• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (c) 2024 Huawei Device Co., Ltd.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at
6  *
7  *     http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
16 #include "cmappcert_fuzzer.h"
17 
18 #include "cm_fuzz_test_common.h"
19 #include "cm_test_common.h"
20 #include "cm_cert_data_rsa.h"
21 #include "cm_ipc_client_serialization.h"
22 #include "cm_ipc_service.h"
23 #include "cm_param.h"
24 #include "cert_manager_api.h"
25 #include "cm_type.h"
26 
27 using namespace CmFuzzTest;
28 namespace OHOS {
29     constexpr uint32_t TEST_USERID = 100;
30     constexpr uint32_t MIN_DATA_USE_TIME = 4;
InstallAppCert(uint8_t * tmpData,uint32_t * remainSize,uint32_t * offset,uint32_t store,struct CmBlob * keyUri)31     static bool InstallAppCert(uint8_t *tmpData, uint32_t *remainSize, uint32_t *offset, uint32_t store,
32         struct CmBlob *keyUri)
33     {
34         uint8_t certAliasBuf[] = "keyA";
35         struct CmBlob certAlias = { sizeof(certAliasBuf), certAliasBuf };
36         if (TenPercentChanceOfBeingTrue(tmpData, remainSize, offset)) {
37             if (!GetCmBlobFromBuffer(tmpData, remainSize, offset, keyUri)) {
38                 return false;
39             }
40         }
41 
42         const struct CmBlob appCert = { sizeof(g_rsa2048P12CertInfo), const_cast<uint8_t *>(g_rsa2048P12CertInfo) };
43         const struct CmBlob appCertPwd = { sizeof(g_certPwd), const_cast<uint8_t *>(g_certPwd) };
44         struct CmParam params01[] = {
45             { .tag = CM_TAG_PARAM0_BUFFER, .blob = appCert },
46             { .tag = CM_TAG_PARAM1_BUFFER, .blob = appCertPwd },
47             { .tag = CM_TAG_PARAM2_BUFFER, .blob = certAlias },
48             { .tag = CM_TAG_PARAM0_UINT32, .uint32Param = store },
49             { .tag = CM_TAG_PARAM1_UINT32, .uint32Param = TEST_USERID },
50         };
51         struct CmParamSet *paramSet01 = NULL;
52         int32_t ret = CmParamsToParamSet(params01, CM_ARRAY_SIZE(params01), &paramSet01);
53         if (ret != CM_SUCCESS) {
54             return false;
55         }
56         struct CmBlob paramSetBlob = { paramSet01->paramSetSize, reinterpret_cast<uint8_t *>(paramSet01) };
57 
58         (void)CmIpcServiceInstallAppCert(&paramSetBlob, keyUri, nullptr);
59         CmFreeParamSet(&paramSet01);
60         return true;
61     }
62 
GetAllAppCert(uint8_t * tmpData,uint32_t * remainSize,uint32_t * offset,uint32_t store)63     static bool GetAllAppCert(uint8_t *tmpData, uint32_t *remainSize, uint32_t *offset, uint32_t store)
64     {
65         struct CmParam params02[] = { { .tag = CM_TAG_PARAM0_UINT32, .uint32Param = store } };
66         struct CmParamSet *paramSet02 = NULL;
67         int32_t ret = CmParamsToParamSet(params02, CM_ARRAY_SIZE(params02), &paramSet02);
68         if (ret != CM_SUCCESS) {
69             return false;
70         }
71         struct CmBlob paramSetBlob = { paramSet02->paramSetSize, reinterpret_cast<uint8_t *>(paramSet02) };
72 
73         (void)CmIpcServiceGetAppCertList(&paramSetBlob, nullptr, nullptr);
74         CmFreeParamSet(&paramSet02);
75         return true;
76     }
77 
GetAppCert(uint8_t * tmpData,uint32_t * remainSize,uint32_t * offset,uint32_t store,struct CmBlob * keyUri)78     static bool GetAppCert(uint8_t *tmpData, uint32_t *remainSize, uint32_t *offset, uint32_t store,
79         struct CmBlob *keyUri)
80     {
81         if (TenPercentChanceOfBeingTrue(tmpData, remainSize, offset)) {
82             if (!GetCmBlobFromBuffer(tmpData, remainSize, offset, keyUri)) {
83                 return false;
84             }
85         }
86 
87         struct CmParam params03[] = {
88             { .tag = CM_TAG_PARAM0_BUFFER, .blob = *keyUri },
89             { .tag = CM_TAG_PARAM0_UINT32, .uint32Param = store },
90         };
91         struct CmParamSet *paramSet03 = NULL;
92         int32_t ret = CmParamsToParamSet(params03, CM_ARRAY_SIZE(params03), &paramSet03);
93         if (ret != CM_SUCCESS) {
94             return false;
95         }
96         struct CmBlob paramSetBlob = { paramSet03->paramSetSize, reinterpret_cast<uint8_t *>(paramSet03) };
97 
98         (void)CmIpcServiceGetAppCert(&paramSetBlob, nullptr, nullptr);
99         CmFreeParamSet(&paramSet03);
100         return true;
101     }
102 
UnInstallAppCert(uint8_t * tmpData,uint32_t * remainSize,uint32_t * offset,uint32_t store,struct CmBlob * keyUri)103     static bool UnInstallAppCert(uint8_t *tmpData, uint32_t *remainSize, uint32_t *offset, uint32_t store,
104         struct CmBlob *keyUri)
105     {
106         if (TenPercentChanceOfBeingTrue(tmpData, remainSize, offset)) {
107             if (!GetCmBlobFromBuffer(tmpData, remainSize, offset, keyUri)) {
108                 return false;
109             }
110         }
111 
112         struct CmParam params04[] = {
113             { .tag = CM_TAG_PARAM0_BUFFER, .blob = *keyUri },
114             { .tag = CM_TAG_PARAM0_UINT32, .uint32Param = store },
115         };
116         struct CmParamSet *paramSet04 = NULL;
117         int32_t ret = CmParamsToParamSet(params04, CM_ARRAY_SIZE(params04), &paramSet04);
118         if (ret != CM_SUCCESS) {
119             return false;
120         }
121         struct CmBlob paramSetBlob = { paramSet04->paramSetSize, reinterpret_cast<uint8_t *>(paramSet04) };
122 
123         (void)CmIpcServiceUninstallAppCert(&paramSetBlob, nullptr, nullptr);
124         CmFreeParamSet(&paramSet04);
125         return true;
126     }
127 
DoSomethingInterestingWithMyAPI(const uint8_t * data,size_t size)128     bool DoSomethingInterestingWithMyAPI(const uint8_t* data, size_t size)
129     {
130         uint8_t *tmpData = nullptr;
131         if (!CopyMyData(data, size, sizeof(uint32_t) * MIN_DATA_USE_TIME, &tmpData)) {
132             return false;
133         }
134 
135         uint32_t remainSize = static_cast<uint32_t>(size);
136         uint32_t offset = 0;
137         CertmanagerTest::MockHapToken mockHap;
138 
139         uint32_t store;
140         if (!GetUintFromBuffer(tmpData, &remainSize, &offset, &store)) {
141             CmFree(tmpData);
142             return false;
143         }
144         store %= CM_SYS_CREDENTIAL_STORE + 1;
145         bool ret = false;
146         uint8_t uriBuf[MAX_LEN_URI] = {0};
147         struct CmBlob keyUri = { sizeof(uriBuf), uriBuf };
148 
149         do {
150             if (!InstallAppCert(tmpData, &remainSize, &offset, store, &keyUri)) {
151                 break;
152             }
153 
154             if (!GetAllAppCert(tmpData, &remainSize, &offset, store)) {
155                 break;
156             }
157 
158             if (!GetAppCert(tmpData, &remainSize, &offset, store, &keyUri)) {
159                 break;
160             }
161 
162             if (!UnInstallAppCert(tmpData, &remainSize, &offset, store, &keyUri)) {
163                 break;
164             }
165             ret = true;
166         } while (0);
167         (void)CmIpcServiceUninstallAllAppCert(nullptr, nullptr, nullptr);
168         CmFree(tmpData);
169         return ret;
170     }
171 }
172 
173 /* Fuzzer entry point */
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)174 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
175 {
176     /* Run your code on data */
177     OHOS::DoSomethingInterestingWithMyAPI(data, size);
178     return 0;
179 }
180 
181