1/* 2 * Copyright (c) 2021-2023 Huawei Device Co., Ltd. 3 * Licensed under the Apache License, Version 2.0 (the "License"); 4 * you may not use this file except in compliance with the License. 5 * You may obtain a copy of the License at 6 * 7 * http://www.apache.org/licenses/LICENSE-2.0 8 * 9 * Unless required by applicable law or agreed to in writing, software 10 * distributed under the License is distributed on an "AS IS" BASIS, 11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 * See the License for the specific language governing permissions and 13 * limitations under the License. 14 */ 15 16USAGE: <generate-keypair|generate-csr|generate-cert|generate-ca|generate-app-cert|generate-profile-cert> [options] 17USAGE: <sign-profile|verify-profile|sign-app|verify-app> [options] 18 19 generate-keypair [options]: 20 -keyAlias : key alias, required fields; 21 -keyPwd : key password, optional fields; 22 -keyAlg : key algorithm, required fields, including RSA/ECC; 23 -keySize : key size, required fields, the size of the RSA algorithm is 2048/3072/4096, and the size of the ECC algorithm is NIST-P-256/NIST-P-384; 24 -keystoreFile : keystore file, required fields, JKS or P12 format; 25 -keystorePwd : keystore password, optional fields; 26 -extCfgFile : Extend Profile, optional fields; 27 28 EXAMPLE: 29 generate-keypair -keyAlias "oh-app1-key-v1" -keyPwd ****** -keyAlg ECC -keySize NIST-P-256 -keystoreFile "D:\OH\app-keypair.jks" -keystorePwd ****** 30 generate-keypair -keyAlias "oh-profile-key-v1" -keyPwd ****** -keyAlg RSA -keySize 2048 -keystoreFile "D:\OH\profile-keypair.jks" -keystorePwd ****** 31 32 generate-csr [options]: 33 -keyAlias : key alias, required fields; 34 -keyPwd : key password, optional fields; 35 -subject : certificate subject, required fields; 36 -signAlg : signature algorithm, required fields, including SHA256withRSA/SHA384withRSA/SHA256withECDSA/SHA384withECDSA; 37 -keystoreFile : keystore file, required fields, JKS or P12 
format; 38 -keystorePwd : keystore password, optional fields; 39 -outFile : output file, optional fields, if not filled, it will be directly output to the console; 40 -extCfgFile : Extend Profile, optional fields; 41 42 EXAMPLE: 43 generate-csr -keyAlias "oh-app1-key-v1" -keyPwd ****** -subject "C=CN,O=OpenHarmony,OU=OpenHarmony Community,CN=App1 Release" -signAlg SHA256withECDSA -keystoreFile "D:\OH\app-keypair.jks" -keystorePwd ****** -outFile "D:\OH\oh-app1-key-v1.csr" 44 45 generate-cert [options]: 46 -keyAlias : key alias, required fields; 47 -keyPwd : key password, optional fields; 48 -issuer : issuer subject, required fields; 49 -issuerKeyAlias : issuer key alias, required fields; 50 -issuerKeyPwd : issuer key password, optional fields; 51 -subject : certificate subject, required fields; 52 -validity : certificate validity, optional fields, the default is 1095 days; 53 -keyUsage : key usage, required fields, including digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, certificateSignature, crlSignature, encipherOnly and decipherOnly, if the certificate includes multiple key usages, separate them with commas; 54 -keyUsageCritical : whether keyUsage is a key item, optional fields, the default is true; 55 -extKeyUsage : extended key usage, optional fields, including clientAuthentication, serverAuthentication, codeSignature, emailProtection, smartCardLogin, timestamp, ocspSignature; 56 -extKeyUsageCritical : whether extKeyUsage is a key item, optional fields, the default is false; 57 -signAlg : signature algorithm, required fields, including SHA256withRSA/SHA384withRSA/SHA256withECDSA/SHA384withECDSA; 58 -basicConstraints : whether to include basicConstraints, optional fields, the default is false; 59 -basicConstraintsCritical : whether basicConstraints is a key item, optional fields, the default is false; 60 -basicConstraintsCa : whether it is CA, optional fields, the default is false; 61 -basicConstraintsPathLen : 
