From b8ea760e4a2c49fa9f1a74c59beb2374001481bd Mon Sep 17 00:00:00 2001 From: zhenghui Date: Tue, 23 Jan 2024 16:06:36 +0800 Subject: [PATCH 1/6] cfi configure in local_code_signature Signed-off-by: zhenghui --- interfaces/innerkits/local_code_sign/BUILD.gn | 8 +++++++- services/local_code_sign/BUILD.gn | 6 ++++++ test/unittest/BUILD.gn | 6 ++++++ 3 files changed, 19 insertions(+), 1 deletion(-) diff --git a/interfaces/innerkits/local_code_sign/BUILD.gn b/interfaces/innerkits/local_code_sign/BUILD.gn index 99827d1..5c5a55a 100644 --- a/interfaces/innerkits/local_code_sign/BUILD.gn +++ b/interfaces/innerkits/local_code_sign/BUILD.gn @@ -19,6 +19,12 @@ config("public_local_code_sign_configs") { } ohos_shared_library("liblocal_code_sign_sdk") { + sanitize = { + cfi = true + cfi_cross_dso = true + debug = false + } + branch_protector_ret = "pac_ret" sources = [ "src/local_code_sign_client.cpp", "src/local_code_sign_kit.cpp", @@ -34,8 +40,8 @@ ohos_shared_library("liblocal_code_sign_sdk") { external_deps = [ "c_utils:utils", - "hisysevent:libhisysevent", "hilog:libhilog", + "hisysevent:libhisysevent", "ipc:ipc_core", "safwk:system_ability_fwk", "samgr:samgr_proxy", diff --git a/services/local_code_sign/BUILD.gn b/services/local_code_sign/BUILD.gn index 8b3f3b0..5c38c04 100644 --- a/services/local_code_sign/BUILD.gn +++ b/services/local_code_sign/BUILD.gn @@ -16,6 +16,12 @@ import("//build/ohos/sa_profile/sa_profile.gni") import("../../code_signature.gni") ohos_shared_library("liblocal_code_sign") { + sanitize = { + cfi = true + cfi_cross_dso = true + debug = false + } + branch_protector_ret = "pac_ret" sources = [ "${code_signature_root_dir}/utils/src/cert_utils.cpp", "src/local_code_sign_service.cpp", diff --git a/test/unittest/BUILD.gn b/test/unittest/BUILD.gn index 82a2287..9acd9b5 100644 --- a/test/unittest/BUILD.gn +++ b/test/unittest/BUILD.gn @@ -64,6 +64,12 @@ ohos_unittest("code_sign_utils_unittest") { } ohos_unittest("local_code_sign_unittest") { + sanitize = { + cfi = true + cfi_cross_dso = true + debug = false + } + branch_protector_ret = "pac_ret" module_out_path = "security/code_signature" resource_config_file = "resources/ohos_test.xml" sources = [ "local_code_sign_test.cpp" ] -- Gitee From da20446002dac3a54c6a2e012c7ab3d4db7751cc Mon Sep 17 00:00:00 2001 From: fwx1262723 Date: Tue, 30 Jan 2024 15:43:50 +0800 Subject: [PATCH 2/6] log level modify Signed-off-by: fwx1262723 --- interfaces/innerkits/code_sign_utils/src/code_sign_utils.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/interfaces/innerkits/code_sign_utils/src/code_sign_utils.cpp b/interfaces/innerkits/code_sign_utils/src/code_sign_utils.cpp index d4ff79d..bc05b6c 100644 --- a/interfaces/innerkits/code_sign_utils/src/code_sign_utils.cpp +++ b/interfaces/innerkits/code_sign_utils/src/code_sign_utils.cpp @@ -212,7 +212,7 @@ int32_t CodeSignUtils::EnforceCodeSignForFile(const std::string &path, const uin int32_t CodeSignUtils::EnforceCodeSignForAppWithOwnerId(const std::string &ownerId, const std::string &path, const EntryMap &entryPathMap, FileType type, const std::string &moduleName) { - LOG_DEBUG(LABEL, "Start to enforce codesign FileType:%{public}d, entryPathMap size:%{public}u", + LOG_INFO(LABEL, "Start to enforce codesign FileType:%{public}d, entryPathMap