Extracting the raw X.509 certificate from a signed APK or JAR

Time: 2023-01-21 09:10:36

I have a library of MD5 hashes of public keys used to sign various jars, and a mapping to their respective keystores which we use to sign different APKs. What I'd like to be able to do is identify which keystore was used to sign an APK, but without using trial and error. (Also, sadly, many of our keys share similar or identical DNs.)

My solution, because I know the META-INF/FOO.RSA (or FOO.DSA) contains the certificate, was to extract the certificate from the APK's RSA file and directly calculate the MD5 hash. (I know the certificate is there because it is accessible to a running android application, and the jarsigner documentation tells me it is there.)

But I can't find any tool that gives me the actual bytes of the certificate. I can get the DN and the certificate metadata when I use jarsigner -verbose -verify -certs my.apk, but that doesn't give me the bytes.

2 answers

#1 (score 22)

Extract the JAR then use 'openssl' to output the certificate:

So assuming 'foo.jar' is in your current directory, do something like:

mkdir temp
cd temp
jar -xvf ../foo.jar
cd META-INF
openssl pkcs7 -in FOO.RSA -print_certs -inform DER -out foo.cer

#2 (score 1)

Hexdump FOO.RSA. The last n bytes are the signature itself, where n depends on the key length (e.g., 1024 bit RSA). If you sign something twice with the same key, you can diff the .RSA files and see that only the last n bytes change; the static part of the file is the cert and the bits that change are the signature on the hash of FOO.sf. There may be a delimiter between the cert and signature that you'd also have to remove.

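As an added example that is not part of either answer, here is a small Python walk over the PKCS#7 DER in FOO.RSA that pulls out the embedded certificate bytes (the static part the second answer describes), computes the MD5 fingerprint the way `openssl x509 -fingerprint -md5` does, and looks it up in a fingerprint-to-keystore map. The PKCS#7 blob, the placeholder certificate and the keystore name are all constructed for the demonstration, not real signing material.

```python
import hashlib

# OID 1.2.840.113549.1.7.2 (pkcs7-signedData) as DER content bytes
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")

def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr += n
    return tag, pos + hdr, pos + hdr + length

def extract_certs(p7_der):
    """Return the raw DER of every certificate carried in a PKCS#7 SignedData blob."""
    tag, pos, _ = read_tlv(p7_der, 0)                  # ContentInfo SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, s, pos = read_tlv(p7_der, pos)                # contentType OID
    if tag != 0x06 or p7_der[s:pos] != OID_SIGNED_DATA:
        raise ValueError("contentType is not signedData")
    _, pos, _ = read_tlv(p7_der, pos)                  # [0] EXPLICIT content
    _, pos, _ = read_tlv(p7_der, pos)                  # SignedData SEQUENCE
    for _ in range(3):                                 # skip version, digestAlgorithms, encapContentInfo
        _, _, pos = read_tlv(p7_der, pos)
    tag, pos, end = read_tlv(p7_der, pos)              # [0] IMPLICIT certificates (optional)
    certs = []
    while tag == 0xA0 and pos < end:
        _, _, cert_end = read_tlv(p7_der, pos)
        certs.append(p7_der[pos:cert_end])             # whole TLV = the certificate DER
        pos = cert_end
    return certs

def md5_fingerprint(cert_der):
    """MD5 over the certificate DER, formatted like `openssl x509 -fingerprint -md5`."""
    return ":".join(f"{b:02X}" for b in hashlib.md5(cert_der).digest())

def tlv(tag, body):
    """Encode one DER TLV (used only to build the constructed sample below)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

# Constructed sample: the certificate body is a placeholder, not a real X.509 certificate,
# and signerInfos is abbreviated to the signature octets only.
SAMPLE_CERT = tlv(0x30, tlv(0x30, b"PLACEHOLDER-TBSCERTIFICATE-" * 6))
SAMPLE_P7 = tlv(0x30, tlv(0x06, OID_SIGNED_DATA) + tlv(0xA0, tlv(0x30,
    tlv(0x02, b"\x01") + tlv(0x31, b"") + tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010701")))
    + tlv(0xA0, SAMPLE_CERT)                           # certificates: the static part of FOO.RSA
    + tlv(0x31, tlv(0x30, tlv(0x04, b"\xab" * 128))))))  # signerInfos: the per-build signature bytes

KNOWN_KEYSTORES = {md5_fingerprint(SAMPLE_CERT): "release-keystore (constructed)"}

def identify_keystore(p7_der, known=KNOWN_KEYSTORES):
    """Map each certificate in the blob to a keystore name, or 'unknown'."""
    return [known.get(md5_fingerprint(c), "unknown") for c in extract_certs(p7_der)]
```

Feed it the bytes of META-INF/FOO.RSA pulled out as in the first answer; swapping the trailing signature octets for a different value leaves the extracted certificate and its fingerprint unchanged, which is exactly the static/changing split the second answer points at.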