diff --git a/autosign/autosign.config b/autosign/autosign.config index 08725d333c57d485cf3c5debe6bb5fa9d806dd24..4f0ba8a60374b21a1e14d856cadc6c1665534dea 100644 --- a/autosign/autosign.config +++ b/autosign/autosign.config @@ -1,7 +1,9 @@ // Base configuration // // Location of signtool.jar -config.signtool=../hapsigntool/hap_sign_tool/build/libs/hap_sign_tool-1.0-SNAPSHOT.jar + +config.signtool=../hapsigntool/hap_sign_tool/build/libs/hap-sign-tool.jar + // All products would be put into folder config.targetDir=result diff --git a/hapsigntool/hap_sign_tool/build.gradle b/hapsigntool/hap_sign_tool/build.gradle index 3205c9ba810b5d78bbf0caa99ae628511c517d47..59550d7eef642aa12aaab88356e8b50a813ed3af 100644 --- a/hapsigntool/hap_sign_tool/build.gradle +++ b/hapsigntool/hap_sign_tool/build.gradle @@ -4,18 +4,18 @@ plugins { } group 'com.ohos' -version '1.0-SNAPSHOT' + repositories { - mavenCentral() + maven { url 'https://mirrors.huaweicloud.com/repository/maven/' } } dependencies { implementation 'org.bouncycastle:bcpkix-jdk15on:1.69' testImplementation 'org.junit.jupiter:junit-jupiter-api:5.7.2' testRuntimeOnly 'org.junit.jupiter:junit-jupiter-engine:5.7.2' - implementation group: 'org.apache.logging.log4j', name: 'log4j-api', version: '2.17.0' - implementation group: 'org.apache.logging.log4j', name: 'log4j-core', version: '2.17.0' + implementation group: 'org.apache.logging.log4j', name: 'log4j-api', version: '2.17.1' + implementation group: 'org.apache.logging.log4j', name: 'log4j-core', version: '2.17.1' implementation 'com.google.code.gson:gson:2.8.6' implementation project(':hap_sign_tool_lib') } @@ -40,4 +40,6 @@ jar { attributes 'Main-Class': 'com.ohos.hapsigntool.HapSignTool' } + archiveBaseName = "hap-sign-tool" + } \ No newline at end of file diff --git a/hapsigntool/hap_sign_tool_lib/build.gradle b/hapsigntool/hap_sign_tool_lib/build.gradle index b5f7c0ce085f52045a7a1ccdb4c0ba5ea95dff9e..1c9fcf1b3b1eb063b0e1cd86d75cd9e0019a60b1 100644 
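Review bot: The `repositories` block in `hap_sign_tool/build.gradle` now resolves every dependency, including the Bouncy Castle and log4j jars that ship inside the signing tool, from a single mirror (`https://mirrors.huaweicloud.com/repository/maven/`), and nothing in the build pins what that mirror serves. Consider enabling Gradle dependency verification (a checked-in `gradle/verification-metadata.xml` with SHA-256 checksums) so that an altered artifact fails the build, and keep `mavenCentral()` as a second repository if the mirror is only there for speed. The same replacement is made in `hap_sign_tool_lib/build.gradle`. Separately, this hunk removes `version '1.0-SNAPSHOT'` while the lib module keeps it; a one-line comment that this is intentional for the fixed `hap-sign-tool.jar` name would help.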
--- a/hapsigntool/hap_sign_tool_lib/build.gradle +++ b/hapsigntool/hap_sign_tool_lib/build.gradle @@ -7,14 +7,14 @@ version '1.0-SNAPSHOT' repositories { - mavenCentral() + maven { url 'https://mirrors.huaweicloud.com/repository/maven/' } } dependencies { testImplementation 'org.junit.jupiter:junit-jupiter-api:5.7.2' testRuntimeOnly 'org.junit.jupiter:junit-jupiter-engine:5.7.2' - implementation group: 'org.apache.logging.log4j', name: 'log4j-api', version: '2.17.0' - implementation group: 'org.apache.logging.log4j', name: 'log4j-core', version: '2.17.0' + implementation group: 'org.apache.logging.log4j', name: 'log4j-api', version: '2.17.1' + implementation group: 'org.apache.logging.log4j', name: 'log4j-core', version: '2.17.1' implementation 'org.bouncycastle:bcpkix-jdk15on:1.69' implementation 'com.google.code.gson:gson:2.8.6' } diff --git a/hapsigntool/hap_sign_tool_lib/src/main/java/com/ohos/hapsigntool/api/SignToolServiceImpl.java b/hapsigntool/hap_sign_tool_lib/src/main/java/com/ohos/hapsigntool/api/SignToolServiceImpl.java index f619f0ef1d91989cfb73f19082f48884f0999189..3390d1d6915f56ac5737b395736f8743c8596619 100644 --- a/hapsigntool/hap_sign_tool_lib/src/main/java/com/ohos/hapsigntool/api/SignToolServiceImpl.java +++ b/hapsigntool/hap_sign_tool_lib/src/main/java/com/ohos/hapsigntool/api/SignToolServiceImpl.java @@ -29,6 +29,7 @@ import com.ohos.hapsigntool.profile.VerifyHelper; import com.ohos.hapsigntool.profile.model.VerificationResult; import com.ohos.hapsigntool.utils.CertUtils; import com.ohos.hapsigntool.utils.FileUtils; +import com.ohos.hapsigntool.utils.ProfileUtils; import com.ohos.hapsigntool.utils.StringUtils; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; 
@@ -225,7 +226,7 @@ public class SignToolServiceImpl implements ServiceApi { boolean result; try { LocalizationAdapter adapter = new LocalizationAdapter(options); - byte[] provisionContent = ProfileSignTool.getProvisionContent(new File(adapter.getInFile())); + byte[] provisionContent = ProfileUtils.getProvisionContent(new File(adapter.getInFile())); byte[] p7b = ProfileSignTool.generateP7b(adapter, provisionContent); FileUtils.write(p7b, new File(adapter.getOutFile())); result = true; diff --git a/hapsigntool/hap_sign_tool_lib/src/main/java/com/ohos/hapsigntool/key/KeyPairTools.java b/hapsigntool/hap_sign_tool_lib/src/main/java/com/ohos/hapsigntool/key/KeyPairTools.java index 285795a24df97274be569989478d5a41d0fa3ee4..3adc08bb5332af115445a58c8a98ef7d137e8696 100644 --- a/hapsigntool/hap_sign_tool_lib/src/main/java/com/ohos/hapsigntool/key/KeyPairTools.java +++ b/hapsigntool/hap_sign_tool_lib/src/main/java/com/ohos/hapsigntool/key/KeyPairTools.java @@ -27,8 +27,11 @@ import java.security.Key; import java.security.KeyFactory; import java.security.KeyPair; import java.security.KeyPairGenerator; +import java.security.PublicKey; +import java.security.PrivateKey; import java.security.NoSuchAlgorithmException; import java.security.spec.InvalidKeySpecException; +import java.security.spec.PKCS8EncodedKeySpec; import java.security.spec.X509EncodedKeySpec; /** 
@@ -123,16 +126,36 @@ public final class KeyPairTools { * * @param algorithm input parameter and algorithm can not be null. * @param keyString input parameter and keyString can not be null. - * @return return x509EncodedKeySpec. + * @return return PublicKey. */ - public static Key string2Key(String algorithm, String keyString) { - X509EncodedKeySpec x509EncodedKeySpec = new X509EncodedKeySpec(Base64.decode(keyString)); + public static PublicKey stringToPublicKey(String algorithm, String keyString) { + X509EncodedKeySpec spec = new X509EncodedKeySpec(Base64.decode(keyString)); + PublicKey result = null; try { - return KeyFactory.getInstance(algorithm).generatePublic(x509EncodedKeySpec); + result = KeyFactory.getInstance(algorithm).generatePublic(spec); + } catch (InvalidKeySpecException | NoSuchAlgorithmException exception) { + LOGGER.debug(exception.getMessage(), exception); + CustomException.throwException(ERROR.ACCESS_ERROR, exception.getMessage()); + } + return result; + } + + /** + * Convert string back to key + * + * @param algorithm input parameter and algorithm can not be null. + * @param keyString input parameter and keyString can not be null. + * @return return PrivateKey. + */ + public static PrivateKey stringToPrivateKey(String algorithm, String keyString) { + PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(Base64.decode(keyString)); + PrivateKey result = null; + try { + result = KeyFactory.getInstance(algorithm).generatePrivate(spec); } catch (InvalidKeySpecException | NoSuchAlgorithmException exception) { LOGGER.debug(exception.getMessage(), exception); CustomException.throwException(ERROR.ACCESS_ERROR, exception.getMessage()); - return null; } + return result; } } 
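Review bot: In both `stringToPublicKey` and the new `stringToPrivateKey`, `Base64.decode(keyString)` runs before the `try`, so malformed input is not mapped to `ERROR.ACCESS_ERROR` like the other failures. If `Base64` here is the Bouncy Castle decoder (the import is outside the hunk), the unchecked decoding exception escapes as-is; building the key spec inside the `try` and catching that exception too would keep error handling uniform. The two Javadoc blocks are identical ("Convert string back to key") and should say that the public variant expects Base64 of an X.509 SubjectPublicKeyInfo and the private variant Base64 of a PKCS#8 structure. Because `stringToPrivateKey` takes private key material as an immutable `String` that cannot be wiped, its Javadoc should also state which callers it is meant for; the only use visible in this diff is the unit test.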
diff --git a/hapsigntool/hap_sign_tool_lib/src/main/java/com/ohos/hapsigntool/profile/ProfileSignTool.java b/hapsigntool/hap_sign_tool_lib/src/main/java/com/ohos/hapsigntool/profile/ProfileSignTool.java index a646be9a0e9d7911aa2e3bc9fba6dc9277d533cc..72d3528c2a16f9146aa71ca4e3a24c846c6d1cf1 100644 --- a/hapsigntool/hap_sign_tool_lib/src/main/java/com/ohos/hapsigntool/profile/ProfileSignTool.java +++ b/hapsigntool/hap_sign_tool_lib/src/main/java/com/ohos/hapsigntool/profile/ProfileSignTool.java @@ -18,10 +18,10 @@ package com.ohos.hapsigntool.profile; import com.ohos.hapsigntool.api.LocalizationAdapter; import com.ohos.hapsigntool.error.CustomException; import com.ohos.hapsigntool.error.ERROR; -import com.ohos.hapsigntool.profile.model.Provision; +import com.ohos.hapsigntool.profile.model.VerificationResult; import com.ohos.hapsigntool.signer.ISigner; import com.ohos.hapsigntool.signer.SignerFactory; -import com.ohos.hapsigntool.utils.FileUtils; +import com.ohos.hapsigntool.utils.ValidateUtils; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; import org.bouncycastle.asn1.ASN1EncodableVector; @@ -48,9 +48,7 @@ import org.bouncycastle.operator.DigestCalculatorProvider; import org.bouncycastle.operator.OperatorCreationException; import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder; -import java.io.File; import java.io.IOException; -import java.nio.charset.StandardCharsets; import java.security.cert.CRLException; import java.security.cert.CertificateEncodingException; import java.security.cert.X509CRL; 
@@ -87,20 +85,12 @@ public final class ProfileSignTool { */ public static byte[] generateP7b(LocalizationAdapter adapter, byte[] content) { ISigner signer = new SignerFactory().getSigner(adapter); - return signProfile(content, signer, adapter.getSignAlg()); - } - - /** - * Get provision content. - * - * @param input input provision profile - * @return file data - */ - public static byte[] getProvisionContent(File input) throws IOException { - byte[] bytes = FileUtils.readFile(input); - Provision provision = FileUtils.GSON.fromJson(new String(bytes, StandardCharsets.UTF_8), Provision.class); - Provision.enforceValid(provision); - return FileUtils.GSON.toJson(provision).getBytes(StandardCharsets.UTF_8); + byte[] p7b = signProfile(content, signer, adapter.getSignAlg()); + VerifyHelper verifyHelper = new VerifyHelper(); + VerificationResult verificationResult = verifyHelper.verify(p7b); + ValidateUtils.throwIfNotMatches(verificationResult.isVerifiedPassed(), ERROR.SIGN_ERROR, + verificationResult.getMessage()); + return p7b; } /** @@ -120,6 +110,9 @@ public final class ProfileSignTool { byte[] digest = getContentDigest(content, digestAlgId); ASN1Set signedAttr = generatePKCS9Attributes(digest); byte[] signature = signer.getSignature(signedAttr.getEncoded("DER"), sigAlg, null); + // To validate cert(public key) and private key + VerifyHelper.verifySignature(signer.getCertificates().get(0), signature, + signedAttr.getEncoded("DER"), sigAlg); SignerIdentifier signerIdentifier = generateSignerIdentifier(signer.getCertificates().get(0)); SignerInfo signerInfo = new SignerInfo(signerIdentifier, digestAlgId, signedAttr, sigAlgId, new DEROctetString(signature), null); diff --git a/hapsigntool/hap_sign_tool_lib/src/main/java/com/ohos/hapsigntool/profile/VerifyHelper.java b/hapsigntool/hap_sign_tool_lib/src/main/java/com/ohos/hapsigntool/profile/VerifyHelper.java index d9bde1bf8904996e6567d0190c650dc54b2c4dd5..2986cd945874c6252b192df076997750222d38e2 100644 
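Review bot: `generateP7b` now raises `ERROR.SIGN_ERROR` when `VerifyHelper.verify` rejects the freshly built p7b, but the method's Javadoc (outside the hunk) does not mention this. The check is also narrower than it looks: `verify`, as changed in this commit, anchors the chain on the last certificate inside the p7b itself, so it confirms internal consistency rather than that the signing chain is trusted. A comment above the call would make that clear, for example `// Self-check only: confirms the p7b parses and its embedded chain is consistent; does not establish trust in the chain.`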
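Review bot: The added `VerifyHelper.verifySignature(signer.getCertificates().get(0), ...)` call in `signProfile` assumes the signer returns a non-empty list whose first element is the signing certificate. An empty or differently ordered chain then surfaces as an `IndexOutOfBoundsException` or a misleading "Signature not matched!" instead of a clear configuration error; a guard such as `ValidateUtils.throwIfMatches(signer.getCertificates() == null || signer.getCertificates().isEmpty(), ERROR.SIGN_ERROR, "No signing certificate");` before the call would make it explicit. `signedAttr.getEncoded("DER")` is also computed twice; encoding once into a local and passing it to both `getSignature` and `verifySignature` guarantees that the verified bytes are the signed bytes. The body of `signProfile` continues outside the hunk.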
--- a/hapsigntool/hap_sign_tool_lib/src/main/java/com/ohos/hapsigntool/profile/VerifyHelper.java +++ b/hapsigntool/hap_sign_tool_lib/src/main/java/com/ohos/hapsigntool/profile/VerifyHelper.java @@ -17,23 +17,37 @@ package com.ohos.hapsigntool.profile; import com.ohos.hapsigntool.error.CustomException; import com.ohos.hapsigntool.error.ERROR; +import com.ohos.hapsigntool.hap.verify.VerifyUtils; import com.ohos.hapsigntool.profile.model.Provision; import com.ohos.hapsigntool.profile.model.VerificationResult; +import com.ohos.hapsigntool.utils.CertChainUtils; +import com.ohos.hapsigntool.utils.CertUtils; import com.ohos.hapsigntool.utils.FileUtils; import com.ohos.hapsigntool.utils.ValidateUtils; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; import org.bouncycastle.cert.X509CertificateHolder; +import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter; import org.bouncycastle.cms.CMSException; import org.bouncycastle.cms.CMSSignedData; import org.bouncycastle.cms.SignerId; -import org.bouncycastle.cms.SignerInformationVerifier; -import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder; +import org.bouncycastle.cms.SignerInformation; +import org.bouncycastle.cms.SignerInformationStore; import org.bouncycastle.util.Store; +import javax.security.auth.x500.X500Principal; +import java.io.IOException; import java.nio.charset.StandardCharsets; +import java.security.InvalidKeyException; +import java.security.NoSuchAlgorithmException; +import java.security.Signature; +import java.security.SignatureException; import java.security.cert.CertificateException; +import java.security.cert.X509Certificate; +import java.util.ArrayList; import java.util.Collection; +import java.util.Iterator; +import java.util.List; /** * Signed provision profile verifier. 
@@ -54,6 +68,55 @@ public class VerifyHelper implements IProvisionVerifier { // Empty constructor } + /** + * Checked signed data with public key. + * + * @param cert public key + * @param signedData signed data with private key + * @param unsignedData unsigned data + * @param algorithm algorithm + */ + public static void verifySignature(X509Certificate cert, byte[] signedData, byte[] unsignedData, String algorithm) { + try { + Signature signature = Signature.getInstance(algorithm); + signature.initVerify(cert); + signature.update(unsignedData); + ValidateUtils.throwIfNotMatches(signature.verify(signedData), ERROR.SIGN_ERROR, "Signature not matched!"); + } catch (InvalidKeyException | SignatureException | NoSuchAlgorithmException exception) { + LOGGER.debug(exception.getMessage(), exception); + CustomException.throwException(ERROR.SIGN_ERROR, "Failed to verify signature: " + exception.getMessage()); + } + } + + /** + * Convert store collection to list. + * + * @param certificates certificates from cmsSignedData + * @return List + */ + public static List certStoreToCertList(Store certificates) { + String errorMsg = "Verify failed, not found cert chain"; + JcaX509CertificateConverter converter = new JcaX509CertificateConverter(); + ValidateUtils.throwIfMatches(certificates == null, ERROR.VERIFY_ERROR, errorMsg); + Collection matches = certificates.getMatches(null); + ValidateUtils.throwIfMatches(matches == null || !matches.iterator().hasNext(), + ERROR.VERIFY_ERROR, errorMsg); + + List certificateList = new ArrayList<>(); + Iterator iterator = matches.iterator(); + try { + while (iterator.hasNext()) { + X509CertificateHolder next = iterator.next(); + certificateList.add(converter.getCertificate(next)); + } + } catch (CertificateException exception) { + LOGGER.debug(exception.getMessage(), exception); + CustomException.throwException(ERROR.VERIFY_ERROR, errorMsg); + } + ValidateUtils.throwIfMatches(certificateList.size() == 0, ERROR.VERIFY_ERROR, errorMsg); + return 
certificateList; + } + /** * verify p7b content. * 
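Review bot: The Javadoc on `verifySignature` mislabels its parameters: `cert` is an X.509 certificate rather than a bare public key, `signedData` is the signature value being checked, and `unsignedData` is the data that was signed. Suggested wording: `@param cert certificate whose public key checks the signature`, `@param signedData signature bytes to verify`, `@param unsignedData data the signature was computed over`, plus a sentence that a mismatch or crypto error is raised as `ERROR.SIGN_ERROR`. The method only proves that the key in `cert` matches the signature and does not check the certificate's validity period or chain, which should be stated so callers do not treat it as a trust decision. In `certStoreToCertList`, a `CertificateException` from the converter is reported with the generic "not found cert chain" message, which hides that a certificate was present but could not be parsed.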
@@ -66,41 +129,39 @@ public class VerifyHelper implements IProvisionVerifier { try { CMSSignedData cmsSignedData = this.verifyPkcs(p7b); + List certificates = certStoreToCertList(cmsSignedData.getCertificates()); + CertUtils.sortCertificateChain(certificates); + + SignerInformationStore signerInfos = cmsSignedData.getSignerInfos(); + Collection signers = signerInfos.getSigners(); + + for (SignerInformation signer : signers) { + SignerId sid = signer.getSID(); + X500Principal principal = new X500Principal(sid.getIssuer().getEncoded()); + CertChainUtils.verifyCertChain(certificates, principal, sid.getSerialNumber(), + certificates.get(certificates.size() - 1)); + } + result.setContent(FileUtils.GSON.fromJson(new String((byte[]) (cmsSignedData .getSignedContent().getContent()), StandardCharsets.UTF_8), Provision.class)); result.setMessage("OK"); result.setVerifiedPassed(true); return result; - } catch (CustomException exception) { + } catch (CustomException | IOException exception) { LOGGER.debug(exception.getMessage(), exception); - result.setMessage("Failed to verify provision" + exception.getMessage()); + result.setMessage(exception.getMessage()); result.setVerifiedPassed(false); return result; } } - @SuppressWarnings("unchecked") CMSSignedData verifyPkcs(byte[] p7b) { CMSSignedData cmsSignedData = null; try { cmsSignedData = new CMSSignedData(p7b); - Store store = cmsSignedData.getCertificates(); - cmsSignedData.verifySignatures((SignerId sid) -> { - Collection collection = - (Collection) store.getMatches(sid); - ValidateUtils.throwIfNotMatches(collection != null && collection.size() == 1, ERROR.VERIFY_ERROR, - "No matched cert or more than one matched certs: " + collection); - X509CertificateHolder cert = collection.iterator().next(); - SignerInformationVerifier signInfoVerifier = null; - try { - signInfoVerifier = (new JcaSimpleSignerInfoVerifierBuilder()).setProvider("BC").build(cert); - } catch (CertificateException exception) { - 
LOGGER.debug(exception.getMessage(), exception); - CustomException.throwException(ERROR.VERIFY_ERROR, "Failed to verify BC signatures: " - + exception.getMessage()); - } - return signInfoVerifier; - }); + boolean verifyResult = VerifyUtils.verifyCmsSignedData(cmsSignedData); + ValidateUtils.throwIfNotMatches(verifyResult, ERROR.VERIFY_ERROR, + "Failed to verify BC signatures"); return cmsSignedData; } catch (CMSException exception) { LOGGER.debug(exception.getMessage(), exception); diff --git a/hapsigntool/hap_sign_tool_lib/src/main/java/com/ohos/hapsigntool/utils/CertChainUtils.java b/hapsigntool/hap_sign_tool_lib/src/main/java/com/ohos/hapsigntool/utils/CertChainUtils.java new file mode 100644 index 0000000000000000000000000000000000000000..84135e8301ddb105597b5a6f1c55c10fb99b06e2 --- /dev/null +++ b/hapsigntool/hap_sign_tool_lib/src/main/java/com/ohos/hapsigntool/utils/CertChainUtils.java 
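Review bot: `verify` passes `certificates.get(certificates.size() - 1)`, the last certificate found inside the p7b under test, to `CertChainUtils.verifyCertChain` as the trusted root, so the chain is only validated against itself. Unless `VerifyUtils.verifyCmsSignedData` (not shown) pins a known root, a profile whose bundled chain ends in an arbitrary self-issued certificate would still get `setVerifiedPassed(true)`; the anchor should come from a trust store the tool controls, or be compared against known root fingerprints, before the result is reported as verified. Two smaller gaps in the same block: when `getSigners()` is empty the loop never runs and no chain check happens, and `getSignedContent()` is dereferenced without a null check, which would be an uncaught `NullPointerException` for a detached signature. Dropping the "Failed to verify provision" prefix from the result message also makes failures harder to attribute.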
@@ -0,0 +1,123 @@
+/*
+ * Copyright (c) 2021-2022 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.ohos.hapsigntool.utils;
+
+import com.ohos.hapsigntool.error.CustomException;
+import com.ohos.hapsigntool.error.ERROR;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+
+import javax.security.auth.x500.X500Principal;
+import java.io.IOException;
+import java.math.BigInteger;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertPath;
+import java.security.cert.CertPathBuilder;
+import java.security.cert.CertPathBuilderException;
+import java.security.cert.CertPathValidator;
+import java.security.cert.CertPathValidatorException;
+import java.security.cert.CertPathValidatorResult;
+import java.security.cert.CertStore;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.CollectionCertStoreParameters;
+import java.security.cert.PKIXBuilderParameters;
+import java.security.cert.PKIXCertPathBuilderResult;
+import java.security.cert.PKIXCertPathValidatorResult;
+import java.security.cert.PKIXParameters;
+import java.security.cert.X509CertSelector;
+import java.security.cert.X509Certificate;
+import java.time.LocalDateTime;
+import java.time.ZoneId;
+import java.util.Base64;
+import java.util.Date;
+import java.util.List;
+
+/**
+ * Check cert list is cert chain.
+ */
+public class CertChainUtils {
+
+ private static final Logger LOGGER = LogManager.getLogger(CertUtils.class);
+
+ private CertChainUtils() {
+ }
+
+ private static CertPath getCertPath(List certificates, KeyStore trustStore, X500Principal issuer,
+ BigInteger serial) throws KeyStoreException, InvalidAlgorithmParameterException,
+ NoSuchAlgorithmException, CertPathBuilderException, CertificateException {
+ if (certificates.size() != 1 && (issuer != null || serial != null)) {
+ X509CertSelector targetCertSelector = new X509CertSelector();
+ targetCertSelector.setIssuer(issuer);
+ targetCertSelector.setSerialNumber(serial);
+ PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, targetCertSelector);
+ CertStore certStore = CertStore.getInstance("Collection",
+ new CollectionCertStoreParameters(certificates));
+ params.addCertStore(certStore);
+ params.setDate(Date.from(LocalDateTime.now().atZone(ZoneId.systemDefault()).toInstant()));
+ params.setRevocationEnabled(false);
+ CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX");
+ PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult) certPathBuilder.build(params);
+ return result.getCertPath();
+ } else {
+ CertificateFactory factory = CertificateFactory.getInstance("X.509");
+ return factory.generateCertPath(certificates);
+ }
+ }
+
+
+ /**
+ * Check cert list is cert chain.
+ *
+ * @param certificates cert list to be verified
+ * @param issuer issuer
+ * @param serial serial number
+ * @param root root cert
+ */
+ public static void verifyCertChain(List certificates, X500Principal issuer, BigInteger serial,
+ X509Certificate root) {
+ try {
+ KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
+ trustStore.load(null, null);
+ trustStore.setCertificateEntry("root", root);
+ CertPath certPath = getCertPath(certificates, trustStore, issuer, serial);
+ PKIXParameters params = new PKIXParameters(trustStore);
+ params.setRevocationEnabled(false);
+ params.setDate(Date.from(LocalDateTime.now().atZone(ZoneId.systemDefault()).toInstant()));
+ CertStore certStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters());
+ params.addCertStore(certStore);
+ CertPathValidator validator = CertPathValidator.getInstance("PKIX");
+ CertPathValidatorResult validatorResult = validator.validate(certPath, params);
+ ValidateUtils.throwIfNotMatches(validatorResult instanceof PKIXCertPathValidatorResult,
+ ERROR.VERIFY_ERROR, "Validator result not target type");
+ if (validatorResult instanceof PKIXCertPathValidatorResult) {
+ PKIXCertPathValidatorResult pkixValidatorResult = (PKIXCertPathValidatorResult) validatorResult;
+ ValidateUtils.throwIfNotMatches(params.getTrustAnchors().contains(pkixValidatorResult.getTrustAnchor()),
+ ERROR.VERIFY_ERROR, "Anchor is not trusted: " + Base64.getEncoder().encodeToString(
+ pkixValidatorResult.getTrustAnchor().getTrustedCert().getEncoded()));
+ } else {
+ CustomException.throwException(ERROR.VERIFY_ERROR, "Validator result not target type");
+ }
+ } catch (InvalidAlgorithmParameterException | NoSuchAlgorithmException | IOException | CertificateException
+ | KeyStoreException | CertPathBuilderException | CertPathValidatorException exception) {
+ LOGGER.debug(exception.getMessage(), exception);
+ CustomException.throwException(ERROR.VERIFY_ERROR, "Failed to verify signature: " +
exception.getMessage()); + } + } +} diff --git a/hapsigntool/hap_sign_tool_lib/src/main/java/com/ohos/hapsigntool/utils/CertUtils.java b/hapsigntool/hap_sign_tool_lib/src/main/java/com/ohos/hapsigntool/utils/CertUtils.java index 267c6f53794a528e02403391c2a6603c6aa72d24..dcff2274f2284fe34952d354142dd30968f89b84 100644 --- a/hapsigntool/hap_sign_tool_lib/src/main/java/com/ohos/hapsigntool/utils/CertUtils.java +++ b/hapsigntool/hap_sign_tool_lib/src/main/java/com/ohos/hapsigntool/utils/CertUtils.java @@ -15,15 +15,11 @@ package com.ohos.hapsigntool.utils; -import com.google.gson.Gson; import com.ohos.hapsigntool.error.CustomException; import com.ohos.hapsigntool.error.ERROR; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; -import org.bouncycastle.asn1.ASN1ObjectIdentifier; import org.bouncycastle.asn1.x500.X500Name; -import org.bouncycastle.asn1.x500.X500NameBuilder; -import org.bouncycastle.asn1.x500.style.BCStyle; import org.bouncycastle.asn1.x509.KeyPurposeId; import org.bouncycastle.asn1.x509.KeyUsage; import org.bouncycastle.util.io.pem.PemObject; @@ -45,9 +41,7 @@ import java.security.cert.X509CRL; import java.security.cert.X509Certificate; import java.util.ArrayList; import java.util.Collections; -import java.util.HashMap; import java.util.List; -import java.util.Map; /** * Cert Usage Util. 
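Review bot: `verifyCertChain` treats its `root` argument as the sole trust anchor and disables revocation checking (`setRevocationEnabled(false)` in both `getCertPath` and `verifyCertChain`), yet the Javadoc says only "root cert". It should state that `root` must come from a trusted source, that no CRL/OCSP check is performed, and that failures are raised as `ERROR.VERIFY_ERROR`. Because the trust store contains only `root`, the later `params.getTrustAnchors().contains(...)` test is effectively always true and the `instanceof` test is done twice, so that block can be reduced to the single type check. The logger is created with `LogManager.getLogger(CertUtils.class)` and should be `LogManager.getLogger(CertChainUtils.class)` so log lines are attributed to this class. `Date.from(LocalDateTime.now().atZone(ZoneId.systemDefault()).toInstant())` is equivalent to `new Date()`.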
@@ -147,31 +141,36 @@ public final class CertUtils { return ids.toArray(new KeyPurposeId[]{}); } - @SuppressWarnings("unchecked") public static X500Name buildDN(String nameString) { - ValidateUtils.throwIfNotMatches(!StringUtils.isEmpty(nameString), ERROR.COMMAND_ERROR, ""); - - String gsonStr = nameString.replace(",", "\",\""); - gsonStr = "{\"" + gsonStr.replace("=", "\":\"") + "\"}"; - - X500NameBuilder builder = new X500NameBuilder(); - HashMap map = FileUtils.GSON.fromJson(gsonStr, HashMap.class); + checkDN(nameString); + X500Name dn = null; + try { + dn = new X500Name(nameString); + } catch (IllegalArgumentException | IndexOutOfBoundsException exception) { + LOGGER.debug(exception.getMessage(), exception); + CustomException.throwException(ERROR.COMMAND_ERROR, + String.format("Error params near: %s. Reason: %s", nameString, exception.getMessage())); + } + return dn; + } - BCStyle x500NameStyle = (BCStyle) BCStyle.INSTANCE; - for (Map.Entry entry : map.entrySet()) { - if (StringUtils.isEmpty(entry.getKey()) || StringUtils.isEmpty(entry.getValue())) { - continue; - } - try { - ASN1ObjectIdentifier oid = x500NameStyle.attrNameToOID(entry.getKey().trim()); - builder.addRDN(oid, entry.getValue()); - } catch (IllegalArgumentException | IndexOutOfBoundsException exception) { - LOGGER.debug(exception.getMessage(), exception); - CustomException.throwException(ERROR.COMMAND_ERROR, - String.format("Error params near: %s. Reason: %s", nameString, exception.getMessage())); - } + /** + * To verify the format of subject or issuer. + * Refer to X500NameStyle.fromString(). 
+ * + * @param nameString subject or issuer + */ + private static void checkDN(String nameString) { + String errorMsg = String.format("Format error, must be \"X=xx,XX=xxx,...\", please check: \"%s\"", nameString); + ValidateUtils.throwIfNotMatches(!StringUtils.isEmpty(nameString), ERROR.COMMAND_ERROR, errorMsg); + String[] pairs = nameString.split(","); + for (String pair : pairs) { + ValidateUtils.throwIfNotMatches(!StringUtils.isEmpty(nameString.trim()), ERROR.COMMAND_ERROR, errorMsg); + String[] kvPair = pair.split("="); + ValidateUtils.throwIfNotMatches(kvPair.length == SECOND_INDEX, ERROR.COMMAND_ERROR, errorMsg); + // Key will be checked in X500NameStyle.attrNameToOID + ValidateUtils.throwIfNotMatches(!StringUtils.isEmpty(kvPair[1].trim()), ERROR.COMMAND_ERROR, errorMsg); } - return builder.build(); } /** @@ -265,7 +264,12 @@ public final class CertUtils { return certificates; } - private static void sortCertificateChain(List certificates) { + /** + * Sort cert chain to sign cert, sub cert, root cert + * + * @param certificates cert chain + */ + public static void sortCertificateChain(List certificates) { if (certificates != null && certificates.size() > 1) { int size = certificates.size(); X500Principal lastSubjectX500Principal = (certificates.get(size - 1)).getSubjectX500Principal(); diff --git a/hapsigntool/hap_sign_tool_lib/src/main/java/com/ohos/hapsigntool/utils/ProfileUtils.java b/hapsigntool/hap_sign_tool_lib/src/main/java/com/ohos/hapsigntool/utils/ProfileUtils.java new file mode 100644 index 0000000000000000000000000000000000000000..0eef37b9c03a6255ca6ddad5f6023c0d5c6b3b4a --- /dev/null +++ b/hapsigntool/hap_sign_tool_lib/src/main/java/com/ohos/hapsigntool/utils/ProfileUtils.java 
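Review bot: Inside the loop in `checkDN`, the first check tests `nameString.trim()` instead of the current `pair`, so it only repeats the check made before the loop and never looks at the individual segment. It should read `ValidateUtils.throwIfNotMatches(!StringUtils.isEmpty(pair.trim()), ERROR.COMMAND_ERROR, errorMsg);`. The next line compares `kvPair.length` with `SECOND_INDEX`, a constant defined outside the hunk; since `kvPair[1]` is read right after, confirm its value is 2 and consider a constant named for a length rather than an index. Splitting on raw `,` and `=` also rejects distinguished names whose values contain an escaped comma or `=`, which `new X500Name(nameString)` would presumably accept on its own; if that restriction is intended, say so in the Javadoc.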
@@ -0,0 +1,44 @@
+/*
+ * Copyright (c) 2021-2022 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.ohos.hapsigntool.utils;
+
+import com.ohos.hapsigntool.profile.model.Provision;
+
+import java.io.File;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+
+/**
+ * Utils to process provision profile
+ */
+public class ProfileUtils {
+
+ private ProfileUtils() {
+ }
+
+ /**
+ * Get provision content.
+ *
+ * @param input input provision profile
+ * @return file data
+ */
+ public static byte[] getProvisionContent(File input) throws IOException {
+ byte[] bytes = FileUtils.readFile(input);
+ Provision provision = FileUtils.GSON.fromJson(new String(bytes, StandardCharsets.UTF_8), Provision.class);
+ Provision.enforceValid(provision);
+ return FileUtils.GSON.toJson(provision).getBytes(StandardCharsets.UTF_8);
+ }
+}
diff --git a/hapsigntool/hap_sign_tool_lib/src/test/java/com/ohos/hapsigntool/CertTest.java b/hapsigntool/hap_sign_tool_lib/src/test/java/com/ohos/hapsigntool/CertTest.java
index a37ae857eaa30c5b2d36d18f7f4f07e85e4f6bf9..f7771f9deb4f2768c4d7925d7aaf190994bc53f9 100644
--- a/hapsigntool/hap_sign_tool_lib/src/test/java/com/ohos/hapsigntool/CertTest.java
+++ b/hapsigntool/hap_sign_tool_lib/src/test/java/com/ohos/hapsigntool/CertTest.java
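Review bot: The Javadoc on `ProfileUtils.getProvisionContent` says it returns "file data", but the method returns the profile re-serialised through Gson after `Provision.enforceValid`, so the bytes that get signed can differ from the bytes on disk (any JSON members that `Provision` does not model would presumably be dropped). Suggested wording: `@return UTF-8 JSON of the validated Provision object, re-serialised from the input file (not the raw file bytes)` and `@throws IOException if the file cannot be read`. `FileUtils.GSON.fromJson` can return null for empty input and throws an unchecked exception on malformed JSON; whether `enforceValid` handles a null argument is not visible here, so an explicit null check with a clear error before it would be safer. The utility class could also be declared `final`, matching `CertUtils` and `KeyPairTools`.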
@@ -206,17 +206,12 @@ public class CertTest { public void testCsrTemplate() { X500Name name = new X500Name(APP1_RELEASE); byte[] csr = generateCsrParameters(name); + assertNotNull(csr); + assertTrue(csr.length > 0); String csrTemplate = CertUtils.toCsrTemplate(csr); assertNotNull(csrTemplate); assertTrue(csrTemplate.startsWith("-----BEGIN NEW CERTIFICATE REQUEST-----\n")); assertTrue(csrTemplate.endsWith("\n-----END NEW CERTIFICATE REQUEST-----\n")); - - try { - csrTemplate = CertUtils.toCsrTemplate(null); - assertNull(csrTemplate); - } catch (Exception exception) { - logger.info(exception, () -> exception.getMessage()); - } } private byte[] generateCsrParameters(X500Name name) { diff --git a/hapsigntool/hap_sign_tool_lib/src/test/java/com/ohos/hapsigntool/ProfileTest.java b/hapsigntool/hap_sign_tool_lib/src/test/java/com/ohos/hapsigntool/ProfileTest.java index fffaa6b5371ac3a86f083af5a4eed5a70b10f8b1..f63b5df6d2cca889de11ce07d3ee0738c4de3c96 100644 --- a/hapsigntool/hap_sign_tool_lib/src/test/java/com/ohos/hapsigntool/ProfileTest.java +++ b/hapsigntool/hap_sign_tool_lib/src/test/java/com/ohos/hapsigntool/ProfileTest.java @@ -18,11 +18,13 @@ package com.ohos.hapsigntool; import com.ohos.hapsigntool.api.LocalizationAdapter; import com.ohos.hapsigntool.api.model.Options; import com.ohos.hapsigntool.key.KeyPairTools; -import com.ohos.hapsigntool.keystore.KeyStoreHelper; import com.ohos.hapsigntool.profile.ProfileSignTool; import com.ohos.hapsigntool.profile.VerifyHelper; import com.ohos.hapsigntool.profile.model.VerificationResult; +import com.ohos.hapsigntool.signer.ISigner; +import com.ohos.hapsigntool.signer.LocalSigner; import com.ohos.hapsigntool.utils.FileUtils; +import com.ohos.hapsigntool.utils.ProfileUtils; import org.bouncycastle.jce.provider.BouncyCastleProvider; import org.junit.jupiter.api.Test; import org.junit.platform.commons.logging.Logger; 
@@ -31,14 +33,16 @@ import org.junit.platform.commons.logging.LoggerFactory; import java.io.File; import java.io.IOException; import java.io.InputStream; +import java.nio.charset.StandardCharsets; import java.nio.file.Files; import java.nio.file.Path; import java.nio.file.Paths; -import java.security.KeyPair; +import java.security.PrivateKey; import java.security.Security; import static org.junit.jupiter.api.Assertions.assertFalse; import static org.junit.jupiter.api.Assertions.assertTrue; +import static org.junit.jupiter.api.Assertions.assertNotNull; /** * ProfileTest. @@ -47,9 +51,9 @@ import static org.junit.jupiter.api.Assertions.assertTrue; */ public class ProfileTest { /** - * Add log info. + * Params SHA256withRSA. */ - private final Logger logger = LoggerFactory.getLogger(ProfileTest.class); + public static final String SHA_256_WITH_ECC = "SHA256withECDSA"; /** * Output the signed ProvisionProfile file in p7b format. */ @@ -57,11 +61,11 @@ public class ProfileTest { /** * Keystore file in JKS or P12 format. */ - private static final String KEY_STORE_PATH = "test_keypair.jks"; + private static final String KEY_STORE_PATH = "test-keystore.jks"; /** * Key alias. */ - private static final String KEY_ALIAS = "oh-app1-key-v1"; + private static final String KEY_ALIAS = "oh-profile1-key-v1"; /** * Key pwd and keystore pwd. */ @@ -73,7 +77,7 @@ public class ProfileTest { /** * Profile signing certificate. */ - private static final String CERT_PATH = "test_profile_cert.cer"; + private static final String CERT_PATH = "test-profile-cert.cer"; /** * Mode is localSign. */ 
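Review bot: In the `@@ -47,9 +51,9 @@` hunk the comment "Params SHA256withRSA." now sits above `SHA_256_WITH_ECC = "SHA256withECDSA"`, so the comment names a different algorithm from the one the constant holds. It should read `Params SHA256withECDSA.`; unless other test classes reference the constant, it can also be `private` like the neighbouring fields.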
@@ -82,21 +86,30 @@ public class ProfileTest { * Mode is remoteSign. */ private static final String REMOTE_SIGN = "remoteSign"; + /** - * Params SHA256withRSA. + * Test error profile content. */ - public static final String SHA_256_WITH_RSA = "SHA256withRSA"; + private static final String ERROR_PROFILE_CONTENT = "mnbvcxzlkjhgfdsapoiuytrewq"; + + private static final String PRIVATE_KEY_STR = "ME4CAQAwEAYHKoZIzj0CAQYFK4EEACIENzA1AgEBBDDave+tlNDdIlc0HsRKe" + + "Wbhcj3BVUmKRoHtz51waRY4K5+SrHpD2GVZHD+2EeZ135A="; static { Security.addProvider(new BouncyCastleProvider()); } + /** + * Add log info. + */ + private final Logger logger = LoggerFactory.getLogger(ProfileTest.class); + @Test public void testProfile() throws IOException { try { Options options = new Options(); LocalizationAdapter adapter = new LocalizationAdapter(options); - byte[] provisionContent = ProfileSignTool.getProvisionContent(new File(adapter.getInFile())); + byte[] provisionContent = ProfileUtils.getProvisionContent(new File(adapter.getInFile())); byte[] p7b = ProfileSignTool.generateP7b(adapter, provisionContent); FileUtils.write(p7b, new File(adapter.getOutFile())); assertFalse(FileUtils.isFileExist(OUT_PATH)); 
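Review bot: `PRIVATE_KEY_STR` puts what looks like a Base64-encoded PKCS#8 EC private key into test source with no Javadoc, unlike the constants around it. Add a comment that marks it as a throwaway fixture, e.g. `/** Test-only EC private key (Base64); presumably pairs with the leaf certificate in test-profile-cert.cer. Never use outside unit tests. */`. Because the key is public once committed, nothing signed with it or chaining to the test certificates should be accepted by a production trust store, and the fixture should be allow-listed in secret scanning rather than left to raise recurring alerts. Generating the key pair and certificate chain during test setup would avoid committing key material at all.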
@@ -106,24 +119,22 @@ public class ProfileTest {
 loadFile(IN_FILE_PATH);
 loadFile(CERT_PATH);
 deleteFile(OUT_PATH);
- deleteFile(KEY_STORE_PATH);
- KeyPair keyPair = KeyPairTools.generateKeyPair(KeyPairTools.RSA, KeyPairTools.RSA_2048);
- KeyStoreHelper keyStoreHelper = new KeyStoreHelper(KEY_STORE_PATH, PWD.toCharArray());
- keyStoreHelper.store(KEY_ALIAS, PWD.toCharArray(), keyPair, null);
 Options options = new Options();
 putParams(options);
 LocalizationAdapter adapter = new LocalizationAdapter(options);
- byte[] provisionContent = ProfileSignTool.getProvisionContent(new File(adapter.getInFile()));
- byte[] p7b = ProfileSignTool.generateP7b(adapter, provisionContent);
- FileUtils.write(p7b, new File(adapter.getOutFile()));
- assertTrue(FileUtils.isFileExist(OUT_PATH));
+ byte[] provisionContent = ProfileUtils.getProvisionContent(new File(adapter.getInFile()));
+ PrivateKey privateKey = KeyPairTools.stringToPrivateKey(KeyPairTools.ECC, PRIVATE_KEY_STR);
+ ISigner signer = new LocalSigner(privateKey, adapter.getSignCertChain());
+ byte[] p7b = ProfileSignTool.signProfile(provisionContent, signer, adapter.getSignAlg());
+ assertNotNull(p7b);
 VerifyHelper verifyHelper = new VerifyHelper();
 VerificationResult verificationResult = verifyHelper.verify(p7b);
 assertTrue(verificationResult.isVerifiedPassed());
+
 try {
 options.put(Options.MODE, REMOTE_SIGN);
 adapter = new LocalizationAdapter(options);
- provisionContent = ProfileSignTool.getProvisionContent(new File(adapter.getInFile()));
+ provisionContent = ProfileUtils.getProvisionContent(new File(adapter.getInFile()));
 p7b = ProfileSignTool.generateP7b(adapter, provisionContent);
 FileUtils.write(p7b, new File(adapter.getOutFile()));
 assertTrue(FileUtils.isFileExist(OUT_PATH));
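Review bot: The positive path now passes only while the committed chain in `test-profile-cert.cer` and the fixed `PRIVATE_KEY_STR` stay valid together, since `assertTrue(verificationResult.isVerifiedPassed())` verifies a signature made with them. The certificates in that fixture appear to carry a one-year validity window, so if `VerifyHelper.verify` checks validity dates (not visible here) this assertion will start failing when the chain expires. Either build the key pair and chain in test setup, or add a comment next to the signing lines such as `// Fixture chain is time-limited; regenerate test-profile-cert.cer and PRIVATE_KEY_STR together before it expires.` The enclosing test method starts and ends outside this hunk.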
@@ -131,7 +142,7 @@ public class ProfileTest {
 logger.info(exception, () -> exception.getMessage());
 }
 try {
- verificationResult = verifyHelper.verify(null);
+ verificationResult = verifyHelper.verify(ERROR_PROFILE_CONTENT.getBytes(StandardCharsets.UTF_8));
 assertFalse(verificationResult.isVerifiedPassed());
 } catch (Exception exception) {
 logger.info(exception, () -> exception.getMessage());
@@ -153,7 +164,7 @@ public class ProfileTest {
 options.put(Options.MODE, LOCAL_SIGN);
 options.put(Options.PROFILE_CERT_FILE, CERT_PATH);
 options.put(Options.IN_FILE, IN_FILE_PATH);
- options.put(Options.SIGN_ALG, SHA_256_WITH_RSA);
+ options.put(Options.SIGN_ALG, SHA_256_WITH_ECC);
 options.put(Options.KEY_STORE_FILE, KEY_STORE_PATH);
 options.put(Options.KEY_STORE_RIGHTS, PWD.toCharArray());
 options.put(Options.OUT_FILE, OUT_PATH);
diff --git a/hapsigntool/hap_sign_tool_lib/src/test/resources/app-sign-srv-ca.cer b/hapsigntool/hap_sign_tool_lib/src/test/resources/app-sign-srv-ca.cer
deleted file mode 100644
index 63c8efbf8f1bfae1d19194b0647ff9b8888ae8bb..0000000000000000000000000000000000000000
--- a/hapsigntool/hap_sign_tool_lib/src/test/resources/app-sign-srv-ca.cer
+++ /dev/null
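Review bot: In the `@@ -131,7 +142,7 @@` hunk the malformed-input check can pass without asserting anything: if `verifyHelper.verify(...)` throws on `ERROR_PROFILE_CONTENT`, the surrounding `catch (Exception exception)` only logs and `assertFalse` is never reached. For a signature verifier the fail-closed result on garbage input is the behaviour worth pinning, so take the call out of the try/catch: `VerificationResult bad = verifyHelper.verify(ERROR_PROFILE_CONTENT.getBytes(StandardCharsets.UTF_8));` followed by `assertFalse(bad.isVerifiedPassed());`. If `verify` is meant to throw on unparsable input instead, assert that with `assertThrows`; which of the two is intended is not visible in this diff. The enclosing method starts outside the hunk.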
@@ -1,22 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDqTCCApGgAwIBAgIFAJJiSpAwDQYJKoZIhvcNAQEMBQAwVTELMAkGA1UEBhMC -Q04xHjAcBgNVBAsMFU9wZW5IYXJtb255IENvbW11bml0eTEQMA4GA1UEAwwHUm9v -dCBDQTEUMBIGA1UECgwLT3Blbkhhcm1vbnkwHhcNMjIwMTA0MTIwMTU3WhcNMjMw -MTA0MTIwMTU3WjBvMQswCQYDVQQGEwJDTjEeMBwGA1UECwwVT3Blbkhhcm1vbnkg -Q29tbXVuaXR5MSowKAYDVQQDDCEgQXBwbGljYXRpb24gU2lnbmF0dXJlIFNlcnZp -Y2UgQ0ExFDASBgNVBAoMC09wZW5IYXJtb255MIIBIjANBgkqhkiG9w0BAQEFAAOC -AQ8AMIIBCgKCAQEAiCMs9n9z5GOAs/rt/sLX0oVY5dhLc9MutYgxXfnoLJsLH/Ex -9IoyH+HIAowsaoRg41s/6up8OIp01FYEAQ5/T/hVbNMjnXfgy6AZMIWU2LZrv5Bs -phEF08tfuy8Rfs3OAlFlvjKjyTDPW/pv6hgTTGOFdd4jw+D5YRsLfF50030X2wPg -BU0IHwcxoDWSrXYsXhBoFTR9rgv/fu38NSY9IL5tKM1BZDfoq6pkML0PalD5+EUo -8f/jl2RotGqZXfRsJHS15Lt6kIeHZ1LL/uIxVEYiX526vO6l9D0po6cah2P+VaCy -33QPs0bGDybC1GskmfYOpbKVUhAZSTAFHvWYWwIDAQABo2YwZDAdBgNVHQ4EFgQU -f9mJlQV0AmcywRSuaT+s9K3AnQgwHwYDVR0jBBgwFoAUYH4Ah5XEx7InOmRu+PiY -XVE6C3EwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZI -hvcNAQEMBQADggEBAFVdwa+aASKc3kVVgYSttYaC3pCw9Hw+93F2lPTndlOZdVwn -xJpdZU7E/FDkAZglE5SLjThCqBvyY0Ylzcvo8JKFXZVF6syZSxiQDayFmW/yUIfP -40BgPVka7JhznrPY1WQFsva+RKUxZafsXaP6+nnw6pvIbtTUaLIUJi2+KX/nl87d -gje5Muok/aQ9ALPJu4m3rbbnrsNm1VzszywygPnOAK8vlWwtxhLZeBK8SaRVhzbE -DkX3NTGhebFDZiOeExmzA5O3GvDkeLG7qaKzxVYkpoU3Mt8b6CUOJlW4NCp5odRt -HpUB2504/5zS5ciM7LYejJ4Q1ysmSmx8VRmDs94= ------END CERTIFICATE----- diff --git a/hapsigntool/hap_sign_tool_lib/src/test/resources/root-ca.cer b/hapsigntool/hap_sign_tool_lib/src/test/resources/root-ca.cer deleted file mode 100644 index f46bde79a144d4cd32e4a6c731c33694bcbd2991..0000000000000000000000000000000000000000 --- a/hapsigntool/hap_sign_tool_lib/src/test/resources/root-ca.cer +++ /dev/null 
@@ -1,21 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDbTCCAlWgAwIBAgIEBNIkszANBgkqhkiG9w0BAQwFADBVMQswCQYDVQQGEwJD -TjEeMBwGA1UECwwVT3Blbkhhcm1vbnkgQ29tbXVuaXR5MRAwDgYDVQQDDAdSb290 -IENBMRQwEgYDVQQKDAtPcGVuSGFybW9ueTAeFw0yMjAxMDQxMjAxMjNaFw0yMzAx -MDQxMjAxMjNaMFUxCzAJBgNVBAYTAkNOMR4wHAYDVQQLDBVPcGVuSGFybW9ueSBD -b21tdW5pdHkxEDAOBgNVBAMMB1Jvb3QgQ0ExFDASBgNVBAoMC09wZW5IYXJtb255 -MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqBa7pDeoRhPFqKGb5Ycc -mZpTnqFiFY7RFjGv+uot2pTX+72qp7v49kDcY5wEquo7p1TzoVOtttlWLzqR8elb -+w62bSxxCpgziN66Z/YoiigxcA5qoapOOd6cGrB24n16y4HnS9hY20RSAYHor7Ow -T7ZL6wZXud/n+L8BSTEnXS7bKYZ6o3FXVlBYcOInlVYYBwyie035DYNpvsZROppY -N3IpG/4/MKgZb3ydOo4Z8nnyt7yVvhC0FivLfXUfn/7mi9Ava1u1gldZFlpxaIdT -YNgmLcYq3RBFh/EV/Hnatn6r8022w1UrKNNt/NDiQXSHqvzxb7D1JVgb1XLAsHXQ -wwIDAQABo0UwQzAdBgNVHQ4EFgQUYH4Ah5XEx7InOmRu+PiYXVE6C3EwEgYDVR0T -AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQEMBQADggEB -AGmk+8GwSqOOt7qf8gjc2ewRRePjUh3HEeUCyE80mElj5CicHWt64jl/tEX6nFJJ -4jk0nygdmO9W3hCbBiyhDQUwIWInlMg9rUTL/DM7a2oUBcZSnSK4tTiWAYz5ZDmO -YWR6M8tcuftwENbeDa/OYiMp/jtOet+9z9JNHYietSDR9/H+qOAISSwhLP/1Y08n -F9orqCu91WbSf/o7CLwpC1GSJNeXE06704a2vrCbbe1Uw9hA2BaVaq4J+fjLhaLI -4UtE9edYQWdwnReyfWJw061wkCGLKmh+t8ZP2gxKBwrc1lXN+0oeJWR9J2zdWVPM -qhSTxnmY7iZj+bzgAJXDPPA= ------END CERTIFICATE----- diff --git a/hapsigntool/hap_sign_tool_lib/src/test/resources/test-profile-cert.cer b/hapsigntool/hap_sign_tool_lib/src/test/resources/test-profile-cert.cer new file mode 100644 index 0000000000000000000000000000000000000000..d60fbfee1217fbacc7e5acaf38ec386c6b74922c --- /dev/null +++ b/hapsigntool/hap_sign_tool_lib/src/test/resources/test-profile-cert.cer 
@@ -0,0 +1,42 @@ +-----BEGIN CERTIFICATE----- +MIICYzCCAemgAwIBAgIFANHjmCMwCgYIKoZIzj0EAwIwajELMAkGA1UEBhMCQ04x +FDASBgNVBAoMC09wZW5IYXJtb255MR4wHAYDVQQLDBVPcGVuSGFybW9ueSBDb21t +dW5pdHkxJTAjBgNVBAMMHFByb2ZpbGUgU2lnbmF0dXJlIFNlcnZpY2UgQ0EwHhcN +MjIwMTI3MDYyNTI4WhcNMjMwMTI3MDYyNTI4WjBeMQswCQYDVQQGEwJDTjEUMBIG +A1UECgwLT3Blbkhhcm1vbnkxHjAcBgNVBAsMFU9wZW5IYXJtb255IENvbW11bml0 +eTEZMBcGA1UEAwwQUHJvZmlsZTEgUmVsZWFzZTB2MBAGByqGSM49AgEGBSuBBAAi +A2IABCRWTi3FEtN5N4yUvAOuwfS5FWm9upUJJ2b5NHSYMI4Ki0oETuhdvUlPUzEV +4oPWJsN+uyKHc0QJ8V7Ie3wUY6b96b484XM8dn5itGKFxoXHFn0qB6d8O3IjqTWN +Whtmm6NrMGkwHQYDVR0OBBYEFIdFfrAddz3xKR7lFAzZMkSAPQSfMAkGA1UdEwQC +MAAwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMDMBgGDCsGAQQB +j1sCgngBAwQIMAYCAQEKAQEwCgYIKoZIzj0EAwIDaAAwZQIwSQI/LTC9A/1M9pyA +O6e9PnBYVOe/v6HQHVsxRW0quYOjwdmW1RMYnS0/IYtCATipAjEAlRCXD62L4JqK +v0iuuOQ93Z6yw4XOlS7aLf1mAzHg3+zDovDwT2KXYcP7liyk0eXL +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIICNTCCAdugAwIBAgIFANI3mFIwCgYIKoZIzj0EAwMwVTELMAkGA1UEBhMCQ04x +FDASBgNVBAoMC09wZW5IYXJtb255MR4wHAYDVQQLDBVPcGVuSGFybW9ueSBDb21t +dW5pdHkxEDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjIwMTI3MDYyNTIxWhcNMjMwMTI3 +MDYyNTIxWjBqMQswCQYDVQQGEwJDTjEUMBIGA1UECgwLT3Blbkhhcm1vbnkxHjAc +BgNVBAsMFU9wZW5IYXJtb255IENvbW11bml0eTElMCMGA1UEAwwcUHJvZmlsZSBT +aWduYXR1cmUgU2VydmljZSBDQTB2MBAGByqGSM49AgEGBSuBBAAiA2IABKxTieAz +OwMSZ94VZCRyDvb0/3JRFlCF6gQwglZdpKoYtV9c5ODk5guA1mF/DLm9y2UO5mVn +JbDz+5y9OP/Gz+8KdmYxwfJF3nkdbJhkkY+Aa2GFxDJKOB/p0DK2eNEbS6NmMGQw +HQYDVR0OBBYEFMrA5cub681AbkGKX9fEsU2BUI9mMB8GA1UdIwQYMBaAFFlHysOd +mKMM/4F2CJkrev0ne4dLMBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQD +AgEGMAoGCCqGSM49BAMDA0gAMEUCIDFGdXPqlG7ALOChqAdmy9dQC4lQxc0UQ3q6 +JU5uw/kYAiEAy8oua/ztyd8nFh3BFAuAaT/FuxPKg75OrInDUG3QjRg= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIB4TCCAYegAwIBAgIEIeaMJzAKBggqhkjOPQQDAzBVMQswCQYDVQQGEwJDTjEU +MBIGA1UECgwLT3Blbkhhcm1vbnkxHjAcBgNVBAsMFU9wZW5IYXJtb255IENvbW11 +bml0eTEQMA4GA1UEAwwHUm9vdCBDQTAeFw0yMjAxMjcwNjI1MTlaFw0yMzAxMjcw 
+NjI1MTlaMFUxCzAJBgNVBAYTAkNOMRQwEgYDVQQKDAtPcGVuSGFybW9ueTEeMBwG +A1UECwwVT3Blbkhhcm1vbnkgQ29tbXVuaXR5MRAwDgYDVQQDDAdSb290IENBMFkw +EwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEmU8fa61OuaaC6avKmgUcj3aeXacExj0K +jaSPx1hbk17lltn8ZymS2wNLqYZ5GYBEwPwyjq0gZ2JHATV0+4QYhKNFMEMwHQYD +VR0OBBYEFFlHysOdmKMM/4F2CJkrev0ne4dLMBIGA1UdEwEB/wQIMAYBAf8CAQAw +DgYDVR0PAQH/BAQDAgEGMAoGCCqGSM49BAMDA0gAMEUCIAJDOXqy2hlnOjR8UAEq +nXMJBhMIsWNlfm9GYRuuD8SvAiEA8l8u707ZpFT5yvtd7dkcvUB61K9y55LBf5Ct +lyh7zQI= +-----END CERTIFICATE----- diff --git a/hapsigntool/hap_sign_tool_lib/src/test/resources/test_profile_cert.cer b/hapsigntool/hap_sign_tool_lib/src/test/resources/test_profile_cert.cer deleted file mode 100644 index a7322f93272c5dacc77ad9a9cc221e091b69f66e..0000000000000000000000000000000000000000 --- a/hapsigntool/hap_sign_tool_lib/src/test/resources/test_profile_cert.cer +++ /dev/null 
@@ -1,65 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDbTCCAlWgAwIBAgIEBNIkszANBgkqhkiG9w0BAQwFADBVMQswCQYDVQQGEwJD -TjEeMBwGA1UECwwVT3Blbkhhcm1vbnkgQ29tbXVuaXR5MRAwDgYDVQQDDAdSb290 -IENBMRQwEgYDVQQKDAtPcGVuSGFybW9ueTAeFw0yMjAxMDQxMjAxMjNaFw0yMzAx -MDQxMjAxMjNaMFUxCzAJBgNVBAYTAkNOMR4wHAYDVQQLDBVPcGVuSGFybW9ueSBD -b21tdW5pdHkxEDAOBgNVBAMMB1Jvb3QgQ0ExFDASBgNVBAoMC09wZW5IYXJtb255 -MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqBa7pDeoRhPFqKGb5Ycc -mZpTnqFiFY7RFjGv+uot2pTX+72qp7v49kDcY5wEquo7p1TzoVOtttlWLzqR8elb -+w62bSxxCpgziN66Z/YoiigxcA5qoapOOd6cGrB24n16y4HnS9hY20RSAYHor7Ow -T7ZL6wZXud/n+L8BSTEnXS7bKYZ6o3FXVlBYcOInlVYYBwyie035DYNpvsZROppY -N3IpG/4/MKgZb3ydOo4Z8nnyt7yVvhC0FivLfXUfn/7mi9Ava1u1gldZFlpxaIdT -YNgmLcYq3RBFh/EV/Hnatn6r8022w1UrKNNt/NDiQXSHqvzxb7D1JVgb1XLAsHXQ -wwIDAQABo0UwQzAdBgNVHQ4EFgQUYH4Ah5XEx7InOmRu+PiYXVE6C3EwEgYDVR0T -AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQEMBQADggEB -AGmk+8GwSqOOt7qf8gjc2ewRRePjUh3HEeUCyE80mElj5CicHWt64jl/tEX6nFJJ -4jk0nygdmO9W3hCbBiyhDQUwIWInlMg9rUTL/DM7a2oUBcZSnSK4tTiWAYz5ZDmO -YWR6M8tcuftwENbeDa/OYiMp/jtOet+9z9JNHYietSDR9/H+qOAISSwhLP/1Y08n -F9orqCu91WbSf/o7CLwpC1GSJNeXE06704a2vrCbbe1Uw9hA2BaVaq4J+fjLhaLI -4UtE9edYQWdwnReyfWJw061wkCGLKmh+t8ZP2gxKBwrc1lXN+0oeJWR9J2zdWVPM -qhSTxnmY7iZj+bzgAJXDPPA= ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIDqTCCApGgAwIBAgIFAJJiSpAwDQYJKoZIhvcNAQEMBQAwVTELMAkGA1UEBhMC -Q04xHjAcBgNVBAsMFU9wZW5IYXJtb255IENvbW11bml0eTEQMA4GA1UEAwwHUm9v -dCBDQTEUMBIGA1UECgwLT3Blbkhhcm1vbnkwHhcNMjIwMTA0MTIwMTU3WhcNMjMw -MTA0MTIwMTU3WjBvMQswCQYDVQQGEwJDTjEeMBwGA1UECwwVT3Blbkhhcm1vbnkg -Q29tbXVuaXR5MSowKAYDVQQDDCEgQXBwbGljYXRpb24gU2lnbmF0dXJlIFNlcnZp -Y2UgQ0ExFDASBgNVBAoMC09wZW5IYXJtb255MIIBIjANBgkqhkiG9w0BAQEFAAOC -AQ8AMIIBCgKCAQEAiCMs9n9z5GOAs/rt/sLX0oVY5dhLc9MutYgxXfnoLJsLH/Ex -9IoyH+HIAowsaoRg41s/6up8OIp01FYEAQ5/T/hVbNMjnXfgy6AZMIWU2LZrv5Bs -phEF08tfuy8Rfs3OAlFlvjKjyTDPW/pv6hgTTGOFdd4jw+D5YRsLfF50030X2wPg -BU0IHwcxoDWSrXYsXhBoFTR9rgv/fu38NSY9IL5tKM1BZDfoq6pkML0PalD5+EUo 
-8f/jl2RotGqZXfRsJHS15Lt6kIeHZ1LL/uIxVEYiX526vO6l9D0po6cah2P+VaCy -33QPs0bGDybC1GskmfYOpbKVUhAZSTAFHvWYWwIDAQABo2YwZDAdBgNVHQ4EFgQU -f9mJlQV0AmcywRSuaT+s9K3AnQgwHwYDVR0jBBgwFoAUYH4Ah5XEx7InOmRu+PiY -XVE6C3EwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZI -hvcNAQEMBQADggEBAFVdwa+aASKc3kVVgYSttYaC3pCw9Hw+93F2lPTndlOZdVwn -xJpdZU7E/FDkAZglE5SLjThCqBvyY0Ylzcvo8JKFXZVF6syZSxiQDayFmW/yUIfP -40BgPVka7JhznrPY1WQFsva+RKUxZafsXaP6+nnw6pvIbtTUaLIUJi2+KX/nl87d -gje5Muok/aQ9ALPJu4m3rbbnrsNm1VzszywygPnOAK8vlWwtxhLZeBK8SaRVhzbE -DkX3NTGhebFDZiOeExmzA5O3GvDkeLG7qaKzxVYkpoU3Mt8b6CUOJlW4NCp5odRt -HpUB2504/5zS5ciM7LYejJ4Q1ysmSmx8VRmDs94= ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIDmDCCAoCgAwIBAgIFANEUD+8wDQYJKoZIhvcNAQELBQAwbjELMAkGA1UEBhMC -Q04xHjAcBgNVBAsMFU9wZW5IYXJtb255IENvbW11bml0eTEpMCcGA1UEAwwgQXBw -bGljYXRpb24gU2lnbmF0dXJlIFNlcnZpY2UgQ0ExFDASBgNVBAoMC09wZW5IYXJt -b255MB4XDTIyMDEwNDEyMDM1OFoXDTIzMDEwNDEyMDM1OFowWjELMAkGA1UEBhMC -Q04xHjAcBgNVBAsMFU9wZW5IYXJtb255IENvbW11bml0eTEVMBMGA1UEAwwMQXBw -MSBSZWxlYXNlMRQwEgYDVQQKDAtPcGVuSGFybW9ueTCCASIwDQYJKoZIhvcNAQEB -BQADggEPADCCAQoCggEBAJcB00Tgz1XUYG6508q2sskmxMz2ISJY1KSlFhaTgiBa -0NEWM/vtslgb0R+3YRvQe6x8CfXkNwQtwbooxtHZxnlGB2wezq48aNmPLxQj+pij -iw/OVV5HFrbRAnszGsGBZL71BjV30ntZ8uwLq+iTFtyG4SoRgMWm632t/U90ttD8 -0CITBFThF5DLnRLN4yR/FysfqggrSygj1USrkCJfYVBKIBz1oo0r5r1bXmTMQBtA -ZYv6ONPgZWSHwWpB0ZAQI/v2sBUhVufLJdzj0ckVLKznkHThpIGJ289IrM8a7C4b -hTIiXqdk2OWS4L28aHXCdpm1ugHctdmAPjP1MYjOYE8CAwEAAaNRME8wHQYDVR0O -BBYEFF9my7g4SO70qSORHAckxIHf7nbsMAkGA1UdEwQCMAAwDgYDVR0PAQH/BAQD -AgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMDMA0GCSqGSIb3DQEBCwUAA4IBAQBg970m -z07sOfZadyQV5bpfcpRrRL9872+f37A5tZIR6LOIIKg9457LrWmzb+ZiOgOEx+8j -2GpprWRMmxMZirFc6Jb88HcbBktiZXhvennHlXB+ZLp0ijWF3mU0KjTePtayd11H -pO9B8TIljbXoXagJQL0TIqHrq12hCMaDjt5BzB2ODtd4QCi5cY66A+L4nIQdomvj -LqIWVxBQ+hUHEVFcdFy3YLVKS7d6lP2TliGZ9ztrYh4Nv4BIfMhda91lOAmAy8I2 -leJTVGnQS4H1en4TWBG4UzGQ67M+nMyzRP3coSeP9twUzuoQOVAmOfeMvZMYdKHQ -0k6rWiZZdMPPyZQU ------END CERTIFICATE----- 
diff --git a/tools/auto_test.py b/tools/auto_test.py
index a5054dd6c0821771928d3f8d2f831a91f4da0c1e..fbfa53759e5bc24805118f7bcb3292465dc1b577 100644
--- a/tools/auto_test.py
+++ b/tools/auto_test.py
@@ -237,13 +237,13 @@ simple_scope = {
 '-subCaCertFile "./test1/profile-sign-srv-ca1.cer" -outForm certChain '
 '-rootCaCertFile "./test1/root-ca1.cer" -keyPwd 123456',
 # Profile sign cert via ohtest.p12
- 'generate-profile-cert -keyAlias "oh-app2-key-v1" -issuer "C=CN,O=OpenHarmony,OU=OpenHarmony Community,'
+ 'generate-profile-cert -keyAlias "oh-profile2-key-v1" -issuer "C=CN,O=OpenHarmony,OU=OpenHarmony Community,'
 'CN=Profile Signature Service CA" -issuerKeyAlias "oh-profile-sign-srv-ca2-key-v1" '
 '-subject "C=CN,O=OpenHarmony,OU=OpenHarmony Community,CN=Profile2 Release" '
 '-validity 365 -signAlg SHA256withECDSA -keystoreFile "./test2/ohtest.p12" '
 '-keystorePwd 123456 -outFile "./test2/profile2.cer" -keyPwd 123456 -outForm cert ',
 # Profile sign cert chain via ohtest.p12
- 'generate-profile-cert -keyAlias "oh-app2-key-v1" -issuer "C=CN,O=OpenHarmony,OU=OpenHarmony Community,'
+ 'generate-profile-cert -keyAlias "oh-profile2-key-v1" -issuer "C=CN,O=OpenHarmony,OU=OpenHarmony Community,'
 'CN=Profile Signature Service CA" -issuerKeyAlias "oh-profile-sign-srv-ca2-key-v1" '
 '-subject "C=CN,O=OpenHarmony,OU=OpenHarmony Community,CN=Profile2 Release" -validity 365 '
 '-signAlg SHA256withECDSA -keystoreFile "./test2/ohtest.p12" '
@@ -251,7 +251,7 @@ simple_scope = {
 '-outForm certChain -rootCaCertFile "./test2/root-ca2.cer" -keyPwd 123456'
 ],
 'sign-profile': [
- 'sign-profile -mode localSign -keyAlias "oh-app1-key-v1" -profileCertFile "./test1/profile-release1.pem" '
+ 'sign-profile -mode localSign -keyAlias "oh-profile1-key-v1" -profileCertFile "./test1/profile-release1.pem" '
 '-inFile "profile.json" -signAlg SHA256withECDSA -keystoreFile "./test1/ohtest.jks" -keystorePwd 123456 '
 '-outFile "./test1/app1-profile1.p7b" -keyPwd 123456'
 ],
diff --git a/tools/commands.config b/tools/commands.config index d768cc3f9030ad4b2577128a0441dd35980c5dac..885770032585d8f5abf9f9a069c7e86a1b5d366c 100644 --- a/tools/commands.config +++ b/tools/commands.config 
@@ -46,8 +46,8 @@ 'generate-ca -keyAlias "oh-profile-sign-srv-ca-key-v1" -keyPwd 123456 -keyAlg ECC -keySize NIST-P-256 -issuer "C=CN,O=OpenHarmony,OU=OpenHarmony Community,CN=Root CA" -issuerKeyAlias "oh-root-ca-key-v1" -issuerKeyPwd 123456 -subject "C=CN,O=OpenHarmony,OU=OpenHarmony Community,CN= Application Signature Service CA" -validity 365 -signAlg SHA256withECDSA -basicConstraintsPathLen 1 -keystoreFile "ohtest.jks" -keystorePwd 123456 -extCfgFile "111.txt" -outFile', 'generate-ca -keyAlias "oh-profile-sign-srv-ca-key-v1" -keyPwd 123456 -keyAlg ECC -keySize NIST-P-256 -issuer "C=CN,O=OpenHarmony,OU=OpenHarmony Community,CN=Root CA" -issuerKeyAlias "oh-root-ca-key-v1" -issuerKeyPwd 123456 -subject "C=CN,O=OpenHarmony,OU=OpenHarmony Community,CN= Application Signature Service CA" -validity 365 -signAlg SHA256withECDSA -basicConstraintsPathLen 1 -keystoreFile "ohtest.jks" -keystorePwd 123456 -extCfgFile "111.txt" -outFile "@#$%&"', 'generate-ca -keyAlias "oh-profile-sign-srv-ca-key-v1" -keyPwd 123456 -keyAlg ECC -keySize NIST-P-256 -issuer "C=CN,O=OpenHarmony,OU=OpenHarmony Community,CN=Root CA" -issuerKeyAlias "oh-root-ca-key-v1" -issuerKeyPwd 123456 -subject "C=CN,O=OpenHarmony,OU=OpenHarmony Community,CN= Application Signature Service CA" -validity 365 -signAlg SHA256withECDSA -basicConstraintsPathLen 1 -keystoreFile "ohtest.p12" -keystorePwd 123456 -extCfgFile "111.txt" -outFile "profile-sign-srv-ca.cer"', - 'generate-ca -keyAlias "oh-profile-sign-srv-ca-key-v1" -keyPwd 123456 -keyAlg ECC -keySize NIST-P-256 -issuer "C=CN,O=OpenHarmony,OU=OpenHarmony Community,CN=Root CA" -issuerKeyAlias "oh-root-ca-key-v1" -issuerKeyPwd 123456 -subject "C=CN,O=OpenHarmony,OU=OpenHarmony Community,CN= Application Signature Service CA" -validity 365 -signAlg SHA256withECDSA -basicConstraintsPathLen 1 -keystoreFile "ohtest.jks" -keystorePwd 123456 -outFile "profile-sign-srv-ca.cer"', - 'generate-ca -keyAlias "oh-profile-sign-srv-ca-key-v1" -keyPwd 123456 -keyAlg ECC -keySize 
NIST-P-256 -issuer "C=CN,O=OpenHarmony,OU=OpenHarmony Community,CN=Root CA" -issuerKeyAlias "oh-root-ca-key-v1" -issuerKeyPwd 123456 -subject "C=CN,O=OpenHarmony,OU=OpenHarmony Community,CN= Application Signature Service CA" -validity 365 -signAlg SHA256withECDSA -basicConstraintsPathLen 1 -keystoreFile "ohtest.jks" -keystorePwd 123456 -extCfgFile -outFile "profile-sign-srv-ca.cer"', + 'generate-ca -keyAlias "oh-profile-sign-srv-ca-key-v1" -keyPwd 123456 -keyAlg ECC -keySize NIST-P-256 -issuer "C=CN,O=OpenHarmony,OU=OpenHarmony Community,CN=Root CA" -issuerKeyAlias "oh-root-ca-key-v1" -issuerKeyPwd 123456 -subject "C=CN,O=OpenHarmony,OU=OpenHarmony Community,CN= profilelication Signature Service CA" -validity 365 -signAlg SHA256withECDSA -basicConstraintsPathLen 1 -keystoreFile "ohtest.jks" -keystorePwd 123456 -outFile "profile-sign-srv-ca.cer"', + 'generate-ca -keyAlias "oh-profile-sign-srv-ca-key-v1" -keyPwd 123456 -keyAlg ECC -keySize NIST-P-256 -issuer "C=CN,O=OpenHarmony,OU=OpenHarmony Community,CN=Root CA" -issuerKeyAlias "oh-root-ca-key-v1" -issuerKeyPwd 123456 -subject "C=CN,O=OpenHarmony,OU=OpenHarmony Community,CN= profilelication Signature Service CA" -validity 365 -signAlg SHA256withECDSA -basicConstraintsPathLen 1 -keystoreFile "ohtest.jks" -keystorePwd 123456 -extCfgFile -outFile "profile-sign-srv-ca.cer"', 'generate-cert -keyAlias "oh-app1-key-v1" -keyPwd 123456 -issuer "C=CN,O=OpenHarmony,OU=OpenHarmony Community,CN=Application Signature Service CA" -issuerKeyAlias "oh-root-ca-key-v1" -issuerKeyPwd 123456 -subject "C=CN,O=OpenHarmony,OU=OpenHarmony Community,CN=App1 Release" -validity 365 -keyUsage digitalSignature -keyUsageCritical true -extKeyUsage codeSignature -extKeyUsageCritical false -signAlg SHA256withECDSA -basicConstraints false -basicConstraintsCritical false -basicConstraintsCa false -basicConstraintsPathLen 0 -keystoreFile "ohtest.jks" -keystorePwd 123456 -outFile "app1.cer" -extCfgFile "111.txt"', 'generate-cert -keyAlias 
"oh-app1-key-v1" -keyPwd 123456 -issuer "C=CN,O=OpenHarmony,OU=OpenHarmony Community,CN=Application Signature Service CA" -issuerKeyAlias "oh-profile-sign-srv-ca-key-v1" -issuerKeyPwd 123456 -subject "C=CN,O=OpenHarmony,OU=OpenHarmony Community,CN=App1 Release" -validity 365 -keyUsage digitalSignature -keyUsageCritical true -extKeyUsage codeSignature -extKeyUsageCritical false -signAlg SHA256withECDSA -basicConstraints false -basicConstraintsCritical false -basicConstraintsCa false -basicConstraintsPathLen 0 -keystoreFile "ohtest.jks" -keystorePwd 123456 -outFile "app1.cer" -extCfgFile "111.txt"', 'generate-cert -keyAlias "oh-app1-key-v1" -keyPwd 123456 -issuer "C=CN,O=OpenHarmony,OU=OpenHarmony Community" -issuerKeyAlias "oh-profile-sign-srv-ca-key-v1" -issuerKeyPwd 123456 -subject "C=CN,O=OpenHarmony,OU=OpenHarmony Community,CN=App1 Release" -validity 365 -keyUsage digitalSignature -keyUsageCritical true -extKeyUsage codeSignature -extKeyUsageCritical false -signAlg SHA256withECDSA -basicConstraints false -basicConstraintsCritical false -basicConstraintsCa false -basicConstraintsPathLen 0 -keystoreFile "ohtest.jks" -keystorePwd 123456 -outFile "app1.cer" -extCfgFile "111.txt"', 
@@ -100,7 +100,7 @@ 'generate-profile-cert -keyAlias "oh-app1-key-v1" -keyPwd 123456 -issuer "C=CN,O=OpenHarmony,OU=OpenHarmony Community,CN=profilelication Signature Service CA" -issuerKeyAlias "oh-profile-sign-srv-ca-key-v1" -issuerKeyPwd 123456 -subject "C=CN,O=OpenHarmony,OU=OpenHarmony Community,CN=profile1 Debug" -validity 365 -signAlg SHA256withECDSA -keystoreFile "ohtest.p12" -keystorePwd 123456 -outForm -rootCaCertFile "root-ca1.cer" -subCaCertFile "profile-sign-srv-ca.cer" -outFile -extCfgFile "111.txt"', 'generate-profile-cert -keyAlias "oh-app1-key-v1" -keyPwd 123456 -issuer "C=CN,O=OpenHarmony,OU=OpenHarmony Community,CN=profilelication Signature Service CA" -issuerKeyAlias "oh-profile-sign-srv-ca-key-v1" -issuerKeyPwd 123456 -subject "C=CN,O=OpenHarmony,OU=OpenHarmony Community,CN=profile1 Debug" -validity 365 -signAlg SHA256withECDSA -keystoreFile "ohtest.p12" -keystorePwd 123456 -outForm certChain -rootCaCertFile "root-ca1.cer" -subCaCertFile "profile-sign-srv-ca.cer" -outFile -extCfgFile "111.txt"', 'generate-profile-cert -keyAlias "oh-app1-key-v1" -keyPwd 123456 -issuer "C=CN,O=OpenHarmony,OU=OpenHarmony Community,CN=profilelication Signature Service CA" -issuerKeyAlias "oh-profile-sign-srv-ca-key-v1" -issuerKeyPwd 123456 -subject "C=CN,O=OpenHarmony,OU=OpenHarmony Community,CN=profile1 Debug" -validity 365 -signAlg SHA256withECDSA -keystoreFile "ohtest.p12" -keystorePwd 123456 -outForm certChain -rootCaCertFile "root-ca1.cer" -subCaCertFile "profile-sign-srv-ca.cer" -extCfgFile "111.txt"', - 'generate-profile-cert -keyAlias "oh-app1-key-v1" -keyPwd 123456 -issuer "C=CN,O=OpenHarmony,OU=OpenHarmony Community,CN=profilelication Signature Service CA" -issuerKeyAlias "oh-profile-sign-srv-ca-key-v1" -issuerKeyPwd 123456 -subject "C=CN,O=OpenHarmony,OU=OpenHarmony Community,CN=profile1 Debug" -validity 365 -signAlg SHA256withECDSA -keystoreFile "ohtest.p12" -keystorePwd 123456 -outForm certChain -rootCaCertFile "root-ca1.cer" -subCaCertFile 
"profile-sign-srv-ca.cer" -outFile "profile-debug1.pem"', + 'generate-profile-cert -keyAlias "oh-app1-key-v1" -keyPwd 123456 -issuer "C=CN,O=OpenHarmony,OU=OpenHarmony Community,CN=profilelication Signature Service CA" -issuerKeyAlias "oh-profile-sign-srv-ca-key-v1" -issuerKeyPwd 123456 -subject "C=CN,O=OpenHarmony,OU=OpenHarmony Community,CN=profile1 Debug" -validity 365 -signAlg SHA256withECDSA -keystoreFile "ohtest.jks" -keystorePwd 123456 -outForm certChain -rootCaCertFile "root-ca1.cer" -subCaCertFile "profile-sign-srv-ca.cer" -outFile "profile-debug1.pem"', 'sign-profile -mode localSign -keyAlias "oh-app1-key-v1" -profileCertFile "profile-debug1.pem" -inFile "profile.json" -signAlg SHA256withECDSA -keystoreFile "ohtest.jks" -keystorePwd 123456 -outFile "app1-profile1.p7b" -keyPwd 123456 -extCfgFile "111.txt"', 'sign-profile -mode localSign -keyAlias "oh-app1-key-v1" -profileCertFile "profile-debug1.pem" -inFile "profile.json" -signAlg SHA384withECDSA -keystoreFile "ohtest.jks" -keystorePwd 123456 -outFile "app1-profile1.p7b" -keyPwd 123456 -extCfgFile "111.txt"', 'sign-profile -mode localSign -keyAlias "oh-app1-key-v1" -profileCertFile "profile-debug1.pem" -inFile "profile.json" -signAlg SHA384withECDSA -keystoreFile "ohtest.jks" -keystorePwd 123456 -outFile "app1-profile1.p7b" -keyPwd 123456', 
@@ -326,6 +326,7 @@ 'sign-profile -mode localSign -keyAlias "oh-app1-key-v1" -profileCertFile "profile-debug1.pem" -inFile "profile.json" -signAlg SHA384withECDSA -keystoreFile "ohtest.jks" -keystorePwd 123456 -outFile -keyPwd 123456 -extCfgFile "111.txt"', 'sign-profile -mode localSign -keyAlias "oh-app1-key-v1" -profileCertFile "profile-debug1.pem" -inFile "profile.json" -signAlg SHA384withECDSA -keystoreFile "ohtest.jks" -keystorePwd 123456 -outFile "app1-profile1.jks" -keyPwd 123456 -extCfgFile "111.txt"', 'sign-profile -mode localSign -keyAlias "oh-app1-key-v1" -profileCertFile "profile-debug1.pem" -inFile "profile.json" -signAlg SHA384withECDSA -keystoreFile "ohtest.jks" -keystorePwd 123456 -outFile "app1-profile1.p7b" -keyPwd 123456 -extCfgFile ""', + 'sign-profile -mode localSign -keyAlias "oh-app1-key-v1" -profileCertFile "profile-debug1.pem" -inFile "profile.json" -signAlg SHA384withECDSA -keystoreFile "ohtest.p12" -keystorePwd 123456 -outFile "app1-profile1.p7b" -keyPwd 123456', 'verify-profile -outFile "verify-result.json"', 'verify-profile -outFile "verify-result.json" -inFile', 'verify-profile -outFile "verify-result.json" -inFile "profile-debug1.pem"',