fix code_signature cleancode

Signed-off-by: ligongshao <flamingsword1953@163.com>
2024-11-27 16:30:30 +00:00 · 2023-08-30 19:00:46 +08:00 · 2023-08-30 19:00:46 +08:00 · de5e2c4813
commit de5e2c4813
parent 65247790d2
11 changed files with 80 additions and 87 deletions
--- a/interfaces/innerkits/code_sign_utils/include/stat_utils.h
+++ b/interfaces/innerkits/code_sign_utils/include/stat_utils.h
@ -16,9 +16,9 @@
 #ifndef CODE_SIGN_STAT_UTILS_H
 #define CODE_SIGN_STAT_UTILS_H

+#include <string>
 #include <asm/unistd.h>
 #include <linux/stat.h>
-#include <string>
 #include <unistd.h>

 namespace OHOS {
--- a/interfaces/innerkits/code_sign_utils/src/code_sign_utils.cpp
+++ b/interfaces/innerkits/code_sign_utils/src/code_sign_utils.cpp
@ -19,14 +19,14 @@
 #include <cstdlib>
 #include <cstdint>
 #include <cstdio>
-#include <fcntl.h>
 #include <iostream>
+#include <sys/types.h>
+#include <unistd.h>
+#include <fcntl.h>
 #include <linux/fs.h>
 #include <linux/fsverity.h>
 #include <linux/stat.h>
 #include <linux/types.h>
-#include <sys/types.h>
-#include <unistd.h>

 #include "cs_hisysevent.h"
 #include "cs_hitrace.h"
--- a/interfaces/innerkits/local_code_sign/src/local_code_sign_client.cpp
+++ b/interfaces/innerkits/local_code_sign/src/local_code_sign_client.cpp
@ -14,12 +14,7 @@
 */

 #include "local_code_sign_client.h"
-
-#include <cstring>
-#include <iostream>
 #include <iservice_registry.h>
-#include <unistd.h>
-
 #include "cs_hisysevent.h"
 #include "local_code_sign_proxy.h"
 #include "local_code_sign_load_callback.h"
@ -192,7 +187,6 @@ LocalCodeSignClient *GetLocalCodeSignClient()
 {
    return &LocalCodeSignClient::GetInstance();
 }
-
 }
 }
 }
--- a/services/key_enable/utils/include/key_utils.h
+++ b/services/key_enable/utils/include/key_utils.h
@ -17,7 +17,6 @@
 #define CODE_SIGN_KEY_UTILS_H

 #include <sys/types.h>
-#include <cstdint>

 typedef int32_t KeySerial;

--- a/test/unittest/code_sign_utils_test.cpp
+++ b/test/unittest/code_sign_utils_test.cpp
@ -20,80 +20,81 @@
 namespace OHOS {
 namespace Security {
 namespace CodeSign {
-
 using namespace testing::ext;
 using namespace std;

-#define TMP_BASE_PATH "/data/service/el1/public/bms/bundle_manager_service/tmp"
-#define APP_BASE_PATH "/data/app/el1/bundle/public/tmp"
+static const std::string TMP_BASE_PATH = "/data/service/el1/public/bms/bundle_manager_service/tmp";
+static const std::string APP_BASE_PATH = "/data/app/el1/bundle/public/tmp";
+
 static const EntryMap g_hapWithoutLibRetSuc = {
-    {"Hap", APP_BASE_PATH"/demo_without_lib/demo_without_lib.hap"},
+    {"Hap", APP_BASE_PATH + "/demo_without_lib/demo_without_lib.hap"},
 };
 static const std::string g_sigWithoutLibRetSucPath =
-    TMP_BASE_PATH"/demo_without_lib/demo_without_lib.sig";
+    TMP_BASE_PATH + "/demo_without_lib/demo_without_lib.sig";

 static EntryMap g_hapWithMultiLibRetSuc = {
    {"Hap",
-        APP_BASE_PATH"/demo_with_multi_lib/demo_with_multi_lib.hap"},
+        APP_BASE_PATH + "/demo_with_multi_lib/demo_with_multi_lib.hap"},
    {"libs/arm64-v8a/libc++_shared.so",
-        APP_BASE_PATH"/demo_with_multi_lib/libs/arm64-v8a/libc++_shared.so"},
+        APP_BASE_PATH + "/demo_with_multi_lib/libs/arm64-v8a/libc++_shared.so"},
    {"libs/arm64-v8a/libentry.so",
-        APP_BASE_PATH"/demo_with_multi_lib/libs/arm64-v8a/libentry.so"}
+        APP_BASE_PATH + "/demo_with_multi_lib/libs/arm64-v8a/libentry.so"}
 };
 static const std::string g_sigWithMultiLibRetSucPath =
-    TMP_BASE_PATH"/demo_with_multi_lib/demo_with_multi_lib.sig";
+    TMP_BASE_PATH + "/demo_with_multi_lib/demo_with_multi_lib.sig";

