app-info 2.8.5 → 3.0.0.beta2

data/lib/app_info/android/signature.rb

@@ -0,0 +1,114 @@
+# frozen_string_literal: true
+
+module AppInfo
+  class Android < File
+    # Android Signature
+    #
+    # Support digest and length:
+    #
+    # RSA：1024、2048、4096、8192、16384
+    # EC：NIST P-256、P-384、P-521
+    # DSA：1024、2048、3072
+    module Signature
+      class VersionError < Error; end
+      class SecurityError < Error; end
+      class NotFoundError < NotFoundError; end
+
+      module Version
+        V1 = 1
+        V2 = 2
+        V3 = 3
+        V4 = 4
+      end
+
+      # All registerd verions to verify
+      #
+      # key is the version
+      # value is the class
+      @versions = {}
+
+      class << self
+        # Verify Android Signature
+        #
+        # @example Get unverified v1 certificates, verified v2 certificates,
+        #  and not found v3 certificate
+        #
+        #   signature.versions(parser)
+        #   # => [
+        #   #   {
+        #   #     version: 1,
+        #   #     verified: false,
+        #   #     certificates: [<AppInfo::Certificate>, ...],
+        #   #     verifier: AppInfo::Androig::Signature
+        #   #   },
+        #   #   {
+        #   #     version: 2,
+        #   #     verified: false,
+        #   #     certificates: [<AppInfo::Certificate>, ...],
+        #   #     verifier: AppInfo::Androig::Signature
+        #   #   },
+        #   #   {
+        #   #     version: 3
+        #   #   }
+        #   # ]
+        # @todo version 4 no implantation yet
+        # @param [AppInfo::File] parser
+        # @param [Version, Integer] min_version
+        # @return [Array<Hash>] versions
+        def verify(parser, min_version: Version::V4)
+          min_version = min_version.to_i if min_version.is_a?(String)
+          if min_version && min_version > Version::V4
+            raise VersionError,
+                  "No signature found in #{min_version} scheme or newer for android file"
+          end
+
+          if min_version.zero?
+            raise VersionError,
+                  "Unkonwn version: #{min_version}, avaiables in 1/2/3 and 4 (no implantation yet)"
+          end
+
+          # try full version signatures if min_version is nil
+          versions = min_version.downto(Version::V1).each_with_object([]) do |version, signatures|
+            next unless kclass = fetch(version)
+
+            data = { version: version }
+            begin
+              verifier = kclass.verify(parser)
+              data[:verified] = verifier.verified
+              data[:certificates] = verifier.certificates
+              data[:verifier] = verifier
+            rescue SecurityError, NotFoundError
+              # not this version, try the low version
+            ensure
+              signatures << data
+            end
+          end
+
+          versions.sort_by { |entry| entry[:version] }
+        end
+
+        def registered
+          @versions.keys
+        end
+
+        def register(version, verifier)
+          @versions[version] = verifier
+        end
+
+        def fetch(version)
+          @versions[version]
+        end
+
+        def exist?(version)
+          @versions.key?(version)
+        end
+      end
+
+      UINT32_MAX_VALUE = 2_147_483_647
+      UINT32_SIZE = 4
+      UINT64_SIZE = 8
+    end
+  end
+end
+
+require 'app_info/android/signatures/base'

data/lib/app_info/android/signatures/base.rb

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+require 'app_info/android/signatures/info'
+
+module AppInfo
+  class Android < File
+    module Signature
+      class Base
+        def self.verify(parser)
+          instance = new(parser)
+          instance.verify
+          instance
+        end
+
+        DESCRIPTION = 'APK Signature Scheme'
+
+        attr_reader :verified
+
+        def initialize(parser)
+          @parser = parser
+          @verified = false
+        end
+
+        # @abstract Subclass and override {#verify} to implement
+        def verify
+          raise NotImplementedError, ".#{__method__} method implantation required in #{self.class}"
+        end
+
+        # @abstract Subclass and override {#certificates} to implement
+        def certificates
+          raise NotImplementedError, ".#{__method__} method implantation required in #{self.class}"
+        end
+
+        def scheme
+          "v#{version}"
+        end
+
+        def description
+          "#{DESCRIPTION} #{scheme}"
+        end
+
+        def logger
+          @parser.logger
+        end
+      end
+    end
+  end
+end
+
+require 'app_info/android/signatures/v1'
+require 'app_info/android/signatures/v2'
+require 'app_info/android/signatures/v3'
+require 'app_info/android/signatures/v4'

