diff --git a/.gitignore b/.gitignore
index 7b7d0aa31..2865ee369 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,9 +1,18 @@
-out/
-obj/
-libs/
+/out
+/obj
+/libs
*.zip
*.jks
*.apk
# Built binaries
ziptools/zipadjust
+
+# Android Studio / Gradle
+*.iml
+.gradle
+/local.properties
+/.idea
+/build
+/captures
+.externalNativeBuild
diff --git a/.gitmodules b/.gitmodules
index 1c63eaa4c..cdc9d7a6e 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -1,27 +1,27 @@
[submodule "jni/selinux"]
- path = jni/external/selinux
+ path = core/jni/external/selinux
url = https://github.com/topjohnwu/selinux.git
[submodule "jni/su"]
- path = jni/su
+ path = core/jni/su
url = https://github.com/topjohnwu/MagiskSU.git
[submodule "jni/magiskpolicy"]
- path = jni/magiskpolicy
+ path = core/jni/magiskpolicy
url = https://github.com/topjohnwu/magiskpolicy.git
[submodule "MagiskManager"]
- path = java
+ path = app
url = https://github.com/topjohnwu/MagiskManager.git
[submodule "jni/busybox"]
- path = jni/external/busybox
+ path = core/jni/external/busybox
url = https://github.com/topjohnwu/ndk-busybox.git
[submodule "jni/external/dtc"]
- path = jni/external/dtc
+ path = core/jni/external/dtc
url = https://github.com/dgibson/dtc
[submodule "jni/external/lz4"]
- path = jni/external/lz4
+ path = core/jni/external/lz4
url = https://github.com/lz4/lz4.git
[submodule "jni/external/bzip2"]
- path = jni/external/bzip2
+ path = core/jni/external/bzip2
url = https://github.com/nemequ/bzip2.git
[submodule "jni/external/xz"]
- path = jni/external/xz
+ path = core/jni/external/xz
url = https://github.com/xz-mirror/xz.git
diff --git a/app b/app
new file mode 160000
index 000000000..863b13a69
--- /dev/null
+++ b/app
@@ -0,0 +1 @@
+Subproject commit 863b13a6946c851a4df1043acb8c5003a1b0f3c0
diff --git a/build.gradle b/build.gradle
new file mode 100644
index 000000000..e6b32bc78
--- /dev/null
+++ b/build.gradle
@@ -0,0 +1,27 @@
+// Top-level build file where you can add configuration options common to all sub-projects/modules.
+
+buildscript {
+
+ repositories {
+ google()
+ jcenter()
+ }
+ dependencies {
+ classpath 'com.android.tools.build:gradle:3.0.1'
+
+
+ // NOTE: Do not place your application dependencies here; they belong
+ // in the individual module build.gradle files
+ }
+}
+
+allprojects {
+ repositories {
+ google()
+ jcenter()
+ }
+}
+
+task clean(type: Delete) {
+ delete rootProject.buildDir
+}
diff --git a/build.py b/build.py
index cc82e1bd1..b3027eecc 100755
--- a/build.py
+++ b/build.py
@@ -43,6 +43,11 @@ import lzma
import base64
import tempfile
+if 'ANDROID_NDK' in os.environ:
+ ndk_build = os.path.join(os.environ['ANDROID_NDK'], 'ndk-build')
+else:
+ ndk_build = os.path.join(os.environ['ANDROID_HOME'], 'ndk-bundle', 'ndk-build')
+
def mv(source, target):
print('mv: {} -> {}'.format(source, target))
shutil.move(source, target)
@@ -84,18 +89,13 @@ def build_binary(args):
header('* Building Magisk binaries')
# Force update Android.mk timestamp to trigger recompilation
- os.utime(os.path.join('jni', 'Android.mk'))
+ os.utime(os.path.join('core', 'jni', 'Android.mk'))
debug_flag = '' if args.release else '-DMAGISK_DEBUG'
cflag = 'MAGISK_FLAGS=\"-DMAGISK_VERSION=\\\"{}\\\" -DMAGISK_VER_CODE={} {}\"'.format(args.versionString, args.versionCode, debug_flag)
- if 'ANDROID_NDK' in os.environ:
- ndk_build = os.path.join(os.environ['ANDROID_NDK'], 'ndk-build')
- else:
- ndk_build = os.path.join(os.environ['ANDROID_HOME'], 'ndk-bundle', 'ndk-build')
-
# Prebuild
- proc = subprocess.run('{} PRECOMPILE=true {} -j{}'.format(ndk_build, cflag, multiprocessing.cpu_count()), shell=True)
+ proc = subprocess.run('{} -C core PRECOMPILE=true {} -j{}'.format(ndk_build, cflag, multiprocessing.cpu_count()), shell=True)
if proc.returncode != 0:
error('Build Magisk binary failed!')
@@ -104,7 +104,7 @@ def build_binary(args):
mkdir_p(os.path.join('out', arch))
with open(os.path.join('out', arch, 'dump.h'), 'w') as dump:
dump.write('#include "stdlib.h"\n')
- mv(os.path.join('libs', arch, 'magisk'), os.path.join('out', arch, 'magisk'))
+ mv(os.path.join('core', 'libs', arch, 'magisk'), os.path.join('out', arch, 'magisk'))
with open(os.path.join('out', arch, 'magisk'), 'rb') as bin:
dump.write('const uint8_t magisk_dump[] = "')
dump.write(''.join("\\x{:02X}".format(c) for c in lzma.compress(bin.read(), preset=9)))
@@ -112,7 +112,7 @@ def build_binary(args):
print('')
- proc = subprocess.run('{} {} -j{}'.format(ndk_build, cflag, multiprocessing.cpu_count()), shell=True)
+ proc = subprocess.run('{} -C core {} -j{}'.format(ndk_build, cflag, multiprocessing.cpu_count()), shell=True)
if proc.returncode != 0:
error('Build Magisk binary failed!')
@@ -120,7 +120,7 @@ def build_binary(args):
for arch in ['arm64-v8a', 'armeabi-v7a', 'x86', 'x86_64']:
for binary in ['magiskinit', 'magiskboot', 'b64xz', 'busybox']:
try:
- mv(os.path.join('libs', arch, binary), os.path.join('out', arch, binary))
+ mv(os.path.join('core', 'libs', arch, binary), os.path.join('out', arch, binary))
except:
pass
@@ -129,18 +129,16 @@ def build_apk(args):
for key in ['public.certificate.x509.pem', 'private.key.pk8']:
source = os.path.join('ziptools', key)
- target = os.path.join('java', 'app', 'src', 'main', 'assets', key)
+ target = os.path.join('app', 'src', 'main', 'assets', key)
cp(source, target)
for script in ['magisk_uninstaller.sh', 'util_functions.sh']:
source = os.path.join('scripts', script)
- target = os.path.join('java', 'app', 'src', 'main', 'assets', script)
+ target = os.path.join('app', 'src', 'main', 'assets', script)
cp(source, target)
- os.chdir('java')
-
if args.release:
- if not os.path.exists(os.path.join('..', 'release_signature.jks')):
+ if not os.path.exists('release_signature.jks'):
error('Please generate a java keystore and place it in \'release_signature.jks\'')
proc = subprocess.run('{} app:assembleRelease'.format(os.path.join('.', 'gradlew')), shell=True)
@@ -173,17 +171,15 @@ def build_apk(args):
error('Cannot find apksigner.jar in Android SDK build tools')
proc = subprocess.run('java -jar {} sign --ks {} --out {} {}'.format(
- apksigner,
- os.path.join('..', 'release_signature.jks'),
- release, aligned), shell=True)
+ apksigner, 'release_signature.jks', release, aligned), shell=True)
if proc.returncode != 0:
error('Release sign Magisk Manager failed!')
rm(unsigned)
rm(aligned)
- mkdir(os.path.join('..', 'out'))
- target = os.path.join('..', 'out', 'app-release.apk')
+ mkdir('out')
+ target = os.path.join('out', 'app-release.apk')
print('')
mv(release, target)
else:
@@ -192,25 +188,20 @@ def build_apk(args):
error('Build Magisk Manager failed!')
source = os.path.join('app', 'build', 'outputs', 'apk', 'debug', 'app-debug.apk')
- mkdir(os.path.join('..', 'out'))
- target = os.path.join('..', 'out', 'app-debug.apk')
+ mkdir('out')
+ target = os.path.join('out', 'app-debug.apk')
print('')
mv(source, target)
- # Return to upper directory
- os.chdir('..')
-
def build_snet(args):
- os.chdir('java')
proc = subprocess.run('{} snet:assembleRelease'.format(os.path.join('.', 'gradlew')), shell=True)
if proc.returncode != 0:
error('Build snet extention failed!')
source = os.path.join('snet', 'build', 'outputs', 'apk', 'release', 'snet-release-unsigned.apk')
- mkdir(os.path.join('..', 'out'))
- target = os.path.join('..', 'out', 'snet.apk')
+ mkdir('out')
+ target = os.path.join('out', 'snet.apk')
print('')
mv(source, target)
- os.chdir('..')
def gen_update_binary():
update_bin = []
@@ -342,8 +333,8 @@ def zip_uninstaller(args):
sign_adjust_zip(unsigned, output)
def sign_adjust_zip(unsigned, output):
- signer_name = 'zipsigner-1.0.jar'
- jarsigner = os.path.join('java', 'crypto', 'build', 'libs', signer_name)
+ signer_name = 'zipsigner-1.1.jar'
+ jarsigner = os.path.join('crypto', 'build', 'libs', signer_name)
if os.name != 'nt' and not os.path.exists(os.path.join('ziptools', 'zipadjust')):
header('* Building zipadjust')
@@ -353,11 +344,9 @@ def sign_adjust_zip(unsigned, output):
error('Build zipadjust failed!')
if not os.path.exists(jarsigner):
header('* Building ' + signer_name)
- os.chdir('java')
proc = subprocess.run('{} crypto:shadowJar'.format(os.path.join('.', 'gradlew')), shell=True)
if proc.returncode != 0:
error('Build {} failed!'.format(signer_name))
- os.chdir('..')
header('* Signing / Adjusting Zip')
@@ -396,15 +385,13 @@ def cleanup(args):
if 'binary' in args.target:
header('* Cleaning binaries')
- subprocess.run(os.path.join(os.environ['ANDROID_HOME'], 'ndk-bundle', 'ndk-build') + ' clean', shell=True)
+ subprocess.run(ndk_build + ' -C core COMPILEALL=true clean', shell=True)
for arch in ['arm64-v8a', 'armeabi-v7a', 'x86', 'x86_64']:
shutil.rmtree(os.path.join('out', arch), ignore_errors=True)
if 'java' in args.target:
header('* Cleaning java')
- os.chdir('java')
subprocess.run('{} clean'.format(os.path.join('.', 'gradlew')), shell=True)
- os.chdir('..')
for f in os.listdir('out'):
if '.apk' in f:
rm(os.path.join('out', f))
diff --git a/core/.gitignore b/core/.gitignore
new file mode 100644
index 000000000..796b96d1c
--- /dev/null
+++ b/core/.gitignore
@@ -0,0 +1 @@
+/build
diff --git a/core/build.gradle b/core/build.gradle
new file mode 100644
index 000000000..6fb33987b
--- /dev/null
+++ b/core/build.gradle
@@ -0,0 +1,20 @@
+apply plugin: 'com.android.library'
+
+android {
+ compileSdkVersion 27
+
+ externalNativeBuild {
+ ndkBuild {
+ path 'jni/Android.mk'
+ }
+ }
+
+ defaultConfig {
+ externalNativeBuild {
+ ndkBuild {
+ // Passes an optional argument to ndk-build.
