From cd5571ad716eacd80bd8656355e4bd27391075d6 Mon Sep 17 00:00:00 2001 From: zfeixiang Date: Wed, 2 Jul 2025 16:29:00 +0800 Subject: [PATCH 1/9] print elf signature info Signed-off-by: zfeixiang --- binary_sign_tool/api/include/service_api.h | 1 + .../api/include/sign_tool_service_impl.h | 1 + .../api/src/sign_tool_service_impl.cpp | 12 ++ binary_sign_tool/cmd/src/params_run_tool.cpp | 16 ++- .../cmd/src/params_trust_list.cpp | 1 + binary_sign_tool/common/include/constant.h | 1 + .../hap/provider/include/sign_provider.h | 1 - binary_sign_tool/hap/sign/src/sign_elf.cpp | 1 - binary_sign_tool/hap/signature_tools_hap.gni | 2 + .../hap/verify/include/verify_elf.h | 69 +++++++++++ .../hap/verify/src/verify_elf.cpp | 111 ++++++++++++++++++ 11 files changed, 211 insertions(+), 5 deletions(-) create mode 100644 binary_sign_tool/hap/verify/include/verify_elf.h create mode 100644 binary_sign_tool/hap/verify/src/verify_elf.cpp diff --git a/binary_sign_tool/api/include/service_api.h b/binary_sign_tool/api/include/service_api.h index 0807eda6..0b22f966 100644 --- a/binary_sign_tool/api/include/service_api.h +++ b/binary_sign_tool/api/include/service_api.h @@ -27,6 +27,7 @@ public: ~ServiceApi() = default; virtual bool Sign(Options* params) = 0; + virtual bool Verify(Options* option) = 0; }; } // namespace SignatureTools } // namespace OHOS diff --git a/binary_sign_tool/api/include/sign_tool_service_impl.h b/binary_sign_tool/api/include/sign_tool_service_impl.h index 149fbfb4..c13aa678 100644 --- a/binary_sign_tool/api/include/sign_tool_service_impl.h +++ b/binary_sign_tool/api/include/sign_tool_service_impl.h @@ -30,6 +30,7 @@ public: SignToolServiceImpl() = default; virtual ~SignToolServiceImpl() = default; bool Sign(Options* options)override; + bool Verify(Options* option)override; }; } // namespace SignatureTools } // namespace OHOS diff --git a/binary_sign_tool/api/src/sign_tool_service_impl.cpp b/binary_sign_tool/api/src/sign_tool_service_impl.cpp index 44147135..0f371ae6 100644 --- a/binary_sign_tool/api/src/sign_tool_service_impl.cpp +++ b/binary_sign_tool/api/src/sign_tool_service_impl.cpp @@ -26,6 +26,7 @@ #include "param_constants.h" #include "constant.h" #include "remote_sign_provider.h" +#include "verify_elf.h" namespace OHOS { namespace SignatureTools { @@ -73,5 +74,16 @@ int SignToolServiceImpl::GetProvisionContent(const std::string& input, std::stri } return 0; } + +bool SignToolServiceImpl::Verify(Options* option) +{ + VerifyElf verifyElf; + if (!verifyElf.Verify(option)) { + PrintErrorNumberMsg("VERIFY_ERROR", VERIFY_ERROR, "elf verify failed!"); + return false; + } + PrintMsg("elf verify successed!"); + return true; +} } // namespace SignatureTools } // namespace OHOS diff --git a/binary_sign_tool/cmd/src/params_run_tool.cpp b/binary_sign_tool/cmd/src/params_run_tool.cpp index 1136bf6d..43f6200f 100644 --- a/binary_sign_tool/cmd/src/params_run_tool.cpp +++ b/binary_sign_tool/cmd/src/params_run_tool.cpp @@ -16,8 +16,6 @@ #include "params_run_tool.h" #include #include -#include - #include "constant.h" #include "help.h" @@ -27,7 +25,8 @@ const std::string ParamsRunTool::VERSION = "1.0.0"; static std::unordered_map > DISPATCH_RUN_METHOD { - {SIGN_ELF, ParamsRunTool::RunSignApp} + {SIGN_ELF, ParamsRunTool::RunSignApp}, + {VERIFY_ELF, ParamsRunTool::RunVerifyApp}, }; bool ParamsRunTool::ProcessCmd(char** args, size_t size) @@ -148,5 +147,16 @@ void ParamsRunTool::Version() { PrintMsg(ParamsRunTool::VERSION); } + +bool ParamsRunTool::RunVerifyApp(Options* params, SignToolServiceImpl& api) +{ + if (!params->Required({Options::IN_FILE})) { + return false; + } + if (!CmdUtil::UpdateParamForCheckInFile(params, {Options::IN_FILE})) { + return false; + } + return api.Verify(params); +} } // namespace SignatureTools } // namespace OHOS \ No newline at end of file diff --git a/binary_sign_tool/cmd/src/params_trust_list.cpp b/binary_sign_tool/cmd/src/params_trust_list.cpp index 9b6bff64..aee3d55f 100644 --- a/binary_sign_tool/cmd/src/params_trust_list.cpp +++ b/binary_sign_tool/cmd/src/params_trust_list.cpp @@ -27,6 +27,7 @@ const std::string options = "[options]:"; const std::vector commands = { SIGN_ELF + options, + VERIFY_ELF + options, }; ParamsTrustList ParamsTrustList::GetInstance() diff --git a/binary_sign_tool/common/include/constant.h b/binary_sign_tool/common/include/constant.h index e7154c0d..9b06b5ef 100644 --- a/binary_sign_tool/common/include/constant.h +++ b/binary_sign_tool/common/include/constant.h @@ -75,6 +75,7 @@ const std::string GENERATE_CERT = "generate-cert"; const std::string GENERATE_APP_CERT = "generate-app-cert"; const std::string GENERATE_PROFILE_CERT = "generate-profile-cert"; const std::string SIGN_ELF = "sign"; +const std::string VERIFY_ELF = "verify"; const std::string SIGN_PROFILE = "sign-profile"; const std::string VERIFY_APP = "verify-app"; const std::string VERIFY_PROFILE = "verify-profile"; diff --git a/binary_sign_tool/hap/provider/include/sign_provider.h b/binary_sign_tool/hap/provider/include/sign_provider.h index 7a3a76b8..6bbd6424 100644 --- a/binary_sign_tool/hap/provider/include/sign_provider.h +++ b/binary_sign_tool/hap/provider/include/sign_provider.h @@ -21,7 +21,6 @@ #include #include #include -#include #include #include #include diff --git a/binary_sign_tool/hap/sign/src/sign_elf.cpp b/binary_sign_tool/hap/sign/src/sign_elf.cpp index bc54e3aa..3c59e5d4 100644 --- a/binary_sign_tool/hap/sign/src/sign_elf.cpp +++ b/binary_sign_tool/hap/sign/src/sign_elf.cpp @@ -14,7 +14,6 @@ */ #include "sign_elf.h" -#include #include #include "file_utils.h" diff --git a/binary_sign_tool/hap/signature_tools_hap.gni b/binary_sign_tool/hap/signature_tools_hap.gni index a8ea3a9b..1bbcc755 100644 --- a/binary_sign_tool/hap/signature_tools_hap.gni +++ b/binary_sign_tool/hap/signature_tools_hap.gni @@ -13,6 +13,7 @@ import("../signature_tools.gni") signature_tools_hap_include = [ + "${signature_tools_hap}/verify/include", "${hapsigntool_cpp_hap}/verify/include", "${hapsigntool_cpp_hap}/config/include", "${signature_tools_hap}/entity/include", @@ -31,6 +32,7 @@ signature_tools_hap_src = [ "${hapsigntool_cpp_hap}/provider/src/remote_sign_provider.cpp", "${signature_tools_hap}/provider/src/sign_provider.cpp", "${signature_tools_hap}/sign/src/sign_elf.cpp", + "${signature_tools_hap}/verify/src/verify_elf.cpp", "${hapsigntool_cpp_hap}/utils/src/dynamic_lib_handle.cpp", "${signature_tools_hap}/sign/src/bc_pkcs7_generator.cpp", ] diff --git a/binary_sign_tool/hap/verify/include/verify_elf.h b/binary_sign_tool/hap/verify/include/verify_elf.h new file mode 100644 index 00000000..bea0104c --- /dev/null +++ b/binary_sign_tool/hap/verify/include/verify_elf.h @@ -0,0 +1,69 @@ +/* + * Copyright (c) 2024-2024 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef SIGNATRUETOOLS_VERIFY_ELF_H +#define SIGNATRUETOOLS_VERIFY_ELF_H + +#include +#include +#include + +#include "options.h" +#include "signature_tools_log.h" + +namespace OHOS { +namespace SignatureTools { + +struct ElfSignInfo { + uint32_t type; + uint32_t length; + uint8_t version; + uint8_t hashAlgorithm; + uint8_t logBlockSize; + uint8_t saltSize; + uint32_t signSize; + uint64_t dataSize; + uint8_t rootHash[64]; + uint8_t salt[32]; + uint32_t flags; + uint8_t reserved_1[12]; + uint8_t reserved_2[127]; + uint8_t csVersion; + uint8_t signature[0]; +}; + +class VerifyElf { +public: + static constexpr int PAGE_SIZE = 4096; + static const int8_t SIGNATURE_BLOCK; + static const int8_t PROFILE_NOSIGNED_BLOCK; + static const int8_t PROFILE_SIGNED_BLOCK; + static const int8_t KEY_ROTATION_BLOCK; + static const int8_t CODESIGNING_BLOCK_TYPE; + static const std::string profileSec; + static const std::string permissionSec; + static const std::string codesignSec; + +public: + bool Verify(Options* options); + static bool CheckParams(Options* options); + static bool GetRawContent(const std::vector& contentVec, std::string& rawContent); + +private: + static bool ParseSignBlock(const ELFIO::elfio& elfReader); +}; +} // namespace SignatureTools +} // namespace OHOS +#endif \ No newline at end of file diff --git a/binary_sign_tool/hap/verify/src/verify_elf.cpp b/binary_sign_tool/hap/verify/src/verify_elf.cpp new file mode 100644 index 00000000..1613ef6d --- /dev/null +++ b/binary_sign_tool/hap/verify/src/verify_elf.cpp @@ -0,0 +1,111 @@ +/* + * Copyright (c) 2024-2024 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "verify_elf.h" + +#include +#include "constant.h" +#include "file_utils.h" +#include "signature_tools_log.h" +#include "hash_utils.h" +#include "pkcs7_data.h" + +namespace OHOS { +namespace SignatureTools { + +const int8_t VerifyElf::SIGNATURE_BLOCK = 0; +const int8_t VerifyElf::PROFILE_NOSIGNED_BLOCK = 1; +const int8_t VerifyElf::PROFILE_SIGNED_BLOCK = 2; +const int8_t VerifyElf::KEY_ROTATION_BLOCK = 3; +const int8_t VerifyElf::CODESIGNING_BLOCK_TYPE = 3; +const std::string VerifyElf::codesignSec = ".codesign"; +const std::string VerifyElf::profileSec = ".profile"; +const std::string VerifyElf::permissionSec = ".permission"; + +bool VerifyElf::Verify(Options* options) +{ + // check param + if (options == nullptr) { + PrintErrorNumberMsg("VERIFY_ERROR", VERIFY_ERROR, "Param options is null."); + return false; + } + std::string elfFile = options->GetString(Options::IN_FILE); + ELFIO::elfio elfReader; + if (!elfReader.load(elfFile)) { + SIGNATURE_TOOLS_LOGE("failed to load input ELF file"); + return false; + } + + + // get codesignSec section + + ParseSignBlock(elfReader); + + // get profileSec section + + + + // get permissionSec section + + return true; +} + +bool VerifyElf::ParseSignBlock(const ELFIO::elfio& elfReader) +{ + ELFIO::section* sec = elfReader.sections[codesignSec]; + if (!sec) { + SIGNATURE_TOOLS_LOGE("codesign section is not found"); + return false; + } + ELFIO::Elf64_Off secOffElf64 = sec->get_offset(); + uint64_t secOff = static_cast(secOffElf64); + if (secOff % PAGE_SIZE != 0) { + SIGNATURE_TOOLS_LOGE("codesign section offset is not aligned"); + return false; + } + const char* data = sec->get_data(); + uint64_t csBlockSize = sec->get_size(); + if (csBlockSize == 0 || csBlockSize % PAGE_SIZE != 0) { + SIGNATURE_TOOLS_LOGE("codesign section size is not aligned"); + return false; + } + const ElfSignInfo* signInfo = reinterpret_cast(data); + PrintMsg("codesign section offset: " + std::to_string(signInfo->dataSize)); + return true; +} + +bool VerifyElf::GetRawContent(const std::vector& contentVec, std::string& rawContent) +{ + PKCS7Data p7Data; + int parseFlag = p7Data.Parse(contentVec); + if (parseFlag < 0) { + SIGNATURE_TOOLS_LOGE("parse content failed!"); + return false; + } + int verifyFlag = p7Data.Verify(); + if (verifyFlag < 0) { + SIGNATURE_TOOLS_LOGE("verify content failed!"); + return false; + } + int getContentFlag = p7Data.GetContent(rawContent); + if (getContentFlag < 0) { + SIGNATURE_TOOLS_LOGE("get p7Data raw content failed!"); + return false; + } + return true; +} + +} // namespace SignatureTools +} // namespace OHOS \ No newline at end of file -- Gitee From 5a0066bb7d9433d5703cc58b225d70f75347c69a Mon Sep 17 00:00:00 2001 From: zfeixiang Date: Thu, 3 Jul 2025 12:00:34 +0800 Subject: [PATCH 2/9] change adhoc name Signed-off-by: zfeixiang --- .../api/src/sign_tool_service_impl.cpp | 9 +++--- binary_sign_tool/cmd/include/help.h | 29 ++++++++++--------- binary_sign_tool/cmd/src/cmd_util.cpp | 16 +++++----- binary_sign_tool/cmd/src/params_run_tool.cpp | 2 +- .../codesigning/sign/include/code_signing.h | 4 +-- .../codesigning/sign/src/code_signing.cpp | 12 ++++---- binary_sign_tool/common/include/options.h | 2 +- binary_sign_tool/common/src/options.cpp | 2 +- .../hap/entity/include/param_constants.h | 6 ++-- .../hap/entity/src/param_constants.cpp | 6 ++-- ...n_provider.h => self_sign_sign_provider.h} | 12 ++++---- ...ovider.cpp => self_sign_sign_provider.cpp} | 4 +-- .../hap/provider/src/sign_provider.cpp | 8 ++--- binary_sign_tool/hap/sign/include/sign_elf.h | 2 +- binary_sign_tool/hap/sign/src/sign_elf.cpp | 10 +++---- binary_sign_tool/hap/signature_tools_hap.gni | 2 +- 16 files changed, 63 insertions(+), 63 deletions(-) rename binary_sign_tool/hap/provider/include/{ad_hoc_sign_provider.h => self_sign_sign_provider.h} (73%) rename binary_sign_tool/hap/provider/src/{ad_hoc_sign_provider.cpp => self_sign_sign_provider.cpp} (92%) diff --git a/binary_sign_tool/api/src/sign_tool_service_impl.cpp b/binary_sign_tool/api/src/sign_tool_service_impl.cpp index 0f371ae6..596b8e44 100644 --- a/binary_sign_tool/api/src/sign_tool_service_impl.cpp +++ b/binary_sign_tool/api/src/sign_tool_service_impl.cpp @@ -20,7 +20,7 @@ #include "profile_info.h" #include "profile_verify.h" #include "signature_tools_errno.h" -#include "ad_hoc_sign_provider.h" +#include "self_sign_sign_provider.h" #include "local_sign_provider.h" #include "signature_tools_log.h" #include "param_constants.h" @@ -38,10 +38,10 @@ bool SignToolServiceImpl::Sign(Options* options) return false; } std::string mode = options->GetString(Options::MODE); - std::string adhoc = options->GetString(Options::AD_HOC); + std::string selfSign = options->GetString(Options::SELF_SIGN); std::shared_ptr signProvider; - if (ParamConstants::AD_HOC_TYPE_1 == adhoc) { - signProvider = std::make_shared(); + if (ParamConstants::SELF_SIGN_TYPE_1 == selfSign) { + signProvider = std::make_shared(); } else if (LOCAL_SIGN == mode) { signProvider = std::make_shared(); } else if (REMOTE_SIGN == mode) { @@ -82,7 +82,6 @@ bool SignToolServiceImpl::Verify(Options* option) PrintErrorNumberMsg("VERIFY_ERROR", VERIFY_ERROR, "elf verify failed!"); return false; } - PrintMsg("elf verify successed!"); return true; } } // namespace SignatureTools diff --git a/binary_sign_tool/cmd/include/help.h