1 /*
2 * Copyright (C) 2023 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "creds_manager.h"
17
18 #include "account_module_defines.h"
19 #include "account_related_creds_manager.h"
20 #include "account_related_group_auth.h"
21 #include "alg_defs.h"
22 #include "alg_loader.h"
23 #include "creds_operation_utils.h"
24 #include "das_task_common.h"
25 #include "data_manager.h"
26 #include "group_auth_data_operation.h"
27 #include "group_operation_common.h"
28 #include "hc_log.h"
29 #include "hc_types.h"
30 #include "securec.h"
31
GetAccountRelatedCandidateGroups(int32_t osAccountId,const CJson * in,bool isDeviceLevel,GroupEntryVec * vec)32 static int32_t GetAccountRelatedCandidateGroups(int32_t osAccountId, const CJson *in, bool isDeviceLevel,
33 GroupEntryVec *vec)
34 {
35 BaseGroupAuth *groupAuth = GetAccountRelatedGroupAuth();
36 if (groupAuth == NULL) {
37 return HC_ERR_NULL_PTR;
38 }
39 QueryGroupParams queryParams = InitQueryGroupParams();
40 if (!isDeviceLevel) {
41 queryParams.groupVisibility = GROUP_VISIBILITY_PUBLIC;
42 }
43 ((AccountRelatedGroupAuth *)groupAuth)->getAccountCandidateGroup(osAccountId, in, &queryParams, vec);
44 return HC_SUCCESS;
45 }
46
GetAccountUnrelatedCandidateGroups(int32_t osAccountId,bool isDeviceLevel,GroupEntryVec * vec)47 static int32_t GetAccountUnrelatedCandidateGroups(int32_t osAccountId, bool isDeviceLevel, GroupEntryVec *vec)
48 {
49 QueryGroupParams queryParams = InitQueryGroupParams();
50 queryParams.groupType = PEER_TO_PEER_GROUP;
51 if (!isDeviceLevel) {
52 queryParams.groupVisibility = GROUP_VISIBILITY_PUBLIC;
53 }
54 return QueryGroups(osAccountId, &queryParams, vec);
55 }
56
IsP2pAuthTokenExist(const TrustedDeviceEntry * deviceEntry)57 static bool IsP2pAuthTokenExist(const TrustedDeviceEntry *deviceEntry)
58 {
59 Uint8Buff pkgNameBuff = { (uint8_t *)GROUP_MANAGER_PACKAGE_NAME, strlen(GROUP_MANAGER_PACKAGE_NAME) };
60
61 const char *serviceType = StringGet(&deviceEntry->serviceType);
62 Uint8Buff serviceTypeBuff = { (uint8_t *)serviceType, strlen(serviceType) };
63
64 const char *peerAuthId = StringGet(&deviceEntry->authId);
65 Uint8Buff peerAuthIdBuff = { (uint8_t *)peerAuthId, strlen(peerAuthId) };
66
67 uint8_t keyAliasVal[ISO_KEY_ALIAS_LEN] = { 0 };
68 Uint8Buff keyAlias = { keyAliasVal, ISO_KEY_ALIAS_LEN };
69 int32_t ret = GenerateKeyAlias(&pkgNameBuff, &serviceTypeBuff, KEY_ALIAS_AUTH_TOKEN, &peerAuthIdBuff, &keyAlias);
70 if (ret != HC_SUCCESS) {
71 LOGE("Failed to generate key alias!");
72 return false;
73 }
74
75 ret = GetLoaderInstance()->checkKeyExist(&keyAlias);
76 if (ret != HC_SUCCESS) {
77 LOGE("auth token not exist!");
78 return false;
79 }
80 return true;
81 }
82
GetAccountUnrelatedIdentityInfo(int32_t osAccountId,const char * groupId,const char * deviceId,bool isUdid,IdentityInfo * info)83 static int32_t GetAccountUnrelatedIdentityInfo(int32_t osAccountId, const char *groupId,
84 const char *deviceId, bool isUdid, IdentityInfo *info)
85 {
86 TrustedDeviceEntry *deviceEntry = CreateDeviceEntry();
87 if (deviceEntry == NULL) {
88 LOGE("Failed to create deviceEntry!");
89 return HC_ERR_ALLOC_MEMORY;
90 }
91 int32_t ret = GaGetTrustedDeviceEntryById(osAccountId, deviceId, isUdid, groupId, deviceEntry);
92 if (ret != HC_SUCCESS) {
93 LOGE("Failed to get device entry!");
94 DestroyDeviceEntry(deviceEntry);
95 return ret;
96 }
97
98 int32_t keyType = IsP2pAuthTokenExist(deviceEntry) ? KEY_TYPE_SYM : KEY_TYPE_ASYM;
99 DestroyDeviceEntry(deviceEntry);
100 ret = GetIdentityInfoByType(keyType, TRUST_TYPE_P2P, groupId, info);
101 if (ret != HC_SUCCESS) {
102 LOGE("Failed to get p2p identity by key type!");
103 }
104 return ret;
105 }
106
GetIdentityInfo(int32_t osAccountId,const TrustedGroupEntry * groupEntry,const char * deviceId,bool isUdid,IdentityInfo ** returnInfo)107 static int32_t GetIdentityInfo(int32_t osAccountId, const TrustedGroupEntry *groupEntry,
108 const char *deviceId, bool isUdid, IdentityInfo **returnInfo)
109 {
110 IdentityInfo *info = CreateIdentityInfo();
111 if (info == NULL) {
112 LOGE("Failed to create identity info!");
113 return HC_ERR_ALLOC_MEMORY;
114 }
115 int32_t ret;
116 const char *groupId = StringGet(&groupEntry->id);