data/lib/app_info/android/signatures/info.rb

@@ -0,0 +1,158 @@
+# frozen_string_literal: true
+
+require 'stringio'
+require 'openssl'
+
+module AppInfo
+  class Android < File
+    module Signature
+      # APK signature scheme signurate info
+      #
+      # FORMAT:
+      # OFFSET       DATA TYPE  DESCRIPTION
+      # * @+0  bytes uint64:    size in bytes (excluding this field)
+      # * @+8  bytes payload
+      # * @-24 bytes uint64:    size in bytes (same as the one above)
+      # * @-16 bytes uint128:   magic value
+      class Info
+        include AppInfo::Helper::IOBlock
+
+        # Signature block information
+        SIG_SIZE_OF_BLOCK_SIZE = 8
+        SIG_MAGIC_BLOCK_SIZE = 16
+        SIG_BLOCK_MIN_SIZE = 32
+
+        # Magic value: APK Sig Block 42
+        SIG_MAGIC = [
+          0x41, 0x50, 0x4b, 0x20, 0x53, 0x69,
+          0x67, 0x20, 0x42, 0x6c, 0x6f, 0x63,
+          0x6b, 0x20, 0x34, 0x32
+        ].freeze
+
+        attr_reader :total_size, :pairs, :magic, :logger
+
+        def initialize(version, parser, logger)
+          @version = version
+          @parser = parser
+          @logger = logger
+
+          pares_signatures_pairs
+        end
+
+        # Find singers
+        #
+        # FORMAT:
+        # OFFSET       DATA TYPE  DESCRIPTION
+        # * @+0  bytes uint64:    size in bytes
+        # * @+8  bytes payload    block
+        #   * @+0  bytes uint32:    id
+        #   * @+4  bytes payload:   value
+        def signers(block_id)
+          count = 0
+          until @pairs.eof?
+            left_bytes = left_bytes_check(
+              @pairs, UINT64_SIZE, NotFoundError,
+              "Insufficient data to read size of APK Signing Block ##{count}"
+            )
+
+            pair_buf = @pairs.read(UINT64_SIZE)
+            pair_size = pair_buf.unpack1('Q')
+            if pair_size < UINT32_SIZE || pair_size > UINT32_MAX_VALUE
+              raise NotFoundError,
+                    "APK Signing Block ##{count} size out of range: #{pair_size} > #{UINT32_MAX_VALUE}"
+            end
+
+            if pair_size > left_bytes
+              raise NotFoundError,
+                    "APK Signing Block ##{count} size out of range: #{pair_size} > #{left_bytes}"
+            end
+
+            # fetch next signer block position
+            next_pos = @pairs.pos + pair_size.to_i
+
+            id_block = @pairs.read(UINT32_SIZE)
+            id_bytes = id_block.unpack('C*')
+            if id_bytes == block_id
+              logger.debug "Signature block id v#{@version} scheme (0x#{id_block.unpack1('H*')}) found"
+              value = @pairs.read(pair_size - UINT32_SIZE)
+              return StringIO.new(value)
+            end
+
+            @pairs.seek(next_pos)
+            count += 1
+          end
+
+          block_id_hex = block_id.reverse.pack('C*').unpack1('H*')
+          raise NotFoundError, "Not found block id 0x#{block_id_hex} in APK Signing Block."
+        end
+
+        def zip64?
+          zip_io.zip64_file?(start_buffer)
+        end
+
+        def pares_signatures_pairs
+          block = signature_block
+          block.rewind
+          # get pairs size
+          @total_size = block.size - (SIG_SIZE_OF_BLOCK_SIZE + SIG_MAGIC_BLOCK_SIZE)
+
+          # get pairs block
+          @pairs = StringIO.new(block.read(@total_size))
+
+          # get magic value
+          block.seek(block.pos + SIG_SIZE_OF_BLOCK_SIZE)
+          @magic = block.read(SIG_MAGIC_BLOCK_SIZE)
+        end
+
+        def signature_block
+          @signature_block ||= lambda {
+            logger.debug "cdir_offset: #{cdir_offset}"
+
+            file_io.seek(cdir_offset - (Info::SIG_MAGIC_BLOCK_SIZE + Info::SIG_SIZE_OF_BLOCK_SIZE))
+            footer_block = file_io.read(Info::SIG_SIZE_OF_BLOCK_SIZE)
+            if footer_block.size < Info::SIG_SIZE_OF_BLOCK_SIZE
+              raise NotFoundError, "APK Signing Block size out of range: #{footer_block.size}"
+            end
+
+            footer = footer_block.unpack1('Q')
+            total_size = footer
+            offset = cdir_offset - total_size - Info::SIG_SIZE_OF_BLOCK_SIZE
+            if offset.negative?
+              raise NotFoundError, "APK Signing Block offset out of range: #{offset}"
+            end
+
+            file_io.seek(offset)
+            header = file_io.read(Info::SIG_SIZE_OF_BLOCK_SIZE).unpack1('Q')
+
+            if header != footer
+              raise NotFoundError,
+                    "APK Signing Block header and footer mismatch: #{header} != #{footer}"
+            end
+
+            io = file_io.read(total_size)
+            StringIO.new(io)
+          }.call
+        end
+
+        def cdir_offset
+          @cdir_offset ||= lambda {
+            eocd_buffer = zip_io.get_e_o_c_d(start_buffer)
+            eocd_buffer[12..16].unpack1('V')
+          }.call
+        end
+
+        def start_buffer
+          @start_buffer ||= zip_io.start_buf(file_io)
+        end
+
+        def zip_io
+          @zip_io ||= @parser.zip
+        end
+
+        def file_io
+          @file_io ||= ::File.open(@parser.file, 'rb')
+        end
+      end
+    end
+  end
+end