size:%{public}u", type, static_cast(entryPathMap.size())); if (type == FILE_ENTRY_ADD || type == FILE_ENTRY_ONLY || type == FILE_ALL) { StoredEntryMapInsert(moduleName, entryPathMap); -- Gitee From 3ca3baf81c72e7c647c2eb4dcd662688087dbd26 Mon Sep 17 00:00:00 2001 From: fwx1262723 Date: Tue, 30 Jan 2024 20:17:17 +0800 Subject: [PATCH 3/6] print path in LOG_INFO Signed-off-by: fwx1262723 --- .../innerkits/code_sign_utils/src/code_sign_utils.cpp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/interfaces/innerkits/code_sign_utils/src/code_sign_utils.cpp b/interfaces/innerkits/code_sign_utils/src/code_sign_utils.cpp index bc05b6c..2a3a6c5 100644 --- a/interfaces/innerkits/code_sign_utils/src/code_sign_utils.cpp +++ b/interfaces/innerkits/code_sign_utils/src/code_sign_utils.cpp @@ -179,7 +179,7 @@ int32_t CodeSignUtils::EnableCodeSignForFile(const std::string &path, const stru ret = CS_SUCCESS; } while (0); close(fd); - LOG_INFO(LABEL, "Enforcing file complete"); + LOG_INFO(LABEL, "Enforcing file complete and ret = %{public}d", ret); return ret; } @@ -212,8 +212,8 @@ int32_t CodeSignUtils::EnforceCodeSignForFile(const std::string &path, const uin int32_t CodeSignUtils::EnforceCodeSignForAppWithOwnerId(const std::string &ownerId, const std::string &path, const EntryMap &entryPathMap, FileType type, const std::string &moduleName) { - LOG_INFO(LABEL, "Start to enforce codesign FileType:%{public}d, entryPathMap size:%{public}u", - type, static_cast(entryPathMap.size())); + LOG_INFO(LABEL, "Start to enforce codesign FileType:%{public}d, entryPathMap size:%{public}u, path = %{public}s", + type, static_cast(entryPathMap.size()), path.c_str()); if (type == FILE_ENTRY_ADD || type == FILE_ENTRY_ONLY || type == FILE_ALL) { StoredEntryMapInsert(moduleName, entryPathMap); if (type == FILE_ENTRY_ADD) { -- Gitee From 1e27fa981966bd8fca8be0dc972c85b962255449 Mon Sep 17 00:00:00 2001 From: yeyuning Date: Tue, 30 Jan 2024 16:43:54 +0800 Subject: [PATCH 4/6] =?UTF-8?q?=E5=A4=9A=E5=AD=97=E8=8A=82=E5=AD=97?= =?UTF-8?q?=E7=AC=A6=E5=88=87=E7=89=87?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: yeyuning Change-Id: I97eb04f787d20a303eefa7811afa6ff46ee79c29 --- services/key_enable/src/cert_path_utils.rs | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/services/key_enable/src/cert_path_utils.rs b/services/key_enable/src/cert_path_utils.rs index 8bc658f..bcab701 100644 --- a/services/key_enable/src/cert_path_utils.rs +++ b/services/key_enable/src/cert_path_utils.rs @@ -30,6 +30,7 @@ const TYPE_KEY: &str = "type"; const SUBJECT_KEY: &str = "subject"; const ISSUER_KEY: &str = "issuer"; const MAX_CERT_PATH: &str = "max-certs-path"; +const COMMON_NAME_CHAR_LIMIT: usize = 7; /// profile cert path error pub enum CertPathError { /// cert path add remove error @@ -365,11 +366,15 @@ pub fn common_format_fabricate_name(common_name: &str, organization: &str, email if common_name.len() >= organization.len() && common_name.starts_with(organization) { return common_name.to_string(); } - if common_name.len() >= 7 && organization.len() >= 7 && common_name[0..7] == organization[0..7] { - ret = common_name.to_string(); - } else { - ret = format!