From 5dfbb6f005c5a7e4d58bd8ea5217a051c94cdc77 Mon Sep 17 00:00:00 2001 From: haixiangw Date: Tue, 25 Feb 2025 04:39:41 -0800 Subject: [PATCH] =?UTF-8?q?=E5=A2=9E=E5=8A=A0=E5=9B=BD=E5=AF=86=E7=B3=BB?= =?UTF-8?q?=E7=BB=9F=E7=94=A8=E6=88=B7=E6=A0=B9CA=E8=B7=AF=E5=BE=84?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: haixiangw --- .../main/core/include/cert_manager.h | 11 +--- .../main/core/include/cert_manager_storage.h | 6 ++ .../main/core/src/cert_manager.c | 36 ++++++++++-- .../main/core/src/cert_manager_query.c | 55 +++++++++++++++---- .../main/core/src/cert_manager_status.c | 18 +++++- .../main/core/src/cm_event_process.c | 2 +- 6 files changed, 99 insertions(+), 29 deletions(-) diff --git a/services/cert_manager_standard/cert_manager_engine/main/core/include/cert_manager.h b/services/cert_manager_standard/cert_manager_engine/main/core/include/cert_manager.h index 48f68e6..60fca89 100644 --- a/services/cert_manager_standard/cert_manager_engine/main/core/include/cert_manager.h +++ b/services/cert_manager_standard/cert_manager_engine/main/core/include/cert_manager.h @@ -23,13 +23,6 @@ extern "C" { #define CM_ERROR(rc) (int32_t) (rc) -#define CERT_DIR "/data/service/el1/public/cert_manager_service/certificates" -#define CREDNTIAL_STORE "/data/service/el1/public/cert_manager_service/certificates/credential/" -#define SYSTEM_CA_STORE "/system/etc/security/certificates/" -#define USER_CA_STORE "/data/service/el1/public/cert_manager_service/certificates/user/" -#define APP_CA_STORE "/data/service/el1/public/cert_manager_service/certificates/priv_credential/" -#define CREDENTIAL_STORE "./certificates/credential/" - /* Store it in the database. */ struct CertPropertyOri { const struct CmContext *context; @@ -42,8 +35,8 @@ struct CertPropertyOri { int32_t CertManagerInitialize(void); -int32_t CertManagerFindCertFileNameByUri( - const struct CmContext *context, const struct CmBlob *certUri, uint32_t store, struct CmMutableBlob *path); +int32_t CertManagerFindCertFileNameByUri(const struct CmContext *context, const struct CmBlob *certUri, + uint32_t store, bool isGmSysCert, struct CmMutableBlob *path); int32_t CmRemoveAppCert(const struct CmContext *context, const struct CmBlob *keyUri, const uint32_t store); diff --git a/services/cert_manager_standard/cert_manager_engine/main/core/include/cert_manager_storage.h b/services/cert_manager_standard/cert_manager_engine/main/core/include/cert_manager_storage.h index 89da7ac..83bdfff 100755 --- a/services/cert_manager_standard/cert_manager_engine/main/core/include/cert_manager_storage.h +++ b/services/cert_manager_standard/cert_manager_engine/main/core/include/cert_manager_storage.h @@ -25,6 +25,7 @@ extern "C" { #define CERT_DIR "/data/service/el1/public/cert_manager_service/certificates" #define CREDNTIAL_STORE "/data/service/el1/public/cert_manager_service/certificates/credential/" #define SYSTEM_CA_STORE "/system/etc/security/certificates/" +#define SYSTEM_CA_STORE_GM "/system/etc/security/certificates_gm/" #define USER_CA_STORE "/data/service/el1/public/cert_manager_service/certificates/user/" #define PRI_CREDNTIAL_STORE "/data/service/el1/public/cert_manager_service/certificates/priv_credential/" #define SYS_CREDNTIAL_STORE "/data/service/el1/public/cert_manager_service/certificates/sys_credential/" @@ -35,6 +36,11 @@ extern "C" { #define CERT_CONFIG_FILE_SUFFIX ".config" #define CERT_BACKUP_FILENAME_FORMAT "%08lx.%d" +#define SYSTEM_CA_PATH_COUNT_2 2 /* system root ca path: common alg + gm */ +#define SYSTEM_CA_PATH_COUNT_1 1 /* system root ca path: common alg */ +#define SYSTEM_CA_PATH_INDEX 0 +#define SYSTEM_CA_GM_PATH_INDEX 1 + int32_t GetRootPath(uint32_t store, char *rootPath, uint32_t pathLen); int32_t ConstructUserIdPath(const struct CmContext *context, uint32_t store, diff --git a/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager.c b/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager.c index c38909f..2340b3b 100644 --- a/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager.c +++ b/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager.c @@ -101,7 +101,7 @@ static int32_t GetFilePath(const struct CmContext *context, uint32_t store, char ret = sprintf_s(pathPtr, MAX_PATH_LEN, "%s%u", USER_CA_STORE, context->userId); break; case CM_PRI_CREDENTIAL_STORE: - ret = sprintf_s(pathPtr, MAX_PATH_LEN, "%s%u", APP_CA_STORE, context->userId); + ret = sprintf_s(pathPtr, MAX_PATH_LEN, "%s%u", PRI_CREDNTIAL_STORE, context->userId); break; case CM_SYS_CREDENTIAL_STORE: ret = sprintf_s(pathPtr, MAX_PATH_LEN, "%s%u", SYS_CREDNTIAL_STORE, context->userId); @@ -192,12 +192,38 @@ static int32_t FindObjectCert(const struct CmBlob *certUri, const struct CmMutab return CMR_ERROR_NOT_FOUND; } +static int32_t GetGmSystemCaCertPath(struct CmMutableBlob *path) +{ + if ((path == NULL) || (path->data == NULL) || (path->size == 0)) { + CM_LOG_E("Null pointer failure"); + return CMR_ERROR_NULL_POINTER; + } + + /* get gm system ca cert path */ + char *pathStr = (char *)path->data; + if (sprintf_s(pathStr, path->size, "%s", SYSTEM_CA_STORE_GM) < 0) { + CM_LOG_E("sprintf gm system ca path failed"); + return CMR_ERROR_MEM_OPERATION_PRINT; + } + + path->size = strlen(pathStr) + 1; + return CM_SUCCESS; +} + int32_t CertManagerFindCertFileNameByUri(const struct CmContext *context, const struct CmBlob *certUri, - uint32_t store, struct CmMutableBlob *path) + uint32_t store, bool isGmSysCert, struct CmMutableBlob *path) { ASSERT_ARGS(context && certUri && certUri->data); - int32_t ret = CmGetFilePath(context, store, path); + int32_t ret; + if (!isGmSysCert) { + ret = CmGetFilePath(context, store, path); + } else { + if (CmIsDirExist(SYSTEM_CA_STORE_GM) != CM_SUCCESS) { + return CMR_ERROR_NOT_FOUND; + } + ret = GetGmSystemCaCertPath(path); + } if (ret != CM_SUCCESS) { CM_LOG_E("Failed obtain path for store %x\n", store); return ret; @@ -287,7 +313,7 @@ static int32_t CmAppCertGetFilePath(const struct CmContext *context, const uint3 ret = sprintf_s((char*)path->data, MAX_PATH_LEN, "%s%u/%u", CREDNTIAL_STORE, context->userId, context->uid); break; case CM_PRI_CREDENTIAL_STORE : - ret = sprintf_s((char*)path->data, MAX_PATH_LEN, "%s%u", APP_CA_STORE, context->userId); + ret = sprintf_s((char*)path->data, MAX_PATH_LEN, "%s%u", PRI_CREDNTIAL_STORE, context->userId); break; case CM_SYS_CREDENTIAL_STORE: ret = sprintf_s((char *)path->data, MAX_PATH_LEN, "%s%u", SYS_CREDNTIAL_STORE, context->userId); @@ -315,7 +341,7 @@ static int32_t CmCallingAppCertGetFilePath(const struct CmContext *context, cons break; case CM_PRI_CREDENTIAL_STORE : ret = sprintf_s((char*)path->data, MAX_PATH_LEN, "%s%u/%u", - APP_CA_STORE, context->userId, context->uid); + PRI_CREDNTIAL_STORE, context->userId, context->uid); break; case CM_SYS_CREDENTIAL_STORE: ret = sprintf_s((char *)path->data, MAX_PATH_LEN, "%s%u/%u", diff --git a/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager_query.c b/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager_query.c index 7e895a0..eef37da 100644 --- a/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager_query.c +++ b/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager_query.c @@ -157,9 +157,19 @@ int32_t CmGetCertPathList(const struct CmContext *context, uint32_t store, struc return CM_SUCCESS; } +static int32_t GetSysCertPathCount(void) +{ + if (CmIsDirExist(SYSTEM_CA_STORE_GM) == CM_SUCCESS) { + CM_LOG_D("exist gm system ca store path."); + return SYSTEM_CA_PATH_COUNT_2; + } + + return SYSTEM_CA_PATH_COUNT_1; +} + int32_t CmGetSysCertPathList(const struct CmContext *context, struct CmMutableBlob *pathList) { - uint32_t sysPathCnt = 1; /* system root ca path only have one layer */ + uint32_t sysPathCnt = GetSysCertPathCount(); uint32_t listSize = sizeof(struct CmMutableBlob) * sysPathCnt; struct CmMutableBlob *cPathList = (struct CmMutableBlob *)CMMalloc(listSize); if (cPathList == NULL) { @@ -168,22 +178,43 @@ int32_t CmGetSysCertPathList(const struct CmContext *context, struct CmMutableBl } (void)memset_s(cPathList, listSize, 0, listSize); - int32_t ret = MallocCertPath(&cPathList[0], SYSTEM_CA_STORE); + int32_t ret; + do { + ret = MallocCertPath(&cPathList[SYSTEM_CA_PATH_INDEX], SYSTEM_CA_STORE); + if (ret != CM_SUCCESS) { + CM_LOG_E("malloc cPathList[0] failed"); + break; + } + + if (sprintf_s((char *)cPathList[SYSTEM_CA_PATH_INDEX].data, cPathList[SYSTEM_CA_PATH_INDEX].size, + "%s", SYSTEM_CA_STORE) < 0) { + CM_LOG_E("sprintf_s path failed"); + ret = CMR_ERROR_MEM_OPERATION_PRINT; + break; + } + + if (sysPathCnt == SYSTEM_CA_PATH_COUNT_2) { /* has gm system ca store path */ + ret = MallocCertPath(&cPathList[SYSTEM_CA_GM_PATH_INDEX], SYSTEM_CA_STORE_GM); + if (ret != CM_SUCCESS) { + CM_LOG_E("malloc cPathList[1] failed"); + break; + } + + if (sprintf_s((char *)cPathList[SYSTEM_CA_GM_PATH_INDEX].data, cPathList[SYSTEM_CA_GM_PATH_INDEX].size, + "%s", SYSTEM_CA_STORE_GM) < 0) { + CM_LOG_E("sprintf_s path failed"); + ret = CMR_ERROR_MEM_OPERATION_PRINT; + break; + } + } + } while (0); if (ret != CM_SUCCESS) { - CM_LOG_E("malloc cPathList[0] failed"); CmFreePathList(cPathList, sysPathCnt); return ret; } - if (sprintf_s((char *)cPathList[0].data, cPathList[0].size, "%s", SYSTEM_CA_STORE) < 0) { - CM_LOG_E("sprintf_s path failed"); - CmFreePathList(cPathList, sysPathCnt); - return CMR_ERROR_MEM_OPERATION_PRINT; - } - pathList->data = (uint8_t *)cPathList; pathList->size = sysPathCnt; - return CM_SUCCESS; } @@ -477,7 +508,7 @@ static int32_t GetCertContext(const struct CmBlob *fileName, struct CmContext *c certContext->uid = context->uid; return CM_SUCCESS; } - + struct CMUri uriObj; int32_t ret = CertManagerUriDecode(&uriObj, (char *)fileName->data); if (ret != CM_SUCCESS) { @@ -494,7 +525,7 @@ static int32_t GetCertContext(const struct CmBlob *fileName, struct CmContext *c return CMR_ERROR_INVALID_ARGUMENT_URI; } (void)CertManagerFreeUri(&uriObj); - + certContext->userId = userId; certContext->uid = uid; return CM_SUCCESS; diff --git a/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager_status.c b/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager_status.c index bb71a68..dbd1a26 100644 --- a/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager_status.c +++ b/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager_status.c @@ -804,10 +804,24 @@ int32_t SetcertStatus(const struct CmContext *context, const struct CmBlob *cert char pathBuf[CERT_MAX_PATH_LEN] = {0}; struct CmMutableBlob path = { sizeof(pathBuf), (uint8_t *) pathBuf }; struct CertFile certFile = { 0, 0 }; - int32_t ret = CertManagerFindCertFileNameByUri(context, certUri, store, &path); + int32_t ret = CertManagerFindCertFileNameByUri(context, certUri, store, false, &path); if (ret != CMR_OK) { + /* + * If the store type is not CM_SYSTEM_TRUSTED_STORE, ret is returned. + * Otherwise, try to obtain the gm system ca path. + */ CM_LOG_E("CertManagerFindCertFileNameByUri error = %d", ret); - return ret; + if (store != CM_SYSTEM_TRUSTED_STORE) { + return ret; + } + + path.size = sizeof(pathBuf); /* clear path data and size */ + (void)memset_s(path.data, path.size, 0, path.size); + ret = CertManagerFindCertFileNameByUri(context, certUri, store, true, &path); + if (ret != CMR_OK) { + CM_LOG_E("CertManagerFindCertFileNameByUri gm system ca error = %d", ret); + return ret; + } } certFile.path = &(CM_BLOB(&path)); certFile.fileName = &(CM_BLOB(certUri)); diff --git a/services/cert_manager_standard/cert_manager_engine/main/core/src/cm_event_process.c b/services/cert_manager_standard/cert_manager_engine/main/core/src/cm_event_process.c index d91b8b5..64720dd 100644 --- a/services/cert_manager_standard/cert_manager_engine/main/core/src/cm_event_process.c +++ b/services/cert_manager_standard/cert_manager_engine/main/core/src/cm_event_process.c @@ -504,7 +504,7 @@ int32_t CmDeleteProcessInfo(const struct CmContext *context) } /* Delete private credentail */ - ret = CmTraversalDir(context, APP_CA_STORE, CM_PRI_CREDENTIAL_STORE); + ret = CmTraversalDir(context, PRI_CREDNTIAL_STORE, CM_PRI_CREDENTIAL_STORE); if (ret != CM_SUCCESS) { CM_LOG_E("CmDeletePrivateCredential failed"); } -- Gitee