1 /*
2 * Copyright (c) 2021-2023 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #ifdef HKS_CONFIG_FILE
17 #include HKS_CONFIG_FILE
18 #else
19 #include "hks_config.h"
20 #endif
21
22 #include "hks_check_paramset.h"
23
24 #include <stddef.h>
25
26 #include "hks_base_check.h"
27 #include "hks_common_check.h"
28 #include "hks_crypto_hal.h"
29 #include "hks_log.h"
30 #include "hks_param.h"
31 #include "hks_template.h"
32 #include "securec.h"
33
34 #ifdef _CUT_AUTHENTICATE_
35 #undef HKS_SUPPORT_HASH_C
36 #undef HKS_SUPPORT_RSA_C
37 #undef HKS_SUPPORT_ECC_C
38 #undef HKS_SUPPORT_X25519_C
39 #undef HKS_SUPPORT_ED25519_C
40 #undef HKS_SUPPORT_KDF_PBKDF2
41 #endif /* _CUT_AUTHENTICATE_ */
42
43 #define HKS_DEFAULT_PBKDF2_ITERATION 1000
44 #define HKS_DEFAULT_PBKDF2_SALT_SIZE 16
45
46 #ifndef _CUT_AUTHENTICATE_
47 static uint32_t g_genKeyAlg[] = {
48 #ifdef HKS_SUPPORT_RSA_C
49 HKS_ALG_RSA,
50 #endif
51 #ifdef HKS_SUPPORT_AES_C
52 HKS_ALG_AES,
53 #endif
54 #ifdef HKS_SUPPORT_ECC_C
55 HKS_ALG_ECC,
56 #endif
57 #ifdef HKS_SUPPORT_HMAC_C
58 HKS_ALG_HMAC,
59 #endif
60 #ifdef HKS_SUPPORT_ED25519_C
61 HKS_ALG_ED25519,
62 #endif
63 #ifdef HKS_SUPPORT_X25519_C
64 HKS_ALG_X25519,
65 #endif
66 #ifdef HKS_SUPPORT_DSA_C
67 HKS_ALG_DSA,
68 #endif
69 #ifdef HKS_SUPPORT_DH_C
70 HKS_ALG_DH,
71 #endif
72 #ifdef HKS_SUPPORT_ECDH_C
73 HKS_ALG_ECDH,
74 #endif
75 #ifdef HKS_SUPPORT_SM3_C
76 HKS_ALG_SM3,
77 #endif
78 #ifdef HKS_SUPPORT_SM2_C
79 HKS_ALG_SM2,
80 #endif
81 #ifdef HKS_SUPPORT_SM4_C
82 HKS_ALG_SM4,
83 #endif
84 };
85
86 static uint32_t g_importKeyAlg[] = {
87 #ifdef HKS_SUPPORT_RSA_C
88 HKS_ALG_RSA,
89 #endif
90 #ifdef HKS_SUPPORT_AES_C
91 HKS_ALG_AES,
92 #endif
93 #ifdef HKS_SUPPORT_ECC_C
94 HKS_ALG_ECC,
95 #endif
96 #ifdef HKS_SUPPORT_X25519_C
97 HKS_ALG_X25519,
98 #endif
99 #ifdef HKS_SUPPORT_ED25519_C
100 HKS_ALG_ED25519,
101 #endif
102 #ifdef HKS_SUPPORT_DSA_C
103 HKS_ALG_DSA,
104 #endif
105 #ifdef HKS_SUPPORT_DH_C
106 HKS_ALG_DH,
107 #endif
108 #ifdef HKS_SUPPORT_HMAC_C
109 HKS_ALG_HMAC,
110 #endif
111 #ifdef HKS_SUPPORT_SM2_C
112 HKS_ALG_SM2,
113 #endif
114 #ifdef HKS_SUPPORT_SM3_C
115 HKS_ALG_SM3,
116 #endif
117 #ifdef HKS_SUPPORT_SM4_C
118 HKS_ALG_SM4,
119 #endif
120 };
121
122 static uint32_t g_cipherAlg[] = {
123 #ifdef HKS_SUPPORT_RSA_C
124 HKS_ALG_RSA,
125 #endif
126 #ifdef HKS_SUPPORT_AES_C
127 HKS_ALG_AES,
128 #endif
129 #ifdef HKS_SUPPORT_SM2_C
130 HKS_ALG_SM2,
131 #endif
132 #ifdef HKS_SUPPORT_SM4_C
133 HKS_ALG_SM4,
134 #endif
135 };
136 #ifdef HKS_SUPPORT_API_SIGN_VERIFY
137 static uint32_t g_signAlg[] = {
138 #ifdef HKS_SUPPORT_RSA_C
139 HKS_ALG_RSA,
140 #endif
141 #ifdef HKS_SUPPORT_DSA_C
142 HKS_ALG_DSA,
143 #endif
144 #ifdef HKS_SUPPORT_ECC_C
145 HKS_ALG_ECC,
146 #endif
147 #ifdef HKS_SUPPORT_ED25519_C
148 HKS_ALG_ED25519,
149 #endif
150 #ifdef HKS_SUPPORT_SM2_C
151 HKS_ALG_SM2,
152 #endif
153 };
154 #endif
155
156 static uint32_t g_agreeAlg[] = {
157 #ifdef HKS_SUPPORT_X25519_C
158 HKS_ALG_X25519,
159 #endif
160 #ifdef HKS_SUPPORT_ECDH_C
161 HKS_ALG_ECDH,
162 #endif
163 #ifdef HKS_SUPPORT_DH_C
164 HKS_ALG_DH,
165 #endif
166 };
167
168 static uint32_t g_agreeAlgLocal[] = {
169 #ifdef HKS_SUPPORT_ECDH_C
170 HKS_ALG_ECDH,
171 #endif
172 #ifdef HKS_SUPPORT_X25519_C
173 HKS_ALG_X25519,
174 #endif
175 #ifdef HKS_SUPPORT_DH_C
176 HKS_ALG_DH,
177 #endif
178 };
179
180 static uint32_t g_unwrapSuite[] = {
181 #if defined(HKS_SUPPORT_X25519_C) && defined(HKS_SUPPORT_AES_GCM)
182 HKS_UNWRAP_SUITE_X25519_AES_256_GCM_NOPADDING,
183 #endif
184 #if defined(HKS_SUPPORT_ECDH_C) && defined(HKS_SUPPORT_AES_GCM)
185 HKS_UNWRAP_SUITE_ECDH_AES_256_GCM_NOPADDING,
186 #endif
187 #if defined(HKS_SUPPORT_SM2_C) && defined(HKS_SUPPORT_SM4_C)
188 HKS_UNWRAP_SUITE_SM2_SM4_128_CBC_PKCS7_WITH_VERIFY_DIG_SM3,
189 HKS_UNWRAP_SUITE_SM2_SM4_128_CBC_PKCS7
190 #endif
191 };
192 #endif /* _CUT_AUTHENTICATE_ */
193
194 static uint32_t g_deriveAlg[] = {
195 #ifdef HKS_SUPPORT_KDF_HKDF
196 HKS_ALG_HKDF,
197 #endif
198 #ifdef HKS_SUPPORT_KDF_PBKDF2
199 HKS_ALG_PBKDF2,
200 #endif
201 #ifdef HKS_SUPPORT_KDF_SM3
202 HKS_ALG_GMKDF,
203 #endif
204 };
205
206 static uint32_t g_deriveAlgLocal[] = {
207 #ifdef HKS_SUPPORT_KDF_HKDF
208 HKS_ALG_HKDF,
209 #endif
210 };
211
212 static uint32_t g_digest[] = {
213 HKS_DIGEST_SHA1,
214 HKS_DIGEST_SHA224,
215 HKS_DIGEST_SHA256,
216 HKS_DIGEST_SHA384,
217 HKS_DIGEST_SHA512,
218 HKS_DIGEST_SM3
219 };
220 static uint32_t g_macDigest[] = {
221 HKS_DIGEST_SHA1,
222 HKS_DIGEST_SHA224,
223 HKS_DIGEST_SHA256,
224 HKS_DIGEST_SHA384,
225 HKS_DIGEST_SHA512,
226 HKS_DIGEST_SM3
227 };
228 #ifdef HKS_SUPPORT_AES_C
229 static uint32_t g_aesKeySizeLocal[] = {
230 HKS_AES_KEY_SIZE_128,
231 HKS_AES_KEY_SIZE_192,
232 HKS_AES_KEY_SIZE_256,
233 };
234 #endif
235 #ifdef HKS_SUPPORT_RSA_C
236 static uint32_t g_rsaKeySizeLocal[] = {
237 HKS_RSA_KEY_SIZE_512,
238 HKS_RSA_KEY_SIZE_768,
239 HKS_RSA_KEY_SIZE_1024,
240 HKS_RSA_KEY_SIZE_2048,
241 HKS_RSA_KEY_SIZE_3072,
242 HKS_RSA_KEY_SIZE_4096,
243 };
244 #endif
245
246 static uint32_t g_cipherAlgLocal[] = {
247 #ifdef HKS_SUPPORT_AES_C
248 HKS_ALG_AES,
249 #endif
250 #ifdef HKS_SUPPORT_RSA_C
251 HKS_ALG_RSA,
252 #endif
253 };
254
255 static uint32_t g_symmetricAlgorithm[] = {
256 #ifdef HKS_SUPPORT_AES_C
257 HKS_ALG_AES,
258 #endif
259 #ifdef HKS_SUPPORT_HMAC_C
