1 /*
2 * Copyright (C) 2025 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "alg_defs.h"
17 #include "alg_loader.h"
18 #include "hc_log.h"
19 #include "identity_manager.h"
20 #include "asy_token_manager.h"
21 #include "pseudonym_manager.h"
22 #include "identity_service_defines.h"
23 #include "identity_operation.h"
24 #include "cert_operation.h"
25 #include "hal_error.h"
26 #include "account_module_defines.h"
27
CreateUrlStr(uint8_t credType,int32_t keyType,char ** urlStr)28 static int32_t CreateUrlStr(uint8_t credType, int32_t keyType, char **urlStr)
29 {
30 TrustType trustType = TRUST_TYPE_P2P;
31 if (credType != ACCOUNT_UNRELATED) {
32 trustType = TRUST_TYPE_UID;
33 }
34 CJson *urlJson = CreateCredUrlJson(PRE_SHARED, keyType, trustType);
35 if (!urlJson) {
36 LOGE("Failed to create CredUrlJson info!");
37 return HC_ERR_ALLOC_MEMORY;
38 }
39 char *str = PackJsonToString(urlJson);
40 FreeJson(urlJson);
41 if (str == NULL) {
42 LOGE("Failed to PackJsonToString!");
43 return HC_ERR_PACKAGE_JSON_TO_STRING_FAIL;
44 }
45 *urlStr = str;
46 return HC_SUCCESS;
47 }
48
ConvertISProofTypeToCertType(uint32_t protocolType,IdentityProofType * returnType)49 static int32_t ConvertISProofTypeToCertType(uint32_t protocolType, IdentityProofType *returnType)
50 {
51 if (protocolType == PROOF_TYPE_PSK) {
52 *returnType = PRE_SHARED;
53 return HC_SUCCESS;
54 } else if (protocolType == PROOF_TYPE_PKI) {
55 *returnType = CERTIFICATED;
56 return HC_SUCCESS;
57 }
58 return HC_ERR_NOT_SUPPORT;
59 }
60
ConvertISAlgToCertAlg(uint32_t alg,Algorithm * returnAlg)61 static int32_t ConvertISAlgToCertAlg(uint32_t alg, Algorithm *returnAlg)
62 {
63 if (alg == ALGO_TYPE_P256) {
64 *returnAlg = P256;
65 return HC_SUCCESS;
66 }
67 return HC_ERR_NOT_SUPPORT;
68 }
69
GetProofTypeFromContext(const CJson * context,uint32_t * returnProofType)70 static int32_t GetProofTypeFromContext(const CJson *context, uint32_t *returnProofType)
71 {
72 CJson *credAuthInfo = GetObjFromJson(context, FIELD_CREDENTIAL_OBJ);
73 if (credAuthInfo == NULL) {
74 LOGE("Get self credAuthInfo fail.");
75 return HC_ERR_JSON_GET;
76 }
77 uint32_t proofType = 0;
78 if (GetUnsignedIntFromJson(credAuthInfo, FIELD_PROOF_TYPE, &proofType) != HC_SUCCESS) {
79 LOGE("Get proofType fail.");
80 return HC_ERR_JSON_GET;
81 }
82 *returnProofType = proofType;
83 return HC_SUCCESS;
84 }
85
ISSetISOEntity(IdentityInfo * info)86 static int32_t ISSetISOEntity(IdentityInfo *info)
87 {
88 #ifdef ENABLE_ACCOUNT_AUTH_ISO
89 ProtocolEntity *entity = (ProtocolEntity *)HcMalloc(sizeof(ProtocolEntity), 0);
90 if (entity == NULL) {
91 LOGE("Failed to alloc memory for ISO protocol entity!");
92 return HC_ERR_ALLOC_MEMORY;
93 }
94 entity->protocolType = ALG_ISO;
95 entity->expandProcessCmds = 0;
96 if (info->protocolVec.pushBack(&info->protocolVec, (const ProtocolEntity **)&entity) == NULL) {
97 HcFree(entity);
98 LOGE("Failed to push protocol entity!");
99 return HC_ERR_ALLOC_MEMORY;
100 }
101 return HC_SUCCESS;
102 #else
103 (void)info;
104 LOGE("ISO not support!");
105 return HC_ERR_NOT_SUPPORT;
106 #endif
107 }
108
ISSetEcSpekeEntity(IdentityInfo * info,bool isNeedRefreshPseudonymId)109 static int32_t ISSetEcSpekeEntity(IdentityInfo *info, bool isNeedRefreshPseudonymId)
110 {
111 #ifdef ENABLE_ACCOUNT_AUTH_EC_SPEKE
112 ProtocolEntity *entity = (ProtocolEntity *)HcMalloc(sizeof(ProtocolEntity), 0);
113 if (entity == NULL) {
