1 /*
2  * Copyright (c) 2024-2024 Huawei Device Co., Ltd.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at
6  *
7  *     http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 #ifndef HELP_H
16 #define HELP_H
17 
18 #include <string>
/*
 * This file is used to create the content of help.txt.
 * The content is divided into 12 strings according to
 * the functional module.
 */
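namespace OHOS {
namespace SignatureTools {

/*
 * Help text for the signature tool's command line: one constant per
 * sub-command, a header, a command summary, and HELP_TXT, which joins all
 * twelve pieces in display order.
 *
 * NOTE(review): these are non-inline const objects defined in a header, so
 * every translation unit that includes it builds its own copies at start-up.
 * HELP_TXT is initialised from the other constants and therefore has to stay
 * after them in this file.
 *
 * NOTE(review): the documented interface takes secrets as plain arguments
 * (-keyPwd, -keystorePwd, -issuerKeyPwd, -issuerKeystorePwd, -userPwd).
 * Command-line arguments are typically readable by other local processes and
 * end up in shell history. Whether the tool offers a prompt or file based
 * alternative cannot be seen from this header; if it does, the help text
 * should say so.
 */

/* Usage banner listing every sub-command. */
const std::string HELP_TXT_HEADER = R"(
USAGE: <generate-keypair|generate-csr|generate-cert|generate-ca|generate-app-cert|generate-profile-cert>[options]
USAGE: <sign-profile|verify-profile|sign-app|verify-app>[options]
)";

/* Options and examples for generate-keypair. */
const std::string KEYPAIR_HELP_TXT = R"(
    generate-keypair[options]:
        -keyAlias : key alias, required fields;
        -keyPwd : key password, optional fields;
        -keyAlg : key algorithm, required fields, including ECC;
        -keySize : key size, required fields, and the size of the ECC algorithm is NIST-P-256/NIST-P-384;
        -keystoreFile : keystore file, required fields, JKS or P12 format;
        -keystorePwd : keystore password, optional fields;
        -extCfgFile : Extend Profile, optional fields;

    EXAMPLE:
        generate-keypair -keyAlias "oh-app1-key-v1" -keyPwd ****** -keyAlg ECC -keySize NIST-P-256
-keystoreFile "/home/app-keypair.jks" -keystorePwd ******
        generate-keypair -keyAlias "oh-profile-key-v1" -keyPwd ****** -keyAlg ECC -keySize NIST-P-256
-keystoreFile "/home/profile-keypair.jks" -keystorePwd ******
)";

/* Options and examples for generate-csr. */
const std::string CSR_HELP_TXT = R"(
    generate-csr[options]:
        -keyAlias : key alias, required fields;
        -keyPwd : key password, optional fields;
        -subject : certificate subject, required fields;
        -signAlg : signature algorithm, required fields, including SHA256withECDSA/SHA384withECDSA;
        -keystoreFile : keystore file, required fields, JKS or P12 format;
        -keystorePwd : keystore password, optional fields;
        -outFile : output file, optional fields, if not filled, it will be directly output to the console;
        -extCfgFile : Extend Profile, optional fields;

    EXAMPLE:
        generate-csr -keyAlias "oh-app1-key-v1" -keyPwd ****** -signAlg SHA256withECDSA -keystorePwd ******
-subject "C=CN, O=OpenHarmony, OU=OpenHarmony Community, CN=App1 Release" -keystoreFile "/home/app-keypair.jks"
-outFile "/home/oh-app1-key-v1.csr"
)";

/*
 * Options and examples for generate-cert.
 * The -signAlg entry is written like the -signAlg entries of the other
 * commands (space after "including", trailing ';') and sits on its own line,
 * so that -basicConstraints is listed as a separate option.
 */
const std::string CERT_HELP_TXT = R"(
    generate-cert[options]:
        -keyAlias : key alias, required fields;
        -keyPwd : key password, optional fields;
        -issuer : issuer subject, required fields;
        -issuerKeyAlias : issuer key alias, required fields;
        -issuerKeyPwd : issuer key password, optional fields;
        -subject : certificate subject, required fields;
        -validity : certificate validity, optional fields, the default is 1095 days;
        -keyUsage : key usage, required fields, including digitalSignature, nonRepudiation, keyEncipherment,
    dataEncipherment, keyAgreement, certificateSignature, crlSignature, encipherOnly and decipherOnly, if the
    certificate includes multiple key usages, separate them with commas;
        -keyUsageCritical : whether keyUsage is a key item, optional fields, the default is true;
        -extKeyUsage : extended key usage, optional fields, including clientAuthentication, serverAuthentication,
    codeSignature, emailProtection, smartCardLogin, timestamp, ocspSignature;
        -extKeyUsageCritical : whether extKeyUsage is a key item, optional fields, the default is false;
        -signAlg : signature algorithm, required fields, including SHA256withECDSA/SHA384withECDSA;
        -basicConstraints : whether to include basicConstraints, optional fields, the default is false;
        -basicConstraintsCritical : whether basicConstraints is a key item, optional fields, the default is false;
        -basicConstraintsCa : whether it is CA, optional fields, the default is false;
        -basicConstraintsPathLen : basicConstraints path length, optional fields, the default is 0;
        -keystoreFile : keystore file, required fields, JKS or P12 format;
        -keystorePwd : keystore password, optional fields;
        -outFile : output file, optional fields, if not filled, it will be directly output to the console;
        -extCfgFile : Extend Profile, optional fields;
        -issuerKeystoreFile : issuer keystore file, optional fields, JKS or P12 format;
        -issuerKeystorePwd : issuer keystore password, optional fields;

    EXAMPLE:
        generate-cert -keyAlias "oh-app1-key-v1" -keyPwd ****** -issuerKeyAlias "oh-app-sign-srv-ca-key-v1"
-issuer "C=CN, O=OpenHarmony, OU=OpenHarmony Community, CN=Application Signature Service CA" -issuerKeyPwd ******
-subject "C=CN, O=OpenHarmony, OU=OpenHarmony Community, CN=App1 Release" -outFile "/home/app1.cer" -keystorePwd ******
-keyUsage digitalSignature -extKeyUsage codeSignature -signAlg SHA256withECDSA -keystoreFile "/home/app-keypair.jks"
)";

/* Options and examples for generate-ca (root CA when no issuer is given). */
const std::string CA_CERT_HELP_TXT = R"(
    generate-ca[options]:
        -keyAlias : key alias, required fields;
        -keyPwd : key password, optional fields;
        -keyAlg : key algorithm, required fields, including ECC;
        -keySize : key size, required fields, and the size of the ECC algorithm is NIST-P-256/NIST-P-384;
        -issuer : issuer subject, optional fields, if it is empty, it means root CA;
        -issuerKeyAlias : issuer key alias, optional fields, if it is empty, it means root CA;
        -issuerKeyPwd : issuer key password, optional fields;
        -subject : certificate subject, required fields;
        -validity : certificate validity, optional fields, the default is 3650 days;
        -signAlg : signature algorithm, required fields, including SHA256withECDSA/SHA384withECDSA;
        -basicConstraintsPathLen : basicConstraints path length, optional fields, the default is 0;
        -keystoreFile : keystore file, required fields, JKS or P12 format;
        -keystorePwd : keystore password, optional fields;
        -outFile : output file, optional fields, if not filled, it will be directly output to the console;
        -extCfgFile : Extend Profile, optional fields;
        -issuerKeystoreFile : issuer keystore file, optional fields, JKS or P12 format;
        -issuerKeystorePwd : issuer keystore password, optional fields;

    EXAMPLE:
        generate-ca -keyAlias "oh-root-ca-key-v1" -validity 365 -signAlg SHA384withECDSA -keySize NIST-P-256
 -subject "C=CN, O=OpenHarmony, OU=OpenHarmony Community,CN=Root CA" -keystoreFile  "/home/app-keypair.jks"
 -keystorePwd ****** -outFile "/home/root-ca.cer" -keyAlg ECC
        generate-ca -keyAlias "oh-app1-key-v1" -keyAlg ECC -issuerKeyAlias "oh-sub-app-ca-key-v1" -issuerKeyPwd ******
 -issuer "C=CN, O=OpenHarmony, OU=OpenHarmony Community, CN=Root CA" -keySize NIST-P-256 -validity 365
 -subject "C=CN, O=OpenHarmony, OU=OpenHarmony Community, CN= Application Signature Service CA" -signAlg SHA384withECDSA
 -keystoreFile  "/home/app-keypair.jks" -keystorePwd ****** -outFile "/home/sub-app-sign-srv-ca.cer"
)";

/* Options and examples for generate-app-cert. */
const std::string APP_CERT_HELP_TXT = R"(
    generate-app-cert[options]:
        -keyAlias : key alias, required fields;
        -keyPwd : key password, optional fields;
        -issuer : issuer subject, required fields;
        -issuerKeyAlias : issuer key alias, required fields;
        -issuerKeyPwd : issuer key password, optional fields;
        -subject : certificate subject, required fields;
        -validity : certificate validity, optional fields, the default is 1095 days;
        -signAlg : signature algorithm, required fields, including SHA256withECDSA/SHA384withECDSA;
        -keystoreFile : keystore file, required fields, JKS or P12 format;
        -keystorePwd : keystore password, optional fields;
        -outForm : the format of the output certificate file, including cert/certChain, optional fields,
    the default is cert;
        -rootCaCertFile : root CA certificate file, required when outForm is certChain;
        -subCaCertFile : secondary sub -CA certificate file, required when outForm is certChain;
        -outFile : output certificate file(certificate or certificate chain), optional fields, if not filled,
    it will be directly output to the console;
        -extCfgFile : Extend Profile, optional fields;
        -issuerKeystoreFile : issuer keystore file, optional fields, JKS or P12 format;
        -issuerKeystorePwd : issuer keystore password, optional fields;

    EXAMPLE:
        generate-app-cert -keyAlias "oh-app1-key-v1" -issuerKeyAlias "oh-app-sign-debug-srv-ca-key-v1" -validity 365
-issuer "C=CN, O=OpenHarmony, OU=OpenHarmony Community, CN=Application Debug Signature Service CA" -keyPwd ******
-signAlg SHA256withECDSA -keystoreFile  "/home/app-keypair.jks" -outFile "/home/app-debug-cert.cer" -outForm cert
-subject "C=CN, O=OpenHarmony, OU=OpenHarmony Community, CN=App1 Debug" -keystorePwd ******
        generate-app-cert -keyAlias "oh-app1-key-v1" -issuerKeyAlias "oh-app-sign-release-srv-ca-key-v1" -validity 365
-issuer "C=CN, O=OpenHarmony, OU=OpenHarmony Community, CN=Application Release Signature Service CA" -keyPwd ******
-signAlg SHA256withECDSA -rootCaCertFile "/home/root-ca.cer" -subCaCertFile "/home/sub-app-sign-srv-ca.cer"
-subject "C=CN, O=OpenHarmony, OU=OpenHarmony Community, CN=App1 Release" -keystorePwd ****** -outForm certChain
-keystoreFile "/home/app-keypair.jks" -outFile "/home/app-release-cert.cer"
)";

/* Options and examples for generate-profile-cert. */
const std::string PROFILE_CERT_HELP_TXT = R"(
    generate-profile-cert[options]:
        -subject : certificate subject, required fields;
        -validity : certificate validity, optional fields, the default is 1095 days;
        -signAlg : signature algorithm, required fields, including SHA256withECDSA/SHA384withECDSA;
        -keystoreFile : keystore file, required fields, JKS or P12 format;
        -keystorePwd : keystore password, optional fields;
        -outForm : the format of the output certificate file, including cert/certChain, optional fields,
    the default is cert;
        -keyAlias : key alias, required fields;
        -keyPwd : key password, optional fields;
        -issuer : issuer subject, required fields;
        -issuerKeyAlias : issuer key alias, required fields;
        -issuerKeyPwd : issuer key password, optional fields;
        -rootCaCertFile : root CA certificate file, required when outForm is certChain;
        -subCaCertFile : secondary sub -CA certificate file, required when outForm is certChain;
        -outFile : output file, optional fields, if not filled, it will be directly output to the console;
        -extCfgFile : Extend Profile, optional fields;
        -issuerKeystoreFile : issuer keystore file, optional fields, JKS or P12 format;
        -issuerKeystorePwd : issuer keystore password, optional fields;

    EXAMPLE:
        generate-profile-cert -keyAlias "oh-profile-key-v1" -issuerKeyAlias "oh-profile-sign-debug-srv-ca-key-v1"
-keyPwd ****** -issuerKeyPwd ****** -keystoreFile "/home/profile-keypair.jks" -keystorePwd ****** -validity 365
-issuer "C=CN, O=OpenHarmony, OU=OpenHarmony Community, CN=Provision Profile Debug Signature Service CA"
-subject "C=CN, O=OpenHarmony, OU=OpenHarmony Community, CN=Provision Profile Debug" -signAlg SHA256withECDSA
-outFile "/home/provision-profile-debug.cer" -outForm cert
        generate-profile-cert -keyAlias "oh-profile-key-v1" -issuerKeyAlias "oh-profile-sign-release-srv-ca-key-v1"
-keyPwd ****** -issuerKeyPwd ****** -keystoreFile  "/home/profile-keypair.jks" -keystorePwd ****** -validity 365
-issuer "C=CN, O=OpenHarmony, OU=OpenHarmony Community, CN=Provision Profile Release Signature Service CA"
-subject "C=CN, O=OpenHarmony, OU=OpenHarmony Community, CN=Provision Profile Release" -signAlg SHA256withECDSA
-rootCaCertFile "/home/root-ca.cer" -subCaCertFile "/home/sub-profile-sign-srv-ca.cer"  -outForm certChain
-outFile "/home/provision-profile-release.cer"
)";


/*
 * Options and examples for sign-profile.
 * NOTE(review): going by the option names, -signServer looks like the remote
 * service URL and -signerPlugin like the plugin, i.e. the two descriptions
 * below may be swapped. Confirm against the option parser before changing
 * the text; it is left as it was.
 */
const std::string SIGN_PROFILE_HELP_TXT = R"(
    sign-profile[options]:
        -mode : signature mode, required fields, including localSign/remoteSign;
        -keyAlias : key alias, required fields;
        -keyPwd : key password, optional fields;
        -profileCertFile : profile signing certificate(certificate chain, the order is three -level -two -root),
    required fields;
        -inFile : input original Provision Profile file, required fields;
        -signAlg : signature algorithm, required fields, including SHA256withECDSA/SHA384withECDSA;
        -keystoreFile : keystore file, if signature mode is localSign, required fields, JKS or P12 format;
        -keystorePwd : keystore password, optional fields;
        -outFile : output the signed Provision Profile file, p7b format, required fields;
        -extCfgFile : Extend Profile, optional fields;
        -signServer : remote signer plugin, required fields on remoteSign mode;
        -signerPlugin : remote sign service url, required fields on remoteSign mode;
        -onlineAuthMode : remote sign auth mode, required fields on remoteSign mode, including account;
        -username : user account for online auth, required fields on remoteSign mode with account auth mode;
        -userPwd : user password for online auth, required fields on remoteSign mode with account auth mode;

    EXAMPLE:
        sign-profile -mode localSign -keyAlias "oh-profile-key-v1" -outFile "/home/signed-profile.p7b"
-keystoreFile "/home/profile-keypair.jks" -keystorePwd ****** -keyPwd ****** -signAlg SHA256withECDSA
-profileCertFile "/home/provision-profile-release.cer" -inFile "/home/app1-profile-release.json"
)";

/* Options and examples for verify-profile. */
const std::string VERIFY_PROFILE_HELP_TXT = R"(
    verify-profile[options]:
        -inFile : signed Provision Profile file, p7b format, required fields;
        -outFile : Verification result file(including verification result and profile content),
    json format, optional; if not filled, it will be directly output to the console;
        -extCfgFile : Extend Profile, optional fields;

    EXAMPLE:
        verify-profile -inFile "/home/signed-profile.p7b" -outFile "/home/VerifyResult.json"
)";

/*
 * Options and examples for sign-app.
 * The -outFile entry describes the signed application package, which is what
 * the example writes (app1-signed.hap). In the example the command name and
 * -mode are separate words, and the quoted -outFile path ends before
 * -compatibleVersion, so the line can be copied as a working invocation.
 * NOTE(review): going by the option names, -signServer looks like the remote
 * service URL and -signerPlugin like the plugin, i.e. the two descriptions
 * below may be swapped. Confirm against the option parser before changing
 * the text; it is left as it was.
 */
const std::string SIGN_APP_HELP_TXT = R"(
    sign-app[options]:
        -mode : signature mode, required fields, including localSign/remoteSign/remoteResign;
        -keyAlias : key alias, required fields;
        -keyPwd : key password, optional fields on localSign mode;
        -appCertFile : application signature certificate file, required fields on localSign mode, optional fields
    on remoteSign mode;
        -profileFile : signed Provision Profile file, p7b format, required fields;
        -profileSigned : indicates whether the profile file has a signature.The options are as follows
    : 1 : yes; 0:no; default value:1. optional fields;
        -inFile : input original application package file, .hap, .bin, and .elf format, required fields;
        -signAlg : signature algorithm, required fields, including SHA256withECDSA/SHA384withECDSA;
        -keystoreFile : keystore file, if signature mode is localSign, required fields on localSign mode,
    JKS or P12 format;
        -keystorePwd : keystore password, optional fields on localSign mode;
        -outFile : output the signed application package file, required fields;
        -extCfgFile : Extend Profile, optional fields;
        -inForm : Enter the format of the original file.The supported file formats include.zip, .bin, and .elf.;
        -compatibleVersion : min compatible api version for running app, required fields while input original
    application package file format is hap;
        -signServer : remote signer plugin, required fields on remoteSign mode;
        -signerPlugin : remote sign service url, required fields on remoteSign mode;
        -onlineAuthMode : remote sign auth mode, required fields on remoteSign mode, including account;
        -username : user account for online auth, required fields on remoteSign mode with account auth mode;
        -userPwd : user password for online auth, required fields on remoteSign mode with account auth mode;
        -ext : extend parameters for remote signer plugin, optional fields;
        -signCode : Whether the HAP file is signed code, The value 1 means enable sign code, and value 0 means
    disable sign code.The default value is 1. It is optional.

    EXAMPLE :
        sign-app -mode localSign -keyAlias "oh-app1-key-v1" -appCertFile "/home/app-release-cert.cer" -signCode "1"
-keystoreFile "/home/app-keypair.jks" -keystorePwd ****** -outFile "/home/app1-signed.hap" -compatibleVersion 8
-profileFile "/home/signed-profile.p7b" -inFile "/home/app1-unsigned.hap" -signAlg SHA256withECDSA
)";

/*
 * Options and examples for verify-app.
 * In the example the command name and -inFile are separate words.
 */
const std::string VERIFY_APP_HELP_TXT = R"(
    verify-app[options]:
        -inFile : signed application package file, hap or bin format, required fields;
        -outCertChain : signed certificate chain file, required fields;
        -outProfile : profile file in application package, required fields;
        -extCfgFile : Extend Profile, optional fields;
        -inForm : Enter the format of the original file.The supported file formats include.zip, .bin, and .elf.;

    EXAMPLE:
        verify-app -inFile "/home/app1-signed.hap" -outCertChain "outCertChain.cer" -outProfile "outprofile.p7b"
)";

/*
 * One-line summary of every command.
 * Command names are spelled as in HELP_TXT_HEADER (generate-app-cert,
 * generate-profile-cert), and generate-profile-cert is described as the
 * profile certificate rather than repeating the application entry.
 */
const std::string HELP_END_TXT = R"(
COMMANDS :
    generate-keypair : generate key pair
    generate-csr : generate certificate signing request
    generate-cert : generate certificate in full, large and complete, any certificate can be generated
    generate-ca : generate root / subject CA certificate, if the key does not exist, generate the key together
    generate-app-cert : generate application debug / release certificate
    generate-profile-cert : generate profile debug / release certificate
    sign-profile : Provision Profile file signature
    verify-profile : Provision Profile file verification
    sign-app : application package signature
    verify-app : application package file verification
)";

/* Complete help.txt content: the twelve pieces above in display order. */
const std::string HELP_TXT = HELP_TXT_HEADER + KEYPAIR_HELP_TXT + CSR_HELP_TXT + CERT_HELP_TXT
+ CA_CERT_HELP_TXT + APP_CERT_HELP_TXT + PROFILE_CERT_HELP_TXT
+ SIGN_PROFILE_HELP_TXT + VERIFY_PROFILE_HELP_TXT + SIGN_APP_HELP_TXT
+ VERIFY_APP_HELP_TXT + HELP_END_TXT;
} /* namespace SignatureTools */
} /* namespace OHOS */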
303 #endif