1 /*
2 * Copyright (C) 2025 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "alg_defs.h"
17 #include "alg_loader.h"
18 #include "hc_log.h"
19 #include "identity_manager.h"
20 #include "asy_token_manager.h"
21 #include "pseudonym_manager.h"
22 #include "identity_service_defines.h"
23 #include "identity_operation.h"
24 #include "cert_operation.h"
25 #include "hal_error.h"
26 #include "account_module_defines.h"
27
CreateUrlStr(uint8_t credType,int32_t keyType,char ** urlStr)28 static int32_t CreateUrlStr(uint8_t credType, int32_t keyType, char **urlStr)
29 {
30 TrustType trustType = TRUST_TYPE_P2P;
31 if (credType != ACCOUNT_UNRELATED) {
32 trustType = TRUST_TYPE_UID;
33 }
34 CJson *urlJson = CreateCredUrlJson(PRE_SHARED, keyType, trustType);
35 if (!urlJson) {
36 LOGE("Failed to create CredUrlJson info!");
37 return HC_ERR_ALLOC_MEMORY;
38 }
39 char *str = PackJsonToString(urlJson);
40 FreeJson(urlJson);
41 if (str == NULL) {
42 LOGE("Failed to pack url json to string!");
43 return HC_ERR_PACKAGE_JSON_TO_STRING_FAIL;
44 }
45 *urlStr = str;
46 return HC_SUCCESS;
47 }
48
ConvertISProofTypeToCertType(uint32_t protocolType,IdentityProofType * returnType)49 static int32_t ConvertISProofTypeToCertType(uint32_t protocolType, IdentityProofType *returnType)
50 {
51 if (protocolType == PROOF_TYPE_PSK) {
52 *returnType = PRE_SHARED;
53 return HC_SUCCESS;
54 } else if (protocolType == PROOF_TYPE_PKI) {
55 *returnType = CERTIFICATED;
56 return HC_SUCCESS;
57 }
58 return HC_ERR_NOT_SUPPORT;
59 }
60
ConvertISAlgToCertAlg(uint32_t alg,Algorithm * returnAlg)61 static int32_t ConvertISAlgToCertAlg(uint32_t alg, Algorithm *returnAlg)
62 {
63 if (alg == ALGO_TYPE_P256) {
64 *returnAlg = P256;
65 return HC_SUCCESS;
66 }
67 return HC_ERR_NOT_SUPPORT;
68 }
69
ISSetISOEntity(IdentityInfo * info)70 static int32_t ISSetISOEntity(IdentityInfo *info)
71 {
72 #ifdef ENABLE_ACCOUNT_AUTH_ISO
73 ProtocolEntity *entity = (ProtocolEntity *)HcMalloc(sizeof(ProtocolEntity), 0);
74 if (entity == NULL) {
75 LOGE("Failed to alloc memory for ISO protocol entity!");
76 return HC_ERR_ALLOC_MEMORY;
77 }
78 entity->protocolType = ALG_ISO;
79 entity->expandProcessCmds = 0;
80 if (info->protocolVec.pushBack(&info->protocolVec, (const ProtocolEntity **)&entity) == NULL) {
81 HcFree(entity);
82 LOGE("Failed to push protocol entity!");
83 return HC_ERR_ALLOC_MEMORY;
84 }
85 return HC_SUCCESS;
86 #else
87 (void)info;
88 LOGE("ISO not support!");
89 return HC_ERR_NOT_SUPPORT;
90 #endif
91 }
92
ISSetEcSpekeEntity(IdentityInfo * info,bool isNeedRefreshPseudonymId)93 static int32_t ISSetEcSpekeEntity(IdentityInfo *info, bool isNeedRefreshPseudonymId)
94 {
95 #ifdef ENABLE_ACCOUNT_AUTH_EC_SPEKE
96 ProtocolEntity *entity = (ProtocolEntity *)HcMalloc(sizeof(ProtocolEntity), 0);
97 if (entity == NULL) {
98 LOGE("Failed to alloc memory for ec-speke protocol entity!");
99 return HC_ERR_ALLOC_MEMORY;
100 }
101 entity->protocolType = ALG_EC_SPEKE;
102 entity->expandProcessCmds = 0;
103 #ifdef ENABLE_PSEUDONYM
104 if (isNeedRefreshPseudonymId) {
105 entity->expandProcessCmds |= CMD_MK_AGREE;
106 }
107 #else
108 (void)isNeedRefreshPseudonymId;
109 #endif
110 if (info->protocolVec.pushBack(&info->protocolVec, (const ProtocolEntity **)&entity) == NULL) {
111 HcFree(entity);
112 LOGE("Failed to push protocol entity!");
