MarcoBuster/Magisk
1
1
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Use temporary files to process zips

Browse Source 
Fix #96
This commit is contained in:
topjohnwu 2017-02-15 23:43:30 +08:00
parent 21b11f1b48
commit d1c939f48a
5 changed files with 904 additions and 552 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

69
app/src/main/java/com/topjohnwu/magisk/asyncs/ProcessRepoZip.java
View File

@ -12,6 +12,10 @@ import com.topjohnwu.magisk.utils.Shell;
import com.topjohnwu.magisk.utils.Utils; import com.topjohnwu.magisk.utils.Utils;
import com.topjohnwu.magisk.utils.ZipUtils; import com.topjohnwu.magisk.utils.ZipUtils;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.OutputStream; import java.io.OutputStream;
public class ProcessRepoZip extends ParallelTask<Void, Void, Boolean> { public class ProcessRepoZip extends ParallelTask<Void, Void, Boolean> {
@ -33,26 +37,59 @@ public class ProcessRepoZip extends ParallelTask<Void, Void, Boolean> {
@Override @Override
protected Boolean doInBackground(Void... params) { protected Boolean doInBackground(Void... params) {
// Create a buffer in memory for input/output
ByteArrayInOutStream buffer = new ByteArrayInOutStream(); FileInputStream in;
FileOutputStream out;
try { try {
// First remove top folder (the folder with the repo name) in Github source zip
ZipUtils.removeTopFolder(activity.getContentResolver().openInputStream(mUri), buffer);
// Then sign the zip for the first time // Create temp file
ZipUtils.signZip(activity, buffer.getInputStream(), buffer, false); File temp1 = new File(magiskManager.getCacheDir(), "1.zip");
File temp2 = new File(magiskManager.getCacheDir(), "2.zip");
// Adjust the zip to prevent unzip issues if (magiskManager.getCacheDir().mkdirs()) {
ZipUtils.adjustZip(buffer); temp1.createNewFile();
temp2.createNewFile();
// Finally, sign the whole zip file again
ZipUtils.signZip(activity, buffer.getInputStream(), buffer, true);
// Write it back to the downloaded zip
try (OutputStream out = activity.getContentResolver().openOutputStream(mUri)) {
buffer.writeTo(out);
} }
out = new FileOutputStream(temp1);
// First remove top folder in Github source zip, Uri -> temp1
ZipUtils.removeTopFolder(activity.getContentResolver().openInputStream(mUri), out);
out.flush();
out.close();
out = new FileOutputStream(temp2);
// Then sign the zip for the first time, temp1 -> temp2
ZipUtils.signZip(activity, temp1, out, false);
out.flush();
out.close();
// Adjust the zip to prevent unzip issues, temp2 -> temp2
ZipUtils.adjustZip(temp2);
out = new FileOutputStream(temp1);
// Finally, sign the whole zip file again, temp2 -> temp1
ZipUtils.signZip(activity, temp2, out, true);
out.flush();
out.close();
in = new FileInputStream(temp1);
// Write it back to the downloaded zip, temp1 -> Uri
try (OutputStream target = activity.getContentResolver().openOutputStream(mUri)) {
byte[] buffer = new byte[4096];
int length;
if (target == null) throw new FileNotFoundException();
while ((length = in.read(buffer)) > 0)
target.write(buffer, 0, length);
}
// Delete the temp file
temp1.delete();
temp2.delete();
return true; return true;
} catch (Exception e) { } catch (Exception e) {
Logger.error("ProcessRepoZip: Error!"); Logger.error("ProcessRepoZip: Error!");

667
app/src/main/java/com/topjohnwu/magisk/utils/ZipUtils.java
View File

@ -76,6 +76,11 @@ public class ZipUtils {
private static final int USE_SHA1 = 1; private static final int USE_SHA1 = 1;
private static final int USE_SHA256 = 2; private static final int USE_SHA256 = 2;
// Files matching this pattern are not copied to the output.
private static Pattern stripPattern =
Pattern.compile("^(META-INF/((.*)[.](SF|RSA|DSA|EC)|com/android/otacert))|(" +
Pattern.quote(JarFile.MANIFEST_NAME) + ")$");
static { static {
System.loadLibrary("zipadjust"); System.loadLibrary("zipadjust");
sBouncyCastleProvider = new BouncyCastleProvider(); sBouncyCastleProvider = new BouncyCastleProvider();
@ -84,11 +89,17 @@ public class ZipUtils {
public native static byte[] zipAdjust(byte[] bytes, int size); public native static byte[] zipAdjust(byte[] bytes, int size);
public native static void zipAdjust(String filename);
// Wrapper function for the JNI function // Wrapper function for the JNI function
public static void adjustZip(ByteArrayInOutStream buffer) { public static void adjustZip(ByteArrayInOutStream buffer) {
buffer.setBuffer(zipAdjust(buffer.toByteArray(), buffer.size())); buffer.setBuffer(zipAdjust(buffer.toByteArray(), buffer.size()));
} }
public static void adjustZip(File file) {
zipAdjust(file.getPath());
}
public static void removeTopFolder(InputStream in, OutputStream out) throws IOException { public static void removeTopFolder(InputStream in, OutputStream out) throws IOException {
try { try {
JarInputStream source = new JarInputStream(in); JarInputStream source = new JarInputStream(in);
@ -186,24 +197,23 @@ public class ZipUtils {
} }
} }
public static void signZip(Context context, InputStream inputStream, public static void signZip(Context context, File input,
OutputStream outputStream, boolean signWholeFile) throws Exception { OutputStream outputStream, boolean signWholeFile) throws Exception {
JarMap inputJar; JarFile inputJar = new JarFile(input);
int hashes = 0; int hashes = 0;
try { try {
X509Certificate publicKey = readPublicKey(context.getAssets().open(PUBLIC_KEY_NAME)); X509Certificate publicKey = GeneralUtils.readPublicKey(context.getAssets().open(PUBLIC_KEY_NAME));
hashes |= getDigestAlgorithm(publicKey); hashes |= FileUtils.getDigestAlgorithm(publicKey);
// Set the ZIP file timestamp to the starting valid time // Set the ZIP file timestamp to the starting valid time
// of the 0th certificate plus one hour (to match what // of the 0th certificate plus one hour (to match what
// we've historically done). // we've historically done).
