From b39173b574ff0c8f22098bf611c04d7af0022823 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E4=B8=8A=E5=AE=98=E6=99=AF=E5=A8=81?= Date: Fri, 7 Feb 2025 20:09:57 +0800 Subject: [PATCH] =?UTF-8?q?=E5=87=AD=E6=8D=AE=E5=AF=B9=E5=BA=94=E7=9A=84?= =?UTF-8?q?=E5=AF=86=E9=92=A5=E6=94=AF=E6=8C=81=E5=88=86=E7=B1=BB=E5=88=86?= =?UTF-8?q?=E7=BA=A7=E5=AD=98=E5=82=A8?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 上官景威 --- .../cm_ipc/include/cm_ipc_client.h | 3 +- .../os_dependency/cm_ipc/src/cm_ipc_client.c | 24 +- .../main/include/cert_manager_api.h | 2 + .../main/include/cm_type.h | 11 + .../main/src/cert_manager_api.c | 26 +- .../include/cm_napi_install_app_cert_common.h | 4 + interfaces/kits/napi/src/cm_napi.cpp | 12 + .../src/cm_napi_install_app_cert_common.cpp | 97 ++- .../napi/src/dialog/cm_napi_dialog_common.cpp | 16 +- .../main/core/include/cert_manager.h | 13 +- .../main/core/include/cert_manager_auth_mgr.h | 2 +- .../core/include/cert_manager_key_operation.h | 10 +- .../main/core/include/cert_manager_query.h | 2 + .../main/core/src/cert_manager.c | 70 +- .../core/src/cert_manager_app_cert_process.c | 63 +- .../main/core/src/cert_manager_auth_mgr.c | 167 +++-- .../main/core/src/cert_manager_check.c | 5 + .../core/src/cert_manager_key_operation.c | 176 +++-- .../main/core/src/cert_manager_query.c | 23 + .../main/core/src/cert_manager_service.c | 17 +- .../main/core/src/cert_manager_status.c | 2 +- .../main/core/src/cm_event_process.c | 18 +- .../main/rdb/include/cm_cert_property_rdb.h | 1 + .../main/rdb/include/cm_rdb_config.h | 16 +- .../main/rdb/src/cm_cert_property_rdb.cpp | 23 +- .../main/rdb/src/cm_rdb_open_callback.cpp | 8 +- .../cert_manager_service.cfg | 3 +- .../os_dependency/idl/cm_ipc/cm_ipc_service.c | 4 +- test/BUILD.gn | 1 + .../src/cm_app_cert_multi_thread_test.cpp | 11 +- test/unittest/src/cm_app_cert_test.cpp | 29 + test/unittest/src/cm_pri_app_cert_test.cpp | 628 ++++++++++++++++++ 32 files changed, 1266 insertions(+), 221 deletions(-) create mode 100644 test/unittest/src/cm_pri_app_cert_test.cpp diff --git a/frameworks/cert_manager_standard/main/os_dependency/cm_ipc/include/cm_ipc_client.h b/frameworks/cert_manager_standard/main/os_dependency/cm_ipc/include/cm_ipc_client.h index fef6731..48d2d93 100755 --- a/frameworks/cert_manager_standard/main/os_dependency/cm_ipc/include/cm_ipc_client.h +++ b/frameworks/cert_manager_standard/main/os_dependency/cm_ipc/include/cm_ipc_client.h @@ -32,8 +32,7 @@ int32_t CmClientGetCertInfo(const struct CmBlob *certUri, const uint32_t store, int32_t CmClientSetCertStatus(const struct CmBlob *certUri, const uint32_t store, const uint32_t status); -int32_t CmClientInstallAppCert(const struct CmBlob *appCert, const struct CmBlob *appCertPwd, - const struct CmBlob *certAlias, const uint32_t store, struct CmBlob *keyUri); +int32_t CmClientInstallAppCert(const struct CmAppCertParam *certParam, struct CmBlob *keyUri); int32_t CmClientUninstallAppCert(const struct CmBlob *keyUri, const uint32_t store); diff --git a/frameworks/cert_manager_standard/main/os_dependency/cm_ipc/src/cm_ipc_client.c b/frameworks/cert_manager_standard/main/os_dependency/cm_ipc/src/cm_ipc_client.c index 45a75a2..66e64a3 100644 --- a/frameworks/cert_manager_standard/main/os_dependency/cm_ipc/src/cm_ipc_client.c +++ b/frameworks/cert_manager_standard/main/os_dependency/cm_ipc/src/cm_ipc_client.c @@ -191,7 +191,7 @@ int32_t CmClientSetCertStatus(const struct CmBlob *certUri, const uint32_t store return SetCertificateStatus(CM_MSG_SET_CERTIFICATE_STATUS, certUri, store, status); } -static int32_t InstallAppCert(const struct CmAppCertParam *certParam, struct CmBlob *keyUri) +int32_t CmClientInstallAppCert(const struct CmAppCertParam *certParam, struct CmBlob *keyUri) { int32_t ret; struct CmParamSet *sendParamSet = NULL; @@ -201,6 +201,7 @@ static int32_t InstallAppCert(const struct CmAppCertParam *certParam, struct CmB { .tag = CM_TAG_PARAM2_BUFFER, .blob = *(certParam->certAlias) }, { .tag = CM_TAG_PARAM0_UINT32, .uint32Param = certParam->store }, { .tag = CM_TAG_PARAM1_UINT32, .uint32Param = certParam->userId }, + { .tag = CM_TAG_PARAM2_UINT32, .uint32Param = certParam->level }, }; do { @@ -226,14 +227,6 @@ static int32_t InstallAppCert(const struct CmAppCertParam *certParam, struct CmB return ret; } -int32_t CmClientInstallAppCert(const struct CmBlob *appCert, const struct CmBlob *appCertPwd, - const struct CmBlob *certAlias, const uint32_t store, struct CmBlob *keyUri) -{ - struct CmAppCertParam certParam = { (struct CmBlob *)appCert, (struct CmBlob *)appCertPwd, - (struct CmBlob *)certAlias, store, INIT_INVALID_VALUE }; - return InstallAppCert(&certParam, keyUri); -} - static int32_t UninstallAppCert(enum CertManagerInterfaceCode type, const struct CmBlob *keyUri, const uint32_t store) { @@ -309,7 +302,7 @@ static int32_t CmAppCertListGetCertCount(const struct CmBlob *outData, uint32_t credCount = 0; int32_t ret = GetUint32FromBuffer(&credCount, outData, offset); if (ret != CM_SUCCESS) { - CM_LOG_E("App cert get list faild ret:%d", ret); + CM_LOG_E("App cert get list failed ret:%d", ret); return ret; } @@ -1038,5 +1031,14 @@ int32_t CmClientUninstallAllUserTrustedCert(void) int32_t CmClientInstallSystemAppCert(const struct CmAppCertParam *certParam, struct CmBlob *keyUri) { - return InstallAppCert(certParam, keyUri); + struct CmAppCertParam certParamEx = { + certParam->appCert, + certParam->appCertPwd, + certParam->certAlias, + certParam->store, + certParam->userId, + /* this is only valid for installing private credentials and is used for filling here. */ + CM_AUTH_STORAGE_LEVEL_EL1 + }; + return CmClientInstallAppCert(&certParamEx, keyUri); } diff --git a/interfaces/innerkits/cert_manager_standard/main/include/cert_manager_api.h b/interfaces/innerkits/cert_manager_standard/main/include/cert_manager_api.h index 1789e58..c70284d 100644 --- a/interfaces/innerkits/cert_manager_standard/main/include/cert_manager_api.h +++ b/interfaces/innerkits/cert_manager_standard/main/include/cert_manager_api.h @@ -33,6 +33,8 @@ CM_API_EXPORT int32_t CmSetCertStatus(const struct CmBlob *certUri, const uint32 CM_API_EXPORT int32_t CmInstallAppCert(const struct CmBlob *appCert, const struct CmBlob *appCertPwd, const struct CmBlob *certAlias, const uint32_t store, struct CmBlob *keyUri); +CM_API_EXPORT int32_t CmInstallAppCertEx(const struct CmAppCertParam *certParam, struct CmBlob *keyUri); + CM_API_EXPORT int32_t CmUninstallAppCert(const struct CmBlob *keyUri, const uint32_t store); CM_API_EXPORT int32_t CmUninstallAllAppCert(void); diff --git a/interfaces/innerkits/cert_manager_standard/main/include/cm_type.h b/interfaces/innerkits/cert_manager_standard/main/include/cm_type.h index 1b89de1..bbad297 100644 --- a/interfaces/innerkits/cert_manager_standard/main/include/cm_type.h +++ b/interfaces/innerkits/cert_manager_standard/main/include/cm_type.h @@ -65,6 +65,8 @@ extern "C" { #define CERT_STATUS_ENABLED ((uint32_t) 0) #define CERT_STATUS_DISABLED ((uint32_t) 1) +#define ERROR_LEVEL 0 + /* * Align to 4-tuple * Before calling this function, ensure that the size does not overflow after 3 is added. @@ -82,6 +84,8 @@ extern "C" { #define CM_SYS_CREDENTIAL_STORE 4 #define CM_STORE_CHECK(a) \ (((a) != CM_CREDENTIAL_STORE) && ((a) != CM_PRI_CREDENTIAL_STORE) && ((a) != CM_SYS_CREDENTIAL_STORE)) +#define CM_LEVEL_CHECK(a) \ + (((a) != CM_AUTH_STORAGE_LEVEL_EL1) && ((a) != CM_AUTH_STORAGE_LEVEL_EL2) && ((a) != CM_AUTH_STORAGE_LEVEL_EL4)) #define CA_STORE_PATH_SYSTEM "/etc/security/certificates" #define CA_STORE_PATH_USER_SANDBOX_BASE "/data/certificates/user_cacerts/" @@ -376,12 +380,19 @@ struct CmSignatureSpec { uint32_t digest; }; +enum CmAuthStorageLevel { + CM_AUTH_STORAGE_LEVEL_EL1 = 1, + CM_AUTH_STORAGE_LEVEL_EL2 = 2, + CM_AUTH_STORAGE_LEVEL_EL4 = 4, +}; + struct CmAppCertParam { struct CmBlob *appCert; struct CmBlob *appCertPwd; struct CmBlob *certAlias; uint32_t store; uint32_t userId; + enum CmAuthStorageLevel level; }; struct CertName { diff --git a/interfaces/innerkits/cert_manager_standard/main/src/cert_manager_api.c b/interfaces/innerkits/cert_manager_standard/main/src/cert_manager_api.c index 11fb015..db9dec4 100644 --- a/interfaces/innerkits/cert_manager_standard/main/src/cert_manager_api.c +++ b/interfaces/innerkits/cert_manager_standard/main/src/cert_manager_api.c @@ -80,16 +80,40 @@ CM_API_EXPORT int32_t CmSetCertStatus(const struct CmBlob *certUri, const uint32 return ret; } +CM_API_EXPORT int32_t CmInstallAppCertEx(const struct CmAppCertParam *certParam, struct CmBlob *keyUri) +{ + CM_LOG_D("enter install app certificate extension"); + /* The store must be private, and the userid must be invalid */ + if (certParam == NULL || certParam->appCert == NULL || certParam->appCertPwd == NULL|| + certParam->certAlias == NULL || keyUri == NULL || certParam->userId != INIT_INVALID_VALUE || + keyUri->data == NULL || certParam->store != CM_PRI_CREDENTIAL_STORE || CM_LEVEL_CHECK(certParam->level)) { + CM_LOG_E("an error in the parameters of installing the application certificate ex."); + return CMR_ERROR_INVALID_ARGUMENT; + } + + int32_t ret = CmClientInstallAppCert(certParam, keyUri); + CM_LOG_D("leave install app certificate extension, result = %d", ret); + return ret; +} + CM_API_EXPORT int32_t CmInstallAppCert(const struct CmBlob *appCert, const struct CmBlob *appCertPwd, const struct CmBlob *certAlias, const uint32_t store, struct CmBlob *keyUri) { CM_LOG_D("enter install app certificate"); if (appCert == NULL || appCertPwd == NULL || certAlias == NULL || keyUri == NULL || keyUri->data == NULL || CM_STORE_CHECK(store)) { + CM_LOG_E("an error in the parameters of installing the application certificate."); return CMR_ERROR_INVALID_ARGUMENT; } - int32_t ret = CmClientInstallAppCert(appCert, appCertPwd, certAlias, store, keyUri); + /* The public credentials are at the EL2 level. */ + enum CmAuthStorageLevel level = (store == CM_CREDENTIAL_STORE) ? CM_AUTH_STORAGE_LEVEL_EL2 : + CM_AUTH_STORAGE_LEVEL_EL1; + + struct CmAppCertParam certParam = { (struct CmBlob *)appCert, (struct CmBlob *)appCertPwd, + (struct CmBlob *)certAlias, store, INIT_INVALID_VALUE, level }; + + int32_t ret = CmClientInstallAppCert(&certParam, keyUri); CM_LOG_D("leave install app certificate, result = %d", ret); return ret; } diff --git a/interfaces/kits/napi/include/cm_napi_install_app_cert_common.h b/interfaces/kits/napi/include/cm_napi_install_app_cert_common.h index c7c6637..5a7f3a9 100644 --- a/interfaces/kits/napi/include/cm_napi_install_app_cert_common.h +++ b/interfaces/kits/napi/include/cm_napi_install_app_cert_common.h @@ -18,6 +18,7 @@ #include "napi/native_api.h" #include "napi/native_node_api.h" +#include "cm_type.h" struct InstallAppCertAsyncContextT { napi_async_work asyncWork = nullptr; @@ -30,6 +31,9 @@ struct InstallAppCertAsyncContextT { struct CmBlob *keyAlias = nullptr; struct CmBlob *keyUri = nullptr; uint32_t store = 0; + + /* add auth storage level: default el1, only valid while install private cert */ + enum CmAuthStorageLevel level = CM_AUTH_STORAGE_LEVEL_EL1; }; using InstallAppCertAsyncContext = InstallAppCertAsyncContextT *; diff --git a/interfaces/kits/napi/src/cm_napi.cpp b/interfaces/kits/napi/src/cm_napi.cpp index fac2296..9fcc132 100644 --- a/interfaces/kits/napi/src/cm_napi.cpp +++ b/interfaces/kits/napi/src/cm_napi.cpp @@ -121,6 +121,17 @@ namespace CMNapi { AddInt32Property(env, scope, "GLOBAL_USER", CM_GLOBAL_USER); return scope; } + + static napi_value CreateAuthStorageLevel(napi_env env) + { + napi_value level = nullptr; + NAPI_CALL(env, napi_create_object(env, &level)); + + AddInt32Property(env, level, "EL1", CM_AUTH_STORAGE_LEVEL_EL1); + AddInt32Property(env, level, "EL2", CM_AUTH_STORAGE_LEVEL_EL2); + AddInt32Property(env, level, "EL4", CM_AUTH_STORAGE_LEVEL_EL4); + return level; + } } // namespace CertManagerNapi using namespace CMNapi; @@ -135,6 +146,7 @@ extern "C" { DECLARE_NAPI_PROPERTY("CmKeyPadding", CreateCMKeyPadding(env)), DECLARE_NAPI_PROPERTY("CertType", CreateCertType(env)), DECLARE_NAPI_PROPERTY("CertScope", CreateCertScope(env)), + DECLARE_NAPI_PROPERTY("AuthStorageLevel", CreateAuthStorageLevel(env)), /* system ca */ DECLARE_NAPI_FUNCTION("getSystemTrustedCertificateList", CMNapiGetSystemCertList), diff --git a/interfaces/kits/napi/src/cm_napi_install_app_cert_common.cpp b/interfaces/kits/napi/src/cm_napi_install_app_cert_common.cpp index 150a1d4..f05e49b 100644 --- a/interfaces/kits/napi/src/cm_napi_install_app_cert_common.cpp +++ b/interfaces/kits/napi/src/cm_napi_install_app_cert_common.cpp @@ -76,19 +76,41 @@ static napi_value GetCredAlias(napi_env env, napi_value napiObject, CmBlob *&cer return ParseCertAlias(env, napiObject, certAlias); } +static napi_value GetLevelOrCallback(napi_env env, InstallAppCertAsyncContext context, napi_value napiObject) +{ + napi_valuetype type = napi_undefined; + NAPI_CALL(env, napi_typeof(env, napiObject, &type)); + if (type == napi_number) { + uint32_t level = CM_AUTH_STORAGE_LEVEL_EL1; + napi_value result = ParseUint32(env, napiObject, level); + if (result == nullptr || CM_LEVEL_CHECK(level)) { + ThrowError(env, PARAM_ERROR, "level is not a uint32 or level is invalid."); + CM_LOG_E("could not get level"); + return nullptr; + } + context->level = (enum CmAuthStorageLevel)level; + } else { + int32_t ret = GetCallback(env, napiObject, context->callback); + if (ret != CM_SUCCESS) { + ThrowError(env, PARAM_ERROR, "Get callback failed, callback must be a function."); + CM_LOG_E("get callback function faild when install application cert"); + return nullptr; + } + } + return GetInt32(env, 0); +} + napi_value InstallAppCertParseParams( napi_env env, napi_callback_info info, InstallAppCertAsyncContext context, uint32_t store) { size_t argc = CM_NAPI_INSTALL_APP_CERT_MAX_ARGS; napi_value argv[CM_NAPI_INSTALL_APP_CERT_MAX_ARGS] = { nullptr }; NAPI_CALL(env, napi_get_cb_info(env, info, &argc, argv, nullptr, nullptr)); - if ((argc != CM_NAPI_INSTALL_APP_CERT_MIN_ARGS) && (argc != CM_NAPI_INSTALL_APP_CERT_MAX_ARGS)) { ThrowError(env, PARAM_ERROR, "arguments count invalid, arguments count need between 3 and 4."); CM_LOG_E("arguments count invalid. argc = %d", argc); return nullptr; } - size_t index = 0; context->keystore = static_cast(CmMalloc(sizeof(CmBlob))); if (context->keystore == nullptr) { @@ -96,7 +118,6 @@ napi_value InstallAppCertParseParams( return nullptr; } (void)memset_s(context->keystore, sizeof(CmBlob), 0, sizeof(CmBlob)); - napi_value result = GetUint8Array(env, argv[index], *context->keystore); if (result == nullptr) { ThrowError(env, PARAM_ERROR, "keystore is not a uint8Array or the length is 0 or too long."); @@ -121,15 +142,12 @@ napi_value InstallAppCertParseParams( } index++; + context->level = CM_AUTH_STORAGE_LEVEL_EL1; if (index < argc) { - int32_t ret = GetCallback(env, argv[index], context->callback); - if (ret != CM_SUCCESS) { - ThrowError(env, PARAM_ERROR, "Get callback failed, callback must be a function."); - CM_LOG_E("get callback function faild when install application cert"); + if (GetLevelOrCallback(env, context, argv[index]) == nullptr) { return nullptr; } } - return GetInt32(env, 0); } @@ -175,6 +193,40 @@ static napi_value GenAppCertBusinessError(napi_env env, int32_t errorCode, uint3 return GenerateBusinessError(env, errorCode); } +static void InstallAppCertExecute(napi_env env, void *data) +{ + InstallAppCertAsyncContext context = static_cast(data); + InitKeyUri(context->keyUri); + if (context->store == CM_PRI_CREDENTIAL_STORE) { + struct CmAppCertParam certParam = { (struct CmBlob *)context->keystore, (struct CmBlob *)context->keystorePwd, + (struct CmBlob *)context->keyAlias, context->store, INIT_INVALID_VALUE, context->level }; + + context->result = CmInstallAppCertEx(&certParam, context->keyUri); + } else { + context->result = CmInstallAppCert(context->keystore, + context->keystorePwd, context->keyAlias, context->store, context->keyUri); + } +} + +static void InstallAppCertComplete(napi_env env, napi_status status, void *data) +{ + InstallAppCertAsyncContext context = static_cast(data); + napi_value result[RESULT_NUMBER] = { nullptr }; + if (context->result == CM_SUCCESS) { + NAPI_CALL_RETURN_VOID(env, napi_create_uint32(env, 0, &result[0])); + result[1] = InstallAppCertWriteResult(env, context); + } else { + result[0] = GenAppCertBusinessError(env, context->result, context->store); + NAPI_CALL_RETURN_VOID(env, napi_get_undefined(env, &result[1])); + } + if (context->deferred != nullptr) { + GeneratePromise(env, context->deferred, context->result, result, CM_ARRAY_SIZE(result)); + } else { + GenerateCallback(env, context->callback, result, CM_ARRAY_SIZE(result), context->result); + } + DeleteInstallAppCertAsyncContext(env, context); +} + napi_value InstallAppCertAsyncWork(napi_env env, InstallAppCertAsyncContext asyncContext) { napi_value promise = nullptr; @@ -184,32 +236,9 @@ napi_value InstallAppCertAsyncWork(napi_env env, InstallAppCertAsyncContext asyn NAPI_CALL(env, napi_create_string_latin1(env, "InstallAppCertAsyncWork", NAPI_AUTO_LENGTH, &resourceName)); NAPI_CALL(env, napi_create_async_work( - env, - nullptr, - resourceName, - [](napi_env env, void *data) { - InstallAppCertAsyncContext context = static_cast(data); - InitKeyUri(context->keyUri); - context->result = CmInstallAppCert(context->keystore, - context->keystorePwd, context->keyAlias, context->store, context->keyUri); - }, - [](napi_env env, napi_status status, void *data) { - InstallAppCertAsyncContext context = static_cast(data); - napi_value result[RESULT_NUMBER] = { nullptr }; - if (context->result == CM_SUCCESS) { - NAPI_CALL_RETURN_VOID(env, napi_create_uint32(env, 0, &result[0])); - result[1] = InstallAppCertWriteResult(env, context); - } else { - result[0] = GenAppCertBusinessError(env, context->result, context->store); - NAPI_CALL_RETURN_VOID(env, napi_get_undefined(env, &result[1])); - } - if (context->deferred != nullptr) { - GeneratePromise(env, context->deferred, context->result, result, CM_ARRAY_SIZE(result)); - } else { - GenerateCallback(env, context->callback, result, CM_ARRAY_SIZE(result), context->result); - } - DeleteInstallAppCertAsyncContext(env, context); - }, + env, nullptr, resourceName, + InstallAppCertExecute, + InstallAppCertComplete, static_cast(asyncContext), &asyncContext->asyncWork)); diff --git a/interfaces/kits/napi/src/dialog/cm_napi_dialog_common.cpp b/interfaces/kits/napi/src/dialog/cm_napi_dialog_common.cpp index e069787..9e1bdc2 100644 --- a/interfaces/kits/napi/src/dialog/cm_napi_dialog_common.cpp +++ b/interfaces/kits/napi/src/dialog/cm_napi_dialog_common.cpp @@ -26,7 +26,7 @@ #define BYTE_SHIFT_16 0x10 #define BYTE_SHIFT_8 0x08 -#define BYTE_SHIFT_6 6 +#define BYTE_SHIFT_6 0x06 #define BASE64_URL_TABLE_SIZE 0x3F #define BASE64_GROUP_NUM 3 #define BYTE_INDEX_ZONE 0 @@ -50,7 +50,7 @@ static const std::string DIALOG_INSTALL_FAILED_MSG = "the user install certifica " in the certificate manager dialog"; static const std::string DIALOG_NOT_SUPPORTED_MSG = "the API is not supported on this device"; -static const std::string DIOLOG_OPERATION_FAILED_MSG = "the user operation failed " +static const std::string DIALOG_OPERATION_FAILED_MSG = "the user operation failed " "in the certification manager dialog: "; static const std::string PARSE_CERT_FAILED_MSG = "parse the certificate failed."; static const std::string ADVANCED_SECURITY_MSG = "the device enters advanced security mode."; @@ -94,12 +94,12 @@ static const std::unordered_map DIALOG_CODE_TO_MSG_MAP = { { CMR_DIALOG_ERROR_NOT_ENTERPRISE_DEVICE, NOT_ENTERPRISE_DEVICE_MSG }, { CMR_DIALOG_ERROR_PARAM_INVALID, DIALOG_INVALID_PARAMS_MSG }, - { CMR_DIALOG_ERROR_PARSE_CERT_FAILED, DIOLOG_OPERATION_FAILED_MSG + PARSE_CERT_FAILED_MSG }, - { CMR_DIALOG_ERROR_ADVANCED_SECURITY, DIOLOG_OPERATION_FAILED_MSG + ADVANCED_SECURITY_MSG }, - { CMR_DIALOG_ERROR_INCORRECT_FORMAT, DIOLOG_OPERATION_FAILED_MSG + INCORRECT_FORMAT_MSG }, - { CMR_DIALOG_ERROR_MAX_QUANTITY_REACHED, DIOLOG_OPERATION_FAILED_MSG + MAX_QUANTITY_REACHED_MSG }, - { CMR_DIALOG_ERROR_SA_INTERNAL_ERROR, DIOLOG_OPERATION_FAILED_MSG + SA_INTERNAL_ERROR_MSG }, - { CMR_DIALOG_ERROR_NOT_EXIST, DIOLOG_OPERATION_FAILED_MSG + NOT_EXIST_MSG }, + { CMR_DIALOG_ERROR_PARSE_CERT_FAILED, DIALOG_OPERATION_FAILED_MSG + PARSE_CERT_FAILED_MSG }, + { CMR_DIALOG_ERROR_ADVANCED_SECURITY, DIALOG_OPERATION_FAILED_MSG + ADVANCED_SECURITY_MSG }, + { CMR_DIALOG_ERROR_INCORRECT_FORMAT, DIALOG_OPERATION_FAILED_MSG + INCORRECT_FORMAT_MSG }, + { CMR_DIALOG_ERROR_MAX_QUANTITY_REACHED, DIALOG_OPERATION_FAILED_MSG + MAX_QUANTITY_REACHED_MSG }, + { CMR_DIALOG_ERROR_SA_INTERNAL_ERROR, DIALOG_OPERATION_FAILED_MSG + SA_INTERNAL_ERROR_MSG }, + { CMR_DIALOG_ERROR_NOT_EXIST, DIALOG_OPERATION_FAILED_MSG + NOT_EXIST_MSG }, }; } // namespace diff --git a/services/cert_manager_standard/cert_manager_engine/main/core/include/cert_manager.h b/services/cert_manager_standard/cert_manager_engine/main/core/include/cert_manager.h index 1f9cbb5..48f68e6 100644 --- a/services/cert_manager_standard/cert_manager_engine/main/core/include/cert_manager.h +++ b/services/cert_manager_standard/cert_manager_engine/main/core/include/cert_manager.h @@ -30,6 +30,16 @@ extern "C" { #define APP_CA_STORE "/data/service/el1/public/cert_manager_service/certificates/priv_credential/" #define CREDENTIAL_STORE "./certificates/credential/" +/* Store it in the database. */ +struct CertPropertyOri { + const struct CmContext *context; + struct CmBlob *uri; + struct CmBlob *alias; + struct CmBlob *subjectName; + uint32_t store; + enum CmAuthStorageLevel level; +}; + int32_t CertManagerInitialize(void); int32_t CertManagerFindCertFileNameByUri( @@ -85,8 +95,7 @@ int32_t CmRemoveBackupUserCert(const struct CmContext *context, const struct CmB int32_t CmGetDisplayNameByURI(const struct CmBlob *uri, const char *object, struct CmBlob *displayName); -int32_t RdbInsertCertProperty(const struct CmContext *context, const struct CmBlob *uri, - const struct CmBlob *alias, const struct CmBlob *subjectName, uint32_t store); +int32_t RdbInsertCertProperty(const struct CertPropertyOri *propertyOri); int32_t GetObjNameFromCertData(const struct CmBlob *certData, const struct CmBlob *certAlias, struct CmBlob *objectName); diff --git a/services/cert_manager_standard/cert_manager_engine/main/core/include/cert_manager_auth_mgr.h b/services/cert_manager_standard/cert_manager_engine/main/core/include/cert_manager_auth_mgr.h index c7db762..2ee4c17 100755 --- a/services/cert_manager_standard/cert_manager_engine/main/core/include/cert_manager_auth_mgr.h +++ b/services/cert_manager_standard/cert_manager_engine/main/core/include/cert_manager_auth_mgr.h @@ -32,7 +32,7 @@ int32_t CmAuthIsAuthorizedApp(const struct CmContext *context, const struct CmBl int32_t CmAuthRemoveGrantedApp(const struct CmContext *context, const struct CmBlob *keyUri, uint32_t appUid); -int32_t CmAuthDeleteAuthInfo(const struct CmContext *context, const struct CmBlob *uri); +int32_t CmAuthDeleteAuthInfo(const struct CmContext *context, const struct CmBlob *uri, enum CmAuthStorageLevel level); int32_t CmAuthDeleteAuthInfoByUserId(uint32_t userId, const struct CmBlob *uri); diff --git a/services/cert_manager_standard/cert_manager_engine/main/core/include/cert_manager_key_operation.h b/services/cert_manager_standard/cert_manager_engine/main/core/include/cert_manager_key_operation.h index bc8ed23..04855ee 100755 --- a/services/cert_manager_standard/cert_manager_engine/main/core/include/cert_manager_key_operation.h +++ b/services/cert_manager_standard/cert_manager_engine/main/core/include/cert_manager_key_operation.h @@ -34,21 +34,23 @@ struct CmKeyProperties { uint32_t padding; uint32_t digest; uint32_t purpose; + enum CmAuthStorageLevel level; /* 添加level */ }; -int32_t CmKeyOpGenMacKey(const struct CmBlob *alias); +int32_t CmKeyOpGenMacKey(const struct CmBlob *alias, enum CmAuthStorageLevel level); int32_t CmKeyOpGenMacKeyIfNotExist(const struct CmBlob *alias); -int32_t CmKeyOpDeleteKey(const struct CmBlob *alias); +int32_t CmKeyOpDeleteKey(const struct CmBlob *alias, enum CmAuthStorageLevel level); -int32_t CmKeyOpCalcMac(const struct CmBlob *alias, const struct CmBlob *srcData, struct CmBlob *mac); +int32_t CmKeyOpCalcMac(const struct CmBlob *alias, const struct CmBlob *srcData, + struct CmBlob *mac, enum CmAuthStorageLevel level); int32_t CmKeyOpImportKey(const struct CmBlob *alias, const struct CmKeyProperties *properties, const struct CmBlob *keyPair); int32_t CmKeyOpInit(const struct CmContext *context, const struct CmBlob *alias, const struct CmSignatureSpec *spec, - struct CmBlob *handle); + enum CmAuthStorageLevel level, struct CmBlob *handle); int32_t CmKeyOpProcess(enum CmSignVerifyCmd cmdId, const struct CmContext *context, const struct CmBlob *handle, const struct CmBlob *inData, struct CmBlob *outData); diff --git a/services/cert_manager_standard/cert_manager_engine/main/core/include/cert_manager_query.h b/services/cert_manager_standard/cert_manager_engine/main/core/include/cert_manager_query.h index a08d291..a69e867 100755 --- a/services/cert_manager_standard/cert_manager_engine/main/core/include/cert_manager_query.h +++ b/services/cert_manager_standard/cert_manager_engine/main/core/include/cert_manager_query.h @@ -41,6 +41,8 @@ uint32_t CmGetMatchedCertIndex(const struct CmMutableBlob *certFileList, const s void CmFreeCertFiles(struct CertFileInfo *cFileList, uint32_t certCount); void CmFreePathList(struct CmMutableBlob *pList, uint32_t pathCount); + +int32_t GetRdbAuthStorageLevel(const struct CmBlob *keyUri, enum CmAuthStorageLevel *level); #ifdef __cplusplus } #endif diff --git a/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager.c b/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager.c index 2213461..fb64e7f 100644 --- a/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager.c +++ b/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager.c @@ -27,6 +27,7 @@ #include "cert_manager_status.h" #include "cert_manager_storage.h" #include "cert_manager_uri.h" +#include "cert_manager_query.h" #include "cm_cert_property_rdb.h" #include "cert_manager_crypto_operation.h" #include "cm_log.h" @@ -214,9 +215,16 @@ int32_t CmRemoveAppCert(const struct CmContext *context, const struct CmBlob *ke const uint32_t store) { ASSERT_ARGS(context && keyUri && keyUri->data && keyUri->size); - int32_t ret; + + enum CmAuthStorageLevel level; + int32_t ret = GetRdbAuthStorageLevel(keyUri, &level); + if (ret != CM_SUCCESS) { + CM_LOG_E("get rdb auth storage level failed, ret = %d", ret); + return ret; + } + if (store == CM_CREDENTIAL_STORE) { - ret = CmAuthDeleteAuthInfo(context, keyUri); + ret = CmAuthDeleteAuthInfo(context, keyUri, level); if (ret != CM_SUCCESS) { CM_LOG_E("delete auth info failed when remove app certificate."); /* ignore ret code, only record log */ } @@ -241,7 +249,7 @@ int32_t CmRemoveAppCert(const struct CmContext *context, const struct CmBlob *ke CM_LOG_E("CertManagerFileRemove failed ret: %d", ret); return ret; } - ret = CmKeyOpDeleteKey(keyUri); + ret = CmKeyOpDeleteKey(keyUri, level); if (ret != CM_SUCCESS) { /* ignore the return of deleteKey */ CM_LOG_E("CertManagerKeyRemove failed, ret: %d", ret); } @@ -249,13 +257,14 @@ int32_t CmRemoveAppCert(const struct CmContext *context, const struct CmBlob *ke return CMR_OK; } -static void ClearAuthInfo(const struct CmContext *context, const struct CmBlob *keyUri, const uint32_t store) +static void ClearAuthInfo(const struct CmContext *context, const struct CmBlob *keyUri, const uint32_t store, + enum CmAuthStorageLevel level) { if (store != CM_CREDENTIAL_STORE) { return; } - int32_t ret = CmAuthDeleteAuthInfo(context, keyUri); + int32_t ret = CmAuthDeleteAuthInfo(context, keyUri, level); if (ret != CM_SUCCESS) { CM_LOG_E("delete auth info failed."); /* ignore ret code, only record log */ } @@ -361,7 +370,7 @@ int32_t CmGetUri(const char *filePath, struct CmBlob *uriBlob) return