Initial work for key rotation.
Introduces the upgrade-keyset tag to AndroidManifest.xml. This specifies a
KeySet by which an apk must be signed in order to update the app. Multiple
upgrade KeySets may be specified, in which case one of them must be used to
sign the updating apk. If no upgrade-keyset is specified, the current logic
involving signatures is used.
Current Key Rotation Design Decisions:
-Apps using a shared user id may not rotate keys.
-All acceptable upgrade keysets must be specified, including the key signing
the app. This enables key rotation in one update, but also 'locks' an app if
an incorrect upgrade keyset is specified.
-Minimal changes to existing KeySet code.
Bug: 6967056
Change-Id: Ib9bb693d4e9ea1aec375291ecdc182554890d29c
diff --git a/core/java/android/content/pm/PackageParser.java b/core/java/android/content/pm/PackageParser.java
index b40a441..f176dfb 100644
--- a/core/java/android/content/pm/PackageParser.java
+++ b/core/java/android/content/pm/PackageParser.java
@@ -828,8 +828,8 @@
if (pkg.mCertificates == null) {
pkg.mCertificates = entryCerts;
pkg.mSignatures = convertToSignatures(entryCerts);
- pkg.mSigningKeys = new ArraySet<>();
- for (int i = 0; i < entryCerts.length; i++) {
+ pkg.mSigningKeys = new ArraySet<PublicKey>();
+ for (int i=0; i < entryCerts.length; i++) {
pkg.mSigningKeys.add(entryCerts[i][0].getPublicKey());
}
} else {
@@ -1222,6 +1222,17 @@
if (parsePermissionTree(pkg, res, parser, attrs, outError) == null) {
return null;
}
+ } else if (tagName.equals("upgrade-keyset")) {
+ sa = res.obtainAttributes(attrs,
+ com.android.internal.R.styleable.AndroidManifestUpgradeKeySet);
+ String name = sa.getNonResourceString(
+ com.android.internal.R.styleable.AndroidManifestUpgradeKeySet_name);
+ sa.recycle();
+ if (pkg.mUpgradeKeySets == null) {
+ pkg.mUpgradeKeySets = new ArraySet<String>();
+ }
+ pkg.mUpgradeKeySets.add(name);
+ XmlUtils.skipCurrentTag(parser);
} else if (tagName.equals("uses-permission")) {
if (!parseUsesPermission(pkg, res, parser, attrs, outError)) {
return null;
@@ -1795,7 +1806,7 @@
}
}
- owner.mKeySetMapping = new ArrayMap<String, ArraySet<PublicKey>>();
+ owner.mKeySetMapping = new ArrayMap<String, Set<PublicKey>>();
for (Map.Entry<PublicKey, Set<String>> e : definedKeySets.entrySet()) {
PublicKey key = e.getKey();
Set<String> keySetNames = e.getValue();
@@ -1803,7 +1814,7 @@
if (owner.mKeySetMapping.containsKey(alias)) {
owner.mKeySetMapping.get(alias).add(key);
} else {
- ArraySet<PublicKey> keys = new ArraySet<PublicKey>();
+ Set<PublicKey> keys = new ArraySet<PublicKey>();
keys.add(key);
owner.mKeySetMapping.put(alias, keys);
}
@@ -3795,8 +3806,9 @@
/**
* Data used to feed the KeySetManager
*/
- public ArraySet<PublicKey> mSigningKeys;
- public ArrayMap<String, ArraySet<PublicKey>> mKeySetMapping;
+ public Set<PublicKey> mSigningKeys;
+ public Set<String> mUpgradeKeySets;
+ public Map<String, Set<PublicKey>> mKeySetMapping;
public Package(String packageName) {
this.packageName = packageName;
diff --git a/core/res/res/values/attrs_manifest.xml b/core/res/res/values/attrs_manifest.xml
index fc1d0df..afaf2e9 100644
--- a/core/res/res/values/attrs_manifest.xml
+++ b/core/res/res/values/attrs_manifest.xml
@@ -2019,4 +2019,10 @@
<declare-styleable name="KeySet">
<attr name="name" />
</declare-styleable>
+
+ <!-- Associate declared KeySets with upgrading capability -->
+ <declare-styleable name="AndroidManifestUpgradeKeySet" parent="AndroidManifest">
+ <attr name="name" />
+ </declare-styleable>
+
</resources>
diff --git a/core/tests/coretests/apks/keyset/Android.mk b/core/tests/coretests/apks/keyset/Android.mk
