diff --git a/README.md b/README.md index cb55e4c7daf6818f138b85b331cf02e690059f59..0a91acf363d8a8856c8fa0206fc955df7bf0d10b 100644 --- a/README.md +++ b/README.md @@ -40,9 +40,9 @@ The code signature component provides the following functions: | **API**| **Description**| | --- | --- | | int32_t EnforceCodeSignForApp(const EntryMap &entryPath, const std::string &signatureFile); | Enforces code signing for HAPs.| -| int32_t EnforceCodeSignForApp(const std::string &path, const EntryMap &entryPathMap, FileType type); | Enforces code signing for HAPs.| +| int32_t EnforceCodeSignForApp(const std::string &path, const EntryMap &entryPathMap, FileType type, uint32_t flag); | Enforces code signing for HAPs.| | int32_t EnforceCodeSignForFile(const std::string &path, const ByteBuffer &signature); | Enforces code signing for files.| -| int32_t EnforceCodeSignForAppWithOwnerId(std::string ownerId, const std::string &path, const EntryMap &entryPathMap, FileType type); | Enforces code signing for HAPs with the owner ID.| +| int32_t EnforceCodeSignForAppWithOwnerId(std::string ownerId, const std::string &path, const EntryMap &entryPathMap, FileType type, uint32_t flag); | Enforces code signing for HAPs with the owner ID.| | int ParseOwnerIdFromSignature(const ByteBuffer &sigbuffer, std::string &ownerID); | Parses the owner ID from the signature.| | int32_t EnableKeyInProfile(const std::string &bundleName, const ByteBuffer &profileBuffer); | Trusts a developer certificate.| | int32_t RemoveKeyInProfile(const std::string &bundleName); | Revokes a trusted developer certificate.| diff --git a/README_zh.md b/README_zh.md index d49e2f596f2f7a0d9186103d66b46c53e9ab8da6..4f6d880bcf25c629f1a7fa939ecab1ee3fabe706 100644 --- a/README_zh.md +++ b/README_zh.md @@ -42,9 +42,9 @@ | **接口声明** | **接口描述** | | --- | --- | | int32_t EnforceCodeSignForApp(const EntryMap &entryPath, const std::string &signatureFile); | 对hap使能代码签名 | -| int32_t EnforceCodeSignForApp(const std::string &path, const EntryMap &entryPathMap, FileType type); | 对hap使能代码签名 | +| int32_t EnforceCodeSignForApp(const std::string &path, const EntryMap &entryPathMap, FileType type, uint32_t flag); | 对hap使能代码签名 | | int32_t EnforceCodeSignForFile(const std::string &path, const ByteBuffer &signature); | 对文件使能代码签名 | -| int32_t EnforceCodeSignForAppWithOwnerId(std::string ownerId, const std::string &path, const EntryMap &entryPathMap, FileType type); | 对hap使能代码签名和OwnerId校验 | +| int32_t EnforceCodeSignForAppWithOwnerId(std::string ownerId, const std::string &path, const EntryMap &entryPathMap, FileType type, uint32_t flag); | 对hap使能代码签名和OwnerId校验 | | int ParseOwnerIdFromSignature(const ByteBuffer &sigbuffer, std::string &ownerID); | 从签名中解析OwnerId | | int32_t EnableKeyInProfile(const std::string &bundleName, const ByteBuffer &profileBuffer); | 信任开发者证书 | | int32_t RemoveKeyInProfile(const std::string &bundleName); | 撤销已信任的开发者证书 | diff --git a/interfaces/inner_api/code_sign_utils/include/code_sign_helper.h b/interfaces/inner_api/code_sign_utils/include/code_sign_helper.h index 9f9dfd704aff0a0046ba82c6c5818115287a0a63..1b5754dac6e427b75ed25e0a00cd52d8c019e179 100644 --- a/interfaces/inner_api/code_sign_utils/include/code_sign_helper.h +++ b/interfaces/inner_api/code_sign_utils/include/code_sign_helper.h @@ -38,11 +38,12 @@ public: * @param ownerId string to abtain owner ID from the signature file * @param path hap real path on disk * @param CallbackFunc enforce code sign callback function address + * @param flag attributes of