a2a7adfa27a21a94e9bfefbb6cec
Merged-In: I607edf219c25a2a7adfa27a21a94e9bfefbb6cec
(cherry picked from commit 2f2ced93e3176d71dbd23e7f71a3d78b6dc09830)
/frameworks/base/core/java/android/util/apk/ApkSigningBlockUtils.java
4ba1eeaa0e0468131da08a5c5f461361cac79ff1 02-Mar-2018 Victor Hsieh <victorhsieh@google.com> Verify the content length in the verity digest

When generating the digest for verity, for the last incomplete 4k chunk, the
data is padded with 0s. This implies that we cannot tell from the
digest whether the file contains 0s or not, or how many 0s.

Since the verity hash is used by the kernel, the definition cannot be
changed. Instead, the actual hashed content length is appended to the
original digest and is verified before use.

Also uprev algorithm IDs.

Test: use new apksigner to sign an apk, apk can be installed on device
Bug: 30972906
Change-Id: I382af6e4090c7dc3f92d5acb5ac5d02d1f496992
/frameworks/base/core/java/android/util/apk/ApkSigningBlockUtils.java
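A simplified model of the verity content digest this commit describes, added here as an illustration and not code from the Android project or apksig: the last 4k chunk is zero-padded, so the root hash alone cannot distinguish trailing zeros, while the appended length does. The tree construction and the 8-byte little-endian length encoding are assumptions about the format, not the platform's implementation.

```python
import hashlib
import hmac
import struct

CHUNK_SIZE = 4096   # verity hashes the file in 4k chunks
HASH_SIZE = 32      # SHA-256 output length

def _pad_to_chunks(b: bytes) -> bytes:
    """Zero-pad to a whole number of chunks (this is what hides trailing zeros)."""
    return b + b"\x00" * (-len(b) % CHUNK_SIZE)

def verity_root_hash(data: bytes) -> bytes:
    """Simplified Merkle root (assumed model): hash padded 4k chunks, then keep
    hashing 4k blocks of concatenated hashes until one block remains."""
    if not data:
        raise ValueError("empty content")
    padded = _pad_to_chunks(data)
    level = [hashlib.sha256(padded[i:i + CHUNK_SIZE]).digest()
             for i in range(0, len(padded), CHUNK_SIZE)]
    while True:
        joined = _pad_to_chunks(b"".join(level))
        if len(joined) == CHUNK_SIZE:
            return hashlib.sha256(joined).digest()
        level = [hashlib.sha256(joined[i:i + CHUNK_SIZE]).digest()
                 for i in range(0, len(joined), CHUNK_SIZE)]

def verity_content_digest(data: bytes) -> bytes:
    """Root hash followed by the hashed content length (8-byte LE, assumed encoding)."""
    return verity_root_hash(data) + struct.pack("<Q", len(data))

def verify_verity_digest(data: bytes, expected: bytes) -> bool:
    """Check the length field before comparing the root hash, as the commit describes."""
    if len(expected) != HASH_SIZE + 8:
        return False
    expected_root = expected[:HASH_SIZE]
    (expected_len,) = struct.unpack("<Q", expected[HASH_SIZE:])
    if expected_len != len(data):
        return False
    return hmac.compare_digest(verity_root_hash(data), expected_root)

if __name__ == "__main__":
    # Constructed sample: the same bytes with and without trailing zeros.
    original = b"A" * 100
    with_zeros = original + b"\x00" * 5
    print(verity_root_hash(original) == verity_root_hash(with_zeros))        # True
    print(verify_verity_digest(with_zeros, verity_content_digest(original)))  # False
```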
3a0032f30fe34e1f70d67f12af87a7c960ad8110 21-Feb-2018 Victor Hsieh <victorhsieh@google.com> Change verity hash algorithm to pad the last chunk

As a result, all existing cases take a complete chunk for hashing.

Also bump the version number.

Test: without also bumping the version, apk with 0x401 hash won't install
Test: apk with 0x411 hash installs
Bug: 30972906
Change-Id: I48c15c886ac6eab4512f1b2b9744b07e746c6211
/frameworks/base/core/java/android/util/apk/ApkSigningBlockUtils.java
07bc80c51b1c099bd1ac5f3056ae739778753af1 12-Jan-2018 Victor Hsieh <victorhsieh@google.com> ApkSignatureVerifier: expose verity interfaces

Test: the verity install request goes through to installd
Bug: 30972906
Change-Id: I3683d6483880291200cd963b7aa4da81c8097724
/frameworks/base/core/java/android/util/apk/ApkSigningBlockUtils.java
4acad4c01406c50902733e7a70503c06f0d54dbb 04-Jan-2018 Victor Hsieh <victorhsieh@google.com> Support 4k chunk based signature algorithms

This change makes the APK signature verifier accept the 4k-based signature
algorithms.

Test: build, install apk with such algorithm by apksig
Bug: 30972906

Change-Id: I90f32a6779f258605668e44f0d66f53e6890cfa7
/frameworks/base/core/java/android/util/apk/ApkSigningBlockUtils.java
67096e08a72beea85979a3aa9fc5b376b2c2b5ad 28-Dec-2017 Daniel Cashman <dcashman@google.com> Add APK Signature Scheme v3.

Add ApkSignatureSchemeV3Verifier to enable APKs to be signed with
the new signature scheme. Update the ApkSignatureVerifier to process
the results, but only pass on what's needed for the existing interface.

In the process, move the ApkSignatureSchemeV2 code into a common
area for use by any scheme that makes use of the APK Signature Block.

The primary purpose of APK Signature Scheme v3 is to enable applications
to rotate their signing key. This is accomplished by augmenting APK
Signature Scheme v2 to also include a new Proof-of-rotation struct, which
is fundamentally a singly linked list where each of the APK's signing
certificates is included in order, along with a signature over the next
certificate. Thus, each certificate contains proof that the private key
corresponding to the previous one blessed it. This provides evidence to
the platform that the new signing certificate should be as trusted as
the previously trusted one. This structure also includes some flags for
each certificate to indicate to the platform how the APK itself would
like to interact with/trust the old certificates.

Bug: 64686581
Test: Builds, boots, passes
android.appsecurity.cts.PkgInstallSignatureVerificationTest
Change-Id: I0f98ff13950af78f5d9b269f80d13af8891f7a2d
/frameworks/base/core/java/android/util/apk/ApkSigningBlockUtils.java