diff --git a/OAT.XML b/OAT.XML
new file mode 100644
index 0000000000000000000000000000000000000000..1cd742d06498ac8f278f1aa68cbab3f6cd8e7ca0
--- /dev/null
+++ b/OAT.XML
@@ -0,0 +1,60 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/interfaces/innerkits/appverify/BUILD.gn b/interfaces/innerkits/appverify/BUILD.gn
index 8c8a29c02b04b8e1ba4e2e5096732c9fe3816cf3..65a1fb4a8ef59f7821749abf7c8a6ade9b06e2a4 100644
--- a/interfaces/innerkits/appverify/BUILD.gn
+++ b/interfaces/innerkits/appverify/BUILD.gn
@@ -30,6 +30,7 @@ ohos_shared_library("libhapverify") {
"src/common/hap_byte_buffer_data_source.cpp",
"src/common/hap_file_data_source.cpp",
"src/common/random_access_file.cpp",
+ "src/init/device_type_manager.cpp",
"src/init/hap_crl_manager.cpp",
"src/init/json_parser_utils.cpp",
"src/init/trusted_root_ca.cpp",
@@ -52,7 +53,7 @@ ohos_shared_library("libhapverify") {
"-fvisibility=hidden",
]
- ldflags = [ "-Wl,--exclude-libs,ALL" ]
+ ldflags = [ "-Wl,--exclude-libs=libcrypto_static.a" ]
deps = [
"//third_party/openssl:libcrypto_static",
@@ -72,6 +73,11 @@ ohos_shared_library("libhapverify") {
"ipc:ipc_core",
"os_account:libaccountkits",
]
+
+ if (!build_public_version) {
+ deps += [ "//base/security/securityadapter/interfaces/innerkits/securitydiagnose:libsecuritydiagnose_static" ]
+ defines = [ "SUPPORT_GET_DEVICE_TYPES" ]
+ }
}
part_name = "appverify"
diff --git a/interfaces/innerkits/appverify/include/init/device_type_manager.h b/interfaces/innerkits/appverify/include/init/device_type_manager.h
new file mode 100644
index 0000000000000000000000000000000000000000..4bb7d9f84015a7e6fb276d5a775cfd31d3dcc388
--- /dev/null
+++ b/interfaces/innerkits/appverify/include/init/device_type_manager.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2021 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef OHOS_DEVICE_TYPE_MANAGER_H
+#define OHOS_DEVICE_TYPE_MANAGER_H
+
+#include "common/export_define.h"
+
+#include
+
+namespace OHOS {
+namespace Security {
+namespace Verify {
+class DeviceTypeManager {
+public:
+ DLL_EXPORT static DeviceTypeManager& GetInstance();
+ DLL_EXPORT bool GetDeviceTypeInfo();
+ /* Forbid replication constructs and replication */
+ DeviceTypeManager(const DeviceTypeManager& deviceTypeManager) = delete;
+ DeviceTypeManager& operator = (const DeviceTypeManager& deviceTypeManager) = delete;
+
+private:
+ DeviceTypeManager();
+ ~DeviceTypeManager();
+
+ bool GetDeviceType();
+
+private:
+ /* true: debugging type; false: commercial type */
+ bool deviceType;
+ std::mutex getDeviceTypeMtx;
+};
+} // namespace Verify
+} // namespace Security
+} // namespace OHOS
+#endif // OHOS_DEVICE_TYPE_MANAGER_H
\ No newline at end of file
diff --git a/interfaces/innerkits/appverify/include/init/hap_crl_manager.h b/interfaces/innerkits/appverify/include/init/hap_crl_manager.h
index 3c5087810ebf5e797871188305cf7cf5dc0b87e5..cc4469f1a6812dceed06b9406dc362df320aec95 100644
--- a/interfaces/innerkits/appverify/include/init/hap_crl_manager.h
