From 70eeb9be5421357c3f6307989d2ba78a89dbd63d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=80=9CHJ=E2=80=9D?= <huangjun42@huawei.com>
Date: Mon, 26 Jul 2021 15:09:56 +0800
Subject: [PATCH 1/3] huangjun42@huawei.com
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: “HJ” <huangjun42@huawei.com>
---
 .../OpenHarmonyCer/OpenHarmony.cer            | Bin 527 -> 0 bytes
 .../OpenHarmonyCer/OpenHarmony.jks            | Bin 1158 -> 0 bytes
 .../innerkits/appverify_lite/src/app_verify.c |  14 ++--
 .../appverify_lite/src/mbedtls_pkcs7.c        |  68 +++++++++++++-----
 4 files changed, 59 insertions(+), 23 deletions(-)
 delete mode 100755 interfaces/innerkits/appverify_lite/OpenHarmonyCer/OpenHarmony.cer
 delete mode 100755 interfaces/innerkits/appverify_lite/OpenHarmonyCer/OpenHarmony.jks

diff --git a/interfaces/innerkits/appverify_lite/OpenHarmonyCer/OpenHarmony.cer b/interfaces/innerkits/appverify_lite/OpenHarmonyCer/OpenHarmony.cer
deleted file mode 100755
index 1c856dd34df9ad5b864e265153d0430ab6d1e9f9..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 527
zcmXqLV&XPvV%)HRnTe5!i6wXX9#I1xHV&;ek8`#x%uK8d2E~Tl2Apinp)72|OwN9W
zA_hVr4wo>ue?e-VM`BTKeqN=as(~^{lv`K^NmRilwJbF!zaTd?uS6jvH8Iyv-9Qzj
zj9FL?Sy^y?T1k0gQK~|4W_n&?Noi54fr2=%k%6Isp^1U9F%U&b@EaMJBMS_Svmy<I
z+1SBh!^8*;BxXi-W+w&~<!^QSth<xgIMz&myDH`Ly8Nq?ukJs)VeLeAt2IyTlrBrZ
zvU}mEx1+Fo9{1iUe5Z=%cQ32RKFRdC@qZ5g+MULG7wZ}57;pmvN0y%j81C#12C^Uy
zABz}^$nj){Pi{JL&1EZ+IgTa8$vq97V~QF{%<c>ZE=&sS5&u<>&8iovVHdvmMNn0(
z%4q+i@U!2x#LT^H|68GYHj{z?qitj8?ju^)pZh1t&aCg4o%p7q$cy33^Sc^V0jomG
E03H6L;s5{u

diff --git a/interfaces/innerkits/appverify_lite/OpenHarmonyCer/OpenHarmony.jks b/interfaces/innerkits/appverify_lite/OpenHarmonyCer/OpenHarmony.jks
deleted file mode 100755
index 2b7d4c8a6d676e76ddc05ed099f67297e295af80..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 1158
zcmXqLVrgPxWHxAGv1a4cYV&CO&dbQoxS)wehoy-{11PLw(8MT!BE`ta()iDy@wY+a
z4>oS779K7}rUm5&r3RX8TreS^snRSW|9;iH+__XFVs0Z_)Q)4T{i~Vcb}%tB91dXd
zFgl$2$zAT{l;#x?Y>|g2oPTC1ad)cA$=~nWPW;(n6tKto%<tbu&jjj)mQOsdFw=)C
z(<pw`1jl5ds3$JM8hNW*qM7g9Gb%j6Ygl054R;}@h@qXF4MRRd0YfT79zzC0B0~{F
zE|8zcP|2XcPz+?HF_bWrgT+(9BAE>7K-ol~Xem%_s(~WHFi}Gh7NL;L+*AcaGXo<t
z6Eh=YV<QVggC=GkxFUA81x-wU4VsvKGBGj$sZR(QMwIYi1BJ&VXD*?xC8hT-yIkkf
zFHqe)aouwPaCkH{G3_}2Q(OJZ%c-}U^|!a*+O%W4{Hr@lW3SmeZcZrFYT3Jk```6+
zUZ=us(KlaQySwIP#^#(#R|8#7*5&c~O!L*|-ak{6w3MB>At=2`<NE6*t-PIY-TiZv
zsx#Ho-+L8FTU$QQw5faMxLI<_)sIu|`V|!N94XzCQpb^RH<Nd*eAtwU{y_>ExohQ_
z(=NW}Qu=TG#z324|3a5-%S!YrZWsn%v{=>n-P<K?-7PUbmE|dKckjQq%I)8u*%P-;
zKOZS`VbY)ABMdnw6B+npC-QX5YR=SsX2AY~yXD*c!kHh<co--2FPb&=_uaOMBJIm`
z(zQ7=i{=W4hI!weac1AYQ<2yI3L7}KtMjBB$XqQa)j0WD8PCx_cK^0KRO5Ins<dkF
z-nC78kISELY4ksL@~Fmkdj{V}98)cheeV2s%vLq*@t2>AuR1UNcv528^ZXqq6I3ko
zXHM!A%e!`E#^V=JxoU3@U$bL2xjg&T6Pp^>yW484dU%ds?PZ#}v{v!j8Usf84P5T4
zq<EsEBYf7sweY{g|6k)ZmrG7^)&0e)bGE<x{Vm%|r<-{;+w#5ZbIfnv(feSfclFnf
z3%Pu3zuh`6vlZ>tcf8m9{=$MyMO)@dHXU$gSa&{ckLS-qHHox63m+U1yXOBgMDu^o
z>=PnVJe<6b_2RUWizlXjjyiCE+1m#@c0Os@bTN9y-Z!f32|u2c{g<-}3BNxh;~q!)
ze$CRPFp1u?<?TtOH{ZTq`*E3AQ2xC|MqB!iD+&p0=-u!;a+c|(Aj6aQbnlf+{9bx+
z)jq#W|B2ehR@;B=4-u~V+5cnvm4(ZV*&eQq+41(mnIBEZ-Uokd+J4NiN1=Z~n}Rl1
zqvk#Nx0{!~Uw=gXLjRI2{=Cx|RTAcXRarKJIrvw_v8C@P9of_@xy@ZOZ_=vEvbTP&
zp7*~r!0D#trksk^b<fhay{~NfDUxu)z|KI?fRl|?n~#}Eij{#yBvZ(4+j`A(>2}}T
q+e)uGqu1{{{DMV9!1T7}ncIP)yz@9Xxo<t_Ov|sl&BV;uwg3SCWA=Lh