113 return HC_ERR_ALLOC_MEMORY;
114 }
115 return HC_SUCCESS;
116 #else
117 (void)info;
118 (void)isNeedRefreshPseudonymId;
119 LOGE("ec speke not support!");
120 return HC_ERR_NOT_SUPPORT;
121 #endif
122 }
123
ISSetCertInfoAndEntity(int32_t osAccountId,const CJson * context,const CJson * credAuthInfo,bool isPseudonym,IdentityInfo * info)124 static int32_t ISSetCertInfoAndEntity(int32_t osAccountId, const CJson *context, const CJson *credAuthInfo,
125 bool isPseudonym, IdentityInfo *info)
126 {
127 const char *authId = GetStringFromJson(credAuthInfo, FIELD_DEVICE_ID);
128 if (authId == NULL) {
129 LOGE("Failed to get auth ID!");
130 return HC_ERR_JSON_GET;
131 }
132 AccountToken *token = CreateAccountToken();
133 if (token == NULL) {
134 LOGE("Failed to create account token!");
135 return HC_ERR_ALLOC_MEMORY;
136 }
137 const char *userId = GetStringFromJson(context, FIELD_USER_ID);
138 if (userId == NULL) {
139 LOGE("Failed to get user ID!");
140 return HC_ERR_JSON_GET;
141 }
142 int32_t res = GetAccountAuthTokenManager()->getToken(osAccountId, token, userId, authId);
143 if (res != HC_SUCCESS) {
144 LOGE("Failed to get account token!");
145 DestroyAccountToken(token);
146 return res;
147 }
148 res = GenerateCertInfo(&token->pkInfoStr, &token->pkInfoSignature, &info->proof.certInfo);
149 DestroyAccountToken(token);
150 if (res != HC_SUCCESS) {
151 LOGE("Failed to generate cert info!");
152 return res;
153 }
154 uint32_t signAlg = 0;
155 if (GetUnsignedIntFromJson(credAuthInfo, FIELD_ALGORITHM_TYPE, &signAlg) != HC_SUCCESS) {
156 LOGE("Failed to get algorithm type!");
157 return HC_ERR_JSON_GET;
158 }
159 res = ConvertISAlgToCertAlg(signAlg, &info->proof.certInfo.signAlg);
160 if (res != HC_SUCCESS) {
161 LOGE("unsupport algorithm type!");
162 return res;
163 }
164 info->proof.certInfo.isPseudonym = isPseudonym;
165 const char *pdidIndex = GetStringFromJson(context, FIELD_CRED_ID);
166 if (pdidIndex == NULL) {
167 LOGE("Failed to get cred ID!");
168 return HC_ERR_JSON_GET;
169 }
170 bool isNeedRefreshPseudonymId = GetPseudonymInstance()->isNeedRefreshPseudonymId(osAccountId, pdidIndex);
171 return ISSetEcSpekeEntity(info, isNeedRefreshPseudonymId);
172 }
173
ISSetPreShareUrlAndEntity(const CJson * credAuthInfo,IdentityInfo * info)174 static int32_t ISSetPreShareUrlAndEntity(const CJson *credAuthInfo, IdentityInfo *info)
175 {
176 uint8_t credType = ACCOUNT_UNRELATED;
177 if (GetUint8FromJson(credAuthInfo, FIELD_CRED_TYPE, &credType) != HC_SUCCESS) {
178 LOGE("get int from json failed!");
179 return HC_ERR_JSON_GET;
180 }
181 uint8_t keyFormat;
182 if (GetUint8FromJson(credAuthInfo, FIELD_KEY_FORMAT, &keyFormat) != HC_SUCCESS) {
183 LOGE("get int from json failed!");
184 return HC_ERR_JSON_GET;
185 }
186 int32_t res = HC_ERROR;
187 KeyType keyType;
188 if (keyFormat == SYMMETRIC_KEY) {
189 res = ISSetISOEntity(info);
190 keyType = KEY_TYPE_SYM;
191 } else if (keyFormat == ASYMMETRIC_KEY || keyFormat == ASYMMETRIC_PUB_KEY) {
192 res = ISSetEcSpekeEntity(info, false);
193 keyType = KEY_TYPE_ASYM;
194 }
195 if (res != HC_SUCCESS) {
196 return res;
197 }
198 char *urlStr = NULL;
199 res = CreateUrlStr(credType, keyType, &urlStr);
200 if (res != HC_SUCCESS) {
201 LOGE("Failed to create url string!");
202 return res;
203 }
204 res = SetPreSharedUrlForProof(urlStr, &info->proof.preSharedUrl);
