From ffe714a66af0be9eced7145b39d67f96a7f70c06 Mon Sep 17 00:00:00 2001 From: yeyuning Date: Wed, 25 Oct 2023 14:41:49 +0800 Subject: [PATCH] =?UTF-8?q?feat:debug=E6=A8=A1=E5=BC=8F=E4=B8=8B=E5=90=91?= =?UTF-8?q?=E5=86=85=E6=A0=B8=E5=86=99=E5=85=A5debug-signing?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: yeyuning Change-Id: I7ab55d62891ee14609c4cd1c7072c13b89eee0e5 --- bundle.json | 3 +- services/key_enable/src/cert_chain_utils.rs | 49 ++-- services/key_enable/utils/BUILD.gn | 1 + .../key_enable/utils/include/cert_utils.h | 3 +- services/key_enable/utils/src/cert_utils.cpp | 14 +- .../invalid_structure_cert_path.json | 4 +- test/unittest/rust_key_enable_test.rs | 225 +++++++++++------- 7 files changed, 188 insertions(+), 111 deletions(-) diff --git a/bundle.json b/bundle.json index 96d3276..3be88ff 100644 --- a/bundle.json +++ b/bundle.json @@ -34,7 +34,8 @@ "eventhandler", "build_framework", "access_token", - "ylong_json" + "ylong_json", + "init" ], "third_party": [ "openssl", diff --git a/services/key_enable/src/cert_chain_utils.rs b/services/key_enable/src/cert_chain_utils.rs index cda3136..9636ab3 100644 --- a/services/key_enable/src/cert_chain_utils.rs +++ b/services/key_enable/src/cert_chain_utils.rs @@ -27,6 +27,7 @@ const ALLOWED_APP_SOURCE_MEMBERNAMES: &[&str] = &[ const TRUST_APP_SOURCE_KEY: &str = "trust-app-source"; const CERT_NAME_KEY: &str = "name"; const APP_SIGNING_CERT_KEY: &str = "app-signing-cert"; +const APP_DEBUG_SIGNING_CERT_KEY: &str = "profile-debug-signing-certificate"; const ISSUER_CA_KEY: &str = "issuer-ca"; const MAX_CERT_PATH: &str = "max-certs-path"; @@ -46,6 +47,11 @@ pub struct TrustAppSource { pub path_len: i32, } +extern "C" { + /// return true if developermode is ture else false + pub fn IsDeveloperModeOn() -> bool; +} + fn print_openssl_error_stack(error_stack: ErrorStack) { for error in error_stack.errors() { error!(LOG_LABEL, "{}", @public(error.to_string())); @@ -148,30 +154,21 @@ fn fabricate_name(subject: &str) -> String { ret } -/// load cert path from json file -pub fn load_cert_path_from_json_file(cert_paths: &mut Vec, file_path: &str) { - let value = match JsonValue::from_file(file_path) { - Ok(v) => v, - Err(e) => { - error!( - LOG_LABEL, - "Error loading JSON from file {}: {}", file_path, e - ); - return; - } - }; - - let cert_path_array = match value[TRUST_APP_SOURCE_KEY].try_as_array() { +fn parse_trust_app_sources( + cert_paths: &mut Vec, + json_value: &JsonValue, + subject_key: &str, +) { + let cert_path_array = match json_value[TRUST_APP_SOURCE_KEY].try_as_array() { Ok(array) => array, Err(_) => { error!( LOG_LABEL, - "Cannot get preset key TRUST_APP_SOURCE_KEY from file {}", file_path + "Cannot get preset key TRUST_APP_SOURCE_KEY from file " ); return; } }; - for cert_path in cert_path_array.iter() { let cert_name = match cert_path[CERT_NAME_KEY].try_as_string() { Ok(name) => name, @@ -187,7 +184,7 @@ pub fn load_cert_path_from_json_file(cert_paths: &mut Vec, file_ continue; } - let signing = match cert_path[APP_SIGNING_CERT_KEY].try_as_string() { + let signing = match cert_path[subject_key].try_as_string() { Ok(s) => s, Err(_) => continue, }; @@ -220,3 +217,21 @@ pub fn load_cert_path_from_json_file(cert_paths: &mut Vec, file_ }); } } + +/// load cert path from json file +pub fn load_cert_path_from_json_file(cert_paths: &mut Vec, file_path: &str) { + let value = match JsonValue::from_file(file_path) { + Ok(v) => v, + Err(e) => { + error!