BGraversen <brian <at> digital-identity.dk> writes:
>
> Hi.
>
> My goal is to access the certificate that was used to sign the apk
> package; and ordinarily, I would do that from inside the program like
> this
>
> Certificate[] signingCertificates =
> getClass().getProtectionDomain().getCodeSource().getCertificates();
>
> Unfortunately it appears that getProtectionDomain() returns null on
> android - according to the specs
>
> http://developer.android.com/reference/java/lang/Class.html#getProtectionDomain%28%29
>
> this method might return null (to conserve space?), but only for
> system classes. Since I'm calling this from one of my own classes, I
> would expect to get a non-null value, but unfortunately not :(
>
> I have tried from the emulator, and from an application deployed on my
> phone using adb through a USB cable. I'm using the latest SDK (2.2)
> and targeting android 1.6.
>
> So I guess I have two questions, the first being: why does
> getProtectionDomain return null, and has anyone had any success using
> this method from inside an android application.
>
> And the second: Is there some other way to access the certificate that
> a given apk package was signed with (I can live with the restriction
> that only a given package can know its own certificate).
>
> Kind regards
> Brian Graversen
>
Have you found the answer? I am doing something like the following and
getting null from getCertificates:
import java.io.IOException;
import java.io.InputStream;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.Vector;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Throws SecurityException unless every non-META-INF entry of jarFile is
// signed by targetCert. jarFile must be opened with verification enabled
// (the default for the JarFile constructors), and each entry must be read
// to EOF and closed before JarEntry.getCertificates() returns non-null.
static void verifySignedBy(JarFile jarFile, X509Certificate targetCert)
        throws IOException {
    Vector<JarEntry> entriesVec = new Vector<JarEntry>();
    // Ensure all the entries' signatures verify correctly
    byte[] buffer = new byte[8192];
    Enumeration<JarEntry> entries = jarFile.entries();
    while (entries.hasMoreElements()) {
        JarEntry je = entries.nextElement();
        // Skip directories.
        if (je.isDirectory()) continue;
        entriesVec.addElement(je);
        InputStream is = jarFile.getInputStream(je);
        // Read in each jar entry. A security exception will
        // be thrown if a signature/digest check fails.
        int n;
        while ((n = is.read(buffer, 0, buffer.length)) != -1) {
            // Don't care
        }
        is.close();
    }
    // Get the list of signer certificates
    Enumeration<JarEntry> e = entriesVec.elements();
    while (e.hasMoreElements()) {
        JarEntry je = e.nextElement();
        // Every file must be signed except files in META-INF.
        Certificate[] certs = je.getCertificates();
        if ((certs == null) || (certs.length == 0)) {
            if (!je.getName().startsWith("META-INF"))
                throw new SecurityException("The provider " +
                                            "has unsigned " +
                                            "class files.");
        } else {
            // Check whether the file is signed by the expected
            // signer. The jar may be signed by multiple signers.
            // See if one of the signers is 'targetCert'.
            int startIndex = 0;
            X509Certificate[] certChain;
            boolean signedAsExpected = false;
            while ((certChain = getAChain(certs, startIndex)) != null) {
                if (certChain[0].equals(targetCert)) {
                    // Stop since one trusted signer is found.
                    signedAsExpected = true;
                    break;
                }
                // Proceed to the next chain.
                startIndex += certChain.length;
            }
            if (!signedAsExpected)
                throw new SecurityException("The provider " +
                                            "is not signed by a " +
                                            "trusted signer.");
        }
    }
}

// Helper the snippet above relies on (the standard getAChain from Sun's
// provider-verification sample): cuts one chain out of the flat array
// returned by getCertificates(), starting at startIndex and continuing
// while each certificate's issuer is the next certificate's subject.
private static X509Certificate[] getAChain(Certificate[] certs,
                                           int startIndex) {
    if (startIndex > certs.length - 1)
        return null;
    int i;
    for (i = startIndex; i < certs.length - 1; i++) {
        if (!((X509Certificate) certs[i + 1]).getSubjectDN().equals(
                ((X509Certificate) certs[i]).getIssuerDN()))
            break;
    }
    int certChainSize = (i - startIndex) + 1;
    X509Certificate[] ret = new X509Certificate[certChainSize];
    for (int j = 0; j < certChainSize; j++)
        ret[j] = (X509Certificate) certs[startIndex + j];
    return ret;
}
--
You received this message because you are subscribed to the Google Groups
"Android Security Discussions" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/android-security-discuss?hl=en.
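The second question in the quoted message asks for another way to reach the certificate an APK was signed with. On Android the package manager already holds it: PackageManager.getPackageInfo() called with PackageManager.GET_SIGNATURES fills PackageInfo.signatures, and each android.content.pm.Signature there is the DER encoding of one signer certificate, so it parses with a plain X.509 CertificateFactory and never touches the ProtectionDomain/CodeSource machinery that the first poster found returning null. The class below is an added example written for this page, not code from either poster; the class and method names and the all-zero digest constant are assumptions. On Android 9 (API 28) and later GET_SIGNATURES is deprecated in favour of GET_SIGNING_CERTIFICATES and PackageInfo.signingInfo, which also covers signing-key rotation.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;

import java.io.ByteArrayInputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

/*
 * Reads an installed package's signing certificate(s) through
 * PackageManager. Added example for this thread, not code from either
 * poster. Class name, method names and the digest constant are assumptions.
 */
public final class ApkSignerCheck {

    // ASSUMPTION / PLACEHOLDER: SHA-256 over the DER encoding of the
    // expected signing certificate (not over the APK and not over the
    // subject DN). Replace with the real fingerprint of the release
    // certificate before use.
    private static final byte[] EXPECTED_CERT_SHA256 = hexToBytes(
            "0000000000000000000000000000000000000000000000000000000000000000");

    private ApkSignerCheck() {}

    // Returns the signer certificates the package manager recorded for
    // packageName. Each Signature is the DER encoding of one end-entity
    // certificate, not a chain and not a raw signature value.
    public static X509Certificate[] signingCertificates(Context ctx,
                                                        String packageName)
            throws PackageManager.NameNotFoundException, CertificateException {
        PackageInfo info = ctx.getPackageManager().getPackageInfo(
                packageName, PackageManager.GET_SIGNATURES);
        Signature[] sigs = info.signatures;
        if (sigs == null || sigs.length == 0) {
            throw new CertificateException(packageName + " has no signatures");
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate[] certs = new X509Certificate[sigs.length];
        for (int i = 0; i < sigs.length; i++) {
            certs[i] = (X509Certificate) cf.generateCertificate(
                    new ByteArrayInputStream(sigs[i].toByteArray()));
        }
        return certs;
    }

    // True if any certificate the calling app was signed with matches
    // EXPECTED_CERT_SHA256. Any failure to read or parse counts as a
    // mismatch rather than a pass.
    public static boolean signedByExpectedKey(Context ctx) {
        try {
            X509Certificate[] certs =
                    signingCertificates(ctx, ctx.getPackageName());
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            for (X509Certificate cert : certs) {
                // digest() resets the MessageDigest, so reuse is safe.
                byte[] digest = sha256.digest(cert.getEncoded());
                // Pin the whole certificate, never just the subject name,
                // which anyone can put into a self-signed certificate.
                if (MessageDigest.isEqual(digest, EXPECTED_CERT_SHA256)) {
                    return true;
                }
            }
        } catch (PackageManager.NameNotFoundException e) {
            // fall through to false
        } catch (CertificateException e) {
            // fall through to false
        } catch (NoSuchAlgorithmException e) {
            // fall through to false
        }
        return false;
    }

    private static byte[] hexToBytes(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(
                    hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }
}
```

Two caveats a practitioner would want: the check compares a digest of the full encoded certificate rather than the subject DN, because a self-signed certificate with any subject you like costs nothing to make; and a check like this only protects what the platform already enforces, since anyone able to re-sign and install a modified APK can also remove the check from it.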