OSDN Git Service

InstantAppRegistry: adjust backwards compat cookie sig check.
author Dan Cashman <dcashman@google.com>
Mon, 16 Apr 2018 21:18:48 +0000 (14:18 -0700)
committer Dan Cashman <dcashman@google.com>
Mon, 16 Apr 2018 21:18:48 +0000 (14:18 -0700)
InstantAppRegistry used to store cookies based on the hash of only
one of the signing certificates out of potentially multiple signing
certificates.  To prevent loss of stored cookie info for an app which
has multiple signing certificates, it needs to check if the stored hash
value corresponded to only one of those certs before this was corrected.
Since the order of signing certificates is not specified, all cert hashes
should be compared to see if one of them matches the stored value.

Bug: 73739156
Test: android.appsecurity.cts.InstantCookieHostTest#testCookieValidWhenSingedWithTwoCerts
Change-Id: I2d616ca7ba60104f0b009d23e8eb4e7f525362fd

services/core/java/com/android/server/pm/InstantAppRegistry.java

index fb81ebf..fde13ac 100644 (file)
@@ -312,12 +312,14 @@ class InstantAppRegistry {
                 return;
             }
 
-            // For backwards compatibility we accept match based on first signature only in the case
-            // of multiply-signed packagse
+            // For backwards compatibility we accept match based on any signature, since we may have
+            // recorded only the first for multiply-signed packages
             final String[] signaturesSha256Digests =
                     PackageUtils.computeSignaturesSha256Digests(pkg.mSigningDetails.signatures);
-            if (signaturesSha256Digests[0].equals(currentCookieSha256)) {
-                return;
+            for (String s : signaturesSha256Digests) {
+                if (s.equals(currentCookieSha256)) {
+                    return;
+                }
             }
 
             // Sorry, you are out of luck - different signatures - nuke data
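Review bot: the new `for (String s : signaturesSha256Digests)` loop accepts the stored cookie when any one certificate digest equals `currentCookieSha256`, which is wider than the old `signaturesSha256Digests[0]` check: a package that shares a single certificate with the recorded signer now keeps the cookie. The updated comment should state that this is intended. In the lines shown, a match simply returns, so the cookie stays keyed to the single-certificate hash and this fallback is hit again on every later check; consider re-saving the cookie under the current full-signature hash once a legacy match is found, so the looser comparison is needed at most once per app. Minor style point: `s` could be named `digest` to match the array it iterates.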