( + LOG_LABEL, + "Error loading JSON from file {}: {}", file_path, e + ); + return; + } + }; + parse_trust_app_sources(cert_paths, &value, APP_SIGNING_CERT_KEY); + if unsafe { IsDeveloperModeOn() } { + parse_trust_app_sources(cert_paths, &value, APP_DEBUG_SIGNING_CERT_KEY); + } +} diff --git a/services/key_enable/utils/BUILD.gn b/services/key_enable/utils/BUILD.gn index c8c22ab..9db830e 100644 --- a/services/key_enable/utils/BUILD.gn +++ b/services/key_enable/utils/BUILD.gn @@ -33,6 +33,7 @@ ohos_static_library("libkey_enable_utils") { external_deps = [ "c_utils:utils", "hilog:libhilog", + "init:libbegetutil", ] subsystem_name = "security" part_name = "code_signature" diff --git a/services/key_enable/utils/include/cert_utils.h b/services/key_enable/utils/include/cert_utils.h index 10a1912..bb27e49 100644 --- a/services/key_enable/utils/include/cert_utils.h +++ b/services/key_enable/utils/include/cert_utils.h @@ -30,11 +30,12 @@ struct CertPathInfo { uint8_t __reserved[36]; }; -#define CERT_IOCTL_CMD _IOW(CERT_IOCTL_MAGIC_NUMBER, 1, CertPathInfo) +#define ADD_CERT_PATH_CMD _IOW(CERT_IOCTL_MAGIC_NUMBER, 1, CertPathInfo) #ifdef __cplusplus extern "C" { #endif int AddCertPath(const CertPathInfo &info); + bool IsDeveloperModeOn(); #ifdef __cplusplus } #endif diff --git a/services/key_enable/utils/src/cert_utils.cpp b/services/key_enable/utils/src/cert_utils.cpp index 3feacbd..01aaa94 100644 --- a/services/key_enable/utils/src/cert_utils.cpp +++ b/services/key_enable/utils/src/cert_utils.cpp @@ -19,6 +19,7 @@ #include #include #include +#include #include "log.h" #include "errcode.h" #include "cert_utils.h" @@ -33,7 +34,7 @@ int AddCertPath(const CertPathInfo &info) return CS_ERR_FILE_OPEN; } - int ret = ioctl(fd, CERT_IOCTL_CMD, &info); + int ret = ioctl(fd, ADD_CERT_PATH_CMD, &info); if (ret < 0) { LOG_ERROR(LABEL, "ioctl error, errno = <%{public}d, %{public}s>", errno, strerror(errno)); close(fd); @@ -42,4 +43,13 @@ int AddCertPath(const CertPathInfo &info) close(fd); return CS_SUCCESS; -} \ No newline at end of file +} + +bool IsDeveloperModeOn() +{ + bool ret = false; + if (OHOS::system::GetBoolParameter("const.security.developermode.state", false)) { + ret = true; + } + return ret; +} diff --git a/test/unittest/resources/demo_cert/cert_path/invalid_structure_cert_path.json b/test/unittest/resources/demo_cert/cert_path/invalid_structure_cert_path.json index cb881b5..1e79a14 100644 --- a/test/unittest/resources/demo_cert/cert_path/invalid_structure_cert_path.json +++ b/test/unittest/resources/demo_cert/cert_path/invalid_structure_cert_path.json @@ -32,8 +32,8 @@ { "name":"huawei app gallery", "wrong_app-signing-cert":"C=CN, O=Huawei CBG, OU=HOS Development Team, CN=HOS Application Provision Dev", - "profile-signing-certificate":"C=CN, O=Huawei CBG, OU=HOS Development Team, CN=HOS Application Provision Profile Dev", - "profile-debug-signing-certificate":"C=CN, O=Huawei CBG, OU=HOS Development Team, CN=HOS Application Provision Profile Dev_Debug", + "wrong_profile-signing-certificate":"C=CN, O=Huawei CBG, OU=HOS Development Team, CN=HOS Application Provision Profile Dev", + "wrong_profile-debug-signing-certificate":"C=CN, O=Huawei CBG, OU=HOS Development Team, CN=HOS Application Provision Profile Dev_Debug", "issuer-ca":"C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Software Signing Service CA Test", "max-certs-path":3, "critialcal-cert-extension":["keyusage","huawei-signing-capability"] diff --git a/test/unittest/rust_key_enable_test.rs b/test/unittest/rust_key_enable_test.rs index 81f0304..2570d9c 