[framework] Extract v3 digest for v4 checking correctly
Use the same ordering of digest algorithms as the apksigner and
the general v3 checking do.
Test: adb install --incremental <apk> with v4 signature
Bug: b/151241461
Change-Id: I5c4c8339d7fd2ba127bd0f453efc9c04a8be7ac7
diff --git a/core/java/android/util/apk/ApkSignatureSchemeV3Verifier.java b/core/java/android/util/apk/ApkSignatureSchemeV3Verifier.java
index 79eb9f6..2437af2 100644
--- a/core/java/android/util/apk/ApkSignatureSchemeV3Verifier.java
+++ b/core/java/android/util/apk/ApkSignatureSchemeV3Verifier.java
@@ -213,15 +213,24 @@
verityDigest, apk.length(), signatureInfo);
}
- if (contentDigests.containsKey(CONTENT_DIGEST_CHUNKED_SHA512)) {
- result.digest = contentDigests.get(CONTENT_DIGEST_CHUNKED_SHA512);
- } else if (contentDigests.containsKey(CONTENT_DIGEST_CHUNKED_SHA256)) {
- result.digest = contentDigests.get(CONTENT_DIGEST_CHUNKED_SHA256);
- }
+ result.digest = pickBestV3DigestForV4(contentDigests);
return result;
}
+ // Keep in sync with pickBestV3DigestForV4 in apksigner.V3SchemeVerifier.
+ private static byte[] pickBestV3DigestForV4(Map<Integer, byte[]> contentDigests) {
+ final int[] orderedContentDigestTypes =
+ {CONTENT_DIGEST_CHUNKED_SHA512, CONTENT_DIGEST_VERITY_CHUNKED_SHA256,
+ CONTENT_DIGEST_CHUNKED_SHA256};
+ for (int contentDigestType : orderedContentDigestTypes) {
+ if (contentDigests.containsKey(contentDigestType)) {
+ return contentDigests.get(contentDigestType);
+ }
+ }
+ return null;
+ }
+
private static VerifiedSigner verifySigner(
ByteBuffer signerBlock,
Map<Integer, byte[]> contentDigests,
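Review bot: `pickBestV3DigestForV4` falls through to `return null` when none of the three digest types is in the map, and `result.digest` is then assigned that null with nothing here documenting how the v4 comparison must treat it. The code that consumes `result.digest` is outside this hunk, as is the start of the enclosing method, so it is worth confirming that a null digest fails v4 verification rather than skipping the comparison. I would extend the comment above the helper to state the contract, for example `// Returns null if no supported digest is present; callers doing the v4 check must reject a null digest.`, and to say that the order is a preference order that has to match the signer's choice. For the verity type the helper returns the raw map entry, while the context line above passes `verityDigest` through `parseVerityDigestAndVerifySourceLength`; if the raw form is what the v4 signature binds to, that deserves a short comment as well. As a style point, the order array could be a `private static final int[]` constant instead of being rebuilt on every call.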