1 /*
2 * Copyright (c) 2021-2025 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15 #define HUKS_DISABLE_LOG_AT_FILE_TO_REDUCE_ROM_SIZE
16
17 #include "hks_client_check.h"
18
19 #include <stddef.h>
20
21 #include "hks_base_check.h"
22 #include "hks_common_check.h"
23 #include "hks_log.h"
24 #include "hks_param.h"
25 #include "hks_template.h"
26 #include "hks_mem.h"
27 #include "hks_storage_manager.h"
28
29 #include "securec.h"
30
31 #ifdef L2_STANDARD
32 static const uint32_t CHANGE_STORAGE_LEVEL_CFG_LIST[] = HUKS_CHANGE_STORAGE_LEVEL_CONFIG;
33 #endif
34
35 #ifndef _CUT_AUTHENTICATE_
CheckProcessNameAndKeyAliasSize(uint32_t processNameSize,uint32_t keyAliasSize)36 static int32_t CheckProcessNameAndKeyAliasSize(uint32_t processNameSize, uint32_t keyAliasSize)
37 {
38 HKS_IF_TRUE_LOGE_RETURN(processNameSize > HKS_MAX_PROCESS_NAME_LEN, HKS_ERROR_INVALID_ARGUMENT,
39 "processName size too long, size %" LOG_PUBLIC "u", processNameSize)
40
41 HKS_IF_TRUE_LOGE_RETURN(keyAliasSize > HKS_MAX_KEY_ALIAS_LEN, HKS_ERROR_INVALID_ARGUMENT,
42 "keyAlias size too long, size %" LOG_PUBLIC "u", keyAliasSize)
43
44 return HKS_SUCCESS;
45 }
46
HksCheckProcessNameAndKeyAlias(const struct HksBlob * processName,const struct HksBlob * keyAlias)47 int32_t HksCheckProcessNameAndKeyAlias(const struct HksBlob *processName, const struct HksBlob *keyAlias)
48 {
49 HKS_IF_NOT_SUCC_RETURN(HksCheckBlob2(processName, keyAlias), HKS_ERROR_INVALID_ARGUMENT)
50
51 return CheckProcessNameAndKeyAliasSize(processName->size, keyAlias->size);
52 }
53
HksCheckGenAndImportKeyParams(const struct HksBlob * processName,const struct HksBlob * keyAlias,const struct HksParamSet * paramSetIn,const struct HksBlob * key)54 int32_t HksCheckGenAndImportKeyParams(const struct HksBlob *processName, const struct HksBlob *keyAlias,
55 const struct HksParamSet *paramSetIn, const struct HksBlob *key)
56 {
57 int32_t ret = HksCheckBlob3AndParamSet(processName, keyAlias, key, paramSetIn);
58 HKS_IF_NOT_SUCC_RETURN(ret, ret)
59
60 return CheckProcessNameAndKeyAliasSize(processName->size, keyAlias->size);
61 }
62
HksCheckImportWrappedKeyParams(const struct HksBlob * processName,const struct HksBlob * keyAlias,const struct HksBlob * wrappingKeyAlias,const struct HksParamSet * paramSetIn,const struct HksBlob * wrappedKeyData)63 int32_t HksCheckImportWrappedKeyParams(const struct HksBlob *processName, const struct HksBlob *keyAlias,
64 const struct HksBlob *wrappingKeyAlias, const struct HksParamSet *paramSetIn, const struct HksBlob *wrappedKeyData)
65 {
66 int32_t ret = HksCheckBlob4AndParamSet(processName, keyAlias, wrappingKeyAlias, wrappedKeyData, paramSetIn);
67 HKS_IF_NOT_SUCC_RETURN(ret, ret)
68
69 ret = CheckProcessNameAndKeyAliasSize(processName->size, keyAlias->size);
70 HKS_IF_NOT_SUCC_RETURN(ret, ret)
71
72 return CheckProcessNameAndKeyAliasSize(processName->size, wrappingKeyAlias->size);
73 }
74
HksCheckAllParams(const struct HksBlob * processName,const struct HksBlob * keyAlias,const struct HksParamSet * paramSet,const struct HksBlob * data1,const struct HksBlob * data2)75 int32_t HksCheckAllParams(const struct HksBlob *processName, const struct HksBlob *keyAlias,
