1 /*
2 * Copyright (c) 2021-2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "hks_client_check.h"
17
18 #include <stddef.h>
19
20 #include "hks_base_check.h"
21 #include "hks_common_check.h"
22 #include "hks_log.h"
23 #include "hks_param.h"
24 #include "hks_template.h"
25 #include "hks_mem.h"
26 #include "hks_storage_manager.h"
27
28 #ifdef L2_STANDARD
29 static const uint32_t CHANGE_STORAGE_LEVEL_CFG_LIST[] = HUKS_CHANGE_STORAGE_LEVEL_CONFIG;
30 #endif
31
32 #ifndef _CUT_AUTHENTICATE_
CheckProcessNameAndKeyAliasSize(uint32_t processNameSize,uint32_t keyAliasSize)33 static int32_t CheckProcessNameAndKeyAliasSize(uint32_t processNameSize, uint32_t keyAliasSize)
34 {
35 if (processNameSize > HKS_MAX_PROCESS_NAME_LEN) {
36 HKS_LOG_E("processName size too long, size %" LOG_PUBLIC "u", processNameSize);
37 return HKS_ERROR_INVALID_ARGUMENT;
38 }
39
40 if (keyAliasSize > HKS_MAX_KEY_ALIAS_LEN) {
41 HKS_LOG_E("keyAlias size too long, size %" LOG_PUBLIC "u", keyAliasSize);
42 return HKS_ERROR_INVALID_ARGUMENT;
43 }
44
45 return HKS_SUCCESS;
46 }
47
HksCheckProcessNameAndKeyAlias(const struct HksBlob * processName,const struct HksBlob * keyAlias)48 int32_t HksCheckProcessNameAndKeyAlias(const struct HksBlob *processName, const struct HksBlob *keyAlias)
49 {
50 HKS_IF_NOT_SUCC_RETURN(HksCheckBlob2(processName, keyAlias), HKS_ERROR_INVALID_ARGUMENT)
51
52 return CheckProcessNameAndKeyAliasSize(processName->size, keyAlias->size);
53 }
54
HksCheckGenAndImportKeyParams(const struct HksBlob * processName,const struct HksBlob * keyAlias,const struct HksParamSet * paramSetIn,const struct HksBlob * key)55 int32_t HksCheckGenAndImportKeyParams(const struct HksBlob *processName, const struct HksBlob *keyAlias,
56 const struct HksParamSet *paramSetIn, const struct HksBlob *key)
57 {
58 int32_t ret = HksCheckBlob3AndParamSet(processName, keyAlias, key, paramSetIn);
59 HKS_IF_NOT_SUCC_RETURN(ret, ret)
60
61 return CheckProcessNameAndKeyAliasSize(processName->size, keyAlias->size);
62 }
63
HksCheckImportWrappedKeyParams(const struct HksBlob * processName,const struct HksBlob * keyAlias,const struct HksBlob * wrappingKeyAlias,const struct HksParamSet * paramSetIn,const struct HksBlob * wrappedKeyData)64 int32_t HksCheckImportWrappedKeyParams(const struct HksBlob *processName, const struct HksBlob *keyAlias,
65 const struct HksBlob *wrappingKeyAlias, const struct HksParamSet *paramSetIn, const struct HksBlob *wrappedKeyData)
66 {
67 int32_t ret = HksCheckBlob4AndParamSet(processName, keyAlias, wrappingKeyAlias, wrappedKeyData, paramSetIn);
68 HKS_IF_NOT_SUCC_RETURN(ret, ret)
69
70 ret = CheckProcessNameAndKeyAliasSize(processName->size, keyAlias->size);
71 HKS_IF_NOT_SUCC_RETURN(ret, ret)
72
73 return CheckProcessNameAndKeyAliasSize(processName->size, wrappingKeyAlias->size);
74 }
75
HksCheckAllParams(const struct HksBlob * processName,const struct HksBlob * keyAlias,const struct HksParamSet * paramSet,const struct HksBlob * data1,const struct HksBlob * data2)76 int32_t HksCheckAllParams(const struct HksBlob *processName, const struct HksBlob *keyAlias,
77 const struct HksParamSet *paramSet, const struct HksBlob *data1, const struct HksBlob *data2)