b/binary_sign_tool/cmd/include/help.h index c59a16cd..ab40041b 100644 --- a/binary_sign_tool/cmd/include/help.h +++ b/binary_sign_tool/cmd/include/help.h @@ -24,12 +24,11 @@ namespace OHOS { namespace SignatureTools { const std::string HELP_TXT_HEADER = R"( -USAGE: [options] +USAGE: [options] )"; const std::string SIGN_HELP_TXT = R"( sign[options]: - -mode : signature mode, required fields, including localSign/remoteSign/remoteResign; -keyAlias : key alias, required fields; -keyPwd : key password, optional fields on localSign mode; -appCertFile : application signature certificate file, required fields on localSign mode, optional fields @@ -37,23 +36,16 @@ const std::string SIGN_HELP_TXT = R"( -profileFile : signed Provision Profile file, p7b format, required fields; -profileSigned : indicates whether the profile file has a signature.The options are as follows : 1 : yes; 0:no; default value:1. optional fields; - -inFile : input original application package file, .hap, .bin, and .elf format, required fields; + -inFile : input original elf file, required fields; -signAlg : signature algorithm, required fields, including SHA256withECDSA/SHA384withECDSA; -keystoreFile : keystore file, if signature mode is localSign, required fields on localSign mode, JKS or P12 format; -keystorePwd : keystore password, optional fields on localSign mode; -outFile : output the signed Provision Profile file, required fields; application package file format is hap; - -signServer : remote signer plugin, required fields on remoteSign mode; - -signerPlugin : remote sign service url, required fields on remoteSign mode; - -onlineAuthMode : remote sign auth mode, required fields on remoteSign mode, including account; - -username : user account for online auth, required fields on remoteSign mode with account auth mode; - -userPwd : user password for online auth, required fields on remoteSign mode with account auth mode; - -ext : extend parameters for remote signer plugin, optional fields; - -signCode : Whether the HAP file is signed code, The value 1 means enable sign code, and value 0 means - disable sign code.The default value is 1. It is optional. + -moduleFile : module.json file. - -adHoc : Whether the HAP file is ad hoc, The value 1 means enable ad hoc, and value 0 means disable ad hoc. + -selfSign : Whether the HAP file is self sign, The value 1 means enable self sign, and value 0 means disable self sign. The default value is 0. It is optional. EXAMPLE : @@ -62,12 +54,21 @@ const std::string SIGN_HELP_TXT = R"( -profileFile "/home/signed-profile.p7b" -inFile "/home/app1-unsigned.hap" -signAlg SHA256withECDSA )"; +const std::string VERIFY_HELP_TXT = R"( + verify[options]: + -inFile : verify elf file, required fields; + + EXAMPLE: + verify -inFile "/home/app1-signed.hap" +)"; + const std::string HELP_END_TXT = R"( COMMANDS : - sign : application package signature + sign : elf file signature + verify : elf file verification )"; /* help.txt all content */ -const std::string HELP_TXT = HELP_TXT_HEADER + SIGN_HELP_TXT + HELP_END_TXT; +const std::string HELP_TXT = HELP_TXT_HEADER + SIGN_HELP_TXT + VERIFY_HELP_TXT + HELP_END_TXT; } } #endif \ No newline at end of file diff --git a/binary_sign_tool/cmd/src/cmd_util.cpp b/binary_sign_tool/cmd/src/cmd_util.cpp index 6b2b5b15..c2ad97ca 100644 --- a/binary_sign_tool/cmd/src/cmd_util.cpp +++ b/binary_sign_tool/cmd/src/cmd_util.cpp @@ -140,23 +140,23 @@ static bool UpdateParamForVariantBoolProfileSigned(const ParamsSharedPtr& param) return true; } -static bool UpdateParamForVariantBoolAdHoc(const ParamsSharedPtr& param) +static bool UpdateParamForVariantBoolSelfSign(const ParamsSharedPtr& param) { Options* options = param->GetOptions(); // The bool type is used only by the "sign-elf" module - if (options->count(Options::AD_HOC)) { - std::string val = options->GetString(Options::AD_HOC); + if (options->count(Options::SELF_SIGN)) { + std::string val = options->GetString(Options::SELF_SIGN); if (val == "1" || val == "true" || val == "TRUE") { - (*options)[Options::AD_HOC] = ParamConstants::AD_HOC_TYPE_1; + (*options)[Options::SELF_SIGN] = ParamConstants::SELF_SIGN_TYPE_1; } else if (val == "0" || val == "false" || val == "FALSE") { - (*options)[Options::AD_HOC] = ParamConstants::AD_HOC_TYPE_0; + (*options)[Options::SELF_SIGN] = ParamConstants::SELF_SIGN_TYPE_0; } else { PrintErrorNumberMsg("COMMAND_PARAM_ERROR", COMMAND_PARAM_ERROR, - val + " is not valid value for "+"-" + Options::AD_HOC); + val + " is not valid value for "+"-" + Options::SELF_SIGN); return false; } } else if (param->GetMethod() == SIGN_ELF) { - (*options)[Options::AD_HOC] = ParamConstants::AD_HOC_TYPE_0; + (*options)[Options::SELF_SIGN] = ParamConstants::SELF_SIGN_TYPE_0; } return true; @@ -277,7 +277,7 @@ static bool UpdateParam(const ParamsSharedPtr& param) if (!UpdateParamForVariantBoolProfileSigned(param)) { return false; } - if (!UpdateParamForVariantBoolAdHoc(param)) { + if (!UpdateParamForVariantBoolSelfSign(param)) { return false; } if (!UpdateParamForCheckSignAlg(param)) { diff --git a/binary_sign_tool/cmd/src/params_run_tool.cpp b/binary_sign_tool/cmd/src/params_run_tool.cpp index 43f6200f..682d8864 100644 --- a/binary_sign_tool/cmd/src/params_run_tool.cpp +++ b/binary_sign_tool/cmd/src/params_run_tool.cpp @@ -83,7 +83,7 @@ bool ParamsRunTool::RunSignApp(Options* params, SignToolServiceImpl& api) PrintErrorNumberMsg("COMMAND_ERROR", COMMAND_ERROR, "not support command param '" + mode + "'"); return false; } - if (params->GetString(Options::AD_HOC) == ParamConstants::AD_HOC_TYPE_1) { + if (params->GetString(Options::SELF_SIGN) == ParamConstants::SELF_SIGN_TYPE_1) { return api.Sign(params); } if (StringUtils::CaseCompare(mode, LOCAL_SIGN)) { diff --git a/binary_sign_tool/codesigning/sign/include/code_signing.h b/binary_sign_tool/codesigning/sign/include/code_signing.h index 3543c573..76f78601 100644 --- a/binary_sign_tool/codesigning/sign/include/code_signing.h +++ b/binary_sign_tool/codesigning/sign/include/code_signing.h @@ -32,7 +32,7 @@ namespace OHOS { namespace SignatureTools { class CodeSigning { public: - CodeSigning(SignerConfig* signConfig, bool adHoc); + CodeSigning(SignerConfig* signConfig, bool selfSign); CodeSigning(); bool GetElfCodeSignBlock(const std::string &input, uint64_t& csOffset, std::vector &codesignData); @@ -42,7 +42,7 @@ public: std::vector& ret); bool GetOwnerIdFromCert(std::string& ownerID); SignerConfig* m_signConfig; - bool m_adHoc; + bool m_selfSign; private: static constexpr int MIN_CERT_CHAIN_SIZE = 2; diff --git a/binary_sign_tool/codesigning/sign/src/code_signing.cpp b/binary_sign_tool/codesigning/sign/src/code_signing.cpp index 2662db7f..1ed428a6 100644 --- a/binary_sign_tool/codesigning/sign/src/code_signing.cpp +++ b/binary_sign_tool/codesigning/sign/src/code_signing.cpp @@ -25,13 +25,13 @@ namespace