205 FreeJsonString(urlStr);
206 if (res != HC_SUCCESS) {
207 LOGE("Failed to set preSharedUrl of proof!");
208 return res;
209 }
210 info->proofType = PRE_SHARED;
211 return HC_SUCCESS;
212 }
213
ISSetCertProofAndEntity(const CJson * context,const CJson * credAuthInfo,bool isPseudonym,IdentityInfo * info)214 static int32_t ISSetCertProofAndEntity(const CJson *context, const CJson *credAuthInfo,
215 bool isPseudonym, IdentityInfo *info)
216 {
217 int32_t res = HC_ERROR;
218 if (info->proofType == PRE_SHARED) {
219 res = ISSetPreShareUrlAndEntity(credAuthInfo, info);
220 if (res != HC_SUCCESS) {
221 LOGE("Failed to set preshared url");
222 }
223 } else if (info->proofType == CERTIFICATED) {
224 int32_t osAccountId = 0;
225 if (GetIntFromJson(context, FIELD_OS_ACCOUNT_ID, &osAccountId) != HC_SUCCESS) {
226 LOGE("Failed to get osAccountId!");
227 return HC_ERR_JSON_GET;
228 }
229 res = ISSetCertInfoAndEntity(osAccountId, context, credAuthInfo, isPseudonym, info);
230 if (res != HC_SUCCESS) {
231 LOGE("Failed to get cert info!");
232 }
233 } else {
234 res = HC_ERR_NOT_SUPPORT;
235 LOGE("unknown proof type!");
236 }
237 return res;
238 }
239
ISGetIdentityInfo(const CJson * context,bool isPseudonym,IdentityInfo ** returnInfo)240 static int32_t ISGetIdentityInfo(const CJson *context, bool isPseudonym, IdentityInfo **returnInfo)
241 {
242 CJson *credAuthInfo = GetObjFromJson(context, FIELD_CREDENTIAL_OBJ);
243 if (credAuthInfo == NULL) {
244 LOGE("Get self credAuthInfo fail.");
245 return HC_ERR_JSON_GET;
246 }
247 uint32_t proofType = 0;
248 int32_t res = GetUnsignedIntFromJson(credAuthInfo, FIELD_PROOF_TYPE, &proofType);
249 if (res != HC_SUCCESS) {
250 LOGE("Get proofType fail.");
251 return res;
252 }
253 if (isPseudonym && proofType != PROOF_TYPE_PKI) {
254 return HC_SUCCESS;
255 }
256 IdentityInfo *info = CreateIdentityInfo();
257 if (info == NULL) {
258 LOGE("Failed to alloc memory for IdentityInfo!");
259 return HC_ERR_JSON_GET;
260 }
261 info->IdInfoType = DEFAULT_ID_TYPE;
262 do {
263 res = ConvertISProofTypeToCertType(proofType, &info->proofType);
264 if (res != HC_SUCCESS) {
265 LOGE("unsupport proof type!");
266 break;
267 }
268 res = ISSetCertProofAndEntity(context, credAuthInfo, isPseudonym, info);
269 if (res != HC_SUCCESS) {
270 LOGE("Failed to set cert proof and protocol entity!");
271 break;
272 }
273 } while (0);
274 if (res != HC_SUCCESS) {
275 DestroyIdentityInfo(info);
276 return res;
277 }
278 *returnInfo = info;
279 return HC_SUCCESS;
280 }
281
AddIdentityInfoToVec(const CJson * in,bool isPseudonym,IdentityInfoVec * vec)282 static int32_t AddIdentityInfoToVec(const CJson *in, bool isPseudonym, IdentityInfoVec *vec)
283 {
284 IdentityInfo *info = NULL;
285 int32_t res = ISGetIdentityInfo(in, isPseudonym, &info);
286 if (res != HC_SUCCESS) {
287 LOGE("Get Identity by credAuthInfo fail.");
288 return res;
289 }
290 if (info == NULL) {
291 return HC_SUCCESS;
292 }
293 if (vec->pushBack(vec, (const IdentityInfo **)&info) == NULL) {
294 DestroyIdentityInfo(info);
295 LOGE("Failed to push protocol entity!");
296 return HC_ERR_ALLOC_MEMORY;
297 }
298 return HC_SUCCESS;
299 }
300
GetCredInfosByPeerIdentity(const CJson * in,IdentityInfoVec * vec)301 static int32_t GetCredInfosByPeerIdentity(const CJson *in, IdentityInfoVec *vec)
302 {
