1/*
2 * Copyright (c) 2023 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 *     http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16use super::cert_chain_utils::PemCollection;
17use super::cert_path_utils::TrustCertPath;
18const TRUSTED_ROOT_CERT: &str = "/system/etc/security/trusted_root_ca.json";
19const ALLOWED_ROOT_CERT_MEMBER_NAMES: &[&str] =
20    &["C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Root CA G2"];
21const ALLOWED_OH_ROOT_CERT_MEMBER_NAMES: &[&str] =
22    &["C=CN, O=OpenHarmony, OU=OpenHarmony Team, CN=OpenHarmony Application Root CA"];
23const TRUSTED_ROOT_CERT_TEST: &str = "/system/etc/security/trusted_root_ca_test.json";
24const ALLOWED_ROOT_CERT_MEMBER_NAMES_TEST: &[&str] =
25    &["C=CN, O=Huawei, OU=Huawei CBG, CN=Huawei CBG Root CA G2 Test"];
26const TRUSTED_CERT_PATH: &str = "/system/etc/security/trusted_cert_path.json";
27const TRUSTED_CERT_PATH_MIRROR: &str = "/system/etc/security/trusted_cert_path_mirror.json";
28
29extern "C" {
30    fn IsRdDevice() -> bool;
31}
32
33/// get trusted certs form json file
34pub fn get_trusted_certs() -> PemCollection {
35    let mut root_cert = PemCollection::new();
36    root_cert.load_pem_certs_from_json_file(TRUSTED_ROOT_CERT, ALLOWED_ROOT_CERT_MEMBER_NAMES);
37    if env!("support_openharmony_ca") == "on" || unsafe { IsRdDevice() } {
38        root_cert.load_pem_certs_from_json_file(
39            TRUSTED_ROOT_CERT,
40            ALLOWED_OH_ROOT_CERT_MEMBER_NAMES
41        );
42    }
43    if env!("code_signature_debuggable") == "on" || unsafe { IsRdDevice() } {
44        root_cert.load_pem_certs_from_json_file(
45            TRUSTED_ROOT_CERT_TEST,
46            ALLOWED_ROOT_CERT_MEMBER_NAMES_TEST
47        );
48    }
49    root_cert
50}
51
52/// get cert path form json file
53pub fn get_cert_path() -> TrustCertPath {
54    let mut cert_paths = TrustCertPath::new();
55    cert_paths.load_cert_path_from_json_file(TRUSTED_CERT_PATH);
56    if env!("code_signature_debuggable") == "on" || unsafe { IsRdDevice() } {
57        cert_paths.load_cert_path_from_json_file(TRUSTED_CERT_PATH_MIRROR);
58    }
59    cert_paths
60}
61