100644 --- a/test/unittest/rust_key_enable_test.rs +++ b/test/unittest/rust_key_enable_test.rs @@ -30,7 +30,10 @@ const ALLOWED_ROOT_CERT_MEMBER_NAMES: &[&str] = &[ "C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Root CA G2 Test", ]; extern crate key_enable; -use key_enable::cert_chain_utils::{load_cert_path_from_json_file, load_pem_cert_from_json_file}; +use key_enable::cert_chain_utils::{ + load_cert_path_from_json_file, load_pem_cert_from_json_file, IsDeveloperModeOn, + TrustAppSource, +}; #[test] fn test_load_pem_cert_from_valid_json_file() { @@ -82,61 +85,142 @@ fn test_empty_pem_cert_json_file() { assert!(result.is_empty()); } +fn assert_eq_right_cert_path(cert_paths: Vec) { + if unsafe { IsDeveloperModeOn() } { + assert_eq!(cert_paths.len(), 5, "Expected 5 entries to be populated"); + + assert_eq!( + cert_paths[0].path_len, 3, + "Expected the path of the first entry to be 3" + ); + assert_eq!( + cert_paths[0].signing.to_str().unwrap(), + "Huawei: HOS AppGallery Application Release", + "Unexpected app-signing-cert for the first entry" + ); + assert_eq!( + cert_paths[0].issuer.to_str().unwrap(), + "Huawei CBG Software Signing Service CA Test", + "Unexpected issuer-ca for the first entry" + ); + + assert_eq!( + cert_paths[1].path_len, 3, + "Expected the path of the second entry to be 3" + ); + assert_eq!( + cert_paths[1].signing.to_str().unwrap(), + "Huawei CBG: HOS Application Provision Dev", + "Unexpected app-signing-cert for the second entry" + ); + assert_eq!( + cert_paths[1].issuer.to_str().unwrap(), + "Huawei CBG Software Signing Service CA Test", + "Unexpected issuer-ca for the second entry" + ); + + assert_eq!( + cert_paths[2].path_len, 3, + "Expected the path of the third entry to be 3" + ); + assert_eq!( + cert_paths[2].signing.to_str().unwrap(), + "Huawei: HOS Preload Service", + "Unexpected app-signing-cert for the third entry" + ); + assert_eq!( + cert_paths[2].issuer.to_str().unwrap(), + "Huawei CBG Software Signing Service CA Test", + "Unexpected issuer-ca for the third entry" + ); + assert_eq!( + cert_paths[3].path_len, 3, + "Expected the path of the first debug profile entry to be 3" + ); + assert_eq!( + cert_paths[3].signing.to_str().unwrap(), + "Huawei: HOS Profile Management Debug", + "Unexpected app-signing-cert for the first debug profile entry" + ); + assert_eq!( + cert_paths[3].issuer.to_str().unwrap(), + "Huawei CBG Software Signing Service CA Test", + "Unexpected issuer-ca for the first debug profile entry" + ); + + assert_eq!( + cert_paths[4].path_len, 3, + "Expected the path of the second debug profile entry to be 3" + ); + assert_eq!( + cert_paths[4].signing.to_str().unwrap(), + "Huawei CBG: HOS Application Provision Profile Dev_Debug", + "Unexpected app-signing-cert for the second debug profile entry" + ); + assert_eq!( + cert_paths[4].issuer.to_str().unwrap(), + "Huawei CBG Software Signing Service CA Test", + "Unexpected issuer-ca for the second debug profile entry" + ); + } else { + assert_eq!( + cert_paths.len(), + 3, + "Expected three entries to be populated" + ); + + assert_eq!( + cert_paths[0].path_len, 3, + "Expected the path of the first entry to be 3" + ); + assert_eq!( + cert_paths[0].signing.to_str().unwrap(), + "Huawei: HOS AppGallery Application Release", + "Unexpected app-signing-cert for the first entry" + ); + assert_eq!( + cert_paths[0].issuer.to_str().unwrap(), + "Huawei CBG Software Signing Service CA Test", + "Unexpected issuer-ca for the first entry" + ); + + assert_eq!