Android App签名(证书)校验过程源码分析

本文从源码角度深入分析了Android App的签名校验过程,涉及PackageParser和JarVerifier等关键组件,详细阐述了从manifest.xml提取到证书链验证的整个流程,并对签名伪造的可能性进行了探讨。总结了签名和校验过程,提出了关于签名伪造和证书在升级中作用的疑问。
摘要由CSDN通过智能技术生成

  Android App安装是需要证书支持的,我们在Eclipse或者Android Studio中开发App时,并没有注意关于证书的事,也能正确安装App。这是因为使用了默认的debug证书。在Android App升级的时候,证书发挥的作用就尤为明显了。只有证书相同时,才能对App进行升级。证书也是为了防止App伪造的,属于Android安全策略的一部分。另外,Android沙箱机制中,也和证书有关。两个App如要共享文件,代码,或者资源时,需要使用shareUid属性,只有证书相同的App的才能shareUid。才外,如果一个App中申明了signature级别的权限,也是只有和那个App签名相同的App才能申请到对应的权限。

  虽然之前也了解过Android App的签名校验过程,但都是根据别人总结的结果,没有自己动手分析Android源码。所以本篇Blog将从源码出发分析Android App的签名校验过程,分析完源码之后,也会和网上大多数的资料一样给出总结。

  注意:由于签名校验过程是在App安装时进行的,所以源码分析的起始点是上篇Blog:PackageInstaller源码分析。不过不想了解PackageInstall源码也没有关系,只要不纠结程序的起点,分析过程就是App 签名校验模块。

一、 源码分析

  上篇BlogPackageInstaller源码分析中,程序安装过程调用了installPackageLI()方法。而在installPackageLI()方法内部,调用了collectCertificates()方法,从而进入了App的签名检验过程。下面我们查看collectCertificates()的源码实现,源码路径:/frameworks/base/core/java/android/content/pm/PackageParser.java

public void collectCertificates(Package pkg, int flags) throws PackageParserException {
    pkg.mCertificates = null;
    pkg.mSignatures = null;
    pkg.mSigningKeys = null;

    collectCertificates(pkg, new File(pkg.baseCodePath), flags);

    if (!ArrayUtils.isEmpty(pkg.splitCodePaths)) {
        for (String splitCodePath : pkg.splitCodePaths) {
            collectCertificates(pkg, new File(splitCodePath), flags);
        }
    }
}
private static void collectCertificates(Package pkg, File apkFile, int flags)
        throws PackageParserException {
    final String apkPath = apkFile.getAbsolutePath();

    StrictJarFile jarFile = null;
    try {
        jarFile = new StrictJarFile(apkPath);

        // Always verify manifest, regardless of source
        final ZipEntry manifestEntry = jarFile.findEntry(ANDROID_MANIFEST_FILENAME);
        if (manifestEntry == null) {
            throw new PackageParserException(INSTALL_PARSE_FAILED_BAD_MANIFEST,
                    "Package " + apkPath + " has no manifest");
        }

        final List<ZipEntry> toVerify = new ArrayList<>();
        toVerify.add(manifestEntry);

        // If we're parsing an untrusted package, verify all contents
        if ((flags & PARSE_IS_SYSTEM) == 0) {
            final Iterator<ZipEntry> i = jarFile.iterator();
            while (i.hasNext()) {
                final ZipEntry entry = i.next();

                if (entry.isDirectory()) continue;
                if (entry.getName().startsWith("META-INF/")) continue;
                if (entry.getName().equals(ANDROID_MANIFEST_FILENAME)) continue;

                toVerify.add(entry);
            }
        }

        // Verify that entries are signed consistently with the first entry
        // we encountered. Note that for splits, certificates may have
        // already been populated during an earlier parse of a base APK.
        for (ZipEntry entry : toVerify) {
            final Certificate[][] entryCerts = loadCertificates(jarFile, entry);
            if (ArrayUtils.isEmpty(entryCerts)) {
                throw new PackageParserException(INSTALL_PARSE_FAILED_NO_CERTIFICATES,
                        "Package " + apkPath + " has no certificates at entry "
                        + entry.getName());
            }
            final Signature[] entrySignatures = convertToSignatures(entryCerts);

