feat(patcher): inject new CA certificates

Old Android devices do not have the new CA root certificates, and fixing this user-side requires manually installing them as system certificates, requiring root.

Author: rushiiMachine

.editorconfig

@@ -25,6 +25,8 @@ ij_java_keep_simple_methods_in_one_line = true
 ij_java_line_comment_add_space = true
 ij_java_line_comment_at_first_column = false
 ij_java_spaces_within_array_initializer_braces = true
+ij_kotlin_call_parameters_new_line_after_left_paren = false
+ij_kotlin_call_parameters_right_paren_on_new_line = false
 
 [*.kt]
 ij_kotlin_name_count_to_use_star_import = 3

app/src/main/kotlin/com/aliucord/manager/patcher/KotlinPatchRunner.kt

@@ -31,6 +31,7 @@ class KotlinPatchRunner(
         SmaliPatchStep(),
         PatchIconsStep(options),
         PatchManifestStep(options),
+        PatchCertsStep(),
         ReorganizeDexStep(),
         AddAliuhookLibsStep(),
         SaveMetadataStep(options),

app/src/main/kotlin/com/aliucord/manager/patcher/steps/patch/PatchCertsStep.kt

@@ -0,0 +1,230 @@
+package com.aliucord.manager.patcher.steps.patch
+
+import android.app.Application
+import android.os.Build
+import com.aliucord.manager.R
+import com.aliucord.manager.patcher.StepRunner
+import com.aliucord.manager.patcher.steps.StepGroup
+import com.aliucord.manager.patcher.steps.base.Step
+import com.aliucord.manager.patcher.steps.base.StepState
+import com.aliucord.manager.patcher.steps.download.CopyDependenciesStep
+import com.aliucord.manager.patcher.util.ArscUtil
+import com.aliucord.manager.patcher.util.ArscUtil.addResource
+import com.aliucord.manager.patcher.util.ArscUtil.getMainArscChunk
+import com.aliucord.manager.patcher.util.ArscUtil.getPackageChunk
+import com.aliucord.manager.patcher.util.ArscUtil.getResourceFileNames
+import com.aliucord.manager.patcher.util.AxmlUtil.getMainAxmlChunk
+import com.aliucord.manager.util.find
+import com.github.diamondminer88.zip.ZipReader
+import com.github.diamondminer88.zip.ZipWriter
+import com.google.devrel.gmscore.tools.apk.arsc.*
+import org.koin.core.component.KoinComponent
+import org.koin.core.component.inject
+import java.io.File
+
+/**
+ * Adds a network security config that manually adds new CA root certificates.
+ * This is useful for old Android devices that do not have updated root certs.
+ */
+class PatchCertsStep : Step(), KoinComponent {
+    private val context: Application by inject()
+
+    override val group = StepGroup.Patch
+    override val localizedName = R.string.patch_step_patch_certs
+
+    // Manager's (this application) network security config is used as a template
+    // to inject into Aliucord, except with the resource ids pointing to certificate files changed
+    // to new ones injected into the patched app's arsc
+    override suspend fun execute(container: StepRunner) {
+        val apk = container.getStep<CopyDependenciesStep>().patchedApk
+
+        if (Build.VERSION.SDK_INT >= 26) {
+            container.log("Modern device detected, skipping injecting root certs")
+            state = StepState.Skipped
+            return
+        }
+
+        container.log("Parsing resources.arsc")
+        val arsc = ArscUtil.readArsc(apk)
+        val resourcesChunk = arsc.getMainArscChunk()
+        val packageChunk = arsc.getPackageChunk()
+
+        container.log("Creating new raw resources in arsc")
+        val certificateIds = CERTIFICATES.keys.map { certificateName ->
+            packageChunk.addResource(
+                typeName = "raw",
+                resourceName = certificateName,
+                configurations = { it.isDefault },
+                valueType = BinaryResourceValue.Type.STRING,
+                valueData = resourcesChunk.stringPool.addString("res/$certificateName.der"),
+            )
+        }
+
+        container.log("Generating new network security config AXML")
+        val newNetworkSecurityConfigBytes = generateNetworkConfig(certificateIds)
+
+        container.log("Parsing existing AndroidManifest.xml")
+        val networkSecurityConfigId = getNetworkSecurityConfigResourceId(apk)
+        val networkSecurityConfigPath = resourcesChunk.getResourceFileNames(
+            resourceId = networkSecurityConfigId,
+            configurations = { it.isDefault },
+        ).single()
+
+        ZipWriter(apk, /* append = */ true).use { zip ->
+            zip.deleteEntries(networkSecurityConfigPath, "resources.arsc")
+
+            container.log("Writing new network security config AXML")
+            zip.writeEntry(networkSecurityConfigPath, newNetworkSecurityConfigBytes)
+
+            container.log("Writing new arsc")
+            zip.writeEntry("resources.arsc", arsc.toByteArray())
+
+            for ((name, id) in CERTIFICATES) {
+                container.log("Writing $name CA certificate to apk")
+
+                val bytes = context.resources.openRawResource(id).use { it.readBytes() }
+                zip.writeEntry("res/$name.der", bytes)
+            }
+        }
+    }
+
+    /**
+     * From an APK, read the manifest's `android:networkSecurityConfig` references to a resource.
+     * This is then used to get the filename of the resource from `resources.arsc`.
+     */
+    fun getNetworkSecurityConfigResourceId(apk: File): BinaryResourceIdentifier {
+        val manifestBytes = ZipReader(apk).use {
+            it.openEntry("AndroidManifest.xml")?.read()
+        } ?: error("APK missing manifest")
+        val manifest = BinaryResourceFile(manifestBytes)
+        val mainChunk = manifest.getMainAxmlChunk()
+
+        // Prefetch string indexes to avoid parsing the entire string pool
