AndroidApp签名(证书)校验过程源码分析
Android App安装是需要证书⽀持的,我们在Eclipse或者Android Studio中开发App时,并没有注意关于证书的事,也能正确安装App。这是因为使⽤了默认的debug证书。在Android App升级的时候,证书发挥的作⽤就尤为明显了。只有证书相同时,才能对App进⾏升级。证书也是为了防⽌App伪造的,属于Android安全策略的⼀部分。另外,Android沙箱机制中,也和证书有关。两个App如要共享⽂件,代码,或者资源时,需要使⽤shareUid属性,只有证书相同的App的才能shareUid。才外,如果⼀个App中申明了signature级别的权限,也是只有和那个App签名相同的App才能申请到对应的权限。
虽然之前也了解过Android App的签名校验过程,但都是根据别⼈总结的结果,没有⾃⼰动⼿分析Android源码。所以本篇Blog将从源码出发分析Android App的签名校验过程,分析完源码之后,也会和⽹上⼤多数的资料⼀样给出总结。
注意:由于签名校验过程是在App安装时进⾏的,所以源码分析的起始点是上篇Blog:。不过不想了解PackageInstall源码也没有关系,只要不纠结程序的起点,分析过程就是App 签名校验模块。
⼀、源码分析
上篇Blog中,程序安装过程调⽤了installPackageLI()⽅法。⽽在installPackageLI()⽅法内部,调⽤了co
llectCertificates()⽅法,从⽽进⼊了App的签名检验过程。下⾯我们查看collectCertificates()的源码实现,源码路
径:/frameworks/base/core/java/android/content/pm/PackageParser.java
public void collectCertificates(Package pkg, int flags) throws PackageParserException {
pkg.mCertificates = null;
pkg.mSignatures = null;
pkg.mSigningKeys = null;
collectCertificates(pkg, new File(pkg.baseCodePath), flags);
if (!ArrayUtils.isEmpty(pkg.splitCodePaths)) {
for (String splitCodePath : pkg.splitCodePaths) {
collectCertificates(pkg, new File(splitCodePath), flags);
}
}
}
private static void collectCertificates(Package pkg, File apkFile, int flags)
throws PackageParserException {
final String apkPath = AbsolutePath();
StrictJarFile jarFile = null;
try {
jarFile = new StrictJarFile(apkPath);
// Always verify manifest, regardless of source
final ZipEntry manifestEntry = jarFile.findEntry(ANDROID_MANIFEST_FILENAME);
if (manifestEntry == null) {
android获取真正的签名
throw new PackageParserException(INSTALL_PARSE_FAILED_BAD_MANIFEST,
"Package " + apkPath + " has no manifest");
}
final List<ZipEntry> toVerify = new ArrayList<>();
toVerify.add(manifestEntry);
// If we're parsing an untrusted package, verify all contents
if ((flags & PARSE_IS_SYSTEM) == 0) {
final Iterator<ZipEntry> i = jarFile.iterator();
while (i.hasNext()) {
final ZipEntry entry = i.next();
if (entry.isDirectory()) continue;
if (Name().startsWith("META-INF/")) continue;
if (Name().equals(ANDROID_MANIFEST_FILENAME)) continue;
toVerify.add(entry);
}
}
// Verify that entries are signed consistently with the first entry
// we encountered. Note that for splits, certificates may have
// already been populated during an earlier parse of a base APK.
