• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (C) 2021 Huawei Device Co., Ltd.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at
6  *
7  *     http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
16 #include "init/trusted_root_ca.h"
17 
18 #include "nlohmann/json.hpp"
19 
20 #include "common/hap_verify_log.h"
21 #include "util/hap_cert_verify_openssl_utils.h"
22 
23 namespace OHOS {
24 namespace Security {
25 namespace Verify {
26 const std::string TrustedRootCa::TRUSTED_ROOT_CA_FILE_PATH = "/system/etc/security/trusted_root_ca.json";
27 const std::string TrustedRootCa::TRUSTED_ROOT_CA_TEST_FILE_PATH = "/system/etc/security/trusted_root_ca_test.json";
28 
GetInstance()29 TrustedRootCa& TrustedRootCa::GetInstance()
30 {
31     static TrustedRootCa singleTrustedRoot;
32     return singleTrustedRoot;
33 }
34 
TrustedRootCa()35 TrustedRootCa::TrustedRootCa() : rootCerts(), rootCertsForTest(), isInit(false), isDebug(false)
36 {
37 }
38 
~TrustedRootCa()39 TrustedRootCa::~TrustedRootCa()
40 {
41     for (auto rootCert : rootCerts) {
42         X509_free(rootCert.second);
43     }
44     for (auto rootCert : rootCertsForTest) {
45         X509_free(rootCert.second);
46     }
47 }
48 
EnableDebug()49 bool TrustedRootCa::EnableDebug()
50 {
51     if (isDebug) {
52         return true;
53     }
54 
55     isDebug = GetTrustedRootCAFromJson(rootCertsForTest, TRUSTED_ROOT_CA_TEST_FILE_PATH);
56     if (isDebug) {
57         HAPVERIFY_LOG_INFO(LABEL, "parse root certs test success, certs num: %{public}zu", rootCertsForTest.size());
58     }
59     return isDebug;
60 }
61 
DisableDebug()62 void TrustedRootCa::DisableDebug()
63 {
64     isDebug = false;
65     for (auto& rootCert : rootCertsForTest) {
66         X509_free(rootCert.second);
67     }
68     rootCertsForTest.clear();
69 }
70 
Init()71 bool TrustedRootCa::Init()
72 {
73     if (isInit) {
74         return true;
75     }
76 
77     isInit = GetTrustedRootCAFromJson(rootCerts, TRUSTED_ROOT_CA_FILE_PATH);
78     if (isInit) {
79         HAPVERIFY_LOG_INFO(LABEL, "parse root certs success, certs num: %{public}zu", rootCerts.size());
80     }
81     return isInit;
82 }
83 
Recovery()84 void TrustedRootCa::Recovery()
85 {
86     for (auto& rootCert : rootCerts) {
87         X509_free(rootCert.second);
88     }
89     rootCerts.clear();
90     isInit = false;
91 }
92 
GetTrustedRootCAFromJson(StringCertMap & rootCertMap,const std::string & filePath)93 bool TrustedRootCa::GetTrustedRootCAFromJson(StringCertMap& rootCertMap, const std::string& filePath)
94 {
95     nlohmann::json trustedRootCAJson;
96     std::string errorInfo;
97     if (!JsonParserUtils::ReadTrustedRootCAFromJson(trustedRootCAJson, filePath, errorInfo)) {
98         HAPVERIFY_LOG_ERROR(LABEL, "get jsonObj from %{public}s failed, because %{public}s",
99             filePath.c_str(), errorInfo.c_str());
100         return false;
101     }
102 
103     JsonMap trustedRootCAJsonMap;
104     JsonParserUtils::ParseJsonToMap(trustedRootCAJson, trustedRootCAJsonMap);
105     for (auto jsonPair : trustedRootCAJsonMap) {
106         HAPVERIFY_LOG_INFO(LABEL, "parse cert: %{public}s", jsonPair.second.c_str());
107         X509* cert = HapCertVerifyOpensslUtils::GetX509CertFromPemString(jsonPair.second);
108         if (cert == nullptr) {
109             HAPVERIFY_LOG_ERROR(LABEL, "GetX509CertFromPemString failed, key: %{public}s value: %{public}s",
110                 jsonPair.first.c_str(), jsonPair.second.c_str());
111             return false;
112         }
113         rootCertMap[jsonPair.first] = cert;
114     }
115 
116     if (rootCertMap.empty()) {
117         HAPVERIFY_LOG_ERROR(LABEL, "no root cert");
118         return false;
119     }
120     return true;
121 }
122 
FindMatchedRoot(X509 * caCert)123 X509* TrustedRootCa::FindMatchedRoot(X509* caCert)
124 {
125     if (caCert == nullptr) {
126         return nullptr;
127     }
128 
129     X509* root = FindMatchedRoot(rootCerts, caCert);
130     if (root != nullptr) {
131         return root;
132     }
133 
134     if (isDebug) {
135         HAPVERIFY_LOG_INFO(LABEL, "try to match with test root");
136         root = FindMatchedRoot(rootCertsForTest, caCert);
137     }
138     return root;
139 }
140 
FindMatchedRoot(const StringCertMap & rootCertMap,X509 * caCert)141 X509* TrustedRootCa::FindMatchedRoot(const StringCertMap& rootCertMap, X509* caCert)
142 {
143     for (auto root : rootCertMap) {
144         if (HapCertVerifyOpensslUtils::X509NameCompare(X509_get_subject_name(root.second),
145             X509_get_issuer_name(caCert)) &&
146             HapCertVerifyOpensslUtils::CertVerify(caCert, root.second)) {
147             return X509_dup(root.second);
148         }
149     }
150     return nullptr;
151 }
152 } // namespace Verify
153 } // namespace Security
154 } // namespace OHOS
155