1 /*
2 * Copyright (C) 2025 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16
17 #include "identity_operation.h"
18
19 #include "alg_defs.h"
20 #include "alg_loader.h"
21 #include "clib_error.h"
22 #include "cred_listener.h"
23 #include "device_auth.h"
24 #include "device_auth_defines.h"
25 #include "hal_error.h"
26 #include "hc_log.h"
27 #include "hc_time.h"
28 #include "identity_service_defines.h"
29
30 #ifdef DEV_AUTH_PERMISSION_ENABLE
31 #include "permission_adapter.h"
32 #endif
33
GetCredentialById(int32_t osAccountId,const char * credId,Credential ** returnEntry)34 int32_t GetCredentialById(int32_t osAccountId, const char *credId, Credential **returnEntry)
35 {
36 if (credId == NULL) {
37 LOGE("The input credId is NULL!");
38 return IS_ERR_INVALID_PARAMS;
39 }
40 uint32_t index;
41 CredentialVec credentialVec = CreateCredentialVec();
42 QueryCredentialParams params = InitQueryCredentialParams();
43 params.credId = credId;
44 int32_t ret = QueryCredentials(osAccountId, ¶ms, &credentialVec);
45 if (ret != IS_SUCCESS) {
46 LOGE("Failed to query credentials!");
47 ClearCredentialVec(&credentialVec);
48 return ret;
49 }
50 Credential **credential = NULL;
51 FOR_EACH_HC_VECTOR(credentialVec, index, credential) {
52 *returnEntry = DeepCopyCredential(*credential);
53 ClearCredentialVec(&credentialVec);
54 if (*returnEntry == NULL) {
55 LOGE("Failed to copy credential!");
56 return IS_ERR_ALLOC_MEMORY;
57 }
58 return IS_SUCCESS;
59 }
60 ClearCredentialVec(&credentialVec);
61 LOGI("This credId does not exist!");
62 return IS_ERR_LOCAL_CRED_NOT_EXIST;
63 }
64
int64ToString(int64_t num,char ** result)65 static int32_t int64ToString(int64_t num, char **result)
66 {
67 const int bufferSize = MAX_INT64_SIZE + 1;
68 char *tempStr = (char *)HcMalloc(bufferSize, 0);
69 if (tempStr == NULL) {
70 LOGE("Failed to allocate memory!");
71 return IS_ERR_ALLOC_MEMORY;
72 }
73 if (sprintf_s(tempStr, bufferSize, "%" PRId64, num) < 0) {
74 LOGE("Failed to convert int64 to string!");
75 HcFree(tempStr);
76 return IS_ERR_CONVERT_FAILED;
77 }
78 *result = tempStr;
79 return IS_SUCCESS;
80 }
81
CombineBaseCredId(const char * credentialOwner,const char * deviceId,char ** baseCredIdStr)82 static int32_t CombineBaseCredId(const char *credentialOwner, const char *deviceId, char **baseCredIdStr)
83 {
84 if (credentialOwner == NULL || deviceId == NULL) {
85 LOGE("Invalid input parameters!");
86 return IS_ERR_INVALID_PARAMS;
87 }
88 char *timeStr = NULL;
89 int32_t ret = int64ToString(HcGetCurTimeInMillis(), &timeStr);
90 if (ret != IS_SUCCESS) {
91 LOGE("Failed to convert time to string!");
92 return ret;
93 }
94 size_t totalLength = HcStrlen(credentialOwner) + HcStrlen(deviceId) + HcStrlen(timeStr) + 1;
95 char *tempCredId = (char *)HcMalloc(totalLength, 0);
96 if (tempCredId == NULL) {
97 LOGE("Failed to allocate memory for tempCredId!");
98 HcFree(timeStr);
99 return IS_ERR_ALLOC_MEMORY;
100 }
101
102 if (strcpy_s(tempCredId, totalLength, credentialOwner) != EOK) {
103 LOGE("Failed to copy credentialOwner to tempCredId!");
104 HcFree(timeStr);
105 HcFree(tempCredId);
106 return IS_ERR_CONVERT_FAILED;
107 }
108 if (strcat_s(tempCredId, totalLength, deviceId) != EOK) {
109 LOGE("Failed to concatenate deviceId to tempCredId!");
110 HcFree(timeStr);
111 HcFree(tempCredId);
112 return IS_ERR_CONVERT_FAILED;
113 }
114 if (strcat_s(tempCredId, totalLength, timeStr) != EOK) {
115 LOGE("Failed to concatenate timeStr to tempCredId!");
116 HcFree(timeStr);
117 HcFree(tempCredId);
118 return IS_ERR_CONVERT_FAILED;
119 }
120 HcFree(timeStr);
121 *baseCredIdStr = tempCredId;
122 return IS_SUCCESS;
123 }
124
Uint8BuffToString(Uint8Buff * byte,char ** str)125 static int32_t Uint8BuffToString(Uint8Buff *byte, char **str)
126 {
127 uint32_t strLen = byte->length * BYTE_TO_HEX_OPER_LENGTH + 1;
128 char *tempStr = (char *)HcMalloc(strLen, 0);
129 if (tempStr == NULL) {
130 LOGE("Failed to malloc tempStr");
131 return IS_ERR_ALLOC_MEMORY;
132 }
133 int32_t ret = ByteToHexString(byte->val, byte->length, tempStr, strLen);
134 if (ret != IS_SUCCESS) {
135 LOGE("Failed to convert byte to hex string");
136 HcFree(tempStr);
137 return ret;
138 }
139 *str = tempStr;
140 return IS_SUCCESS;
141 }
142
Sha256BaseCredId(const char * baseCredIdStr,Uint8Buff * credIdByte,char ** credIdStr)143 static int32_t Sha256BaseCredId(const char *baseCredIdStr, Uint8Buff *credIdByte, char **credIdStr)
144 {
145 Uint8Buff returnCredIdByte = { NULL, SHA256_LEN };
146 returnCredIdByte.val = (uint8_t *)HcMalloc(SHA256_LEN, 0);
147 if (returnCredIdByte.val == NULL) {
148 LOGE("Failed to malloc memory for returnCredIdByte");
149 return IS_ERR_ALLOC_MEMORY;
150 }
151
152 Uint8Buff baseCredIdBuff = { (uint8_t *)baseCredIdStr, (uint32_t)HcStrlen(baseCredIdStr) };
153 int32_t ret = GetLoaderInstance()->sha256(&baseCredIdBuff, &returnCredIdByte);
154 if (ret == HAL_ERR_HUKS) {
155 LOGE("Huks sha256 error");
156 HcFree(returnCredIdByte.val);
157 return IS_ERR_HUKS_SHA256_FAILED;
158 }
159 if (ret != IS_SUCCESS) {
160 LOGE("Failed to sha256 credId, ret = %" LOG_PUB "d", ret);
161 HcFree(returnCredIdByte.val);
162 return ret;
163 }
164
165 char *returnCredIdStr = NULL;
166 ret = Uint8BuffToString(&returnCredIdByte, &returnCredIdStr);
167 if (ret != IS_SUCCESS) {
168 LOGE("Failed to convert credIdByte to credIdStr, ret = %" LOG_PUB "d", ret);
169 HcFree(returnCredIdByte.val);
170 return ret;
171 }
172 *credIdStr = returnCredIdStr;
173 credIdByte->val = returnCredIdByte.val;
174 credIdByte->length = SHA256_LEN;
175 return IS_SUCCESS;
176 }
177
GenerateCredIdInner(const char * credentialOwner,const char * deviceId,Uint8Buff * credIdByte,char ** credIdStr)178 static int32_t GenerateCredIdInner(const char *credentialOwner, const char *deviceId,
179 Uint8Buff *credIdByte, char **credIdStr)
180 {
181 char *baseCredIdStr = NULL;
182 int32_t ret = CombineBaseCredId(credentialOwner, deviceId, &baseCredIdStr);
183 if (ret != IS_SUCCESS) {
184 LOGE("Failed to combine credId!");
185 return ret;
186 }
187
188 ret = Sha256BaseCredId(baseCredIdStr, credIdByte, credIdStr);
189 HcFree(baseCredIdStr);
190 return ret;
191 }
192
isCredIdExist(int32_t osAccountId,const char * credIdStr)193 static bool isCredIdExist(int32_t osAccountId, const char *credIdStr)
194 {
195 Credential *existedCredential = NULL;
196 int32_t ret = GetCredentialById(osAccountId, credIdStr, &existedCredential);