long timestamp = publicKey.getNotBefore().getTime() + 3600L * 1000; long timestamp = publicKey.getNotBefore().getTime() + 3600L * 1000;
PrivateKey privateKey = readPrivateKey(context.getAssets().open(PRIVATE_KEY_NAME)); PrivateKey privateKey = GeneralUtils.readPrivateKey(context.getAssets().open(PRIVATE_KEY_NAME));
inputJar = new JarMap(new JarInputStream(inputStream));
if (signWholeFile) { if (signWholeFile) {
if (!"RSA".equalsIgnoreCase(privateKey.getAlgorithm())) { if (!"RSA".equalsIgnoreCase(privateKey.getAlgorithm())) {
throw new IOException("Cannot sign OTA packages with non-RSA keys"); throw new IOException("Cannot sign OTA packages with non-RSA keys");
} }
signWholeFile(inputJar, context.getAssets().open(PUBLIC_KEY_NAME), FileUtils.signWholeFile(inputJar, context.getAssets().open(PUBLIC_KEY_NAME),
publicKey, privateKey, outputStream); publicKey, privateKey, outputStream);
} else { } else {
JarOutputStream outputJar = new JarOutputStream(outputStream); JarOutputStream outputJar = new JarOutputStream(outputStream);
@ -214,9 +224,9 @@ public class ZipUtils {
// and produces output that is only a tiny bit larger // and produces output that is only a tiny bit larger
// (~0.1% on full OTA packages I tested). // (~0.1% on full OTA packages I tested).
outputJar.setLevel(9); outputJar.setLevel(9);
Manifest manifest = addDigestsToManifest(inputJar, hashes); Manifest manifest = FileUtils.addDigestsToManifest(inputJar, hashes);
copyFiles(manifest, inputJar, outputJar, timestamp); FileUtils.copyFiles(manifest, inputJar, outputJar, timestamp);
signFile(manifest, inputJar, publicKey, privateKey, outputJar); GeneralUtils.signFile(manifest, publicKey, privateKey, outputJar);
outputJar.close(); outputJar.close();
} }
} catch (Exception e) { } catch (Exception e) {
@ -225,69 +235,54 @@ public class ZipUtils {
} }
} }
public static class JarMap extends TreeMap<String, Pair<JarEntry, ByteArrayOutputStream> > { public static void signZip(Context context, InputStream inputStream,
OutputStream outputStream, boolean signWholeFile) throws Exception {
private Manifest manifest; StreamUtils.JarMap inputJar;
int hashes = 0;
public JarMap(JarInputStream in) throws IOException { try {
super(); X509Certificate publicKey = GeneralUtils.readPublicKey(context.getAssets().open(PUBLIC_KEY_NAME));
manifest = in.getManifest(); hashes |= FileUtils.getDigestAlgorithm(publicKey);
byte[] buffer = new byte[4096]; // Set the ZIP file timestamp to the starting valid time
int num; // of the 0th certificate plus one hour (to match what
JarEntry entry; // we've historically done).
while ((entry = in.getNextJarEntry()) != null) { long timestamp = publicKey.getNotBefore().getTime() + 3600L * 1000;
ByteArrayOutputStream stream = new ByteArrayOutputStream(); PrivateKey privateKey = GeneralUtils.readPrivateKey(context.getAssets().open(PRIVATE_KEY_NAME));
while ((num = in.read(buffer)) > 0) { inputJar = new StreamUtils.JarMap(new JarInputStream(inputStream));
stream.write(buffer, 0, num); if (signWholeFile) {
if (!"RSA".equalsIgnoreCase(privateKey.getAlgorithm())) {
throw new IOException("Cannot sign OTA packages with non-RSA keys");
} }
put(entry.getName(), entry, stream); StreamUtils.signWholeFile(inputJar, context.getAssets().open(PUBLIC_KEY_NAME),
} publicKey, privateKey, outputStream);
in.close();
}
public JarEntry getJarEntry(String name) {
return get(name).first;
}
public ByteArrayOutputStream getStream(String name) {
return get(name).second;
}
public void put(String name, JarEntry entry, ByteArrayOutputStream stream) {
put(name, new Pair<>(entry, stream));
}
public Manifest getManifest() {
return manifest;
}
public Enumeration<JarEntry> entries() {
Iterator<Map.Entry<String, Pair<JarEntry, ByteArrayOutputStream> >> i = entrySet().iterator();
ArrayList<JarEntry> list = new ArrayList<>();
while (i.hasNext())
list.add(i.next().getValue().first);
return Collections.enumeration(list);
}
}
/**
* Return one of USE_SHA1 or USE_SHA256 according to the signature
* algorithm specified in the cert.
