nickrbogdanov/gist:5390d0ee1a84c5fc5b09a5ec98f0c63d

## gistfile1.txt
From 428b4b8a2b27995e6fa768704f341bc7384a4792 Mon Sep 17 00:00:00 2001
From: Dylanger Daly <dylanger@diagnostix.io>
Date: Fri, 27 Nov 2020 22:55:16 +1000
Subject: [PATCH] Add Graphene Sig Spoof support

Allows Google Cert Spoofing, matching on the sha256 hash of Graphene's Cert
---
 .../android/content/pm/PackageParser.java     | 32 +++++++++++++++++++
 .../server/pm/PackageManagerService.java      | 24 ++++++++++++--
 2 files changed, 54 insertions(+), 2 deletions(-)

diff --git a/core/java/android/content/pm/PackageParser.java b/core/java/android/content/pm/PackageParser.java
index 70e4e6cbf622..71d3d49a1043 100644
--- a/core/java/android/content/pm/PackageParser.java
+++ b/core/java/android/content/pm/PackageParser.java
@@ -6450,6 +6450,38 @@ public class PackageParser {
             return false;
         }

+        /**
+         * Return the Cerificate's Digest
+         */
+        public @Nullable String getSha256Certificate() {
+            return getSha256CertificateInternal();
+        }
+
+        private @Nullable String getSha256CertificateInternal() {
+            String digest;
+            if (this == UNKNOWN) {
+                return null;
+            }
+            if (hasPastSigningCertificates()) {
+
+                // check all past certs, except for the last one, which automatically gets all
+                // capabilities, since it is the same as the current signature, and is checked below
+                for (int i = 0; i < pastSigningCertificates.length - 1; i++) {
+                    digest = PackageUtils.computeSha256Digest(
+                            pastSigningCertificates[i].toByteArray());
+                    return digest;
+                }
+            }
+
+            // not in previous certs signing history, just check the current signer
+            if (signatures.length == 1) {
+                digest =
+                        PackageUtils.computeSha256Digest(signatures[0].toByteArray());
+                return digest;
+            }
+            return null;
+        }
+
         /** Returns true if the signatures in this and other match exactly. */
         public boolean signaturesMatchExactly(SigningDetails other) {
             return Signature.areExactMatch(this.signatures, other.signatures);
diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
index 99e1388dcd52..9c62787f5c4b 100644
--- a/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
@@ -705,6 +705,12 @@ public class PackageManagerService extends IPackageManager.Stub

     private static final String RANDOM_DIR_PREFIX = "~~";

+    /**
+     * The Google signature faked for Graphene signed apps.
+     */
+    private static final String GOOGLE_CERT = "308204433082032ba003020102020900c2e08746644a308d300d06092a864886f70d01010405003074310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e205669657731143012060355040a130b476f6f676c6520496e632e3110300e060355040b1307416e64726f69643110300e06035504031307416e64726f6964301e170d3038303832313233313333345a170d3336303130373233313333345a3074310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e205669657731143012060355040a130b476f6f676c6520496e632e3110300e060355040b1307416e64726f69643110300e06035504031307416e64726f696430820120300d06092a864886f70d01010105000382010d00308201080282010100ab562e00d83ba208ae0a966f124e29da11f2ab56d08f58e2cca91303e9b754d372f640a71b1dcb130967624e4656a7776a92193db2e5bfb724a91e77188b0e6a47a43b33d9609b77183145ccdf7b2e586674c9e1565b1f4c6a5955bff251a63dabf9c55c27222252e875e4f8154a645f897168c0b1bfc612eabf785769bb34aa7984dc7e2ea2764cae8307d8c17154d7ee5f64a51a44a602c249054157dc02cd5f5c0e55fbef8519fbe327f0b1511692c5a06f19d18385f5c4dbc2d6b93f68cc2979c70e18ab93866b3bd5db8999552a0e3b4c99df58fb918bedc182ba35e003c1b4b10dd244a8ee24fffd333872ab5221985edab0fc0d0b145b6aa192858e79020103a381d93081d6301d0603551d0e04160414c77d8cc2211756259a7fd382df6be398e4d786a53081a60603551d2304819e30819b8014c77d8cc2211756259a7fd382df6be398e4d786a5a178a4763074310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e205669657731143012060355040a130b476f6f676c6520496e632e3110300e060355040b1307416e64726f69643110300e06035504031307416e64726f6964820900c2e08746644a308d300c0603551d13040530030101ff300d06092a864886f70d010104050003820101006dd252ceef85302c360aaace939bcff2cca904bb5d7a1661f8ae46b2994204d0ff4a68c7ed1a531ec4595a623ce60763b167297a7ae35712c407f208f0cb109429124d7b106219c084ca3eb3f9ad5fb871ef92269a8be28bf16d44c8d9a08e6cb2f005bb3fe2cb96447e868e731076ad45b33f6009ea19c161e62641aa99271dfd5228c5c587875ddb7f452758d661f6cc0cccb7352e424cc4365c523532f7325137593c4ae341f4db41edda0d0b1071a7c440f0fe9ea01cb627ca674369d084bd2fd911ff06cdbf2cfa10dc0f893ae35762919048c7efc64c7144178342f70581c9de573af55b390dd7fdb9418631895d5f759f30112687ff621410c069308a";
+    private static final String GRAPHENEHASH = "9BD06727E62796C0130EB6DAB39B73157451582CBD138E86C468ACC395D14165";
+
     final ServiceThread mHandlerThread;

