TheArchive/Magisk
1
0
Fork 0
mirror of https://github.com/topjohnwu/Magisk.git synced 2024-11-24 02:25:28 +00:00
Code Issues Packages Projects Releases Wiki Activity

Verify app signature

Browse Source
This commit is contained in:
vvb2060 2022-04-08 18:03:58 +08:00 committed by John Wu
parent 4cff0384f7
commit 05d6d2b51b
11 changed files with 205 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
app/src/main/java/com/topjohnwu/magisk/core/Config.kt
View File

@ -41,6 +41,7 @@ object Config : PreferenceModel, DBConfig {
const val DENYLIST = "denylist"
const val SU_MANAGER = "requester"
const val KEYSTORE = "keystore"
const val CERTDIGEST = "cert_digest"
// prefs
const val SU_REQUEST_TIMEOUT = "su_request_timeout"
@ -152,6 +153,7 @@ object Config : PreferenceModel, DBConfig {
var denyList by DBBoolSettingsNoWrite(Key.DENYLIST, false)
var suManager by dbStrings(Key.SU_MANAGER, "", true)
var keyStoreRaw by dbStrings(Key.KEYSTORE, "", true)
var certDigest by dbStrings(Key.CERTDIGEST, "", true)
private const val SU_FINGERPRINT = "su_fingerprint"

1
app/src/main/java/com/topjohnwu/magisk/core/tasks/HideAPK.kt
View File

@ -121,6 +121,7 @@ object HideAPK {
val repack = File(activity.cacheDir, "patched.apk")
val pkg = genPackageName()
Config.keyStoreRaw = ""
Config.certDigest = ""
if (!patch(activity, stub, FileOutputStream(repack), pkg, label))
return false

4
app/src/main/java/com/topjohnwu/magisk/core/utils/Keygen.kt
View File

@ -12,6 +12,7 @@ import java.io.ByteArrayOutputStream
import java.math.BigInteger
import java.security.KeyPairGenerator
import java.security.KeyStore
import java.security.MessageDigest
import java.security.PrivateKey
import java.security.cert.X509Certificate
import java.util.*
@ -73,6 +74,9 @@ class Keygen : CertKeyProvider {
}
Config.keyStoreRaw = bytes.toString("UTF-8")
val digest = MessageDigest.getInstance("SHA-256").digest(cert.encoded)
Config.certDigest = digest.joinToString("") { "%02x".format(it) }
return ks
}
}

3
native/jni/Android.mk
View File

@ -13,7 +13,8 @@ LOCAL_STATIC_LIBRARIES := \
libnanopb \
libsystemproperties \
libphmap \
libxhook
libxhook \
libmincrypt
LOCAL_SRC_FILES := \
core/applets.cpp \

2
native/jni/core/bootstages.cpp
View File

@ -20,6 +20,7 @@ using namespace std;
static bool safe_mode = false;
static int stub_fd = -1;
bool zygisk_enabled = false;
string APKCERT;
/*********
* Setup *
@ -124,6 +125,7 @@ static bool magisk_env() {
LOGI("* Initializing Magisk environment\n");
string stub_path = MAGISKTMP + "/stub.apk";
APKCERT = read_certificate(stub_path);
stub_fd = xopen(stub_path.data(), O_RDONLY | O_CLOEXEC);
unlink(stub_path.data());