117 if (groupEntry->type == PEER_TO_PEER_GROUP) {
118 ret = GetAccountUnrelatedIdentityInfo(osAccountId, groupId, deviceId, isUdid, info);
119 } else {
120 ret = GetAccountRelatedCredInfo(osAccountId, groupId, deviceId, isUdid, info);
121 }
122 if (ret != HC_SUCCESS) {
123 LOGE("Failed to get identity info!");
124 DestroyIdentityInfo(info);
125 return ret;
126 }
127 *returnInfo = info;
128 return HC_SUCCESS;
129 }
130
IsDeviceInGroup(int32_t osAccountId,int32_t groupType,const char * deviceId,const char * groupId,bool isUdid)131 static bool IsDeviceInGroup(int32_t osAccountId, int32_t groupType, const char *deviceId, const char *groupId,
132 bool isUdid)
133 {
134 if (isUdid) {
135 return GaIsDeviceInGroup(groupType, osAccountId, deviceId, NULL, groupId);
136 } else {
137 return GaIsDeviceInGroup(groupType, osAccountId, NULL, deviceId, groupId);
138 }
139 }
140
AddNoPseudonymIdentityInfo(int32_t osAccountId,const TrustedGroupEntry * groupEntry,const char * deviceId,bool isUdid,IdentityInfoVec * identityInfoVec)141 static void AddNoPseudonymIdentityInfo(int32_t osAccountId, const TrustedGroupEntry *groupEntry, const char *deviceId,
142 bool isUdid, IdentityInfoVec *identityInfoVec)
143 {
144 IdentityInfo *info = NULL;
145 if (GetIdentityInfo(osAccountId, groupEntry, deviceId, isUdid, &info) != HC_SUCCESS) {
146 return;
147 }
148 info->proof.certInfo.isPseudonym = false;
149 identityInfoVec->pushBack(identityInfoVec, (const IdentityInfo **)&info);
150 }
151
GetIdentityInfos(int32_t osAccountId,const CJson * in,const GroupEntryVec * groupEntryVec,IdentityInfoVec * identityInfoVec)152 static int32_t GetIdentityInfos(int32_t osAccountId, const CJson *in, const GroupEntryVec *groupEntryVec,
153 IdentityInfoVec *identityInfoVec)
154 {
155 const char *pkgName = GetStringFromJson(in, FIELD_SERVICE_PKG_NAME);
156 if (pkgName == NULL) {
157 LOGE("Failed to get service package name!");
158 return HC_ERR_JSON_GET;
159 }
160 bool isUdid = false;
161 const char *deviceId = GetPeerDevIdFromJson(in, &isUdid);
162 if (deviceId == NULL) {
163 LOGE("Failed to get peer device id!");
164 return HC_ERR_JSON_GET;
165 }
166 uint32_t index;
167 TrustedGroupEntry **ptr = NULL;
168 FOR_EACH_HC_VECTOR(*groupEntryVec, index, ptr) {
169 const TrustedGroupEntry *groupEntry = (TrustedGroupEntry *)(*ptr);
170 const char *groupId = StringGet(&(groupEntry->id));
171 if (groupId == NULL) {
172 continue;
173 }
174 if (!GaIsGroupAccessible(osAccountId, groupId, pkgName)) {
175 continue;
176 }
177 if (!IsDeviceInGroup(osAccountId, groupEntry->type, deviceId, groupId, isUdid)) {
178 continue;
179 }
180 IdentityInfo *info = NULL;
181 if (GetIdentityInfo(osAccountId, groupEntry, deviceId, isUdid, &info) != HC_SUCCESS) {
182 continue;
183 }
184 if (info->proofType == CERTIFICATED) {
185 info->proof.certInfo.isPseudonym = true;
186 }
187 identityInfoVec->pushBack(identityInfoVec, (const IdentityInfo **)&info);
188 if (info->proofType == CERTIFICATED) {
189 AddNoPseudonymIdentityInfo(osAccountId, groupEntry, deviceId, isUdid, identityInfoVec);
190 }
191 }
192 LOGI("The identity info size is: %u", identityInfoVec->size(identityInfoVec));
193 return HC_SUCCESS;
194 }
195
GetCredInfosForPinType(IdentityInfoVec * identityInfoVec)196 static int32_t GetCredInfosForPinType(IdentityInfoVec *identityInfoVec)
197 {
198 IdentityInfo *info = CreateIdentityInfo();
199 if (info == NULL) {
200 LOGE("Failed to create identity info!");
201 return HC_ERR_ALLOC_MEMORY;
202 }
203 int32_t ret = GetIdentityInfoByType(KEY_TYPE_SYM, TRUST_TYPE_PIN, NULL, info);
204 if (ret != HC_SUCCESS) {
205 LOGE("Failed to get credential info for pin!");
206 DestroyIdentityInfo(info);
207 return ret;
208 }
209 identityInfoVec->pushBack(identityInfoVec, (const IdentityInfo **)&info);
210 return HC_SUCCESS;
211 }
212
CheckAndGetP2pCredInfo(const CJson * in,const CJson * urlJson,IdentityInfo * info)213 static int32_t CheckAndGetP2pCredInfo(const CJson *in, const CJson *urlJson, IdentityInfo *info)
214 {
215 int32_t osAccountId = INVALID_OS_ACCOUNT;
216 if (GetIntFromJson(in, FIELD_OS_ACCOUNT_ID, &osAccountId) != HC_SUCCESS) {
217 LOGE("Failed to get osAccountId!");
218 return HC_ERR_JSON_GET;
219 }
