GoogleCloudPlatform / kms-integrations

https://cloud.google.com/kms
Apache License 2.0

Signing APK with PKCS11 library and gcloud hsm #15

Closed averzicco closed 1 year ago

averzicco commented 1 year ago

Hi,

I'm trying to set up apksigner to sign Android APK files with keys stored in a gcloud HSM.

The apksigner tool allows using the Sun PKCS #11 JCA Provider to store the key pair, so I've configured it to use the PKCS11 library you offer. The only way to make it work is by enabling the generate_certs: true option, but this creates a problem: the certificate bundled in the signed APK is the generated one. Since Google Play uses the certificate signature to validate the APK, the validation is failing.

As far as I understand, gcloud HSM doesn't allow storing the certificate for the private key, but for this use case it would be enough to be able to use a certificate loaded from the file system instead of generating it at runtime.

Is there a way to use the PKCS11 library for this use case?

For example, here is an example of how to set up apksigner with YubiHSM.

bdhess commented 1 year ago

This is now possible using the experimental_certs configuration option in v1.3 of the library. That configuration value is a list of PEM-formatted X.509 certificates (one certificate per list item).

As an example, I was able to use apksigner with a configuration like

---
tokens:
  - key_ring: "projects/bdhess-sandbox/locations/us-central1/keyRings/ossl-test"
    experimental_certs:
      - |
        -----BEGIN CERTIFICATE-----
        MIIBfDCCASOgAwIBAgIUR8kwFjcoNdDY+s2/c/fydMxysugwCgYIKoZIzj0EAwIw
        FDESMBAGA1UEAwwJb3NzbC10ZXN0MB4XDTIzMDkxNDE2MzUwMFoXDTMzMDkxMTE2
        MzUwMFowFDESMBAGA1UEAwwJb3NzbC10ZXN0MFkwEwYHKoZIzj0CAQYIKoZIzj0D
        AQcDQgAEh83KrXS6bznV3G0yysO3ZHAY6pnSqGpLuTshLfAcS0bHYb5nH8q9noDY
        Of6vJobGk5J1wnMwoXt9xm75WVXsXaNTMFEwHQYDVR0OBBYEFKsgEQ9wY4WCMcVn
        SRuDn3Kl4+u1MB8GA1UdIwQYMBaAFKsgEQ9wY4WCMcVnSRuDn3Kl4+u1MA8GA1Ud
        EwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgEwebwA6Njw1nW/gzIT6cNHAs
        d4XyCB+01OfSk1Hp3TkCIEYxCEMn4oAyAJozzVyApY/Yu1/sM0Ospmh8i3P/thJK
        -----END CERTIFICATE-----

CLI invocation:

KMS_PKCS11_CONFIG=config.yaml apksigner sign \
  --min-sdk-version=18 \
  --provider-class sun.security.pkcs11.SunPKCS11 \
  --provider-arg pkcs11_java.cfg \
  --ks NONE \
  --ks-type PKCS11 \
  --ks-key-alias ossl-test \
  stubapp.apk
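A check worth running before signing with this configuration, as an added example that is not part of the issue or of the kms-integrations project: confirm that the certificate listed under experimental_certs carries the same public key as the Cloud KMS key version (the PEM that `gcloud kms keys versions get-public-key` writes), since a mismatch leaves the APK with a signature its embedded certificate cannot verify. Standard library only; the PUBLIC KEY PEM below is constructed from the certificate in the comment above and stands in for the gcloud output.

```python
import base64
import re

# Sample input: the certificate from the experimental_certs config above.
CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIBfDCCASOgAwIBAgIUR8kwFjcoNdDY+s2/c/fydMxysugwCgYIKoZIzj0EAwIw
FDESMBAGA1UEAwwJb3NzbC10ZXN0MB4XDTIzMDkxNDE2MzUwMFoXDTMzMDkxMTE2
MzUwMFowFDESMBAGA1UEAwwJb3NzbC10ZXN0MFkwEwYHKoZIzj0CAQYIKoZIzj0D
AQcDQgAEh83KrXS6bznV3G0yysO3ZHAY6pnSqGpLuTshLfAcS0bHYb5nH8q9noDY
Of6vJobGk5J1wnMwoXt9xm75WVXsXaNTMFEwHQYDVR0OBBYEFKsgEQ9wY4WCMcVn
SRuDn3Kl4+u1MB8GA1UdIwQYMBaAFKsgEQ9wY4WCMcVnSRuDn3Kl4+u1MA8GA1Ud
EwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgEwebwA6Njw1nW/gzIT6cNHAs
d4XyCB+01OfSk1Hp3TkCIEYxCEMn4oAyAJozzVyApY/Yu1/sM0Ospmh8i3P/thJK
-----END CERTIFICATE-----"""
# Constructed: the public key of that certificate, in the PEM form that
# `gcloud kms keys versions get-public-key` writes for a Cloud KMS key version.
KMS_PUBKEY_PEM = """-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEh83KrXS6bznV3G0yysO3ZHAY6pnS
qGpLuTshLfAcS0bHYb5nH8q9noDYOf6vJobGk5J1wnMwoXt9xm75WVXsXQ==
-----END PUBLIC KEY-----"""

def pem_to_der(pem):
    """Decode one PEM block (armor lines and any indentation are ignored)."""
    body = re.sub(r"-----(BEGIN|END) [A-Z ]+-----", "", pem)
    return base64.b64decode("".join(body.split()))

def der_tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, end offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def spki_from_cert(cert_der):
    """Return the SubjectPublicKeyInfo body of an X.509 certificate."""
    _, tbs, _ = der_tlv(der_tlv(cert_der)[1])       # Certificate -> tbsCertificate
    fields, pos = [], 0
    while pos < len(tbs):                           # walk the tbsCertificate fields
        tag, val, pos = der_tlv(tbs, pos)
        fields.append((tag, val))
    if fields[0][0] == 0xA0:                        # skip optional [0] EXPLICIT version
        fields.pop(0)
    tag, spki = fields[5]   # serial, sigAlg, issuer, validity, subject, SPKI
    assert tag == 0x30, "unexpected tbsCertificate layout"
    return spki

def cert_matches_kms_key(cert_pem, kms_pubkey_pem):
    """True if the certificate carries exactly the KMS key version's public key."""
    return spki_from_cert(pem_to_der(cert_pem)) == der_tlv(pem_to_der(kms_pubkey_pem))[1]
```

The same comparison works for RSA key versions, since both the certificate's subjectPublicKeyInfo and the gcloud output are DER SubjectPublicKeyInfo structures.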