260 HKS_ALG_HMAC,
261 #endif
262 #ifdef HKS_SUPPORT_SM3_C
263 HKS_ALG_SM3,
264 #endif
265 #ifdef HKS_SUPPORT_SM4_C
266 HKS_ALG_SM4,
267 #endif
268 };
269
CheckAndGetAlgorithm(const struct HksParamSet * paramSet,const uint32_t * expectAlg,uint32_t expectCnt,uint32_t * alg)270 static int32_t CheckAndGetAlgorithm(
271 const struct HksParamSet *paramSet, const uint32_t *expectAlg, uint32_t expectCnt, uint32_t *alg)
272 {
273 struct HksParam *algParam = NULL;
274 int32_t ret = HksGetParam(paramSet, HKS_TAG_ALGORITHM, &algParam);
275 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, HKS_ERROR_CHECK_GET_ALG_FAIL,
276 "get param 0x%" LOG_PUBLIC "x failed!", HKS_TAG_ALGORITHM)
277
278 ret = HksCheckValue(algParam->uint32Param, expectAlg, expectCnt);
279 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, HKS_ERROR_INVALID_ALGORITHM,
280 "alg value %" LOG_PUBLIC "u not expected", algParam->uint32Param)
281
282 *alg = algParam->uint32Param;
283 return ret;
284 }
285
CheckAndGetDigest(const struct HksParamSet * paramSet,const uint32_t * expectDigest,uint32_t expectCnt,uint32_t * digest)286 static int32_t CheckAndGetDigest(
287 const struct HksParamSet *paramSet, const uint32_t *expectDigest, uint32_t expectCnt, uint32_t *digest)
288 {
289 struct HksParam *digestParam = NULL;
290 int32_t ret = HksGetParam(paramSet, HKS_TAG_DIGEST, &digestParam);
291 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, HKS_ERROR_CHECK_GET_DIGEST_FAIL,
292 "get param get 0x%" LOG_PUBLIC "x failed!", HKS_TAG_DIGEST)
293
294 ret = HksCheckValue(digestParam->uint32Param, expectDigest, expectCnt);
295 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, HKS_ERROR_INVALID_DIGEST,
296 "digest value %" LOG_PUBLIC "u not expected", digestParam->uint32Param)
297
298 *digest = digestParam->uint32Param;
299 return ret;
300 }
301
302 #ifndef _CUT_AUTHENTICATE_
CheckGenKeyParamsByAlg(uint32_t alg,const struct HksParamSet * paramSet,struct ParamsValues * params,uint32_t keyFlag)303 static int32_t CheckGenKeyParamsByAlg(uint32_t alg, const struct HksParamSet *paramSet,
304 struct ParamsValues *params, uint32_t keyFlag)
305 {
306 int32_t ret = HksGetInputParmasByAlg(alg, HKS_CHECK_TYPE_GEN_KEY, paramSet, params);
307 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret,
308 "get input params by algorithm failed, ret = %" LOG_PUBLIC "d", ret)
309
310 ret = HksCheckFixedParams(alg, HKS_CHECK_TYPE_GEN_KEY, params);
311 HKS_IF_NOT_SUCC_RETURN(ret, ret)
312
313 ret = HksCheckGenKeyPurpose(alg, params->purpose.value, keyFlag);
314 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret,
315 "check purpose not expected, purpose = %" LOG_PUBLIC "d", params->purpose.value);
316 return HksCheckGenKeyMutableParams(alg, params);
317 }
318
CheckGenKeyMacDeriveParams(uint32_t alg,uint32_t inputPurpose,const struct HksParamSet * paramSet,struct ParamsValues * params,uint32_t keyFlag)319 static int32_t CheckGenKeyMacDeriveParams(
320 uint32_t alg, uint32_t inputPurpose, const struct HksParamSet *paramSet, struct ParamsValues *params,
321 uint32_t keyFlag)
322 {
323 if (alg != HKS_ALG_AES && alg != HKS_ALG_HMAC && alg != HKS_ALG_SM3 && alg != HKS_ALG_SM4) {
324 HKS_LOG_E("check mac or derive, not valid alg, alg: %" LOG_PUBLIC "u", alg);
325 return HKS_ERROR_INVALID_PURPOSE;
326 }
327
328 int32_t ret = HksCheckGenKeyPurpose(alg, inputPurpose, keyFlag);
329 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "check purpose invalid, purpose 0x%" LOG_PUBLIC "x", inputPurpose)
330
331 if (inputPurpose == HKS_KEY_PURPOSE_MAC) {
332 ret = HksGetInputParmasByAlg(alg, HKS_CHECK_TYPE_GEN_MAC_KEY, paramSet, params);
333 } else {
334 ret = HksGetInputParmasByAlg(alg, HKS_CHECK_TYPE_GEN_DERIVE_KEY, paramSet, params);
335 }
336 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "get input params by algorithm failed, ret = %" LOG_PUBLIC "d", ret)
337
338 if (inputPurpose == HKS_KEY_PURPOSE_MAC) {
339 ret = HksCheckFixedParams(alg, HKS_CHECK_TYPE_GEN_MAC_KEY, params);
340 } else {
341 ret = HksCheckFixedParams(alg, HKS_CHECK_TYPE_GEN_DERIVE_KEY, params);
342 }
343 HKS_IF_NOT_SUCC_LOGE(ret, "get input params by algorithm failed, ret = %" LOG_PUBLIC "d", ret)
344
345 return ret;
346 }
347
CoreCheckGenKeyParams(const struct HksParamSet * paramSet,struct ParamsValues * params,uint32_t keyFlag)348 static int32_t CoreCheckGenKeyParams(const struct HksParamSet *paramSet, struct ParamsValues *params, uint32_t keyFlag)
349 {
350 uint32_t alg;
351 int32_t ret = HksCheckParamSetTag(paramSet);
352 HKS_IF_NOT_SUCC_RETURN(ret, ret)
353
354 ret = CheckAndGetAlgorithm(paramSet, g_genKeyAlg, HKS_ARRAY_SIZE(g_genKeyAlg), &alg);
355 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "check and get alg failed")
356
357 struct HksParam *purposeParam = NULL;
358 struct HksParam *batchPurposeParam = NULL;
359 ret = HksGetParam(paramSet, HKS_TAG_PURPOSE, &purposeParam);
360 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, HKS_ERROR_CHECK_GET_PURPOSE_FAIL,
361 "get param get 0x%" LOG_PUBLIC "x failed", HKS_TAG_PURPOSE)
362 ret = HksGetParam(paramSet, HKS_TAG_BATCH_PURPOSE, &batchPurposeParam);
363 if (ret == HKS_SUCCESS) {
364 if ((purposeParam->uint32Param | batchPurposeParam->uint32Param) != purposeParam->uint32Param) {
365 HKS_LOG_E("batchPurposeParam should fall within the scope of purposeParam.");
