diff --git a/frameworks/cert_manager_standard/main/common/src/cm_pfx.c b/frameworks/cert_manager_standard/main/common/src/cm_pfx.c index f0a1cef9b18455dc72b7e7c58b8480180a531062..be2a7d158c2c13e7bcf7d99ba15b914b531edc4c 100644 --- a/frameworks/cert_manager_standard/main/common/src/cm_pfx.c +++ b/frameworks/cert_manager_standard/main/common/src/cm_pfx.c @@ -154,29 +154,25 @@ static int32_t CmGetPemDerCertChain(const struct CmBlob *certChain, STACK_OF(X50 break; } - if (certChain->data[0] == '-') { - // PEM format - while ((tmpCert = PEM_read_bio_X509(bio, NULL, NULL, NULL)) != NULL) { - sk_X509_push(fullChain, tmpCert); - }; - } else if (certChain->data[0] == ASN1_TAG_TYPE_SEQ) { + if (certChain->data[0] == ASN1_TAG_TYPE_SEQ) { // Der format while ((tmpCert = d2i_X509_bio(bio, NULL)) != NULL) { sk_X509_push(fullChain, tmpCert); + // avoid double free + tmpCert = NULL; } } else { - CM_LOG_E("invalid certificate format."); - ret = CMR_ERROR_INVALID_CERT_FORMAT; - break; + // Pem format and other format + while ((tmpCert = PEM_read_bio_X509(bio, NULL, NULL, NULL)) != NULL) { + sk_X509_push(fullChain, tmpCert); + tmpCert = NULL; + }; } } while (0); if (bio != NULL) { BIO_free(bio); } - if (tmpCert != NULL) { - X509_free(tmpCert); - } return ret; } @@ -200,8 +196,8 @@ static int32_t CmParseCertChain(const struct CmBlob *certChain, struct AppCert * break; } - int certCount = sk_X509_num(fullChain); - if (certCount == 0) { + int32_t certCount = sk_X509_num(fullChain); + if (certCount <= 0) { CM_LOG_E("cert chain has no cert"); ret = CMR_ERROR_OPENSSL_FAIL; break; @@ -214,7 +210,7 @@ static int32_t CmParseCertChain(const struct CmBlob *certChain, struct AppCert * } /* default certificate chain is packaged as a whole */ - appCert->certCount = certCount; + appCert->certCount = (uint32_t)certCount; appCert->certSize = certChain->size; *cert = sk_X509_value(fullChain, 0); // Increase the reference count to prevent it from being released @@ -244,14 +240,7 @@ static int32_t CmGetPemDerPrivKey(const struct CmBlob *privKey, EVP_PKEY **pkey) } // The private key info contains the corresponding public key info - if (privKey->data[0] == '-') { - // PEM format - if (PEM_read_bio_PrivateKey(bio, pkey, NULL, NULL) == NULL) { - ret = CMR_ERROR_OPENSSL_FAIL; - CM_LOG_E("pem read bio private key faild"); - break; - } - } else if (privKey->data[0] == ASN1_TAG_TYPE_SEQ) { + if (privKey->data[0] == ASN1_TAG_TYPE_SEQ) { // Der format if (d2i_PrivateKey_bio(bio, pkey) == NULL) { ret = CMR_ERROR_OPENSSL_FAIL; @@ -259,9 +248,12 @@ static int32_t CmGetPemDerPrivKey(const struct CmBlob *privKey, EVP_PKEY **pkey) break; } } else { - CM_LOG_E("invalid priv key format."); - ret = CMR_ERROR_INVALID_CERT_FORMAT; - break; + // Pem and other format + if (PEM_read_bio_PrivateKey(bio, pkey, NULL, NULL) == NULL) { + ret = CMR_ERROR_OPENSSL_FAIL; + CM_LOG_E("pem or other format read bio private key faild"); + break; + } } } while (0); diff --git a/frameworks/cert_manager_standard/main/common/src/cm_x509.c b/frameworks/cert_manager_standard/main/common/src/cm_x509.c index b0a4140bf2e0ddb6f023c9d8f46b30010964ce42..ed395b44a81387fcde48d2b47c389895b0f41ce9 100644 --- a/frameworks/cert_manager_standard/main/common/src/cm_x509.c +++ b/frameworks/cert_manager_standard/main/common/src/cm_x509.c @@ -37,24 +37,31 @@ typedef ASN1_TIME *(TIME_FUNC)(const X509 *); // LCOV_EXCL_START X509 *InitCertContext(const