+ arguments "COMPILEALL=true"
+ }
+ }
+ }
+}
diff --git a/jni/Android.mk b/core/jni/Android.mk
similarity index 96%
rename from jni/Android.mk
rename to core/jni/Android.mk
index 8263025d7..8f5d728cd 100644
--- a/jni/Android.mk
+++ b/core/jni/Android.mk
@@ -14,7 +14,7 @@ LIBFDT := $(EXT_PATH)/dtc/libfdt
# Binaries
########################
-ifdef PRECOMPILE
+ifneq "$(or $(PRECOMPILE), $(COMPILEALL))" ""
# magisk main binary
include $(CLEAR_VARS)
@@ -54,8 +54,9 @@ LOCAL_CFLAGS := -DIS_DAEMON -DSELINUX
LOCAL_LDLIBS := -llog
include $(BUILD_EXECUTABLE)
-# precompile
-else
+endif
+
+ifndef PRECOMPILE
# magiskinit
include $(CLEAR_VARS)
@@ -64,7 +65,7 @@ LOCAL_STATIC_LIBRARIES := libsepol liblzma
LOCAL_C_INCLUDES := \
jni/include \
jni/magiskpolicy \
- out/$(TARGET_ARCH_ABI) \
+ ../out/$(TARGET_ARCH_ABI) \
$(LIBSEPOL) \
$(LIBLZMA)
diff --git a/jni/Application.mk b/core/jni/Application.mk
similarity index 100%
rename from jni/Application.mk
rename to core/jni/Application.mk
diff --git a/jni/b64xz.c b/core/jni/b64xz.c
similarity index 100%
rename from jni/b64xz.c
rename to core/jni/b64xz.c
diff --git a/jni/core/bootstages.c b/core/jni/core/bootstages.c
similarity index 100%
rename from jni/core/bootstages.c
rename to core/jni/core/bootstages.c
diff --git a/jni/core/daemon.c b/core/jni/core/daemon.c
similarity index 100%
rename from jni/core/daemon.c
rename to core/jni/core/daemon.c
diff --git a/jni/core/log_monitor.c b/core/jni/core/log_monitor.c
similarity index 100%
rename from jni/core/log_monitor.c
rename to core/jni/core/log_monitor.c
diff --git a/jni/core/magisk.c b/core/jni/core/magisk.c
similarity index 100%
rename from jni/core/magisk.c
rename to core/jni/core/magisk.c
diff --git a/jni/core/magiskinit.c b/core/jni/core/magiskinit.c
similarity index 100%
rename from jni/core/magiskinit.c
rename to core/jni/core/magiskinit.c
diff --git a/jni/core/socket.c b/core/jni/core/socket.c
similarity index 100%
rename from jni/core/socket.c
rename to core/jni/core/socket.c
diff --git a/jni/external/Android.mk b/core/jni/external/Android.mk
similarity index 100%
rename from jni/external/Android.mk
rename to core/jni/external/Android.mk
diff --git a/jni/external/busybox b/core/jni/external/busybox
similarity index 100%
rename from jni/external/busybox
rename to core/jni/external/busybox
diff --git a/jni/external/bzip2 b/core/jni/external/bzip2
similarity index 100%
rename from jni/external/bzip2
rename to core/jni/external/bzip2
diff --git a/jni/external/dtc b/core/jni/external/dtc
similarity index 100%
rename from jni/external/dtc
rename to core/jni/external/dtc
diff --git a/jni/external/include/sha1.h b/core/jni/external/include/sha1.h
similarity index 100%
rename from jni/external/include/sha1.h
rename to core/jni/external/include/sha1.h
diff --git a/jni/external/include/sqlite3.h b/core/jni/external/include/sqlite3.h
similarity index 100%
rename from jni/external/include/sqlite3.h
rename to core/jni/external/include/sqlite3.h
diff --git a/jni/external/include/xz_config/config.h b/core/jni/external/include/xz_config/config.h
similarity index 100%
rename from jni/external/include/xz_config/config.h
rename to core/jni/external/include/xz_config/config.h
diff --git a/jni/external/lz4 b/core/jni/external/lz4
similarity index 100%
rename from jni/external/lz4
rename to core/jni/external/lz4
diff --git a/jni/external/selinux b/core/jni/external/selinux
similarity index 100%
rename from jni/external/selinux
rename to core/jni/external/selinux
diff --git a/jni/external/sha1/sha1.c b/core/jni/external/sha1/sha1.c
similarity index 100%
rename from jni/external/sha1/sha1.c
rename to core/jni/external/sha1/sha1.c
diff --git a/jni/external/stubs/selinux_stub.c b/core/jni/external/stubs/selinux_stub.c
similarity index 100%
rename from jni/external/stubs/selinux_stub.c
rename to core/jni/external/stubs/selinux_stub.c
diff --git a/jni/external/stubs/sqlite3_stub.c b/core/jni/external/stubs/sqlite3_stub.c
similarity index 100%
rename from jni/external/stubs/sqlite3_stub.c
rename to core/jni/external/stubs/sqlite3_stub.c
diff --git a/jni/external/xz b/core/jni/external/xz
similarity index 100%
rename from jni/external/xz
rename to core/jni/external/xz
diff --git a/jni/include/cpio.h b/core/jni/include/cpio.h
similarity index 100%
rename from jni/include/cpio.h
rename to core/jni/include/cpio.h
diff --git a/jni/include/daemon.h b/core/jni/include/daemon.h
similarity index 100%
rename from jni/include/daemon.h
rename to core/jni/include/daemon.h
diff --git a/jni/include/list.h b/core/jni/include/list.h
similarity index 100%
rename from jni/include/list.h
rename to core/jni/include/list.h
diff --git a/jni/include/logging.h b/core/jni/include/logging.h
similarity index 100%
rename from jni/include/logging.h
rename to core/jni/include/logging.h
diff --git a/jni/include/magisk.h b/core/jni/include/magisk.h
similarity index 100%
rename from jni/include/magisk.h
rename to core/jni/include/magisk.h
diff --git a/jni/include/magiskrc.h b/core/jni/include/magiskrc.h
similarity index 100%
rename from jni/include/magiskrc.h
rename to core/jni/include/magiskrc.h
diff --git a/jni/include/resetprop.h b/core/jni/include/resetprop.h
similarity index 100%
rename from jni/include/resetprop.h
rename to core/jni/include/resetprop.h
diff --git a/jni/include/utils.h b/core/jni/include/utils.h
similarity index 100%
rename from jni/include/utils.h
rename to core/jni/include/utils.h
diff --git a/jni/include/vector.h b/core/jni/include/vector.h
similarity index 100%
rename from jni/include/vector.h
rename to core/jni/include/vector.h
diff --git a/jni/magiskboot/bootimg.c b/core/jni/magiskboot/bootimg.c
similarity index 100%
rename from jni/magiskboot/bootimg.c
rename to core/jni/magiskboot/bootimg.c
diff --git a/jni/magiskboot/bootimg.h b/core/jni/magiskboot/bootimg.h
similarity index 100%
rename from jni/magiskboot/bootimg.h
rename to core/jni/magiskboot/bootimg.h
diff --git a/jni/magiskboot/compress.c b/core/jni/magiskboot/compress.c
similarity index 100%
rename from jni/magiskboot/compress.c
rename to core/jni/magiskboot/compress.c
diff --git a/jni/magiskboot/dtb.c b/core/jni/magiskboot/dtb.c
similarity index 100%
rename from jni/magiskboot/dtb.c
rename to core/jni/magiskboot/dtb.c
diff --git a/jni/magiskboot/hexpatch.c b/core/jni/magiskboot/hexpatch.c
similarity index 100%
rename from jni/magiskboot/hexpatch.c
rename to core/jni/magiskboot/hexpatch.c
diff --git a/jni/magiskboot/magiskboot.h b/core/jni/magiskboot/magiskboot.h
similarity index 100%
rename from jni/magiskboot/magiskboot.h
rename to core/jni/magiskboot/magiskboot.h
diff --git a/jni/magiskboot/main.c b/core/jni/magiskboot/main.c
similarity index 100%
rename from jni/magiskboot/main.c
rename to core/jni/magiskboot/main.c
diff --git a/jni/magiskboot/ramdisk.c b/core/jni/magiskboot/ramdisk.c
similarity index 100%
rename from jni/magiskboot/ramdisk.c
rename to core/jni/magiskboot/ramdisk.c
diff --git a/jni/magiskboot/types.c b/core/jni/magiskboot/types.c
similarity index 100%
rename from jni/magiskboot/types.c
rename to core/jni/magiskboot/types.c
diff --git a/jni/magiskboot/types.h b/core/jni/magiskboot/types.h
similarity index 100%
rename from jni/magiskboot/types.h
rename to core/jni/magiskboot/types.h
diff --git a/jni/magiskhide/hide_utils.c b/core/jni/magiskhide/hide_utils.c
similarity index 100%
rename from jni/magiskhide/hide_utils.c
rename to core/jni/magiskhide/hide_utils.c
diff --git a/jni/magiskhide/magiskhide.c b/core/jni/magiskhide/magiskhide.c
similarity index 100%
rename from jni/magiskhide/magiskhide.c
rename to core/jni/magiskhide/magiskhide.c
diff --git a/jni/magiskhide/magiskhide.h b/core/jni/magiskhide/magiskhide.h
similarity index 100%
rename from jni/magiskhide/magiskhide.h
rename to core/jni/magiskhide/magiskhide.h
diff --git a/jni/magiskhide/proc_monitor.c b/core/jni/magiskhide/proc_monitor.c
similarity index 100%
rename from jni/magiskhide/proc_monitor.c
rename to core/jni/magiskhide/proc_monitor.c
diff --git a/jni/magiskpolicy b/core/jni/magiskpolicy
similarity index 100%
rename from jni/magiskpolicy
rename to core/jni/magiskpolicy
diff --git a/jni/resetprop/ErrnoRestorer.h b/core/jni/resetprop/ErrnoRestorer.h
similarity index 100%
rename from jni/resetprop/ErrnoRestorer.h
rename to core/jni/resetprop/ErrnoRestorer.h
diff --git a/jni/resetprop/_system_properties.h b/core/jni/resetprop/_system_properties.h
similarity index 100%
rename from jni/resetprop/_system_properties.h
rename to core/jni/resetprop/_system_properties.h
diff --git a/jni/resetprop/bionic_futex.h b/core/jni/resetprop/bionic_futex.h
similarity index 100%
rename from jni/resetprop/bionic_futex.h
rename to core/jni/resetprop/bionic_futex.h
diff --git a/jni/resetprop/bionic_lock.h b/core/jni/resetprop/bionic_lock.h
similarity index 100%
rename from jni/resetprop/bionic_lock.h
rename to core/jni/resetprop/bionic_lock.h
diff --git a/jni/resetprop/bionic_macros.h b/core/jni/resetprop/bionic_macros.h
similarity index 100%
rename from jni/resetprop/bionic_macros.h
rename to core/jni/resetprop/bionic_macros.h
