• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (c) 2022 Huawei Device Co., Ltd.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at
6  *
7  *    http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
16 #include "cert_manager_check.h"
17 
18 #include <ctype.h>
19 
20 #include "cert_manager.h"
21 #include "cert_manager_permission_check.h"
22 #include "cm_log.h"
23 
CheckUri(const struct CmBlob * keyUri)24 int32_t CheckUri(const struct CmBlob *keyUri)
25 {
26     if (CmCheckBlob(keyUri) != CM_SUCCESS) {
27         CM_LOG_E("invalid uri");
28         return CMR_ERROR_INVALID_ARGUMENT;
29     }
30 
31     if (keyUri->size > MAX_AUTH_LEN_URI) {
32         CM_LOG_E("invalid uri len:%u", keyUri->size);
33         return CMR_ERROR_INVALID_ARGUMENT;
34     }
35 
36     for (uint32_t i = 1; i < keyUri->size; ++i) { /* from index 1 has '\0' */
37         if (keyUri->data[i] == 0) {
38             return CM_SUCCESS;
39         }
40     }
41     return CMR_ERROR_INVALID_ARGUMENT;
42 }
43 
CmServiceGetSystemCertListCheck(const uint32_t store)44 int32_t CmServiceGetSystemCertListCheck(const uint32_t store)
45 {
46     if (store != CM_SYSTEM_TRUSTED_STORE) {
47         CM_LOG_E("invalid input arguments store:%u", store);
48         return CMR_ERROR_INVALID_ARGUMENT;
49     }
50 
51     if (!CmHasCommonPermission()) {
52         CM_LOG_E("permission check failed");
53         return CMR_ERROR_PERMISSION_DENIED;
54     }
55 
56     return CM_SUCCESS;
57 }
58 
CmServiceGetSystemCertCheck(const uint32_t store,const struct CmBlob * certUri)59 int32_t CmServiceGetSystemCertCheck(const uint32_t store, const struct CmBlob *certUri)
60 {
61     if (store != CM_SYSTEM_TRUSTED_STORE) {
62         CM_LOG_E("invalid input arguments store:%u", store);
63         return CMR_ERROR_INVALID_ARGUMENT;
64     }
65 
66     if (CheckUri(certUri) != CM_SUCCESS) {
67         CM_LOG_E("invalid input arguments");
68         return CMR_ERROR_INVALID_ARGUMENT;
69     }
70 
71     if (!CmHasCommonPermission()) {
72         CM_LOG_E("permission check failed");
73         return CMR_ERROR_PERMISSION_DENIED;
74     }
75 
76     return CM_SUCCESS;
77 }
78 
CmServiceSetCertStatusCheck(const uint32_t store,const struct CmBlob * certUri,const uint32_t status)79 int32_t CmServiceSetCertStatusCheck(const uint32_t store, const struct CmBlob *certUri, const uint32_t status)
80 {
81     if (store != CM_SYSTEM_TRUSTED_STORE) {
82         CM_LOG_E("invalid input arguments store:%u", store);
83         return CMR_ERROR_INVALID_ARGUMENT;
84     }
85 
86     if (CheckUri(certUri) != CM_SUCCESS) {
87         CM_LOG_E("invalid input arguments");
88         return CMR_ERROR_INVALID_ARGUMENT;
89     }
90 
91     if ((status != 0) && (status != 1)) {
92         CM_LOG_E("invalid input status:%u", status);
93         return CMR_ERROR_INVALID_ARGUMENT;
94     }
95 
96     if (!CmHasPrivilegedPermission() || !CmHasCommonPermission()) {
97         CM_LOG_E("permission check failed");
98         return CMR_ERROR_PERMISSION_DENIED;
99     }
100 
101     if (!CmIsSystemApp()) {
102         CM_LOG_E("set cert status: caller is not system app");
103         return CMR_ERROR_NOT_SYSTEMP_APP;
104     }
105 
106     return CM_SUCCESS;
107 }
108 
AppCertCheckBlobValid(const struct CmBlob * data)109 static bool AppCertCheckBlobValid(const struct CmBlob *data)
110 {
111     for (uint32_t i = 0; i < data->size; i++) {
112         if ((i > 0) && (data->data[i] == '\0')) { /* from index 1 has '\0' */
113             CM_LOG_E("data has string end character");
114             return true;
115         }
116 
117         if ((!isalnum(data->data[i])) && (data->data[i] != '_')) { /* has invalid character */
118             CM_LOG_E("data include invalid character");
119             return false;
120         }
121     }
122 
123     return true;
124 }
125 
CmCheckMaxInstalledCertCount(const uint32_t store,const struct CmContext * cmContext)126 static bool CmCheckMaxInstalledCertCount(const uint32_t store, const struct CmContext *cmContext)
127 {
128     bool isValid = true;
129     uint32_t fileCount = 0;
130     struct CmBlob fileNames[MAX_COUNT_CERTIFICATE];
131     uint32_t len = MAX_COUNT_CERTIFICATE * sizeof(struct CmBlob);
132     (void)memset_s(fileNames, len, 0, len);
133 
134     if (CmServiceGetAppCertList(cmContext, store, fileNames,
135         MAX_COUNT_CERTIFICATE, &fileCount) != CM_SUCCESS) {
136         isValid = false;
137         CM_LOG_E("Get App cert list fail");
138     }
139 
140     if (fileCount >= MAX_COUNT_CERTIFICATE) {
141         isValid = false;