114 LOGE("Failed to alloc memory for ec-speke protocol entity!");
115 return HC_ERR_ALLOC_MEMORY;
116 }
117 entity->protocolType = ALG_EC_SPEKE;
118 entity->expandProcessCmds = 0;
119 #ifdef ENABLE_PSEUDONYM
120 if (isNeedRefreshPseudonymId) {
121 entity->expandProcessCmds |= CMD_MK_AGREE;
122 }
123 #else
124 (void)isNeedRefreshPseudonymId;
125 #endif
126 if (info->protocolVec.pushBack(&info->protocolVec, (const ProtocolEntity **)&entity) == NULL) {
127 HcFree(entity);
128 LOGE("Failed to push protocol entity!");
129 return HC_ERR_ALLOC_MEMORY;
130 }
131 return HC_SUCCESS;
132 #else
133 (void)info;
134 (void)isNeedRefreshPseudonymId;
135 LOGE("ec speke not support!");
136 return HC_ERR_NOT_SUPPORT;
137 #endif
138 }
139
ISSetCertInfoAndEntity(int32_t osAccountId,const CJson * context,const CJson * credAuthInfo,bool isPseudonym,IdentityInfo * info)140 static int32_t ISSetCertInfoAndEntity(int32_t osAccountId, const CJson *context, const CJson *credAuthInfo,
141 bool isPseudonym, IdentityInfo *info)
142 {
143 const char *authId = GetStringFromJson(credAuthInfo, FIELD_DEVICE_ID);
144 if (authId == NULL) {
145 LOGE("Failed to get auth ID!");
146 return HC_ERR_JSON_GET;
147 }
148 AccountToken *token = CreateAccountToken();
149 if (token == NULL) {
150 LOGE("Failed to create account token!");
151 return HC_ERR_ALLOC_MEMORY;
152 }
153 const char *userId = GetStringFromJson(context, FIELD_USER_ID);
154 if (userId == NULL) {
155 LOGE("Failed to get user ID!");
156 DestroyAccountToken(token);
157 return HC_ERR_JSON_GET;
158 }
159 int32_t res = GetAccountAuthTokenManager()->getToken(osAccountId, token, userId, authId);
160 if (res != HC_SUCCESS) {
161 LOGE("Failed to get account token!");
162 DestroyAccountToken(token);
163 return res;
164 }
165 res = GenerateCertInfo(&token->pkInfoStr, &token->pkInfoSignature, &info->proof.certInfo);
166 DestroyAccountToken(token);
167 if (res != HC_SUCCESS) {
168 LOGE("Failed to generate cert info!");
169 return res;
170 }
171 uint32_t signAlg = 0;
172 if (GetUnsignedIntFromJson(credAuthInfo, FIELD_ALGORITHM_TYPE, &signAlg) != HC_SUCCESS) {
173 LOGE("Failed to get algorithm type!");
174 return HC_ERR_JSON_GET;
175 }
176 res = ConvertISAlgToCertAlg(signAlg, &info->proof.certInfo.signAlg);
177 if (res != HC_SUCCESS) {
178 LOGE("unsupport algorithm type!");
179 return res;
180 }
181 info->proof.certInfo.isPseudonym = isPseudonym;
182 const char *pdidIndex = GetStringFromJson(context, FIELD_CRED_ID);
183 if (pdidIndex == NULL) {
184 LOGE("Failed to get cred ID!");
185 return HC_ERR_JSON_GET;
186 }
187 bool isNeedRefreshPseudonymId = GetPseudonymInstance()->isNeedRefreshPseudonymId(osAccountId, pdidIndex);
188 return ISSetEcSpekeEntity(info, isNeedRefreshPseudonymId);
189 }
190
ISSetPreShareUrlAndEntity(const CJson * credAuthInfo,IdentityInfo * info)191 static int32_t ISSetPreShareUrlAndEntity(const CJson *credAuthInfo, IdentityInfo *info)
192 {
193 uint8_t credType = ACCOUNT_UNRELATED;
194 if (GetUint8FromJson(credAuthInfo, FIELD_CRED_TYPE, &credType) != HC_SUCCESS) {
195 LOGE("get int from json failed!");
196 return HC_ERR_JSON_GET;
197 }
198 uint8_t keyFormat;
199 if (GetUint8FromJson(credAuthInfo, FIELD_KEY_FORMAT, &keyFormat) != HC_SUCCESS) {
200 LOGE("get int from json failed!");
201 return HC_ERR_JSON_GET;
202 }
203 int32_t res = HC_ERROR;
204 KeyType keyType;
205 if (keyFormat == SYMMETRIC_KEY) {
206 res = ISSetISOEntity(info);
207 keyType = KEY_TYPE_SYM;