new file mode 100644
index 0000000..e44ac6c
--- /dev/null
+++ b/core/tests/coretests/apks/keyset/Android.mk
@@ -0,0 +1,91 @@
+LOCAL_PATH:= $(call my-dir)
+
+#apks signed by keyset_A
+include $(CLEAR_VARS)
+LOCAL_SRC_FILES := $(call all-subdir-java-files)
+LOCAL_PACKAGE_NAME := keyset_sa_unone
+LOCAL_CERTIFICATE := $(LOCAL_PATH)/../../certs/keyset_A
+LOCAL_MANIFEST_FILE := uNone/AndroidManifest.xml
+include $(FrameworkCoreTests_BUILD_PACKAGE)
+
+include $(CLEAR_VARS)
+LOCAL_SRC_FILES := $(call all-subdir-java-files)
+LOCAL_PACKAGE_NAME := keyset_sa_ua
+LOCAL_CERTIFICATE := $(LOCAL_PATH)/../../certs/keyset_A
+LOCAL_MANIFEST_FILE := uA/AndroidManifest.xml
+include $(FrameworkCoreTests_BUILD_PACKAGE)
+
+include $(CLEAR_VARS)
+LOCAL_SRC_FILES := $(call all-subdir-java-files)
+LOCAL_PACKAGE_NAME := keyset_sa_ub
+LOCAL_CERTIFICATE := $(LOCAL_PATH)/../../certs/keyset_A
+LOCAL_MANIFEST_FILE := uB/AndroidManifest.xml
+include $(FrameworkCoreTests_BUILD_PACKAGE)
+
+include $(CLEAR_VARS)
+LOCAL_SRC_FILES := $(call all-subdir-java-files)
+LOCAL_PACKAGE_NAME := keyset_sa_uab
+LOCAL_CERTIFICATE := $(LOCAL_PATH)/../../certs/keyset_A
+LOCAL_MANIFEST_FILE := uAB/AndroidManifest.xml
+include $(FrameworkCoreTests_BUILD_PACKAGE)
+
+include $(CLEAR_VARS)
+LOCAL_SRC_FILES := $(call all-subdir-java-files)
+LOCAL_PACKAGE_NAME := keyset_sa_ua_ub
+LOCAL_CERTIFICATE := $(LOCAL_PATH)/../../certs/keyset_A
+LOCAL_MANIFEST_FILE := uAuB/AndroidManifest.xml
+include $(FrameworkCoreTests_BUILD_PACKAGE)
+
+include $(CLEAR_VARS)
+LOCAL_SRC_FILES := $(call all-subdir-java-files)
+LOCAL_PACKAGE_NAME := keyset_permdef_sa_unone
+LOCAL_CERTIFICATE := $(LOCAL_PATH)/../../certs/keyset_A
+LOCAL_MANIFEST_FILE := permDef/AndroidManifest.xml
+include $(FrameworkCoreTests_BUILD_PACKAGE)
+
+include $(CLEAR_VARS)
+LOCAL_SRC_FILES := $(call all-subdir-java-files)
+LOCAL_PACKAGE_NAME := keyset_permuse_sa_ua_ub
+LOCAL_CERTIFICATE := $(LOCAL_PATH)/../../certs/keyset_A
+LOCAL_MANIFEST_FILE := permUse/AndroidManifest.xml
+include $(FrameworkCoreTests_BUILD_PACKAGE)
+
+#apks signed by keyset_B
+include $(CLEAR_VARS)
+LOCAL_SRC_FILES := $(call all-subdir-java-files)
+LOCAL_PACKAGE_NAME := keyset_sb_ua
+LOCAL_CERTIFICATE := $(LOCAL_PATH)/../../certs/keyset_B
+LOCAL_MANIFEST_FILE := uA/AndroidManifest.xml
+include $(FrameworkCoreTests_BUILD_PACKAGE)
+
+include $(CLEAR_VARS)
+LOCAL_SRC_FILES := $(call all-subdir-java-files)
+LOCAL_PACKAGE_NAME := keyset_sb_ub
+LOCAL_CERTIFICATE := $(LOCAL_PATH)/../../certs/keyset_B
+LOCAL_MANIFEST_FILE := uB/AndroidManifest.xml
+include $(FrameworkCoreTests_BUILD_PACKAGE)
+
+include $(CLEAR_VARS)
+LOCAL_SRC_FILES := $(call all-subdir-java-files)
+LOCAL_PACKAGE_NAME := keyset_permuse_sb_ua_ub
+LOCAL_CERTIFICATE := $(LOCAL_PATH)/../../certs/keyset_B
+LOCAL_MANIFEST_FILE := permUse/AndroidManifest.xml
+include $(FrameworkCoreTests_BUILD_PACKAGE)
+
+#apks signed by keyset_A and keyset_B
+include $(CLEAR_VARS)
+LOCAL_SRC_FILES := $(call all-subdir-java-files)
+LOCAL_PACKAGE_NAME := keyset_sab_ua
+LOCAL_CERTIFICATE := $(LOCAL_PATH)/../../certs/keyset_A
+LOCAL_ADDITIONAL_CERTIFICATES := $(LOCAL_PATH)/../../certs/keyset_B
+LOCAL_MANIFEST_FILE := uA/AndroidManifest.xml
+include $(FrameworkCoreTests_BUILD_PACKAGE)
+
+#apks signed by keyset_A and unit_test
+include $(CLEAR_VARS)
+LOCAL_SRC_FILES := $(call all-subdir-java-files)
+LOCAL_PACKAGE_NAME := keyset_sau_ub
+LOCAL_CERTIFICATE := $(LOCAL_PATH)/../../certs/keyset_A
+LOCAL_ADDITIONAL_CERTIFICATES := $(LOCAL_PATH)/../../certs/keyset_B
+LOCAL_MANIFEST_FILE := uB/AndroidManifest.xml
