1 /*
2 * Copyright (C) 2021 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "util/hap_cert_verify_openssl_utils.h"
17
18 #include <cmath>
19 #include <fstream>
20
21 #include "openssl/pem.h"
22 #include "openssl/sha.h"
23
24 #include "common/hap_verify_log.h"
25 #include "init/hap_crl_manager.h"
26 #include "init/trusted_root_ca.h"
27 #include "securec.h"
28 #include "util/hap_verify_openssl_utils.h"
29
30 namespace OHOS {
31 namespace Security {
32 namespace Verify {
33 const unsigned int HapCertVerifyOpensslUtils::MIN_CERT_CHAIN_LEN_NEED_VERIFY_CRL = 2;
34 const int HapCertVerifyOpensslUtils::OPENSSL_READ_CRL_MAX_TIME = 1048576; // 1024 * 1024
35 const int HapCertVerifyOpensslUtils::OPENSSL_READ_CRL_LEN_EACH_TIME = 1024;
36 const int HapCertVerifyOpensslUtils::BASE64_ENCODE_LEN_OF_EACH_GROUP_DATA = 4;
37 const int HapCertVerifyOpensslUtils::BASE64_ENCODE_PACKET_LEN = 3;
38 constexpr int BUFF_SIZE = 3;
39
GetX509CertFromPemString(const std::string & pemString)40 X509* HapCertVerifyOpensslUtils::GetX509CertFromPemString(const std::string& pemString)
41 {
42 BIO* pemBio = BIO_new(BIO_s_mem());
43 if (pemBio == nullptr) {
44 HapVerifyOpensslUtils::GetOpensslErrorMessage();
45 HAPVERIFY_LOG_ERROR(LABEL, "BIO_new failed");
46 return nullptr;
47 }
48 int strLen = static_cast<int>(pemString.size());
49 if (BIO_write(pemBio, pemString.c_str(), strLen) != strLen) {
50 HapVerifyOpensslUtils::GetOpensslErrorMessage();
51 HAPVERIFY_LOG_ERROR(LABEL, "BIO_write failed");
52 BIO_free_all(pemBio);
53 return nullptr;
54 }
55 X509* cert = PEM_read_bio_X509(pemBio, nullptr, nullptr, nullptr);
56 BIO_free_all(pemBio);
57 return cert;
58 }
59
GetX509CertFromBase64String(const std::string & base64String)60 X509* HapCertVerifyOpensslUtils::GetX509CertFromBase64String(const std::string& base64String)
61 {
62 std::unique_ptr<unsigned char[]> decodeBuffer = std::make_unique<unsigned char[]>(base64String.size());
63
64 const unsigned char* input = reinterpret_cast<const unsigned char *>(base64String.c_str());
65 int len = EVP_DecodeBlock(decodeBuffer.get(), input, base64String.size());
66 if (len <= 0) {
67 HapVerifyOpensslUtils::GetOpensslErrorMessage();
68 HAPVERIFY_LOG_ERROR(LABEL, "base64Decode failed, len: %{public}d", len);
69 return nullptr;
70 }
71
72 const unsigned char* derBits = decodeBuffer.get();
73 X509* cert = d2i_X509(nullptr, &derBits, len);
74 return cert;
75 }
76
GetPublickeyBase64FromPemCert(const std::string & certStr,std::string & publicKey)77 bool HapCertVerifyOpensslUtils::GetPublickeyBase64FromPemCert(const std::string& certStr, std::string& publicKey)
78 {
79 X509* cert = GetX509CertFromPemString(certStr);
80 if (cert == nullptr) {
81 HAPVERIFY_LOG_ERROR(LABEL, "GetX509CertFromPemString failed");
82 return false;
83 }
84
85 if (!GetPublickeyBase64(cert, publicKey)) {
86 HAPVERIFY_LOG_ERROR(LABEL, "X509_get_pubkey failed");
87 HapVerifyOpensslUtils::GetOpensslErrorMessage();
88 X509_free(cert);
89 return false;
90 }
91 X509_free(cert);
92 return true;
93 }
94
GetFingerprintBase64FromPemCert(const std::string & certStr,std::string & fingerprint)95 bool HapCertVerifyOpensslUtils::GetFingerprintBase64FromPemCert(const std::string& certStr, std::string& fingerprint)