208 } else if (keyFormat == ASYMMETRIC_KEY || keyFormat == ASYMMETRIC_PUB_KEY) {
209 res = ISSetEcSpekeEntity(info, false);
210 keyType = KEY_TYPE_ASYM;
211 }
212 if (res != HC_SUCCESS) {
213 return res;
214 }
215 char *urlStr = NULL;
216 res = CreateUrlStr(credType, keyType, &urlStr);
217 if (res != HC_SUCCESS) {
218 LOGE("Failed to create url string!");
219 return res;
220 }
221 res = SetPreSharedUrlForProof(urlStr, &info->proof.preSharedUrl);
222 FreeJsonString(urlStr);
223 if (res != HC_SUCCESS) {
224 LOGE("Failed to set preSharedUrl of proof!");
225 return res;
226 }
227 info->proofType = PRE_SHARED;
228 return HC_SUCCESS;
229 }
230
ISSetCertProofAndEntity(const CJson * context,bool isPseudonym,IdentityInfo * info)231 static int32_t ISSetCertProofAndEntity(const CJson *context, bool isPseudonym, IdentityInfo *info)
232 {
233 CJson *credAuthInfo = GetObjFromJson(context, FIELD_CREDENTIAL_OBJ);
234 if (credAuthInfo == NULL) {
235 LOGE("Get self credAuthInfo fail.");
236 return HC_ERR_JSON_GET;
237 }
238 int32_t res = HC_ERROR;
239 if (info->proofType == PRE_SHARED) {
240 res = ISSetPreShareUrlAndEntity(credAuthInfo, info);
241 if (res != HC_SUCCESS) {
242 LOGE("Failed to set preshared url");
243 }
244 } else if (info->proofType == CERTIFICATED) {
245 int32_t osAccountId = 0;
246 if (GetIntFromJson(context, FIELD_OS_ACCOUNT_ID, &osAccountId) != HC_SUCCESS) {
247 LOGE("Failed to get osAccountId!");
248 return HC_ERR_JSON_GET;
249 }
250 res = ISSetCertInfoAndEntity(osAccountId, context, credAuthInfo, isPseudonym, info);
251 if (res != HC_SUCCESS) {
252 LOGE("Failed to get cert info!");
253 }
254 } else {
255 res = HC_ERR_NOT_SUPPORT;
256 LOGE("unknown proof type!");
257 }
258 return res;
259 }
260
ISGetIdentityInfo(const CJson * context,bool isPseudonym,IdentityInfo ** returnInfo)261 static int32_t ISGetIdentityInfo(const CJson *context, bool isPseudonym, IdentityInfo **returnInfo)
262 {
263 uint32_t proofType = 0;
264 int32_t res = GetProofTypeFromContext(context, &proofType);
265 if (res != HC_SUCCESS) {
266 return res;
267 }
268 if (isPseudonym && proofType != PROOF_TYPE_PKI) {
269 return HC_SUCCESS;
270 }
271 IdentityInfo *info = CreateIdentityInfo();
272 if (info == NULL) {
273 LOGE("Failed to alloc memory for IdentityInfo!");
274 return HC_ERR_JSON_GET;
275 }
276 info->IdInfoType = DEFAULT_ID_TYPE;
277 do {
278 res = ConvertISProofTypeToCertType(proofType, &info->proofType);
279 if (res != HC_SUCCESS) {
280 LOGE("unsupport proof type!");
281 break;
282 }
283 res = ISSetCertProofAndEntity(context, isPseudonym, info);
284 if (res != HC_SUCCESS) {
285 LOGE("Failed to set cert proof and protocol entity!");
286 break;
287 }
288 } while (0);
289 if (res != HC_SUCCESS) {
290 DestroyIdentityInfo(info);
291 return res;
292 }
293 *returnInfo = info;
294 return HC_SUCCESS;
295 }
296
AddIdentityInfoToVec(const CJson * in,bool isPseudonym,IdentityInfoVec * vec)297 static int32_t AddIdentityInfoToVec(const CJson *in, bool isPseudonym, IdentityInfoVec *vec)
298 {
299 IdentityInfo *info = NULL;
300 int32_t res = ISGetIdentityInfo(in, isPseudonym, &info);
301 if (res != HC_SUCCESS) {
302 LOGE("Get Identity by credAuthInfo fail.");
303 return res;
304 }
305 if (info == NULL) {
306 return HC_SUCCESS;
307 }
308 if (vec->pushBack(vec, (const IdentityInfo **)&info) == NULL) {
309 DestroyIdentityInfo(info);
310 LOGE("Failed to push protocol entity!");
311 return HC_ERR_ALLOC_MEMORY;
312 }
