First, we need to distinguish between these two basic concepts of encryption and authentication
distinguish:
Encryption is a data encryption, so unauthorized users can not obtain the correct information content even if the encrypted information, data encryption can protect data and prevent eavesdropping attack. With its emphasis on data security. Authentication
is used to determine the authenticity of an identity and identification, the system can give different permissions according to the different capacity. With its emphasis on the authenticity of the user. The focus of both is different.
Public key and private key:
Public and private key is commonly known as asymmetric encryption, symmetric encryption (using the user name and password) way to improve.
In modern cryptography, encryption and decryption use different keys (public key), also non-symmetric key cryptography, two keys for each communication party, public and private key, the two key can be to each other and decryption. Public key is public, no
confidential, while the private key is held by the individuals themselves, and must be kept and for confidentiality.
Public key private key principles:
(1) a public key corresponding to a private key.
(2) key pair, so that we all know the public key, do not tell other, only you know, is a private key.
(3 ) If you use one of the keys to encrypt data, only the corresponding key can decrypt.
If using one of the keys to decrypt the data, the data must be a corresponding encryption key.
Based on public key encryption process:
For example, there are two users, Alice and Bob, Alice wanted to for some expressly sent to Bob through a dual-key encryption technology, Bob has a public key and private key encryption and decryption process is as follows:
1.Bob send his public key to Alice.
2.Alice with Bob's public key to encrypt her message, and then sent to Bob.
3.Bob with his private key to decrypt Alice's message.
Alice uses Bob's public key encryption, Bob's private key to decrypt.
Public key-based authentication process:
Authentication and encryption, the main user to identify the authenticity of the user. If we can identify a user's private key is correct, you can identify the authenticity of the user.
Or two users, Alice and Bob, Alice wants Bob to know that he is the real Alice, rather than fake, so Alice using public key cryptography to send the file signature to Bob, Bob uses Alice's public key to decrypt the file If the decryption is successful, Alice's
private key is correct, and thus Alice's authentication. The entire authentication process is as follows:
1.Alice with her private key to encrypt the file, so the file signature.
2.Alice signature file sent to Bob.
3.Bob with Alice's public key to decrypt the file, in order to verify the signature.
Alice uses private key encryption, Bob, with Alice's public key to decrypt.
Signature
Why we must sign a Apk:
1) The identity of the sender authentication
Developers may use the same Package Name to confuse the replacement of already installed programs, in order to ensure that the signature of the package not be replaced
2) to ensure the integrity of the information transmission
Signature for each file in the package are processed to ensure that the contents of the package will not be replaced
3) to prevent the transaction repudiation occurred, Market for software requirements dense.
Generate Key:
1.产生RSA私钥(private key)
openssl genrsa -3 -out testkey.pem 2048
-3 是算法的参数(public exponent)。
2048 是私钥长度。
testkey.pem 是输出的文件。
2.产生PKCS#10格式的认证请求。所谓认证请求就是发给认证机构认证的一个请求,它主要包括一个公钥和一些相关信息(如组织名称和联系人邮件地址)。
openssl req -new -x509 -key testkey.pem -out testkey.x509.pem -days 10000 /
-subj ‘/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com’
3. 把私钥的格式转换成PKCS #8(Private-Key Information Syntax Standard.)
openssl pkcs8 -in testkey.pem -topk8 -outform DER -out testkey.pk8 -nocrypt
私钥是不能让别人知道的,否则就起不到保密的作用了。私钥通常是要加密保存的,-nocryp,表示不加密 -password stdin 可加密.
Android provides a the script mkkey.sh used to simplify the above steps:
Sign APK:
Android提供了为jar/zip文件签名的程序signapk.jar 。(build/tools/signapk.jar)
它的用法如下:
Usage: signapk publickey.x509[.pem] privatekey.pk8 input.jar output.jar
第一个参数是公钥,即前面第二步产生的testkey.x509.pem。
第二个参数是私钥,即前面第三步产生的testkey.pk8。
第三个参数是要签名的文件。
第四个参数是输出的文件(即签名后的文件)。
如:java -jar signapk.jar testkey.x509.pem testkey.pk8 update.zip update-signed.zip
If the APK is signed properly, Jarsigner prints "jar verified". If you want more details, you can try one of these commands:
jarsigner -verify -verbose -certs my_application.apk
The command above, with the -certs option added, will show you the "CN=" line that describes who created the key.