96 {
97 HAPVERIFY_LOG_DEBUG(LABEL, "GetFingerprintBase64FromPemCert begin");
98 X509* cert = GetX509CertFromPemString(certStr);
99 if (cert == nullptr) {
100 HAPVERIFY_LOG_ERROR(LABEL, "GetX509CertFromPemString failed");
101 return false;
102 }
103 int certLen = i2d_X509(cert, nullptr);
104 if (certLen <= 0) {
105 HAPVERIFY_LOG_ERROR(LABEL, "certLen %{public}d, i2d_X509 failed", certLen);
106 HapVerifyOpensslUtils::GetOpensslErrorMessage();
107 X509_free(cert);
108 return false;
109 }
110
111 std::unique_ptr<unsigned char[]> derCertificate = std::make_unique<unsigned char[]>(certLen);
112
113 unsigned char* derCertificateBackup = derCertificate.get();
114 if (i2d_X509(cert, &derCertificateBackup) <= 0) {
115 HAPVERIFY_LOG_ERROR(LABEL, "i2d_X509 failed");
116 HapVerifyOpensslUtils::GetOpensslErrorMessage();
117 X509_free(cert);
118 return false;
119 }
120 SHA256_CTX sha256;
121 SHA256_Init(&sha256);
122 SHA256_Update(&sha256, derCertificate.get(), certLen);
123 unsigned char hash[SHA256_DIGEST_LENGTH];
124 SHA256_Final(hash, &sha256);
125 char buff[BUFF_SIZE] = {0};
126 for (int index = 0; index < SHA256_DIGEST_LENGTH; ++index) {
127 if (sprintf_s(buff, sizeof(buff), "%02X", hash[index]) < 0) {
128 fingerprint.clear();
129 HAPVERIFY_LOG_ERROR(LABEL, "transforms hash string to hexadecimal string failed");
130 X509_free(cert);
131 return false;
132 }
133 fingerprint += buff;
134 }
135 X509_free(cert);
136 HAPVERIFY_LOG_DEBUG(LABEL, "GetFingerprintBase64FromPemCert end %{public}s", fingerprint.c_str());
137 return true;
138 }
139
GetPublickeyBase64(const X509 * cert,std::string & publicKey)140 bool HapCertVerifyOpensslUtils::GetPublickeyBase64(const X509* cert, std::string& publicKey)
141 {
142 EVP_PKEY *pkey = X509_get0_pubkey(cert);
143 if (pkey == nullptr) {
144 HAPVERIFY_LOG_ERROR(LABEL, "X509_get0_pubkey failed");
145 HapVerifyOpensslUtils::GetOpensslErrorMessage();
146 return false;
147 }
148
149 int keyLen = i2d_PublicKey(pkey, nullptr);
150 if (keyLen <= 0) {
151 HAPVERIFY_LOG_ERROR(LABEL, "keyLen %{public}d, i2d_PublicKey failed", keyLen);
152 HapVerifyOpensslUtils::GetOpensslErrorMessage();
153 return false;
154 }
155 std::unique_ptr<unsigned char[]> derPublicKey = std::make_unique<unsigned char[]>(keyLen);
156 int base64KeyLen = CalculateLenAfterBase64Encode(keyLen);
157 std::unique_ptr<unsigned char[]> base64PublicKey = std::make_unique<unsigned char[]>(base64KeyLen);
158 unsigned char* derCertificateBackup = derPublicKey.get();
159 if (i2d_PublicKey(pkey, &derCertificateBackup) <= 0) {
160 HAPVERIFY_LOG_ERROR(LABEL, "i2d_PublicKey failed");
161 HapVerifyOpensslUtils::GetOpensslErrorMessage();
162 return false;
163 }
164
165 int outLen = EVP_EncodeBlock(base64PublicKey.get(), derPublicKey.get(), keyLen);
166 publicKey = std::string(reinterpret_cast<char*>(base64PublicKey.get()), outLen);
167 return true;
168 }
169
170 /*
171 * The length after Base64 encoding is 4/3 of the length before encoding,
172 * and openssl function will add '\0' to the encoded string.
