app-info 2.8.4 → 3.0.0.beta1

data/lib/app_info/android/signature.rb

@@ -0,0 +1,114 @@
+# frozen_string_literal: true
+
+module AppInfo
+  module Android
+    # Android Signature
+    #
+    # Support digest and length:
+    #
+    # RSA：1024、2048、4096、8192、16384
+    # EC：NIST P-256、P-384、P-521
+    # DSA：1024、2048、3072
+    module Signature
+      class VersionError < Error; end
+      class SecurityError < Error; end
+      class NotFoundError < NotFoundError; end
+
+      module Version
+        V1    = 1
+        V2    = 2
+        V3    = 3
+        V4    = 4
+      end
+
+      # All registerd verions to verify
+      #
+      # key is the version
+      # value is the class
+      @versions = {}
+
+      class << self
+        # Verify Android Signature
+        #
+        # @example Get unverified v1 certificates, verified v2 certificates,
+        #  and not found v3 certificate
+        #
+        #   signature.versions(parser)
+        #   # => [
+        #   #   {
+        #   #     version: 1,
+        #   #     verified: false,
+        #   #     certificates: [<AppInfo::Certificate>, ...],
+        #   #     verifier: AppInfo::Androig::Signature
+        #   #   },
+        #   #   {
+        #   #     version: 2,
+        #   #     verified: false,
+        #   #     certificates: [<AppInfo::Certificate>, ...],
+        #   #     verifier: AppInfo::Androig::Signature
+        #   #   },
+        #   #   {
+        #   #     version: 3
+        #   #   }
+        #   # ]
+        # @todo version 4 no implantation yet
+        # @param [AppInfo::File] parser
+        # @param [Version, Integer] min_version
+        # @return [Array<Hash>] versions
+        def verify(parser, min_version: Version::V4)
+          min_version = min_version.to_i if min_version.is_a?(String)
+          if min_version && min_version > Version::V4
+            raise VersionError,
+                  "No signature found in #{min_version} scheme or newer for android file"
+          end
+
+          if min_version.zero?
+            raise VersionError,
+                  "Unkonwn version: #{min_version}, avaiables in 1/2/3 and 4 (no implantation yet)"
+          end
+
+          # try full version signatures if min_version is nil
+          versions = min_version.downto(Version::V1).each_with_object([]) do |version, signatures|
+            next unless kclass = fetch(version)
+
+            data = { version: version }
+            begin
+              verifier = kclass.verify(parser)
+              data[:verified] = verifier.verified
+              data[:certificates] = verifier.certificates
+              data[:verifier] = verifier
+            rescue SecurityError, NotFoundError
+              # not this version, try the low version
+            ensure
+              signatures << data
+            end
+          end
+
+          versions.sort_by { |entry| entry[:version] }
+        end
+
+        def registered
+          @versions.keys
+        end
+
+        def register(version, verifier)
+          @versions[version] = verifier
+        end
+
+        def fetch(version)
+          @versions[version]
+        end
+
+        def exist?(version)
+          @versions.key?(version)
+        end
+      end
+
+      UINT32_MAX_VALUE = 2_147_483_647
+      UINT32_SIZE = 4
+      UINT64_SIZE = 8
+    end
+  end
+end
+
+require 'app_info/android/signatures/base'

data/lib/app_info/android/signatures/base.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+require 'app_info/android/signatures/info'
+
+module AppInfo::Android::Signature
+  class Base
+    def self.verify(parser)
+      instance = new(parser)
+      instance.verify
+      instance
+    end
+
+    DESCRIPTION = 'APK Signature Scheme'
+
+    attr_reader :verified
+
+    def initialize(parser)
+      @parser = parser
+      @verified = false
+    end
+
+    # @abstract Subclass and override {#verify} to implement
+    def verify
+      raise NotImplementedError, ".#{__method__} method implantation required in #{self.class}"
+    end
+
+    # @abstract Subclass and override {#certificates} to implement
+    def certificates
+      raise NotImplementedError, ".#{__method__} method implantation required in #{self.class}"
+    end
+
+    def scheme
+      "v#{version}"
+    end
+
+    def description
+      "#{DESCRIPTION} #{scheme}"
+    end
+
+    def logger
+      @parser.logger
+    end
+  end
+end
+
+require 'app_info/android/signatures/v1'
+require 'app_info/android/signatures/v2'
+require 'app_info/android/signatures/v3'
+require 'app_info/android/signatures/v4'

