Implement signature check.
Currently, we just have debug keys, and always fail verification on
user builds. Production keys will be added later.
This CL also includes some helper scripts:
- Used to generate debug keys, for the record
- To sign data using the debug keys
- To verify base64 encoded data, used for debugging
Test: atest CtsSignedConfigHostTestCases
Note: The test also relies on some other changes going in too; it has
been verified with all relevant change in place, but will not pass at
HEAD quite yet.
Bug: 110509075
Change-Id: I8bd420c44a0a523cbefb21f90c49550c25beb0a6
diff --git a/services/core/java/com/android/server/signedconfig/SignatureVerifier.java b/services/core/java/com/android/server/signedconfig/SignatureVerifier.java
new file mode 100644
index 0000000..944db84
--- /dev/null
+++ b/services/core/java/com/android/server/signedconfig/SignatureVerifier.java
@@ -0,0 +1,109 @@
+/*
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.server.signedconfig;
+
+import android.os.Build;
+import android.util.Slog;
+
+import java.nio.charset.StandardCharsets;
+import java.security.InvalidKeyException;
+import java.security.KeyFactory;
+import java.security.NoSuchAlgorithmException;
+import java.security.PublicKey;
+import java.security.Signature;
+import java.security.SignatureException;
+import java.security.spec.EncodedKeySpec;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.X509EncodedKeySpec;
+import java.util.Base64;
+
+/**
+ * Helper class for verifying config signatures.
+ */
+public class SignatureVerifier {
+
+ private static final String TAG = "SignedConfig";
+ private static final boolean DBG = false;
+
+ private static final String DEBUG_KEY =
+ "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEaAn2XVifsLTHg616nTsOMVmlhBoECGbTEBTKKvdd2hO60"
+ + "pj1pnU8SMkhYfaNxZuKgw9LNvOwlFwStboIYeZ3lQ==";
+
+ private final PublicKey mDebugKey;
+
+ public SignatureVerifier() {
+ mDebugKey = createKey(DEBUG_KEY);
+ }
+
+ private static PublicKey createKey(String base64) {
+ EncodedKeySpec keySpec;
+ try {
+ byte[] key = Base64.getDecoder().decode(base64);
+ keySpec = new X509EncodedKeySpec(key);
+ } catch (IllegalArgumentException e) {
+ Slog.e(TAG, "Failed to base64 decode public key", e);
+ return null;
+ }
+ try {
+ KeyFactory factory = KeyFactory.getInstance("EC");
+ return factory.generatePublic(keySpec);
+ } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
+ Slog.e(TAG, "Failed to construct public key", e);
+ return null;
+ }
+ }
+
+ /**
+ * Verify a signature for signed config.
+ *
+ * @param config Config as read from APK meta-data.
+ * @param base64Signature Signature as read from APK meta-data.
+ * @return {@code true} iff the signature was successfully verified.
+ */
+ public boolean verifySignature(String config, String base64Signature)
+ throws NoSuchAlgorithmException, InvalidKeyException, SignatureException {
+ byte[] signature;
+ try {
+ signature = Base64.getDecoder().decode(base64Signature);
+ } catch (IllegalArgumentException e) {
+ Slog.e(TAG, "Failed to base64 decode signature");
+ return false;
+ }
+ byte[] data = config.getBytes(StandardCharsets.UTF_8);
+ if (DBG) Slog.i(TAG, "Data: " + Base64.getEncoder().encodeToString(data));
+
+ if (Build.IS_DEBUGGABLE) {
+ if (mDebugKey != null) {
+ if (DBG) Slog.w(TAG, "Trying to verify signature using debug key");
+ Signature verifier = Signature.getInstance("SHA256withECDSA");
+ verifier.initVerify(mDebugKey);
+ verifier.update(data);
+ if (verifier.verify(signature)) {
+ Slog.i(TAG, "Verified config using debug key");
+ return true;
+ } else {
+ if (DBG) Slog.i(TAG, "Config verification failed using debug key");
+ }
+ } else {
+ Slog.w(TAG, "Debuggable build, but have no debug key");
+ }
+ }
+ // TODO verify production key.
