Google Git
Sign in
android/platform/system/apex/9181a2d0f99441d6d5585af1d4fc71aa3debdc51^!/./apexd/apex_file.cpp
commit
9181a2d0f99441d6d5585af1d4fc71aa3debdc51
[log]
author
Jiyong Park <[email protected]>
Thu Dec 27 15:14:45 2018 +0900
committer
Jiyong Park <[email protected]>
Fri Jan 04 03:23:45 2019 +0900
tree
bf3d9bf2d753dcf1063e6bc48cd04902c9ca51cd
parent
c49c8cf0f044a0ab87319e9257b04cfc4c9f8a2c [diff] [blame]
Use the bundled public key for debuggable builds

In debuggable builds, when it has failed to find a matching public key
in the built-in partitions (e.g. /system/etc/security/apex), the public
key bundled in the APEX is used as a fallback, if it exists.

Bug: 122047804
Test: add 'installable: false' to the apex_key
'com.android.apex.test_package.key'.
Install the APEX 'com.android.apex.test_package'. The APEX is activated.
Change-Id: I7824a69478ef55e91d75e1c76d2cfda5e23e8926

diff --git a/apexd/apex_file.cpp b/apexd/apex_file.cpp
index 063e96f..419a9dd 100644
--- a/apexd/apex_file.cpp
+++ b/apexd/apex_file.cpp

@@ -41,6 +41,12 @@
 
 constexpr const char* kImageFilename = "apex_payload.img";
 constexpr const char* kManifestFilename = "apex_manifest.json";
+constexpr const char* kBundledPublicKeyFilename = "apex_pubkey";
+#ifdef DEBUG_ALLOW_BUNDLED_KEY
+constexpr const bool kDebugAllowBundledKey = true;
+#else
+constexpr const bool kDebugAllowBundledKey = false;
+#endif
 
 // Tests if <path>/manifest.json file exists.
 bool isFlattenedApex(const std::string& path) {
@@ -72,6 +78,7 @@
   int32_t image_offset;
   size_t image_size;
   std::string manifest_content;
+  std::string pubkey;
 
   if (isFlattenedApex(path)) {
     flattened = true;
@@ -127,6 +134,23 @@
                         << ": " << ErrorCodeString(ret);
       return StatusOr<ApexFile>::MakeError(err);
     }
+
+    if (kDebugAllowBundledKey) {
+      ret = FindEntry(handle, ZipString(kBundledPublicKeyFilename), &entry);
+      if (ret >= 0) {
+        LOG(VERBOSE) << "Found bundled key in package " << path;
+        length = entry.uncompressed_length;
+        pubkey.resize(length, '\0');
+        ret = ExtractToMemory(handle, &entry,
+                              reinterpret_cast<uint8_t*>(&(pubkey)[0]), length);
+        if (ret != 0) {
+          std::string err = StringLog()
+                            << "Failed to extract public key from package "
+                            << path << ": " << ErrorCodeString(ret);
+          return StatusOr<ApexFile>::MakeError(err);
+        }
+      }
+    }
   }
 
   StatusOr<ApexManifest> manifest = ApexManifest::Parse(manifest_content);
@@ -134,7 +158,8 @@
     return StatusOr<ApexFile>::MakeError(manifest.ErrorMessage());
   }
 
-  ApexFile apexFile(path, flattened, image_offset, image_size, *manifest);
+  ApexFile apexFile(path, flattened, image_offset, image_size, *manifest,
+                    pubkey);
   return StatusOr<ApexFile>(std::move(apexFile));
 }
 
@@ -230,12 +255,25 @@
     return Status::Fail(StringLog() << "Can't read from " << acceptedKeyFile);
   }
 
-  if (memcmp(&verifiedKey[0], key, length) != 0) {
+  if (verifiedKey.length() != length ||
+      memcmp(&verifiedKey[0], key, length) != 0) {
     return Status::Fail("Failed to compare verified key with key");
   }
   return Status::Success();
 }
 
+Status verifyBundledPublicKey(const uint8_t* key, size_t length,
+                              std::string bundledPublicKey) {
+  if (!kDebugAllowBundledKey) {
+    return Status::Fail("Bundled key must not be used in production builds");
+  }
+  if (bundledPublicKey.length() != length ||
+      memcmp(&bundledPublicKey[0], key, length) != 0) {
+    return Status::Fail("Failed to compare the bundled public key with key");
+  }
+  return Status::Success();
+}
+
 StatusOr<std::string> getPublicKeyFilePath(const ApexFile& apex,
                                            const uint8_t* data, size_t length,
                                            const std::string& apex_key_dir) {
@@ -309,18 +347,27 @@
       break;
     }
   }
-  if (!keyFilePath.Ok()) {
+
+  Status st;
+  if (keyFilePath.Ok()) {
+    // TODO(b/115718846)
+    // We need to decide whether we need rollback protection, and whether
+    // we can use the rollback protection provided by libavb.
+    st = verifyPublicKey(pk, pk_len, *keyFilePath);
+  } else if (kDebugAllowBundledKey) {
+    // Failing to find the matching public key in the built-in partitions
+    // is a hard error for non-debuggable build. For debuggable builds,
+    // the public key bundled in the APEX is used as a fallback.
+    st = verifyBundledPublicKey(pk, pk_len, apex.GetBundledPublicKey());
+  } else {
     return keyFilePath.ErrorStatus();
   }
 
-  // TODO(b/115718846)
-  // We need to decide whether we need rollback protection, and whether
-  // we can use the rollback protection provided by libavb.
-  Status st = verifyPublicKey(pk, pk_len, *keyFilePath);
   if (st.Ok()) {
     LOG(VERBOSE) << apex.GetPath() << ": public key matches.";
     return st;
   }
+
   return Status::Fail(StringLog()
                       << "Error verifying " << apex.GetPath() << ": "
                       << "couldn't verify public key: " << st.ErrorMessage());