-//wrong hap and wrong lib
+// wrong hap and wrong lib
 static EntryMap g_wrongHapWithMultiLibRetFail = {
    {"Hap",
-        APP_BASE_PATH"/demo_with_multi_lib_error/demo_with_multi_lib.hap"},
+     APP_BASE_PATH + "/demo_with_multi_lib_error/demo_with_multi_lib.hap"},
    {"libs/arm64-v8a/libc++_shared.so",
-        APP_BASE_PATH"/demo_with_multi_lib_error/libs/arm64-v8a/libc++_shared.so"},
+     APP_BASE_PATH + "/demo_with_multi_lib_error/libs/arm64-v8a/libc++_shared.so"},
    {"libs/arm64-v8a/libentry.so",
-        APP_BASE_PATH"/demo_with_multi_lib_error/libs/arm64-v8a/libentry.so"}
-};
+     APP_BASE_PATH + "/demo_with_multi_lib_error/libs/arm64-v8a/libentry.so"}};

-//examples of Enforce code signature for app
+// examples of Enforce code signature for app
 static const std::vector<std::string> g_HapWithoutLibSigPkcs7ErrorPath({
-   TMP_BASE_PATH"/demo_without_lib/pkcs7_error/demo_without_lib_001.sig", //Ilegal pkcs7 format
-   TMP_BASE_PATH"/demo_without_lib/pkcs7_error/demo_without_lib_002.sig", //Disable to find cert chain
-   TMP_BASE_PATH"/demo_without_lib/pkcs7_error/demo_without_lib_003.sig", //Don't support digest algorithm
-   TMP_BASE_PATH"/demo_without_lib/pkcs7_error/demo_without_lib_004.sig", //Don't support signature algorithm
-   TMP_BASE_PATH"/demo_without_lib/pkcs7_error/demo_without_lib_005.sig", //Wrong signature
-   TMP_BASE_PATH"/demo_without_lib/pkcs7_error/demo_without_lib_006.sig", //Expired signature
-   TMP_BASE_PATH"/demo_without_lib/pkcs7_error/demo_without_lib_007.sig", //Cert chain validate fail
+    TMP_BASE_PATH + "/demo_without_lib/pkcs7_error/demo_without_lib_001.sig", // Ilegal pkcs7 format
+    TMP_BASE_PATH + "/demo_without_lib/pkcs7_error/demo_without_lib_002.sig", // Disable to find cert chain
+    TMP_BASE_PATH + "/demo_without_lib/pkcs7_error/demo_without_lib_003.sig", // Don't support digest algorithm
+    TMP_BASE_PATH + "/demo_without_lib/pkcs7_error/demo_without_lib_004.sig", // Don't support signature algorithm
+    TMP_BASE_PATH + "/demo_without_lib/pkcs7_error/demo_without_lib_005.sig", // Wrong signature
+    TMP_BASE_PATH + "/demo_without_lib/pkcs7_error/demo_without_lib_006.sig", // Expired signature
+    TMP_BASE_PATH + "/demo_without_lib/pkcs7_error/demo_without_lib_007.sig", // Cert chain validate fail
 });

