1 /*
2 * This file is part of the openHiTLS project.
3 *
4 * openHiTLS is licensed under the Mulan PSL v2.
5 * You can use this software according to the terms and conditions of the Mulan PSL v2.
6 * You may obtain a copy of Mulan PSL v2 at:
7 *
8 * http://license.coscl.org.cn/MulanPSL2
9 *
10 * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND,
11 * EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT,
12 * MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE.
13 * See the Mulan PSL v2 for more details.
14 */
15
16 #include <stdlib.h>
17 #include <string.h>
18 #include "hitls_build.h"
19 #include "bsl_err_internal.h"
20 #include "bsl_list.h"
21 #include "tls_binlog_id.h"
22 #include "hitls_error.h"
23 #include "hitls_type.h"
24 #include "hitls_cert_type.h"
25 #include "tls_config.h"
26 #include "cert_method.h"
27 #include "cert_mgr.h"
28 #include "cert.h"
29 #ifdef HITLS_TLS_FEATURE_SECURITY
30 #include "security.h"
31 #endif
32
33 #ifdef HITLS_TLS_FEATURE_SECURITY
CheckCertSecuritylevel(HITLS_Config * config,HITLS_CERT_X509 * cert,bool isCACert)34 static int32_t CheckCertSecuritylevel(HITLS_Config *config, HITLS_CERT_X509 *cert, bool isCACert)
35 {
36 CERT_MgrCtx *mgrCtx = config->certMgrCtx;
37 if (mgrCtx == NULL) {
38 return RETURN_ERROR_NUMBER_PROCESS(HITLS_UNREGISTERED_CALLBACK, BINLOG_ID16550, "unregistered callback");
39 }
40
41 HITLS_CERT_Key *pubkey = NULL;
42 int32_t ret = SAL_CERT_X509Ctrl(config, cert, CERT_CTRL_GET_PUB_KEY, NULL, (void *)&pubkey);
43 if (ret != HITLS_SUCCESS) {
44 return RETURN_ERROR_NUMBER_PROCESS(ret, BINLOG_ID16551, "GET_PUB_KEY fail");
45 }
46 do {
47 int32_t secBits = 0;
48 ret = SAL_CERT_KeyCtrl(config, pubkey, CERT_KEY_CTRL_GET_SECBITS, NULL, (void *)&secBits);
49 if (ret != HITLS_SUCCESS) {
50 break;
51 }
52
53 if (isCACert == true) {
54 ret = SECURITY_CfgCheck(config, HITLS_SECURITY_SECOP_CA_KEY, secBits, 0, cert);
55 if (ret != SECURITY_SUCCESS) {
56 (void)RETURN_ERROR_NUMBER_PROCESS(ret, BINLOG_ID16552, "CfgCheck fail");
57 ret = HITLS_CERT_ERR_CA_KEY_WITH_INSECURE_SECBITS;
58 break;
59 }
60 } else {
61 ret = SECURITY_CfgCheck(config, HITLS_SECURITY_SECOP_EE_KEY, secBits, 0, cert);
62 if (ret != SECURITY_SUCCESS) {
63 (void)RETURN_ERROR_NUMBER_PROCESS(ret, BINLOG_ID16553, "CfgCheck fail");
64 ret = HITLS_CERT_ERR_EE_KEY_WITH_INSECURE_SECBITS;
65 break;
66 }
67 }
68
69 int32_t signAlg = 0;
70 ret = SAL_CERT_X509Ctrl(config, cert, CERT_CTRL_GET_SIGN_ALGO, NULL, (void *)&signAlg);
71 if (ret != HITLS_SUCCESS) {
72 (void)RETURN_ERROR_NUMBER_PROCESS(ret, BINLOG_ID16554, "GET_SIGN_ALGO fail");
73 break;
74 }
75
76 ret = SECURITY_CfgCheck(config, HITLS_SECURITY_SECOP_SIGALG_CHECK, 0, signAlg, NULL);
77 if (ret != SECURITY_SUCCESS) {
78 (void)RETURN_ERROR_NUMBER_PROCESS(ret, BINLOG_ID16555, "CfgCheck fail");
79 ret = HITLS_CERT_ERR_INSECURE_SIG_ALG;
80 break;
81 }
82 ret = HITLS_SUCCESS;
83 } while (false);
84 SAL_CERT_KeyFree(mgrCtx, pubkey);
85 return ret;
86 }
87 #endif
88
HITLS_CFG_SetVerifyStore(HITLS_Config * config,HITLS_CERT_Store * store,bool isClone)89 int32_t HITLS_CFG_SetVerifyStore(HITLS_Config *config, HITLS_CERT_Store *store, bool isClone)
90 {
91 if (config == NULL) {
92 return HITLS_NULL_INPUT;
93 }
94
95 HITLS_CERT_Store *newStore = NULL;
96 if (isClone && store != NULL) {
97 newStore = SAL_CERT_StoreDup(config->certMgrCtx, store);
98 if (newStore == NULL) {
