Merge "Update PM#checkSignatures by uid to support pre-key rotation behavior" into rvc-dev

author: Michael Groover <mpgroover@google.com> 2020-05-07 21:36:41 +0000
committer: Android (Google) Code Review <android-gerrit@google.com> 2020-05-07 21:36:41 +0000
commit: 3369bbd82a5498e50b39a1f3fdc78f9c3f5022ef (patch)
tree: 1d6206a16d9975e8f8716cf86b601a6b45d93365
parent: 75aeabdd8a5113987545a4d4ff3bcfc14b45a1b2 (diff)
parent: fb2a5241839df8d6f37492ce8522a4c7fa40bace (diff)
2 files changed, 50 insertions, 29 deletions
diff --git a/core/tests/coretests/src/android/content/pm/PackageManagerTests.java b/core/tests/coretests/src/android/content/pm/PackageManagerTests.java
index 6720ed6b7bf9..04906788f4cb 100644
--- a/core/tests/coretests/src/android/content/pm/PackageManagerTests.java
+++ b/core/tests/coretests/src/android/content/pm/PackageManagerTests.java
@@ -2548,9 +2548,18 @@ public class PackageManagerTests extends AndroidTestCase {
             } else {
                 installFromRawResource(apk2Name, apk2, 0, false, false, -1,
                         PackageInfo.INSTALL_LOCATION_UNSPECIFIED);
-                int match = mContext.getPackageManager().checkSignatures(pkg1.getPackageName(),
-                        pkg2.getPackageName());
-                assertEquals(expMatchResult, match);
+                // TODO: All checkSignatures tests should return the same result regardless of
+                // querying by package name or uid; however if there are any edge cases where
+                // individual packages within a shareduid are compared with signatures that do not
+                // match the full lineage of the shareduid this method should be overloaded to
+                // accept the expected response for the uid query.
+                PackageManager pm = getPm();
+                int matchByName = pm.checkSignatures(pkg1.getPackageName(), pkg2.getPackageName());
+                int pkg1Uid = pm.getApplicationInfo(pkg1.getPackageName(), 0).uid;
+                int pkg2Uid = pm.getApplicationInfo(pkg2.getPackageName(), 0).uid;
+                int matchByUid = pm.checkSignatures(pkg1Uid, pkg2Uid);
+                assertEquals(expMatchResult, matchByName);
+                assertEquals(expMatchResult, matchByUid);
             }
         } finally {
             if (cleanUp) {
diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
index f31dbbf077bb..bde9d5735960 100644
--- a/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
@@ -5966,25 +5966,7 @@ public class PackageManagerService extends IPackageManager.Stub
                     || shouldFilterApplicationLocked(ps2, callingUid, callingUserId)) {
                 return PackageManager.SIGNATURE_UNKNOWN_PACKAGE;
             }
-            SigningDetails p1SigningDetails = p1.getSigningDetails();
-            SigningDetails p2SigningDetails = p2.getSigningDetails();
-            int result = compareSignatures(p1SigningDetails.signatures,
-                    p2SigningDetails.signatures);
-            // To support backwards compatibility with clients of this API expecting pre-key
-            // rotation results if either of the packages has a signing lineage the oldest signer
-            // in the lineage is used for signature verification.
-            if (result != PackageManager.SIGNATURE_MATCH && (
-                    p1SigningDetails.hasPastSigningCertificates()
-                            || p2SigningDetails.hasPastSigningCertificates())) {
-                Signature[] p1Signatures = p1SigningDetails.hasPastSigningCertificates()
-                        ? new Signature[]{p1SigningDetails.pastSigningCertificates[0]}
-                        : p1SigningDetails.signatures;
-                Signature[] p2Signatures = p2SigningDetails.hasPastSigningCertificates()
-                        ? new Signature[]{p2SigningDetails.pastSigningCertificates[0]}
-                        : p2SigningDetails.signatures;
-                result = compareSignatures(p1Signatures, p2Signatures);
-            }
-            return result;
+            return checkSignaturesInternal(p1.getSigningDetails(), p2.getSigningDetails());
         }
     }
 
