CN107980132A - APK signature authentication method and system - Google Patents


Info

Publication number
CN107980132A
Authority
CN
China
Prior art keywords
apk
signature
acquirer
apk file
file
Legal status
Pending
Application number
CN201780001458.0A
Other languages
Chinese (zh)
Inventor
陈菲菲
孟陆强
彭波涛
江中杰
Current Assignee
Fujian Landi Commercial Equipment Co Ltd
Original Assignee
Fujian Landi Commercial Equipment Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Abstract

The present invention provides an APK signature authentication method and system. The original APK file is signed to generate signature information; a custom ID-value pair is added to the APK Signing Block and the signature information is inserted into that custom ID-value pair, generating the signed APK file; the terminal obtains the signed APK file, extracts the signature information and restores the original APK file; the terminal verifies the legitimacy of the signature information and of the original APK file, and after verification passes installs the original APK file. The scheme does not interfere with the native signature verification mechanism of the terminal operating system, is applicable to Android 7.0 and later, has good compatibility and wide applicability, and the acquirer need only generate one signed APK file to be able to download it to payment terminal manufacturer devices and other Android devices alike, which reduces the acquirer's maintenance cost.

Description

APK signature authentication method and system
Technical field
The present invention relates to the field of signature authentication, and in particular to an APK signature authentication method and system.
Background
Android is an open-source operating system based on the Linux kernel developed by Google; programs installed on it are all in the APK (Android Package) format. An APK file is in fact a ZIP archive and is broadly divided into three parts: the compressed file contents, the central directory describing the compressed entries, and the End of Central Directory (EOCD) record.
In the financial payment field, an acquirer usually purchases intelligent payment terminals from a payment terminal manufacturer and installs the acquirer's own programs on them; these programs are in APK form. The acquirer maintains a signed APK for the payment terminals of each manufacturer, and may also need to install the APK on other Android devices.
The applicant previously filed invention patent application No. 201510780639.0, which discloses an APK signature authentication method and system that adds signature information under the META-INF directory of the APK source file. That scheme works normally on systems before Android 7.0, but Android 7.0 introduced a new application signature scheme, APK Signature Scheme v2, i.e. the native V2 signature. The native V2 signature signs and verifies the whole APK data, so an APK signed with the native V2 scheme does not allow files to be inserted into the META-INF directory. The earlier scheme is therefore not applicable to Android 7.0 and later and must be improved to overcome this problem.
Summary of the invention
The technical problem to be solved by the invention is to provide an APK signature authentication method and system that are compatible with the native V2 signature mechanism of the terminal operating system, improve the compatibility of APK signature authentication, and can adapt to Android systems of different versions.
To solve the above technical problem, one technical solution adopted by the invention is:
An APK signature authentication method, comprising the steps of:
S1: signing the original APK file to generate signature information;
S2: adding a custom ID-value pair to the APK Signing Block, inserting the signature information into the custom ID-value pair, and generating the signed APK file;
S3: the terminal obtaining the signed APK file, extracting the signature information, and restoring the original APK file;
S4: the terminal verifying the legitimacy of the signature information and of the original APK file, and after verification passes, the terminal installing the original APK file.
To solve the above technical problem, another technical solution adopted by the invention is:
An APK signature authentication system, comprising an acquirer and a terminal, wherein the acquirer comprises a first memory, a first processor, and a first computer program stored in the first memory and executable on the first processor, and the terminal comprises a second memory, a second processor, and a second computer program stored in the second memory and executable on the second processor,
the first processor implementing the following steps when executing the first computer program:
S1: signing the original APK file to generate signature information;
S2: adding a custom ID-value pair to the APK Signing Block, inserting the signature information into the custom ID-value pair, and generating the signed APK file;
and the second processor implementing the following steps when executing the second computer program:
S3: obtaining the signed APK file, extracting the signature information, and restoring the original APK file;
S4: verifying the legitimacy of the signature information and of the original APK file, and after verification passes, installing the original APK file.
The beneficial effects of the invention are: a custom ID-value pair is added to the APK Signing Block, and the signature information produced by signing the original APK file is inserted into that custom ID-value pair. This does not interfere with the native signature verification mechanism of the terminal operating system, is applicable to Android 7.0 and later, and has good compatibility and wide applicability; the acquirer need only generate one signed APK file to be able to download it to payment terminal manufacturer devices and other Android devices alike, which reduces the acquirer's maintenance cost.
Brief description of the drawings
Fig. 1 is a flow chart of an APK signature authentication method according to an embodiment of the invention;
Fig. 2 is a structural diagram of an APK signature authentication system according to an embodiment of the invention;
Fig. 3 is a schematic diagram of the data format of the signature information according to an embodiment of the invention;
Fig. 4 is a schematic diagram of the file format of an APK file according to an embodiment of the invention after native V2 signing and after acquirer signing.
Reference numerals:
1, acquirer; 2, first memory; 3, first processor; 4, terminal; 5, second memory; 6, second processor; 7, APK signature authentication system.
Detailed description
The key design of the invention is: a custom ID-value pair is added to the APK Signing Block, and the signature information produced by signing the original APK file is inserted into that custom ID-value pair, without interfering with the native signature verification mechanism of the terminal operating system.
Referring to Fig. 1, an APK signature authentication method comprises the steps of:
S1: signing the original APK file to generate signature information;
S2: adding a custom ID-value pair to the APK Signing Block, inserting the signature information into the custom ID-value pair, and generating the signed APK file;
S3: the terminal obtaining the signed APK file, extracting the signature information, and restoring the original APK file;
S4: the terminal verifying the legitimacy of the signature information and of the original APK file, and after verification passes, the terminal installing the original APK file.
As can be seen from the above description, the beneficial effects of the invention are: a custom ID-value pair is added to the APK Signing Block, and the signature information produced by signing the original APK file is inserted into that custom ID-value pair. This does not interfere with the native signature verification mechanism of the terminal operating system, is applicable to Android 7.0 and later, and has good compatibility and wide applicability; the acquirer need only generate one signed APK file to be able to download it to payment terminal manufacturer devices and other Android devices alike, which reduces the acquirer's maintenance cost.
Further, step S2 specifically comprises:
according to the APK Signing Block format, adding a custom ID-value pair to the APK Signing Block, inserting the signature information into the custom ID-value pair, and correspondingly modifying the block length of the APK Signing Block and the EOCD record of the original APK file, to generate the signed APK file.
As can be seen from the above description, according to the APK Signing Block format a custom ID-value pair is added to the APK Signing Block, the signature information is inserted into it, and the block length of the APK Signing Block and the EOCD record of the original APK file are modified correspondingly to generate the signed APK file. Compared with the original APK file, the signed APK file differs only by the one custom ID-value pair added to the APK Signing Block; it still conforms to the APK file format of the native V2 signature and does not affect Android's native signature verification, so it can also be installed normally on devices running Android 7.0 and later.
Further, modifying the block length of the APK Signing Block and the EOCD record of the original APK file specifically comprises:
adding the size of the custom ID-value pair to the block length of the APK Signing Block, and adding the size of the custom ID-value pair to the central directory offset in the EOCD record.
As can be seen from the above description, since the APK file format is not changed and only a custom ID-value pair conforming to the APK Signing Block format is added to the APK Signing Block, with the signature information placed in that custom ID-value pair, only the data length of the APK Signing Block changes. It is therefore only necessary to adjust the block length of the APK Signing Block and the central directory offset in the EOCD record accordingly; the change is small and easy to perform.
Further, extracting the signature information and restoring the original APK file in step S3 specifically comprises:
copying the signature information out of the custom ID-value pair in the APK Signing Block according to its ID;
deleting the custom ID-value pair from the APK Signing Block, and correspondingly modifying the block length of the APK Signing Block and the EOCD record of the APK file, to restore the original APK file.
As can be seen from the above description, the signature information is copied out of the APK Signing Block according to its ID and deleted from the APK Signing Block, and the block length of the APK Signing Block and the EOCD record of the APK file are modified correspondingly to restore the original APK file. This both makes it possible to verify the original APK file and ensures that the original APK file can pass signature verification and be installed on the terminal.
Further, modifying the block length of the APK Signing Block and the EOCD record of the APK file specifically comprises:
subtracting the size of the custom ID-value pair from the block length of the APK Signing Block, and subtracting the size of the custom ID-value pair from the central directory offset in the EOCD record.
As can be seen from the above description, since only the data size of the APK Signing Block changes, after the signature information has been deleted from its position it is only necessary to modify the block length of the APK Signing Block and the central directory offset in the EOCD record, which is convenient and fast.
Further, step S1 specifically comprises:
generating an acquirer working public key certificate, and distributing the public key corresponding to the acquirer working public key certificate to the different manufacturers;
taking the original APK file together with the acquirer signature description as the data to be signed, and computing a hash over the data to be signed to obtain a first hash value;
padding the first hash value to obtain padded data;
obtaining the private key corresponding to the acquirer working public key certificate, and signing the padded data with that private key to obtain the acquirer signature data;
generating signature information comprising the acquirer signature description, the acquirer signature data and the acquirer working public key certificate.
Further, the terminal verifying the legitimacy of the signature information and of the original APK file in step S4 specifically comprises:
the terminal verifying the legitimacy of the acquirer working public key certificate in the signature information using the acquirer root public key certificate that the corresponding manufacturer generated from that public key;
if verification passes, extracting a second public key from the acquirer working public key certificate, and decrypting the acquirer signature data with the second public key to obtain the first hash value;
computing a hash over the acquirer signature description and the original APK file to obtain a second hash value;
judging whether the second hash value and the first hash value are consistent, and if so, verification passes.
As can be seen from the above description, the object of the acquirer signature is the original APK file. The acquirer uniformly generates the acquirer working public key certificate and distributes the public key corresponding to it to the different manufacturers; the CA server of each manufacturer generates an acquirer root public key certificate from that public key according to its own certificate generation algorithm; the terminal uses the acquirer root public key certificate to verify the legitimacy of the acquirer working public key certificate in the signature information, and after that passes, performs the corresponding signature verification using the public key uniformly distributed by the acquirer. This guarantees the integrity of the signed APK file during transmission and the legitimacy of the APK, and the acquirer need only maintain one signed file and one signature implementation mechanism for the terminal devices of different manufacturers, which greatly reduces the acquirer's maintenance cost for APK signing.
Further, the terminal installing the original APK file in step S4 comprises:
extracting the native signature data from the APK Signing Block and restoring the APK file without the native signature;
verifying the legitimacy of the native signature data and of the APK file without the native signature, and after verification passes, installing the APK file without the native signature.
As can be seen from the above description, the APK signature authentication method of the invention does not interfere with the native signature verification mechanism of the terminal operating system; the terminal can smoothly run the native signature verification mechanism and install the APK file without the native signature, giving good compatibility.
Referring to Fig. 2, an APK signature authentication system 7 comprises an acquirer 1 and a terminal 4. The acquirer 1 comprises a first memory 2, a first processor 3, and a first computer program stored in the first memory 2 and executable on the first processor 3; the terminal 4 comprises a second memory 5, a second processor 6, and a second computer program stored in the second memory 5 and executable on the second processor 6, characterised in that
the first processor 3 implements the following steps when executing the first computer program:
S1: signing the original APK file to generate signature information;
S2: adding a custom ID-value pair to the APK Signing Block, inserting the signature information into the custom ID-value pair, and generating the signed APK file;
and the second processor 6 implements the following steps when executing the second computer program:
S3: obtaining the signed APK file, extracting the signature information, and restoring the original APK file;
S4: verifying the legitimacy of the signature information and of the original APK file, and after verification passes, installing the original APK file.
As can be seen from the above description, the beneficial effects of the invention are: a custom ID-value pair is added to the APK Signing Block, and the signature information produced by signing the original APK file is inserted into that custom ID-value pair. This does not interfere with the native signature verification mechanism of the terminal operating system, is applicable to Android 7.0 and later, and has good compatibility and wide applicability; the acquirer need only generate one signed APK file to be able to download it to payment terminal manufacturer devices and other Android devices alike, which reduces the acquirer's maintenance cost.
Further, step S2 specifically comprises:
according to the APK Signing Block format, adding a custom ID-value pair to the APK Signing Block, inserting the signature information into the custom ID-value pair, and correspondingly modifying the block length of the APK Signing Block and the EOCD record of the original APK file, to generate the signed APK file.
As can be seen from the above description, according to the APK Signing Block format a custom ID-value pair is added to the APK Signing Block, the signature information is inserted into it, and the block length of the APK Signing Block and the EOCD record of the original APK file are modified correspondingly to generate the signed APK file. Compared with the original APK file, the signed APK file differs only by the one custom ID-value pair added to the APK Signing Block; it still conforms to the APK file format of the native V2 signature and does not affect Android's native signature verification, so it can also be installed normally on devices running Android 7.0 and later.
Further, modifying the block length of the APK Signing Block and the EOCD record of the original APK file specifically comprises:
adding the size of the custom ID-value pair to the block length of the APK Signing Block, and adding the size of the custom ID-value pair to the central directory offset in the EOCD record.
As can be seen from the above description, since the APK file format is not changed and only a custom ID-value pair conforming to the APK Signing Block format is added to the APK Signing Block, with the signature information placed in that custom ID-value pair, only the data length of the APK Signing Block changes. It is therefore only necessary to adjust the block length of the APK Signing Block and the central directory offset in the EOCD record accordingly; the change is small and easy to perform.
Further, extracting the signature information and restoring the original APK file in step S3 specifically comprises:
copying the signature information out of the custom ID-value pair in the APK Signing Block according to its ID;
deleting the custom ID-value pair from the APK Signing Block, and correspondingly modifying the block length of the APK Signing Block and the EOCD record of the APK file, to restore the original APK file.
As can be seen from the above description, the signature information is copied out of the APK Signing Block according to its ID and deleted from the APK Signing Block, and the block length of the APK Signing Block and the EOCD record of the APK file are modified correspondingly to restore the original APK file. This both makes it possible to verify the original APK file and ensures that the original APK file can pass signature verification and be installed on the terminal.
Further, modifying the block length of the APK Signing Block and the EOCD record of the APK file specifically comprises:
subtracting the size of the custom ID-value pair from the block length of the APK Signing Block, and subtracting the size of the custom ID-value pair from the central directory offset in the EOCD record.
As can be seen from the above description, since only the data size of the APK Signing Block changes, after the signature information has been deleted from its position it is only necessary to modify the block length of the APK Signing Block and the central directory offset in the EOCD record, which is convenient and fast.
Further, step S1 specifically comprises:
generating an acquirer working public key certificate, and distributing the public key corresponding to the acquirer working public key certificate to the different manufacturers;
taking the original APK file together with the acquirer signature description as the data to be signed, and computing a hash over the data to be signed to obtain a first hash value;
padding the first hash value to obtain padded data;
obtaining the private key corresponding to the acquirer working public key certificate, and signing the padded data with that private key to obtain the acquirer signature data;
generating signature information comprising the acquirer signature description, the acquirer signature data and the acquirer working public key certificate.
Further, verifying the legitimacy of the signature information and of the original APK file in step S4 specifically comprises:
verifying the legitimacy of the acquirer working public key certificate in the signature information using the acquirer root public key certificate that the corresponding manufacturer generated from that public key;
if verification passes, extracting a second public key from the acquirer working public key certificate, and decrypting the acquirer signature data with the second public key to obtain the first hash value;
computing a hash over the acquirer signature description and the original APK file to obtain a second hash value;
judging whether the second hash value and the first hash value are consistent, and if so, verification passes.
As can be seen from the above description, the object of the acquirer signature is the original APK file. The acquirer uniformly generates the acquirer working public key certificate and distributes the public key corresponding to it to the different manufacturers; the CA server of each manufacturer generates an acquirer root public key certificate from that public key according to its own certificate generation algorithm; the terminal uses the acquirer root public key certificate to verify the legitimacy of the acquirer working public key certificate in the signature information, and after that passes, performs the corresponding signature verification using the public key uniformly distributed by the acquirer. This guarantees the integrity of the signed APK file during transmission and the legitimacy of the APK, and the acquirer need only maintain one signed file and one signature implementation mechanism for the terminal devices of different manufacturers, which greatly reduces the acquirer's maintenance cost for APK signing.
Further, installing the original APK file in step S4 comprises:
extracting the native signature data from the APK Signing Block and restoring the APK file without the native signature;
verifying the legitimacy of the native signature data and of the APK file without the native signature, and after verification passes, installing the APK file without the native signature.
As can be seen from the above description, the APK signature authentication system of the invention does not interfere with the native signature verification mechanism of the terminal operating system; the terminal can smoothly run the native signature verification mechanism and install the APK file without the native signature, giving good compatibility.
Embodiment 1
Referring to Fig. 1, an APK signature authentication method comprises the steps of:
S1: signing the original APK file to generate signature information;
Specifically, the acquirer 1 calls a cryptographic device to generate a first public/private key pair and a second public/private key pair, signs the second public key with the first private key to generate the acquirer working public key certificate AcquirerWCRT, and distributes the first public key corresponding to the acquirer working public key certificate AcquirerWCRT to the CA servers of the different manufacturers;
the acquirer 1 takes the original APK file together with the acquirer signature description as the data to be signed, SourceData, and computes a hash over SourceData to obtain the first hash value HASH1;
the acquirer 1 pads the first hash value HASH1 according to the PKCS#1 v1.5 signature padding scheme to obtain the padded data PAD_data;
the acquirer 1 obtains the second private key corresponding to the acquirer working public key certificate from a secure storage medium, and signs (encrypts) the padded data with the second private key to obtain the acquirer signature data Signature;
the acquirer signature description, the acquirer signature data Signature, the acquirer working public key certificate AcquirerWCRT and a signature file header are concatenated to generate the acquirer's signature information, whose data format is shown in Fig. 3. The acquirer signature description is of variable length and describes the acquirer signature data; the acquirer signature data is 256 bytes long and is the result of signing the original APK file; the acquirer working public key certificate is of variable length and is the institution working public key certificate used for signing; the signature file header is of variable length but no more than 1 KB, and identifies the signature file type and the data offset and length of the acquirer signature data, so that the acquirer signature data can be located;
S2: adding a custom ID-value pair to the APK Signing Block, inserting the signature information into the custom ID-value pair, and generating the signed APK file;
According to the APK Signing Block format, a custom ID-value pair is added to the APK Signing Block, the signature information is inserted into the custom ID-value pair, and the block length of the APK Signing Block and the EOCD record of the original APK file are modified correspondingly: specifically, the size of the custom ID-value pair is added to the block length of the APK Signing Block, and the size of the custom ID-value pair is added to the central directory offset in the EOCD record, generating the signed APK file;
Fig. 4 shows how the APK file format changes as an APK file without a native signature undergoes, in turn, native signing and then acquirer signing;
As can be seen from Fig. 4, when the acquirer signs the APK file after native V2 signing, it does not change the structure of the natively signed APK file, but uses a custom ID-value pair in the APK Signing Block to carry the inserted signature information;
S3: the terminal 4 obtains the signed APK file, extracts the signature information, and restores the original APK file;
Specifically, the signature information is copied out of the custom ID-value pair in the APK Signing Block according to its ID; the custom ID-value pair is deleted from the APK Signing Block, and the block length of the APK Signing Block and the EOCD record of the APK file are modified correspondingly: specifically, the size of the custom ID-value pair is subtracted from the block length of the APK Signing Block, and the size of the custom ID-value pair is subtracted from the central directory offset in the EOCD record, restoring the original APK file;
The ID of the native APK signature is fixed at 0x7109871a; to avoid a conflict with it, the ID of the signature information may be defined as 0x71536966 or any other value, as long as it does not conflict with the ID of the native APK signature;
S4: the terminal 4 verifies the legitimacy of the signature information and of the original APK file, and after verification passes, the terminal installs the original APK file.
The terminal 4 verifying the legitimacy of the signature information and of the original APK file specifically comprises:
the CA server of each manufacturer generates an acquirer root public key certificate from the first public key issued by the acquirer according to its own certificate generation mechanism, and the acquirer root public key certificate is pre-installed in that manufacturer's terminals;
the terminal 4 verifies the legitimacy of the acquirer working public key certificate AcquirerWCRT in the signature information using the acquirer root public key certificate;
if verification passes, the terminal 4 extracts the second public key from the acquirer working public key certificate AcquirerWCRT, and decrypts the acquirer signature data with the second public key to obtain the first hash value HASH1;
the terminal 4 computes a hash over the acquirer signature description and the original APK file to obtain the second hash value HASH2;
it is judged whether the second hash value and the first hash value are consistent; if so, this proves that the signed APK file obtained by the terminal 4 is legitimate and has not been tampered with, the manufacturer's device has verified the signed APK file, and the terminal is allowed to install the original APK file;
Since the original APK file is the APK file after primary sign test, terminal 4 is described original in installation During APK file, the operating system of terminal 4 is also required to test the legitimacy of the APK file after the primary signature Card, the i.e. primary sign test process of terminal 4, specifically include:
Primary signed data is extracted from APK signaling blocks, is restored not by the APK file of primary signature;
Verify the primary signed data and described not by the legitimacy of the APK file of primary signature, after being verified, peace Not by the APK file of primary signature described in dress.
Embodiment two
Referring to Fig. 2, an APK signature authentication system 7 includes an acquirer 1 and a terminal 4. The acquirer 1 includes a first memory 2, a first processor 3 and a first computer program stored in the first memory 2 and runnable on the first processor 3; the terminal 4 includes a second memory 5, a second processor 6 and a second computer program stored in the second memory 5 and runnable on the second processor 6; it is characterized in that
the first processor 3 implements the following steps when executing the first computer program:
S1, sign the original APK file and generate signature information;
Specifically, the acquirer 1 calls an encryption device to generate a first public/private key pair and a second public/private key pair; the acquirer 1 signs the second public key with the first private key to generate the acquirer working public key certificate AcquirerWCRT, and distributes the first public key corresponding to the acquirer working public key certificate AcquirerWCRT to the CA servers of the different manufacturers;
The acquirer 1 takes the original APK file together with the acquirer signature description information as the data to be signed, SourceData, computes the hash of the data to be signed SourceData, and obtains the first hash value HASH1;
The acquirer 1 pads the first hash value HASH1 according to the PKCS#1 v1.5 signature padding scheme, and obtains the padded data PAD_data;
The acquirer 1 obtains the second private key corresponding to the acquirer working public key certificate from a secure storage medium, encrypts (signs) the padded data with the second private key, and obtains the acquirer signature data Signature;
The acquirer signature description information, the acquirer signature data Signature, the acquirer working public key certificate AcquirerWCRT and a signature file header are concatenated in that order to generate the acquirer's signature information, whose data format is shown in Fig. 3. Here, the acquirer signature description information is of variable length and describes the acquirer signature data; the acquirer signature data is 256 bytes long and is the result of signing the original APK file; the acquirer working public key certificate is of variable length and is the acquirer working public key certificate used for signing; the signature file header is of variable length but not more than 1k, and is used to identify the signature file type and to record the data offset and length of the acquirer signature data, so that the acquirer signature data can be located;
S2, add a custom ID-value pair to the APK Signing Block, insert the signature information into the custom ID-value pair, and generate the signed APK file;
According to the APK Signing Block format, a custom ID-value pair is added to the APK Signing Block, the signature information is inserted into the custom ID-value pair, and the block length of the APK Signing Block and the end-of-central-directory structure of the original APK file are modified accordingly: the block length of the APK Signing Block is increased by the size of the custom ID-value pair, and the central directory offset in the end-of-central-directory structure is increased by the size of the custom ID-value pair, which generates the signed APK file;
Fig. 4 shows how the format of an APK file that carries no native signature changes after it is given, in turn, the native signature and the acquirer signature;
It can be seen from Fig. 4 that, when signing the APK file that already carries the native V2 signature, the acquirer 1 does not change the structure of the natively signed APK file; it uses a custom ID-value pair in the APK Signing Block to carry the inserted signature information;
The second processor 6 implements the following steps when executing the second computer program:
S3, obtain the signed APK file, extract the signature information, and restore the original APK file;
Specifically, the signature information is copied out of the custom ID-value pair in the APK Signing Block according to its ID; the custom ID-value pair is then deleted from the APK Signing Block, and the block length of the APK Signing Block and the end-of-central-directory structure of the APK file are modified accordingly: the block length of the APK Signing Block is reduced by the size of the custom ID-value pair, and the central directory offset in the end-of-central-directory structure is reduced by the size of the custom ID-value pair, which restores the original APK file;
Here, the ID of the native APK signature is fixed at 0x7109871a; to avoid a conflict with it, the ID of the signature information may be defined as 0x71536966 or any other value, as long as it does not conflict with the ID of the native APK signature;
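The following is an added worked example of steps S2 and S3 as described above for both embodiments; it is not code from the patent or from the applicant. It builds a constructed stand-in for a V2-signed APK (placeholder zip entries, an APK Signing Block holding only the native 0x7109871a pair, a placeholder central directory and a real end-of-central-directory record), inserts the acquirer's signature information as a 0x71536966 ID-value pair while growing the block length and the central directory offset, and then reverses the operation. The signing block layout (uint64 size, ID-value pairs of uint64 length plus uint32 ID, uint64 size, 16-byte magic) and the EOCD layout are the public Android and ZIP formats; the sample bytes are constructed.

```python
import struct

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
EOCD_SIGNATURE = 0x06054B50
ID_APK_V2_SIGNATURE = 0x7109871A   # fixed ID of the native v2 signature pair
ID_ACQUIRER_SIGNATURE = 0x71536966  # non-conflicting ID proposed for the acquirer pair


def build_signing_block(pairs):
    """Serialize (id, value) pairs into an APK Signing Block.

    Layout: uint64 size | pairs (uint64 len, uint32 id, value) | uint64 size | magic.
    Both size fields exclude the leading size field itself.
    """
    body = b"".join(struct.pack("<QI", 4 + len(v), i) + v for i, v in pairs)
    size = len(body) + 8 + 16
    return struct.pack("<Q", size) + body + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC


def parse_signing_block(block):
    """Return the (id, value) pairs of a signing block after checking both size fields."""
    size_a, = struct.unpack_from("<Q", block, 0)
    assert len(block) == size_a + 8, "signing block size mismatch"
    size_b, = struct.unpack_from("<Q", block, len(block) - 24)
    assert size_a == size_b and block.endswith(APK_SIG_BLOCK_MAGIC), "bad trailer"
    pairs, pos, end = [], 8, len(block) - 24
    while pos < end:
        length, pair_id = struct.unpack_from("<QI", block, pos)
        pairs.append((pair_id, block[pos + 12:pos + 8 + length]))
        pos += 8 + length
    return pairs


def build_eocd(cd_size, cd_offset, entries=1):
    # signature, disk no., CD disk, entries on disk, total entries, CD size, CD offset, comment len
    return struct.pack("<IHHHHIIH", EOCD_SIGNATURE, 0, 0, entries, entries, cd_size, cd_offset, 0)


def split_apk(apk):
    """Split a v2-signed APK into (zip entries, signing block, central directory, EOCD)."""
    eocd_off = apk.rfind(struct.pack("<I", EOCD_SIGNATURE))
    _cd_size, cd_offset = struct.unpack_from("<II", apk, eocd_off + 12)
    # The signing block ends exactly where the central directory starts.
    block_size, = struct.unpack_from("<Q", apk, cd_offset - 24)
    block_start = cd_offset - block_size - 8
    assert apk[cd_offset - 16:cd_offset] == APK_SIG_BLOCK_MAGIC, "no signing block"
    return apk[:block_start], apk[block_start:cd_offset], apk[cd_offset:eocd_off], apk[eocd_off:]


def central_directory_offset(apk):
    eocd_off = apk.rfind(struct.pack("<I", EOCD_SIGNATURE))
    return struct.unpack_from("<I", apk, eocd_off + 16)[0]


def signing_block_offset(apk):
    """Offset of the signing block; v2 signs this value in place of the CD offset, so it must not move."""
    return len(split_apk(apk)[0])


def _patch_cd_offset(eocd, delta):
    cd_offset, = struct.unpack_from("<I", eocd, 16)
    return eocd[:16] + struct.pack("<I", cd_offset + delta) + eocd[20:]


def insert_acquirer_signature(apk, sig_info, pair_id=ID_ACQUIRER_SIGNATURE):
    """Step S2: append the custom pair, grow the block size, shift the CD offset forward."""
    contents, block, cd, eocd = split_apk(apk)
    pairs = parse_signing_block(block)
    assert all(i != pair_id for i, _ in pairs), "ID already in use"
    new_block = build_signing_block(pairs + [(pair_id, sig_info)])
    added = len(new_block) - len(block)  # == 8 + 4 + len(sig_info)
    return contents + new_block + cd + _patch_cd_offset(eocd, added)


def extract_acquirer_signature(apk, pair_id=ID_ACQUIRER_SIGNATURE):
    """Step S3: copy the pair out by ID, delete it, shrink the block and the CD offset."""
    contents, block, cd, eocd = split_apk(apk)
    pairs = parse_signing_block(block)
    sig_info = next(v for i, v in pairs if i == pair_id)
    new_block = build_signing_block([(i, v) for i, v in pairs if i != pair_id])
    removed = len(block) - len(new_block)
    return sig_info, contents + new_block + cd + _patch_cd_offset(eocd, -removed)


def make_sample_apk():
    """Constructed stand-in for a v2-signed APK (not a real, installable package)."""
    contents = b"PK\x03\x04" + b"classes.dex-bytes-placeholder" * 3
    block = build_signing_block([(ID_APK_V2_SIGNATURE, b"native-v2-signature-placeholder")])
    cd = b"PK\x01\x02" + b"central-directory-placeholder"
    eocd = build_eocd(len(cd), len(contents) + len(block))
    return contents + block + cd + eocd


if __name__ == "__main__":
    original = make_sample_apk()
    signed = insert_acquirer_signature(original, b"acquirer signature info")
    sig, restored = extract_acquirer_signature(signed)
    print(sig, restored == original, signing_block_offset(signed) == signing_block_offset(original))
```

The point a practitioner should take from this is the one the text makes about compatibility: the native V2 signature covers the EOCD with the central directory offset field replaced by the signing block offset, so adding a pair moves the central directory offset but not the signing block start, and the native verification keeps passing. The terminal must still strip the pair before doing its own comparison against the original file, which is what `extract_acquirer_signature` does.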
S4, verify the legitimacy of the signature information and of the original APK file, and after verification succeeds install the original APK file;
Here, verifying the legitimacy of the signature information and the original APK file specifically includes:
The CA servers of the different manufacturers generate an acquirer root public key certificate from the first public key issued by the acquirer, each according to its own certificate generation mechanism, and the acquirer root public key certificate is pre-installed in that manufacturer's terminals;
The terminal 4 verifies the legitimacy of the acquirer working public key certificate AcquirerWCRT contained in the signature information using the acquirer root public key certificate;
If verification succeeds, the terminal 4 extracts the second public key from the acquirer working public key certificate AcquirerWCRT, decrypts the acquirer signature data with the second public key, and obtains the first hash value HASH1;
The terminal 4 computes the hash of the acquirer signature description information together with the original APK file, and obtains the second hash value HASH2;
It is judged whether the second hash value and the first hash value are consistent; if they are, it is proven that the signed APK file obtained by the terminal 4 is legitimate and has not been tampered with, the manufacturer's device has verified the signed APK file, and the terminal 4 is allowed to install the original APK file;
Since the original APK file is an APK file that already carries the native signature, when the terminal 4 installs the original APK file the operating system of the terminal 4 must also verify the legitimacy of the natively signed APK file. This native signature verification process of the terminal specifically includes:
Extracting the native signature data from the APK Signing Block and restoring the APK file without the native signature;
Verifying the legitimacy of the native signature data and of the APK file without the native signature, and, after verification succeeds, installing the APK file without the native signature.
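The following is an added worked example of the acquirer side of step S1 and the terminal side of step S4 as described in both embodiments; it is not code from the patent or from the applicant. It assumes the `cryptography` package is installed and uses 2048-bit RSA with PKCS#1 v1.5 padding over SHA-256, which gives the 256-byte acquirer signature data the text specifies. Two simplifications are assumptions of this example rather than the page's format: the acquirer working public key certificate AcquirerWCRT is represented as the DER second public key followed by the first (root) private key's signature over it instead of an X.509 certificate, and the manufacturer's root public key certificate is represented by the raw DER root public key. The signature file header is also an assumed layout (a magic value plus the offset and length of the signature data), since the page only states what it must identify.

```python
import hashlib
import struct

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa, utils

# Assumed header layout: magic, offset of the signature data, its length.
HEADER_FMT = "<4sII"
HEADER_MAGIC = b"ACQS"
PREHASHED_SHA256 = utils.Prehashed(hashes.SHA256())


def generate_keys():
    """Acquirer: first (root) and second (working) RSA-2048 key pairs."""
    return rsa.generate_private_key(65537, 2048), rsa.generate_private_key(65537, 2048)


def public_der(key):
    return key.public_key().public_bytes(
        serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)


def make_working_cert(root_priv, work_priv):
    """Simplified stand-in for AcquirerWCRT: second public key signed by the first private key."""
    spki = public_der(work_priv)
    sig = root_priv.sign(spki, padding.PKCS1v15(), hashes.SHA256())
    return struct.pack("<I", len(spki)) + spki + sig


def verify_working_cert(root_pub_der, cert):
    """Terminal: check AcquirerWCRT with the pre-installed root key; raises InvalidSignature."""
    n, = struct.unpack_from("<I", cert, 0)
    spki, sig = cert[4:4 + n], cert[4 + n:]
    serialization.load_der_public_key(root_pub_der).verify(
        sig, spki, padding.PKCS1v15(), hashes.SHA256())
    return serialization.load_der_public_key(spki)


def source_hash(apk, description):
    """HASH over SourceData = original APK file || acquirer signature description information."""
    return hashlib.sha256(apk + description).digest()


def sign_apk(apk, description, work_priv, cert):
    """S1: HASH1 -> PKCS#1 v1.5 padding -> RSA with the second private key (256-byte Signature),
    then concatenate description || Signature || AcquirerWCRT || header."""
    signature = work_priv.sign(source_hash(apk, description), padding.PKCS1v15(), PREHASHED_SHA256)
    assert len(signature) == 256
    header = struct.pack(HEADER_FMT, HEADER_MAGIC, len(description), len(signature))
    return description + signature + cert + header


def parse_signing_info(info):
    """Locate the three variable parts using the offset/length recorded in the header."""
    hdr = struct.calcsize(HEADER_FMT)
    magic, off, n = struct.unpack_from(HEADER_FMT, info, len(info) - hdr)
    assert magic == HEADER_MAGIC, "unknown signature file type"
    return info[:off], info[off:off + n], info[off + n:len(info) - hdr]


def verify_apk(apk, info, root_pub_der):
    """S4: verify AcquirerWCRT first, then the signature against HASH2 over description and APK."""
    description, signature, cert = parse_signing_info(info)
    try:
        work_pub = verify_working_cert(root_pub_der, cert)
        # verify() recovers the padded HASH1 with the second public key and compares it to HASH2.
        work_pub.verify(signature, source_hash(apk, description), padding.PKCS1v15(), PREHASHED_SHA256)
    except InvalidSignature:
        return False
    return True


if __name__ == "__main__":
    root, work = generate_keys()
    cert = make_working_cert(root, work)
    apk = b"constructed original apk bytes"          # constructed sample input
    info = sign_apk(apk, b"acquirer description", work, cert)
    print(verify_apk(apk, info, public_der(root)), verify_apk(apk + b"x", info, public_der(root)))
```

The order of checks matters for the property the text describes: the working certificate is validated against the pre-installed root key before its public key is trusted for the file signature, so a signature file carrying an arbitrary certificate cannot pass. The terminal's comparison of HASH2 with the recovered HASH1 is performed inside `verify()`; a tampered file or a certificate from a different root both produce `InvalidSignature`.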
In summary, the APK signature authentication method and system provided by the invention add a custom ID-value pair to the APK Signing Block and insert the signature information produced by signing the original APK file into that custom ID-value pair. This does not interfere with the native signature verification mechanism of the terminal operating system, is applicable to systems at Android 7.0 and above, and has good compatibility and wide applicability; the acquirer need only generate one signed APK file, which can then be downloaded to payment terminal manufacturers' devices and to other Android devices, reducing the acquirer's maintenance cost.

Claims (16)

  1. An APK signature authentication method, characterized in that it includes the steps:
    S1, signing the original APK file and generating signature information;
    S2, adding a custom ID-value pair to the APK Signing Block, inserting the signature information into the custom ID-value pair, and generating the signed APK file;
    S3, the terminal obtaining the signed APK file, extracting the signature information, and restoring the original APK file;
    S4, the terminal verifying the legitimacy of the signature information and the original APK file, and, after verification succeeds, the terminal installing the original APK file.
  2. The APK signature authentication method according to claim 1, characterized in that
    the step S2 specifically includes:
    according to the APK Signing Block format, adding a custom ID-value pair to the APK Signing Block, inserting the signature information into the custom ID-value pair, and correspondingly modifying the block length of the APK Signing Block and the end-of-central-directory structure of the original APK file, to generate the signed APK file.
  3. The APK signature authentication method according to claim 2, characterized in that
    modifying the block length of the APK Signing Block and the end-of-central-directory structure of the original APK file specifically includes:
    increasing the block length of the APK Signing Block by the size of the custom ID-value pair, and increasing the central directory offset in the end-of-central-directory structure by the size of the custom ID-value pair.
  4. The APK signature authentication method according to claim 1, characterized in that
    extracting the signature information and restoring the original APK file in the step S3 specifically includes:
    copying the signature information out of the custom ID-value pair in the APK Signing Block according to its ID;
    deleting the custom ID-value pair from the APK Signing Block, and correspondingly modifying the block length of the APK Signing Block and the end-of-central-directory structure of the APK file, to restore the original APK file.
  5. The APK signature authentication method according to claim 4, characterized in that
    modifying the block length of the APK Signing Block and the end-of-central-directory structure of the APK file specifically includes:
    reducing the block length of the APK Signing Block by the size of the custom ID-value pair, and reducing the central directory offset in the end-of-central-directory structure by the size of the custom ID-value pair.
  6. The APK signature authentication method according to claim 1, characterized in that
    the step S1 specifically includes:
    generating an acquirer working public key certificate, and distributing the public key corresponding to the acquirer working public key certificate to the different manufacturers;
    taking the original APK file together with the acquirer signature description information as the data to be signed, computing the hash of the data to be signed, and obtaining a first hash value;
    padding the first hash value to obtain padded data;
    obtaining the private key corresponding to the acquirer working public key certificate, and signing the padded data with the private key to obtain acquirer signature data;
    generating signature information that includes the acquirer signature description information, the acquirer signature data and the acquirer working public key certificate.
  7. The APK signature authentication method according to claim 6, characterized in that
    the terminal verifying the legitimacy of the signature information and the original APK file in the step S4 specifically includes:
    the terminal verifying the legitimacy of the acquirer working public key certificate in the signature information using the acquirer root public key certificate generated by the corresponding manufacturer from the public key;
    if verification succeeds, extracting the second public key from the acquirer working public key certificate, decrypting the acquirer signature data with the second public key, and obtaining the first hash value;
    computing the hash of the acquirer signature description information together with the original APK file, and obtaining a second hash value;
    judging whether the second hash value and the first hash value are consistent, and if they are, verification succeeds.
  8. The APK signature authentication method according to claim 6, characterized in that
    the terminal installing the original APK file in the step S4 includes:
    extracting the native signature data from the APK Signing Block, and restoring the APK file without the native signature;
    verifying the legitimacy of the native signature data and the APK file without the native signature, and, after verification succeeds, installing the APK file without the native signature.
  9. An APK signature authentication system, including an acquirer and a terminal, the acquirer including a first memory, a first processor and a first computer program stored in the first memory and runnable on the first processor, and the terminal including a second memory, a second processor and a second computer program stored in the second memory and runnable on the second processor, characterized in that
    the first processor implements the following steps when executing the first computer program:
    S1, signing the original APK file and generating signature information;
    S2, adding a custom ID-value pair to the APK Signing Block, inserting the signature information into the custom ID-value pair, and generating the signed APK file;
    the second processor implements the following steps when executing the second computer program:
    S3, obtaining the signed APK file, extracting the signature information, and restoring the original APK file;
    S4, verifying the legitimacy of the signature information and the original APK file, and, after verification succeeds, installing the original APK file.
  10. The APK signature authentication system according to claim 9, characterized in that
    the step S2 specifically includes:
    according to the APK Signing Block format, adding a custom ID-value pair to the APK Signing Block, inserting the signature information into the custom ID-value pair, and correspondingly modifying the block length of the APK Signing Block and the end-of-central-directory structure of the original APK file, to generate the signed APK file.
  11. The APK signature authentication system according to claim 10, characterized in that
    modifying the block length of the APK Signing Block and the end-of-central-directory structure of the original APK file specifically includes:
    increasing the block length of the APK Signing Block by the size of the custom ID-value pair, and increasing the central directory offset in the end-of-central-directory structure by the size of the custom ID-value pair.
  12. The APK signature authentication system according to claim 9, characterized in that
    extracting the signature information and restoring the original APK file in the step S3 specifically includes:
    copying the signature information out of the custom ID-value pair in the APK Signing Block according to its ID;
    deleting the custom ID-value pair from the APK Signing Block, and correspondingly modifying the block length of the APK Signing Block and the end-of-central-directory structure of the APK file, to restore the original APK file.
  13. The APK signature authentication system according to claim 12, characterized in that
    modifying the block length of the APK Signing Block and the end-of-central-directory structure of the APK file specifically includes:
    reducing the block length of the APK Signing Block by the size of the custom ID-value pair, and reducing the central directory offset in the end-of-central-directory structure by the size of the custom ID-value pair.
  14. The APK signature authentication system according to claim 9, characterized in that
    the step S1 specifically includes:
    generating an acquirer working public key certificate, and distributing the public key corresponding to the acquirer working public key certificate to the different manufacturers;
    taking the original APK file together with the acquirer signature description information as the data to be signed, computing the hash of the data to be signed, and obtaining a first hash value;
    padding the first hash value to obtain padded data;
    obtaining the private key corresponding to the acquirer working public key certificate, and signing the padded data with the private key to obtain acquirer signature data;
    generating signature information that includes the acquirer signature description information, the acquirer signature data and the acquirer working public key certificate.
  15. The APK signature authentication system according to claim 14, characterized in that
    verifying the legitimacy of the signature information and the original APK file in the step S4 specifically includes:
    verifying the legitimacy of the acquirer working public key certificate in the signature information using the acquirer root public key certificate generated by the corresponding manufacturer from the public key;
    if verification succeeds, extracting the second public key from the acquirer working public key certificate, decrypting the acquirer signature data with the second public key, and obtaining the first hash value;
    computing the hash of the acquirer signature description information together with the original APK file, and obtaining a second hash value;
    judging whether the second hash value and the first hash value are consistent, and if they are, verification succeeds.
  16. The APK signature authentication system according to claim 9, characterized in that
    installing the original APK file in the step S4 includes:
    extracting the native signature data from the APK Signing Block, and restoring the APK file without the native signature;
    verifying the legitimacy of the native signature data and the APK file without the native signature, and, after verification succeeds, installing the APK file without the native signature.
CN201780001458.0A 2017-10-27 2017-10-27 A kind of APK signature authentications method and system Pending CN107980132A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2017/108082 WO2019080110A1 (en) 2017-10-27 2017-10-27 Apk signature authentication method and system

Publications (1)

Publication Number Publication Date
CN107980132A true CN107980132A (en) 2018-05-01

Family

ID=62006087

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201780001458.0A Pending CN107980132A (en) 2017-10-27 2017-10-27 A kind of APK signature authentications method and system

Country Status (2)

Country Link
CN (1) CN107980132A (en)
WO (1) WO2019080110A1 (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108875082A (en) * 2018-07-17 2018-11-23 北京奇安信科技有限公司 A kind of Large Volume Data read-write processing method and device
CN109756340A (en) * 2018-12-03 2019-05-14 深圳市新国都支付技术有限公司 A kind of number sign test method, apparatus and storage medium
CN110224485A (en) * 2019-05-17 2019-09-10 中国电力科学研究院有限公司 A kind of intelligence distribution transformer terminals software management system
CN111240735A (en) * 2020-01-17 2020-06-05 北京小米移动软件有限公司 Application packaging method, application packaging device and storage medium
CN111787529A (en) * 2020-07-17 2020-10-16 江苏海全科技有限公司 Signature method and system suitable for Android intelligent POS machine application
CN112306512A (en) * 2020-11-09 2021-02-02 武汉天喻信息产业股份有限公司 Method and system for downloading and installing APK (android package) file based on CCID (central control identity) protocol
CN112560017A (en) * 2020-12-21 2021-03-26 福建新大陆支付技术有限公司 Method for realizing APK unified signature by using three-level certificate authentication
CN113407912A (en) * 2021-04-16 2021-09-17 江苏先安科技有限公司 Third party countersignature and verification method based on V2 or V3 signature mechanism

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20140011021A (en) * 2012-06-11 2014-01-28 김정현 Method for preventing unauthorized copying of the android platform-based applications and inserting digital watermarking in order to track the first clone
CN105391717A (en) * 2015-11-13 2016-03-09 福建联迪商用设备有限公司 APK signature authentication method and APK signature authentication system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101740256B1 (en) * 2012-11-26 2017-06-09 한국전자통신연구원 Apparatus for mobile app integrity assurance and method thereof
CN104156638B (en) * 2014-06-06 2018-04-20 国家计算机网络与信息安全管理中心 A kind of implementation method of extension signature towards Android system software

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
建帅: "新一代开源Android渠道包生成工具Walle", 《HTTPS://TECH.MEITUAN.COM/2017/01/13/ANDROIDAPK-V2-SIGNATURE-SCHEME.HTML》 *
李涛: "Android新一代多渠道打包神器", 《HTTPS://ZHUANLAN.ZHIHU.COM/P/26546894》 *

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108875082B (en) * 2018-07-17 2021-01-01 奇安信科技集团股份有限公司 High-capacity data read-write processing method and device
CN108875082A (en) * 2018-07-17 2018-11-23 北京奇安信科技有限公司 A kind of Large Volume Data read-write processing method and device
CN109756340A (en) * 2018-12-03 2019-05-14 深圳市新国都支付技术有限公司 A kind of number sign test method, apparatus and storage medium
CN109756340B (en) * 2018-12-03 2022-10-21 深圳市新国都支付技术有限公司 Digital signature verification method, device and storage medium
CN110224485A (en) * 2019-05-17 2019-09-10 中国电力科学研究院有限公司 A kind of intelligence distribution transformer terminals software management system
CN111240735A (en) * 2020-01-17 2020-06-05 北京小米移动软件有限公司 Application packaging method, application packaging device and storage medium
CN111240735B (en) * 2020-01-17 2023-11-28 北京小米移动软件有限公司 Application packaging method, application packaging device and storage medium
CN111787529A (en) * 2020-07-17 2020-10-16 江苏海全科技有限公司 Signature method and system suitable for Android intelligent POS machine application
CN112306512A (en) * 2020-11-09 2021-02-02 武汉天喻信息产业股份有限公司 Method and system for downloading and installing APK (android package) file based on CCID (central control identity) protocol
CN112306512B (en) * 2020-11-09 2023-12-26 武汉天喻信息产业股份有限公司 Method and system for downloading and installing APK file based on CCID protocol
CN112560017A (en) * 2020-12-21 2021-03-26 福建新大陆支付技术有限公司 Method for realizing APK unified signature by using three-level certificate authentication
CN112560017B (en) * 2020-12-21 2022-12-06 福建新大陆支付技术有限公司 Method for realizing APK unified signature by using three-level certificate authentication
CN113407912A (en) * 2021-04-16 2021-09-17 江苏先安科技有限公司 Third party countersignature and verification method based on V2 or V3 signature mechanism

Also Published As

Publication number Publication date
WO2019080110A1 (en) 2019-05-02

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20180501