From b2bf2749536e181c4e6acdd6735cd47d9f105f97 Mon Sep 17 00:00:00 2001 From: lihehe Date: Thu, 6 Jun 2024 15:47:53 +0800 Subject: [PATCH] enable keys for rddevice Change-Id: I1845e920917a506381253e4398db9a0570bf87bc Signed-off-by: lihehe --- code_signature.gni | 2 +- .../src/jit_code_signer_hybrid.cpp | 4 +- .../src/jit_code_signer_single.cpp | 2 +- .../jit_code_sign/src/pac_sign_ctx.cpp | 2 +- services/key_enable/BUILD.gn | 46 ++++---- .../trusted_cert_path_test.json | 90 -------------- .../openharmony/dev/trusted_cert_path.json | 104 ---------------- .../release/trusted_cert_path.json | 7 ++ .../key_enable/config/trusted_cert_path.json | 23 +++- .../config/trusted_cert_path_test.json | 21 ---- services/key_enable/src/cert_path_utils.rs | 39 +++++- services/key_enable/src/cert_utils.rs | 22 +++- .../utils/include/devices_security.h | 41 ------- services/key_enable/utils/include/key_utils.h | 1 + .../key_enable/utils/src/devices_security.cpp | 111 +++++++++--------- test/unittest/BUILD.gn | 10 +- test/unittest/key_enable_utils_test.cpp | 20 +--- 17 files changed, 181 insertions(+), 364 deletions(-) delete mode 100644 services/key_enable/config/not_sign_hap_py_path/trusted_cert_path_test.json delete mode 100644 services/key_enable/config/openharmony/dev/trusted_cert_path.json delete mode 100644 services/key_enable/utils/include/devices_security.h diff --git a/code_signature.gni b/code_signature.gni index 12a3e3a..cb5eae7 100644 --- a/code_signature.gni +++ b/code_signature.gni @@ -23,7 +23,7 @@ declare_args() { code_signature_support_openharmony_ca = true code_signature_support_oh_code_sign = false code_signature_enable_xpm_mode = 0 - code_signature_support_oh_release_app = true + code_signature_support_oh_release_app = false code_signature_screenlock_mgr_enable = false if (defined(global_parts_info) && defined(global_parts_info.theme_screenlock_mgr)) { 
diff --git a/interfaces/innerkits/jit_code_sign/src/jit_code_signer_hybrid.cpp b/interfaces/innerkits/jit_code_sign/src/jit_code_signer_hybrid.cpp index c0c7693..bf74a40 100644 --- a/interfaces/innerkits/jit_code_sign/src/jit_code_signer_hybrid.cpp +++ b/interfaces/innerkits/jit_code_sign/src/jit_code_signer_hybrid.cpp @@ -110,7 +110,7 @@ int32_t JitCodeSignerHybrid::ValidateSubCode(Instr *jitMemory, PACSignCtx &verif if (signature != signTable_[index]) { #ifdef JIT_FORT_DISABLE LOG_ERROR("Validate insn (%{public}8x) failed at offset = %{public}x, " \ - "signature(%{public}x) != wanted(%{pucblic}x)", + "signature(%{public}x) != wanted(%{public}x)", *(insnPtr), index * INSTRUCTION_SIZE, signature, signTable_[index]); #endif #ifndef JIT_CODE_SIGN_PERMISSIVE @@ -149,7 +149,7 @@ __attribute__((no_sanitize("cfi"))) int32_t JitCodeSignerHybrid::ValidateCodeCop if (signature != signTable_[index]) { #ifdef JIT_FORT_DISABLE LOG_ERROR("Validate insn (%{public}x) without context failed at index = %{public}x," \ - "signature(%{public}x) != wanted(%{pucblic}x).", + "signature(%{public}x) != wanted(%{public}x).", insn, index, signature, signTable_[index]); #endif #ifndef JIT_CODE_SIGN_PERMISSIVE diff --git a/interfaces/innerkits/jit_code_sign/src/jit_code_signer_single.cpp b/interfaces/innerkits/jit_code_sign/src/jit_code_signer_single.cpp index 128548a..d4fae3d 100644 --- a/interfaces/innerkits/jit_code_sign/src/jit_code_signer_single.cpp +++ b/interfaces/innerkits/jit_code_sign/src/jit_code_signer_single.cpp @@ -85,7 +85,7 @@ int32_t JitCodeSignerSingle::ValidateCodeCopy(Instr *jitMemory, if (signature != signTable_[index]) { #ifdef JIT_FORT_DISABLE LOG_ERROR("validate insn(%{public}x) without context failed at index = " \ - "%{public}x, signature(%{public}x) != wanted(%{pucblic}x)", + "%{public}x, signature(%{public}x) != wanted(%{public}x)", insn, index * INSTRUCTION_SIZE, signature, signTable_[index]); #endif #ifndef JIT_CODE_SIGN_PERMISSIVE 
diff --git a/interfaces/innerkits/jit_code_sign/src/pac_sign_ctx.cpp b/interfaces/innerkits/jit_code_sign/src/pac_sign_ctx.cpp index ef86c14..b714e3e 100644 --- a/interfaces/innerkits/jit_code_sign/src/pac_sign_ctx.cpp +++ b/interfaces/innerkits/jit_code_sign/src/pac_sign_ctx.cpp @@ -156,7 +156,7 @@ uint32_t PACSignCtx::SignSingle(uint32_t value, uint32_t index) uint64_t paddingContext = PaddingContext(SIGN_WITHOUT_CONTEXT, index); uint32_t signature = PACGA(value, paddingContext); #if defined(JIT_CODE_SIGN_DEBUGGABLE) && defined(JIT_FORT_DISABLE) - LOG_ERROR("Get signature = %{public}x", signature); + LOG_INFO("Get signature = %{public}x", signature); #endif return signature; } diff --git a/services/key_enable/BUILD.gn b/services/key_enable/BUILD.gn index 4aa59b2..5ba1c7d 100644 --- a/services/key_enable/BUILD.gn +++ b/services/key_enable/BUILD.gn @@ -36,15 +36,21 @@ ohos_rust_executable("key_enable") { ] external_deps += [ "c_utils:utils_rust" ] } + rustenv = [] + if (build_variant == "root") { + rustenv += [ "code_signature_debuggable=on" ] + } else { + rustenv += [ "code_signature_debuggable=off" ] + } + if (code_signature_support_oh_release_app) { + rustenv += [ "support_openharmony_ca=on" ] + } else { + rustenv += [ "support_openharmony_ca=off" ] + } crate_name = "key_enable" crate_type = "bin" subsystem_name = "security" part_name = "code_signature" - if (build_variant == "root") { - rustenv = [ "code_signature_debuggable=on" ] - } else { - rustenv = [ "code_signature_debuggable=off" ] - } } ohos_rust_shared_ffi("key_enable_lib") { 
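Review bot: The new `rustenv` entry `support_openharmony_ca` in `ohos_rust_executable("key_enable")` is set from `code_signature_support_oh_release_app`, while `code_signature.gni` still declares a separate `code_signature_support_openharmony_ca` argument that the visible hunks no longer consult. The Rust side uses this flag to decide whether the OpenHarmony root CA and the `Restricted` cert paths are trusted, so the name mismatch makes it easy to set the wrong argument and misjudge what a build trusts. Either derive the value from the like-named argument or state the mapping above the block, for example `# support_openharmony_ca follows code_signature_support_oh_release_app, not code_signature_support_openharmony_ca`. The same block is repeated in `ohos_rust_shared_ffi("key_enable_lib")` and in `test/unittest/BUILD.gn`; a shared list variable would keep the three copies from drifting apart.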
@@ -58,23 +64,25 @@ ohos_rust_shared_ffi("key_enable_lib") { ] external_deps += [ "c_utils:utils_rust" ] } - crate_name = "key_enable" - subsystem_name = "security" - part_name = "code_signature" + rustenv = [] if (build_variant == "root") { - rustenv = [ "code_signature_debuggable=on" ] + rustenv += [ "code_signature_debuggable=on" ] } else { - rustenv = [ "code_signature_debuggable=off" ] + rustenv += [ "code_signature_debuggable=off" ] } + if (code_signature_support_oh_release_app) { + rustenv += [ "support_openharmony_ca=on" ] + } else { + rustenv += [ "support_openharmony_ca=off" ] + } + crate_name = "key_enable" + subsystem_name = "security" + part_name = "code_signature" } ohos_prebuilt_etc("trusted_cert_path") { - if (code_signature_support_openharmony_ca) { - if (code_signature_support_oh_release_app) { - source = "config/openharmony/release/trusted_cert_path.json" - } else { - source = "config/openharmony/dev/trusted_cert_path.json" - } + if (code_signature_support_oh_release_app) { + source = "config/openharmony/release/trusted_cert_path.json" } else { source = "config/trusted_cert_path.json" } @@ -84,11 +92,7 @@ ohos_prebuilt_etc("trusted_cert_path") { } ohos_prebuilt_etc("trusted_cert_path_test") { - if (defined(sign_hap_py_path)) { - source = "config/trusted_cert_path_test.json" - } else { - source = "config/not_sign_hap_py_path/trusted_cert_path_test.json" - } + source = "config/trusted_cert_path_test.json" part_name = "code_signature" subsystem_name = "security" relative_install_dir = "security" diff --git a/services/key_enable/config/not_sign_hap_py_path/trusted_cert_path_test.json b/services/key_enable/config/not_sign_hap_py_path/trusted_cert_path_test.json deleted file mode 100644 index e40fd11..0000000 --- a/services/key_enable/config/not_sign_hap_py_path/trusted_cert_path_test.json +++ /dev/null 
@@ -1,90 +0,0 @@ -{ - "trust-profile-path":[ - { - "mode":"developer", - "type":"", - "subject":"C=CN, O=Huawei, OU=HOS AppGallery, CN=HOS Profile Management", - "issuer":"C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Software Signing Service CA Test", - "max-certs-path":3 - }, - { - "mode":"developer", - "type":"", - "subject":"C=CN, O=Huawei CBG, OU=HOS Development Team, CN=HOS Application Provision Profile Release", - "issuer":"C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Software Signing Service CA Test", - "max-certs-path":3 - }, - { - "mode":"debug", - "type":"", - "subject":"C=CN, O=Huawei, OU=HOS AppGallery, CN=HOS Profile Management Debug", - "issuer":"C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Software Signing Service CA Test", - "max-certs-path":3 - }, - { - "mode":"debug", - "type":"", - "subject":"C=CN, O=Huawei CBG, OU=HOS Development Team, CN=HOS Application Provision Profile Release_Debug", - "issuer":"C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Software Signing Service CA Test", - "max-certs-path":3 - } - ], - "trust-cert-path":[ - { - "mode":"Release", - "type":"Authed", - "subject":"C=CN, O=Huawei, OU=HOS AppGallery, CN=HOS AppGallery Application Release", - "issuer":"C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Software Signing Service CA Test", - "max-certs-path":3 - }, - { - "mode":"Release", - "type":"Platform", - "subject":"ALL", - "issuer":"C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Software Signing Service CA Test", - "max-certs-path":3 - }, - { - "mode":"Release", - "type":"Platform", - "subject":"C=CN, O=OpenHarmony, OU=OpenHarmony Team, CN=OpenHarmony Application Release", - "issuer":"C=CN, O=OpenHarmony, OU=OpenHarmony Team, CN=OpenHarmony Application CA", - "max-certs-path":3 - }, - { - "mode":"Release", - "type":"Block", - "subject":"C=CN, O=Huawei, OU=Huawei CBG, CN=HOS Application Provision Debug V2", - "issuer":"C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Software Signing Service CA Test", - "max-certs-path":3 - }, - { - 
"mode":"Release", - "type":"Block", - "subject":"", - "issuer":"", - "max-certs-path":3 - }, - { - "mode":"Dev", - "type":"Platform", - "subject":"C=CN, O=Huawei, OU=Huawei CBG, CN=HOS Application Provision Debug V2", - "issuer":"C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Software Signing Service CA Test", - "max-certs-path":3 - }, - { - "mode":"Dev", - "type":"Debug", - "subject":"", - "issuer":"", - "max-certs-path":3 - }, - { - "mode":"Dev", - "type":"Authed", - "subject":"C=CN, O=Organization, OU=Unit, CN=ide_demo_app", - "issuer":"C=CN, O=OpenHarmony, OU=OpenHarmony Team, CN=OpenHarmony Application CA", - "max-certs-path":3 - } - ] -} \ No newline at end of file diff --git a/services/key_enable/config/openharmony/dev/trusted_cert_path.json b/services/key_enable/config/openharmony/dev/trusted_cert_path.json deleted file mode 100644 index 939e972..0000000 --- a/services/key_enable/config/openharmony/dev/trusted_cert_path.json +++ /dev/null 
@@ -1,104 +0,0 @@ -{ - "trust-profile-path":[ - { - "mode":"developer", - "type":"", - "subject":"C=CN, O=Huawei, OU=HOS AppGallery, CN=HOS Profile Management", - "issuer":"C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Software Signing Service CA", - "max-certs-path":3 - }, - { - "mode":"developer", - "type":"", - "subject":"C=CN, O=Huawei CBG, OU=HOS Development Team, CN=HOS Application Provision Profile Release", - "issuer":"C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Software Signing Service CA", - "max-certs-path":3 - }, - { - "mode":"debug", - "type":"", - "subject":"C=CN, O=Huawei, OU=HOS AppGallery, CN=HOS Profile Management Debug", - "issuer":"C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Software Signing Service CA", - "max-certs-path":3 - }, - { - "mode":"debug", - "type":"", - "subject":"C=CN, O=OpenHarmony, OU=OpenHarmony Team, CN=OpenHarmony Application Profile Debug", - "issuer":"C=CN, O=OpenHarmony, OU=OpenHarmony Team, CN=OpenHarmony Application CA", - "max-certs-path":3 - }, - { - "mode":"debug", - "type":"", - "subject":"C=CN, O=Huawei CBG, OU=HOS Development Team, CN=HOS Application Provision Profile Release_Debug", - "issuer":"C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Software Signing Service CA", - "max-certs-path":3 - } - ], - "trust-cert-path":[ - { - "mode":"Release", - "type":"Authed", - "subject":"C=CN, O=Huawei, OU=HOS AppGallery, CN=HOS AppGallery Application Release", - "issuer":"C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Software Signing Service CA", - "max-certs-path":3 - }, - { - "mode":"Release", - "type":"Platform", - "subject":"ALL", - "issuer":"C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Software Signing Service CA", - "max-certs-path":3 - }, - { - "mode":"Release", - "type":"Block", - "subject":"C=CN, O=Huawei, OU=Huawei CBG, CN=HOS Application Provision Debug V2", - "issuer":"C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Software Signing Service CA", - "max-certs-path":3 - }, - { - "mode":"Release", - "type":"Block", - 
"subject":"C=CN, O=Huawei, OU=Huawei CBG, CN=DevEcoTesting Release", - "issuer":"C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Software Signing Service CA", - "max-certs-path":3 - }, - { - "mode":"Release", - "type":"Block", - "subject":"C=CN, O=Huawei, OU=Huawei CBG, CN=HarmonyOS SDK debug tools", - "issuer":"C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Software Signing Service CA", - "max-certs-path":3 - }, - { - "mode":"Dev", - "type":"Platform", - "subject":"C=CN, O=Huawei, OU=Huawei CBG, CN=HOS Application Provision Debug V2", - "issuer":"C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Software Signing Service CA", - "max-certs-path":3 - }, - { - "mode":"Dev", - "type":"Platform", - "subject":"C=CN, O=Huawei, OU=Huawei CBG, CN=DevEcoTesting Release", - "issuer":"C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Software Signing Service CA", - "max-certs-path":3 - }, - { - "mode":"Dev", - "type":"Platform", - "subject":"C=CN, O=Huawei, OU=Huawei CBG, CN=HarmonyOS SDK debug tools", - "issuer":"C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Software Signing Service CA", - "max-certs-path":3 - }, - { - "mode":"Dev", - "type":"Authed", - "subject":"C=CN, O=OpenHarmony, OU=OpenHarmony Team, CN=OpenHarmony Application Release", - "issuer":"C=CN, O=OpenHarmony, OU=OpenHarmony Team, CN=OpenHarmony Application CA", - "max-certs-path":3 - } - ] -} diff --git a/services/key_enable/config/openharmony/release/trusted_cert_path.json b/services/key_enable/config/openharmony/release/trusted_cert_path.json index 27b5338..3f83a7b 100644 --- a/services/key_enable/config/openharmony/release/trusted_cert_path.json +++ b/services/key_enable/config/openharmony/release/trusted_cert_path.json 
@@ -99,6 +99,13 @@ "subject":"C=CN, O=OpenHarmony, OU=OpenHarmony Team, CN=OpenHarmony Application Release", "issuer":"C=CN, O=OpenHarmony, OU=OpenHarmony Team, CN=OpenHarmony Application CA", "max-certs-path":3 + }, + { + "mode":"Release", + "type":"Authed", + "subject":"C=CN, O=Organization, OU=Unit, CN=ide_demo_app", + "issuer":"C=CN, O=OpenHarmony, OU=OpenHarmony Team, CN=OpenHarmony Application CA", + "max-certs-path":3 } ] } diff --git a/services/key_enable/config/trusted_cert_path.json b/services/key_enable/config/trusted_cert_path.json index ad03e42..f5b71b9 100644 --- a/services/key_enable/config/trusted_cert_path.json +++ b/services/key_enable/config/trusted_cert_path.json @@ -21,6 +21,13 @@ "issuer":"C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Software Signing Service CA", "max-certs-path":3 }, + { + "mode":"debug", + "type":"", + "subject":"C=CN, O=OpenHarmony, OU=OpenHarmony Team, CN=OpenHarmony Application Profile Debug", + "issuer":"C=CN, O=OpenHarmony, OU=OpenHarmony Team, CN=OpenHarmony Application CA", + "max-certs-path":3 + }, { "mode":"debug", "type":"", @@ -79,12 +86,26 @@ "issuer":"C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Software Signing Service CA", "max-certs-path":3 }, - { + { "mode":"Dev", "type":"Platform", "subject":"C=CN, O=Huawei, OU=Huawei CBG, CN=HarmonyOS SDK debug tools", "issuer":"C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Software Signing Service CA", "max-certs-path":3 + }, + { + "mode":"Release", + "type":"Restricted", + "subject":"C=CN, O=OpenHarmony, OU=OpenHarmony Team, CN=OpenHarmony Application Release", + "issuer":"C=CN, O=OpenHarmony, OU=OpenHarmony Team, CN=OpenHarmony Application CA", + "max-certs-path":3 + }, + { + "mode":"Release", + "type":"Restricted", + "subject":"C=CN, O=Organization, OU=Unit, CN=ide_demo_app", + "issuer":"C=CN, O=OpenHarmony, OU=OpenHarmony Team, CN=OpenHarmony Application CA", + "max-certs-path":3 } ] } 
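Review bot: The entry added to `config/openharmony/release/trusted_cert_path.json` gives `"type":"Authed"` in `Release` mode to the subject `C=CN, O=Organization, OU=Unit, CN=ide_demo_app`, which reads like a placeholder demo identity rather than a controlled signing certificate. In `config/trusted_cert_path.json` the same subject is added as `"type":"Restricted"` and is promoted only after the check in `convert_cert_type`, whereas builds that install the release file trust it unconditionally. JSON cannot carry a comment, so the reason this subject needs `Authed` trust, and the statement that this build flavour is not meant for end-user images (if that is the intent), belong in the commit description or next to the `ohos_prebuilt_etc("trusted_cert_path")` target.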
diff --git a/services/key_enable/config/trusted_cert_path_test.json b/services/key_enable/config/trusted_cert_path_test.json index 5b6847d..e235e5f 100644 --- a/services/key_enable/config/trusted_cert_path_test.json +++ b/services/key_enable/config/trusted_cert_path_test.json @@ -51,33 +51,12 @@ "issuer":"C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Software Signing Service CA Test", "max-certs-path":3 }, - { - "mode":"Release", - "type":"Block", - "subject":"", - "issuer":"", - "max-certs-path":3 - }, { "mode":"Dev", "type":"Platform", "subject":"C=CN, O=Huawei, OU=Huawei CBG, CN=HOS Application Provision Debug V2", "issuer":"C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Software Signing Service CA Test", "max-certs-path":3 - }, - { - "mode":"Dev", - "type":"Debug", - "subject":"", - "issuer":"", - "max-certs-path":3 - }, - { - "mode":"Dev", - "type":"Authed", - "subject":"C=CN, O=Organization, OU=Unit, CN=ide_demo_app", - "issuer":"C=CN, O=OpenHarmony, OU=OpenHarmony Team, CN=OpenHarmony Application CA", - "max-certs-path":3 } ] } \ No newline at end of file diff --git a/services/key_enable/src/cert_path_utils.rs b/services/key_enable/src/cert_path_utils.rs index b579299..6841b15 100644 --- a/services/key_enable/src/cert_path_utils.rs +++ b/services/key_enable/src/cert_path_utils.rs @@ -18,6 +18,10 @@ use hilog_rust::{error, hilog, info, HiLogLabel, LogType}; use std::ffi::{c_char, CString}; use ylong_json::JsonValue; +extern "C" { + fn IsRdDevice() -> bool; +} + const LOG_LABEL: HiLogLabel = HiLogLabel { log_type: LogType::LogCore, domain: 0xd005a06, // security domain @@ -46,6 +50,8 @@ pub enum ReleaseCertPathType { Developer = 0x3, /// release block code Block = 0x4, + /// restrict code + Restricted = 0xff, } impl ReleaseCertPathType { 
@@ -55,6 +61,7 @@ impl ReleaseCertPathType { "Authed" => Ok(ReleaseCertPathType::Authed as u32), "Developer" => Ok(ReleaseCertPathType::Developer as u32), "Block" => Ok(ReleaseCertPathType::Block as u32), + "Restricted" => Ok(ReleaseCertPathType::Restricted as u32), _ => Err(()), } } @@ -71,6 +78,8 @@ pub enum DebugCertPathType { Block = 0x104, /// debug debug code Debug = 0x105, + /// restrict code + Restricted = 0x1ff, } impl DebugCertPathType { @@ -81,6 +90,7 @@ impl DebugCertPathType { "Developer" => Ok(DebugCertPathType::Developer as u32), "Block" => Ok(DebugCertPathType::Block as u32), "Debug" => Ok(DebugCertPathType::Debug as u32), + "Restricted" => Ok(DebugCertPathType::Restricted as u32), _ => Err(()), } } @@ -152,8 +162,8 @@ impl TrustCertPath { if !unsafe { IsDeveloperModeOn() } && &cert_path.mode == "Dev" { continue; } - if !cert_path.subject.is_empty() - && !cert_path.issuer_ca.is_empty() + if !cert_path.subject.is_empty() + && !cert_path.issuer_ca.is_empty() && cert_path.add_subject_cert_path().is_err() { error!( LOG_LABEL, @@ -388,6 +398,23 @@ pub fn common_format_fabricate_name(common_name: &str, organization: &str, email ret } +fn convert_cert_type(cert_path_type: u32) -> u32 { + if cert_path_type == ReleaseCertPathType::Restricted as u32 { + if env!("support_openharmony_ca") == "on" || unsafe { IsRdDevice() } { + return ReleaseCertPathType::Authed as u32; + } else { + return 0; // return invalid type + } + } else if cert_path_type == DebugCertPathType::Restricted as u32 { + if env!("support_openharmony_ca") == "on" || unsafe { IsRdDevice() } { + return DebugCertPathType::Authed as u32; + } else { + return 0; // return invalid type + } + } + cert_path_type +} + fn cert_path_operation( subject: String, issuer: String, 
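Review bot: `convert_cert_type` signals "skip this entry" by returning a bare `0`, and its two branches repeat the same `env!("support_openharmony_ca") == "on" || unsafe { IsRdDevice() }` condition, so the rule that promotes `Restricted` to `Authed` is written twice and the sentinel has no name. Returning `Option<u32>` makes the skip explicit and keeps the promotion rule in one place, as sketched below. The caller in the following hunk (`cert_path_operation`, whose body starts outside these hunks) would then match on `None` instead of comparing with `0u32`, and should log the skipped subject so a dropped trust entry is visible when diagnosing a verification failure. The `unsafe` call also deserves a one-line comment saying why calling the C function is sound.

```rust
fn convert_cert_type(cert_path_type: u32) -> Option<u32> {
    let authed = if cert_path_type == ReleaseCertPathType::Restricted as u32 {
        ReleaseCertPathType::Authed as u32
    } else if cert_path_type == DebugCertPathType::Restricted as u32 {
        DebugCertPathType::Authed as u32
    } else {
        // not a restricted entry: pass through unchanged
        return Some(cert_path_type);
    };
    // Restricted entries become Authed only on OpenHarmony-CA builds or RD devices.
    // SAFETY: IsRdDevice takes no arguments and returns a plain bool.
    if env!("support_openharmony_ca") == "on" || unsafe { IsRdDevice() } {
        Some(authed)
    } else {
        None
    }
}
```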
@@ -404,6 +431,12 @@ where let subject_cstring = CString::new(subject).expect("convert to subject_cstring error!"); let issuer_cstring = CString::new(issuer).expect("convert to cstring error!"); + let converted_cert_type = convert_cert_type(cert_path_type); + + // invalid cert type, skip adding + if converted_cert_type == 0u32 { + return Ok(()); + } let cert_path_info = CertPathInfo { signing_length: subject_cstring.as_bytes().len() as u32, @@ -411,7 +444,7 @@ where signing: subject_cstring.as_ptr() as u64, issuer: issuer_cstring.as_ptr() as u64, path_len: path_length, - path_type: cert_path_type, + path_type: converted_cert_type, __reserved: [0; 32], }; let ret = operation(&cert_path_info); diff --git a/services/key_enable/src/cert_utils.rs b/services/key_enable/src/cert_utils.rs index 94a0aa6..455afe4 100644 --- a/services/key_enable/src/cert_utils.rs +++ b/services/key_enable/src/cert_utils.rs 
@@ -16,21 +16,31 @@ use super::cert_chain_utils::PemCollection; use super::cert_path_utils::TrustCertPath; const TRUSTED_ROOT_CERT: &str = "/system/etc/security/trusted_root_ca.json"; -const ALLOWED_ROOT_CERT_MEMBER_NAMES: &[&str] = &[ - "C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Root CA G2", - "C=CN, O=OpenHarmony, OU=OpenHarmony Team, CN=OpenHarmony Application Root CA", -]; +const ALLOWED_ROOT_CERT_MEMBER_NAMES: &[&str] = + &["C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Root CA G2"]; +const ALLOWED_OH_ROOT_CERT_MEMBER_NAMES: &[&str] = + &["C=CN, O=OpenHarmony, OU=OpenHarmony Team, CN=OpenHarmony Application Root CA"]; const TRUSTED_ROOT_CERT_TEST: &str = "/system/etc/security/trusted_root_ca_test.json"; const ALLOWED_ROOT_CERT_MEMBER_NAMES_TEST: &[&str] = &["C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Root CA G2 Test"]; const TRUSTED_CERT_PATH: &str = "/system/etc/security/trusted_cert_path.json"; const TRUSTED_CERT_PATH_TEST: &str = "/system/etc/security/trusted_cert_path_test.json"; +extern "C" { + fn IsRdDevice() -> bool; +} + /// get trusted certs form json file pub fn get_trusted_certs() -> PemCollection { let mut root_cert = PemCollection::new(); root_cert.load_pem_certs_from_json_file(TRUSTED_ROOT_CERT, ALLOWED_ROOT_CERT_MEMBER_NAMES); - if env!("code_signature_debuggable") == "on" { + if env!("support_openharmony_ca") == "on" || unsafe { IsRdDevice() } { + root_cert.load_pem_certs_from_json_file( + TRUSTED_ROOT_CERT, + ALLOWED_OH_ROOT_CERT_MEMBER_NAMES + ); + } + if env!("code_signature_debuggable") == "on" || unsafe { IsRdDevice() } { root_cert.load_pem_certs_from_json_file( TRUSTED_ROOT_CERT_TEST, ALLOWED_ROOT_CERT_MEMBER_NAMES_TEST 
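Review bot: In `get_trusted_certs` the test root CA from `TRUSTED_ROOT_CERT_TEST` is now loaded whenever `IsRdDevice()` is true, not only when the crate was built with `code_signature_debuggable=on`, so a value read at runtime from `/proc/cmdline` (see `devices_security.cpp` in this patch) decides whether test-signed code is trusted on a non-root build. That assumption should be written down at the call site, for example `// Trust decision: IsRdDevice() parses /proc/cmdline; relies on the boot chain fixing oemmode/efuse_status on production devices.` The same condition is added to `get_cert_path` in the next hunk. The `extern "C" { fn IsRdDevice() -> bool; }` declaration is duplicated here and in `cert_path_utils.rs`; declaring it once behind a safe `fn is_rd_device() -> bool` wrapper would leave a single `unsafe` block to audit.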
@@ -43,7 +53,7 @@ pub fn get_trusted_certs() -> PemCollection { pub fn get_cert_path() -> TrustCertPath { let mut cert_paths = TrustCertPath::new(); cert_paths.load_cert_path_from_json_file(TRUSTED_CERT_PATH); - if env!("code_signature_debuggable") == "on" { + if env!("code_signature_debuggable") == "on" || unsafe { IsRdDevice() } { cert_paths.load_cert_path_from_json_file(TRUSTED_CERT_PATH_TEST); } cert_paths diff --git a/services/key_enable/utils/include/devices_security.h b/services/key_enable/utils/include/devices_security.h deleted file mode 100644 index f0d9465..0000000 --- a/services/key_enable/utils/include/devices_security.h +++ /dev/null @@ -1,41 +0,0 @@ -/* - * Copyright (c) 2024 Huawei Device Co., Ltd. - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -#ifndef CODE_SIGN_DEVICES_SECURITY_H -#define CODE_SIGN_DEVICES_SECURITY_H - -#ifndef LOG_RUST -#define LOG_RUST -#endif - -#include - -#ifdef __cplusplus -extern "C" { -#endif - -#define DEVICE_MODE_RD 0 -#define DEVICE_MODE_USER 1 -#define DEVICE_MODE_ERROR 2 - -int32_t GetEfuseStatus(); -int32_t GetDeviceMode(); -bool IsRdDevice(); - -#ifdef __cplusplus -} -#endif - -#endif \ No newline at end of file diff --git a/services/key_enable/utils/include/key_utils.h b/services/key_enable/utils/include/key_utils.h index f44e535..7ba018c 100644 --- a/services/key_enable/utils/include/key_utils.h +++ b/services/key_enable/utils/include/key_utils.h 
@@ -40,6 +40,7 @@ KeySerial KeyctlRestrictKeyring( const char *type, const char *restriction); +bool IsRdDevice(); #ifdef __cplusplus } #endif diff --git a/services/key_enable/utils/src/devices_security.cpp b/services/key_enable/utils/src/devices_security.cpp index 7b1195b..a5827a5 100644 --- a/services/key_enable/utils/src/devices_security.cpp +++ b/services/key_enable/utils/src/devices_security.cpp @@ -13,7 +13,7 @@ * limitations under the License. */ -#include "devices_security.h" +#include "key_utils.h" #include #include 
@@ -25,72 +25,77 @@ #include "log.h" #include "parameter.h" -constexpr int32_t VALUE_MAX_LEN = 64; -constexpr int32_t CMDLINE_MAX_BUF_LEN = 4096; -static const std::string OEM_MODE = "const.boot.oemmode"; -static const std::string OEM_MODE_RD = "rd"; -static const std::string EFUSE_STATE_FILE = "/proc/cmdline"; - using namespace OHOS::Security::CodeSign; -int32_t GetEfuseStatus() -{ - int32_t fd = open(EFUSE_STATE_FILE.c_str(), O_RDONLY); - if (fd < 0) { - LOG_ERROR(LABEL, "open %{public}s failed, %{public}s", EFUSE_STATE_FILE.c_str(), strerror(errno)); - return DEVICE_MODE_ERROR; - } +enum DeviceMode { + NOT_INITIALIZE = 0, + DEVICE_MODE_RD, + DEVICE_MODE_NOT_RD +}; - char *buf = static_cast(malloc(CMDLINE_MAX_BUF_LEN)); - if (buf == nullptr) { - LOG_ERROR(LABEL, "alloc read buffer failed"); - (void) close(fd); - return DEVICE_MODE_ERROR; - } - (void)memset_s(buf, CMDLINE_MAX_BUF_LEN, 0, CMDLINE_MAX_BUF_LEN); +constexpr int32_t CMDLINE_MAX_BUF_LEN = 4096; +static const std::string PROC_CMDLINE_FILE_PATH = "/proc/cmdline"; +static int32_t g_isRdDevice = NOT_INITIALIZE; - int32_t deviceMode = DEVICE_MODE_ERROR; - ssize_t ret = read(fd, buf, CMDLINE_MAX_BUF_LEN - 1); - (void) close(fd); - if (ret < 0) { - LOG_ERROR(LABEL, "read %{public}s failed, %{public}s", EFUSE_STATE_FILE.c_str(), strerror(errno)); - free(buf); - buf = nullptr; - return deviceMode; +bool CheckDeviceMode(char *buf, ssize_t bunLen) +{ + if (strstr(buf, "oemmode=rd")) { + LOG_DEBUG(LABEL, "Oemode is rd"); + return true; + } else { + LOG_DEBUG(LABEL, "Not rd mode, cmdline = %{private}s", buf); } + return false; +} - if (strstr(buf, "efuse_status=0")) { - LOG_DEBUG(LABEL, "device is fused, need to check device id"); - deviceMode = DEVICE_MODE_USER; - } else if (strstr(buf, "efuse_status=1")) { - LOG_DEBUG(LABEL, "device is not fused, skip device id check"); - deviceMode = DEVICE_MODE_RD; +int32_t CheckEfuseStatus(char *buf, ssize_t bunLen) +{ + if (strstr(buf, "efuse_status=1")) { + LOG_DEBUG(LABEL, 
"device is not efused"); + return true; } else { - LOG_ERROR(LABEL, "failed to obtain the device efuse status"); + LOG_DEBUG(LABEL, "Not efused, cmdline = %{private}s", buf); } - - free(buf); - buf = nullptr; - return deviceMode; + return false; } -int32_t GetDeviceMode() +void ParseCMDLine() { - LOG_DEBUG(LABEL, "start to check the OEM mode of the device"); - - char value[VALUE_MAX_LEN] = {0}; - int32_t ret = GetParameter(OEM_MODE.c_str(), nullptr, value, sizeof(value)); - if ((ret >= 0) && (strncmp(value, OEM_MODE_RD.c_str(), sizeof(value)) == 0)) { - LOG_DEBUG(LABEL, "oem mode is rd, skip device id check"); - return DEVICE_MODE_RD; + int32_t fd = open(PROC_CMDLINE_FILE_PATH.c_str(), O_RDONLY); + if (fd < 0) { + g_isRdDevice = DEVICE_MODE_NOT_RD; + LOG_ERROR(LABEL, "open %{public}s failed, %{public}s", + PROC_CMDLINE_FILE_PATH.c_str(), strerror(errno)); + return; } - - return GetEfuseStatus(); + char *buf = nullptr; + int32_t status = DEVICE_MODE_NOT_RD; + do { + buf = static_cast(malloc(CMDLINE_MAX_BUF_LEN)); + if (buf == nullptr) { + LOG_ERROR(LABEL, "Alloc buffer for reading cmdline failed."); + break; + } + (void) memset_s(buf, CMDLINE_MAX_BUF_LEN, 0, CMDLINE_MAX_BUF_LEN); + ssize_t bufLen = read(fd, buf, CMDLINE_MAX_BUF_LEN - 1); + if (bufLen < 0) { + LOG_ERROR(LABEL, "Read %{public}s failed, %{public}s.", + PROC_CMDLINE_FILE_PATH.c_str(), strerror(errno)); + break; + } + if (CheckDeviceMode(buf, bufLen) || CheckEfuseStatus(buf, bufLen)) { + status = DEVICE_MODE_RD; + } + } while (0); + g_isRdDevice = status; + (void) close(fd); + free(buf); } + bool IsRdDevice() { - if (GetDeviceMode() != DEVICE_MODE_RD) { - return false; + if (g_isRdDevice == NOT_INITIALIZE) { + ParseCMDLine(); } - return true; + return g_isRdDevice == DEVICE_MODE_RD; } \ No newline at end of file diff --git a/test/unittest/BUILD.gn b/test/unittest/BUILD.gn index 3eee513..6e55182 100644 --- a/test/unittest/BUILD.gn +++ b/test/unittest/BUILD.gn 
@@ -215,10 +215,16 @@ ohos_rust_static_library("rust_key_enable_lib") { "hisysevent:hisysevent_rust", "ylong_json:lib", ] + rustenv = [] if (build_variant == "root") { - rustenv = [ "code_signature_debuggable=on" ] + rustenv += [ "code_signature_debuggable=on" ] } else { - rustenv = [ "code_signature_debuggable=off" ] + rustenv += [ "code_signature_debuggable=off" ] + } + if (code_signature_support_oh_release_app) { + rustenv += [ "support_openharmony_ca=on" ] + } else { + rustenv += [ "support_openharmony_ca=off" ] } crate_name = "key_enable" crate_type = "rlib" diff --git a/test/unittest/key_enable_utils_test.cpp b/test/unittest/key_enable_utils_test.cpp index df97f6b..656863e 100644 --- a/test/unittest/key_enable_utils_test.cpp +++ b/test/unittest/key_enable_utils_test.cpp @@ -17,7 +17,7 @@ #include #include -#include "devices_security.h" +#include "key_utils.h" using namespace testing::ext; using namespace std; @@ -38,28 +38,14 @@ public: /** * @tc.name: KeyEnableUtilsTest_0001 - * @tc.desc: Obtaining cmdline node data from aarch64 device + * @tc.desc: check status of device * @tc.type: Func * @tc.require: issueI8FCGF */ HWTEST_F(KeyEnableUtilsTest, KeyEnableUtilsTest_0001, TestSize.Level0) { - int32_t efuseStatus = GetEfuseStatus(); - EXPECT_NE(efuseStatus, DEVICE_MODE_ERROR); + EXPECT_EQ(IsRdDevice(), true); } - -/** - * @tc.name: KeyEnableUtilsTest_0001 - * @tc.desc: Obtaining device mode from aarch64 device - * @tc.type: Func - * @tc.require: issueI8FCGF - */ -HWTEST_F(KeyEnableUtilsTest, KeyEnableUtilsTest_0002, TestSize.Level0) -{ - int32_t deviceMode = GetDeviceMode(); - EXPECT_NE(deviceMode, DEVICE_MODE_ERROR); -} - } // namespace CodeSign } // namespace Security } // namespace OHOS -- Gitee
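Review bot: `KeyEnableUtilsTest_0001` now asserts `EXPECT_EQ(IsRdDevice(), true)`, which ties the result to the `/proc/cmdline` of whatever machine runs the suite. It fails on a device booted without `oemmode=rd` or `efuse_status=1`, and it never exercises the negative path, which is the one that keeps the test root CA and `Restricted` entries out of the trust store. Consider exposing the parsing step so it can be fed constructed command-line strings, and add cases for a non-RD line and for near-miss values. The assertion itself reads better as `EXPECT_TRUE(IsRdDevice());`.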