| author | Victor Hsieh <victorhsieh@google.com> | 2018-01-20 10:30:12 -0800 |
|---|---|---|
| committer | Victor Hsieh <victorhsieh@google.com> | 2018-01-24 16:30:55 -0800 |
| commit | 5f76124551aa6582bb82034f8423b9d84f633d70 (patch) | |
| tree | 308775d5b408e67c1405f238868faa6d66f316ce /core/java/android/util | |
| parent | d93a795945076ef407542bb6945832e3024ce3d7 (diff) | |
Skip priv app full apk verification if has verify
When ro.apk_verity.mode is on, full apk verification is only skipped if
the apk already has verity enabled in the file system, and if the apk
contains the Merkle tree root hash we need.
Since the configuration in the file system is duplicated from the apk
(including the offset and size of Signing Block and the Merkle tree),
in order to prevent an offline attacker from changing it, we need to
measure the observed configuration and make sure it matches the kernel's
view.
Test: observed package manager's request to installd (only) for updated
priv apps.
Bug: 30972906
Change-Id: I33531a3f6148232b777ea8bfd02f13700649e317
Diffstat (limited to 'core/java/android/util')
3 files changed, 49 insertions, 0 deletions
diff --git a/core/java/android/util/apk/ApkSignatureSchemeV2Verifier.java b/core/java/android/util/apk/ApkSignatureSchemeV2Verifier.java
index 5a09dab552e3..62222b5764e7 100644
--- a/core/java/android/util/apk/ApkSignatureSchemeV2Verifier.java
+++ b/core/java/android/util/apk/ApkSignatureSchemeV2Verifier.java
@@ -412,6 +412,20 @@ public class ApkSignatureSchemeV2Verifier {
 }
 }
 
+ static byte[] generateFsverityRootHash(String apkPath)
+ throws IOException, SignatureNotFoundException, DigestException,
+ NoSuchAlgorithmException {
+ try (RandomAccessFile apk = new RandomAccessFile(apkPath, "r")) {
+ SignatureInfo signatureInfo = findSignature(apk);
+ VerifiedSigner vSigner = verify(apk, false);
+ if (vSigner.verityRootHash == null) {
+ return null;
+ }
+ return ApkVerityBuilder.generateFsverityRootHash(
+ apk, ByteBuffer.wrap(vSigner.verityRootHash), signatureInfo);
+ }
+ }
+
 private static boolean isSupportedSignatureAlgorithm(int sigAlgorithm) {
 switch (sigAlgorithm) {
 case SIGNATURE_RSA_PSS_WITH_SHA256:
diff --git a/core/java/android/util/apk/ApkSignatureSchemeV3Verifier.java b/core/java/android/util/apk/ApkSignatureSchemeV3Verifier.java
index 1b04eb2f7d44..ee6fc072765f 100644
--- a/core/java/android/util/apk/ApkSignatureSchemeV3Verifier.java
+++ b/core/java/android/util/apk/ApkSignatureSchemeV3Verifier.java
@@ -523,6 +523,20 @@ public class ApkSignatureSchemeV3Verifier {
 }
 }
 
+ static byte[] generateFsverityRootHash(String apkPath)
+ throws NoSuchAlgorithmException, DigestException, IOException,
+ SignatureNotFoundException {
+ try (RandomAccessFile apk = new RandomAccessFile(apkPath, "r")) {
+ SignatureInfo signatureInfo = findSignature(apk);
+ VerifiedSigner vSigner = verify(apk, false);
+ if (vSigner.verityRootHash == null) {
+ return null;
+ }
+ return ApkVerityBuilder.generateFsverityRootHash(
+ apk, ByteBuffer.wrap(vSigner.verityRootHash), signatureInfo);
+ }
+ }
+
 private static boolean isSupportedSignatureAlgorithm(int sigAlgorithm) {
 switch (sigAlgorithm) {
 case SIGNATURE_RSA_PSS_WITH_SHA256:
diff --git a/core/java/android/util/apk/ApkSignatureVerifier.java b/core/java/android/util/apk/ApkSignatureVerifier.java
index 87943725ba21..de9f55b09200 100644
--- a/core/java/android/util/apk/ApkSignatureVerifier.java
+++ b/core/java/android/util/apk/ApkSignatureVerifier.java
@@ -427,6 +427,27 @@ public class ApkSignatureVerifier {
 }
 
 /**
+ * Generates the FSVerity root hash from FSVerity header, extensions and Merkle tree root hash
+ * in Signing Block.
+ *
+ * @return FSverity root hash
+ */
+ public static byte[] generateFsverityRootHash(String apkPath)
+ throws NoSuchAlgorithmException, DigestException, IOException {
+ // first try v3
+ try {
+ return ApkSignatureSchemeV3Verifier.generateFsverityRootHash(apkPath);
+ } catch (SignatureNotFoundException e) {
+ // try older version
+ }
+ try {
+ return ApkSignatureSchemeV2Verifier.generateFsverityRootHash(apkPath);
+ } catch (SignatureNotFoundException e) {
+ return null;
+ }
+ }
+
+ /**
 * Result of a successful APK verification operation.
 */
 public static class Result { |
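Review bot: The bare `false` in `verify(apk, false)` is unexplained in `ApkSignatureSchemeV3Verifier.generateFsverityRootHash`, and the identical method added to `ApkSignatureSchemeV2Verifier` in the preceding hunk has the same gap. `verify`'s declaration is outside the hunk; if the flag turns off the content-digest check, as the commit message suggests, the returned hash comes from a signing block that was authenticated but never compared with the file's bytes, so it is only meaningful once the caller matches it against the kernel's fs-verity measurement. I would say so at the call, e.g. `// Integrity check intentionally skipped; the caller must compare the result with the kernel's fs-verity measurement.`, and add a Javadoc line stating that `null` means the signer carries no verity root hash. `findSignature(apk)` also runs separately from `verify`, so the `SignatureInfo` handed to `ApkVerityBuilder` may come from a second parse rather than the one `verify` authenticated; if an overload of `verify` accepts an already-located `SignatureInfo`, passing `signatureInfo` to it would tie the two together.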
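Review bot: The Javadoc's `@return FSverity root hash` on `ApkSignatureVerifier.generateFsverityRootHash` omits that this public method returns `null` in two different situations: neither a v3 nor a v2 signature is found, or a signature is found but its signer has no verity root hash (the per-scheme methods return `null` for that). Per the commit message the result decides whether full APK verification may be skipped, so callers need to be told that `null` means "do not skip". I would write `@return FSverity root hash, or {@code null} if the APK has no v2/v3 signature or the signer carries no verity root hash; callers must then fall back to full verification`, and add an `@param apkPath` line. If the per-scheme `verify` calls can throw an unchecked exception on a bad signature (not visible in this hunk), that deserves a `@throws` entry as well, since nothing here catches it.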