basicConstraints path length, optional fields, the default is 0; 62 -keystoreFile : keystore file, required fields, JKS or P12 format; 63 -keystorePwd : keystore password, optional fields; 64 -outFile : output file, optional fields, if not filled, it will be directly output to the console; 65 -extCfgFile : Extend Profile, optional fields; 66 -issuerKeystoreFile : issuer keystore file, optional fields, JKS or P12 format; 67 -issuerKeystorePwd : issuer keystore password, optional fields; 68 69 EXAMPLE: 70 generate-cert -keyAlias "oh-app1-key-v1" -keyPwd ****** -issuer "C=CN,O=OpenHarmony,OU=OpenHarmony Community,CN=Application Signature Service CA" -issuerKeyAlias "oh-app-sign-srv-ca-key-v1" -issuerKeyPwd ****** -subject "C=CN,O=OpenHarmony,OU=OpenHarmony Community,CN=App1 Release" -validity 365 -keyUsage digitalSignature -extKeyUsage codeSignature -signAlg SHA256withECDSA -keystoreFile "D:\OH\app-keypair.jks" -keystorePwd ****** -outFile "D:\OH\app1.cer" 71 72 generate-ca [options]: 73 -keyAlias : key alias, required fields; 74 -keyPwd : key password, optional fields; 75 -keyAlg : key algorithm, required fields, including RSA/ECC; 76 -keySize : key size, required fields, the size of the RSA algorithm is 2048/3072/4096, and the size of the ECC algorithm is NIST-P-256/NIST-P-384; 77 -issuer : issuer subject, optional fields, if it is empty, it means root CA; 78 -issuerKeyAlias : issuer key alias, optional fields, if it is empty, it means root CA; 79 -issuerKeyPwd : issuer key password, optional fields; 80 -subject : certificate subject, required fields; 81 -validity : certificate validity, optional fields, the default is 3650 days; 82 -signAlg : signature algorithm, required fields, including SHA256withRSA/SHA384withRSA/SHA256withECDSA/SHA384withECDSA; 83 -basicConstraintsPathLen : basicConstraints path length, optional fields, the default is 0; 84 -keystoreFile : keystore file, required fields, JKS or P12 format; 85 -keystorePwd : keystore password, optional fields; 
86 -outFile : output file, optional fields, if not filled, it will be directly output to the console; 87 -extCfgFile : Extend Profile, optional fields; 88 -issuerKeystoreFile : issuer keystore file, optional fields, JKS or P12 format; 89 -issuerKeystorePwd : issuer keystore password, optional fields; 90 91 EXAMPLE: 92 generate-ca -keyAlias "oh-root-ca-key-v1" -subject "C=CN,O=OpenHarmony,OU=OpenHarmony Community,CN=Root CA" -validity 365 -signAlg SHA384withECDSA -keystoreFile "D:\OH\app-keypair.jks" -keystorePwd ****** -outFile "D:\OH\root-ca.cer" -keyAlg RSA -keySize 2048 93 generate-ca -keyAlias "oh-app1-key-v1" -keyAlg RSA -keySize 2048 -issuer "C=CN,O=OpenHarmony,OU=OpenHarmony Community,CN=Root CA" -issuerKeyAlias "oh-sub-app-ca-key-v1" -issuerKeyPwd ****** -subject "C=CN,O=OpenHarmony,OU=OpenHarmony Community,CN= Application Signature Service CA" -validity 365 -signAlg SHA384withECDSA -keystoreFile "D:\OH\app-keypair.jks" -keystorePwd ****** -outFile "D:\OH\sub-app-sign-srv-ca.cer" 94 generate-ca -keyAlias "oh-profile-key-v1" -keyAlg RSA -keySize 4096 -issuer "C=CN,O=OpenHarmony,OU=OpenHarmony Community,CN=Root CA" -issuerKeyAlias "oh-sub-profile-ca-key-v1" -issuerKeyPwd ****** -subject "C=CN,O=OpenHarmony,OU=OpenHarmony Community,CN= Profile Signature Service CA" -validity 365 -signAlg SHA384withECDSA -keystoreFile "D:\OH\profile-keypair.jks" -keystorePwd ****** -outFile "D:\OH\sub-profile-sign-srv-ca.cer" 95 96 generate-app-cert [options]: 97 -keyAlias : key alias, required fields; 98 -keyPwd : key password, optional fields; 99 -issuer : issuer subject, required fields; 100 -issuerKeyAlias : issuer key alias, required fields; 101 -issuerKeyPwd : issuer key password, optional fields; 102 -subject : certificate subject, required fields; 103 -validity : certificate validity, optional fields, the default is 1095 days; 104 -signAlg : signature algorithm, required fields, including SHA256withRSA/SHA384withRSA/SHA256withECDSA/SHA384withECDSA; 105 -keystoreFile : 
keystore file, required fields, JKS or P12 format; 106 -keystorePwd : keystore password, optional fields; 107 -outForm : the format of the output certificate file, including cert/certChain, optional fields, the default is cert; 108 -rootCaCertFile : root CA certificate file, required when outForm is certChain; 109 -subCaCertFile : secondary sub-CA certificate file, required when outForm is certChain; 110 -outFile : output certificate file (certificate or certificate chain), optional fields, if not filled, it will be directly output to the console; 111 -extCfgFile : Extend Profile, optional fields; 112 -issuerKeystoreFile : issuer keystore file, optional fields, JKS or P12 format; 113 -issuerKeystorePwd : issuer keystore password, optional fields; 114 115 EXAMPLE: 116 