173 * So len_after_encode = len_before_encode * 4/3 + 1
174 */
CalculateLenAfterBase64Encode(int len)175 int HapCertVerifyOpensslUtils::CalculateLenAfterBase64Encode(int len)
176 {
177 return static_cast<int>(ceil(static_cast<long double>(len) / BASE64_ENCODE_PACKET_LEN) *
178 BASE64_ENCODE_LEN_OF_EACH_GROUP_DATA + 1);
179 }
180
CompareX509Cert(const X509 * certA,const std::string & base64Cert)181 bool HapCertVerifyOpensslUtils::CompareX509Cert(const X509* certA, const std::string& base64Cert)
182 {
183 if (certA == nullptr) {
184 HAPVERIFY_LOG_ERROR(LABEL, "certA is nullptr");
185 return false;
186 }
187
188 X509* certB = GetX509CertFromPemString(base64Cert);
189 if (certB == nullptr) {
190 HAPVERIFY_LOG_ERROR(LABEL, "generate certB failed");
191 return false;
192 }
193 bool ret = (X509_cmp(certA, certB) == 0);
194 X509_free(certB);
195 return ret;
196 }
197
GetX509CrlFromDerBuffer(const HapByteBuffer & crlBuffer,int offset,int len)198 X509_CRL* HapCertVerifyOpensslUtils::GetX509CrlFromDerBuffer(const HapByteBuffer& crlBuffer, int offset, int len)
199 {
200 if (crlBuffer.GetBufferPtr() == nullptr) {
201 HAPVERIFY_LOG_ERROR(LABEL, "invalid input, crlbuffer is null");
202 return nullptr;
203 }
204 if ((len <= 0) || (offset < 0) || (crlBuffer.GetCapacity() - len < offset)) {
205 HAPVERIFY_LOG_ERROR(LABEL, "invalid input, offset: %{public}d, len: %{public}d", offset, len);
206 return nullptr;
207 }
208
209 BIO* derBio = BIO_new(BIO_s_mem());
210 if (derBio == nullptr) {
211 HapVerifyOpensslUtils::GetOpensslErrorMessage();
212 HAPVERIFY_LOG_ERROR(LABEL, "BIO_new failed");
213 return nullptr;
214 }
215 if (BIO_write(derBio, crlBuffer.GetBufferPtr() + offset, len) != len) {
216 HapVerifyOpensslUtils::GetOpensslErrorMessage();
217 HAPVERIFY_LOG_ERROR(LABEL, "BIO_write failed");
218 BIO_free_all(derBio);
219 return nullptr;
220 }
221 X509_CRL* crl = d2i_X509_CRL_bio(derBio, nullptr);
222 BIO_free_all(derBio);
223 return crl;
224 }
225
WriteX509CrlToStream(std::ofstream & crlFile,X509_CRL * crl)226 void HapCertVerifyOpensslUtils::WriteX509CrlToStream(std::ofstream& crlFile, X509_CRL* crl)
227 {
228 if (!crlFile.is_open()) {
229 HAPVERIFY_LOG_ERROR(LABEL, "fill is not open");
230 return;
231 }
232
233 BIO* derBio = BIO_new(BIO_s_mem());
234 if (derBio == nullptr) {
235 HAPVERIFY_LOG_ERROR(LABEL, "BIO_new failed");
236 return;
237 }
238 if (crl == nullptr || i2d_X509_CRL_bio(derBio, crl) == 0) {
239 BIO_free_all(derBio);
240 HAPVERIFY_LOG_ERROR(LABEL, "i2d_X509_CRL_bio failed");
241 return;
242 }
243
244 int totalLen = 0;
245 long long posStart = crlFile.tellp();
246 crlFile.seekp(posStart + sizeof(totalLen));
247 char buf[OPENSSL_READ_CRL_LEN_EACH_TIME];
248 int readLen = BIO_read(derBio, buf, sizeof(buf));
249 int readTime = 0;
