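/*
 * Copyright (c) 2023-2024 Huawei Device Co., Ltd.
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#ifndef OHOS_SECURITY_CODE_SIGN_UTILS_H
#define OHOS_SECURITY_CODE_SIGN_UTILS_H

#include <cstdint>
#include <mutex>
#include <string>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <unordered_map>
#include <linux/fsverity.h>
#include "byte_buffer.h"
#include "errcode.h"

namespace OHOS {
namespace Security {
namespace CodeSign {
/** Map from an entry name inside a hap to the real path of that entry on disk. */
using EntryMap = std::unordered_map<std::string, std::string>;

/**
 * @brief Selects which files an enforcement call enables or records.
 */
enum FileType {
    FILE_ALL,        // Enable hap and so (new and historical records)
    FILE_SELF,       // Only enable hap
    FILE_ENTRY_ONLY, // Only enable so (new and historical records)
    FILE_ENTRY_ADD,  // Only record, do not enable
    FILE_TYPE_MAX,   // Last enumerator; presumably an upper bound for range checks, confirm in the implementation
};

/**
 * @brief Helpers for enforcing code signatures on haps and their native files.
 *
 * The std::mutex member makes instances neither copyable nor movable.
 * Every Enforce* function reports its outcome only through the returned error
 * code, so callers have to check that code before treating a file as protected.
 */
class CodeSignUtils {
public:
    /**
     * @brief Enforce code signature for a hap
     * @param entryPath map from entry name in hap to real path on disk
     * @param signatureFile signature file path
     * @return error code, see errcode.h
     */
    static int32_t EnforceCodeSignForApp(const EntryMap &entryPath, const std::string &signatureFile);

    /**
     * @brief Enforce code signature for a hap with its native files.
     *        Multiple instances should be created to enable code signing for a multi-hap app.
     * @param path hap real path on disk
     * @param entryPathMap map from entry name in hap to real path on disk
     * @param type which files to enable or record, see FileType
     * @return error code, see errcode.h
     */
    int32_t EnforceCodeSignForApp(const std::string &path, const EntryMap &entryPathMap, FileType type);

    /**
     * @brief Enforce code signature for a hap with owner ID
     * @param ownerId app-identifier of the signature
     * @param path hap real path on disk
     * @param entryPathMap map from entry name in hap to real path on disk
     * @param type which files to enable or record, see FileType
     * @return error code, see errcode.h
     */
    int32_t EnforceCodeSignForAppWithOwnerId(const std::string &ownerId, const std::string &path,
        const EntryMap &entryPathMap, FileType type);

    /**
     * @brief Enforce code signature for file with signature
     * @param path file path
     * @param signature buffer carrying the signature of the target file; must reference
     *        at least len readable bytes, which this interface cannot verify
     * @param len length of signature data in bytes
     * @return error code, see errcode.h
     */
    static int32_t EnforceCodeSignForFile(const std::string &path, const uint8_t *signature, uint32_t len);

    /**
     * @brief Enforce code signature for file with signature
     * @param path file path
     * @param signature ByteBuffer carrying the signature of the target file
     * @return error code, see errcode.h
     */
    static int32_t EnforceCodeSignForFile(const std::string &path, const ByteBuffer &signature);

    /**
     * @brief Get owner ID from signature file
     * @param sigbuffer buffer of the signature file
     * @param ownerID string that receives the owner ID obtained from the signature file
     * @return error code, see errcode.h (declared as int, unlike the int32_t used by its siblings)
     */
    static int ParseOwnerIdFromSignature(const ByteBuffer &sigbuffer, std::string &ownerID);

    /**
     * @brief Enable key in profile content data and dump profile buffer
     * @param bundleName bundle name
     * @param profileBuffer profile ByteBuffer carrying signer info and signed cert info
     * @return error code, see errcode.h
     */
    static int32_t EnableKeyInProfile(const std::string &bundleName, const ByteBuffer &profileBuffer);

    /**
     * @brief Remove key in profile content data and remove profile
     * @param bundleName bundle name
     * @return error code, see errcode.h
     */
    static int32_t RemoveKeyInProfile(const std::string &bundleName);

    /**
     * @brief Whether code signing is enabled for apps compiled by oh-sdk
     * @return true if oh-sdk code signing is supported
     */
    static bool IsSupportOHCodeSign();

    /**
     * @brief Check if code signing is permissive
     * @return true if in permissive mode
     * @note NOTE(review): what permissive mode relaxes is not visible in this header;
     *       confirm before relying on enforcement results while it is active.
     */
    static bool InPermissiveMode();

    /**
     * @brief Check if the file path supports FsVerity
     * @param path file path
     * @return error code, see errcode.h. This is not a bool despite the "Is" prefix:
     *         compare it against the success code explicitly instead of testing truthiness.
     */
    static int32_t IsSupportFsVerity(const std::string &path);

private:
    static int32_t IsFsVerityEnabled(int fd);
    // NOTE(review): struct code_sign_enable_arg is not declared in this header. It has to be
    // visible through one of the includes above; otherwise this elaborated type specifier
    // introduces a new incomplete type in this namespace. Confirm where it is defined.
    static int32_t EnableCodeSignForFile(const std::string &path, const struct code_sign_enable_arg &arg);
    int32_t ProcessCodeSignBlock(const std::string &ownerId, const std::string &path, FileType type);
    int32_t HandleCodeSignBlockFailure(const std::string &realPath, int32_t ret);

    // Per-instance entry records; presumably the "historical records" referred to by
    // FileType, confirm in the implementation.
    EntryMap storedEntryMap_;
    // Presumably guards storedEntryMap_, confirm in the implementation.
    std::mutex storedEntryMapLock_;
};
} // namespace CodeSign
} // namespace Security
} // namespace OHOS
#endif // OHOS_SECURITY_CODE_SIGN_UTILS_H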