Android otapackage Flow Analysis, Part 5

Let's analyze a few files:

1. CERT.RSA

Use openssl pkcs7 -inform DER -in CERT.RSA -noout -print_certs -text to inspect the generated CERT.RSA:

Certificate:
    Data:
        Version: 3 (0x2) // version number
        Serial Number: 10623618503190643167 (0x936eacbe07f201df) // certificate serial number
    Signature Algorithm: sha1WithRSAEncryption // algorithm and parameters
        Issuer: C=US, ST=California, L=Mountain View, O=Android, OU=Android, CN=Android/[email protected]  // issuer name
        Validity
            Not Before: Feb 29 01:33:46 2008 GMT // validity start and end dates
            Not After : Jul 17 01:33:46 2035 GMT
        Subject: C=US, ST=California, L=Mountain View, O=Android, OU=Android, CN=Android/[email protected] // subject name
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus: // algorithm, parameters, key
                Exponent: 3 (0x3)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                48:59:00:56:3D:27:2C:46:AE:11:86:05:A4:74:19:AC:09:CA:8C:11
            X509v3 Authority Key Identifier: 
                keyid:48:59:00:56:3D:27:2C:46:AE:11:86:05:A4:74:19:AC:09:CA:8C:11
                DirName:/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/[email protected]
                serial:93:6E:AC:BE:07:F2:01:DF


            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption // algorithm, parameters, encrypted hash value

Use openssl x509 -in testkey.x509.pem -noout -text to inspect the certificate that was used:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 10623618503190643167 (0x936eacbe07f201df)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=California, L=Mountain View, O=Android, OU=Android, CN=Android/[email protected]
        Validity
            Not Before: Feb 29 01:33:46 2008 GMT
            Not After : Jul 17 01:33:46 2035 GMT
        Subject: C=US, ST=California, L=Mountain View, O=Android, OU=Android, CN=Android/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 3 (0x3)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                48:59:00:56:3D:27:2C:46:AE:11:86:05:A4:74:19:AC:09:CA:8C:11
            X509v3 Authority Key Identifier: 
                keyid:48:59:00:56:3D:27:2C:46:AE:11:86:05:A4:74:19:AC:09:CA:8C:11
                DirName:/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/[email protected]
                serial:93:6E:AC:BE:07:F2:01:DF


            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption


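The two outputs are identical, which confirms what the previous post said: CERT.RSA contains the certificate testkey.x509.pem. CERT.RSA holds more than the certificate, though; it also holds the signature data. Since CERT.RSA is in DER format, we convert testkey.x509.pem to DER format as well:

openssl x509 -in testkey.x509.pem -inform PEM -out testkey.x509.der -outform DER

Comparing testkey.x509.der with CERT.RSA again, we find that CERT.RSA has extra data both after and before the certificate.

The trailing data is the signature data: the digest information in CERT.SF, encrypted with the private key testkey.pk8. The certificate testkey.x509.pem is needed as well, because it contains the certificate and certificate chain, which carry the public key and the encryption algorithm.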
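The comparison above can be reproduced end to end. The script below is an added example, not code from the original post: it uses a throwaway key and certificate (demo.key, demo.x509.pem) and a constructed CERT.SF instead of testkey and a real package, builds the PKCS#7 file with openssl smime, then reports where the DER certificate sits inside CERT.RSA and whether the signature still verifies after CERT.SF is changed.

```shell
#!/usr/bin/env bash
# Added example: demo.key, demo.x509.pem and CERT.SF are constructed, throwaway
# stand-ins for testkey.pk8, testkey.x509.pem and a real package's CERT.SF.

hex() { od -An -v -tx1 "$1" | tr -d ' \n'; }

# Prints "<cert offset> <cert length> <trailing bytes> <verify> <tamper>"
cert_rsa_layout() {
    local dir rc
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ota-signer" \
            -keyout demo.key -out demo.x509.pem 2>/dev/null || exit 1
        printf 'Signature-Version: 1.0\r\nCreated-By: constructed sample\r\n\r\n' > CERT.SF

        # Detached PKCS#7 SignedData over CERT.SF in DER form, signer cert embedded
        openssl smime -sign -binary -in CERT.SF -signer demo.x509.pem \
            -inkey demo.key -outform DER -out CERT.RSA 2>/dev/null || exit 1
        # The page's PEM-to-DER conversion, applied to the demo certificate
        openssl x509 -in demo.x509.pem -inform PEM -out demo.x509.der -outform DER || exit 1

        rsa=$(hex CERT.RSA); cert=$(hex demo.x509.der)
        before=${rsa%%"$cert"*}             # hex that precedes the embedded certificate
        [ "$before" != "$rsa" ] || exit 1   # certificate bytes not found in CERT.RSA
        offset=$(( ${#before} / 2 )); clen=$(( ${#cert} / 2 ))
        trailing=$(( ${#rsa} / 2 - offset - clen ))

        # The trailing signer data must verify against the untouched CERT.SF ...
        verify=fail; tamper=accepted
        openssl smime -verify -noverify -binary -inform DER -in CERT.RSA \
            -content CERT.SF -out /dev/null 2>/dev/null && verify=ok
        # ... and must stop verifying once CERT.SF changes.
        printf 'X-Tampered: 1\r\n' >> CERT.SF
        openssl smime -verify -noverify -binary -inform DER -in CERT.RSA \
            -content CERT.SF -out /dev/null 2>/dev/null || tamper=rejected

        echo "$offset $clen $trailing $verify $tamper"
    )
    rc=$?
    rm -rf "$dir"
    return $rc
}

cert_rsa_layout
```

A non-zero offset and a trailing length of at least 256 bytes (the size of a 2048-bit RSA signature) correspond to the extra data before and after the certificate noted above.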


2. During an OTA upgrade, the file /res/keys is used. Where does this file come from?

The relevant code is attached below; you can find it in the SDK.

PRODUCT_VERITY_SIGNING_KEY := build/target/product/security/verity

// build/core/Makefile

  # Keys authorized to sign OTA packages this build will accept.  The
  # build always uses dev-keys for this; release packaging tools will
  # substitute other keys for this one.
  OTA_PUBLIC_KEYS := $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem

  # Generate a file containing the keys that will be read by the
  # recovery binary.
  RECOVERY_INSTALL_OTA_KEYS := \
          $(call intermediates-dir-for,PACKAGING,ota_keys)/keys
  DUMPKEY_JAR := $(HOST_OUT_JAVA_LIBRARIES)/dumpkey.jar
  $(RECOVERY_INSTALL_OTA_KEYS): PRIVATE_OTA_PUBLIC_KEYS := $(OTA_PUBLIC_KEYS)
  $(RECOVERY_INSTALL_OTA_KEYS): extra_keys := $(patsubst %,%.x509.pem,$(PRODUCT_EXTRA_RECOVERY_KEYS))
  $(RECOVERY_INSTALL_OTA_KEYS): $(OTA_PUBLIC_KEYS) $(DUMPKEY_JAR) $(extra_keys)
          @echo "DumpPublicKey: $@ <= $(PRIVATE_OTA_PUBLIC_KEYS) $(extra_keys)"
          @rm -rf $@
          @mkdir -p $(dir $@)
          java -jar $(DUMPKEY_JAR) $(PRIVATE_OTA_PUBLIC_KEYS) $(extra_keys) > $@

// build/core/config.mk
# The default key if not set as LOCAL_CERTIFICATE
ifdef PRODUCT_DEFAULT_DEV_CERTIFICATE
  DEFAULT_SYSTEM_DEV_CERTIFICATE := $(PRODUCT_DEFAULT_DEV_CERTIFICATE)                                                               
else
  DEFAULT_SYSTEM_DEV_CERTIFICATE := build/target/product/security/testkey
endif

$(hide) echo "default_system_dev_certificate=$(DEFAULT_SYSTEM_DEV_CERTIFICATE)" >> $(zip_root)/META/misc_info.txt

So testkey is what is currently used, and misc_info.txt also contains default_system_dev_certificate=build/target/product/security/testkey.
The /res/keys file is in fact produced by java -jar dumpkey.jar testkey.x509.pem > RECOVERY_INSTALL_OTA_KEYS: the dumpkey.jar program converts the public key file into keys,
followed by cp $(RECOVERY_INSTALL_OTA_KEYS) $(TARGET_RECOVERY_ROOT_OUT)/res/keys

Addendum:

One more point: system/etc/security/otacerts.zip is the archive of OTA certificates.
ALL_DEFAULT_INSTALLED_MODULES += $(TARGET_OUT_ETC)/security/otacerts.zip
  $(TARGET_OUT_ETC)/security/otacerts.zip: KEY_CERT_PAIR := $(DEFAULT_KEY_CERT_PAIR)
  $(TARGET_OUT_ETC)/security/otacerts.zip: $(addsuffix .x509.pem,$(DEFAULT_KEY_CERT_PAIR))                                           
          $(hide) rm -f $@
          $(hide) mkdir -p $(dir $@)
          $(hide) zip -qj $@ $<
  
  .PHONY: otacerts
  otacerts: $(TARGET_OUT_ETC)/security/otacerts.zip

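What is this file for? While Android is running, the device uses the OTA service to run regular checks and is notified of available updates. The update is downloaded to the cache or data partition, and its cryptographic signature is verified against the certificates in /system/etc/security/otacerts.zip. The user is then prompted to install the update.

So the OTA upgrade flow on Android has two verification steps: one is the check on the downloaded update package described above, and the other happens after entering recovery, using /res/keys. In general, these two files are the same.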






Reposted from blog.csdn.net/yexiangcsdn/article/details/79226418