diff --git a/interfaces/innerkits/appverify_lite/src/app_verify.c b/interfaces/innerkits/appverify_lite/src/app_verify.c
index 09e58a7..30dcf7b 100755
--- a/interfaces/innerkits/appverify_lite/src/app_verify.c
+++ b/interfaces/innerkits/appverify_lite/src/app_verify.c
@@ -53,11 +53,11 @@ static const TrustAppCert g_trustAppList[] = {
 #ifndef OHOS_SIGN_HAPS_BY_SERVER
     {
         .maxCertPath = CERT_MAX_DEPTH,
-        .name = "huawei system apps",
-        .appSignCert = "C=CN, O=OpenHarmony, OU=OpenHarmony Development Team, CN=OpenHarmony Software Signature",
-        .profileSignCert = "C=CN, O=OpenHarmony, OU=OpenHarmony Development Team, CN=OpenHarmony Software Signature",
-        .profileDebugSignCert = "C=CN, O=OpenHarmony, OU=OpenHarmony Development Team, CN=OpenHarmony Software Signature",
-        .issueCA = "C=CN, O=OpenHarmony, OU=OpenHarmony Development Team, CN=OpenHarmony Software Signature",
+        .name = "OpenHarmony apps",
+        .appSignCert = "C=CN, O=OpenHarmony, OU=OpenHarmony Team, CN=OpenHarmony Application Release",
+        .profileSignCert = "C=CN, O=OpenHarmony, OU=OpenHarmony Team, CN=OpenHarmony Application Profile Release",
+        .profileDebugSignCert = "C=CN, O=OpenHarmony, OU=OpenHarmony Team, CN=OpenHarmony Application Profile Debug",
+        .issueCA = "C=CN, O=OpenHarmony, OU=OpenHarmony Team, CN=OpenHarmony Application CA",
     },
 #endif
 };
@@ -367,6 +367,10 @@ static int GetCertTypeBySourceName(const TrustAppCert *cert)
         return CERT_TYPE_APPGALLARY;
     } else if (strcmp(cert->name, "huawei system apps") == 0) {
         return CERT_TYPE_SYETEM;
+#ifndef OHOS_SIGN_HAPS_BY_SERVER
+    } else if (strcmp(cert->name, "OpenHarmony apps") == 0) {
+        return CERT_TYPE_SYETEM;
+#endif
     } else {
         return CERT_TYPE_OTHER;
     }
diff --git a/interfaces/innerkits/appverify_lite/src/mbedtls_pkcs7.c b/interfaces/innerkits/appverify_lite/src/mbedtls_pkcs7.c
index a069ba8..c96b320 100755
--- a/interfaces/innerkits/appverify_lite/src/mbedtls_pkcs7.c
+++ b/interfaces/innerkits/appverify_lite/src/mbedtls_pkcs7.c
@@ -88,20 +88,22 @@ static const unsigned char g_debugModeRootCertInPem[] =
