Merge "Separate logic for alg selection for OTA and APK signing."

am: cc3440cc1d

* commit 'cc3440cc1d101c225cbe2a42fe4046d3a44b3927':
  Separate logic for alg selection for OTA and APK signing.

Change-Id: Iaed58ff5398ac0637129b3f45eb3a1226e891226
This commit is contained in:
Alex Klyubin
2016-05-03 20:57:58 +00:00
committed by android-build-merger

View File

@@ -132,10 +132,15 @@ class SignApk {
private static final int MIN_API_LEVEL_FOR_SHA256_JAR_SIGNATURES = 18; private static final int MIN_API_LEVEL_FOR_SHA256_JAR_SIGNATURES = 18;
/** /**
* Return one of USE_SHA1 or USE_SHA256 according to the signature * Returns the digest algorithm ID (one of {@code USE_SHA1} or {@code USE_SHA256}) to be used
* algorithm specified in the cert. * for v1 signing (using JAR Signature Scheme) an APK using the private key corresponding to the
* provided certificate.
*
* @param minSdkVersion minimum Android platform API Level supported by the APK (see
* minSdkVersion attribute in AndroidManifest.xml). The higher the minSdkVersion, the
* stronger hash may be used for signing the APK.
*/ */
private static int getDigestAlgorithm(X509Certificate cert, int minSdkVersion) { private static int getV1DigestAlgorithmForApk(X509Certificate cert, int minSdkVersion) {
String sigAlg = cert.getSigAlgName().toUpperCase(Locale.US); String sigAlg = cert.getSigAlgName().toUpperCase(Locale.US);
if ("SHA1WITHRSA".equals(sigAlg) || "MD5WITHRSA".equals(sigAlg)) { if ("SHA1WITHRSA".equals(sigAlg) || "MD5WITHRSA".equals(sigAlg)) {
// see "HISTORICAL NOTE" above. // see "HISTORICAL NOTE" above.
@@ -152,20 +157,50 @@ class SignApk {
} }
} }
/** Returns the expected signature algorithm for this key type. */ /**
private static String getSignatureAlgorithm(X509Certificate cert, int minSdkVersion) { * Returns the digest algorithm ID (one of {@code USE_SHA1} or {@code USE_SHA256}) to be used
String keyType = cert.getPublicKey().getAlgorithm().toUpperCase(Locale.US); * for signing an OTA update package using the private key corresponding to the provided
if ("RSA".equalsIgnoreCase(keyType)) { * certificate.
if ((minSdkVersion >= MIN_API_LEVEL_FOR_SHA256_JAR_SIGNATURES) */
|| (getDigestAlgorithm(cert, minSdkVersion) == USE_SHA256)) { private static int getDigestAlgorithmForOta(X509Certificate cert) {
return "SHA256withRSA"; String sigAlg = cert.getSigAlgName().toUpperCase(Locale.US);
if ("SHA1WITHRSA".equals(sigAlg) || "MD5WITHRSA".equals(sigAlg)) {
// see "HISTORICAL NOTE" above.
return USE_SHA1;
} else if (sigAlg.startsWith("SHA256WITH")) {
return USE_SHA256;
} else { } else {
return "SHA1withRSA"; throw new IllegalArgumentException("unsupported signature algorithm \"" + sigAlg +
"\" in cert [" + cert.getSubjectDN());
} }
} else if ("EC".equalsIgnoreCase(keyType)) { }
return "SHA256withECDSA";
/**
* Returns the JCA {@link java.security.Signature} algorithm to be used for signing and OTA
* or v1 signing an APK using the private key corresponding to the provided certificate and the
* provided digest algorithm (see {@code USE_SHA1} and {@code USE_SHA256} constants).
*/
private static String getJcaSignatureAlgorithmForV1SigningOrOta(
X509Certificate cert, int hash) {
String sigAlgDigestPrefix;
switch (hash) {
case USE_SHA1:
sigAlgDigestPrefix = "SHA1";
break;
case USE_SHA256:
sigAlgDigestPrefix = "SHA256";
break;
default:
throw new IllegalArgumentException("Unknown hash ID: " + hash);
}
String keyAlgorithm = cert.getPublicKey().getAlgorithm();
if ("RSA".equalsIgnoreCase(keyAlgorithm)) {
return sigAlgDigestPrefix + "withRSA";
} else if ("EC".equalsIgnoreCase(keyAlgorithm)) {
return sigAlgDigestPrefix + "withECDSA";
} else { } else {
throw new IllegalArgumentException("unsupported key type: " + keyType); throw new IllegalArgumentException("Unsupported key algorithm: " + keyAlgorithm);
} }
} }
@@ -483,7 +518,7 @@ class SignApk {
/** Sign data and write the digital signature to 'out'. */ /** Sign data and write the digital signature to 'out'. */
private static void writeSignatureBlock( private static void writeSignatureBlock(
CMSTypedData data, X509Certificate publicKey, PrivateKey privateKey, int minSdkVersion, CMSTypedData data, X509Certificate publicKey, PrivateKey privateKey, int hash,
OutputStream out) OutputStream out)
throws IOException, throws IOException,
