Merge "Extract source stamp during app install" into rvc-dev am: 759dbb7c

    private final List<String> mInstallerCertificates;

    private final long mVersionCode;

    private final boolean mIsPreInstalled;

    private final boolean mIsStampPresent;

    private final boolean mIsStampVerified;

    private final boolean mIsStampTrusted;

    // Raw string encoding for the SHA-256 hash of the certificate of the stamp.

    private final String mStampCertificateHash;

        this.mInstallerCertificates = builder.mInstallerCertificates;

        this.mVersionCode = builder.mVersionCode;

        this.mIsPreInstalled = builder.mIsPreInstalled;

        this.mIsStampPresent = builder.mIsStampPresent;

        this.mIsStampVerified = builder.mIsStampVerified;

        this.mIsStampTrusted = builder.mIsStampTrusted;

        this.mStampCertificateHash = builder.mStampCertificateHash;

        this.mAllowedInstallersAndCertificates = builder.mAllowedInstallersAndCertificates;

        return mIsPreInstalled;

    }

    /** @see AppInstallMetadata.Builder#setIsStampPresent(boolean) */

    public boolean isStampPresent() {

        return mIsStampPresent;

    }

    /** @see AppInstallMetadata.Builder#setIsStampVerified(boolean) */

    public boolean isStampVerified() {

        return mIsStampVerified;

    }

    /** @see AppInstallMetadata.Builder#setIsStampTrusted(boolean) */

    public boolean isStampTrusted() {

        return mIsStampTrusted;

    public String toString() {

        return String.format(

                "AppInstallMetadata { PackageName = %s, AppCerts = %s, InstallerName = %s,"

                        + " InstallerCerts = %s, VersionCode = %d, PreInstalled = %b, "

                        + "StampTrusted = %b, StampCert = %s }",

                    + " InstallerCerts = %s, VersionCode = %d, PreInstalled = %b, StampPresent ="

                    + " %b, StampVerified = %b, StampTrusted = %b, StampCert = %s }",

                mPackageName,

                mAppCertificates,

                mInstallerName == null ? "null" : mInstallerName,

                mInstallerCertificates == null ? "null" : mInstallerCertificates,

                mVersionCode,

                mIsPreInstalled,

                mIsStampPresent,

                mIsStampVerified,

                mIsStampTrusted,

                mStampCertificateHash == null ? "null" : mStampCertificateHash);

    }

        private List<String> mInstallerCertificates;

        private long mVersionCode;

        private boolean mIsPreInstalled;

        private boolean mIsStampPresent;

        private boolean mIsStampVerified;

        private boolean mIsStampTrusted;

        private String mStampCertificateHash;

        private Map<String, String> mAllowedInstallersAndCertificates;

        }

        /**

         * Set certificate hash of the stamp embedded in the APK.

         * Set whether the stamp embedded in the APK is present or not.

         *

         * <p>It is represented as the raw string encoding for the SHA-256 hash of the certificate

         * of the stamp.

         * @see AppInstallMetadata#isStampPresent()

         */

        @NonNull

        public Builder setIsStampPresent(boolean isStampPresent) {

            this.mIsStampPresent = isStampPresent;

            return this;

        }

        /**

         * Set whether the stamp embedded in the APK is verified or not.

         *

         * @see AppInstallMetadata#getStampCertificateHash()

         * @see AppInstallMetadata#isStampVerified()

         */

        @NonNull

        public Builder setStampCertificateHash(@NonNull String stampCertificateHash) {

            this.mStampCertificateHash = Objects.requireNonNull(stampCertificateHash);

        public Builder setIsStampVerified(boolean isStampVerified) {

            this.mIsStampVerified = isStampVerified;

            return this;

        }

            return this;

        }

        /**

         * Set certificate hash of the stamp embedded in the APK.

         *

         * <p>It is represented as the raw string encoding for the SHA-256 hash of the certificate

         * of the stamp.

         *

         * @see AppInstallMetadata#getStampCertificateHash()

         */

        @NonNull

        public Builder setStampCertificateHash(@NonNull String stampCertificateHash) {

            this.mStampCertificateHash = Objects.requireNonNull(stampCertificateHash);

            return this;

        }

        /**

         * Build {@link AppInstallMetadata}.