220 const char *groupId = GetStringFromJson(urlJson, FIELD_GROUP_ID);
221 if (groupId == NULL) {
222 LOGE("Failed to get groupId!");
223 return HC_ERR_JSON_GET;
224 }
225 int32_t ret = CheckGroupExist(osAccountId, groupId);
226 if (ret != HC_SUCCESS) {
227 LOGE("group not exist!");
228 return ret;
229 }
230 TrustedDeviceEntry *deviceEntry = CreateDeviceEntry();
231 if (deviceEntry == NULL) {
232 LOGE("Failed to create device entry!");
233 return HC_ERR_ALLOC_MEMORY;
234 }
235 ret = GetPeerDeviceEntry(osAccountId, in, groupId, deviceEntry);
236 DestroyDeviceEntry(deviceEntry);
237 if (ret != HC_SUCCESS) {
238 LOGE("peer device not found!");
239 return ret;
240 }
241 int32_t keyType = 0;
242 if (GetIntFromJson(urlJson, PRESHARED_URL_KEY_TYPE, &keyType) != HC_SUCCESS) {
243 LOGE("Failed to get key type!");
244 return HC_ERR_JSON_GET;
245 }
246 ret = GetIdentityInfoByType(keyType, TRUST_TYPE_P2P, groupId, info);
247 if (ret != HC_SUCCESS) {
248 LOGE("Failed to get p2p identity info by key type!");
249 }
250 return ret;
251 }
252
GetCredInfoByPeerUrlInner(const CJson * in,const Uint8Buff * presharedUrl,IdentityInfo * info)253 static int32_t GetCredInfoByPeerUrlInner(const CJson *in, const Uint8Buff *presharedUrl, IdentityInfo *info)
254 {
255 CJson *urlJson = CreateJsonFromString((const char *)presharedUrl->val);
256 if (urlJson == NULL) {
257 LOGE("Failed to create url json!");
258 return HC_ERR_JSON_CREATE;
259 }
260 int32_t trustType = 0;
261 if (GetIntFromJson(urlJson, PRESHARED_URL_TRUST_TYPE, &trustType) != HC_SUCCESS) {
262 LOGE("Failed to get trust type!");
263 FreeJson(urlJson);
264 return HC_ERR_JSON_GET;
265 }
266 int32_t ret;
267 switch (trustType) {
268 case TRUST_TYPE_PIN:
269 ret = GetIdentityInfoByType(KEY_TYPE_SYM, TRUST_TYPE_PIN, NULL, info);
270 break;
271 case TRUST_TYPE_UID:
272 ret = GetAccountSymCredInfoByPeerUrl(in, urlJson, info);
273 break;
274 case TRUST_TYPE_P2P:
275 ret = CheckAndGetP2pCredInfo(in, urlJson, info);
276 break;
277 default:
278 LOGE("Invalid trust type!");
279 ret = HC_ERR_INVALID_PARAMS;
280 break;
281 }
282 FreeJson(urlJson);
283 return ret;
284 }
285
GetSharedSecretForPinInPake(const CJson * in,Uint8Buff * sharedSecret)286 static int32_t GetSharedSecretForPinInPake(const CJson *in, Uint8Buff *sharedSecret)
287 {
288 const char *pinCode = GetStringFromJson(in, FIELD_PIN_CODE);
289 if (pinCode == NULL) {
290 LOGE("Failed to get pinCode!");
291 return HC_ERR_JSON_GET;
292 }
293 uint32_t pinLen = strlen(pinCode);
294 sharedSecret->val = (uint8_t *)HcMalloc(pinLen, 0);
295 if (sharedSecret->val == NULL) {
296 LOGE("Failed to alloc sharedSecret memory!");
297 return HC_ERR_ALLOC_MEMORY;
298 }
299 if (memcpy_s(sharedSecret->val, pinLen, pinCode, pinLen) != HC_SUCCESS) {
300 LOGE("Failed to memcpy pinCode!");
301 FreeBuffData(sharedSecret);
302 return HC_ERR_MEMORY_COPY;
303 }
304 sharedSecret->length = pinLen;
305 return HC_SUCCESS;
306 }
307
GenerateKeyAliasInIso(const CJson * in,const char * groupId,uint8_t * keyAlias,uint32_t keyAliasLen)308 static int32_t GenerateKeyAliasInIso(const CJson *in, const char *groupId, uint8_t *keyAlias,
309 uint32_t keyAliasLen)
310 {
311 int32_t osAccountId = INVALID_OS_ACCOUNT;
312 if (GetIntFromJson(in, FIELD_OS_ACCOUNT_ID, &osAccountId) != HC_SUCCESS) {
313 LOGE("Failed to get osAccountId!");
314 return HC_ERR_JSON_GET;
315 }
316 TrustedDeviceEntry *deviceEntry = CreateDeviceEntry();
317 if (deviceEntry == NULL) {
318 LOGE("Failed to create device entry!");
319 return HC_ERR_ALLOC_MEMORY;
320 }
321 int32_t ret = GetPeerDeviceEntry(osAccountId, in, groupId, deviceEntry);
322 if (ret != HC_SUCCESS) {
323 LOGE("Failed to get peer device entry!");
324 DestroyDeviceEntry(deviceEntry);
325 return ret;
326 }
327 Uint8Buff pkgNameBuff = { (uint8_t *)GROUP_MANAGER_PACKAGE_NAME, (uint32_t)strlen(GROUP_MANAGER_PACKAGE_NAME) };
328 const char *serviceType = StringGet(&deviceEntry->serviceType);
329 Uint8Buff serviceTypeBuff = { (uint8_t *)serviceType, (uint32_t)strlen(serviceType) };
330 const char *peerAuthId = StringGet(&deviceEntry->authId);
331 Uint8Buff peerAuthIdBuff = { (uint8_t *)peerAuthId, (uint32_t)strlen(peerAuthId) };
332 Uint8Buff outKeyAlias = { keyAlias, keyAliasLen };
