Update IP phone app teams signature constants to use SHA-512 format #2700
Conversation
|
❌ Work item link check failed. Description does not contain AB#{ID}. Click here to Learn more. |
There was a problem hiding this comment.
Pull Request Overview
This PR migrates IP phone app signature verification from SHA-1 to SHA-512 for Teams Phone integration.
- Replaces SHA-1 signature constants with SHA-512 debug and release variants.
- Updates signature retrieval and comparison in
PackageHelperandAzureActiveDirectoryWebViewClient. - Renames and adjusts imports in
AuthenticationConstantsaccordingly.
Reviewed Changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| common/.../AzureActiveDirectoryWebViewClient.java | Swapped SHA-1 import and check for SHA-512 import and getSha512SignatureForPackage |
| common/.../broker/PackageHelper.java | Replaced SHA-1 constants, aligned digest algorithm, updated verification to SHA-512 |
| common/.../AuthenticationConstants.java | Renamed IP phone app signature constants to SHA-512 debug/release |
Comments suppressed due to low confidence (3)
common/src/main/java/com/microsoft/identity/common/adal/internal/AuthenticationConstants.java:1197
- The Javadoc above this constant still refers generically to the app signature; please update it to mention that this is now the SHA-512 thumbprint for release builds and rename any references to IPPHONE_APP_SIGNATURE in comments.
public static final String IPPHONE_APP_SHA512_RELEASE_SIGNATURE = "iPULpH0pq8ms1Qy7cOzGsVRQN7/zW4IbW+UKcajvtrTrzM5o5VcaghNEA1Ho4Wq7ay0efqqJcalxa8eHxVnHKA==";
common/src/main/java/com/microsoft/identity/common/internal/broker/PackageHelper.java:127
- [nitpick] The comment mentions SHA-1 but the code now supports SHA-512; please clarify or update this remark to avoid confusion about which algorithm is actually being used in each branch.
MessageDigest md = MessageDigest.getInstance(useSha512 ? "SHA-512" : "SHA"); // CodeQL [SM05136] MSAL still uses SHA-1 format in redirect url.
common/src/main/java/com/microsoft/identity/common/internal/broker/PackageHelper.java:288
- Consider adding unit tests for
verifyIfValidTeamsPackageto cover both the new SHA-512 release and debug signature branches to ensure verification logic remains correct.
public boolean verifyIfValidTeamsPackage(final String packageName) {
p3dr0rv
added
skip AB ID validation
Skip-Consumers-Check
|
|
|
||
| /** | ||
| * Signing certificate thumbprint of the DEBUG-signed Teams IP Phones (Sakurai devices) | ||
| * to unblock any teams local debug development. | ||
| */ | ||
| public static final String IPPHONE_APP_DEBUG_SIGNATURE = "VCpKgbYCXucoq1mZ4BZPsh5taNE="; | ||
| public static final String IPPHONE_APP_SHA512_DEBUG_SIGNATURE = "FOoI98kyj+dXPZYW191TjF6017ljKj47G+RCQPYjIcXD7uhhTpw7pqznTABB0ZjB1/DZetRgr284pyLumvXN6A=="; |
There was a problem hiding this comment.
How are these signatures generated?
There was a problem hiding this comment.
teams provided the APKS, and we run package inspector (package-inspector/src/main/java/com/microsoft/inspector/MainActivity.java) a test app inside MSAL.
More details in this PR
https://github.com/AzureAD/microsoft-authentication-library-for-android/pull/2324/files
| @@ -124,7 +124,7 @@ private static String getSigningCertificateThumbprintForPackage(final PackageInf | |||
| final Signature[] signatures = getSignatures(packageInfo); | |||
| if (signatures != null && signatures.length > 0) { | |||
| final Signature signature = signatures[0]; | |||
| MessageDigest md = MessageDigest.getInstance(useSha512 ? "SHA-512" : "SHA"); | |||
| MessageDigest md = MessageDigest.getInstance(useSha512 ? "SHA-512" : "SHA"); // CodeQL [SM05136] MSAL still uses SHA-1 format in redirect url. | |||
There was a problem hiding this comment.
"SHA" is a standard alias for SHA-1 in Android.
This PR
1- updates Teams IP phone app signature verification from SHA-1 to SHA-512.
2- Suppresses some CodeQL issues regarding SHA-verification for redirect urls and SK decryption.