303 if (in == NULL || vec == NULL) {
304 LOGE("Invalid input params!");
305 return HC_ERR_INVALID_PARAMS;
306 }
307 int32_t res = HC_ERROR;
308 #ifdef ENABLE_PSEUDONYM
309 //try enable pseudonym
310 res = AddIdentityInfoToVec(in, true, vec);
311 if (res != HC_SUCCESS) {
312 LOGE("add identity info to vec failed.");
313 return res;
314 }
315 #endif
316 res = AddIdentityInfoToVec(in, false, vec);
317 if (res != HC_SUCCESS) {
318 LOGE("add identity info to vec failed.");
319 return res;
320 }
321 return HC_SUCCESS;
322 }
323
GetCredInfoByPeerUrl(const CJson * in,const Uint8Buff * presharedUrl,IdentityInfo ** returnInfo)324 static int32_t GetCredInfoByPeerUrl(const CJson *in, const Uint8Buff *presharedUrl, IdentityInfo **returnInfo)
325 {
326 if (in == NULL || presharedUrl == NULL || returnInfo == NULL) {
327 LOGE("Invalid input params!");
328 return HC_ERR_INVALID_PARAMS;
329 }
330 IdentityInfo *info = NULL;
331 int32_t res = ISGetIdentityInfo(in, false, &info);
332 if (res != HC_SUCCESS) {
333 LOGE("Get Identity by credAuthInfo fail.");
334 return res;
335 }
336 if (memcmp(presharedUrl->val, info->proof.preSharedUrl.val, presharedUrl->length) != 0) {
337 DestroyIdentityInfo(info);
338 LOGE("peer presharedUrl is not equal.");
339 return HC_ERR_MEMORY_COMPARE;
340 }
341 *returnInfo = info;
342 return HC_SUCCESS;
343 }
344
ComputeHkdfKeyAlias(const CJson * in,int32_t osAccountId,Uint8Buff * credIdByte,Uint8Buff * sharedSecret)345 static int32_t ComputeHkdfKeyAlias(const CJson *in, int32_t osAccountId, Uint8Buff *credIdByte, Uint8Buff *sharedSecret)
346 {
347 uint8_t *pskVal = (uint8_t *)HcMalloc(PAKE_PSK_LEN, 0);
348 if (pskVal == NULL) {
349 LOGE("Failed to alloc memory for psk!");
350 return HC_ERR_ALLOC_MEMORY;
351 }
352 Uint8Buff pskBuff = { pskVal, PAKE_PSK_LEN };
353 uint8_t *nonceVal = (uint8_t *)HcMalloc(PAKE_NONCE_LEN, 0);
354 if (nonceVal == NULL) {
355 LOGE("Failed to alloc memory for nonce!");
356 HcFree(pskVal);
357 return HC_ERR_ALLOC_MEMORY;
358 }
359 Uint8Buff nonceBuff = { nonceVal, PAKE_NONCE_LEN };
360 int32_t ret = GetByteFromJson(in, FIELD_NONCE, nonceBuff.val, nonceBuff.length);
361 if (ret != HC_SUCCESS) {
362 LOGE("Failed to get nonce!");
363 HcFree(pskVal);
364 HcFree(nonceVal);
365 return HC_ERR_JSON_GET;
366 }
367 Uint8Buff keyInfo = { (uint8_t *)TMP_AUTH_KEY_FACTOR, HcStrlen(TMP_AUTH_KEY_FACTOR) };
368 KeyParams keyAliasParams = { { credIdByte->val, credIdByte->length, true }, false, osAccountId };
369 ret = GetLoaderInstance()->computeHkdf(&keyAliasParams, &nonceBuff, &keyInfo, &pskBuff);
370 HcFree(nonceVal);
371 if (ret != HC_SUCCESS) {
372 LOGE("Failed to compute hkdf for psk!");
373 HcFree(pskVal);
374 return ret;
375 }
376
377 ret = ConvertPsk(&pskBuff, sharedSecret);
378 HcFree(pskVal);
379 if (ret != HC_SUCCESS) {
380 LOGE("Failed to convert psk!");
381 }
382 return ret;
383 }
384
ComputeAuthToken(int32_t osAccountId,const char * userId,const Uint8Buff keyAlias,Uint8Buff * authToken)385 static int32_t ComputeAuthToken(int32_t osAccountId, const char *userId, const Uint8Buff keyAlias, Uint8Buff *authToken)
386 {
387 authToken->val = (uint8_t *)HcMalloc(AUTH_TOKEN_SIZE, 0);
388 if (authToken->val == NULL) {
389 LOGE("Failed to alloc memory for auth token!");
390 return HC_ERR_ALLOC_MEMORY;
391 }
392 authToken->length = AUTH_TOKEN_SIZE;
