Massive project restructure
This commit is contained in:
parent
145ef32e28
commit
3709489b3a
15
.gitignore
vendored
15
.gitignore
vendored
@ -1,9 +1,18 @@
|
|||||||
out/
|
/out
|
||||||
obj/
|
/obj
|
||||||
libs/
|
/libs
|
||||||
*.zip
|
*.zip
|
||||||
*.jks
|
*.jks
|
||||||
*.apk
|
*.apk
|
||||||
|
|
||||||
# Built binaries
|
# Built binaries
|
||||||
ziptools/zipadjust
|
ziptools/zipadjust
|
||||||
|
|
||||||
|
# Android Studio / Gradle
|
||||||
|
*.iml
|
||||||
|
.gradle
|
||||||
|
/local.properties
|
||||||
|
/.idea
|
||||||
|
/build
|
||||||
|
/captures
|
||||||
|
.externalNativeBuild
|
||||||
|
18
.gitmodules
vendored
18
.gitmodules
vendored
@ -1,27 +1,27 @@
|
|||||||
[submodule "jni/selinux"]
|
[submodule "jni/selinux"]
|
||||||
path = jni/external/selinux
|
path = core/jni/external/selinux
|
||||||
url = https://github.com/topjohnwu/selinux.git
|
url = https://github.com/topjohnwu/selinux.git
|
||||||
[submodule "jni/su"]
|
[submodule "jni/su"]
|
||||||
path = jni/su
|
path = core/jni/su
|
||||||
url = https://github.com/topjohnwu/MagiskSU.git
|
url = https://github.com/topjohnwu/MagiskSU.git
|
||||||
[submodule "jni/magiskpolicy"]
|
[submodule "jni/magiskpolicy"]
|
||||||
path = jni/magiskpolicy
|
path = core/jni/magiskpolicy
|
||||||
url = https://github.com/topjohnwu/magiskpolicy.git
|
url = https://github.com/topjohnwu/magiskpolicy.git
|
||||||
[submodule "MagiskManager"]
|
[submodule "MagiskManager"]
|
||||||
path = java
|
path = app
|
||||||
url = https://github.com/topjohnwu/MagiskManager.git
|
url = https://github.com/topjohnwu/MagiskManager.git
|
||||||
[submodule "jni/busybox"]
|
[submodule "jni/busybox"]
|
||||||
path = jni/external/busybox
|
path = core/jni/external/busybox
|
||||||
url = https://github.com/topjohnwu/ndk-busybox.git
|
url = https://github.com/topjohnwu/ndk-busybox.git
|
||||||
[submodule "jni/external/dtc"]
|
[submodule "jni/external/dtc"]
|
||||||
path = jni/external/dtc
|
path = core/jni/external/dtc
|
||||||
url = https://github.com/dgibson/dtc
|
url = https://github.com/dgibson/dtc
|
||||||
[submodule "jni/external/lz4"]
|
[submodule "jni/external/lz4"]
|
||||||
path = jni/external/lz4
|
path = core/jni/external/lz4
|
||||||
url = https://github.com/lz4/lz4.git
|
url = https://github.com/lz4/lz4.git
|
||||||
[submodule "jni/external/bzip2"]
|
[submodule "jni/external/bzip2"]
|
||||||
path = jni/external/bzip2
|
path = core/jni/external/bzip2
|
||||||
url = https://github.com/nemequ/bzip2.git
|
url = https://github.com/nemequ/bzip2.git
|
||||||
[submodule "jni/external/xz"]
|
[submodule "jni/external/xz"]
|
||||||
path = jni/external/xz
|
path = core/jni/external/xz
|
||||||
url = https://github.com/xz-mirror/xz.git
|
url = https://github.com/xz-mirror/xz.git
|
||||||
|
1
app
Submodule
1
app
Submodule
@ -0,0 +1 @@
|
|||||||
|
Subproject commit 863b13a6946c851a4df1043acb8c5003a1b0f3c0
|
27
build.gradle
Normal file
27
build.gradle
Normal file
@ -0,0 +1,27 @@
|
|||||||
|
// Top-level build file where you can add configuration options common to all sub-projects/modules.
|
||||||
|
|
||||||
|
buildscript {
|
||||||
|
|
||||||
|
repositories {
|
||||||
|
google()
|
||||||
|
jcenter()
|
||||||
|
}
|
||||||
|
dependencies {
|
||||||
|
classpath 'com.android.tools.build:gradle:3.0.1'
|
||||||
|
|
||||||
|
|
||||||
|
// NOTE: Do not place your application dependencies here; they belong
|
||||||
|
// in the individual module build.gradle files
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
allprojects {
|
||||||
|
repositories {
|
||||||
|
google()
|
||||||
|
jcenter()
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
task clean(type: Delete) {
|
||||||
|
delete rootProject.buildDir
|
||||||
|
}
|
59
build.py
59
build.py
@ -43,6 +43,11 @@ import lzma
|
|||||||
import base64
|
import base64
|
||||||
import tempfile
|
import tempfile
|
||||||
|
|
||||||
|
if 'ANDROID_NDK' in os.environ:
|
||||||
|
ndk_build = os.path.join(os.environ['ANDROID_NDK'], 'ndk-build')
|
||||||
|
else:
|
||||||
|
ndk_build = os.path.join(os.environ['ANDROID_HOME'], 'ndk-bundle', 'ndk-build')
|
||||||
|
|
||||||
def mv(source, target):
|
def mv(source, target):
|
||||||
print('mv: {} -> {}'.format(source, target))
|
print('mv: {} -> {}'.format(source, target))
|
||||||
shutil.move(source, target)
|
shutil.move(source, target)
|
||||||
@ -84,18 +89,13 @@ def build_binary(args):
|
|||||||
header('* Building Magisk binaries')
|
header('* Building Magisk binaries')
|
||||||
|
|
||||||
# Force update Android.mk timestamp to trigger recompilation
|
# Force update Android.mk timestamp to trigger recompilation
|
||||||
os.utime(os.path.join('jni', 'Android.mk'))
|
os.utime(os.path.join('core', 'jni', 'Android.mk'))
|
||||||
|
|
||||||
debug_flag = '' if args.release else '-DMAGISK_DEBUG'
|
debug_flag = '' if args.release else '-DMAGISK_DEBUG'
|
||||||
cflag = 'MAGISK_FLAGS=\"-DMAGISK_VERSION=\\\"{}\\\" -DMAGISK_VER_CODE={} {}\"'.format(args.versionString, args.versionCode, debug_flag)
|
cflag = 'MAGISK_FLAGS=\"-DMAGISK_VERSION=\\\"{}\\\" -DMAGISK_VER_CODE={} {}\"'.format(args.versionString, args.versionCode, debug_flag)
|
||||||
|
|
||||||
if 'ANDROID_NDK' in os.environ:
|
|
||||||
ndk_build = os.path.join(os.environ['ANDROID_NDK'], 'ndk-build')
|
|
||||||
else:
|
|
||||||
ndk_build = os.path.join(os.environ['ANDROID_HOME'], 'ndk-bundle', 'ndk-build')
|
|
||||||
|
|
||||||
# Prebuild
|
# Prebuild
|
||||||
proc = subprocess.run('{} PRECOMPILE=true {} -j{}'.format(ndk_build, cflag, multiprocessing.cpu_count()), shell=True)
|
proc = subprocess.run('{} -C core PRECOMPILE=true {} -j{}'.format(ndk_build, cflag, multiprocessing.cpu_count()), shell=True)
|
||||||
if proc.returncode != 0:
|
if proc.returncode != 0:
|
||||||
error('Build Magisk binary failed!')
|
error('Build Magisk binary failed!')
|
||||||
|
|
||||||
@ -104,7 +104,7 @@ def build_binary(args):
|
|||||||
mkdir_p(os.path.join('out', arch))
|
mkdir_p(os.path.join('out', arch))
|
||||||
with open(os.path.join('out', arch, 'dump.h'), 'w') as dump:
|
with open(os.path.join('out', arch, 'dump.h'), 'w') as dump:
|
||||||
dump.write('#include "stdlib.h"\n')
|
dump.write('#include "stdlib.h"\n')
|
||||||
mv(os.path.join('libs', arch, 'magisk'), os.path.join('out', arch, 'magisk'))
|
mv(os.path.join('core', 'libs', arch, 'magisk'), os.path.join('out', arch, 'magisk'))
|
||||||
with open(os.path.join('out', arch, 'magisk'), 'rb') as bin:
|
with open(os.path.join('out', arch, 'magisk'), 'rb') as bin:
|
||||||
dump.write('const uint8_t magisk_dump[] = "')
|
dump.write('const uint8_t magisk_dump[] = "')
|
||||||
dump.write(''.join("\\x{:02X}".format(c) for c in lzma.compress(bin.read(), preset=9)))
|
dump.write(''.join("\\x{:02X}".format(c) for c in lzma.compress(bin.read(), preset=9)))
|
||||||
@ -112,7 +112,7 @@ def build_binary(args):
|
|||||||
|
|
||||||
print('')
|
print('')
|
||||||
|
|
||||||
proc = subprocess.run('{} {} -j{}'.format(ndk_build, cflag, multiprocessing.cpu_count()), shell=True)
|
proc = subprocess.run('{} -C core {} -j{}'.format(ndk_build, cflag, multiprocessing.cpu_count()), shell=True)
|
||||||
if proc.returncode != 0:
|
if proc.returncode != 0:
|
||||||
error('Build Magisk binary failed!')
|
error('Build Magisk binary failed!')
|
||||||
|
|
||||||
@ -120,7 +120,7 @@ def build_binary(args):
|
|||||||
for arch in ['arm64-v8a', 'armeabi-v7a', 'x86', 'x86_64']:
|
for arch in ['arm64-v8a', 'armeabi-v7a', 'x86', 'x86_64']:
|
||||||
for binary in ['magiskinit', 'magiskboot', 'b64xz', 'busybox']:
|
for binary in ['magiskinit', 'magiskboot', 'b64xz', 'busybox']:
|
||||||
try:
|
try:
|
||||||
mv(os.path.join('libs', arch, binary), os.path.join('out', arch, binary))
|
mv(os.path.join('core', 'libs', arch, binary), os.path.join('out', arch, binary))
|
||||||
except:
|
except:
|
||||||
pass
|
pass
|
||||||
|
|
||||||
@ -129,18 +129,16 @@ def build_apk(args):
|
|||||||
|
|
||||||
for key in ['public.certificate.x509.pem', 'private.key.pk8']:
|
for key in ['public.certificate.x509.pem', 'private.key.pk8']:
|
||||||
source = os.path.join('ziptools', key)
|
source = os.path.join('ziptools', key)
|
||||||
target = os.path.join('java', 'app', 'src', 'main', 'assets', key)
|
target = os.path.join('app', 'src', 'main', 'assets', key)
|
||||||
cp(source, target)
|
cp(source, target)
|
||||||
|
|
||||||
for script in ['magisk_uninstaller.sh', 'util_functions.sh']:
|
for script in ['magisk_uninstaller.sh', 'util_functions.sh']:
|
||||||
source = os.path.join('scripts', script)
|
source = os.path.join('scripts', script)
|
||||||
target = os.path.join('java', 'app', 'src', 'main', 'assets', script)
|
target = os.path.join('app', 'src', 'main', 'assets', script)
|
||||||
cp(source, target)
|
cp(source, target)
|
||||||
|
|
||||||
os.chdir('java')
|
|
||||||
|
|
||||||
if args.release:
|
if args.release:
|
||||||
if not os.path.exists(os.path.join('..', 'release_signature.jks')):
|
if not os.path.exists('release_signature.jks'):
|
||||||
error('Please generate a java keystore and place it in \'release_signature.jks\'')
|
error('Please generate a java keystore and place it in \'release_signature.jks\'')
|
||||||
|
|
||||||
proc = subprocess.run('{} app:assembleRelease'.format(os.path.join('.', 'gradlew')), shell=True)
|
proc = subprocess.run('{} app:assembleRelease'.format(os.path.join('.', 'gradlew')), shell=True)
|
||||||
@ -173,17 +171,15 @@ def build_apk(args):
|
|||||||
error('Cannot find apksigner.jar in Android SDK build tools')
|
error('Cannot find apksigner.jar in Android SDK build tools')
|
||||||
|
|
||||||
proc = subprocess.run('java -jar {} sign --ks {} --out {} {}'.format(
|
proc = subprocess.run('java -jar {} sign --ks {} --out {} {}'.format(
|
||||||
apksigner,
|
apksigner, 'release_signature.jks', release, aligned), shell=True)
|
||||||
os.path.join('..', 'release_signature.jks'),
|
|
||||||
release, aligned), shell=True)
|
|
||||||
if proc.returncode != 0:
|
if proc.returncode != 0:
|
||||||
error('Release sign Magisk Manager failed!')
|
error('Release sign Magisk Manager failed!')
