1 /*
2 * Copyright (C) 2023 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "das_standard_token_manager.h"
17 #include "alg_loader.h"
18 #include "das_task_common.h"
19 #include "hc_log.h"
20
RegisterLocalIdentityStd(const TokenManagerParams * params)21 static int32_t RegisterLocalIdentityStd(const TokenManagerParams *params)
22 {
23 Uint8Buff pkgNameBuff = { params->pkgName.val, params->pkgName.length };
24 Uint8Buff serviceTypeBuff = { params->serviceType.val, params->serviceType.length };
25 KeyAliasType keyType = (KeyAliasType)params->userType;
26 uint8_t keyAliasVal[PAKE_KEY_ALIAS_LEN] = { 0 };
27 Uint8Buff keyAliasBuff = { keyAliasVal, PAKE_KEY_ALIAS_LEN };
28 Uint8Buff authIdBuff = { params->authId.val, params->authId.length };
29 int32_t res = GenerateKeyAlias(&pkgNameBuff, &serviceTypeBuff, keyType, &authIdBuff, &keyAliasBuff);
30 if (res != HC_SUCCESS) {
31 LOGE("Failed to generate identity keyPair alias!");
32 return res;
33 }
34
35 const AlgLoader *loader = GetLoaderInstance();
36 res = loader->checkKeyExist(&keyAliasBuff, false, params->osAccountId);
37 if (res == HC_SUCCESS) {
38 LOGD("Key pair is exist.");
39 return HC_SUCCESS;
40 }
41
42 ExtraInfo exInfo = { authIdBuff, -1, -1 }; /* UserType and pairType are not required when generating key. */
43 KeyParams keyParams = { { keyAliasBuff.val, keyAliasBuff.length, true }, false, params->osAccountId };
44 res = loader->generateKeyPairWithStorage(&keyParams, PAKE_ED25519_KEY_PAIR_LEN, ED25519,
45 KEY_PURPOSE_SIGN_VERIFY, &exInfo);
46 if (res != HC_SUCCESS) {
47 LOGE("Failed to generate key pair!");
48 return res;
49 }
50 LOGI("Key pair generated successfully!");
51 return HC_SUCCESS;
52 }
53
UnregisterLocalIdentityStd(const TokenManagerParams * params)54 static int32_t UnregisterLocalIdentityStd(const TokenManagerParams *params)
55 {
56 Uint8Buff pkgNameBuff = { params->pkgName.val, params->pkgName.length };
57 Uint8Buff serviceTypeBuff = { params->serviceType.val, params->serviceType.length };
58 KeyAliasType keyType = (KeyAliasType)params->userType;
59 uint8_t pakeKeyAliasVal[PAKE_KEY_ALIAS_LEN] = { 0 };
60 Uint8Buff pakeKeyAliasBuff = { pakeKeyAliasVal, PAKE_KEY_ALIAS_LEN };
61 Uint8Buff authIdBuff = { params->authId.val, params->authId.length };
62 int32_t res = GenerateKeyAlias(&pkgNameBuff, &serviceTypeBuff, keyType, &authIdBuff, &pakeKeyAliasBuff);
63 if (res != HC_SUCCESS) {
64 LOGE("Failed to generate identity keyPair alias!");
65 return res;
66 }
67 LOGI("KeyPair alias(HEX): %" LOG_PUB "x%" LOG_PUB "x%" LOG_PUB "x%" LOG_PUB "x****.",
68 pakeKeyAliasVal[DEV_AUTH_ZERO], pakeKeyAliasVal[DEV_AUTH_ONE], pakeKeyAliasVal[DEV_AUTH_TWO],
69 pakeKeyAliasVal[DEV_AUTH_THREE]);
70
71 const AlgLoader *loader = GetLoaderInstance();
72 res = loader->deleteKey(&pakeKeyAliasBuff, false, params->osAccountId);
73 if (res != HC_SUCCESS) {
74 LOGE("Failed to delete key pair!");
75 return res;
76 }
77 LOGI("Key pair deleted successfully!");
78
79 // try to delete upgrade keypair if exist.
