[apkverify][test] Verify public key in apk verification tests

Prior to this cl, we only checked if the verification result exists in tests. Bug: 197052981 Bug: 239534874 Test: libapkverify.integration_test Change-Id: I59dc53148a06dc9aa1e152b4152274a4ed9bd30e
2022-09-16 10:08:25 +00:00 · 2022-09-16 10:08:25 +00:00 · 67d3c00e50
parent c6076c55be
commit 67d3c00e50
24 changed files with 41 additions and 14 deletions
--- a/libs/apkverify/tests/apkverify_test.rs
+++ b/libs/apkverify/tests/apkverify_test.rs
@ -15,7 +15,7 @@
 */

 use apkverify::{testing::assert_contains, verify};
-use std::matches;
+use std::{fs, matches, path::Path};

 const KEY_NAMES_DSA: &[&str] = &["1024", "2048", "3072"];
 const KEY_NAMES_ECDSA: &[&str] = &["p256", "p384", "p521"];
@ -34,7 +34,7 @@ fn test_verify_truncated_cd() {

 #[test]
 fn test_verify_v3() {
-    assert!(verify("tests/data/test.apex").is_ok());
+    validate_apk_public_key("tests/data/test.apex");
 }

 #[test]
@ -49,32 +49,34 @@ fn test_verify_v3_dsa_sha256() {
 #[test]
 fn test_verify_v3_ecdsa_sha256() {
    for key_name in KEY_NAMES_ECDSA.iter() {
-        assert!(verify(format!("tests/data/v3-only-with-ecdsa-sha256-{}.apk", key_name)).is_ok());
+        validate_apk_public_key(format!("tests/data/v3-only-with-ecdsa-sha256-{}.apk", key_name));
    }
 }

 #[test]
 fn test_verify_v3_ecdsa_sha512() {
    for key_name in KEY_NAMES_ECDSA.iter() {
-        assert!(verify(format!("tests/data/v3-only-with-ecdsa-sha512-{}.apk", key_name)).is_ok());
+        validate_apk_public_key(format!("tests/data/v3-only-with-ecdsa-sha512-{}.apk", key_name));
    }
 }

 #[test]
 fn test_verify_v3_rsa_sha256() {
    for key_name in KEY_NAMES_RSA.iter() {
-        assert!(
-            verify(format!("tests/data/v3-only-with-rsa-pkcs1-sha256-{}.apk", key_name)).is_ok()
-        );
+        validate_apk_public_key(format!(
+            "tests/data/v3-only-with-rsa-pkcs1-sha256-{}.apk",
+            key_name
+        ));
    }
 }

 #[test]
 fn test_verify_v3_rsa_sha512() {
    for key_name in KEY_NAMES_RSA.iter() {
-        assert!(
-            verify(format!("tests/data/v3-only-with-rsa-pkcs1-sha512-{}.apk", key_name)).is_ok()
-        );
+        validate_apk_public_key(format!(
+            "tests/data/v3-only-with-rsa-pkcs1-sha512-{}.apk",
+            key_name
+        ));
    }
 }

@ -167,20 +169,45 @@ fn test_verify_v3_signatures_and_digests_block_mismatch() {

 #[test]
 fn test_verify_v3_unknown_additional_attr() {
-    assert!(verify("tests/data/v3-only-unknown-additional-attr.apk").is_ok());
+    validate_apk_public_key("tests/data/v3-only-unknown-additional-attr.apk");
 }

 #[test]
 fn test_verify_v3_unknown_pair_in_apk_sig_block() {
-    assert!(verify("tests/data/v3-only-unknown-pair-in-apk-sig-block.apk").is_ok());
+    validate_apk_public_key("tests/data/v3-only-unknown-pair-in-apk-sig-block.apk");
 }

 #[test]
 fn test_verify_v3_ignorable_unsupported_sig_algs() {
-    assert!(verify("tests/data/v3-only-with-ignorable-unsupported-sig-algs.apk").is_ok());
+    validate_apk_public_key("tests/data/v3-only-with-ignorable-unsupported-sig-algs.apk");
 }

