diff --git a/interfaces/innerkits/code_sign_utils/include/code_sign_utils.h b/interfaces/innerkits/code_sign_utils/include/code_sign_utils.h index 395169ac2ebb199e6c1c7b60d0140c6b2664e478..334709288c8f72b1ee193a46cb6c00588e3316ee 100644 --- a/interfaces/innerkits/code_sign_utils/include/code_sign_utils.h +++ b/interfaces/innerkits/code_sign_utils/include/code_sign_utils.h @@ -56,6 +56,17 @@ public: */ static int32_t EnforceCodeSignForApp(const std::string &path, const EntryMap &entryPathMap, FileType type); + /** + * @brief Enforce code signature for app with ownerID + * @param ownerId app-identifier of the signature + * @param path hap real path on disk + * @param entryPath map from entryname in hap to real path on disk + * @param type signature file type + * @return err code, see err_code.h + */ + static int32_t EnforceCodeSignForAppWithOwnerId(std::string ownerId, const std::string &path, + const EntryMap &entryPathMap, FileType type); + /** * @brief Enforce code signature for file with signature * @param path file path diff --git a/interfaces/innerkits/code_sign_utils/src/code_sign_utils.cpp b/interfaces/innerkits/code_sign_utils/src/code_sign_utils.cpp index 6064956f5e87abe6beed9538f113876eff039384..2df9cccc83d24ec78a39fd06891015133c56a717 100644 --- a/interfaces/innerkits/code_sign_utils/src/code_sign_utils.cpp +++ b/interfaces/innerkits/code_sign_utils/src/code_sign_utils.cpp @@ -226,7 +226,8 @@ void CodeSignUtils::ShowCodeSignInfo(const std::string &path, const struct code_ rootHashPtr[0], rootHashPtr[1], rootHashPtr[2], rootHashPtr[32], rootHashPtr[63]); // 2, 32, 63 data index } -int32_t CodeSignUtils::EnforceCodeSignForApp(const std::string &path, const EntryMap &entryPathMap, FileType type) +int32_t CodeSignUtils::EnforceCodeSignForAppWithOwnerId(std::string ownerId, const std::string &path, + const EntryMap &entryPathMap, FileType type) { int32_t ret; std::string realPath; @@ -261,6 +262,21 @@ int32_t CodeSignUtils::EnforceCodeSignForApp(const std::string &path, const Entr return ret; } + if (!ownerId.empty()) { + ByteBuffer sigBuffer; + sigBuffer.CopyFrom(reinterpret_cast(arg.sig_ptr), arg.sig_size); + std::string retId; + ret = SignerInfo::ParseOwnerIdFromSignature(sigBuffer, retId); + if (ret != CS_SUCCESS) { + LOG_ERROR(LABEL, "get ownerId from signature failed, ret %{public}d", ret); + break; + } else if (retId != ownerId) { + ret = CS_ERR_INVALID_OWNER_ID; + LOG_ERROR(LABEL, "invalid ownerId retId %{public}s ownerId %{public}s", retId.c_str(), ownerId.c_str()); + break; + } + } + ShowCodeSignInfo(targetFile, arg); if (!CheckFilePathValid(targetFile, Constants::ENABLE_APP_BASE_PATH)) { @@ -270,6 +286,11 @@ int32_t CodeSignUtils::EnforceCodeSignForApp(const std::string &path, const Entr } while (ret == CS_SUCCESS); return ret; } + +int32_t CodeSignUtils::EnforceCodeSignForApp(const std::string &path, const EntryMap &entryPathMap, FileType type) +{ + return EnforceCodeSignForAppWithOwnerId("", path, entryPathMap, type); +} } } } diff --git a/interfaces/innerkits/common/include/errcode.h b/interfaces/innerkits/common/include/errcode.h index f6d18dda0fd5e2d2e25d1efe98eaf625e271f436..1145993eb5a8222ab66783924d388fd1201f6eaf 100644 --- a/interfaces/innerkits/common/include/errcode.h +++ b/interfaces/innerkits/common/include/errcode.h @@ -95,6 +95,7 @@ enum SignBlockErrCode { CS_ERR_SIGN_ADDR_ALIGN = -0x621, CS_ERR_SIGN_EXTENSION_OFFSET_ALIGN = -0x622, CS_ERR_TARGET_FILE_PATH = -0x623, + CS_ERR_INVALID_OWNER_ID = -0x624, }; } } diff --git a/test/unittest/code_sign_utils_test.cpp b/test/unittest/code_sign_utils_test.cpp index f54d8f3ef55d04ef8eebf49a8484b8948dc58a8b..22b191df605d1977055df0f7030d7c013b04c309 100644 --- a/test/unittest/code_sign_utils_test.cpp +++ b/test/unittest/code_sign_utils_test.cpp @@ -48,6 +48,8 @@ static const std::string APP_BASE_PATH = "/data/app/el1/bundle/public/tmp"; static const string DEV_NAME = "/dev/code_sign"; static const string SUBJECT = "Huawei: HarmonyOS Application Code Signature"; static