CM_SUCCESS; } -static int32_t GetUriAndDeleteRdbData(const char *filePath, struct CmBlob *uriBlob) +static int32_t GetUriAndDeleteRdbData(const char *filePath, struct CmBlob *uriBlob, enum CmAuthStorageLevel *level) { int32_t ret = CmGetUri(filePath, uriBlob); if (ret != CM_SUCCESS) { @@ -369,6 +378,12 @@ static int32_t GetUriAndDeleteRdbData(const char *filePath, struct CmBlob *uriBl return ret; } + ret = GetRdbAuthStorageLevel(uriBlob, level); + if (ret != CM_SUCCESS) { + CM_LOG_E("get rdb auth storage level failed, ret = %d", ret); + return ret; + } + ret = DeleteCertProperty((char *)uriBlob->data); if (ret != CM_SUCCESS) { CM_LOG_E("Failed delete cert: %s rdbData", (char *)uriBlob->data); @@ -396,8 +411,12 @@ static int32_t CmRemoveSpecifiedAppCert(const struct CmContext *context, const u break; } - if (CmUserIdLayerGetFileCountAndNames(pathBuf, fileNames, MAX_COUNT_CERTIFICATE, &fileCount) != CM_SUCCESS) { - ret = CM_FAILURE; + if (store == CM_CREDENTIAL_STORE) { + ret = CmUidLayerGetFileCountAndNames(pathBuf, fileNames, MAX_COUNT_CERTIFICATE, &fileCount); + } else { + ret = CmUserIdLayerGetFileCountAndNames(pathBuf, fileNames, MAX_COUNT_CERTIFICATE, &fileCount); + } + if (ret != CM_SUCCESS) { CM_LOG_E("Get file count and names from path faild"); break; } @@ -410,19 +429,19 @@ static int32_t CmRemoveSpecifiedAppCert(const struct CmContext *context, const u uriBlob.size = sizeof(uriBuf); (void)memset_s(uriBuf, uriBlob.size, 0, uriBlob.size); - if (GetUriAndDeleteRdbData((char *)fileNames[i].data, &uriBlob) != CM_SUCCESS) { + enum CmAuthStorageLevel level; + if (GetUriAndDeleteRdbData((char *)fileNames[i].data, &uriBlob, &level) != CM_SUCCESS) { CM_LOG_E("Get uri failed"); continue; } - int32_t retCode = CmKeyOpDeleteKey(&uriBlob); + int32_t retCode = CmKeyOpDeleteKey(&uriBlob, level); if (retCode != CM_SUCCESS) { /* ignore the return of deleteKey */ CM_LOG_E("App key %u remove failed ret: %d", i, retCode); } - ClearAuthInfo(context, &uriBlob, store); + ClearAuthInfo(context, &uriBlob, store, level); } } while (0); - CmFreeFileNames(fileNames, MAX_COUNT_CERTIFICATE); return ret; } @@ -496,7 +515,7 @@ int32_t CmServiceGetCallingAppCertList(const struct CmContext *context, uint32_t CM_LOG_E("Get file path for store:%u faild", store); return CM_FAILURE; } - + ret = CmUidLayerGetFileCountAndNames(pathBuf, fileNames, fileSize, fileCount); if (ret != CM_SUCCESS) { CM_LOG_E("Get file count and names from path faild ret:%d", ret); @@ -684,35 +703,36 @@ static const char* GetCertType(uint32_t store) return NULL; } -int32_t RdbInsertCertProperty(const struct CmContext *context, const struct CmBlob *uri, - const struct CmBlob *alias, const struct CmBlob *subjectName, uint32_t store) +int32_t RdbInsertCertProperty(const struct CertPropertyOri *propertyOri) { struct CertProperty certProp; (void)memset_s(&certProp, sizeof(struct CertProperty), 0, sizeof(struct CertProperty)); - certProp.userId = (int32_t)context->userId; - certProp.uid = (int32_t)context->uid; + certProp.userId = (int32_t)propertyOri->context->userId; + certProp.uid = (int32_t)propertyOri->context->uid; + certProp.level = propertyOri->level; - const char *certType = GetCertType(store); + const char *certType = GetCertType(propertyOri->store); if (certType == NULL) { - CM_LOG_E("Type %d does not support installation", store); + CM_LOG_E("Type does not support installation"); return CMR_ERROR_INVALID_ARGUMENT; } - certProp.certStore = (int32_t)store; - if (memcpy_s(certProp.certType, MAX_LEN_CERT_TYPE, certType, strlen(certType)) != CM_SUCCESS) { + certProp.certStore = (int32_t)propertyOri->store; + if (memcpy_s(certProp.certType, MAX_LEN_CERT_TYPE, certType, strlen(certType)) != EOK) { CM_LOG_E("memcpy certType fail"); return CMR_ERROR_INVALID_OPERATION; } - if (memcpy_s(certProp.uri, MAX_LEN_URI, (char *)uri->data, uri->size) != CM_SUCCESS) { + if (memcpy_s(certProp.uri, MAX_LEN_URI, (char *)propertyOri->uri->data, propertyOri->uri->size) != EOK) { CM_LOG_E("memcpy uri fail"); return CMR_ERROR_INVALID_OPERATION; } - if (memcpy_s(certProp.alias, MAX_LEN_CERT_ALIAS, (char *)alias->data, alias->size) != CM_SUCCESS) { + if (memcpy_s(certProp.alias, MAX_LEN_CERT_ALIAS, (char *)propertyOri->alias->data, propertyOri->alias->size) + != EOK) { CM_LOG_E("memcpy subjectName fail"); return CMR_ERROR_INVALID_OPERATION; } - if (memcpy_s(certProp.subjectName, MAX_LEN_SUBJECT_NAME, (char *)subjectName->data, subjectName->size) - != CM_SUCCESS) { + if (memcpy_s(certProp.subjectName, MAX_LEN_SUBJECT_NAME, (char *)propertyOri->subjectName->data, + propertyOri->subjectName->size) != EOK) { CM_LOG_E("memcpy subjectName fail"); return CMR_ERROR_INVALID_OPERATION; } diff --git a/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager_app_cert_process.c b/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager_app_cert_process.c index 4a3af16..65118c8 100644 --- a/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager_app_cert_process.c +++ b/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager_app_cert_process.c @@ -14,6 +14,7 @@ */ #include "cert_manager_app_cert_process.h" +#include "cert_manager_auth_list_mgr.h" #include #include @@ -34,6 +35,7 @@ #include "cert_manager_crypto_operation.h" #include "cert_manager_service.h" #include "cert_manager_uri.h" +#include "cert_manager_query.h" #include "cm_log.h" #include "cm_pfx.h" #include "cm_type.h" @@ -230,7 +232,7 @@ static int32_t SaveKeyMaterialCurve25519(uint32_t algType, const EVP_PKEY *pKey, return CM_SUCCESS; } -static int32_t ImportRsaKey(const EVP_PKEY *priKey, const struct CmBlob *keyUri) +static int32_t ImportRsaKey(const EVP_PKEY *priKey, const struct CmBlob *keyUri, enum CmAuthStorageLevel level) { struct CmBlob keyPair = { 0, NULL }; int32_t ret; @@ -253,6 +255,7 @@ static int32_t ImportRsaKey(const EVP_PKEY *priKey, const struct CmBlob *keyUri) .algType = HKS_ALG_RSA, .keySize = keySize, .purpose = CM_KEY_PURPOSE_SIGN | CM_KEY_PURPOSE_VERIFY, + .level = level, }; ret = CmKeyOpImportKey(keyUri, &props, &keyPair); @@ -268,7 +271,7 @@ static int32_t ImportRsaKey(const EVP_PKEY *priKey, const struct CmBlob *keyUri) return ret; } -static int32_t ImportEccKey(const EVP_PKEY *priKey, const struct CmBlob *keyUri) +static int32_t ImportEccKey(const EVP_PKEY *priKey, const struct CmBlob *keyUri, enum CmAuthStorageLevel level) { struct CmBlob keyPair = { 0, NULL }; int32_t ret; @@ -296,6 +299,7 @@ static int32_t ImportEccKey(const EVP_PKEY *priKey, const struct CmBlob *keyUri) .algType = (uint32_t)algType, .keySize = keyLen, .purpose = CM_KEY_PURPOSE_SIGN | CM_KEY_PURPOSE_VERIFY, + .level = level, }; ret = CmKeyOpImportKey(keyUri, &props, &keyPair); @@ -312,7 +316,7 @@ static int32_t ImportEccKey(const EVP_PKEY *priKey, const struct CmBlob *keyUri) return ret; } -static int32_t ImportEd25519Key(const EVP_PKEY *priKey, const struct CmBlob *keyUri) +static int32_t ImportEd25519Key(const EVP_PKEY *priKey, const struct CmBlob *keyUri, enum CmAuthStorageLevel level) { struct CmBlob keyPair = { 0, NULL }; int32_t ret = SaveKeyMaterialCurve25519(HKS_ALG_ED25519, priKey, &keyPair); @@ -325,6 +329,7 @@ static int32_t ImportEd25519Key(const EVP_PKEY *priKey, const struct CmBlob *key .algType = HKS_ALG_ED25519, .keySize = HKS_CURVE25519_KEY_SIZE_256, .purpose = CM_KEY_PURPOSE_SIGN | CM_KEY_PURPOSE_VERIFY, + .level = level, }; ret = CmKeyOpImportKey(keyUri, &props, &keyPair); if (ret != CMR_OK) { @@ -338,15 +343,16 @@ static int32_t ImportEd25519Key(const EVP_PKEY *priKey, const struct CmBlob *key return ret; } -static int32_t ImportKeyPair(const EVP_PKEY *priKey, const struct CmBlob *keyUri) +static int32_t ImportKeyPair(const EVP_PKEY *priKey, const struct CmBlob *keyUri, + enum CmAuthStorageLevel level) { switch (EVP_PKEY_base_id(priKey)) { case EVP_PKEY_RSA: - return ImportRsaKey(priKey, keyUri); + return ImportRsaKey(priKey, keyUri, level); case EVP_PKEY_EC: - return ImportEccKey(priKey, keyUri); + return ImportEccKey(priKey, keyUri, level); case EVP_PKEY_ED25519: - return ImportEd25519Key(priKey, keyUri); + return ImportEd25519Key(priKey, keyUri, level); case NID_undef: CM_LOG_E("key's baseid is not specified"); return CMR_ERROR_INVALID_CERT_FORMAT; @@ -444,22 +450,51 @@ static int32_t GetCredCertName(const struct CmContext *context, const struct CmA return ret; } -static int32_t StoreKeyAndCert(const struct CmContext *context, uint32_t store, +static int32_t StoreKeyAndCert(const struct CmContext *context, const struct CmAppCertParam *param, struct AppCert *appCert, EVP_PKEY *priKey, struct CmBlob *keyUri) { - int32_t ret = CmCheckCertCount(context, store, (char *)keyUri->data); + int32_t ret = CmCheckCertCount(context, param->store, (char *)keyUri->data); if (ret != CM_SUCCESS) { CM_LOG_E("cert count beyond maxcount, can't install"); return CMR_ERROR_MAX_CERT_COUNT_REACHED; } + enum CmAuthStorageLevel level; + ret = GetRdbAuthStorageLevel(keyUri, &level); + /* Return "CM_SUCCESS" when no results are found in the query. */ + if (ret != CM_SUCCESS) { + CM_LOG_E("get rdb auth storage level failed, ret = %d", ret); + return ret; + } + + switch (param->store) { + case CM_PRI_CREDENTIAL_STORE: + /* The result is found, but the level does not match. */ + if (level != ERROR_LEVEL && level != param->level) { + ret = CmRemoveAppCert(context, keyUri, CM_PRI_CREDENTIAL_STORE); + if (ret != CM_SUCCESS) { + /* Don't return when the deletion fails to increase fault tolerance. */ + CM_LOG_E("remove private app cert failed, ret = %d", ret); + } + } + level = param->level; + break; + case CM_CREDENTIAL_STORE: + if (level == ERROR_LEVEL) { + level = CM_AUTH_STORAGE_LEVEL_EL2; + } + break; + default: + level = CM_AUTH_STORAGE_LEVEL_EL1; + break; + } - ret = ImportKeyPair(priKey, keyUri); + ret = ImportKeyPair(priKey, keyUri, level); if (ret != CM_SUCCESS) { CM_LOG_E("import key pair failed"); return ret; } - ret = StoreAppCert(context, appCert, store, keyUri); + ret = StoreAppCert(context, appCert, param->store, keyUri); if (ret != CM_SUCCESS) { CM_LOG_E("store App Cert failed"); return ret; @@ -494,13 +529,15 @@ int32_t CmInstallAppCertPro( break; } - ret = StoreKeyAndCert(context, certParam->store, &appCert, priKey, keyUri); + ret = StoreKeyAndCert(context, certParam, &appCert, priKey, keyUri); if (ret != CM_SUCCESS) { CM_LOG_E("StoreKeyAndCert fail"); break; } + struct CertPropertyOri propertyOri = { context, keyUri, &displayName, &subjectName, + certParam->store, certParam->level }; - ret = RdbInsertCertProperty(context, keyUri, &displayName, &subjectName, certParam->store); + ret = RdbInsertCertProperty(&propertyOri); if (ret != CM_SUCCESS) { CM_LOG_E("Failed to RdbInsertCertProperty"); break; diff --git a/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager_auth_mgr.c b/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager_auth_mgr.c index f3b4f7d..dd016d3 100755 --- a/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager_auth_mgr.c +++ b/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager_auth_mgr.c @@ -25,6 +25,7 @@ #include "cert_manager_session_mgr.h" #include "cert_manager_crypto_operation.h" #include "cert_manager_uri.h" +#include "cert_manager_query.h" #include "cm_log.h" #include "cm_util.h" @@ -190,7 +191,8 @@ static int32_t ConstructCommonUri(const struct CMUri *uriObj, struct CmBlob *com return CmConstructUri(&uri, commonUri); } -static int32_t CalcUriMac(const struct CMUri *uriObj, uint32_t clientUid, struct CmBlob *mac, bool isNeedGenKey) +static int32_t CalcUriMac(const struct CMUri *uriObj, uint32_t clientUid, struct CmBlob *mac, + bool isNeedGenKey, enum CmAuthStorageLevel level) { struct CmBlob toBeAuthedUri = { 0, NULL }; struct CmBlob macKeyUri = { 0, NULL }; @@ -212,14 +214,14 @@ static int32_t CalcUriMac(const struct CMUri *uriObj, uint32_t clientUid, struct } if (isNeedGenKey) { - ret = CmKeyOpGenMacKey(&macKeyUri); + ret = CmKeyOpGenMacKey(&macKeyUri, level); if (ret != CM_SUCCESS) { CM_LOG_E("generate mac key failed, ret = %d", ret); break; } } - ret = CmKeyOpCalcMac(&macKeyUri, &toBeAuthedUri, mac); + ret = CmKeyOpCalcMac(&macKeyUri, &toBeAuthedUri, mac, level); if (ret != CM_SUCCESS) { CM_LOG_E("calc mac failed, ret = %d", ret); break; @@ -231,7 +233,7 @@ static int32_t CalcUriMac(const struct CMUri *uriObj, uint32_t clientUid, struct return ret; } -static int32_t DeleteMacKey(const struct CMUri *uriObj, uint32_t clientUid) +static int32_t DeleteMacKey(const struct CMUri *uriObj, uint32_t clientUid, enum CmAuthStorageLevel level) { struct CmBlob macKeyUri = { 0, NULL }; int32_t ret; @@ -244,7 +246,7 @@ static int32_t DeleteMacKey(const struct CMUri *uriObj, uint32_t clientUid) break; } - ret = CmKeyOpDeleteKey(&macKeyUri); + ret = CmKeyOpDeleteKey(&macKeyUri, level); if (ret != CM_SUCCESS) { CM_LOG_E("delete mac key failed, ret = %d", ret); break; @@ -294,7 +296,8 @@ static int32_t ConstructAuthUri(const struct CMUri *uriObj, uint32_t clientUid, return ret; } -static int32_t GenerateAuthUri(const struct CMUri *uriObj, uint32_t clientUid, struct CmBlob *authUri) +static int32_t GenerateAuthUri(const struct CMUri *uriObj, uint32_t clientUid, + struct CmBlob *authUri, enum CmAuthStorageLevel level) { struct CmBlob tempAuthUri = { 0, NULL }; int32_t ret; @@ -302,7 +305,7 @@ static int32_t GenerateAuthUri(const struct CMUri *uriObj, uint32_t clientUid, s /* calc uri mac */ uint8_t macData[MAC_SHA256_LEN] = {0}; struct CmBlob mac = { sizeof(macData), macData }; - ret = CalcUriMac(uriObj, clientUid, &mac, true); + ret = CalcUriMac(uriObj, clientUid, &mac, true, level); if (ret != CM_SUCCESS) { CM_LOG_E("calc uri mac failed, ret = %d", ret); break; @@ -354,6 +357,13 @@ int32_t CmAuthGrantAppCertificate(const struct CmContext *context, const struct } do { + enum CmAuthStorageLevel level; + ret = GetRdbAuthStorageLevel(keyUri, &level); + if (ret != CM_SUCCESS) { + CM_LOG_E("get rdb auth storage level failed, ret = %d", ret); + break; + } + ret = CheckCallerIsProducer(context, &uriObj); if (ret != CM_SUCCESS) { CM_LOG_E("check