• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (c) 2023-2024 Huawei Device Co., Ltd.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at
6  *
7  *     http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
16 #include "cert_context.h"
17 
18 #include <map>
19 #include <node_api.h>
20 #include <openssl/ssl.h>
21 
22 #include "napi_utils.h"
23 #include "net_ssl_exec.h"
24 #include "netstack_common_utils.h"
25 #include "netstack_log.h"
26 #include "net_ssl_verify_cert.h"
27 #if HAS_NETMANAGER_BASE
28 #include "net_conn_client.h"
29 #endif // HAS_NETMANAGER_BASE
30 
31 static constexpr const int PARAM_JUST_CERT = 1;
32 
33 static constexpr const int PARAM_CERT_AND_CACERT = 2;
34 
35 namespace OHOS::NetStack::Ssl {
36 
37 static const std::map<int32_t, const char *> SSL_ERR_MAP = {
38     {SslErrorCode::SSL_NONE_ERR, "Verify success."},
39     {SslErrorCode::SSL_X509_V_ERR_UNSPECIFIED, "Unspecified error."},
40     {SslErrorCode::SSL_X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, "Unable to get issuer certificate."},
41     {SslErrorCode::SSL_X509_V_ERR_UNABLE_TO_GET_CRL, "Unable to get certificate revocation list (CRL)."},
42     {SslErrorCode::SSL_X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE, "Unable to decrypt certificate signature."},
43     {SslErrorCode::SSL_X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE, "Unable to decrypt CRL signature."},
44     {SslErrorCode::SSL_X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY, "Unable to decode issuer public key."},
45     {SslErrorCode::SSL_X509_V_ERR_CERT_SIGNATURE_FAILURE, "Certificate signature failure."},
46     {SslErrorCode::SSL_X509_V_ERR_CRL_SIGNATURE_FAILURE, "CRL signature failure."},
47     {SslErrorCode::SSL_X509_V_ERR_CERT_NOT_YET_VALID, "Certificate is not yet valid."},
48     {SslErrorCode::SSL_X509_V_ERR_CERT_HAS_EXPIRED, "Certificate has expired."},
49     {SslErrorCode::SSL_X509_V_ERR_CRL_NOT_YET_VALID, "CRL is not yet valid."},
50     {SslErrorCode::SSL_X509_V_ERR_CRL_HAS_EXPIRED, "CRL has expired."},
51     {SslErrorCode::SSL_X509_V_ERR_CERT_REVOKED, "Certificate has been revoked."},
52     {SslErrorCode::SSL_X509_V_ERR_INVALID_CA, "Invalid certificate authority (CA)."},
53     {SslErrorCode::SSL_X509_V_ERR_CERT_UNTRUSTED, "Certificate is untrusted."},
54     {SslErrorCode::SSL_X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, "self-signed certificate."},
55     {SslErrorCode::SSL_X509_V_ERR_INVALID_CALL, "invalid certificate verification context."}
56 };
57 
CertContext(napi_env env,const std::shared_ptr<EventManager> & manager)58 CertContext::CertContext(napi_env env, const std::shared_ptr<EventManager> &manager)
59     : BaseContext(env, manager), certBlob_(nullptr), certBlobClient_(nullptr) {}
60 
ParseParams(napi_value * params,size_t paramsCount)61 void CertContext::ParseParams(napi_value *params, size_t paramsCount)
62 {
63     bool valid = CheckParamsType(params, paramsCount);
64     if (valid) {
65         if (paramsCount == PARAM_JUST_CERT) {
66             certBlob_ = ParseCertBlobFromValue(GetEnv(), params[0]);
67             SetParseOK(certBlob_ != nullptr);
68         } else if (paramsCount == PARAM_CERT_AND_CACERT) {
69             certBlob_ = ParseCertBlobFromValue(GetEnv(), params[0]);
70             certBlobClient_ = ParseCertBlobFromValue(GetEnv(), params[1]);
71             SetParseOK(certBlob_ != nullptr && certBlobClient_ != nullptr);
72         }
73     } else {
74         SetErrorCode(PARSE_ERROR_CODE);
75     }
76 }
77 
CheckParamsType(napi_value * params,size_t paramsCount)78 bool CertContext::CheckParamsType(napi_value *params, size_t paramsCount)
79 {
80     if (paramsCount == PARAM_JUST_CERT) {
81         return NapiUtils::GetValueType(GetEnv(), params[0]) == napi_object;
82     } else if (paramsCount == PARAM_CERT_AND_CACERT) {
83         return NapiUtils::GetValueType(GetEnv(), params[0]) == napi_object &&
84                NapiUtils::GetValueType(GetEnv(), params[1]) == napi_object;
85     }
86     return false;
87 }
88 
ParseCertBlobFromValue(napi_env env,napi_value value)89 CertBlob *CertContext::ParseCertBlobFromValue(napi_env env, napi_value value)
90 {
91     napi_value typeValue;
92     napi_value dataValue;
93     napi_get_named_property(env, value, "type", &typeValue);
94     napi_get_named_property(env, value, "data", &dataValue);
95     if (typeValue == nullptr || dataValue == nullptr) {
96         SetErrorCode(PARSE_ERROR_CODE);
97         return new CertBlob{CERT_TYPE_MAX, 0, nullptr};