197 DestroyCredential(existedCredential);
198
199 return ret == IS_SUCCESS;
200 }
201
UseImportedCredId(int32_t osAccountId,Credential * credential,Uint8Buff * credIdByte)202 static int32_t UseImportedCredId(int32_t osAccountId, Credential *credential, Uint8Buff *credIdByte)
203 {
204 if (isCredIdExist(osAccountId, StringGet(&credential->credId))) {
205 LOGE("Imported credId existed");
206 return IS_ERR_IMPORTED_CRED_ID_EXISTED;
207 }
208 LOGI("Imported credId not existed in DB, use imported credId");
209
210 uint32_t credIdByteLen = HcStrlen(StringGet(&credential->credId)) / BYTE_TO_HEX_OPER_LENGTH;
211 credIdByte->length = credIdByteLen;
212 uint8_t *returnCredIdByteVal = (uint8_t *)HcMalloc(credIdByteLen, 0);
213 if (returnCredIdByteVal == NULL) {
214 LOGE("Failed to malloc memory for credIdByte");
215 return IS_ERR_ALLOC_MEMORY;
216 }
217
218 int32_t ret = HexStringToByte(StringGet(&credential->credId), returnCredIdByteVal, credIdByte->length);
219 if (ret != IS_SUCCESS) {
220 LOGE("Failed to convert credId to byte, ret = %" LOG_PUB "d", ret);
221 HcFree(returnCredIdByteVal);
222 return IS_ERR_INVALID_HEX_STRING;
223 }
224 credIdByte->val = returnCredIdByteVal;
225 return IS_SUCCESS;
226 }
227
GenerateUniqueCredId(int32_t osAccountId,Credential * credential,Uint8Buff * credIdByte,char ** credIdStr)228 static int32_t GenerateUniqueCredId(int32_t osAccountId,
229 Credential *credential, Uint8Buff *credIdByte, char **credIdStr)
230 {
231 char *returnCredId = NULL;
232 const char *credOwner = StringGet(&credential->credOwner);
233 const char *deviceId = StringGet(&credential->deviceId);
234 int32_t ret = GenerateCredIdInner(credOwner, deviceId, credIdByte, &returnCredId);
235 if (ret != IS_SUCCESS) {
236 return ret;
237 }
238 if (isCredIdExist(osAccountId, returnCredId)) {
239 LOGW("CredId already exists, regenerate credId");
240 HcFree(returnCredId);
241 returnCredId = NULL;
242 ret = GenerateCredIdInner(credOwner, deviceId, credIdByte, &returnCredId);
243 if (ret != IS_SUCCESS) {
244 return ret;
245 }
246 }
247 *credIdStr = returnCredId;
248 return IS_SUCCESS;
249 }
250
GenerateCredId(int32_t osAccountId,Credential * credential,Uint8Buff * credIdByte)251 int32_t GenerateCredId(int32_t osAccountId, Credential *credential, Uint8Buff *credIdByte)
252 {
253 if (HcStrlen(StringGet(&credential->credId)) > 0) {
254 return UseImportedCredId(osAccountId, credential, credIdByte); // credId is set by user
255 }
256
257 char *credIdStr = NULL;
258 int32_t ret = GenerateUniqueCredId(osAccountId, credential, credIdByte, &credIdStr);
259 if (ret != IS_SUCCESS) {
260 return ret;
261 }
262
263 if (!StringSetPointer(&credential->credId, credIdStr)) {
264 LOGE("Failed to set credId");
265 HcFree(credIdByte->val);
266 HcFree(credIdStr);
267 return IS_ERR_MEMORY_COPY;
268 }
269 HcFree(credIdStr);
270 LOGI("Generate credId success");
271 return IS_SUCCESS;
272 }
273
CheckOutMaxCredSize(int32_t osAccountId,const char * credOwner)274 static int32_t CheckOutMaxCredSize(int32_t osAccountId, const char *credOwner)
275 {
276 QueryCredentialParams queryParams = InitQueryCredentialParams();
277 queryParams.credOwner = credOwner;
278 CredentialVec credentialVec = CreateCredentialVec();
279 int32_t ret = QueryCredentials(osAccountId, &queryParams, &credentialVec);
280 if (ret != IS_SUCCESS) {
281 LOGE("Failed to query credentials");
282 ClearCredentialVec(&credentialVec);
283 return ret;
284 }
285 if (credentialVec.size(&credentialVec) > MAX_CRED_SIZE) {
286 LOGE("The number of credentials exceeds the maximum limit");
287 ClearCredentialVec(&credentialVec);
288 return IS_ERR_BEYOND_LIMIT;
289 }
290 ClearCredentialVec(&credentialVec);
291 return IS_SUCCESS;
292 }
293
GetAlgoFromCred(uint8_t algorithmType)294 static Algorithm GetAlgoFromCred(uint8_t algorithmType)
295 {
296 switch (algorithmType) {
297 case ALGO_TYPE_P256:
298 return P256;
299 case ALGO_TYPE_ED25519:
300 return ED25519;
301 default:
302 return AES;
303 }
304 }
305
GenerateKeyValue(int32_t osAccountId,Credential * credential,KeyParams keyParams,Algorithm algo,ExtraInfo exInfo)306 static int32_t GenerateKeyValue(int32_t osAccountId,
307 Credential *credential, KeyParams keyParams, Algorithm algo, ExtraInfo exInfo)
308 {
309 Uint8Buff keyAlias = { keyParams.keyBuff.key, keyParams.keyBuff.keyLen };
310 if (GetLoaderInstance()->checkKeyExist(&keyAlias, false, osAccountId) != HAL_ERR_KEY_NOT_EXIST) {
311 LOGI("The keyValue corresponding to the credId already exists in HUKS, no need to generate.");
312 return IS_SUCCESS;
313 }
314 LOGI("The keyValue corresponding to the credId does not exist in HUKS, generate keyValue.");
315 uint32_t keyLen = (credential->algorithmType == ALGO_TYPE_AES_128) ? AES_128_KEY_LEN : ALGO_KEY_LEN;
316 int32_t ret = GetLoaderInstance()->generateKeyPairWithStorage(&keyParams, keyLen, algo,
317 KEY_PURPOSE_KEY_AGREE, &exInfo);
318 if (ret == HAL_ERR_HUKS) {
319 LOGE("Huks generateKeyPair failed!");
320 return IS_ERR_HUKS_GENERATE_KEY_FAILED;
321 }
322 if (ret != IS_SUCCESS) {
323 LOGE("Failed to generate key pair!");
324 return ret;
325 }
326 LOGI("Generate key pair success!");
327 return IS_SUCCESS;
328 }
329
ImportKeyValue(KeyParams keyParams,Uint8Buff * keyValue,Algorithm algo,ExtraInfo exInfo,uint8_t subject)330 static int32_t ImportKeyValue(KeyParams keyParams,
331 Uint8Buff *keyValue, Algorithm algo, ExtraInfo exInfo, uint8_t subject)
332 {
333 int32_t ret;
334
335 if (algo == AES) {
336 KeyPurpose keyPurpose = subject == SUBJECT_MASTER_CONTROLLER ? KEY_PURPOSE_MAC : KEY_PURPOSE_DERIVE;
337 ret = GetLoaderInstance()->importSymmetricKey(&keyParams, keyValue, keyPurpose, &exInfo);
338 } else {
339 ret = GetLoaderInstance()->importPublicKey(&keyParams, keyValue, algo, &exInfo);
340 }
341
342 if (ret == HAL_ERR_HUKS) {
343 LOGE("Huks import key failed!");
344 return IS_ERR_HUKS_IMPORT_KEY_FAILED;
345 }
346 if (ret != IS_SUCCESS) {
347 LOGE("Failed to import key pair!");
348 return ret;
349 }
350 LOGI("Import key pair success!");
351 return IS_SUCCESS;
352 }
353
AddKeyValueToHuks(int32_t osAccountId,Uint8Buff * credIdByte,Credential * credential,uint8_t method,Uint8Buff * keyValue)354 int32_t AddKeyValueToHuks(int32_t osAccountId, Uint8Buff *credIdByte, Credential *credential, uint8_t method,
355 Uint8Buff *keyValue)
356 {
357 if (credential->credType == ACCOUNT_SHARED && keyValue->val == NULL) {
358 return IS_SUCCESS;