99 return HITLS_CERT_ERR_STORE_DUP;
100 }
101 } else {
102 newStore = store;
103 }
104
105 int32_t ret = SAL_CERT_SetVerifyStore(config->certMgrCtx, newStore);
106 if (ret != HITLS_SUCCESS) {
107 if (isClone && newStore != NULL) {
108 SAL_CERT_StoreFree(config->certMgrCtx, newStore);
109 }
110 }
111 return ret;
112 }
113
HITLS_CFG_GetVerifyStore(const HITLS_Config * config)114 HITLS_CERT_Store *HITLS_CFG_GetVerifyStore(const HITLS_Config *config)
115 {
116 if (config == NULL) {
117 return NULL;
118 }
119
120 return SAL_CERT_GetVerifyStore(config->certMgrCtx);
121 }
122
HITLS_CFG_SetChainStore(HITLS_Config * config,HITLS_CERT_Store * store,bool isClone)123 int32_t HITLS_CFG_SetChainStore(HITLS_Config *config, HITLS_CERT_Store *store, bool isClone)
124 {
125 if (config == NULL) {
126 return HITLS_NULL_INPUT;
127 }
128
129 HITLS_CERT_Store *newStore = NULL;
130 if (isClone && store != NULL) {
131 newStore = SAL_CERT_StoreDup(config->certMgrCtx, store);
132 if (newStore == NULL) {
133 return HITLS_CERT_ERR_STORE_DUP;
134 }
135 } else {
136 newStore = store;
137 }
138
139 int32_t ret = SAL_CERT_SetChainStore(config->certMgrCtx, newStore);
140 if (ret != HITLS_SUCCESS) {
141 if (isClone && newStore != NULL) {
142 SAL_CERT_StoreFree(config->certMgrCtx, newStore);
143 }
144 }
145 return ret;
146 }
147
HITLS_CFG_GetChainStore(const HITLS_Config * config)148 HITLS_CERT_Store *HITLS_CFG_GetChainStore(const HITLS_Config *config)
149 {
150 if (config == NULL) {
151 return NULL;
152 }
153
154 return SAL_CERT_GetChainStore(config->certMgrCtx);
155 }
156
HITLS_CFG_SetCertStore(HITLS_Config * config,HITLS_CERT_Store * store,bool isClone)157 int32_t HITLS_CFG_SetCertStore(HITLS_Config *config, HITLS_CERT_Store *store, bool isClone)
158 {
159 if (config == NULL) {
160 return HITLS_NULL_INPUT;
161 }
162
163 HITLS_CERT_Store *newStore = NULL;
164 if (isClone && store != NULL) {
165 newStore = SAL_CERT_StoreDup(config->certMgrCtx, store);
166 if (newStore == NULL) {
167 return HITLS_CERT_ERR_STORE_DUP;
168 }
169 } else {
170 newStore = store;
171 }
172
173 int32_t ret = SAL_CERT_SetCertStore(config->certMgrCtx, newStore);
174 if (ret != HITLS_SUCCESS) {
175 if (isClone && newStore != NULL) {
176 SAL_CERT_StoreFree(config->certMgrCtx, newStore);
177 }
178 }
179 return ret;
180 }
181
HITLS_CFG_GetCertStore(const HITLS_Config * config)182 HITLS_CERT_Store *HITLS_CFG_GetCertStore(const HITLS_Config *config)
183 {
184 if (config == NULL) {
185 return NULL;
186 }
187
188 return SAL_CERT_GetCertStore(config->certMgrCtx);
189 }
190
HITLS_CFG_SetVerifyDepth(HITLS_Config * config,uint32_t depth)191 int32_t HITLS_CFG_SetVerifyDepth(HITLS_Config *config, uint32_t depth)
192 {
193 if (config == NULL) {
194 return HITLS_NULL_INPUT;
195 }
196
197 return SAL_CERT_SetVerifyDepth(config->certMgrCtx, depth);
198 }
199
HITLS_CFG_GetVerifyDepth(const HITLS_Config * config,uint32_t * depth)200 int32_t HITLS_CFG_GetVerifyDepth(const HITLS_Config *config, uint32_t *depth)
201 {
202 if (config == NULL) {
203 return HITLS_NULL_INPUT;
204 }
205
206 return SAL_CERT_GetVerifyDepth(config->certMgrCtx, depth);
207 }
208
HITLS_CFG_SetDefaultPasswordCb(HITLS_Config * config,HITLS_PasswordCb cb)209 int32_t HITLS_CFG_SetDefaultPasswordCb(HITLS_Config *config, HITLS_PasswordCb cb)
210 {
211 if (config == NULL) {
212 return HITLS_NULL_INPUT;
213 }
214
215 return SAL_CERT_SetDefaultPasswordCb(config->certMgrCtx, cb);