caller userId/uid failed when grant, ret = %d", ret); @@ -361,7 +371,7 @@ int32_t CmAuthGrantAppCertificate(const struct CmContext *context, const struct } /* auth URI */ - ret = GenerateAuthUri(&uriObj, appUid, authUri); + ret = GenerateAuthUri(&uriObj, appUid, authUri, level); if (ret != CM_SUCCESS) { CM_LOG_E("construct auth URI failed, ret = %d", ret); break; @@ -458,7 +468,7 @@ static int32_t GetMacByteFromString(const char *macString, struct CmBlob *macByt return CM_SUCCESS; } -static int32_t CheckIsAuthorizedApp(const struct CMUri *uriObj) +static int32_t CheckIsAuthorizedApp(const struct CMUri *uriObj, enum CmAuthStorageLevel level) { if ((uriObj->clientApp == NULL) || (uriObj->mac == NULL)) { CM_LOG_E("invalid input auth uri"); @@ -482,7 +492,7 @@ static int32_t CheckIsAuthorizedApp(const struct CMUri *uriObj) return CMR_ERROR_INVALID_ARGUMENT; } - ret = CalcUriMac(uriObj, clientUid, &mac, false); + ret = CalcUriMac(uriObj, clientUid, &mac, false, level); if (ret != CM_SUCCESS) { CM_LOG_E("calc uri mac failed, ret = %d", ret); CM_FREE_PTR(macByte.data); @@ -509,10 +519,28 @@ int32_t CmAuthIsAuthorizedApp(const struct CmContext *context, const struct CmBl return ret; } - ret = CheckIsAuthorizedApp(&uriObj); - if (ret != CM_SUCCESS) { - CM_LOG_E("check is authed app failed, ret = %d", ret); - } + do { + struct CmBlob commonUri = { 0, NULL }; + ret = ConstructCommonUri(&uriObj, &commonUri, CM_CREDENTIAL_STORE); + if (ret != CM_SUCCESS) { + CM_LOG_E("construct common uri failed, ret = %d", ret); + break; + } + + enum CmAuthStorageLevel level; + ret = GetRdbAuthStorageLevel(&commonUri, &level); + if (ret != CM_SUCCESS) { + CM_LOG_E("get rdb auth storage level failed, ret = %d", ret); + break; + } + + ret = CheckIsAuthorizedApp(&uriObj, level); + if (ret != CM_SUCCESS) { + CM_LOG_E("check is authed app failed, ret = %d", ret); + break; + } + } while (0); + (void)CertManagerFreeUri(&uriObj); return ret; } @@ -530,6 +558,13 @@ int32_t CmAuthRemoveGrantedApp(const struct CmContext *context, const struct CmB } do { + enum CmAuthStorageLevel level; + ret = GetRdbAuthStorageLevel(keyUri, &level); + if (ret != CM_SUCCESS) { + CM_LOG_E("get rdb auth storage level failed, ret = %d", ret); + break; + } + ret = CheckCallerIsProducer(context, &uriObj); if (ret != CM_SUCCESS) { CM_LOG_E("check caller userId/uid failed when remove grant, ret = %d", ret); @@ -537,7 +572,7 @@ int32_t CmAuthRemoveGrantedApp(const struct CmContext *context, const struct CmB } /* delete mac key */ - ret = DeleteMacKey(&uriObj, appUid); + ret = DeleteMacKey(&uriObj, appUid, level); if (ret != CM_SUCCESS) { CM_LOG_E("delete mac key failed, ret = %d", ret); break; @@ -560,7 +595,8 @@ int32_t CmAuthRemoveGrantedApp(const struct CmContext *context, const struct CmB return ret; } -static int32_t DeleteAuthInfo(uint32_t userId, const struct CmBlob *uri, const struct CmAppUidList *appUidList) +static int32_t DeleteAuthInfo(uint32_t userId, const struct CmBlob *uri, const struct CmAppUidList *appUidList, + enum CmAuthStorageLevel level) { struct CMUri uriObj; (void)memset_s(&uriObj, sizeof(uriObj), 0, sizeof(uriObj)); @@ -572,7 +608,7 @@ static int32_t DeleteAuthInfo(uint32_t userId, const struct CmBlob *uri, const s do { for (uint32_t i = 0; i < appUidList->appUidCount; ++i) { - ret = DeleteMacKey(&uriObj, appUidList->appUid[i]); + ret = DeleteMacKey(&uriObj, appUidList->appUid[i], level); if (ret != CM_SUCCESS) { CM_LOG_E("delete mac key failed, ret = %d", ret); break; @@ -585,7 +621,7 @@ static int32_t DeleteAuthInfo(uint32_t userId, const struct CmBlob *uri, const s } /* clear auth info when delete public credential */ -int32_t CmAuthDeleteAuthInfo(const struct CmContext *context, const struct CmBlob *uri) +int32_t CmAuthDeleteAuthInfo(const struct CmContext *context, const struct CmBlob *uri, enum CmAuthStorageLevel level) { pthread_mutex_lock(&g_authMgrLock); struct CmAppUidList appUidList = { 0, NULL }; @@ -597,7 +633,7 @@ int32_t CmAuthDeleteAuthInfo(const struct CmContext *context, const struct CmBlo break; } - ret = DeleteAuthInfo(context->userId, uri, &appUidList); + ret = DeleteAuthInfo(context->userId, uri, &appUidList, level); if (ret != CM_SUCCESS) { CM_LOG_E("delete auth failed, ret = %d", ret); break; @@ -624,6 +660,7 @@ int32_t CmAuthDeleteAuthInfoByUserId(uint32_t userId, const struct CmBlob *uri) { pthread_mutex_lock(&g_authMgrLock); struct CmAppUidList appUidList = { 0, NULL }; + enum CmAuthStorageLevel level; int32_t ret; do { ret = CmGetAuthListByUserId(userId, uri, &appUidList); @@ -632,7 +669,13 @@ int32_t CmAuthDeleteAuthInfoByUserId(uint32_t userId, const struct CmBlob *uri) break; } - ret = DeleteAuthInfo(userId, uri, &appUidList); + ret = GetRdbAuthStorageLevel(uri, &level); + if (ret != CM_SUCCESS) { + CM_LOG_E("get rdb auth storage level failed, ret = %d", ret); + break; + } + + ret = DeleteAuthInfo(userId, uri, &appUidList, level); if (ret != CM_SUCCESS) { CM_LOG_E("delete auth failed, ret = %d", ret); break; @@ -654,39 +697,56 @@ int32_t CmAuthDeleteAuthInfoByUserId(uint32_t userId, const struct CmBlob *uri) int32_t CmAuthDeleteAuthInfoByUid(uint32_t userId, uint32_t targetUid, const struct CmBlob *uri) { pthread_mutex_lock(&g_authMgrLock); - bool isInAuthList = false; - int32_t ret = CmCheckIsAuthUidExistByUserId(userId, targetUid, uri, &isInAuthList); - if (ret != CM_SUCCESS) { - CM_LOG_E("check is in auth list failed, ret = %d", ret); - pthread_mutex_unlock(&g_authMgrLock); - return ret; - } + int32_t ret; + do { + bool isInAuthList = false; + ret = CmCheckIsAuthUidExistByUserId(userId, targetUid, uri, &isInAuthList); + if (ret != CM_SUCCESS) { + CM_LOG_E("check is in auth list failed, ret = %d", ret); + break; + } - if (!isInAuthList) { - pthread_mutex_unlock(&g_authMgrLock); - return CM_SUCCESS; - } + if (!isInAuthList) { + ret = CM_SUCCESS; + break; + } - uint32_t appUid[] = { targetUid }; - struct CmAppUidList appUidList = { sizeof(appUid) / sizeof(uint32_t), appUid }; - ret = DeleteAuthInfo(userId, uri, &appUidList); - if (ret != CM_SUCCESS) { - CM_LOG_E("delete mac key info failed, ret = %d", ret); - pthread_mutex_unlock(&g_authMgrLock); - return ret; - } + enum CmAuthStorageLevel level; + ret = GetRdbAuthStorageLevel(uri, &level); + if (ret != CM_SUCCESS) { + CM_LOG_E("get rdb auth storage level failed, ret = %d", ret); + break; + } - ret = CmRemoveAuthUidByUserId(userId, targetUid, uri); - if (ret != CM_SUCCESS) { - CM_LOG_E("remove auth uid by user id failed, ret = %d", ret); - } + uint32_t appUid[] = { targetUid }; + struct CmAppUidList appUidList = { sizeof(appUid) / sizeof(uint32_t), appUid }; + ret = DeleteAuthInfo(userId, uri, &appUidList, level); + if (ret != CM_SUCCESS) { + CM_LOG_E("delete mac key info failed, ret = %d", ret); + break; + } + + ret = CmRemoveAuthUidByUserId(userId, targetUid, uri); + if (ret != CM_SUCCESS) { + CM_LOG_E("remove auth uid by user id failed, ret = %d", ret); + break; + } + } while (0); pthread_mutex_unlock(&g_authMgrLock); return ret; } -static int32_t CheckCommonPermission(const struct CmContext *context, const struct CMUri *uriObj) +static int32_t CheckCommonPermission(const struct CmContext *context, const struct CMUri *uriObj, + const struct CmBlob *commonUri) { - int32_t ret = CheckCallerIsProducer(context, uriObj); + enum CmAuthStorageLevel level; + int32_t ret = GetRdbAuthStorageLevel(commonUri, &level); + if (ret != CM_SUCCESS) { + CM_LOG_E("get rdb auth storage level failed, ret = %d", ret); + return ret; + } + + ret = CheckCallerIsProducer(context, uriObj); if (ret == CM_SUCCESS) { return ret; } @@ -708,7 +768,7 @@ static int32_t CheckCommonPermission(const struct CmContext *context, const stru } CM_LOG_D("caller may be authed app, need check"); - return CheckIsAuthorizedApp(uriObj); + return CheckIsAuthorizedApp(uriObj, level); } int32_t CmCheckAndGetCommonUri(const struct CmContext *context, uint32_t store, const struct CmBlob *uri, @@ -725,18 +785,19 @@ int32_t CmCheckAndGetCommonUri(const struct CmContext *context, uint32_t store, } do { - if (store != CM_SYS_CREDENTIAL_STORE) { - ret = CheckCommonPermission(context, &uriObj); - if (ret != CM_SUCCESS) { - break; - } - } - ret = ConstructCommonUri(&uriObj, commonUri, store); if (ret != CM_SUCCESS) { CM_LOG_E("construct common uri failed, ret = %d", ret); break; } + + if (store != CM_SYS_CREDENTIAL_STORE) { + ret = CheckCommonPermission(context, &uriObj, commonUri); + if (ret != CM_SUCCESS) { + CM_FREE_PTR(commonUri->data); + break; + } + } } while (0); (void)CertManagerFreeUri(&uriObj); diff --git a/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager_check.c b/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager_check.c index c9bfc23..42b930b 100644 --- a/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager_check.c +++ b/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager_check.c @@ -219,6 +219,11 @@ int32_t CmServiceInstallAppCertCheck(const struct CmAppCertParam *certParam, str return CMR_ERROR_INVALID_ARGUMENT; } + if (CM_LEVEL_CHECK(certParam->level)) { + CM_LOG_E("CmInstallAppCertCheck level check fail, level:%u", certParam->level); + return CMR_ERROR_INVALID_ARGUMENT; + } + int32_t ret = CmCheckAppCert(certParam->appCert); if (ret != CM_SUCCESS) { return ret; diff --git a/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager_key_operation.c b/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager_key_operation.c index 9a16f45..9a791af 100755 --- a/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager_key_operation.c +++ b/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager_key_operation.c @@ -15,17 +15,22 @@ #include "cert_manager_key_operation.h" +#include "securec.h" + #include "cert_manager_mem.h" #include "cert_manager_session_mgr.h" #include "cert_manager_crypto_operation.h" +#include "cert_manager_uri.h" #include "cm_cert_property_rdb.h" #include "cm_log.h" #include "cm_type.h" +#include "cm_util.h" #include "hks_api.h" #include "hks_param.h" #include "hks_type.h" +#define HAP_USER_ID 100 struct PropertyToHuks { uint32_t cmProperty; uint32_t huksProperty; @@ -56,10 +61,63 @@ static struct PropertyToHuks g_cmDigestProperty[] = { { CM_DIGEST_SM3, HKS_DIGEST_SM3 }, }; +static struct PropertyToHuks g_cmLevelProperty[] = { + { CM_AUTH_STORAGE_LEVEL_EL1, HKS_AUTH_STORAGE_LEVEL_DE }, + { CM_AUTH_STORAGE_LEVEL_EL2, HKS_AUTH_STORAGE_LEVEL_CE }, + { CM_AUTH_STORAGE_LEVEL_EL4, HKS_AUTH_STORAGE_LEVEL_ECE }, +}; + #define INVALID_PROPERTY_VALUE 0xFFFF #define DEFAULT_LEN_USED_FOR_MALLOC 1024 -static int32_t ConstructParamSet(const struct HksParam *params, uint32_t paramCount, struct HksParamSet **outParamSet) +static int32_t AddUserIdParam(struct HksParamSet *paramSet, enum CmAuthStorageLevel level, const struct CmBlob *uri) +{ + if (level == CM_AUTH_STORAGE_LEVEL_EL1) { + CM_LOG_I("level is el1"); + return CM_SUCCESS; + } + struct CMUri uriObj; + (void)memset_s(&uriObj, sizeof(uriObj), 0, sizeof(uriObj)); + + int32_t ret = CertManagerUriDecode(&uriObj, (char *)uri->data); //uri->data已被校验有\0结尾 + if (ret != CM_SUCCESS) { + CM_LOG_E("Failed to decode uri, ret = %d", ret); + return ret; + } + do { + if (uriObj.user == NULL) { + CM_LOG_E("uri format is invalid"); + ret = CMR_ERROR_INVALID_ARGUMENT; + break; + } + + uint32_t userId = 0; + if (CmIsNumeric(uriObj.user, strlen(uriObj.user) + 1, &userId) != CM_SUCCESS) { + CM_LOG_E("parse string to uint32 failed."); + ret = CMR_ERROR_INVALID_ARGUMENT; + break; + } + /* If the caller is SA and the level is not EL1, + the initial value of userid needs to be set and passed to HUKS. */ + if (userId == 0) { + userId = HAP_USER_ID; + } + struct HksParam userIdParam = { + .tag = HKS_TAG_SPECIFIC_USER_ID, + .uint32Param = userId, + }; + ret = HksAddParams(paramSet, &userIdParam, 1); + if (ret != HKS_SUCCESS) { + CM_LOG_E("add userIdParam tag failed"); + break; + } + } while (0); + (void)CertManagerFreeUri(&uriObj); + return ret; +} + +static int32_t ConstructParamSet(const struct HksParam *params, uint32_t paramCount, struct HksParamSet **outParamSet, + enum CmAuthStorageLevel level, const struct CmBlob *uri) { struct HksParamSet *paramSet = NULL; int32_t ret = HksInitParamSet(¶mSet); @@ -68,6 +126,13 @@ static int32_t ConstructParamSet(const struct HksParam *params, uint32_t paramCo return ret; } + ret = AddUserIdParam(paramSet, level, uri); + if (ret != HKS_SUCCESS) { + CM_LOG_E("add userid param failed"); + HksFreeParamSet(¶mSet); + return ret; + } + ret = HksAddParams(paramSet, params, paramCount); if (ret != HKS_SUCCESS) { CM_LOG_E("add params failed"); @@ -101,19 +166,31 @@ static int32_t GetKeyAlias(struct HksBlob *keyAlias, struct CmBlob *encodeTarget return ret; } -int32_t CmKeyOpGenMacKey(const struct CmBlob *alias) +static uint32_t TranslateToHuksLevel(enum CmAuthStorageLevel level) +{ + uint32_t res = HKS_AUTH_STORAGE_LEVEL_DE; + for (int i = 0; i < CM_ARRAY_SIZE(g_cmLevelProperty); ++i) { + if (level == g_cmLevelProperty[i].cmProperty) { + res = (uint32_t)g_cmLevelProperty[i].huksProperty; + } + } + return res; +} + +int32_t CmKeyOpGenMacKey(const struct CmBlob *alias, enum CmAuthStorageLevel level) { + uint32_t huksAuthStorageLevel = TranslateToHuksLevel(level); struct HksParam genMacKeyParams[] = { { .tag = HKS_TAG_ALGORITHM, .uint32Param = HKS_ALG_HMAC }, { .tag = HKS_TAG_KEY_SIZE, .uint32Param = HKS_AES_KEY_SIZE_256 }, { .tag = HKS_TAG_PURPOSE, .uint32Param = HKS_KEY_PURPOSE_MAC }, { .tag = HKS_TAG_DIGEST, .uint32Param = HKS_DIGEST_SHA256 }, - { .tag = HKS_TAG_AUTH_STORAGE_LEVEL, .uint32Param = HKS_AUTH_STORAGE_LEVEL_DE }, + { .tag = HKS_TAG_AUTH_STORAGE_LEVEL, .uint32Param = huksAuthStorageLevel }, }; struct HksParamSet *paramSet = NULL; int32_t ret = ConstructParamSet(genMacKeyParams, sizeof(genMacKeyParams) / sizeof(struct HksParam), - ¶mSet); + ¶mSet, level, alias); if (ret != CM_SUCCESS) { CM_LOG_E("construct gen mac key paramSet failed"); return CMR_ERROR_KEY_OPERATION_FAILED; @@ -145,7 +222,8 @@ int32_t