CertificateEncodingException, CertificateEncodingException,
@@ -495,7 +530,8 @@ class SignApk {
CMSSignedDataGenerator gen = new CMSSignedDataGenerator(); CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
ContentSigner signer = ContentSigner signer =
new JcaContentSignerBuilder(getSignatureAlgorithm(publicKey, minSdkVersion)) new JcaContentSignerBuilder(
getJcaSignatureAlgorithmForV1SigningOrOta(publicKey, hash))
.build(privateKey); .build(privateKey);
gen.addSignerInfoGenerator( gen.addSignerInfoGenerator(
new JcaSignerInfoGeneratorBuilder( new JcaSignerInfoGeneratorBuilder(
@@ -686,21 +722,21 @@ class SignApk {
private final File publicKeyFile; private final File publicKeyFile;
private final X509Certificate publicKey; private final X509Certificate publicKey;
private final PrivateKey privateKey; private final PrivateKey privateKey;
private final int hash;
private final long timestamp; private final long timestamp;
private final int minSdkVersion;
private final OutputStream outputStream; private final OutputStream outputStream;
private final ASN1ObjectIdentifier type; private final ASN1ObjectIdentifier type;
private WholeFileSignerOutputStream signer; private WholeFileSignerOutputStream signer;
public CMSSigner(JarFile inputJar, File publicKeyFile, public CMSSigner(JarFile inputJar, File publicKeyFile,
X509Certificate publicKey, PrivateKey privateKey, long timestamp, X509Certificate publicKey, PrivateKey privateKey, int hash,
int minSdkVersion, OutputStream outputStream) { long timestamp, OutputStream outputStream) {
this.inputJar = inputJar; this.inputJar = inputJar;
this.publicKeyFile = publicKeyFile; this.publicKeyFile = publicKeyFile;
this.publicKey = publicKey; this.publicKey = publicKey;
this.privateKey = privateKey; this.privateKey = privateKey;
this.hash = hash;
this.timestamp = timestamp; this.timestamp = timestamp;
this.minSdkVersion = minSdkVersion;
this.outputStream = outputStream; this.outputStream = outputStream;
this.type = new ASN1ObjectIdentifier(CMSObjectIdentifiers.data.getId()); this.type = new ASN1ObjectIdentifier(CMSObjectIdentifiers.data.getId());
} }
@@ -725,8 +761,6 @@ class SignApk {
signer = new WholeFileSignerOutputStream(out, outputStream); signer = new WholeFileSignerOutputStream(out, outputStream);
JarOutputStream outputJar = new JarOutputStream(signer); JarOutputStream outputJar = new JarOutputStream(signer);
int hash = getDigestAlgorithm(publicKey, minSdkVersion);
Manifest manifest = addDigestsToManifest(inputJar, hash); Manifest manifest = addDigestsToManifest(inputJar, hash);
copyFiles(manifest, inputJar, outputJar, timestamp, 0); copyFiles(manifest, inputJar, outputJar, timestamp, 0);
addOtacert(outputJar, publicKeyFile, timestamp, manifest, hash); addOtacert(outputJar, publicKeyFile, timestamp, manifest, hash);
@@ -734,8 +768,8 @@ class SignApk {
signFile(manifest, signFile(manifest,
new X509Certificate[]{ publicKey }, new X509Certificate[]{ publicKey },
new PrivateKey[]{ privateKey }, new PrivateKey[]{ privateKey },
new int[] { hash },
timestamp, timestamp,
minSdkVersion,
false, // Don't sign using APK Signature Scheme v2 false, // Don't sign using APK Signature Scheme v2
outputJar); outputJar);
@@ -753,7 +787,7 @@ class SignApk {
CertificateEncodingException, CertificateEncodingException,
OperatorCreationException, OperatorCreationException,
CMSException { CMSException {
SignApk.writeSignatureBlock(this, publicKey, privateKey, minSdkVersion, temp); SignApk.writeSignatureBlock(this, publicKey, privateKey, hash, temp);
} }
public WholeFileSignerOutputStream getSigner() { public WholeFileSignerOutputStream getSigner() {
@@ -763,10 +797,10 @@ class SignApk {
private static void signWholeFile(JarFile inputJar, File publicKeyFile, private static void signWholeFile(JarFile inputJar, File publicKeyFile,
X509Certificate publicKey, PrivateKey privateKey, X509Certificate publicKey, PrivateKey privateKey,
long timestamp, int minSdkVersion, int hash, long timestamp,
OutputStream outputStream) throws Exception { OutputStream outputStream) throws Exception {
CMSSigner cmsOut = new CMSSigner(inputJar, publicKeyFile, CMSSigner cmsOut = new CMSSigner(inputJar, publicKeyFile,
publicKey, privateKey, timestamp, minSdkVersion, outputStream); publicKey, privateKey, hash, timestamp, outputStream);
