From 7bcbf6e5fd6b49283f6c01a388848872fc6eff8f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=9D=8E=E5=B7=8D?=
Date: Mon, 19 May 2025 20:04:11 +0800
Subject: [PATCH 01/16] =?UTF-8?q?=E8=AE=BE=E5=A4=87=E8=AF=81=E4=B9=A6?= =?UTF-8?q?=E6=A0=A1=E9=AA=8C?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: 李巍
---
 bundle.json | 2 +
 common/include/dm_constants.h | 1 +
 common/src/dm_constants.cpp | 3 +-
 sa_profile/device_manager.cfg | 8 +-
 services/implementation/BUILD.gn | 11 ++
 .../include/attest/dm_auth_attest_common.h | 57 +++++++
 .../include/attest/dm_auth_generate_attest.h | 40 +++++
 .../include/attest/dm_auth_validate_attest.h | 41 +++++
 .../include/authentication_v2/auth_manager.h | 4 +
 .../authentication_v2/dm_auth_context.h | 2 +
 .../authentication_v2/dm_auth_manager_base.h | 4 +
 .../src/attest/dm_auth_attest_common.cpp | 147 ++++++++++++++++++
 .../src/attest/dm_auth_generate_attest.cpp | 98 ++++++++++++
 .../src/attest/dm_auth_validate_attest.cpp | 126 +++++++++++++++
 .../src/authentication_v2/auth_manager.cpp | 56 ++++++-
 .../auth_stages/auth_negotiate.cpp | 35 +++++
 .../dm_auth_manager_base.cpp | 4 +
 .../dm_auth_message_processor.cpp | 11 ++
 .../BUILD.gn | 2 +
 .../dmauthmanagerv2_fuzzer/BUILD.gn | 2 +
 .../ondatareceivedv2_fuzzer/BUILD.gn | 2 +
 test/unittest/BUILD.gn | 16 ++
 22 files changed, 667 insertions(+), 5 deletions(-)
 create mode 100644 services/implementation/include/attest/dm_auth_attest_common.h
 create mode 100644 services/implementation/include/attest/dm_auth_generate_attest.h
 create mode 100644 services/implementation/include/attest/dm_auth_validate_attest.h
 create mode 100644 services/implementation/src/attest/dm_auth_attest_common.cpp
 create mode 100644 services/implementation/src/attest/dm_auth_generate_attest.cpp
 create mode 100644 services/implementation/src/attest/dm_auth_validate_attest.cpp
diff --git a/bundle.json b/bundle.json
index aee20468f..d3739da58 100644
--- a/bundle.json
+++ b/bundle.json
@@ -37,6 +37,7 @@
 "common_event_service",
 "data_share",
 "device_auth",
+ "device_certificate_manager",
 "device_info_manager",
 "dsoftbus",
 "eventhandler",
@@ -45,6 +46,7 @@
 "hisysevent",
 "hitrace",
 "hilog",
+ "huks",
 "init",
 "ipc",
 "json",
diff --git a/common/include/dm_constants.h b/common/include/dm_constants.h
index 9de251c63..f9525bf8c 100755
--- a/common/include/dm_constants.h
+++ b/common/include/dm_constants.h
@@ -182,6 +182,7 @@ extern const char* DM_VERSION_5_0_3;
 extern const char* DM_VERSION_5_0_4;
 extern const char* DM_VERSION_5_0_5;
 extern const char* DM_VERSION_5_1_0;
+extern const char* DM_VERSION_5_1_1;
 extern const char* DM_CURRENT_VERSION;
 extern const char* DM_VERSION_5_0_OLD_MAX; // Estimated highest version number of the old version
 } // namespace DistributedHardware
diff --git a/common/src/dm_constants.cpp b/common/src/dm_constants.cpp
index feb239eed..33867b48b 100644
--- a/common/src/dm_constants.cpp
+++ b/common/src/dm_constants.cpp
@@ -170,7 +170,8 @@ const char* DM_VERSION_5_0_3 = "5.0.3";
 const char* DM_VERSION_5_0_4 = "5.0.4";
 const char* DM_VERSION_5_0_5 = "5.0.5";
 const char* DM_VERSION_5_1_0 = "5.1.0";
-const char* DM_CURRENT_VERSION = DM_VERSION_5_1_0;
+const char* DM_VERSION_5_1_1 = "5.1.1";
+const char* DM_CURRENT_VERSION = DM_VERSION_5_1_1; // 看改变后的影响
 const char* DM_VERSION_5_0_OLD_MAX = "5.0.99"; // Estimated highest version number of the old version
 } // namespace DistributedHardware
 } // namespace OHOS
\ No newline at end of file
diff --git a/sa_profile/device_manager.cfg b/sa_profile/device_manager.cfg
index 35104cf5a..7a1fa625b 100644
--- a/sa_profile/device_manager.cfg
+++ b/sa_profile/device_manager.cfg
@@ -40,11 +40,15 @@ "ohos.permission.ALLOW_CONNECT_CAR", "ohos.permission.ACCESS_SERVICE_DP", "ohos.permission.ACCESS_SENSING_WITH_ULTRASOUND", - "ohos.permission.ACCESS_DEVAUTH_CRED_PRIVILEGE" + "ohos.permission.ACCESS_DEVAUTH_CRED_PRIVILEGE", + "ohos.permission.ACCESS_IDS", + "ohos.permission.sec.ACCESS_UDID" ], "permission_acls" : [ "ohos.permission.MANAGE_SOFTBUS_NETWORK", - "ohos.permission.ACCESS_DEVAUTH_CRED_PRIVILEGE" + "ohos.permission.ACCESS_DEVAUTH_CRED_PRIVILEGE", + "ohos.permission.ACCESS_IDS", + "ohos.permission.sec.ACCESS_UDID" ], "jobs" : { "on-start" : "service:device_manager" diff --git a/services/implementation/BUILD.gn b/services/implementation/BUILD.gn index d3ec32d92..506217b00 100644 --- a/services/implementation/BUILD.gn +++ b/services/implementation/BUILD.gn @@ -114,6 +114,7 @@ if (defined(ohos_lite)) { "include", "include/config", "include/adapter", + "include/attest", "include/authentication", "include/authentication_v2", "include/ability", @@ -236,12 +237,14 @@ if (defined(ohos_lite)) { "c_utils:utils", "common_event_service:cesfwk_innerkits", "device_auth:deviceauth_sdk", + "device_certificate_manager:device_cert_mgr_sdk", "device_info_manager:distributed_device_profile_common", "device_info_manager:distributed_device_profile_sdk", "dsoftbus:softbus_client", "eventhandler:libeventhandler", "ffrt:libffrt", "hilog:libhilog", + "huks:libhukssdk", "init:libbegetutil", "ipc:ipc_core", "mbedtls:mbedtls_shared", @@ -269,6 +272,14 @@ if (defined(ohos_lite)) { external_deps += [ "spatial_awareness:spatial_awareness_client" ] } + if (!device_manager_common) { + sources += [ + "src/attest/dm_auth_attest_common.cpp", + "src/attest/dm_auth_generate_attest.cpp", + "src/attest/dm_auth_validate_attest.cpp", + ] + } + subsystem_name = "distributedhardware" part_name = "device_manager" 
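Review bot: In sa_profile/device_manager.cfg, `ohos.permission.ACCESS_IDS` and `ohos.permission.sec.ACCESS_UDID` are granted (and added to `permission_acls`) for every build of the service, while services/implementation/BUILD.gn in this same patch compiles the attestation sources only under `if (!device_manager_common)`. If these two permissions exist only for the attestation calls, which is presumed here and not shown, the common build now holds identifier-access permissions it never uses. Either ship the extra permissions only with the variant that links the attest code, or state in the commit description why both variants need them.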
diff --git a/services/implementation/include/attest/dm_auth_attest_common.h b/services/implementation/include/attest/dm_auth_attest_common.h
new file mode 100644
index 000000000..4568b7d05
--- /dev/null
+++ b/services/implementation/include/attest/dm_auth_attest_common.h
@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef OHOS_DM_AUTH_ATTEST_COMMON_H
+#define OHOS_DM_AUTH_ATTEST_COMMON_H
+
+#define DM_CERTS_COUNT 4
+#define UDID_BUF_LEN 65
+#define DM_CERTIFICATE_SIZE 8192
+
+#include
+#include
+
+#include "dm_auth_manager_base.h"
+#include "dm_crypto.h"
+#include "dm_random.h"
+#include "json_object.h"
+
+namespace OHOS {
+namespace DistributedHardware {
+
+typedef struct DmBlob {
+ uint32_t size;
+ uint8_t *data;
+} DmBlob;
+
+typedef struct DmCertChain {
+ DmBlob *cert;
+ uint32_t certCount;
+} DmCertChain;
+
+class AuthAttestCommon {
+public:
+ static AuthAttestCommon &GetInstance(void)
+ {
+ static AuthAttestCommon instance;
+ return instance;
+ }
+
+ std::string SerializeDmCertChain(const DmCertChain* chain);
+ bool DeserializeDmCertChain(const std::string& data, DmCertChain* outChain);
+};
+} // namespace DistributedHardware
+} // namespace OHOS
+#endif // OHOS_DM_AUTH_ATTEST_COMMON_H
\ No newline at end of file
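Review bot: `DmBlob` and `DmCertChain` in dm_auth_attest_common.h carry raw owning pointers, but the header declares no release function and does not say who frees them. Both producers in this patch (`DeserializeDmCertChain`, `ConvertDcmCertChainToDmCertChain`) allocate with `new[]`, and none of the callers visible in auth_manager.cpp or auth_negotiate.cpp frees the chain afterwards. Declare a helper such as `void FreeDmCertChain(DmCertChain &chain);` next to the struct, or at least add `// cert and every cert[i].data are new[]-allocated; the holder of the chain must delete[] them`. The three `#define` sizes would also be safer as `constexpr` constants inside the namespace, placed after the includes.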
diff --git a/services/implementation/include/attest/dm_auth_generate_attest.h b/services/implementation/include/attest/dm_auth_generate_attest.h
new file mode 100644
index 000000000..2e4f02e69
--- /dev/null
+++ b/services/implementation/include/attest/dm_auth_generate_attest.h
@@ -0,0 +1,40 @@
+/*
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef OHOS_DM_AUTH_GENERATE_ATTEST_H
+#define OHOS_DM_AUTH_GENERATE_ATTEST_H
+
+#include "dm_auth_attest_common.h"
+
+#include "dcm_api.h"
+#include "dcm_type.h"
+
+namespace OHOS {
+namespace DistributedHardware {
+class AuthGenerateAttest {
+public:
+ static AuthGenerateAttest &GetInstance(void)
+ {
+ static AuthGenerateAttest instance;
+ return instance;
+ }
+
+ int32_t GenerateCertificate(DmCertChain &dmCertChain);
+ int32_t ConvertDcmCertChainToDmCertChain(DcmCertChain &dcmCertChain, DmCertChain &dmCertChain);
+ int32_t InitCertChain(DcmCertChain *certChain);
+};
+} // namespace DistributedHardware
+} // namespace OHOS
+#endif // OHOS_DM_AUTH_GENERATE_ATTEST_H
\ No newline at end of file
diff --git a/services/implementation/include/attest/dm_auth_validate_attest.h b/services/implementation/include/attest/dm_auth_validate_attest.h
new file mode 100644
index 000000000..4712d2317
--- /dev/null
+++ b/services/implementation/include/attest/dm_auth_validate_attest.h
@@ -0,0 +1,41 @@
+/*
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef OHOS_DM_AUTH_VALIDATE_ATTEST_H
+#define OHOS_DM_AUTH_VALIDATE_ATTEST_H
+
+#include "dm_auth_attest_common.h"
+
+#include "hks_api.h"
+#include "hks_param.h"
+#include "hks_type.h"
+
+namespace OHOS {
+namespace DistributedHardware {
+class AuthValidateAttest {
+public:
+ static AuthValidateAttest &GetInstance(void)
+ {
+ static AuthValidateAttest instance;
+ return instance;
+ }
+
+ int32_t VerifyCertificate(DmCertChain &dmCertChain, const char* deviceUdid);
+ int32_t ConvertDmCertChainToHksCertChain(DmCertChain &dmCertChain, HksCertChain &hksCertChain);
+ int32_t FillHksParamSet(struct HksParamSet **paramSet, struct HksParam *param, int32_t paramNums);
+};
+} // namespace DistributedHardware
+} // namespace OHOS
+#endif // OHOS_DM_AUTH_VALIDATE_ATTEST_H
\ No newline at end of file
diff --git a/services/implementation/include/authentication_v2/auth_manager.h b/services/implementation/include/authentication_v2/auth_manager.h
index 2767c79b4..c68b7c883 100644
--- a/services/implementation/include/authentication_v2/auth_manager.h
+++ b/services/implementation/include/authentication_v2/auth_manager.h
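Review bot: `VerifyCertificate` in dm_auth_validate_attest.h names its second parameter `deviceUdid`, but the definition in dm_auth_validate_attest.cpp calls it `deviceIdHash` and compares it with `Crypto::GetUdidHash()` of the UDID extracted from the certificate. A caller who follows the header and passes a raw UDID will fail the comparison every time. Rename the parameter to `deviceIdHash` here and document the contract, e.g. `// deviceIdHash: the peer's UDID hash (Crypto::GetUdidHash form); DM_OK only if the chain validates and its attested UDID hashes to this value`.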
@@ -25,6 +25,10 @@ #include "json_object.h" #include "softbus_connector.h" #include "softbus_session.h" +#if !defined(DEVICE_MANAGER_COMMON_FLAG) +#include "dm_auth_generate_attest.h" +#include "dm_auth_validate_attest.h" +#endif namespace OHOS { namespace DistributedHardware { diff --git a/services/implementation/include/authentication_v2/dm_auth_context.h b/services/implementation/include/authentication_v2/dm_auth_context.h index 71e5d3f45..694a26c86 100644 --- a/services/implementation/include/authentication_v2/dm_auth_context.h +++ b/services/implementation/include/authentication_v2/dm_auth_context.h @@ -217,6 +217,8 @@ struct DmAuthContext { DmAccess accesser; DmAccess accessee; std::multimap proxy; // Multimap where the key is the accessor and the value is the accesssee + std::string cert; + bool isBlueFlag{false}; std::shared_ptr authStateMachine; std::shared_ptr authUiStateMgr; diff --git a/services/implementation/include/authentication_v2/dm_auth_manager_base.h b/services/implementation/include/authentication_v2/dm_auth_manager_base.h index e19793aa6..91e759b48 100644 --- a/services/implementation/include/authentication_v2/dm_auth_manager_base.h +++ b/services/implementation/include/authentication_v2/dm_auth_manager_base.h @@ -75,6 +75,10 @@ extern const char* WAIT_NEGOTIATE_TIMEOUT_TASK; extern const char* ADD_TIMEOUT_TASK; extern const char* WAIT_SESSION_CLOSE_TIMEOUT_TASK; extern const char* CLOSE_SESSION_TASK_SEPARATOR; +extern const char* TAG_DM_CERT_CHAIN; +extern const char* TAG_CERT_COUNT; +extern const char* TAG_CERT; +extern const char* TAG_IS_BLUE_FLAG; extern const int32_t AUTHENTICATE_TIMEOUT; extern const int32_t CONFIRM_TIMEOUT; diff --git a/services/implementation/src/attest/dm_auth_attest_common.cpp b/services/implementation/src/attest/dm_auth_attest_common.cpp new file mode 100644 index 000000000..5480912cd --- /dev/null +++ b/services/implementation/src/attest/dm_auth_attest_common.cpp 
@@ -0,0 +1,147 @@
+/*
+* Copyright (c) 2025 Huawei Device Co., Ltd.
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+#include "dm_auth_attest_common.h"
+
+#include "dm_error_type.h"
+#include "dm_log.h"
+
+namespace OHOS {
+namespace DistributedHardware {
+
+const int32_t MAX_CERT_COUNT = 1024;
+constexpr int32_t HEX_TO_UINT8 = 2;
+
+std::string AuthAttestCommon::SerializeDmCertChain(const DmCertChain* chain)
+{
+ if (!chain || !chain->cert || chain->certCount == 0) {
+ return "{}";
+ }
+ JsonObject jsonObject;
+ jsonObject[TAG_CERT_COUNT] = chain->certCount;
+ std::vector certStrings;
+ JsonObject jsonArrayObj(JsonCreateType::JSON_CREATE_TYPE_ARRAY);
+ for (uint32_t i = 0; i < chain->certCount; ++i) {
+ const DmBlob& blob = chain->cert[i];
+ if (!blob.data || blob.size == 0) {
+ return "{}";
+ }
+ const uint32_t hexLen = blob.size * HEX_TO_UINT8 + 1; // 2*blob.size + 1
+ char* hexBuffer = new char[hexLen];
+ if (!hexBuffer) {
+ return "{}";
+ }
+ int32_t ret = Crypto::ConvertBytesToHexString(hexBuffer, hexLen, blob.data, blob.size);
+ if (ret != DM_OK) {
+ delete[] hexBuffer;
+ return "{}";
+ }
+ hexBuffer[blob.size * HEX_TO_UINT8] = '\0';
+ certStrings.emplace_back(hexBuffer, hexLen);
+ jsonArrayObj.PushBack(std::string(hexBuffer));
+ delete[] hexBuffer;
+ }
+ jsonObject.Insert(TAG_CERT, jsonArrayObj);
+ return jsonObject.Dump();
+}
+
+bool ValidateInputJson(const std::string& data)
+{
+ JsonObject jsonObject;
+ jsonObject.Parse(data);
+ if (!jsonObject.Contains(TAG_CERT_COUNT) || !jsonObject.Contains(TAG_CERT)) {
+ LOGE("DeserializeDmCertChain: Missing required fields 'certCount' or 'cert'");
+ return false;
+ }
+ const uint32_t certCount = jsonObject[TAG_CERT_COUNT].Get();
+ if (certCount == 0 || certCount > MAX_CERT_COUNT) {
+ LOGE("DeserializeDmCertChain: Invalid certCount value %{public}u", certCount);
+ return false;
+ }
+ return true;
+}
+
+ bool ProcessCertItem(const JsonItemObject& item, DmBlob& cert, uint32_t processedIndex)
+ {
+ std::string hexStr = item.Get();
+ LOGI("DeserializeDmCertChain hexStr=%{public}s.", hexStr.c_str());
+ const size_t hexLen = hexStr.length();
+ if (hexLen == 0 || hexLen % HEX_TO_UINT8 != 0) {
+ LOGE("DeserializeDmCertChain: Invalid HEX length %{public}zu at index %{public}u", hexLen, processedIndex);
+ return false;
+ }
+ const uint32_t binSize = hexLen / HEX_TO_UINT8;
+ cert.data = new uint8_t[binSize];
+ if (cert.data == nullptr) {
+ LOGE("DeserializeDmCertChain: Data allocation failed at index %{public}u", processedIndex);
+ return false;
+ }
+ int32_t ret = Crypto::ConvertHexStringToBytes(cert.data, binSize, hexStr.c_str(), hexLen);
+ if (ret != DM_OK) {
+ LOGE("DeserializeDmCertChain: HEX conversion failed at index %{public}u, ret = %{public}d",
+ processedIndex, ret);
+ delete[] cert.data;
+ cert.data = nullptr;
+ return false;
+ }
+ cert.size = binSize;
+ return true;
+}
+
+bool AuthAttestCommon::DeserializeDmCertChain(const std::string& data, DmCertChain* outChain)
+{
+ if (!outChain || data.empty() || !ValidateInputJson(data)) {
+ LOGE("Invalid input");
+ return false;
+ }
+ JsonObject jsonObject;
+ jsonObject.Parse(data);
+ const uint32_t certCount = jsonObject[TAG_CERT_COUNT].Get();
+ JsonObject jsonArrayObj(JsonCreateType::JSON_CREATE_TYPE_ARRAY);
+ jsonArrayObj.Parse(jsonObject[TAG_CERT].Dump());
+ DmBlob* certs = new DmBlob[certCount];
+ if (certs == nullptr) {
+ LOGE("DeserializeDmCertChain: Memory allocation failed for certs array");
+ return false;
+ }
+ memset_s(certs, sizeof(DmBlob) * certCount, 0, sizeof(DmBlob) * certCount);
+ bool success = true;
+ uint32_t processedIndex = 0;
+ for (const auto& item : jsonArrayObj.Items()) {
+ if (!ProcessCertItem(item, certs[processedIndex], processedIndex)) {
+ success = false;
+ break;
+ }
+ processedIndex++;
+ }
+ if (!success) {
+ for (uint32_t i = 0; i < processedIndex; ++i) {
+ delete[] certs[i].data;
+ }
+ delete[] certs;
+ return false;
+ }
+ if (outChain->cert != nullptr) {
+ for (uint32_t i = 0; i < outChain->certCount; ++i) {
+ delete[] outChain->cert[i].data;
+ }
+ delete[] outChain->cert;
+ }
+ outChain->cert = certs;
+ outChain->certCount = certCount;
+ return true;
+}
+} // namespace DistributedHardware
+} // namespace OHOS
\ No newline at end of file
diff --git a/services/implementation/src/attest/dm_auth_generate_attest.cpp b/services/implementation/src/attest/dm_auth_generate_attest.cpp
new file mode 100644
index 000000000..7f9ab86dd
--- /dev/null
+++ b/services/implementation/src/attest/dm_auth_generate_attest.cpp
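Review bot: In `DeserializeDmCertChain` (dm_auth_attest_common.cpp), `certs` is sized from the `certCount` field but the fill loop walks every element of the `cert` array, so input whose array is longer than its declared `certCount` writes past the end of `certs`. Both values come from the serialized chain, which auth_negotiate.cpp takes from the peer's negotiate message, so the loop has to stop at `certCount` and the input should be rejected when the two disagree, as in the excerpt below. `ValidateInputJson` also calls `Get()` on `certCount` without checking that `Parse` succeeded or that the field has the expected type. `ProcessCertItem` writes the full hex certificate to the log with `%{public}s`; the same public logging of the chain recurs in dm_auth_generate_attest.cpp, auth_manager.cpp, auth_negotiate.cpp and dm_auth_message_processor.cpp and should be reduced to counts and sizes.

```cpp
    for (const auto& item : jsonArrayObj.Items()) {
        // Never write past the certCount slots that were allocated.
        if (processedIndex >= certCount) {
            LOGE("DeserializeDmCertChain: more certs than certCount");
            success = false;
            break;
        }
        // … unchanged: ProcessCertItem call and processedIndex++ …
    }
    // An array shorter than the declared count is malformed as well.
    if (success && processedIndex != certCount) {
        LOGE("DeserializeDmCertChain: fewer certs than certCount");
        success = false;
    }
    // … unchanged: cleanup on failure, replacing outChain->cert …
```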
@@ -0,0 +1,98 @@
+/*
+* Copyright (c) 2025 Huawei Device Co., Ltd.
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+#include "dm_auth_generate_attest.h"
+
+#include "dm_error_type.h"
+#include "dm_log.h"
+
+namespace OHOS {
+namespace DistributedHardware {
+
+constexpr uint64_t MIN_DCM_RANDOM = 0;
+constexpr uint64_t MAX_DCM_RANDOM = 9999999999;
+
+int32_t AuthGenerateAttest::GenerateCertificate(DmCertChain &dmCertChain)
+{
+ LOGI("GenerateCertificate Start");
+ DcmIdType ids[] = { DCM_ID_TYPE_UDID };
+ uint64_t randomNum = GenRandLongLong(MIN_DCM_RANDOM, MAX_DCM_RANDOM);
+ LOGI("GenerateCertificate randomNum=%{public}lu", randomNum);
+ DcmBlob challengeBlob = {sizeof(randomNum), (uint8_t *)& randomNum};
+ DcmCertChain* dcmCertChain = new DcmCertChain();
+ InitCertChain(dcmCertChain);
+ int32_t ret = DcmAttestIdsEx(ids, sizeof(ids)/sizeof(ids[0]), &challengeBlob, DCM_CERT_TYPE_ROOT_V2, dcmCertChain);
+ if (ret != DCM_SUCCESS) {
+ LOGE("DcmAttestIdsEx fail, ret=%{public}d", ret);
+ return ret;
+ }
+ LOGI("DcmCertChain certCount=%{public}d, blob.size=%{public}d, blod.data=%{public}s", dcmCertChain -> certCount,
+ (*dcmCertChain -> cert).size, (*dcmCertChain->cert).data);
+ ret = ConvertDcmCertChainToDmCertChain(*dcmCertChain, dmCertChain);
+ if (ret != DM_OK) {
+ LOGE("covertToSoftbusCertChain fail. ret=%{public}d", ret);
+ return ret;
+ }
+ return 0;
+}
+
+int32_t AuthGenerateAttest::InitCertChain(DcmCertChain *certChain)
+{
+ certChain->certCount = DM_CERTS_COUNT;
+ certChain->cert = new DcmBlob[certChain->certCount];
+ for (uint32_t i = 0; i < certChain->certCount; ++i) {
+ certChain->cert[i].size = DM_CERTIFICATE_SIZE;
+ certChain->cert[i].data = new uint8_t[DM_CERTIFICATE_SIZE];
+ }
+ return DM_OK;
+}
+
+void FreeCertChain(DcmCertChain* chain)
+{
+ if (!chain) {
+ return;
+ }
+ for (uint32_t i = 0; i < chain->certCount; ++i) {
+ delete[] chain->cert[i].data;
+ chain->cert[i].data = nullptr;
+ }
+ delete[] chain->cert;
+ chain->cert = nullptr;
+ delete chain;
+}
+
+int32_t AuthGenerateAttest::ConvertDcmCertChainToDmCertChain(DcmCertChain &dcmCertChain, DmCertChain &dmCertChain)
+{
+ LOGI("ConvertDcmCertChainToDmCertChain start!");
+ dmCertChain.certCount = dcmCertChain.certCount;
+ if (dcmCertChain.certCount > 0) {
+ dmCertChain.cert = new DmBlob[dcmCertChain.certCount];
+ for (uint32_t i = 0; i < dcmCertChain.certCount; ++i) {
+ dmCertChain.cert[i].size = dcmCertChain.cert[i].size;
+ if (dcmCertChain.cert[i].size > 0 && dcmCertChain.cert[i].data != nullptr) {
+ dmCertChain.cert[i].data = new uint8_t[dcmCertChain.cert[i].size];
+ memcpy_s(dmCertChain.cert[i].data, dmCertChain.cert[i].size,
+ dcmCertChain.cert[i].data, dcmCertChain.cert[i].size);
+ } else {
+ dmCertChain.cert[i].data = nullptr;
+ }
+ }
+ } else {
+ dmCertChain.cert = nullptr;
+ }
+ return DM_OK;
+}
+} // namespace DistributedHardware
+} // namespace OHOS
\ No newline at end of file
diff --git a/services/implementation/src/attest/dm_auth_validate_attest.cpp b/services/implementation/src/attest/dm_auth_validate_attest.cpp
new file mode 100644
index 000000000..4824468e5
--- /dev/null
+++ b/services/implementation/src/attest/dm_auth_validate_attest.cpp
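Review bot: `AuthGenerateAttest::GenerateCertificate` in dm_auth_generate_attest.cpp allocates `dcmCertChain` plus, through `InitCertChain`, four 8192-byte buffers and releases none of them on any return path; `FreeCertChain` is defined further down but nothing in this file calls it. Declare `FreeCertChain` above the function and call `FreeCertChain(dcmCertChain);` before each `return`, or hold the chain in a scope guard. The `LOGI` after `DcmAttestIdsEx` passes `(*dcmCertChain->cert).data`, a binary buffer with no terminator guarantee, to `%{public}s`, which can read beyond the buffer and also copies certificate bytes into the log; log `certCount` and the sizes only. The free function `GenerateCertificate()` in auth_manager.cpp repeats that `%s` pattern twice. `ConvertDcmCertChainToDmCertChain` also ignores the `memcpy_s` result, unlike the checked copy in dm_auth_validate_attest.cpp.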
@@ -0,0 +1,126 @@
+/*
+ * Copyright (c) 2025 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "dm_auth_validate_attest.h"
+
+#include "dm_error_type.h"
+#include "dm_log.h"
+
+namespace OHOS {
+namespace DistributedHardware {
+
+int32_t AuthValidateAttest::VerifyCertificate(DmCertChain &dmCertChain, const char* deviceIdHash)
+{
+ LOGI("VerifyCertificate start!");
+ char udidStr[UDID_BUF_LEN] = {0};
+ uint64_t randNum = 0;
+ HksCertChain hksCertChain;
+ int32_t ret = ConvertDmCertChainToHksCertChain(dmCertChain, hksCertChain);
+ if (ret != DM_OK) {
+ LOGE("ConvertDmCertChainToHksCertChain fail, ret=%{public}d", ret);
+ return ret;
+ }
+ HksParamSet *outputParam = NULL;
+ HksParam outputData[] = {
+ {.tag = HKS_TAG_ATTESTATION_CHALLENGE, .blob = {sizeof(uint64_t), (uint8_t *)&randNum}},
+ {.tag = HKS_TAG_ATTESTATION_ID_UDID, .blob = {UDID_BUF_LEN, (uint8_t *)udidStr}},
+ };
+ ret = FillHksParamSet(&outputParam, outputData, sizeof(outputData) / sizeof(outputData[0]));
+ if (ret != DM_OK) {
+ LOGE("FillHksParamSet failed, ret=%{public}d", ret);
+ return ERR_DM_FAILED;
+ }
+ ret = HksValidateCertChain(&hksCertChain, outputParam);
+ if (ret != HKS_SUCCESS) {
+ LOGE("HksValidateCertChain fail, ret=%{public}d", ret);
+ return ret;
+ }
+ uint32_t cnt = 0;
+ HksBlob *blob = &outputParam->params[cnt].blob;
+ if (memcpy_s(&randNum, sizeof(uint64_t), blob->data, blob->size) != EOK) {
+ LOGE("memcpy randNum failed");
+ return ERR_DM_FAILED;
+ }
+ LOGI("randNum = %{public}lu", randNum);
+ blob = &outputParam->params[++cnt].blob;
+ if (memcpy_s(udidStr, UDID_BUF_LEN, blob->data, blob->size) != EOK) {
+ LOGE("memcpy udidStr failed");
+ return ERR_DM_FAILED;
+ }
+ LOGI("zhengshu de udid Str = %{public}s", udidStr);
+ std::string certDeviceIdHash = Crypto::GetUdidHash(std::string(udidStr));
+ LOGI("zhengshu de certDeviceIdHash = %{public}s", certDeviceIdHash.c_str());
+ LOGI("baowen chuanguolai deviceIdHash = %{public}s", deviceIdHash);
+ if (strcmp(deviceIdHash, certDeviceIdHash.c_str()) != 0) {
+ LOGE("verifyCertificate fail");
+ return ERR_DM_FAILED;
+ }
+ return DM_OK;
+}
+
+int32_t AuthValidateAttest::FillHksParamSet(HksParamSet **paramSet, HksParam *param, int32_t paramNums)
+{
+ if (param == NULL) {
+ LOGE("param is null");
+ return ERR_DM_INPUT_PARA_INVALID;
+ }
+ int32_t ret = HksInitParamSet(paramSet);
+ if (ret != HKS_SUCCESS) {
+ LOGE("HksInitParamSet failed, hks ret = %{public}d", ret);
+ return ERR_DM_FAILED;
+ }
+ ret = HksAddParams(*paramSet, param, paramNums);
+ if (ret != HKS_SUCCESS) {
+ LOGE("HksAddParams failed, hks ret = %{public}d", ret);
+ HksFreeParamSet(paramSet);
+ return ERR_DM_FAILED;
+ }
+ ret = HksBuildParamSet(paramSet);
+ if (ret != HKS_SUCCESS) {
+ LOGE("HksBuildParamSet failed, hks ret = %{public}d", ret);
+ HksFreeParamSet(paramSet);
+ return ERR_DM_FAILED;
+ }
+ return DM_OK;
+}
+
+int32_t AuthValidateAttest::ConvertDmCertChainToHksCertChain(DmCertChain &dmCertChain, HksCertChain &hksCertChain)
+{
+ if (dmCertChain.certCount == 0 || dmCertChain.cert == nullptr) {
+ return ERR_DM_INPUT_PARA_INVALID;
+ }
+ hksCertChain.certsCount = dmCertChain.certCount;
+ hksCertChain.certs = new HksBlob[hksCertChain.certsCount];
+ const size_t totalSize = sizeof(HksBlob) * hksCertChain.certsCount;
+ memset_s(hksCertChain.certs, totalSize, 0, totalSize);
+ for (uint32_t i = 0; i < hksCertChain.certsCount; ++i) {
+ if (dmCertChain.cert[i].data == nullptr || dmCertChain.cert[i].size == 0) {
+ return ERR_DM_FAILED;
+ }
+ hksCertChain.certs[i].size = dmCertChain.cert[i].size;
+ hksCertChain.certs[i].data = new uint8_t[hksCertChain.certs[i].size];
+ if (hksCertChain.certs[i].data == nullptr) {
+ return ERR_DM_MALLOC_FAILED;
+ }
+ if (memcpy_s(hksCertChain.certs[i].data, hksCertChain.certs[i].size,
+ dmCertChain.cert[i].data, dmCertChain.cert[i].size) != 0) {
+ LOGE("memcpy cert data failed");
+ return ERR_DM_FAILED;
+ }
+ }
+ return DM_OK;
+}
+} // namespace DistributedHardware
+} // namespace OHOS
\ No newline at end of file
diff --git a/services/implementation/src/authentication_v2/auth_manager.cpp b/services/implementation/src/authentication_v2/auth_manager.cpp
index 97f29240d..a05bbbb65 100644
--- a/services/implementation/src/authentication_v2/auth_manager.cpp
+++ b/services/implementation/src/authentication_v2/auth_manager.cpp
@@ -130,8 +130,8 @@ AuthManager::AuthManager(std::shared_ptr softbusConnector,
 context_->authenticationMap[AUTH_TYPE_PIN_ULTRASONIC] = nullptr;
 context_->authenticationMap[AUTH_TYPE_NFC] = nullptr;
 context_->authenticationMap[AUTH_TYPE_CRE] = nullptr;
- context_->accesser.dmVersion = DM_VERSION_5_1_0;
- context_->accessee.dmVersion = DM_VERSION_5_1_0;
+ context_->accesser.dmVersion = DM_VERSION_5_1_1;
+ context_->accessee.dmVersion = DM_VERSION_5_1_1;
 context_->timer = std::make_shared();
 context_->authMessageProcessor = std::make_shared();
 }
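Review bot: `AuthValidateAttest::VerifyCertificate` in dm_auth_validate_attest.cpp extracts the attestation challenge into `randNum` and only logs it, so nothing binds the chain to the current negotiation. The challenge is chosen by the sending device in dm_auth_generate_attest.cpp, and the `deviceIdHash` it is checked against arrives in the same peer message, so a chain that validated once would validate again in any later session. The check therefore shows the certificate is genuine, not that the peer presenting it is the attested device. The usual remedy is for the verifying side to issue the challenge (or derive it from session-unique data both sides already hold) and compare it here, e.g. `if (randNum != expectedChallenge) { return ERR_DM_FAILED; }`, where `expectedChallenge` is a placeholder for that value. Separately, `udidStr` can be filled with the full `UDID_BUF_LEN` bytes and is then used as a C string, so pass `UDID_BUF_LEN - 1` as the destination size to keep the terminator, stop logging the UDID at `%{public}`, and free `outputParam` and `hksCertChain.certs` on every path.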
@@ -619,6 +619,57 @@ int32_t AuthManager::AuthenticateDevice(const std::string &pkgName, int32_t auth return DM_OK; } +std::string GenerateCertificate() +{ +#ifdef DEVICE_MANAGER_COMMON_FLAG + context_->isBlueFlag = true; + LOGI("Blue device do not generate cert!"); + return ""; +#else + DmCertChain dmCertChain; + LOGI("generate cert start"); + int32_t certRet = AuthGenerateAttest::GetInstance().GenerateCertificate(dmCertChain); + LOGI("generate cert end"); + if (certRet != DM_OK) { + LOGE("generate cert fail, certRet = %{public}d", certRet); + return ""; + } + LOGI("dmCertChain certCount=%{public}d, blob.size=%{public}d, blod.data=%{public}s", dmCertChain.certCount, + (*dmCertChain.cert).size, (*dmCertChain.cert).data); + // 序列化 + std::string cert = AuthAttestCommon::GetInstance().SerializeDmCertChain(&dmCertChain); + LOGI("SerializeDmCertChain cert = %{public}s", cert.c_str()); + // 反序列化 + DmCertChain dmCertChainDeserialize{nullptr, 0}; + AuthAttestCommon::GetInstance().DeserializeDmCertChain(cert, &dmCertChainDeserialize); + LOGI("dmCertChainDeserialize certCount=%{public}d, blob.size=%{public}d, blod.data=%{public}s", + dmCertChainDeserialize.certCount, (*dmCertChainDeserialize.cert).size, (*dmCertChainDeserialize.cert).data); + // 校验数据 + bool valid = true; + if (dmCertChainDeserialize.certCount != dmCertChain.certCount) { + LOGI("verify error 1!"); + valid = false; + } else { + for (uint32_t i = 0; i < dmCertChainDeserialize.certCount; ++i) { + if (dmCertChainDeserialize.cert[i].size != dmCertChain.cert[i].size) { + LOGI("verify error 2!"); + valid = false; + } else { + for (uint32_t j = 0; j < dmCertChainDeserialize.cert[i].size; ++j) { + if (dmCertChainDeserialize.cert[i].data[j] != dmCertChain.cert[i].data[j]) { + LOGI("verify error 3!"); + valid = false; + break; + } + } + } + } + } + LOGI("valid = %{public}d", valid); + return cert; +#endif +} + int32_t AuthManager::BindTarget(const std::string &pkgName, const PeerTargetId &targetId, const std::map 
&bindParam, int sessionId, uint64_t logicalSessionId) { @@ -660,6 +711,7 @@ int32_t AuthManager::BindTarget(const std::string &pkgName, const PeerTargetId & return ERR_DM_INPUT_PARA_INVALID; } + context_->cert = GenerateCertificate(); // 证书生成 context_->sessionId = sessionId; context_->logicalSessionId = logicalSessionId; context_->requestId = static_cast(logicalSessionId); diff --git a/services/implementation/src/authentication_v2/auth_stages/auth_negotiate.cpp b/services/implementation/src/authentication_v2/auth_stages/auth_negotiate.cpp index 3da6b139d..f0b99df27 100644 --- a/services/implementation/src/authentication_v2/auth_stages/auth_negotiate.cpp +++ b/services/implementation/src/authentication_v2/auth_stages/auth_negotiate.cpp 
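Review bot: The added `GenerateCertificate()` in auth_manager.cpp is a free function yet assigns `context_->isBlueFlag` under `DEVICE_MANAGER_COMMON_FLAG`, which looks like it cannot compile in that configuration unless a `context_` exists at namespace scope; it probably needs to be a member, `std::string AuthManager::GenerateCertificate()`. The other branch still carries a serialize/deserialize self-test that ignores the result of `DeserializeDmCertChain` and then dereferences `dmCertChainDeserialize.cert`, which stays `nullptr` when deserialization fails. Neither `dmCertChain` nor `dmCertChainDeserialize` is freed, and `(*dmCertChain.cert)` is dereferenced without a null check although `ConvertDcmCertChainToDmCertChain` can leave `cert` null. Move the round-trip comparison into a unit test and reduce this function to generate, serialize, free, return.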
@@ -178,6 +178,35 @@ int32_t AuthSinkNegotiateStateMachine::ProcRespNegotiate5_1_0(std::shared_ptr context) +{ +#ifdef DEVICE_MANAGER_COMMON_FLAG + LOGI("Blue device do not verify cert!"); + return DM_OK; +#else + // verify cert, 任何一端低于5.1.1都不校验证书 + if (!CompareVersion(context->accesser.dmVersion, DM_VERSION_5_1_0) + || !CompareVersion(context->accessee.dmVersion, DM_VERSION_5_1_0) || context->isBlueFlag) { + LOGI("cert verify is not supported"); + return DM_OK; + } + LOGI("AuthSinkNegotiateStateMachine::Action cert = %{public}s", context->cert.c_str()); + DmCertChain dmCertChain{nullptr, 0}; + AuthAttestCommon::GetInstance().DeserializeDmCertChain(context->cert, &dmCertChain); + LOGI("validate cert start"); + char localDeviceId[DEVICE_UUID_LENGTH] = {0}; + GetDevUdid(localDeviceId, DEVICE_UUID_LENGTH); + // context->accesser.deviceIdHash 对端udidHash + int32_t certRet = AuthValidateAttest::GetInstance() + .VerifyCertificate(dmCertChain, context->accesser.deviceIdHash.c_str()); + LOGI("validate cert end"); + if (certRet != DM_OK) { + LOGE("validate cert fail, certRet = %{public}d", certRet); + } + return certRet; +#endif +} + int32_t AuthSinkNegotiateStateMachine::Action(std::shared_ptr context) { LOGI("AuthSinkNegotiateStateMachine::Action sessionid %{public}d", context->sessionId); @@ -207,6 +236,12 @@ int32_t AuthSinkNegotiateStateMachine::Action(std::shared_ptr con context->reason = ret; return ret; } + ret = VerifyCertificate(context); // 证书校验,失败则返回 + if (ret != DM_OK) { + LOGE("AuthSinkNegotiateStateMachine::Action cert verify fail!"); + context->reason = ret; + return ret; + } context->authMessageProcessor->CreateAndSendMsg(MSG_TYPE_RESP_ACL_NEGOTIATE, context); context->timer->StartTimer(std::string(WAIT_REQUEST_TIMEOUT_TASK), DmAuthState::GetTaskTimeout(context, WAIT_REQUEST_TIMEOUT_TASK, WAIT_REQUEST_TIMEOUT), 
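Review bot: In auth_negotiate.cpp the sink skips certificate verification whenever `context->isBlueFlag` is set, and this patch fills `isBlueFlag` straight from the peer's negotiate message (`TAG_IS_BLUE_FLAG`, parsed in dm_auth_message_processor.cpp). The device being verified can therefore switch the check off, so the check constrains only peers that opt in. The decision to skip should rest on local policy or on data that is already authenticated, and a peer whose version supports attestation but which sends no valid chain should be rejected. The comment says verification is skipped below 5.1.1 while the code compares against `DM_VERSION_5_1_0`; which one is intended depends on `CompareVersion`, which is not visible here. `localDeviceId` is fetched but never used, the result of `DeserializeDmCertChain` is ignored, `dmCertChain` is never freed, and part of this hunk's text (including the new function's signature) appears to be missing from the page.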
diff --git a/services/implementation/src/authentication_v2/dm_auth_manager_base.cpp b/services/implementation/src/authentication_v2/dm_auth_manager_base.cpp index dab0d68fb..3519ded5b 100644 --- a/services/implementation/src/authentication_v2/dm_auth_manager_base.cpp +++ b/services/implementation/src/authentication_v2/dm_auth_manager_base.cpp @@ -77,6 +77,10 @@ const char* GET_ULTRASONIC_PIN_TIMEOUT_TASK = "deviceManagerTimer:getUltrasonicP const char* ADD_TIMEOUT_TASK = "deviceManagerTimer:add"; const char* WAIT_SESSION_CLOSE_TIMEOUT_TASK = "deviceManagerTimer:waitSessionClose"; const char* CLOSE_SESSION_TASK_SEPARATOR = "#"; +const char* TAG_DM_CERT_CHAIN = "dmCertChain"; +const char* TAG_CERT_COUNT = "certCount"; +const char* TAG_CERT = "cert"; +const char* TAG_IS_BLUE_FLAG = "isBlueFlag"; const int32_t AUTHENTICATE_TIMEOUT = 120; const int32_t CONFIRM_TIMEOUT = 60; diff --git a/services/implementation/src/authentication_v2/dm_auth_message_processor.cpp b/services/implementation/src/authentication_v2/dm_auth_message_processor.cpp index 38427822c..d6d58a2ea 100644 --- a/services/implementation/src/authentication_v2/dm_auth_message_processor.cpp +++ b/services/implementation/src/authentication_v2/dm_auth_message_processor.cpp @@ -653,6 +653,9 @@ int32_t DmAuthMessageProcessor::CreateNegotiateMessage(std::shared_ptraccessee.displayId; jsonObject[TAG_PEER_PKG_NAME] = context->accessee.pkgName; jsonObject[TAG_HOST_PKGLABEL] = context->pkgLabel; + LOGI("DmAuthMessageProcessor::CreateNegotiateMessage cert = %{public}s", context->cert.c_str()); + jsonObject[TAG_DM_CERT_CHAIN] = context->cert; + jsonObject[TAG_IS_BLUE_FLAG] = context->isBlueFlag; return DM_OK; } 
@@ -1038,6 +1041,14 @@ void DmAuthMessageProcessor::ParseUltrasonicSide( } else { context->ultrasonicInfo = DmUltrasonicInfo::DM_Ultrasonic_Invalid; } + LOGI("ParseNegotiateMessage TAG_DM_CERT_CHAIN START!"); + if (IsString(jsonObject, TAG_DM_CERT_CHAIN)) { + context->cert = jsonObject[TAG_DM_CERT_CHAIN].Get(); + LOGI("ParseNegotiateMessage context->cert = %{public}s", context->cert.c_str()); + } + if (jsonObject[TAG_IS_BLUE_FLAG].IsBoolean()) { + context->isBlueFlag = jsonObject[TAG_IS_BLUE_FLAG].Get(); + } } int32_t DmAuthMessageProcessor::ParseMessageRespAclNegotiate(const JsonObject &jsonObject, diff --git a/test/commonfuzztest/authenticatedeviceserviceimpl_fuzzer/BUILD.gn b/test/commonfuzztest/authenticatedeviceserviceimpl_fuzzer/BUILD.gn index 6a4dccbc0..22815d122 100644 --- a/test/commonfuzztest/authenticatedeviceserviceimpl_fuzzer/BUILD.gn +++ b/test/commonfuzztest/authenticatedeviceserviceimpl_fuzzer/BUILD.gn @@ -75,11 +75,13 @@ ohos_fuzztest("AuthenticateDeviceServiceImplFuzzTest") { "access_token:libtoken_setproc", "cJSON:cjson", "device_auth:deviceauth_sdk", + "device_certificate_manager:device_cert_mgr_sdk", "device_info_manager:distributed_device_profile_common", "device_info_manager:distributed_device_profile_sdk", "dsoftbus:softbus_client", "ffrt:libffrt", "hilog:libhilog", + "huks:libhukssdk", "init:libbegetutil", "ipc:ipc_single", "safwk:system_ability_fwk", diff --git a/test/commonfuzztest/dmauthmanagerv2_fuzzer/BUILD.gn b/test/commonfuzztest/dmauthmanagerv2_fuzzer/BUILD.gn index fb2de39ca..3b1b9ca3c 100644 --- a/test/commonfuzztest/dmauthmanagerv2_fuzzer/BUILD.gn +++ b/test/commonfuzztest/dmauthmanagerv2_fuzzer/BUILD.gn 
@@ -54,11 +54,13 @@ ohos_fuzztest("DmAuthManagerV2FuzzTest") { external_deps = [ "cJSON:cjson", "device_auth:deviceauth_sdk", + "device_certificate_manager:device_cert_mgr_sdk", "device_info_manager:distributed_device_profile_common", "device_info_manager:distributed_device_profile_sdk", "dsoftbus:softbus_client", "ffrt:libffrt", "hilog:libhilog", + "huks:libhukssdk", "init:libbegetutil", "ipc:ipc_single", "safwk:system_ability_fwk", diff --git a/test/commonfuzztest/ondatareceivedv2_fuzzer/BUILD.gn b/test/commonfuzztest/ondatareceivedv2_fuzzer/BUILD.gn index b81e1b472..9bcbb88f4 100644 --- a/test/commonfuzztest/ondatareceivedv2_fuzzer/BUILD.gn +++ b/test/commonfuzztest/ondatareceivedv2_fuzzer/BUILD.gn @@ -53,11 +53,13 @@ ohos_fuzztest("OnDataReceivedV2FuzzTest") { external_deps = [ "cJSON:cjson", "device_auth:deviceauth_sdk", + "device_certificate_manager:device_cert_mgr_sdk", "device_info_manager:distributed_device_profile_common", "device_info_manager:distributed_device_profile_sdk", "dsoftbus:softbus_client", "ffrt:libffrt", "hilog:libhilog", + "huks:libhukssdk", "init:libbegetutil", "ipc:ipc_single", "safwk:system_ability_fwk", diff --git a/test/unittest/BUILD.gn b/test/unittest/BUILD.gn index f0af8d78f..eb89e82b3 100644 --- a/test/unittest/BUILD.gn +++ b/test/unittest/BUILD.gn @@ -390,6 +390,7 @@ ohos_unittest("UTTest_device_manager_service") { "access_token:libtoken_setproc", "cJSON:cjson", "device_auth:deviceauth_sdk", + "device_certificate_manager:device_cert_mgr_sdk", "device_info_manager:distributed_device_profile_common", "device_info_manager:distributed_device_profile_sdk", "dsoftbus:softbus_client", @@ -398,6 +399,7 @@ ohos_unittest("UTTest_device_manager_service") { "googletest:gmock", "googletest:gmock_main", "hilog:libhilog", + "huks:libhukssdk", "selinux_adapter:librestorecon", ] } 
@@ -418,6 +420,7 @@ ohos_unittest("UTTest_dm_softbus_cache") { "access_token:libtoken_setproc", "cJSON:cjson", "device_auth:deviceauth_sdk", + "device_certificate_manager:device_cert_mgr_sdk", "device_info_manager:distributed_device_profile_common", "device_info_manager:distributed_device_profile_sdk", "dsoftbus:softbus_client", @@ -425,6 +428,7 @@ ohos_unittest("UTTest_dm_softbus_cache") { "googletest:gmock", "googletest:gmock_main", "hilog:libhilog", + "huks:libhukssdk", "selinux_adapter:librestorecon", ] } @@ -451,6 +455,7 @@ ohos_unittest("UTTest_device_manager_service_three") { "access_token:libtoken_setproc", "cJSON:cjson", "device_auth:deviceauth_sdk", + "device_certificate_manager:device_cert_mgr_sdk", "device_info_manager:distributed_device_profile_common", "device_info_manager:distributed_device_profile_sdk", "dsoftbus:softbus_client", @@ -458,6 +463,7 @@ ohos_unittest("UTTest_device_manager_service_three") { "googletest:gmock", "googletest:gmock_main", "hilog:libhilog", + "huks:libhukssdk", "selinux_adapter:librestorecon", ] } @@ -1239,6 +1245,7 @@ ohos_unittest("UTTest_device_manager_service_impl") { external_deps = [ "device_auth:deviceauth_sdk", + "device_certificate_manager:device_cert_mgr_sdk", "device_info_manager:distributed_device_profile_common", "device_info_manager:distributed_device_profile_sdk", "dsoftbus:softbus_client", @@ -1247,6 +1254,7 @@ ohos_unittest("UTTest_device_manager_service_impl") { "googletest:gmock", "googletest:gmock_main", "hilog:libhilog", + "huks:libhukssdk", "os_account:libaccountkits", "os_account:os_account_innerkits", ] @@ -1269,6 +1277,7 @@ ohos_unittest("UTTest_device_manager_service_impl_first") { external_deps = [ "device_auth:deviceauth_sdk", + "device_certificate_manager:device_cert_mgr_sdk", "device_info_manager:distributed_device_profile_common", "device_info_manager:distributed_device_profile_sdk", "dsoftbus:softbus_client", 
@@ -1277,6 +1286,7 @@ ohos_unittest("UTTest_device_manager_service_impl_first") { "googletest:gmock", "googletest:gmock_main", "hilog:libhilog", + "huks:libhukssdk", "os_account:libaccountkits", "os_account:os_account_innerkits", ] @@ -2028,6 +2038,7 @@ ohos_unittest("UTTest_auth_pin_auth_state") { deps = [ ":device_manager_test_common" ] external_deps = [ + "device_auth:deviceauth_sdk", "device_auth:deviceauth_sdk", "device_info_manager:distributed_device_profile_common", "device_info_manager:distributed_device_profile_sdk", @@ -2036,6 +2047,7 @@ ohos_unittest("UTTest_auth_pin_auth_state") { "googletest:gmock", "googletest:gmock_main", "hilog:libhilog", + "huks:libhukssdk", ] } @@ -2087,6 +2099,7 @@ ohos_unittest("UTTest_auth_credential_state") { external_deps = [ "device_auth:deviceauth_sdk", + "device_certificate_manager:device_cert_mgr_sdk", "device_info_manager:distributed_device_profile_common", "device_info_manager:distributed_device_profile_sdk", "dsoftbus:softbus_client", @@ -2094,6 +2107,7 @@ ohos_unittest("UTTest_auth_credential_state") { "googletest:gmock", "googletest:gmock_main", "hilog:libhilog", + "huks:libhukssdk", ] } @@ -2118,6 +2132,7 @@ ohos_unittest("UTTest_auth_acl") { external_deps = [ "device_auth:deviceauth_sdk", + "device_certificate_manager:device_cert_mgr_sdk", "device_info_manager:distributed_device_profile_common", "device_info_manager:distributed_device_profile_sdk", "dsoftbus:softbus_client", @@ -2125,6 +2140,7 @@ ohos_unittest("UTTest_auth_acl") { "googletest:gmock", "googletest:gmock_main", "hilog:libhilog", + "huks:libhukssdk", ] } -- Gitee From 383b943058b8564bb2837f595e86eaac56719770 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=9D=8E=E5=B7=8D?= Date: Mon, 19 May 2025 20:16:36 +0800 Subject: [PATCH 02/16] =?UTF-8?q?UT=E4=BE=9D=E8=B5=96=E8=A1=A5=E5=85=85?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 李巍 --- test/unittest/BUILD.gn | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/test/unittest/BUILD.gn b/test/unittest/BUILD.gn index eb89e82b3..431eed6aa 100644 --- a/test/unittest/BUILD.gn +++ b/test/unittest/BUILD.gn @@ -2167,6 +2167,7 @@ ohos_unittest("UTTest_auth_negotiate") { "access_token:libnativetoken", "access_token:libtoken_setproc", "device_auth:deviceauth_sdk", + "device_certificate_manager:device_cert_mgr_sdk", "device_info_manager:distributed_device_profile_common", "device_info_manager:distributed_device_profile_sdk", "dsoftbus:softbus_client", @@ -2174,6 +2175,7 @@ ohos_unittest("UTTest_auth_negotiate") { "googletest:gmock", "googletest:gmock_main", "hilog:libhilog", + "huks:libhukssdk", ] } -- Gitee From 2d6aedb05affe3dd5dedbd0119f7038cc113a3ea Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=9D=8E=E5=B7=8D?= Date: Mon, 19 May 2025 21:56:56 +0800 Subject: [PATCH 03/16] =?UTF-8?q?=E5=8E=BB=E9=99=A4=E8=B0=83=E8=AF=95?= =?UTF-8?q?=E4=BF=A1=E6=81=AF?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 李巍 --- common/include/dm_error_type.h | 3 ++ .../src/attest/dm_auth_generate_attest.cpp | 5 +-- .../src/attest/dm_auth_validate_attest.cpp | 10 ++---- .../src/authentication_v2/auth_manager.cpp | 35 +------------------ .../auth_stages/auth_negotiate.cpp | 17 ++++----- 5 files changed, 15 insertions(+), 55 deletions(-) diff --git a/common/include/dm_error_type.h b/common/include/dm_error_type.h index fd1873e55..d427c4c94 100644 --- a/common/include/dm_error_type.h +++ b/common/include/dm_error_type.h @@ -136,6 +136,9 @@ enum { ERR_DM_PARSE_MESSAGE_FAILED = 969298348, ERR_DM_GET_BMS_FAILED = 969298349, ERR_DM_GET_BUNDLE_NAME_FAILED = 969298349, + ERR_DM_DESERIAL_CERT_FAILED = 969298350, + ERR_DM_VERIFY_CERT_FAILED = 969298351, + ERR_DM_GET_PARAM_FAILED = 969298352, }; } // namespace DistributedHardware } // namespace OHOS 
diff --git a/services/implementation/src/attest/dm_auth_generate_attest.cpp b/services/implementation/src/attest/dm_auth_generate_attest.cpp index 7f9ab86dd..92236df85 100644 --- a/services/implementation/src/attest/dm_auth_generate_attest.cpp +++ b/services/implementation/src/attest/dm_auth_generate_attest.cpp @@ -29,7 +29,6 @@ int32_t AuthGenerateAttest::GenerateCertificate(DmCertChain &dmCertChain) LOGI("GenerateCertificate Start"); DcmIdType ids[] = { DCM_ID_TYPE_UDID }; uint64_t randomNum = GenRandLongLong(MIN_DCM_RANDOM, MAX_DCM_RANDOM); - LOGI("GenerateCertificate randomNum=%{public}lu", randomNum); DcmBlob challengeBlob = {sizeof(randomNum), (uint8_t *)& randomNum}; DcmCertChain* dcmCertChain = new DcmCertChain(); InitCertChain(dcmCertChain); @@ -38,14 +37,12 @@ int32_t AuthGenerateAttest::GenerateCertificate(DmCertChain &dmCertChain) LOGE("DcmAttestIdsEx fail, ret=%{public}d", ret); return ret; } - LOGI("DcmCertChain certCount=%{public}d, blob.size=%{public}d, blod.data=%{public}s", dcmCertChain -> certCount, - (*dcmCertChain -> cert).size, (*dcmCertChain->cert).data); ret = ConvertDcmCertChainToDmCertChain(*dcmCertChain, dmCertChain); if (ret != DM_OK) { LOGE("covertToSoftbusCertChain fail. ret=%{public}d", ret); return ret; } - return 0; + return DM_OK; } int32_t AuthGenerateAttest::InitCertChain(DcmCertChain *certChain) diff --git a/services/implementation/src/attest/dm_auth_validate_attest.cpp b/services/implementation/src/attest/dm_auth_validate_attest.cpp index 4824468e5..7e69e269a 100644 --- a/services/implementation/src/attest/dm_auth_validate_attest.cpp +++ b/services/implementation/src/attest/dm_auth_validate_attest.cpp 
@@ -51,21 +51,17 @@ int32_t AuthValidateAttest::VerifyCertificate(DmCertChain &dmCertChain, const ch HksBlob *blob = &outputParam->params[cnt].blob; if (memcpy_s(&randNum, sizeof(uint64_t), blob->data, blob->size) != EOK) { LOGE("memcpy randNum failed"); - return ERR_DM_FAILED; + return ERR_DM_GET_PARAM_FAILED; } - LOGI("randNum = %{public}lu", randNum); blob = &outputParam->params[++cnt].blob; if (memcpy_s(udidStr, UDID_BUF_LEN, blob->data, blob->size) != EOK) { LOGE("memcpy udidStr failed"); - return ERR_DM_FAILED; + return ERR_DM_GET_PARAM_FAILED; } - LOGI("zhengshu de udid Str = %{public}s", udidStr); std::string certDeviceIdHash = Crypto::GetUdidHash(std::string(udidStr)); - LOGI("zhengshu de certDeviceIdHash = %{public}s", certDeviceIdHash.c_str()); - LOGI("baowen chuanguolai deviceIdHash = %{public}s", deviceIdHash); if (strcmp(deviceIdHash, certDeviceIdHash.c_str()) != 0) { LOGE("verifyCertificate fail"); - return ERR_DM_FAILED; + return ERR_DM_VERIFY_CERT_FAILED; } return DM_OK; } diff --git a/services/implementation/src/authentication_v2/auth_manager.cpp b/services/implementation/src/authentication_v2/auth_manager.cpp index a05bbbb65..9950b717b 100644 --- a/services/implementation/src/authentication_v2/auth_manager.cpp +++ b/services/implementation/src/authentication_v2/auth_manager.cpp 
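Review bot: `randNum` is copied out of the certificate and then never compared with anything in the lines shown, so the challenge adds no freshness. On the generating side (GenerateCertificate in dm_auth_generate_attest.cpp) the challenge is a random number chosen by the certificate's own sender. As far as these hunks show, the only binding is the certificate's UDID hash against `deviceIdHash`, which presumably arrives in the same peer message, so a previously issued chain together with its matching hash would still pass. Consider having the verifying side issue the nonce and checking it here, `if (randNum != expectedChallenge) return ERR_DM_VERIFY_CERT_FAILED;`, where `expectedChallenge` is a placeholder for a per-session value that does not exist yet. Separately, `std::string(udidStr)` relies on a terminator that `memcpy_s` does not add when `blob->size` equals `UDID_BUF_LEN`; the buffer's declaration is outside the hunk.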
@@ -627,45 +627,12 @@ std::string GenerateCertificate() return ""; #else DmCertChain dmCertChain; - LOGI("generate cert start"); int32_t certRet = AuthGenerateAttest::GetInstance().GenerateCertificate(dmCertChain); - LOGI("generate cert end"); if (certRet != DM_OK) { LOGE("generate cert fail, certRet = %{public}d", certRet); return ""; } - LOGI("dmCertChain certCount=%{public}d, blob.size=%{public}d, blod.data=%{public}s", dmCertChain.certCount, - (*dmCertChain.cert).size, (*dmCertChain.cert).data); - // 序列化 std::string cert = AuthAttestCommon::GetInstance().SerializeDmCertChain(&dmCertChain); - LOGI("SerializeDmCertChain cert = %{public}s", cert.c_str()); - // 反序列化 - DmCertChain dmCertChainDeserialize{nullptr, 0}; - AuthAttestCommon::GetInstance().DeserializeDmCertChain(cert, &dmCertChainDeserialize); - LOGI("dmCertChainDeserialize certCount=%{public}d, blob.size=%{public}d, blod.data=%{public}s", - dmCertChainDeserialize.certCount, (*dmCertChainDeserialize.cert).size, (*dmCertChainDeserialize.cert).data); - // 校验数据 - bool valid = true; - if (dmCertChainDeserialize.certCount != dmCertChain.certCount) { - LOGI("verify error 1!"); - valid = false; - } else { - for (uint32_t i = 0; i < dmCertChainDeserialize.certCount; ++i) { - if (dmCertChainDeserialize.cert[i].size != dmCertChain.cert[i].size) { - LOGI("verify error 2!"); - valid = false; - } else { - for (uint32_t j = 0; j < dmCertChainDeserialize.cert[i].size; ++j) { - if (dmCertChainDeserialize.cert[i].data[j] != dmCertChain.cert[i].data[j]) { - LOGI("verify error 3!"); - valid = false; - break; - } - } - } - } - } - LOGI("valid = %{public}d", valid); return cert; #endif } 
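Review bot: `DmCertChain dmCertChain;` is declared without an initializer and is never released after `SerializeDmCertChain`, so whatever `AuthGenerateAttest::GenerateCertificate` allocated for the chain appears to leak on every bind (the allocation itself is outside this hunk). Initialise it the way the sink side does, `DmCertChain dmCertChain{nullptr, 0};`, and free its buffers on both the error path and the success path once the string has been produced. The `DmCertChain` filled by `DeserializeDmCertChain` in VerifyCertificate (auth_negotiate.cpp, `@@ -184,26 +184,23 @@`) has the same lifetime gap. The `#ifdef DEVICE_MANAGER_COMMON_FLAG` branch of this function starts above the hunk.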
@@ -711,7 +678,7 @@ int32_t AuthManager::BindTarget(const std::string &pkgName, const PeerTargetId & return ERR_DM_INPUT_PARA_INVALID; } - context_->cert = GenerateCertificate(); // 证书生成 + context_->cert = GenerateCertificate(); context_->sessionId = sessionId; context_->logicalSessionId = logicalSessionId; context_->requestId = static_cast(logicalSessionId); diff --git a/services/implementation/src/authentication_v2/auth_stages/auth_negotiate.cpp b/services/implementation/src/authentication_v2/auth_stages/auth_negotiate.cpp index f0b99df27..1ed71161d 100644 --- a/services/implementation/src/authentication_v2/auth_stages/auth_negotiate.cpp +++ b/services/implementation/src/authentication_v2/auth_stages/auth_negotiate.cpp @@ -184,26 +184,23 @@ int32_t VerifyCertificate(std::shared_ptr context) LOGI("Blue device do not verify cert!"); return DM_OK; #else - // verify cert, 任何一端低于5.1.1都不校验证书 if (!CompareVersion(context->accesser.dmVersion, DM_VERSION_5_1_0) || !CompareVersion(context->accessee.dmVersion, DM_VERSION_5_1_0) || context->isBlueFlag) { LOGI("cert verify is not supported"); return DM_OK; } - LOGI("AuthSinkNegotiateStateMachine::Action cert = %{public}s", context->cert.c_str()); DmCertChain dmCertChain{nullptr, 0}; - AuthAttestCommon::GetInstance().DeserializeDmCertChain(context->cert, &dmCertChain); - LOGI("validate cert start"); - char localDeviceId[DEVICE_UUID_LENGTH] = {0}; - GetDevUdid(localDeviceId, DEVICE_UUID_LENGTH); - // context->accesser.deviceIdHash 对端udidHash + if (!AuthAttestCommon::GetInstance().DeserializeDmCertChain(context->cert, &dmCertChain)) { + LOGE("cert deserialize fail!"); + return ERR_DM_DESERIAL_CERT_FAILED; + } int32_t certRet = AuthValidateAttest::GetInstance() .VerifyCertificate(dmCertChain, context->accesser.deviceIdHash.c_str()); - LOGI("validate cert end"); if (certRet != DM_OK) { LOGE("validate cert fail, certRet = %{public}d", certRet); + return ERR_DM_VERIFY_CERT_FAILED; } - return certRet; + return DM_OK; #endif } 
@@ -236,7 +233,7 @@ int32_t AuthSinkNegotiateStateMachine::Action(std::shared_ptr con context->reason = ret; return ret; } - ret = VerifyCertificate(context); // 证书校验,失败则返回 + ret = VerifyCertificate(context); if (ret != DM_OK) { LOGE("AuthSinkNegotiateStateMachine::Action cert verify fail!"); context->reason = ret; -- Gitee From aa3f1c46ee94396169921c327047fba854830eb0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=9D=8E=E5=B7=8D?= Date: Mon, 19 May 2025 22:37:17 +0800 Subject: [PATCH 04/16] =?UTF-8?q?=E5=A2=9E=E5=8A=A0=E5=86=85=E5=AD=98?= =?UTF-8?q?=E7=AE=A1=E7=90=86?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 李巍 --- .../implementation/include/attest/dm_auth_generate_attest.h | 1 + .../implementation/src/attest/dm_auth_generate_attest.cpp | 5 ++++- .../src/authentication_v2/dm_auth_message_processor.cpp | 3 --- 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/services/implementation/include/attest/dm_auth_generate_attest.h b/services/implementation/include/attest/dm_auth_generate_attest.h index 2e4f02e69..fec04c29f 100644 --- a/services/implementation/include/attest/dm_auth_generate_attest.h +++ b/services/implementation/include/attest/dm_auth_generate_attest.h @@ -34,6 +34,7 @@ public: int32_t GenerateCertificate(DmCertChain &dmCertChain); int32_t ConvertDcmCertChainToDmCertChain(DcmCertChain &dcmCertChain, DmCertChain &dmCertChain); int32_t InitCertChain(DcmCertChain *certChain); + void FreeCertChain(DcmCertChain* chain); }; } // namespace DistributedHardware } // namespace OHOS diff --git a/services/implementation/src/attest/dm_auth_generate_attest.cpp b/services/implementation/src/attest/dm_auth_generate_attest.cpp index 92236df85..fa7a5682a 100644 --- a/services/implementation/src/attest/dm_auth_generate_attest.cpp +++ b/services/implementation/src/attest/dm_auth_generate_attest.cpp 
@@ -35,13 +35,16 @@ int32_t AuthGenerateAttest::GenerateCertificate(DmCertChain &dmCertChain) int32_t ret = DcmAttestIdsEx(ids, sizeof(ids)/sizeof(ids[0]), &challengeBlob, DCM_CERT_TYPE_ROOT_V2, dcmCertChain); if (ret != DCM_SUCCESS) { LOGE("DcmAttestIdsEx fail, ret=%{public}d", ret); + FreeCertChain(dcmCertChain); return ret; } ret = ConvertDcmCertChainToDmCertChain(*dcmCertChain, dmCertChain); if (ret != DM_OK) { LOGE("covertToSoftbusCertChain fail. ret=%{public}d", ret); + FreeCertChain(dcmCertChain); return ret; } + FreeCertChain(dcmCertChain); return DM_OK; } @@ -56,7 +59,7 @@ int32_t AuthGenerateAttest::InitCertChain(DcmCertChain *certChain) return DM_OK; } -void FreeCertChain(DcmCertChain* chain) +void AuthGenerateAttest::FreeCertChain(DcmCertChain* chain) { if (!chain) { return; diff --git a/services/implementation/src/authentication_v2/dm_auth_message_processor.cpp b/services/implementation/src/authentication_v2/dm_auth_message_processor.cpp index d6d58a2ea..82d7a1312 100644 --- a/services/implementation/src/authentication_v2/dm_auth_message_processor.cpp +++ b/services/implementation/src/authentication_v2/dm_auth_message_processor.cpp @@ -653,7 +653,6 @@ int32_t DmAuthMessageProcessor::CreateNegotiateMessage(std::shared_ptraccessee.displayId; jsonObject[TAG_PEER_PKG_NAME] = context->accessee.pkgName; jsonObject[TAG_HOST_PKGLABEL] = context->pkgLabel; - LOGI("DmAuthMessageProcessor::CreateNegotiateMessage cert = %{public}s", context->cert.c_str()); jsonObject[TAG_DM_CERT_CHAIN] = context->cert; jsonObject[TAG_IS_BLUE_FLAG] = context->isBlueFlag; return DM_OK; 
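Review bot: `FreeCertChain(dcmCertChain)` is now repeated on three exits of GenerateCertificate, which is easy to miss when another return is added. Release once right after the conversion instead: `ret = ConvertDcmCertChainToDmCertChain(*dcmCertChain, dmCertChain);` followed by `FreeCertChain(dcmCertChain);` before testing `ret`, or hold the chain in a `std::unique_ptr` whose deleter calls it. The first error path also returns the raw `DcmAttestIdsEx` code, so callers that compare with `DM_OK` receive a value from a different error space; mapping it to a DM error code would keep the return contract uniform. Whether FreeCertChain also deletes the `new DcmCertChain()` object itself is not visible in this hunk.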
@@ -1041,10 +1040,8 @@ void DmAuthMessageProcessor::ParseUltrasonicSide( } else { context->ultrasonicInfo = DmUltrasonicInfo::DM_Ultrasonic_Invalid; } - LOGI("ParseNegotiateMessage TAG_DM_CERT_CHAIN START!"); if (IsString(jsonObject, TAG_DM_CERT_CHAIN)) { context->cert = jsonObject[TAG_DM_CERT_CHAIN].Get(); - LOGI("ParseNegotiateMessage context->cert = %{public}s", context->cert.c_str()); } if (jsonObject[TAG_IS_BLUE_FLAG].IsBoolean()) { context->isBlueFlag = jsonObject[TAG_IS_BLUE_FLAG].Get(); -- Gitee From ff77c3b4136d06a1ccf2763bcba2e5ee78a25e31 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=9D=8E=E5=B7=8D?= Date: Tue, 20 May 2025 09:20:23 +0800 Subject: [PATCH 05/16] =?UTF-8?q?=E4=BF=AE=E6=94=B9build.gn=E7=9A=84?= =?UTF-8?q?=E4=BE=9D=E8=B5=96?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 李巍 --- services/implementation/BUILD.gn | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/services/implementation/BUILD.gn b/services/implementation/BUILD.gn index 506217b00..0efccf066 100644 --- a/services/implementation/BUILD.gn +++ b/services/implementation/BUILD.gn @@ -237,14 +237,12 @@ if (defined(ohos_lite)) { "c_utils:utils", "common_event_service:cesfwk_innerkits", "device_auth:deviceauth_sdk", - "device_certificate_manager:device_cert_mgr_sdk", "device_info_manager:distributed_device_profile_common", "device_info_manager:distributed_device_profile_sdk", "dsoftbus:softbus_client", "eventhandler:libeventhandler", "ffrt:libffrt", "hilog:libhilog", - "huks:libhukssdk", "init:libbegetutil", "ipc:ipc_core", "mbedtls:mbedtls_shared", @@ -278,6 +276,10 @@ if (defined(ohos_lite)) { "src/attest/dm_auth_generate_attest.cpp", "src/attest/dm_auth_validate_attest.cpp", ] + external_deps += [ + "device_certificate_manager:device_cert_mgr_sdk", + "huks:libhukssdk", + ] } subsystem_name = "distributedhardware" -- Gitee From 81bc6e5946da0c0e21c6879871d02aab98d13feb Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?=E6=9D=8E=E5=B7=8D?= Date: Tue, 20 May 2025 10:28:19 +0800 Subject: [PATCH 06/16] =?UTF-8?q?gn=E4=BE=9D=E8=B5=96=E6=95=B4=E6=94=B9?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 李巍 --- .../BUILD.gn | 9 ++- .../dmauthmanagerv2_fuzzer/BUILD.gn | 9 ++- .../ondatareceivedv2_fuzzer/BUILD.gn | 9 ++- test/unittest/BUILD.gn | 81 ++++++++++++++----- 4 files changed, 84 insertions(+), 24 deletions(-) diff --git a/test/commonfuzztest/authenticatedeviceserviceimpl_fuzzer/BUILD.gn b/test/commonfuzztest/authenticatedeviceserviceimpl_fuzzer/BUILD.gn index 22815d122..f79c6dfe0 100644 --- a/test/commonfuzztest/authenticatedeviceserviceimpl_fuzzer/BUILD.gn +++ b/test/commonfuzztest/authenticatedeviceserviceimpl_fuzzer/BUILD.gn @@ -75,18 +75,23 @@ ohos_fuzztest("AuthenticateDeviceServiceImplFuzzTest") { "access_token:libtoken_setproc", "cJSON:cjson", "device_auth:deviceauth_sdk", - "device_certificate_manager:device_cert_mgr_sdk", "device_info_manager:distributed_device_profile_common", "device_info_manager:distributed_device_profile_sdk", "dsoftbus:softbus_client", "ffrt:libffrt", "hilog:libhilog", - "huks:libhukssdk", "init:libbegetutil", "ipc:ipc_single", "safwk:system_ability_fwk", "selinux_adapter:librestorecon", ] + + if (!device_manager_common) { + external_deps += [ + "device_certificate_manager:device_cert_mgr_sdk", + "huks:libhukssdk", + ] + } } ############################################################################### diff --git a/test/commonfuzztest/dmauthmanagerv2_fuzzer/BUILD.gn b/test/commonfuzztest/dmauthmanagerv2_fuzzer/BUILD.gn index 3b1b9ca3c..93e9b15d9 100644 --- a/test/commonfuzztest/dmauthmanagerv2_fuzzer/BUILD.gn +++ b/test/commonfuzztest/dmauthmanagerv2_fuzzer/BUILD.gn 
@@ -54,13 +54,11 @@ ohos_fuzztest("DmAuthManagerV2FuzzTest") { external_deps = [ "cJSON:cjson", "device_auth:deviceauth_sdk", - "device_certificate_manager:device_cert_mgr_sdk", "device_info_manager:distributed_device_profile_common", "device_info_manager:distributed_device_profile_sdk", "dsoftbus:softbus_client", "ffrt:libffrt", "hilog:libhilog", - "huks:libhukssdk", "init:libbegetutil", "ipc:ipc_single", "safwk:system_ability_fwk", @@ -71,6 +69,13 @@ ohos_fuzztest("DmAuthManagerV2FuzzTest") { "DH_LOG_TAG=\"DmAuthManagerV2FuzzTest\"", "LOG_DOMAIN=0xD004110", ] + + if (!device_manager_common) { + external_deps += [ + "device_certificate_manager:device_cert_mgr_sdk", + "huks:libhukssdk", + ] + } } ############################################################################### diff --git a/test/commonfuzztest/ondatareceivedv2_fuzzer/BUILD.gn b/test/commonfuzztest/ondatareceivedv2_fuzzer/BUILD.gn index 9bcbb88f4..c6f9f7df8 100644 --- a/test/commonfuzztest/ondatareceivedv2_fuzzer/BUILD.gn +++ b/test/commonfuzztest/ondatareceivedv2_fuzzer/BUILD.gn @@ -53,13 +53,11 @@ ohos_fuzztest("OnDataReceivedV2FuzzTest") { external_deps = [ "cJSON:cjson", "device_auth:deviceauth_sdk", - "device_certificate_manager:device_cert_mgr_sdk", "device_info_manager:distributed_device_profile_common", "device_info_manager:distributed_device_profile_sdk", "dsoftbus:softbus_client", "ffrt:libffrt", "hilog:libhilog", - "huks:libhukssdk", "init:libbegetutil", "ipc:ipc_single", "safwk:system_ability_fwk", @@ -70,6 +68,13 @@ ohos_fuzztest("OnDataReceivedV2FuzzTest") { "DH_LOG_TAG=\"OnDataReceivedV2FuzzTest\"", "LOG_DOMAIN=0xD004110", ] + + if (!device_manager_common) { + external_deps += [ + "device_certificate_manager:device_cert_mgr_sdk", + "huks:libhukssdk", + ] + } } ############################################################################### diff --git a/test/unittest/BUILD.gn b/test/unittest/BUILD.gn index 431eed6aa..a82f0cd59 100644 --- a/test/unittest/BUILD.gn 
+++ b/test/unittest/BUILD.gn @@ -390,7 +390,6 @@ ohos_unittest("UTTest_device_manager_service") { "access_token:libtoken_setproc", "cJSON:cjson", "device_auth:deviceauth_sdk", - "device_certificate_manager:device_cert_mgr_sdk", "device_info_manager:distributed_device_profile_common", "device_info_manager:distributed_device_profile_sdk", "dsoftbus:softbus_client", @@ -399,9 +398,15 @@ ohos_unittest("UTTest_device_manager_service") { "googletest:gmock", "googletest:gmock_main", "hilog:libhilog", - "huks:libhukssdk", "selinux_adapter:librestorecon", ] + + if (!device_manager_common) { + external_deps += [ + "device_certificate_manager:device_cert_mgr_sdk", + "huks:libhukssdk", + ] + } } ## UnitTest UTTest_device_manager_service }}} @@ -420,7 +425,6 @@ ohos_unittest("UTTest_dm_softbus_cache") { "access_token:libtoken_setproc", "cJSON:cjson", "device_auth:deviceauth_sdk", - "device_certificate_manager:device_cert_mgr_sdk", "device_info_manager:distributed_device_profile_common", "device_info_manager:distributed_device_profile_sdk", "dsoftbus:softbus_client", @@ -428,9 +432,15 @@ ohos_unittest("UTTest_dm_softbus_cache") { "googletest:gmock", "googletest:gmock_main", "hilog:libhilog", - "huks:libhukssdk", "selinux_adapter:librestorecon", ] + + if (!device_manager_common) { + external_deps += [ + "device_certificate_manager:device_cert_mgr_sdk", + "huks:libhukssdk", + ] + } } ## UnitTest UTTest_dm_softbus_cache }}} @@ -455,7 +465,6 @@ ohos_unittest("UTTest_device_manager_service_three") { "access_token:libtoken_setproc", "cJSON:cjson", "device_auth:deviceauth_sdk", - "device_certificate_manager:device_cert_mgr_sdk", "device_info_manager:distributed_device_profile_common", "device_info_manager:distributed_device_profile_sdk", "dsoftbus:softbus_client", 
@@ -463,9 +472,15 @@ ohos_unittest("UTTest_device_manager_service_three") { "googletest:gmock", "googletest:gmock_main", "hilog:libhilog", - "huks:libhukssdk", "selinux_adapter:librestorecon", ] + + if (!device_manager_common) { + external_deps += [ + "device_certificate_manager:device_cert_mgr_sdk", + "huks:libhukssdk", + ] + } } ## UnitTest UTTest_device_manager_service_three }}} @@ -1245,7 +1260,6 @@ ohos_unittest("UTTest_device_manager_service_impl") { external_deps = [ "device_auth:deviceauth_sdk", - "device_certificate_manager:device_cert_mgr_sdk", "device_info_manager:distributed_device_profile_common", "device_info_manager:distributed_device_profile_sdk", "dsoftbus:softbus_client", @@ -1254,10 +1268,16 @@ ohos_unittest("UTTest_device_manager_service_impl") { "googletest:gmock", "googletest:gmock_main", "hilog:libhilog", - "huks:libhukssdk", "os_account:libaccountkits", "os_account:os_account_innerkits", ] + + if (!device_manager_common) { + external_deps += [ + "device_certificate_manager:device_cert_mgr_sdk", + "huks:libhukssdk", + ] + } } ## UnitTest UTTest_device_manager_service_impl }}} @@ -1277,7 +1297,6 @@ ohos_unittest("UTTest_device_manager_service_impl_first") { external_deps = [ "device_auth:deviceauth_sdk", - "device_certificate_manager:device_cert_mgr_sdk", "device_info_manager:distributed_device_profile_common", "device_info_manager:distributed_device_profile_sdk", "dsoftbus:softbus_client", @@ -1286,10 +1305,16 @@ ohos_unittest("UTTest_device_manager_service_impl_first") { "googletest:gmock", "googletest:gmock_main", "hilog:libhilog", - "huks:libhukssdk", "os_account:libaccountkits", "os_account:os_account_innerkits", ] + + if (!device_manager_common) { + external_deps += [ + "device_certificate_manager:device_cert_mgr_sdk", + "huks:libhukssdk", + ] + } } ## UnitTest UTTest_device_manager_service_impl_first }}} 
@@ -2038,7 +2063,6 @@ ohos_unittest("UTTest_auth_pin_auth_state") { deps = [ ":device_manager_test_common" ] external_deps = [ - "device_auth:deviceauth_sdk", "device_auth:deviceauth_sdk", "device_info_manager:distributed_device_profile_common", "device_info_manager:distributed_device_profile_sdk", @@ -2047,8 +2071,14 @@ ohos_unittest("UTTest_auth_pin_auth_state") { "googletest:gmock", "googletest:gmock_main", "hilog:libhilog", - "huks:libhukssdk", ] + + if (!device_manager_common) { + external_deps += [ + "device_certificate_manager:device_cert_mgr_sdk", + "huks:libhukssdk", + ] + } } ## UnitTest UTTest_auth_pin_auth_state }}} @@ -2099,7 +2129,6 @@ ohos_unittest("UTTest_auth_credential_state") { external_deps = [ "device_auth:deviceauth_sdk", - "device_certificate_manager:device_cert_mgr_sdk", "device_info_manager:distributed_device_profile_common", "device_info_manager:distributed_device_profile_sdk", "dsoftbus:softbus_client", @@ -2107,8 +2136,14 @@ ohos_unittest("UTTest_auth_credential_state") { "googletest:gmock", "googletest:gmock_main", "hilog:libhilog", - "huks:libhukssdk", ] + + if (!device_manager_common) { + external_deps += [ + "device_certificate_manager:device_cert_mgr_sdk", + "huks:libhukssdk", + ] + } } ## UnitTest UTTest_auth_credential_state }}} @@ -2132,7 +2167,6 @@ ohos_unittest("UTTest_auth_acl") { external_deps = [ "device_auth:deviceauth_sdk", - "device_certificate_manager:device_cert_mgr_sdk", "device_info_manager:distributed_device_profile_common", "device_info_manager:distributed_device_profile_sdk", "dsoftbus:softbus_client", @@ -2140,8 +2174,14 @@ ohos_unittest("UTTest_auth_acl") { "googletest:gmock", "googletest:gmock_main", "hilog:libhilog", - "huks:libhukssdk", ] + + if (!device_manager_common) { + external_deps += [ + "device_certificate_manager:device_cert_mgr_sdk", + "huks:libhukssdk", + ] + } } ## UnitTest UTTest_auth_acl }}} 
@@ -2167,7 +2207,6 @@ ohos_unittest("UTTest_auth_negotiate") { "access_token:libnativetoken", "access_token:libtoken_setproc", "device_auth:deviceauth_sdk", - "device_certificate_manager:device_cert_mgr_sdk", "device_info_manager:distributed_device_profile_common", "device_info_manager:distributed_device_profile_sdk", "dsoftbus:softbus_client", @@ -2175,8 +2214,14 @@ ohos_unittest("UTTest_auth_negotiate") { "googletest:gmock", "googletest:gmock_main", "hilog:libhilog", - "huks:libhukssdk", ] + + if (!device_manager_common) { + external_deps += [ + "device_certificate_manager:device_cert_mgr_sdk", + "huks:libhukssdk", + ] + } } ## UnitTest UTTest_auth_negotiate }}} -- Gitee From dd9d8237d6a826a51534738db7275c9ece085e70 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=9D=8E=E5=B7=8D?= Date: Tue, 20 May 2025 11:02:50 +0800 Subject: [PATCH 07/16] =?UTF-8?q?=E7=BC=96=E8=AF=91=E5=A4=B1=E8=B4=A5?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 李巍 --- .../implementation/src/authentication_v2/auth_manager.cpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/services/implementation/src/authentication_v2/auth_manager.cpp b/services/implementation/src/authentication_v2/auth_manager.cpp index 9950b717b..fd281b279 100644 --- a/services/implementation/src/authentication_v2/auth_manager.cpp +++ b/services/implementation/src/authentication_v2/auth_manager.cpp @@ -619,7 +619,7 @@ int32_t AuthManager::AuthenticateDevice(const std::string &pkgName, int32_t auth return DM_OK; } -std::string GenerateCertificate() +std::string GenerateCertificate(std::shared_ptr context_) { #ifdef DEVICE_MANAGER_COMMON_FLAG context_->isBlueFlag = true; 
@@ -678,7 +678,7 @@ int32_t AuthManager::BindTarget(const std::string &pkgName, const PeerTargetId & return ERR_DM_INPUT_PARA_INVALID; } - context_->cert = GenerateCertificate(); + context_->cert = GenerateCertificate(context_); context_->sessionId = sessionId; context_->logicalSessionId = logicalSessionId; context_->requestId = static_cast(logicalSessionId); -- Gitee From 49d80e4d26af39567f097c848508f7766eacb4df Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=9D=8E=E5=B7=8D?= Date: Tue, 20 May 2025 14:13:43 +0800 Subject: [PATCH 08/16] =?UTF-8?q?=E8=AF=81=E4=B9=A6=E5=A4=B4=E6=96=87?= =?UTF-8?q?=E4=BB=B6=E7=A7=BB=E5=8A=A8?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 李巍 --- .../implementation/include/authentication_v2/auth_manager.h | 4 ---- .../implementation/src/authentication_v2/auth_manager.cpp | 4 ++++ .../src/authentication_v2/auth_stages/auth_negotiate.cpp | 4 ++++ 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/services/implementation/include/authentication_v2/auth_manager.h b/services/implementation/include/authentication_v2/auth_manager.h index c68b7c883..2767c79b4 100644 --- a/services/implementation/include/authentication_v2/auth_manager.h +++ b/services/implementation/include/authentication_v2/auth_manager.h @@ -25,10 +25,6 @@ #include "json_object.h" #include "softbus_connector.h" #include "softbus_session.h" -#if !defined(DEVICE_MANAGER_COMMON_FLAG) -#include "dm_auth_generate_attest.h" -#include "dm_auth_validate_attest.h" -#endif namespace OHOS { namespace DistributedHardware { diff --git a/services/implementation/src/authentication_v2/auth_manager.cpp b/services/implementation/src/authentication_v2/auth_manager.cpp index fd281b279..46faa16e3 100644 --- a/services/implementation/src/authentication_v2/auth_manager.cpp +++ b/services/implementation/src/authentication_v2/auth_manager.cpp 
@@ -36,6 +36,10 @@ #include "dm_auth_context.h" #include "dm_auth_message_processor.h" #include "dm_auth_state.h" +#if !defined(DEVICE_MANAGER_COMMON_FLAG) +#include "dm_auth_generate_attest.h" +#include "dm_auth_validate_attest.h" +#endif namespace OHOS { namespace DistributedHardware { diff --git a/services/implementation/src/authentication_v2/auth_stages/auth_negotiate.cpp b/services/implementation/src/authentication_v2/auth_stages/auth_negotiate.cpp index 1ed71161d..11c5fa9f9 100644 --- a/services/implementation/src/authentication_v2/auth_stages/auth_negotiate.cpp +++ b/services/implementation/src/authentication_v2/auth_stages/auth_negotiate.cpp @@ -40,6 +40,10 @@ #include "multiple_user_connector.h" #include "os_account_manager.h" #include "parameter.h" +#if !defined(DEVICE_MANAGER_COMMON_FLAG) +#include "dm_auth_generate_attest.h" +#include "dm_auth_validate_attest.h" +#endif using namespace OHOS::Security::AccessToken; -- Gitee From 3d6cb39460211e7809dd513c351a04686c6e414d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=9D=8E=E5=B7=8D?= Date: Wed, 21 May 2025 09:12:55 +0800 Subject: [PATCH 09/16] =?UTF-8?q?udud=E9=9D=9Ecore=E7=B1=BB=E5=9E=8B?= =?UTF-8?q?=E6=9D=83=E9=99=90?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 李巍 --- sa_profile/device_manager.cfg | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/sa_profile/device_manager.cfg b/sa_profile/device_manager.cfg index 7a1fa625b..a1aaa5e7c 100644 --- a/sa_profile/device_manager.cfg +++ b/sa_profile/device_manager.cfg @@ -47,8 +47,7 @@ "permission_acls" : [ "ohos.permission.MANAGE_SOFTBUS_NETWORK", "ohos.permission.ACCESS_DEVAUTH_CRED_PRIVILEGE", - "ohos.permission.ACCESS_IDS", - "ohos.permission.sec.ACCESS_UDID" + "ohos.permission.ACCESS_IDS" ], "jobs" : { "on-start" : "service:device_manager" -- Gitee From cf08da6cedab99822b14f5611a9e34fdcdd15730 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?=E6=9D=8E=E5=B7=8D?= Date: Thu, 22 May 2025 22:45:41 +0800 Subject: [PATCH 10/16] =?UTF-8?q?=E5=A2=9E=E5=8A=A0=E5=86=85=E5=AD=98?= =?UTF-8?q?=E9=87=8A=E6=94=BE?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 李巍 --- .../include/attest/dm_auth_validate_attest.h | 1 + .../src/attest/dm_auth_attest_common.cpp | 4 +- .../src/attest/dm_auth_generate_attest.cpp | 101 +++++++++++--- .../src/attest/dm_auth_validate_attest.cpp | 128 +++++++++++++----- 4 files changed, 182 insertions(+), 52 deletions(-) diff --git a/services/implementation/include/attest/dm_auth_validate_attest.h b/services/implementation/include/attest/dm_auth_validate_attest.h index 4712d2317..5e3d8fcd2 100644 --- a/services/implementation/include/attest/dm_auth_validate_attest.h +++ b/services/implementation/include/attest/dm_auth_validate_attest.h @@ -35,6 +35,7 @@ public: int32_t VerifyCertificate(DmCertChain &dmCertChain, const char* deviceUdid); int32_t ConvertDmCertChainToHksCertChain(DmCertChain &dmCertChain, HksCertChain &hksCertChain); int32_t FillHksParamSet(struct HksParamSet **paramSet, struct HksParam *param, int32_t paramNums); + void FreeHksCertChain(HksCertChain& chain); }; } // namespace DistributedHardware } // namespace OHOS diff --git a/services/implementation/src/attest/dm_auth_attest_common.cpp b/services/implementation/src/attest/dm_auth_attest_common.cpp index 5480912cd..e2348e543 100644 --- a/services/implementation/src/attest/dm_auth_attest_common.cpp +++ b/services/implementation/src/attest/dm_auth_attest_common.cpp @@ -26,7 +26,7 @@ constexpr int32_t HEX_TO_UINT8 = 2; std::string AuthAttestCommon::SerializeDmCertChain(const DmCertChain* chain) { - if (!chain || !chain->cert || chain->certCount == 0) { + if (chain == nullptr || !chain->cert || chain->certCount == 0) { return "{}"; } JsonObject jsonObject; 
@@ -102,7 +102,7 @@ bool ValidateInputJson(const std::string& data) bool AuthAttestCommon::DeserializeDmCertChain(const std::string& data, DmCertChain* outChain) { - if (!outChain || data.empty() || !ValidateInputJson(data)) { + if (outChain == nullptr || data.empty() || !ValidateInputJson(data)) { LOGE("Invalid input"); return false; } diff --git a/services/implementation/src/attest/dm_auth_generate_attest.cpp b/services/implementation/src/attest/dm_auth_generate_attest.cpp index fa7a5682a..a6416a43f 100644 --- a/services/implementation/src/attest/dm_auth_generate_attest.cpp +++ b/services/implementation/src/attest/dm_auth_generate_attest.cpp @@ -29,8 +29,13 @@ int32_t AuthGenerateAttest::GenerateCertificate(DmCertChain &dmCertChain) LOGI("GenerateCertificate Start"); DcmIdType ids[] = { DCM_ID_TYPE_UDID }; uint64_t randomNum = GenRandLongLong(MIN_DCM_RANDOM, MAX_DCM_RANDOM); + LOGI("GenerateCertificate randomNum=%{public}lu", randomNum); DcmBlob challengeBlob = {sizeof(randomNum), (uint8_t *)& randomNum}; DcmCertChain* dcmCertChain = new DcmCertChain(); + if (dcmCertChain == nullptr) { + LOGE("new dcmCertChain fail!"); + return ERR_DM_MALLOC_FAILED; + } InitCertChain(dcmCertChain); int32_t ret = DcmAttestIdsEx(ids, sizeof(ids)/sizeof(ids[0]), &challengeBlob, DCM_CERT_TYPE_ROOT_V2, dcmCertChain); if (ret != DCM_SUCCESS) { 
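Review bot: The added `LOGI("GenerateCertificate randomNum=%{public}lu", randomNum);` in `AuthGenerateAttest::GenerateCertificate` writes the attestation challenge to the log as a public field. That value is passed to `DcmAttestIdsEx` through `challengeBlob`, so it should not be logged at all, or at most with `%{private}`. In the same hunk the result of `InitCertChain(dcmCertChain)` is ignored, so a failed buffer allocation still reaches `DcmAttestIdsEx`; check it first, `if (InitCertChain(dcmCertChain) != DM_OK) { FreeCertChain(dcmCertChain); return ERR_DM_MALLOC_FAILED; }`. The function continues past the end of the hunk.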
@@ -50,18 +55,37 @@ int32_t AuthGenerateAttest::GenerateCertificate(DmCertChain &dmCertChain) int32_t AuthGenerateAttest::InitCertChain(DcmCertChain *certChain) { + LOGI("InitCertChain Start"); certChain->certCount = DM_CERTS_COUNT; - certChain->cert = new DcmBlob[certChain->certCount]; + certChain->cert = new (std::nothrow) DcmBlob[certChain->certCount]; + if (certChain->cert == nullptr) { + certChain->certCount = 0; + LOGE("new dcmCertChain.cert fail!"); + return ERR_DM_MALLOC_FAILED; + } for (uint32_t i = 0; i < certChain->certCount; ++i) { + certChain->cert[i].data = new (std::nothrow) uint8_t[DM_CERTIFICATE_SIZE]; + if (certChain->cert[i].data == nullptr) { + certChain->cert[i].size = 0; + for (uint32_t j = 0; j < i; ++j) { + delete[] certChain->cert[j].data; + certChain->cert[j].data = nullptr; + certChain->cert[j].size = 0; + } + delete[] certChain->cert; + certChain->cert = nullptr; + certChain->certCount = 0; + LOGE("new dcmCertChain.cert.data fail!"); + return ERR_DM_MALLOC_FAILED; + } certChain->cert[i].size = DM_CERTIFICATE_SIZE; - certChain->cert[i].data = new uint8_t[DM_CERTIFICATE_SIZE]; } return DM_OK; } void AuthGenerateAttest::FreeCertChain(DcmCertChain* chain) { - if (!chain) { + if (chain == nullptr) { return; } for (uint32_t i = 0; i < chain->certCount; ++i) { 
@@ -73,25 +97,68 @@ void AuthGenerateAttest::FreeCertChain(DcmCertChain* chain) delete chain; } +int32_t ValidateInput(DcmCertChain &dcmCertChain) +{ + if (dcmCertChain.certCount > 0 && dcmCertChain.cert == nullptr) { + LOGE("Invalid cert chain: certCount>0 but cert array is null!"); + return ERR_DM_INPUT_PARA_INVALID; + } + return DM_OK; +} + +int32_t CopyCertificates(DcmCertChain& dcmCertChain, DmBlob* newCertArray, uint32_t& allocatedCerts) +{ + for (uint32_t i = 0; i < dcmCertChain.certCount; ++i) { + const auto& src = dcmCertChain.cert[i]; + auto& dest = newCertArray[i]; + dest.size = src.size; + dest.data = nullptr; + if (src.size == 0 || src.data == nullptr) continue; + dest.data = new (std::nothrow) uint8_t[src.size]; + if (dest.data == nullptr) { + allocatedCerts = i; + return ERR_DM_MALLOC_FAILED; + } + + if (memcpy_s(dest.data, src.size, src.data, src.size) != DM_OK) { + delete[] dest.data; + dest.data = nullptr; + allocatedCerts = i; + return ERR_DM_FAILED; + } + allocatedCerts = i + 1; + } + return DM_OK; +} + int32_t AuthGenerateAttest::ConvertDcmCertChainToDmCertChain(DcmCertChain &dcmCertChain, DmCertChain &dmCertChain) { LOGI("ConvertDcmCertChainToDmCertChain start!"); - dmCertChain.certCount = dcmCertChain.certCount; - if (dcmCertChain.certCount > 0) { - dmCertChain.cert = new DmBlob[dcmCertChain.certCount]; - for (uint32_t i = 0; i < dcmCertChain.certCount; ++i) { - dmCertChain.cert[i].size = dcmCertChain.cert[i].size; - if (dcmCertChain.cert[i].size > 0 && dcmCertChain.cert[i].data != nullptr) { - dmCertChain.cert[i].data = new uint8_t[dcmCertChain.cert[i].size]; - memcpy_s(dmCertChain.cert[i].data, dmCertChain.cert[i].size, - dcmCertChain.cert[i].data, dcmCertChain.cert[i].size); - } else { - dmCertChain.cert[i].data = nullptr; - } - } - } else { + int32_t ret = ValidateInput(dcmCertChain); + if (ret != DM_OK) { + return ret; + } + if (dcmCertChain.certCount == 0) { dmCertChain.cert = nullptr; + dmCertChain.certCount = 0; + return DM_OK; + } + 
DmBlob* newCertArray = new (std::nothrow) DmBlob[dcmCertChain.certCount]; + if (newCertArray == nullptr) { + LOGE("Failed to allocate cert array!"); + return ERR_DM_MALLOC_FAILED; } + uint32_t allocatedCerts = 0; + ret = CopyCertificates(dcmCertChain, newCertArray, allocatedCerts); + if (ret != DM_OK) { + for (uint32_t j = 0; j < allocatedCerts; ++j) { + delete[] newCertArray[j].data; + } + delete[] newCertArray; + return ret; + } + dmCertChain.cert = newCertArray; + dmCertChain.certCount = dcmCertChain.certCount; return DM_OK; } } // namespace DistributedHardware diff --git a/services/implementation/src/attest/dm_auth_validate_attest.cpp b/services/implementation/src/attest/dm_auth_validate_attest.cpp index 7e69e269a..5c871245c 100644 --- a/services/implementation/src/attest/dm_auth_validate_attest.cpp +++ b/services/implementation/src/attest/dm_auth_validate_attest.cpp @@ -21,6 +21,27 @@ namespace OHOS { namespace DistributedHardware { +int32_t ProcessValidationResult(const char* deviceIdHash, char* udidStr, uint64_t randNum, HksParamSet *outputParam) +{ + uint32_t cnt = 0; + HksBlob *blob = &outputParam->params[cnt].blob; + if (memcpy_s(&randNum, sizeof(uint64_t), blob->data, blob->size) != EOK) { + LOGE("memcpy randNum failed"); + return ERR_DM_GET_PARAM_FAILED; + } + blob = &outputParam->params[++cnt].blob; + if (memcpy_s(udidStr, UDID_BUF_LEN, blob->data, blob->size) != EOK) { + LOGE("memcpy udidStr failed"); + return ERR_DM_GET_PARAM_FAILED; + } + std::string certDeviceIdHash = Crypto::GetUdidHash(std::string(udidStr)); + if (strcmp(deviceIdHash, certDeviceIdHash.c_str()) != 0) { + LOGE("verifyCertificate fail"); + return ERR_DM_DESERIAL_CERT_FAILED; + } + return DM_OK; +} + int32_t AuthValidateAttest::VerifyCertificate(DmCertChain &dmCertChain, const char* deviceIdHash) { LOGI("VerifyCertificate start!"); 
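Review bot: In `CopyCertificates` the skip path `if (src.size == 0 || src.data == nullptr) continue;` runs after `dest.size = src.size;`, so an entry whose `data` is null keeps a non-zero `size` in the converted chain. A consumer that trusts `size` would then read through a null pointer; set `dest.size = 0;` before the `continue`, or reject such a chain the way `CopySingleCert` does on the verify side. `memcpy_s` is compared with `DM_OK` here but with `EOK` or `0` elsewhere in this patch, and the comparison should be against `EOK`. `ValidateInput` and `CopyCertificates` are helpers local to this file and could be `static` or live in an anonymous namespace.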
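Review bot: `ProcessValidationResult` copies `blob->size` bytes into `udidStr` with a limit of `UDID_BUF_LEN` and then builds `std::string(udidStr)`, so a blob that fills the buffer exactly leaves no terminating NUL. Limiting the copy to `UDID_BUF_LEN - 1`, `memcpy_s(udidStr, UDID_BUF_LEN - 1, blob->data, blob->size)`, keeps the last byte of the caller's zero-initialised buffer intact. The function also reads `outputParam->params[0]` and `[1]` without checking `outputParam` or its parameter count, and `randNum` is a by-value parameter that is only written, so the challenge taken from the certificate is never compared with anything here. A hash mismatch now returns `ERR_DM_DESERIAL_CERT_FAILED`, whereas the inline code this helper replaces (removed in the next hunk) returned `ERR_DM_VERIFY_CERT_FAILED`.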
@@ -40,35 +61,28 @@ int32_t AuthValidateAttest::VerifyCertificate(DmCertChain &dmCertChain, const ch ret = FillHksParamSet(&outputParam, outputData, sizeof(outputData) / sizeof(outputData[0])); if (ret != DM_OK) { LOGE("FillHksParamSet failed, ret=%{public}d", ret); + FreeHksCertChain(hksCertChain); return ERR_DM_FAILED; } ret = HksValidateCertChain(&hksCertChain, outputParam); if (ret != HKS_SUCCESS) { LOGE("HksValidateCertChain fail, ret=%{public}d", ret); + FreeHksCertChain(hksCertChain); return ret; } - uint32_t cnt = 0; - HksBlob *blob = &outputParam->params[cnt].blob; - if (memcpy_s(&randNum, sizeof(uint64_t), blob->data, blob->size) != EOK) { - LOGE("memcpy randNum failed"); - return ERR_DM_GET_PARAM_FAILED; - } - blob = &outputParam->params[++cnt].blob; - if (memcpy_s(udidStr, UDID_BUF_LEN, blob->data, blob->size) != EOK) { - LOGE("memcpy udidStr failed"); - return ERR_DM_GET_PARAM_FAILED; - } - std::string certDeviceIdHash = Crypto::GetUdidHash(std::string(udidStr)); - if (strcmp(deviceIdHash, certDeviceIdHash.c_str()) != 0) { - LOGE("verifyCertificate fail"); - return ERR_DM_VERIFY_CERT_FAILED; + ret = ProcessValidationResult(deviceIdHash, udidStr, randNum, outputParam); + if (ret != DM_OK) { + LOGE("ProcessValidationResult fail, ret=%{public}d", ret); + FreeHksCertChain(hksCertChain); + return ret; } + FreeHksCertChain(hksCertChain); return DM_OK; } int32_t AuthValidateAttest::FillHksParamSet(HksParamSet **paramSet, HksParam *param, int32_t paramNums) { - if (param == NULL) { + if (param == nullptr) { LOGE("param is null"); return ERR_DM_INPUT_PARA_INVALID; } 
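Review bot: `VerifyCertificate` now releases `hksCertChain` on every exit shown, but `outputParam`, which `FillHksParamSet` fills, is not released on any of them. If `FillHksParamSet` allocates the set (its body is only partly visible), every verification leaks it; free it together with the chain, e.g. `HksFreeParamSet(&outputParam);`. The four repeated `FreeHksCertChain(hksCertChain);` calls would be less error-prone as a single cleanup at one exit point or a small scope guard. The function starts before this hunk.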
@@ -92,30 +106,78 @@ int32_t AuthValidateAttest::FillHksParamSet(HksParamSet **paramSet, HksParam *pa return DM_OK; } +void AuthValidateAttest::FreeHksCertChain(HksCertChain& chain) +{ + if (chain.certs != nullptr) { + for (uint32_t i = 0; i < chain.certsCount; ++i) { + delete[] chain.certs[i].data; + } + delete[] chain.certs; + chain.certs = nullptr; + } + chain.certsCount = 0; +} + +int32_t AllocateHksBlobArray(uint32_t count, HksBlob** outArray) +{ + HksBlob* arr = new (std::nothrow) HksBlob[count]; + if (arr == nullptr) { + LOGE("Alloc failed for certs"); + return ERR_DM_MALLOC_FAILED; + } + + const size_t totalSize = sizeof(HksBlob) * count; + if (memset_s(arr, totalSize, 0, totalSize) != 0) { + LOGE("memset_s failed"); + delete[] arr; + return ERR_DM_FAILED; + } + + *outArray = arr; + return DM_OK; +} + +int32_t CopySingleCert(const DmBlob& src, HksBlob& dest) +{ + if (src.data == nullptr || src.size == 0) { + LOGE("Invalid src cert"); + return ERR_DM_FAILED; + } + dest.data = new (std::nothrow) uint8_t[src.size]; + if (dest.data == nullptr) { + LOGE("Alloc failed for size"); + return ERR_DM_MALLOC_FAILED; + } + dest.size = src.size; + if (memcpy_s(dest.data, src.size, src.data, src.size) != 0) { + LOGE("memcpy_s failed size"); + delete[] dest.data; + dest.data = nullptr; + return ERR_DM_FAILED; + } + return DM_OK; +} + int32_t AuthValidateAttest::ConvertDmCertChainToHksCertChain(DmCertChain &dmCertChain, HksCertChain &hksCertChain) { if (dmCertChain.certCount == 0 || dmCertChain.cert == nullptr) { return ERR_DM_INPUT_PARA_INVALID; } - hksCertChain.certsCount = dmCertChain.certCount; - hksCertChain.certs = new HksBlob[hksCertChain.certsCount]; - const size_t totalSize = sizeof(HksBlob) * hksCertChain.certsCount; - memset_s(hksCertChain.certs, totalSize, 0, totalSize); - for (uint32_t i = 0; i < hksCertChain.certsCount; ++i) { - if (dmCertChain.cert[i].data == nullptr || dmCertChain.cert[i].size == 0) { - return ERR_DM_FAILED; - } - hksCertChain.certs[i].size 
= dmCertChain.cert[i].size; - hksCertChain.certs[i].data = new uint8_t[hksCertChain.certs[i].size]; - if (hksCertChain.certs[i].data == nullptr) { - return ERR_DM_MALLOC_FAILED; - } - if (memcpy_s(hksCertChain.certs[i].data, hksCertChain.certs[i].size, - dmCertChain.cert[i].data, dmCertChain.cert[i].size) != 0) { - LOGE("memcpy cert data failed"); - return ERR_DM_FAILED; + HksBlob* newCerts = nullptr; + int32_t ret = AllocateHksBlobArray(dmCertChain.certCount, &newCerts); + if (ret != DM_OK) { + LOGE("AllocateHksBlobArray fail, ret = %{public}d", ret); + return ret; + } + for (uint32_t i = 0; i < dmCertChain.certCount; ++i) { + if ((ret = CopySingleCert(dmCertChain.cert[i], newCerts[i])) != DM_OK) { + FreeHksCertChain(hksCertChain); + delete[] newCerts; + return ret; } } + hksCertChain.certs = newCerts; + hksCertChain.certsCount = dmCertChain.certCount; return DM_OK; } } // namespace DistributedHardware -- Gitee From 3d6195a5368485e8d99ff96435a00be0370a306f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=9D=8E=E5=B7=8D?= Date: Fri, 23 May 2025 09:21:52 +0800 Subject: [PATCH 11/16] =?UTF-8?q?=E6=A0=BC=E5=BC=8F=E4=BF=AE=E6=94=B9?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 李巍 --- common/src/dm_constants.cpp | 2 +- services/implementation/src/attest/dm_auth_attest_common.cpp | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/common/src/dm_constants.cpp b/common/src/dm_constants.cpp index 33867b48b..35904bddf 100644 --- a/common/src/dm_constants.cpp +++ b/common/src/dm_constants.cpp 
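Review bot: When `CopySingleCert` fails, `ConvertDmCertChainToHksCertChain` calls `FreeHksCertChain(hksCertChain)` and `delete[] newCerts`, but `hksCertChain` has not been given `newCerts` at that point. The `data` buffers already copied into `newCerts[0..i-1]` are therefore leaked, and the call instead frees whatever the caller's `hksCertChain` held. Release the local array, `for (uint32_t j = 0; j < i; ++j) { delete[] newCerts[j].data; }`, before `delete[] newCerts;`. If the caller passes an uninitialised `HksCertChain` (not visible in this hunk), the current `FreeHksCertChain` call would also act on indeterminate pointers.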
@@ -171,7 +171,7 @@ const char* DM_VERSION_5_0_4 = "5.0.4"; const char* DM_VERSION_5_0_5 = "5.0.5"; const char* DM_VERSION_5_1_0 = "5.1.0"; const char* DM_VERSION_5_1_1 = "5.1.1"; -const char* DM_CURRENT_VERSION = DM_VERSION_5_1_1; // 看改变后的影响 +const char* DM_CURRENT_VERSION = DM_VERSION_5_1_0; const char* DM_VERSION_5_0_OLD_MAX = "5.0.99"; // Estimated highest version number of the old version } // namespace DistributedHardware } // namespace OHOS \ No newline at end of file diff --git a/services/implementation/src/attest/dm_auth_attest_common.cpp b/services/implementation/src/attest/dm_auth_attest_common.cpp index e2348e543..7fd78fb54 100644 --- a/services/implementation/src/attest/dm_auth_attest_common.cpp +++ b/services/implementation/src/attest/dm_auth_attest_common.cpp @@ -26,7 +26,7 @@ constexpr int32_t HEX_TO_UINT8 = 2; std::string AuthAttestCommon::SerializeDmCertChain(const DmCertChain* chain) { - if (chain == nullptr || !chain->cert || chain->certCount == 0) { + if (chain == nullptr || chain->cert == nullptr || chain->certCount == 0) { return "{}"; } JsonObject jsonObject; -- Gitee From 88f7325f9bcee4b423bbe61686807c9fe802e8f0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=9D=8E=E5=B7=8D?= Date: Sat, 24 May 2025 14:51:39 +0800 Subject: [PATCH 12/16] =?UTF-8?q?=E6=A0=BC=E5=BC=8F=E4=BF=AE=E6=94=B9?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
Signed-off-by: 李巍 --- .../include/attest/dm_auth_attest_common.h | 5 ++-- .../include/attest/dm_auth_generate_attest.h | 2 +- .../include/attest/dm_auth_validate_attest.h | 4 ++-- .../authentication_v2/dm_auth_context.h | 2 +- .../authentication_v2/dm_auth_manager_base.h | 2 +- .../src/attest/dm_auth_attest_common.cpp | 23 ++++++++----------- .../src/attest/dm_auth_generate_attest.cpp | 14 ++++++----- .../src/attest/dm_auth_validate_attest.cpp | 16 +++++++------ .../src/authentication_v2/auth_manager.cpp | 2 +- .../auth_stages/auth_negotiate.cpp | 2 +- .../dm_auth_manager_base.cpp | 2 +- .../dm_auth_message_processor.cpp | 6 ++--- 12 files changed, 40 insertions(+), 40 deletions(-) diff --git a/services/implementation/include/attest/dm_auth_attest_common.h b/services/implementation/include/attest/dm_auth_attest_common.h index 4568b7d05..2e42f5a89 100644 --- a/services/implementation/include/attest/dm_auth_attest_common.h +++ b/services/implementation/include/attest/dm_auth_attest_common.h @@ -23,6 +23,7 @@ #include #include +#include "dm_anonymous.h" #include "dm_auth_manager_base.h" #include "dm_crypto.h" #include "dm_random.h" @@ -49,8 +50,8 @@ public: return instance; } - std::string SerializeDmCertChain(const DmCertChain* chain); - bool DeserializeDmCertChain(const std::string& data, DmCertChain* outChain); + std::string SerializeDmCertChain(const DmCertChain *chain); + bool DeserializeDmCertChain(const std::string &data, DmCertChain *outChain); }; } // namespace DistributedHardware } // namespace OHOS diff --git a/services/implementation/include/attest/dm_auth_generate_attest.h b/services/implementation/include/attest/dm_auth_generate_attest.h index fec04c29f..292084079 100644 --- a/services/implementation/include/attest/dm_auth_generate_attest.h +++ b/services/implementation/include/attest/dm_auth_generate_attest.h 
@@ -34,7 +34,7 @@ public: int32_t GenerateCertificate(DmCertChain &dmCertChain); int32_t ConvertDcmCertChainToDmCertChain(DcmCertChain &dcmCertChain, DmCertChain &dmCertChain); int32_t InitCertChain(DcmCertChain *certChain); - void FreeCertChain(DcmCertChain* chain); + void FreeCertChain(DcmCertChain *chain); }; } // namespace DistributedHardware } // namespace OHOS diff --git a/services/implementation/include/attest/dm_auth_validate_attest.h b/services/implementation/include/attest/dm_auth_validate_attest.h index 5e3d8fcd2..7ae04ed2f 100644 --- a/services/implementation/include/attest/dm_auth_validate_attest.h +++ b/services/implementation/include/attest/dm_auth_validate_attest.h @@ -32,10 +32,10 @@ public: return instance; } - int32_t VerifyCertificate(DmCertChain &dmCertChain, const char* deviceUdid); + int32_t VerifyCertificate(DmCertChain &dmCertChain, const char *deviceUdid); int32_t ConvertDmCertChainToHksCertChain(DmCertChain &dmCertChain, HksCertChain &hksCertChain); int32_t FillHksParamSet(struct HksParamSet **paramSet, struct HksParam *param, int32_t paramNums); - void FreeHksCertChain(HksCertChain& chain); + void FreeHksCertChain(HksCertChain &chain); }; } // namespace DistributedHardware } // namespace OHOS diff --git a/services/implementation/include/authentication_v2/dm_auth_context.h b/services/implementation/include/authentication_v2/dm_auth_context.h index 694a26c86..5f362a5a5 100644 --- a/services/implementation/include/authentication_v2/dm_auth_context.h +++ b/services/implementation/include/authentication_v2/dm_auth_context.h @@ -218,7 +218,7 @@ struct DmAuthContext { DmAccess accessee; std::multimap proxy; // Multimap where the key is the accessor and the value is the accesssee std::string cert; - bool isBlueFlag{false}; + bool isCommonFlag{false}; std::shared_ptr authStateMachine; std::shared_ptr authUiStateMgr; 
diff --git a/services/implementation/include/authentication_v2/dm_auth_manager_base.h b/services/implementation/include/authentication_v2/dm_auth_manager_base.h index 91e759b48..923379717 100644 --- a/services/implementation/include/authentication_v2/dm_auth_manager_base.h +++ b/services/implementation/include/authentication_v2/dm_auth_manager_base.h @@ -78,7 +78,7 @@ extern const char* CLOSE_SESSION_TASK_SEPARATOR; extern const char* TAG_DM_CERT_CHAIN; extern const char* TAG_CERT_COUNT; extern const char* TAG_CERT; -extern const char* TAG_IS_BLUE_FLAG; +extern const char* TAG_IS_COMMON_FLAG; extern const int32_t AUTHENTICATE_TIMEOUT; extern const int32_t CONFIRM_TIMEOUT; diff --git a/services/implementation/src/attest/dm_auth_attest_common.cpp b/services/implementation/src/attest/dm_auth_attest_common.cpp index 7fd78fb54..aac8a8037 100644 --- a/services/implementation/src/attest/dm_auth_attest_common.cpp +++ b/services/implementation/src/attest/dm_auth_attest_common.cpp 
@@ -24,23 +24,22 @@ namespace DistributedHardware { const int32_t MAX_CERT_COUNT = 1024; constexpr int32_t HEX_TO_UINT8 = 2; -std::string AuthAttestCommon::SerializeDmCertChain(const DmCertChain* chain) +std::string AuthAttestCommon::SerializeDmCertChain(const DmCertChain *chain) { if (chain == nullptr || chain->cert == nullptr || chain->certCount == 0) { return "{}"; } JsonObject jsonObject; jsonObject[TAG_CERT_COUNT] = chain->certCount; - std::vector certStrings; JsonObject jsonArrayObj(JsonCreateType::JSON_CREATE_TYPE_ARRAY); for (uint32_t i = 0; i < chain->certCount; ++i) { const DmBlob& blob = chain->cert[i]; - if (!blob.data || blob.size == 0) { + if (blob.data == nullptr || blob.size == 0) { return "{}"; } const uint32_t hexLen = blob.size * HEX_TO_UINT8 + 1; // 2*blob.size + 1 - char* hexBuffer = new char[hexLen]; - if (!hexBuffer) { + char* hexBuffer = new char[hexLen]{0}; + if (hexBuffer == nullptr) { return "{}"; } int32_t ret = Crypto::ConvertBytesToHexString(hexBuffer, hexLen, blob.data, blob.size); @@ -48,8 +47,6 @@ std::string AuthAttestCommon::SerializeDmCertChain(const DmCertChain* chain) delete[] hexBuffer; return "{}"; } - hexBuffer[blob.size * HEX_TO_UINT8] = '\0'; - certStrings.emplace_back(hexBuffer, hexLen); jsonArrayObj.PushBack(std::string(hexBuffer)); delete[] hexBuffer; } @@ -57,11 +54,11 @@ std::string AuthAttestCommon::SerializeDmCertChain(const DmCertChain* chain) return jsonObject.Dump(); } -bool ValidateInputJson(const std::string& data) +bool ValidateInputJson(const std::string &data) { JsonObject jsonObject; jsonObject.Parse(data); - if (!jsonObject.Contains(TAG_CERT_COUNT) || !jsonObject.Contains(TAG_CERT)) { + if (!IsUint32(jsonObject, TAG_CERT_COUNT) || !jsonObject.Contains(TAG_CERT)) { LOGE("DeserializeDmCertChain: Missing required fields 'certCount' or 'cert'"); return false; } 
@@ -73,10 +70,9 @@ bool ValidateInputJson(const std::string& data) return true; } - bool ProcessCertItem(const JsonItemObject& item, DmBlob& cert, uint32_t processedIndex) + bool ProcessCertItem(const JsonItemObject &item, DmBlob &cert, uint32_t processedIndex) { std::string hexStr = item.Get(); - LOGI("DeserializeDmCertChain hexStr=%{public}s.", hexStr.c_str()); const size_t hexLen = hexStr.length(); if (hexLen == 0 || hexLen % HEX_TO_UINT8 != 0) { LOGE("DeserializeDmCertChain: Invalid HEX length %{public}zu at index %{public}u", hexLen, processedIndex); @@ -100,7 +96,7 @@ bool ValidateInputJson(const std::string& data) return true; } -bool AuthAttestCommon::DeserializeDmCertChain(const std::string& data, DmCertChain* outChain) +bool AuthAttestCommon::DeserializeDmCertChain(const std::string &data, DmCertChain *outChain) { if (outChain == nullptr || data.empty() || !ValidateInputJson(data)) { LOGE("Invalid input"); @@ -111,12 +107,11 @@ bool AuthAttestCommon::DeserializeDmCertChain(const std::string& data, DmCertCha const uint32_t certCount = jsonObject[TAG_CERT_COUNT].Get(); JsonObject jsonArrayObj(JsonCreateType::JSON_CREATE_TYPE_ARRAY); jsonArrayObj.Parse(jsonObject[TAG_CERT].Dump()); - DmBlob* certs = new DmBlob[certCount]; + DmBlob* certs = new DmBlob[certCount]{0}; if (certs == nullptr) { LOGE("DeserializeDmCertChain: Memory allocation failed for certs array"); return false; } - memset_s(certs, sizeof(DmBlob) * certCount, 0, sizeof(DmBlob) * certCount); bool success = true; uint32_t processedIndex = 0; for (const auto& item : jsonArrayObj.Items()) { diff --git a/services/implementation/src/attest/dm_auth_generate_attest.cpp b/services/implementation/src/attest/dm_auth_generate_attest.cpp index a6416a43f..6243cf3a7 100644 --- a/services/implementation/src/attest/dm_auth_generate_attest.cpp +++ b/services/implementation/src/attest/dm_auth_generate_attest.cpp 
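Review bot: In `DeserializeDmCertChain`, `certs` is sized by `certCount`, which is read from the received JSON, while the loop that follows iterates over the items of `TAG_CERT`, and the lines shown do not compare the two. Unless `ValidateInputJson` or the part of the loop outside this hunk already does so, stop when the array is full, `if (processedIndex >= certCount) { success = false; break; }`, and treat fewer items than `certCount` as a failure too. An upper bound on `certCount` (the file defines `MAX_CERT_COUNT`) should be enforced before the allocation. Removing the `LOGI` of `hexStr` in `ProcessCertItem` is a good change, since it keeps certificate contents out of the log.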
@@ -31,7 +31,7 @@ int32_t AuthGenerateAttest::GenerateCertificate(DmCertChain &dmCertChain) uint64_t randomNum = GenRandLongLong(MIN_DCM_RANDOM, MAX_DCM_RANDOM); LOGI("GenerateCertificate randomNum=%{public}lu", randomNum); DcmBlob challengeBlob = {sizeof(randomNum), (uint8_t *)& randomNum}; - DcmCertChain* dcmCertChain = new DcmCertChain(); + DcmCertChain *dcmCertChain = new DcmCertChain(); if (dcmCertChain == nullptr) { LOGE("new dcmCertChain fail!"); return ERR_DM_MALLOC_FAILED; @@ -57,14 +57,14 @@ int32_t AuthGenerateAttest::InitCertChain(DcmCertChain *certChain) { LOGI("InitCertChain Start"); certChain->certCount = DM_CERTS_COUNT; - certChain->cert = new (std::nothrow) DcmBlob[certChain->certCount]; + certChain->cert = new DcmBlob[certChain->certCount]; if (certChain->cert == nullptr) { certChain->certCount = 0; LOGE("new dcmCertChain.cert fail!"); return ERR_DM_MALLOC_FAILED; } for (uint32_t i = 0; i < certChain->certCount; ++i) { - certChain->cert[i].data = new (std::nothrow) uint8_t[DM_CERTIFICATE_SIZE]; + certChain->cert[i].data = new uint8_t[DM_CERTIFICATE_SIZE]; if (certChain->cert[i].data == nullptr) { certChain->cert[i].size = 0; for (uint32_t j = 0; j < i; ++j) { @@ -83,7 +83,7 @@ int32_t AuthGenerateAttest::InitCertChain(DcmCertChain *certChain) return DM_OK; } -void AuthGenerateAttest::FreeCertChain(DcmCertChain* chain) +void AuthGenerateAttest::FreeCertChain(DcmCertChain *chain) { if (chain == nullptr) { return; @@ -91,9 +91,11 @@ void AuthGenerateAttest::FreeCertChain(DcmCertChain* chain) for (uint32_t i = 0; i < chain->certCount; ++i) { delete[] chain->cert[i].data; chain->cert[i].data = nullptr; + chain->cert[i].size = 0; } delete[] chain->cert; chain->cert = nullptr; + chain->certCount = 0; delete chain; } 
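Review bot: Dropping `(std::nothrow)` from `new DcmBlob[certChain->certCount]` and `new uint8_t[DM_CERTIFICATE_SIZE]` in `InitCertChain` makes the `== nullptr` branches that follow unreachable, so the rollback loop and the `ERR_DM_MALLOC_FAILED` return never run. Plain `new` reports failure by throwing `std::bad_alloc` (or terminating when exceptions are disabled), not by returning null. The same change is made in `CopyCertificates`, `ConvertDcmCertChainToDmCertChain`, `AllocateHksBlobArray` and `CopySingleCert` later in this patch, and `new char[hexLen]{0}` / `new DmBlob[certCount]{0}` in dm_auth_attest_common.cpp have the same shape. Keep `new (std::nothrow)` wherever the null check is meant to run, which matters most for sizes derived from received data.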
@@ -114,7 +116,7 @@ int32_t CopyCertificates(DcmCertChain& dcmCertChain, DmBlob* newCertArray, uint3 dest.size = src.size; dest.data = nullptr; if (src.size == 0 || src.data == nullptr) continue; - dest.data = new (std::nothrow) uint8_t[src.size]; + dest.data = new uint8_t[src.size]; if (dest.data == nullptr) { allocatedCerts = i; return ERR_DM_MALLOC_FAILED; @@ -143,7 +145,7 @@ int32_t AuthGenerateAttest::ConvertDcmCertChainToDmCertChain(DcmCertChain &dcmCe dmCertChain.certCount = 0; return DM_OK; } - DmBlob* newCertArray = new (std::nothrow) DmBlob[dcmCertChain.certCount]; + DmBlob* newCertArray = new DmBlob[dcmCertChain.certCount]; if (newCertArray == nullptr) { LOGE("Failed to allocate cert array!"); return ERR_DM_MALLOC_FAILED; diff --git a/services/implementation/src/attest/dm_auth_validate_attest.cpp b/services/implementation/src/attest/dm_auth_validate_attest.cpp index 5c871245c..31dae0c02 100644 --- a/services/implementation/src/attest/dm_auth_validate_attest.cpp +++ b/services/implementation/src/attest/dm_auth_validate_attest.cpp @@ -21,7 +21,7 @@ namespace OHOS { namespace DistributedHardware { -int32_t ProcessValidationResult(const char* deviceIdHash, char* udidStr, uint64_t randNum, HksParamSet *outputParam) +int32_t ProcessValidationResult(const char *deviceIdHash, char *udidStr, uint64_t randNum, HksParamSet *outputParam) { uint32_t cnt = 0; HksBlob *blob = &outputParam->params[cnt].blob; @@ -42,7 +42,7 @@ int32_t ProcessValidationResult(const char* deviceIdHash, char* udidStr, uint64_ return DM_OK; } -int32_t AuthValidateAttest::VerifyCertificate(DmCertChain &dmCertChain, const char* deviceIdHash) +int32_t AuthValidateAttest::VerifyCertificate(DmCertChain &dmCertChain, const char *deviceIdHash) { LOGI("VerifyCertificate start!"); char udidStr[UDID_BUF_LEN] = {0}; 
@@ -106,11 +106,13 @@ int32_t AuthValidateAttest::FillHksParamSet(HksParamSet **paramSet, HksParam *pa return DM_OK; } -void AuthValidateAttest::FreeHksCertChain(HksCertChain& chain) +void AuthValidateAttest::FreeHksCertChain(HksCertChain &chain) { if (chain.certs != nullptr) { for (uint32_t i = 0; i < chain.certsCount; ++i) { + chain.certs[i].size = 0; delete[] chain.certs[i].data; + chain.certs[i].data = nullptr; } delete[] chain.certs; chain.certs = nullptr; @@ -118,9 +120,9 @@ void AuthValidateAttest::FreeHksCertChain(HksCertChain& chain) chain.certsCount = 0; } -int32_t AllocateHksBlobArray(uint32_t count, HksBlob** outArray) +int32_t AllocateHksBlobArray(uint32_t count, HksBlob **outArray) { - HksBlob* arr = new (std::nothrow) HksBlob[count]; + HksBlob* arr = new HksBlob[count]; if (arr == nullptr) { LOGE("Alloc failed for certs"); return ERR_DM_MALLOC_FAILED; @@ -137,13 +139,13 @@ int32_t AllocateHksBlobArray(uint32_t count, HksBlob** outArray) return DM_OK; } -int32_t CopySingleCert(const DmBlob& src, HksBlob& dest) +int32_t CopySingleCert(const DmBlob &src, HksBlob &dest) { if (src.data == nullptr || src.size == 0) { LOGE("Invalid src cert"); return ERR_DM_FAILED; } - dest.data = new (std::nothrow) uint8_t[src.size]; + dest.data = new uint8_t[src.size]; if (dest.data == nullptr) { LOGE("Alloc failed for size"); return ERR_DM_MALLOC_FAILED; diff --git a/services/implementation/src/authentication_v2/auth_manager.cpp b/services/implementation/src/authentication_v2/auth_manager.cpp index 46faa16e3..0e9b96b45 100644 --- a/services/implementation/src/authentication_v2/auth_manager.cpp +++ b/services/implementation/src/authentication_v2/auth_manager.cpp 
@@ -626,7 +626,7 @@ int32_t AuthManager::AuthenticateDevice(const std::string &pkgName, int32_t auth std::string GenerateCertificate(std::shared_ptr context_) { #ifdef DEVICE_MANAGER_COMMON_FLAG - context_->isBlueFlag = true; + context_->isCommonFlag = true; LOGI("Blue device do not generate cert!"); return ""; #else diff --git a/services/implementation/src/authentication_v2/auth_stages/auth_negotiate.cpp b/services/implementation/src/authentication_v2/auth_stages/auth_negotiate.cpp index 11c5fa9f9..1678fd99b 100644 --- a/services/implementation/src/authentication_v2/auth_stages/auth_negotiate.cpp +++ b/services/implementation/src/authentication_v2/auth_stages/auth_negotiate.cpp @@ -189,7 +189,7 @@ int32_t VerifyCertificate(std::shared_ptr context) return DM_OK; #else if (!CompareVersion(context->accesser.dmVersion, DM_VERSION_5_1_0) - || !CompareVersion(context->accessee.dmVersion, DM_VERSION_5_1_0) || context->isBlueFlag) { + || !CompareVersion(context->accessee.dmVersion, DM_VERSION_5_1_0) || context->isCommonFlag) { LOGI("cert verify is not supported"); return DM_OK; } diff --git a/services/implementation/src/authentication_v2/dm_auth_manager_base.cpp b/services/implementation/src/authentication_v2/dm_auth_manager_base.cpp index 3519ded5b..f2d4fd466 100644 --- a/services/implementation/src/authentication_v2/dm_auth_manager_base.cpp +++ b/services/implementation/src/authentication_v2/dm_auth_manager_base.cpp @@ -80,7 +80,7 @@ const char* CLOSE_SESSION_TASK_SEPARATOR = "#"; const char* TAG_DM_CERT_CHAIN = "dmCertChain"; const char* TAG_CERT_COUNT = "certCount"; const char* TAG_CERT = "cert"; -const char* TAG_IS_BLUE_FLAG = "isBlueFlag"; +const char* TAG_IS_COMMON_FLAG = "isCommonFlag"; const int32_t AUTHENTICATE_TIMEOUT = 120; const int32_t CONFIRM_TIMEOUT = 60; diff --git a/services/implementation/src/authentication_v2/dm_auth_message_processor.cpp b/services/implementation/src/authentication_v2/dm_auth_message_processor.cpp index 82d7a1312..42ef22125 100644 
--- a/services/implementation/src/authentication_v2/dm_auth_message_processor.cpp +++ b/services/implementation/src/authentication_v2/dm_auth_message_processor.cpp @@ -654,7 +654,7 @@ int32_t DmAuthMessageProcessor::CreateNegotiateMessage(std::shared_ptraccessee.pkgName; jsonObject[TAG_HOST_PKGLABEL] = context->pkgLabel; jsonObject[TAG_DM_CERT_CHAIN] = context->cert; - jsonObject[TAG_IS_BLUE_FLAG] = context->isBlueFlag; + jsonObject[TAG_IS_COMMON_FLAG] = context->isCommonFlag; return DM_OK; } @@ -1043,8 +1043,8 @@ void DmAuthMessageProcessor::ParseUltrasonicSide( if (IsString(jsonObject, TAG_DM_CERT_CHAIN)) { context->cert = jsonObject[TAG_DM_CERT_CHAIN].Get(); } - if (jsonObject[TAG_IS_BLUE_FLAG].IsBoolean()) { - context->isBlueFlag = jsonObject[TAG_IS_BLUE_FLAG].Get(); + if (jsonObject[TAG_IS_COMMON_FLAG].IsBoolean()) { + context->isCommonFlag = jsonObject[TAG_IS_COMMON_FLAG].Get(); } } -- Gitee From f775b6da560d64c82dad64adc8a28f6e182e51e7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=9D=8E=E5=B7=8D?= Date: Sat, 24 May 2025 15:01:30 +0800 Subject: [PATCH 13/16] =?UTF-8?q?=E6=A0=BC=E5=BC=8F=E6=95=B4=E6=94=B9?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 李巍 --- .../src/attest/dm_auth_attest_common.cpp | 8 ++++---- .../src/attest/dm_auth_generate_attest.cpp | 10 +++++----- .../src/attest/dm_auth_validate_attest.cpp | 8 ++++---- 3 files changed, 13 insertions(+), 13 deletions(-) diff --git a/services/implementation/src/attest/dm_auth_attest_common.cpp b/services/implementation/src/attest/dm_auth_attest_common.cpp index aac8a8037..480bdbebc 100644 --- a/services/implementation/src/attest/dm_auth_attest_common.cpp +++ b/services/implementation/src/attest/dm_auth_attest_common.cpp 
@@ -33,12 +33,12 @@ std::string AuthAttestCommon::SerializeDmCertChain(const DmCertChain *chain) jsonObject[TAG_CERT_COUNT] = chain->certCount; JsonObject jsonArrayObj(JsonCreateType::JSON_CREATE_TYPE_ARRAY); for (uint32_t i = 0; i < chain->certCount; ++i) { - const DmBlob& blob = chain->cert[i]; + const DmBlob &blob = chain->cert[i]; if (blob.data == nullptr || blob.size == 0) { return "{}"; } const uint32_t hexLen = blob.size * HEX_TO_UINT8 + 1; // 2*blob.size + 1 - char* hexBuffer = new char[hexLen]{0}; + char *hexBuffer = new char[hexLen]{0}; if (hexBuffer == nullptr) { return "{}"; } @@ -107,14 +107,14 @@ bool AuthAttestCommon::DeserializeDmCertChain(const std::string &data, DmCertCha const uint32_t certCount = jsonObject[TAG_CERT_COUNT].Get(); JsonObject jsonArrayObj(JsonCreateType::JSON_CREATE_TYPE_ARRAY); jsonArrayObj.Parse(jsonObject[TAG_CERT].Dump()); - DmBlob* certs = new DmBlob[certCount]{0}; + DmBlob *certs = new DmBlob[certCount]{0}; if (certs == nullptr) { LOGE("DeserializeDmCertChain: Memory allocation failed for certs array"); return false; } bool success = true; uint32_t processedIndex = 0; - for (const auto& item : jsonArrayObj.Items()) { + for (const auto &item : jsonArrayObj.Items()) { if (!ProcessCertItem(item, certs[processedIndex], processedIndex)) { success = false; break; diff --git a/services/implementation/src/attest/dm_auth_generate_attest.cpp b/services/implementation/src/attest/dm_auth_generate_attest.cpp index 6243cf3a7..3c6cf7ea1 100644 --- a/services/implementation/src/attest/dm_auth_generate_attest.cpp +++ b/services/implementation/src/attest/dm_auth_generate_attest.cpp 
@@ -30,7 +30,7 @@ int32_t AuthGenerateAttest::GenerateCertificate(DmCertChain &dmCertChain) DcmIdType ids[] = { DCM_ID_TYPE_UDID }; uint64_t randomNum = GenRandLongLong(MIN_DCM_RANDOM, MAX_DCM_RANDOM); LOGI("GenerateCertificate randomNum=%{public}lu", randomNum); - DcmBlob challengeBlob = {sizeof(randomNum), (uint8_t *)& randomNum}; + DcmBlob challengeBlob = {sizeof(randomNum), (uint8_t *) &randomNum}; DcmCertChain *dcmCertChain = new DcmCertChain(); if (dcmCertChain == nullptr) { LOGE("new dcmCertChain fail!"); @@ -108,11 +108,11 @@ int32_t ValidateInput(DcmCertChain &dcmCertChain) return DM_OK; } -int32_t CopyCertificates(DcmCertChain& dcmCertChain, DmBlob* newCertArray, uint32_t& allocatedCerts) +int32_t CopyCertificates(DcmCertChain &dcmCertChain, DmBlob *newCertArray, uint32_t &allocatedCerts) { for (uint32_t i = 0; i < dcmCertChain.certCount; ++i) { - const auto& src = dcmCertChain.cert[i]; - auto& dest = newCertArray[i]; + const auto &src = dcmCertChain.cert[i]; + auto &dest = newCertArray[i]; dest.size = src.size; dest.data = nullptr; if (src.size == 0 || src.data == nullptr) continue; @@ -145,7 +145,7 @@ int32_t AuthGenerateAttest::ConvertDcmCertChainToDmCertChain(DcmCertChain &dcmCe dmCertChain.certCount = 0; return DM_OK; } - DmBlob* newCertArray = new DmBlob[dcmCertChain.certCount]; + DmBlob *newCertArray = new DmBlob[dcmCertChain.certCount]; if (newCertArray == nullptr) { LOGE("Failed to allocate cert array!"); return ERR_DM_MALLOC_FAILED; diff --git a/services/implementation/src/attest/dm_auth_validate_attest.cpp b/services/implementation/src/attest/dm_auth_validate_attest.cpp index 31dae0c02..5e0fd3696 100644 --- a/services/implementation/src/attest/dm_auth_validate_attest.cpp +++ b/services/implementation/src/attest/dm_auth_validate_attest.cpp 
@@ -55,7 +55,7 @@ int32_t AuthValidateAttest::VerifyCertificate(DmCertChain &dmCertChain, const ch } HksParamSet *outputParam = NULL; HksParam outputData[] = { - {.tag = HKS_TAG_ATTESTATION_CHALLENGE, .blob = {sizeof(uint64_t), (uint8_t *)&randNum}}, + {.tag = HKS_TAG_ATTESTATION_CHALLENGE, .blob = {sizeof(uint64_t), (uint8_t *) &randNum}}, {.tag = HKS_TAG_ATTESTATION_ID_UDID, .blob = {UDID_BUF_LEN, (uint8_t *)udidStr}}, }; ret = FillHksParamSet(&outputParam, outputData, sizeof(outputData) / sizeof(outputData[0])); @@ -122,13 +122,13 @@ void AuthValidateAttest::FreeHksCertChain(HksCertChain &chain) int32_t AllocateHksBlobArray(uint32_t count, HksBlob **outArray) { - HksBlob* arr = new HksBlob[count]; + HksBlob *arr = new HksBlob[count]; if (arr == nullptr) { LOGE("Alloc failed for certs"); return ERR_DM_MALLOC_FAILED; } - const size_t totalSize = sizeof(HksBlob) * count; + const size_t totalSize = sizeof(HksBlob) *count; if (memset_s(arr, totalSize, 0, totalSize) != 0) { LOGE("memset_s failed"); delete[] arr; @@ -165,7 +165,7 @@ int32_t AuthValidateAttest::ConvertDmCertChainToHksCertChain(DmCertChain &dmCert if (dmCertChain.certCount == 0 || dmCertChain.cert == nullptr) { return ERR_DM_INPUT_PARA_INVALID; } - HksBlob* newCerts = nullptr; + HksBlob *newCerts = nullptr; int32_t ret = AllocateHksBlobArray(dmCertChain.certCount, &newCerts); if (ret != DM_OK) { LOGE("AllocateHksBlobArray fail, ret = %{public}d", ret); -- Gitee From a4e45921e6296cbbcdcb53d0df148f22db8d56ff Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=9D=8E=E5=B7=8D?= Date: Sat, 24 May 2025 15:30:35 +0800 Subject: [PATCH 14/16] =?UTF-8?q?=E6=A0=BC=E5=BC=8F=E6=95=B4=E6=94=B9?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 李巍 --- .../src/attest/dm_auth_generate_attest.cpp | 1 - .../src/attest/dm_auth_validate_attest.cpp | 10 +--------- 2 files changed, 1 insertion(+), 10 deletions(-) 
diff --git a/services/implementation/src/attest/dm_auth_generate_attest.cpp b/services/implementation/src/attest/dm_auth_generate_attest.cpp index 3c6cf7ea1..c0f756ee1 100644 --- a/services/implementation/src/attest/dm_auth_generate_attest.cpp +++ b/services/implementation/src/attest/dm_auth_generate_attest.cpp @@ -29,7 +29,6 @@ int32_t AuthGenerateAttest::GenerateCertificate(DmCertChain &dmCertChain) LOGI("GenerateCertificate Start"); DcmIdType ids[] = { DCM_ID_TYPE_UDID }; uint64_t randomNum = GenRandLongLong(MIN_DCM_RANDOM, MAX_DCM_RANDOM); - LOGI("GenerateCertificate randomNum=%{public}lu", randomNum); DcmBlob challengeBlob = {sizeof(randomNum), (uint8_t *) &randomNum}; DcmCertChain *dcmCertChain = new DcmCertChain(); if (dcmCertChain == nullptr) { diff --git a/services/implementation/src/attest/dm_auth_validate_attest.cpp b/services/implementation/src/attest/dm_auth_validate_attest.cpp index 5e0fd3696..a80adbc10 100644 --- a/services/implementation/src/attest/dm_auth_validate_attest.cpp +++ b/services/implementation/src/attest/dm_auth_validate_attest.cpp @@ -122,19 +122,11 @@ void AuthValidateAttest::FreeHksCertChain(HksCertChain &chain) int32_t AllocateHksBlobArray(uint32_t count, HksBlob **outArray) { - HksBlob *arr = new HksBlob[count]; + HksBlob *arr = new HksBlob[count]{0}; if (arr == nullptr) { LOGE("Alloc failed for certs"); return ERR_DM_MALLOC_FAILED; } - - const size_t totalSize = sizeof(HksBlob) *count; - if (memset_s(arr, totalSize, 0, totalSize) != 0) { - LOGE("memset_s failed"); - delete[] arr; - return ERR_DM_FAILED; - } - *outArray = arr; return DM_OK; } -- Gitee From c90704ca4fdf8ab08963056256c8b948a5da73bc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=9D=8E=E5=B7=8D?= Date: Sun, 25 May 2025 23:29:48 +0800 Subject: [PATCH 15/16] =?UTF-8?q?=E6=A3=80=E8=A7=86=E6=84=8F=E8=A7=81?= =?UTF-8?q?=E4=BF=AE=E6=94=B9?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
Signed-off-by: 李巍 --- .../src/attest/dm_auth_attest_common.cpp | 12 ++++++------ .../src/attest/dm_auth_generate_attest.cpp | 13 +++++++++++-- .../src/attest/dm_auth_validate_attest.cpp | 10 +++++++++- .../src/authentication_v2/auth_manager.cpp | 4 ++++ 4 files changed, 30 insertions(+), 9 deletions(-) diff --git a/services/implementation/src/attest/dm_auth_attest_common.cpp b/services/implementation/src/attest/dm_auth_attest_common.cpp index 480bdbebc..6db2d3d52 100644 --- a/services/implementation/src/attest/dm_auth_attest_common.cpp +++ b/services/implementation/src/attest/dm_auth_attest_common.cpp @@ -59,12 +59,12 @@ bool ValidateInputJson(const std::string &data) JsonObject jsonObject; jsonObject.Parse(data); if (!IsUint32(jsonObject, TAG_CERT_COUNT) || !jsonObject.Contains(TAG_CERT)) { - LOGE("DeserializeDmCertChain: Missing required fields 'certCount' or 'cert'"); + LOGE("Missing required fields 'certCount' or 'cert'"); return false; } const uint32_t certCount = jsonObject[TAG_CERT_COUNT].Get(); if (certCount == 0 || certCount > MAX_CERT_COUNT) { - LOGE("DeserializeDmCertChain: Invalid certCount value %{public}u", certCount); + LOGE("Invalid certCount value %{public}u", certCount); return false; } return true; 
@@ -75,18 +75,18 @@ bool ValidateInputJson(const std::string &data) std::string hexStr = item.Get(); const size_t hexLen = hexStr.length(); if (hexLen == 0 || hexLen % HEX_TO_UINT8 != 0) { - LOGE("DeserializeDmCertChain: Invalid HEX length %{public}zu at index %{public}u", hexLen, processedIndex); + LOGE("Invalid HEX length %{public}zu at index %{public}u", hexLen, processedIndex); return false; } const uint32_t binSize = hexLen / HEX_TO_UINT8; cert.data = new uint8_t[binSize]; if (cert.data == nullptr) { - LOGE("DeserializeDmCertChain: Data allocation failed at index %{public}u", processedIndex); + LOGE("Data allocation failed at index %{public}u", processedIndex); return false; } int32_t ret = Crypto::ConvertHexStringToBytes(cert.data, binSize, hexStr.c_str(), hexLen); if (ret != DM_OK) { - LOGE("DeserializeDmCertChain: HEX conversion failed at index %{public}u, ret = %{public}d", + LOGE("HEX conversion failed at index %{public}u, ret = %{public}d", processedIndex, ret); delete[] cert.data; cert.data = nullptr; @@ -109,7 +109,7 @@ bool AuthAttestCommon::DeserializeDmCertChain(const std::string &data, DmCertCha jsonArrayObj.Parse(jsonObject[TAG_CERT].Dump()); DmBlob *certs = new DmBlob[certCount]{0}; if (certs == nullptr) { - LOGE("DeserializeDmCertChain: Memory allocation failed for certs array"); + LOGE("Memory allocation failed for certs array"); return false; } bool success = true; diff --git a/services/implementation/src/attest/dm_auth_generate_attest.cpp b/services/implementation/src/attest/dm_auth_generate_attest.cpp index c0f756ee1..e62307472 100644 --- a/services/implementation/src/attest/dm_auth_generate_attest.cpp +++ b/services/implementation/src/attest/dm_auth_generate_attest.cpp 
@@ -54,6 +54,10 @@ int32_t AuthGenerateAttest::GenerateCertificate(DmCertChain &dmCertChain) int32_t AuthGenerateAttest::InitCertChain(DcmCertChain *certChain) { + if (certChain == nullptr) { + LOGE("certChain is nullptr."); + return ERR_DM_INPUT_PARA_INVALID; + } LOGI("InitCertChain Start"); certChain->certCount = DM_CERTS_COUNT; certChain->cert = new DcmBlob[certChain->certCount]; @@ -63,7 +67,7 @@ int32_t AuthGenerateAttest::InitCertChain(DcmCertChain *certChain) return ERR_DM_MALLOC_FAILED; } for (uint32_t i = 0; i < certChain->certCount; ++i) { - certChain->cert[i].data = new uint8_t[DM_CERTIFICATE_SIZE]; + certChain->cert[i].data = new uint8_t[DM_CERTIFICATE_SIZE]{0}; if (certChain->cert[i].data == nullptr) { certChain->cert[i].size = 0; for (uint32_t j = 0; j < i; ++j) { @@ -85,6 +89,7 @@ int32_t AuthGenerateAttest::InitCertChain(DcmCertChain *certChain) void AuthGenerateAttest::FreeCertChain(DcmCertChain *chain) { if (chain == nullptr) { + LOGI("chain is nullptr!"); return; } for (uint32_t i = 0; i < chain->certCount; ++i) { @@ -109,13 +114,17 @@ int32_t ValidateInput(DcmCertChain &dcmCertChain) int32_t CopyCertificates(DcmCertChain &dcmCertChain, DmBlob *newCertArray, uint32_t &allocatedCerts) { + if (newCertArray == nullptr || newCertArray->length != dcmCertChain.certCount) { + LOGE("newCertArray is invalid param."); + return ERR_DM_INPUT_PARA_INVALID; + } for (uint32_t i = 0; i < dcmCertChain.certCount; ++i) { const auto &src = dcmCertChain.cert[i]; auto &dest = newCertArray[i]; dest.size = src.size; dest.data = nullptr; if (src.size == 0 || src.data == nullptr) continue; - dest.data = new uint8_t[src.size]; + dest.data = new uint8_t[src.size]{0}; if (dest.data == nullptr) { allocatedCerts = i; return ERR_DM_MALLOC_FAILED; diff --git a/services/implementation/src/attest/dm_auth_validate_attest.cpp b/services/implementation/src/attest/dm_auth_validate_attest.cpp index a80adbc10..7b727b1ca 100644 
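Review bot: The added guard `newCertArray->length != dcmCertChain.certCount` in CopyCertificates reads a member named `length`, while every other use of DmBlob in this series touches only `size` and `data`, so this probably does not compile (the struct definition is outside this view). Even if the member exists, the guard compares a property of the first blob with the chain's certificate count, which are unrelated quantities. The array apparently comes straight from `new DmBlob[dcmCertChain.certCount]` in ConvertDcmCertChainToDmCertChain, so its elements are still uninitialized when the guard reads them. Reduce it to `if (newCertArray == nullptr) {`; the element count is already fixed by the caller's allocation.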
--- a/services/implementation/src/attest/dm_auth_validate_attest.cpp +++ b/services/implementation/src/attest/dm_auth_validate_attest.cpp @@ -23,6 +23,10 @@ namespace DistributedHardware { int32_t ProcessValidationResult(const char *deviceIdHash, char *udidStr, uint64_t randNum, HksParamSet *outputParam) { + if (deviceIdHash == nullptr || udidStr == nullptr || outputParam == nullptr) { + LOGE("input param is nullptr."); + return ERR_DM_INPUT_PARA_INVALID; + } uint32_t cnt = 0; HksBlob *blob = &outputParam->params[cnt].blob; if (memcpy_s(&randNum, sizeof(uint64_t), blob->data, blob->size) != EOK) { @@ -44,6 +48,10 @@ int32_t ProcessValidationResult(const char *deviceIdHash, char *udidStr, uint64_ int32_t AuthValidateAttest::VerifyCertificate(DmCertChain &dmCertChain, const char *deviceIdHash) { + if (deviceIdHash == nullptr) { + LOGE("deviceIdHash is nullptr."); + return ERR_DM_INPUT_PARA_INVALID; + } LOGI("VerifyCertificate start!"); char udidStr[UDID_BUF_LEN] = {0}; uint64_t randNum = 0; @@ -137,7 +145,7 @@ int32_t CopySingleCert(const DmBlob &src, HksBlob &dest) LOGE("Invalid src cert"); return ERR_DM_FAILED; } - dest.data = new uint8_t[src.size]; + dest.data = new uint8_t[src.size]{0}; if (dest.data == nullptr) { LOGE("Alloc failed for size"); return ERR_DM_MALLOC_FAILED; diff --git a/services/implementation/src/authentication_v2/auth_manager.cpp b/services/implementation/src/authentication_v2/auth_manager.cpp index 0e9b96b45..459262261 100644 --- a/services/implementation/src/authentication_v2/auth_manager.cpp +++ b/services/implementation/src/authentication_v2/auth_manager.cpp @@ -626,6 +626,10 @@ int32_t AuthManager::AuthenticateDevice(const std::string &pkgName, int32_t auth std::string GenerateCertificate(std::shared_ptr context_) { #ifdef DEVICE_MANAGER_COMMON_FLAG + if (context_ == nullptr) { + LOGE("context_ is nullptr!"); + return ERR_DM_INPUT_PARA_INVALID; + } context_->isCommonFlag = true; LOGI("Blue device do not generate cert!"); return ""; -- Gitee 
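Review bot: `return ERR_DM_INPUT_PARA_INVALID;` in the null check added to GenerateCertificate returns an integer error code from a function declared to return `std::string`. The line sits inside `#ifdef DEVICE_MANAGER_COMMON_FLAG`, so a default build never compiles it and the mismatch only shows up in the common-device configuration. Return an empty string as the branch already does two lines later, `return "";`, and let the LOGE carry the reason. The `#else` branch of the function lies outside this hunk.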
From 6ba6ab164c713ab63d6267f482c61f2d5060d444 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=9D=8E=E5=B7=8D?= Date: Sun, 25 May 2025 23:58:11 +0800 Subject: [PATCH 16/16] =?UTF-8?q?=E8=AF=81=E4=B9=A6=E4=BD=8D=E7=BD=AE?= =?UTF-8?q?=E6=95=B4=E6=94=B9?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 李巍 --- .../authentication_v2/dm_auth_context.h | 4 +-- .../dm_auth_message_processor.h | 1 + .../src/authentication_v2/auth_manager.cpp | 4 +-- .../auth_stages/auth_negotiate.cpp | 28 +++++++++++-------- .../dm_auth_message_processor.cpp | 28 ++++++++++--------- 5 files changed, 36 insertions(+), 29 deletions(-) diff --git a/services/implementation/include/authentication_v2/dm_auth_context.h b/services/implementation/include/authentication_v2/dm_auth_context.h index 5f362a5a5..faf47baa2 100644 --- a/services/implementation/include/authentication_v2/dm_auth_context.h +++ b/services/implementation/include/authentication_v2/dm_auth_context.h @@ -171,6 +171,8 @@ struct DmAccess { std::string oldBundleName; // construct for old version compatible end std::string extraInfo; // Expandable field, JSON format, KV structure + std::string cert; + bool isCommonFlag{false}; }; struct DmAuthContext { @@ -217,8 +219,6 @@ struct DmAuthContext { DmAccess accesser; DmAccess accessee; std::multimap proxy; // Multimap where the key is the accessor and the value is the accesssee - std::string cert; - bool isCommonFlag{false}; std::shared_ptr authStateMachine; std::shared_ptr authUiStateMgr; diff --git a/services/implementation/include/authentication_v2/dm_auth_message_processor.h b/services/implementation/include/authentication_v2/dm_auth_message_processor.h index 88dbc2f8f..0183ac559 100644 --- a/services/implementation/include/authentication_v2/dm_auth_message_processor.h +++ b/services/implementation/include/authentication_v2/dm_auth_message_processor.h 
@@ -321,6 +321,7 @@ private: bool CheckAccessValidityAndAssign(std::shared_ptr &context, DmAccess &access, DmAccess &accessTmp); void ParseUltrasonicSide(const JsonObject &jsonObject, std::shared_ptr context); + void ParseCert(const JsonObject &jsonObject, std::shared_ptr context); std::shared_ptr cryptoMgr_ = nullptr; std::unordered_map createMessageFuncMap_; std::unordered_map paraseMessageFuncMap_; diff --git a/services/implementation/src/authentication_v2/auth_manager.cpp b/services/implementation/src/authentication_v2/auth_manager.cpp index 459262261..21d9563fa 100644 --- a/services/implementation/src/authentication_v2/auth_manager.cpp +++ b/services/implementation/src/authentication_v2/auth_manager.cpp @@ -630,7 +630,7 @@ std::string GenerateCertificate(std::shared_ptr context_) LOGE("context_ is nullptr!"); return ERR_DM_INPUT_PARA_INVALID; } - context_->isCommonFlag = true; + context_->accesser.isCommonFlag = true; LOGI("Blue device do not generate cert!"); return ""; #else @@ -686,7 +686,7 @@ int32_t AuthManager::BindTarget(const std::string &pkgName, const PeerTargetId & return ERR_DM_INPUT_PARA_INVALID; } - context_->cert = GenerateCertificate(context_); + context_->accesser.cert = GenerateCertificate(context_); context_->sessionId = sessionId; context_->logicalSessionId = logicalSessionId; context_->requestId = static_cast(logicalSessionId); diff --git a/services/implementation/src/authentication_v2/auth_stages/auth_negotiate.cpp b/services/implementation/src/authentication_v2/auth_stages/auth_negotiate.cpp index 1678fd99b..1eb1df5d2 100644 --- a/services/implementation/src/authentication_v2/auth_stages/auth_negotiate.cpp +++ b/services/implementation/src/authentication_v2/auth_stages/auth_negotiate.cpp 
@@ -188,13 +188,19 @@ int32_t VerifyCertificate(std::shared_ptr context) LOGI("Blue device do not verify cert!"); return DM_OK; #else - if (!CompareVersion(context->accesser.dmVersion, DM_VERSION_5_1_0) - || !CompareVersion(context->accessee.dmVersion, DM_VERSION_5_1_0) || context->isCommonFlag) { - LOGI("cert verify is not supported"); - return DM_OK; + if (!CompareVersion(context->accesser.dmVersion, DM_VERSION_5_1_0)) { + LOGI("cert verify is not supported"); + return DM_OK; + } + if (CompareVersion(context->accesser.dmVersion, DM_VERSION_5_1_0) + && context->accesser.isCommonFlag == true) { + LOGI("src is common device."); + // 不校验证书,设置对端设备安全等级为0 + return DM_OK; } DmCertChain dmCertChain{nullptr, 0}; - if (!AuthAttestCommon::GetInstance().DeserializeDmCertChain(context->cert, &dmCertChain)) { + if (!AuthAttestCommon::GetInstance() + .DeserializeDmCertChain(context->accesser.cert, &dmCertChain)) { LOGE("cert deserialize fail!"); return ERR_DM_DESERIAL_CERT_FAILED; } @@ -211,7 +217,6 @@ int32_t VerifyCertificate(std::shared_ptr context) int32_t AuthSinkNegotiateStateMachine::Action(std::shared_ptr context) { LOGI("AuthSinkNegotiateStateMachine::Action sessionid %{public}d", context->sessionId); - // 1. Create an authorization timer if (context->timer != nullptr) { context->timer->StartTimer(std::string(AUTHENTICATE_TIMEOUT_TASK), @@ -220,7 +225,6 @@ int32_t AuthSinkNegotiateStateMachine::Action(std::shared_ptr con DmAuthState::HandleAuthenticateTimeout(context, name); }); } - // To be compatible with historical versions, use ConvertSrcVersion to get the actual version on the source side. std::string preVersion = std::string(DM_VERSION_5_0_OLD_MAX); LOGI("AuthSinkNegotiateStateMachine::Action start version compare %{public}s to %{public}s", 
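Review bot: Both early `return DM_OK` branches in VerifyCertificate are decided by `context->accesser.dmVersion` and `context->accesser.isCommonFlag`, values the sink fills from the source's own negotiate message (ParseNegotiateMessage and ParseCert in dm_auth_message_processor.cpp). Attestation is therefore skipped on the word of the peer that has not yet been verified. The comment in the second branch says the peer's security level should be set to 0, but nothing is recorded before returning. Store the downgraded state in the context before `return DM_OK` (for example `context->accesser.<securityLevelField> = 0;`, where the field name is a placeholder) so later stages can apply policy to unattested peers. The second condition also repeats the `CompareVersion` test that the first branch has already passed, so `if (context->accesser.isCommonFlag) {` is enough; the function starts and ends outside this hunk.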
@@ -230,16 +234,16 @@ int32_t AuthSinkNegotiateStateMachine::Action(std::shared_ptr con context->reason = ERR_DM_VERSION_INCOMPATIBLE; return ERR_DM_VERSION_INCOMPATIBLE; } - - int32_t ret = ProcRespNegotiate5_1_0(context); + // verify cert + int32_t ret = VerifyCertificate(context); if (ret != DM_OK) { - LOGE("AuthSinkNegotiateStateMachine::Action proc response negotiate failed"); + LOGE("AuthSinkNegotiateStateMachine::Action cert verify fail!"); context->reason = ret; return ret; } - ret = VerifyCertificate(context); + ret = ProcRespNegotiate5_1_0(context); if (ret != DM_OK) { - LOGE("AuthSinkNegotiateStateMachine::Action cert verify fail!"); + LOGE("AuthSinkNegotiateStateMachine::Action proc response negotiate failed"); context->reason = ret; return ret; } diff --git a/services/implementation/src/authentication_v2/dm_auth_message_processor.cpp b/services/implementation/src/authentication_v2/dm_auth_message_processor.cpp index 42ef22125..c9b3821ab 100644 --- a/services/implementation/src/authentication_v2/dm_auth_message_processor.cpp +++ b/services/implementation/src/authentication_v2/dm_auth_message_processor.cpp @@ -647,14 +647,15 @@ int32_t DmAuthMessageProcessor::CreateNegotiateMessage(std::shared_ptraccesser.tokenIdHash; jsonObject[TAG_BUNDLE_NAME_V2] = context->accesser.bundleName; jsonObject[TAG_EXTRA_INFO] = context->accesser.extraInfo; + jsonObject[TAG_IS_COMMON_FLAG] = context->accesser.isCommonFlag; + jsonObject[TAG_DM_CERT_CHAIN] = context->accesser.cert; jsonObject[TAG_PEER_BUNDLE_NAME_V2] = context->accessee.bundleName; jsonObject[TAG_ULTRASONIC_SIDE] = static_cast(context->ultrasonicInfo); jsonObject[TAG_PEER_DISPLAY_ID] = context->accessee.displayId; jsonObject[TAG_PEER_PKG_NAME] = context->accessee.pkgName; jsonObject[TAG_HOST_PKGLABEL] = context->pkgLabel; - jsonObject[TAG_DM_CERT_CHAIN] = context->cert; - jsonObject[TAG_IS_COMMON_FLAG] = context->isCommonFlag; + return DM_OK; } 
@@ -976,17 +977,14 @@ int32_t DmAuthMessageProcessor::ParseNegotiateMessage( context->logicalSessionId = jsonObject[DM_TAG_LOGICAL_SESSION_ID].Get(); context->requestId = static_cast(context->logicalSessionId); } - if (jsonObject[TAG_PKG_NAME].IsString()) { context->pkgName = jsonObject[TAG_PKG_NAME].Get(); context->accesser.pkgName = context->pkgName; context->accessee.pkgName = context->accesser.pkgName; } - if (jsonObject[TAG_PEER_PKG_NAME].IsString()) { context->accessee.pkgName = jsonObject[TAG_PEER_PKG_NAME].Get(); } - if (jsonObject[TAG_DM_VERSION_V2].IsString()) { context->accesser.dmVersion = jsonObject[TAG_DM_VERSION_V2].Get(); } @@ -1005,7 +1003,6 @@ int32_t DmAuthMessageProcessor::ParseNegotiateMessage( if (jsonObject[TAG_BUNDLE_NAME_V2].IsString()) { context->accesser.bundleName = jsonObject[TAG_BUNDLE_NAME_V2].Get(); } - if (jsonObject[TAG_EXTRA_INFO].IsString()) { context->accesser.extraInfo = jsonObject[TAG_EXTRA_INFO].Get(); } @@ -1020,11 +1017,22 @@ int32_t DmAuthMessageProcessor::ParseNegotiateMessage( context->pkgLabel = jsonObject[TAG_HOST_PKGLABEL].Get(); } ParseUltrasonicSide(jsonObject, context); - + ParseCert(jsonObject, context); context->authStateMachine->TransitionTo(std::make_shared()); return DM_OK; } +void DmAuthMessageProcessor::ParseCert(const JsonObject &jsonObject, + std::shared_ptr context) +{ + if (jsonObject[TAG_DM_CERT_CHAIN].IsString()) { + context->accesser.cert = jsonObject[TAG_DM_CERT_CHAIN].Get(); + } + if (jsonObject[TAG_IS_COMMON_FLAG].IsBoolean()) { + context->accesser.isCommonFlag = jsonObject[TAG_IS_COMMON_FLAG].Get(); + } +} + void DmAuthMessageProcessor::ParseUltrasonicSide( const JsonObject &jsonObject, std::shared_ptr context) { 
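Review bot: ParseCert copies `jsonObject[TAG_DM_CERT_CHAIN]` from the peer's negotiate message into `context->accesser.cert` with no length limit. ProcessCertItem in dm_auth_attest_common.cpp later allocates `hexLen / HEX_TO_UINT8` bytes per entry after checking only that the length is non-zero and even. ValidateInputJson bounds `certCount` with MAX_CERT_COUNT, but nothing visible bounds the size of each certificate; the transport may cap the message, which this view does not show. Reject oversized input before allocating, either here or with a check in ProcessCertItem such as `if (binSize > DM_CERTIFICATE_SIZE) { return false; }`, assuming the constant InitCertChain uses is visible in that file. ParseCert would also benefit from a comment above it stating that both fields are unverified peer input.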
@@ -1040,12 +1048,6 @@ void DmAuthMessageProcessor::ParseUltrasonicSide( } else { context->ultrasonicInfo = DmUltrasonicInfo::DM_Ultrasonic_Invalid; } - if (IsString(jsonObject, TAG_DM_CERT_CHAIN)) { - context->cert = jsonObject[TAG_DM_CERT_CHAIN].Get(); - } - if (jsonObject[TAG_IS_COMMON_FLAG].IsBoolean()) { - context->isCommonFlag = jsonObject[TAG_IS_COMMON_FLAG].Get(); - } } int32_t DmAuthMessageProcessor::ParseMessageRespAclNegotiate(const JsonObject &jsonObject, -- Gitee