78 {
79 int32_t ret = HksCheckBlob4AndParamSet(processName, keyAlias, data1, data2, paramSet);
80 HKS_IF_NOT_SUCC_RETURN(ret, ret)
81
82 return CheckProcessNameAndKeyAliasSize(processName->size, keyAlias->size);
83 }
84
HksCheckServiceInitParams(const struct HksBlob * processName,const struct HksBlob * keyAlias,const struct HksParamSet * paramSet)85 int32_t HksCheckServiceInitParams(const struct HksBlob *processName, const struct HksBlob *keyAlias,
86 const struct HksParamSet *paramSet)
87 {
88 int32_t ret = HksCheckBlob2AndParamSet(processName, keyAlias, paramSet);
89 HKS_IF_NOT_SUCC_RETURN(ret, ret)
90
91 return CheckProcessNameAndKeyAliasSize(processName->size, keyAlias->size);
92 }
93
HksCheckGetKeyParamSetParams(const struct HksBlob * processName,const struct HksBlob * keyAlias,const struct HksParamSet * paramSet)94 int32_t HksCheckGetKeyParamSetParams(const struct HksBlob *processName, const struct HksBlob *keyAlias,
95 const struct HksParamSet *paramSet)
96 {
97 HKS_IF_NOT_SUCC_RETURN(HksCheckProcessNameAndKeyAlias(processName, keyAlias), HKS_ERROR_INVALID_ARGUMENT)
98
99 if ((paramSet == NULL) || (paramSet->paramSetSize == 0)) {
100 HKS_LOG_E("invalid paramSet");
101 return HKS_ERROR_INVALID_ARGUMENT;
102 }
103
104 return HKS_SUCCESS;
105 }
106
HksCheckExportPublicKeyParams(const struct HksBlob * processName,const struct HksBlob * keyAlias,const struct HksBlob * key)107 int32_t HksCheckExportPublicKeyParams(const struct HksBlob *processName, const struct HksBlob *keyAlias,
108 const struct HksBlob *key)
109 {
110 HKS_IF_NOT_SUCC_RETURN(HksCheckBlob3(processName, keyAlias, key), HKS_ERROR_INVALID_ARGUMENT)
111
112 return CheckProcessNameAndKeyAliasSize(processName->size, keyAlias->size);
113 }
114
HksCheckDeriveKeyParams(const struct HksBlob * processName,const struct HksParamSet * paramSet,const struct HksBlob * mainKey,const struct HksBlob * derivedKey)115 int32_t HksCheckDeriveKeyParams(const struct HksBlob *processName, const struct HksParamSet *paramSet,
116 const struct HksBlob *mainKey, const struct HksBlob *derivedKey)
117 {
118 return HksCheckGenAndImportKeyParams(processName, mainKey, paramSet, derivedKey);
119 }
120
HksCheckGetKeyInfoListParams(const struct HksBlob * processName,const struct HksKeyInfo * keyInfoList,const uint32_t * listCount)121 int32_t HksCheckGetKeyInfoListParams(const struct HksBlob *processName, const struct HksKeyInfo *keyInfoList,
122 const uint32_t *listCount)
123 {
124 HKS_IF_NOT_SUCC_LOGE_RETURN(CheckBlob(processName), HKS_ERROR_INVALID_ARGUMENT, "invalid processName")
125
126 if (processName->size > HKS_MAX_PROCESS_NAME_LEN) {
127 HKS_LOG_E("processName size too long, size %" LOG_PUBLIC "u", processName->size);
128 return HKS_ERROR_INVALID_ARGUMENT;
129 }
130
131 if ((keyInfoList == NULL) || (listCount == NULL)) {
132 HKS_LOG_E("keyInfoList or listCount null.");
133 return HKS_ERROR_INVALID_ARGUMENT;
134 }
135
136 for (uint32_t i = 0; i < *listCount; ++i) {
137 if ((CheckBlob(&(keyInfoList[i].alias)) != HKS_SUCCESS) ||
138 (keyInfoList[i].paramSet == NULL) || (keyInfoList[i].paramSet->paramSetSize == 0)) {
139 return HKS_ERROR_INVALID_ARGUMENT;
140 }
141 }
142
143 return HKS_SUCCESS;