libs * @return err code, see err_code.h */ - int32_t ProcessMultiTask(const std::string &ownerId, const std::string &path, CallbackFunc &func); + int32_t ProcessMultiTask(const std::string &ownerId, const std::string &path, CallbackFunc &func, uint32_t flag); private: - int32_t ProcessOneFile(); + int32_t ProcessOneFile(uint32_t flag); int32_t ExecuteMultiTask(const std::string &ownerId, const std::string &path, CallbackFunc &func); void ShowCodeSignInfo(const std::string &path, const struct code_sign_enable_arg &arg); private: diff --git a/interfaces/inner_api/code_sign_utils/include/code_sign_utils.h b/interfaces/inner_api/code_sign_utils/include/code_sign_utils.h index 6f06b68476ab8849c9d3c62a45a1d9fce8eafcd1..a34dfa4fc495abd9b1c9d7db3dd83ab5061c96af 100644 --- a/interfaces/inner_api/code_sign_utils/include/code_sign_utils.h +++ b/interfaces/inner_api/code_sign_utils/include/code_sign_utils.h @@ -39,6 +39,10 @@ typedef enum { FILE_TYPE_MAX, } FileType; +enum CodeSignInfoFlag { + IS_UNCOMPRESSED_NATIVE_LIBS = 0x01 << 0, +}; + class CodeSignUtils { public: /** @@ -55,9 +59,11 @@ public: * @param path hap real path on disk * @param entryPath map from entryname in hap to real path on disk * @param type signature file type + * @param flag attributes of libs * @return err code, see err_code.h */ - int32_t EnforceCodeSignForApp(const std::string &path, const EntryMap &entryPathMap, FileType type); + int32_t EnforceCodeSignForApp(const std::string &path, const EntryMap &entryPathMap, + FileType type, uint32_t flag = 0); /** * @brief Enforce code signature for a hap with ownerID @@ -65,10 +71,11 @@ public: * @param path hap real path on disk * @param entryPath map from entryname in hap to real path on disk * @param type signature file type + * @param flag attributes of libs * @return err code, see err_code.h */ int32_t EnforceCodeSignForAppWithOwnerId(const std::string &ownerId, const std::string &path, - const EntryMap &entryPathMap, FileType type); + const EntryMap &entryPathMap, FileType type, uint32_t flag = 0); /** * @brief Enforce code signature for file with signature @@ -124,7 +131,7 @@ public: static int32_t IsSupportFsVerity(const std::string &path); private: static int32_t EnableCodeSignForFile(const std::string &path, const struct code_sign_enable_arg &arg); - int32_t ProcessCodeSignBlock(const std::string &ownerId, const std::string &path, FileType type); + int32_t ProcessCodeSignBlock(const std::string &ownerId, const std::string &path, FileType type, uint32_t flag); int32_t HandleCodeSignBlockFailure(const std::string &realPath, int32_t ret); private: EntryMap storedEntryMap_; diff --git a/interfaces/inner_api/code_sign_utils/src/code_sign_helper.cpp b/interfaces/inner_api/code_sign_utils/src/code_sign_helper.cpp index bec7200c2987c37c85c22356d171a0b286bb450b..377259c563028da89ddb2b6e70bf8b4195ebc0a4 100644 --- a/interfaces/inner_api/code_sign_utils/src/code_sign_helper.cpp +++ b/interfaces/inner_api/code_sign_utils/src/code_sign_helper.cpp @@ -30,11 +30,12 @@ int32_t CodeSignHelper::ParseCodeSignBlock(const std::string &realPath, return codeSignBlock_.ParseCodeSignBlock(realPath, entryMap, fileType); } -int32_t CodeSignHelper::ProcessMultiTask(const std::string &ownerId, const std::string &path, CallbackFunc &func) +int32_t CodeSignHelper::ProcessMultiTask(const std::string &ownerId, const std::string &path, + CallbackFunc &func, uint32_t flag) { int32_t ret; do { - ret = ProcessOneFile(); + ret = ProcessOneFile(flag); if (ret == CS_SUCCESS_END) { break; } else if (ret != CS_SUCCESS) { @@ -44,11 +45,11 @@ int32_t CodeSignHelper::ProcessMultiTask(const std::string &ownerId, const std:: return ExecuteMultiTask(ownerId, path, func); } -int32_t CodeSignHelper::ProcessOneFile() +int32_t CodeSignHelper::ProcessOneFile(uint32_t flag) { std::string targetFile; struct code_sign_enable_arg arg = {0}; - int32_t ret = codeSignBlock_.GetOneFileAndCodeSignInfo(targetFile, arg); + int32_t ret = codeSignBlock_.GetOneFileAndCodeSignInfo(targetFile, arg, flag); if (ret != CS_SUCCESS) { return ret; } diff --git a/interfaces/inner_api/code_sign_utils/src/code_sign_utils.cpp b/interfaces/inner_api/code_sign_utils/src/code_sign_utils.cpp index 9a4a3316b8d585b22be446099de92c6713a56115..a9fa7aa5814924e0794a8ac6b31cd7cede5d907e 100644 --- a/interfaces/inner_api/code_sign_utils/src/code_sign_utils.cpp +++ b/interfaces/inner_api/code_sign_utils/src/code_sign_utils.cpp @@ -195,10 +195,10 @@ int32_t CodeSignUtils::EnforceCodeSignForFile(const std::string &path, const uin } int32_t CodeSignUtils::EnforceCodeSignForAppWithOwnerId(const std::string &ownerId, const std::string &path, - const EntryMap &entryPathMap, FileType type) + const EntryMap &entryPathMap, FileType type, uint32_t flag) { - LOG_INFO("Start to enforce codesign FileType:%{public}d, entryPathMap size:%{public}u, path = %{public}s", - type, static_cast(entryPathMap.size()), path.c_str()); + LOG_INFO("Start to enforce codesign FileType:%{public}u, entryPathMap size:%{public}zu, path = %{public}s, " + "flag = %{public}u", type, entryPathMap.size(), path.c_str(), flag); if (type == FILE_ENTRY_ADD || type == FILE_ENTRY_ONLY || type == FILE_ALL) { { std::lock_guard lock(storedEntryMapLock_); @@ -212,17 +212,18 @@ int32_t CodeSignUtils::EnforceCodeSignForAppWithOwnerId(const std::string &owner return CS_ERR_PARAM_INVALID; } std::lock_guard lock(storedEntryMapLock_); - int ret = ProcessCodeSignBlock(ownerId, path, type); + int ret = ProcessCodeSignBlock(ownerId, path, type, flag); if (ret != CS_SUCCESS) { // retry once to make sure stability - ret = ProcessCodeSignBlock(ownerId, path, type); + ret = ProcessCodeSignBlock(ownerId, path, type, flag); } storedEntryMap_.clear(); LOG_INFO("Enforcing done, ret = %{public}d", ret); return ret; } -int32_t CodeSignUtils::ProcessCodeSignBlock(const std::string &ownerId, const std::string &path, FileType type) +int32_t CodeSignUtils::ProcessCodeSignBlock(const std::string &ownerId, const std::string &path, + FileType type, uint32_t flag) { std::string realPath; if (!OHOS::PathToRealPath(path, realPath)) { @@ -234,7 +235,7 @@ int32_t CodeSignUtils::ProcessCodeSignBlock(const std::string &ownerId, const st if (ret != CS_SUCCESS) { return HandleCodeSignBlockFailure(realPath, ret); } - ret = codeSignHelper.ProcessMultiTask(ownerId, path, EnableCodeSignForFile); + ret = codeSignHelper.ProcessMultiTask(ownerId, path, EnableCodeSignForFile, flag); return ret; } @@ -248,9 +249,10 @@ int32_t CodeSignUtils::HandleCodeSignBlockFailure(const std::string &realPath, i return ret; } -int32_t CodeSignUtils::EnforceCodeSignForApp(const std::string &path, const EntryMap &entryPathMap, FileType type) +int32_t CodeSignUtils::EnforceCodeSignForApp(const std::string &path, const EntryMap &entryPathMap, + FileType type, uint32_t flag) { - return EnforceCodeSignForAppWithOwnerId("", path, entryPathMap, type); + return EnforceCodeSignForAppWithOwnerId("", path, entryPathMap, type, flag); } int32_t CodeSignUtils::EnableKeyInProfile(const