 static const std::vector<std::string> g_HapWithMultiLibSigPkcs7ErrorPath({
-   TMP_BASE_PATH"/demo_with_multi_lib/pkcs7_error/demo_with_multi_lib_001.sig", //Ilegal pkcs7 format
-   TMP_BASE_PATH"/demo_with_multi_lib/pkcs7_error/demo_with_multi_lib_002.sig", //Disable to find cert chain
-   TMP_BASE_PATH"/demo_with_multi_lib/pkcs7_error/demo_with_multi_lib_003.sig", //Don't support digest algorithm
-   TMP_BASE_PATH"/demo_with_multi_lib/pkcs7_error/demo_with_multi_lib_004.sig", //Don't support signature algorithm
-   TMP_BASE_PATH"/demo_with_multi_lib/pkcs7_error/demo_with_multi_lib_005.sig", //Wrong signature
-   TMP_BASE_PATH"/demo_with_multi_lib/pkcs7_error/demo_with_multi_lib_006.sig", //Expired signature
-   TMP_BASE_PATH"/demo_with_multi_lib/pkcs7_error/demo_with_multi_lib_007.sig", //Cert chain validate fail
+    TMP_BASE_PATH + "/demo_with_multi_lib/pkcs7_error/demo_with_multi_lib_001.sig", // Ilegal pkcs7 format
+    TMP_BASE_PATH + "/demo_with_multi_lib/pkcs7_error/demo_with_multi_lib_002.sig", // Disable to find cert chain
+    TMP_BASE_PATH + "/demo_with_multi_lib/pkcs7_error/demo_with_multi_lib_003.sig", // Don't support digest algorithm
+    TMP_BASE_PATH + "/demo_with_multi_lib/pkcs7_error/demo_with_multi_lib_004.sig", // Don't support signature algorithm
+    TMP_BASE_PATH + "/demo_with_multi_lib/pkcs7_error/demo_with_multi_lib_005.sig", // Wrong signature
+    TMP_BASE_PATH + "/demo_with_multi_lib/pkcs7_error/demo_with_multi_lib_006.sig", // Expired signature
+    TMP_BASE_PATH + "/demo_with_multi_lib/pkcs7_error/demo_with_multi_lib_007.sig", // Cert chain validate fail
 });

-//examples of Enforce code signature for file
-static const std::string g_fileEnableSuc = APP_BASE_PATH"/demo_with_multi_lib/libs/arm64-v8a/libentry.so";
-static const std::string g_filesigEnablePath = TMP_BASE_PATH"/demo_with_multi_lib/libs/arm64-v8a/libentry.so.fsv-sig";
+// examples of Enforce code signature for file
+static const std::string g_fileEnableSuc = APP_BASE_PATH + "/demo_with_multi_lib/libs/arm64-v8a/libentry.so";
+static const std::string g_filesigEnablePath =
+    TMP_BASE_PATH + "/demo_with_multi_lib/libs/arm64-v8a/libentry.so.fsv-sig";

-//wrong format file
-static const std::string g_wrongFileEnableFail = APP_BASE_PATH"/demo_with_multi_lib_error/libs/arm64-v8a/libentry.so";
+// wrong format file
+static const std::string g_wrongFileEnableFail =
+    APP_BASE_PATH + "/demo_with_multi_lib_error/libs/arm64-v8a/libentry.so";

 static const std::vector<std::string> g_fileSigEnableFailPath({
-   TMP_BASE_PATH"/demo_with_multi_lib/pkcs7_error/file/libentry_01.so.fsv-sig", //ilegal pkcs7 format
-   TMP_BASE_PATH"/demo_with_multi_lib/pkcs7_error/file/libentry_02.so.fsv-sig", //Disable to find cert chain
-   TMP_BASE_PATH"/demo_with_multi_lib/pkcs7_error/file/libentry_03.so.fsv-sig", //Don't support digest algorithm
-   TMP_BASE_PATH"/demo_with_multi_lib/pkcs7_error/file/libentry_04.so.fsv-sig", //Don't support signature algorithm
-   TMP_BASE_PATH"/demo_with_multi_lib/pkcs7_error/file/libentry_05.so.fsv-sig", //Wrong signature
-   TMP_BASE_PATH"/demo_with_multi_lib/pkcs7_error/file/libentry_06.so.fsv-sig", //Expired signature
-   TMP_BASE_PATH"/demo_with_multi_lib/pkcs7_error/file/libentry_07.so.fsv-sig", //Cert chain validate fail
+    TMP_BASE_PATH + "/demo_with_multi_lib/pkcs7_error/file/libentry_01.so.fsv-sig", // ilegal pkcs7 format
+    TMP_BASE_PATH + "/demo_with_multi_lib/pkcs7_error/file/libentry_02.so.fsv-sig", // Disable to find cert chain
+    TMP_BASE_PATH + "/demo_with_multi_lib/pkcs7_error/file/libentry_03.so.fsv-sig", // Don't support digest algorithm
+    TMP_BASE_PATH + "/demo_with_multi_lib/pkcs7_error/file/libentry_04.so.fsv-sig", // Don't support signature algorithm
+    TMP_BASE_PATH + "/demo_with_multi_lib/pkcs7_error/file/libentry_05.so.fsv-sig", // Wrong signature
+    TMP_BASE_PATH + "/demo_with_multi_lib/pkcs7_error/file/libentry_06.so.fsv-sig", // Expired signature
+    TMP_BASE_PATH + "/demo_with_multi_lib/pkcs7_error/file/libentry_07.so.fsv-sig", // Cert chain validate fail
 });