const string ISSUER = "Huawei CBG Software Signing Service CA Test"; +static const string OH_SUBJECT = "OpenHarmony Application Release"; +static const string OH_ISSUER = "OpenHarmony Application CA"; static const EntryMap g_hapWithoutLibRetSuc = { {"Hap", APP_BASE_PATH + "/demo_without_lib/demo_without_lib.hap"}, @@ -487,6 +489,70 @@ HWTEST_F(CodeSignUtilsTest, CodeSignUtilsTest_0016, TestSize.Level0) ret = CodeSignUtils::EnforceCodeSignForApp(hapRealPath, entryMap, FILE_ALL); EXPECT_EQ(ret, CS_ERR_TARGET_FILE_PATH); } + +/** + * @tc.name: CodeSignUtilsTest_0017 + * @tc.desc: enable code signature for debug app with libs + * @tc.type: Func + * @tc.require: + */ +HWTEST_F(CodeSignUtilsTest, CodeSignUtilsTest_0017, TestSize.Level0) +{ + std::string hapRealPath = APP_BASE_PATH + "/demo_with_multi_lib/entry-default-signed-debug.hap"; + EntryMap entryMap; + int ret = CallIoctl(OH_SUBJECT.c_str(), OH_ISSUER.c_str(), MAX_CERT_CHAIN); + EXPECT_EQ(ret, 0); + ret = CodeSignUtils::EnforceCodeSignForAppWithOwnerId("DEBUG_LIB_ID", hapRealPath, entryMap, FILE_SELF); + EXPECT_EQ(ret, CS_SUCCESS); +} + +/** + * @tc.name: CodeSignUtilsTest_0018 + * @tc.desc: enable code signature for release app with libs + * @tc.type: Func + * @tc.require: + */ +HWTEST_F(CodeSignUtilsTest, CodeSignUtilsTest_0018, TestSize.Level0) +{ + std::string hapRealPath = APP_BASE_PATH + "/demo_with_multi_lib/entry-default-signed-release.hap"; + EntryMap entryMap; + int ret = CallIoctl(OH_SUBJECT.c_str(), OH_ISSUER.c_str(), MAX_CERT_CHAIN); + EXPECT_EQ(ret, 0); + ret = CodeSignUtils::EnforceCodeSignForAppWithOwnerId("test-app-identifier", hapRealPath, entryMap, FILE_SELF); + EXPECT_EQ(ret, CS_SUCCESS); +} + +/** + * @tc.name: CodeSignUtilsTest_0019 + * @tc.desc: enable code signature for debug app with libs + * @tc.type: Func + * @tc.require: + */ +HWTEST_F(CodeSignUtilsTest, CodeSignUtilsTest_0019, TestSize.Level0) +{ + std::string hapRealPath = APP_BASE_PATH + "/demo_with_multi_lib/entry-default-signed-debug.hap"; + EntryMap entryMap; + int ret = CallIoctl(OH_SUBJECT.c_str(), OH_ISSUER.c_str(), MAX_CERT_CHAIN); + EXPECT_EQ(ret, 0); + ret = CodeSignUtils::EnforceCodeSignForAppWithOwnerId("INVALID_ID", hapRealPath, entryMap, FILE_SELF); + EXPECT_EQ(ret, CS_ERR_INVALID_OWNER_ID); +} + +/** + * @tc.name: CodeSignUtilsTest_0020 + * @tc.desc: enable code signature for release app with libs + * @tc.type: Func + * @tc.require: + */ +HWTEST_F(CodeSignUtilsTest, CodeSignUtilsTest_0020, TestSize.Level0) +{ + std::string hapRealPath = APP_BASE_PATH + "/demo_with_multi_lib/entry-default-signed-release.hap"; + EntryMap entryMap; + int ret = CallIoctl(OH_SUBJECT.c_str(), OH_ISSUER.c_str(), MAX_CERT_CHAIN); + EXPECT_EQ(ret, 0); + ret = CodeSignUtils::EnforceCodeSignForAppWithOwnerId("INVALID_ID", hapRealPath, entryMap, FILE_SELF); + EXPECT_EQ(ret, CS_ERR_INVALID_OWNER_ID); +} } // namespace CodeSign } // namespace Security } // namespace OHOS diff --git a/test/unittest/resources/demo_with_multi_lib/entry-default-signed-debug.hap b/test/unittest/resources/demo_with_multi_lib/entry-default-signed-debug.hap new file mode 100644 index 0000000000000000000000000000000000000000..9ded5898d24239c863c6b42ddf9b012e583e040f Binary files /dev/null and b/test/unittest/resources/demo_with_multi_lib/entry-default-signed-debug.hap differ diff --git a/test/unittest/resources/demo_with_multi_lib/entry-default-signed-release.hap b/test/unittest/resources/demo_with_multi_lib/entry-default-signed-release.hap new file mode 100644 index 0000000000000000000000000000000000000000..b9e20d637615d473702deb65e8a26d8dff440374 Binary files /dev/null and b/test/unittest/resources/demo_with_multi_lib/entry-default-signed-release.hap differ diff --git a/test/unittest/resources/ohos_test.xml b/test/unittest/resources/ohos_test.xml index 91283bdd624d1a0b226faf8a92fb3e7494a38f7a..8f0b943b21c56809ec17028617588ed00155e22d 100644 --- a/test/unittest/resources/ohos_test.xml +++ b/test/unittest/resources/ohos_test.xml @@ -58,6 +58,8 @@