diff --git a/jni/resetprop/resetprop.cpp b/core/jni/resetprop/resetprop.cpp
similarity index 100%
rename from jni/resetprop/resetprop.cpp
rename to core/jni/resetprop/resetprop.cpp
diff --git a/jni/resetprop/system_properties.cpp b/core/jni/resetprop/system_properties.cpp
similarity index 100%
rename from jni/resetprop/system_properties.cpp
rename to core/jni/resetprop/system_properties.cpp
diff --git a/jni/resetprop/system_properties.h b/core/jni/resetprop/system_properties.h
similarity index 100%
rename from jni/resetprop/system_properties.h
rename to core/jni/resetprop/system_properties.h
diff --git a/jni/su b/core/jni/su
similarity index 100%
rename from jni/su
rename to core/jni/su
diff --git a/jni/utils/cpio.c b/core/jni/utils/cpio.c
similarity index 100%
rename from jni/utils/cpio.c
rename to core/jni/utils/cpio.c
diff --git a/jni/utils/file.c b/core/jni/utils/file.c
similarity index 100%
rename from jni/utils/file.c
rename to core/jni/utils/file.c
diff --git a/jni/utils/img.c b/core/jni/utils/img.c
similarity index 100%
rename from jni/utils/img.c
rename to core/jni/utils/img.c
diff --git a/jni/utils/list.c b/core/jni/utils/list.c
similarity index 100%
rename from jni/utils/list.c
rename to core/jni/utils/list.c
diff --git a/jni/utils/misc.c b/core/jni/utils/misc.c
similarity index 100%
rename from jni/utils/misc.c
rename to core/jni/utils/misc.c
diff --git a/jni/utils/vector.c b/core/jni/utils/vector.c
similarity index 100%
rename from jni/utils/vector.c
rename to core/jni/utils/vector.c
diff --git a/jni/utils/xwrap.c b/core/jni/utils/xwrap.c
similarity index 100%
rename from jni/utils/xwrap.c
rename to core/jni/utils/xwrap.c
diff --git a/core/src/main/AndroidManifest.xml b/core/src/main/AndroidManifest.xml
new file mode 100644
index 000000000..1d9dded58
--- /dev/null
+++ b/core/src/main/AndroidManifest.xml
@@ -0,0 +1 @@
+
diff --git a/crypto/.gitignore b/crypto/.gitignore
new file mode 100644
index 000000000..796b96d1c
--- /dev/null
+++ b/crypto/.gitignore
@@ -0,0 +1 @@
+/build
diff --git a/crypto/build.gradle b/crypto/build.gradle
new file mode 100644
index 000000000..edfb254cd
--- /dev/null
+++ b/crypto/build.gradle
@@ -0,0 +1,38 @@
+apply plugin: 'java-library'
+
+apply plugin: 'com.github.johnrengelman.shadow'
+apply plugin: 'java'
+
+sourceCompatibility = "1.8"
+targetCompatibility = "1.8"
+
+jar {
+ manifest {
+ attributes 'Main-Class': 'com.topjohnwu.crypto.ZipSigner'
+ }
+}
+
+shadowJar {
+ baseName = 'zipsigner'
+ classifier = null
+ version = 1.1
+}
+
+buildscript {
+ repositories {
+ jcenter()
+ }
+ dependencies {
+ classpath 'com.github.jengelman.gradle.plugins:shadow:2.0.1'
+ }
+}
+
+repositories {
+ jcenter()
+}
+
+dependencies {
+ implementation fileTree(include: ['*.jar'], dir: 'libs')
+ implementation 'org.bouncycastle:bcprov-jdk15on:1.58'
+ implementation 'org.bouncycastle:bcpkix-jdk15on:1.58'
+}
diff --git a/crypto/src/main/java/com/topjohnwu/crypto/ByteArrayStream.java b/crypto/src/main/java/com/topjohnwu/crypto/ByteArrayStream.java
new file mode 100644
index 000000000..ef6c7bc6d
--- /dev/null
+++ b/crypto/src/main/java/com/topjohnwu/crypto/ByteArrayStream.java
@@ -0,0 +1,34 @@
+package com.topjohnwu.crypto;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+
+public class ByteArrayStream extends ByteArrayOutputStream {
+ public byte[] getBuf() {
+ return buf;
+ }
+ public synchronized void readFrom(InputStream is) {
+ readFrom(is, Integer.MAX_VALUE);
+ }
+ public synchronized void readFrom(InputStream is, int len) {
+ int read;
+ byte buffer[] = new byte[4096];
+ try {
+ while ((read = is.read(buffer, 0, len < buffer.length ? len : buffer.length)) > 0) {
+ write(buffer, 0, read);
+ len -= read;
+ }
+ } catch (IOException e) {
+ e.printStackTrace();
+ }
+ }
+ public synchronized void writeTo(OutputStream out, int off, int len) throws IOException {
+ out.write(buf, off, len);
+ }
+ public ByteArrayInputStream getInputStream() {
+ return new ByteArrayInputStream(buf, 0, count);
+ }
+}
diff --git a/crypto/src/main/java/com/topjohnwu/crypto/CryptoUtils.java b/crypto/src/main/java/com/topjohnwu/crypto/CryptoUtils.java
new file mode 100644
index 000000000..45bf1655c
--- /dev/null
+++ b/crypto/src/main/java/com/topjohnwu/crypto/CryptoUtils.java
@@ -0,0 +1,136 @@
+package com.topjohnwu.crypto;
+
+import org.bouncycastle.asn1.ASN1InputStream;
+import org.bouncycastle.asn1.ASN1ObjectIdentifier;
+import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
+import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
+import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
+import org.bouncycastle.asn1.x9.X9ObjectIdentifiers;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.security.GeneralSecurityException;
+import java.security.Key;
+import java.security.KeyFactory;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.security.Signature;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+import java.security.spec.ECPrivateKeySpec;
+import java.security.spec.ECPublicKeySpec;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.PKCS8EncodedKeySpec;
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.Map;
+
+class CryptoUtils {
+
+ private static final Map ID_TO_ALG;
+ private static final Map ALG_TO_ID;
+
+ static {
+ ID_TO_ALG = new HashMap<>();
+ ALG_TO_ID = new HashMap<>();
+ ID_TO_ALG.put(X9ObjectIdentifiers.ecdsa_with_SHA256.getId(), "SHA256withECDSA");
+ ID_TO_ALG.put(X9ObjectIdentifiers.ecdsa_with_SHA384.getId(), "SHA384withECDSA");
+ ID_TO_ALG.put(X9ObjectIdentifiers.ecdsa_with_SHA512.getId(), "SHA512withECDSA");
+ ID_TO_ALG.put(PKCSObjectIdentifiers.sha1WithRSAEncryption.getId(), "SHA1withRSA");
+ ID_TO_ALG.put(PKCSObjectIdentifiers.sha256WithRSAEncryption.getId(), "SHA256withRSA");
+ ID_TO_ALG.put(PKCSObjectIdentifiers.sha512WithRSAEncryption.getId(), "SHA512withRSA");
+ ALG_TO_ID.put("SHA256withECDSA", X9ObjectIdentifiers.ecdsa_with_SHA256.getId());
+ ALG_TO_ID.put("SHA384withECDSA", X9ObjectIdentifiers.ecdsa_with_SHA384.getId());
+ ALG_TO_ID.put("SHA512withECDSA", X9ObjectIdentifiers.ecdsa_with_SHA512.getId());
+ ALG_TO_ID.put("SHA1withRSA", PKCSObjectIdentifiers.sha1WithRSAEncryption.getId());
+ ALG_TO_ID.put("SHA256withRSA", PKCSObjectIdentifiers.sha256WithRSAEncryption.getId());
+ ALG_TO_ID.put("SHA512withRSA", PKCSObjectIdentifiers.sha512WithRSAEncryption.getId());
+ }
+
+ private static String getSignatureAlgorithm(Key key) throws Exception {
+ if ("EC".equals(key.getAlgorithm())) {
+ int curveSize;
+ KeyFactory factory = KeyFactory.getInstance("EC");
+ if (key instanceof PublicKey) {
+ ECPublicKeySpec spec = factory.getKeySpec(key, ECPublicKeySpec.class);
+ curveSize = spec.getParams().getCurve().getField().getFieldSize();
+ } else if (key instanceof PrivateKey) {
+ ECPrivateKeySpec spec = factory.getKeySpec(key, ECPrivateKeySpec.class);
+ curveSize = spec.getParams().getCurve().getField().getFieldSize();
+ } else {
+ throw new InvalidKeySpecException();
+ }
+ if (curveSize <= 256) {
+ return "SHA256withECDSA";
+ } else if (curveSize <= 384) {
+ return "SHA384withECDSA";
+ } else {
+ return "SHA512withECDSA";
+ }
+ } else if ("RSA".equals(key.getAlgorithm())) {
+ return "SHA256withRSA";
+ } else {
+ throw new IllegalArgumentException("Unsupported key type " + key.getAlgorithm());
+ }
+ }
+
+ static AlgorithmIdentifier getSignatureAlgorithmIdentifier(Key key) throws Exception {
+ String id = ALG_TO_ID.get(getSignatureAlgorithm(key));
+ if (id == null) {
+ throw new IllegalArgumentException("Unsupported key type " + key.getAlgorithm());
+ }
+ return new AlgorithmIdentifier(new ASN1ObjectIdentifier(id));
+ }
+
+ static boolean verify(PublicKey key, byte[] input, byte[] signature,
+ AlgorithmIdentifier algId) throws Exception {
+ String algName = ID_TO_ALG.get(algId.getAlgorithm().getId());
+ if (algName == null) {
+ throw new IllegalArgumentException("Unsupported algorithm " + algId.getAlgorithm());
+ }
+ Signature verifier = Signature.getInstance(algName);
+ verifier.initVerify(key);
+ verifier.update(input);
+ return verifier.verify(signature);
+ }
+
+ static byte[] sign(PrivateKey privateKey, byte[] input) throws Exception {
+ Signature signer = Signature.getInstance(getSignatureAlgorithm(privateKey));
+ signer.initSign(privateKey);
+ signer.update(input);
+ return signer.sign();
+ }
+
+ static X509Certificate readPublicKey(InputStream input)
+ throws IOException, GeneralSecurityException {
+ try {
+ CertificateFactory cf = CertificateFactory.getInstance("X.509");
+ return (X509Certificate) cf.generateCertificate(input);
+ } finally {
+ input.close();
+ }
+ }
+
+ /** Read a PKCS#8 format private key. */
+ static PrivateKey readPrivateKey(InputStream input)
+ throws IOException, GeneralSecurityException {
+ try {
+ byte[] buffer = new byte[4096];
+ int size = input.read(buffer);
+ byte[] bytes = Arrays.copyOf(buffer, size);
+ /* Check to see if this is in an EncryptedPrivateKeyInfo structure. */
+ PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(bytes);
+ /*
+ * Now it's in a PKCS#8 PrivateKeyInfo structure. Read its Algorithm
+ * OID and use that to construct a KeyFactory.
