Snap for 8426163 from 9fe47730c4f32b233986dbb55fe5a70dbe480d0e to mainline-tzdata2-release
Change-Id: I403cd810c2b453874d7da1e1d9ac9070efb6468e
diff --git a/Android.bp b/Android.bp
index 09cddbf..ec57fb3 100644
--- a/Android.bp
+++ b/Android.bp
@@ -16,23 +16,6 @@
// apksig library, for signing APKs and verifying signatures of APKs
// ============================================================
-package {
- default_applicable_licenses: ["tools_apksig_license"],
-}
-
-// Added automatically by a large-scale-change
-// http://go/android-license-faq
-license {
- name: "tools_apksig_license",
- visibility: [":__subpackages__"],
- license_kinds: [
- "SPDX-license-identifier-Apache-2.0",
- ],
- license_text: [
- "LICENSE",
- ],
-}
-
java_library_host {
name: "apksig",
srcs: [
@@ -53,6 +36,6 @@
"apksig",
"conscrypt-unbundled",
],
- jni_libs: ["libconscrypt_openjdk_jni"],
+ required: ["libconscrypt_openjdk_jni"],
java_version: "1.8",
}
diff --git a/build.gradle b/build.gradle
index 4c05a77..12c0d32 100644
--- a/build.gradle
+++ b/build.gradle
@@ -21,7 +21,6 @@
dependencies {
implementation 'com.google.protobuf:protobuf-javalite:3.8.0'
testImplementation 'junit:junit:4.13'
- testImplementation 'org.bouncycastle:bcprov-jdk15on:1.68'
}
protobuf {
diff --git a/src/apksigner/java/com/android/apksigner/ApkSignerTool.java b/src/apksigner/java/com/android/apksigner/ApkSignerTool.java
index 9fd0c34..c7cb660 100644
--- a/src/apksigner/java/com/android/apksigner/ApkSignerTool.java
+++ b/src/apksigner/java/com/android/apksigner/ApkSignerTool.java
@@ -25,6 +25,8 @@
import com.android.apksig.util.DataSource;
import com.android.apksig.util.DataSources;
+import org.conscrypt.OpenSSLProvider;
+
import java.io.BufferedReader;
import java.io.File;
import java.io.IOException;
@@ -78,9 +80,7 @@
return;
}
- // BEGIN-AOSP
addProviders();
- // END-AOSP
String cmd = params[0];
try {
@@ -113,20 +113,18 @@
}
}
- // BEGIN-AOSP
/**
* Adds additional security providers to add support for signature algorithms not covered by
* the default providers.
*/
private static void addProviders() {
try {
- Security.addProvider(new org.conscrypt.OpenSSLProvider());
+ Security.addProvider(new OpenSSLProvider());
} catch (UnsatisfiedLinkError e) {
// This is expected if the library path does not include the native conscrypt library;
// the default providers support all but PSS algorithms.
}
}
- // END-AOSP
private static void sign(String[] params) throws Exception {
if (params.length == 0) {
@@ -159,8 +157,6 @@
String optionOriginalForm = null;
boolean v4SigningFlagFound = false;
boolean sourceStampFlagFound = false;
- boolean deterministicDsaSigning = false;
- boolean otherSignersSignaturesPreserved = false;
while ((optionName = optionsParser.nextOption()) != null) {
optionOriginalForm = optionsParser.getOptionOriginalForm();
if (("help".equals(optionName)) || ("h".equals(optionName))) {
@@ -261,10 +257,6 @@
File stampLineageFile = new File(
optionsParser.getRequiredValue("Stamp Lineage File"));
sourceStampLineage = getLineageFromInputFile(stampLineageFile);
- } else if ("deterministic-dsa-signing".equals(optionName)) {
- deterministicDsaSigning = optionsParser.getOptionalBooleanValue(false);
- } else if ("append-signature".equals(optionName)) {
- otherSignersSignaturesPreserved = optionsParser.getOptionalBooleanValue(true);
} else {
throw new ParameterException(
"Unsupported option: " + optionOriginalForm + ". See --help for supported"
@@ -321,8 +313,7 @@
for (SignerParams signer : signers) {
signerNumber++;
signer.setName("signer #" + signerNumber);
- ApkSigner.SignerConfig signerConfig = getSignerConfig(signer, passwordRetriever,
- deterministicDsaSigning);
+ ApkSigner.SignerConfig signerConfig = getSignerConfig(signer, passwordRetriever);
if (signerConfig == null) {
return;
}
@@ -331,8 +322,7 @@
if (sourceStampFlagFound) {
sourceStampSignerParams.setName("stamp signer");
sourceStampSignerConfig =
- getSignerConfig(sourceStampSignerParams, passwordRetriever,
- deterministicDsaSigning);
+ getSignerConfig(sourceStampSignerParams, passwordRetriever);
if (sourceStampSignerConfig == null) {
return;
}
@@ -353,7 +343,7 @@
new ApkSigner.Builder(signerConfigs)
.setInputApk(inputApk)
.setOutputApk(tmpOutputApk)
- .setOtherSignersSignaturesPreserved(otherSignersSignaturesPreserved)
+ .setOtherSignersSignaturesPreserved(false)
.setV1SigningEnabled(v1SigningEnabled)
.setV2SigningEnabled(v2SigningEnabled)
.setV3SigningEnabled(v3SigningEnabled)
@@ -399,8 +389,8 @@
}
}
- private static ApkSigner.SignerConfig getSignerConfig(SignerParams signer,
- PasswordRetriever passwordRetriever, boolean deterministicDsaSigning) {
+ private static ApkSigner.SignerConfig getSignerConfig(
+ SignerParams signer, PasswordRetriever passwordRetriever) {
try {
signer.loadPrivateKeyAndCerts(passwordRetriever);
} catch (ParameterException e) {
@@ -432,8 +422,7 @@
}
ApkSigner.SignerConfig signerConfig =
new ApkSigner.SignerConfig.Builder(
- v1SigBasename, signer.getPrivateKey(), signer.getCerts(),
- deterministicDsaSigning)
+ v1SigBasename, signer.getPrivateKey(), signer.getCerts())
.build();
return signerConfig;
}
@@ -1102,19 +1091,10 @@
}
Provider provider;
if (constructorParam != null) {
- try {
- // Single-arg Provider constructor
- provider =
- (Provider) providerClass.getConstructor(String.class)
- .newInstance(constructorParam);
- } catch (NoSuchMethodException e) {
- // Starting from JDK 9 the single-arg constructor accepting the configuration
- // has been replaced by a configure(String) method to be invoked after
- // instantiating the Provider with the no-arg constructor.
- provider = (Provider) providerClass.getConstructor().newInstance();
- provider = (Provider) providerClass.getMethod("configure", String.class)
- .invoke(provider, constructorParam);
- }
+ // Single-arg Provider constructor
+ provider =
+ (Provider) providerClass.getConstructor(String.class)
+ .newInstance(constructorParam);
} else {
// No-arg Provider constructor
provider = (Provider) providerClass.getConstructor().newInstance();
diff --git a/src/apksigner/java/com/android/apksigner/SignerParams.java b/src/apksigner/java/com/android/apksigner/SignerParams.java
index 515cd41..8c8b550 100644
--- a/src/apksigner/java/com/android/apksigner/SignerParams.java
+++ b/src/apksigner/java/com/android/apksigner/SignerParams.java
@@ -209,19 +209,10 @@
}
Provider ksProvider;
if (keystoreProviderArg != null) {
- try {
- // Single-arg Provider constructor
- ksProvider =
- (Provider) ksProviderClass.getConstructor(String.class)
- .newInstance(keystoreProviderArg);
- } catch (NoSuchMethodException e) {
- // Starting from JDK 9 the single-arg constructor accepting the configuration
- // has been replaced by a configure(String) method to be invoked after
- // instantiating the Provider with the no-arg constructor.
- ksProvider = (Provider) ksProviderClass.getConstructor().newInstance();
- ksProvider = (Provider) ksProviderClass.getMethod("configure",
- String.class).invoke(ksProvider, keystoreProviderArg);
- }
+ // Single-arg Provider constructor
+ ksProvider =
+ (Provider) ksProviderClass.getConstructor(String.class)
+ .newInstance(keystoreProviderArg);
} else {
// No-arg Provider constructor
ksProvider = (Provider) ksProviderClass.getConstructor().newInstance();
diff --git a/src/apksigner/java/com/android/apksigner/help_sign.txt b/src/apksigner/java/com/android/apksigner/help_sign.txt
index d66b7a3..1285810 100644
--- a/src/apksigner/java/com/android/apksigner/help_sign.txt
+++ b/src/apksigner/java/com/android/apksigner/help_sign.txt
@@ -90,18 +90,6 @@
can also be specified; the lineage will then be read from
the signed data in the APK.
---deterministic-dsa-signing When signing with the DSA signature algorithm,
- whether to use the deterministic version as specified in
- RFC 6979.
-
---append-signature Appends the current signature to any signatures that
- already exist within the APK. This option can be used
- when an APK is signed by multiple independent signers to
- allow each to add their own signature without needing to
- share their private key. This option can also be used to
- preserve existing key / value blocks that exist within the
- APK signing block.
-
-h, --help Show help about this command and exit
diff --git a/src/main/java/com/android/apksig/ApkSigner.java b/src/main/java/com/android/apksig/ApkSigner.java
index ca792c4..d4da569 100644
--- a/src/main/java/com/android/apksig/ApkSigner.java
+++ b/src/main/java/com/android/apksig/ApkSigner.java
@@ -284,8 +284,7 @@
new DefaultApkSignerEngine.SignerConfig.Builder(
signerConfig.getName(),
signerConfig.getPrivateKey(),
- signerConfig.getCertificates(),
- signerConfig.getDeterministicDsaSigning())
+ signerConfig.getCertificates())
.build());
}
DefaultApkSignerEngine.Builder signerEngineBuilder =
@@ -305,8 +304,7 @@
new DefaultApkSignerEngine.SignerConfig.Builder(
mSourceStampSignerConfig.getName(),
mSourceStampSignerConfig.getPrivateKey(),
- mSourceStampSignerConfig.getCertificates(),
- mSourceStampSignerConfig.getDeterministicDsaSigning())
+ mSourceStampSignerConfig.getCertificates())
.build());
}
if (mSourceStampSigningCertificateLineage != null) {
@@ -512,28 +510,6 @@
}
}
- // Step 7.5. Generate pinlist.meta file if necessary.
- // This has to be before the step 8 so that the file is signed.
- if (pinByteRanges != null) {
- // Covers JAR signature and zip central dir entry.
- // The signature files don't have to be pinned, but pinning them isn't that wasteful
- // since the total size is small.
