From 04770181f4f9d0c5ddfe9ea08d44096561e3d271 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=9D=8E=E5=B7=8D?= Date: Thu, 7 Aug 2025 14:31:33 +0800 Subject: [PATCH 1/4] =?UTF-8?q?=E8=AE=BE=E5=A4=87=E8=AF=81=E4=B9=A6?= =?UTF-8?q?=E9=87=8D=E6=94=BE?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 李巍 --- common/include/dm_constants.h | 1 + common/include/i_dm_auth_cert_ext.h | 2 ++ common/src/dm_constants.cpp | 3 +- .../include/attest/dm_auth_cert.h | 2 ++ .../include/authentication_v2/auth_manager.h | 2 -- .../authentication_v2/dm_auth_context.h | 6 ++-- .../authentication_v2/dm_auth_manager_base.h | 1 + .../include/authentication_v2/dm_auth_state.h | 4 +++ .../src/attest/dm_auth_cert.cpp | 18 +++++++++++ .../src/authentication_v2/auth_manager.cpp | 32 ------------------- .../auth_stages/auth_confirm.cpp | 32 +++++++++++++++++++ .../auth_stages/auth_negotiate.cpp | 3 ++ .../dm_auth_manager_base.cpp | 1 + .../dm_auth_message_processor.cpp | 15 +++------ 14 files changed, 74 insertions(+), 48 deletions(-) diff --git a/common/include/dm_constants.h b/common/include/dm_constants.h index 91877cd19..403201b60 100755 --- a/common/include/dm_constants.h +++ b/common/include/dm_constants.h @@ -200,6 +200,7 @@ extern const char* DM_VERSION_5_1_0; extern const char* DM_VERSION_5_1_1; extern const char* DM_VERSION_5_1_2; extern const char* DM_VERSION_5_1_3; +extern const char* DM_VERSION_5_1_4; extern const char* DM_CURRENT_VERSION; extern const char* DM_ACL_AGING_VERSION; extern const char* DM_VERSION_5_0_OLD_MAX; // Estimated highest version number of the old version diff --git a/common/include/i_dm_auth_cert_ext.h b/common/include/i_dm_auth_cert_ext.h index fafda279c..e9b801927 100644 --- a/common/include/i_dm_auth_cert_ext.h +++ b/common/include/i_dm_auth_cert_ext.h @@ -25,6 +25,8 @@ public: virtual ~IDMAuthCertExt() = default; virtual int32_t GenerateCertificate(DmCertChain &dmCertChain) = 0; virtual int32_t VerifyCertificate(const DmCertChain &dmCertChain, const char *deviceIdHash) = 0; + virtual int32_t GenerateCertificateV2(DmCertChain &dmCertChain, const int64_t random) = 0; + virtual int32_t VerifyCertificateV2(const DmCertChain &dmCertChain, const char *deviceIdHash, const int64_t random) = 0; }; using CreateDMAuthCertFuncPtr = IDMAuthCertExt *(*)(void); diff --git a/common/src/dm_constants.cpp b/common/src/dm_constants.cpp index 3be5b9fb7..73ed7a13c 100644 --- a/common/src/dm_constants.cpp +++ b/common/src/dm_constants.cpp @@ -188,7 +188,8 @@ const char* DM_VERSION_5_1_0 = "5.1.0"; const char* DM_VERSION_5_1_1 = "5.1.1"; const char* DM_VERSION_5_1_2 = "5.1.2"; const char* DM_VERSION_5_1_3 = "5.1.3"; -const char* DM_CURRENT_VERSION = DM_VERSION_5_1_3; +const char* DM_VERSION_5_1_4 = "5.1.4"; +const char* DM_CURRENT_VERSION = DM_VERSION_5_1_4; const char* DM_ACL_AGING_VERSION = DM_VERSION_5_1_0; const char* DM_VERSION_5_0_OLD_MAX = "5.0.99"; // Estimated highest version number of the old version const int32_t OLD_DM_HO_OSTYPE = -1; diff --git a/services/implementation/include/attest/dm_auth_cert.h b/services/implementation/include/attest/dm_auth_cert.h index 889139861..6fe773777 100644 --- a/services/implementation/include/attest/dm_auth_cert.h +++ b/services/implementation/include/attest/dm_auth_cert.h @@ -38,6 +38,8 @@ public: int32_t GenerateCertificate(DmCertChain &dmCertChain); int32_t VerifyCertificate(const DmCertChain &dmCertChain, const char *deviceIdHash); + int32_t GenerateCertificateV2(DmCertChain &dmCertChain, const int64_t random); + int32_t VerifyCertificateV2(const DmCertChain &dmCertChain, const char *deviceIdHash, const int64_t random); private: AuthCert(); diff --git a/services/implementation/include/authentication_v2/auth_manager.h b/services/implementation/include/authentication_v2/auth_manager.h index 9b087c1e0..02deef3fe 100644 --- a/services/implementation/include/authentication_v2/auth_manager.h +++ b/services/implementation/include/authentication_v2/auth_manager.h @@ -154,8 +154,6 @@ private: void GetBindCallerInfo(); int32_t GetBindLevel(int32_t bindLevel); void GetIsNeedJoinLnnParam(const std::map &bindParam); - std::mutex certMtx_; - std::condition_variable certCV_; }; class