-//examples of can't find the signature file
+// examples of can't find the signature file
 static const EntryMap g_hapSigNotExist = {
-    {"sigNotExist", APP_BASE_PATH"/demo_without_lib/demo_without_lib.hap"},
+    {"sigNotExist", APP_BASE_PATH + "/demo_without_lib/demo_without_lib.hap"},
 };

 class CodeSignUtilsTest : public testing::Test {
@ -128,8 +129,8 @@ static bool ReadSignatureFromFile(const std::string &path, ByteBuffer &data)
    return ret == fileSize;
 }

-//excute the exceptional examples first, because of it's always successful
-//once the same file signature verified successfully
+// excute the exceptional examples first, because of it's always successful
+// once the same file signature verified successfully

 /**
 * @tc.name: CodeSignUtilsTest_0001
@ -139,8 +140,8 @@ static bool ReadSignatureFromFile(const std::string &path, ByteBuffer &data)
 */
 HWTEST_F(CodeSignUtilsTest, CodeSignUtilsTest_0001, TestSize.Level0)
 {
-    int ret = CodeSignUtils::EnforceCodeSignForApp(g_hapWithoutLibRetSuc,
-           TMP_BASE_PATH"/demo_with_multi_lib/pkcs7_error/file/libentry_01.so.fsv-sig");
+    std::string sigPath = TMP_BASE_PATH + "/demo_with_multi_lib/pkcs7_error/file/libentry_01.so.fsv-sig";
+    int ret = CodeSignUtils::EnforceCodeSignForApp(g_hapWithoutLibRetSuc, sigPath);
    EXPECT_EQ(ret, CS_ERR_EXTRACT_FILES);
 }

@ -320,6 +321,6 @@ HWTEST_F(CodeSignUtilsTest, CodeSignUtilsTest_0012, TestSize.Level0)
    ret = CodeSignUtils::EnforceCodeSignForApp(g_hapWithMultiLibRetSuc, g_sigWithMultiLibRetSucPath);
    EXPECT_EQ(ret, CS_SUCCESS);
 }
-} //namespace CodeSign
-} //namespace Security
-} //namespace OHOS
+}  // namespace CodeSign
+}  // namespace Security
+}  // namespace OHOS
--- a/test/unittest/local_code_sign_test.cpp
+++ b/test/unittest/local_code_sign_test.cpp
@ -30,9 +30,8 @@ using namespace std;
 namespace OHOS {
 namespace Security {
 namespace CodeSign {
-
-#define AN_BASE_PATH "/data/local/ark-cache/tmp/"
-static const std::string DEMO_AN_PATH = AN_BASE_PATH"demo.an";
+static const std::string AN_BASE_PATH = "/data/local/ark-cache/tmp/";
+static const std::string DEMO_AN_PATH = AN_BASE_PATH + "demo.an";