+include $(FrameworkCoreTests_BUILD_PACKAGE)
\ No newline at end of file
diff --git a/core/tests/coretests/apks/keyset/permDef/AndroidManifest.xml b/core/tests/coretests/apks/keyset/permDef/AndroidManifest.xml
new file mode 100644
index 0000000..8f7ad4a
--- /dev/null
+++ b/core/tests/coretests/apks/keyset/permDef/AndroidManifest.xml
@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (C) 2010 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+ package="com.android.frameworks.coretests.keysets_permdef">
+ <application android:hasCode="false">
+ </application>
+ <permission android:description="@string/keyset_perm_desc"
+ android:label="@string/keyset_perm_label"
+ android:name="com.android.frameworks.coretests.keysets_permdef.keyset_perm"
+ android:protectionLevel="signature" />
+</manifest>
diff --git a/core/tests/coretests/apks/keyset/permUse/AndroidManifest.xml b/core/tests/coretests/apks/keyset/permUse/AndroidManifest.xml
new file mode 100644
index 0000000..41a2974
--- /dev/null
+++ b/core/tests/coretests/apks/keyset/permUse/AndroidManifest.xml
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (C) 2010 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+ package="com.android.frameworks.coretests.keysets">
+ <application android:hasCode="false">
+ </application>
+ <uses-permission android:name="com.android.frameworks.coretests.keysets_permdef.keyset_perm" />
+ <keys>
+ <publicKey android:value="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJoN1Nsgqf0V4C/bbN8wo8O2X/S5D76+5Mb9mlIsHkUTUTbHCNk+LxHIUYLm89YbP9zImrV0bUHLUAZUyoMUCiMCAwEAAQ==">
+ <keyset android:name="A" />
+ </publicKey>
+ <publicKey android:value="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMTfQsY8UuXiXmvw/y7Tpr7HoyfAC0nE/8Qdk3ZtEr9asa5qqP0F6xzCI1PGVFV+WLVRwm6FdB9StENL5EKyQFcCAwEAAQ==">
+ <keyset android:name="B" />
+ </publicKey>
+ </keys>
+ <upgrade-keyset android:name="A"/>
+ <upgrade-keyset android:name="B"/>
+</manifest>
diff --git a/core/tests/coretests/apks/keyset/res/values/strings.xml b/core/tests/coretests/apks/keyset/res/values/strings.xml
new file mode 100644
index 0000000..ff99ffa
--- /dev/null
+++ b/core/tests/coretests/apks/keyset/res/values/strings.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="utf-8"?>
+
+<!-- Just need this dummy file to have something to build. -->
+<resources xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+ <string name="dummy">dummy</string>
+ <string name="keyset_perm_desc">keyset_perm_description</string>
+ <string name="keyset_perm_label">keyset_perm_label</string>
+</resources>
diff --git a/core/tests/coretests/apks/keyset/uA/AndroidManifest.xml b/core/tests/coretests/apks/keyset/uA/AndroidManifest.xml
new file mode 100644
index 0000000..87c420e
--- /dev/null
+++ b/core/tests/coretests/apks/keyset/uA/AndroidManifest.xml
@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (C) 2010 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+ package="com.android.frameworks.coretests.keysets">
+ <application android:hasCode="false">
+ </application>
+ <keys>
+ <publicKey android:value="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJoN1Nsgqf0V4C/bbN8wo8O2X/S5D76+5Mb9mlIsHkUTUTbHCNk+LxHIUYLm89YbP9zImrV0bUHLUAZUyoMUCiMCAwEAAQ==">
+ <keyset android:name="A" />
+ </publicKey>
+ </keys>
+ <upgrade-keyset android:name="A"/>
+</manifest>
diff --git a/core/tests/coretests/apks/keyset/uAB/AndroidManifest.xml b/core/tests/coretests/apks/keyset/uAB/AndroidManifest.xml
new file mode 100644
index 0000000..a65f085
--- /dev/null
+++ b/core/tests/coretests/apks/keyset/uAB/AndroidManifest.xml