data/lib/app_info/android/signatures/v1.rb

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+module AppInfo
+  class Android < File
+    module Signature
+      # Android v1 Signature
+      class V1 < Base
+        DESCRIPTION = 'JAR signing'
+
+        PKCS7_HEADER = [0x30, 0x82].freeze
+
+        attr_reader :certificates, :signatures
+
+        def version
+          Version::V1
+        end
+
+        def description
+          DESCRIPTION
+        end
+
+        def verify
+          @signatures = fetch_signatures
+          @certificates = fetch_certificates
+
+          raise NotFoundError, 'Not found certificates' if @certificates.empty?
+        end
+
+        private
+
+        def fetch_signatures
+          case @parser
+          when AppInfo::APK
+            signatures_from(@parser.apk)
+          when AppInfo::AAB
+            signatures_from(@parser)
+          end
+        end
+
+        def fetch_certificates
+          @signatures.each_with_object([]) do |(_, sign), obj|
+            next if sign.certificates.empty?
+
+            obj << AppInfo::Certificate.new(sign.certificates[0])
+          end
+        end
+
+        def signatures_from(parser)
+          signs = {}
+          parser.each_file do |path, data|
+            # find META-INF/xxx.{RSA|DSA|EC}
+            next unless path =~ %r{^META-INF/} && data.unpack('CC') == PKCS7_HEADER
+
+            signs[path] = OpenSSL::PKCS7.new(data)
+          end
+          signs
+        end
+      end
+
+      register(Version::V1, V1)
+    end
+  end
+end