250 while (readLen > 0 && (++readTime < OPENSSL_READ_CRL_MAX_TIME)) {
251 crlFile.write(buf, readLen);
252 totalLen += readLen;
253 readLen = BIO_read(derBio, buf, sizeof(buf));
254 }
255 BIO_free_all(derBio);
256 long long posEnd = crlFile.tellp();
257 crlFile.seekp(posStart);
258 /* write crl data len */
259 crlFile.write(reinterpret_cast<char*>(&totalLen), sizeof(totalLen));
260 crlFile.seekp(posEnd);
261 }
262
GenerateCertSignFromCertStack(STACK_OF (X509)* certs,CertSign & certVisitSign)263 void HapCertVerifyOpensslUtils::GenerateCertSignFromCertStack(STACK_OF(X509)* certs, CertSign& certVisitSign)
264 {
265 if (certs == nullptr) {
266 return;
267 }
268
269 for (int i = 0; i < sk_X509_num(certs); i++) {
270 X509* cert = sk_X509_value(certs, i);
271 if (cert == nullptr) {
272 continue;
273 }
274 certVisitSign[cert] = false;
275 }
276 }
277
ClearCertVisitSign(CertSign & certVisitSign)278 void HapCertVerifyOpensslUtils::ClearCertVisitSign(CertSign& certVisitSign)
279 {
280 for (auto& certPair : certVisitSign) {
281 certPair.second = false;
282 }
283 }
284
GetCertsChain(CertChain & certsChain,CertSign & certVisitSign)285 bool HapCertVerifyOpensslUtils::GetCertsChain(CertChain& certsChain, CertSign& certVisitSign)
286 {
287 if (certsChain.empty() || certVisitSign.empty()) {
288 HAPVERIFY_LOG_ERROR(LABEL, "input is invalid");
289 return false;
290 }
291
292 X509* issuerCert;
293 X509* cert = certsChain[0];
294 while ((issuerCert = FindCertOfIssuer(cert, certVisitSign)) != nullptr) {
295 certsChain.push_back(X509_dup(issuerCert));
296 certVisitSign[issuerCert] = true;
297 cert = issuerCert;
298 }
299
300 TrustedRootCa& rootCertsObj = TrustedRootCa::GetInstance();
301 issuerCert = rootCertsObj.FindMatchedRoot(certsChain[certsChain.size() - 1]);
302 if (issuerCert == nullptr) {
303 std::string caIssuer;
304 GetIssuerFromX509(certsChain[certsChain.size() - 1], caIssuer);
305 HAPVERIFY_LOG_ERROR(LABEL, "it do not come from trusted root, issuer: %{public}s", caIssuer.c_str());
306 return false;
307 }
308 if (X509_cmp(issuerCert, certsChain[certsChain.size() - 1]) == 0) {
309 X509_free(issuerCert);
310 } else {
311 certsChain.push_back(issuerCert);
312 }
313 return true;
314 }
315
FindCertOfIssuer(X509 * cert,CertSign & certVisitSign)316 X509* HapCertVerifyOpensslUtils::FindCertOfIssuer(X509* cert, CertSign& certVisitSign)
317 {
318 if (cert == nullptr) {
319 HAPVERIFY_LOG_ERROR(LABEL, "input is invalid");
320 return nullptr;
321 }
322
323 X509_NAME* signCertIssuer = X509_get_issuer_name(cert);
324 for (auto certPair : certVisitSign) {
325 if (certPair.second) {
326 continue;
327 }
328
329 X509* issuerCert = certPair.first;
330 X509_NAME* issuerCertSubject = X509_get_subject_name(issuerCert);
331 /* verify sign and issuer */
332 if (X509NameCompare(issuerCertSubject, signCertIssuer) &&