- pinByteRanges.add(new Hints.ByteRange(outputOffset, Long.MAX_VALUE));
- String entryName = Hints.PIN_BYTE_RANGE_ZIP_ENTRY_NAME;
- byte[] uncompressedData = Hints.encodeByteRangeList(pinByteRanges);
-
- requestOutputEntryInspection(signerEngine, entryName, uncompressedData);
- outputOffset +=
- outputDataToOutputApk(
- entryName,
- uncompressedData,
- outputOffset,
- outputCdRecords,
- lastModifiedTimeForNewEntries,
- lastModifiedDateForNewEntries,
- outputApkOut);
- }
-
// Step 8. Generate and output JAR signatures, if necessary. This may output more Local File
// Header + data entries and add to the list of output Central Directory records.
ApkSignerEngine.OutputJarSignatureRequest outputJarSignatureRequest =
@@ -544,7 +520,15 @@
String entryName = entry.getName();
byte[] uncompressedData = entry.getData();
- requestOutputEntryInspection(signerEngine, entryName, uncompressedData);
+ ApkSignerEngine.InspectJarEntryRequest inspectEntryRequest =
+ signerEngine.outputJarEntry(entryName);
+ if (inspectEntryRequest != null) {
+ inspectEntryRequest
+ .getDataSink()
+ .consume(uncompressedData, 0, uncompressedData.length);
+ inspectEntryRequest.done();
+ }
+
outputOffset +=
outputDataToOutputApk(
entryName,
@@ -558,6 +542,21 @@
outputJarSignatureRequest.done();
}
+ if (pinByteRanges != null) {
+ pinByteRanges.add(new Hints.ByteRange(outputOffset, Long.MAX_VALUE)); // central dir
+ String entryName = Hints.PIN_BYTE_RANGE_ZIP_ENTRY_NAME;
+ byte[] uncompressedData = Hints.encodeByteRangeList(pinByteRanges);
+ outputOffset +=
+ outputDataToOutputApk(
+ entryName,
+ uncompressedData,
+ outputOffset,
+ outputCdRecords,
+ lastModifiedTimeForNewEntries,
+ lastModifiedDateForNewEntries,
+ outputApkOut);
+ }
+
// Step 9. Construct output ZIP Central Directory in an in-memory buffer
long outputCentralDirSizeBytes = 0;
for (CentralDirectoryRecord record : outputCdRecords) {
@@ -617,20 +616,6 @@
}
}
- private static void requestOutputEntryInspection(
- ApkSignerEngine signerEngine,
- String entryName,
- byte[] uncompressedData)
- throws IOException {
- ApkSignerEngine.InspectJarEntryRequest inspectEntryRequest =
- signerEngine.outputJarEntry(entryName);
- if (inspectEntryRequest != null) {
- inspectEntryRequest.getDataSink().consume(
- uncompressedData, 0, uncompressedData.length);
- inspectEntryRequest.done();
- }
- }
-
private static long outputDataToOutputApk(
String entryName,
byte[] uncompressedData,
@@ -969,18 +954,14 @@
private final String mName;
private final PrivateKey mPrivateKey;
private final List<X509Certificate> mCertificates;
- private boolean mDeterministicDsaSigning;
private SignerConfig(
- String name,
- PrivateKey privateKey,
- List<X509Certificate> certificates,
- boolean deterministicDsaSigning) {
+ String name, PrivateKey privateKey, List<X509Certificate> certificates) {
mName = name;
mPrivateKey = privateKey;
mCertificates = Collections.unmodifiableList(new ArrayList<>(certificates));
- mDeterministicDsaSigning = deterministicDsaSigning;
}
+
/** Returns the name of this signer. */
public String getName() {
return mName;
@@ -999,20 +980,11 @@
return mCertificates;
}
-
- /**
- * If this signer is a DSA signer, whether or not the signing is done deterministically.
- */
- public boolean getDeterministicDsaSigning() {
- return mDeterministicDsaSigning;
- }
-
/** Builder of {@link SignerConfig} instances. */
public static class Builder {
private final String mName;
private final PrivateKey mPrivateKey;
private final List<X509Certificate> mCertificates;
- private final boolean mDeterministicDsaSigning;
/**
* Constructs a new {@code Builder}.
@@ -1023,36 +995,13 @@
* @param certificates list of one or more X.509 certificates. The subject public key of
* the first certificate must correspond to the {@code privateKey}.
*/
- public Builder(
- String name,
- PrivateKey privateKey,
- List<X509Certificate> certificates) {
- this(name, privateKey, certificates, false);
- }
-
- /**
- * Constructs a new {@code Builder}.
- *
- * @param name signer's name. The name is reflected in the name of files comprising the
- * JAR signature of the APK.
- * @param privateKey signing key
- * @param certificates list of one or more X.509 certificates. The subject public key of
- * the first certificate must correspond to the {@code privateKey}.
- * @param deterministicDsaSigning When signing using DSA, whether or not the
- * deterministic variant (RFC6979) should be used.
- */
- public Builder(
- String name,
- PrivateKey privateKey,
- List<X509Certificate> certificates,
- boolean deterministicDsaSigning) {
+ public Builder(String name, PrivateKey privateKey, List<X509Certificate> certificates) {
if (name.isEmpty()) {
throw new IllegalArgumentException("Empty name");
}
mName = name;
mPrivateKey = privateKey;
mCertificates = new ArrayList<>(certificates);
- mDeterministicDsaSigning = deterministicDsaSigning;
}
/**
@@ -1060,8 +1009,7 @@
* this builder.
*/
public SignerConfig build() {
- return new SignerConfig(mName, mPrivateKey, mCertificates,
- mDeterministicDsaSigning);
+ return new SignerConfig(mName, mPrivateKey, mCertificates);
}
}
}
diff --git a/src/main/java/com/android/apksig/DefaultApkSignerEngine.java b/src/main/java/com/android/apksig/DefaultApkSignerEngine.java
index e2256da..90f2a6d 100644
--- a/src/main/java/com/android/apksig/DefaultApkSignerEngine.java
+++ b/src/main/java/com/android/apksig/DefaultApkSignerEngine.java
@@ -18,7 +18,6 @@
import static com.android.apksig.apk.ApkUtils.SOURCE_STAMP_CERTIFICATE_HASH_ZIP_ENTRY_NAME;
import static com.android.apksig.apk.ApkUtils.computeSha256DigestBytes;
-import static com.android.apksig.internal.apk.ApkSigningBlockUtils.VERITY_PADDING_BLOCK_ID;
import static com.android.apksig.internal.apk.ApkSigningBlockUtils.VERSION_APK_SIGNATURE_SCHEME_V2;
import static com.android.apksig.internal.apk.ApkSigningBlockUtils.VERSION_APK_SIGNATURE_SCHEME_V3;
import static com.android.apksig.internal.apk.ApkSigningBlockUtils.VERSION_JAR_SIGNATURE_SCHEME;
@@ -65,7 +64,6 @@
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
-import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
@@ -105,9 +103,6 @@
private final int mMinSdkVersion;
private final SigningCertificateLineage mSigningCertificateLineage;
- private List<byte[]> mPreservedV2Signers = Collections.emptyList();
- private List<Pair<byte[], Integer>> mPreservedSignatureBlocks = Collections.emptyList();
-
private List<V1SchemeSigner.SignerConfig> mV1SignerConfigs = Collections.emptyList();
private DigestAlgorithm mV1ContentDigestAlgorithm;
@@ -164,21 +159,6 @@
private RunnablesExecutor mExecutor = RunnablesExecutor.MULTI_THREADED;
- /**
- * A Set of block IDs to be discarded when requesting to preserve the original signatures.
- */
- private static final Set<Integer> DISCARDED_SIGNATURE_BLOCK_IDS;
- static {
- DISCARDED_SIGNATURE_BLOCK_IDS = new HashSet<>(3);
- // The verity padding block is recomputed on an
- // ApkSigningBlockUtils.ANDROID_COMMON_PAGE_ALIGNMENT_BYTES boundary.
- DISCARDED_SIGNATURE_BLOCK_IDS.add(VERITY_PADDING_BLOCK_ID);
- // The source stamp block is not currently preserved; appending a new signature scheme
- // block will invalidate the previous source stamp.
- DISCARDED_SIGNATURE_BLOCK_IDS.add(Constants.V1_SOURCE_STAMP_BLOCK_ID);
- DISCARDED_SIGNATURE_BLOCK_IDS.add(Constants.V2_SOURCE_STAMP_BLOCK_ID);
- }
-
private DefaultApkSignerEngine(
List<SignerConfig> signerConfigs,
SignerConfig sourceStampSignerConfig,
@@ -196,6 +176,10 @@
if (signerConfigs.isEmpty()) {
throw new IllegalArgumentException("At least one signer config must be provided");
}
+ if (otherSignersSignaturesPreserved) {
+ throw new UnsupportedOperationException(
+ "Preserving other signer's signatures is not yet implemented");
+ }
mV1SigningEnabled = v1SigningEnabled;
mV2SigningEnabled = v2SigningEnabled;
@@ -271,7 +255,6 @@
v1SignerConfig.privateKey = signerConfig.getPrivateKey();
v1SignerConfig.certificates = certificates;
v1SignerConfig.signatureDigestAlgorithm = v1SignatureDigestAlgorithm;
- v1SignerConfig.deterministicDsaSigning = signerConfig.getDeterministicDsaSigning();
// For digesting contents of APK entries and of MANIFEST.MF, pick the algorithm
// of comparable strength to the digest algorithm used for computing the signature.
