From 111dd843aebb4d22dfb884e99eaac9c90aef8810 Mon Sep 17 00:00:00 2001 From: Kemin <541416002@qq.com> Date: Fri, 11 Nov 2022 17:32:44 +0800 Subject: [PATCH 1/4] =?UTF-8?q?=E8=A7=A3=E5=86=B39=E6=9C=88=E4=BB=BDOpenHa?= =?UTF-8?q?rmony=E7=BC=96=E8=AF=91=E9=97=AE=E9=A2=98=EF=BC=8C=E8=A1=A5?= =?UTF-8?q?=E5=85=85selinux=E6=9D=83=E9=99=90=E6=96=87=E4=BB=B6?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cert_mgr_service/build/BUILD.gn | 5 +- .../interfaces/innerkits/native_cpp/BUILD.gn | 5 +- .../interfaces/kits/napi/BUILD.gn | 2 +- cert_mgr_service/sample/client/BUILD.gn | 2 +- .../services/cert_mgr_ability/BUILD.gn | 3 +- cert_mgr_service/services/core/BUILD.gn | 14 ++- .../services/core/adapter/cert_adapter.c | 31 +++++-- .../services/core/adapter/cert_adapter_mock.c | 86 +++++++++++++++++-- .../services/core/cert/cert_service.c | 2 +- .../services/core/cert/cert_service_active.c | 4 +- .../services/core/cert/cert_service_auth.c | 12 +-- .../core/cert/cert_service_challenge.c | 4 +- .../services/core/cert/cert_service_reset.c | 4 +- cert_mgr_service/services/core/cert_entry.c | 2 +- cert_mgr_service/services/core/dfx/cert_dfx.c | 2 +- .../core/include/adapter/cert_adapter.h | 2 +- .../core/include/adapter/cert_adapter_mock.h | 16 +++- .../services/core/include/cert_type.h | 2 +- .../core/include/security/cert_security.h | 1 - .../services/core/include/utils/cert_utils.h | 2 +- .../core/include/utils/cert_utils_file.h | 5 +- .../services/core/security/cert_security.c | 9 +- .../core/security/cert_security_ticket.c | 11 +-- .../core/security/cert_security_token.c | 2 +- .../services/core/utils/cert_utils.c | 44 ++++++---- .../services/core/utils/cert_utils_file.c | 20 +++++ .../services/core/utils/cert_utils_log.c | 6 +- .../services/core/utils/cert_utils_memleak.c | 1 + cert_mgr_service/services/etc/init/BUILD.gn | 8 +- .../{cert_mgr_sa.cfg => cert_mgr_service.cfg} | 7 +- .../{cert_mgr_sa.rc => cert_mgr_service.rc} | 2 +- .../services/oem_adapter/BUILD.gn | 2 +- cert_mgr_service/services/sa_profile/BUILD.gn | 3 +- .../test/data/cert_mock_network_para | 2 +- cert_mgr_service/test/unittest/BUILD.gn | 3 +- .../system/cert_mgr_service.te | 65 ++++++++++++++ .../cert_mgr_standard/system/parameter.te | 14 +++ .../system/parameter_contexts | 14 +++ 38 files changed, 326 insertions(+), 93 deletions(-) rename cert_mgr_service/services/etc/init/{cert_mgr_sa.cfg => cert_mgr_service.cfg} (58%) rename cert_mgr_service/services/etc/init/{cert_mgr_sa.rc => cert_mgr_service.rc} (88%) create mode 100644 certmanager/cert_mgr_standard/system/cert_mgr_service.te create mode 100644 certmanager/cert_mgr_standard/system/parameter.te create mode 100644 certmanager/cert_mgr_standard/system/parameter_contexts diff --git a/cert_mgr_service/build/BUILD.gn b/cert_mgr_service/build/BUILD.gn index 6c13230..4c8af6e 100644 --- a/cert_mgr_service/build/BUILD.gn +++ b/cert_mgr_service/build/BUILD.gn @@ -15,18 +15,17 @@ import("//build/ohos.gni") import("//base/cert_mgr_service/build/certconfig.gni") group("cert_standard_packages") { + deps = [] if (is_standard_system) { - deps = [ + deps += [ "${certmanager_path}/services/etc/init:cert_mgr_etc", "${certmanager_path}/services/sa_profile:cert_mgr_sa_profile", "${certmanager_path}/services/cert_mgr_ability:cert_mgr_service", "${certmanager_path}/interfaces/innerkits/native_cpp:cert_mgr_sdk", #"${certmanager_path}/interfaces/kits/napi:cert_mgr_kit", ] - #print("enable_cert_test_sample = ${enable_cert_test_sample}.") if (enable_cert_test_sample) { deps += ["${certmanager_path}/sample/client:certtestclient"] } } } - diff --git a/cert_mgr_service/interfaces/innerkits/native_cpp/BUILD.gn b/cert_mgr_service/interfaces/innerkits/native_cpp/BUILD.gn index bde3f46..c099d94 100644 --- a/cert_mgr_service/interfaces/innerkits/native_cpp/BUILD.gn +++ b/cert_mgr_service/interfaces/innerkits/native_cpp/BUILD.gn @@ -40,11 +40,10 @@ ohos_shared_library("cert_mgr_sdk") { ":cert_mgr_sdk_config", ] - deps = [ - "//utils/native/base:utils", - ] + deps = [] external_deps = [ + "c_utils:utils", "hiviewdfx_hilog_native:libhilog", "ipc:ipc_core", "safwk:system_ability_fwk", diff --git a/cert_mgr_service/interfaces/kits/napi/BUILD.gn b/cert_mgr_service/interfaces/kits/napi/BUILD.gn index c164240..4220ba7 100644 --- a/cert_mgr_service/interfaces/kits/napi/BUILD.gn +++ b/cert_mgr_service/interfaces/kits/napi/BUILD.gn @@ -37,12 +37,12 @@ ohos_shared_library("cert_mgr_kit") { deps = [ "${certmanager_innerkit_path}/native_cpp:cert_mgr_sdk", "//foundation/ace/napi/:ace_napi", - "//utils/native/base:utils", ] relative_install_dir = "module" external_deps = [ + "c_utils:utils", "hiviewdfx_hilog_native:libhilog", "ipc:ipc_core", ] diff --git a/cert_mgr_service/sample/client/BUILD.gn b/cert_mgr_service/sample/client/BUILD.gn index 4c234f1..e163880 100644 --- a/cert_mgr_service/sample/client/BUILD.gn +++ b/cert_mgr_service/sample/client/BUILD.gn @@ -30,10 +30,10 @@ ohos_executable("certtestclient") { deps = [ "${certmanager_standard_path}/interfaces/innerkits/native_cpp:cert_mgr_sdk", - "//utils/native/base:utils", ] external_deps = [ + "c_utils:utils", "hiviewdfx_hilog_native:libhilog", "ipc:ipc_core", "safwk:system_ability_fwk", diff --git a/cert_mgr_service/services/cert_mgr_ability/BUILD.gn b/cert_mgr_service/services/cert_mgr_ability/BUILD.gn index eed27d9..e06582e 100644 --- a/cert_mgr_service/services/cert_mgr_ability/BUILD.gn +++ b/cert_mgr_service/services/cert_mgr_ability/BUILD.gn @@ -46,14 +46,15 @@ ohos_shared_library("cert_mgr_service") { ] deps = [ - "//utils/native/base:utils", "${certmanager_standard_path}/services/core:cert_mgr_core", ] external_deps = [ + "c_utils:utils", "hiviewdfx_hilog_native:libhilog", "ipc:ipc_core", "safwk:system_ability_fwk", + "samgr:samgr_common", "samgr:samgr_proxy", "netmanager_base:net_conn_manager_if", ] diff --git a/cert_mgr_service/services/core/BUILD.gn b/cert_mgr_service/services/core/BUILD.gn index 3ab6f33..c291761 100644 --- a/cert_mgr_service/services/core/BUILD.gn +++ b/cert_mgr_service/services/core/BUILD.gn @@ -37,6 +37,7 @@ sources_common = [ "utils/cert_utils_list.c", "utils/cert_utils.c", ] + if (enable_cert_debug_memory_leak) { sources_common += [ "utils/cert_utils_memleak.c", @@ -48,6 +49,7 @@ if (enable_cert_debug_dfx) { "dfx/cert_dfx.c", ] } + config("cert_mgr_core_config") { visibility = [ ":*" ] cflags = [ @@ -64,6 +66,10 @@ config("cert_mgr_core_config") { "//base/startup/syspara_lite/adapter/native/syspara/include", ] + include_dirs += [ + "//base/startup/init/interfaces/innerkits/include/syspara", + ] + defines = [ "CERT_HILOG_LEVEL = 1" ] if (enable_cert_common_debug) { defines += [ @@ -96,6 +102,10 @@ config("cert_mgr_core_config") { "__CERT_NETWORK_DEBUG_LOG__", ] } + + defines += [ + "MBEDTLS_ALLOW_PRIVATE_ACCESS", + ] } ohos_shared_library("cert_mgr_core") { @@ -116,8 +126,8 @@ ohos_shared_library("cert_mgr_core") { external_deps = [ "hiviewdfx_hilog_native:libhilog", - "utils_base:utils", - "startup_l2:syspara", + "c_utils:utils", + "init:libbegetutil", ] subsystem_name = "certmanager" diff --git a/cert_mgr_service/services/core/adapter/cert_adapter.c b/cert_mgr_service/services/core/adapter/cert_adapter.c index bf77302..df5a86d 100644 --- a/cert_mgr_service/services/core/adapter/cert_adapter.c +++ b/cert_mgr_service/services/core/adapter/cert_adapter.c @@ -65,12 +65,18 @@ int32_t CertWriteTicket(const TicketInfo* ticketInfo) // 读取Manufacturekey int32_t CertGetManufacturekey(uint8_t manufacturekey[], uint32_t len) { + if (CERT_MOCK_DEVICE_STUB_FLAG) { + return OsGetAcKeyStub((char*)manufacturekey, len); + } return OEMGetManufacturekey((char*)manufacturekey, len); } // 读取ProductId int32_t CertGetProductId(uint8_t productId[], uint32_t len) { + if (CERT_MOCK_DEVICE_STUB_FLAG) { + return OsGetProdIdStub((char*)productId, len); + } return OEMGetProductId((char*)productId, len); } @@ -81,7 +87,13 @@ int32_t CertReadToken(TokenInfo* tokenInfo) return CERT_ERR; } char token[TOKEN_ENCRYPT_LEN + 1] = {0}; - int32_t ret = OEMReadToken(token, sizeof(token)); + int32_t ret = 0; + if (CERT_MOCK_DEVICE_STUB_FLAG) { + ret = OsReadTokenStub(token, sizeof(token)); + } else { + ret = OEMReadToken(token, sizeof(token)); + } + if (ret != CERT_OK) { CERT_LOG_ERROR("[CertReadToken] Read oem token failed, ret = %d", ret); return ret; @@ -95,7 +107,7 @@ int32_t CertReadToken(TokenInfo* tokenInfo) return CERT_ERR; } offset += (TOKEN_VALUE_ENCRYPT_LEN + 1); - if (memcpy_s(tokenInfo->salt, SALT_ENCRYPT_LEN, token + offset, SALT_ENCRYPT_LEN) != 0) { + if (memcpy_s(tokenInfo->salt, SALT_ENCRYPT_LEN, token + offset, SALT_ENCRYPT_LEN) != 0) { return CERT_ERR; } offset += (SALT_ENCRYPT_LEN + 1); @@ -133,7 +145,13 @@ int32_t CertWriteToken(TokenInfo* tokenInfo) if (memcpy_s(token + offset, sizeof(token), tokenInfo->version, sizeof(tokenInfo->version)) != 0) { return CERT_ERR; } - int32_t ret = OEMWriteToken(token, sizeof(token)); + int32_t ret = 0; + if (CERT_MOCK_DEVICE_STUB_FLAG) { + ret = OsWriteTokenStub(token, sizeof(token)); + } else { + ret = OEMWriteToken(token, sizeof(token)); + } + if (ret != CERT_OK) { CERT_LOG_ERROR("[CertWriteToken] Write token failed, ret = %d", ret); ret = CERT_ERR; @@ -142,9 +160,12 @@ int32_t CertWriteToken(TokenInfo* tokenInfo) } // 读取ProductKey -int32_t CertGetProductKey(uint8_t productId[], uint32_t len) +int32_t CertGetProductKey(uint8_t productKey[], uint32_t len) { - return OEMGetProductKey((char*)productId, len); + if (CERT_MOCK_DEVICE_STUB_FLAG) { + return OsGetProdKeyStub((char*)productKey, len); + } + return OEMGetProductKey((char*)productKey, len); } char* CertGetVersionId(void) diff --git a/cert_mgr_service/services/core/adapter/cert_adapter_mock.c b/cert_mgr_service/services/core/adapter/cert_adapter_mock.c index ccba281..f146f6e 100644 --- a/cert_mgr_service/services/core/adapter/cert_adapter_mock.c +++ b/cert_mgr_service/services/core/adapter/cert_adapter_mock.c @@ -32,7 +32,7 @@ static int32_t GetJsonOjectStringStub(const char *root, const char *key, char ** return CERT_ERR; } char* jsonStr = NULL; - int32_t ret = ReadFileBuffer(CETR_MOCK_STUB_PATH, CETR_MOCK_STUB_NETWORK_NAME, &jsonStr); + int32_t ret = ReadFileBuffer(CERT_MOCK_STUB_PATH, CERT_MOCK_STUB_NETWORK_NAME, &jsonStr); if (ret != CERT_OK) { return CERT_ERR; } @@ -57,12 +57,10 @@ int32_t SendChallMsgStub(CERT_ACTION_TYPE actionType, char** respMsg) if (root == NULL) { return CERT_ERR; } - CERT_LOG_INFO("[SendChallMsgStub] action = %s.", root); int32_t ret = GetJsonOjectStringStub(root, CERT_MOCK_L2_CHALLENGE, respMsg); if (ret != CERT_OK) { return CERT_ERR; } - CERT_LOG_INFO("[SendChallMsgStub] respose message = %s.", *respMsg); return ret; } @@ -76,12 +74,10 @@ int32_t SendCertMsgStub(CERT_ACTION_TYPE actionType, char **respMsg) if (root == NULL) { return CERT_ERR; } - CERT_LOG_INFO("[SendCertMsgStub] root name = %s.", root); int32_t ret = GetJsonOjectStringStub(root, CERT_MOCK_L2_RESPONSE, respMsg); if (ret != CERT_OK) { return CERT_ERR; } - CERT_LOG_INFO("[SendCertMsgStub] respose message = %s.", *respMsg); return ret; } @@ -91,7 +87,7 @@ static char* GetDeviceParaStub(const char* key) return NULL; } char* jsonStr = NULL; - int32_t ret = ReadFileBuffer(CETR_MOCK_STUB_PATH, CETR_MOCK_STUB_DEVICE_NAME, &jsonStr); + int32_t ret = ReadFileBuffer(CERT_MOCK_STUB_PATH, CERT_MOCK_STUB_DEVICE_NAME, &jsonStr); if (ret != CERT_OK) { return NULL; } @@ -180,7 +176,7 @@ char* OsGetUdidStub(void) ret = CERT_ERR; break; } - ret = Sha256Value((const unsigned char *)udid, udidSha256, UDID_STRING_LEN + 1); + ret = Sha256Value((const unsigned char *)udid, udidSize, udidSha256, UDID_STRING_LEN + 1); } while (0); CERT_MEM_FREE(manufacture); CERT_MEM_FREE(model); @@ -194,3 +190,79 @@ char* OsGetUdidStub(void) CERT_LOG_INFO_ANONY("[OsGetUdidStub] Sha256(udid) = %s\n", udidSha256); return udidSha256; } + +int OsGetAcKeyStub(char *acKey, unsigned int len) +{ + if ((acKey == NULL) || (len == 0)) { + return CERT_ERR; + } + const char manufacturekeyBuf[] = { + 0x13, 0x42, 0x3F, 0x3F, 0x53, 0x3F, 0x72, 0x30, 0x3F, 0x3F, 0x1C, 0x3F, 0x2F, 0x3F, 0x2E, 0x42, + 0x3F, 0x08, 0x3F, 0x57, 0x3F, 0x10, 0x3F, 0x3F, 0x29, 0x17, 0x52, 0x3F, 0x3F, 0x3F, 0x3F, 0x3F, + 0x57, 0x16, 0x3F, 0x7D, 0x4A, 0x0F, 0x3F, 0x3F, 0x3F, 0x30, 0x0C, 0x3F, 0x3F, 0x4C, 0x3F, 0x47 + }; + uint32_t