Check that signatureMask isn't an empty array (#26)

* Check that signatureMask isn't an empty array

If for some reason signatureMask turned out to be an empty array,
verify() would always return true and the verification logic could be
bypassed. This change ensures that the code throws an exception in the
unlikely case that signatureMask is an empty array.

* Update digitalassetlinks/src/test/java/com/solana/digitalassetlinks/AndroidAppPackageVerifierUnitTests.java

Co-authored-by: sdlaver <103003665+sdlaver@users.noreply.github.com>

Author: matias-la

digitalassetlinks/src/main/java/com/solana/digitalassetlinks/AndroidAppPackageVerifier.java

@@ -95,6 +95,10 @@ public boolean verify(@NonNull String packageName, @NonNull URI uri)
             requireAllSignatures = true;
         }
 
+        if (signatureMask.length == 0) {
+            throw new CouldNotVerifyPackageException("Failed reading signatures for package " + packageName);
+        }
+
         // Create and configure an AssetLinksJSONParser object
         final StatementMatcher androidAppMatcher = StatementMatcher
                 .createAndroidAppStatementMatcher(

digitalassetlinks/src/test/java/com/solana/digitalassetlinks/AndroidAppPackageVerifierUnitTests.java

@@ -69,6 +69,24 @@ public void testAppPackageVerificationSuccess()
         assertTrue(verified);
     }
 
+    @Test
+    public void testAppPackageVerificationNoCertificates() {
+        ArrayList<MockWebContentServer.Content> mockWebContent = new ArrayList<>();
+        mockWebContent.add(new MockWebContentServer.Content(
+                URI.create("https://www.test.com/.well-known/assetlinks.json"),
+                HttpURLConnection.HTTP_OK,
+                "application/json",
+                ANDROID_APP_STATEMENT_LIST_CERTS_2_3));
+
+        final PackageManager pm = mockPackageManagerFactory(
+                "com.test.sample", new byte[][] {}, true);
+
+        final AndroidAppPackageVerifierHarness verifier =
+                new AndroidAppPackageVerifierHarness(pm, mockWebContent);
+        assertThrows(AndroidAppPackageVerifier.CouldNotVerifyPackageException.class,
+                () ->verifier.verify("com.test.sample", URI.create("https://www.test.com")));
+    }
+
     @Test
     public void testAppPackageVerificationNoAssetLinks() {
         ArrayList<MockWebContentServer.Content> mockWebContent = new ArrayList<>();
@@ -205,11 +223,8 @@ public void testAppPackageVerificationNoMatchingPackageInPackageManager() {
     private static PackageManager mockPackageManagerFactory(@NonNull String packageName,
                                                             @NonNull byte[][] certificates,
                                                             boolean multipleSigners) {
-        if (certificates.length == 0) {
-            throw new IllegalArgumentException("at least 1 certificate required");
-        } else if (multipleSigners && certificates.length == 1) {
-            throw new IllegalArgumentException("multipleSigners requires at least 2 certificates");
-        }
+        // NOTE: empty certificates would normally be an error, but we want to exercise unit tests
+        // for this case, so allow it when constructing a mock PackageManager
 
         final PackageInfo pi = new PackageInfo();
         final int piFlags;