     "7XL/vJcp3HeHjiXu7XZmYQ+QAvHPhU0CMCiwWFbDl8ETw4VK25QbwhL/QiUfiRfC\r\n"
     "J6LzteOvjLTEV5iebQMz/nS1j7/oj3Rsqg==\r\n"
     "-----END CERTIFICATE-----\r\n";
-static mbedtls_x509_crt g_selfSignedCert;
-static const unsigned char g_selfSignedCertInPem[] =
+static mbedtls_x509_crt g_ohosRootCert;
+static const unsigned char g_ohosRootCertInPem[] =
     "-----BEGIN CERTIFICATE-----\r\n"
-    "MIICCzCCAbCgAwIBAgIEbZe8FTAMBggqhkjOPQQDAgUAMHMxCzAJBgNVBAYTAkNO\r\n"
-    "MRQwEgYDVQQKEwtPcGVuSGFybW9ueTElMCMGA1UECxMcT3Blbkhhcm1vbnkgRGV2\r\n"
-    "ZWxvcG1lbnQgVGVhbTEnMCUGA1UEAxMeT3Blbkhhcm1vbnkgU29mdHdhcmUgU2ln\r\n"
-    "bmF0dXJlMCAXDTIwMTAxNDAzMzAzM1oYDzIwNzAxMDE0MDMzMDMzWjBzMQswCQYD\r\n"
-    "VQQGEwJDTjEUMBIGA1UEChMLT3Blbkhhcm1vbnkxJTAjBgNVBAsTHE9wZW5IYXJt\r\n"
-    "b255IERldmVsb3BtZW50IFRlYW0xJzAlBgNVBAMTHk9wZW5IYXJtb255IFNvZnR3\r\n"
-    "YXJlIFNpZ25hdHVyZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABCP2fr47i2IG\r\n"
-    "CKyX7apk865v1ZPVv82wrZEHOqzkPiLTG+o+6EEuuHGLngu9lA7Kc5+LpnhryQLz\r\n"
-    "gf9sD625M72jLjAsMAsGA1UdDwQEAwIHgDAdBgNVHQ4EFgQUx2NA8kYsHoN2qGMI\r\n"
-    "xmJeHuVVnDUwDAYIKoZIzj0EAwIFAANHADBEAiAHWP8lxpp/FHwHE9H0ESUmejK/\r\n"
-    "4lfN9rRcndM/+yB7mwIgEAE9gVW7xCrX509iHZl/iJth7IBySgDM590oelCqVXY=\r\n"
+    "MIICRDCCAcmgAwIBAgIED+E4izAMBggqhkjOPQQDAwUAMGgxCzAJBgNVBAYTAkNO\r\n"
+    "MRQwEgYDVQQKEwtPcGVuSGFybW9ueTEZMBcGA1UECxMQT3Blbkhhcm1vbnkgVGVh\r\n"
+    "bTEoMCYGA1UEAxMfT3Blbkhhcm1vbnkgQXBwbGljYXRpb24gUm9vdCBDQTAeFw0y\r\n"
+    "MTAyMDIxMjE0MThaFw00OTEyMzExMjE0MThaMGgxCzAJBgNVBAYTAkNOMRQwEgYD\r\n"
+    "VQQKEwtPcGVuSGFybW9ueTEZMBcGA1UECxMQT3Blbkhhcm1vbnkgVGVhbTEoMCYG\r\n"
+    "A1UEAxMfT3Blbkhhcm1vbnkgQXBwbGljYXRpb24gUm9vdCBDQTB2MBAGByqGSM49\r\n"
+    "AgEGBSuBBAAiA2IABE023XmRaw2DnO8NSsb+KG/uY0FtS3u5LQucdr3qWVnRW5ui\r\n"
+    "QIL6ttNZBEeLTUeYcJZCpayg9Llf+1SmDA7dY4iP2EcRo4UN3rilovtfFfsmH4ty\r\n"
+    "3SApHVFzWUl+NwdH8KNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC\r\n"
+    "AQYwHQYDVR0OBBYEFBc6EKGrGXzlAE+s0Zgnsphadw7NMAwGCCqGSM49BAMDBQAD\r\n"
+    "ZwAwZAIwd1p3JzHN93eoPped1li0j64npgqNzwy4OrkehYAqNXpcpaEcLZ7UxW8E\r\n"
+    "I2lZJ3SbAjAkqySHb12sIwdSFKSN9KCMMEo/eUT5dUXlcKR2nZz0MJdxT5F51qcX\r\n"
+    "1CumzkcYhgU=\r\n"
     "-----END CERTIFICATE-----\r\n";
 
