From e2863781221127b1bd27b75bc5bcef04d5788df9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=9D=8E=E5=B7=8D?= Date: Wed, 18 Jun 2025 16:54:58 +0800 Subject: [PATCH 1/4] =?UTF-8?q?=E5=A2=9E=E5=8A=A0=E8=AF=81=E4=B9=A6?= =?UTF-8?q?=E6=A0=A1=E9=AA=8C?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 李巍 --- common/include/dm_constants.h | 1 + common/src/dm_constants.cpp | 3 +- .../auth_stages/auth_acl.cpp | 50 ++++++++++++++++++- .../auth_stages/auth_credential.cpp | 31 ++++++++++-- .../auth_stages/auth_negotiate.cpp | 2 - .../dm_auth_message_processor.cpp | 5 +- 6 files changed, 82 insertions(+), 10 deletions(-) diff --git a/common/include/dm_constants.h b/common/include/dm_constants.h index ef2572271..e888cde22 100755 --- a/common/include/dm_constants.h +++ b/common/include/dm_constants.h @@ -184,6 +184,7 @@ extern const char* DM_VERSION_5_0_3; extern const char* DM_VERSION_5_0_4; extern const char* DM_VERSION_5_0_5; extern const char* DM_VERSION_5_1_0; +extern const char* DM_VERSION_5_1_1; extern const char* DM_CURRENT_VERSION; extern const char* DM_ACL_AGING_VERSION; extern const char* DM_VERSION_5_0_OLD_MAX; // Estimated highest version number of the old version diff --git a/common/src/dm_constants.cpp b/common/src/dm_constants.cpp index fe35b8f0f..d3b86ae71 100644 --- a/common/src/dm_constants.cpp +++ b/common/src/dm_constants.cpp @@ -172,7 +172,8 @@ const char* DM_VERSION_5_0_3 = "5.0.3"; const char* DM_VERSION_5_0_4 = "5.0.4"; const char* DM_VERSION_5_0_5 = "5.0.5"; const char* DM_VERSION_5_1_0 = "5.1.0"; -const char* DM_CURRENT_VERSION = DM_VERSION_5_1_0; +const char* DM_VERSION_5_1_0 = "5.1.1"; +const char* DM_CURRENT_VERSION = DM_VERSION_5_1_1; const char* DM_ACL_AGING_VERSION = DM_VERSION_5_1_0; const char* DM_VERSION_5_0_OLD_MAX = "5.0.99"; // Estimated highest version number of the old version } // namespace DistributedHardware diff --git a/services/implementation/src/authentication_v2/auth_stages/auth_acl.cpp b/services/implementation/src/authentication_v2/auth_stages/auth_acl.cpp index 950e09b05..546aa54ef 100644 --- a/services/implementation/src/authentication_v2/auth_stages/auth_acl.cpp +++ b/services/implementation/src/authentication_v2/auth_stages/auth_acl.cpp @@ -18,6 +18,8 @@ #include "auth_manager.h" #include "deviceprofile_connector.h" +#include "dm_auth_attest_common.h" +#include "dm_auth_cert.h" #include "dm_auth_context.h" #include "dm_auth_state.h" #include "dm_auth_state_machine.h" @@ -31,6 +33,47 @@ namespace DistributedHardware { const int32_t USLEEP_TIME_US_500000 = 500000; // 500ms +int32_t VerifyCertificate(std::shared_ptr context) +{ +#ifdef DEVICE_MANAGER_COMMON_FLAG + (void)context; + LOGI("Blue device do not verify cert!"); + return DM_OK; +#else + // Compatible with 5.1.0 and earlier + if (!CompareVersion(context->accesser.dmVersion, DM_VERSION_5_1_0)) { + LOGI("cert verify is not supported"); + return DM_OK; + } + // Compatible common device + if (CompareVersion(context->accesser.dmVersion, DM_VERSION_5_1_0) + && context->accesser.isCommonFlag == true) { + LOGI("src is common device."); + if (DeviceProfileConnector::GetInstance() + .CheckIsSameAccountByUdidHash(context->accesser.deviceIdHash) == DM_OK) { + LOGE("src is