142         CM_LOG_E("The app cert installed has reached max count:%u", fileCount);
143     }
144 
145     CM_LOG_I("app cert installed count:%u", fileCount);
146 
147     CmFreeFileNames(fileNames, fileCount);
148     return isValid;
149 }
150 
CmServiceInstallAppCertCheck(const struct CmBlob * appCert,const struct CmBlob * appCertPwd,const struct CmBlob * certAlias,const uint32_t store,const struct CmContext * cmContext)151 int32_t CmServiceInstallAppCertCheck(const struct CmBlob *appCert, const struct CmBlob *appCertPwd,
152     const struct CmBlob *certAlias, const uint32_t store, const struct CmContext *cmContext)
153 {
154     if (store != CM_CREDENTIAL_STORE && store != CM_PRI_CREDENTIAL_STORE) {
155         CM_LOG_E("CmInstallAppCertCheck store check fail, store:%u", store);
156         return CMR_ERROR_INVALID_ARGUMENT;
157     }
158 
159     if ((CmCheckBlob(appCert) != CM_SUCCESS) || (CmCheckBlob(appCertPwd) != CM_SUCCESS) ||
160         (CmCheckBlob(certAlias) != CM_SUCCESS)) {
161         CM_LOG_E("CmInstallAppCertCheck blob check fail");
162         return CMR_ERROR_INVALID_ARGUMENT;
163     }
164 
165     if (appCert->size > MAX_LEN_APP_CERT || appCertPwd->size > MAX_LEN_APP_CERT_PASSWD ||
166         certAlias->size > MAX_LEN_CERT_ALIAS) {
167         CM_LOG_E("CmInstallAppCertCheck max check fail, appCert:%u, appCertPwd:%u, certAlias:%u",
168             appCert->size, appCertPwd->size, certAlias->size);
169         return CMR_ERROR_INVALID_ARGUMENT;
170     }
171 
172     if (!AppCertCheckBlobValid(appCertPwd) || !AppCertCheckBlobValid(certAlias)) {
173         CM_LOG_E("CmInstallAppCertCheck blob data check fail");
174         return CMR_ERROR_INVALID_ARGUMENT;
175     }
176 
177     if (CmCheckMaxInstalledCertCount(store, cmContext) == false) {
178         CM_LOG_E("CmCheckMaxInstalledCertCount check fail");
179         return CM_FAILURE;
180     }
181 
182     if (!CmPermissionCheck(store)) {
183         CM_LOG_E("permission check failed");
184         return CMR_ERROR_PERMISSION_DENIED;
185     }
186 
187     if (!CmIsSystemAppByStoreType(store)) {
188         CM_LOG_E("install app cert: caller is not system app");
189         return CMR_ERROR_NOT_SYSTEMP_APP;
190     }
191 
192     return CM_SUCCESS;
193 }
194 
CmServiceUninstallAppCertCheck(const uint32_t store,const struct CmBlob * keyUri)195 int32_t CmServiceUninstallAppCertCheck(const uint32_t store, const struct CmBlob *keyUri)
196 {
197     if ((store != CM_CREDENTIAL_STORE) && (store != CM_PRI_CREDENTIAL_STORE)) {
198         CM_LOG_E("invalid input arguments store:%u", store);
199         return CMR_ERROR_INVALID_ARGUMENT;
200     }
201 
202     if (CheckUri(keyUri) != CM_SUCCESS) {
203         CM_LOG_E("invalid input arguments");
204         return CMR_ERROR_INVALID_ARGUMENT;
205     }
206 
207     if (!CmPermissionCheck(store)) {
208         CM_LOG_E("permission check failed");
209         return CMR_ERROR_PERMISSION_DENIED;
210     }
211 
212     if (!CmIsSystemAppByStoreType(store)) {
213         CM_LOG_E("uninstall app cert: caller is not system app");
214         return CMR_ERROR_NOT_SYSTEMP_APP;
215     }
216 
217     return CM_SUCCESS;
218 }
219 
CmServiceGetAppCertListCheck(const uint32_t store)220 int32_t CmServiceGetAppCertListCheck(const uint32_t store)
221 {
222     if ((store != CM_CREDENTIAL_STORE) && (store != CM_PRI_CREDENTIAL_STORE)) {
223         CM_LOG_E("invalid input arguments store:%u", store);
224         return CMR_ERROR_INVALID_ARGUMENT;
225     }
226 
227     if (!CmHasPrivilegedPermission() || !CmHasCommonPermission()) {
228         CM_LOG_E("permission check failed");
229         return CMR_ERROR_PERMISSION_DENIED;
230     }
231 
232     if (!CmIsSystemApp()) {
233         CM_LOG_E("get app cert list: caller is not system app");
234         return CMR_ERROR_NOT_SYSTEMP_APP;
235     }
236 
237     return CM_SUCCESS;
238 }
239 
CmServiceGetAppCertCheck(const uint32_t store,const struct CmBlob * keyUri)240 int32_t CmServiceGetAppCertCheck(const uint32_t store, const struct CmBlob *keyUri)
241 {
242     if ((store != CM_CREDENTIAL_STORE) && (store != CM_PRI_CREDENTIAL_STORE)) {
243         CM_LOG_E("invalid input arguments store:%u", store);
244         return CMR_ERROR_INVALID_ARGUMENT;
245     }
246 
247     if (CheckUri(keyUri) != CM_SUCCESS) {
248         CM_LOG_E("invalid input arguments");
249         return CMR_ERROR_INVALID_ARGUMENT;
250     }
251 
252     if (!CmHasCommonPermission()) {
253         CM_LOG_E("permission check failed");
254         return CMR_ERROR_PERMISSION_DENIED;
255     }
256 
257     return CM_SUCCESS;
258 }
259 
260