*/
private static int getDigestAlgorithm(X509Certificate cert) {
String sigAlg = cert.getSigAlgName().toUpperCase(Locale.US);
if ("SHA1WITHRSA".equals(sigAlg) ||
"MD5WITHRSA".equals(sigAlg)) { // see "HISTORICAL NOTE" above.
return USE_SHA1;
} else if (sigAlg.startsWith("SHA256WITH")) {
return USE_SHA256;
} else { } else {
throw new IllegalArgumentException("unsupported signature algorithm \"" + sigAlg + JarOutputStream outputJar = new JarOutputStream(outputStream);
"\" in cert [" + cert.getSubjectDN()); // For signing .apks, use the maximum compression to make
// them as small as possible (since they live forever on
// the system partition). For OTA packages, use the
// default compression level, which is much much faster
// and produces output that is only a tiny bit larger
// (~0.1% on full OTA packages I tested).
outputJar.setLevel(9);
Manifest manifest = StreamUtils.addDigestsToManifest(inputJar, hashes);
StreamUtils.copyFiles(manifest, inputJar, outputJar, timestamp);
GeneralUtils.signFile(manifest, publicKey, privateKey, outputJar);
outputJar.close();
}
} catch (Exception e) {
e.printStackTrace();
throw e;
} }
} }
// This class host general functions
public static class GeneralUtils {
/** Returns the expected signature algorithm for this key type. */ /** Returns the expected signature algorithm for this key type. */
private static String getSignatureAlgorithm(X509Certificate cert) { private static String getSignatureAlgorithm(X509Certificate cert) {
String sigAlg = cert.getSigAlgName().toUpperCase(Locale.US); String sigAlg = cert.getSigAlgName().toUpperCase(Locale.US);
String keyType = cert.getPublicKey().getAlgorithm().toUpperCase(Locale.US); String keyType = cert.getPublicKey().getAlgorithm().toUpperCase(Locale.US);
if ("RSA".equalsIgnoreCase(keyType)) { if ("RSA".equalsIgnoreCase(keyType)) {
if (getDigestAlgorithm(cert) == USE_SHA256) { if (FileUtils.getDigestAlgorithm(cert) == USE_SHA256) {
return "SHA256withRSA"; return "SHA256withRSA";
} else { } else {
return "SHA1withRSA"; return "SHA1withRSA";
@ -300,10 +295,7 @@ public class ZipUtils {
throw new IllegalArgumentException("unsupported key type: " + keyType); throw new IllegalArgumentException("unsupported key type: " + keyType);
} }
} }
// Files matching this pattern are not copied to the output.
private static Pattern stripPattern =
Pattern.compile("^(META-INF/((.*)[.](SF|RSA|DSA|EC)|com/android/otacert))|(" +
Pattern.quote(JarFile.MANIFEST_NAME) + ")$");
private static X509Certificate readPublicKey(InputStream input) private static X509Certificate readPublicKey(InputStream input)
throws IOException, GeneralSecurityException { throws IOException, GeneralSecurityException {
try { try {
@ -373,6 +365,7 @@ public class ZipUtils {
input.close(); input.close();
} }
} }
private static PrivateKey decodeAsKeyType(KeySpec spec, String keyType) private static PrivateKey decodeAsKeyType(KeySpec spec, String keyType)
throws GeneralSecurityException { throws GeneralSecurityException {
try { try {
@ -382,57 +375,6 @@ public class ZipUtils {
} }
} }
/**
* Add the hash(es) of every file to the manifest, creating it if
* necessary.
*/
private static Manifest addDigestsToManifest(JarMap jar, int hashes)
throws IOException, GeneralSecurityException {
Manifest input = jar.getManifest();
Manifest output = new Manifest();
Attributes main = output.getMainAttributes();
if (input != null) {
main.putAll(input.getMainAttributes());
} else {
main.putValue("Manifest-Version", "1.0");
main.putValue("Created-By", "1.0 (Android SignApk)");
}
MessageDigest md_sha1 = null;
MessageDigest md_sha256 = null;
if ((hashes & USE_SHA1) != 0) {
md_sha1 = MessageDigest.getInstance("SHA1");
}
if ((hashes & USE_SHA256) != 0) {
md_sha256 = MessageDigest.getInstance("SHA256");
}
// We sort the input entries by name, and add them to the
// output manifest in sorted order. We expect that the output
// map will be deterministic.