333 ret = GenerateKeyAlias(&pkgNameBuff, &serviceTypeBuff, KEY_ALIAS_AUTH_TOKEN, &peerAuthIdBuff,
334 &outKeyAlias);
335 DestroyDeviceEntry(deviceEntry);
336 return ret;
337 }
338
AuthGeneratePsk(const CJson * in,const char * groupId,const Uint8Buff * seed,Uint8Buff * sharedSecret)339 static int32_t AuthGeneratePsk(const CJson *in, const char *groupId, const Uint8Buff *seed,
340 Uint8Buff *sharedSecret)
341 {
342 uint8_t keyAlias[ISO_KEY_ALIAS_LEN] = { 0 };
343 int ret = GenerateKeyAliasInIso(in, groupId, keyAlias, sizeof(keyAlias));
344 if (ret != HC_SUCCESS) {
345 LOGE("Failed to generate key alias in iso!");
346 return ret;
347 }
348 Uint8Buff keyAliasBuf = { keyAlias, sizeof(keyAlias) };
349 return GetLoaderInstance()->computeHmac(&keyAliasBuf, seed, sharedSecret, true);
350 }
351
AuthGeneratePskUsePin(const Uint8Buff * seed,const char * pinCode,Uint8Buff * sharedSecret)352 static int32_t AuthGeneratePskUsePin(const Uint8Buff *seed, const char *pinCode, Uint8Buff *sharedSecret)
353 {
354 Uint8Buff messageBuf = { (uint8_t *)pinCode, (uint32_t)strlen(pinCode) };
355 uint8_t hash[SHA256_LEN] = { 0 };
356 Uint8Buff hashBuf = { hash, sizeof(hash) };
357 int ret = GetLoaderInstance()->sha256(&messageBuf, &hashBuf);
358 if (ret != HC_SUCCESS) {
359 LOGE("sha256 failed, ret:%d", ret);
360 return ret;
361 }
362 return GetLoaderInstance()->computeHmac(&hashBuf, seed, sharedSecret, false);
363 }
364
GetSharedSecretForPinInIso(const CJson * in,Uint8Buff * sharedSecret)365 static int32_t GetSharedSecretForPinInIso(const CJson *in, Uint8Buff *sharedSecret)
366 {
367 const char *pinCode = GetStringFromJson(in, FIELD_PIN_CODE);
368 if (pinCode == NULL) {
369 LOGE("Failed to get pinCode!");
370 return HC_ERR_JSON_GET;
371 }
372 uint8_t *seedVal = (uint8_t *)HcMalloc(SEED_LEN, 0);
373 if (seedVal == NULL) {
374 LOGE("Failed to alloc seed memory!");
375 return HC_ERR_ALLOC_MEMORY;
376 }
377 Uint8Buff seedBuff = { seedVal, SEED_LEN };
378 int32_t ret = GetByteFromJson(in, FIELD_SEED, seedBuff.val, seedBuff.length);
379 if (ret != HC_SUCCESS) {
380 LOGE("Failed to get seed!");
381 HcFree(seedVal);
382 return HC_ERR_JSON_GET;
383 }
384 uint8_t *pskVal = (uint8_t *)HcMalloc(ISO_PSK_LEN, 0);
385 if (pskVal == NULL) {
386 LOGE("Failed to alloc psk memory!");
387 HcFree(seedVal);
388 return HC_ERR_ALLOC_MEMORY;
389 }
390 sharedSecret->val = pskVal;
391 sharedSecret->length = ISO_PSK_LEN;
392 ret = AuthGeneratePskUsePin(&seedBuff, pinCode, sharedSecret);
393 HcFree(seedVal);
394 if (ret != HC_SUCCESS) {
395 LOGE("Failed to generate psk use pin!");
396 FreeBuffData(sharedSecret);
397 }
398 return ret;
399 }
400
GetSharedSecretForP2pInIso(const CJson * in,const char * groupId,Uint8Buff * sharedSecret)401 static int32_t GetSharedSecretForP2pInIso(const CJson *in, const char *groupId, Uint8Buff *sharedSecret)
402 {
403 uint8_t *seedVal = (uint8_t *)HcMalloc(SEED_LEN, 0);
404 if (seedVal == NULL) {
405 LOGE("Failed to alloc memory for seed!");
406 return HC_ERR_ALLOC_MEMORY;
407 }
408 Uint8Buff seedBuff = { seedVal, SEED_LEN };
409 int32_t ret = GetByteFromJson(in, FIELD_SEED, seedBuff.val, seedBuff.length);
410 if (ret != HC_SUCCESS) {
411 LOGE("Failed to get seed!");
412 HcFree(seedVal);
413 return HC_ERR_JSON_GET;
414 }
415 uint8_t *pskVal = (uint8_t *)HcMalloc(ISO_PSK_LEN, 0);
416 if (pskVal == NULL) {
417 LOGE("Failed to alloc memory for psk!");
418 HcFree(seedVal);
419 return HC_ERR_ALLOC_MEMORY;
420 }
421 sharedSecret->val = pskVal;
422 sharedSecret->length = ISO_PSK_LEN;
423 ret = AuthGeneratePsk(in, groupId, &seedBuff, sharedSecret);
424 HcFree(seedVal);
425 if (ret != HC_SUCCESS) {
426 LOGE("Failed to generate psk!");
427 FreeBuffData(sharedSecret);
428 }
429 return ret;
430 }
431
GetSelfAuthIdAndUserType(int32_t osAccountId,const char * groupId,Uint8Buff * authIdBuff,int32_t * userType)432 static int32_t GetSelfAuthIdAndUserType(int32_t osAccountId, const char *groupId, Uint8Buff *authIdBuff,
433 int32_t *userType)
434 {
435 TrustedDeviceEntry *deviceEntry = CreateDeviceEntry();
436 if (deviceEntry == NULL) {
437 LOGE("Failed to create device entry!");
438 return HC_ERR_ALLOC_MEMORY;
439 }
440 int32_t ret = GetSelfDeviceEntry(osAccountId, groupId, deviceEntry);
