1 /*
2 * Copyright (C) 2023 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "das_standard_token_manager.h"
17 #include "alg_loader.h"
18 #include "das_task_common.h"
19 #include "hc_log.h"
20 #include "hisysevent_common.h"
21
RegisterLocalIdentityStd(const TokenManagerParams * params)22 static int32_t RegisterLocalIdentityStd(const TokenManagerParams *params)
23 {
24 uint8_t keyAliasVal[PAKE_KEY_ALIAS_LEN] = { 0 };
25 Uint8Buff keyAliasBuff = { keyAliasVal, PAKE_KEY_ALIAS_LEN };
26 int32_t res = GenerateKeyAlias(params, &keyAliasBuff);
27 if (res != HC_SUCCESS) {
28 LOGE("Failed to generate identity keyPair alias!");
29 return res;
30 }
31
32 const AlgLoader *loader = GetLoaderInstance();
33 res = loader->checkKeyExist(&keyAliasBuff, false, params->osAccountId);
34 if (res == HC_SUCCESS) {
35 LOGD("Key pair is exist.");
36 return HC_SUCCESS;
37 }
38
39 /* UserType and pairType are not required when generating key. */
40 ExtraInfo exInfo = { { params->authId.val, params->authId.length }, -1, -1 };
41 KeyParams keyParams = { { keyAliasBuff.val, keyAliasBuff.length, true }, false, params->osAccountId };
42 res = loader->generateKeyPairWithStorage(&keyParams, PAKE_ED25519_KEY_PAIR_LEN, ED25519,
43 KEY_PURPOSE_SIGN_VERIFY, &exInfo);
44 if (res != HC_SUCCESS) {
45 LOGE("Failed to generate key pair!");
46 return res;
47 }
48 LOGI("Key pair generated successfully!");
49 return HC_SUCCESS;
50 }
51
UnregisterLocalIdentityStd(const TokenManagerParams * params)52 static int32_t UnregisterLocalIdentityStd(const TokenManagerParams *params)
53 {
54 uint8_t pakeKeyAliasVal[PAKE_KEY_ALIAS_LEN] = { 0 };
55 Uint8Buff pakeKeyAliasBuff = { pakeKeyAliasVal, PAKE_KEY_ALIAS_LEN };
56 int32_t res = GenerateKeyAlias(params, &pakeKeyAliasBuff);
57 if (res != HC_SUCCESS) {
58 LOGE("Failed to generate identity keyPair alias!");
59 return res;
60 }
61 LOGI("KeyPair alias(HEX): %" LOG_PUB "x%" LOG_PUB "x%" LOG_PUB "x%" LOG_PUB "x****.",
62 pakeKeyAliasVal[DEV_AUTH_ZERO], pakeKeyAliasVal[DEV_AUTH_ONE], pakeKeyAliasVal[DEV_AUTH_TWO],
63 pakeKeyAliasVal[DEV_AUTH_THREE]);
64
65 const AlgLoader *loader = GetLoaderInstance();
66 res = loader->deleteKey(&pakeKeyAliasBuff, false, params->osAccountId);
67 if (res != HC_SUCCESS) {
68 LOGE("Failed to delete key pair!");
69 return res;
70 }
71 LOGI("Key pair deleted successfully!");
72
73 // try to delete upgrade keypair if exist.