 /* valid digest alg now: sha256 sha384 sha512 */
@@ -957,8 +959,8 @@ static int UnLoadDebugModeRootCert(void)
 static int LoadSelfSignedCert(void)
 {
     int rc;
-    mbedtls_x509_crt_init(&g_selfSignedCert);
-    rc = mbedtls_x509_crt_parse(&g_selfSignedCert, g_selfSignedCertInPem, sizeof(g_selfSignedCertInPem));
+    mbedtls_x509_crt_init(&g_ohosRootCert);
+    rc = mbedtls_x509_crt_parse(&g_ohosRootCert, g_ohosRootCertInPem, sizeof(g_ohosRootCertInPem));
     if (rc) {
         LOG_ERROR("load self signed ca failed %d", rc);
         return rc;
@@ -970,7 +972,7 @@ static int LoadSelfSignedCert(void)
 
 static void UnLoadSelfSignedCert(void)
 {
-    mbedtls_x509_crt_free(&g_selfSignedCert);
+    mbedtls_x509_crt_free(&g_ohosRootCert);
 }
 static void DLogCrtVerifyInfo(unsigned int flags)
 {
@@ -1072,7 +1074,7 @@ int PKCS7_VerifyCertsChain(const Pkcs7 *pkcs7)
             return PKCS7_IS_REVOKED;
         }
 #ifndef OHOS_SIGN_HAPS_BY_SERVER
-        rc = VerifyClicert(clicert, &g_selfSignedCert, pkcs7);
+        rc = VerifyClicert(clicert, &g_ohosRootCert, pkcs7);
         LOG_DEBUG("Verify self : %d", rc);
         if (rc == PKCS7_SUCC) {
             signer = signer->next;
@@ -1121,9 +1123,39 @@ static size_t GetSignersCnt(const SignerInfo *signers)
     }
     return cnt;
 }
+
+static bool IsIncludeRoot(const SignerInfo *signer)
+{
+    mbedtls_x509_crt *pre = signer->certPath.crt;
+    mbedtls_x509_crt *cur = pre;
+    int i = 0;
+    while (i < signer->certPath.depth && cur != NULL) {
+        pre = cur;
+        cur = cur->next;
+        i++;
+    }
+
+    if (pre == NULL) {
+        return false;
+    }
+
+    /* root cert is a self-sign cert */
+    if (CompareX509NameList(&pre->issuer, &pre->subject) == 0) {
+        LOG_INFO("Include root cert");
+        return true;
+    }
+    LOG_INFO("Not include root cert");
+    return false;
+}
+
 static size_t GetSignerSignningCertDepth(const SignerInfo *signer)
 {
-    return signer->certPath.depth + 1; // 1 for root cert;
+    if (IsIncludeRoot(signer)) {
+        return signer->certPath.depth;
+    }
+
+    /* root cert is not included in signer->certPath, add 1 for root cert */
+    return signer->certPath.depth + 1;
 }
 
 void PKCS7_FreeAllSignersResolvedInfo(SignersResovedInfo *sri)
-- 
Gitee


From 940a77227485344c2cef0a13dbab69e4e3fa5613 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=80=9CHJ=E2=80=9D?= <huangjun42@huawei.com>
Date: Mon, 2 Aug 2021 13:13:09 +0800
Subject: [PATCH 2/3] huangjun42@huawei.com
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: “HJ” <huangjun42@huawei.com>
---
 interfaces/innerkits/appverify/BUILD.gn       |  8 +-
 .../include/init/device_type_manager.h        | 48 +++++++++++
 .../appverify/include/init/hap_crl_manager.h  |  4 +-
 .../appverify/include/init/trusted_root_ca.h  |  4 +-
 .../include/init/trusted_source_manager.h     |  2 +-
 .../src/init/device_type_manager.cpp          | 84 +++++++++++++++++++
 .../appverify/src/init/trusted_root_ca.cpp    |  2 +-
 .../src/init/trusted_source_manager.cpp       |  2 +-
 .../appverify/src/interfaces/hap_verify.cpp   |  3 +
 .../src/provision/provision_verify.cpp        | 58 ++++++++-----
 10 files changed, 186 insertions(+), 29 deletions(-)
 create mode 100644 interfaces/innerkits/appverify/include/init/device_type_manager.h
 create mode 100644 interfaces/innerkits/appverify/src/init/device_type_manager.cpp

diff --git a/interfaces/innerkits/appverify/BUILD.gn b/interfaces/innerkits/appverify/BUILD.gn
index 8c8a29c..65a1fb4 100644
--- a/interfaces/innerkits/appverify/BUILD.gn
+++ b/interfaces/innerkits/appverify/BUILD.gn
@@ -30,6 +30,7 @@ ohos_shared_library("libhapverify") {
     "src/common/hap_byte_buffer_data_source.cpp",
     "src/common/hap_file_data_source.cpp",
     "src/common/random_access_file.cpp",
+    "src/init/device_type_manager.cpp",
     "src/init/hap_crl_manager.cpp",
     "src/init/json_parser_utils.cpp",
     "src/init/trusted_root_ca.cpp",
@@ -52,7 +53,7 @@ ohos_shared_library("libhapverify") {
     "-fvisibility=hidden",
   ]
 