313 return HC_SUCCESS;
314 }
315
GetCredInfosByPeerIdentity(const CJson * in,IdentityInfoVec * vec)316 static int32_t GetCredInfosByPeerIdentity(const CJson *in, IdentityInfoVec *vec)
317 {
318 if (in == NULL || vec == NULL) {
319 LOGE("Invalid input params!");
320 return HC_ERR_INVALID_PARAMS;
321 }
322 int32_t res = HC_ERROR;
323 #ifdef ENABLE_PSEUDONYM
324 //try enable pseudonym
325 res = AddIdentityInfoToVec(in, true, vec);
326 if (res != HC_SUCCESS) {
327 LOGE("add identity info to vec failed.");
328 return res;
329 }
330 #endif
331 res = AddIdentityInfoToVec(in, false, vec);
332 if (res != HC_SUCCESS) {
333 LOGE("add identity info to vec failed.");
334 return res;
335 }
336 return HC_SUCCESS;
337 }
338
GetCredInfoByPeerUrl(const CJson * in,const Uint8Buff * presharedUrl,IdentityInfo ** returnInfo)339 static int32_t GetCredInfoByPeerUrl(const CJson *in, const Uint8Buff *presharedUrl, IdentityInfo **returnInfo)
340 {
341 if (in == NULL || presharedUrl == NULL || returnInfo == NULL) {
342 LOGE("Invalid input params!");
343 return HC_ERR_INVALID_PARAMS;
344 }
345 uint32_t proofType = 0;
346 int32_t res = GetProofTypeFromContext(in, &proofType);
347 if (res != HC_SUCCESS) {
348 return res;
349 }
350 if (proofType != PROOF_TYPE_PSK) {
351 LOGE("Proof type not match, cur proof type: %" LOG_PUB "d.", proofType);
352 return IS_AUTH_ERR_PROOF_NOT_MATCH;
353 }
354 IdentityInfo *info = NULL;
355 res = ISGetIdentityInfo(in, false, &info);
356 if (res != HC_SUCCESS) {
357 LOGE("Get Identity by credAuthInfo fail.");
358 return res;
359 }
360 if (memcmp(presharedUrl->val, info->proof.preSharedUrl.val, presharedUrl->length) != 0) {
361 DestroyIdentityInfo(info);
362 LOGE("peer presharedUrl is not equal.");
363 return HC_ERR_MEMORY_COMPARE;
364 }
365 *returnInfo = info;
366 return HC_SUCCESS;
367 }
368
ComputeHkdfKeyAlias(const CJson * in,int32_t osAccountId,Uint8Buff * credIdByte,Uint8Buff * sharedSecret)369 static int32_t ComputeHkdfKeyAlias(const CJson *in, int32_t osAccountId, Uint8Buff *credIdByte, Uint8Buff *sharedSecret)
370 {
371 uint8_t *pskVal = (uint8_t *)HcMalloc(PAKE_PSK_LEN, 0);
372 if (pskVal == NULL) {
373 LOGE("Failed to alloc memory for psk!");
374 return HC_ERR_ALLOC_MEMORY;
375 }
376 Uint8Buff pskBuff = { pskVal, PAKE_PSK_LEN };
377 uint8_t *nonceVal = (uint8_t *)HcMalloc(PAKE_NONCE_LEN, 0);
378 if (nonceVal == NULL) {
379 LOGE("Failed to alloc memory for nonce!");
380 HcFree(pskVal);
381 return HC_ERR_ALLOC_MEMORY;
382 }
383 Uint8Buff nonceBuff = { nonceVal, PAKE_NONCE_LEN };
384 int32_t ret = GetByteFromJson(in, FIELD_NONCE, nonceBuff.val, nonceBuff.length);
385 if (ret != HC_SUCCESS) {
386 LOGE("Failed to get nonce!");
387 HcFree(pskVal);
388 HcFree(nonceVal);
389 return HC_ERR_JSON_GET;
390 }
391 Uint8Buff keyInfo = { (uint8_t *)TMP_AUTH_KEY_FACTOR, HcStrlen(TMP_AUTH_KEY_FACTOR) };
392 KeyParams keyAliasParams = { { credIdByte->val, credIdByte->length, true }, false, osAccountId };
393 ret = GetLoaderInstance()->computeHkdf(&keyAliasParams, &nonceBuff, &keyInfo, &pskBuff);
394 HcFree(nonceVal);
395 if (ret != HC_SUCCESS) {
396 LOGE("Failed to compute hkdf for psk!");
397 HcFree(pskVal);
398 return ret;
399 }
400
401 ret = ConvertPsk(&pskBuff, sharedSecret);
402 HcFree(pskVal);
403 if (ret != HC_SUCCESS) {
404 LOGE("Error occurs, Failed to convert psk!");
405 }
406 return ret;
407 }
408