common device, but the udidHash is identical in acl!"); + return ERR_DM_VERIFY_CERT_FAILED; + } + return DM_OK; + } + DmCertChain dmCertChain{nullptr, 0}; + if (!AuthAttestCommon::GetInstance() + .DeserializeDmCertChain(context->accesser.cert, &dmCertChain)) { + LOGE("cert deserialize fail!"); + return ERR_DM_DESERIAL_CERT_FAILED; + } + int32_t certRet = AuthCert::GetInstance() + .VerifyCertificate(dmCertChain, context->accesser.deviceIdHash.c_str()); + // free dmCertChain memory + AuthAttestCommon::GetInstance().FreeDmCertChain(dmCertChain); + if (certRet != DM_OK) { + LOGE("validate cert fail, certRet = %{public}d", certRet); + return ERR_DM_VERIFY_CERT_FAILED; + } + return DM_OK; +#endif +} + // Received 180 synchronization message, send 190 message int32_t AuthSinkDataSyncState::Action(std::shared_ptr context) { @@ -38,7 +81,12 @@ int32_t AuthSinkDataSyncState::Action(std::shared_ptr context) // Query the ACL of the sink end. Compare the ACLs at both ends. context->softbusConnector->SyncLocalAclListProcess({context->accessee.deviceId, context->accessee.userId}, {context->accesser.deviceId, context->accesser.userId}, context->accesser.aclStrList); - + int32_t ret = VerifyCertificate(context); + if (ret != DM_OK) { + LOGE("AuthSinkNegotiateStateMachine::Action cert verify fail!"); + context->reason = ret; + return ret; + } // Synchronize the local SP information, the format is uncertain, not done for now context->authMessageProcessor->CreateAndSendMsg(MSG_TYPE_RESP_DATA_SYNC, context); context->accessee.deviceName = context->softbusConnector->GetLocalDeviceName(); diff --git a/services/implementation/src/authentication_v2/auth_stages/auth_credential.cpp b/services/implementation/src/authentication_v2/auth_stages/auth_credential.cpp index a483b4ad8..1b0397fae 100644 --- a/services/implementation/src/authentication_v2/auth_stages/auth_credential.cpp +++ b/services/implementation/src/authentication_v2/auth_stages/auth_credential.cpp @@ -16,6 +16,8 @@ #include #include #include +#include "dm_auth_attest_common.h" +#include "dm_auth_cert.h" #include "dm_auth_context.h" #include "dm_auth_manager_base.h" #include "dm_auth_message_processor.h" @@ -108,6 +110,29 @@ DmAuthStateType AuthSrcCredentialAuthDoneState::GetStateType() return DmAuthStateType::AUTH_SRC_CREDENTIAL_AUTH_DONE_STATE; } +std::string GenerateCertificate(std::shared_ptr context) +{ +#ifdef DEVICE_MANAGER_COMMON_FLAG + if (context == nullptr) { + LOGE("context_ is nullptr!"); + return ""; + } + context->accesser.isCommonFlag = true; + LOGI("Blue device do not generate cert!"); + return ""; +#else + DmCertChain dmCertChain; + int32_t certRet = AuthCert::GetInstance().GenerateCertificate(dmCertChain); + if (certRet != DM_OK) { + LOGE("generate cert fail, certRet = %{public}d", certRet); + return ""; + } + std::string cert = AuthAttestCommon::GetInstance().SerializeDmCertChain(&dmCertChain); + AuthAttestCommon::GetInstance().FreeDmCertChain(dmCertChain); + return cert; +#endif +} + int32_t AuthSrcCredentialAuthDoneState::Action(std::shared_ptr context) { // decrypt and transmit transmitData @@ -115,7 +140,6 @@ int32_t AuthSrcCredentialAuthDoneState::Action(std::shared_ptr co if (ret != DM_OK) { return