@@ -0,0 +1,29 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (C) 2010 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+ package="com.android.frameworks.coretests.keysets">
+ <application android:hasCode="false">
+ </application>
+ <keys>
+ <publicKey android:value="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJoN1Nsgqf0V4C/bbN8wo8O2X/S5D76+5Mb9mlIsHkUTUTbHCNk+LxHIUYLm89YbP9zImrV0bUHLUAZUyoMUCiMCAwEAAQ==">
+ <keyset android:name="AB" />
+ </publicKey>
+ <publicKey android:value="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMTfQsY8UuXiXmvw/y7Tpr7HoyfAC0nE/8Qdk3ZtEr9asa5qqP0F6xzCI1PGVFV+WLVRwm6FdB9StENL5EKyQFcCAwEAAQ==">
+ <keyset android:name="AB" />
+ </publicKey>
+ </keys>
+ <upgrade-keyset android:name="AB"/>
+</manifest>
diff --git a/core/tests/coretests/apks/keyset/uAuB/AndroidManifest.xml b/core/tests/coretests/apks/keyset/uAuB/AndroidManifest.xml
new file mode 100644
index 0000000..5b0b864
--- /dev/null
+++ b/core/tests/coretests/apks/keyset/uAuB/AndroidManifest.xml
@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (C) 2010 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+ package="com.android.frameworks.coretests.keysets">
+ <application android:hasCode="false">
+ </application>
+ <keys>
+ <publicKey android:value="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJoN1Nsgqf0V4C/bbN8wo8O2X/S5D76+5Mb9mlIsHkUTUTbHCNk+LxHIUYLm89YbP9zImrV0bUHLUAZUyoMUCiMCAwEAAQ==">
+ <keyset android:name="A" />
+ </publicKey>
+ <publicKey android:value="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMTfQsY8UuXiXmvw/y7Tpr7HoyfAC0nE/8Qdk3ZtEr9asa5qqP0F6xzCI1PGVFV+WLVRwm6FdB9StENL5EKyQFcCAwEAAQ==">
+ <keyset android:name="B" />
+ </publicKey>
+ </keys>
+ <upgrade-keyset android:name="A"/>
+ <upgrade-keyset android:name="B"/>
+</manifest>
diff --git a/core/tests/coretests/apks/keyset/uB/AndroidManifest.xml b/core/tests/coretests/apks/keyset/uB/AndroidManifest.xml
new file mode 100644
index 0000000..9b89961
--- /dev/null
+++ b/core/tests/coretests/apks/keyset/uB/AndroidManifest.xml
@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (C) 2010 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+ package="com.android.frameworks.coretests.keysets">
+ <application android:hasCode="false">
+ </application>
+ <keys>
+ <publicKey android:value="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMTfQsY8UuXiXmvw/y7Tpr7HoyfAC0nE/8Qdk3ZtEr9asa5qqP0F6xzCI1PGVFV+WLVRwm6FdB9StENL5EKyQFcCAwEAAQ==">
+ <keyset android:name="B" />
+ </publicKey>
+ </keys>
+ <upgrade-keyset android:name="B"/>
+</manifest>
diff --git a/core/tests/coretests/apks/keyset/uNone/AndroidManifest.xml b/core/tests/coretests/apks/keyset/uNone/AndroidManifest.xml
new file mode 100644
index 0000000..9c9ef2b
--- /dev/null
+++ b/core/tests/coretests/apks/keyset/uNone/AndroidManifest.xml
@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (C) 2010 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+ package="com.android.frameworks.coretests.keysets">
+ <application android:hasCode="false">
+ </application>
+</manifest>
diff --git a/core/tests/coretests/certs/keyset_A.pk8 b/core/tests/coretests/certs/keyset_A.pk8
new file mode 100644
index 0000000..3976b94
--- /dev/null
+++ b/core/tests/coretests/certs/keyset_A.pk8
Binary files differ
diff --git a/core/tests/coretests/certs/keyset_A.x509.pem b/core/tests/coretests/certs/keyset_A.x509.pem
new file mode 100644
index 0000000..0fe334e
--- /dev/null
+++ b/core/tests/coretests/certs/keyset_A.x509.pem
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICKjCCAdQCCQCpDXPnNpO5UjANBgkqhkiG9w0BAQUFADCBmzELMAkGA1UEBhMC
+VVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDU1vdW50YWluIFZpZXcx
+DzANBgNVBAoTBkdvb2dsZTEQMA4GA1UECxMHQW5kcm9pZDEYMBYGA1UEAxMPd3d3
+LmV4YW1wbGUuY29tMSIwIAYJKoZIhvcNAQkBFhNkY2FzaG1hbkBnb29nbGUuY29t
+MB4XDTE0MDQyMTE4MTkwM1oXDTE3MDQyMDE4MTkwM1owgZsxCzAJBgNVBAYTAlVT
+MRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MQ8w
+DQYDVQQKEwZHb29nbGUxEDAOBgNVBAsTB0FuZHJvaWQxGDAWBgNVBAMTD3d3dy5l
+eGFtcGxlLmNvbTEiMCAGCSqGSIb3DQEJARYTZGNhc2htYW5AZ29vZ2xlLmNvbTBc
+MA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCaDdTbIKn9FeAv22zfMKPDtl/0uQ++vuTG
+/ZpSLB5FE1E2xwjZPi8RyFGC5vPWGz/cyJq1dG1By1AGVMqDFAojAgMBAAEwDQYJ
+KoZIhvcNAQEFBQADQQCPTVDKxVZpxFH6Nm7sxpRplLzxbs/xyGELLIjEBVrgB0CM
+HAxFpPRHDSFpTxGG2mBCSrf+lD2Bf+WiIojx+RLY
+-----END CERTIFICATE-----
diff --git a/core/tests/coretests/certs/keyset_B.pk8 b/core/tests/coretests/certs/keyset_B.pk8
new file mode 100644
index 0000000..a44ebb3
--- /dev/null
+++ b/core/tests/coretests/certs/keyset_B.pk8
Binary files differ
diff --git a/core/tests/coretests/certs/keyset_B.x509.pem b/core/tests/coretests/certs/keyset_B.x509.pem
new file mode 100644
index 0000000..2806de5
--- /dev/null
+++ b/core/tests/coretests/certs/keyset_B.x509.pem
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICKjCCAdQCCQC+5GnAgmYS6DANBgkqhkiG9w0BAQUFADCBmzELMAkGA1UEBhMC
+VVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDU1vdW50YWluIFZpZXcx
+DzANBgNVBAoTBkdvb2dsZTEQMA4GA1UECxMHQW5kcm9pZDEYMBYGA1UEAxMPd3d3
+LmV4YW1wbGUuY29tMSIwIAYJKoZIhvcNAQkBFhNkY2FzaG1hbkBnb29nbGUuY29t
+MB4XDTE0MDQyMTE4MjczM1oXDTE3MDQyMDE4MjczM1owgZsxCzAJBgNVBAYTAlVT
+MRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MQ8w
+DQYDVQQKEwZHb29nbGUxEDAOBgNVBAsTB0FuZHJvaWQxGDAWBgNVBAMTD3d3dy5l
+eGFtcGxlLmNvbTEiMCAGCSqGSIb3DQEJARYTZGNhc2htYW5AZ29vZ2xlLmNvbTBc
+MA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDE30LGPFLl4l5r8P8u06a+x6MnwAtJxP/E
+HZN2bRK/WrGuaqj9BescwiNTxlRVfli1UcJuhXQfUrRDS+RCskBXAgMBAAEwDQYJ
+KoZIhvcNAQEFBQADQQCYYyur2/sMB88MOhQE8RHNmdO0zEQYAz66z3ctTNqiNsbK
+T9iKj0CT3cjqgfN5ex4onhnoIIPtON7DIHFWke5x
+-----END CERTIFICATE-----
diff --git a/core/tests/coretests/src/android/content/pm/PackageManagerTests.java b/core/tests/coretests/src/android/content/pm/PackageManagerTests.java
index 7f41ac1c..0244425 100644
--- a/core/tests/coretests/src/android/content/pm/PackageManagerTests.java
+++ b/core/tests/coretests/src/android/content/pm/PackageManagerTests.java
@@ -61,7 +61,10 @@
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
+import java.util.HashSet;
import java.util.List;
+import java.util.Set;
+
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.TimeUnit;
@@ -3069,6 +3072,262 @@
}
/**
+ * The following tests are related to testing KeySets-based key rotation
+ */
+ /*
+ * Check if an apk which does not specify an upgrade-keyset may be upgraded
+ * by an apk which does
+ */
+ public void testNoKSToUpgradeKS() throws Exception {
+ replaceCerts(R.raw.keyset_sa_unone, R.raw.keyset_sa_ua, true, false, -1);
+ }
+
+ /*
+ * Check if an apk which does specify an upgrade-keyset may be downgraded to
+ * an apk which does not
+ */
+ public void testUpgradeKSToNoKS() throws Exception {
+ replaceCerts(R.raw.keyset_sa_ua, R.raw.keyset_sa_unone, true, false, -1);
+ }
+
+ /*
+ * Check if an apk signed by a key other than the upgrade keyset can update
+ * an app
+ */
+ public void testUpgradeKSWithWrongKey() throws Exception {
+ replaceCerts(R.raw.keyset_sa_ua, R.raw.keyset_sb_ua, true, true,
+ PackageManager.INSTALL_PARSE_FAILED_INCONSISTENT_CERTIFICATES);
+ }
+
+ /*
+ * Check if an apk signed by its signing key, which is not an upgrade key,
+ * can upgrade an app.