+        val networkSecurityConfigStringIdx = mainChunk.stringPool.indexOf("networkSecurityConfig")
+        val applicationStringIdx = mainChunk.stringPool.indexOf("application")
+
+        val applicationChunk = mainChunk.chunks
+            .find { it is XmlStartElementChunk && it.nameIndex == applicationStringIdx } as? XmlStartElementChunk
+            ?: error("Unable to find <application> in manifest")
+        val networkSecurityConfig = applicationChunk.attributes
+            .find { it.nameIndex() == networkSecurityConfigStringIdx }
+            ?: error("Unable to find android:networkSecurityConfig in manifest")
+
+        assert(networkSecurityConfig.typedValue().type() == BinaryResourceValue.Type.REFERENCE)
+
+        return BinaryResourceIdentifier.create(networkSecurityConfig.typedValue().data())
+    }
+
+    /**
+     * This generates a binary AXML representation a network security config similar to the one
+     * manager uses [R.xml.network_security_config], except with resource IDs generated for the patched APK.
+     */
+    private fun generateNetworkConfig(certificateIds: List<BinaryResourceIdentifier>): ByteArray {
+        val axml = BinaryResourceFile(byteArrayOf())
+        val xmlChunk = XmlChunk(null)
+        val strings = StringPoolChunk(xmlChunk)
+
+        axml.appendChunk(xmlChunk)
+        xmlChunk.appendChunk(strings)
+        xmlChunk.appendChunk(XmlResourceMapChunk(intArrayOf(), xmlChunk))
+
+        // Nested chunks
+        // @formatter:off
+        val chunkNames = arrayOf("network-security-config", "base-config", "trust-anchors")
+        for (chunkName in chunkNames) {
+            xmlChunk.appendChunk(XmlStartElementChunk(
+                /* namespaceIndex = */ -1,
+                /* nameIndex = */ strings.addString(chunkName),
+                /* idIndex = */ -1,
+                /* classIndex = */ -1,
+                /* styleIndex = */ -1,
+                /* attributes = */ emptyList(),
+                /* parent = */ xmlChunk,
+            ))
+        }
+
+        // Allow "system" certificates
+        run {
+            val certificateChunk = XmlStartElementChunk(
+                /* namespaceIndex = */ -1,
+                /* nameIndex = */ strings.addString("certificates", /* deduplicate = */ true),
+                /* idIndex = */ -1,
+                /* classIndex = */ -1,
+                /* styleIndex = */ -1,
+                /* attributes = */ listOf(),
+                /* parent = */ xmlChunk,
+            )
+            certificateChunk.attributes += XmlAttribute(
+                /* namespaceIndex = */ -1,
+                /* nameIndex = */ xmlChunk.stringPool.addString("src", /* deduplicate = */ true),
+                /* rawValueIndex = */ xmlChunk.stringPool.addString("system"),
+                /* typedValue = */ BinaryResourceValue(
+                    /* type = */ BinaryResourceValue.Type.STRING,
+                    /* data = */ xmlChunk.stringPool.addString("system", /* deduplicate = */ true),
+                ),
+                /* parent = */ certificateChunk,
+            )
+
+            xmlChunk.appendChunk(certificateChunk)
+            xmlChunk.appendChunk(XmlEndElementChunk(
+                /* namespaceIndex = */ -1,
+                /* nameIndex = */ strings.addString("certificates", /* deduplicate = */ true),
+                /* parent = */ xmlChunk,
+            ))
+        }
+
+        // Add custom certificate references
+        for (certificateId in certificateIds) {
+            val certificateChunk = XmlStartElementChunk(
+                /* namespaceIndex = */ -1,
+                /* nameIndex = */ strings.addString("certificates", /* deduplicate = */ true),
+                /* idIndex = */ -1,
+                /* classIndex = */ -1,
+                /* styleIndex = */ -1,
+                /* attributes = */ listOf(),
+                /* parent = */ xmlChunk,
+            )
+            certificateChunk.attributes += XmlAttribute(
+                /* namespaceIndex = */ -1,
+                /* nameIndex = */ xmlChunk.stringPool.addString("src", /* deduplicate = */ true),
+                /* rawValueIndex = */ -1,
+                /* typedValue = */ BinaryResourceValue(
+                    /* type = */ BinaryResourceValue.Type.REFERENCE,
+                    /* data = */ certificateId.resourceId(),
+                ),
+                /* parent = */ certificateChunk,
+            )
+
+            xmlChunk.appendChunk(certificateChunk)
+            xmlChunk.appendChunk(XmlEndElementChunk(
+                /* namespaceIndex = */ -1,
+                /* nameIndex = */ strings.addString("certificates", /* deduplicate = */ true),
+                /* parent = */ xmlChunk,
+            ))
+        }
+
+        // Reverse nested chunks
+        for (chunkName in chunkNames.reversed()) {
+            xmlChunk.appendChunk(XmlEndElementChunk(
+                /* namespaceIndex = */ -1,
+                /* nameIndex = */ strings.addString(chunkName, /* deduplicate = */ true),
+                /* parent = */ xmlChunk,
+            ))
+        }
+        // @formatter:on
+
+        return axml.toByteArray()
+    }
+
+    private companion object {
+        val CERTIFICATES = mapOf(
+            "globalsign_root_r4" to R.raw.globalsign_root_r4,
+            "gts_root_r1" to R.raw.gts_root_r1,
+            "gts_root_r2" to R.raw.gts_root_r2,
+            "gts_root_r3" to R.raw.gts_root_r3,
+            "gts_root_r4" to R.raw.gts_root_r4,
+            "isrg_root_x1" to R.raw.isrg_root_x1,
+            "isrg_root_x2" to R.raw.isrg_root_x2,
+        )
+    }
+}