/* JarMap is a TreeMap, so it's already sorted */
for (String name : jar.keySet()) {
JarEntry entry = jar.getJarEntry(name);
if (!entry.isDirectory() &&
(stripPattern == null || !stripPattern.matcher(name).matches())) {
byte[] buffer = jar.getStream(name).toByteArray();
if (md_sha1 != null) md_sha1.update(buffer, 0, buffer.length);
if (md_sha256 != null) md_sha256.update(buffer, 0, buffer.length);
Attributes attr = null;
if (input != null) attr = input.getAttributes(name);
attr = attr != null ? new Attributes(attr) : new Attributes();
if (md_sha1 != null) {
attr.putValue("SHA1-Digest",
new String(Base64.encode(md_sha1.digest()), "ASCII"));
}
if (md_sha256 != null) {
attr.putValue("SHA-256-Digest",
new String(Base64.encode(md_sha256.digest()), "ASCII"));
}
output.getEntries().put(name, attr);
}
}
return output;
}
/** /**
* Add a copy of the public key to the archive; this should * Add a copy of the public key to the archive; this should
* exactly match one of the files in * exactly match one of the files in
@ -463,30 +405,6 @@ public class ZipUtils {
manifest.getEntries().put(OTACERT_NAME, attr); manifest.getEntries().put(OTACERT_NAME, attr);
} }
/** Write to another stream and track how many bytes have been
* written.
*/
private static class CountOutputStream extends FilterOutputStream {
private int mCount;
public CountOutputStream(OutputStream out) {
super(out);
mCount = 0;
}
@Override
public void write(int b) throws IOException {
super.write(b);
mCount++;
}
@Override
public void write(byte[] b, int off, int len) throws IOException {
super.write(b, off, len);
mCount += len;
}
public int size() {
return mCount;
}
}
/** Write a .SF file with a digest of the specified manifest. */ /** Write a .SF file with a digest of the specified manifest. */
private static void writeSignatureFile(Manifest manifest, OutputStream out, private static void writeSignatureFile(Manifest manifest, OutputStream out,
int hash) int hash)
@ -556,31 +474,55 @@ public class ZipUtils {
dos.writeObject(asn1.readObject()); dos.writeObject(asn1.readObject());
} }
} }
/**
* Copy all the files in a manifest from input to output. We set private static void signFile(Manifest manifest,
* the modification times in the output to a fixed time, so as to X509Certificate publicKey, PrivateKey privateKey,
* reduce variation in the output file and make incremental OTAs JarOutputStream outputJar)
* more efficient. throws Exception {
*/ // Assume the certificate is valid for at least an hour.
private static void copyFiles(Manifest manifest, long timestamp = publicKey.getNotBefore().getTime() + 3600L * 1000;
JarMap in, JarOutputStream out, long timestamp) throws IOException { // MANIFEST.MF
Map<String, Attributes> entries = manifest.getEntries(); JarEntry je = new JarEntry(JarFile.MANIFEST_NAME);
ArrayList<String> names = new ArrayList<>(entries.keySet()); je.setTime(timestamp);
Collections.sort(names); outputJar.putNextEntry(je);
for (String name : names) { manifest.write(outputJar);
JarEntry inEntry = in.getJarEntry(name); // CERT.SF / CERT#.SF
JarEntry outEntry; je = new JarEntry(CERT_SF_NAME);
if (inEntry.getMethod() == JarEntry.STORED) { je.setTime(timestamp);
// Preserve the STORED method of the input entry. outputJar.putNextEntry(je);
outEntry = new JarEntry(inEntry); ByteArrayOutputStream baos = new ByteArrayOutputStream();
} else { writeSignatureFile(manifest, baos, FileUtils.getDigestAlgorithm(publicKey));
// Create a new entry so that the compressed len is recomputed. byte[] signedData = baos.toByteArray();
outEntry = new JarEntry(name); outputJar.write(signedData);
// CERT.{DSA,EC,RSA} / CERT#.{DSA,EC,RSA}
je = new JarEntry((String.format(CERT_SIG_NAME, privateKey.getAlgorithm())));
je.setTime(timestamp);
outputJar.putNextEntry(je);
writeSignatureBlock(new CMSProcessableByteArray(signedData),
publicKey, privateKey, outputJar);
} }
outEntry.setTime(timestamp);
out.putNextEntry(outEntry); /** Write to another stream and track how many bytes have been
in.getStream(name).writeTo(out); * written.
out.flush(); */
private static class CountOutputStream extends FilterOutputStream {
private int mCount;
public CountOutputStream(OutputStream out) {
super(out);
mCount = 0;
}
@Override
public void write(int b) throws IOException {
super.write(b);
mCount++;
}
@Override
public void write(byte[] b, int off, int len) throws IOException {
super.write(b, off, len);
mCount += len;
}
public int size() {
return mCount;
} }
} }
@ -634,16 +576,193 @@ public class ZipUtils {
} }
} }
} }
}
// This class host functions that consumes JarFiles
public static class FileUtils {
/**
* Return one of USE_SHA1 or USE_SHA256 according to the signature
* algorithm specified in the cert.