// When there are multiple signers, pick the strongest digest algorithm out of their
@@ -458,8 +441,7 @@
V2SchemeSigner.getSuggestedSignatureAlgorithms(
publicKey,
mMinSdkVersion,
- apkSigningBlockPaddingSupported && mVerityEnabled,
- signerConfig.getDeterministicDsaSigning());
+ apkSigningBlockPaddingSupported && mVerityEnabled);
break;
case ApkSigningBlockUtils.VERSION_APK_SIGNATURE_SCHEME_V3:
try {
@@ -467,8 +449,7 @@
V3SchemeSigner.getSuggestedSignatureAlgorithms(
publicKey,
mMinSdkVersion,
- apkSigningBlockPaddingSupported && mVerityEnabled,
- signerConfig.getDeterministicDsaSigning());
+ apkSigningBlockPaddingSupported && mVerityEnabled);
} catch (InvalidKeyException e) {
// It is possible for a signer used for v1/v2 signing to not be allowed for use
@@ -482,8 +463,7 @@
try {
newSignerConfig.signatureAlgorithms =
V4SchemeSigner.getSuggestedSignatureAlgorithms(
- publicKey, mMinSdkVersion, apkSigningBlockPaddingSupported,
- signerConfig.getDeterministicDsaSigning());
+ publicKey, mMinSdkVersion, apkSigningBlockPaddingSupported);
} catch (InvalidKeyException e) {
// V4 is an optional signing schema, ok to proceed without.
newSignerConfig.signatureAlgorithms = null;
@@ -522,9 +502,9 @@
@Override
@SuppressWarnings("AndroidJdkLibsChecker")
public Set<String> initWith(byte[] manifestBytes, Set<String> entryNames) {
- V1SchemeVerifier.Result result = new V1SchemeVerifier.Result();
+ V1SchemeVerifier.Result dummyResult = new V1SchemeVerifier.Result();
Pair<ManifestParser.Section, Map<String, ManifestParser.Section>> sections =
- V1SchemeVerifier.parseManifest(manifestBytes, entryNames, result);
+ V1SchemeVerifier.parseManifest(manifestBytes, entryNames, dummyResult);
String alg = V1SchemeSigner.getJcaMessageDigestAlgorithm(mV1ContentDigestAlgorithm);
for (Map.Entry<String, ManifestParser.Section> entry : sections.getSecond().entrySet()) {
String entryName = entry.getKey();
@@ -563,92 +543,11 @@
}
if (mOtherSignersSignaturesPreserved) {
- boolean schemeSignatureBlockPreserved = false;
- mPreservedSignatureBlocks = new ArrayList<>();
- try {
- List<Pair<byte[], Integer>> signatureBlocks =
- ApkSigningBlockUtils.getApkSignatureBlocks(apkSigningBlock);
- for (Pair<byte[], Integer> signatureBlock : signatureBlocks) {
- if (signatureBlock.getSecond() == Constants.APK_SIGNATURE_SCHEME_V2_BLOCK_ID) {
- // If a V2 signature block is found and the engine is configured to use V2
- // then save any of the previous signers that are not part of the current
- // signing request.
- if (mV2SigningEnabled) {
- List<Pair<List<X509Certificate>, byte[]>> v2Signers =
- ApkSigningBlockUtils.getApkSignatureBlockSigners(
- signatureBlock.getFirst());
- mPreservedV2Signers = new ArrayList<>(v2Signers.size());
- for (Pair<List<X509Certificate>, byte[]> v2Signer : v2Signers) {
- if (!isConfiguredWithSigner(v2Signer.getFirst())) {
- mPreservedV2Signers.add(v2Signer.getSecond());
- schemeSignatureBlockPreserved = true;
- }
- }
- } else {
- // else V2 signing is not enabled; save the entire signature block to be
- // added to the final APK signing block.
- mPreservedSignatureBlocks.add(signatureBlock);
- schemeSignatureBlockPreserved = true;
- }
- } else if (signatureBlock.getSecond()
- == Constants.APK_SIGNATURE_SCHEME_V3_BLOCK_ID) {
- // Preserving other signers in the presence of a V3 signature block is only
- // supported if the engine is configured to resign the APK with the V3
- // signature scheme, and the V3 signer in the signature block is the same
- // as the engine is configured to use.
- if (!mV3SigningEnabled) {
- throw new IllegalStateException(
- "Preserving an existing V3 signature is not supported");
- }
- List<Pair<List<X509Certificate>, byte[]>> v3Signers =
- ApkSigningBlockUtils.getApkSignatureBlockSigners(
- signatureBlock.getFirst());
- if (v3Signers.size() > 1) {
- throw new IllegalArgumentException(
- "The provided APK signing block contains " + v3Signers.size()
- + " V3 signers; the V3 signature scheme only supports"
- + " one signer");
- }
- // If there is only a single V3 signer then ensure it is the signer
- // configured to sign the APK.
- if (v3Signers.size() == 1
- && !isConfiguredWithSigner(v3Signers.get(0).getFirst())) {
- throw new IllegalStateException(
- "The V3 signature scheme only supports one signer; a request "
- + "was made to preserve the existing V3 signature, "
- + "but the engine is configured to sign with a "
- + "different signer");
- }
- } else if (!DISCARDED_SIGNATURE_BLOCK_IDS.contains(
- signatureBlock.getSecond())) {
- mPreservedSignatureBlocks.add(signatureBlock);
- }
- }
- } catch (ApkFormatException | CertificateException | IOException e) {
- throw new IllegalArgumentException("Unable to parse the provided signing block", e);
- }
- // Signature scheme V3+ only support a single signer; if the engine is configured to
- // sign with V3+ then ensure no scheme signature blocks have been preserved.
- if (mV3SigningEnabled && schemeSignatureBlockPreserved) {
- throw new IllegalStateException(
- "Signature scheme V3+ only supports a single signer and cannot be "
- + "appended to the existing signature scheme blocks");
- }
+ // TODO: Preserve blocks other than APK Signature Scheme v2 blocks of signers configured
+ // in this engine.
return;
}
- }
-
- /**
- * Returns whether the engine is configured to sign the APK with a signer using the specified
- * {@code signerCerts}.
- */
- private boolean isConfiguredWithSigner(List<X509Certificate> signerCerts) {
- for (SignerConfig signerConfig : mSignerConfigs) {
- if (signerCerts.containsAll(signerConfig.getCertificates())) {
- return true;
- }
- }
- return false;
+ // TODO: Preserve blocks other than APK Signature Scheme v2 blocks.
}
@Override
@@ -965,13 +864,6 @@
List<Pair<byte[], Integer>> signingSchemeBlocks = new ArrayList<>();
ApkSigningBlockUtils.SigningSchemeBlockAndDigests v2SigningSchemeBlockAndDigests = null;
ApkSigningBlockUtils.SigningSchemeBlockAndDigests v3SigningSchemeBlockAndDigests = null;
- // If the engine is configured to preserve previous signature blocks and any were found in
- // the existing APK signing block then add them to the list to be used to generate the
- // new APK signing block.
- if (mOtherSignersSignaturesPreserved && mPreservedSignatureBlocks != null
- && !mPreservedSignatureBlocks.isEmpty()) {
- signingSchemeBlocks.addAll(mPreservedSignatureBlocks);
- }
// create APK Signature Scheme V2 Signature if requested
if (mV2SigningEnabled) {
@@ -985,8 +877,7 @@
zipCentralDirectory,
eocd,
v2SignerConfigs,
- mV3SigningEnabled,
- mOtherSignersSignaturesPreserved ? mPreservedV2Signers : null);
+ mV3SigningEnabled);
signingSchemeBlocks.add(v2SigningSchemeBlockAndDigests.signingSchemeBlock);
}
if (mV3SigningEnabled) {
@@ -1531,15 +1422,12 @@
private final String mName;
private final PrivateKey mPrivateKey;
private final List<X509Certificate> mCertificates;
- private final boolean mDeterministicDsaSigning;
private SignerConfig(
- String name, PrivateKey privateKey, List<X509Certificate> certificates,
- boolean deterministicDsaSigning) {
+ String name, PrivateKey privateKey, List<X509Certificate> certificates) {
mName = name;
mPrivateKey = privateKey;
mCertificates = Collections.unmodifiableList(new ArrayList<>(certificates));
- mDeterministicDsaSigning = deterministicDsaSigning;
}
/** Returns the name of this signer. */
@@ -1560,19 +1448,11 @@
return mCertificates;
}
- /**
- * If this signer is a DSA signer, whether or not the signing is done deterministically.
- */
- public boolean getDeterministicDsaSigning() {
- return mDeterministicDsaSigning;
- }
-
/** Builder of {@link SignerConfig} instances. */
public static class Builder {
private final String mName;
private final PrivateKey mPrivateKey;
private final List<X509Certificate> mCertificates;
- private final boolean mDeterministicDsaSigning;
/**
* Constructs a new {@code Builder}.
@@ -1584,29 +1464,12 @@
* the first certificate must correspond to the {@code privateKey}.
*/
public Builder(String name, PrivateKey privateKey, List<X509Certificate> certificates) {
- this(name, privateKey, certificates, false);
- }
-
- /**
- * Constructs a new {@code Builder}.
- *
- * @param name signer's name. The name is reflected in the name of files comprising the
- * JAR signature of the APK.
- * @param privateKey signing key
- * @param certificates list of one or more X.509 certificates. The subject public key of
- * the first certificate must correspond to the {@code privateKey}.
- * @param deterministicDsaSigning When signing using DSA, whether or not the
- * deterministic signing algorithm variant (RFC6979) should be used.
- */
- public Builder(String name, PrivateKey privateKey, List<X509Certificate> certificates,
- boolean deterministicDsaSigning) {
if (name.isEmpty()) {
throw new IllegalArgumentException("Empty name");
}
mName = name;
mPrivateKey = privateKey;
mCertificates = new ArrayList<>(certificates);
- mDeterministicDsaSigning = deterministicDsaSigning;
}
/**
@@ -1614,8 +1477,7 @@
* this builder.
*/
public SignerConfig build() {
- return new SignerConfig(mName, mPrivateKey, mCertificates,
- mDeterministicDsaSigning);
+ return new SignerConfig(mName, mPrivateKey, mCertificates);
}
}
}
diff --git a/src/main/java/com/android/apksig/SigningCertificateLineage.java b/src/main/java/com/android/apksig/SigningCertificateLineage.java
index 6c505be..b8f1f8b 100644
--- a/src/main/java/com/android/apksig/SigningCertificateLineage.java
+++ b/src/main/java/com/android/apksig/SigningCertificateLineage.java
@@ -124,11 +124,6 @@
return signingCertificateLineage.spawnDescendant(parent, child, childCapabilities);
}
- public static SigningCertificateLineage readFromBytes(byte[] lineageBytes)
- throws IOException {
- return readFromDataSource(DataSources.asDataSource(ByteBuffer.wrap(lineageBytes)));
- }
-
public static SigningCertificateLineage readFromFile(File file)
throws IOException {
if (file == null) {
@@ -288,10 +283,6 @@
return result;
}
- public byte[] getBytes() {
- return write().array();
- }
-
public void writeToFile(File file) throws IOException {
if (file == null) {
throw new NullPointerException("file == null");
@@ -411,8 +402,7 @@
// TODO switch to one signature algorithm selection, or add support for multiple algorithms
List<SignatureAlgorithm> algorithms = V3SchemeSigner.getSuggestedSignatureAlgorithms(
- publicKey, mMinSdkVersion, false /* verityEnabled */,
- false /* deterministicDsaSigning */);
+ publicKey, mMinSdkVersion, false /* padding support */);
return algorithms.get(0);
}
diff --git a/src/main/java/com/android/apksig/apk/ApkUtils.java b/src/main/java/com/android/apksig/apk/ApkUtils.java
index 426f0be..69399a7 100644
--- a/src/main/java/com/android/apksig/apk/ApkUtils.java
+++ b/src/main/java/com/android/apksig/apk/ApkUtils.java
@@ -97,27 +97,6 @@
}
/**
- * Returns the APK Signing Block of the provided {@code apk}.