76 const struct HksParamSet *paramSet, const struct HksBlob *data1, const struct HksBlob *data2)
77 {
78 int32_t ret = HksCheckBlob4AndParamSet(processName, keyAlias, data1, data2, paramSet);
79 HKS_IF_NOT_SUCC_RETURN(ret, ret)
80
81 return CheckProcessNameAndKeyAliasSize(processName->size, keyAlias->size);
82 }
83
HksCheckServiceInitParams(const struct HksBlob * processName,const struct HksBlob * keyAlias,const struct HksParamSet * paramSet)84 int32_t HksCheckServiceInitParams(const struct HksBlob *processName, const struct HksBlob *keyAlias,
85 const struct HksParamSet *paramSet)
86 {
87 int32_t ret = HksCheckBlob2AndParamSet(processName, keyAlias, paramSet);
88 HKS_IF_NOT_SUCC_RETURN(ret, ret)
89
90 return CheckProcessNameAndKeyAliasSize(processName->size, keyAlias->size);
91 }
92
HksCheckGetKeyParamSetParams(const struct HksBlob * processName,const struct HksBlob * keyAlias,const struct HksParamSet * paramSet)93 int32_t HksCheckGetKeyParamSetParams(const struct HksBlob *processName, const struct HksBlob *keyAlias,
94 const struct HksParamSet *paramSet)
95 {
96 HKS_IF_NOT_SUCC_RETURN(HksCheckProcessNameAndKeyAlias(processName, keyAlias), HKS_ERROR_INVALID_ARGUMENT)
97
98 HKS_IF_TRUE_LOGE_RETURN(paramSet == NULL || paramSet->paramSetSize == 0, HKS_ERROR_INVALID_ARGUMENT,
99 "invalid paramSet")
100
101 return HKS_SUCCESS;
102 }
103
HksCheckExportPublicKeyParams(const struct HksBlob * processName,const struct HksBlob * keyAlias,const struct HksBlob * key)104 int32_t HksCheckExportPublicKeyParams(const struct HksBlob *processName, const struct HksBlob *keyAlias,
105 const struct HksBlob *key)
106 {
107 HKS_IF_NOT_SUCC_RETURN(HksCheckBlob3(processName, keyAlias, key), HKS_ERROR_INVALID_ARGUMENT)
108
109 return CheckProcessNameAndKeyAliasSize(processName->size, keyAlias->size);
110 }
111
HksCheckDeriveKeyParams(const struct HksBlob * processName,const struct HksParamSet * paramSet,const struct HksBlob * mainKey,const struct HksBlob * derivedKey)112 int32_t HksCheckDeriveKeyParams(const struct HksBlob *processName, const struct HksParamSet *paramSet,
113 const struct HksBlob *mainKey, const struct HksBlob *derivedKey)
114 {
115 return HksCheckGenAndImportKeyParams(processName, mainKey, paramSet, derivedKey);
116 }
117
HksCheckGetKeyInfoListParams(const struct HksBlob * processName,const struct HksKeyInfo * keyInfoList,const uint32_t * listCount)118 int32_t HksCheckGetKeyInfoListParams(const struct HksBlob *processName, const struct HksKeyInfo *keyInfoList,
119 const uint32_t *listCount)
120 {
121 HKS_IF_NOT_SUCC_LOGE_RETURN(CheckBlob(processName), HKS_ERROR_INVALID_ARGUMENT, "invalid processName")
122
123 HKS_IF_TRUE_LOGE_RETURN(processName->size > HKS_MAX_PROCESS_NAME_LEN, HKS_ERROR_INVALID_ARGUMENT,
124 "processName size too long, size %" LOG_PUBLIC "u", processName->size)
125
126 HKS_IF_TRUE_LOGE_RETURN(keyInfoList == NULL || listCount == NULL, HKS_ERROR_INVALID_ARGUMENT,
127 "keyInfoList or listCount null.")