441 if (ret != HC_SUCCESS) {
442 LOGE("Failed to get self device entry!");
443 DestroyDeviceEntry(deviceEntry);
444 return ret;
445 }
446 const char *selfAuthId = StringGet(&deviceEntry->authId);
447 uint32_t authIdLen = strlen(selfAuthId);
448 authIdBuff->val = (uint8_t *)HcMalloc(authIdLen + 1, 0);
449 if (authIdBuff->val == NULL) {
450 LOGE("Failed to alloc memory for authId!");
451 DestroyDeviceEntry(deviceEntry);
452 return HC_ERR_ALLOC_MEMORY;
453 }
454 if (memcpy_s(authIdBuff->val, authIdLen + 1, selfAuthId, authIdLen) != EOK) {
455 LOGE("Failed to copy authId!");
456 HcFree(authIdBuff->val);
457 authIdBuff->val = NULL;
458 DestroyDeviceEntry(deviceEntry);
459 return HC_ERR_MEMORY_COPY;
460 }
461 authIdBuff->length = authIdLen;
462 *userType = deviceEntry->devType;
463 DestroyDeviceEntry(deviceEntry);
464 return HC_SUCCESS;
465 }
466
ComputeAndSavePsk(int32_t osAccountId,const char * groupId,const TrustedDeviceEntry * peerDeviceEntry,const Uint8Buff * sharedKeyAlias)467 static int32_t ComputeAndSavePsk(int32_t osAccountId, const char *groupId, const TrustedDeviceEntry *peerDeviceEntry,
468 const Uint8Buff *sharedKeyAlias)
469 {
470 Uint8Buff selfAuthIdBuff = { NULL, 0 };
471 int32_t selfUserType = 0;
472 int32_t ret = GetSelfAuthIdAndUserType(osAccountId, groupId, &selfAuthIdBuff, &selfUserType);
473 if (ret != HC_SUCCESS) {
474 LOGE("Failed to get self auth id and user type!");
475 return ret;
476 }
477
478 Uint8Buff pkgNameBuff = { (uint8_t *)GROUP_MANAGER_PACKAGE_NAME, strlen(GROUP_MANAGER_PACKAGE_NAME) };
479 const char *serviceType = StringGet(&peerDeviceEntry->serviceType);
480 Uint8Buff serviceTypeBuff = { (uint8_t *)serviceType, strlen(serviceType) };
481 KeyAliasType keyType = (KeyAliasType)selfUserType;
482 uint8_t selfKeyAliasVal[PAKE_KEY_ALIAS_LEN] = { 0 };
483 Uint8Buff selfKeyAlias = { selfKeyAliasVal, PAKE_KEY_ALIAS_LEN };
484 ret = GenerateKeyAlias(&pkgNameBuff, &serviceTypeBuff, keyType, &selfAuthIdBuff, &selfKeyAlias);
485 HcFree(selfAuthIdBuff.val);
486 if (ret != HC_SUCCESS) {
487 LOGE("Failed to generate self key alias!");
488 return ret;
489 }
490
491 #ifdef DEV_AUTH_FUNC_TEST
492 KeyAliasType keyTypePeer = KEY_ALIAS_LT_KEY_PAIR;
493 #else
494 KeyAliasType keyTypePeer = (KeyAliasType)peerDeviceEntry->devType;
495 #endif
496 const char *peerAuthId = StringGet(&peerDeviceEntry->authId);
497 Uint8Buff peerAuthIdBuff = { (uint8_t *)peerAuthId, strlen(peerAuthId) };
498 uint8_t peerKeyAliasVal[PAKE_KEY_ALIAS_LEN] = { 0 };
499 Uint8Buff peerKeyAlias = { peerKeyAliasVal, PAKE_KEY_ALIAS_LEN };
500 ret = GenerateKeyAlias(&pkgNameBuff, &serviceTypeBuff, keyTypePeer, &peerAuthIdBuff, &peerKeyAlias);
501 if (ret != HC_SUCCESS) {
502 LOGE("Failed to generate peer key alias!");
503 return ret;
504 }
505
506 ret = GetLoaderInstance()->checkKeyExist(&selfKeyAlias);
507 if (ret != HC_SUCCESS) {
508 LOGE("self auth keyPair not exist!");
509 return ret;
510 }
511 ret = GetLoaderInstance()->checkKeyExist(&peerKeyAlias);
512 if (ret != HC_SUCCESS) {
513 LOGE("peer auth pubKey not exist!");
514 return ret;
515 }
516
517 KeyBuff selfKeyAliasBuff = { selfKeyAlias.val, selfKeyAlias.length, true };
518 KeyBuff peerKeyAliasBuff = { peerKeyAlias.val, peerKeyAlias.length, true };
519 return GetLoaderInstance()->agreeSharedSecretWithStorage(&selfKeyAliasBuff, &peerKeyAliasBuff, ED25519,
520 PAKE_PSK_LEN, sharedKeyAlias);
521 }
522
GeneratePskAliasAndCheckExist(const CJson * in,const char * groupId,Uint8Buff * pskKeyAlias)523 static int32_t GeneratePskAliasAndCheckExist(const CJson *in, const char *groupId, Uint8Buff *pskKeyAlias)
524 {
525 int32_t osAccountId = INVALID_OS_ACCOUNT;
526 if (GetIntFromJson(in, FIELD_OS_ACCOUNT_ID, &osAccountId) != HC_SUCCESS) {
527 LOGE("Failed to get osAccountId!");
528 return HC_ERR_JSON_GET;
529 }
530 TrustedDeviceEntry *deviceEntry = CreateDeviceEntry();
531 if (deviceEntry == NULL) {
532 LOGE("Failed to create device entry!");
533 return HC_ERR_ALLOC_MEMORY;
534 }
535 int32_t ret = GetPeerDeviceEntry(osAccountId, in, groupId, deviceEntry);
536 if (ret != HC_SUCCESS) {
537 LOGE("Failed to get peer device entry!");
538 DestroyDeviceEntry(deviceEntry);
539 return ret;
540 }