- *
- * @throws ApkFormatException if the APK is not a valid ZIP archive
- * @throws IOException if an I/O error occurs
- * @throws ApkSigningBlockNotFoundException if there is no APK Signing Block in the APK
- *
- * @see <a href="https://source.android.com/security/apksigning/v2.html">APK Signature Scheme v2
- * </a>
- */
- public static ApkSigningBlock findApkSigningBlock(DataSource apk)
- throws ApkFormatException, IOException, ApkSigningBlockNotFoundException {
- ApkUtils.ZipSections inputZipSections;
- try {
- inputZipSections = ApkUtils.findZipSections(apk);
- } catch (ZipFormatException e) {
- throw new ApkFormatException("Malformed APK: not a ZIP archive", e);
- }
- return findApkSigningBlock(apk, inputZipSections);
- }
-
- /**
* Returns the APK Signing Block of the provided APK.
*
* @throws IOException if an I/O error occurs
diff --git a/src/main/java/com/android/apksig/internal/apk/ApkSigningBlockUtils.java b/src/main/java/com/android/apksig/internal/apk/ApkSigningBlockUtils.java
index 61b7b00..e8f6fc0 100644
--- a/src/main/java/com/android/apksig/internal/apk/ApkSigningBlockUtils.java
+++ b/src/main/java/com/android/apksig/internal/apk/ApkSigningBlockUtils.java
@@ -39,10 +39,8 @@
import com.android.apksig.internal.pkcs7.SignerInfo;
import com.android.apksig.internal.util.ByteBufferDataSource;
import com.android.apksig.internal.util.ChainedDataSource;
-import com.android.apksig.internal.util.GuaranteedEncodedFormX509Certificate;
import com.android.apksig.internal.util.Pair;
import com.android.apksig.internal.util.VerityTreeBuilder;
-import com.android.apksig.internal.util.X509CertificateUtils;
import com.android.apksig.internal.x509.RSAPublicKey;
import com.android.apksig.internal.x509.SubjectPublicKeyInfo;
import com.android.apksig.internal.zip.ZipUtils;
@@ -67,7 +65,6 @@
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertificateEncodingException;
-import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.spec.AlgorithmParameterSpec;
import java.security.spec.InvalidKeySpecException;
@@ -94,7 +91,7 @@
0x41, 0x50, 0x4b, 0x20, 0x53, 0x69, 0x67, 0x20,
0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x20, 0x34, 0x32,
};
- public static final int VERITY_PADDING_BLOCK_ID = 0x42726577;
+ private static final int VERITY_PADDING_BLOCK_ID = 0x42726577;
private static final ContentDigestAlgorithm[] V4_CONTENT_DIGEST_ALGORITHMS =
{CHUNKED_SHA512, VERITY_CHUNKED_SHA256, CHUNKED_SHA256};
@@ -846,7 +843,7 @@
// uint64: size (excluding this field)
// uint32: ID
// (size - 4) bytes: value
- // (extra verity ID-value for padding to make block size a multiple of 4096 bytes)
+ // (extra dummy ID-value for padding to make block size a multiple of 4096 bytes)
// uint64: size (same as the one above)
// uint128: magic
@@ -880,6 +877,7 @@
long blockSizeFieldValue = resultSize - 8L;
result.putLong(blockSizeFieldValue);
+
for (Pair<byte[], Integer> schemeBlockPair : apkSignatureSchemeBlockPairs) {
byte[] apkSignatureSchemeBlock = schemeBlockPair.getFirst();
int apkSignatureSchemeId = schemeBlockPair.getSecond();
@@ -900,116 +898,6 @@
}
/**
- * Returns the individual APK signature blocks within the provided {@code apkSigningBlock} in a
- * {@code List} of {@code Pair} instances where the first element in the {@code Pair} is the
- * contents / value of the signature block and the second element is the ID of the block.
- *
- * @throws IOException if an error is encountered reading the provided {@code apkSigningBlock}
- */
- public static List<Pair<byte[], Integer>> getApkSignatureBlocks(
- DataSource apkSigningBlock) throws IOException {
- // FORMAT:
- // uint64: size (excluding this field)
- // repeated ID-value pairs:
- // uint64: size (excluding this field)
- // uint32: ID
- // (size - 4) bytes: value
- // (extra verity ID-value for padding to make block size a multiple of 4096 bytes)
- // uint64: size (same as the one above)
- // uint128: magic
- long apkSigningBlockSize = apkSigningBlock.size();
- if (apkSigningBlock.size() > Integer.MAX_VALUE || apkSigningBlockSize < 32) {
- throw new IllegalArgumentException(
- "APK signing block size out of range: " + apkSigningBlockSize);
- }
- // Remove the header and footer from the signing block to iterate over only the repeated
- // ID-value pairs.
- ByteBuffer apkSigningBlockBuffer = apkSigningBlock.getByteBuffer(8,
- (int) apkSigningBlock.size() - 32);
- apkSigningBlockBuffer.order(ByteOrder.LITTLE_ENDIAN);
- List<Pair<byte[], Integer>> signatureBlocks = new ArrayList<>();
- while (apkSigningBlockBuffer.hasRemaining()) {
- long blockLength = apkSigningBlockBuffer.getLong();
- if (blockLength > Integer.MAX_VALUE || blockLength < 4) {
- throw new IllegalArgumentException(
- "Block index " + (signatureBlocks.size() + 1) + " size out of range: "
- + blockLength);
- }
- int blockId = apkSigningBlockBuffer.getInt();
- // Since the block ID has already been read from the signature block read the next
- // blockLength - 4 bytes as the value.
- byte[] blockValue = new byte[(int) blockLength - 4];
- apkSigningBlockBuffer.get(blockValue);
- signatureBlocks.add(Pair.of(blockValue, blockId));
- }
- return signatureBlocks;
- }
-
- /**
- * Returns the individual APK signers within the provided {@code signatureBlock} in a {@code
- * List} of {@code Pair} instances where the first element is a {@code List} of {@link
- * X509Certificate}s and the second element is a byte array of the individual signer's block.
- *
- * <p>This method supports any signature block that adheres to the following format up to the
- * signing certificate(s):
- * <pre>
- * * length-prefixed sequence of length-prefixed signers
- * * length-prefixed signed data
- * * length-prefixed sequence of length-prefixed digests:
- * * uint32: signature algorithm ID
- * * length-prefixed bytes: digest of contents
- * * length-prefixed sequence of certificates:
- * * length-prefixed bytes: X.509 certificate (ASN.1 DER encoded).
- * </pre>
- *
- * <p>Note, this is a convenience method to obtain any signers from an existing signature block;
- * the signature of each signer will not be verified.
- *
- * @throws ApkFormatException if an error is encountered while parsing the provided {@code
- * signatureBlock}
- * @throws CertificateException if the signing certificate(s) within an individual signer block
- * cannot be parsed
- */
- public static List<Pair<List<X509Certificate>, byte[]>> getApkSignatureBlockSigners(
- byte[] signatureBlock) throws ApkFormatException, CertificateException {
- ByteBuffer signatureBlockBuffer = ByteBuffer.wrap(signatureBlock);
- signatureBlockBuffer.order(ByteOrder.LITTLE_ENDIAN);
- ByteBuffer signersBuffer = getLengthPrefixedSlice(signatureBlockBuffer);
- List<Pair<List<X509Certificate>, byte[]>> signers = new ArrayList<>();
- while (signersBuffer.hasRemaining()) {
- // Parse the next signer block, save all of its bytes for the resulting List, and
- // rewind the buffer to allow the signing certificate(s) to be parsed.
- ByteBuffer signer = getLengthPrefixedSlice(signersBuffer);
- byte[] signerBytes = new byte[signer.remaining()];
- signer.get(signerBytes);
- signer.rewind();
-
- ByteBuffer signedData = getLengthPrefixedSlice(signer);
- // The first length prefixed slice is the sequence of digests which are not required
- // when obtaining the signing certificate(s).
- getLengthPrefixedSlice(signedData);
- ByteBuffer certificatesBuffer = getLengthPrefixedSlice(signedData);
- List<X509Certificate> certificates = new ArrayList<>();
- while (certificatesBuffer.hasRemaining()) {
- int certLength = certificatesBuffer.getInt();
- byte[] certBytes = new byte[certLength];
- if (certLength > certificatesBuffer.remaining()) {
- throw new IllegalArgumentException(
- "Cert index " + (certificates.size() + 1) + " under signer index "
- + (signers.size() + 1) + " size out of range: " + certLength);
- }
- certificatesBuffer.get(certBytes);
- GuaranteedEncodedFormX509Certificate signerCert =
- new GuaranteedEncodedFormX509Certificate(
- X509CertificateUtils.generateCertificate(certBytes), certBytes);
- certificates.add(signerCert);
- }
- signers.add(Pair.of(certificates, signerBytes));
- }
- return signers;
- }
-
- /**
* Computes the digests of the given APK components according to the algorithms specified in the
* given SignerConfigs.
*
diff --git a/src/main/java/com/android/apksig/internal/apk/SignatureAlgorithm.java b/src/main/java/com/android/apksig/internal/apk/SignatureAlgorithm.java
index 804eb37..d54f1e0 100644
--- a/src/main/java/com/android/apksig/internal/apk/SignatureAlgorithm.java
+++ b/src/main/java/com/android/apksig/internal/apk/SignatureAlgorithm.java
@@ -102,18 +102,6 @@
AndroidSdkVersion.INITIAL_RELEASE),
/**
- * DSA with SHA2-256 digest, content digested using SHA2-256 in 1 MB chunks. Signing is done
- * deterministically according to RFC 6979.
