1 /*
2 * Copyright (c) 2025 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #ifndef OHOS_DM_AUTH_MESSAGE_PROCESSOR_V2_H
17 #define OHOS_DM_AUTH_MESSAGE_PROCESSOR_V2_H
18
19 #include <memory>
20
21 #include "access_control_profile.h"
22 #include "crypto_mgr.h"
23 #include "deviceprofile_connector.h"
24 #include "dm_ability_manager.h"
25 #include "json_object.h"
26
27 namespace OHOS {
28 namespace DistributedHardware {
29 struct DmAuthContext;
30 struct DmAccess;
31 struct DmProxyAuthContext;
32 struct DmProxyAccess;
33
34 extern const char* TAG_LNN_PUBLIC_KEY;
35 extern const char* TAG_TRANSMIT_PUBLIC_KEY;
36 extern const char* TAG_LNN_CREDENTIAL_ID;
37 extern const char* TAG_TRANSMIT_CREDENTIAL_ID;
38 extern const char* TAG_CONFIRM_OPERATION_V2;
39 extern const char* TAG_AUTH_TYPE_LIST;
40 extern const char* TAG_CURRENT_AUTH_TYPE_IDX;
41
42 // IS interface input parameter json format string key
43 extern const char* TAG_METHOD;
44 extern const char* TAG_PEER_USER_SPACE_ID;
45 extern const char* TAG_SUBJECT;
46 extern const char* TAG_CRED_TYPE;
47 extern const char* TAG_KEY_FORMAT;
48 extern const char* TAG_ALGORITHM_TYPE;
49 extern const char* TAG_PROOF_TYPE;
50 extern const char* TAG_KEY_VALUE;
51 extern const char* TAG_AUTHORIZED_SCOPE;
52 extern const char* TAG_AUTHORIZED_APP_LIST;
53 extern const char* TAG_CREDENTIAL_OWNER;
54 extern const char* TAG_SYNC;
55 extern const char* TAG_ACCESS;
56 extern const char* TAG_PROXY;
57 extern const char* TAG_ACL;
58 extern const char* TAG_ACCESSER;
59 extern const char* TAG_ACCESSEE;
60 extern const char* TAG_SERVICEINFO;
61 extern const char* TAG_USER_CONFIRM_OPT;
62 // The local SK information is synchronized to the remote end to construct acl-accesser/accessee.
63 extern const char* TAG_TRANSMIT_SK_ID;
64 extern const char* TAG_LNN_SK_ID;
65 extern const char* TAG_TRANSMIT_SK_TIMESTAMP;
66 extern const char* TAG_LNN_SK_TIMESTAMP;
67 extern const char* TAG_USER_ID;
68 extern const char* TAG_TOKEN_ID;
69 extern const char* TAG_NETWORKID_ID;
70 extern const char* TAG_ISSUER;
71
72 extern const char* TAG_DEVICE_VERSION;
73 extern const char* TAG_DEVICE_NAME;
74 extern const char* TAG_DEVICE_ID_HASH;
75 extern const char* TAG_ACCOUNT_ID_HASH;
76 extern const char* TAG_TOKEN_ID_HASH;
77 extern const char* TAG_SESSION_NAME;
78 extern const char* TAG_ACL_CHECKSUM;
79 extern const char* TAG_COMPRESS_ORI_LEN;
80 extern const char* TAG_COMPRESS;
81 extern const char* TAG_REPLY;
82 extern const char* TAG_STATE;
83 extern const char* TAG_REASON;
84 extern const char* TAG_PEER_USER_ID;
85 extern const char* TAG_PEER_DISPLAY_ID;
86 extern const char* TAG_EXTRA_INFO;
87
88 extern const char* TAG_IS_ONLINE;
89 extern const char* TAG_IS_AUTHED;
90 extern const char* TAG_CREDENTIAL_INFO;
91 extern const char* TAG_CERT_INFO;
92 extern const char* TAG_LANGUAGE;