manufacturekeyBufLen = sizeof(manufacturekeyBuf); + if (len < manufacturekeyBufLen) { + return CERT_ERR; + } + + int ret = memcpy_s(acKey, len, manufacturekeyBuf, manufacturekeyBufLen); + return ret; +} + +int OsGetProdIdStub(char* productId, uint32_t len) +{ + if ((productId == NULL) || (len == 0)) { + return CERT_ERR; + } + const char productIdBuf[] = "OH00000D"; + uint32_t productIdLen = strlen(productIdBuf); + if (len < productIdLen) { + return CERT_ERR; + } + + int ret = memcpy_s(productId, len, productIdBuf, productIdLen); + return ret; +} + +int OsGetProdKeyStub(char* productKey, uint32_t len) +{ + if ((productKey == NULL) || (len == 0)) { + return CERT_ERR; + } + const char productKeyBuf[] = "test"; + uint32_t productKeyLen = sizeof(productKeyBuf); + if (len < productKeyLen) { + return CERT_ERR; + } + + int ret = memcpy_s(productKey, len, productKeyBuf, productKeyLen); + return ret; +} + +int32_t OsReadTokenStub(char* buffer, uint32_t bufferLen) +{ + if (buffer == NULL || bufferLen == 0) { + return CERT_ERR; + } + int32_t ret = ReadFile(CERT_MOCK_STUB_PATH, CERT_MOCK_TOKEN_FILE_NAME, buffer, bufferLen); + if (ret != 0) { + return CERT_ERR; + } + return CERT_OK; +} + +int32_t OsWriteTokenStub(char* buffer, uint32_t bufferLen) +{ + if (buffer == NULL || bufferLen == 0) { + return CERT_ERR; + } + if (CreateFile(CERT_MOCK_STUB_PATH, CERT_MOCK_TOKEN_FILE_NAME) != 0) { + return CERT_ERR; + } + int32_t ret = WriteFile(CERT_MOCK_STUB_PATH, CERT_MOCK_TOKEN_FILE_NAME, buffer, bufferLen); + if (ret != 0) { + return CERT_ERR; + } + return CERT_OK; +} \ No newline at end of file diff --git a/cert_mgr_service/services/core/cert/cert_service.c b/cert_mgr_service/services/core/cert/cert_service.c index 7967a12..8421601 100644 --- a/cert_mgr_service/services/core/cert/cert_service.c +++ b/cert_mgr_service/services/core/cert/cert_service.c @@ -127,7 +127,7 @@ static int32_t ActiveToken(AuthResult* authResult) CERT_LOG_ERROR("[ActiveToken] Invalid parameter"); return CERT_ERR; } - CERT_LOG_DEBUG("[ActiveToken] Flush token begin."); + int32_t ret = FlushToken(authResult); if (ret != CERT_OK) { CERT_LOG_ERROR("[ActiveToken] Flush Token failed, ret = %d.", ret); diff --git a/cert_mgr_service/services/core/cert/cert_service_active.c b/cert_mgr_service/services/core/cert/cert_service_active.c index 94ead61..323849c 100644 --- a/cert_mgr_service/services/core/cert/cert_service_active.c +++ b/cert_mgr_service/services/core/cert/cert_service_active.c @@ -38,7 +38,7 @@ int32_t GenActiveMsg(AuthResult* authResult, const ChallengeResult* challengeRes return CERT_ERR; } - if (strlen(authResult->ticket) == 0 || strlen(authResult->tokenValue) == 0 || strlen(authResult->ticket) == 0) { + if (strlen(authResult->ticket) == 0 || strlen(authResult->tokenValue) == 0 || strlen(authResult->tokenId) == 0) { CERT_LOG_ERROR("[GenActiveMsg] The length of token is 0."); return CERT_ERR; } @@ -99,7 +99,7 @@ int32_t ParseActiveResult(const char* jsonStr) CERT_LOG_ERROR("[ParseActiveResult] Invalid parameter"); return CERT_ERR; } - int32_t errorCode = (int32_t)GetObjectItemValueNumber(jsonStr, "errcode"); + uint64_t errorCode = GetObjectItemValueNumber(jsonStr, "errcode"); if (isnan(errorCode)) { CERT_LOG_ERROR("[ParseActiveResult] errorCode is nan."); return CERT_ERR; diff --git a/cert_mgr_service/services/core/cert/cert_service_auth.c b/cert_mgr_service/services/core/cert/cert_service_auth.c index ca382c0..2ea4b1e 100644 --- a/cert_mgr_service/services/core/cert/cert_service_auth.c +++ b/cert_mgr_service/services/core/cert/cert_service_auth.c @@ -30,7 +30,7 @@ bool IsAuthStatusChg(void) { CERT_LOG_DEBUG("[IsAuthStatusChg] Begin."); char* authStatusBase64 = NULL; - if (GetAuthStatus(&authStatusBase64) != 0) { + if (GetAuthStatus(&authStatusBase64) != CERT_OK) { CERT_LOG_ERROR("[IsAuthStatusChg] Load auth status failed or status file not exist"); return true; } @@ -344,7 +344,7 @@ uint64_t GetCurrentTime(void) uint64_t currentTime = challengeResult->currentTime; FREE_CHALLENGE_RESULT(challengeResult); - CERT_LOG_DEBUG("[GetCloudCurrentTime] End."); + CERT_LOG_DEBUG("[GetCurrentTime] End."); return currentTime; } @@ -353,12 +353,12 @@ int32_t CheckVersionChanged(AuthStatus* authStatus) CERT_LOG_DEBUG("[CheckVersionChanged] Begin."); if ((authStatus == NULL) || (authStatus->versionId == NULL)) { CERT_LOG_ERROR("[CheckVersionChanged] Invalid parameter"); - return false; + return CERT_ERR; } char* versionIdFromOs = CertGetVersionId(); if (versionIdFromOs == NULL) { CERT_LOG_ERROR("[CheckVersionChanged] Cert GetVersionId is null"); - return false; + return CERT_ERR; } int32_t ret = strcmp(versionIdFromOs, authStatus->versionId); @@ -582,7 +582,7 @@ static int32_t ParseTicket(const cJSON* json, AuthResult* authResult) if (memcpy_s(authResult->ticket, len + 1, item, len + 1) != 0) { CERT_MEM_FREE(authResult->ticket); authResult->ticket = NULL; - CERT_LOG_ERROR("[ParseAuthStats] ticket memset_s or copy failed"); + CERT_LOG_ERROR("[ParseTicket] ticket memset_s or copy failed"); return CERT_ERR; } @@ -683,7 +683,7 @@ int32_t GenAuthMsg(ChallengeResult* challengeResult, DevicePacket** devPacket) int32_t ret = PackProductInfo(&devicePacket->productInfo); if (ret != CERT_OK) { CERT_LOG_ERROR("[GenAuthMsg] Pack ProductInfo failed."); - DestroyDevicePacket(&devicePacket); + FREE_DEVICE_PACKET(devicePacket); return CERT_ERR; } *devPacket = devicePacket; diff --git a/cert_mgr_service/services/core/cert/cert_service_challenge.c b/cert_mgr_service/services/core/cert/cert_service_challenge.c index 53405d8..a642aac 100644 --- a/cert_mgr_service/services/core/cert/cert_service_challenge.c +++ b/cert_mgr_service/services/core/cert/cert_service_challenge.c @@ -85,7 +85,7 @@ static int32_t ParseChallengeResult(const char* jsonStr, ChallengeResult *challe CERT_LOG_ERROR("[ParseChallengeResult] Invalid parameter"); return CERT_ERR; } - int32_t errorCode = (int32_t) GetObjectItemValueNumber(jsonStr, "errcode"); + uint64_t errorCode = GetObjectItemValueNumber(jsonStr, "errcode"); if (isnan(errorCode)) { CERT_LOG_WARN("[ParseChallengeResult] errorCode is nan."); CERT_LOG_ERROR("[ParseChallengeResult] Parse