app-info 2.8.5 → 3.0.0.beta1

data/lib/app_info/android/signatures/base.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+require 'app_info/android/signatures/info'
+
+module AppInfo::Android::Signature
+  class Base
+    def self.verify(parser)
+      instance = new(parser)
+      instance.verify
+      instance
+    end
+
+    DESCRIPTION = 'APK Signature Scheme'
+
+    attr_reader :verified
+
+    def initialize(parser)
+      @parser = parser
+      @verified = false
+    end
+
+    # @abstract Subclass and override {#verify} to implement
+    def verify
+      raise NotImplementedError, ".#{__method__} method implantation required in #{self.class}"
+    end
+
+    # @abstract Subclass and override {#certificates} to implement
+    def certificates
+      raise NotImplementedError, ".#{__method__} method implantation required in #{self.class}"
+    end
+
+    def scheme
+      "v#{version}"
+    end
+
+    def description
+      "#{DESCRIPTION} #{scheme}"
+    end
+
+    def logger
+      @parser.logger
+    end
+  end
+end
+
+require 'app_info/android/signatures/v1'
+require 'app_info/android/signatures/v2'
+require 'app_info/android/signatures/v3'
+require 'app_info/android/signatures/v4'

data/lib/app_info/android/signatures/info.rb

@@ -0,0 +1,152 @@
+# frozen_string_literal: true
+
+require 'stringio'
+require 'openssl'
+
+module AppInfo::Android::Signature
+  # APK signature scheme signurate info
+  #
+  # FORMAT:
+  # OFFSET       DATA TYPE  DESCRIPTION
+  # * @+0  bytes uint64:    size in bytes (excluding this field)
+  # * @+8  bytes payload
+  # * @-24 bytes uint64:    size in bytes (same as the one above)
+  # * @-16 bytes uint128:   magic value
+  class Info
+    include AppInfo::Helper::IOBlock
+
+    # Signature block information
+    SIG_SIZE_OF_BLOCK_SIZE = 8
+    SIG_MAGIC_BLOCK_SIZE = 16
+    SIG_BLOCK_MIN_SIZE = 32
+
+    # Magic value: APK Sig Block 42
+    SIG_MAGIC = [
+      0x41, 0x50, 0x4b, 0x20, 0x53, 0x69,
+      0x67, 0x20, 0x42, 0x6c, 0x6f, 0x63,
+      0x6b, 0x20, 0x34, 0x32
+    ].freeze
+
+    attr_reader :total_size, :pairs, :magic, :logger
+
+    def initialize(version, parser, logger)
+      @version = version
+      @parser = parser
+      @logger = logger
+
+      pares_signatures_pairs
+    end
+
+    # Find singers
+    #
+    # FORMAT:
+    # OFFSET       DATA TYPE  DESCRIPTION
+    # * @+0  bytes uint64:    size in bytes
+    # * @+8  bytes payload    block
+    #   * @+0  bytes uint32:    id
+    #   * @+4  bytes payload:   value
+    def signers(block_id)
+      count = 0
+      until @pairs.eof?
+        left_bytes = left_bytes_check(
+          @pairs, UINT64_SIZE, NotFoundError,
+          "Insufficient data to read size of APK Signing Block ##{count}"
+        )
+
+        pair_buf = @pairs.read(UINT64_SIZE)
+        pair_size = pair_buf.unpack1('Q')
+        if pair_size < UINT32_SIZE || pair_size > UINT32_MAX_VALUE
+          raise NotFoundError,
+                "APK Signing Block ##{count} size out of range: #{pair_size} > #{UINT32_MAX_VALUE}"
+        end
+
+        if pair_size > left_bytes
+          raise NotFoundError,
+                "APK Signing Block ##{count} size out of range: #{pair_size} > #{left_bytes}"
+        end
+
+        # fetch next signer block position
+        next_pos = @pairs.pos + pair_size.to_i
+
+        id_block = @pairs.read(UINT32_SIZE)
+        id_bytes = id_block.unpack('C*')
+        if id_bytes == block_id
+          logger.debug "Signature block id v#{@version} scheme (0x#{id_block.unpack1('H*')}) found"
+          value = @pairs.read(pair_size - UINT32_SIZE)
+          return StringIO.new(value)
+        end
+
+        @pairs.seek(next_pos)
+        count += 1
+      end
+
+      block_id_hex = block_id.reverse.pack('C*').unpack1('H*')
+      raise NotFoundError, "Not found block id 0x#{block_id_hex} in APK Signing Block."
+    end
+
+    def zip64?
+      zip_io.zip64_file?(start_buffer)
+    end
+
+    def pares_signatures_pairs
+      block = signature_block
+      block.rewind
+      # get pairs size
+      @total_size = block.size - (SIG_SIZE_OF_BLOCK_SIZE + SIG_MAGIC_BLOCK_SIZE)
+
+      # get pairs block
+      @pairs = StringIO.new(block.read(@total_size))
+
+      # get magic value
+      block.seek(block.pos + SIG_SIZE_OF_BLOCK_SIZE)
+      @magic = block.read(SIG_MAGIC_BLOCK_SIZE)
+    end
+
+    def signature_block
+      @signature_block ||= lambda {
+        logger.debug "cdir_offset: #{cdir_offset}"
+
+        file_io.seek(cdir_offset - (Info::SIG_MAGIC_BLOCK_SIZE + Info::SIG_SIZE_OF_BLOCK_SIZE))
+        footer_block = file_io.read(Info::SIG_SIZE_OF_BLOCK_SIZE)
+        if footer_block.size < Info::SIG_SIZE_OF_BLOCK_SIZE
+          raise NotFoundError, "APK Signing Block size out of range: #{footer_block.size}"
+        end
+
+        footer = footer_block.unpack1('Q')
+        total_size = footer
+        offset = cdir_offset - total_size - Info::SIG_SIZE_OF_BLOCK_SIZE
+        raise NotFoundError, "APK Signing Block offset out of range: #{offset}" if offset.negative?
+
+        file_io.seek(offset)
+        header = file_io.read(Info::SIG_SIZE_OF_BLOCK_SIZE).unpack1('Q')
+
+        if header != footer
+          raise NotFoundError,
+                "APK Signing Block header and footer mismatch: #{header} != #{footer}"
+        end
+
+        io = file_io.read(total_size)
+        StringIO.new(io)
+      }.call
+    end
+
+    def cdir_offset
+      @cdir_offset ||= lambda {
+        eocd_buffer = zip_io.get_e_o_c_d(start_buffer)
+        eocd_buffer[12..16].unpack1('V')
+      }.call
+    end
+
+    def start_buffer
+      @start_buffer ||= zip_io.start_buf(file_io)
+    end
+
+    def zip_io
+      @zip_io ||= @parser.zip
+    end
+
+    def file_io
+      @file_io ||= File.open(@parser.file, 'rb')
+    end
+  end
+end

