Determine signing certificate from an APK

Problem description

I have created a signed APK from Eclipse for Android. I want to know which RSA certificate type is used in that signed APK, like RSA-1024 or RSA-2048.

How would I know that from the APK file?

EDIT: Title changed from "Which RSA certificate is used in signed APK in Eclipse? How to know RSA key size (1024/2048)?"

Recommended answer

Which RSA certificate is used in signed APK in Eclipse?

Under Eclipse during debugging (and in the absence of another key), you will sign with the default Android debug key.

Eclipse creates it if it's not present. The key is added to debug.keystore, with a store and key password of android. See Signing in Debug Mode at Android's Signing Your Application.

You can sign with a few tools, including keytool or jarsigner. But I believe you need to use another tool to examine the certificate in the APK.

You can use OpenSSL to dump the relevant bits since it's PKCS #7, but you need to manually extract the relevant files from the APK.

For signing, I use jarsigner when working from the command line. For example, on Windows with the Debug key:

jarsigner -verbose -keystore C:\Users\<user>\.android\debug.keystore \
    -storepass android -keypass android -digestalg SHA1 \
    -sigalg SHA1withRSA <package name>.apk androiddebugkey

Eclipse performs similarly for you under the IDE.

You can't use jarsigner to dump the information. For example, the following will print the distinguished name, but it will not print the subjectPublicKeyInfo block:

$ jarsigner -verbose -certs -verify Test.apk

Similarly, you can't use keytool because it does not print the subjectPublicKeyInfo block either:

$ keytool -printcert -file META-INF/CERT.RSA

To determine the certificate in the APK, you need to look at a couple of files. The files of interest are in the META-INF directory of the APK. The signatures are in an .SF file along with a .RSA file (or .DSA file) for each signer. The signer's .RSA file (or .DSA file) is just PKCS #7 format.

I say "the signatures are in..." because individual elements of the APK are signed, and not the entire APK. So classes.dex gets signed, AndroidManifest.xml gets signed, each icon in res/ gets signed, etc.

Note: while jarsigner supports multiple signatures, Android only supports one signer (if I recall correctly).

Here's an example with an APK called CrackMe.apk using OpenSSL.

$ mkdir APK-test
$ mv CrackMe.apk APK-test
$ cd APK-test

Next unpack the APK. It's just a ZIP file with additional metadata in META-INF/.

$ unzip -a CrackMe.apk 
$ ls
AndroidManifest.xml    META-INF             res
CrackMe.apk            classes.dex          resources.arsc

Next, take a look in the META-INF directory.

$ cd META-INF/
$ ls
CERT.RSA    CERT.SF    MANIFEST.MF

The signatures are in CERT.SF, and the signer is in CERT.RSA.

Finally, use OpenSSL to parse CERT.RSA.

$ openssl pkcs7 -in CERT.RSA -inform DER -print_certs | openssl x509 -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1346030704 (0x503acc70)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=NY, L=New York, O=Unknown, OU=Unknown, CN=Example, LLC
        Validity
            Not Before: Aug 27 01:25:04 2012 GMT
            Not After : Dec  5 01:25:04 2035 GMT
        Subject: C=US, ST=NY, L=New York, O=Unknown, OU=Unknown, CN=Example, LLC
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (3072 bit)
                Modulus:
                    00:8d:a8:9a:34:84:d5:72:4f:e8:e7:69:78:e4:17:
                    13:93:e8:c5:23:a0:93:a7:f8:6c:58:3d:f0:ed:30:
                    ...
                    c1:2d:5e:9f:a4:79:56:19:7d:26:4d:27:6a:3e:26:
                    c0:fd:6a:ed:24:e9:62:80:73:8d
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
         80:c0:ac:a5:65:13:f3:2d:dd:d5:71:82:7c:2e:72:63:72:cf:
         76:49:4b:09:3c:12:e7:d6:9b:3d:53:8b:d4:e0:9c:ff:f2:d6:
         ...
         80:4d:9b:15:3f:82:1a:72:b2:4b:fd:05:2b:e7:36:f0:43:98:
         80:b7:8f:6c:fd:64

You can also use -pubkey when utilizing x509 to extract the public key in PEM format:

$ openssl pkcs7 -in CERT.RSA -inform DER -print_certs | openssl x509 -noout -pubkey 
-----BEGIN PUBLIC KEY-----
MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAjaiaNITVck/o52l45BcT
k+jFI6CTp/hsWD3w7TAoGMA4RyH1pNcLD3ZZLXqdCPGKzKf107YhmiSp9K3DALG+
AHorHroKsnmGJFXglIEOLAq7gBVrfxOiBAxr0HW4MLXXGMvr2Asq4AkJAbFFmApU
5I3bGv3DCApHBbH6B10V5gTT0VzbkxHAejqNJVIHBmi6ueKLKh5ytJeRZufgD3ZX
+uEszGfJrD48woXkqSlCOyxHSi4PWyHLm95OXYkvlBSudNt5q9yDuy+KkJgrSHLC
jwxISkM2JzEoWYhqNqRgosBv6pg16+97YPeE6tHoG6dHazjCClhr5oZxw/7t6969
8rZ8m/fcLf3cOtcApqOFhCViq0ddADrOxMD2Qsp/xHx1kUg7eprE6dOEvQKr4oT5
oBiJkOStnAQFWRw/GDFTqpvDsYSOKn64/1cJ/+NEeLw4y+HCTMcNAsPknBQlXxNc
hzX0zSqrJ+vBLV6fpHlWGX0mTSdqPibA/WrtJOligHONAgMBAAE=
-----END PUBLIC KEY-----
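The same check done programmatically, as an added example that is not part of the original answer. It is a standard-library-only Python script with a minimal DER walker: it locates the RSA SubjectPublicKeyInfo either in the PEM public key printed above (embedded below as sample input) or in a PKCS #7 META-INF/*.RSA entry read straight out of an APK, and reports the modulus size and public exponent, which is the "RSA-1024 or RSA-2048" question from the top of the page. The APK reader assumes a v1 (JAR) signature with an RSA signer, as in this answer; function names are my own.

```python
import base64
import re
import sys
import zipfile

# DER encoding of OID 1.2.840.113549.1.1.1 (rsaEncryption)
OID_RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")
TAG_INTEGER, TAG_BIT_STRING, TAG_OID, TAG_SEQUENCE = 0x02, 0x03, 0x06, 0x30

# Sample input: the public key printed by `openssl x509 -pubkey` in the answer above.
PAGE_PUBLIC_KEY_PEM = """-----BEGIN PUBLIC KEY-----
MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAjaiaNITVck/o52l45BcT
k+jFI6CTp/hsWD3w7TAoGMA4RyH1pNcLD3ZZLXqdCPGKzKf107YhmiSp9K3DALG+
AHorHroKsnmGJFXglIEOLAq7gBVrfxOiBAxr0HW4MLXXGMvr2Asq4AkJAbFFmApU
5I3bGv3DCApHBbH6B10V5gTT0VzbkxHAejqNJVIHBmi6ueKLKh5ytJeRZufgD3ZX
+uEszGfJrD48woXkqSlCOyxHSi4PWyHLm95OXYkvlBSudNt5q9yDuy+KkJgrSHLC
jwxISkM2JzEoWYhqNqRgosBv6pg16+97YPeE6tHoG6dHazjCClhr5oZxw/7t6969
8rZ8m/fcLf3cOtcApqOFhCViq0ddADrOxMD2Qsp/xHx1kUg7eprE6dOEvQKr4oT5
oBiJkOStnAQFWRw/GDFTqpvDsYSOKn64/1cJ/+NEeLw4y+HCTMcNAsPknBQlXxNc
hzX0zSqrJ+vBLV6fpHlWGX0mTSdqPibA/WrtJOligHONAgMBAAE=
-----END PUBLIC KEY-----"""


def read_tlv(data, offset=0):
    """Decode one DER tag-length-value at offset; return (tag, value, end)."""
    tag, first = data[offset], data[offset + 1]
    offset += 2
    if first & 0x80:                      # long form: 0x8N, then N big-endian length bytes
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length is not valid DER")
        length = int.from_bytes(data[offset:offset + n], "big")
        offset += n
    else:
        length = first
    end = offset + length
    if end > len(data):
        raise ValueError("truncated DER element")
    return tag, data[offset:end], end


def children(value):
    """Yield (tag, value, raw_tlv) for each element inside a constructed DER value."""
    offset = 0
    while offset < len(value):
        start = offset
        tag, inner, offset = read_tlv(value, offset)
        yield tag, inner, value[start:offset]


def find_rsa_spki(element):
    """Depth-first search of a DER element for SubjectPublicKeyInfo ::= SEQUENCE {
    AlgorithmIdentifier (OID rsaEncryption), BIT STRING }. Returns the SEQUENCE content
    or None. On a PKCS #7 SignedData this is the first certificate in encoding order."""
    tag, value, _ = read_tlv(element)
    if not (tag & 0x20):                  # primitive element: nothing to descend into
        return None
    kids = list(children(value))
    if (tag == TAG_SEQUENCE and len(kids) == 2
            and kids[0][0] == TAG_SEQUENCE and kids[1][0] == TAG_BIT_STRING):
        alg = list(children(kids[0][1]))
        if alg and alg[0][0] == TAG_OID and alg[0][1] == OID_RSA_ENCRYPTION:
            return value
    for _, _, raw in kids:
        found = find_rsa_spki(raw)
        if found is not None:
            return found
    return None


def rsa_key_parameters(spki_value):
    """Return (modulus_bits, public_exponent) from RSA SubjectPublicKeyInfo content."""
    bit_string = list(children(spki_value))[1][1]
    # Byte 0 of a BIT STRING is the unused-bit count (0 for a key); the rest is
    # RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }.
    _, rsa_pub, _ = read_tlv(bit_string[1:])
    ints = [int.from_bytes(v, "big", signed=True)  # signed: DER pads a high-bit modulus with 0x00
            for t, v, _ in children(rsa_pub) if t == TAG_INTEGER]
    return ints[0].bit_length(), ints[1]


def pem_to_der(pem):
    """Strip the -----BEGIN/END----- armour and base64-decode the body."""
    return base64.b64decode(re.sub(r"-----[A-Z ]+-----|\s", "", pem))


def describe_public_key_pem(pem):
    """(modulus_bits, exponent) for a '-----BEGIN PUBLIC KEY-----' block."""
    spki = find_rsa_spki(pem_to_der(pem))
    if spki is None:
        raise ValueError("no RSA SubjectPublicKeyInfo found (not an RSA key?)")
    return rsa_key_parameters(spki)


def apk_signer_keys(apk_path):
    """Map each META-INF/*.RSA entry (PKCS #7 DER) of a v1-signed APK to the
    (modulus_bits, exponent) of its first certificate, without unzipping to disk."""
    keys = {}
    with zipfile.ZipFile(apk_path) as apk:
        for name in apk.namelist():
            if name.upper().startswith("META-INF/") and name.upper().endswith(".RSA"):
                spki = find_rsa_spki(apk.read(name))
                if spki is not None:
                    keys[name] = rsa_key_parameters(spki)
    return keys


if __name__ == "__main__":
    if len(sys.argv) > 1:                 # usage: python check_apk_key.py CrackMe.apk
        for name, (bits, e) in apk_signer_keys(sys.argv[1]).items():
            print(f"{name}: RSA {bits}-bit, e={e}")
    else:
        bits, e = describe_public_key_pem(PAGE_PUBLIC_KEY_PEM)
        print(f"public key above: RSA {bits}-bit, e={e}")
```

Run without arguments it reports the 3072-bit key shown in the OpenSSL output above; given an APK path it reads CERT.RSA out of the ZIP directly, so the unzip step is not needed. If the .RSA file carries a whole chain, the first certificate in encoding order is not necessarily the signer's leaf, so compare the result against the Subject printed by `openssl x509 -text` before drawing conclusions.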

If you are interested in the Android APK verification code, see