+ Slog.w(TAG, "NO PRODUCTION KEY YET, FAILING VERIFICATION");
+ return false;
+ }
+}
diff --git a/services/core/java/com/android/server/signedconfig/SignedConfigApplicator.java b/services/core/java/com/android/server/signedconfig/SignedConfigApplicator.java
index e4d799a..4908964 100644
--- a/services/core/java/com/android/server/signedconfig/SignedConfigApplicator.java
+++ b/services/core/java/com/android/server/signedconfig/SignedConfigApplicator.java
@@ -24,6 +24,7 @@
import android.util.ArraySet;
import android.util.Slog;
+import java.security.GeneralSecurityException;
import java.util.Arrays;
import java.util.Collections;
import java.util.Map;
@@ -65,15 +66,21 @@
private final Context mContext;
private final String mSourcePackage;
+ private final SignatureVerifier mVerifier;
SignedConfigApplicator(Context context, String sourcePackage) {
mContext = context;
mSourcePackage = sourcePackage;
+ mVerifier = new SignatureVerifier();
}
private boolean checkSignature(String data, String signature) {
- Slog.w(TAG, "SIGNATURE CHECK NOT IMPLEMENTED YET!");
- return false;
+ try {
+ return mVerifier.verifySignature(data, signature);
+ } catch (GeneralSecurityException e) {
+ Slog.e(TAG, "Failed to verify signature", e);
+ return false;
+ }
}
private int getCurrentConfigVersion() {
diff --git a/tools/signedconfig/debug_key.pem b/tools/signedconfig/debug_key.pem
new file mode 100644
index 0000000..0af577b
--- /dev/null
+++ b/tools/signedconfig/debug_key.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIEfgtO+KPOoqJqTnqkDDKkAcOzyvtovsUO/ShLE6y4XRoAoGCCqGSM49
+AwEHoUQDQgAEaAn2XVifsLTHg616nTsOMVmlhBoECGbTEBTKKvdd2hO60pj1pnU8
+SMkhYfaNxZuKgw9LNvOwlFwStboIYeZ3lQ==
+-----END EC PRIVATE KEY-----
diff --git a/tools/signedconfig/debug_public.pem b/tools/signedconfig/debug_public.pem
new file mode 100644
index 0000000..f61f813
--- /dev/null
+++ b/tools/signedconfig/debug_public.pem
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEaAn2XVifsLTHg616nTsOMVmlhBoE
+CGbTEBTKKvdd2hO60pj1pnU8SMkhYfaNxZuKgw9LNvOwlFwStboIYeZ3lQ==
+-----END PUBLIC KEY-----
diff --git a/tools/signedconfig/debug_sign.sh b/tools/signedconfig/debug_sign.sh
new file mode 100755
index 0000000..28e5428
--- /dev/null
+++ b/tools/signedconfig/debug_sign.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# Script to sign data with the debug keys. Outputs base64 for embedding into
+# APK metadata.
+
+openssl dgst -sha256 -sign $(dirname $0)/debug_key.pem $1 | base64 -w 0
+echo
diff --git a/tools/signedconfig/gen_priv_key.sh b/tools/signedconfig/gen_priv_key.sh
new file mode 100755
index 0000000..834c86b
--- /dev/null
+++ b/tools/signedconfig/gen_priv_key.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# This script acts as a record of how the debug key was generated. There should
+# be no need to run it again.
+
+openssl ecparam -name prime256v1 -genkey -noout -out debug_key.pem
+openssl ec -in debug_key.pem -pubout -out debug_public.pem
diff --git a/tools/signedconfig/verify_b64.sh b/tools/signedconfig/verify_b64.sh
new file mode 100755
index 0000000..8e1f58c
--- /dev/null
+++ b/tools/signedconfig/verify_b64.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# Script to verify signatures, with both signature & data given in b64
+# Args:
+# 1. data (base64 encoded)
+# 2. signature (base64 encoded)
+# The arg values can be taken from the debug log for SignedConfigService when verbose logging is
+# enabled.
+
+openssl dgst -sha256 -verify $(dirname $0)/debug_public.pem -signature <(echo $2 | base64 -d) <(echo $1 | base64 -d)