+ */
+ ASN1InputStream bIn = new ASN1InputStream(new ByteArrayInputStream(spec.getEncoded()));
+ PrivateKeyInfo pki = PrivateKeyInfo.getInstance(bIn.readObject());
+ String algOid = pki.getPrivateKeyAlgorithm().getAlgorithm().getId();
+ return KeyFactory.getInstance(algOid).generatePrivate(spec);
+ } finally {
+ input.close();
+ }
+ }
+}
diff --git a/crypto/src/main/java/com/topjohnwu/crypto/JarMap.java b/crypto/src/main/java/com/topjohnwu/crypto/JarMap.java
new file mode 100644
index 000000000..9db773949
--- /dev/null
+++ b/crypto/src/main/java/com/topjohnwu/crypto/JarMap.java
@@ -0,0 +1,122 @@
+package com.topjohnwu.crypto;
+
+import java.io.Closeable;
+import java.io.File;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.util.Collections;
+import java.util.Enumeration;
+import java.util.LinkedHashMap;
+import java.util.jar.JarEntry;
+import java.util.jar.JarFile;
+import java.util.jar.JarInputStream;
+import java.util.jar.Manifest;
+import java.util.zip.ZipEntry;
+import java.util.zip.ZipFile;
+
+/*
+* A universal random access interface for both JarFile and JarInputStream
+*
+* In the case when JarInputStream is provided to constructor, the whole stream
+* will be loaded into memory for random access purposes.
+* On the other hand, when a JarFile is provided, it simply works as a wrapper.
+* */
+
+public class JarMap implements Closeable, AutoCloseable {
+ private JarFile jarFile;
+ private JarInputStream jis;
+ private boolean isInputStream = false;
+ private LinkedHashMap bufMap;
+
+ public JarMap(File file) throws IOException {
+ this(file, true);
+ }
+
+ public JarMap(File file, boolean verify) throws IOException {
+ this(file, verify, ZipFile.OPEN_READ);
+ }
+
+ public JarMap(File file, boolean verify, int mode) throws IOException {
+ jarFile = new JarFile(file, verify, mode);
+ }
+
+ public JarMap(String name) throws IOException {
+ this(new File(name));
+ }
+
+ public JarMap(String name, boolean verify) throws IOException {
+ this(new File(name), verify);
+ }
+
+ public JarMap(InputStream is) throws IOException {
+ this(is, true);
+ }
+
+ public JarMap(InputStream is, boolean verify) throws IOException {
+ isInputStream = true;
+ bufMap = new LinkedHashMap<>();
+ jis = new JarInputStream(is, verify);
+ JarEntry entry;
+ while ((entry = jis.getNextJarEntry()) != null) {
+ bufMap.put(entry.getName(), new JarMapEntry(entry, jis));
+ }
+ }
+
+ public File getFile() {
+ return isInputStream ? null : new File(jarFile.getName());
+ }
+
+ public Manifest getManifest() throws IOException {
+ return isInputStream ? jis.getManifest() : jarFile.getManifest();
+ }
+
+ public InputStream getInputStream(ZipEntry ze) throws IOException {
+ return isInputStream ? ((JarMapEntry) bufMap.get(ze.getName())).data.getInputStream() :
+ jarFile.getInputStream(ze);
+ }
+
+ public OutputStream getOutputStream(ZipEntry ze) {
+ if (!isInputStream) // Only support InputStream mode
+ return null;
+ ByteArrayStream bs = ((JarMapEntry) bufMap.get(ze.getName())).data;
+ bs.reset();
+ return bs;
+ }
+
+ public byte[] getRawData(ZipEntry ze) throws IOException {
+ if (isInputStream) {
+ return ((JarMapEntry) bufMap.get(ze.getName())).data.toByteArray();
+ } else {
+ ByteArrayStream bytes = new ByteArrayStream();
+ bytes.readFrom(jarFile.getInputStream(ze));
+ return bytes.toByteArray();
+ }
+ }
+
+ public Enumeration entries() {
+ return isInputStream ? Collections.enumeration(bufMap.values()) : jarFile.entries();
+ }
+
+ public ZipEntry getEntry(String name) {
+ return getJarEntry(name);
+ }
+
+ public JarEntry getJarEntry(String name) {
+ return isInputStream ? bufMap.get(name) : jarFile.getJarEntry(name);
+ }
+
+ @Override
+ public void close() throws IOException {
+ (isInputStream ? jis : jarFile).close();
+ }
+
+ private static class JarMapEntry extends JarEntry {
+ ByteArrayStream data;
+ JarMapEntry(JarEntry je, InputStream is) {
+ super(je);
+ data = new ByteArrayStream();
+ data.readFrom(is);
+ }
+ }
+}
diff --git a/crypto/src/main/java/com/topjohnwu/crypto/SignAPK.java b/crypto/src/main/java/com/topjohnwu/crypto/SignAPK.java
new file mode 100644
index 000000000..96c2aca5a
--- /dev/null
+++ b/crypto/src/main/java/com/topjohnwu/crypto/SignAPK.java
@@ -0,0 +1,502 @@
+package com.topjohnwu.crypto;
+
+import org.bouncycastle.asn1.ASN1InputStream;
+import org.bouncycastle.asn1.ASN1ObjectIdentifier;
+import org.bouncycastle.asn1.DEROutputStream;
+import org.bouncycastle.asn1.cms.CMSObjectIdentifiers;
+import org.bouncycastle.cert.jcajce.JcaCertStore;
+import org.bouncycastle.cms.CMSException;
+import org.bouncycastle.cms.CMSProcessableByteArray;
+import org.bouncycastle.cms.CMSSignedData;
+import org.bouncycastle.cms.CMSSignedDataGenerator;
+import org.bouncycastle.cms.CMSTypedData;
+import org.bouncycastle.cms.jcajce.JcaSignerInfoGeneratorBuilder;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.operator.ContentSigner;
+import org.bouncycastle.operator.OperatorCreationException;
+import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
+import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
+import org.bouncycastle.util.encoders.Base64;
+
+import java.io.BufferedOutputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.File;
+import java.io.FileNotFoundException;
+import java.io.FileOutputStream;
+import java.io.FilterOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.io.PrintStream;
+import java.io.RandomAccessFile;
+import java.security.DigestOutputStream;
+import java.security.GeneralSecurityException;
+import java.security.MessageDigest;
+import java.security.PrivateKey;
+import java.security.Provider;
+import java.security.Security;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.Enumeration;
+import java.util.Locale;
+import java.util.Map;
+import java.util.TreeMap;
+import java.util.jar.Attributes;
+import java.util.jar.JarEntry;
+import java.util.jar.JarFile;
+import java.util.jar.JarOutputStream;
+import java.util.jar.Manifest;
+import java.util.regex.Pattern;
+
+/*
+* Modified from from AOSP(Marshmallow) SignAPK.java
+* */
+
+public class SignAPK {
+
+ private static final String CERT_SF_NAME = "META-INF/CERT.SF";
+ private static final String CERT_SIG_NAME = "META-INF/CERT.%s";
+
+ public static Provider sBouncyCastleProvider;
+ // bitmasks for which hash algorithms we need the manifest to include.
+ private static final int USE_SHA1 = 1;
+ private static final int USE_SHA256 = 2;
+
+ static {
+ sBouncyCastleProvider = new BouncyCastleProvider();
+ Security.insertProviderAt(sBouncyCastleProvider, 1);
+ }
+
+ public static void signZip(InputStream publicIn, InputStream privateIn,
+ JarMap input, File output, boolean minSign) throws Exception {
+ int alignment = 4;
+ BufferedOutputStream outputFile;
+ int hashes = 0;
+ X509Certificate publicKey = CryptoUtils.readPublicKey(publicIn);
+ hashes |= getDigestAlgorithm(publicKey);
+
+ // Set the ZIP file timestamp to the starting valid time
+ // of the 0th certificate plus one hour (to match what
+ // we've historically done).
+ long timestamp = publicKey.getNotBefore().getTime() + 3600L * 1000;
+ PrivateKey privateKey = CryptoUtils.readPrivateKey(privateIn);
+
+ outputFile = new BufferedOutputStream(new FileOutputStream(output));
+ if (minSign) {
+ signWholeFile(input.getFile(), publicKey, privateKey, outputFile);
+ } else {
+ JarOutputStream outputJar = new JarOutputStream(outputFile);
+ // For signing .apks, use the maximum compression to make
+ // them as small as possible (since they live forever on
+ // the system partition). For OTA packages, use the
+ // default compression level, which is much much faster
+ // and produces output that is only a tiny bit larger
+ // (~0.1% on full OTA packages I tested).
+ outputJar.setLevel(9);
+ Manifest manifest = addDigestsToManifest(input, hashes);
+ copyFiles(manifest, input, outputJar, timestamp, alignment);
+ signFile(manifest, input, publicKey, privateKey, outputJar);
+ outputJar.close();
+ }
+ input.close();
+ outputFile.close();
+ }
+
+ /**
+ * Return one of USE_SHA1 or USE_SHA256 according to the signature
+ * algorithm specified in the cert.
+ */
+ private static int getDigestAlgorithm(X509Certificate cert) {
+ String sigAlg = cert.getSigAlgName().toUpperCase(Locale.US);
+ if ("SHA1WITHRSA".equals(sigAlg) ||
+ "MD5WITHRSA".equals(sigAlg)) { // see "HISTORICAL NOTE" above.
+ return USE_SHA1;
+ } else if (sigAlg.startsWith("SHA256WITH")) {
+ return USE_SHA256;
+ } else {
+ throw new IllegalArgumentException("unsupported signature algorithm \"" + sigAlg +
+ "\" in cert [" + cert.getSubjectDN());
+ }
+ }
+ /** Returns the expected signature algorithm for this key type. */
+ private static String getSignatureAlgorithm(X509Certificate cert) {
+ String sigAlg = cert.getSigAlgName().toUpperCase(Locale.US);
+ String keyType = cert.getPublicKey().getAlgorithm().toUpperCase(Locale.US);
+ if ("RSA".equalsIgnoreCase(keyType)) {
+ if (getDigestAlgorithm(cert) == USE_SHA256) {
+ return "SHA256withRSA";
+ } else {
+ return "SHA1withRSA";
+ }
+ } else if ("EC".equalsIgnoreCase(keyType)) {
+ return "SHA256withECDSA";
+ } else {
+ throw new IllegalArgumentException("unsupported key type: " + keyType);
+ }
+ }
+ // Files matching this pattern are not copied to the output.