ByteArrayOutputStream temp = new ByteArrayOutputStream(); ByteArrayOutputStream temp = new ByteArrayOutputStream();
@@ -831,9 +865,8 @@ class SignApk {
} }
private static void signFile(Manifest manifest, private static void signFile(Manifest manifest,
X509Certificate[] publicKey, PrivateKey[] privateKey, X509Certificate[] publicKey, PrivateKey[] privateKey, int[] hash,
long timestamp, long timestamp,
int minSdkVersion,
boolean additionallySignedUsingAnApkSignatureScheme, boolean additionallySignedUsingAnApkSignatureScheme,
JarOutputStream outputJar) JarOutputStream outputJar)
throws Exception { throws Exception {
@@ -855,7 +888,7 @@ class SignApk {
writeSignatureFile( writeSignatureFile(
manifest, manifest,
baos, baos,
getDigestAlgorithm(publicKey[k], minSdkVersion), hash[k],
additionallySignedUsingAnApkSignatureScheme); additionallySignedUsingAnApkSignatureScheme);
byte[] signedData = baos.toByteArray(); byte[] signedData = baos.toByteArray();
outputJar.write(signedData); outputJar.write(signedData);
@@ -868,7 +901,7 @@ class SignApk {
je.setTime(timestamp); je.setTime(timestamp);
outputJar.putNextEntry(je); outputJar.putNextEntry(je);
writeSignatureBlock(new CMSProcessableByteArray(signedData), writeSignatureBlock(new CMSProcessableByteArray(signedData),
publicKey[k], privateKey[k], minSdkVersion, outputJar); publicKey[k], privateKey[k], hash[k], outputJar);
} }
} }
@@ -1075,7 +1108,6 @@ class SignApk {
JarFile inputJar = null; JarFile inputJar = null;
FileOutputStream outputFile = null; FileOutputStream outputFile = null;
int hashes = 0;
try { try {
File firstPublicKeyFile = new File(args[argstart+0]); File firstPublicKeyFile = new File(args[argstart+0]);
@@ -1085,7 +1117,6 @@ class SignApk {
for (int i = 0; i < numKeys; ++i) { for (int i = 0; i < numKeys; ++i) {
int argNum = argstart + i*2; int argNum = argstart + i*2;
publicKey[i] = readPublicKey(new File(args[argNum])); publicKey[i] = readPublicKey(new File(args[argNum]));
hashes |= getDigestAlgorithm(publicKey[i], minSdkVersion);
} }
} catch (IllegalArgumentException e) { } catch (IllegalArgumentException e) {
System.err.println(e); System.err.println(e);
@@ -1111,9 +1142,10 @@ class SignApk {
// NOTE: Signing currently recompresses any compressed entries using Deflate (default // NOTE: Signing currently recompresses any compressed entries using Deflate (default
// compression level for OTA update files and maximum compession level for APKs). // compression level for OTA update files and maximum compession level for APKs).
if (signWholeFile) { if (signWholeFile) {
SignApk.signWholeFile(inputJar, firstPublicKeyFile, int digestAlgorithm = getDigestAlgorithmForOta(publicKey[0]);
publicKey[0], privateKey[0], signWholeFile(inputJar, firstPublicKeyFile,
timestamp, minSdkVersion, publicKey[0], privateKey[0], digestAlgorithm,
timestamp,
outputFile); outputFile);
} else { } else {
// Generate, in memory, an APK signed using standard JAR Signature Scheme. // Generate, in memory, an APK signed using standard JAR Signature Scheme.
@@ -1122,12 +1154,18 @@ class SignApk {
// Use maximum compression for compressed entries because the APK lives forever on // Use maximum compression for compressed entries because the APK lives forever on
// the system partition. // the system partition.
outputJar.setLevel(9); outputJar.setLevel(9);
Manifest manifest = addDigestsToManifest(inputJar, hashes); int v1DigestAlgorithmBitSet = 0;
int[] v1DigestAlgorithm = new int[numKeys];
for (int i = 0; i < numKeys; ++i) {
v1DigestAlgorithm[i] = getV1DigestAlgorithmForApk(publicKey[i], minSdkVersion);
v1DigestAlgorithmBitSet |= v1DigestAlgorithm[i];
}
Manifest manifest = addDigestsToManifest(inputJar, v1DigestAlgorithmBitSet);
copyFiles(manifest, inputJar, outputJar, timestamp, alignment); copyFiles(manifest, inputJar, outputJar, timestamp, alignment);
signFile( signFile(
manifest, manifest,
publicKey, privateKey, publicKey, privateKey, v1DigestAlgorithm,
timestamp, minSdkVersion, signUsingApkSignatureSchemeV2, timestamp, signUsingApkSignatureSchemeV2,
outputJar); outputJar);
outputJar.close(); outputJar.close();
ByteBuffer v1SignedApk = ByteBuffer.wrap(v1SignedApkBuf.toByteArray()); ByteBuffer v1SignedApk = ByteBuffer.wrap(v1SignedApkBuf.toByteArray());