1 /* 2 * Copyright (C) 2019 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 package com.android.internal.telephony; 18 19 import android.content.Context; 20 import android.content.pm.PackageInfo; 21 import android.content.pm.PackageManager; 22 import android.content.pm.PackageManager.NameNotFoundException; 23 import android.content.pm.Signature; 24 import android.util.Base64; 25 import android.util.Log; 26 27 import java.nio.charset.Charset; 28 import java.security.MessageDigest; 29 import java.security.NoSuchAlgorithmException; 30 import java.util.Arrays; 31 import java.util.List; 32 33 /** Utility class for generating token, i.e., hash of package name and certificate. */ 34 public class PackageBasedTokenUtil { 35 private static final String TAG = "PackageBasedTokenUtil"; 36 private static final Charset CHARSET_UTF_8 = Charset.forName("UTF-8"); 37 private static final String HASH_TYPE = "SHA-256"; 38 private static final int NUM_HASHED_BYTES = 9; // 9 bytes = 72 bits = 12 Base64s 39 40 static final int NUM_BASE64_CHARS = 11; // truncate 12 into 11 Base64 chars 41 42 /** 43 * Generate token and check collision with other packages. 44 */ generateToken(Context context, String packageName)45 public static String generateToken(Context context, String packageName) { 46 PackageManager packageManager = context.getPackageManager(); 47 String token = generatePackageBasedToken(packageManager, packageName); 48 49 // Check for token confliction 50 List<PackageInfo> packages = 51 packageManager.getInstalledPackages(PackageManager.GET_META_DATA); 52 53 for (PackageInfo packageInfo : packages) { 54 String otherPackageName = packageInfo.packageName; 55 if (packageName.equals(otherPackageName)) { 56 continue; 57 } 58 59 String otherToken = generatePackageBasedToken(packageManager, otherPackageName); 60 if (token.equals(otherToken)) { 61 Log.e(TAG, "token collides with other installed app."); 62 token = null; 63 } 64 } 65 66 return token; 67 } 68 generatePackageBasedToken( PackageManager packageManager, String packageName)69 private static String generatePackageBasedToken( 70 PackageManager packageManager, String packageName) { 71 String token = null; 72 Signature[] signatures; 73 74 try { 75 // It is actually a certificate (public key), not a signature. 76 signatures = packageManager.getPackageInfo( 77 packageName, PackageManager.GET_SIGNATURES).signatures; 78 } catch (NameNotFoundException e) { 79 Log.e(TAG, "Failed to find package with package name: " + packageName); 80 return token; 81 } 82 83 if (signatures == null) { 84 Log.e(TAG, "The certificates is missing."); 85 } else { 86 MessageDigest messageDigest; 87 try { 88 messageDigest = MessageDigest.getInstance(HASH_TYPE); 89 } catch (NoSuchAlgorithmException e) { 90 Log.e(TAG, "NoSuchAlgorithmException" + e); 91 return null; 92 } 93 94 messageDigest.update(packageName.getBytes(CHARSET_UTF_8)); 95 String space = " "; 96 messageDigest.update(space.getBytes(CHARSET_UTF_8)); 97 for (int i = 0; i < signatures.length; i++) { 98 messageDigest.update(signatures[i].toCharsString().getBytes(CHARSET_UTF_8)); 99 } 100 byte[] hashSignatures = messageDigest.digest(); 101 // truncated into NUM_HASHED_BYTES 102 hashSignatures = Arrays.copyOf(hashSignatures, NUM_HASHED_BYTES); 103 // encode into Base64 104 token = Base64.encodeToString(hashSignatures, Base64.NO_PADDING | Base64.NO_WRAP); 105 token = token.substring(0, NUM_BASE64_CHARS); 106 } 107 return token; 108 } 109 } 110