CmKeyOpGenMacKeyIfNotExist(const struct CmBlob *alias) { .tag = HKS_TAG_AUTH_STORAGE_LEVEL, .uint32Param = HKS_AUTH_STORAGE_LEVEL_DE }, }; struct HksParamSet *paramSet = NULL; - int32_t ret = ConstructParamSet(keyExistParams, sizeof(keyExistParams) / sizeof(struct HksParam), ¶mSet); + int32_t ret = ConstructParamSet(keyExistParams, sizeof(keyExistParams) / sizeof(struct HksParam), ¶mSet, + CM_AUTH_STORAGE_LEVEL_EL1, alias); if (ret != CM_SUCCESS) { CM_LOG_E("Failed to construct key exist paramSet"); return CMR_ERROR_KEY_OPERATION_FAILED; @@ -172,16 +250,18 @@ int32_t CmKeyOpGenMacKeyIfNotExist(const struct CmBlob *alias) return CMR_ERROR_KEY_OPERATION_FAILED; } - return CmKeyOpGenMacKey(alias); + return CmKeyOpGenMacKey(alias, CM_AUTH_STORAGE_LEVEL_EL1); } -int32_t CmKeyOpDeleteKey(const struct CmBlob *alias) +int32_t CmKeyOpDeleteKey(const struct CmBlob *alias, enum CmAuthStorageLevel level) { + uint32_t huksAuthStorageLevel = TranslateToHuksLevel(level); struct HksParam deleteKeyParams[] = { - { .tag = HKS_TAG_AUTH_STORAGE_LEVEL, .uint32Param = HKS_AUTH_STORAGE_LEVEL_DE }, + { .tag = HKS_TAG_AUTH_STORAGE_LEVEL, .uint32Param = huksAuthStorageLevel }, }; struct HksParamSet *paramSet = NULL; - int32_t ret = ConstructParamSet(deleteKeyParams, sizeof(deleteKeyParams) / sizeof(struct HksParam), ¶mSet); + int32_t ret = ConstructParamSet(deleteKeyParams, sizeof(deleteKeyParams) / sizeof(struct HksParam), ¶mSet, + level, alias); if (ret != CM_SUCCESS) { CM_LOG_E("Failed to construct delete key paramSet"); return CMR_ERROR_KEY_OPERATION_FAILED; @@ -208,18 +288,21 @@ int32_t CmKeyOpDeleteKey(const struct CmBlob *alias) return CM_SUCCESS; } -int32_t CmKeyOpCalcMac(const struct CmBlob *alias, const struct CmBlob *srcData, struct CmBlob *mac) +int32_t CmKeyOpCalcMac(const struct CmBlob *alias, const struct CmBlob *srcData, + struct CmBlob *mac, enum CmAuthStorageLevel level) { + uint32_t huksAuthStorageLevel = TranslateToHuksLevel(level); struct HksParam macParams[] = { { .tag = HKS_TAG_ALGORITHM, .uint32Param = HKS_ALG_HMAC }, { .tag = HKS_TAG_KEY_SIZE, .uint32Param = HKS_AES_KEY_SIZE_256 }, { .tag = HKS_TAG_PURPOSE, .uint32Param = HKS_KEY_PURPOSE_MAC }, { .tag = HKS_TAG_DIGEST, .uint32Param = HKS_DIGEST_SHA256 }, - { .tag = HKS_TAG_AUTH_STORAGE_LEVEL, .uint32Param = HKS_AUTH_STORAGE_LEVEL_DE }, + { .tag = HKS_TAG_AUTH_STORAGE_LEVEL, .uint32Param = huksAuthStorageLevel }, }; struct HksParamSet *paramSet = NULL; - int32_t ret = ConstructParamSet(macParams, sizeof(macParams) / sizeof(struct HksParam), ¶mSet); + int32_t ret = ConstructParamSet(macParams, sizeof(macParams) / sizeof(struct HksParam), ¶mSet, + level, alias); if (ret != CM_SUCCESS) { CM_LOG_E("construct mac init paramSet failed"); return CMR_ERROR_KEY_OPERATION_FAILED; @@ -261,16 +344,18 @@ int32_t CmKeyOpCalcMac(const struct CmBlob *alias, const struct CmBlob *srcData, int32_t CmKeyOpImportKey(const struct CmBlob *alias, const struct CmKeyProperties *properties, const struct CmBlob *keyPair) { + uint32_t huksAuthStorageLevel = TranslateToHuksLevel(properties->level); struct HksParam importKeyParams[] = { { .tag = HKS_TAG_IMPORT_KEY_TYPE, .uint32Param = HKS_KEY_TYPE_KEY_PAIR }, { .tag = HKS_TAG_ALGORITHM, .uint32Param = properties->algType }, { .tag = HKS_TAG_KEY_SIZE, .uint32Param = properties->keySize }, { .tag = HKS_TAG_PURPOSE, .uint32Param = properties->purpose }, - { .tag = HKS_TAG_AUTH_STORAGE_LEVEL, .uint32Param = HKS_AUTH_STORAGE_LEVEL_DE }, + { .tag = HKS_TAG_AUTH_STORAGE_LEVEL, .uint32Param = huksAuthStorageLevel }, }; struct HksParamSet *paramSet = NULL; - int32_t ret = ConstructParamSet(importKeyParams, sizeof(importKeyParams) / sizeof(struct HksParam), ¶mSet); + int32_t ret = ConstructParamSet(importKeyParams, sizeof(importKeyParams) / sizeof(struct HksParam), ¶mSet, + properties->level, alias); if (ret != CM_SUCCESS) { CM_LOG_E("construct import key paramSet failed"); return CMR_ERROR_KEY_OPERATION_FAILED; @@ -318,6 +403,7 @@ static void TranslateToHuksProperties(const struct CmSignatureSpec *spec, struct keyProperties->purpose = INVALID_PROPERTY_VALUE; keyProperties->padding = INVALID_PROPERTY_VALUE; keyProperties->digest = INVALID_PROPERTY_VALUE; + keyProperties->level = INVALID_PROPERTY_VALUE; for (uint32_t i = 0; i < CM_ARRAY_SIZE(g_cmPurposeProperty); ++i) { if (spec->purpose == g_cmPurposeProperty[i].cmProperty) { @@ -339,10 +425,12 @@ static void TranslateToHuksProperties(const struct CmSignatureSpec *spec, struct break; } } + CM_LOG_D("purpose[%u], digest[%u], padding[%u]", spec->purpose, spec->digest, spec->padding); } -static int32_t GetKeyProperties(const struct CmBlob *commonUri, struct CmKeyProperties *keySpec) +static int32_t GetKeyProperties(const struct CmBlob *commonUri, struct CmKeyProperties *keySpec, + enum CmAuthStorageLevel level) { struct HksParamSet *outParamSet = (struct HksParamSet*)CMMalloc(DEFAULT_LEN_USED_FOR_MALLOC); if (outParamSet == NULL) { @@ -351,11 +439,13 @@ static int32_t GetKeyProperties(const struct CmBlob *commonUri, struct CmKeyProp } outParamSet->paramSetSize = DEFAULT_LEN_USED_FOR_MALLOC; + uint32_t huksAuthStorageLevel = TranslateToHuksLevel(level); struct HksParam getKeyParams[] = { - { .tag = HKS_TAG_AUTH_STORAGE_LEVEL, .uint32Param = HKS_AUTH_STORAGE_LEVEL_DE }, + { .tag = HKS_TAG_AUTH_STORAGE_LEVEL, .uint32Param = huksAuthStorageLevel }, }; struct HksParamSet *inParamSet = NULL; - int32_t ret = ConstructParamSet(getKeyParams, sizeof(getKeyParams) / sizeof(struct HksParam), &inParamSet); + int32_t ret = ConstructParamSet(getKeyParams, sizeof(getKeyParams) / sizeof(struct HksParam), &inParamSet, + level, commonUri); if (ret != CM_SUCCESS) { CM_LOG_E("Failed to construct get key inParamSet"); CM_FREE_PTR(outParamSet); @@ -388,7 +478,7 @@ static int32_t GetKeyProperties(const struct CmBlob *commonUri, struct CmKeyProp } static int32_t AddParamsToParamSet(const struct CmBlob *commonUri, const struct CmSignatureSpec *spec, - struct HksParamSet *paramSet) + struct HksParamSet *paramSet, enum CmAuthStorageLevel level) { struct CmKeyProperties inputKeyProp = {0}; TranslateToHuksProperties(spec, &inputKeyProp); @@ -396,31 +486,28 @@ static int32_t AddParamsToParamSet(const struct CmBlob *commonUri, const struct int32_t ret; do { struct CmKeyProperties keySpec = {0}; - - struct HksBlob keyAlias = { commonUri->size, commonUri->data }; - uint8_t encodeBuf[MAX_LEN_BASE64URL_SHA256] = { 0 }; - struct CmBlob encodeTarget = { sizeof(encodeBuf), encodeBuf }; - ret = GetKeyAlias(&keyAlias, &encodeTarget); - if (ret != CM_SUCCESS) { - CM_LOG_E("get keyalias failed"); - break; - } - - ret = GetKeyProperties((struct CmBlob *)&keyAlias, &keySpec); + ret = GetKeyProperties(commonUri, &keySpec, level); if (ret != HKS_SUCCESS) { CM_LOG_E("Failed to get key properties, ret = %d", ret); break; } + uint32_t huksAuthStorageLevel = TranslateToHuksLevel(level); struct HksParam params[] = { { .tag = HKS_TAG_ALGORITHM, .uint32Param = keySpec.algType }, { .tag = HKS_TAG_KEY_SIZE, .uint32Param = keySpec.keySize }, { .tag = HKS_TAG_PURPOSE, .uint32Param = inputKeyProp.purpose }, { .tag = HKS_TAG_DIGEST, .uint32Param = inputKeyProp.digest }, { .tag = HKS_TAG_PADDING, .uint32Param = inputKeyProp.padding }, - { .tag = HKS_TAG_AUTH_STORAGE_LEVEL, .uint32Param = HKS_AUTH_STORAGE_LEVEL_DE }, + { .tag = HKS_TAG_AUTH_STORAGE_LEVEL, .uint32Param = huksAuthStorageLevel }, }; + ret = AddUserIdParam(paramSet, level, commonUri); + if (ret != HKS_SUCCESS) { + CM_LOG_E("add userid param failed"); + break; + } + ret = HksAddParams(paramSet, params, sizeof(params) / sizeof(struct HksParam)); if (ret != HKS_SUCCESS) { CM_LOG_E("add params failed"); @@ -445,7 +532,7 @@ static int32_t AddParamsToParamSet(const struct CmBlob *commonUri, const struct } static int32_t ConstructInitParamSet(const struct CmBlob *commonUri, const struct CmSignatureSpec *spec, - struct HksParamSet **outParamSet) + struct HksParamSet **outParamSet, enum CmAuthStorageLevel level) { struct HksParamSet *paramSet = NULL; int32_t ret = HksInitParamSet(¶mSet); @@ -454,7 +541,7 @@ static int32_t ConstructInitParamSet(const struct CmBlob *commonUri, const struc return CMR_ERROR_KEY_OPERATION_FAILED; } - ret = AddParamsToParamSet(commonUri, spec, paramSet); + ret = AddParamsToParamSet(commonUri, spec, paramSet, level); if (ret != CM_SUCCESS) { CM_LOG_E("add params failed"); HksFreeParamSet(¶mSet); @@ -521,24 +608,25 @@ static int32_t ServiceSignVerifyAbort(const struct CmBlob *handle, const struct } int32_t CmKeyOpInit(const struct CmContext *context, const struct CmBlob *alias, const struct CmSignatureSpec *spec, - struct CmBlob *handle) + enum CmAuthStorageLevel level, struct CmBlob *handle) { - struct HksBlob keyAlias = { alias->size, alias->data }; - uint8_t encodeBuf[MAX_LEN_BASE64URL_SHA256] = { 0 }; - struct CmBlob encodeTarget = { sizeof(encodeBuf), encodeBuf }; - int32_t ret = GetKeyAlias(&keyAlias, &encodeTarget); - if (ret != CM_SUCCESS) { - CM_LOG_E("get keyalias failed"); - return ret; - } struct HksParamSet *paramSet = NULL; - ret = ConstructInitParamSet((struct CmBlob *)&keyAlias, spec, ¶mSet); + int32_t ret = ConstructInitParamSet(alias, spec, ¶mSet, level); if (ret != CM_SUCCESS) { CM_LOG_E("construct init paramSet failed, ret = %d", ret); return ret; } do { + struct HksBlob keyAlias = { alias->size, alias->data }; + uint8_t encodeBuf[MAX_LEN_BASE64URL_SHA256] = { 0 }; + struct CmBlob encodeTarget = { sizeof(encodeBuf), encodeBuf }; + ret = GetKeyAlias(&keyAlias, &encodeTarget); + if (ret != CM_SUCCESS) { + CM_LOG_E("get keyalias failed"); + break; + } + struct HksBlob handleOut = { handle->size, handle->data }; ret = HksInit(&keyAlias, paramSet, &handleOut, NULL); if (ret != HKS_SUCCESS) { @@ -572,7 +660,9 @@ int32_t CmKeyOpProcess(enum CmSignVerifyCmd cmdId, const struct CmContext *conte { .tag = HKS_TAG_AUTH_STORAGE_LEVEL, .uint32Param = HKS_AUTH_STORAGE_LEVEL_DE }, }; struct HksParamSet *paramSet = NULL; - int32_t ret = ConstructParamSet(params, sizeof(params) / sizeof(struct HksParam), ¶mSet); + /* There is no need to specify level and userid. Pass the default values instead. */ + int32_t ret = ConstructParamSet(params, sizeof(params) / sizeof(struct HksParam), ¶mSet, + CM_AUTH_STORAGE_LEVEL_EL1, NULL); if (ret != CM_SUCCESS) { CM_LOG_E("Failed to construct paramSet"); CmDeleteSession(handle); diff --git a/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager_query.c b/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager_query.c index 544b274..c57bd30 100644 --- a/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager_query.c +++ b/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager_query.c @@ -557,3 +557,26 @@ uint32_t CmGetMatchedCertIndex(const struct CmMutableBlob *certFileList, const s } return matchIndex; } + +int32_t GetRdbAuthStorageLevel(const struct CmBlob *keyUri, enum CmAuthStorageLevel *level) +{ + CM_LOG_D("enter GetRdbAuthStorageLevel"); + if (keyUri == NULL || level == NULL) { + CM_LOG_E("Invalid input parameters: keyUri or level is NULL"); + return CMR_ERROR_INVALID_ARGUMENT; + } + + struct CertProperty certProp; + (void)memset_s(&certProp, sizeof(struct CertProperty), 0, sizeof(struct CertProperty)); + + certProp.level = ERROR_LEVEL; + int32_t ret = QueryCertProperty((char *)keyUri->data, &certProp); + if (ret != CM_SUCCESS) { + CM_LOG_E("Failed to QueryCertProperty, ret: %d", ret); + return ret; + } + /* If the return value of level is ERROR_LEVEL, nothing is found */ + *level = certProp.level; + + return ret; +} diff --git a/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager_service.c b/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager_service.c index 1750481..ef9f78c 100644 --- a/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager_service.c +++ b/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager_service.c @@ -281,7 +281,15 @@ int32_t CmServiceInit(const struct CmContext *context, const struct CmBlob *auth return ret; } - ret = CmKeyOpInit(context, &commonUri, spec, handle); + enum CmAuthStorageLevel level; + ret = GetRdbAuthStorageLevel(&commonUri, &level); + if (ret != CM_SUCCESS) { + CM_LOG_E("get rdb auth storage level failed, ret = %d", ret); + CM_FREE_PTR(commonUri.data); + return ret; + } + + ret = CmKeyOpInit(context, &commonUri, spec, level, handle); CM_FREE_PTR(commonUri.data); return ret; } @@ -526,7 +534,7 @@ int32_t CmServiceGetCertList(const struct CmContext *context, const struct UserC int32_t ret = CM_SUCCESS; struct CmMutableBlob pathList = { 0, NULL }; - + do { if (store == CM_USER_TRUSTED_STORE) { if (context->userId != 0 && prop->userId != INIT_INVALID_VALUE) { @@ -783,7 +791,10 @@ int32_t CmInstallUserCert(const struct CmContext *context, const struct CmBlob * break; } - ret = RdbInsertCertProperty(context, certUri, &displayName, &subjectName, CM_USER_TRUSTED_STORE); + struct CertPropertyOri propertyOri = { context, certUri, &displayName, &subjectName, + CM_USER_TRUSTED_STORE, CM_AUTH_STORAGE_LEVEL_EL1 }; + + ret = RdbInsertCertProperty(&propertyOri); if (ret != CM_SUCCESS) { CM_LOG_E("Failed to RdbInsertCertProperty"); break; diff --git a/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager_status.c b/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager_status.c index 3fa57e4..4697455 100644 --- a/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager_status.c +++ b/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager_status.c @@ -85,7 +85,7 @@ static int32_t Ikhmac(uint8_t *data, uint32_t len, uint8_t *mac) char aliasData[] = CM_INTEGRITY_KEY_URI; struct CmBlob alias = { strlen(aliasData), (uint8_t *)aliasData }; - return CmKeyOpCalcMac(&alias, &dataBlob, &macBlob); + return CmKeyOpCalcMac(&alias, &dataBlob, &macBlob, CM_AUTH_STORAGE_LEVEL_EL1); } static void FreeStatus(struct CertStatus *cs) diff --git a/services/cert_manager_standard/cert_manager_engine/main/core/src/cm_event_process.c b/services/cert_manager_standard/cert_manager_engine/main/core/src/cm_event_process.c