AuthSrcManager : public AuthManager { diff --git a/services/implementation/include/authentication_v2/dm_auth_context.h b/services/implementation/include/authentication_v2/dm_auth_context.h index d2c126332..f30fc20ac 100644 --- a/services/implementation/include/authentication_v2/dm_auth_context.h +++ b/services/implementation/include/authentication_v2/dm_auth_context.h @@ -196,14 +196,17 @@ struct DmAccess { int32_t sessionKeyId; // Used as key delivery material, retrieves the SK from the bus int32_t transmitSessionKeyId; // Permanent application SKID on this end, returned by DP for ACL updates and aging int32_t lnnSessionKeyId{0}; // Permanent user SKID on this end, returned by DP for ACL updates and aging + int32_t oldBindLevel; int64_t transmitSkTimeStamp; // Used for aging, time is 2 days, application-level credential timestamp int64_t lnnSkTimeStamp{0}; // Used for aging, time is 2 days, user-level credential timestamp int64_t skTimeStamp; // Used for aging, time is 2 days + int64_t certRandom{0}; // Used for cert generate bool isAuthed; bool isUserLevelAuthed; bool isOnline; bool isGenerateLnnCredential{true}; bool isPutLnnAcl{true}; + bool isCommonFlag{false}; std::string dmVersion; std::string edition; // Used for compatibility before version 5.1.0, assists in version negotiation std::string aclTypeList; // Trust relationship list, used for data aging, KV format @@ -216,12 +219,11 @@ struct DmAccess { // send both the new and old protocol messages simultaneously in the 80 message when // authType == import. Therefore, it is required to define these fields for compatibility processing. std::string accountGroupIdHash; - int32_t oldBindLevel; + std::string oldBundleName; // construct for old version compatible end std::string extraInfo; // Expandable field, JSON format, KV structure std::string cert; - bool isCommonFlag{false}; }; struct DmAuthContext { diff --git a/services/implementation/include/authentication_v2/dm_auth_manager_base.h b/services/implementation/include/authentication_v2/dm_auth_manager_base.h index 2bb96eefe..c680323a4 100644 --- a/services/implementation/include/authentication_v2/dm_auth_manager_base.h +++ b/services/implementation/include/authentication_v2/dm_auth_manager_base.h @@ -80,6 +80,7 @@ extern const char* TAG_DM_CERT_CHAIN; extern const char* TAG_CERT_COUNT; extern const char* TAG_CERT; extern const char* TAG_IS_COMMON_FLAG; +extern const char* TAG_CERT_RANDOM; extern const int32_t AUTHENTICATE_TIMEOUT; extern const int32_t CONFIRM_TIMEOUT; diff --git a/services/implementation/include/authentication_v2/dm_auth_state.h b/services/implementation/include/authentication_v2/dm_auth_state.h index 3015dcd65..378378fc6 100644 --- a/services/implementation/include/authentication_v2/dm_auth_state.h +++ b/services/implementation/include/authentication_v2/dm_auth_state.h @@ -232,6 +232,10 @@ private: void GetCustomDescBySinkLanguage(std::shared_ptr context); void ResetBindLevel(std::shared_ptr context); void NegotiateUltrasonic(std::shared_ptr context); + void GenerateCertificate(std::shared_ptr context); +private: + std::mutex certMtx_; + std::condition_variable certCV_; }; class AuthSinkStatePinAuthComm { diff --git a/services/implementation/src/attest/dm_auth_cert.cpp b/services/implementation/src/attest/dm_auth_cert.cpp index 1587ae6bc..5efaa1876 100644 --- a/services/implementation/src/attest/dm_auth_cert.cpp +++ b/services/implementation/src/attest/dm_auth_cert.cpp @@ -86,5 +86,23 @@ int32_t AuthCert::VerifyCertificate(const DmCertChain &dmCertChain, const char * } return dmAuthCertExt_->VerifyCertificate(dmCertChain, deviceIdHash); } + +int32_t AuthCert::GenerateCertificateV2(DmCertChain &dmCertChain, const int64_t random); +{ + if (!IsDMAdapterAuthCertLoaded()) { + LOGE("authCertSo load failed!"); + return ERR_DM_FAILED; + } + return dmAuthCertExt_->GenerateCertificateV2(dmCertChain, random); +} + +int32_t AuthCert::VerifyCertificateV2(const DmCertChain &dmCertChain, const char *deviceIdHash, const int64_t random) +{ + if (!IsDMAdapterAuthCertLoaded()) { + LOGE("authCertSo load failed!"); + return ERR_DM_FAILED; + } + return dmAuthCertExt_->VerifyCertificateV2(dmCertChain, deviceIdHash, random); +} } // namespace