1 /*
2 * Copyright (c) 2023 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 use super::cert_chain_utils::PemCollection;
17 use super::cert_path_utils::TrustCertPath;
18 const TRUSTED_ROOT_CERT: &str = "/system/etc/security/trusted_root_ca.json";
19 const ALLOWED_ROOT_CERT_MEMBER_NAMES: &[&str] =
20 &["C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Root CA G2"];
21 const ALLOWED_OH_ROOT_CERT_MEMBER_NAMES: &[&str] =
22 &["C=CN, O=OpenHarmony, OU=OpenHarmony Team, CN=OpenHarmony Application Root CA"];
23 const TRUSTED_ROOT_CERT_TEST: &str = "/system/etc/security/trusted_root_ca_test.json";
24 const ALLOWED_ROOT_CERT_MEMBER_NAMES_TEST: &[&str] =
25 &["C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Root CA G2 Test"];
26 const TRUSTED_CERT_PATH: &str = "/system/etc/security/trusted_cert_path.json";
27 const TRUSTED_CERT_PATH_TEST: &str = "/system/etc/security/trusted_cert_path_test.json";
28
29 extern "C" {
IsRdDevice() -> bool30 fn IsRdDevice() -> bool;
31 }
32
33 /// get trusted certs form json file
get_trusted_certs() -> PemCollection34 pub fn get_trusted_certs() -> PemCollection {
35 let mut root_cert = PemCollection::new();
36 root_cert.load_pem_certs_from_json_file(TRUSTED_ROOT_CERT, ALLOWED_ROOT_CERT_MEMBER_NAMES);
37 if env!("support_openharmony_ca") == "on" || unsafe { IsRdDevice() } {
38 root_cert.load_pem_certs_from_json_file(
39 TRUSTED_ROOT_CERT,
40 ALLOWED_OH_ROOT_CERT_MEMBER_NAMES
41 );
42 }
43 if env!("code_signature_debuggable") == "on" || unsafe { IsRdDevice() } {
44 root_cert.load_pem_certs_from_json_file(
45 TRUSTED_ROOT_CERT_TEST,
46 ALLOWED_ROOT_CERT_MEMBER_NAMES_TEST
47 );
48 }
49 root_cert
50 }
51
52 /// get cert path form json file
get_cert_path() -> TrustCertPath53 pub fn get_cert_path() -> TrustCertPath {
54 let mut cert_paths = TrustCertPath::new();
55 cert_paths.load_cert_path_from_json_file(TRUSTED_CERT_PATH);
56 if env!("code_signature_debuggable") == "on" || unsafe { IsRdDevice() } {
57 cert_paths.load_cert_path_from_json_file(TRUSTED_CERT_PATH_TEST);
58 }
59 cert_paths
60 }
61