|
||||||
|
|
||||||
rm(unsigned)
|
rm(unsigned)
|
||||||
rm(aligned)
|
rm(aligned)
|
||||||
|
|
||||||
mkdir(os.path.join('..', 'out'))
|
mkdir('out')
|
||||||
target = os.path.join('..', 'out', 'app-release.apk')
|
target = os.path.join('out', 'app-release.apk')
|
||||||
print('')
|
print('')
|
||||||
mv(release, target)
|
mv(release, target)
|
||||||
else:
|
else:
|
||||||
@ -192,25 +188,20 @@ def build_apk(args):
|
|||||||
error('Build Magisk Manager failed!')
|
error('Build Magisk Manager failed!')
|
||||||
|
|
||||||
source = os.path.join('app', 'build', 'outputs', 'apk', 'debug', 'app-debug.apk')
|
source = os.path.join('app', 'build', 'outputs', 'apk', 'debug', 'app-debug.apk')
|
||||||
mkdir(os.path.join('..', 'out'))
|
mkdir('out')
|
||||||
target = os.path.join('..', 'out', 'app-debug.apk')
|
target = os.path.join('out', 'app-debug.apk')
|
||||||
print('')
|
print('')
|
||||||
mv(source, target)
|
mv(source, target)
|
||||||
|
|
||||||
# Return to upper directory
|
|
||||||
os.chdir('..')
|
|
||||||
|
|
||||||
def build_snet(args):
|
def build_snet(args):
|
||||||
os.chdir('java')
|
|
||||||
proc = subprocess.run('{} snet:assembleRelease'.format(os.path.join('.', 'gradlew')), shell=True)
|
proc = subprocess.run('{} snet:assembleRelease'.format(os.path.join('.', 'gradlew')), shell=True)
|
||||||
if proc.returncode != 0:
|
if proc.returncode != 0:
|
||||||
error('Build snet extention failed!')
|
error('Build snet extention failed!')
|
||||||
source = os.path.join('snet', 'build', 'outputs', 'apk', 'release', 'snet-release-unsigned.apk')
|
source = os.path.join('snet', 'build', 'outputs', 'apk', 'release', 'snet-release-unsigned.apk')
|
||||||
mkdir(os.path.join('..', 'out'))
|
mkdir('out')
|
||||||
target = os.path.join('..', 'out', 'snet.apk')
|
target = os.path.join('out', 'snet.apk')
|
||||||
print('')
|
print('')
|
||||||
mv(source, target)
|
mv(source, target)
|
||||||
os.chdir('..')
|
|
||||||
|
|
||||||
def gen_update_binary():
|
def gen_update_binary():
|
||||||
update_bin = []
|
update_bin = []
|
||||||
@ -342,8 +333,8 @@ def zip_uninstaller(args):
|
|||||||
sign_adjust_zip(unsigned, output)
|
sign_adjust_zip(unsigned, output)
|
||||||
|
|
||||||
def sign_adjust_zip(unsigned, output):
|
def sign_adjust_zip(unsigned, output):
|
||||||
signer_name = 'zipsigner-1.0.jar'
|
signer_name = 'zipsigner-1.1.jar'
|
||||||
jarsigner = os.path.join('java', 'crypto', 'build', 'libs', signer_name)
|
jarsigner = os.path.join('crypto', 'build', 'libs', signer_name)
|
||||||
|
|
||||||
if os.name != 'nt' and not os.path.exists(os.path.join('ziptools', 'zipadjust')):
|
if os.name != 'nt' and not os.path.exists(os.path.join('ziptools', 'zipadjust')):
|
||||||
header('* Building zipadjust')
|
header('* Building zipadjust')
|
||||||
@ -353,11 +344,9 @@ def sign_adjust_zip(unsigned, output):
|
|||||||
error('Build zipadjust failed!')
|
error('Build zipadjust failed!')
|
||||||
if not os.path.exists(jarsigner):
|
if not os.path.exists(jarsigner):
|
||||||
header('* Building ' + signer_name)
|
header('* Building ' + signer_name)
|
||||||
os.chdir('java')
|
|
||||||
proc = subprocess.run('{} crypto:shadowJar'.format(os.path.join('.', 'gradlew')), shell=True)
|
proc = subprocess.run('{} crypto:shadowJar'.format(os.path.join('.', 'gradlew')), shell=True)
|
||||||
if proc.returncode != 0:
|
if proc.returncode != 0:
|
||||||
error('Build {} failed!'.format(signer_name))
|
error('Build {} failed!'.format(signer_name))
|
||||||
os.chdir('..')
|
|
||||||
|
|
||||||
header('* Signing / Adjusting Zip')
|
header('* Signing / Adjusting Zip')
|
||||||
|
|
||||||
@ -396,15 +385,13 @@ def cleanup(args):
|
|||||||
|
|
||||||
if 'binary' in args.target:
|
if 'binary' in args.target:
|
||||||
header('* Cleaning binaries')
|
header('* Cleaning binaries')
|
||||||
subprocess.run(os.path.join(os.environ['ANDROID_HOME'], 'ndk-bundle', 'ndk-build') + ' clean', shell=True)
|
subprocess.run(ndk_build + ' -C core COMPILEALL=true clean', shell=True)
|
||||||
for arch in ['arm64-v8a', 'armeabi-v7a', 'x86', 'x86_64']:
|
for arch in ['arm64-v8a', 'armeabi-v7a', 'x86', 'x86_64']:
|
||||||
shutil.rmtree(os.path.join('out', arch), ignore_errors=True)
|
shutil.rmtree(os.path.join('out', arch), ignore_errors=True)
|
||||||
|
|
||||||
if 'java' in args.target:
|
if 'java' in args.target:
|
||||||
header('* Cleaning java')
|
header('* Cleaning java')
|
||||||
os.chdir('java')
|
|
||||||
subprocess.run('{} clean'.format(os.path.join('.', 'gradlew')), shell=True)
|
subprocess.run('{} clean'.format(os.path.join('.', 'gradlew')), shell=True)
|
||||||
os.chdir('..')
|
|
||||||
for f in os.listdir('out'):
|
for f in os.listdir('out'):
|
||||||
if '.apk' in f:
|
if '.apk' in f:
|
||||||
rm(os.path.join('out', f))
|
rm(os.path.join('out', f))
|
||||||
|
1
core/.gitignore
vendored
Normal file
1
core/.gitignore
vendored
Normal file
@ -0,0 +1 @@
|
|||||||
|
/build
|
20
core/build.gradle
Normal file
20
core/build.gradle
Normal file
@ -0,0 +1,20 @@
|
|||||||
|
apply plugin: 'com.android.library'
|
||||||
|
|
||||||
|
android {
|
||||||
|
compileSdkVersion 27
|
||||||
|
|
||||||
|
externalNativeBuild {
|
||||||
|
ndkBuild {
|
||||||
|
path 'jni/Android.mk'
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
defaultConfig {
|
||||||
|
externalNativeBuild {
|
||||||
|
ndkBuild {
|
||||||
|
// Passes an optional argument to ndk-build.
|
||||||
|
arguments "COMPILEALL=true"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
@ -14,7 +14,7 @@ LIBFDT := $(EXT_PATH)/dtc/libfdt
|
|||||||
# Binaries
|
# Binaries
|
||||||
########################
|
########################
|
||||||
|
|
||||||
ifdef PRECOMPILE
|
ifneq "$(or $(PRECOMPILE), $(COMPILEALL))" ""
|
||||||
|
|
||||||
# magisk main binary
|
# magisk main binary
|
||||||
include $(CLEAR_VARS)
|
include $(CLEAR_VARS)
|
||||||
@ -54,8 +54,9 @@ LOCAL_CFLAGS := -DIS_DAEMON -DSELINUX
|
|||||||
LOCAL_LDLIBS := -llog
|
LOCAL_LDLIBS := -llog
|
||||||
include $(BUILD_EXECUTABLE)
|
include $(BUILD_EXECUTABLE)
|
||||||
|
|
||||||
# precompile
|
endif
|
||||||
else
|
|
||||||
|
ifndef PRECOMPILE
|
||||||
|
|
||||||
# magiskinit
|
# magiskinit
|
||||||
include $(CLEAR_VARS)
|
include $(CLEAR_VARS)
|
||||||
@ -64,7 +65,7 @@ LOCAL_STATIC_LIBRARIES := libsepol liblzma
|
|||||||
LOCAL_C_INCLUDES := \
|
LOCAL_C_INCLUDES := \
|
||||||
jni/include \
|
jni/include \
|
||||||
jni/magiskpolicy \
|
jni/magiskpolicy \
|
||||||
out/$(TARGET_ARCH_ABI) \
|
../out/$(TARGET_ARCH_ABI) \
|
||||||
$(LIBSEPOL) \
|
$(LIBSEPOL) \
|
||||||
$(LIBLZMA)
|
$(LIBLZMA)
|
||||||
|
|
0
jni/external/xz → core/jni/external/xz
vendored
0
jni/external/xz → core/jni/external/xz
vendored
1
core/src/main/AndroidManifest.xml
Normal file
1
core/src/main/AndroidManifest.xml
Normal file
@ -0,0 +1 @@
|
|||||||
|
<manifest package="com.topjohnwu.native.magisk" />
|
1
crypto/.gitignore
vendored
Normal file
1
crypto/.gitignore
vendored
Normal file
@ -0,0 +1 @@
|
|||||||
|
/build
|
38
crypto/build.gradle
Normal file
38
crypto/build.gradle
Normal file
@ -0,0 +1,38 @@
|
|||||||
|
apply plugin: 'java-library'
|
||||||
|
|
||||||
|
apply plugin: 'com.github.johnrengelman.shadow'
|
||||||
|
apply plugin: 'java'
|
||||||
|
|
||||||
|
sourceCompatibility = "1.8"
|
||||||
|
targetCompatibility = "1.8"
|
||||||
|
|
||||||
|
jar {
|
||||||
|
manifest {
|
||||||
|
attributes 'Main-Class': 'com.topjohnwu.crypto.ZipSigner'
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
shadowJar {
|
||||||
|
baseName = 'zipsigner'
|
||||||
|
classifier = null
|
||||||
|
version = 1.1
|
||||||
|
}
|
||||||
|
|
||||||
|
buildscript {
|
||||||
|
repositories {
|
||||||
|
jcenter()
|
||||||
|
}
|
||||||
|
dependencies {
|
||||||
|
classpath 'com.github.jengelman.gradle.plugins:shadow:2.0.1'
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
repositories {
|
||||||
|
jcenter()
|
||||||
|
}
|
||||||
|
|
||||||
|
dependencies {
|
||||||
|
implementation fileTree(include: ['*.jar'], dir: 'libs')
|
||||||
|
implementation 'org.bouncycastle:bcprov-jdk15on:1.58'
|
||||||
|
implementation 'org.bouncycastle:bcpkix-jdk15on:1.58'
|
||||||
|
}
|
@ -0,0 +1,34 @@
|
|||||||
|
package com.topjohnwu.crypto;
|
||||||
|
|
||||||
|
import java.io.ByteArrayInputStream;
|
||||||
|
import java.io.ByteArrayOutputStream;
|
||||||
|
import java.io.IOException;
|
||||||
|
import java.io.InputStream;
|
||||||
|
import java.io.OutputStream;
|
||||||
|
|
||||||
|
public class ByteArrayStream extends ByteArrayOutputStream {
|
||||||
|
public byte[] getBuf() {
|
||||||
|
return buf;
|
||||||
|
}
|
||||||
|
public synchronized void readFrom(InputStream is) {
|
||||||
|
readFrom(is, Integer.MAX_VALUE);
|
||||||
|
}
|
||||||
|
public synchronized void readFrom(InputStream is, int len) {
|
||||||
|
int read;
|
||||||
|
byte buffer[] = new byte[4096];
|
||||||
|
try {
|
||||||
|
while ((read = is.read(buffer, 0, len < buffer.length ? len : buffer.length)) > 0) {
|
||||||
|
write(buffer, 0, read);
|
||||||
|
len -= read;
|
||||||
|
}
|
||||||
|
} catch (IOException e) {
|
||||||
|
e.printStackTrace();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
public synchronized void writeTo(OutputStream out, int off, int len) throws IOException {
|
||||||
|
out.write(buf, off, len);
|
||||||
|
}
|
||||||
|
public ByteArrayInputStream getInputStream() {
|
||||||
|
return new ByteArrayInputStream(buf, 0, count);
|
||||||
|
}
|
||||||
|
}
|
136
crypto/src/main/java/com/topjohnwu/crypto/CryptoUtils.java
Normal file
136
crypto/src/main/java/com/topjohnwu/crypto/CryptoUtils.java
Normal file
@ -0,0 +1,136 @@
|
|||||||
|
package com.topjohnwu.crypto;
|
||||||
|
|
||||||
|
import org.bouncycastle.asn1.ASN1InputStream;
|
||||||
|
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
|
||||||
|
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
|
||||||
|
import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
|
||||||
|
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
|
||||||
|
import org.bouncycastle.asn1.x9.X9ObjectIdentifiers;
|
||||||
|
|
||||||
|
import java.io.ByteArrayInputStream;
|
||||||
|
import java.io.IOException;
|
||||||
|
import java.io.InputStream;
|
||||||
|
import java.security.GeneralSecurityException;
|
||||||
|
import java.security.Key;
|
||||||
|
import java.security.KeyFactory;
|
||||||
|
import java.security.PrivateKey;
|
||||||
|
import java.security.PublicKey;
|
||||||
|
import java.security.Signature;
|
||||||
|
import java.security.cert.CertificateFactory;
|
||||||
|
import java.security.cert.X509Certificate;
|
||||||
|
import java.security.spec.ECPrivateKeySpec;
|
||||||
|
import java.security.spec.ECPublicKeySpec;
|
||||||
|
import java.security.spec.InvalidKeySpecException;
|
||||||
|
import java.security.spec.PKCS8EncodedKeySpec;
|
||||||
|
import java.util.Arrays;
|
||||||
|
import java.util.HashMap;
|
||||||
|
import java.util.Map;
|
||||||
|
|
||||||
|
class CryptoUtils {
|
||||||
|
|
||||||
|
private static final Map<String, String> ID_TO_ALG;
|
||||||
|
private static final Map<String, String> ALG_TO_ID;
|
||||||
|
|
||||||
|
static {
|
||||||
|
ID_TO_ALG = new HashMap<>();
|
||||||
|
ALG_TO_ID = new HashMap<>();
|
||||||
|
ID_TO_ALG.put(X9ObjectIdentifiers.ecdsa_with_SHA256.getId(), "SHA256withECDSA");
|
||||||
|
ID_TO_ALG.put(X9ObjectIdentifiers.ecdsa_with_SHA384.getId(), "SHA384withECDSA");
|
||||||
|
ID_TO_ALG.put(X9ObjectIdentifiers.ecdsa_with_SHA512.getId(), "SHA512withECDSA");
|
||||||
|
ID_TO_ALG.put(PKCSObjectIdentifiers.sha1WithRSAEncryption.getId(), "SHA1withRSA");
|
||||||
|
ID_TO_ALG.put(PKCSObjectIdentifiers.sha256WithRSAEncryption.getId(), "SHA256withRSA");
|
||||||
|
ID_TO_ALG.put(PKCSObjectIdentifiers.sha512WithRSAEncryption.getId(), "SHA512withRSA");
|
||||||
|
ALG_TO_ID.put("SHA256withECDSA", X9ObjectIdentifiers.ecdsa_with_SHA256.getId());
|
||||||
|
ALG_TO_ID.put("SHA384withECDSA", X9ObjectIdentifiers.ecdsa_with_SHA384.getId());
|
||||||
|
ALG_TO_ID.put("SHA512withECDSA", X9ObjectIdentifiers.ecdsa_with_SHA512.getId());
|
||||||
|
