From 0b0325d349e46a98aae7582d1e29edac4262d10d Mon Sep 17 00:00:00 2001 From: zhanzeyi Date: Mon, 24 Jul 2023 11:40:33 +0800 Subject: [PATCH 1/3] =?UTF-8?q?=E4=BD=BF=E7=94=A8=E7=AD=BE=E5=90=8D?= =?UTF-8?q?=E6=97=B6=E9=97=B4=E6=A0=A1=E9=AA=8Cprofile=E8=AF=81=E4=B9=A6?= =?UTF-8?q?=EF=BC=8C=E5=8F=AA=E8=A6=81=E7=AD=BE=E5=90=8D=E7=9E=AC=E9=97=B4?= =?UTF-8?q?profile=E6=9C=AA=E8=BF=87=E6=9C=9F=EF=BC=8C=E9=82=A3profile?= =?UTF-8?q?=E5=B0=B1=E5=BA=94=E8=AF=A5=E8=A7=86=E4=B8=BA=E6=9C=89=E6=95=88?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: zhanzeyi --- .../hapsigntool/profile/VerifyHelper.java | 21 ++++++++++++++++++- .../hapsigntool/utils/CertChainUtils.java | 10 ++++----- 2 files changed, 25 insertions(+), 6 deletions(-) diff --git a/hapsigntool/hap_sign_tool_lib/src/main/java/com/ohos/hapsigntool/profile/VerifyHelper.java b/hapsigntool/hap_sign_tool_lib/src/main/java/com/ohos/hapsigntool/profile/VerifyHelper.java index 54944b4b..fc507055 100644 --- a/hapsigntool/hap_sign_tool_lib/src/main/java/com/ohos/hapsigntool/profile/VerifyHelper.java +++ b/hapsigntool/hap_sign_tool_lib/src/main/java/com/ohos/hapsigntool/profile/VerifyHelper.java @@ -26,6 +26,10 @@ import com.ohos.hapsigntool.utils.FileUtils; import com.ohos.hapsigntool.utils.ValidateUtils; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; +import org.bouncycastle.asn1.ASN1Encodable; +import org.bouncycastle.asn1.ASN1Set; +import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; +import org.bouncycastle.asn1.x509.Time; import org.bouncycastle.cert.X509CertificateHolder; import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter; import org.bouncycastle.cms.CMSException; @@ -44,10 +48,13 @@ import java.security.Signature; import java.security.SignatureException; import java.security.cert.CertificateException; import java.security.cert.X509Certificate; +import java.time.LocalDateTime; +import java.time.ZoneId; import java.util.ArrayList; import java.util.Collection; import java.util.Iterator; import java.util.List; +import java.util.Date; /** * Signed provision profile verifier. @@ -134,11 +141,23 @@ public class VerifyHelper implements IProvisionVerifier { SignerInformationStore signerInfos = cmsSignedData.getSignerInfos(); Collection signers = signerInfos.getSigners(); + Date signTime = Date.from(LocalDateTime.now().atZone(ZoneId.systemDefault()).toInstant()); + for (SignerInformation signer : signers) { SignerId sid = signer.getSID(); + + ASN1Set attrValues = signer.getSignedAttributes().get(PKCSObjectIdentifiers.pkcs_9_at_signingTime) + .getAttrValues(); + + if (attrValues.size() > 0) { + ASN1Encodable objectAt = attrValues.getObjectAt(0); + signTime = Time.getInstance(objectAt).getDate(); + } else { + LOGGER.warn("get sign time false, use local datetime verify cert chain"); + } X500Principal principal = new X500Principal(sid.getIssuer().getEncoded()); CertChainUtils.verifyCertChain(certificates, principal, sid.getSerialNumber(), - certificates.get(certificates.size() - 1)); + certificates.get(certificates.size() - 1), signTime); } result.setContent(FileUtils.GSON.fromJson(new String((byte[]) (cmsSignedData diff --git a/hapsigntool/hap_sign_tool_lib/src/main/java/com/ohos/hapsigntool/utils/CertChainUtils.java b/hapsigntool/hap_sign_tool_lib/src/main/java/com/ohos/hapsigntool/utils/CertChainUtils.java index 