From e697db8c1c30f6c604816ef2b6f306e296c9ce3f Mon Sep 17 00:00:00 2001 From: amao Date: Fri, 31 May 2024 14:47:37 +0800 Subject: [PATCH] root ca Signed-off-by: amao Change-Id: I81fb898c316f5d31be6d034d30dbdf3fec871709 --- BUILD.gn | 2 ++ .../innerkits/appverify/config/BUILD.gn | 28 ++++++++++++------- .../appverify/include/init/trusted_root_ca.h | 3 ++ .../include/init/trusted_source_manager.h | 4 ++- .../appverify/include/interfaces/hap_verify.h | 1 + .../include/provision/provision_verify.h | 2 ++ .../appverify/src/init/trusted_root_ca.cpp | 16 +++++++++-- .../src/init/trusted_source_manager.cpp | 17 +++++++++-- .../appverify/src/interfaces/hap_verify.cpp | 28 +++++++++++++++++-- .../src/provision/provision_verify.cpp | 5 ++++ 10 files changed, 89 insertions(+), 17 deletions(-) diff --git a/BUILD.gn b/BUILD.gn index 0968a5e..03d0a11 100644 --- a/BUILD.gn +++ b/BUILD.gn @@ -27,8 +27,10 @@ group("appverify_components") { deps = [ "//base/security/appverify/interfaces/innerkits/appverify:libhapverify", "//base/security/appverify/interfaces/innerkits/appverify/config:trusted_apps_sources", + "//base/security/appverify/interfaces/innerkits/appverify/config:trusted_apps_sources_oh", "//base/security/appverify/interfaces/innerkits/appverify/config:trusted_apps_sources_test", "//base/security/appverify/interfaces/innerkits/appverify/config:trusted_root_ca", + "//base/security/appverify/interfaces/innerkits/appverify/config:trusted_root_ca_oh", "//base/security/appverify/interfaces/innerkits/appverify/config:trusted_root_ca_test", "//base/security/appverify/interfaces/innerkits/appverify/config:trusted_tickets_sources", ] diff --git a/interfaces/innerkits/appverify/config/BUILD.gn b/interfaces/innerkits/appverify/config/BUILD.gn index 9dd27f3..6cf665d 100644 --- a/interfaces/innerkits/appverify/config/BUILD.gn +++ b/interfaces/innerkits/appverify/config/BUILD.gn 
@@ -14,11 +14,15 @@ import("//build/ohos.gni") ohos_prebuilt_etc("trusted_apps_sources") { - if (build_public_version) { - source = "OpenHarmony/trusted_apps_sources.json" - } else { - source = "trusted_apps_sources.json" - } + source = "trusted_apps_sources.json" + part_name = "appverify" + subsystem_name = "security" + relative_install_dir = "security" +} + +ohos_prebuilt_etc("trusted_apps_sources_oh") { + source = "OpenHarmony/trusted_apps_sources.json" + output = "trusted_apps_sources_oh.json" part_name = "appverify" subsystem_name = "security" relative_install_dir = "security" @@ -32,11 +36,15 @@ ohos_prebuilt_etc("trusted_apps_sources_test") { } ohos_prebuilt_etc("trusted_root_ca") { - if (build_public_version) { - source = "OpenHarmony/trusted_root_ca.json" - } else { - source = "trusted_root_ca.json" - } + source = "trusted_root_ca.json" + part_name = "appverify" + subsystem_name = "security" + relative_install_dir = "security" +} + +ohos_prebuilt_etc("trusted_root_ca_oh") { + source = "OpenHarmony/trusted_root_ca.json" + output = "trusted_root_ca_oh.json" part_name = "appverify" subsystem_name = "security" relative_install_dir = "security" diff --git a/interfaces/innerkits/appverify/include/init/trusted_root_ca.h b/interfaces/innerkits/appverify/include/init/trusted_root_ca.h index c0dac14..6ff3d7f 100644 --- a/interfaces/innerkits/appverify/include/init/trusted_root_ca.h +++ b/interfaces/innerkits/appverify/include/init/trusted_root_ca.h @@ -33,6 +33,7 @@ class TrustedRootCa { public: DLL_EXPORT static TrustedRootCa& GetInstance(); DLL_EXPORT bool Init(); + DLL_EXPORT bool InitNotRd(); DLL_EXPORT void Recovery(); DLL_EXPORT bool EnableDebug(); DLL_EXPORT void DisableDebug(); 
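Review bot: Dropping the `build_public_version` switch in `ohos_prebuilt_etc("trusted_root_ca")` and `ohos_prebuilt_etc("trusted_apps_sources")` means every image now installs both the top-level JSON and the `OpenHarmony/` copy (as `*_oh.json`) under `security`, so which set of trust anchors is active is decided only at run time. Whether the top-level files are meant to ship on public builds is not visible from this hunk, so please confirm that this is intended. A short comment above each target would make the split auditable, for example `# Trust anchors loaded by TrustedRootCa::InitNotRd(); the _oh target is loaded by Init()`.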
@@ -47,11 +48,13 @@ private: TrustedRootCa(const TrustedRootCa& trustedRoot) = delete; TrustedRootCa& operator = (const TrustedRootCa& trustedRoot) = delete; + DLL_EXPORT bool InitByFile(const std::string& filePath); DLL_EXPORT bool GetTrustedRootCAFromJson(StringCertMap& rootCertMap, const std::string& filePath); X509* FindMatchedRoot(const StringCertMap& rootCertMap, X509* caCert); private: static const std::string TRUSTED_ROOT_CA_FILE_PATH; + static const std::string TRUSTED_ROOT_CA_OH_FILE_PATH; static const std::string TRUSTED_ROOT_CA_TEST_FILE_PATH; StringCertMap rootCerts; StringCertMap rootCertsForTest; diff --git a/interfaces/innerkits/appverify/include/init/trusted_source_manager.h b/interfaces/innerkits/appverify/include/init/trusted_source_manager.h index 22f693f..beebd2c 100644 --- a/interfaces/innerkits/appverify/include/init/trusted_source_manager.h +++ b/interfaces/innerkits/appverify/include/init/trusted_source_manager.h @@ -43,6 +43,7 @@ class TrustedSourceManager { public: DLL_EXPORT static TrustedSourceManager& GetInstance(); DLL_EXPORT bool Init(); + DLL_EXPORT bool InitNotRd(); DLL_EXPORT void Recovery(); DLL_EXPORT bool EnableDebug(); DLL_EXPORT void DisableDebug(); @@ -56,7 +57,7 @@ private: /* Forbid external replication constructs and external replication */ TrustedSourceManager(const TrustedSourceManager& trustedSource) = delete; TrustedSourceManager& operator = (const TrustedSourceManager& trustedSource) = delete; - + DLL_EXPORT bool InitByFile(const std::string& filePath); bool GetAppTrustedSources(SourceInfoVec& trustedAppSources, std::string& souucesVersion, std::string& souucesReleaseTime, const std::string& filePath); bool ParseTrustedAppSourceJson(SourceInfoVec& trustedAppSources, const JsonObjVec& trustedAppSourceJson); 
@@ -70,6 +71,7 @@ private: private: static const std::string APP_TRUSTED_SOURCE_FILE_PATH; + static const std::string APP_TRUSTED_SOURCE_OH_FILE_PATH; static const std::string APP_TRUSTED_SOURCE_TEST_FILE_PATH; static const std::string KEY_OF_APP_TRUSTED_SOURCE; static const std::string KEY_OF_APP_TRUSTED_SOURCE_VERSION; diff --git a/interfaces/innerkits/appverify/include/interfaces/hap_verify.h b/interfaces/innerkits/appverify/include/interfaces/hap_verify.h index 4cc9461..a8d86b9 100644 --- a/interfaces/innerkits/appverify/include/interfaces/hap_verify.h +++ b/interfaces/innerkits/appverify/include/interfaces/hap_verify.h @@ -27,6 +27,7 @@ namespace Verify { DLL_EXPORT bool EnableDebugMode(); DLL_EXPORT void DisableDebugMode(); DLL_EXPORT int32_t HapVerify(const std::string& filePath, HapVerifyResult& hapVerifyResult); +DLL_EXPORT int32_t HapVerifyNotRd(const std::string& filePath, HapVerifyResult& hapVerifyResult); DLL_EXPORT int32_t ParseHapProfile(const std::string& filePath, HapVerifyResult& hapVerifyV1Result); DLL_EXPORT int32_t ParseHapSignatureInfo(const std::string& filePath, SignatureInfo &hapSignInfo); DLL_EXPORT void SetDevMode(DevMode devMode); diff --git a/interfaces/innerkits/appverify/include/provision/provision_verify.h b/interfaces/innerkits/appverify/include/provision/provision_verify.h index 2d0a62f..eb31098 100644 --- a/interfaces/innerkits/appverify/include/provision/provision_verify.h +++ b/interfaces/innerkits/appverify/include/provision/provision_verify.h @@ -56,6 +56,8 @@ DLL_EXPORT AppProvisionVerifyResult ParseProvision(const std::string& appProvisi DLL_EXPORT AppProvisionVerifyResult ParseProfile(const std::string& appProvision, ProvisionInfo& info); DLL_EXPORT void SetRdDevice(bool isRdDevice); + +DLL_EXPORT bool GetRdDevice(); } // namespace Verify } // namespace Security } // namespace OHOS 
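Review bot: The declaration added to provision_verify.h is `DLL_EXPORT bool GetRdDevice();`, but the provision_verify.cpp hunk of this patch defines `bool IsRdDevice()`, so the exported name has no definition in the visible code and any caller of `GetRdDevice()` would fail to link. Use one name in both places, for example by changing the header line to `DLL_EXPORT bool IsRdDevice();`. No caller of either name appears in this patch, even though `provision/provision_verify.h` is newly included in trusted_root_ca.cpp and trusted_source_manager.cpp, so the accessor and those includes look unused here.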
diff --git a/interfaces/innerkits/appverify/src/init/trusted_root_ca.cpp b/interfaces/innerkits/appverify/src/init/trusted_root_ca.cpp index 90bebfe..a1cda75 100644 --- a/interfaces/innerkits/appverify/src/init/trusted_root_ca.cpp +++ b/interfaces/innerkits/appverify/src/init/trusted_root_ca.cpp @@ -18,12 +18,14 @@ #include "nlohmann/json.hpp" #include "common/hap_verify_log.h" +#include "provision/provision_verify.h" #include "util/hap_cert_verify_openssl_utils.h" namespace OHOS { namespace Security { namespace Verify { const std::string TrustedRootCa::TRUSTED_ROOT_CA_FILE_PATH = "/system/etc/security/trusted_root_ca.json"; +const std::string TrustedRootCa::TRUSTED_ROOT_CA_OH_FILE_PATH = "/system/etc/security/trusted_root_ca_oh.json"; const std::string TrustedRootCa::TRUSTED_ROOT_CA_TEST_FILE_PATH = "/system/etc/security/trusted_root_ca_test.json"; const std::string OPENHARMONY_CERT = "C=CN, O=OpenHarmony, OU=OpenHarmony Team, CN=OpenHarmony Application Root CA"; @@ -75,19 +77,29 @@ void TrustedRootCa::SetDevMode(DevMode mode) devMode = mode; } -bool TrustedRootCa::Init() +bool TrustedRootCa::InitByFile(const std::string& filePath) { if (isInit) { return true; } - isInit = GetTrustedRootCAFromJson(rootCerts, TRUSTED_ROOT_CA_FILE_PATH); + isInit = GetTrustedRootCAFromJson(rootCerts, filePath); if (isInit) { HAPVERIFY_LOG_INFO("parse root certs success, certs num: %{public}zu", rootCerts.size()); } return isInit; } +bool TrustedRootCa::Init() +{ + return InitByFile(TRUSTED_ROOT_CA_OH_FILE_PATH); +} + +bool TrustedRootCa::InitNotRd() +{ + return InitByFile(TRUSTED_ROOT_CA_FILE_PATH); +} + void TrustedRootCa::Recovery() { for (auto& rootCert : rootCerts) { diff --git a/interfaces/innerkits/appverify/src/init/trusted_source_manager.cpp b/interfaces/innerkits/appverify/src/init/trusted_source_manager.cpp index d8e8dc4..8a09799 100644 --- a/interfaces/innerkits/appverify/src/init/trusted_source_manager.cpp 
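Review bot: `TrustedRootCa::InitByFile` keeps the `if (isInit) { return true; }` guard without looking at `filePath`, so once `Init()` has loaded `TRUSTED_ROOT_CA_OH_FILE_PATH`, a later `InitNotRd()` returns true while `rootCerts` still holds the other set, and the reverse. The caller is told its trust store is ready when a different root CA list is actually in use; `TrustedSourceManager::InitByFile` in the trusted_source_manager.cpp hunk has the same guard. Consider remembering the loaded path in a new member and making the guard `if (isInit) { return loadedFilePath == filePath; }`, or running `Recovery()` and reloading on a mismatch. `Init()` also now reads the `_oh` file instead of `TRUSTED_ROOT_CA_FILE_PATH`, which changes the anchors for existing callers, so a comment on `Init()` and `InitNotRd()` stating which file each loads would help.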
+++ b/interfaces/innerkits/appverify/src/init/trusted_source_manager.cpp @@ -18,12 +18,15 @@ #include "nlohmann/json.hpp" #include "common/hap_verify_log.h" +#include "provision/provision_verify.h" namespace OHOS { namespace Security { namespace Verify { const std::string TrustedSourceManager::APP_TRUSTED_SOURCE_FILE_PATH = "/system/etc/security/trusted_apps_sources.json"; +const std::string TrustedSourceManager::APP_TRUSTED_SOURCE_OH_FILE_PATH = + "/system/etc/security/trusted_apps_sources_oh.json"; const std::string TrustedSourceManager::APP_TRUSTED_SOURCE_TEST_FILE_PATH = "/system/etc/security/trusted_apps_sources_test.json"; const std::string TrustedSourceManager::KEY_OF_APP_TRUSTED_SOURCE = "trust-app-source"; @@ -77,13 +80,13 @@ void TrustedSourceManager::DisableDebug() appTrustedSourcesForTest.clear(); } -bool TrustedSourceManager::Init() +bool TrustedSourceManager::InitByFile(const std::string& filePath) { if (isInit) { return true; } - isInit = GetAppTrustedSources(appTrustedSources, version, releaseTime, APP_TRUSTED_SOURCE_FILE_PATH); + isInit = GetAppTrustedSources(appTrustedSources, version, releaseTime, filePath); if (isInit) { HAPVERIFY_LOG_INFO("trusted app source version: %{public}s, releaseTime: %{public}s, Size:" " %{public}zu", version.c_str(), releaseTime.c_str(), appTrustedSources.size()); @@ -91,6 +94,16 @@ bool TrustedSourceManager::Init() return isInit; } +bool TrustedSourceManager::Init() +{ + return InitByFile(APP_TRUSTED_SOURCE_OH_FILE_PATH); +} + +bool TrustedSourceManager::InitNotRd() +{ + return InitByFile(APP_TRUSTED_SOURCE_FILE_PATH); +} + void TrustedSourceManager::Recovery() { appTrustedSources.clear(); diff --git a/interfaces/innerkits/appverify/src/interfaces/hap_verify.cpp b/interfaces/innerkits/appverify/src/interfaces/hap_verify.cpp index 316cfc5..7cff2f9 100644 --- a/interfaces/innerkits/appverify/src/interfaces/hap_verify.cpp +++ b/interfaces/innerkits/appverify/src/interfaces/hap_verify.cpp 
@@ -31,7 +31,7 @@ namespace Verify { static std::mutex g_mtx; static bool g_isInit = false; -bool HapVerifyInit() +bool g_hapVerifyInit(std::function initLoader) { TrustedRootCa& rootCertsObj = TrustedRootCa::GetInstance(); TrustedSourceManager& trustedAppSourceManager = TrustedSourceManager::GetInstance(); @@ -39,7 +39,7 @@ bool HapVerifyInit() DeviceTypeManager& deviceTypeManager = DeviceTypeManager::GetInstance(); TrustedTicketManager& trustedTicketSourceManager = TrustedTicketManager::GetInstance(); g_mtx.lock(); - g_isInit = rootCertsObj.Init() && trustedAppSourceManager.Init(); + g_isInit = initLoader(rootCertsObj, trustedAppSourceManager); if (!g_isInit) { rootCertsObj.Recovery(); trustedAppSourceManager.Recovery(); @@ -51,6 +51,21 @@ bool HapVerifyInit() return g_isInit; } +bool NotRdInitLoader(TrustedRootCa& rootCertsObj, TrustedSourceManager& trustedAppSourceManager) +{ + return rootCertsObj.InitNotRd() && trustedAppSourceManager.InitNotRd(); +} + +bool RdInitLoader(TrustedRootCa& rootCertsObj, TrustedSourceManager& trustedAppSourceManager) +{ + return rootCertsObj.Init() && trustedAppSourceManager.Init(); +} + +bool HapVerifyInit() +{ + return g_hapVerifyInit(RdInitLoader); +} + bool EnableDebugMode() { TrustedRootCa& rootCertsObj = TrustedRootCa::GetInstance(); @@ -92,6 +107,15 @@ int32_t HapVerify(const std::string& filePath, HapVerifyResult& hapVerifyResult) return hapVerifyV2.Verify(filePath, hapVerifyResult); } +int32_t HapVerifyNotRd(const std::string& filePath, HapVerifyResult& hapVerifyResult) +{ + if (!g_isInit && !g_hapVerifyInit(NotRdInitLoader)) { + return VERIFY_SOURCE_INIT_FAIL; + } + HapVerifyV2 hapVerifyV2; + return hapVerifyV2.Verify(filePath, hapVerifyResult); +} + int32_t ParseHapProfile(const std::string& filePath, HapVerifyResult& hapVerifyV1Result) { HapVerifyV2 hapVerifyV2; 
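Review bot: `HapVerifyNotRd` tests the same `g_isInit` flag that `HapVerifyInit()` sets, so in a process where the `RdInitLoader` path already ran, `g_hapVerifyInit(NotRdInitLoader)` is never called and the package is verified against whichever trust files were loaded first. The flag is also read outside `g_mtx` in the added `if (!g_isInit && ...)` line. Recording which loader initialised the singletons (a second flag or small enum written under `g_mtx`) and returning `VERIFY_SOURCE_INIT_FAIL` on a mismatch would keep the choice of root CAs from depending on call order. Separately, `g_hapVerifyInit`, `NotRdInitLoader` and `RdInitLoader` look like file-local helpers and could be `static`. The `std::function` parameter shows no signature in this view (presumably `std::function<bool(TrustedRootCa&, TrustedSourceManager&)>`), and neither the `<functional>` include nor the full body of `g_hapVerifyInit` is visible in these hunks.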
diff --git a/interfaces/innerkits/appverify/src/provision/provision_verify.cpp b/interfaces/innerkits/appverify/src/provision/provision_verify.cpp index 2f4a20f..8d1f9c0 100644 --- a/interfaces/innerkits/appverify/src/provision/provision_verify.cpp +++ b/interfaces/innerkits/appverify/src/provision/provision_verify.cpp @@ -342,6 +342,11 @@ void SetRdDevice(bool isRdDevice) g_isRdDevice = isRdDevice; } +bool IsRdDevice() +{ + return g_isRdDevice; +} + AppProvisionVerifyResult ParseAndVerify(const string& appProvision, ProvisionInfo& info) { HAPVERIFY_LOG_DEBUG("Enter HarmonyAppProvision Verify"); -- Gitee