DistributedHardware } // namespace OHOS \ No newline at end of file diff --git a/services/implementation/src/authentication_v2/auth_manager.cpp b/services/implementation/src/authentication_v2/auth_manager.cpp index 70ffbf663..ad9835e7c 100644 --- a/services/implementation/src/authentication_v2/auth_manager.cpp +++ b/services/implementation/src/authentication_v2/auth_manager.cpp @@ -26,8 +26,6 @@ #include "multiple_user_connector.h" #include "auth_manager.h" -#include "dm_auth_attest_common.h" -#include "dm_auth_cert.h" #include "dm_constants.h" #include "dm_crypto.h" #include "dm_random.h" @@ -40,7 +38,6 @@ #include "dm_auth_context.h" #include "dm_auth_message_processor.h" #include "dm_auth_state.h" -#include "ffrt.h" #include "json_object.h" #ifdef SUPPORT_MSDP @@ -652,33 +649,6 @@ int32_t AuthManager::AuthenticateDevice(const std::string &pkgName, int32_t auth return DM_OK; } -void GenerateCertificate(std::shared_ptr context) -{ - if (context == nullptr) { - LOGE("context is nullptr!"); - return; - } -#ifdef DEVICE_MANAGER_COMMON_FLAG - context->accesser.isCommonFlag = true; - LOGI("open device do not generate cert!"); - context->accesser.cert = "common"; -#else - DmCertChain dmCertChain; - int32_t certRet = AuthCert::GetInstance().GenerateCertificate(dmCertChain); - if (certRet != DM_OK) { - LOGE("generate cert fail, certRet = %{public}d", certRet); - return; - } - { - std::lock_guard lock(certMtx_); - context->accesser.cert = AuthAttestCommon::GetInstance().SerializeDmCertChain(&dmCertChain); - } - certCV_.notify_all(); - AuthAttestCommon::GetInstance().FreeDmCertChain(dmCertChain); -#endif - return; -} - int32_t AuthManager::BindTarget(const std::string &pkgName, const PeerTargetId &targetId, const std::map &bindParam, int sessionId, uint64_t logicalSessionId) { @@ -723,8 +693,6 @@ int32_t AuthManager::BindTarget(const std::string &pkgName, const PeerTargetId & context_->logicalSessionId = logicalSessionId; context_->requestId = static_cast(logicalSessionId); context_->authStateMachine->TransitionTo(std::make_shared()); - // generate cert sync - ffrt::submit([=]() { GenerateCertificate(context_);}); info = { .funcName = "BindTarget" }; info.channelId = sessionId; DmRadarHelper::GetInstance().ReportAuthSendRequest(info); diff --git a/services/implementation/src/authentication_v2/auth_stages/auth_confirm.cpp b/services/implementation/src/authentication_v2/auth_stages/auth_confirm.cpp index 7918ad77a..67fe9384b 100644 --- a/services/implementation/src/authentication_v2/auth_stages/auth_confirm.cpp +++ b/services/implementation/src/authentication_v2/auth_stages/auth_confirm.cpp @@ -22,6 +22,8 @@ #include "deviceprofile_connector.h" #include "distributed_device_profile_errors.h" #include "dm_anonymous.h" +#include "dm_auth_attest_common.h" +#include "dm_auth_cert.h" #include "dm_auth_context.h" #include "dm_auth_state.h" #include "dm_auth_state_machine.h" @@ -31,6 +33,7 @@ #include "dm_log.h" #include "dm_negotiate_process.h" #include "dm_softbus_cache.h" +#include "ffrt.h" #include "multiple_user_connector.h" namespace OHOS { @@ -613,6 +616,33 @@ void AuthSrcConfirmState::GetP2PCredentialInfo(std::shared_ptr co } } +void AuthSrcConfirmState::GenerateCertificate(std::shared_ptr context) +{ + if (context == nullptr) { + LOGE("context is nullptr!"); + return; + } +#ifdef DEVICE_MANAGER_COMMON_FLAG + context->accesser.isCommonFlag = true; + LOGI("open device do not generate cert!"); + context->accesser.cert = "common"; +#else + DmCertChain dmCertChain; + int32_t certRet = AuthCert::GetInstance().GenerateCertificateV2(dmCertChain, context->accessee.certRandom); + if (certRet != DM_OK) { + LOGE("generate cert fail, certRet = %{public}d", certRet); + return; + } + { + std::lock_guard lock(certMtx_); + context->accesser.cert = AuthAttestCommon::GetInstance().SerializeDmCertChain(&dmCertChain); + } + certCV_.notify_all(); + AuthAttestCommon::GetInstance().FreeDmCertChain(dmCertChain); +#endif + return; +} + int32_t AuthSrcConfirmState::Action(std::shared_ptr context) { LOGI("start."); @@ -641,6 +671,8 @@ int32_t AuthSrcConfirmState::Action(std::shared_ptr context) NegotiateProxyAcl(context); NegotiateUltrasonic(context); context->authMessageProcessor->CreateAndSendMsg(MSG_TYPE_REQ_USER_CONFIRM, context); + // generate cert sync + ffrt::submit([=]() { GenerateCertificate(context_);}); context->listener->OnAuthResult(context->processInfo, context->peerTargetId.deviceId, context->accessee.tokenIdHash, static_cast(STATUS_DM_SHOW_AUTHORIZE_UI), DM_OK); context->listener->OnBindResult(context->processInfo, context->peerTargetId, diff --git a/services/implementation/src/authentication_v2/auth_stages/auth_negotiate.cpp b/services/implementation/src/authentication_v2/auth_stages/auth_negotiate.cpp index 490247779..ccb64281f 100644 --- a/services/implementation/src/authentication_v2/auth_stages/auth_negotiate.cpp +++ b/services/implementation/src/authentication_v2/auth_stages/auth_negotiate.cpp @@ -51,6 +51,8 @@ namespace DistributedHardware { namespace { const char* DM_DISTURBANCE_EVENT_KEY = "business_id_cast+_disturbance_event"; const char* DM_ANTI_DISTURBANCE_MODE = "is_in_anti_disturbance_mode"; + const int64_t DM_MIN_RANDOM = 1; + const int64_t DM_MAX_RANDOM_INT64 = INT64_MAX; } DmAuthStateType AuthSrcStartState::GetStateType() @@ -248,6 +250,7 @@ int32_t AuthSinkNegotiateStateMachine::Action(std::shared_ptr con context->reason = ret; return ret; } + context->accessee.certRandom = GenRandLongLong(DM_MIN_RANDOM, DM_MAX_RANDOM_INT64); context->authMessageProcessor->CreateAndSendMsg(MSG_TYPE_RESP_ACL_NEGOTIATE, context); context->timer->StartTimer(std::string(WAIT_REQUEST_TIMEOUT_TASK), DmAuthState::GetTaskTimeout(context, WAIT_REQUEST_TIMEOUT_TASK, WAIT_REQUEST_TIMEOUT), diff --git a/services/implementation/src/authentication_v2/dm_auth_manager_base.cpp b/services/implementation/src/authentication_v2/dm_auth_manager_base.cpp index 9a3910b6e..3c9fb29de 100644 --- a/services/implementation/src/authentication_v2/dm_auth_manager_base.cpp +++ b/services/implementation/src/authentication_v2/dm_auth_manager_base.cpp @@ -82,6 +82,7 @@ const char* TAG_DM_CERT_CHAIN = "dmCertChain"; const char* TAG_CERT_COUNT = "certCount"; const char* TAG_CERT = "cert"; const char* TAG_IS_COMMON_FLAG = "isCommonFlag"; +const char* TAG_CERT_RANDOM = "certRandom"; const int32_t AUTHENTICATE_TIMEOUT = 120; const int32_t CONFIRM_TIMEOUT = 60; diff --git a/services/implementation/src/authentication_v2/dm_auth_message_processor.cpp b/services/implementation/src/authentication_v2/dm_auth_message_processor.cpp index 2394a4f42..a7ce1af73 100644 --- a/services/implementation/src/authentication_v2/dm_auth_message_processor.cpp +++ b/services/implementation/src/authentication_v2/dm_auth_message_processor.cpp @@ -947,6 +947,7 @@ int32_t DmAuthMessageProcessor::CreateRespNegotiateMessage(std::shared_ptraccessee.language; jsonObject[TAG_EXTRA_INFO] = context->accessee.extraInfo; jsonObject[TAG_NETWORKID_ID] = context->accessee.networkId; + jsonObject[TAG_CERT_RANDOM] = context->accessee.certRandom; jsonObject[TAG_IS_ONLINE] = context->accesser.isOnline; CreateProxyRespNegotiateMessage(context, jsonObject); @@ -1540,50 +1541,42 @@ int32_t DmAuthMessageProcessor::ParseMessageRespAclNegotiate(const JsonObject &j if (jsonObject[TAG_DEVICE_VERSION].IsString()) { context->accessee.dmVersion = jsonObject[TAG_DEVICE_VERSION].Get(); } - if (jsonObject[TAG_DEVICE_NAME].IsString()) { context->accessee.deviceName = jsonObject[TAG_DEVICE_NAME].Get(); } - if (jsonObject[TAG_DEVICE_ID_HASH].IsString()) { context->accessee.deviceIdHash = jsonObject[TAG_DEVICE_ID_HASH].Get(); } - if (jsonObject[TAG_USER_ID].IsNumberInteger()) { context->accessee.userId = jsonObject[TAG_USER_ID].Get(); } - if (jsonObject[TAG_ACCOUNT_ID_HASH].IsString()) { context->accessee.accountIdHash = jsonObject[TAG_ACCOUNT_ID_HASH].Get(); } - if (jsonObject[TAG_TOKEN_ID_HASH].IsString()) { context->accessee.tokenIdHash = jsonObject[TAG_TOKEN_ID_HASH].Get(); } - if (jsonObject[TAG_NETWORKID_ID].IsString()) { context->accessee.networkId = jsonObject[TAG_NETWORKID_ID].Get(); } - if (jsonObject[TAG_IS_ONLINE].IsBoolean()) { context->isOnline = jsonObject[TAG_IS_ONLINE].Get(); } - if (jsonObject[TAG_ACL_TYPE_LIST].IsString()) { context->accessee.aclTypeList = jsonObject[TAG_ACL_TYPE_LIST].Get(); } - if (jsonObject[TAG_CERT_TYPE_LIST].IsString()) { context->accessee.credTypeList = jsonObject[TAG_CERT_TYPE_LIST].Get(); } - if (jsonObject[TAG_LANGUAGE].IsString()) { context->accessee.language = jsonObject[TAG_LANGUAGE].Get(); } - if (jsonObject[TAG_EXTRA_INFO].IsString()) { context->accessee.extraInfo = jsonObject[TAG_EXTRA_INFO].Get(); } + if (jsonObject[TAG_CERT_RANDOM].IsNumberInteger()) { + context->accessee.certRandom = jsonObject[TAG_CERT_RANDOM].Get(); + } ParseMessageProxyRespAclNegotiate(jsonObject, context); context->authStateMachine->TransitionTo(std::make_shared()); return DM_OK; -- Gitee From cb29db825257db1d41603decf23a70d69cddbbda Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=9D=8E=E5=B7=8D?= Date: Thu, 7 Aug 2025 14:38:05 +0800 Subject: [PATCH 2/4] =?UTF-8?q?=E6=A0=BC=E5=BC=8F=E8=B0=83=E6=95=B4?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 李巍 --- .../implementation/include/authentication_v2/dm_auth_context.h | 1 - 1 file changed, 1 deletion(-) diff --git a/services/implementation/include/authentication_v2/dm_auth_context.h b/services/implementation/include/authentication_v2/dm_auth_context.h index 847f21585..7dcd92207 100644 --- a/services/implementation/include/authentication_v2/dm_auth_context.h +++ b/services/implementation/include/authentication_v2/dm_auth_context.h @@ -218,7 +218,6 @@ struct DmAccess { // send both the new and old protocol messages simultaneously in the 80 message when // authType == import. Therefore, it is required to define these fields for compatibility processing. std::string accountGroupIdHash; - std::string oldBundleName; // construct for old version compatible end std::string extraInfo; // Expandable field, JSON format, KV structure -- Gitee From 86227c369cc14bc3a0a92169361c679ee75f9b12 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=9D=8E=E5=B7=8D?= Date: Thu, 7 Aug 2025 16:34:18 +0800 Subject: [PATCH 3/4] =?UTF-8?q?=E6=A0=BC=E5=BC=8F=E6=95=B4=E6=94=B9?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 李巍 --- common/include/i_dm_auth_cert_ext.h | 3 ++- .../src/authentication_v2/auth_stages/auth_acl.cpp | 10 ++++++++-- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/common/include/i_dm_auth_cert_ext.h b/common/include/i_dm_auth_cert_ext.h index e9b801927..65f2fe8cc 100644 --- a/common/include/i_dm_auth_cert_ext.h +++ b/common/include/i_dm_auth_cert_ext.h @@ -26,7 +26,8 @@ public: virtual int32_t GenerateCertificate(DmCertChain &dmCertChain) = 0; virtual int32_t VerifyCertificate(const DmCertChain &dmCertChain, const char *deviceIdHash) = 0; virtual int32_t GenerateCertificateV2(DmCertChain &dmCertChain, const int64_t random) = 0; - virtual int32_t VerifyCertificateV2(const DmCertChain &dmCertChain, const char *deviceIdHash, const int64_t random) = 0; + virtual int32_t VerifyCertificateV2(const DmCertChain &dmCertChain, const char *deviceIdHash, + const int64_t random) = 0; }; using CreateDMAuthCertFuncPtr = IDMAuthCertExt *(*)(void); diff --git a/services/implementation/src/authentication_v2/auth_stages/auth_acl.cpp b/services/implementation/src/authentication_v2/auth_stages/auth_acl.cpp index a4581ac99..b2fc5f435 100644 --- a/services/implementation/src/authentication_v2/auth_stages/auth_acl.cpp +++ b/services/implementation/src/authentication_v2/auth_stages/auth_acl.cpp @@ -66,8 +66,14 @@ int32_t AuthSinkDataSyncState::VerifyCertificate(std::shared_ptr LOGE("cert deserialize fail!"); return ERR_DM_DESERIAL_CERT_FAILED; } - int32_t certRet = AuthCert::GetInstance(). - VerifyCertificate(dmCertChain, context->accesser.deviceIdHash.c_str()); + int32_t certRet = -1; + if (CompareVersion(context->accesser.dmVersion, DM_VERSION_5_1_3)) { + certRet = AuthCert::GetInstance(). + VerifyCertificateV2(dmCertChain, context->accesser.deviceIdHash.c_str(), context->accessee.certRandom); + } else { + certRet = AuthCert::GetInstance(). + VerifyCertificate(dmCertChain, context->accesser.deviceIdHash.c_str()); + } // free dmCertChain memory AuthAttestCommon::GetInstance().FreeDmCertChain(dmCertChain); if (certRet != DM_OK) { -- Gitee From 86d3bab49d8ab85a998646ae8f0956ff9f8925b2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=9D=8E=E5=B7=8D?