uint8_t *certBuf, uint32_t size) { - X509 *x509 = NULL; if (certBuf == NULL || size > MAX_LEN_CERTIFICATE || size == 0) { return NULL; } - BIO *bio = BIO_new_mem_buf(certBuf, (int)size); - if (!bio) { - return NULL; - } - if (certBuf[0] == '-') { + X509 *x509 = NULL; + BIO *bio = NULL; + + do { + bio = BIO_new_mem_buf(certBuf, (int)size); + if (!bio) { + break; + } + + if (certBuf[0] == ASN1_TAG_TYPE_SEQ) { + // Der format + x509 = d2i_X509_bio(bio, NULL); + break; + } + // PEM format x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL); - } else if (certBuf[0] == ASN1_TAG_TYPE_SEQ) { - // Der format - x509 = d2i_X509_bio(bio, NULL); - } else { - CM_LOG_E("invalid certificate format."); + } while (0); + + if (bio != NULL) { + BIO_free(bio); } - BIO_free(bio); return x509; } diff --git a/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager_app_cert_process.c b/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager_app_cert_process.c index d5427e411a42280160e4da02caebcf31f2c9595e..d9e45088125bf43c9edcc89c9823fa7dadcd3e6b 100644 --- a/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager_app_cert_process.c +++ b/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager_app_cert_process.c @@ -447,15 +447,17 @@ static int32_t GetCredCertName(struct CmContext *context, const struct CmAppCert { int32_t ret = CM_SUCCESS; X509 *cert = NULL; - int32_t certManagerUid; + int32_t certManagerUid = 0; do { - if (certParam->store == CM_CREDENTIAL_STORE) { - if (!CmGetCertManagerAppUid(&certManagerUid, (int32_t)context->userId)) { + // only install user cred and target userid/caller user id is not 0 + if (certParam->store == CM_CREDENTIAL_STORE && context->userId != 0) { + if (!CmGetCertManagerAppUid(&certManagerUid, (int32_t)(context->userId))) { + ret = CM_FAILURE; CM_LOG_E("get cert manager uid failed"); - } else { - context->uid = (uint32_t)certManagerUid; + break; } + context->uid = (uint32_t)certManagerUid; } ret = ParseAppCert(certParam, priKey, certName, appCert, &cert); diff --git a/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager_check.c b/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager_check.c index 5ea6ee3946cc6d6715b4e4d376ec9ac01b6261ae..1a58aaaca0547ae74753851c9507926a4f19b748 100644 --- a/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager_check.c +++ b/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager_check.c @@ -207,13 +207,13 @@ static int32_t CmCheckCertAlias(const struct CmBlob *certAlias, uint32_t store, static bool CmCheckUserIdAndUpdateContext(const uint32_t inputUserId, uint32_t *callerUserId, uint32_t store) { if (*callerUserId == 0) { /* caller is sa */ + // If caller is sa, system credentials must specify the userid if (inputUserId == 0 || inputUserId == INIT_INVALID_VALUE) { if (store == CM_CREDENTIAL_STORE) { return true; - } else { - CM_LOG_E("caller is sa, input userId %u is invalid", inputUserId); - return false; } + CM_LOG_E("caller is sa, input userId %u is invalid, store: %u", inputUserId, store); + return false; } CM_LOG_D("update caller userId from %u to %u", *callerUserId, inputUserId); *callerUserId = inputUserId; @@ -246,7 +246,7 @@ static int32_t CmCheckAppCertParam(const struct CmAppCertParam *certParam) } if (CM_DETECT_ALIAS_CHECK(certParam->aliasFormat)) { - CM_LOG_E("CmCheckAppCertParam credFormat check fail, aliasFormat:%u", certParam->aliasFormat); + CM_LOG_E("CmCheckAppCertParam