93 extern const char* TAG_ULTRASONIC_SIDE;
94
95 // Logical Session Tag
96 constexpr const char* DM_TAG_LOGICAL_SESSION_ID = "logicalSessionId";
97
98 // Message type
99 enum DmMessageType {
100 // Terminate/Exception Message
101 MSG_TYPE_UNKNOWN = 0,
102 MSG_TYPE_AUTH_TERMINATE = 1,
103 // Normal Message
104 MSG_TYPE_REQ_ACL_NEGOTIATE = 80,
105 MSG_TYPE_RESP_ACL_NEGOTIATE = 90,
106 MSG_TYPE_REQ_USER_CONFIRM = 100,
107 MSG_TYPE_FORWARD_ULTRASONIC_START = 101,
108 MSG_TYPE_REVERSE_ULTRASONIC_START = 102,
109 MSG_TYPE_RESP_USER_CONFIRM = 110,
110 MSG_TYPE_FORWARD_ULTRASONIC_NEGOTIATE = 111,
111 MSG_TYPE_REVERSE_ULTRASONIC_DONE = 112,
112 MSG_TYPE_REQ_PIN_AUTH_START = 120,
113 MSG_TYPE_RESP_PIN_AUTH_START = 130,
114 MSG_TYPE_REQ_PIN_AUTH_MSG_NEGOTIATE = 121,
115 MSG_TYPE_RESP_PIN_AUTH_MSG_NEGOTIATE = 131,
116 MSG_TYPE_REQ_CREDENTIAL_EXCHANGE = 140,
117 MSG_TYPE_RESP_CREDENTIAL_EXCHANGE = 150,
118 MSG_TYPE_REQ_SK_DERIVE = 141,
119 MSG_TYPE_RESP_SK_DERIVE = 151,
120 MSG_TYPE_REQ_CREDENTIAL_AUTH_START = 160,
121 MSG_TYPE_RESP_CREDENTIAL_AUTH_START = 170,
122 MSG_TYPE_REQ_CREDENTIAL_AUTH_NEGOTIATE = 161,
123 MSG_TYPE_RESP_CREDENTIAL_AUTH_NEGOTIATE = 171,
124 MSG_TYPE_REQ_DATA_SYNC = 180,
125 MSG_TYPE_RESP_DATA_SYNC = 190,
126 MSG_TYPE_AUTH_REQ_FINISH = 200,
127 MSG_TYPE_AUTH_RESP_FINISH = 201,
128 };
129
130 struct DmAccessControlTable {
131 int32_t accessControlId;
132 int64_t accesserId;
133 int64_t accesseeId;
134 std::string deviceId;
135 std::string sessionKey;
136 int32_t bindType;
137 uint32_t authType;
138 uint32_t deviceType;
139 std::string deviceIdHash;
140 int32_t status;
141 int32_t validPeriod;
142 int32_t lastAuthTime;
143 uint32_t bindLevel;
144 };
145
146 // Structure used for synchronizing ACL access
147 // Attention: Modifying this structure requires updating the From/ToJson functions in dm_auth_message_processor.cpp.
148 struct DmAccessToSync {
149 // the deviceName translate in 80/90 messages, cleaned the privacy info
150 std::string deviceName;
151 // the device display name, which need save in DB
152 std::string deviceNameFull;
153 // For A->B communication, whether it's the A end or B end, the Accesser object stores
154 // the A end's deviceId, and the Accessee object stores the B end's deviceId
155 std::string deviceId;
156 int32_t userId;
157 std::string accountId;
158 uint64_t tokenId;
159 std::string bundleName; // Stores the bundleName, HAP -> bundleName in BMS, SA -> process name
160 std::string pkgName; // Store pkgName set by client
161 int32_t bindLevel; // Passed through for business purposes, no custom definition required
162 int32_t sessionKeyId; // User credential ID
163 int64_t skTimeStamp; // Used for aging, time is 2 days, user-level credential timestamp
164 // the user confirm operation result for the confirm dialog, means allow or allow always.