80 if (memcmp(params->pkgName.val, GROUP_MANAGER_PACKAGE_NAME, HcStrlen(GROUP_MANAGER_PACKAGE_NAME)) == 0) {
81 LOGI("Try to delete upgrade key pair.");
82 res = GenerateKeyAlias(&pkgNameBuff, &serviceTypeBuff, KEY_ALIAS_LT_KEY_PAIR, &authIdBuff, &pakeKeyAliasBuff);
83 if (res != HC_SUCCESS) {
84 LOGE("Failed to generate upgrade key pair alias!");
85 return res;
86 }
87 res = ToLowerCase(&pakeKeyAliasBuff);
88 if (res != HC_SUCCESS) {
89 LOGE("Failed to convert self key alias to lower case!");
90 return res;
91 }
92 LOGI("Upgrade key pair alias(HEX): %" LOG_PUB "x%" LOG_PUB "x%" LOG_PUB "x%" LOG_PUB "x****.",
93 pakeKeyAliasVal[DEV_AUTH_ZERO], pakeKeyAliasVal[DEV_AUTH_ONE], pakeKeyAliasVal[DEV_AUTH_TWO],
94 pakeKeyAliasVal[DEV_AUTH_THREE]);
95 res = loader->deleteKey(&pakeKeyAliasBuff, true, params->osAccountId);
96 if (res != HC_SUCCESS) {
97 LOGE("Failed to delete upgrade key pair!");
98 return res;
99 }
100 LOGI("Upgrade key pair deleted successfully!");
101 }
102
103 return HC_SUCCESS;
104 }
105
DeletePeerPubKey(int32_t osAccountId,const Uint8Buff * pkgNameBuff,const Uint8Buff * serviceTypeBuff,KeyAliasType keyType,const Uint8Buff * authIdPeer)106 static int32_t DeletePeerPubKey(int32_t osAccountId, const Uint8Buff *pkgNameBuff, const Uint8Buff *serviceTypeBuff,
107 KeyAliasType keyType, const Uint8Buff *authIdPeer)
108 {
109 uint8_t pakeKeyAliasVal[PAKE_KEY_ALIAS_LEN] = { 0 };
110 Uint8Buff pakeKeyAliasBuff = { pakeKeyAliasVal, PAKE_KEY_ALIAS_LEN };
111 int32_t res = GenerateKeyAlias(pkgNameBuff, serviceTypeBuff, keyType, authIdPeer, &pakeKeyAliasBuff);
112 if (res != HC_SUCCESS) {
113 LOGE("Failed to generate peer pub key alias!");
114 return res;
115 }
116 LOGI("PubKey alias(HEX): %" LOG_PUB "x%" LOG_PUB "x%" LOG_PUB "x%" LOG_PUB "x****.", pakeKeyAliasVal[DEV_AUTH_ZERO],
117 pakeKeyAliasVal[DEV_AUTH_ONE], pakeKeyAliasVal[DEV_AUTH_TWO], pakeKeyAliasVal[DEV_AUTH_THREE]);
118 const AlgLoader *loader = GetLoaderInstance();
119 res = loader->deleteKey(&pakeKeyAliasBuff, false, osAccountId);
120 if (res != HC_SUCCESS) {
121 LOGE("Failed to delete peer public key!");
122 return res;
123 }
124 LOGI("PubKey deleted successfully!");
125
126 res = ToLowerCase(&pakeKeyAliasBuff);
127 if (res != HC_SUCCESS) {
128 LOGE("Failed to convert peer key alias to lower case!");
129 return res;
130 }
131 res = loader->deleteKey(&pakeKeyAliasBuff, true, osAccountId);
132 if (res != HC_SUCCESS) {
133 LOGE("Failed to delete peer public key by lower case alias!");
134 }
135 return res;
136 }
137
DeleteAuthPsk(int32_t osAccountId,const Uint8Buff * pkgNameBuff,const Uint8Buff * serviceTypeBuff,const Uint8Buff * authIdPeer)138 static int32_t DeleteAuthPsk(int32_t osAccountId, const Uint8Buff *pkgNameBuff, const Uint8Buff *serviceTypeBuff,
139 const Uint8Buff *authIdPeer)
140 {
141 uint8_t pakeKeyAliasVal[PAKE_KEY_ALIAS_LEN] = { 0 };
142 Uint8Buff pakeKeyAliasBuff = { pakeKeyAliasVal, PAKE_KEY_ALIAS_LEN };