("{}: {}", organization, common_name); + if common_name.len() >= COMMON_NAME_CHAR_LIMIT && organization.len() >= COMMON_NAME_CHAR_LIMIT { + let common_name_prefix = &common_name.as_bytes()[..COMMON_NAME_CHAR_LIMIT]; + let organization_prefix = &organization.as_bytes()[..COMMON_NAME_CHAR_LIMIT]; + if common_name_prefix == organization_prefix { + ret = common_name.to_string(); + return ret; + } } + ret = format!("{}: {}", organization, common_name); } else if !common_name.is_empty() { ret = common_name.to_string(); } else if !organization.is_empty() { -- Gitee From 2e4e2b7aa744357a85b3a0de92a4e05be9c327f5 Mon Sep 17 00:00:00 2001 From: yang1946 Date: Thu, 1 Feb 2024 09:33:27 +0800 Subject: [PATCH 5/6] =?UTF-8?q?=E4=BB=A3=E7=A0=81=E7=AD=BE=E5=90=8D?= =?UTF-8?q?=E6=8E=A5=E5=8F=A3=E4=BC=98=E5=8C=96?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: yang1946 --- .../code_sign_utils/include/code_sign_utils.h | 29 +++------ .../code_sign_utils/src/code_sign_utils.cpp | 59 ++++--------------- services/key_enable/BUILD.gn | 6 +- .../key_enable.cfg} | 0 .../key_enable.cfg} | 0 test/unittest/code_sign_utils_test.cpp | 57 +++++++----------- utils/src/code_sign_block.cpp | 9 ++- 7 files changed, 53 insertions(+), 107 deletions(-) rename services/key_enable/cfg/{key_enable.disable_xpm.cfg => disable_xpm/key_enable.cfg} (100%) rename services/key_enable/cfg/{key_enable.enable_xpm.cfg => enable_xpm/key_enable.cfg} (100%) diff --git a/interfaces/innerkits/code_sign_utils/include/code_sign_utils.h b/interfaces/innerkits/code_sign_utils/include/code_sign_utils.h index 90d51b1..822aef7 100644 --- a/interfaces/innerkits/code_sign_utils/include/code_sign_utils.h +++ b/interfaces/innerkits/code_sign_utils/include/code_sign_utils.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2023 Huawei Device Co., Ltd. + * Copyright (c) 2023-2024 Huawei Device Co., Ltd. * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at @@ -42,7 +42,7 @@ typedef enum { class CodeSignUtils { public: /** - * @brief Enforce code signature for app + * @brief Enforce code signature for a hap * @param entryPath map from entryname in hap to real path on disk * @param signatureFile signature file path * @return err code, see err_code.h @@ -50,27 +50,25 @@ public: static int32_t EnforceCodeSignForApp(const EntryMap &entryPath, const std::string &signatureFile); /** - * @brief Enforce code signature for app + * @brief Enforce code signature for a hap with its native files. + * Multiple instances should be created to enable code signing for a multi-hap app. * @param path hap real path on disk * @param entryPath map from entryname in hap to real path on disk * @param type signature file type - * @param moduleName hap module name * @return err code, see err_code.h */ - int32_t EnforceCodeSignForApp(const std::string &path, const EntryMap &entryPathMap, - FileType type, const std::string &moduleName); + int32_t EnforceCodeSignForApp(const std::string &path, const EntryMap &entryPathMap, FileType type); /** - * @brief Enforce code signature for app with ownerID + * @brief Enforce code signature for a hap with ownerID * @param ownerId app-identifier of the signature * @param path hap real path on disk * @param entryPath map from entryname in hap to real path on disk * @param type signature file type - * @param moduleName hap module name * @return err code, see err_code.h */ int32_t