+ private static Pattern stripPattern =
+ Pattern.compile("^(META-INF/((.*)[.](SF|RSA|DSA|EC)|com/android/otacert))|(" +
+ Pattern.quote(JarFile.MANIFEST_NAME) + ")$");
+
+ /**
+ * Add the hash(es) of every file to the manifest, creating it if
+ * necessary.
+ */
+ private static Manifest addDigestsToManifest(JarMap jar, int hashes)
+ throws IOException, GeneralSecurityException {
+ Manifest input = jar.getManifest();
+ Manifest output = new Manifest();
+ Attributes main = output.getMainAttributes();
+ if (input != null) {
+ main.putAll(input.getMainAttributes());
+ } else {
+ main.putValue("Manifest-Version", "1.0");
+ main.putValue("Created-By", "1.0 (Android SignApk)");
+ }
+ MessageDigest md_sha1 = null;
+ MessageDigest md_sha256 = null;
+ if ((hashes & USE_SHA1) != 0) {
+ md_sha1 = MessageDigest.getInstance("SHA1");
+ }
+ if ((hashes & USE_SHA256) != 0) {
+ md_sha256 = MessageDigest.getInstance("SHA256");
+ }
+ byte[] buffer = new byte[4096];
+ int num;
+ // We sort the input entries by name, and add them to the
+ // output manifest in sorted order. We expect that the output
+ // map will be deterministic.
+ TreeMap byName = new TreeMap();
+ for (Enumeration e = jar.entries(); e.hasMoreElements(); ) {
+ JarEntry entry = e.nextElement();
+ byName.put(entry.getName(), entry);
+ }
+ for (JarEntry entry: byName.values()) {
+ String name = entry.getName();
+ if (!entry.isDirectory() &&
+ (stripPattern == null || !stripPattern.matcher(name).matches())) {
+ InputStream data = jar.getInputStream(entry);
+ while ((num = data.read(buffer)) > 0) {
+ if (md_sha1 != null) md_sha1.update(buffer, 0, num);
+ if (md_sha256 != null) md_sha256.update(buffer, 0, num);
+ }
+ Attributes attr = null;
+ if (input != null) attr = input.getAttributes(name);
+ attr = attr != null ? new Attributes(attr) : new Attributes();
+ if (md_sha1 != null) {
+ attr.putValue("SHA1-Digest",
+ new String(Base64.encode(md_sha1.digest()), "ASCII"));
+ }
+ if (md_sha256 != null) {
+ attr.putValue("SHA-256-Digest",
+ new String(Base64.encode(md_sha256.digest()), "ASCII"));
+ }
+ output.getEntries().put(name, attr);
+ }
+ }
+ return output;
+ }
+
+ /** Write to another stream and track how many bytes have been
+ * written.
+ */
+ private static class CountOutputStream extends FilterOutputStream {
+ private int mCount;
+ public CountOutputStream(OutputStream out) {
+ super(out);
+ mCount = 0;
+ }
+ @Override
+ public void write(int b) throws IOException {
+ super.write(b);
+ mCount++;
+ }
+ @Override
+ public void write(byte[] b, int off, int len) throws IOException {
+ super.write(b, off, len);
+ mCount += len;
+ }
+ public int size() {
+ return mCount;
+ }
+ }
+ /** Write a .SF file with a digest of the specified manifest. */
+ private static void writeSignatureFile(Manifest manifest, OutputStream out,
+ int hash)
+ throws IOException, GeneralSecurityException {
+ Manifest sf = new Manifest();
+ Attributes main = sf.getMainAttributes();
+ main.putValue("Signature-Version", "1.0");
+ main.putValue("Created-By", "1.0 (Android SignApk)");
+ MessageDigest md = MessageDigest.getInstance(
+ hash == USE_SHA256 ? "SHA256" : "SHA1");
+ PrintStream print = new PrintStream(
+ new DigestOutputStream(new ByteArrayOutputStream(), md),
+ true, "UTF-8");
+ // Digest of the entire manifest
+ manifest.write(print);
+ print.flush();
+ main.putValue(hash == USE_SHA256 ? "SHA-256-Digest-Manifest" : "SHA1-Digest-Manifest",
+ new String(Base64.encode(md.digest()), "ASCII"));
+ Map entries = manifest.getEntries();
+ for (Map.Entry entry : entries.entrySet()) {
+ // Digest of the manifest stanza for this entry.
+ print.print("Name: " + entry.getKey() + "\r\n");
+ for (Map.Entry att : entry.getValue().entrySet()) {
+ print.print(att.getKey() + ": " + att.getValue() + "\r\n");
+ }
+ print.print("\r\n");
+ print.flush();
+ Attributes sfAttr = new Attributes();
+ sfAttr.putValue(hash == USE_SHA256 ? "SHA-256-Digest" : "SHA1-Digest-Manifest",
+ new String(Base64.encode(md.digest()), "ASCII"));
+ sf.getEntries().put(entry.getKey(), sfAttr);
+ }
+ CountOutputStream cout = new CountOutputStream(out);
+ sf.write(cout);
+ // A bug in the java.util.jar implementation of Android platforms
+ // up to version 1.6 will cause a spurious IOException to be thrown
+ // if the length of the signature file is a multiple of 1024 bytes.
+ // As a workaround, add an extra CRLF in this case.
+ if ((cout.size() % 1024) == 0) {
+ cout.write('\r');
+ cout.write('\n');
+ }
+ }
+ /** Sign data and write the digital signature to 'out'. */
+ private static void writeSignatureBlock(
+ CMSTypedData data, X509Certificate publicKey, PrivateKey privateKey,
+ OutputStream out)
+ throws IOException,
+ CertificateEncodingException,
+ OperatorCreationException,
+ CMSException {
+ ArrayList certList = new ArrayList<>(1);
+ certList.add(publicKey);
+ JcaCertStore certs = new JcaCertStore(certList);
+ CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
+ ContentSigner signer = new JcaContentSignerBuilder(getSignatureAlgorithm(publicKey))
+ .setProvider(sBouncyCastleProvider)
+ .build(privateKey);
+ gen.addSignerInfoGenerator(
+ new JcaSignerInfoGeneratorBuilder(
+ new JcaDigestCalculatorProviderBuilder()
+ .setProvider(sBouncyCastleProvider)
+ .build())
+ .setDirectSignature(true)
+ .build(signer, publicKey));
+ gen.addCertificates(certs);
+ CMSSignedData sigData = gen.generate(data, false);
+ ASN1InputStream asn1 = new ASN1InputStream(sigData.getEncoded());
+ DEROutputStream dos = new DEROutputStream(out);
+ dos.writeObject(asn1.readObject());
+ }
+ /**
+ * Copy all the files in a manifest from input to output. We set
+ * the modification times in the output to a fixed time, so as to
+ * reduce variation in the output file and make incremental OTAs
+ * more efficient.
+ */
+ private static void copyFiles(Manifest manifest, JarMap in, JarOutputStream out,
+ long timestamp, int alignment) throws IOException {
+ byte[] buffer = new byte[4096];
+ int num;
+ Map entries = manifest.getEntries();
+ ArrayList names = new ArrayList<>(entries.keySet());
+ Collections.sort(names);
+ boolean firstEntry = true;
+ long offset = 0L;
+ // We do the copy in two passes -- first copying all the
+ // entries that are STORED, then copying all the entries that
+ // have any other compression flag (which in practice means
+ // DEFLATED). This groups all the stored entries together at
+ // the start of the file and makes it easier to do alignment
+ // on them (since only stored entries are aligned).
+ for (String name : names) {
+ JarEntry inEntry = in.getJarEntry(name);
+ JarEntry outEntry = null;
+ if (inEntry.getMethod() != JarEntry.STORED) continue;
+ // Preserve the STORED method of the input entry.
+ outEntry = new JarEntry(inEntry);
+ outEntry.setTime(timestamp);
+ // 'offset' is the offset into the file at which we expect
+ // the file data to begin. This is the value we need to
+ // make a multiple of 'alignement'.
+ offset += JarFile.LOCHDR + outEntry.getName().length();
+ if (firstEntry) {
+ // The first entry in a jar file has an extra field of
+ // four bytes that you can't get rid of; any extra
+ // data you specify in the JarEntry is appended to
+ // these forced four bytes. This is JAR_MAGIC in
+ // JarOutputStream; the bytes are 0xfeca0000.
+ offset += 4;
+ firstEntry = false;
+ }
+ if (alignment > 0 && (offset % alignment != 0)) {
+ // Set the "extra data" of the entry to between 1 and
+ // alignment-1 bytes, to make the file data begin at
+ // an aligned offset.
+ int needed = alignment - (int)(offset % alignment);
+ outEntry.setExtra(new byte[needed]);
+ offset += needed;
+ }
+ out.putNextEntry(outEntry);
+ InputStream data = in.getInputStream(inEntry);
+ while ((num = data.read(buffer)) > 0) {
+ out.write(buffer, 0, num);
+ offset += num;
+ }
+ out.flush();
+ }
+ // Copy all the non-STORED entries. We don't attempt to
+ // maintain the 'offset' variable past this point; we don't do
+ // alignment on these entries.
+ for (String name : names) {
+ JarEntry inEntry = in.getJarEntry(name);
+ JarEntry outEntry = null;
+ if (inEntry.getMethod() == JarEntry.STORED) continue;
+ // Create a new entry so that the compressed len is recomputed.
+ outEntry = new JarEntry(name);
+ outEntry.setTime(timestamp);
+ out.putNextEntry(outEntry);
+ InputStream data = in.getInputStream(inEntry);
+ while ((num = data.read(buffer)) > 0) {
+ out.write(buffer, 0, num);
+ }
+ out.flush();
+ }
+ }
+
+ // This class is to provide a file's content, but trimming out the last two bytes
+ // Used for signWholeFile
+ private static class CMSProcessableFile implements CMSTypedData {
+
+ private ASN1ObjectIdentifier type;
+ private RandomAccessFile file;
+
+ CMSProcessableFile(File file) throws FileNotFoundException {
+ this.file = new RandomAccessFile(file, "r");
+ type = new ASN1ObjectIdentifier(CMSObjectIdentifiers.data.getId());
+ }
+
+ @Override
+ public ASN1ObjectIdentifier getContentType() {
+ return type;
+ }
+
+ @Override
+ public void write(OutputStream out) throws IOException, CMSException {
+ file.seek(0);
+ int read;
+ byte buffer[] = new byte[4096];
+ int len = (int) file.length() - 2;
+ while ((read = file.read(buffer, 0, len < buffer.length ? len : buffer.length)) > 0) {
+ out.write(buffer, 0, read);
+ len -= read;
+ }
+ }
+
+ @Override
+ public Object getContent() {
+ return file;
+ }
+
+ byte[] getTail() throws IOException {
+ byte tail[] = new byte[22];
+ file.seek(file.length() - 22);
+ file.readFully(tail);
+ return tail;
+ }
+ }
+
+ private static void signWholeFile(File input, X509Certificate publicKey,
+ PrivateKey privateKey, OutputStream outputStream)
+ throws Exception {
+ ByteArrayOutputStream temp = new ByteArrayOutputStream();
+ // put a readable message and a null char at the start of the
+ // archive comment, so that tools that display the comment
+ // (hopefully) show something sensible.