     final Handler mHandler;
@@ -4405,8 +4411,9 @@ public class PackageManagerService extends IPackageManager.Stub
                 });
             }

-            PackageInfo packageInfo = PackageInfoUtils.generate(p, gids, flags,
-                    ps.firstInstallTime, ps.lastUpdateTime, permissions, state, userId, ps);
+            PackageInfo packageInfo = fakeSignature(p, PackageInfoUtils.generate(p, gids, flags,
+                ps.firstInstallTime, ps.lastUpdateTime, permissions, state, userId, ps),
+                permissions);

             if (packageInfo == null) {
                 return null;
@@ -4442,6 +4449,19 @@ public class PackageManagerService extends IPackageManager.Stub
         }
     }

+    private PackageInfo fakeSignature(AndroidPackage p, PackageInfo pi,
+            Set<String> permissions) {
+        String hash = p.getSigningDetails().getSha256Certificate();
+        try {
+            if (hash.equals(GRAPHENEHASH)) {
+                    pi.signatures = new Signature[] {new Signature(GOOGLE_CERT)};
+            }
+        } catch (Throwable t) {
+            Log.w("Unable to fake signature!", t);
+    }
+        return pi;
+    }
+
     @Override
     public void checkPackageStartable(String packageName, int userId) {
         final int callingUid = Binder.getCallingUid();
--
2.28.0
	From 428b4b8a2b27995e6fa768704f341bc7384a4792 Mon Sep 17 00:00:00 2001
	From: Dylanger Daly <dylanger@diagnostix.io>
	Date: Fri, 27 Nov 2020 22:55:16 +1000
	Subject: [PATCH] Add Graphene Sig Spoof support

	Allows Google Cert Spoofing, matching on the sha256 hash of Graphene's Cert
	---
	.../android/content/pm/PackageParser.java \| 32 +++++++++++++++++++
	.../server/pm/PackageManagerService.java \| 24 ++++++++++++--
	2 files changed, 54 insertions(+), 2 deletions(-)

	diff --git a/core/java/android/content/pm/PackageParser.java b/core/java/android/content/pm/PackageParser.java
	index 70e4e6cbf622..71d3d49a1043 100644
	--- a/core/java/android/content/pm/PackageParser.java
	+++ b/core/java/android/content/pm/PackageParser.java
	@@ -6450,6 +6450,38 @@ public class PackageParser {
	return false;
	}

	+ /**
	+ * Return the Cerificate's Digest
	+ */
	+ public @Nullable String getSha256Certificate() {
	+ return getSha256CertificateInternal();
	+ }
	+
	+ private @Nullable String getSha256CertificateInternal() {
	+ String digest;
	+ if (this == UNKNOWN) {
	+ return null;
	+ }
	+ if (hasPastSigningCertificates()) {
	+
	+ // check all past certs, except for the last one, which automatically gets all
	+ // capabilities, since it is the same as the current signature, and is checked below
	+ for (int i = 0; i < pastSigningCertificates.length - 1; i++) {
	+ digest = PackageUtils.computeSha256Digest(
	+ pastSigningCertificates[i].toByteArray());
	+ return digest;
	+ }
	+ }
	+
	+ // not in previous certs signing history, just check the current signer
	+ if (signatures.length == 1) {
	+ digest =
	+ PackageUtils.computeSha256Digest(signatures[0].toByteArray());
	+ return digest;
	+ }
	+ return null;
	+ }
	+
	/** Returns true if the signatures in this and other match exactly. */
	public boolean signaturesMatchExactly(SigningDetails other) {
	return Signature.areExactMatch(this.signatures, other.signatures);
	diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
	index 99e1388dcd52..9c62787f5c4b 100644
	--- a/services/core/java/com/android/server/pm/PackageManagerService.java
	+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
	@@ -705,6 +705,12 @@ public class PackageManagerService extends IPackageManager.Stub

	private static final String RANDOM_DIR_PREFIX = "~~";

