Fix fsverity root hash format

Only fsverity header and extension are included in fsverity hash calculation, not salt, nor the paddings. Test: fsverity measure ioctl returns successfully Bug: 30972906 Change-Id: I06fd82d96dfde21d05367caad5c54257a0e4d6ab
author: Victor Hsieh <victorhsieh@google.com> 2018-01-29 15:10:56 -0800
committer: Victor Hsieh <victorhsieh@google.com> 2018-02-02 10:01:53 -0800
commit: 2120323fb8f47351ea37cfa4632273adf05e0eb6 (patch)
tree: 4102523d3ff80acdeccd0788bc6cb941ae9475a2
parent: 6f2e062c9ffb0dac8137a15a56235d5710b6a8d6 (diff)
1 files changed, 12 insertions, 9 deletions
diff --git a/core/java/android/util/apk/ApkVerityBuilder.java b/core/java/android/util/apk/ApkVerityBuilder.java
index 4c6e511ede46..a3eeb275064a 100644
--- a/core/java/android/util/apk/ApkVerityBuilder.java
+++ b/core/java/android/util/apk/ApkVerityBuilder.java
@@ -106,18 +106,22 @@ abstract class ApkVerityBuilder {
         calculateFsveritySignatureInternal(apk, signatureInfo, null, null, header, extensions);
 
         MessageDigest md = MessageDigest.getInstance(JCA_DIGEST_ALGORITHM);
-        md.update(DEFAULT_SALT);
-        md.update(verityBlock);
+        md.update(header);
+        md.update(extensions);
         md.update(apkDigest);
         return md.digest();
     }
 
+    /**
+     * Internal method to generate various parts of FSVerity constructs, including the header,
+     * extensions, Merkle tree, and the tree's root hash.  The output buffer is flipped to the
+     * generated data size and is readey for consuming.
+     */
     private static void calculateFsveritySignatureInternal(
             RandomAccessFile apk, SignatureInfo signatureInfo, ByteBuffer treeOutput,
             ByteBuffer rootHashOutput, ByteBuffer headerOutput, ByteBuffer extensionsOutput)
             throws IOException, NoSuchAlgorithmException, DigestException {
         assertSigningBlockAlignedAndHasFullPages(signatureInfo);
-
         long signingBlockSize =
                 signatureInfo.centralDirOffset - signatureInfo.apkSigningBlockOffset;
         long dataSize = apk.length() - signingBlockSize - ZIP_EOCD_CENTRAL_DIR_OFFSET_FIELD_SIZE;
@@ -128,6 +132,7 @@ abstract class ApkVerityBuilder {
                     levelOffset, treeOutput);
             if (rootHashOutput != null) {
                 rootHashOutput.put(apkRootHash);
+                rootHashOutput.flip();
             }
         }
 
@@ -333,9 +338,9 @@ abstract class ApkVerityBuilder {
         buffer.put((byte) 0);               // auth block offset, disabled here
         buffer.put((byte) 2);               // extension count
         buffer.put(salt);                   // salt (8 bytes)
-        // skip(buffer, 22);                // reserved
+        skip(buffer, 22);                   // reserved
 
-        buffer.rewind();
+        buffer.flip();
         return buffer;
     }
 
@@ -396,12 +401,10 @@ abstract class ApkVerityBuilder {
             buffer.put((byte) ZIP_EOCD_CENTRAL_DIR_OFFSET_FIELD_SIZE);  // length
             skip(buffer, 7);                                            // reserved
             buffer.putInt(Math.toIntExact(signingBlockOffset));         // databytes
-
-            // There are extra kPadding bytes of 0s here, included in the total size field of the
-            // extension header. The output ByteBuffer is assumed to be initialized to 0.
+            skip(buffer, kPadding);                                     // padding
         }
 
-        buffer.rewind();
+        buffer.flip();
         return buffer;
     }
author	Victor Hsieh <victorhsieh@google.com>	2018-01-29 15:10:56 -0800
committer	Victor Hsieh <victorhsieh@google.com>	2018-02-02 10:01:53 -0800
commit	2120323fb8f47351ea37cfa4632273adf05e0eb6 (patch)
tree	4102523d3ff80acdeccd0788bc6cb941ae9475a2
parent	6f2e062c9ffb0dac8137a15a56235d5710b6a8d6 (diff)