From 8945e7377b80239f6233590377a40104da2ca03e Mon Sep 17 00:00:00 2001 From: yang1946 Date: Fri, 5 Jul 2024 10:38:49 +0800 Subject: [PATCH] =?UTF-8?q?=E6=9C=AC=E5=9C=B0=E7=AD=BE=E5=90=8D=E4=BA=8C?= =?UTF-8?q?=E7=BA=A7CA=E6=A0=A1=E9=AA=8C?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: yang1946 --- interfaces/innerkits/local_code_sign/BUILD.gn | 3 + utils/src/huks_attest_verifier.cpp | 58 +++++++++++++++++-- 2 files changed, 57 insertions(+), 4 deletions(-) diff --git a/interfaces/innerkits/local_code_sign/BUILD.gn b/interfaces/innerkits/local_code_sign/BUILD.gn index 6257623..eeb2f96 100644 --- a/interfaces/innerkits/local_code_sign/BUILD.gn +++ b/interfaces/innerkits/local_code_sign/BUILD.gn @@ -44,6 +44,9 @@ ohos_shared_library("liblocal_code_sign_sdk") { if (build_variant == "root") { defines += [ "CODE_SIGNATURE_DEBUGGABLE" ] } + if (code_signature_support_oh_code_sign) { + defines += [ "VERIFY_KEY_ATTEST_CERTCHAIN" ] + } external_deps = [ "c_utils:utils", diff --git a/utils/src/huks_attest_verifier.cpp b/utils/src/huks_attest_verifier.cpp index 88dc72e..b9deed2 100644 --- a/utils/src/huks_attest_verifier.cpp +++ b/utils/src/huks_attest_verifier.cpp @@ -61,6 +61,9 @@ static bool g_verifierInited = false; static int g_saNid = 0; static int g_challengeNid = 0; static int g_attestationNid = 0; +#ifdef VERIFY_KEY_ATTEST_CERTCHAIN +static constexpr uint32_t COMMON_NAME_BUF_SIZE = 256; +#endif static inline int GetNidFromDefination(const std::vector &defVector) { @@ -273,6 +276,53 @@ static bool VerifyCertAndExtension(X509 *signCert, X509 *issuerCert, const ByteB return true; } +static bool VerifyIntermediateCASubject(const std::vector &certChainBuffer) +{ +#ifndef VERIFY_KEY_ATTEST_CERTCHAIN + LOG_INFO("Skip intermediate CA subject verification."); + return true; +#else + if (certChainBuffer.empty()) { + LOG_ERROR("The vector is empty"); + return false; + } + + auto certBuffer = certChainBuffer.back(); + X509 *cert = LoadCertFromBuffer(certBuffer.GetBuffer(), certBuffer.GetSize()); + if (cert == nullptr) { + LOG_ERROR("Load intermediate CA cert failed."); + return false; + } + + bool ret = false; + do { + X509_NAME *subjectName = X509_get_subject_name(cert); + if (subjectName == nullptr) { + LOG_ERROR("Get subject name failed."); + break; + } + + char commonNameBuf[COMMON_NAME_BUF_SIZE] = {0}; + int len = X509_NAME_get_text_by_NID(subjectName, NID_commonName, commonNameBuf, COMMON_NAME_BUF_SIZE); + if (len <= 0) { + LOG_ERROR("Get common name failed."); + break; + } + + if (!strstr(commonNameBuf, "Huawei CBG Mobile Equipment CA") && + !strstr(commonNameBuf, "Huawei CBG Equipment S2 CA") && + !strstr(commonNameBuf, "Huawei CBG Equipment S3 CA")) { + LOG_ERROR("Intermediate CA common name not matched, common name:%{private}s", commonNameBuf); + break; + } + + ret = true; + } while (0); + + X509_free(cert); + return ret; +#endif +} bool GetVerifiedCert(const ByteBuffer &buffer, const ByteBuffer &challenge, ByteBuffer &certBuffer) { @@ -282,13 +332,11 @@ bool GetVerifiedCert(const ByteBuffer &buffer, const ByteBuffer &challenge, Byte LOG_ERROR("Get cert chain failed."); return false; } - X509 *issuerCert = LoadCertFromBuffer(issuerBuffer.GetBuffer(), issuerBuffer.GetSize()); if (issuerCert == nullptr) { LOG_ERROR("Load issuerCert cert failed."); return false; } - bool ret = false; X509 *signCert = nullptr; STACK_OF(X509 *) certChain = nullptr; @@ -298,18 +346,20 @@ bool GetVerifiedCert(const ByteBuffer &buffer, const ByteBuffer &challenge, Byte LOG_ERROR("Load cert chain failed."); break; } + if (!VerifyIntermediateCASubject(certChainBuffer)) { + LOG_ERROR("Failed to verify the Intermediate CA subject."); + break; + } if (!VerifyIssurCert(issuerCert, certChain)) { LOG_ERROR("Verify issuer cert not pass."); break; } LOG_DEBUG("Verify issuer cert pass"); - signCert = LoadCertFromBuffer(certBuffer.GetBuffer(), certBuffer.GetSize()); if (signCert == nullptr) { LOG_ERROR("Load signing cert failed."); break; } - if (!VerifyCertAndExtension(signCert, issuerCert, challenge)) { break; } -- Gitee