parse APKv1 signatures with a cert chain like apksigner #1038
Conversation
eighthave
changed the title
|
The logs are so verbose, I can't see what the failure is. Any way to change that? |
Microsoft signs their APKs with a X.509 certificate chain of trust, so there are actually three certificates included. apksigner only cares about the certificate that actually signs the manifest and ignores the certificates that just sign other certificates. https://apkpure.com/microsoft-edge-preview/com.microsoft.emmx/download https://gitlab.com/fdroid/fdroidserver/-/issues/1128 https://gitlab.com/fdroid/fdroidserver/-/merge_requests/1466 X.509 certificates and JAR signatures are a combination of machine- generated and plain data with trivial human input, so are not copyrightable. So I included signature files directly.
eighthave
force-pushed
the
read-cert-chain
branch
from
caca155
to
2cf8155
Compare
|
I forgot to add the new test APK! |
|
Looks like the official algorithm is to loop through the certificates, and verify which one works with the |
|
As we told you before: checking just either the first or either the last would not be right. A patch was provided. Meanwhile, for more details summed up and a POC included, please refer to https://www.openwall.com/lists/oss-security/2024/04/20/3 – and follow up to https://github.com/obfusk/fdroid-fakesigner-poc
You could have asked @obfusk for it, she'd have provided that. |
|
What would be great to have is a Python implementation of the algorithm in apksigner. #313 Unfortunately, neither that oss-security post nor that fdroid-fakesigner-poc contain that. I would welcome a full implementation as a replacement for this pull request |
|
Sorry Hans: I'm neither profound enough in Python, nor educated enough in the topic at hand to provide such an implementation. I can read the code, yes. And after being explained, I was able to understand enough to evaluate the patch and apply it with confidence. I'm aware that the patch is not complete, and more or less simply blocks APKs potentially targeting the vulnerability – and that it would have no unwanted side-effects (to my repo, or to F-Droid's at that). But that's all. So all I can say here is you don't need the first cert, or the last cert, but the matching cert. This patch simply uses the last cert instead of the first, it doesn't check if it's really the corresponding cert. So it does not really fix a thing. Certs are not ordered in v1, they are just an unordered set. |
|
That's all true. This pull request does fix the one case I could find of APKs
signed by a certificate chain: Microsoft. An APK could still exploit this
algorithm in the same way as before this pull request.
|
|
But it breaks things for other cases, if I understood Fay correctly. I don't know if it's a good idea to base this on a single example APK only. A second one might have the order inverted, a third one having the needed cert in the middle. The next release of the same app might do one of the two even. So I don't think this change is expedient, and would rather discourage merging it. Better have androguard spit out a warning if it encounters such a case where it cannot tell for sure which cert is the right one, maybe. But as I wrote on the related issue at fdroidserver, I'm only the messenger here – the one with some basic understanding acquired in the process (as the issue with fdroidserver was reported to me as well, and I had to see to safeguarding my repo), not the expert with long-time experience in the field who could give profound advice. So while I felt obliged to put in the little I know about it to make sure it's not missed but considered (to prevent harm if there is such involved), I cannot provide a solution unfortunately. |
|
Hi @eighthave , appreciate the effort put into the pull request. It does not seem wise to move forward with replacing one problematic section with another that also has issues. |
|
To actually do it fully correctly, there basically has to be a full JAR signature verification. That's not something I'm going to implement. @obfusk has already done a lot of work there with https://github.com/obfusk/apksigtool, so I'll defer to her. |
Microsoft signs their APKs with a X.509 certificate chain of trust, so there are actually three certificates included. apksigner only cares about the certificate that actually signs the manifest and ignores the certificates that just sign other certificates.
The correct values for the test case come from: