1 /*
2 * Copyright (c) 2022-2025 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "cert_manager_auth_list_mgr.h"
17
18 #include "securec.h"
19
20 #include "cert_manager.h"
21 #include "cert_manager_file_operator.h"
22 #include "cert_manager_mem.h"
23 #include "cert_manager_storage.h"
24 #include "cert_manager_uri.h"
25 #include "cm_log.h"
26 #include "cm_type.h"
27
28 #define MAX_PATH_LEN 512
29 #define MAX_AUTH_COUNT 256
30 #define AUTH_LIST_VERSION 0
31
32 // LCOV_EXCL_START
CheckAuthListFileSizeValid(const struct CmBlob * originList,uint32_t * authCount)33 static int32_t CheckAuthListFileSizeValid(const struct CmBlob *originList, uint32_t *authCount)
34 {
35 if (originList->size < (sizeof(uint32_t) + sizeof(uint32_t))) { /* version and count size */
36 CM_LOG_E("invalid authlist size[%u]", originList->size);
37 return CMR_ERROR_STORAGE;
38 }
39
40 uint32_t count = 0;
41 (void)memcpy_s(&count, sizeof(count), originList->data + sizeof(uint32_t), sizeof(count));
42 if (count > MAX_OUT_BLOB_SIZE) {
43 CM_LOG_E("invalid auth count[%u]", count);
44 return CMR_ERROR_MEM_OPERATION_COPY;
45 }
46
47 uint32_t size = sizeof(uint32_t) + sizeof(uint32_t) + sizeof(uint32_t) * count;
48 if (originList->size != size) {
49 CM_LOG_E("invalid auth list file size[%u], count[%u]", originList->size, count);
50 return CMR_ERROR_STORAGE;
51 }
52
53 *authCount = count;
54 return CM_SUCCESS;
55 }
56
IsUidExist(const struct CmBlob * list,uint32_t count,uint32_t targetUid,uint32_t * position)57 static bool IsUidExist(const struct CmBlob *list, uint32_t count, uint32_t targetUid, uint32_t *position)
58 {
59 uint32_t uid;
60 uint32_t offset = sizeof(uint32_t) + sizeof(uint32_t);
61 for (uint32_t i = 0; i < count; ++i) {
62 (void)memcpy_s(&uid, sizeof(uint32_t), list->data + offset, sizeof(uint32_t));
63 offset += sizeof(uint32_t);
64 if (uid == targetUid) {
65 *position = offset;
66 return true;
67 }
68 }
69 return false;
70 }
71
CopyBlob(const struct CmBlob * originList,struct CmBlob * outList)72 static int32_t CopyBlob(const struct CmBlob *originList, struct CmBlob *outList)
73 {
74 uint8_t *data = (uint8_t *)CMMalloc(originList->size);
75 if (data == NULL) {
76 CM_LOG_E("out data malloc failed");
77 return CMR_ERROR_MALLOC_FAIL;
78 }
79
80 (void)memcpy_s(data, originList->size, originList->data, originList->size);
81
82 outList->data = data;
83 outList->size = originList->size;
84 return CM_SUCCESS;
85 }
86
InsertUid(const struct CmBlob * originList,uint32_t uid,struct CmBlob * addedList)87 static int32_t InsertUid(const struct CmBlob *originList, uint32_t uid, struct CmBlob *addedList)
88 {
89 uint32_t count = 0;
90 int32_t ret = CheckAuthListFileSizeValid(originList, &count);
91 if (ret != CM_SUCCESS) {
92 return ret;
93 }
94
95 uint32_t position = 0;
96 bool isUidExist = IsUidExist(originList, count, uid, &position);
97 if (isUidExist) {
98 /* exist then copy origin */
99 return CopyBlob(originList, addedList);
100 }
101
102 if (count >= MAX_AUTH_COUNT) {
103 CM_LOG_E("max granted uid count reached, count = %u", count);
104 return CMR_ERROR_MAX_GRANT_COUNT_REACHED;
105 }
106
107 uint32_t size = originList->size + sizeof(uint32_t); /* add one uid */
108 uint8_t *data = (uint8_t *)CMMalloc(size);
109 if (data == NULL) {
110 return CMR_ERROR_MALLOC_FAIL;