= Date: Sun, 10 Aug 2025 11:04:21 +0800 Subject: [PATCH 4/4] =?UTF-8?q?=E8=AE=BE=E5=A4=87=E8=AF=81=E4=B9=A6?= =?UTF-8?q?=E9=87=8D=E6=94=BE?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 李巍 --- common/include/dm_cert.h | 4 ++++ common/include/i_dm_auth_cert_ext.h | 4 ++-- .../implementation/include/attest/dm_auth_cert.h | 4 ++-- .../include/authentication_v2/dm_auth_context.h | 6 ++++-- .../include/authentication_v2/dm_auth_state.h | 9 --------- .../implementation/src/attest/dm_auth_cert.cpp | 4 ++-- .../auth_stages/auth_confirm.cpp | 13 +++++++++---- .../auth_stages/auth_credential.cpp | 16 ++++++++-------- .../auth_stages/auth_negotiate.cpp | 2 +- .../dm_auth_message_processor.cpp | 2 +- 10 files changed, 33 insertions(+), 31 deletions(-) diff --git a/common/include/dm_cert.h b/common/include/dm_cert.h index 5080ef860..75510dd45 100644 --- a/common/include/dm_cert.h +++ b/common/include/dm_cert.h @@ -20,6 +20,10 @@ #define DM_CERTS_COUNT 4 #define UDID_BUF_LEN 65 #define DM_CERTIFICATE_SIZE 8192 +#define ATTEST_CERTS_INDEX 0 +#define DEVICE_CERTS_INDEX 1 +#define MANUFACTURE_CERTS_INDEX 2 +#define ROOT_CERTS_INDEX 3 #include #include diff --git a/common/include/i_dm_auth_cert_ext.h b/common/include/i_dm_auth_cert_ext.h index 65f2fe8cc..56efa391e 100644 --- a/common/include/i_dm_auth_cert_ext.h +++ b/common/include/i_dm_auth_cert_ext.h @@ -25,9 +25,9 @@ public: virtual ~IDMAuthCertExt() = default; virtual int32_t GenerateCertificate(DmCertChain &dmCertChain) = 0; virtual int32_t VerifyCertificate(const DmCertChain &dmCertChain, const char *deviceIdHash) = 0; - virtual int32_t GenerateCertificateV2(DmCertChain &dmCertChain, const int64_t random) = 0; + virtual int32_t GenerateCertificateV2(DmCertChain &dmCertChain, const uint64_t random) = 0; virtual int32_t VerifyCertificateV2(const DmCertChain &dmCertChain, const char *deviceIdHash, - const int64_t random) = 0; + const uint64_t random) = 0; }; using CreateDMAuthCertFuncPtr = IDMAuthCertExt *(*)(void); diff --git a/services/implementation/include/attest/dm_auth_cert.h b/services/implementation/include/attest/dm_auth_cert.h index 6fe773777..a2d4a3ffc 100644 --- a/services/implementation/include/attest/dm_auth_cert.h +++ b/services/implementation/include/attest/dm_auth_cert.h @@ -38,8 +38,8 @@ public: int32_t GenerateCertificate(DmCertChain &dmCertChain); int32_t VerifyCertificate(const DmCertChain &dmCertChain, const char *deviceIdHash); - int32_t GenerateCertificateV2(DmCertChain &dmCertChain, const int64_t random); - int32_t VerifyCertificateV2(const DmCertChain &dmCertChain, const char *deviceIdHash, const int64_t random); + int32_t GenerateCertificateV2(DmCertChain &dmCertChain, const uint64_t random); + int32_t VerifyCertificateV2(const DmCertChain &dmCertChain, const char *deviceIdHash, const uint64_t random); private: AuthCert(); diff --git a/services/implementation/include/authentication_v2/dm_auth_context.h b/services/implementation/include/authentication_v2/dm_auth_context.h index 7dcd92207..e60adda5c 100644 --- a/services/implementation/include/authentication_v2/dm_auth_context.h +++ b/services/implementation/include/authentication_v2/dm_auth_context.h @@ -200,7 +200,7 @@ struct DmAccess { int64_t transmitSkTimeStamp; // Used for aging, time is 2 days, application-level credential timestamp int64_t lnnSkTimeStamp{0}; // Used for aging, time is 2 days, user-level credential timestamp int64_t skTimeStamp; // Used for aging, time is 2 days - int64_t certRandom{0}; // Used for cert generate + uint64_t certRandom{0}; // Used for cert generate bool isAuthed; bool isUserLevelAuthed; bool isOnline; @@ -303,7 +303,9 @@ struct DmAuthContext { bool needBind{true}; bool needAgreeCredential{true}; bool needAuth{true}; - + std::mutex certMtx_; // cert lock + std::mutex certCVMtx_; // cert cv lock + std::condition_variable certCV_; // cert cv CleanNotifyCallback cleanNotifyCallback{nullptr}; std::string GetDeviceId(DmAuthSide side); diff --git a/services/implementation/include/authentication_v2/dm_auth_state.h b/services/implementation/include/authentication_v2/dm_auth_state.h index a8932ca36..0eae06814 100644 --- a/services/implementation/include/authentication_v2/dm_auth_state.h +++ b/services/implementation/include/authentication_v2/dm_auth_state.h @@ -239,9 +239,6 @@ private: void ResetBindLevel(std::shared_ptr context); void NegotiateUltrasonic(std::shared_ptr context); void GenerateCertificate(std::shared_ptr context); -private: - std::mutex certMtx_; - std::condition_variable certCV_; }; class AuthSinkStatePinAuthComm { @@ -463,9 +460,6 @@ public: int32_t Action(std::shared_ptr context) override; int32_t DerivativeSessionKey(std::shared_ptr context); int32_t DerivativeProxySessionKey(std::shared_ptr context); -private: - std::mutex certCVMtx_; - std::condition_variable certCV_; }; class AuthSinkSKDeriveState : public DmAuthState { @@ -501,9 +495,6 @@ public: int32_t DerivativeSessionKey(std::shared_ptr context); int32_t DerivativeProxySessionKey(std::shared_ptr context); int32_t HandleSrcCredentialAuthDone(std::shared_ptr context); -private: - std::mutex certCVMtx_; - std::condition_variable certCV_; }; class AuthSinkCredentialAuthStartState : public DmAuthState { diff --git a/services/implementation/src/attest/dm_auth_cert.cpp b/services/implementation/src/attest/dm_auth_cert.cpp index 5efaa1876..4438e561a 100644 --- a/services/implementation/src/attest/dm_auth_cert.cpp +++ b/services/implementation/src/attest/dm_auth_cert.cpp @@ -87,7 +87,7 @@ int32_t AuthCert::VerifyCertificate(const DmCertChain &dmCertChain, const char * return dmAuthCertExt_->VerifyCertificate(dmCertChain, deviceIdHash); } -int32_t AuthCert::GenerateCertificateV2(DmCertChain &dmCertChain, const int64_t random); +int32_t AuthCert::GenerateCertificateV2(DmCertChain &dmCertChain, const uint64_t random) { if (!IsDMAdapterAuthCertLoaded()) { LOGE("authCertSo load failed!"); @@ -96,7 +96,7 @@ int32_t AuthCert::GenerateCertificateV2(DmCertChain &dmCertChain, const int64_t return dmAuthCertExt_->GenerateCertificateV2(dmCertChain, random); } -int32_t AuthCert::VerifyCertificateV2(const DmCertChain &dmCertChain, const char *deviceIdHash, const int64_t random) +int32_t AuthCert::VerifyCertificateV2(const DmCertChain &dmCertChain, const char *deviceIdHash, const uint64_t random) { if (!IsDMAdapterAuthCertLoaded()) { LOGE("authCertSo load failed!"); diff --git a/services/implementation/src/authentication_v2/auth_stages/auth_confirm.cpp b/services/implementation/src/authentication_v2/auth_stages/auth_confirm.cpp index 67fe9384b..28ed7e71f 100644 --- a/services/implementation/src/authentication_v2/auth_stages/auth_confirm.cpp +++ b/services/implementation/src/authentication_v2/auth_stages/auth_confirm.cpp @@ -628,16 +628,21 @@ void AuthSrcConfirmState::GenerateCertificate(std::shared_ptr con context->accesser.cert = "common"; #else DmCertChain dmCertChain; - int32_t certRet = AuthCert::GetInstance().GenerateCertificateV2(dmCertChain, context->accessee.certRandom); + int32_t certRet = -1; + if (CompareVersion(context->accessee.dmVersion, DM_VERSION_5_1_3)) { + certRet = AuthCert::GetInstance().GenerateCertificateV2(dmCertChain, context->accessee.certRandom); + } else { + certRet = AuthCert::GetInstance().GenerateCertificate(dmCertChain); + } if (certRet != DM_OK) { LOGE("generate cert fail, certRet = %{public}d", certRet); return; } { - std::lock_guard lock(certMtx_); + std::lock_guard lock(context->certMtx_); context->accesser.cert = AuthAttestCommon::GetInstance().SerializeDmCertChain(&dmCertChain); } - certCV_.notify_all(); + context->certCV_.notify_all(); AuthAttestCommon::GetInstance().FreeDmCertChain(dmCertChain); #endif return; @@ -672,7 +677,7 @@ int32_t AuthSrcConfirmState::Action(std::shared_ptr context) NegotiateUltrasonic(context); context->authMessageProcessor->CreateAndSendMsg(MSG_TYPE_REQ_USER_CONFIRM, context); // generate cert sync - ffrt::submit([=]() { GenerateCertificate(context_);}); + ffrt::submit([=]() { GenerateCertificate(context);}); context->listener->OnAuthResult(context->processInfo, context->peerTargetId.deviceId, context->accessee.tokenIdHash, static_cast(STATUS_DM_SHOW_AUTHORIZE_UI), DM_OK); context->listener->OnBindResult(context->processInfo, context->peerTargetId, diff --git a/services/implementation/src/authentication_v2/auth_stages/auth_credential.cpp