144 }
145 #endif /* _CUT_AUTHENTICATE_ */
146
HksCheckGenerateRandomParams(const struct HksBlob * processName,const struct HksBlob * random)147 int32_t HksCheckGenerateRandomParams(const struct HksBlob *processName, const struct HksBlob *random)
148 {
149 HKS_IF_NOT_SUCC_RETURN(HksCheckBlob2(processName, random), HKS_ERROR_INVALID_ARGUMENT)
150
151 if (processName->size > HKS_MAX_PROCESS_NAME_LEN) {
152 HKS_LOG_E("processName size too long, size %" LOG_PUBLIC "u.", processName->size);
153 return HKS_ERROR_INVALID_ARGUMENT;
154 }
155
156 if (random->size > HKS_MAX_RANDOM_LEN) {
157 HKS_LOG_E("random size too long, size %" LOG_PUBLIC "u.", random->size);
158 return HKS_ERROR_INVALID_ARGUMENT;
159 }
160
161 return HKS_SUCCESS;
162 }
163
164 #ifdef HKS_SUPPORT_API_ATTEST_KEY
HksCheckAttestKeyParams(const struct HksBlob * processName,const struct HksBlob * keyAlias,const struct HksParamSet * paramSet,struct HksBlob * certChain)165 int32_t HksCheckAttestKeyParams(const struct HksBlob *processName, const struct HksBlob *keyAlias,
166 const struct HksParamSet *paramSet, struct HksBlob *certChain)
167 {
168 return HksCheckGenAndImportKeyParams(processName, keyAlias, paramSet, certChain);
169 }
170 #endif
171
172 #ifdef HKS_SUPPORT_USER_AUTH_ACCESS_CONTROL
CheckAuthAccessLevel(const struct HksParamSet * paramSet)173 static int32_t CheckAuthAccessLevel(const struct HksParamSet *paramSet)
174 {
175 struct HksParam *authAccess = NULL;
176 int32_t ret = HksGetParam(paramSet, HKS_TAG_KEY_AUTH_ACCESS_TYPE, &authAccess);
177 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, HKS_ERROR_CHECK_GET_ACCESS_TYPE_FAILED, "get auth access type fail")
178
179 if (authAccess->uint32Param < HKS_AUTH_ACCESS_INVALID_CLEAR_PASSWORD) {
180 HKS_LOG_E("auth access level is too low");
181 return HKS_ERROR_INVALID_ARGUMENT;
182 }
183 return HKS_SUCCESS;
184 }
185
CheckUserAuthParamsValidity(const struct HksParamSet * paramSet,uint32_t userAuthType,uint32_t authAccessType,uint32_t challengeType)186 static int32_t CheckUserAuthParamsValidity(const struct HksParamSet *paramSet, uint32_t userAuthType,
187 uint32_t authAccessType, uint32_t challengeType)
188 {
189 int32_t ret = HksCheckUserAuthParams(userAuthType, authAccessType, challengeType);
190 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "check user auth params failed")
191
192 if (challengeType == HKS_CHALLENGE_TYPE_NONE) {
193 struct HksParam *authTimeout = NULL;
194 ret = HksGetParam(paramSet, HKS_TAG_AUTH_TIMEOUT, &authTimeout);
195 if (ret == HKS_SUCCESS) {
196 if (authTimeout->uint32Param > MAX_AUTH_TIMEOUT_SECOND || authTimeout->uint32Param == 0) {
197 HKS_LOG_E("invalid auth timeout param");
198 return HKS_ERROR_INVALID_TIME_OUT;
199 }
200 }
201 }
202
203 struct HksParam *secureSignType = NULL;
204 ret = HksGetParam(paramSet, HKS_TAG_KEY_SECURE_SIGN_TYPE, &secureSignType);
205 if (ret == HKS_SUCCESS) {
206 ret = HksCheckSecureSignParams(secureSignType->uint32Param);
207 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, HKS_ERROR_INVALID_SECURE_SIGN_TYPE, "secure sign type is invalid")
208
209 /* secure sign ability only support sign-purpose algorithm */
210 struct HksParam *purposeParam = NULL;
