| /* |
| * Copyright 2016, The Android Open Source Project |
| * |
| * Licensed under the Apache License, Version 2.0 (the "License"); |
| * you may not use this file except in compliance with the License. |
| * You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
| package com.android.managedprovisioning.task; |
| |
| import static com.android.internal.util.Preconditions.checkNotNull; |
| |
| import android.content.Context; |
| import android.content.pm.PackageInfo; |
| import android.content.pm.PackageManager; |
| import android.content.pm.Signature; |
| import android.text.TextUtils; |
| |
| import com.android.internal.annotations.VisibleForTesting; |
| import com.android.managedprovisioning.common.ProvisionLogger; |
| import com.android.managedprovisioning.R; |
| import com.android.managedprovisioning.common.StoreUtils; |
| import com.android.managedprovisioning.common.Utils; |
| import com.android.managedprovisioning.model.PackageDownloadInfo; |
| import com.android.managedprovisioning.model.ProvisioningParams; |
| |
| import java.util.Arrays; |
| import java.util.LinkedList; |
| import java.util.List; |
| |
| /** |
| * Verifies the management app apk downloaded previously in {@link DownloadPackageTask}. |
| * |
| * <p>The first check verifies that a {@link android.app.admin.DeviceAdminReceiver} is present in |
| * the apk and that it corresponds to the one provided via |
| * {@link ProvisioningParams#deviceAdminComponentName}.</p> |
| * |
| * <p>The second check verifies that the package or signature checksum matches the ones given via |
| * {@link PackageDownloadInfo#packageChecksum} or {@link PackageDownloadInfo#signatureChecksum} |
| * respectively. The package checksum takes priority in case both are present.</p> |
| */ |
| public class VerifyPackageTask extends AbstractProvisioningTask { |
| public static final int ERROR_HASH_MISMATCH = 0; |
| public static final int ERROR_DEVICE_ADMIN_MISSING = 1; |
| |
| private final Utils mUtils; |
| private final DownloadPackageTask mDownloadPackageTask; |
| private final PackageManager mPackageManager; |
| private final PackageDownloadInfo mDownloadInfo; |
| |
| public VerifyPackageTask( |
| DownloadPackageTask downloadPackageTask, |
| Context context, |
| ProvisioningParams params, |
| Callback callback) { |
| this(new Utils(), downloadPackageTask, context, params, callback); |
| } |
| |
| @VisibleForTesting |
| VerifyPackageTask( |
| Utils utils, |
| DownloadPackageTask downloadPackageTask, |
| Context context, |
| ProvisioningParams params, |
| Callback callback) { |
| super(context, params, callback); |
| |
| mUtils = checkNotNull(utils); |
| mDownloadPackageTask = checkNotNull(downloadPackageTask); |
| mPackageManager = mContext.getPackageManager(); |
| mDownloadInfo = checkNotNull(params.deviceAdminDownloadInfo); |
| } |
| |
| @Override |
| public void run(int userId) { |
| final String downloadLocation = mDownloadPackageTask.getDownloadedPackageLocation(); |
| if (TextUtils.isEmpty(downloadLocation)) { |
| ProvisionLogger.logw("VerifyPackageTask invoked, but download location is null"); |
| success(); |
| return; |
| } |
| |
| PackageInfo packageInfo = mPackageManager.getPackageArchiveInfo(downloadLocation, |
| PackageManager.GET_SIGNATURES | PackageManager.GET_RECEIVERS); |
| if (mUtils.findDeviceAdminInPackage(mProvisioningParams.inferDeviceAdminPackageName(), |
| packageInfo) == null) { |
| error(ERROR_DEVICE_ADMIN_MISSING); |
| return; |