55
native/jni/core/db.cpp
View File

@ -6,6 +6,7 @@
#include <db.hpp>
#include <socket.hpp>
#include <utils.hpp>
#include <mincrypt/sha256.h>
#define DB_VERSION 12
@ -359,43 +360,89 @@ int get_db_strings(db_strings &str, int key) {
return 0;
}
static bool is_stub_trusted(const char *pkg, const char *trust_hash) {
// TODO: Remove when next stable released
if (trust_hash[0] == 0) {
LOGW("su: skip check stub.apk signature\n");
return true;
}
string cert = read_certificate(find_apk_path(pkg));
if (cert.empty())
return false;
uint8_t hash[SHA256_DIGEST_SIZE];
SHA256_hash(cert.data(), cert.length(), hash);
char hash_hex[SHA256_DIGEST_SIZE * 2 + 1];
char *ptr = &hash_hex[0];
for (uint8_t i: hash) {
ptr += sprintf(ptr, "%02x", i);
}
return strcmp(trust_hash, hash_hex) == 0;
}
bool get_manager(int user_id, std::string *pkg, struct stat *st) {
db_strings str;
get_db_strings(str, SU_MANAGER);
get_db_strings(str, CERT_DIGEST);
char app_path[128];
if (APKCERT.empty())
LOGW("su: skip check app signature\n");
if (!str[SU_MANAGER].empty()) {
// App is repackaged
sprintf(app_path, "%s/%d/%s", APP_DATA_DIR, user_id, str[SU_MANAGER].data());
if (stat(app_path, st) == 0) {
if (is_stub_trusted(str[SU_MANAGER].data(), str[CERT_DIGEST].data())) {
strcpy(app_path, "/dyn/current.apk");
if (!APKCERT.empty() && access(app_path, F_OK) == 0) {
if (read_certificate(app_path) == APKCERT) {
if (pkg)
pkg->swap(str[SU_MANAGER]);
return true;
} else {
LOGW("su: current.apk signature mismatch\n");
}
} else {
if (pkg)
pkg->swap(str[SU_MANAGER]);
return true;
}
} else {
LOGW("su: stub.apk signature mismatch\n");
}
}
}
// Check the official package name
sprintf(app_path, "%s/%d/" JAVA_PACKAGE_NAME, APP_DATA_DIR, user_id);
if (stat(app_path, st) == 0) {
string cert = read_certificate(find_apk_path(JAVA_PACKAGE_NAME));
if (APKCERT.empty())
cert.clear();
if (cert == APKCERT) {
if (pkg)
*pkg = JAVA_PACKAGE_NAME;
return true;
} else {
LOGE("su: cannot find manager\n");
LOGW("su: app signature mismatch\n");
}
}
LOGE("su: cannot find trusted app\n");
memset(st, 0, sizeof(*st));
if (pkg)
pkg->clear();
return false;
}
}
bool get_manager(string *pkg) {
struct stat st;
struct stat st{};
return get_manager(0, pkg, &st);
}
int get_manager_app_id() {
struct stat st;
struct stat st{};
if (get_manager(0, nullptr, &st))
return to_app_id(st.st_uid);
return -1;

3
native/jni/core/scripting.cpp
View File

@ -152,6 +152,7 @@ void exec_module_scripts(const char *stage, const vector<string_view> &modules)
constexpr char install_script[] = R"EOF(
APK=%s
log -t Magisk "apk_uninstall: $(pm uninstall %s 2>&1)"
log -t Magisk "apk_install: $APK"
log -t Magisk "apk_install: $(pm install -r $APK 2>&1)"
rm -f $APK
@ -163,7 +164,7 @@ void install_apk(const char *apk) {
.fork = fork_no_orphan
};
char cmds[sizeof(install_script) + 4096];
sprintf(cmds, install_script, apk);
sprintf(cmds, install_script, apk, JAVA_PACKAGE_NAME);
exec_command_sync(exec, "/system/bin/sh", "-c", cmds);
}

5
native/jni/include/db.hpp
View File

@ -84,11 +84,12 @@ protected:
* DB Strings *
**************/
constexpr const char *DB_STRING_KEYS[] = { "requester" };
constexpr const char *DB_STRING_KEYS[] = { "requester", "cert_digest" };
// Strings keys indices
enum {
SU_MANAGER = 0
SU_MANAGER = 0,
CERT_DIGEST
};
class db_strings : public db_dict<std::string, std::size(DB_STRING_KEYS)> {

1
native/jni/include/magisk.hpp
View File

@ -35,6 +35,7 @@ constexpr const char *applet_names[] = { "su", "resetprop", nullptr };
extern int SDK_INT;
#define APP_DATA_DIR (SDK_INT >= 24 ? "/data/user_de" : "/data/user")
extern std::string APKCERT;
// Multi-call entrypoints
int magisk_main(int argc, char *argv[]);