ALG_TO_ID.put("SHA1withRSA", PKCSObjectIdentifiers.sha1WithRSAEncryption.getId());
|
||||||
|
ALG_TO_ID.put("SHA256withRSA", PKCSObjectIdentifiers.sha256WithRSAEncryption.getId());
|
||||||
|
ALG_TO_ID.put("SHA512withRSA", PKCSObjectIdentifiers.sha512WithRSAEncryption.getId());
|
||||||
|
}
|
||||||
|
|
||||||
|
private static String getSignatureAlgorithm(Key key) throws Exception {
|
||||||
|
if ("EC".equals(key.getAlgorithm())) {
|
||||||
|
int curveSize;
|
||||||
|
KeyFactory factory = KeyFactory.getInstance("EC");
|
||||||
|
if (key instanceof PublicKey) {
|
||||||
|
ECPublicKeySpec spec = factory.getKeySpec(key, ECPublicKeySpec.class);
|
||||||
|
curveSize = spec.getParams().getCurve().getField().getFieldSize();
|
||||||
|
} else if (key instanceof PrivateKey) {
|
||||||
|
ECPrivateKeySpec spec = factory.getKeySpec(key, ECPrivateKeySpec.class);
|
||||||
|
curveSize = spec.getParams().getCurve().getField().getFieldSize();
|
||||||
|
} else {
|
||||||
|
throw new InvalidKeySpecException();
|
||||||
|
}
|
||||||
|
if (curveSize <= 256) {
|
||||||
|
return "SHA256withECDSA";
|
||||||
|
} else if (curveSize <= 384) {
|
||||||
|
return "SHA384withECDSA";
|
||||||
|
} else {
|
||||||
|
return "SHA512withECDSA";
|
||||||
|
}
|
||||||
|
} else if ("RSA".equals(key.getAlgorithm())) {
|
||||||
|
return "SHA256withRSA";
|
||||||
|
} else {
|
||||||
|
throw new IllegalArgumentException("Unsupported key type " + key.getAlgorithm());
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
static AlgorithmIdentifier getSignatureAlgorithmIdentifier(Key key) throws Exception {
|
||||||
|
String id = ALG_TO_ID.get(getSignatureAlgorithm(key));
|
||||||
|
if (id == null) {
|
||||||
|
throw new IllegalArgumentException("Unsupported key type " + key.getAlgorithm());
|
||||||
|
}
|
||||||
|
return new AlgorithmIdentifier(new ASN1ObjectIdentifier(id));
|
||||||
|
}
|
||||||
|
|
||||||
|
static boolean verify(PublicKey key, byte[] input, byte[] signature,
|
||||||
|
AlgorithmIdentifier algId) throws Exception {
|
||||||
|
String algName = ID_TO_ALG.get(algId.getAlgorithm().getId());
|
||||||
|
if (algName == null) {
|
||||||
|
throw new IllegalArgumentException("Unsupported algorithm " + algId.getAlgorithm());
|
||||||
|
}
|
||||||
|
Signature verifier = Signature.getInstance(algName);
|
||||||
|
verifier.initVerify(key);
|
||||||
|
verifier.update(input);
|
||||||
|
return verifier.verify(signature);
|
||||||
|
}
|
||||||
|
|
||||||
|
static byte[] sign(PrivateKey privateKey, byte[] input) throws Exception {
|
||||||
|
Signature signer = Signature.getInstance(getSignatureAlgorithm(privateKey));
|
||||||
|
signer.initSign(privateKey);
|
||||||
|
signer.update(input);
|
||||||
|
return signer.sign();
|
||||||
|
}
|
||||||
|
|
||||||
|
static X509Certificate readPublicKey(InputStream input)
|
||||||
|
throws IOException, GeneralSecurityException {
|
||||||
|
try {
|
||||||
|
CertificateFactory cf = CertificateFactory.getInstance("X.509");
|
||||||
|
return (X509Certificate) cf.generateCertificate(input);
|
||||||
|
} finally {
|
||||||
|
input.close();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/** Read a PKCS#8 format private key. */
|
||||||
|
static PrivateKey readPrivateKey(InputStream input)
|
||||||
|
throws IOException, GeneralSecurityException {
|
||||||
|
try {
|
||||||
|
byte[] buffer = new byte[4096];
|
||||||
|
int size = input.read(buffer);
|
||||||
|
byte[] bytes = Arrays.copyOf(buffer, size);
|
||||||
|
/* Check to see if this is in an EncryptedPrivateKeyInfo structure. */
|
||||||
|
PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(bytes);
|
||||||
|
/*
|
||||||
|
* Now it's in a PKCS#8 PrivateKeyInfo structure. Read its Algorithm
|
||||||
|
* OID and use that to construct a KeyFactory.
|
||||||
|
*/
|
||||||
|
ASN1InputStream bIn = new ASN1InputStream(new ByteArrayInputStream(spec.getEncoded()));
|
||||||
|
PrivateKeyInfo pki = PrivateKeyInfo.getInstance(bIn.readObject());
|
||||||
|
String algOid = pki.getPrivateKeyAlgorithm().getAlgorithm().getId();
|
||||||
|
return KeyFactory.getInstance(algOid).generatePrivate(spec);
|
||||||
|
} finally {
|
||||||
|
input.close();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
122
crypto/src/main/java/com/topjohnwu/crypto/JarMap.java
Normal file
122
crypto/src/main/java/com/topjohnwu/crypto/JarMap.java
Normal file
@ -0,0 +1,122 @@
|
|||||||
|
package com.topjohnwu.crypto;
|
||||||
|
|
||||||
|
import java.io.Closeable;
|
||||||
|
import java.io.File;
|
||||||
|
import java.io.IOException;
|
||||||
|
import java.io.InputStream;
|
||||||
|
import java.io.OutputStream;
|
||||||
|
import java.util.Collections;
|
||||||
|
import java.util.Enumeration;
|
||||||
|
import java.util.LinkedHashMap;
|
||||||
|
import java.util.jar.JarEntry;
|
||||||
|
import java.util.jar.JarFile;
|
||||||
|
import java.util.jar.JarInputStream;
|
||||||
|
import java.util.jar.Manifest;
|
||||||
|
import java.util.zip.ZipEntry;
|
||||||
|
import java.util.zip.ZipFile;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* A universal random access interface for both JarFile and JarInputStream
|
||||||
|
*
|
||||||
|
* In the case when JarInputStream is provided to constructor, the whole stream
|
||||||
|
* will be loaded into memory for random access purposes.
|
||||||
|
* On the other hand, when a JarFile is provided, it simply works as a wrapper.
|
||||||
|
* */
|
||||||
|
|
||||||
|
public class JarMap implements Closeable, AutoCloseable {
|
||||||
|
private JarFile jarFile;
|
||||||
|
private JarInputStream jis;
|
||||||
|
private boolean isInputStream = false;
|
||||||
|
private LinkedHashMap<String, JarEntry> bufMap;
|
||||||
|
|
||||||
|
public JarMap(File file) throws IOException {
|
||||||
|
this(file, true);
|
||||||
|
}
|
||||||
|
|
||||||
|
public JarMap(File file, boolean verify) throws IOException {
|
||||||
|
this(file, verify, ZipFile.OPEN_READ);
|
||||||
|
}
|
||||||
|
|
||||||
|
public JarMap(File file, boolean verify, int mode) throws IOException {
|
||||||
|
jarFile = new JarFile(file, verify, mode);
|
||||||
|
}
|
||||||
|
|
||||||
|
public JarMap(String name) throws IOException {
|
||||||
|
this(new File(name));
|
||||||
|
}
|
||||||
|
|
||||||
|
public JarMap(String name, boolean verify) throws IOException {
|
||||||
|
this(new File(name), verify);
|
||||||
|
}
|
||||||
|
|
||||||
|
public JarMap(InputStream is) throws IOException {
|
||||||
|
this(is, true);
|
||||||
|
}
|
||||||
|
|
||||||
|
public JarMap(InputStream is, boolean verify) throws IOException {
|
||||||
|
isInputStream = true;
|
||||||
|
bufMap = new LinkedHashMap<>();
|
||||||
|
jis = new JarInputStream(is, verify);
|
||||||
|
JarEntry entry;
|
||||||
|
while ((entry = jis.getNextJarEntry()) != null) {
|
||||||
|
bufMap.put(entry.getName(), new JarMapEntry(entry, jis));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
public File getFile() {
|
||||||
|
return isInputStream ? null : new File(jarFile.getName());
|
||||||
|
}
|
||||||
|
|
||||||
|
public Manifest getManifest() throws IOException {
|
||||||
|
return isInputStream ? jis.getManifest() : jarFile.getManifest();
|
||||||
|
}
|
||||||
|
|
||||||
|
public InputStream getInputStream(ZipEntry ze) throws IOException {
|
||||||
|
return isInputStream ? ((JarMapEntry) bufMap.get(ze.getName())).data.getInputStream() :
|
||||||
|
jarFile.getInputStream(ze);
|
||||||
|
}
|
||||||
|
|
||||||
|
public OutputStream getOutputStream(ZipEntry ze) {
|
||||||
|
if (!isInputStream) // Only support InputStream mode
|
||||||
|
return null;
|
||||||
|
ByteArrayStream bs = ((JarMapEntry) bufMap.get(ze.getName())).data;
|
||||||
|
bs.reset();
|
||||||
|
return bs;
|
||||||
|
}
|
||||||
|
|
||||||
|
public byte[] getRawData(ZipEntry ze) throws IOException {
|
||||||
|
if (isInputStream) {
|
||||||
|
return ((JarMapEntry) bufMap.get(ze.getName())).data.toByteArray();
|
||||||
|
} else {
|
||||||
|
ByteArrayStream bytes = new ByteArrayStream();
|
||||||
|
bytes.readFrom(jarFile.getInputStream(ze));
|
||||||
|
return bytes.toByteArray();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
public Enumeration<JarEntry> entries() {
|
||||||
|
return isInputStream ? Collections.enumeration(bufMap.values()) : jarFile.entries();
|
||||||
|
}
|
||||||
|
|
||||||
|
public ZipEntry getEntry(String name) {
|
||||||
|
return getJarEntry(name);
|
||||||
|
}
|
||||||
|
|
||||||
|
public JarEntry getJarEntry(String name) {
|
||||||
|
return isInputStream ? bufMap.get(name) : jarFile.getJarEntry(name);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void close() throws IOException {
|
||||||
|
(isInputStream ? jis : jarFile).close();
|
||||||
|
}
|
||||||
|
|
||||||
|
private static class JarMapEntry extends JarEntry {
|
||||||
|
ByteArrayStream data;
|
||||||
|
JarMapEntry(JarEntry je, InputStream is) {
|
||||||
|
super(je);
|
||||||
|
data = new ByteArrayStream();
|
||||||
|
data.readFrom(is);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
502
crypto/src/main/java/com/topjohnwu/crypto/SignAPK.java
Normal file
502
crypto/src/main/java/com/topjohnwu/crypto/SignAPK.java
Normal file
@ -0,0 +1,502 @@
|
|||||||
|
package com.topjohnwu.crypto;
|
||||||
|
|
||||||
|
import org.bouncycastle.asn1.ASN1InputStream;
|
||||||
|
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
|
||||||
|
import org.bouncycastle.asn1.DEROutputStream;
|
||||||
|
import org.bouncycastle.asn1.cms.CMSObjectIdentifiers;
|
||||||
|
import org.bouncycastle.cert.jcajce.JcaCertStore;
|
||||||
|
import org.bouncycastle.cms.CMSException;
|
||||||
|
import org.bouncycastle.cms.CMSProcessableByteArray;
|
||||||
|
import org.bouncycastle.cms.CMSSignedData;
|
||||||
|
import org.bouncycastle.cms.CMSSignedDataGenerator;
|
||||||
|
import org.bouncycastle.cms.CMSTypedData;
|
||||||
|
import org.bouncycastle.cms.jcajce.JcaSignerInfoGeneratorBuilder;
|
||||||
|
import org.bouncycastle.jce.provider.BouncyCastleProvider;
|
||||||
|
import org.bouncycastle.operator.ContentSigner;
|
||||||
|
import org.bouncycastle.operator.OperatorCreationException;
|
||||||
|
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
|
||||||
|
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
|
||||||
|
import org.bouncycastle.util.encoders.Base64;
|
||||||
|
|
||||||
|
import java.io.BufferedOutputStream;
|
||||||
|
import java.io.ByteArrayOutputStream;
|
||||||
|
import java.io.File;
|
||||||
|
import java.io.FileNotFoundException;
|
||||||
|
import java.io.FileOutputStream;
|
||||||
|
import java.io.FilterOutputStream;
|
||||||
|
import java.io.IOException;
|
||||||
|
import java.io.InputStream;
|
||||||
|
import java.io.OutputStream;
|
||||||
|
import java.io.PrintStream;
|
||||||
|
import java.io.RandomAccessFile;
|
||||||
|
import java.security.DigestOutputStream;
|
||||||
|
import java.security.GeneralSecurityException;
|
||||||
|
import java.security.MessageDigest;
|
||||||
|
import java.security.PrivateKey;
|
||||||
|
import java.security.Provider;
|
||||||
|
import java.security.Security;
|
||||||
|
import java.security.cert.CertificateEncodingException;
|
||||||
|
import java.security.cert.X509Certificate;
|
||||||
|
import java.util.ArrayList;
|
||||||
|
import java.util.Collections;
|
||||||
|
import java.util.Enumeration;
|
||||||
|
import java.util.Locale;
|
||||||
|
import java.util.Map;
|
||||||
|
import java.util.TreeMap;
|
||||||
|
import java.util.jar.Attributes;
|
||||||
|
import java.util.jar.JarEntry;
|
||||||
|
import java.util.jar.JarFile;
|
||||||
|
import java.util.jar.JarOutputStream;
|
||||||
|
import java.util.jar.Manifest;
|
||||||
|
import java.util.regex.Pattern;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Modified from from AOSP(Marshmallow) SignAPK.java
|
||||||
|
* */
|
||||||
|
|
||||||
|
public class SignAPK {
|
||||||
|
|
||||||
|
private static final String CERT_SF_NAME = "META-INF/CERT.SF";
|
||||||
|
private static final String CERT_SIG_NAME = "META-INF/CERT.%s";
|
||||||
|
|
||||||
|
public static Provider sBouncyCastleProvider;
|
||||||
|
// bitmasks for which hash algorithms we need the manifest to include.