111 }
112
113 do {
114 ret = CMR_ERROR_MEM_OPERATION_COPY;
115 if (memcpy_s(data, size, originList->data, originList->size) != EOK) {
116 CM_LOG_E("copy origin list failed");
117 break;
118 }
119 if (memcpy_s(data + originList->size, size - originList->size, &uid, sizeof(uint32_t)) != EOK) {
120 CM_LOG_E("copy inserted uid failed");
121 break;
122 }
123
124 /* refresh count after add */
125 uint32_t countAfterAdd = count + 1;
126 if (memcpy_s(data + sizeof(uint32_t), sizeof(countAfterAdd), &countAfterAdd, sizeof(countAfterAdd)) != EOK) {
127 CM_LOG_E("refresh count after add failed");
128 break;
129 }
130 ret = CM_SUCCESS;
131 } while (0);
132 if (ret != CM_SUCCESS) {
133 CM_FREE_PTR(data);
134 return ret;
135 }
136
137 addedList->data = data;
138 addedList->size = size;
139 return CM_SUCCESS;
140 }
141
RemoveUid(const struct CmBlob * originList,uint32_t uid,struct CmBlob * removedList)142 static int32_t RemoveUid(const struct CmBlob *originList, uint32_t uid, struct CmBlob *removedList)
143 {
144 uint32_t count = 0;
145 int32_t ret = CheckAuthListFileSizeValid(originList, &count);
146 if (ret != CM_SUCCESS) {
147 return ret;
148 }
149
150 uint32_t position = 0;
151 bool isUidExist = IsUidExist(originList, count, uid, &position);
152 if (!isUidExist) {
153 /* not exist then copy origin */
154 return CopyBlob(originList, removedList);
155 }
156
157 uint32_t size = originList->size - sizeof(uint32_t); /* delete one uid */
158 uint8_t *data = (uint8_t *)CMMalloc(size);
159 if (data == NULL) {
160 return CMR_ERROR_MALLOC_FAIL;
161 }
162
163 do {
164 ret = CMR_ERROR_MEM_OPERATION_COPY;
165 uint32_t beforeSize = position - sizeof(uint32_t); /* positon >= 12 */
166 if (memcpy_s(data, size, originList->data, beforeSize) != EOK) {
167 CM_LOG_E("copy origin list before uid failed");
168 break;
169 }
170
171 if (size > beforeSize) { /* has buffer after uid */
172 if (memcpy_s(data + beforeSize, size - beforeSize, originList->data + position,
173 originList->size - position) != EOK) {
174 CM_LOG_E("copy origin list after uid failed");
175 break;
176 }
177 }
178
179 /* refresh count after remove */
180 uint32_t countAfterRemove = count - 1; /* count > 1 */
181 if (memcpy_s(data + sizeof(uint32_t), sizeof(countAfterRemove),
182 &countAfterRemove, sizeof(countAfterRemove)) != EOK) {
183 CM_LOG_E("refresh count after delete failed");
184 break;
185 }
186 ret = CM_SUCCESS;
187 } while (0);
188 if (ret != CM_SUCCESS) {
189 CM_FREE_PTR(data);
190 return ret;
191 }
192
193 removedList->data = data;
194 removedList->size = size;
195 return CM_SUCCESS;
196 }
197
RefreshAuthListBuf(const char * path,const char * fileName,uint32_t uid,bool isAdd,struct CmBlob * authList)198 static int32_t RefreshAuthListBuf(const char *path, const char *fileName, uint32_t uid, bool isAdd,
199 struct CmBlob *authList)
200 {
201 struct CmBlob list = { 0, NULL };
202 int32_t ret = CmStorageGetBuf(path, fileName, &list);
203 if (ret != CM_SUCCESS) {
204 return ret;
205 }
206
207 if (isAdd) {
208 ret = InsertUid(&list, uid, authList);
209 } else {
210 ret = RemoveUid(&list, uid, authList);
211 }
212 CM_FREE_PTR(list.data);
213 return ret;
214 }
215
216 /*
217 * auth list buffer format:
218 * |--version--|--uidCount(n)--|--uid0--|--uid1--|...|--uid(n-1)--|
219 * | 4Byte | 4Byte | 4Byte | 4Byte |...| 4Byte |
220 */
InitAuthListBuf(uint32_t uid,struct CmBlob * authList)221 static int32_t InitAuthListBuf(uint32_t uid, struct CmBlob *authList)
222 {
223 uint32_t count = 1;
224 uint32_t version = AUTH_LIST_VERSION;
225 uint32_t size = sizeof(version) + sizeof(count) + sizeof(uid) * count;
226 uint8_t *data = (uint8_t *)CMMalloc(size);
227 if (data == NULL) {
228 CM_LOG_E("malloc file buffer failed");
229 return CMR_ERROR_MALLOC_FAIL;
230 }
231 (void)memset_s(data, size, 0, size);
232
233 int32_t ret = CM_SUCCESS;
234 uint32_t offset = 0;
235 do {
236 if (memcpy_s(data + offset, size - offset, &version, sizeof(version)) != EOK) {
237 CM_LOG_E("copy count failed");
238 ret = CMR_ERROR_MEM_OPERATION_COPY;
239 break;
240 }
241 offset += sizeof(version);
242
243 if (memcpy_s(data + offset, size - offset, &count, sizeof(count)) != EOK) {
244 CM_LOG_E("copy count failed");
245 ret = CMR_ERROR_MEM_OPERATION_COPY;
246 break;
247 }
248 offset += sizeof(count);
249
250 if (memcpy_s(data + offset, size - offset, &uid, sizeof(uid)) != EOK) {
251 CM_LOG_E("copy uid failed");
252 ret = CMR_ERROR_MEM_OPERATION_COPY;
253 break;
254 }
255 } while (0);
256 if (ret != CM_SUCCESS) {
257 CM_FREE_PTR(data);
258 return ret;
259 }
260
261 authList->data = data;
262 authList->size = size;
263 return CM_SUCCESS;
264 }
265
RefreshAuthList(const char * path,const char * fileName,uint32_t uid,bool isAdd)266 static int32_t RefreshAuthList(const char *path, const char *fileName, uint32_t uid, bool isAdd)
267 {
268 bool isAuthListExist = false;
269 int32_t ret = CmIsFileExist(path, fileName);
270 if (ret == CM_SUCCESS) {
271 isAuthListExist = true;
272 }
273
274 if (!isAuthListExist && !isAdd) {
275 CM_LOG_D("auth list file not exist when delete uid");
276 return CM_SUCCESS; /* auth list file not exit when delete uid */
277 }
278
279 struct CmBlob authList = { 0, NULL };
280 if (isAuthListExist) {
281 ret = RefreshAuthListBuf(path, fileName, uid, isAdd, &authList);
282 } else { /* auth list file not exit when add uid */
283 ret = InitAuthListBuf(uid, &authList);
284 }
285 if (ret != CM_SUCCESS) {
286 return ret;
287 }
288
289 ret = CmFileWrite(path, fileName, 0, authList.data, authList.size);
290 if (ret != CM_SUCCESS) {
291 CM_LOG_E("write file failed");
292 }
293 CM_FREE_PTR(authList.data);
294 return ret;
295 }
296
FormatAppUidList(const struct CmBlob * list,struct CmAppUidList * appUidList)297 static int32_t FormatAppUidList(const struct CmBlob *list, struct CmAppUidList *appUidList)
298 {
299 uint32_t count = 0;
300 int32_t ret = CheckAuthListFileSizeValid(list, &count);
301 if (ret != CM_SUCCESS) {
302 return ret;
303 }
304
305 if (count == 0) {
306 appUidList->appUidCount = 0;
307 CM_LOG_D("auth list has no auth uid");
308 return CM_SUCCESS; /* has no auth uid */
309 }
310
311 uint8_t *data = (uint8_t *)CMMalloc(count * sizeof(uint32_t));
312 if (data == NULL) {
313 CM_LOG_E("malloc app uid buffer failed");
314 return ret = CMR_ERROR_MALLOC_FAIL;
315 }
316
317 uint32_t offsetOut = 0;
318 uint32_t offset = sizeof(uint32_t) + sizeof(uint32_t);
319 for (uint32_t i = 0; i < count; ++i) {
320 (void)memcpy_s(data + offsetOut, sizeof(uint32_t), list->data + offset, sizeof(uint32_t));
321 offset += sizeof(uint32_t);
