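/*
 * Copyright (c) 2023-2024 Huawei Device Co., Ltd.
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#ifndef OHOS_SECURITY_CODE_SIGN_UTILS_H
#define OHOS_SECURITY_CODE_SIGN_UTILS_H

#include <cstdint>
#include <mutex>
#include <string>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <unordered_map>
#include <linux/fsverity.h>
#include "byte_buffer.h"
#include "errcode.h"

namespace OHOS {
namespace Security {
namespace CodeSign {
// Maps an entry name inside a hap to the real path of that entry on disk.
using EntryMap = std::unordered_map<std::string, std::string>;

// Selects which files an EnforceCodeSignForApp* call enables or records.
typedef enum {
    FILE_ALL, // Enable hap and so (new and historical records)
    FILE_SELF, // Only enable hap
    FILE_ENTRY_ONLY, // Only enable so (new and historical records)
    FILE_ENTRY_ADD, // Only record, not enable
    FILE_TYPE_MAX, // Number of valid values above; not a file type itself
} FileType;

// Bit flags describing the libs of a hap.
// Presumably these are the values OR-ed into the `flag` arguments below - confirm against the implementation.
enum CodeSignInfoFlag {
    IS_UNCOMPRESSED_NATIVE_LIBS = 0x01 << 0,
};

/**
 * Entry points for enabling code-signature enforcement on haps and files.
 *
 * Every function that returns int32_t or int reports an error code from errcode.h.
 * Callers must check that code: a failure means enforcement was not set up for the target.
 *
 * The class holds a std::mutex member, so instances can be neither copied nor moved.
 */
class CodeSignUtils {
public:
    /**
     * @brief Enforce code signature for a hap
     * @param entryPath map from entryname in hap to real path on disk
     * @param signatureFile signature file path
     * @return err code, see errcode.h
     */
    static int32_t EnforceCodeSignForApp(const EntryMap &entryPath, const std::string &signatureFile);

    /**
     * @brief Enforce code signature for a hap with its native files.
     *      Multiple instances should be created to enable code signing for a multi-hap app.
     * @param path hap real path on disk
     * @param entryPathMap map from entryname in hap to real path on disk
     * @param type signature file type, one of FileType
     * @param flag attributes of libs
     * @return err code, see errcode.h
     */
    int32_t EnforceCodeSignForApp(const std::string &path, const EntryMap &entryPathMap,
        FileType type, uint32_t flag = 0);

    /**
     * @brief Enforce code signature for a hap with ownerID
     * @param ownerId app-identifier of the signature
     * @param path hap real path on disk
     * @param entryPathMap map from entryname in hap to real path on disk
     * @param type signature file type, one of FileType
     * @param flag attributes of libs
     * @return err code, see errcode.h
     */
    int32_t EnforceCodeSignForAppWithOwnerId(const std::string &ownerId, const std::string &path,
        const EntryMap &entryPathMap, FileType type, uint32_t flag = 0);

    /**
     * @brief Enforce code signature for file with signature
     * @param path file path
     * @param signature buffer carrying signature of the target file
     * @param len length of signature data, in bytes
     * @return err code, see errcode.h
     * @note NOTE(review): this header does not show how a null `signature` or a zero `len` is handled.
     *      Callers should pass a buffer with at least `len` readable bytes - confirm against the implementation.
     */
    static int32_t EnforceCodeSignForFile(const std::string &path, const uint8_t *signature, const uint32_t len);

    /**
     * @brief Enforce code signature for file with signature
     * @param path file path
     * @param signature bytebuffer carrying signature of the target file
     * @return err code, see errcode.h
     */
    static int32_t EnforceCodeSignForFile(const std::string &path, const ByteBuffer &signature);

    /**
     * @brief Get owner ID from signature file
     * @param sigbuffer buffer of the signature file
     * @param ownerID string to obtain owner ID from the signature file
     * @return err code, see errcode.h
     * @note `ownerID` is an output parameter. Its content after a failed call is not specified here,
     *      so use it only when the call reports success.
     */
    static int ParseOwnerIdFromSignature(const ByteBuffer &sigbuffer, std::string &ownerID);

    /**
     * @brief Enable key in profile content data and dump profile buffer
     * @param bundleName bundleName
     * @param profileBuffer profile bytebuffer carrying signer info and signed cert info
     * @return err code, see errcode.h
     */
    static int32_t EnableKeyInProfile(const std::string &bundleName, const ByteBuffer &profileBuffer);

    /**
     * @brief Remove key in profile content data and remove profile
     * @param bundleName bundleName
     * @return err code, see errcode.h
     */
    static int32_t RemoveKeyInProfile(const std::string &bundleName);

    /**
     * @brief Whether enabling code signing for app compiled by oh-sdk
     * @return return true if support oh-sdk code sign
     */
    static bool IsSupportOHCodeSign();

    /**
     * @brief Check if code signing is permissive
     * @return return true if in permissive mode
     * @note NOTE(review): the effect of permissive mode on the Enforce* calls is not visible in this header.
     *      Confirm against the implementation before relying on their success codes while it is on.
     */
    static bool InPermissiveMode();

    /**
     * @brief Check if the file path support FsVerity
     * @param path file path
     * @return err code, see errcode.h
     * @note The result is an error code, not a boolean. Compare it with the success code from
     *      errcode.h rather than testing it for truthiness.
     */
    static int32_t IsSupportFsVerity(const std::string &path);

private:
    // NOTE(review): no header whose contents are visible here declares code_sign_enable_arg.
    // Without a prior declaration this elaborated specifier introduces the name in the enclosing
    // namespace - confirm it resolves to the intended struct.
    static int32_t EnableCodeSignForFile(const std::string &path, const struct code_sign_enable_arg &arg);
    int32_t ProcessCodeSignBlock(const std::string &ownerId, const std::string &path, FileType type, uint32_t flag);
    int32_t HandleCodeSignBlockFailure(const std::string &realPath, int32_t ret);

private:
    // Per-instance entry records. Presumably these are the "historical records" named in FileType - confirm.
    EntryMap storedEntryMap_;
    // Presumably guards storedEntryMap_; the implementation is not visible here.
    std::mutex storedEntryMapLock_;
};
} // namespace CodeSign
} // namespace Security
} // namespace OHOS
#endif // OHOS_SECURITY_CODE_SIGN_UTILS_H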