|
||||||
|
private static final int USE_SHA1 = 1;
|
||||||
|
private static final int USE_SHA256 = 2;
|
||||||
|
|
||||||
|
static {
|
||||||
|
sBouncyCastleProvider = new BouncyCastleProvider();
|
||||||
|
Security.insertProviderAt(sBouncyCastleProvider, 1);
|
||||||
|
}
|
||||||
|
|
||||||
|
public static void signZip(InputStream publicIn, InputStream privateIn,
|
||||||
|
JarMap input, File output, boolean minSign) throws Exception {
|
||||||
|
int alignment = 4;
|
||||||
|
BufferedOutputStream outputFile;
|
||||||
|
int hashes = 0;
|
||||||
|
X509Certificate publicKey = CryptoUtils.readPublicKey(publicIn);
|
||||||
|
hashes |= getDigestAlgorithm(publicKey);
|
||||||
|
|
||||||
|
// Set the ZIP file timestamp to the starting valid time
|
||||||
|
// of the 0th certificate plus one hour (to match what
|
||||||
|
// we've historically done).
|
||||||
|
long timestamp = publicKey.getNotBefore().getTime() + 3600L * 1000;
|
||||||
|
PrivateKey privateKey = CryptoUtils.readPrivateKey(privateIn);
|
||||||
|
|
||||||
|
outputFile = new BufferedOutputStream(new FileOutputStream(output));
|
||||||
|
if (minSign) {
|
||||||
|
signWholeFile(input.getFile(), publicKey, privateKey, outputFile);
|
||||||
|
} else {
|
||||||
|
JarOutputStream outputJar = new JarOutputStream(outputFile);
|
||||||
|
// For signing .apks, use the maximum compression to make
|
||||||
|
// them as small as possible (since they live forever on
|
||||||
|
// the system partition). For OTA packages, use the
|
||||||
|
// default compression level, which is much much faster
|
||||||
|
// and produces output that is only a tiny bit larger
|
||||||
|
// (~0.1% on full OTA packages I tested).
|
||||||
|
outputJar.setLevel(9);
|
||||||
|
Manifest manifest = addDigestsToManifest(input, hashes);
|
||||||
|
copyFiles(manifest, input, outputJar, timestamp, alignment);
|
||||||
|
signFile(manifest, input, publicKey, privateKey, outputJar);
|
||||||
|
outputJar.close();
|
||||||
|
}
|
||||||
|
input.close();
|
||||||
|
outputFile.close();
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Return one of USE_SHA1 or USE_SHA256 according to the signature
|
||||||
|
* algorithm specified in the cert.
|
||||||
|
*/
|
||||||
|
private static int getDigestAlgorithm(X509Certificate cert) {
|
||||||
|
String sigAlg = cert.getSigAlgName().toUpperCase(Locale.US);
|
||||||
|
if ("SHA1WITHRSA".equals(sigAlg) ||
|
||||||
|
"MD5WITHRSA".equals(sigAlg)) { // see "HISTORICAL NOTE" above.
|
||||||
|
return USE_SHA1;
|
||||||
|
} else if (sigAlg.startsWith("SHA256WITH")) {
|
||||||
|
return USE_SHA256;
|
||||||
|
} else {
|
||||||
|
throw new IllegalArgumentException("unsupported signature algorithm \"" + sigAlg +
|
||||||
|
"\" in cert [" + cert.getSubjectDN());
|
||||||
|
}
|
||||||
|
}
|
||||||
|
/** Returns the expected signature algorithm for this key type. */
|
||||||
|
private static String getSignatureAlgorithm(X509Certificate cert) {
|
||||||
|
String sigAlg = cert.getSigAlgName().toUpperCase(Locale.US);
|
||||||
|
String keyType = cert.getPublicKey().getAlgorithm().toUpperCase(Locale.US);
|
||||||
|
if ("RSA".equalsIgnoreCase(keyType)) {
|
||||||
|
if (getDigestAlgorithm(cert) == USE_SHA256) {
|
||||||
|
return "SHA256withRSA";
|
||||||
|
} else {
|
||||||
|
return "SHA1withRSA";
|
||||||
|
}
|
||||||
|
} else if ("EC".equalsIgnoreCase(keyType)) {
|
||||||
|
return "SHA256withECDSA";
|
||||||
|
} else {
|
||||||
|
throw new IllegalArgumentException("unsupported key type: " + keyType);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
// Files matching this pattern are not copied to the output.
|
||||||
|
private static Pattern stripPattern =
|
||||||
|
Pattern.compile("^(META-INF/((.*)[.](SF|RSA|DSA|EC)|com/android/otacert))|(" +
|
||||||
|
Pattern.quote(JarFile.MANIFEST_NAME) + ")$");
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Add the hash(es) of every file to the manifest, creating it if
|
||||||
|
* necessary.
|
||||||
|
*/
|
||||||
|
private static Manifest addDigestsToManifest(JarMap jar, int hashes)
|
||||||
|
throws IOException, GeneralSecurityException {
|
||||||
|
Manifest input = jar.getManifest();
|
||||||
|
Manifest output = new Manifest();
|
||||||
|
Attributes main = output.getMainAttributes();
|
||||||
|
if (input != null) {
|
||||||
|
main.putAll(input.getMainAttributes());
|
||||||
|
} else {
|
||||||
|
main.putValue("Manifest-Version", "1.0");
|
||||||
|
main.putValue("Created-By", "1.0 (Android SignApk)");
|
||||||
|
}
|
||||||
|
MessageDigest md_sha1 = null;
|
||||||
|
MessageDigest md_sha256 = null;
|
||||||
|
if ((hashes & USE_SHA1) != 0) {
|
||||||
|
md_sha1 = MessageDigest.getInstance("SHA1");
|
||||||
|
}
|
||||||
|
if ((hashes & USE_SHA256) != 0) {
|
||||||
|
md_sha256 = MessageDigest.getInstance("SHA256");
|
||||||
|
}
|
||||||
|
byte[] buffer = new byte[4096];
|
||||||
|
int num;
|
||||||
|
// We sort the input entries by name, and add them to the
|
||||||
|
// output manifest in sorted order. We expect that the output
|
||||||
|
// map will be deterministic.
|
||||||
|
TreeMap<String, JarEntry> byName = new TreeMap<String, JarEntry>();
|
||||||
|
for (Enumeration<JarEntry> e = jar.entries(); e.hasMoreElements(); ) {
|
||||||
|
JarEntry entry = e.nextElement();
|
||||||
|
byName.put(entry.getName(), entry);
|
||||||
|
}
|
||||||
|
for (JarEntry entry: byName.values()) {
|
||||||
|
String name = entry.getName();
|
||||||
|
if (!entry.isDirectory() &&
|
||||||
|
(stripPattern == null || !stripPattern.matcher(name).matches())) {
|
||||||
|
InputStream data = jar.getInputStream(entry);
|
||||||
|
while ((num = data.read(buffer)) > 0) {
|
||||||
|
if (md_sha1 != null) md_sha1.update(buffer, 0, num);
|
||||||
|
if (md_sha256 != null) md_sha256.update(buffer, 0, num);
|
||||||
|
}
|
||||||
|
Attributes attr = null;
|
||||||
|
if (input != null) attr = input.getAttributes(name);
|
||||||
|
attr = attr != null ? new Attributes(attr) : new Attributes();
|
||||||
|
if (md_sha1 != null) {
|
||||||
|
attr.putValue("SHA1-Digest",
|
||||||
|
new String(Base64.encode(md_sha1.digest()), "ASCII"));
|
||||||
|
}
|
||||||
|
if (md_sha256 != null) {
|
||||||
|
attr.putValue("SHA-256-Digest",
|
||||||
|
new String(Base64.encode(md_sha256.digest()), "ASCII"));
|
||||||
|
}
|
||||||
|
output.getEntries().put(name, attr);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return output;
|
||||||
|
}
|
||||||
|
|
||||||
|
/** Write to another stream and track how many bytes have been
|
||||||
|
* written.
|
||||||
|
*/
|
||||||
|
private static class CountOutputStream extends FilterOutputStream {
|
||||||
|
private int mCount;
|
||||||
|
public CountOutputStream(OutputStream out) {
|
||||||
|
super(out);
|
||||||
|
mCount = 0;
|
||||||
|
}
|
||||||
|
@Override
|
||||||
|
public void write(int b) throws IOException {
|
||||||
|
super.write(b);
|
||||||
|
mCount++;
|
||||||
|
}
|
||||||
|
@Override
|
||||||
|
public void write(byte[] b, int off, int len) throws IOException {
|
||||||
|
super.write(b, off, len);
|
||||||
|
mCount += len;
|
||||||
|
}
|
||||||
|
public int size() {
|
||||||
|
return mCount;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
/** Write a .SF file with a digest of the specified manifest. */
|
||||||
|
private static void writeSignatureFile(Manifest manifest, OutputStream out,
|
||||||
|
int hash)
|
||||||
|
throws IOException, GeneralSecurityException {
|
||||||
|
Manifest sf = new Manifest();
|
||||||
|
Attributes main = sf.getMainAttributes();
|
||||||
|
main.putValue("Signature-Version", "1.0");
|
||||||
|
main.putValue("Created-By", "1.0 (Android SignApk)");
|
||||||
|
MessageDigest md = MessageDigest.getInstance(
|
||||||
|
hash == USE_SHA256 ? "SHA256" : "SHA1");
|
||||||
|
PrintStream print = new PrintStream(
|
||||||
|
new DigestOutputStream(new ByteArrayOutputStream(), md),
|
||||||
|
true, "UTF-8");
|
||||||
|
// Digest of the entire manifest
|
||||||
|
manifest.write(print);
|
||||||
|
print.flush();
|
||||||
|
main.putValue(hash == USE_SHA256 ? "SHA-256-Digest-Manifest" : "SHA1-Digest-Manifest",
|
||||||
|
new String(Base64.encode(md.digest()), "ASCII"));
|
||||||
|
Map<String, Attributes> entries = manifest.getEntries();
|
||||||
|
for (Map.Entry<String, Attributes> entry : entries.entrySet()) {
|
||||||
|
// Digest of the manifest stanza for this entry.