-  ldflags = [ "-Wl,--exclude-libs,ALL" ]
+  ldflags = [ "-Wl,--exclude-libs=libcrypto_static.a" ]
 
   deps = [
     "//third_party/openssl:libcrypto_static",
@@ -72,6 +73,11 @@ ohos_shared_library("libhapverify") {
       "ipc:ipc_core",
       "os_account:libaccountkits",
     ]
+
+    if (!build_public_version) {
+      deps += [ "//base/security/securityadapter/interfaces/innerkits/securitydiagnose:libsecuritydiagnose_static" ]
+      defines = [ "SUPPORT_GET_DEVICE_TYPES" ]
+    }
   }
 
   part_name = "appverify"
diff --git a/interfaces/innerkits/appverify/include/init/device_type_manager.h b/interfaces/innerkits/appverify/include/init/device_type_manager.h
new file mode 100644
index 0000000..4bb7d9f
--- /dev/null
+++ b/interfaces/innerkits/appverify/include/init/device_type_manager.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2021 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef OHOS_DEVICE_TYPE_MANAGER_H
+#define OHOS_DEVICE_TYPE_MANAGER_H
+
+#include "common/export_define.h"
+
+#include <mutex>
+
+namespace OHOS {
+namespace Security {
+namespace Verify {
+class DeviceTypeManager {
+public:
+    DLL_EXPORT static DeviceTypeManager& GetInstance();
+    DLL_EXPORT bool GetDeviceTypeInfo();
+    /* Forbid replication constructs and replication */
+    DeviceTypeManager(const DeviceTypeManager& deviceTypeManager) = delete;
+    DeviceTypeManager& operator = (const DeviceTypeManager& deviceTypeManager) = delete;
+
+private:
+    DeviceTypeManager();
+    ~DeviceTypeManager();
+
+    bool GetDeviceType();
+
+private:
+    /* true: debugging type; false: commercial type */
+    bool deviceType;
+    std::mutex getDeviceTypeMtx;
+};
+} // namespace Verify
+} // namespace Security
+} // namespace OHOS
+#endif // OHOS_DEVICE_TYPE_MANAGER_H
\ No newline at end of file
diff --git a/interfaces/innerkits/appverify/include/init/hap_crl_manager.h b/interfaces/innerkits/appverify/include/init/hap_crl_manager.h
index 3c50878..cc4469f 100644
--- a/interfaces/innerkits/appverify/include/init/hap_crl_manager.h
+++ b/interfaces/innerkits/appverify/include/init/hap_crl_manager.h
@@ -43,8 +43,8 @@ private:
     ~HapCrlManager();
 
     /* Forbid external replication constructs and external replication */
-    HapCrlManager(const HapCrlManager& hapCrlManager);
-    const HapCrlManager& operator=(const HapCrlManager& hapCrlManager);
+    HapCrlManager(const HapCrlManager& hapCrlManager) = delete;
+    HapCrlManager& operator = (const HapCrlManager& hapCrlManager) = delete;
 
     DLL_EXPORT X509_CRL* GetFinalCrl(X509_CRL* crlInPackage, Pkcs7Context& pkcs7Context);
     DLL_EXPORT X509_CRL* GetCrlByIssuer(const std::string& issuer);
diff --git a/interfaces/innerkits/appverify/include/init/trusted_root_ca.h b/interfaces/innerkits/appverify/include/init/trusted_root_ca.h
index af98958..297b832 100644
--- a/interfaces/innerkits/appverify/include/init/trusted_root_ca.h
+++ b/interfaces/innerkits/appverify/include/init/trusted_root_ca.h
@@ -42,8 +42,8 @@ private:
     ~TrustedRootCa();
 
     /* Forbid external replication constructs and external replication */
-    TrustedRootCa(const TrustedRootCa& trustedRoot);
-    const TrustedRootCa& operator=(const TrustedRootCa& trustedRoot);
+    TrustedRootCa(const TrustedRootCa& trustedRoot) = delete;
+    TrustedRootCa& operator = (const TrustedRootCa& trustedRoot) = delete;
 
     DLL_EXPORT bool GetTrustedRootCAFromJson(StringCertMap& rootCertMap, const std::string& filePath);
     X509* FindMatchedRoot(const StringCertMap& rootCertMap, X509* caCert);
diff --git a/interfaces/innerkits/appverify/include/init/trusted_source_manager.h b/interfaces/innerkits/appverify/include/init/trusted_source_manager.h
index a922a5f..42a789c 100644
--- a/interfaces/innerkits/appverify/include/init/trusted_source_manager.h
+++ b/interfaces/innerkits/appverify/include/init/trusted_source_manager.h
@@ -55,7 +55,7 @@ private:
 
     /* Forbid external replication constructs and external replication */
     TrustedSourceManager(const TrustedSourceManager& trustedSource) = delete;
-    const TrustedSourceManager& operator=(const TrustedSourceManager& trustedSource) = delete;
+    TrustedSourceManager& operator = (const TrustedSourceManager& trustedSource) = delete;
 