msg failed."); @@ -128,7 +128,7 @@ static int32_t SetChallenge(ChallengeResult* challengeResult, CERT_ACTION_TYPE a char* respMsg = NULL; ret = SendChallMsg(reqMsg, &respMsg, actionType); - DestroyDevicePacket(&reqMsg); + FREE_DEVICE_PACKET(reqMsg); if (ret != CERT_OK) { CERT_LOG_ERROR("[SetChallenge] Send Challenge Msg failed"); return ret; diff --git a/cert_mgr_service/services/core/cert/cert_service_reset.c b/cert_mgr_service/services/core/cert/cert_service_reset.c index 8bf1ef8..a429a65 100644 --- a/cert_mgr_service/services/core/cert/cert_service_reset.c +++ b/cert_mgr_service/services/core/cert/cert_service_reset.c @@ -44,7 +44,7 @@ int32_t GenResetMsg(ChallengeResult* challengeResult, DevicePacket** devPacket) if (devicePacket == NULL) { CERT_LOG_ERROR("[GenResetMsg] Create DevicePacket failed."); return CERT_ERR; - } + } devicePacket->appId = StrdupDevInfo(APP_ID); devicePacket->tenantId = StrdupDevInfo(TENANT_ID); devicePacket->randomUuid = StrdupDevInfo(RANDOM_UUID); @@ -86,7 +86,7 @@ int32_t ParseResetResult(const char* jsonStr) CERT_LOG_ERROR("[ParseResetResult] Invalid parameter"); return CERT_ERR; } - int32_t errorCode = (int32_t) GetObjectItemValueNumber(jsonStr, "errcode"); + uint64_t errorCode = GetObjectItemValueNumber(jsonStr, "errcode"); if (isnan(errorCode)) { CERT_LOG_ERROR("[ParseResetResult] errorCode is nan."); return CERT_ERR; diff --git a/cert_mgr_service/services/core/cert_entry.c b/cert_mgr_service/services/core/cert_entry.c index 0336422..4e30467 100644 --- a/cert_mgr_service/services/core/cert_entry.c +++ b/cert_mgr_service/services/core/cert_entry.c @@ -25,7 +25,7 @@ int32_t CertTask(void) // 执行主流程代码 int32_t ret = ProcCert(); if (ret != CERT_OK) { - CERT_LOG_ERROR("[CertTask] Proc Cert failed ret = %d.", ret); + CERT_LOG_ERROR("[CertTask] Proc failed ret = %d.", ret); } // 创建主流程定时器 diff --git a/cert_mgr_service/services/core/dfx/cert_dfx.c b/cert_mgr_service/services/core/dfx/cert_dfx.c index 340040d..3e71b50 100644 --- a/cert_mgr_service/services/core/dfx/cert_dfx.c +++ b/cert_mgr_service/services/core/dfx/cert_dfx.c @@ -183,7 +183,7 @@ void PrintAuthResult(AuthResult* authResult) if (authResult->authStatus == NULL) { CERT_LOG_WARN("authStatus = null;"); } else { - CERT_LOG_INFO_ANONY("authStatus = %s;", authResult->authStatus); + // authResult->authStatus 内容过长,不在打印 } CERT_LOG_INFO("----------------------------"); } diff --git a/cert_mgr_service/services/core/include/adapter/cert_adapter.h b/cert_mgr_service/services/core/include/adapter/cert_adapter.h index 15cb4db..2d94991 100644 --- a/cert_mgr_service/services/core/include/adapter/cert_adapter.h +++ b/cert_mgr_service/services/core/include/adapter/cert_adapter.h @@ -64,7 +64,7 @@ int32_t CertReadToken(TokenInfo* tokenInfo); int32_t CertWriteToken(TokenInfo* tokenInfo); -int32_t CertGetProductKey(uint8_t productId[], uint32_t len); +int32_t CertGetProductKey(uint8_t productKey[], uint32_t len); int32_t CertSetParameter(const char *key, const char *value); diff --git a/cert_mgr_service/services/core/include/adapter/cert_adapter_mock.h b/cert_mgr_service/services/core/include/adapter/cert_adapter_mock.h index 6544f8f..28f3bc6 100644 --- a/cert_mgr_service/services/core/include/adapter/cert_adapter_mock.h +++ b/cert_mgr_service/services/core/include/adapter/cert_adapter_mock.h @@ -34,9 +34,10 @@ extern "C" { #define CERT_MOCK_DEVICE_STUB_FLAG false #endif -#define CETR_MOCK_STUB_PATH "/data/data" -#define CETR_MOCK_STUB_NETWORK_NAME "cert_mock_network_para" -#define CETR_MOCK_STUB_DEVICE_NAME "cert_mock_device_para" +#define CERT_MOCK_STUB_PATH "/data/data" +#define CERT_MOCK_STUB_NETWORK_NAME "cert_mock_network_para" +#define CERT_MOCK_STUB_DEVICE_NAME "cert_mock_device_para" +#define CERT_MOCK_TOKEN_FILE_NAME "token" #define CERT_MOCK_STUB_MAX_LEN 512 // 定义打桩数据Json的节点名称 @@ -67,6 +68,15 @@ char* OsGetSecurityPatchTagStub(void); char* OsGetUdidStub(void); +int OsGetAcKeyStub(char *acKey, unsigned int len); + +int OsGetProdIdStub(char* productId, uint32_t len); + +int OsGetProdKeyStub(char* productKey, uint32_t len); + +int32_t OsReadTokenStub(char* buffer, uint32_t bufferLen); + +int32_t OsWriteTokenStub(char* buffer, uint32_t bufferLen); #ifdef __cplusplus #if __cplusplus diff --git a/cert_mgr_service/services/core/include/cert_type.h b/cert_mgr_service/services/core/include/cert_type.h index 647a928..fe32211 100644 --- a/cert_mgr_service/services/core/include/cert_type.h +++ b/cert_mgr_service/services/core/include/cert_type.h @@ -88,9 +88,9 @@ typedef struct { // 认证返回结果中的authStatus结构 typedef struct { char* versionId; + char* authType; int32_t softwareResult; int32_t hardwareResult; - char* authType; uint64_t expireTime; // 项目新增字段,参考接口文档 } AuthStatus; diff --git a/cert_mgr_service/services/core/include/security/cert_security.h b/cert_mgr_service/services/core/include/security/cert_security.h index 4a994b3..d2fc3c9 100644 --- a/cert_mgr_service/services/core/include/security/cert_security.h +++ b/cert_mgr_service/services/core/include/security/cert_security.h @@ -21,7 +21,6 @@ #include "ctr_drbg.h" #include "hkdf.h" #include "md.h" -#include "md_internal.h" #include "sha256.h" #include "entropy.h" diff --git a/cert_mgr_service/services/core/include/utils/cert_utils.h b/cert_mgr_service/services/core/include/utils/cert_utils.h index 5d7f3cf..9b35e9a 100644 --- a/cert_mgr_service/services/core/include/utils/cert_utils.h +++ b/cert_mgr_service/services/core/include/utils/cert_utils.h @@ -49,7 +49,7 @@ int32_t ToLowerStr(char* str, int len); int32_t StrToHex(char *pbDest, char *pbSrc, int nLen); -int Sha256Value(const unsigned char *src, char *dest, int destLen); +int Sha256Value(const unsigned char *src, int srcLen, char *dest, int destLen); int32_t AnonymiseStr(char* str); diff --git a/cert_mgr_service/services/core/include/utils/cert_utils_file.h b/cert_mgr_service/services/core/include/utils/cert_utils_file.h index 64f6f51..133ea4e 100644 --- a/cert_mgr_service/services/core/include/utils/cert_utils_file.h +++ b/cert_mgr_service/services/core/include/utils/cert_utils_file.h @@ -32,8 +32,11 @@ int32_t ReadFile(const char* path, const char* fileName, char* buffer, uint32_t