Merge "Verify APKs using APK Signature Scheme v2."

import android.util.Pair;

import android.util.Slog;

import android.util.TypedValue;

import android.util.apk.ApkSignatureSchemeV2Verifier;

import android.util.jar.StrictJarFile;

import android.view.Gravity;

        final boolean requireCode = ((parseFlags & PARSE_ENFORCE_CODE) != 0) && hasCode;

        final String apkPath = apkFile.getAbsolutePath();

        // Try to verify the APK using APK Signature Scheme v2.

        boolean verified = false;

        {

            Certificate[][] allSignersCerts = null;

            Signature[] signatures = null;

            try {

                allSignersCerts = ApkSignatureSchemeV2Verifier.verify(apkPath);

                signatures = convertToSignatures(allSignersCerts);

                // APK verified using APK Signature Scheme v2.

                verified = true;

            } catch (ApkSignatureSchemeV2Verifier.SignatureNotFoundException e) {

                // No APK Signature Scheme v2 signature found

            } catch (Exception e) {

                // APK Signature Scheme v2 signature was found but did not verify

                throw new PackageParserException(INSTALL_PARSE_FAILED_NO_CERTIFICATES,

                        "Failed to collect certificates from " + apkPath

                                + " using APK Signature Scheme v2",

                        e);

            }

            if (verified) {

                if (pkg.mCertificates == null) {

                    pkg.mCertificates = allSignersCerts;

                    pkg.mSignatures = signatures;

                    pkg.mSigningKeys = new ArraySet<>(allSignersCerts.length);

                    for (int i = 0; i < allSignersCerts.length; i++) {

                        Certificate[] signerCerts = allSignersCerts[i];

                        Certificate signerCert = signerCerts[0];

                        pkg.mSigningKeys.add(signerCert.getPublicKey());

                    }

                } else {

                    if (!Signature.areExactMatch(pkg.mSignatures, signatures)) {

                        throw new PackageParserException(

                                INSTALL_PARSE_FAILED_INCONSISTENT_CERTIFICATES,

                                apkPath + " has mismatched certificates");

                    }

                }

                // Not yet done, because we need to confirm that AndroidManifest.xml exists and,

                // if requested, that classes.dex exists.

            }

        }

        boolean codeFound = false;

        StrictJarFile jarFile = null;

        try {

            Trace.traceBegin(TRACE_TAG_PACKAGE_MANAGER, "strictJarFileCtor");

            jarFile = new StrictJarFile(apkPath);

            jarFile = new StrictJarFile(

                    apkPath,

                    !verified // whether to verify JAR signature

                    );

            Trace.traceEnd(TRACE_TAG_PACKAGE_MANAGER);

            // Always verify manifest, regardless of source

                        "Package " + apkPath + " has no manifest");

            }

            // Optimization: early termination when APK already verified

            if (verified) {

                if ((requireCode) && (jarFile.findEntry(BYTECODE_FILENAME) == null)) {

                    throw new PackageParserException(INSTALL_PARSE_FAILED_MANIFEST_MALFORMED,

                            "Package " + apkPath + " code is missing");

                }

                return;

            }

            // APK's integrity needs to be verified using JAR signature scheme.

            Trace.traceBegin(TRACE_TAG_PACKAGE_MANAGER, "buildVerifyList");

            final List<ZipEntry> toVerify = new ArrayList<>();

            toVerify.add(manifestEntry);

/*

 * Copyright (C) 2016 The Android Open Source Project

 *

 * Licensed under the Apache License, Version 2.0 (the "License");

 * you may not use this file except in compliance with the License.

 * You may obtain a copy of the License at

 *

 *      http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 */

package android.util.apk;

import java.nio.ByteBuffer;

import java.nio.ByteOrder;

/**

 * Assorted ZIP format helpers.

 *

 * <p>NOTE: Most helper methods operating on {@code ByteBuffer} instances except that the byte

 * order of these buffers is little-endian.

 */

abstract class ZipUtils {

    private ZipUtils() {}

    private static final int ZIP_EOCD_REC_MIN_SIZE = 22;

    private static final int ZIP_EOCD_REC_SIG = 0x06054b50;

    private static final int ZIP_EOCD_CENTRAL_DIR_SIZE_FIELD_OFFSET = 12;

    private static final int ZIP_EOCD_CENTRAL_DIR_OFFSET_FIELD_OFFSET = 16;

    private static final int ZIP_EOCD_COMMENT_LENGTH_FIELD_OFFSET = 20;

    private static final int ZIP64_EOCD_LOCATOR_SIZE = 20;

    private static final int ZIP64_EOCD_LOCATOR_SIG = 0x07064b50;

    private static final int UINT32_MAX_VALUE = 0xffff;

    /**

     * Returns the position at which ZIP End of Central Directory record starts in the provided

     * buffer or {@code -1} if the record is not present.

