• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (c) 2022 Huawei Device Co., Ltd.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at
6  *
7  *     http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
16 #include "cert_manager_permission_check.h"
17 
18 #include "accesstoken_kit.h"
19 #include "ipc_skeleton.h"
20 #include "tokenid_kit.h"
21 
22 #include "cm_log.h"
23 
24 using namespace OHOS::Security::AccessToken;
25 
HasPermission(const std::string & permissionName)26 static bool HasPermission(const std::string &permissionName)
27 {
28     AccessTokenID tokenId = OHOS::IPCSkeleton::GetCallingTokenID();
29 
30     int result = AccessTokenKit::VerifyAccessToken(tokenId, permissionName);
31     if (result == PERMISSION_GRANTED) {
32         return true;
33     }
34 
35     return false;
36 }
37 
CmHasPrivilegedPermission(void)38 bool CmHasPrivilegedPermission(void)
39 {
40     return HasPermission("ohos.permission.ACCESS_CERT_MANAGER_INTERNAL");
41 }
42 
CmHasCommonPermission(void)43 bool CmHasCommonPermission(void)
44 {
45     return HasPermission("ohos.permission.ACCESS_CERT_MANAGER");
46 }
47 
CmHasEnterpriseUserTrustedPermission(void)48 bool CmHasEnterpriseUserTrustedPermission(void)
49 {
50     return HasPermission("ohos.permission.ACCESS_ENTERPRISE_USER_TRUSTED_CERT");
51 }
52 
CmHasUserTrustedPermission(void)53 bool CmHasUserTrustedPermission(void)
54 {
55     return HasPermission("ohos.permission.ACCESS_USER_TRUSTED_CERT");
56 }
57 
CmHasSystemAppPermission(void)58 bool CmHasSystemAppPermission(void)
59 {
60     return HasPermission("ohos.permission.ACCESS_SYSTEM_APP_CERT");
61 }
62 
CmIsSystemApp(void)63 bool CmIsSystemApp(void)
64 {
65     AccessTokenID tokenId = OHOS::IPCSkeleton::GetCallingTokenID();
66     auto tokenType = AccessTokenKit::GetTokenType(tokenId);
67     if (tokenType == TOKEN_HAP) { /* only care about hap type */
68         uint64_t fullTokenId = OHOS::IPCSkeleton::GetCallingFullTokenID();
69         return TokenIdKit::IsSystemAppByFullTokenID(fullTokenId);
70     }
71     return true;
72 }
73 
CmIsSystemAppByStoreType(const uint32_t store)74 bool CmIsSystemAppByStoreType(const uint32_t store)
75 {
76     /* care about public and system credential */
77     if (store == CM_CREDENTIAL_STORE || store == CM_SYS_CREDENTIAL_STORE) {
78         return CmIsSystemApp();
79     }
80     return true;
81 }
82 
CmPermissionCheck(const uint32_t store)83 bool CmPermissionCheck(const uint32_t store)
84 {
85     switch (store) {
86         case CM_CREDENTIAL_STORE:
87             return CmHasPrivilegedPermission() && CmHasCommonPermission();
88         case CM_PRI_CREDENTIAL_STORE:
89             return CmHasCommonPermission();
90         case CM_SYS_CREDENTIAL_STORE:
91             return CmHasCommonPermission() && CmHasSystemAppPermission();
92         default:
93             return false;
94     }
95 }
96