366 return HKS_ERROR_INVALID_PURPOSE;
367 }
368 }
369
370 if (((purposeParam->uint32Param & HKS_KEY_PURPOSE_DERIVE) != 0) ||
371 ((purposeParam->uint32Param & HKS_KEY_PURPOSE_MAC) != 0)) {
372 return CheckGenKeyMacDeriveParams(alg, purposeParam->uint32Param, paramSet, params, keyFlag);
373 }
374
375 return CheckGenKeyParamsByAlg(alg, paramSet, params, keyFlag);
376 }
377
CheckImportKeySize(uint32_t alg,const struct ParamsValues * params,const struct HksBlob * key)378 static int32_t CheckImportKeySize(uint32_t alg, const struct ParamsValues *params, const struct HksBlob *key)
379 {
380 int32_t ret = HKS_SUCCESS;
381 switch (alg) {
382 case HKS_ALG_ED25519:
383 case HKS_ALG_X25519:
384 case HKS_ALG_RSA:
385 case HKS_ALG_ECC:
386 case HKS_ALG_SM2:
387 case HKS_ALG_DH: {
388 if (key->size < sizeof(struct HksPubKeyInfo)) {
389 ret = HKS_ERROR_INVALID_KEY_INFO;
390 break;
391 }
392 struct HksPubKeyInfo *keyMaterial = (struct HksPubKeyInfo *)(key->data);
393 if ((keyMaterial->keyAlg != alg) || (keyMaterial->keySize != params->keyLen.value)) {
394 ret = HKS_ERROR_INVALID_KEY_INFO;
395 }
396 break;
397 }
398 #ifdef HKS_SUPPORT_DSA_C
399 case HKS_ALG_DSA:
400 break;
401 #endif
402 default:
403 return HKS_ERROR_INVALID_ALGORITHM;
404 }
405 return ret;
406 }
407
CheckAndGetWrappedKeyUnwrapAlgSuite(const struct HksParamSet * paramSet,uint32_t * algSuite)408 static int32_t CheckAndGetWrappedKeyUnwrapAlgSuite(const struct HksParamSet *paramSet, uint32_t *algSuite)
409 {
410 struct HksParam *algorithmSuite = NULL;
411 int32_t ret = HksGetParam(paramSet, HKS_TAG_UNWRAP_ALGORITHM_SUITE, &algorithmSuite);
412 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, HKS_ERROR_CHECK_GET_ALG_FAIL, "get unwrap algorithm suite fail")
413
414 ret = HksCheckValue(algorithmSuite->uint32Param, g_unwrapSuite, HKS_ARRAY_SIZE(g_unwrapSuite));
415 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, HKS_ERROR_INVALID_ALGORITHM,
416 "unwrap algorithm suite value %" LOG_PUBLIC "u not expected", algorithmSuite->uint32Param)
417
418 *algSuite = algorithmSuite->uint32Param;
419 return HKS_SUCCESS;
420 }
421
422 #ifdef HKS_SUPPORT_API_SIGN_VERIFY
CheckSignVerifyParamsByAlg(uint32_t cmdId,uint32_t alg,const struct ParamsValues * inputParams)423 static int32_t CheckSignVerifyParamsByAlg(uint32_t cmdId, uint32_t alg, const struct ParamsValues *inputParams)
424 {
425 int32_t ret = HksCheckFixedParams(alg, HKS_CHECK_TYPE_USE_KEY, inputParams);
426 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "check sign or verify fixed params failed, ret = %" LOG_PUBLIC "d", ret)
427
428 ret = HksCheckSignVerifyMutableParams(cmdId, alg, inputParams);
429 HKS_IF_NOT_SUCC_LOGE(ret, "check sign or verify mutable params failed, ret = %" LOG_PUBLIC "d", ret)
430
431 return ret;
432 }
433 #endif
434 #endif /* _CUT_AUTHENTICATE_ */
435
CheckCipherParamsByAlg(uint32_t cmdId,uint32_t alg,const struct HksParamSet * paramSet,const struct ParamsValues * inputParams)436 static int32_t CheckCipherParamsByAlg(
437 uint32_t cmdId, uint32_t alg, const struct HksParamSet *paramSet, const struct ParamsValues *inputParams)
438 {
439 int32_t ret = HksCheckFixedParams(alg, HKS_CHECK_TYPE_USE_KEY, inputParams);
440 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "cipher check fixed params failed, ret = %" LOG_PUBLIC "d", ret)
441
442 ret = HksCheckCipherMutableParams(cmdId, alg, inputParams);
443 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "cipher check mutable params failed, ret = %" LOG_PUBLIC "d", ret)
444
445 ret = HksCheckCipherMaterialParams(alg, inputParams, paramSet);
446 HKS_IF_NOT_SUCC_LOGE(ret, "cipher check material params failed, ret = %" LOG_PUBLIC "d", ret)
447
448 return ret;
449 }
450
451 #ifndef _CUT_AUTHENTICATE_
452 #ifdef HKS_SUPPORT_KDF_PBKDF2
CheckPbkdf2DeriveKeyParams(const struct HksParamSet * paramSet)453 static int32_t CheckPbkdf2DeriveKeyParams(const struct HksParamSet *paramSet)
454 {
455 struct HksParam *iterationParam = NULL;
456 int32_t ret = HksGetParam(paramSet, HKS_TAG_ITERATION, &iterationParam);
457 HKS_IF_NOT_SUCC_RETURN(ret, HKS_ERROR_CHECK_GET_ITERATION_FAIL)
458
459 if (iterationParam->uint32Param < HKS_DEFAULT_PBKDF2_ITERATION) {
460 return HKS_ERROR_INVALID_ITERATION;
461 }
462
463 struct HksParam *saltParam = NULL;
464 ret = HksGetParam(paramSet, HKS_TAG_SALT, &saltParam);
465 HKS_IF_NOT_SUCC_RETURN(ret, HKS_ERROR_CHECK_GET_SALT_FAIL)
466
467 if ((CheckBlob(&saltParam->blob) != HKS_SUCCESS) || (saltParam->blob.size < HKS_DEFAULT_PBKDF2_SALT_SIZE)) {
468 return HKS_ERROR_INVALID_SALT;
469 }
470
471 return HKS_SUCCESS;
472 }
473 #endif
474
HksCoreCheckGenKeyParams(const struct HksBlob * keyAlias,const struct HksParamSet * paramSet,const struct HksBlob * keyIn,const struct HksBlob * keyOut,uint32_t keyFlag)475 int32_t HksCoreCheckGenKeyParams(const struct HksBlob *keyAlias, const struct HksParamSet *paramSet,
476 const struct HksBlob *keyIn, const struct HksBlob *keyOut, uint32_t keyFlag)
477 {
478 (void)keyAlias;
479 (void)keyIn;
480 (void)keyOut;
481 struct ParamsValues params;
482 (void)memset_s(¶ms, sizeof(params), 0, sizeof(params));
483 return CoreCheckGenKeyParams(paramSet, ¶ms, keyFlag);
484 }
485