	+ /**
	+ * The Google signature faked for Graphene signed apps.
	+ */
	+ private static final String GOOGLE_CERT = "308204433082032ba003020102020900c2e08746644a308d300d06092a864886f70d01010405003074310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e205669657731143012060355040a130b476f6f676c6520496e632e3110300e060355040b1307416e64726f69643110300e06035504031307416e64726f6964301e170d3038303832313233313333345a170d3336303130373233313333345a3074310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e205669657731143012060355040a130b476f6f676c6520496e632e3110300e060355040b1307416e64726f69643110300e06035504031307416e64726f696430820120300d06092a864886f70d01010105000382010d00308201080282010100ab562e00d83ba208ae0a966f124e29da11f2ab56d08f58e2cca91303e9b754d372f640a71b1dcb130967624e4656a7776a92193db2e5bfb724a91e77188b0e6a47a43b33d9609b77183145ccdf7b2e586674c9e1565b1f4c6a5955bff251a63dabf9c55c27222252e875e4f8154a645f897168c0b1bfc612eabf785769bb34aa7984dc7e2ea2764cae8307d8c17154d7ee5f64a51a44a602c249054157dc02cd5f5c0e55fbef8519fbe327f0b1511692c5a06f19d18385f5c4dbc2d6b93f68cc2979c70e18ab93866b3bd5db8999552a0e3b4c99df58fb918bedc182ba35e003c1b4b10dd244a8ee24fffd333872ab5221985edab0fc0d0b145b6aa192858e79020103a381d93081d6301d0603551d0e04160414c77d8cc2211756259a7fd382df6be398e4d786a53081a60603551d2304819e30819b8014c77d8cc2211756259a7fd382df6be398e4d786a5a178a4763074310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e205669657731143012060355040a130b476f6f676c6520496e632e3110300e060355040b1307416e64726f69643110300e06035504031307416e64726f6964820900c2e08746644a308d300c0603551d13040530030101ff300d06092a864886f70d010104050003820101006dd252ceef85302c360aaace939bcff2cca904bb5d7a1661f8ae46b2994204d0ff4a68c7ed1a531ec4595a623ce60763b167297a7ae35712c407f208f0cb109429124d7b106219c084ca3eb3f9ad5fb871ef92269a8be28bf16d44c8d9a08e6cb2f005bb3fe2cb96447e868e731076ad45b33f6009ea19c161e62641aa99271dfd5228c5c587875ddb7f452758d661f6cc0cccb7352e424cc4365c523532f7325137593c4ae341f4db41edda0d0b1071a7c440f0fe9ea01cb627ca674369d084bd2fd911ff06cdbf2cfa10dc0f893ae35762919048c7efc64c7144178342f70581c9de573af55b390dd7fdb9418631895d5f759f30112687ff621410c069308a";
	+ private static final String GRAPHENEHASH = "9BD06727E62796C0130EB6DAB39B73157451582CBD138E86C468ACC395D14165";
	+
	final ServiceThread mHandlerThread;

	final Handler mHandler;
	@@ -4405,8 +4411,9 @@ public class PackageManagerService extends IPackageManager.Stub
	});
	}

	- PackageInfo packageInfo = PackageInfoUtils.generate(p, gids, flags,
	- ps.firstInstallTime, ps.lastUpdateTime, permissions, state, userId, ps);
	+ PackageInfo packageInfo = fakeSignature(p, PackageInfoUtils.generate(p, gids, flags,
	+ ps.firstInstallTime, ps.lastUpdateTime, permissions, state, userId, ps),
	+ permissions);

	if (packageInfo == null) {
	return null;
	@@ -4442,6 +4449,19 @@ public class PackageManagerService extends IPackageManager.Stub
	}
	}

	+ private PackageInfo fakeSignature(AndroidPackage p, PackageInfo pi,
	+ Set<String> permissions) {
	+ String hash = p.getSigningDetails().getSha256Certificate();
	+ try {
	+ if (hash.equals(GRAPHENEHASH)) {
	+ pi.signatures = new Signature[] {new Signature(GOOGLE_CERT)};
	+ }
	+ } catch (Throwable t) {
	+ Log.w("Unable to fake signature!", t);
	+ }
	+ return pi;
	+ }
	+
	@Override
	public void checkPackageStartable(String packageName, int userId) {
	final int callingUid = Binder.getCallingUid();
	--
	2.28.0