Signature Verification based on Package (#320)

* Setup Environment Detection based on package

Signed-off-by: d067928 <jakob.moeller@sap.com>

* Setup Environment Detection based on package with Delimiting

Signed-off-by: d067928 <jakob.moeller@sap.com>

* add env again

Signed-off-by: d067928 <jakob.moeller@sap.com>

* Fix Logging

Signed-off-by: d067928 <jakob.moeller@sap.com>

Corona-Warn-App/build.gradle

@@ -39,7 +39,6 @@ android {
         buildConfigField "String", "DOWNLOAD_CDN_URL", "\"$DOWNLOAD_CDN_URL\""
         buildConfigField "String", "SUBMISSION_CDN_URL", "\"$SUBMISSION_CDN_URL\""
         buildConfigField "String", "VERIFICATION_CDN_URL", "\"$VERIFICATION_CDN_URL\""
-        buildConfigField "String", "EXPORT_SIGNATURE_ID", "\"de.rki.coronawarnapp-dev\""
 
         //override URLs. Use local.properties if exist.
         // If environment.properties also exist, override local.properties
@@ -87,14 +86,12 @@ android {
             minifyEnabled true
             shrinkResources true
             proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'proguard-rules.pro'
-            buildConfigField "String", "EXPORT_SIGNATURE_ID", "\"de.rki.coronawarnapp\""
         }
         releaseForTest {
             applicationIdSuffix '.dev'
             minifyEnabled true
             shrinkResources true
             proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'proguard-rules.pro'
-            buildConfigField "String", "EXPORT_SIGNATURE_ID", "\"de.rki.coronawarnapp-dev\""
         }
     }
 

Corona-Warn-App/src/main/assets/export-server-public-keys-for-verification.properties

-de.rki.coronawarnapp-dev=MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE3BYTxr2HuJYQG+d7Ezu6KS8GEbFkiEvyJFg0j+C839gTjT6j7Ho0EXXZ/a07ZfvKcC2cmc1SunsrqU9Jov1J5Q==
+de.rki.coronawarnapp.dev=MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE3BYTxr2HuJYQG+d7Ezu6KS8GEbFkiEvyJFg0j+C839gTjT6j7Ho0EXXZ/a07ZfvKcC2cmc1SunsrqU9Jov1J5Q==
 de.rki.coronawarnapp=MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEc7DEstcUIRcyk35OYDJ95/hTg3UVhsaDXKT0zK7NhHPXoyzipEnOp3GyNXDVpaPi3cAfQmxeuFMZAIX2+6A5Xg==
\ No newline at end of file

Corona-Warn-App/src/main/java/de/rki/coronawarnapp/util/security/SecurityConstants.kt

 package de.rki.coronawarnapp.util.security
 
-import de.rki.coronawarnapp.BuildConfig
-
 object SecurityConstants {
     const val DIGEST_ALGORITHM = "SHA-256"
     const val DB_PASSWORD_MIN_LENGTH = 32
@@ -11,6 +9,5 @@ object SecurityConstants {
 
     const val EXPORT_SIGNATURE_VERIFICATION_PUBLIC_KEYS =
         "export-server-public-keys-for-verification.properties"
-    const val EXPORT_ENVIRONMENT_IDENTIFIER = BuildConfig.EXPORT_SIGNATURE_ID
     const val EXPORT_FILE_SIGNATURE_VERIFICATION_ALGORITHM = "SHA256withECDSA"
 }

Corona-Warn-App/src/main/java/de/rki/coronawarnapp/util/security/VerificationKeys.kt

@@ -3,8 +3,8 @@ package de.rki.coronawarnapp.util.security
 import KeyExportFormat
 import android.security.keystore.KeyProperties
 import android.util.Base64
+import de.rki.coronawarnapp.BuildConfig
 import de.rki.coronawarnapp.CoronaWarnApplication
-import de.rki.coronawarnapp.util.security.SecurityConstants.EXPORT_ENVIRONMENT_IDENTIFIER
 import de.rki.coronawarnapp.util.security.SecurityConstants.EXPORT_SIGNATURE_VERIFICATION_PUBLIC_KEYS
 import timber.log.Timber
 import java.security.KeyFactory
@@ -46,23 +46,34 @@ class VerificationKeys {
         export: ByteArray?,
         signatures: ByteArray?
     ) = getKeysForSignatureVerificationFilteredByEnvironment()
-        .flatMap { filteredIdAndKeyBinary ->
-            getTEKSignaturesForEnvironment(signatures)
-                .filter { signatureBinary ->
-                    initVerify(filteredIdAndKeyBinary.value)
+        .filter { filteredIdAndPublicKeys ->
+            var verified = false
+            getTEKSignaturesForEnvironment(signatures).forEach { tek ->
+                filteredIdAndPublicKeys.value.forEach { publicKey ->
+                    initVerify(publicKey)
                     update(export)
-                    verify(signatureBinary)
+                    if (verify(tek)) verified = true
                 }
-                .toList()
+            }
+            verified
         }
         .also { Timber.v("${it.size} valid signatures found") }
 
     private fun getKeysForSignatureVerificationFilteredByEnvironment() = verificationKeyProperties
         .entries
-        .associate { it.key as String to Base64.decode(it.value as String, Base64.DEFAULT) }
-        .mapValues { keyFactory.generatePublic(X509EncodedKeySpec(it.value)) }
+        .associate {
+            it.key as String to (it.value as String).split(",").mapNotNull { delimitedString ->
+                Base64.decode(delimitedString, Base64.DEFAULT)
+            }.map { binaryPublicKey ->
+                keyFactory.generatePublic(
+                    X509EncodedKeySpec(
+                        binaryPublicKey
+                    )
+                )
+            }
+        }
+        .filterKeys { key -> key == BuildConfig.APPLICATION_ID }
         .onEach { Timber.v("$it") }
-        .filterKeys { publicKeyIdentifier -> publicKeyIdentifier == EXPORT_ENVIRONMENT_IDENTIFIER }
 
     private fun getTEKSignaturesForEnvironment(
         signatureListBinary: ByteArray?
@@ -70,7 +81,6 @@ class VerificationKeys {
         .parseFrom(signatureListBinary)
         .signaturesList
         .asSequence()
-        .filter { TEKSig -> TEKSig.signatureInfo.appBundleId == EXPORT_ENVIRONMENT_IDENTIFIER }
-        .onEach { Timber.v("$it") }
+        .onEach { Timber.v(it.toString()) }
         .mapNotNull { it.signature.toByteArray() }
 }