index 859f00c..4af95ad 100644 --- a/services/cert_manager_standard/cert_manager_engine/main/core/src/cm_event_process.c +++ b/services/cert_manager_standard/cert_manager_engine/main/core/src/cm_event_process.c @@ -27,6 +27,8 @@ #include "cert_manager_session_mgr.h" #include "cert_manager_status.h" #include "cert_manager_storage.h" +#include "cert_manager_query.h" +#include "cm_cert_property_rdb.h" #include "cm_log.h" #include "cm_type.h" #include "cm_util.h" @@ -57,11 +59,17 @@ static int32_t CmTraversalDirActionCredential(const char *filePath, const char * } struct CmBlob keyUri = { strlen(fileName) + 1, (uint8_t *)fileName }; - ret = CmKeyOpDeleteKey(&keyUri); + enum CmAuthStorageLevel level; + ret = GetRdbAuthStorageLevel(&keyUri, &level); + if (ret != CM_SUCCESS) { + CM_LOG_E("get storage level failed, ret: %d", ret); + return ret; + } + + ret = CmKeyOpDeleteKey(&keyUri, level); if (ret != CM_SUCCESS) { /* ignore the return of delete key */ CM_LOG_E("App key delete failed ret: %d", ret); } - return CM_SUCCESS; } @@ -75,6 +83,12 @@ static int32_t CmTraversalDirActionUserCa(const struct CmContext *context, const } struct CmBlob certUri = { strlen(fileName) + 1, (uint8_t *)fileName }; /* include '\0' at end. */ + ret = DeleteCertProperty(fileName); + if (ret != CM_SUCCESS) { + CM_LOG_E("delete user ca cert property failed, ret: %d", ret); + return ret; + } + struct CmMutableBlob pathBlob = { strlen(filePath) + 1, (uint8_t *)filePath }; ret = CmSetStatusEnable(context, &pathBlob, &certUri, store); if (ret != CM_SUCCESS) { diff --git a/services/cert_manager_standard/cert_manager_engine/main/rdb/include/cm_cert_property_rdb.h b/services/cert_manager_standard/cert_manager_engine/main/rdb/include/cm_cert_property_rdb.h index 559a578..d058294 100644 --- a/services/cert_manager_standard/cert_manager_engine/main/rdb/include/cm_cert_property_rdb.h +++ b/services/cert_manager_standard/cert_manager_engine/main/rdb/include/cm_cert_property_rdb.h @@ -30,6 +30,7 @@ struct CertProperty { int32_t certStore; int32_t userId; int32_t uid; + enum CmAuthStorageLevel level; }; int32_t CreateCertPropertyRdb(void); diff --git a/services/cert_manager_standard/cert_manager_engine/main/rdb/include/cm_rdb_config.h b/services/cert_manager_standard/cert_manager_engine/main/rdb/include/cm_rdb_config.h index 2314720..5222d35 100644 --- a/services/cert_manager_standard/cert_manager_engine/main/rdb/include/cm_rdb_config.h +++ b/services/cert_manager_standard/cert_manager_engine/main/rdb/include/cm_rdb_config.h @@ -19,11 +19,25 @@ #include #include +const int32_t RDB_VERSION_FIRST = 1; +const int32_t RDB_VERSION_CURRENT = 2; + +const std::string CERT_MANAGER_RDB_NAME = "/cert_manager.db"; +const std::string CERT_PROPERTY_TABLE_NAME = "cert_property"; +const std::string COLUMN_URI = "URI"; +const std::string COLUMN_ALIAS = "ALIAS"; +const std::string COLUMN_SUBJECT_NAME = "SUBJECT_NAME"; +const std::string COLUMN_CERT_TYPE = "CERT_TYPE"; +const std::string COLUMN_CERT_STORE = "CERT_STORE"; +const std::string COLUMN_USERID = "USERID"; +const std::string COLUMN_UID = "UID"; +const std::string COLUMN_AUTH_STORAGE_LEVEL = "AUTH_STORAGE_LEVEL"; + namespace OHOS { namespace Security { namespace CertManager { struct RdbConfig { - int32_t version = 1; + int32_t version = RDB_VERSION_CURRENT; std::string dbPath = "/data/service/el1/public/cert_manager_service/rdb"; std::string dbName; std::string tableName; diff --git a/services/cert_manager_standard/cert_manager_engine/main/rdb/src/cm_cert_property_rdb.cpp b/services/cert_manager_standard/cert_manager_engine/main/rdb/src/cm_cert_property_rdb.cpp index 94b6636..058738b 100644 --- a/services/cert_manager_standard/cert_manager_engine/main/rdb/src/cm_cert_property_rdb.cpp +++ b/services/cert_manager_standard/cert_manager_engine/main/rdb/src/cm_cert_property_rdb.cpp @@ -25,16 +25,6 @@ using namespace OHOS; using namespace OHOS::Security::CertManager; -const std::string CERT_MANAGER_RDB_NAME = "/cert_manager.db"; -const std::string CERT_PROPERTY_TABLE_NAME = "cert_property"; -const std::string COLUMN_URI = "URI"; -const std::string COLUMN_ALIAS = "ALIAS"; -const std::string COLUMN_SUBJECT_NAME = "SUBJECT_NAME"; -const std::string COLUMN_CERT_TYPE = "CERT_TYPE"; -const std::string COLUMN_CERT_STORE = "CERT_STORE"; -const std::string COLUMN_USERID = "USERID"; -const std::string COLUMN_UID = "UID"; - static std::shared_ptr cmRdbDataManager = nullptr; int32_t CreateCertPropertyRdb(void) @@ -45,7 +35,8 @@ int32_t CreateCertPropertyRdb(void) rdbConfig.tableName = CERT_PROPERTY_TABLE_NAME; rdbConfig.createTableSql = std::string("CREATE TABLE IF NOT EXISTS " + CERT_PROPERTY_TABLE_NAME + "(URI TEXT PRIMARY KEY, ALIAS TEXT NOT NULL, SUBJECT_NAME TEXT NOT NULL, CERT_TYPE TEXT NOT NULL, " + - "CERT_STORE INTEGER NOT NULL, USERID INTEGER NOT NULL, UID INTEGER NOT NULL)"); + "CERT_STORE INTEGER NOT NULL, USERID INTEGER NOT NULL, UID INTEGER NOT NULL, " + + "AUTH_STORAGE_LEVEL INTEGER NOT NULL)"); cmRdbDataManager = std::make_shared(rdbConfig); bool ret = cmRdbDataManager->CreateTable(); if (!ret) { @@ -75,6 +66,7 @@ int32_t InsertCertProperty(const struct CertProperty *certProperty) insertBucket.PutInt(COLUMN_CERT_STORE, certProperty->certStore); insertBucket.PutInt(COLUMN_USERID, certProperty->userId); insertBucket.PutInt(COLUMN_UID, certProperty->uid); + insertBucket.PutInt(COLUMN_AUTH_STORAGE_LEVEL, certProperty->level); bool ret = cmRdbDataManager->InsertData(insertBucket); if (!ret) { CM_LOG_E("Failed to insert cert:%s property data", certProperty->uri); @@ -176,6 +168,7 @@ static int32_t GetIntValue(const std::shared_ptr static int32_t GetCertProperty(const std::shared_ptr &resultSet, struct CertProperty *certProperty) { + CM_LOG_D("enter GetCertProperty"); int32_t ret = GetStringValue(resultSet, COLUMN_URI, certProperty->uri, MAX_LEN_URI); if (ret != CM_SUCCESS) { CM_LOG_E("Failed to get uri"); @@ -217,6 +210,14 @@ static int32_t GetCertProperty(const std::shared_ptrlevel = (enum CmAuthStorageLevel)level; return ret; } diff --git a/services/cert_manager_standard/cert_manager_engine/main/rdb/src/cm_rdb_open_callback.cpp b/services/cert_manager_standard/cert_manager_engine/main/rdb/src/cm_rdb_open_callback.cpp index db027e9..2f17106 100644 --- a/services/cert_manager_standard/cert_manager_engine/main/rdb/src/cm_rdb_open_callback.cpp +++ b/services/cert_manager_standard/cert_manager_engine/main/rdb/src/cm_rdb_open_callback.cpp @@ -32,7 +32,13 @@ int32_t CmRdbOpenCallback::OnCreate(NativeRdb::RdbStore &rdbStore) int32_t CmRdbOpenCallback::OnUpgrade(NativeRdb::RdbStore &rdbStore, int currentVersion, int targetVersion) { - CM_LOG_D("CmRdbOpenCallback OnUpgrade"); + CM_LOG_D("CmRdbOpenCallback OnUpgrade : database upgrade. currentVersion = %{public}d, newVersion = %{public}d", + currentVersion, targetVersion); + /* Upgrade the database: Add the AUTH_STORAGE_LEVEL column with a default value of 1 (EL1). */ + if (currentVersion == RDB_VERSION_FIRST && targetVersion == RDB_VERSION_CURRENT) { + rdbStore.ExecuteSql("ALTER TABLE " + CERT_PROPERTY_TABLE_NAME + " ADD COLUMN " + + COLUMN_AUTH_STORAGE_LEVEL + " INTEGER DEFAULT 1;"); + } return NativeRdb::E_OK; } diff --git a/services/cert_manager_standard/cert_manager_service.cfg b/services/cert_manager_standard/cert_manager_service.cfg index 193d499..a07709b 100644 --- a/services/cert_manager_standard/cert_manager_service.cfg +++ b/services/cert_manager_standard/cert_manager_service.cfg @@ -26,7 +26,8 @@ "apl" : "system_basic", "permission" : [ "ohos.permission.REPORT_SECURITY_EVENT", - "ohos.permission.MANAGE_LOCAL_ACCOUNTS" + "ohos.permission.MANAGE_LOCAL_ACCOUNTS", + "ohos.permission.INTERACT_ACROSS_LOCAL_ACCOUNTS" ] } ] diff --git a/services/cert_manager_standard/cert_manager_service/main/os_dependency/idl/cm_ipc/cm_ipc_service.c b/services/cert_manager_standard/cert_manager_service/main/os_dependency/idl/cm_ipc/cm_ipc_service.c index c9c87c0..8627871 100644 --- a/services/cert_manager_standard/cert_manager_service/main/os_dependency/idl/cm_ipc/cm_ipc_service.c +++ b/services/cert_manager_standard/cert_manager_service/main/os_dependency/idl/cm_ipc/cm_ipc_service.c @@ -217,12 +217,14 @@ void CmIpcServiceInstallAppCert(const struct CmBlob *paramSetBlob, struct CmBlob struct CmBlob appCert = { 0, NULL }; struct CmBlob appCertPwd = { 0, NULL }; struct CmBlob certAlias = { 0, NULL }; + enum CmAuthStorageLevel level; struct CmParamOut params[] = { { .tag = CM_TAG_PARAM0_BUFFER, .blob = &appCert }, { .tag = CM_TAG_PARAM1_BUFFER, .blob = &appCertPwd }, { .tag = CM_TAG_PARAM2_BUFFER, .blob = &certAlias }, { .tag = CM_TAG_PARAM0_UINT32, .uint32Param = &store }, { .tag = CM_TAG_PARAM1_UINT32, .uint32Param = &userId }, + { .tag = CM_TAG_PARAM2_UINT32, .uint32Param = &level }, }; int32_t ret; @@ -235,7 +237,7 @@ void CmIpcServiceInstallAppCert(const struct CmBlob *paramSetBlob, struct CmBlob break; } - struct CmAppCertParam certParam = { &appCert, &appCertPwd, &certAlias, store, userId }; + struct CmAppCertParam certParam = { &appCert, &appCertPwd, &certAlias, store, userId, level }; ret = CmServicInstallAppCert(&cmContext, &certParam, outData); if (ret != CM_SUCCESS) { CM_LOG_E("service install app cert failed, ret = %d", ret); diff --git a/test/BUILD.gn b/test/BUILD.gn index 7b22ca6..8a86075 100644 --- a/test/BUILD.gn +++ b/test/BUILD.gn @@ -29,6 +29,7 @@ ohos_unittest("cm_sdk_test") { "unittest/src/cm_grant_test.cpp", "unittest/src/cm_init_test.cpp", "unittest/src/cm_is_authed_test.cpp", + "unittest/src/cm_pri_app_cert_test.cpp", "unittest/src/cm_remove_grant_test.cpp", "unittest/src/cm_set_status_test.cpp", "unittest/src/cm_sys_app_cert_test.cpp", diff --git a/test/unittest/multi_thread_test/src/cm_app_cert_multi_thread_test.cpp b/test/unittest/multi_thread_test/src/cm_app_cert_multi_thread_test.cpp index 9811063..ed1f0b3 100644 --- a/test/unittest/multi_thread_test/src/cm_app_cert_multi_thread_test.cpp +++ b/test/unittest/multi_thread_test/src/cm_app_cert_multi_thread_test.cpp @@ -114,15 +114,20 @@ HWTEST_F(CmAppCertMultiThreadTest, CmAppCertMultiThreadTest004, TestSize.Level0) { uint8_t certAliasBuf[] = "keyB"; struct CmBlob certAlias = { sizeof(certAliasBuf), certAliasBuf }; + uint8_t certAliasBuf04[] = "keyC"; + struct CmBlob certAlias04 = { sizeof(certAliasBuf04), certAliasBuf04 }; uint8_t uriBuf[MAX_LEN_URI] = {0}; struct CmBlob keyUri = { sizeof(uriBuf), uriBuf }; int32_t ret = CmInstallAppCert(&g_appCert, &g_appCertPwd, &certAlias, CM_CREDENTIAL_STORE, &keyUri); - EXPECT_EQ(ret, CM_SUCCESS) << "CmAppCertMultiThreadTest004 1 failed, retcode:" << ret; + EXPECT_EQ(ret, CM_SUCCESS) << "CmAppCertMultiThreadTest 1 failed, retcode:" << ret; - ret = CmInstallAppCert(&g_appCert, &g_appCertPwd, &certAlias, CM_PRI_CREDENTIAL_STORE, &keyUri); - EXPECT_EQ(ret, CM_SUCCESS) << "CmAppCertMultiThreadTest004 2 failed, retcode:" << ret; + ret = CmInstallAppCert(&g_appCert, &g_appCertPwd, &certAlias04, CM_PRI_CREDENTIAL_STORE, &keyUri); + EXPECT_EQ(ret, CM_SUCCESS) << "CmAppCertMultiThreadTest 2 failed, retcode:" << ret; + + ret = CmUninstallAllAppCert(); + EXPECT_EQ(ret, CM_SUCCESS) << "AppCertUnInstallAllTest 2 test failed, retcode:" << ret; SET_THREAD_NUM(MULTI_THREAD_NUM); GTEST_RUN_TASK(TestUninstallAppCertMultiThread); diff --git a/test/unittest/src/cm_app_cert_test.cpp b/test/unittest/src/cm_app_cert_test.cpp index e0ae813..bfbf9a8 100644 --- a/test/unittest/src/cm_app_cert_test.cpp +++ b/test/unittest/src/cm_app_cert_test.cpp @@ -22,8 +22,13 @@ #include "cm_mem.h" #include "cm_test_common.h" +#include "accesstoken_kit.h" +#include "token_setproc.h" +#include "access_token.h" + using namespace testing::ext; using namespace CertmanagerTest; +using namespace OHOS::Security::AccessToken; namespace { struct CredentialResult { struct Credential certificate; @@ -139,11 +144,17 @@ HWTEST_F(CmAppCertTest, AppCertInstallBaseTest001, TestSize.Level0) int32_t ret = CmInstallAppCert(&g_appCert, &g_appCertPwd, &certAlias, CM_CREDENTIAL_STORE, &keyUri); EXPECT_EQ(ret, CM_SUCCESS) << "AppCertInstallBaseTest001 credentail test failed, retcode:" << ret; + ret = CmUninstallAllAppCert(); + EXPECT_EQ(ret, CM_SUCCESS) << "AppCertUnInstallAllTest test failed, retcode:" << ret; + ret = CmInstallAppCert(&g_appCert, &g_appCertPwd, &certAlias, CM_PRI_CREDENTIAL_STORE, &keyUri); EXPECT_EQ(ret, CM_SUCCESS) << "AppCertInstallBaseTest001 pri_credentail test failed, retcode:" << ret; char uriBuf[] = "oh:t=ak;o=keyA;u=0;a=0"; EXPECT_EQ(strcmp(uriBuf, (char *)keyUri.data), 0) << "strcmp failed"; + + ret = CmUninstallAllAppCert(); + EXPECT_EQ(ret, CM_SUCCESS) << "AppCertUnInstallAllTest test failed, retcode:" << ret; } /** @@ -214,6 +225,9 @@ HWTEST_F(CmAppCertTest, AppCertInstallAbnormalTest004, TestSize.Level0) ret = CmInstallAppCert(&g_appCert, &g_appCertPwd, &certAlias, CM_SYS_CREDENTIAL_STORE + 1, &keyUri); EXPECT_EQ(ret, CMR_ERROR_INVALID_ARGUMENT) << "AppCertInstallAbnormalTest004 privite test failed, retcode:" << ret; + + ret = CmUninstallAllAppCert(); + EXPECT_EQ(ret, CM_SUCCESS) << "AppCertUnInstallAllTest 005 test failed, retcode:" << ret; } /** @@ -233,6 +247,9 @@ HWTEST_F(CmAppCertTest, AppCertInstallBaseEccTest005, TestSize.Level0) int32_t ret = CmInstallAppCert(&g_eccAppCert, &g_appCertPwd, &certAlias, CM_CREDENTIAL_STORE, &keyUri); EXPECT_EQ(ret, CM_SUCCESS) << "AppCertInstallBaseEccTest005 test failed, retcode:" << ret; + ret = CmUninstallAllAppCert(); + EXPECT_EQ(ret, CM_SUCCESS) << "AppCertUnInstallAllTest 005 test failed, retcode:" << ret; + ret = CmInstallAppCert(&g_eccAppCert, &g_appCertPwd, &certAlias, CM_PRI_CREDENTIAL_STORE, &keyUri); EXPECT_EQ(ret, CM_SUCCESS) << "AppCertInstallBaseEccTest005 privite test failed, retcode:" << ret; @@ -256,6 +273,9 @@ HWTEST_F(CmAppCertTest, AppCertInstallBaseSM2Test001, TestSize.Level0) int32_t ret = CmInstallAppCert(&g_sm2AppCert, &g_appSM2CertPwd, &certAlias, CM_CREDENTIAL_STORE, &keyUri); EXPECT_EQ(ret, CM_SUCCESS) << "BaseSM2Test001 public test failed, retcode:" << ret; + ret = CmUninstallAllAppCert(); + EXPECT_EQ(ret, CM_SUCCESS) << "BaseSM2Test001 test failed, retcode:" << ret; + keyUri.size = sizeof(keyUriBuf); ret = CmInstallAppCert(&g_sm2AppCert, &g_appSM2CertPwd, &certAlias, CM_PRI_CREDENTIAL_STORE, &keyUri); EXPECT_EQ(ret, CM_SUCCESS) << "BaseSM2Test001 privite test failed, retcode:" << ret; @@ -280,6 +300,9 @@ HWTEST_F(CmAppCertTest, AppCertInstallBaseSM2Test002, TestSize.Level0) int32_t ret = CmInstallAppCert(&g_sm2AppCert2, &g_appSM2CertPwd, &certAlias, CM_CREDENTIAL_STORE, &keyUri); EXPECT_EQ(ret, CM_SUCCESS) << "BaseSM2Test002 public test failed, retcode:" << ret; + ret = CmUninstallAllAppCert(); + EXPECT_EQ(ret, CM_SUCCESS) << "BaseSM2Test001 test failed, retcode:" << ret; + keyUri.size = sizeof(keyUriBuf); ret = CmInstallAppCert(&g_sm2AppCert2, &g_appSM2CertPwd, &certAlias, CM_PRI_CREDENTIAL_STORE, &keyUri); EXPECT_EQ(ret, CM_SUCCESS) << "BaseSM2Test002 privite test failed, retcode:" << ret; @@ -501,6 +524,9 @@ HWTEST_F(CmAppCertTest, CmGetAppCertListPerformanceTest001, TestSize.Level0) int32_t ret = CmInstallAppCert(&g_appCert, &g_appCertPwd, &certAlias, CM_CREDENTIAL_STORE, &keyUri); EXPECT_EQ(ret, CM_SUCCESS) << "CmGetAppCertListPerformanceTest001 install failed, retcode:" << ret; + ret = CmUninstallAllAppCert(); + EXPECT_EQ(ret, CM_SUCCESS) << "CmGetAppCertListPerformanceTest001 test failed, retcode:" << ret; + ret = CmInstallAppCert(&g_appCert, &g_appCertPwd, &certAlias, CM_PRI_CREDENTIAL_STORE, &keyUri); EXPECT_EQ(ret, CM_SUCCESS) << "CmGetAppCertListPerformanceTest001 private install failed, retcode:" << ret; @@ -718,6 +744,9 @@ HWTEST_F(CmAppCertTest, AppCertUnInstallAllAppCertBaseTest001, TestSize.Level0) int32_t ret = CmInstallAppCert(&g_appCert, &g_appCertPwd, &certAlias, CM_CREDENTIAL_STORE, &keyUri); EXPECT_EQ(ret, CM_SUCCESS) << "AppCertUnInstallAllAppCertBaseTest001 1 failed, retcode:" << ret; + ret = CmUninstallAllAppCert(); + EXPECT_EQ(ret, CM_SUCCESS) << "AppCertUnInstallAllAppCertBaseTest001 test failed, retcode:" << ret; + ret = CmInstallAppCert(&g_appCert, &g_appCertPwd, &certAlias, CM_PRI_CREDENTIAL_STORE, &keyUri); EXPECT_EQ(ret, CM_SUCCESS) << "AppCertUnInstallAllAppCertBaseTest001 2 failed, retcode:" << ret; diff --git a/test/unittest/src/cm_pri_app_cert_test.cpp b/test/unittest/src/cm_pri_app_cert_test.cpp new file mode 100644 index 0000000..850bb31 --- /dev/null +++ b/test/unittest/src/cm_pri_app_cert_test.cpp @@ -0,0 +1,628 @@ +/* + * Copyright (c) 2024 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include + +#include "cert_manager_api.h" +#include "cm_cert_data_ecc.h" +#include "cm_cert_data_part1_rsa.h" +#include "cm_cert_data_part3_rsa.h" +#include "cm_mem.h" +#include "cm_test_common.h" + +#define TEST_USERID 100 + +using namespace testing::ext; +using namespace CertmanagerTest; +namespace { + +static const struct CmBlob g_appCert = { sizeof(g_rsa2048P12CertInfo), const_cast(g_rsa2048P12CertInfo) }; +static const struct CmBlob g_eccAppCert = { sizeof(g_eccP256P12CertInfo), const_cast(g_eccP256P12CertInfo) }; +static const struct CmBlob g_appCertPwd = { sizeof(g_certPwd), const_cast(g_certPwd) }; + +static const uint8_t g_abnormalCertData[] = { + 0x30, 0x82, 0x0b, 0xc1, 0x02, 0x01, 0x03, 0xf7, 0x0d, 0x01, 0x07, 0x06, 0x09, 0x2a, 0x86, 0x48, + 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0xa0, 0x82, 0x0b, 0x78, 0x04, 0x82, 0x0b, 0x74, 0x30, 0x82, + 0x00, 0x3a, 0x69, 0x16, 0xe1, 0x63, 0x0c, 0xe5, 0x92, 0xc2, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, + 0x06, 0xa0, 0x82, 0x06, 0x18, 0x30, 0x82, 0x06, 0x14, 0x02, 0x01, 0x00, 0x30, 0x82, 0x06, 0x0d, + 0x06, 0x09, 0x0b, 0x74, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0x30, 0x1c, 0x06, 0x0a, 0x2a, + 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x0c, 0x01 +}; + +class CmPriAppCertTest : public testing::Test { +public: + static void SetUpTestCase(void); + + static void TearDownTestCase(void); + + void SetUp(); + + void TearDown(); +}; + +void CmPriAppCertTest::SetUpTestCase(void) +{ + SetATPermission(); +} + +void CmPriAppCertTest::TearDownTestCase(void) +{ +} + +void CmPriAppCertTest::SetUp() +{ +} + +void CmPriAppCertTest::TearDown() +{ +} + +/** + * @tc.name: PriAppCertTest001 + * @tc.desc: Test CertManager Install private app cert interface base function + * @tc.type: FUNC + */ +HWTEST_F(CmPriAppCertTest, PriAppCertTest001, TestSize.Level0) +{ + char retUriBuf[MAX_LEN_URI] = {0}; + struct CmBlob priKeyUri = { sizeof(retUriBuf), reinterpret_cast(retUriBuf) }; + + uint8_t certAliasBuf[] = "PrikeyA"; + struct CmBlob certAlias = { sizeof(certAliasBuf), certAliasBuf }; + uint8_t certAliasBuf001[] = "PrikeyB"; + struct CmBlob certAlias01 = { sizeof(certAliasBuf001), certAliasBuf001 }; + + /* test g_appCert */ + struct CmAppCertParam appCertParam = { (struct CmBlob *)&g_appCert, (struct CmBlob *)&g_appCertPwd, + &certAlias, CM_PRI_CREDENTIAL_STORE, INIT_INVALID_VALUE, CM_AUTH_STORAGE_LEVEL_EL1 }; + int32_t ret = CmInstallAppCertEx(&appCertParam, &priKeyUri); + EXPECT_EQ(ret, CM_SUCCESS) << "PriAppCertTest001 1 credentail test failed, retcode:" << ret; + + char uriBuf[] = "oh:t=ak;o=PrikeyA;u=0;a=0"; + EXPECT_EQ(strcmp(uriBuf, (char *)priKeyUri.data), 0) << "strcmp failed, uri: %s" << (char *)priKeyUri.data; + + /* test g_eccAppCert, level=el1 */ + struct CmAppCertParam appCertParam01 = { (struct CmBlob *)&g_eccAppCert, (struct CmBlob *)&g_appCertPwd, + &certAlias01, CM_PRI_CREDENTIAL_STORE, INIT_INVALID_VALUE, CM_AUTH_STORAGE_LEVEL_EL1 }; + ret = CmInstallAppCertEx(&appCertParam01, &priKeyUri); + EXPECT_EQ(ret, CM_SUCCESS) << "PriAppCertTest001 2 credentail test failed, retcode:" << ret; + + char uriBuf001[] = "oh:t=ak;o=PrikeyB;u=0;a=0"; + EXPECT_EQ(strcmp(uriBuf001, (char *)priKeyUri.data), 0) << "strcmp failed"; + + ret = CmUninstallAllAppCert(); + EXPECT_EQ(ret, CM_SUCCESS) << "PriAppCertTest001 test failed, retcode:" << ret; +} + +/** + * @tc.name: PriAppCertTest002 + * @tc.desc: Test CertManager Install private app cert interface base function + * @tc.type: FUNC + */ +HWTEST_F(CmPriAppCertTest, PriAppCertTest002, TestSize.Level0) +{ + char retUriBuf[MAX_LEN_URI] = {0}; + struct CmBlob priKeyUri = { sizeof(retUriBuf), reinterpret_cast(retUriBuf) }; + + uint8_t certAliasBuf[] = "PrikeyA"; + struct CmBlob certAlias = { sizeof(certAliasBuf), certAliasBuf }; + uint8_t certAliasBuf002[] = "PrikeyB"; + struct CmBlob certAlias02 = { sizeof(certAliasBuf002), certAliasBuf002 }; + + /* test g_appCert,level=el2 */ + struct CmAppCertParam appCertParam = { (struct CmBlob *)&g_appCert, (struct CmBlob *)&g_appCertPwd, + &certAlias, CM_PRI_CREDENTIAL_STORE, INIT_INVALID_VALUE, CM_AUTH_STORAGE_LEVEL_EL2 }; + int32_t ret = CmInstallAppCertEx(&appCertParam, &priKeyUri); + EXPECT_EQ(ret, CM_SUCCESS) << "PriAppCertTest002 1 credentail test failed, retcode:" << ret; + + char uriBuf[] = "oh:t=ak;o=PrikeyA;u=0;a=0"; + EXPECT_EQ(strcmp(uriBuf, (char *)priKeyUri.data), 0) << "strcmp failed"; + + /* test g_eccAppCert */ + struct CmAppCertParam appCertParam01 = { (struct CmBlob *)&g_eccAppCert, (struct CmBlob *)&g_appCertPwd, + &certAlias02, CM_PRI_CREDENTIAL_STORE, INIT_INVALID_VALUE, CM_AUTH_STORAGE_LEVEL_EL2 }; + ret = CmInstallAppCertEx(&appCertParam01, &priKeyUri); + EXPECT_EQ(ret, CM_SUCCESS) << "PriAppCertTest002 2 credentail test failed, retcode:" << ret; + + char uriBuf001[] = "oh:t=ak;o=PrikeyB;u=0;a=0"; + EXPECT_EQ(strcmp(uriBuf001, (char *)priKeyUri.data), 0) << "strcmp failed"; + + ret = CmUninstallAllAppCert(); + EXPECT_EQ(ret, CM_SUCCESS) << "PriAppCertTest002 test failed, retcode:" << ret; +} + +/** + * @tc.name: PriAppCertTest003 + * @tc.desc: Test CertManager Install private app cert interface base function + * @tc.type: FUNC + */ +HWTEST_F(CmPriAppCertTest, PriAppCertTest003, TestSize.Level0) +{ + char retUriBuf[MAX_LEN_URI] = {0}; + struct CmBlob priKeyUri = { sizeof(retUriBuf), reinterpret_cast(retUriBuf) }; + + uint8_t certAliasBuf[] = "PrikeyA"; + struct CmBlob certAlias = { sizeof(certAliasBuf), certAliasBuf }; + uint8_t certAliasBuf003[] = "PrikeyB"; + struct CmBlob certAlias03 = { sizeof(certAliasBuf003), certAliasBuf003 }; + + /* test g_appCert, level=el4 */ + struct CmAppCertParam appCertParam = { (struct CmBlob *)&g_appCert, (struct CmBlob *)&g_appCertPwd, + &certAlias, CM_PRI_CREDENTIAL_STORE, INIT_INVALID_VALUE, CM_AUTH_STORAGE_LEVEL_EL4 }; + int32_t ret = CmInstallAppCertEx(&appCertParam, &priKeyUri); + EXPECT_EQ(ret, CM_SUCCESS) << "PriAppCertTest003 credentail test failed, retcode:" << ret; + + char uriBuf[] = "oh:t=ak;o=PrikeyA;u=0;a=0"; + EXPECT_EQ(strcmp(uriBuf, (char *)priKeyUri.data), 0) << "strcmp failed"; + + /* test g_eccAppCert, level=el4 */ + struct CmAppCertParam appCertParam01 = { (struct CmBlob *)&g_eccAppCert, (struct CmBlob *)&g_appCertPwd, + &certAlias03, CM_PRI_CREDENTIAL_STORE, INIT_INVALID_VALUE, CM_AUTH_STORAGE_LEVEL_EL4 }; + ret = CmInstallAppCertEx(&appCertParam01, &priKeyUri); + EXPECT_EQ(ret, CM_SUCCESS) << "PriAppCertTest002 2 credentail test failed, retcode:" << ret; + + char uriBuf001[] = "oh:t=ak;o=PrikeyB;u=0;a=0"; + EXPECT_EQ(strcmp(uriBuf001, (char *)priKeyUri.data), 0) << "strcmp failed"; + + ret = CmUninstallAllAppCert(); + EXPECT_EQ(ret, CM_SUCCESS) << "PriAppCertTest003 test failed, retcode:" << ret; +} + +/** + * @tc.name: PriAppCertTest004 + * @tc.desc: Test Install private app cert abnormal function + * @tc.type: FUNC + */ +HWTEST_F(CmPriAppCertTest, PriAppCertTest004, TestSize.Level0) +{ + char retUriBuf[MAX_LEN_URI] = {0}; + struct CmBlob priKeyUri = { sizeof(retUriBuf), reinterpret_cast(retUriBuf) }; + + uint8_t certAliasBuf[] = "PrikeyA"; + struct CmBlob certAlias = { sizeof(certAliasBuf), certAliasBuf }; + + /* level is invalid */ + struct CmAppCertParam appCertParam = { (struct CmBlob *)&g_appCert, (struct CmBlob *)&g_appCertPwd, + &certAlias, CM_PRI_CREDENTIAL_STORE, INIT_INVALID_VALUE, static_cast(ERROR_LEVEL) }; + int32_t ret = CmInstallAppCertEx(&appCertParam, &priKeyUri); + EXPECT_EQ(ret, CMR_ERROR_INVALID_ARGUMENT) << "PriAppCertTest004 credentail test failed, retcode:" << ret; +} + +/** + * @tc.name: PriAppCertTest005 + * @tc.desc: Test Install private app cert abnormal function + * @tc.type: FUNC + */ +HWTEST_F(CmPriAppCertTest, PriAppCertTest005, TestSize.Level0) +{ + char retUriBuf[MAX_LEN_URI] = {0}; + struct CmBlob priKeyUri = { sizeof(retUriBuf), reinterpret_cast(retUriBuf) }; + + uint8_t certAliasBuf[] = "PrikeyA"; + struct CmBlob certAlias = { sizeof(certAliasBuf), certAliasBuf }; + + /* store is not private cred */ + struct CmAppCertParam appCertParam = { (struct CmBlob *)&g_appCert, (struct CmBlob *)&g_appCertPwd, + &certAlias, CM_CREDENTIAL_STORE, INIT_INVALID_VALUE, CM_AUTH_STORAGE_LEVEL_EL1 }; + int32_t ret = CmInstallAppCertEx(&appCertParam, &priKeyUri); + EXPECT_EQ(ret, CMR_ERROR_INVALID_ARGUMENT) << "PriAppCertTest005 credentail test failed, retcode:" << ret; +} + +/** + * @tc.name: PriAppCertTest006 + * @tc.desc: Test Install private app cert abnormal function + * @tc.type: FUNC + */ +HWTEST_F(CmPriAppCertTest, PriAppCertTest006, TestSize.Level0) +{ + char retUriBuf[MAX_LEN_URI] = {0}; + struct CmBlob priKeyUri = { sizeof(retUriBuf), reinterpret_cast(retUriBuf) }; + + uint8_t certAliasBuf[] = "PrikeyA"; + struct CmBlob certAlias = { sizeof(certAliasBuf), certAliasBuf }; + + /* pri app cert data is abnormal */ + struct CmBlob abnormalAppCert = { sizeof(g_abnormalCertData), const_cast(g_abnormalCertData) }; + + struct CmAppCertParam appCertParam = { &abnormalAppCert, (struct CmBlob *)&g_appCertPwd, + &certAlias, CM_PRI_CREDENTIAL_STORE, INIT_INVALID_VALUE, CM_AUTH_STORAGE_LEVEL_EL1 }; + int32_t ret = CmInstallAppCertEx(&appCertParam, &priKeyUri); + EXPECT_EQ(ret, CMR_ERROR_INVALID_CERT_FORMAT) << "PriAppCertTest006 credentail test failed, retcode:" << ret; +} + +/** + * @tc.name: PriAppCertTest007 + * @tc.desc: Test CertManager Install private app cert interface abnormal function + * @tc.type: FUNC + */ +HWTEST_F(CmPriAppCertTest, PriAppCertTest007, TestSize.Level0) +{ + char retUriBuf[MAX_LEN_URI] = {0}; + struct CmBlob priKeyUri = { sizeof(retUriBuf), reinterpret_cast(retUriBuf) }; + + /* certParam is nullptr */ + int32_t ret = CmInstallAppCertEx(nullptr, &priKeyUri); + EXPECT_EQ(ret, CMR_ERROR_INVALID_ARGUMENT) << "PriAppCertTest007 credentail test failed, retcode:" << ret; +} + +/** + * @tc.name: PriAppCertTest008 + * @tc.desc: Test CertManager Install private app cert interface abnormal function + * @tc.type: FUNC + */ +HWTEST_F(CmPriAppCertTest, PriAppCertTest008, TestSize.Level0) +{ + char retUriBuf[MAX_LEN_URI] = {0}; + struct CmBlob priKeyUri = { sizeof(retUriBuf), reinterpret_cast(retUriBuf) }; + + uint8_t certAliasBuf[] = "PriAppCertTest008"; + struct CmBlob certAlias007 = { sizeof(certAliasBuf), certAliasBuf }; + + /* certParam->appCert is nullptr */ + struct CmAppCertParam appCertParam = { nullptr, (struct CmBlob *)&g_appCertPwd, + &certAlias007, CM_PRI_CREDENTIAL_STORE, INIT_INVALID_VALUE, CM_AUTH_STORAGE_LEVEL_EL1 }; + int32_t ret = CmInstallAppCertEx(&appCertParam, &priKeyUri); + EXPECT_EQ(ret, CMR_ERROR_INVALID_ARGUMENT) << "PriAppCertTest008 credentail test failed, retcode:" << ret; +} + +/** + * @tc.name: PriAppCertTest009 + * @tc.desc: Test CertManager Install private app cert interface abnormal function + * @tc.type: FUNC + */ +HWTEST_F(CmPriAppCertTest, PriAppCertTest009, TestSize.Level0) +{ + char retUriBuf[MAX_LEN_URI] = {0}; + struct CmBlob priKeyUri = { sizeof(retUriBuf), reinterpret_cast(retUriBuf) }; + + uint8_t certAliasBuf[] = "PriAppCertTest009"; + struct CmBlob certAlias008 = { sizeof(certAliasBuf), certAliasBuf }; + + /* certParam->appCertPwd is nullptr */ + struct CmAppCertParam appCertParam = { (struct CmBlob *)&g_appCert, nullptr, + &certAlias008, CM_PRI_CREDENTIAL_STORE, INIT_INVALID_VALUE, CM_AUTH_STORAGE_LEVEL_EL1 }; + int32_t ret = CmInstallAppCertEx(&appCertParam, &priKeyUri); + EXPECT_EQ(ret, CMR_ERROR_INVALID_ARGUMENT) << "PriAppCertTest009 