Determine signing certificate from an APK
Question
I have created a signed APK from Eclipse for Android. I want to know which RSA certificate type is used in that signed APK, like RSA-1024 or RSA-2048.
How would I know that from the APK file?
EDIT: Title changed from "Which RSA certificate is used in signed APK in Eclipse? How to know RSA key size (1024/2048)?"
Answer
Which RSA certificate is used in signed APK in Eclipse?
Under Eclipse during debugging (and in the absence of another key), you will sign with the default Android debug key. Eclipse creates it if it's not present. The key is added to debug.keystore, with a store and key password of android. See Signing in Debug Mode at Android's Signing Your Application.
You can sign with a few tools, including keytool or jarsigner. But I believe you need to use another tool to examine the certificate in the APK.
You can use OpenSSL to dump the relevant bits since it's PKCS #7, but you need to manually extract the relevant files from the APK.
For signing, I use jarsigner when working from the command line. For example, on Windows with the Debug key:
jarsigner -verbose -keystore C:\Users\<user>\.android\debug.keystore \
-storepass android -keypass android -digestalg SHA1 \
-sigalg SHA1withRSA <package name>.apk androiddebugkey
Eclipse does something similar for you under the IDE.
You can't use jarsigner to dump the information. For example, the following will print the distinguished name, but it will not print the subjectPublicKeyInfo block:
$ jarsigner -verbose -certs -verify Test.apk
Similarly, you can't use keytool because it does not print the subjectPublicKeyInfo block either:
$ keytool -printcert -file META-INF/CERT.RSA
To determine the certificate in the APK, you need to look at a couple of files. The files of interest are in the META-INF directory of the APK. The signatures are in an .SF file along with a .RSA file (or .DSA file) for each signer. The signer's .RSA file (or .DSA file) is just PKCS #7 format.
I say "the signatures are in..." because individual elements of the APK are signed, and not the entire APK. So classes.dex gets signed, AndroidManifest.xml gets signed, each icon in res/ gets signed, etc.
Note: while jarsigner supports multiple signatures, Android only supports one signer (if I recall correctly).
Here's an example with an APK called CrackMe.apk using OpenSSL.
$ mkdir APK-test
$ mv CrackMe.apk APK-test
$ cd APK-test
Next unpack the APK. It's just a ZIP file with additional metadata in META-INF/.
$ unzip -a CrackMe.apk
$ ls
AndroidManifest.xml META-INF res
CrackMe.apk classes.dex resources.arsc
Next, take a look in the META-INF directory.
$ cd META-INF/
$ ls
CERT.RSA CERT.SF MANIFEST.MF
The signatures are in CERT.SF, and the signer is in CERT.RSA.
Finally, use OpenSSL to parse CERT.RSA.
$ openssl pkcs7 -in CERT.RSA -inform DER -print_certs | openssl x509 -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1346030704 (0x503acc70)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=NY, L=New York, O=Unknown, OU=Unknown, CN=Example, LLC
Validity
Not Before: Aug 27 01:25:04 2012 GMT
Not After : Dec 5 01:25:04 2035 GMT
Subject: C=US, ST=NY, L=New York, O=Unknown, OU=Unknown, CN=Example, LLC
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (3072 bit)
Modulus:
00:8d:a8:9a:34:84:d5:72:4f:e8:e7:69:78:e4:17:
13:93:e8:c5:23:a0:93:a7:f8:6c:58:3d:f0:ed:30:
...
c1:2d:5e:9f:a4:79:56:19:7d:26:4d:27:6a:3e:26:
c0:fd:6a:ed:24:e9:62:80:73:8d
Exponent: 65537 (0x10001)
Signature Algorithm: sha1WithRSAEncryption
80:c0:ac:a5:65:13:f3:2d:dd:d5:71:82:7c:2e:72:63:72:cf:
76:49:4b:09:3c:12:e7:d6:9b:3d:53:8b:d4:e0:9c:ff:f2:d6:
...
80:4d:9b:15:3f:82:1a:72:b2:4b:fd:05:2b:e7:36:f0:43:98:
80:b7:8f:6c:fd:64
You can also use -pubkey when utilizing x509 to extract the public key in PEM format:
$ openssl pkcs7 -in CERT.RSA -inform DER -print_certs | openssl x509 -noout -pubkey
-----BEGIN PUBLIC KEY-----
MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAjaiaNITVck/o52l45BcT
k+jFI6CTp/hsWD3w7TAoGMA4RyH1pNcLD3ZZLXqdCPGKzKf107YhmiSp9K3DALG+
AHorHroKsnmGJFXglIEOLAq7gBVrfxOiBAxr0HW4MLXXGMvr2Asq4AkJAbFFmApU
5I3bGv3DCApHBbH6B10V5gTT0VzbkxHAejqNJVIHBmi6ueKLKh5ytJeRZufgD3ZX
+uEszGfJrD48woXkqSlCOyxHSi4PWyHLm95OXYkvlBSudNt5q9yDuy+KkJgrSHLC
jwxISkM2JzEoWYhqNqRgosBv6pg16+97YPeE6tHoG6dHazjCClhr5oZxw/7t6969
8rZ8m/fcLf3cOtcApqOFhCViq0ddADrOxMD2Qsp/xHx1kUg7eprE6dOEvQKr4oT5
oBiJkOStnAQFWRw/GDFTqpvDsYSOKn64/1cJ/+NEeLw4y+HCTMcNAsPknBQlXxNc
hzX0zSqrJ+vBLV6fpHlWGX0mTSdqPibA/WrtJOligHONAgMBAAE=
-----END PUBLIC KEY-----
If you are interested in the Android APK verification code, see the linked source (the link was not preserved in this copy).
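As an added example (not part of the original answer), the same extraction the answer does by hand with unzip and openssl, done programmatically: open the APK as a ZIP, read META-INF/*.RSA, walk the PKCS#7 DER down to the certificate's SubjectPublicKeyInfo and report the RSA modulus size. It assumes a v1 (JAR) signed APK with an RSA signer; the DER walker is minimal (RSA only), and the sample APK it builds is constructed with a placeholder modulus, not a real certificate.

```python
import io, zipfile
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # DER TLV of OID id-rsaEncryption

def der(tag, body):  # minimal DER encoder, used only to build the constructed sample below
    n = len(body)  # short-form length below 128, else 0x81/0x82 plus 1 or 2 length bytes
    ln = bytes([n]) if n < 0x80 else bytes([0x80 | (n > 0xFF) + 1]) + n.to_bytes((n > 0xFF) + 1, "big")
    return bytes([tag]) + ln + body

def tlvs(buf, pos, end):
    """Yield (tag, value_start, value_end) for each DER TLV in buf[pos:end]."""
    while pos < end:
        tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
        if ln & 0x80:  # long-form length: low bits give the number of length bytes
            n = ln & 0x7F
            ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        yield tag, pos, pos + ln
        pos += ln

def rsa_key_bits(buf, start=0, end=None):
    """Find SPKI = SEQUENCE{AlgId(rsaEncryption), BIT STRING(RSAPublicKey)}; return modulus bits."""
    for tag, vs, ve in tlvs(buf, start, len(buf) if end is None else end):
        kids = list(tlvs(buf, vs, ve)) if tag == 0x30 else []
        if (len(kids) == 2 and kids[0][0] == 0x30 and kids[1][0] == 0x03
                and buf[kids[0][1]:kids[0][1] + len(RSA_OID)] == RSA_OID):
            _, rs, _ = next(tlvs(buf, kids[1][1] + 1, kids[1][2]))  # skip the unused-bits byte
            _, ms, me = next(tlvs(buf, rs, kids[1][2]))  # first INTEGER of RSAPublicKey is n
            return int.from_bytes(buf[ms:me], "big").bit_length()
        if tag & 0x20:  # any constructed node (SEQUENCE, SET, [0] certificates): descend
            if (bits := rsa_key_bits(buf, vs, ve)):
                return bits
    return None

def apk_signer_key_bits(apk_bytes):
    """Open the APK as a ZIP, find META-INF/*.RSA and return (entry name, RSA key bits)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.endswith(".RSA"):
                return name, rsa_key_bits(z.read(name))
    return None, None

def sample_apk(bits=2048):
    """Constructed sample: a ZIP whose CERT.RSA mimics SignedData -> [0] certs -> cert -> SPKI."""
    n = (1 << (bits - 1)) | 1  # placeholder modulus of the requested size, not a real key
    rsa_pub = der(0x30, der(0x02, b"\x00" + n.to_bytes(bits // 8, "big")) + der(0x02, b"\x01\x00\x01"))
    spki = der(0x30, der(0x30, RSA_OID + der(0x05, b"")) + der(0x03, b"\x00" + rsa_pub))
    signed = der(0x30, der(0xA0, der(0x30, der(0x30, spki))))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as z:
        z.writestr("META-INF/CERT.RSA", signed)
    return out.getvalue()
```

Against a real APK, pass the file's bytes to apk_signer_key_bits; the result matches the "Public-Key: (... bit)" line openssl prints above.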