ComputeAuthToken(int32_t osAccountId,const char * userId,const Uint8Buff keyAlias,Uint8Buff * authToken)409 static int32_t ComputeAuthToken(int32_t osAccountId, const char *userId, const Uint8Buff keyAlias, Uint8Buff *authToken)
410 {
411 authToken->val = (uint8_t *)HcMalloc(AUTH_TOKEN_SIZE, 0);
412 if (authToken->val == NULL) {
413 LOGE("Failed to alloc memory for auth token!");
414 return HC_ERR_ALLOC_MEMORY;
415 }
416 authToken->length = AUTH_TOKEN_SIZE;
417 Uint8Buff userIdBuff = { (uint8_t *)userId, HcStrlen(userId) };
418 Uint8Buff challenge = { (uint8_t *)KEY_INFO_PERSISTENT_TOKEN, HcStrlen(KEY_INFO_PERSISTENT_TOKEN) };
419 KeyParams keyAliasParams = { { keyAlias.val, keyAlias.length, true }, false, osAccountId };
420 int32_t ret = GetLoaderInstance()->computeHkdf(&keyAliasParams, &userIdBuff, &challenge, authToken);
421 if (ret != HC_SUCCESS) {
422 LOGE("Failed to computeHkdf from authCode to authToken!");
423 FreeBuffData(authToken);
424 }
425 return ret;
426 }
427
CheckKeyAliasIsValid(int32_t osAccountId,const char * credId,Uint8Buff * keyAlias)428 static int32_t CheckKeyAliasIsValid(int32_t osAccountId, const char *credId, Uint8Buff *keyAlias)
429 {
430 int32_t ret = GetValidKeyAlias(osAccountId, credId, keyAlias);
431 if (ret == HAL_ERR_KEY_NOT_EXIST) {
432 LOGE("Huks key not exist!");
433 DelCredById(osAccountId, credId);
434 return IS_ERR_HUKS_KEY_NOT_EXIST;
435 }
436 if (ret == HAL_ERR_HUKS) {
437 LOGE("HUKS occured error, when check key exist.");
438 return IS_ERR_HUKS_CHECK_KEY_EXIST_FAILED;
439 }
440 if (ret != IS_SUCCESS) {
441 LOGE("Failed to check key exist in HUKS.");
442 return ret;
443 }
444 return IS_SUCCESS;
445 }
446
GenerateAuthTokenForAccessory(int32_t osAccountId,const char * credId,const CJson * in,Uint8Buff * authToken)447 static int32_t GenerateAuthTokenForAccessory(int32_t osAccountId, const char *credId, const CJson *in,
448 Uint8Buff *authToken)
449 {
450 const char *userIdSelf = GetStringFromJson(in, FIELD_USER_ID);
451 if (userIdSelf == NULL) {
452 LOGE("Failed to get self user ID!");
453 return HC_ERR_JSON_GET;
454 }
455 Uint8Buff credIdByte = { NULL, 0 };
456 int32_t ret = CheckKeyAliasIsValid(osAccountId, credId, &credIdByte);
457 if (ret != IS_SUCCESS) {
458 return ret;
459 }
460 ret = ComputeAuthToken(osAccountId, userIdSelf, credIdByte, authToken);
461 FreeBuffData(&credIdByte);
462 return ret;
463 }
464
GenerateTokenAliasForController(int32_t osAccountId,const char * credId,Uint8Buff * authToken)465 static int32_t GenerateTokenAliasForController(int32_t osAccountId, const char *credId, Uint8Buff *authToken)
466 {
467 return CheckKeyAliasIsValid(osAccountId, credId, authToken);
468 }
469
GenerateAuthTokenByDevType(int32_t osAccountId,const CJson * in,Uint8Buff * authToken,bool * isTokenStored)470 static int32_t GenerateAuthTokenByDevType(int32_t osAccountId, const CJson *in, Uint8Buff *authToken,
471 bool *isTokenStored)
472 {
473 const char *credId = GetStringFromJson(in, FIELD_CRED_ID);
474 if (credId == NULL) {
475 LOGE("Failed to get cred ID!");
476 return HC_ERR_JSON_GET;
477 }
478 const CJson *credAuthInfo = GetObjFromJson(in, FIELD_CREDENTIAL_OBJ);
479 if (credAuthInfo == NULL) {
480 LOGE("Get credAuthInfo fail.");
481 return HC_ERR_JSON_GET;
482 }
483 uint8_t localDevType = SUBJECT_ACCESSORY_DEVICE;
484 if (GetUint8FromJson(credAuthInfo, FIELD_SUBJECT, &localDevType) != HC_SUCCESS) {
485 LOGE("Failed to get subject!");
486 return HC_ERR_JSON_GET;
487 }
488 int32_t ret = HC_ERROR;
