2024年2月18日发(作者:)

(apkPath); Certificate[][] signerCerts = new Certificate[][] { }; Signature[] signerSigs = convertToSignatures(signerCerts); Signature[] pastSignerSigs = null; int[] pastSignerSigsFlags = null; if ( != null) { // populate proof-of-rotation information pastSignerSigs = new Signature[()]; pastSignerSigsFlags = new int[()]; for (int i = 0; i < ; i++) { pastSignerSigs[i] = new Signature((i).getEncoded()); pastSignerSigsFlags[i] = (i); } } return new gDetails( signerSigs, G_BLOCK_V3, pastSignerSigs, pastSignerSigsFlags); } catch (SignatureNotFoundException e) { // not signed with v3, try older if allowed if (minSignatureSchemeVersion >= G_BLOCK_V3) { throw new PackageParserException(INSTALL_PARSE_FAILED_NO_CERTIFICATES, "No APK Signature Scheme v3 signature in package " + apkPath, e); } } catch (Exception e) { // APK Signature Scheme v2 signature found but did not verify throw new PackageParserException(INSTALL_PARSE_FAILED_NO_CERTIFICATES, "Failed to collect certificates from " + apkPath + " using APK Signature Scheme v3", e); } finally { nd(TRACE_TAG_PACKAGE_MANAGER); } // redundant, protective version check if (minSignatureSchemeVersion > G_BLOCK_V2) { // V2 and before are older than the requested minimum signing version throw new PackageParserException(INSTALL_PARSE_FAILED_NO_CERTIFICATES, "No signature found in package of version " + minSignatureSchemeVersion + " or newer for package " + apkPath); } // try v2 egin(TRACE_TAG_PACKAGE_MANAGER, "verifyV2"); try { Certificate[][] signerCerts = (apkPath); Signature[] signerSigs = convertToSignatures(signerCerts); return new gDetails( signerSigs, G_BLOCK_V2); } catch (SignatureNotFoundException e) { // not signed with v2, try older if allowed if (minSignatureSchemeVersion >= G_BLOCK_V2) { throw new PackageParserException(INSTALL_PARSE_FAILED_NO_CERTIFICATES, "No APK Signature Scheme v2 signature in package " + apkPath, e); } } catch (Exception e) { // APK Signature Scheme v2 signature found but did not verify throw new PackageParserException(INSTALL_PARSE_FAILED_NO_CERTIFICATES, "Failed to collect certificates from " + apkPath + " using APK Signature Scheme v2", e); } finally { nd(TRACE_TAG_PACKAGE_MANAGER); } // redundant, protective version check if (minSignatureSchemeVersion > ) { // V1 and is older than the requested minimum signing version

// fully verify all contents, except for and the META-INF/ files. if (verifyFull) { final Iterator i = jarFile[0].iterator(); while (t()) { final ZipEntry entry = (); if (ctory()) continue; final String entryName = e(); if (With("META-INF/")) continue; if ((D_MANIFEST_FILENAME)) continue; (entry); } class VerificationData { public Exception exception; public int exceptionFlag; public boolean wait; public int index; public Object objWaitAll; public boolean shutDown; } VerificationData vData = new VerificationData(); tAll = new Object(); final ThreadPoolExecutor verificationExecutor = new ThreadPoolExecutor( NUMBER_OF_CORES, NUMBER_OF_CORES, 1,/*keep alive time*/ S, new LinkedBlockingQueue()); for (ZipEntry entry : toVerify) { Runnable verifyTask = new Runnable(){ public void run() { try { if (ionFlag != 0 ) { Slog.w(TAG, "VerifyV1 exit with exception " + ionFlag); return; } String tid = ng(tThread().getId()); StrictJarFile tempJarFile; synchronized (strictJarFiles) { tempJarFile = (tid); if (tempJarFile == null) { if ( >= NUMBER_OF_CORES) { = 0; } tempJarFile = jarFile[++]; (tid, tempJarFile); } } final Certificate[][] entryCerts = loadCertificates(tempJarFile, entry); if (y(entryCerts)) { throw new PackageParserException(INSTALL_PARSE_FAILED_NO_CERTIFICATES, "Package " + apkPath + " has no certificates at entry " + e()); } // make sure all entries use the same signing certs final Signature[] entrySigs = convertToSignatures(entryCerts); if (!ctMatch(lastSigs, entrySigs)) { throw new PackageParserException( INSTALL_PARSE_FAILED_INCONSISTENT_CERTIFICATES, "Package " + apkPath + " has mismatched certificates at entry " + e()); } } catch (GeneralSecurityException e) {

// to verifying the APK using the JAR signature scheme. boolean v2SignatureGenerated = false; boolean v3SignatureGenerated = false; StringTokenizer tokenizer = new StringTokenizer(apkSignatureSchemeIdList, ","); while (eTokens()) { String idText = ken().trim(); if (y()) { continue; } int id; try { id = nt(idText); } catch (Exception ignored) { continue; } if (id == _ATTRIBUTE_ANDROID_APK_SIGNED_ID) { // This APK was supposed to be signed with APK Signature Scheme v2 but no // such signature was found. v2SignatureGenerated = true; break; } if (id == _ATTRIBUTE_ANDROID_APK_SIGNED_ID) { // This APK was supposed to be signed with APK Signature Scheme v3 but no // such signature was found. v3SignatureGenerated = true; break; } } if (v2SignatureGenerated) { throw new SecurityException(signatureFile + " indicates " + jarName + " is signed using APK Signature Scheme v2, but no such signature was" + " found. Signature stripped?"); } if (v3SignatureGenerated) { throw new SecurityException(signatureFile + " indicates " + jarName + " is signed using APK Signature Scheme v3, but no such signature was" + " found. Signature stripped?"); } } } // Do we actually have any signatures to look at? if ((URE_VERSION) == null) { return; } boolean createdBySigntool = false; String createdBy = ue("Created-By"); if (createdBy != null) { createdBySigntool = f("signtool") != -1; } // Use .SF to verify the mainAttributes of the manifest // If there is no -Digest-Manifest-Main-Attributes entry in .SF // file, such as those created before java 1.5, then we ignore // such verification. Log.d("StrictJarVerifier","liyang--verifyCertificate:mainAttributesEnd="+mainAttributesEnd+", createdBySigntool="+createdBySigntool); if (mainAttributesEnd > 0 && !createdBySigntool) { String digestAttribute = "-Digest-Manifest-Main-Attributes"; if (!verify(attributes, digestAttribute, manifestBytes, 0, mainAttributesEnd, false, true)) { throw failedVerification(jarName, signatureFile); } } // Use .SF to verify the whole manifest.