393 Uint8Buff userIdBuff = { (uint8_t *)userId, HcStrlen(userId) };
394 Uint8Buff challenge = { (uint8_t *)KEY_INFO_PERSISTENT_TOKEN, HcStrlen(KEY_INFO_PERSISTENT_TOKEN) };
395 KeyParams keyAliasParams = { { keyAlias.val, keyAlias.length, true }, false, osAccountId };
396 int32_t ret = GetLoaderInstance()->computeHkdf(&keyAliasParams, &userIdBuff, &challenge, authToken);
397 if (ret != HC_SUCCESS) {
398 LOGE("Failed to computeHkdf from authCode to authToken!");
399 FreeBuffData(authToken);
400 }
401 return ret;
402 }
403
GenerateAuthTokenForAccessory(int32_t osAccountId,const char * credId,const CJson * in,Uint8Buff * authToken)404 static int32_t GenerateAuthTokenForAccessory(int32_t osAccountId, const char *credId, const CJson *in,
405 Uint8Buff *authToken)
406 {
407 const char *userIdSelf = GetStringFromJson(in, FIELD_USER_ID);
408 if (userIdSelf == NULL) {
409 LOGE("Failed to get self user ID!");
410 return HC_ERR_JSON_GET;
411 }
412 Uint8Buff credIdByte = { NULL, 0 };
413 int32_t ret = GetValidKeyAlias(osAccountId, credId, &credIdByte);
414 if (ret == HAL_ERR_KEY_NOT_EXIST) {
415 LOGE("Huks key not exist!");
416 DelCredById(osAccountId, credId);
417 return IS_ERR_HUKS_KEY_NOT_EXIST;
418 }
419 if (ret == HAL_ERR_HUKS) {
420 LOGE("Huks check key exist failed");
421 return IS_ERR_HUKS_CHECK_KEY_EXIST_FAILED;
422 }
423 if (ret != IS_SUCCESS) {
424 LOGE("Failed to check key exist in HUKS");
425 return ret;
426 }
427 ret = ComputeAuthToken(osAccountId, userIdSelf, credIdByte, authToken);
428 FreeBuffData(&credIdByte);
429 return ret;
430 }
431
GenerateTokenAliasForController(int32_t osAccountId,const char * credId,Uint8Buff * authToken)432 static int32_t GenerateTokenAliasForController(int32_t osAccountId, const char *credId, Uint8Buff *authToken)
433 {
434 int32_t ret = GetValidKeyAlias(osAccountId, credId, authToken);
435 if (ret == HAL_ERR_KEY_NOT_EXIST) {
436 LOGE("Huks key not exist!");
437 DelCredById(osAccountId, credId);
438 return IS_ERR_HUKS_KEY_NOT_EXIST;
439 }
440 if (ret == HAL_ERR_HUKS) {
441 LOGE("Huks check key exist failed");
442 return IS_ERR_HUKS_CHECK_KEY_EXIST_FAILED;
443 }
444 if (ret != IS_SUCCESS) {
445 LOGE("Failed to check key exist in HUKS");
446 return ret;
447 }
448 return HC_SUCCESS;
449 }
450
GenerateAuthTokenByDevType(int32_t osAccountId,const CJson * in,Uint8Buff * authToken,bool * isTokenStored)451 static int32_t GenerateAuthTokenByDevType(int32_t osAccountId, const CJson *in, Uint8Buff *authToken,
452 bool *isTokenStored)
453 {
454 const char *credId = GetStringFromJson(in, FIELD_CRED_ID);
455 if (credId == NULL) {
456 LOGE("Failed to get cred ID!");
457 return HC_ERR_JSON_GET;
458 }
459 const CJson *credAuthInfo = GetObjFromJson(in, FIELD_CREDENTIAL_OBJ);
460 if (credAuthInfo == NULL) {
461 LOGE("Get credAuthInfo fail.");
462 return HC_ERR_JSON_GET;
463 }
464 uint8_t localDevType = SUBJECT_ACCESSORY_DEVICE;
465 if (GetUint8FromJson(credAuthInfo, FIELD_SUBJECT, &localDevType) != HC_SUCCESS) {
466 LOGE("Failed to get subject!");
467 return HC_ERR_JSON_GET;
468 }
469 int32_t ret = HC_ERROR;
470 if (localDevType == SUBJECT_ACCESSORY_DEVICE) {
471 *isTokenStored = false;
472 ret = GenerateAuthTokenForAccessory(osAccountId, credId, in, authToken);
473 } else {
474 ret = GenerateTokenAliasForController(osAccountId, credId, authToken);