data/lib/app_info/android/signatures/v1.rb

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+module AppInfo::Android::Signature
+  # Android v1 Signature
+  class V1 < Base
+    DESCRIPTION = 'JAR signing'
+
+    PKCS7_HEADER = [0x30, 0x82].freeze
+
+    attr_reader :certificates, :signatures
+
+    def version
+      Version::V1
+    end
+
+    def description
+      DESCRIPTION
+    end
+
+    def verify
+      @signatures = fetch_signatures
+      @certificates = fetch_certificates
+
+      raise NotFoundError, 'Not found certificates' if @certificates.empty?
+    end
+
+    private
+
+    def fetch_signatures
+      case @parser
+      when AppInfo::APK
+        signatures_from(@parser.apk)
+      when AppInfo::AAB
+        signatures_from(@parser)
+      end
+    end
+
+    def fetch_certificates
+      @signatures.each_with_object([]) do |(_, sign), obj|
+        next if sign.certificates.empty?
+
+        obj << AppInfo::Certificate.new(sign.certificates[0])
+      end
+    end
+
+    def signatures_from(parser)
+      signs = {}
+      parser.each_file do |path, data|
+        # find META-INF/xxx.{RSA|DSA|EC}
+        next unless path =~ %r{^META-INF/} && data.unpack('CC') == PKCS7_HEADER
+
+        signs[path] = OpenSSL::PKCS7.new(data)
+      end
+      signs
+    end
+  end
+
+  register(Version::V1, V1)
+end