data/lib/app_info/android/signatures/info.rb

@@ -0,0 +1,152 @@
+# frozen_string_literal: true
+
+require 'stringio'
+require 'openssl'
+
+module AppInfo::Android::Signature
+  # APK signature scheme signurate info
+  #
+  # FORMAT:
+  # OFFSET       DATA TYPE  DESCRIPTION
+  # * @+0  bytes uint64:    size in bytes (excluding this field)
+  # * @+8  bytes payload
+  # * @-24 bytes uint64:    size in bytes (same as the one above)
+  # * @-16 bytes uint128:   magic value
+  class Info
+    include AppInfo::Helper::IOBlock
+
+    # Signature block information
+    SIG_SIZE_OF_BLOCK_SIZE = 8
+    SIG_MAGIC_BLOCK_SIZE = 16
+    SIG_BLOCK_MIN_SIZE = 32
+
+    # Magic value: APK Sig Block 42
+    SIG_MAGIC = [
+      0x41, 0x50, 0x4b, 0x20, 0x53, 0x69,
+      0x67, 0x20, 0x42, 0x6c, 0x6f, 0x63,
+      0x6b, 0x20, 0x34, 0x32
+    ].freeze
+
+    attr_reader :total_size, :pairs, :magic, :logger
+
+    def initialize(version, parser, logger)
+      @version = version
+      @parser = parser
+      @logger = logger
+
+      pares_signatures_pairs
+    end
+
+    # Find singers
+    #
+    # FORMAT:
+    # OFFSET       DATA TYPE  DESCRIPTION
+    # * @+0  bytes uint64:    size in bytes
+    # * @+8  bytes payload    block
+    #   * @+0  bytes uint32:    id
+    #   * @+4  bytes payload:   value
+    def signers(block_id)
+      count = 0
+      until @pairs.eof?
+        left_bytes = left_bytes_check(
+          @pairs, UINT64_SIZE, NotFoundError,
+          "Insufficient data to read size of APK Signing Block ##{count}"
+        )
+
+        pair_buf = @pairs.read(UINT64_SIZE)
+        pair_size = pair_buf.unpack1('Q')
+        if pair_size < UINT32_SIZE || pair_size > UINT32_MAX_VALUE
+          raise NotFoundError,
+                "APK Signing Block ##{count} size out of range: #{pair_size} > #{UINT32_MAX_VALUE}"
+        end
+
+        if pair_size > left_bytes
+          raise NotFoundError,
+                "APK Signing Block ##{count} size out of range: #{pair_size} > #{left_bytes}"
+        end
+
+        # fetch next signer block position
+        next_pos = @pairs.pos + pair_size.to_i
+
+        id_block = @pairs.read(UINT32_SIZE)
+        id_bytes = id_block.unpack('C*')
+        if id_bytes == block_id
+          logger.debug "Signature block id v#{@version} scheme (0x#{id_block.unpack1('H*')}) found"
+          value = @pairs.read(pair_size - UINT32_SIZE)
+          return StringIO.new(value)
+        end
+
+        @pairs.seek(next_pos)
+        count += 1
+      end
+
+      block_id_hex = block_id.reverse.pack('C*').unpack1('H*')
+      raise NotFoundError, "Not found block id 0x#{block_id_hex} in APK Signing Block."
+    end
+
+    def zip64?
+      zip_io.zip64_file?(start_buffer)
+    end
+
+    def pares_signatures_pairs
+      block = signature_block
+      block.rewind
+      # get pairs size
+      @total_size = block.size - (SIG_SIZE_OF_BLOCK_SIZE + SIG_MAGIC_BLOCK_SIZE)
+
+      # get pairs block
+      @pairs = StringIO.new(block.read(@total_size))
+
+      # get magic value
+      block.seek(block.pos + SIG_SIZE_OF_BLOCK_SIZE)
+      @magic = block.read(SIG_MAGIC_BLOCK_SIZE)
+    end
+
+    def signature_block
+      @signature_block ||= lambda {
+        logger.debug "cdir_offset: #{cdir_offset}"
+
+        file_io.seek(cdir_offset - (Info::SIG_MAGIC_BLOCK_SIZE + Info::SIG_SIZE_OF_BLOCK_SIZE))
+        footer_block = file_io.read(Info::SIG_SIZE_OF_BLOCK_SIZE)
+        if footer_block.size < Info::SIG_SIZE_OF_BLOCK_SIZE
+          raise NotFoundError, "APK Signing Block size out of range: #{footer_block.size}"
+        end
+
+        footer = footer_block.unpack1('Q')
+        total_size = footer
+        offset = cdir_offset - total_size - Info::SIG_SIZE_OF_BLOCK_SIZE
+        raise NotFoundError, "APK Signing Block offset out of range: #{offset}" if offset.negative?
+
+        file_io.seek(offset)
+        header = file_io.read(Info::SIG_SIZE_OF_BLOCK_SIZE).unpack1('Q')
+
+        if header != footer
+          raise NotFoundError,
+                "APK Signing Block header and footer mismatch: #{header} != #{footer}"
+        end
+
+        io = file_io.read(total_size)
+        StringIO.new(io)
+      }.call
+    end
+
+    def cdir_offset
+      @cdir_offset ||= lambda {
+        eocd_buffer = zip_io.get_e_o_c_d(start_buffer)
+        eocd_buffer[12..16].unpack1('V')
+      }.call
+    end
+
+    def start_buffer
+      @start_buffer ||= zip_io.start_buf(file_io)
+    end
+
+    def zip_io
+      @zip_io ||= @parser.zip
+    end
+
+    def file_io
+      @file_io ||= File.open(@parser.file, 'rb')
+    end
+  end
+end