- */
- DETDSA_WITH_SHA256(
- 0x0301,
- ContentDigestAlgorithm.CHUNKED_SHA256,
- "DSA",
- Pair.of("SHA256withDetDSA", null),
- AndroidSdkVersion.N,
- AndroidSdkVersion.INITIAL_RELEASE),
-
- /**
* RSASSA-PKCS1-v1_5 with SHA2-256 digest, content digested using SHA2-256 in 4 KB chunks, in
* the same way fsverity operates. This digest and the content length (before digestion, 8 bytes
* in little endian) construct the final digest.
diff --git a/src/main/java/com/android/apksig/internal/apk/stamp/SourceStampVerifier.java b/src/main/java/com/android/apksig/internal/apk/stamp/SourceStampVerifier.java
index 9cd7b1f..b4ae71a 100644
--- a/src/main/java/com/android/apksig/internal/apk/stamp/SourceStampVerifier.java
+++ b/src/main/java/com/android/apksig/internal/apk/stamp/SourceStampVerifier.java
@@ -26,6 +26,7 @@
import com.android.apksig.internal.apk.ApkSupportedSignature;
import com.android.apksig.internal.apk.NoApkSupportedSignaturesException;
import com.android.apksig.internal.apk.SignatureAlgorithm;
+import com.android.apksig.internal.apk.v3.V3SigningCertificateLineage;
import com.android.apksig.internal.util.ByteBufferUtils;
import com.android.apksig.internal.util.GuaranteedEncodedFormX509Certificate;
diff --git a/src/main/java/com/android/apksig/internal/apk/stamp/V2SourceStampVerifier.java b/src/main/java/com/android/apksig/internal/apk/stamp/V2SourceStampVerifier.java
index a215b98..5ba3618 100644
--- a/src/main/java/com/android/apksig/internal/apk/stamp/V2SourceStampVerifier.java
+++ b/src/main/java/com/android/apksig/internal/apk/stamp/V2SourceStampVerifier.java
@@ -148,12 +148,7 @@
apkContentDigests.entrySet()) {
digests.add(Pair.of(apkContentDigest.getKey().getId(), apkContentDigest.getValue()));
}
- Collections.sort(digests, new Comparator<Pair<Integer, byte[]>>() {
- @Override
- public int compare(Pair<Integer, byte[]> pair1, Pair<Integer, byte[]> pair2) {
- return pair1.getFirst() - pair2.getFirst();
- }
- });
+ Collections.sort(digests, Comparator.comparing(Pair::getFirst));
return digests;
}
}
diff --git a/src/main/java/com/android/apksig/internal/apk/v1/V1SchemeSigner.java b/src/main/java/com/android/apksig/internal/apk/v1/V1SchemeSigner.java
index 85301ca..6e9e0c3 100644
--- a/src/main/java/com/android/apksig/internal/apk/v1/V1SchemeSigner.java
+++ b/src/main/java/com/android/apksig/internal/apk/v1/V1SchemeSigner.java
@@ -89,11 +89,6 @@
* Digest algorithm used for the signature.
*/
public DigestAlgorithm signatureDigestAlgorithm;
-
- /**
- * If DSA is the signing algorithm, whether or not deterministic DSA signing should be used.
- */
- public boolean deterministicDsaSigning;
}
/** Hidden constructor to prevent instantiation. */
@@ -500,8 +495,7 @@
PublicKey publicKey = signingCert.getPublicKey();
DigestAlgorithm digestAlgorithm = signerConfig.signatureDigestAlgorithm;
Pair<String, AlgorithmIdentifier> signatureAlgs =
- getSignerInfoSignatureAlgorithm(publicKey, digestAlgorithm,
- signerConfig.deterministicDsaSigning);
+ getSignerInfoSignatureAlgorithm(publicKey, digestAlgorithm);
String jcaSignatureAlgorithm = signatureAlgs.getFirst();
// Generate the cryptographic signature of the signature file
diff --git a/src/main/java/com/android/apksig/internal/apk/v2/V2SchemeSigner.java b/src/main/java/com/android/apksig/internal/apk/v2/V2SchemeSigner.java
index b69b7d3..c870a9e 100644
--- a/src/main/java/com/android/apksig/internal/apk/v2/V2SchemeSigner.java
+++ b/src/main/java/com/android/apksig/internal/apk/v2/V2SchemeSigner.java
@@ -86,8 +86,7 @@
* Signature Scheme v2
*/
public static List<SignatureAlgorithm> getSuggestedSignatureAlgorithms(PublicKey signingKey,
- int minSdkVersion, boolean verityEnabled, boolean deterministicDsaSigning)
- throws InvalidKeyException {
+ int minSdkVersion, boolean verityEnabled) throws InvalidKeyException {
String keyAlgorithm = signingKey.getAlgorithm();
if ("RSA".equalsIgnoreCase(keyAlgorithm)) {
// Use RSASSA-PKCS1-v1_5 signature scheme instead of RSASSA-PSS to guarantee
@@ -112,10 +111,7 @@
} else if ("DSA".equalsIgnoreCase(keyAlgorithm)) {
// DSA is supported only with SHA-256.
List<SignatureAlgorithm> algorithms = new ArrayList<>();
- algorithms.add(
- deterministicDsaSigning ?
- SignatureAlgorithm.DETDSA_WITH_SHA256 :
- SignatureAlgorithm.DSA_WITH_SHA256);
+ algorithms.add(SignatureAlgorithm.DSA_WITH_SHA256);
if (verityEnabled) {
algorithms.add(SignatureAlgorithm.VERITY_DSA_WITH_SHA256);
}
@@ -142,27 +138,13 @@
}
public static ApkSigningBlockUtils.SigningSchemeBlockAndDigests
- generateApkSignatureSchemeV2Block(RunnablesExecutor executor,
- DataSource beforeCentralDir,
- DataSource centralDir,
- DataSource eocd,
- List<SignerConfig> signerConfigs,
- boolean v3SigningEnabled)
- throws IOException, InvalidKeyException, NoSuchAlgorithmException,
- SignatureException {
- return generateApkSignatureSchemeV2Block(executor, beforeCentralDir, centralDir, eocd,
- signerConfigs, v3SigningEnabled, null);
- }
-
- public static ApkSigningBlockUtils.SigningSchemeBlockAndDigests
generateApkSignatureSchemeV2Block(
RunnablesExecutor executor,
DataSource beforeCentralDir,
DataSource centralDir,
DataSource eocd,
List<SignerConfig> signerConfigs,
- boolean v3SigningEnabled,
- List<byte[]> preservedV2SignerBlocks)
+ boolean v3SigningEnabled)
throws IOException, InvalidKeyException, NoSuchAlgorithmException,
SignatureException {
Pair<List<SignerConfig>, Map<ContentDigestAlgorithm, byte[]>> digestInfo =
@@ -170,24 +152,19 @@
executor, beforeCentralDir, centralDir, eocd, signerConfigs);
return new ApkSigningBlockUtils.SigningSchemeBlockAndDigests(
generateApkSignatureSchemeV2Block(
- digestInfo.getFirst(), digestInfo.getSecond(), v3SigningEnabled,
- preservedV2SignerBlocks),
+ digestInfo.getFirst(), digestInfo.getSecond(), v3SigningEnabled),
digestInfo.getSecond());
}
private static Pair<byte[], Integer> generateApkSignatureSchemeV2Block(
List<SignerConfig> signerConfigs,
Map<ContentDigestAlgorithm, byte[]> contentDigests,
- boolean v3SigningEnabled,
- List<byte[]> preservedV2SignerBlocks)
+ boolean v3SigningEnabled)
throws NoSuchAlgorithmException, InvalidKeyException, SignatureException {
// FORMAT:
// * length-prefixed sequence of length-prefixed signer blocks.
List<byte[]> signerBlocks = new ArrayList<>(signerConfigs.size());
- if (preservedV2SignerBlocks != null && preservedV2SignerBlocks.size() > 0) {
- signerBlocks.addAll(preservedV2SignerBlocks);
- }
int signerNumber = 0;
for (SignerConfig signerConfig : signerConfigs) {
signerNumber++;
diff --git a/src/main/java/com/android/apksig/internal/apk/v3/V3SchemeSigner.java b/src/main/java/com/android/apksig/internal/apk/v3/V3SchemeSigner.java
index 04260d5..cab2a47 100644
--- a/src/main/java/com/android/apksig/internal/apk/v3/V3SchemeSigner.java
+++ b/src/main/java/com/android/apksig/internal/apk/v3/V3SchemeSigner.java
@@ -74,8 +74,7 @@
* Signature Scheme v3
*/
public static List<SignatureAlgorithm> getSuggestedSignatureAlgorithms(PublicKey signingKey,
- int minSdkVersion, boolean verityEnabled, boolean deterministicDsaSigning)
- throws InvalidKeyException {
+ int minSdkVersion, boolean verityEnabled) throws InvalidKeyException {
String keyAlgorithm = signingKey.getAlgorithm();
if ("RSA".equalsIgnoreCase(keyAlgorithm)) {
// Use RSASSA-PKCS1-v1_5 signature scheme instead of RSASSA-PSS to guarantee
@@ -100,10 +99,7 @@
} else if ("DSA".equalsIgnoreCase(keyAlgorithm)) {
// DSA is supported only with SHA-256.
List<SignatureAlgorithm> algorithms = new ArrayList<>();
- algorithms.add(
- deterministicDsaSigning ?
- SignatureAlgorithm.DETDSA_WITH_SHA256 :
- SignatureAlgorithm.DSA_WITH_SHA256);
+ algorithms.add(SignatureAlgorithm.DSA_WITH_SHA256);
if (verityEnabled) {
algorithms.add(SignatureAlgorithm.VERITY_DSA_WITH_SHA256);
}
diff --git a/src/main/java/com/android/apksig/internal/apk/v3/V3SigningCertificateLineage.java b/src/main/java/com/android/apksig/internal/apk/v3/V3SigningCertificateLineage.java
index 4ae7a53..e1e01a9 100644
--- a/src/main/java/com/android/apksig/internal/apk/v3/V3SigningCertificateLineage.java
+++ b/src/main/java/com/android/apksig/internal/apk/v3/V3SigningCertificateLineage.java
@@ -45,7 +45,6 @@
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
-import java.util.Objects;
/**
* APK Signer Lineage.
@@ -275,13 +274,6 @@
return true;
}
- @Override
- public int hashCode() {
- int result = Objects.hash(signingCert, parentSigAlgorithm, sigAlgorithm, flags);
- result = 31 * result + Arrays.hashCode(signature);
- return result;
- }
-
/**
* the signing cert for this node. This is part of the data signed by the parent node.
*/
diff --git a/src/main/java/com/android/apksig/internal/apk/v4/V4SchemeSigner.java b/src/main/java/com/android/apksig/internal/apk/v4/V4SchemeSigner.java
index 74aa629..1a1ad93 100644
--- a/src/main/java/com/android/apksig/internal/apk/v4/V4SchemeSigner.java
+++ b/src/main/java/com/android/apksig/internal/apk/v4/V4SchemeSigner.java
@@ -74,12 +74,11 @@
* Based on a public key, return a signing algorithm that supports verity.
*/
public static List<SignatureAlgorithm> getSuggestedSignatureAlgorithms(PublicKey signingKey,
- int minSdkVersion, boolean apkSigningBlockPaddingSupported,
- boolean deterministicDsaSigning)
+ int minSdkVersion, boolean apkSigningBlockPaddingSupported)
throws InvalidKeyException {
List<SignatureAlgorithm> algorithms = V3SchemeSigner.getSuggestedSignatureAlgorithms(
signingKey, minSdkVersion,
- apkSigningBlockPaddingSupported, deterministicDsaSigning);
+ apkSigningBlockPaddingSupported);
// Keeping only supported algorithms.
for (Iterator<SignatureAlgorithm> iter = algorithms.listIterator(); iter.hasNext(); ) {
final SignatureAlgorithm algorithm = iter.next();
@@ -171,7 +170,7 @@
final V4Signature.SigningInfo signingInfoNoSignature = new V4Signature.SigningInfo(apkDigest,
encodedCertificate, additionaData, publicKey.getEncoded(), -1, null);
- final byte[] data = V4Signature.getSignedData(fileSize, hashingInfo,
+ final byte[] data = V4Signature.getSigningData(fileSize, hashingInfo,
signingInfoNoSignature);
// Signing.
