InstantAppRegistry: adjust backwards compat cookie sig check.

InstantAppRegistry used to store cookies based on the hash of only
one of the signing certificates out of potentially multiple signing
certificates.  To prevent loss of stored cookie info for an app which
has multiple signing certificates, it needs to check if the stored hash
value corresponded to only one of those certs before this was corrected.
Since the order of signing certificates is not specified, all cert hashes
should be compared to see if one of them matches the stored value.

Bug: 73739156
Test: android.appsecurity.cts.InstantCookieHostTest#testCookieValidWhenSingedWithTwoCerts
Change-Id: I2d616ca7ba60104f0b009d23e8eb4e7f525362fd

1 files changed, 6 insertions, 4 deletions

diff --git a/services/core/java/com/android/server/pm/InstantAppRegistry.java b/services/core/java/com/android/server/pm/InstantAppRegistry.java
index fb81ebfec67e..fde13acb8f38 100644
--- a/services/core/java/com/android/server/pm/InstantAppRegistry.java
+++ b/services/core/java/com/android/server/pm/InstantAppRegistry.java
@@ -312,12 +312,14 @@ class InstantAppRegistry {
                 return;
             }
 
-            // For backwards compatibility we accept match based on first signature only in the case
-            // of multiply-signed packagse
+            // For backwards compatibility we accept match based on any signature, since we may have
+            // recorded only the first for multiply-signed packages
             final String[] signaturesSha256Digests =
                     PackageUtils.computeSignaturesSha256Digests(pkg.mSigningDetails.signatures);
-            if (signaturesSha256Digests[0].equals(currentCookieSha256)) {
-                return;
+            for (String s : signaturesSha256Digests) {
+                if (s.equals(currentCookieSha256)) {
+                    return;
+                }
             }
 
             // Sorry, you are out of luck - different signatures - nuke data