|
||||||
|
print.print("Name: " + entry.getKey() + "\r\n");
|
||||||
|
for (Map.Entry<Object, Object> att : entry.getValue().entrySet()) {
|
||||||
|
print.print(att.getKey() + ": " + att.getValue() + "\r\n");
|
||||||
|
}
|
||||||
|
print.print("\r\n");
|
||||||
|
print.flush();
|
||||||
|
Attributes sfAttr = new Attributes();
|
||||||
|
sfAttr.putValue(hash == USE_SHA256 ? "SHA-256-Digest" : "SHA1-Digest-Manifest",
|
||||||
|
new String(Base64.encode(md.digest()), "ASCII"));
|
||||||
|
sf.getEntries().put(entry.getKey(), sfAttr);
|
||||||
|
}
|
||||||
|
CountOutputStream cout = new CountOutputStream(out);
|
||||||
|
sf.write(cout);
|
||||||
|
// A bug in the java.util.jar implementation of Android platforms
|
||||||
|
// up to version 1.6 will cause a spurious IOException to be thrown
|
||||||
|
// if the length of the signature file is a multiple of 1024 bytes.
|
||||||
|
// As a workaround, add an extra CRLF in this case.
|
||||||
|
if ((cout.size() % 1024) == 0) {
|
||||||
|
cout.write('\r');
|
||||||
|
cout.write('\n');
|
||||||
|
}
|
||||||
|
}
|
||||||
|
/** Sign data and write the digital signature to 'out'. */
|
||||||
|
private static void writeSignatureBlock(
|
||||||
|
CMSTypedData data, X509Certificate publicKey, PrivateKey privateKey,
|
||||||
|
OutputStream out)
|
||||||
|
throws IOException,
|
||||||
|
CertificateEncodingException,
|
||||||
|
OperatorCreationException,
|
||||||
|
CMSException {
|
||||||
|
ArrayList<X509Certificate> certList = new ArrayList<>(1);
|
||||||
|
certList.add(publicKey);
|
||||||
|
JcaCertStore certs = new JcaCertStore(certList);
|
||||||
|
CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
|
||||||
|
ContentSigner signer = new JcaContentSignerBuilder(getSignatureAlgorithm(publicKey))
|
||||||
|
.setProvider(sBouncyCastleProvider)
|
||||||
|
.build(privateKey);
|
||||||
|
gen.addSignerInfoGenerator(
|
||||||
|
new JcaSignerInfoGeneratorBuilder(
|
||||||
|
new JcaDigestCalculatorProviderBuilder()
|
||||||
|
.setProvider(sBouncyCastleProvider)
|
||||||
|
.build())
|
||||||
|
.setDirectSignature(true)
|
||||||
|
.build(signer, publicKey));
|
||||||
|
gen.addCertificates(certs);
|
||||||
|
CMSSignedData sigData = gen.generate(data, false);
|
||||||
|
ASN1InputStream asn1 = new ASN1InputStream(sigData.getEncoded());
|
||||||
|
DEROutputStream dos = new DEROutputStream(out);
|
||||||
|
dos.writeObject(asn1.readObject());
|
||||||
|
}
|
||||||
|
/**
|
||||||
|
* Copy all the files in a manifest from input to output. We set
|
||||||
|
* the modification times in the output to a fixed time, so as to
|
||||||
|
* reduce variation in the output file and make incremental OTAs
|
||||||
|
* more efficient.
|
||||||
|
*/
|
||||||
|
private static void copyFiles(Manifest manifest, JarMap in, JarOutputStream out,
|
||||||
|
long timestamp, int alignment) throws IOException {
|
||||||
|
byte[] buffer = new byte[4096];
|
||||||
|
int num;
|
||||||
|
Map<String, Attributes> entries = manifest.getEntries();
|
||||||
|
ArrayList<String> names = new ArrayList<>(entries.keySet());
|
||||||
|
Collections.sort(names);
|
||||||
|
boolean firstEntry = true;
|
||||||
|
long offset = 0L;
|
||||||
|
// We do the copy in two passes -- first copying all the
|
||||||
|
// entries that are STORED, then copying all the entries that
|
||||||
|
// have any other compression flag (which in practice means
|
||||||
|
// DEFLATED). This groups all the stored entries together at
|
||||||
|
// the start of the file and makes it easier to do alignment
|
||||||
|
// on them (since only stored entries are aligned).
|
||||||
|
for (String name : names) {
|
||||||
|
JarEntry inEntry = in.getJarEntry(name);
|
||||||
|
JarEntry outEntry = null;
|
||||||
|
if (inEntry.getMethod() != JarEntry.STORED) continue;
|
||||||
|
// Preserve the STORED method of the input entry.
|
||||||
|
outEntry = new JarEntry(inEntry);
|
||||||
|
outEntry.setTime(timestamp);
|
||||||
|
// 'offset' is the offset into the file at which we expect
|
||||||
|
// the file data to begin. This is the value we need to
|
||||||
|
// make a multiple of 'alignement'.
|
||||||
|
offset += JarFile.LOCHDR + outEntry.getName().length();
|
||||||
|
if (firstEntry) {
|
||||||
|
// The first entry in a jar file has an extra field of
|
||||||
|
// four bytes that you can't get rid of; any extra
|
||||||
|
// data you specify in the JarEntry is appended to
|
||||||
|
// these forced four bytes. This is JAR_MAGIC in
|
||||||
|
// JarOutputStream; the bytes are 0xfeca0000.
|
||||||
|
offset += 4;
|
||||||
|
firstEntry = false;
|
||||||
|
}
|
||||||
|
if (alignment > 0 && (offset % alignment != 0)) {
|
||||||
|
// Set the "extra data" of the entry to between 1 and
|
||||||
|
// alignment-1 bytes, to make the file data begin at
|
||||||
|
// an aligned offset.
|
||||||
|
int needed = alignment - (int)(offset % alignment);
|
||||||
|
outEntry.setExtra(new byte[needed]);
|
||||||
|
offset += needed;
|
||||||
|
}
|
||||||
|
out.putNextEntry(outEntry);
|
||||||
|
InputStream data = in.getInputStream(inEntry);
|
||||||
|
while ((num = data.read(buffer)) > 0) {
|
||||||
|
out.write(buffer, 0, num);
|
||||||
|
offset += num;
|
||||||
|
}
|
||||||
|
out.flush();
|
||||||
|
}
|
||||||
|
// Copy all the non-STORED entries. We don't attempt to
|
||||||
|
// maintain the 'offset' variable past this point; we don't do
|
||||||
|
// alignment on these entries.
|
||||||
|
for (String name : names) {
|
||||||
|
JarEntry inEntry = in.getJarEntry(name);
|
||||||
|
JarEntry outEntry = null;
|
||||||
|
if (inEntry.getMethod() == JarEntry.STORED) continue;
|
||||||
|
// Create a new entry so that the compressed len is recomputed.
|
||||||
|
outEntry = new JarEntry(name);
|
||||||
|
outEntry.setTime(timestamp);
|
||||||
|
out.putNextEntry(outEntry);
|
||||||
|
InputStream data = in.getInputStream(inEntry);
|
||||||
|
while ((num = data.read(buffer)) > 0) {
|
||||||
|
out.write(buffer, 0, num);
|
||||||
|
}
|
||||||
|
out.flush();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// This class is to provide a file's content, but trimming out the last two bytes
|
||||||
|
// Used for signWholeFile
|
||||||
|
private static class CMSProcessableFile implements CMSTypedData {
|
||||||
|
|
||||||
|
private ASN1ObjectIdentifier type;
|
||||||
|
private RandomAccessFile file;
|
||||||
|
|
||||||
|
CMSProcessableFile(File file) throws FileNotFoundException {
|
||||||
|
this.file = new RandomAccessFile(file, "r");
|
||||||
|
type = new ASN1ObjectIdentifier(CMSObjectIdentifiers.data.getId());
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public ASN1ObjectIdentifier getContentType() {
|
||||||
|
return type;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void write(OutputStream out) throws IOException, CMSException {
|
||||||
|
file.seek(0);
|
||||||
|
int read;
|
||||||
|
byte buffer[] = new byte[4096];
|
||||||
|
int len = (int) file.length() - 2;
|
||||||
|
while ((read = file.read(buffer, 0, len < buffer.length ? len : buffer.length)) > 0) {
|
||||||
|
out.write(buffer, 0, read);
|
||||||
|
len -= read;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public Object getContent() {
|
||||||
|
return file;
|
||||||
|
}
|
||||||
|
|
||||||
|
byte[] getTail() throws IOException {
|
||||||
|
byte tail[] = new byte[22];
|
||||||
|
file.seek(file.length() - 22);
|
||||||
|
file.readFully(tail);
|
||||||
|
return tail;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
private static void signWholeFile(File input, X509Certificate publicKey,
|
||||||
|
PrivateKey privateKey, OutputStream outputStream)
|
||||||
|
throws Exception {
|
||||||
|
ByteArrayOutputStream temp = new ByteArrayOutputStream();
|
||||||
|
// put a readable message and a null char at the start of the
|
||||||
|
// archive comment, so that tools that display the comment
|
||||||
|
// (hopefully) show something sensible.
|
||||||
|
// TODO: anything more useful we can put in this message?
|
||||||
|
byte[] message = "signed by SignApk".getBytes("UTF-8");
|
||||||
|
temp.write(message);
|
||||||
|
temp.write(0);
|
||||||
|
|
||||||
|
CMSProcessableFile cmsFile = new CMSProcessableFile(input);
|
||||||
|
writeSignatureBlock(cmsFile, publicKey, privateKey, temp);
|
||||||
|
|
||||||
|
// For a zip with no archive comment, the
|
||||||
|
// end-of-central-directory record will be 22 bytes long, so
|
||||||
|
// we expect to find the EOCD marker 22 bytes from the end.
|
||||||
|
byte[] zipData = cmsFile.getTail();
|
||||||
|
if (zipData[zipData.length-22] != 0x50 ||
|
||||||
|
zipData[zipData.length-21] != 0x4b ||
|
||||||
|
zipData[zipData.length-20] != 0x05 ||
|
||||||
|
zipData[zipData.length-19] != 0x06) {
|
||||||
|
throw new IllegalArgumentException("zip data already has an archive comment");
|
||||||
|
}
|
||||||
|
int total_size = temp.size() + 6;
|
||||||
|
if (total_size > 0xffff) {
|
||||||
|
throw new IllegalArgumentException("signature is too big for ZIP file comment");
|
||||||
|
}
|
||||||
|
// signature starts this many bytes from the end of the file
|
||||||
|
int signature_start = total_size - message.length - 1;
|
||||||
|
temp.write(signature_start & 0xff);
|
||||||
|
temp.write((signature_start >> 8) & 0xff);
|
||||||
|
// Why the 0xff bytes? In a zip file with no archive comment,
|
||||||
|
// bytes [-6:-2] of the file are the little-endian offset from
|
||||||
|
// the start of the file to the central directory. So for the
|
||||||
|
// two high bytes to be 0xff 0xff, the archive would have to
|
||||||
|
// be nearly 4GB in size. So it's unlikely that a real
|
||||||
|
// commentless archive would have 0xffs here, and lets us tell
|
||||||
|
// an old signed archive from a new one.
|
||||||
|
temp.write(0xff);
|
||||||
|
temp.write(0xff);
|
||||||
|
temp.write(total_size & 0xff);
|
||||||
|
temp.write((total_size >> 8) & 0xff);
|
||||||
|
temp.flush();
|
||||||
|
// Signature verification checks that the EOCD header is the
|
||||||
|
// last such sequence in the file (to avoid minzip finding a
|
||||||
|
// fake EOCD appended after the signature in its scan). The
|
||||||
|
// odds of producing this sequence by chance are very low, but
|
||||||
|
// let's catch it here if it does.
|
||||||
|
byte[] b = temp.toByteArray();
|
||||||
|
for (int i = 0; i < b.length-3; ++i) {
|
||||||
|
if (b[i] == 0x50 && b[i+1] == 0x4b && b[i+2] == 0x05 && b[i+3] == 0x06) {
|
||||||
|
throw new IllegalArgumentException("found spurious EOCD header at " + i);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
cmsFile.write(outputStream);
|
||||||
|
outputStream.write(total_size & 0xff);
|
||||||
|
outputStream.write((total_size >> 8) & 0xff);
|
||||||
|
temp.writeTo(outputStream);
|
||||||
|
}
|
||||||
|
private static void signFile(Manifest manifest, JarMap inputJar,
|
||||||
|
X509Certificate publicKey, PrivateKey privateKey,
|
||||||
|
JarOutputStream outputJar)
|
||||||
|
throws Exception {
|
||||||
|
// Assume the certificate is valid for at least an hour.