359 }
360 KeyParams keyParams = { { credIdByte->val, credIdByte->length, true }, false, osAccountId };
361 int32_t authId = 0;
362 Uint8Buff authIdBuff = { (uint8_t *)&authId, sizeof(int32_t) };
363 ExtraInfo exInfo = { authIdBuff, DEFAULT_EX_INFO_VAL, DEFAULT_EX_INFO_VAL };
364 Algorithm algo = GetAlgoFromCred(credential->algorithmType);
365 switch (method) {
366 case METHOD_GENERATE:
367 return GenerateKeyValue(osAccountId, credential, keyParams, algo, exInfo);
368 case METHOD_IMPORT:
369 return ImportKeyValue(keyParams, keyValue, algo, exInfo, credential->subject);
370 default:
371 return IS_ERR_INVALID_PARAMS;
372 }
373 }
374
GetValidKeyAlias(int32_t osAccountId,const char * credId,Uint8Buff * credIdHashBuff)375 int32_t GetValidKeyAlias(int32_t osAccountId, const char *credId, Uint8Buff *credIdHashBuff)
376 {
377 uint32_t credIdByteLen = HcStrlen(credId) / BYTE_TO_HEX_OPER_LENGTH;
378 Uint8Buff returnCredIdByte = { NULL, credIdByteLen };
379 returnCredIdByte.val = (uint8_t *)HcMalloc(credIdByteLen, 0);
380 if (returnCredIdByte.val == NULL) {
381 LOGE("Failed to malloc credIdByteLen");
382 return IS_ERR_ALLOC_MEMORY;
383 }
384 int32_t ret = HexStringToByte(credId, returnCredIdByte.val, returnCredIdByte.length);
385 if (ret != IS_SUCCESS) {
386 LOGE("Failed to convert credId to byte, invalid credId, ret = %" LOG_PUB "d", ret);
387 HcFree(returnCredIdByte.val);
388 return IS_ERR_INVALID_HEX_STRING;
389 }
390
391 ret = GetLoaderInstance()->checkKeyExist(&returnCredIdByte, false, osAccountId);
392 if (ret != IS_SUCCESS) {
393 HcFree(returnCredIdByte.val);
394 return ret;
395 }
396 credIdHashBuff->val = returnCredIdByte.val;
397 credIdHashBuff->length = credIdByteLen;
398 return IS_SUCCESS;
399 }
400
AddCredAndSaveDb(int32_t osAccountId,Credential * credential)401 int32_t AddCredAndSaveDb(int32_t osAccountId, Credential *credential)
402 {
403 int32_t ret = AddCredToDb(osAccountId, credential);
404 if (ret != IS_SUCCESS) {
405 LOGE("Failed to add credential to database");
406 return ret;
407 }
408 ret = SaveOsAccountCredDb(osAccountId);
409 if (ret != IS_SUCCESS) {
410 LOGE("Failed to save CredDb, ret: %" LOG_PUB "d", ret);
411 return ret;
412 }
413 return IS_SUCCESS;
414 }
415
416
IsValueInArray(uint8_t value,uint8_t * array,uint32_t length)417 static bool IsValueInArray(uint8_t value, uint8_t *array, uint32_t length)
418 {
419 for (uint32_t i = 0; i < length; i++) {
420 if (array[i] == value) {
421 return true;
422 }
423 }
424 return false;
425 }
426
SetVectorFromList(StringVector * dataVector,CJson * dataList)427 static int32_t SetVectorFromList(StringVector *dataVector, CJson *dataList)
428 {
429 int32_t dataListNum = GetItemNum(dataList);
430 for (int32_t i = 0; i < dataListNum; i++) {
431 CJson *item = GetItemFromArray(dataList, i);
432 if (item == NULL) {
433 LOGE("item is null.");
434 return IS_ERR_JSON_GET;
435 }
436 const char *data = GetStringValue(item);
437 if (data == NULL) {
438 LOGE("the data of list is null.");
439 return IS_ERR_JSON_GET;
440 }
441 HcString strData = CreateString();
442 if (!StringSetPointer(&strData, data)) {
443 LOGE("Failed to set strData!");
444 DeleteString(&strData);
445 return IS_ERR_MEMORY_COPY;
446 }
447 if (dataVector->pushBackT(dataVector, strData) == NULL) {
448 LOGE("Failed to push strData to vector!");
449 DeleteString(&strData);
450 return IS_ERR_MEMORY_COPY;
451 }
452 }
453 return IS_SUCCESS;
454 }
455
SetMethodFromJson(CJson * json,uint8_t * method)456 static int32_t SetMethodFromJson(CJson *json, uint8_t *method)
457 {
458 int32_t methodInt32 = DEFAULT_VAL;
459 if (GetIntFromJson(json, FIELD_METHOD, &methodInt32) != IS_SUCCESS) {
460 LOGE("Failed to get method from credReqParam");
461 return IS_ERR_JSON_GET;
462 }
463 *method = (uint8_t)methodInt32;
464
465 uint8_t methodRange[] = { METHOD_GENERATE, METHOD_IMPORT };
466 uint32_t length = sizeof(methodRange) / sizeof(methodRange[0]);
467 if (!IsValueInArray(*method, methodRange, length)) {
468 LOGE("method is invalid.");
469 return IS_ERR_INVALID_PARAMS;
470 }
471 return IS_SUCCESS;
472 }
473
SetCredType(Credential * credential,CJson * json)474 static int32_t SetCredType(Credential *credential, CJson *json)
475 {
476 if (GetUint8FromJson(json, FIELD_CRED_TYPE, &credential->credType) != IS_SUCCESS) {
477 LOGE("Failed to get credential type from credReqParam");
478 return IS_ERR_JSON_GET;
479 }
480
481 uint8_t credTypeRange[] = { ACCOUNT_RELATED, ACCOUNT_UNRELATED, ACCOUNT_SHARED };
482 uint32_t length = sizeof(credTypeRange) / sizeof(credTypeRange[0]);
483 if (!IsValueInArray(credential->credType, credTypeRange, length)) {
484 LOGE("credential type is invalid.");
485 return IS_ERR_INVALID_PARAMS;
486 }
487 return IS_SUCCESS;
488 }
489
SetKeyFormat(Credential * credential,CJson * json,uint8_t method)490 static int32_t SetKeyFormat(Credential *credential, CJson *json, uint8_t method)
491 {
492 if (GetUint8FromJson(json, FIELD_KEY_FORMAT, &credential->keyFormat) != IS_SUCCESS) {
493 LOGE("Failed to get key format from credReqParam");
494 return IS_ERR_JSON_GET;
495 }
496 uint8_t keyFormatRange[] = { SYMMETRIC_KEY, ASYMMETRIC_PUB_KEY, ASYMMETRIC_KEY, X509_CERT};
497 uint32_t length = sizeof(keyFormatRange) / sizeof(keyFormatRange[0]);
498 if (!IsValueInArray(credential->keyFormat, keyFormatRange, length)) {
499 LOGE("key format is invalid.");
500 return IS_ERR_INVALID_PARAMS;
501 }
502 if (credential->keyFormat == SYMMETRIC_KEY && method != METHOD_IMPORT) {
503 LOGE("Symmetric key is only supported for import");
504 return IS_ERR_INVALID_PARAMS;
505 }
506 if (credential->keyFormat == ASYMMETRIC_PUB_KEY && method != METHOD_IMPORT) {
507 LOGE("Asymmetric public key is only supported for import");
508 return IS_ERR_INVALID_PARAMS;
509 }
510 if (credential->keyFormat == ASYMMETRIC_KEY && method != METHOD_GENERATE) {
511 LOGE("Asymmetric key is only supported for generate");
512 return IS_ERR_INVALID_PARAMS;
513 }
514 return IS_SUCCESS;
515 }
516
SetAuthorizedScope(Credential * credential,CJson * json)517 static int32_t SetAuthorizedScope(Credential *credential, CJson *json)
518 {
519 if (GetUint8FromJson(json, FIELD_AUTHORIZED_SCOPE, &credential->authorizedScope) != IS_SUCCESS) {
520 LOGE("Failed to get authorizedScope from credReqParam");
521 return IS_ERR_JSON_GET;
522 }
523 uint8_t scopeRange[] = { SCOPE_DEVICE, SCOPE_USER, SCOPE_APP };
524 uint32_t length = sizeof(scopeRange) / sizeof(scopeRange[0]);