app/src/main/kotlin/com/aliucord/manager/patcher/steps/patch/PatchIconsStep.kt

@@ -28,7 +28,7 @@ import com.aliucord.manager.patcher.util.ArscUtil.getResourceFileNames
 import com.aliucord.manager.patcher.util.AxmlUtil
 import com.aliucord.manager.ui.screens.patchopts.PatchOptions
 import com.aliucord.manager.ui.screens.patchopts.PatchOptions.IconReplacement
-import com.aliucord.manager.util.getResBytes
+import com.aliucord.manager.util.getRawBytes
 import com.github.diamondminer88.zip.ZipWriter
 import com.google.devrel.gmscore.tools.apk.arsc.*
 import org.koin.core.component.KoinComponent
@@ -184,12 +184,12 @@ class PatchIconsStep(private val options: PatchOptions) : Step(), KoinComponent
                 }
 
                 container.log("Writing monochrome icon AXML to apk")
-                it.writeEntry("res/ic_aliucord_monochrome.xml", context.getResBytes(monochromeIconId))
+                it.writeEntry("res/ic_aliucord_monochrome.xml", context.resources.getRawBytes(monochromeIconId))
             }
 
             if (options.iconReplacement is IconReplacement.OldDiscord) {
                 container.log("Writing custom icon foreground to apk")
-                it.writeEntry("res/ic_foreground_replacement.xml", context.getResBytes(R.drawable.ic_discord_old_monochrome))
+                it.writeEntry("res/ic_foreground_replacement.xml", context.resources.getRawBytes(R.drawable.ic_discord_old_monochrome))
             } else if (options.iconReplacement is IconReplacement.CustomImage) {
                 container.log("Writing custom icon foreground to apk")
                 it.writeEntry("res/ic_foreground_replacement.png", options.iconReplacement.imageBytes)

app/src/main/kotlin/com/aliucord/manager/patcher/util/AxmlUtil.kt

@@ -27,7 +27,7 @@ object AxmlUtil {
     /**
      * Get the only top-level chunk in an axml file.
      */
-    private fun BinaryResourceFile.getMainAxmlChunk(): XmlChunk {
+    fun BinaryResourceFile.getMainAxmlChunk(): XmlChunk {
         if (this.chunks.size > 1)
             error("More than 1 top level chunk in axml")
 
