Implement signature check.

Currently, we just have debug keys, and always fail verification on user builds. Production keys will be added later. This CL also includes some helper scripts: - Used to generate debug keys, for the record - To sign data using the debug keys - To verify base64 encoded data, used for debugging Test: atest CtsSignedConfigHostTestCases Note: The test also relies on some other changes going in too; it has been verified with all relevant change in place, but will not pass at HEAD quite yet. Bug: 110509075 Change-Id: I8bd420c44a0a523cbefb21f90c49550c25beb0a6
author: Mathew Inwood <mathewi@google.com> 2018-12-04 11:52:42 +0000
committer: Mathew Inwood <mathewi@google.com> 2018-12-11 17:06:27 +0000
commit: 96c419f90686ea7f16cde37cf1a137ae6cddf4c6 (patch)
tree: 621d63aa561fb72a4ca02d5fb2c8e6adf06686c0
parent: 9a7fdeb32beab2863f234941773c2bc77cd9bd4c (diff)
7 files changed, 150 insertions, 2 deletions
diff --git a/services/core/java/com/android/server/signedconfig/SignatureVerifier.java b/services/core/java/com/android/server/signedconfig/SignatureVerifier.java
new file mode 100644
index 000000000000..944db84acc71
--- /dev/null
+++ b/services/core/java/com/android/server/signedconfig/SignatureVerifier.java
@@ -0,0 +1,109 @@
+/*
+ * Copyright (C) 2018 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.server.signedconfig;
+
+import android.os.Build;
+import android.util.Slog;
+
+import java.nio.charset.StandardCharsets;
+import java.security.InvalidKeyException;
+import java.security.KeyFactory;
+import java.security.NoSuchAlgorithmException;
+import java.security.PublicKey;
+import java.security.Signature;
+import java.security.SignatureException;
+import java.security.spec.EncodedKeySpec;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.X509EncodedKeySpec;
+import java.util.Base64;
+
+/**
+ * Helper class for verifying config signatures.
+ */
+public class SignatureVerifier {
+
+    private static final String TAG = "SignedConfig";
+    private static final boolean DBG = false;
+
+    private static final String DEBUG_KEY =
+            "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEaAn2XVifsLTHg616nTsOMVmlhBoECGbTEBTKKvdd2hO60"
+            + "pj1pnU8SMkhYfaNxZuKgw9LNvOwlFwStboIYeZ3lQ==";
+
+    private final PublicKey mDebugKey;
+
+    public SignatureVerifier() {
+        mDebugKey = createKey(DEBUG_KEY);
+    }
+
+    private static PublicKey createKey(String base64) {
+        EncodedKeySpec keySpec;
+        try {
+            byte[] key = Base64.getDecoder().decode(base64);
+            keySpec = new X509EncodedKeySpec(key);
+        } catch (IllegalArgumentException e) {
+            Slog.e(TAG, "Failed to base64 decode public key", e);
+            return null;
+        }
+        try {
+            KeyFactory factory = KeyFactory.getInstance("EC");
+            return factory.generatePublic(keySpec);
+        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
+            Slog.e(TAG, "Failed to construct public key", e);
+            return null;
+        }
+    }
+
+    /**
+     * Verify a signature for signed config.
+     *
+     * @param config Config as read from APK meta-data.
+     * @param base64Signature Signature as read from APK meta-data.
+     * @return {@code true} iff the signature was successfully verified.
+     */
+    public boolean verifySignature(String config, String base64Signature)
+            throws NoSuchAlgorithmException, InvalidKeyException, SignatureException {
+        byte[] signature;
+        try {
+            signature = Base64.getDecoder().decode(base64Signature);
+        } catch (IllegalArgumentException e) {
+            Slog.e(TAG, "Failed to base64 decode signature");
+            return false;
+        }
+        byte[] data = config.getBytes(StandardCharsets.UTF_8);
+        if (DBG) Slog.i(TAG, "Data: " + Base64.getEncoder().encodeToString(data));
+
+        if (Build.IS_DEBUGGABLE) {
+            if (mDebugKey != null) {
+                if (DBG) Slog.w(TAG, "Trying to verify signature using debug key");
+                Signature verifier = Signature.getInstance("SHA256withECDSA");
+                verifier.initVerify(mDebugKey);
+                verifier.update(data);
+                if (verifier.verify(signature)) {
+                    Slog.i(TAG, "Verified config using debug key");
+                    return true;
+                } else {
+                    if (DBG) Slog.i(TAG, "Config verification failed using debug key");
+                }
+            } else {
+                Slog.w(TAG, "Debuggable build, but have no debug key");
+            }
+        }
+        // TODO verify production key.
+        Slog.w(TAG, "NO PRODUCTION KEY YET, FAILING VERIFICATION");
+        return false;
+    }
+}
diff --git a/services/core/java/com/android/server/signedconfig/SignedConfigApplicator.java b/services/core/java/com/android/server/signedconfig/SignedConfigApplicator.java
index e4d799a2e3b7..4908964109ad 100644
--- a/services/core/java/com/android/server/signedconfig/SignedConfigApplicator.java
+++ b/services/core/java/com/android/server/signedconfig/SignedConfigApplicator.java
@@ -24,6 +24,7 @@ import android.util.ArrayMap;
 import android.util.ArraySet;
 import android.util.Slog;
 
