diff --git a/BUILD.gn b/BUILD.gn
index 0968a5e4bb474d9459da3cd63c47fdad2c2e2d52..03d0a113363639d55bda208320e523a8d52cfcb2 100644
--- a/BUILD.gn
+++ b/BUILD.gn
@@ -27,8 +27,10 @@ group("appverify_components") {
 deps = [
 "//base/security/appverify/interfaces/innerkits/appverify:libhapverify",
 "//base/security/appverify/interfaces/innerkits/appverify/config:trusted_apps_sources",
+ "//base/security/appverify/interfaces/innerkits/appverify/config:trusted_apps_sources_oh",
 "//base/security/appverify/interfaces/innerkits/appverify/config:trusted_apps_sources_test",
 "//base/security/appverify/interfaces/innerkits/appverify/config:trusted_root_ca",
+ "//base/security/appverify/interfaces/innerkits/appverify/config:trusted_root_ca_oh",
 "//base/security/appverify/interfaces/innerkits/appverify/config:trusted_root_ca_test",
 "//base/security/appverify/interfaces/innerkits/appverify/config:trusted_tickets_sources",
 ]
diff --git a/interfaces/innerkits/appverify/config/BUILD.gn b/interfaces/innerkits/appverify/config/BUILD.gn
index 9dd27f377f944b85c6c4fa0016d6a9fdc24aafa3..6cf665df49676aea5a8a1c1998fd08581587f447 100644
--- a/interfaces/innerkits/appverify/config/BUILD.gn
+++ b/interfaces/innerkits/appverify/config/BUILD.gn
@@ -14,11 +14,15 @@
 import("//build/ohos.gni")
 ohos_prebuilt_etc("trusted_apps_sources") {
- if (build_public_version) {
- source = "OpenHarmony/trusted_apps_sources.json"
- } else {
- source = "trusted_apps_sources.json"
- }
+ source = "trusted_apps_sources.json"
+ part_name = "appverify"
+ subsystem_name = "security"
+ relative_install_dir = "security"
+}
+
+ohos_prebuilt_etc("trusted_apps_sources_oh") {
+ source = "OpenHarmony/trusted_apps_sources.json"
+ output = "trusted_apps_sources_oh.json"
 part_name = "appverify"
 subsystem_name = "security"
 relative_install_dir = "security"
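Review bot: With the `build_public_version` branch removed from `trusted_apps_sources` (and from `trusted_root_ca` in the next hunk of this file), both the default and the `OpenHarmony/` trust lists are installed under `security` on every build, so the choice of trusted roots and app sources moves from build time to run time. Neither target says which loader is meant to read which file. I would add a comment above each `_oh` target, for example `# Installed next to trusted_apps_sources.json; read by TrustedSourceManager::Init(), while InitNotRd() reads the default file`, so a later edit to either target is reviewed together with the loader that depends on it.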
@@ -32,11 +36,15 @@ ohos_prebuilt_etc("trusted_apps_sources_test") {
 }
 ohos_prebuilt_etc("trusted_root_ca") {
- if (build_public_version) {
- source = "OpenHarmony/trusted_root_ca.json"
- } else {
- source = "trusted_root_ca.json"
- }
+ source = "trusted_root_ca.json"
+ part_name = "appverify"
+ subsystem_name = "security"
+ relative_install_dir = "security"
+}
+
+ohos_prebuilt_etc("trusted_root_ca_oh") {
+ source = "OpenHarmony/trusted_root_ca.json"
+ output = "trusted_root_ca_oh.json"
 part_name = "appverify"
 subsystem_name = "security"
 relative_install_dir = "security"
diff --git a/interfaces/innerkits/appverify/include/init/trusted_root_ca.h b/interfaces/innerkits/appverify/include/init/trusted_root_ca.h
index c0dac142fbf870940a9d3517f5b43440ea1a99ac..6ff3d7f32eb367f7d0e70e0006a753feffc68332 100644
--- a/interfaces/innerkits/appverify/include/init/trusted_root_ca.h
+++ b/interfaces/innerkits/appverify/include/init/trusted_root_ca.h
@@ -33,6 +33,7 @@ class TrustedRootCa {
 public:
 DLL_EXPORT static TrustedRootCa& GetInstance();
 DLL_EXPORT bool Init();
+ DLL_EXPORT bool InitNotRd();
 DLL_EXPORT void Recovery();
 DLL_EXPORT bool EnableDebug();
 DLL_EXPORT void DisableDebug();
@@ -47,11 +48,13 @@ private:
 TrustedRootCa(const TrustedRootCa& trustedRoot) = delete;
 TrustedRootCa& operator = (const TrustedRootCa& trustedRoot) = delete;
+ DLL_EXPORT bool InitByFile(const std::string& filePath);
 DLL_EXPORT bool GetTrustedRootCAFromJson(StringCertMap& rootCertMap, const std::string& filePath);
 X509* FindMatchedRoot(const StringCertMap& rootCertMap, X509* caCert);
 private:
 static const std::string TRUSTED_ROOT_CA_FILE_PATH;
+ static const std::string TRUSTED_ROOT_CA_OH_FILE_PATH;
 static const std::string TRUSTED_ROOT_CA_TEST_FILE_PATH;
 StringCertMap rootCerts;
 StringCertMap rootCertsForTest;
diff --git a/interfaces/innerkits/appverify/include/init/trusted_source_manager.h b/interfaces/innerkits/appverify/include/init/trusted_source_manager.h
index 22f693f20b1edcdebf87172839c8e096759da2ef..beebd2c1f844d6e47b91c1bbb79ef0b20754c572 100644
--- a/interfaces/innerkits/appverify/include/init/trusted_source_manager.h
+++ b/interfaces/innerkits/appverify/include/init/trusted_source_manager.h
@@ -43,6 +43,7 @@ class TrustedSourceManager {
 public:
 DLL_EXPORT static TrustedSourceManager& GetInstance();
 DLL_EXPORT bool Init();
+ DLL_EXPORT bool InitNotRd();
 DLL_EXPORT void Recovery();
 DLL_EXPORT bool EnableDebug();
 DLL_EXPORT void DisableDebug();
@@ -56,7 +57,7 @@ private:
 /* Forbid external replication constructs and external replication */
 TrustedSourceManager(const TrustedSourceManager& trustedSource) = delete;
 TrustedSourceManager& operator = (const TrustedSourceManager& trustedSource) = delete;
-
+ DLL_EXPORT bool InitByFile(const std::string& filePath);
 bool GetAppTrustedSources(SourceInfoVec& trustedAppSources, std::string& souucesVersion, std::string& souucesReleaseTime, const std::string& filePath);
 bool ParseTrustedAppSourceJson(SourceInfoVec& trustedAppSources, const JsonObjVec& trustedAppSourceJson);
@@ -70,6 +71,7 @@ private:
 private:
 static const std::string APP_TRUSTED_SOURCE_FILE_PATH;
+ static const std::string APP_TRUSTED_SOURCE_OH_FILE_PATH;
 static const std::string APP_TRUSTED_SOURCE_TEST_FILE_PATH;
 static const std::string KEY_OF_APP_TRUSTED_SOURCE;
 static const std::string KEY_OF_APP_TRUSTED_SOURCE_VERSION;
diff --git a/interfaces/innerkits/appverify/include/interfaces/hap_verify.h b/interfaces/innerkits/appverify/include/interfaces/hap_verify.h
index 4cc94611bbe34caceef768a0850386b78dfa3eaf..a8d86b9755f204c4710c268604114147cc29ac35 100644
--- a/interfaces/innerkits/appverify/include/interfaces/hap_verify.h
+++ b/interfaces/innerkits/appverify/include/interfaces/hap_verify.h
@@ -27,6 +27,7 @@ namespace Verify {
 DLL_EXPORT bool EnableDebugMode();
 DLL_EXPORT void DisableDebugMode();
 DLL_EXPORT int32_t HapVerify(const std::string& filePath, HapVerifyResult& hapVerifyResult);
+DLL_EXPORT int32_t HapVerifyNotRd(const std::string& filePath, HapVerifyResult& hapVerifyResult);
 DLL_EXPORT int32_t ParseHapProfile(const std::string& filePath, HapVerifyResult& hapVerifyV1Result);
 DLL_EXPORT int32_t ParseHapSignatureInfo(const std::string& filePath, SignatureInfo &hapSignInfo);
 DLL_EXPORT void SetDevMode(DevMode devMode);
diff --git a/interfaces/innerkits/appverify/include/provision/provision_verify.h b/interfaces/innerkits/appverify/include/provision/provision_verify.h
index 2d0a62f988fd5f5e20b89e0a039381db8e1cfe7c..eb31098059c2a806e0e647d23707634d9ff47a8f 100644
--- a/interfaces/innerkits/appverify/include/provision/provision_verify.h
+++ b/interfaces/innerkits/appverify/include/provision/provision_verify.h
@@ -56,6 +56,8 @@ DLL_EXPORT AppProvisionVerifyResult ParseProvision(const std::string& appProvisi
 DLL_EXPORT AppProvisionVerifyResult ParseProfile(const std::string& appProvision, ProvisionInfo& info);
 DLL_EXPORT void SetRdDevice(bool isRdDevice);
+
+DLL_EXPORT bool GetRdDevice();
 } // namespace Verify
 } // namespace Security
 } // namespace OHOS
diff --git a/interfaces/innerkits/appverify/src/init/trusted_root_ca.cpp b/interfaces/innerkits/appverify/src/init/trusted_root_ca.cpp
index 90bebfe8fe061bdc2a18c01b57271041bfa35945..a1cda75a60eeefb1366d2b9df32b299f3e4d462f 100644
--- a/interfaces/innerkits/appverify/src/init/trusted_root_ca.cpp
+++ b/interfaces/innerkits/appverify/src/init/trusted_root_ca.cpp
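Review bot: The provision_verify.h hunk exports `GetRdDevice()`, but the only accessor this commit defines in provision_verify.cpp is `bool IsRdDevice()`, so in the visible hunks the declared symbol has no definition and the defined one has no declaration. Unless a definition exists outside these hunks, any caller of `GetRdDevice()` fails at link time and `IsRdDevice()` cannot be reached through this header. Use one name on both sides, for example by changing the declaration to `DLL_EXPORT bool IsRdDevice();`. The `#include "provision/provision_verify.h"` lines added to trusted_root_ca.cpp and trusted_source_manager.cpp are not used by anything in their hunks, so if the getter was meant to choose the trust file there, that call appears to be missing.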
@@ -18,12 +18,14 @@
 #include "nlohmann/json.hpp"
 #include "common/hap_verify_log.h"
+#include "provision/provision_verify.h"
 #include "util/hap_cert_verify_openssl_utils.h"
 namespace OHOS {
 namespace Security {
 namespace Verify {
 const std::string TrustedRootCa::TRUSTED_ROOT_CA_FILE_PATH = "/system/etc/security/trusted_root_ca.json";
+const std::string TrustedRootCa::TRUSTED_ROOT_CA_OH_FILE_PATH = "/system/etc/security/trusted_root_ca_oh.json";
 const std::string TrustedRootCa::TRUSTED_ROOT_CA_TEST_FILE_PATH = "/system/etc/security/trusted_root_ca_test.json";
 const std::string OPENHARMONY_CERT = "C=CN, O=OpenHarmony, OU=OpenHarmony Team, CN=OpenHarmony Application Root CA";
@@ -75,19 +77,29 @@ void TrustedRootCa::SetDevMode(DevMode mode)
 devMode = mode;
 }
-bool TrustedRootCa::Init()
+bool TrustedRootCa::InitByFile(const std::string& filePath)
 {
 if (isInit) {
 return true;
 }
- isInit = GetTrustedRootCAFromJson(rootCerts, TRUSTED_ROOT_CA_FILE_PATH);
+ isInit = GetTrustedRootCAFromJson(rootCerts, filePath);
 if (isInit) {
 HAPVERIFY_LOG_INFO("parse root certs success, certs num: %{public}zu", rootCerts.size());
 }
 return isInit;
 }
+bool TrustedRootCa::Init()
+{
+ return InitByFile(TRUSTED_ROOT_CA_OH_FILE_PATH);
+}
+
+bool TrustedRootCa::InitNotRd()
+{
+ return InitByFile(TRUSTED_ROOT_CA_FILE_PATH);
+}
+
 void TrustedRootCa::Recovery()
 {
 for (auto& rootCert : rootCerts) {
diff --git a/interfaces/innerkits/appverify/src/init/trusted_source_manager.cpp b/interfaces/innerkits/appverify/src/init/trusted_source_manager.cpp
index d8e8dc4ed11c7963a218a80d84419746b19bfa34..8a097996549abb6fe4c6bf22fa5575aab76fbca0 100644
--- a/interfaces/innerkits/appverify/src/init/trusted_source_manager.cpp
+++ b/interfaces/innerkits/appverify/src/init/trusted_source_manager.cpp
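Review bot: `TrustedRootCa::InitByFile` returns `true` as soon as `isInit` is set without checking which file filled `rootCerts`, so once `Init()` has loaded `TRUSTED_ROOT_CA_OH_FILE_PATH` a later `InitNotRd()` reports success while the `_oh` roots are still the ones in use, and the reverse holds too. `TrustedSourceManager::InitByFile` in trusted_source_manager.cpp has the same guard. For a trust-anchor store the requested file should be part of the state: keep the loaded path in a member and treat a different `filePath` as a failure or an explicit reload, not as a silent success. `Init()` also changes meaning for existing callers, because it now reads the `_oh` file where it used to read `TRUSTED_ROOT_CA_FILE_PATH`; a comment on both entry points such as `// Loads trusted_root_ca_oh.json; InitNotRd() loads trusted_root_ca.json` would make that visible.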
@@ -18,12 +18,15 @@
 #include "nlohmann/json.hpp"
 #include "common/hap_verify_log.h"
+#include "provision/provision_verify.h"
 namespace OHOS {
 namespace Security {
 namespace Verify {
 const std::string TrustedSourceManager::APP_TRUSTED_SOURCE_FILE_PATH = "/system/etc/security/trusted_apps_sources.json";
+const std::string TrustedSourceManager::APP_TRUSTED_SOURCE_OH_FILE_PATH =
+ "/system/etc/security/trusted_apps_sources_oh.json";
 const std::string TrustedSourceManager::APP_TRUSTED_SOURCE_TEST_FILE_PATH = "/system/etc/security/trusted_apps_sources_test.json";
 const std::string TrustedSourceManager::KEY_OF_APP_TRUSTED_SOURCE = "trust-app-source";
@@ -77,13 +80,13 @@ void TrustedSourceManager::DisableDebug()
 appTrustedSourcesForTest.clear();
 }
-bool TrustedSourceManager::Init()
+bool TrustedSourceManager::InitByFile(const std::string& filePath)
 {
 if (isInit) {
 return true;
 }
- isInit = GetAppTrustedSources(appTrustedSources, version, releaseTime, APP_TRUSTED_SOURCE_FILE_PATH);
+ isInit = GetAppTrustedSources(appTrustedSources, version, releaseTime, filePath);
 if (isInit) {
 HAPVERIFY_LOG_INFO("trusted app source version: %{public}s, releaseTime: %{public}s, Size:"
 " %{public}zu", version.c_str(), releaseTime.c_str(), appTrustedSources.size());
@@ -91,6 +94,16 @@ bool TrustedSourceManager::Init()
 return isInit;
 }
+bool TrustedSourceManager::Init()
+{
+ return InitByFile(APP_TRUSTED_SOURCE_OH_FILE_PATH);
+}
+
+bool TrustedSourceManager::InitNotRd()
+{
+ return InitByFile(APP_TRUSTED_SOURCE_FILE_PATH);
+}
+
 void TrustedSourceManager::Recovery()
 {
 appTrustedSources.clear();
diff --git a/interfaces/innerkits/appverify/src/interfaces/hap_verify.cpp b/interfaces/innerkits/appverify/src/interfaces/hap_verify.cpp
index 316cfc53764dbb42c37df945fb4f503788a7a19d..7cff2f96adcebf9b55c51fbae1388196ce352908 100644
--- a/interfaces/innerkits/appverify/src/interfaces/hap_verify.cpp
+++ b/interfaces/innerkits/appverify/src/interfaces/hap_verify.cpp
@@ -31,7 +31,7 @@ namespace Verify {
 static std::mutex g_mtx;
 static bool g_isInit = false;
-bool HapVerifyInit()
+bool g_hapVerifyInit(std::function initLoader)
 {
 TrustedRootCa& rootCertsObj = TrustedRootCa::GetInstance();
 TrustedSourceManager& trustedAppSourceManager = TrustedSourceManager::GetInstance();
@@ -39,7 +39,7 @@ bool HapVerifyInit()
 DeviceTypeManager& deviceTypeManager = DeviceTypeManager::GetInstance();
 TrustedTicketManager& trustedTicketSourceManager = TrustedTicketManager::GetInstance();
 g_mtx.lock();
- g_isInit = rootCertsObj.Init() && trustedAppSourceManager.Init();
+ g_isInit = initLoader(rootCertsObj, trustedAppSourceManager);
 if (!g_isInit) {
 rootCertsObj.Recovery();
 trustedAppSourceManager.Recovery();
@@ -51,6 +51,21 @@ bool HapVerifyInit()
 return g_isInit;
 }
+bool NotRdInitLoader(TrustedRootCa& rootCertsObj, TrustedSourceManager& trustedAppSourceManager)
+{
+ return rootCertsObj.InitNotRd() && trustedAppSourceManager.InitNotRd();
+}
+
+bool RdInitLoader(TrustedRootCa& rootCertsObj, TrustedSourceManager& trustedAppSourceManager)
+{
+ return rootCertsObj.Init() && trustedAppSourceManager.Init();
+}
+
+bool HapVerifyInit()
+{
+ return g_hapVerifyInit(RdInitLoader);
+}
+
 bool EnableDebugMode()
 {
 TrustedRootCa& rootCertsObj = TrustedRootCa::GetInstance();
@@ -92,6 +107,15 @@ int32_t HapVerify(const std::string& filePath, HapVerifyResult& hapVerifyResult)
 return hapVerifyV2.Verify(filePath, hapVerifyResult);
 }
+int32_t HapVerifyNotRd(const std::string& filePath, HapVerifyResult& hapVerifyResult)
+{
+ if (!g_isInit && !g_hapVerifyInit(NotRdInitLoader)) {
+ return VERIFY_SOURCE_INIT_FAIL;
+ }
+ HapVerifyV2 hapVerifyV2;
+ return hapVerifyV2.Verify(filePath, hapVerifyResult);
+}
+
 int32_t ParseHapProfile(const std::string& filePath, HapVerifyResult& hapVerifyV1Result)
 {
 HapVerifyV2 hapVerifyV2;
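Review bot: In `HapVerifyNotRd` the test `!g_isInit && !g_hapVerifyInit(NotRdInitLoader)` skips the NotRd loader whenever `g_isInit` is already true, so if `HapVerifyInit()` has succeeded earlier in the process the package is verified against whatever `RdInitLoader` loaded and the caller gets no indication of it. `g_isInit` is also read here without holding `g_mtx`, although `g_hapVerifyInit` writes it after `g_mtx.lock()`. I would store which loader succeeded next to `g_isInit`, check it under the lock, and return `VERIFY_SOURCE_INIT_FAIL` when it is not the one requested. Separately, `g_hapVerifyInit` is a function with external linkage that carries the `g_` prefix this file uses for its globals; a `static` helper with a function-style name would read better.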
diff --git a/interfaces/innerkits/appverify/src/provision/provision_verify.cpp b/interfaces/innerkits/appverify/src/provision/provision_verify.cpp
index 2f4a20fa110b4266b726ede9cca1908519f0ed54..8d1f9c00c7a00f8618bb9e091ef012d417687b1f 100644
--- a/interfaces/innerkits/appverify/src/provision/provision_verify.cpp
+++ b/interfaces/innerkits/appverify/src/provision/provision_verify.cpp
@@ -342,6 +342,11 @@ void SetRdDevice(bool isRdDevice)
 g_isRdDevice = isRdDevice;
 }
+bool IsRdDevice()
+{
+ return g_isRdDevice;
+}
+
 AppProvisionVerifyResult ParseAndVerify(const string& appProvision, ProvisionInfo& info)
 {
 HAPVERIFY_LOG_DEBUG("Enter HarmonyAppProvision Verify");