 #[test]
 fn test_verify_v3_stamp() {
-    assert!(verify("tests/data/v3-only-with-stamp.apk").is_ok());
+    validate_apk_public_key("tests/data/v3-only-with-stamp.apk");
+}
+
+fn validate_apk_public_key<P: AsRef<Path>>(apk_path: P) {
+    // Validates public key from verification == expected public key.
+    let public_key_from_verification = verify(apk_path.as_ref());
+    let public_key_from_verification =
+        public_key_from_verification.expect("Error in verification result");
+
+    let expected_public_key_path = format!("{}.der", apk_path.as_ref().to_str().unwrap());
+    assert!(
+        fs::metadata(&expected_public_key_path).is_ok(),
+        "File does not exist. You can re-create it with:\n$ echo -en {} > {}\n",
+        public_key_from_verification.iter().map(|b| format!("\\\\x{:02x}", b)).collect::<String>(),
+        expected_public_key_path
+    );
+    let expected_public_key = fs::read(&expected_public_key_path).unwrap();
+    assert_eq!(
+        expected_public_key,
+        public_key_from_verification.as_ref(),
+        "{}",
+        expected_public_key_path
+    );
+
+    // TODO(b/239534874): Validates public key extracted directly from apk
+    // (without verification) == expected public key.
 }
--- a/libs/apkverify/tests/data/test.apex.der
+++ b/libs/apkverify/tests/data/test.apex.der
--- a/libs/apkverify/tests/data/v3-only-unknown-additional-attr.apk.der
+++ b/libs/apkverify/tests/data/v3-only-unknown-additional-attr.apk.der
--- a/libs/apkverify/tests/data/v3-only-unknown-pair-in-apk-sig-block.apk.der
+++ b/libs/apkverify/tests/data/v3-only-unknown-pair-in-apk-sig-block.apk.der
--- a/libs/apkverify/tests/data/v3-only-with-ecdsa-sha256-p256.apk.der
+++ b/libs/apkverify/tests/data/v3-only-with-ecdsa-sha256-p256.apk.der
--- a/libs/apkverify/tests/data/v3-only-with-ecdsa-sha256-p384.apk.der
+++ b/libs/apkverify/tests/data/v3-only-with-ecdsa-sha256-p384.apk.der
--- a/libs/apkverify/tests/data/v3-only-with-ecdsa-sha256-p521.apk.der
+++ b/libs/apkverify/tests/data/v3-only-with-ecdsa-sha256-p521.apk.der
--- a/libs/apkverify/tests/data/v3-only-with-ecdsa-sha512-p256.apk.der
+++ b/libs/apkverify/tests/data/v3-only-with-ecdsa-sha512-p256.apk.der
--- a/libs/apkverify/tests/data/v3-only-with-ecdsa-sha512-p384.apk.der
+++ b/libs/apkverify/tests/data/v3-only-with-ecdsa-sha512-p384.apk.der
--- a/libs/apkverify/tests/data/v3-only-with-ecdsa-sha512-p521.apk.der
+++ b/libs/apkverify/tests/data/v3-only-with-ecdsa-sha512-p521.apk.der
--- a/libs/apkverify/tests/data/v3-only-with-ignorable-unsupported-sig-algs.apk.der
+++ b/libs/apkverify/tests/data/v3-only-with-ignorable-unsupported-sig-algs.apk.der
--- a/libs/apkverify/tests/data/v3-only-with-rsa-pkcs1-sha256-1024.apk.der
+++ b/libs/apkverify/tests/data/v3-only-with-rsa-pkcs1-sha256-1024.apk.der
--- a/libs/apkverify/tests/data/v3-only-with-rsa-pkcs1-sha256-16384.apk.der
+++ b/libs/apkverify/tests/data/v3-only-with-rsa-pkcs1-sha256-16384.apk.der
--- a/libs/apkverify/tests/data/v3-only-with-rsa-pkcs1-sha256-2048.apk.der
+++ b/libs/apkverify/tests/data/v3-only-with-rsa-pkcs1-sha256-2048.apk.der
--- a/libs/apkverify/tests/data/v3-only-with-rsa-pkcs1-sha256-3072.apk.der
+++ b/libs/apkverify/tests/data/v3-only-with-rsa-pkcs1-sha256-3072.apk.der
--- a/libs/apkverify/tests/data/v3-only-with-rsa-pkcs1-sha256-4096.apk.der
+++ b/libs/apkverify/tests/data/v3-only-with-rsa-pkcs1-sha256-4096.apk.der
--- a/libs/apkverify/tests/data/v3-only-with-rsa-pkcs1-sha256-8192.apk.der
+++ b/libs/apkverify/tests/data/v3-only-with-rsa-pkcs1-sha256-8192.apk.der
--- a/libs/apkverify/tests/data/v3-only-with-rsa-pkcs1-sha512-1024.apk.der
+++ b/libs/apkverify/tests/data/v3-only-with-rsa-pkcs1-sha512-1024.apk.der
--- a/libs/apkverify/tests/data/v3-only-with-rsa-pkcs1-sha512-16384.apk.der
+++ b/libs/apkverify/tests/data/v3-only-with-rsa-pkcs1-sha512-16384.apk.der
--- a/libs/apkverify/tests/data/v3-only-with-rsa-pkcs1-sha512-2048.apk.der
+++ b/libs/apkverify/tests/data/v3-only-with-rsa-pkcs1-sha512-2048.apk.der
--- a/libs/apkverify/tests/data/v3-only-with-rsa-pkcs1-sha512-3072.apk.der
+++ b/libs/apkverify/tests/data/v3-only-with-rsa-pkcs1-sha512-3072.apk.der
--- a/libs/apkverify/tests/data/v3-only-with-rsa-pkcs1-sha512-4096.apk.der
+++ b/libs/apkverify/tests/data/v3-only-with-rsa-pkcs1-sha512-4096.apk.der
--- a/libs/apkverify/tests/data/v3-only-with-rsa-pkcs1-sha512-8192.apk.der
+++ b/libs/apkverify/tests/data/v3-only-with-rsa-pkcs1-sha512-8192.apk.der
--- a/libs/apkverify/tests/data/v3-only-with-stamp.apk.der
+++ b/libs/apkverify/tests/data/v3-only-with-stamp.apk.der