+import java.security.GeneralSecurityException;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.Map;
@@ -65,15 +66,21 @@ class SignedConfigApplicator {
 
     private final Context mContext;
     private final String mSourcePackage;
+    private final SignatureVerifier mVerifier;
 
     SignedConfigApplicator(Context context, String sourcePackage) {
         mContext = context;
         mSourcePackage = sourcePackage;
+        mVerifier = new SignatureVerifier();
     }
 
     private boolean checkSignature(String data, String signature) {
-        Slog.w(TAG, "SIGNATURE CHECK NOT IMPLEMENTED YET!");
-        return false;
+        try {
+            return mVerifier.verifySignature(data, signature);
+        } catch (GeneralSecurityException e) {
+            Slog.e(TAG, "Failed to verify signature", e);
+            return false;
+        }
     }
 
     private int getCurrentConfigVersion() {
diff --git a/tools/signedconfig/debug_key.pem b/tools/signedconfig/debug_key.pem
new file mode 100644
index 000000000000..0af577bf81e1
--- /dev/null
+++ b/tools/signedconfig/debug_key.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIEfgtO+KPOoqJqTnqkDDKkAcOzyvtovsUO/ShLE6y4XRoAoGCCqGSM49
+AwEHoUQDQgAEaAn2XVifsLTHg616nTsOMVmlhBoECGbTEBTKKvdd2hO60pj1pnU8
+SMkhYfaNxZuKgw9LNvOwlFwStboIYeZ3lQ==
+-----END EC PRIVATE KEY-----
diff --git a/tools/signedconfig/debug_public.pem b/tools/signedconfig/debug_public.pem
new file mode 100644
index 000000000000..f61f81322b94
--- /dev/null
+++ b/tools/signedconfig/debug_public.pem
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEaAn2XVifsLTHg616nTsOMVmlhBoE
+CGbTEBTKKvdd2hO60pj1pnU8SMkhYfaNxZuKgw9LNvOwlFwStboIYeZ3lQ==
+-----END PUBLIC KEY-----
diff --git a/tools/signedconfig/debug_sign.sh b/tools/signedconfig/debug_sign.sh
new file mode 100755
index 000000000000..28e54289f8f8
--- /dev/null
+++ b/tools/signedconfig/debug_sign.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# Script to sign data with the debug keys. Outputs base64 for embedding into
+# APK metadata.
+
+openssl dgst -sha256 -sign $(dirname $0)/debug_key.pem  $1 | base64 -w 0
+echo
diff --git a/tools/signedconfig/gen_priv_key.sh b/tools/signedconfig/gen_priv_key.sh
new file mode 100755
index 000000000000..834c86bc8c12
--- /dev/null
+++ b/tools/signedconfig/gen_priv_key.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# This script acts as a record of how the debug key was generated. There should
+# be no need to run it again.
+
+openssl ecparam -name prime256v1 -genkey -noout -out debug_key.pem
+openssl ec -in debug_key.pem -pubout -out debug_public.pem
diff --git a/tools/signedconfig/verify_b64.sh b/tools/signedconfig/verify_b64.sh
new file mode 100755
index 000000000000..8e1f58ce7b45
--- /dev/null
+++ b/tools/signedconfig/verify_b64.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# Script to verify signatures, with both signature & data given in b64
+# Args:
+# 1. data (base64 encoded)
+# 2. signature (base64 encoded)
+# The arg values can be taken from the debug log for SignedConfigService when verbose logging is
+# enabled.
+
+openssl dgst -sha256 -verify $(dirname $0)/debug_public.pem -signature <(echo $2 | base64 -d) <(echo $1 | base64 -d)
author	Mathew Inwood <mathewi@google.com>	2018-12-04 11:52:42 +0000
committer	Mathew Inwood <mathewi@google.com>	2018-12-11 17:06:27 +0000
commit	96c419f90686ea7f16cde37cf1a137ae6cddf4c6 (patch)
tree	621d63aa561fb72a4ca02d5fb2c8e6adf06686c0
parent	9a7fdeb32beab2863f234941773c2bc77cd9bd4c (diff)