int32_t CreateFile(const char* path, const char* fileName); +bool DeleteFile(const char* path, const char* fileName); + bool IsFileExist(const char* path, const char* fileName); -int32_t ReadFileBuffer(const char* path, const char* fileName, char** jsonStr); + +int32_t ReadFileBuffer(const char* path, const char* fileName, char** outStr); #ifdef __cplusplus #if __cplusplus diff --git a/cert_mgr_service/services/core/security/cert_security.c b/cert_mgr_service/services/core/security/cert_security.c index c6dfbd9..ff4e6c5 100644 --- a/cert_mgr_service/services/core/security/cert_security.c +++ b/cert_mgr_service/services/core/security/cert_security.c @@ -42,7 +42,7 @@ int32_t Base64Encode(const uint8_t* srcData, size_t srcDataLen, uint8_t* base64E size_t outLen = 0; int32_t ret = mbedtls_base64_encode(NULL, 0, &outLen, srcData, srcDataLen); - if ((outLen == 0) || (outLen > (base64EncodeLen + 1))) { + if ((outLen == 0) || (outLen > (size_t)(base64EncodeLen + 1))) { CERT_LOG_ERROR("[Base64Encode] Base64 encode get outLen failed, outLen = %u, ret = -0x00%x", outLen, -ret); return ERR_CERT_SECURITY_BASE64_ENCODE; } @@ -78,9 +78,6 @@ void GetSalt(uint8_t* salt, uint32_t saltLen) } // temp右移8bits salt[i] = (uint8_t)((temp >> ((i % randomNumBytes) * offsetBits)) & 0xff); - if (salt[i] == 0) { - salt[i]++; - } } } @@ -183,7 +180,7 @@ int32_t GetAesKey(const SecurityParam* salt, const VersionData* versionData, co return ret; } -// AES-1238-CBC-PKCS#7加密 +// AES-128-CBC-PKCS#7加密 static int32_t EncryptAesCbc(AesCryptBufferDatas* datas, const uint8_t* aesKey, const char* iv, size_t ivLen) { @@ -240,7 +237,7 @@ static int32_t EncryptAesCbc(AesCryptBufferDatas* datas, const uint8_t* aesKey, return ret; } -// AES-1238-CBC-PKCS#7解密 +// AES-128-CBC-PKCS#7解密 static int32_t DecryptAesCbc(AesCryptBufferDatas* datas, const uint8_t* aesKey, const uint8_t* iv, size_t ivLen) { diff --git a/cert_mgr_service/services/core/security/cert_security_ticket.c b/cert_mgr_service/services/core/security/cert_security_ticket.c index 067dc3a..4b52ce8 100644 --- a/cert_mgr_service/services/core/security/cert_security_ticket.c +++ b/cert_mgr_service/services/core/security/cert_security_ticket.c @@ -28,8 +28,7 @@ int32_t WriteTicketToDevice(const char* ticket, uint8_t ticketLen) uint8_t ticketData[ENCRYPT_LEN + 1] = {0}; uint8_t encryptedData[BASE64_LEN] = {0}; uint8_t salt[SALT_LEN] = {0}; - TicketInfo ticketInfo; - + if ((ticket == NULL) || (ticketLen < MIN_TICKET_LEN) || (ticketLen >= MAX_TICKET_LEN)) { CERT_LOG_ERROR("[WriteTicketToDevice] Input Parameter."); return ERR_CERT_SECURITY_INVALID_ARG; @@ -47,17 +46,15 @@ int32_t WriteTicketToDevice(const char* ticket, uint8_t ticketLen) CERT_LOG_ERROR("[WriteTicketToDevice] Get AesKey fail."); return ERR_CERT_SECURITY_GEN_AESKEY; } - (void)memset_s(&ticketInfo, sizeof(TicketInfo), 0, sizeof(TicketInfo)); - if (ret != CERT_OK) { - CERT_LOG_ERROR("[WriteTicketToDevice] ticketInfo memset_s fail."); - return ERR_CERT_SECURITY_MEM_MEMSET; - } + ret = Encrypt(ticketData, ticketLen, aesKey, encryptedData, BASE64_LEN); if (ret != CERT_OK) { CERT_LOG_ERROR("[WriteTicketToDevice] ticketData Encrypt fail."); return ERR_CERT_SECURITY_ENCRYPT; } + TicketInfo ticketInfo; + (void)memset_s(&ticketInfo, sizeof(TicketInfo), 0, sizeof(TicketInfo)); if (memcpy_s(ticketInfo.ticket, sizeof(ticketInfo.ticket), encryptedData, BASE64_LEN) != 0 || memcpy_s(ticketInfo.salt, sizeof(ticketInfo.salt), salt, SALT_LEN) != 0) { CERT_LOG_ERROR("[WriteTicketToDevice] ticket or salt memcpy_s fail."); diff --git a/cert_mgr_service/services/core/security/cert_security_token.c b/cert_mgr_service/services/core/security/cert_security_token.c index 7330a70..37fed8a 100644 --- a/cert_mgr_service/services/core/security/cert_security_token.c +++ b/cert_mgr_service/services/core/security/cert_security_token.c @@ -210,7 +210,7 @@ static int32_t GetTokenInfo(const char* tokenValue, uint8_t tokenValueLen, } ret = memcpy_s(tokenInfo->version, sizeof(tokenInfo->version), g_tokenVersion, sizeof(tokenInfo->version)); if (ret != 0) { - CERT_LOG_ERROR("[GetTokenInfo] memcpy_s tokenVersion failed"); + CERT_LOG_ERROR("[GetTokenInfo] memcpy_s tokenVersion failed"); return ERR_CERT_SECURITY_MEM_MEMCPY; } return CERT_OK; diff --git a/cert_mgr_service/services/core/utils/cert_utils.c b/cert_mgr_service/services/core/utils/cert_utils.c index ab83732..93ea5b7 100644 --- a/cert_mgr_service/services/core/utils/cert_utils.c +++ b/cert_mgr_service/services/core/utils/cert_utils.c @@ -18,34 +18,47 @@ #include "mbedtls/ctr_drbg.h" #include "mbedtls/entropy.h" #include "mbedtls/sha256.h" +#include "mbedtls/version.h" #include "cert_utils_log.h" #include "cert_utils_memleak.h" #include "cert_utils.h" +#define HEX_LEN_PER_BYTE 2 // 16进制1字节占用长度 #define DEV_BUF_LENGTH 3 #define HASH_LENGTH 32 +#if defined(MBEDTLS_VERSION_NUMBER) && (MBEDTLS_VERSION_NUMBER >= 0x03000000) +#define mbedtls_sha256_starts_ret mbedtls_sha256_starts +#define mbedtls_sha256_update_ret mbedtls_sha256_update +#define mbedtls_sha256_finish_ret mbedtls_sha256_finish +#endif + int32_t GetRandomNum(void) { - mbedtls_ctr_drbg_context randomContext; - mbedtls_entropy_context randomEntropy; - mbedtls_ctr_drbg_init(&randomContext); - mbedtls_entropy_init(&randomEntropy); + static mbedtls_ctr_drbg_context randomContext; + static mbedtls_entropy_context randomEntropy; + static bool initFlag = false; + const char* pers = "CTR_DRBG"; uint8_t random = 0; + int32_t ret = 0; do { - int32_t ret = mbedtls_ctr_drbg_seed(&randomContext, mbedtls_entropy_func, &randomEntropy, - (const uint8_t*)pers, strlen(pers)); - if (ret != CERT_OK) { - break; + if (initFlag == false) { + mbedtls_ctr_drbg_init(&randomContext); + mbedtls_entropy_init(&randomEntropy); + ret = mbedtls_ctr_drbg_seed(&randomContext, mbedtls_entropy_func, &randomEntropy, + (const unsigned char *)pers, strlen(pers)); + if (ret != CERT_OK) { + break; + } + initFlag = true; } + ret = mbedtls_ctr_drbg_random(&randomContext, &random, sizeof(random)); if (ret != CERT_OK) { break; } } while (0); - mbedtls_ctr_drbg_free(&randomContext); - mbedtls_entropy_free(&randomEntropy); return