ret; } - // Authentication completion triggers the Onfinish callback event. if (context->authStateMachine->WaitExpectEvent(ON_FINISH) != ON_FINISH) { LOGE("AuthSrcCredentialAuthDoneState::Action Hichain auth SINK transmit data failed"); @@ -128,7 +152,6 @@ int32_t AuthSrcCredentialAuthDoneState::Action(std::shared_ptr co LOGE("AuthSrcCredentialAuthDoneState::Action DP save user session key failed"); return ret; } - // first time joinLnn, auth lnnCredential if (context->accesser.isGenerateLnnCredential == true && context->isAppCredentialVerified == false && context->accesser.bindLevel != USER) { @@ -141,7 +164,6 @@ int32_t AuthSrcCredentialAuthDoneState::Action(std::shared_ptr co LOGE("AuthSrcCredentialAuthDoneState::Action Hichain auth credentail failed"); return ret; } - // wait for onTransmit event if (context->authStateMachine->WaitExpectEvent(ON_TRANSMIT) != ON_TRANSMIT) { LOGE("AuthSrcCredentialAuthDoneState::Action failed, ON_TRANSMIT event not arrived."); @@ -151,9 +173,11 @@ int32_t AuthSrcCredentialAuthDoneState::Action(std::shared_ptr co } else if (context->accesser.isGenerateLnnCredential == true && context->accesser.bindLevel != USER) { SetAuthContext(skId, context->accesser.lnnSkTimeStamp, context->accesser.lnnSessionKeyId); msgType = MSG_TYPE_REQ_DATA_SYNC; + context->accesser.cert = GenerateCertificate(context); } else { // Non-first-time authentication transport credential process SetAuthContext(skId, context->accesser.transmitSkTimeStamp, context->accesser.transmitSessionKeyId); msgType = MSG_TYPE_REQ_DATA_SYNC; + context->accesser.cert = GenerateCertificate(context); } std::string message = context->authMessageProcessor->CreateMessage(msgType, context); @@ -161,7 +185,6 @@ int32_t AuthSrcCredentialAuthDoneState::Action(std::shared_ptr co LOGE("AuthSrcCredentialAuthDoneState::Action CreateMessage failed"); return ERR_DM_FAILED; } - return context->softbusConnector->GetSoftbusSession()->SendData(context->sessionId, message); } diff --git a/services/implementation/src/authentication_v2/auth_stages/auth_negotiate.cpp b/services/implementation/src/authentication_v2/auth_stages/auth_negotiate.cpp index 2a4066dbf..eae7d1726 100644 --- a/services/implementation/src/authentication_v2/auth_stages/auth_negotiate.cpp +++ b/services/implementation/src/authentication_v2/auth_stages/auth_negotiate.cpp @@ -24,8 +24,6 @@ #include "app_manager.h" #include "business_event.h" #include "distributed_device_profile_client.h" -#include "dm_auth_cert.h" -#include "dm_auth_attest_common.h" #include "dm_crypto.h" #include "dm_log.h" #include "dm_timer.h" diff --git a/services/implementation/src/authentication_v2/dm_auth_message_processor.cpp b/services/implementation/src/authentication_v2/dm_auth_message_processor.cpp index 03712b2b4..9d5d6fcab 100644 --- a/services/implementation/src/authentication_v2/dm_auth_message_processor.cpp +++ b/services/implementation/src/authentication_v2/dm_auth_message_processor.cpp @@ -836,7 +836,7 @@ int32_t DmAuthMessageProcessor::ParseSyncMessage(std::shared_ptr context->confirmOperation = static_cast(userConfirmOpt); } } - + ParseCert(jsonObject, context); return DM_OK; } @@ -1430,7 +1430,8 @@ int32_t DmAuthMessageProcessor::EncryptSyncMessage(std::shared_ptrconfirmOperation; } - + syncMsgJson[TAG_IS_COMMON_FLAG] = context->accesser.isCommonFlag; + syncMsgJson[TAG_DM_CERT_CHAIN] = context->accesser.cert; std::string syncMsg = syncMsgJson.Dump(); std::string compressMsg = CompressSyncMsg(syncMsg); if (compressMsg.empty()) { -- Gitee From 4d272921dfd4d46eed843839dc2df55da86c95dd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=9D=8E=E5=B7=8D?