• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (c) 2022 Huawei Device Co., Ltd.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at
6  *
7  *    http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
16 #include "cert_manager_check.h"
17 
18 #include <ctype.h>
19 
20 #include "cert_manager.h"
21 #include "cert_manager_permission_check.h"
22 #include "cm_log.h"
23 
CheckUri(const struct CmBlob * keyUri)24 int32_t CheckUri(const struct CmBlob *keyUri)
25 {
26     if (CmCheckBlob(keyUri) != CM_SUCCESS) {
27         CM_LOG_E("invalid uri");
28         return CMR_ERROR_INVALID_ARGUMENT;
29     }
30 
31     if (keyUri->size > MAX_AUTH_LEN_URI) {
32         CM_LOG_E("invalid uri len:%u", keyUri->size);
33         return CMR_ERROR_INVALID_ARGUMENT;
34     }
35 
36     for (uint32_t i = 1; i < keyUri->size; ++i) { /* from index 1 has '\0' */
37         if (keyUri->data[i] == 0) {
38             return CM_SUCCESS;
39         }
40     }
41     return CMR_ERROR_INVALID_ARGUMENT;
42 }
43 
CmServiceGetSystemCertListCheck(const uint32_t store)44 int32_t CmServiceGetSystemCertListCheck(const uint32_t store)
45 {
46     if (store != CM_SYSTEM_TRUSTED_STORE) {
47         CM_LOG_E("invalid input arguments store:%u", store);
48         return CMR_ERROR_INVALID_ARGUMENT;
49     }
50 
51     if (!CmHasCommonPermission()) {
52         CM_LOG_E("permission check failed");
53         return CMR_ERROR_PERMISSION_DENIED;
54     }
55 
56     return CM_SUCCESS;
57 }
58 
CmServiceGetSystemCertCheck(const uint32_t store,const struct CmBlob * certUri)59 int32_t CmServiceGetSystemCertCheck(const uint32_t store, const struct CmBlob *certUri)
60 {
61     if (store != CM_SYSTEM_TRUSTED_STORE) {
62         CM_LOG_E("invalid input arguments store:%u", store);
63         return CMR_ERROR_INVALID_ARGUMENT;
64     }
65 
66     if (CheckUri(certUri) != CM_SUCCESS) {
67         CM_LOG_E("invalid input arguments");
68         return CMR_ERROR_INVALID_ARGUMENT;
69     }
70 
71     if (!CmHasCommonPermission()) {
72         CM_LOG_E("permission check failed");
73         return CMR_ERROR_PERMISSION_DENIED;
74     }
75 
76     return CM_SUCCESS;
77 }
78 
CmServiceSetCertStatusCheck(const uint32_t store,const struct CmBlob * certUri,const uint32_t status)79 int32_t CmServiceSetCertStatusCheck(const uint32_t store, const struct CmBlob *certUri, const uint32_t status)
80 {
81     if (store != CM_SYSTEM_TRUSTED_STORE) {
82         CM_LOG_E("invalid input arguments store:%u", store);
83         return CMR_ERROR_INVALID_ARGUMENT;
84     }
85 
86     if (CheckUri(certUri) != CM_SUCCESS) {
87         CM_LOG_E("invalid input arguments");
88         return CMR_ERROR_INVALID_ARGUMENT;
89     }
90 
91     if ((status != 0) && (status != 1)) {
92         CM_LOG_E("invalid input status:%u", status);
93         return CMR_ERROR_INVALID_ARGUMENT;
94     }
95 
96     if (!CmHasPrivilegedPermission() || !CmHasCommonPermission()) {
97         CM_LOG_E("permission check failed");
98         return CMR_ERROR_PERMISSION_DENIED;
99     }
100 
101     if (!CmIsSystemApp()) {
102         CM_LOG_E("set cert status: caller is not system app");
103         return CMR_ERROR_NOT_SYSTEMP_APP;
104     }
105 
106     return CM_SUCCESS;
107 }
108 
AppCertCheckBlobValid(const struct CmBlob * data)109 static bool AppCertCheckBlobValid(const struct CmBlob *data)
110 {
111     for (uint32_t i = 0; i < data->size; i++) {
112         if ((i > 0) && (data->data[i] == '\0')) { /* from index 1 has '\0' */
113             CM_LOG_I("data has string end character");
114             return true;
115         }
116 
117         if ((!isalnum(data->data[i])) && (data->data[i] != '_')) { /* has invalid character */
118             CM_LOG_E("data include invalid character");
119             return false;
120         }
121     }
122 
123     CM_LOG_E("data has no string end character");
124     return false;
125 }
126 
CmCheckMaxInstalledCertCount(const uint32_t store,const struct CmContext * cmContext)127 static bool CmCheckMaxInstalledCertCount(const uint32_t store, const struct CmContext *cmContext)
128 {
129     bool isValid = true;
130     uint32_t fileCount = 0;
131     struct CmBlob fileNames[MAX_COUNT_CERTIFICATE];
132     uint32_t len = MAX_COUNT_CERTIFICATE * sizeof(struct CmBlob);
133     (void)memset_s(fileNames, len, 0, len);
134 
135     if (CmServiceGetAppCertList(cmContext, store, fileNames,
136         MAX_COUNT_CERTIFICATE, &fileCount) != CM_SUCCESS) {
137         isValid = false;
138         CM_LOG_E("Get App cert list fail");
139     }
140 
141     if (fileCount >= MAX_COUNT_CERTIFICATE) {
142         isValid = false;