data/lib/app_info/android/signatures/v2.rb

@@ -0,0 +1,121 @@
+# frozen_string_literal: true
+
+module AppInfo
+  class Android < File
+    module Signature
+      # Android v2 Signature
+      #
+      # FULL FORMAT:
+      # OFFSET       DATA TYPE  DESCRIPTION
+      # * @+0  bytes uint32:    signer size in bytes
+      # * @+4  bytes payload    signer block
+      #   * @+0  bytes unit32:    signed data size in bytes
+      #   * @+4  bytes payload    signed data block
+      #     * @+0  bytes unit32:    digests with size in bytes
+      #     * @+0  bytes unit32:    digests with size in bytes
+      #   * @+X  bytes unit32:    signatures with size in bytes
+      #     * @+X+4  bytes payload    signed data block
+      #   * @+Y  bytes unit32:    public key with size in bytes
+      #     * @+Y+4  bytes payload    signed data block
+      class V2 < Base
+        include AppInfo::Helper::IOBlock
+        include AppInfo::Helper::Signatures
+        include AppInfo::Helper::Algorithm
+
+        # V2 Signature ID 0x7109871a
+        BLOCK_ID = [0x1a, 0x87, 0x09, 0x71].freeze
+
+        attr_reader :certificates, :digests
+
+        def version
+          Version::V2
+        end
+
+        # Verify
+        # @todo verified signatures
+        def verify
+          signers_block = singers_block(BLOCK_ID)
+          @certificates, @digests = verified_certs(signers_block, verify: true)
+          # @verified = true
+        end
+
+        private
+
+        def verified_certs(signers_block, verify:)
+          unless (signers = length_prefix_block(signers_block))
+            raise SecurityError, 'Not found signers'
+          end
+
+          certificates = []
+          content_digests = {}
+          loop_length_prefix_io(signers, name: 'Singer', logger: logger) do |signer|
+            signer_certs, signer_digests = extract_signer_data(signer, verify: verify)
+            certificates.concat(signer_certs)
+            content_digests.merge!(signer_digests)
+          end
+          raise SecurityError, 'No signers found' if certificates.empty?
+
+          [certificates, content_digests]
+        end
+
+        def extract_signer_data(signer, verify:)
+          # raw data
+          signed_data = length_prefix_block(signer)
+          signatures = length_prefix_block(signer)
+          public_key = length_prefix_block(signer, raw: true)
+
+          # FIXME: extract code below and re-organize
+
+          algorithems = signature_algorithms(signatures)
+          raise SecurityError, 'No signatures found' if verify && algorithems.empty?
+
+          # find best algorithem to verify signed data with public key and signature
+          unless best_algorithem = best_algorithem(algorithems)
+            raise SecurityError, 'No supported signatures found'
+          end
+
+          algorithems_digest = best_algorithem[:digest]
+          signature = best_algorithem[:signature]
+
+          pkey = OpenSSL::PKey.read(public_key)
+          digest = OpenSSL::Digest.new(algorithems_digest)
+          verified = pkey.verify(digest, signature, signed_data.string)
+          raise SecurityError, "#{algorithems_digest} signature did not verify" unless verified
+
+          # verify algorithm ID full equal (and sort) between digests and signature
+          digests = length_prefix_block(signed_data)
+          content_digests = signed_data_digests(digests)
+          content_digest = content_digests[algorithems_digest]&.fetch(:content)
+
+          unless content_digest
+            raise SecurityError,
+                  'Signature algorithms don\'t match between digests and signatures records'
+          end
+
+          previous_digest = content_digests.fetch(algorithems_digest)
+          content_digests[algorithems_digest] = content_digest
+          if previous_digest && previous_digest[:content] != content_digest
+            raise SecurityError,
+                  'Signature algorithms don\'t match between digests and signatures records'
+          end
+
+          certificates = length_prefix_block(signed_data)
+          certs = signed_data_certs(certificates)
+          raise SecurityError, 'No certificates listed' if certs.empty?
+
+          main_cert = certs[0]
+          if main_cert.public_key.to_der != pkey.to_der
+            raise SecurityError, 'Public key mismatch between certificate and signature record'
+          end
+
+          additional_attrs = length_prefix_block(signed_data)
+          verify_additional_attrs(additional_attrs, certs)
+
+          [certs, content_digests]
+        end
+      end
+
+      register(Version::V2, V2)
+    end
+  end
+end