74 if (memcmp(params->pkgName.val, GROUP_MANAGER_PACKAGE_NAME, HcStrlen(GROUP_MANAGER_PACKAGE_NAME)) == 0) {
75 LOGI("Try to delete upgrade key pair.");
76 TokenManagerParams tokenParams = *params;
77 tokenParams.userType = KEY_ALIAS_LT_KEY_PAIR;
78 res = GenerateKeyAlias(&tokenParams, &pakeKeyAliasBuff);
79 if (res != HC_SUCCESS) {
80 LOGE("Failed to generate upgrade key pair alias!");
81 return res;
82 }
83 res = ToLowerCase(&pakeKeyAliasBuff);
84 if (res != HC_SUCCESS) {
85 LOGE("Failed to convert self key alias to lower case!");
86 return res;
87 }
88 LOGI("Upgrade key pair alias(HEX): %" LOG_PUB "x%" LOG_PUB "x%" LOG_PUB "x%" LOG_PUB "x****.",
89 pakeKeyAliasVal[DEV_AUTH_ZERO], pakeKeyAliasVal[DEV_AUTH_ONE], pakeKeyAliasVal[DEV_AUTH_TWO],
90 pakeKeyAliasVal[DEV_AUTH_THREE]);
91 res = loader->deleteKey(&pakeKeyAliasBuff, true, params->osAccountId);
92 if (res != HC_SUCCESS) {
93 LOGE("Failed to delete upgrade key pair!");
94 return res;
95 }
96 LOGI("Upgrade key pair deleted successfully!");
97 }
98
99 return HC_SUCCESS;
100 }
101
DeletePeerPubKey(const TokenManagerParams * params)102 static int32_t DeletePeerPubKey(const TokenManagerParams *params)
103 {
104 uint8_t pakeKeyAliasVal[PAKE_KEY_ALIAS_LEN] = { 0 };
105 Uint8Buff pakeKeyAliasBuff = { pakeKeyAliasVal, PAKE_KEY_ALIAS_LEN };
106 int32_t res = GenerateKeyAlias(params, &pakeKeyAliasBuff);
107 if (res != HC_SUCCESS) {
108 LOGE("Failed to generate peer pub key alias!");
109 return res;
110 }
111 LOGI("PubKey alias(HEX): %" LOG_PUB "x%" LOG_PUB "x%" LOG_PUB "x%" LOG_PUB "x****.", pakeKeyAliasVal[DEV_AUTH_ZERO],
112 pakeKeyAliasVal[DEV_AUTH_ONE], pakeKeyAliasVal[DEV_AUTH_TWO], pakeKeyAliasVal[DEV_AUTH_THREE]);
113 const AlgLoader *loader = GetLoaderInstance();
114 res = loader->deleteKey(&pakeKeyAliasBuff, false, params->osAccountId);
115 if (res != HC_SUCCESS) {
116 LOGE("Failed to delete peer public key!");
117 return res;
118 }
119 LOGI("PubKey deleted successfully!");
120
121 res = ToLowerCase(&pakeKeyAliasBuff);
122 if (res != HC_SUCCESS) {
123 LOGE("Failed to convert peer key alias to lower case!");
124 return res;
125 }
126 res = loader->deleteKey(&pakeKeyAliasBuff, true, params->osAccountId);
127 if (res != HC_SUCCESS) {
128 LOGE("Failed to delete peer public key by lower case alias!");
129 }
130 return res;
131 }
132
DeleteAuthPsk(const TokenManagerParams * params)133 static int32_t DeleteAuthPsk(const TokenManagerParams *params)
134 {
135 uint8_t pakeKeyAliasVal[PAKE_KEY_ALIAS_LEN] = { 0 };
136 Uint8Buff pakeKeyAliasBuff = { pakeKeyAliasVal, PAKE_KEY_ALIAS_LEN };
137 int32_t res = GenerateKeyAlias(params, &pakeKeyAliasBuff);
138 if (res != HC_SUCCESS) {
139 LOGE("Failed to generate psk alias!");
140 return res;
141 }
142 LOGI("Psk alias(HEX): %" LOG_PUB "x%" LOG_PUB "x%" LOG_PUB "x%" LOG_PUB "x****.", pakeKeyAliasVal[DEV_AUTH_ZERO],
143 pakeKeyAliasVal[DEV_AUTH_ONE], pakeKeyAliasVal[DEV_AUTH_TWO], pakeKeyAliasVal[DEV_AUTH_THREE]);
144 const AlgLoader *loader = GetLoaderInstance();
145 res = loader->deleteKey(&pakeKeyAliasBuff, false, params->osAccountId);
146 if (res != HC_SUCCESS) {
147 LOGE("Failed to delete psk!");
148 return res;
149 }
150 res = loader->deleteKey(&pakeKeyAliasBuff, true, params->osAccountId);
151 if (res != HC_SUCCESS) {
152 LOGE("Failed to delete psk!");
153 return res;
154 }
155 LOGI("Psk deleted successfully!");
156
157 res = ToLowerCase(&pakeKeyAliasBuff);
158 if (res != HC_SUCCESS) {
159 LOGE("Failed to convert psk alias to lower case!");
160 return res;
161 }