541 Uint8Buff pkgNameBuff = { (uint8_t *)GROUP_MANAGER_PACKAGE_NAME, strlen(GROUP_MANAGER_PACKAGE_NAME) };
542 const char *serviceType = StringGet(&deviceEntry->serviceType);
543 Uint8Buff serviceTypeBuff = { (uint8_t *)serviceType, strlen(serviceType) };
544 const char *peerAuthId = StringGet(&deviceEntry->authId);
545 Uint8Buff peerAuthIdBuff = { (uint8_t *)peerAuthId, strlen(peerAuthId) };
546 ret = GenerateKeyAlias(&pkgNameBuff, &serviceTypeBuff, KEY_ALIAS_PSK, &peerAuthIdBuff, pskKeyAlias);
547 if (ret != HC_SUCCESS) {
548 LOGE("Failed to generate psk key alias!");
549 DestroyDeviceEntry(deviceEntry);
550 return ret;
551 }
552 LOGI("psk alias: %x %x %x %x****.", pskKeyAlias->val[DEV_AUTH_ZERO], pskKeyAlias->val[DEV_AUTH_ONE],
553 pskKeyAlias->val[DEV_AUTH_TWO], pskKeyAlias->val[DEV_AUTH_THREE]);
554 if (GetLoaderInstance()->checkKeyExist(pskKeyAlias) != HC_SUCCESS) {
555 ret = ComputeAndSavePsk(osAccountId, groupId, deviceEntry, pskKeyAlias);
556 }
557 DestroyDeviceEntry(deviceEntry);
558 return ret;
559 }
560
UpperToLowercase(Uint8Buff * hex)561 static void UpperToLowercase(Uint8Buff *hex)
562 {
563 for (uint32_t i = 0; i < hex->length; i++) {
564 if (hex->val[i] >= 'A' && hex->val[i] <= 'F') {
565 hex->val[i] += ASCII_CASE_DIFFERENCE_VALUE;
566 }
567 }
568 }
569
ConvertPsk(const Uint8Buff * srcPsk,Uint8Buff * sharedSecret)570 static int32_t ConvertPsk(const Uint8Buff *srcPsk, Uint8Buff *sharedSecret)
571 {
572 uint32_t len = PAKE_PSK_LEN * BYTE_TO_HEX_OPER_LENGTH;
573 sharedSecret->val = (uint8_t *)HcMalloc(len + 1, 0);
574 if (sharedSecret->val == NULL) {
575 LOGE("Failed to alloc memory for sharedSecret!");
576 return HC_ERR_ALLOC_MEMORY;
577 }
578
579 if (ByteToHexString(srcPsk->val, srcPsk->length, (char *)sharedSecret->val, len + 1) != HC_SUCCESS) {
580 LOGE("Convert psk from byte to hex string failed!");
581 HcFree(sharedSecret->val);
582 return HC_ERR_CONVERT_FAILED;
583 }
584 sharedSecret->length = len;
585 (void)UpperToLowercase(sharedSecret);
586 return HC_SUCCESS;
587 }
588
GetSharedSecretForP2pInPake(const CJson * in,const char * groupId,Uint8Buff * sharedSecret)589 static int32_t GetSharedSecretForP2pInPake(const CJson *in, const char *groupId, Uint8Buff *sharedSecret)
590 {
591 uint8_t pskKeyAliasVal[PAKE_KEY_ALIAS_LEN] = { 0 };
592 Uint8Buff pskKeyAlias = { pskKeyAliasVal, PAKE_KEY_ALIAS_LEN };
593 int32_t ret = GeneratePskAliasAndCheckExist(in, groupId, &pskKeyAlias);
594 if (ret != HC_SUCCESS) {
595 LOGE("Failed to generate key alias for psk!");
596 return ret;
597 }
598 uint8_t *pskVal = (uint8_t *)HcMalloc(PAKE_PSK_LEN, 0);
599 if (pskVal == NULL) {
600 LOGE("Failed to alloc memory for psk!");
601 return HC_ERR_ALLOC_MEMORY;
602 }
603 Uint8Buff pskBuff = { pskVal, PAKE_PSK_LEN };
604 uint8_t *nonceVal = (uint8_t *)HcMalloc(PAKE_NONCE_LEN, 0);
605 if (nonceVal == NULL) {
606 LOGE("Failed to alloc memory for nonce!");
607 HcFree(pskVal);
608 return HC_ERR_ALLOC_MEMORY;
609 }
610 Uint8Buff nonceBuff = { nonceVal, PAKE_NONCE_LEN };
611 ret = GetByteFromJson(in, FIELD_NONCE, nonceBuff.val, nonceBuff.length);
612 if (ret != HC_SUCCESS) {
613 LOGE("Failed to get nonce!");
614 HcFree(pskVal);
615 HcFree(nonceVal);
616 return HC_ERR_JSON_GET;
617 }
618 Uint8Buff keyInfo = { (uint8_t *)TMP_AUTH_KEY_FACTOR, strlen(TMP_AUTH_KEY_FACTOR) };
619 ret = GetLoaderInstance()->computeHkdf(&pskKeyAlias, &nonceBuff, &keyInfo, &pskBuff, true);
620 HcFree(nonceVal);
621 if (ret != HC_SUCCESS) {
622 LOGE("Failed to compute hkdf for psk!");
623 HcFree(pskVal);
624 return ret;
625 }
626
627 ret = ConvertPsk(&pskBuff, sharedSecret);
628 HcFree(pskVal);
629 if (ret != HC_SUCCESS) {
630 LOGE("Failed to convert psk!");
631 }
632 return ret;
633 }
634
GetSharedSecretForPin(const CJson * in,ProtocolAlgType protocolType,Uint8Buff * sharedSecret)635 static int32_t GetSharedSecretForPin(const CJson *in, ProtocolAlgType protocolType, Uint8Buff *sharedSecret)
636 {
637 int32_t ret;
638 if (protocolType == ALG_ISO) {
639 ret = GetSharedSecretForPinInIso(in, sharedSecret);
640 LOGI("get shared secret for pin in iso result: %d", ret);
641 } else {
642 ret = GetSharedSecretForPinInPake(in, sharedSecret);
643 LOGI("get shared secret for pin in pake result: %d", ret);