data/lib/app_info/android/signatures/v1.rb

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+module AppInfo::Android::Signature
+  # Android v1 Signature
+  class V1 < Base
+    DESCRIPTION = 'JAR signing'
+
+    PKCS7_HEADER = [0x30, 0x82].freeze
+
+    attr_reader :certificates, :signatures
+
+    def version
+      Version::V1
+    end
+
+    def description
+      DESCRIPTION
+    end
+
+    def verify
+      @signatures = fetch_signatures
+      @certificates = fetch_certificates
+
+      raise NotFoundError, 'Not found certificates' if @certificates.empty?
+    end
+
+    private
+
+    def fetch_signatures
+      case @parser
+      when AppInfo::APK
+        signatures_from(@parser.apk)
+      when AppInfo::AAB
+        signatures_from(@parser)
+      end
+    end
+
+    def fetch_certificates
+      @signatures.each_with_object([]) do |(_, sign), obj|
+        next if sign.certificates.empty?
+
+        obj << AppInfo::Certificate.new(sign.certificates[0])
+      end
+    end
+
+    def signatures_from(parser)
+      signs = {}
+      parser.each_file do |path, data|
+        # find META-INF/xxx.{RSA|DSA|EC}
+        next unless path =~ %r{^META-INF/} && data.unpack('CC') == PKCS7_HEADER
+
+        signs[path] = OpenSSL::PKCS7.new(data)
+      end
+      signs
+    end
+  end
+
+  register(Version::V1, V1)
+end