322 offsetOut += sizeof(uint32_t);
323 }
324
325 appUidList->appUidCount = count;
326 appUidList->appUid = (uint32_t *)data;
327 return CM_SUCCESS;
328 }
329
CmAddAuthUid(const struct CmContext * context,const struct CmBlob * uri,uint32_t uid)330 int32_t CmAddAuthUid(const struct CmContext *context, const struct CmBlob *uri, uint32_t uid)
331 {
332 int32_t ret = CmCheckCredentialExist(context, uri);
333 if (ret != CM_SUCCESS) {
334 return ret;
335 }
336
337 char authListPath[MAX_PATH_LEN] = { 0 };
338 ret = ConstructAuthListPath(context, CM_CREDENTIAL_STORE, authListPath, MAX_PATH_LEN);
339 if (ret != CM_SUCCESS) {
340 return ret;
341 }
342
343 ret = RefreshAuthList(authListPath, (char *)uri->data, uid, true);
344 if (ret != CM_SUCCESS) {
345 CM_LOG_E("refresh auth list failed, ret = %d", ret);
346 }
347 return ret;
348 }
349
CmRemoveAuthUid(const struct CmContext * context,const struct CmBlob * uri,uint32_t uid)350 int32_t CmRemoveAuthUid(const struct CmContext *context, const struct CmBlob *uri, uint32_t uid)
351 {
352 char authListPath[MAX_PATH_LEN] = { 0 };
353 int32_t ret = ConstructAuthListPath(context, CM_CREDENTIAL_STORE, authListPath, MAX_PATH_LEN);
354 if (ret != CM_SUCCESS) {
355 return ret;
356 }
357
358 ret = RefreshAuthList(authListPath, (char *)uri->data, uid, false);
359 if (ret != CM_SUCCESS) {
360 CM_LOG_E("refresh auth list failed, ret = %d", ret);
361 }
362 return ret;
363 }
364
CmGetAuthList(const struct CmContext * context,const struct CmBlob * uri,struct CmAppUidList * appUidList)365 int32_t CmGetAuthList(const struct CmContext *context, const struct CmBlob *uri, struct CmAppUidList *appUidList)
366 {
367 char authListPath[MAX_PATH_LEN] = { 0 };
368 int32_t ret = ConstructAuthListPath(context, CM_CREDENTIAL_STORE, authListPath, MAX_PATH_LEN);
369 if (ret != CM_SUCCESS) {
370 return ret;
371 }
372
373 /* auth list file not exist */
374 ret = CmIsFileExist(authListPath, (char *)uri->data);
375 if (ret != CM_SUCCESS) {
376 CM_LOG_D("auth list file not exist.");
377 appUidList->appUidCount = 0;
378 return CM_SUCCESS;
379 }
380
381 struct CmBlob list = { 0, NULL };
382 ret = CmStorageGetBuf(authListPath, (char *)uri->data, &list);
383 if (ret != CM_SUCCESS) {
384 return ret;
385 }
386
387 ret = FormatAppUidList(&list, appUidList);
388 CM_FREE_PTR(list.data);
389 return ret;
390 }
391
CmDeleteAuthListFile(const struct CmContext * context,const struct CmBlob * uri)392 int32_t CmDeleteAuthListFile(const struct CmContext *context, const struct CmBlob *uri)
393 {
394 char authListPath[MAX_PATH_LEN] = { 0 };
395 int32_t ret = ConstructAuthListPath(context, CM_CREDENTIAL_STORE, authListPath, MAX_PATH_LEN);
396 if (ret != CM_SUCCESS) {
397 return ret;
398 }
399
400 ret = CmIsFileExist(authListPath, (char *)uri->data);
401 if (ret != CM_SUCCESS) { /* auth list file not exist */
402 return CM_SUCCESS;
403 }
404
405 ret = CmFileRemove(authListPath, (char *)uri->data);
406 if (ret != CM_SUCCESS) {
407 CM_LOG_E("remove file failed, ret = %d", ret);
408 }
409 return ret;
410 }
411
CmCheckIsAuthUidExist(const struct CmContext * context,const struct CmBlob * uri,uint32_t targetUid,bool * isInAuthList)412 int32_t CmCheckIsAuthUidExist(const struct CmContext *context, const struct CmBlob *uri,
413 uint32_t targetUid, bool *isInAuthList)
414 {
415 *isInAuthList = false;
416
417 char authListPath[MAX_PATH_LEN] = { 0 };
418 int32_t ret = ConstructAuthListPath(context, CM_CREDENTIAL_STORE, authListPath, MAX_PATH_LEN);
419 if (ret != CM_SUCCESS) {
420 return ret;
421 }
422
423 ret = CmIsFileExist(authListPath, (char *)uri->data);
424 if (ret != CM_SUCCESS) { /* auth list file not exist */
425 return CM_SUCCESS;
426 }
427
428 struct CmBlob list = { 0, NULL };
429 ret = CmStorageGetBuf(authListPath, (char *)uri->data, &list);
430 if (ret != CM_SUCCESS) {
431 return ret;
432 }
433
434 uint32_t count = 0;
435 ret = CheckAuthListFileSizeValid(&list, &count);
436 if (ret != CM_SUCCESS) {
437 CM_FREE_PTR(list.data);
438 return ret;
439 }
440
441 uint32_t position = 0;
442 *isInAuthList = IsUidExist(&list, count, targetUid, &position);
443 CM_FREE_PTR(list.data);
444
445 return CM_SUCCESS;
446 }
447
CmRemoveAuthUidByUserId(uint32_t userId,uint32_t targetUid,const struct CmBlob * uri)448 int32_t CmRemoveAuthUidByUserId(uint32_t userId, uint32_t targetUid, const struct CmBlob *uri)
449 {
450 uint32_t uid = 0;
451 int32_t ret = CertManagerGetUidFromUri(uri, &uid);
452 if (ret != CM_SUCCESS) {
453 return ret;
454 }
455
456 struct CmContext context = { userId, uid, { 0 } };
457 return CmRemoveAuthUid(&context, uri, targetUid);
458 }
459
CmGetAuthListByUserId(uint32_t userId,const struct CmBlob * uri,struct CmAppUidList * appUidList)460 int32_t CmGetAuthListByUserId(uint32_t userId, const struct CmBlob *uri, struct CmAppUidList *appUidList)
461 {
462 uint32_t uid = 0;
463 int32_t ret = CertManagerGetUidFromUri(uri, &uid);
464 if (ret != CM_SUCCESS) {
465 return ret;
466 }
467
468 struct CmContext context = { userId, uid, { 0 } };
469 return CmGetAuthList(&context, uri, appUidList);
470 }
471
CmDeleteAuthListFileByUserId(uint32_t userId,const struct CmBlob * uri)472 int32_t CmDeleteAuthListFileByUserId(uint32_t userId, const struct CmBlob *uri)
473 {
474 uint32_t uid = 0;
475 int32_t ret = CertManagerGetUidFromUri(uri, &uid);
476 if (ret != CM_SUCCESS) {
477 return ret;
478 }
479
480 struct CmContext context = { userId, uid, { 0 } };
481 return CmDeleteAuthListFile(&context, uri);
482 }
483
CmCheckIsAuthUidExistByUserId(uint32_t userId,uint32_t targetUid,const struct CmBlob * uri,bool * isInAuthList)484 int32_t CmCheckIsAuthUidExistByUserId(uint32_t userId, uint32_t targetUid,
485 const struct CmBlob *uri, bool *isInAuthList)
486 {
487 uint32_t uid = 0;
488 int32_t ret = CertManagerGetUidFromUri(uri, &uid);
489 if (ret != CM_SUCCESS) {
490 return ret;
491 }
492
493 struct CmContext context = { userId, uid, { 0 } };
494 return CmCheckIsAuthUidExist(&context, uri, targetUid, isInAuthList);
495 }
496
CmCheckCredentialExist(const struct CmContext * context,const struct CmBlob * uri)497 int32_t CmCheckCredentialExist(const struct CmContext *context, const struct CmBlob *uri)
498 {
499 char uidPath[MAX_PATH_LEN] = { 0 };
500 int32_t ret = ConstructUidPath(context, CM_CREDENTIAL_STORE, uidPath, MAX_PATH_LEN);
501 if (ret != CM_SUCCESS) {
502 return ret;
503 }
504
505 char *fileName = (char *)uri->data;
506 ret = CmIsFileExist(uidPath, fileName);
507 if (ret != CM_SUCCESS) {
508 CM_LOG_E("Credential file not exist.");
509 }
510 return ret;
511 }
512 // LCOV_EXCL_STOP
513