     *

     * <p>NOTE: Byte order of {@code zipContents} must be little-endian.

     */

    public static int findZipEndOfCentralDirectoryRecord(ByteBuffer zipContents) {

        assertByteOrderLittleEndian(zipContents);

        // ZIP End of Central Directory (EOCD) record is located at the very end of the ZIP archive.

        // The record can be identified by its 4-byte signature/magic which is located at the very

        // beginning of the record. A complication is that the record is variable-length because of

        // the comment field.

        // The algorithm for locating the ZIP EOCD record is as follows. We search backwards from

        // end of the buffer for the EOCD record signature. Whenever we find a signature, we check

        // the candidate record's comment length is such that the remainder of the record takes up

        // exactly the remaining bytes in the buffer. The search is bounded because the maximum

        // size of the comment field is 65535 bytes because the field is an unsigned 32-bit number.

        int archiveSize = zipContents.capacity();

        if (archiveSize < ZIP_EOCD_REC_MIN_SIZE) {

            System.out.println("File size smaller than EOCD min size");

            return -1;

        }

        int maxCommentLength = Math.min(archiveSize - ZIP_EOCD_REC_MIN_SIZE, UINT32_MAX_VALUE);

        int eocdWithEmptyCommentStartPosition = archiveSize - ZIP_EOCD_REC_MIN_SIZE;

        for (int expectedCommentLength = 0; expectedCommentLength < maxCommentLength;

                expectedCommentLength++) {

            int eocdStartPos = eocdWithEmptyCommentStartPosition - expectedCommentLength;

            if (zipContents.getInt(eocdStartPos) == ZIP_EOCD_REC_SIG) {

                int actualCommentLength =

                        getUnsignedInt16(

                                zipContents, eocdStartPos + ZIP_EOCD_COMMENT_LENGTH_FIELD_OFFSET);

                if (actualCommentLength == expectedCommentLength) {

                    return eocdStartPos;

                }

            }

        }

        return -1;

    }

    /**

     * Returns {@code true} if the provided buffer contains a ZIP64 End of Central Directory

     * Locator.

     *

     * <p>NOTE: Byte order of {@code zipContents} must be little-endian.

     */

    public static final boolean isZip64EndOfCentralDirectoryLocatorPresent(

            ByteBuffer zipContents, int zipEndOfCentralDirectoryPosition) {

        assertByteOrderLittleEndian(zipContents);

        // ZIP64 End of Central Directory Locator immediately precedes the ZIP End of Central

        // Directory Record.

        int locatorPosition = zipEndOfCentralDirectoryPosition - ZIP64_EOCD_LOCATOR_SIZE;

        if (locatorPosition < 0) {

            return false;

        }

        return zipContents.getInt(locatorPosition) == ZIP64_EOCD_LOCATOR_SIG;

    }

    /**

     * Returns the offset of the start of the ZIP Central Directory in the archive.

     *

     * <p>NOTE: Byte order of {@code zipEndOfCentralDirectory} must be little-endian.

     */

    public static long getZipEocdCentralDirectoryOffset(ByteBuffer zipEndOfCentralDirectory) {

        assertByteOrderLittleEndian(zipEndOfCentralDirectory);

        return getUnsignedInt32(

                zipEndOfCentralDirectory,

                zipEndOfCentralDirectory.position() + ZIP_EOCD_CENTRAL_DIR_OFFSET_FIELD_OFFSET);

    }

    /**

     * Sets the offset of the start of the ZIP Central Directory in the archive.

     *

     * <p>NOTE: Byte order of {@code zipEndOfCentralDirectory} must be little-endian.

     */

    public static void setZipEocdCentralDirectoryOffset(

            ByteBuffer zipEndOfCentralDirectory, long offset) {

        assertByteOrderLittleEndian(zipEndOfCentralDirectory);

        setUnsignedInt32(

                zipEndOfCentralDirectory,

                zipEndOfCentralDirectory.position() + ZIP_EOCD_CENTRAL_DIR_OFFSET_FIELD_OFFSET,

                offset);

    }

    /**

     * Returns the size (in bytes) of the ZIP Central Directory.

     *

     * <p>NOTE: Byte order of {@code zipEndOfCentralDirectory} must be little-endian.