333 CertVerify(cert, issuerCert)) {
334 return issuerCert;
335 }
336 }
337 return nullptr;
338 }
339
CertVerify(X509 * cert,const X509 * issuerCert)340 bool HapCertVerifyOpensslUtils::CertVerify(X509* cert, const X509* issuerCert)
341 {
342 if (cert == nullptr) {
343 HAPVERIFY_LOG_ERROR(LABEL, "input is invalid");
344 return false;
345 }
346
347 EVP_PKEY* caPublicKey = X509_get0_pubkey(issuerCert);
348 if (caPublicKey == nullptr) {
349 HapVerifyOpensslUtils::GetOpensslErrorMessage();
350 HAPVERIFY_LOG_ERROR(LABEL, "get pubkey from caCert failed");
351 return false;
352 }
353 return X509_verify(cert, caPublicKey) > 0;
354 }
355
VerifyCertChainPeriodOfValidity(CertChain & certsChain,const ASN1_TYPE * signTime)356 bool HapCertVerifyOpensslUtils::VerifyCertChainPeriodOfValidity(CertChain& certsChain, const ASN1_TYPE* signTime)
357 {
358 if (certsChain.empty()) {
359 return false;
360 }
361
362 for (unsigned int i = 0; i < certsChain.size() - 1; i++) {
363 if (certsChain[i] == nullptr) {
364 HAPVERIFY_LOG_ERROR(LABEL, "%{public}dst cert is nullptr", i);
365 return false;
366 }
367 const ASN1_TIME* notBefore = X509_get0_notBefore(certsChain[i]);
368 const ASN1_TIME* notAfter = X509_get0_notAfter(certsChain[i]);
369 if (!CheckSignTimeInValidPeriod(signTime, notBefore, notAfter)) {
370 HAPVERIFY_LOG_ERROR(LABEL, "%{public}dst cert is not in period of validity", i);
371 return false;
372 }
373 }
374 return true;
375 }
376
CheckAsn1TimeIsValid(const ASN1_TIME * asn1Time)377 bool HapCertVerifyOpensslUtils::CheckAsn1TimeIsValid(const ASN1_TIME* asn1Time)
378 {
379 if (asn1Time == nullptr || asn1Time->data == nullptr) {
380 return false;
381 }
382 return true;
383 }
384
CheckAsn1TypeIsValid(const ASN1_TYPE * asn1Type)385 bool HapCertVerifyOpensslUtils::CheckAsn1TypeIsValid(const ASN1_TYPE* asn1Type)
386 {
387 if (asn1Type == nullptr || asn1Type->value.asn1_string == nullptr ||
388 asn1Type->value.asn1_string->data == nullptr) {
389 return false;
390 }
391 return true;
392 }
393
CheckSignTimeInValidPeriod(const ASN1_TYPE * signTime,const ASN1_TIME * notBefore,const ASN1_TIME * notAfter)394 bool HapCertVerifyOpensslUtils::CheckSignTimeInValidPeriod(const ASN1_TYPE* signTime,
395 const ASN1_TIME* notBefore, const ASN1_TIME* notAfter)
396 {
397 if (!CheckAsn1TimeIsValid(notBefore) || !CheckAsn1TimeIsValid(notAfter)) {
398 HAPVERIFY_LOG_ERROR(LABEL, "no valid period");
399 return false;
400 }
401 if (!CheckAsn1TypeIsValid(signTime)) {
402 HAPVERIFY_LOG_ERROR(LABEL, "signTime is invalid");
403 return false;
404 }
405
406 if (ASN1_TIME_compare(notBefore, signTime->value.asn1_string) > 0 ||
407 ASN1_TIME_compare(notAfter, signTime->value.asn1_string) < 0) {
408 HAPVERIFY_LOG_ERROR(LABEL, "Out of valid period, signTime: %{public}s, notBefore: %{public}s, "