143 int32_t res = GenerateKeyAlias(pkgNameBuff, serviceTypeBuff, KEY_ALIAS_PSK, authIdPeer, &pakeKeyAliasBuff);
144 if (res != HC_SUCCESS) {
145 LOGE("Failed to generate psk alias!");
146 return res;
147 }
148 LOGI("Psk alias(HEX): %" LOG_PUB "x%" LOG_PUB "x%" LOG_PUB "x%" LOG_PUB "x****.", pakeKeyAliasVal[DEV_AUTH_ZERO],
149 pakeKeyAliasVal[DEV_AUTH_ONE], pakeKeyAliasVal[DEV_AUTH_TWO], pakeKeyAliasVal[DEV_AUTH_THREE]);
150 const AlgLoader *loader = GetLoaderInstance();
151 res = loader->deleteKey(&pakeKeyAliasBuff, false, osAccountId);
152 if (res != HC_SUCCESS) {
153 LOGE("Failed to delete psk!");
154 return res;
155 }
156 res = loader->deleteKey(&pakeKeyAliasBuff, true, osAccountId);
157 if (res != HC_SUCCESS) {
158 LOGE("Failed to delete psk!");
159 return res;
160 }
161 LOGI("Psk deleted successfully!");
162
163 res = ToLowerCase(&pakeKeyAliasBuff);
164 if (res != HC_SUCCESS) {
165 LOGE("Failed to convert psk alias to lower case!");
166 return res;
167 }
168 res = loader->deleteKey(&pakeKeyAliasBuff, true, osAccountId);
169 if (res != HC_SUCCESS) {
170 LOGE("Failed to delete psk by lower case alias!");
171 }
172 return res;
173 }
174
DeletePseudonymPskStd(int32_t osAccountId,const Uint8Buff * serviceTypeBuff,const Uint8Buff * authIdPeer)175 static int32_t DeletePseudonymPskStd(int32_t osAccountId, const Uint8Buff *serviceTypeBuff,
176 const Uint8Buff *authIdPeer)
177 {
178 uint8_t pakeKeyAliasVal[PAKE_KEY_ALIAS_LEN] = { 0 };
179 Uint8Buff pakeKeyAliasBuff = { pakeKeyAliasVal, PAKE_KEY_ALIAS_LEN };
180 int32_t res = GeneratePseudonymPskAlias(serviceTypeBuff, authIdPeer, &pakeKeyAliasBuff);
181 if (res != HC_SUCCESS) {
182 LOGE("Failed to generate pseudonym psk alias!");
183 return res;
184 }
185 res = ToLowerCase(&pakeKeyAliasBuff);
186 if (res != HC_SUCCESS) {
187 LOGE("Failed to convert pseudonym psk alias to lower case!");
188 return res;
189 }
190 res = GetLoaderInstance()->deleteKey(&pakeKeyAliasBuff, true, osAccountId);
191 if (res != HC_SUCCESS) {
192 LOGE("Failed to delete pseudonym psk!");
193 return res;
194 }
195 LOGI("Delete pseudonym psk successfully!");
196 return HC_SUCCESS;
197 }
198
DeletePeerAuthInfoStd(const TokenManagerParams * params)199 static int32_t DeletePeerAuthInfoStd(const TokenManagerParams *params)
200 {
201 Uint8Buff pkgNameBuff = { params->pkgName.val, params->pkgName.length };
202 Uint8Buff serviceTypeBuff = { params->serviceType.val, params->serviceType.length };
203 #ifdef DEV_AUTH_FUNC_TEST
204 KeyAliasType keyType = KEY_ALIAS_LT_KEY_PAIR;
205 #else
206 KeyAliasType keyType = (KeyAliasType)params->userType;
207 #endif
208 Uint8Buff authIdBuff = { params->authId.val, params->authId.length };
209 int32_t res = DeletePeerPubKey(params->osAccountId, &pkgNameBuff, &serviceTypeBuff, keyType, &authIdBuff);
210 if (res != HC_SUCCESS) {
211 return res;
212 }
213
214 res = DeleteAuthPsk(params->osAccountId, &pkgNameBuff, &serviceTypeBuff, &authIdBuff);
215 if (res != HC_SUCCESS) {
216 return res;
217 }
218
219 // try to delete pseudonym psk if exist.