216 }
217
HITLS_CFG_GetDefaultPasswordCb(HITLS_Config * config)218 HITLS_PasswordCb HITLS_CFG_GetDefaultPasswordCb(HITLS_Config *config)
219 {
220 if (config == NULL) {
221 return NULL;
222 }
223
224 return SAL_CERT_GetDefaultPasswordCb(config->certMgrCtx);
225 }
226
HITLS_CFG_SetDefaultPasswordCbUserdata(HITLS_Config * config,void * userdata)227 int32_t HITLS_CFG_SetDefaultPasswordCbUserdata(HITLS_Config *config, void *userdata)
228 {
229 if (config == NULL) {
230 return HITLS_NULL_INPUT;
231 }
232
233 return SAL_CERT_SetDefaultPasswordCbUserdata(config->certMgrCtx, userdata);
234 }
235
HITLS_CFG_GetDefaultPasswordCbUserdata(HITLS_Config * config)236 void *HITLS_CFG_GetDefaultPasswordCbUserdata(HITLS_Config *config)
237 {
238 if (config == NULL) {
239 return NULL;
240 }
241
242 return SAL_CERT_GetDefaultPasswordCbUserdata(config->certMgrCtx);
243 }
244
CFG_SetCertificate(HITLS_Config * config,HITLS_CERT_X509 * cert,bool isClone,bool isTlcpEncCert)245 static int32_t CFG_SetCertificate(HITLS_Config *config, HITLS_CERT_X509 *cert, bool isClone, bool isTlcpEncCert)
246 {
247 if (config == NULL || cert == NULL) {
248 return HITLS_NULL_INPUT;
249 }
250
251 HITLS_CERT_X509 *newCert = cert;
252 if (isClone) {
253 newCert = SAL_CERT_X509Dup(config->certMgrCtx, cert);
254 if (newCert == NULL) {
255 return HITLS_CERT_ERR_X509_DUP;
256 }
257 }
258
259 int32_t ret = SAL_CERT_SetCurrentCert(config, newCert, isTlcpEncCert);
260 if (ret != HITLS_SUCCESS) {
261 if (isClone) {
262 SAL_CERT_X509Free(newCert);
263 }
264 }
265 return ret;
266 }
267
HITLS_CFG_SetCertificate(HITLS_Config * config,HITLS_CERT_X509 * cert,bool isClone)268 int32_t HITLS_CFG_SetCertificate(HITLS_Config *config, HITLS_CERT_X509 *cert, bool isClone)
269 {
270 if (config == NULL || cert == NULL || config->certMgrCtx == NULL) {
271 return HITLS_NULL_INPUT;
272 }
273 #ifdef HITLS_TLS_FEATURE_SECURITY
274 int32_t ret = CheckCertSecuritylevel(config, cert, false);
275 if (ret != HITLS_SUCCESS) {
276 return ret;
277 }
278 #endif
279 return CFG_SetCertificate(config, cert, isClone, false);
280 }
281 #ifdef HITLS_TLS_CONFIG_CERT_LOAD_FILE
HITLS_CFG_LoadCertFile(HITLS_Config * config,const char * file,HITLS_ParseFormat format)282 int32_t HITLS_CFG_LoadCertFile(HITLS_Config *config, const char *file, HITLS_ParseFormat format)
283 {
284 if (config == NULL || file == NULL || strlen(file) == 0) {
285 return HITLS_NULL_INPUT;
286 }
287 int32_t ret;
288 HITLS_CERT_X509 *cert = SAL_CERT_X509Parse(LIBCTX_FROM_CONFIG(config),
289 ATTRIBUTE_FROM_CONFIG(config), config, (const uint8_t *)file, (uint32_t)strlen(file),
290 TLS_PARSE_TYPE_FILE, format);
291 if (cert == NULL) {
292 return HITLS_CFG_ERR_LOAD_CERT_FILE;
293 }
294 #ifdef HITLS_TLS_FEATURE_SECURITY
295 ret = CheckCertSecuritylevel(config, cert, false);
296 if (ret != HITLS_SUCCESS) {
297 SAL_CERT_X509Free(cert);
298 return ret;
299 }
300 #endif
301 ret = SAL_CERT_SetCurrentCert(config, cert, false);
302 if (ret != HITLS_SUCCESS) {
303 SAL_CERT_X509Free(cert);
304 }
305 return ret;
306 }
307 #endif /* HITLS_TLS_CONFIG_CERT_LOAD_FILE */
308
HITLS_CFG_LoadCertBuffer(HITLS_Config * config,const uint8_t * buf,uint32_t bufLen,HITLS_ParseFormat format)309 int32_t HITLS_CFG_LoadCertBuffer(HITLS_Config *config, const uint8_t *buf, uint32_t bufLen, HITLS_ParseFormat format)
310 {
311 if (config == NULL || buf == NULL || bufLen == 0) {
312 return HITLS_NULL_INPUT;
