Just An Application

August 7, 2014

And Another One: Part Two — Why Ouch ?

The section of the method PluginManager.containsPluginPermissionAndSignatures of interest is this

    ...
    
        // check to ensure the plugin is properly signed
        Signature signatures[] = pkgInfo.signatures;
        if (signatures == null) {
            return false;
        }
        if (SystemProperties.getBoolean("ro.secure", false)) {
            boolean signatureMatch = false;
            for (Signature signature : signatures) {
                for (int i = 0; i < SIGNATURES.length; i++) {
                    if (SIGNATURES[i].equals(signature)) {
                        signatureMatch = true;
                        break;
                    }
                }
            }
            if (!signatureMatch) {
                return false;
            }
        }
        
    ...

It is trying to determine whether any of the signatures of the given Android package are present in the array of signatures in the static variable SIGNATURES.

If so then

the plugin is properly signed

The static variable SIGNATURES is an array of length one.

    ...
    
    private static final Signature[] SIGNATURES = new Signature[] {
        new Signature(SIGNATURE_1)
    };
    
    ...

The signature it contains is hard-wired, its raw value being held in the static variable SIGNATURE_1.

    ...
    
    // Only plugin matches one of the signatures in the list can be loaded
    // inside the WebView process
    private static final String SIGNATURE_1 = "308204c5308203ada003020102020900d ...  629ba637";
    
    ...

The raw value is obviously a bunch of hex digits.

Less obviously, for some but not others, it is a DER encoded certificate which looks like this in DER-ese