+ */
+ public void testUpgradeKSWithWrongSigningKey() throws Exception {
+ replaceCerts(R.raw.keyset_sa_ub, R.raw.keyset_sa_ub, true, true,
+ PackageManager.INSTALL_PARSE_FAILED_INCONSISTENT_CERTIFICATES);
+ }
+
+ /*
+ * Check if an apk signed by its upgrade key, which is not its signing key,
+ * can upgrade an app.
+ */
+ public void testUpgradeKSWithUpgradeKey() throws Exception {
+ replaceCerts(R.raw.keyset_sa_ub, R.raw.keyset_sb_ub, true, false, -1);
+ }
+ /*
+ * Check if an apk signed by its upgrade key, which is its signing key, can
+ * upgrade an app.
+ */
+ public void testUpgradeKSWithSigningUpgradeKey() throws Exception {
+ replaceCerts(R.raw.keyset_sa_ua, R.raw.keyset_sa_ua, true, false, -1);
+ }
+
+ /*
+ * Check if an apk signed by multiple keys, one of which is its upgrade key,
+ * can upgrade an app.
+ */
+ public void testMultipleUpgradeKSWithUpgradeKey() throws Exception {
+ replaceCerts(R.raw.keyset_sa_ua, R.raw.keyset_sab_ua, true, false, -1);
+ }
+
+ /*
+ * Check if an apk signed by multiple keys, one of which is its signing key,
+ * but none of which is an upgrade key, can upgrade an app.
+ */
+ public void testMultipleUpgradeKSWithSigningKey() throws Exception {
+ replaceCerts(R.raw.keyset_sau_ub, R.raw.keyset_sa_ua, true, true,
+ PackageManager.INSTALL_PARSE_FAILED_INCONSISTENT_CERTIFICATES);
+ }
+
+ /*
+ * Check if an apk which defines multiple (two) upgrade keysets is
+ * upgrade-able by either.
+ */
+ public void testUpgradeKSWithMultipleUpgradeKeySets() throws Exception {
+ replaceCerts(R.raw.keyset_sa_ua_ub, R.raw.keyset_sa_ua, true, false, -1);
+ replaceCerts(R.raw.keyset_sa_ua_ub, R.raw.keyset_sb_ub, true, false, -1);
+ }
+
+ /*
+ * Check if an apk's sigs are changed after upgrading with a non-signing
+ * key.
+ *
+ * TODO: consider checking against hard-coded Signatures in the Sig-tests
+ */
+ public void testSigChangeAfterUpgrade() throws Exception {
+ // install original apk and grab sigs
+ installFromRawResource("tmp.apk", R.raw.keyset_sa_ub,
+ 0, false, false, -1, PackageInfo.INSTALL_LOCATION_UNSPECIFIED);
+ PackageManager pm = getPm();
+ String pkgName = "com.android.frameworks.coretests.keysets";
+ PackageInfo pi = pm.getPackageInfo(pkgName, PackageManager.GET_SIGNATURES);
+ assertTrue("Package should only have one signature, sig A",
+ pi.signatures.length == 1);
+ String sigBefore = pi.signatures[0].toCharsString();
+ // install apk signed by different upgrade KeySet
+ installFromRawResource("tmp2.apk", R.raw.keyset_sb_ub,
+ PackageManager.INSTALL_REPLACE_EXISTING, false, false, -1,
+ PackageInfo.INSTALL_LOCATION_UNSPECIFIED);
+ pi = pm.getPackageInfo(pkgName, PackageManager.GET_SIGNATURES);
+ assertTrue("Package should only have one signature, sig B",
+ pi.signatures.length == 1);
+ String sigAfter = pi.signatures[0].toCharsString();
+ assertFalse("Package signatures did not change after upgrade!",
+ sigBefore.equals(sigAfter));
+ cleanUpInstall(pkgName);
+ }
+
+ /*
+ * Check if an apk's sig is the same after upgrading with a signing
+ * key.