*/
private static int getDigestAlgorithm(X509Certificate cert) {
String sigAlg = cert.getSigAlgName().toUpperCase(Locale.US);
if ("SHA1WITHRSA".equals(sigAlg) ||
"MD5WITHRSA".equals(sigAlg)) { // see "HISTORICAL NOTE" above.
return USE_SHA1;
} else if (sigAlg.startsWith("SHA256WITH")) {
return USE_SHA256;
} else {
throw new IllegalArgumentException("unsupported signature algorithm \"" + sigAlg +
"\" in cert [" + cert.getSubjectDN());
}
}
private static Manifest addDigestsToManifest(JarFile jar, int hashes)
throws IOException, GeneralSecurityException {
Manifest input = jar.getManifest();
Manifest output = new Manifest();
Attributes main = output.getMainAttributes();
if (input != null) {
main.putAll(input.getMainAttributes());
} else {
main.putValue("Manifest-Version", "1.0");
main.putValue("Created-By", "1.0 (Android SignApk)");
}
MessageDigest md_sha1 = null;
MessageDigest md_sha256 = null;
if ((hashes & USE_SHA1) != 0) {
md_sha1 = MessageDigest.getInstance("SHA1");
}
if ((hashes & USE_SHA256) != 0) {
md_sha256 = MessageDigest.getInstance("SHA256");
}
byte[] buffer = new byte[4096];
int num;
// We sort the input entries by name, and add them to the
// output manifest in sorted order. We expect that the output
// map will be deterministic.
TreeMap<String, JarEntry> byName = new TreeMap<String, JarEntry>();
for (Enumeration<JarEntry> e = jar.entries(); e.hasMoreElements(); ) {
JarEntry entry = e.nextElement();
byName.put(entry.getName(), entry);
}
for (JarEntry entry: byName.values()) {
String name = entry.getName();
if (!entry.isDirectory() &&
(stripPattern == null || !stripPattern.matcher(name).matches())) {
InputStream data = jar.getInputStream(entry);
while ((num = data.read(buffer)) > 0) {
if (md_sha1 != null) md_sha1.update(buffer, 0, num);
if (md_sha256 != null) md_sha256.update(buffer, 0, num);
}
Attributes attr = null;
if (input != null) attr = input.getAttributes(name);
attr = attr != null ? new Attributes(attr) : new Attributes();
// Remove any previously computed digests from this entry's attributes.
for (Iterator<Object> i = attr.keySet().iterator(); i.hasNext();) {
Object key = i.next();
if (!(key instanceof Attributes.Name)) {
continue;
}
String attributeNameLowerCase =
((Attributes.Name) key).toString().toLowerCase(Locale.US);
if (attributeNameLowerCase.endsWith("-digest")) {
i.remove();
}
}
// Add SHA-1 digest if requested
if (md_sha1 != null) {
attr.putValue("SHA1-Digest",
new String(Base64.encode(md_sha1.digest()), "ASCII"));
}
// Add SHA-256 digest if requested
if (md_sha256 != null) {
attr.putValue("SHA-256-Digest",
new String(Base64.encode(md_sha256.digest()), "ASCII"));
}
output.getEntries().put(name, attr);
}
}
return output;
}
private static void copyFiles(Manifest manifest,
JarFile in, JarOutputStream out, long timestamp) throws IOException {
byte[] buffer = new byte[4096];
int num;
Map<String, Attributes> entries = manifest.getEntries();
ArrayList<String> names = new ArrayList<String>(entries.keySet());
Collections.sort(names);
for (String name : names) {
JarEntry inEntry = in.getJarEntry(name);
JarEntry outEntry = null;
if (inEntry.getMethod() == JarEntry.STORED) {
// Preserve the STORED method of the input entry.
outEntry = new JarEntry(inEntry);
} else {
// Create a new entry so that the compressed len is recomputed.
outEntry = new JarEntry(name);
}
outEntry.setTime(timestamp);
out.putNextEntry(outEntry);
InputStream data = in.getInputStream(inEntry);
while ((num = data.read(buffer)) > 0) {
out.write(buffer, 0, num);
}
out.flush();
}
}
private static void signWholeFile(JarFile inputJar, InputStream publicKeyFile,
X509Certificate publicKey, PrivateKey privateKey,
OutputStream outputStream) throws Exception {
CMSSigner cmsOut = new CMSSigner(inputJar, publicKeyFile,
publicKey, privateKey, outputStream);
ByteArrayOutputStream temp = new ByteArrayOutputStream();
// put a readable message and a null char at the start of the
// archive comment, so that tools that display the comment
// (hopefully) show something sensible.
// TODO: anything more useful we can put in this message?
byte[] message = "signed by SignApk".getBytes("UTF-8");
temp.write(message);
temp.write(0);
cmsOut.writeSignatureBlock(temp);
byte[] zipData = cmsOut.getSigner().getTail();
// For a zip with no archive comment, the
// end-of-central-directory record will be 22 bytes long, so
// we expect to find the EOCD marker 22 bytes from the end.
if (zipData[zipData.length-22] != 0x50 ||
zipData[zipData.length-21] != 0x4b ||
zipData[zipData.length-20] != 0x05 ||
zipData[zipData.length-19] != 0x06) {
throw new IllegalArgumentException("zip data already has an archive comment");
}
int total_size = temp.size() + 6;
if (total_size > 0xffff) {
throw new IllegalArgumentException("signature is too big for ZIP file comment");
}
// signature starts this many bytes from the end of the file
int signature_start = total_size - message.length - 1;
temp.write(signature_start & 0xff);
temp.write((signature_start >> 8) & 0xff);
// Why the 0xff bytes? In a zip file with no archive comment,
// bytes [-6:-2] of the file are the little-endian offset from
// the start of the file to the central directory. So for the
// two high bytes to be 0xff 0xff, the archive would have to
// be nearly 4GB in size. So it's unlikely that a real
// commentless archive would have 0xffs here, and lets us tell
// an old signed archive from a new one.
