update openharmony 1.0.1

mamingshuai 2021-03-11 22:30:15 +08:00
parent c37948c286
commit 8dcac85d7f
47 changed files with 1190 additions and 197 deletions


@ -1,13 +0,0 @@
### 该问题是怎么引起的?
### 重现步骤
### 报错信息


@ -1,15 +0,0 @@
### 相关的Issue
### 原因(目的、解决的问题等)
### 描述(做了什么,变更了什么)
### 测试用例(新增、改动、可能影响的功能)


@ -1,49 +0,0 @@
# Copyright (c) 2020 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
config("app_verify_config") {
include_dirs = [
"include",
"//third_party/bounds_checking_function/include",
"//third_party/cJSON",
"//base/security/interfaces/innerkits/app_verify",
"//base/security/frameworks/app_verify/products/default",
"//base/security/frameworks/app_verify/products/ipcamera",
]
defines = [
"PARSE_PEM_FORMAT_SIGNED_DATA"
]
cflags = [
"-Wall",
]
}
shared_library("verify") {
sources = [
"src/app_common.c",
"src/app_provision.c",
"src/app_verify.c",
"src/mbedtls_pkcs7.c",
"src/app_centraldirectory.c",
"src/app_file.c",
"src/app_verify_hap.c",
"src/app_verify_hal.c",
]
configs += [ ":app_verify_config" ]
public_deps = [
"//third_party/bounds_checking_function:libsec_shared",
"//third_party/mbedtls:mbedtls_shared",
"//third_party/cJSON:cjson_shared",
"//base/security/frameworks/app_verify/products/ipcamera:verify_base",
]
}

0
LICENSE Executable file → Normal file


8
README.md Normal file

@ -0,0 +1,8 @@
# Application Signature Verification<a name="EN-US_TOPIC_0000001121676905"></a>
To ensure the integrity and trustworthiness of the applications to be installed in OpenHarmony, the applications must be signed and their signatures must be verified.
In application development: After developing an application, you need to sign its installation package to ensure that the installation package is not tampered with when it is released on devices. To sign the application package, you can use the signature tools and the public key certificates and follow the signing certificate generation specifications provided by the application integrity verification module. For your convenience, a public key certificate and a corresponding private key are preset in OpenHarmony. You need to replace the public key certificate and private key in your commercial version of OpenHarmony.
In application installation: the application framework subsystem of OpenHarmony installs applications. Upon receiving the application installation package, the application framework subsystem parses the signature of the installation package, and verifies the signature using the APIs provided by the application integrity verification module. The application can be installed only after the verification succeeds. The application integrity verification module uses the preset public key certificate to verify the signature.

8
README_zh.md Normal file

@ -0,0 +1,8 @@
# 应用签名验签子系统<a name="ZH-CN_TOPIC_0000001121676905"></a>
OpenHarmony允许应用安装。为了确保应用的完整性和来源可靠需要对安装的应用进行签名和验签。
应用开发阶段开发者完成开发并生成安装包后需要开发者对安装包进行签名以证明安装包发布到设备的过程中没有被篡改。OpenHarmony的应用完整性校验模块提供了签名工具、签名证书生成规范以及签名所需的公钥证书等完整的机制支撑开发者对应用安装包签名。为了方便开源社区开发者版本中预置了公钥证书和对应的私钥为开源社区提供离线签名和校验能力在商用版本中应替换此公钥证书和对应的私钥。
应用安装阶段OpenHarmony程序框架子系统负责应用的安装。在接收到应用安装包之后应用程序框架子系统需要解析安装包的签名数据然后使用应用完整性校验模块的API对签名进行验证只有校验成功之后才允许安装此应用. 应用完整性校验模块在校验安装包签名数据时,会使用系统预置的公钥证书进行验签。


@ -0,0 +1,52 @@
# Copyright (c) 2020 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
config("app_verify_config") {
include_dirs = [
"include",
"//third_party/bounds_checking_function/include",
"//third_party/cJSON",
"//base/security/appverify/interfaces/innerkits/appverify_lite",
"//base/security/appverify/interfaces/innerkits/appverify_lite/products/default",
"//base/security/appverify/interfaces/innerkits/appverify_lite/products/ipcamera",
]
defines = [ "PARSE_PEM_FORMAT_SIGNED_DATA" ]
cflags = [ "-Wall" ]
}
shared_library("verify") {
sources = [
"src/app_centraldirectory.c",
"src/app_common.c",
"src/app_file.c",
"src/app_provision.c",
"src/app_verify.c",
"src/app_verify_hal.c",
"src/app_verify_hap.c",
"src/mbedtls_pkcs7.c",
]
configs += [ ":app_verify_config" ]
public_deps = [
"//base/security/appverify/interfaces/innerkits/appverify_lite/products/ipcamera:verify_base",
"//build/lite/config/component/cJSON:cjson_shared",
"//third_party/bounds_checking_function:libsec_shared",
"//third_party/mbedtls:mbedtls_shared",
]
}
if (ohos_build_type == "debug" && ohos_kernel_type == "liteos_a") {
group("unittest") {
deps = [ "//base/security/appverify/interfaces/innerkits/appverify_lite/unittest:unittest" ]
}
}


@ -0,0 +1,177 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS


@ -32,6 +32,7 @@ extern "C" {
#define MAX_UDID_NUM 100
#define UDID_VERIFY_BYTES 64
int ParseProfile(const char *buf, int len, ProfileProf *pf);
void ProfFreeData(ProfileProf *pf);
int VerifyProfileContent(const ProfileProf *pf);


@ -16,22 +16,23 @@
#ifndef SECURITY_APP_VERIFY_HAL_H
#define SECURITY_APP_VERIFY_HAL_H
#include <stdlib.h>
#ifdef __cplusplus
#if __cplusplus
extern "C" {
#endif
#endif
#define INQUIRY_UDID_OK 0
#define INQUIRY_UDID_ERROR -1
typedef char* (*GetDeviceUdid)();
typedef int (*GetDeviceUdid)(unsigned char *udid, int size);
typedef struct {
GetDeviceUdid devUdidFunc;
} ProductDiff;
void RegistHalFunc();
char *GetDevUdid();
int InquiryDeviceUdid(unsigned char *udid, int size);
#ifdef __cplusplus
#if __cplusplus
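Review bot: The reworked `GetDeviceUdid` / `InquiryDeviceUdid(unsigned char *udid, int size)` pair has no stated buffer contract: nothing in the header says whether `size` must include room for a terminating NUL or whether the callee guarantees one. `VerifyUdid` in this commit passes `UDID_VERIFY_BYTES + 1` and then runs `strcmp` on the result, so the contract matters. I would add a comment above the typedef such as `/* writes a NUL-terminated UDID of at most size - 1 characters into udid; returns INQUIRY_UDID_OK or INQUIRY_UDID_ERROR */`, with the wording confirmed against the implementations. Separately, `#define INQUIRY_UDID_ERROR -1` should be parenthesised as `(-1)`, and `void RegistHalFunc();` should be `void RegistHalFunc(void);` so C callers get a real prototype.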


@ -0,0 +1,149 @@
/*
* Copyright (c) 2020 Huawei Device Co., Ltd.
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef SECURITY_APP_VERIFY_PUB_H
#define SECURITY_APP_VERIFY_PUB_H
#include <stdbool.h>
#ifdef __cplusplus
#if __cplusplus
extern "C" {
#endif
#endif
typedef enum {
V_OK = 0,
/* begin app sign parse */
V_ERR_GET_CERT_INFO = 0xef000002,
V_ERR_UNTRUSTED_CERT = 0xef000003,
V_ERR_INTEGRITY = 0xef000004,
V_ERR_GET_SIGNHEAD = 0xef000005,
V_ERR_GET_SIGN_BLOCK = 0xef000006,
V_ERR_GET_HASH_DIFF = 0xef000007,
V_ERR_INVALID_CONTENT_TAG = 0xef000008,
V_ERR_INVALID_HASH_ALG = 0xef000009,
V_ERR_GET_ROOT_HASH = 0xef00000a,
V_ERR_CALC_BLOCK_HASH = 0xef00000c,
V_ERR_PARSE_PKC7_DATA = 0xef00000d,
V_ERR_VERIFY_CERT_CHAIN = 0xef00000e,
V_ERR_VERIFY_SIGNATURE = 0xef00000f,
V_ERR_GET_CERT_TYPE = 0xef000010,
/* begin profile signparse */
V_ERR_GET_PROFILE_DATA = 0xef000011,
V_ERR_GET_PARSE_PROFILE = 0xef000012,
V_ERR_PROF_CONTENT_INVALID = 0xef000013,
V_ERR_VERFIY_PROF_CERT = 0xef000014,
V_ERR_GET_CERT_PK = 0xef000015,
V_ERR_GET_APPID = 0xef000016,
V_ERR_INVALID_DISP_TYPE = 0xef000017,
V_ERR_INVALID_APP_BUNDLE = 0xef000018,
V_ERR_INVALID_DATE = 0xef000019,
V_ERR_INVALID_DEVID = 0xef00001a,
/* begin file operation */
V_ERR_FILE_OPEN = 0xef00001b,
V_ERR_FILE_STAT = 0xef00001c,
V_ERR_FILE_LENGTH = 0xef00001d,
/* begin memory operation */
V_ERR_MEMSET = 0xef00001e,
V_ERR_MEMCPY = 0xef00001f,
V_ERR_MALLOC = 0xef000020,
/* default error */
V_ERR = 0xffffffff,
} AppVErrCode;
typedef struct {
int notBefore;
int notAfter;
} ProfValidity;
typedef struct {
char *developerId; /* developer-id */
unsigned char *devCert; /* development-certificate */
unsigned char *releaseCert; /* distribution-certificate */
char *bundleName; /* bundle-name */
char *appFeature; /* app-feature : hos_system_app/hos_normal_app */
} ProfBundleInfo;
typedef struct {
int restricNum;
char **restricPermission;
int permissionNum;
char **permission;
} ProfPermission;
typedef struct {
char *devIdType;
int devidNum;
char **deviceId;
} ProfDebugInfo;
typedef struct {
int versionCode; /* version */
char *versionName; /* version description */
char *uuid; /* uuid */
char *type; /* debug/release */
char *appDistType; /* app-distribution-type */
ProfValidity validity; /* validity */
ProfBundleInfo bundleInfo; /* bundle-info */
ProfPermission permission; /* permissions */
ProfDebugInfo debugInfo; /* debug-info */
char *issuer; /* issuer */
char *appid; /* bundle_name_pk(base64) */
} ProfileProf;
typedef struct {
char *pk;
int len;
} AppSignPk;
struct VfyRst;
typedef int (*GetSignPk)(struct VfyRst *verifyRst, AppSignPk *pk);
typedef void (*FreeSignPK)(AppSignPk *pk);
typedef int (*MessageFunc)(unsigned char operationResult, const char *bundleName, unsigned char errCode);
typedef struct VfyRst {
ProfileProf profile; /* profile */
} VerifyResult;
/* verify app integrity, return 0 if OK, otherwise errcode AppVErrCode */
int APPVERI_AppVerify(const char *filePath, VerifyResult *verifyRst);
/* free the verify result of APPVERI_AppVerify returned */
void APPVERI_FreeVerifyRst(VerifyResult *verifyRst);
/* set debugmode */
int APPVERI_SetDebugMode(bool mode);
/* get unsigned file len without verify, return V_ERR if not OK */
int APPVERI_GetUnsignedFileLength(const char *filePath);
/* register msg func */
void APPVERI_RegisterMsgFunc(MessageFunc messageFunc);
void APPVERI_SetActsMode(bool mode);
int APPVERI_IsActsMode(void);
#ifdef __cplusplus
#if __cplusplus
}
#endif
#endif
#endif
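Review bot: `APPVERI_SetDebugMode` and `APPVERI_SetActsMode` are exported without any statement of what they relax or who may call them, and nothing in this header restricts them to debug builds. Elsewhere in this commit `APPVERI_IsActsMode()` already selects the UDID source in `GetUdid`, so these appear to change verification behaviour at run time (to be confirmed against app_verify.c). I would add a comment on each, along the lines of `/* test-only switch: <effect>; must not be callable in release images */`, and consider compiling the setters out of non-debug builds. Also, `AppVErrCode` values such as `0xef000002` and `0xffffffff` are not representable in `int` while every API here returns `int`, so error comparisons depend on implementation-defined conversion. `MessageFunc` takes `unsigned char errCode`, which cannot carry these codes; either narrow the codes or widen the types.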


@ -0,0 +1,59 @@
/*
* Copyright (c) 2020 Huawei Device Co., Ltd.
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include "app_verify_default.h"
#include "app_verify_pub.h"
#include "pms_common.h"
#include "pms_inner.h"
#include "pms_interface_inner.h"
#include "iunknown.h"
#include "samgr_lite.h"
int GetUdidServer(unsigned char *udid, int size)
{
IUnknown *iUnknown = SAMGR_GetInstance()->GetFeatureApi(PERMISSION_SERVICE, PERM_INNER);
if (iUnknown == NULL) {
return INQUIRY_UDID_ERROR;
}
PmsInnerApi *interface = NULL;
iUnknown->QueryInterface(iUnknown, DEFAULT_VERSION, (void **) &interface);
if (interface == NULL || interface->GetDevUdid == NULL) {
return INQUIRY_UDID_ERROR;
}
int ret = interface->GetDevUdid(udid, size);
return ret;
}
int GetUdidClient(unsigned char *udid, int size)
{
return RequestDevUdid(udid, size);
}
int GetUdid(unsigned char *udid, int size)
{
int ret;
if (APPVERI_IsActsMode() == false) {
ret = GetUdidServer(udid, size);
} else {
ret = GetUdidClient(udid, size);
}
return ret;
}
void RegistBaseDefaultFunc(ProductDiff *productFunc)
{
productFunc->devUdidFunc = GetUdid;
}
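Review bot: `GetUdidServer` ignores the return value of `iUnknown->QueryInterface(...)` and never releases the interface it obtains; if samgr's `QueryInterface` takes a reference, as IUnknown-style APIs usually do, each UDID lookup leaks one (please confirm against samgr_lite). None of the three getters validates its arguments before forwarding them, so a guard such as `if (udid == NULL || size <= 0) { return INQUIRY_UDID_ERROR; }` at the top of `GetUdid` would keep a bad buffer out of the permission-service call. As far as this file shows, `GetUdidServer`, `GetUdidClient` and `GetUdid` are reached only through `RegistBaseDefaultFunc`, so they could be `static` rather than exported from the shared library. `APPVERI_IsActsMode()` returns `int`, so `if (!APPVERI_IsActsMode())` reads more cleanly than comparing with `false`.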


@ -15,7 +15,6 @@
#ifndef SECURITY_APP_VERIFY_DEFAULT_H
#define SECURITY_APP_VERIFY_DEFAULT_H
#include <stdlib.h>
#include "app_verify_hal.h"
#ifdef __cplusplus


@ -0,0 +1,39 @@
# Copyright (c) 2020 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
config("verify_base_config") {
include_dirs = [
"//base/security/appverify/interfaces/innerkits/appverify_lite/include",
"//base/startup/syspara_lite/interfaces/kits",
"//base/security/appverify/interfaces/innerkits/appverify_lite/products/ipcamera",
"//base/security/permission/services/permission_lite/pms_base/include",
"//foundation/distributedschedule/samgr_lite/interfaces/kits/samgr",
"//base/security/permission/services/permission_lite/pms/include",
"//base/security/permission/interfaces/innerkits/permission_lite",
"//base/security/permission/interfaces/kits/permission_lite",
]
cflags = [ "-Wall" ]
}
shared_library("verify_base") {
sources = [
"../default/app_verify_default.c",
"app_verify_base.c",
]
configs += [ ":verify_base_config" ]
public_deps = [
"//base/hiviewdfx/hilog_lite/frameworks/featured:hilog_shared",
"//base/startup/syspara_lite/frameworks/parameter:parameter",
"//foundation/distributedschedule/samgr_lite/samgr:samgr",
]
}


@ -15,7 +15,6 @@
#ifndef SECURITY_APP_VERIFY_BASE_H
#define SECURITY_APP_VERIFY_BASE_H
#include <stdlib.h>
#include "app_verify_hal.h"
#include "log.h"


@ -16,7 +16,6 @@
#include "app_centraldirectory.h"
#include <fcntl.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
@ -38,6 +37,7 @@ void HapPutByte(const HapBuf *hapBuffer, int offset, char value)
if ((offset >= 0) && (hapBuffer->len - offset >= (int)(sizeof(value)))) {
*(char *)((char *)hapBuffer->buffer + offset) = value;
}
return;
}
void HapPutData(const HapBuf *hapBuffer, int offset, const unsigned char *data, int len)
@ -64,6 +64,7 @@ void HapSetInt32(const HapBuf *buffer, int offset, int value)
if ((offset >= 0) && ((buffer->len - offset) >= (int)(sizeof(value)))) {
HapPutInt32((unsigned char *)buffer->buffer + offset, buffer->len - offset, (int)(value));
}
return;
}
bool CreateHapBuffer(HapBuf *hapBuffer, int len)
@ -106,7 +107,7 @@ static bool GetEocd(const FileRead *hapFile, HapEocd *hapEocd, int *eocdOffset)
if (HapGetShort((unsigned char*)fileStart + hapFile->len - sizeof(short), sizeof(short)) == 0 &&
HapGetInt((unsigned char*)fileStart + hapFile->len - sizeof(MinEocd), sizeof(int)) == HAP_EOCD_MAGIC) {
if (memcpy_s(&hapEocd->eocdHead, sizeof(MinEocd),
fileStart + hapFile->len - sizeof(MinEocd), sizeof(char) * sizeof(MinEocd)) != EOK) {
fileStart + hapFile->len - sizeof(MinEocd), sizeof(MinEocd)) != EOK) {
HapMUnMap(mmapInfo.mapAddr, mmapInfo.mmapSize);
LOG_ERROR("copy error");
return false;
@ -125,7 +126,7 @@ static bool GetEocd(const FileRead *hapFile, HapEocd *hapEocd, int *eocdOffset)
sizeof(short)) == (maxReadLen - i)) &&
(HapGetInt((unsigned char*)fileStart + i, sizeof(int)) == HAP_EOCD_MAGIC)) {
if (memcpy_s(&hapEocd->eocdHead, sizeof(MinEocd),
fileStart + i, sizeof(char) * sizeof(MinEocd)) != EOK) {
fileStart + i, sizeof(MinEocd)) != EOK) {
HapMUnMap(mmapInfo.mapAddr, mmapInfo.mmapSize);
LOG_ERROR("copy error");
return false;
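Review bot: `HapPutByte` and `HapSetInt32` still drop an out-of-range write without telling anyone: when the bounds test fails the function simply falls through, and the trailing `return;` added here changes nothing. A caller cannot tell a skipped write from a completed one, which is an awkward property for buffers used while verifying a package. Consider returning `bool` as `CreateHapBuffer` does, or at least adding an `else` branch with `LOG_ERROR("offset out of range");`. Both functions begin outside their hunks, so any earlier NULL check on the buffer is not visible here. The bare `return;` statements at the end of `void` functions can simply be dropped.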


@ -14,7 +14,6 @@
*/
#include "app_common.h"
#include <stdlib.h>
long long HapGetInt64(const unsigned char *buf, int len)
{
@ -72,4 +71,5 @@ void HapPutInt32(unsigned char *buf, int len, int value)
buf[i] = var;
var = var >> (BYTE_BITS);
}
return;
}


@ -17,19 +17,19 @@
#include <fcntl.h>
#include <limits.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
#include "app_centraldirectory.h"
#include "app_verify_hal.h"
static int g_memoryPageSize = 0;
int InitVerify(FileRead *file, const char *filePath, int *handle)
{
if (handle == NULL || file == NULL || filePath == NULL) {
LOG_ERROR("invalid input");
LOG_ERROR("file open error");
return V_ERR_FILE_OPEN;
}
RegistHalFunc();
@ -44,8 +44,8 @@ int InitVerify(FileRead *file, const char *filePath, int *handle)
return V_ERR_FILE_OPEN;
}
*handle = open(path, O_RDONLY, 0);
APPV_FREE(path);
if (*handle < 0) {
APPV_FREE(path);
LOG_PRINT_STR("file open error %s", path);
return V_ERR_FILE_OPEN;
}
@ -54,10 +54,12 @@ int InitVerify(FileRead *file, const char *filePath, int *handle)
}
if (g_memoryPageSize <= 0) {
LOG_ERROR("MAP_FAILED %d", g_memoryPageSize);
APPV_FREE(path);
return V_ERR_FILE_STAT;
}
file->len = lseek(*handle, 0, SEEK_END);
file->fp = *handle;
APPV_FREE(path);
return V_OK;
}
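Review bot: In `InitVerify`, the `*handle < 0` branch passes `path` to `LOG_PRINT_STR("file open error %s", path)` after `APPV_FREE(path)` has already run; this holds whichever of the two `APPV_FREE(path)` lines shown around the `open()` call is the new one, since the rendered page has lost the +/- markers. Log first and free second: `LOG_PRINT_STR("file open error %s", path);` followed by `APPV_FREE(path);`. The `g_memoryPageSize <= 0` exit returns `V_ERR_FILE_STAT` with the descriptor in `*handle` still open, and `file->len = lseek(*handle, 0, SEEK_END)` is stored without checking for -1; unless the caller closes the handle on every error, add `close(*handle);` there and reject a negative length. Freeing `path` separately on each exit is easy to get wrong again, so a single cleanup label would be safer. The function starts and continues outside these hunks.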


@ -15,7 +15,6 @@
#include "app_provision.h"
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include "app_common.h"
#include "app_verify_hal.h"
@ -27,7 +26,9 @@ static void ProfInit(ProfileProf *pf)
int ret = memset_s(pf, sizeof(ProfileProf), 0, sizeof(ProfileProf));
if (ret != V_OK) {
LOG_ERROR("memset failed");
return;
}
return;
}
static char *GetStringTag(const cJSON *root, const char *tag)
@ -56,7 +57,7 @@ static char *GetStringTag(const cJSON *root, const char *tag)
return value;
}
static void FreeStringArray(char **array, int num)
static void FreeStringAttay(char **array, int num)
{
if (array == NULL) {
return;
@ -67,6 +68,7 @@ static void FreeStringArray(char **array, int num)
}
}
APPV_FREE(array);
return;
}
static char **GetStringArrayTag(const cJSON *root, const char *tag, int *numReturn)
@ -97,14 +99,14 @@ static char **GetStringArrayTag(const cJSON *root, const char *tag, int *numRetu
int ret = strcpy_s(value[i], len + 1, item->valuestring);
if (ret != V_OK) {
LOG_ERROR("str cpy error : %d", ret);
FreeStringArray(value, num);
FreeStringAttay(value, num);
return NULL;
}
}
*numReturn = num;
return value;
EXIT:
FreeStringArray(value, num);
FreeStringAttay(value, num);
return NULL;
}
@ -198,10 +200,9 @@ static int GetProfDebugInfo(const cJSON *root, ProfDebugInfo *profVal)
static int GetProfIssuerInfo(const cJSON *root, ProfileProf *pf)
{
int len;
pf->issuer = GetStringTag(root, "issuer");
if (pf->issuer == NULL) {
len = strlen(APP_STORE);
int len = strlen(APP_STORE);
pf->issuer = APPV_MALLOC(len + 1);
if (pf->issuer == NULL) {
return V_ERR;
@ -228,22 +229,25 @@ static void FreeProfBundle(ProfBundleInfo *pfval)
static void FreeProfPerssion(ProfPermission *pfval)
{
FreeStringArray(pfval->permission, pfval->permissionNum);
FreeStringAttay(pfval->permission, pfval->permissionNum);
pfval->permissionNum = 0;
pfval->permission = NULL;
FreeStringArray(pfval->restricPermission, pfval->restricNum);
FreeStringAttay(pfval->restricPermission, pfval->restricNum);
pfval->restricNum = 0;
pfval->restricPermission = NULL;
return;
}
static void FreeProfDebuginfo(ProfDebugInfo *pfval)
{
FREE_IF_NOT_NULL(pfval->devIdType);
FreeStringArray(pfval->deviceId, pfval->devidNum);
FreeStringAttay(pfval->deviceId, pfval->devidNum);
pfval->devidNum = 0;
pfval->deviceId = NULL;
return;
}
void ProfFreeData(ProfileProf *pf)
@ -260,6 +264,7 @@ void ProfFreeData(ProfileProf *pf)
FreeProfDebuginfo(&pf->debugInfo);
FREE_IF_NOT_NULL(pf->issuer);
FREE_IF_NOT_NULL(pf->appid);
return;
}
/* parse profile */
@ -354,17 +359,25 @@ static int VerifyAppBundleInfo(const ProfileProf *pf)
static int VerifyUdid(const ProfileProf *pf)
{
unsigned int size = UDID_VERIFY_BYTES + 1;
if (pf->debugInfo.devidNum > MAX_UDID_NUM) {
LOG_ERROR("udid num exceed maximum");
return V_ERR;
}
char *udid = GetDevUdid();
unsigned char *udid = APPV_MALLOC(size);
if (udid == NULL) {
LOG_ERROR("udid is null");
return V_ERR;
}
(void)memset_s(udid, size, 0, size);
int result = InquiryDeviceUdid(udid, size);
if (result != INQUIRY_UDID_OK) {
free(udid);
LOG_ERROR("get udid fail");
return V_ERR;
}
for (int i = 0; i < pf->debugInfo.devidNum; i++) {
if (strcmp(pf->debugInfo.deviceId[i], udid) == 0) {
if (strcmp((const char *)pf->debugInfo.deviceId[i], (const char *)udid) == 0) {
LOG_INFO("find right udid");
free(udid);
udid = NULL;
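Review bot: `VerifyUdid` runs `strcmp` on the buffer filled by `InquiryDeviceUdid(udid, size)`, but nothing visible guarantees the callee leaves a terminating NUL when it is handed the full `UDID_VERIFY_BYTES + 1` bytes. The preceding `memset_s` only helps if the callee writes fewer than `size` bytes, so I would add `udid[size - 1] = '\0';` after the successful call (or pass `size - 1`). The buffer comes from `APPV_MALLOC` but is released with plain `free`; use `APPV_FREE(udid)` so allocation and release stay paired, and note that `size` is `unsigned int` while the callee takes `int`. The section also shows both `FreeStringArray` and `FreeStringAttay`; whichever side is new, the helper should keep the correctly spelled name. The function continues past the end of the hunk.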


@ -16,7 +16,6 @@
#include "app_verify.h"
#include <fcntl.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
@ -83,6 +82,8 @@ static const TrustAppCert g_trustAppListTest[] = {
static bool g_isDebugMode = false;
static bool g_isActsMode = false;
static void SignHeadN2H(HwSignHead *signHead)
{
signHead->blockNum = HapGetInt((unsigned char *)&signHead->blockNum, sizeof(signHead->blockNum));
@ -90,6 +91,7 @@ static void SignHeadN2H(HwSignHead *signHead)
signHead->magicLow = HapGetInt64((unsigned char *)&signHead->magicLow, sizeof(signHead->magicLow));
signHead->magicHigh = HapGetInt64((unsigned char *)&signHead->magicHigh, sizeof(signHead->magicHigh));
signHead->version = HapGetInt((unsigned char *)&signHead->version, sizeof(signHead->version));
return;
}
static void BlockHeadN2H(BlockHead *blockHead)
@ -97,6 +99,7 @@ static void BlockHeadN2H(BlockHead *blockHead)
blockHead->type = HapGetInt((unsigned char *)&blockHead->type, sizeof(blockHead->type));
blockHead->length = HapGetInt((unsigned char *)&blockHead->length, sizeof(blockHead->length));
blockHead->offset = HapGetInt((unsigned char *)&blockHead->offset, sizeof(blockHead->offset));
return;
}
static void ContentN2H(ContentInfo *content)
@ -105,6 +108,7 @@ static void ContentN2H(ContentInfo *content)
content->size = HapGetInt((unsigned char *)&content->size, sizeof(content->size));
content->algId = HapGetInt((unsigned char *)&content->algId, sizeof(content->algId));
content->length = HapGetInt((unsigned char *)&content->length, sizeof(content->length));
return;
}
static int GetSignHead(const FileRead *file, SignatureInfo *signInfo)
@ -201,6 +205,9 @@ char *GetSignBlockByType(const SignatureInfo *signInfo, int fp, int blockType, i
if (blockHead->length == 0 || blockHead->length > (signInfo->hapCoreDirOffset - signInfo->fullSignBlockOffset)) {
return NULL;
}
if ((blockHead->length + 1) >= signInfo->fileSize) {
return NULL;
}
char *buf = APPV_MALLOC(blockHead->length + 1);
if (buf == NULL) {
LOG_ERROR("malloc error");
@ -232,18 +239,6 @@ int GetHashUnitLen(int hashAlg)
return mbedtls_md_get_size(mbedtls_md_info_from_type((mbedtls_md_type_t)hashAlg));
}
int CalculateHash(const unsigned char *input, int len, int hashAlg, unsigned char *output)
{
if (input == NULL || output == NULL || len < 0) {
return V_ERR;
}
int ret = mbedtls_md(mbedtls_md_info_from_type((mbedtls_md_type_t)hashAlg), input, len, output);
if (ret) {
LOG_ERROR("Error: calc digest failed");
}
return ret;
}
static int CalcCmpContHash(const Pkcs7 *pkcs7, const SignerInfo *signer,
mbedtls_md_type_t algType, unsigned char *hash, size_t *hashLen)
{
@ -336,7 +331,7 @@ static int VerifyRawHash(const SignatureInfo *signInfo, const FileRead *fileRead
if (content->algId != HASH_ALG_SHA256 && content->algId != HASH_ALG_SHA384 && content->algId != HASH_ALG_SHA512) {
LOG_ERROR("hash alg invalid");
APPV_FREE(content);
return ret;
return V_ERR;
}
HapBuf actualDigest = {0};
int rootHashLen = GetHashUnitLen(content->algId);
@ -539,7 +534,6 @@ EXIT:
APPV_FREE(profileData);
return V_ERR;
}
static unsigned char *GetRsaPk(const mbedtls_pk_context *pk, int *len)
{
unsigned char *buf = APPV_MALLOC(MAX_PK_BUF);
@ -645,14 +639,16 @@ static int ParseCertGetPk(const char *certEncoded, AppSignPk *pk)
}
int len = 0;
unsigned char *pkBuf = GetPkBuf(&cert->pk, &len);
mbedtls_x509_crt_free(cert);
APPV_FREE(cert);
if (pkBuf == NULL) {
LOG_ERROR("get pk error");
mbedtls_x509_crt_free(cert);
APPV_FREE(cert);
return V_ERR;
}
pk->pk = (char *)pkBuf;
pk->len = len;
mbedtls_x509_crt_free(cert);
APPV_FREE(cert);
return V_OK;
}
@ -678,6 +674,7 @@ static void FreeAppSignPublicKey(AppSignPk *pk)
if (pk->pk != NULL) {
APPV_FREE(pk->pk);
}
return;
}
int GetAppid(ProfileProf *profile)
@ -715,15 +712,16 @@ int GetAppid(ProfileProf *profile)
}
ret = mbedtls_base64_encode((unsigned char *)appid + bundleNameLen + 1,
appidLen - bundleNameLen - 1, &useLen, (unsigned char *)pk.pk, pk.len);
FreeAppSignPublicKey(&pk);
if (ret != V_OK) {
LOG_ERROR("base 64 encode error");
APPV_FREE(appid);
FreeAppSignPublicKey(&pk);
return V_ERR_GET_APPID;
}
profile->appid = appid;
LOG_INFO("appid len: %d, bL len: %d, base64: %d", appidLen, bundleNameLen, (int)useLen);
LOG_PRINT_STR("%s", appid);
FreeAppSignPublicKey(&pk);
return V_OK;
}
@ -749,11 +747,12 @@ static int VerifyProfGetContent(int fp, const SignatureInfo *signInfo, int certT
}
ret = ParseProfile(profBuf, len, pf);
APPV_FREE(profBuf);
if (ret != V_OK) {
LOG_ERROR("GetSignBlock error");
APPV_FREE(profBuf);
return V_ERR_GET_PARSE_PROFILE;
}
APPV_FREE(profBuf);
ret = VerifyProfileContent(pf);
P_ERR_GOTO_WTTH_LOG(ret);
@ -1134,12 +1133,14 @@ static int VerifyIntegrity(SignatureInfo *signInfo, int fp, ProfileProf *pf)
}
ret = VerfiyAppSourceGetProfile(fp, signInfo, certType, binSignCert, pf);
FreeCertInfo(binSignCert);
APPV_FREE(binSignCert);
if (ret != V_OK) {
LOG_ERROR("verify app source failed : %d", ret);
FreeCertInfo(binSignCert);
APPV_FREE(binSignCert);
return ret;
}
FreeCertInfo(binSignCert);
APPV_FREE(binSignCert);
return V_OK;
}
@ -1207,6 +1208,17 @@ int APPVERI_SetDebugMode(bool mode)
return V_OK;
}
/* set test mode */
void APPVERI_SetActsMode(bool mode)
{
g_isActsMode = mode;
}
int APPVERI_IsActsMode(void)
{
return g_isActsMode;
}
void APPVERI_FreeVerifyRst(VerifyResult *verifyRst)
{
if (verifyRst == NULL) {
@ -1215,4 +1227,4 @@ void APPVERI_FreeVerifyRst(VerifyResult *verifyRst)
LOG_INFO("free verify rst data");
ProfFreeData(&verifyRst->profile);
return;
}
}


@ -25,11 +25,11 @@ void RegistHalFunc()
RegistProductFunc(&g_productDiffFunc);
}
char *GetDevUdid()
int InquiryDeviceUdid(unsigned char *udid, int size)
{
if (g_productDiffFunc.devUdidFunc == NULL) {
return NULL;
return INQUIRY_UDID_ERROR;
}
return g_productDiffFunc.devUdidFunc();
return g_productDiffFunc.devUdidFunc(udid, size);
}
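Review bot: `InquiryDeviceUdid` hands `udid` and `size` straight to the product callback; the only thing checked is the callback pointer (reading the second line of each printed pair as the new side, which the 11/11 hunk counts support). Because the function now fills a caller-supplied buffer instead of returning a pointer, the guard would be safer as `if (udid == NULL || size <= 0 || g_productDiffFunc.devUdidFunc == NULL) {`, so a bad buffer is rejected here rather than relying on every product implementation to do it. A short comment giving the expected buffer size and whether the result is NUL-terminated would also help callers; neither is visible in this section.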


@ -15,7 +15,6 @@
#include "app_verify_hap.h"
#include <stdbool.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>
#include "app_centraldirectory.h"
@ -110,7 +109,7 @@ static int GetChunkSumCount(int fileSize, int coreDirectorySize, int eocdSize, i
}
static int ComputeDigestsWithOptionalBlock(const int digestAlgorithm, int fp, const SignatureInfo *signInfo,
const HapBuf *chunkDigest, const HapBuf *finalDigest)
const HapBuf *chunkDigest, const HapBuf *fianlDigest)
{
int ret, readLen;
int rst = V_ERR;
@ -147,7 +146,7 @@ static int ComputeDigestsWithOptionalBlock(const int digestAlgorithm, int fp, co
P_NULL_GOTO_WTTH_LOG(outbuf);
ret = mbedtls_md_finish(mdCtx, outbuf);
P_ERR_GOTO_WTTH_LOG(ret);
HapPutData(finalDigest, 0, outbuf, rootHashLen);
HapPutData(fianlDigest, 0, outbuf, rootHashLen);
(void)memset_s(outbuf, rootHashLen, 0, rootHashLen);
rst = V_OK;
EXIT:
@ -158,7 +157,7 @@ EXIT:
return rst;
}
static int HapUpdateDigestHead(int digestAlgorithm, mbedtls_md_context_t *mdCtx, const mbedtls_md_info_t *mdInfo,
static int HapUpdateDigistHead(int digestAlgorithm, mbedtls_md_context_t *mdCtx, const mbedtls_md_info_t *mdInfo,
int readLen, size_t *hlen)
{
mbedtls_md_init(mdCtx);
@ -206,7 +205,7 @@ static int UpdateSmallBlock(int readLen, const int fp, mbedtls_md_context_t *mdC
return V_OK;
}
static int ComputeFileHash(const SignatureInfo *signInfo, int digestAlgorithm, const int fp,
static int ComputerFileHash(const SignatureInfo *signInfo, int digestAlgorithm, const int fp,
const HapBuf *chunkDigest, int *offset)
{
mbedtls_md_context_t *mdCtx = APPV_MALLOC(sizeof(mbedtls_md_context_t));
@ -222,7 +221,7 @@ static int ComputeFileHash(const SignatureInfo *signInfo, int digestAlgorithm, c
APPV_FREE(mdCtx);
return V_ERR;
}
int ret = HapUpdateDigestHead(digestAlgorithm, mdCtx, mdInfo, readLen, &hlen);
int ret = HapUpdateDigistHead(digestAlgorithm, mdCtx, mdInfo, readLen, &hlen);
P_ERR_GOTO_WTTH_LOG(ret);
LOG_INFO("content: %d, %d", rawBufLen, pos);
ret = UpdateSmallBlock(readLen, fp, mdCtx);
@ -247,7 +246,7 @@ EXIT:
return V_ERR;
}
static int ComputeCoreDirHash(const SignatureInfo *signInfo, int digestAlgorithm, const int fp,
static int ComputerCoreDirHash(const SignatureInfo *signInfo, int digestAlgorithm, const int fp,
const HapBuf *chunkDigest, int *offset)
{
int centralDirSize = signInfo->hapEocdOffset - signInfo->hapCoreDirOffset;
@ -270,7 +269,7 @@ static int ComputeCoreDirHash(const SignatureInfo *signInfo, int digestAlgorithm
return V_OK;
}
static int ComputeEocdHash(const SignatureInfo *signInfo, int digestAlgorithm, const int fp,
static int ComputerEocdHash(const SignatureInfo *signInfo, int digestAlgorithm, const int fp,
const HapBuf *chunkDigest, int *offset)
{
if (signInfo->hapEocdSize <= 0) {
@ -320,11 +319,11 @@ bool VerifyIntegrityChunk(int digestAlgorithm, const int fp,
HapSetInt32(&chunkDigest, 1, sumCount);
int offset = HAP_DIGEST_PRIFIX_LEN;
int ret;
ret = ComputeFileHash(signInfo, digestAlgorithm, fp, &chunkDigest, &offset);
ret = ComputerFileHash(signInfo, digestAlgorithm, fp, &chunkDigest, &offset);
P_ERR_GOTO_WTTH_LOG(ret);
ret = ComputeCoreDirHash(signInfo, digestAlgorithm, fp, &chunkDigest, &offset);
ret = ComputerCoreDirHash(signInfo, digestAlgorithm, fp, &chunkDigest, &offset);
P_ERR_GOTO_WTTH_LOG(ret);
ret = ComputeEocdHash(signInfo, digestAlgorithm, fp, &chunkDigest, &offset);
ret = ComputerEocdHash(signInfo, digestAlgorithm, fp, &chunkDigest, &offset);
P_ERR_GOTO_WTTH_LOG(ret);
ret = ComputeDigestsWithOptionalBlock(digestAlgorithm, fp, signInfo, &chunkDigest, actualDigest);
P_ERR_GOTO_WTTH_LOG(ret);


@ -136,7 +136,7 @@ static int GetContentInfoType(unsigned char **p, const unsigned char *end,
*hasContent = (seqLen != len + (*p - start));
*p += len; // pass the oid info to the real content location.
return rc;
return PKCS7_SUCC;
}
static int GetContentLenOfContentInfo(unsigned char **p, const unsigned char *end, size_t *len)
@ -185,7 +185,7 @@ static int ParseSignerDigestAlg(unsigned char **p, const unsigned char *end, Sig
if (InvalidDigestAlg(&signer->digestAlgId)) {
return PKCS7_INVALID_DIGEST_ALG;
}
return rc;
return PKCS7_SUCC;
}
static int ParseSignerAuthAttr(unsigned char **p, const unsigned char *end, SignerInfo *signer)
@ -206,7 +206,7 @@ static int ParseSignerAuthAttr(unsigned char **p, const unsigned char *end, Sign
signer->authAttrRaw.p = raw;
signer->authAttrRaw.len = len + tlLen;
return rc;
return PKCS7_SUCC;
}
/*
@ -235,7 +235,7 @@ static int ParseSignerEncAlg(unsigned char **p, const unsigned char *end, Signer
if (InvalidDigestEncAlg(&signer->digestEncAlgId)) {
return PKCS7_INVALID_SIGNING_ALG;
}
return rc;
return PKCS7_SUCC;
}
/*
@ -255,7 +255,7 @@ static int ParseSignerSignature(unsigned char **p, const unsigned char *end, Sig
signer->signature.len = len;
signer->signature.p = *p;
*p += len;
return rc;
return PKCS7_SUCC;
}
static int GetSignerSignature(const SignerInfo *signer, unsigned char **sig, size_t *sigLen)
@ -284,7 +284,7 @@ static int ParseSignerUnAuthAttr(unsigned char **p, const unsigned char *end, Si
signer->unAuthAttr.len = len;
signer->unAuthAttr.p = *p;
*p += len;
return rc;
return PKCS7_SUCC;
}
static int SerialCmp(const mbedtls_x509_buf *a, const mbedtls_x509_buf *b)
@ -518,7 +518,7 @@ static int ParseSignedDataContentInfo(unsigned char **p, const unsigned char *en
content->data.len = len;
DlogContentInfo(content);
*p += len;
return rc;
return PKCS7_SUCC;
}
static int ParseSignedDataCerts(unsigned char **p, const unsigned char *end, mbedtls_x509_crt **certs)
@ -698,6 +698,7 @@ static void FreeSignedDataCerts(Pkcs7 *pkcs7)
static void FreeSignedDataCrl(Pkcs7 *pkcs7)
{
mbedtls_x509_crl_free(&pkcs7->signedData.crl);
return;
}
static int GetCertsNumOfSignedData(const mbedtls_x509_crt *crts)
@ -972,7 +973,6 @@ static void UnLoadSelfSignedCert(void)
{
mbedtls_x509_crt_free(&g_selfSignedCert);
}
static void DLogCrtVerifyInfo(unsigned int flags)
{
char vrfyBuf[VERIFY_BUF_LEN];
@ -1046,7 +1046,6 @@ int PKCS7_VerifyCertsChain(const Pkcs7 *pkcs7)
while (signer != NULL) {
mbedtls_x509_crt *clicert = signer->certPath.crt;
if (clicert == NULL) {
signer = signer->next;
LOG_ERROR("Signer has no certs");
return PKCS7_HAS_NO_SIGNER_CRT;
}
@ -1065,7 +1064,7 @@ int PKCS7_VerifyCertsChain(const Pkcs7 *pkcs7)
}
}
rc = VerifyClicert(clicert, signer->rootCert, pkcs7);
LOG_DEBUG("Verify root : %d", rc);
LOG_DEBUG("Verify : %d", rc);
if (rc == PKCS7_SUCC) {
signer = signer->next;
continue;
@ -1187,18 +1186,17 @@ int PKCS7_GetDigestInSignerAuthAttr(const SignerInfo *signer, unsigned char **di
return PKCS7_INVALID_VALUE;
}
unsigned char *p = signer->authAttr.p;
unsigned char *end = p + signer->authAttr.len;
size_t tmpLen = 0;
int rc;
if (p == NULL) {
return PKCS7_HAS_NO_AUTH_ATTR_IN_SIGNER;
}
unsigned char *end = p + signer->authAttr.len;
size_t tmpLen = 0;
/* SET OF SEQUENCE */
while (p < end) {
size_t seqLen;
unsigned char *seqEnd = NULL;
rc = mbedtls_asn1_get_tag(&p, end, &seqLen, MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED);
int rc = mbedtls_asn1_get_tag(&p, end, &seqLen, MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED);
if (rc) {
return rc;
}
@ -1271,7 +1269,7 @@ int PKCS7_EnableDebugMode(bool mode)
return rc;
}
g_debugModeEnabled = mode;
return rc;
return PKCS7_SUCC;
}
#ifdef PARSE_PEM_FORMAT_SIGNED_DATA
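Review bot: In `PKCS7_GetDigestInSignerAuthAttr` the computation of `end` appears to have moved below the `p == NULL` check (the 18/17 hunk counts fit that reading), but nothing records why the order matters, so a later tidy-up could hoist the declarations back to the top. A one-line comment above it would pin the intent: `/* derive end only after the NULL check; arithmetic on a null authAttr.p is undefined */`. The function starts and ends outside this hunk, so how `tmpLen` and the per-attribute bounds are handled further down cannot be judged from here.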


@ -0,0 +1,58 @@
# Copyright (c) 2020 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
import("//build/lite/config/component/lite_component.gni")
import("//build/lite/config/test.gni")
unittest("app_verify_test") {
output_extension = "bin"
output_dir = "$root_out_dir/test/unittest/security"
sources = [
"packets/business_packet.cpp",
"packets/modified_packet.cpp",
"packets/success_test.cpp",
"packets/udid_right_test.cpp",
"packets/udid_wrong_test.cpp",
"packets/unsigned_packet.cpp",
"packets/wrong_license.cpp",
"src/hap_verify_test.cpp",
"src/write_file.cpp",
]
include_dirs = [
"src",
"//base/security/appverify/interfaces/innerkits/appverify_lite/include",
"//base/startup/syspara_lite/interfaces/kits",
"//base/security/permission/interfaces/innerkits/permission_lite",
"//third_party/bounds_checking_function/include",
"//third_party/cJSON",
]
deps = [
"//base/hiviewdfx/hilog_lite/frameworks/featured:hilog_shared",
"//base/security/appverify/interfaces/innerkits/appverify_lite:verify",
"//base/security/permission/services/permission_lite/pms_client:pms_client",
"//base/startup/syspara_lite/frameworks/parameter:parameter",
"//build/lite/config/component/cJSON:cjson_shared",
"//third_party/bounds_checking_function:libsec_shared",
"//third_party/mbedtls:mbedtls_shared",
]
ldflags = [
"-lstdc++",
"-lm",
"-lpthread",
]
}
group("unittest") {
deps = [ ":app_verify_test" ]
}

File diff suppressed because one or more lines are too long

File diff suppressed because one or more lines are too long

File diff suppressed because one or more lines are too long

File diff suppressed because one or more lines are too long

File diff suppressed because one or more lines are too long

File diff suppressed because one or more lines are too long

File diff suppressed because one or more lines are too long


@ -0,0 +1,277 @@
/*
* Copyright (c) 2020 Huawei Device Co., Ltd.
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include "hap_verify_test.h"
#include <fstream>
#include <gtest/gtest.h>
#include <string>
#include "app_verify_pub.h"
#include "write_file.h"
using namespace std;
using namespace testing::ext;
namespace {
class app_verify_test : public testing::Test {
public:
static void SetUpTestCase(void);
static void TearDownTestCase(void);
void SetUp();
void TearDown();
};
void app_verify_test::SetUpTestCase(void)
{
}
void app_verify_test::TearDownTestCase(void)
{
}
void app_verify_test::SetUp()
{
}
void app_verify_test::TearDown()
{
}
/**
* @tc.require: SR000E10EO
* @tc.name: test001
* @tc.desc: hap包可以安装并验签通过
* @tc.function: SUB_SEC_AppSec_AppSign_VerifySignature
* @tc.spec: SUB_SEC_AppSec_AppSign_VerifySignature
* @tc.feature: SUB_SEC_AppSec_AppSign_VerifySignature
* @tc.number: SUB_SEC_AppSec_AppSign_VerifySignature_1500
* @tc.size: MEDIUM
* @tc.level: level 3
* @tc.type: FUNC
*/
HWTEST_F(app_verify_test, test001, TestSize.Level3)
{
const char *signedHap = "./business_packet.hap";
DeleteFile(signedHap);
CopyFile(GetBusinessHap(), signedHap);
VerifyResult verifyResult = {0};
int32_t resultCode = APPVERI_AppVerify(signedHap, &verifyResult);
ASSERT_TRUE(resultCode == V_OK);
APPVERI_FreeVerifyRst(&verifyResult);
DeleteFile(signedHap);
}
/**
* @tc.require: SR000E10EO
* @tc.name: test002
* @tc.desc:
* @tc.function: SUB_SEC_AppSec_AppSign_VerifySignature
* @tc.spec: SUB_SEC_AppSec_AppSign_VerifySignature
* @tc.feature: SUB_SEC_AppSec_AppSign_VerifySignature
* @tc.number: SUB_SEC_AppSec_AppSign_VerifySignature_1500
* @tc.size: MEDIUM
* @tc.level: level 3
* @tc.type: FUNC
*/
HWTEST_F(app_verify_test, test002, TestSize.Level3)
{
const char *unsignedHap = "./unsigned_packet.hap";
DeleteFile(unsignedHap);
CopyFile(GetUnsignedHap(), unsignedHap);
VerifyResult verifyResult = {0};
int32_t resultCode = APPVERI_AppVerify(unsignedHap, &verifyResult);
ASSERT_TRUE(resultCode != V_OK);
APPVERI_FreeVerifyRst(&verifyResult);
DeleteFile(unsignedHap);
}
/**
* @tc.require: SR000E10EO
* @tc.name: test003
* @tc.desc: udid号与设备不对应的应用安装验签失败
* @tc.function: SUB_SEC_AppSec_AppSign_VerifySignature
* @tc.spec: SUB_SEC_AppSec_AppSign_VerifySignature
* @tc.feature: SUB_SEC_AppSec_AppSign_VerifySignature
* @tc.number: SUB_SEC_AppSec_AppSign_VerifySignature_1500
* @tc.size: MEDIUM
* @tc.level: level 3
* @tc.type: FUNC
*/
HWTEST_F(app_verify_test, test003, TestSize.Level3)
{
APPVERI_SetDebugMode(true);
APPVERI_SetActsMode(true);
const char *udidUnmatchHap = "./udid_wrong_test.hap";
DeleteFile(udidUnmatchHap);
CopyFile(GetWrongUdidHap(), udidUnmatchHap);
VerifyResult verifyResult = {0};
int32_t resultCode = APPVERI_AppVerify(udidUnmatchHap, &verifyResult);
ASSERT_TRUE(resultCode != V_OK);
APPVERI_FreeVerifyRst(&verifyResult);
APPVERI_SetDebugMode(false);
APPVERI_SetActsMode(false);
DeleteFile(udidUnmatchHap);
}
/**
* @tc.require: AR000F5M36
* @tc.name: test004
* @tc.desc: udid号与设备对应的应用安装验签
* @tc.function: SUB_SEC_AppSec_AppSign_VerifySignature
* @tc.spec: SUB_SEC_AppSec_AppSign_VerifySignature
* @tc.feature: SUB_SEC_AppSec_AppSign_VerifySignature
* @tc.number: SUB_SEC_AppSec_AppSign_VerifySignature_1500
* @tc.size: MEDIUM
* @tc.level: level 3
* @tc.type: FUNC
*/
HWTEST_F(app_verify_test, test004, TestSize.Level3)
{
APPVERI_SetDebugMode(true);
APPVERI_SetActsMode(true);
const char *udidMatchHap = "./udid_right_test.hap";
DeleteFile(udidMatchHap);
CopyFile(GetRightUdidHap(), udidMatchHap);
VerifyResult verifyResult = {0};
int32_t resultCode = APPVERI_AppVerify(udidMatchHap, &verifyResult);
ASSERT_TRUE(resultCode == V_OK);
APPVERI_FreeVerifyRst(&verifyResult);
APPVERI_SetDebugMode(false);
APPVERI_SetActsMode(false);
DeleteFile(udidMatchHap);
}
/**
* @tc.require: SR000E320R
* @tc.name: test005
* @tc.desc:
* @tc.function: SUB_SEC_AppSec_AppSign_VerifySignature
* @tc.spec: SUB_SEC_AppSec_AppSign_VerifySignature
* @tc.feature: SUB_SEC_AppSec_AppSign_VerifySignature
* @tc.number: SUB_SEC_AppSec_AppSign_VerifySignature_1500
* @tc.size: MEDIUM
* @tc.level: level 3
* @tc.type: FUNC
*/
HWTEST_F(app_verify_test, test005, TestSize.Level3)
{
const char *tamperedHap = "./modified_packet.hap";
DeleteFile(tamperedHap);
CopyFile(GetModifiedHap(), tamperedHap);
VerifyResult verifyResult = {0};
int32_t resultCode = APPVERI_AppVerify(tamperedHap, &verifyResult);
ASSERT_TRUE(resultCode != V_OK);
APPVERI_FreeVerifyRst(&verifyResult);
DeleteFile(tamperedHap);
}
/**
* @tc.require: AR000E320S
* @tc.name: test006
* @tc.desc: debug模式打开hap成功hap成功
* @tc.function: SUB_SEC_AppSec_AppSign_VerifySignature
* @tc.spec: SUB_SEC_AppSec_AppSign_VerifySignature
* @tc.feature: SUB_SEC_AppSec_AppSign_VerifySignature
* @tc.number: SUB_SEC_AppSec_AppSign_VerifySignature_1500
* @tc.size: MEDIUM
* @tc.level: level 3
* @tc.type: FUNC
*/
HWTEST_F(app_verify_test, test006, TestSize.Level3)
{
APPVERI_SetDebugMode(true);
APPVERI_SetActsMode(true);
const char *testHap = "./success_test.hap";
DeleteFile(testHap);
CopyFile(GetSuccessHap(), testHap);
VerifyResult verifyResult = {0};
int32_t resultCode = APPVERI_AppVerify(testHap, &verifyResult);
ASSERT_TRUE(resultCode != V_OK);
APPVERI_FreeVerifyRst(&verifyResult);
APPVERI_SetActsMode(false);
DeleteFile(testHap);
const char *businessHap = "./business_packet.hap";
DeleteFile(businessHap);
CopyFile(GetBusinessHap(), businessHap);
VerifyResult verifyResult1 = {0};
resultCode = APPVERI_AppVerify(businessHap, &verifyResult1);
APPVERI_FreeVerifyRst(&verifyResult1);
ASSERT_TRUE(resultCode == V_OK);
APPVERI_SetDebugMode(false);
DeleteFile(businessHap);
}
/**
* @tc.require: AR000E320S
* @tc.name: test007
* @tc.desc: debug模式关闭hap成功hap失败
* @tc.function: SUB_SEC_AppSec_AppSign_VerifySignature
* @tc.spec: SUB_SEC_AppSec_AppSign_VerifySignature
* @tc.feature: SUB_SEC_AppSec_AppSign_VerifySignature
* @tc.number: SUB_SEC_AppSec_AppSign_VerifySignature_1500
* @tc.size: MEDIUM
* @tc.level: level 3
* @tc.type: FUNC
*/
HWTEST_F(app_verify_test, test007, TestSize.Level3)
{
APPVERI_SetDebugMode(false);
const char *businessHap = "./business_packet.hap";
DeleteFile(businessHap);
CopyFile(GetBusinessHap(), businessHap);
VerifyResult verifyResult = {0};
int32_t resultCode = APPVERI_AppVerify(businessHap, &verifyResult);
ASSERT_TRUE(resultCode == V_OK);
APPVERI_FreeVerifyRst(&verifyResult);
DeleteFile(businessHap);
const char *testHap = "./success_test.hap";
DeleteFile(testHap);
CopyFile(GetSuccessHap(), testHap);
VerifyResult verifyResult1 = {0};
APPVERI_SetActsMode(true);
resultCode = APPVERI_AppVerify(testHap, &verifyResult1);
APPVERI_FreeVerifyRst(&verifyResult);
ASSERT_TRUE(resultCode != V_OK);
APPVERI_SetDebugMode(false);
APPVERI_SetActsMode(false);
DeleteFile(testHap);
}
/**
* @tc.require: SR000E320R
* @tc.name: test008
* @tc.desc: 使
* @tc.function: SUB_SEC_AppSec_AppSign_VerifySignature
* @tc.spec: SUB_SEC_AppSec_AppSign_VerifySignature
* @tc.feature: SUB_SEC_AppSec_AppSign_VerifySignature
* @tc.number: SUB_SEC_AppSec_AppSign_VerifySignature_1500
* @tc.size: MEDIUM
* @tc.level: level 3
* @tc.type: FUNC
*/
HWTEST_F(app_verify_test, test008, TestSize.Level3)
{
const char *wrongHap = "./wrong_license.hap";
DeleteFile(wrongHap);
CopyFile(GetWrongLiceseHap(), wrongHap);
VerifyResult verifyResult = {0};
int32_t resultCode = APPVERI_AppVerify(wrongHap, &verifyResult);
ASSERT_TRUE(resultCode != V_OK);
APPVERI_FreeVerifyRst(&verifyResult);
DeleteFile(wrongHap);
}
}
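Review bot: In `test007` the second verification writes into `verifyResult1`, but the cleanup call is `APPVERI_FreeVerifyRst(&verifyResult);`, which releases the first result a second time and never releases the second. Whether the repeated call is harmless depends on `ProfFreeData` clearing its pointers, which is not visible here; the line should read `APPVERI_FreeVerifyRst(&verifyResult1);`. Separately, `test003`, `test004`, `test006` and `test007` call `ASSERT_TRUE` before `APPVERI_SetDebugMode(false)` / `APPVERI_SetActsMode(false)`, so a failing assertion leaves the verifier in debug and test mode for every later test in the process and leaves the fixture file on disk. Resetting both flags in `TearDown()` would remove that dependency on test order.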


@ -13,11 +13,7 @@
* limitations under the License.
*/
#include "app_verify_default.h"
#include "parameter.h"
void RegistBaseDefaultFunc(ProductDiff *productFunc)
{
productFunc->devUdidFunc = GetSerial;
}
#ifndef APPSECURITY_HAP_VERIFY_TEST_H
#define APPSECURITY_HAP_VERIFY_TEST_H
#endif // APPSECURITY_HAP_VERIFY_TEST_H


@ -0,0 +1,80 @@
/*
* Copyright (c) 2020 Huawei Device Co., Ltd.
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include "write_file.h"
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
#include "mbedtls/base64.h"
#include "securec.h"
const int MAX_FILE_LEN = 1000000;
const int ONCE_WRITE = 2000;
int CopyFile(const char *org, const char *dest)
{
int ret = 0;
if (org == NULL || dest == NULL) {
return -1;
}
int in = open(dest, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH);
if (in < 0) {
return -1;
}
int wholeLen = strlen(org);
if (wholeLen == 0 || wholeLen > MAX_FILE_LEN) {
close(in);
return -1;
}
char *buffer = (char *)malloc(wholeLen);
if (buffer == NULL) {
close(in);
return -1;
}
(void)memset_s(buffer, wholeLen, 0, wholeLen);
int len = 0;
mbedtls_base64_decode((unsigned char *)buffer, (size_t)wholeLen, (size_t *)&len, (unsigned char *)org, (size_t)wholeLen);
int num = 0;
while (num < len) {
int trueLen = ((len - num) >= ONCE_WRITE) ? ONCE_WRITE : (len - num);
char *temp = buffer + num;
num += trueLen;
ret = write(in, temp, trueLen);
if (ret < 0) {
goto EXIT;
}
}
ret = 0;
EXIT:
close(in);
free(buffer);
return ret;
}
void DeleteFile(const char *path)
{
if (path == NULL) {
return;
}
remove(path);
return;
}
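Review bot: `CopyFile` passes `(size_t *)&len` to `mbedtls_base64_decode` while `len` is an `int`, so on a target where `size_t` is wider than `int` the decoder writes past the variable on the stack. The decode result is also dropped, so a malformed fixture yields an empty file and a return of 0, and the loop advances by `trueLen` even when `write()` reports fewer bytes. Declaring the length as `size_t`, checking the decode result and advancing by what `write()` returned addresses all three, as sketched below. The `open()` mode also grants group and other write on a file that is then handed to the verifier; `S_IRUSR | S_IWUSR` is enough for a test fixture.

```cpp
    size_t len = 0;
    size_t num = 0;
    int rc = mbedtls_base64_decode((unsigned char *)buffer, (size_t)wholeLen, &len,
        (const unsigned char *)org, (size_t)wholeLen);
    if (rc != 0) {
        ret = -1;
        goto EXIT;
    }
    while (num < len) {
        size_t chunk = ((len - num) >= (size_t)ONCE_WRITE) ? (size_t)ONCE_WRITE : (len - num);
        ssize_t written = write(in, buffer + num, chunk);
        if (written <= 0) {
            ret = -1;
            goto EXIT;
        }
        num += (size_t)written;
    }
    // … unchanged: ret = 0; EXIT: close(in); free(buffer); return ret; …
```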


@ -0,0 +1,29 @@
/*
* Copyright (c) 2020 Huawei Device Co., Ltd.
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef APPSECURITY_WRITE_FILE_H
#define APPSECURITY_WRITE_FILE_H
#include <stdio.h>
#include <stdlib.h>
void DeleteFile(const char *path);
int CopyFile(const char *org, const char *dest);
const char* GetWrongLiceseHap(void);
const char* GetUnsignedHap(void);
const char* GetWrongUdidHap(void);
const char* GetRightUdidHap(void);
const char* GetSuccessHap(void);
const char* GetModifiedHap(void);
const char* GetBusinessHap(void);
#endif // APPSECURITY_WRITE_FILE_H


@ -1,35 +0,0 @@
# Copyright (c) 2020 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
config("verify_base_config") {
include_dirs = [
"//base/security/frameworks/app_verify/include",
"//base/startup/interfaces/kits/syspara_lite",
"//base/security/frameworks/app_verify/products/ipcamera",
]
cflags = [
"-Wall",
]
}
shared_library("verify_base") {
sources = [
"app_verify_base.c",
"../default/app_verify_default.c",
]
configs += [ ":verify_base_config" ]
public_deps = [
"//base/startup/frameworks/syspara_lite/parameter:parameter",
"//base/hiviewdfx/frameworks/hilog_lite/featured:hilog_shared",
]
}


@ -1,3 +0,0 @@
详见https://gitee.com/openharmony/docs/blob/master/readme/安全子系统README.md
see: https://gitee.com/openharmony/docs/blob/master/docs-en/readme/security-subsystem.md