1 /* 2 * Copyright (C) 2008 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 package com.android.signapk; 18 19 import sun.misc.BASE64Encoder; 20 import sun.security.pkcs.ContentInfo; 21 import sun.security.pkcs.PKCS7; 22 import sun.security.pkcs.SignerInfo; 23 import sun.security.x509.AlgorithmId; 24 import sun.security.x509.X500Name; 25 26 import java.io.BufferedReader; 27 import java.io.ByteArrayOutputStream; 28 import java.io.DataInputStream; 29 import java.io.File; 30 import java.io.FileInputStream; 31 import java.io.FileOutputStream; 32 import java.io.FilterOutputStream; 33 import java.io.IOException; 34 import java.io.InputStream; 35 import java.io.InputStreamReader; 36 import java.io.OutputStream; 37 import java.io.PrintStream; 38 import java.security.AlgorithmParameters; 39 import java.security.DigestOutputStream; 40 import java.security.GeneralSecurityException; 41 import java.security.Key; 42 import java.security.KeyFactory; 43 import java.security.MessageDigest; 44 import java.security.PrivateKey; 45 import java.security.Signature; 46 import java.security.SignatureException; 47 import java.security.cert.Certificate; 48 import java.security.cert.CertificateFactory; 49 import java.security.cert.X509Certificate; 50 import java.security.spec.InvalidKeySpecException; 51 import java.security.spec.KeySpec; 52 import java.security.spec.PKCS8EncodedKeySpec; 53 import java.util.ArrayList; 54 import java.util.Collections; 55 import java.util.Date; 56 import java.util.Enumeration; 57 import java.util.List; 58 import java.util.Map; 59 import java.util.TreeMap; 60 import java.util.jar.Attributes; 61 import java.util.jar.JarEntry; 62 import java.util.jar.JarFile; 63 import java.util.jar.JarOutputStream; 64 import java.util.jar.Manifest; 65 import java.util.regex.Pattern; 66 import javax.crypto.Cipher; 67 import javax.crypto.EncryptedPrivateKeyInfo; 68 import javax.crypto.SecretKeyFactory; 69 import javax.crypto.spec.PBEKeySpec; 70 71 /** 72 * Command line tool to sign JAR files (including APKs and OTA updates) in 73 * a way compatible with the mincrypt verifier, using SHA1 and RSA keys. 74 */ 75 class SignApk { 76 private static final String CERT_SF_NAME = "META-INF/CERT.SF"; 77 private static final String CERT_RSA_NAME = "META-INF/CERT.RSA"; 78 79 // Files matching this pattern are not copied to the output. 80 private static Pattern stripPattern = 81 Pattern.compile("^META-INF/(.*)[.](SF|RSA|DSA)$"); 82 83 private static X509Certificate readPublicKey(File file) 84 throws IOException, GeneralSecurityException { 85 FileInputStream input = new FileInputStream(file); 86 try { 87 CertificateFactory cf = CertificateFactory.getInstance("X.509"); 88 return (X509Certificate) cf.generateCertificate(input); 89 } finally { 90 input.close(); 91 } 92 } 93 94 /** 95 * Reads the password from stdin and returns it as a string. 96 * 97 * @param keyFile The file containing the private key. Used to prompt the user. 98 */ 99 private static String readPassword(File keyFile) { 100 // TODO: use Console.readPassword() when it's available. 