CheckRsaKeyLen(uint32_t alg,uint32_t keyType,const struct ParamsValues * params,const struct HksBlob * key)486 static int32_t CheckRsaKeyLen(uint32_t alg, uint32_t keyType, const struct ParamsValues *params,
487 const struct HksBlob *key)
488 {
489 (void)keyType;
490 if (key->size < sizeof(struct HksKeyMaterialRsa)) {
491 HKS_LOG_E("invalid import key size: %" LOG_PUBLIC "u", key->size);
492 return HKS_ERROR_INVALID_KEY_INFO;
493 }
494
495 struct HksKeyMaterialRsa *keyMaterial = (struct HksKeyMaterialRsa *)(key->data);
496 if ((keyMaterial->keyAlg != alg) || (keyMaterial->keySize != params->keyLen.value)) {
497 HKS_LOG_E("invalid import key material");
498 return HKS_ERROR_INVALID_KEY_INFO;
499 }
500
501 if ((keyMaterial->nSize > HKS_RSA_KEY_SIZE_4096) || (keyMaterial->nSize == 0) ||
502 (keyMaterial->dSize > HKS_RSA_KEY_SIZE_4096) || (keyMaterial->dSize == 0) ||
503 (keyMaterial->eSize > HKS_RSA_KEY_SIZE_4096) || (keyMaterial->eSize == 0)) {
504 HKS_LOG_E("invalid import key material n/d/e size");
505 return HKS_ERROR_INVALID_KEY_INFO;
506 }
507
508 uint32_t keySize = sizeof(struct HksKeyMaterialRsa) + keyMaterial->nSize + keyMaterial->dSize + keyMaterial->eSize;
509 if (key->size < keySize) {
510 HKS_LOG_E("import key size[%" LOG_PUBLIC "u] smaller than keySize[%" LOG_PUBLIC "u]", key->size, keySize);
511 return HKS_ERROR_INVALID_KEY_INFO;
512 }
513
514 return HKS_SUCCESS;
515 }
516
CheckEccKeyLen(uint32_t alg,uint32_t keyType,const struct ParamsValues * params,const struct HksBlob * key)517 static int32_t CheckEccKeyLen(uint32_t alg, uint32_t keyType, const struct ParamsValues *params,
518 const struct HksBlob *key)
519 {
520 if (key->size < sizeof(struct HksKeyMaterialEcc)) {
521 HKS_LOG_E("invalid import key size: %" LOG_PUBLIC "u", key->size);
522 return HKS_ERROR_INVALID_KEY_INFO;
523 }
524
525 struct HksKeyMaterialEcc *keyMaterial = (struct HksKeyMaterialEcc *)(key->data);
526 if ((keyMaterial->keyAlg != alg) || (keyMaterial->keySize != params->keyLen.value)) {
527 HKS_LOG_E("invalid import key material");
528 return HKS_ERROR_INVALID_KEY_INFO;
529 }
530
531 if ((keyMaterial->xSize > HKS_ECC_KEY_SIZE_521) || (keyMaterial->ySize > HKS_ECC_KEY_SIZE_521) ||
532 (keyMaterial->zSize > HKS_ECC_KEY_SIZE_521)) {
533 HKS_LOG_E("invalid import key material x/y/z size, bigger than 521");
534 return HKS_ERROR_INVALID_KEY_INFO;
535 }
536
537 if (keyMaterial->zSize == 0) {
538 HKS_LOG_E("invalid import key material z size: 0");
539 return HKS_ERROR_INVALID_KEY_INFO;
540 }
541 if ((keyType == HKS_KEY_TYPE_KEY_PAIR) && ((keyMaterial->xSize == 0) || (keyMaterial->ySize == 0))) {
542 HKS_LOG_E("invalid import key material x/y size: 0");
543 return HKS_ERROR_INVALID_KEY_INFO;
544 }
545
546 uint32_t keySize = sizeof(struct HksKeyMaterialEcc) + keyMaterial->xSize + keyMaterial->ySize + keyMaterial->zSize;
547 if (key->size < keySize) {
548 HKS_LOG_E("import key size[%" LOG_PUBLIC "u] smaller than keySize[%" LOG_PUBLIC "u]", key->size, keySize);
549 return HKS_ERROR_INVALID_KEY_INFO;
550 }
551
552 return HKS_SUCCESS;
553 }
554
CheckDsaKeyLen(uint32_t alg,uint32_t keyType,const struct ParamsValues * params,const struct HksBlob * key)555 static int32_t CheckDsaKeyLen(uint32_t alg, uint32_t keyType, const struct ParamsValues *params,
556 const struct HksBlob *key)
557 {
558 if (key->size < sizeof(struct HksKeyMaterialDsa)) {
559 HKS_LOG_E("invalid import key size: %" LOG_PUBLIC "u", key->size);
560 return HKS_ERROR_INVALID_KEY_INFO;
561 }
562
563 struct HksKeyMaterialDsa *keyMaterial = (struct HksKeyMaterialDsa *)(key->data);
564 if ((keyMaterial->keyAlg != alg) || (keyMaterial->keySize != params->keyLen.value)) {
565 HKS_LOG_E("invalid import key material");
566 return HKS_ERROR_INVALID_KEY_INFO;
567 }
568
569 if ((keyMaterial->xSize > MAX_KEY_SIZE) || (keyMaterial->ySize > MAX_KEY_SIZE) ||
570 (keyMaterial->pSize > MAX_KEY_SIZE) || (keyMaterial->qSize > MAX_KEY_SIZE) ||
571 (keyMaterial->gSize > MAX_KEY_SIZE)) {
572 HKS_LOG_E("invalid import key material x/y/p/q/g size, bigger than 2048");
573 return HKS_ERROR_INVALID_KEY_INFO;
574 }
575
576 if ((keyMaterial->xSize == 0) ||
577 (keyMaterial->pSize == 0) || (keyMaterial->qSize == 0) || (keyMaterial->gSize == 0)) {
578 HKS_LOG_E("invalid import key material x/p/q/g size: 0");
579 return HKS_ERROR_INVALID_KEY_INFO;
580 }
581
582 if ((keyType == HKS_KEY_TYPE_KEY_PAIR) && (keyMaterial->ySize == 0)) {
583 HKS_LOG_E("invalid import key material y size: 0");
584 return HKS_ERROR_INVALID_KEY_INFO;
585 }
586
587 uint32_t keySize = sizeof(struct HksKeyMaterialDsa) + keyMaterial->xSize + keyMaterial->ySize +
588 keyMaterial->pSize + keyMaterial->qSize + keyMaterial->gSize;
589 if (key->size < keySize) {
590 HKS_LOG_E("import key size[%" LOG_PUBLIC "u] smaller than keySize[%" LOG_PUBLIC "u]", key->size, keySize);
591 return HKS_ERROR_INVALID_KEY_INFO;
592 }
593
594 return HKS_SUCCESS;
595 }
596
CheckCurve25519KeyLen(uint32_t alg,uint32_t keyType,const struct ParamsValues * params,const struct HksBlob * key)597 static int32_t CheckCurve25519KeyLen(uint32_t alg, uint32_t keyType, const struct ParamsValues *params,
598 const struct HksBlob *key)
599 {
600 if (key->size < sizeof(struct HksKeyMaterial25519)) {
601 HKS_LOG_E("invalid import Curve25519 key size: %" LOG_PUBLIC "u", key->size);
602 return HKS_ERROR_INVALID_KEY_INFO;
603 }
604