98     }
99     return ParseCertBlobFromData(env, value, typeValue, dataValue);
100 }
101 
ParseCertBlobFromData(napi_env env,napi_value value,napi_value typeValue,napi_value dataValue)102 CertBlob *CertContext::ParseCertBlobFromData(napi_env env, napi_value value, napi_value typeValue, napi_value dataValue)
103 {
104     size_t dataSize = 0;
105     uint32_t type;
106     uint32_t size = 0;
107     uint8_t *data = nullptr;
108     napi_get_value_uint32(env, typeValue, &type);
109     CertType certType = static_cast<CertType>(type);
110     if (certType == CERT_TYPE_PEM) {
111         NETSTACK_LOGD("CERT_TYPE_PEM\n");
112         napi_valuetype valueType;
113         napi_typeof(env, dataValue, &valueType);
114         if (valueType != napi_string) {
115             NETSTACK_LOGE("pem but not string\n");
116             return new CertBlob{CERT_TYPE_MAX, 0, nullptr};
117         }
118         napi_get_value_string_utf8(env, dataValue, nullptr, 0, &dataSize);
119         if (dataSize + 1 < SIZE_MAX / sizeof(uint8_t)) {
120             data = new uint8_t[dataSize + 1];
121             napi_get_value_string_utf8(env, dataValue, reinterpret_cast<char *>(data), dataSize + 1, &dataSize);
122             size = static_cast<uint32_t>(dataSize);
123         } else {
124             return new CertBlob{CERT_TYPE_MAX, 0, nullptr};
125         }
126     } else if (certType == CERT_TYPE_DER) {
127         NETSTACK_LOGD("CERT_TYPE_DER\n");
128         bool isArrayBuffer = false;
129         napi_is_buffer(env, dataValue, &isArrayBuffer);
130         if (!isArrayBuffer) {
131             NETSTACK_LOGE("der but bot arraybuffer\n");
132             return new CertBlob{CERT_TYPE_MAX, 0, nullptr};
133         }
134         void *dataArray = nullptr;
135         napi_get_arraybuffer_info(env, dataValue, &dataArray, &dataSize);
136         if (dataSize < SIZE_MAX / sizeof(uint8_t)) {
137             data = new uint8_t[dataSize];
138             std::copy(static_cast<uint8_t *>(dataArray), static_cast<uint8_t *>(dataArray) + dataSize, data);
139             size = static_cast<uint32_t>(dataSize);
140         } else {
141             return new CertBlob{CERT_TYPE_MAX, 0, nullptr};
142         }
143     } else {
144         return new CertBlob{CERT_TYPE_MAX, 0, nullptr};
145     }
146     return new CertBlob{static_cast<CertType>(type), static_cast<uint32_t>(size), static_cast<uint8_t *>(data)};
147 }
148 
GetCertBlob()149 CertBlob *CertContext::GetCertBlob()
150 {
151     return certBlob_;
152 }
153 
GetCertBlobClient()154 CertBlob *CertContext::GetCertBlobClient()
155 {
156     return certBlobClient_;
157 }
158 
GetErrorCode() const159 int32_t CertContext::GetErrorCode() const
160 {
161     auto errorCode = BaseContext::GetErrorCode();
162     if (errorCode == PARSE_ERROR_CODE) {
163         return PARSE_ERROR_CODE;
164     }
165 #if HAS_NETMANAGER_BASE
166     const auto &errorCodeSet =
167         OHOS::NetManagerStandard::NetConnClient::IsAPIVersionSupported(CommonUtils::SdkVersion::TWELVE)
168             ? SslErrorCodeSetSinceAPI12
169             : SslErrorCodeSetBase;
170 #else
171     const auto &errorCodeSet = SslErrorCodeSetSinceAPI12;
172 #endif
173     if (errorCodeSet.find(errorCode) == errorCodeSet.end()) {
174         errorCode = SSL_X509_V_ERR_UNSPECIFIED;
175     }
176     return errorCode;
177 }
178 
GetErrorMessage() const179 std::string CertContext::GetErrorMessage() const
180 {
181     auto err = BaseContext::GetErrorCode();
182     if (err == PARSE_ERROR_CODE) {
183         return PARSE_ERROR_MSG;
184     }
185 
186     auto pos = SSL_ERR_MAP.find(err);
187     if (pos != SSL_ERR_MAP.end()) {
188         return pos->second;
189     }
190     return SSL_ERR_MAP.at(SslErrorCode::SSL_X509_V_ERR_CERT_UNTRUSTED);
191 }
192 
~CertContext()193 CertContext::~CertContext()
194 {
195     if (certBlob_ != nullptr) {
196         if (certBlob_->data != nullptr) {
197             delete[] certBlob_->data;
198             certBlob_->data = nullptr;
199         }
200         delete certBlob_;
201         certBlob_ = nullptr;
202     }
203 
204     if (certBlobClient_ != nullptr) {
205         if (certBlobClient_->data != nullptr) {
206             delete[] certBlobClient_->data;
207             certBlobClient_->data = nullptr;
208         }
209         delete certBlobClient_;
210         certBlobClient_ = nullptr;
211     }
212     NETSTACK_LOGD("CertContext is destructed by the destructor");
213 }
214 } // namespace OHOS::NetStack::Ssl
215