| } |
| |
| if (mDownloadInfo.packageChecksum.length > 0) { |
| if (!doesPackageHashMatch(downloadLocation, mDownloadInfo.packageChecksum, |
| mDownloadInfo.packageChecksumSupportsSha1)) { |
| error(ERROR_HASH_MISMATCH); |
| return; |
| } |
| } else { |
| if (!doesASignatureHashMatch(packageInfo, mDownloadInfo.signatureChecksum)) { |
| error(ERROR_HASH_MISMATCH); |
| return; |
| } |
| } |
| |
| success(); |
| } |
| |
| @Override |
| public int getStatusMsgId() { |
| return R.string.progress_install; |
| } |
| |
| private List<byte[]> computeHashesOfAllSignatures(Signature[] signatures) { |
| if (signatures == null) { |
| return null; |
| } |
| |
| List<byte[]> hashes = new LinkedList<>(); |
| for (Signature signature : signatures) { |
| byte[] hash = mUtils.computeHashOfByteArray(signature.toByteArray()); |
| hashes.add(hash); |
| } |
| return hashes; |
| } |
| |
| private boolean doesASignatureHashMatch(PackageInfo packageInfo, byte[] signatureChecksum) { |
| // Check whether a signature hash of downloaded apk matches the hash given in constructor. |
| ProvisionLogger.logd("Checking " + Utils.SHA256_TYPE |
| + "-hashes of all signatures of downloaded package."); |
| List<byte[]> sigHashes = computeHashesOfAllSignatures(packageInfo.signatures); |
| if (sigHashes == null || sigHashes.isEmpty()) { |
| ProvisionLogger.loge("Downloaded package does not have any signatures."); |
| return false; |
| } |
| |
| for (byte[] sigHash : sigHashes) { |
| if (Arrays.equals(sigHash, signatureChecksum)) { |
| return true; |
| } |
| } |
| |
| ProvisionLogger.loge("Provided hash does not match any signature hash."); |
| ProvisionLogger.loge("Hash provided by programmer: " |
| + StoreUtils.byteArrayToString(signatureChecksum)); |
| ProvisionLogger.loge("Hashes computed from package signatures: "); |
| for (byte[] sigHash : sigHashes) { |
| if (sigHash != null) { |
| ProvisionLogger.loge(StoreUtils.byteArrayToString(sigHash)); |
| } |
| } |
| |
| return false; |
| } |
| |
| /** |
| * Check whether package hash of downloaded file matches the hash given in PackageDownloadInfo. |
| * By default, SHA-256 is used to verify the file hash. |
| * If mPackageDownloadInfo.packageChecksumSupportsSha1 == true, SHA-1 hash is also supported for |
| * backwards compatibility. |
| */ |
| private boolean doesPackageHashMatch(String downloadLocation, byte[] packageChecksum, |
| boolean supportsSha1) { |
| byte[] packageSha256Hash, packageSha1Hash = null; |
| |
| ProvisionLogger.logd("Checking file hash of entire apk file."); |
| packageSha256Hash = mUtils.computeHashOfFile(downloadLocation, Utils.SHA256_TYPE); |
| if (Arrays.equals(packageChecksum, packageSha256Hash)) { |
| return true; |
| } |
| |
| // Fall back to SHA-1 |
| if (supportsSha1) { |
| packageSha1Hash = mUtils.computeHashOfFile(downloadLocation, Utils.SHA1_TYPE); |
| if (Arrays.equals(packageChecksum, packageSha1Hash)) { |
| return true; |
| } |
| } |
| |
| ProvisionLogger.loge("Provided hash does not match file hash."); |
| ProvisionLogger.loge("Hash provided by programmer: " |
| + StoreUtils.byteArrayToString(packageChecksum)); |
| if (packageSha256Hash != null) { |
| ProvisionLogger.loge("SHA-256 Hash computed from file: " |
| + StoreUtils.byteArrayToString(packageSha256Hash)); |
| } |
| if (packageSha1Hash != null) { |
| ProvisionLogger.loge("SHA-1 Hash computed from file: " |
| + StoreUtils.byteArrayToString(packageSha1Hash)); |
| } |
| return false; |
| } |
| } |