Example 1 with CentralDirectoryRecord
use of com.android.apksig.internal.zip.CentralDirectoryRecord in project apksig by venshine.
the class V1SchemeVerifier method checkForDuplicateEntries.
/**
* Returns the set of entry names and reports any duplicate entry names in the {@code result}
* as errors.
*/
private static Set<String> checkForDuplicateEntries(List<CentralDirectoryRecord> cdRecords, Result result) {
Set<String> cdEntryNames = new HashSet<>(cdRecords.size());
Set<String> duplicateCdEntryNames = null;
for (CentralDirectoryRecord cdRecord : cdRecords) {
String entryName = cdRecord.getName();
if (!cdEntryNames.add(entryName)) {
// This is an error. Report this once per duplicate name.
if (duplicateCdEntryNames == null) {
duplicateCdEntryNames = new HashSet<>();
}
if (duplicateCdEntryNames.add(entryName)) {
result.addError(Issue.JAR_SIG_DUPLICATE_ZIP_ENTRY, entryName);
}
}
}
return cdEntryNames;
}
Also used :
CentralDirectoryRecord(com.android.apksig.internal.zip.CentralDirectoryRecord)
HashSet(java.util.HashSet)
Example 2 with CentralDirectoryRecord
use of com.android.apksig.internal.zip.CentralDirectoryRecord in project apksig by venshine.
the class SourceStampVerifier method verifySourceStamp.
/**
* Verifies the provided {@code apk}'s source stamp signature, including verification of the
* SHA-256 digest of the stamp signing certificate matches the {@code expectedCertDigest}, and
* returns the result of the verification.
*
* @see #verifySourceStamp(String)
*/
private SourceStampVerifier.Result verifySourceStamp(DataSource apk, String expectedCertDigest) {
Result result = new Result();
try {
ZipSections zipSections = ApkUtilsLite.findZipSections(apk);
// Attempt to obtain the source stamp's certificate digest from the APK.
List<CentralDirectoryRecord> cdRecords = ZipUtils.parseZipCentralDirectory(apk, zipSections);
CentralDirectoryRecord sourceStampCdRecord = null;
for (CentralDirectoryRecord cdRecord : cdRecords) {
if (SOURCE_STAMP_CERTIFICATE_HASH_ZIP_ENTRY_NAME.equals(cdRecord.getName())) {
sourceStampCdRecord = cdRecord;
break;
}
}
// APK's signature block to determine the appropriate status to return.
if (sourceStampCdRecord == null) {
boolean stampSigningBlockFound;
try {
ApkSigningBlockUtilsLite.findSignature(apk, zipSections, SourceStampConstants.V2_SOURCE_STAMP_BLOCK_ID);
stampSigningBlockFound = true;
} catch (SignatureNotFoundException e) {
stampSigningBlockFound = false;
}
result.addVerificationError(stampSigningBlockFound ? ApkVerificationIssue.SOURCE_STAMP_SIGNATURE_BLOCK_WITHOUT_CERT_DIGEST : ApkVerificationIssue.SOURCE_STAMP_CERT_DIGEST_AND_SIG_BLOCK_MISSING);
return result;
}
// Verify that the contents of the source stamp certificate digest match the expected
// value, if provided.