162 res = loader->deleteKey(&pakeKeyAliasBuff, true, params->osAccountId);
163 if (res != HC_SUCCESS) {
164 LOGE("Failed to delete psk by lower case alias!");
165 }
166 return res;
167 }
168
DeletePseudonymPskStd(int32_t osAccountId,const Uint8Buff * serviceTypeBuff,const Uint8Buff * authIdPeer)169 static int32_t DeletePseudonymPskStd(int32_t osAccountId, const Uint8Buff *serviceTypeBuff,
170 const Uint8Buff *authIdPeer)
171 {
172 uint8_t pakeKeyAliasVal[PAKE_KEY_ALIAS_LEN] = { 0 };
173 Uint8Buff pakeKeyAliasBuff = { pakeKeyAliasVal, PAKE_KEY_ALIAS_LEN };
174 int32_t res = GeneratePseudonymPskAlias(serviceTypeBuff, authIdPeer, &pakeKeyAliasBuff);
175 if (res != HC_SUCCESS) {
176 LOGE("Failed to generate pseudonym psk alias!");
177 return res;
178 }
179 res = ToLowerCase(&pakeKeyAliasBuff);
180 if (res != HC_SUCCESS) {
181 LOGE("Failed to convert pseudonym psk alias to lower case!");
182 return res;
183 }
184 res = GetLoaderInstance()->deleteKey(&pakeKeyAliasBuff, true, osAccountId);
185 if (res != HC_SUCCESS) {
186 LOGE("Failed to delete pseudonym psk!");
187 return res;
188 }
189 LOGI("Delete pseudonym psk successfully!");
190 return HC_SUCCESS;
191 }
192
DeletePeerAuthInfoStd(const TokenManagerParams * params)193 static int32_t DeletePeerAuthInfoStd(const TokenManagerParams *params)
194 {
195 TokenManagerParams tokenParams = *params;
196 #ifdef DEV_AUTH_FUNC_TEST
197 tokenParams.userType = KEY_ALIAS_LT_KEY_PAIR;
198 #endif
199 int32_t res = DeletePeerPubKey(&tokenParams);
200 if (res != HC_SUCCESS) {
201 return res;
202 }
203
204 tokenParams.userType = KEY_ALIAS_PSK;
205 res = DeleteAuthPsk(&tokenParams);
206 if (res != HC_SUCCESS) {
207 return res;
208 }
209
210 // try to delete pseudonym psk if exist.
211 Uint8Buff serviceTypeBuff = { params->serviceType.val, params->serviceType.length };
212 Uint8Buff authIdBuff = { params->authId.val, params->authId.length };
213 return DeletePseudonymPskStd(params->osAccountId, &serviceTypeBuff, &authIdBuff);
214 }
215
GenerateSelfKeyAlias(const PakeParams * params,Uint8Buff * selfKeyAlias)216 static int32_t GenerateSelfKeyAlias(const PakeParams *params, Uint8Buff *selfKeyAlias)
217 {
218 TokenManagerParams tokenParams = { 0 };
219 tokenParams.pkgName.val = (uint8_t *)params->packageName;
220 tokenParams.pkgName.length = HcStrlen(params->packageName);
221 tokenParams.serviceType.val = (uint8_t *)params->serviceType;
222 tokenParams.serviceType.length = HcStrlen(params->serviceType);
223 tokenParams.userType = params->userType;
224 // if self data is from upgrade, key type should be key-pair.
225 if (params->isSelfFromUpgrade) {
226 tokenParams.userType = KEY_ALIAS_LT_KEY_PAIR;
227 }
228 tokenParams.authId = params->baseParams.idSelf;
229 int32_t res = GenerateKeyAlias(&tokenParams, selfKeyAlias);
230 if (res != HC_SUCCESS) {
231 LOGE("generate self key alias failed");
232 return res;
233 }
234 if (params->isSelfFromUpgrade) {
235 res = ToLowerCase(selfKeyAlias);
236 if (res != HC_SUCCESS) {
237 LOGE("Failed to convert self key alias to lower case!");
238 return res;
239 }
240 }
241 return HC_SUCCESS;
242 }
243
GeneratePeerKeyAlias(const PakeParams * params,Uint8Buff * peerKeyAlias)244 static int32_t GeneratePeerKeyAlias(const PakeParams *params, Uint8Buff *peerKeyAlias)
245 {
246 TokenManagerParams tokenParams = { 0 };
247 tokenParams.pkgName.val = (uint8_t *)params->packageName;
248 tokenParams.pkgName.length = HcStrlen(params->packageName);
249 tokenParams.serviceType.val = (uint8_t *)params->serviceType;
250 tokenParams.serviceType.length = HcStrlen(params->serviceType);
