java: Extract raw X.509 Certificate from a signed APK or JAR

Notice: this page is a Chinese/English translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you reuse it you must do so under the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me). StackOverflow original: http://stackoverflow.com/questions/13692917/

Date: 2020-10-31 13:38:55  Source: igfitidea

Tags: java, android, keystore, jar-signing, jarsigner

Asked by Jeff DQ

I have a library of MD5 hashes of public keys used to sign various jars, and a mapping to their respective keystores which we use to sign different APKs. What I'd like to be able to do is identify which keystore was used to sign an APK, but without using trial and error. (Also, sadly, many of our keys share similar or identical DNs.)

My solution, because I know the META-INF/FOO.RSA (or FOO.DSA) contains the certificate, was to extract the certificate from the APK's RSA file and directly calculate the MD5 hash. (I know the certificate is there because it is accessible to a running android application, and the jarsigner documentation tells me it is there.)

But I can't find any tool that gives me the actual bytes of the certificate. I can get the DN and the certificate metadata when I use jarsigner -verbose -verify -certs my.apk, but that doesn't give me the bytes.

Answered by frederikdebacker

Extract the JAR then use 'openssl' to output the certificate:

So assuming 'foo.jar' is in your current directory, do something like:

mkdir temp
cd temp
jar -xvf ../foo.jar
cd META-INF
openssl pkcs7 -in FOO.RSA -print_certs -inform DER -out foo.cer

Answered by Jeremy

Hexdump FOO.RSA. The last n bytes are the signature itself, where n depends on the key length (e.g., 1024 bit RSA). If you sign something twice with the same key, you can diff the .RSA files and see that only the last n bytes change; the static part of the file is the cert and the bits that change are the signature on the hash of FOO.sf. There may be a delimiter between the cert and signature that you'd also have to remove.

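The two answers above describe the same file from two directions: frederikdebacker has openssl pull the certificates out of the PKCS#7 blob, and Jeremy observes that the only part of FOO.RSA that changes between signings is the signature at the tail. The script below is an added example, not code from the question or either answer, that does both with a small DER walker and nothing but the Python standard library: it opens an APK/JAR as a zip, finds every META-INF/*.RSA, *.DSA or *.EC entry, extracts the raw certificate bytes from the SignedData `certificates` field, prints openssl-style MD5 fingerprints (the value the asker wants to match against their keystore library), and also returns the `encryptedDigest` bytes of each SignerInfo so you can confirm they sit at the end of the file. It assumes the signature block follows the PKCS#7 SignedData layout (RFC 2315) that jarsigner writes. The sample input is constructed inline: the "certificate" it contains is a placeholder DER SEQUENCE in the position a real X.509 certificate occupies, and the function and constant names are my own.

```python
"""Extract raw certificates and signature bytes from a JAR/APK v1 signature block
(META-INF/*.RSA, *.DSA, *.EC) with a minimal DER walker. Standard library only."""
import hashlib
import io
import zipfile

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2 pkcs7-signedData


def read_tlv(buf, pos):
    """Decode one DER tag/length header at pos -> (tag, value_start, value_end)."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags do not occur in PKCS#7 / X.509")
    first, p = buf[pos + 1], pos + 2
    if first & 0x80:                      # long form: 0x8n followed by n length bytes
        n = first & 0x7F
        if n == 0:
            raise ValueError("indefinite length is BER, not DER")
        length, p = int.from_bytes(buf[p:p + n], "big"), p + n
    else:
        length = first
    return tag, p, p + length


def children(buf, start, end):
    """Yield (tag, tlv_start, value_start, value_end) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, vs, ve = read_tlv(buf, pos)
        yield tag, pos, vs, ve
        pos = ve


def signed_data(blob):
    """Locate the SignedData SEQUENCE inside ContentInfo { OID, [0] EXPLICIT content }."""
    tag, vs, ve = read_tlv(blob, 0)
    oid, content = list(children(blob, vs, ve))[:2]
    if tag != 0x30 or oid[0] != 0x06 or blob[oid[2]:oid[3]] != OID_SIGNED_DATA or content[0] != 0xA0:
        raise ValueError("not a PKCS#7 signedData ContentInfo")
    _, sd_vs, sd_ve = read_tlv(blob, content[2])
    return sd_vs, sd_ve


def certificates_from_pkcs7(blob):
    """Raw DER of every certificate in SignedData.certificates ([0] IMPLICIT SET OF Certificate)."""
    sd_vs, sd_ve = signed_data(blob)
    certs = []
    for tag, _, vs, ve in children(blob, sd_vs, sd_ve):
        if tag == 0xA0:   # the optional certificates field; crls would be [1] = 0xA1
            certs += [blob[start:end] for ctag, start, _, end in children(blob, vs, ve) if ctag == 0x30]
    return certs


def signatures_from_pkcs7(blob):
    """The encryptedDigest OCTET STRING of each SignerInfo (the bytes that change per signing)."""
    sd_vs, sd_ve = signed_data(blob)
    signer_infos = [c for c in children(blob, sd_vs, sd_ve) if c[0] == 0x31][-1]  # last SET
    sigs = []
    for _, _, si_vs, si_ve in children(blob, signer_infos[2], signer_infos[3]):
        sigs += [blob[vs:ve] for tag, _, vs, ve in children(blob, si_vs, si_ve) if tag == 0x04]
    return sigs


def fingerprint(cert_der, algo="md5"):
    """Colon-separated digest of the DER certificate, formatted like `openssl x509 -fingerprint`."""
    hexdigest = hashlib.new(algo, cert_der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def fingerprint_apk(apk_bytes, algo="md5"):
    """Map each v1 signature block in the archive to the fingerprints of its certificates."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.upper().startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                result[name] = [fingerprint(c, algo) for c in certificates_from_pkcs7(z.read(name))]
    return result


# --- constructed sample input: NOT a real signature; FAKE_CERT is a placeholder SEQUENCE ---
def der(tag, *parts):
    body = b"".join(parts)
    n = len(body)
    nbytes = (n.bit_length() + 7) // 8
    length = bytes([n]) if n < 0x80 else bytes([0x80 | nbytes]) + n.to_bytes(nbytes, "big")
    return bytes([tag]) + length + body


OID_SHA1, OID_RSA, OID_DATA = bytes.fromhex("2b0e03021a"), bytes.fromhex("2a864886f70d010101"), bytes.fromhex("2a864886f70d010701")
FAKE_CERT = der(0x30, der(0x30, der(0x04, b"placeholder tbsCertificate")), der(0x30, der(0x06, OID_RSA), der(0x05)), der(0x03, b"\x00" * 17))
FAKE_SIGNATURE = bytes(range(128))        # 128 bytes, the size of a 1024-bit RSA signature
SAMPLE_RSA = der(0x30, der(0x06, OID_SIGNED_DATA), der(0xA0, der(0x30,
    der(0x02, b"\x01"),                                       # version
    der(0x31, der(0x30, der(0x06, OID_SHA1), der(0x05))),     # digestAlgorithms
    der(0x30, der(0x06, OID_DATA)),                           # contentInfo (detached content)
    der(0xA0, FAKE_CERT),                                     # certificates [0] IMPLICIT
    der(0x31, der(0x30,                                       # signerInfos: one SignerInfo
        der(0x02, b"\x01"), der(0x30, der(0x30), der(0x02, b"\x01")),
        der(0x30, der(0x06, OID_SHA1), der(0x05)), der(0x30, der(0x06, OID_RSA), der(0x05)),
        der(0x04, FAKE_SIGNATURE))))))


def build_sample_apk():
    """An in-memory zip laid out like a v1-signed APK, carrying SAMPLE_RSA as META-INF/FOO.RSA."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("META-INF/FOO.SF", "Signature-Version: 1.0\n")
        z.writestr("META-INF/FOO.RSA", SAMPLE_RSA)
        z.writestr("classes.dex", b"dex\n035\0")
    return buf.getvalue()


if __name__ == "__main__":
    for name, fps in fingerprint_apk(build_sample_apk()).items():
        print(name, "MD5 certificate fingerprints:", fps)
    print("signature is the tail of the file:", SAMPLE_RSA.endswith(signatures_from_pkcs7(SAMPLE_RSA)[0]))
```

On a real file, `fingerprint_apk(open("my.apk", "rb").read())` gives the same value as running frederikdebacker's openssl command and then `openssl x509 -in foo.cer -noout -fingerprint -md5` on the result, so it can be matched directly against the asker's MD5 library. Two caveats: an .RSA file may carry a whole chain, so compare the fingerprint of each certificate rather than only the first; and this reads only the v1 (JAR) signature entries, so an APK signed only with the newer APK Signature Scheme v2/v3 has no META-INF/*.RSA and yields an empty result.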