+++ b/interfaces/innerkits/appverify/include/init/hap_crl_manager.h
@@ -43,8 +43,8 @@ private:
~HapCrlManager();
/* Forbid external replication constructs and external replication */
- HapCrlManager(const HapCrlManager& hapCrlManager);
- const HapCrlManager& operator=(const HapCrlManager& hapCrlManager);
+ HapCrlManager(const HapCrlManager& hapCrlManager) = delete;
+ HapCrlManager& operator = (const HapCrlManager& hapCrlManager) = delete;
DLL_EXPORT X509_CRL* GetFinalCrl(X509_CRL* crlInPackage, Pkcs7Context& pkcs7Context);
DLL_EXPORT X509_CRL* GetCrlByIssuer(const std::string& issuer);
diff --git a/interfaces/innerkits/appverify/include/init/trusted_root_ca.h b/interfaces/innerkits/appverify/include/init/trusted_root_ca.h
index af9895893205ad51a8c7c6feedf7dec00e9751d9..297b832993e7fd4e57bec389c5ff798bda2e5e05 100644
--- a/interfaces/innerkits/appverify/include/init/trusted_root_ca.h
+++ b/interfaces/innerkits/appverify/include/init/trusted_root_ca.h
@@ -42,8 +42,8 @@ private:
~TrustedRootCa();
/* Forbid external replication constructs and external replication */
- TrustedRootCa(const TrustedRootCa& trustedRoot);
- const TrustedRootCa& operator=(const TrustedRootCa& trustedRoot);
+ TrustedRootCa(const TrustedRootCa& trustedRoot) = delete;
+ TrustedRootCa& operator = (const TrustedRootCa& trustedRoot) = delete;
DLL_EXPORT bool GetTrustedRootCAFromJson(StringCertMap& rootCertMap, const std::string& filePath);
X509* FindMatchedRoot(const StringCertMap& rootCertMap, X509* caCert);
diff --git a/interfaces/innerkits/appverify/include/init/trusted_source_manager.h b/interfaces/innerkits/appverify/include/init/trusted_source_manager.h
index a922a5f754fdf07bac9129b691e236c68f8c5978..42a789cd549a9bbb59d2b6a72335ab75810e20fd 100644
--- a/interfaces/innerkits/appverify/include/init/trusted_source_manager.h
+++ b/interfaces/innerkits/appverify/include/init/trusted_source_manager.h
@@ -55,7 +55,7 @@ private:
/* Forbid external replication constructs and external replication */
TrustedSourceManager(const TrustedSourceManager& trustedSource) = delete;
- const TrustedSourceManager& operator=(const TrustedSourceManager& trustedSource) = delete;
+ TrustedSourceManager& operator = (const TrustedSourceManager& trustedSource) = delete;
bool GetAppTrustedSources(SourceInfoVec& trustedAppSources, std::string& souucesVersion,
std::string& souucesReleaseTime, const std::string& filePath);
diff --git a/interfaces/innerkits/appverify/src/init/device_type_manager.cpp b/interfaces/innerkits/appverify/src/init/device_type_manager.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..f5ad8aa36cf75ed0667a2569c96de0587bce4697
--- /dev/null
+++ b/interfaces/innerkits/appverify/src/init/device_type_manager.cpp
@@ -0,0 +1,84 @@
+/*
+ * Copyright (C) 2021 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "init/device_type_manager.h"
+
+#include "common/hap_verify_log.h"
+#include "init/trusted_root_ca.h"
+#include "init/trusted_source_manager.h"
+
+#ifdef SUPPORT_GET_DEVICE_TYPES