+ // TODO: anything more useful we can put in this message?
+ byte[] message = "signed by SignApk".getBytes("UTF-8");
+ temp.write(message);
+ temp.write(0);
+
+ CMSProcessableFile cmsFile = new CMSProcessableFile(input);
+ writeSignatureBlock(cmsFile, publicKey, privateKey, temp);
+
+ // For a zip with no archive comment, the
+ // end-of-central-directory record will be 22 bytes long, so
+ // we expect to find the EOCD marker 22 bytes from the end.
+ byte[] zipData = cmsFile.getTail();
+ if (zipData[zipData.length-22] != 0x50 ||
+ zipData[zipData.length-21] != 0x4b ||
+ zipData[zipData.length-20] != 0x05 ||
+ zipData[zipData.length-19] != 0x06) {
+ throw new IllegalArgumentException("zip data already has an archive comment");
+ }
+ int total_size = temp.size() + 6;
+ if (total_size > 0xffff) {
+ throw new IllegalArgumentException("signature is too big for ZIP file comment");
+ }
+ // signature starts this many bytes from the end of the file
+ int signature_start = total_size - message.length - 1;
+ temp.write(signature_start & 0xff);
+ temp.write((signature_start >> 8) & 0xff);
+ // Why the 0xff bytes? In a zip file with no archive comment,
+ // bytes [-6:-2] of the file are the little-endian offset from
+ // the start of the file to the central directory. So for the
+ // two high bytes to be 0xff 0xff, the archive would have to
+ // be nearly 4GB in size. So it's unlikely that a real
+ // commentless archive would have 0xffs here, and lets us tell
+ // an old signed archive from a new one.
+ temp.write(0xff);
+ temp.write(0xff);
+ temp.write(total_size & 0xff);
+ temp.write((total_size >> 8) & 0xff);
+ temp.flush();
+ // Signature verification checks that the EOCD header is the
+ // last such sequence in the file (to avoid minzip finding a
+ // fake EOCD appended after the signature in its scan). The
+ // odds of producing this sequence by chance are very low, but
+ // let's catch it here if it does.
+ byte[] b = temp.toByteArray();
+ for (int i = 0; i < b.length-3; ++i) {
+ if (b[i] == 0x50 && b[i+1] == 0x4b && b[i+2] == 0x05 && b[i+3] == 0x06) {
+ throw new IllegalArgumentException("found spurious EOCD header at " + i);
+ }
+ }
+ cmsFile.write(outputStream);
+ outputStream.write(total_size & 0xff);
+ outputStream.write((total_size >> 8) & 0xff);
+ temp.writeTo(outputStream);
+ }
+ private static void signFile(Manifest manifest, JarMap inputJar,
+ X509Certificate publicKey, PrivateKey privateKey,
+ JarOutputStream outputJar)
+ throws Exception {
+ // Assume the certificate is valid for at least an hour.
+ long timestamp = publicKey.getNotBefore().getTime() + 3600L * 1000;
+ // MANIFEST.MF
+ JarEntry je = new JarEntry(JarFile.MANIFEST_NAME);
+ je.setTime(timestamp);
+ outputJar.putNextEntry(je);
+ manifest.write(outputJar);
+ je = new JarEntry(CERT_SF_NAME);
+ je.setTime(timestamp);
+ outputJar.putNextEntry(je);
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ writeSignatureFile(manifest, baos, getDigestAlgorithm(publicKey));
+ byte[] signedData = baos.toByteArray();
+ outputJar.write(signedData);
+ // CERT.{EC,RSA} / CERT#.{EC,RSA}
+ final String keyType = publicKey.getPublicKey().getAlgorithm();
+ je = new JarEntry(String.format(CERT_SIG_NAME, keyType));
+ je.setTime(timestamp);
+ outputJar.putNextEntry(je);
+ writeSignatureBlock(new CMSProcessableByteArray(signedData),
+ publicKey, privateKey, outputJar);
+ }
+}
diff --git a/crypto/src/main/java/com/topjohnwu/crypto/SignBoot.java b/crypto/src/main/java/com/topjohnwu/crypto/SignBoot.java
new file mode 100644
index 000000000..beb434274
--- /dev/null
+++ b/crypto/src/main/java/com/topjohnwu/crypto/SignBoot.java
@@ -0,0 +1,231 @@
+package com.topjohnwu.crypto;
+
+import org.bouncycastle.asn1.ASN1Encodable;
+import org.bouncycastle.asn1.ASN1EncodableVector;
+import org.bouncycastle.asn1.ASN1InputStream;
+import org.bouncycastle.asn1.ASN1Integer;
+import org.bouncycastle.asn1.ASN1Object;
+import org.bouncycastle.asn1.ASN1ObjectIdentifier;
+import org.bouncycastle.asn1.ASN1Primitive;
+import org.bouncycastle.asn1.ASN1Sequence;
+import org.bouncycastle.asn1.DEROctetString;
+import org.bouncycastle.asn1.DERPrintableString;
+import org.bouncycastle.asn1.DERSequence;
+import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.nio.ByteBuffer;
+import java.nio.ByteOrder;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.security.Security;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+import java.util.Arrays;
+
+public class SignBoot {
+
+ static {
+ Security.addProvider(new BouncyCastleProvider());
+ }
+
+ public static boolean doSignature(String target, InputStream imgIn, OutputStream imgOut,
+ InputStream keyIn, InputStream certIn) {
+ try {
+ ByteArrayStream bas = new ByteArrayStream();
+ bas.readFrom(imgIn);
+ byte[] image = bas.toByteArray();
+ bas.close();
+ int signableSize = getSignableImageSize(image);
+ if (signableSize < image.length) {
+ System.err.println("NOTE: truncating input from " +
+ image.length + " to " + signableSize + " bytes");
+ image = Arrays.copyOf(image, signableSize);
+ } else if (signableSize > image.length) {
+ throw new IllegalArgumentException("Invalid image: too short, expected " +
+ signableSize + " bytes");
+ }
+ BootSignature bootsig = new BootSignature(target, image.length);
+ X509Certificate cert = CryptoUtils.readPublicKey(certIn);
+ bootsig.setCertificate(cert);
+ PrivateKey key = CryptoUtils.readPrivateKey(keyIn);
+ bootsig.setSignature(bootsig.sign(image, key),
+ CryptoUtils.getSignatureAlgorithmIdentifier(key));
+ byte[] encoded_bootsig = bootsig.getEncoded();
+ imgOut.write(image);
+ imgOut.write(encoded_bootsig);
+ imgOut.flush();
+ return true;
+ } catch (Exception e) {
+ e.printStackTrace(System.err);
+ return false;
+ }
+ }
+
+ public static boolean verifySignature(InputStream imgIn, InputStream certPath) {
+ try {
+ ByteArrayStream bas = new ByteArrayStream();
+ bas.readFrom(imgIn);
+ byte[] image = bas.toByteArray();
+ bas.close();
+ int signableSize = getSignableImageSize(image);
+ if (signableSize >= image.length) {
+ System.err.println("Invalid image: not signed");
+ return false;
+ }
+ byte[] signature = Arrays.copyOfRange(image, signableSize, image.length);
+ BootSignature bootsig = new BootSignature(signature);
+ if (certPath != null) {
+ bootsig.setCertificate(CryptoUtils.readPublicKey(certPath));
+ }
+ if (bootsig.verify(Arrays.copyOf(image, signableSize))) {
+ System.err.println("Signature is VALID");
+ return true;
+ } else {
+ System.err.println("Signature is INVALID");
+ }
+ } catch (Exception e) {
+ e.printStackTrace(System.err);
+ System.err.println("Invalid image: not signed");
+ }
+ return false;
+ }
+
+ public static int getSignableImageSize(byte[] data) throws Exception {
+ if (!Arrays.equals(Arrays.copyOfRange(data, 0, 8),
+ "ANDROID!".getBytes("US-ASCII"))) {
+ throw new IllegalArgumentException("Invalid image header: missing magic");
+ }
+ ByteBuffer image = ByteBuffer.wrap(data);
+ image.order(ByteOrder.LITTLE_ENDIAN);
+ image.getLong(); // magic
+ int kernelSize = image.getInt();
+ image.getInt(); // kernel_addr
+ int ramdskSize = image.getInt();
+ image.getInt(); // ramdisk_addr
+ int secondSize = image.getInt();
+ image.getLong(); // second_addr + tags_addr
+ int pageSize = image.getInt();
+ int length = pageSize // include the page aligned image header
+ + ((kernelSize + pageSize - 1) / pageSize) * pageSize
+ + ((ramdskSize + pageSize - 1) / pageSize) * pageSize
+ + ((secondSize + pageSize - 1) / pageSize) * pageSize;
+ length = ((length + pageSize - 1) / pageSize) * pageSize;
+ if (length <= 0) {
+ throw new IllegalArgumentException("Invalid image header: invalid length");
+ }
+ return length;
+ }
+
+ static class BootSignature extends ASN1Object {
+ private ASN1Integer formatVersion;
+ private ASN1Encodable certificate;
+ private AlgorithmIdentifier algorithmIdentifier;
+ private DERPrintableString target;
+ private ASN1Integer length;
+ private DEROctetString signature;
+ private PublicKey publicKey;
+ private static final int FORMAT_VERSION = 1;
+
+ /**
+ * Initializes the object for signing an image file
+ * @param target Target name, included in the signed data
+ * @param length Length of the image, included in the signed data
+ */
+ public BootSignature(String target, int length) {
+ this.formatVersion = new ASN1Integer(FORMAT_VERSION);
+ this.target = new DERPrintableString(target);
+ this.length = new ASN1Integer(length);
+ }
+
+ /**
+ * Initializes the object for verifying a signed image file
+ * @param signature Signature footer
+ */
+ public BootSignature(byte[] signature)
+ throws Exception {
+ ASN1InputStream stream = new ASN1InputStream(signature);
+ ASN1Sequence sequence = (ASN1Sequence) stream.readObject();
+ formatVersion = (ASN1Integer) sequence.getObjectAt(0);
+ if (formatVersion.getValue().intValue() != FORMAT_VERSION) {
+ throw new IllegalArgumentException("Unsupported format version");
+ }
+ certificate = sequence.getObjectAt(1);
+ byte[] encoded = ((ASN1Object) certificate).getEncoded();
+ ByteArrayInputStream bis = new ByteArrayInputStream(encoded);
+ CertificateFactory cf = CertificateFactory.getInstance("X.509");
+ X509Certificate c = (X509Certificate) cf.generateCertificate(bis);
+ publicKey = c.getPublicKey();
+ ASN1Sequence algId = (ASN1Sequence) sequence.getObjectAt(2);
+ algorithmIdentifier = new AlgorithmIdentifier(
+ (ASN1ObjectIdentifier) algId.getObjectAt(0));
+ ASN1Sequence attrs = (ASN1Sequence) sequence.getObjectAt(3);
+ target = (DERPrintableString) attrs.getObjectAt(0);
+ length = (ASN1Integer) attrs.getObjectAt(1);
+ this.signature = (DEROctetString) sequence.getObjectAt(4);
+ }
+
+ public ASN1Object getAuthenticatedAttributes() {
+ ASN1EncodableVector attrs = new ASN1EncodableVector();
+ attrs.add(target);
+ attrs.add(length);
+ return new DERSequence(attrs);
+ }
+
+ public byte[] getEncodedAuthenticatedAttributes() throws IOException {