         *

                            "Key %s cannot be used with StringAtomicFormula", keyToString(key)));

            mValue = hashValue(key, value);

            mIsHashedValue =

                    key == APP_CERTIFICATE

                    (key == APP_CERTIFICATE

                                    || key == INSTALLER_CERTIFICATE

                                    || key == STAMP_CERTIFICATE_HASH

                            ? true

                            : !mValue.equals(value);

                                    || key == STAMP_CERTIFICATE_HASH)

                            || !mValue.equals(value);

        }

        StringAtomicFormula(Parcel in) {

import android.os.HandlerThread;

import android.os.UserHandle;

import android.provider.Settings;

import android.security.FileIntegrityManager;

import android.util.Slog;

import android.util.apk.SourceStampVerificationResult;

import android.util.apk.SourceStampVerifier;

import com.android.internal.R;

import com.android.internal.annotations.VisibleForTesting;

    private static final String ALLOWED_INSTALLER_DELIMITER = ",";

    private static final String INSTALLER_PACKAGE_CERT_DELIMITER = "\\|";

    private static final Set<String> PACKAGE_INSTALLER = new HashSet<>(

            Arrays.asList("com.google.android.packageinstaller", "com.android.packageinstaller"));

    private static final Set<String> PACKAGE_INSTALLER =

            new HashSet<>(

                    Arrays.asList(

                            "com.google.android.packageinstaller", "com.android.packageinstaller"));

    // Access to files inside mRulesDir is protected by mRulesLock;

    private final Context mContext;

    private final PackageManagerInternal mPackageManagerInternal;

    private final RuleEvaluationEngine mEvaluationEngine;

    private final IntegrityFileManager mIntegrityFileManager;

    private final FileIntegrityManager mFileIntegrityManager;

    /** Create an instance of {@link AppIntegrityManagerServiceImpl}. */

    public static AppIntegrityManagerServiceImpl create(Context context) {

                LocalServices.getService(PackageManagerInternal.class),

                RuleEvaluationEngine.getRuleEvaluationEngine(),

                IntegrityFileManager.getInstance(),

                (FileIntegrityManager) context.getSystemService(Context.FILE_INTEGRITY_SERVICE),

                handlerThread.getThreadHandler());

    }

            PackageManagerInternal packageManagerInternal,

            RuleEvaluationEngine evaluationEngine,

            IntegrityFileManager integrityFileManager,

            FileIntegrityManager fileIntegrityManager,

            Handler handler) {

        mContext = context;

        mPackageManagerInternal = packageManagerInternal;

        mEvaluationEngine = evaluationEngine;

        mIntegrityFileManager = integrityFileManager;

        mFileIntegrityManager = fileIntegrityManager;

        mHandler = handler;

        IntentFilter integrityVerificationFilter = new IntentFilter();

                        success = false;

                    }

                    FrameworkStatsLog.write(FrameworkStatsLog.INTEGRITY_RULES_PUSHED, success,

                            ruleProvider, version);

                    FrameworkStatsLog.write(

                            FrameworkStatsLog.INTEGRITY_RULES_PUSHED,

                            success,

                            ruleProvider,

                            version);

                    Intent intent = new Intent();

                    intent.putExtra(EXTRA_STATUS, success ? STATUS_SUCCESS : STATUS_FAILURE);

            String installerPackageName = getInstallerPackageName(intent);

            // Skip integrity verification if the verifier is doing the install.

            if (!integrityCheckIncludesRuleProvider()

                    && isRuleProvider(installerPackageName)) {

            if (!integrityCheckIncludesRuleProvider() && isRuleProvider(installerPackageName)) {

                Slog.i(TAG, "Verifier doing the install. Skipping integrity check.");

                mPackageManagerInternal.setIntegrityVerificationResult(

                        verificationId, PackageManagerInternal.INTEGRITY_VERIFICATION_ALLOW);

            builder.setInstallerCertificates(installerCertificates);

            builder.setIsPreInstalled(isSystemApp(packageName));

            builder.setAllowedInstallersAndCert(getAllowedInstallers(packageInfo));

            extractSourceStamp(intent.getData(), builder);

            AppInstallMetadata appInstallMetadata = builder.build();

            Slog.i(

                    TAG,

                    "To be verified: " + appInstallMetadata + " installers " + getAllowedInstallers(

                            packageInfo));

