diff --git a/bundle.json b/bundle.json index d3739da58f55fbd32c31ffcc402536d3cbcf3549..aee20468fc6b1cf0d8f7bd5b4e718fdfa40ba301 100644 --- a/bundle.json +++ b/bundle.json @@ -37,7 +37,6 @@ "common_event_service", "data_share", "device_auth", - "device_certificate_manager", "device_info_manager", "dsoftbus", "eventhandler", @@ -46,7 +45,6 @@ "hisysevent", "hitrace", "hilog", - "huks", "init", "ipc", "json", diff --git a/common/include/dm_cert.h b/common/include/dm_cert.h new file mode 100644 index 0000000000000000000000000000000000000000..5080ef8603a258794371a09acfc78e9ec7267d47 --- /dev/null +++ b/common/include/dm_cert.h @@ -0,0 +1,42 @@ +/* + * Copyright (c) 2025 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + + +#ifndef OHOS_DM_CERT_H +#define OHOS_DM_CERT_H + +#define DM_CERTS_COUNT 4 +#define UDID_BUF_LEN 65 +#define DM_CERTIFICATE_SIZE 8192 + +#include +#include + +#include "dm_random.h" + +namespace OHOS { +namespace DistributedHardware { +typedef struct DmBlob { + uint32_t size; + uint8_t *data; +} DmBlob; + +typedef struct DmCertChain { + DmBlob *cert; + uint32_t certCount; +} DmCertChain; +} // namespace DistributedHardware +} // namespace OHOS +#endif //OHOS_DM_CERT_H \ No newline at end of file diff --git a/services/implementation/include/attest/dm_auth_generate_attest.h b/common/include/i_dm_auth_cert_ext.h similarity index 53% rename from services/implementation/include/attest/dm_auth_generate_attest.h rename to common/include/i_dm_auth_cert_ext.h index b78ce8bd8bcb15e5e3139a1ab29a16fb929decd7..fafda279c421563357281076ee117c98e5f000f8 100644 --- a/services/implementation/include/attest/dm_auth_generate_attest.h +++ b/common/include/i_dm_auth_cert_ext.h @@ -13,29 +13,21 @@ * limitations under the License. */ -#ifndef OHOS_DM_AUTH_GENERATE_ATTEST_H -#define OHOS_DM_AUTH_GENERATE_ATTEST_H +#ifndef OHOS_I_DM_AUTH_CERT_EXT_H +#define OHOS_I_DM_AUTH_CERT_EXT_H -#include "dm_auth_attest_common.h" - -#include "dcm_api.h" -#include "dcm_type.h" +#include "dm_cert.h" namespace OHOS { namespace DistributedHardware { -class AuthGenerateAttest { +class IDMAuthCertExt { public: - static AuthGenerateAttest &GetInstance(void) - { - static AuthGenerateAttest instance; - return instance; - } - - int32_t GenerateCertificate(DmCertChain &dmCertChain); - int32_t ConvertDcmCertChainToDmCertChain(const DcmCertChain &dcmCertChain, DmCertChain &dmCertChain); - int32_t InitCertChain(DcmCertChain *certChain); - void FreeCertChain(DcmCertChain *chain); + virtual ~IDMAuthCertExt() = default; + virtual int32_t GenerateCertificate(DmCertChain &dmCertChain) = 0; + virtual int32_t VerifyCertificate(const DmCertChain &dmCertChain, const char *deviceIdHash) = 0; }; + +using CreateDMAuthCertFuncPtr = IDMAuthCertExt *(*)(void); } // namespace DistributedHardware } // namespace OHOS -#endif // OHOS_DM_AUTH_GENERATE_ATTEST_H \ No newline at end of file +#endif // OHOS_I_DM_AUTH_CERT_EXT_H \ No newline at end of file diff --git a/commondependency/include/deviceprofile_connector.h b/commondependency/include/deviceprofile_connector.h index 81505fbd3ff46e06c644826bd687590409470ebc..f68ca375e1368e38578e20b6997377b00ec63e08 100644 --- a/commondependency/include/deviceprofile_connector.h +++ b/commondependency/include/deviceprofile_connector.h @@ -291,7 +291,7 @@ public: std::map> &aclMap, std::string dmVersion = ""); void GenerateAclHash(DistributedDeviceProfile::AccessControlProfile &acl, std::map> &aclMap, const std::string &dmVersion); - DM_EXPORT int32_t checkIsSameAccountByUdidHash(const std::string &udidHash); + DM_EXPORT int32_t CheckIsSameAccountByUdidHash(const std::string &udidHash); DM_EXPORT int32_t GetAclListHashStr(const DevUserInfo &localDevUserInfo, const DevUserInfo &remoteDevUserInfo, std::string &aclListHash, std::string dmVersion = ""); DM_EXPORT bool IsLnnAcl(const DistributedDeviceProfile::AccessControlProfile &profile); diff --git a/commondependency/src/deviceprofile_connector.cpp b/commondependency/src/deviceprofile_connector.cpp index ea886490e0157eed399d1881a8147a0a4076fa08..30a00a769bb6d05de01dfec662567ca8e686e119 100644 --- a/commondependency/src/deviceprofile_connector.cpp +++ b/commondependency/src/deviceprofile_connector.cpp @@ -1615,7 +1615,7 @@ DM_EXPORT int32_t DeviceProfileConnector::IsSameAccount(const std::string &udid) return ERR_DM_FAILED; } -DM_EXPORT int32_t DeviceProfileConnector::checkIsSameAccountByUdidHash(const std::string &udidHash) +DM_EXPORT int32_t DeviceProfileConnector::CheckIsSameAccountByUdidHash(const std::string &udidHash) { if (udidHash.empty()) { LOGE("udidHash is empty!"); diff --git a/services/implementation/BUILD.gn b/services/implementation/BUILD.gn index a0acf9c811cae459e920f53b6d66ecaa931f3cd0..d8c4ef70779e81246b3cf7d5ae72dd0c60b8ed59 100644 --- a/services/implementation/BUILD.gn +++ b/services/implementation/BUILD.gn @@ -178,6 +178,8 @@ if (defined(ohos_lite)) { "src/ability/standard/dm_ability_manager.cpp", "src/ability/standard/dm_dialog_manager.cpp", "src/adapter/standard/dm_adapter_manager.cpp", + "src/attest/dm_auth_attest_common.cpp", + "src/attest/dm_auth_cert.cpp", "src/authentication/auth_message_processor.cpp", "src/authentication/auth_request_state.cpp", "src/authentication/auth_response_state.cpp", @@ -272,18 +274,6 @@ if (defined(ohos_lite)) { external_deps += [ "spatial_awareness:spatial_awareness_client" ] } - if (!device_manager_common) { - sources += [ - "src/attest/dm_auth_attest_common.cpp", - "src/attest/dm_auth_generate_attest.cpp", - "src/attest/dm_auth_validate_attest.cpp", - ] - external_deps += [ - "device_certificate_manager:device_cert_mgr_sdk", - "huks:libhukssdk", - ] - } - subsystem_name = "distributedhardware" part_name = "device_manager" diff --git a/services/implementation/include/attest/dm_auth_attest_common.h b/services/implementation/include/attest/dm_auth_attest_common.h index 49a635ada3b889e41d147d0ff3a318abe7e429e5..00c9499309dfc475b0f2797ad5bc16e74e4fa43b 100644 --- a/services/implementation/include/attest/dm_auth_attest_common.h +++ b/services/implementation/include/attest/dm_auth_attest_common.h @@ -25,23 +25,13 @@ #include "dm_anonymous.h" #include "dm_auth_manager_base.h" +#include "dm_cert.h" #include "dm_crypto.h" #include "dm_random.h" #include "json_object.h" namespace OHOS { namespace DistributedHardware { - -typedef struct DmBlob { - uint32_t size; - uint8_t *data; -} DmBlob; - -typedef struct DmCertChain { - DmBlob *cert; - uint32_t certCount; -} DmCertChain; - class AuthAttestCommon { public: static AuthAttestCommon &GetInstance(void) @@ -52,7 +42,10 @@ public: std::string SerializeDmCertChain(const DmCertChain *chain); bool DeserializeDmCertChain(const std::string &data, DmCertChain *outChain); - void FreeCertChain(DmCertChain *chain); + void FreeDmCertChain(DmCertChain &chain); +private: + AuthAttestCommon(); + ~AuthAttestCommon(); }; } // namespace DistributedHardware } // namespace OHOS diff --git a/services/implementation/include/attest/dm_auth_validate_attest.h b/services/implementation/include/attest/dm_auth_cert.h similarity index 48% rename from services/implementation/include/attest/dm_auth_validate_attest.h rename to services/implementation/include/attest/dm_auth_cert.h index 997f58cf88753a9ad2c0f735d5b908fb6246cc87..8891398616c2f3e87d5ce5dacda580dfb4aab098 100644 --- a/services/implementation/include/attest/dm_auth_validate_attest.h +++ b/services/implementation/include/attest/dm_auth_cert.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2025 Huawei Device Co., Ltd. +* Copyright (c) 2025 Huawei Device Co., Ltd. * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at @@ -13,30 +13,43 @@ * limitations under the License. */ -#ifndef OHOS_DM_AUTH_VALIDATE_ATTEST_H -#define OHOS_DM_AUTH_VALIDATE_ATTEST_H +#ifndef OHOS_DM_AUTH_CERT_H +#define OHOS_DM_AUTH_CERT_H -#include "dm_auth_attest_common.h" +#include -#include "hks_api.h" -#include "hks_param.h" -#include "hks_type.h" +#include "dm_cert.h" +#include "i_dm_auth_cert_ext.h" +#if defined(__LITEOS_M__) +#include "dm_mutex.h" +#else +#include +#endif namespace OHOS { namespace DistributedHardware { -class AuthValidateAttest { +class AuthCert { public: - static AuthValidateAttest &GetInstance(void) + static AuthCert &GetInstance(void) { - static AuthValidateAttest instance; + static AuthCert instance; return instance; } - int32_t VerifyCertificate(const DmCertChain &dmCertChain, const char *deviceUdid); - int32_t ConvertDmCertChainToHksCertChain(const DmCertChain &dmCertChain, HksCertChain &hksCertChain); - int32_t FillHksParamSet(struct HksParamSet **paramSet, struct HksParam *param, int32_t paramNums); - void FreeHksCertChain(HksCertChain &chain); + int32_t GenerateCertificate(DmCertChain &dmCertChain); + int32_t VerifyCertificate(const DmCertChain &dmCertChain, const char *deviceIdHash); + +private: + AuthCert(); + ~AuthCert(); + bool