data/lib/app_info/android/signatures/v2.rb

@@ -0,0 +1,117 @@
+# frozen_string_literal: true
+
+module AppInfo::Android::Signature
+  # Android v2 Signature
+  #
+  # FULL FORMAT:
+  # OFFSET       DATA TYPE  DESCRIPTION
+  # * @+0  bytes uint32:    signer size in bytes
+  # * @+4  bytes payload    signer block
+  #   * @+0  bytes unit32:    signed data size in bytes
+  #   * @+4  bytes payload    signed data block
+  #     * @+0  bytes unit32:    digests with size in bytes
+  #     * @+0  bytes unit32:    digests with size in bytes
+  #   * @+X  bytes unit32:    signatures with size in bytes
+  #     * @+X+4  bytes payload    signed data block
+  #   * @+Y  bytes unit32:    public key with size in bytes
+  #     * @+Y+4  bytes payload    signed data block
+  class V2 < Base
+    include AppInfo::Helper::IOBlock
+    include AppInfo::Helper::Signatures
+    include AppInfo::Helper::Algorithm
+
+    # V2 Signature ID 0x7109871a
+    BLOCK_ID = [0x1a, 0x87, 0x09, 0x71].freeze
+
+    attr_reader :certificates, :digests
+
+    def version
+      Version::V2
+    end
+
+    # Verify
+    # @todo verified signatures
+    def verify
+      signers_block = singers_block(BLOCK_ID)
+      @certificates, @digests = verified_certs(signers_block, verify: true)
+      # @verified = true
+    end
+
+    private
+
+    def verified_certs(signers_block, verify:)
+      unless (signers = length_prefix_block(signers_block))
+        raise SecurityError, 'Not found signers'
+      end
+
+      certificates = []
+      content_digests = {}
+      loop_length_prefix_io(signers, name: 'Singer', logger: logger) do |signer|
+        signer_certs, signer_digests = extract_signer_data(signer, verify: verify)
+        certificates.concat(signer_certs)
+        content_digests.merge!(signer_digests)
+      end
+      raise SecurityError, 'No signers found' if certificates.empty?
+
+      [certificates, content_digests]
+    end
+
+    def extract_signer_data(signer, verify:)
+      # raw data
+      signed_data = length_prefix_block(signer)
+      signatures = length_prefix_block(signer)
+      public_key = length_prefix_block(signer, raw: true)
+
+      # FIXME: extract code below and re-organizate
+
+      algorithems = signature_algorithms(signatures)
+      raise SecurityError, 'No signatures found' if verify && algorithems.empty?
+
+      # find best algorithem to verify signed data with public key and signature
+      unless best_algorithem = best_algorithem(algorithems)
+        raise SecurityError, 'No supported signatures found'
+      end
+
+      algorithems_digest = best_algorithem[:digest]
+      signature = best_algorithem[:signature]
+
+      pkey = OpenSSL::PKey.read(public_key)
+      digest = OpenSSL::Digest.new(algorithems_digest)
+      verified = pkey.verify(digest, signature, signed_data.string)
+      raise SecurityError, "#{algorithems_digest} signature did not verify" unless verified
+
+      # verify algorithm ID full equal (and sort) between digests and signature
+      digests = length_prefix_block(signed_data)
+      content_digests = signed_data_digests(digests)
+      content_digest = content_digests[algorithems_digest]&.fetch(:content)
+
+      unless content_digest
+        raise SecurityError,
+              'Signature algorithms don\'t match between digests and signatures records'
+      end
+
+      previous_digest = content_digests.fetch(algorithems_digest)
+      content_digests[algorithems_digest] = content_digest
+      if previous_digest && previous_digest[:content] != content_digest
+        raise SecurityError,
+              'Signature algorithms don\'t match between digests and signatures records'
+      end
+
+      certificates = length_prefix_block(signed_data)
+      certs = signed_data_certs(certificates)
+      raise SecurityError, 'No certificates listed' if certs.empty?
+
+      main_cert = certs[0]
+      if main_cert.public_key.to_der != pkey.to_der
+        raise SecurityError, 'Public key mismatch between certificate and signature record'
+      end
+
+      additional_attrs = length_prefix_block(signed_data)
+      verify_additional_attrs(additional_attrs, certs)
+
+      [certs, content_digests]
+    end
+  end
+
+  register(Version::V2, V2)
+end