temp.write(0xff);
temp.write(0xff);
temp.write(total_size & 0xff);
temp.write((total_size >> 8) & 0xff);
temp.flush();
// Signature verification checks that the EOCD header is the
// last such sequence in the file (to avoid minzip finding a
// fake EOCD appended after the signature in its scan). The
// odds of producing this sequence by chance are very low, but
// let's catch it here if it does.
byte[] b = temp.toByteArray();
for (int i = 0; i < b.length-3; ++i) {
if (b[i] == 0x50 && b[i+1] == 0x4b && b[i+2] == 0x05 && b[i+3] == 0x06) {
throw new IllegalArgumentException("found spurious EOCD header at " + i);
}
}
outputStream.write(total_size & 0xff);
outputStream.write((total_size >> 8) & 0xff);
temp.writeTo(outputStream);
}
private static class CMSSigner implements CMSTypedData { private static class CMSSigner implements CMSTypedData {
private JarMap inputJar; private JarFile inputJar;
private InputStream publicKeyFile; private InputStream publicKeyFile;
private X509Certificate publicKey; private X509Certificate publicKey;
private PrivateKey privateKey; private PrivateKey privateKey;
private OutputStream outputStream; private OutputStream outputStream;
private final ASN1ObjectIdentifier type; private final ASN1ObjectIdentifier type;
private WholeFileSignerOutputStream signer; private GeneralUtils.WholeFileSignerOutputStream signer;
public CMSSigner(JarMap inputJar, InputStream publicKeyFile, public CMSSigner(JarFile inputJar, InputStream publicKeyFile,
X509Certificate publicKey, PrivateKey privateKey, X509Certificate publicKey, PrivateKey privateKey,
OutputStream outputStream) { OutputStream outputStream) {
this.inputJar = inputJar; this.inputJar = inputJar;
@ -662,7 +781,7 @@ public class ZipUtils {
} }
public void write(OutputStream out) throws IOException { public void write(OutputStream out) throws IOException {
try { try {
signer = new WholeFileSignerOutputStream(out, outputStream); signer = new GeneralUtils.WholeFileSignerOutputStream(out, outputStream);
JarOutputStream outputJar = new JarOutputStream(signer); JarOutputStream outputJar = new JarOutputStream(signer);
int hash = getDigestAlgorithm(publicKey); int hash = getDigestAlgorithm(publicKey);
// Assume the certificate is valid for at least an hour. // Assume the certificate is valid for at least an hour.
@ -671,7 +790,7 @@ public class ZipUtils {
copyFiles(manifest, inputJar, outputJar, timestamp); copyFiles(manifest, inputJar, outputJar, timestamp);
// Don't add Otacert, it's not an OTA // Don't add Otacert, it's not an OTA
// addOtacert(outputJar, publicKeyFile, timestamp, manifest, hash); // addOtacert(outputJar, publicKeyFile, timestamp, manifest, hash);
signFile(manifest, inputJar, publicKey, privateKey, outputJar); GeneralUtils.signFile(manifest, publicKey, privateKey, outputJar);
signer.notifyClosing(); signer.notifyClosing();
outputJar.close(); outputJar.close();
signer.finish(); signer.finish();
@ -685,12 +804,96 @@ public class ZipUtils {
CertificateEncodingException, CertificateEncodingException,
OperatorCreationException, OperatorCreationException,
CMSException { CMSException {
ZipUtils.writeSignatureBlock(this, publicKey, privateKey, temp); GeneralUtils.writeSignatureBlock(this, publicKey, privateKey, temp);
} }
public WholeFileSignerOutputStream getSigner() { public GeneralUtils.WholeFileSignerOutputStream getSigner() {
return signer; return signer;
} }
} }
}
// This class host functions that consumes inputstreams
// Uses JarMap (virtual random access JarFile in memory)
public static class StreamUtils {
/**
* Add the hash(es) of every file to the manifest, creating it if
* necessary.
*/
private static Manifest addDigestsToManifest(JarMap jar, int hashes)
throws IOException, GeneralSecurityException {
Manifest input = jar.getManifest();
Manifest output = new Manifest();
Attributes main = output.getMainAttributes();
if (input != null) {
main.putAll(input.getMainAttributes());
} else {
main.putValue("Manifest-Version", "1.0");
main.putValue("Created-By", "1.0 (Android SignApk)");
}
MessageDigest md_sha1 = null;
MessageDigest md_sha256 = null;
if ((hashes & USE_SHA1) != 0) {
md_sha1 = MessageDigest.getInstance("SHA1");
}
if ((hashes & USE_SHA256) != 0) {
md_sha256 = MessageDigest.getInstance("SHA256");
}
// We sort the input entries by name, and add them to the
// output manifest in sorted order. We expect that the output
// map will be deterministic.