@@ -163,8 +163,9 @@ object AxmlUtil {
      * This is then used to get the filename of the resource from `resources.arsc`.
      */
     fun readManifestIconInfo(apk: File): ManifestIconInfo {
-        val manifestBytes = ZipReader(apk).use { it.openEntry("AndroidManifest.xml")?.read() }
-            ?: error("APK missing manifest")
+        val manifestBytes = ZipReader(apk).use {
+            it.openEntry("AndroidManifest.xml")?.read()
+        } ?: error("APK missing manifest")
         val manifest = BinaryResourceFile(manifestBytes)
         val mainChunk = manifest.getMainAxmlChunk()
 

app/src/main/kotlin/com/aliucord/manager/patcher/util/ManifestPatcher.kt

@@ -16,7 +16,6 @@ object ManifestPatcher {
     private const val USE_EMBEDDED_DEX = "useEmbeddedDex"
     private const val EXTRACT_NATIVE_LIBS = "extractNativeLibs"
     private const val REQUEST_LEGACY_EXTERNAL_STORAGE = "requestLegacyExternalStorage"
-    private const val NETWORK_SECURITY_CONFIG = "networkSecurityConfig"
     private const val LABEL = "label"
     private const val PACKAGE = "package"
     private const val COMPILE_SDK_VERSION = "compileSdkVersion"
@@ -128,7 +127,6 @@ object ManifestPatcher {
                                 private var addMetadata = true
 
                                 override fun attr(ns: String?, name: String, resourceId: Int, type: Int, value: Any?) {
-                                    if (name == NETWORK_SECURITY_CONFIG) return
                                     if (name == REQUEST_LEGACY_EXTERNAL_STORAGE) addLegacyStorage = false
                                     if (name == USE_EMBEDDED_DEX) addUseEmbeddedDex = false
                                     if (name == EXTRACT_NATIVE_LIBS) addExtractNativeLibs = false

app/src/main/kotlin/com/aliucord/manager/util/Context.kt

@@ -4,6 +4,7 @@ import android.annotation.SuppressLint
 import android.app.Activity
 import android.content.*
 import android.content.pm.PackageManager
+import android.content.res.Resources
 import android.net.ConnectivityManager
 import android.net.Uri
 import android.os.*
@@ -16,8 +17,7 @@ import androidx.annotation.AnyRes
 import androidx.annotation.StringRes
 import androidx.core.content.ContextCompat
 import androidx.core.content.getSystemService
-import com.aliucord.manager.BuildConfig
-import com.aliucord.manager.R
+import com.aliucord.manager.*
 import com.google.android.gms.safetynet.SafetyNet
 import java.io.File
 import java.io.InputStream
@@ -111,21 +111,21 @@ fun Activity.requestNoBatteryOptimizations() {
 }
 
 /**
- * Get the raw bytes for a resource.
+ * Get the raw bytes for any resource stored as a file within the APK.
  * @param id The resource identifier
- * @return The resource's raw bytes as stored inside the APK
+ * @return The resource's raw bytes as stored inside the APK (no parsing is done).
  */
-fun Context.getResBytes(@AnyRes id: Int): ByteArray {
+fun Resources.getRawBytes(@AnyRes id: Int): ByteArray {
     val tValue = TypedValue()
-    this.resources.getValue(
+    this.getValue(
         /* id = */ id,
         /* outValue = */ tValue,
         /* resolveRefs = */ true,
     )
 
     val resPath = tValue.string.toString()
 
-    return this.javaClass.classLoader
+    return ManagerApplication::class.java.classLoader
         ?.getResourceAsStream(resPath)
         ?.use(InputStream::readBytes)
         ?: error("Failed to get resource file $resPath from APK")

app/src/main/res/values/strings.xml

@@ -162,6 +162,7 @@
   <string name="patch_step_dl_smali">Downloading smali patches</string>
   <string name="patch_step_copy_deps">Copying dependencies</string>
   <string name="patch_step_patch_manifests">Patching APK manifest</string>
+  <string name="patch_step_patch_certs">Adding modern root certificates</string>
   <string name="patch_step_patch_icon">Patching app icon</string>
   <string name="patch_step_add_aliuhook">Adding Aliuhook library</string>
   <string name="patch_step_patch_smali">Applying smali patches</string>

gradle/libs.versions.toml

@@ -7,7 +7,7 @@ androidx-lifecycle = "2.9.4"
 androidx-splashscreen = "1.0.1"
 apksig = "8.13.0"
 axml = "1.0.1"
-binary-resources = "2.0.1"
+binary-resources = "2.1.0"
 bouncycastle = "1.82"
 coil = "3.3.0"
 compose = "1.9.4"