ABS(random); } @@ -154,8 +167,7 @@ int32_t ToLowerStr(char* str, int len) return CERT_ERR; } - int i; - for (i = 0; i < len; i++) { + for (int i = 0; i < len; i++) { str[i] = tolower(str[i]); } return CERT_OK; @@ -195,18 +207,18 @@ int32_t StrToHex(char *pbDest, char *pbSrc, int nLen) return CERT_OK; } -int Sha256Value(const unsigned char *src, char *dest, int destLen) +int Sha256Value(const unsigned char *src, int srcLen, char *dest, int destLen) { if (src == NULL) { return CERT_ERR; } - char buf[DEV_BUF_LENGTH]; - unsigned char hash[HASH_LENGTH]; + char buf[DEV_BUF_LENGTH] = {0}; + unsigned char hash[HASH_LENGTH] = {0}; mbedtls_sha256_context context; mbedtls_sha256_init(&context); mbedtls_sha256_starts_ret(&context, 0); - mbedtls_sha256_update_ret(&context, src, strlen((const char *)src)); + mbedtls_sha256_update_ret(&context, src, srcLen); mbedtls_sha256_finish_ret(&context, hash); for (size_t i = 0; i < HASH_LENGTH; i++) { diff --git a/cert_mgr_service/services/core/utils/cert_utils_file.c b/cert_mgr_service/services/core/utils/cert_utils_file.c index f080d52..c7a1eff 100644 --- a/cert_mgr_service/services/core/utils/cert_utils_file.c +++ b/cert_mgr_service/services/core/utils/cert_utils_file.c @@ -220,6 +220,26 @@ bool IsFileExist(const char* path, const char* fileName) return true; } +bool DeleteFile(const char* path, const char* fileName) +{ + if (path == NULL || fileName == NULL) { + return false; + } + if (strlen(path) == 0 || strlen(fileName) == 0) { + return false; + } + char* filePath = GenFilePath(path, fileName); + if (filePath == NULL) { + return false; + } + int32_t ret = remove(filePath); + CERT_MEM_FREE(filePath); + if (ret != 0) { + return false; + } + return true; +} + int32_t ReadFileBuffer(const char* path, const char* fileName, char** outStr) { if (path == NULL || fileName == NULL || outStr == NULL) { diff --git a/cert_mgr_service/services/core/utils/cert_utils_log.c b/cert_mgr_service/services/core/utils/cert_utils_log.c index 693bea3..42e2189 100644 --- a/cert_mgr_service/services/core/utils/cert_utils_log.c +++ b/cert_mgr_service/services/core/utils/cert_utils_log.c @@ -56,7 +56,7 @@ void CertLog(CertLogLevel logLevel, const char* fmt, ...) int32_t ret = vsprintf_s(outStr, sizeof(outStr), fmt, arg); va_end(arg); if (ret < 0) { - CertLogPrint(logLevel, "Cert log length error."); + CertLogPrint(logLevel, "log length error."); return; } CertLogPrint(logLevel, outStr); @@ -73,7 +73,7 @@ void CertLogAnonyStr(CertLogLevel logLevel, const char* fmt, const char* str) } int32_t ret = AnonymiseStr(strDup); if (ret != CERT_OK) { - CERT_LOG_ERROR("[CertLogAnony] AnonymiseStr failed, ret = %d;", ret); + CERT_LOG_ERROR("[CertLogAnonyStr] AnonymiseStr failed, ret = %d;", ret); CERT_MEM_FREE(strDup); return; } @@ -81,7 +81,7 @@ void CertLogAnonyStr(CertLogLevel logLevel, const char* fmt, const char* str) ret = sprintf_s(outStr, sizeof(outStr), fmt, strDup); CERT_MEM_FREE(strDup); if (ret < 0) { - CertLogPrint(logLevel, "[CertLogAnony] Cert anony str length error."); + CertLogPrint(logLevel, "[CertLogAnonyStr] anony str length error."); return; } CertLogPrint(logLevel, outStr); diff --git a/cert_mgr_service/services/core/utils/cert_utils_memleak.c b/cert_mgr_service/services/core/utils/cert_utils_memleak.c index 5e333f2..20717d1 100644 --- a/cert_mgr_service/services/core/utils/cert_utils_memleak.c +++ b/cert_mgr_service/services/core/utils/cert_utils_memleak.c @@ -48,6 +48,7 @@ int32_t InitMemNodeList(void) if (list == NULL) { return CERT_ERR; } + (void)memset_s(list, sizeof(List), 0, sizeof(List)); list->head = NULL; g_memNodeList = list; return CERT_OK; diff --git a/cert_mgr_service/services/etc/init/BUILD.gn b/cert_mgr_service/services/etc/init/BUILD.gn index a138f69..2708fb5 100644 --- a/cert_mgr_service/services/etc/init/BUILD.gn +++ b/cert_mgr_service/services/etc/init/BUILD.gn @@ -16,15 +16,15 @@ import("//base/cert_mgr_service/build/certconfig.gni") group("cert_mgr_etc") { deps = [ - ":cert_mgr_sa.rc", + ":cert_mgr_service.cfg", ] } -ohos_prebuilt_etc("cert_mgr_sa.rc") { +ohos_prebuilt_etc("cert_mgr_service.cfg") { if (use_musl) { - source = "cert_mgr_sa.cfg" + source = "cert_mgr_service.cfg" } else { - source = "cert_mgr_sa.rc" + source = "cert_mgr_service.rc" } relative_install_dir = "init" subsystem_name = "certmanager" diff --git a/cert_mgr_service/services/etc/init/cert_mgr_sa.cfg b/cert_mgr_service/services/etc/init/cert_mgr_service.cfg similarity index 58% rename from cert_mgr_service/services/etc/init/cert_mgr_sa.cfg rename to cert_mgr_service/services/etc/init/cert_mgr_service.cfg index 90e0c2e..c002200 100644 --- a/cert_mgr_service/services/etc/init/cert_mgr_sa.cfg +++ b/cert_mgr_service/services/etc/init/cert_mgr_service.cfg @@ -2,15 +2,16 @@ "jobs" : [{ "name" : "post-fs-data", "cmds" : [ - "start cert_mgr_server" + "start cert_mgr_service" ] } ], "services" : [{ - "name" : "cert_mgr_server", + "name" : "cert_mgr_service", "path" : ["/system/bin/sa_main", "/system/profile/cert_mgr_service.xml"], "uid" : "root", - "gid" : ["system", "shell", "uhid", "root"] + "gid" : ["system", "shell", "uhid", "root"], + "secon" : "u:r:cert_mgr_service:s0" } ] } diff --git a/cert_mgr_service/services/etc/init/cert_mgr_sa.rc b/cert_mgr_service/services/etc/init/cert_mgr_service.rc similarity index 88% rename from cert_mgr_service/services/etc/init/cert_mgr_sa.rc rename to cert_mgr_service/services/etc/init/cert_mgr_service.rc index 6f2dbbf..f851cd0 100644 --- a/cert_mgr_service/services/etc/init/cert_mgr_sa.rc +++ b/cert_mgr_service/services/etc/init/cert_mgr_service.rc @@ -11,7 +11,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -service cert_mgr_server /system/bin/sa_main /system/profile/cert_mgr_service.xml +service cert_mgr_service_sa /system/bin/sa_main /system/profile/cert_mgr_service.xml class z_core user root group system shell diff --git a/cert_mgr_service/services/oem_adapter/BUILD.gn b/cert_mgr_service/services/oem_adapter/BUILD.gn index 02b8de3..232f274 100644 --- a/cert_mgr_service/services/oem_adapter/BUILD.gn +++ b/cert_mgr_service/services/oem_adapter/BUILD.gn @@ -39,10 +39,10 @@ ohos_shared_library("cert_mgr_oem_adapter") { deps = [ "//third_party/cJSON:cjson_static", - "//utils/native/base:utils", ] external_deps = [ + "c_utils:utils", "hiviewdfx_hilog_native:libhilog", ] diff --git a/cert_mgr_service/services/sa_profile/BUILD.gn b/cert_mgr_service/services/sa_profile/BUILD.gn index f345abc..28b82b3 100644 --- a/cert_mgr_service/services/sa_profile/BUILD.gn +++ b/cert_mgr_service/services/sa_profile/BUILD.gn @@ -11,8 +11,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -import("//build/ohos.gni") -import("//base/cert_mgr_service/build/certconfig.gni") +import("//build/ohos/sa_profile/sa_profile.gni") ohos_sa_profile("cert_mgr_sa_profile") { sources = [ "7100.xml" ] diff --git a/cert_mgr_service/test/data/cert_mock_network_para b/cert_mgr_service/test/data/cert_mock_network_para index f7b07e2..6efa992 100644 --- a/cert_mgr_service/test/data/cert_mock_network_para +++ b/cert_mgr_service/test/data/cert_mock_network_para @@ -20,7 +20,7 @@ "challenge": { "currentTime": 1647914836482, "challenge": "b39b752290266b95acedde9b2f89fa5ebea6e060d509b0b20d07c922bcea7b64", - "errcode": 1 + "errcode": 0 }, "response": { "ticket": "ujlrjJ6loo16/32VSKj9hZ+vDpiPgt+L", diff --git a/cert_mgr_service/test/unittest/BUILD.gn b/cert_mgr_service/test/unittest/BUILD.gn index 29e4da6..1006225 100644 --- a/cert_mgr_service/test/unittest/BUILD.gn +++ b/cert_mgr_service/test/unittest/BUILD.gn @@ -39,10 +39,10 @@ deps_in = [ "//third_party/mbedtls:mbedtls_shared", "//third_party/googletest:gtest_main", "//third_party/googletest:gmock", - "//utils/native/base:utils" ] deps_ex = [ + "c_utils:utils", "hiviewdfx_hilog_native:libhilog", "ipc:ipc_core", "safwk:system_ability_fwk", @@ -82,7 +82,6 @@ ohos_unittest("CertMgrCoreTest") { "${certmanager_standard_path}/services/core:cert_mgr_core", "${certmanager_standard_path}/services/cert_mgr_ability:cert_mgr_service", "${certmanager_standard_path}/interfaces/innerkits/native_cpp:cert_mgr_sdk", - "//utils/native/base:utils", ] external_deps = deps_ex } diff --git a/certmanager/cert_mgr_standard/system/cert_mgr_service.te b/certmanager/cert_mgr_standard/system/cert_mgr_service.te new file mode 100644 index 0000000..4b17bec --- /dev/null +++ b/certmanager/cert_mgr_standard/system/cert_mgr_service.te @@ -0,0 +1,65 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type cert_mgr_service, sadomain, domain; +type cert_mgr_service_exec, system_file_attr, exec_attr, file_attr; + +init_daemon_domain(cert_mgr_service); + +allow cert_mgr_service port:tcp_socket { name_connect }; +allow cert_mgr_service cert_mgr_service:tcp_socket { connect create read setopt write getopt getattr }; +allow cert_mgr_service data_ota_package:dir { add_name search write remove_name }; +allow cert_mgr_service data_ota_package:dir { append ioctl open read }; +allow cert_mgr_service data_ota_package:file { append create ioctl open read rename unlink }; +allow cert_mgr_service dev_file:sock_file { write }; +allow cert_mgr_service netsysnative:unix_stream_socket { connectto }; +allow cert_mgr_service cert_mgr_service:udp_socket { create bind connect getattr read write }; +allow cert_mgr_service data_data_file:file { append map open read create write getattr setattr unlink lock ioctl rename }; +allow cert_mgr_service data_data_file:dir { search getattr add_name open read remove_name search write create }; +allow storage_daemon hmdfs:dir { mounton }; +allow foundation storage_manager:dir { open read write }; +allow netsysnative netmanager:tcp_socket { create read write getopt setopt }; + +allow cert_mgr_service accesstoken_service:binder { call }; +allow cert_mgr_service data_dhcp:dir { add_name remove_name search write create }; +allow cert_mgr_service data_dhcp:file { create getattr ioctl lock open read setattr unlink write }; +allow cert_mgr_service data_file:dir { search }; +allow cert_mgr_service data_misc:dir { add_name search write }; +allow cert_mgr_service data_misc:file { create ioctl open read write }; +allow cert_mgr_service data_misc:sock_file { write }; +allow cert_mgr_service accessibility_param:file { read }; +allow cert_mgr_service dev_unix_socket:dir { search }; +allow cert_mgr_service foundation:binder { call transfer }; +allow cert_mgr_service netmanager:binder { call transfer }; +allow cert_mgr_service node:udp_socket { node_bind }; +allow cert_mgr_service port:udp_socket { name_bind }; +allow cert_mgr_service softbus_server:binder { call }; +allow cert_mgr_service system_basic_hap:binder { call }; +allow cert_mgr_service system_bin_file:dir { search }; +allow cert_mgr_service system_bin_file:file { execute execute_no_trans map read open }; +allow cert_mgr_service wifi_hal_service:unix_stream_socket { connectto }; +allow cert_mgr_service cert_mgr_service:netlink_route_socket { create nlmsg_read read write }; +allow cert_mgr_service cert_mgr_service:packet_socket { bind create read write }; +allow cert_mgr_service cert_mgr_service:udp_socket { bind create ioctl setopt getopt read write }; +allow cert_mgr_service cert_mgr_service:unix_dgram_socket { ioctl getopt setopt }; +allowxperm cert_mgr_service data_dhcp:file ioctl { 0x5413 }; +allowxperm cert_mgr_service data_misc:file ioctl { 0x5413 }; +allowxperm cert_mgr_service cert_mgr_service:udp_socket ioctl { 0x890B 0x8913 0x8915 0x8916 0x891b 0x891c 0x8927 0x8933 }; +allowxperm cert_mgr_service cert_mgr_service:unix_dgram_socket ioctl { 0x8910 }; +allow cert_mgr_service paramservice_socket:sock_file { write create setattr getattr relabelto }; +allow cert_mgr_service kernel:unix_stream_socket { connectto }; +allow cert_mgr_service cert_auth_result_param:file { map open read }; +allow cert_mgr_service cert_auth_result_param:parameter_service { set }; + +allow cert_mgr_service sa_cert_mgr_service:samgr_class { add }; +allow cert_mgr_service sa_net_conn_manager:samgr_class { get }; diff --git a/certmanager/cert_mgr_standard/system/parameter.te b/certmanager/cert_mgr_standard/system/parameter.te new file mode 100644 index 0000000..29df3f4 --- /dev/null +++ b/certmanager/cert_mgr_standard/system/parameter.te @@ -0,0 +1,14 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +type cert_auth_result_param, parameter_attr; diff --git a/certmanager/cert_mgr_standard/system/parameter_contexts b/certmanager/cert_mgr_standard/system/parameter_contexts new file mode 100644 index 0000000..0776ba8 --- /dev/null +++ b/certmanager/cert_mgr_standard/system/parameter_contexts @@ -0,0 +1,14 @@ +# Copyright (c) 2022 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +cert.auth.result u:object_r:cert_auth_result_param:s0 -- Gitee From 22e220788a3a22cd65d0ea84e1610e363fbe60eb Mon Sep 17 00:00:00 2001 From: Kemin <541416002@qq.com> Date: Mon, 14 Nov 2022 17:15:42 +0800 Subject: [PATCH 2/4] =?UTF-8?q?