+#include "security_device_mode.h"
+#endif // SUPPORT_GET_DEVICE_TYPES
+
+namespace OHOS {
+namespace Security {
+namespace Verify {
+DeviceTypeManager& DeviceTypeManager::GetInstance()
+{
+ static DeviceTypeManager deviceTypeManager;
+ return deviceTypeManager;
+}
+
+DeviceTypeManager::DeviceTypeManager() : deviceType(false), getDeviceTypeMtx()
+{
+}
+
+DeviceTypeManager::~DeviceTypeManager()
+{
+}
+
+bool DeviceTypeManager::GetDeviceType()
+{
+#ifndef SUPPORT_GET_DEVICE_TYPES
+ return false;
+#else
+ return InvokeIsDevelopmentMode();
+#endif // SUPPORT_GET_DEVICE_TYPES
+}
+
+bool DeviceTypeManager::GetDeviceTypeInfo()
+{
+ bool currentDeviceType = GetDeviceType();
+ HAPVERIFY_LOG_DEBUG(LABEL, "current device is type: %{public}d", static_cast(currentDeviceType));
+
+ if (currentDeviceType == deviceType) {
+ return currentDeviceType;
+ }
+
+ TrustedRootCa& rootCertsObj = TrustedRootCa::GetInstance();
+ TrustedSourceManager& trustedAppSourceManager = TrustedSourceManager::GetInstance();
+ getDeviceTypeMtx.lock();
+ if (currentDeviceType) {
+ /* Device type change from commercial to debugging */
+ bool ret = rootCertsObj.EnableDebug() && trustedAppSourceManager.EnableDebug();
+ if (!ret) {
+ HAPVERIFY_LOG_ERROR(LABEL, "Enable debug failed");
+ rootCertsObj.DisableDebug();
+ trustedAppSourceManager.DisableDebug();
+ return currentDeviceType;
+ }
+ } else {
+ /* Device type change from debugging to commercial */
+ rootCertsObj.DisableDebug();
+ trustedAppSourceManager.DisableDebug();
+ }
+ deviceType = currentDeviceType;
+ getDeviceTypeMtx.unlock();
+ return currentDeviceType;
+}
+} // namespace Verify
+} // namespace Security
+} // namespace OHOS
\ No newline at end of file
diff --git a/interfaces/innerkits/appverify/src/init/trusted_root_ca.cpp b/interfaces/innerkits/appverify/src/init/trusted_root_ca.cpp
index 68e2d23e7125356a8c4ed15da4adc1bc03e97880..fbf154bf55c6fb99a09081324603ed3a9003eb7e 100644
--- a/interfaces/innerkits/appverify/src/init/trusted_root_ca.cpp
+++ b/interfaces/innerkits/appverify/src/init/trusted_root_ca.cpp
@@ -61,11 +61,11 @@ bool TrustedRootCa::EnableDebug()
void TrustedRootCa::DisableDebug()
{
+ isDebug = false;
for (auto& rootCert : rootCertsForTest) {
X509_free(rootCert.second);
}
rootCertsForTest.clear();
- isDebug = false;
}
bool TrustedRootCa::Init()
diff --git a/interfaces/innerkits/appverify/src/init/trusted_source_manager.cpp b/interfaces/innerkits/appverify/src/init/trusted_source_manager.cpp
index ae8adb062c3be375dec3bffab947c9392806ceb6..127cc79b037f31e85ae6f52c7ca24d8c16597b33 100644
--- a/interfaces/innerkits/appverify/src/init/trusted_source_manager.cpp
+++ b/interfaces/innerkits/appverify/src/init/trusted_source_manager.cpp
@@ -73,8 +73,8 @@ bool TrustedSourceManager::EnableDebug()
void TrustedSourceManager::DisableDebug()
{
- appTrustedSourcesForTest.clear();
isDebug = false;
+ appTrustedSourcesForTest.clear();
}
bool TrustedSourceManager::Init()