@@ -314,6 +313,8 @@
return bestDigest;
}
+ // Use the same order as in the ApkSignatureSchemeV3Verifier to make sure the digest
+ // verification in framework works.
public static int digestAlgorithmSortingOrder(ContentDigestAlgorithm contentDigestAlgorithm) {
switch (contentDigestAlgorithm) {
case CHUNKED_SHA256:
diff --git a/src/main/java/com/android/apksig/internal/apk/v4/V4SchemeVerifier.java b/src/main/java/com/android/apksig/internal/apk/v4/V4SchemeVerifier.java
index a6cd9db..0a8484b 100644
--- a/src/main/java/com/android/apksig/internal/apk/v4/V4SchemeVerifier.java
+++ b/src/main/java/com/android/apksig/internal/apk/v4/V4SchemeVerifier.java
@@ -93,7 +93,7 @@
V4Signature.SigningInfo signingInfo = V4Signature.SigningInfo.fromByteArray(
signature.signingInfo);
- final byte[] signedData = V4Signature.getSignedData(apk.size(), hashingInfo, signingInfo);
+ final byte[] signedData = V4Signature.getSigningData(apk.size(), hashingInfo, signingInfo);
// First, verify the signature over signedData.
ApkSigningBlockUtils.Result.SignerInfo signerInfo = parseAndVerifySignatureBlock(
diff --git a/src/main/java/com/android/apksig/internal/apk/v4/V4Signature.java b/src/main/java/com/android/apksig/internal/apk/v4/V4Signature.java
index deabe12..e36ed60 100644
--- a/src/main/java/com/android/apksig/internal/apk/v4/V4Signature.java
+++ b/src/main/java/com/android/apksig/internal/apk/v4/V4Signature.java
@@ -134,7 +134,7 @@
writeBytes(stream, this.signingInfo);
}
- static byte[] getSignedData(long fileSize, HashingInfo hashingInfo, SigningInfo signingInfo) {
+ static byte[] getSigningData(long fileSize, HashingInfo hashingInfo, SigningInfo signingInfo) {
final int size =
4/*size*/ + 8/*fileSize*/ + 4/*hash_algorithm*/ + 1/*log2_blocksize*/ + bytesSize(
hashingInfo.salt) + bytesSize(hashingInfo.rawRootHash) + bytesSize(
diff --git a/src/main/java/com/android/apksig/internal/pkcs7/AlgorithmIdentifier.java b/src/main/java/com/android/apksig/internal/pkcs7/AlgorithmIdentifier.java
index 4185dbc..c27c487 100644
--- a/src/main/java/com/android/apksig/internal/pkcs7/AlgorithmIdentifier.java
+++ b/src/main/java/com/android/apksig/internal/pkcs7/AlgorithmIdentifier.java
@@ -77,8 +77,7 @@
* when signing with the specified key and digest algorithm.
*/
public static Pair<String, AlgorithmIdentifier> getSignerInfoSignatureAlgorithm(
- PublicKey publicKey, DigestAlgorithm digestAlgorithm, boolean deterministicDsaSigning)
- throws InvalidKeyException {
+ PublicKey publicKey, DigestAlgorithm digestAlgorithm) throws InvalidKeyException {
String keyAlgorithm = publicKey.getAlgorithm();
String jcaDigestPrefixForSigAlg;
switch (digestAlgorithm) {
@@ -116,9 +115,7 @@
throw new IllegalArgumentException(
"Unexpected digest algorithm: " + digestAlgorithm);
}
- String signingAlgorithmName =
- jcaDigestPrefixForSigAlg + (deterministicDsaSigning ? "withDetDSA" : "withDSA");
- return Pair.of(signingAlgorithmName, sigAlgId);
+ return Pair.of(jcaDigestPrefixForSigAlg + "withDSA", sigAlgId);
} else if ("EC".equalsIgnoreCase(keyAlgorithm)) {
return Pair.of(
jcaDigestPrefixForSigAlg + "withECDSA",
diff --git a/src/main/java/com/android/apksig/internal/util/DelegatingX509Certificate.java b/src/main/java/com/android/apksig/internal/util/DelegatingX509Certificate.java
index 2a890f6..8f9e1fd 100644
--- a/src/main/java/com/android/apksig/internal/util/DelegatingX509Certificate.java
+++ b/src/main/java/com/android/apksig/internal/util/DelegatingX509Certificate.java
@@ -34,7 +34,6 @@
import java.util.Date;
import java.util.List;
import java.util.Set;
-
import javax.security.auth.x500.X500Principal;
/**
@@ -211,7 +210,6 @@
}
@Override
- @SuppressWarnings("AndroidJdkLibsChecker")
public void verify(PublicKey key, Provider sigProvider) throws CertificateException,
NoSuchAlgorithmException, InvalidKeyException, SignatureException {
mDelegate.verify(key, sigProvider);
diff --git a/src/test/java/com/android/apksig/ApkSignerTest.java b/src/test/java/com/android/apksig/ApkSignerTest.java
index d799201..40255a4 100644
--- a/src/test/java/com/android/apksig/ApkSignerTest.java
+++ b/src/test/java/com/android/apksig/ApkSignerTest.java
@@ -37,7 +37,6 @@
import com.android.apksig.internal.apk.v3.V3SchemeConstants;
import com.android.apksig.internal.asn1.Asn1BerParser;
import com.android.apksig.internal.util.AndroidSdkVersion;
-import com.android.apksig.internal.util.Pair;
import com.android.apksig.internal.util.Resources;
import com.android.apksig.internal.x509.RSAPublicKey;
import com.android.apksig.internal.x509.SubjectPublicKeyInfo;
@@ -47,9 +46,6 @@
import com.android.apksig.util.DataSources;
import com.android.apksig.zip.ZipFormatException;
-import java.util.zip.ZipEntry;
-import java.util.zip.ZipInputStream;
-import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.TemporaryFolder;
@@ -63,20 +59,14 @@
import java.math.BigInteger;
import java.nio.ByteBuffer;
import java.nio.file.Files;
-import java.nio.file.Paths;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
-import java.security.Security;
import java.security.SignatureException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
-import java.util.ArrayList;
-import java.util.Collection;
import java.util.Collections;
import java.util.List;
-import java.util.HashSet;
-import java.util.Set;
@RunWith(JUnit4.class)
public class ApkSignerTest {
@@ -93,8 +83,6 @@
private static final String SECOND_RSA_2048_SIGNER_RESOURCE_NAME = "rsa-2048_2";
private static final String THIRD_RSA_2048_SIGNER_RESOURCE_NAME = "rsa-2048_3";
- private static final String EC_P256_SIGNER_RESOURCE_NAME = "ec-p256";
-
// This is the same cert as above with the modulus reencoded to remove the leading 0 sign bit.
private static final String FIRST_RSA_2048_SIGNER_CERT_WITH_NEGATIVE_MODULUS =
"rsa-2048_negmod.x509.der";
@@ -102,11 +90,6 @@
private static final String LINEAGE_RSA_2048_2_SIGNERS_RESOURCE_NAME =
"rsa-2048-lineage-2-signers";
- // These are the ID and value of an extra signature block within the APK signing block that
- // can be preserved through the setOtherSignersSignaturesPreserved API.
- private final int EXTRA_BLOCK_ID = 0x7e57c0de;
- private final byte[] EXTRA_BLOCK_VALUE = {0, 1, 2, 3, 4, 5, 6, 7};
-
@Rule
public TemporaryFolder mTemporaryFolder = new TemporaryFolder();
@@ -382,15 +365,6 @@
.setV2SigningEnabled(true)
.setV3SigningEnabled(true)
.setVerityEnabled(true));
-
- signGolden(
- "pinsapp-unsigned.apk",
- new File(outDir, "golden-pinsapp-signed.apk"),
- new ApkSigner.Builder(rsa2048SignerConfig)
- .setV1SigningEnabled(true)
- .setV2SigningEnabled(true)
- .setV3SigningEnabled(true)
- .setVerityEnabled(true));
}
private static void signGolden(
@@ -731,53 +705,10 @@
verifyForMinSdkVersion(out, 20), Issue.JAR_SIG_UNSUPPORTED_SIG_ALG);
}
-
- @Test
- public void testDeterministicDsaSignedVerifies() throws Exception {
- Security.addProvider(new BouncyCastleProvider());
- try {
- List<ApkSigner.SignerConfig> signers =
- Collections.singletonList(getDeterministicDsaSignerConfigFromResources("dsa-2048"));
- String in = "original.apk";
-
- // Sign so that the APK is guaranteed to verify on API Level 1+
- File out = sign(in, new ApkSigner.Builder(signers).setMinSdkVersion(1));
- assertVerified(verifyForMinSdkVersion(out, 1));
-
- // Sign so that the APK is guaranteed to verify on API Level 21+
- out = sign(in, new ApkSigner.Builder(signers).setMinSdkVersion(21));
- assertVerified(verifyForMinSdkVersion(out, 21));
- // Does not verify on API Level 20 because DSA with SHA-256 not supported
- assertVerificationFailure(
- verifyForMinSdkVersion(out, 20), Issue.JAR_SIG_UNSUPPORTED_SIG_ALG);
- } finally {
- Security.removeProvider(BouncyCastleProvider.PROVIDER_NAME);
- }
- }
-
- @Test
- public void testDeterministicDsaSigningIsDeterministic() throws Exception {
- Security.addProvider(new BouncyCastleProvider());
- try {
- List<ApkSigner.SignerConfig> signers =
- Collections.singletonList(getDeterministicDsaSignerConfigFromResources("dsa-2048"));
- String in = "original.apk";
-
- ApkSigner.Builder apkSignerBuilder = new ApkSigner.Builder(signers).setMinSdkVersion(1);
- File first = sign(in, apkSignerBuilder);
- File second = sign(in, apkSignerBuilder);
-
- assertFileContentsEqual(first, second);
- } finally {
- Security.removeProvider(BouncyCastleProvider.PROVIDER_NAME);
- }
- }
-
@Test
public void testEcSignedVerifies() throws Exception {
List<ApkSigner.SignerConfig> signers =
- Collections.singletonList(
- getDefaultSignerConfigFromResources(EC_P256_SIGNER_RESOURCE_NAME));
+ Collections.singletonList(getDefaultSignerConfigFromResources("ec-p256"));
String in = "original.apk";
// NOTE: EC APK signatures are not supported prior to API Level 18
@@ -1318,293 +1249,6 @@
assertSourceStampVerified(signedApk, sourceStampVerificationResult);
}
- @Test
- public void testSignApk_Pinlist() throws Exception {
- List<ApkSigner.SignerConfig> rsa2048SignerConfig =
- Collections.singletonList(
- getDefaultSignerConfigFromResources(FIRST_RSA_2048_SIGNER_RESOURCE_NAME));
- assertGolden(
- "pinsapp-unsigned.apk",
- "golden-pinsapp-signed.apk",
- new ApkSigner.Builder(rsa2048SignerConfig)
- .setV1SigningEnabled(true)
- .setV2SigningEnabled(true)
- .setV3SigningEnabled(true)
- .setVerityEnabled(true));
- assertTrue("pinlist.meta file must be in the signed APK.",
- resourceZipFileContains("golden-pinsapp-signed.apk", "pinlist.meta"));
- }
-
- @Test
- public void testOtherSignersSignaturesPreserved_extraSigBlock_signatureAppended()
- throws Exception {
- // The DefaultApkSignerEngine contains support to append a signature to an existing
- // signing block; any existing signature blocks within the APK signing block should be
- // left intact except for the original verity padding block (since this is regenerated) and
- // the source stamp. This test verifies that an extra signature block is still in
- // the APK signing block after appending a V2 signature.