            if (pkg.mCertificates == null) {
                pkg.mCertificates = entryCerts;
                pkg.mSignatures = entrySignatures;
                pkg.mSigningKeys = new ArraySet<PublicKey>();
                for (int i=0; i < entryCerts.length; i++) {
                    pkg.mSigningKeys.add(entryCerts[i][0].getPublicKey());
                }
            } else {
                if (!Signature.areExactMatch(pkg.mSignatures, entrySignatures)) {
                    throw new PackageParserException(
                            INSTALL_PARSE_FAILED_INCONSISTENT_CERTIFICATES, "Package " + apkPath
                                    + " has mismatched certificates at entry "
                                    + entry.getName());
                }
            }
        }
    } catch (GeneralSecurityException e) {
        throw new PackageParserException(INSTALL_PARSE_FAILED_CERTIFICATE_ENCODING,
                "Failed to collect certificates from " + apkPath, e);
    } catch (IOException | RuntimeException e) {
        throw new PackageParserException(INSTALL_PARSE_FAILED_NO_CERTIFICATES,
                "Failed to collect certificates from " + apkPath, e);
    } finally {
        closeQuietly(jarFile);
    }
}

  在collectCertificates(Package pkg, File apkFile, int flags)函数里面,首先提取apk的manifest.xml文件。

final ZipEntry manifestEntry = jarFile.findEntry(ANDROID_MANIFEST_FILENAME);
if (manifestEntry == null) {
   throw new PackageParserException(INSTALL_PARSE_FAILED_BAD_MANIFEST,
           "Package " + apkPath + " has no manifest");
}
final List<ZipEntry> toVerify = new ArrayList<>();
toVerify.add(manifestEntry);

  然后,程序遍历apk文件的所有文件节点,把除了META-INF/文件夹里面的文外外的所以文件加入待检验List。

// If we're parsing an untrusted package, verify all contents
if ((flags & PARSE_IS_SYSTEM) == 0) {
    final Iterator<ZipEntry> i = jarFile.iterator();
    while (i.hasNext()) {
        final ZipEntry entry = i.next();

        if (entry.isDirectory()) continue;
        if (entry.getName().startsWith("META-INF/")) continue;
        if (entry.getName().equals(ANDROID_MANIFEST_FILENAME)) continue;

        toVerify.add(entry);
    }
}

  紧接着把所以节点传入loadCertificates()方法,

for (ZipEntry entry : toVerify) {
   final Certificate[][] entryCerts = loadCertificates(jarFile, entry);
   if (ArrayUtils.isEmpty(entryCerts)) {
       throw new PackageParserException(INSTALL_PARSE_FAILED_NO_CERTIFICATES,
               "Package " + apkPath + " has no certificates at entry "
               + entry.getName());
   }
   final Signature[] entrySignatures = convertToSignatures(entryCerts);

   if (pkg.mCertificates == null) {
       pkg.mCertificates = entryCerts;
       pkg.mSignatures = entrySignatures;
       pkg.mSigningKeys = new ArraySet<PublicKey>();
       for (int i=0; i < entryCerts.length; i++) {
           pkg.mSigningKeys.add(entryCerts[i][0].getPublicKey());
       }
   } else {
       if (!Signature.areExactMatch(pkg.mSignatures, entrySignatures)) {
           throw new PackageParserException(
                   INSTALL_PARSE_FAILED_INCONSISTENT_CERTIFICATES, "Package " + apkPath
                           + " has mismatched certificates at entry "
                           + entry.getName());
       }
   }
}