|
||||||
|
long timestamp = publicKey.getNotBefore().getTime() + 3600L * 1000;
|
||||||
|
// MANIFEST.MF
|
||||||
|
JarEntry je = new JarEntry(JarFile.MANIFEST_NAME);
|
||||||
|
je.setTime(timestamp);
|
||||||
|
outputJar.putNextEntry(je);
|
||||||
|
manifest.write(outputJar);
|
||||||
|
je = new JarEntry(CERT_SF_NAME);
|
||||||
|
je.setTime(timestamp);
|
||||||
|
outputJar.putNextEntry(je);
|
||||||
|
ByteArrayOutputStream baos = new ByteArrayOutputStream();
|
||||||
|
writeSignatureFile(manifest, baos, getDigestAlgorithm(publicKey));
|
||||||
|
byte[] signedData = baos.toByteArray();
|
||||||
|
outputJar.write(signedData);
|
||||||
|
// CERT.{EC,RSA} / CERT#.{EC,RSA}
|
||||||
|
final String keyType = publicKey.getPublicKey().getAlgorithm();
|
||||||
|
je = new JarEntry(String.format(CERT_SIG_NAME, keyType));
|
||||||
|
je.setTime(timestamp);
|
||||||
|
outputJar.putNextEntry(je);
|
||||||
|
writeSignatureBlock(new CMSProcessableByteArray(signedData),
|
||||||
|
publicKey, privateKey, outputJar);
|
||||||
|
}
|
||||||
|
}
|
231
crypto/src/main/java/com/topjohnwu/crypto/SignBoot.java
Normal file
231
crypto/src/main/java/com/topjohnwu/crypto/SignBoot.java
Normal file
@ -0,0 +1,231 @@
|
|||||||
|
package com.topjohnwu.crypto;
|
||||||
|
|
||||||
|
import org.bouncycastle.asn1.ASN1Encodable;
|
||||||
|
import org.bouncycastle.asn1.ASN1EncodableVector;
|
||||||
|
import org.bouncycastle.asn1.ASN1InputStream;
|
||||||
|
import org.bouncycastle.asn1.ASN1Integer;
|
||||||
|
import org.bouncycastle.asn1.ASN1Object;
|
||||||
|
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
|
||||||
|
import org.bouncycastle.asn1.ASN1Primitive;
|
||||||
|
import org.bouncycastle.asn1.ASN1Sequence;
|
||||||
|
import org.bouncycastle.asn1.DEROctetString;
|
||||||
|
import org.bouncycastle.asn1.DERPrintableString;
|
||||||
|
import org.bouncycastle.asn1.DERSequence;
|
||||||
|
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
|
||||||
|
import org.bouncycastle.jce.provider.BouncyCastleProvider;
|
||||||
|
|
||||||
|
import java.io.ByteArrayInputStream;
|
||||||
|
import java.io.IOException;
|
||||||
|
import java.io.InputStream;
|
||||||
|
import java.io.OutputStream;
|
||||||
|
import java.nio.ByteBuffer;
|
||||||
|
import java.nio.ByteOrder;
|
||||||
|
import java.security.PrivateKey;
|
||||||
|
import java.security.PublicKey;
|
||||||
|
import java.security.Security;
|
||||||
|
import java.security.cert.CertificateEncodingException;
|
||||||
|
import java.security.cert.CertificateFactory;
|
||||||
|
import java.security.cert.X509Certificate;
|
||||||
|
import java.util.Arrays;
|
||||||
|
|
||||||
|
public class SignBoot {
|
||||||
|
|
||||||
|
static {
|
||||||
|
Security.addProvider(new BouncyCastleProvider());
|
||||||
|
}
|
||||||
|
|
||||||
|
public static boolean doSignature(String target, InputStream imgIn, OutputStream imgOut,
|
||||||
|
InputStream keyIn, InputStream certIn) {
|
||||||
|
try {
|
||||||
|
ByteArrayStream bas = new ByteArrayStream();
|
||||||
|
bas.readFrom(imgIn);
|
||||||
|
byte[] image = bas.toByteArray();
|
||||||
|
bas.close();
|
||||||
|
int signableSize = getSignableImageSize(image);
|
||||||
|
if (signableSize < image.length) {
|
||||||
|
System.err.println("NOTE: truncating input from " +
|
||||||
|
image.length + " to " + signableSize + " bytes");
|
||||||
|
image = Arrays.copyOf(image, signableSize);
|
||||||
|
} else if (signableSize > image.length) {
|
||||||
|
throw new IllegalArgumentException("Invalid image: too short, expected " +
|
||||||
|
signableSize + " bytes");
|
||||||
|
}
|
||||||
|
BootSignature bootsig = new BootSignature(target, image.length);
|
||||||
|
X509Certificate cert = CryptoUtils.readPublicKey(certIn);
|
||||||
|
bootsig.setCertificate(cert);
|
||||||
|
PrivateKey key = CryptoUtils.readPrivateKey(keyIn);
|
||||||
|
bootsig.setSignature(bootsig.sign(image, key),
|
||||||
|
CryptoUtils.getSignatureAlgorithmIdentifier(key));
|
||||||
|
byte[] encoded_bootsig = bootsig.getEncoded();
|
||||||
|
imgOut.write(image);
|
||||||
|
imgOut.write(encoded_bootsig);
|
||||||
|
imgOut.flush();
|
||||||
|
return true;
|
||||||
|
} catch (Exception e) {
|
||||||
|
e.printStackTrace(System.err);
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
public static boolean verifySignature(InputStream imgIn, InputStream certPath) {
|
||||||
|
try {
|
||||||
|
ByteArrayStream bas = new ByteArrayStream();
|
||||||
|
bas.readFrom(imgIn);
|
||||||
|
byte[] image = bas.toByteArray();
|
||||||
|
bas.close();
|
||||||
|
int signableSize = getSignableImageSize(image);
|
||||||
|
if (signableSize >= image.length) {
|
||||||
|
System.err.println("Invalid image: not signed");
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
byte[] signature = Arrays.copyOfRange(image, signableSize, image.length);
|
||||||
|
BootSignature bootsig = new BootSignature(signature);
|
||||||
|
if (certPath != null) {
|
||||||
|
bootsig.setCertificate(CryptoUtils.readPublicKey(certPath));
|
||||||
|
}
|
||||||
|
if (bootsig.verify(Arrays.copyOf(image, signableSize))) {
|
||||||
|
System.err.println("Signature is VALID");
|
||||||
|
return true;
|
||||||
|
} else {
|
||||||
|
System.err.println("Signature is INVALID");
|
||||||
|
}
|
||||||
|
} catch (Exception e) {
|
||||||
|
e.printStackTrace(System.err);
|
||||||
|
System.err.println("Invalid image: not signed");
|
||||||
|
}
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
public static int getSignableImageSize(byte[] data) throws Exception {
|
||||||
|
if (!Arrays.equals(Arrays.copyOfRange(data, 0, 8),
|
||||||
|
"ANDROID!".getBytes("US-ASCII"))) {
|
||||||
|
throw new IllegalArgumentException("Invalid image header: missing magic");
|
||||||
|
}
|
||||||
|
ByteBuffer image = ByteBuffer.wrap(data);
|
||||||
|
image.order(ByteOrder.LITTLE_ENDIAN);
|
||||||
|
image.getLong(); // magic
|
||||||
|
int kernelSize = image.getInt();
|
||||||
|
image.getInt(); // kernel_addr
|
||||||
|
int ramdskSize = image.getInt();
|
||||||
|
image.getInt(); // ramdisk_addr
|
||||||
|
int secondSize = image.getInt();
|
||||||
|
image.getLong(); // second_addr + tags_addr
|
||||||
|
int pageSize = image.getInt();
|
||||||
|
int length = pageSize // include the page aligned image header
|
||||||
|
+ ((kernelSize + pageSize - 1) / pageSize) * pageSize
|
||||||
|
+ ((ramdskSize + pageSize - 1) / pageSize) * pageSize
|
||||||
|
+ ((secondSize + pageSize - 1) / pageSize) * pageSize;
|
||||||
|
length = ((length + pageSize - 1) / pageSize) * pageSize;
|
||||||
|
if (length <= 0) {
|
||||||
|
throw new IllegalArgumentException("Invalid image header: invalid length");
|
||||||
|
}
|
||||||
|
return length;
|
||||||
|
}
|
||||||
|
|
||||||
|
static class BootSignature extends ASN1Object {
|
||||||
|
private ASN1Integer formatVersion;
|
||||||
|
private ASN1Encodable certificate;
|
||||||
|
private AlgorithmIdentifier algorithmIdentifier;
|
||||||
|
private DERPrintableString target;
|
||||||
|
private ASN1Integer length;
|
||||||
|
private DEROctetString signature;
|
||||||
|
private PublicKey publicKey;
|
||||||
|
private static final int FORMAT_VERSION = 1;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Initializes the object for signing an image file
|
||||||
|
* @param target Target name, included in the signed data
|
||||||
|
* @param length Length of the image, included in the signed data
|
||||||
|
*/
|
||||||
|
public BootSignature(String target, int length) {
|
||||||
|
this.formatVersion = new ASN1Integer(FORMAT_VERSION);
|
||||||
|
this.target = new DERPrintableString(target);
|
||||||
|
this.length = new ASN1Integer(length);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Initializes the object for verifying a signed image file
|
||||||
|
* @param signature Signature footer
|
||||||
|
*/
|
||||||
|
public BootSignature(byte[] signature)
|
||||||
|
throws Exception {
|
||||||
|
ASN1InputStream stream = new ASN1InputStream(signature);
|
||||||
|
ASN1Sequence sequence = (ASN1Sequence) stream.readObject();
|
||||||
|
formatVersion = (ASN1Integer) sequence.getObjectAt(0);
|
||||||
|
if (formatVersion.getValue().intValue() != FORMAT_VERSION) {
|
||||||
|
throw new IllegalArgumentException("Unsupported format version");
|
||||||
|
}
|
||||||
|
certificate = sequence.getObjectAt(1);
|
||||||
|
byte[] encoded = ((ASN1Object) certificate).getEncoded();
|
||||||
|
ByteArrayInputStream bis = new ByteArrayInputStream(encoded);
|
||||||
|
CertificateFactory cf = CertificateFactory.getInstance("X.509");
|
||||||
|
X509Certificate c = (X509Certificate) cf.generateCertificate(bis);
|
||||||
|
publicKey = c.getPublicKey();
|
||||||
|
ASN1Sequence algId = (ASN1Sequence) sequence.getObjectAt(2);
|
||||||
|
algorithmIdentifier = new AlgorithmIdentifier(
|
||||||
|
(ASN1ObjectIdentifier) algId.getObjectAt(0));
|
||||||
|
ASN1Sequence attrs = (ASN1Sequence) sequence.getObjectAt(3);
|
||||||
|
target = (DERPrintableString) attrs.getObjectAt(0);
|
||||||
|
length = (ASN1Integer) attrs.getObjectAt(1);
|
||||||
|
this.signature = (DEROctetString) sequence.getObjectAt(4);
|
||||||
|
}
|
||||||
|
|
||||||
|
public ASN1Object getAuthenticatedAttributes() {
|
||||||
|
ASN1EncodableVector attrs = new ASN1EncodableVector();
|
||||||
|
attrs.add(target);
|
||||||
|
attrs.add(length);
|
||||||
|
return new DERSequence(attrs);
|
||||||
|
}
|
||||||
|
|
||||||
|
public byte[] getEncodedAuthenticatedAttributes() throws IOException {
|
||||||
|
return getAuthenticatedAttributes().getEncoded();
|
||||||
|
}
|
||||||
|
|
||||||
|
public void setSignature(byte[] sig, AlgorithmIdentifier algId) {
|
||||||
|
algorithmIdentifier = algId;
|
||||||
|
signature = new DEROctetString(sig);
|
||||||
|
}
|
||||||
|
|
||||||
|
public void setCertificate(X509Certificate cert)
|
||||||
|
throws Exception, IOException, CertificateEncodingException {
|
||||||
|
ASN1InputStream s = new ASN1InputStream(cert.getEncoded());
|
||||||
|
certificate = s.readObject();
|
||||||
|
publicKey = cert.getPublicKey();
|
||||||
|
}
|
||||||
|
|
||||||
|
public byte[] generateSignableImage(byte[] image) throws IOException {
|
||||||
|
byte[] attrs = getEncodedAuthenticatedAttributes();
|
||||||
|
byte[] signable = Arrays.copyOf(image, image.length + attrs.length);
|
||||||
|
for (int i=0; i < attrs.length; i++) {
|
||||||
|
signable[i+image.length] = attrs[i];
|
||||||
|
}
|
||||||
|
return signable;
|
||||||
|
}
|
||||||
|
|
||||||
|
public byte[] sign(byte[] image, PrivateKey key) throws Exception {
|
||||||
|
byte[] signable = generateSignableImage(image);
|
||||||
|
return CryptoUtils.sign(key, signable);
|
||||||
|
}
|
||||||
|
|
||||||
|
public boolean verify(byte[] image) throws Exception {
|
||||||
|
if (length.getValue().intValue() != image.length) {
|
||||||
|
throw new IllegalArgumentException("Invalid image length");
|
||||||
|
}
|
||||||
|
byte[] signable = generateSignableImage(image);
|
||||||
|
return CryptoUtils.verify(publicKey, signable, signature.getOctets(),
|
||||||
|
algorithmIdentifier);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public ASN1Primitive toASN1Primitive() {
|
||||||
|
ASN1EncodableVector v = new ASN1EncodableVector();
|
||||||
|
v.add(formatVersion);
|
||||||
|
v.add(certificate);
|
||||||
|
v.add(algorithmIdentifier);
|
||||||
|
v.add(getAuthenticatedAttributes());
|
||||||
|
v.add(signature);
|
||||||
|
return new DERSequence(v);
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
}
|
42
crypto/src/main/java/com/topjohnwu/crypto/ZipSigner.java
Normal file
42
crypto/src/main/java/com/topjohnwu/crypto/ZipSigner.java
Normal file
@ -0,0 +1,42 @@
|
|||||||
|
package com.topjohnwu.crypto;
|
||||||
|
|
||||||
|
import org.bouncycastle.jce.provider.BouncyCastleProvider;
|
||||||
|
|
||||||
|
import java.io.File;
|
||||||
|
import java.io.FileInputStream;
|
||||||
|
import java.io.InputStream;
|
||||||
|
import java.security.Security;
|
||||||
|
|
||||||
|
public class ZipSigner {
|
||||||
|
public static void main(String[] args) {
|
||||||
|
boolean minSign = false;
|
||||||
|
int argStart = 0;
|
||||||
|
|
||||||
|
if (args.length < 4) {
|
||||||
|
System.err.println("Usage: zipsigner [-m] publickey.x509[.pem] privatekey.pk8 input.jar output.jar");
|
||||||
|
System.exit(2);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (args[0].equals("-m")) {
|
||||||
|
minSign = true;
|
||||||
|
argStart = 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
SignAPK.sBouncyCastleProvider = new BouncyCastleProvider();
|
||||||
|
Security.insertProviderAt(SignAPK.sBouncyCastleProvider, 1);
|
||||||
|
|
||||||
|
File pubKey = new File(args[argStart]);
|
||||||
|
File privKey = new File(args[argStart + 1]);
|
||||||
|
File input = new File(args[argStart + 2]);
|
||||||
|
File output = new File(args[argStart + 3]);
|
||||||
|
|
||||||
|
try (InputStream pub = new FileInputStream(pubKey);
|
||||||
|
InputStream priv = new FileInputStream(privKey);
|
||||||
|
JarMap jar = new JarMap(input, false)) {
|
||||||
|
SignAPK.signZip(pub, priv, jar, output, minSign);
|
||||||
|
} catch (Exception e) {
|
||||||
|
e.printStackTrace();