- List<ApkSigner.SignerConfig> ecP256SignerConfig = Collections.singletonList(
- getDefaultSignerConfigFromResources(EC_P256_SIGNER_RESOURCE_NAME));
-
- File signedApk = sign("v2-rsa-2048-with-extra-sig-block.apk",
- new ApkSigner.Builder(ecP256SignerConfig)
- .setV1SigningEnabled(false)
- .setV2SigningEnabled(true)
- .setV3SigningEnabled(false)
- .setV4SigningEnabled(false)
- .setOtherSignersSignaturesPreserved(true));
-
- ApkVerifier.Result result = verify(signedApk, null);
- assertVerified(result);
- assertResultContainsSigners(result, FIRST_RSA_2048_SIGNER_RESOURCE_NAME,
- EC_P256_SIGNER_RESOURCE_NAME);
- assertSigningBlockContains(signedApk, Pair.of(EXTRA_BLOCK_VALUE, EXTRA_BLOCK_ID));
- }
-
- @Test
- public void testOtherSignersSignaturesPreserved_v1Only_signatureAppended() throws Exception {
- // This test verifies appending an additional V1 signature to an existing V1 signer behaves
- // similar to jarsigner where the APK is then verified as signed by both signers.
- List<ApkSigner.SignerConfig> ecP256SignerConfig = Collections.singletonList(
- getDefaultSignerConfigFromResources(EC_P256_SIGNER_RESOURCE_NAME));
-
- File signedApk = sign("v1-only-with-rsa-2048.apk",
- new ApkSigner.Builder(ecP256SignerConfig)
- .setV1SigningEnabled(true)
- .setV2SigningEnabled(false)
- .setV3SigningEnabled(false)
- .setV4SigningEnabled(false)
- .setOtherSignersSignaturesPreserved(true));
-
- ApkVerifier.Result result = verify(signedApk, null);
- assertVerified(result);
- assertResultContainsSigners(result, FIRST_RSA_2048_SIGNER_RESOURCE_NAME,
- EC_P256_SIGNER_RESOURCE_NAME);
- }
-
- @Test
- public void testOtherSignersSignaturesPreserved_v3OnlyDifferentSigner_throwsException()
- throws Exception {
- // The V3 Signature Scheme only supports a single signer; if an attempt is made to append
- // a different signer to a V3 signature then an exception should be thrown.
- // The APK used for this test is signed with the ec-p256 signer so use the rsa-2048 to
- // attempt to append a different signature.
- List<ApkSigner.SignerConfig> rsa2048SignerConfig = Collections.singletonList(
- getDefaultSignerConfigFromResources(FIRST_RSA_2048_SIGNER_RESOURCE_NAME));
-
- assertThrows(IllegalStateException.class, () ->
- sign("v3-only-with-stamp.apk",
- new ApkSigner.Builder(rsa2048SignerConfig)
- .setV1SigningEnabled(false)
- .setV2SigningEnabled(false)
- .setV3SigningEnabled(true)
- .setV4SigningEnabled(false)
- .setOtherSignersSignaturesPreserved(true))
- );
- }
-
- @Test
- public void testOtherSignersSignaturesPreserved_v2OnlyAppendV2V3SameSigner_signatureAppended()
- throws Exception {
- // A V2 and V3 signature can be appended to an existing V2 signature if the same signer is
- // used to resign the APK; this could be used in a case where an APK was previously signed
- // with just the V2 signature scheme along with additional non-APK signing scheme signature
- // blocks and the signer wanted to preserve those existing blocks.
- List<ApkSigner.SignerConfig> rsa2048SignerConfig = Collections.singletonList(
- getDefaultSignerConfigFromResources(FIRST_RSA_2048_SIGNER_RESOURCE_NAME));
-
- File signedApk = sign("v2-rsa-2048-with-extra-sig-block.apk",
- new ApkSigner.Builder(rsa2048SignerConfig)
- .setV1SigningEnabled(false)
- .setV2SigningEnabled(true)
- .setV3SigningEnabled(true)
- .setV4SigningEnabled(false)
- .setOtherSignersSignaturesPreserved(true));
-
- ApkVerifier.Result result = verify(signedApk, null);
- assertVerified(result);
- assertResultContainsSigners(result, FIRST_RSA_2048_SIGNER_RESOURCE_NAME);
- assertSigningBlockContains(signedApk, Pair.of(EXTRA_BLOCK_VALUE, EXTRA_BLOCK_ID));
- }
-
- @Test
- public void testOtherSignersSignaturesPreserved_v2OnlyAppendV3SameSigner_throwsException()
- throws Exception {
- // A V3 only signature cannot be appended to an existing V2 signature, even when using the
- // same signer, since the V2 signature would then not contain the stripping protection for
- // the V3 signature. If the same signer is being used then the signer should be configured
- // to resign using the V2 signature scheme as well as the V3 signature scheme.
- List<ApkSigner.SignerConfig> rsa2048SignerConfig = Collections.singletonList(
- getDefaultSignerConfigFromResources(FIRST_RSA_2048_SIGNER_RESOURCE_NAME));
-
- assertThrows(IllegalStateException.class, () ->
- sign("v2-rsa-2048-with-extra-sig-block.apk",
- new ApkSigner.Builder(rsa2048SignerConfig)
- .setV1SigningEnabled(false)
- .setV2SigningEnabled(false)
- .setV3SigningEnabled(true)
- .setV4SigningEnabled(false)
- .setOtherSignersSignaturesPreserved(true)));
- }
-
- @Test
- public void testOtherSignersSignaturesPreserved_v1v2IndividuallySign_signaturesAppended()
- throws Exception {
- // One of the primary requirements for appending signatures is when an APK has already
- // released with two signers; with the minimum signature scheme v2 requirement for target
- // SDK version 30+ each signer must be able to append their signature to the existing
- // signature block. This test verifies an APK with appended signatures verifies as expected
- // after a series of appending V1 and V2 signatures.
- List<ApkSigner.SignerConfig> rsa2048SignerConfig = Collections.singletonList(
- getDefaultSignerConfigFromResources(FIRST_RSA_2048_SIGNER_RESOURCE_NAME));
- List<ApkSigner.SignerConfig> ecP256SignerConfig = Collections.singletonList(
- getDefaultSignerConfigFromResources(EC_P256_SIGNER_RESOURCE_NAME));
-
- // When two parties are signing an APK the first must sign with both V1 and V2; this will
- // write the stripping-protection attribute to the V1 signature.
- File signedApk = sign("original.apk",
- new ApkSigner.Builder(rsa2048SignerConfig)
- .setV1SigningEnabled(true)
- .setV2SigningEnabled(true)
- .setV3SigningEnabled(false)
- .setV4SigningEnabled(false));
-
- // The second party can then append their signature with both the V1 and V2 signature; this
- // will invalidate the V2 signature of the initial signer since the APK itself will be
- // modified with this signers V1 / jar signature.
- signedApk = sign(signedApk,
- new ApkSigner.Builder(ecP256SignerConfig)
- .setV1SigningEnabled(true)
- .setV2SigningEnabled(true)
- .setV3SigningEnabled(false)
- .setV4SigningEnabled(false)
- .setOtherSignersSignaturesPreserved(true));
-
- // The first party will then need to resign with just the V2 signature after its previous
- // signature was invalidated by the V1 signature of the second signer; however since this
- // signature is appended its previous V2 signature should be removed from the signature
- // block and replaced with this new signature while preserving the V2 signature of the
- // other signer.
- signedApk = sign(signedApk,
- new ApkSigner.Builder(rsa2048SignerConfig)
- .setV1SigningEnabled(false)
- .setV2SigningEnabled(true)
- .setV3SigningEnabled(false)
- .setV4SigningEnabled(false)
- .setOtherSignersSignaturesPreserved(true));
-
- ApkVerifier.Result result = verify(signedApk, null);
- assertVerified(result);
- assertResultContainsSigners(result, FIRST_RSA_2048_SIGNER_RESOURCE_NAME,
- EC_P256_SIGNER_RESOURCE_NAME);
- }
-
- /**
- * Asserts the provided {@code signedApk} contains a signature block with the expected
- * {@code byte[]} value and block ID as specified in the {@code expectedBlock}.
- */
- private static void assertSigningBlockContains(File signedApk,
- Pair<byte[], Integer> expectedBlock) throws Exception {
- try (RandomAccessFile apkFile = new RandomAccessFile(signedApk, "r")) {
- ApkUtils.ApkSigningBlock apkSigningBlock = ApkUtils.findApkSigningBlock(
- DataSources.asDataSource(apkFile));
- List<Pair<byte[], Integer>> signatureBlocks =
- ApkSigningBlockUtils.getApkSignatureBlocks(apkSigningBlock.getContents());
- for (Pair<byte[], Integer> signatureBlock : signatureBlocks) {
- if (signatureBlock.getSecond().equals(expectedBlock.getSecond())) {
- if (Arrays.equals(signatureBlock.getFirst(), expectedBlock.getFirst())) {
- return;
- }
- }
- }
- fail(String.format(
- "The APK signing block did not contain the expected block with ID %08x",
- expectedBlock.getSecond()));
- }
- }
-
- /**
- * Asserts the provided verification {@code result} contains the expected {@code signers} for
- * each scheme that was used to verify the APK's signature.
- */
- private static void assertResultContainsSigners(ApkVerifier.Result result, String... signers)
- throws Exception {
- // A result must be successfully verified before verifying any of the result's signers.