251 #ifdef DEV_AUTH_FUNC_TEST
252 tokenParams.userType = KEY_ALIAS_LT_KEY_PAIR;
253 #else
254 tokenParams.userType = params->userTypePeer;
255 #endif
256 tokenParams.authId = params->baseParams.idPeer;
257 int32_t res = GenerateKeyAlias(&tokenParams, peerKeyAlias);
258 if (res != HC_SUCCESS) {
259 LOGE("generate peer key alias failed");
260 return res;
261 }
262 if (params->isPeerFromUpgrade) {
263 res = ToLowerCase(peerKeyAlias);
264 if (res != HC_SUCCESS) {
265 LOGE("Failed to convert peer key alias to lower case!");
266 return res;
267 }
268 }
269 return HC_SUCCESS;
270 }
271
GenerateSharedKeyAlias(const PakeParams * params,Uint8Buff * sharedKeyAlias)272 static int32_t GenerateSharedKeyAlias(const PakeParams *params, Uint8Buff *sharedKeyAlias)
273 {
274 TokenManagerParams tokenParams = { 0 };
275 tokenParams.pkgName.val = (uint8_t *)params->packageName;
276 tokenParams.pkgName.length = HcStrlen(params->packageName);
277 tokenParams.serviceType.val = (uint8_t *)params->serviceType;
278 tokenParams.serviceType.length = HcStrlen(params->serviceType);
279 tokenParams.userType = KEY_ALIAS_PSK;
280 tokenParams.authId = params->baseParams.idPeer;
281 int32_t res = GenerateKeyAlias(&tokenParams, sharedKeyAlias);
282 if (res != HC_SUCCESS) {
283 LOGE("generate psk alias failed");
284 return res;
285 }
286 if (params->isPeerFromUpgrade) {
287 res = ToLowerCase(sharedKeyAlias);
288 if (res != HC_SUCCESS) {
289 LOGE("Failed to convert psk alias to lower case!");
290 return res;
291 }
292 }
293 return HC_SUCCESS;
294 }
295
ComputeAndSavePskInner(const PakeParams * params,const Uint8Buff * selfKeyAlias,const Uint8Buff * peerKeyAlias,Uint8Buff * sharedKeyAlias)296 static int32_t ComputeAndSavePskInner(const PakeParams *params, const Uint8Buff *selfKeyAlias,
297 const Uint8Buff *peerKeyAlias, Uint8Buff *sharedKeyAlias)
298 {
299 KeyParams selfKeyParams = {
300 { selfKeyAlias->val, selfKeyAlias->length, true },
301 params->isSelfFromUpgrade,
302 params->baseParams.osAccountId
303 };
304 KeyBuff peerKeyBuff = { peerKeyAlias->val, peerKeyAlias->length, true };
305 int32_t res;
306 Algorithm alg = (params->baseParams.curveType == CURVE_256) ? P256 : ED25519;
307 if (alg == ED25519) {
308 uint8_t peerPubKeyVal[PAKE_ED25519_KEY_PAIR_LEN] = { 0 };
309 Uint8Buff peerPubKeyBuff = { peerPubKeyVal, PAKE_ED25519_KEY_PAIR_LEN };
310 KeyParams peerKeyParams = {
311 .keyBuff = { peerKeyAlias->val, peerKeyAlias->length, true },
312 .isDeStorage = params->isPeerFromUpgrade,
313 .osAccountId = params->baseParams.osAccountId
314 };
315 res = params->baseParams.loader->exportPublicKey(&peerKeyParams, &peerPubKeyBuff);
316 if (res != HC_SUCCESS) {
317 LOGE("Failed to export peer public key!");
318 return res;
319 }
320 peerKeyBuff.key = peerPubKeyBuff.val;
321 peerKeyBuff.keyLen = peerPubKeyBuff.length;
322 peerKeyBuff.isAlias = false;
323 }
324 res = params->baseParams.loader->agreeSharedSecretWithStorage(&selfKeyParams, &peerKeyBuff, alg,
325 PAKE_PSK_LEN, sharedKeyAlias);
326 if (res != HC_SUCCESS) {
327 LOGE("Failed to agree psk!");
328 ReportRadarEvent(res);
329 }
330 return res;
331 }
332
ComputeAndSavePskStd(const PakeParams * params)333 static int32_t ComputeAndSavePskStd(const PakeParams *params)
334 {
335 uint8_t selfKeyAliasVal[PAKE_KEY_ALIAS_LEN] = { 0 };
336 Uint8Buff selfKeyAlias = { selfKeyAliasVal, PAKE_KEY_ALIAS_LEN };
337 uint8_t peerKeyAliasVal[PAKE_KEY_ALIAS_LEN] = { 0 };
338 Uint8Buff peerKeyAlias = { peerKeyAliasVal, PAKE_KEY_ALIAS_LEN };