525 if (!IsValueInArray(credential->authorizedScope, scopeRange, length)) {
526 LOGE("Invalid authorizedScope");
527 return IS_ERR_INVALID_PARAMS;
528 }
529 return IS_SUCCESS;
530 }
531
SetAlgorithmType(Credential * credential,CJson * json)532 static int32_t SetAlgorithmType(Credential *credential, CJson *json)
533 {
534 if (GetUint8FromJson(json, FIELD_ALGORITHM_TYPE, &credential->algorithmType) != IS_SUCCESS) {
535 LOGE("Failed to get algorithm type from credReqParam");
536 return IS_ERR_JSON_GET;
537 }
538 uint8_t algorithmTypeRange[] = { ALGO_TYPE_AES_256, ALGO_TYPE_P256, ALGO_TYPE_ED25519 };
539 uint32_t length = sizeof(algorithmTypeRange) / sizeof(algorithmTypeRange[0]);
540 if (!IsValueInArray(credential->algorithmType, algorithmTypeRange, length)) {
541 LOGE("Invalid algorithm type");
542 return IS_ERR_INVALID_PARAMS;
543 }
544 return IS_SUCCESS;
545 }
546
SetSubject(Credential * credential,CJson * json)547 static int32_t SetSubject(Credential *credential, CJson *json)
548 {
549 if (GetUint8FromJson(json, FIELD_SUBJECT, &credential->subject) != IS_SUCCESS) {
550 LOGE("Failed to get subject from credReqParam");
551 return IS_ERR_JSON_GET;
552 }
553 uint8_t subjectRange[] = { SUBJECT_MASTER_CONTROLLER, SUBJECT_ACCESSORY_DEVICE };
554 uint32_t length = sizeof(subjectRange) / sizeof(subjectRange[0]);
555 if (!IsValueInArray(credential->subject, subjectRange, length)) {
556 LOGE("Invalid subject");
557 return IS_ERR_INVALID_PARAMS;
558 }
559 return IS_SUCCESS;
560 }
561
SetIssuer(Credential * credential,CJson * json)562 static int32_t SetIssuer(Credential *credential, CJson *json)
563 {
564 if (GetUint8FromJson(json, FIELD_ISSUER, &credential->issuer) != IS_SUCCESS) {
565 LOGW("Failed to get issuer from credReqParam");
566 }
567 if (credential->credType == ACCOUNT_UNRELATED) {
568 return IS_SUCCESS;
569 }
570 uint8_t issuerRange[] = { SYSTEM_ACCOUNT, APP_ACCOUNT, DOMANIN_ACCOUNT };
571 uint32_t length = sizeof(issuerRange) / sizeof(issuerRange[0]);
572 if (credential->issuer == DEFAULT_VAL || !IsValueInArray(credential->issuer, issuerRange, length)) {
573 LOGE("Invalid issuer");
574 return IS_ERR_INVALID_PARAMS;
575 }
576 return IS_SUCCESS;
577 }
578
SetDeviceId(Credential * credential,CJson * json)579 static int32_t SetDeviceId(Credential *credential, CJson *json)
580 {
581 const char *deviceId = GetStringFromJson(json, FIELD_DEVICE_ID);
582 if (deviceId == NULL || strcmp(deviceId, "") == 0) {
583 LOGE("Failed to get deviceId from credReqParam");
584 return IS_ERR_JSON_GET;
585 }
586 if (!StringSetPointer(&credential->deviceId, deviceId)) {
587 LOGE("Failed to set deviceId");
588 return IS_ERR_MEMORY_COPY;
589 }
590 return IS_SUCCESS;
591 }
592
SetCredOwner(Credential * credential,CJson * json)593 static int32_t SetCredOwner(Credential *credential, CJson *json)
594 {
595 const char *credOwner = GetStringFromJson(json, FIELD_CRED_OWNER);
596 if (credOwner == NULL || strcmp(credOwner, "") == 0) {
597 LOGE("Failed to get credOwner from credReqParam");
598 return IS_ERR_JSON_GET;
599 }
600 if (!StringSetPointer(&credential->credOwner, credOwner)) {
601 LOGE("Failed to set credOwner");
602 return IS_ERR_MEMORY_COPY;
603 }
604 return IS_SUCCESS;
605 }
606
SetProofType(Credential * credential,CJson * json)607 static int32_t SetProofType(Credential *credential, CJson *json)
608 {
609 if (GetUint8FromJson(json, FIELD_PROOF_TYPE, &credential->proofType) != IS_SUCCESS) {
610 LOGE("Failed to get proofType from credReqParam");
611 return IS_ERR_JSON_GET;
612 }
613 uint8_t proofTypeRange[] = { PROOF_TYPE_PSK, PROOF_TYPE_PKI };
614 uint32_t length = sizeof(proofTypeRange) / sizeof(proofTypeRange[0]);
615 if (!IsValueInArray(credential->proofType, proofTypeRange, length)) {
616 LOGE("Invalid proofType");
617 return IS_ERR_INVALID_PARAMS;
618 }
619 return IS_SUCCESS;
620 }
621
SetUserId(Credential * credential,CJson * json)622 static int32_t SetUserId(Credential *credential, CJson *json)
623 {
624 const char *userId = GetStringFromJson(json, FIELD_USER_ID);
625 if (credential->credType == ACCOUNT_RELATED && (userId == NULL || strcmp(userId, "") == 0)) {
626 LOGE("Invalid params, when credType is account, userId is NULL");
627 return IS_ERR_INVALID_PARAMS;
628 }
629 if (userId == NULL) {
630 return IS_SUCCESS;
631 }
632 if (!StringSetPointer(&credential->userId, userId)) {
633 LOGW("Failed to set userId");
634 }
635
636 return IS_SUCCESS;
637 }
638
SetKeyValueFromJson(CJson * json,Credential * credential,uint8_t method,Uint8Buff * keyValue)639 static int32_t SetKeyValueFromJson(CJson *json, Credential *credential, uint8_t method, Uint8Buff *keyValue)
640 {
641 const char *keyValueStr = GetStringFromJson(json, FIELD_KEY_VALUE);
642 if (credential->credType == ACCOUNT_SHARED && keyValueStr == NULL) {
643 return IS_SUCCESS;
644 }
645 if (method == METHOD_GENERATE) {
646 if (HcStrlen(keyValueStr) > 0) {
647 LOGE("Invalid params, when method is generate, keyValue should not be passed in");
648 return IS_ERR_KEYVALUE_METHOD_CONFLICT;
649 }
650 return IS_SUCCESS;
651 }
652 if (keyValueStr == NULL || HcStrlen(keyValueStr) <= 0) {
653 LOGE("Invalid params, when method is imoprt, keyValue is NULL");
654 return IS_ERR_INVALID_PARAMS;
655 }
656 uint32_t keyValueLen = HcStrlen(keyValueStr) / BYTE_TO_HEX_OPER_LENGTH;
657 keyValue->length = keyValueLen;
658 uint8_t *returnKeyVal = (uint8_t *)HcMalloc(keyValueLen, 0);
659 if (returnKeyVal == NULL) {
660 LOGE("Failed to malloc memory for keyValue");
661 return IS_ERR_ALLOC_MEMORY;
662 }
663 if (GetByteFromJson(json, FIELD_KEY_VALUE, returnKeyVal, keyValue->length) != IS_SUCCESS) {
664 LOGE("set keyValue fail.");
665 HcFree(returnKeyVal);
666 return IS_ERR_JSON_GET;
667 }
668 keyValue->val = returnKeyVal;
669 return IS_SUCCESS;
670 }
671
SetPeerUserSpaceId(Credential * credential,CJson * json,uint8_t method)672 static int32_t SetPeerUserSpaceId(Credential *credential, CJson *json, uint8_t method)
673 {
674 const char *peerUserSpaceId = GetStringFromJson(json, FIELD_PEER_USER_SPACE_ID);
675 if (credential->credType == ACCOUNT_UNRELATED && method == METHOD_IMPORT &&
676 (peerUserSpaceId == NULL || strcmp(peerUserSpaceId, "") == 0)) {
677 LOGE("Invalid params, when credType is not account and method is import, peer osaccount id is NULL");
678 return IS_ERR_INVALID_PARAMS;
679 }
680 if (peerUserSpaceId == NULL) {
681 return IS_SUCCESS;