diff --git a/interfaces/innerkits/appverify/src/interfaces/hap_verify.cpp b/interfaces/innerkits/appverify/src/interfaces/hap_verify.cpp
index 12356632dc3647d357bca248095822fb578bc59f..754cc6e197d2f91f421e485952156bfc2e169583 100644
--- a/interfaces/innerkits/appverify/src/interfaces/hap_verify.cpp
+++ b/interfaces/innerkits/appverify/src/interfaces/hap_verify.cpp
@@ -17,6 +17,7 @@
#include
+#include "init/device_type_manager.h"
#include "init/hap_crl_manager.h"
#include "init/trusted_root_ca.h"
#include "init/trusted_source_manager.h"
@@ -33,6 +34,7 @@ bool HapVerifyInit()
TrustedRootCa& rootCertsObj = TrustedRootCa::GetInstance();
TrustedSourceManager& trustedAppSourceManager = TrustedSourceManager::GetInstance();
HapCrlManager& hapCrlManager = HapCrlManager::GetInstance();
+ DeviceTypeManager& deviceTypeManager = DeviceTypeManager::GetInstance();
g_mtx.lock();
g_isInit = rootCertsObj.Init() && trustedAppSourceManager.Init();
if (!g_isInit) {
@@ -40,6 +42,7 @@ bool HapVerifyInit()
trustedAppSourceManager.Recovery();
}
hapCrlManager.Init();
+ deviceTypeManager.GetDeviceTypeInfo();
g_mtx.unlock();
return g_isInit;
}
diff --git a/interfaces/innerkits/appverify/src/provision/provision_verify.cpp b/interfaces/innerkits/appverify/src/provision/provision_verify.cpp
index 56304f9b4fe297405ac1f83c755414aa1d41e42d..2e31c9d04219eb7ec63186193be206a8449161ae 100644
--- a/interfaces/innerkits/appverify/src/provision/provision_verify.cpp
+++ b/interfaces/innerkits/appverify/src/provision/provision_verify.cpp
@@ -27,6 +27,7 @@
#endif // STANDARD_SYSTEM
#include "common/hap_verify_log.h"
+#include "init/device_type_manager.h"
using namespace std;
using namespace nlohmann;
@@ -202,6 +203,20 @@ AppProvisionVerifyResult ParseProvision(const string& appProvision, ProvisionInf
return PROVISION_OK;
}
+inline bool CheckDeviceID(const std::vector& deviceIds, const string& deviceId)
+{
+ auto iter = find(deviceIds.begin(), deviceIds.end(), deviceId);
+ if (iter == deviceIds.end()) {
+ DeviceTypeManager& deviceTypeManager = DeviceTypeManager::GetInstance();
+ if (!deviceTypeManager.GetDeviceTypeInfo()) {
+ HAPVERIFY_LOG_ERROR(LABEL, "current device is not authorized");
+ return false;
+ }
+ HAPVERIFY_LOG_INFO(LABEL, "current device is a debug device");
+ }
+ return true;
+}
+
AppProvisionVerifyResult CheckDeviceID(ProvisionInfo& info)
{
// Checking device ids
@@ -209,39 +224,40 @@ AppProvisionVerifyResult CheckDeviceID(ProvisionInfo& info)
HAPVERIFY_LOG_ERROR(LABEL, "device-id list is empty.");
return PROVISION_DEVICE_UNAUTHORIZED;
}
+
if (info.debugInfo.deviceIds.size() > MAXIMUM_NUM_DEVICES) {
HAPVERIFY_LOG_ERROR(LABEL, "No. of device IDs in list exceed maximum number %{public}d", MAXIMUM_NUM_DEVICES);
return PROVISION_NUM_DEVICE_EXCEEDED;
}
+
+ if (info.debugInfo.deviceIdType != VALUE_DEVICE_ID_TYPE_UDID) {
+ HAPVERIFY_LOG_ERROR(LABEL, "type of device ID is not supported.");
+ return PROVISION_UNSUPPORTED_DEVICE_TYPE;
+ }
+
string deviceId;
- if (info.debugInfo.deviceIdType == VALUE_DEVICE_ID_TYPE_UDID) {
#ifndef STANDARD_SYSTEM
