Add conscrypt provider to apksigner to support PSS
The platform supports APKs signed with a PSS signature algorithm, but
the default providers used by apksigner do not include this support.
This commit adds the conscrypt provider to apksigner to allow
verification of APKs signed with a PSS signature algorithm. Note the
changes to the apksigner script only support including the native
conscrypt library as part of the Android tree; additional work is
required to include the native library in an sdk build-tools release.
Bug: 161323964
Test: gradlew test
Test: Manually verified an APK signed with a PSS signature algorithm
Change-Id: I0ba7e93cc8792760590c3a98eb87127d0df71ce3
diff --git a/Android.bp b/Android.bp
index 89654a6..c46629f 100644
--- a/Android.bp
+++ b/Android.bp
@@ -31,5 +31,9 @@
java_resource_dirs: ["src/apksigner/java"],
wrapper: "etc/apksigner",
manifest: "src/apksigner/apksigner.mf",
- static_libs: ["apksig"],
+ static_libs: [
+ "apksig",
+ "conscrypt-unbundled",
+ ],
+ required: ["libconscrypt_openjdk_jni"],
}
diff --git a/etc/apksigner b/etc/apksigner
index 11a7529..d13afc4 100755
--- a/etc/apksigner
+++ b/etc/apksigner
@@ -46,6 +46,8 @@
if [ ! -r "$libdir/$jarfile" ]; then
# set apksigner.jar location for the Android tree case
libdir=`dirname "$progdir"`/framework
+ # also include the library directory for any provider native libraries
+ providerLibdir=`dirname "$progdir"`/lib64
fi
if [ ! -r "$libdir/$jarfile" ]; then
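Review bot: `providerLibdir` is assigned only inside this Android-tree branch, and none of the visible hunks initialises it (or `defaultLibdir`) beforehand, so in the SDK layout a variable of the same name inherited from the caller's environment would end up in `-Djava.library.path` further down. That path decides which native provider library the JVM loads for a tool that handles signing keys, so I would set both explicitly next to the other defaults, e.g. `providerLibdir=""` and `defaultLibdir="yes"`. If they are already initialised outside these hunks, this does not apply. The hard-coded `lib64` also deserves a short comment stating which host layouts it is meant to cover.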
@@ -71,6 +73,8 @@
javaOpts="${javaOpts} -${opt}"
if expr "x${opt}" : "xXmx[0-9]" >/dev/null; then
defaultMx="no"
+ elif expr "x${opt}" : "xDjava.library.path=" >/dev/null; then
+ defaultLibdir="no"
fi
shift
done
@@ -79,6 +83,10 @@
javaOpts="${javaOpts} ${defaultMx}"
fi
+if [ "${defaultLibdir}" != "no" ] && [ -n $providerLibdir ]; then
+ javaOpts="${javaOpts} -Djava.library.path=$providerLibdir"
+fi
+
if [ "$OSTYPE" = "cygwin" ]; then
# For Cygwin, convert the jarfile path into native Windows style.
jarpath=`cygpath -w "$libdir/$jarfile"`
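Review bot: The test `[ -n $providerLibdir ]` is unquoted, so when the variable is empty or unset it collapses to `[ -n ]`, which is always true. In the SDK layout the branch therefore appends `-Djava.library.path=` with an empty value instead of leaving the JVM's default library path alone. Quote the expansion: `if [ "${defaultLibdir}" != "no" ] && [ -n "$providerLibdir" ]; then`. A directory name containing spaces would also be split if `javaOpts` is expanded unquoted at the `java` invocation, which lies outside this hunk.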
diff --git a/src/apksigner/java/com/android/apksigner/ApkSignerTool.java b/src/apksigner/java/com/android/apksigner/ApkSignerTool.java
index 5783518..2f4e680 100644
--- a/src/apksigner/java/com/android/apksigner/ApkSignerTool.java
+++ b/src/apksigner/java/com/android/apksigner/ApkSignerTool.java
@@ -25,6 +25,8 @@
import com.android.apksig.util.DataSource;
import com.android.apksig.util.DataSources;
+import org.conscrypt.OpenSSLProvider;
+
import java.io.BufferedReader;
import java.io.File;
import java.io.IOException;
@@ -78,6 +80,8 @@
return;
}
+ addProviders();
+
String cmd = params[0];
try {
if ("sign".equals(cmd)) {
@@ -109,6 +113,19 @@
}
}
+ /**
+ * Adds additional security providers to add support for signature algorithms not covered by
+ * the default providers.
+ */
+ private static void addProviders() {
+ try {
+ Security.addProvider(new OpenSSLProvider());
+ } catch (UnsatisfiedLinkError e) {
+ // This is expected if the library path does not include the native conscrypt library;
+ // the default providers support all but PSS algorithms.
+ }
+ }
+
private static void sign(String[] params) throws Exception {
if (params.length == 0) {
printUsage(HELP_PAGE_SIGN);
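Review bot: The empty `catch (UnsatisfiedLinkError e)` in `addProviders()` leaves no trace that Conscrypt failed to load. A later verification of a PSS-signed APK will presumably fail with an algorithm error that says nothing about the missing native library. I would keep the fallback but remember the failure, for example in a private static field, and mention it in verbose output or when signing or verification later hits an unsupported algorithm. The Javadoc could also record that `Security.addProvider` appends at the lowest preference, e.g. `Conscrypt is appended last, so it is only consulted for algorithms the default providers lack.`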