313 }
314
315 HITLS_CERT_X509 *newCert = SAL_CERT_X509Parse(LIBCTX_FROM_CONFIG(config),
316 ATTRIBUTE_FROM_CONFIG(config),config, buf, bufLen, TLS_PARSE_TYPE_BUFF, format);
317 if (newCert == NULL) {
318 return HITLS_CFG_ERR_LOAD_CERT_BUFFER;
319 }
320 int ret = HITLS_SUCCESS;
321 #ifdef HITLS_TLS_FEATURE_SECURITY
322 ret = CheckCertSecuritylevel(config, newCert, false);
323 if (ret != HITLS_SUCCESS) {
324 SAL_CERT_X509Free(newCert);
325 return ret;
326 }
327 #endif
328 ret = SAL_CERT_SetCurrentCert(config, newCert, false);
329 if (ret != HITLS_SUCCESS) {
330 SAL_CERT_X509Free(newCert);
331 }
332
333 return ret;
334 }
335
HITLS_CFG_GetCertificate(const HITLS_Config * config)336 HITLS_CERT_X509 *HITLS_CFG_GetCertificate(const HITLS_Config *config)
337 {
338 if (config == NULL) {
339 return NULL;
340 }
341
342 return SAL_CERT_GetCurrentCert(config->certMgrCtx);
343 }
344
CFG_SetPrivateKey(HITLS_Config * config,HITLS_CERT_Key * privateKey,bool isClone,bool isTlcpEncCertPriKey)345 static int32_t CFG_SetPrivateKey(HITLS_Config *config, HITLS_CERT_Key *privateKey, bool isClone,
346 bool isTlcpEncCertPriKey)
347 {
348 if (config == NULL || privateKey == NULL) {
349 return HITLS_NULL_INPUT;
350 }
351
352 HITLS_CERT_Key *newKey = NULL;
353 if (isClone) {
354 newKey = SAL_CERT_KeyDup(config->certMgrCtx, privateKey);
355 if (newKey == NULL) {
356 return HITLS_CERT_ERR_X509_DUP;
357 }
358 } else {
359 newKey = privateKey;
360 }
361
362 int32_t ret = SAL_CERT_SetCurrentPrivateKey(config, newKey, isTlcpEncCertPriKey);
363 if (ret != HITLS_SUCCESS) {
364 if (isClone) {
365 SAL_CERT_KeyFree(config->certMgrCtx, newKey);
366 }
367 }
368 return ret;
369 }
370
371 #ifdef HITLS_TLS_PROTO_TLCP11
HITLS_CFG_SetTlcpPrivateKey(HITLS_Config * config,HITLS_CERT_Key * privateKey,bool isClone,bool isTlcpEncCertPriKey)372 int32_t HITLS_CFG_SetTlcpPrivateKey(HITLS_Config *config, HITLS_CERT_Key *privateKey,
373 bool isClone, bool isTlcpEncCertPriKey)
374 {
375 return CFG_SetPrivateKey(config, privateKey, isClone, isTlcpEncCertPriKey);
376 }
377
HITLS_CFG_SetTlcpCertificate(HITLS_Config * config,HITLS_CERT_X509 * cert,bool isClone,bool isTlcpEncCert)378 int32_t HITLS_CFG_SetTlcpCertificate(HITLS_Config *config, HITLS_CERT_X509 *cert, bool isClone, bool isTlcpEncCert)
379 {
380 return CFG_SetCertificate(config, cert, isClone, isTlcpEncCert);
381 }
382 #endif
383
HITLS_CFG_SetPrivateKey(HITLS_Config * config,HITLS_CERT_Key * privateKey,bool isClone)384 int32_t HITLS_CFG_SetPrivateKey(HITLS_Config *config, HITLS_CERT_Key *privateKey, bool isClone)
385 {
386 return CFG_SetPrivateKey(config, privateKey, isClone, false);
387 }
388
389 #ifdef HITLS_TLS_CONFIG_CERT_LOAD_FILE
HITLS_CFG_ProviderLoadKeyFile(HITLS_Config * config,const char * file,const char * format,const char * type)390 int32_t HITLS_CFG_ProviderLoadKeyFile(HITLS_Config *config, const char *file, const char *format, const char *type)
391 {
392 if (config == NULL || file == NULL || strlen(file) == 0) {
393 return HITLS_NULL_INPUT;
394 }
395 HITLS_CERT_Key *newKey = SAL_CERT_KeyParse(config, (const uint8_t *)file, (uint32_t)strlen(file),
396 TLS_PARSE_TYPE_FILE, format, type);
397 if (newKey == NULL) {
398 return HITLS_CFG_ERR_LOAD_KEY_FILE;
399 }
400
401 int32_t ret = SAL_CERT_SetCurrentPrivateKey(config, newKey, false);
402 if (ret != HITLS_SUCCESS) {
403 SAL_CERT_KeyFree(config->certMgrCtx, newKey);