101 System.out.print("Enter password for " + keyFile + " (password will not be hidden): "); 102 System.out.flush(); 103 BufferedReader stdin = new BufferedReader(new InputStreamReader(System.in)); 104 try { 105 return stdin.readLine(); 106 } catch (IOException ex) { 107 return null; 108 } 109 } 110 111 /** 112 * Decrypt an encrypted PKCS 8 format private key. 113 * 114 * Based on ghstark's post on Aug 6, 2006 at 115 * http://forums.sun.com/thread.jspa?threadID=758133&messageID=4330949 116 * 117 * @param encryptedPrivateKey The raw data of the private key 118 * @param keyFile The file containing the private key 119 */ 120 private static KeySpec decryptPrivateKey(byte[] encryptedPrivateKey, File keyFile) 121 throws GeneralSecurityException { 122 EncryptedPrivateKeyInfo epkInfo; 123 try { 124 epkInfo = new EncryptedPrivateKeyInfo(encryptedPrivateKey); 125 } catch (IOException ex) { 126 // Probably not an encrypted key. 127 return null; 128 } 129 130 char[] password = readPassword(keyFile).toCharArray(); 131 132 SecretKeyFactory skFactory = SecretKeyFactory.getInstance(epkInfo.getAlgName()); 133 Key key = skFactory.generateSecret(new PBEKeySpec(password)); 134 135 Cipher cipher = Cipher.getInstance(epkInfo.getAlgName()); 136 cipher.init(Cipher.DECRYPT_MODE, key, epkInfo.getAlgParameters()); 137 138 try { 139 return epkInfo.getKeySpec(cipher); 140 } catch (InvalidKeySpecException ex) { 141 System.err.println("signapk: Password for " + keyFile + " may be bad."); 142 throw ex; 143 } 144 } 145 146 /** Read a PKCS 8 format private key. */ 147 private static PrivateKey readPrivateKey(File file) 148 throws IOException, GeneralSecurityException { 149 DataInputStream input = new DataInputStream(new FileInputStream(file)); 150 try { 151 byte[] bytes = new byte[(int) file.length()]; 152 input.read(bytes); 153 154 KeySpec spec = decryptPrivateKey(bytes, file); 155 if (spec == null) { 156 spec = new PKCS8EncodedKeySpec(bytes); 157 } 158 159 try { 160 return KeyFactory.getInstance("RSA").generatePrivate(spec); 161 } catch (InvalidKeySpecException ex) { 162 return KeyFactory.getInstance("DSA").generatePrivate(spec); 163 } 164 } finally { 165 input.close(); 166 } 167 } 168 169 /** Add the SHA1 of every file to the manifest, creating it if necessary. */ 170 private static Manifest addDigestsToManifest(JarFile jar) 171 throws IOException, GeneralSecurityException { 172 Manifest input = jar.getManifest(); 173 Manifest output = new Manifest(); 174 Attributes main = output.getMainAttributes(); 175 if (input != null) { 176 main.putAll(input.getMainAttributes()); 177 } else { 178 main.putValue("Manifest-Version", "1.0"); 179 main.putValue("Created-By", "1.0 (Android SignApk)"); 180 } 181 182 BASE64Encoder base64 = new BASE64Encoder(); 183 MessageDigest md = MessageDigest.getInstance("SHA1"); 184 byte[] buffer = new byte[4096]; 185 int num; 186 187 // We sort the input entries by name, and add them to the 188 // output manifest in sorted order. We expect that the output 189 // map will be deterministic. 190 191 TreeMap<String, JarEntry> byName = new TreeMap<String, JarEntry>(); 192 193 for (Enumeration<JarEntry> e = jar.entries(); e.hasMoreElements(); ) { 194 JarEntry entry = e.nextElement(); 195 byName.put(entry.getName(), entry); 196 } 197 198 for (JarEntry entry: byName.values()) { 199 String name = entry.getName(); 200 if (!entry.isDirectory() && !name.equals(JarFile.MANIFEST_NAME) && 201 !name.equals(CERT_SF_NAME) && !name.equals(CERT_RSA_NAME) && 202 (stripPattern == null || 203 !stripPattern.matcher(name).matches())) { 204 InputStream data = jar.getInputStream(entry); 205 while ((num = data.read(buffer)) > 0) { 206 md.update(buffer, 0, num); 207 } 208 209 Attributes attr = null; 210 if (input != null) attr = input.getAttributes(name); 