I have created a signed APK from Eclipse for Android. I want to know which RSA certificate type is used in that signed APK, like RSA-1024 or RSA-2048.
How would I know that from the APK file?
EDIT: Title changed from "Which RSA certificate is used in signed APK in Eclipse? How to know RSA key size (1024/2048)?"
Which RSA certificate is used in signed APK in Eclipse?
Under Eclipse during debugging (and in the absence of another key), you will sign with the default Android debug key.
Eclipse creates it if it's not present. The key is added to debug.keystore, with a store and key password of android. See Signing in Debug Mode at Android's Signing Your Application.
You can sign with a few tools, including keytool or jarsigner. But I believe you need to use another tool to examine the certificate in the APK.
You can use OpenSSL to dump the relevant bits since it's PKCS #7, but you need to manually extract the relevant files from the APK.
For signing, I use jarsigner when working from the command line. For example, on Windows with the Debug key:
jarsigner -verbose -keystore C:\Users\<user>\.android\debug.keystore \
    -storepass android -keypass android -digestalg SHA1 \
    -sigalg SHA1withRSA <package name>.apk androiddebugkey
Eclipse performs something similar for you under the IDE.
You can't use jarsigner to dump the information. For example, the following will print the distinguished name, but it will not print the subjectPublicKeyInfo block:
$ jarsigner -verbose -certs -verify Test.apk
Similarly, you can't use keytool because it does not print the subjectPublicKeyInfo block either:
$ keytool -printcert -file META-INF/CERT.RSA
To determine the certificate in the APK, you need to look at a couple of files. The files of interest are in the META-INF directory of the APK. The signatures are in an .SF file along with a .RSA file (or .DSA file) for each signer. The signer's .RSA file (or .DSA file) is just PKCS #7 format.
I say "the signatures are in..." because individual elements of the APK are signed, and not the entire APK. So classes.dex gets signed, AndroidManifest.xml gets signed, each icon in res/ gets signed, etc.
Note: while jarsigner supports multiple signatures, Android only supports one signer (if I recall correctly).
Here's an example with an APK called CrackMe.apk using OpenSSL.
$ mkdir APK-test
$ mv CrackMe.apk APK-test
$ cd APK-test
Next, unpack the APK. It's just a ZIP file with additional metadata in META-INF/.
$ unzip -a CrackMe.apk
$ ls
AndroidManifest.xml  META-INF     res
CrackMe.apk          classes.dex  resources.arsc
Next, take a look in the META-INF directory.
$ cd META-INF/
$ ls
CERT.RSA  CERT.SF  MANIFEST.MF
The signatures are in CERT.SF, and the signer is in CERT.RSA.
Finally, use OpenSSL to parse CERT.RSA.
$ openssl pkcs7 -in CERT.RSA -inform DER -print_certs | openssl x509 -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1346030704 (0x503acc70)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=NY, L=New York, O=Unknown, OU=Unknown, CN=Example, LLC
        Validity
            Not Before: Aug 27 01:25:04 2012 GMT
            Not After : Dec  5 01:25:04 2035 GMT
        Subject: C=US, ST=NY, L=New York, O=Unknown, OU=Unknown, CN=Example, LLC
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (3072 bit)
                Modulus:
                    00:8d:a8:9a:34:84:d5:72:4f:e8:e7:69:78:e4:17:
                    13:93:e8:c5:23:a0:93:a7:f8:6c:58:3d:f0:ed:30:
                    ...
                    c1:2d:5e:9f:a4:79:56:19:7d:26:4d:27:6a:3e:26:
                    c0:fd:6a:ed:24:e9:62:80:73:8d
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
         80:c0:ac:a5:65:13:f3:2d:dd:d5:71:82:7c:2e:72:63:72:cf:
         76:49:4b:09:3c:12:e7:d6:9b:3d:53:8b:d4:e0:9c:ff:f2:d6:
         ...
         80:4d:9b:15:3f:82:1a:72:b2:4b:fd:05:2b:e7:36:f0:43:98:
         80:b7:8f:6c:fd:64
You can also use -pubkey when utilizing x509 to extract the public key in PEM format:
$ openssl pkcs7 -in CERT.RSA -inform DER -print_certs | openssl x509 -noout -pubkey
-----BEGIN PUBLIC KEY-----
...
-----END PUBLIC KEY-----
If interested in the Android APK validation code, see collectCertificates from PackageParser.java.
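The answer above extracts CERT.RSA by hand and reads the "Public-Key: (3072 bit)" line out of the OpenSSL dump. The script below is an added example, not code from the question, the answer or the Android project: it reads every META-INF/*.RSA block straight out of the APK with zipfile (so no unzip step), walks the PKCS #7 DER with a small hand-written parser, finds the SubjectPublicKeyInfo whose algorithm is rsaEncryption (OID 1.2.840.113549.1.1.1), and reports the bit length of the RSA modulus. It covers only the JAR-style v1 signature the answer describes. build_sample_apk is a constructed stand-in (a PKCS #7 SignedData wrapper around a certificate-shaped SEQUENCE with a deterministic modulus), so the whole thing runs offline without a real signed APK; point apk_signer_rsa_bits at a real file's bytes to get the same answer OpenSSL gives.

```python
"""Report the RSA key size of the v1 (JAR) signer in an APK.
Added example: a minimal DER walker, not the Android or OpenSSL code."""
import io
import zipfile

# DER-encoded OID contents (without tag/length).
OID_RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")     # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")            # 1.2.840.113549.1.7.1


def der_encode(tag, content):
    """Encode one DER TLV with a definite (short or long form) length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_children(value):
    """Split the contents of a constructed DER value into (tag, content) pairs."""
    pos, out = 0, []
    while pos < len(value):
        tag, first = value[pos], value[pos + 1]
        if first & 0x80:                       # long-form length
            n = first & 0x7F
            length = int.from_bytes(value[pos + 2:pos + 2 + n], "big")
            hdr = 2 + n
        else:                                  # short-form length
            length, hdr = first, 2
        start = pos + hdr
        out.append((tag, value[start:start + length]))
        pos = start + length
    return out


def _rsa_modulus_bits(spki_children):
    """Given [AlgorithmIdentifier, BIT STRING], return the modulus bit length, or None."""
    (alg_tag, alg), (bs_tag, bits) = spki_children
    if alg_tag != 0x30 or bs_tag != 0x03:
        return None
    alg_kids = der_children(alg)
    if not alg_kids or alg_kids[0] != (0x06, OID_RSA_ENCRYPTION):
        return None                            # DSA/EC or some other structure
    # BIT STRING: one unused-bits byte, then RSAPublicKey ::= SEQUENCE { n, e }.
    rsa_pub = der_children(bits[1:])
    if len(rsa_pub) != 1 or rsa_pub[0][0] != 0x30:
        return None
    seq_kids = der_children(rsa_pub[0][1])
    if not seq_kids or seq_kids[0][0] != 0x02:
        return None
    return int.from_bytes(seq_kids[0][1], "big").bit_length()


def rsa_key_bits_from_der(der):
    """Depth-first search of a DER blob (e.g. CERT.RSA) for the first rsaEncryption
    SubjectPublicKeyInfo; returns its modulus size in bits, or None if none is found."""
    for tag, content in der_children(der):
        if tag & 0x20 == 0:                    # primitive: nothing to descend into
            continue
        kids = der_children(content)
        if tag == 0x30 and len(kids) == 2:
            bits = _rsa_modulus_bits(kids)
            if bits is not None:
                return bits
        found = rsa_key_bits_from_der(content)
        if found is not None:
            return found
    return None


def apk_signer_rsa_bits(apk_bytes):
    """Map each META-INF/*.RSA signature block in the APK to its signer's RSA key size."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.upper().startswith("META-INF/") and name.upper().endswith(".RSA"):
                result[name] = rsa_key_bits_from_der(zf.read(name))
    return result


def build_sample_apk(key_bits):
    """Constructed sample (not a real signed APK): a mock APK whose CERT.RSA is a
    PKCS #7 SignedData carrying one certificate-shaped SEQUENCE with an RSA SPKI."""
    def der_int(v):
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        return der_encode(0x02, b"\x00" + raw if raw[0] & 0x80 else raw)
    n = (1 << (key_bits - 1)) | 0x10001        # deterministic odd value of exactly key_bits bits
    rsa_pub = der_encode(0x30, der_int(n) + der_int(65537))
    spki = der_encode(0x30, der_encode(0x30, der_encode(0x06, OID_RSA_ENCRYPTION)
                                        + der_encode(0x05, b""))
                      + der_encode(0x03, b"\x00" + rsa_pub))
    cert = der_encode(0x30, der_encode(0x30, der_int(1) + spki))   # Certificate { tbs }
    signed_data = der_encode(0x30, der_int(1) + der_encode(0x31, b"")
                             + der_encode(0x30, der_encode(0x06, OID_DATA))
                             + der_encode(0xA0, cert))              # [0] certificates
    content_info = der_encode(0x30, der_encode(0x06, OID_SIGNED_DATA)
                              + der_encode(0xA0, signed_data))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n")
        zf.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
        zf.writestr("META-INF/CERT.RSA", content_info)
    return buf.getvalue()


if __name__ == "__main__":
    for bits in (1024, 2048, 3072):
        print(apk_signer_rsa_bits(build_sample_apk(bits)))
```

The walker deliberately matches only a two-element SEQUENCE of AlgorithmIdentifier plus BIT STRING, so the SignerInfo's digestEncryptionAlgorithm (also rsaEncryption, but followed by an OCTET STRING) and the certificate's sha1WithRSAEncryption signature field are skipped. If a real CERT.RSA yields None, the signer is not RSA (a .DSA block, for instance) and the OpenSSL dump in the answer will show a different Public Key Algorithm.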