     bool GetAppTrustedSources(SourceInfoVec& trustedAppSources, std::string& souucesVersion,
         std::string& souucesReleaseTime, const std::string& filePath);
diff --git a/interfaces/innerkits/appverify/src/init/device_type_manager.cpp b/interfaces/innerkits/appverify/src/init/device_type_manager.cpp
new file mode 100644
index 0000000..f5ad8aa
--- /dev/null
+++ b/interfaces/innerkits/appverify/src/init/device_type_manager.cpp
@@ -0,0 +1,84 @@
+/*
+ * Copyright (C) 2021 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "init/device_type_manager.h"
+
+#include "common/hap_verify_log.h"
+#include "init/trusted_root_ca.h"
+#include "init/trusted_source_manager.h"
+
+#ifdef SUPPORT_GET_DEVICE_TYPES
+#include "security_device_mode.h"
+#endif // SUPPORT_GET_DEVICE_TYPES
+
+namespace OHOS {
+namespace Security {
+namespace Verify {
+DeviceTypeManager& DeviceTypeManager::GetInstance()
+{
+    static DeviceTypeManager deviceTypeManager;
+    return deviceTypeManager;
+}
+
+DeviceTypeManager::DeviceTypeManager() : deviceType(false), getDeviceTypeMtx()
+{
+}
+
+DeviceTypeManager::~DeviceTypeManager()
+{
+}
+
+bool DeviceTypeManager::GetDeviceType()
+{
+#ifndef SUPPORT_GET_DEVICE_TYPES
+    return false;
+#else
+    return InvokeIsDevelopmentMode();
+#endif // SUPPORT_GET_DEVICE_TYPES
+}
+
+bool DeviceTypeManager::GetDeviceTypeInfo()
+{
+    bool currentDeviceType = GetDeviceType();
+    HAPVERIFY_LOG_DEBUG(LABEL, "current device is type: %{public}d", static_cast<int>(currentDeviceType));
+
+    if (currentDeviceType == deviceType) {
+        return currentDeviceType;
+    }
+
+    TrustedRootCa& rootCertsObj = TrustedRootCa::GetInstance();
+    TrustedSourceManager& trustedAppSourceManager = TrustedSourceManager::GetInstance();
+    getDeviceTypeMtx.lock();
+    if (currentDeviceType) {
+        /* Device type change from  commercial to debugging */
+        bool ret = rootCertsObj.EnableDebug() && trustedAppSourceManager.EnableDebug();
+        if (!ret) {
+            HAPVERIFY_LOG_ERROR(LABEL, "Enable debug failed");
+            rootCertsObj.DisableDebug();
+            trustedAppSourceManager.DisableDebug();
+            return currentDeviceType;
+        }
+    } else {
+        /* Device type change from debugging to commercial */
+        rootCertsObj.DisableDebug();
+        trustedAppSourceManager.DisableDebug();
+    }
+    deviceType = currentDeviceType;
+    getDeviceTypeMtx.unlock();
+    return currentDeviceType;
+}
+} // namespace Verify
+} // namespace Security
+} // namespace OHOS
\ No newline at end of file
diff --git a/interfaces/innerkits/appverify/src/init/trusted_root_ca.cpp b/interfaces/innerkits/appverify/src/init/trusted_root_ca.cpp
index 68e2d23..fbf154b 100644
--- a/interfaces/innerkits/appverify/src/init/trusted_root_ca.cpp
+++ b/interfaces/innerkits/appverify/src/init/trusted_root_ca.cpp
@@ -61,11 +61,11 @@ bool TrustedRootCa::EnableDebug()
 
 void TrustedRootCa::DisableDebug()
 {
+    isDebug = false;
     for (auto& rootCert : rootCertsForTest) {
         X509_free(rootCert.second);
     }
     rootCertsForTest.clear();
-    isDebug = false;
 }
 
 bool TrustedRootCa::Init()
diff --git a/interfaces/innerkits/appverify/src/init/trusted_source_manager.cpp b/interfaces/innerkits/appverify/src/init/trusted_source_manager.cpp
index ae8adb0..127cc79 100644
--- a/interfaces/innerkits/appverify/src/init/trusted_source_manager.cpp
+++ b/interfaces/innerkits/appverify/src/init/trusted_source_manager.cpp
@@ -73,8 +73,8 @@ bool TrustedSourceManager::EnableDebug()
 
 void TrustedSourceManager::DisableDebug()
 {
-    appTrustedSourcesForTest.clear();
     isDebug = false;
+    appTrustedSourcesForTest.clear();
 }
 
 bool TrustedSourceManager::Init()
diff --git a/interfaces/innerkits/appverify/src/interfaces/hap_verify.cpp b/interfaces/innerkits/appverify/src/interfaces/hap_verify.cpp
index 1235663..754cc6e 100644
--- a/interfaces/innerkits/appverify/src/interfaces/hap_verify.cpp
+++ b/interfaces/innerkits/appverify/src/interfaces/hap_verify.cpp
@@ -17,6 +17,7 @@
 