475 }
476 return ret;
477 }
478
ISGetAccountSymSharedSecret(const CJson * in,Uint8Buff * sharedSecret)479 static int32_t ISGetAccountSymSharedSecret(const CJson *in, Uint8Buff *sharedSecret)
480 {
481 if (in == NULL || sharedSecret == NULL) {
482 LOGE("Invalid input params!");
483 return HC_ERR_INVALID_PARAMS;
484 }
485 int32_t osAccountId;
486 if (GetIntFromJson(in, FIELD_OS_ACCOUNT_ID, &osAccountId) != HC_SUCCESS) {
487 LOGE("Failed to get osAccountId!");
488 return HC_ERR_JSON_GET;
489 }
490 bool isTokenStored = true;
491 Uint8Buff authToken = { NULL, 0 };
492 int32_t ret = GenerateAuthTokenByDevType(osAccountId, in, &authToken, &isTokenStored);
493 if (ret != HC_SUCCESS) {
494 LOGE("Failed to generate auth token!");
495 return ret;
496 }
497 uint8_t seed[SEED_SIZE] = { 0 };
498 Uint8Buff seedBuff = { seed, SEED_SIZE };
499 ret = GetByteFromJson(in, FIELD_SEED, seed, SEED_SIZE);
500 if (ret != HC_SUCCESS) {
501 LOGE("Failed to get seed!");
502 FreeBuffData(&authToken);
503 return HC_ERR_JSON_GET;
504 }
505 sharedSecret->val = (uint8_t *)HcMalloc(ISO_PSK_LEN, 0);
506 if (sharedSecret->val == NULL) {
507 LOGE("Failed to alloc sharedSecret memory!");
508 FreeBuffData(&authToken);
509 return HC_ERR_ALLOC_MEMORY;
510 }
511 sharedSecret->length = ISO_PSK_LEN;
512 KeyParams keyParams = { { authToken.val, authToken.length, isTokenStored }, false, osAccountId };
513 ret = GetLoaderInstance()->computeHmac(&keyParams, &seedBuff, sharedSecret);
514 FreeBuffData(&authToken);
515 if (ret != HC_SUCCESS) {
516 LOGE("ComputeHmac for psk failed, ret: %" LOG_PUB "d.", ret);
517 FreeBuffData(sharedSecret);
518 }
519 return ret;
520 }
521
AuthGeneratePsk(const CJson * in,const Uint8Buff * seed,Uint8Buff * sharedSecret)522 static int32_t AuthGeneratePsk(const CJson *in, const Uint8Buff *seed, Uint8Buff *sharedSecret)
523 {
524 int32_t osAccountId = INVALID_OS_ACCOUNT;
525 if (GetIntFromJson(in, FIELD_OS_ACCOUNT_ID, &osAccountId) != HC_SUCCESS) {
526 LOGE("Failed to get osAccountId!");
527 return HC_ERR_JSON_GET;
528 }
529 const char *credId = GetStringFromJson(in, FIELD_CRED_ID);
530 if (credId == NULL) {
531 LOGE("Failed to get cred ID!");
532 return HC_ERR_JSON_GET;
533 }
534 Uint8Buff credIdByte = { NULL, 0 };
535 int32_t ret = GetValidKeyAlias(osAccountId, credId, &credIdByte);
536 if (ret == HAL_ERR_KEY_NOT_EXIST) {
537 LOGE("Huks key not exist!");
538 DelCredById(osAccountId, credId);
539 return IS_ERR_HUKS_KEY_NOT_EXIST;
540 }
541 if (ret == HAL_ERR_HUKS) {
542 LOGE("Huks check key exist failed");
543 return IS_ERR_HUKS_CHECK_KEY_EXIST_FAILED;
544 }
545 if (ret != IS_SUCCESS) {
546 LOGE("Failed to check key exist in HUKS");
547 return ret;
548 }
549 KeyParams keyAliasParams = { { credIdByte.val, credIdByte.length, true }, false, osAccountId };
550 ret = GetLoaderInstance()->computeHmac(&keyAliasParams, seed, sharedSecret);
551 FreeBuffData(&credIdByte);
552 return ret;
553 }
554
GetSharedSecretForP2pInIso(const CJson * in,Uint8Buff * sharedSecret)555 static int32_t GetSharedSecretForP2pInIso(const CJson *in, Uint8Buff *sharedSecret)
556 {
557 uint8_t *seedVal = (uint8_t *)HcMalloc(SEED_LEN, 0);
558 if (seedVal == NULL) {
559 LOGE("Failed to alloc memory for seed!");
560 return HC_ERR_ALLOC_MEMORY;
561 }
562 Uint8Buff seedBuff = { seedVal, SEED_LEN };
