1 /*
2 * Copyright (c) 2022 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "openssl_util.h"
17 #include <fstream>
18 #include <openssl/pem.h>
19 #include <openssl/sha.h>
20 #include <openssl/x509.h>
21
22 namespace Hpackage {
23 namespace {
24 constexpr uint32_t HASH_SOURCE_BLOCK_LEN = 4096;
25
GetTextContentFromX509Name(X509_NAME * name,int nId,std::string & textContent)26 void GetTextContentFromX509Name(X509_NAME *name, int nId, std::string &textContent)
27 {
28 int contentLen = X509_NAME_get_text_by_NID(name, nId, nullptr, 0);
29 if (contentLen <= 0) {
30 return;
31 }
32
33 std::unique_ptr<char[]> textBuffer = std::make_unique<char[]>(contentLen + 1);
34 if (textBuffer == nullptr) {
35 return;
36 }
37
38 if (X509_NAME_get_text_by_NID(name, nId, textBuffer.get(), contentLen + 1) != contentLen) {
39 return;
40 }
41 textContent = std::string(textBuffer.get());
42 textBuffer.reset(nullptr);
43
44 return;
45 }
46 }
47
GetASN1OctetStringData(const ASN1_OCTET_STRING * octString,std::vector<uint8_t> & asn1Data)48 int32_t GetASN1OctetStringData(const ASN1_OCTET_STRING *octString, std::vector<uint8_t> &asn1Data)
49 {
50 if (octString == nullptr) {
51 return -1;
52 }
53 const uint8_t *octChar = ASN1_STRING_get0_data(octString);
54 if (octChar == nullptr) {
55 PKG_LOGE("get asn1 obj string failed!");
56 return -1;
57 }
58
59 int32_t octLen = ASN1_STRING_length(octString);
60 if (octLen <= 0) {
61 PKG_LOGE("invalid asn1 obj string len %d!", octLen);
62 return -1;
63 }
64 asn1Data.assign(octChar, octChar + octLen);
65
66 return 0;
67 }
68
GetX509AlgorithmNid(const X509_ALGOR * x509Algo,int32_t & algoNid)69 int32_t GetX509AlgorithmNid(const X509_ALGOR *x509Algo, int32_t &algoNid)
70 {
71 if (x509Algo == nullptr) {
72 return -1;
73 }
74
75 const ASN1_OBJECT *algObj = nullptr;
76 X509_ALGOR_get0(&algObj, nullptr, nullptr, x509Algo);
77 if (algObj == nullptr) {
78 PKG_LOGE("x509 algor get0 fail!");
79 return -1;
80 }
81 algoNid = OBJ_obj2nid(algObj);
82 if (algoNid <= 0) {
83 PKG_LOGE("invalid algo nid %d!", algoNid);
84 return -1;
85 }
86
87 return 0;
88 }
89
GetX509CertFromPemString(const std::string & pemString)90 X509 *GetX509CertFromPemString(const std::string &pemString)
91 {
92 BIO *pemBio = BIO_new(BIO_s_mem());
93 if (pemBio == nullptr) {
94 return nullptr;
95 }
96 int strLen = static_cast<int>(pemString.size());
97 if (BIO_write(pemBio, pemString.c_str(), strLen) != strLen) {
98 BIO_free_all(pemBio);
99 return nullptr;
100 }
101
102 X509 *cert = PEM_read_bio_X509(pemBio, nullptr, nullptr, nullptr);
103 if (cert == nullptr) {
104 PKG_LOGE("pem read x509 fail");
105 }
106 BIO_free_all(pemBio);
107
108 return cert;
109 }
110
GetX509CertFromPemFile(const std::string & filePath)111 X509 *GetX509CertFromPemFile(const std::string &filePath)
112 {
113 std::ifstream ifs(filePath);
114 if (!ifs.is_open()) {
115 PKG_LOGE("file %s not exist", filePath.c_str());
116 return nullptr;
117 }
118 BIO *certbio = BIO_new_file(filePath.c_str(), "r");
119 if (certbio == nullptr) {
120 PKG_LOGE("Failed to create BIO");
121 return nullptr;
122 }
123
124 X509 *cert = PEM_read_bio_X509(certbio, nullptr, nullptr, nullptr);
125 if (cert == nullptr) {
126 PKG_LOGE("Failed to read x509 certificate");
127 BIO_free_all(certbio);
128 return nullptr;
129 }
130 BIO_free_all(certbio);
131
132 return cert;
133 }
134
VerifyX509CertByIssuerCert(X509 * cert,X509 * issuerCert)135 bool VerifyX509CertByIssuerCert(X509 *cert, X509 *issuerCert)
136 {
137 if (cert == nullptr || issuerCert == nullptr) {
138 return false;
139 }
140
141 EVP_PKEY *pubKey = X509_get_pubkey(issuerCert);
142 if (pubKey == nullptr) {
143 PKG_LOGE("get pubkey fial.");
144 return false;
145 }
146
147 return (X509_verify(cert, pubKey) == 1);
148 }
149