for (ZipEntry entry : toVerify) {
final Certificate[][] entryCerts = loadCertificates(jarFile, entry);
if (ArrayUtils.isEmpty(entryCerts)) {
throw new PackageParserException(INSTALL_PARSE_FAILED_NO_CERTIFICATES,
"Package " + apkPath + " has no certificates at entry "
+ Name());
}
final Signature[] entrySignatures = convertToSignatures(entryCerts);
if (pkg.mCertificates == null) {
pkg.mCertificates = entryCerts;
pkg.mSignatures = entrySignatures;
pkg.mSigningKeys = new ArraySet<PublicKey>();
for (int i=0; i < entryCerts.length; i++) {
pkg.mSigningKeys.add(entryCerts[i][0].getPublicKey());
}
} else {
if (!Signature.areExactMatch(pkg.mSignatures, entrySignatures)) {
throw new PackageParserException(
INSTALL_PARSE_FAILED_INCONSISTENT_CERTIFICATES, "Package " + apkPath
+ " has mismatched certificates at entry "
+ Name());
}
}
}
} catch (GeneralSecurityException e) {
throw new PackageParserException(INSTALL_PARSE_FAILED_CERTIFICATE_ENCODING,
"Failed to collect certificates from " + apkPath, e);
} catch (IOException | RuntimeException e) {
throw new PackageParserException(INSTALL_PARSE_FAILED_NO_CERTIFICATES,
"Failed to collect certificates from " + apkPath, e);
} finally {
closeQuietly(jarFile);
}
}
在collectCertificates(Package pkg, File apkFile, int flags)函数⾥⾯,⾸先提取apk的l⽂件。
final ZipEntry manifestEntry = jarFile.findEntry(ANDROID_MANIFEST_FILENAME);
if (manifestEntry == null) {
throw new PackageParserException(INSTALL_PARSE_FAILED_BAD_MANIFEST,
"Package " + apkPath + " has no manifest");
}
final List<ZipEntry> toVerify = new ArrayList<>();
toVerify.add(manifestEntry);
然后,程序遍历apk⽂件的所有⽂件节点,把除了META-INF/⽂件夹⾥⾯的⽂外外的所以⽂件加⼊待检验List。
// If we're parsing an untrusted package, verify all contents
if ((flags & PARSE_IS_SYSTEM) == 0) {
final Iterator<ZipEntry> i = jarFile.iterator();
while (i.hasNext()) {
final ZipEntry entry = i.next();
if (entry.isDirectory()) continue;
if (Name().startsWith("META-INF/")) continue;
if (Name().equals(ANDROID_MANIFEST_FILENAME)) continue;
toVerify.add(entry);
}
}
紧接着把所以节点传⼊loadCertificates()⽅法,
for (ZipEntry entry : toVerify) {
final Certificate[][] entryCerts = loadCertificates(jarFile, entry);
if (ArrayUtils.isEmpty(entryCerts)) {
throw new PackageParserException(INSTALL_PARSE_FAILED_NO_CERTIFICATES,
"Package " + apkPath + " has no certificates at entry "
+ Name());
}
final Signature[] entrySignatures = convertToSignatures(entryCerts);
if (pkg.mCertificates == null) {
pkg.mCertificates = entryCerts;
pkg.mSignatures = entrySignatures;
pkg.mSigningKeys = new ArraySet<PublicKey>();
for (int i=0; i < entryCerts.length; i++) {
pkg.mSigningKeys.add(entryCerts[i][0].getPublicKey());
}
} else {
if (!Signature.areExactMatch(pkg.mSignatures, entrySignatures)) {
throw new PackageParserException(
INSTALL_PARSE_FAILED_INCONSISTENT_CERTIFICATES, "Package " + apkPath
+ " has mismatched certificates at entry "
+ Name());
}
}
}
要知道loadCertificates()的作⽤需要分析其⽅法实现原型。在PackageParser.java中实现了loadCertificates()⽅法。
private static Certificate[][] loadCertificates(StrictJarFile jarFile, ZipEntry entry)throws PackageParserException {
InputStream is = null;
try {
// We must read the stream for the JarEntry to retrieve
// its certificates.