- int32_t ret = OHOS::AccountSA::OhosAccountKits::GetInstance().GetUdid(deviceId);
- if (ret != 0) {
- HAPVERIFY_LOG_ERROR(LABEL, "obtaining current device id failed (%{public}d).", ret);
- return PROVISION_DEVICE_UNAUTHORIZED;
- }
+ int32_t ret = OHOS::AccountSA::OhosAccountKits::GetInstance().GetUdid(deviceId);
+ if (ret != 0) {
+ HAPVERIFY_LOG_ERROR(LABEL, "obtaining current device id failed (%{public}d).", ret);
+ return PROVISION_DEVICE_UNAUTHORIZED;
+ }
#else
- char udid[DEV_UUID_LEN] = {0};
- int ret = GetDevUdid(udid, sizeof(udid));
- if (ret != EC_SUCCESS) {
- HAPVERIFY_LOG_ERROR(LABEL, "obtaining current device id failed (%{public}d).", static_cast(ret));
- return PROVISION_DEVICE_UNAUTHORIZED;
- }
- deviceId = std::string(udid, sizeof(udid) - 1);
- HAPVERIFY_LOG_INFO(LABEL, "L2 UDID:%{public}s, len:%{public}d.", deviceId.c_str(), deviceId.size());
-#endif // STANDARD_SYSTEM
- } else {
- HAPVERIFY_LOG_ERROR(LABEL, "type of device ID is not supported.");
- return PROVISION_UNSUPPORTED_DEVICE_TYPE;
+ char udid[DEV_UUID_LEN] = {0};
+ int ret = GetDevUdid(udid, sizeof(udid));
+ if (ret != EC_SUCCESS) {
+ HAPVERIFY_LOG_ERROR(LABEL, "obtaining current device id failed (%{public}d).", static_cast(ret));
+ return PROVISION_DEVICE_UNAUTHORIZED;
}
+ deviceId = std::string(udid, sizeof(udid) - 1);
+ HAPVERIFY_LOG_INFO(LABEL, "L2 UDID:%{public}s, len:%{public}d.", deviceId.c_str(), deviceId.size());
+#endif // STANDARD_SYSTEM
if (deviceId.empty()) {
HAPVERIFY_LOG_ERROR(LABEL, "device-id of current device is empty.");
return PROVISION_DEVICE_UNAUTHORIZED;
}
- auto iter = find(info.debugInfo.deviceIds.begin(), info.debugInfo.deviceIds.end(), deviceId);
- if (iter == info.debugInfo.deviceIds.end()) {
- HAPVERIFY_LOG_ERROR(LABEL, "current device is not authorized.");
+
+ if (!CheckDeviceID(info.debugInfo.deviceIds, deviceId)) {
return PROVISION_DEVICE_UNAUTHORIZED;
}
return PROVISION_OK;
diff --git a/interfaces/innerkits/appverify_lite/OpenHarmonyCer/OpenHarmony.cer b/interfaces/innerkits/appverify_lite/OpenHarmonyCer/OpenHarmony.cer
deleted file mode 100755
index 1c856dd34df9ad5b864e265153d0430ab6d1e9f9..0000000000000000000000000000000000000000
Binary files a/interfaces/innerkits/appverify_lite/OpenHarmonyCer/OpenHarmony.cer and /dev/null differ
diff --git a/interfaces/innerkits/appverify_lite/OpenHarmonyCer/OpenHarmony.jks b/interfaces/innerkits/appverify_lite/OpenHarmonyCer/OpenHarmony.jks
deleted file mode 100755
index 2b7d4c8a6d676e76ddc05ed099f67297e295af80..0000000000000000000000000000000000000000
Binary files a/interfaces/innerkits/appverify_lite/OpenHarmonyCer/OpenHarmony.jks and /dev/null differ
diff --git a/interfaces/innerkits/appverify_lite/src/app_verify.c b/interfaces/innerkits/appverify_lite/src/app_verify.c
index 09e58a7b717a8f37f7c4caaca86dae70f800349b..30dcf7bfb7f8661dabecde940234cb9399d18eb6 100755
--- a/interfaces/innerkits/appverify_lite/src/app_verify.c
+++ b/interfaces/innerkits/appverify_lite/src/app_verify.c