605 struct HksKeyMaterial25519 *keyMaterial = (struct HksKeyMaterial25519 *)(key->data);
606 if ((keyMaterial->keyAlg != alg) || (keyMaterial->keySize != params->keyLen.value)) {
607 HKS_LOG_E("invalid import Curve25519 key material");
608 return HKS_ERROR_INVALID_KEY_INFO;
609 }
610
611 if ((keyMaterial->pubKeySize > HKS_CURVE25519_KEY_SIZE_256) ||
612 (keyMaterial->priKeySize > HKS_CURVE25519_KEY_SIZE_256)) {
613 HKS_LOG_E("invalid import Curve25519 key material pubKey/priKey size, bigger than 256");
614 return HKS_ERROR_INVALID_KEY_INFO;
615 }
616
617 if (keyMaterial->priKeySize == 0) {
618 HKS_LOG_E("invalid import Curve25519 key material priKey size: 0");
619 return HKS_ERROR_INVALID_KEY_INFO;
620 }
621
622 if ((keyType == HKS_KEY_TYPE_KEY_PAIR) && (keyMaterial->pubKeySize == 0)) {
623 HKS_LOG_E("invalid import Curve25519 key material pubKey size: 0");
624 return HKS_ERROR_INVALID_KEY_INFO;
625 }
626
627 uint32_t keySize = sizeof(struct HksKeyMaterial25519) + keyMaterial->pubKeySize + keyMaterial->priKeySize;
628 if (key->size < keySize) {
629 HKS_LOG_E("import key size[%" LOG_PUBLIC "u] smaller than keySize[%" LOG_PUBLIC "u]", key->size, keySize);
630 return HKS_ERROR_INVALID_KEY_INFO;
631 }
632
633 return HKS_SUCCESS;
634 }
635
CheckDHKeyLen(uint32_t alg,uint32_t keyType,const struct ParamsValues * params,const struct HksBlob * key)636 static int32_t CheckDHKeyLen(uint32_t alg, uint32_t keyType, const struct ParamsValues *params,
637 const struct HksBlob *key)
638 {
639 if (key->size < sizeof(struct HksKeyMaterialDh)) {
640 HKS_LOG_E("invalid import DH key size: %" LOG_PUBLIC "u", key->size);
641 return HKS_ERROR_INVALID_KEY_INFO;
642 }
643
644 struct HksKeyMaterialDh *keyMaterial = (struct HksKeyMaterialDh *)(key->data);
645 if ((keyMaterial->keyAlg != alg) || (keyMaterial->keySize != params->keyLen.value)) {
646 HKS_LOG_E("invalid import DH key material");
647 return HKS_ERROR_INVALID_KEY_INFO;
648 }
649
650 if ((keyMaterial->pubKeySize > HKS_DH_KEY_SIZE_4096) || (keyMaterial->priKeySize > HKS_DH_KEY_SIZE_4096)) {
651 HKS_LOG_E("invalid import DH key material pubKey/priKey size, bigger than 4096");
652 return HKS_ERROR_INVALID_KEY_INFO;
653 }
654
655 if (keyMaterial->priKeySize == 0) {
656 HKS_LOG_E("invalid import DH key material priKey size: 0");
657 return HKS_ERROR_INVALID_KEY_INFO;
658 }
659
660 if ((keyType == HKS_KEY_TYPE_KEY_PAIR) && (keyMaterial->pubKeySize == 0)) {
661 HKS_LOG_E("invalid import DH key material pubKey size: 0");
662 return HKS_ERROR_INVALID_KEY_INFO;
663 }
664
665 uint32_t keySize = sizeof(struct HksKeyMaterialDh) + keyMaterial->pubKeySize + keyMaterial->priKeySize;
666 if (key->size < keySize) {
667 HKS_LOG_E("import key size[%" LOG_PUBLIC "u] smaller than keySize[%" LOG_PUBLIC "u]", key->size, keySize);
668 return HKS_ERROR_INVALID_KEY_INFO;
669 }
670
671 return HKS_SUCCESS;
672 }
673
CheckKeyLen(uint32_t alg,uint32_t keyType,const struct ParamsValues * params,const struct HksBlob * key)674 static int32_t CheckKeyLen(uint32_t alg, uint32_t keyType, const struct ParamsValues *params,
675 const struct HksBlob *key)
676 {
677 switch (alg) {
678 case HKS_ALG_RSA:
679 return CheckRsaKeyLen(alg, keyType, params, key);
680 case HKS_ALG_ECC:
681 case HKS_ALG_SM2:
682 return CheckEccKeyLen(alg, keyType, params, key);
683 case HKS_ALG_DSA:
684 return CheckDsaKeyLen(alg, keyType, params, key);
685 case HKS_ALG_X25519:
686 case HKS_ALG_ED25519:
687 return CheckCurve25519KeyLen(alg, keyType, params, key);
688 case HKS_ALG_DH:
689 return CheckDHKeyLen(alg, keyType, params, key);
690 default:
691 return HKS_ERROR_INVALID_ALGORITHM;
692 }
693 }
694
CheckMutableParams(uint32_t alg,uint32_t keyType,const struct ParamsValues * params)695 static int32_t CheckMutableParams(uint32_t alg, uint32_t keyType, const struct ParamsValues *params)
696 {
697 if (keyType == HKS_KEY_TYPE_KEY_PAIR) {
698 return HKS_SUCCESS;
699 }
700
701 switch (alg) {
702 case HKS_ALG_RSA:
703 if ((params->purpose.value != HKS_KEY_PURPOSE_SIGN) &&
704 (params->purpose.value != HKS_KEY_PURPOSE_DECRYPT)) {
705 HKS_LOG_E("Import rsa private key check purpose failed.");
706 return HKS_ERROR_INVALID_PURPOSE;
707 }
708 return HKS_SUCCESS;
709 case HKS_ALG_ECC:
710 if ((params->purpose.value != HKS_KEY_PURPOSE_SIGN) && (params->purpose.value != HKS_KEY_PURPOSE_AGREE) &&
711 (params->purpose.value != HKS_KEY_PURPOSE_UNWRAP)) {
712 HKS_LOG_E("Import ecc private key check purpose failed.");
713 return HKS_ERROR_INVALID_PURPOSE;
714 }
715 return HKS_SUCCESS;
716 case HKS_ALG_SM2:
717 case HKS_ALG_DSA:
718 case HKS_ALG_ED25519:
719 if (params->purpose.value != HKS_KEY_PURPOSE_SIGN) {
720 HKS_LOG_E("Import sm2 or dsa or ed25519 private key check purpose failed.");
721 return HKS_ERROR_INVALID_PURPOSE;
722 }
723 return HKS_SUCCESS;
724 case HKS_ALG_X25519:
725 case HKS_ALG_DH:
726 return HKS_SUCCESS;
727 default:
728 return HKS_ERROR_INVALID_ALGORITHM;
729 }
730 }
731
CheckImportKey(uint32_t alg,uint32_t keyType,const struct ParamsValues * params,const struct HksBlob * key)732 static int32_t CheckImportKey(uint32_t alg, uint32_t keyType, const struct ParamsValues *params,
733 const struct HksBlob *key)
734 {
735 int32_t ret = CheckKeyLen(alg, keyType, params, key);
