ngvel / seek-for-android

Automatically exported from code.google.com/p/seek-for-android
0 stars 0 forks source link

getAppCerts in AccessController.java does not get the certificate chain #55

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What's the problem?
getAppCerts in AccessController.java does not get the certificate chain

The certificates returned by the PackackManager PackageInfo.signatures returns 
multiple signatures only if the package was signed by multiple parties.  
Therefore there will only be an array of signatures if two or more parties sign 
the package with their own certificates (or certificate chain).  If one party 
signs the package with a their certificate (or certificate chain) then only one 
signature is returned.

Due to this the requirement on page 33 of the GP Secure Element Access Control 
spec (GPD_SPE_013), where processing of chained certificates in steps  A) and 
C)for each entity in the chain, is not met.

What version of the product are you using? On what operating system?
2.4.0 on Android 4.2.2

Original issue reported on code.google.com by er...@motorola.com on 20 Mar 2013 at 3:20

GoogleCodeExporter commented 9 years ago
The getAPPCerts() in AccessController.java should be updated as follows:

public Certificate[] getAPPCerts(String packageName)
            throws CertificateException, NoSuchAlgorithmException, AccessControlException,
            CardException {

        PackageInfo foundPkgInfo;

        try {
            foundPkgInfo = mPackageManager.getPackageInfo(packageName,
                                                    PackageManager.GET_SIGNATURES);
        } catch (NameNotFoundException ne) {
            throw new AccessControlException("Package does not exist");
        }

        if (foundPkgInfo == null) {
                throw new AccessControlException("Package does not exist");
            }

        ArrayList<Certificate> appCerts = new ArrayList<Certificate>();

        // this is the certificate chain...
        for (Signature signature : foundPkgInfo.signatures) {
            appCerts.add(decodeCertificate(signature.toByteArray()));
        }
        return appCerts.toArray(new Certificate[appCerts.size()]);
    }

Original comment by danny.w....@gmail.com on 28 Mar 2013 at 1:45

GoogleCodeExporter commented 9 years ago
I see how the performance gets improved by switching from .getInstalledPackages 
to .getPackageInfo.  However, I don't see how, given the device application is 
signed by one party with a certificate chain, the getAPPCerts will return an 
array of certificates.

If the app is only signed by one party then there will be only one signature.  
If there is only one signature then decodeCertificate will only be called one 
time in the loop.  decodeCertificate is only designed to return one 
certificate.  It does not return an array of certificates.  I still don't see 
any way for getAPPCerts to return an array of size more than one certificate.

Original comment by er...@motorola.com on 28 Mar 2013 at 3:03

GoogleCodeExporter commented 9 years ago
the improvement on using getPackageInfo would be desired definitely to improve 
older version of SEEK implementation.  similar to finding on DTAG

https://github.com/DTAG-PD14/AccessControl/issues/4

Original comment by tommypo...@gmail.com on 23 Apr 2013 at 8:52