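/*
 * Copyright (c) 2023-2024 Huawei Device Co., Ltd.
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#ifndef COMMUNICATIONNETSTACK_VERIFY_CERT_H
#define COMMUNICATIONNETSTACK_VERIFY_CERT_H

/* Include what this header uses directly: size_t, uint8_t/uint32_t and std::string
 * were previously only available through transitive includes. */
#include <cstddef>
#include <cstdint>
#include <fstream>
#include <iostream>
#include <set>
#include <string>

#include <openssl/ssl.h>

#include "net_ssl_type.h"

namespace OHOS {
namespace NetStack {
namespace Ssl {
/*
 * Constants used by the certificate verification helpers declared below.
 * The values are defined out of line (not in this header).
 */
class SslConstant final {
public:
    /* Path of the system pre-installed CA store. */
    static const char *const SYSPRECAPATH;
    /* Path of the user-installed CA store; see GetUserInstalledCaPath(). */
    static const char *const USERINSTALLEDCAPATH;
    /* Divisor used to transform a uid (presumably into a user id when building the
     * per-user CA path -- confirm against the definition). */
    static const int UIDTRANSFORMDIVISOR;
};

/*
 * Tri-state outcome of a verification step: -1 when no decision could be made,
 * 0 for a failed check, 1 for a passed check.
 */
enum VerifyResult { VERIFY_RESULT_UNKNOWN = -1, VERIFY_RESULT_FAIL = 0, VERIFY_RESULT_SUCCESS = 1 };

/*
 * Error codes reported to callers. Every SSL_X509_V_ERR_* value is the OpenSSL
 * X509_V_ERR_* verification result offset by SSL_ERROR_CODE_BASE, so the OpenSSL
 * reason can be recovered by subtracting the base.
 */
enum SslErrorCode {
    SSL_NONE_ERR = 0,
    SSL_ERROR_CODE_BASE = 2305000,
    // The following error codes are added since API11
    SSL_X509_V_ERR_UNSPECIFIED = SSL_ERROR_CODE_BASE + X509_V_ERR_UNSPECIFIED,
    SSL_X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT = SSL_ERROR_CODE_BASE + X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT,
    SSL_X509_V_ERR_UNABLE_TO_GET_CRL = SSL_ERROR_CODE_BASE + X509_V_ERR_UNABLE_TO_GET_CRL,
    SSL_X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE = SSL_ERROR_CODE_BASE + X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE,
    SSL_X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE = SSL_ERROR_CODE_BASE + X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE,
    SSL_X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY =
        SSL_ERROR_CODE_BASE + X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY,
    SSL_X509_V_ERR_CERT_SIGNATURE_FAILURE = SSL_ERROR_CODE_BASE + X509_V_ERR_CERT_SIGNATURE_FAILURE,
    SSL_X509_V_ERR_CRL_SIGNATURE_FAILURE = SSL_ERROR_CODE_BASE + X509_V_ERR_CRL_SIGNATURE_FAILURE,
    SSL_X509_V_ERR_CERT_NOT_YET_VALID = SSL_ERROR_CODE_BASE + X509_V_ERR_CERT_NOT_YET_VALID,
    SSL_X509_V_ERR_CERT_HAS_EXPIRED = SSL_ERROR_CODE_BASE + X509_V_ERR_CERT_HAS_EXPIRED,
    SSL_X509_V_ERR_CRL_NOT_YET_VALID = SSL_ERROR_CODE_BASE + X509_V_ERR_CRL_NOT_YET_VALID,
    SSL_X509_V_ERR_CRL_HAS_EXPIRED = SSL_ERROR_CODE_BASE + X509_V_ERR_CRL_HAS_EXPIRED,
    SSL_X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY =
        SSL_ERROR_CODE_BASE + X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY,
    SSL_X509_V_ERR_CERT_REVOKED = SSL_ERROR_CODE_BASE + X509_V_ERR_CERT_REVOKED,
    SSL_X509_V_ERR_INVALID_CA = SSL_ERROR_CODE_BASE + X509_V_ERR_INVALID_CA,
    SSL_X509_V_ERR_CERT_UNTRUSTED = SSL_ERROR_CODE_BASE + X509_V_ERR_CERT_UNTRUSTED,
    // The following error codes are added since API12
    SSL_X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT = SSL_ERROR_CODE_BASE + X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT,
    SSL_X509_V_ERR_INVALID_CALL = SSL_ERROR_CODE_BASE + X509_V_ERR_INVALID_CALL,
    // 999 is a project-chosen offset, not an OpenSSL X509_V_ERR_* value.
    SSL_X509_V_ERR_OUT_OF_MEMORY = SSL_ERROR_CODE_BASE + 999
};

/*
 * Error codes known to the API11-level interface. Presumably used to decide which
 * codes may be surfaced to a caller of that API level -- confirm against callers.
 * Note that SSL_X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY is absent here although
 * it is declared in the API11 group of SslErrorCode; it is present in the API12 set.
 * `static` gives every translation unit its own copy of this set.
 */
static const std::multiset<uint32_t> SslErrorCodeSetBase{SSL_NONE_ERR,
                                                         SSL_ERROR_CODE_BASE,
                                                         SSL_X509_V_ERR_UNSPECIFIED,
                                                         SSL_X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT,
                                                         SSL_X509_V_ERR_UNABLE_TO_GET_CRL,
                                                         SSL_X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE,
                                                         SSL_X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE,
                                                         SSL_X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY,
                                                         SSL_X509_V_ERR_CERT_SIGNATURE_FAILURE,
                                                         SSL_X509_V_ERR_CRL_SIGNATURE_FAILURE,
                                                         SSL_X509_V_ERR_CERT_NOT_YET_VALID,
                                                         SSL_X509_V_ERR_CERT_HAS_EXPIRED,
                                                         SSL_X509_V_ERR_CRL_NOT_YET_VALID,
                                                         SSL_X509_V_ERR_CRL_HAS_EXPIRED,
                                                         SSL_X509_V_ERR_CERT_REVOKED,
                                                         SSL_X509_V_ERR_INVALID_CA,
                                                         SSL_X509_V_ERR_CERT_UNTRUSTED};

/*
 * Error codes known to the API12-level interface: the API11 set plus
 * SSL_X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY and the codes added in API12.
 */
static const std::multiset<uint32_t> SslErrorCodeSetSinceAPI12{SSL_NONE_ERR,
                                                               SSL_ERROR_CODE_BASE,
                                                               SSL_X509_V_ERR_UNSPECIFIED,
                                                               SSL_X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT,
                                                               SSL_X509_V_ERR_UNABLE_TO_GET_CRL,
                                                               SSL_X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE,
                                                               SSL_X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE,
                                                               SSL_X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY,
                                                               SSL_X509_V_ERR_CERT_SIGNATURE_FAILURE,
                                                               SSL_X509_V_ERR_CRL_SIGNATURE_FAILURE,
                                                               SSL_X509_V_ERR_CERT_NOT_YET_VALID,
                                                               SSL_X509_V_ERR_CERT_HAS_EXPIRED,
                                                               SSL_X509_V_ERR_CRL_NOT_YET_VALID,
                                                               SSL_X509_V_ERR_CRL_HAS_EXPIRED,
                                                               SSL_X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY,
                                                               SSL_X509_V_ERR_CERT_REVOKED,
                                                               SSL_X509_V_ERR_INVALID_CA,
                                                               SSL_X509_V_ERR_CERT_UNTRUSTED,
                                                               // New error code since API12.
                                                               SSL_X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT,
                                                               SSL_X509_V_ERR_INVALID_CALL,
                                                               SSL_X509_V_ERR_OUT_OF_MEMORY};

/* Returns the path of the user-installed CA store (presumably derived from
 * SslConstant::USERINSTALLEDCAPATH and the calling uid -- confirm in the definition).
 * Certificates under this path take part in trust decisions, so callers should
 * treat it as trust-relevant configuration. */
std::string GetUserInstalledCaPath();

/* Parses a PEM-encoded certificate of pemSize bytes. Returns nullptr on failure
 * (a raw OpenSSL X509; the caller presumably owns it and must X509_free it --
 * confirm in the definition). */
X509 *PemToX509(const uint8_t *pemCert, size_t pemSize);

/* Parses a DER-encoded certificate of derSize bytes. Same return/ownership
 * contract as PemToX509. */
X509 *DerToX509(const uint8_t *derCert, size_t derSize);

/* Converts a CertBlob (PEM or DER, per its type field in net_ssl_type.h) to an X509.
 * Same return/ownership contract as PemToX509. */
X509 *CertBlobToX509(const CertBlob *cert);

/* Verifies cert against the platform CA stores. Returns a SslErrorCode value,
 * SSL_NONE_ERR on success (presumably; confirm in the definition). */
uint32_t VerifyCert(const CertBlob *cert);

/* Verifies cert against the caller-supplied caCert instead of the platform stores.
 * Return contract as the single-argument overload. */
uint32_t VerifyCert(const CertBlob *cert, const CertBlob *caCert);

/* Releases the OpenSSL objects used during verification. Each argument is a
 * pointer to the owning pointer; the pointee is presumably freed and reset so a
 * double free cannot happen on a repeated call -- confirm in the definition. */
void FreeResources(X509 **certX509, X509 **caX509, X509_STORE **store, X509_STORE_CTX **ctx);
} // namespace Ssl
} // namespace NetStack
} // namespace OHOS

#endif // COMMUNICATIONNETSTACK_VERIFY_CERT_H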