736 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "check key len failed, ret = %" LOG_PUBLIC "d", ret)
737
738 ret = CheckMutableParams(alg, keyType, params);
739 HKS_IF_NOT_SUCC_LOGE(ret, "check mutable params faile, ret = %" LOG_PUBLIC "d", ret)
740 return ret;
741 }
742
CheckImportSymmetricKeySize(const struct ParamsValues * params,const struct HksBlob * key)743 static int32_t CheckImportSymmetricKeySize(const struct ParamsValues *params, const struct HksBlob *key)
744 {
745 if (key->size != HKS_KEY_BYTES(params->keyLen.value)) {
746 return HKS_ERROR_INVALID_KEY_INFO;
747 }
748 return HKS_SUCCESS;
749 }
750
HksCoreCheckImportKeyParams(const struct HksBlob * keyAlias,const struct HksBlob * key,const struct HksParamSet * paramSet,const struct HksBlob * keyOut)751 int32_t HksCoreCheckImportKeyParams(const struct HksBlob *keyAlias, const struct HksBlob *key,
752 const struct HksParamSet *paramSet, const struct HksBlob *keyOut)
753 {
754 (void)keyAlias;
755 (void)keyOut;
756 /* import key paramset is subset of generate key paramset */
757 struct ParamsValues params;
758 (void)memset_s(¶ms, sizeof(params), 0, sizeof(params));
759 int32_t ret = CoreCheckGenKeyParams(paramSet, ¶ms, HKS_KEY_FLAG_IMPORT_KEY);
760 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "CheckImportKeyParams failed")
761
762 uint32_t alg;
763 ret = CheckAndGetAlgorithm(paramSet, g_importKeyAlg, HKS_ARRAY_SIZE(g_importKeyAlg), &alg);
764 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "import key check and get alg failed")
765
766 if ((alg == HKS_ALG_AES) || (alg == HKS_ALG_SM3) || (alg == HKS_ALG_SM4) || (alg == HKS_ALG_HMAC)) {
767 return CheckImportSymmetricKeySize(¶ms, key);
768 }
769
770 struct HksParam *importKeyTypeParam = NULL;
771 ret = HksGetParam(paramSet, HKS_TAG_IMPORT_KEY_TYPE, &importKeyTypeParam);
772 if ((ret == HKS_SUCCESS) &&
773 ((importKeyTypeParam->uint32Param == HKS_KEY_TYPE_PRIVATE_KEY) ||
774 (importKeyTypeParam->uint32Param == HKS_KEY_TYPE_KEY_PAIR))) {
775 /* check private key or keypair key params */
776 return CheckImportKey(alg, importKeyTypeParam->uint32Param, ¶ms, key);
777 }
778
779 /* check public key params: 1. check keySize */
780 ret = CheckImportKeySize(alg, ¶ms, key);
781 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "import key check key size invalid")
782
783 /* check public key params: 2. check mutable params */
784 return CheckImportMutableParams(alg, ¶ms);
785 }
786
HksCoreCheckImportWrappedKeyParams(const struct HksBlob * key,const struct HksBlob * wrappedKeyData,const struct HksParamSet * paramSet,struct HksBlob * keyOut,uint32_t * outUnwrapSuite)787 int32_t HksCoreCheckImportWrappedKeyParams(const struct HksBlob *key, const struct HksBlob *wrappedKeyData,
788 const struct HksParamSet *paramSet, struct HksBlob *keyOut, uint32_t *outUnwrapSuite)
789 {
790 (void)keyOut;
791
792 HKS_IF_NOT_SUCC_LOGE_RETURN(CheckBlob(key), HKS_ERROR_INVALID_ARGUMENT, "wrapping key is invalid")
793
794 /* first check wrapping-related params and wrapped key data */
795 uint32_t unwrapSuite = 0;
796 int32_t ret = CheckAndGetWrappedKeyUnwrapAlgSuite(paramSet, &unwrapSuite);
797 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "check import wrapped params set failed")
798
799 ret = HksCheckWrappedDataFormatValidity(wrappedKeyData, HKS_IMPORT_WRAPPED_KEY_TOTAL_BLOBS, NULL);
800 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "check import wrapped key data format failed")
801
802 /* then check the origin key paramset which is the same as import key */
803 struct ParamsValues params;
804 (void)memset_s(¶ms, sizeof(params), 0, sizeof(params));
805 ret = CoreCheckGenKeyParams(paramSet, ¶ms, HKS_KEY_FLAG_IMPORT_KEY);
806 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "check origin key param set failed")
807
808 uint32_t alg;
809 ret = CheckAndGetAlgorithm(paramSet, g_importKeyAlg, HKS_ARRAY_SIZE(g_importKeyAlg), &alg);
810 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "CheckImportKeyParams get alg failed")
811 *outUnwrapSuite = unwrapSuite;
812 return HKS_SUCCESS;
813 }
814
HksCoreCheckSignVerifyParams(uint32_t cmdId,const struct HksBlob * key,const struct HksParamSet * paramSet,const struct HksBlob * srcData,const struct HksBlob * signature)815 int32_t HksCoreCheckSignVerifyParams(uint32_t cmdId, const struct HksBlob *key, const struct HksParamSet *paramSet,
816 const struct HksBlob *srcData, const struct HksBlob *signature)
817 {
818 #ifdef HKS_SUPPORT_API_SIGN_VERIFY
819 (void)srcData;
820 uint32_t alg;
821 int32_t ret = CheckAndGetAlgorithm(paramSet, g_signAlg, HKS_ARRAY_SIZE(g_signAlg), &alg);
822 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "check and get alg failed")
823
824 struct ParamsValues params;
825 (void)memset_s(¶ms, sizeof(params), 0, sizeof(params));
826
827 ret = HksGetInputParmasByAlg(alg, HKS_CHECK_TYPE_USE_KEY, paramSet, ¶ms);
828 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "sign or verify get input params failed, ret = %" LOG_PUBLIC "d", ret)
829
830 ret = CheckSignVerifyParamsByAlg(cmdId, alg, ¶ms);
831 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "sign or verify check params failed, ret = %" LOG_PUBLIC "d", ret)
832
833 uint32_t keySize = 0;
834 ret = HksGetKeySize(alg, key, &keySize);
835 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "get keySize failed!")