is = InputStream(entry);
readFullyIgnoringContents(is);
CertificateChains(entry);
} catch (IOException | RuntimeException e) {
throw new PackageParserException(INSTALL_PARSE_FAILED_UNEXPECTED_EXCEPTION,
"Failed reading " + Name() + " in " + jarFile, e);
} finally {
IoUtils.closeQuietly(is);
}
}
在StrictJarFile.java中,实现了getCertificateChains()⽅法,代码路
径/libcore/luni/src/main/java/java/util/jar/StrictJarFile.java。
public Certificate[][] getCertificateChains(ZipEntry ze) {
if (isSigned) {
Name());
}
return null;
}
StrictJarFile.java中的getCertificateChains()继续调⽤JarVerifier中的getCertificateChains()⽅法,代码路
径:/libcore/luni/src/main/java/java/util/jar/JarVerifier.java。
Certificate[][] getCertificateChains(String name) {
(name);
}
private final Hashtable<String, Certificate[][]> verifiedEntries=new Hashtable<String, Certificate[][]>();
verifiedEntries仅仅是JarVerifier中的⼀个变量,所以重点要查看verifiedEntries是怎样被赋值的。我们暂时把这个问题先放到后⾯处理。
在PackageParser.java中的collectCertificates(Package pkg, File apkFile, int flags)函数中,调⽤final Certificate[][] entryCerts = loadCertificates(jarFile, entry)前,先对jarFile进⾏了实例化,我们根据Stric
tJarFile的构造函数查看⼀下实例化过程。代码路径:/libcore/luni/src/main/java/java/util/jar/StrictJarFile.java。
public StrictJarFile(String fileName) throws IOException {
this.nativeHandle = nativeOpenJarFile(fileName);
this.raf = new RandomAccessFile(fileName, "r");
try {
// Read the MANIFEST and signature files up front and try to
// parse them. We never want to accept a JAR File with broken signatures
// or manifests, so it's best to throw as early as possible.
HashMap<String, byte[]> metaEntries = getMetaEntries();
this.manifest = new (JarFile.MANIFEST_NAME), true);
this.verifier = new JarVerifier(fileName, manifest, metaEntries);
isSigned = adCertificates() && verifier.isSignedJar();
} catch (IOException ioe) {
nativeClose(this.nativeHandle);
throw ioe;
}
guard.open("close");
}
private HashMap<String, byte[]> getMetaEntries() throws IOException {
HashMap<String, byte[]> metaEntries = new HashMap<String, byte[]>();
Iterator<ZipEntry> entryIterator = new EntryIterator(nativeHandle, "META-INF/");
while (entryIterator.hasNext()) {
final ZipEntry entry = ();
metaEntries.Name(), adFully(getInputStream(entry)));
}
return metaEntries;
}
JarVerifier构造函数。
JarVerifier(String name, Manifest manifest, HashMap<String, byte[]> metaEntries) {
jarName = name;
this.manifest = manifest;
this.mainAttributesEnd = MainAttributesEnd();
}
从上⾯的源码可以看出,getMetaEntries()就是从apk的META-INF/⽂件夹中读取⽂件,并把结果存储起来,存储形式是⽂件名为键⽂件byte内容为值得键值对。
回到StrictJarFile.java⽂件中的构造函数,⾥⾯还有⼀⾏代码与JarVerifier有关,即isSigned = adCertificates() && verifier.isSignedJar()。isSignedJar()函数⽐较简单,就是根据JarVerifier的certificates变量是否为空来判定Jar是否被签过名。在JarVerifier中查看readCertificates()源码。
boolean isSignedJar() {
return certificates.size() > 0;
}
synchronized boolean readCertificates() {
if (metaEntries.isEmpty()) {
return false;
}
Iterator<String> it = metaEntries.keySet().iterator();
while (it.hasNext()) {
String key = it.next();
if (dsWith(".DSA") || dsWith(".RSA") || dsWith(".EC")) {
verifyCertificate(key);
}
}
return true;
}
这个函数从META-INF/⽂件夹中提取以.DSA或.RSA或.EC结尾的⽂件,然后交给verifyCertificate(key)函数处理。所以我们查看verifyCertificate(key)函数实现。
private void verifyCertificate(String certFile) {
// Found Digital Sig, .SF should already have been read
String signatureFile = certFile.substring(0, certFile.lastIndexOf('.')) + ".SF";
byte[] sfBytes = (signatureFile);
if (sfBytes == null) {
return;
}
byte[] manifestBytes = (JarFile.MANIFEST_NAME);
// Manifest entry is required for any verifications.
if (manifestBytes == null) {
return;
}
byte[] sBlockBytes = (certFile);
try {
Certificate[] signerCertChain = JarUtils.verifySignature(
new ByteArrayInputStream(sfBytes),
new ByteArrayInputStream(sBlockBytes));
if (signerCertChain != null) {
certificates.put(signatureFile, signerCertChain);
}
} catch (IOException e) {
return;
} catch (GeneralSecurityException e) {
版权声明:本站内容均来自互联网,仅供演示用,请勿用于商业和其他非法用途。如果侵犯了您的权益请与我们联系QQ:729038198,我们将在24小时内删除。
发表评论