644 }
645 return ret;
646 }
647
GetSharedSecretForP2p(const CJson * in,const CJson * urlJson,ProtocolAlgType protocolType,Uint8Buff * sharedSecret)648 static int32_t GetSharedSecretForP2p(const CJson *in, const CJson *urlJson, ProtocolAlgType protocolType,
649 Uint8Buff *sharedSecret)
650 {
651 const char *groupId = GetStringFromJson(urlJson, FIELD_GROUP_ID);
652 if (groupId == NULL) {
653 LOGE("Failed to get groupId!");
654 return HC_ERR_JSON_GET;
655 }
656 int32_t ret;
657 if (protocolType == ALG_ISO) {
658 ret = GetSharedSecretForP2pInIso(in, groupId, sharedSecret);
659 LOGI("get shared secret for p2p in iso result: %d", ret);
660 } else {
661 ret = GetSharedSecretForP2pInPake(in, groupId, sharedSecret);
662 LOGI("get shared secret for p2p in pake result: %d", ret);
663 }
664 return ret;
665 }
666
GetGroupInfoByGroupId(int32_t osAccountId,const char * groupId,GroupEntryVec * groupEntryVec)667 static void GetGroupInfoByGroupId(int32_t osAccountId, const char *groupId, GroupEntryVec *groupEntryVec)
668 {
669 QueryGroupParams queryParams = InitQueryGroupParams();
670 queryParams.groupId = groupId;
671 int32_t ret = QueryGroups(osAccountId, &queryParams, groupEntryVec);
672 if (ret != HC_SUCCESS) {
673 LOGE("Failed to query groups for groupId: %s!", groupId);
674 }
675 }
676
GetCandidateGroups(int32_t osAccountId,const CJson * in,GroupEntryVec * groupEntryVec)677 static void GetCandidateGroups(int32_t osAccountId, const CJson *in, GroupEntryVec *groupEntryVec)
678 {
679 bool isDeviceLevel = false;
680 (void)GetBoolFromJson(in, FIELD_IS_DEVICE_LEVEL, &isDeviceLevel);
681
682 int32_t ret = GetAccountRelatedCandidateGroups(osAccountId, in, isDeviceLevel, groupEntryVec);
683 if (ret != HC_SUCCESS) {
684 LOGE("Failed to get account related groups!");
685 }
686
687 ret = GetAccountUnrelatedCandidateGroups(osAccountId, isDeviceLevel, groupEntryVec);
688 if (ret != HC_SUCCESS) {
689 LOGE("Failed to get p2p groups!");
690 }
691 }
692
GetCredInfosForGroups(const CJson * in,IdentityInfoVec * identityInfoVec)693 static int32_t GetCredInfosForGroups(const CJson *in, IdentityInfoVec *identityInfoVec)
694 {
695 int32_t osAccountId = INVALID_OS_ACCOUNT;
696 if (GetIntFromJson(in, FIELD_OS_ACCOUNT_ID, &osAccountId) != HC_SUCCESS) {
697 LOGE("Failed to get osAccountId!");
698 return HC_ERR_JSON_GET;
699 }
700 const char *groupId = GetStringFromJson(in, FIELD_GROUP_ID);
701 if (groupId == NULL) {
702 groupId = GetStringFromJson(in, FIELD_SERVICE_TYPE);
703 }
704
705 GroupEntryVec groupEntryVec = CreateGroupEntryVec();
706 if (groupId == NULL) {
707 GetCandidateGroups(osAccountId, in, &groupEntryVec);
708 } else {
709 GetGroupInfoByGroupId(osAccountId, groupId, &groupEntryVec);
710 }
711
712 if (groupEntryVec.size(&groupEntryVec) == 0) {
713 LOGE("No satisfied candidate group!");
714 ClearGroupEntryVec(&groupEntryVec);
715 return HC_ERR_NO_CANDIDATE_GROUP;
716 }
717 int32_t ret = GetIdentityInfos(osAccountId, in, &groupEntryVec, identityInfoVec);
718 ClearGroupEntryVec(&groupEntryVec);
719 return ret;
720 }
721
AddCertInfoToJson(const CertInfo * certInfo,CJson * out)722 int32_t AddCertInfoToJson(const CertInfo *certInfo, CJson *out)
723 {
724 if (certInfo == NULL || out == NULL) {
725 LOGE("Invalid cert info or out!");
726 return HC_ERR_INVALID_PARAMS;
727 }
728 if (AddIntToJson(out, FIELD_SIGN_ALG, certInfo->signAlg) != HC_SUCCESS) {
729 LOGE("add sign alg to json failed!");
730 return HC_ERR_JSON_ADD;
731 }
732 if (AddStringToJson(out, FIELD_PK_INFO, (const char *)certInfo->pkInfoStr.val) != HC_SUCCESS) {
733 LOGE("add pk info str to json failed!");
734 return HC_ERR_JSON_ADD;
735 }
736 if (AddByteToJson(out, FIELD_PK_INFO_SIGNATURE, certInfo->pkInfoSignature.val,
737 certInfo->pkInfoSignature.length) != HC_SUCCESS) {
738 LOGE("add pk info sign to json failed!");
739 return HC_ERR_JSON_ADD;
740 }
741 return HC_SUCCESS;
742 }
743
GetCredInfosByPeerIdentity(const CJson * in,IdentityInfoVec * identityInfoVec)744 int32_t GetCredInfosByPeerIdentity(const CJson *in, IdentityInfoVec *identityInfoVec)
745 {
746 if (in == NULL || identityInfoVec == NULL) {
747 LOGE("Invalid input params!");
748 return HC_ERR_INVALID_PARAMS;
