From 70eeb9be5421357c3f6307989d2ba78a89dbd63d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E2=80=9CHJ=E2=80=9D?= Date: Mon, 26 Jul 2021 15:09:56 +0800 Subject: [PATCH] huangjun42@huawei.com MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: “HJ” --- .../OpenHarmonyCer/OpenHarmony.cer | Bin 527 -> 0 bytes .../OpenHarmonyCer/OpenHarmony.jks | Bin 1158 -> 0 bytes .../innerkits/appverify_lite/src/app_verify.c | 14 ++-- .../appverify_lite/src/mbedtls_pkcs7.c | 68 +++++++++++++----- 4 files changed, 59 insertions(+), 23 deletions(-) delete mode 100755 interfaces/innerkits/appverify_lite/OpenHarmonyCer/OpenHarmony.cer delete mode 100755 interfaces/innerkits/appverify_lite/OpenHarmonyCer/OpenHarmony.jks diff --git a/interfaces/innerkits/appverify_lite/OpenHarmonyCer/OpenHarmony.cer b/interfaces/innerkits/appverify_lite/OpenHarmonyCer/OpenHarmony.cer deleted file mode 100755 index 1c856dd34df9ad5b864e265153d0430ab6d1e9f9..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 527 zcmXqLV&XPvV%)HRnTe5!i6wXX9#I1xHV&;ek8`#x%uK8d2E~Tl2Apinp)72|OwN9W zA_hVr4wo>ue?e-VM`BTKeqN=as(~^{lv`K^NmRilwJbF!zaTd?uS6jvH8Iyv-9Qzj zj9FL?Sy^y?T1k0gQK~|4W_n&?Noi54fr2=%k%6Isp^1U9F%U&b@EaMJBMS_SvmyZE=&sS5&u<>&8iovVHdvmMNn0( z%4q+i@U!2x#LT^H|68GYHj{z?qitj8?ju^)pZh1t&aCg4o%p7q$cy33^Sc^V0jomG E03H6L;s5{u 
diff --git a/interfaces/innerkits/appverify_lite/OpenHarmonyCer/OpenHarmony.jks b/interfaces/innerkits/appverify_lite/OpenHarmonyCer/OpenHarmony.jks deleted file mode 100755 index 2b7d4c8a6d676e76ddc05ed099f67297e295af80..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1158 zcmXqLVrgPxWHxAGv1a4cYV&CO&dbQoxS)wehoy-{11PLw(8MT!BE`ta()iDy@wY+a z4>oS779K7}rUm5&r3RX8TreS^snRSW|9;iH+__XFVs0Z_)Q)4T{i~Vcb}%tB91dXd zFgl$2$zAT{l;#x?Y>|g2oPTC1ad)cA$=~nWPW;(n6tKto%7K-ol~Xem%_s(~WHFi}Gh7NL;L+*AcaGXoAt=2`ExohQ_ z(=NW}Qu=TG#z324|3a5-%S!YrZWsn%v{=>n-PAuR1UNcv528^ZXqq6I3ko zXHM!A%e!`E#^V=JxoU3@U$bL2xjg&T6Pp^>yW484dU%ds?PZ#}v{v!j8Usf84P5T4 zqtcf8m9{=$MyMO)@dHXU$gSa&{ckLS-qHHox63m+U1yXOBgMDu^o z>=PnVJe<6b_2RUWizlXjjyiCE+1m#@c0Os@bTN9y-Z!f32|u2c{g<-}3BNxh;~q!) ze$CRPFp1u?2}}T q+e)uGqu1{{{DMV9!1T7}ncIP)yz@9Xxoname, "huawei system apps") == 0) { return CERT_TYPE_SYETEM; +#ifndef OHOS_SIGN_HAPS_BY_SERVER + } else if (strcmp(cert->name, "OpenHarmony apps") == 0) { + return CERT_TYPE_SYETEM; +#endif } else { return CERT_TYPE_OTHER; } diff --git a/interfaces/innerkits/appverify_lite/src/mbedtls_pkcs7.c b/interfaces/innerkits/appverify_lite/src/mbedtls_pkcs7.c index a069ba8..c96b320 100755 --- a/interfaces/innerkits/appverify_lite/src/mbedtls_pkcs7.c +++ b/interfaces/innerkits/appverify_lite/src/mbedtls_pkcs7.c 
@@ -88,20 +88,22 @@ static const unsigned char g_debugModeRootCertInPem[] =
     "7XL/vJcp3HeHjiXu7XZmYQ+QAvHPhU0CMCiwWFbDl8ETw4VK25QbwhL/QiUfiRfC\r\n"
     "J6LzteOvjLTEV5iebQMz/nS1j7/oj3Rsqg==\r\n"
     "-----END CERTIFICATE-----\r\n";
-static mbedtls_x509_crt g_selfSignedCert;
-static const unsigned char g_selfSignedCertInPem[] =
+static mbedtls_x509_crt g_ohosRootCert;
+static const unsigned char g_ohosRootCertInPem[] =
     "-----BEGIN CERTIFICATE-----\r\n"
-    "MIICCzCCAbCgAwIBAgIEbZe8FTAMBggqhkjOPQQDAgUAMHMxCzAJBgNVBAYTAkNO\r\n"
-    "MRQwEgYDVQQKEwtPcGVuSGFybW9ueTElMCMGA1UECxMcT3Blbkhhcm1vbnkgRGV2\r\n"
-    "ZWxvcG1lbnQgVGVhbTEnMCUGA1UEAxMeT3Blbkhhcm1vbnkgU29mdHdhcmUgU2ln\r\n"
-    "bmF0dXJlMCAXDTIwMTAxNDAzMzAzM1oYDzIwNzAxMDE0MDMzMDMzWjBzMQswCQYD\r\n"
-    "VQQGEwJDTjEUMBIGA1UEChMLT3Blbkhhcm1vbnkxJTAjBgNVBAsTHE9wZW5IYXJt\r\n"
-    "b255IERldmVsb3BtZW50IFRlYW0xJzAlBgNVBAMTHk9wZW5IYXJtb255IFNvZnR3\r\n"
-    "YXJlIFNpZ25hdHVyZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABCP2fr47i2IG\r\n"
-    "CKyX7apk865v1ZPVv82wrZEHOqzkPiLTG+o+6EEuuHGLngu9lA7Kc5+LpnhryQLz\r\n"
-    "gf9sD625M72jLjAsMAsGA1UdDwQEAwIHgDAdBgNVHQ4EFgQUx2NA8kYsHoN2qGMI\r\n"
-    "xmJeHuVVnDUwDAYIKoZIzj0EAwIFAANHADBEAiAHWP8lxpp/FHwHE9H0ESUmejK/\r\n"
-    "4lfN9rRcndM/+yB7mwIgEAE9gVW7xCrX509iHZl/iJth7IBySgDM590oelCqVXY=\r\n"
+    "MIICRDCCAcmgAwIBAgIED+E4izAMBggqhkjOPQQDAwUAMGgxCzAJBgNVBAYTAkNO\r\n"
+    "MRQwEgYDVQQKEwtPcGVuSGFybW9ueTEZMBcGA1UECxMQT3Blbkhhcm1vbnkgVGVh\r\n"
+    "bTEoMCYGA1UEAxMfT3Blbkhhcm1vbnkgQXBwbGljYXRpb24gUm9vdCBDQTAeFw0y\r\n"
+    "MTAyMDIxMjE0MThaFw00OTEyMzExMjE0MThaMGgxCzAJBgNVBAYTAkNOMRQwEgYD\r\n"
+    "VQQKEwtPcGVuSGFybW9ueTEZMBcGA1UECxMQT3Blbkhhcm1vbnkgVGVhbTEoMCYG\r\n"
+    "A1UEAxMfT3Blbkhhcm1vbnkgQXBwbGljYXRpb24gUm9vdCBDQTB2MBAGByqGSM49\r\n"
+    "AgEGBSuBBAAiA2IABE023XmRaw2DnO8NSsb+KG/uY0FtS3u5LQucdr3qWVnRW5ui\r\n"
+    "QIL6ttNZBEeLTUeYcJZCpayg9Llf+1SmDA7dY4iP2EcRo4UN3rilovtfFfsmH4ty\r\n"
+    "3SApHVFzWUl+NwdH8KNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\r\n"
+    "AQYwHQYDVR0OBBYEFBc6EKGrGXzlAE+s0Zgnsphadw7NMAwGCCqGSM49BAMDBQAD\r\n"
+    "ZwAwZAIwd1p3JzHN93eoPped1li0j64npgqNzwy4OrkehYAqNXpcpaEcLZ7UxW8E\r\n"
+    "I2lZJ3SbAjAkqySHb12sIwdSFKSN9KCMMEo/eUT5dUXlcKR2nZz0MJdxT5F51qcX\r\n"
+    "1CumzkcYhgU=\r\n"
     "-----END CERTIFICATE-----\r\n";
 
 /* valid digest alg now: sha256 sha384 sha512 */
@@ -957,8 +959,8 @@ static int UnLoadDebugModeRootCert(void)
 static int LoadSelfSignedCert(void)
 {
     int rc;
-    mbedtls_x509_crt_init(&g_selfSignedCert);
-    rc = mbedtls_x509_crt_parse(&g_selfSignedCert, g_selfSignedCertInPem, sizeof(g_selfSignedCertInPem));
+    mbedtls_x509_crt_init(&g_ohosRootCert);
+    rc = mbedtls_x509_crt_parse(&g_ohosRootCert, g_ohosRootCertInPem, sizeof(g_ohosRootCertInPem));
     if (rc) {
         LOG_ERROR("load self signed ca failed %d", rc);
         return rc;
@@ -970,7 +972,7 @@ static int LoadSelfSignedCert(void)
 static void UnLoadSelfSignedCert(void)
 {
-    mbedtls_x509_crt_free(&g_selfSignedCert);
+    mbedtls_x509_crt_free(&g_ohosRootCert);
 }
 
 static void DLogCrtVerifyInfo(unsigned int flags)
 {
@@ -1072,7 +1074,7 @@ int PKCS7_VerifyCertsChain(const Pkcs7 *pkcs7)
         return PKCS7_IS_REVOKED;
     }
 #ifndef OHOS_SIGN_HAPS_BY_SERVER
-    rc = VerifyClicert(clicert, &g_selfSignedCert, pkcs7);
+    rc = VerifyClicert(clicert, &g_ohosRootCert, pkcs7);
     LOG_DEBUG("Verify self : %d", rc);
     if (rc == PKCS7_SUCC) {
         signer = signer->next;
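Review bot: The rename to g_ohosRootCert stops at the variable: LoadSelfSignedCert, UnLoadSelfSignedCert and the message "load self signed ca failed" still describe the anchor as a self-signed certificate, while the new PEM (whose subject appears to decode to an "OpenHarmony Application Root CA") is what VerifyClicert trusts under `#ifndef OHOS_SIGN_HAPS_BY_SERVER`. Someone tracing root-of-trust handling will not find it by name; either rename the pair to LoadOhosRootCert / UnLoadOhosRootCert and update the log text, or at least document the anchor above its definition: `/* Pinned OpenHarmony application root CA: the trust anchor VerifyClicert uses when OHOS_SIGN_HAPS_BY_SERVER is not defined; rotating it requires a rebuild. */`. The commit also deletes OpenHarmony.cer/OpenHarmony.jks and gives no rationale in its subject, so the move from the old self-signed certificate to this CA should be stated in the commit message. The remaining hunks here are pure renames and need nothing further.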
@@ -1121,9 +1123,39 @@ static size_t GetSignersCnt(const SignerInfo *signers)
     }
     return cnt;
 }
+
+static bool IsIncludeRoot(const SignerInfo *signer)
+{
+    mbedtls_x509_crt *pre = signer->certPath.crt;
+    mbedtls_x509_crt *cur = pre;
+    int i = 0;
+    while (i < signer->certPath.depth && cur != NULL) {
+        pre = cur;
+        cur = cur->next;
+        i++;
+    }
+
+    if (pre == NULL) {
+        return false;
+    }
+
+    /* root cert is a self-sign cert */
+    if (CompareX509NameList(&pre->issuer, &pre->subject) == 0) {
+        LOG_INFO("Include root cert");
+        return true;
+    }
+    LOG_INFO("Not include root cert");
+    return false;
+}
+
 static size_t GetSignerSignningCertDepth(const SignerInfo *signer)
 {
-    return signer->certPath.depth + 1; // 1 for root cert;
+    if (IsIncludeRoot(signer)) {
+        return signer->certPath.depth;
+    }
+
+    /* root cert is not included in signer->certPath, add 1 for root cert */
+    return signer->certPath.depth + 1;
 }
 
 void PKCS7_FreeAllSignersResolvedInfo(SignersResovedInfo *sri)
-- 
Gitee
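Review bot: IsIncludeRoot concludes that the chain carries the root purely because the last certificate in certPath has issuer equal to subject, and that certificate is read from the signature block, so a self-signed certificate appended by whoever built the PKCS#7 is enough to make GetSignerSignningCertDepth return one less than before; whether that is exploitable depends on how the depth is consumed, which is outside this hunk. Since PKCS7_VerifyCertsChain verifies against g_ohosRootCert, the robust check is to compare the candidate with that anchor rather than with itself, e.g. `if (pre->raw.len == g_ohosRootCert.raw.len && memcmp(pre->raw.p, g_ohosRootCert.raw.p, pre->raw.len) == 0)`, kept under the same OHOS_SIGN_HAPS_BY_SERVER guard the anchor is used with (and presumably matching whatever anchor the server-signed build uses). The loop counter `i` is an `int` compared against certPath.depth; if depth is unsigned (the function returning it is size_t), give `i` the same type to avoid a signed/unsigned comparison. Until the check is strengthened, the comment above the comparison should state the limitation: `/* Heuristic only: a self-signed tail cert is assumed to be the root; it is not matched against the trust anchor. */`.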