      0 1221: SEQUENCE {
      4  941:   SEQUENCE {
      8    3:     [0] {
     10    1:       INTEGER 2
            :       }
     13    9:     INTEGER 00 D7 CB 41 2F 75 F4 88 7E
     24   13:     SEQUENCE {
     26    9:       OBJECT IDENTIFIER sha1withRSAEncryption (1 2 840 113549 1 1 5)
     37    0:       NULL
            :       }
     39  157:     SEQUENCE {
     42   11:       SET {
     44    9:         SEQUENCE {
     46    3:           OBJECT IDENTIFIER countryName (2 5 4 6)
     51    2:           PrintableString 'US'
            :           }
            :         }
     55   19:       SET {
     57   17:         SEQUENCE {
     59    3:           OBJECT IDENTIFIER stateOrProvinceName (2 5 4 8)
     64   10:           PrintableString 'California'
            :           }
            :         }
     76   17:       SET {
     78   15:         SEQUENCE {
     80    3:           OBJECT IDENTIFIER localityName (2 5 4 7)
     85    8:           PrintableString 'San Jose'
            :           }
            :         }
     95   35:       SET {
     97   33:         SEQUENCE {
     99    3:           OBJECT IDENTIFIER organizationName (2 5 4 10)
    104   26:           PrintableString 'Adobe Systems Incorporated'
            :           }
            :         }
    132   28:       SET {
    134   26:         SEQUENCE {
    136    3:           OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
    141   19:           PrintableString 'Information Systems'
            :           }
            :         }
    162   35:       SET {
    164   33:         SEQUENCE {
    166    3:           OBJECT IDENTIFIER commonName (2 5 4 3)
    171   26:           PrintableString 'Adobe Systems Incorporated'
            :           }
            :         }
            :       }
    199   30:     SEQUENCE {
    201   13:       UTCTime 01/10/2009 00:23:14 GMT
    216   13:       UTCTime 16/02/2037 00:23:14 GMT
            :       }
    231  157:     SEQUENCE {
    234   11:       SET {
    236    9:         SEQUENCE {
    238    3:           OBJECT IDENTIFIER countryName (2 5 4 6)
    243    2:           PrintableString 'US'
            :           }
            :         }
    247   19:       SET {
    249   17:         SEQUENCE {
    251    3:           OBJECT IDENTIFIER stateOrProvinceName (2 5 4 8)
    256   10:           PrintableString 'California'
            :           }
            :         }
    268   17:       SET {
    270   15:         SEQUENCE {
    272    3:           OBJECT IDENTIFIER localityName (2 5 4 7)
    277    8:           PrintableString 'San Jose'
            :           }
            :         }
    287   35:       SET {
    289   33:         SEQUENCE {
    291    3:           OBJECT IDENTIFIER organizationName (2 5 4 10)
    296   26:           PrintableString 'Adobe Systems Incorporated'
            :           }
            :         }
    324   28:       SET {
    326   26:         SEQUENCE {
    328    3:           OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
    333   19:           PrintableString 'Information Systems'
            :           }
            :         }
    354   35:       SET {
    356   33:         SEQUENCE {
    358    3:           OBJECT IDENTIFIER commonName (2 5 4 3)
    363   26:           PrintableString 'Adobe Systems Incorporated'
            :           }
            :         }
            :       }
    391  288:     SEQUENCE {
    395   13:       SEQUENCE {
    397    9:         OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1)
    408    0:         NULL
            :         }
    410  269:       BIT STRING, encapsulates {
    415  264:         SEQUENCE {
    419  257:           INTEGER
            :             00 99 72 4F 3E 05 BB D7 88 43 79 4F 35 77 76 E0
            :             4B 34 0E 13 CB 1C 9C CB 30 44 86 51 80 D7 D8 FE
            :             C8 16 6C 5B BD 87 6D A8 B8 0A A7 1E B6 BA 3D 4D
            :             34 55 C9 A8 DE 16 2D 24 A2 5C 4C 1C D0 4C 95 23
            :             AF FD 06 A2 79 FC 8F 0D 01 8F 24 24 86 BD BB 2D
            :             BF BF 6F CB 21 ED 56 78 79 09 19 28 B8 76 F7 CC
            :             EB C7 BC CE F1 57 36 6E BE 74 E3 3A E1 D7 E9 37
            :             30 91 AD AB 83 27 48 21 54 AF C0 69 3A 54 95 22
            :                     [ Another 129 bytes skipped ]
    680    1:           INTEGER 3
            :           }
            :         }
            :       }
    683  262:     [3] {
    687  258:       SEQUENCE {
    691   29:         SEQUENCE {
    693    3:           OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14)
    698   22:           OCTET STRING, encapsulates {
    700   20:             OCTET STRING
            :               5A F4 18 E4 19 A6 39 E1 65 7D B9 60 99 63 64 A3
            :               7E F2 0D 40
            :             }
            :           }
    722  210:         SEQUENCE {
    725    3:           OBJECT IDENTIFIER authorityKeyIdentifier (2 5 29 35)
    730  202:           OCTET STRING, encapsulates {
    733  199:             SEQUENCE {
    736   20:               [0]
            :                 5A F4 18 E4 19 A6 39 E1 65 7D B9 60 99 63 64 A3
            :                 7E F2 0D 40
    758  163:               [1] {
    761  160:                 [4] {
    764  157:                   SEQUENCE {
    767   11:                     SET {
    769    9:                       SEQUENCE {
    771    3:                         OBJECT IDENTIFIER countryName (2 5 4 6)
    776    2:                         PrintableString 'US'
            :                         }
            :                       }
    780   19:                     SET {
    782   17:                       SEQUENCE {
    784    3:                         OBJECT IDENTIFIER
            :                           stateOrProvinceName (2 5 4 8)
    789   10:                         PrintableString 'California'
            :                         }
            :                       }
    801   17:                     SET {
    803   15:                       SEQUENCE {
    805    3:                         OBJECT IDENTIFIER localityName (2 5 4 7)
    810    8:                         PrintableString 'San Jose'
            :                         }
            :                       }
    820   35:                     SET {
    822   33:                       SEQUENCE {
    824    3:                         OBJECT IDENTIFIER organizationName (2 5 4 10)
    829   26:                         PrintableString 'Adobe Systems Incorporated'
            :                         }
            :                       }
    857   28:                     SET {
    859   26:                       SEQUENCE {
    861    3:                         OBJECT IDENTIFIER
            :                           organizationalUnitName (2 5 4 11)
    866   19:                         PrintableString 'Information Systems'
            :                         }
            :                       }
    887   35:                     SET {
    889   33:                       SEQUENCE {
    891    3:                         OBJECT IDENTIFIER commonName (2 5 4 3)
    896   26:                         PrintableString 'Adobe Systems Incorporated'
            :                         }
            :                       }
            :                     }
            :                   }
            :                 }
    924    9:               [2] 00 D7 CB 41 2F 75 F4 88 7E
            :               }
            :             }
            :           }
    935   12:         SEQUENCE {
    937    3:           OBJECT IDENTIFIER basicConstraints (2 5 29 19)
    942    5:           OCTET STRING, encapsulates {
    944    3:             SEQUENCE {
    946    1:               BOOLEAN TRUE
            :               }
            :             }
            :           }
            :         }
            :       }
            :     }
    949   13:   SEQUENCE {
    951    9:     OBJECT IDENTIFIER sha1withRSAEncryption (1 2 840 113549 1 1 5)
    962    0:     NULL
            :     }
    964  257:   BIT STRING
            :     76 C2 A1 1F E3 03 35 96 89 C2 EB C7 B2 C3 98 EF
            :     F8 C3 F9 AD 54 5C DB AC 75 DF 63 BF 7B 53 95 B6
            :     98 8D 18 42 D6 AA 15 56 D5 95 B5 69 2E 08 22 4D
            :     66 7A 4C 9C 43 8F 05 E7 49 06 C5 3D D8 01 6D DE
            :     70 04 06 88 66 F0 18 46 36 5E FD 14 6E 9B FA A4
            :     8C 9E CF 65 7F 87 B9 7C 75 7D A1 1F 22 5C 4A 24
            :     17 7B F2 D7 18 8E 6C CE 2A 70 A1 E8 A8 41 A1 44
            :     71 EB 51 45 73 98 B8 A0 AD DD 8B 6C 8C 15 38 CA
            :             [ Another 128 bytes skipped ]
            :   }