749 }
750 const char *pinCode = GetStringFromJson(in, FIELD_PIN_CODE);
751 if (pinCode != NULL) {
752 return GetCredInfosForPinType(identityInfoVec);
753 } else {
754 return GetCredInfosForGroups(in, identityInfoVec);
755 }
756 }
757
GetCredInfoByPeerUrl(const CJson * in,const Uint8Buff * presharedUrl,IdentityInfo ** returnInfo)758 int32_t GetCredInfoByPeerUrl(const CJson *in, const Uint8Buff *presharedUrl, IdentityInfo **returnInfo)
759 {
760 if (in == NULL || presharedUrl == NULL || returnInfo == NULL) {
761 LOGE("Invalid input params!");
762 return HC_ERR_INVALID_PARAMS;
763 }
764 IdentityInfo *info = CreateIdentityInfo();
765 if (info == NULL) {
766 LOGE("Failed to create identity info!");
767 return HC_ERR_ALLOC_MEMORY;
768 }
769 int32_t ret = GetCredInfoByPeerUrlInner(in, presharedUrl, info);
770 if (ret != HC_SUCCESS) {
771 LOGE("Failed to get credential info by peer url!");
772 DestroyIdentityInfo(info);
773 return ret;
774 }
775 *returnInfo = info;
776 return HC_SUCCESS;
777 }
778
GetSharedSecretByUrl(const CJson * in,const Uint8Buff * presharedUrl,ProtocolAlgType protocolType,Uint8Buff * sharedSecret)779 int32_t GetSharedSecretByUrl(const CJson *in, const Uint8Buff *presharedUrl, ProtocolAlgType protocolType,
780 Uint8Buff *sharedSecret)
781 {
782 if (in == NULL || presharedUrl == NULL || sharedSecret == NULL) {
783 LOGE("Invalid input params!");
784 return HC_ERR_INVALID_PARAMS;
785 }
786 CJson *urlJson = CreateJsonFromString((const char *)presharedUrl->val);
787 if (urlJson == NULL) {
788 LOGE("Failed to create url json!");
789 return HC_ERR_JSON_CREATE;
790 }
791 int32_t trustType = 0;
792 if (GetIntFromJson(urlJson, PRESHARED_URL_TRUST_TYPE, &trustType) != HC_SUCCESS) {
793 LOGE("Failed to get trust type!");
794 FreeJson(urlJson);
795 return HC_ERR_JSON_GET;
796 }
797 int32_t ret;
798 switch (trustType) {
799 case TRUST_TYPE_PIN:
800 ret = GetSharedSecretForPin(in, protocolType, sharedSecret);
801 break;
802 case TRUST_TYPE_P2P:
803 ret = GetSharedSecretForP2p(in, urlJson, protocolType, sharedSecret);
804 break;
805 case TRUST_TYPE_UID:
806 if (protocolType != ALG_ISO) {
807 LOGE("protocol type is not iso, not supported!");
808 ret = HC_ERR_INVALID_PARAMS;
809 } else {
810 ret = GetAccountSymSharedSecret(in, urlJson, sharedSecret);
811 }
812 break;
813 default:
814 LOGE("Invalid trust type!");
815 ret = HC_ERR_INVALID_PARAMS;
816 break;
817 }
818 FreeJson(urlJson);
819 return ret;
820 }
821
GetCredInfoByPeerCert(const CJson * in,const CertInfo * certInfo,IdentityInfo ** returnInfo)822 int32_t GetCredInfoByPeerCert(const CJson *in, const CertInfo *certInfo, IdentityInfo **returnInfo)
823 {
824 if (in == NULL || certInfo == NULL || returnInfo == NULL) {
825 LOGE("Invalid input params!");
826 return HC_ERR_INVALID_PARAMS;
827 }
828 int32_t osAccountId = INVALID_OS_ACCOUNT;
829 if (GetIntFromJson(in, FIELD_OS_ACCOUNT_ID, &osAccountId) != HC_SUCCESS) {
830 LOGE("Failed to get osAccountId!");
831 return HC_ERR_JSON_GET;
832 }
833 int32_t res = GetAccountAsymCredInfo(osAccountId, certInfo, returnInfo);
834 if (res != HC_SUCCESS) {
835 LOGE("Failed to get account asym cred info!");
836 return res;
837 }
838 if (certInfo->isPseudonym) {
839 (*returnInfo)->proof.certInfo.isPseudonym = true;
840 } else {
841 (*returnInfo)->proof.certInfo.isPseudonym = false;
842 }
843 return HC_SUCCESS;
844 }
845
GetSharedSecretByPeerCert(const CJson * in,const CertInfo * peerCertInfo,ProtocolAlgType protocolType,Uint8Buff * sharedSecret)846 int32_t GetSharedSecretByPeerCert(const CJson *in, const CertInfo *peerCertInfo, ProtocolAlgType protocolType,
847 Uint8Buff *sharedSecret)
848 {
849 if (in == NULL || peerCertInfo == NULL || sharedSecret == NULL) {
850 LOGE("Invalid input params!");
851 return HC_ERR_INVALID_PARAMS;
852 }
853 if (protocolType != ALG_EC_SPEKE) {
854 LOGE("protocol type is not ec speke, not support!");
855 return HC_ERR_INVALID_PARAMS;
856 }
857 int32_t osAccountId = INVALID_OS_ACCOUNT;
858 if (GetIntFromJson(in, FIELD_OS_ACCOUNT_ID, &osAccountId) != HC_SUCCESS) {
859 LOGE("Failed to get osAccountId!");
860 return HC_ERR_JSON_GET;
861 }
862 return GetAccountAsymSharedSecret(osAccountId, peerCertInfo, sharedSecret);
863 }