byte[] sourceStampCertificateDigest = LocalFileRecord.getUncompressedData(apk, sourceStampCdRecord, zipSections.getZipCentralDirectoryOffset());
if (expectedCertDigest != null) {
String actualCertDigest = ApkSigningBlockUtilsLite.toHex(sourceStampCertificateDigest);
if (!expectedCertDigest.equalsIgnoreCase(actualCertDigest)) {
result.addVerificationError(ApkVerificationIssue.SOURCE_STAMP_EXPECTED_DIGEST_MISMATCH, actualCertDigest, expectedCertDigest);
return result;
}
}
Map<Integer, Map<ContentDigestAlgorithm, byte[]>> signatureSchemeApkContentDigests = new HashMap<>();
if (mMaxSdkVersion >= AndroidSdkVersion.P) {
SignatureInfo signatureInfo;
try {
signatureInfo = ApkSigningBlockUtilsLite.findSignature(apk, zipSections, V3SchemeConstants.APK_SIGNATURE_SCHEME_V3_BLOCK_ID);
} catch (SignatureNotFoundException e) {
signatureInfo = null;
}
if (signatureInfo != null) {
Map<ContentDigestAlgorithm, byte[]> apkContentDigests = new EnumMap<>(ContentDigestAlgorithm.class);
parseSigners(signatureInfo.signatureBlock, VERSION_APK_SIGNATURE_SCHEME_V3, apkContentDigests, result);
signatureSchemeApkContentDigests.put(VERSION_APK_SIGNATURE_SCHEME_V3, apkContentDigests);
}
}
if (mMaxSdkVersion >= AndroidSdkVersion.N && (mMinSdkVersion < AndroidSdkVersion.P || signatureSchemeApkContentDigests.isEmpty())) {
SignatureInfo signatureInfo;
try {
signatureInfo = ApkSigningBlockUtilsLite.findSignature(apk, zipSections, V2SchemeConstants.APK_SIGNATURE_SCHEME_V2_BLOCK_ID);
} catch (SignatureNotFoundException e) {
signatureInfo = null;
}
if (signatureInfo != null) {
Map<ContentDigestAlgorithm, byte[]> apkContentDigests = new EnumMap<>(ContentDigestAlgorithm.class);
parseSigners(signatureInfo.signatureBlock, VERSION_APK_SIGNATURE_SCHEME_V2, apkContentDigests, result);
signatureSchemeApkContentDigests.put(VERSION_APK_SIGNATURE_SCHEME_V2, apkContentDigests);
}
}
if (mMinSdkVersion < AndroidSdkVersion.N || signatureSchemeApkContentDigests.isEmpty()) {
Map<ContentDigestAlgorithm, byte[]> apkContentDigests = getApkContentDigestFromV1SigningScheme(cdRecords, apk, zipSections, result);
signatureSchemeApkContentDigests.put(VERSION_JAR_SIGNATURE_SCHEME, apkContentDigests);
}
ApkSigResult sourceStampResult = V2SourceStampVerifier.verify(apk, zipSections, sourceStampCertificateDigest, signatureSchemeApkContentDigests, mMinSdkVersion, mMaxSdkVersion);
result.mergeFrom(sourceStampResult);
return result;
} catch (ApkFormatException | IOException | ZipFormatException e) {
result.addVerificationError(ApkVerificationIssue.MALFORMED_APK, e);
} catch (NoSuchAlgorithmException e) {
result.addVerificationError(ApkVerificationIssue.UNEXPECTED_EXCEPTION, e);
} catch (SignatureNotFoundException e) {
result.addVerificationError(ApkVerificationIssue.SOURCE_STAMP_SIG_MISSING);
}
return result;
}
Also used :
CentralDirectoryRecord(com.android.apksig.internal.zip.CentralDirectoryRecord)
HashMap(java.util.HashMap)
ApkSigResult(com.android.apksig.internal.apk.ApkSigResult)
ZipFormatException(com.android.apksig.zip.ZipFormatException)
IOException(java.io.IOException)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
ApkSigResult(com.android.apksig.internal.apk.ApkSigResult)
SignatureInfo(com.android.apksig.internal.apk.SignatureInfo)
ApkFormatException(com.android.apksig.apk.ApkFormatException)
SignatureNotFoundException(com.android.apksig.internal.apk.SignatureNotFoundException)
ContentDigestAlgorithm(com.android.apksig.internal.apk.ContentDigestAlgorithm)
HashMap(java.util.HashMap)
Map(java.util.Map)
EnumMap(java.util.EnumMap)
EnumMap(java.util.EnumMap)
ZipSections(com.android.apksig.zip.ZipSections)
Example 3 with CentralDirectoryRecord
use of com.android.apksig.internal.zip.CentralDirectoryRecord in project apksig by venshine.
the class SourceStampVerifier method getApkContentDigestFromV1SigningScheme.
/**
* Returns a mapping of the {@link ContentDigestAlgorithm} to the {@code byte[]} digest of the
* V1 / jar signing META-INF/MANIFEST.MF; if this file is not found then an empty {@code Map} is
* returned.
*
* <p>If any errors are encountered while parsing the V1 signers the provided {@code result}
* will be updated to include a warning, but the source stamp verification can still proceed.
