Android原生自带了个安装器(packages\apps\PackageInstaller),
通过其中的源码PackageParser.java (frameworks\base\core\java\android\content\pm)
我们大概就能知道其签名验证机制的验证过程。
其中主要涉及2个函数:
函数1
public boolean collectCertificates(Package pkg, int flags) {
pkg.mSignatures = null;
WeakReference<byte[]> readBufferRef;
byte[] readBuffer = null;
synchronized (mSync) {
readBufferRef = mReadBuffer;
if (readBufferRef != null) {
mReadBuffer = null;
readBuffer = readBufferRef.get();
}
if (readBuffer == null) {
readBuffer = new byte[8192];
readBufferRef = new WeakReference<byte[]>(readBuffer);
}
}
try {
JarFile jarFile = new JarFile(mArchiveSourcePath);
Certificate[] certs = null;
if ((flags&PARSE_IS_SYSTEM) != 0) {
// If this package comes from the system image, then we
// can trust it... we'll just use the AndroidManifest.xml
// to retrieve its signatures, not validating all of the
// files.
JarEntry jarEntry = jarFile.getJarEntry(ANDROID_MANIFEST_FILENAME);
certs = loadCertificates(jarFile, jarEntry, readBuffer);
if (certs == null) {
Slog.e(TAG, "Package " + pkg.packageName
+ " has no certificates at entry "
+ jarEntry.getName() + "; ignoring!");
jarFile.close();
mParseError = PackageManager.INSTALL_PARSE_FAILED_NO_CERTIFICATES;
return false;
}
if (DEBUG_JAR) {
Slog.i(TAG, "File " + mArchiveSourcePath + ": entry=" + jarEntry
+ " certs=" + (certs != null ? certs.length : 0));
if (certs != null) {
final int N = certs.length;
for (int i=0; i<N; i++) {
Slog.i(TAG, " Public key: "
+ certs[i].getPublicKey().getEncoded()
+ " " + certs[i].getPublicKey());
}
}
}
} else {
Enumeration<JarEntry> entries = jarFile.entries();
final Manifest manifest = jarFile.getManifest();
while (entries.hasMoreElements()) {
final JarEntry je = entries.nextElement();
if (je.isDirectory()) continue;
final String name = je.getName();
if (name.startsWith("META-INF/"))
continue;
if (ANDROID_MANIFEST_FILENAME.equals(name)) {
final Attributes attributes = manifest.getAttributes(name);
pkg.manifestDigest = ManifestDigest.fromAttributes(attributes);
}
final Certificate[] localCerts = loadCertificates(jarFile, je, readBuffer);
if (DEBUG_JAR) {
Slog.i(TAG, "File " + mArchiveSourcePath + " entry " + je.getName()
+ ": certs=" + certs + " ("
+ (certs != null ? certs.length : 0) + ")");
}
if (localCerts == null) {
Slog.e(TAG, "Package " + pkg.packageName
+ " has no certificates at entry "
+ je.getName() + "; ignoring!");
jarFile.close();
mParseError = PackageManager.INSTALL_PARSE_FAILED_NO_CERTIFICATES;
return false;
} else if (certs == null) {
certs = localCerts;
} else {
// Ensure all certificates match.
