1 /*
2  * Copyright (c) 2023-2024 Huawei Device Co., Ltd.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at
6  *
7  *     http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
16 #ifndef OHOS_SECURITY_CODE_SIGN_UTILS_H
17 #define OHOS_SECURITY_CODE_SIGN_UTILS_H
18 
19 #include <cstdint>
20 #include <mutex>
21 #include <string>
22 #include <sys/ioctl.h>
23 #include <sys/types.h>
24 #include <unordered_map>
25 #include <linux/fsverity.h>
26 #include "byte_buffer.h"
27 #include "errcode.h"
28 
29 namespace OHOS {
30 namespace Security {
31 namespace CodeSign {
32 using EntryMap = std::unordered_map<std::string, std::string>; // entry name in hap -> real path on disk
33 
34 typedef enum {
35     FILE_ALL, // Enable the hap and its native libraries (so), both new and historical records
36     FILE_SELF, // Only enable the hap itself
37     FILE_ENTRY_ONLY, // Only enable native libraries (so), both new and historical records
38     FILE_ENTRY_ADD, // Only record the entries, do not enable them
39     FILE_TYPE_MAX, // presumably an end-of-range sentinel, not a usable type (confirm in the implementation)
40 } FileType;
41 
42 class CodeSignUtils { // Entry points for enforcing code signatures on haps, their native files and single files.
43 public:
44     /**
45      * @brief Enforce code signature for a hap
46      * @param entryPath map from entry name in hap to real path on disk
47      * @param signatureFile signature file path
48      * @return err code, see errcode.h; callers should treat any non-success value as "signature not enforced"
49      */
50     static int32_t EnforceCodeSignForApp(const EntryMap &entryPath, const std::string &signatureFile);
51 
52     /**
53      * @brief Enforce code signature for a hap with its native files.
54      * Multiple instances should be created to enable code signing for a multi-hap app.
55      * @param path hap real path on disk
56      * @param entryPathMap map from entry name in hap to real path on disk
57      * @param type selects which files are enabled or only recorded, see FileType
58      * @return err code, see errcode.h
59      */
60     int32_t EnforceCodeSignForApp(const std::string &path, const EntryMap &entryPathMap, FileType type);
61 
62     /**
63      * @brief Enforce code signature for a hap with ownerID
64      * @param ownerId app-identifier of the signature
65      * @param path hap real path on disk
66      * @param entryPathMap map from entry name in hap to real path on disk
67      * @param type selects which files are enabled or only recorded, see FileType
68      * @return err code, see errcode.h
69      */
70     int32_t EnforceCodeSignForAppWithOwnerId(const std::string &ownerId, const std::string &path,
71         const EntryMap &entryPathMap, FileType type);
72 
73     /**
74      * @brief Enforce code signature for file with signature
75      * @param path file path
76      * @param signature buffer carrying signature of the target file; the caller must supply at least len readable bytes
77      * @param len length of signature data (NOTE(review): null / zero-length handling is not visible in this header)
78      * @return err code, see errcode.h
79      */
80     static int32_t EnforceCodeSignForFile(const std::string &path, const uint8_t *signature, const uint32_t len);
81 
82     /**
83      * @brief Enforce code signature for file with signature
84      * @param path file path
85      * @param signature bytebuffer carrying signature of the target file
86      * @return err code, see errcode.h
87      */
88     static int32_t EnforceCodeSignForFile(const std::string &path, const ByteBuffer &signature);
89     /**
90      * @brief Get owner ID from signature file
91      * @param sigbuffer buffer of the signature file
92      * @param ownerID output string that receives the owner ID parsed from the signature file
93      * @return err code, see errcode.h; check it before using ownerID, its content on failure is not specified here
94      */
95     static int ParseOwnerIdFromSignature(const ByteBuffer &sigbuffer, std::string &ownerID);
96     /**
97      * @brief Enable key in profile content data and dump profile buffer
98      * @param bundleName bundleName
99      * @param profileBuffer profile bytebuffer carrying signer info and signed cert info
100      * @return err code, see errcode.h
101      */
102     static int32_t EnableKeyInProfile(const std::string &bundleName, const ByteBuffer &profileBuffer);
103     /**
104      * @brief Remove key in profile content data and remove profile
105      * @param bundleName bundleName
106      * @return err code, see errcode.h
107      */
108     static int32_t RemoveKeyInProfile(const std::string &bundleName);
109     /**
110      * @brief Whether enabling code signing for app compiled by oh-sdk
111      * @return return true if oh-sdk code signing is supported
112      */
113     static bool IsSupportOHCodeSign();
114     /**
115      * @brief Check if code signing is permissive
116      * @return return true if in permissive mode
117      */
118     static bool InPermissiveMode();
119     /**
120      * @brief Check if the file path support FsVerity
121      * @param path file path
122      * @return err code, see errcode.h; not a boolean, so compare with the success code instead of testing truthiness
123      */
124     static int32_t IsSupportFsVerity(const std::string &path);
125 private:
126     static int32_t IsFsVerityEnabled(int fd); // takes a file descriptor; presumably returns an err code like the public API, not a bool (confirm)
127     static int32_t EnableCodeSignForFile(const std::string &path, const struct code_sign_enable_arg &arg); // code_sign_enable_arg is only named here; its definition is not in the visible part of this header
128     int32_t ProcessCodeSignBlock(const std::string &ownerId, const std::string &path, FileType type); // non-static helper; same ownerId/path/type parameters as EnforceCodeSignForAppWithOwnerId
129     int32_t HandleCodeSignBlockFailure(const std::string &realPath, int32_t ret); // NOTE(review): which ret values are passed through or remapped is not visible here
130 private:
131     EntryMap storedEntryMap_; // per-instance entry name -> path map
132     std::mutex storedEntryMapLock_; // presumably guards storedEntryMap_, going by the name (confirm in the implementation)
133 };
134 }
135 }
136 }
137 #endif
138