data/lib/app_info/android/signatures/v2.rb

@@ -0,0 +1,117 @@
+# frozen_string_literal: true
+
+module AppInfo::Android::Signature
+  # Android v2 Signature
+  #
+  # FULL FORMAT:
+  # OFFSET       DATA TYPE  DESCRIPTION
+  # * @+0  bytes uint32:    signer size in bytes
+  # * @+4  bytes payload    signer block
+  #   * @+0  bytes unit32:    signed data size in bytes
+  #   * @+4  bytes payload    signed data block
+  #     * @+0  bytes unit32:    digests with size in bytes
+  #     * @+0  bytes unit32:    digests with size in bytes
+  #   * @+X  bytes unit32:    signatures with size in bytes
+  #     * @+X+4  bytes payload    signed data block
+  #   * @+Y  bytes unit32:    public key with size in bytes
+  #     * @+Y+4  bytes payload    signed data block
+  class V2 < Base
+    include AppInfo::Helper::IOBlock
+    include AppInfo::Helper::Signatures
+    include AppInfo::Helper::Algorithm
+
+    # V2 Signature ID 0x7109871a
+    BLOCK_ID = [0x1a, 0x87, 0x09, 0x71].freeze
+
+    attr_reader :certificates, :digests
+
+    def version
+      Version::V2
+    end
+
+    # Verify
+    # @todo verified signatures
+    def verify
+      signers_block = singers_block(BLOCK_ID)
+      @certificates, @digests = verified_certs(signers_block, verify: true)
+      # @verified = true
+    end
+
+    private
+
+    def verified_certs(signers_block, verify:)
+      unless (signers = length_prefix_block(signers_block))
+        raise SecurityError, 'Not found signers'
+      end
+
+      certificates = []
+      content_digests = {}
+      loop_length_prefix_io(signers, name: 'Singer', logger: logger) do |signer|
+        signer_certs, signer_digests = extract_signer_data(signer, verify: verify)
+        certificates.concat(signer_certs)
+        content_digests.merge!(signer_digests)
+      end
+      raise SecurityError, 'No signers found' if certificates.empty?
+
+      [certificates, content_digests]
+    end
+
+    def extract_signer_data(signer, verify:)
+      # raw data
+      signed_data = length_prefix_block(signer)
+      signatures = length_prefix_block(signer)
+      public_key = length_prefix_block(signer, raw: true)
+
+      # FIXME: extract code below and re-organizate
+
+      algorithems = signature_algorithms(signatures)
+      raise SecurityError, 'No signatures found' if verify && algorithems.empty?
+
+      # find best algorithem to verify signed data with public key and signature
+      unless best_algorithem = best_algorithem(algorithems)
+        raise SecurityError, 'No supported signatures found'
+      end
+
+      algorithems_digest = best_algorithem[:digest]
+      signature = best_algorithem[:signature]
+
+      pkey = OpenSSL::PKey.read(public_key)
+      digest = OpenSSL::Digest.new(algorithems_digest)
+      verified = pkey.verify(digest, signature, signed_data.string)
+      raise SecurityError, "#{algorithems_digest} signature did not verify" unless verified
+
+      # verify algorithm ID full equal (and sort) between digests and signature
+      digests = length_prefix_block(signed_data)
+      content_digests = signed_data_digests(digests)
+      content_digest = content_digests[algorithems_digest]&.fetch(:content)
+
+      unless content_digest
+        raise SecurityError,
+              'Signature algorithms don\'t match between digests and signatures records'
+      end
+
+      previous_digest = content_digests.fetch(algorithems_digest)
+      content_digests[algorithems_digest] = content_digest
+      if previous_digest && previous_digest[:content] != content_digest
+        raise SecurityError,
+              'Signature algorithms don\'t match between digests and signatures records'
+      end
+
+      certificates = length_prefix_block(signed_data)
+      certs = signed_data_certs(certificates)
+      raise SecurityError, 'No certificates listed' if certs.empty?
+
+      main_cert = certs[0]
+      if main_cert.public_key.to_der != pkey.to_der
+        raise SecurityError, 'Public key mismatch between certificate and signature record'
+      end
+
+      additional_attrs = length_prefix_block(signed_data)
+      verify_additional_attrs(additional_attrs, certs)
+
+      [certs, content_digests]
+    end
+  end
+
+  register(Version::V2, V2)
+end