682 }
683 if (!StringSetPointer(&credential->peerUserSpaceId, peerUserSpaceId)) {
684 LOGW("Failed to set peerUserSpaceId");
685 }
686 return IS_SUCCESS;
687 }
688
SetAppList(Credential * credential,CJson * json)689 static int32_t SetAppList(Credential *credential, CJson *json)
690 {
691 CJson *appList = GetObjFromJson(json, FIELD_AUTHORIZED_APP_LIST);
692 if (appList == NULL) {
693 if (credential->authorizedScope == SCOPE_APP) {
694 LOGE("when authorizedScope is APP, authorizedAppList is required");
695 return IS_ERR_INVALID_PARAMS;
696 }
697 return IS_SUCCESS;
698 }
699
700 int32_t ret = SetVectorFromList(&credential->authorizedAppList, appList);
701 if (ret != IS_SUCCESS) {
702 LOGE("Failed to set authorized app list from credReqParam");
703 return ret;
704 }
705 return IS_SUCCESS;
706 }
707
SetExtendInfo(Credential * credential,CJson * json)708 static int32_t SetExtendInfo(Credential *credential, CJson *json)
709 {
710 const char *extendInfo = GetStringFromJson(json, FIELD_EXTEND_INFO);
711 if (extendInfo == NULL || strcmp(extendInfo, "") == 0) {
712 LOGW("Failed to get extendInfo from credReqParam");
713 }
714 if (extendInfo == NULL) {
715 LOGW("Failed to get extendInfo from credReqParam");
716 return IS_SUCCESS;
717 }
718 if (!StringSetPointer(&credential->extendInfo, extendInfo)) {
719 LOGW("Failed to set extendInfo!");
720 }
721 return IS_SUCCESS;
722 }
723
SetCredIdFromJson(Credential * credential,CJson * json)724 static int32_t SetCredIdFromJson(Credential *credential, CJson *json)
725 {
726 const char *credIdStr = GetStringFromJson(json, FIELD_CRED_ID);
727 if (credIdStr == NULL || HcStrlen(credIdStr) == 0) {
728 LOGI("No imported credId in credReqParam, credId will be generated by IS.");
729 return IS_SUCCESS;
730 }
731 if (!StringSetPointer(&credential->credId, credIdStr)) {
732 LOGE("Failed to set credId");
733 return IS_ERR_ALLOC_MEMORY;
734 }
735 return IS_SUCCESS;
736 }
737
SetRequiredField(Credential * credential,CJson * json,uint8_t * method)738 static int32_t SetRequiredField(Credential *credential, CJson *json, uint8_t *method)
739 {
740 int32_t ret = SetMethodFromJson(json, method);
741 if (ret != IS_SUCCESS) {
742 return ret;
743 }
744
745 ret = SetCredType(credential, json);
746 if (ret != IS_SUCCESS) {
747 return ret;
748 }
749
750 ret = SetKeyFormat(credential, json, *method);
751 if (ret != IS_SUCCESS) {
752 return ret;
753 }
754
755 ret = SetAuthorizedScope(credential, json);
756 if (ret != IS_SUCCESS) {
757 return ret;
758 }
759
760 ret = SetAlgorithmType(credential, json);
761 if (ret != IS_SUCCESS) {
762 return ret;
763 }
764
765 ret = SetSubject(credential, json);
766 if (ret != IS_SUCCESS) {
767 return ret;
768 }
769
770 ret = SetDeviceId(credential, json);
771 if (ret != IS_SUCCESS) {
772 return ret;
773 }
774
775 ret = SetCredOwner(credential, json);
776 if (ret != IS_SUCCESS) {
777 return ret;
778 }
779
780 ret = SetProofType(credential, json);
781 if (ret != IS_SUCCESS) {
782 return ret;
783 }
784 #ifdef DEV_AUTH_PERMISSION_ENABLE
785 credential->ownerUid = GetCallingUid();
786 LOGI("UID: %" LOG_PUB "d", credential->ownerUid);
787 #endif
788 return IS_SUCCESS;
789 }
790
SetSpecialRequiredField(Credential * credential,CJson * json,uint8_t * method,Uint8Buff * keyValue)791 static int32_t SetSpecialRequiredField(Credential *credential, CJson *json, uint8_t *method, Uint8Buff *keyValue)
792 {
793 int32_t ret = SetUserId(credential, json);
794 if (ret != IS_SUCCESS) {
795 return ret;
796 }
797
798 ret = SetIssuer(credential, json);
799 if (ret != IS_SUCCESS) {
800 return ret;
801 }
802
803 ret = SetKeyValueFromJson(json, credential, *method, keyValue);
804 if (ret != IS_SUCCESS) {
805 return ret;
806 }
807
808 ret = SetPeerUserSpaceId(credential, json, *method);
809 if (ret != IS_SUCCESS) {
810 HcFree(keyValue->val);
811 return ret;
812 }
813
814 ret = SetAppList(credential, json);
815 if (ret != IS_SUCCESS) {
816 HcFree(keyValue->val);
817 return ret;
818 }
819 return IS_SUCCESS;
820 }
821
SetOptionalField(Credential * credential,CJson * json)822 static int32_t SetOptionalField(Credential *credential, CJson *json)
823 {
824 int32_t ret = SetExtendInfo(credential, json);
825 if (ret != IS_SUCCESS) {
826 return ret;
827 }
828
829 return SetCredIdFromJson(credential, json);
830 }
831
CheckAndSetCredInfo(int32_t osAccountId,Credential * credential,CJson * json,uint8_t * method,Uint8Buff * keyValue)832 int32_t CheckAndSetCredInfo(int32_t osAccountId,
833 Credential *credential, CJson *json, uint8_t *method, Uint8Buff *keyValue)
834 {
835 int32_t ret = SetRequiredField(credential, json, method);
836 if (ret != IS_SUCCESS) {
837 return ret;
838 }
839
840 ret = SetSpecialRequiredField(credential, json, method, keyValue);
841 if (ret != IS_SUCCESS) {
842 return ret;
843 }
844
845 ret = SetOptionalField(credential, json);
846 if (ret != IS_SUCCESS) {
847 HcFree(keyValue->val);
848 return ret;
849 }
850
851 ret = CheckOutMaxCredSize(osAccountId, StringGet(&credential->credOwner));
852 if (ret != IS_SUCCESS) {
853 HcFree(keyValue->val);
854 }
855 return ret;
856 }
857
SetQueryParamsFromJson(QueryCredentialParams * queryParams,CJson * json)858 int32_t SetQueryParamsFromJson(QueryCredentialParams *queryParams, CJson *json)
859 {
860 queryParams->credId = GetStringFromJson(json, FIELD_CRED_ID);
861
862 queryParams->deviceId = GetStringFromJson(json, FIELD_DEVICE_ID);
863
864 queryParams->peerUserSpaceId = GetStringFromJson(json, FIELD_PEER_USER_SPACE_ID);
865
866 if (GetUint8FromJson(json, FIELD_SUBJECT, &queryParams->subject) != IS_SUCCESS) {
867 LOGW("Failed to set query params: subject");
868 }
869
870 queryParams->userId = GetStringFromJson(json, FIELD_USER_ID);
871
872 if (GetUint8FromJson(json, FIELD_ISSUER, &queryParams->issuer) != IS_SUCCESS) {
873 LOGW("Failed to set query params: issuer");
874 }
875
876 if (GetUint8FromJson(json, FIELD_CRED_TYPE, &queryParams->credType) != IS_SUCCESS) {
877 LOGW("Failed to set query params: credType");
878 }
879
880 if (GetUint8FromJson(json, FIELD_KEY_FORMAT, &queryParams->keyFormat) != IS_SUCCESS) {
881 LOGW("Failed to set query params: keyFormat");
882 }
883
884 if (GetUint8FromJson(json, FIELD_ALGORITHM_TYPE, &queryParams->algorithmType) != IS_SUCCESS) {
885 LOGW("Failed to set query params: algorithmType");
886 }
887
888 if (GetUint8FromJson(json, FIELD_PROOF_TYPE, &queryParams->proofType) != IS_SUCCESS) {
