• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (C) 2021 Huawei Device Co., Ltd.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at
6  *
7  *     http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
16 #include "init/trusted_root_ca.h"
17 
18 #include "nlohmann/json.hpp"
19 
20 #include "common/hap_verify_log.h"
21 #include "util/hap_cert_verify_openssl_utils.h"
22 
23 namespace OHOS {
24 namespace Security {
25 namespace Verify {
26 const std::string TrustedRootCa::TRUSTED_ROOT_CA_FILE_PATH = "/system/etc/security/trusted_root_ca.json";
27 const std::string TrustedRootCa::TRUSTED_ROOT_CA_TEST_FILE_PATH = "/system/etc/security/trusted_root_ca_test.json";
28 const std::string OPENHARMONY_CERT = "C=CN, O=OpenHarmony, OU=OpenHarmony Team, CN=OpenHarmony Application Root CA";
29 
GetInstance()30 TrustedRootCa& TrustedRootCa::GetInstance()
31 {
32     static TrustedRootCa singleTrustedRoot;
33     return singleTrustedRoot;
34 }
35 
TrustedRootCa()36 TrustedRootCa::TrustedRootCa() : rootCerts(), rootCertsForTest(), isInit(false), isDebug(false),
37     devMode(DevMode::DEFAULT)
38 {
39 }
40 
~TrustedRootCa()41 TrustedRootCa::~TrustedRootCa()
42 {
43     for (auto rootCert : rootCerts) {
44         X509_free(rootCert.second);
45     }
46     for (auto rootCert : rootCertsForTest) {
47         X509_free(rootCert.second);
48     }
49 }
50 
EnableDebug()51 bool TrustedRootCa::EnableDebug()
52 {
53     if (isDebug) {
54         return true;
55     }
56 
57     isDebug = GetTrustedRootCAFromJson(rootCertsForTest, TRUSTED_ROOT_CA_TEST_FILE_PATH);
58     if (isDebug) {
59         HAPVERIFY_LOG_INFO(LABEL, "parse root certs test success, certs num: %{public}zu", rootCertsForTest.size());
60     }
61     return isDebug;
62 }
63 
DisableDebug()64 void TrustedRootCa::DisableDebug()
65 {
66     isDebug = false;
67     for (auto& rootCert : rootCertsForTest) {
68         X509_free(rootCert.second);
69     }
70     rootCertsForTest.clear();
71 }
72 
SetDevMode(DevMode mode)73 void TrustedRootCa::SetDevMode(DevMode mode)
74 {
75     devMode = mode;
76 }
77 
Init()78 bool TrustedRootCa::Init()
79 {
80     if (isInit) {
81         return true;
82     }
83 
84     isInit = GetTrustedRootCAFromJson(rootCerts, TRUSTED_ROOT_CA_FILE_PATH);
85     if (isInit) {
86         HAPVERIFY_LOG_INFO(LABEL, "parse root certs success, certs num: %{public}zu", rootCerts.size());
87     }
88     return isInit;
89 }
90 
Recovery()91 void TrustedRootCa::Recovery()
92 {
93     for (auto& rootCert : rootCerts) {
94         X509_free(rootCert.second);
95     }
96     rootCerts.clear();
97     isInit = false;
98 }
99 
GetTrustedRootCAFromJson(StringCertMap & rootCertMap,const std::string & filePath)100 bool TrustedRootCa::GetTrustedRootCAFromJson(StringCertMap& rootCertMap, const std::string& filePath)
101 {
102     nlohmann::json trustedRootCAJson;
103     std::string errorInfo;
104     if (!JsonParserUtils::ReadTrustedRootCAFromJson(trustedRootCAJson, filePath, errorInfo)) {
105         HAPVERIFY_LOG_ERROR(LABEL, "get jsonObj from %{public}s failed, because %{public}s",
106             filePath.c_str(), errorInfo.c_str());
107         return false;
108     }
109 
110     JsonMap trustedRootCAJsonMap;
111     JsonParserUtils::ParseJsonToMap(trustedRootCAJson, trustedRootCAJsonMap);
112     for (auto jsonPair : trustedRootCAJsonMap) {
113         HAPVERIFY_LOG_INFO(LABEL, "parse cert: %{public}s", jsonPair.second.c_str());
114         X509* cert = HapCertVerifyOpensslUtils::GetX509CertFromPemString(jsonPair.second);
115         if (cert == nullptr) {
116             HAPVERIFY_LOG_ERROR(LABEL, "GetX509CertFromPemString failed, key: %{public}s value: %{public}s",
117                 jsonPair.first.c_str(), jsonPair.second.c_str());
118             return false;
119         }
120         rootCertMap[jsonPair.first] = cert;
121     }
122 
123     if (rootCertMap.empty()) {
124         HAPVERIFY_LOG_ERROR(LABEL, "no root cert");
125         return false;
126     }
127     return true;
128 }
129 
FindMatchedRoot(X509 * caCert)130 X509* TrustedRootCa::FindMatchedRoot(X509* caCert)
131 {
132     if (caCert == nullptr) {
133         return nullptr;
134     }
135 
136     X509* root = FindMatchedRoot(rootCerts, caCert);
137     if (root != nullptr) {
138         return root;
139     }
140 
141     if (isDebug) {
142         HAPVERIFY_LOG_INFO(LABEL, "try to match with test root");
143         root = FindMatchedRoot(rootCertsForTest, caCert);
144     }
145     return root;
146 }
147 
FindMatchedRoot(const StringCertMap & rootCertMap,X509 * caCert)148 X509* TrustedRootCa::FindMatchedRoot(const StringCertMap& rootCertMap, X509* caCert)
149 {
150     for (auto root : rootCertMap) {
151         if (root.first == OPENHARMONY_CERT && devMode == DevMode::NON_DEV) {
152             continue;
153         }
154         if (HapCertVerifyOpensslUtils::X509NameCompare(X509_get_subject_name(root.second),
155             X509_get_issuer_name(caCert)) &&
156             HapCertVerifyOpensslUtils::CertVerify(caCert, root.second)) {
157             return X509_dup(root.second);
158         }
159     }
160     return nullptr;
161 }
162 } // namespace Verify
163 } // namespace Security
164 } // namespace OHOS
165