 #include <mutex>
 
+#include "init/device_type_manager.h"
 #include "init/hap_crl_manager.h"
 #include "init/trusted_root_ca.h"
 #include "init/trusted_source_manager.h"
@@ -33,6 +34,7 @@ bool HapVerifyInit()
     TrustedRootCa& rootCertsObj = TrustedRootCa::GetInstance();
     TrustedSourceManager& trustedAppSourceManager = TrustedSourceManager::GetInstance();
     HapCrlManager& hapCrlManager = HapCrlManager::GetInstance();
+    DeviceTypeManager& deviceTypeManager = DeviceTypeManager::GetInstance();
     g_mtx.lock();
     g_isInit = rootCertsObj.Init() && trustedAppSourceManager.Init();
     if (!g_isInit) {
@@ -40,6 +42,7 @@ bool HapVerifyInit()
         trustedAppSourceManager.Recovery();
     }
     hapCrlManager.Init();
+    deviceTypeManager.GetDeviceTypeInfo();
     g_mtx.unlock();
     return g_isInit;
 }
diff --git a/interfaces/innerkits/appverify/src/provision/provision_verify.cpp b/interfaces/innerkits/appverify/src/provision/provision_verify.cpp
index 56304f9..2e31c9d 100644
--- a/interfaces/innerkits/appverify/src/provision/provision_verify.cpp
+++ b/interfaces/innerkits/appverify/src/provision/provision_verify.cpp
@@ -27,6 +27,7 @@
 #endif // STANDARD_SYSTEM
 
 #include "common/hap_verify_log.h"
+#include "init/device_type_manager.h"
 
 using namespace std;
 using namespace nlohmann;
@@ -202,6 +203,20 @@ AppProvisionVerifyResult ParseProvision(const string& appProvision, ProvisionInf
     return PROVISION_OK;
 }
 
+inline bool CheckDeviceID(const std::vector<std::string>& deviceIds, const string& deviceId)
+{
+    auto iter = find(deviceIds.begin(), deviceIds.end(), deviceId);
+    if (iter == deviceIds.end()) {
+        DeviceTypeManager& deviceTypeManager = DeviceTypeManager::GetInstance();
+        if (!deviceTypeManager.GetDeviceTypeInfo()) {
+            HAPVERIFY_LOG_ERROR(LABEL, "current device is not authorized");
+            return false;
+        }
+        HAPVERIFY_LOG_INFO(LABEL, "current device is a debug device");
+    }
+    return true;
+}
+
 AppProvisionVerifyResult CheckDeviceID(ProvisionInfo& info)
 {
     // Checking device ids
@@ -209,39 +224,40 @@ AppProvisionVerifyResult CheckDeviceID(ProvisionInfo& info)
         HAPVERIFY_LOG_ERROR(LABEL, "device-id list is empty.");
         return PROVISION_DEVICE_UNAUTHORIZED;
     }
+
     if (info.debugInfo.deviceIds.size() > MAXIMUM_NUM_DEVICES) {
         HAPVERIFY_LOG_ERROR(LABEL, "No. of device IDs in list exceed maximum number %{public}d", MAXIMUM_NUM_DEVICES);
         return PROVISION_NUM_DEVICE_EXCEEDED;
     }
+
+    if (info.debugInfo.deviceIdType != VALUE_DEVICE_ID_TYPE_UDID) {
+        HAPVERIFY_LOG_ERROR(LABEL, "type of device ID is not supported.");
+        return PROVISION_UNSUPPORTED_DEVICE_TYPE;
+    }
+
     string deviceId;
-    if (info.debugInfo.deviceIdType == VALUE_DEVICE_ID_TYPE_UDID) {
 #ifndef STANDARD_SYSTEM
-        int32_t ret = OHOS::AccountSA::OhosAccountKits::GetInstance().GetUdid(deviceId);
-        if (ret != 0) {
-            HAPVERIFY_LOG_ERROR(LABEL, "obtaining current device id failed (%{public}d).", ret);
-            return PROVISION_DEVICE_UNAUTHORIZED;
-        }
+    int32_t ret = OHOS::AccountSA::OhosAccountKits::GetInstance().GetUdid(deviceId);
+    if (ret != 0) {
+        HAPVERIFY_LOG_ERROR(LABEL, "obtaining current device id failed (%{public}d).", ret);
+        return PROVISION_DEVICE_UNAUTHORIZED;
+    }
 #else
-        char udid[DEV_UUID_LEN] = {0};
-        int ret = GetDevUdid(udid, sizeof(udid));
-        if (ret != EC_SUCCESS) {
-            HAPVERIFY_LOG_ERROR(LABEL, "obtaining current device id failed (%{public}d).", static_cast<int>(ret));
-            return PROVISION_DEVICE_UNAUTHORIZED;
-        }
-        deviceId = std::string(udid, sizeof(udid) - 1);
-        HAPVERIFY_LOG_INFO(LABEL, "L2 UDID:%{public}s, len:%{public}d.", deviceId.c_str(), deviceId.size());
-#endif // STANDARD_SYSTEM
-    } else {
-        HAPVERIFY_LOG_ERROR(LABEL, "type of device ID is not supported.");
-        return PROVISION_UNSUPPORTED_DEVICE_TYPE;
+    char udid[DEV_UUID_LEN] = {0};
+    int ret = GetDevUdid(udid, sizeof(udid));
+    if (ret != EC_SUCCESS) {
+        HAPVERIFY_LOG_ERROR(LABEL, "obtaining current device id failed (%{public}d).", static_cast<int>(ret));
+        return PROVISION_DEVICE_UNAUTHORIZED;
     }
+    deviceId = std::string(udid, sizeof(udid) - 1);
+    HAPVERIFY_LOG_INFO(LABEL, "L2 UDID:%{public}s, len:%{public}d.", deviceId.c_str(), deviceId.size());
+#endif // STANDARD_SYSTEM
     if (deviceId.empty()) {
         HAPVERIFY_LOG_ERROR(LABEL, "device-id of current device is empty.");
         return PROVISION_DEVICE_UNAUTHORIZED;
     }
-    auto iter = find(info.debugInfo.deviceIds.begin(), info.debugInfo.deviceIds.end(), deviceId);
-    if (iter == info.debugInfo.deviceIds.end()) {
-        HAPVERIFY_LOG_ERROR(LABEL, "current device is not authorized.");
+
+    if (!CheckDeviceID(info.debugInfo.deviceIds, deviceId)) {
         return PROVISION_DEVICE_UNAUTHORIZED;
     }
     return PROVISION_OK;
-- 
Gitee


