From f3485928d9f7ea402ae7e412faf604d005b4a362 Mon Sep 17 00:00:00 2001
From: lihehe
Date: Mon, 1 Apr 2024 16:15:23 +0800
Subject: [PATCH] add dfx info and skip time check during validation of local code signing certs.

Signed-off-by: lihehe
Change-Id: I59edef69ba093706c960c9407890fc413e61e4fc
---
 utils/include/openssl_utils.h | 1 +
 utils/src/huks_attest_verifier.cpp | 25 ++++++++++++++++++++++++
 utils/src/openssl_utils.cpp | 31 ++++++++++++++++++++++++++++++
 3 files changed, 57 insertions(+)

diff --git a/utils/include/openssl_utils.h b/utils/include/openssl_utils.h
index 98054ce..c4a5d4f 100644
--- a/utils/include/openssl_utils.h
+++ b/utils/include/openssl_utils.h
@@ -40,6 +40,7 @@ X509 *LoadCertFromBuffer(const uint8_t *buffer, const uint32_t size);
 STACK_OF(X509) *MakeStackOfCerts(const std::vector &certChain);
 int CreateNIDFromOID(const std::string &oid, const std::string &shortName, const std::string &longName);
+bool ConvertCertToPEMString(const ByteBuffer &cert, std::string &pemString);
 }
 }
 }
diff --git a/utils/src/huks_attest_verifier.cpp b/utils/src/huks_attest_verifier.cpp
index 8485dce..c5056b5 100644
--- a/utils/src/huks_attest_verifier.cpp
+++ b/utils/src/huks_attest_verifier.cpp
@@ -128,6 +128,8 @@ static bool VerifyIssurCert(X509 *cert, STACK_OF(X509) *chain)
 break;
 }
 X509_STORE_CTX_set_purpose(storeCtx, X509_PURPOSE_ANY);
+ // because user can set date of device, validation skip time check for fool-proofing
+ X509_STORE_CTX_set_flags(storeCtx, X509_V_FLAG_NO_CHECK_TIME);
 int index = X509_verify_cert(storeCtx);
 if (index <= 0) {
 index = X509_STORE_CTX_get_error(storeCtx);
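Review bot: The new declaration `bool ConvertCertToPEMString(const ByteBuffer &cert, std::string &pemString);` names its first parameter `cert`, while the definition added to openssl_utils.cpp later in this patch calls it `certBuffer`; the header should use the same name, `bool ConvertCertToPEMString(const ByteBuffer &certBuffer, std::string &pemString);`, so the declaration is not read as taking an X509 object. A short comment above it stating the contract the definition actually has would help callers: `// Re-encodes a certificate buffer as PEM into pemString; returns false (pemString unchanged) if the buffer does not load as a certificate or PEM encoding fails.`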
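Review bot: `X509_STORE_CTX_set_flags(storeCtx, X509_V_FLAG_NO_CHECK_TIME)` disables the notBefore/notAfter check for every certificate in the chain, so an expired issuer or signing certificate is accepted indefinitely rather than only while the device clock is wrong; this is a deliberate weakening of the verification policy and the comment should say so instead of "fool-proofing". Proposed comment: `// Device time is user-settable, so the validity period is not checked here; expired or not-yet-valid certificates are therefore accepted, and any period enforcement must come from a trusted time source elsewhere.` If a trusted time is available to this code, passing it via `X509_STORE_CTX_set_time` is preferable to dropping the check entirely; otherwise a verify callback installed with `X509_STORE_CTX_set_verify_cb` that records `X509_V_ERR_CERT_HAS_EXPIRED` / `X509_V_ERR_CERT_NOT_YET_VALID` without failing the chain would keep the relaxation observable in logs. The enclosing `VerifyIssurCert` starts and ends outside this hunk, so whether this context is used only for local code-signing chains cannot be confirmed here.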
@@ -230,6 +232,26 @@ static bool VerifyExtension(X509 *cert, const ByteBuffer &challenge)
 return true;
 }
+static void ShowCertInfo(const std::vector &certChainBuffer,
+ const ByteBuffer &issuerBuffer, const ByteBuffer &certBuffer)
+{
+ std::string pem;
+ LOG_INFO("Dump cert chain");
+ for (auto cert: certChainBuffer) {
+ if (ConvertCertToPEMString(cert, pem)) {
+ LOG_INFO("%{private}s", pem.c_str());
+ }
+ }
+ LOG_INFO("Dump issuer cert");
+ if (ConvertCertToPEMString(issuerBuffer, pem)) {
+ LOG_INFO("%{private}s", pem.c_str());
+ }
+ LOG_INFO("Dump signing cert");
+ if (ConvertCertToPEMString(certBuffer, pem)) {
+ LOG_INFO("%{private}s", pem.c_str());
+ }
+}
+
 bool GetVerifiedCert(const ByteBuffer &buffer, const ByteBuffer &challenge, ByteBuffer &certBuffer)
 {
 std::vector certChainBuffer;
@@ -281,6 +303,9 @@ bool GetVerifiedCert(const ByteBuffer &buffer, const ByteBuffer &challenge, Byte
 X509_free(signCert);
 X509_free(issuerCert);
 sk_X509_pop_free(certChain, X509_free);
+ if (!ret) {
+ ShowCertInfo(certChainBuffer, issuerBuffer, certBuffer);
+ }
 return ret;
 }
 }
diff --git a/utils/src/openssl_utils.cpp b/utils/src/openssl_utils.cpp
index 0f41c5c..7397a57 100644
--- a/utils/src/openssl_utils.cpp
+++ b/utils/src/openssl_utils.cpp
@@ -15,6 +15,7 @@
 #include "openssl_utils.h"
+#include
 #include "log.h"
 namespace OHOS {
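Review bot: `for (auto cert: certChainBuffer)` copies every `ByteBuffer` in the chain on each iteration although the body only reads it; the idiomatic form is `for (const auto &cert : certChainBuffer) {`. A PEM-encoded certificate spans many lines and is typically more than a kilobyte, so a single `LOG_INFO("%{private}s", pem.c_str())` per certificate is likely to be cut by the logger's per-message limit — if that limit applies here, splitting `pem` on newlines before logging keeps the dump usable; and because the format is `%{private}`, the output will presumably be redacted outside debug builds, which should be confirmed as the intended scope of this DFX data. A one-line header comment would also help, e.g. `// Logs the candidate chain, issuer and signing cert as PEM after a failed verification; the dump is private-tagged and skips buffers that do not load as certificates.`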
@@ -46,6 +47,36 @@ X509 *LoadCertFromBuffer(const uint8_t *buffer, const uint32_t size)
 return cert;
 }
+bool ConvertCertToPEMString(const ByteBuffer &certBuffer, std::string &pemString)
+{
+ X509 *cert = LoadCertFromBuffer(certBuffer.GetBuffer(), certBuffer.GetSize());
+ if (cert == nullptr) {
+ return false;
+ }
+ BIO *mem = BIO_new(BIO_s_mem());
+ if (mem == nullptr) {
+ X509_free(cert);
+ return false;
+ }
+ bool ret = false;
+ do {
+ if (!PEM_write_bio_X509(mem, cert)) {
+ ERR_LOG_WITH_OPEN_SSL_MSG("convert to pem failed.");
+ break;
+ }
+ uint8_t *outData = nullptr;
+ uint32_t len = BIO_get_mem_data(mem, &outData);
+ if (len < 0) {
+ break;
+ }
+ pemString = std::string(reinterpret_cast(outData), len);
+ ret = true;
+ } while (0);
+ BIO_free(mem);
+ X509_free(cert);
+ return ret;
+}
+
 STACK_OF(X509) *MakeStackOfCerts(const std::vector &certChain)
 {
 STACK_OF(X509)* certs = sk_X509_new_null();
--
Gitee
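Review bot: `uint32_t len = BIO_get_mem_data(mem, &outData);` followed by `if (len < 0)` can never take the error branch, because `len` is unsigned; `BIO_get_mem_data` yields a `long`, and a negative result would wrap to a huge `uint32_t` and make the `std::string(..., len)` constructor read far past the BIO's buffer. Keep the native type and reject both failure and an unset pointer: `long len = BIO_get_mem_data(mem, &outData);` and `if (len <= 0 || outData == nullptr) { break; }`. The rest of the function is sound — both `cert` and `mem` are released on every path through the do/while — so a brief header comment stating that contract (returns false and leaves `pemString` untouched when the buffer does not load as a certificate or PEM encoding fails) is all that is missing.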