889 LOGW("Failed to set query params: proofType");
890 }
891
892 if (GetUint8FromJson(json, FIELD_AUTHORIZED_SCOPE, &queryParams->authorizedScope) != IS_SUCCESS) {
893 LOGW("Failed to set query params: authorizedScope");
894 }
895
896 queryParams->credOwner = GetStringFromJson(json, FIELD_CRED_OWNER);
897
898 return IS_SUCCESS;
899 }
900
IsOriginalStrHashMatch(const char * originalStr,const char * subHashedStr)901 static int32_t IsOriginalStrHashMatch(const char *originalStr, const char *subHashedStr)
902 {
903 Uint8Buff originalStrBuffer = { (uint8_t *)originalStr, (uint32_t)HcStrlen(originalStr) };
904 uint8_t hashedStrBytes[SHA256_LEN] = { 0 };
905 Uint8Buff hashedStrBuffer = { hashedStrBytes, sizeof(hashedStrBytes) };
906 int32_t result = GetLoaderInstance()->sha256(&originalStrBuffer, &hashedStrBuffer);
907 if (result != IS_SUCCESS) {
908 LOGE("sha256 failed, ret:%" LOG_PUB "d", result);
909 return result;
910 }
911 uint32_t hashedStrHexLength = SHA256_LEN * BYTE_TO_HEX_OPER_LENGTH + 1;
912 char *hashedStrHex = (char *)HcMalloc(hashedStrHexLength, 0);
913 if (hashedStrHex == NULL) {
914 LOGE("malloc hashedStrHex string failed");
915 return IS_ERR_ALLOC_MEMORY;
916 }
917 result = ByteToHexString(hashedStrBytes, SHA256_LEN, hashedStrHex, hashedStrHexLength);
918 if (result != IS_SUCCESS) {
919 LOGE("Byte to hexString failed, ret:%" LOG_PUB "d", result);
920 HcFree(hashedStrHex);
921 return result;
922 }
923 char *upperSubHashedStr = NULL;
924 result = ToUpperCase(subHashedStr, &upperSubHashedStr);
925 if (result != IS_SUCCESS) {
926 LOGE("Failed to convert the input sub hashed string to upper case!");
927 HcFree(hashedStrHex);
928 return result;
929 }
930 if (strstr((const char *)hashedStrHex, upperSubHashedStr) != NULL) {
931 LOGI("Original string hash is match!");
932 HcFree(hashedStrHex);
933 HcFree(upperSubHashedStr);
934 return IS_SUCCESS;
935 }
936 HcFree(hashedStrHex);
937 HcFree(upperSubHashedStr);
938 return IS_ERROR;
939 }
940
IsCredHashMatch(Credential * credential,CJson * reqJson)941 bool IsCredHashMatch(Credential *credential, CJson *reqJson)
942 {
943 const char *deviceIdHash = GetStringFromJson(reqJson, FIELD_DEVICE_ID_HASH);
944 if (deviceIdHash != NULL &&
945 IsOriginalStrHashMatch(StringGet(&credential->deviceId), deviceIdHash) != IS_SUCCESS) {
946 return false;
947 }
948
949 const char *userIdHash = GetStringFromJson(reqJson, FIELD_USER_ID_HASH);
950 if (userIdHash != NULL &&
951 IsOriginalStrHashMatch(StringGet(&credential->userId), userIdHash) != IS_SUCCESS) {
952 return false;
953 }
954
955 return true;
956 }
957
CheckCredKeyExist(int32_t osAccountId,const Credential * credential,const char * credId)958 static int32_t CheckCredKeyExist(int32_t osAccountId, const Credential *credential, const char *credId)
959 {
960 // ACCOUNT_SHARED type dose not need check key
961 if (credential->credType == ACCOUNT_SHARED) {
962 return HC_SUCCESS;
963 }
964 uint32_t credIdByteLen = HcStrlen(credId) / BYTE_TO_HEX_OPER_LENGTH;
965 Uint8Buff credIdByte = { NULL, credIdByteLen };
966 credIdByte.val = (uint8_t *)HcMalloc(credIdByteLen, 0);
967 if (credIdByte.val == NULL) {
968 LOGE("Failed to malloc credIdByteLen");
969 return IS_ERR_ALLOC_MEMORY;
970 }
971 int32_t ret = HexStringToByte(credId, credIdByte.val, credIdByte.length);
972 if (ret != IS_SUCCESS) {
973 LOGE("Failed to convert credId to byte, invalid credId, ret = %" LOG_PUB "d", ret);
974 HcFree(credIdByte.val);
975 return IS_ERR_INVALID_HEX_STRING;
976 }
977 ret = GetLoaderInstance()->checkKeyExist(&credIdByte, false, osAccountId);
978 HcFree(credIdByte.val);
979 switch (ret) {
980 // delete invaild credId
981 case HAL_ERR_KEY_NOT_EXIST:
982 LOGE("Huks key not exist!");
983 DelCredById(osAccountId, credId);
984 break;
985 case HAL_ERR_HUKS:
986 LOGE("Failed to check key exist in huks");
987 break;
988 case IS_SUCCESS:
989 break;
990 default:
991 LOGE("CheckKeyExist failed");
992 break;
993 }
994 return ret;
995 }
996
GetCredIdsFromCredVec(int32_t osAccountId,CJson * reqJson,CredentialVec * credentialVec,CJson * credIdJson)997 int32_t GetCredIdsFromCredVec(int32_t osAccountId, CJson *reqJson, CredentialVec *credentialVec, CJson *credIdJson)
998 {
999 uint32_t index;
1000 int32_t ret;
1001 Credential **ptr;
1002 FOR_EACH_HC_VECTOR(*credentialVec, index, ptr) {
1003 if (*ptr == NULL) {
1004 continue;
1005 }
1006 Credential *credential = (Credential *)(*ptr);
1007 const char *credId = StringGet(&credential->credId);
1008 if (CheckCredKeyExist(osAccountId, credential, credId) != IS_SUCCESS) {
1009 LOGE("CredKey not Exist!");
1010 continue;
1011 }
1012 if (!IsCredHashMatch(credential, reqJson)) {
1013 continue;
1014 }
1015
1016 ret = AddStringToArray(credIdJson, credId);
1017 if (ret != IS_SUCCESS) {
1018 LOGE("Failed to add credId to json");
1019 return IS_ERR_JSON_ADD;
1020 }
1021 }
1022
1023 return IS_SUCCESS;
1024 }
1025
UpdateExtendInfo(Credential * credential,const char * extendInfo)1026 static int32_t UpdateExtendInfo(Credential *credential, const char *extendInfo)
1027 {
1028 if (!StringSetPointer(&credential->extendInfo, extendInfo)) {
1029 LOGE("Failed to update extendInfo");
1030 return IS_ERR_MEMORY_COPY;
1031 }
1032 return IS_SUCCESS;
1033 }
1034
UpdateAppList(Credential * credential,CJson * appList)1035 static int32_t UpdateAppList(Credential *credential, CJson *appList)
1036 {
1037 DestroyStrVector(&credential->authorizedAppList);
1038 credential->authorizedAppList = CreateStrVector();
1039 int32_t ret = SetVectorFromList(&credential->authorizedAppList, appList);
1040 if (ret != IS_SUCCESS) {
1041 LOGE("Failed to update authorizedAppList");
1042 return ret;
1043 }
1044 return IS_SUCCESS;
1045 }
1046
UpdateInfoFromJson(Credential * credential,CJson * json)1047 int32_t UpdateInfoFromJson(Credential *credential, CJson *json)
1048 {
1049 const char *extendInfo = GetStringFromJson(json, FIELD_EXTEND_INFO);
1050 CJson *appList = GetObjFromJson(json, FIELD_AUTHORIZED_APP_LIST);
1051
1052 if (extendInfo == NULL && appList == NULL) {
1053 LOGE("Failed to set update info: no valid field");
1054 return IS_ERR_INVALID_PARAMS;
1055 }
1056
1057 int32_t ret;
1058
1059 if (extendInfo != NULL) {
1060 ret = UpdateExtendInfo(credential, extendInfo);
1061 if (ret != IS_SUCCESS) {
1062 return ret;
1063 }
1064 }
1065
1066 if (appList != NULL) {
1067 ret = UpdateAppList(credential, appList);
1068 }
1069