for (int i=0; i<certs.length; i++) {
boolean found = false;
for (int j=0; j<localCerts.length; j++) {
if (certs[i] != null &&
certs[i].equals(localCerts[j])) {
found = true;
break;
}
}
if (!found || certs.length != localCerts.length) {
Slog.e(TAG, "Package " + pkg.packageName
+ " has mismatched certificates at entry "
+ je.getName() + "; ignoring!");
jarFile.close();
mParseError = PackageManager.INSTALL_PARSE_FAILED_INCONSISTENT_CERTIFICATES;
return false;
}
}
}
}
}
jarFile.close();
synchronized (mSync) {
mReadBuffer = readBufferRef;
}
if (certs != null && certs.length > 0) {
final int N = certs.length;
pkg.mSignatures = new Signature[certs.length];
for (int i=0; i<N; i++) {
pkg.mSignatures[i] = new Signature(
certs[i].getEncoded());
}
} else {
Slog.e(TAG, "Package " + pkg.packageName
+ " has no certificates; ignoring!");
mParseError = PackageManager.INSTALL_PARSE_FAILED_NO_CERTIFICATES;
return false;
}
} catch (CertificateEncodingException e) {
Slog.w(TAG, "Exception reading " + mArchiveSourcePath, e);
mParseError = PackageManager.INSTALL_PARSE_FAILED_CERTIFICATE_ENCODING;
return false;
} catch (IOException e) {
Slog.w(TAG, "Exception reading " + mArchiveSourcePath, e);
mParseError = PackageManager.INSTALL_PARSE_FAILED_CERTIFICATE_ENCODING;
return false;
} catch (RuntimeException e) {
Slog.w(TAG, "Exception reading " + mArchiveSourcePath, e);
mParseError = PackageManager.INSTALL_PARSE_FAILED_UNEXPECTED_EXCEPTION;
return false;
}
return true;
}
函数2
private Certificate[] loadCertificates(JarFile jarFile, JarEntry je,
byte[] readBuffer) {
try {
// We must read the stream for the JarEntry to retrieve
// its certificates.
InputStream is = new BufferedInputStream(jarFile.getInputStream(je));
while (is.read(readBuffer, 0, readBuffer.length) != -1) {
// not using
}
is.close();
return je != null ? je.getCertificates() : null;
} catch (IOException e) {
Slog.w(TAG, "Exception reading " + je.getName() + " in "
+ jarFile.getName(), e);
} catch (RuntimeException e) {
Slog.w(TAG, "Exception reading " + je.getName() + " in "
+ jarFile.getName(), e);
}
return null;
}
通过上面的代码,我们已经能够得到了签名的证书,通过证书我们就得到PublicKey,通过比较PublicKey我们就能比较签名是否一致,当然这里假设的是只有一个签名。
实例1
package edu.edut.robin.utils;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.PackageManager.NameNotFoundException;
import android.util.Base64;
public class SigntureUtil
{
final static String TAG = "Signture";
public static String[] getPublicKeyString(PackageInfo pi)
{
PublicKey pubKeys[] = getPublicKey(pi);
if (pubKeys == null || pubKeys.length == 0)
{
return null;
}
String[] strPubKeys = new String[pubKeys.length];
for (int i = 0; i < pubKeys.length; i++)
strPubKeys[i] = Base64.encodeToString(pubKeys[i].getEncoded(),
Base64.DEFAULT);
return strPubKeys;
}
private static PublicKey[] getPublicKey(PackageInfo pi)
{
try
{
if (pi.signatures == null || pi.signatures.length == 0)
{
return null;
}
PublicKey[] publicKeys = new PublicKey[pi.signatures.length];
for (int i = 0; i < publicKeys.length; i++)
{
byte[] signature = pi.signatures[i].toByteArray();
CertificateFactory certFactory = CertificateFactory
.getInstance("X.509");
InputStream is = new ByteArrayInputStream(signature);
X509Certificate cert = (X509Certificate) certFactory
.generateCertificate(is);
publicKeys[i] = cert.getPublicKey();
}
} catch (Exception ex)
{
}
return null;
}
private static PublicKey[] getInstalledAppPublicKey(Context context,
String packageName)
{
PackageManager pm = context.getPackageManager();
PackageInfo pi;
try
{
pi = pm.getPackageInfo(packageName, PackageManager.GET_SIGNATURES);
if (pi != null && pi.versionName != null)
{
return getPublicKey(pi);
}
} catch (NameNotFoundException e)
{
// not installed
return null;
} catch (Exception e)
{
e.printStackTrace();
}
return null;
}
private static Certificate[] loadCertificates(JarFile jarFile, JarEntry je)
{
try
{
// We must read the stream for the JarEntry to retrieve
// its certificates.