/* JarMap is a TreeMap, so it's already sorted */
for (String name : jar.keySet()) {
JarEntry entry = jar.getJarEntry(name);
if (!entry.isDirectory() &&
(stripPattern == null || !stripPattern.matcher(name).matches())) {
byte[] buffer = jar.getStream(name).toByteArray();
if (md_sha1 != null) md_sha1.update(buffer, 0, buffer.length);
if (md_sha256 != null) md_sha256.update(buffer, 0, buffer.length);
Attributes attr = null;
if (input != null) attr = input.getAttributes(name);
attr = attr != null ? new Attributes(attr) : new Attributes();
if (md_sha1 != null) {
attr.putValue("SHA1-Digest",
new String(Base64.encode(md_sha1.digest()), "ASCII"));
}
if (md_sha256 != null) {
attr.putValue("SHA-256-Digest",
new String(Base64.encode(md_sha256.digest()), "ASCII"));
}
output.getEntries().put(name, attr);
}
}
return output;
}
/**
* Copy all the files in a manifest from input to output. We set
* the modification times in the output to a fixed time, so as to
* reduce variation in the output file and make incremental OTAs
* more efficient.
*/
private static void copyFiles(Manifest manifest,
JarMap in, JarOutputStream out, long timestamp) throws IOException {
Map<String, Attributes> entries = manifest.getEntries();
ArrayList<String> names = new ArrayList<>(entries.keySet());
Collections.sort(names);
for (String name : names) {
JarEntry inEntry = in.getJarEntry(name);
JarEntry outEntry;
if (inEntry.getMethod() == JarEntry.STORED) {
// Preserve the STORED method of the input entry.
outEntry = new JarEntry(inEntry);
} else {
// Create a new entry so that the compressed len is recomputed.
outEntry = new JarEntry(name);
}
outEntry.setTime(timestamp);
out.putNextEntry(outEntry);
in.getStream(name).writeTo(out);
out.flush();
}
}
private static void signWholeFile(JarMap inputJar, InputStream publicKeyFile, private static void signWholeFile(JarMap inputJar, InputStream publicKeyFile,
X509Certificate publicKey, PrivateKey privateKey, X509Certificate publicKey, PrivateKey privateKey,
@ -752,30 +955,102 @@ public class ZipUtils {
temp.writeTo(outputStream); temp.writeTo(outputStream);
} }
private static void signFile(Manifest manifest, JarMap inputJar, public static class JarMap extends TreeMap<String, Pair<JarEntry, ByteArrayOutputStream> > {
private Manifest manifest;
public JarMap(JarInputStream in) throws IOException {
super();
manifest = in.getManifest();
byte[] buffer = new byte[4096];
int num;
JarEntry entry;
while ((entry = in.getNextJarEntry()) != null) {
ByteArrayOutputStream stream = new ByteArrayOutputStream();
while ((num = in.read(buffer)) > 0) {
stream.write(buffer, 0, num);
}
put(entry.getName(), entry, stream);
}
in.close();
}
public JarEntry getJarEntry(String name) {
return get(name).first;
}
public ByteArrayOutputStream getStream(String name) {
return get(name).second;
}
public void put(String name, JarEntry entry, ByteArrayOutputStream stream) {
put(name, new Pair<>(entry, stream));
}
public Manifest getManifest() {
return manifest;
}
public Enumeration<JarEntry> entries() {
Iterator<Entry<String, Pair<JarEntry, ByteArrayOutputStream> >> i = entrySet().iterator();
ArrayList<JarEntry> list = new ArrayList<>();
while (i.hasNext())
list.add(i.next().getValue().first);
return Collections.enumeration(list);
}
}
private static class CMSSigner implements CMSTypedData {
private JarMap inputJar;
private InputStream publicKeyFile;
private X509Certificate publicKey;
private PrivateKey privateKey;
private OutputStream outputStream;
private final ASN1ObjectIdentifier type;
private GeneralUtils.WholeFileSignerOutputStream signer;
public CMSSigner(JarMap inputJar, InputStream publicKeyFile,
X509Certificate publicKey, PrivateKey privateKey, X509Certificate publicKey, PrivateKey privateKey,
JarOutputStream outputJar) OutputStream outputStream) {
throws Exception { this.inputJar = inputJar;
this.publicKeyFile = publicKeyFile;
this.publicKey = publicKey;
this.privateKey = privateKey;
this.outputStream = outputStream;
this.type = new ASN1ObjectIdentifier(CMSObjectIdentifiers.data.getId());
}
public Object getContent() {
// Not supported, but still don't crash or return null
return 1;
}
public ASN1ObjectIdentifier getContentType() {
return type;
}
public void write(OutputStream out) throws IOException {
try {
signer = new GeneralUtils.WholeFileSignerOutputStream(out, outputStream);
JarOutputStream outputJar = new JarOutputStream(signer);
int hash = FileUtils.getDigestAlgorithm(publicKey);
// Assume the certificate is valid for at least an hour. // Assume the certificate is valid for at least an hour.