143         CM_LOG_E("The app cert installed has reached max count:%u", fileCount);
144     }
145 
146     CM_LOG_I("app cert installed count:%u", fileCount);
147 
148     CmFreeFileNames(fileNames, fileCount);
149     return isValid;
150 }
151 
CmServiceInstallAppCertCheck(const struct CmBlob * appCert,const struct CmBlob * appCertPwd,const struct CmBlob * certAlias,const uint32_t store,const struct CmContext * cmContext)152 int32_t CmServiceInstallAppCertCheck(const struct CmBlob *appCert, const struct CmBlob *appCertPwd,
153     const struct CmBlob *certAlias, const uint32_t store, const struct CmContext *cmContext)
154 {
155     if (store != CM_CREDENTIAL_STORE && store != CM_PRI_CREDENTIAL_STORE) {
156         CM_LOG_E("CmInstallAppCertCheck store check fail, store:%u", store);
157         return CMR_ERROR_INVALID_ARGUMENT;
158     }
159 
160     if ((CmCheckBlob(appCert) != CM_SUCCESS) || (CmCheckBlob(appCertPwd) != CM_SUCCESS) ||
161         (CmCheckBlob(certAlias) != CM_SUCCESS)) {
162         CM_LOG_E("CmInstallAppCertCheck blob check fail");
163         return CMR_ERROR_INVALID_ARGUMENT;
164     }
165 
166     if (appCert->size > MAX_LEN_APP_CERT || appCertPwd->size > MAX_LEN_APP_CERT_PASSWD ||
167         certAlias->size > MAX_LEN_CERT_ALIAS) {
168         CM_LOG_E("CmInstallAppCertCheck max check fail, appCert:%u, appCertPwd:%u, certAlias:%u",
169             appCert->size, appCertPwd->size, certAlias->size);
170         return CMR_ERROR_INVALID_ARGUMENT;
171     }
172 
173     if (!AppCertCheckBlobValid(appCertPwd) || !AppCertCheckBlobValid(certAlias)) {
174         CM_LOG_E("CmInstallAppCertCheck blob data check fail");
175         return CMR_ERROR_INVALID_ARGUMENT;
176     }
177 
178     if (CmCheckMaxInstalledCertCount(store, cmContext) == false) {
179         CM_LOG_E("CmCheckMaxInstalledCertCount check fail");
180         return CM_FAILURE;
181     }
182 
183     if (!CmPermissionCheck(store)) {
184         CM_LOG_E("permission check failed");
185         return CMR_ERROR_PERMISSION_DENIED;
186     }
187 
188     if (!CmIsSystemAppByStoreType(store)) {
189         CM_LOG_E("install app cert: caller is not system app");
190         return CMR_ERROR_NOT_SYSTEMP_APP;
191     }
192 
193     return CM_SUCCESS;
194 }
195 
CmServiceUninstallAppCertCheck(const uint32_t store,const struct CmBlob * keyUri)196 int32_t CmServiceUninstallAppCertCheck(const uint32_t store, const struct CmBlob *keyUri)
197 {
198     if ((store != CM_CREDENTIAL_STORE) && (store != CM_PRI_CREDENTIAL_STORE)) {
199         CM_LOG_E("invalid input arguments store:%u", store);
200         return CMR_ERROR_INVALID_ARGUMENT;
201     }
202 
203     if (CheckUri(keyUri) != CM_SUCCESS) {
204         CM_LOG_E("invalid input arguments");
205         return CMR_ERROR_INVALID_ARGUMENT;
206     }
207 
208     if (!CmPermissionCheck(store)) {
209         CM_LOG_E("permission check failed");
210         return CMR_ERROR_PERMISSION_DENIED;
211     }
212 
213     if (!CmIsSystemAppByStoreType(store)) {
214         CM_LOG_E("uninstall app cert: caller is not system app");
215         return CMR_ERROR_NOT_SYSTEMP_APP;
216     }
217 
218     return CM_SUCCESS;
219 }
220 
CmServiceGetAppCertListCheck(const uint32_t store)221 int32_t CmServiceGetAppCertListCheck(const uint32_t store)
222 {
223     if ((store != CM_CREDENTIAL_STORE) && (store != CM_PRI_CREDENTIAL_STORE)) {
224         CM_LOG_E("invalid input arguments store:%u", store);
225         return CMR_ERROR_INVALID_ARGUMENT;
226     }
227 
228     if (!CmHasPrivilegedPermission() || !CmHasCommonPermission()) {
229         CM_LOG_E("permission check failed");
230         return CMR_ERROR_PERMISSION_DENIED;
231     }
232 
233     if (!CmIsSystemApp()) {
234         CM_LOG_E("get app cert list: caller is not system app");
235         return CMR_ERROR_NOT_SYSTEMP_APP;
236     }
237 
238     return CM_SUCCESS;
239 }
240 
CmServiceGetAppCertCheck(const uint32_t store,const struct CmBlob * keyUri)241 int32_t CmServiceGetAppCertCheck(const uint32_t store, const struct CmBlob *keyUri)
242 {
243     if ((store != CM_CREDENTIAL_STORE) && (store != CM_PRI_CREDENTIAL_STORE)) {
244         CM_LOG_E("invalid input arguments store:%u", store);
245         return CMR_ERROR_INVALID_ARGUMENT;
246     }
247 
248     if (CheckUri(keyUri) != CM_SUCCESS) {
249         CM_LOG_E("invalid input arguments");
250         return CMR_ERROR_INVALID_ARGUMENT;
251     }
252 
253     if (!CmHasCommonPermission()) {
254         CM_LOG_E("permission check failed");
255         return CMR_ERROR_PERMISSION_DENIED;
256     }
257 
258     return CM_SUCCESS;
259 }
260 
261