data/lib/app_info/android/signatures/v3.rb

@@ -0,0 +1,127 @@
+# frozen_string_literal: true
+
+module AppInfo::Android::Signature
+  # Android v3 Signature
+  #
+  # FULL FORMAT:
+  # OFFSET       DATA TYPE  DESCRIPTION
+  # * @+0  bytes uint32:    signer size in bytes
+  # * @+4  bytes payload    signer block
+  #   * @+0    bytes unit32:    signed data size in bytes
+  #   * @+4    bytes payload    signed data block
+  #     * @+0    bytes unit32:    digests with size in bytes
+  #     * @+0    bytes unit32:    digests with size in bytes
+  #   * @+W    bytes unit32:    minSDK
+  #   * @+X+4  bytes unit32:    maxSDK
+  #   * @+Y+4  bytes unit32:    signatures with size in bytes
+  #     * @+Y+4    bytes payload    signed data block
+  #   * @+Z    bytes unit32:    public key with size in bytes
+  #     * @+Z+4    bytes payload    signed data block
+  class V3 < Base
+    include AppInfo::Helper::IOBlock
+    include AppInfo::Helper::Signatures
+    include AppInfo::Helper::Algorithm
+
+    # V3 Signature ID 0xf05368c0
+    V3_BLOCK_ID   = [0xc0, 0x68, 0x53, 0xf0].freeze
+
+    # V3.1 Signature ID 0x1b93ad61
+    V3_1_BLOCK_ID = [0x61, 0xad, 0x93, 0x1b].freeze
+
+    attr_reader :certificates, :digests
+
+    def version
+      Version::V3
+    end
+
+    def verify
+      begin
+        signers_block = singers_block(V3_1_BLOCK_ID)
+      rescue NotFoundError
+        signers_block = singers_block(V3_BLOCK_ID)
+      end
+
+      @certificates, @digests = verified_certs(signers_block)
+    end
+
+    private
+
+    def verified_certs(signers_block)
+      unless (signers = length_prefix_block(signers_block))
+        raise SecurityError, 'Not found signers'
+      end
+
+      certificates = []
+      content_digests = {}
+      loop_length_prefix_io(signers, name: 'Singer', logger: logger) do |signer|
+        signer_certs, signer_digests = extract_signer_data(signer)
+        certificates.concat(signer_certs)
+        content_digests.merge!(signer_digests)
+      end
+      raise SecurityError, 'No signers found' if certificates.empty?
+
+      [certificates, content_digests]
+    end
+
+    def extract_signer_data(signer)
+      # raw data
+      signed_data = length_prefix_block(signer)
+
+      # TODO: verify min_sdk and max_sdk
+      min_sdk = signer.read(UINT32_SIZE)
+      max_sdk = signer.read(UINT32_SIZE)
+
+      signatures = length_prefix_block(signer)
+      public_key = length_prefix_block(signer, raw: true)
+
+      algorithems = signature_algorithms(signatures)
+      raise SecurityError, 'No signatures found' if algorithems.empty?
+
+      # find best algorithem to verify signed data with public key and signature
+      unless best_algorithem = best_algorithem(algorithems)
+        raise SecurityError, 'No supported signatures found'
+      end
+
+      algorithems_digest = best_algorithem[:digest]
+      signature = best_algorithem[:signature]
+
+      pkey = OpenSSL::PKey.read(public_key)
+      digest = OpenSSL::Digest.new(algorithems_digest)
+      verified = pkey.verify(digest, signature, signed_data.string)
+      raise SecurityError, "#{algorithems_digest} signature did not verify" unless verified
+
+      # verify algorithm ID full equal (and sort) between digests and signature
+      digests = length_prefix_block(signed_data)
+      content_digests = signed_data_digests(digests)
+      content_digest = content_digests[algorithems_digest]&.fetch(:content)
+
+      unless content_digest
+        raise SecurityError,
+              'Signature algorithms don\'t match between digests and signatures records'
+      end
+
+      previous_digest = content_digests.fetch(algorithems_digest)
+      content_digests[algorithems_digest] = content_digest
+      if previous_digest && previous_digest[:content] != content_digest
+        raise SecurityError,
+              'Signature algorithms don\'t match between digests and signatures records'
+      end
+
+      certificates = length_prefix_block(signed_data)
+      certs = signed_data_certs(certificates)
+      raise SecurityError, 'No certificates listed' if certs.empty?
+
+      main_cert = certs[0]
+      if main_cert.public_key.to_der != pkey.to_der
+        raise SecurityError, 'Public key mismatch between certificate and signature record'
+      end
+
+      additional_attrs = length_prefix_block(signed_data)
+      verify_additional_attrs(additional_attrs, certs)
+
+      [certs, content_digests]
+    end
+  end
+
+  register(Version::V3, V3)
+end

data/lib/app_info/android/signatures/v4.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module AppInfo::Android::Signature
+  # Android v4 Signature
+  #
+  # TODO: ApkSignatureSchemeV4Verifier.java
+  class V4 < Base
+    def version
+      Version::V4
+    end
+  end
+
+  # register(Version::V4, V4)
+end