IsDMAdapterAuthCertLoaded(); + + bool isAdapterAuthCertSoLoaded_ = false; + void *authCertSoHandle_ = nullptr; + std::mutex isAdapterAuthCertLoadedLock_; + std::shared_ptr dmAuthCertExt_; }; -} // namespace DistributedHardware -} // namespace OHOS -#endif // OHOS_DM_AUTH_VALIDATE_ATTEST_H \ No newline at end of file +} // namespace DistributedHardware +} // namespace OHOS + +#endif // OHOS_DM_AUTH_CERT_H \ No newline at end of file diff --git a/services/implementation/src/attest/dm_auth_attest_common.cpp b/services/implementation/src/attest/dm_auth_attest_common.cpp index 3dc79bf54f3b43de2b5c5031d3f8c6b8384671b9..50a43b60af2ceefb13bc0c9bc0628d0de1ce50c9 100644 --- a/services/implementation/src/attest/dm_auth_attest_common.cpp +++ b/services/implementation/src/attest/dm_auth_attest_common.cpp @@ -21,12 +21,23 @@ namespace OHOS { namespace DistributedHardware { -const int32_t MAX_CERT_COUNT = 1024; +const int32_t MAX_CERT_COUNT = 100; constexpr int32_t HEX_TO_UINT8 = 2; +AuthAttestCommon::AuthAttestCommon() +{ + LOGD("AuthAttestCommon constructor"); +} + +AuthAttestCommon::~AuthAttestCommon() +{ + LOGD("AuthAttestCommon destructor"); +} + std::string AuthAttestCommon::SerializeDmCertChain(const DmCertChain *chain) { - if (chain == nullptr || chain->cert == nullptr || chain->certCount == 0) { + if (chain == nullptr || chain->cert == nullptr || chain->certCount == 0 || chain->certCount > MAX_CERT_COUNT) { + LOGE("input param is invalid."); return "{}"; } JsonObject jsonObject; @@ -35,15 +46,18 @@ std::string AuthAttestCommon::SerializeDmCertChain(const DmCertChain *chain) for (uint32_t i = 0; i < chain->certCount; ++i) { const DmBlob &blob = chain->cert[i]; if (blob.data == nullptr || blob.size == 0) { + LOGE("blob data or size is empty."); return "{}"; } const uint32_t hexLen = blob.size * HEX_TO_UINT8 + 1; // 2*blob.size + 1 char *hexBuffer = new char[hexLen]{0}; if (hexBuffer == nullptr) { + LOGE("hexBuffer malloc failed."); return "{}"; } int32_t ret = Crypto::ConvertBytesToHexString(hexBuffer, hexLen, blob.data, blob.size); if (ret != DM_OK) { + LOGE("ConvertBytesToHexString failed."); delete[] hexBuffer; return "{}"; } @@ -145,21 +159,18 @@ bool AuthAttestCommon::DeserializeDmCertChain(const std::string &data, DmCertCha return true; } -void AuthAttestCommon::FreeCertChain(DmCertChain *chain) +void AuthAttestCommon::FreeDmCertChain(DmCertChain &chain) { - if (chain == nullptr) { - LOGI("chain is nullptr!"); - return; - } - for (uint32_t i = 0; i < chain->certCount; ++i) { - delete[] chain->cert[i].data; - chain->cert[i].data = nullptr; - chain->cert[i].size = 0; + if (chain.cert != nullptr) { + for (uint32_t i = 0; i < chain.certCount; ++i) { + delete[] chain.cert[i].data; + chain.cert[i].data = nullptr; + chain.cert[i].size = 0; + } + delete[] chain.cert; + chain.cert = nullptr; + chain.certCount = 0; } - delete[] chain->cert; - chain->cert = nullptr; - chain->certCount = 0; - delete chain; } } // namespace DistributedHardware } // namespace OHOS \ No newline at end of file diff --git a/services/implementation/src/attest/dm_auth_cert.cpp b/services/implementation/src/attest/dm_auth_cert.cpp new file mode 100644 index 0000000000000000000000000000000000000000..1587ae6bc362b6fd00d7d5ca6086155d3ce301b1 --- /dev/null +++ b/services/implementation/src/attest/dm_auth_cert.cpp @@ -0,0 +1,90 @@ +/* +* Copyright (c) 2025 Huawei Device Co., Ltd. +* Licensed under the Apache License, Version 2.0 (the "License"); +* you may not use this file except in compliance with the License. +* You may obtain a copy of the License at +* +* http://www.apache.org/licenses/LICENSE-2.0 +* +* Unless required by applicable law or agreed to in writing, software +* distributed under the License is distributed on an "AS IS" BASIS, +* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +* See the License for the specific language governing permissions and +* limitations under the License. +*/ + +#include "dm_auth_cert.h" + +#include "dm_error_type.h" +#include "dm_log.h" + +namespace OHOS { +namespace DistributedHardware { + +constexpr const char* LIB_DM_AUTH_CERT = "libdm_auth_cert.z.so"; + +AuthCert::AuthCert() +{ + LOGD("AuthCert AuthCert"); +} + +AuthCert::~AuthCert() +{ + LOGD("AuthCert destructor"); +} + +bool AuthCert::IsDMAdapterAuthCertLoaded() +{ + LOGI("Start."); + std::lock_guard lock(isAdapterAuthCertLoadedLock_); + if (isAdapterAuthCertSoLoaded_ && (dmAuthCertExt_ != nullptr)) { + return true; + } + authCertSoHandle_ = dlopen(LIB_DM_AUTH_CERT, RTLD_NOW | RTLD_NODELETE | RTLD_NOLOAD); + char *error = dlerror(); + if (error != nullptr) { + LOGE("dlopen failed, err: %{public}s", error); + } + if (authCertSoHandle_ == nullptr) { + authCertSoHandle_ = dlopen(LIB_DM_AUTH_CERT, RTLD_NOW | RTLD_NODELETE); + error = dlerror(); + if (error != nullptr) { + LOGE("dlopen failed again! err: %{public}s", error); + } + } + if (authCertSoHandle_ == nullptr) { + LOGE("load dm check api white list so failed."); + return false; + } + auto func = (CreateDMAuthCertFuncPtr)dlsym(authCertSoHandle_, "CreateDMAuthCertExtObject"); + if (func == nullptr || dlerror() != nullptr) { + dlclose(authCertSoHandle_); + authCertSoHandle_ = nullptr; + LOGE("Create object function is not exist. err: %{public}s", (dlerror() == nullptr ? "null" : dlerror())); + return false; + } + dmAuthCertExt_ = std::shared_ptr(func()); + isAdapterAuthCertSoLoaded_ = true; + LOGI("Success."); + return true; +} + +int32_t AuthCert::GenerateCertificate(DmCertChain &dmCertChain) +{ + if (!IsDMAdapterAuthCertLoaded()) { + LOGE("authCertSo load failed!"); + return ERR_DM_FAILED; + } + return dmAuthCertExt_->GenerateCertificate(dmCertChain); +} + +int32_t AuthCert::VerifyCertificate(const DmCertChain &dmCertChain, const char *deviceIdHash) +{ + if (!IsDMAdapterAuthCertLoaded()) { + LOGE("authCertSo load failed!"); + return ERR_DM_FAILED; + } + return dmAuthCertExt_->VerifyCertificate(dmCertChain, deviceIdHash); +} +} // namespace DistributedHardware +} // namespace OHOS \ No newline at end of file diff --git a/services/implementation/src/attest/dm_auth_generate_attest.cpp b/services/implementation/src/attest/dm_auth_generate_attest.cpp deleted file mode 100644 index 96842a5b2ff60b2effdaa548eb5465a631f98907..0000000000000000000000000000000000000000 --- a/services/implementation/src/attest/dm_auth_generate_attest.cpp +++ /dev/null @@ -1,180 +0,0 @@ -/* -* Copyright (c) 2025 Huawei Device Co., Ltd. -* Licensed under the Apache License, Version 2.0 (the "License"); -* you may not use this file except in compliance with the License. -* You may obtain a copy of the License at -* -* http://www.apache.org/licenses/LICENSE-2.0 -* -* Unless required by applicable law or agreed to in writing, software -* distributed under the License is distributed on an "AS IS" BASIS, -* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -* See the License for the specific language governing permissions and -* limitations under the License. -*/ - -#include "dm_auth_generate_attest.h" - -#include "dm_error_type.h" -#include "dm_log.h" - -namespace OHOS { -namespace DistributedHardware { - -constexpr uint64_t MIN_DCM_RANDOM = 0; -constexpr uint64_t MAX_DCM_RANDOM = 9999999999; - -int32_t AuthGenerateAttest::GenerateCertificate(DmCertChain &dmCertChain) -{ - LOGI("GenerateCertificate Start"); - DcmIdType ids[] = { DCM_ID_TYPE_UDID }; - uint64_t randomNum = GenRandLongLong(MIN_DCM_RANDOM, MAX_DCM_RANDOM); - DcmBlob challengeBlob = {sizeof(randomNum), (uint8_t *) &randomNum}; - DcmCertChain *dcmCertChain = new DcmCertChain(); - if (dcmCertChain == nullptr) { - LOGE("new dcmCertChain fail!"); - return ERR_DM_MALLOC_FAILED; - } - InitCertChain(dcmCertChain); - int32_t ret = DcmAttestIdsEx(ids, sizeof(ids)/sizeof(ids[0]), &challengeBlob, DCM_CERT_TYPE_ROOT_V2, dcmCertChain); - if (ret != DCM_SUCCESS) { - LOGE("DcmAttestIdsEx fail, ret=%{public}d", ret); - FreeCertChain(dcmCertChain); - return ret; - } - ret = ConvertDcmCertChainToDmCertChain(*dcmCertChain, dmCertChain); - if (ret != DM_OK) { - LOGE("covertToSoftbusCertChain fail. ret=%{public}d", ret); - FreeCertChain(dcmCertChain); - return ret; - } - FreeCertChain(dcmCertChain); - LOGI("Success."); - return DM_OK; -} - -int32_t AuthGenerateAttest::InitCertChain(DcmCertChain *certChain) -{ - if (certChain == nullptr) { - LOGE("certChain is nullptr."); - return ERR_DM_INPUT_PARA_INVALID; - } - LOGI("InitCertChain Start"); - certChain->certCount = DM_CERTS_COUNT; - certChain->cert = new DcmBlob[certChain->certCount]; - if (certChain->cert == nullptr) { - certChain->certCount = 0; - LOGE("new dcmCertChain.cert fail!"); - return ERR_DM_MALLOC_FAILED; - } - for (uint32_t i = 0; i < certChain->certCount; ++i) { - certChain->cert[i].data = new uint8_t[DM_CERTIFICATE_SIZE]{0}; - if (certChain->cert[i].data == nullptr) { - certChain->cert[i].size = 0; - for (uint32_t j = 0; j < i; ++j) { - delete[] certChain->cert[j].data; - certChain->cert[j].data = nullptr; - certChain->cert[j].size = 0; - } - delete[] certChain->cert; - certChain->cert = nullptr; - certChain->certCount = 0; - LOGE("new dcmCertChain.cert.data fail!"); - return ERR_DM_MALLOC_FAILED; - } - certChain->cert[i].size = DM_CERTIFICATE_SIZE; - } - return DM_OK; -} - -void AuthGenerateAttest::FreeCertChain(DcmCertChain *chain) -{ - if (chain == nullptr) { - LOGI("chain is nullptr!"); - return; - } - for (uint32_t i = 0; i < chain->certCount; ++i) { - delete[] chain->cert[i].data; - chain->cert[i].data = nullptr; - chain->cert[i].size = 0; - } - delete[] chain->cert; - chain->cert = nullptr; - chain->certCount = 0; - delete chain; -} - -int32_t ValidateInput(const DcmCertChain &dcmCertChain) -{ - if (dcmCertChain.certCount > 0 && dcmCertChain.cert == nullptr) { - LOGE("Invalid cert chain: certCount>0 but cert array is null!"); - return ERR_DM_INPUT_PARA_INVALID; - } - return DM_OK; -} - -int32_t CopyCertificates(const DcmCertChain &dcmCertChain, DmBlob *newCertArray, uint32_t &allocatedCerts) -{ - if (newCertArray == nullptr) { - LOGE("newCertArray is invalid param."); - return ERR_DM_INPUT_PARA_INVALID; - } - for (uint32_t i = 0; i < dcmCertChain.certCount; ++i) { - const auto &src = dcmCertChain.cert[i]; - auto &dest = newCertArray[i]; - dest.size = src.size; - dest.data = nullptr; - if (src.size == 0 || src.data == nullptr) continue; - dest.data = new uint8_t[src.size]{0}; - if (dest.data == nullptr) { - allocatedCerts = i; - return ERR_DM_MALLOC_FAILED; - } - - if (memcpy_s(dest.data, src.size, src.data, src.size) != DM_OK) { - delete[] dest.data; - dest.data = nullptr; - allocatedCerts = i; - return ERR_DM_FAILED; - } - allocatedCerts = i + 1; - } - return DM_OK; -} - -int32_t AuthGenerateAttest::ConvertDcmCertChainToDmCertChain(const DcmCertChain &dcmCertChain, DmCertChain &dmCertChain) -{ - LOGI("ConvertDcmCertChainToDmCertChain start!"); - int32_t ret = ValidateInput(dcmCertChain); - if (ret != DM_OK) { - return ret; - } - if (dcmCertChain.certCount == 0) { - dmCertChain.cert = nullptr; - dmCertChain.certCount = 0; - return DM_OK; - } - DmBlob *newCertArray = new DmBlob[dcmCertChain.certCount]; - if (newCertArray == nullptr) { - LOGE("Failed to allocate cert array!"); - return ERR_DM_MALLOC_FAILED; - } - uint32_t allocatedCerts = 0; - ret = CopyCertificates(dcmCertChain, newCertArray, allocatedCerts); - if (ret != DM_OK) { - for (uint32_t j = 0; j < allocatedCerts; ++j) { - delete[] newCertArray[j].data; - } - delete[] newCertArray; - return ret; - } - dmCertChain.cert = newCertArray; - dmCertChain.certCount = dcmCertChain.certCount; - for (uint32_t i = 0; i < dcmCertChain.certCount; ++i) { - delete[] newCertArray[i].data; - } - delete[] newCertArray; - return DM_OK; -} -} // namespace DistributedHardware -} // namespace OHOS \ No newline at end of file diff --git a/services/implementation/src/attest/dm_auth_validate_attest.cpp b/services/implementation/src/attest/dm_auth_validate_attest.cpp deleted file mode 100644 index fdf810b44b01b1924f8c115736ab2efac80ea205..0000000000000000000000000000000000000000 --- a/services/implementation/src/attest/dm_auth_validate_attest.cpp +++ /dev/null @@ -1,196 +0,0 @@ -/* - * Copyright (c) 2025 Huawei Device Co., Ltd. - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -#include "dm_auth_validate_attest.h" - -#include "dm_error_type.h" -#include "dm_log.h" - -namespace OHOS { -namespace DistributedHardware { - -int32_t ProcessValidationResult(const char *deviceIdHash, char *udidStr, - uint64_t randNum, const HksParamSet *outputParam) -{ - if (deviceIdHash == nullptr || udidStr == nullptr || outputParam == nullptr) { - LOGE("input param is nullptr."); - return ERR_DM_INPUT_PARA_INVALID; - } - uint32_t cnt = 0; - HksBlob *blob = &outputParam->params[cnt].blob; - if (blob == nullptr) { - LOGE("outputParam blob is nullptr"); - return ERR_DM_GET_PARAM_FAILED; - } - if (memcpy_s(&randNum, sizeof(uint64_t), blob->data, blob->size) != EOK) { - LOGE("memcpy randNum failed"); - return ERR_DM_GET_PARAM_FAILED; - } - blob = &outputParam->params[++cnt].blob; - if (memcpy_s(udidStr, UDID_BUF_LEN, blob->data, blob->size) != EOK) { - LOGE("memcpy udidStr failed"); - return ERR_DM_GET_PARAM_FAILED; - } - std::string certDeviceIdHash = Crypto::GetUdidHash(std::string(udidStr)); - LOGI("accesser