VerifyDigestByPubKey(EVP_PKEY * pubKey,const int nid,const std::vector<uint8_t> & digestData,const std::vector<uint8_t> & signature)150 int32_t VerifyDigestByPubKey(EVP_PKEY *pubKey, const int nid, const std::vector<uint8_t> &digestData,
151 const std::vector<uint8_t> &signature)
152 {
153 if (pubKey == nullptr) {
154 PKG_LOGE("pubKey is empty");
155 return -1;
156 }
157
158 EVP_MD_CTX *mdCtx = EVP_MD_CTX_create();
159 if (mdCtx == nullptr) {
160 PKG_LOGE("EVP_MD_CTX_create failed");
161 return -1;
162 }
163 EVP_PKEY_CTX *pkeyCtx = nullptr;
164 if (EVP_DigestVerifyInit(mdCtx, &pkeyCtx, EVP_get_digestbynid(nid), nullptr, pubKey) != 1) {
165 PKG_LOGE("EVP init, error");
166 EVP_MD_CTX_destroy(mdCtx);
167 return -1;
168 }
169 if (EVP_DigestVerifyUpdate(mdCtx, digestData.data(), digestData.size()) != 1) {
170 PKG_LOGE("EVP update, error");
171 EVP_MD_CTX_destroy(mdCtx);
172 return -1;
173 }
174
175 int ret = EVP_DigestVerifyFinal(mdCtx, signature.data(), signature.size());
176 if (ret != 1) {
177 PKG_LOGE("EVP final, error");
178 EVP_MD_CTX_destroy(mdCtx);
179 return -1;
180 }
181
182 EVP_MD_CTX_destroy(mdCtx);
183 return 0;
184 }
185
CalcSha256Digest(const PkgStreamPtr srcData,const size_t dataLen,std::vector<uint8_t> & result)186 int32_t CalcSha256Digest(const PkgStreamPtr srcData, const size_t dataLen, std::vector<uint8_t> &result)
187 {
188 if (srcData == nullptr || dataLen == 0) {
189 return -1;
190 }
191 if (result.size() != SHA256_DIGEST_LENGTH) {
192 result.resize(SHA256_DIGEST_LENGTH);
193 }
194 SHA256_CTX ctx;
195 SHA256_Init(&ctx);
196
197 size_t offset = 0;
198 size_t remainLen = dataLen;
199 size_t blockLen = HASH_SOURCE_BLOCK_LEN;
200 PkgBuffer buffer(blockLen);
201 size_t readLen = 0;
202 int32_t ret = 0;
203 while (remainLen >= blockLen) {
204 ret = srcData->Read(buffer, offset, blockLen, readLen);
205 if (ret != 0) {
206 PKG_LOGE("Fail read data");
207 return -1;
208 }
209 SHA256_Update(&ctx, buffer.buffer, blockLen);
210 offset += readLen;
211 remainLen -= readLen;
212 }
213 if (remainLen > 0) {
214 ret = srcData->Read(buffer, offset, remainLen, readLen);
215 if (ret != 0) {
216 PKG_LOGE("Fail read data");
217 return -1;
218 }
219 SHA256_Update(&ctx, buffer.buffer, readLen);
220 }
221
222 if (SHA256_Final(result.data(), &ctx) != 1) {
223 PKG_LOGE("SHA256_Final(), error");
224 return -1;
225 }
226
227 return 0;
228 }
229
GetStringFromX509Name(X509_NAME * x509Name)230 std::string GetStringFromX509Name(X509_NAME *x509Name)
231 {
232 if (x509Name == nullptr) {
233 return "";
234 }
235
236 std::string country;
237 GetTextContentFromX509Name(x509Name, NID_countryName, country);
238
239 std::string organization;
240 GetTextContentFromX509Name(x509Name, NID_organizationName, organization);
241
242 std::string organizationalUnitName;
243 GetTextContentFromX509Name(x509Name, NID_organizationalUnitName, organizationalUnitName);
244
245 std::string commonName;
246 GetTextContentFromX509Name(x509Name, NID_commonName, commonName);
247
248 return "C=" + country + ", O=" + organization + ", OU=" + organizationalUnitName + ", CN=" + commonName;
249 }
250
GetX509CertSubjectName(X509 * cert)251 std::string GetX509CertSubjectName(X509 *cert)
252 {
253 if (cert == nullptr) {
254 return "";
255 }
256
257 X509_NAME *subjectName = X509_get_subject_name(cert);
258 if (subjectName == nullptr) {
259 PKG_LOGE("cert subject name is null");
260 return "";
261 }
262
263 return GetStringFromX509Name(subjectName);
264 }
265
GetX509CertIssuerName(X509 * cert)266 std::string GetX509CertIssuerName(X509 *cert)
267 {
268 if (cert == nullptr) {
269 return "";
270 }
271
272 X509_NAME *issuerName = X509_get_issuer_name(cert);
273 if (issuerName == nullptr) {
274 PKG_LOGE("cert issuer name is null");
275 return "";
276 }
277
278 return GetStringFromX509Name(issuerName);
279 }
280 }
281