EnforceCodeSignForAppWithOwnerId(const std::string &ownerId, const std::string &path, - const EntryMap &entryPathMap, FileType type, const std::string &moduleName); + const EntryMap &entryPathMap, FileType type); /** * @brief Enforce code signature for file with signature @@ -118,11 +116,6 @@ public: * @return return ture if in permissive mode */ static bool InPermissiveMode(); - /** - * @brief Check if code signing is completed - * @return return ture if Completed - */ - bool IsCodeSignEnableCompleted(); /** * @brief Check if the file path support FsVerity * @param path file path @@ -132,14 +125,10 @@ public: private: static int32_t IsFsVerityEnabled(int fd); static int32_t EnableCodeSignForFile(const std::string &path, const struct code_sign_enable_arg &arg); - void StoredEntryMapInsert(const std::string &moduleName, const EntryMap &entryPathMap); - void StoredEntryMapDelete(const std::string &moduleName); - void StoredEntryMapSearch(const std::string &moduleName, EntryMap &entryPathMap); - int32_t ProcessCodeSignBlock(const std::string &ownerId, const std::string &path, - FileType type, const std::string &moduleName); + int32_t ProcessCodeSignBlock(const std::string &ownerId, const std::string &path, FileType type); int32_t HandleCodeSignBlockFailure(const std::string &realPath, int32_t ret); private: - std::unordered_map storedEntryMap_; + EntryMap storedEntryMap_; std::mutex storedEntryMapLock_; }; } diff --git a/interfaces/innerkits/code_sign_utils/src/code_sign_utils.cpp b/interfaces/innerkits/code_sign_utils/src/code_sign_utils.cpp index d4ff79d..de70acf 100644 --- a/interfaces/innerkits/code_sign_utils/src/code_sign_utils.cpp +++ b/interfaces/innerkits/code_sign_utils/src/code_sign_utils.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2023 Huawei Device Co., Ltd. + * Copyright (c) 2023-2024 Huawei Device Co., Ltd. * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at @@ -210,12 +210,15 @@ int32_t CodeSignUtils::EnforceCodeSignForFile(const std::string &path, const uin } int32_t CodeSignUtils::EnforceCodeSignForAppWithOwnerId(const std::string &ownerId, const std::string &path, - const EntryMap &entryPathMap, FileType type, const std::string &moduleName) + const EntryMap &entryPathMap, FileType type) { LOG_DEBUG(LABEL, "Start to enforce codesign FileType:%{public}d, entryPathMap size:%{public}u", type, static_cast(entryPathMap.size())); if (type == FILE_ENTRY_ADD || type == FILE_ENTRY_ONLY || type == FILE_ALL) { - StoredEntryMapInsert(moduleName, entryPathMap); + { + std::lock_guard lock(storedEntryMapLock_); + storedEntryMap_.insert(entryPathMap.begin(), entryPathMap.end()); + } if (type == FILE_ENTRY_ADD) { LOG_DEBUG(LABEL, "Add entryPathMap complete"); return CS_SUCCESS; @@ -223,24 +226,21 @@ int32_t CodeSignUtils::EnforceCodeSignForAppWithOwnerId(const std::string &owner } else if (type >= FILE_TYPE_MAX) { return CS_ERR_PARAM_INVALID; } - return ProcessCodeSignBlock(ownerId, path, type, moduleName); + return ProcessCodeSignBlock(ownerId, path, type); } -int32_t CodeSignUtils::ProcessCodeSignBlock(const std::string &ownerId, const std::string &path, - FileType type, const std::string &moduleName) +int32_t CodeSignUtils::ProcessCodeSignBlock(const std::string &ownerId, const std::string &path, FileType