Revert "[apkverify] Skip DSA SHA256 during apk verification"

This reverts commit c68b95b84d. Reason for revert: b/248068872 Test: atest libidsig.test Change-Id: Ib978f23954fe6d901b4806d230e3067c4572083f
2022-09-21 21:55:42 +00:00 · 2022-09-21 21:55:42 +00:00 · 3bae36ceec
parent be9493c894
commit 3bae36ceec
6 changed files with 40 additions and 15 deletions
--- a/libs/apkverify/src/algorithms.rs
+++ b/libs/apkverify/src/algorithms.rs
@ -97,6 +97,14 @@ impl SignatureAlgorithmID {
        &self,
        public_key: &'a PKey<pkey::Public>,
    ) -> Result<Verifier<'a>> {
+        ensure!(
+            !matches!(
+                self,
+                SignatureAlgorithmID::DsaWithSha256 | SignatureAlgorithmID::VerityDsaWithSha256
+            ),
+            "TODO(b/197052981): Algorithm '{:?}' is not implemented.",
+            self
+        );
        ensure!(public_key.id() == self.pkey_id(), "Public key has the wrong ID");
        let mut verifier = Verifier::new(self.new_message_digest(), public_key)?;
        if public_key.id() == pkey::Id::RSA {
@ -122,14 +130,6 @@ impl SignatureAlgorithmID {
        }
    }

-    /// DSA is not directly supported in openssl today. See b/197052981.
-    pub(crate) fn is_supported(&self) -> bool {
-        !matches!(
-            self,
-            SignatureAlgorithmID::DsaWithSha256 | SignatureAlgorithmID::VerityDsaWithSha256,
-        )
-    }
-
    fn pkey_id(&self) -> pkey::Id {
        match self {
            SignatureAlgorithmID::RsaPssWithSha256
--- a/libs/apkverify/src/v3.rs
+++ b/libs/apkverify/src/v3.rs
@ -139,7 +139,7 @@ impl Signer {
        Ok(self
            .signatures
            .iter()
-            .filter(|sig| sig.signature_algorithm_id.map_or(false, |algo| algo.is_supported()))
+            .filter(|sig| sig.signature_algorithm_id.is_some())
            .max_by_key(|sig| sig.signature_algorithm_id.unwrap().content_digest_algorithm())
            .context("No supported signatures found")?)
    }
--- a/libs/apkverify/tests/apkverify_test.rs
+++ b/libs/apkverify/tests/apkverify_test.rs
@ -40,11 +40,22 @@ fn apex_signed_with_v3_rsa_pkcs1_sha512_is_valid() {
 }

 #[test]
-fn apks_signed_with_v3_dsa_sha256_are_not_supported() {
+fn test_verify_v3_dsa_sha256() {
    for key_name in KEY_NAMES_DSA.iter() {
        let res = verify(format!("tests/data/v3-only-with-dsa-sha256-{}.apk", key_name));
-        assert!(res.is_err(), "DSA algorithm is not supported for verification. See b/197052981.");
-        assert_contains(&res.unwrap_err().to_string(), "No supported signatures found");
+        assert!(res.is_err());
+        assert_contains(&res.unwrap_err().to_string(), "not implemented");
+    }
+}
+
+/// TODO(b/197052981): DSA algorithm is not yet supported.
+#[test]
+fn apks_signed_with_v3_dsa_sha256_have_valid_apk_digest() {
+    for key_name in KEY_NAMES_DSA.iter() {
+        validate_apk_digest(
+            format!("tests/data/v3-only-with-dsa-sha256-{}.apk", key_name),
+            SignatureAlgorithmID::DsaWithSha256,
+        );
    }
 }

@ -91,6 +102,7 @@ fn apks_signed_with_v3_rsa_pkcs1_sha512_are_valid() {
 #[test]
 fn test_verify_v3_sig_does_not_verify() {
    let path_list = [
+        "tests/data/v3-only-with-dsa-sha256-2048-sig-does-not-verify.apk",
        "tests/data/v3-only-with-ecdsa-sha512-p521-sig-does-not-verify.apk",
        "tests/data/v3-only-with-rsa-pkcs1-sha256-3072-sig-does-not-verify.apk",
    ];
@ -106,9 +118,16 @@ fn test_verify_v3_sig_does_not_verify() {

 #[test]
 fn test_verify_v3_digest_mismatch() {
-    let res = verify("tests/data/v3-only-with-rsa-pkcs1-sha512-8192-digest-mismatch.apk");
-    assert!(res.is_err());
-    assert_contains(&res.unwrap_err().to_string(), "Digest mismatch");
+    let path_list = [
+        "tests/data/v3-only-with-dsa-sha256-3072-digest-mismatch.apk",
+        "tests/data/v3-only-with-rsa-pkcs1-sha512-8192-digest-mismatch.apk",
+    ];
+    for path in path_list.iter() {
+        let res = verify(path);
+        assert!(res.is_err());
+        let error_msg = &res.unwrap_err().to_string();
+        assert!(error_msg.contains("Digest mismatch") || error_msg.contains("not implemented"));
+    }
 }

 #[test]
--- a/libs/apkverify/tests/data/v3-only-with-dsa-sha256-1024.apk.apk_digest
+++ b/libs/apkverify/tests/data/v3-only-with-dsa-sha256-1024.apk.apk_digest
@ -0,0 +1,2 @@
+
òBn£:í¯I]ˆå¾jcÿ
+<EFBFBD>ÅíÕ²’šä´0/
--- a/libs/apkverify/tests/data/v3-only-with-dsa-sha256-2048.apk.apk_digest
+++ b/libs/apkverify/tests/data/v3-only-with-dsa-sha256-2048.apk.apk_digest
@ -0,0 +1,2 @@
+
òBn£:í¯I]ˆå¾jcÿ
+<EFBFBD>ÅíÕ²’šä´0/
--- a/libs/apkverify/tests/data/v3-only-with-dsa-sha256-3072.apk.apk_digest
+++ b/libs/apkverify/tests/data/v3-only-with-dsa-sha256-3072.apk.apk_digest
@ -0,0 +1,2 @@
+
òBn£:í¯I]ˆå¾jcÿ
+<EFBFBD>ÅíÕ²’šä´0/