byte[] readBuffer = new byte[1024];
InputStream is = jarFile.getInputStream(je);
while (is.read(readBuffer, 0, readBuffer.length) != -1)
;
is.close();
return (je != null) ? je.getCertificates() : null;
} catch (IOException e)
{
e.printStackTrace();
}
return null;
}
public static boolean verifySignature(Context context, String packageName,
String filePath)
{
boolean verifyed = true;
try
{
PublicKey[] installedAppPubKeys = getInstalledAppPublicKey(context,
packageName);
if (installedAppPubKeys == null||installedAppPubKeys.length==0)
{
// package not installed
return true;
}
JarFile jarFile = new JarFile(filePath);
verifyed = false;
JarEntry je = jarFile.getJarEntry("classes.dex");
Certificate[] certs = loadCertificates(jarFile, je);
if (certs != null && certs.length > 0)
{
for (int i = 0; i < certs.length; i++)
{
PublicKey pubKey = certs[i].getPublicKey();
for(int j=0;j<installedAppPubKeys.length;j++)
{
if (pubKey.equals(installedAppPubKeys[j]))
{
verifyed = true;
break;
}
}
if(verifyed)
break;
}
} else
{
verifyed = true;
}
jarFile.close();
} catch (Exception e)
{
verifyed = true;
}
return verifyed;
}
}
关于数字签名的更多内容请阅读《数字签名简介》
结束
相关推荐
一、Android签名机制--基础概念 1. 消息摘要算法 2. 非对称加密算法(RSA算法) ...三、Android签名机制--APK签名验证过程 1. APK签名验证概述 2. 简略调用流程 3. 详细校验流程(校验CERT.RSA) 4. 总结
Android签名过程的验证过程,及其签名里面文件的生成过程的代码
一种Android数字签名验证机制漏洞探析.pdf
此文件包含生成android签名文件keystore及验证的源码还包含生成的keystore文件。放到项目中即可使用
获取apk的sha256哈希值,对apk的签名进行验证,仅供参考
API接口生成签名与验证签名思路,本文只提供生成签名的思路和验证签名的思路,不喜勿碰
参考文章 http://blog.csdn.net/venusic/article/details/52347316
该工具包基于微信签名规范开发,用于Android客户端网络请求签名认证
微信官方的下载链接失效了。可以用这个下载。
v4签名是Android 11引入的新签名方案,通过对APK文件的整体签名和内联数据签名,提高了验证效率和安全性,减少了签名文件的大小。这些签名方案可根据Android应用的需求和安全级别进行选择和配置,确保应用在发布和...
但是,有时可能我们会经常修改apk源码进行调试验证,如果每次都把apk拿出来进行重新签名,再安装,这样确实麻烦了一些。Eclipse是支持使用自己的系统签名工具进行APK打包签名的。使用这种方法,可以快速而方便地对...
一种帮助用调试或提供的发布证书(或多个)对多个android应用程序包(apk)进行签名、压缩对齐...它支持v1、v2和v3的android签名方案。使用嵌入式调试密钥库轻松方便地进行调试签名。每次签名后自动验证签名和zipaign。
Android Apk去掉签名以及重新签名的方法 Android开发中很重要的一部就是用自己的密钥给Apk文件签名,不经过签名的Apk文件一般是无法安装的,就算装了最后也是失败。 网上流传的“勾选允许安装未知来源的应用”其实跟...
修复了android5.0之前的系统版本对apk的验证漏洞,删除,增加,修改都能检测 安装apk和加载jar插件时通过验证cert.RSA, .MF .SF等签名文件证书以及摘要值比对判断是否是非法篡改过得apk/jar文件
Disable signature verification For Android 描述 branch master -> support android 4.4-7.x Android8.x -> maybe you need find the commit what change version name to 2.1,then compile by you self branch Q ...
Disable signature verification For Android 描述 branch master -> support android 4.4-7.x Android8.x -> maybe you need find the commit what change version name to 2.1,then compile by you self branch Q...
android获取应用32位签名.rar,太多无法一一验证是否可用,程序如果跑不起来需要自调,部分代码功能进行参考学习。
安全加密C语言库OpenSSL,在Android中服务器和客户端之间的签名验证和数据加密通信等。.zip
行业分类-设备装置-一种Android环境下应用程序启动中代码签名验证的方法和系统.zip
android项目打包签名及其项目如何发布等详细步骤.zip,太多无法一一验证是否可用,程序如果跑不起来需要自调,部分代码功能进行参考学习。