type) { std::string realPath; if (!OHOS::PathToRealPath(path, realPath)) { return CS_ERR_FILE_PATH; } int32_t ret; - EntryMap entryMap; CodeSignHelper codeSignHelper; { std::lock_guard lock(storedEntryMapLock_); - StoredEntryMapSearch(moduleName, entryMap); - ret = codeSignHelper.ParseCodeSignBlock(realPath, entryMap, type); - StoredEntryMapDelete(moduleName); + ret = codeSignHelper.ParseCodeSignBlock(realPath, storedEntryMap_, type); + storedEntryMap_.clear(); } if (ret != CS_SUCCESS) { return HandleCodeSignBlockFailure(realPath, ret); @@ -258,10 +258,9 @@ int32_t CodeSignUtils::HandleCodeSignBlockFailure(const std::string &realPath, i return ret; } -int32_t CodeSignUtils::EnforceCodeSignForApp(const std::string &path, const EntryMap &entryPathMap, - FileType type, const std::string &moduleName) +int32_t CodeSignUtils::EnforceCodeSignForApp(const std::string &path, const EntryMap &entryPathMap, FileType type) { - return EnforceCodeSignForAppWithOwnerId("", path, entryPathMap, type, moduleName); + return EnforceCodeSignForAppWithOwnerId("", path, entryPathMap, type); } int32_t CodeSignUtils::EnableKeyInProfile(const std::string &bundleName, const ByteBuffer &profileBuffer) @@ -317,40 +316,6 @@ bool CodeSignUtils::IsSupportOHCodeSign() return false; #endif } - -bool CodeSignUtils::IsCodeSignEnableCompleted() -{ - std::lock_guard lock(storedEntryMapLock_); - if (!storedEntryMap_.empty()) { - storedEntryMap_.clear(); - return false; - } - return true; -} - -void CodeSignUtils::StoredEntryMapInsert(const std::string &moduleName, const EntryMap &entryPathMap) -{ - std::lock_guard lock(storedEntryMapLock_); - auto iter = storedEntryMap_.find(moduleName); - if (iter != storedEntryMap_.end()) { - iter->second.insert(entryPathMap.begin(), entryPathMap.end()); - return; - } - storedEntryMap_.emplace(moduleName, entryPathMap); -} - -void CodeSignUtils::StoredEntryMapDelete(const std::string &moduleName) -{ - storedEntryMap_.erase(moduleName); -} - -void CodeSignUtils::StoredEntryMapSearch(const std::string &moduleName, EntryMap &entryPathMap) -{ - auto iter = storedEntryMap_.find(moduleName); - if (iter != storedEntryMap_.end()) { - entryPathMap = iter->second; - } -} } } } diff --git a/services/key_enable/BUILD.gn b/services/key_enable/BUILD.gn index 5f9c91e..2978094 100644 --- a/services/key_enable/BUILD.gn +++ b/services/key_enable/BUILD.gn @@ -1,4 +1,4 @@ -# Copyright (c) 2023 Huawei Device Co., Ltd. +# Copyright (c) 2023-2024 Huawei Device Co., Ltd. # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at @@ -83,9 +83,9 @@ ohos_prebuilt_etc("trusted_cert_path_test") { ohos_prebuilt_etc("key_enable.cfg") { if (code_signature_enable_xpm_mode) { - source = "cfg/key_enable.enable_xpm.cfg" + source = "cfg/enable_xpm/key_enable.cfg" } else { - source = "cfg/key_enable.disable_xpm.cfg" + source = "cfg/disable_xpm/key_enable.cfg" } relative_install_dir = "init" subsystem_name = "security" diff --git a/services/key_enable/cfg/key_enable.disable_xpm.cfg b/services/key_enable/cfg/disable_xpm/key_enable.cfg similarity index 100% rename from services/key_enable/cfg/key_enable.disable_xpm.cfg rename to services/key_enable/cfg/disable_xpm/key_enable.cfg diff --git a/services/key_enable/cfg/key_enable.enable_xpm.cfg b/services/key_enable/cfg/enable_xpm/key_enable.cfg similarity index 100% rename from services/key_enable/cfg/key_enable.enable_xpm.cfg rename to services/key_enable/cfg/enable_xpm/key_enable.cfg diff --git a/test/unittest/code_sign_utils_test.cpp b/test/unittest/code_sign_utils_test.cpp index 97f25aa..c1e431a 100644 --- a/test/unittest/code_sign_utils_test.cpp +++ b/test/unittest/code_sign_utils_test.