211 attr = attr != null ? new Attributes(attr) : new Attributes(); 212 attr.putValue("SHA1-Digest", base64.encode(md.digest())); 213 output.getEntries().put(name, attr); 214 } 215 } 216 217 return output; 218 } 219 220 /** Write to another stream and also feed it to the Signature object. */ 221 private static class SignatureOutputStream extends FilterOutputStream { 222 private Signature mSignature; 223 private int mCount; 224 225 public SignatureOutputStream(OutputStream out, Signature sig) { 226 super(out); 227 mSignature = sig; 228 mCount = 0; 229 } 230 231 @Override 232 public void write(int b) throws IOException { 233 try { 234 mSignature.update((byte) b); 235 } catch (SignatureException e) { 236 throw new IOException("SignatureException: " + e); 237 } 238 super.write(b); 239 mCount++; 240 } 241 242 @Override 243 public void write(byte[] b, int off, int len) throws IOException { 244 try { 245 mSignature.update(b, off, len); 246 } catch (SignatureException e) { 247 throw new IOException("SignatureException: " + e); 248 } 249 super.write(b, off, len); 250 mCount += len; 251 } 252 253 public int size() { 254 return mCount; 255 } 256 } 257 258 /** Write a .SF file with a digest of the specified manifest. */ 259 private static void writeSignatureFile(Manifest manifest, SignatureOutputStream out) 260 throws IOException, GeneralSecurityException { 261 Manifest sf = new Manifest(); 262 Attributes main = sf.getMainAttributes(); 263 main.putValue("Signature-Version", "1.0"); 264 main.putValue("Created-By", "1.0 (Android SignApk)"); 265 266 BASE64Encoder base64 = new BASE64Encoder(); 267 MessageDigest md = MessageDigest.getInstance("SHA1"); 268 PrintStream print = new PrintStream( 269 new DigestOutputStream(new ByteArrayOutputStream(), md), 270 true, "UTF-8"); 271 272 // Digest of the entire manifest 273 manifest.write(print); 274 print.flush(); 275 main.putValue("SHA1-Digest-Manifest", base64.encode(md.digest())); 276 277 Map<String, Attributes> entries = manifest.getEntries(); 278 for (Map.Entry<String, Attributes> entry : entries.entrySet()) { 279 // Digest of the manifest stanza for this entry. 280 print.print("Name: " + entry.getKey() + "\r\n"); 281 for (Map.Entry<Object, Object> att : entry.getValue().entrySet()) { 282 print.print(att.getKey() + ": " + att.getValue() + "\r\n"); 283 } 284 print.print("\r\n"); 285 print.flush(); 286 287 Attributes sfAttr = new Attributes(); 288 sfAttr.putValue("SHA1-Digest", base64.encode(md.digest())); 289 sf.getEntries().put(entry.getKey(), sfAttr); 290 } 291 292 sf.write(out); 293 294 // A bug in the java.util.jar implementation of Android platforms 295 // up to version 1.6 will cause a spurious IOException to be thrown 296 // if the length of the signature file is a multiple of 1024 bytes. 297 // As a workaround, add an extra CRLF in this case. 298 if ((out.size() % 1024) == 0) { 299 out.write('\r'); 300 out.write('\n'); 301 } 302 } 303 304 /** Write a .RSA file with a digital signature. */ 305 private static void writeSignatureBlock( 306 Signature signature, X509Certificate publicKey, OutputStream out) 307 throws IOException, GeneralSecurityException { 308 SignerInfo signerInfo = new SignerInfo( 309 new X500Name(publicKey.getIssuerX500Principal().getName()), 310 publicKey.getSerialNumber(), 311 AlgorithmId.get("SHA1"), 312 AlgorithmId.get("RSA"), 313 signature.sign()); 314 315 PKCS7 pkcs7 = new PKCS7( 316 new