128
129 for (uint32_t i = 0; i < *listCount; ++i) {
130 HKS_IF_TRUE_RETURN(CheckBlob(&(keyInfoList[i].alias)) != HKS_SUCCESS || keyInfoList[i].paramSet == NULL ||
131 keyInfoList[i].paramSet->paramSetSize == 0, HKS_ERROR_INVALID_ARGUMENT)
132 }
133
134 return HKS_SUCCESS;
135 }
136 #endif /* _CUT_AUTHENTICATE_ */
137
HksCheckGenerateRandomParams(const struct HksBlob * processName,const struct HksBlob * random)138 int32_t HksCheckGenerateRandomParams(const struct HksBlob *processName, const struct HksBlob *random)
139 {
140 HKS_IF_NOT_SUCC_RETURN(HksCheckBlob2(processName, random), HKS_ERROR_INVALID_ARGUMENT)
141
142 if (processName->size > HKS_MAX_PROCESS_NAME_LEN) {
143 HKS_LOG_E("processName size too long, size %" LOG_PUBLIC "u.", processName->size);
144 return HKS_ERROR_INVALID_ARGUMENT;
145 }
146
147 if (random->size > HKS_MAX_RANDOM_LEN) {
148 HKS_LOG_E("random size too long, size %" LOG_PUBLIC "u.", random->size);
149 return HKS_ERROR_INVALID_ARGUMENT;
150 }
151
152 return HKS_SUCCESS;
153 }
154
155 #ifdef HKS_SUPPORT_API_ATTEST_KEY
HksCheckAttestKeyParams(const struct HksBlob * processName,const struct HksBlob * keyAlias,const struct HksParamSet * paramSet,struct HksBlob * certChain)156 int32_t HksCheckAttestKeyParams(const struct HksBlob *processName, const struct HksBlob *keyAlias,
157 const struct HksParamSet *paramSet, struct HksBlob *certChain)
158 {
159 return HksCheckGenAndImportKeyParams(processName, keyAlias, paramSet, certChain);
160 }
161 #endif
162
163 #ifdef HKS_SUPPORT_USER_AUTH_ACCESS_CONTROL
CheckAuthAccessLevel(const struct HksParamSet * paramSet)164 static int32_t CheckAuthAccessLevel(const struct HksParamSet *paramSet)
165 {
166 struct HksParam *authAccess = NULL;
167 int32_t ret = HksGetParam(paramSet, HKS_TAG_KEY_AUTH_ACCESS_TYPE, &authAccess);
168 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, HKS_ERROR_CHECK_GET_ACCESS_TYPE_FAILED, "get auth access type fail")
169
170 HKS_IF_TRUE_LOGE_RETURN(authAccess->uint32Param < HKS_AUTH_ACCESS_INVALID_CLEAR_PASSWORD,
171 HKS_ERROR_INVALID_ARGUMENT, "auth access level is too low")
172 return HKS_SUCCESS;
173 }
174
CheckUserAuthParamsValidity(const struct HksParamSet * paramSet,uint32_t userAuthType,uint32_t authAccessType,uint32_t challengeType)175 static int32_t CheckUserAuthParamsValidity(const struct HksParamSet *paramSet, uint32_t userAuthType,
176 uint32_t authAccessType, uint32_t challengeType)
177 {
178 int32_t ret = HksCheckUserAuthParams(userAuthType, authAccessType, challengeType);
179 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "check user auth params failed")
180
181 if (challengeType == HKS_CHALLENGE_TYPE_NONE) {
182 struct HksParam *authTimeout = NULL;
183 ret = HksGetParam(paramSet, HKS_TAG_AUTH_TIMEOUT, &authTimeout);
184 if (ret == HKS_SUCCESS) {
185 HKS_IF_TRUE_LOGE_RETURN(authTimeout->uint32Param > MAX_AUTH_TIMEOUT_SECOND ||
186 authTimeout->uint32Param == 0, HKS_ERROR_INVALID_TIME_OUT, "invalid auth timeout param")
187 }
188 }
189
190 struct HksParam *secureSignType = NULL;
191 ret = HksGetParam(paramSet, HKS_TAG_KEY_SECURE_SIGN_TYPE, &secureSignType);
192 if (ret == HKS_SUCCESS) {
193 ret = HksCheckSecureSignParams(secureSignType->uint32Param);