            IntegrityCheckResult result =

                    mEvaluationEngine.evaluate(appInstallMetadata);

                    "To be verified: "

                            + appInstallMetadata

                            + " installers "

                            + getAllowedInstallers(packageInfo));

            IntegrityCheckResult result = mEvaluationEngine.evaluate(appInstallMetadata);

            Slog.i(

                    TAG,

                    "Integrity check result: "

                        String cert = packageAndCert[1];

                        packageCertMap.put(packageName, cert);

                    } else if (packageAndCert.length == 1) {

                        packageCertMap.put(getPackageNameNormalized(packageAndCert[0]),

                        packageCertMap.put(

                                getPackageNameNormalized(packageAndCert[0]),

                                INSTALLER_CERTIFICATE_NOT_EVALUATED);

                    }

                }

        return packageCertMap;

    }

    /** Extract the source stamp embedded in the APK, if present. */

    private void extractSourceStamp(Uri dataUri, AppInstallMetadata.Builder appInstallMetadata) {

        File installationPath = getInstallationPath(dataUri);

        if (installationPath == null) {

            throw new IllegalArgumentException("Installation path is null, package not found");

        }

        SourceStampVerificationResult sourceStampVerificationResult =

                SourceStampVerifier.verify(installationPath.getAbsolutePath());

        appInstallMetadata.setIsStampPresent(sourceStampVerificationResult.isPresent());

        appInstallMetadata.setIsStampVerified(sourceStampVerificationResult.isVerified());

        if (sourceStampVerificationResult.isVerified()) {

            X509Certificate sourceStampCertificate =

                    (X509Certificate) sourceStampVerificationResult.getCertificate();

            // Sets source stamp certificate digest.

            try {

                MessageDigest digest = MessageDigest.getInstance("SHA-256");

                byte[] certificateDigest = digest.digest(sourceStampCertificate.getEncoded());

                appInstallMetadata.setStampCertificateHash(getHexDigest(certificateDigest));

            } catch (NoSuchAlgorithmException | CertificateEncodingException e) {

                throw new IllegalArgumentException(

                        "Error computing source stamp certificate digest", e);

            }

            // Checks if the source stamp certificate is trusted.

            try {

                appInstallMetadata.setIsStampTrusted(

                        mFileIntegrityManager.isApkVeritySupported()

                                && mFileIntegrityManager.isAppSourceCertificateTrusted(

                                        sourceStampCertificate));

            } catch (CertificateEncodingException e) {

                throw new IllegalArgumentException(

                        "Error checking if source stamp certificate is trusted", e);

            }

        }

    }

    private static Signature[] getSignatures(@NonNull PackageInfo packageInfo) {

        SigningInfo signingInfo = packageInfo.signingInfo;

            ParsedPackage pkg = parser.parsePackage(installationPath, 0, false);

            int flags = PackageManager.GET_SIGNING_CERTIFICATES | PackageManager.GET_META_DATA;

            pkg.setSigningDetails(ParsingPackageUtils.collectCertificates(pkg, false));

            return PackageInfoUtils.generate(pkg, null, flags, 0, 0, null, new PackageUserState(),

                    UserHandle.getCallingUserId(), null);

            return PackageInfoUtils.generate(

                    pkg,

                    null,

                    flags,

                    0,

                    0,

                    null,

                    new PackageUserState(),

                    UserHandle.getCallingUserId(),

                    null);

        } catch (Exception e) {

            Slog.w(TAG, "Exception reading " + dataUri, e);

            return null;

import static org.junit.Assert.assertEquals;

import static org.junit.Assert.assertFalse;

import static org.junit.Assert.assertTrue;

import static org.mockito.ArgumentMatchers.any;

import static org.mockito.ArgumentMatchers.anyInt;

import static org.mockito.ArgumentMatchers.anyLong;

import android.os.Handler;

import android.os.Message;

import android.provider.Settings;

import android.security.FileIntegrityManager;

import androidx.test.InstrumentationRegistry;

    private static final String TEST_APP_TWO_CERT_PATH =

            "AppIntegrityManagerServiceImplTest/DummyAppTwoCerts.apk";

    private static final String TEST_APP_SOURCE_STAMP_PATH =

            "AppIntegrityManagerServiceImplTest/SourceStampTestApk.apk";

    private static final String PACKAGE_MIME_TYPE = "application/vnd.android.package-archive";

    private static final String VERSION = "version";

    private static final String TEST_FRAMEWORK_PACKAGE = "com.android.frameworks.servicestests";