8ef733ca..7bfb0653 100644 --- a/hapsigntool/hap_sign_tool_lib/src/main/java/com/ohos/hapsigntool/utils/CertChainUtils.java +++ b/hapsigntool/hap_sign_tool_lib/src/main/java/com/ohos/hapsigntool/utils/CertChainUtils.java @@ -59,7 +59,7 @@ public class CertChainUtils { } private static CertPath getCertPath(List certificates, KeyStore trustStore, X500Principal issuer, - BigInteger serial) throws KeyStoreException, InvalidAlgorithmParameterException, + BigInteger serial, Date signTime) throws KeyStoreException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, CertPathBuilderException, CertificateException { if (certificates.size() != 1 && (issuer != null || serial != null)) { X509CertSelector targetCertSelector = new X509CertSelector(); @@ -69,7 +69,7 @@ public class CertChainUtils { CertStore certStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(certificates)); params.addCertStore(certStore); - params.setDate(Date.from(LocalDateTime.now().atZone(ZoneId.systemDefault()).toInstant())); + params.setDate(signTime); params.setRevocationEnabled(false); CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX"); PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult) certPathBuilder.build(params); @@ -90,15 +90,15 @@ public class CertChainUtils { * @param root root cert */ public static void verifyCertChain(List certificates, X500Principal issuer, BigInteger serial, - X509Certificate root) { + X509Certificate root, Date signTime) { try { KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType()); trustStore.load(null, null); trustStore.setCertificateEntry("root", root); - CertPath certPath = getCertPath(certificates, trustStore, issuer, serial); + CertPath certPath = getCertPath(certificates, trustStore, issuer, serial, signTime); PKIXParameters params = new PKIXParameters(trustStore); params.setRevocationEnabled(false); - params.setDate(Date.from(LocalDateTime.now().atZone(ZoneId.systemDefault()).toInstant())); + params.setDate(signTime); CertStore certStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters()); params.addCertStore(certStore); CertPathValidator validator = CertPathValidator.getInstance("PKIX"); -- Gitee From 1970b5f2382e15a0819c52d5e55a773822bada59 Mon Sep 17 00:00:00 2001 From: zhanzeyi Date: Mon, 24 Jul 2023 11:50:34 +0800 Subject: [PATCH 2/3] =?UTF-8?q?=E6=A0=A1=E9=AA=8Cprofile=E6=97=B6=EF=BC=8C?= =?UTF-8?q?=E8=BE=93=E5=87=BA=E5=AD=97=E6=AE=B5=E4=B8=8Eprofile=E6=A0=BC?= =?UTF-8?q?=E5=BC=8F=E8=A7=A3=E8=80=A6?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: zhanzeyi --- .../java/com/ohos/hapsigntool/profile/VerifyHelper.java | 9 ++------- .../hapsigntool/profile/model/VerificationResult.java | 8 +++++--- 2 files changed, 7 insertions(+), 10 deletions(-) diff --git a/hapsigntool/hap_sign_tool_lib/src/main/java/com/ohos/hapsigntool/profile/VerifyHelper.java b/hapsigntool/hap_sign_tool_lib/src/main/java/com/ohos/hapsigntool/profile/VerifyHelper.java index fc507055..a1950781 100644 --- a/hapsigntool/hap_sign_tool_lib/src/main/java/com/ohos/hapsigntool/profile/VerifyHelper.java +++ b/hapsigntool/hap_sign_tool_lib/src/main/java/com/ohos/hapsigntool/profile/VerifyHelper.java @@ -18,7 +18,6 @@ package com.ohos.hapsigntool.profile; import com.ohos.hapsigntool.error.CustomException; import com.ohos.hapsigntool.error.ERROR; import