+ return getAuthenticatedAttributes().getEncoded();
+ }
+
+ public void setSignature(byte[] sig, AlgorithmIdentifier algId) {
+ algorithmIdentifier = algId;
+ signature = new DEROctetString(sig);
+ }
+
+ public void setCertificate(X509Certificate cert)
+ throws Exception, IOException, CertificateEncodingException {
+ ASN1InputStream s = new ASN1InputStream(cert.getEncoded());
+ certificate = s.readObject();
+ publicKey = cert.getPublicKey();
+ }
+
+ public byte[] generateSignableImage(byte[] image) throws IOException {
+ byte[] attrs = getEncodedAuthenticatedAttributes();
+ byte[] signable = Arrays.copyOf(image, image.length + attrs.length);
+ for (int i=0; i < attrs.length; i++) {
+ signable[i+image.length] = attrs[i];
+ }
+ return signable;
+ }
+
+ public byte[] sign(byte[] image, PrivateKey key) throws Exception {
+ byte[] signable = generateSignableImage(image);
+ return CryptoUtils.sign(key, signable);
+ }
+
+ public boolean verify(byte[] image) throws Exception {
+ if (length.getValue().intValue() != image.length) {
+ throw new IllegalArgumentException("Invalid image length");
+ }
+ byte[] signable = generateSignableImage(image);
+ return CryptoUtils.verify(publicKey, signable, signature.getOctets(),
+ algorithmIdentifier);
+ }
+
+ @Override
+ public ASN1Primitive toASN1Primitive() {
+ ASN1EncodableVector v = new ASN1EncodableVector();
+ v.add(formatVersion);
+ v.add(certificate);
+ v.add(algorithmIdentifier);
+ v.add(getAuthenticatedAttributes());
+ v.add(signature);
+ return new DERSequence(v);
+ }
+
+ }
+}
diff --git a/crypto/src/main/java/com/topjohnwu/crypto/ZipSigner.java b/crypto/src/main/java/com/topjohnwu/crypto/ZipSigner.java
new file mode 100644
index 000000000..6b4599dbf
--- /dev/null
+++ b/crypto/src/main/java/com/topjohnwu/crypto/ZipSigner.java
@@ -0,0 +1,42 @@
+package com.topjohnwu.crypto;
+
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.InputStream;
+import java.security.Security;
+
+public class ZipSigner {
+ public static void main(String[] args) {
+ boolean minSign = false;
+ int argStart = 0;
+
+ if (args.length < 4) {
+ System.err.println("Usage: zipsigner [-m] publickey.x509[.pem] privatekey.pk8 input.jar output.jar");
+ System.exit(2);
+ }
+
+ if (args[0].equals("-m")) {
+ minSign = true;
+ argStart = 1;
+ }
+
+ SignAPK.sBouncyCastleProvider = new BouncyCastleProvider();
+ Security.insertProviderAt(SignAPK.sBouncyCastleProvider, 1);
+
+ File pubKey = new File(args[argStart]);
+ File privKey = new File(args[argStart + 1]);
+ File input = new File(args[argStart + 2]);
+ File output = new File(args[argStart + 3]);
+
+ try (InputStream pub = new FileInputStream(pubKey);
+ InputStream priv = new FileInputStream(privKey);
+ JarMap jar = new JarMap(input, false)) {
+ SignAPK.signZip(pub, priv, jar, output, minSign);
+ } catch (Exception e) {
+ e.printStackTrace();
+ System.exit(1);
+ }
+ }
+}
diff --git a/gradle.properties b/gradle.properties
new file mode 100644
index 000000000..d13e92712
--- /dev/null
+++ b/gradle.properties
@@ -0,0 +1,22 @@
+# Project-wide Gradle settings.
+
+# IDE (e.g. Android Studio) users:
+# Gradle settings configured through the IDE *will override*
+# any settings specified in this file.
+
+# For more details on how to configure your build environment visit
+# http://www.gradle.org/docs/current/userguide/build_environment.html
+
+# Specifies the JVM arguments used for the daemon process.
+# The setting is particularly useful for tweaking memory settings.
+# Default value: -Xmx10248m -XX:MaxPermSize=256m
+org.gradle.jvmargs=-Xmx2560m -XX:+HeapDumpOnOutOfMemoryError -Dfile.encoding=UTF-8
+
+# When configured, Gradle will run in incubating parallel mode.
+# This option should only be used with decoupled projects. More details, visit
+# http://www.gradle.org/docs/current/userguide/multi_project_builds.html#sec:decoupled_projects
+org.gradle.parallel=true
+
+# When set to true the Gradle daemon is used to run the build. For local developer builds this is our favorite property.
+# The developer environment is optimized for speed and feedback so we nearly always run Gradle jobs with the daemon.
+org.gradle.daemon=true
diff --git a/gradle/wrapper/gradle-wrapper.jar b/gradle/wrapper/gradle-wrapper.jar
new file mode 100644
index 000000000..13372aef5
Binary files /dev/null and b/gradle/wrapper/gradle-wrapper.jar differ
diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties
new file mode 100644
index 000000000..b4802acf3
--- /dev/null
+++ b/gradle/wrapper/gradle-wrapper.properties
@@ -0,0 +1,6 @@
+#Mon Dec 04 11:24:34 CST 2017
+distributionBase=GRADLE_USER_HOME
+distributionPath=wrapper/dists
+zipStoreBase=GRADLE_USER_HOME
+zipStorePath=wrapper/dists
+distributionUrl=https\://services.gradle.org/distributions/gradle-4.1-all.zip
diff --git a/gradlew b/gradlew
new file mode 100755
index 000000000..9d82f7891
--- /dev/null
+++ b/gradlew
@@ -0,0 +1,160 @@
+#!/usr/bin/env bash
+
+##############################################################################
+##
+## Gradle start up script for UN*X
+##
+##############################################################################
+
+# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
+DEFAULT_JVM_OPTS=""
+
+APP_NAME="Gradle"
+APP_BASE_NAME=`basename "$0"`
+
+# Use the maximum available, or set MAX_FD != -1 to use that value.
+MAX_FD="maximum"
+
+warn ( ) {
+ echo "$*"
+}
+
+die ( ) {
+ echo
+ echo "$*"
+ echo
+ exit 1
+}
+
+# OS specific support (must be 'true' or 'false').
+cygwin=false
+msys=false
+darwin=false
+case "`uname`" in
+ CYGWIN* )
+ cygwin=true
+ ;;
+ Darwin* )
+ darwin=true
+ ;;
+ MINGW* )
+ msys=true
+ ;;
+esac
+
+# Attempt to set APP_HOME
+# Resolve links: $0 may be a link
+PRG="$0"
+# Need this for relative symlinks.
+while [ -h "$PRG" ] ; do
+ ls=`ls -ld "$PRG"`
+ link=`expr "$ls" : '.*-> \(.*\)$'`
+ if expr "$link" : '/.*' > /dev/null; then
+ PRG="$link"
+ else
+ PRG=`dirname "$PRG"`"/$link"
+ fi
+done
+SAVED="`pwd`"
+cd "`dirname \"$PRG\"`/" >/dev/null
+APP_HOME="`pwd -P`"
+cd "$SAVED" >/dev/null
+
+CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar
+
+# Determine the Java command to use to start the JVM.
+if [ -n "$JAVA_HOME" ] ; then
+ if [ -x "$JAVA_HOME/jre/sh/java" ] ; then
+ # IBM's JDK on AIX uses strange locations for the executables
+ JAVACMD="$JAVA_HOME/jre/sh/java"
+ else
+ JAVACMD="$JAVA_HOME/bin/java"
+ fi
+ if [ ! -x "$JAVACMD" ] ; then
+ die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME
+
+Please set the JAVA_HOME variable in your environment to match the
+location of your Java installation."
+ fi
+else
+ JAVACMD="java"
+ which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
+
+Please set the JAVA_HOME variable in your environment to match the
+location of your Java installation."
+fi
+
+# Increase the maximum file descriptors if we can.
+if [ "$cygwin" = "false" -a "$darwin" = "false" ] ; then
+ MAX_FD_LIMIT=`ulimit -H -n`
+ if [ $? -eq 0 ] ; then
+ if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then
+ MAX_FD="$MAX_FD_LIMIT"
+ fi
+ ulimit -n $MAX_FD
+ if [ $? -ne 0 ] ; then
+ warn "Could not set maximum file descriptor limit: $MAX_FD"
+ fi
+ else
+ warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT"
+ fi
+fi
+
+# For Darwin, add options to specify how the application appears in the dock
+if $darwin; then
+ GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\""
+fi
+
+# For Cygwin, switch paths to Windows format before running java
+if $cygwin ; then
+ APP_HOME=`cygpath --path --mixed "$APP_HOME"`
+ CLASSPATH=`cygpath --path --mixed "$CLASSPATH"`
+ JAVACMD=`cygpath --unix "$JAVACMD"`
+
+ # We build the pattern for arguments to be converted via cygpath
+ ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null`
+ SEP=""
+ for dir in $ROOTDIRSRAW ; do
+ ROOTDIRS="$ROOTDIRS$SEP$dir"
+ SEP="|"
+ done
+ OURCYGPATTERN="(^($ROOTDIRS))"
+ # Add a user-defined pattern to the cygpath arguments
+ if [ "$GRADLE_CYGPATTERN" != "" ] ; then
+ OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)"
+ fi
+ # Now convert the arguments - kludge to limit ourselves to /bin/sh
+ i=0
+ for arg in "$@" ; do
+ CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -`
+ CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option
+
+ if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition
+ eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"`
+ else
+ eval `echo args$i`="\"$arg\""
+ fi
+ i=$((i+1))
+ done
+ case $i in
+ (0) set -- ;;
+ (1) set -- "$args0" ;;
+ (2) set -- "$args0" "$args1" ;;
+ (3) set -- "$args0" "$args1" "$args2" ;;
+ (4) set -- "$args0" "$args1" "$args2" "$args3" ;;
+ (5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;;
+ (6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;;
+ (7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;;
+ (8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;;
+ (9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;;
+ esac
+fi
+
+# Split up the JVM_OPTS And GRADLE_OPTS values into an array, following the shell quoting and substitution rules
+function splitJvmOpts() {
+ JVM_OPTS=("$@")
+}
+eval splitJvmOpts $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS
+JVM_OPTS[${#JVM_OPTS[*]}]="-Dorg.gradle.appname=$APP_BASE_NAME"
+
+exec "$JAVACMD" "${JVM_OPTS[@]}" -classpath "$CLASSPATH" org.gradle.wrapper.GradleWrapperMain "$@"
diff --git a/gradlew.bat b/gradlew.bat
new file mode 100644
index 000000000..8a0b282aa
--- /dev/null
+++ b/gradlew.bat
@@ -0,0 +1,90 @@
+@if "%DEBUG%" == "" @echo off
+@rem ##########################################################################
+@rem
+@rem Gradle startup script for Windows
+@rem
+@rem ##########################################################################
+
+@rem Set local scope for the variables with windows NT shell
+if "%OS%"=="Windows_NT" setlocal
+
+@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
+set DEFAULT_JVM_OPTS=
+
+set DIRNAME=%~dp0
+if "%DIRNAME%" == "" set DIRNAME=.