|
||||||
|
System.exit(1);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
22
gradle.properties
Normal file
22
gradle.properties
Normal file
@ -0,0 +1,22 @@
|
|||||||
|
# Project-wide Gradle settings.
|
||||||
|
|
||||||
|
# IDE (e.g. Android Studio) users:
|
||||||
|
# Gradle settings configured through the IDE *will override*
|
||||||
|
# any settings specified in this file.
|
||||||
|
|
||||||
|
# For more details on how to configure your build environment visit
|
||||||
|
# http://www.gradle.org/docs/current/userguide/build_environment.html
|
||||||
|
|
||||||
|
# Specifies the JVM arguments used for the daemon process.
|
||||||
|
# The setting is particularly useful for tweaking memory settings.
|
||||||
|
# Default value: -Xmx10248m -XX:MaxPermSize=256m
|
||||||
|
org.gradle.jvmargs=-Xmx2560m -XX:+HeapDumpOnOutOfMemoryError -Dfile.encoding=UTF-8
|
||||||
|
|
||||||
|
# When configured, Gradle will run in incubating parallel mode.
|
||||||
|
# This option should only be used with decoupled projects. More details, visit
|
||||||
|
# http://www.gradle.org/docs/current/userguide/multi_project_builds.html#sec:decoupled_projects
|
||||||
|
org.gradle.parallel=true
|
||||||
|
|
||||||
|
# When set to true the Gradle daemon is used to run the build. For local developer builds this is our favorite property.
|
||||||
|
# The developer environment is optimized for speed and feedback so we nearly always run Gradle jobs with the daemon.
|
||||||
|
org.gradle.daemon=true
|
BIN
gradle/wrapper/gradle-wrapper.jar
vendored
Normal file
BIN
gradle/wrapper/gradle-wrapper.jar
vendored
Normal file
Binary file not shown.
6
gradle/wrapper/gradle-wrapper.properties
vendored
Normal file
6
gradle/wrapper/gradle-wrapper.properties
vendored
Normal file
@ -0,0 +1,6 @@
|
|||||||
|
#Mon Dec 04 11:24:34 CST 2017
|
||||||
|
distributionBase=GRADLE_USER_HOME
|
||||||
|
distributionPath=wrapper/dists
|
||||||
|
zipStoreBase=GRADLE_USER_HOME
|
||||||
|
zipStorePath=wrapper/dists
|
||||||
|
distributionUrl=https\://services.gradle.org/distributions/gradle-4.1-all.zip
|
160
gradlew
vendored
Executable file
160
gradlew
vendored
Executable file
@ -0,0 +1,160 @@
|
|||||||
|
#!/usr/bin/env bash
|
||||||
|
|
||||||
|
##############################################################################
|
||||||
|
##
|
||||||
|
## Gradle start up script for UN*X
|
||||||
|
##
|
||||||
|
##############################################################################
|
||||||
|
|
||||||
|
# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
|
||||||
|
DEFAULT_JVM_OPTS=""
|
||||||
|
|
||||||
|
APP_NAME="Gradle"
|
||||||
|
APP_BASE_NAME=`basename "$0"`
|
||||||
|
|
||||||
|
# Use the maximum available, or set MAX_FD != -1 to use that value.
|
||||||
|
MAX_FD="maximum"
|
||||||
|
|
||||||
|
warn ( ) {
|
||||||
|
echo "$*"
|
||||||
|
}
|
||||||
|
|
||||||
|
die ( ) {
|
||||||
|
echo
|
||||||
|
echo "$*"
|
||||||
|
echo
|
||||||
|
exit 1
|
||||||
|
}
|
||||||
|
|
||||||
|
# OS specific support (must be 'true' or 'false').
|
||||||
|
cygwin=false
|
||||||
|
msys=false
|
||||||
|
darwin=false
|
||||||
|
case "`uname`" in
|
||||||
|
CYGWIN* )
|
||||||
|
cygwin=true
|
||||||
|
;;
|
||||||
|
Darwin* )
|
||||||
|
darwin=true
|
||||||
|
;;
|
||||||
|
MINGW* )
|
||||||
|
msys=true
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
# Attempt to set APP_HOME
|
||||||
|
# Resolve links: $0 may be a link
|
||||||
|
PRG="$0"
|
||||||
|
# Need this for relative symlinks.
|
||||||
|
while [ -h "$PRG" ] ; do
|
||||||
|
ls=`ls -ld "$PRG"`
|
||||||
|
link=`expr "$ls" : '.*-> \(.*\)$'`
|
||||||
|
if expr "$link" : '/.*' > /dev/null; then
|
||||||
|
PRG="$link"
|
||||||
|
else
|
||||||
|
PRG=`dirname "$PRG"`"/$link"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
SAVED="`pwd`"
|
||||||
|
cd "`dirname \"$PRG\"`/" >/dev/null
|
||||||
|
APP_HOME="`pwd -P`"
|
||||||
|
cd "$SAVED" >/dev/null
|
||||||
|
|
||||||
|
CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar
|
||||||
|
|
||||||
|
# Determine the Java command to use to start the JVM.
|
||||||
|
if [ -n "$JAVA_HOME" ] ; then
|
||||||
|
if [ -x "$JAVA_HOME/jre/sh/java" ] ; then
|
||||||
|
# IBM's JDK on AIX uses strange locations for the executables
|
||||||
|
JAVACMD="$JAVA_HOME/jre/sh/java"
|
||||||
|
else
|
||||||
|
JAVACMD="$JAVA_HOME/bin/java"
|
||||||
|
fi
|
||||||
|
if [ ! -x "$JAVACMD" ] ; then
|
||||||
|
die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME
|
||||||
|
|
||||||
|
Please set the JAVA_HOME variable in your environment to match the
|
||||||
|
location of your Java installation."
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
JAVACMD="java"
|
||||||
|
which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
|
||||||
|
|
||||||
|
Please set the JAVA_HOME variable in your environment to match the
|
||||||
|
location of your Java installation."
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Increase the maximum file descriptors if we can.
|
||||||
|
if [ "$cygwin" = "false" -a "$darwin" = "false" ] ; then
|
||||||
|
MAX_FD_LIMIT=`ulimit -H -n`
|
||||||
|
if [ $? -eq 0 ] ; then
|
||||||
|
if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then
|
||||||
|
MAX_FD="$MAX_FD_LIMIT"
|
||||||
|
fi
|
||||||
|
ulimit -n $MAX_FD
|
||||||
|
if [ $? -ne 0 ] ; then
|
||||||
|
warn "Could not set maximum file descriptor limit: $MAX_FD"
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
# For Darwin, add options to specify how the application appears in the dock
|
||||||
|
if $darwin; then
|
||||||
|
GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\""
|
||||||
|
fi
|
||||||
|
|
||||||
|
# For Cygwin, switch paths to Windows format before running java
|
||||||
|
if $cygwin ; then
|
||||||
|
APP_HOME=`cygpath --path --mixed "$APP_HOME"`
|
||||||
|
CLASSPATH=`cygpath --path --mixed "$CLASSPATH"`
|
||||||
|
JAVACMD=`cygpath --unix "$JAVACMD"`
|
||||||
|
|
||||||
|
# We build the pattern for arguments to be converted via cygpath
|
||||||
|
ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null`
|
||||||
|
SEP=""
|
||||||
|
for dir in $ROOTDIRSRAW ; do
|
||||||
|
ROOTDIRS="$ROOTDIRS$SEP$dir"
|
||||||
|
SEP="|"
|
||||||
|
done
|
||||||
|
OURCYGPATTERN="(^($ROOTDIRS))"
|
||||||
|
# Add a user-defined pattern to the cygpath arguments
|
||||||
|
if [ "$GRADLE_CYGPATTERN" != "" ] ; then
|
||||||
|
OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)"
|
||||||
|
fi
|
||||||
|
# Now convert the arguments - kludge to limit ourselves to /bin/sh
|
||||||
|
i=0
|
||||||
|
for arg in "$@" ; do
|
||||||
|
CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -`
|
||||||
|
CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option
|
||||||
|
|
||||||
|
if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition
|
||||||
|
eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"`
|
||||||
|
else
|
||||||
|
eval `echo args$i`="\"$arg\""
|
||||||
|
fi
|
||||||
|
i=$((i+1))
|
||||||
|
done
|
||||||
|
case $i in
|
||||||
|
(0) set -- ;;
|
||||||
|
(1) set -- "$args0" ;;
|
||||||
|
(2) set -- "$args0" "$args1" ;;
|
||||||
|
(3) set -- "$args0" "$args1" "$args2" ;;
|
||||||
|
(4) set -- "$args0" "$args1" "$args2" "$args3" ;;
|
||||||
|
(5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;;
|
||||||
|
(6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;;
|
||||||
|
(7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;;
|
||||||
|
(8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;;
|
||||||
|
(9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;;
|
||||||
|
esac
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Split up the JVM_OPTS And GRADLE_OPTS values into an array, following the shell quoting and substitution rules
|
||||||
|
function splitJvmOpts() {
|
||||||
|
JVM_OPTS=("$@")
|
||||||
|
}
|
||||||
|
eval splitJvmOpts $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS
|
||||||
|
JVM_OPTS[${#JVM_OPTS[*]}]="-Dorg.gradle.appname=$APP_BASE_NAME"
|
||||||
|
|
||||||
|
exec "$JAVACMD" "${JVM_OPTS[@]}" -classpath "$CLASSPATH" org.gradle.wrapper.GradleWrapperMain "$@"
|
90
gradlew.bat
vendored
Normal file
90
gradlew.bat
vendored
Normal file
@ -0,0 +1,90 @@
|
|||||||
|
@if "%DEBUG%" == "" @echo off
|
||||||
|
@rem ##########################################################################
|
||||||
|
@rem
|
||||||
|
@rem Gradle startup script for Windows
|
||||||
|
@rem
|
||||||
|
@rem ##########################################################################
|
||||||
|
|
||||||
|
@rem Set local scope for the variables with windows NT shell
|
||||||
|
if "%OS%"=="Windows_NT" setlocal
|
||||||
|
|
||||||
|
@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
|
||||||
|
set DEFAULT_JVM_OPTS=
|
||||||
|
|
||||||
|
set DIRNAME=%~dp0
|
||||||
|
if "%DIRNAME%" == "" set DIRNAME=.