*/
private static Map<ContentDigestAlgorithm, byte[]> getApkContentDigestFromV1SigningScheme(List<CentralDirectoryRecord> cdRecords, DataSource apk, ZipSections zipSections, Result result) throws IOException, ApkFormatException {
CentralDirectoryRecord manifestCdRecord = null;
List<CentralDirectoryRecord> signatureBlockRecords = new ArrayList<>(1);
Map<ContentDigestAlgorithm, byte[]> v1ContentDigest = new EnumMap<>(ContentDigestAlgorithm.class);
for (CentralDirectoryRecord cdRecord : cdRecords) {
String cdRecordName = cdRecord.getName();
if (cdRecordName == null) {
continue;
}
if (manifestCdRecord == null && MANIFEST_ENTRY_NAME.equals(cdRecordName)) {
manifestCdRecord = cdRecord;
continue;
}
if (cdRecordName.startsWith("META-INF/") && (cdRecordName.endsWith(".RSA") || cdRecordName.endsWith(".DSA") || cdRecordName.endsWith(".EC"))) {
signatureBlockRecords.add(cdRecord);
}
}
if (manifestCdRecord == null) {
// thus an empty digest will invalidate that signature.
return v1ContentDigest;
}
if (signatureBlockRecords.isEmpty()) {
result.addVerificationWarning(ApkVerificationIssue.JAR_SIG_NO_SIGNATURES);
} else {
for (CentralDirectoryRecord signatureBlockRecord : signatureBlockRecords) {
try {
CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
byte[] signatureBlockBytes = LocalFileRecord.getUncompressedData(apk, signatureBlockRecord, zipSections.getZipCentralDirectoryOffset());
for (Certificate certificate : certFactory.generateCertificates(new ByteArrayInputStream(signatureBlockBytes))) {
// first is used as the signer of this block.
if (certificate instanceof X509Certificate) {
Result.SignerInfo signerInfo = new Result.SignerInfo();
signerInfo.setSigningCertificate((X509Certificate) certificate);
result.addV1Signer(signerInfo);
break;
}
}
} catch (CertificateException e) {
// Log a warning for the parsing exception but still proceed with the stamp
// verification.
result.addVerificationWarning(ApkVerificationIssue.JAR_SIG_PARSE_EXCEPTION, signatureBlockRecord.getName(), e);
break;
} catch (ZipFormatException e) {
throw new ApkFormatException("Failed to read APK", e);
}
}
}
try {
byte[] manifestBytes = LocalFileRecord.getUncompressedData(apk, manifestCdRecord, zipSections.getZipCentralDirectoryOffset());
v1ContentDigest.put(ContentDigestAlgorithm.SHA256, computeSha256DigestBytes(manifestBytes));
return v1ContentDigest;
} catch (ZipFormatException e) {
throw new ApkFormatException("Failed to read APK", e);
}
}
Also used :
CentralDirectoryRecord(com.android.apksig.internal.zip.CentralDirectoryRecord)
ArrayList(java.util.ArrayList)
CertificateException(java.security.cert.CertificateException)
ZipFormatException(com.android.apksig.zip.ZipFormatException)
CertificateFactory(java.security.cert.CertificateFactory)
X509Certificate(java.security.cert.X509Certificate)
GuaranteedEncodedFormX509Certificate(com.android.apksig.internal.util.GuaranteedEncodedFormX509Certificate)
ApkSigResult(com.android.apksig.internal.apk.ApkSigResult)
ApkSignerInfo(com.android.apksig.internal.apk.ApkSignerInfo)
ByteArrayInputStream(java.io.ByteArrayInputStream)
ApkFormatException(com.android.apksig.apk.ApkFormatException)
ContentDigestAlgorithm(com.android.apksig.internal.apk.ContentDigestAlgorithm)
EnumMap(java.util.EnumMap)
X509Certificate(java.security.cert.X509Certificate)
GuaranteedEncodedFormX509Certificate(com.android.apksig.internal.util.GuaranteedEncodedFormX509Certificate)
Certificate(java.security.cert.Certificate)
Example 4 with CentralDirectoryRecord
use of com.android.apksig.internal.zip.CentralDirectoryRecord in project apksig by venshine.
the class ApkUtils method getAndroidManifest.
/**
* Returns the contents of the APK's {@code AndroidManifest.xml}.