data/lib/app_info/android/signatures/v3.rb

@@ -0,0 +1,127 @@
+# frozen_string_literal: true
+
+module AppInfo::Android::Signature
+  # Android v3 Signature
+  #
+  # FULL FORMAT:
+  # OFFSET       DATA TYPE  DESCRIPTION
+  # * @+0  bytes uint32:    signer size in bytes
+  # * @+4  bytes payload    signer block
+  #   * @+0    bytes unit32:    signed data size in bytes
+  #   * @+4    bytes payload    signed data block
+  #     * @+0    bytes unit32:    digests with size in bytes
+  #     * @+0    bytes unit32:    digests with size in bytes
+  #   * @+W    bytes unit32:    minSDK
+  #   * @+X+4  bytes unit32:    maxSDK
+  #   * @+Y+4  bytes unit32:    signatures with size in bytes
+  #     * @+Y+4    bytes payload    signed data block
+  #   * @+Z    bytes unit32:    public key with size in bytes
+  #     * @+Z+4    bytes payload    signed data block
+  class V3 < Base
+    include AppInfo::Helper::IOBlock
+    include AppInfo::Helper::Signatures
+    include AppInfo::Helper::Algorithm
+
+    # V3 Signature ID 0xf05368c0
+    V3_BLOCK_ID   = [0xc0, 0x68, 0x53, 0xf0].freeze
+
+    # V3.1 Signature ID 0x1b93ad61
+    V3_1_BLOCK_ID = [0x61, 0xad, 0x93, 0x1b].freeze
+
+    attr_reader :certificates, :digests
+
+    def version
+      Version::V3
+    end
+
+    def verify
+      begin
+        signers_block = singers_block(V3_1_BLOCK_ID)
+      rescue NotFoundError
+        signers_block = singers_block(V3_BLOCK_ID)
+      end
+
+      @certificates, @digests = verified_certs(signers_block)
+    end
+
+    private
+
+    def verified_certs(signers_block)
+      unless (signers = length_prefix_block(signers_block))
+        raise SecurityError, 'Not found signers'
+      end
+
+      certificates = []
+      content_digests = {}
+      loop_length_prefix_io(signers, name: 'Singer', logger: logger) do |signer|
+        signer_certs, signer_digests = extract_signer_data(signer)
+        certificates.concat(signer_certs)
+        content_digests.merge!(signer_digests)
+      end
+      raise SecurityError, 'No signers found' if certificates.empty?
+
+      [certificates, content_digests]
+    end
+
+    def extract_signer_data(signer)
+      # raw data
+      signed_data = length_prefix_block(signer)
+
+      # TODO: verify min_sdk and max_sdk
+      min_sdk = signer.read(UINT32_SIZE)
+      max_sdk = signer.read(UINT32_SIZE)
+
+      signatures = length_prefix_block(signer)
+      public_key = length_prefix_block(signer, raw: true)
+
+      algorithems = signature_algorithms(signatures)
+      raise SecurityError, 'No signatures found' if algorithems.empty?
+
+      # find best algorithem to verify signed data with public key and signature
+      unless best_algorithem = best_algorithem(algorithems)
+        raise SecurityError, 'No supported signatures found'
+      end
+
+      algorithems_digest = best_algorithem[:digest]
+      signature = best_algorithem[:signature]
+
+      pkey = OpenSSL::PKey.read(public_key)
+      digest = OpenSSL::Digest.new(algorithems_digest)
+      verified = pkey.verify(digest, signature, signed_data.string)
+      raise SecurityError, "#{algorithems_digest} signature did not verify" unless verified
+
+      # verify algorithm ID full equal (and sort) between digests and signature
+      digests = length_prefix_block(signed_data)
+      content_digests = signed_data_digests(digests)
+      content_digest = content_digests[algorithems_digest]&.fetch(:content)
+
+      unless content_digest
+        raise SecurityError,
+              'Signature algorithms don\'t match between digests and signatures records'
+      end
+
+      previous_digest = content_digests.fetch(algorithems_digest)
+      content_digests[algorithems_digest] = content_digest
+      if previous_digest && previous_digest[:content] != content_digest
+        raise SecurityError,
+              'Signature algorithms don\'t match between digests and signatures records'
+      end
+
+      certificates = length_prefix_block(signed_data)
+      certs = signed_data_certs(certificates)
+      raise SecurityError, 'No certificates listed' if certs.empty?
+
+      main_cert = certs[0]
+      if main_cert.public_key.to_der != pkey.to_der
+        raise SecurityError, 'Public key mismatch between certificate and signature record'
+      end
+
+      additional_attrs = length_prefix_block(signed_data)
+      verify_additional_attrs(additional_attrs, certs)
+
+      [certs, content_digests]
+    end
+  end
+
+  register(Version::V3, V3)
+end

data/lib/app_info/android/signatures/v4.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module AppInfo::Android::Signature
+  # Android v4 Signature
+  #
+  # TODO: ApkSignatureSchemeV4Verifier.java
+  class V4 < Base
+    def version
+      Version::V4
+    end
+  end
+
+  # register(Version::V4, V4)
+end

data/lib/app_info/apk.rb

@@ -5,8 +5,8 @@ require 'image_size'
 require 'forwardable'
 
 module AppInfo
-  # Parse APK file
-  class APK
+  # Parse APK file parser, wrapper for {https://github.com/icyleaf/android_parser android_parser}.
+  class APK < File
     include Helper::HumanFileSize
     extend Forwardable
 