194 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, HKS_ERROR_INVALID_SECURE_SIGN_TYPE, "secure sign type is invalid")
195
196 /* secure sign ability only support sign-purpose algorithm */
197 struct HksParam *purposeParam = NULL;
198 ret = HksGetParam(paramSet, HKS_TAG_PURPOSE, &purposeParam);
199 HKS_IF_TRUE_LOGE_RETURN(ret != HKS_SUCCESS || (purposeParam->uint32Param & HKS_KEY_PURPOSE_SIGN) == 0,
200 HKS_ERROR_INVALID_ARGUMENT, "secure sign tag only support sign-purpose alg")
201 ret = CheckAuthAccessLevel(paramSet);
202 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, HKS_ERROR_INVALID_ARGUMENT, "check auth access level fail")
203 }
204
205 return HKS_SUCCESS;
206 }
207 #endif
208
HksCheckAndGetUserAuthInfo(const struct HksParamSet * paramSet,uint32_t * userAuthType,uint32_t * authAccessType)209 int32_t HksCheckAndGetUserAuthInfo(const struct HksParamSet *paramSet, uint32_t *userAuthType,
210 uint32_t *authAccessType)
211 {
212 #ifdef HKS_SUPPORT_USER_AUTH_ACCESS_CONTROL
213 HKS_IF_NULL_LOGE_RETURN(paramSet, HKS_ERROR_NOT_SUPPORTED, "null init paramSet: not support user auth!")
214
215 struct HksParam *noRequireAuth = NULL;
216 int32_t ret = HksGetParam(paramSet, HKS_TAG_NO_AUTH_REQUIRED, &noRequireAuth);
217 if (ret == HKS_SUCCESS && noRequireAuth->boolParam == true) {
218 HKS_LOG_D("no require auth=true");
219 return HKS_ERROR_NOT_SUPPORTED;
220 }
221
222 struct HksParam *userAuthTypeParam = NULL;
223 ret = HksGetParam(paramSet, HKS_TAG_USER_AUTH_TYPE, &userAuthTypeParam);
224 HKS_IF_NOT_SUCC_RETURN(ret, HKS_ERROR_NOT_SUPPORTED)
225
226 struct HksParam *accessTypeParam = NULL;
227 ret = HksGetParam(paramSet, HKS_TAG_KEY_AUTH_ACCESS_TYPE, &accessTypeParam);
228 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, HKS_ERROR_CHECK_GET_ACCESS_TYPE_FAILED, "get auth access type param failed")
229
230 struct HksParam *challengeTypeParam = NULL;
231 ret = HksGetParam(paramSet, HKS_TAG_CHALLENGE_TYPE, &challengeTypeParam);
232 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, HKS_ERROR_CHECK_GET_CHALLENGE_TYPE_FAILED, "get challenge type param failed")
233
234 ret = CheckUserAuthParamsValidity(paramSet, userAuthTypeParam->uint32Param, accessTypeParam->uint32Param,
235 challengeTypeParam->uint32Param);
236 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "check user auth params validity failed")
237
238 *userAuthType = userAuthTypeParam->uint32Param;
239 *authAccessType = accessTypeParam->uint32Param;
240 return HKS_SUCCESS;
241 #else
242 (void)paramSet;
243 (void)userAuthType;
244 (void)authAccessType;
245 return HKS_SUCCESS;
246 #endif
247 }
248
HksCheckIsAllowedWrap(const struct HksParamSet * paramSet)249 bool HksCheckIsAllowedWrap(const struct HksParamSet *paramSet)
250 {
251 struct HksParam *isAllowedWrap = NULL;
252 int32_t ret = HksGetParam(paramSet, HKS_TAG_IS_ALLOWED_WRAP, &isAllowedWrap);
253 HKS_IF_NOT_SUCC_RETURN(ret, false)
254 return isAllowedWrap->boolParam;
255 }
256
HksCheckUserAuthKeyPurposeValidity(const struct HksParamSet * paramSet)257 int32_t HksCheckUserAuthKeyPurposeValidity(const struct HksParamSet *paramSet)
258 {
259 #ifdef HKS_SUPPORT_USER_AUTH_ACCESS_CONTROL
260 HKS_IF_NULL_LOGE_RETURN(paramSet, HKS_ERROR_NULL_POINTER, "paramSet is null!")
261
262 // step 1. Judge whether the user auth key purpose is set.