165 int32_t userConfirmOperation = UiAction::USER_OPERATION_TYPE_CANCEL_AUTH;
166 };
167
168 // json and struct conversion functions
169 void ToJson(JsonItemObject &itemObject, const DmAccessControlTable &table);
170 void FromJson(const JsonItemObject &itemObject, DmAccessControlTable &table);
171 void ToJson(JsonItemObject &itemObject, const DmAccessToSync &table);
172 void FromJson(const JsonItemObject &itemObject, DmAccessToSync &table);
173
174 using JsonTypeCheckFuncPtr = bool (JsonItemObject::*)() const;
175
176 template <typename T>
SetValueFromJson(const JsonItemObject & itemObject,const std::string & key,JsonTypeCheckFuncPtr funcPtr,T & value)177 void SetValueFromJson(const JsonItemObject &itemObject, const std::string &key,
178 JsonTypeCheckFuncPtr funcPtr, T &value)
179 {
180 if (itemObject.Contains(key) && (itemObject[key].*funcPtr)()) {
181 value = itemObject[key].Get<T>();
182 }
183 }
184
185 class DmAuthMessageProcessor {
186 public:
187 using CreateMessageFuncPtr =
188 int32_t (DmAuthMessageProcessor::*)(std::shared_ptr<DmAuthContext>, JsonObject &jsonObject);
189 using ParaseMessageFuncPtr =
190 int32_t (DmAuthMessageProcessor::*)(const JsonObject &, std::shared_ptr<DmAuthContext>);
191
192 DmAuthMessageProcessor();
193 ~DmAuthMessageProcessor();
194 // Parse the message, and save the parsed information to the context
195 int32_t ParseMessage(std::shared_ptr<DmAuthContext> context, const std::string &message);
196 // Create a message, construct the corresponding message based on msgType
197 std::string CreateMessage(DmMessageType msgType, std::shared_ptr<DmAuthContext> context);
198
199 // Create and send a message
200 void CreateAndSendMsg(DmMessageType msgType, std::shared_ptr<DmAuthContext> context);
201
202 // Save the session key
203 int32_t SaveSessionKey(const uint8_t *sessionKey, const uint32_t keyLen);
204
205 // Save the permanent session key to the data profile
206 int32_t SaveSessionKeyToDP(int32_t userId, int32_t &skId);
207 int32_t SaveDerivativeSessionKeyToDP(int32_t userId, const std::string &suffix, int32_t &skId);
208 int32_t GetSessionKey(int32_t userId, int32_t &skId);
209 // Save the current access control list
210 int32_t PutAccessControlList(std::shared_ptr<DmAuthContext> context,
211 DmAccess &access, std::string trustDeviceId);
212 int32_t SetProxyAccess(std::shared_ptr<DmAuthContext> context, DmProxyAuthContext &proxyAuthContext,
213 DistributedDeviceProfile::Accesser &accesser, DistributedDeviceProfile::Accessee &accessee);
214 int32_t PutProxyAccessControlList(std::shared_ptr<DmAuthContext> context,
215 DistributedDeviceProfile::AccessControlProfile &profile, DistributedDeviceProfile::Accesser &accesser,
216 DistributedDeviceProfile::Accessee &accessee);
217 bool IsExistTheToken(JsonObject &proxyObj, int64_t tokenId);
218 void SetAclProxyRelate(std::shared_ptr<DmAuthContext> context);
219 void SetAclProxyRelate(std::shared_ptr<DmAuthContext> context,
220 DistributedDeviceProfile::AccessControlProfile &profile);
221 // Extract the access control list (ACL) for message parsing and bus usage.
