From e6cd99f7a141a10c32c5b0f3b866ddf993dd7665 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=9D=8E=E5=B7=8D?= Date: Thu, 29 May 2025 17:36:07 +0800 Subject: [PATCH 1/4] =?UTF-8?q?=E8=AE=BE=E5=A4=87=E8=AF=81=E4=B9=A6?= =?UTF-8?q?=E4=BC=98=E5=8C=96?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 李巍 --- bundle.json | 2 - .../include/dm_cert.h | 37 ++-- common/include/i_dm_auth_cert_ext.h | 32 +++ services/implementation/BUILD.gn | 14 +- .../include/attest/dm_auth_attest_common.h | 17 +- ..._auth_validate_attest.h => dm_auth_cert.h} | 47 +++-- .../src/attest/dm_auth_attest_common.cpp | 35 ++-- .../src/attest/dm_auth_cert.cpp | 90 ++++++++ .../src/attest/dm_auth_generate_attest.cpp | 180 ---------------- .../src/attest/dm_auth_validate_attest.cpp | 196 ------------------ .../src/authentication_v2/auth_manager.cpp | 9 +- .../auth_stages/auth_negotiate.cpp | 16 +- .../BUILD.gn | 7 - .../dmauthmanagerv2_fuzzer/BUILD.gn | 7 - .../ondatareceivedv2_fuzzer/BUILD.gn | 7 - test/unittest/BUILD.gn | 63 ------ 16 files changed, 212 insertions(+), 547 deletions(-) rename services/implementation/include/attest/dm_auth_generate_attest.h => common/include/dm_cert.h (53%) create mode 100644 common/include/i_dm_auth_cert_ext.h rename services/implementation/include/attest/{dm_auth_validate_attest.h => dm_auth_cert.h} (48%) create mode 100644 services/implementation/src/attest/dm_auth_cert.cpp delete mode 100644 services/implementation/src/attest/dm_auth_generate_attest.cpp delete mode 100644 services/implementation/src/attest/dm_auth_validate_attest.cpp diff --git a/bundle.json b/bundle.json index d3739da58..aee20468f 100644 --- a/bundle.json +++ b/bundle.json @@ -37,7 +37,6 @@ "common_event_service", "data_share", "device_auth", - "device_certificate_manager", "device_info_manager", "dsoftbus", "eventhandler", @@ -46,7 +45,6 @@ "hisysevent", "hitrace", "hilog", - "huks", "init", "ipc", "json", 
diff --git a/services/implementation/include/attest/dm_auth_generate_attest.h b/common/include/dm_cert.h similarity index 53% rename from services/implementation/include/attest/dm_auth_generate_attest.h rename to common/include/dm_cert.h index b78ce8bd8..5080ef860 100644 --- a/services/implementation/include/attest/dm_auth_generate_attest.h +++ b/common/include/dm_cert.h @@ -13,29 +13,30 @@ * limitations under the License. */ -#ifndef OHOS_DM_AUTH_GENERATE_ATTEST_H -#define OHOS_DM_AUTH_GENERATE_ATTEST_H -#include "dm_auth_attest_common.h" +#ifndef OHOS_DM_CERT_H +#define OHOS_DM_CERT_H -#include "dcm_api.h" -#include "dcm_type.h" +#define DM_CERTS_COUNT 4 +#define UDID_BUF_LEN 65 +#define DM_CERTIFICATE_SIZE 8192 + +#include +#include + +#include "dm_random.h" namespace OHOS { namespace DistributedHardware { -class AuthGenerateAttest { -public: - static AuthGenerateAttest &GetInstance(void) - { - static AuthGenerateAttest instance; - return instance; - } +typedef struct DmBlob { + uint32_t size; + uint8_t *data; +} DmBlob; - int32_t GenerateCertificate(DmCertChain &dmCertChain); - int32_t ConvertDcmCertChainToDmCertChain(const DcmCertChain &dcmCertChain, DmCertChain &dmCertChain); - int32_t InitCertChain(DcmCertChain *certChain); - void FreeCertChain(DcmCertChain *chain); -}; +typedef struct DmCertChain { + DmBlob *cert; + uint32_t certCount; +} DmCertChain; } // namespace DistributedHardware } // namespace OHOS -#endif // OHOS_DM_AUTH_GENERATE_ATTEST_H \ No newline at end of file +#endif //OHOS_DM_CERT_H \ No newline at end of file diff --git a/common/include/i_dm_auth_cert_ext.h b/common/include/i_dm_auth_cert_ext.h new file mode 100644 index 000000000..657b5cf13 --- /dev/null +++ b/common/include/i_dm_auth_cert_ext.h 
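Review bot: `DmBlob` and `DmCertChain` hold raw owning pointers, and nothing in this header says how they must be allocated. That matters now because the chain is filled by an `IDMAuthCertExt` implementation and released by `AuthAttestCommon::FreeDmCertChain` with `delete[]`. An implementation that allocates with `malloc`, or with a non-array `new`, would make that release undefined behaviour. Add a comment on the structs, for example `// cert and every cert[i].data are allocated with new[]; release with AuthAttestCommon::FreeDmCertChain`. As a style point, the three `#define` constants could be `constexpr` values inside the namespace, since the header already uses C++ namespaces.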
@@ -0,0 +1,32 @@ +/* + * Copyright (c) 2025 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef OHOS_I_DM_AUTH_CERT_EXT_H +#define OHOS_I_DM_AUTH_CERT_EXT_H + +#include "dm_cert.h" + +namespace OHOS { +namespace DistributedHardware { +class IDMAuthCertExt { +public: + virtual ~IDMAuthCertExt() = default; + virtual int32_t GenerateCertificate(DmCertChain &dmCertChain) = 0; + virtual int32_t VerifyCertificate(const DmCertChain &dmCertChain, const char *deviceIdHash) = 0; +}; + +using CreateDMAuthCertFuncPtr = IDMAuthCertExt *(*)(void); +} // namespace DistributedHardware +} // namespace OHOS \ No newline at end of file diff --git a/services/implementation/BUILD.gn b/services/implementation/BUILD.gn index a0acf9c81..d8c4ef707 100644 --- a/services/implementation/BUILD.gn +++ b/services/implementation/BUILD.gn @@ -178,6 +178,8 @@ if (defined(ohos_lite)) { "src/ability/standard/dm_ability_manager.cpp", "src/ability/standard/dm_dialog_manager.cpp", "src/adapter/standard/dm_adapter_manager.cpp", + "src/attest/dm_auth_attest_common.cpp", + "src/attest/dm_auth_cert.cpp", "src/authentication/auth_message_processor.cpp", "src/authentication/auth_request_state.cpp", "src/authentication/auth_response_state.cpp", 
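Review bot: The include guard opened by `#ifndef OHOS_I_DM_AUTH_CERT_EXT_H` is never closed in this new file. The 32 added lines end at the two namespace braces, so any translation unit that includes the header fails with an unterminated conditional unless a later patch in the series adds the terminator. Append `#endif // OHOS_I_DM_AUTH_CERT_EXT_H` after `} // namespace OHOS`. `CreateDMAuthCertFuncPtr` also deserves a one-line comment stating that the caller takes ownership of the returned object and destroys it with `delete`, which is what the `std::shared_ptr` in dm_auth_cert.cpp ends up doing.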
@@ -272,18 +274,6 @@ if (defined(ohos_lite)) { external_deps += [ "spatial_awareness:spatial_awareness_client" ] } - if (!device_manager_common) { - sources += [ - "src/attest/dm_auth_attest_common.cpp", - "src/attest/dm_auth_generate_attest.cpp", - "src/attest/dm_auth_validate_attest.cpp", - ] - external_deps += [ - "device_certificate_manager:device_cert_mgr_sdk", - "huks:libhukssdk", - ] - } - subsystem_name = "distributedhardware" part_name = "device_manager" diff --git a/services/implementation/include/attest/dm_auth_attest_common.h b/services/implementation/include/attest/dm_auth_attest_common.h index 49a635ada..00c949930 100644 --- a/services/implementation/include/attest/dm_auth_attest_common.h +++ b/services/implementation/include/attest/dm_auth_attest_common.h @@ -25,23 +25,13 @@ #include "dm_anonymous.h" #include "dm_auth_manager_base.h" +#include "dm_cert.h" #include "dm_crypto.h" #include "dm_random.h" #include "json_object.h" namespace OHOS { namespace DistributedHardware { - -typedef struct DmBlob { - uint32_t size; - uint8_t *data; -} DmBlob; - -typedef struct DmCertChain { - DmBlob *cert; - uint32_t certCount; -} DmCertChain; - class AuthAttestCommon { public: static AuthAttestCommon &GetInstance(void) @@ -52,7 +42,10 @@ public: std::string SerializeDmCertChain(const DmCertChain *chain); bool DeserializeDmCertChain(const std::string &data, DmCertChain *outChain); - void FreeCertChain(DmCertChain *chain); + void FreeDmCertChain(DmCertChain &chain); +private: + AuthAttestCommon(); + ~AuthAttestCommon(); }; } // namespace DistributedHardware } // namespace OHOS diff --git a/services/implementation/include/attest/dm_auth_validate_attest.h b/services/implementation/include/attest/dm_auth_cert.h similarity index 48% rename from services/implementation/include/attest/dm_auth_validate_attest.h rename to services/implementation/include/attest/dm_auth_cert.h index 997f58cf8..889139861 100644 
--- a/services/implementation/include/attest/dm_auth_validate_attest.h +++ b/services/implementation/include/attest/dm_auth_cert.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2025 Huawei Device Co., Ltd. +* Copyright (c) 2025 Huawei Device Co., Ltd. * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at 
@@ -13,30 +13,43 @@ * limitations under the License. */ -#ifndef OHOS_DM_AUTH_VALIDATE_ATTEST_H -#define OHOS_DM_AUTH_VALIDATE_ATTEST_H +#ifndef OHOS_DM_AUTH_CERT_H +#define OHOS_DM_AUTH_CERT_H -#include "dm_auth_attest_common.h" +#include -#include "hks_api.h" -#include "hks_param.h" -#include "hks_type.h" +#include "dm_cert.h" +#include "i_dm_auth_cert_ext.h" +#if defined(__LITEOS_M__) +#include "dm_mutex.h" +#else +#include +#endif namespace OHOS { namespace DistributedHardware { -class AuthValidateAttest { +class AuthCert { public: - static AuthValidateAttest &GetInstance(void) + static AuthCert &GetInstance(void) { - static AuthValidateAttest instance; + static AuthCert instance; return instance; } - int32_t VerifyCertificate(const DmCertChain &dmCertChain, const char *deviceUdid); - int32_t ConvertDmCertChainToHksCertChain(const DmCertChain &dmCertChain, HksCertChain &hksCertChain); - int32_t FillHksParamSet(struct HksParamSet **paramSet, struct HksParam *param, int32_t paramNums); - void FreeHksCertChain(HksCertChain &chain); + int32_t GenerateCertificate(DmCertChain &dmCertChain); + int32_t VerifyCertificate(const DmCertChain &dmCertChain, const char *deviceIdHash); + +private: + AuthCert(); + ~AuthCert(); + bool IsDMAdapterAuthCertLoaded(); + + bool isAdapterAuthCertSoLoaded_ = false; + void *authCertSoHandle_ = nullptr; + std::mutex isAdapterAuthCertLoadedLock_; + std::shared_ptr dmAuthCertExt_; }; -} // namespace DistributedHardware -} // namespace OHOS -#endif // OHOS_DM_AUTH_VALIDATE_ATTEST_H \ No newline at end of file +} // namespace DistributedHardware +} // namespace OHOS + +#endif // OHOS_DM_AUTH_CERT_H \ No newline at end of file diff --git a/services/implementation/src/attest/dm_auth_attest_common.cpp b/services/implementation/src/attest/dm_auth_attest_common.cpp index 3dc79bf54..e4747b615 100644 --- a/services/implementation/src/attest/dm_auth_attest_common.cpp +++ b/services/implementation/src/attest/dm_auth_attest_common.cpp 
@@ -24,9 +24,20 @@ namespace DistributedHardware { const int32_t MAX_CERT_COUNT = 1024; constexpr int32_t HEX_TO_UINT8 = 2; +AuthAttestCommon::AuthAttestCommon() +{ + LOGD("AuthAttestCommon constructor"); +} + +AuthAttestCommon::~AuthAttestCommon() +{ + LOGD("AuthAttestCommon destructor"); +} + std::string AuthAttestCommon::SerializeDmCertChain(const DmCertChain *chain) { if (chain == nullptr || chain->cert == nullptr || chain->certCount == 0) { + LOGE("input param is invalid."); return "{}"; } JsonObject jsonObject; @@ -35,15 +46,18 @@ std::string AuthAttestCommon::SerializeDmCertChain(const DmCertChain *chain) for (uint32_t i = 0; i < chain->certCount; ++i) { const DmBlob &blob = chain->cert[i]; if (blob.data == nullptr || blob.size == 0) { + LOGE("blob data or size is empty."); return "{}"; } const uint32_t hexLen = blob.size * HEX_TO_UINT8 + 1; // 2*blob.size + 1 char *hexBuffer = new char[hexLen]{0}; if (hexBuffer == nullptr) { + LOGE("hexBuffer malloc failed."); return "{}"; } int32_t ret = Crypto::ConvertBytesToHexString(hexBuffer, hexLen, blob.data, blob.size); if (ret != DM_OK) { + LOGE("ConvertBytesToHexString failed."); delete[] hexBuffer; return "{}"; } @@ -145,21 +159,16 @@ bool AuthAttestCommon::DeserializeDmCertChain(const std::string &data, DmCertCha return true; } -void AuthAttestCommon::FreeCertChain(DmCertChain *chain) +void AuthAttestCommon::FreeDmCertChain(DmCertChain &chain) { - if (chain == nullptr) { - LOGI("chain is nullptr!"); - return; - } - for (uint32_t i = 0; i < chain->certCount; ++i) { - delete[] chain->cert[i].data; - chain->cert[i].data = nullptr; - chain->cert[i].size = 0; + if (chain.cert != nullptr) { + for (uint32_t i = 0; i < chain.certCount; ++i) { + delete[] chain.cert[i].data; + } + delete[] chain.cert; + chain.cert = nullptr; + chain.certCount = 0; } - delete[] chain->cert; - chain->cert = nullptr; - chain->certCount = 0; - delete chain; } } // namespace DistributedHardware } // namespace OHOS \ No newline at end of file 
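Review bot: The `LOGE("hexBuffer malloc failed.")` added in `SerializeDmCertChain` sits in a branch that cannot be taken, because `new char[hexLen]{0}` reports failure by throwing `std::bad_alloc` and never yields `nullptr`. If a null return is the intended failure mode, allocate with `new (std::nothrow) char[hexLen]{0}` (needs `<new>`); otherwise drop the check. `hexLen` is computed as `blob.size * HEX_TO_UINT8 + 1` in `uint32_t`, so bounding `blob.size` before the multiplication, for instance against `DM_CERTIFICATE_SIZE`, would stop it from wrapping to a small buffer length. The function body starts and ends outside this hunk.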
diff --git a/services/implementation/src/attest/dm_auth_cert.cpp b/services/implementation/src/attest/dm_auth_cert.cpp new file mode 100644 index 000000000..1587ae6bc --- /dev/null +++ b/services/implementation/src/attest/dm_auth_cert.cpp 
@@ -0,0 +1,90 @@ +/* +* Copyright (c) 2025 Huawei Device Co., Ltd. +* Licensed under the Apache License, Version 2.0 (the "License"); +* you may not use this file except in compliance with the License. +* You may obtain a copy of the License at +* +* http://www.apache.org/licenses/LICENSE-2.0 +* +* Unless required by applicable law or agreed to in writing, software +* distributed under the License is distributed on an "AS IS" BASIS, +* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +* See the License for the specific language governing permissions and +* limitations under the License. +*/ + +#include "dm_auth_cert.h" + +#include "dm_error_type.h" +#include "dm_log.h" + +namespace OHOS { +namespace DistributedHardware { + +constexpr const char* LIB_DM_AUTH_CERT = "libdm_auth_cert.z.so"; + +AuthCert::AuthCert() +{ + LOGD("AuthCert AuthCert"); +} + +AuthCert::~AuthCert() +{ + LOGD("AuthCert destructor"); +} + +bool AuthCert::IsDMAdapterAuthCertLoaded() +{ + LOGI("Start."); + std::lock_guard lock(isAdapterAuthCertLoadedLock_); + if (isAdapterAuthCertSoLoaded_ && (dmAuthCertExt_ != nullptr)) { + return true; + } + authCertSoHandle_ = dlopen(LIB_DM_AUTH_CERT, RTLD_NOW | RTLD_NODELETE | RTLD_NOLOAD); + char *error = dlerror(); + if (error != nullptr) { + LOGE("dlopen failed, err: %{public}s", error); + } + if (authCertSoHandle_ == nullptr) { + authCertSoHandle_ = dlopen(LIB_DM_AUTH_CERT, RTLD_NOW | RTLD_NODELETE); + error = dlerror(); + if (error != nullptr) { + LOGE("dlopen failed again! err: %{public}s", error); + } + } + if (authCertSoHandle_ == nullptr) { + LOGE("load dm check api white list so failed."); + return false; + } + auto func = (CreateDMAuthCertFuncPtr)dlsym(authCertSoHandle_, "CreateDMAuthCertExtObject"); + if (func == nullptr || dlerror() != nullptr) { + dlclose(authCertSoHandle_); + authCertSoHandle_ = nullptr; + LOGE("Create object function is not exist. err: %{public}s", (dlerror() == nullptr ? 
"null" : dlerror())); + return false; + } + dmAuthCertExt_ = std::shared_ptr(func()); + isAdapterAuthCertSoLoaded_ = true; + LOGI("Success."); + return true; +} + +int32_t AuthCert::GenerateCertificate(DmCertChain &dmCertChain) +{ + if (!IsDMAdapterAuthCertLoaded()) { + LOGE("authCertSo load failed!"); + return ERR_DM_FAILED; + } + return dmAuthCertExt_->GenerateCertificate(dmCertChain); +} + +int32_t AuthCert::VerifyCertificate(const DmCertChain &dmCertChain, const char *deviceIdHash) +{ + if (!IsDMAdapterAuthCertLoaded()) { + LOGE("authCertSo load failed!"); + return ERR_DM_FAILED; + } + return dmAuthCertExt_->VerifyCertificate(dmCertChain, deviceIdHash); +} +} // namespace DistributedHardware +} // namespace OHOS \ No newline at end of file diff --git a/services/implementation/src/attest/dm_auth_generate_attest.cpp b/services/implementation/src/attest/dm_auth_generate_attest.cpp deleted file mode 100644 index 96842a5b2..000000000 --- a/services/implementation/src/attest/dm_auth_generate_attest.cpp +++ /dev/null 
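Review bot: In `IsDMAdapterAuthCertLoaded` the pointer returned by `func()` is never checked before `isAdapterAuthCertSoLoaded_ = true` and `return true`. A factory that returns null therefore sends `GenerateCertificate` and `VerifyCertificate` into `dmAuthCertExt_->...` on a null pointer. The `dlsym` failure path also calls `dlerror()` up to three times, and each call clears the stored message, so the `LOGE` either prints "null" or hands a null pointer to `%{public}s`. The fix is to read `dlerror()` once into a local, log before `dlclose`, and reject a null object before wrapping it, as sketched below. Separately, the first `dlopen` uses `RTLD_NOLOAD`, so logging its expected miss at error level will be noisy.

```cpp
    // … unchanged: lock, early return, the two dlopen attempts and the null-handle check …
    dlerror(); // clear any stale message so the next read belongs to dlsym
    auto func = (CreateDMAuthCertFuncPtr)dlsym(authCertSoHandle_, "CreateDMAuthCertExtObject");
    const char *symErr = dlerror(); // read once: every call clears the stored message
    if (func == nullptr || symErr != nullptr) {
        LOGE("Create object function is not exist. err: %{public}s", (symErr == nullptr ? "null" : symErr));
        dlclose(authCertSoHandle_);
        authCertSoHandle_ = nullptr;
        return false;
    }
    IDMAuthCertExt *ext = func();
    if (ext == nullptr) {
        LOGE("CreateDMAuthCertExtObject returned nullptr.");
        dlclose(authCertSoHandle_);
        authCertSoHandle_ = nullptr;
        return false;
    }
    dmAuthCertExt_ = std::shared_ptr<IDMAuthCertExt>(ext);
    isAdapterAuthCertSoLoaded_ = true;
    // … unchanged: success log and return true …
```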
@@ -1,180 +0,0 @@ -/* -* Copyright (c) 2025 Huawei Device Co., Ltd. -* Licensed under the Apache License, Version 2.0 (the "License"); -* you may not use this file except in compliance with the License. -* You may obtain a copy of the License at -* -* http://www.apache.org/licenses/LICENSE-2.0 -* -* Unless required by applicable law or agreed to in writing, software -* distributed under the License is distributed on an "AS IS" BASIS, -* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -* See the License for the specific language governing permissions and -* limitations under the License. -*/ - -#include "dm_auth_generate_attest.h" - -#include "dm_error_type.h" -#include "dm_log.h" - -namespace OHOS { -namespace DistributedHardware { - -constexpr uint64_t MIN_DCM_RANDOM = 0; -constexpr uint64_t MAX_DCM_RANDOM = 9999999999; - -int32_t AuthGenerateAttest::GenerateCertificate(DmCertChain &dmCertChain) -{ - LOGI("GenerateCertificate Start"); - DcmIdType ids[] = { DCM_ID_TYPE_UDID }; - uint64_t randomNum = GenRandLongLong(MIN_DCM_RANDOM, MAX_DCM_RANDOM); - DcmBlob challengeBlob = {sizeof(randomNum), (uint8_t *) &randomNum}; - DcmCertChain *dcmCertChain = new DcmCertChain(); - if (dcmCertChain == nullptr) { - LOGE("new dcmCertChain fail!"); - return ERR_DM_MALLOC_FAILED; - } - InitCertChain(dcmCertChain); - int32_t ret = DcmAttestIdsEx(ids, sizeof(ids)/sizeof(ids[0]), &challengeBlob, DCM_CERT_TYPE_ROOT_V2, dcmCertChain); - if (ret != DCM_SUCCESS) { - LOGE("DcmAttestIdsEx fail, ret=%{public}d", ret); - FreeCertChain(dcmCertChain); - return ret; - } - ret = ConvertDcmCertChainToDmCertChain(*dcmCertChain, dmCertChain); - if (ret != DM_OK) { - LOGE("covertToSoftbusCertChain fail. 
ret=%{public}d", ret); - FreeCertChain(dcmCertChain); - return ret; - } - FreeCertChain(dcmCertChain); - LOGI("Success."); - return DM_OK; -} - -int32_t AuthGenerateAttest::InitCertChain(DcmCertChain *certChain) -{ - if (certChain == nullptr) { - LOGE("certChain is nullptr."); - return ERR_DM_INPUT_PARA_INVALID; - } - LOGI("InitCertChain Start"); - certChain->certCount = DM_CERTS_COUNT; - certChain->cert = new DcmBlob[certChain->certCount]; - if (certChain->cert == nullptr) { - certChain->certCount = 0; - LOGE("new dcmCertChain.cert fail!"); - return ERR_DM_MALLOC_FAILED; - } - for (uint32_t i = 0; i < certChain->certCount; ++i) { - certChain->cert[i].data = new uint8_t[DM_CERTIFICATE_SIZE]{0}; - if (certChain->cert[i].data == nullptr) { - certChain->cert[i].size = 0; - for (uint32_t j = 0; j < i; ++j) { - delete[] certChain->cert[j].data; - certChain->cert[j].data = nullptr; - certChain->cert[j].size = 0; - } - delete[] certChain->cert; - certChain->cert = nullptr; - certChain->certCount = 0; - LOGE("new dcmCertChain.cert.data fail!"); - return ERR_DM_MALLOC_FAILED; - } - certChain->cert[i].size = DM_CERTIFICATE_SIZE; - } - return DM_OK; -} - -void AuthGenerateAttest::FreeCertChain(DcmCertChain *chain) -{ - if (chain == nullptr) { - LOGI("chain is nullptr!"); - return; - } - for (uint32_t i = 0; i < chain->certCount; ++i) { - delete[] chain->cert[i].data; - chain->cert[i].data = nullptr; - chain->cert[i].size = 0; - } - delete[] chain->cert; - chain->cert = nullptr; - chain->certCount = 0; - delete chain; -} - -int32_t ValidateInput(const DcmCertChain &dcmCertChain) -{ - if (dcmCertChain.certCount > 0 && dcmCertChain.cert == nullptr) { - LOGE("Invalid cert chain: certCount>0 but cert array is null!"); - return ERR_DM_INPUT_PARA_INVALID; - } - return DM_OK; -} - -int32_t CopyCertificates(const DcmCertChain &dcmCertChain, DmBlob *newCertArray, uint32_t &allocatedCerts) -{ - if (newCertArray == nullptr) { - LOGE("newCertArray is invalid param."); - return 
ERR_DM_INPUT_PARA_INVALID; - } - for (uint32_t i = 0; i < dcmCertChain.certCount; ++i) { - const auto &src = dcmCertChain.cert[i]; - auto &dest = newCertArray[i]; - dest.size = src.size; - dest.data = nullptr; - if (src.size == 0 || src.data == nullptr) continue; - dest.data = new uint8_t[src.size]{0}; - if (dest.data == nullptr) { - allocatedCerts = i; - return ERR_DM_MALLOC_FAILED; - } - - if (memcpy_s(dest.data, src.size, src.data, src.size) != DM_OK) { - delete[] dest.data; - dest.data = nullptr; - allocatedCerts = i; - return ERR_DM_FAILED; - } - allocatedCerts = i + 1; - } - return DM_OK; -} - -int32_t AuthGenerateAttest::ConvertDcmCertChainToDmCertChain(const DcmCertChain &dcmCertChain, DmCertChain &dmCertChain) -{ - LOGI("ConvertDcmCertChainToDmCertChain start!"); - int32_t ret = ValidateInput(dcmCertChain); - if (ret != DM_OK) { - return ret; - } - if (dcmCertChain.certCount == 0) { - dmCertChain.cert = nullptr; - dmCertChain.certCount = 0; - return DM_OK; - } - DmBlob *newCertArray = new DmBlob[dcmCertChain.certCount]; - if (newCertArray == nullptr) { - LOGE("Failed to allocate cert array!"); - return ERR_DM_MALLOC_FAILED; - } - uint32_t allocatedCerts = 0; - ret = CopyCertificates(dcmCertChain, newCertArray, allocatedCerts); - if (ret != DM_OK) { - for (uint32_t j = 0; j < allocatedCerts; ++j) { - delete[] newCertArray[j].data; - } - delete[] newCertArray; - return ret; - } - dmCertChain.cert = newCertArray; - dmCertChain.certCount = dcmCertChain.certCount; - for (uint32_t i = 0; i < dcmCertChain.certCount; ++i) { - delete[] newCertArray[i].data; - } - delete[] newCertArray; - return DM_OK; -} -} // namespace DistributedHardware -} // namespace OHOS \ No newline at end of file diff --git a/services/implementation/src/attest/dm_auth_validate_attest.cpp b/services/implementation/src/attest/dm_auth_validate_attest.cpp deleted file mode 100644 index fdf810b44..000000000 --- a/services/implementation/src/attest/dm_auth_validate_attest.cpp +++ /dev/null 
@@ -1,196 +0,0 @@ -/* - * Copyright (c) 2025 Huawei Device Co., Ltd. - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -#include "dm_auth_validate_attest.h" - -#include "dm_error_type.h" -#include "dm_log.h" - -namespace OHOS { -namespace DistributedHardware { - -int32_t ProcessValidationResult(const char *deviceIdHash, char *udidStr, - uint64_t randNum, const HksParamSet *outputParam) -{ - if (deviceIdHash == nullptr || udidStr == nullptr || outputParam == nullptr) { - LOGE("input param is nullptr."); - return ERR_DM_INPUT_PARA_INVALID; - } - uint32_t cnt = 0; - HksBlob *blob = &outputParam->params[cnt].blob; - if (blob == nullptr) { - LOGE("outputParam blob is nullptr"); - return ERR_DM_GET_PARAM_FAILED; - } - if (memcpy_s(&randNum, sizeof(uint64_t), blob->data, blob->size) != EOK) { - LOGE("memcpy randNum failed"); - return ERR_DM_GET_PARAM_FAILED; - } - blob = &outputParam->params[++cnt].blob; - if (memcpy_s(udidStr, UDID_BUF_LEN, blob->data, blob->size) != EOK) { - LOGE("memcpy udidStr failed"); - return ERR_DM_GET_PARAM_FAILED; - } - std::string certDeviceIdHash = Crypto::GetUdidHash(std::string(udidStr)); - LOGI("accesser udidHash=%{public}s, certudidHash=%{public}s", - GetAnonyString(std::string(deviceIdHash)).c_str(), GetAnonyString(certDeviceIdHash).c_str()); - if (strcmp(deviceIdHash, certDeviceIdHash.c_str()) != 0) { - LOGE("verifyCertificate fail"); - return ERR_DM_DESERIAL_CERT_FAILED; - } - return DM_OK; -} - -int32_t 
AuthValidateAttest::VerifyCertificate(const DmCertChain &dmCertChain, const char *deviceIdHash) -{ - if (deviceIdHash == nullptr) { - LOGE("deviceIdHash is nullptr."); - return ERR_DM_INPUT_PARA_INVALID; - } - LOGI("VerifyCertificate start!"); - char udidStr[UDID_BUF_LEN] = {0}; - uint64_t randNum = 0; - HksCertChain hksCertChain; - int32_t ret = ConvertDmCertChainToHksCertChain(dmCertChain, hksCertChain); - if (ret != DM_OK) { - LOGE("ConvertDmCertChainToHksCertChain fail, ret=%{public}d", ret); - return ret; - } - HksParamSet *outputParam = NULL; - HksParam outputData[] = { - {.tag = HKS_TAG_ATTESTATION_CHALLENGE, .blob = {sizeof(uint64_t), (uint8_t *) &randNum}}, - {.tag = HKS_TAG_ATTESTATION_ID_UDID, .blob = {UDID_BUF_LEN, (uint8_t *)udidStr}}, - }; - ret = FillHksParamSet(&outputParam, outputData, sizeof(outputData) / sizeof(outputData[0])); - if (ret != DM_OK) { - LOGE("FillHksParamSet failed, ret=%{public}d", ret); - FreeHksCertChain(hksCertChain); - return ERR_DM_FAILED; - } - ret = HksValidateCertChain(&hksCertChain, outputParam); - if (ret != HKS_SUCCESS) { - LOGE("HksValidateCertChain fail, ret=%{public}d", ret); - FreeHksCertChain(hksCertChain); - HksFreeParamSet(&outputParam); - return ret; - } - ret = ProcessValidationResult(deviceIdHash, udidStr, randNum, outputParam); - if (ret != DM_OK) { - LOGE("ProcessValidationResult fail, ret=%{public}d", ret); - FreeHksCertChain(hksCertChain); - HksFreeParamSet(&outputParam); - return ret; - } - FreeHksCertChain(hksCertChain); - HksFreeParamSet(&outputParam); - return DM_OK; -} - -int32_t AuthValidateAttest::FillHksParamSet(HksParamSet **paramSet, HksParam *param, int32_t paramNums) -{ - if (param == nullptr) { - LOGE("param is null"); - return ERR_DM_INPUT_PARA_INVALID; - } - int32_t ret = HksInitParamSet(paramSet); - if (ret != HKS_SUCCESS) { - LOGE("HksInitParamSet failed, hks ret = %{public}d", ret); - return ERR_DM_FAILED; - } - ret = HksAddParams(*paramSet, param, paramNums); - if (ret != HKS_SUCCESS) { 
- LOGE("HksAddParams failed, hks ret = %{public}d", ret); - HksFreeParamSet(paramSet); - return ERR_DM_FAILED; - } - ret = HksBuildParamSet(paramSet); - if (ret != HKS_SUCCESS) { - LOGE("HksBuildParamSet failed, hks ret = %{public}d", ret); - HksFreeParamSet(paramSet); - return ERR_DM_FAILED; - } - return DM_OK; -} - -void AuthValidateAttest::FreeHksCertChain(HksCertChain &chain) -{ - if (chain.certs != nullptr) { - for (uint32_t i = 0; i < chain.certsCount; ++i) { - chain.certs[i].size = 0; - delete[] chain.certs[i].data; - chain.certs[i].data = nullptr; - } - delete[] chain.certs; - chain.certs = nullptr; - } - chain.certsCount = 0; -} - -int32_t AllocateHksBlobArray(uint32_t count, HksBlob **outArray) -{ - HksBlob *arr = new HksBlob[count]{0}; - if (arr == nullptr) { - LOGE("Alloc failed for certs"); - return ERR_DM_MALLOC_FAILED; - } - *outArray = arr; - return DM_OK; -} - -int32_t CopySingleCert(const DmBlob &src, HksBlob &dest) -{ - if (src.data == nullptr || src.size == 0) { - LOGE("Invalid src cert"); - return ERR_DM_FAILED; - } - dest.data = new uint8_t[src.size]{0}; - if (dest.data == nullptr) { - LOGE("Alloc failed for size"); - return ERR_DM_MALLOC_FAILED; - } - dest.size = src.size; - if (memcpy_s(dest.data, src.size, src.data, src.size) != 0) { - LOGE("memcpy_s failed size"); - delete[] dest.data; - dest.data = nullptr; - return ERR_DM_FAILED; - } - return DM_OK; -} - -int32_t AuthValidateAttest::ConvertDmCertChainToHksCertChain(const DmCertChain &dmCertChain, HksCertChain &hksCertChain) -{ - if (dmCertChain.certCount == 0 || dmCertChain.cert == nullptr) { - return ERR_DM_INPUT_PARA_INVALID; - } - HksBlob *newCerts = nullptr; - int32_t ret = AllocateHksBlobArray(dmCertChain.certCount, &newCerts); - if (ret != DM_OK) { - LOGE("AllocateHksBlobArray fail, ret = %{public}d", ret); - return ret; - } - for (uint32_t i = 0; i < dmCertChain.certCount; ++i) { - if ((ret = CopySingleCert(dmCertChain.cert[i], newCerts[i])) != DM_OK) { - 
FreeHksCertChain(hksCertChain); - delete[] newCerts; - return ret; - } - } - hksCertChain.certs = newCerts; - hksCertChain.certsCount = dmCertChain.certCount; - return DM_OK; -} -} // namespace DistributedHardware -} // namespace OHOS \ No newline at end of file diff --git a/services/implementation/src/authentication_v2/auth_manager.cpp b/services/implementation/src/authentication_v2/auth_manager.cpp index 04729f6f4..cf5a594b2 100644 --- a/services/implementation/src/authentication_v2/auth_manager.cpp +++ b/services/implementation/src/authentication_v2/auth_manager.cpp @@ -24,6 +24,8 @@ #include "multiple_user_connector.h" #include "auth_manager.h" +#include "dm_auth_cert.h" +#include "dm_auth_attest_common.h" #include "dm_constants.h" #include "dm_crypto.h" #include "dm_random.h" @@ -36,10 +38,6 @@ #include "dm_auth_context.h" #include "dm_auth_message_processor.h" #include "dm_auth_state.h" -#if !defined(DEVICE_MANAGER_COMMON_FLAG) -#include "dm_auth_generate_attest.h" -#include "dm_auth_validate_attest.h" -#endif namespace OHOS { namespace DistributedHardware { @@ -635,12 +633,13 @@ std::string GenerateCertificate(std::shared_ptr context_) return ""; #else DmCertChain dmCertChain; - int32_t certRet = AuthGenerateAttest::GetInstance().GenerateCertificate(dmCertChain); + int32_t certRet = AuthCert::GetInstance().GenerateCertificate(dmCertChain); if (certRet != DM_OK) { LOGE("generate cert fail, certRet = %{public}d", certRet); return ""; } std::string cert = AuthAttestCommon::GetInstance().SerializeDmCertChain(&dmCertChain); + AuthAttestCommon::GetInstance().FreeDmCertChain(dmCertChain); return cert; #endif } diff --git a/services/implementation/src/authentication_v2/auth_stages/auth_negotiate.cpp b/services/implementation/src/authentication_v2/auth_stages/auth_negotiate.cpp index 14046e717..ac96b1326 100644 --- a/services/implementation/src/authentication_v2/auth_stages/auth_negotiate.cpp 
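Review bot: `DmCertChain dmCertChain;` in `GenerateCertificate` (auth_manager.cpp) is left uninitialised, and this patch now hands it to `FreeDmCertChain` after serialisation. If the loaded extension returns `DM_OK` without writing both fields, the free walks an indeterminate pointer and count. Initialise it the way auth_negotiate.cpp does, with `DmCertChain dmCertChain{nullptr, 0};`. The declaration is a context line of the `@@ -635,12 +633,13 @@` hunk, and the function starts outside it.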
+++ b/services/implementation/src/authentication_v2/auth_stages/auth_negotiate.cpp @@ -22,6 +22,8 @@ #include "accessee.h" #include "auth_manager.h" #include "app_manager.h" +#include "dm_auth_cert.h" +#include "dm_auth_attest_common.h" #include "dm_crypto.h" #include "dm_log.h" #include "dm_timer.h" @@ -41,10 +43,6 @@ #include "multiple_user_connector.h" #include "os_account_manager.h" #include "parameter.h" -#if !defined(DEVICE_MANAGER_COMMON_FLAG) -#include "dm_auth_generate_attest.h" -#include "dm_auth_validate_attest.h" -#endif using namespace OHOS::Security::AccessToken; @@ -203,17 +201,19 @@ int32_t VerifyCertificate(std::shared_ptr context) .checkIsSameAccountByUdidHash(context->accesser.deviceIdHash) == DM_OK) { LOGE("src is common device, but the udidHash is identical in acl!"); return ERR_DM_VERIFY_CERT_FAILED; - } + } return DM_OK; - } + } DmCertChain dmCertChain{nullptr, 0}; if (!AuthAttestCommon::GetInstance() .DeserializeDmCertChain(context->accesser.cert, &dmCertChain)) { LOGE("cert deserialize fail!"); return ERR_DM_DESERIAL_CERT_FAILED; - } - int32_t certRet = AuthValidateAttest::GetInstance() + } + int32_t certRet = AuthCert::GetInstance() .VerifyCertificate(dmCertChain, context->accesser.deviceIdHash.c_str()); + // free dmCertChain memory + AuthAttestCommon::GetInstance().FreeDmCertChain(dmCertChain); if (certRet != DM_OK) { LOGE("validate cert fail, certRet = %{public}d", certRet); return ERR_DM_VERIFY_CERT_FAILED; diff --git a/test/commonfuzztest/authenticatedeviceserviceimpl_fuzzer/BUILD.gn b/test/commonfuzztest/authenticatedeviceserviceimpl_fuzzer/BUILD.gn index f79c6dfe0..6a4dccbc0 100644 --- a/test/commonfuzztest/authenticatedeviceserviceimpl_fuzzer/BUILD.gn +++ b/test/commonfuzztest/authenticatedeviceserviceimpl_fuzzer/BUILD.gn 
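Review bot: The early return after a failed `DeserializeDmCertChain` in `VerifyCertificate` does not call `FreeDmCertChain`, while the path after `AuthCert::GetInstance().VerifyCertificate` now does. Whether the deserializer releases a partly built chain on failure is not visible in this diff, and `context->accesser.cert` presumably arrives from the peer device, so this path can be driven by malformed input. If the deserializer does not clean up, add `AuthAttestCommon::GetInstance().FreeDmCertChain(dmCertChain);` before `return ERR_DM_DESERIAL_CERT_FAILED;`. That call is safe on an empty chain because `FreeDmCertChain` only acts when `chain.cert != nullptr`. The function starts outside this hunk, and the three `}` lines it touches change only in whitespace, which is worth confirming as intended.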
@@ -85,13 +85,6 @@ ohos_fuzztest("AuthenticateDeviceServiceImplFuzzTest") { "safwk:system_ability_fwk", "selinux_adapter:librestorecon", ] - - if (!device_manager_common) { - external_deps += [ - "device_certificate_manager:device_cert_mgr_sdk", - "huks:libhukssdk", - ] - } } ############################################################################### diff --git a/test/commonfuzztest/dmauthmanagerv2_fuzzer/BUILD.gn b/test/commonfuzztest/dmauthmanagerv2_fuzzer/BUILD.gn index 93e9b15d9..fb2de39ca 100644 --- a/test/commonfuzztest/dmauthmanagerv2_fuzzer/BUILD.gn +++ b/test/commonfuzztest/dmauthmanagerv2_fuzzer/BUILD.gn @@ -69,13 +69,6 @@ ohos_fuzztest("DmAuthManagerV2FuzzTest") { "DH_LOG_TAG=\"DmAuthManagerV2FuzzTest\"", "LOG_DOMAIN=0xD004110", ] - - if (!device_manager_common) { - external_deps += [ - "device_certificate_manager:device_cert_mgr_sdk", - "huks:libhukssdk", - ] - } } ############################################################################### diff --git a/test/commonfuzztest/ondatareceivedv2_fuzzer/BUILD.gn b/test/commonfuzztest/ondatareceivedv2_fuzzer/BUILD.gn index c6f9f7df8..b81e1b472 100644 --- a/test/commonfuzztest/ondatareceivedv2_fuzzer/BUILD.gn +++ b/test/commonfuzztest/ondatareceivedv2_fuzzer/BUILD.gn @@ -68,13 +68,6 @@ ohos_fuzztest("OnDataReceivedV2FuzzTest") { "DH_LOG_TAG=\"OnDataReceivedV2FuzzTest\"", "LOG_DOMAIN=0xD004110", ] - - if (!device_manager_common) { - external_deps += [ - "device_certificate_manager:device_cert_mgr_sdk", - "huks:libhukssdk", - ] - } } ############################################################################### diff --git a/test/unittest/BUILD.gn b/test/unittest/BUILD.gn index a82f0cd59..f0af8d78f 100644 --- a/test/unittest/BUILD.gn +++ b/test/unittest/BUILD.gn 
@@ -400,13 +400,6 @@ ohos_unittest("UTTest_device_manager_service") { "hilog:libhilog", "selinux_adapter:librestorecon", ] - - if (!device_manager_common) { - external_deps += [ - "device_certificate_manager:device_cert_mgr_sdk", - "huks:libhukssdk", - ] - } } ## UnitTest UTTest_device_manager_service }}} @@ -434,13 +427,6 @@ ohos_unittest("UTTest_dm_softbus_cache") { "hilog:libhilog", "selinux_adapter:librestorecon", ] - - if (!device_manager_common) { - external_deps += [ - "device_certificate_manager:device_cert_mgr_sdk", - "huks:libhukssdk", - ] - } } ## UnitTest UTTest_dm_softbus_cache }}} @@ -474,13 +460,6 @@ ohos_unittest("UTTest_device_manager_service_three") { "hilog:libhilog", "selinux_adapter:librestorecon", ] - - if (!device_manager_common) { - external_deps += [ - "device_certificate_manager:device_cert_mgr_sdk", - "huks:libhukssdk", - ] - } } ## UnitTest UTTest_device_manager_service_three }}} @@ -1271,13 +1250,6 @@ ohos_unittest("UTTest_device_manager_service_impl") { "os_account:libaccountkits", "os_account:os_account_innerkits", ] - - if (!device_manager_common) { - external_deps += [ - "device_certificate_manager:device_cert_mgr_sdk", - "huks:libhukssdk", - ] - } } ## UnitTest UTTest_device_manager_service_impl }}} @@ -1308,13 +1280,6 @@ ohos_unittest("UTTest_device_manager_service_impl_first") { "os_account:libaccountkits", "os_account:os_account_innerkits", ] - - if (!device_manager_common) { - external_deps += [ - "device_certificate_manager:device_cert_mgr_sdk", - "huks:libhukssdk", - ] - } } ## UnitTest UTTest_device_manager_service_impl_first }}} @@ -2072,13 +2037,6 @@ ohos_unittest("UTTest_auth_pin_auth_state") { "googletest:gmock_main", "hilog:libhilog", ] - - if (!device_manager_common) { - external_deps += [ - "device_certificate_manager:device_cert_mgr_sdk", - "huks:libhukssdk", - ] - } } ## UnitTest UTTest_auth_pin_auth_state }}} 
@@ -2137,13 +2095,6 @@ ohos_unittest("UTTest_auth_credential_state") { "googletest:gmock_main", "hilog:libhilog", ] - - if (!device_manager_common) { - external_deps += [ - "device_certificate_manager:device_cert_mgr_sdk", - "huks:libhukssdk", - ] - } } ## UnitTest UTTest_auth_credential_state }}} @@ -2175,13 +2126,6 @@ ohos_unittest("UTTest_auth_acl") { "googletest:gmock_main", "hilog:libhilog", ] - - if (!device_manager_common) { - external_deps += [ - "device_certificate_manager:device_cert_mgr_sdk", - "huks:libhukssdk", - ] - } } ## UnitTest UTTest_auth_acl }}} @@ -2215,13 +2159,6 @@ ohos_unittest("UTTest_auth_negotiate") { "googletest:gmock_main", "hilog:libhilog", ] - - if (!device_manager_common) { - external_deps += [ - "device_certificate_manager:device_cert_mgr_sdk", - "huks:libhukssdk", - ] - } } ## UnitTest UTTest_auth_negotiate }}} -- Gitee From ce9003480ed215aa054574ff41a7c3dcd2f15798 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=9D=8E=E5=B7=8D?= Date: Thu, 29 May 2025 19:45:11 +0800 Subject: [PATCH 2/4] =?UTF-8?q?=E5=A2=9E=E5=8A=A0=E6=A0=A1=E9=AA=8C?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 李巍 --- .../implementation/src/attest/dm_auth_attest_common.cpp | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/services/implementation/src/attest/dm_auth_attest_common.cpp b/services/implementation/src/attest/dm_auth_attest_common.cpp index e4747b615..50a43b60a 100644 --- a/services/implementation/src/attest/dm_auth_attest_common.cpp +++ b/services/implementation/src/attest/dm_auth_attest_common.cpp @@ -21,7 +21,7 @@ namespace OHOS { namespace DistributedHardware { -const int32_t MAX_CERT_COUNT = 1024; +const int32_t MAX_CERT_COUNT = 100; constexpr int32_t HEX_TO_UINT8 = 2; AuthAttestCommon::AuthAttestCommon() 
@@ -36,7 +36,7 @@ AuthAttestCommon::~AuthAttestCommon() std::string AuthAttestCommon::SerializeDmCertChain(const DmCertChain *chain) { - if (chain == nullptr || chain->cert == nullptr || chain->certCount == 0) { + if (chain == nullptr || chain->cert == nullptr || chain->certCount == 0 || chain->certCount > MAX_CERT_COUNT) { LOGE("input param is invalid."); return "{}"; } @@ -164,6 +164,8 @@ void AuthAttestCommon::FreeDmCertChain(DmCertChain &chain) if (chain.cert != nullptr) { for (uint32_t i = 0; i < chain.certCount; ++i) { delete[] chain.cert[i].data; + chain.cert[i].data = nullptr; + chain.cert[i].size = 0; } delete[] chain.cert; chain.cert = nullptr; -- Gitee From ddc3d08545c51232e05d8f578fe06f6cb1f1f656 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=9D=8E=E5=B7=8D?= Date: Thu, 29 May 2025 20:01:06 +0800 Subject: [PATCH 3/4] =?UTF-8?q?=E5=A2=9E=E5=8A=A0endIf?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 李巍 --- common/include/i_dm_auth_cert_ext.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/common/include/i_dm_auth_cert_ext.h b/common/include/i_dm_auth_cert_ext.h index 657b5cf13..fafda279c 100644 --- a/common/include/i_dm_auth_cert_ext.h +++ b/common/include/i_dm_auth_cert_ext.h @@ -29,4 +29,5 @@ public: using CreateDMAuthCertFuncPtr = IDMAuthCertExt *(*)(void); } // namespace DistributedHardware -} // namespace OHOS \ No newline at end of file +} // namespace OHOS +#endif // OHOS_I_DM_AUTH_CERT_EXT_H \ No newline at end of file -- Gitee From 715fedc1520cc184f49554483ace6dde1dd3ae74 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=9D=8E=E5=B7=8D?= Date: Thu, 29 May 2025 23:10:36 +0800 Subject: [PATCH 4/4] =?UTF-8?q?=E6=A3=80=E8=A7=86=E6=84=8F=E8=A7=81?= =?UTF-8?q?=E6=95=B4=E6=94=B9?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
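Review bot: In `SerializeDmCertChain`, the added `chain->certCount > MAX_CERT_COUNT` compares a `uint32_t` field with a `const int32_t`, which is correct for 100 but relies on an implicit signed-to-unsigned conversion and will trip sign-compare warnings. Declaring the constant in the first hunk of this file as `constexpr uint32_t MAX_CERT_COUNT = 100;` keeps the comparison unsigned, unless other uses outside these hunks need the signed type. The bound matters most where the chain is parsed from the peer; `DeserializeDmCertChain` is not shown here, so it is worth confirming that it rejects counts above `MAX_CERT_COUNT` before allocating.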
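Review bot: In `FreeDmCertChain`, the two added stores `chain.cert[i].data = nullptr;` and `chain.cert[i].size = 0;` write into array elements that `delete[] chain.cert;` releases right after the loop, so they have no lasting effect. What makes a second call safe is `chain.cert = nullptr;` plus a reset of the count, and `chain.certCount = 0;` is not visible in this hunk, so confirm it follows. The loop also assumes every `data` pointer up to `certCount` is either valid or null; if the allocation site (outside this hunk) does not zero the blobs, a chain left half-filled by a failed deserialize would reach `delete[]` on an uninitialised pointer.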
Signed-off-by: 李巍 --- commondependency/include/deviceprofile_connector.h | 2 +- commondependency/src/deviceprofile_connector.cpp | 2 +- .../src/authentication_v2/auth_stages/auth_negotiate.cpp | 3 ++- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/commondependency/include/deviceprofile_connector.h b/commondependency/include/deviceprofile_connector.h index 81505fbd3..f68ca375e 100644 --- a/commondependency/include/deviceprofile_connector.h +++ b/commondependency/include/deviceprofile_connector.h @@ -291,7 +291,7 @@ public: std::map> &aclMap, std::string dmVersion = ""); void GenerateAclHash(DistributedDeviceProfile::AccessControlProfile &acl, std::map> &aclMap, const std::string &dmVersion); - DM_EXPORT int32_t checkIsSameAccountByUdidHash(const std::string &udidHash); + DM_EXPORT int32_t CheckIsSameAccountByUdidHash(const std::string &udidHash); DM_EXPORT int32_t GetAclListHashStr(const DevUserInfo &localDevUserInfo, const DevUserInfo &remoteDevUserInfo, std::string &aclListHash, std::string dmVersion = ""); DM_EXPORT bool IsLnnAcl(const DistributedDeviceProfile::AccessControlProfile &profile); diff --git a/commondependency/src/deviceprofile_connector.cpp b/commondependency/src/deviceprofile_connector.cpp index ea886490e..30a00a769 100644 --- a/commondependency/src/deviceprofile_connector.cpp +++ b/commondependency/src/deviceprofile_connector.cpp @@ -1615,7 +1615,7 @@ DM_EXPORT int32_t DeviceProfileConnector::IsSameAccount(const std::string &udid) return ERR_DM_FAILED; } -DM_EXPORT int32_t DeviceProfileConnector::checkIsSameAccountByUdidHash(const std::string &udidHash) +DM_EXPORT int32_t DeviceProfileConnector::CheckIsSameAccountByUdidHash(const std::string &udidHash) { if (udidHash.empty()) { LOGE("udidHash is empty!"); diff --git a/services/implementation/src/authentication_v2/auth_stages/auth_negotiate.cpp b/services/implementation/src/authentication_v2/auth_stages/auth_negotiate.cpp index ac96b1326..0639821f5 100644 
--- a/services/implementation/src/authentication_v2/auth_stages/auth_negotiate.cpp +++ b/services/implementation/src/authentication_v2/auth_stages/auth_negotiate.cpp @@ -185,6 +185,7 @@ int32_t AuthSinkNegotiateStateMachine::ProcRespNegotiate5_1_0(std::shared_ptr context) { #ifdef DEVICE_MANAGER_COMMON_FLAG + (void)context; LOGI("Blue device do not verify cert!"); return DM_OK; #else @@ -198,7 +199,7 @@ int32_t VerifyCertificate(std::shared_ptr context) && context->accesser.isCommonFlag == true) { LOGI("src is common device."); if (DeviceProfileConnector::GetInstance() - .checkIsSameAccountByUdidHash(context->accesser.deviceIdHash) == DM_OK) { + .CheckIsSameAccountByUdidHash(context->accesser.deviceIdHash) == DM_OK) { LOGE("src is common device, but the udidHash is identical in acl!"); return ERR_DM_VERIFY_CERT_FAILED; } -- Gitee
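Review bot: The `DEVICE_MANAGER_COMMON_FLAG` branch of `VerifyCertificate` returns `DM_OK` for every peer, and the only record of that is the `LOGI` text next to the new `(void)context;`. A comment on the branch would make the consequence explicit for callers, for example `// DEVICE_MANAGER_COMMON_FLAG build: the peer certificate is not checked here; DM_OK does not mean the peer was attested.` The function body continues outside this hunk.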