489 if (localDevType == SUBJECT_ACCESSORY_DEVICE) {
490 *isTokenStored = false;
491 ret = GenerateAuthTokenForAccessory(osAccountId, credId, in, authToken);
492 } else {
493 ret = GenerateTokenAliasForController(osAccountId, credId, authToken);
494 }
495 return ret;
496 }
497
ISGetAccountSymSharedSecret(const CJson * in,Uint8Buff * sharedSecret)498 static int32_t ISGetAccountSymSharedSecret(const CJson *in, Uint8Buff *sharedSecret)
499 {
500 if (in == NULL || sharedSecret == NULL) {
501 LOGE("Incorrect input params!");
502 return HC_ERR_INVALID_PARAMS;
503 }
504 int32_t osAccountId;
505 if (GetIntFromJson(in, FIELD_OS_ACCOUNT_ID, &osAccountId) != HC_SUCCESS) {
506 LOGE("Failed to get osAccountId from Json!");
507 return HC_ERR_JSON_GET;
508 }
509 bool isTokenStored = true;
510 Uint8Buff authToken = { NULL, 0 };
511 int32_t ret = GenerateAuthTokenByDevType(osAccountId, in, &authToken, &isTokenStored);
512 if (ret != HC_SUCCESS) {
513 LOGE("Error occurs, Failed to generate auth token!");
514 return ret;
515 }
516 uint8_t seed[SEED_SIZE] = { 0 };
517 Uint8Buff seedBuff = { seed, SEED_SIZE };
518 ret = GetByteFromJson(in, FIELD_SEED, seed, SEED_SIZE);
519 if (ret != HC_SUCCESS) {
520 LOGE("Get seed failed!");
521 FreeBuffData(&authToken);
522 return HC_ERR_JSON_GET;
523 }
524 sharedSecret->val = (uint8_t *)HcMalloc(ISO_PSK_LEN, 0);
525 if (sharedSecret->val == NULL) {
526 LOGE("HcMalloc sharedSecret memory failed!");
527 FreeBuffData(&authToken);
528 return HC_ERR_ALLOC_MEMORY;
529 }
530 sharedSecret->length = ISO_PSK_LEN;
531 KeyParams keyParams = { { authToken.val, authToken.length, isTokenStored }, false, osAccountId };
532 ret = GetLoaderInstance()->computeHmac(&keyParams, &seedBuff, sharedSecret);
533 FreeBuffData(&authToken);
534 if (ret != HC_SUCCESS) {
535 LOGE("Error occurs, ComputeHmac for psk failed, ret: %" LOG_PUB "d.", ret);
536 FreeBuffData(sharedSecret);
537 }
538 return ret;
539 }
540
AuthGeneratePsk(const CJson * in,const Uint8Buff * seed,Uint8Buff * sharedSecret)541 static int32_t AuthGeneratePsk(const CJson *in, const Uint8Buff *seed, Uint8Buff *sharedSecret)
542 {
543 int32_t osAccountId = INVALID_OS_ACCOUNT;
544 if (GetIntFromJson(in, FIELD_OS_ACCOUNT_ID, &osAccountId) != HC_SUCCESS) {
545 LOGE("Failed to get osAccountId!");
546 return HC_ERR_JSON_GET;
547 }
548 const char *credId = GetStringFromJson(in, FIELD_CRED_ID);
549 if (credId == NULL) {
550 LOGE("Failed to get cred ID!");
551 return HC_ERR_JSON_GET;
552 }
553 Uint8Buff credIdByte = { NULL, 0 };
554 int32_t ret = CheckKeyAliasIsValid(osAccountId, credId, &credIdByte);
555 if (ret != IS_SUCCESS) {
556 return ret;
557 }
558 KeyParams keyAliasParams = { { credIdByte.val, credIdByte.length, true }, false, osAccountId };
559 ret = GetLoaderInstance()->computeHmac(&keyAliasParams, seed, sharedSecret);
560 FreeBuffData(&credIdByte);
561 return ret;
562 }
563
GetSharedSecretForP2pInIso(const CJson * in,Uint8Buff * sharedSecret)564 static int32_t GetSharedSecretForP2pInIso(const CJson *in, Uint8Buff *sharedSecret)
565 {
566 uint8_t *seedVal = (uint8_t *)HcMalloc(SEED_LEN, 0);
567 if (seedVal == NULL) {
568 LOGE("Failed to alloc memory for seed!");
569 return HC_ERR_ALLOC_MEMORY;
570 }
571 Uint8Buff seedBuff = { seedVal, SEED_LEN };
572 int32_t ret = GetByteFromJson(in, FIELD_SEED, seedBuff.val, seedBuff.length);
573 if (ret != HC_SUCCESS) {
574 LOGE("Failed to get seed!");
575 HcFree(seedVal);