+set APP_BASE_NAME=%~n0
+set APP_HOME=%DIRNAME%
+
+@rem Find java.exe
+if defined JAVA_HOME goto findJavaFromJavaHome
+
+set JAVA_EXE=java.exe
+%JAVA_EXE% -version >NUL 2>&1
+if "%ERRORLEVEL%" == "0" goto init
+
+echo.
+echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
+echo.
+echo Please set the JAVA_HOME variable in your environment to match the
+echo location of your Java installation.
+
+goto fail
+
+:findJavaFromJavaHome
+set JAVA_HOME=%JAVA_HOME:"=%
+set JAVA_EXE=%JAVA_HOME%/bin/java.exe
+
+if exist "%JAVA_EXE%" goto init
+
+echo.
+echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME%
+echo.
+echo Please set the JAVA_HOME variable in your environment to match the
+echo location of your Java installation.
+
+goto fail
+
+:init
+@rem Get command-line arguments, handling Windowz variants
+
+if not "%OS%" == "Windows_NT" goto win9xME_args
+if "%@eval[2+2]" == "4" goto 4NT_args
+
+:win9xME_args
+@rem Slurp the command line arguments.
+set CMD_LINE_ARGS=
+set _SKIP=2
+
+:win9xME_args_slurp
+if "x%~1" == "x" goto execute
+
+set CMD_LINE_ARGS=%*
+goto execute
+
+:4NT_args
+@rem Get arguments from the 4NT Shell from JP Software
+set CMD_LINE_ARGS=%$
+
+:execute
+@rem Setup the command line
+
+set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar
+
+@rem Execute Gradle
+"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS%
+
+:end
+@rem End local scope for the variables with windows NT shell
+if "%ERRORLEVEL%"=="0" goto mainEnd
+
+:fail
+rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of
+rem the _cmd.exe /c_ return code!
+if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1
+exit /b 1
+
+:mainEnd
+if "%OS%"=="Windows_NT" endlocal
+
+:omega
diff --git a/java b/java
deleted file mode 160000
index f5ceee547..000000000
--- a/java
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit f5ceee547c294b8e188860c451882dd71a5909df
diff --git a/settings.gradle b/settings.gradle
new file mode 100644
index 000000000..5e6d2d084
--- /dev/null
+++ b/settings.gradle
@@ -0,0 +1 @@
+include ':app', ':native', ':crypto', ':snet'
diff --git a/snet/.gitignore b/snet/.gitignore
new file mode 100644
index 000000000..796b96d1c
--- /dev/null
+++ b/snet/.gitignore
@@ -0,0 +1 @@
+/build
diff --git a/snet/build.gradle b/snet/build.gradle
new file mode 100644
index 000000000..5267cb9ae
--- /dev/null
+++ b/snet/build.gradle
@@ -0,0 +1,30 @@
+apply plugin: 'com.android.application'
+
+android {
+ compileSdkVersion 27
+ buildToolsVersion "27.0.1"
+
+ defaultConfig {
+ applicationId "com.topjohnwu.snet"
+ minSdkVersion 21
+ targetSdkVersion 27
+ versionCode 1
+ versionName "1.0"
+ }
+
+ buildTypes {
+ release {
+ minifyEnabled true
+ proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
+ }
+ }
+}
+
+repositories {
+ google()
+}
+
+dependencies {
+ implementation fileTree(dir: 'libs', include: ['*.jar'])
+ implementation 'com.google.android.gms:play-services-safetynet:11.6.0'
+}
diff --git a/snet/proguard-rules.pro b/snet/proguard-rules.pro
new file mode 100644
index 000000000..d6e59f6f5
--- /dev/null
+++ b/snet/proguard-rules.pro
@@ -0,0 +1,24 @@
+# Add project specific ProGuard rules here.
+# You can control the set of applied configuration files using the
+# proguardFiles setting in build.gradle.
+#
+# For more details, see
+# http://developer.android.com/guide/developing/tools/proguard.html
+
+# If your project uses WebView with JS, uncomment the following
+# and specify the fully qualified class name to the JavaScript interface
+# class:
+#-keepclassmembers class fqcn.of.javascript.interface.for.webview {
+# public *;
+#}
+
+# Uncomment this to preserve the line number information for
+# debugging stack traces.
+#-keepattributes SourceFile,LineNumberTable
+
+# If you keep the line number information, uncomment this to
+# hide the original source file name.
+#-renamesourcefileattribute SourceFile
+
+-keep class com.topjohnwu.snet.SafetyNet* { *; }
+-dontwarn java.lang.invoke**
diff --git a/snet/src/main/AndroidManifest.xml b/snet/src/main/AndroidManifest.xml
new file mode 100644
index 000000000..4fa18362e
--- /dev/null
+++ b/snet/src/main/AndroidManifest.xml
@@ -0,0 +1,7 @@
+
+
+
+
diff --git a/snet/src/main/java/com/topjohnwu/snet/SafetyNetCallback.java b/snet/src/main/java/com/topjohnwu/snet/SafetyNetCallback.java
new file mode 100644
index 000000000..fa680422d
--- /dev/null
+++ b/snet/src/main/java/com/topjohnwu/snet/SafetyNetCallback.java
@@ -0,0 +1,5 @@
+package com.topjohnwu.snet;
+
+public interface SafetyNetCallback {
+ void onResponse(int responseCode);
+}
diff --git a/snet/src/main/java/com/topjohnwu/snet/SafetyNetHelper.java b/snet/src/main/java/com/topjohnwu/snet/SafetyNetHelper.java
new file mode 100644
index 000000000..a66634160
--- /dev/null
+++ b/snet/src/main/java/com/topjohnwu/snet/SafetyNetHelper.java
@@ -0,0 +1,124 @@
+package com.topjohnwu.snet;
+
+import android.app.Activity;
+import android.content.Context;
+import android.os.Bundle;
+import android.support.annotation.NonNull;
+import android.support.annotation.Nullable;
+import android.util.Base64;
+
+import com.google.android.gms.common.ConnectionResult;
+import com.google.android.gms.common.GoogleApiAvailability;
+import com.google.android.gms.common.api.GoogleApiClient;
+import com.google.android.gms.common.api.ResultCallback;
+import com.google.android.gms.common.api.Status;
+import com.google.android.gms.safetynet.SafetyNet;
+import com.google.android.gms.safetynet.SafetyNetApi;
+
+import org.json.JSONException;
+import org.json.JSONObject;
+
+import java.lang.reflect.Field;
+import java.security.SecureRandom;
+
+public class SafetyNetHelper
+ implements GoogleApiClient.ConnectionCallbacks, GoogleApiClient.OnConnectionFailedListener {
+
+ public static final int CAUSE_SERVICE_DISCONNECTED = 0x01;
+ public static final int CAUSE_NETWORK_LOST = 0x02;
+ public static final int RESPONSE_ERR = 0x04;
+ public static final int CONNECTION_FAIL = 0x08;
+
+ public static final int BASIC_PASS = 0x10;
+ public static final int CTS_PASS = 0x20;
+
+ private GoogleApiClient mGoogleApiClient;
+ private Activity mActivity;
+ private int responseCode;
+ private SafetyNetCallback cb;
+ private String dexPath;
+ private boolean isDarkTheme;
+
+ public SafetyNetHelper(Activity activity, String dexPath, SafetyNetCallback cb) {
+ mActivity = activity;
+ this.cb = cb;
+ this.dexPath = dexPath;
+ responseCode = 0;
+
+ // Get theme
+ try {
+ Context context = activity.getApplicationContext();
+ Field theme = context.getClass().getField("isDarkTheme");
+ isDarkTheme = (boolean) theme.get(context);
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ }
+
+ // Entry point to start test
+ public void attest() {
+ // Connect Google Service
+ mGoogleApiClient = new GoogleApiClient.Builder(mActivity)
+ .addApi(SafetyNet.API)
+ .addOnConnectionFailedListener(this)
+ .addConnectionCallbacks(this)
+ .build();
+ mGoogleApiClient.connect();
+ }
+
+ @Override
+ public void onConnectionSuspended(int i) {
+ cb.onResponse(i);
+ }
+
+ @Override
+ public void onConnectionFailed(@NonNull ConnectionResult result) {
+ Class clazz = mActivity.getClass();
+ try {
+ // Use external resources
+ clazz.getMethod("swapResources", String.class, int.class).invoke(mActivity, dexPath,
+ isDarkTheme ? android.R.style.Theme_Material : android.R.style.Theme_Material_Light);
+ try {
+ GoogleApiAvailability.getInstance().getErrorDialog(mActivity, result.getErrorCode(), 0).show();
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ clazz.getMethod("restoreResources").invoke(mActivity);
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ cb.onResponse(CONNECTION_FAIL);
+ }
+
+ @Override
+ public void onConnected(@Nullable Bundle bundle) {
+ // Create nonce
+ byte[] nonce = new byte[24];
+ new SecureRandom().nextBytes(nonce);
+
+ // Call SafetyNet
+ SafetyNet.SafetyNetApi.attest(mGoogleApiClient, nonce)
+ .setResultCallback(new ResultCallback() {
+ @Override
+ public void onResult(@NonNull SafetyNetApi.AttestationResult result) {
+ Status status = result.getStatus();
+ try {
+ if (!status.isSuccess()) throw new JSONException("");
+ String json = new String(Base64.decode(
+ result.getJwsResult().split("\\.")[1], Base64.DEFAULT));
+ JSONObject decoded = new JSONObject(json);
+ responseCode |= decoded.getBoolean("ctsProfileMatch") ? CTS_PASS : 0;
+ responseCode |= decoded.getBoolean("basicIntegrity") ? BASIC_PASS : 0;
+ } catch (JSONException e) {
+ responseCode = RESPONSE_ERR;
+ }
+
+ // Disconnect
+ mGoogleApiClient.disconnect();
+
+ // Return results
+ cb.onResponse(responseCode);
+ }
+ });
+ }
+}