aliasFormat check fail, aliasFormat:%u", certParam->aliasFormat); return CMR_ERROR_INVALID_ARGUMENT; } @@ -286,6 +286,7 @@ int32_t CmServiceInstallAppCertCheck(const struct CmAppCertParam *certParam, str return ret; } + // Allow installation user credentials to specify userid if ((certParam->store == CM_SYS_CREDENTIAL_STORE || certParam->store == CM_CREDENTIAL_STORE) && !CmCheckUserIdAndUpdateContext(certParam->userId, &(cmContext->userId), certParam->store)) { CM_LOG_E("input userId is invalid"); diff --git a/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager_permission_check.cpp b/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager_permission_check.cpp index 8ce463c0c8b8a9d117914f05f870eb1f2e58df9f..fd55ad67fa2f86c2e7c108d24f0a93b33eb82f4f 100755 --- a/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager_permission_check.cpp +++ b/services/cert_manager_standard/cert_manager_engine/main/core/src/cert_manager_permission_check.cpp @@ -99,6 +99,7 @@ bool CmPermissionCheck(const uint32_t store) } } +// LCOV_EXCL_START static sptr GetBundleMgr() { auto systemAbilityManager = SystemAbilityManagerClient::GetInstance().GetSystemAbilityManager(); @@ -124,6 +125,7 @@ static sptr GetBundleMgr() return bundleMgr; } +// Temporarily process, install all user credentials under the certificate manager uid bool CmGetCertManagerAppUid(int32_t *uid, int32_t userId) { char bundleName[] = "com.ohos.certmanager"; @@ -141,4 +143,5 @@ bool CmGetCertManagerAppUid(int32_t *uid, int32_t userId) *uid = tmpUid; return true; -} \ No newline at end of file +} +// LCOV_EXCL_STOP \ No newline at end of file diff --git a/services/cert_manager_standard/cert_manager_engine/main/rdb/src/cm_rdb_open_callback.cpp b/services/cert_manager_standard/cert_manager_engine/main/rdb/src/cm_rdb_open_callback.cpp index 0bdb278d919a8abca5c44558bb87a926660a0069..eb3466da8166f09807ab1abd7d8669d30c1a28b8 100644 --- a/services/cert_manager_standard/cert_manager_engine/main/rdb/src/cm_rdb_open_callback.cpp +++ b/services/cert_manager_standard/cert_manager_engine/main/rdb/src/cm_rdb_open_callback.cpp @@ -37,7 +37,7 @@ int32_t CmRdbOpenCallback::OnUpgrade(NativeRdb::RdbStore &rdbStore, int currentV /* Upgrade the database: Add the AUTH_STORAGE_LEVEL column with a default value of 1 (EL1). */ if (currentVersion == RDB_VERSION_FIRST && targetVersion == RDB_VERSION_CURRENT) { int32_t ret = rdbStore.ExecuteSql("ALTER TABLE " + CERT_PROPERTY_TABLE_NAME + " ADD COLUMN " + - COLUMN_AUTH_STORAGE_LEVEL + " INTEGER DEFAULT_FORMAT 1;"); + COLUMN_AUTH_STORAGE_LEVEL + " INTEGER DEFAULT 1;"); CM_LOG_I("Upgrade execute sql ret: %d", ret); } return NativeRdb::E_OK; diff --git a/test/unittest/src/cm_app_cert_test.cpp b/test/unittest/src/cm_app_cert_test.cpp index 962b0685f0778d42d6223e8ae4fadac7b65dfba0..585a9aa5301ac70dcedf21c7137802bd7073053c 100644 --- a/test/unittest/src/cm_app_cert_test.cpp +++ b/test/unittest/src/cm_app_cert_test.cpp @@ -65,15 +65,6 @@ static const struct CmBlob g_appCert = { sizeof(g_rsa2048P12CertInfo), const_cas static const struct CmBlob g_eccAppCert = { sizeof(g_eccP256P12CertInfo), const_cast(g_eccP256P12CertInfo) }; static const struct CmBlob g_appCertPwd = { sizeof(g_certPwd), const_cast(g_certPwd) }; -static const struct CmBlob g_appPemCertChain = { strlen(g_rsa2048PEMCertChain) + 1, - reinterpret_cast(g_rsa2048PEMCertChain) }; -static const struct CmBlob g_appPemCertPrivKey = { strlen(g_rsa2048PEMPrivKey) + 1, - reinterpret_cast(g_rsa2048PEMPrivKey) }; -static const struct CmBlob g_appDerCertChain = { sizeof(g_rsa2048DERCertChain), - const_cast(g_rsa2048DERCertChain) }; -static const struct CmBlob g_appDerCertPrivKey = { sizeof(g_rsa2048DERPrivKey), - const_cast(g_rsa2048DERPrivKey) }; - static const uint8_t g_p12AbnormalCertinfo[] = { 0x30, 0x82, 0x0b, 0xc1, 0x02, 0x01, 0x03, 0x30, 0x82, 0x0b, 0x87, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0xa0, 0x82, 0x0b, 0x78, 0x04, 0x82, 0x0b, 0x74, 0x30, 0x82, @@ -858,53 +849,5 @@ HWTEST_F(CmAppCertTest, AppCertInstallPwdTest003, TestSize.Level0) EXPECT_EQ(ret, CMR_ERROR_INVALID_ARGUMENT) << \ "AppCertInstallPwdTest003 33 bytes sepcial pwd test failed, retcode:" << ret; } - -/** - * @tc.name: AppCertInstallCnAlias001 - * @tc.desc: Test Install user app cert chain and priv key normal function - * @tc.type: FUNC - */ -HWTEST_F(CmAppCertTest, AppCertInstallCnAlias001, TestSize.Level0) -{ - char retUriBuf[MAX_LEN_URI] = {0}; - struct CmBlob keyUri = { sizeof(retUriBuf), reinterpret_cast(retUriBuf) }; - struct CmBlob credPwd = { 0, NULL }; - - uint8_t certAliasBuf[] = "我的PEM证书"; - struct CmBlob certAlias = { sizeof(certAliasBuf), certAliasBuf }; - - struct CmAppCertParam appCertParam = { (struct CmBlob *)&g_appPemCertChain, &credPwd, &certAlias, - CM_CREDENTIAL_STORE, TEST_USERID, CM_AUTH_STORAGE_LEVEL_EL2, CHAIN_KEY, - (struct CmBlob *)&g_appPemCertPrivKey, SHA256_FORMAT }; - int32_t ret = CmInstallAppCertEx(&appCertParam, &keyUri); - EXPECT_EQ(ret, CM_SUCCESS) << "AppCertInstallCnAlias001 test install pem failed, retcode:" << ret; - - ret = CmUninstallAppCert(&keyUri, CM_CREDENTIAL_STORE); - EXPECT_EQ(ret, CM_SUCCESS) << "AppCertInstallCnAlias001 test uninstall failed, retcode:" << ret; -} - -/** - * @tc.name: AppCertInstallCnAlias002 - * @tc.desc: Test Install user app cert chain and priv key normal function - * @tc.type: FUNC - */ -HWTEST_F(CmAppCertTest, AppCertInstallCnAlias002, TestSize.Level0) -{ - char retUriBuf[MAX_LEN_URI] = {0}; - struct CmBlob keyUri = { sizeof(retUriBuf), reinterpret_cast(retUriBuf) }; - struct CmBlob credPwd = { 0, NULL }; - - uint8_t certAliasBuf[] = "我的DER证书"; - struct CmBlob certAlias = { sizeof(certAliasBuf), certAliasBuf }; - - struct CmAppCertParam appCertParam = { (struct CmBlob *)&g_appDerCertChain, &credPwd, &certAlias, - CM_CREDENTIAL_STORE, TEST_USERID, CM_AUTH_STORAGE_LEVEL_EL2, CHAIN_KEY, - (struct CmBlob *)&g_appDerCertPrivKey, SHA256_FORMAT }; - int32_t ret = CmInstallAppCertEx(&appCertParam, &keyUri); - EXPECT_EQ(ret, CM_SUCCESS) << "AppCertInstallCnAlias002 test install der failed, retcode:" << ret; - - ret = CmUninstallAppCert(&keyUri, CM_CREDENTIAL_STORE); - EXPECT_EQ(ret, CM_SUCCESS) << "AppCertInstallCnAlias002 test uninstall failed, retcode:" << ret; -} } // end of namespace diff --git a/test/unittest/src/cm_init_test.cpp b/test/unittest/src/cm_init_test.cpp index b312161ebf5b6dc361e06b134226aacd1790ece9..c75e0d340e670e15127f425f7f2edbd6e5552465 100755 --- a/test/unittest/src/cm_init_test.cpp +++ b/test/unittest/src/cm_init_test.cpp @@ -440,7 +440,7 @@ HWTEST_F(CmInitTest, CmInitTest020, TestSize.Level0) /** * @tc.name: CmInitTest021 - * @tc.desc: Abnormal case: Test init sm2 with SHA256_FORMAT + * @tc.desc: Abnormal case: Test init sm2 with SHA256 * @tc.type: FUNC */ HWTEST_F(CmInitTest, CmInitTest021, TestSize.Level0)