b/services/implementation/src/authentication_v2/auth_stages/auth_credential.cpp index 47d2813af..6f294d97f 100644 --- a/services/implementation/src/authentication_v2/auth_stages/auth_credential.cpp +++ b/services/implementation/src/authentication_v2/auth_stages/auth_credential.cpp @@ -117,8 +117,8 @@ int32_t AuthSrcCredentialAuthDoneState::Action(std::shared_ptr co CHECK_NULL_RETURN(context->authMessageProcessor, ERR_DM_POINT_NULL); if (GetSessionKey(context)) { DerivativeSessionKey(context); - std::unique_lock cvLock(certCVMtx_); - certCV_.wait_for(cvLock, std::chrono::milliseconds(GENERATE_CERT_TIMEOUT), + std::unique_lock cvLock(context->certCVMtx_); + context->certCV_.wait_for(cvLock, std::chrono::milliseconds(GENERATE_CERT_TIMEOUT), [=] {return !context->accesser.cert.empty();}); context->authMessageProcessor->CreateAndSendMsg(MSG_TYPE_REQ_DATA_SYNC, context); return DM_OK; @@ -169,14 +169,14 @@ int32_t AuthSrcCredentialAuthDoneState::HandleSrcCredentialAuthDone(std::shared_ return ret; } SetAuthContext(skId, context->accesser.lnnSkTimeStamp, context->accesser.lnnSessionKeyId); - std::unique_lock cvLock(certCVMtx_); - certCV_.wait_for(cvLock, std::chrono::milliseconds(GENERATE_CERT_TIMEOUT), + std::unique_lock cvLock(context->certCVMtx_); + context->certCV_.wait_for(cvLock, std::chrono::milliseconds(GENERATE_CERT_TIMEOUT), [=] {return !context->accesser.cert.empty();}); msgType = MSG_TYPE_REQ_DATA_SYNC; } else { // Non-first-time authentication transport credential process DerivativeSessionKey(context); - std::unique_lock cvLock(certCVMtx_); - certCV_.wait_for(cvLock, std::chrono::milliseconds(GENERATE_CERT_TIMEOUT), + std::unique_lock cvLock(context->certCVMtx_); + context->certCV_.wait_for(cvLock, std::chrono::milliseconds(GENERATE_CERT_TIMEOUT), [=] {return !context->accesser.cert.empty();}); msgType = MSG_TYPE_REQ_DATA_SYNC; } @@ -746,8 +746,8 @@ int32_t AuthSrcSKDeriveState::Action(std::shared_ptr context) // derive transmit sk DerivativeSessionKey(context); // wait cert generate - std::unique_lock cvLock(certCVMtx_); - certCV_.wait_for(cvLock, std::chrono::milliseconds(GENERATE_CERT_TIMEOUT), + std::unique_lock cvLock(context->certCVMtx_); + context->certCV_.wait_for(cvLock, std::chrono::milliseconds(GENERATE_CERT_TIMEOUT), [=] {return !context->accesser.cert.empty();}); // send 180 std::string message = context->authMessageProcessor->CreateMessage(MSG_TYPE_REQ_DATA_SYNC, context); diff --git a/services/implementation/src/authentication_v2/auth_stages/auth_negotiate.cpp b/services/implementation/src/authentication_v2/auth_stages/auth_negotiate.cpp index ccb64281f..853d616dc 100644 --- a/services/implementation/src/authentication_v2/auth_stages/auth_negotiate.cpp +++ b/services/implementation/src/authentication_v2/auth_stages/auth_negotiate.cpp @@ -250,7 +250,7 @@ int32_t AuthSinkNegotiateStateMachine::Action(std::shared_ptr con context->reason = ret; return ret; } - context->accessee.certRandom = GenRandLongLong(DM_MIN_RANDOM, DM_MAX_RANDOM_INT64); + context->accessee.certRandom = static_cast(GenRandLongLong(DM_MIN_RANDOM, DM_MAX_RANDOM_INT64)); context->authMessageProcessor->CreateAndSendMsg(MSG_TYPE_RESP_ACL_NEGOTIATE, context); context->timer->StartTimer(std::string(WAIT_REQUEST_TIMEOUT_TASK), DmAuthState::GetTaskTimeout(context, WAIT_REQUEST_TIMEOUT_TASK, WAIT_REQUEST_TIMEOUT), diff --git a/services/implementation/src/authentication_v2/dm_auth_message_processor.cpp b/services/implementation/src/authentication_v2/dm_auth_message_processor.cpp index a7ce1af73..792f37174 100644 --- a/services/implementation/src/authentication_v2/dm_auth_message_processor.cpp +++ b/services/implementation/src/authentication_v2/dm_auth_message_processor.cpp @@ -1575,7 +1575,7 @@ int32_t DmAuthMessageProcessor::ParseMessageRespAclNegotiate(const JsonObject &j context->accessee.extraInfo = jsonObject[TAG_EXTRA_INFO].Get(); } if (jsonObject[TAG_CERT_RANDOM].IsNumberInteger()) { - context->accessee.certRandom = jsonObject[TAG_CERT_RANDOM].Get(); + context->accessee.certRandom = jsonObject[TAG_CERT_RANDOM].Get(); } ParseMessageProxyRespAclNegotiate(jsonObject, context); context->authStateMachine->TransitionTo(std::make_shared()); -- Gitee