     */

    public static long getZipEocdCentralDirectorySizeBytes(ByteBuffer zipEndOfCentralDirectory) {

        assertByteOrderLittleEndian(zipEndOfCentralDirectory);

        return getUnsignedInt32(

                zipEndOfCentralDirectory,

                zipEndOfCentralDirectory.position() + ZIP_EOCD_CENTRAL_DIR_SIZE_FIELD_OFFSET);

    }

    private static void assertByteOrderLittleEndian(ByteBuffer buffer) {

        if (buffer.order() != ByteOrder.LITTLE_ENDIAN) {

            throw new IllegalArgumentException("ByteBuffer byte order must be little endian");

        }

    }

    private static int getUnsignedInt16(ByteBuffer buffer, int offset) {

        return buffer.getShort(offset) & 0xffff;

    }

    private static long getUnsignedInt32(ByteBuffer buffer, int offset) {

        return buffer.getInt(offset) & 0xffffffffL;

    }

    private static void setUnsignedInt32(ByteBuffer buffer, int offset, long value) {

        if ((value < 0) || (value > 0xffffffffL)) {

            throw new IllegalArgumentException("uint32 value of out range: " + value);

        }

        buffer.putInt(buffer.position() + offset, (int) value);

    }

}

package android.util.jar;

import dalvik.system.CloseGuard;

import java.io.ByteArrayInputStream;

import java.io.FilterInputStream;

import java.io.IOException;

import java.io.InputStream;

import java.util.zip.Inflater;

import java.util.zip.InflaterInputStream;

import java.util.zip.ZipEntry;

import java.util.zip.ZipFile;

import java.util.jar.JarFile;

import java.util.jar.Manifest;

import libcore.io.IoUtils;

import libcore.io.Streams;

    private final CloseGuard guard = CloseGuard.get();

    private boolean closed;

    public StrictJarFile(String fileName) throws IOException, SecurityException {

    public StrictJarFile(String fileName)

            throws IOException, SecurityException {

        this(fileName, true);

    }

    public StrictJarFile(String fileName, boolean verify)

            throws IOException, SecurityException {

        this.nativeHandle = nativeOpenJarFile(fileName);

        this.raf = new RandomAccessFile(fileName, "r");

            // Read the MANIFEST and signature files up front and try to

            // parse them. We never want to accept a JAR File with broken signatures

            // or manifests, so it's best to throw as early as possible.

            if (verify) {

                HashMap<String, byte[]> metaEntries = getMetaEntries();

                this.manifest = new StrictJarManifest(metaEntries.get(JarFile.MANIFEST_NAME), true);

                this.verifier = new StrictJarVerifier(fileName, manifest, metaEntries);

                }

                isSigned = verifier.readCertificates() && verifier.isSignedJar();

            } else {

                isSigned = false;

                this.manifest = null;

                this.verifier = null;

            }

        } catch (IOException | SecurityException e) {

            nativeClose(this.nativeHandle);

            IoUtils.closeQuietly(this.raf);

import java.util.Iterator;

import java.util.Locale;

import java.util.Map;

import java.util.Set;

import java.util.StringTokenizer;

import java.util.jar.Attributes;

import java.util.jar.JarFile;

import android.util.ArraySet;

import android.util.apk.ApkSignatureSchemeV2Verifier;

import libcore.io.Base64;

import sun.security.jca.Providers;

import sun.security.pkcs.PKCS7;

            return;

        }

        // Check whether APK Signature Scheme v2 signature was stripped.

        String apkSignatureSchemeIdList =

                attributes.getValue(

                        ApkSignatureSchemeV2Verifier.SF_ATTRIBUTE_ANDROID_APK_SIGNED_NAME);

        if (apkSignatureSchemeIdList != null) {

            // This field contains a comma-separated list of APK signature scheme IDs which were

            // used to sign this APK. If an ID is known to us, it means signatures of that scheme

            // were stripped from the APK because otherwise we wouldn't have fallen back to

            // verifying the APK using the JAR signature scheme.

            boolean v2SignatureGenerated = false;

            StringTokenizer tokenizer = new StringTokenizer(apkSignatureSchemeIdList, ",");

            while (tokenizer.hasMoreTokens()) {

                String idText = tokenizer.nextToken().trim();

                if (idText.isEmpty()) {

                    continue;

                }

                int id;

                try {

                    id = Integer.parseInt(idText);

                } catch (Exception ignored) {

                    continue;

                }

                if (id == ApkSignatureSchemeV2Verifier.SF_ATTRIBUTE_ANDROID_APK_SIGNED_ID) {

                    // This APK was supposed to be signed with APK Signature Scheme v2 but no such

                    // signature was found.

                    v2SignatureGenerated = true;

                    break;

                }

            }

            if (v2SignatureGenerated) {

                throw new SecurityException(signatureFile + " indicates " + jarName + " is signed"

                        + " using APK Signature Scheme v2, but no such signature was found."

                        + " Signature stripped?");

            }

        }

        // Do we actually have any signatures to look at?

        if (attributes.get(Attributes.Name.SIGNATURE_VERSION) == null) {

            return;