diff --git a/bundle.json b/bundle.json index 87127edfdb88e24cf4bfaf8ac5401ca93f8f8b49..96d327677eb2998a0f21e3622f2c6f1795614757 100644 --- a/bundle.json +++ b/bundle.json @@ -33,7 +33,8 @@ "huks", "eventhandler", "build_framework", - "access_token" + "access_token", + "ylong_json" ], "third_party": [ "openssl", diff --git a/services/key_enable/BUILD.gn b/services/key_enable/BUILD.gn index 28323f1b4426f1a6f8589f8ed55e227a318b50fd..24b6dd877cc3e2787cc669aacf8c9926e0edb584 100644 --- a/services/key_enable/BUILD.gn +++ b/services/key_enable/BUILD.gn @@ -17,12 +17,13 @@ import("../../code_signature.gni") ohos_rust_executable("key_enable") { sources = [ "src/main.rs" ] deps = [ + "${rust_openssl_dir}/openssl:lib", "utils:libkey_enable_utils", - "${rust_openssl_dir}/openssl:lib" ] external_deps = [ - "hisysevent:hisysevent_rust", "hilog:hilog_rust", + "hisysevent:hisysevent_rust", + "ylong_json:lib", ] if (build_variant == "root") { rustenv = [ "code_signature_debuggable=on" ] @@ -35,20 +36,6 @@ ohos_rust_executable("key_enable") { part_name = "code_signature" } -ohos_prebuilt_etc("trusted_code_signature_certs") { - source = "config/trusted_code_signature_certs.cer" - part_name = "code_signature" - subsystem_name = "security" - relative_install_dir = "security" -} - -ohos_prebuilt_etc("trusted_code_signature_test_certs") { - source = "config/trusted_code_signature_test_certs.cer" - part_name = "code_signature" - subsystem_name = "security" - relative_install_dir = "security" -} - ohos_prebuilt_etc("key_enable.cfg") { source = "key_enable.cfg" relative_install_dir = "init" @@ -60,7 +47,5 @@ group("key_enable_targets") { deps = [ ":key_enable", ":key_enable.cfg", - ":trusted_code_signature_certs", - ":trusted_code_signature_test_certs" ] -} \ No newline at end of file +} 
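Review bot: The two `ohos_prebuilt_etc` targets that installed the trusted certificate files are deleted from `group("key_enable_targets")`, but nothing in this diff installs the JSON trust stores that cert_utils.rs now reads from `/system/etc/security` (trusted_root_ca.json, trusted_apps_sources.json and their `_test` variants). Unless another component ships them, `key_enable` will find no roots and fail at startup, so either the JSON files and their install targets belong in this change or the commit description should say where they come from. Selection of the `_test` stores still hinges only on `build_variant == "root"`, which is the pre-existing behaviour.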
diff --git a/services/key_enable/config/trusted_code_signature_certs.cer b/services/key_enable/config/trusted_code_signature_certs.cer deleted file mode 100644 index 1159206cce0148127797499ae28c4dc86863f68a..0000000000000000000000000000000000000000 --- a/services/key_enable/config/trusted_code_signature_certs.cer +++ /dev/null 
@@ -1,51 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICGjCCAaGgAwIBAgIIShhpn519jNAwCgYIKoZIzj0EAwMwUzELMAkGA1UEBhMC -Q04xDzANBgNVBAoMBkh1YXdlaTETMBEGA1UECwwKSHVhd2VpIENCRzEeMBwGA1UE -AwwVSHVhd2VpIENCRyBSb290IENBIEcyMB4XDTIwMDMxNjAzMDQzOVoXDTQ5MDMx -NjAzMDQzOVowUzELMAkGA1UEBhMCQ04xDzANBgNVBAoMBkh1YXdlaTETMBEGA1UE -CwwKSHVhd2VpIENCRzEeMBwGA1UEAwwVSHVhd2VpIENCRyBSb290IENBIEcyMHYw -EAYHKoZIzj0CAQYFK4EEACIDYgAEWidkGnDSOw3/HE2y2GHl+fpWBIa5S+IlnNrs -GUvwC1I2QWvtqCHWmwFlFK95zKXiM8s9yV3VVXh7ivN8ZJO3SC5N1TCrvB2lpHMB -wcz4DA0kgHCMm/wDec6kOHx1xvCRo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0T -AQH/BAUwAwEB/zAdBgNVHQ4EFgQUo45a9Vq8cYwqaiVyfkiS4pLcIAAwCgYIKoZI -zj0EAwMDZwAwZAIwMypeB7P0IbY7c6gpWcClhRznOJFj8uavrNu2PIoz9KIqr3jn -BlBHJs0myI7ntYpEAjBbm8eDMZY5zq5iMZUC6H7UzYSix4Uy1YlsLVV738PtKP9h -FTjgDHctXJlC5L7+ZDY= ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIDADCCAoegAwIBAgIIJGDixWQS3MkwCgYIKoZIzj0EAwMwUzELMAkGA1UEBhMC -Q04xDzANBgNVBAoMBkh1YXdlaTETMBEGA1UECwwKSHVhd2VpIENCRzEeMBwGA1UE -AwwVSHVhd2VpIENCRyBSb290IENBIEcyMB4XDTIwMDMxNjEyMzIzOVoXDTQwMDMx -NjEyMzIzOVowZDELMAkGA1UEBhMCQ04xDzANBgNVBAoMBkh1YXdlaTETMBEGA1UE -CwwKSHVhd2VpIENCRzEvMC0GA1UEAwwmSHVhd2VpIENCRyBTb2Z0d2FyZSBTaWdu -aW5nIFNlcnZpY2UgQ0EwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAASsEz7cwYkzFh9b -xIwKfXx5qHGjl5WITy0teGnNWqv+jYCceeixHqErvK7YRn2hVPIqhRqKWeANHZUK -G0qxi+NIpmSmQS8/63CLz1QAcxfv2Xl3/V82dF0v9lm16ehMsN+jggEVMIIBETAf -BgNVHSMEGDAWgBSjjlr1WrxxjCpqJXJ+SJLiktwgADAdBgNVHQ4EFgQU+vX3viBW -XV3U2m3xFBU8HQnbsjQwDwYDVR0TAQH/BAUwAwEB/zBGBgNVHSAEPzA9MDsGBFUd -IAAwMzAxBggrBgEFBQcCARYlaHR0cDovL2Nwa2ktY2F3ZWIuaHVhd2VpLmNvbS9j -cGtpL2NwczAOBgNVHQ8BAf8EBAMCAQYwZgYDVR0fBF8wXTBboFmgV4ZVaHR0cDov -L2Nwa2ktY2F3ZWIuaHVhd2VpLmNvbS9jcGtpL3NlcnZsZXQvY3JsRmlsZURvd24u -Y3JsP2NlcnR5cGU9MTAmL3Jvb3RfZzJfY3JsLmNybDAKBggqhkjOPQQDAwNnADBk -AjBrAQQxUlNgqhYkcEm5eksnPxDkPJSY/qNd2BDgbvEydiLwPSvB7Z9lipxz8ikZ -EeUCMGppWcaV//SIG1y5tEwthLwWeEaF613vUILWQLir8+CA3RZGsRBqtE8xSqfz -yafLYQ== ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- 
-MIIC2zCCAmGgAwIBAgIIbYJpqbm8ip4wCgYIKoZIzj0EAwMwZDELMAkGA1UEBhMC -Q04xDzANBgNVBAoMBkh1YXdlaTETMBEGA1UECwwKSHVhd2VpIENCRzEvMC0GA1UE -AwwmSHVhd2VpIENCRyBTb2Z0d2FyZSBTaWduaW5nIFNlcnZpY2UgQ0EwHhcNMjMw -NzEwMDEzMTU3WhcNMjgwNzEwMDEzMTU3WjBiMQswCQYDVQQGDAJDTjEPMA0GA1UE -CgwGSHVhd2VpMRMwEQYDVQQLDApIdWF3ZWkgQ0JHMS0wKwYDVQQDDCRIYXJtb255 -T1MgQXBwbGljYXRpb24gQ29kZSBTaWduYXR1cmUwWTATBgcqhkjOPQIBBggqhkjO -PQMBBwNCAAS/112HcjszspWy5oViPaLmTJrwTY80DESGnQWcc6hdFlv5aoR/iiCm -yzmrWyDogn1Wlgzh3HTQN233602dJA+6o4H+MIH7MB8GA1UdIwQYMBaAFPr1974g -Vl1d1Npt8RQVPB0J27I0MB0GA1UdDgQWBBQNVp+N1XY53RDvCEUpsN9d5KciyTBG -BgNVHSAEPzA9MDsGBFUdIAAwMzAxBggrBgEFBQcCARYlaHR0cDovL3BraS5jb25z -dW1lci5odWF3ZWkuY29tL2NhL2NwczAOBgNVHQ8BAf8EBAMCB4AwTAYDVR0fBEUw -QzBBoD+gPYY7aHR0cDovL3BraS5jb25zdW1lci5odWF3ZWkuY29tL2NhL2NybC9z -b2Z0X3NpZ25fc3J2X2NybC5jcmwwEwYDVR0lBAwwCgYIKwYBBQUHAwMwCgYIKoZI -zj0EAwMDaAAwZQIxAOGqDUSOAjAtSPW7fAh4zsQslGGj8qu/z2GsJzl+joaO9mF5 -At3CSsVpaZn3ccs+fwIwOqvl/l6gIsSmNzGFyc8hqNZ88JqN3ulG+1iEGJRx9Gi3 -guBzykEdSpJbPy7zwHKw ------END CERTIFICATE----- \ No newline at end of file diff --git a/services/key_enable/config/trusted_code_signature_test_certs.cer b/services/key_enable/config/trusted_code_signature_test_certs.cer deleted file mode 100644 index 448a34433c2393eb2658a11fc629c9cef332a90f..0000000000000000000000000000000000000000 --- a/services/key_enable/config/trusted_code_signature_test_certs.cer +++ /dev/null 
@@ -1,51 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICJTCCAaugAwIBAgIIb/9KnVieVTgwCgYIKoZIzj0EAwMwWDELMAkGA1UEBhMC -Q04xDzANBgNVBAoMBkh1YXdlaTETMBEGA1UECwwKSHVhd2VpIENCRzEjMCEGA1UE -AwwaSHVhd2VpIENCRyBSb290IENBIEcyIFRlc3QwHhcNMjAwMzEyMTI0NDAwWhcN -NDkwMzEyMTI0NDAwWjBYMQswCQYDVQQGEwJDTjEPMA0GA1UECgwGSHVhd2VpMRMw -EQYDVQQLDApIdWF3ZWkgQ0JHMSMwIQYDVQQDDBpIdWF3ZWkgQ0JHIFJvb3QgQ0Eg -RzIgVGVzdDB2MBAGByqGSM49AgEGBSuBBAAiA2IABLS4fgvaYKKfyMZW/4nNTsSv -xqVxqOEDfLySZK/fSEN0IDQj0sK/qK5hvnf0OxWhwI49P3dKGmQ+cSujXvy0me2D -JTjY127XYZJrvJwwMkrT/vMrZC5kSOEJbt1qAgSmiaNCMEAwDgYDVR0PAQH/BAQD -AgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFGldwFjx9Tzm/QpA8R1gc9wc -eMbFMAoGCCqGSM49BAMDA2gAMGUCMQCCUDRaglmycUGrHmF+L8owKJhbqOUqbwuX -7XL/vJcp3HeHjiXu7XZmYQ+QAvHPhU0CMCiwWFbDl8ETw4VK25QbwhL/QiUfiRfC -J6LzteOvjLTEV5iebQMz/nS1j7/oj3Rsqg== ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIDCjCCApGgAwIBAgIIWbEqGvOqT10wCgYIKoZIzj0EAwMwWDELMAkGA1UEBhMC -Q04xDzANBgNVBAoMBkh1YXdlaTETMBEGA1UECwwKSHVhd2VpIENCRzEjMCEGA1UE -AwwaSHVhd2VpIENCRyBSb290IENBIEcyIFRlc3QwHhcNMjAwMzEzMTE1ODI4WhcN -NDAwMzEzMTE1ODI4WjBpMQswCQYDVQQGEwJDTjEPMA0GA1UECgwGSHVhd2VpMRMw -EQYDVQQLDApIdWF3ZWkgQ0JHMTQwMgYDVQQDDCtIdWF3ZWkgQ0JHIFNvZnR3YXJl -IFNpZ25pbmcgU2VydmljZSBDQSBUZXN0MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE -ukPDS3s0TpYa/lANCTc7eX8fdGGjMPUbvso3TtlBvzdm0XDNTdVtZq3XVOfefgpE -OaC/JSoXgiNHkeEQ4XSSm0d7MbeoYEyoEKWa1G2/SOQxbVNqKLexxlGMjMuOLdMb -o4IBFTCCAREwHwYDVR0jBBgwFoAUaV3AWPH1POb9CkDxHWBz3Bx4xsUwHQYDVR0O -BBYEFHu4R1Kn8cxYnvtV7OEtcQ4Hmi8mMA8GA1UdEwEB/wQFMAMBAf8wRgYDVR0g -BD8wPTA7BgRVHSAAMDMwMQYIKwYBBQUHAgEWJWh0dHA6Ly9jcGtpLWNhd2ViLmh1 -YXdlaS5jb20vY3BraS9jcHMwDgYDVR0PAQH/BAQDAgEGMGYGA1UdHwRfMF0wW6BZ -oFeGVWh0dHA6Ly9jcGtpLWNhd2ViLmh1YXdlaS5jb20vY3BraS9zZXJ2bGV0L2Ny -bEZpbGVEb3duLmNybD9jZXJ0eXBlPTEwJi9yb290X2cyX2NybC5jcmwwCgYIKoZI -zj0EAwMDZwAwZAIwF7PjIuOODhpDhzpw2cqV/xbLNJ5CExFJHxcy1D0bHljE5xTt -csIN40Ma6aEi3MJQAjAHQLfAzZvMmreYwKnc2bHXlS68roSRvNTvrUKp3Lcp92nK -MzieiyKHlWKEgrUjnKc= ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- 
-MIIC4DCCAmagAwIBAgIIU/SrKJPkW6YwCgYIKoZIzj0EAwMwaTELMAkGA1UEBhMC -Q04xDzANBgNVBAoMBkh1YXdlaTETMBEGA1UECwwKSHVhd2VpIENCRzE0MDIGA1UE -AwwrSHVhd2VpIENCRyBTb2Z0d2FyZSBTaWduaW5nIFNlcnZpY2UgQ0EgVGVzdDAe -Fw0yMzA2MDEwMzI4NDNaFw0yODA2MDEwMzI4NDNaMGIxCzAJBgNVBAYMAkNOMQ8w -DQYDVQQKDAZIdWF3ZWkxEzARBgNVBAsMCkh1YXdlaSBDQkcxLTArBgNVBAMMJEhh -cm1vbnlPUyBBcHBsaWNhdGlvbiBDb2RlIFNpZ25hdHVyZTBZMBMGByqGSM49AgEG -CCqGSM49AwEHA0IABGbgEvMyY8++O+rVbt2i9HKyUP5nf+p01NqN8OCgBHB5o4fg -YIRJXY+cpaUZxkkBfvkt6/kLywacXwR0hXLHkE+jgf4wgfswHwYDVR0jBBgwFoAU -e7hHUqfxzFie+1Xs4S1xDgeaLyYwHQYDVR0OBBYEFCjtHe1Kvhx4q5H6Igh3TEyl -CbZVMEYGA1UdIAQ/MD0wOwYEVR0gADAzMDEGCCsGAQUFBwIBFiVodHRwOi8vcGtp -LmNvbnN1bWVyLmh1YXdlaS5jb20vY2EvY3BzMA4GA1UdDwEB/wQEAwIHgDBMBgNV -HR8ERTBDMEGgP6A9hjtodHRwOi8vcGtpLmNvbnN1bWVyLmh1YXdlaS5jb20vY2Ev -Y3JsL3NvZnRfc2lnbl9zcnZfY3JsLmNybDATBgNVHSUEDDAKBggrBgEFBQcDAzAK -BggqhkjOPQQDAwNoADBlAjEAi6AqF238lxOz5Su6cu4+9+OzGA5pBC8q9Z+BaLww -wLIC8Mnm4DlohM/piE3sLr4RAjBp7unOVdJ/EGmhDwKYfUrtw7II4OZbAUCQMlaN -41XENywaqxpl1zbuBvlK2l7EhsI= ------END CERTIFICATE----- \ No newline at end of file diff --git a/services/key_enable/src/cert_chain_utils.rs b/services/key_enable/src/cert_chain_utils.rs index a267764dec68974215a56f79d8e4968a0acd532c..d770547f3bc502e745451a73f99d5482eca726f3 100644 --- a/services/key_enable/src/cert_chain_utils.rs +++ b/services/key_enable/src/cert_chain_utils.rs 
@@ -13,31 +13,47 @@ * limitations under the License. */ -use openssl::x509::{X509, X509StoreContext, X509VerifyResult}; -use openssl::x509::store::{X509Store, X509StoreBuilder}; -use openssl::x509::verify::X509VerifyFlags; -use openssl::stack::Stack; +use hilog_rust::{error, hilog, HiLogLabel, LogType}; use openssl::error::ErrorStack; +use openssl::x509::X509; use std::ffi::{c_char, CString}; -use hilog_rust::{error, info, hilog, HiLogLabel, LogType}; -use super::file_utils; +use ylong_json::JsonValue; + +const ALLOWED_APP_SOURCE_MEMBERNAMES: &[&str] = &[ + "huawei app gallery", + "huawei system apps", + "third_party app preload", +]; +const TRUST_APP_SOURCE_KEY: &str = "trust-app-source"; +const CERT_NAME_KEY: &str = "name"; +const APP_SIGNING_CERT_KEY: &str = "app-signing-cert"; +const ISSUER_CA_KEY: &str = "issuer-ca"; +const MAX_CERT_PATH: &str = "max-certs-path"; const LOG_LABEL: HiLogLabel = HiLogLabel { log_type: LogType::LogCore, domain: 0xd002f00, // security domain - tag: "CODE_SIGN" + tag: "CODE_SIGN", }; -fn print_openssl_error_stack(error_stack: ErrorStack) -{ +/// data of trust app source +pub struct TrustAppSource { + /// signing + pub signing: CString, + /// issuer + pub issuer: CString, + /// path + pub path_len: i32, +} + +fn print_openssl_error_stack(error_stack: ErrorStack) { for error in error_stack.errors() { error!(LOG_LABEL, "{}", @public(error.to_string())); } } -fn load_certs_from_pem_file(file_path: &str) -> Option> -{ - let pem = file_utils::load_bytes_from_file(file_path); +fn load_certs_from_json_file(file_path: &str, member_names: &[&str]) -> Option> { + let pem: Vec = load_pem_cert_from_json_file(file_path, member_names); match X509::stack_from_pem(&pem) { Ok(certs) => Some(certs), Err(e) => { @@ -47,8 +63,7 @@ fn load_certs_from_pem_file(file_path: &str) -> Option> } } -fn dump_cert_in_der(cert: X509) -> Option> -{ +fn dump_cert_in_der(cert: X509) -> Option> { match cert.to_der() { Ok(der) => Some(der), Err(e) => { 
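Review bot: In `load_certs_from_json_file` the `member_names` allowlist only selects JSON keys; nothing checks that the certificate stored under a key such as `CN=... Root CA G2` actually carries that subject, and the chain verification the removed `get_verifed_cert_from_chain` performed is not replaced, so every PEM reachable through an allowed key becomes an fs-verity trust root as-is. If the file is trusted solely because it lives on the read-only system partition, say so in the doc comment of `load_pem_cert_from_json_file` (next hunk); otherwise compare each certificate's subject with the key it was loaded under before returning it. The `filter_map` closure in that hunk can be written as `cert_value.try_as_string().ok().map(|s| s.to_string())`, and whether `value[subject]` on a missing key or a non-object root yields `Null` rather than panicking is worth confirming against ylong_json, since empty_pem_cert.json is one of the new test inputs.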
@@ -58,71 +73,104 @@ fn dump_cert_in_der(cert: X509) -> Option> } } -fn convert_to_stack(certs: Vec) -> Stack -{ - let mut stack_of_certs = Stack::::new().expect("Create Stack failed"); - for cert in certs { - stack_of_certs.push(cert).unwrap(); +/// get root cert from json file +pub fn get_root_cert_from_json_file(certs: &mut Vec>, path: &str, member_names: &[&str]) { + let pem_certs: Vec = load_certs_from_json_file(path, member_names).unwrap(); + for pem_cert in pem_certs { + let der_cert = dump_cert_in_der(pem_cert).unwrap(); + certs.push(der_cert); } - stack_of_certs } -fn convert_to_store(certs: Vec) -> X509Store -{ - let mut store_builder = X509StoreBuilder::new().expect("Create X509StoreBuilder failed"); - for cert in certs { - store_builder.add_cert(cert).unwrap(); - } - store_builder.set_flags(X509VerifyFlags::NO_CHECK_TIME).expect("Set X509Store flag failed"); - store_builder.build() -} +/// load pem certs from json file +pub fn load_pem_cert_from_json_file(file_path: &str, member_names: &[&str]) -> Vec { + let value = match JsonValue::from_file(file_path) { + Ok(v) => v, + Err(e) => { + error!( + LOG_LABEL, + "Error loading JSON from file {}: {}", file_path, e + ); + return Vec::new(); + } + }; -fn verify_certs(cert: &X509, inter_ca:Vec, root_ca: Vec) -> Result -{ - let cert_chain = convert_to_stack(inter_ca); - let store = convert_to_store(root_ca); - let mut ctx = X509StoreContext::new().expect("Create X509StoreContext failed"); - ctx.init(&store, cert, &cert_chain, |c| { - c.verify_cert()?; - Ok(c.error()) - }) + let cert_vec: Vec = member_names + .iter() + .filter_map(|subject| { + let cert_value = &value[subject]; + match cert_value.try_as_string() { + Ok(s) => Some(s.to_string()), + Err(_) => None, + } + }) + .collect(); + cert_vec.join("\n").into_bytes() } -/// get cert from file -/// verify the cert if a chain is found in file and then return the leaf cert in DER format -pub fn get_verifed_cert_from_chain(path: &str) -> Option> -{ - let mut certs 
= load_certs_from_pem_file(path).unwrap(); - let count = certs.len(); - match count { - 0 => { - error!(LOG_LABEL, "No cert in file."); - return None; - }, - 1 => { - info!(LOG_LABEL, "Only one cert in file, use directly."); - return dump_cert_in_der(certs.pop().unwrap()); - }, - _ => () - } - // chain format: root_ca -> inter_ca(may 0, 1 or more) -> cert - let cert = certs.pop().unwrap(); - let mut inter_ca = Vec::new(); - let mut root_ca = Vec::new(); - for _i in 1..count - 1 { - inter_ca.push(certs.pop().unwrap()); - } - root_ca.push(certs.pop().unwrap()); - match verify_certs(&cert, inter_ca, root_ca) { - Ok(X509VerifyResult::OK) => (), - Ok(result) => { - error!(LOG_LABEL, "Verification failed: {}", @public(result.error_string())); - return None; - } +/// load cert path from json file +pub fn load_cert_path_from_json_file(cert_paths: &mut Vec, file_path: &str) { + let value = match JsonValue::from_file(file_path) { + Ok(v) => v, Err(e) => { - print_openssl_error_stack(e); - return None; + error!( + LOG_LABEL, + "Error loading JSON from file {}: {}", file_path, e + ); + return; + } + }; + + let cert_path_array = match value[TRUST_APP_SOURCE_KEY].try_as_array() { + Ok(array) => array, + Err(_) => { + error!( + LOG_LABEL, + "Cannot get preset key TRUST_APP_SOURCE_KEY from file {}", file_path + ); + return; + } + }; + + for cert_path in cert_path_array.iter() { + let cert_name = match cert_path[CERT_NAME_KEY].try_as_string() { + Ok(name) => name, + Err(e) => { + error!( + LOG_LABEL, + "Error trying to interpret CERT_NAME_KEY as string: {:?}", e + ); + return; + } + }; + if !ALLOWED_APP_SOURCE_MEMBERNAMES.contains(&cert_name.as_str()) { + continue; } + + let signing = match cert_path[APP_SIGNING_CERT_KEY].try_as_string() { + Ok(s) => s, + Err(_) => continue, + }; + + let issuer = match cert_path[ISSUER_CA_KEY].try_as_string() { + Ok(s) => s, + Err(_) => continue, + }; + + let path_len = match cert_path[MAX_CERT_PATH] + .try_as_number() + .and_then(|n| 
n.try_as_i64()) + { + Ok(num) => num, + Err(_) => continue, + }; + + let signing_cstring = CString::new(signing.as_str()).expect("app-signing-cert is invalid"); + let issuer_cstring = CString::new(issuer.as_str()).expect("issuer-ca is invalid"); + cert_paths.push(TrustAppSource { + signing: signing_cstring, + issuer: issuer_cstring, + path_len: path_len as i32, + }); } - dump_cert_in_der(cert) -} \ No newline at end of file +} diff --git a/services/key_enable/src/cert_utils.rs b/services/key_enable/src/cert_utils.rs index 949303ca080b1f0506dc8c058ef69bdc5f813fc0..9b97a131416f0f168ecd8460ec0cc0ebc5cf9f44 100644 --- a/services/key_enable/src/cert_utils.rs +++ b/services/key_enable/src/cert_utils.rs 
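Review bot: `path_len as i32` at the end of `load_cert_path_from_json_file` silently truncates the i64 read from `max-certs-path`, and the same value is cast to u32 again before it reaches the kernel, so a negative or oversized entry in the config becomes an arbitrary path length; replace the cast with `Ok(num) => match i32::try_from(num) { Ok(n) => n, Err(_) => continue },` so such entries are skipped like the other malformed fields. The error handling inside the loop is also inconsistent: a bad `name` returns from the function and drops every remaining entry, while a missing `app-signing-cert`, `issuer-ca` or `max-certs-path` just `continue`s; pick one, and log skipped entries, since silently dropping a trust source is hard to diagnose. Earlier in this hunk, the two `unwrap()` calls in `get_root_cert_from_json_file` mean one malformed PEM in the trust store panics the daemon instead of taking the logged-error path used everywhere else in this file; an `error!` plus early return would match the rest. `CString::new(...).expect(...)` on config strings has the same effect for an embedded NUL.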
@@ -13,39 +13,43 @@ * limitations under the License. */ -use std::ffi::{c_char, CString}; -use hilog_rust::{error, hilog, HiLogLabel, LogType}; - use super::cert_chain_utils; -const LOG_LABEL: HiLogLabel = HiLogLabel { - log_type: LogType::LogCore, - domain: 0xd002f00, // security domain - tag: "CODE_SIGN" -}; - -const CODE_SIGNATURE_TRUSTED_CERTS: &str = "/system/etc/security/trusted_code_signature_certs.cer"; -const CODE_SIGNATURE_TRUSTED_TEST_CERTS: &str = "/system/etc/security/trusted_code_signature_test_certs.cer"; +const TRUSTED_ROOT_CERT: &str = "/system/etc/security/trusted_root_ca.json"; +const ALLOWED_ROOT_CERT_MEMBER_NAMES: &[&str] = &[ + "C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Root CA G2", + "C=CN, O=OpenHarmony, OU=OpenHarmony Team, CN=OpenHarmony Application Root CA", +]; +const TRUSTED_ROOT_CERT_TEST: &str = "/system/etc/security/trusted_root_ca_test.json"; +const ALLOWED_ROOT_CERT_MEMBER_NAMES_TEST: &[&str] = + &["C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Root CA G2 Test"]; +const TRUSTED_APP_SOURCES: &str = "/system/etc/security/trusted_apps_sources.json"; +const TRUSTED_APP_SOURCES_TEST: &str = "/system/etc/security/trusted_apps_sources_test.json"; -fn get_trusted_cert_from_file(certs: &mut Vec>, file_path: &str) -{ - match cert_chain_utils::get_verifed_cert_from_chain(file_path) { - Some(der) => { - certs.push(der); - }, - None => { - error!(LOG_LABEL, "Get trusted cert failed."); - } +/// get trusted certs form json file +pub fn get_trusted_certs() -> Vec> { + let mut certs = Vec::new(); + cert_chain_utils::get_root_cert_from_json_file( + &mut certs, + TRUSTED_ROOT_CERT, + ALLOWED_ROOT_CERT_MEMBER_NAMES + ); + if env!("code_signature_debuggable") == "on" { + cert_chain_utils::get_root_cert_from_json_file( + &mut certs, + TRUSTED_ROOT_CERT_TEST, + ALLOWED_ROOT_CERT_MEMBER_NAMES_TEST + ); } + certs } -// compatible with multiple CA -pub fn get_trusted_certs() -> Vec> -{ - let mut certs = Vec::new(); - get_trusted_cert_from_file(&mut 
certs, CODE_SIGNATURE_TRUSTED_CERTS); +/// get cert path form json file +pub fn get_cert_path() -> Vec { + let mut cert_paths = Vec::new(); + cert_chain_utils::load_cert_path_from_json_file(&mut cert_paths, TRUSTED_APP_SOURCES); if env!("code_signature_debuggable") == "on" { - get_trusted_cert_from_file(&mut certs, CODE_SIGNATURE_TRUSTED_TEST_CERTS); + cert_chain_utils::load_cert_path_from_json_file(&mut cert_paths, TRUSTED_APP_SOURCES_TEST); } - certs -} \ No newline at end of file + cert_paths +} diff --git a/services/key_enable/src/cs_hisysevent.rs b/services/key_enable/src/cs_hisysevent.rs index 291e9727161acd5b7f18f05384232b0b29179a7f..39aaef150c0758dff5bacb329e8eefb72af5ea3d 100644 --- a/services/key_enable/src/cs_hisysevent.rs +++ b/services/key_enable/src/cs_hisysevent.rs @@ -13,16 +13,17 @@ * limitations under the License. */ -use hisysevent::{EventType}; +use hisysevent::EventType; /// report add key err by hisysevent -pub fn report_add_key_err(cert_type: &str, errcode: i32) -{ +pub fn report_add_key_err(cert_type: &str, errcode: i32) { hisysevent::write( "CODE_SIGN", "CS_ADD_KEY", EventType::Fault, - &[hisysevent::build_str_param!("STRING_SINGLE", cert_type), - hisysevent::build_number_param!("INT32_SINGLE", errcode)] + &[ + hisysevent::build_str_param!("STRING_SINGLE", cert_type), + hisysevent::build_number_param!("INT32_SINGLE", errcode), + ], ); -} \ No newline at end of file +} diff --git a/services/key_enable/src/key_enable.rs b/services/key_enable/src/key_enable.rs index 81608a5b268d048b94eddeac225a3001234428c7..a692defe32df00ce0536dd3f76baa661b10bfb19 100644 --- a/services/key_enable/src/key_enable.rs +++ b/services/key_enable/src/key_enable.rs 
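Review bot: The doc comments on `get_trusted_certs` and `get_cert_path` read "form json file"; they should say "from", and the first is worth expanding to state that the result is empty when the file is missing or none of the allowlisted keys is present, which the caller treats as fatal. Because `ALLOWED_ROOT_CERT_MEMBER_NAMES` entries are used as exact JSON object keys, any difference in attribute order or spacing in trusted_root_ca.json silently drops that root; a comment next to the constant such as `// must match the JSON key byte-for-byte` would save the next maintainer a debugging session. The `get_root_cert_from_json_file(` calls are also missing the trailing comma rustfmt puts after the last argument.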
@@ -13,22 +13,20 @@ * limitations under the License. */ -use std::fs::File; +use super::cert_utils; +use super::cs_hisysevent; +use hilog_rust::{error, hilog, HiLogLabel, LogType}; use std::ffi::{c_char, CString}; +use std::fs::File; use std::io::{BufRead, BufReader}; use std::option::Option; use std::ptr; use std::thread::sleep_ms; -use std::vec::Vec; - -use hilog_rust::{error, hilog, HiLogLabel, LogType}; -use super::cs_hisysevent; -use super::cert_utils; const LOG_LABEL: HiLogLabel = HiLogLabel { log_type: LogType::LogCore, domain: 0xd002f00, // security domain - tag: "CODE_SIGN" + tag: "CODE_SIGN", }; const CERT_DATA_MAX_SIZE: usize = 8192; @@ -45,16 +43,39 @@ const SLEEP_MILLI_SECONDS: u32 = 50; type KeySerial = i32; +#[repr(C)] +pub struct CertPathInfo { + /// signing_length + pub signing_length: u32, + /// issuer_length + pub issuer_length: u32, + /// signing + pub signing: u64, + /// issuer + pub issuer: u64, + /// path + pub path_len: u32, + __reserved: [u8; 36], +} + extern "C" { fn InitLocalCertificate(cert_data: *mut u8, cert_size: *mut usize) -> i32; - fn AddKey(type_name: *const u8, description: *const u8, payload: *const u8, - plen: usize, ring_id: KeySerial) -> KeySerial; - fn KeyctlRestrictKeyring(ring_id: KeySerial, type_name: *const u8, - restriction: *const u8) -> KeySerial; + fn AddKey( + type_name: *const u8, + description: *const u8, + payload: *const u8, + plen: usize, + ring_id: KeySerial, + ) -> KeySerial; + fn KeyctlRestrictKeyring( + ring_id: KeySerial, + type_name: *const u8, + restriction: *const u8, + ) -> KeySerial; + fn AddCertPath(info: *const CertPathInfo) -> i32; } -fn get_local_key() -> Option> -{ +fn get_local_key() -> Option> { let mut cert_size = CERT_DATA_MAX_SIZE; let mut cert_data = Vec::with_capacity(cert_size); let pcert = cert_data.as_mut_ptr(); 
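Review bot: `CertPathInfo` must stay layout-identical to `struct CertPathInfo` in utils/include/cert_utils.h because it is handed to an ioctl; add a compile-time guard next to the struct, `const _: () = assert!(std::mem::size_of::<CertPathInfo>() == 64);`, and a `///` comment naming the header it mirrors and stating that `signing`/`issuer` carry pointer addresses widened to u64. The field docs (`/// signing`, `/// path`) only repeat the field names; say what each holds, e.g. that `signing_length`/`issuer_length` are byte lengths of the DN strings excluding the NUL. The `extern "C"` declaration `fn AddCertPath(info: *const CertPathInfo) -> i32;` takes a pointer while the C++ side declares a reference parameter; that is ABI-compatible on the common platforms as far as I know, but one comment would stop someone "fixing" either side.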
@@ -72,8 +93,7 @@ fn get_local_key() -> Option> /// [Serial][Flags][Usage][Expiry][Permissions][UID][GID][TypeName][Description]: [Summary] /// [0] [1] [2] [3] [4] [5] [6] [7] [8] [9] /// 3985ad4c I------ 1 perm 082f0000 0 0 keyring .fs-verity: empty -fn parse_key_info(line: String) -> Option -{ +fn parse_key_info(line: String) -> Option { let attrs: Vec<&str> = line.split_whitespace().collect(); if attrs.len() != 10 { return None; @@ -91,19 +111,23 @@ fn parse_key_info(line: String) -> Option } } -fn enable_key(key_id: KeySerial, key_name: &str, cert_data: &Vec) -> i32 -{ +fn enable_key(key_id: KeySerial, key_name: &str, cert_data: &Vec) -> i32 { let type_name = CString::new("asymmetric").expect("type name is invalid"); let keyname = CString::new(key_name).expect("keyname is invalid"); unsafe { - let ret: i32 = AddKey(type_name.as_ptr(), keyname.as_ptr(), cert_data.as_ptr(), cert_data.len(), key_id); + let ret: i32 = AddKey( + type_name.as_ptr(), + keyname.as_ptr(), + cert_data.as_ptr(), + cert_data.len(), + key_id, + ); ret } } -fn enable_key_list(key_id: KeySerial, certs: Vec>) -> i32 -{ - let prefix = String::from(CODE_SIGN_KEY_NAME_PREFIX); +fn enable_key_list(key_id: KeySerial, certs: Vec>, key_name_prefix: &str) -> i32 { + let prefix = String::from(key_name_prefix); for (i, cert_data) in certs.iter().enumerate() { let key_name = prefix.clone() + &i.to_string(); let ret = enable_key(key_id, key_name.as_str(), cert_data); @@ -115,8 +139,7 @@ fn enable_key_list(key_id: KeySerial, certs: Vec>) -> i32 } /// parse proc_key_file to get keyring id -fn get_keyring_id() -> Result -{ +fn get_keyring_id() -> Result { let file = File::open(PROC_KEY_FILE_PATH).expect("Open /proc/keys failed"); let lines = BufReader::new(file).lines(); for line in lines.flatten() { 
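Review bot: In `enable_key_list` the prefix handling is more roundabout than it needs to be: `let prefix = String::from(key_name_prefix);` plus `prefix.clone() + &i.to_string()` allocates twice per key where `let key_name = format!("{key_name_prefix}{i}");` does it once and reads clearer. The reformatted `enable_key` signature still takes `cert_data: &Vec<u8>`; `&[u8]` is the idiomatic borrow and the call site in `enable_key_list` works unchanged. `enable_key_list` continues past the end of the hunk.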
@@ -131,10 +154,13 @@ fn get_keyring_id() -> Result } // enable all trusted keys -fn enable_trusted_keys(key_id: KeySerial) -> Result<(), ()> -{ +fn enable_trusted_keys(key_id: KeySerial) -> Result<(), ()> { let certs = cert_utils::get_trusted_certs(); - let ret = enable_key_list(key_id, certs); + if certs.is_empty() { + error!(LOG_LABEL, "empty trusted certs!"); + return Err(()); + } + let ret = enable_key_list(key_id, certs, CODE_SIGN_KEY_NAME_PREFIX); if ret < 0 { cs_hisysevent::report_add_key_err("code_sign_keys", ret); return Err(()); @@ -143,14 +169,13 @@ fn enable_trusted_keys(key_id: KeySerial) -> Result<(), ()> } // enable local key from local code sign SA -fn enable_local_key(key_id: KeySerial) -> Result<(), ()> -{ +fn enable_local_key(key_id: KeySerial) -> Result<(), ()> { let mut times = 0; let cert_data = loop { match get_local_key() { Some(key) => { break key; - }, + } None => { error!(LOG_LABEL, "Get local key failed, may try again."); } @@ -172,8 +197,7 @@ fn enable_local_key(key_id: KeySerial) -> Result<(), ()> } // restrict fs-verity keyring, don't allow to add more keys -fn restrict_keys(key_id: KeySerial) -> Result<(), ()> -{ +fn restrict_keys(key_id: KeySerial) -> Result<(), ()> { unsafe { if KeyctlRestrictKeyring(key_id, ptr::null(), ptr::null()) < 0 { error!(LOG_LABEL, "Restrict keyring err"); 
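Review bot: The new `certs.is_empty()` branch in `enable_trusted_keys` only logs before returning Err, while the AddKey failure right below it also reports through `cs_hisysevent::report_add_key_err`; an empty trust store is at least as worth surfacing, so report it too, e.g. `cs_hisysevent::report_add_key_err("code_sign_keys", ERRCODE_PLACEHOLDER);` with a code taken from the project's error definitions. Note that `enable_all_keys` chains these steps with `?`, so this early return also means `restrict_keys` is never reached and the fs-verity keyring stays unrestricted; if that is the intended fail state it deserves a comment here, because a reader will assume the restriction still happens.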
@@ -183,12 +207,43 @@ fn restrict_keys(key_id: KeySerial) -> Result<(), ()> Ok(()) } +/// Add ca path from json file +fn add_cert_path() -> Result<(), ()> { + let cert_paths = cert_utils::get_cert_path(); + if cert_paths.is_empty() { + error!(LOG_LABEL, "empty cert paths!"); + return Err(()); + } + for cert_path in &cert_paths { + let signing_clone = cert_path.signing.clone(); + let issuer_clone = cert_path.issuer.clone(); + unsafe { + let cert_info = CertPathInfo { + signing_length: signing_clone.as_bytes().len() as u32, + issuer_length: issuer_clone.as_bytes().len() as u32, + signing: signing_clone.as_ptr() as u64, + issuer: issuer_clone.as_ptr() as u64, + path_len: cert_path.path_len as u32, + __reserved: [0; 36], + }; + + let ret = AddCertPath(&cert_info); + if ret < 0 { + cs_hisysevent::report_add_key_err("cert_path", ret); + error!(LOG_LABEL, "add cert path error!"); + return Err(()); + } + } + } + Ok(()) +} + /// enable trusted and local keys, and then restrict keyring -pub fn enable_all_keys() -> Result<(), ()> -{ +pub fn enable_all_keys() -> Result<(), ()> { let key_id = get_keyring_id()?; enable_trusted_keys(key_id)?; enable_local_key(key_id)?; restrict_keys(key_id)?; + add_cert_path()?; Ok(()) -} \ No newline at end of file +} diff --git a/services/key_enable/src/file_utils.rs b/services/key_enable/src/lib.rs similarity index 67% rename from services/key_enable/src/file_utils.rs rename to services/key_enable/src/lib.rs index c852b95334f3d569cf51432a761cfc1910fdfb3e..b381c92edd1a7bc1be1fad959d9b9a5c8ac385c8 100644 --- a/services/key_enable/src/file_utils.rs +++ b/services/key_enable/src/lib.rs 
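Review bot: In `add_cert_path` the `unsafe` block wraps the whole struct construction although only the `AddCertPath` call needs it, there is no `// SAFETY:` comment, and `cert_path.path_len as u32` turns a negative `i32` into a huge path length handed to the kernel. The `signing_clone`/`issuer_clone` copies are also unnecessary: `cert_path` is borrowed from `cert_paths`, which outlives the loop, so the original `CString`s can be pointed at directly. The rewrite below narrows the unsafe block, rejects negative lengths with `u32::try_from`, and documents the pointer lifetime; the error reporting after the call is unchanged.
```rust
    for cert_path in &cert_paths {
        let path_len = match u32::try_from(cert_path.path_len) {
            Ok(n) => n,
            Err(_) => {
                error!(LOG_LABEL, "negative cert path length!");
                return Err(());
            }
        };
        // Borrow the CStrings in place: `cert_paths` outlives this loop, so the
        // addresses stay valid for the duration of the call below.
        let cert_info = CertPathInfo {
            signing_length: cert_path.signing.as_bytes().len() as u32,
            issuer_length: cert_path.issuer.as_bytes().len() as u32,
            signing: cert_path.signing.as_ptr() as u64,
            issuer: cert_path.issuer.as_ptr() as u64,
            path_len,
            __reserved: [0; 36],
        };
        // SAFETY: `cert_info` is a fully initialised #[repr(C)] struct that lives
        // until the call returns, and both addresses point into NUL-terminated
        // CStrings owned by `cert_paths`.
        let ret = unsafe { AddCertPath(&cert_info) };
        // … unchanged: report_add_key_err / error! / return Err on ret < 0 …
    }
```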
@@ -1,25 +1,23 @@ -/* - * Copyright (c) 2023 Huawei Device Co., Ltd. - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -use std::fs::File; -use std::io::{Read}; - -pub fn load_bytes_from_file(file_path: &str) -> Vec -{ - let mut file = File::open(file_path).expect("Open file failed."); - let mut data = Vec::new(); - file.read_to_end(&mut data).expect("Read file failed."); - data -} \ No newline at end of file +/* + * Copyright (c) 2023 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +//!crate for unittest + +/// module contains cert chain func +pub mod cert_chain_utils; +/// module contains cert utils func +pub mod cert_utils; +/// module contains rust hisysevent +pub mod cs_hisysevent; diff --git a/services/key_enable/src/main.rs b/services/key_enable/src/main.rs index e044b43be897e04b665b0010c7dcd123fa7ccb4d..c953920f59b1600a8d13a7e7ee03089a1453234a 100644 --- a/services/key_enable/src/main.rs 
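Review bot: The crate doc `//!crate for unittest` is missing the space after `//!` and tells a reader nothing about the layout; something like `//! Library entry point that exposes the key_enable modules so the unit-test crate can link against them.` would do. As far as this diff shows, main.rs still declares the same modules with `mod`, so the code is compiled twice (once into the binary, once into this rlib), and `key_enable.rs`, which holds the new `add_cert_path`, is not exposed here at all; if the binary cannot simply depend on the rlib, a comment saying why would help.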
+++ b/services/key_enable/src/main.rs @@ -14,29 +14,27 @@ */ //! enable keys for code signature -use hilog_rust::{info, error, hilog, HiLogLabel, LogType}; +use hilog_rust::{error, hilog, info, HiLogLabel, LogType}; use std::ffi::{c_char, CString}; mod cert_chain_utils; mod cert_utils; mod cs_hisysevent; -mod file_utils; mod key_enable; const LOG_LABEL: HiLogLabel = HiLogLabel { log_type: LogType::LogCore, domain: 0xd002f00, // security domain - tag: "CODE_SIGN" + tag: "CODE_SIGN", }; -fn main() -{ +fn main() { match key_enable::enable_all_keys() { Ok(()) => { info!(LOG_LABEL, "Succeed to enable all keys."); - }, + } Err(()) => { error!(LOG_LABEL, "Enable keys failed."); } }; -} \ No newline at end of file +} diff --git a/services/key_enable/utils/BUILD.gn b/services/key_enable/utils/BUILD.gn index ba5aa7598b249948c43e40a52a166a8f6c5b889c..c8c22abf6bb82c4c0c4a207505f1034fa90464b6 100644 --- a/services/key_enable/utils/BUILD.gn +++ b/services/key_enable/utils/BUILD.gn @@ -16,6 +16,7 @@ import("../../../code_signature.gni") ohos_static_library("libkey_enable_utils") { sources = [ + "src/cert_utils.cpp", "src/key_utils.cpp", "src/local_code_sign_utils.cpp", ] diff --git a/services/key_enable/utils/include/cert_utils.h b/services/key_enable/utils/include/cert_utils.h new file mode 100644 index 0000000000000000000000000000000000000000..10a19128fd1fb7a8f36570f44a6ff1f07f4df17f --- /dev/null +++ b/services/key_enable/utils/include/cert_utils.h 
@@ -0,0 +1,42 @@
+/*
+ * Copyright (c) 2023 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef CODE_SIGN_IOCTL_UTILS_H
+#define CODE_SIGN_IOCTL_UTILS_H
+
+#include
+
+#define CERT_DEVICE_PATH "/dev/code_sign"
+#define CERT_IOCTL_MAGIC_NUMBER 'k'
+
+struct CertPathInfo {
+ uint32_t signing_length;
+ uint32_t issuer_length;
+ uint64_t signing;
+ uint64_t issuer;
+ uint32_t path_len;
+ uint8_t __reserved[36];
+};
+
+#define CERT_IOCTL_CMD _IOW(CERT_IOCTL_MAGIC_NUMBER, 1, CertPathInfo)
+#ifdef __cplusplus
+extern "C" {
+#endif
+ int AddCertPath(const CertPathInfo &info);
+#ifdef __cplusplus
+}
+#endif
+
+#endif
\ No newline at end of file
diff --git a/services/key_enable/utils/src/cert_utils.cpp b/services/key_enable/utils/src/cert_utils.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..3feacbd6f0bfdf44e4b472079ce88d057a5ce2aa
--- /dev/null
+++ b/services/key_enable/utils/src/cert_utils.cpp
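Review bot: `int AddCertPath(const CertPathInfo &info);` declares a C++ reference inside the `extern "C"` block, and `_IOW(CERT_IOCTL_MAGIC_NUMBER, 1, CertPathInfo)` names the struct without `struct`, so despite the `__cplusplus` guards this header cannot be included from C; declare it as `int AddCertPath(const struct CertPathInfo *info);` (adjusting the definition in cert_utils.cpp to match), which also lines up with the `*const CertPathInfo` declaration on the Rust side, and use `struct CertPathInfo` in the ioctl macro. The include guard `CODE_SIGN_IOCTL_UTILS_H` does not match the file name cert_utils.h and reads as copied from another header; `CODE_SIGN_CERT_UTILS_H` avoids a silent collision if both are ever included together. `__reserved` begins with a double underscore, an identifier reserved for the implementation in C and C++; `reserved` is safer. A comment above the struct stating that it must match the Rust `CertPathInfo` in key_enable.rs and the kernel-side definition field for field would make the ABI contract visible.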
@@ -0,0 +1,45 @@
+/*
+ * Copyright (c) 2023 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include "log.h"
+#include "errcode.h"
+#include "cert_utils.h"
+
+using namespace OHOS::Security::CodeSign;
+
+int AddCertPath(const CertPathInfo &info)
+{
+ int fd = open(CERT_DEVICE_PATH, O_WRONLY);
+ if (fd == -1) {
+ LOG_ERROR(LABEL, "Error opening device, errno = <%{public}d, %{public}s>", errno, strerror(errno));
+ return CS_ERR_FILE_OPEN;
+ }
+
+ int ret = ioctl(fd, CERT_IOCTL_CMD, &info);
+ if (ret < 0) {
+ LOG_ERROR(LABEL, "ioctl error, errno = <%{public}d, %{public}s>", errno, strerror(errno));
+ close(fd);
+ return ret;
+ }
+
+ close(fd);
+ return CS_SUCCESS;
+}
\ No newline at end of file
diff --git a/test/unittest/BUILD.gn b/test/unittest/BUILD.gn
index b33b4257ad8fb0c05c7f60c4edc31fe45278fb52..86f8e1b6ee90bffedeb58e40ca9a8131634a6568 100644
--- a/test/unittest/BUILD.gn
+++ b/test/unittest/BUILD.gn
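Review bot: `open(CERT_DEVICE_PATH, O_WRONLY)` in `AddCertPath` leaves a descriptor to a privileged device node inheritable across exec; use `int fd = open(CERT_DEVICE_PATH, O_WRONLY | O_CLOEXEC);` so it cannot leak into a child. Both error branches read `errno` inside the `LOG_ERROR` macro arguments, where evaluation order is unspecified and whatever the macro expands to may clobber it; capture it first with `int err = errno;` and log `err` and `strerror(err)`. On ioctl failure the function returns the raw `ret` (normally -1), which the Rust caller then forwards to hisysevent as the error code, losing the errno that actually explains the failure; returning a dedicated code from errcode.h and logging errno is more useful, and folding the two `close(fd)` calls into a single exit path removes the duplication.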
@@ -121,6 +121,38 @@ ohos_unittest("multi_thread_local_sign_unittest") {
 ]
 }
+ohos_rust_static_library("rust_key_enable_lib") {
+ sources = [ "${code_signature_root_dir}/services/key_enable/src/lib.rs" ]
+ deps = [
+ "${code_signature_root_dir}/services/key_enable/utils:libkey_enable_utils",
+ "${rust_openssl_dir}/openssl:lib",
+ ]
+ external_deps = [
+ "hilog:hilog_rust",
+ "hisysevent:hisysevent_rust",
+ "ylong_json:lib",
+ ]
+ if (build_variant == "root") {
+ rustenv = [ "code_signature_debuggable=on" ]
+ } else {
+ rustenv = [ "code_signature_debuggable=off" ]
+ }
+ crate_name = "key_enable"
+ crate_type = "rlib"
+ subsystem_name = "security"
+ part_name = "code_signature"
+}
+
+ohos_rust_unittest("rust_key_enable_unittest") {
+ module_out_path = "security/code_signature"
+ resource_config_file = "resources/ohos_test.xml"
+ crate_root = "./rust_key_enable_test.rs"
+ sources = [ "./rust_key_enable_test.rs" ]
+ deps = [ ":rust_key_enable_lib" ]
+ subsystem_name = "security"
+ part_name = "code_signature"
+}
+
 group("unittest_group") {
 testonly = true
 if (!defined(ohos_lite)) {
@@ -128,6 +160,7 @@ group("unittest_group") {
 ":code_sign_utils_unittest",
 ":local_code_sign_unittest",
 ":multi_thread_local_sign_unittest",
+ ":rust_key_enable_unittest",
 ":sign_and_enforce_unittest",
 ]
 }
diff --git a/test/unittest/resources/demo_cert/cert/empty_pem_cert.json b/test/unittest/resources/demo_cert/cert/empty_pem_cert.json
new file mode 100644
index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
diff --git a/test/unittest/resources/demo_cert/cert/invalid_structure_pem_cert.json b/test/unittest/resources/demo_cert/cert/invalid_structure_pem_cert.json
new file mode 100644
index 0000000000000000000000000000000000000000..2383dbe94baff1b2b0ec573ea103fcadd875f239
--- /dev/null
+++ b/test/unittest/resources/demo_cert/cert/invalid_structure_pem_cert.json
@@ -0,0 +1,3 @@
+{
+ "C=json, O=invalid, OU=cert, CN=pem":"-----BEGIN CERTIFICATE-----\nMIICGjCCAaGgAwIBAgIIShhpn519jNAwCgYIKoZIzj0EAwMwUzELMAkGA1UEBhMC\nQ04xDzANBgNVBAoMBkh1YXdlaTETMBEGA1UECwwKSHVhd2VpIENCRzEeMBwGA1UE\nAwwVSHVhd2VpIENCRyBSb290IENBIEcyMB4XDTIwMDMxNjAzMDQzOVoXDTQ5MDMx\nNjAzMDQzOVowUzELMAkGA1UEBhMCQ04xDzANBgNVBAoMBkh1YXdlaTETMBEGA1UE\nCwwKSHVhd2VpIENCRzEeMBwGA1UEAwwVSHVhd2VpIENCRyBSb290IENBIEcyMHYw\nEAYHKoZIzj0CAQYFK4EEACIDYgAEWidkGnDSOw3/HE2y2GHl+fpWBIa5S+IlnNrs\nGUvwC1I2QWvtqCHWmwFlFK95zKXiM8s9yV3VVXh7ivN8ZJO3SC5N1TCrvB2lpHMB\nwcz4DA0kgHCMm/wDec6kOHx1xvCRo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0T\nAQH/BAUwAwEB/zAdBgNVHQ4EFgQUo45a9Vq8cYwqaiVyfkiS4pLcIAAwCgYIKoZI\nzj0EAwMDZwAwZAIwMypeB7P0IbY7c6gpWcClhRznOJFj8uavrNu2PIoz9KIqr3jn\nBlBHJs0myI7ntYpEAjBbm8eDMZY5zq5iMZUC6H7UzYSix4Uy1YlsLVV738PtKP9h\nFTjgDHctXJlC5L7+ZDY=\n-----END CERTIFICATE-----\n"
+}
\ No newline at end of file
diff --git a/test/unittest/resources/demo_cert/cert/valid_pem_cert.json b/test/unittest/resources/demo_cert/cert/valid_pem_cert.json
new file mode 100644
index 0000000000000000000000000000000000000000..6fc318cece97160fdca977f80a151e13324f3353
--- /dev/null
+++ b/test/unittest/resources/demo_cert/cert/valid_pem_cert.json
@@ -0,0 +1,5 @@
+{
+ "C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Root CA G2":"-----BEGIN CERTIFICATE-----\nMIICGjCCAaGgAwIBAgIIShhpn519jNAwCgYIKoZIzj0EAwMwUzELMAkGA1UEBhMC\nQ04xDzANBgNVBAoMBkh1YXdlaTETMBEGA1UECwwKSHVhd2VpIENCRzEeMBwGA1UE\nAwwVSHVhd2VpIENCRyBSb290IENBIEcyMB4XDTIwMDMxNjAzMDQzOVoXDTQ5MDMx\nNjAzMDQzOVowUzELMAkGA1UEBhMCQ04xDzANBgNVBAoMBkh1YXdlaTETMBEGA1UE\nCwwKSHVhd2VpIENCRzEeMBwGA1UEAwwVSHVhd2VpIENCRyBSb290IENBIEcyMHYw\nEAYHKoZIzj0CAQYFK4EEACIDYgAEWidkGnDSOw3/HE2y2GHl+fpWBIa5S+IlnNrs\nGUvwC1I2QWvtqCHWmwFlFK95zKXiM8s9yV3VVXh7ivN8ZJO3SC5N1TCrvB2lpHMB\nwcz4DA0kgHCMm/wDec6kOHx1xvCRo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0T\nAQH/BAUwAwEB/zAdBgNVHQ4EFgQUo45a9Vq8cYwqaiVyfkiS4pLcIAAwCgYIKoZI\nzj0EAwMDZwAwZAIwMypeB7P0IbY7c6gpWcClhRznOJFj8uavrNu2PIoz9KIqr3jn\nBlBHJs0myI7ntYpEAjBbm8eDMZY5zq5iMZUC6H7UzYSix4Uy1YlsLVV738PtKP9h\nFTjgDHctXJlC5L7+ZDY=\n-----END CERTIFICATE-----\n",
+ "C=CN, O=OpenHarmony, OU=OpenHarmony Team, CN=OpenHarmony Application Root CA":"-----BEGIN CERTIFICATE-----\nMIICRDCCAcmgAwIBAgIED+E4izAMBggqhkjOPQQDAwUAMGgxCzAJBgNVBAYTAkNO\nMRQwEgYDVQQKEwtPcGVuSGFybW9ueTEZMBcGA1UECxMQT3Blbkhhcm1vbnkgVGVh\nbTEoMCYGA1UEAxMfT3Blbkhhcm1vbnkgQXBwbGljYXRpb24gUm9vdCBDQTAeFw0y\nMTAyMDIxMjE0MThaFw00OTEyMzExMjE0MThaMGgxCzAJBgNVBAYTAkNOMRQwEgYD\nVQQKEwtPcGVuSGFybW9ueTEZMBcGA1UECxMQT3Blbkhhcm1vbnkgVGVhbTEoMCYG\nA1UEAxMfT3Blbkhhcm1vbnkgQXBwbGljYXRpb24gUm9vdCBDQTB2MBAGByqGSM49\nAgEGBSuBBAAiA2IABE023XmRaw2DnO8NSsb+KG/uY0FtS3u5LQucdr3qWVnRW5ui\nQIL6ttNZBEeLTUeYcJZCpayg9Llf+1SmDA7dY4iP2EcRo4UN3rilovtfFfsmH4ty\n3SApHVFzWUl+NwdH8KNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\nAQYwHQYDVR0OBBYEFBc6EKGrGXzlAE+s0Zgnsphadw7NMAwGCCqGSM49BAMDBQAD\nZwAwZAIwd1p3JzHN93eoPped1li0j64npgqNzwy4OrkehYAqNXpcpaEcLZ7UxW8E\nI2lZJ3SbAjAkqySHb12sIwdSFKSN9KCMMEo/eUT5dUXlcKR2nZz0MJdxT5F51qcX\n1CumzkcYhgU=\n-----END CERTIFICATE-----\n",
+ "C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Root CA G2 Test":"-----BEGIN 
CERTIFICATE-----\nMIICRDCCAcmgAwIBAgIED+E4izAMBggqhkjOPQQDAwUAMGgxCzAJBgNVBAYTAkNO\nMRQwEgYDVQQKEwtPcGVuSGFybW9ueTEZMBcGA1UECxMQT3Blbkhhcm1vbnkgVGVh\nbTEoMCYGA1UEAxMfT3Blbkhhcm1vbnkgQXBwbGljYXRpb24gUm9vdCBDQTAeFw0y\nMTAyMDIxMjE0MThaFw00OTEyMzExMjE0MThaMGgxCzAJBgNVBAYTAkNOMRQwEgYD\nVQQKEwtPcGVuSGFybW9ueTEZMBcGA1UECxMQT3Blbkhhcm1vbnkgVGVhbTEoMCYG\nA1UEAxMfT3Blbkhhcm1vbnkgQXBwbGljYXRpb24gUm9vdCBDQTB2MBAGByqGSM49\nAgEGBSuBBAAiA2IABE023XmRaw2DnO8NSsb+KG/uY0FtS3u5LQucdr3qWVnRW5ui\nQIL6ttNZBEeLTUeYcJZCpayg9Llf+1SmDA7dY4iP2EcRo4UN3rilovtfFfsmH4ty\n3SApHVFzWUl+NwdH8KNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\nAQYwHQYDVR0OBBYEFBc6EKGrGXzlAE+s0Zgnsphadw7NMAwGCCqGSM49BAMDBQAD\nZwAwZAIwd1p3JzHN93eoPped1li0j64npgqNzwy4OrkehYAqNXpcpaEcLZ7UxW8E\nI2lZJ3SbAjAkqySHb12sIwdSFKSN9KCMMEo/eUT5dUXlcKR2nZz0MJdxT5F51qcX\n1CumzkcYhgU=\n-----END CERTIFICATE-----\n"
+}
\ No newline at end of file
diff --git a/test/unittest/resources/demo_cert/cert_path/empty_cert_path.json b/test/unittest/resources/demo_cert/cert_path/empty_cert_path.json
new file mode 100644
index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
diff --git a/test/unittest/resources/demo_cert/cert_path/invalid_structure_cert_path.json b/test/unittest/resources/demo_cert/cert_path/invalid_structure_cert_path.json
new file mode 100644
index 0000000000000000000000000000000000000000..cb881b5473d1ce69e98cb47eda7bc794063b1f3a
--- /dev/null
+++ b/test/unittest/resources/demo_cert/cert_path/invalid_structure_cert_path.json
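Review bot: The third fixture entry, keyed `CN=Huawei CBG Root CA G2 Test`, carries the same PEM body as the second entry (`MIICRDCCAcmg…1CumzkcYhgU=`, the OpenHarmony Application Root CA certificate), so the key does not describe the certificate it maps to. If the loader under test compares the JSON key with the certificate's subject, this entry exercises a mismatch rather than a valid mapping; if it does not, the fixture hides that the mapping is never checked. Either use a distinct test certificate for that key or rename the key to match what the PEM actually contains.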
@@ -0,0 +1,69 @@
+{
+ "version": "1.0.1",
+ "release-time":"2021-01-01 10:01:01",
+ "trust-app-source":[
+ {
+ "name":"huawei app gallery",
+ "app-signing-cert":"C=CN, O=Huawei, OU=HOS AppGallery, CN=HOS AppGallery Application Release",
+ "profile-signing-certificate":"C=CN, O=Huawei, OU=HOS AppGallery, CN=HOS Profile Management",
+ "profile-debug-signing-certificate":"C=CN, O=Huawei, OU=HOS AppGallery, CN=HOS Profile Management Debug",
+ "issuer-ca":"C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Software Signing Service CA Test",
+ "max-certs-path":3,
+ "critialcal-cert-extension":["keyusage","huawei-signing-capability"]
+ },
+ {
+ "name":"huawei system apps",
+ "app-signing-cert":"C=CN, O=Huawei CBG, OU=HOS Development Team, CN=HOS Application Provision Dev",
+ "profile-signing-certificate":"C=CN, O=Huawei CBG, OU=HOS Development Team, CN=HOS Application Provision Profile Dev",
+ "profile-debug-signing-certificate":"C=CN, O=Huawei CBG, OU=HOS Development Team, CN=HOS Application Provision Profile Dev_Debug",
+ "issuer-ca":"C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Software Signing Service CA Test",
+ "max-certs-path":3,
+ "critialcal-cert-extension":["keyusage","huawei-signing-capability"]
+ },
+ {
+ "name":"third_party app preload",
+ "app-signing-cert":"C=CN, O=Huawei, OU=HOS Open Platform, CN=HOS Preload Service",
+ "profile-signing-certificate":"",
+ "profile-debug-signing-certificate":"",
+ "issuer-ca":"C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Software Signing Service CA Test",
+ "max-certs-path":3,
+ "critialcal-cert-extension":["keyusage","huawei-signing-capability"]
+ },
+ {
+ "name":"huawei app gallery",
+ "wrong_app-signing-cert":"C=CN, O=Huawei CBG, OU=HOS Development Team, CN=HOS Application Provision Dev",
+ "profile-signing-certificate":"C=CN, O=Huawei CBG, OU=HOS Development Team, CN=HOS Application Provision Profile Dev",
+ "profile-debug-signing-certificate":"C=CN, O=Huawei CBG, OU=HOS Development Team, CN=HOS Application Provision Profile 
Dev_Debug",
+ "issuer-ca":"C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Software Signing Service CA Test",
+ "max-certs-path":3,
+ "critialcal-cert-extension":["keyusage","huawei-signing-capability"]
+ },
+ {
+ "name":"huawei app gallery",
+ "app-signing-cert":"C=CN, O=Huawei, OU=HOS Open Platform, CN=HOS Preload Service",
+ "profile-signing-certificate":"",
+ "profile-debug-signing-certificate":"",
+ "wrong_issuer-ca":"C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Software Signing Service CA Test",
+ "max-certs-path":3,
+ "critialcal-cert-extension":["keyusage","huawei-signing-capability"]
+ },
+ {
+ "name":"huawei app gallery",
+ "app-signing-cert":"C=CN, O=Huawei, OU=HOS Open Platform, CN=HOS Preload Service",
+ "profile-signing-certificate":"",
+ "profile-debug-signing-certificate":"",
+ "issuer-ca":"C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Software Signing Service CA Test",
+ "wrong_max-certs-path":3,
+ "critialcal-cert-extension":["keyusage","huawei-signing-capability"]
+ },
+ {
+ "name":"not included name",
+ "app-signing-cert":"C=CN, O=Huawei, OU=HOS Open Platform, CN=HOS Preload Service",
+ "profile-signing-certificate":"",
+ "profile-debug-signing-certificate":"",
+ "issuer-ca":"C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Software Signing Service CA Test",
+ "max-certs-path":3,
+ "critialcal-cert-extension":["keyusage","huawei-signing-capability"]
+ }
+ ]
+}
diff --git a/test/unittest/resources/demo_cert/cert_path/valid_cert_path.json b/test/unittest/resources/demo_cert/cert_path/valid_cert_path.json
new file mode 100644
index 0000000000000000000000000000000000000000..7ade04726d52722719e8ae0afb7899d51c12a63b
--- /dev/null
+++ b/test/unittest/resources/demo_cert/cert_path/valid_cert_path.json
@@ -0,0 +1,33 @@
+{
+ "version": "1.0.1",
+ "release-time":"2021-06-03 10:06:00",
+ "trust-app-source":[
+ {
+ "name":"huawei app gallery",
+ "app-signing-cert":"C=CN, O=Huawei, OU=HOS AppGallery, CN=HOS AppGallery Application Release",
+ "profile-signing-certificate":"C=CN, O=Huawei, OU=HOS AppGallery, CN=HOS Profile Management",
+ "profile-debug-signing-certificate":"C=CN, O=Huawei, OU=HOS AppGallery, CN=HOS Profile Management Debug",
+ "issuer-ca":"C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Software Signing Service CA Test",
+ "max-certs-path":3,
+ "critialcal-cert-extension":["keyusage","huawei-signing-capability"]
+ },
+ {
+ "name":"huawei system apps",
+ "app-signing-cert":"C=CN, O=Huawei CBG, OU=HOS Development Team, CN=HOS Application Provision Dev",
+ "profile-signing-certificate":"C=CN, O=Huawei CBG, OU=HOS Development Team, CN=HOS Application Provision Profile Dev",
+ "profile-debug-signing-certificate":"C=CN, O=Huawei CBG, OU=HOS Development Team, CN=HOS Application Provision Profile Dev_Debug",
+ "issuer-ca":"C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Software Signing Service CA Test",
+ "max-certs-path":3,
+ "critialcal-cert-extension":["keyusage","huawei-signing-capability"]
+ },
+ {
+ "name":"third_party app preload",
+ "app-signing-cert":"C=CN, O=Huawei, OU=HOS Open Platform, CN=HOS Preload Service",
+ "profile-signing-certificate":"",
+ "profile-debug-signing-certificate":"",
+ "issuer-ca":"C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Software Signing Service CA Test",
+ "max-certs-path":3,
+ "critialcal-cert-extension":["keyusage","huawei-signing-capability"]
+ }
+ ]
+}
diff --git a/test/unittest/resources/ohos_test.xml b/test/unittest/resources/ohos_test.xml
index dec40b92e2620aac7047eadfd90f8a6f083fd6db..cbbd037e73ca062e79469f952735f9e8885511aa
--- a/test/unittest/resources/ohos_test.xml
+++ b/test/unittest/resources/ohos_test.xml
@@ -99,5 +99,19 @@