long timestamp = publicKey.getNotBefore().getTime() + 3600L * 1000; long timestamp = publicKey.getNotBefore().getTime() + 3600L * 1000;
// MANIFEST.MF Manifest manifest = addDigestsToManifest(inputJar, hash);
JarEntry je = new JarEntry(JarFile.MANIFEST_NAME); copyFiles(manifest, inputJar, outputJar, timestamp);
je.setTime(timestamp); // Don't add Otacert, it's not an OTA
outputJar.putNextEntry(je); // addOtacert(outputJar, publicKeyFile, timestamp, manifest, hash);
manifest.write(outputJar); GeneralUtils.signFile(manifest, publicKey, privateKey, outputJar);
// CERT.SF / CERT#.SF signer.notifyClosing();
je = new JarEntry(CERT_SF_NAME); outputJar.close();
je.setTime(timestamp); signer.finish();
outputJar.putNextEntry(je); }
ByteArrayOutputStream baos = new ByteArrayOutputStream(); catch (Exception e) {
writeSignatureFile(manifest, baos, getDigestAlgorithm(publicKey)); throw new IOException(e);
byte[] signedData = baos.toByteArray(); }
outputJar.write(signedData); }
// CERT.{DSA,EC,RSA} / CERT#.{DSA,EC,RSA} public void writeSignatureBlock(ByteArrayOutputStream temp)
je = new JarEntry((String.format(CERT_SIG_NAME, privateKey.getAlgorithm()))); throws IOException,
je.setTime(timestamp); CertificateEncodingException,
outputJar.putNextEntry(je); OperatorCreationException,
writeSignatureBlock(new CMSProcessableByteArray(signedData), CMSException {
publicKey, privateKey, outputJar); GeneralUtils.writeSignatureBlock(this, publicKey, privateKey, temp);
}
public GeneralUtils.WholeFileSignerOutputStream getSigner() {
return signer;
}
}
} }
} }

41
app/src/main/jni/jni_glue.c
View File

@ -4,10 +4,15 @@
#include <jni.h> #include <jni.h>
#include <stdlib.h> #include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
#include <sys/stat.h>
#include <fcntl.h>
#include "zipadjust.h" #include "zipadjust.h"
JNIEXPORT jbyteArray JNICALL JNIEXPORT jbyteArray JNICALL
Java_com_topjohnwu_magisk_utils_ZipUtils_zipAdjust(JNIEnv *env, jclass type, jbyteArray jbytes, jint size) { Java_com_topjohnwu_magisk_utils_ZipUtils_zipAdjust___3BI(JNIEnv *env, jclass type,
jbyteArray jbytes, jint size) {
fin = (*env)->GetPrimitiveArrayCritical(env, jbytes, NULL); fin = (*env)->GetPrimitiveArrayCritical(env, jbytes, NULL);
insize = (size_t) size; insize = (size_t) size;
@ -21,3 +26,37 @@ Java_com_topjohnwu_magisk_utils_ZipUtils_zipAdjust(JNIEnv *env, jclass type, jby
return ret; return ret;
} }
JNIEXPORT void JNICALL
Java_com_topjohnwu_magisk_utils_ZipUtils_zipAdjust__Ljava_lang_String_2(JNIEnv *env, jclass type, jstring name) {
const char *filename = (*env)->GetStringUTFChars(env, name, NULL);
int fd = open(filename, O_RDONLY);
if (fd < 0)
return;
// Load the file to memory
insize = lseek(fd, 0, SEEK_END);
lseek(fd, 0, SEEK_SET);
fin = malloc(insize);
read(fd, fin, insize);
zipadjust(0);
close(fd);
// Open file for output
fd = open(filename, O_WRONLY | O_TRUNC);
if (fd < 0)
return;
(*env)->ReleaseStringUTFChars(env, name, filename);
// Write back to file
lseek(fd, 0, SEEK_SET);
write(fd, fout, outsize);
close(fd);
free(fin);
free(fout);
}

6
app/src/main/jni/zipadjust.c
View File

@ -1,14 +1,8 @@
#include <stdlib.h> #include <stdlib.h>
#include <stdio.h> #include <stdio.h>
#include <zlib.h> #include <zlib.h>
#include <android/log.h>
#include "zipadjust.h" #include "zipadjust.h"
#define LOG_TAG "zipadjust"
#define LOGD(...) __android_log_print(ANDROID_LOG_DEBUG, LOG_TAG, __VA_ARGS__)
#define LOGE(...) __android_log_print(ANDROID_LOG_ERROR, LOG_TAG, __VA_ARGS__)
size_t insize = 0, outsize = 0, alloc = 0; size_t insize = 0, outsize = 0, alloc = 0;
unsigned char *fin = NULL, *fout = NULL; unsigned char *fin = NULL, *fout = NULL;

7
app/src/main/jni/zipadjust.h
View File

@ -1,9 +1,16 @@
#ifndef MAGISKMANAGER_ZIPADJUST_H_H #ifndef MAGISKMANAGER_ZIPADJUST_H_H
#define MAGISKMANAGER_ZIPADJUST_H_H #define MAGISKMANAGER_ZIPADJUST_H_H
#include <android/log.h>
int zipadjust(int decompress); int zipadjust(int decompress);
extern size_t insize, outsize, alloc; extern size_t insize, outsize, alloc;
extern unsigned char *fin, *fout; extern unsigned char *fin, *fout;
#define LOG_TAG "zipadjust"
#define LOGD(...) __android_log_print(ANDROID_LOG_DEBUG, LOG_TAG, __VA_ARGS__)
#define LOGE(...) __android_log_print(ANDROID_LOG_ERROR, LOG_TAG, __VA_ARGS__)
#endif //MAGISKMANAGER_ZIPADJUST_H_H #endif //MAGISKMANAGER_ZIPADJUST_H_H