222 // If no ACL is available, return an empty string. The returned string is in
223 // JSON format: {dmversion:x,accesser:[{accesserDeviceId:y,...},...], accessee:{...}}
224 int32_t DeleteSessionKeyToDP(int32_t userId, int32_t skId);
225
226 void DmAuthUltrasonicMessageProcessor();
227
228 private:
229 // construct function implementation
230 void ConstructCreateMessageFuncMap();
231 void ConstructParseMessageFuncMap();
232 // Internal implementations for various message types
233 // Used to encrypt the synchronization message
234 int32_t EncryptSyncMessage(std::shared_ptr<DmAuthContext> &context, DmAccess &accessSide, std::string &encSyncMsg);
235 int32_t CreateProxyAccessMessage(std::shared_ptr<DmAuthContext> &context, JsonObject &syncMsgJson);
236 // Parse the authentication start message
237 int32_t ParseAuthStartMessage(const JsonObject &jsonObject, std::shared_ptr<DmAuthContext> context);
238
239 // Parse the 80 message
240 int32_t ParseNegotiateMessage(const JsonObject &jsonObject, std::shared_ptr<DmAuthContext> context);
241 int32_t ParseProxyNegotiateMessage(const JsonObject &jsonObject, std::shared_ptr<DmAuthContext> context);
242 // Parse the 90 message
243 int32_t ParseMessageRespAclNegotiate(const JsonObject &json, std::shared_ptr<DmAuthContext> context);
244 int32_t ParseMessageProxyRespAclNegotiate(const JsonObject &jsonObject, std::shared_ptr<DmAuthContext> context);
245 // Parse the 100 message
246 int32_t ParseMessageReqUserConfirm(const JsonObject &json, std::shared_ptr<DmAuthContext> context);
247 int32_t ParseMessageProxyReqUserConfirm(const JsonObject &json, std::shared_ptr<DmAuthContext> context);
248 // Parse the 110 message
249 int32_t ParseMessageRespUserConfirm(const JsonObject &json, std::shared_ptr<DmAuthContext> context);
250 int32_t ParseMessageProxyRespUserConfirm(const JsonObject &json, std::shared_ptr<DmAuthContext> context);
251 // Parse the 120 message
252 int32_t ParseMessageReqPinAuthStart(const JsonObject &json, std::shared_ptr<DmAuthContext> context);
253 // Parse the 130 message
254 int32_t ParseMessageRespPinAuthStart(const JsonObject &json, std::shared_ptr<DmAuthContext> context);
255 // Parse the 121 message
256 int32_t ParseMessageReqPinAuthNegotiate(const JsonObject &json, std::shared_ptr<DmAuthContext> context);
257 // Parse the 131 message
258 int32_t ParseMessageRespPinAuthNegotiate(const JsonObject &jsonObject, std::shared_ptr<DmAuthContext> context);
259 // Parse the 140 message
260 int32_t ParseMessageReqCredExchange(const JsonObject &jsonObject, std::shared_ptr<DmAuthContext> context);
261 // Parse the 150 message
262 int32_t ParseMessageRspCredExchange(const JsonObject &jsonObject, std::shared_ptr<DmAuthContext> context);
263 int32_t ParseProxyCredExchangeToSync(std::shared_ptr<DmAuthContext> &context, JsonObject &jsonObject);
264 // Parse the 141 message
265 int32_t ParseMessageReqSKDerive(const JsonObject &jsonObject, std::shared_ptr<DmAuthContext> context);
266 // Parse the 151 message
267 int32_t ParseMessageRspSKDerive(const JsonObject &jsonObject, std::shared_ptr<DmAuthContext> context);
268 // Parse the 161, 170, and 171 messages