404 }
405 return ret;
406 }
407
HITLS_CFG_LoadKeyFile(HITLS_Config * config,const char * file,HITLS_ParseFormat format)408 int32_t HITLS_CFG_LoadKeyFile(HITLS_Config *config, const char *file, HITLS_ParseFormat format)
409 {
410 if (config == NULL || file == NULL || strlen(file) == 0) {
411 return HITLS_NULL_INPUT;
412 }
413
414 HITLS_CERT_Key *newKey = SAL_CERT_KeyParse(config, (const uint8_t *)file, (uint32_t)strlen(file),
415 TLS_PARSE_TYPE_FILE, SAL_CERT_GetParseFormatStr(format), NULL);
416 if (newKey == NULL) {
417 return HITLS_CFG_ERR_LOAD_KEY_FILE;
418 }
419
420 int32_t ret = SAL_CERT_SetCurrentPrivateKey(config, newKey, false);
421 if (ret != HITLS_SUCCESS) {
422 SAL_CERT_KeyFree(config->certMgrCtx, newKey);
423 }
424 return ret;
425 }
426 #endif /* HITLS_TLS_CONFIG_CERT_LOAD_FILE */
427
HITLS_CFG_ProviderLoadKeyBuffer(HITLS_Config * config,const uint8_t * buf,uint32_t bufLen,const char * format,const char * type)428 int32_t HITLS_CFG_ProviderLoadKeyBuffer(HITLS_Config *config, const uint8_t *buf, uint32_t bufLen, const char *format,
429 const char *type)
430 {
431 if (config == NULL || buf == NULL || bufLen == 0) {
432 return HITLS_NULL_INPUT;
433 }
434 HITLS_CERT_Key *newKey = SAL_CERT_KeyParse(config, buf, bufLen, TLS_PARSE_TYPE_BUFF, type, format);
435 if (newKey == NULL) {
436 return HITLS_CFG_ERR_LOAD_KEY_BUFFER;
437 }
438
439 int32_t ret = SAL_CERT_SetCurrentPrivateKey(config, newKey, false);
440 if (ret != HITLS_SUCCESS) {
441 SAL_CERT_KeyFree(config->certMgrCtx, newKey);
442 }
443 return ret;
444 }
445
HITLS_CFG_LoadKeyBuffer(HITLS_Config * config,const uint8_t * buf,uint32_t bufLen,HITLS_ParseFormat format)446 int32_t HITLS_CFG_LoadKeyBuffer(HITLS_Config *config, const uint8_t *buf, uint32_t bufLen, HITLS_ParseFormat format)
447 {
448 if (config == NULL || buf == NULL || bufLen == 0) {
449 return HITLS_NULL_INPUT;
450 }
451
452 HITLS_CERT_Key *newKey = SAL_CERT_KeyParse(config, buf, bufLen, TLS_PARSE_TYPE_BUFF,
453 SAL_CERT_GetParseFormatStr(format), NULL);
454 if (newKey == NULL) {
455 return HITLS_CFG_ERR_LOAD_KEY_BUFFER;
456 }
457
458 int32_t ret = SAL_CERT_SetCurrentPrivateKey(config, newKey, false);
459 if (ret != HITLS_SUCCESS) {
460 SAL_CERT_KeyFree(config->certMgrCtx, newKey);
461 }
462 return ret;
463 }
464
HITLS_CFG_GetPrivateKey(HITLS_Config * config)465 HITLS_CERT_Key *HITLS_CFG_GetPrivateKey(HITLS_Config *config)
466 {
467 if (config == NULL) {
468 return NULL;
469 }
470
471 return SAL_CERT_GetCurrentPrivateKey(config->certMgrCtx, false);
472 }
473
HITLS_CFG_CheckPrivateKey(HITLS_Config * config)474 int32_t HITLS_CFG_CheckPrivateKey(HITLS_Config *config)
475 {
476 if (config == NULL) {
477 return HITLS_NULL_INPUT;
478 }
479
480 CERT_MgrCtx *certMgrCtx = config->certMgrCtx;
481 if (certMgrCtx == NULL) {
482 /* If no certificate callback is registered, the certificate management module will not initialized. */
483 return HITLS_UNREGISTERED_CALLBACK;
484 }
485
486 HITLS_CERT_X509 *cert = SAL_CERT_GetCurrentCert(certMgrCtx);
487 if (cert == NULL) {
488 /* no certificate is added */
489 return HITLS_CONFIG_NO_CERT;
490 }
491
492 HITLS_CERT_Key *privateKey = SAL_CERT_GetCurrentPrivateKey(certMgrCtx, false);
493 if (privateKey == NULL) {
494 /* no private key is added */
495 return HITLS_CONFIG_NO_PRIVATE_KEY;
496 }
497
498 return SAL_CERT_CheckPrivateKey(config, cert, privateKey);
499 }
500
