mirror of
https://gitee.com/openharmony/security_appverify
synced 2024-11-23 14:39:58 +00:00
commit
0dee0602d1
@ -8,6 +8,7 @@
|
||||
"profile-signing-certificate":"C=CN, O=Huawei, OU=HOS AppGallery, CN=HOS Profile Management",
|
||||
"profile-debug-signing-certificate":"C=CN, O=Huawei, OU=HOS AppGallery, CN=HOS Profile Management Debug",
|
||||
"issuer-ca":"C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Software Signing Service CA",
|
||||
"root-ca":"C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Root CA G2",
|
||||
"max-certs-path":3,
|
||||
"critialcal-cert-extension":["keyusage","huawei-signing-capability"]
|
||||
},
|
||||
@ -17,6 +18,7 @@
|
||||
"profile-signing-certificate":"C=CN, O=Huawei CBG, OU=HOS Development Team, CN=HOS Application Provision Profile Release",
|
||||
"profile-debug-signing-certificate":"C=CN, O=Huawei CBG, OU=HOS Development Team, CN=HOS Application Provision Profile Release_Debug",
|
||||
"issuer-ca":"C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Software Signing Service CA",
|
||||
"root-ca":"C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Root CA G2",
|
||||
"max-certs-path":3,
|
||||
"critialcal-cert-extension":["keyusage","huawei-signing-capability"]
|
||||
},
|
||||
@ -26,6 +28,7 @@
|
||||
"profile-signing-certificate":"C=CN, O=OpenHarmony, OU=OpenHarmony Team, CN=OpenHarmony Application Profile Release",
|
||||
"profile-debug-signing-certificate":"C=CN, O=OpenHarmony, OU=OpenHarmony Team, CN=OpenHarmony Application Profile Debug",
|
||||
"issuer-ca":"C=CN, O=OpenHarmony, OU=OpenHarmony Team, CN=OpenHarmony Application CA",
|
||||
"root-ca":"C=CN, O=OpenHarmony, OU=OpenHarmony Team, CN=OpenHarmony Application Root CA",
|
||||
"max-certs-path":3,
|
||||
"critialcal-cert-extension":["keyusage"]
|
||||
}
|
||||
|
@ -8,6 +8,7 @@
|
||||
"profile-signing-certificate":"C=CN, O=Huawei, OU=HOS AppGallery, CN=HOS Profile Management",
|
||||
"profile-debug-signing-certificate":"C=CN, O=Huawei, OU=HOS AppGallery, CN=HOS Profile Management Debug",
|
||||
"issuer-ca":"C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Software Signing Service CA",
|
||||
"root-ca": "C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Root CA G2",
|
||||
"max-certs-path":3,
|
||||
"critialcal-cert-extension":["keyusage","huawei-signing-capability"]
|
||||
},
|
||||
@ -17,6 +18,7 @@
|
||||
"profile-signing-certificate":"C=CN, O=Huawei CBG, OU=HOS Development Team, CN=HOS Application Provision Profile Release",
|
||||
"profile-debug-signing-certificate":"C=CN, O=Huawei CBG, OU=HOS Development Team, CN=HOS Application Provision Profile Release_Debug",
|
||||
"issuer-ca":"C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Software Signing Service CA",
|
||||
"root-ca": "C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Root CA G2",
|
||||
"max-certs-path":3,
|
||||
"critialcal-cert-extension":["keyusage","huawei-signing-capability"]
|
||||
},
|
||||
@ -26,6 +28,7 @@
|
||||
"profile-signing-certificate":"",
|
||||
"profile-debug-signing-certificate":"",
|
||||
"issuer-ca":"C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Software Signing Service CA",
|
||||
"root-ca": "C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Root CA G2",
|
||||
"max-certs-path":3,
|
||||
"critialcal-cert-extension":["keyusage","huawei-signing-capability"]
|
||||
}
|
||||
|
@ -8,6 +8,7 @@
|
||||
"profile-signing-certificate":"C=CN, O=Huawei, OU=HOS AppGallery, CN=HOS Profile Management",
|
||||
"profile-debug-signing-certificate":"C=CN, O=Huawei, OU=HOS AppGallery, CN=HOS Profile Management Debug",
|
||||
"issuer-ca":"C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Software Signing Service CA Test",
|
||||
"root-ca":"C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Root CA G2 Test",
|
||||
"max-certs-path":3,
|
||||
"critialcal-cert-extension":["keyusage","huawei-signing-capability"]
|
||||
},
|
||||
@ -17,6 +18,7 @@
|
||||
"profile-signing-certificate":"C=CN, O=Huawei CBG, OU=HOS Development Team, CN=HOS Application Provision Profile Dev",
|
||||
"profile-debug-signing-certificate":"C=CN, O=Huawei CBG, OU=HOS Development Team, CN=HOS Application Provision Profile Dev_Debug",
|
||||
"issuer-ca":"C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Software Signing Service CA Test",
|
||||
"root-ca":"C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Root CA G2 Test",
|
||||
"max-certs-path":3,
|
||||
"critialcal-cert-extension":["keyusage","huawei-signing-capability"]
|
||||
},
|
||||
@ -26,6 +28,7 @@
|
||||
"profile-signing-certificate":"",
|
||||
"profile-debug-signing-certificate":"",
|
||||
"issuer-ca":"C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Software Signing Service CA Test",
|
||||
"root-ca":"C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Root CA G2 Test",
|
||||
"max-certs-path":3,
|
||||
"critialcal-cert-extension":["keyusage","huawei-signing-capability"]
|
||||
}
|
||||
|
@ -36,6 +36,7 @@ enum MatchingStates {
|
||||
struct MatchingResult {
|
||||
MatchingStates matchState;
|
||||
TrustedSources source;
|
||||
std::string rootCa;
|
||||
};
|
||||
} // namespace Verify
|
||||
} // namespace Security
|
||||
|
@ -35,6 +35,7 @@ struct HapAppSourceInfo {
|
||||
std::string issuer;
|
||||
int32_t maxCertsPath = 0;
|
||||
StringVec critialcalCertExtension;
|
||||
std::string rootCa;
|
||||
};
|
||||
|
||||
using SourceInfoVec = std::vector<HapAppSourceInfo>;
|
||||
@ -79,6 +80,7 @@ private:
|
||||
static const std::string KEY_OF_PROFILE_SIGNING_CERTIFICATE;
|
||||
static const std::string KEY_OF_PROFILE_DEBUG_SIGNING_CERTIFICATE;
|
||||
static const std::string KEY_OF_ISSUER;
|
||||
static const std::string KEY_OF_ROOT_CA;
|
||||
static const std::string KEY_OF_MAX_CERTS_PATH;
|
||||
static const std::string KEY_OF_CRITIALCAL_CERT_EXTENSION;
|
||||
static const std::string APP_GALLERY_SOURCE_NAME;
|
||||
|
@ -34,7 +34,7 @@ public:
|
||||
DLL_EXPORT static X509_CRL* GetX509CrlFromDerBuffer(const HapByteBuffer& crlBuffer, int32_t offset, int32_t len);
|
||||
DLL_EXPORT static void GenerateCertSignFromCertStack(STACK_OF(X509)* certs, CertSign& certVisitSign);
|
||||
DLL_EXPORT static void ClearCertVisitSign(CertSign& certVisitSign);
|
||||
DLL_EXPORT static bool GetCertsChain(CertChain& certsChain, CertSign& certVisitSign);
|
||||
DLL_EXPORT static bool GetCertsChain(CertChain& certsChain, CertSign& certVisitSign, Pkcs7Context& pkcs7Context);
|
||||
DLL_EXPORT static bool CertVerify(X509* cert, const X509* issuerCert);
|
||||
DLL_EXPORT static bool GetSubjectFromX509(const X509* cert, std::string& subject);
|
||||
DLL_EXPORT static bool GetIssuerFromX509(const X509* cert, std::string& issuer);
|
||||
|
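Review bot: The exported `GetCertsChain` declaration gains a `Pkcs7Context&` parameter with no comment saying what it is for, and the two-argument form appears to be replaced rather than kept as an overload, so external callers of this `DLL_EXPORT` symbol would stop linking. Judging from the implementation hunk, the context is only used as an output for `rootCa`, so a narrower `std::string& rootCa` out-parameter would avoid coupling this utility to the whole PKCS#7 context. If the wider type stays, add a comment above the declaration such as `// Writes the issuer DN of the last certificate in certsChain to pkcs7Context.rootCa; the value is only meaningful when true is returned.`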
@ -38,6 +38,7 @@ struct Pkcs7Context {
|
||||
PKCS7* p7;
|
||||
Pkcs7CertChains certChains;
|
||||
HapByteBuffer content;
|
||||
std::string rootCa;
|
||||
|
||||
Pkcs7Context()
|
||||
: needWriteCrl(false), digestAlgorithm(0), matchResult(), certIssuer(),
|
||||
|
@ -32,6 +32,7 @@ const std::string TrustedSourceManager::KEY_OF_APP_SIGNING_CERT = "app-signing-c
|
||||
const std::string TrustedSourceManager::KEY_OF_PROFILE_SIGNING_CERTIFICATE = "profile-signing-certificate";
|
||||
const std::string TrustedSourceManager::KEY_OF_PROFILE_DEBUG_SIGNING_CERTIFICATE = "profile-debug-signing-certificate";
|
||||
const std::string TrustedSourceManager::KEY_OF_ISSUER = "issuer-ca";
|
||||
const std::string TrustedSourceManager::KEY_OF_ROOT_CA = "root-ca";
|
||||
const std::string TrustedSourceManager::KEY_OF_MAX_CERTS_PATH = "max-certs-path";
|
||||
const std::string TrustedSourceManager::KEY_OF_CRITIALCAL_CERT_EXTENSION = "critialcal-cert-extension";
|
||||
const std::string TrustedSourceManager::APP_GALLERY_SOURCE_NAME = "huawei app gallery";
|
||||
@ -164,6 +165,10 @@ bool TrustedSourceManager::ParseTrustedAppSourceJson(SourceInfoVec& trustedAppSo
|
||||
HAPVERIFY_LOG_ERROR("Get issuer Failed");
|
||||
return false;
|
||||
}
|
||||
if (!JsonParserUtils::GetJsonString(appSource, KEY_OF_ROOT_CA, hapAppSource.rootCa)) {
|
||||
HAPVERIFY_LOG_ERROR("Get root ca Failed");
|
||||
return false;
|
||||
}
|
||||
if (!JsonParserUtils::GetJsonInt(appSource, KEY_OF_MAX_CERTS_PATH, hapAppSource.maxCertsPath)) {
|
||||
HAPVERIFY_LOG_ERROR("Get maxCertsPath Failed");
|
||||
return false;
|
||||
@ -187,6 +192,7 @@ std::string TrustedSourceManager::EncapTrustedAppSourceString(const HapAppSource
|
||||
"profileSigningCertificate: " + appSourceInfo.profileSigningCertificate + "\n" +
|
||||
"profileDebugSigningCertificate: " + appSourceInfo.profileDebugSigningCertificate + "\n" +
|
||||
"issuer: " + appSourceInfo.issuer + "\n" +
|
||||
"rootCa: " + appSourceInfo.rootCa + "\n" +
|
||||
"maxCertsPath: " + std::to_string(appSourceInfo.maxCertsPath) + "\n" +
|
||||
"critialcalCertExtension: ";
|
||||
for (auto extension : appSourceInfo.critialcalCertExtension) {
|
||||
@ -219,6 +225,7 @@ MatchingResult TrustedSourceManager::MatchTrustedSource(const SourceInfoVec& tru
|
||||
ret.matchState = TrustedSourceListCompare(certSubject, certIssuer, appSource, blobType);
|
||||
if (ret.matchState != DO_NOT_MATCH) {
|
||||
ret.source = appSource.source;
|
||||
ret.rootCa = appSource.rootCa;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
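Review bot: In `ParseTrustedAppSourceJson`, the new `root-ca` read only checks that the key can be fetched, so an entry with `"root-ca":""` would presumably be accepted, as the empty `profile-signing-certificate` values in the shipped JSON suggest `GetJsonString` allows empty strings. Since `rootCa` is later used as a pin compared by plain string equality, an empty pin should be rejected at load time, for example `if (hapAppSource.rootCa.empty()) { HAPVERIFY_LOG_ERROR("root ca is empty"); return false; }`. A short comment here that the value must match the output format of `GetIssuerFromX509` exactly would also help whoever edits the JSON next. The function body starts and continues outside this hunk.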
@ -296,7 +296,8 @@ void HapCertVerifyOpensslUtils::ClearCertVisitSign(CertSign& certVisitSign)
|
||||
}
|
||||
}
|
||||
|
||||
bool HapCertVerifyOpensslUtils::GetCertsChain(CertChain& certsChain, CertSign& certVisitSign)
|
||||
bool HapCertVerifyOpensslUtils::GetCertsChain(CertChain& certsChain, CertSign& certVisitSign,
|
||||
Pkcs7Context& pkcs7Context)
|
||||
{
|
||||
if (certsChain.empty() || certVisitSign.empty()) {
|
||||
HAPVERIFY_LOG_ERROR("input is invalid");
|
||||
@ -313,9 +314,10 @@ bool HapCertVerifyOpensslUtils::GetCertsChain(CertChain& certsChain, CertSign& c
|
||||
|
||||
TrustedRootCa& rootCertsObj = TrustedRootCa::GetInstance();
|
||||
issuerCert = rootCertsObj.FindMatchedRoot(certsChain[certsChain.size() - 1]);
|
||||
std::string caIssuer;
|
||||
GetIssuerFromX509(certsChain[certsChain.size() - 1], caIssuer);
|
||||
pkcs7Context.rootCa = caIssuer;
|
||||
if (issuerCert == nullptr) {
|
||||
std::string caIssuer;
|
||||
GetIssuerFromX509(certsChain[certsChain.size() - 1], caIssuer);
|
||||
HAPVERIFY_LOG_ERROR("it do not come from trusted root, issuer: %{public}s", caIssuer.c_str());
|
||||
return false;
|
||||
}
|
||||
|
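Review bot: The hoisted `GetIssuerFromX509(certsChain[certsChain.size() - 1], caIssuer);` call ignores its `bool` result, so on failure `pkcs7Context.rootCa` is silently set to an empty string that later feeds the root-CA comparison. Fail closed instead: `if (!GetIssuerFromX509(certsChain[certsChain.size() - 1], caIssuer)) { HAPVERIFY_LOG_ERROR("get issuer of top cert failed"); return false; }`. Note also that `rootCa` is assigned before the `issuerCert == nullptr` check, so on the untrusted-root path the context holds a name that was never validated; assigning it only after the check, or documenting that it must not be read when the function returns false, would make that explicit. The function body begins and continues outside the visible hunks.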
@ -118,7 +118,7 @@ bool HapVerifyOpensslUtils::GetCertChains(PKCS7* p7, Pkcs7Context& pkcs7Context)
|
||||
bool HapVerifyOpensslUtils::VerifyCertChain(CertChain& certsChain, PKCS7* p7,
|
||||
PKCS7_SIGNER_INFO* signInfo, Pkcs7Context& pkcs7Context, CertSign& certVisitSign)
|
||||
{
|
||||
if (!HapCertVerifyOpensslUtils::GetCertsChain(certsChain, certVisitSign)) {
|
||||
if (!HapCertVerifyOpensslUtils::GetCertsChain(certsChain, certVisitSign, pkcs7Context)) {
|
||||
HAPVERIFY_LOG_ERROR("get cert chain for signInfo failed");
|
||||
return false;
|
||||
}
|
||||
|
@ -158,6 +158,13 @@ bool HapVerifyV2::VerifyAppSourceAndParseProfile(Pkcs7Context& pkcs7Context,
|
||||
pkcs7Context.matchResult = trustedSourceManager.IsTrustedSource(certSubject, pkcs7Context.certIssuer,
|
||||
HAP_SIGN_BLOB, pkcs7Context.certChains[0].size());
|
||||
|
||||
if (pkcs7Context.matchResult.matchState == MATCH_WITH_SIGN &&
|
||||
pkcs7Context.matchResult.rootCa != pkcs7Context.rootCa) {
|
||||
HAPVERIFY_LOG_ERROR("MatchRootCa failed, target rootCa: %{public}s, rootCa in pkcs7: %{public}s",
|
||||
pkcs7Context.matchResult.rootCa.c_str(), pkcs7Context.rootCa.c_str());
|
||||
return false;
|
||||
}
|
||||
|
||||
Pkcs7Context profileContext;
|
||||
std::string profile;
|
||||
if (!HapProfileVerifyUtils::ParseProfile(profileContext, pkcs7Context, hapProfileBlock, profile)) {
|
||||
@ -181,6 +188,11 @@ bool HapVerifyV2::VerifyAppSourceAndParseProfile(Pkcs7Context& pkcs7Context,
|
||||
HAPVERIFY_LOG_ERROR("profile verify failed");
|
||||
return false;
|
||||
}
|
||||
if (profileContext.matchResult.rootCa != pkcs7Context.rootCa) {
|
||||
HAPVERIFY_LOG_ERROR("MatchProfileRootCa failed, target rootCa: %{public}s, rootCa in profile: %{public}s",
|
||||
profileContext.matchResult.rootCa.c_str(), pkcs7Context.rootCa.c_str());
|
||||
return false;
|
||||
}
|
||||
AppProvisionVerifyResult profileRet = ParseAndVerify(profile, provisionInfo);
|
||||
if (profileRet != PROVISION_OK) {
|
||||
HAPVERIFY_LOG_ERROR("profile parsing failed, error: %{public}d", static_cast<int>(profileRet));
|
||||
|
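Review bot: The second added check compares `profileContext.matchResult.rootCa` with `pkcs7Context.rootCa`, yet its log text labels the second value "rootCa in profile"; what is printed is the root of the app signature chain. If the intent is to tie the profile's trusted source to the app's root, the label should read `rootCa in pkcs7`. Nothing visible here compares the root that the profile's own chain reached (`profileContext.rootCa`, assuming `ParseProfile` goes through the same `GetCertsChain` path) with `profileContext.matchResult.rootCa`, so it is worth confirming whether that check is also needed. The first check is gated on `MATCH_WITH_SIGN` only, so a one-line comment explaining why the other match states are exempt would help reviewers. `VerifyAppSourceAndParseProfile` starts before and continues after these hunks.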
@ -207,15 +207,16 @@ HWTEST_F(HapCertVerifyOpensslUtilsTest, GetCertsChainTest001, TestSize.Level1)
|
||||
CertChain certsChain;
|
||||
CertSign certVisitSign;
|
||||
certVisitSign[certX509] = false;
|
||||
ASSERT_FALSE(HapCertVerifyOpensslUtils::GetCertsChain(certsChain, certVisitSign));
|
||||
Pkcs7Context pkcs7Context;
|
||||
ASSERT_FALSE(HapCertVerifyOpensslUtils::GetCertsChain(certsChain, certVisitSign, pkcs7Context));
|
||||
/*
|
||||
* @tc.steps: step2. Push a self signed cert to certChain.
|
||||
* @tc.expected: step2. The return is false due to can not verify by root ca.
|
||||
*/
|
||||
certsChain.push_back(certX509);
|
||||
ASSERT_FALSE(HapCertVerifyOpensslUtils::GetCertsChain(certsChain, certVisitSign));
|
||||
ASSERT_FALSE(HapCertVerifyOpensslUtils::GetCertsChain(certsChain, certVisitSign, pkcs7Context));
|
||||
certVisitSign[certX509] = true;
|
||||
ASSERT_FALSE(HapCertVerifyOpensslUtils::GetCertsChain(certsChain, certVisitSign));
|
||||
ASSERT_FALSE(HapCertVerifyOpensslUtils::GetCertsChain(certsChain, certVisitSign, pkcs7Context));
|
||||
X509_free(certX509);
|
||||
}
|
||||
|
||||
|
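Review bot: The test changes only adapt the `GetCertsChain` calls to the new signature; nothing asserts what ends up in `pkcs7Context.rootCa`, and no case in this section covers a root-CA mismatch being rejected. Consider an assertion after step 2 that `pkcs7Context.rootCa` equals the issuer string of `certX509`, plus a case in the `HapVerifyV2` tests where the chain root differs from the `root-ca` configured for the matched source and verification is expected to fail. The test body begins outside this hunk.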