211 ret = HksGetParam(paramSet, HKS_TAG_PURPOSE, &purposeParam);
212 if (ret != HKS_SUCCESS || (purposeParam->uint32Param & HKS_KEY_PURPOSE_SIGN) == 0) {
213 HKS_LOG_E("secure sign tag only support sign-purpose alg");
214 return HKS_ERROR_INVALID_ARGUMENT;
215 }
216 ret = CheckAuthAccessLevel(paramSet);
217 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, HKS_ERROR_INVALID_ARGUMENT, "check auth access level fail")
218 }
219
220 return HKS_SUCCESS;
221 }
222 #endif
223
HksCheckAndGetUserAuthInfo(const struct HksParamSet * paramSet,uint32_t * userAuthType,uint32_t * authAccessType)224 int32_t HksCheckAndGetUserAuthInfo(const struct HksParamSet *paramSet, uint32_t *userAuthType,
225 uint32_t *authAccessType)
226 {
227 #ifdef HKS_SUPPORT_USER_AUTH_ACCESS_CONTROL
228 HKS_IF_NULL_LOGE_RETURN(paramSet, HKS_ERROR_NOT_SUPPORTED, "null init paramSet: not support user auth!")
229
230 struct HksParam *noRequireAuth = NULL;
231 int32_t ret = HksGetParam(paramSet, HKS_TAG_NO_AUTH_REQUIRED, &noRequireAuth);
232 if (ret == HKS_SUCCESS && noRequireAuth->boolParam == true) {
233 HKS_LOG_I("no require auth=true");
234 return HKS_ERROR_NOT_SUPPORTED;
235 }
236
237 struct HksParam *userAuthTypeParam = NULL;
238 ret = HksGetParam(paramSet, HKS_TAG_USER_AUTH_TYPE, &userAuthTypeParam);
239 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, HKS_ERROR_NOT_SUPPORTED, "no user auth type param: not support user auth!")
240
241 struct HksParam *accessTypeParam = NULL;
242 ret = HksGetParam(paramSet, HKS_TAG_KEY_AUTH_ACCESS_TYPE, &accessTypeParam);
243 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, HKS_ERROR_CHECK_GET_ACCESS_TYPE_FAILED, "get auth access type param failed")
244
245 struct HksParam *challengeTypeParam = NULL;
246 ret = HksGetParam(paramSet, HKS_TAG_CHALLENGE_TYPE, &challengeTypeParam);
247 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, HKS_ERROR_CHECK_GET_CHALLENGE_TYPE_FAILED, "get challenge type param failed")
248
249 ret = CheckUserAuthParamsValidity(paramSet, userAuthTypeParam->uint32Param, accessTypeParam->uint32Param,
250 challengeTypeParam->uint32Param);
251 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "check user auth params validity failed")
252
253 *userAuthType = userAuthTypeParam->uint32Param;
254 *authAccessType = accessTypeParam->uint32Param;
255 return HKS_SUCCESS;
256 #else
257 (void)paramSet;
258 (void)userAuthType;
259 (void)authAccessType;
260 return HKS_SUCCESS;
261 #endif
262 }
263
HksCheckIsAllowedWrap(const struct HksParamSet * paramSet)264 bool HksCheckIsAllowedWrap(const struct HksParamSet *paramSet)
265 {
266 struct HksParam *isAllowedWrap = NULL;
267 int32_t ret = HksGetParam(paramSet, HKS_TAG_IS_ALLOWED_WRAP, &isAllowedWrap);
268 if (ret == HKS_SUCCESS) {
269 return isAllowedWrap->boolParam;
270 }
271 return false;
272 }
273
HksCheckUserAuthKeyPurposeValidity(const struct HksParamSet * paramSet)274 int32_t HksCheckUserAuthKeyPurposeValidity(const struct HksParamSet *paramSet)
275 {
276 #ifdef HKS_SUPPORT_USER_AUTH_ACCESS_CONTROL
277 HKS_IF_NULL_LOGE_RETURN(paramSet, HKS_ERROR_NULL_POINTER, "paramSet is null!")
278
279 // step 1. Judge whether the allowed wrap param is true.
