CN107980132A - APK signature authentication method and system - Google Patents
APK signature authentication method and system
- Publication number: CN107980132A
- Application number: CN201780001458.0A
- Authority: CN (China)
- Prior art keywords: apk, signature, acquirer, apk file, file
- Legal status: Pending
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/44—Program or device authentication
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
Abstract
The present invention provides an APK signature authentication method and system. The original APK file is signed to generate signature information; a custom ID-value pair is added to the APK Signing Block and the signature information is inserted into that custom ID-value pair, producing the signed APK file. The terminal obtains the signed APK file, extracts the signature information and restores the original APK file; the terminal then verifies the legitimacy of the signature information and of the original APK file and, once verification succeeds, installs the original APK file. The native signature verification mechanism of the terminal operating system is not affected, so the method applies to Android 7.0 and later, with good compatibility and wide applicability. The acquirer need only produce one signed APK file, which can be downloaded to both the payment terminal vendor's devices and other Android devices, reducing the acquirer's maintenance cost.
Description
Technical field
The present invention relates to the field of signature authentication, and in particular to an APK signature authentication method and system.
Background technology
Android is a Linux-based open-source operating system developed by Google; programs installed on it are all in APK (Android Package) format. The APK file format is in fact the ZIP archive format and is broadly divided into three parts: the compressed file contents, the compressed central directory, and the End of Central Directory (EOCD) record.
In the financial payment field, an acquirer usually purchases smart terminals from a payment terminal manufacturer and installs its own programs, in APK format, on those terminals. The acquirer maintains a signed APK for the payment terminals of each manufacturer, and may also need to install the APK on other Android devices.
The applicant previously filed invention patent application No. 201510780639.0, which discloses an APK signature authentication method and system that adds signature information under the META-INF directory of the APK source file. That scheme works normally on systems before Android 7.0, but starting with Android 7.0 a new application signature scheme, APK Signature Scheme v2 (the native v2 signature), was introduced. The native v2 signature signs and verifies the entire APK data, so an APK natively signed with v2 does not allow files to be inserted into the META-INF directory. The earlier scheme is therefore not applicable to Android 7.0 and later and needs to be improved to overcome this problem.
The content of the invention
The technical problem to be solved by the invention is to provide an APK signature authentication method and system that are compatible with the native v2 signature mechanism of the terminal operating system, improve the compatibility of APK signature authentication, and adapt to different versions of the Android system.
To solve the above technical problem, one technical solution adopted by the invention is:
An APK signature authentication method, including the steps:
S1. Sign the original APK file to generate signature information;
S2. Add a custom ID-value pair to the APK Signing Block, insert the signature information into the custom ID-value pair, and generate the signed APK file;
S3. The terminal obtains the signed APK file, extracts the signature information and restores the original APK file;
S4. The terminal verifies the legitimacy of the signature information and of the original APK file and, once verification succeeds, installs the original APK file.
To solve the above technical problem, another technical solution adopted by the invention is:
An APK signature authentication system, including an acquirer and a terminal. The acquirer includes a first memory, a first processor and a first computer program stored in the first memory and runnable on the first processor; the terminal includes a second memory, a second processor and a second computer program stored in the second memory and runnable on the second processor.
The first processor implements the following steps when executing the first computer program:
S1. Sign the original APK file to generate signature information;
S2. Add a custom ID-value pair to the APK Signing Block, insert the signature information into the custom ID-value pair, and generate the signed APK file;
The second processor implements the following steps when executing the second computer program:
S3. Obtain the signed APK file, extract the signature information and restore the original APK file;
S4. Verify the legitimacy of the signature information and of the original APK file and, once verification succeeds, install the original APK file.
The beneficial effects of the invention are: a custom ID-value pair is added to the APK Signing Block and the signature information produced by signing the original APK file is inserted into it, so the native signature verification mechanism of the terminal operating system is not affected. The method applies to Android 7.0 and later, has good compatibility and wide applicability, and the acquirer need only produce one signed APK file, which can be downloaded to both payment terminal vendor devices and other Android devices, reducing the acquirer's maintenance cost.
Brief description of the drawings
Fig. 1 is a flow chart of the APK signature authentication method of an embodiment of the invention;
Fig. 2 is a structural diagram of the APK signature authentication system of an embodiment of the invention;
Fig. 3 is a schematic diagram of the data format of the signature information of an embodiment of the invention;
Fig. 4 is a schematic diagram of the file format of an APK file of an embodiment of the invention after the native v2 signature and the acquirer signature have been applied.
Reference numerals:
1, acquirer; 2, first memory; 3, first processor; 4, terminal; 5, second memory; 6, second processor; 7, APK signature authentication system.
Embodiment
The core idea of the invention is: add a custom ID-value pair to the APK Signing Block and insert the signature information produced by signing the original APK file into that custom ID-value pair, without affecting the native signature verification mechanism of the terminal operating system.
Referring to Fig. 1, an APK signature authentication method includes the steps:
S1. Sign the original APK file to generate signature information;
S2. Add a custom ID-value pair to the APK Signing Block, insert the signature information into the custom ID-value pair, and generate the signed APK file;
S3. The terminal obtains the signed APK file, extracts the signature information and restores the original APK file;
S4. The terminal verifies the legitimacy of the signature information and of the original APK file and, once verification succeeds, installs the original APK file.
As can be seen from the above description, the beneficial effects of the invention are: a custom ID-value pair is added to the APK Signing Block and the signature information produced by signing the original APK file is inserted into it, so the native signature verification mechanism of the terminal operating system is not affected. The method applies to Android 7.0 and later, has good compatibility and wide applicability, and the acquirer need only produce one signed APK file, which can be downloaded to both payment terminal vendor devices and other Android devices, reducing the acquirer's maintenance cost.
Further, step S2 specifically includes:
According to the APK Signing Block format, add a custom ID-value pair to the APK Signing Block, insert the signature information into the custom ID-value pair, and correspondingly modify the block size of the APK Signing Block and the EOCD record of the original APK file to generate the signed APK file.
As can be seen from the above description, a custom ID-value pair is added to the APK Signing Block according to the APK Signing Block format, the signature information is inserted into it, and the block size of the APK Signing Block and the EOCD record of the original APK file are modified accordingly to generate the signed APK file. Compared with the original APK file, the signed APK file differs only by one additional custom ID-value pair in the APK Signing Block; it still conforms to the APK file format of the native v2 signature and has no effect on native Android signature verification, so it can also be installed normally on devices running Android 7.0 and later.
Further, modifying the block size of the APK Signing Block and the EOCD record of the original APK file specifically includes:
The block size of the APK Signing Block is increased by the size of the custom ID-value pair, and the central directory offset in the EOCD record is increased by the size of the custom ID-value pair.
As can be seen from the above description, the APK file format itself is not changed; only a custom ID-value pair conforming to the APK Signing Block format is added to the APK Signing Block, and the signature information is placed in that pair. Since only the data length of the APK Signing Block changes, it is sufficient to adjust the block size of the APK Signing Block and the central directory offset in the EOCD record accordingly; the change is small and easy to perform.
Further, extracting the signature information and restoring the original APK file in step S3 specifically includes:
Copy the signature information out of the custom ID-value pair in the APK Signing Block according to its ID;
Delete the custom ID-value pair from the APK Signing Block and correspondingly modify the block size of the APK Signing Block and the EOCD record of the APK file to restore the original APK file.
As can be seen from the above description, the signature information is copied out of the APK Signing Block according to its ID and deleted from the APK Signing Block, and the block size of the APK Signing Block and the EOCD record of the APK file are modified accordingly to restore the original APK file. This both allows the original APK file to be verified and ensures that the original APK file can pass signature verification and be installed on the terminal.
Further, modifying the block size of the APK Signing Block and the EOCD record of the APK file specifically includes:
The block size of the APK Signing Block is decreased by the size of the custom ID-value pair, and the central directory offset in the EOCD record is decreased by the size of the custom ID-value pair.
As can be seen from the above description, since only the data size of the APK Signing Block is changed, after the signature information is deleted from its position it is only necessary to modify the block size of the APK Signing Block and the central directory offset in the EOCD record, which is convenient and efficient.
Further, step S1 specifically includes:
Generate an acquirer working public key certificate, and distribute the public key corresponding to the acquirer working public key certificate to the different manufacturers;
Take the original APK file together with the acquirer signature description information as the data to be signed, and compute a hash over the data to be signed to obtain a first hash value;
Pad the first hash value to obtain the padded data;
Obtain the private key corresponding to the acquirer working public key certificate, and sign the padded data with that private key to obtain the acquirer signed data;
Generate signature information comprising the acquirer signature description information, the acquirer signed data and the acquirer working public key certificate.
Further, the terminal verifying the legitimacy of the signature information and of the original APK file in step S4 specifically includes:
The terminal verifies the legitimacy of the acquirer working public key certificate in the signature information using the acquirer root public key certificate that the corresponding manufacturer generated from the public key;
If verification succeeds, a second public key is extracted from the acquirer working public key certificate, and the acquirer signed data is decrypted with the second public key to obtain the first hash value;
A hash is computed over the acquirer signature description information and the original APK file to obtain a second hash value;
It is judged whether the second hash value is consistent with the first hash value; if so, verification succeeds.
As can be seen from the above description, the object of the acquirer signature is the original APK file. The acquirer generates the acquirer working public key certificate centrally and distributes the public key corresponding to it to the different manufacturers; the CA server of each manufacturer generates an acquirer root public key certificate from that public key according to its own certificate generation algorithm. The terminal verifies the legitimacy of the acquirer working public key certificate in the signature information using that acquirer root public key certificate and, once verified, performs the corresponding signature verification with the public key distributed centrally by the acquirer. This guarantees the integrity of the signed APK file during data transmission and the legitimacy of the APK, and the acquirer need only maintain one signed file and one signature implementation for the terminal devices of the different manufacturers, greatly reducing the acquirer's maintenance cost for APK signing.
Further, the terminal installing the original APK file in step S4 includes:
Extract the native signature data from the APK Signing Block and restore the APK file as it was before native signing;
Verify the legitimacy of the native signature data and of the APK file before native signing and, once verification succeeds, install that APK file.
As can be seen from the above description, the APK signature authentication method of the invention does not affect the native signature verification mechanism of the terminal operating system; the terminal can carry out native signature verification smoothly and install the APK file as it was before native signing, giving good compatibility.
Referring to Fig. 2, an APK signature authentication system 7 includes an acquirer 1 and a terminal 4. The acquirer 1 includes a first memory 2, a first processor 3 and a first computer program stored in the first memory 2 and runnable on the first processor 3; the terminal 4 includes a second memory 5, a second processor 6 and a second computer program stored in the second memory 5 and runnable on the second processor 6, wherein
The first processor 3 implements the following steps when executing the first computer program:
S1. Sign the original APK file to generate signature information;
S2. Add a custom ID-value pair to the APK Signing Block, insert the signature information into the custom ID-value pair, and generate the signed APK file;
The second processor 6 implements the following steps when executing the second computer program:
S3. Obtain the signed APK file, extract the signature information and restore the original APK file;
S4. Verify the legitimacy of the signature information and of the original APK file and, once verification succeeds, install the original APK file.
As can be seen from the above description, the beneficial effects of the invention are: a custom ID-value pair is added to the APK Signing Block and the signature information produced by signing the original APK file is inserted into it, so the native signature verification mechanism of the terminal operating system is not affected. The system applies to Android 7.0 and later, has good compatibility and wide applicability, and the acquirer need only produce one signed APK file, which can be downloaded to both payment terminal vendor devices and other Android devices, reducing the acquirer's maintenance cost.
Further, step S2 specifically includes:
According to the APK Signing Block format, add a custom ID-value pair to the APK Signing Block, insert the signature information into the custom ID-value pair, and correspondingly modify the block size of the APK Signing Block and the EOCD record of the original APK file to generate the signed APK file.
As can be seen from the above description, a custom ID-value pair is added to the APK Signing Block according to the APK Signing Block format, the signature information is inserted into it, and the block size of the APK Signing Block and the EOCD record of the original APK file are modified accordingly to generate the signed APK file. Compared with the original APK file, the signed APK file differs only by one additional custom ID-value pair in the APK Signing Block; it still conforms to the APK file format of the native v2 signature and has no effect on native Android signature verification, so it can also be installed normally on devices running Android 7.0 and later.
Further, modifying the block size of the APK Signing Block and the EOCD record of the original APK file specifically includes:
The block size of the APK Signing Block is increased by the size of the custom ID-value pair, and the central directory offset in the EOCD record is increased by the size of the custom ID-value pair.
As can be seen from the above description, the APK file format itself is not changed; only a custom ID-value pair conforming to the APK Signing Block format is added to the APK Signing Block, and the signature information is placed in that pair. Since only the data length of the APK Signing Block changes, it is sufficient to adjust the block size of the APK Signing Block and the central directory offset in the EOCD record accordingly; the change is small and easy to perform.
Further, extracting the signature information and restoring the original APK file in step S3 specifically includes:
Copy the signature information out of the custom ID-value pair in the APK Signing Block according to its ID;
Delete the custom ID-value pair from the APK Signing Block and correspondingly modify the block size of the APK Signing Block and the EOCD record of the APK file to restore the original APK file.
As can be seen from the above description, the signature information is copied out of the APK Signing Block according to its ID and deleted from the APK Signing Block, and the block size of the APK Signing Block and the EOCD record of the APK file are modified accordingly to restore the original APK file. This both allows the original APK file to be verified and ensures that the original APK file can pass signature verification and be installed on the terminal.
Further, modifying the block size of the APK Signing Block and the EOCD record of the APK file specifically includes:
The block size of the APK Signing Block is decreased by the size of the custom ID-value pair, and the central directory offset in the EOCD record is decreased by the size of the custom ID-value pair.
As can be seen from the above description, since only the data size of the APK Signing Block is changed, after the signature information is deleted from its position it is only necessary to modify the block size of the APK Signing Block and the central directory offset in the EOCD record, which is convenient and efficient.
Further, step S1 specifically includes:
Generate an acquirer working public key certificate, and distribute the public key corresponding to the acquirer working public key certificate to the different manufacturers;
Take the original APK file together with the acquirer signature description information as the data to be signed, and compute a hash over the data to be signed to obtain a first hash value;
Pad the first hash value to obtain the padded data;
Obtain the private key corresponding to the acquirer working public key certificate, and sign the padded data with that private key to obtain the acquirer signed data;
Generate signature information comprising the acquirer signature description information, the acquirer signed data and the acquirer working public key certificate.
Further, verifying the legitimacy of the signature information and of the original APK file in step S4 specifically includes:
Verify the legitimacy of the acquirer working public key certificate in the signature information using the acquirer root public key certificate that the corresponding manufacturer generated from the public key;
If verification succeeds, extract a second public key from the acquirer working public key certificate, and decrypt the acquirer signed data with the second public key to obtain the first hash value;
Compute a hash over the acquirer signature description information and the original APK file to obtain a second hash value;
Judge whether the second hash value is consistent with the first hash value; if so, verification succeeds.
As can be seen from the above description, the object of the acquirer signature is the original APK file. The acquirer generates the acquirer working public key certificate centrally and distributes the public key corresponding to it to the different manufacturers; the CA server of each manufacturer generates an acquirer root public key certificate from that public key according to its own certificate generation algorithm. The terminal verifies the legitimacy of the acquirer working public key certificate in the signature information using that acquirer root public key certificate and, once verified, performs the corresponding signature verification with the public key distributed centrally by the acquirer. This guarantees the integrity of the signed APK file during data transmission and the legitimacy of the APK, and the acquirer need only maintain one signed file and one signature implementation for the terminal devices of the different manufacturers, greatly reducing the acquirer's maintenance cost for APK signing.
Further, installing the original APK file in step S4 includes:
Extract the native signature data from the APK Signing Block and restore the APK file as it was before native signing;
Verify the legitimacy of the native signature data and of the APK file before native signing and, once verification succeeds, install that APK file.
As can be seen from the above description, the APK signature authentication system of the invention does not affect the native signature verification mechanism of the terminal operating system; the terminal can carry out native signature verification smoothly and install the APK file as it was before native signing, giving good compatibility.
Embodiment one
Referring to Fig. 1, an APK signature authentication method includes the steps:
S1. Sign the original APK file to generate signature information;
Specifically, the acquirer 1 calls an encryption device to generate a first public/private key pair and a second public/private key pair. The acquirer 1 signs the second public key with the first private key to generate the acquirer working public key certificate AcquirerWCRT, and distributes the first public key corresponding to the acquirer working public key certificate AcquirerWCRT to the CA servers of the different manufacturers;
The acquirer 1 takes the original APK file together with the acquirer signature description information as the data to be signed, SourceData, computes a hash over SourceData and obtains the first hash value HASH1;
The acquirer 1 pads the first hash value HASH1 according to the PKCS#1 v1.5 signature padding scheme, obtaining the padded data PAD_data;
The acquirer 1 obtains the second private key corresponding to the acquirer working public key certificate from a secure storage medium and signs (encrypts) the padded data with the second private key, obtaining the acquirer signed data Signature;
The acquirer signature description information, the acquirer signed data Signature, the acquirer working public key certificate AcquirerWCRT and a signature file header are concatenated to generate the acquirer's signature information. The data format of the signature information is shown in Fig. 3: the acquirer signature description information is of variable length and describes the acquirer signed data; the acquirer signed data is 256 bytes long and is the result of signing the original APK file; the acquirer working public key certificate is of variable length and is the organisation's working public key certificate used for signing; the signature file header is of variable length but no more than 1k, and identifies the signature file type and the data offset and length of the acquirer signed data, so that the acquirer signed data can be located;
S2. Add a custom ID-value pair to the APK Signing Block, insert the signature information into the custom ID-value pair, and generate the signed APK file;
According to the APK Signing Block format, a custom ID-value pair is added to the APK Signing Block, the signature information is inserted into it, and the block size of the APK Signing Block and the EOCD record of the original APK file are modified accordingly; specifically, the block size of the APK Signing Block is increased by the size of the custom ID-value pair and the central directory offset in the EOCD record is increased by the size of the custom ID-value pair, generating the signed APK file;
Fig. 4 shows how the file format of an APK file that has not been natively signed changes after the native signature and then the acquirer signature are applied in turn;
As can be seen from Fig. 4, the acquirer's signature over the natively v2-signed APK file does not change the structure of the natively signed APK file; it uses a custom ID-value pair in the APK Signing Block to carry the signature information;
S3. The terminal 4 obtains the signed APK file, extracts the signature information and restores the original APK file;
Specifically, the signature information is copied out of the custom ID-value pair in the APK Signing Block according to its ID; the custom ID-value pair is deleted from the APK Signing Block and the block size of the APK Signing Block and the EOCD record of the APK file are modified accordingly; specifically, the block size of the APK Signing Block is decreased by the size of the custom ID-value pair and the central directory offset in the EOCD record is decreased by the size of the custom ID-value pair, restoring the original APK file;
The ID of the native APK signature is fixed at 0x7109871a; to avoid conflicting with it, the ID of the signature information may be defined as 0x71536966 or any other value, as long as it does not conflict with the ID of the native APK signature;
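The following Python code is an added example, not part of the patent, that carries out steps S2 and S3 (as described here and in the general description above) on a constructed stand-in for a v2-signed APK: it appends a custom ID-value pair with ID 0x71536966 holding the acquirer's signature information to the APK Signing Block, increases the block's two size fields and the EOCD central directory offset by the pair's size, and then reverses the change to recover the original bytes exactly. It assumes the archive has no ZIP comment and no verity padding pair; the signature information payload and the v2 pair contents are constructed placeholders.

```python
import struct

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
NATIVE_V2_ID = 0x7109871A   # ID of the native APK Signature Scheme v2 pair (given in the text)
ACQUIRER_ID = 0x71536966    # custom ID chosen in the text for the acquirer signature information
EOCD_SIG = b"PK\x05\x06"
EOCD_LEN = 22               # EOCD size when the archive carries no ZIP comment (assumed here)


def find_eocd(apk: bytes) -> int:
    """Offset of the End of Central Directory record (assumes no trailing ZIP comment)."""
    eocd = apk.rfind(EOCD_SIG)
    if eocd < 0 or eocd + EOCD_LEN != len(apk):
        raise ValueError("EOCD record not found at end of file")
    return eocd


def locate_sig_block(apk: bytes):
    """Return (block_start, cd_offset, eocd) for an APK that carries an APK Signing Block.

    Layout: [size-of-block u64][ID-value pairs][size-of-block u64][16-byte magic], placed
    immediately before the central directory; both size fields exclude the leading size field."""
    eocd = find_eocd(apk)
    cd_offset = struct.unpack_from("<I", apk, eocd + 16)[0]   # central directory offset field
    if apk[cd_offset - 16:cd_offset] != APK_SIG_BLOCK_MAGIC:
        raise ValueError("APK Signing Block magic not found before central directory")
    size = struct.unpack_from("<Q", apk, cd_offset - 24)[0]
    block_start = cd_offset - size - 8
    if block_start < 0 or struct.unpack_from("<Q", apk, block_start)[0] != size:
        raise ValueError("APK Signing Block size fields disagree")
    return block_start, cd_offset, eocd


def parse_pairs(apk: bytes, block_start: int, cd_offset: int) -> dict:
    """Parse the ID-value pairs: each is [u64 length][u32 ID][value], length covering ID + value."""
    pairs = {}
    pos, end = block_start + 8, cd_offset - 24
    while pos < end:
        length = struct.unpack_from("<Q", apk, pos)[0]
        pair_id = struct.unpack_from("<I", apk, pos + 8)[0]
        if length < 4 or pos + 8 + length > end:
            raise ValueError("malformed ID-value pair")
        pairs[pair_id] = apk[pos + 12:pos + 8 + length]
        pos += 8 + length
    return pairs


def build_sig_block(pairs: dict) -> bytes:
    """Serialise the pairs into a well-formed APK Signing Block (insertion order preserved)."""
    body = b"".join(struct.pack("<QI", 4 + len(v), k) + v for k, v in pairs.items())
    size = len(body) + 8 + len(APK_SIG_BLOCK_MAGIC)   # pairs + trailing size field + magic
    return struct.pack("<Q", size) + body + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC


def rewrite_sig_block(apk: bytes, pairs: dict) -> bytes:
    """Replace the signing block and shift the EOCD central directory offset by the size change."""
    block_start, cd_offset, eocd = locate_sig_block(apk)
    new_block = build_sig_block(pairs)
    delta = len(new_block) - (cd_offset - block_start)
    new_eocd = bytearray(apk[eocd:])
    struct.pack_into("<I", new_eocd, 16, cd_offset + delta)
    return apk[:block_start] + new_block + apk[cd_offset:eocd] + bytes(new_eocd)


def add_acquirer_info(apk: bytes, info: bytes) -> bytes:
    """Step S2: insert the acquirer signature information as a custom ID-value pair."""
    block_start, cd_offset, _ = locate_sig_block(apk)
    pairs = parse_pairs(apk, block_start, cd_offset)
    if ACQUIRER_ID in pairs:
        raise ValueError("acquirer pair already present")
    pairs[ACQUIRER_ID] = info
    return rewrite_sig_block(apk, pairs)


def strip_acquirer_info(apk: bytes):
    """Step S3: copy the signature information out by ID, delete the pair, restore the original APK."""
    block_start, cd_offset, _ = locate_sig_block(apk)
    pairs = parse_pairs(apk, block_start, cd_offset)
    info = pairs.pop(ACQUIRER_ID)
    return rewrite_sig_block(apk, pairs), info


def make_sample_apk() -> bytes:
    """Constructed stand-in for a v2-signed APK (not a real archive): fake local entries,
    a signing block with a placeholder v2 pair, a fake central directory and an EOCD."""
    local_entries = b"PK\x03\x04" + b"\x00" * 40
    sig_block = build_sig_block({NATIVE_V2_ID: b"placeholder v2 signer block"})
    central_dir = b"PK\x01\x02" + b"\x00" * 42
    cd_offset = len(local_entries) + len(sig_block)
    eocd = EOCD_SIG + struct.pack("<HHHHIIH", 0, 0, 1, 1, len(central_dir), cd_offset, 0)
    return local_entries + sig_block + central_dir + eocd
```

Real apksigner output may also contain a padding pair that keeps the block 4 KiB aligned; this example rebuilds the block without re-padding, so the alignment would need restoring before use on such files.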
S4. The terminal 4 verifies the legitimacy of the signature information and of the original APK file and, once verification succeeds, installs the original APK file.
The terminal 4 verifying the legitimacy of the signature information and of the original APK file specifically includes:
The CA servers of the different manufacturers generate acquirer root public key certificates from the first public key issued by the acquirer according to their respective certificate generation mechanisms, and the acquirer root public key certificate is pre-installed in each manufacturer's terminals;
The terminal 4 verifies the legitimacy of the acquirer working public key certificate AcquirerWCRT in the signature information using the acquirer root public key certificate;
If verification succeeds, the terminal 4 extracts the second public key from the acquirer working public key certificate AcquirerWCRT, decrypts the acquirer signed data with the second public key and obtains the first hash value HASH1;
The terminal 4 computes a hash over the acquirer signature description information and the original APK file, obtaining the second hash value HASH2;
It is judged whether the second hash value is consistent with the first hash value; if so, the signed APK file obtained by the terminal 4 is proven legitimate and untampered, the vendor device has verified the signed APK file, and the terminal is allowed to install the original APK file;
Since the original APK file is an APK file that has already been natively signed, when the terminal 4 installs the original APK file the operating system of the terminal 4 also needs to verify the legitimacy of the natively signed APK file, i.e. the native signature verification process of the terminal 4, which specifically includes:
Extract the native signature data from the APK Signing Block and restore the APK file as it was before native signing;
Verify the legitimacy of the native signature data and of the APK file before native signing and, once verification succeeds, install that APK file.
Embodiment two
Referring to Fig. 2, an APK signature authentication system 7 includes an acquirer 1 and a terminal 4. The acquirer 1 includes a first memory 2, a first processor 3 and a first computer program stored in the first memory 2 and runnable on the first processor 3; the terminal 4 includes a second memory 5, a second processor 6 and a second computer program stored in the second memory 5 and runnable on the second processor 6, characterised in that
the first processor 3, when executing the first computer program, performs the following steps:
S1: sign the original APK file and generate signing information.
Specifically, acquirer 1 calls an encryption device to generate a first public/private key pair and a second public/private key pair. Acquirer 1 signs the second public key with the first private key to produce the acquirer work public key certificate AcquirerWCRT, and distributes the first public key, which corresponds to AcquirerWCRT, to the CA servers of the different vendors;
acquirer 1 takes the original APK file together with the acquirer signature description information as the data to be signed, SourceData, and computes a hash over SourceData, obtaining the first hash value HASH1;
acquirer 1 pads HASH1 according to the PKCS#1 v1.5 signature padding scheme, obtaining the padded data PAD_data;
acquirer 1 retrieves from a secure storage medium the second private key corresponding to AcquirerWCRT and encrypts (signs) the padded data with it, obtaining the acquirer signed data Signature;
the acquirer signature description information, the acquirer signed data Signature, the acquirer work public key certificate AcquirerWCRT and the signature file header are concatenated to form the acquirer's signing information. Its data format is shown in Fig. 3: the acquirer signature description information is of variable length and describes the acquirer signed data; the acquirer signed data is 256 bytes long and is the result of signing the original APK file; the acquirer work public key certificate is of variable length and is the acquirer's work public key certificate used for the signature; the signature file header is of variable length, but no more than 1 KB, and identifies the signature file type and the offset and length of the acquirer signed data so that the signed data can be located;
S2: add a custom ID-value pair to the APK Signing Block, insert the signing information into that custom ID-value pair, and generate the signed APK file.
Following the APK Signing Block format, a custom ID-value pair is added to the APK Signing Block and the signing information is inserted into it; the block length of the original APK file's APK Signing Block and its End of Central Directory (EOCD) record are then adjusted accordingly: the block length of the APK Signing Block is increased by the size of the custom ID-value pair, and the central directory offset in the EOCD record is increased by the same amount, producing the signed APK file;
Fig. 4 shows how the format of an APK file that has not been natively signed changes after the native signature and then the acquirer signature are applied in turn;
as Fig. 4 shows, after acquirer 1 signs the natively (V2) signed APK file, the structure of the natively signed APK file is unchanged: the signing information is carried in a custom ID-value pair inside the APK Signing Block;
the second processor 6, when executing the second computer program, performs the following steps:
S3: obtain the signed APK file, extract the signing information and restore the original APK file.
Specifically, the signing information is copied out of the custom ID-value pair in the APK Signing Block, located by its ID; the custom ID-value pair is then deleted from the APK Signing Block, and the block length of the APK file's APK Signing Block and its EOCD record are adjusted accordingly: the block length of the APK Signing Block is reduced by the size of the custom ID-value pair, and the central directory offset in the EOCD record is reduced by the same amount, which restores the original APK file;
the ID of the native APK signature is fixed at 0x7109871a; to avoid a collision with it, the ID of the signing information may be defined as 0x71536966 or any other value, provided it does not conflict with the native signature ID;
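The splice described in S2 and S3 (in both embodiments), as an added example that is not part of the patent text: it parses the ZIP End of Central Directory record, walks back to the APK Signing Block exactly as Android's v2 verifier does, appends an ID-value pair carrying the acquirer's signing information under ID 0x71536966, adjusts both size fields and the EOCD central-directory offset, and then reverses the operation to recover the original file byte for byte. The sample APK, the placeholder bytes standing in for the native v2 signature and the signing-information bytes are constructed for this example; the layout constants (the magic string, ID 0x7109871a, uint64-length-prefixed pairs) are those of the APK Signing Block format.

```python
import io
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
V2_SIGNATURE_ID = 0x7109871A   # fixed ID of Android's native v2 signature pair (as stated on the page)
ACQUIRER_ID = 0x71536966       # custom ID the text proposes; any value not colliding with native IDs works
EOCD_MAGIC = b"PK\x05\x06"

def find_eocd(apk: bytes) -> int:
    """Offset of the End of Central Directory record (22 bytes plus a comment of at most 65535 bytes)."""
    idx = apk.rfind(EOCD_MAGIC, max(0, len(apk) - 22 - 0xFFFF))
    if idx < 0:
        raise ValueError("no EOCD record")
    return idx

def cd_offset(apk: bytes, eocd: int) -> int:
    return struct.unpack_from("<I", apk, eocd + 16)[0]  # EOCD field: offset of start of central directory

def build_sig_block(pairs) -> bytes:
    """size || (uint64 len, uint32 id, value)* || size || magic; `size` excludes the leading size field."""
    body = b"".join(struct.pack("<QI", 4 + len(v), i) + v for i, v in pairs)
    size = len(body) + 8 + 16
    return struct.pack("<Q", size) + body + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC

def locate_sig_block(apk: bytes):
    """Walk EOCD -> central directory offset -> magic -> size fields, as the v2 verifier does."""
    eocd = find_eocd(apk)
    cd = cd_offset(apk, eocd)
    if cd < 32 or apk[cd - 16:cd] != APK_SIG_BLOCK_MAGIC:
        raise ValueError("no APK Signing Block in front of the central directory")
    size = struct.unpack_from("<Q", apk, cd - 24)[0]
    start = cd - size - 8
    if start < 0 or struct.unpack_from("<Q", apk, start)[0] != size:
        raise ValueError("APK Signing Block size fields disagree")
    return start, cd, eocd

def list_pairs(apk: bytes):
    """All (id, value) pairs in the signing block, in file order."""
    start, cd, _ = locate_sig_block(apk)
    pairs, pos, end = [], start + 8, cd - 24
    while pos < end:
        length, pair_id = struct.unpack_from("<QI", apk, pos)
        pairs.append((pair_id, apk[pos + 12:pos + 8 + length]))
        pos += 8 + length
    if pos != end:
        raise ValueError("malformed ID-value sequence")
    return pairs

def rewrite_sig_block(apk: bytes, pairs) -> bytes:
    """Swap in a new signing block and move the EOCD's central-directory offset by the size change (S2/S3)."""
    start, cd, eocd = locate_sig_block(apk)
    block = build_sig_block(pairs)
    delta = len(block) - (cd - start)
    out = bytearray(apk[:start] + block + apk[cd:])
    struct.pack_into("<I", out, eocd + delta + 16, cd + delta)
    return bytes(out)

def add_acquirer_signature(apk: bytes, signing_info: bytes, pair_id: int = ACQUIRER_ID) -> bytes:
    pairs = list_pairs(apk)
    if any(i == pair_id for i, _ in pairs):
        raise ValueError("ID 0x%08x already present" % pair_id)
    return rewrite_sig_block(apk, pairs + [(pair_id, signing_info)])

def strip_acquirer_signature(apk: bytes, pair_id: int = ACQUIRER_ID):
    """Return (signing_info, original_apk): copy the custom pair out, drop it, fix block size and EOCD."""
    pairs = list_pairs(apk)
    found = [v for i, v in pairs if i == pair_id]
    if len(found) != 1:
        raise ValueError("expected exactly one pair with ID 0x%08x" % pair_id)
    return found[0], rewrite_sig_block(apk, [(i, v) for i, v in pairs if i != pair_id])

def zip_still_valid(apk: bytes) -> bool:
    """The ZIP reader must still find and CRC-check every entry after the splice."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        return z.testzip() is None

def make_sample_apk() -> bytes:
    """Constructed sample: a tiny ZIP plus a signing block whose v2 pair holds placeholder bytes
    (a real v2 pair carries signed digests; producing one is outside this example)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
    plain = buf.getvalue()
    eocd = find_eocd(plain)
    cd = cd_offset(plain, eocd)
    block = build_sig_block([(V2_SIGNATURE_ID, b"placeholder for the native v2 signature")])
    out = bytearray(plain[:cd] + block + plain[cd:])
    struct.pack_into("<I", out, eocd + len(block) + 16, cd + len(block))
    return bytes(out)

if __name__ == "__main__":
    original = make_sample_apk()
    signed = add_acquirer_signature(original, b"constructed acquirer signing info")
    print([hex(i) for i, _ in list_pairs(signed)], zip_still_valid(signed))
    info, restored = strip_acquirer_signature(signed)
    print(info, restored == original)
```

The v2 signature covers the ZIP entries, the central directory and an EOCD record whose offset field is replaced by the signing block's own offset, so adding or removing a pair changes none of the signed bytes; that is why the native verifier is unaffected. A verifier that locates the block this way should reject a file whose two size fields disagree or whose pairs overrun the block, as the example does, and should refuse a duplicate custom ID rather than silently picking one of them.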
S4: verify the validity of the signing information and the original APK file and, once verification passes, install the original APK file.
Here, verifying the signing information and the original APK file specifically includes:
the CA server of each vendor generates an acquirer root public key certificate from the first public key issued by the acquirer, following that vendor's own certificate generation mechanism, and the acquirer root public key certificate is pre-installed in that vendor's terminals;
terminal 4 uses the acquirer root public key certificate to verify the validity of the acquirer work public key certificate AcquirerWCRT carried in the signing information;
if that verification passes, terminal 4 extracts the second public key from AcquirerWCRT and uses it to decrypt the acquirer signed data, obtaining the first hash value HASH1;
terminal 4 computes a hash over the acquirer signature description information and the original APK file, obtaining the second hash value HASH2;
terminal 4 checks whether HASH2 equals HASH1; if they are equal, the signed APK file obtained by terminal 4 is proven legitimate and untampered, the vendor device has verified the signed APK file, and terminal 4 is allowed to install the original APK file.
Because the original APK file is itself an APK file that already carries the native signature, when terminal 4 installs it the operating system of terminal 4 must also verify the validity of the natively signed APK file. This native signature verification by the terminal specifically includes:
extracting the native signed data from the APK Signing Block and recovering the APK content as it was before native signing;
verifying the native signed data against that content and, once verification passes, installing the APK file.
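An end-to-end run of S1 and S4, added here as an example and not taken from the patent: two RSA-2048 key pairs (the 256-byte Signature field implies a 2048-bit modulus), a work certificate consisting of the second public key signed by the first private key standing in for AcquirerWCRT, PKCS#1 v1.5 padding of HASH1 as the page describes, and a terminal-side check that verifies the work certificate against the root key, recovers the padded block with the public key and compares it with a freshly computed HASH2. The certificate encoding, the header layout, the SourceData ordering (description followed by APK), the description string and the APK stand-in bytes are assumptions of this example; a deployment would use X.509 certificates and a vetted library. Pure standard-library Python is used so the padding step is visible, not as a substitute for a production RSA implementation.

```python
import hashlib, hmac, math, secrets, struct  # standard library only; no third-party crypto package needed

E = 65537  # public exponent shared by both key pairs
SHA256_DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")  # DER DigestInfo prefix (RFC 8017, 9.2)
SMALL_PRIMES = [p for p in range(3, 2000, 2) if all(p % q for q in range(3, int(p ** 0.5) + 1, 2))]
INFO_MAGIC = b"ACQS"  # assumed "signature file type" tag; the page names the field but not its value
HEADER_LEN = 16       # magic + three uint32 lengths; an assumed fixed layout (the page only caps it at 1 KB)

def modlen(n: int) -> int:
    return (n.bit_length() + 7) // 8

def is_probable_prime(n: int, rounds: int = 24) -> bool:  # trial division, then Miller-Rabin
    if n < 2 or any(n % p == 0 and n != p for p in SMALL_PRIMES):
        return False
    r = ((n - 1) & -(n - 1)).bit_length() - 1  # write n - 1 = d * 2**r with d odd
    d = (n - 1) >> r
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def rsa_keygen(bits: int = 2048):
    """Return ((n, e), (n, d)); 2048 bits gives the 256-byte Signature field the page describes."""
    def prime(b):
        while True:
            c = secrets.randbits(b) | (3 << (b - 2)) | 1  # top two bits set, so n is exactly `bits` long
            if is_probable_prime(c):
                return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(E, phi) == 1:
            return (p * q, E), (p * q, pow(E, -1, phi))  # modular inverse via pow() needs Python 3.8+

def pkcs1_v15_encode(digest: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 (the page's PAD_data): 00 01 FF..FF 00 DigestInfo, exactly k = modulus-length bytes."""
    t = SHA256_DIGEST_INFO + digest
    if k < len(t) + 11:
        raise ValueError("modulus too small for PKCS#1 v1.5")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sign(priv, digest: bytes) -> bytes:
    n, d = priv
    return pow(int.from_bytes(pkcs1_v15_encode(digest, modlen(n)), "big"), d, n).to_bytes(modlen(n), "big")

def rsa_verify(pub, digest: bytes, sig: bytes) -> bool:  # compare the WHOLE encoded block, not just the hash tail
    n, e = pub
    s = int.from_bytes(sig, "big")
    if len(sig) != modlen(n) or s >= n:
        return False
    return hmac.compare_digest(pow(s, e, n).to_bytes(modlen(n), "big"), pkcs1_v15_encode(digest, modlen(n)))

def issue_work_cert(root_priv, work_pub) -> bytes:  # AcquirerWCRT stand-in: work modulus signed by root key; not X.509
    body = work_pub[0].to_bytes(modlen(work_pub[0]), "big")
    return body + rsa_sign(root_priv, hashlib.sha256(body).digest())

def verify_work_cert(root_pub, cert: bytes):  # work public key if the cert verifies under the pre-installed root, else None
    k = modlen(root_pub[0])
    body, sig = cert[:-k], cert[-k:]
    if not body or not rsa_verify(root_pub, hashlib.sha256(body).digest(), sig):
        return None
    return int.from_bytes(body, "big"), E

def build_signing_info(description: bytes, apk: bytes, work_priv, work_cert: bytes) -> bytes:
    """S1: sign HASH1 of SourceData = description || APK (order assumed), then lay out the fields in the
    order Fig. 3 lists them: description || Signature || AcquirerWCRT || header (lengths locate the Signature)."""
    signature = rsa_sign(work_priv, hashlib.sha256(description + apk).digest())
    return description + signature + work_cert + INFO_MAGIC + struct.pack(
        "<III", len(description), len(signature), len(work_cert))

def verify_signing_info(root_pub, info: bytes, apk: bytes) -> bool:
    """S4 on the terminal: cert chain first, then recover HASH1 from Signature and compare it with HASH2."""
    dlen, slen, clen = struct.unpack("<III", info[-12:]) if len(info) >= HEADER_LEN else (0, 0, 0)
    if info[-HEADER_LEN:-12] != INFO_MAGIC or dlen + slen + clen + HEADER_LEN != len(info):
        return False
    description, signature, cert = info[:dlen], info[dlen:dlen + slen], info[dlen + slen:-HEADER_LEN]
    work_pub = verify_work_cert(root_pub, cert)
    return work_pub is not None and rsa_verify(work_pub, hashlib.sha256(description + apk).digest(), signature)

def demo(bits: int = 2048) -> dict:  # constructed end-to-end run with two failure cases
    root_pub, root_priv = rsa_keygen(bits)  # first key pair; its public half goes to the vendor CAs
    work_pub, work_priv = rsa_keygen(bits)  # second key pair; signs the APKs
    cert = issue_work_cert(root_priv, work_pub)
    apk, description = b"PK\x03\x04 constructed stand-in for the APK", b"acquirer=EXAMPLE;app=pos-demo"
    info = build_signing_info(description, apk, work_priv, cert)
    return {"signature_len": len(info) - len(description) - len(cert) - HEADER_LEN,
            "valid": verify_signing_info(root_pub, info, apk),
            "tampered_apk": verify_signing_info(root_pub, info, apk + b"\x00"),
            "wrong_root": verify_signing_info(work_pub, info, apk)}  # terminal provisioned with a wrong root

if __name__ == "__main__":
    print(demo())
```

The page describes verification as decrypting the signed data to obtain HASH1 and comparing it with HASH2. rsa_verify deliberately re-encodes HASH2 and compares the whole recovered PKCS#1 v1.5 block rather than only its final 32 bytes: a verifier that accepts any block whose tail matches the hash, without checking the leading 00 01 FF..FF 00 DigestInfo structure, belongs to a well-known class of signature-verification bugs. Key generation takes a few seconds in pure Python; the demo also shows that a terminal provisioned with the wrong root key rejects the work certificate before any APK hash is compared.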
In summary, the APK signature authentication method and system provided by the invention add a custom ID-value pair to the APK Signing Block and insert the signing information produced by signing the original APK file into that pair. This does not interfere with the native signature verification of the terminal operating system, works on Android 7.0 and later, and has good compatibility and wide applicability: the acquirer needs to produce only one signed APK file, which can then be downloaded to the payment terminals of every vendor and to other Android devices, reducing the acquirer's maintenance cost.
Claims (16)
- 1. An APK signature authentication method, characterised by comprising the steps: S1, signing the original APK file and generating signing information; S2, adding a custom ID-value pair to the APK Signing Block, inserting the signing information into the custom ID-value pair and generating the signed APK file; S3, the terminal obtaining the signed APK file, extracting the signing information and restoring the original APK file; S4, the terminal verifying the validity of the signing information and the original APK file and, once verification passes, installing the original APK file.
- 2. The APK signature authentication method according to claim 1, characterised in that step S2 specifically includes: following the APK Signing Block format, adding a custom ID-value pair to the APK Signing Block, inserting the signing information into the custom ID-value pair, and modifying accordingly the block length of the original APK file's APK Signing Block and its End of Central Directory record, generating the signed APK file.
- 3. The APK signature authentication method according to claim 2, characterised in that modifying the block length of the original APK file's APK Signing Block and its End of Central Directory record specifically includes: increasing the block length of the APK Signing Block by the size of the custom ID-value pair, and increasing the central directory offset in the End of Central Directory record by the size of the custom ID-value pair.
- 4. The APK signature authentication method according to claim 1, characterised in that extracting the signing information and restoring the original APK file in step S3 specifically includes: copying the signing information out of the custom ID-value pair in the APK Signing Block, located by its ID; deleting the custom ID-value pair from the APK Signing Block and modifying accordingly the block length of the APK file's APK Signing Block and its End of Central Directory record, restoring the original APK file.
- 5. The APK signature authentication method according to claim 4, characterised in that modifying the block length of the APK file's APK Signing Block and its End of Central Directory record specifically includes: reducing the block length of the APK Signing Block by the size of the custom ID-value pair, and reducing the central directory offset in the End of Central Directory record by the size of the custom ID-value pair.
- 6. The APK signature authentication method according to claim 1, characterised in that step S1 specifically includes: generating an acquirer work public key certificate and distributing the public key corresponding to the acquirer work public key certificate to the different vendors; taking the original APK file together with the acquirer signature description information as the data to be signed and computing a hash over the data to be signed, obtaining a first hash value; padding the first hash value, obtaining padded data; obtaining the private key corresponding to the acquirer work public key certificate and signing the padded data with that private key, obtaining acquirer signed data; generating signing information that includes the acquirer signature description information, the acquirer signed data and the acquirer work public key certificate.
- 7. The APK signature authentication method according to claim 6, characterised in that the terminal verifying the validity of the signing information and the original APK file in step S4 specifically includes: the terminal using the acquirer root public key certificate generated by the corresponding vendor from the public key to verify the validity of the acquirer work public key certificate in the signing information; if verification passes, extracting the second public key from the acquirer work public key certificate and decrypting the acquirer signed data with the second public key, obtaining the first hash value; computing a hash over the acquirer signature description information and the original APK file, obtaining a second hash value; checking whether the second hash value equals the first hash value and, if so, verification passes.
- 8. The APK signature authentication method according to claim 6, characterised in that the terminal installing the original APK file in step S4 includes: extracting the native signed data from the APK Signing Block and restoring the APK file that has not been natively signed; verifying the validity of the native signed data and the APK file that has not been natively signed and, once verification passes, installing the APK file that has not been natively signed.
- 9. An APK signature authentication system, comprising an acquirer and a terminal, the acquirer including a first memory, a first processor and a first computer program stored in the first memory and runnable on the first processor, the terminal including a second memory, a second processor and a second computer program stored in the second memory and runnable on the second processor, characterised in that the first processor, when executing the first computer program, performs the steps: S1, signing the original APK file and generating signing information; S2, adding a custom ID-value pair to the APK Signing Block, inserting the signing information into the custom ID-value pair and generating the signed APK file; and the second processor, when executing the second computer program, performs the steps: S3, obtaining the signed APK file, extracting the signing information and restoring the original APK file; S4, verifying the validity of the signing information and the original APK file and, once verification passes, installing the original APK file.
- 10. The APK signature authentication system according to claim 9, characterised in that step S2 specifically includes: following the APK Signing Block format, adding a custom ID-value pair to the APK Signing Block, inserting the signing information into the custom ID-value pair, and modifying accordingly the block length of the original APK file's APK Signing Block and its End of Central Directory record, generating the signed APK file.
- 11. The APK signature authentication system according to claim 10, characterised in that modifying the block length of the original APK file's APK Signing Block and its End of Central Directory record specifically includes: increasing the block length of the APK Signing Block by the size of the custom ID-value pair, and increasing the central directory offset in the End of Central Directory record by the size of the custom ID-value pair.
- 12. The APK signature authentication system according to claim 9, characterised in that extracting the signing information and restoring the original APK file in step S3 specifically includes: copying the signing information out of the custom ID-value pair in the APK Signing Block, located by its ID; deleting the custom ID-value pair from the APK Signing Block and modifying accordingly the block length of the APK file's APK Signing Block and its End of Central Directory record, restoring the original APK file.
- 13. The APK signature authentication system according to claim 12, characterised in that modifying the block length of the APK file's APK Signing Block and its End of Central Directory record specifically includes: reducing the block length of the APK Signing Block by the size of the custom ID-value pair, and reducing the central directory offset in the End of Central Directory record by the size of the custom ID-value pair.
- 14. The APK signature authentication system according to claim 9, characterised in that step S1 specifically includes: generating an acquirer work public key certificate and distributing the public key corresponding to the acquirer work public key certificate to the different vendors; taking the original APK file together with the acquirer signature description information as the data to be signed and computing a hash over the data to be signed, obtaining a first hash value; padding the first hash value, obtaining padded data; obtaining the private key corresponding to the acquirer work public key certificate and signing the padded data with that private key, obtaining acquirer signed data; generating signing information that includes the acquirer signature description information, the acquirer signed data and the acquirer work public key certificate.
- 15. The APK signature authentication system according to claim 14, characterised in that verifying the validity of the signing information and the original APK file in step S4 specifically includes: using the acquirer root public key certificate generated by the corresponding vendor from the public key to verify the validity of the acquirer work public key certificate in the signing information; if verification passes, extracting the second public key from the acquirer work public key certificate and decrypting the acquirer signed data with the second public key, obtaining the first hash value; computing a hash over the acquirer signature description information and the original APK file, obtaining a second hash value; checking whether the second hash value equals the first hash value and, if so, verification passes.
- 16. The APK signature authentication system according to claim 9, characterised in that installing the original APK file in step S4 includes: extracting the native signed data from the APK Signing Block and restoring the APK file that has not been natively signed; verifying the validity of the native signed data and the APK file that has not been natively signed and, once verification passes, installing the APK file that has not been natively signed.
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2017/108082 WO2019080110A1 (en) | 2017-10-27 | 2017-10-27 | Apk signature authentication method and system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107980132A true CN107980132A (en) | 2018-05-01 |
Family
ID=62006087
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201780001458.0A Pending CN107980132A (en) | 2017-10-27 | 2017-10-27 | APK signature authentication method and system |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN107980132A (en) |
WO (1) | WO2019080110A1 (en) |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20140011021A (en) * | 2012-06-11 | 2014-01-28 | 김정현 | Method for preventing unauthorized copying of the android platform-based applications and inserting digital watermarking in order to track the first clone |
CN105391717A (en) * | 2015-11-13 | 2016-03-09 | 福建联迪商用设备有限公司 | APK signature authentication method and APK signature authentication system |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR101740256B1 (en) * | 2012-11-26 | 2017-06-09 | 한국전자통신연구원 | Apparatus for mobile app integrity assurance and method thereof |
CN104156638B (en) * | 2014-06-06 | 2018-04-20 | 国家计算机网络与信息安全管理中心 | Implementation method of extended signature for Android system software |
2017
- 2017-10-27 WO PCT/CN2017/108082 patent/WO2019080110A1/en active Application Filing
- 2017-10-27 CN CN201780001458.0A patent/CN107980132A/en active Pending
Non-Patent Citations (2)
Title |
---|
建帅, "新一代开源Android渠道包生成工具Walle" (Walle, a new-generation open-source Android channel-package generation tool), HTTPS://TECH.MEITUAN.COM/2017/01/13/ANDROIDAPK-V2-SIGNATURE-SCHEME.HTML * |
李涛, "Android新一代多渠道打包神器" (Android's new-generation multi-channel packaging tool), HTTPS://ZHUANLAN.ZHIHU.COM/P/26546894 * |
Cited By (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108875082B (en) * | 2018-07-17 | 2021-01-01 | 奇安信科技集团股份有限公司 | High-capacity data read-write processing method and device |
CN108875082A (en) * | 2018-07-17 | 2018-11-23 | 北京奇安信科技有限公司 | High-capacity data read-write processing method and device |
CN109756340A (en) * | 2018-12-03 | 2019-05-14 | 深圳市新国都支付技术有限公司 | Digital signature verification method, device and storage medium |
CN109756340B (en) * | 2018-12-03 | 2022-10-21 | 深圳市新国都支付技术有限公司 | Digital signature verification method, device and storage medium |
CN110224485A (en) * | 2019-05-17 | 2019-09-10 | 中国电力科学研究院有限公司 | Intelligent distribution transformer terminal software management system |
CN111240735A (en) * | 2020-01-17 | 2020-06-05 | 北京小米移动软件有限公司 | Application packaging method, application packaging device and storage medium |
CN111240735B (en) * | 2020-01-17 | 2023-11-28 | 北京小米移动软件有限公司 | Application packaging method, application packaging device and storage medium |
CN111787529A (en) * | 2020-07-17 | 2020-10-16 | 江苏海全科技有限公司 | Signature method and system suitable for Android intelligent POS machine application |
CN112306512A (en) * | 2020-11-09 | 2021-02-02 | 武汉天喻信息产业股份有限公司 | Method and system for downloading and installing APK (Android package) file based on CCID protocol |
CN112306512B (en) * | 2020-11-09 | 2023-12-26 | 武汉天喻信息产业股份有限公司 | Method and system for downloading and installing APK file based on CCID protocol |
CN112560017A (en) * | 2020-12-21 | 2021-03-26 | 福建新大陆支付技术有限公司 | Method for realizing APK unified signature by using three-level certificate authentication |
CN112560017B (en) * | 2020-12-21 | 2022-12-06 | 福建新大陆支付技术有限公司 | Method for realizing APK unified signature by using three-level certificate authentication |
CN113407912A (en) * | 2021-04-16 | 2021-09-17 | 江苏先安科技有限公司 | Third-party countersignature and verification method based on the V2 or V3 signature mechanism |
Also Published As
Publication number | Publication date |
---|---|
WO2019080110A1 (en) | 2019-05-02 |
Similar Documents
Publication | Title |
---|---|
CN105391717B (en) | APK signature authentication method and system |
CN107980132A (en) | APK signature authentication method and system |
CN103905207B (en) | Method and system for unifying APK signature |
CN105787357B (en) | Android-based APK download method and system |
CN107194242B (en) | Firmware upgrade method and device |
CN103944903B (en) | Multi-party authorized APK signature method and system |
CN107463806B (en) | Signature and signature verification method for Android application program installation package |
CN103685138B (en) | Authentication method and system for Android platform application software in the mobile Internet |
CN107769924B (en) | Method and system for verifying APK signature of POS machine |
CN104156638B (en) | Implementation method of extended signature for Android system software |
CN102685727B (en) | Method for transmitting and operating application program, system for operating application program, server and terminal |
CN104426658B (en) | Method and device for authenticating an application on a mobile terminal |
CN104537293A (en) | Authentication device and system |
CN110362990A (en) | Security processing method, apparatus and system for application installation |
CN103269271A (en) | Method and system for backing up the private key in an electronic signature token |
CN106789075B (en) | POS digital signature anti-cutting system |
CN112560017B (en) | Method for realizing APK unified signature by using three-level certificate authentication |
CN105320900A (en) | PDF digital signature method and system and PDF digital signature verification method and system |
CN107301343A (en) | Secure data processing method, device and electronic equipment |
CN102663292A (en) | Method and system for realizing smart card application and deployment |
CN109756340B (en) | Digital signature verification method, device and storage medium |
CN109787768A (en) | Authentication configuration method, device and computer-readable storage medium |
CN108880789B (en) | Hardware product anti-counterfeiting tracing method, node equipment and system |
CN107994993B (en) | Application program detection method and device |
CN109670289A (en) | Method and system for identifying the legitimacy of a background server |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
RJ01 | Rejection of invention patent application after publication |
Application publication date: 2018-05-01