现在我们来看看签名到底做了些什么: build/tools/signapk.jar
1.先为输入的jar/zip文件中的所有文件生成SHA1数字签名(除了CERT.RSA,CERT.SF和MANIFEST.MF)
并把数字签名信息写入MANIFEST.MF
2.对manifest 用private key 签名并写入CERT.SF
3.把对输出文件的签名和公钥写入CERT.RSA。
Align the final APK package
Once you have signed the APK with your private key, run zipalign on the file. This tool ensures that all uncompressed data starts with a particular byte alignment, relative to the start of the file. Ensuring alignment at 4-byte boundaries provides a performance
optimization when installed on a device. When aligned, the Android system is able to read files with mmap(), even if they contain binary data with alignment restrictions, rather than copying all of the data from the package. The benefit is a reduction in the
amount of RAM consumed by the running application.
$ zipalign -v 4 your_project_name-unaligned.apk your_project_name.apk
The -v flag turns on verbose output (optional). 4 is the byte-alignment (don't use anything other than 4). The first file argument is your signed .apk file (the input) and the second file is the destination .apk file (the output). If you're overriding an existing
APK, add the -f flag.
Caution: Your input APK must be signed with your private key before you optimize the package with zipalign. If you sign it after using zipalign, it will undo the alignment.
You can check your APK Align or not like this
zipalign -c -v 4 MyDemo.apk
Signature Parser
frameworks\base\core\java\android\content\pm\PackageParser.java
private PackageInfo parsePackage(String archiveFilePath, int flags)
PackageParser public boolean collectCertificates(Package pkg, int flags)
private Certificate[] loadCertificates(JarFile jarFile, JarEntry je, byte[] readBuffer)
frameworks\base\core\java\android\content\pm\PackageManager.java
public PackageInfo getPackageArchiveInfo(String archiveFilePath, int flags)
Certifiaction
Sample X.509 certificates
Certs in /libcore/luni/src/main/files/cacerts
We can use /libcore/luni/src/main/files/certimport.sh to generate a cacerts.bks
It in /system/etc/security/cacerts/
The filenames in the cacerts directory are in the format of <hash>.<n>
where "hash" is the subject hash produced by:
openssl x509 -subject_hash -in filename
and the "n" is a unique integer identifier starting at 0 to deal
openssl x509 -in filename -inform PEM -text -fingerprint
> <hash>.<n>
Certificate filename extensions
Common filename extensions for X.509 certificates are:
* .pem - (Privacy Enhanced Mail) Base64 encoded DER certificate, enclosed between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----"
* .cer, .crt, .der - usually in binary DER form, but Base64-encoded certificates are common too (see .pem above)
* .p7b, .p7c - PKCS#7 SignedData structure without data, just certificate(s) or CRL(s)
* .p12 - PKCS#12, may contain certificate(s) (public) and private keys (password protected)
* .pfx - PFX, predecessor of PKCS#12 (usually contains data in PKCS#12 format, e.g., with PFX files generated in IIS)
PKCS#7 is a standard for signing or encrypting (officially called "enveloping") data. Since the certificate is needed to verify signed data, it is possible to include them in the SignedData structure. A .P7C file is a degenerated SignedData structure, without
any data to sign.
PKCS#12 evolved from the personal information exchange (PFX) standard and is used to exchange public and private objects in a single file.
Certificate Store
libcore/luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustedCertificateStore.java
framework/base/keystore/java/android/security/Keystore.java
packages/app/KeyChain/src/com/android/keychain/KeyChainSerivce.java
Reference
http://en.wikipedia.org/wiki/X.509
http://www.openssl.org/docs/apps/x509.html
http://developer.android.com/guide/publishing/app-signing.html