*
* @throws IOException if an I/O error occurs while reading the APK
* @throws ApkFormatException if the APK is malformed
*/
public static ByteBuffer getAndroidManifest(DataSource apk) throws IOException, ApkFormatException {
ZipSections zipSections;
try {
zipSections = findZipSections(apk);
} catch (ZipFormatException e) {
throw new ApkFormatException("Not a valid ZIP archive", e);
}
List<CentralDirectoryRecord> cdRecords = V1SchemeVerifier.parseZipCentralDirectory(apk, zipSections);
CentralDirectoryRecord androidManifestCdRecord = null;
for (CentralDirectoryRecord cdRecord : cdRecords) {
if (ANDROID_MANIFEST_ZIP_ENTRY_NAME.equals(cdRecord.getName())) {
androidManifestCdRecord = cdRecord;
break;
}
}
if (androidManifestCdRecord == null) {
throw new ApkFormatException("Missing " + ANDROID_MANIFEST_ZIP_ENTRY_NAME);
}
DataSource lfhSection = apk.slice(0, zipSections.getZipCentralDirectoryOffset());
try {
return ByteBuffer.wrap(LocalFileRecord.getUncompressedData(lfhSection, androidManifestCdRecord, lfhSection.size()));
} catch (ZipFormatException e) {
throw new ApkFormatException("Failed to read " + ANDROID_MANIFEST_ZIP_ENTRY_NAME, e);
}
}
Also used :
CentralDirectoryRecord(com.android.apksig.internal.zip.CentralDirectoryRecord)
ZipFormatException(com.android.apksig.zip.ZipFormatException)
DataSource(com.android.apksig.util.DataSource)
Example 5 with CentralDirectoryRecord
use of com.android.apksig.internal.zip.CentralDirectoryRecord in project apksig by venshine.
the class ApkSigner method extractPinPatterns.
/**
* Return list of pin patterns embedded in the pin pattern asset file. If no such file, return
* {@code null}.
*/
private static List<Hints.PatternWithRange> extractPinPatterns(List<CentralDirectoryRecord> cdRecords, DataSource lhfSection) throws IOException, ApkFormatException {
CentralDirectoryRecord pinListCdRecord = findCdRecord(cdRecords, Hints.PIN_HINT_ASSET_ZIP_ENTRY_NAME);
List<Hints.PatternWithRange> pinPatterns = null;
if (pinListCdRecord != null) {
pinPatterns = new ArrayList<>();
byte[] patternBlob;
try {
patternBlob = LocalFileRecord.getUncompressedData(lhfSection, pinListCdRecord, lhfSection.size());
} catch (ZipFormatException ex) {
throw new ApkFormatException("Bad " + pinListCdRecord);
}
pinPatterns = Hints.parsePinPatterns(patternBlob);
}
return pinPatterns;
}
Also used :
CentralDirectoryRecord(com.android.apksig.internal.zip.CentralDirectoryRecord)
ApkFormatException(com.android.apksig.apk.ApkFormatException)
ZipFormatException(com.android.apksig.zip.ZipFormatException)
Aggregations
CentralDirectoryRecord (com.android.apksig.internal.zip.CentralDirectoryRecord)12
ZipFormatException (com.android.apksig.zip.ZipFormatException)10
ApkFormatException (com.android.apksig.apk.ApkFormatException)9
ArrayList (java.util.ArrayList)5
EnumMap (java.util.EnumMap)5
HashSet (java.util.HashSet)5
ApkUtils (com.android.apksig.apk.ApkUtils)4
ApkSigResult (com.android.apksig.internal.apk.ApkSigResult)4
IOException (java.io.IOException)4
HashMap (java.util.HashMap)4
ContentDigestAlgorithm (com.android.apksig.internal.apk.ContentDigestAlgorithm)3
SignatureNotFoundException (com.android.apksig.internal.apk.SignatureNotFoundException)3
DataSource (com.android.apksig.util.DataSource)3
Map (java.util.Map)3
ApkSigningBlockUtils (com.android.apksig.internal.apk.ApkSigningBlockUtils)2
ByteBuffer (java.nio.ByteBuffer)2
MessageDigest (java.security.MessageDigest)2
NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)2
X509Certificate (java.security.cert.X509Certificate)2
ApkSigningBlockNotFoundException (com.android.apksig.apk.ApkSigningBlockNotFoundException)1