SignatureTools { const FsVerityHashAlgorithm FS_SHA256(1, "SHA-256", 256 / 8); const FsVerityHashAlgorithm FS_SHA512(2, "SHA-512", 512 / 8); const int8_t LOG_2_OF_FSVERITY_HASH_PAGE_SIZE = 12; -const int FLAG_AD_HOC = 1 << 4; +const int FLAG_SELF_SIGN = 1 << 4; const uint8_t ELF_CODE_SIGN_VERSION = 0x3; -CodeSigning::CodeSigning(SignerConfig* signConfig, bool adHoc) +CodeSigning::CodeSigning(SignerConfig* signConfig, bool selfSign) { m_signConfig = signConfig; - m_adHoc = adHoc; + m_selfSign = selfSign; } CodeSigning::CodeSigning() @@ -47,8 +47,8 @@ bool CodeSigning::GetElfCodeSignBlock(const std::string &input, uint64_t& csOffs return false; } int flags = 0; - if (m_adHoc) { - flags = flags | FLAG_AD_HOC; + if (m_selfSign) { + flags = flags | FLAG_SELF_SIGN; } std::streamsize fileSize = inputstream.tellg(); inputstream.seekg(0, std::ios::beg); @@ -57,7 +57,7 @@ bool CodeSigning::GetElfCodeSignBlock(const std::string &input, uint64_t& csOffs fsVerityGenerator->GenerateFsVerityDigest(inputstream, fileSize, flags); std::vector signature; - if (!m_adHoc) { + if (!m_selfSign) { std::string ownerID; GetOwnerIdFromCert(ownerID); std::vector fsVerityDigest = fsVerityGenerator->GetFsVerityDigest(); diff --git a/binary_sign_tool/common/include/options.h b/binary_sign_tool/common/include/options.h index 625fd8f7..6e613cbb 100644 --- a/binary_sign_tool/common/include/options.h +++ b/binary_sign_tool/common/include/options.h @@ -120,7 +120,7 @@ public: static const std::string PROFILE_FILE; static const std::string PROFILE_SIGNED; static const std::string MODULE_FILE; - static const std::string AD_HOC; + static const std::string SELF_SIGN; }; } // namespace SignatureTools } // namespace OHOS diff --git a/binary_sign_tool/common/src/options.cpp b/binary_sign_tool/common/src/options.cpp index a3f7d7dd..2eda0319 100644 --- a/binary_sign_tool/common/src/options.cpp +++ b/binary_sign_tool/common/src/options.cpp @@ -57,7 +57,7 @@ const std::string Options::PROOF_FILE = "outproof"; const std::string Options::PROFILE_FILE = "profileFile"; const std::string Options::PROFILE_SIGNED = "profileSigned"; const std::string Options::MODULE_FILE = "moduleFile"; -const std::string Options::AD_HOC = "adHoc"; +const std::string Options::SELF_SIGN = "selfSign"; char* Options::GetChars(const std::string& key) { diff --git a/binary_sign_tool/hap/entity/include/param_constants.h b/binary_sign_tool/hap/entity/include/param_constants.h index 2afcc113..35029ac1 100644 --- a/binary_sign_tool/hap/entity/include/param_constants.h +++ b/binary_sign_tool/hap/entity/include/param_constants.h @@ -61,13 +61,13 @@ public: static const std::string PARAM_RESIGN_CONFIG_FILE; static const std::string PARAM_IN_FORM; static const std::string PARAM_SIGN_CODE; - static const std::string PARAM_AD_HOC; + static const std::string PARAM_SELF_SIGN; static const std::string PARAM_MODULE_FILE; static constexpr int FILE_NAME_MIN_LENGTH = 2; static const std::string DISABLE_SIGN_CODE; static const std::string ENABLE_SIGN_CODE; - static const std::string AD_HOC_TYPE_0; - static const std::string AD_HOC_TYPE_1; + static const std::string SELF_SIGN_TYPE_0; + static const std::string SELF_SIGN_TYPE_1; }; } // namespace SignatureTools } // namespace OHOS diff --git a/binary_sign_tool/hap/entity/src/param_constants.cpp b/binary_sign_tool/hap/entity/src/param_constants.cpp index fe48cf05..c4650e20 100644 --- a/binary_sign_tool/hap/entity/src/param_constants.cpp +++ b/binary_sign_tool/hap/entity/src/param_constants.cpp @@ -53,11 +53,11 @@ const std::string ParamConstants::PARAM_VERIFY_PROPERTY_FILE = "outproperty"; const std::string ParamConstants::PARAM_RESIGN_CONFIG_FILE = "resignconfig"; const std::string ParamConstants::PARAM_IN_FORM = "inForm"; const std::string ParamConstants::PARAM_SIGN_CODE = "signCode"; -const std::string ParamConstants::PARAM_AD_HOC = "adHoc"; +const std::string ParamConstants::PARAM_SELF_SIGN = "selfSign"; const std::string ParamConstants::PARAM_MODULE_FILE = "moduleFile"; const std::string ParamConstants::DISABLE_SIGN_CODE = "0"; const std::string ParamConstants::ENABLE_SIGN_CODE = "1"; -const std::string ParamConstants::AD_HOC_TYPE_0 = "0"; -const std::string ParamConstants::AD_HOC_TYPE_1 = "1"; +const std::string ParamConstants::SELF_SIGN_TYPE_0 = "0"; +const std::string ParamConstants::SELF_SIGN_TYPE_1 = "1"; } // namespace SignatureTools } // namespace OHOS \ No newline at end of file diff --git a/binary_sign_tool/hap/provider/include/ad_hoc_sign_provider.h b/binary_sign_tool/hap/provider/include/self_sign_sign_provider.h similarity index 73% rename from binary_sign_tool/hap/provider/include/ad_hoc_sign_provider.h rename to binary_sign_tool/hap/provider/include/self_sign_sign_provider.h index 03b6c1ca..e681f3eb 100644 --- a/binary_sign_tool/hap/provider/include/ad_hoc_sign_provider.h +++ b/binary_sign_tool/hap/provider/include/self_sign_sign_provider.h @@ -12,19 +12,19 @@ * See the License for the specific language governing permissions and * limitations under the License. */ -#ifndef SIGNATRUETOOLS_AD_HOC_SIGN_PROVIDER_H -#define SIGNATRUETOOLS_AD_HOC_SIGN_PROVIDER_H +#ifndef SIGNATRUETOOLS_SELF_SIGN_SIGN_PROVIDER_H +#define SIGNATRUETOOLS_SELF_SIGN_SIGN_PROVIDER_H #include "sign_provider.h" namespace OHOS { namespace SignatureTools { -class AdHocSignProvider : public SignProvider { +class SelfSignSignProvider : public SignProvider { public: - AdHocSignProvider() = default; - ~AdHocSignProvider() = default; + SelfSignSignProvider() = default; + ~SelfSignSignProvider() = default; bool SignElf(Options* options); }; } // namespace SignatureTools } // namespace OHOS -#endif // SIGNATRUETOOLS_AD_HOC_SIGN_PROVIDER_H \ No newline at end of file +#endif // SIGNATRUETOOLS_SELF_SIGN_SIGN_PROVIDER_H \ No newline at end of file diff --git a/binary_sign_tool/hap/provider/src/ad_hoc_sign_provider.cpp b/binary_sign_tool/hap/provider/src/self_sign_sign_provider.cpp similarity index 92% rename from binary_sign_tool/hap/provider/src/ad_hoc_sign_provider.cpp rename to binary_sign_tool/hap/provider/src/self_sign_sign_provider.cpp index 918b5371..c8b05cc6 100644 --- a/binary_sign_tool/hap/provider/src/ad_hoc_sign_provider.cpp +++ b/binary_sign_tool/hap/provider/src/self_sign_sign_provider.cpp @@ -12,13 +12,13 @@ * See the License for the specific language governing permissions and * limitations under the License. */ -#include "ad_hoc_sign_provider.h" +#include "self_sign_sign_provider.h" #include "params.h" #include "sign_elf.h" namespace OHOS { namespace SignatureTools { -bool AdHocSignProvider::SignElf(Options* options) +bool SelfSignSignProvider::SignElf(Options* options) { if (!SignProvider::CheckParams(options)) { SIGNATURE_TOOLS_LOGE("Parameter check failed !"); diff --git a/binary_sign_tool/hap/provider/src/sign_provider.cpp b/binary_sign_tool/hap/provider/src/sign_provider.cpp index