269 int32_t ParseMessageNegotiateTransmit(const JsonObject &jsonObject, std::shared_ptr<DmAuthContext> context);
270 // Parse the 180 message
271 int32_t ParseMessageSyncReq(const JsonObject &jsonObject, std::shared_ptr<DmAuthContext> context);
272 // Parse the 190 message
273 int32_t ParseMessageSyncResp(const JsonObject &jsonObject, std::shared_ptr<DmAuthContext> context);
274 // Parse the 200 message
275 int32_t ParseMessageSinkFinish(const JsonObject &jsonObject, std::shared_ptr<DmAuthContext> context);
276 // Parse the 201 message
277 int32_t ParseMessageSrcFinish(const JsonObject &jsonObject, std::shared_ptr<DmAuthContext> context);
278 // Parse the 102 message
279 int32_t ParseMessageReverseUltrasonicStart(const JsonObject &jsonObject, std::shared_ptr<DmAuthContext> context);
280 // Parse the 112 message
281 int32_t ParseMessageReverseUltrasonicDone(const JsonObject &jsonObject, std::shared_ptr<DmAuthContext> context);
282 // Parse the 101 message
283 int32_t ParseMessageForwardUltrasonicStart(const JsonObject &jsonObject, std::shared_ptr<DmAuthContext> context);
284 // Parse the 111 message
285 int32_t ParseMessageForwardUltrasonicNegotiate(const JsonObject &jsonObject,
286 std::shared_ptr<DmAuthContext> context);
287
288 // Create the 80 message
289 int32_t CreateNegotiateMessage(std::shared_ptr<DmAuthContext> context, JsonObject &jsonObject);
290 int32_t CreateProxyNegotiateMessage(std::shared_ptr<DmAuthContext> context, JsonObject &jsonObject);
291 // Create the 90 message
292 int32_t CreateRespNegotiateMessage(std::shared_ptr<DmAuthContext> context, JsonObject &jsonObject);
293 int32_t CreateProxyRespNegotiateMessage(std::shared_ptr<DmAuthContext> context, JsonObject &jsonObject);
294 // Create the 100 message
295 int32_t CreateMessageReqUserConfirm(std::shared_ptr<DmAuthContext> context, JsonObject &json);
296 int32_t CreateMessageProxyReqUserConfirm(std::shared_ptr<DmAuthContext> context, JsonObject &json);
297 // Create the 110 message
298 int32_t CreateMessageRespUserConfirm(std::shared_ptr<DmAuthContext> context, JsonObject &json);
299 // Create the 120 message
300 int32_t CreateMessageReqPinAuthStart(std::shared_ptr<DmAuthContext> context, JsonObject &json);
301 // Create the 130 message
302 int32_t CreateMessageRespPinAuthStart(std::shared_ptr<DmAuthContext> context, JsonObject &json);
303 // Create the 121 message
304 int32_t CreateMessageReqPinAuthNegotiate(std::shared_ptr<DmAuthContext> context, JsonObject &json);
305 // Create the 131 message
306 int32_t CreateMessageRespPinAuthNegotiate(std::shared_ptr<DmAuthContext> context, JsonObject &json);
307 // Create the 140 message
308 int32_t CreateMessageReqCredExchange(std::shared_ptr<DmAuthContext> context, JsonObject &jsonObject);
309 // Create the 150 message
310 int32_t CreateMessageRspCredExchange(std::shared_ptr<DmAuthContext> context, JsonObject &jsonObject);
311 int32_t CreateProxyCredExchangeMessage(std::shared_ptr<DmAuthContext> &context, JsonObject &jsonData);
312 // Create 141 message.
313 int32_t CreateMessageReqSKDerive(std::shared_ptr<DmAuthContext> context, JsonObject &jsonObject);
314 // Create 151 message.