- assertTrue(result.isVerified());
-
- List<X509Certificate> expectedSigners = new ArrayList<>();
- for (String signer : signers) {
- ApkSigner.SignerConfig signerConfig = getDefaultSignerConfigFromResources(signer);
- expectedSigners.addAll(signerConfig.getCertificates());
- }
-
- if (result.isVerifiedUsingV1Scheme()) {
- Set<X509Certificate> v1Signers = new HashSet<>();
- for (ApkVerifier.Result.V1SchemeSignerInfo signer : result.getV1SchemeSigners()) {
- v1Signers.add(signer.getCertificate());
- }
- assertEquals(expectedSigners.size(), v1Signers.size());
- assertTrue("Expected V1 signers: " + getAllSubjectNamesFrom(expectedSigners)
- + ", actual V1 signers: " + getAllSubjectNamesFrom(v1Signers),
- v1Signers.containsAll(expectedSigners));
- }
-
- if (result.isVerifiedUsingV2Scheme()) {
- Set<X509Certificate> v2Signers = new HashSet<>();
- for (ApkVerifier.Result.V2SchemeSignerInfo signer : result.getV2SchemeSigners()) {
- v2Signers.add(signer.getCertificate());
- }
- assertEquals(expectedSigners.size(), v2Signers.size());
- assertTrue("Expected V2 signers: " + getAllSubjectNamesFrom(expectedSigners)
- + ", actual V2 signers: " + getAllSubjectNamesFrom(v2Signers),
- v2Signers.containsAll(expectedSigners));
- }
-
- if (result.isVerifiedUsingV3Scheme()) {
- Set<X509Certificate> v3Signers = new HashSet<>();
- for (ApkVerifier.Result.V3SchemeSignerInfo signer : result.getV3SchemeSigners()) {
- v3Signers.add(signer.getCertificate());
- }
- assertEquals(expectedSigners.size(), v3Signers.size());
- assertTrue("Expected V3 signers: " + getAllSubjectNamesFrom(expectedSigners)
- + ", actual V3 signers: " + getAllSubjectNamesFrom(v3Signers),
- v3Signers.containsAll(expectedSigners));
- }
- }
-
- /**
- * Returns a comma delimited {@code String} containing all of the Subject Names from the
- * provided {@code certificates}.
- */
- private static String getAllSubjectNamesFrom(Collection<X509Certificate> certificates) {
- StringBuilder result = new StringBuilder();
- for (X509Certificate certificate : certificates) {
- if (result.length() > 0) {
- result.append(", ");
- }
- result.append(certificate.getSubjectDN().getName());
- }
- return result.toString();
- }
-
- private static boolean resourceZipFileContains(String resourceName, String zipEntryName)
- throws IOException {
- ZipInputStream zip = new ZipInputStream(
- Resources.toInputStream(ApkSignerTest.class, resourceName));
- while (true) {
- ZipEntry entry = zip.getNextEntry();
- if (entry == null) {
- break;
- }
-
- if (entry.getName().equals(zipEntryName)) {
- return true;
- }
- }
-
- return false;
- }
-
private RSAPublicKey getRSAPublicKeyFromSigningBlock(File apk, int signatureVersionId)
throws Exception {
int signatureVersionBlockId;
@@ -1714,21 +1358,11 @@
}
}
- private File sign(File inApkFile, ApkSigner.Builder apkSignerBuilder) throws Exception {
- try (RandomAccessFile apkFile = new RandomAccessFile(inApkFile, "r")) {
- DataSource in = DataSources.asDataSource(apkFile);
- return sign(in, apkSignerBuilder);
- }
- }
-
- private File sign(String inResourceName, ApkSigner.Builder apkSignerBuilder) throws Exception {
+ private File sign(String inResourceName, ApkSigner.Builder apkSignerBuilder)
+ throws Exception {
DataSource in =
DataSources.asDataSource(
ByteBuffer.wrap(Resources.toByteArray(getClass(), inResourceName)));
- return sign(in, apkSignerBuilder);
- }
-
- private File sign(DataSource in, ApkSigner.Builder apkSignerBuilder) throws Exception {
File outFile = mTemporaryFolder.newFile();
apkSignerBuilder.setInputApk(in).setOutputApk(outFile);
@@ -1778,24 +1412,13 @@
ApkVerifierTest.assertVerificationFailure(result, expectedIssue);
}
- private void assertFileContentsEqual(File first, File second) throws IOException {
- assertArrayEquals(Files.readAllBytes(Paths.get(first.getPath())),
- Files.readAllBytes(Paths.get(second.getPath())));
- }
-
private static ApkSigner.SignerConfig getDefaultSignerConfigFromResources(
String keyNameInResources) throws Exception {
- return getDefaultSignerConfigFromResources(keyNameInResources, false);
- }
-
- private static ApkSigner.SignerConfig getDefaultSignerConfigFromResources(
- String keyNameInResources, boolean deterministicDsaSigning) throws Exception {
PrivateKey privateKey =
Resources.toPrivateKey(ApkSignerTest.class, keyNameInResources + ".pk8");
List<X509Certificate> certs =
Resources.toCertificateChain(ApkSignerTest.class, keyNameInResources + ".x509.pem");
- return new ApkSigner.SignerConfig.Builder(keyNameInResources, privateKey, certs,
- deterministicDsaSigning).build();
+ return new ApkSigner.SignerConfig.Builder(keyNameInResources, privateKey, certs).build();
}
private static ApkSigner.SignerConfig getDefaultSignerConfigFromResources(
@@ -1806,9 +1429,4 @@
Resources.toCertificateChain(ApkSignerTest.class, certNameInResources);
return new ApkSigner.SignerConfig.Builder(keyNameInResources, privateKey, certs).build();
}
-
- private static ApkSigner.SignerConfig getDeterministicDsaSignerConfigFromResources(
- String keyNameInResources) throws Exception {
- return getDefaultSignerConfigFromResources(keyNameInResources, true);
- }
}
diff --git a/src/test/java/com/android/apksig/SigningCertificateLineageTest.java b/src/test/java/com/android/apksig/SigningCertificateLineageTest.java
index d5dc71d..14cab83 100644
--- a/src/test/java/com/android/apksig/SigningCertificateLineageTest.java
+++ b/src/test/java/com/android/apksig/SigningCertificateLineageTest.java
@@ -90,23 +90,6 @@
}
@Test
- public void testLineageFromBytesContainsExpectedSigners() throws Exception {
- // This file contains the lineage with the three rsa-2048 signers
- DataSource lineageDataSource = Resources.toDataSource(getClass(),
- "rsa-2048-lineage-3-signers");
- SigningCertificateLineage lineage = SigningCertificateLineage.readFromBytes(
- lineageDataSource.getByteBuffer(0, (int) lineageDataSource.size()).array());
- List<SignerConfig> signers = new ArrayList<>(3);
- signers.add(
- Resources.toLineageSignerConfig(getClass(), FIRST_RSA_2048_SIGNER_RESOURCE_NAME));
- signers.add(
- Resources.toLineageSignerConfig(getClass(), SECOND_RSA_2048_SIGNER_RESOURCE_NAME));
- signers.add(
- Resources.toLineageSignerConfig(getClass(), THIRD_RSA_2048_SIGNER_RESOURCE_NAME));
- assertLineageContainsExpectedSigners(lineage, signers);
- }
-
- @Test
public void testLineageFromFileContainsExpectedSigners() throws Exception {
// This file contains the lineage with the three rsa-2048 signers
DataSource lineageDataSource = Resources.toDataSource(getClass(),
@@ -148,17 +131,6 @@
}
@Test
- public void testLineageWrittenToBytesContainsExpectedSigners() throws Exception {
- SigningCertificateLineage lineage = createLineageWithSignersFromResources(
- FIRST_RSA_2048_SIGNER_RESOURCE_NAME, SECOND_RSA_2048_SIGNER_RESOURCE_NAME);
- lineage = updateLineageWithSignerFromResources(lineage,
- THIRD_RSA_2048_SIGNER_RESOURCE_NAME);
- byte[] lineageBytes = lineage.getBytes();
- lineage = SigningCertificateLineage.readFromBytes(lineageBytes);
- assertLineageContainsExpectedSigners(lineage, mSigners);
- }
-
- @Test
public void testLineageWrittenToFileContainsExpectedSigners() throws Exception {
SigningCertificateLineage lineage = createLineageWithSignersFromResources(
FIRST_RSA_2048_SIGNER_RESOURCE_NAME, SECOND_RSA_2048_SIGNER_RESOURCE_NAME);
diff --git a/src/test/java/com/android/apksig/internal/util/VerityTreeBuilderTest.java b/src/test/java/com/android/apksig/internal/util/VerityTreeBuilderTest.java
index 8396d76..85e9e90 100644
--- a/src/test/java/com/android/apksig/internal/util/VerityTreeBuilderTest.java
+++ b/src/test/java/com/android/apksig/internal/util/VerityTreeBuilderTest.java
@@ -79,7 +79,7 @@
return DataSources.asDataSource(ByteBuffer.wrap(data.getBytes(UTF_8)));
}
- @Test public void generateVerityTreeRootHashFromPlaceholderDataSource() throws Exception {
+ @Test public void generateVerityTreeRootHashFromDummyDataSource() throws Exception {
// This sample was taken from src/test/resources/com/android/apksig/original.apk.
byte[] sampleEoCDFromDisk = new byte[] {
0x50, 0x4b, 0x05, 0x06, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x06, 0x00, 0x79, 0x01,
diff --git a/src/test/resources/com/android/apksig/golden-pinsapp-signed.apk b/src/test/resources/com/android/apksig/golden-pinsapp-signed.apk
deleted file mode 100644
index 43c39f1..0000000
--- a/src/test/resources/com/android/apksig/golden-pinsapp-signed.apk
+++ /dev/null
Binary files differ
diff --git a/src/test/resources/com/android/apksig/pinsapp-unsigned.apk b/src/test/resources/com/android/apksig/pinsapp-unsigned.apk
deleted file mode 100755
index b6a6e8f..0000000
--- a/src/test/resources/com/android/apksig/pinsapp-unsigned.apk
+++ /dev/null
Binary files differ
diff --git a/src/test/resources/com/android/apksig/v1-only-with-rsa-2048.apk b/src/test/resources/com/android/apksig/v1-only-with-rsa-2048.apk
deleted file mode 100644
index 61f4122..0000000
--- a/src/test/resources/com/android/apksig/v1-only-with-rsa-2048.apk
+++ /dev/null
Binary files differ
diff --git a/src/test/resources/com/android/apksig/v2-rsa-2048-with-extra-sig-block.apk b/src/test/resources/com/android/apksig/v2-rsa-2048-with-extra-sig-block.apk
deleted file mode 100644
index 94b54c9..0000000
--- a/src/test/resources/com/android/apksig/v2-rsa-2048-with-extra-sig-block.apk
+++ /dev/null
Binary files differ