= Date: Wed, 18 Jun 2025 17:41:28 +0800 Subject: [PATCH 2/4] =?UTF-8?q?=E6=A3=80=E8=A7=86=E4=BF=AE=E6=94=B9?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 李巍 --- common/src/dm_constants.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/common/src/dm_constants.cpp b/common/src/dm_constants.cpp index d3b86ae71..73eee5e9c 100644 --- a/common/src/dm_constants.cpp +++ b/common/src/dm_constants.cpp @@ -172,7 +172,7 @@ const char* DM_VERSION_5_0_3 = "5.0.3"; const char* DM_VERSION_5_0_4 = "5.0.4"; const char* DM_VERSION_5_0_5 = "5.0.5"; const char* DM_VERSION_5_1_0 = "5.1.0"; -const char* DM_VERSION_5_1_0 = "5.1.1"; +const char* DM_VERSION_5_1_1 = "5.1.1"; const char* DM_CURRENT_VERSION = DM_VERSION_5_1_1; const char* DM_ACL_AGING_VERSION = DM_VERSION_5_1_0; const char* DM_VERSION_5_0_OLD_MAX = "5.0.99"; // Estimated highest version number of the old version -- Gitee From 5e097f0ff3055b2e7c71bd8353c33a84f9f28c1e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=9D=8E=E5=B7=8D?= Date: Wed, 18 Jun 2025 20:07:05 +0800 Subject: [PATCH 3/4] =?UTF-8?q?=E6=A0=BC=E5=BC=8F=E6=95=B4=E6=94=B9?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 李巍 --- .../auth_stages/auth_acl.cpp | 26 +++++++++++-------- 1 file changed, 15 insertions(+), 11 deletions(-) diff --git a/services/implementation/src/authentication_v2/auth_stages/auth_acl.cpp b/services/implementation/src/authentication_v2/auth_stages/auth_acl.cpp index 546aa54ef..4c619ccac 100644 --- a/services/implementation/src/authentication_v2/auth_stages/auth_acl.cpp +++ b/services/implementation/src/authentication_v2/auth_stages/auth_acl.cpp @@ -40,30 +40,34 @@ int32_t VerifyCertificate(std::shared_ptr context) LOGI("Blue device do not verify cert!"); return DM_OK; #else + if (context == nullptr) { + LOGE("context_ is nullptr!"); + return ERR_DM_POINT_NULL; + } // Compatible with 5.1.0 and earlier if (!CompareVersion(context->accesser.dmVersion, DM_VERSION_5_1_0)) { LOGI("cert verify is not supported"); return DM_OK; } // Compatible common device - if (CompareVersion(context->accesser.dmVersion, DM_VERSION_5_1_0) - && context->accesser.isCommonFlag == true) { + if (CompareVersion(context->accesser.dmVersion, DM_VERSION_5_1_0) && + context->accesser.isCommonFlag == true) { LOGI("src is common device."); - if (DeviceProfileConnector::GetInstance() - .CheckIsSameAccountByUdidHash(context->accesser.deviceIdHash) == DM_OK) { + if (DeviceProfileConnector::GetInstance(). + CheckIsSameAccountByUdidHash(context->accesser.deviceIdHash) == DM_OK) { LOGE("src is common device, but the udidHash is identical in acl!"); return ERR_DM_VERIFY_CERT_FAILED; - } - return DM_OK; } + return DM_OK; + } DmCertChain dmCertChain{nullptr, 0}; - if (!AuthAttestCommon::GetInstance() - .DeserializeDmCertChain(context->accesser.cert, &dmCertChain)) { + if (!AuthAttestCommon::GetInstance(). + DeserializeDmCertChain(context->accesser.cert, &dmCertChain)) { LOGE("cert deserialize fail!"); return ERR_DM_DESERIAL_CERT_FAILED; - } - int32_t certRet = AuthCert::GetInstance() - .VerifyCertificate(dmCertChain, context->accesser.deviceIdHash.c_str()); + } + int32_t certRet = AuthCert::GetInstance(). + VerifyCertificate(dmCertChain, context->accesser.deviceIdHash.c_str()); // free dmCertChain memory AuthAttestCommon::GetInstance().FreeDmCertChain(dmCertChain); if (certRet != DM_OK) { -- Gitee From 566a7cb3bdf5dcd020951bf237df8fbcbc3f6855 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=9D=8E=E5=B7=8D?= Date: Wed, 18 Jun 2025 21:45:49 +0800 Subject: [PATCH 4/4] =?UTF-8?q?=E6=A3=80=E8=A7=86=E6=84=8F=E8=A7=81?= =?UTF-8?q?=E6=95=B4=E6=94=B9?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 李巍 --- .../include/authentication_v2/dm_auth_state.h | 4 ++++ .../src/authentication_v2/auth_stages/auth_acl.cpp | 11 ++++++----- .../authentication_v2/auth_stages/auth_credential.cpp | 8 ++++---- .../authentication_v2/dm_auth_message_processor.cpp | 1 - 4 files changed, 14 insertions(+), 10 deletions(-) diff --git a/services/implementation/include/authentication_v2/dm_auth_state.h b/services/implementation/include/authentication_v2/dm_auth_state.h index 87ebc199c..e76128700 100644 --- a/services/implementation/include/authentication_v2/dm_auth_state.h +++ b/services/implementation/include/authentication_v2/dm_auth_state.h @@ -428,6 +428,8 @@ public: virtual ~AuthSrcCredentialAuthDoneState() {}; DmAuthStateType GetStateType() override; int32_t Action(std::shared_ptr context) override; +private: + std::string GenerateCertificate(std::shared_ptr context); }; class AuthSinkCredentialAuthStartState : public DmAuthState { @@ -486,6 +488,8 @@ public: virtual ~AuthSinkDataSyncState() {}; DmAuthStateType GetStateType() override; int32_t Action(std::shared_ptr context) override; +private: + int32_t VerifyCertificate(std::shared_ptr context); }; class AuthSrcDataSyncState : public DmAuthState { diff --git a/services/implementation/src/authentication_v2/auth_stages/auth_acl.cpp b/services/implementation/src/authentication_v2/auth_stages/auth_acl.cpp index 4c619ccac..40a662089 100644 --- a/services/implementation/src/authentication_v2/auth_stages/auth_acl.cpp +++ b/services/implementation/src/authentication_v2/auth_stages/auth_acl.cpp @@ -33,11 +33,11 @@ namespace DistributedHardware { const int32_t USLEEP_TIME_US_500000 = 500000; // 500ms -int32_t VerifyCertificate(std::shared_ptr context) +int32_t AuthSinkDataSyncState::VerifyCertificate(std::shared_ptr context) { #ifdef DEVICE_MANAGER_COMMON_FLAG (void)context; - LOGI("Blue device do not verify cert!"); + LOGI("open source device do not verify cert!"); return DM_OK; #else if (context == nullptr) { @@ -82,15 +82,16 @@ int32_t VerifyCertificate(std::shared_ptr context) int32_t AuthSinkDataSyncState::Action(std::shared_ptr context) { LOGI("AuthSinkDataSyncState::Action start"); - // Query the ACL of the sink end. Compare the ACLs at both ends. - context->softbusConnector->SyncLocalAclListProcess({context->accessee.deviceId, context->accessee.userId}, - {context->accesser.deviceId, context->accesser.userId}, context->accesser.aclStrList); + // verify