1 /*
2  * Copyright (c) 2023-2024 Huawei Device Co., Ltd.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at
6  *
7  *     http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
16 #include "local_code_sign_service.h"
17 
18 #include "directory_ex.h"
19 #include "fsverity_utils_helper.h"
20 #include "ipc_skeleton.h"
21 #include "iservice_registry.h"
22 #include "local_sign_key.h"
23 #include "log.h"
24 #include "pkcs7_generator.h"
25 
26 namespace OHOS {
27 namespace Security {
28 namespace CodeSign {
29 const std::string DEFAULT_HASH_ALGORITHM = "sha256";
30 const std::string TASK_ID = "unload";
31 constexpr int32_t DELAY_TIME = 180000;
32 constexpr uint32_t MAX_OWNER_ID_LEN = 32; // owner id in signature should not exceed 32 bytes
33 
34 const bool REGISTER_RESULT =
35     SystemAbility::MakeAndRegisterAbility(DelayedSingleton<LocalCodeSignService>::GetInstance().get());
36 
LocalCodeSignService()37 LocalCodeSignService::LocalCodeSignService()
38     : SystemAbility(LOCAL_CODE_SIGN_SA_ID, false), state_(ServiceRunningState::STATE_NOT_START)
39 {
40 }
41 
~LocalCodeSignService()42 LocalCodeSignService::~LocalCodeSignService()
43 {
44 }
45 
OnStart()46 void LocalCodeSignService::OnStart()
47 {
48     LOG_INFO("LocalCodeSignService OnStart");
49     if (state_ == ServiceRunningState::STATE_RUNNING) {
50         LOG_INFO("LocalCodeSignService has already started.");
51         return;
52     }
53     if (!Init()) {
54         LOG_ERROR("Init LocalCodeSignService failed.");
55         return;
56     }
57     bool ret = Publish(DelayedSingleton<LocalCodeSignService>::GetInstance().get());
58     if (!ret) {
59         LOG_ERROR("Publish service failed.");
60         return;
61     }
62     state_ = ServiceRunningState::STATE_RUNNING;
63     DelayUnloadTask();
64 }
65 
Init()66 bool LocalCodeSignService::Init()
67 {
68     auto runner = AppExecFwk::EventRunner::Create(TASK_ID, AppExecFwk::ThreadMode::FFRT);
69     if (unloadHandler_ == nullptr) {
70         unloadHandler_ = std::make_shared<AppExecFwk::EventHandler>(runner);
71     }
72     return true;
73 }
74 
DelayUnloadTask()75 void LocalCodeSignService::DelayUnloadTask()
76 {
77     auto task = [this]() {
78         sptr<ISystemAbilityManager> samgr = SystemAbilityManagerClient::GetInstance().GetSystemAbilityManager();
79         if (samgr == nullptr) {
80             LOG_ERROR("Get system ability mgr failed.");
81             return;
82         }
83         int32_t ret = samgr->UnloadSystemAbility(LOCAL_CODE_SIGN_SA_ID);
84         if (ret != ERR_OK) {
85             LOG_ERROR("Remove system ability failed.");
86             return;
87         }
88     };
89     unloadHandler_->RemoveTask(TASK_ID);
90     unloadHandler_->PostTask(task, TASK_ID, DELAY_TIME);
91 }
92 
OnStop()93 void LocalCodeSignService::OnStop()
94 {
95     LOG_INFO("LocalCodeSignService OnStop");
96     if (unloadHandler_ != nullptr) {
97         unloadHandler_->RemoveTask(TASK_ID);
98         unloadHandler_ = nullptr;
99     }
100     state_ = ServiceRunningState::STATE_NOT_START;
101 }
102 
InitLocalCertificate(const ByteBuffer & challenge,ByteBuffer & certChainData)103 int32_t LocalCodeSignService::InitLocalCertificate(const ByteBuffer &challenge, ByteBuffer &certChainData)
104 {
105     LocalSignKey &key = LocalSignKey::GetInstance();
106     key.SetChallenge(challenge);
107     if (!key.InitKey()) {
108         LOG_ERROR("Init key failed.");
109         return CS_ERR_HUKS_INIT_KEY;
110     }
111     return key.GetFormattedCertChain(certChainData);
112 }
113 
SignLocalCode(const std::string & ownerID,const std::string & filePath,ByteBuffer & signature)114 int32_t LocalCodeSignService::SignLocalCode(const std::string &ownerID, const std::string &filePath,
115                                             ByteBuffer &signature)
116 {
117     if (ownerID.length() > MAX_OWNER_ID_LEN) {
118         LOG_ERROR("ownerID len %{public}zu should not exceed %{public}u", ownerID.length(), MAX_OWNER_ID_LEN);
119         return CS_ERR_INVALID_OWNER_ID;
120     }
121     ByteBuffer digest;
122     std::string realPath;
123     if (!OHOS::PathToRealPath(filePath, realPath)) {
124         LOG_INFO("Get real path failed, path = %{public}s", filePath.c_str());
125         return CS_ERR_FILE_PATH;
126     }
127     if (!FsverityUtilsHelper::GetInstance().GenerateFormattedDigest(realPath.c_str(), digest)) {
128         LOG_ERROR("Generate formatted fsverity digest failed.");
129         return CS_ERR_COMPUTE_DIGEST;
130     }
131     return PKCS7Generator::GenerateSignature(ownerID, LocalSignKey::GetInstance(), DEFAULT_HASH_ALGORITHM.c_str(),
132         digest, signature);
133 }
134 }
135 }
136 }
137