From de958f2c2aa1c274e5505dac1c3edec9bdfd9598 Mon Sep 17 00:00:00 2001 From: Zhou Shihui Date: Fri, 25 Apr 2025 15:11:23 +0800 Subject: [PATCH] =?UTF-8?q?udid=E6=A0=A1=E9=AA=8C=E5=A4=B1=E8=B4=A5?= =?UTF-8?q?=E5=8D=95=E7=8B=AC=E9=94=99=E8=AF=AF=E7=A0=81?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Zhou Shihui --- .../include/interfaces/hap_verify_result.h | 1 + .../appverify/include/verify/hap_verify_v2.h | 6 +-- .../appverify/src/verify/hap_verify_v2.cpp | 48 +++++++++++-------- .../test/unittest/src/hap_verify_v2_test.cpp | 4 +- 4 files changed, 34 insertions(+), 25 deletions(-) diff --git a/interfaces/innerkits/appverify/include/interfaces/hap_verify_result.h b/interfaces/innerkits/appverify/include/interfaces/hap_verify_result.h index b793e83..d4a4c1f 100644 --- a/interfaces/innerkits/appverify/include/interfaces/hap_verify_result.h +++ b/interfaces/innerkits/appverify/include/interfaces/hap_verify_result.h @@ -47,6 +47,7 @@ enum HapVerifyResultCode { NO_PROFILE_BLOCK_FAIL = -12, VERIFY_SIGNATURE_FAIL = -13, VERIFY_SOURCE_INIT_FAIL = -14, + DEVICE_UNAUTHORIZED = -15, }; enum GetOptionalBlockResultCode { diff --git a/interfaces/innerkits/appverify/include/verify/hap_verify_v2.h b/interfaces/innerkits/appverify/include/verify/hap_verify_v2.h index bbac732..ba84cb1 100644 --- a/interfaces/innerkits/appverify/include/verify/hap_verify_v2.h +++ b/interfaces/innerkits/appverify/include/verify/hap_verify_v2.h 
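Review bot: The new `DEVICE_UNAUTHORIZED = -15` enumerator in `HapVerifyResultCode` has no comment, and the name alone does not say which check failed. Going by the commit subject it reports a failed UDID check, so a trailing comment such as `// UDID check against the provisioning profile failed` (wording to be confirmed by the author) would let callers that map result codes to installer messages handle it deliberately. Callers that compare only against `APP_SOURCE_NOT_TRUSTED` will now see a different value for this case; whether any exist is not visible in this patch.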
@@ -38,15 +38,15 @@ private: int32_t Verify(RandomAccessFile& hapFile, HapVerifyResult& hapVerifyV1Result); bool VerifyAppPkc7AndParseProfile(Pkcs7Context& pkcs7Context, HapByteBuffer& hapProfileBlock, HapVerifyResult& hapVerifyV1Result); - bool VerifyAppSourceAndParseProfile(Pkcs7Context& pkcs7Context, const HapByteBuffer& hapProfileBlock, + int32_t VerifyAppSourceAndParseProfile(Pkcs7Context& pkcs7Context, const HapByteBuffer& hapProfileBlock, HapVerifyResult& hapVerifyV1Result, bool& profileNeadWriteCrl); bool VerifyAppPkcs7(Pkcs7Context& pkcs7Context, const HapByteBuffer& hapSignatureBlock); bool VerifyAppSource(Pkcs7Context& pkcs7Context, Pkcs7Context& profileContext); DLL_EXPORT bool GetDigestAndAlgorithm(Pkcs7Context& digest); DLL_EXPORT bool CheckFilePath(const std::string& filePath, std::string& standardFilePath); void WriteCrlIfNeed(const Pkcs7Context& pkcs7Context, const bool& profileNeedWriteCrl); - DLL_EXPORT bool ParseAndVerifyProfileIfNeed(const std::string& profile, ProvisionInfo& provisionInfo, - bool isCallParseAndVerify); + DLL_EXPORT AppProvisionVerifyResult ParseAndVerifyProfileIfNeed(const std::string& profile, + ProvisionInfo& provisionInfo, bool isCallParseAndVerify); bool IsAppDistributedTypeAllowInstall(const AppDistType& type, const ProvisionInfo& provisionInfo) const; DLL_EXPORT bool VerifyProfileInfo(const Pkcs7Context& pkcs7Context, const Pkcs7Context& profileContext, ProvisionInfo& provisionInfo); diff --git a/interfaces/innerkits/appverify/src/verify/hap_verify_v2.cpp b/interfaces/innerkits/appverify/src/verify/hap_verify_v2.cpp index e8a62c1..c4bdce0 100644 --- a/interfaces/innerkits/appverify/src/verify/hap_verify_v2.cpp +++ b/interfaces/innerkits/appverify/src/verify/hap_verify_v2.cpp 
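Review bot: A caller that still tests either result as a boolean would now invert its decision, because `VerifyAppSourceAndParseProfile` and `ParseAndVerifyProfileIfNeed` no longer return `bool`. If `VERIFY_SUCCESS` and `PROVISION_OK` are zero (their values are not shown here), `if (!ParseAndVerifyProfileIfNeed(...))` would still compile, provided the enum is unscoped, and would treat a failed profile check as a pass. This matters most for `ParseAndVerifyProfileIfNeed`, which is `DLL_EXPORT`. Every call site should compare explicitly against the success constant, and a comment above each declaration would record the contract, for example `// Returns a HapVerifyResultCode; compare with VERIFY_SUCCESS, never test as bool`. The class body starts and ends outside this hunk.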
@@ -113,10 +113,11 @@ int32_t HapVerifyV2::Verify(RandomAccessFile& hapFile, HapVerifyResult& hapVerif return NO_PROFILE_BLOCK_FAIL; } bool profileNeedWriteCrl = false; - if (!VerifyAppSourceAndParseProfile(pkcs7Context, hapSignInfo.optionBlocks[profileIndex].optionalBlockValue, - hapVerifyV1Result, profileNeedWriteCrl)) { + int32_t ret = VerifyAppSourceAndParseProfile(pkcs7Context, + hapSignInfo.optionBlocks[profileIndex].optionalBlockValue, hapVerifyV1Result, profileNeedWriteCrl); + if (ret != VERIFY_SUCCESS) { HAPVERIFY_LOG_ERROR("APP source is not trusted"); - return APP_SOURCE_NOT_TRUSTED; + return ret; } if (!GetDigestAndAlgorithm(pkcs7Context)) { HAPVERIFY_LOG_ERROR("Get digest failed"); @@ -161,13 +162,13 @@ bool HapVerifyV2::VerifyAppPkcs7(Pkcs7Context& pkcs7Context, const HapByteBuffer return true; } -bool HapVerifyV2::VerifyAppSourceAndParseProfile(Pkcs7Context& pkcs7Context, +int32_t HapVerifyV2::VerifyAppSourceAndParseProfile(Pkcs7Context& pkcs7Context, const HapByteBuffer& hapProfileBlock, HapVerifyResult& hapVerifyV1Result, bool& profileNeadWriteCrl) { std::string certSubject; if (!HapCertVerifyOpensslUtils::GetSubjectFromX509(pkcs7Context.certChains[0][0], certSubject)) { HAPVERIFY_LOG_ERROR("Get info of sign cert failed"); - return false; + return APP_SOURCE_NOT_TRUSTED; } HAPVERIFY_LOG_DEBUG("App signature subject: %{private}s, issuer: %{public}s", certSubject.c_str(), pkcs7Context.certIssuer.c_str()); 
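Review bot: The error log in `Verify` still prints "APP source is not trusted" for every non-success `ret`, including the new `DEVICE_UNAUTHORIZED`, so the log can contradict the code handed back to the caller. Logging the value keeps the two aligned: `HAPVERIFY_LOG_ERROR("Verify app source and profile failed, ret: %{public}d", ret);`. The body of `Verify` starts and ends outside the hunk.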
@@ -180,19 +181,19 @@ bool HapVerifyV2::VerifyAppSourceAndParseProfile(Pkcs7Context& pkcs7Context, pkcs7Context.matchResult.rootCa != pkcs7Context.rootCa) { HAPVERIFY_LOG_ERROR("MatchRootCa failed, target rootCa: %{public}s, rootCa in pkcs7: %{public}s", pkcs7Context.matchResult.rootCa.c_str(), pkcs7Context.rootCa.c_str()); - return false; + return APP_SOURCE_NOT_TRUSTED; } Pkcs7Context profileContext; std::string profile; if (!HapProfileVerifyUtils::ParseProfile(profileContext, pkcs7Context, hapProfileBlock, profile)) { HAPVERIFY_LOG_ERROR("Parse profile pkcs7 failed"); - return false; + return APP_SOURCE_NOT_TRUSTED; } if (!VerifyProfileSignature(pkcs7Context, profileContext)) { HAPVERIFY_LOG_ERROR("VerifyProfileSignature failed"); - return false; + return APP_SOURCE_NOT_TRUSTED; } /* * If app source is not trusted, verify profile. 
@@ -204,32 +205,39 @@ bool HapVerifyV2::VerifyAppSourceAndParseProfile(Pkcs7Context& pkcs7Context, if (pkcs7Context.matchResult.matchState == DO_NOT_MATCH) { if (!HapProfileVerifyUtils::VerifyProfile(profileContext)) { HAPVERIFY_LOG_ERROR("profile verify failed"); - return false; + return APP_SOURCE_NOT_TRUSTED; } if (profileContext.matchResult.rootCa != pkcs7Context.rootCa) { HAPVERIFY_LOG_ERROR("MatchProfileRootCa failed, target rootCa: %{public}s, rootCa in profile: %{public}s", profileContext.matchResult.rootCa.c_str(), pkcs7Context.rootCa.c_str()); - return false; + return APP_SOURCE_NOT_TRUSTED; } AppProvisionVerifyResult profileRet = ParseAndVerify(profile, provisionInfo); if (profileRet != PROVISION_OK) { HAPVERIFY_LOG_ERROR("profile parsing failed, error: %{public}d", static_cast(profileRet)); - return false; + if (profileRet == PROVISION_DEVICE_UNAUTHORIZED) { + return DEVICE_UNAUTHORIZED; + } + return APP_SOURCE_NOT_TRUSTED; } if (!VerifyProfileInfo(pkcs7Context, profileContext, provisionInfo)) { HAPVERIFY_LOG_ERROR("VerifyProfileInfo failed"); - return false; + return APP_SOURCE_NOT_TRUSTED; } isCallParseAndVerify = true; } - if (!ParseAndVerifyProfileIfNeed(profile, provisionInfo, isCallParseAndVerify)) { - return false; + AppProvisionVerifyResult profileRet = ParseAndVerifyProfileIfNeed(profile, provisionInfo, isCallParseAndVerify); + if (profileRet != PROVISION_OK) { + if (profileRet == PROVISION_DEVICE_UNAUTHORIZED) { + return DEVICE_UNAUTHORIZED; + } + return APP_SOURCE_NOT_TRUSTED; } if (!GenerateAppId(provisionInfo) || !GenerateFingerprint(provisionInfo)) { HAPVERIFY_LOG_ERROR("Generate appId or generate fingerprint failed"); - return false; + return APP_SOURCE_NOT_TRUSTED; } SetOrganization(provisionInfo); SetProfileBlockData(pkcs7Context, hapProfileBlock, provisionInfo); 
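Review bot: The mapping from `PROVISION_DEVICE_UNAUTHORIZED` to `DEVICE_UNAUTHORIZED` is written twice, once inside the `DO_NOT_MATCH` branch and once after `ParseAndVerifyProfileIfNeed`. A later edit to one copy can leave the two paths returning different codes for the same failure. In the `DO_NOT_MATCH` branch the code is also returned before `VerifyProfileInfo` has run, so `DEVICE_UNAUTHORIZED` does not show that the remaining profile checks would have passed. A comment should say so, to keep callers from presenting it as the package's only problem. A single file-local helper, sketched below, removes the duplication and carries that comment. The function body starts and ends outside this hunk.

```cpp
// Maps a provision-profile result to the result code returned to Verify().
// DEVICE_UNAUTHORIZED reports only the device check; it does not imply that
// later checks (e.g. VerifyProfileInfo) would have succeeded.
static int32_t ProvisionResultToVerifyCode(AppProvisionVerifyResult profileRet)
{
    if (profileRet == PROVISION_OK) {
        return VERIFY_SUCCESS;
    }
    return (profileRet == PROVISION_DEVICE_UNAUTHORIZED) ? DEVICE_UNAUTHORIZED : APP_SOURCE_NOT_TRUSTED;
}

        // … unchanged: DO_NOT_MATCH checks up to ParseAndVerify and its error log …
            return ProvisionResultToVerifyCode(profileRet);
        // … unchanged: VerifyProfileInfo check …
    AppProvisionVerifyResult profileRet = ParseAndVerifyProfileIfNeed(profile, provisionInfo, isCallParseAndVerify);
    if (profileRet != PROVISION_OK) {
        return ProvisionResultToVerifyCode(profileRet);
    }
```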
@@ -237,7 +245,7 @@ bool HapVerifyV2::VerifyAppSourceAndParseProfile(Pkcs7Context& pkcs7Context, hapVerifyV1Result.SetProvisionInfo(provisionInfo); profileNeadWriteCrl = profileContext.needWriteCrl; - return true; + return VERIFY_SUCCESS; } bool HapVerifyV2::VerifyProfileSignature(const Pkcs7Context& pkcs7Context, Pkcs7Context& profileContext) @@ -382,18 +390,18 @@ void HapVerifyV2::WriteCrlIfNeed(const Pkcs7Context& pkcs7Context, const bool& p hapCrlManager.WriteCrlsToFile(); } -bool HapVerifyV2::ParseAndVerifyProfileIfNeed(const std::string& profile, +AppProvisionVerifyResult HapVerifyV2::ParseAndVerifyProfileIfNeed(const std::string& profile, ProvisionInfo& provisionInfo, bool isCallParseAndVerify) { if (isCallParseAndVerify) { - return isCallParseAndVerify; + return PROVISION_OK; } AppProvisionVerifyResult profileRet = ParseAndVerify(profile, provisionInfo); if (profileRet != PROVISION_OK) { HAPVERIFY_LOG_ERROR("profile parse failed, error: %{public}d", static_cast(profileRet)); - return false; + return profileRet; } - return true; + return PROVISION_OK; } bool HapVerifyV2::GetDigestAndAlgorithm(Pkcs7Context& digest) diff --git a/interfaces/innerkits/appverify/test/unittest/src/hap_verify_v2_test.cpp b/interfaces/innerkits/appverify/test/unittest/src/hap_verify_v2_test.cpp index 9641cee..9e94b19 100644 --- a/interfaces/innerkits/appverify/test/unittest/src/hap_verify_v2_test.cpp +++ b/interfaces/innerkits/appverify/test/unittest/src/hap_verify_v2_test.cpp 
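Review bot: `ParseAndVerifyProfileIfNeed` returns `PROVISION_OK` without examining `profile` when `isCallParseAndVerify` is true, and that precondition is undocumented on an exported function. A comment above the definition would make clear that passing `true` skips the check rather than performing it, for example `// isCallParseAndVerify == true: caller has already run ParseAndVerify on this profile; returns PROVISION_OK without re-checking`. The tail can also be simplified: keep the log inside the `if` and end the function with a single `return profileRet;`.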
@@ -238,12 +238,12 @@ HWTEST_F(HapVerifyV2Test, ParseAndVerifyProfileIfNeedTest001, TestSize.Level1) HapVerifyV2 v2; std::string profile; ProvisionInfo provisionInfo; - ASSERT_FALSE(v2.ParseAndVerifyProfileIfNeed(profile, provisionInfo, false)); + ASSERT_FALSE(v2.ParseAndVerifyProfileIfNeed(profile, provisionInfo, false) == PROVISION_OK); /* * @tc.steps: step1. input no need parse and verify profile. * @tc.expected: step1. the return will be true. */ - ASSERT_TRUE(v2.ParseAndVerifyProfileIfNeed(profile, provisionInfo, true)); + ASSERT_TRUE(v2.ParseAndVerifyProfileIfNeed(profile, provisionInfo, true) == PROVISION_OK); } /** -- Gitee
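Review bot: Nothing in this hunk tests the path the commit adds. No assertion checks that a profile failing the UDID check yields `PROVISION_DEVICE_UNAUTHORIZED`, or `DEVICE_UNAUTHORIZED` from `Verify`, so a regression to the generic code would still pass. The two existing assertions would fail more informatively as `ASSERT_NE(v2.ParseAndVerifyProfileIfNeed(profile, provisionInfo, false), PROVISION_OK);` and `ASSERT_EQ(v2.ParseAndVerifyProfileIfNeed(profile, provisionInfo, true), PROVISION_OK);`. The step comment "the return will be true" is stale and should name `PROVISION_OK`. The test body starts outside the hunk.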