+ */
+ public void testSigSameAfterUpgrade() throws Exception {
+ // install original apk and grab sigs
+ installFromRawResource("tmp.apk", R.raw.keyset_sa_ua,
+ 0, false, false, -1, PackageInfo.INSTALL_LOCATION_UNSPECIFIED);
+ PackageManager pm = getPm();
+ String pkgName = "com.android.frameworks.coretests.keysets";
+ PackageInfo pi = pm.getPackageInfo(pkgName, PackageManager.GET_SIGNATURES);
+ assertTrue("Package should only have one signature, sig A",
+ pi.signatures.length == 1);
+ String sigBefore = pi.signatures[0].toCharsString();
+ // install apk signed by same upgrade KeySet
+ installFromRawResource("tmp2.apk", R.raw.keyset_sa_ua,
+ PackageManager.INSTALL_REPLACE_EXISTING, false, false, -1,
+ PackageInfo.INSTALL_LOCATION_UNSPECIFIED);
+ pi = pm.getPackageInfo(pkgName, PackageManager.GET_SIGNATURES);
+ assertTrue("Package should only have one signature, sig A",
+ pi.signatures.length == 1);
+ String sigAfter = pi.signatures[0].toCharsString();
+ assertTrue("Package signatures changed after upgrade!",
+ sigBefore.equals(sigAfter));
+ cleanUpInstall(pkgName);
+ }
+
+ /*
+ * Check if an apk's sigs are the same after upgrading with an app with
+ * a subset of the original signing keys.
+ */
+ public void testSigRemovedAfterUpgrade() throws Exception {
+ // install original apk and grab sigs
+ installFromRawResource("tmp.apk", R.raw.keyset_sab_ua,
+ 0, false, false, -1, PackageInfo.INSTALL_LOCATION_UNSPECIFIED);
+ PackageManager pm = getPm();
+ String pkgName = "com.android.frameworks.coretests.keysets";
+ PackageInfo pi = pm.getPackageInfo(pkgName, PackageManager.GET_SIGNATURES);
+ assertTrue("Package should have two signatures, sig A and sig B",
+ pi.signatures.length == 2);
+ Set<String> sigsBefore = new HashSet<String>();
+ for (int i = 0; i < pi.signatures.length; i++) {
+ sigsBefore.add(pi.signatures[i].toCharsString());
+ }
+ // install apk signed subset upgrade KeySet
+ installFromRawResource("tmp2.apk", R.raw.keyset_sa_ua,
+ PackageManager.INSTALL_REPLACE_EXISTING, false, false, -1,
+ PackageInfo.INSTALL_LOCATION_UNSPECIFIED);
+ pi = pm.getPackageInfo(pkgName, PackageManager.GET_SIGNATURES);
+ assertTrue("Package should only have one signature, sig A",
+ pi.signatures.length == 1);
+ String sigAfter = pi.signatures[0].toCharsString();
+ assertTrue("Original package signatures did not contain new sig",
+ sigsBefore.contains(sigAfter));
+ cleanUpInstall(pkgName);
+ }
+
+ /*
+ * Check if an apk's sigs are added to after upgrading with an app with
+ * a superset of the original signing keys.
