From d481092ed7fb657193b2d4ad67ad65a3af6c39fe Mon Sep 17 00:00:00 2001 From: tan-qingliu Date: Thu, 12 Dec 2024 17:51:49 +0800 Subject: [PATCH] =?UTF-8?q?=E6=96=B0=E5=A2=9E=E6=94=AF=E6=8C=81=E6=8C=87?= =?UTF-8?q?=E5=AE=9A=E5=AE=89=E8=A3=85=E4=BD=8D=E7=BD=AE=E5=AE=89=E8=A3=85?= =?UTF-8?q?CA=E8=AF=81=E4=B9=A6=E7=9A=84napi=E6=8E=A5=E5=8F=A3?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: tan-qingliu Change-Id: I98da9336e6d8d49415ac9676aa7c9eb449ffc30c --- .../napi/include/cm_napi_user_trusted_cert.h | 1 + interfaces/kits/napi/src/cm_napi.cpp | 1 + interfaces/kits/napi/src/cm_napi_common.cpp | 10 +- .../napi/src/cm_napi_user_trusted_cert.cpp | 104 ++++++++++++++++-- .../napi/src/dialog/cm_napi_dialog_common.cpp | 2 +- .../dialog/cm_napi_open_install_dialog.cpp | 2 +- .../include/cert_manager_permission_check.h | 2 + .../main/core/src/cert_manager_check.c | 15 ++- .../src/cert_manager_permission_check.cpp | 5 + 9 files changed, 120 insertions(+), 22 deletions(-) diff --git a/interfaces/kits/napi/include/cm_napi_user_trusted_cert.h b/interfaces/kits/napi/include/cm_napi_user_trusted_cert.h index 27a889c..7a4b032 100755 --- a/interfaces/kits/napi/include/cm_napi_user_trusted_cert.h +++ b/interfaces/kits/napi/include/cm_napi_user_trusted_cert.h @@ -21,6 +21,7 @@ namespace CMNapi { napi_value CMNapiInstallUserTrustedCert(napi_env env, napi_callback_info info); + napi_value CMNapiInstallUserTrustedCertSync(napi_env env, napi_callback_info info); napi_value CMNapiUninstallAllUserTrustedCert(napi_env env, napi_callback_info info); napi_value CMNapiUninstallUserTrustedCert(napi_env env, napi_callback_info info); } // namespace CMNapi diff --git a/interfaces/kits/napi/src/cm_napi.cpp b/interfaces/kits/napi/src/cm_napi.cpp index 4accac2..0101125 100644 --- a/interfaces/kits/napi/src/cm_napi.cpp +++ b/interfaces/kits/napi/src/cm_napi.cpp 
@@ -150,6 +150,7 @@ extern "C" { /* user ca */ DECLARE_NAPI_FUNCTION("installUserTrustedCertificate", CMNapiInstallUserTrustedCert), + DECLARE_NAPI_FUNCTION("installUserTrustedCertificateSync", CMNapiInstallUserTrustedCertSync), DECLARE_NAPI_FUNCTION("uninstallAllUserTrustedCertificate", CMNapiUninstallAllUserTrustedCert), DECLARE_NAPI_FUNCTION("uninstallUserTrustedCertificate", CMNapiUninstallUserTrustedCert), DECLARE_NAPI_FUNCTION("getAllUserTrustedCertificates", CMNapiGetAllUserTrustedCertList), diff --git a/interfaces/kits/napi/src/cm_napi_common.cpp b/interfaces/kits/napi/src/cm_napi_common.cpp index 1634b50..58da3a8 100644 --- a/interfaces/kits/napi/src/cm_napi_common.cpp +++ b/interfaces/kits/napi/src/cm_napi_common.cpp @@ -453,16 +453,16 @@ napi_value GenerateBusinessError(napi_env env, int32_t errorCode) return nullptr; } - napi_value businessError = nullptr; - NAPI_CALL(env, napi_create_object(env, &businessError)); - napi_value code = nullptr; int32_t outCode = TranformErrorCode(errorCode); NAPI_CALL(env, napi_create_int32(env, outCode, &code)); - NAPI_CALL(env, napi_set_named_property(env, businessError, BUSINESS_ERROR_PROPERTY_CODE.c_str(), code)); + napi_value message = nullptr; NAPI_CALL(env, napi_create_string_utf8(env, errorMsg, NAPI_AUTO_LENGTH, &message)); - NAPI_CALL(env, napi_set_named_property(env, businessError, BUSINESS_ERROR_PROPERTY_MESSAGE.c_str(), message)); + + napi_value businessError = nullptr; + NAPI_CALL(env, napi_create_error(env, nullptr, message, &businessError)); + NAPI_CALL(env, napi_set_named_property(env, businessError, BUSINESS_ERROR_PROPERTY_CODE.c_str(), code)); return businessError; } diff --git a/interfaces/kits/napi/src/cm_napi_user_trusted_cert.cpp b/interfaces/kits/napi/src/cm_napi_user_trusted_cert.cpp index 980c3b3..2407ead 100644 --- a/interfaces/kits/napi/src/cm_napi_user_trusted_cert.cpp +++ b/interfaces/kits/napi/src/cm_napi_user_trusted_cert.cpp 
@@ -26,6 +26,7 @@ namespace CMNapi { namespace { constexpr int CM_NAPI_USER_INSTALL_ARGS_CNT = 2; +constexpr int CM_NAPI_USER_INSTALL_SYNC_ARGS_CNT = 2; constexpr int CM_NAPI_USER_UNINSTALL_ARGS_CNT = 2; constexpr int CM_NAPI_USER_UNINSTALL_ALL_ARGS_CNT = 1; constexpr int CM_NAPI_CALLBACK_ARG_CNT = 1; @@ -67,21 +68,23 @@ static void FreeUserCertAsyncContext(napi_env env, UserCertAsyncContext &context CM_FREE_PTR(context); } -static int32_t GetUserCertData(napi_env env, napi_value object, UserCertAsyncContext context) +static int32_t GetUserCertData(napi_env env, napi_value object, CmBlob **outCert) { - context->userCert = static_cast(CmMalloc(sizeof(CmBlob))); - if (context->userCert == nullptr) { + CmBlob *userCert = static_cast(CmMalloc(sizeof(CmBlob))); + if (userCert == nullptr) { CM_LOG_E("could not alloc userCert blob memory"); return CMR_ERROR_MALLOC_FAIL; } - (void)memset_s(context->userCert, sizeof(CmBlob), 0, sizeof(CmBlob)); + (void)memset_s(userCert, sizeof(CmBlob), 0, sizeof(CmBlob)); - napi_value result = GetUint8Array(env, object, *(context->userCert)); + napi_value result = GetUint8Array(env, object, *(userCert)); if (result == nullptr) { CM_LOG_E("could not get userCert data"); - return CMR_ERROR_INVALID_OPERATION; + CM_FREE_PTR(userCert); + return CMR_ERROR_INVALID_ARGUMENT; } + *outCert = userCert; return CM_SUCCESS; } @@ -119,7 +122,7 @@ static napi_value ParseCertInfo(napi_env env, napi_value object, UserCertAsyncCo return nullptr; } - int32_t ret = GetUserCertData(env, userCertValue, context); + int32_t ret = GetUserCertData(env, userCertValue, &context->userCert); if (ret != CM_SUCCESS) { return nullptr; } 
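Review bot: In the GetUserCertData hunk, the new `CmBlob **outCert` parameter is written through without a null check, and nothing documents who owns the result. A comment above the function would settle it, e.g. `/* On CM_SUCCESS *outCert holds a CmMalloc'd CmBlob that the caller releases with FreeCmBlob; on failure *outCert is left untouched. */`. The failure branch releases only the struct via `CM_FREE_PTR(userCert)`. If GetUint8Array can fail after it has already allocated `userCert->data` (its body is not visible here), that buffer needs freeing as well.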
@@ -200,6 +203,36 @@ static napi_value ParseUninstallUserCertParams(napi_env env, napi_callback_info return GetInt32(env, 0); } +static int32_t ParseInstallUserCertSyncParams(napi_env env, napi_callback_info info, CmBlob **userCert, + CmCertScope &installScope) +{ + size_t argc = CM_NAPI_USER_INSTALL_SYNC_ARGS_CNT; + napi_value argv[CM_NAPI_USER_INSTALL_SYNC_ARGS_CNT] = { nullptr }; + napi_get_cb_info(env, info, &argc, argv, nullptr, nullptr); + + if (argc != CM_NAPI_USER_INSTALL_SYNC_ARGS_CNT) { + CM_LOG_E("arguments count is not expected when installing user cert sync"); + return CMR_ERROR_INVALID_ARGUMENT; + } + + size_t index = 0; + int32_t ret = GetUserCertData(env, argv[index], userCert); + if (ret != CM_SUCCESS) { + CM_LOG_E("could not get userCert"); + return CMR_ERROR_INVALID_ARGUMENT; + } + + index++; + uint32_t scope = CM_ALL_USER; + napi_value result = ParseUint32(env, argv[index], scope); + if (result == nullptr) { + CM_LOG_E("could not get install scope"); + return CMR_ERROR_INVALID_ARGUMENT; + } + installScope = static_cast(scope); + return CM_SUCCESS; +} + static napi_value ParseUninstallAllUserCertParams(napi_env env, napi_callback_info info, UserCertAsyncContext context) { size_t argc = CM_NAPI_USER_UNINSTALL_ALL_ARGS_CNT; 
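Review bot: ParseInstallUserCertSyncParams ignores the status of `napi_get_cb_info` and overwrites whatever GetUserCertData returned with `CMR_ERROR_INVALID_ARGUMENT`. An allocation failure (`CMR_ERROR_MALLOC_FAIL`) therefore surfaces to the caller as a bad-argument error. Returning the original code in that branch (`return ret;`) keeps the real cause. Checking the lookup, `if (napi_get_cb_info(env, info, &argc, argv, nullptr, nullptr) != napi_ok) { return CMR_ERROR_INVALID_ARGUMENT; }`, avoids parsing `argv` after a failed call. The function also needs a comment stating that `*userCert` stays allocated when the scope argument is rejected, because the caller must free it on that path.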
@@ -386,6 +419,31 @@ static napi_value UninstallAllUserCertAsyncWork(napi_env env, UserCertAsyncConte return promise; } +static int32_t InstallUserCertSyncExecute(CmBlob *userCert, const CmCertScope scope, CmBlob *certUri) +{ + int32_t ret; + // alias is empty string + uint8_t alias[1] = { 0 }; + CmBlob certAlias = { .size = sizeof(alias), .data = alias }; + + uint32_t userId = 0; + if (scope == CM_CURRENT_USER) { + userId = INIT_INVALID_VALUE; + } else if (scope == CM_GLOBAL_USER) { + userId = 0; + } else { + CM_LOG_E("invalid certificate scope"); + return CMR_ERROR_INVALID_ARGUMENT; + } + + ret = CmInstallUserCACert(userCert, &certAlias, userId, true, certUri); + if (ret != CM_SUCCESS) { + CM_LOG_E("install user cert sync, init certUri failed"); + return ret; + } + return ret; +} + napi_value CMNapiInstallUserTrustedCert(napi_env env, napi_callback_info info) { UserCertAsyncContext context = InitUserCertAsyncContext(); 
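Review bot: The error log after `CmInstallUserCACert` in InstallUserCertSyncExecute reads "init certUri failed", which does not describe the call that failed and will mislead anyone triaging a rejected CA install. A message such as `CM_LOG_E("install user CA cert failed, ret = %d", ret);` fits the code. The bare `true` passed as the fourth argument needs a trailing comment or a named constant, since its meaning cannot be read from this hunk. A one-line comment on the scope mapping (`CM_CURRENT_USER` maps to `INIT_INVALID_VALUE`, `CM_GLOBAL_USER` maps to user 0) would also help, because the choice of user 0 decides which store the certificate ends up trusted in.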
@@ -411,6 +469,38 @@ napi_value CMNapiInstallUserTrustedCert(napi_env env, napi_callback_info info) return result; } +napi_value CMNapiInstallUserTrustedCertSync(napi_env env, napi_callback_info info) +{ + CmBlob *userCert = nullptr; + CmCertScope installScope; + uint8_t uri[OUT_AUTH_URI_SIZE] = { 0 }; + CmBlob certUri = { sizeof(uri), uri }; + + int32_t ret = CM_SUCCESS; + do { + ret = ParseInstallUserCertSyncParams(env, info, &userCert, installScope); + if (ret != CM_SUCCESS) { + CM_LOG_E("parse install user cert sync params failed"); + break; + } + + ret = InstallUserCertSyncExecute(userCert, installScope, &certUri); + if (ret != CM_SUCCESS) { + CM_LOG_E("install user cert sync execute failed"); + break; + } + } while (0); + + if (ret != CM_SUCCESS) { + CM_LOG_E("install user cert sync failed, ret = %d", ret); + napi_throw(env, GenerateBusinessError(env, ret)); + return nullptr; + } + napi_value result = ConvertResultCertUri(env, &certUri); + FreeCmBlob(userCert); + return result; +} + napi_value CMNapiUninstallUserTrustedCert(napi_env env, napi_callback_info info) { UserCertAsyncContext context = InitUserCertAsyncContext(); diff --git a/interfaces/kits/napi/src/dialog/cm_napi_dialog_common.cpp b/interfaces/kits/napi/src/dialog/cm_napi_dialog_common.cpp index 149fa7e..d72c8f4 100644 --- a/interfaces/kits/napi/src/dialog/cm_napi_dialog_common.cpp +++ b/interfaces/kits/napi/src/dialog/cm_napi_dialog_common.cpp @@ -133,7 +133,7 @@ static std::string EncodeBase64(const uint8_t *indata, const uint32_t length) encodeStr += g_base64Table[(triple >> BYTE_INDEX_ONE * BYTE_SHIFT_6) & BASE64_URL_TABLE_SIZE]; encodeStr += g_base64Table[(triple >> BYTE_INDEX_ZONE * BYTE_SHIFT_6) & BASE64_URL_TABLE_SIZE]; } - + switch (BASE64_GROUP_NUM - (i % BASE64_GROUP_NUM)) { case BYTE_END_TWO: encodeStr.replace(encodeStr.length() - BYTE_END_TWO, 1, BASE64_PADDING); 
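Review bot: CMNapiInstallUserTrustedCertSync leaks `userCert` on its failure paths, because `FreeCmBlob(userCert);` is reached only after a successful install. A rejected scope argument (the parse helper has already stored the blob by then) and a failed InstallUserCertSyncExecute both take the `napi_throw` branch and return without releasing it, so each failed call from application code loses the certificate buffer. Moving `FreeCmBlob(userCert);` to directly after the `do { ... } while (0);` block covers every path, provided FreeCmBlob accepts a null pointer (its definition is not shown here). `CmCertScope installScope;` is also declared without a value; initialising it, e.g. `CmCertScope installScope = CM_CURRENT_USER;`, keeps a later refactor from reading an indeterminate scope.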
diff --git a/interfaces/kits/napi/src/dialog/cm_napi_open_install_dialog.cpp b/interfaces/kits/napi/src/dialog/cm_napi_open_install_dialog.cpp index 5f842ca..d28ad1b 100644 --- a/interfaces/kits/napi/src/dialog/cm_napi_open_install_dialog.cpp +++ b/interfaces/kits/napi/src/dialog/cm_napi_open_install_dialog.cpp @@ -169,7 +169,7 @@ static napi_value CMCheckArgvAndInitContext(std::shared_ptrenv, argv[PARAM3], asyncContext->certStr) == nullptr) { CM_LOG_E("cert is not a uint8Array or the length is 0 or too long."); diff --git a/services/cert_manager_standard/cert_manager_engine/main/core/include/cert_manager_permission_check.h b/services/cert_manager_standard/cert_manager_engine/main/core/include/cert_manager_permission_check.h index 429d151..22ffdaa 100755 --- a/services/cert_manager_standard/cert_manager_engine/main/core/include/cert_manager_permission_check.h +++ b/services/cert_manager_standard/cert_manager_engine/main/core/include/cert_manager_permission_check.h @@ -26,6 +26,8 @@ bool CmHasPrivilegedPermission(void); bool CmHasCommonPermission(void); +bool CmHasEnterpriseUserTrustedPermission(void); + bool CmHasUserTrustedPermission(void); bool CmHasSystemAppPermission(void); diff --git a/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager_check.c b/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager_check.c index 8b41023..c2b90f6 100644 --- a/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager_check.c +++ b/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager_check.c 
@@ -466,11 +466,15 @@ static bool CmCheckAndUpdateCallerUserId(const uint32_t inputUserId, uint32_t *c return true; } - /* caller is hap, callerUserId is not 0 */ - if (inputUserId != INIT_INVALID_VALUE) { + /* caller is hap, callerUserId can be 0 or 0xFFFFFFFF */ + if (inputUserId != 0 && inputUserId != INIT_INVALID_VALUE) { CM_LOG_E("caller is hap, input userId %u is not supported", inputUserId); return false; } + if (inputUserId == 0) { + CM_LOG_D("hap install in public location: update caller userId from %u to 0", *callerUserId); + *callerUserId = 0; + } return true; } @@ -492,16 +496,11 @@ int32_t CmServiceInstallUserCertCheck(struct CmContext *cmContext, const struct return ret; } - if (!CmHasCommonPermission() || !CmHasUserTrustedPermission()) { + if (!CmHasEnterpriseUserTrustedPermission() && !CmHasUserTrustedPermission()) { CM_LOG_E("install user cert: caller no permission"); return CMR_ERROR_PERMISSION_DENIED; } - if (!CmIsSystemApp()) { - CM_LOG_E("install user cert: caller is not system app"); - return CMR_ERROR_NOT_SYSTEMP_APP; - } - if (!CmCheckAndUpdateCallerUserId(userId, &(cmContext->userId))) { CM_LOG_E("input userId is invalid"); return CMR_ERROR_INVALID_ARGUMENT; diff --git a/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager_permission_check.cpp b/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager_permission_check.cpp index 1f788a2..fc66412 100755 --- a/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager_permission_check.cpp +++ b/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager_permission_check.cpp 
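Review bot: The new `inputUserId == 0` branch in CmCheckAndUpdateCallerUserId rewrites `*callerUserId` to 0 for any hap caller, and nothing in this function checks that the caller is entitled to the shared ("public") location. That store is presumably trusted beyond the calling user, so the branch should be tied to the stronger permission if that matches the intended policy, e.g. `if (inputUserId == 0 && !CmHasEnterpriseUserTrustedPermission()) { return false; }` before the assignment. The rewrite is logged only with `CM_LOG_D`; a change of install scope on a CA store warrants a log level that is kept in production logs. The updated comment says callerUserId can be 0 or 0xFFFFFFFF, but the value being tested is `inputUserId`. The function begins above this hunk.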
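Review bot: The rewritten permission test in CmServiceInstallUserCertCheck is weaker than the one it replaces for callers that do not hold the enterprise permission. Previously a caller needed both `ohos.permission.ACCESS_CERT_MANAGER` and `ohos.permission.ACCESS_USER_TRUSTED_CERT` and had to pass `CmIsSystemApp()`; now `ACCESS_USER_TRUSTED_CERT` alone is enough and the system-app check is removed for every path. If the intent is only to add an enterprise route, keep the old requirements on the other route: `bool legacyOk = CmHasCommonPermission() && CmHasUserTrustedPermission() && CmIsSystemApp();` followed by `if (!CmHasEnterpriseUserTrustedPermission() && !legacyOk) {`. That folds the two error codes into `CMR_ERROR_PERMISSION_DENIED`, so any caller that relies on `CMR_ERROR_NOT_SYSTEMP_APP` needs checking. The function starts and ends outside the hunk.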
@@ -45,6 +45,11 @@ bool CmHasCommonPermission(void) return HasPermission("ohos.permission.ACCESS_CERT_MANAGER"); } +bool CmHasEnterpriseUserTrustedPermission(void) +{ + return HasPermission("ohos.permission.ACCESS_ENTERPRISE_USER_TRUSTED_CERT"); +} + bool CmHasUserTrustedPermission(void) { return HasPermission("ohos.permission.ACCESS_USER_TRUSTED_CERT"); -- Gitee