@@ -5998,21 +5980,21 @@ public class PackageManagerService extends IPackageManager.Stub
         final int appId2 = UserHandle.getAppId(uid2);
         // reader
         synchronized (mLock) {
-            Signature[] s1;
-            Signature[] s2;
+            SigningDetails p1SigningDetails;
+            SigningDetails p2SigningDetails;
             Object obj = mSettings.getSettingLPr(appId1);
             if (obj != null) {
                 if (obj instanceof SharedUserSetting) {
                     if (isCallerInstantApp) {
                         return PackageManager.SIGNATURE_UNKNOWN_PACKAGE;
                     }
-                    s1 = ((SharedUserSetting)obj).signatures.mSigningDetails.signatures;
+                    p1SigningDetails = ((SharedUserSetting) obj).signatures.mSigningDetails;
                 } else if (obj instanceof PackageSetting) {
                     final PackageSetting ps = (PackageSetting) obj;
                     if (shouldFilterApplicationLocked(ps, callingUid, callingUserId)) {
                         return PackageManager.SIGNATURE_UNKNOWN_PACKAGE;
                     }
-                    s1 = ps.signatures.mSigningDetails.signatures;
+                    p1SigningDetails = ps.signatures.mSigningDetails;
                 } else {
                     return PackageManager.SIGNATURE_UNKNOWN_PACKAGE;
                 }
@@ -6025,21 +6007,51 @@ public class PackageManagerService extends IPackageManager.Stub
                     if (isCallerInstantApp) {
                         return PackageManager.SIGNATURE_UNKNOWN_PACKAGE;
                     }
-                    s2 = ((SharedUserSetting)obj).signatures.mSigningDetails.signatures;
+                    p2SigningDetails = ((SharedUserSetting) obj).signatures.mSigningDetails;
                 } else if (obj instanceof PackageSetting) {
                     final PackageSetting ps = (PackageSetting) obj;
                     if (shouldFilterApplicationLocked(ps, callingUid, callingUserId)) {
                         return PackageManager.SIGNATURE_UNKNOWN_PACKAGE;
                     }
-                    s2 = ps.signatures.mSigningDetails.signatures;
+                    p2SigningDetails = ps.signatures.mSigningDetails;
                 } else {
                     return PackageManager.SIGNATURE_UNKNOWN_PACKAGE;
                 }
             } else {
                 return PackageManager.SIGNATURE_UNKNOWN_PACKAGE;
             }
-            return compareSignatures(s1, s2);
+            return checkSignaturesInternal(p1SigningDetails, p2SigningDetails);
+        }
+    }
+
+    private int checkSignaturesInternal(SigningDetails p1SigningDetails,
+            SigningDetails p2SigningDetails) {
+        if (p1SigningDetails == null) {
+            return p2SigningDetails == null
+                    ? PackageManager.SIGNATURE_NEITHER_SIGNED
+                    : PackageManager.SIGNATURE_FIRST_NOT_SIGNED;
         }
+        if (p2SigningDetails == null) {
+            return PackageManager.SIGNATURE_SECOND_NOT_SIGNED;
+        }
+        int result = compareSignatures(p1SigningDetails.signatures, p2SigningDetails.signatures);
+        if (result == PackageManager.SIGNATURE_MATCH) {
+            return result;
+        }
+        // To support backwards compatibility with clients of this API expecting pre-key
+        // rotation results if either of the packages has a signing lineage the oldest signer
+        // in the lineage is used for signature verification.
+        if (p1SigningDetails.hasPastSigningCertificates()
+                || p2SigningDetails.hasPastSigningCertificates()) {
+            Signature[] p1Signatures = p1SigningDetails.hasPastSigningCertificates()
+                    ? new Signature[]{p1SigningDetails.pastSigningCertificates[0]}
+                    : p1SigningDetails.signatures;
+            Signature[] p2Signatures = p2SigningDetails.hasPastSigningCertificates()
+                    ? new Signature[]{p2SigningDetails.pastSigningCertificates[0]}
+                    : p2SigningDetails.signatures;
+            result = compareSignatures(p1Signatures, p2Signatures);
+        }
+        return result;
     }
 
     @Override
author	Michael Groover <mpgroover@google.com>	2020-05-07 21:36:41 +0000
committer	Android (Google) Code Review <android-gerrit@google.com>	2020-05-07 21:36:41 +0000
commit	3369bbd82a5498e50b39a1f3fdc78f9c3f5022ef (patch)
tree	1d6206a16d9975e8f8716cf86b601a6b45d93365
parent	75aeabdd8a5113987545a4d4ff3bcfc14b45a1b2 (diff)
parent	fb2a5241839df8d6f37492ce8522a4c7fa40bace (diff)