HITLS_CFG_AddChainCert(HITLS_Config * config,HITLS_CERT_X509 * cert,bool isClone)501 int32_t HITLS_CFG_AddChainCert(HITLS_Config *config, HITLS_CERT_X509 *cert, bool isClone)
502 {
503 if (config == NULL || cert == NULL || config->certMgrCtx == NULL) {
504 return HITLS_NULL_INPUT;
505 }
506 int32_t ret = HITLS_SUCCESS;
507 #ifdef HITLS_TLS_FEATURE_SECURITY
508 ret = CheckCertSecuritylevel(config, cert, true);
509 if (ret != HITLS_SUCCESS) {
510 return ret;
511 }
512 #endif
513 HITLS_CERT_X509 *newCert = cert;
514 if (isClone) {
515 newCert = SAL_CERT_X509Dup(config->certMgrCtx, cert);
516 if (newCert == NULL) {
517 return HITLS_CERT_ERR_X509_DUP;
518 }
519 }
520
521 ret = SAL_CERT_AddChainCert(config->certMgrCtx, newCert);
522 if (ret != HITLS_SUCCESS) {
523 if (isClone) {
524 SAL_CERT_X509Free(newCert);
525 }
526 }
527 return ret;
528 }
529
HITLS_CFG_AddCertToStore(HITLS_Config * config,HITLS_CERT_X509 * cert,HITLS_CERT_StoreType storeType,bool isClone)530 int32_t HITLS_CFG_AddCertToStore(HITLS_Config *config, HITLS_CERT_X509 *cert, HITLS_CERT_StoreType storeType,
531 bool isClone)
532 {
533 if (config == NULL || cert == NULL) {
534 BSL_ERR_PUSH_ERROR(HITLS_NULL_INPUT);
535 return HITLS_NULL_INPUT;
536 }
537
538 HITLS_CERT_Store *store = NULL;
539 switch (storeType) {
540 case TLS_CERT_STORE_TYPE_DEFAULT:
541 store = SAL_CERT_GetCertStore(config->certMgrCtx);
542 break;
543 case TLS_CERT_STORE_TYPE_VERIFY:
544 store = SAL_CERT_GetVerifyStore(config->certMgrCtx);
545 break;
546 case TLS_CERT_STORE_TYPE_CHAIN:
547 store = SAL_CERT_GetChainStore(config->certMgrCtx);
548 break;
549 default:
550 return HITLS_CERT_ERR_INVALID_STORE_TYPE;
551 }
552 HITLS_CERT_X509 *newCert = cert;
553 if (isClone) {
554 newCert = SAL_CERT_X509Dup(config->certMgrCtx, cert);
555 if (newCert == NULL) {
556 return HITLS_CERT_ERR_X509_DUP;
557 }
558 }
559
560 int32_t ret = SAL_CERT_StoreCtrl(config, store, CERT_STORE_CTRL_ADD_CERT_LIST, newCert, NULL);
561 if (ret != HITLS_SUCCESS) {
562 BSL_ERR_PUSH_ERROR(ret);
563 if (isClone) {
564 SAL_CERT_X509Free(newCert);
565 }
566 }
567
568 return ret;
569 }
570
HITLS_CFG_ParseCert(HITLS_Config * config,const uint8_t * buf,uint32_t len,HITLS_ParseType type,HITLS_ParseFormat format)571 HITLS_CERT_X509 *HITLS_CFG_ParseCert(HITLS_Config *config, const uint8_t *buf, uint32_t len,
572 HITLS_ParseType type, HITLS_ParseFormat format)
573 {
574 if (config == NULL || buf == NULL || len == 0) {
575 return NULL;
576 }
577
578 HITLS_CERT_X509 *newCert = SAL_CERT_X509Parse(LIBCTX_FROM_CONFIG(config),
579 ATTRIBUTE_FROM_CONFIG(config), config, buf, len, type, format);
580 if (newCert == NULL) {
581 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID17158, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
582 "X509Parse fail", 0, 0, 0, 0);
583 BSL_ERR_PUSH_ERROR(HITLS_CFG_ERR_LOAD_CERT_BUFFER);
584 return NULL;
585 }
586
587 return newCert;
588 }
589
HITLS_CFG_ProviderParseKey(HITLS_Config * config,const uint8_t * buf,uint32_t len,HITLS_ParseType type,const char * format,const char * encodeType)590 HITLS_CERT_Key *HITLS_CFG_ProviderParseKey(HITLS_Config *config, const uint8_t *buf, uint32_t len,
591 HITLS_ParseType type, const char *format, const char *encodeType)
592 {
593 if (config == NULL || buf == NULL || len == 0) {
594 return NULL;
595 }
596
597 HITLS_CERT_Key *newKey = SAL_CERT_KeyParse(config, buf, len, type, format, encodeType);
598 if (newKey == NULL) {