563 int32_t ret = GetByteFromJson(in, FIELD_SEED, seedBuff.val, seedBuff.length);
564 if (ret != HC_SUCCESS) {
565 LOGE("Failed to get seed!");
566 HcFree(seedVal);
567 return HC_ERR_JSON_GET;
568 }
569 uint8_t *pskVal = (uint8_t *)HcMalloc(ISO_PSK_LEN, 0);
570 if (pskVal == NULL) {
571 LOGE("Failed to alloc memory for psk!");
572 HcFree(seedVal);
573 return HC_ERR_ALLOC_MEMORY;
574 }
575 sharedSecret->val = pskVal;
576 sharedSecret->length = ISO_PSK_LEN;
577 ret = AuthGeneratePsk(in, &seedBuff, sharedSecret);
578 HcFree(seedVal);
579 if (ret != HC_SUCCESS) {
580 LOGE("Failed to generate psk!");
581 FreeBuffData(sharedSecret);
582 }
583 return ret;
584 }
585
GetSharedSecretForP2pInPake(const CJson * in,Uint8Buff * sharedSecret)586 static int32_t GetSharedSecretForP2pInPake(const CJson *in, Uint8Buff *sharedSecret)
587 {
588 const char *credId = GetStringFromJson(in, FIELD_CRED_ID);
589 if (credId == NULL) {
590 LOGE("get credId from json failed");
591 return HC_ERR_JSON_GET;
592 }
593 int32_t osAccountId;
594 if (GetIntFromJson(in, FIELD_OS_ACCOUNT_ID, &osAccountId) != HC_SUCCESS) {
595 LOGE("Failed to get osAccountId!");
596 return HC_ERR_JSON_GET;
597 }
598 uint32_t credIdByteLen = HcStrlen(credId) / BYTE_TO_HEX_OPER_LENGTH;
599 Uint8Buff credIdByte = { NULL, credIdByteLen };
600 credIdByte.val = (uint8_t *)HcMalloc(credIdByteLen, 0);
601 if (credIdByte.val == NULL) {
602 LOGE("Failed to malloc credIdByteLen");
603 return IS_ERR_ALLOC_MEMORY;
604 }
605 int32_t ret = HexStringToByte(credId, credIdByte.val, credIdByte.length);
606 if (ret != IS_SUCCESS) {
607 LOGE("Failed to convert credId to byte, invalid credId, ret = %" LOG_PUB "d", ret);
608 HcFree(credIdByte.val);
609 return IS_ERR_INVALID_HEX_STRING;
610 }
611 LOGI("psk alias: %" LOG_PUB "x %" LOG_PUB "x %" LOG_PUB "x %" LOG_PUB "x****.", credIdByte.val[DEV_AUTH_ZERO],
612 credIdByte.val[DEV_AUTH_ONE], credIdByte.val[DEV_AUTH_TWO], credIdByte.val[DEV_AUTH_THREE]);
613
614 ret = GetLoaderInstance()->checkKeyExist(&credIdByte, false, osAccountId);
615 if (ret != HC_SUCCESS) {
616 HcFree(credIdByte.val);
617 LOGE("psk not exist");
618 return ret;
619 }
620 ret = ComputeHkdfKeyAlias(in, osAccountId, &credIdByte, sharedSecret);
621 HcFree(credIdByte.val);
622 if (ret != HC_SUCCESS) {
623 LOGE("compute hkdf key alias failed.");
624 FreeBuffData(sharedSecret);
625 }
626 return ret;
627 }
628
GetSharedSecretForP2p(const CJson * in,ProtocolAlgType protocolType,Uint8Buff * sharedSecret)629 static int32_t GetSharedSecretForP2p(
630 const CJson *in, ProtocolAlgType protocolType, Uint8Buff *sharedSecret)
631 {
632 int32_t ret;
633 if (protocolType == ALG_ISO) {
634 ret = GetSharedSecretForP2pInIso(in, sharedSecret);
635 LOGI("get shared secret for p2p in iso result: %" LOG_PUB "d", ret);
636 } else {
637 ret = GetSharedSecretForP2pInPake(in, sharedSecret);
638 LOGI("get shared secret for p2p in pake result: %" LOG_PUB "d", ret);
639 }
640 return ret;
641 }
642
GetSharedSecretForUid(const CJson * in,ProtocolAlgType protocolType,Uint8Buff * sharedSecret)643 static int32_t GetSharedSecretForUid(
644 const CJson *in, ProtocolAlgType protocolType, Uint8Buff *sharedSecret)
645 {
646 if (protocolType != ALG_ISO) {
647 LOGE("protocol type is not iso, not supported!");
648 return HC_ERR_INVALID_PARAMS;
649 }
650 return ISGetAccountSymSharedSecret(in, sharedSecret);
