Determine signing certificate from an APK


Question

I have created a signed APK from Eclipse for Android. I want to know which RSA certificate type is used in that signed APK, like RSA-1024 or RSA-2048.

How would I know that from the APK file?

EDIT Title changed from "Which RSA certificate is used in signed APK in Eclipse? How to know RSA key size (1024/2048)?"

Accepted answer

Which RSA certificate is used in signed APK in Eclipse?

Under Eclipse during debugging (and in the absence of another key), you will sign with the default Android debug key.

Eclipse creates it if it's not present. The key is added to debug.keystore, with a store and key password of android. See Signing in Debug Mode at Android's Signing Your Application.

You can sign with a few tools, including keytool or jarsigner. But I believe you need to use another tool to examine the certificate in the APK.

You can use OpenSSL to dump the relevant bits since it's PKCS #7, but you need to manually extract the relevant files from the APK.

For signing, I use jarsigner when working from the command line. For example, on Windows with the Debug key:

jarsigner -verbose -keystore C:\Users\<user>\.android\debug.keystore \
    -storepass android -keypass android -digestalg SHA1 \
    -sigalg SHA1withRSA <package name>.apk androiddebugkey

Eclipse performs something similar for you under the IDE.

You can't use jarsigner to dump the information. For example, the following will print the distinguished name, but it will not print the subjectPublicKeyInfo block:

$ jarsigner -verbose -certs -verify Test.apk

Similarly, you can't use keytool because it does not print the subjectPublicKeyInfo block either:

$ keytool -printcert -file META-INF/CERT.RSA


To determine the certificate in the APK, you need to look at a couple of files. The files of interest are in the META-INF directory of the APK. The signatures are in an .SF file along with a .RSA file (or .DSA file) for each signer. The signer's .RSA file (or .DSA file) is just PKCS #7 format.

I say "the signatures are in..." because individual elements of the APK are signed, and not the entire APK. So classes.dex gets signed, AndroidManifest.xml gets signed, each icon in res/ gets signed, etc.

Note: while jarsigner supports multiple signatures, Android only supports one signer (if I recall correctly).

Here's an example with an APK called CrackMe.apk using OpenSSL.

$ mkdir APK-test
$ mv CrackMe.apk APK-test
$ cd APK-test

Next unpack the APK. It's just a ZIP file with additional metadata in META-INF/.

$ unzip -a CrackMe.apk 
$ ls
AndroidManifest.xml    META-INF             res
CrackMe.apk            classes.dex          resources.arsc

Next, look at the META-INF directory.

$ cd META-INF/
$ ls
CERT.RSA    CERT.SF    MANIFEST.MF

The signatures are in CERT.SF, and the signer is in CERT.RSA.

Finally, use OpenSSL to parse CERT.RSA.

$ openssl pkcs7 -in CERT.RSA -inform DER -print_certs | openssl x509 -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1346030704 (0x503acc70)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=NY, L=New York, O=Unknown, OU=Unknown, CN=Example, LLC
        Validity
            Not Before: Aug 27 01:25:04 2012 GMT
            Not After : Dec  5 01:25:04 2035 GMT
        Subject: C=US, ST=NY, L=New York, O=Unknown, OU=Unknown, CN=Example, LLC
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (3072 bit)
                Modulus:
                    00:8d:a8:9a:34:84:d5:72:4f:e8:e7:69:78:e4:17:
                    13:93:e8:c5:23:a0:93:a7:f8:6c:58:3d:f0:ed:30:
                    ...
                    c1:2d:5e:9f:a4:79:56:19:7d:26:4d:27:6a:3e:26:
                    c0:fd:6a:ed:24:e9:62:80:73:8d
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
         80:c0:ac:a5:65:13:f3:2d:dd:d5:71:82:7c:2e:72:63:72:cf:
         76:49:4b:09:3c:12:e7:d6:9b:3d:53:8b:d4:e0:9c:ff:f2:d6:
         ...
         80:4d:9b:15:3f:82:1a:72:b2:4b:fd:05:2b:e7:36:f0:43:98:
         80:b7:8f:6c:fd:64

You can also use -pubkey when utilizing x509 to extract the public key in PEM format:

$ openssl pkcs7 -in CERT.RSA -inform DER -print_certs | openssl x509 -noout -pubkey 
-----BEGIN PUBLIC KEY-----
...
-----END PUBLIC KEY-----


If you are interested in the Android APK verification code, see collectCertificates from PackageParser.java.
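The answer's manual unzip-then-openssl procedure, scripted as an added example (this is not code from the original answer). It locates the v1 (JAR-style) signature block inside an APK, decodes the signer certificate with the same `openssl pkcs7 -print_certs | openssl x509 -text` pipeline, and reports the public-key algorithm and size, flagging RSA keys shorter than 2048 bits. The function names are this example's own, it assumes `openssl` and `unzip` are on PATH, and the test fixture it builds (a throwaway self-signed certificate wrapped as certs-only PKCS#7 DER, the same container format as CERT.RSA) is constructed for the example, not taken from any real APK.

```shell
#!/bin/sh
# Added example: inspect the signer certificate in an APK's v1 signature block.
# Assumes openssl and unzip on PATH. Function names are this example's own.

# signer_block_key_info <pkcs7-der-file>
# Decodes META-INF/CERT.RSA (or .DSA/.EC) and prints "<algorithm> <bits>",
# e.g. "rsaEncryption 2048". <bits> is empty if OpenSSL prints no size line.
signer_block_key_info() {
    block="$1"
    # -print_certs emits the embedded certificate(s) as PEM; x509 decodes the first one
    text=$(openssl pkcs7 -in "$block" -inform DER -print_certs 2>/dev/null \
           | openssl x509 -noout -text 2>/dev/null) || return 1
    [ -n "$text" ] || return 1
    algo=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
    # OpenSSL 1.1 prints "RSA Public-Key: (N bit)", OpenSSL 3 prints "Public-Key: (N bit)"
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    printf '%s %s\n' "$algo" "$bits"
}

# signer_key_is_weak <pkcs7-der-file>
# Returns 0 (true) when the signer's key is RSA shorter than 2048 bits, 1 otherwise.
signer_key_is_weak() {
    info=$(signer_block_key_info "$1") || return 1
    set -- $info
    if [ "$1" = "rsaEncryption" ] && [ -n "$2" ] && [ "$2" -lt 2048 ]; then
        return 0
    fi
    return 1
}

# apk_signer_key_info <file.apk>
# Finds the first v1 signature block in the APK (a ZIP) and reports its key info,
# without unpacking the whole archive to disk.
apk_signer_key_info() {
    apk="$1"
    name=$(unzip -Z1 "$apk" | grep -E '^META-INF/[^/]+\.(RSA|DSA|EC)$' | head -n 1)
    [ -n "$name" ] || { echo "no v1 signature block in $apk" >&2; return 1; }
    tmp=$(mktemp) || return 1
    unzip -p "$apk" "$name" > "$tmp"
    signer_block_key_info "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# make_test_signer_block <bits>
# Constructed fixture for this example: a throwaway self-signed RSA certificate wrapped
# as certs-only PKCS#7 DER (the container format of CERT.RSA). Prints the file path.
make_test_signer_block() {
    dir=$(mktemp -d) || return 1
    openssl req -x509 -newkey "rsa:$1" -nodes -days 1 -subj '/CN=Example Signer' \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1 || return 1
    openssl crl2pkcs7 -nocrl -certfile "$dir/cert.pem" -outform DER -out "$dir/CERT.RSA" \
        >/dev/null 2>&1 || return 1
    printf '%s\n' "$dir/CERT.RSA"
}

# Stand-alone use:  sh apk-signer.sh CrackMe.apk   or   sh apk-signer.sh META-INF/CERT.RSA
if [ -n "${1:-}" ]; then
    case "$1" in
        *.apk) apk_signer_key_info "$1" ;;
        *)     signer_block_key_info "$1" ;;
    esac
fi
```

This script only reads the v1 signature block in META-INF, which is what the answer describes; APKs signed with the newer APK Signature Scheme v2 or v3 carry their signing block elsewhere in the ZIP, and a missing META-INF/*.RSA does not by itself mean the APK is unsigned.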