263 struct HksParam *userAuthKeyPurposeParam = NULL;
264 int32_t ret = HksGetParam(paramSet, HKS_TAG_KEY_AUTH_PURPOSE, &userAuthKeyPurposeParam);
265 HKS_IF_NOT_SUCC_LOGI_RETURN(ret, HKS_SUCCESS, "not set key auth purpose: default need user auth access control!")
266
267 // step 2. Judge whether the user auth key purpose is within the range of alogrithm key purpose.
268 struct HksParam *keyPurposeParam = NULL;
269 ret = HksGetParam(paramSet, HKS_TAG_PURPOSE, &keyPurposeParam);
270 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "get key purpose param failed!")
271
272 uint32_t keyPurpose = keyPurposeParam->uint32Param;
273 if ((userAuthKeyPurposeParam->uint32Param == 0) ||
274 (userAuthKeyPurposeParam->uint32Param | keyPurpose) != keyPurpose) {
275 HKS_LOG_E("key auth purpose is invalid!");
276 return HKS_ERROR_INVALID_PURPOSE;
277 }
278
279 // step 3. Judge the validify of symmetric and asymmetric algorithm settings for purpose.
280 ret = HksCheckUserAuthKeyInfoValidity(paramSet);
281 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "HksCheckUserAuthKeyInfoValidity failed!")
282
283 return HKS_SUCCESS;
284 #else
285 (void)paramSet;
286 return HKS_SUCCESS;
287 #endif
288 }
289
HksCheckListAliasesParam(const struct HksBlob * processName)290 int32_t HksCheckListAliasesParam(const struct HksBlob *processName)
291 {
292 HKS_IF_NOT_SUCC_LOGE_RETURN(CheckBlob(processName), HKS_ERROR_INVALID_ARGUMENT, "invalid processName");
293
294 HKS_IF_TRUE_LOGE_RETURN(processName->size > HKS_MAX_PROCESS_NAME_LEN, HKS_ERROR_INVALID_ARGUMENT,
295 "processName size too long, size %" LOG_PUBLIC "u", processName->size)
296 return HKS_SUCCESS;
297 }
298
HKsCheckOldKeyAliasDiffNewKeyAlias(const struct HksBlob * oldKeyAlias,const struct HksBlob * newKeyAlias)299 int32_t HKsCheckOldKeyAliasDiffNewKeyAlias(const struct HksBlob *oldKeyAlias,
300 const struct HksBlob *newKeyAlias)
301 {
302 HKS_IF_TRUE_LOGE_RETURN(oldKeyAlias == NULL || newKeyAlias == NULL, HKS_ERROR_INVALID_ARGUMENT,
303 "oldKeyAlias or newKeyAlias is null!")
304 HKS_IF_TRUE_LOGE_RETURN(oldKeyAlias->size == newKeyAlias->size &&
305 HksMemCmp(oldKeyAlias->data, newKeyAlias->data, oldKeyAlias->size) == 0, HKS_ERROR_ALREADY_EXISTS,
306 "oldKeyAlias same as newKeyAlias!")
307 return HKS_SUCCESS;
308 }
309
HksCheckOldKeyExist(const struct HksProcessInfo * processInfo,const struct HksBlob * oldKeyAlias,const struct HksParamSet * paramSet)310 int32_t HksCheckOldKeyExist(const struct HksProcessInfo *processInfo, const struct HksBlob *oldKeyAlias,
311 const struct HksParamSet *paramSet)
312 {
313 int32_t ret = HksCheckProcessNameAndKeyAlias(&processInfo->processName, oldKeyAlias);
314 HKS_IF_NOT_SUCC_RETURN(ret, ret);
315
316 ret = HksManageStoreIsKeyBlobExist(processInfo, paramSet, oldKeyAlias, HKS_STORAGE_TYPE_KEY);
