• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (C) 2021-2022 Huawei Device Co., Ltd.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at
6  *
7  *     http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
16 #include "util/hap_profile_verify_utils.h"
17 
18 #include "common/hap_verify_log.h"
19 #include "init/matching_result.h"
20 #include "init/trusted_source_manager.h"
21 #include "util/hap_cert_verify_openssl_utils.h"
22 #include "util/hap_signing_block_utils.h"
23 #include "util/hap_verify_openssl_utils.h"
24 
25 namespace OHOS {
26 namespace Security {
27 namespace Verify {
ParseProfile(Pkcs7Context & profilePkcs7Context,const Pkcs7Context & hapPkcs7Context,const HapByteBuffer & pkcs7ProfileBlock,std::string & profile)28 bool HapProfileVerifyUtils::ParseProfile(Pkcs7Context& profilePkcs7Context, const Pkcs7Context& hapPkcs7Context,
29     const HapByteBuffer& pkcs7ProfileBlock, std::string& profile)
30 {
31     if (hapPkcs7Context.matchResult.matchState == MATCH_WITH_SIGN &&
32         hapPkcs7Context.matchResult.source == APP_GALLARY) {
33         profile = std::string(pkcs7ProfileBlock.GetBufferPtr(), pkcs7ProfileBlock.GetCapacity());
34         HAPVERIFY_LOG_DEBUG("hap include unsigned provision");
35         return true;
36     }
37     const unsigned char* pkcs7Block = reinterpret_cast<const unsigned char*>(pkcs7ProfileBlock.GetBufferPtr());
38     uint32_t pkcs7Len = static_cast<unsigned int>(pkcs7ProfileBlock.GetCapacity());
39     if (!HapVerifyOpensslUtils::ParsePkcs7Package(pkcs7Block, pkcs7Len, profilePkcs7Context)) {
40         HAPVERIFY_LOG_ERROR("parse pkcs7 failed");
41         return false;
42     }
43 
44     profile = std::string(profilePkcs7Context.content.GetBufferPtr(), profilePkcs7Context.content.GetCapacity());
45     return true;
46 }
47 
VerifyProfile(Pkcs7Context & pkcs7Context)48 bool HapProfileVerifyUtils::VerifyProfile(Pkcs7Context& pkcs7Context)
49 {
50     if (!HapVerifyOpensslUtils::GetCertChains(pkcs7Context.p7, pkcs7Context)) {
51         HAPVERIFY_LOG_ERROR("GetCertChains from pkcs7 failed");
52         return false;
53     }
54 
55     if (!HapVerifyOpensslUtils::VerifyPkcs7(pkcs7Context)) {
56         HAPVERIFY_LOG_ERROR("verify profile signature failed");
57         return false;
58     }
59 
60     std::string certSubject;
61     std::string certIssuer;
62     if (!HapCertVerifyOpensslUtils::GetSubjectFromX509(pkcs7Context.certChains[0][0], certSubject) ||
63         !HapCertVerifyOpensslUtils::GetIssuerFromX509(pkcs7Context.certChains[0][0], certIssuer)) {
64         HAPVERIFY_LOG_ERROR("Get info of sign cert failed");
65         return false;
66     }
67 
68     TrustedSourceManager& trustedSourceManager = TrustedSourceManager::GetInstance();
69     pkcs7Context.matchResult = trustedSourceManager.IsTrustedSource(certSubject, certIssuer, PROFILE_BLOB,
70         pkcs7Context.certChains[0].size());
71     if (pkcs7Context.matchResult.matchState == DO_NOT_MATCH) {
72         HAPVERIFY_LOG_ERROR("profile signature is not trusted source, subject: %{private}s, issuer: %{public}s",
73             certSubject.c_str(), certIssuer.c_str());
74         return false;
75     }
76     HAPVERIFY_LOG_DEBUG("profile subject: %{private}s, issuer: %{public}s",
77         certSubject.c_str(), certIssuer.c_str());
78     return true;
79 }
80 } // namespace Verify
81 } // namespace Security
82 } // namespace OHOS
83