=E5=92=8Cdevelop=E5=88=86=E6=94=AF=E7=9A=84?= =?UTF-8?q?=E9=9A=8F=E6=9C=BA=E6=95=B0=E7=94=9F=E6=88=90=E9=80=BB=E8=BE=91?= =?UTF-8?q?=E4=BF=9D=E6=8C=81=E4=B8=80=E8=87=B4?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../services/core/adapter/cert_adapter_oem.c | 1 - .../services/core/utils/cert_utils.c | 44 +++++++++++-------- .../services/etc/init/cert_mgr_service.rc | 2 +- 3 files changed, 26 insertions(+), 21 deletions(-) diff --git a/cert_mgr_service/services/core/adapter/cert_adapter_oem.c b/cert_mgr_service/services/core/adapter/cert_adapter_oem.c index 48e4bb0..3fab6bc 100644 --- a/cert_mgr_service/services/core/adapter/cert_adapter_oem.c +++ b/cert_mgr_service/services/core/adapter/cert_adapter_oem.c @@ -16,7 +16,6 @@ #include "cert_type.h" #include "cert_utils_file.h" #include "cert_adapter_oem.h" -#include "cert_utils_log.h" // 是否存在重置标记 bool OEMIsResetFlagExist(void) diff --git a/cert_mgr_service/services/core/utils/cert_utils.c b/cert_mgr_service/services/core/utils/cert_utils.c index 93ea5b7..da5b68c 100644 --- a/cert_mgr_service/services/core/utils/cert_utils.c +++ b/cert_mgr_service/services/core/utils/cert_utils.c @@ -23,7 +23,6 @@ #include "cert_utils_memleak.h" #include "cert_utils.h" -#define HEX_LEN_PER_BYTE 2 // 16进制1字节占用长度 #define DEV_BUF_LENGTH 3 #define HASH_LENGTH 32 @@ -35,31 +34,38 @@ int32_t GetRandomNum(void) { - static mbedtls_ctr_drbg_context randomContext; - static mbedtls_entropy_context randomEntropy; - static bool initFlag = false; - + mbedtls_ctr_drbg_context randomContext; + mbedtls_entropy_context randomEntropy; + mbedtls_ctr_drbg_init(&randomContext); + mbedtls_entropy_init(&randomEntropy); const char* pers = "CTR_DRBG"; - uint8_t random = 0; - int32_t ret = 0; + int32_t result = 0; + const int32_t randomBytes = 4; + unsigned char* random = (unsigned char *)CERT_MEM_MALLOC(randomBytes); + if (random == NULL) { + return 0; + } do { - if (initFlag == false) { - mbedtls_ctr_drbg_init(&randomContext); - mbedtls_entropy_init(&randomEntropy); - ret = mbedtls_ctr_drbg_seed(&randomContext, mbedtls_entropy_func, &randomEntropy, - (const unsigned char *)pers, strlen(pers)); - if (ret != CERT_OK) { - break; - } - initFlag = true; + int32_t ret = mbedtls_ctr_drbg_seed(&randomContext, mbedtls_entropy_func, &randomEntropy, + (const uint8_t*)pers, strlen(pers)); + if (ret != CERT_OK) { + break; } - - ret = mbedtls_ctr_drbg_random(&randomContext, &random, sizeof(random)); + ret = mbedtls_ctr_drbg_random(&randomContext, random, randomBytes); if (ret != CERT_OK) { break; } + + result = random[randomBytes - 1]; + for (int i = randomBytes - 2; i >= 0; --i) { + result <<= 8; + result |= random[i]; + } } while (0); - return ABS(random); + mbedtls_ctr_drbg_free(&randomContext); + mbedtls_entropy_free(&randomEntropy); + CERT_MEM_FREE(random); + return ABS(result); } char* CertStrdup(const char* input) diff --git a/cert_mgr_service/services/etc/init/cert_mgr_service.rc b/cert_mgr_service/services/etc/init/cert_mgr_service.rc index f851cd0..a527eac 100644 --- a/cert_mgr_service/services/etc/init/cert_mgr_service.rc +++ b/cert_mgr_service/services/etc/init/cert_mgr_service.rc @@ -11,7 +11,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -service cert_mgr_service_sa /system/bin/sa_main /system/profile/cert_mgr_service.xml +service cert_mgr_service /system/bin/sa_main /system/profile/cert_mgr_service.xml class z_core user root group system shell -- Gitee From 68460d8083aa5fc1f777b7d0176b15108f0479be Mon Sep 17 00:00:00 2001 From: Kemin <541416002@qq.com> Date: Tue, 15 Nov 2022 11:19:08 +0800 Subject: [PATCH 3/4] =?UTF-8?q?=E9=80=80=E5=9B=9Esalt=E7=9A=84=E9=80=BB?= =?UTF-8?q?=E8=BE=91?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cert_mgr_service/services/core/security/cert_security.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/cert_mgr_service/services/core/security/cert_security.c b/cert_mgr_service/services/core/security/cert_security.c index ff4e6c5..86cafd2 100644 --- a/cert_mgr_service/services/core/security/cert_security.c +++ b/cert_mgr_service/services/core/security/cert_security.c @@ -78,6 +78,9 @@ void GetSalt(uint8_t* salt, uint32_t saltLen) } // temp右移8bits salt[i] = (uint8_t)((temp >> ((i % randomNumBytes) * offsetBits)) & 0xff); + if (salt[i] == 0) { + salt[i]++; + } } } -- Gitee From 212eed820482fe845364e8b673f761edc0429db2 Mon Sep 17 00:00:00 2001 From: Kemin <541416002@qq.com> Date: Tue, 15 Nov 2022 11:45:25 +0800 Subject: [PATCH 4/4] =?UTF-8?q?=E4=BF=AE=E6=94=B9=E6=A0=BC=E5=BC=8F?= =?UTF-8?q?=E9=97=AE=E9=A2=98?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cert_mgr_service/services/core/adapter/cert_adapter.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cert_mgr_service/services/core/adapter/cert_adapter.c b/cert_mgr_service/services/core/adapter/cert_adapter.c index df5a86d..fc6280e 100644 --- a/cert_mgr_service/services/core/adapter/cert_adapter.c +++ b/cert_mgr_service/services/core/adapter/cert_adapter.c @@ -89,7 +89,7 @@ int32_t CertReadToken(TokenInfo* tokenInfo) char token[TOKEN_ENCRYPT_LEN + 1] = {0}; int32_t ret = 0; if (CERT_MOCK_DEVICE_STUB_FLAG) { - ret = OsReadTokenStub(token, sizeof(token)); + ret = OsReadTokenStub(token, sizeof(token)); } else { ret = OEMReadToken(token, sizeof(token)); } @@ -147,7 +147,7 @@ int32_t CertWriteToken(TokenInfo* tokenInfo) } int32_t ret = 0; if (CERT_MOCK_DEVICE_STUB_FLAG) { - ret = OsWriteTokenStub(token, sizeof(token)); + ret = OsWriteTokenStub(token, sizeof(token)); } else { ret = OEMWriteToken(token, sizeof(token)); } -- Gitee