836
837 ret = HksCheckSignature(cmdId, alg, keySize, signature);
838 HKS_IF_NOT_SUCC_LOGE(ret, "check signature failed, ret = %" LOG_PUBLIC "d", ret)
839
840 return ret;
841 #else
842 (void)cmdId;
843 (void)key;
844 (void)paramSet;
845 (void)srcData;
846 (void)signature;
847 return HKS_ERROR_NOT_SUPPORTED;
848 #endif
849 }
850
HksLocalCheckSignVerifyParams(uint32_t cmdId,uint32_t keySize,const struct HksParamSet * paramSet,const struct HksBlob * srcData,const struct HksBlob * signature)851 int32_t HksLocalCheckSignVerifyParams(uint32_t cmdId, uint32_t keySize, const struct HksParamSet *paramSet,
852 const struct HksBlob *srcData, const struct HksBlob *signature)
853 {
854 #ifdef HKS_SUPPORT_API_SIGN_VERIFY
855 (void)srcData;
856 uint32_t alg;
857 int32_t ret = CheckAndGetAlgorithm(paramSet, g_signAlg, HKS_ARRAY_SIZE(g_signAlg), &alg);
858 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "local check and get alg failed")
859
860 struct ParamsValues params;
861 (void)memset_s(¶ms, sizeof(params), 0, sizeof(params));
862
863 ret = HksGetInputParmasByAlg(alg, HKS_CHECK_TYPE_USE_KEY, paramSet, ¶ms);
864 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "sign or verify get input params failed, ret = %" LOG_PUBLIC "d", ret)
865
866 ret = CheckSignVerifyParamsByAlg(cmdId, alg, ¶ms);
867 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "sign or verify local check params failed, ret = %" LOG_PUBLIC "d", ret)
868
869 ret = HksCheckSignature(cmdId, alg, keySize, signature);
870 HKS_IF_NOT_SUCC_LOGE(ret, "check signature failed, ret = %" LOG_PUBLIC "d", ret)
871
872 return ret;
873 #else
874 (void)cmdId;
875 (void)keySize;
876 (void)paramSet;
877 (void)srcData;
878 (void)signature;
879 return HKS_ERROR_NOT_SUPPORTED;
880 #endif
881 }
882
HksCoreCheckAgreeKeyParams(const struct HksParamSet * paramSet,const struct HksBlob * privateKey,const struct HksBlob * peerPublicKey,const struct HksBlob * agreedKey,bool isLocalCheck)883 int32_t HksCoreCheckAgreeKeyParams(const struct HksParamSet *paramSet, const struct HksBlob *privateKey,
884 const struct HksBlob *peerPublicKey, const struct HksBlob *agreedKey, bool isLocalCheck)
885 {
886 uint32_t alg;
887 int32_t ret;
888
889 if (isLocalCheck) {
890 ret = CheckAndGetAlgorithm(paramSet, g_agreeAlgLocal, HKS_ARRAY_SIZE(g_agreeAlgLocal), &alg);
891 } else {
892 ret = CheckAndGetAlgorithm(paramSet, g_agreeAlg, HKS_ARRAY_SIZE(g_agreeAlg), &alg);
893 }
894 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "check alg failed")
895
896 uint32_t keySize = 0;
897 if (isLocalCheck) {
898 if (alg == HKS_ALG_ED25519) {
899 if ((privateKey->size != HKS_KEY_BYTES(HKS_CURVE25519_KEY_SIZE_256)) ||
900 (peerPublicKey->size != HKS_KEY_BYTES(HKS_CURVE25519_KEY_SIZE_256))) {
901 return HKS_ERROR_INVALID_KEY_SIZE;
902 }
903 }
904
905 if (alg == HKS_ALG_DH || alg == HKS_ALG_ECC || alg == HKS_ALG_ECDH) {
906 if (privateKey->size < sizeof(struct HksKeyMaterialHeader)) {
907 return HKS_ERROR_INVALID_ARGUMENT;
908 }
909 keySize = ((struct HksKeyMaterialHeader *)privateKey->data)->keySize;
910 } else if (alg == HKS_ALG_ED25519) {
911 keySize = privateKey->size * HKS_BITS_PER_BYTE;
912 }
913 } else {
914 ret = HksGetKeySize(alg, privateKey, &keySize);
915 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "get key size failed")
916 }
917
918 uint32_t size = keySize / HKS_BITS_PER_BYTE + keySize % HKS_BITS_PER_BYTE;
919 if (agreedKey->size < size) {
920 HKS_LOG_E("agreeKey buffer too small, size %" LOG_PUBLIC "u", agreedKey->size);
921 return HKS_ERROR_BUFFER_TOO_SMALL;
922 }
923
924 return HKS_SUCCESS;
925 }
926
HksCoreCheckCipherParams(uint32_t cmdId,const struct HksBlob * key,const struct HksParamSet * paramSet,const struct HksBlob * inData,const struct HksBlob * outData)927 int32_t HksCoreCheckCipherParams(uint32_t cmdId, const struct HksBlob *key, const struct HksParamSet *paramSet,
928 const struct HksBlob *inData, const struct HksBlob *outData)
929 {
930 uint32_t alg;
931 int32_t ret = CheckAndGetAlgorithm(paramSet, g_cipherAlg, HKS_ARRAY_SIZE(g_cipherAlg), &alg);
932 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "check alg failed")
933
934 struct ParamsValues params;
935 (void)memset_s(¶ms, sizeof(params), 0, sizeof(params));
936
937 ret = HksGetInputParmasByAlg(alg, HKS_CHECK_TYPE_USE_KEY, paramSet, ¶ms);
938 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "cipher get input params failed, ret = %" LOG_PUBLIC "d", ret)
939
940 if ((alg == HKS_ALG_RSA) || (alg == HKS_ALG_SM4) || (alg == HKS_ALG_SM2)) {
941 ret = HksGetKeySize(alg, key, ¶ms.keyLen.value);
942 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "rsa/SM4/SM2 cipher get key size failed")
943 }
944
945 ret = CheckCipherParamsByAlg(cmdId, alg, paramSet, ¶ms);
946 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "cipher check params failed, ret = %" LOG_PUBLIC "d", ret)
947
948 ret = HksCheckCipherData(cmdId, alg, ¶ms, inData, outData);
949 HKS_IF_NOT_SUCC_LOGE(ret, "cipher check input or output data failed, ret = %" LOG_PUBLIC "d", ret)
950
951 return ret;
952 }
953 #endif /* _CUT_AUTHENTICATE_ */
954
HksLocalCheckCipherParams(uint32_t cmdId,uint32_t keySize,const struct HksParamSet * paramSet,const struct HksBlob * inData,const struct HksBlob * outData)955 int32_t HksLocalCheckCipherParams(uint32_t cmdId, uint32_t keySize, const struct HksParamSet *paramSet,
956 const struct HksBlob *inData, const struct HksBlob *outData)
957 {
958 uint32_t alg;
959 int32_t ret = CheckAndGetAlgorithm(paramSet, g_cipherAlgLocal, HKS_ARRAY_SIZE(g_cipherAlgLocal), &alg);
960 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "check alg failed")
961
962 if (alg == HKS_ALG_AES) {
963 #ifdef HKS_SUPPORT_AES_C
964 ret = HksCheckValue(keySize, g_aesKeySizeLocal, HKS_ARRAY_SIZE(g_aesKeySizeLocal));
965 #else
966 ret = HKS_ERROR_NOT_SUPPORTED;
967 #endif
968 } else if (alg == HKS_ALG_RSA) {
969 #ifdef HKS_SUPPORT_RSA_C
970 ret = HksCheckValue(keySize, g_rsaKeySizeLocal, HKS_ARRAY_SIZE(g_rsaKeySizeLocal));
971 #else
972 ret = HKS_ERROR_NOT_SUPPORTED;
973 #endif
974 }
975 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, HKS_ERROR_INVALID_KEY_SIZE,
976 "keySize value %" LOG_PUBLIC "u not expected", keySize)