From a732379c3d5073d26b4561832f02e4e913072bf7 Mon Sep 17 00:00:00 2001
From: HJ <huangjun42@huawei.com>
Date: Thu, 5 Aug 2021 02:44:07 +0000
Subject: [PATCH 3/3] =?UTF-8?q?OAT=E6=89=AB=E6=8F=8F=E8=A7=84=E5=88=99?=
 =?UTF-8?q?=E9=85=8D=E7=BD=AE?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 OAT.XML | 60 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)
 create mode 100644 OAT.XML

diff --git a/OAT.XML b/OAT.XML
new file mode 100644
index 0000000..1cd742d
--- /dev/null
+++ b/OAT.XML
@@ -0,0 +1,60 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Copyright (c) 2021 Huawei Device Co., Ltd.
+
+     Licensed under the Apache License, Version 2.0 (the "License");
+     you may not use this file except in compliance with the License.
+     You may obtain a copy of the License at
+
+          http://www.apache.org/licenses/LICENSE-2.0
+
+     Unless required by applicable law or agreed to in writing, software
+     distributed under the License is distributed on an "AS IS" BASIS,
+     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+     See the License for the specific language governing permissions and
+     limitations under the License.
+
+    This is the configuration file template for OpenHarmony OSS Audit Tool, please copy it to your project root dir and modify it refer to OpenHarmony/tools_oat/README.
+
+-->
+
+<configuration>
+    <oatconfig>
+        <licensefile></licensefile>
+        <policylist>
+            <policy name="projectPolicy" desc="">
+                <!--policyitem type="compatibility" name="GPL-2.0+" path="abc/.*" desc="Process that runs independently, invoked by the X process."/-->
+                <!--policyitem type="license" name="LGPL" path="abc/.*" desc="Dynamically linked by module X"/-->
+                <!--policyitem type="copyright" name="xxx" path="abc/.*" rule="may" group="defaultGroup" filefilter="copyrightPolicyFilter" desc="Developed by X Company"/-->
+            </policy>
+        </policylist>
+        <filefilterlist>
+            <filefilter name="defaultFilter" desc="Files not to check">
+                <filteritem type="filename" name="*.uvwxyz" desc="Describe the reason for filtering scan results"/>
+                <filteritem type="filepath" name="dir name underproject/.*.uvwxyz" desc="Describe the reason for filtering scan results"/>
+                <filteritem type="filepath" name="projectroot/[a-zA-Z0-9]{20,}.sh" desc="Temp files"/>
+            </filefilter>
+            <filefilter name="defaultPolicyFilter" desc="Filters for compatibility，license header policies">
+            </filefilter>
+            <filefilter name="copyrightPolicyFilter" desc="Filters for copyright header policies">
+            </filefilter>
+            <filefilter name="licenseFileNamePolicyFilter" desc="Filters for LICENSE file policies">
+            </filefilter>
+            <filefilter name="readmeFileNamePolicyFilter" desc="Filters for README file policies">
+            </filefilter>
+            <filefilter name="readmeOpenSourcefileNamePolicyFilter" desc="Filters for README.OpenSource file policies">
+            </filefilter>
+            <filefilter name="binaryFileTypePolicyFilter" desc="Filters for binary file policies">
+                <filteritem type="filepath" name="base/security/appverify/figures/image_appverify.png" desc="Picture of module architecture in README"/>
+                <filteritem type="filepath" name="base/security/appverify/figures/zh-cn_image_appverify.png" desc="Picture of module architecture in README"/>
+            </filefilter>
+
+        </filefilterlist>
+        <licensematcherlist>
+            <licensematcher name="uvwxyz License" desc="If the scanning result is InvalidLicense, you can define matching rules here. Note that quotation marks must be escaped.">
+                <licensetext name="
+                    uvwxyz license text xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+				 " desc=""/>
+            </licensematcher>
+        </licensematcherlist>
+    </oatconfig>
+</configuration>
-- 
Gitee