udidHash=%{public}s, certudidHash=%{public}s", - GetAnonyString(std::string(deviceIdHash)).c_str(), GetAnonyString(certDeviceIdHash).c_str()); - if (strcmp(deviceIdHash, certDeviceIdHash.c_str()) != 0) { - LOGE("verifyCertificate fail"); - return ERR_DM_DESERIAL_CERT_FAILED; - } - return DM_OK; -} - -int32_t AuthValidateAttest::VerifyCertificate(const DmCertChain &dmCertChain, const char *deviceIdHash) -{ - if (deviceIdHash == nullptr) { - LOGE("deviceIdHash is nullptr."); - return ERR_DM_INPUT_PARA_INVALID; - } - LOGI("VerifyCertificate start!"); - char udidStr[UDID_BUF_LEN] = {0}; - uint64_t randNum = 0; - HksCertChain hksCertChain; - int32_t ret = ConvertDmCertChainToHksCertChain(dmCertChain, hksCertChain); - if (ret != DM_OK) { - LOGE("ConvertDmCertChainToHksCertChain fail, ret=%{public}d", ret); - return ret; - } - HksParamSet *outputParam = NULL; - HksParam outputData[] = { - {.tag = HKS_TAG_ATTESTATION_CHALLENGE, .blob = {sizeof(uint64_t), (uint8_t *) &randNum}}, - {.tag = HKS_TAG_ATTESTATION_ID_UDID, .blob = {UDID_BUF_LEN, (uint8_t *)udidStr}}, - }; - ret = FillHksParamSet(&outputParam, outputData, sizeof(outputData) / sizeof(outputData[0])); - if (ret != DM_OK) { - LOGE("FillHksParamSet failed, ret=%{public}d", ret); - FreeHksCertChain(hksCertChain); - return ERR_DM_FAILED; - } - ret = HksValidateCertChain(&hksCertChain, outputParam); - if (ret != HKS_SUCCESS) { - LOGE("HksValidateCertChain fail, ret=%{public}d", ret); - FreeHksCertChain(hksCertChain); - HksFreeParamSet(&outputParam); - return ret; - } - ret = ProcessValidationResult(deviceIdHash, udidStr, randNum, outputParam); - if (ret != DM_OK) { - LOGE("ProcessValidationResult fail, ret=%{public}d", ret); - FreeHksCertChain(hksCertChain); - HksFreeParamSet(&outputParam); - return ret; - } - FreeHksCertChain(hksCertChain); - HksFreeParamSet(&outputParam); - return DM_OK; -} - -int32_t AuthValidateAttest::FillHksParamSet(HksParamSet **paramSet, HksParam *param, int32_t paramNums) -{ - if (param == nullptr) { - LOGE("param is null"); - return ERR_DM_INPUT_PARA_INVALID; - } - int32_t ret = HksInitParamSet(paramSet); - if (ret != HKS_SUCCESS) { - LOGE("HksInitParamSet failed, hks ret = %{public}d", ret); - return ERR_DM_FAILED; - } - ret = HksAddParams(*paramSet, param, paramNums); - if (ret != HKS_SUCCESS) { - LOGE("HksAddParams failed, hks ret = %{public}d", ret); - HksFreeParamSet(paramSet); - return ERR_DM_FAILED; - } - ret = HksBuildParamSet(paramSet); - if (ret != HKS_SUCCESS) { - LOGE("HksBuildParamSet failed, hks ret = %{public}d", ret); - HksFreeParamSet(paramSet); - return ERR_DM_FAILED; - } - return DM_OK; -} - -void AuthValidateAttest::FreeHksCertChain(HksCertChain &chain) -{ - if (chain.certs != nullptr) { - for (uint32_t i = 0; i < chain.certsCount; ++i) { - chain.certs[i].size = 0; - delete[] chain.certs[i].data; - chain.certs[i].data = nullptr; - } - delete[] chain.certs; - chain.certs = nullptr; - } - chain.certsCount = 0; -} - -int32_t AllocateHksBlobArray(uint32_t count, HksBlob **outArray) -{ - HksBlob *arr = new HksBlob[count]{0}; - if (arr == nullptr) { - LOGE("Alloc failed for certs"); - return ERR_DM_MALLOC_FAILED; - } - *outArray = arr; - return DM_OK; -} - -int32_t CopySingleCert(const DmBlob &src, HksBlob &dest) -{ - if (src.data == nullptr || src.size == 0) { - LOGE("Invalid src cert"); - return ERR_DM_FAILED; - } - dest.data = new uint8_t[src.size]{0}; - if (dest.data == nullptr) { - LOGE("Alloc failed for size"); - return ERR_DM_MALLOC_FAILED; - } - dest.size = src.size; - if (memcpy_s(dest.data, src.size, src.data, src.size) != 0) { - LOGE("memcpy_s failed size"); - delete[] dest.data; - dest.data = nullptr; - return ERR_DM_FAILED; - } - return DM_OK; -} - -int32_t AuthValidateAttest::ConvertDmCertChainToHksCertChain(const DmCertChain &dmCertChain, HksCertChain &hksCertChain) -{ - if (dmCertChain.certCount == 0 || dmCertChain.cert == nullptr) { - return ERR_DM_INPUT_PARA_INVALID; - } - HksBlob *newCerts = nullptr; - int32_t ret = AllocateHksBlobArray(dmCertChain.certCount, &newCerts); - if (ret != DM_OK) { - LOGE("AllocateHksBlobArray fail, ret = %{public}d", ret); - return ret; - } - for (uint32_t i = 0; i < dmCertChain.certCount; ++i) { - if ((ret = CopySingleCert(dmCertChain.cert[i], newCerts[i])) != DM_OK) { - FreeHksCertChain(hksCertChain); - delete[] newCerts; - return ret; - } - } - hksCertChain.certs = newCerts; - hksCertChain.certsCount = dmCertChain.certCount; - return DM_OK; -} -} // namespace DistributedHardware -} // namespace OHOS \ No newline at end of file diff --git a/services/implementation/src/authentication_v2/auth_manager.cpp b/services/implementation/src/authentication_v2/auth_manager.cpp index 04729f6f43eb63319b319ee1b112166c1d97dfe3..cf5a594b28f2402dcf4b1f6264e2e2cd5fc7b0b9 100644 --- a/services/implementation/src/authentication_v2/auth_manager.cpp +++ b/services/implementation/src/authentication_v2/auth_manager.cpp @@ -24,6 +24,8 @@ #include "multiple_user_connector.h" #include "auth_manager.h" +#include "dm_auth_cert.h" +#include "dm_auth_attest_common.h" #include "dm_constants.h" #include "dm_crypto.h" #include "dm_random.h" @@ -36,10 +38,6 @@ #include "dm_auth_context.h" #include "dm_auth_message_processor.h" #include "dm_auth_state.h" -#if !defined(DEVICE_MANAGER_COMMON_FLAG) -#include "dm_auth_generate_attest.h" -#include "dm_auth_validate_attest.h" -#endif namespace OHOS { namespace DistributedHardware { @@ -635,12 +633,13 @@ std::string GenerateCertificate(std::shared_ptr context_) return ""; #else DmCertChain dmCertChain; - int32_t certRet = AuthGenerateAttest::GetInstance().GenerateCertificate(dmCertChain); + int32_t certRet = AuthCert::GetInstance().GenerateCertificate(dmCertChain); if (certRet != DM_OK) { LOGE("generate cert fail, certRet = %{public}d", certRet); return ""; } std::string cert = AuthAttestCommon::GetInstance().SerializeDmCertChain(&dmCertChain); + AuthAttestCommon::GetInstance().FreeDmCertChain(dmCertChain); return cert; #endif } diff --git a/services/implementation/src/authentication_v2/auth_stages/auth_negotiate.cpp b/services/implementation/src/authentication_v2/auth_stages/auth_negotiate.cpp index 14046e717fe6a0086022b26ca9889df3a68207fc..0639821f5398a6ec18b3b22d16f9ff68a618b012 100644 --- a/services/implementation/src/authentication_v2/auth_stages/auth_negotiate.cpp +++ b/services/implementation/src/authentication_v2/auth_stages/auth_negotiate.cpp @@ -22,6 +22,8 @@ #include "accessee.h" #include "auth_manager.h" #include "app_manager.h" +#include "dm_auth_cert.h" +#include "dm_auth_attest_common.h" #include "dm_crypto.h" #include "dm_log.h" #include "dm_timer.h" @@ -41,10 +43,6 @@ #include "multiple_user_connector.h" #include "os_account_manager.h" #include "parameter.h" -#if !defined(DEVICE_MANAGER_COMMON_FLAG) -#include "dm_auth_generate_attest.h" -#include "dm_auth_validate_attest.h" -#endif using namespace OHOS::Security::AccessToken; @@ -187,6 +185,7 @@ int32_t AuthSinkNegotiateStateMachine::ProcRespNegotiate5_1_0(std::shared_ptr context) { #ifdef DEVICE_MANAGER_COMMON_FLAG + (void)context; LOGI("Blue device do not verify cert!"); return DM_OK; #else @@ -200,20 +199,22 @@ int32_t VerifyCertificate(std::shared_ptr context) && context->accesser.isCommonFlag == true) { LOGI("src is common device."); if (DeviceProfileConnector::GetInstance() - .checkIsSameAccountByUdidHash(context->accesser.deviceIdHash) == DM_OK) { + .CheckIsSameAccountByUdidHash(context->accesser.deviceIdHash) == DM_OK) { LOGE("src is common device, but the udidHash is identical in acl!"); return ERR_DM_VERIFY_CERT_FAILED; - } + } return DM_OK; - } + } DmCertChain dmCertChain{nullptr, 0}; if (!AuthAttestCommon::GetInstance() .DeserializeDmCertChain(context->accesser.cert, &dmCertChain)) { LOGE("cert deserialize fail!"); return ERR_DM_DESERIAL_CERT_FAILED; - } - int32_t certRet = AuthValidateAttest::GetInstance() + } + int32_t certRet = AuthCert::GetInstance() .VerifyCertificate(dmCertChain, context->accesser.deviceIdHash.c_str()); + // free dmCertChain memory + AuthAttestCommon::GetInstance().FreeDmCertChain(dmCertChain); if (certRet != DM_OK) { LOGE("validate cert fail, certRet = %{public}d", certRet); return ERR_DM_VERIFY_CERT_FAILED; diff --git a/test/commonfuzztest/authenticatedeviceserviceimpl_fuzzer/BUILD.gn b/test/commonfuzztest/authenticatedeviceserviceimpl_fuzzer/BUILD.gn index f79c6dfe0658f1a481bd1cf8d88ce64fa6f10ba6..6a4dccbc02a5bdffe3dcd3c630eb179facc98ca9 100644 --- a/test/commonfuzztest/authenticatedeviceserviceimpl_fuzzer/BUILD.gn +++ b/test/commonfuzztest/authenticatedeviceserviceimpl_fuzzer/BUILD.gn @@ -85,13 +85,6 @@ ohos_fuzztest("AuthenticateDeviceServiceImplFuzzTest") { "safwk:system_ability_fwk", "selinux_adapter:librestorecon", ] - - if (!device_manager_common) { - external_deps += [ - "device_certificate_manager:device_cert_mgr_sdk", - "huks:libhukssdk", - ] - } } ############################################################################### diff --git a/test/commonfuzztest/dmauthmanagerv2_fuzzer/BUILD.gn b/test/commonfuzztest/dmauthmanagerv2_fuzzer/BUILD.gn index 93e9b15d99aff4c62f07e483c8c23d23fa946382..fb2de39cab0aa6a70aefea49cc690e3e5d00b8f4 100644 --- a/test/commonfuzztest/dmauthmanagerv2_fuzzer/BUILD.gn +++ b/test/commonfuzztest/dmauthmanagerv2_fuzzer/BUILD.gn @@ -69,13 +69,6 @@ ohos_fuzztest("DmAuthManagerV2FuzzTest") { "DH_LOG_TAG=\"DmAuthManagerV2FuzzTest\"", "LOG_DOMAIN=0xD004110", ] - - if (!device_manager_common) { - external_deps += [ - "device_certificate_manager:device_cert_mgr_sdk", - "huks:libhukssdk", - ] - } } ############################################################################### diff --git a/test/commonfuzztest/ondatareceivedv2_fuzzer/BUILD.gn b/test/commonfuzztest/ondatareceivedv2_fuzzer/BUILD.gn index c6f9f7df8f3cfe584626f2b55e434832151711b7..b81e1b47298dfc17c2d5288fd1d947d192304f19 100644 --- a/test/commonfuzztest/ondatareceivedv2_fuzzer/BUILD.gn +++ b/test/commonfuzztest/ondatareceivedv2_fuzzer/BUILD.gn @@ -68,13 +68,6 @@ ohos_fuzztest("OnDataReceivedV2FuzzTest") { "DH_LOG_TAG=\"OnDataReceivedV2FuzzTest\"", "LOG_DOMAIN=0xD004110", ] - - if (!device_manager_common) { - external_deps += [ - "device_certificate_manager:device_cert_mgr_sdk", - "huks:libhukssdk", - ] - } } ############################################################################### diff --git a/test/unittest/BUILD.gn b/test/unittest/BUILD.gn index a82f0cd598efe4687ff7d9d89ba9c164a0388bb5..f0af8d78f5bd582c7e922368ee98b3acc709e454 100644 --- a/test/unittest/BUILD.gn +++ b/test/unittest/BUILD.gn @@ -400,13 +400,6 @@ ohos_unittest("UTTest_device_manager_service") { "hilog:libhilog", "selinux_adapter:librestorecon", ] - - if (!device_manager_common) { - external_deps += [ - "device_certificate_manager:device_cert_mgr_sdk", - "huks:libhukssdk", - ] - } } ## UnitTest UTTest_device_manager_service }}} @@ -434,13 +427,6 @@ ohos_unittest("UTTest_dm_softbus_cache") { "hilog:libhilog", "selinux_adapter:librestorecon", ] - - if (!device_manager_common) { - external_deps += [ - "device_certificate_manager:device_cert_mgr_sdk", - "huks:libhukssdk", - ] - } } ## UnitTest UTTest_dm_softbus_cache }}} @@ -474,13 +460,6 @@ ohos_unittest("UTTest_device_manager_service_three") { "hilog:libhilog", "selinux_adapter:librestorecon", ] - - if (!device_manager_common) { - external_deps += [ - "device_certificate_manager:device_cert_mgr_sdk", - "huks:libhukssdk", - ] - } } ## UnitTest UTTest_device_manager_service_three }}} @@ -1271,13 +1250,6 @@ ohos_unittest("UTTest_device_manager_service_impl") { "os_account:libaccountkits", "os_account:os_account_innerkits", ] - - if (!device_manager_common) { - external_deps += [ - "device_certificate_manager:device_cert_mgr_sdk", - "huks:libhukssdk", - ] - } } ## UnitTest UTTest_device_manager_service_impl }}} @@ -1308,13 +1280,6 @@ ohos_unittest("UTTest_device_manager_service_impl_first") { "os_account:libaccountkits", "os_account:os_account_innerkits", ] - - if (!device_manager_common) { - external_deps += [ - "device_certificate_manager:device_cert_mgr_sdk", - "huks:libhukssdk", - ] - } } ## UnitTest UTTest_device_manager_service_impl_first }}} @@ -2072,13 +2037,6 @@ ohos_unittest("UTTest_auth_pin_auth_state") { "googletest:gmock_main", "hilog:libhilog", ] - - if (!device_manager_common) { - external_deps += [ - "device_certificate_manager:device_cert_mgr_sdk", - "huks:libhukssdk", - ] - } } ## UnitTest UTTest_auth_pin_auth_state }}} @@ -2137,13 +2095,6 @@ ohos_unittest("UTTest_auth_credential_state") { "googletest:gmock_main", "hilog:libhilog", ] - - if (!device_manager_common) { - external_deps += [ - "device_certificate_manager:device_cert_mgr_sdk", - "huks:libhukssdk", - ] - } } ## UnitTest UTTest_auth_credential_state }}} @@ -2175,13 +2126,6 @@ ohos_unittest("UTTest_auth_acl") { "googletest:gmock_main", "hilog:libhilog", ] - - if (!device_manager_common) { - external_deps += [ - "device_certificate_manager:device_cert_mgr_sdk", - "huks:libhukssdk", - ] - } } ## UnitTest UTTest_auth_acl }}} @@ -2215,13 +2159,6 @@ ohos_unittest("UTTest_auth_negotiate") { "googletest:gmock_main", "hilog:libhilog", ] - - if (!device_manager_common) { - external_deps += [ - "device_certificate_manager:device_cert_mgr_sdk", - "huks:libhukssdk", - ] - } } ## UnitTest UTTest_auth_negotiate }}}