977
978 struct ParamsValues params;
979 (void)memset_s(¶ms, sizeof(params), 0, sizeof(params));
980
981 ret = HksGetInputParmasByAlg(alg, HKS_CHECK_TYPE_USE_KEY, paramSet, ¶ms);
982 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "local cipher get input params failed, ret = %" LOG_PUBLIC "d", ret)
983
984 ret = CheckCipherParamsByAlg(cmdId, alg, paramSet, ¶ms);
985 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "local cipher check params failed, ret = %" LOG_PUBLIC "d", ret)
986
987 ret = HksCheckCipherData(cmdId, alg, ¶ms, inData, outData);
988 HKS_IF_NOT_SUCC_LOGE(ret, "local cipher check input or output data failed, ret = %" LOG_PUBLIC "d", ret)
989
990 return ret;
991 }
992
HksCoreCheckDeriveKeyParams(const struct HksParamSet * paramSet,const struct HksBlob * mainKey,const struct HksBlob * derivedKey,bool isLocalCheck)993 int32_t HksCoreCheckDeriveKeyParams(const struct HksParamSet *paramSet, const struct HksBlob *mainKey,
994 const struct HksBlob *derivedKey, bool isLocalCheck)
995 {
996 (void)mainKey;
997 (void)derivedKey;
998 uint32_t alg;
999 int32_t ret;
1000 if (isLocalCheck) {
1001 ret = CheckAndGetAlgorithm(paramSet, g_deriveAlgLocal, HKS_ARRAY_SIZE(g_deriveAlgLocal), &alg);
1002 } else {
1003 ret = CheckAndGetAlgorithm(paramSet, g_deriveAlg, HKS_ARRAY_SIZE(g_deriveAlg), &alg);
1004 }
1005 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "check alg failed")
1006
1007 struct HksParam *purposeParam = NULL;
1008 ret = HksGetParam(paramSet, HKS_TAG_PURPOSE, &purposeParam);
1009 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, HKS_ERROR_CHECK_GET_PURPOSE_FAIL,
1010 "get param get 0x%" LOG_PUBLIC "x failed", HKS_TAG_PURPOSE)
1011
1012 if (purposeParam->uint32Param != HKS_KEY_PURPOSE_DERIVE) {
1013 return HKS_ERROR_INVALID_PURPOSE;
1014 }
1015
1016 /* according to RFC5869, HKDF no need check salt and info */
1017 uint32_t digest;
1018 ret = CheckAndGetDigest(paramSet, g_digest, HKS_ARRAY_SIZE(g_digest), &digest);
1019 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "check digest failed")
1020
1021 #ifdef HKS_SUPPORT_KDF_PBKDF2
1022 if (alg == HKS_ALG_PBKDF2) {
1023 return CheckPbkdf2DeriveKeyParams(paramSet);
1024 }
1025 #endif
1026
1027 return HKS_SUCCESS;
1028 }
1029
CheckMacPurpose(const struct HksParamSet * paramSet)1030 static int32_t CheckMacPurpose(const struct HksParamSet *paramSet)
1031 {
1032 struct HksParam *purposeParam = NULL;
1033 int32_t ret = HksGetParam(paramSet, HKS_TAG_PURPOSE, &purposeParam);
1034 HKS_IF_NOT_SUCC_RETURN(ret, HKS_ERROR_CHECK_GET_PURPOSE_FAIL)
1035
1036 if (purposeParam->uint32Param != HKS_KEY_PURPOSE_MAC) {
1037 return HKS_ERROR_INVALID_PURPOSE;
1038 }
1039
1040 return HKS_SUCCESS;
1041 }
1042
CheckMacOutput(const struct HksBlob * key,const struct HksParamSet * paramSet,const struct HksBlob * mac,bool isLocalCheck)1043 static int32_t CheckMacOutput(
1044 const struct HksBlob *key, const struct HksParamSet *paramSet, const struct HksBlob *mac, bool isLocalCheck)
1045 {
1046 uint32_t digest;
1047 int32_t ret;
1048 if (isLocalCheck) {
1049 ret = CheckAndGetDigest(paramSet, g_digest, HKS_ARRAY_SIZE(g_digest), &digest);
1050 } else {
1051 ret = CheckAndGetDigest(paramSet, g_macDigest, HKS_ARRAY_SIZE(g_macDigest), &digest);
1052 }
1053 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "check digest failed")
1054
1055 uint32_t digestLen;
1056 ret = HksGetDigestLen(digest, &digestLen);
1057 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "get digest length failed, ret = %" LOG_PUBLIC "d", ret)
1058
1059 if (mac->size < digestLen) {
1060 HKS_LOG_E("mac buffer too small, size %" LOG_PUBLIC "u", mac->size);
1061 return HKS_ERROR_BUFFER_TOO_SMALL;
1062 }
1063
1064 if ((isLocalCheck) && (key->size < digestLen)) { /* the unit of local engine input key size is byte */
1065 HKS_LOG_E("key size too small, size = %" LOG_PUBLIC "u", key->size);
1066 return HKS_ERROR_INVALID_KEY_SIZE;
1067 }
1068
1069 return HKS_SUCCESS;
1070 }
1071
HksCoreCheckMacParams(const struct HksBlob * key,const struct HksParamSet * paramSet,const struct HksBlob * srcData,const struct HksBlob * mac,bool isLocalCheck)1072 int32_t HksCoreCheckMacParams(const struct HksBlob *key, const struct HksParamSet *paramSet,
1073 const struct HksBlob *srcData, const struct HksBlob *mac, bool isLocalCheck)
1074 {
1075 (void)srcData;
1076 int32_t ret = CheckMacPurpose(paramSet);
1077 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "check Mac purpose failed")
1078
1079 return CheckMacOutput(key, paramSet, mac, isLocalCheck);
1080 }
1081
CheckIsSymmetricAlgorithm(uint32_t alg)1082 static bool CheckIsSymmetricAlgorithm(uint32_t alg)
1083 {
1084 for (uint32_t i = 0; i < HKS_ARRAY_SIZE(g_symmetricAlgorithm); ++i) {
1085 if (alg == g_symmetricAlgorithm[i]) {
1086 return true;
1087 }
1088 }
1089 return false;
1090 }
1091
HksCoreCheckAgreeDeriveFinishParams(const struct HksBlob * key,const struct HksParamSet * paramSet)1092 int32_t HksCoreCheckAgreeDeriveFinishParams(const struct HksBlob *key, const struct HksParamSet *paramSet)
1093 {
1094 // check the key paramset is consistent with key real attributes, including key size and valid key algorithm
1095 struct HksParam *keySize = NULL;
1096 int32_t ret = HksGetParam(paramSet, HKS_TAG_KEY_SIZE, &keySize);
1097 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "get key size from agree paramset failed!")
1098 if (HKS_KEY_BYTES(keySize->uint32Param) != key->size) {
1099 HKS_LOG_E("key size param from paramSet is not consistent with real key size, param size %" LOG_PUBLIC
1100 "u not equals to real key size %" LOG_PUBLIC "u", HKS_KEY_BYTES(keySize->uint32Param), key->size);
1101 return HKS_ERROR_INVALID_ARGUMENT;
1102 }
1103 struct HksParam *algorithm = NULL;
1104 ret = HksGetParam(paramSet, HKS_TAG_ALGORITHM, &algorithm);
1105 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "get key algorithm from agree paramset failed!")
1106 if (!CheckIsSymmetricAlgorithm(algorithm->uint32Param)) {
1107 HKS_LOG_E("Agreed or derived key algorithm param can only be symmetric! Algorithm is %" LOG_PUBLIC "u",
1108 algorithm->uint32Param);
1109 return HKS_ERROR_INVALID_ARGUMENT;
1110 }
1111
1112 return HKS_SUCCESS;
1113 }
1114