339 int32_t res = GenerateSelfKeyAlias(params, &selfKeyAlias);
340 if (res != HC_SUCCESS) {
341 return res;
342 }
343
344 res = GeneratePeerKeyAlias(params, &peerKeyAlias);
345 if (res != HC_SUCCESS) {
346 return res;
347 }
348
349 res = params->baseParams.loader->checkKeyExist(&selfKeyAlias, params->isSelfFromUpgrade,
350 params->baseParams.osAccountId);
351 if (res != HC_SUCCESS) {
352 LOGE("self auth keyPair not exist");
353 return res;
354 }
355 res = params->baseParams.loader->checkKeyExist(&peerKeyAlias, params->isPeerFromUpgrade,
356 params->baseParams.osAccountId);
357 if (res != HC_SUCCESS) {
358 LOGE("peer auth pubKey not exist");
359 return res;
360 }
361
362 uint8_t sharedKeyAliasVal[PAKE_KEY_ALIAS_LEN] = { 0 };
363 Uint8Buff sharedKeyAlias = { sharedKeyAliasVal, PAKE_KEY_ALIAS_LEN };
364 res = GenerateSharedKeyAlias(params, &sharedKeyAlias);
365 if (res != HC_SUCCESS) {
366 return res;
367 }
368
369 LOGI("PubKey alias(HEX): %" LOG_PUB "x%" LOG_PUB "x%" LOG_PUB "x%" LOG_PUB "x****, priKey alias(HEX): %"
370 LOG_PUB "x%" LOG_PUB "x%" LOG_PUB "x%" LOG_PUB "x****, psk alias(HEX): %"
371 LOG_PUB "x%" LOG_PUB "x%" LOG_PUB "x%" LOG_PUB "x****.",
372 peerKeyAliasVal[DEV_AUTH_ZERO], peerKeyAliasVal[DEV_AUTH_ONE],
373 peerKeyAliasVal[DEV_AUTH_TWO], peerKeyAliasVal[DEV_AUTH_THREE],
374 selfKeyAliasVal[DEV_AUTH_ZERO], selfKeyAliasVal[DEV_AUTH_ONE],
375 selfKeyAliasVal[DEV_AUTH_TWO], selfKeyAliasVal[DEV_AUTH_THREE],
376 sharedKeyAliasVal[DEV_AUTH_ZERO], sharedKeyAliasVal[DEV_AUTH_ONE],
377 sharedKeyAliasVal[DEV_AUTH_TWO], sharedKeyAliasVal[DEV_AUTH_THREE]);
378 return ComputeAndSavePskInner(params, &selfKeyAlias, &peerKeyAlias, &sharedKeyAlias);
379 }
380
GetPublicKeyStd(const TokenManagerParams * params,Uint8Buff * returnPk)381 static int32_t GetPublicKeyStd(const TokenManagerParams *params, Uint8Buff *returnPk)
382 {
383 uint8_t keyAliasVal[PAKE_KEY_ALIAS_LEN] = { 0 };
384 Uint8Buff keyAliasBuff = { keyAliasVal, PAKE_KEY_ALIAS_LEN };
385 int32_t res = GenerateKeyAlias(params, &keyAliasBuff);
386 if (res != HC_SUCCESS) {
387 LOGE("Failed to generate keyPair alias!");
388 return res;
389 }
390
391 bool isDeStorage = false;
392 const AlgLoader *loader = GetLoaderInstance();
393 res = loader->checkKeyExist(&keyAliasBuff, false, params->osAccountId);
394 if (res != HC_SUCCESS) {
395 isDeStorage = true;
396 res = loader->checkKeyExist(&keyAliasBuff, true, params->osAccountId);
397 if (res != HC_SUCCESS) {
398 res = ToLowerCase(&keyAliasBuff);
399 if (res != HC_SUCCESS) {
400 LOGE("Failed to convert key alias to lower case!");
401 return res;
402 }
403 res = loader->checkKeyExist(&keyAliasBuff, true, params->osAccountId);
404 if (res != HC_SUCCESS) {
405 LOGE("Key not exist!");
406 return res;
407 }
408 }
409 }
410
411 KeyParams keyParams = { { keyAliasBuff.val, keyAliasBuff.length, true }, isDeStorage, params->osAccountId };
412 res = loader->exportPublicKey(&keyParams, returnPk);
413 if (res != HC_SUCCESS) {
414 LOGE("Failed to export public key!");
415 return res;
416 }
417 LOGI("Get public key successfully!");
418 return HC_SUCCESS;
419 }
420
421 TokenManager g_asyTokenManagerInstance = {
422 .registerLocalIdentity = RegisterLocalIdentityStd,
423 .unregisterLocalIdentity = UnregisterLocalIdentityStd,
424 .deletePeerAuthInfo = DeletePeerAuthInfoStd,
425 .computeAndSavePsk = ComputeAndSavePskStd,
426 .getPublicKey = GetPublicKeyStd,
427 };
428
GetStandardTokenManagerInstance(void)429 const TokenManager *GetStandardTokenManagerInstance(void)
430 {
431 return &g_asyTokenManagerInstance;
432 }