From d8122984cfd6552afaabfe240c62721ff4554c4a Mon Sep 17 00:00:00 2001 From: yang1946 Date: Wed, 17 Apr 2024 17:19:44 +0800 Subject: [PATCH] =?UTF-8?q?=E4=BB=A3=E7=A0=81=E7=AD=BE=E5=90=8D=E4=BB=93?= =?UTF-8?q?=E5=A2=9E=E5=8A=A0tdd=E8=A6=86=E7=9B=96=E7=8E=87?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: yang1946 --- .../innerkits/common/include/byte_buffer.h | 2 +- interfaces/innerkits/local_code_sign/BUILD.gn | 4 ++ test/unittest/BUILD.gn | 26 +++++++ test/unittest/local_code_sign_utils_test.cpp | 71 +++++++++++++++++++ .../unittest/multi_thread_local_sign_test.cpp | 4 +- test/unittest/resources/ohos_test.xml | 16 +++++ utils/src/cert_utils.cpp | 4 ++ utils/src/huks_attest_verifier.cpp | 31 +++++--- utils/src/openssl_utils.cpp | 2 +- 9 files changed, 148 insertions(+), 12 deletions(-) create mode 100644 test/unittest/local_code_sign_utils_test.cpp diff --git a/interfaces/innerkits/common/include/byte_buffer.h b/interfaces/innerkits/common/include/byte_buffer.h index dd6c30f..18d5d97 100644 --- a/interfaces/innerkits/common/include/byte_buffer.h +++ b/interfaces/innerkits/common/include/byte_buffer.h @@ -38,7 +38,7 @@ public: Init(bufferSize); } - ByteBuffer(const ByteBuffer &other) + ByteBuffer(const ByteBuffer &other): data(nullptr), size(0) { CopyFrom(other.GetBuffer(), other.GetSize()); } diff --git a/interfaces/innerkits/local_code_sign/BUILD.gn b/interfaces/innerkits/local_code_sign/BUILD.gn index 8aaa9d3..6257623 100644 --- a/interfaces/innerkits/local_code_sign/BUILD.gn +++ b/interfaces/innerkits/local_code_sign/BUILD.gn @@ -40,6 +40,10 @@ ohos_shared_library("liblocal_code_sign_sdk") { ":public_local_code_sign_configs", ] configs = [ "${code_signature_root_dir}:common_utils_config" ] + defines = [] + if (build_variant == "root") { + defines += [ "CODE_SIGNATURE_DEBUGGABLE" ] + } external_deps = [ "c_utils:utils", 
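Review bot: In `byte_buffer.h`, the new `data(nullptr), size(0)` initialisers protect only the copy constructor. The member declarations and the other constructors are outside this hunk, so it is not visible whether they start from defined values. Giving `data` and `size` default member initialisers (`= nullptr` and `= 0`) at their declarations would cover every constructor at once and make this per-constructor list unnecessary. The result of `CopyFrom(other.GetBuffer(), other.GetSize())` is also not checked here, so if it can fail (its definition is not shown) the copy silently ends up empty, which matters for a buffer that carries digests and signatures.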
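Review bot: The `CODE_SIGNATURE_DEBUGGABLE` define added to `liblocal_code_sign_sdk` has no comment saying what it switches on, and a debug switch in a code-signing library needs to be easy to audit. I would put a comment above the `if`, for example `# Only for build_variant == "root": enables code guarded by CODE_SIGNATURE_DEBUGGABLE; must not be defined in user builds.` No use of the macro in this target's sources is visible in this part of the patch, so please confirm that the files testing it are actually compiled into this library. The commit subject mentions only test coverage, so the description should record this build change too. The target body continues outside the hunk.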
diff --git a/test/unittest/BUILD.gn b/test/unittest/BUILD.gn index 3e70355..ec2acca 100644 --- a/test/unittest/BUILD.gn +++ b/test/unittest/BUILD.gn @@ -98,6 +98,31 @@ ohos_unittest("local_code_sign_unittest") { ] } +ohos_unittest("local_code_sign_utils_unittest") { + module_out_path = "security/code_signature" + resource_config_file = "resources/ohos_test.xml" + sources = [ + "${code_signature_root_dir}/services/local_code_sign/src/local_sign_key.cpp", + "${code_signature_root_dir}/utils/src/cert_utils.cpp", + "local_code_sign_utils_test.cpp", + ] + deps = [ "${code_signature_root_dir}/interfaces/innerkits/code_sign_utils:libcode_sign_utils" ] + + include_dirs = [ + "utils/include", + "${code_signature_root_dir}/services/local_code_sign/include", + ] + + configs = [ "${code_signature_root_dir}:common_utils_config" ] + external_deps = [ + "c_utils:utils", + "fsverity-utils:libfsverity_utils", + "hilog:libhilog", + "huks:libhukssdk", + "openssl:libcrypto_shared", + ] +} + ohos_unittest("sign_and_enforce_unittest") { module_out_path = "security/code_signature" resource_config_file = "resources/ohos_test.xml" @@ -222,6 +247,7 @@ group("unittest_group") { ":code_sign_utils_unittest", ":enable_verity_ioctl_unittest", ":local_code_sign_unittest", + ":local_code_sign_utils_unittest", ":multi_thread_local_sign_unittest", ":rust_key_enable_unittest", ":sign_and_enforce_unittest", diff --git a/test/unittest/local_code_sign_utils_test.cpp b/test/unittest/local_code_sign_utils_test.cpp new file mode 100644 index 0000000..afdb63e --- /dev/null +++ b/test/unittest/local_code_sign_utils_test.cpp 
@@ -0,0 +1,71 @@ +/* + * Copyright (c) 2024 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include +#include +#include + +#include "cert_utils.h" +#include "directory_ex.h" +#include "fsverity_utils_helper.h" +#include "local_sign_key.h" +#include "log.h" +#include "pkcs7_generator.h" + +using namespace OHOS::Security::CodeSign; +using namespace testing::ext; +using namespace std; + +namespace OHOS { +namespace Security { +namespace CodeSign { +static const std::string AN_BASE_PATH = "/data/local/ark-cache/tmp/"; +static const std::string DEMO_AN_PATH2 = AN_BASE_PATH + "demo2.an"; +static const std::string DEFAULT_HASH_ALGORITHM = "sha256"; + +class LocalCodeSignUtilsTest : public testing::Test { +public: + LocalCodeSignUtilsTest() {}; + virtual ~LocalCodeSignUtilsTest() {}; + static void SetUpTestCase() {}; + static void TearDownTestCase() {}; + void SetUp() {}; + void TearDown() {}; +}; + +/** + * @tc.name: LocalCodeSignUtilsTest_0001 + * @tc.desc: Used to increase utils coverage + * @tc.type: Func + * @tc.require: issueI8FCGF + */ +HWTEST_F(LocalCodeSignUtilsTest, LocalCodeSignUtilsTest_0001, TestSize.Level0) +{ + ByteBuffer digest; + std::string realPath; + std::string ownerID = ""; + bool bRet = OHOS::PathToRealPath(DEMO_AN_PATH2, realPath); + EXPECT_EQ(bRet, true); + bRet = FsverityUtilsHelper::GetInstance().GenerateFormattedDigest(realPath.c_str(), digest); + EXPECT_EQ(bRet, true); + + ByteBuffer signature; + int ret = 
PKCS7Generator::GenerateSignature(ownerID, LocalSignKey::GetInstance(), DEFAULT_HASH_ALGORITHM.c_str(), + digest, signature); + EXPECT_EQ(ret, CS_ERR_HUKS_OBTAIN_CERT); +} +} // namespace CodeSign +} // namespace Security +} // namespace OHOS diff --git a/test/unittest/multi_thread_local_sign_test.cpp b/test/unittest/multi_thread_local_sign_test.cpp index 8469915..ccd8b43 100644 --- a/test/unittest/multi_thread_local_sign_test.cpp +++ b/test/unittest/multi_thread_local_sign_test.cpp @@ -38,7 +38,7 @@ static constexpr uint32_t MULTI_THREAD_NUM = 10; static constexpr int64_t BUFFER_SIZE = 1024; static const std::string AN_BASE_PATH = "/data/local/ark-cache/tmp/multi_thread/"; static const std::string ORIGIN_AN_FILE = AN_BASE_PATH + "demo.an"; -static const std::string DemoWithownerID = AN_BASE_PATH + "demoWithownerID.an"; +static const std::string DEMO_WITHOWNER_ID = AN_BASE_PATH + "demoWithownerID.an"; static const char *VALID_CALLER = "installs"; @@ -103,7 +103,7 @@ void LocalCodeSignAndEnforceWithOwnerID() ByteBuffer sig; uint64_t selfTokenId = NativeTokenSet(VALID_CALLER); std::string ownerID = "AppName123"; - int ret = LocalCodeSignKit::SignLocalCode(ownerID, DemoWithownerID, sig); + int ret = LocalCodeSignKit::SignLocalCode(ownerID, DEMO_WITHOWNER_ID, sig); std::thread::id thisId = std::this_thread::get_id(); std::ostringstream oss; oss << thisId; diff --git a/test/unittest/resources/ohos_test.xml b/test/unittest/resources/ohos_test.xml index b189ee4..6adfabe 100644 --- a/test/unittest/resources/ohos_test.xml +++ b/test/unittest/resources/ohos_test.xml @@ -88,6 +88,22 @@
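Review bot: In `LocalCodeSignUtilsTest_0001` both precondition checks use `EXPECT_EQ(bRet, true)`, so if `PathToRealPath` fails (for example because `demo2.an` was not pushed to the device) the test carries on and calls `GenerateFormattedDigest` and `GenerateSignature` with an empty path and digest. The final `EXPECT_EQ(ret, CS_ERR_HUKS_OBTAIN_CERT)` can then pass or fail for a reason unrelated to what the test is meant to pin. Make the preconditions fatal with `ASSERT_TRUE(OHOS::PathToRealPath(DEMO_AN_PATH2, realPath));` and `ASSERT_TRUE(FsverityUtilsHelper::GetInstance().GenerateFormattedDigest(realPath.c_str(), digest));`. The `@tc.desc` line should also say why a signing failure is the correct outcome, e.g. `@tc.desc: GenerateSignature returns CS_ERR_HUKS_OBTAIN_CERT when LocalSignKey has no certificate chain available`, if that is indeed the intended condition.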