Implementation of Transforming Android Signature File into pk8 and pem

  • 2021-11-29 08:26:11
  • OfStack

Android Signature Tool

The signing tools commonly used for Android are jarsigner and apksigner. jarsigner signs with a keystore file, while apksigner uses pk8 + x509.pem.

What are .pem and .pk8 files

.pem

When Android signs an APK, the .pem file is an X.509 digital certificate, which contains the user's public key and other information and is used for decryption. The PEM file format can store not only digital certificates but also various keys.

.pk8

A file with the .pk8 extension corresponds to PKCS #8 and holds the private key.

Convert keystore file to pk8+pem

1. Convert keystore file to PKCS12 format

keytool -importkeystore -srckeystore my.keystore -destkeystore tmp.p12 -srcstoretype JKS -deststoretype PKCS12

2. Dump the PKCS12 file to PEM

openssl pkcs12 -in tmp.p12 -nodes -out tmp.rsa.pem

tmp.rsa.pem is in text format and can be viewed directly.

Open it in a text editor to see the private key (PRIVATE KEY) and the certificate (CERTIFICATE).

Copy everything from "BEGIN CERTIFICATE" to "END CERTIFICATE" into a new file, cert.x509.pem

Copy everything from "BEGIN RSA PRIVATE KEY" to "END RSA PRIVATE KEY" into another new file, private.rsa.pem

The cert.x509.pem file is the final certificate file we need.

3. Generate the private key in pk8 format

openssl pkcs8 -topk8 -outform DER -in private.rsa.pem -inform PEM -out private.pk8 -nocrypt

cert.x509.pem and private.pk8 are the final files we need.

Remarks:
The -nocrypt parameter controls key encryption. With it set, the private key in private.pk8 is written unencrypted, so signing below needs only the certificate and the key, with no password. If the key should be encrypted, omit the parameter:
openssl pkcs8 -topk8 -outform DER -in private.rsa.pem -inform PEM -out private.pk8
and enter a password when prompted.

4. Usage

java -jar signapk.jar cert.x509.pem private.pk8 unsigned.apk signed.apk

Usage of jarsigner

jarsigner -verbose -keystore android.keystore -signedjar android_signed.apk android.apk android.keystore

This command reports an error: the certificate chain cannot be found. XX must reference a valid keystore key entry that contains the private key and the corresponding public key certificate chain.

The last argument must be the alias of the key entry in the keystore:

jarsigner -verbose -keystore DT.jks -signedjar signed.apk unsigned.apk [Alias]

Additional knowledge: creating your own pk8 and x509.pem for Android and signing an app

1. Generate key

Command: keytool -genkey -v -keystore app.keystore -alias gundam_wing -keyalg RSA -validity 20000
Console output:
Enter the keystore password:
Enter the new password again:
What is your first name and last name?
[Unknown]: TechStone
What is your organizational unit name?
[Unknown]: Gundam
What is your organization name?
[Unknown]: Gundam
What is the name of your city or region?
[Unknown]: Shanghai
What is the name of your province/city/autonomous region?
[Unknown]: Shanghai
What is the two-letter country code for this unit?
[Unknown]: zh
Is CN=TechStone, OU=Gundam, O=Gundam, L=Shanghai, ST=Shanghai, C=zh correct?
[No]: Y

Generating a 2,048-bit RSA key pair and self-signed certificate (SHA256withRSA) (valid for 20,000 days) for the following objects:
CN=TechStone, OU=Gundam, O=Gundam, L=Shanghai, ST=Shanghai, C=zh
Enter key password for <gundam_wing>
(If the password is the same as the keystore password, press Enter):
[Storing app.keystore]

This command generates a key with organizational/personal information and stores it in the app.keystore file.

2. Convert the key format

Command:

keytool -importkeystore -srckeystore app.keystore -destkeystore tmp.p12 -srcstoretype JKS -deststoretype PKCS12

The console prompts for the password for tmp.p12 and the password for app.keystore; the tmp.p12 file is generated once they are entered correctly.

3. Dump the key in PKCS12 format into text that can be read directly

Command:

openssl pkcs12 -in tmp.p12 -nodes -out tmp.rsa.pem

The dump also prompts for the password; once it is entered correctly, the readable text is stored in tmp.rsa.pem.

4. Extraction

Open tmp.rsa.pem in a text editor. Copy the text from
-----BEGIN PRIVATE KEY-----
to
-----END PRIVATE KEY-----
(including these two tags) into a new file, my_private.rsa.pem

Then copy the text from
-----BEGIN CERTIFICATE-----
to
-----END CERTIFICATE-----
(including these two tags) into a new file, my.x509.pem (the public key used when signing)

5. Transform and generate the private key in pk8 format

openssl pkcs8 -topk8 -outform DER -in my_private.rsa.pem -inform PEM -out my_private.pk8 -nocrypt

The generated my_private.pk8 is the private key used when signing.

6. Sign apk

java -jar signapk.jar my.x509.pem my_private.pk8 my.apk my_signed.apk
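
The manual copy in the extraction step (4. above, and step 2 of the first procedure) can be scripted. The following is an added example, not part of the original article: it pulls the certificate and the private key out of tmp.rsa.pem, accepts both the "PRIVATE KEY" and "RSA PRIVATE KEY" labels, and fails if the key is still encrypted. The function names and the sample bundle are assumptions made for illustration; it takes the first certificate in the bundle, which fits a keystore holding one self-signed certificate as above.

```shell
#!/bin/sh
# Added example (not from the original article): split the bundle that
# `openssl pkcs12 -nodes` writes into the certificate and key files.

# extract_pem_block LABEL_ERE FILE: print the first PEM block whose label
# matches LABEL_ERE, skipping the "Bag Attributes" text around it.
extract_pem_block() {
    awk -v label="$1" '
        { sub(/\r$/, "") }                      # tolerate CRLF line endings
        !found && $0 ~ ("^-----BEGIN " label "-----$") { inblock = 1 }
        inblock { print }
        inblock && $0 ~ ("^-----END " label "-----$") { inblock = 0; found = 1 }
    ' "$2"
}

# split_bundle BUNDLE CERT_OUT KEY_OUT: returns non-zero if either block is
# missing, e.g. the key is still an ENCRYPTED PRIVATE KEY (no -nodes).
split_bundle() {
    old_umask=$(umask)
    umask 077                                   # a new key file gets mode 0600
    extract_pem_block 'CERTIFICATE' "$1" > "$2"
    extract_pem_block '(RSA )?PRIVATE KEY' "$1" > "$3"
    umask "$old_umask"
    [ -s "$2" ] && [ -s "$3" ]
}

# write_sample_bundle FILE: constructed input shaped like tmp.rsa.pem; the
# base64 bodies are placeholders, not a real key or certificate.
write_sample_bundle() {
    cat > "$1" <<'EOF'
Bag Attributes
    friendlyName: gundam_wing
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQta2V5
-----END PRIVATE KEY-----
Bag Attributes
    friendlyName: gundam_wing
subject=CN = TechStone, OU = Gundam
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtY2VydA==
-----END CERTIFICATE-----
EOF
}

# Usage: sh split_bundle.sh tmp.rsa.pem my.x509.pem my_private.rsa.pem
if [ "$#" -eq 3 ]; then split_bundle "$1" "$2" "$3"; fi
```
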