1070 return ret;
1071 }
1072
DelCredById(int32_t osAccountId,const char * credId)1073 int32_t DelCredById(int32_t osAccountId, const char *credId)
1074 {
1075 QueryCredentialParams delParams = InitQueryCredentialParams();
1076 delParams.credId = credId;
1077 int32_t ret = DelCredential(osAccountId, &delParams);
1078 if (ret != IS_SUCCESS) {
1079 LOGE("Failed to delete credential, ret: %" LOG_PUB "d", ret);
1080 return ret;
1081 }
1082 ret = SaveOsAccountCredDb(osAccountId);
1083 if (ret != IS_SUCCESS) {
1084 LOGE("Failed to save CredDb, ret: %" LOG_PUB "d", ret);
1085 return ret;
1086 }
1087 return IS_SUCCESS;
1088 }
1089
AddKeyValueToReturn(Uint8Buff keyValue,char ** returnData)1090 int32_t AddKeyValueToReturn(Uint8Buff keyValue, char **returnData)
1091 {
1092 CJson *keyValueJson = CreateJson();
1093 if (keyValueJson == NULL) {
1094 LOGE("Failed to create keyValueJson");
1095 return IS_ERR_JSON_CREATE;
1096 }
1097 int32_t ret = AddByteToJson(keyValueJson, FIELD_KEY_VALUE, keyValue.val, keyValue.length);
1098 if (ret != IS_SUCCESS) {
1099 LOGE("Failed to add key value to json");
1100 FreeJson(keyValueJson);
1101 return IS_ERR_JSON_ADD;
1102 }
1103 *returnData = PackJsonToString(keyValueJson);
1104 FreeJson(keyValueJson);
1105 if (*returnData == NULL) {
1106 LOGE("Failed to pack key value json to string");
1107 return IS_ERR_PACKAGE_JSON_TO_STRING_FAIL;
1108 }
1109 return IS_SUCCESS;
1110 }
1111
GenerateReturnEmptyArrayStr(char ** returnVec)1112 int32_t GenerateReturnEmptyArrayStr(char **returnVec)
1113 {
1114 CJson *json = CreateJsonArray();
1115 if (json == NULL) {
1116 LOGE("Failed to allocate json memory!");
1117 return IS_ERR_JSON_CREATE;
1118 }
1119 *returnVec = PackJsonToString(json);
1120 FreeJson(json);
1121 if (*returnVec == NULL) {
1122 LOGE("Failed to convert json to string!");
1123 return IS_ERR_PACKAGE_JSON_TO_STRING_FAIL;
1124 }
1125 return IS_SUCCESS;
1126 }
1127
CheckOwnerUidPermission(Credential * credential)1128 int32_t CheckOwnerUidPermission(Credential *credential)
1129 {
1130 #ifdef DEV_AUTH_PERMISSION_ENABLE
1131 int32_t currentUid = GetCallingUid();
1132 if (currentUid != credential->ownerUid) {
1133 LOGE("currentUid is not the same as the ownerUid of the credential");
1134 return IS_ERR_OWNER_UID;
1135 }
1136 #else
1137 (void)credential;
1138 #endif
1139 return IS_SUCCESS;
1140 }
1141
GenerateCredKeyAlias(const char * credId,const char * deviceId,Uint8Buff * alias)1142 int32_t GenerateCredKeyAlias(const char *credId, const char *deviceId, Uint8Buff *alias)
1143 {
1144 if ((credId == NULL) || (deviceId == NULL) || (alias == NULL)) {
1145 LOGE("Invalid input params");
1146 return IS_ERR_NULL_PTR;
1147 }
1148 uint32_t credIdLen = HcStrlen(credId);
1149 uint32_t deviceIdLen = HcStrlen(deviceId);
1150 uint32_t aliasStrLen = credIdLen + deviceIdLen + 1;
1151 uint8_t *aliasStr = (uint8_t *)HcMalloc(aliasStrLen, 0);
1152 if (aliasStr == NULL) {
1153 LOGE("Failed to malloc for key aliasStr.");
1154 return IS_ERR_ALLOC_MEMORY;
1155 }
1156 Uint8Buff aliasBuff = {
1157 aliasStr,
1158 aliasStrLen
1159 };
1160 if (memcpy_s(aliasBuff.val, aliasBuff.length, credId, credIdLen) != EOK) {
1161 LOGE("Failed to copy credId.");
1162 HcFree(aliasStr);
1163 return IS_ERR_MEMORY_COPY;
1164 }
1165 if (memcpy_s(aliasBuff.val + credIdLen, deviceIdLen,
1166 deviceId, deviceIdLen) != EOK) {
1167 LOGE("Failed to copy deviceId.");
1168 HcFree(aliasStr);
1169 return IS_ERR_MEMORY_COPY;
1170 }
1171 int32_t ret = GetLoaderInstance()->sha256(&aliasBuff, alias);
1172 HcFree(aliasStr);
1173 if (ret != HAL_SUCCESS) {
1174 LOGE("Compute alias failed");
1175 }
1176 return ret;
1177 }
1178
ComputeAndSavePskInner(int32_t osAccountId,uint8_t credAlgo,const Uint8Buff * selfKeyAlias,const Uint8Buff * peerKeyAlias,Uint8Buff * sharedKeyAlias)1179 static int32_t ComputeAndSavePskInner(int32_t osAccountId, uint8_t credAlgo, const Uint8Buff *selfKeyAlias,
1180 const Uint8Buff *peerKeyAlias, Uint8Buff *sharedKeyAlias)
1181 {
1182 KeyParams selfKeyParams = { { selfKeyAlias->val, selfKeyAlias->length, true }, false, osAccountId };
1183 uint8_t peerPubKeyVal[KEY_VALUE_MAX_LENGTH] = { 0 };
1184 Uint8Buff peerPubKeyBuff = { peerPubKeyVal, KEY_VALUE_MAX_LENGTH };
1185 KeyParams keyParams = { { peerKeyAlias->val, peerKeyAlias->length, true }, false, osAccountId };
1186 int32_t res = GetLoaderInstance()->exportPublicKey(&keyParams, &peerPubKeyBuff);
1187 if (res != IS_SUCCESS) {
1188 LOGE("Failed to export peer public key!");
1189 return res;
1190 }
1191 KeyBuff peerKeyBuff = { peerPubKeyBuff.val, peerPubKeyBuff.length, false };
1192 Algorithm algo = GetAlgoFromCred(credAlgo);
1193 res = GetLoaderInstance()->agreeSharedSecretWithStorage(&selfKeyParams, &peerKeyBuff, algo,
1194 PSK_LEN, sharedKeyAlias);
1195 if (res != IS_SUCCESS) {
1196 LOGE("Agree psk failed.");
1197 }
1198 return res;
1199 }
1200
SetAgreeCredInfo(int32_t osAccountId,CJson * reqJson,Credential * agreeCredential,Uint8Buff * keyValue,Uint8Buff * agreeCredIdByte)1201 int32_t SetAgreeCredInfo(int32_t osAccountId, CJson *reqJson,
1202 Credential *agreeCredential, Uint8Buff *keyValue, Uint8Buff *agreeCredIdByte)
1203 {
1204 if (AddIntToJson(reqJson, FIELD_METHOD, METHOD_IMPORT) != IS_SUCCESS) {
1205 LOGE("Failed to add method to json!");
1206 return IS_ERR_JSON_ADD;
1207 }
1208 uint8_t method = DEFAULT_VAL;
1209 int32_t ret = CheckAndSetCredInfo(osAccountId, agreeCredential, reqJson, &method, keyValue);
1210 if (ret != IS_SUCCESS) {
1211 return ret;
1212 }
1213 if ((ret = GenerateCredId(osAccountId, agreeCredential, agreeCredIdByte)) != IS_SUCCESS) {
1214 HcFree(keyValue->val);
1215 return ret;
1216 }
1217 return IS_SUCCESS;
1218 }
1219
ImportAgreeKeyValue(int32_t osAccountId,Credential * agreeCredential,Uint8Buff * keyValue,Uint8Buff * peerKeyAlias)1220 int32_t ImportAgreeKeyValue(int32_t osAccountId, Credential *agreeCredential, Uint8Buff *keyValue,
1221 Uint8Buff *peerKeyAlias)
1222 {
1223 int32_t ret = GenerateCredKeyAlias(
1224 StringGet(&agreeCredential->credId), StringGet(&agreeCredential->deviceId), peerKeyAlias);
1225 if (ret != IS_SUCCESS) {
1226 LOGE("Failed to generate peer key alias!");
1227 return ret;
1228 }
1229 ret = AddKeyValueToHuks(osAccountId, peerKeyAlias, agreeCredential, METHOD_IMPORT, keyValue);
1230 if (ret != IS_SUCCESS) {
1231 LOGE("Failed to add peer key value to huks!");
1232 return ret;
1233 }
1234 return IS_SUCCESS;
1235 }