AlgorithmId[] { AlgorithmId.get("SHA1") }, 317 new ContentInfo(ContentInfo.DATA_OID, null), 318 new X509Certificate[] { publicKey }, 319 new SignerInfo[] { signerInfo }); 320 321 pkcs7.encodeSignedData(out); 322 } 323 324 private static void signWholeOutputFile(byte[] zipData, 325 OutputStream outputStream, 326 X509Certificate publicKey, 327 PrivateKey privateKey) 328 throws IOException, GeneralSecurityException { 329 330 // For a zip with no archive comment, the 331 // end-of-central-directory record will be 22 bytes long, so 332 // we expect to find the EOCD marker 22 bytes from the end. 333 if (zipData[zipData.length-22] != 0x50 || 334 zipData[zipData.length-21] != 0x4b || 335 zipData[zipData.length-20] != 0x05 || 336 zipData[zipData.length-19] != 0x06) { 337 throw new IllegalArgumentException("zip data already has an archive comment"); 338 } 339 340 Signature signature = Signature.getInstance("SHA1withRSA"); 341 signature.initSign(privateKey); 342 signature.update(zipData, 0, zipData.length-2); 343 344 ByteArrayOutputStream temp = new ByteArrayOutputStream(); 345 346 // put a readable message and a null char at the start of the 347 // archive comment, so that tools that display the comment 348 // (hopefully) show something sensible. 349 // TODO: anything more useful we can put in this message? 350 byte[] message = "signed by SignApk".getBytes("UTF-8"); 351 temp.write(message); 352 temp.write(0); 353 writeSignatureBlock(signature, publicKey, temp); 354 int total_size = temp.size() + 6; 355 if (total_size > 0xffff) { 356 throw new IllegalArgumentException("signature is too big for ZIP file comment"); 357 } 358 // signature starts this many bytes from the end of the file 359 int signature_start = total_size - message.length - 1; 360 temp.write(signature_start & 0xff); 361 temp.write((signature_start >> 8) & 0xff); 362 // Why the 0xff bytes? In a zip file with no archive comment, 363 // bytes [-6:-2] of the file are the little-endian offset from 364 // the start of the file to the central directory. So for the 365 // two high bytes to be 0xff 0xff, the archive would have to 366 // be nearly 4GB in side. So it's unlikely that a real 367 // commentless archive would have 0xffs here, and lets us tell 368 // an old signed archive from a new one. 369 temp.write(0xff); 370 temp.write(0xff); 371 temp.write(total_size & 0xff); 372 temp.write((total_size >> 8) & 0xff); 373 temp.flush(); 374 375 // Signature verification checks that the EOCD header is the 376 // last such sequence in the file (to avoid minzip finding a 377 // fake EOCD appended after the signature in its scan). The 378 // odds of producing this sequence by chance are very low, but 379 // let's catch it here if it does. 380 byte[] b = temp.toByteArray(); 381 for (int i = 0; i < b.length-3; ++i) { 382 if (b[i] == 0x50 && b[i+1] == 0x4b && b[i+2] == 0x05 && b[i+3] == 0x06) { 383 throw new IllegalArgumentException("found spurious EOCD header at " + i); 384 } 385 } 386 387 outputStream.write(zipData, 0, zipData.length-2); 388 outputStream.write(total_size & 0xff); 389 outputStream.write((total_size >> 8) & 0xff); 390 temp.writeTo(outputStream); 391 } 392 393 /** 394 * Copy all the files in a manifest from input to output. We set 395 * the modification times in the output to a fixed time, so as to 396 * reduce variation in the output file and make incremental OTAs 397 * more efficient. 