315 int32_t CreateMessageRspSKDerive(std::shared_ptr<DmAuthContext> context, JsonObject &jsonObject);
316 // Create the 160 message
317 int32_t CreateMessageReqCredAuthStart(std::shared_ptr<DmAuthContext> context, JsonObject &jsonObject);
318 // Construct the 161, 170, and 171 credential authentication messages
319 int32_t CreateCredentialNegotiateMessage(std::shared_ptr<DmAuthContext> context, JsonObject &jsonObject);
320 int32_t CreateNegotiateOldMessage(std::shared_ptr<DmAuthContext> context, JsonObject &jsonObject);
321 // Construct the 180 and 190 sync messages
322 int32_t CreateSyncMessage(std::shared_ptr<DmAuthContext> context, JsonObject &jsonObject);
323 // Create the 190 message
324 int32_t CreateMessageSyncResp(std::shared_ptr<DmAuthContext> context, JsonObject &jsonObject);
325 // Create the 200 message
326 int32_t CreateMessageFinish(std::shared_ptr<DmAuthContext> context, JsonObject &jsonObject);
327
328 // Compress the sync message
329 std::string CompressSyncMsg(std::string &inputStr);
330 // Decompress the sync message
331 std::string DecompressSyncMsg(std::string& compressed, uint32_t oriLen);
332 // Serialize the ACL
333 int32_t ACLToStr(DistributedDeviceProfile::AccessControlProfile acl, std::string aclStr);
334 // Decrypt the 180 and 190 messages
335 int32_t DecryptSyncMessage(std::shared_ptr<DmAuthContext> &context,
336 DmAccess &access, std::string &enSyncMsg);
337 // Parse the sync message
338 int32_t ParseSyncMessage(std::shared_ptr<DmAuthContext> &context,
339 DmAccess &access, JsonObject &jsonObject);
340 int32_t ParseProxyAccessToSync(std::shared_ptr<DmAuthContext> &context, JsonObject &jsonObject);
341 int32_t CreateMessageForwardUltrasonicStart(std::shared_ptr<DmAuthContext> context, JsonObject &jsonObject);
342 int32_t CreateMessageReverseUltrasonicStart(std::shared_ptr<DmAuthContext> context, JsonObject &jsonObject);
343 int32_t CreateMessageForwardUltrasonicNegotiate(std::shared_ptr<DmAuthContext> context, JsonObject &jsonObject);
344 int32_t CreateMessageReverseUltrasonicDone(std::shared_ptr<DmAuthContext> context, JsonObject &jsonObject);
345
346 std::string Base64Encode(std::string &inputStr);
347 std::string Base64Decode(std::string &inputStr);
348 void SetAccessControlList(std::shared_ptr<DmAuthContext> context,
349 DistributedDeviceProfile::AccessControlProfile &profile);
350 void SetTransmitAccessControlList(std::shared_ptr<DmAuthContext> context,
351 DistributedDeviceProfile::Accesser &accesser, DistributedDeviceProfile::Accessee &accessee);
352 void SetLnnAccessControlList(std::shared_ptr<DmAuthContext> context,
353 DistributedDeviceProfile::Accesser &accesser, DistributedDeviceProfile::Accessee &accessee);
354 int32_t CheckLogicalSessionId(const JsonObject &jsonObject, std::shared_ptr<DmAuthContext> context);
355 bool CheckAccessValidityAndAssign(std::shared_ptr<DmAuthContext> &context, DmAccess &access,
356 DmAccess &accessTmp);
357 void ParseUltrasonicSide(const JsonObject &jsonObject, std::shared_ptr<DmAuthContext> context);
358 void ParseCert(const JsonObject &jsonObject, std::shared_ptr<DmAuthContext> context);
359 void ParseAccesserInfo(const JsonObject &jsonObject, std::shared_ptr<DmAuthContext> context);
360 std::shared_ptr<CryptoMgr> cryptoMgr_ = nullptr;
361 std::unordered_map<DmMessageType, CreateMessageFuncPtr> createMessageFuncMap_;
362 std::unordered_map<DmMessageType, ParaseMessageFuncPtr> paraseMessageFuncMap_;
363 };
364 } // namespace DistributedHardware
365 } // namespace OHOS
366 #endif // OHOS_DM_AUTH_MESSAGE_PROCESSOR_V2_H