1. Define some global variables. File location:
Build.java (frameworks\base\core\java\android\os)
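    // The install-time code in step 2 reads these as Build.ThintaCust.*,
    // so they are declared inside a nested class of Build.
    public static class ThintaCust {
        /**
         * Name of the package management mode<br>
         * whitelist: whitelist mode<br>
         * certificate: certificate verification mode<br>
         * none: no management
         */
        public static String packageManage = "none";

        /**
         * Apps allowed to be shown by the Launcher, and the app whitelist
         */
        public static String[] packageAllow = new String[]{
                "com.baidu.searchbox",
                "com.thinta.product.thintazlib",
                "com.thinta.product.x4usertool"};

        /**
         * Path where the certificates of the apps allowed to be shown by the Launcher are stored
         */
        public static String certificatePath = "/system/etc/security/media.zip";
    }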
2. Modify the APK installation process to add verification during installation
File to modify:
PackageManagerService.java (frameworks\base\services\core\java\com\android\server\pm)
First, add a function:
    // Needs java.io.*, java.util.*, java.util.zip.*, java.security.GeneralSecurityException
    // and java.security.cert.* if they are not already imported in this file.
    // Loads every entry of the zip file as an X.509 certificate.
    private static HashSet<X509Certificate> getTrustedCerts(File keystore)
            throws IOException, GeneralSecurityException {
        HashSet<X509Certificate> trusted = new HashSet<X509Certificate>();
        if (keystore == null) {
            return trusted;
        }
        ZipFile zip = new ZipFile(keystore);
        try {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            Enumeration<? extends ZipEntry> entries = zip.entries();
            while (entries.hasMoreElements()) {
                ZipEntry entry = entries.nextElement();
                if (entry.isDirectory()) {
                    continue; // a directory entry holds no certificate data
                }
                InputStream is = zip.getInputStream(entry);
                try {
                    trusted.add((X509Certificate) cf.generateCertificate(is));
                } finally {
                    is.close();
                }
            }
        } finally {
            zip.close();
        }
        return trusted;
    }
Function to modify: private void installPackageLI(InstallArgs args, PackageInstalledInfo res)
First change:
    int tmp_flags = 0; // declared here so the fragment compiles
    if (Build.ThintaCust.packageManage.equals("certificate"))
        tmp_flags = PackageManager.GET_SIGNATURES;
    final int parseFlags = mDefParseFlags | PackageParser.PARSE_CHATTY
            | (forwardLocked ? PackageParser.PARSE_FORWARD_LOCK : 0)
            | (onSd ? PackageParser.PARSE_ON_SDCARD : 0)
            | tmp_flags;
Second change:
    if (Build.ThintaCust.packageManage.equals("none")) {
        Log.d("XYP_DEBUG", "packageManage = none \n");
    } else if (Build.ThintaCust.packageManage.equals("whitelist")) {
        Log.d("XYP_DEBUG", "packageManage = whitelist \n");
        List<String> list = Arrays.asList(Build.ThintaCust.packageAllow);
        if (list.contains(pkg.packageName)) {
            Log.d("XYP_DEBUG", "can install \n");
        } else {
            Log.d("XYP_DEBUG", "forbid install \n");
            res.setError(PackageManager.INSTALL_FAILED_USER_RESTRICTED,
                    "installPackageLI, forbid install");
            return;
        }
    } else if (Build.ThintaCust.packageManage.equals("certificate")) {
        int verify_pass = 0;
        try {
            File file = new File(Build.ThintaCust.certificatePath);
            HashSet<X509Certificate> trusted = getTrustedCerts(file);
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            for (X509Certificate c : trusted) {
                // Compare the encoded key bytes; PublicKey.toString() has no fixed format.
                byte[] tmp_public_key = c.getPublicKey().getEncoded();
                if (tmp_public_key == null || pkg.mSignatures == null) {
                    continue;
                }
                for (Signature sig : pkg.mSignatures) {
                    X509Certificate cert = (X509Certificate) cf.generateCertificate(
                            new ByteArrayInputStream(sig.toByteArray()));
                    if (Arrays.equals(tmp_public_key, cert.getPublicKey().getEncoded())) {
                        verify_pass = 1;
                        break;
                    }
                }
                if (verify_pass == 1) break;
            }
        } catch (IOException | GeneralSecurityException e) {
            // Also covers FileNotFoundException and CertificateException.
            Log.d("XYP_DEBUG", e.toString());
        }
        // Checked outside the try block so that a missing or unreadable
        // certificate file blocks the install instead of letting it through.
        if (verify_pass != 1) {
            Log.d("XYP_DEBUG", "forbid install \n");
            res.setError(PackageManager.INSTALL_FAILED_USER_RESTRICTED,
                    "installPackageLI, forbid install");
            return;
        }
    }
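The decision made by the second change, written as a stand-alone function so it can be exercised off-device; this is an added example, not code from the original post or from AOSP. The decide function, the Decision enum and the key lists are hypothetical names, the RSA keys are constructed sample data, and unlike the patch it denies the install when packageManage holds an unrecognized value.

```java
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

// Added example, not the page's code: the step-2 decision as a pure function.
public class InstallPolicyDemo {
    enum Decision { ALLOW, DENY }

    // mode and allowList mirror packageManage and packageAllow from step 1.
    // trusted / signers are hypothetical stand-ins for the public keys of the
    // certificates in media.zip and of the APK's signing certificates.
    static Decision decide(String mode, String pkgName, List<String> allowList,
                           List<PublicKey> trusted, List<PublicKey> signers) {
        if ("none".equals(mode)) return Decision.ALLOW;
        if ("whitelist".equals(mode)) {
            return allowList.contains(pkgName) ? Decision.ALLOW : Decision.DENY;
        }
        if ("certificate".equals(mode)) {
            for (PublicKey t : trusted) {
                byte[] enc = t.getEncoded(); // null if the key has no encoding
                for (PublicKey s : signers) {
                    if (enc != null && Arrays.equals(enc, s.getEncoded())) return Decision.ALLOW;
                }
            }
            return Decision.DENY; // no match, or an empty trust store
        }
        return Decision.DENY; // unknown or misspelled mode: fail closed
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        PublicKey vendor = gen.generateKeyPair().getPublic(); // constructed sample keys
        PublicKey other = gen.generateKeyPair().getPublic();
        List<String> allow = Arrays.asList("com.thinta.product.x4usertool");
        List<PublicKey> trust = Collections.singletonList(vendor);
        List<PublicKey> none = Collections.emptyList();

        System.out.println(decide("whitelist", "com.example.other", allow, none, none));
        System.out.println(decide("certificate", "x", allow, trust, Arrays.asList(vendor)));
        System.out.println(decide("certificate", "x", allow, trust, Arrays.asList(other)));
        System.out.println(decide("certificate", "x", allow, none, Arrays.asList(other)));
        System.out.println(decide("certifcate", "x", allow, trust, Arrays.asList(vendor)));
    }
}
```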
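3. Packaging the certificate:
    zip -r media.zip media.x509.pem
Use this command to pack the *.x509.pem file into a zip file, then place it in a suitable location on the target board;
point certificatePath from step 1 at the location where the zip file is stored.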
