Diffstat (limited to 'libmincrypt/tools/DumpPublicKey.java')
-rw-r--r--libmincrypt/tools/DumpPublicKey.java41
1 files changed, 30 insertions, 11 deletions
diff --git a/libmincrypt/tools/DumpPublicKey.java b/libmincrypt/tools/DumpPublicKey.java
index 12b4f56..7189116 100644
--- a/libmincrypt/tools/DumpPublicKey.java
+++ b/libmincrypt/tools/DumpPublicKey.java
@@ -19,7 +19,7 @@ package com.android.dumpkey;
import java.io.FileInputStream;
import java.math.BigInteger;
import java.security.cert.CertificateFactory;
-import java.security.cert.Certificate;
+import java.security.cert.X509Certificate;
import java.security.KeyStore;
import java.security.Key;
import java.security.PublicKey;
@@ -34,20 +34,22 @@ class DumpPublicKey {
/**
* @param key to perform sanity checks on
* @return version number of key. Supported versions are:
- * 1: 2048-bit key with e=3
- * 2: 2048-bit key with e=65537
+ * 1: 2048-bit RSA key with e=3 and SHA-1 hash
+ * 2: 2048-bit RSA key with e=65537 and SHA-1 hash
+ * 3: 2048-bit RSA key with e=3 and SHA-256 hash
+ * 4: 2048-bit RSA key with e=65537 and SHA-256 hash
* @throws Exception if the key has the wrong size or public exponent
*/
- static int check(RSAPublicKey key) throws Exception {
+ static int check(RSAPublicKey key, boolean useSHA256) throws Exception {
BigInteger pubexp = key.getPublicExponent();
BigInteger modulus = key.getModulus();
int version;
if (pubexp.equals(BigInteger.valueOf(3))) {
- version = 1;
+ version = useSHA256 ? 3 : 1;
} else if (pubexp.equals(BigInteger.valueOf(65537))) {
- version = 2;
+ version = useSHA256 ? 4 : 2;
} else {
throw new Exception("Public exponent should be 3 or 65537 but is " +
pubexp.toString(10) + ".");
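Review bot: The Javadoc above `check` documents the four key versions but not the new `useSHA256` parameter that now selects between them. A line such as `@param useSHA256 true to return the SHA-256 versions (3 or 4), false for the SHA-1 versions (1 or 2)` after the existing `@param key` would close that gap. `print` in the next hunk gains the same parameter, and the part of its Javadoc visible there does not mention it either. The body of `check` continues past the end of this hunk, so the size check named in `@throws` is not visible here.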
@@ -67,8 +69,8 @@ class DumpPublicKey {
* version 1 key, the string will be a C initializer; this is
* not true for newer key versions.
*/
- static String print(RSAPublicKey key) throws Exception {
- int version = check(key);
+ static String print(RSAPublicKey key, boolean useSHA256) throws Exception {
+ int version = check(key, useSHA256);
BigInteger N = key.getModulus();
@@ -135,10 +137,27 @@ class DumpPublicKey {
for (int i = 0; i < args.length; i++) {
FileInputStream input = new FileInputStream(args[i]);
CertificateFactory cf = CertificateFactory.getInstance("X.509");
- Certificate cert = cf.generateCertificate(input);
+ X509Certificate cert = (X509Certificate) cf.generateCertificate(input);
+
+ boolean useSHA256 = false;
+ String sigAlg = cert.getSigAlgName();
+ if ("SHA1withRSA".equals(sigAlg) || "MD5withRSA".equals(sigAlg)) {
+ // SignApk has historically accepted "MD5withRSA"
+ // certificates, but treated them as "SHA1withRSA"
+ // anyway. Continue to do so for backwards
+ // compatibility.
+ useSHA256 = false;
+ } else if ("SHA256withRSA".equals(sigAlg)) {
+ useSHA256 = true;
+ } else {
+ System.err.println(args[i] + ": unsupported signature algorithm \"" +
+ sigAlg + "\"");
+ System.exit(1);
+ }
+
RSAPublicKey key = (RSAPublicKey) (cert.getPublicKey());
- check(key);
- System.out.print(print(key));
+ check(key, useSHA256);
+ System.out.print(print(key, useSHA256));
System.out.println(i < args.length - 1 ? "," : "");
}
} catch (Exception e) {
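Review bot: The `MD5withRSA` branch maps the certificate onto the SHA-1 key versions without telling the operator, so nothing in the output shows that an MD5-signed certificate was accepted. A one-line diagnostic such as `System.err.println(args[i] + ": MD5withRSA certificate treated as SHA1withRSA");` before `useSHA256 = false;` would make that visible. The comparisons also depend on the exact string `getSigAlgName()` returns, which can differ between JCA providers. A mismatch fails closed into the `unsupported signature algorithm` exit, but matching `cert.getSigAlgOID()` against the fixed OIDs (for example `"1.2.840.113549.1.1.11"` for SHA-256 with RSA) would be more robust. Separately, `System.exit(1)` can run after earlier keys have already been written to stdout, so a caller that ignores the exit status could consume a truncated key list. The enclosing `try` and the rest of `main` lie outside this hunk.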