generate-app-cert -keyAlias "oh-app1-key-v1" -keyPwd ****** -issuer "C=CN,O=OpenHarmony,OU=OpenHarmony Community,CN=Application Debug Signature Service CA" -issuerKeyAlias "oh-app-sign-debug-srv-ca-key-v1" -subject "C=CN,O=OpenHarmony,OU=OpenHarmony Community,CN=App1 Debug" -validity 365 -signAlg SHA256withECDSA -rootCaCertFile "D:\OH\root-ca.cer" -subCaCertFile "D:\OH\sub-app-sign-srv-ca.cer" -keystoreFile "D:\OH\app-keypair.jks" -keystorePwd ****** -outForm certChain -outFile "D:\OH\app-debug-cert.cer" 117 generate-app-cert -keyAlias "oh-app1-key-v1" -keyPwd ****** -issuer "C=CN,O=OpenHarmony,OU=OpenHarmony Community,CN=Application Release Signature Service CA" -issuerKeyAlias "oh-app-sign-release-srv-ca-key-v1" -subject "C=CN,O=OpenHarmony,OU=OpenHarmony Community,CN=App1 Release" -validity 365 -signAlg SHA256withECDSA -rootCaCertFile "D:\OH\root-ca.cer" -subCaCertFile "D:\OH\sub-app-sign-srv-ca.cer" -keystoreFile "D:\OH\app-keypair.jks" -keystorePwd ****** -outForm certChain -outFile "D:\OH\app-release-cert.cer" 118 119 generate-profile-cert [options]: 120 -keyAlias : key alias, required fields; 121 -keyPwd : key password, optional fields; 122 -issuer : issuer subject, required fields; 123 
-issuerKeyAlias : issuer key alias, required fields; 124 -issuerKeyPwd : issuer key password, optional fields; 125 -subject : certificate subject, required fields; 126 -validity : certificate validity, optional fields, the default is 1095 days; 127 -signAlg : signature algorithm, required fields, including SHA256withRSA/SHA384withRSA/SHA256withECDSA/SHA384withECDSA; 128 -keystoreFile : keystore file, required fields, JKS or P12 format; 129 -keystorePwd : keystore password, optional fields; 130 -outForm : the format of the output certificate file, including cert/certChain, optional fields, the default is cert; 131 -rootCaCertFile : root CA certificate file, required when outForm is certChain; 132 -subCaCertFile : secondary sub-CA certificate file, required when outForm is certChain; 133 -outFile : output file, optional fields, if not filled, it will be directly output to the console; 134 -extCfgFile : Extend Profile, optional fields; 135 -issuerKeystoreFile : issuer keystore file, optional fields, JKS or P12 format; 136 -issuerKeystorePwd : issuer keystore password, optional fields; 137 138 EXAMPLE: 139 generate-profile-cert -keyAlias "oh-profile-key-v1" -keyPwd ****** -issuer "C=CN,O=OpenHarmony,OU=OpenHarmony Community,CN=Provision Profile Debug Signature Service CA" -issuerKeyAlias "oh-profile-sign-debug-srv-ca-key-v1" -issuerKeyPwd ****** -subject "C=CN,O=OpenHarmony,OU=OpenHarmony Community,CN=Provision Profile Debug" -validity 365 -signAlg SHA256withECDSA -rootCaCertFile "D:\OH\root-ca.cer" -subCaCertFile "D:\OH\sub-profile-sign-srv-ca.cer" -keystoreFile "D:\OH\profile-keypair.jks" -keystorePwd ****** -outForm certChain -outFile "D:\OH\provision-profile-debug.cer" 140 generate-profile-cert -keyAlias "oh-profile-key-v1" -keyPwd ****** -issuer "C=CN,O=OpenHarmony,OU=OpenHarmony Community,CN=Provision Profile Release Signature Service CA" -issuerKeyAlias "oh-profile-sign-release-srv-ca-key-v1" -issuerKeyPwd ****** -subject "C=CN,O=OpenHarmony,OU=OpenHarmony 
Community,CN=Provision Profile Release" -validity 365 -signAlg SHA256withECDSA -rootCaCertFile "D:\OH\root-ca.cer" -subCaCertFile "D:\OH\sub-profile-sign-srv-ca.cer" -keystoreFile "D:\OH\profile-keypair.jks" -keystorePwd ****** -outForm certChain -outFile "D:\OH\provision-profile-release.cer" 141 142 sign-profile [options]: 143 -mode : signature mode, required fields, including localSign/remoteSign; 144 -keyAlias : key alias, required fields; 145 -keyPwd : key password, optional fields; 146 -profileCertFile : profile signing certificate (certificate chain, the order is three-level-two-root), required fields; 147 -inFile : input original Provision Profile file, required fields; 148 -signAlg : signature algorithm, required fields, including SHA256withRSA/SHA384withRSA/SHA256withECDSA/SHA384withECDSA; 149 -keystoreFile : keystore file, if signature mode is localSign, required fields, JKS or P12 format; 150 -keystorePwd : keystore password, optional fields; 151 -outFile : output the signed Provision Profile file, p7b format, required fields; 152 -extCfgFile : Extend Profile, optional fields; 153 154 EXAMPLE: 155 sign-profile -mode localSign -keyAlias "oh-profile-key-v1" -keyPwd ****** -profileCertFile "D:\OH\provision-profile-release.cer" -inFile "D:\OH\app1-profile-release.json" -signAlg SHA256withECDSA -keystoreFile "D:\OH\profile-keypair.jks" -keystorePwd ****** -outFile "D:\OH\signed-profile.p7b" 156 157 verify-profile [options]: 158 -inFile : signed Provision Profile file, p7b format, required fields; 159 -outFile : Verification result file (including verification result and profile content), json format, optional; if not filled, it will be directly output to the console; 160 -extCfgFile : Extend Profile, optional fields; 161 162 EXAMPLE: 163 verify-profile -inFile "D:\OH\signed-profile.p7b" -outFile "D:\OH\VerifyResult.json" 164 165 sign-app [options]: 166 -mode : signature mode, required fields, including localSign/remoteSign/remoteResign; 167 -keyAlias : key 
alias, required fields; 168 -keyPwd : key password, optional fields on localSign mode; 169 -appCertFile : application signature certificate file, required fields on localSign mode, optional fields on remoteSign mode; 170 -profileFile : signed Provision Profile file, p7b format, required fields; 171 -profileSigned : indicates whether the profile file has a signature. The options are as follows: 1: yes; 0: no; the default value is 1. optional fields; 172 -inFile : input original application package file, .hap, .bin, and .elf format, required fields; 173 -signAlg : signature algorithm, required fields, including SHA256withRSA/SHA384withRSA/SHA256withECDSA/SHA384withECDSA; 174 -keystoreFile : keystore file, required fields on localSign mode, JKS or P12 format; 175 -keystorePwd : keystore password, optional fields on localSign mode; 176 -outFile : output the signed Provision Profile file, required fields; 177 -extCfgFile : Extend Profile, optional fields; 178 -inForm : format of the input original file. The supported file formats include .zip, .bin, and .elf; 179 -compatibleVersion : minimum compatible API version for running the app, required fields when the input original application package file format is hap; 180 -signServer : remote signer plugin, required fields on remoteSign mode; 181 -signerPlugin : remote sign service url, required fields on remoteSign mode; 182 -onlineAuthMode : remote sign auth mode, required fields on remoteSign mode, including account; 183 -username : user account for online auth, required fields on remoteSign mode with account auth mode; 184 -userPwd : user password for online auth, required fields on remoteSign mode with account auth mode; 185 -ext : extend parameters for remote signer plugin, optional fields; 186 -signCode : whether code signing is applied to the HAP file. The value 1 means code signing is enabled and the value 0 means it is disabled. The default value is 1. It is optional. 
187 188 EXAMPLE: 189 sign-app -mode localSign -keyAlias "oh-app1-key-v1" -appCertFile "D:\OH\app-release-cert.cer" -profileFile "D:\OH\signed-profile.p7b" -inFile "D:\OH\app1-unsigned.hap" -signAlg SHA256withECDSA -keystoreFile "D:\OH\app-keypair.jks" -keystorePwd ****** -outFile "D:\OH\app1-signed.hap" -compatibleVersion 8 -signCode "1" 190 191 verify-app [options]: 192 -inFile : signed application package file, hap or bin format, required fields; 193 -outCertChain : signed certificate chain file, required fields; 194 -outProfile : profile file in application package, required fields; 195 -extCfgFile : Extend Profile, optional fields; 196 -inForm : format of the input original file. The supported file formats include .zip, .bin, and .elf; 197 198 EXAMPLE: 199 verify-app -inFile "D:\OH\app1-signed.hap" -outCertChain "outCertChain.cer" -outProfile "outprofile.p7b" 200 201COMMANDS: 202 generate-keypair : generate key pair 203 generate-csr : generate certificate signing request 204 generate-cert : generate a general-purpose certificate; any kind of certificate can be generated 205 generate-ca : generate root/subject CA certificate; if the key does not exist, the key is generated together with it 206 generate-app-cert : generate application debug/release certificate 207 generate-profile-cert : generate application debug/release certificate 208 sign-profile : Provision Profile file signature 209 verify-profile : Provision Profile file verification 210 sign-app : application package signature 211 verify-app : application package file verification