PoC + writeup + patch

6c6dc25112/fdroidserver.patch (L28) https://github.com/androguard/androguard/issues/1030 refs #1128
2024-04-09 11:19:21 +02:00 · 2024-04-09 11:19:21 +02:00 · 6448b4f6a5
parent 142467e70c
commit 6448b4f6a5
1 changed files with 24 additions and 25 deletions
--- a/fdroidserver/common.py
+++ b/fdroidserver/common.py
@ -3149,39 +3149,38 @@ def signer_fingerprint(cert_encoded):

 def get_first_signer_certificate(apkpath):
    """Get the first signing certificate from the APK, DER-encoded."""
-    cert_encoded_v1 = None
-    cert_encoded_v2 = None
-    cert_encoded_v3 = None
-    with zipfile.ZipFile(apkpath, 'r') as apk:
-        certs_v1 = [n for n in apk.namelist() if SIGNATURE_BLOCK_FILE_REGEX.match(n)]
-        if len(certs_v1) > 1:
-            logging.error(_("Found multiple JAR Signature Block Files in {path}").format(path=apkpath))
-            return None
-        elif len(certs_v1) == 1:
-            cert_encoded_v1 = get_certificate(apk.read(certs_v1[0]))
+    class FDict(dict):
+        def __setitem__(self, k, v):
+            if k not in self:
+                super().__setitem__(k, v)

+    certs = None
+    cert_encoded = None
    if use_androguard():
        apkobject = _get_androguard_APK(apkpath)
-        certs_v2 = apkobject.get_certificates_der_v2()
-        if len(certs_v2) > 0:
-            logging.debug(_('Using APK Signature v2'))
-            cert_encoded_v2 = certs_v2[0]
-
-        certs_v3 = apkobject.get_certificates_der_v3()
-        if len(certs_v3) > 0:
+        apkobject._v2_blocks = FDict()
+        certs = apkobject.get_certificates_der_v3()
+        if len(certs) > 0:
            logging.debug(_('Using APK Signature v3'))
-            cert_encoded_v3 = certs_v3[0]
+            cert_encoded = certs[0]
+        if not cert_encoded:
+            certs = apkobject.get_certificates_der_v2()
+            if len(certs) > 0:
+                logging.debug(_('Using APK Signature v2'))
+                cert_encoded = certs[0]
+
+    if not cert_encoded:
+        with zipfile.ZipFile(apkpath, 'r') as apk:
+            cert_files = [n for n in apk.namelist() if SIGNATURE_BLOCK_FILE_REGEX.match(n)]
+            if len(cert_files) > 1:
+                logging.error(_("Found multiple JAR Signature Block Files in {path}").format(path=apkpath))
+                return None
+            elif len(cert_files) == 1:
+                cert_encoded = get_certificate(apk.read(cert_files[0]))

-    cert_encoded = cert_encoded_v3 or cert_encoded_v2 or cert_encoded_v1
    if not cert_encoded:
        logging.error(_("No signing certificates found in {path}").format(path=apkpath))
        return None
-    if (
-        (cert_encoded_v2 and cert_encoded_v2 != cert_encoded)
-        or (cert_encoded_v1 and cert_encoded_v1 != cert_encoded)
-    ):
-        logging.error(_("Different certificates found in {path}").format(path=apkpath))
-        return None
    return cert_encoded