220 return DeletePseudonymPskStd(params->osAccountId, &serviceTypeBuff, &authIdBuff);
221 }
222
GenerateSelfKeyAlias(const PakeParams * params,Uint8Buff * selfKeyAlias)223 static int32_t GenerateSelfKeyAlias(const PakeParams *params, Uint8Buff *selfKeyAlias)
224 {
225 KeyAliasType keyType = (KeyAliasType)params->userType;
226 // if self data is from upgrade, key type should be key-pair.
227 if (params->isSelfFromUpgrade) {
228 keyType = KEY_ALIAS_LT_KEY_PAIR;
229 }
230 Uint8Buff packageName = { (uint8_t *)params->packageName, HcStrlen(params->packageName) };
231 Uint8Buff serviceType = { (uint8_t *)params->serviceType, HcStrlen(params->serviceType) };
232 int32_t res = GenerateKeyAlias(&packageName, &serviceType, keyType, &(params->baseParams.idSelf), selfKeyAlias);
233 if (res != HC_SUCCESS) {
234 LOGE("generate self key alias failed");
235 return res;
236 }
237 if (params->isSelfFromUpgrade) {
238 res = ToLowerCase(selfKeyAlias);
239 if (res != HC_SUCCESS) {
240 LOGE("Failed to convert self key alias to lower case!");
241 return res;
242 }
243 }
244 return HC_SUCCESS;
245 }
246
GeneratePeerKeyAlias(const PakeParams * params,Uint8Buff * peerKeyAlias)247 static int32_t GeneratePeerKeyAlias(const PakeParams *params, Uint8Buff *peerKeyAlias)
248 {
249 Uint8Buff packageName = { (uint8_t *)params->packageName, HcStrlen(params->packageName) };
250 Uint8Buff serviceType = { (uint8_t *)params->serviceType, HcStrlen(params->serviceType) };
251 #ifdef DEV_AUTH_FUNC_TEST
252 KeyAliasType keyTypePeer = KEY_ALIAS_LT_KEY_PAIR;
253 #else
254 KeyAliasType keyTypePeer = (KeyAliasType)params->userTypePeer;
255 #endif
256 int32_t res = GenerateKeyAlias(&packageName, &serviceType, keyTypePeer, &(params->baseParams.idPeer), peerKeyAlias);
257 if (res != HC_SUCCESS) {
258 LOGE("generate peer key alias failed");
259 return res;
260 }
261 if (params->isPeerFromUpgrade) {
262 res = ToLowerCase(peerKeyAlias);
263 if (res != HC_SUCCESS) {
264 LOGE("Failed to convert peer key alias to lower case!");
265 return res;
266 }
267 }
268 return HC_SUCCESS;
269 }
270
GenerateSharedKeyAlias(const PakeParams * params,Uint8Buff * sharedKeyAlias)271 static int32_t GenerateSharedKeyAlias(const PakeParams *params, Uint8Buff *sharedKeyAlias)
272 {
273 Uint8Buff packageName = { (uint8_t *)params->packageName, HcStrlen(params->packageName) };
274 Uint8Buff serviceType = { (uint8_t *)params->serviceType, HcStrlen(params->serviceType) };
275 int32_t res = GenerateKeyAlias(&packageName, &serviceType, KEY_ALIAS_PSK, &(params->baseParams.idPeer),
276 sharedKeyAlias);
277 if (res != HC_SUCCESS) {
278 LOGE("generate psk alias failed");
279 return res;
280 }
281 if (params->isPeerFromUpgrade) {
282 res = ToLowerCase(sharedKeyAlias);
283 if (res != HC_SUCCESS) {
284 LOGE("Failed to convert psk alias to lower case!");
285 return res;
286 }
287 }
288 return HC_SUCCESS;
289 }
290