    // We use SHA256 for package names longer than 32 characters.

    private static final String INSTALLER_SHA256 =

            "30F41A7CBF96EE736A54DD6DF759B50ED3CC126ABCEF694E167C324F5976C227";

    private static final String SOURCE_STAMP_CERTIFICATE_HASH =

            "681B0E56A796350C08647352A4DB800CC44B2ADC8F4C72FA350BD05D4D50264D";

    private static final String DUMMY_APP_TWO_CERTS_CERT_1 =

            "C0369C2A1096632429DFA8433068AECEAD00BAC337CA92A175036D39CC9AFE94";

    private static final String ADB_INSTALLER = "adb";

    private static final String PLAY_STORE_CERT = "play_store_cert";

    @org.junit.Rule

    public MockitoRule mMockitoRule = MockitoJUnit.rule();

    @Mock

    PackageManagerInternal mPackageManagerInternal;

    @Mock

    Context mMockContext;

    @Mock

    Resources mMockResources;

    @Mock

    RuleEvaluationEngine mRuleEvaluationEngine;

    @Mock

    IntegrityFileManager mIntegrityFileManager;

    @Mock

    Handler mHandler;

    @org.junit.Rule public MockitoRule mMockitoRule = MockitoJUnit.rule();

    @Mock PackageManagerInternal mPackageManagerInternal;

    @Mock Context mMockContext;

    @Mock Resources mMockResources;

    @Mock RuleEvaluationEngine mRuleEvaluationEngine;

    @Mock IntegrityFileManager mIntegrityFileManager;

    @Mock Handler mHandler;

    FileIntegrityManager mFileIntegrityManager;

    private final Context mRealContext = InstrumentationRegistry.getTargetContext();

    private PackageManager mSpyPackageManager;

    private File mTestApk;

    private File mTestApkTwoCerts;

    private File mTestApkSourceStamp;

    // under test

    private AppIntegrityManagerServiceImpl mService;

            Files.copy(inputStream, mTestApkTwoCerts.toPath(), REPLACE_EXISTING);

        }

        mTestApkSourceStamp = File.createTempFile("AppIntegritySourceStamp", ".apk");

        try (InputStream inputStream = mRealContext.getAssets().open(TEST_APP_SOURCE_STAMP_PATH)) {

            Files.copy(inputStream, mTestApkSourceStamp.toPath(), REPLACE_EXISTING);

        }

        mFileIntegrityManager =

                (FileIntegrityManager)

                        mRealContext.getSystemService(Context.FILE_INTEGRITY_SERVICE);

        mService =

                new AppIntegrityManagerServiceImpl(

                        mMockContext,

                        mPackageManagerInternal,

                        mRuleEvaluationEngine,

                        mIntegrityFileManager,

                        mFileIntegrityManager,

                        mHandler);

        mSpyPackageManager = spy(mRealContext.getPackageManager());

    public void tearDown() throws Exception {

        mTestApk.delete();

        mTestApkTwoCerts.delete();

        mTestApkSourceStamp.delete();

    }

    @Test

        IntentSender mockReceiver = mock(IntentSender.class);

        List<Rule> rules =

                Arrays.asList(

                        new Rule(IntegrityFormula.Application.packageNameEquals(PACKAGE_NAME),

                        new Rule(

                                IntegrityFormula.Application.packageNameEquals(PACKAGE_NAME),

                                Rule.DENY));

        mService.updateRuleSet(VERSION, new ParceledListSlice<>(rules), mockReceiver);

        IntentSender mockReceiver = mock(IntentSender.class);

        List<Rule> rules =

                Arrays.asList(

                        new Rule(IntegrityFormula.Application.packageNameEquals(PACKAGE_NAME),

                        new Rule(

                                IntegrityFormula.Application.packageNameEquals(PACKAGE_NAME),

                                Rule.DENY));

        mService.updateRuleSet(VERSION, new ParceledListSlice<>(rules), mockReceiver);

        ArgumentCaptor<AppInstallMetadata> metadataCaptor =

                ArgumentCaptor.forClass(AppInstallMetadata.class);

        verify(mRuleEvaluationEngine)