134
native/jni/utils/files.cpp
View File

@ -57,17 +57,33 @@ static void post_order_walk(int dirfd, const Func &fn) {
}
}
enum visit_result {
CONTINUE, SKIP, TERMINATE
};
template <typename Func>
static void pre_order_walk(int dirfd, const Func &fn) {
static visit_result pre_order_walk(int dirfd, const Func &fn) {
auto dir = xopen_dir(dirfd);
if (!dir) return;
if (!dir) {
close(dirfd);
return SKIP;
}
for (dirent *entry; (entry = xreaddir(dir.get()));) {
if (!fn(dirfd, entry))
switch (fn(dirfd, entry)) {
case CONTINUE:
break;
case SKIP:
continue;
if (entry->d_type == DT_DIR)
pre_order_walk(xopenat(dirfd, entry->d_name, O_RDONLY | O_CLOEXEC), fn);
case TERMINATE:
return TERMINATE;
}
if (entry->d_type == DT_DIR) {
int fd = xopenat(dirfd, entry->d_name, O_RDONLY | O_CLOEXEC);
if (pre_order_walk(fd, fn) == TERMINATE) return TERMINATE;
}
}
return CONTINUE;
}
static void remove_at(int dirfd, struct dirent *entry) {
@ -400,20 +416,20 @@ void parse_mnt(const char *file, const function<bool(mntent*)> &fn) {
}
void backup_folder(const char *dir, vector<raw_file> &files) {
char path[4096];
char path[PATH_MAX];
xrealpath(dir, path);
int len = strlen(path);
pre_order_walk(xopen(dir, O_RDONLY), [&](int dfd, dirent *entry) -> bool {
pre_order_walk(xopen(dir, O_RDONLY), [&](int dfd, dirent *entry) -> visit_result {
int fd = xopenat(dfd, entry->d_name, O_RDONLY);
if (fd < 0)
return false;
return SKIP;
run_finally f([&]{ close(fd); });
if (fd_path(fd, path, sizeof(path)) < 0)
return false;
return SKIP;
raw_file file;
file.path = path + len + 1;
if (fgetattr(fd, &file.attr) < 0)
return false;
return SKIP;
if (entry->d_type == DT_REG) {
fd_full_read(fd, file.buf, file.sz);
} else if (entry->d_type == DT_LNK) {
@ -423,7 +439,7 @@ void backup_folder(const char *dir, vector<raw_file> &files) {
memcpy(file.buf, path, file.sz);
}
files.emplace_back(std::move(file));
return true;
return CONTINUE;
});
}
@ -507,3 +523,99 @@ mmap_data::mmap_data(const char *name, bool rw) {
close(fd);
buf = static_cast<uint8_t *>(b);
}
string find_apk_path(const char *pkg) {
char buf[PATH_MAX];
pre_order_walk(xopen("/data/app", O_RDONLY), [&](int dfd, dirent *entry) -> visit_result {
if (entry->d_type != DT_DIR)
return SKIP;
size_t len = strlen(pkg);
if (strncmp(entry->d_name, pkg, len) == 0 && entry->d_name[len] == '-') {
fd_pathat(dfd, entry->d_name, buf, sizeof(buf));
return TERMINATE;
} else if (strncmp(entry->d_name, "~~", 2) == 0) {
return CONTINUE;
} else return SKIP;
});
string path(buf);
return path.append("/base.apk");
}
string read_certificate(string app_path) {
string certificate;
uint32_t size4;
uint64_t size8, size_of_block;
int fd = xopen(app_path.data(), O_RDONLY);
if (fd < 0) {
return certificate;
}
run_finally f([&] { close(fd); });
for (int i = 0;; i++) {
unsigned short n;
lseek(fd, -i - 2, SEEK_END);
read(fd, &n, 2);
if (n == i) {
lseek(fd, -22, SEEK_CUR);
read(fd, &size4, 4);
if (size4 == 0x6054b50u) { // central directory end magic
break;
}
}
if (i == 0xffff) {
return certificate;
}
}
lseek(fd, 12, SEEK_CUR);
read(fd, &size4, 0x4);
lseek(fd, (off_t) (size4 - 0x18), SEEK_SET);
read(fd, &size8, 0x8);
unsigned char buffer[0x10] = {0};
read(fd, buffer, 0x10);
if (memcmp(buffer, "APK Sig Block 42", 0x10) != 0) {
return certificate;
}
lseek(fd, (off_t) (size4 - (size8 + 0x8)), SEEK_SET);
read(fd, &size_of_block, 0x8);
if (size_of_block != size8) {
return certificate;
}
for (;;) {
uint32_t id;
uint32_t offset;
read(fd, &size8, 0x8); // sequence length
if (size8 == size_of_block) {
break;
}
read(fd, &id, 0x4); // id
offset = 4;
if (id == 0x7109871au) {
read(fd, &size4, 0x4); // signer-sequence length
read(fd, &size4, 0x4); // signer length
read(fd, &size4, 0x4); // signed data length
offset += 0x4 * 3;
read(fd, &size4, 0x4); // digests-sequence length
lseek(fd, (off_t) (size4), SEEK_CUR);// skip digests
offset += 0x4 + size4;
read(fd, &size4, 0x4); // certificates length
read(fd, &size4, 0x4); // certificate length
offset += 0x4 * 2;
certificate.resize(size4);
read(fd, certificate.data(), size4);
offset += size4;
}
lseek(fd, (off_t) (size8 - offset), SEEK_CUR);
}
return certificate;
}

3
native/jni/utils/files.hpp
View File

@ -102,6 +102,9 @@ void parse_mnt(const char *file, const std::function<bool(mntent*)> &fn);
void backup_folder(const char *dir, std::vector<raw_file> &files);
void restore_folder(const char *dir, std::vector<raw_file> &files);
std::string find_apk_path(const char *pkg);
std::string read_certificate(std::string app_path);
template <typename T>
void full_read(const char *filename, T &buf, size_t &size) {
static_assert(std::is_pointer<T>::value);