or this in X.509 speak

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                d7:cb:41:2f:75:f4:88:7e
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: C=US, ST=California, L=San Jose, O=Adobe Systems Incorporated, \
    OU=Information Systems, CN=Adobe Systems Incorporated
            Validity
                Not Before: Oct  1 00:23:14 2009 GMT
                Not After : Feb 16 00:23:14 2037 GMT
            Subject: C=US, ST=California, L=San Jose, O=Adobe Systems Incorporated, \
    OU=Information Systems, CN=Adobe Systems Incorporated
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (2048 bit)
                    Modulus (2048 bit):
                        00:99:72:4f:3e:05:bb:d7:88:43:79:4f:35:77:76:
                        e0:4b:34:0e:13:cb:1c:9c:cb:30:44:86:51:80:d7:
                        d8:fe:c8:16:6c:5b:bd:87:6d:a8:b8:0a:a7:1e:b6:
                        ba:3d:4d:34:55:c9:a8:de:16:2d:24:a2:5c:4c:1c:
                        d0:4c:95:23:af:fd:06:a2:79:fc:8f:0d:01:8f:24:
                        24:86:bd:bb:2d:bf:bf:6f:cb:21:ed:56:78:79:09:
                        19:28:b8:76:f7:cc:eb:c7:bc:ce:f1:57:36:6e:be:
                        74:e3:3a:e1:d7:e9:37:30:91:ad:ab:83:27:48:21:
                        54:af:c0:69:3a:54:95:22:f8:c7:96:dd:84:d1:6e:
                        24:bb:22:1f:5d:bb:80:9c:a5:6d:d2:b6:e7:99:c5:
                        fa:06:b6:d9:c5:c0:9a:da:54:ea:4c:5d:b1:52:3a:
                        97:94:ed:22:a3:88:9e:5e:05:b2:9f:8e:e0:a8:d6:
                        1e:fe:07:ae:28:f6:5d:ec:e2:ff:7e:dc:5b:14:16:
                        d7:c7:aa:d7:f0:d3:5e:8f:4a:4b:96:4d:bf:50:ae:
                        9a:a6:d6:20:15:77:70:d9:74:13:1b:3e:7e:3a:bd:
                        6d:16:3d:65:75:8e:2f:08:22:db:9c:88:59:8b:9d:
                        b6:26:3d:96:3d:13:94:2c:91:fc:5e:fe:34:fc:1e:
                        06:e3
                    Exponent: 3 (0x3)
            X509v3 extensions:
                X509v3 Subject Key Identifier:
                    5A:F4:18:E4:19:A6:39:E1:65:7D:B9:60:99:63:64:A3:7E:F2:0D:40
                X509v3 Authority Key Identifier:
                    keyid:5A:F4:18:E4:19:A6:39:E1:65:7D:B9:60:99:63:64:A3:7E:F2:0D:40
                    DirName:\
    /C=US/ST=California/L=San Jose/O=Adobe Systems Incorporated/OU=Information Systems/CN=Adobe Systems Incorporated
                    serial:D7:CB:41:2F:75:F4:88:7E
    