398 */ 399 private static void copyFiles(Manifest manifest, 400 JarFile in, JarOutputStream out, long timestamp) throws IOException { 401 byte[] buffer = new byte[4096]; 402 int num; 403 404 Map<String, Attributes> entries = manifest.getEntries(); 405 List<String> names = new ArrayList(entries.keySet()); 406 Collections.sort(names); 407 for (String name : names) { 408 JarEntry inEntry = in.getJarEntry(name); 409 JarEntry outEntry = null; 410 if (inEntry.getMethod() == JarEntry.STORED) { 411 // Preserve the STORED method of the input entry. 412 outEntry = new JarEntry(inEntry); 413 } else { 414 // Create a new entry so that the compressed len is recomputed. 415 outEntry = new JarEntry(name); 416 } 417 outEntry.setTime(timestamp); 418 out.putNextEntry(outEntry); 419 420 InputStream data = in.getInputStream(inEntry); 421 while ((num = data.read(buffer)) > 0) { 422 out.write(buffer, 0, num); 423 } 424 out.flush(); 425 } 426 } 427 428 public static void main(String[] args) { 429 if (args.length != 4 && args.length != 5) { 430 System.err.println("Usage: signapk [-w] " + 431 "publickey.x509[.pem] privatekey.pk8 " + 432 "input.jar output.jar"); 433 System.exit(2); 434 } 435 436 boolean signWholeFile = false; 437 int argstart = 0; 438 if (args[0].equals("-w")) { 439 signWholeFile = true; 440 argstart = 1; 441 } 442 443 JarFile inputJar = null; 444 JarOutputStream outputJar = null; 445 FileOutputStream outputFile = null; 446 447 try { 448 X509Certificate publicKey = readPublicKey(new File(args[argstart+0])); 449 450 // Assume the certificate is valid for at least an hour. 451 long timestamp = publicKey.getNotBefore().getTime() + 3600L * 1000; 452 453 PrivateKey privateKey = readPrivateKey(new File(args[argstart+1])); 454 inputJar = new JarFile(new File(args[argstart+2]), false); // Don't verify. 455 456 OutputStream outputStream = null; 457 if (signWholeFile) { 458 outputStream = new ByteArrayOutputStream(); 459 } else { 460 outputStream = outputFile = new FileOutputStream(args[argstart+3]); 461 } 462 outputJar = new JarOutputStream(outputStream); 463 outputJar.setLevel(9); 464 465 JarEntry je; 466 467 // MANIFEST.MF 468 Manifest manifest = addDigestsToManifest(inputJar); 469 je = new JarEntry(JarFile.MANIFEST_NAME); 470 je.setTime(timestamp); 471 outputJar.putNextEntry(je); 472 manifest.write(outputJar); 473 474 // CERT.SF 475 Signature signature = Signature.getInstance("SHA1withRSA"); 476 signature.initSign(privateKey); 477 je = new JarEntry(CERT_SF_NAME); 478 je.setTime(timestamp); 479 outputJar.putNextEntry(je); 480 writeSignatureFile(manifest, 481 new SignatureOutputStream(outputJar, signature)); 482 483 // CERT.RSA 484 je = new JarEntry(CERT_RSA_NAME); 485 je.setTime(timestamp); 486 outputJar.putNextEntry(je); 487 writeSignatureBlock(signature, publicKey, outputJar); 488 489 // Everything else 490 copyFiles(manifest, inputJar, outputJar, timestamp); 491 492 outputJar.close(); 493 outputJar = null; 494 outputStream.flush(); 495 496 if (signWholeFile) { 497 outputFile = new FileOutputStream(args[argstart+3]); 498 signWholeOutputFile(((ByteArrayOutputStream)outputStream).toByteArray(), 499 outputFile, publicKey, privateKey); 500 } 501 } catch (Exception e) { 502 e.printStackTrace(); 503 System.exit(1); 504 } finally { 505 try { 506 if (inputJar != null) inputJar.close(); 507 if (outputFile != null) outputFile.close(); 508 } catch (IOException e) { 509 e.printStackTrace(); 510 System.exit(1); 511 } 512 } 513 } 514 } 515