c0ccd184..7c0f13c8 100644 --- a/binary_sign_tool/hap/provider/src/sign_provider.cpp +++ b/binary_sign_tool/hap/provider/src/sign_provider.cpp @@ -199,7 +199,7 @@ bool SignProvider::CheckParams(Options* options) paramFileds.emplace_back(ParamConstants::PARAM_LOCAL_PUBLIC_CERT); paramFileds.emplace_back(ParamConstants::PARAM_SIGN_CODE); paramFileds.emplace_back(ParamConstants::PARAM_MODULE_FILE); - paramFileds.emplace_back(ParamConstants::PARAM_AD_HOC); + paramFileds.emplace_back(ParamConstants::PARAM_SELF_SIGN); std::unordered_set paramSet = Params::InitParamField(paramFileds); for (auto it = options->begin(); it != options->end(); it++) { @@ -212,9 +212,9 @@ bool SignProvider::CheckParams(Options* options) || signParams.at(ParamConstants::PARAM_BASIC_PROFILE_SIGNED).empty()) { signParams[ParamConstants::PARAM_BASIC_PROFILE_SIGNED] = DEFAULT_PROFILE_SIGNED_1; } - if (signParams.find(ParamConstants::PARAM_AD_HOC) == signParams.end() - || signParams.at(ParamConstants::PARAM_AD_HOC).empty()) { - signParams[ParamConstants::PARAM_AD_HOC] = ParamConstants::AD_HOC_TYPE_0; + if (signParams.find(ParamConstants::PARAM_SELF_SIGN) == signParams.end() + || signParams.at(ParamConstants::PARAM_SELF_SIGN).empty()) { + signParams[ParamConstants::PARAM_SELF_SIGN] = ParamConstants::SELF_SIGN_TYPE_0; } return true; } diff --git a/binary_sign_tool/hap/sign/include/sign_elf.h b/binary_sign_tool/hap/sign/include/sign_elf.h index 4a929a35..ab5d2801 100644 --- a/binary_sign_tool/hap/sign/include/sign_elf.h +++ b/binary_sign_tool/hap/sign/include/sign_elf.h @@ -45,7 +45,7 @@ private: static bool WriteSecDataToFile(ELFIO::elfio& reader, SignerConfig& signerConfig, std::map& signParams); static bool GenerateCodeSignByte(SignerConfig& signerConfig, const std::string& inputFile, uint64_t& csOffset, - const std::string& adHoc); + const std::string& selfSign); static bool ReplaceDataOffset(const std::string& filePath, uint64_t& csOffset, const std::vector& csData); }; } // namespace SignatureTools diff --git a/binary_sign_tool/hap/sign/src/sign_elf.cpp b/binary_sign_tool/hap/sign/src/sign_elf.cpp index 3c59e5d4..97088921 100644 --- a/binary_sign_tool/hap/sign/src/sign_elf.cpp +++ b/binary_sign_tool/hap/sign/src/sign_elf.cpp @@ -60,8 +60,8 @@ bool SignElf::Sign(SignerConfig& signerConfig, std::map& signParams) { - if (signParams.at(ParamConstants::PARAM_AD_HOC) == ParamConstants::AD_HOC_TYPE_1) { + if (signParams.at(ParamConstants::PARAM_SELF_SIGN) == ParamConstants::SELF_SIGN_TYPE_1) { return true; } // check elf bin or so @@ -213,9 +213,9 @@ bool SignElf::WriteSecDataToFile(ELFIO::elfio& reader, SignerConfig& signerConfi } bool SignElf::GenerateCodeSignByte(SignerConfig& signerConfig, const std::string& inputFile, uint64_t& csOffset, - const std::string& adHoc) + const std::string& selfSign) { - CodeSigning codeSigning(&signerConfig, (adHoc == ParamConstants::AD_HOC_TYPE_1)); + CodeSigning codeSigning(&signerConfig, (selfSign == ParamConstants::SELF_SIGN_TYPE_1)); std::vector codesignData; bool getElfCodeSignBlockFlag = codeSigning.GetElfCodeSignBlock(inputFile, csOffset, codesignData); if (!getElfCodeSignBlockFlag) { diff --git a/binary_sign_tool/hap/signature_tools_hap.gni b/binary_sign_tool/hap/signature_tools_hap.gni index 1bbcc755..b6731a97 100644 --- a/binary_sign_tool/hap/signature_tools_hap.gni +++ b/binary_sign_tool/hap/signature_tools_hap.gni @@ -27,7 +27,7 @@ signature_tools_hap_src = [ "${hapsigntool_cpp_hap}/entity/src/content_digest_algorithm.cpp", "${signature_tools_hap}/entity/src/param_constants.cpp", "${hapsigntool_cpp_hap}/entity/src/signature_algorithm_helper.cpp", - "${signature_tools_hap}/provider/src/ad_hoc_sign_provider.cpp", + "${signature_tools_hap}/provider/src/self_sign_sign_provider.cpp", "${signature_tools_hap}/provider/src/local_sign_provider.cpp", "${hapsigntool_cpp_hap}/provider/src/remote_sign_provider.cpp", "${signature_tools_hap}/provider/src/sign_provider.cpp", -- Gitee From 16c335b7b45df8df76d1f3baa39949ebf427c1bc Mon Sep 17 00:00:00 2001 From: zfeixiang Date: Thu, 3 Jul 2025 16:32:13 +0800 Subject: [PATCH 3/9] verify elf Signed-off-by: zfeixiang --- .../hap/verify/include/verify_elf.h | 10 ++- .../hap/verify/src/verify_elf.cpp | 68 +++++++++++++++---- 2 files changed, 59 insertions(+), 19 deletions(-) diff --git a/binary_sign_tool/hap/verify/include/verify_elf.h b/binary_sign_tool/hap/verify/include/verify_elf.h index bea0104c..a90c89de 100644 --- a/binary_sign_tool/hap/verify/include/verify_elf.h +++ b/binary_sign_tool/hap/verify/include/verify_elf.h @@ -19,7 +19,8 @@ #include #include #include - +#include +#include "pkcs7_data.h" #include "options.h" #include "signature_tools_log.h" @@ -47,11 +48,6 @@ struct ElfSignInfo { class VerifyElf { public: static constexpr int PAGE_SIZE = 4096; - static const int8_t SIGNATURE_BLOCK; - static const int8_t PROFILE_NOSIGNED_BLOCK; - static const int8_t PROFILE_SIGNED_BLOCK; - static const int8_t KEY_ROTATION_BLOCK; - static const int8_t CODESIGNING_BLOCK_TYPE; static const std::string profileSec; static const std::string permissionSec; static const std::string codesignSec; @@ -63,6 +59,8 @@ public: private: static bool ParseSignBlock(const ELFIO::elfio& elfReader); + static bool PrintCertChainToCmd(std::vector& certChain); + static bool VerifyAppPkcs7(Pkcs7Context& pkcs7Context, const unsigned char* pkcs7Block, uint32_t pkcs7Len); }; } // namespace SignatureTools } // namespace OHOS diff --git a/binary_sign_tool/hap/verify/src/verify_elf.cpp b/binary_sign_tool/hap/verify/src/verify_elf.cpp index 1613ef6d..1d3f5c69 100644 --- a/binary_sign_tool/hap/verify/src/verify_elf.cpp +++ b/binary_sign_tool/hap/verify/src/verify_elf.cpp @@ -19,17 +19,12 @@ #include "constant.h" #include "file_utils.h" #include "signature_tools_log.h" +#include "verify_hap_openssl_utils.h" #include "hash_utils.h" -#include "pkcs7_data.h" namespace OHOS { namespace SignatureTools { -const int8_t VerifyElf::SIGNATURE_BLOCK = 0; -const int8_t VerifyElf::PROFILE_NOSIGNED_BLOCK = 1; -const int8_t VerifyElf::PROFILE_SIGNED_BLOCK = 2; -const int8_t VerifyElf::KEY_ROTATION_BLOCK = 3; -const int8_t VerifyElf::CODESIGNING_BLOCK_TYPE = 3; const std::string VerifyElf::codesignSec = ".codesign"; const std::string VerifyElf::profileSec = ".profile"; const std::string VerifyElf::permissionSec = ".permission"; @@ -50,15 +45,8 @@ bool VerifyElf::Verify(Options* options) // get codesignSec section - ParseSignBlock(elfReader); - // get profileSec section - - - - // get permissionSec section - return true; } @@ -83,6 +71,16 @@ bool VerifyElf::ParseSignBlock(const ELFIO::elfio& elfReader) } const ElfSignInfo* signInfo = reinterpret_cast(data); PrintMsg("codesign section offset: " + std::to_string(signInfo->dataSize)); + + Pkcs7Context pkcs7Context; + + VerifyAppPkcs7(pkcs7Context, reinterpret_cast(signInfo->signature), signInfo->signSize); + + if (!PrintCertChainToCmd(pkcs7Context.certChain[0])) { + SIGNATURE_TOOLS_LOGE("print cert chain to cmd failed\n"); + return false; + } + return true; } @@ -107,5 +105,49 @@ bool VerifyElf::GetRawContent(const std::vector& contentVec, std::string return true; } +bool VerifyElf::VerifyAppPkcs7(Pkcs7Context& pkcs7Context, const unsigned char* pkcs7Block, uint32_t pkcs7Len) +{ + // const unsigned char* pkcs7Block = reinterpret_cast(hapSignatureBlock.GetBufferPtr()); + // uint32_t pkcs7Len = static_cast(hapSignatureBlock.GetCapacity()); + if (!VerifyHapOpensslUtils::ParsePkcs7Package(pkcs7Block, pkcs7Len, pkcs7Context)) { + SIGNATURE_TOOLS_LOGE("parse pkcs7 failed"); + return false; + } + if (!VerifyHapOpensslUtils::GetCertChains(pkcs7Context.p7, pkcs7Context)) { + SIGNATURE_TOOLS_LOGE("GetCertChains from pkcs7 failed"); + return false; + } + if (!VerifyHapOpensslUtils::VerifyPkcs7(pkcs7Context)) { + SIGNATURE_TOOLS_LOGE("verify signature failed"); + return false; + } + return true; +} + +bool VerifyElf::PrintCertChainToCmd(std::vector& certChain) +{ + BIO* outFd = BIO_new_fp(stdout, BIO_NOCLOSE); + if (!outFd) { + PrintErrorNumberMsg("IO_ERROR", IO_ERROR, "The stdout stream may have errors"); + return false; + } + uint64_t format = XN_FLAG_SEP_COMMA_PLUS; // Print according to RFC2253 + uint64_t content = X509_FLAG_NO_EXTENSIONS | X509_FLAG_NO_ATTRIBUTES | X509_FLAG_NO_HEADER | X509_FLAG_NO_SIGDUMP; + int num = 0; + for (auto& cert : certChain) { + PrintMsg("+++++++++++++++++++++++++++++++++certificate #" + std::to_string(num) + + "+++++++++++++++++++++++++++++++++++++"); + if (!X509_print_ex(outFd, cert, format, content)) { + VerifyHapOpensslUtils::GetOpensslErrorMessage(); + SIGNATURE_TOOLS_LOGE("print x509 cert to cmd failed"); + BIO_free(outFd); + return false; + } + ++num; + } + BIO_free(outFd); + return true; +} + } // namespace SignatureTools } // namespace OHOS \ No newline at end of file -- Gitee From b39333b5bc32a480a6489b660dc40a3d0c521629 Mon Sep 17 00:00:00 2001 From: zfeixiang Date: Thu, 3 Jul 2025 20:55:00 +0800 Subject: [PATCH 4/9] print elf signature info Signed-off-by: zfeixiang --- .../hap/verify/include/verify_elf.h | 2 - .../hap/verify/src/verify_elf.cpp | 66 +++++-------------- 2 files changed, 17 insertions(+), 51 deletions(-) diff --git a/binary_sign_tool/hap/verify/include/verify_elf.h b/binary_sign_tool/hap/verify/include/verify_elf.h index a90c89de..1de0ac3c 100644 --- a/binary_sign_tool/hap/verify/include/verify_elf.h +++ b/binary_sign_tool/hap/verify/include/verify_elf.h @@ -55,12 +55,10 @@ public: public: bool Verify(Options* options); static bool CheckParams(Options* options); - static bool GetRawContent(const std::vector& contentVec, std::string& rawContent); private: static bool ParseSignBlock(const ELFIO::elfio& elfReader); static bool PrintCertChainToCmd(std::vector& certChain); - static bool VerifyAppPkcs7(Pkcs7Context& pkcs7Context, const unsigned char* pkcs7Block, uint32_t pkcs7Len); }; } // namespace SignatureTools } // namespace OHOS diff --git a/binary_sign_tool/hap/verify/src/verify_elf.cpp b/binary_sign_tool/hap/verify/src/verify_elf.cpp index 1d3f5c69..70b14c00 100644 --- a/binary_sign_tool/hap/verify/src/verify_elf.cpp +++ b/binary_sign_tool/hap/verify/src/verify_elf.cpp @@ -17,14 +17,13 @@ #include #include "constant.h" -#include "file_utils.h" #include "signature_tools_log.h" #include "verify_hap_openssl_utils.h" -#include "hash_utils.h" namespace OHOS { namespace SignatureTools { +const int FLAG_SELF_SIGN = 1 << 4; const std::string VerifyElf::codesignSec = ".codesign"; const std::string VerifyElf::profileSec = ".profile"; const std::string VerifyElf::permissionSec = ".permission"; @@ -42,11 +41,11 @@ bool VerifyElf::Verify(Options* options) SIGNATURE_TOOLS_LOGE("failed to load input ELF file"); return false; } - - // get codesignSec section - ParseSignBlock(elfReader); - + bool signFlag = ParseSignBlock(elfReader); + if (!signFlag) { + return false; + } return true; } @@ -54,7 +53,7 @@ bool VerifyElf::ParseSignBlock(const ELFIO::elfio& elfReader) { ELFIO::section* sec = elfReader.sections[codesignSec]; if (!sec) { - SIGNATURE_TOOLS_LOGE("codesign section is not found"); + PrintErrorNumberMsg("VERIFY_ERROR", VERIFY_ERROR, "codesign is not found"); return false; } ELFIO::Elf64_Off secOffElf64 = sec->get_offset(); @@ -70,55 +69,24 @@ bool VerifyElf::ParseSignBlock(const ELFIO::elfio& elfReader) return false; } const ElfSignInfo* signInfo = reinterpret_cast(data); - PrintMsg("codesign section offset: " + std::to_string(signInfo->dataSize)); - - Pkcs7Context pkcs7Context; - - VerifyAppPkcs7(pkcs7Context, reinterpret_cast(signInfo->signature), signInfo->signSize); - - if (!PrintCertChainToCmd(pkcs7Context.certChain[0])) { - SIGNATURE_TOOLS_LOGE("print cert chain to cmd failed\n"); - return false; - } - - return true; -} - -bool VerifyElf::GetRawContent(const std::vector& contentVec, std::string& rawContent) -{ - PKCS7Data p7Data; - int parseFlag = p7Data.Parse(contentVec); - if (parseFlag < 0) { - SIGNATURE_TOOLS_LOGE("parse content failed!"); - return false; - } - int verifyFlag = p7Data.Verify(); - if (verifyFlag < 0) { - SIGNATURE_TOOLS_LOGE("verify content failed!"); + if ((signInfo->flags & FLAG_SELF_SIGN) == FLAG_SELF_SIGN) { + PrintMsg("codesign is self-sign"); return false; } - int getContentFlag = p7Data.GetContent(rawContent); - if (getContentFlag < 0) { - SIGNATURE_TOOLS_LOGE("get p7Data raw content failed!"); - return false; - } - return true; -} + Pkcs7Context pkcs7Context; + auto signData = reinterpret_cast(signInfo->signature); -bool VerifyElf::VerifyAppPkcs7(Pkcs7Context& pkcs7Context, const unsigned char* pkcs7Block, uint32_t pkcs7Len) -{ - // const unsigned char* pkcs7Block = reinterpret_cast(hapSignatureBlock.GetBufferPtr()); - // uint32_t pkcs7Len = static_cast(hapSignatureBlock.GetCapacity()); - if (!VerifyHapOpensslUtils::ParsePkcs7Package(pkcs7Block, pkcs7Len, pkcs7Context)) { - SIGNATURE_TOOLS_LOGE("parse pkcs7 failed"); + PKCS7* p7 = d2i_PKCS7(nullptr, &signData, signInfo->signSize); + if (p7 == nullptr || !PKCS7_type_is_signed(p7) || p7->d.sign == nullptr) { + SIGNATURE_TOOLS_LOGE("sign data to pcs7 failed"); return false; } - if (!VerifyHapOpensslUtils::GetCertChains(pkcs7Context.p7, pkcs7Context)) { - SIGNATURE_TOOLS_LOGE("GetCertChains from pkcs7 failed"); + if (!VerifyHapOpensslUtils::GetCertChains(p7, pkcs7Context)) { + SIGNATURE_TOOLS_LOGE("GetCertChains form pkcs7 failed"); return false; } - if (!VerifyHapOpensslUtils::VerifyPkcs7(pkcs7Context)) { - SIGNATURE_TOOLS_LOGE("verify signature failed"); + if (!PrintCertChainToCmd(pkcs7Context.certChain[0])) { + SIGNATURE_TOOLS_LOGE("print cert chain to cmd failed"); return false; } return true; -- Gitee From a6b51b79168fed7847b71f6186ba8e9a263fbd9d Mon Sep 17 00:00:00 2001 From: zfeixiang Date: Fri, 4 Jul 2025 17:05:53 +0800 Subject: [PATCH 5/9] print elf signature info Signed-off-by: zfeixiang --- binary_sign_tool/hap/verify/src/verify_elf.