From 616bd526f3deaa0b18ba17245004f5789a07e880 Mon Sep 17 00:00:00 2001
From: Zhou Shihui
Date: Tue, 9 Jul 2024 16:43:58 +0800
Subject: [PATCH] =?UTF-8?q?=E5=A2=9E=E5=8A=A0rootCa=E6=A0=A1=E9=AA=8C?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Zhou Shihui
---
 .../config/OpenHarmony/trusted_apps_sources.json   |  3 +++
 .../appverify/config/trusted_apps_sources.json      |  3 +++
 .../appverify/config/trusted_apps_sources_test.json |  3 +++
 .../appverify/include/init/matching_result.h        |  1 +
 .../appverify/include/init/trusted_source_manager.h |  2 ++
 .../include/util/hap_cert_verify_openssl_utils.h    |  2 +-
 .../innerkits/appverify/include/util/pkcs7_context.h |  1 +
 .../appverify/src/init/trusted_source_manager.cpp   |  7 +++++++
 .../src/util/hap_cert_verify_openssl_utils.cpp      |  8 +++++---
 .../appverify/src/util/hap_verify_openssl_utils.cpp |  2 +-
 .../innerkits/appverify/src/verify/hap_verify_v2.cpp | 12 ++++++++++++
 .../src/hap_cert_verify_openssl_utils_test.cpp      |  7 ++++---
 12 files changed, 43 insertions(+), 8 deletions(-)

diff --git a/interfaces/innerkits/appverify/config/OpenHarmony/trusted_apps_sources.json b/interfaces/innerkits/appverify/config/OpenHarmony/trusted_apps_sources.json
index ffe1556..b500cc3 100644
--- a/interfaces/innerkits/appverify/config/OpenHarmony/trusted_apps_sources.json
+++ b/interfaces/innerkits/appverify/config/OpenHarmony/trusted_apps_sources.json
@@ -8,6 +8,7 @@
         "profile-signing-certificate":"C=CN, O=Huawei, OU=HOS AppGallery, CN=HOS Profile Management",
         "profile-debug-signing-certificate":"C=CN, O=Huawei, OU=HOS AppGallery, CN=HOS Profile Management Debug",
         "issuer-ca":"C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Software Signing Service CA",
+        "root-ca":"C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Root CA G2",
         "max-certs-path":3,
         "critialcal-cert-extension":["keyusage","huawei-signing-capability"]
     },
@@ -17,6 +18,7 @@
         "profile-signing-certificate":"C=CN, O=Huawei CBG, OU=HOS Development Team, CN=HOS Application Provision Profile Release",
         "profile-debug-signing-certificate":"C=CN, O=Huawei CBG, OU=HOS Development Team, CN=HOS Application Provision Profile Release_Debug",
         "issuer-ca":"C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Software Signing Service CA",
+        "root-ca":"C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Root CA G2",
         "max-certs-path":3,
         "critialcal-cert-extension":["keyusage","huawei-signing-capability"]
     },
@@ -26,6 +28,7 @@
         "profile-signing-certificate":"C=CN, O=OpenHarmony, OU=OpenHarmony Team, CN=OpenHarmony Application Profile Release",
         "profile-debug-signing-certificate":"C=CN, O=OpenHarmony, OU=OpenHarmony Team, CN=OpenHarmony Application Profile Debug",
         "issuer-ca":"C=CN, O=OpenHarmony, OU=OpenHarmony Team, CN=OpenHarmony Application CA",
+        "root-ca":"C=CN, O=OpenHarmony, OU=OpenHarmony Team, CN=OpenHarmony Application Root CA",
         "max-certs-path":3,
         "critialcal-cert-extension":["keyusage"]
     }
diff --git a/interfaces/innerkits/appverify/config/trusted_apps_sources.json b/interfaces/innerkits/appverify/config/trusted_apps_sources.json
index b7af5f6..fba1577 100644
--- a/interfaces/innerkits/appverify/config/trusted_apps_sources.json
+++ b/interfaces/innerkits/appverify/config/trusted_apps_sources.json
@@ -8,6 +8,7 @@
         "profile-signing-certificate":"C=CN, O=Huawei, OU=HOS AppGallery, CN=HOS Profile Management",
         "profile-debug-signing-certificate":"C=CN, O=Huawei, OU=HOS AppGallery, CN=HOS Profile Management Debug",
         "issuer-ca":"C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Software Signing Service CA",
+        "root-ca": "C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Root CA G2",
         "max-certs-path":3,
         "critialcal-cert-extension":["keyusage","huawei-signing-capability"]
     },
@@ -17,6 +18,7 @@
         "profile-signing-certificate":"C=CN, O=Huawei CBG, OU=HOS Development Team, CN=HOS Application Provision Profile Release",
         "profile-debug-signing-certificate":"C=CN, O=Huawei CBG, OU=HOS Development Team, CN=HOS Application Provision Profile Release_Debug",
         "issuer-ca":"C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Software Signing Service CA",
+        "root-ca": "C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Root CA G2",
         "max-certs-path":3,
         "critialcal-cert-extension":["keyusage","huawei-signing-capability"]
     },
@@ -26,6 +28,7 @@
         "profile-signing-certificate":"",
         "profile-debug-signing-certificate":"",
         "issuer-ca":"C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Software Signing Service CA",
+        "root-ca": "C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Root CA G2",
         "max-certs-path":3,
         "critialcal-cert-extension":["keyusage","huawei-signing-capability"]
     }
diff --git a/interfaces/innerkits/appverify/config/trusted_apps_sources_test.json b/interfaces/innerkits/appverify/config/trusted_apps_sources_test.json
index 8718e9e..6267568 100644
--- a/interfaces/innerkits/appverify/config/trusted_apps_sources_test.json
+++ b/interfaces/innerkits/appverify/config/trusted_apps_sources_test.json
@@ -8,6 +8,7 @@
         "profile-signing-certificate":"C=CN, O=Huawei, OU=HOS AppGallery, CN=HOS Profile Management",
         "profile-debug-signing-certificate":"C=CN, O=Huawei, OU=HOS AppGallery, CN=HOS Profile Management Debug",
         "issuer-ca":"C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Software Signing Service CA Test",
+        "root-ca":"C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Root CA G2 Test",
         "max-certs-path":3,
         "critialcal-cert-extension":["keyusage","huawei-signing-capability"]
     },
@@ -17,6 +18,7 @@
         "profile-signing-certificate":"C=CN, O=Huawei CBG, OU=HOS Development Team, CN=HOS Application Provision Profile Dev",
         "profile-debug-signing-certificate":"C=CN, O=Huawei CBG, OU=HOS Development Team, CN=HOS Application Provision Profile Dev_Debug",
         "issuer-ca":"C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Software Signing Service CA Test",
+        "root-ca":"C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Root CA G2 Test",
         "max-certs-path":3,
         "critialcal-cert-extension":["keyusage","huawei-signing-capability"]
     },
@@ -26,6 +28,7 @@
         "profile-signing-certificate":"",
         "profile-debug-signing-certificate":"",
         "issuer-ca":"C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Software Signing Service CA Test",
+        "root-ca":"C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Root CA G2 Test",
         "max-certs-path":3,
         "critialcal-cert-extension":["keyusage","huawei-signing-capability"]
     }
diff --git a/interfaces/innerkits/appverify/include/init/matching_result.h b/interfaces/innerkits/appverify/include/init/matching_result.h
index 70578e2..67f1d70 100644
--- a/interfaces/innerkits/appverify/include/init/matching_result.h
+++ b/interfaces/innerkits/appverify/include/init/matching_result.h
@@ -36,6 +36,7 @@ enum MatchingStates {
 struct MatchingResult {
     MatchingStates matchState;
     TrustedSources source;
+    std::string rootCa;
 };
 } // namespace Verify
 } // namespace Security
diff --git a/interfaces/innerkits/appverify/include/init/trusted_source_manager.h b/interfaces/innerkits/appverify/include/init/trusted_source_manager.h
index 22f693f..28776fb 100644
--- a/interfaces/innerkits/appverify/include/init/trusted_source_manager.h
+++ b/interfaces/innerkits/appverify/include/init/trusted_source_manager.h
@@ -35,6 +35,7 @@ struct HapAppSourceInfo {
     std::string issuer;
     int32_t maxCertsPath = 0;
     StringVec critialcalCertExtension;
+    std::string rootCa;
 };
 
 using SourceInfoVec = std::vector;
@@ -79,6 +80,7 @@ private:
     static const std::string KEY_OF_PROFILE_SIGNING_CERTIFICATE;
     static const std::string KEY_OF_PROFILE_DEBUG_SIGNING_CERTIFICATE;
     static const std::string KEY_OF_ISSUER;
+    static const std::string KEY_OF_ROOT_CA;
     static const std::string KEY_OF_MAX_CERTS_PATH;
     static const std::string KEY_OF_CRITIALCAL_CERT_EXTENSION;
     static const std::string APP_GALLERY_SOURCE_NAME;
diff --git a/interfaces/innerkits/appverify/include/util/hap_cert_verify_openssl_utils.h b/interfaces/innerkits/appverify/include/util/hap_cert_verify_openssl_utils.h
index fd70334..2768299 100644
--- a/interfaces/innerkits/appverify/include/util/hap_cert_verify_openssl_utils.h
+++ b/interfaces/innerkits/appverify/include/util/hap_cert_verify_openssl_utils.h
@@ -34,7 +34,7 @@ public:
     DLL_EXPORT static X509_CRL* GetX509CrlFromDerBuffer(const HapByteBuffer& crlBuffer, int32_t offset, int32_t len);
     DLL_EXPORT static void GenerateCertSignFromCertStack(STACK_OF(X509)* certs, CertSign& certVisitSign);
     DLL_EXPORT static void ClearCertVisitSign(CertSign& certVisitSign);
-    DLL_EXPORT static bool GetCertsChain(CertChain& certsChain, CertSign& certVisitSign);
+    DLL_EXPORT static bool GetCertsChain(CertChain& certsChain, CertSign& certVisitSign, Pkcs7Context& pkcs7Context);
     DLL_EXPORT static bool CertVerify(X509* cert, const X509* issuerCert);
     DLL_EXPORT static bool GetSubjectFromX509(const X509* cert, std::string& subject);
     DLL_EXPORT static bool GetIssuerFromX509(const X509* cert, std::string& issuer);
diff --git a/interfaces/innerkits/appverify/include/util/pkcs7_context.h b/interfaces/innerkits/appverify/include/util/pkcs7_context.h
index 5b26d52..024260f 100644
--- a/interfaces/innerkits/appverify/include/util/pkcs7_context.h
+++ b/interfaces/innerkits/appverify/include/util/pkcs7_context.h
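Review bot: The new `GetCertsChain` signature takes the whole `Pkcs7Context&` only to write `pkcs7Context.rootCa`, which couples a certificate-chain utility header to `pkcs7_context.h` (whether this header already includes it is not visible in the hunk) and hands the callee write access to every field of the verification context. A narrower out-parameter states the contract in the type: `DLL_EXPORT static bool GetCertsChain(CertChain& certsChain, CertSign& certVisitSign, std::string& rootCa);`, with `VerifyCertChain` passing `pkcs7Context.rootCa`. If the wider signature is kept, a one-line comment on the declaration saying that `rootCa` is the only field written, and that it is written even when the function returns false, would help both callers and the unit test.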
@@ -38,6 +38,7 @@ struct Pkcs7Context {
     PKCS7* p7;
     Pkcs7CertChains certChains;
     HapByteBuffer content;
+    std::string rootCa;
 
     Pkcs7Context()
         : needWriteCrl(false), digestAlgorithm(0), matchResult(), certIssuer(),
diff --git a/interfaces/innerkits/appverify/src/init/trusted_source_manager.cpp b/interfaces/innerkits/appverify/src/init/trusted_source_manager.cpp
index 5a52eba..4640bd5 100644
--- a/interfaces/innerkits/appverify/src/init/trusted_source_manager.cpp
+++ b/interfaces/innerkits/appverify/src/init/trusted_source_manager.cpp
@@ -32,6 +32,7 @@ const std::string TrustedSourceManager::KEY_OF_APP_SIGNING_CERT = "app-signing-c
 const std::string TrustedSourceManager::KEY_OF_PROFILE_SIGNING_CERTIFICATE = "profile-signing-certificate";
 const std::string TrustedSourceManager::KEY_OF_PROFILE_DEBUG_SIGNING_CERTIFICATE = "profile-debug-signing-certificate";
 const std::string TrustedSourceManager::KEY_OF_ISSUER = "issuer-ca";
+const std::string TrustedSourceManager::KEY_OF_ROOT_CA = "root-ca";
 const std::string TrustedSourceManager::KEY_OF_MAX_CERTS_PATH = "max-certs-path";
 const std::string TrustedSourceManager::KEY_OF_CRITIALCAL_CERT_EXTENSION = "critialcal-cert-extension";
 const std::string TrustedSourceManager::APP_GALLERY_SOURCE_NAME = "huawei app gallery";
@@ -159,6 +160,10 @@ bool TrustedSourceManager::ParseTrustedAppSourceJson(SourceInfoVec& trustedAppSo
             HAPVERIFY_LOG_ERROR("Get issuer Failed");
             return false;
         }
+        if (!JsonParserUtils::GetJsonString(appSource, KEY_OF_ROOT_CA, hapAppSource.rootCa)) {
+            HAPVERIFY_LOG_ERROR("Get root ca Failed");
+            return false;
+        }
         if (!JsonParserUtils::GetJsonInt(appSource, KEY_OF_MAX_CERTS_PATH, hapAppSource.maxCertsPath)) {
             HAPVERIFY_LOG_ERROR("Get maxCertsPath Failed");
             return false;
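Review bot: The new `root-ca` lookup in `ParseTrustedAppSourceJson` makes the key mandatory but accepts an empty string, and as far as the hunks in `hap_cert_verify_openssl_utils.cpp` and `hap_verify_v2.cpp` show, an empty `rootCa` in a trusted-source entry can only ever compare equal to a `pkcs7Context.rootCa` that was left empty because issuer extraction failed — the check would pass precisely in the failure case. Rejecting an empty value at parse time closes that: `if (hapAppSource.rootCa.empty()) { HAPVERIFY_LOG_ERROR("root ca is empty"); return false; }` after the new `GetJsonString` block. Making the key mandatory also means any deployed `trusted_apps_sources.json` without `root-ca` now fails to load (fail-closed), which is reasonable but deserves a sentence in the commit message. `ParseTrustedAppSourceJson` starts and ends outside the hunk.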
@@ -182,6 +187,7 @@ std::string TrustedSourceManager::EncapTrustedAppSourceString(const HapAppSource
         "profileSigningCertificate: " + appSourceInfo.profileSigningCertificate + "\n" +
         "profileDebugSigningCertificate: " + appSourceInfo.profileDebugSigningCertificate + "\n" +
         "issuer: " + appSourceInfo.issuer + "\n" +
+        "rootCa: " + appSourceInfo.rootCa + "\n" +
         "maxCertsPath: " + std::to_string(appSourceInfo.maxCertsPath) + "\n" +
         "critialcalCertExtension: ";
     for (auto extension : appSourceInfo.critialcalCertExtension) {
@@ -214,6 +220,7 @@ MatchingResult TrustedSourceManager::MatchTrustedSource(const SourceInfoVec& tru
         ret.matchState = TrustedSourceListCompare(certSubject, certIssuer, appSource, blobType);
         if (ret.matchState != DO_NOT_MATCH) {
             ret.source = appSource.source;
+            ret.rootCa = appSource.rootCa;
             break;
         }
     }
diff --git a/interfaces/innerkits/appverify/src/util/hap_cert_verify_openssl_utils.cpp b/interfaces/innerkits/appverify/src/util/hap_cert_verify_openssl_utils.cpp
index 400970e..abdb2a7 100644
--- a/interfaces/innerkits/appverify/src/util/hap_cert_verify_openssl_utils.cpp
+++ b/interfaces/innerkits/appverify/src/util/hap_cert_verify_openssl_utils.cpp
@@ -296,7 +296,8 @@ void HapCertVerifyOpensslUtils::ClearCertVisitSign(CertSign& certVisitSign)
     }
 }
 
-bool HapCertVerifyOpensslUtils::GetCertsChain(CertChain& certsChain, CertSign& certVisitSign)
+bool HapCertVerifyOpensslUtils::GetCertsChain(CertChain& certsChain, CertSign& certVisitSign,
+    Pkcs7Context& pkcs7Context)
 {
     if (certsChain.empty() || certVisitSign.empty()) {
         HAPVERIFY_LOG_ERROR("input is invalid");
@@ -313,9 +314,10 @@ bool HapCertVerifyOpensslUtils::GetCertsChain(CertChain& certsChain, CertSign& c
 
     TrustedRootCa& rootCertsObj = TrustedRootCa::GetInstance();
     issuerCert = rootCertsObj.FindMatchedRoot(certsChain[certsChain.size() - 1]);
+    std::string caIssuer;
+    GetIssuerFromX509(certsChain[certsChain.size() - 1], caIssuer);
+    pkcs7Context.rootCa = caIssuer;
     if (issuerCert == nullptr) {
-        std::string caIssuer;
-        GetIssuerFromX509(certsChain[certsChain.size() - 1], caIssuer);
         HAPVERIFY_LOG_ERROR("it do not come from trusted root, issuer: %{public}s", caIssuer.c_str());
         return false;
     }
diff --git a/interfaces/innerkits/appverify/src/util/hap_verify_openssl_utils.cpp b/interfaces/innerkits/appverify/src/util/hap_verify_openssl_utils.cpp
index 009b3f4..e18e8f1 100644
--- a/interfaces/innerkits/appverify/src/util/hap_verify_openssl_utils.cpp
+++ b/interfaces/innerkits/appverify/src/util/hap_verify_openssl_utils.cpp
@@ -118,7 +118,7 @@ bool HapVerifyOpensslUtils::GetCertChains(PKCS7* p7, Pkcs7Context& pkcs7Context)
 bool HapVerifyOpensslUtils::VerifyCertChain(CertChain& certsChain, PKCS7* p7, PKCS7_SIGNER_INFO* signInfo,
     Pkcs7Context& pkcs7Context, CertSign& certVisitSign)
 {
-    if (!HapCertVerifyOpensslUtils::GetCertsChain(certsChain, certVisitSign)) {
+    if (!HapCertVerifyOpensslUtils::GetCertsChain(certsChain, certVisitSign, pkcs7Context)) {
         HAPVERIFY_LOG_ERROR("get cert chain for signInfo failed");
         return false;
     }
diff --git a/interfaces/innerkits/appverify/src/verify/hap_verify_v2.cpp b/interfaces/innerkits/appverify/src/verify/hap_verify_v2.cpp
index 6910834..2d1f4cc 100644
--- a/interfaces/innerkits/appverify/src/verify/hap_verify_v2.cpp
+++ b/interfaces/innerkits/appverify/src/verify/hap_verify_v2.cpp
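Review bot: In `GetCertsChain` the return value of `GetIssuerFromX509` is now discarded on a path that feeds a trust decision: if extraction fails, `caIssuer` stays empty and `pkcs7Context.rootCa` is silently set to the empty string instead of the call failing. Before this change the value only fed a log message, so ignoring the result was harmless; now it should be checked, e.g. `if (!GetIssuerFromX509(certsChain[certsChain.size() - 1], caIssuer)) { HAPVERIFY_LOG_ERROR("get issuer of last cert failed"); return false; }`. Note also that `rootCa` is taken from the issuer field of the last certificate in the signer-supplied chain rather than from the subject of the trusted `issuerCert` that `FindMatchedRoot` returned; whether those are guaranteed to agree depends on how `FindMatchedRoot` matches, which is outside this hunk — if it matches by name alone, reading `GetSubjectFromX509(issuerCert, ...)` after the `nullptr` check would anchor the comparison in the trust store rather than in the untrusted chain. `GetCertsChain` starts and ends outside the hunk.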
@@ -158,6 +158,13 @@ bool HapVerifyV2::VerifyAppSourceAndParseProfile(Pkcs7Context& pkcs7Context,
     pkcs7Context.matchResult = trustedSourceManager.IsTrustedSource(certSubject, pkcs7Context.certIssuer,
         HAP_SIGN_BLOB, pkcs7Context.certChains[0].size());
 
+    if (pkcs7Context.matchResult.matchState == MATCH_WITH_SIGN &&
+        pkcs7Context.matchResult.rootCa != pkcs7Context.rootCa) {
+        HAPVERIFY_LOG_ERROR("MatchRootCa failed, target rootCa: %{public}s, rootCa in pkcs7: %{public}s",
+            pkcs7Context.matchResult.rootCa.c_str(), pkcs7Context.rootCa.c_str());
+        return false;
+    }
+
     Pkcs7Context profileContext;
     std::string profile;
     if (!HapProfileVerifyUtils::ParseProfile(profileContext, pkcs7Context, hapProfileBlock, profile)) {
@@ -181,6 +188,11 @@ bool HapVerifyV2::VerifyAppSourceAndParseProfile(Pkcs7Context& pkcs7Context,
         HAPVERIFY_LOG_ERROR("profile verify failed");
         return false;
     }
+    if (profileContext.matchResult.rootCa != pkcs7Context.rootCa) {
+        HAPVERIFY_LOG_ERROR("MatchProfileRootCa failed, target rootCa: %{public}s, rootCa in profile: %{public}s",
+            profileContext.matchResult.rootCa.c_str(), pkcs7Context.rootCa.c_str());
+        return false;
+    }
     AppProvisionVerifyResult profileRet = ParseAndVerify(profile, provisionInfo);
     if (profileRet != PROVISION_OK) {
         HAPVERIFY_LOG_ERROR("profile parsing failed, error: %{public}d", static_cast(profileRet));
diff --git a/interfaces/innerkits/appverify/test/unittest/src/hap_cert_verify_openssl_utils_test.cpp b/interfaces/innerkits/appverify/test/unittest/src/hap_cert_verify_openssl_utils_test.cpp
index 878b939..f90d830 100644
--- a/interfaces/innerkits/appverify/test/unittest/src/hap_cert_verify_openssl_utils_test.cpp
+++ b/interfaces/innerkits/appverify/test/unittest/src/hap_cert_verify_openssl_utils_test.cpp
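Review bot: The second new check in `VerifyAppSourceAndParseProfile` compares `profileContext.matchResult.rootCa` against `pkcs7Context.rootCa` — the root recorded for the HAP signature chain — while its log message labels that value `rootCa in profile`; if the intent is to validate the profile's own chain against the profile's trusted source, the field `GetCertsChain` would populate for the profile is `profileContext.rootCa` (assuming the profile path goes through `VerifyCertChain`, which is outside this hunk), so either the right-hand operand or the message is wrong. If pinning the profile's expected root to the HAP's actual root is deliberate, say so above the check, e.g. `// profile must be issued under the same root CA the HAP signature chained to`. The first check only runs for `MATCH_WITH_SIGN`, so any other non-`DO_NOT_MATCH` state gets no root comparison here; that may be intended but is undocumented and a one-line comment would settle it. `VerifyAppSourceAndParseProfile` starts and ends outside both hunks.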
@@ -207,15 +207,16 @@ HWTEST_F(HapCertVerifyOpensslUtilsTest, GetCertsChainTest001, TestSize.Level1)
     CertChain certsChain;
     CertSign certVisitSign;
     certVisitSign[certX509] = false;
-    ASSERT_FALSE(HapCertVerifyOpensslUtils::GetCertsChain(certsChain, certVisitSign));
+    Pkcs7Context pkcs7Context;
+    ASSERT_FALSE(HapCertVerifyOpensslUtils::GetCertsChain(certsChain, certVisitSign, pkcs7Context));
     /*
      * @tc.steps: step2. Push a self signed cert to certChain.
      * @tc.expected: step2. The return is false due to can not verify by root ca.
      */
     certsChain.push_back(certX509);
-    ASSERT_FALSE(HapCertVerifyOpensslUtils::GetCertsChain(certsChain, certVisitSign));
+    ASSERT_FALSE(HapCertVerifyOpensslUtils::GetCertsChain(certsChain, certVisitSign, pkcs7Context));
     certVisitSign[certX509] = true;
-    ASSERT_FALSE(HapCertVerifyOpensslUtils::GetCertsChain(certsChain, certVisitSign));
+    ASSERT_FALSE(HapCertVerifyOpensslUtils::GetCertsChain(certsChain, certVisitSign, pkcs7Context));
     X509_free(certX509);
 }
 
-- 
Gitee
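Review bot: The test now passes `pkcs7Context` but never inspects it, so the behaviour this commit adds — `GetCertsChain` writing the issuer of the last chain certificate into `pkcs7Context.rootCa` even when the chain is rejected — has no assertion. After the first call, which returns early on the empty chain, `ASSERT_TRUE(pkcs7Context.rootCa.empty());` pins the early-return path; after the self-signed-cert call, `ASSERT_FALSE(pkcs7Context.rootCa.empty());` (or an exact compare against the test certificate's issuer DN, if the fixture exposes it) pins the new side effect. `GetCertsChainTest001` starts outside the hunk.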