409 "notAfter: %{public}s", signTime->value.asn1_string->data, notBefore->data, notAfter->data);
410 return false;
411 }
412 HAPVERIFY_LOG_DEBUG(LABEL, "signTime type: %{public}d, data: %{public}s, notBefore: %{public}s, "
413 "notAfter: %{public}s", signTime->type, signTime->value.asn1_string->data, notBefore->data, notAfter->data);
414 return true;
415 }
416
VerifyCrl(CertChain & certsChain,STACK_OF (X509_CRL)* crls,Pkcs7Context & pkcs7Context)417 bool HapCertVerifyOpensslUtils::VerifyCrl(CertChain& certsChain, STACK_OF(X509_CRL)* crls, Pkcs7Context& pkcs7Context)
418 {
419 if (certsChain.empty()) {
420 HAPVERIFY_LOG_ERROR(LABEL, "cert chain is null");
421 return false;
422 }
423
424 /* get signed cert's issuer and then it will be used to find local crl */
425 if (!GetIssuerFromX509(certsChain[0], pkcs7Context.certIssuer)) {
426 HAPVERIFY_LOG_ERROR(LABEL, "get issuer of signed cert failed");
427 return false;
428 }
429 X509_CRL* targetCrl = GetCrlBySignedCertIssuer(crls, certsChain[0]);
430 /* crl is optional */
431 if (targetCrl != nullptr && certsChain.size() >= MIN_CERT_CHAIN_LEN_NEED_VERIFY_CRL) {
432 /* if it include crl, it must be verified by ca cert */
433 if (X509_CRL_verify(targetCrl, X509_get0_pubkey(certsChain[1])) <= 0) {
434 HapVerifyOpensslUtils::GetOpensslErrorMessage();
435 HAPVERIFY_LOG_ERROR(LABEL, "verify crlInPackage failed");
436 return false;
437 }
438 }
439 HapCrlManager& hapCrlManager = HapCrlManager::GetInstance();
440 return hapCrlManager.CrlCheck(certsChain[0], targetCrl, pkcs7Context);
441 }
442
GetCrlBySignedCertIssuer(STACK_OF (X509_CRL)* crls,const X509 * cert)443 X509_CRL* HapCertVerifyOpensslUtils::GetCrlBySignedCertIssuer(STACK_OF(X509_CRL)* crls, const X509* cert)
444 {
445 if (crls == nullptr || cert == nullptr) {
446 return nullptr;
447 }
448
449 X509_NAME* certIssuer = X509_get_issuer_name(cert);
450 for (int i = 0; i < sk_X509_CRL_num(crls); i++) {
451 X509_CRL* crl = sk_X509_CRL_value(crls, i);
452 if (crl == nullptr) {
453 continue;
454 }
455
456 X509_NAME* crlIssuer = X509_CRL_get_issuer(crl);
457 if (X509NameCompare(crlIssuer, certIssuer)) {
458 return crl;
459 }
460 }
461 return nullptr;
462 }
463
X509NameCompare(const X509_NAME * a,const X509_NAME * b)464 bool HapCertVerifyOpensslUtils::X509NameCompare(const X509_NAME* a, const X509_NAME* b)
465 {
466 if (a == nullptr || b == nullptr) {
467 return false;
468 }
469
470 return X509_NAME_cmp(a, b) == 0;
471 }
472
GetSubjectFromX509(const X509 * cert,std::string & subject)473 bool HapCertVerifyOpensslUtils::GetSubjectFromX509(const X509* cert, std::string& subject)
474 {
475 if (cert == nullptr) {
476 HAPVERIFY_LOG_ERROR(LABEL, "cert is nullptr");
477 return false;
478 }
479
480 X509_NAME* name = X509_get_subject_name(cert);
481 subject = GetDnToString(name);