credentail test failed, retcode:" << ret; +} + +/** + * @tc.name: PriAppCertTest010 + * @tc.desc: Test CertManager Install private app cert interface abnormal function + * @tc.type: FUNC + */ +HWTEST_F(CmPriAppCertTest, PriAppCertTest010, TestSize.Level0) +{ + char retUriBuf[MAX_LEN_URI] = {0}; + struct CmBlob priKeyUri = { sizeof(retUriBuf), reinterpret_cast(retUriBuf) }; + + /* certParam->certAlias is nullptr */ + struct CmAppCertParam appCertParam = { (struct CmBlob *)&g_appCert, (struct CmBlob *)&g_appCertPwd, + nullptr, CM_PRI_CREDENTIAL_STORE, INIT_INVALID_VALUE, CM_AUTH_STORAGE_LEVEL_EL1 }; + int32_t ret = CmInstallAppCertEx(&appCertParam, &priKeyUri); + EXPECT_EQ(ret, CMR_ERROR_INVALID_ARGUMENT) << "PriAppCertTest010 credentail test failed, retcode:" << ret; +} + +/** + * @tc.name: PriAppCertTest011 + * @tc.desc: Test CertManager Install private app cert interface abnormal function + * @tc.type: FUNC + */ +HWTEST_F(CmPriAppCertTest, PriAppCertTest011, TestSize.Level0) +{ + uint8_t certAliasBuf[] = "PriAppCertTest011"; + struct CmBlob certAlias010 = { sizeof(certAliasBuf), certAliasBuf }; + struct CmAppCertParam appCertParam = { (struct CmBlob *)&g_appCert, (struct CmBlob *)&g_appCertPwd, + &certAlias010, CM_PRI_CREDENTIAL_STORE, INIT_INVALID_VALUE, CM_AUTH_STORAGE_LEVEL_EL1 }; + + /* keyUri is nullptr */ + int32_t ret = CmInstallAppCertEx(&appCertParam, nullptr); + EXPECT_EQ(ret, CMR_ERROR_INVALID_ARGUMENT) << "PriAppCertTest011 credentail test failed, retcode:" << ret; +} + +/** + * @tc.name: PriAppCertTest012 + * @tc.desc: Test CertManager Install private app cert interface abnormal function + * @tc.type: FUNC + */ +HWTEST_F(CmPriAppCertTest, PriAppCertTest012, TestSize.Level0) +{ + struct CmBlob priKeyUri = { 0, nullptr }; + uint8_t certAliasBuf[] = "PriAppCertTest012"; + struct CmBlob certAlias010 = { sizeof(certAliasBuf), certAliasBuf }; + struct CmAppCertParam appCertParam = { (struct CmBlob *)&g_appCert, (struct CmBlob *)&g_appCertPwd, + &certAlias010, CM_PRI_CREDENTIAL_STORE, INIT_INVALID_VALUE, CM_AUTH_STORAGE_LEVEL_EL1 }; + + /* keyUri->data is nullptr */ + int32_t ret = CmInstallAppCertEx(&appCertParam, &priKeyUri); + EXPECT_EQ(ret, CMR_ERROR_INVALID_ARGUMENT) << "PriAppCertTest012 credentail test failed, retcode:" << ret; +} + +/** + * @tc.name: PriAppCertTest013 + * @tc.desc: Test CertManager Install private app cert interface abnormal function + * @tc.type: FUNC + */ +HWTEST_F(CmPriAppCertTest, PriAppCertTest013, TestSize.Level0) +{ + char retUriBuf[MAX_LEN_URI] = {0}; + struct CmBlob priKeyUri = { sizeof(retUriBuf), reinterpret_cast(retUriBuf) }; + + /* certAlias not include '\0' */ + uint8_t certAliasBuf[] = "PrikeyB"; + struct CmBlob certAlias013 = { sizeof(certAliasBuf) - 1, certAliasBuf }; + + struct CmAppCertParam appCertParam = { (struct CmBlob *)&g_eccAppCert, (struct CmBlob *)&g_appCertPwd, + &certAlias013, CM_PRI_CREDENTIAL_STORE, INIT_INVALID_VALUE, CM_AUTH_STORAGE_LEVEL_EL1 }; + int32_t ret = CmInstallAppCertEx(&appCertParam, &priKeyUri); + EXPECT_EQ(ret, CMR_ERROR_INVALID_ARGUMENT) << "PriAppCertTest013 credentail test failed, retcode:" << ret; +} + +/** + * @tc.name: PriAppCertTest014 + * @tc.desc: Test CertManager Install private app cert interface abnormal function + * @tc.type: FUNC + */ +HWTEST_F(CmPriAppCertTest, PriAppCertTest014, TestSize.Level0) +{ + char retUriBuf[MAX_LEN_URI] = {0}; + struct CmBlob priKeyUri = { sizeof(retUriBuf), reinterpret_cast(retUriBuf) }; + uint8_t certAliasBuf[] = "PrikeyB"; + struct CmBlob certAlias014 = { sizeof(certAliasBuf), certAliasBuf }; + + /* cert pwd not include '\0' */ + uint8_t errPwdBuf[] = "123789"; + struct CmBlob errPwd = { sizeof(errPwdBuf) - 1, errPwdBuf }; + + struct CmAppCertParam appCertParam = { (struct CmBlob *)&g_eccAppCert, &errPwd, + &certAlias014, CM_PRI_CREDENTIAL_STORE, INIT_INVALID_VALUE, CM_AUTH_STORAGE_LEVEL_EL1 }; + int32_t ret = CmInstallAppCertEx(&appCertParam, &priKeyUri); + EXPECT_EQ(ret, CMR_ERROR_INVALID_ARGUMENT) << "PriAppCertTest014 credentail test failed, retcode:" << ret; +} + +/** + * @tc.name: PriAppCertTest015 + * @tc.desc: Test CertManager Install private app cert interface abnormal function + * @tc.type: FUNC + */ +HWTEST_F(CmPriAppCertTest, PriAppCertTest015, TestSize.Level0) +{ + char retUriBuf[MAX_LEN_URI] = {0}; + struct CmBlob priKeyUri = { sizeof(retUriBuf), reinterpret_cast(retUriBuf) }; + + /* certAlias data is nullptr */ + uint8_t certAliasBuf[] = "PrikeyB"; + struct CmBlob certAlias015 = { sizeof(certAliasBuf), nullptr }; + + struct CmAppCertParam appCertParam = { (struct CmBlob *)&g_eccAppCert, (struct CmBlob *)&g_appCertPwd, + &certAlias015, CM_PRI_CREDENTIAL_STORE, INIT_INVALID_VALUE, CM_AUTH_STORAGE_LEVEL_EL1 }; + int32_t ret = CmInstallAppCertEx(&appCertParam, &priKeyUri); + EXPECT_EQ(ret, CMR_ERROR_INVALID_ARGUMENT) << "PriAppCertTest015 credentail test failed, retcode:" << ret; +} + +/** + * @tc.name: PriAppCertTest016 + * @tc.desc: Test CertManager Install private app cert interface abnormal function + * @tc.type: FUNC + */ +HWTEST_F(CmPriAppCertTest, PriAppCertTest016, TestSize.Level0) +{ + char retUriBuf[MAX_LEN_URI] = {0}; + struct CmBlob priKeyUri = { sizeof(retUriBuf), reinterpret_cast(retUriBuf) }; + + /* certAlias size is 0 */ + uint8_t certAliasBuf[] = "PrikeyB"; + struct CmBlob certAlias016 = { 0, certAliasBuf }; + + struct CmAppCertParam appCertParam = { (struct CmBlob *)&g_eccAppCert, (struct CmBlob *)&g_appCertPwd, + &certAlias016, CM_PRI_CREDENTIAL_STORE, INIT_INVALID_VALUE, CM_AUTH_STORAGE_LEVEL_EL1 }; + int32_t ret = CmInstallAppCertEx(&appCertParam, &priKeyUri); + EXPECT_EQ(ret, CMR_ERROR_INVALID_ARGUMENT) << "PriAppCertTest016 credentail test failed, retcode:" << ret; +} + +/** + * @tc.name: PriAppCertTest017 + * @tc.desc: Test CertManager Install private app cert interface abnormal function + * @tc.type: FUNC + */ +HWTEST_F(CmPriAppCertTest, PriAppCertTest017, TestSize.Level0) +{ + char retUriBuf[MAX_LEN_URI] = {0}; + struct CmBlob priKeyUri = { sizeof(retUriBuf), reinterpret_cast(retUriBuf) }; + + /* certAlias size beyond max */ + uint8_t certAliasBuf[] = "123456789012345678901234567890123456789012345678901234567890 \ + 12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789"; + struct CmBlob certAlias018 = { sizeof(certAliasBuf), certAliasBuf }; + + struct CmAppCertParam appCertParam = { (struct CmBlob *)&g_eccAppCert, (struct CmBlob *)&g_appCertPwd, + &certAlias018, CM_PRI_CREDENTIAL_STORE, INIT_INVALID_VALUE, CM_AUTH_STORAGE_LEVEL_EL1 }; + int32_t ret = CmInstallAppCertEx(&appCertParam, &priKeyUri); + EXPECT_EQ(ret, CMR_ERROR_INVALID_ARGUMENT) << + "PriAppCertTest017 credentail test failed, retcode:" << ret; +} + +/** + * @tc.name: PriAppCertTest018 + * @tc.desc: Test CertManager Install private app cert interface abnormal function + * @tc.type: FUNC + */ +HWTEST_F(CmPriAppCertTest, PriAppCertTest018, TestSize.Level0) +{ + char retUriBuf[MAX_LEN_URI] = {0}; + struct CmBlob priKeyUri = { sizeof(retUriBuf), reinterpret_cast(retUriBuf) }; + uint8_t certAliasBuf[] = "PrikeyB"; + struct CmBlob certAlias019 = { sizeof(certAliasBuf), certAliasBuf }; + + /* appCert data is nullptr */ + struct CmBlob appCert = { sizeof(g_rsa2048P12CertInfo), nullptr }; + + struct CmAppCertParam appCertParam = { &appCert, (struct CmBlob *)&g_appCertPwd, + &certAlias019, CM_PRI_CREDENTIAL_STORE, INIT_INVALID_VALUE, CM_AUTH_STORAGE_LEVEL_EL1 }; + int32_t ret = CmInstallAppCertEx(&appCertParam, &priKeyUri); + EXPECT_EQ(ret, CMR_ERROR_INVALID_ARGUMENT) << "PriAppCertTest018 credentail test failed, retcode:" << ret; +} + +/** + * @tc.name: PriAppCertTest019 + * @tc.desc: Test CertManager Install private app cert interface abnormal function + * @tc.type: FUNC + */ +HWTEST_F(CmPriAppCertTest, PriAppCertTest019, TestSize.Level0) +{ + char retUriBuf[MAX_LEN_URI] = {0}; + struct CmBlob priKeyUri = { sizeof(retUriBuf), reinterpret_cast(retUriBuf) }; + uint8_t certAliasBuf[] = "PrikeyB"; + struct CmBlob certAlias019 = { sizeof(certAliasBuf), certAliasBuf }; + + /* appCert size is 0 */ + struct CmBlob appCert = { 0, const_cast(g_rsa2048P12CertInfo) }; + + struct CmAppCertParam appCertParam = { &appCert, (struct CmBlob *)&g_appCertPwd, + &certAlias019, CM_PRI_CREDENTIAL_STORE, INIT_INVALID_VALUE, CM_AUTH_STORAGE_LEVEL_EL1 }; + int32_t ret = CmInstallAppCertEx(&appCertParam, &priKeyUri); + EXPECT_EQ(ret, CMR_ERROR_INVALID_ARGUMENT) << "PriAppCertTest019 credentail test failed, retcode:" << ret; +} + +/** + * @tc.name: PriAppCertTest020 + * @tc.desc: Test CertManager Install private app cert interface abnormal function + * @tc.type: FUNC + */ +HWTEST_F(CmPriAppCertTest, PriAppCertTest020, TestSize.Level0) +{ + char retUriBuf[MAX_LEN_URI] = {0}; + struct CmBlob priKeyUri = { sizeof(retUriBuf), reinterpret_cast(retUriBuf) }; + uint8_t certAliasBuf[] = "PrikeyB"; + struct CmBlob certAlias019 = { sizeof(certAliasBuf), certAliasBuf }; + + /* appCert size beyond max */ + uint8_t appCertData[MAX_LEN_APP_CERT + 1] = { 0 }; + struct CmBlob appCert = { MAX_LEN_APP_CERT + 1, appCertData }; + + struct CmAppCertParam appCertParam = { &appCert, (struct CmBlob *)&g_appCertPwd, + &certAlias019, CM_PRI_CREDENTIAL_STORE, INIT_INVALID_VALUE, CM_AUTH_STORAGE_LEVEL_EL1 }; + int32_t ret = CmInstallAppCertEx(&appCertParam, &priKeyUri); + EXPECT_EQ(ret, CMR_ERROR_INVALID_ARGUMENT) << "PriAppCertTest020 credentail test failed, retcode:" << ret; +} + +/** + * @tc.name: PriAppCertTest021 + * @tc.desc: Test CertManager Install private app cert interface abnormal function + * @tc.type: FUNC + */ +HWTEST_F(CmPriAppCertTest, PriAppCertTest021, TestSize.Level0) +{ + char retUriBuf[MAX_LEN_URI] = {0}; + struct CmBlob priKeyUri = { sizeof(retUriBuf), reinterpret_cast(retUriBuf) }; + uint8_t certAliasBuf[] = "PrikeyB"; + struct CmBlob certAlias020 = { sizeof(certAliasBuf), certAliasBuf }; + + /* appCertPwd->data is nullptr */ + uint8_t pwdBuf[] = "123789"; + struct CmBlob appCertPwd = { sizeof(pwdBuf), nullptr }; + + struct CmAppCertParam appCertParam = { (struct CmBlob *)&g_eccAppCert, &appCertPwd, + &certAlias020, CM_PRI_CREDENTIAL_STORE, INIT_INVALID_VALUE, CM_AUTH_STORAGE_LEVEL_EL1 }; + int32_t ret = CmInstallAppCertEx(&appCertParam, &priKeyUri); + EXPECT_EQ(ret, CMR_ERROR_INVALID_ARGUMENT) << "PriAppCertTest021 credentail test failed, retcode:" << ret; +} + +/** + * @tc.name: PriAppCertTest022 + * @tc.desc: Test CertManager Install private app cert interface abnormal function + * @tc.type: FUNC + */ +HWTEST_F(CmPriAppCertTest, PriAppCertTest022, TestSize.Level0) +{ + char retUriBuf[MAX_LEN_URI] = {0}; + struct CmBlob priKeyUri = { sizeof(retUriBuf), reinterpret_cast(retUriBuf) }; + uint8_t certAliasBuf[] = "PrikeyB"; + struct CmBlob certAlias021 = { sizeof(certAliasBuf), certAliasBuf }; + + /* appCertPwd->size is 0 */ + uint8_t pwdBuf[] = "123789"; + struct CmBlob appCertPwd = { 0, pwdBuf }; + + struct CmAppCertParam appCertParam = { (struct CmBlob *)&g_eccAppCert, &appCertPwd, + &certAlias021, CM_PRI_CREDENTIAL_STORE, INIT_INVALID_VALUE, CM_AUTH_STORAGE_LEVEL_EL1 }; + int32_t ret = CmInstallAppCertEx(&appCertParam, &priKeyUri); + EXPECT_EQ(ret, CMR_ERROR_INVALID_ARGUMENT) << "PriAppCertTest022 credentail test failed, retcode:" << ret; +} + +/** + * @tc.name: PriAppCertTest023 + * @tc.desc: Test CertManager Install private app cert interface abnormal function + * @tc.type: FUNC + */ +HWTEST_F(CmPriAppCertTest, PriAppCertTest023, TestSize.Level0) +{ + char retUriBuf[MAX_LEN_URI] = {0}; + struct CmBlob priKeyUri = { sizeof(retUriBuf), reinterpret_cast(retUriBuf) }; + uint8_t certAliasBuf[] = "PrikeyB"; + struct CmBlob certAlias022 = { sizeof(certAliasBuf), certAliasBuf }; + + /* appCertPwd->size beyond max */ + uint8_t pwdBuf[] = "123456789012345678901234567890123456"; + struct CmBlob appCertPwd = { sizeof(pwdBuf), pwdBuf }; + + struct CmAppCertParam appCertParam = { (struct CmBlob *)&g_eccAppCert, &appCertPwd, + &certAlias022, CM_PRI_CREDENTIAL_STORE, INIT_INVALID_VALUE, CM_AUTH_STORAGE_LEVEL_EL1 }; + int32_t ret = CmInstallAppCertEx(&appCertParam, &priKeyUri); + EXPECT_EQ(ret, CMR_ERROR_INVALID_ARGUMENT) << "PriAppCertTest023 credentail test failed, retcode:" << ret; +} + +/** + * @tc.name: PriAppCertTest024 + * @tc.desc: Test CertManager Install private app cert interface abnormal function + * @tc.type: FUNC + */ +HWTEST_F(CmPriAppCertTest, PriAppCertTest024, TestSize.Level0) +{ + char retUriBuf[MAX_LEN_URI] = {0}; + struct CmBlob priKeyUri = { sizeof(retUriBuf), reinterpret_cast(retUriBuf) }; + + uint8_t certAliasBuf[] = "PrikeyA"; + struct CmBlob certAlias = { sizeof(certAliasBuf), certAliasBuf }; + + /* err password */ + uint8_t appCertPwdBuf[] = "123456789"; + struct CmBlob errAppCertPwd = { sizeof(appCertPwdBuf), appCertPwdBuf }; + + struct CmAppCertParam appCertParam = { (struct CmBlob *)&g_appCert, &errAppCertPwd, + &certAlias, CM_PRI_CREDENTIAL_STORE, INIT_INVALID_VALUE, CM_AUTH_STORAGE_LEVEL_EL1 }; + int32_t ret = CmInstallAppCertEx(&appCertParam, &priKeyUri); + EXPECT_EQ(ret, CMR_ERROR_PASSWORD_IS_ERR) << "PriAppCertTest024 credentail test failed, retcode:" << ret; +} + +/** + * @tc.name: PriAppCertTest025 + * @tc.desc: Test CertManager Install private app cert interface abnormal function + * @tc.type: FUNC + */ +HWTEST_F(CmPriAppCertTest, PriAppCertTest025, TestSize.Level0) +{ + char retUriBuf[MAX_LEN_URI] = {0}; + struct CmBlob priKeyUri = { sizeof(retUriBuf), reinterpret_cast(retUriBuf) }; + + uint8_t certAliasBuf[] = "PrikeyA"; + struct CmBlob certAlias = { sizeof(certAliasBuf), certAliasBuf }; + + /* userid is not invalid */ + struct CmAppCertParam appCertParam = { (struct CmBlob *)&g_appCert, (struct CmBlob *)&g_appCertPwd, + &certAlias, CM_PRI_CREDENTIAL_STORE, TEST_USERID, CM_AUTH_STORAGE_LEVEL_EL1 }; + int32_t ret = CmInstallAppCertEx(&appCertParam, &priKeyUri); + EXPECT_EQ(ret, CMR_ERROR_INVALID_ARGUMENT) << "PriAppCertTest025 1 credentail test failed, retcode:" << ret; +} +} \ No newline at end of file -- Gitee