+ */
+ public void testSigAddedAfterUpgrade() throws Exception {
+ // install original apk and grab sigs
+ installFromRawResource("tmp.apk", R.raw.keyset_sa_ua,
+ 0, false, false, -1, PackageInfo.INSTALL_LOCATION_UNSPECIFIED);
+ PackageManager pm = getPm();
+ String pkgName = "com.android.frameworks.coretests.keysets";
+ PackageInfo pi = pm.getPackageInfo(pkgName, PackageManager.GET_SIGNATURES);
+ assertTrue("Package should only have one signature, sig A",
+ pi.signatures.length == 1);
+ String sigBefore = pi.signatures[0].toCharsString();
+ // install apk signed subset upgrade KeySet
+ installFromRawResource("tmp2.apk", R.raw.keyset_sab_ua,
+ PackageManager.INSTALL_REPLACE_EXISTING, false, false, -1,
+ PackageInfo.INSTALL_LOCATION_UNSPECIFIED);
+ pi = pm.getPackageInfo(pkgName, PackageManager.GET_SIGNATURES);
+ assertTrue("Package should have two signatures, sig A and sig B",
+ pi.signatures.length == 2);
+ Set<String> sigsAfter = new HashSet<String>();
+ for (int i = 0; i < pi.signatures.length; i++) {
+ sigsAfter.add(pi.signatures[i].toCharsString());
+ }
+ assertTrue("Package signatures did not change after upgrade!",
+ sigsAfter.contains(sigBefore));
+ cleanUpInstall(pkgName);
+ }
+
+ /*
+ * Check if an apk gains signature-level permission after changing to the a
+ * new signature, for which a permission should be granted.
+ */
+ public void testUpgradeSigPermGained() throws Exception {
+ // install apk which defines permission
+ installFromRawResource("permDef.apk", R.raw.keyset_permdef_sa_unone,
+ 0, false, false, -1, PackageInfo.INSTALL_LOCATION_UNSPECIFIED);
+ // install apk which uses permission but does not have sig
+ installFromRawResource("permUse.apk", R.raw.keyset_permuse_sb_ua_ub,
+ 0, false, false, -1, PackageInfo.INSTALL_LOCATION_UNSPECIFIED);
+ // verify that package does not have perm before
+ PackageManager pm = getPm();
+ String permPkgName = "com.android.frameworks.coretests.keysets_permdef";
+ String pkgName = "com.android.frameworks.coretests.keysets";
+ String permName = "com.android.frameworks.coretests.keysets_permdef.keyset_perm";
+ assertFalse("keyset permission granted to app without same signature!",
+ pm.checkPermission(permName, pkgName)
+ == PackageManager.PERMISSION_GRANTED);
+ // upgrade to apk with perm signature
+ installFromRawResource("permUse2.apk", R.raw.keyset_permuse_sa_ua_ub,
+ PackageManager.INSTALL_REPLACE_EXISTING, false, false, -1,
+ PackageInfo.INSTALL_LOCATION_UNSPECIFIED);
+ assertTrue("keyset permission not granted to app after upgrade to same sig",
+ pm.checkPermission(permName, pkgName)
+ == PackageManager.PERMISSION_GRANTED);
+ cleanUpInstall(permPkgName);
+ cleanUpInstall(pkgName);
+ }
+
+ /*
+ * Check if an apk loses signature-level permission after changing to the a
+ * new signature, from one which a permission should be granted.
+ */
+ public void testUpgradeSigPermLost() throws Exception {
+ // install apk which defines permission
+ installFromRawResource("permDef.apk", R.raw.keyset_permdef_sa_unone,
+ 0, false, false, -1, PackageInfo.INSTALL_LOCATION_UNSPECIFIED);
+ // install apk which uses permission, signed by same sig
+ installFromRawResource("permUse.apk", R.raw.keyset_permuse_sa_ua_ub,
+ 0, false, false, -1, PackageInfo.INSTALL_LOCATION_UNSPECIFIED);
+ // verify that package does not have perm before
+ PackageManager pm = getPm();
+ String permPkgName = "com.android.frameworks.coretests.keysets_permdef";
+ String pkgName = "com.android.frameworks.coretests.keysets";
+ String permName = "com.android.frameworks.coretests.keysets_permdef.keyset_perm";
+ assertTrue("keyset permission not granted to app with same sig",
+ pm.checkPermission(permName, pkgName)
+ == PackageManager.PERMISSION_GRANTED);
+ // upgrade to apk without perm signature
+ installFromRawResource("permUse2.apk", R.raw.keyset_permuse_sb_ua_ub,
+ PackageManager.INSTALL_REPLACE_EXISTING, false, false, -1,
+ PackageInfo.INSTALL_LOCATION_UNSPECIFIED);
+
+ assertFalse("keyset permission not revoked from app which upgraded to a "
+ + "different signature",
+ pm.checkPermission(permName, pkgName)
+ == PackageManager.PERMISSION_GRANTED);
+ cleanUpInstall(permPkgName);
+ cleanUpInstall(pkgName);
+ }
+
+ /**
* The following tests are related to testing the checkSignatures api.
*/
private void checkSignatures(int apk1, int apk2, int expMatchResult) throws Exception {