482 HAPVERIFY_LOG_DEBUG(LABEL, "subject = %{public}s", subject.c_str());
483 return true;
484 }
485
GetIssuerFromX509(const X509 * cert,std::string & issuer)486 bool HapCertVerifyOpensslUtils::GetIssuerFromX509(const X509* cert, std::string& issuer)
487 {
488 if (cert == nullptr) {
489 HAPVERIFY_LOG_ERROR(LABEL, "cert is nullptr");
490 return false;
491 }
492
493 X509_NAME* name = X509_get_issuer_name(cert);
494 issuer = GetDnToString(name);
495 HAPVERIFY_LOG_DEBUG(LABEL, "cert issuer = %{public}s", issuer.c_str());
496 return true;
497 }
498
GetSerialNumberFromX509(const X509 * cert,long long & certNumber)499 bool HapCertVerifyOpensslUtils::GetSerialNumberFromX509(const X509* cert, long long& certNumber)
500 {
501 if (cert == nullptr) {
502 HAPVERIFY_LOG_ERROR(LABEL, "cert is nullptr");
503 return false;
504 }
505
506 const ASN1_INTEGER* certSN = X509_get0_serialNumber(cert);
507 certNumber = ASN1_INTEGER_get(certSN);
508 HAPVERIFY_LOG_DEBUG(LABEL, "cert number = %{public}lld", certNumber);
509 return true;
510 }
511
GetIssuerFromX509Crl(const X509_CRL * crl,std::string & issuer)512 bool HapCertVerifyOpensslUtils::GetIssuerFromX509Crl(const X509_CRL* crl, std::string& issuer)
513 {
514 if (crl == nullptr) {
515 HAPVERIFY_LOG_ERROR(LABEL, "clr is nullptr");
516 return false;
517 }
518
519 X509_NAME* name = X509_CRL_get_issuer(crl);
520 if (name == nullptr) {
521 HAPVERIFY_LOG_ERROR(LABEL, "crl issuer nullptr");
522 return false;
523 }
524 issuer = GetDnToString(name);
525 return true;
526 }
527
GetDnToString(X509_NAME * name)528 std::string HapCertVerifyOpensslUtils::GetDnToString(X509_NAME* name)
529 {
530 if (name == nullptr) {
531 return "";
532 }
533
534 std::string countryName;
535 GetTextFromX509Name(name, NID_countryName, countryName);
536 std::string organizationName;
537 GetTextFromX509Name(name, NID_organizationName, organizationName);
538 std::string organizationalUnitName;
539 GetTextFromX509Name(name, NID_organizationalUnitName, organizationalUnitName);
540 std::string commonName;
541 GetTextFromX509Name(name, NID_commonName, commonName);
542 return "C=" + countryName + ", O=" + organizationName + ", OU=" + organizationalUnitName +
543 ", CN=" + commonName;
544 }
545
GetTextFromX509Name(X509_NAME * name,int nId,std::string & text)546 void HapCertVerifyOpensslUtils::GetTextFromX509Name(X509_NAME* name, int nId, std::string& text)
547 {
548 int textLen = X509_NAME_get_text_by_NID(name, nId, nullptr, 0);
549 if (textLen <= 0) {
550 return;
551 }
552
553 std::unique_ptr<char[]> buffer = std::make_unique<char[]>(textLen + 1);
554 if (X509_NAME_get_text_by_NID(name, nId, buffer.get(), textLen + 1) != textLen) {
555 return;
556 }
557 text = std::string(buffer.get());
558 }
559 } // namespace Verify
560 } // namespace Security
561 } // namespace OHOS
562