• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (c) 2023-2025 Huawei Device Co., Ltd.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at
6  *
7  *     http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
16 #ifndef OHOS_SECURITY_CODE_SIGN_UTILS_H
17 #define OHOS_SECURITY_CODE_SIGN_UTILS_H
18 
19 #include <cstdint>
20 #include <mutex>
21 #include <string>
22 #include <sys/ioctl.h>
23 #include <sys/types.h>
24 #include <unordered_map>
25 #include <linux/fsverity.h>
26 #include "byte_buffer.h"
27 #include "errcode.h"
28 #ifdef SUPPORT_BINARY_ENABLE
29 #include "cert_path.h"
30 #endif
31 
32 namespace OHOS {
33 namespace Security {
34 namespace CodeSign {
35 using EntryMap = std::unordered_map<std::string, std::string>;
36 
37 typedef enum {
38     FILE_ALL, // Enable hap and so(new and historical records)
39     FILE_SELF, // Only enable hap
40     FILE_ENTRY_ONLY, // Only enable so(new and historical records)
41     FILE_ENTRY_ADD, // Only record, not enable
42     FILE_TYPE_MAX,
43 } FileType;
44 
45 enum CodeSignInfoFlag {
46     IS_UNCOMPRESSED_NATIVE_LIBS = 0x01 << 0,
47 };
48 
49 class CodeSignUtils {
50 public:
51     /**
52      * @brief Enforce code signature for a hap
53      * @param entryPath map from entryname in hap to real path on disk
54      * @param signatureFile signature file path
55      * @return err code, see err_code.h
56      */
57     static int32_t EnforceCodeSignForApp(const EntryMap &entryPath, const std::string &signatureFile);
58 
59     /**
60      * @brief Enforce code signature for a hap with its native files.
61      * Multiple instances should be created to enable code signing for a multi-hap app.
62      * @param path hap real path on disk
63      * @param entryPath map from entryname in hap to real path on disk
64      * @param type signature file type
65      * @param flag attributes of libs
66      * @return err code, see err_code.h
67      */
68     int32_t EnforceCodeSignForApp(const std::string &path, const EntryMap &entryPathMap,
69         FileType type, uint32_t flag = 0);
70 
71     /**
72      * @brief Enforce code signature for a hap with owner ID
73      * @param ownerId app-identifier of the signature
74      * @param path hap real path on disk
75      * @param entryPath map from entryname in hap to real path on disk
76      * @param type signature file type
77      * @param flag attributes of libs
78      * @return err code, see err_code.h
79      */
80     int32_t EnforceCodeSignForAppWithOwnerId(const std::string &ownerId, const std::string &path,
81         const EntryMap &entryPathMap, FileType type, uint32_t flag = 0);
82 
83     /**
84      * @brief Enforce code signature for a hap with plugin ID
85      * @param ownerId app-identifier of the signature
86      * @param pluginId plugin-identifier of the signature
87      * @param path hap real path on disk
88      * @param entryPath map from entryname in hap to real path on disk
89      * @param type signature file type
90      * @param flag attributes of libs
91      * @return err code, see err_code.h
92      */
93     int32_t EnforceCodeSignForAppWithPluginId(const std::string &ownerId, const std::string &pluginId,
94         const std::string &path, const EntryMap &entryPathMap, FileType type, uint32_t flag = 0);
95 
96     /**
97      * @brief Enforce code signature for file with signature
98      * @param path file path
99      * @param signature buffer carring signature of the target file
100      * @param len length of signature data
101      * @return err code, see err_code.h
102      */
103     static int32_t EnforceCodeSignForFile(const std::string &path, const uint8_t *signature, const uint32_t len);
104 
105     /**
106      * @brief Enforce code signature for file with signature
107      * @param path file path
108      * @param signature bytebuffer carring signature of the target file
109      * @return err code, see err_code.h
110      */
111     static int32_t EnforceCodeSignForFile(const std::string &path, const ByteBuffer &signature);
112     /**
113      * @brief Get owner ID from signature file
114      * @param sigbuffer buffer of the signature file
115      * @param ownerID string to abtain owner ID from the signature file
116      * @return err code, see err_code.h
117      */
118     static int ParseOwnerIdFromSignature(const ByteBuffer &sigbuffer, std::string &ownerID);
119     /**
120      * @brief Enable key in profile content data and dump profile buffer
121      * @param bundleName bundleName
122      * @param profileBuffer profile bytebuffer carring signer info and signed cert info
123      * @return err code, see err_code.h
124      */
125     static int32_t EnableKeyInProfile(const std::string &bundleName, const ByteBuffer &profileBuffer);
126     /**
127      * @brief Remove key in profile content data and remove profile
128      * @param bundleName bundleName
129      * @return err code, see err_code.h
130      */
131     static int32_t RemoveKeyInProfile(const std::string &bundleName);
132 
133 #ifdef SUPPORT_BINARY_ENABLE
134     /**
135     * @brief Enable certificate path
136     * @param info CertPathInfo structure containing path information
137     * @return err code, see err_code.h
138     */
139     static int32_t EnableKey(const CertPathInfo &info);
140 
141     /**
142     * @brief Remove certificate path
143     * @param info CertPathInfo structure containing path information
144     * @return err code, see err_code.h
145     */
146     static int32_t RemoveKey(const CertPathInfo &info);
147 #endif
148 
149     /**
150      * @brief Enforce code signature for elf file
151      * @param path file path
152      * @return err code, see err_code.h
153      */
154     static int32_t EnforceCodeSignForFile(const std::string &path);
155 
156     /**
157      * @brief Whether enabling code signing for app compiled by oh-sdk
158      * @return return ture if support oh-sdk code sign
159      */
160     static bool IsSupportOHCodeSign();
161     /**
162      * @brief Check if code signing is permissive
163      * @return return ture if in permissive mode
164      */
165     static bool InPermissiveMode();
166     /**
167      * @brief Check if the file path support FsVerity
168      * @param path file path
169      * @return err code, see err_code.h
170      */
171     static int32_t IsSupportFsVerity(const std::string &path);
172 private:
173     static int32_t EnableCodeSignForFile(const std::string &path, const struct code_sign_enable_arg &arg);
174     int32_t ProcessCodeSignBlock(const std::string &ownerId, const std::string &pluginId,
175         const std::string &path, FileType type, uint32_t flag);
176     int32_t HandleCodeSignBlockFailure(const std::string &realPath, int32_t ret);
177 private:
178     EntryMap storedEntryMap_;
179     std::mutex storedEntryMapLock_;
180 };
181 }
182 }
183 }
184 #endif
185