com.ohos.hapsigntool.hap.verify.VerifyUtils; -import com.ohos.hapsigntool.profile.model.Provision; import com.ohos.hapsigntool.profile.model.VerificationResult; import com.ohos.hapsigntool.utils.CertChainUtils; import com.ohos.hapsigntool.utils.CertUtils; @@ -50,11 +49,7 @@ import java.security.cert.CertificateException; import java.security.cert.X509Certificate; import java.time.LocalDateTime; import java.time.ZoneId; -import java.util.ArrayList; -import java.util.Collection; -import java.util.Iterator; -import java.util.List; -import java.util.Date; +import java.util.*; /** * Signed provision profile verifier. @@ -161,7 +156,7 @@ public class VerifyHelper implements IProvisionVerifier { } result.setContent(FileUtils.GSON.fromJson(new String((byte[]) (cmsSignedData - .getSignedContent().getContent()), StandardCharsets.UTF_8), Provision.class)); + .getSignedContent().getContent()), StandardCharsets.UTF_8), Map.class)); result.setMessage("OK"); result.setVerifiedPassed(true); return result; diff --git a/hapsigntool/hap_sign_tool_lib/src/main/java/com/ohos/hapsigntool/profile/model/VerificationResult.java b/hapsigntool/hap_sign_tool_lib/src/main/java/com/ohos/hapsigntool/profile/model/VerificationResult.java index f1dbc98a..ce6c50b3 100644 --- a/hapsigntool/hap_sign_tool_lib/src/main/java/com/ohos/hapsigntool/profile/model/VerificationResult.java +++ b/hapsigntool/hap_sign_tool_lib/src/main/java/com/ohos/hapsigntool/profile/model/VerificationResult.java @@ -15,6 +15,8 @@ package com.ohos.hapsigntool.profile.model; +import java.util.Map; + /** * VerificationResult. * @@ -34,7 +36,7 @@ public class VerificationResult { /** * Field content. */ - private Provision content; + private Map content; public boolean isVerifiedPassed() { return verifiedPassed; @@ -52,11 +54,11 @@ public class VerificationResult { this.message = string; } - public Provision getContent() { + public Map getContent() { return content; } - public void setContent(Provision provision) { + public void setContent(Map provision) { this.content = provision; } -- Gitee From ff75c049b00dda7fbac9207b0294379851798b14 Mon Sep 17 00:00:00 2001 From: zhanzeyi Date: Mon, 24 Jul 2023 11:52:37 +0800 Subject: [PATCH 3/3] =?UTF-8?q?=E6=A0=A1=E9=AA=8Cprofile=E6=97=B6=EF=BC=8C?= =?UTF-8?q?=E8=BE=93=E5=87=BA=E5=AD=97=E6=AE=B5=E4=B8=8Eprofile=E6=A0=BC?= =?UTF-8?q?=E5=BC=8F=E8=A7=A3=E8=80=A6?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: zhanzeyi --- .../java/com/ohos/hapsigntool/profile/VerifyHelper.java | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/hapsigntool/hap_sign_tool_lib/src/main/java/com/ohos/hapsigntool/profile/VerifyHelper.java b/hapsigntool/hap_sign_tool_lib/src/main/java/com/ohos/hapsigntool/profile/VerifyHelper.java index a1950781..c2c68463 100644 --- a/hapsigntool/hap_sign_tool_lib/src/main/java/com/ohos/hapsigntool/profile/VerifyHelper.java +++ b/hapsigntool/hap_sign_tool_lib/src/main/java/com/ohos/hapsigntool/profile/VerifyHelper.java @@ -49,7 +49,12 @@ import java.security.cert.CertificateException; import java.security.cert.X509Certificate; import java.time.LocalDateTime; import java.time.ZoneId; -import java.util.*; +import java.util.ArrayList; +import java.util.Collection; +import java.util.Iterator; +import java.util.List; +import java.util.Map; +import java.util.Date; /** * Signed provision profile verifier. -- Gitee