 class LocalCodeSignTest : public testing::Test {
 public:
@ -116,6 +115,6 @@ HWTEST_F(LocalCodeSignTest, LocalCodeSignTest_0005, TestSize.Level0)
    NativeTokenReset(selfTokenId);
    EXPECT_EQ(ret, CS_ERR_FILE_PATH);
 }
-} //namespace CodeSign
-} //namespace Security
-} //namespace OHOS
+} // namespace CodeSign
+} // namespace Security
+} // namespace OHOS
--- a/test/unittest/multi_thread_local_sign_test.cpp
+++ b/test/unittest/multi_thread_local_sign_test.cpp
@ -116,6 +116,6 @@ HWMTEST_F(MultiThreadLocalSignTest, MultiThreadLocalSignTest_0001, TestSize.Leve
 {
    LocalCodeSignAndEnforce();
 }
-} //namespace CodeSign
-} //namespace Security
-} //namespace OHOS
+} // namespace CodeSign
+} // namespace Security
+} // namespace OHOS
--- a/test/unittest/sign_and_enforce_test.cpp
+++ b/test/unittest/sign_and_enforce_test.cpp
@ -33,17 +33,17 @@ using namespace std;
 namespace OHOS {
 namespace Security {
 namespace CodeSign {
-
-#define AN_BASE_PATH "/data/local/ark-cache/tmp/"
-
-static const std::string DEMO_AN_PATH = AN_BASE_PATH"demo.an";
-static const std::string DEMO_TAMPER_AN_PATH = AN_BASE_PATH"fake_demo.an";
+static const std::string AN_BASE_PATH = "/data/local/ark-cache/tmp/";
+static const std::string DEMO_AN_PATH = AN_BASE_PATH + "demo.an";
+static const std::string DEMO_TAMPER_AN_PATH = AN_BASE_PATH + "fake_demo.an";

 static const char *g_validCaller = "installs";

 static const std::string FAKE_SERIAL_NUMBER = "0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
 static const std::string FAKE_CONTENT = "FAKE";

+static const int MAX_TEST_BUF_LEN = 1024;
+
 static void ModifySignatureFormat(ByteBuffer &pkcs7Data)
 {
    uint8_t *data = pkcs7Data.GetBuffer();
@ -54,12 +54,15 @@ static void ModifySignatureValue(PKCS7_SIGNER_INFO *p7info)
 {
    const uint8_t *data = ASN1_STRING_get0_data(p7info->enc_digest);
    int len = ASN1_STRING_length(p7info->enc_digest);
+    if (len <= 0 || len > MAX_TEST_BUF_LEN) {
+        return;
+    }
    uint8_t *fdata = static_cast<uint8_t *>(malloc(len));
    if (fdata == nullptr) {
        return;
    }
-    (void) memcpy_s(fdata, len, data, len);
-    (void) memcpy_s(fdata, len, FAKE_CONTENT.c_str(), FAKE_CONTENT.length());
+    (void)memcpy_s(fdata, len, data, len);
+    (void)memcpy_s(fdata, len, FAKE_CONTENT.c_str(), FAKE_CONTENT.length());
    ASN1_STRING_set0(p7info->enc_digest, fdata, len);
 }

@ -237,6 +240,6 @@ HWTEST_F(SignAndEnforceTest, SignAndEnforceTest_0006, TestSize.Level0)
    int32_t ret = CodeSignUtils::EnforceCodeSignForFile(DEMO_AN_PATH, sig);
    EXPECT_EQ(ret, CS_SUCCESS);
 }
-} //namespace CodeSign
-} //namespace Security
-} //namespace OHOS
+} // namespace CodeSign
+} // namespace Security
+} // namespace OHOS
--- a/utils/src/cert_utils.cpp
+++ b/utils/src/cert_utils.cpp
@ -23,7 +23,6 @@
 namespace OHOS {
 namespace Security {
 namespace CodeSign {
-
 static const uint32_t CERT_DATA_SIZE = 8192;
 static const uint32_t CERT_COUNT = 4;

--- a/utils/src/fsverity_utils_helper.cpp
+++ b/utils/src/fsverity_utils_helper.cpp
@ -12,16 +12,14 @@
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
-
+#include "fsverity_utils_helper.h"
 #include <common_defs.h>
 #include <fcntl.h>
 #include <fsverity_uapi.h>
 #include <sys/types.h>
 #include <unistd.h>
-
 #include "errcode.h"
 #include "file_helper.h"
-#include "fsverity_utils_helper.h"
 #include "log.h"

 namespace OHOS {
--- a/utils/src/signer_info.cpp
+++ b/utils/src/signer_info.cpp
@ -14,9 +14,6 @@
 */

 #include "signer_info.h"
-
-#include <string>
-
 #include "log.h"
 #include "openssl/asn1.h"
 #include "openssl/pem.h"
@ -142,6 +139,9 @@ bool SignerInfo::AddSignatureInSignerInfo(const ByteBuffer &signature)
    }
    uint32_t signatureSize = signature.GetSize();
    // tmp will be free when freeing p7info_
+    if (signatureSize == 0) {
+        return false;
+    }
    uint8_t *tmp = static_cast<uint8_t *>(malloc(signatureSize));
    if (tmp == nullptr) {
        return false;