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/binary_sign_tool/hap/verify/src/verify_elf.cpp b/binary_sign_tool/hap/verify/src/verify_elf.cpp index 70b14c00..59599120 100644 --- a/binary_sign_tool/hap/verify/src/verify_elf.cpp +++ b/binary_sign_tool/hap/verify/src/verify_elf.cpp @@ -71,7 +71,7 @@ bool VerifyElf::ParseSignBlock(const ELFIO::elfio& elfReader) const ElfSignInfo* signInfo = reinterpret_cast(data); if ((signInfo->flags & FLAG_SELF_SIGN) == FLAG_SELF_SIGN) { PrintMsg("codesign is self-sign"); - return false; + return true; } Pkcs7Context pkcs7Context; auto signData = reinterpret_cast(signInfo->signature); -- Gitee From e05172222b08b6910dec0af346927a19e88f3ac0 Mon Sep 17 00:00:00 2001 From: zfeixiang Date: Fri, 4 Jul 2025 18:23:30 +0800 Subject: [PATCH 6/9] print elf signature info Signed-off-by: zfeixiang --- binary_sign_tool/cmd/src/params_run_tool.cpp | 2 ++ binary_sign_tool/hap/provider/include/sign_provider.h | 1 + binary_sign_tool/hap/sign/src/sign_elf.cpp | 1 + 3 files changed, 4 insertions(+) diff --git a/binary_sign_tool/cmd/src/params_run_tool.cpp b/binary_sign_tool/cmd/src/params_run_tool.cpp index 682d8864..4867105d 100644 --- a/binary_sign_tool/cmd/src/params_run_tool.cpp +++ b/binary_sign_tool/cmd/src/params_run_tool.cpp @@ -16,6 +16,8 @@ #include "params_run_tool.h" #include #include +#include + #include "constant.h" #include "help.h" diff --git a/binary_sign_tool/hap/provider/include/sign_provider.h b/binary_sign_tool/hap/provider/include/sign_provider.h index 6bbd6424..7a3a76b8 100644 --- a/binary_sign_tool/hap/provider/include/sign_provider.h +++ b/binary_sign_tool/hap/provider/include/sign_provider.h @@ -21,6 +21,7 @@ #include #include #include +#include #include #include #include diff --git a/binary_sign_tool/hap/sign/src/sign_elf.cpp b/binary_sign_tool/hap/sign/src/sign_elf.cpp index 97088921..810abe5a 100644 --- a/binary_sign_tool/hap/sign/src/sign_elf.cpp +++ b/binary_sign_tool/hap/sign/src/sign_elf.cpp @@ -14,6 +14,7 @@ */ #include "sign_elf.h" +#include #include #include "file_utils.h" -- Gitee From 00d2228d04788e7e4ff77631e4f7a9df427c6120 Mon Sep 17 00:00:00 2001 From: zfeixiang Date: Sat, 5 Jul 2025 14:26:57 +0800 Subject: [PATCH 7/9] print elf signature info Signed-off-by: zfeixiang --- binary_sign_tool/api/src/sign_tool_service_impl.cpp | 1 - binary_sign_tool/cmd/include/help.h | 10 +++++----- binary_sign_tool/common/include/constant.h | 2 +- binary_sign_tool/hap/verify/src/verify_elf.cpp | 4 ++-- 4 files changed, 8 insertions(+), 9 deletions(-) diff --git a/binary_sign_tool/api/src/sign_tool_service_impl.cpp b/binary_sign_tool/api/src/sign_tool_service_impl.cpp index 596b8e44..3d4123f7 100644 --- a/binary_sign_tool/api/src/sign_tool_service_impl.cpp +++ b/binary_sign_tool/api/src/sign_tool_service_impl.cpp @@ -79,7 +79,6 @@ bool SignToolServiceImpl::Verify(Options* option) { VerifyElf verifyElf; if (!verifyElf.Verify(option)) { - PrintErrorNumberMsg("VERIFY_ERROR", VERIFY_ERROR, "elf verify failed!"); return false; } return true; diff --git a/binary_sign_tool/cmd/include/help.h b/binary_sign_tool/cmd/include/help.h index ab40041b..74080d8c 100644 --- a/binary_sign_tool/cmd/include/help.h +++ b/binary_sign_tool/cmd/include/help.h @@ -24,7 +24,7 @@ namespace OHOS { namespace SignatureTools { const std::string HELP_TXT_HEADER = R"( -USAGE: [options] +USAGE: [options] )"; const std::string SIGN_HELP_TXT = R"( @@ -55,17 +55,17 @@ const std::string SIGN_HELP_TXT = R"( )"; const std::string VERIFY_HELP_TXT = R"( - verify[options]: - -inFile : verify elf file, required fields; + display-sign[options]: + -inFile : display-sign elf file sign information, required fields; EXAMPLE: - verify -inFile "/home/app1-signed.hap" + display-sign -inFile "/home/app1-signed.hap" )"; const std::string HELP_END_TXT = R"( COMMANDS : sign : elf file signature - verify : elf file verification + display-sign : elf file verification )"; /* help.txt all content */ const std::string HELP_TXT = HELP_TXT_HEADER + SIGN_HELP_TXT + VERIFY_HELP_TXT + HELP_END_TXT; diff --git a/binary_sign_tool/common/include/constant.h b/binary_sign_tool/common/include/constant.h index 9b06b5ef..e162cb0c 100644 --- a/binary_sign_tool/common/include/constant.h +++ b/binary_sign_tool/common/include/constant.h @@ -75,7 +75,7 @@ const std::string GENERATE_CERT = "generate-cert"; const std::string GENERATE_APP_CERT = "generate-app-cert"; const std::string GENERATE_PROFILE_CERT = "generate-profile-cert"; const std::string SIGN_ELF = "sign"; -const std::string VERIFY_ELF = "verify"; +const std::string VERIFY_ELF = "display-sign"; const std::string SIGN_PROFILE = "sign-profile"; const std::string VERIFY_APP = "verify-app"; const std::string VERIFY_PROFILE = "verify-profile"; diff --git a/binary_sign_tool/hap/verify/src/verify_elf.cpp b/binary_sign_tool/hap/verify/src/verify_elf.cpp index 59599120..77fdaa6e 100644 --- a/binary_sign_tool/hap/verify/src/verify_elf.cpp +++ b/binary_sign_tool/hap/verify/src/verify_elf.cpp @@ -53,8 +53,8 @@ bool VerifyElf::ParseSignBlock(const ELFIO::elfio& elfReader) { ELFIO::section* sec = elfReader.sections[codesignSec]; if (!sec) { - PrintErrorNumberMsg("VERIFY_ERROR", VERIFY_ERROR, "codesign is not found"); - return false; + PrintMsg("codesign is not found"); + return true; } ELFIO::Elf64_Off secOffElf64 = sec->get_offset(); uint64_t secOff = static_cast(secOffElf64); -- Gitee From 18dc47897f8ecd04cccaafafcf2c9711d14ef72c Mon Sep 17 00:00:00 2001 From: zfeixiang Date: Sat, 5 Jul 2025 17:49:57 +0800 Subject: [PATCH 8/9] print elf signature info Signed-off-by: zfeixiang --- README_ZH.md | 26 ++++++++++++++----- binary_sign_tool/cmd/include/help.h | 12 ++++----- binary_sign_tool/cmd/src/params_run_tool.cpp | 2 -- .../hap/verify/include/verify_elf.h | 2 +- .../hap/verify/src/verify_elf.cpp | 10 +++---- 5 files changed, 30 insertions(+), 22 deletions(-) diff --git a/README_ZH.md b/README_ZH.md index 90bb5e1d..faea57dc 100644 --- a/README_ZH.md +++ b/README_ZH.md @@ -432,7 +432,14 @@ Profile签名证书:OpenHarmonyProfileRelease.pem、OpenHarmonyProfileDebug.pe (1)二进制签名工具(binary-sign-tool)的命令实例如下: ```shell -binary-sign-tool sign -keyAlias "oh-app1-key-v1" -signAlg "SHA256withECDSA" -appCertFile "result\app1.pem" -profileFile "result\app1-profile.p7b" -profileSigned "1" -inFile "app1-unsigned.zip" -keystoreFile "result\ohtest.p12" -outFile "result\app1-unsigned.hap" -keyPwd "123456" -keystorePwd "123456" -moduleFile "module.json" -adHoc "1" +// 证书签名 +binary-sign-tool sign -keyAlias "oh-app1-key-v1" -signAlg "SHA256withECDSA" -appCertFile "result\app1.pem" -profileFile "result\app1-profile.p7b" -profileSigned "1" -inFile "unsigned.elf" -keystoreFile "result\ohtest.p12" -outFile "signed.elf" -keyPwd "123456" -keystorePwd "123456" -moduleFile "module.json" + +// 本机自签名 +binary-sign-tool sign -inFile "unsigned.elf" -outFile "signed.elf" -selfSign "1" + +// 输出二进制文件签名信息 +binary-sign-tool display-sign -inFile "signed.elf" ``` 上述命令的参数说明如下: @@ -440,16 +447,16 @@ binary-sign-tool sign -keyAlias "oh-app1-key-v1" -signAlg "SHA256withECDSA" -app sign : 二进制文件签名 ├── -keyAlias #密钥别名,必填项,不区分大小写 ├── -keyPwd #密钥口令,可选项 - ├── -appCertFile #应用签名证书文件(证书链,顺序为实体证书-中间CA证书-根证书),必填项 + ├── -appCertFile #签名证书文件(证书链,顺序为实体证书-中间CA证书-根证书),必填项 ├── -profileFile #签名后的Provision Profile文件名,p7b格式,可选项 ├── -profileSigned #指示profile文件是否带有签名,1表示有签名,0表示没有签名,默认为1。