@@ -21,18 +21,26 @@ module AppInfo
       AUTOMOTIVE  = 'Automotive'
     end
 
-    def initialize(file)
-      @file = file
-    end
-
+    # return file size
+    # @example Read file size in integer
+    #   aab.size                    # => 3618865
+    #
+    # @example Read file size in human readabale
+    #   aab.size(human_size: true)  # => '3.45 MB'
+    #
+    # @param [Boolean] human_size Convert integer value to human readable.
+    # @return [Integer, String]
     def size(human_size: false)
       file_to_human_size(@file, human_size: human_size)
     end
 
-    def os
+    def file_type
+      Format::APK
+    end
+
+    def platform
       Platform::ANDROID
     end
-    alias file_type os
 
     def_delegators :apk, :manifest, :resource, :dex
 
@@ -86,28 +94,25 @@ module AppInfo
     end
     alias min_os_version min_sdk_version
 
-    def sign_version
-      return 'v1' unless signs.empty?
-
-      # when ?
-      # https://source.android.com/security/apksigning/v2?hl=zh-cn
-      #   'v2'
-      # when ?
-      # https://source.android.com/security/apksigning/v3?hl=zh-cn
-      #   'v3'
-      'unknown'
+    # Return multi version certifiates of signatures
+    # @return [Array<Hash>]
+    # @see AppInfo::Android::Signature.verify
+    def signatures
+      @signatures ||= Android::Signature.verify(self)
     end
 
+    # Legacy v1 scheme signatures, it will remove soon.
+    # @deprecated Use {#signatures}
+    # @return [Array<OpenSSL::PKCS7, nil>]
     def signs
-      apk.signs.each_with_object([]) do |(path, sign), obj|
-        obj << Sign.new(path, sign)
-      end
+      @signs ||= v1sign&.signatures || []
     end
 
+    # Legacy v1 scheme certificates, it will remove soon.
+    # @deprecated Use {#signatures}
+    # @return [Array<OpenSSL::PKCS7, nil>]
     def certificates
-      apk.certificates.each_with_object([]) do |(path, certificate), obj|
-        obj << Certificate.new(path, certificate)
-      end
+      @certificates ||= v1sign&.certificates || []
     end
 
     def activities
@@ -118,13 +123,17 @@ module AppInfo
       @apk ||= ::Android::Apk.new(@file)
     end
 
+    def zip
+      @zip ||= apk.instance_variable_get(:@zip)
+    end
+
     def icons
       @icons ||= apk.icon.each_with_object([]) do |(path, data), obj|
-        icon_name = File.basename(path)
-        icon_path = File.join(contents, File.dirname(path))
-        icon_file = File.join(icon_path, icon_name)
+        icon_name = ::File.basename(path)
+        icon_path = ::File.join(contents, ::File.dirname(path))
+        icon_file = ::File.join(icon_path, icon_name)
         FileUtils.mkdir_p icon_path
-        File.write(icon_file, data, encoding: Encoding::BINARY)
+        ::File.write(icon_file, data, encoding: Encoding::BINARY)
 
         obj << {
           name: icon_name,
@@ -147,27 +156,15 @@ module AppInfo
     end
 
     def contents
-      @contents ||= File.join(Dir.mktmpdir, "AppInfo-android-#{SecureRandom.hex}")
+      @contents ||= ::File.join(Dir.mktmpdir, "AppInfo-android-#{SecureRandom.hex}")
     end
 
-    # Android Certificate
-    class Certificate
-      attr_reader :path, :certificate
+    private
 
-      def initialize(path, certificate)
-        @path = path
-        @certificate = certificate
-      end
-    end
-
-    # Android Sign
-    class Sign
-      attr_reader :path, :sign
-
-      def initialize(path, sign)
-        @path = path
-        @sign = sign
-      end
+    def v1sign
+      @v1sign ||= Android::Signature::V1.verify(self)
+    rescue Android::Signature::NotFoundError
+      nil
     end
   end
 end