1236
CheckAndDelInvalidCred(int32_t osAccountId,const char * selfCredId,Uint8Buff * selfCredIdByte)1237 int32_t CheckAndDelInvalidCred(int32_t osAccountId, const char *selfCredId, Uint8Buff *selfCredIdByte)
1238 {
1239 int32_t ret = GetValidKeyAlias(osAccountId, selfCredId, selfCredIdByte);
1240 if (ret == HAL_ERR_KEY_NOT_EXIST) {
1241 LOGE("Huks key not exist!");
1242 DelCredById(osAccountId, selfCredId);
1243 return IS_ERR_HUKS_KEY_NOT_EXIST;
1244 }
1245 if (ret == HAL_ERR_HUKS) {
1246 LOGE("Huks check key exist failed");
1247 return IS_ERR_HUKS_CHECK_KEY_EXIST_FAILED;
1248 }
1249 if (ret != IS_SUCCESS) {
1250 LOGE("Failed to check key exist in HUKS");
1251 return ret;
1252 }
1253 return IS_SUCCESS;
1254 }
1255
ComputePskAndDelInvalidKey(int32_t osAccountId,uint8_t credAlgo,Uint8Buff * selfCredIdByte,Uint8Buff * peerKeyAlias,Uint8Buff * agreeCredIdByte)1256 int32_t ComputePskAndDelInvalidKey(int32_t osAccountId, uint8_t credAlgo, Uint8Buff *selfCredIdByte,
1257 Uint8Buff *peerKeyAlias, Uint8Buff *agreeCredIdByte)
1258 {
1259 int32_t ret = ComputeAndSavePskInner(osAccountId, credAlgo, selfCredIdByte, peerKeyAlias, agreeCredIdByte);
1260 if (ret != IS_SUCCESS) {
1261 LOGE("Failed to compute and save psk!");
1262 return ret;
1263 }
1264 ret = GetLoaderInstance()->deleteKey(peerKeyAlias, false, osAccountId);
1265 if (ret != IS_SUCCESS) {
1266 LOGE("Failed to delete key from HUKS");
1267 return ret;
1268 }
1269 return IS_SUCCESS;
1270 }
1271
SetRequiredParamsFromJson(QueryCredentialParams * queryParams,CJson * baseInfoJson)1272 int32_t SetRequiredParamsFromJson(QueryCredentialParams *queryParams, CJson *baseInfoJson)
1273 {
1274 if (GetUint8FromJson(baseInfoJson, FIELD_CRED_TYPE, &(queryParams->credType)) != IS_SUCCESS) {
1275 LOGE("Failed to set query params: credType");
1276 return IS_ERR_JSON_GET;
1277 }
1278 if (queryParams->credType != ACCOUNT_SHARED) {
1279 LOGE("Not support for credType %" LOG_PUB "d, only support for ACCOUNT_SHARED", queryParams->credType);
1280 return IS_ERR_NOT_SUPPORT;
1281 }
1282 const char *credOwner = GetStringFromJson(baseInfoJson, FIELD_CRED_OWNER);
1283 if (credOwner == NULL || strcmp(credOwner, "") == 0) {
1284 LOGE("Failed to set query params: credOwner");
1285 return IS_ERR_JSON_GET;
1286 }
1287 queryParams->credOwner = credOwner;
1288 return IS_SUCCESS;
1289 }
1290
SetUpdateToQueryParams(CJson * json,QueryCredentialParams * queryParams)1291 int32_t SetUpdateToQueryParams(CJson *json, QueryCredentialParams *queryParams)
1292 {
1293 const char *userId = GetStringFromJson(json, FIELD_USER_ID);
1294 if (userId == NULL || strcmp(userId, "") == 0) {
1295 LOGE("Failed to set query params: userId");
1296 return IS_ERR_JSON_GET;
1297 }
1298 queryParams->userId = userId;
1299 const char *deviceId = GetStringFromJson(json, FIELD_DEVICE_ID);
1300 if (deviceId == NULL || strcmp(deviceId, "") == 0) {
1301 LOGE("Failed to set query params: deviceId");
1302 return IS_ERR_JSON_GET;
1303 }
1304 queryParams->deviceId = deviceId;
1305 return IS_SUCCESS;
1306 }
1307
EraseCredIdInVec(const char * credId,CredentialVec * credVec)1308 static int32_t EraseCredIdInVec(const char *credId, CredentialVec *credVec)
1309 {
1310 uint32_t index = 0;
1311 Credential **item;
1312 while (index < credVec->size(credVec)) {
1313 item = credVec->getp(credVec, index);
1314 if (item == NULL || *item == NULL) {
1315 index++;
1316 continue;
1317 }
1318 const char *itemCredId = StringGet(&(*item)->credId);
1319 if (itemCredId != NULL && strcmp(credId, itemCredId) == 0) {
1320 credVec->eraseElement(credVec, item, index);
1321 return IS_SUCCESS;
1322 }
1323 index++;
1324 }
1325 return IS_ERROR;
1326 }
1327
AddUpdateInfoToJson(QueryCredentialParams * queryParams,CJson * baseInfoJson)1328 int32_t AddUpdateInfoToJson(QueryCredentialParams *queryParams, CJson *baseInfoJson)
1329 {
1330 if (AddStringToJson(baseInfoJson, FIELD_USER_ID, queryParams->userId) != IS_SUCCESS) {
1331 LOGE("add userId to baseInfoJson fail.");
1332 return IS_ERR_JSON_ADD;
1333 }
1334 if (AddStringToJson(baseInfoJson, FIELD_DEVICE_ID, queryParams->deviceId) != IS_SUCCESS) {
1335 LOGE("add deviceId to baseInfoJson fail.");
1336 return IS_ERR_JSON_ADD;
1337 }
1338 if (AddIntToJson(baseInfoJson, FIELD_METHOD, METHOD_IMPORT) != IS_SUCCESS) {
1339 LOGE("Failed to add method to baseInfoJson!");
1340 return IS_ERR_JSON_ADD;
1341 }
1342 return IS_SUCCESS;
1343 }
1344
EraseUpdateCredIdInSelfVec(CredentialVec * updateCredVec,CredentialVec * selfCredVec)1345 int32_t EraseUpdateCredIdInSelfVec(CredentialVec *updateCredVec, CredentialVec *selfCredVec)
1346 {
1347 Credential **cred = updateCredVec->getp(updateCredVec, 0);
1348 if (cred == NULL || *cred == NULL) {
1349 LOGE("Failed to get first cred");
1350 return IS_ERR_NULL_PTR;
1351 }
1352 const char *updateCredId = StringGet(&(*cred)->credId);
1353 if (updateCredId == NULL) {
1354 LOGE("Failed to get updateCredId");
1355 return IS_ERR_NULL_PTR;
1356 }
1357 return EraseCredIdInVec(updateCredId, selfCredVec);
1358 }
1359
GetQueryJsonStr(CJson * baseInfoJson,char ** queryJsonStr)1360 int32_t GetQueryJsonStr(CJson *baseInfoJson, char **queryJsonStr)
1361 {
1362 const char *credOwner = GetStringFromJson(baseInfoJson, FIELD_CRED_OWNER);
1363 if (credOwner == NULL) {
1364 LOGE("Failed to get credOwner");
1365 return IS_ERR_INVALID_PARAMS;
1366 }
1367 CJson *queryJson = CreateJson();
1368 if (queryJson == NULL) {
1369 LOGE("Failed to create queryJson");
1370 return IS_ERR_JSON_CREATE;
1371 }
1372 if (AddStringToJson(queryJson, FIELD_CRED_OWNER, credOwner)) {
1373 FreeJson(queryJson);
1374 return IS_ERR_JSON_ADD;
1375 }
1376 *queryJsonStr = PackJsonToString(queryJson);
1377 FreeJson(queryJson);
1378 if (*queryJsonStr == NULL) {
1379 LOGE("Failed to pack queryJson to string");
1380 return IS_ERR_PACKAGE_JSON_TO_STRING_FAIL;
1381 }
1382 return IS_SUCCESS;
1383 }
1384
GetUpdateCredVec(int32_t osAccountId,CJson * updateInfo,QueryCredentialParams * queryParams,CredentialVec * updateCredVec)1385 int32_t GetUpdateCredVec(int32_t osAccountId, CJson *updateInfo,
1386 QueryCredentialParams *queryParams, CredentialVec *updateCredVec)
1387 {
1388 int32_t ret = SetUpdateToQueryParams(updateInfo, queryParams);
1389 if (ret != IS_SUCCESS) {
1390 LOGE("Failed to set updateLists to query params");
1391 return ret;
1392 }
1393 return QueryCredentials(osAccountId, queryParams, updateCredVec);
1394 }
1395