From 23ebea7216b77b226d213f592cf71313724a257c Mon Sep 17 00:00:00 2001
From: fwx1262723
Date: Mon, 3 Jun 2024 14:58:08 +0800
Subject: [PATCH] root cert modified
Signed-off-by: fwx1262723
---
services/key_enable/BUILD.gn | 10 ++++++++++
services/key_enable/src/cert_utils.rs | 12 ++++++++++--
services/key_enable/src/profile_utils.rs | 3 ++-
test/unittest/BUILD.gn | 5 +++++
4 files changed, 27 insertions(+), 3 deletions(-)
diff --git a/services/key_enable/BUILD.gn b/services/key_enable/BUILD.gn
index 4aa59b2..e7fa997 100644
--- a/services/key_enable/BUILD.gn
+++ b/services/key_enable/BUILD.gn
@@ -45,6 +45,11 @@ ohos_rust_executable("key_enable") { } else { rustenv = [ "code_signature_debuggable=off" ] } + if (code_signature_support_oh_code_sign) { rustenv += [ "code_signature_oh_code_sign=true" ] } else { rustenv += [ "code_signature_oh_code_sign=false" ] } } ohos_rust_shared_ffi("key_enable_lib") {
@@ -66,6 +71,11 @@ ohos_rust_shared_ffi("key_enable_lib") { } else { rustenv = [ "code_signature_debuggable=off" ] } + if (code_signature_support_oh_code_sign) { rustenv += [ "code_signature_oh_code_sign=true" ] } else { rustenv += [ "code_signature_oh_code_sign=false" ] } } ohos_prebuilt_etc("trusted_cert_path") {
diff --git a/services/key_enable/src/cert_utils.rs b/services/key_enable/src/cert_utils.rs
index 94a0aa6..45da3ce 100644
--- a/services/key_enable/src/cert_utils.rs
+++ b/services/key_enable/src/cert_utils.rs
@@ -15,8 +15,12 @@ use super::cert_chain_utils::PemCollection;
use super::cert_path_utils::TrustCertPath;
+use super::profile_utils::IsRdDevice;
const TRUSTED_ROOT_CERT: &str = "/system/etc/security/trusted_root_ca.json";
-const ALLOWED_ROOT_CERT_MEMBER_NAMES: &[&str] = &[
+const TRUSTED_OH_ROOT_CERT: &str = "/system/etc/security/trusted_root_ca_oh.json";
+const ALLOWED_ROOT_CERT_MEMBER_NAMES: &[&str] =
+ &["C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Root CA G2"];
+const ALLOWED_OH_ROOT_CERT_MEMBER_NAMES: &[&str] = &[
"C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Root CA G2",
"C=CN, O=OpenHarmony, OU=OpenHarmony Team, CN=OpenHarmony Application Root CA",
];
@@ -29,7 +33,11 @@ const TRUSTED_CERT_PATH_TEST: &str = "/system/etc/security/trusted_cert_path_tes
/// get trusted certs form json file
pub fn get_trusted_certs() -> PemCollection {
let mut root_cert = PemCollection::new();
- root_cert.load_pem_certs_from_json_file(TRUSTED_ROOT_CERT, ALLOWED_ROOT_CERT_MEMBER_NAMES);
+ if env!("code_signature_oh_code_sign") == "true" && unsafe { !IsRdDevice() } {
+ root_cert.load_pem_certs_from_json_file(TRUSTED_ROOT_CERT, ALLOWED_ROOT_CERT_MEMBER_NAMES);
+ } else {
+ root_cert.load_pem_certs_from_json_file(TRUSTED_OH_ROOT_CERT, ALLOWED_OH_ROOT_CERT_MEMBER_NAMES);
+ }
if env!("code_signature_debuggable") == "on" {
root_cert.load_pem_certs_from_json_file(
TRUSTED_ROOT_CERT_TEST,
diff --git a/services/key_enable/src/profile_utils.rs b/services/key_enable/src/profile_utils.rs
index 254ee5f..a2c68f0 100644
--- a/services/key_enable/src/profile_utils.rs
+++ b/services/key_enable/src/profile_utils.rs
@@ -72,7 +72,8 @@ extern "C" {
/// if developer state on return true
pub fn IsDeveloperModeOn() -> bool;
fn CodeSignGetUdid(udid: *mut u8) -> i32;
- fn IsRdDevice() -> bool;
+ /// if the device is on Rd mode
+ pub fn IsRdDevice() -> bool;
}
#[no_mangle]
diff --git a/test/unittest/BUILD.gn b/test/unittest/BUILD.gn
index 3eee513..acffdb7 100644
--- a/test/unittest/BUILD.gn
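Review bot: The constants `TRUSTED_OH_ROOT_CERT`, `ALLOWED_ROOT_CERT_MEMBER_NAMES` and `ALLOWED_OH_ROOT_CERT_MEMBER_NAMES` are added or narrowed here without any doc comment, so a reader of this file cannot tell which build and device class each root-CA allow-list applies to; only the call site in `get_trusted_certs` in the next hunk shows that the narrower list is used when `code_signature_oh_code_sign` is `"true"` and the device is not an RD device, and the wider one otherwise. Since `ALLOWED_ROOT_CERT_MEMBER_NAMES` drops the OpenHarmony Application Root CA, that is a trust-set change that deserves to be stated at the definition, e.g. `/// Root-CA subjects accepted from TRUSTED_ROOT_CERT: Huawei CBG Root CA G2 only.` and `/// Root-CA subjects accepted from TRUSTED_OH_ROOT_CERT; additionally admits the OpenHarmony Application Root CA.` A one-line comment on `TRUSTED_OH_ROOT_CERT` naming the branch that loads it would complete the picture.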
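Review bot: The `unsafe { !IsRdDevice() }` call that now decides which trust-anchor file is loaded has no `// SAFETY:` comment, and the branch does not say why an RD device, or a build with `code_signature_oh_code_sign` not `"true"`, gets the wider allow-list that also admits the OpenHarmony Application Root CA. Because the `else` branch is the more permissive one, an incorrect `true` from `IsRdDevice()` enlarges the set of roots this device will accept, so the intent should be written down; I would add `// SAFETY: IsRdDevice takes no arguments and returns bool (see profile_utils.rs); its result only selects which trust-anchor file is loaded.` above the `if`, and a line stating that the narrow Huawei-only set is the intended production default — the latter is my reading of the condition and should be confirmed. The call in the `else` branch exceeds 100 columns and `rustfmt` would wrap it. `get_trusted_certs` continues past the end of the hunk.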
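Review bot: The new doc comment `/// if the device is on Rd mode` on the now-public `IsRdDevice` does not state what the return value means or that the result selects which trusted-root file `get_trusted_certs` in cert_utils.rs loads, which is the reason the binding is being exported. I would write `/// Returns true when the device is an RD device; get_trusted_certs uses this to pick the trust-anchor file.`, matching the terse style of the `IsDeveloperModeOn` comment above it. What "RD" expands to is not established on this page, so I would not expand it without checking the C side. The enclosing `extern "C"` block starts outside the hunk.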
+++ b/test/unittest/BUILD.gn
@@ -220,6 +220,11 @@ ohos_rust_static_library("rust_key_enable_lib") { } else { rustenv = [ "code_signature_debuggable=off" ] } + if (code_signature_support_oh_code_sign) { rustenv += [ "code_signature_oh_code_sign=true" ] } else { rustenv += [ "code_signature_oh_code_sign=false" ] } crate_name = "key_enable" crate_type = "rlib" subsystem_name = "security"
-- Gitee