  要知道loadCertificates()的作用需要分析其方法实现原型。在PackageParser.java中实现了loadCertificates()方法。

private static Certificate[][] loadCertificates(StrictJarFile jarFile, ZipEntry entry)throws PackageParserException {
   InputStream is = null;
   try {
       // We must read the stream for the JarEntry to retrieve
       // its certificates.
       is = jarFile.getInputStream(entry);
       readFullyIgnoringContents(is);
       return jarFile.getCertificateChains(entry);
   } catch (IOException | RuntimeException e) {
       throw new PackageParserException(INSTALL_PARSE_FAILED_UNEXPECTED_EXCEPTION,
               "Failed reading " + entry.getName() + " in " + jarFile, e);
   } finally {
       IoUtils.closeQuietly(is);
   }
}

  在StrictJarFile.java中,实现了getCertificateChains()方法,代码路径/libcore/luni/src/main/java/java/util/jar/StrictJarFile.java。

public Certificate[][] getCertificateChains(ZipEntry ze) {
if (isSigned) {
   return verifier.getCertificateChains(ze.getName());
}

return null;
}

  StrictJarFile.java中的getCertificateChains()继续调用JarVerifier中的getCertificateChains()方法,代码路径:/libcore/luni/src/main/java/java/util/jar/JarVerifier.java。

Certificate[][] getCertificateChains(String name) {
    return verifiedEntries.get(name);
}
private final Hashtable<String, Certificate[][]> verifiedEntries=new Hashtable<String, 
这个工具前后用了好多天的时间查阅资料并不断修改才完成。本工具可以用于读取apk的大量信息,无其他依赖。可以直接通过命令行运行,也可以当作架使用。 命令行方式使用举例: 获取AndroidManifest.xml文件中定义的versionCode: java -jar ApkAnalysis.jar “apk路径” -versionCode 获取apk证书详情: java -jar ApkAnalysis.jar “apk路径” -certs 获取apk证书中的第一条的详情: java -jar ApkAnalysis.jar “apk路径” -certs 0 获取证书摘要(百度、高德地图等API中需要的那个SHA1): java -jar ApkAnalysis.jar “apk路径” -certs 0 SHA1 获取apk发布者信息: java -jar ApkAnalysis.jar “apk路径” -certs 0 issuer 获取apk声明的权限: java -jar ApkAnalysis.jar “apk路径” -permissions 当作为架使用时,通过 ApkAnalysis apkAnalysis = ApkAnalysis.getApkReader(apkFilePath); 获取到ApkAnalysis的实例,然后就调用对应方法读取即可。相信都会使用自动补全等功能吧?那个会告诉你有哪些可用的方法,这里不例举了。 输入 java -jar ApkAnalysis.jar -help会给出如下提示,请慢慢研究。如果好用,请不吝评价一下,谢谢~至于源码么,会反编译的就反编译吧,我也拦不住的,纯Java写的,还是很好反编译的,也没有代码混淆过。感兴趣愿意一起交流的可以留言问我要,纯粹伸手党就算了。 Apk分析工具 v1.0.7 编译时JDK版本:1.6.0_33 当前JRE版本:1.6.0_33 作者:周骞 发布日期:2015-01-08 --------------------------------------------------- ApkAnalysis [-versionCode] [-versionName] [-packageName]... 可用的选项: -versionCode 版本号 -versionName 版本名称,如1.0.3 -packageName Apk名 -certs [index] [MD5|SHA1|issuer|subject|validity] 获取证书的信息 -verify 校验apk内文件的签名,并列出未通过校验的文件 -permissions 获取apk所需的权限 -features 获取apk所需的特性 -activities [detail] 获取apk所含的Activity -services [detail] 获取apk所含的Service -receivers [detail] 获取apk所含的静态Receiver -content [name] 获取AndroidManifest.xml中的内容 -extract 抽取apk中的文件 -h[elp] 显示此帮助信息 --------------------------------------------------- 如在程序中引用本,方法如下: ApkAnalysis apkAnalysis = ApkAnalysis.getApkReader(apkFilePath); 需要判断apkAnalysis是否为null,为null表示读取失败,不为null时即可调用getXX()获取数据
评论 1
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值