ComputeAndSavePskInner(const PakeParams * params,const Uint8Buff * selfKeyAlias,const Uint8Buff * peerKeyAlias,Uint8Buff * sharedKeyAlias)291 static int32_t ComputeAndSavePskInner(const PakeParams *params, const Uint8Buff *selfKeyAlias,
292 const Uint8Buff *peerKeyAlias, Uint8Buff *sharedKeyAlias)
293 {
294 KeyParams selfKeyParams = {
295 { selfKeyAlias->val, selfKeyAlias->length, true },
296 params->isSelfFromUpgrade,
297 params->baseParams.osAccountId
298 };
299 KeyBuff peerKeyBuff = { peerKeyAlias->val, peerKeyAlias->length, true };
300 int32_t res;
301 Algorithm alg = (params->baseParams.curveType == CURVE_256) ? P256 : ED25519;
302 if (alg == ED25519) {
303 uint8_t peerPubKeyVal[PAKE_ED25519_KEY_PAIR_LEN] = { 0 };
304 Uint8Buff peerPubKeyBuff = { peerPubKeyVal, PAKE_ED25519_KEY_PAIR_LEN };
305 KeyParams peerKeyParams = {
306 .keyBuff = { peerKeyAlias->val, peerKeyAlias->length, true },
307 .isDeStorage = params->isPeerFromUpgrade,
308 .osAccountId = params->baseParams.osAccountId
309 };
310 res = params->baseParams.loader->exportPublicKey(&peerKeyParams, &peerPubKeyBuff);
311 if (res != HC_SUCCESS) {
312 LOGE("Failed to export peer public key!");
313 return res;
314 }
315 peerKeyBuff.key = peerPubKeyBuff.val;
316 peerKeyBuff.keyLen = peerPubKeyBuff.length;
317 peerKeyBuff.isAlias = false;
318 }
319 res = params->baseParams.loader->agreeSharedSecretWithStorage(&selfKeyParams, &peerKeyBuff, alg,
320 PAKE_PSK_LEN, sharedKeyAlias);
321 if (res != HC_SUCCESS) {
322 LOGE("Failed to agree psk!");
323 }
324 return res;
325 }
326
ComputeAndSavePskStd(const PakeParams * params)327 static int32_t ComputeAndSavePskStd(const PakeParams *params)
328 {
329 uint8_t selfKeyAliasVal[PAKE_KEY_ALIAS_LEN] = { 0 };
330 Uint8Buff selfKeyAlias = { selfKeyAliasVal, PAKE_KEY_ALIAS_LEN };
331 uint8_t peerKeyAliasVal[PAKE_KEY_ALIAS_LEN] = { 0 };
332 Uint8Buff peerKeyAlias = { peerKeyAliasVal, PAKE_KEY_ALIAS_LEN };
333 int32_t res = GenerateSelfKeyAlias(params, &selfKeyAlias);
334 if (res != HC_SUCCESS) {
335 return res;
336 }
337
338 res = GeneratePeerKeyAlias(params, &peerKeyAlias);
339 if (res != HC_SUCCESS) {
340 return res;
341 }
342
343 res = params->baseParams.loader->checkKeyExist(&selfKeyAlias, params->isSelfFromUpgrade,
344 params->baseParams.osAccountId);
345 if (res != HC_SUCCESS) {
346 LOGE("self auth keyPair not exist");
347 return res;
348 }
349 res = params->baseParams.loader->checkKeyExist(&peerKeyAlias, params->isPeerFromUpgrade,
350 params->baseParams.osAccountId);
351 if (res != HC_SUCCESS) {
352 LOGE("peer auth pubKey not exist");
353 return res;
354 }
355
356 uint8_t sharedKeyAliasVal[PAKE_KEY_ALIAS_LEN] = { 0 };
357 Uint8Buff sharedKeyAlias = { sharedKeyAliasVal, PAKE_KEY_ALIAS_LEN };
358 res = GenerateSharedKeyAlias(params, &sharedKeyAlias);
359 if (res != HC_SUCCESS) {
360 return res;
361 }
362
363 LOGI("PubKey alias(HEX): %" LOG_PUB "x%" LOG_PUB "x%" LOG_PUB "x%" LOG_PUB "x****, priKey alias(HEX): %"