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2023 Huawei Device Co., Ltd. + * Copyright (c) 2023-2024 Huawei Device Co., Ltd. * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at @@ -472,10 +472,9 @@ HWTEST_F(CodeSignUtilsTest, CodeSignUtilsTest_0015, TestSize.Level0) HWTEST_F(CodeSignUtilsTest, CodeSignUtilsTest_0016, TestSize.Level0) { std::string hapRealPath = APP_BASE_PATH + "/demo_with_multi_lib/demo_with_code_sign_block.hap"; - std::string moduleName = "EntryAbility"; EntryMap entryMap; CodeSignUtils utils; - int32_t ret = utils.EnforceCodeSignForApp(hapRealPath, entryMap, FILE_SELF, moduleName); + int32_t ret = utils.EnforceCodeSignForApp(hapRealPath, entryMap, FILE_SELF); EXPECT_EQ(ret, CS_SUCCESS); std::string filePath1("libs/arm64-v8a/libc++_shared.so"); @@ -485,10 +484,10 @@ HWTEST_F(CodeSignUtilsTest, CodeSignUtilsTest_0016, TestSize.Level0) std::string targetPath2 = TEST_APP_DTAT_DIR + "libs/arm64/libentry.so"; entryMap.emplace(filePath2, targetPath2); - ret = utils.EnforceCodeSignForApp(hapRealPath, entryMap, FILE_ENTRY_ADD, moduleName); + ret = utils.EnforceCodeSignForApp(hapRealPath, entryMap, FILE_ENTRY_ADD); EXPECT_EQ(ret, CS_SUCCESS); - ret = utils.EnforceCodeSignForApp(hapRealPath, entryMap, FILE_ALL, moduleName); + ret = utils.EnforceCodeSignForApp(hapRealPath, entryMap, FILE_ALL); EXPECT_EQ(ret, CS_ERR_FILE_PATH); } @@ -504,7 +503,7 @@ HWTEST_F(CodeSignUtilsTest, CodeSignUtilsTest_0017, TestSize.Level0) EntryMap entryMap; CodeSignUtils utils; int32_t ret = utils.EnforceCodeSignForAppWithOwnerId("DEBUG_LIB_ID", - hapRealPath, entryMap, FILE_SELF, "EntryAbility"); + hapRealPath, entryMap, FILE_SELF); EXPECT_EQ(ret, CS_SUCCESS); } @@ -520,7 +519,7 @@ HWTEST_F(CodeSignUtilsTest, CodeSignUtilsTest_0018, TestSize.Level0) EntryMap entryMap; CodeSignUtils utils; int32_t ret = utils.EnforceCodeSignForAppWithOwnerId("test-app-identifier", - hapRealPath, entryMap, FILE_SELF, "EntryAbility"); + hapRealPath, entryMap, FILE_SELF); EXPECT_EQ(ret, CS_SUCCESS); } @@ -536,7 +535,7 @@ HWTEST_F(CodeSignUtilsTest, CodeSignUtilsTest_0019, TestSize.Level0) EntryMap entryMap; CodeSignUtils utils; int32_t ret = utils.EnforceCodeSignForAppWithOwnerId("INVALID_ID", - hapRealPath, entryMap, FILE_SELF, "EntryAbility"); + hapRealPath, entryMap, FILE_SELF); EXPECT_EQ(ret, CS_ERR_INVALID_OWNER_ID); } @@ -552,7 +551,7 @@ HWTEST_F(CodeSignUtilsTest, CodeSignUtilsTest_0020, TestSize.Level0) EntryMap entryMap; CodeSignUtils utils; int32_t ret = utils.EnforceCodeSignForAppWithOwnerId("INVALID_ID", - hapRealPath, entryMap, FILE_SELF, "EntryAbility"); + hapRealPath, entryMap, FILE_SELF); EXPECT_EQ(ret, CS_ERR_INVALID_OWNER_ID); } @@ -576,7 +575,7 @@ HWTEST_F(CodeSignUtilsTest, CodeSignUtilsTest_0021, TestSize.Level0) EntryMap entryMap; CodeSignUtils utils; - ret = utils.EnforceCodeSignForApp(hapEnablePath, entryMap, FILE_SELF, "EntryAbility"); + ret = utils.EnforceCodeSignForApp(hapEnablePath, entryMap, FILE_SELF); EXPECT_EQ(ret, CS_SUCCESS); } @@ -616,26 +615,25 @@ HWTEST_F(CodeSignUtilsTest, CodeSignUtilsTest_0022, TestSize.Level0) HWTEST_F(CodeSignUtilsTest, CodeSignUtilsTest_0023, TestSize.Level0) { std::string hapRealPath = APP_BASE_PATH + "/demo_with_multi_lib/demo_with_code_sign_block.hap"; - std::string moduleName = "EntryAbility"; EntryMap entryMap; - std::string filePath1("libs/arm64-v8a/code_sign_block/libc++_shared.so"); + std::string filePath1("libs/arm64-v8a/libc++_shared.so"); std::string targetPath1 = APP_BASE_PATH + "/demo_with_multi_lib/libs/arm64-v8a/code_sign_block/libc++_shared.so"; entryMap.emplace(filePath1, targetPath1); CodeSignUtils utils; - int32_t ret = utils.EnforceCodeSignForApp(hapRealPath, entryMap, FILE_ENTRY_ONLY, moduleName); + int32_t ret = utils.EnforceCodeSignForApp(hapRealPath, entryMap, FILE_ENTRY_ONLY); EXPECT_EQ(ret, CS_SUCCESS); - std::string filePath2("libs/arm64-v8a/code_sign_block/libentry.so"); + std::string filePath2("libs/arm64-v8a/libentry.so"); std::string targetPath2 = APP_BASE_PATH + "/demo_with_multi_lib/libs/arm64-v8a/code_sign_block/libentry.so"; entryMap.emplace(filePath2, targetPath2); - ret = utils.EnforceCodeSignForApp(hapRealPath, entryMap, FILE_ENTRY_ADD, moduleName); + ret = utils.EnforceCodeSignForApp(hapRealPath, entryMap, FILE_ENTRY_ADD); EXPECT_EQ(ret, CS_SUCCESS); entryMap.clear(); - ret = utils.EnforceCodeSignForApp(hapRealPath, entryMap, FILE_ALL, moduleName); + ret = utils.EnforceCodeSignForApp(hapRealPath, entryMap, FILE_ALL); EXPECT_EQ(ret, CS_SUCCESS); } @@ -653,7 +651,7 @@ HWTEST_F(CodeSignUtilsTest, CodeSignUtilsTest_0024, TestSize.Level0) EntryMap entryMap; CodeSignUtils utils; std::string hapRealPath = APP_BASE_PATH + "/demo_without_lib/demo_without_lib.hap"; - int32_t ret = utils.EnforceCodeSignForApp(hapRealPath, entryMap, FILE_SELF, "EntryAbility"); + int32_t ret = utils.EnforceCodeSignForApp(hapRealPath, entryMap, FILE_SELF); EXPECT_EQ(ret, CS_SUCCESS); SaveStringToFile(XPM_DEBUG_FS_MODE_PATH, ENFORCE_MODE); } @@ -672,13 +670,13 @@ HWTEST_F(CodeSignUtilsTest, CodeSignUtilsTest_0025, TestSize.Level0) std::string hapRealPath = APP_BASE_PATH + "/demo_without_lib/demo_without_lib.hap"; EntryMap entryMap; CodeSignUtils utils; - int32_t ret = utils.EnforceCodeSignForApp(hapRealPath, entryMap, FILE_SELF, "EntryAbility"); + int32_t ret = utils.EnforceCodeSignForApp(hapRealPath, entryMap, FILE_SELF); EXPECT_EQ(ret, CS_CODE_SIGN_NOT_EXISTS); } /** * @tc.name: CodeSignUtilsTest_0026 - * @tc.desc: enable code signature in multiple Hap Scenarios + * @tc.desc: hap so mismatch scenarios * @tc.type: Func * @tc.require: */ @@ -686,9 +684,7 @@ HWTEST_F(CodeSignUtilsTest, CodeSignUtilsTest_0026, TestSize.Level0) { EntryMap entryMap; CodeSignUtils utils; - std::string hapRealPath = APP_BASE_PATH + "/demo_with_multi_lib/demo_with_code_sign_block.hap"; - std::string hapRealPath2 = APP_BASE_PATH + "/demo_with_multi_lib/entry-default-signed-release.hap"; - std::string hapRealPath3 = APP_BASE_PATH + "/demo_with_multi_lib/entry-default-signed-debug.hap"; + std::string hapRealPath = APP_BASE_PATH + "/demo_with_multi_lib/entry-default-signed-release.hap"; std::string filePath1("libs/arm64-v8a/code_sign_block/libc++_shared.so"); std::string