@@ -53,11 +53,11 @@ static const TrustAppCert g_trustAppList[] = {
#ifndef OHOS_SIGN_HAPS_BY_SERVER
{
.maxCertPath = CERT_MAX_DEPTH,
- .name = "huawei system apps",
- .appSignCert = "C=CN, O=OpenHarmony, OU=OpenHarmony Development Team, CN=OpenHarmony Software Signature",
- .profileSignCert = "C=CN, O=OpenHarmony, OU=OpenHarmony Development Team, CN=OpenHarmony Software Signature",
- .profileDebugSignCert = "C=CN, O=OpenHarmony, OU=OpenHarmony Development Team, CN=OpenHarmony Software Signature",
- .issueCA = "C=CN, O=OpenHarmony, OU=OpenHarmony Development Team, CN=OpenHarmony Software Signature",
+ .name = "OpenHarmony apps",
+ .appSignCert = "C=CN, O=OpenHarmony, OU=OpenHarmony Team, CN=OpenHarmony Application Release",
+ .profileSignCert = "C=CN, O=OpenHarmony, OU=OpenHarmony Team, CN=OpenHarmony Application Profile Release",
+ .profileDebugSignCert = "C=CN, O=OpenHarmony, OU=OpenHarmony Team, CN=OpenHarmony Application Profile Debug",
+ .issueCA = "C=CN, O=OpenHarmony, OU=OpenHarmony Team, CN=OpenHarmony Application CA",
},
#endif
};
@@ -367,6 +367,10 @@ static int GetCertTypeBySourceName(const TrustAppCert *cert)
return CERT_TYPE_APPGALLARY;
} else if (strcmp(cert->name, "huawei system apps") == 0) {
return CERT_TYPE_SYETEM;
+#ifndef OHOS_SIGN_HAPS_BY_SERVER
+ } else if (strcmp(cert->name, "OpenHarmony apps") == 0) {
+ return CERT_TYPE_SYETEM;
+#endif
} else {
return CERT_TYPE_OTHER;
}
diff --git a/interfaces/innerkits/appverify_lite/src/mbedtls_pkcs7.c b/interfaces/innerkits/appverify_lite/src/mbedtls_pkcs7.c
index a069ba8afc140f9d8141b34eaf51f33193638b98..c96b32063e771e236618f1b90015d786dc60a891 100755
--- a/interfaces/innerkits/appverify_lite/src/mbedtls_pkcs7.c
+++ b/interfaces/innerkits/appverify_lite/src/mbedtls_pkcs7.c
@@ -88,20 +88,22 @@ static const unsigned char g_debugModeRootCertInPem[] =
"7XL/vJcp3HeHjiXu7XZmYQ+QAvHPhU0CMCiwWFbDl8ETw4VK25QbwhL/QiUfiRfC\r\n"
"J6LzteOvjLTEV5iebQMz/nS1j7/oj3Rsqg==\r\n"
"-----END CERTIFICATE-----\r\n";
-static mbedtls_x509_crt g_selfSignedCert;
-static const unsigned char g_selfSignedCertInPem[] =
+static mbedtls_x509_crt g_ohosRootCert;
+static const unsigned char g_ohosRootCertInPem[] =
"-----BEGIN CERTIFICATE-----\r\n"
- "MIICCzCCAbCgAwIBAgIEbZe8FTAMBggqhkjOPQQDAgUAMHMxCzAJBgNVBAYTAkNO\r\n"
- "MRQwEgYDVQQKEwtPcGVuSGFybW9ueTElMCMGA1UECxMcT3Blbkhhcm1vbnkgRGV2\r\n"
- "ZWxvcG1lbnQgVGVhbTEnMCUGA1UEAxMeT3Blbkhhcm1vbnkgU29mdHdhcmUgU2ln\r\n"
- "bmF0dXJlMCAXDTIwMTAxNDAzMzAzM1oYDzIwNzAxMDE0MDMzMDMzWjBzMQswCQYD\r\n"
- "VQQGEwJDTjEUMBIGA1UEChMLT3Blbkhhcm1vbnkxJTAjBgNVBAsTHE9wZW5IYXJt\r\n"
- "b255IERldmVsb3BtZW50IFRlYW0xJzAlBgNVBAMTHk9wZW5IYXJtb255IFNvZnR3\r\n"
- "YXJlIFNpZ25hdHVyZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABCP2fr47i2IG\r\n"
- "CKyX7apk865v1ZPVv82wrZEHOqzkPiLTG+o+6EEuuHGLngu9lA7Kc5+LpnhryQLz\r\n"
- "gf9sD625M72jLjAsMAsGA1UdDwQEAwIHgDAdBgNVHQ4EFgQUx2NA8kYsHoN2qGMI\r\n"
- "xmJeHuVVnDUwDAYIKoZIzj0EAwIFAANHADBEAiAHWP8lxpp/FHwHE9H0ESUmejK/\r\n"
- "4lfN9rRcndM/+yB7mwIgEAE9gVW7xCrX509iHZl/iJth7IBySgDM590oelCqVXY=\r\n"