data/lib/app_info/android/signatures/v3.rb

@@ -0,0 +1,131 @@
+# frozen_string_literal: true
+
+module AppInfo
+  class Android < File
+    module Signature
+      # Android v3 Signature
+      #
+      # FULL FORMAT:
+      # OFFSET       DATA TYPE  DESCRIPTION
+      # * @+0  bytes uint32:    signer size in bytes
+      # * @+4  bytes payload    signer block
+      #   * @+0    bytes unit32:    signed data size in bytes
+      #   * @+4    bytes payload    signed data block
+      #     * @+0    bytes unit32:    digests with size in bytes
+      #     * @+0    bytes unit32:    digests with size in bytes
+      #   * @+W    bytes unit32:    minSDK
+      #   * @+X+4  bytes unit32:    maxSDK
+      #   * @+Y+4  bytes unit32:    signatures with size in bytes
+      #     * @+Y+4    bytes payload    signed data block
+      #   * @+Z    bytes unit32:    public key with size in bytes
+      #     * @+Z+4    bytes payload    signed data block
+      class V3 < Base
+        include AppInfo::Helper::IOBlock
+        include AppInfo::Helper::Signatures
+        include AppInfo::Helper::Algorithm
+
+        # V3 Signature ID 0xf05368c0
+        V3_BLOCK_ID   = [0xc0, 0x68, 0x53, 0xf0].freeze
+
+        # V3.1 Signature ID 0x1b93ad61
+        V3_1_BLOCK_ID = [0x61, 0xad, 0x93, 0x1b].freeze
+
+        attr_reader :certificates, :digests
+
+        def version
+          Version::V3
+        end
+
+        def verify
+          begin
+            signers_block = singers_block(V3_1_BLOCK_ID)
+          rescue NotFoundError
+            signers_block = singers_block(V3_BLOCK_ID)
+          end
+
+          @certificates, @digests = verified_certs(signers_block)
+        end
+
+        private
+
+        def verified_certs(signers_block)
+          unless (signers = length_prefix_block(signers_block))
+            raise SecurityError, 'Not found signers'
+          end
+
+          certificates = []
+          content_digests = {}
+          loop_length_prefix_io(signers, name: 'Singer', logger: logger) do |signer|
+            signer_certs, signer_digests = extract_signer_data(signer)
+            certificates.concat(signer_certs)
+            content_digests.merge!(signer_digests)
+          end
+          raise SecurityError, 'No signers found' if certificates.empty?
+
+          [certificates, content_digests]
+        end
+
+        def extract_signer_data(signer)
+          # raw data
+          signed_data = length_prefix_block(signer)
+
+          # TODO: verify min_sdk and max_sdk
+          min_sdk = signer.read(UINT32_SIZE)
+          max_sdk = signer.read(UINT32_SIZE)
+
+          signatures = length_prefix_block(signer)
+          public_key = length_prefix_block(signer, raw: true)
+
+          algorithems = signature_algorithms(signatures)
+          raise SecurityError, 'No signatures found' if algorithems.empty?
+
+          # find best algorithem to verify signed data with public key and signature
+          unless best_algorithem = best_algorithem(algorithems)
+            raise SecurityError, 'No supported signatures found'
+          end
+
+          algorithems_digest = best_algorithem[:digest]
+          signature = best_algorithem[:signature]
+
+          pkey = OpenSSL::PKey.read(public_key)
+          digest = OpenSSL::Digest.new(algorithems_digest)
+          verified = pkey.verify(digest, signature, signed_data.string)
+          raise SecurityError, "#{algorithems_digest} signature did not verify" unless verified
+
+          # verify algorithm ID full equal (and sort) between digests and signature
+          digests = length_prefix_block(signed_data)
+          content_digests = signed_data_digests(digests)
+          content_digest = content_digests[algorithems_digest]&.fetch(:content)
+
+          unless content_digest
+            raise SecurityError,
+                  'Signature algorithms don\'t match between digests and signatures records'
+          end
+
+          previous_digest = content_digests.fetch(algorithems_digest)
+          content_digests[algorithems_digest] = content_digest
+          if previous_digest && previous_digest[:content] != content_digest
+            raise SecurityError,
+                  'Signature algorithms don\'t match between digests and signatures records'
+          end
+
+          certificates = length_prefix_block(signed_data)
+          certs = signed_data_certs(certificates)
+          raise SecurityError, 'No certificates listed' if certs.empty?
+
+          main_cert = certs[0]
+          if main_cert.public_key.to_der != pkey.to_der
+            raise SecurityError, 'Public key mismatch between certificate and signature record'
+          end
+
+          additional_attrs = length_prefix_block(signed_data)
+          verify_additional_attrs(additional_attrs, certs)
+
+          [certs, content_digests]
+        end
+      end
+
+      register(Version::V3, V3)
+    end
+  end
+end

data/lib/app_info/android/signatures/v4.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+module AppInfo
+  class Android < File
+    module Signature
+      # Android v4 Signature
+      #
+      # TODO: ApkSignatureSchemeV4Verifier.java
+      class V4 < Base
+        def version
+          Version::V4
+        end
+      end
+
+      # register(Version::V4, V4)
+    end
+  end
+end