599 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID17165, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
600 "Provider KeyParse fail", 0, 0, 0, 0);
601 BSL_ERR_PUSH_ERROR(HITLS_CFG_ERR_LOAD_KEY_BUFFER);
602 return NULL;
603 }
604
605 return newKey;
606 }
607
HITLS_CFG_ParseKey(HITLS_Config * config,const uint8_t * buf,uint32_t len,HITLS_ParseType type,HITLS_ParseFormat format)608 HITLS_CERT_Key *HITLS_CFG_ParseKey(HITLS_Config *config, const uint8_t *buf, uint32_t len,
609 HITLS_ParseType type, HITLS_ParseFormat format)
610 {
611 if (config == NULL || buf == NULL || len == 0) {
612 return NULL;
613 }
614
615 HITLS_CERT_Key *newKey = SAL_CERT_KeyParse(config, buf, len, type,
616 SAL_CERT_GetParseFormatStr(format), NULL);
617 if (newKey == NULL) {
618 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID17164, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
619 "KeyParse fail", 0, 0, 0, 0);
620 BSL_ERR_PUSH_ERROR(HITLS_CFG_ERR_LOAD_KEY_BUFFER);
621 return NULL;
622 }
623
624 return newKey;
625 }
626
HITLS_CFG_GetChainCerts(HITLS_Config * config)627 HITLS_CERT_Chain *HITLS_CFG_GetChainCerts(HITLS_Config *config)
628 {
629 if (config == NULL) {
630 return NULL;
631 }
632
633 return SAL_CERT_GetCurrentChainCerts(config->certMgrCtx);
634 }
635
636
HITLS_CFG_ClearChainCerts(HITLS_Config * config)637 int32_t HITLS_CFG_ClearChainCerts(HITLS_Config *config)
638 {
639 if (config == NULL) {
640 return HITLS_NULL_INPUT;
641 }
642
643 SAL_CERT_ClearCurrentChainCerts(config->certMgrCtx);
644 return HITLS_SUCCESS;
645 }
646
HITLS_CFG_AddExtraChainCert(HITLS_Config * config,HITLS_CERT_X509 * cert)647 int32_t HITLS_CFG_AddExtraChainCert(HITLS_Config *config, HITLS_CERT_X509 *cert)
648 {
649 if (config == NULL || cert == NULL) {
650 return HITLS_NULL_INPUT;
651 }
652
653 return SAL_CERT_AddExtraChainCert(config->certMgrCtx, cert);
654 }
655
HITLS_CFG_GetExtraChainCerts(HITLS_Config * config)656 HITLS_CERT_Chain *HITLS_CFG_GetExtraChainCerts(HITLS_Config *config)
657 {
658 if (config == NULL) {
659 return NULL;
660 }
661
662 return SAL_CERT_GetExtraChainCerts(config->certMgrCtx);
663 }
664
HITLS_CFG_RemoveCertAndKey(HITLS_Config * config)665 int32_t HITLS_CFG_RemoveCertAndKey(HITLS_Config *config)
666 {
667 if (config == NULL) {
668 return HITLS_NULL_INPUT;
669 }
670 SAL_CERT_ClearCertAndKey(config->certMgrCtx);
671 return HITLS_SUCCESS;
672 }
673
HITLS_CFG_SetVerifyCb(HITLS_Config * config,HITLS_VerifyCb callback)674 int32_t HITLS_CFG_SetVerifyCb(HITLS_Config *config, HITLS_VerifyCb callback)
675 {
676 if (config == NULL) {
677 return HITLS_NULL_INPUT;
678 }
679
680 return SAL_CERT_SetVerifyCb(config->certMgrCtx, callback);
681 }
682
HITLS_CFG_GetVerifyCb(HITLS_Config * config)683 HITLS_VerifyCb HITLS_CFG_GetVerifyCb(HITLS_Config *config)
684 {
685 if (config == NULL) {
686 return NULL;
687 }
688
689 return SAL_CERT_GetVerifyCb(config->certMgrCtx);
690 }
691
692 #ifdef HITLS_TLS_FEATURE_CERT_MODE
HITLS_CFG_SetVerifyNoneSupport(HITLS_Config * config,bool support)693 int32_t HITLS_CFG_SetVerifyNoneSupport(HITLS_Config *config, bool support)
694 {
695 if (config == NULL) {
696 return HITLS_NULL_INPUT;
697 }
698 config->isSupportVerifyNone = support;
699
700 return HITLS_SUCCESS;
701 }
702
HITLS_CFG_GetVerifyNoneSupport(HITLS_Config * config,uint8_t * isSupport)703 int32_t HITLS_CFG_GetVerifyNoneSupport(HITLS_Config *config, uint8_t *isSupport)