|
||||||
|
set APP_BASE_NAME=%~n0
|
||||||
|
set APP_HOME=%DIRNAME%
|
||||||
|
|
||||||
|
@rem Find java.exe
|
||||||
|
if defined JAVA_HOME goto findJavaFromJavaHome
|
||||||
|
|
||||||
|
set JAVA_EXE=java.exe
|
||||||
|
%JAVA_EXE% -version >NUL 2>&1
|
||||||
|
if "%ERRORLEVEL%" == "0" goto init
|
||||||
|
|
||||||
|
echo.
|
||||||
|
echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
|
||||||
|
echo.
|
||||||
|
echo Please set the JAVA_HOME variable in your environment to match the
|
||||||
|
echo location of your Java installation.
|
||||||
|
|
||||||
|
goto fail
|
||||||
|
|
||||||
|
:findJavaFromJavaHome
|
||||||
|
set JAVA_HOME=%JAVA_HOME:"=%
|
||||||
|
set JAVA_EXE=%JAVA_HOME%/bin/java.exe
|
||||||
|
|
||||||
|
if exist "%JAVA_EXE%" goto init
|
||||||
|
|
||||||
|
echo.
|
||||||
|
echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME%
|
||||||
|
echo.
|
||||||
|
echo Please set the JAVA_HOME variable in your environment to match the
|
||||||
|
echo location of your Java installation.
|
||||||
|
|
||||||
|
goto fail
|
||||||
|
|
||||||
|
:init
|
||||||
|
@rem Get command-line arguments, handling Windowz variants
|
||||||
|
|
||||||
|
if not "%OS%" == "Windows_NT" goto win9xME_args
|
||||||
|
if "%@eval[2+2]" == "4" goto 4NT_args
|
||||||
|
|
||||||
|
:win9xME_args
|
||||||
|
@rem Slurp the command line arguments.
|
||||||
|
set CMD_LINE_ARGS=
|
||||||
|
set _SKIP=2
|
||||||
|
|
||||||
|
:win9xME_args_slurp
|
||||||
|
if "x%~1" == "x" goto execute
|
||||||
|
|
||||||
|
set CMD_LINE_ARGS=%*
|
||||||
|
goto execute
|
||||||
|
|
||||||
|
:4NT_args
|
||||||
|
@rem Get arguments from the 4NT Shell from JP Software
|
||||||
|
set CMD_LINE_ARGS=%$
|
||||||
|
|
||||||
|
:execute
|
||||||
|
@rem Setup the command line
|
||||||
|
|
||||||
|
set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar
|
||||||
|
|
||||||
|
@rem Execute Gradle
|
||||||
|
"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS%
|
||||||
|
|
||||||
|
:end
|
||||||
|
@rem End local scope for the variables with windows NT shell
|
||||||
|
if "%ERRORLEVEL%"=="0" goto mainEnd
|
||||||
|
|
||||||
|
:fail
|
||||||
|
rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of
|
||||||
|
rem the _cmd.exe /c_ return code!
|
||||||
|
if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1
|
||||||
|
exit /b 1
|
||||||
|
|
||||||
|
:mainEnd
|
||||||
|
if "%OS%"=="Windows_NT" endlocal
|
||||||
|
|
||||||
|
:omega
|
1
java
1
java
@ -1 +0,0 @@
|
|||||||
Subproject commit f5ceee547c294b8e188860c451882dd71a5909df
|
|
1
settings.gradle
Normal file
1
settings.gradle
Normal file
@ -0,0 +1 @@
|
|||||||
|
include ':app', ':native', ':crypto', ':snet'
|
1
snet/.gitignore
vendored
Normal file
1
snet/.gitignore
vendored
Normal file
@ -0,0 +1 @@
|
|||||||
|
/build
|
30
snet/build.gradle
Normal file
30
snet/build.gradle
Normal file
@ -0,0 +1,30 @@
|
|||||||
|
apply plugin: 'com.android.application'
|
||||||
|
|
||||||
|
android {
|
||||||
|
compileSdkVersion 27
|
||||||
|
buildToolsVersion "27.0.1"
|
||||||
|
|
||||||
|
defaultConfig {
|
||||||
|
applicationId "com.topjohnwu.snet"
|
||||||
|
minSdkVersion 21
|
||||||
|
targetSdkVersion 27
|
||||||
|
versionCode 1
|
||||||
|
versionName "1.0"
|
||||||
|
}
|
||||||
|
|
||||||
|
buildTypes {
|
||||||
|
release {
|
||||||
|
minifyEnabled true
|
||||||
|
proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
repositories {
|
||||||
|
google()
|
||||||
|
}
|
||||||
|
|
||||||
|
dependencies {
|
||||||
|
implementation fileTree(dir: 'libs', include: ['*.jar'])
|
||||||
|
implementation 'com.google.android.gms:play-services-safetynet:11.6.0'
|
||||||
|
}
|
24
snet/proguard-rules.pro
vendored
Normal file
24
snet/proguard-rules.pro
vendored
Normal file
@ -0,0 +1,24 @@
|
|||||||
|
# Add project specific ProGuard rules here.
|
||||||
|
# You can control the set of applied configuration files using the
|
||||||
|
# proguardFiles setting in build.gradle.
|
||||||
|
#
|
||||||
|
# For more details, see
|
||||||
|
# http://developer.android.com/guide/developing/tools/proguard.html
|
||||||
|
|
||||||
|
# If your project uses WebView with JS, uncomment the following
|
||||||
|
# and specify the fully qualified class name to the JavaScript interface
|
||||||
|
# class:
|
||||||
|
#-keepclassmembers class fqcn.of.javascript.interface.for.webview {
|
||||||
|
# public *;
|
||||||
|
#}
|
||||||
|
|
||||||
|
# Uncomment this to preserve the line number information for
|
||||||
|
# debugging stack traces.
|
||||||
|
#-keepattributes SourceFile,LineNumberTable
|
||||||
|
|
||||||
|
# If you keep the line number information, uncomment this to
|
||||||
|
# hide the original source file name.
|
||||||
|
#-renamesourcefileattribute SourceFile
|
||||||
|
|
||||||
|
-keep class com.topjohnwu.snet.SafetyNet* { *; }
|
||||||
|
-dontwarn java.lang.invoke**
|
7
snet/src/main/AndroidManifest.xml
Normal file
7
snet/src/main/AndroidManifest.xml
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
|
||||||
|
package="com.topjohnwu.snet">
|
||||||
|
|
||||||
|
<meta-data
|
||||||
|
android:name="com.google.android.gms.version"
|
||||||
|
android:value="@integer/google_play_services_version" />
|
||||||
|
</manifest>
|
@ -0,0 +1,5 @@
|
|||||||
|
package com.topjohnwu.snet;
|
||||||
|
|
||||||
|
public interface SafetyNetCallback {
|
||||||
|
void onResponse(int responseCode);
|
||||||
|
}
|
124
snet/src/main/java/com/topjohnwu/snet/SafetyNetHelper.java
Normal file
124
snet/src/main/java/com/topjohnwu/snet/SafetyNetHelper.java
Normal file
@ -0,0 +1,124 @@
|
|||||||
|
package com.topjohnwu.snet;
|
||||||
|
|
||||||
|
import android.app.Activity;
|
||||||
|
import android.content.Context;
|
||||||
|
import android.os.Bundle;
|
||||||
|
import android.support.annotation.NonNull;
|
||||||
|
import android.support.annotation.Nullable;
|
||||||
|
import android.util.Base64;
|
||||||
|
|
||||||
|
import com.google.android.gms.common.ConnectionResult;
|
||||||
|
import com.google.android.gms.common.GoogleApiAvailability;
|
||||||
|
import com.google.android.gms.common.api.GoogleApiClient;
|
||||||
|
import com.google.android.gms.common.api.ResultCallback;
|
||||||
|
import com.google.android.gms.common.api.Status;
|
||||||
|
import com.google.android.gms.safetynet.SafetyNet;
|
||||||
|
import com.google.android.gms.safetynet.SafetyNetApi;
|
||||||
|
|
||||||
|
import org.json.JSONException;
|
||||||
|
import org.json.JSONObject;
|
||||||
|
|
||||||
|
import java.lang.reflect.Field;
|
||||||
|
import java.security.SecureRandom;
|
||||||
|
|
||||||
|
public class SafetyNetHelper
|
||||||
|
implements GoogleApiClient.ConnectionCallbacks, GoogleApiClient.OnConnectionFailedListener {
|
||||||
|
|
||||||
|
public static final int CAUSE_SERVICE_DISCONNECTED = 0x01;
|
||||||
|
public static final int CAUSE_NETWORK_LOST = 0x02;
|
||||||
|
public static final int RESPONSE_ERR = 0x04;
|
||||||
|
public static final int CONNECTION_FAIL = 0x08;
|
||||||
|
|
||||||
|
public static final int BASIC_PASS = 0x10;
|
||||||
|
public static final int CTS_PASS = 0x20;
|
||||||
|
|
||||||
|
private GoogleApiClient mGoogleApiClient;
|
||||||
|
private Activity mActivity;
|
||||||
|
private int responseCode;
|
||||||
|
private SafetyNetCallback cb;
|
||||||
|
private String dexPath;
|
||||||
|
private boolean isDarkTheme;
|
||||||
|
|
||||||
|
public SafetyNetHelper(Activity activity, String dexPath, SafetyNetCallback cb) {
|
||||||
|
mActivity = activity;
|
||||||
|
this.cb = cb;
|
||||||
|
this.dexPath = dexPath;
|
||||||
|
responseCode = 0;
|
||||||
|
|
||||||
|
// Get theme
|
||||||
|
try {
|
||||||
|
Context context = activity.getApplicationContext();
|
||||||
|
Field theme = context.getClass().getField("isDarkTheme");
|
||||||
|
isDarkTheme = (boolean) theme.get(context);
|
||||||
|
} catch (Exception e) {
|
||||||
|
e.printStackTrace();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Entry point to start test
|
||||||
|
public void attest() {
|
||||||
|
// Connect Google Service
|
||||||
|
mGoogleApiClient = new GoogleApiClient.Builder(mActivity)
|
||||||
|
.addApi(SafetyNet.API)
|
||||||
|
.addOnConnectionFailedListener(this)
|
||||||
|
.addConnectionCallbacks(this)
|
||||||
|
.build();
|
||||||
|
mGoogleApiClient.connect();
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void onConnectionSuspended(int i) {
|
||||||
|
cb.onResponse(i);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void onConnectionFailed(@NonNull ConnectionResult result) {
|
||||||
|
Class<? extends Activity> clazz = mActivity.getClass();
|
||||||
|
try {
|
||||||
|
// Use external resources
|
||||||
|
clazz.getMethod("swapResources", String.class, int.class).invoke(mActivity, dexPath,
|
||||||
|
isDarkTheme ? android.R.style.Theme_Material : android.R.style.Theme_Material_Light);
|
||||||
|
try {
|
||||||
|
GoogleApiAvailability.getInstance().getErrorDialog(mActivity, result.getErrorCode(), 0).show();
|
||||||
|
} catch (Exception e) {
|
||||||
|
e.printStackTrace();
|
||||||
|
}
|
||||||
|
clazz.getMethod("restoreResources").invoke(mActivity);
|
||||||
|
} catch (Exception e) {
|
||||||
|
e.printStackTrace();
|
||||||
|
}
|
||||||
|
cb.onResponse(CONNECTION_FAIL);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void onConnected(@Nullable Bundle bundle) {
|
||||||
|
// Create nonce
|
||||||
|
byte[] nonce = new byte[24];
|
||||||
|
new SecureRandom().nextBytes(nonce);
|
||||||
|
|
||||||
|
// Call SafetyNet
|
||||||
|
SafetyNet.SafetyNetApi.attest(mGoogleApiClient, nonce)
|
||||||
|
.setResultCallback(new ResultCallback<SafetyNetApi.AttestationResult>() {
|
||||||
|
@Override
|
||||||
|
public void onResult(@NonNull SafetyNetApi.AttestationResult result) {
|
||||||
|
Status status = result.getStatus();
|
||||||
|
try {
|
||||||
|
if (!status.isSuccess()) throw new JSONException("");
|
||||||
|
String json = new String(Base64.decode(
|
||||||
|
result.getJwsResult().split("\\.")[1], Base64.DEFAULT));
|
||||||
|
JSONObject decoded = new JSONObject(json);
|
||||||
|
responseCode |= decoded.getBoolean("ctsProfileMatch") ? CTS_PASS : 0;
|
||||||
|
responseCode |= decoded.getBoolean("basicIntegrity") ? BASIC_PASS : 0;
|
||||||
|
} catch (JSONException e) {
|
||||||
|
responseCode = RESPONSE_ERR;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Disconnect
|
||||||
|
mGoogleApiClient.disconnect();
|
||||||
|
|
||||||
|
// Return results
|
||||||
|
cb.onResponse(responseCode);
|
||||||
|
}
|
||||||
|
});
|
||||||
|
}
|
||||||
|
}
|
Loading…
Reference in New Issue
Block a user