targetPath1 = APP_BASE_PATH + "/demo_with_multi_lib/libs/arm64-v8a/code_sign_block/libc++_shared.so"; @@ -697,23 +693,12 @@ HWTEST_F(CodeSignUtilsTest, CodeSignUtilsTest_0026, TestSize.Level0) std::string targetPath2 = APP_BASE_PATH + "/demo_with_multi_lib/libs/arm64-v8a/code_sign_block/libentry.so"; entryMap.emplace(filePath2, targetPath2); - int32_t ret = utils.EnforceCodeSignForApp(hapRealPath, entryMap, FILE_ENTRY_ADD, "EntryAbility"); + int32_t ret = utils.EnforceCodeSignForApp(hapRealPath, entryMap, FILE_ENTRY_ADD); EXPECT_EQ(ret, CS_SUCCESS); entryMap.clear(); - ret = utils.EnforceCodeSignForAppWithOwnerId("test-app-identifier", - hapRealPath2, entryMap, FILE_ALL, "EntryAbility2"); - EXPECT_EQ(ret, CS_SUCCESS); - - ret = utils.EnforceCodeSignForApp(hapRealPath, entryMap, FILE_ALL, "EntryAbility"); - EXPECT_EQ(ret, CS_SUCCESS); - - ret = utils.EnforceCodeSignForAppWithOwnerId("DEBUG_LIB_ID", - hapRealPath3, entryMap, FILE_ALL, "EntryAbility3"); - EXPECT_EQ(ret, CS_SUCCESS); - - ret = utils.IsCodeSignEnableCompleted(); - EXPECT_EQ(ret, true); + ret = utils.EnforceCodeSignForAppWithOwnerId("test-app-identifier", hapRealPath, entryMap, FILE_ALL); + EXPECT_EQ(ret, CS_ERR_NO_SIGNATURE); } } // namespace CodeSign } // namespace Security diff --git a/utils/src/code_sign_block.cpp b/utils/src/code_sign_block.cpp index 0525f04..fce1548 100644 --- a/utils/src/code_sign_block.cpp +++ b/utils/src/code_sign_block.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2023 Huawei Device Co., Ltd. + * Copyright (c) 2023-2024 Huawei Device Co., Ltd. * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at @@ -101,6 +101,7 @@ int32_t CodeSignBlock::ParseNativeLibSignInfo(const EntryMap &entryMap) return CS_ERR_NO_SIGNATURE; } + size_t signMapPreSize = signMap_.size(); auto entryInfo = soInfo->info; auto entryInfoEnd = soInfo->info + soInfo->sectionNum; auto dataInfo = CONST_STATIC_CAST(char, soInfo); @@ -130,6 +131,12 @@ int32_t CodeSignBlock::ParseNativeLibSignInfo(const EntryMap &entryMap) entryInfo++; } while (entryInfo < entryInfoEnd); + if (entryMap.size() != signMap_.size() - signMapPreSize) { + LOG_DEBUG(LABEL, "signMap_ size:%{public}u, signMapPreSize:%{public}u", + static_cast(signMap_.size()), static_cast(signMapPreSize)); + return CS_ERR_NO_SIGNATURE; + } + return CS_SUCCESS; } -- Gitee From de676ac5938f6fda8cdafad0169e8eae4b2781c6 Mon Sep 17 00:00:00 2001 From: limerence Date: Tue, 6 Feb 2024 12:03:48 +0800 Subject: [PATCH 6/6] fix 4G xpm region for 64bit OS Signed-off-by: limerence --- .../code_sign_attr_utils/include/code_sign_attr_utils.h | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/interfaces/innerkits/code_sign_attr_utils/include/code_sign_attr_utils.h b/interfaces/innerkits/code_sign_attr_utils/include/code_sign_attr_utils.h index f7d63f2..c2354ff 100755 --- a/interfaces/innerkits/code_sign_attr_utils/include/code_sign_attr_utils.h +++ b/interfaces/innerkits/code_sign_attr_utils/include/code_sign_attr_utils.h @@ -22,8 +22,13 @@ extern "C" { #endif -#define MAX_OWNERID_LEN 64 +#if defined(__LP64__) +#define XPM_REGION_LEN 0x100000000 +#else #define XPM_REGION_LEN 0x10000000 +#endif + +#define MAX_OWNERID_LEN 64 #define OWNERID_SYSTEM_TAG "SYSTEM_LIB_ID" #define OWNERID_DEBUG_TAG "DEBUG_LIB_ID" -- Gitee