704 {
705 if (config == NULL || isSupport == NULL) {
706 return HITLS_NULL_INPUT;
707 }
708
709 *isSupport = (uint8_t)config->isSupportVerifyNone;
710 return HITLS_SUCCESS;
711 }
712
HITLS_CFG_GetClientVerifySupport(HITLS_Config * config,uint8_t * isSupport)713 int32_t HITLS_CFG_GetClientVerifySupport(HITLS_Config *config, uint8_t *isSupport)
714 {
715 if (config == NULL || isSupport == NULL) {
716 return HITLS_NULL_INPUT;
717 }
718
719 *isSupport = (uint8_t)config->isSupportClientVerify;
720 return HITLS_SUCCESS;
721 }
722
HITLS_CFG_GetNoClientCertSupport(HITLS_Config * config,uint8_t * isSupport)723 int32_t HITLS_CFG_GetNoClientCertSupport(HITLS_Config *config, uint8_t *isSupport)
724 {
725 if (config == NULL || isSupport == NULL) {
726 return HITLS_NULL_INPUT;
727 }
728
729 *isSupport = (uint8_t)config->isSupportNoClientCert;
730 return HITLS_SUCCESS;
731 }
732
HITLS_CFG_SetClientVerifySupport(HITLS_Config * config,bool support)733 int32_t HITLS_CFG_SetClientVerifySupport(HITLS_Config *config, bool support)
734 {
735 if (config == NULL) {
736 return HITLS_NULL_INPUT;
737 }
738 config->isSupportClientVerify = support;
739 return HITLS_SUCCESS;
740 }
741
HITLS_CFG_SetNoClientCertSupport(HITLS_Config * config,bool support)742 int32_t HITLS_CFG_SetNoClientCertSupport(HITLS_Config *config, bool support)
743 {
744 if (config == NULL) {
745 return HITLS_NULL_INPUT;
746 }
747
748 config->isSupportNoClientCert = support;
749 return HITLS_SUCCESS;
750 }
751 #endif
752
753 #ifdef HITLS_TLS_EXTENSION_CERT_AUTH
HITLS_CFG_AddCAIndication(HITLS_Config * config,HITLS_TrustedCAType caType,const uint8_t * data,uint32_t len)754 int32_t HITLS_CFG_AddCAIndication(HITLS_Config *config, HITLS_TrustedCAType caType, const uint8_t *data, uint32_t len)
755 {
756 if ((config == NULL) || (data == NULL) || (len == 0)) {
757 return HITLS_NULL_INPUT;
758 }
759
760 HITLS_TrustedCANode *newCaNode = BSL_SAL_Calloc(1u, sizeof(HITLS_TrustedCANode));
761 if (newCaNode == NULL) {
762 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16558, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, "Calloc fail", 0, 0, 0, 0);
763 return HITLS_MEMALLOC_FAIL;
764 }
765 newCaNode->caType = caType;
766 newCaNode->data = BSL_SAL_Dump(data, len);
767 if (newCaNode->data == NULL) {
768 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16559, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, "Dump fail", 0, 0, 0, 0);
769 BSL_SAL_FREE(newCaNode);
770 return HITLS_MEMALLOC_FAIL;
771 }
772 newCaNode->dataSize = len;
773
774 if (config->caList == NULL) {
775 config->caList = BSL_LIST_New(sizeof(HITLS_TrustedCANode *));
776 if (config->caList == NULL) {
777 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16560, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
778 "LIST_New fail", 0, 0, 0, 0);
779 BSL_SAL_FREE(newCaNode->data);
780 BSL_SAL_FREE(newCaNode);
781 return HITLS_MEMALLOC_FAIL;
782 }
783 }
784
785 /* tail insertion */
786 int32_t ret = (int32_t)BSL_LIST_AddElement((BslList *)config->caList, newCaNode, BSL_LIST_POS_END);
787 if (ret != 0) {
788 BSL_SAL_FREE(newCaNode->data);
789 BSL_SAL_FREE(newCaNode);
790 }
791 return ret;
792 }
HITLS_CFG_GetCAList(const HITLS_Config * config)793 HITLS_TrustedCAList *HITLS_CFG_GetCAList(const HITLS_Config *config)
794 {
795 if (config == NULL) {
796 return NULL;
797 }
798 return config->caList;
799 }
800
801 #endif