317 HKS_IF_TRUE_LOGE(ret == HKS_ERROR_NOT_EXIST, "the oldKey not exist!")
318 return ret;
319 }
320
HksCheckNewKeyNotExist(const struct HksProcessInfo * processInfo,const struct HksBlob * newKeyAlias,const struct HksParamSet * paramSet)321 int32_t HksCheckNewKeyNotExist(const struct HksProcessInfo *processInfo, const struct HksBlob *newKeyAlias,
322 const struct HksParamSet *paramSet)
323 {
324 int32_t ret = HksCheckProcessNameAndKeyAlias(&processInfo->processName, newKeyAlias);
325 HKS_IF_NOT_SUCC_RETURN(ret, ret);
326
327 ret = HksManageStoreIsKeyBlobExist(processInfo, paramSet, newKeyAlias, HKS_STORAGE_TYPE_KEY);
328 HKS_IF_TRUE_LOGE_RETURN(ret == HKS_SUCCESS, HKS_ERROR_ALREADY_EXISTS, "the newKey is already exist!")
329 HKS_IF_TRUE_LOGI_RETURN(ret == HKS_ERROR_NOT_EXIST, HKS_SUCCESS, "the newKey is not exist!")
330 return ret;
331 }
332
333 #ifdef L2_STANDARD
HksCheckProcessInConfigList(const struct HksBlob * processName)334 int32_t HksCheckProcessInConfigList(const struct HksBlob *processName)
335 {
336 uint32_t uid = 0;
337 HKS_IF_NOT_EOK_LOGE_RETURN(memcpy_s(&uid, sizeof(uid), processName->data, processName->size),
338 HKS_ERROR_NO_PERMISSION, "illegal uid, please check your process name")
339
340 for (uint32_t i = 0; i < HKS_ARRAY_SIZE(CHANGE_STORAGE_LEVEL_CFG_LIST); ++i) {
341 HKS_IF_TRUE_LOGI_RETURN(uid == CHANGE_STORAGE_LEVEL_CFG_LIST[i], HKS_SUCCESS,
342 "%" LOG_PUBLIC "u could change storage level", uid)
343 }
344 HKS_LOG_E("%" LOG_PUBLIC "u don't have permission to change storage level", uid);
345 return HKS_ERROR_NO_PERMISSION;
346 }
347
HksCheckChangeStorageLevelParams(const struct HksBlob * processName,const struct HksBlob * keyAlias,const struct HksParamSet * srcParamSet,const struct HksParamSet * destParamSet)348 int32_t HksCheckChangeStorageLevelParams(const struct HksBlob *processName, const struct HksBlob *keyAlias,
349 const struct HksParamSet *srcParamSet, const struct HksParamSet *destParamSet)
350 {
351 // step 1. common check
352 int32_t ret = HksCheckBlob2AndParamSet2(processName, keyAlias, srcParamSet, destParamSet);
353 HKS_IF_NOT_SUCC_RETURN(ret, ret)
354
355 ret = CheckProcessNameAndKeyAliasSize(processName->size, keyAlias->size);
356 HKS_IF_NOT_SUCC_RETURN(ret, ret)
357
358 // step 2. Judge whether storage level is expected, currently only support d->c
359 struct HksParam *srcStorageLevelParam = NULL;
360 ret = HksGetParam(srcParamSet, HKS_TAG_AUTH_STORAGE_LEVEL, &srcStorageLevelParam);
361 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "srcParamSet not set storage level!")
362
363 HKS_IF_TRUE_LOGE_RETURN(srcStorageLevelParam->uint32Param != HKS_AUTH_STORAGE_LEVEL_DE, HKS_ERROR_NOT_SUPPORTED,
364 "storage level in srcParamSet must be DE")
365
366 struct HksParam *destStorageLevelParam = NULL;
367 ret = HksGetParam(destParamSet, HKS_TAG_AUTH_STORAGE_LEVEL, &destStorageLevelParam);
368 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "destParamSet not set storage level!")
369
370 HKS_IF_TRUE_LOGE_RETURN(destStorageLevelParam->uint32Param != HKS_AUTH_STORAGE_LEVEL_CE, HKS_ERROR_NOT_SUPPORTED,
371 "storage level in destParamSet must be CE")
372 return HKS_SUCCESS;
373 }
374 #endif