Determine signing certificate from an APK
Question
I have created a signed APK from Eclipse for Android. I want to know which RSA certificate type is used in that signed APK, like RSA-1024 or RSA-2048.
How would I know that from the APK file?
EDIT: Title changed from "Which RSA certificate is used in signed APK in Eclipse? How to know RSA key size (1024/2048)?"
Answer
Which RSA certificate is used in signed APK in Eclipse?
Under Eclipse during debugging (and in the absence of another key), you will sign with the default Android debug key.
Eclipse creates it if it's not present. The key is added to debug.keystore, with a store and key password of android. See Signing in Debug Mode at Android's Signing Your Application.
You can sign with a few tools, including keytool or jarsigner. But I believe you need to use another tool to examine the certificate in the APK.
You can use OpenSSL to dump the relevant bits since it's PKCS #7, but you need to manually extract the relevant files from the APK.
For signing, I use jarsigner when working from the command line. For example, on Windows with the Debug key:
jarsigner -verbose -keystore C:\Users\<user>\.android\debug.keystore \
-storepass android -keypass android -digestalg SHA1 \
-sigalg SHA1withRSA <package name>.apk androiddebugkey
Eclipse performs something similar for you under the IDE.
You can't use jarsigner to dump the information. For example, the following will print the distinguished name, but it will not print the subjectPublicKeyInfo block:
$ jarsigner -verbose -certs -verify Test.apk
Similarly, you can't use keytool because it does not print the subjectPublicKeyInfo block either:
$ keytool -printcert -file META-INF/CERT.RSA
To determine the certificate in the APK, you need to look at a couple of files. The files of interest are in the META-INF directory of the APK. The signatures are in an .SF file along with a .RSA file (or .DSA file) for each signer. The signer's .RSA file (or .DSA file) is just PKCS #7 format.
I say "the signatures are in..." because individual elements of the APK are signed, and not the entire APK. So classes.dex gets signed, AndroidManifest.xml gets signed, each icon in res/ gets signed, etc.
Note: while jarsigner supports multiple signatures, Android only supports one signer (if I recall correctly).
Here's an example with an APK called CrackMe.apk using OpenSSL.
$ mkdir APK-test
$ mv CrackMe.apk APK-test
$ cd APK-test
Next unpack the APK. It's just a ZIP file with additional metadata in META-INF/.
$ unzip -a CrackMe.apk
$ ls
AndroidManifest.xml META-INF res
CrackMe.apk classes.dex resources.arsc
Next, look in the META-INF directory.
$ cd META-INF/
$ ls
CERT.RSA CERT.SF MANIFEST.MF
The signatures are in CERT.SF, and the signer is in CERT.RSA.
Finally, use OpenSSL to parse CERT.RSA.
$ openssl pkcs7 -in CERT.RSA -inform DER -print_certs | openssl x509 -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1346030704 (0x503acc70)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=NY, L=New York, O=Unknown, OU=Unknown, CN=Example, LLC
        Validity
            Not Before: Aug 27 01:25:04 2012 GMT
            Not After : Dec 5 01:25:04 2035 GMT
        Subject: C=US, ST=NY, L=New York, O=Unknown, OU=Unknown, CN=Example, LLC
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (3072 bit)
                Modulus:
                    00:8d:a8:9a:34:84:d5:72:4f:e8:e7:69:78:e4:17:
                    13:93:e8:c5:23:a0:93:a7:f8:6c:58:3d:f0:ed:30:
                    ...
                    c1:2d:5e:9f:a4:79:56:19:7d:26:4d:27:6a:3e:26:
                    c0:fd:6a:ed:24:e9:62:80:73:8d
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
         80:c0:ac:a5:65:13:f3:2d:dd:d5:71:82:7c:2e:72:63:72:cf:
         76:49:4b:09:3c:12:e7:d6:9b:3d:53:8b:d4:e0:9c:ff:f2:d6:
         ...
         80:4d:9b:15:3f:82:1a:72:b2:4b:fd:05:2b:e7:36:f0:43:98:
         80:b7:8f:6c:fd:64
You can also use -pubkey when utilizing x509 to extract the public key in PEM format:
$ openssl pkcs7 -in CERT.RSA -inform DER -print_certs | openssl x509 -noout -pubkey
-----BEGIN PUBLIC KEY-----
MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAjaiaNITVck/o52l45BcT
k+jFI6CTp/hsWD3w7TAoGMA4RyH1pNcLD3ZZLXqdCPGKzKf107YhmiSp9K3DALG+
AHorHroKsnmGJFXglIEOLAq7gBVrfxOiBAxr0HW4MLXXGMvr2Asq4AkJAbFFmApU
5I3bGv3DCApHBbH6B10V5gTT0VzbkxHAejqNJVIHBmi6ueKLKh5ytJeRZufgD3ZX
+uEszGfJrD48woXkqSlCOyxHSi4PWyHLm95OXYkvlBSudNt5q9yDuy+KkJgrSHLC
jwxISkM2JzEoWYhqNqRgosBv6pg16+97YPeE6tHoG6dHazjCClhr5oZxw/7t6969
8rZ8m/fcLf3cOtcApqOFhCViq0ddADrOxMD2Qsp/xHx1kUg7eprE6dOEvQKr4oT5
oBiJkOStnAQFWRw/GDFTqpvDsYSOKn64/1cJ/+NEeLw4y+HCTMcNAsPknBQlXxNc
hzX0zSqrJ+vBLV6fpHlWGX0mTSdqPibA/WrtJOligHONAgMBAAE=
-----END PUBLIC KEY-----
If you are interested in the Android APK verification code, see collectCertificates in PackageParser.java.
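As an added example (not part of the original answer), the same check done without unzip or OpenSSL: a small Python script that opens the APK as a ZIP, reads META-INF/*.RSA, walks the PKCS #7 DER down to the certificate's SubjectPublicKeyInfo and reports the RSA modulus size. All function names are my own, and build_sample_pkcs7 produces a constructed DER stand-in (not a real signature) so the logic can be exercised offline.

```python
import zipfile

RSA_ALG = bytes.fromhex("300d06092a864886f70d0101010500")  # AlgorithmIdentifier: rsaEncryption OID + NULL

def read_tlv(buf, off):  # -> (tag, content_start, content_end) of the DER TLV at buf[off]
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                                  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length

def children(buf, start, end):  # yield the TLVs directly inside a constructed node
    while start < end:
        tlv = read_tlv(buf, start)
        yield tlv
        start = tlv[2]

def rsa_key_bits(buf, start=0, end=None):
    """Depth-first search for SubjectPublicKeyInfo = SEQUENCE{RSA_ALG, BIT STRING}; returns the modulus
    bit length. SignerInfo carries RSA_ALG too, but followed by an OCTET STRING, so it is skipped."""
    end = len(buf) if end is None else end
    for tag, cs, ce in children(buf, start, end):
        if tag == 0x30 and buf[cs:cs + len(RSA_ALG) + 1] == RSA_ALG + b"\x03":
            _, bs, _ = read_tlv(buf, cs + len(RSA_ALG))   # the BIT STRING wrapping RSAPublicKey
            _, ks, _ = read_tlv(buf, bs + 1)                # +1 skips the unused-bits byte
            _, ms, me = read_tlv(buf, ks)                   # RSAPublicKey: first INTEGER is the modulus n
            return int.from_bytes(buf[ms:me], "big").bit_length()
        if tag & 0x20 and (found := rsa_key_bits(buf, cs, ce)):   # constructed node: recurse
            return found

def apk_signer_key_bits(apk_path):
    """APK = ZIP: read META-INF/*.RSA and return the v1 signer's RSA key size (None if DSA or v2/v3-only)."""
    with zipfile.ZipFile(apk_path) as apk:
        for name in apk.namelist():
            if name.startswith("META-INF/") and name.upper().endswith(".RSA"):
                return rsa_key_bits(apk.read(name))

def der(tag, content):  # minimal DER TLV encoder, used only to build the constructed sample below
    n = len(content)
    return (bytes([tag, n]) if n < 0x80 else bytes([tag, 0x81, n]) if n < 0x100
            else bytes([tag, 0x82, n >> 8, n & 0xFF])) + content

def build_sample_pkcs7(bits):
    """Constructed stand-in for CERT.RSA (not a real signature): a SignerInfo-style decoy first, then
    a [0] certificate whose SubjectPublicKeyInfo holds an RSA modulus of `bits` bits."""
    n = ((1 << (bits - 1)) | 1).to_bytes((bits + 7) // 8, "big")
    rsa_pub = der(0x30, der(0x02, b"\x00" + n) + der(0x02, b"\x01\x00\x01"))  # leading 0x00 keeps n positive
    spki = der(0x30, RSA_ALG + der(0x03, b"\x00" + rsa_pub))
    cert = der(0x30, der(0x30, der(0x02, b"\x01") + spki))       # Certificate{tbs{serial, spki}}
    decoy = der(0x30, RSA_ALG + der(0x04, b"\xab" * 16))          # digestEncryptionAlgorithm + signature
    return der(0x30, der(0x31, decoy) + der(0xA0, cert))
```

For a CERT.RSA like the one dumped above, apk_signer_key_bits("CrackMe.apk") would report 3072; an APK signed only with scheme v2/v3 has no META-INF/*.RSA and yields None.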