Fix certificate chain

KH0000001 · Dec 12, 2023 · 5de0cda · 5de0cda
1 parent a987e0e
commit 5de0cda
Show file tree

Hide file tree

Showing 2 changed files with 46 additions and 14 deletions.
diff --git a/app/build.gradle b/app/build.gradle
@@ -11,8 +11,8 @@ android {
         applicationId "es.chiteroman.bootloaderspoofer"
         minSdk 26
         targetSdk 34
-        versionCode 20
-        versionName '2.0'
+        versionCode 21
+        versionName '2.1'
         multiDexEnabled false
     }
 

diff --git a/app/src/main/java/es/chiteroman/bootloaderspoofer/Xposed.java b/app/src/main/java/es/chiteroman/bootloaderspoofer/Xposed.java
@@ -49,7 +49,23 @@ public final class Xposed implements IXposedHookLoadPackage {
             IqJEk9kh8vjuGzTaAZyU5keUmpWNc1gI7OvDMaH4+8vQ
             -----END RSA PRIVATE KEY-----
             """;
-    private static volatile boolean hardwareAttesatation = true;
+    private static final KeyPair keyPair;
+    private static boolean hardwareAttesatation = false;
+
+    static {
+        try {
+            PEMParser parser = new PEMParser(new StringReader(SW_RSA_ATTEST_ROOT_KEY));
+            PEMKeyPair pemKeyPair = (PEMKeyPair) parser.readObject();
+            parser.close();
+
+            JcaPEMKeyConverter jcaPEMKeyConverter = new JcaPEMKeyConverter();
+
+            keyPair = jcaPEMKeyConverter.getKeyPair(pemKeyPair);
+
+        } catch (Exception e) {
+            throw new RuntimeException("Couldn't read keypair");
+        }
+    }
 
     private static int indexOf(byte[] array, byte[] target) {
         outer:
@@ -64,7 +80,27 @@ private static int indexOf(byte[] array, byte[] target) {
         return -1;
     }
 
-    private static Certificate doLogic(Certificate certificate) {
+    private static Certificate hackOtherCert(Certificate certificate) {
+        try {
+            X509CertificateHolder certificateHolder = new X509CertificateHolder(certificate.getEncoded());
+
+            X509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(certificateHolder.getSubject(), certificateHolder.getSerialNumber(), certificateHolder.getNotBefore(), certificateHolder.getNotAfter(), certificateHolder.getSubject(), keyPair.getPublic());
+
+            ContentSigner contentSigner = new JcaContentSignerBuilder("SHA256WithRSAEncryption").build(keyPair.getPrivate());
+            X509CertificateHolder ch = certBuilder.build(contentSigner);
+
+            JcaX509CertificateConverter converter = new JcaX509CertificateConverter();
+
+            return converter.getCertificate(ch);
+
+        } catch (Exception e) {
+            XposedBridge.log("Error creating other cert: " + e);
+        }
+
+        return certificate;
+    }
+
+    private static Certificate hackLeafCert(Certificate certificate) {
         try {
             X509CertificateHolder certificateHolder = new X509CertificateHolder(certificate.getEncoded());
 
@@ -123,14 +159,6 @@ private static Certificate doLogic(Certificate certificate) {
 
             } else {
 
-                PEMParser parser = new PEMParser(new StringReader(SW_RSA_ATTEST_ROOT_KEY));
-                PEMKeyPair pemKeyPair = (PEMKeyPair) parser.readObject();
-                parser.close();
-
-                JcaPEMKeyConverter jcaPEMKeyConverter = new JcaPEMKeyConverter();
-
-                KeyPair keyPair = jcaPEMKeyConverter.getKeyPair(pemKeyPair);
-
                 X509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(certificateHolder.getSubject(), certificateHolder.getSerialNumber(), certificateHolder.getNotBefore(), certificateHolder.getNotAfter(), certificateHolder.getSubject(), keyPair.getPublic());
 
                 certBuilder.copyAndAddExtension(extension.getExtnId(), extension.isCritical(), modCert);
@@ -143,7 +171,7 @@ private static Certificate doLogic(Certificate certificate) {
             }
 
         } catch (Exception e) {
-            XposedBridge.log("ERROR creating certificate: " + e);
+            XposedBridge.log("ERROR creating leaf certificate: " + e);
         }
 
         return certificate;
@@ -161,14 +189,18 @@ public void handleLoadPackage(XC_LoadPackage.LoadPackageParam lpparam) {
                 protected void afterHookedMethod(MethodHookParam param) {
                     Certificate[] certificates = (Certificate[]) param.getResult();
 
-                    certificates[0] = doLogic(certificates[0]);
+                    certificates[0] = hackLeafCert(certificates[0]);
 
                     if (hardwareAttesatation) {
                         for (Method method : certificates[0].getClass().getMethods()) {
                             if (method.getName().toLowerCase(Locale.ROOT).contains("verify")) {
                                 XposedBridge.hookMethod(method, XC_MethodReplacement.DO_NOTHING);
                             }
                         }
+                    } else {
+                        for (int i = 1; i < certificates.length; i++) {
+                            certificates[i] = hackOtherCert(certificates[i]);
+                        }
                     }
 
                     param.setResult(certificates);