576 return HC_ERR_JSON_GET;
577 }
578 uint8_t *pskVal = (uint8_t *)HcMalloc(ISO_PSK_LEN, 0);
579 if (pskVal == NULL) {
580 LOGE("HcMalloc memory for psk failed.!");
581 HcFree(seedVal);
582 return HC_ERR_ALLOC_MEMORY;
583 }
584 sharedSecret->val = pskVal;
585 sharedSecret->length = ISO_PSK_LEN;
586 ret = AuthGeneratePsk(in, &seedBuff, sharedSecret);
587 HcFree(seedVal);
588 if (ret != HC_SUCCESS) {
589 LOGE("Failed to generate psk!");
590 FreeBuffData(sharedSecret);
591 }
592 return ret;
593 }
594
GetSharedSecretForP2pInPake(const CJson * in,Uint8Buff * sharedSecret)595 static int32_t GetSharedSecretForP2pInPake(const CJson *in, Uint8Buff *sharedSecret)
596 {
597 const char *credId = GetStringFromJson(in, FIELD_CRED_ID);
598 if (credId == NULL) {
599 LOGE("get credId from json failed");
600 return HC_ERR_JSON_GET;
601 }
602 int32_t osAccountId;
603 if (GetIntFromJson(in, FIELD_OS_ACCOUNT_ID, &osAccountId) != HC_SUCCESS) {
604 LOGE("Failed to get osAccountId!");
605 return HC_ERR_JSON_GET;
606 }
607 uint32_t credIdByteLen = HcStrlen(credId) / BYTE_TO_HEX_OPER_LENGTH;
608 Uint8Buff credIdByte = { NULL, credIdByteLen };
609 credIdByte.val = (uint8_t *)HcMalloc(credIdByteLen, 0);
610 if (credIdByte.val == NULL) {
611 LOGE("Failed to Hcmalloc credIdByteLen memory.");
612 return IS_ERR_ALLOC_MEMORY;
613 }
614 int32_t ret = HexStringToByte(credId, credIdByte.val, credIdByte.length);
615 if (ret != IS_SUCCESS) {
616 LOGE("Error occurs, invalid credId, ret = %" LOG_PUB "d", ret);
617 HcFree(credIdByte.val);
618 return IS_ERR_INVALID_HEX_STRING;
619 }
620 LOGI("psk alias: %" LOG_PUB "x %" LOG_PUB "x %" LOG_PUB "x %" LOG_PUB "x****.", credIdByte.val[DEV_AUTH_ZERO],
621 credIdByte.val[DEV_AUTH_ONE], credIdByte.val[DEV_AUTH_TWO], credIdByte.val[DEV_AUTH_THREE]);
622
623 ret = GetLoaderInstance()->checkKeyExist(&credIdByte, false, osAccountId);
624 if (ret != HC_SUCCESS) {
625 HcFree(credIdByte.val);
626 LOGE("psk not exist");
627 return ret;
628 }
629 ret = ComputeHkdfKeyAlias(in, osAccountId, &credIdByte, sharedSecret);
630 HcFree(credIdByte.val);
631 if (ret != HC_SUCCESS) {
632 LOGE("compute hkdf key alias failed.");
633 FreeBuffData(sharedSecret);
634 }
635 return ret;
636 }
637
GetSharedSecretForP2p(const CJson * in,ProtocolAlgType protocolType,Uint8Buff * sharedSecret)638 static int32_t GetSharedSecretForP2p(
639 const CJson *in, ProtocolAlgType protocolType, Uint8Buff *sharedSecret)
640 {
641 int32_t ret;
642 if (protocolType == ALG_ISO) {
643 ret = GetSharedSecretForP2pInIso(in, sharedSecret);
644 LOGI("get shared secret for p2p in iso result: %" LOG_PUB "d", ret);
645 } else {
646 ret = GetSharedSecretForP2pInPake(in, sharedSecret);
647 LOGI("get shared secret for p2p in pake result: %" LOG_PUB "d", ret);
648 }
649 return ret;
650 }
651
GetSharedSecretForUid(const CJson * in,ProtocolAlgType protocolType,Uint8Buff * sharedSecret)652 static int32_t GetSharedSecretForUid(
653 const CJson *in, ProtocolAlgType protocolType, Uint8Buff *sharedSecret)
654 {
655 if (protocolType != ALG_ISO) {
656 LOGE("protocol type is not iso, not supported!");
657 return HC_ERR_INVALID_PARAMS;
658 }
659 return ISGetAccountSymSharedSecret(in, sharedSecret);
660 }
661
GetSharedSecretByUrl(const CJson * in,const Uint8Buff * presharedUrl,ProtocolAlgType protocolType,Uint8Buff * sharedSecret)662 static int32_t GetSharedSecretByUrl(
663 const CJson *in, const Uint8Buff *presharedUrl, ProtocolAlgType protocolType, Uint8Buff *sharedSecret)