( + cert_paths[1].path_len, 3, + "Expected the path of the second entry to be 3" + ); + assert_eq!( + cert_paths[1].signing.to_str().unwrap(), + "Huawei CBG: HOS Application Provision Dev", + "Unexpected app-signing-cert for the second entry" + ); + assert_eq!( + cert_paths[1].issuer.to_str().unwrap(), + "Huawei CBG Software Signing Service CA Test", + "Unexpected issuer-ca for the second entry" + ); + + assert_eq!( + cert_paths[2].path_len, 3, + "Expected the path of the third entry to be 3" + ); + assert_eq!( + cert_paths[2].signing.to_str().unwrap(), + "Huawei: HOS Preload Service", + "Unexpected app-signing-cert for the third entry" + ); + assert_eq!( + cert_paths[2].issuer.to_str().unwrap(), + "Huawei CBG Software Signing Service CA Test", + "Unexpected issuer-ca for the third entry" + ); + } +} + #[test] fn test_successful_load_cert_path() { let mut cert_paths = Vec::new(); load_cert_path_from_json_file(&mut cert_paths, VALID_CERT_PATH); - - assert_eq!( - cert_paths.len(), - 3, - "Expected three entries to be populated" - ); - - assert_eq!( - cert_paths[0].path_len, 3, - "Expected the path of the first entry to be 3" - ); - assert_eq!( - cert_paths[0].signing.to_str().unwrap(), - "Huawei: HOS AppGallery Application Release", - "Unexpected app-signing-cert for the first entry" - ); - assert_eq!( - cert_paths[0].issuer.to_str().unwrap(), - "Huawei CBG Software Signing Service CA Test", - "Unexpected issuer-ca for the first entry" - ); - - assert_eq!( - cert_paths[1].path_len, 3, - "Expected the path of the second entry to be 3" - ); - assert_eq!( - cert_paths[1].signing.to_str().unwrap(), - "Huawei CBG: HOS Application Provision Dev", - "Unexpected app-signing-cert for the second entry" - ); - assert_eq!( - cert_paths[1].issuer.to_str().unwrap(), - "Huawei CBG Software Signing Service CA Test", - "Unexpected issuer-ca for the second entry" - ); - - assert_eq!( - cert_paths[2].path_len, 3, - "Expected the path of the third entry to be 3" - ); - assert_eq!( - cert_paths[2].signing.to_str().unwrap(), - "Huawei: HOS Preload Service", - "Unexpected app-signing-cert for the third entry" - ); - assert_eq!( - cert_paths[2].issuer.to_str().unwrap(), - "Huawei CBG Software Signing Service CA Test", - "Unexpected issuer-ca for the third entry" - ); + assert_eq_right_cert_path(cert_paths); } #[test] fn test_invalid_cert_path_file_path() { @@ -152,42 +236,7 @@ fn test_invalid_cert_path_file_path() { fn test_invalid_cert_path_json_structure() { let mut cert_paths = Vec::new(); load_cert_path_from_json_file(&mut cert_paths, INVALID_STRUCTURE_CERT_PATH); - - assert_eq!( - cert_paths.len(), - 3, - "Expected 3 valid TrustAppSource instances for given JSON" - ); - - assert_eq!( - cert_paths[0].signing.to_str().unwrap(), - "Huawei: HOS AppGallery Application Release" - ); - assert_eq!( - cert_paths[0].issuer.to_str().unwrap(), - "Huawei CBG Software Signing Service CA Test" - ); - assert_eq!(cert_paths[0].path_len, 3); - - assert_eq!( - cert_paths[1].signing.to_str().unwrap(), - "Huawei CBG: HOS Application Provision Dev" - ); - assert_eq!( - cert_paths[1].issuer.to_str().unwrap(), - "Huawei CBG Software Signing Service CA Test" - ); - assert_eq!(cert_paths[1].path_len, 3); - - assert_eq!( - cert_paths[2].signing.to_str().unwrap(), - "Huawei: HOS Preload Service" - ); - assert_eq!( - cert_paths[2].issuer.to_str().unwrap(), - "Huawei CBG Software Signing Service CA Test" - ); - assert_eq!(cert_paths[2].path_len, 3); + assert_eq_right_cert_path(cert_paths); } #[test] -- Gitee