                .evaluate(metadataCaptor.capture());

        verify(mRuleEvaluationEngine).evaluate(metadataCaptor.capture());

        AppInstallMetadata appInstallMetadata = metadataCaptor.getValue();

        assertEquals(PACKAGE_NAME, appInstallMetadata.getPackageName());

        assertThat(appInstallMetadata.getAppCertificates()).containsExactly(APP_CERT);

                ArgumentCaptor.forClass(AppInstallMetadata.class);

        verify(mRuleEvaluationEngine).evaluate(metadataCaptor.capture());

        AppInstallMetadata appInstallMetadata = metadataCaptor.getValue();

        assertThat(appInstallMetadata.getAppCertificates()).containsExactly(

                DUMMY_APP_TWO_CERTS_CERT_1, DUMMY_APP_TWO_CERTS_CERT_2);

        assertThat(appInstallMetadata.getAppCertificates())

                .containsExactly(DUMMY_APP_TWO_CERTS_CERT_1, DUMMY_APP_TWO_CERTS_CERT_2);

    }

    @Test

    public void handleBroadcast_correctArgs_sourceStamp() throws Exception {

        whitelistUsAsRuleProvider();

        makeUsSystemApp();

        ArgumentCaptor<BroadcastReceiver> broadcastReceiverCaptor =

                ArgumentCaptor.forClass(BroadcastReceiver.class);

        verify(mMockContext)

                .registerReceiver(broadcastReceiverCaptor.capture(), any(), any(), any());

        Intent intent = makeVerificationIntent();

        intent.setDataAndType(Uri.fromFile(mTestApkSourceStamp), PACKAGE_MIME_TYPE);

        when(mRuleEvaluationEngine.evaluate(any())).thenReturn(IntegrityCheckResult.allow());

        broadcastReceiverCaptor.getValue().onReceive(mMockContext, intent);

        runJobInHandler();

        ArgumentCaptor<AppInstallMetadata> metadataCaptor =

                ArgumentCaptor.forClass(AppInstallMetadata.class);

        verify(mRuleEvaluationEngine).evaluate(metadataCaptor.capture());

        AppInstallMetadata appInstallMetadata = metadataCaptor.getValue();

        assertTrue(appInstallMetadata.isStampPresent());

        assertTrue(appInstallMetadata.isStampVerified());

        assertFalse(appInstallMetadata.isStampTrusted());

        assertEquals(SOURCE_STAMP_CERTIFICATE_HASH, appInstallMetadata.getStampCertificateHash());

    }

    @Test

        PackageInfo packageInfo =

                mRealContext

                        .getPackageManager()

                        .getPackageInfo(TEST_FRAMEWORK_PACKAGE,

                                PackageManager.GET_SIGNING_CERTIFICATES);

                        .getPackageInfo(

                                TEST_FRAMEWORK_PACKAGE, PackageManager.GET_SIGNING_CERTIFICATES);

        doReturn(packageInfo).when(mSpyPackageManager).getPackageInfo(eq(INSTALLER), anyInt());

        doReturn(1).when(mSpyPackageManager).getPackageUid(eq(INSTALLER), anyInt());

        return makeVerificationIntent(INSTALLER);

    private void setIntegrityCheckIncludesRuleProvider(boolean shouldInclude) throws Exception {

        int value = shouldInclude ? 1 : 0;

        Settings.Global.putInt(mRealContext.getContentResolver(),

                Settings.Global.INTEGRITY_CHECK_INCLUDES_RULE_PROVIDER, value);

        assertThat(Settings.Global.getInt(mRealContext.getContentResolver(),

                Settings.Global.INTEGRITY_CHECK_INCLUDES_RULE_PROVIDER, -1) == 1).isEqualTo(

                shouldInclude);

        Settings.Global.putInt(

                mRealContext.getContentResolver(),

                Settings.Global.INTEGRITY_CHECK_INCLUDES_RULE_PROVIDER,

                value);

        assertThat(

                        Settings.Global.getInt(

                                        mRealContext.getContentResolver(),

                                        Settings.Global.INTEGRITY_CHECK_INCLUDES_RULE_PROVIDER,

                                        -1)

                                == 1)

                .isEqualTo(shouldInclude);

    }

}