device cert int32_t ret = VerifyCertificate(context); if (ret != DM_OK) { LOGE("AuthSinkNegotiateStateMachine::Action cert verify fail!"); context->reason = ret; return ret; } + // Query the ACL of the sink end. Compare the ACLs at both ends. + context->softbusConnector->SyncLocalAclListProcess({context->accessee.deviceId, context->accessee.userId}, + {context->accesser.deviceId, context->accesser.userId}, context->accesser.aclStrList); // Synchronize the local SP information, the format is uncertain, not done for now context->authMessageProcessor->CreateAndSendMsg(MSG_TYPE_RESP_DATA_SYNC, context); context->accessee.deviceName = context->softbusConnector->GetLocalDeviceName(); diff --git a/services/implementation/src/authentication_v2/auth_stages/auth_credential.cpp b/services/implementation/src/authentication_v2/auth_stages/auth_credential.cpp index 1b0397fae..363cb393f 100644 --- a/services/implementation/src/authentication_v2/auth_stages/auth_credential.cpp +++ b/services/implementation/src/authentication_v2/auth_stages/auth_credential.cpp @@ -110,7 +110,7 @@ DmAuthStateType AuthSrcCredentialAuthDoneState::GetStateType() return DmAuthStateType::AUTH_SRC_CREDENTIAL_AUTH_DONE_STATE; } -std::string GenerateCertificate(std::shared_ptr context) +std::string AuthSrcCredentialAuthDoneState::GenerateCertificate(std::shared_ptr context) { #ifdef DEVICE_MANAGER_COMMON_FLAG if (context == nullptr) { @@ -118,7 +118,7 @@ std::string GenerateCertificate(std::shared_ptr context) return ""; } context->accesser.isCommonFlag = true; - LOGI("Blue device do not generate cert!"); + LOGI("open device do not generate cert!"); return ""; #else DmCertChain dmCertChain; @@ -172,12 +172,12 @@ int32_t AuthSrcCredentialAuthDoneState::Action(std::shared_ptr co // First-time authentication and Lnn credential process } else if (context->accesser.isGenerateLnnCredential == true && context->accesser.bindLevel != USER) { SetAuthContext(skId, context->accesser.lnnSkTimeStamp, context->accesser.lnnSessionKeyId); - msgType = MSG_TYPE_REQ_DATA_SYNC; context->accesser.cert = GenerateCertificate(context); + msgType = MSG_TYPE_REQ_DATA_SYNC; } else { // Non-first-time authentication transport credential process SetAuthContext(skId, context->accesser.transmitSkTimeStamp, context->accesser.transmitSessionKeyId); - msgType = MSG_TYPE_REQ_DATA_SYNC; context->accesser.cert = GenerateCertificate(context); + msgType = MSG_TYPE_REQ_DATA_SYNC; } std::string message = context->authMessageProcessor->CreateMessage(msgType, context); diff --git a/services/implementation/src/authentication_v2/dm_auth_message_processor.cpp b/services/implementation/src/authentication_v2/dm_auth_message_processor.cpp index 9d5d6fcab..820a997d7 100644 --- a/services/implementation/src/authentication_v2/dm_auth_message_processor.cpp +++ b/services/implementation/src/authentication_v2/dm_auth_message_processor.cpp @@ -994,7 +994,6 @@ int32_t DmAuthMessageProcessor::ParseNegotiateMessage( } ParseAccesserInfo(jsonObject, context); ParseUltrasonicSide(jsonObject, context); - ParseCert(jsonObject, context); context->authStateMachine->TransitionTo(std::make_shared()); return DM_OK; } -- Gitee