651 }
652
GetSharedSecretByUrl(const CJson * in,const Uint8Buff * presharedUrl,ProtocolAlgType protocolType,Uint8Buff * sharedSecret)653 static int32_t GetSharedSecretByUrl(
654 const CJson *in, const Uint8Buff *presharedUrl, ProtocolAlgType protocolType, Uint8Buff *sharedSecret)
655 {
656 if (in == NULL || presharedUrl == NULL || sharedSecret == NULL) {
657 LOGE("Invalid input params!");
658 return HC_ERR_INVALID_PARAMS;
659 }
660
661 CJson *urlJson = CreateJsonFromString((const char *)presharedUrl->val);
662 if (urlJson == NULL) {
663 LOGE("Failed to create url json!");
664 return HC_ERR_JSON_CREATE;
665 }
666
667 int32_t trustType = 0;
668 if (GetIntFromJson(urlJson, PRESHARED_URL_TRUST_TYPE, &trustType) != HC_SUCCESS) {
669 LOGE("Failed to get trust type!");
670 FreeJson(urlJson);
671 return HC_ERR_JSON_GET;
672 }
673 FreeJson(urlJson);
674
675 int32_t ret;
676 switch (trustType) {
677 case TRUST_TYPE_P2P:
678 ret = GetSharedSecretForP2p(in, protocolType, sharedSecret);
679 break;
680 case TRUST_TYPE_UID:
681 ret = GetSharedSecretForUid(in, protocolType, sharedSecret);
682 break;
683 default:
684 LOGE("Invalid trust type!");
685 ret = HC_ERR_INVALID_PARAMS;
686 break;
687 }
688 return ret;
689 }
690
GetCredInfoByPeerCert(const CJson * in,const CertInfo * certInfo,IdentityInfo ** returnInfo)691 static int32_t GetCredInfoByPeerCert(const CJson *in, const CertInfo *certInfo, IdentityInfo **returnInfo)
692 {
693 if (in == NULL || certInfo == NULL || returnInfo == NULL) {
694 LOGE("Invalid input params!");
695 return HC_ERR_INVALID_PARAMS;
696 }
697 IdentityInfo *info = NULL;
698 int32_t res = ISGetIdentityInfo(in, certInfo->isPseudonym, &info);
699 if (res != HC_SUCCESS) {
700 LOGE("Get Identity by credAuthInfo fail.");
701 return res;
702 }
703 *returnInfo = info;
704 return HC_SUCCESS;
705 }
706
GetSharedSecretByPeerCert(const CJson * in,const CertInfo * peerCertInfo,ProtocolAlgType protocolType,Uint8Buff * sharedSecret)707 static int32_t GetSharedSecretByPeerCert(
708 const CJson *in, const CertInfo *peerCertInfo, ProtocolAlgType protocolType, Uint8Buff *sharedSecret)
709 {
710 if (in == NULL || peerCertInfo == NULL || sharedSecret == NULL) {
711 LOGE("Invalid input params!");
712 return HC_ERR_INVALID_PARAMS;
713 }
714 if (protocolType != ALG_EC_SPEKE) {
715 LOGE("protocol type is not ec speke, not support!");
716 return HC_ERR_INVALID_PARAMS;
717 }
718 int32_t osAccountId = INVALID_OS_ACCOUNT;
719 if (GetIntFromJson(in, FIELD_OS_ACCOUNT_ID, &osAccountId) != HC_SUCCESS) {
720 LOGE("Failed to get osAccountId!");
721 return HC_ERR_JSON_GET;
722 }
723 const char *credId = GetStringFromJson(in, FIELD_ACROSS_ACCOUNT_CRED_ID);
724 if (credId != NULL) {
725 LOGI("across account credential Id exists.");
726 }
727 return GetAccountAsymSharedSecret(osAccountId, credId, peerCertInfo, sharedSecret);
728 }
729
730 static const AuthIdentity g_authIdentity = {
731 .getCredInfosByPeerIdentity = GetCredInfosByPeerIdentity,
732 .getCredInfoByPeerUrl = GetCredInfoByPeerUrl,
733 .getSharedSecretByUrl = GetSharedSecretByUrl,
734 .getCredInfoByPeerCert = GetCredInfoByPeerCert,
735 .getSharedSecretByPeerCert = GetSharedSecretByPeerCert,
736 };
737
GetCredAuthIdentity(void)738 const AuthIdentity *GetCredAuthIdentity(void)
739 {
740 return &g_authIdentity;
741 }
742