280 if (HksCheckIsAllowedWrap(paramSet)) {
281 HKS_LOG_E("key with access control isn't allowed wrap!");
282 return HKS_ERROR_INVALID_ARGUMENT;
283 }
284
285 // step 2. Judge whether the user auth key purpose is set.
286 struct HksParam *userAuthKeyPurposeParam = NULL;
287 int32_t ret = HksGetParam(paramSet, HKS_TAG_KEY_AUTH_PURPOSE, &userAuthKeyPurposeParam);
288 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, HKS_SUCCESS, "not set key auth purpose: default need user auth access control!")
289
290 // step 3. Judge whether the user auth key purpose is within the range of alogrithm key purpose.
291 struct HksParam *keyPurposeParam = NULL;
292 ret = HksGetParam(paramSet, HKS_TAG_PURPOSE, &keyPurposeParam);
293 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "get key purpose param failed!")
294
295 uint32_t keyPurpose = keyPurposeParam->uint32Param;
296 if ((userAuthKeyPurposeParam->uint32Param == 0) ||
297 (userAuthKeyPurposeParam->uint32Param | keyPurpose) != keyPurpose) {
298 HKS_LOG_E("key auth purpose is invalid!");
299 return HKS_ERROR_INVALID_PURPOSE;
300 }
301
302 // step 4. Judge the validify of symmetric and asymmetric algorithm settings for purpose.
303 ret = HksCheckUserAuthKeyInfoValidity(paramSet);
304 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "HksCheckUserAuthKeyInfoValidity failed!")
305
306 return HKS_SUCCESS;
307 #else
308 (void)paramSet;
309 return HKS_SUCCESS;
310 #endif
311 }
312
HksCheckListAliasesParam(const struct HksBlob * processName)313 int32_t HksCheckListAliasesParam(const struct HksBlob *processName)
314 {
315 HKS_IF_NOT_SUCC_LOGE_RETURN(CheckBlob(processName), HKS_ERROR_INVALID_ARGUMENT, "invalid processName");
316
317 if (processName->size > HKS_MAX_PROCESS_NAME_LEN) {
318 HKS_LOG_E("processName size too long, size %" LOG_PUBLIC "u", processName->size);
319 return HKS_ERROR_INVALID_ARGUMENT;
320 }
321 return HKS_SUCCESS;
322 }
323
HKsCheckOldKeyAliasDiffNewKeyAlias(const struct HksBlob * oldKeyAlias,const struct HksBlob * newKeyAlias)324 int32_t HKsCheckOldKeyAliasDiffNewKeyAlias(const struct HksBlob *oldKeyAlias,
325 const struct HksBlob *newKeyAlias)
326 {
327 if (oldKeyAlias == NULL || newKeyAlias == NULL) {
328 HKS_LOG_E("oldKeyAlias or newKeyAlias is null !");
329 return HKS_ERROR_INVALID_ARGUMENT;
330 }
331 if ((oldKeyAlias->size == newKeyAlias->size) &&
332 (HksMemCmp(oldKeyAlias->data, newKeyAlias->data, oldKeyAlias->size) == 0)) {
333 HKS_LOG_E("oldKeyAlias same as newKeyAlias !");
334 return HKS_ERROR_ALREADY_EXISTS;
335 }
336 return HKS_SUCCESS;
337 }
338
HksCheckOldKeyExist(const struct HksProcessInfo * processInfo,const struct HksBlob * oldKeyAlias,const struct HksParamSet * paramSet)339 int32_t HksCheckOldKeyExist(const struct HksProcessInfo *processInfo, const struct HksBlob *oldKeyAlias,
340 const struct HksParamSet *paramSet)
341 {
342 int32_t ret = HksCheckProcessNameAndKeyAlias(&processInfo->processName, oldKeyAlias);
343 HKS_IF_NOT_SUCC_RETURN(ret, ret);
344
345 ret = HksManageStoreIsKeyBlobExist(processInfo, paramSet, oldKeyAlias, HKS_STORAGE_TYPE_KEY);
346 if (ret == HKS_ERROR_NOT_EXIST) {
347 HKS_LOG_E("the oldKey not exist!");
348 }