664 {
665 if (in == NULL || presharedUrl == NULL || sharedSecret == NULL) {
666 LOGE("Input params invalid!");
667 return HC_ERR_INVALID_PARAMS;
668 }
669
670 CJson *urlJson = CreateJsonFromString((const char *)presharedUrl->val);
671 if (urlJson == NULL) {
672 LOGE("Failed to create url json from preshared url!");
673 return HC_ERR_JSON_CREATE;
674 }
675
676 int32_t trustType = 0;
677 if (GetIntFromJson(urlJson, PRESHARED_URL_TRUST_TYPE, &trustType) != HC_SUCCESS) {
678 LOGE("Get trust type from url json failed!");
679 FreeJson(urlJson);
680 return HC_ERR_JSON_GET;
681 }
682 FreeJson(urlJson);
683
684 int32_t ret;
685 switch (trustType) {
686 case TRUST_TYPE_P2P:
687 ret = GetSharedSecretForP2p(in, protocolType, sharedSecret);
688 break;
689 case TRUST_TYPE_UID:
690 ret = GetSharedSecretForUid(in, protocolType, sharedSecret);
691 break;
692 default:
693 LOGE("Invalid trust type!");
694 ret = HC_ERR_INVALID_PARAMS;
695 break;
696 }
697 return ret;
698 }
699
GetCredInfoByPeerCert(const CJson * in,const CertInfo * certInfo,IdentityInfo ** returnInfo)700 static int32_t GetCredInfoByPeerCert(const CJson *in, const CertInfo *certInfo, IdentityInfo **returnInfo)
701 {
702 if (in == NULL || certInfo == NULL || returnInfo == NULL) {
703 LOGE("Invalid input params!");
704 return HC_ERR_INVALID_PARAMS;
705 }
706 uint32_t proofType = 0;
707 int32_t res = GetProofTypeFromContext(in, &proofType);
708 if (res != HC_SUCCESS) {
709 return res;
710 }
711 if (proofType != PROOF_TYPE_PKI) {
712 LOGE("Proof type not match, cur proof type: %" LOG_PUB "d.", proofType);
713 return IS_AUTH_ERR_PROOF_NOT_MATCH;
714 }
715 IdentityInfo *info = NULL;
716 res = ISGetIdentityInfo(in, certInfo->isPseudonym, &info);
717 if (res != HC_SUCCESS) {
718 LOGE("Get Identity by credAuthInfo fail.");
719 return res;
720 }
721 *returnInfo = info;
722 return HC_SUCCESS;
723 }
724
GetSharedSecretByPeerCert(const CJson * in,const CertInfo * peerCertInfo,ProtocolAlgType protocolType,Uint8Buff * sharedSecret)725 static int32_t GetSharedSecretByPeerCert(
726 const CJson *in, const CertInfo *peerCertInfo, ProtocolAlgType protocolType, Uint8Buff *sharedSecret)
727 {
728 if (in == NULL || peerCertInfo == NULL || sharedSecret == NULL) {
729 LOGE("Input params invalid!");
730 return HC_ERR_INVALID_PARAMS;
731 }
732 if (protocolType != ALG_EC_SPEKE) {
733 LOGE("protocol type is not ec speke, not support!");
734 return HC_ERR_INVALID_PARAMS;
735 }
736 int32_t osAccountId = INVALID_OS_ACCOUNT;
737 if (GetIntFromJson(in, FIELD_OS_ACCOUNT_ID, &osAccountId) != HC_SUCCESS) {
738 LOGE("Get os account id failed!");
739 return HC_ERR_JSON_GET;
740 }
741 const char *credId = GetStringFromJson(in, FIELD_ACROSS_ACCOUNT_CRED_ID);
742 if (credId != NULL) {
743 LOGI("across account credential Id exists.");
744 }
745 return GetAccountAsymSharedSecret(osAccountId, credId, FIELD_ACROSS_ACCOUNT_CRED_ID, peerCertInfo, sharedSecret);
746 }
747
748 static const AuthIdentity g_authIdentity = {
749 .getCredInfosByPeerIdentity = GetCredInfosByPeerIdentity,
750 .getCredInfoByPeerUrl = GetCredInfoByPeerUrl,
751 .getSharedSecretByUrl = GetSharedSecretByUrl,
752 .getCredInfoByPeerCert = GetCredInfoByPeerCert,
753 .getSharedSecretByPeerCert = GetSharedSecretByPeerCert,
754 };
755
GetCredAuthIdentity(void)756 const AuthIdentity *GetCredAuthIdentity(void)
757 {
758 return &g_authIdentity;
759 }
760