364 LOG_PUB "x%" LOG_PUB "x%" LOG_PUB "x%" LOG_PUB "x****, psk alias(HEX): %"
365 LOG_PUB "x%" LOG_PUB "x%" LOG_PUB "x%" LOG_PUB "x****.",
366 peerKeyAliasVal[DEV_AUTH_ZERO], peerKeyAliasVal[DEV_AUTH_ONE],
367 peerKeyAliasVal[DEV_AUTH_TWO], peerKeyAliasVal[DEV_AUTH_THREE],
368 selfKeyAliasVal[DEV_AUTH_ZERO], selfKeyAliasVal[DEV_AUTH_ONE],
369 selfKeyAliasVal[DEV_AUTH_TWO], selfKeyAliasVal[DEV_AUTH_THREE],
370 sharedKeyAliasVal[DEV_AUTH_ZERO], sharedKeyAliasVal[DEV_AUTH_ONE],
371 sharedKeyAliasVal[DEV_AUTH_TWO], sharedKeyAliasVal[DEV_AUTH_THREE]);
372 return ComputeAndSavePskInner(params, &selfKeyAlias, &peerKeyAlias, &sharedKeyAlias);
373 }
374
GetPublicKeyStd(const TokenManagerParams * params,Uint8Buff * returnPk)375 static int32_t GetPublicKeyStd(const TokenManagerParams *params, Uint8Buff *returnPk)
376 {
377 Uint8Buff pkgNameBuff = { params->pkgName.val, params->pkgName.length };
378 Uint8Buff serviceTypeBuff = { params->serviceType.val, params->serviceType.length };
379 KeyAliasType keyType = (KeyAliasType)params->userType;
380 uint8_t keyAliasVal[PAKE_KEY_ALIAS_LEN] = { 0 };
381 Uint8Buff keyAliasBuff = { keyAliasVal, PAKE_KEY_ALIAS_LEN };
382 Uint8Buff authIdBuff = { params->authId.val, params->authId.length };
383 int32_t res = GenerateKeyAlias(&pkgNameBuff, &serviceTypeBuff, keyType, &authIdBuff, &keyAliasBuff);
384 if (res != HC_SUCCESS) {
385 LOGE("Failed to generate keyPair alias!");
386 return res;
387 }
388
389 bool isDeStorage = false;
390 const AlgLoader *loader = GetLoaderInstance();
391 res = loader->checkKeyExist(&keyAliasBuff, false, params->osAccountId);
392 if (res != HC_SUCCESS) {
393 isDeStorage = true;
394 res = loader->checkKeyExist(&keyAliasBuff, true, params->osAccountId);
395 if (res != HC_SUCCESS) {
396 res = ToLowerCase(&keyAliasBuff);
397 if (res != HC_SUCCESS) {
398 LOGE("Failed to convert key alias to lower case!");
399 return res;
400 }
401 res = loader->checkKeyExist(&keyAliasBuff, true, params->osAccountId);
402 if (res != HC_SUCCESS) {
403 LOGE("Key not exist!");
404 return res;
405 }
406 }
407 }
408
409 KeyParams keyParams = { { keyAliasBuff.val, keyAliasBuff.length, true }, isDeStorage, params->osAccountId };
410 res = loader->exportPublicKey(&keyParams, returnPk);
411 if (res != HC_SUCCESS) {
412 LOGE("Failed to export public key!");
413 return res;
414 }
415 LOGI("Get public key successfully!");
416 return HC_SUCCESS;
417 }
418
419 TokenManager g_asyTokenManagerInstance = {
420 .registerLocalIdentity = RegisterLocalIdentityStd,
421 .unregisterLocalIdentity = UnregisterLocalIdentityStd,
422 .deletePeerAuthInfo = DeletePeerAuthInfoStd,
423 .computeAndSavePsk = ComputeAndSavePskStd,
424 .getPublicKey = GetPublicKeyStd,
425 };
426
GetStandardTokenManagerInstance(void)427 const TokenManager *GetStandardTokenManagerInstance(void)
428 {
429 return &g_asyTokenManagerInstance;
430 }