1 /*
2  * Copyright (c) 2023-2024 Huawei Device Co., Ltd.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at
6  *
7  *     http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
16 #ifndef NETMANAGER_BASE_NET_SECURITY_CONFIG_H
17 #define NETMANAGER_BASE_NET_SECURITY_CONFIG_H
18 
19 #include <string>
20 #include <set>
21 #include <vector>
22 
23 #include "cJSON.h"
24 #include "openssl/ssl.h"
25 
26 namespace OHOS {
27 namespace NetManagerStandard {
28 
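// One host entry of a DomainConfig: the domain name and whether the entry
// also covers subdomains of that name.
struct Domain {
    std::string domainName_;
    // Default-initialised so a `Domain d;` never carries an indeterminate flag;
    // this matches the initialised bools in PinSet/BaseConfig/DomainConfig.
    // false is read as "exact host only" — presumably; confirm against the parser.
    bool includeSubDomains_ = false;
};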
33 
// Set of trust-anchor certificates for a BaseConfig or DomainConfig.
// Each element is one certificate; whether that is a file path or the
// certificate body is not visible here — see the ParseJsonTrustAnchors caller.
struct TrustAnchors {
    std::vector<std::string> certs_;
};
37 
// A single certificate pin: the digest algorithm name and the digest value,
// both kept as strings exactly as read from the config.
struct Pin {
    std::string digestAlgorithm_;
    std::string digest_;
};
42 
// Certificate-pinning settings attached to a DomainConfig.
struct PinSet {
    // Note: no trailing underscore, unlike every other member in this header;
    // renaming would break the .cpp, so the name is left as is.
    bool isOpenMode = false;
    bool shouldVerifyRootCa_ = false;
    std::vector<Pin> pins_;
    // Expiration kept as the raw string from the config; presumably checked by
    // NetworkSecurityConfig::ValidateDate — confirm in the .cpp.
    std::string expiration_;
};
49 
// Default settings that apply when no DomainConfig matches a host.
struct BaseConfig {
    // Default is permissive: cleartext traffic is allowed until a loaded
    // config sets this to false.
    bool cleartextTrafficPermitted_ = true;
    TrustAnchors trustAnchors_;
};
54 
// Per-domain override of the base settings: the hosts it applies to, their
// trust anchors and pin set.
struct DomainConfig {
    // Permissive default, same as BaseConfig; the parser must set it explicitly
    // to restrict cleartext for these domains.
    bool cleartextTrafficPermitted_ = true;
    std::vector<Domain> domains_;
    TrustAnchors trustAnchors_;
    PinSet pinSet_;
};
61 
// Process-wide holder of the network security configuration: one BaseConfig,
// a list of DomainConfigs and the trust/cache flags declared at the bottom.
// Singleton — constructor and destructor are private, so it can only be used
// through GetInstance(); the private destructor also prevents copies outside
// the class even though copy/move are not explicitly deleted.
// Thread-safety of the accessors is not visible from this header — confirm in the .cpp.
class NetworkSecurityConfig final {
public:
    static NetworkSecurityConfig& GetInstance();
    // Per-host queries: results are written to the out-parameter, the int32_t
    // return is a status code whose values are defined in the .cpp, not here.
    int32_t GetPinSetForHostName(const std::string &hostname, std::string &pins);
    bool IsPinOpenMode(const std::string &hostname);
    bool IsPinOpenModeVerifyRootCa(const std::string &hostname);
    // Whether CAs installed by user 0 / by the current user are trusted.
    // Both flags default to true below, i.e. user-installed CAs are trusted
    // unless the loaded config turns them off.
    bool TrustUser0Ca();
    bool TrustUserCa();
    int32_t GetTrustAnchorsForHostName(const std::string &hostname, std::vector<std::string> &certs);
    bool IsUserDnsCache();
    // Cleartext check for the base config (no hostname) and for a specific
    // host; see the permissive cleartextTrafficPermitted_ defaults in
    // BaseConfig/DomainConfig.
    int32_t IsCleartextPermitted(bool &baseCleartextPermitted);
    int32_t IsCleartextPermitted(const std::string &hostname, bool &cleartextPermitted);

private:
    // Loading pipeline (inferred from the names, confirm in the .cpp): fetch the
    // JSON profile from the bundle, parse it into baseConfig_/domainConfigs_, and
    // build a rehashed CA directory from the configured trust anchors.
    int32_t GetConfig();
    bool IsCACertFileName(const char *fileName);
    // caPath is taken by const value, not const reference; the definition in the
    // .cpp must keep the same type, so this is documented rather than changed.
    void GetCAFilesFromPath(const std::string caPath, std::vector<std::string> &caFiles);
    void AddSurfixToCACertFileName(const std::string &caPath,
                                   std::set<std::string> &allFileNames, std::string &caFile);
    // Returns a raw X509*; ownership is not expressed in the type. Presumably the
    // caller must release it with X509_free() and nullptr signals failure —
    // confirm in the .cpp before relying on either.
    X509 *ReadCertFile(const std::string &fileName);
    std::string GetRehashedCADirName(const std::string &caPath);
    // "Rehased" (sic) spelling is part of the existing API; kept for compatibility.
    std::string BuildRehasedCAPath(const std::string &caPath);
    std::string GetRehasedCAPath(const std::string &caPath);
    std::string ReHashCAPathForX509(const std::string &caPath);
    int32_t CreateRehashedCertFiles();
    int32_t GetJsonFromBundle(std::string &jsonProfile);
    // JSON parsing. `root` is the cJSON node of the respective section and each
    // helper fills its out-parameter. The content originates from the app
    // bundle (GetJsonFromBundle), so missing or ill-typed fields should be
    // handled defensively and leave the defaults in place.
    int32_t ParseJsonConfig(const std::string &content);
    void ParseJsonBaseConfig(const cJSON* const root, BaseConfig &baseConfig);
    void ParseJsonDomainConfigs(const cJSON* const root, std::vector<DomainConfig> &domainConfigs);
    void ParseJsonTrustAnchors(const cJSON* const root, TrustAnchors &trustAnchors);
    void ParseJsonDomains(const cJSON* const root, std::vector<Domain> &domains);
    void ParseJsonPinSet(const cJSON* const root, PinSet &pinSet);
    // Validates a date string (presumably PinSet::expiration_); accepted format
    // is defined in the .cpp.
    bool ValidateDate(const std::string &dateStr);
    void DumpConfigs();
    std::string GetJsonProfile();
    void ParseJsonCleartextPermitted(const cJSON* const root, bool &cleartextPermitted);

private:
    NetworkSecurityConfig();
    ~NetworkSecurityConfig();
    BaseConfig baseConfig_;
    std::vector<DomainConfig> domainConfigs_;
    // These defaults are in effect until a config has been loaded and are
    // permissive: user-installed CAs trusted, DNS cache enabled.
    bool trustUser0Ca_ = true;
    bool trustUserCa_ = true;
    bool isUserDnsCache_ = true;
    // Presumably set once a base-config section has been parsed — confirm in the .cpp.
    bool hasBaseConfig_ = false;
};
109 
110 }
111 }
112 #endif /* NETMANAGER_BASE_NET_SECURITY_CONFIG_H */
113