349 return ret;
350 }
351
HksCheckNewKeyNotExist(const struct HksProcessInfo * processInfo,const struct HksBlob * newKeyAlias,const struct HksParamSet * paramSet)352 int32_t HksCheckNewKeyNotExist(const struct HksProcessInfo *processInfo, const struct HksBlob *newKeyAlias,
353 const struct HksParamSet *paramSet)
354 {
355 int32_t ret = HksCheckProcessNameAndKeyAlias(&processInfo->processName, newKeyAlias);
356 HKS_IF_NOT_SUCC_RETURN(ret, ret);
357
358 ret = HksManageStoreIsKeyBlobExist(processInfo, paramSet, newKeyAlias, HKS_STORAGE_TYPE_KEY);
359 if (ret == HKS_SUCCESS) {
360 HKS_LOG_E("the newKey is already exist!");
361 return HKS_ERROR_ALREADY_EXISTS;
362 }
363 if (ret == HKS_ERROR_NOT_EXIST) {
364 HKS_LOG_I("the newKey is not exist!");
365 return HKS_SUCCESS;
366 }
367 return ret;
368 }
369
370 #ifdef L2_STANDARD
HksCheckProcessInConfigList(const struct HksBlob * processName)371 int32_t HksCheckProcessInConfigList(const struct HksBlob *processName)
372 {
373 uint32_t uid = 0;
374 if (memcpy_s(&uid, sizeof(uid), processName->data, processName->size) != EOK) {
375 HKS_LOG_E("illegal uid, please check your process name");
376 return HKS_ERROR_NO_PERMISSION;
377 }
378
379 for (uint32_t i = 0; i < HKS_ARRAY_SIZE(CHANGE_STORAGE_LEVEL_CFG_LIST); ++i) {
380 if (uid == CHANGE_STORAGE_LEVEL_CFG_LIST[i]) {
381 HKS_LOG_I("%" LOG_PUBLIC "u could change storage level", uid);
382 return HKS_SUCCESS;
383 }
384 }
385 HKS_LOG_E("%" LOG_PUBLIC "u don't have permission to change storage level", uid);
386 return HKS_ERROR_NO_PERMISSION;
387 }
388
HksCheckChangeStorageLevelParams(const struct HksBlob * processName,const struct HksBlob * keyAlias,const struct HksParamSet * srcParamSet,const struct HksParamSet * destParamSet)389 int32_t HksCheckChangeStorageLevelParams(const struct HksBlob *processName, const struct HksBlob *keyAlias,
390 const struct HksParamSet *srcParamSet, const struct HksParamSet *destParamSet)
391 {
392 // step 1. common check
393 int32_t ret = HksCheckBlob2AndParamSet2(processName, keyAlias, srcParamSet, destParamSet);
394 HKS_IF_NOT_SUCC_RETURN(ret, ret)
395
396 ret = CheckProcessNameAndKeyAliasSize(processName->size, keyAlias->size);
397 HKS_IF_NOT_SUCC_RETURN(ret, ret)
398
399 // step 2. Judge whether storage level is expected, currently only support d->c
400 struct HksParam *srcStorageLevelParam = NULL;
401 ret = HksGetParam(srcParamSet, HKS_TAG_AUTH_STORAGE_LEVEL, &srcStorageLevelParam);
402 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "srcParamSet not set storage level!")
403
404 if (srcStorageLevelParam->uint32Param != HKS_AUTH_STORAGE_LEVEL_DE) {
405 HKS_LOG_E("storage level in srcParamSet must be DE");
406 return HKS_ERROR_NOT_SUPPORTED;
407 }
408
409 struct HksParam *destStorageLevelParam = NULL;
410 ret = HksGetParam(destParamSet, HKS_TAG_AUTH_STORAGE_LEVEL, &destStorageLevelParam);
411 HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "destParamSet not set storage level!")
412
413 if (destStorageLevelParam->uint32Param != HKS_AUTH_STORAGE_LEVEL_CE) {
414 HKS_LOG_E("storage level in destParamSet must be CE");
415 return HKS_ERROR_NOT_SUPPORTED;
416 }
417 return HKS_SUCCESS;
418 }
419 #endif