可选项 ├── -inFile #输入的原始elf文件,必填项 ├── -signAlg #签名算法,必填项,包括SHA256withECDSA / SHA384withECDSA - ├── -keystoreFile #密钥库文件,非adHoc模式时为必填项 + ├── -keystoreFile #密钥库文件,非自签名模式时为必填项 ├── -keystorePwd #密钥库口令,可选项 ├── -outFile #输出签名后文件,必填项 ├── -moduleFile #权限module.json文件,可选项 - ├── -adHoc #是否本机调试模式,1表示开启,可选项。 + ├── -selfSign #是否本机调试模式,1表示开启,可选项。 ##### 接口说明 @@ -458,16 +465,21 @@ binary-sign-tool sign -keyAlias "oh-app1-key-v1" -signAlg "SHA256withECDSA" -app sign : 二进制文件签名 ├── -keyAlias #密钥别名,必填项,不区分大小写 ├── -keyPwd #密钥口令,可选项 - ├── -appCertFile #应用签名证书文件(证书链,顺序为实体证书-中间CA证书-根证书),必填项 + ├── -appCertFile #签名证书文件(证书链,顺序为实体证书-中间CA证书-根证书),必填项 ├── -profileFile #签名后的Provision Profile文件名,p7b格式,可选项 ├── -profileSigned #指示profile文件是否带有签名,1表示有签名,0表示没有签名,默认为1。可选项 ├── -inFile #输入的原始elf文件,必填项 ├── -signAlg #签名算法,必填项,包括SHA256withECDSA / SHA384withECDSA - ├── -keystoreFile #密钥库文件,非adHoc模式时为必填项 + ├── -keystoreFile #密钥库文件,非自签名模式时为必填项 ├── -keystorePwd #密钥库口令,可选项 ├── -outFile #输出签名后文件,必填项 ├── -moduleFile #权限module.json文件,可选项 - ├── -adHoc #是否本机调试模式,1表示开启,可选项。 + ├── -selfSign #是否本机调试模式,1表示开启,可选项。 + +2.输出二进制文件签名信息 + + display-sign : 二进制文件签名 + ├── -inFile #输入的已签名elf文件,必填项 #### 相关仓 不涉及 diff --git a/binary_sign_tool/cmd/include/help.h b/binary_sign_tool/cmd/include/help.h index 74080d8c..84fa66fb 100644 --- a/binary_sign_tool/cmd/include/help.h +++ b/binary_sign_tool/cmd/include/help.h @@ -42,16 +42,14 @@ const std::string SIGN_HELP_TXT = R"( JKS or P12 format; -keystorePwd : keystore password, optional fields on localSign mode; -outFile : output the signed Provision Profile file, required fields; - application package file format is hap; - -moduleFile : module.json file. - -selfSign : Whether the HAP file is self sign, The value 1 means enable self sign, and value 0 means disable self sign. + -selfSign : Whether the elf file is self sign, The value 1 means enable self sign, and value 0 means disable. The default value is 0. It is optional. EXAMPLE : sign -keyAlias "oh-app1-key-v1" -appCertFile "/home/app-release-cert.cer" -signCode "1" --keystoreFile "/home/app-keypair.jks" -keystorePwd ****** -outFile "/home/app1-signed.hap --profileFile "/home/signed-profile.p7b" -inFile "/home/app1-unsigned.hap" -signAlg SHA256withECDSA +-keystoreFile "/home/app-keypair.jks" -keystorePwd ****** -outFile "signed.elf" +-profileFile "/home/signed-profile.p7b" -inFile "unsigned.elf" -signAlg SHA256withECDSA )"; const std::string VERIFY_HELP_TXT = R"( @@ -59,13 +57,13 @@ const std::string VERIFY_HELP_TXT = R"( -inFile : display-sign elf file sign information, required fields; EXAMPLE: - display-sign -inFile "/home/app1-signed.hap" + display-sign -inFile "signed.elf" )"; const std::string HELP_END_TXT = R"( COMMANDS : sign : elf file signature - display-sign : elf file verification + display-sign : display elf file signature )"; /* help.txt all content */ const std::string HELP_TXT = HELP_TXT_HEADER + SIGN_HELP_TXT + VERIFY_HELP_TXT + HELP_END_TXT; diff --git a/binary_sign_tool/cmd/src/params_run_tool.cpp b/binary_sign_tool/cmd/src/params_run_tool.cpp index 4867105d..43026041 100644 --- a/binary_sign_tool/cmd/src/params_run_tool.cpp +++ b/binary_sign_tool/cmd/src/params_run_tool.cpp @@ -53,14 +53,12 @@ bool ParamsRunTool::ProcessCmd(char** args, size_t size) PrintMsg(param->GetMethod() + " failed"); return false; } - PrintMsg("Start " + param->GetMethod()); SIGNATURE_TOOLS_LOGD("%s run start time ", param->GetMethod().c_str()); if (!DispatchParams(param, *serviceApi)) { SIGNATURE_TOOLS_LOGD("%s run end time ", param->GetMethod().c_str()); PrintMsg(param->GetMethod() + " failed"); return false; } - PrintMsg(param->GetMethod() + " success"); SIGNATURE_TOOLS_LOGD("%s run end time ", param->GetMethod().c_str()); } return true; diff --git a/binary_sign_tool/hap/verify/include/verify_elf.h b/binary_sign_tool/hap/verify/include/verify_elf.h index 1de0ac3c..d7ac9f07 100644 --- a/binary_sign_tool/hap/verify/include/verify_elf.h +++ b/binary_sign_tool/hap/verify/include/verify_elf.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2024-2024 Huawei Device Co., Ltd. + * Copyright (c) 2025-2025 Huawei Device Co., Ltd. * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at diff --git a/binary_sign_tool/hap/verify/src/verify_elf.cpp b/binary_sign_tool/hap/verify/src/verify_elf.cpp index 77fdaa6e..7ce57d52 100644 --- a/binary_sign_tool/hap/verify/src/verify_elf.cpp +++ b/binary_sign_tool/hap/verify/src/verify_elf.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2024-2024 Huawei Device Co., Ltd. + * Copyright (c) 2025-2025 Huawei Device Co., Ltd. * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at @@ -53,24 +53,24 @@ bool VerifyElf::ParseSignBlock(const ELFIO::elfio& elfReader) { ELFIO::section* sec = elfReader.sections[codesignSec]; if (!sec) { - PrintMsg("codesign is not found"); + PrintMsg("code signature is not found"); return true; } ELFIO::Elf64_Off secOffElf64 = sec->get_offset(); uint64_t secOff = static_cast(secOffElf64); if (secOff % PAGE_SIZE != 0) { - SIGNATURE_TOOLS_LOGE("codesign section offset is not aligned"); + SIGNATURE_TOOLS_LOGE("code signature section offset is not aligned"); return false; } const char* data = sec->get_data(); uint64_t csBlockSize = sec->get_size(); if (csBlockSize == 0 || csBlockSize % PAGE_SIZE != 0) { - SIGNATURE_TOOLS_LOGE("codesign section size is not aligned"); + SIGNATURE_TOOLS_LOGE("code signature section size is not aligned"); return false; } const ElfSignInfo* signInfo = reinterpret_cast(data); if ((signInfo->flags & FLAG_SELF_SIGN) == FLAG_SELF_SIGN) { - PrintMsg("codesign is self-sign"); + PrintMsg("code signature is self-sign"); return true; } Pkcs7Context pkcs7Context; -- Gitee From 91779051d1cd2ba766e60ade8bb3c2e23bccd765 Mon Sep 17 00:00:00 2001 From: zfeixiang Date: Sat, 5 Jul 2025 20:45:18 +0800 Subject: [PATCH 9/9] print elf signature info Signed-off-by: zfeixiang --- README_ZH.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README_ZH.md b/README_ZH.md index faea57dc..4f97fa97 100644 --- a/README_ZH.md +++ b/README_ZH.md @@ -477,8 +477,8 @@ binary-sign-tool display-sign -inFile "signed.elf" ├── -selfSign #是否本机调试模式,1表示开启,可选项。 2.输出二进制文件签名信息 - - display-sign : 二进制文件签名 + + display-sign : 输出二进制文件签名信息 ├── -inFile #输入的已签名elf文件,必填项 #### 相关仓 -- Gitee