std::string &bundleName, const ByteBuffer &profileBuffer) diff --git a/test/unittest/code_sign_utils_test.cpp b/test/unittest/code_sign_utils_test.cpp index 48569a9f5120e56bbc2183624df693f70387b3f4..aec1406ec618d20ae9bcac7c8b184aac95e9e1ce 100644 --- a/test/unittest/code_sign_utils_test.cpp +++ b/test/unittest/code_sign_utils_test.cpp @@ -387,7 +387,7 @@ HWTEST_F(CodeSignUtilsTest, CodeSignUtilsTest_0014, TestSize.Level0) std::string targetFile; struct code_sign_enable_arg arg = {0}; - ret = codeSignBlock.GetOneFileAndCodeSignInfo(targetFile, arg); + ret = codeSignBlock.GetOneFileAndCodeSignInfo(targetFile, arg, 0); EXPECT_EQ(ret, CS_SUCCESS); EXPECT_EQ(arg.version, 1); EXPECT_EQ(arg.cs_version, 1); @@ -399,7 +399,7 @@ HWTEST_F(CodeSignUtilsTest, CodeSignUtilsTest_0014, TestSize.Level0) EXPECT_EQ(arg.flags, 1); EXPECT_EQ(arg.tree_offset, 0x10c000); - ret = codeSignBlock.GetOneFileAndCodeSignInfo(targetFile, arg); + ret = codeSignBlock.GetOneFileAndCodeSignInfo(targetFile, arg, 0); EXPECT_EQ(ret, CS_SUCCESS_END); } @@ -428,7 +428,7 @@ HWTEST_F(CodeSignUtilsTest, CodeSignUtilsTest_0015, TestSize.Level0) do { std::string targetFile; struct code_sign_enable_arg arg = {0}; - ret = codeSignBlock.GetOneFileAndCodeSignInfo(targetFile, arg); + ret = codeSignBlock.GetOneFileAndCodeSignInfo(targetFile, arg, 0); if (ret != CS_SUCCESS_END) { EXPECT_EQ(ret, CS_SUCCESS); EXPECT_EQ(arg.version, 1); diff --git a/utils/include/code_sign_block.h b/utils/include/code_sign_block.h index c56d6464b5fca96883c3412245e1bbc416f0191b..eb41262d4ea64eb2be25ec3688ca204f0461ad6d 100644 --- a/utils/include/code_sign_block.h +++ b/utils/include/code_sign_block.h @@ -133,7 +133,7 @@ public: static constexpr uint32_t CSB_EXTENSION_TYPE_PAGE_INFO_VERSION = 2; int32_t ParseCodeSignBlock(const std::string &realPath, const EntryMap &entryMap, FileType fileType); - int32_t GetOneFileAndCodeSignInfo(std::string &targetFile, struct code_sign_enable_arg &arg); + int32_t GetOneFileAndCodeSignInfo(std::string &targetFile, struct code_sign_enable_arg &arg, uint32_t flag); int32_t ProcessExtension(uintptr_t &extensionAddr, const uintptr_t blockAddrEnd, struct code_sign_enable_arg &arg); private: diff --git a/utils/src/code_sign_block.cpp b/utils/src/code_sign_block.cpp index 6d5587f4b43884741b7ddff1c72e7b6dbbed090a..34b22a8111ed2caf3f4eab75fd221a17fab91cbd 100644 --- a/utils/src/code_sign_block.cpp +++ b/utils/src/code_sign_block.cpp @@ -94,7 +94,8 @@ int32_t CodeSignBlock::ProcessExtension(uintptr_t &extensionAddr, return CS_SUCCESS; } -int32_t CodeSignBlock::GetOneFileAndCodeSignInfo(std::string &targetFile, struct code_sign_enable_arg &arg) +int32_t CodeSignBlock::GetOneFileAndCodeSignInfo(std::string &targetFile, + struct code_sign_enable_arg &arg, uint32_t flag) { int32_t ret; uintptr_t signInfoAddr; @@ -122,8 +123,14 @@ int32_t CodeSignBlock::GetOneFileAndCodeSignInfo(std::string &targetFile, struct } uint32_t extensionCount = 0; + uint32_t extensionNum = signInfo->extensionNum; + if ((flag & IS_UNCOMPRESSED_NATIVE_LIBS) == 0) { + extensionNum = std::min(signInfo->extensionNum, 1u); + } + LOG_DEBUG("flag = %{public}u, extensionNum = %{public}u, signInfo->extensionNum = %{public}u", + flag, extensionNum, signInfo->extensionNum); auto extensionAddr = reinterpret_cast(signInfo) + signInfo->extensionOffset; - while (extensionCount < signInfo->extensionNum) { + while (extensionCount < extensionNum) { ret = ProcessExtension(extensionAddr, blockAddrEnd, arg); if (ret != CS_SUCCESS) { return ret;