+ "MIICRDCCAcmgAwIBAgIED+E4izAMBggqhkjOPQQDAwUAMGgxCzAJBgNVBAYTAkNO\r\n"
+ "MRQwEgYDVQQKEwtPcGVuSGFybW9ueTEZMBcGA1UECxMQT3Blbkhhcm1vbnkgVGVh\r\n"
+ "bTEoMCYGA1UEAxMfT3Blbkhhcm1vbnkgQXBwbGljYXRpb24gUm9vdCBDQTAeFw0y\r\n"
+ "MTAyMDIxMjE0MThaFw00OTEyMzExMjE0MThaMGgxCzAJBgNVBAYTAkNOMRQwEgYD\r\n"
+ "VQQKEwtPcGVuSGFybW9ueTEZMBcGA1UECxMQT3Blbkhhcm1vbnkgVGVhbTEoMCYG\r\n"
+ "A1UEAxMfT3Blbkhhcm1vbnkgQXBwbGljYXRpb24gUm9vdCBDQTB2MBAGByqGSM49\r\n"
+ "AgEGBSuBBAAiA2IABE023XmRaw2DnO8NSsb+KG/uY0FtS3u5LQucdr3qWVnRW5ui\r\n"
+ "QIL6ttNZBEeLTUeYcJZCpayg9Llf+1SmDA7dY4iP2EcRo4UN3rilovtfFfsmH4ty\r\n"
+ "3SApHVFzWUl+NwdH8KNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\r\n"
+ "AQYwHQYDVR0OBBYEFBc6EKGrGXzlAE+s0Zgnsphadw7NMAwGCCqGSM49BAMDBQAD\r\n"
+ "ZwAwZAIwd1p3JzHN93eoPped1li0j64npgqNzwy4OrkehYAqNXpcpaEcLZ7UxW8E\r\n"
+ "I2lZJ3SbAjAkqySHb12sIwdSFKSN9KCMMEo/eUT5dUXlcKR2nZz0MJdxT5F51qcX\r\n"
+ "1CumzkcYhgU=\r\n"
"-----END CERTIFICATE-----\r\n";
/* valid digest alg now: sha256 sha384 sha512 */
@@ -957,8 +959,8 @@ static int UnLoadDebugModeRootCert(void)
static int LoadSelfSignedCert(void)
{
int rc;
- mbedtls_x509_crt_init(&g_selfSignedCert);
- rc = mbedtls_x509_crt_parse(&g_selfSignedCert, g_selfSignedCertInPem, sizeof(g_selfSignedCertInPem));
+ mbedtls_x509_crt_init(&g_ohosRootCert);
+ rc = mbedtls_x509_crt_parse(&g_ohosRootCert, g_ohosRootCertInPem, sizeof(g_ohosRootCertInPem));
if (rc) {
LOG_ERROR("load self signed ca failed %d", rc);
return rc;
@@ -970,7 +972,7 @@ static int LoadSelfSignedCert(void)
static void UnLoadSelfSignedCert(void)
{
- mbedtls_x509_crt_free(&g_selfSignedCert);
+ mbedtls_x509_crt_free(&g_ohosRootCert);
}
static void DLogCrtVerifyInfo(unsigned int flags)
{
@@ -1072,7 +1074,7 @@ int PKCS7_VerifyCertsChain(const Pkcs7 *pkcs7)
return PKCS7_IS_REVOKED;
}
#ifndef OHOS_SIGN_HAPS_BY_SERVER
- rc = VerifyClicert(clicert, &g_selfSignedCert, pkcs7);
+ rc = VerifyClicert(clicert, &g_ohosRootCert, pkcs7);
LOG_DEBUG("Verify self : %d", rc);
if (rc == PKCS7_SUCC) {
signer = signer->next;
@@ -1121,9 +1123,39 @@ static size_t GetSignersCnt(const SignerInfo *signers)
}
return cnt;
}
+
+static bool IsIncludeRoot(const SignerInfo *signer)
+{
+ mbedtls_x509_crt *pre = signer->certPath.crt;
+ mbedtls_x509_crt *cur = pre;
+ int i = 0;
+ while (i < signer->certPath.depth && cur != NULL) {
+ pre = cur;
+ cur = cur->next;
+ i++;
+ }
+
+ if (pre == NULL) {
+ return false;
+ }
+
+ /* root cert is a self-sign cert */
+ if (CompareX509NameList(&pre->issuer, &pre->subject) == 0) {
+ LOG_INFO("Include root cert");
+ return true;
+ }
+ LOG_INFO("Not include root cert");
+ return false;
+}
+
static size_t GetSignerSignningCertDepth(const SignerInfo *signer)
{
- return signer->certPath.depth + 1; // 1 for root cert;
+ if (IsIncludeRoot(signer)) {
+ return signer->certPath.depth;
+ }
+
+ /* root cert is not included in signer->certPath, add 1 for root cert */
+ return signer->certPath.depth + 1;
}
void PKCS7_FreeAllSignersResolvedInfo(SignersResovedInfo *sri)