                X509v3 Basic Constraints:
                    CA:TRUE
        Signature Algorithm: sha1WithRSAEncryption
            76:c2:a1:1f:e3:03:35:96:89:c2:eb:c7:b2:c3:98:ef:f8:c3:
            f9:ad:54:5c:db:ac:75:df:63:bf:7b:53:95:b6:98:8d:18:42:
            d6:aa:15:56:d5:95:b5:69:2e:08:22:4d:66:7a:4c:9c:43:8f:
            05:e7:49:06:c5:3d:d8:01:6d:de:70:04:06:88:66:f0:18:46:
            36:5e:fd:14:6e:9b:fa:a4:8c:9e:cf:65:7f:87:b9:7c:75:7d:
            a1:1f:22:5c:4a:24:17:7b:f2:d7:18:8e:6c:ce:2a:70:a1:e8:
            a8:41:a1:44:71:eb:51:45:73:98:b8:a0:ad:dd:8b:6c:8c:15:
            38:ca:8f:1e:40:b4:d8:b9:60:00:9e:a2:2c:18:8d:28:92:48:
            13:d2:c0:b4:a4:d3:34:b7:cf:05:50:7e:1f:cf:0a:06:fe:94:
            6c:7f:fc:43:5e:17:3a:f6:fc:3e:34:00:64:37:10:ac:c8:06:
            f8:30:a1:47:88:29:1d:46:f2:fe:ed:9f:b5:c7:04:23:ca:74:
            7e:d1:57:2d:75:28:94:ac:1f:19:f9:39:89:76:63:08:57:93:
            93:fa:bb:43:64:9a:a8:80:6a:31:3b:1a:b9:a5:09:22:a4:4c:
            24:67:b9:06:20:37:f2:da:0d:48:4d:9f:fd:8f:e6:28:ee:ea:
            62:9b:a6:37

from which we can see that it is a self-signed certificate apparently originating from Adobe which expires in 2037 !

So why is a signature a certificate as opposed to, oh I don’t know

a message digest encrypted using a private key

say ?

There seems to be no reason other than at some point Android decided to use the term signature to mean certificate thereby confusing themselves and everybody else.

To summarize, a plugin is

properly signed

if the Android package has as one of its signatures certificates a specific certificate which is apparently issued by Adobe.

The intent behind this is presumably that only an Android package signed by Adobe using the hard-wired certificate can load a plugin into a WebView process.

Readers are invited to guess what plugin that might be.

Even as it stands relying on a self-signed hard-wired certificate that does not expire until 2037 is not really a good idea but it gets worse


Copyright (c) 2014 By Simon Lewis. All Rights Reserved.

Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and owner Simon Lewis is strictly prohibited.

Excerpts and links may be used, provided that full and clear credit is given to Simon Lewis and justanapplication.wordpress.com with appropriate and specific direction to the original content.

Advertisements

2 Comments »

  1. […] quite clever, although I say so myself, and have managed to get the hard-wired self-signed Adobe certificate used by the android.web.PluginManager as one of the application’s […]

    Pingback by And Another One: Part Three — For My Next Trick … | Just An Application — August 7, 2014 @ 10:26 am

  2. […] that I do not know the private key corresponding to the public key in the Adobe certificate, there was no way the certificate I created for the public key corresponding to the private key I […]

    Pingback by Another One: Part Sixteen — Spot The Deliberate Mistake | Just An Application — August 16, 2014 @ 7:12 am


RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Blog at WordPress.com.

%d bloggers like this: