1 /*
2 * Copyright (c) 2020-2022 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "huks_adapter.h"
17 #include <stdio.h>
18 #include "securec.h"
19 #include "commonutil_test.h"
20 #include "hks_api.h"
21 #include "hks_param.h"
22 #include "log.h"
23 #include "mem_stat.h"
24
25 #define X25519_KEY_LEN 256
26 #define ED25519_KEY_LEN 256
27 #define X25519_KEY_PARAM_SET_SIZE 128 /* priv key size: 32, pub key size: 32, add two tag, no larger than 128 */
28 #define DEFAULT_PARAM_SET_OUT_SIZE 1024
29 #define HC_PARAM_CHAIN_LEN 255
30 #define HC_PARAM_KEY_LEN 256
31 #define BITS_PER_BYTE 8
32 #define HC_CCM_NONCE_LEN 7
33 #define PLAIN_LENGTH 64
34
35 #if (defined(_SUPPORT_SEC_CLONE_) || defined(_SUPPORT_SEC_CLONE_SERVER_))
36 static const uint8_t g_factor[] = "hichain_key_enc_key";
37 static const int32_t g_cert_chain_cnt = 4;
38 #endif
39
40 union huks_key_type_union {
41 struct huks_key_type type_struct;
42 uint32_t key_type;
43 };
44
45 #define CREATE_STRUCT(T) \
46 struct T *create_struct_##T(void) \
47 { \
48 struct T *val = (struct T *)MALLOC(sizeof(struct T)); \
49 if (val == NULL) { \
50 return NULL; \
51 } \
52 (void)memset_s(val, sizeof(*val), 0, sizeof(*val)); \
53 return val; \
54 }
55
56 #define CONVERT_TO_BLOB(T, field_name) \
57 struct HksBlob convert_to_blob_from_##T(struct T *val) \
58 { \
59 struct HksBlob hks_blob_val; \
60 (void)memset_s(&hks_blob_val, sizeof(hks_blob_val), 0, sizeof(hks_blob_val)); \
61 check_ptr_return_val(val->field_name, hks_blob_val); \
62 check_num_return_val(val->length, hks_blob_val); \
63 hks_blob_val.data = val->field_name; \
64 hks_blob_val.size = val->length; \
65 return hks_blob_val; \
66 }
67
68 CREATE_STRUCT(hc_key_alias)
69 CREATE_STRUCT(sha256_value)
70 CREATE_STRUCT(uint8_buff)
71
72 CONVERT_TO_BLOB(hc_key_alias, key_alias)
73 CONVERT_TO_BLOB(ltpk, ltpk)
74 CONVERT_TO_BLOB(sha256_value, sha256_value)
75 CONVERT_TO_BLOB(sha512_value, sha512_value)
76 CONVERT_TO_BLOB(signature, signature)
77 CONVERT_TO_BLOB(stpk, stpk)
78 CONVERT_TO_BLOB(stsk, stsk)
79 CONVERT_TO_BLOB(hc_auth_id, auth_id)
80
81 static const uint8_t g_key_type_pairs[HC_MAX_KEY_TYPE_NUM][HC_KEY_TYPE_PAIR_LEN] = {
82 { 0x00, 0x00 }, /* ACCESSOR_PK */
83 { 0x00, 0x01 }, /* CONTROLLER_PK */
84 { 0x00, 0x02 }, /* ed25519 KEYPAIR */
85 { 0x00, 0x03 }, /* KEK, key encryption key, used only by DeviceAuthService */
86 { 0x00, 0x04 }, /* DEK, data encryption key, used only by upper apps */
87 { 0x00, 0x05 }, /* key tmp */
88 { 0x00, 0x06 } /* PSK, preshared key index */
89 };
90
91 static const char *g_large_prime_number_hex_384 =
92 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"\
93 "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"\
94 "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"\
95 "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"\
96 "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"\
97 "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"\
98 "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"\
99 "3995497CEA956AE515D2261898FA051015728E5A8AAAC42DAD33170D04507A33"\
100 "A85521ABDF1CBA64ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7"\
101 "ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6BF12FFA06D98A0864"\
102 "D87602733EC86A64521F2B18177B200CBBE117577A615D6C770988C0BAD946E2"\
103 "08E24FA074E5AB3143DB5BFCE0FD108E4B82D120A93AD2CAFFFFFFFFFFFFFFFF";
104
105 static const char *g_large_prime_number_hex_256 =
106 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"\
107 "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"\
108 "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"\
109 "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"\
110 "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"\
111 "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"\
112 "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"\
113 "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF";
114
hks_hex_string_to_byte(const char * src,uint8_t * dst,uint32_t dst_size)115 static int32_t hks_hex_string_to_byte(const char *src, uint8_t *dst, uint32_t dst_size)
116 {
117 size_t length = strlen(src);
118 if (length % 2 != 0) { /* 2 : odd number or not */
119 LOGE("Invalid hex_string length: %zu, even num is expected", length);
120 return ERROR_CODE_FAILED;
121 }
122
123 uint32_t hex_length = length / BYTE_TO_HEX_OPER_LENGTH; /* Calculate hexadecimal length */
124 if (dst_size < hex_length) {
125 LOGE("Invalid dst_size: %u is smaller than hex_length: %u", dst_size, hex_length);
126 return ERROR_CODE_FAILED;
127 }
128
129 uint8_t nibble[2]; /* create an array of two elements */
130 for (uint32_t i = 0; i < hex_length; i++) {
131 nibble[0] = src[i * BYTE_TO_HEX_OPER_LENGTH];
132 nibble[1] = src[i * BYTE_TO_HEX_OPER_LENGTH + 1];
133 for (uint32_t j = 0; j < BYTE_TO_HEX_OPER_LENGTH; j++) { /* iterate through array */
134 if ((nibble[j] <= 'F') && (nibble[j] >= 'A')) {
135 nibble[j] = nibble[j] - 'A' + 10; /* 10 : hex conversion */
136 } else if ((nibble[j] <= 'f') && (nibble[j] >= 'a')) {
137 nibble[j] = nibble[j] - 'a' + 10; /* 10 : hex conversion */
138 } else if ((nibble[j] >= '0') && (nibble[j] <= '9')) {
139 nibble[j] = nibble[j] - '0';
140 } else {
141 LOGE("Invalid char: [%c] in hex string, [0-9]|[A-F]|[a-f] expected", (char)nibble[j]);
142 return ERROR_CODE_FAILED;
143 }
144 }
145 dst[i] = nibble[0] << 4; /* 4 : shift left for filling */
146 dst[i] |= nibble[1];
147 }
148 return ERROR_CODE_SUCCESS;
149 }
150
construct_param_set(struct HksParamSet ** out,const struct HksParam * in_param,const uint32_t in_param_num)151 static int32_t construct_param_set(struct HksParamSet **out, const struct HksParam *in_param,
152 const uint32_t in_param_num)
153 {
154 struct HksParamSet *param_set = NULL;
155 int32_t status = HksInitParamSet(¶m_set);
156 if (status != ERROR_CODE_SUCCESS) {
157 LOGE("init param set failed, status=%d", status);
158 return ERROR_CODE_INIT_PARAM_SET;
159 }
160
161 status = HksAddParams(param_set, in_param, in_param_num);
162 if (status != ERROR_CODE_SUCCESS) {
163 LOGE("add digest param failed, status=%d", status);
164 HksFreeParamSet(¶m_set);
165 return ERROR_CODE_ADD_PARAM;
166 }
167
168 status = HksBuildParamSet(¶m_set);
169 if (status != ERROR_CODE_SUCCESS) {
170 LOGE("build param set failed, status=%d", status);
171 HksFreeParamSet(¶m_set);
172 return ERROR_CODE_BUILD_PARAM_SET;
173 }
174
175 *out = param_set;
176 return ERROR_CODE_SUCCESS;
177 }
178
sha256(const struct uint8_buff * message)179 static struct sha256_value sha256(const struct uint8_buff *message)
180 {
181 struct sha256_value sha256_value;
182 (void)memset_s(&sha256_value, sizeof(sha256_value), 0, sizeof(sha256_value));
183
184 struct HksBlob src_data = { message->length, message->val };
185
186 struct HksBlob hash = { 0, NULL };
187 hash.data = (uint8_t *)MALLOC(HC_SHA256_LEN * sizeof(uint8_t));
188 if (hash.data == NULL) {
189 LOGE("SHA256 malloc failed");
190 return sha256_value;
191 }
192 hash.size = HC_SHA256_LEN;
193
194 struct HksParamSet *param_set = NULL;
195 struct HksParam digest_param[] = {
196 {
197 .tag = HKS_TAG_DIGEST,
198 .uint32Param = HKS_DIGEST_SHA256
199 }
200 };
201 int32_t status = construct_param_set(¶m_set, digest_param, array_size(digest_param));
202 if (status != ERROR_CODE_SUCCESS) {
203 safe_free(hash.data);
204 LOGE("construct param set in the sha256 failed, status=%d", status);
205 return sha256_value;
206 }
207 status = HksHash(param_set, &src_data, &hash);
208 if ((status == 0) && (hash.size == HC_SHA256_LEN)) {
209 (void)memcpy_s(sha256_value.sha256_value, sizeof(sha256_value.sha256_value), hash.data, HC_SHA256_LEN);
210 sha256_value.length = HC_SHA256_LEN;
211 } else {
212 LOGE("SHA256 failed, status=%d", status);
213 sha256_value.length = 0;
214 }
215 safe_free(hash.data);
216 HksFreeParamSet(¶m_set);
217 return sha256_value;
218 }
219
Compare(const uint8_t * a,uint32_t lenA,const uint8_t * b,uint32_t lenB)220 static int32_t Compare(const uint8_t *a, uint32_t lenA, const uint8_t *b, uint32_t lenB)
221 {
222 const uint8_t *tmpA = a;
223 const uint8_t *tmpB = b;
224 uint32_t len = lenA;
225 if (lenA < lenB) {
226 for (uint32_t i = 0; i < lenB - lenA; i++) {
227 if (b[i] > 0) {
228 return 1; // a < b: 1
229 }
230 }
231 tmpA = a;
232 tmpB = b + lenB - lenA;
233 len = lenA;
234 }
235 if (lenA > lenB) {
236 for (uint32_t i = 0; i < lenA - lenB; i++) {
237 if (a[i] > 0) {
238 return -1; // a > b: -1
239 }
240 }
241 tmpA = a + lenA - lenB;
242 tmpB = b;
243 len = lenB;
244 }
245 for (uint32_t i = 0; i < len; i++) {
246 if (*(tmpA + i) > *(tmpB + i)) {
247 return -1;
248 }
249 if (*(tmpA + i) < *(tmpB + i)) {
250 return 1;
251 }
252 }
253 return 0;
254 }
255
CheckDlSpekePublicKey(const struct var_buffer * key,uint32_t bigNumLen)256 int32_t CheckDlSpekePublicKey(const struct var_buffer *key, uint32_t bigNumLen)
257 {
258 if (key == NULL) {
259 LOGE("Param is null.");
260 return HC_INPUT_PTR_NULL;
261 }
262 const char *primeHex = NULL;
263 if (bigNumLen == HC_BIG_PRIME_MAX_LEN_384) {
264 primeHex = g_large_prime_number_hex_384;
265 } else {
266 primeHex = g_large_prime_number_hex_256;
267 }
268 uint8_t min = 1;
269 uint32_t primeLen = strlen(primeHex) / BYTE_TO_HEX_OPER_LENGTH;
270 if (key->length > primeLen) {
271 LOGE("key->length > primeLen.");
272 return HC_INPUT_ERROR;
273 }
274 uint8_t *primeVal = (uint8_t *)MALLOC(primeLen);
275 if (primeVal == NULL) {
276 LOGE("Malloc primeVal failed.");
277 return HC_MALLOC_FAILED;
278 }
279 if (hex_string_to_byte(primeHex, strlen(primeHex), primeVal) != ERROR_CODE_SUCCESS) {
280 LOGE("hex_string_to_byte for prime num failed");
281 FREE(primeVal);
282 return HC_INPUT_ERROR;
283 }
284 /*
285 * P - 1, since the last byte of large prime number must be greater than 1,
286 * do not need to think about borrowing forward
287 */
288 primeVal[primeLen - 1] -= 1;
289 if (Compare(key->data, key->length, &min, sizeof(uint8_t)) >= 0) {
290 LOGE("key <= 1, invalid.");
291 FREE(primeVal);
292 return HC_MEMCPY_ERROR;
293 }
294 if (Compare(key->data, key->length, primeVal, primeLen) <= 0) {
295 LOGE("key >= p - 1, invalid.");
296 FREE(primeVal);
297 return HC_MEMCPY_ERROR;
298 }
299 FREE(primeVal);
300 return HC_OK;
301 }
302
cal_bignum_exp(struct var_buffer * base,struct var_buffer * exp,const uint32_t big_num_len,struct big_num * out_result)303 int32_t cal_bignum_exp(struct var_buffer *base, struct var_buffer *exp,
304 const uint32_t big_num_len, struct big_num *out_result)
305 {
306 check_ptr_return_val(base, HC_INPUT_ERROR);
307 check_ptr_return_val(exp, HC_INPUT_ERROR);
308 check_ptr_return_val(out_result, HC_INPUT_ERROR);
309
310 if ((big_num_len != HC_BIG_PRIME_MAX_LEN_384) && (big_num_len != HC_BIG_PRIME_MAX_LEN_256)) {
311 LOGE("Not support big number len %d", big_num_len);
312 return HC_LARGE_PRIME_NUMBER_LEN_UNSUPPORT;
313 }
314
315 struct HksBlob big_num_a = { base->length, base->data };
316 struct HksBlob big_num_e = { exp->length, exp->data };
317
318 uint8_t *large_num = (uint8_t *)MALLOC(big_num_len);
319 if (large_num == NULL) {
320 LOGE("Malloc big num buff fail");
321 return ERROR_CODE_FAILED;
322 }
323
324 (void)memset_s(large_num, big_num_len, 0, big_num_len);
325 int32_t status;
326
327 if (big_num_len == HC_BIG_PRIME_MAX_LEN_384) {
328 status = hks_hex_string_to_byte(g_large_prime_number_hex_384, large_num, big_num_len);
329 } else {
330 status = hks_hex_string_to_byte(g_large_prime_number_hex_256, large_num, big_num_len);
331 }
332 if (status != ERROR_CODE_SUCCESS) {
333 FREE(large_num);
334 return ERROR_CODE_FAILED;
335 }
336
337 struct HksBlob big_num_n = { big_num_len, large_num };
338 struct HksBlob big_num_x = { big_num_len, out_result->big_num };
339 if (big_num_len > sizeof(out_result->big_num)) {
340 LOGE("The big num array is shorter than the expected output len.");
341 FREE(large_num);
342 return ERROR_CODE_FAILED;
343 }
344
345 status = HksBnExpMod(&big_num_x, &big_num_a, &big_num_e, &big_num_n);
346 FREE(large_num);
347 if (status != ERROR_CODE_SUCCESS) {
348 LOGE("Huks bn exp mod error, status=%d", status);
349 return ERROR_CODE_FAILED;
350 }
351 out_result->length = big_num_x.size;
352
353 return ERROR_CODE_SUCCESS;
354 }
355
generate_random(uint32_t length)356 struct random_value generate_random(uint32_t length)
357 {
358 struct random_value rand;
359 (void)memset_s(&rand, sizeof(rand), 0, sizeof(rand));
360 if ((length == 0) || (length > HC_RAMDOM_MAX_LEN)) {
361 LOGE("Generate random failed, invalid param length: %d", length);
362 return rand;
363 }
364 rand.length = length;
365 (void)memset_s(rand.random_value, HC_RAMDOM_MAX_LEN, 1, HC_RAMDOM_MAX_LEN);
366 return rand;
367 }
368
compute_hmac(struct var_buffer * key,const struct uint8_buff * message,struct hmac * out_hmac)369 int32_t compute_hmac(struct var_buffer *key, const struct uint8_buff *message, struct hmac *out_hmac)
370 {
371 check_ptr_return_val(key, HC_INPUT_ERROR);
372 check_ptr_return_val(message, HC_INPUT_ERROR);
373 check_ptr_return_val(out_hmac, HC_INPUT_ERROR);
374
375 struct HksBlob hks_key = { key->length, key->data };
376 struct HksBlob src_data = { message->length, message->val };
377 struct HksBlob output = { HC_HMAC_LEN, out_hmac->hmac };
378 struct HksParamSet *param_set = NULL;
379
380 struct HksParam hmac_param[] = {
381 {
382 .tag = HKS_TAG_PURPOSE,
383 .uint32Param = HKS_KEY_PURPOSE_MAC
384 }, {
385 .tag = HKS_TAG_DIGEST,
386 .uint32Param = HKS_DIGEST_SHA256
387 }, {
388 .tag = HKS_TAG_IS_KEY_ALIAS, /* temporary key, is_key_alias is set to false determined using REE for MAC */
389 .boolParam = false
390 }
391 };
392 int32_t status = construct_param_set(¶m_set, hmac_param, array_size(hmac_param));
393 if (status != ERROR_CODE_SUCCESS) {
394 LOGE("construct HMAC param set failed, status=%d", status);
395 return ERROR_CODE_BUILD_PARAM_SET;
396 }
397
398 /* make hmac */
399 status = HksMac(&hks_key, param_set, &src_data, &output);
400 if (status != ERROR_CODE_SUCCESS) {
401 LOGE("Huks hmac failed, status: %d", status);
402 HksFreeParamSet(¶m_set);
403 return ERROR_CODE_FAILED;
404 }
405 out_hmac->length = output.size;
406 HksFreeParamSet(¶m_set);
407
408 return ERROR_CODE_SUCCESS;
409 }
410
compute_hkdf(struct var_buffer * shared_secret,struct hc_salt * salt,char * key_info,uint32_t hkdf_len,struct var_buffer * out_hkdf)411 int32_t compute_hkdf(struct var_buffer *shared_secret, struct hc_salt *salt,
412 char *key_info, uint32_t hkdf_len, struct var_buffer *out_hkdf)
413 {
414 check_ptr_return_val(shared_secret, HC_INPUT_ERROR);
415 check_ptr_return_val(salt, HC_INPUT_ERROR);
416 check_ptr_return_val(out_hkdf, HC_INPUT_ERROR);
417 check_ptr_return_val(key_info, HC_INPUT_ERROR);
418
419 struct HksBlob derived_key = { hkdf_len, out_hkdf->data };
420 struct HksBlob hks_salt = { salt->length, salt->salt };
421 struct HksBlob hks_key_info = { (uint32_t)strlen(key_info), (uint8_t *)key_info };
422
423 /* original key */
424 struct HksBlob kdf_key = { shared_secret->length, shared_secret->data };
425
426 /* derived key param */
427 struct HksParamSet *param_set = NULL;
428 struct HksParam hkdf_param[] = {
429 {
430 .tag = HKS_TAG_PURPOSE,
431 .uint32Param = HKS_KEY_PURPOSE_DERIVE
432 }, {
433 .tag = HKS_TAG_ALGORITHM,
434 .uint32Param = HKS_ALG_HKDF
435 }, {
436 .tag = HKS_TAG_DIGEST,
437 .uint32Param = HKS_DIGEST_SHA256
438 }, {
439 .tag = HKS_TAG_SALT,
440 .blob = hks_salt
441 }, {
442 .tag = HKS_TAG_INFO,
443 .blob = hks_key_info
444 }, {
445 .tag = HKS_TAG_IS_KEY_ALIAS,
446 .boolParam = false
447 }
448 };
449 int32_t status = construct_param_set(¶m_set, hkdf_param, array_size(hkdf_param));
450 if (status != ERROR_CODE_SUCCESS) {
451 LOGE("construct hkdf param set failed, status=%d", status);
452 return ERROR_CODE_BUILD_PARAM_SET;
453 }
454
455 /* make hkdf */
456 status = HksDeriveKey(param_set, &kdf_key, &derived_key);
457 if (status != ERROR_CODE_SUCCESS) {
458 LOGE("Huks key derivation failed, status: %d", status);
459 HksFreeParamSet(¶m_set);
460 return ERROR_CODE_FAILED;
461 }
462 out_hkdf->length = derived_key.size;
463
464 HksFreeParamSet(¶m_set);
465 return ERROR_CODE_SUCCESS;
466 }
467
init_aes_gcm_encrypt_param_set(struct HksParamSet ** param_set,struct random_value * nonce,struct aes_aad * aad,uint32_t key_byte_size)468 static int32_t init_aes_gcm_encrypt_param_set(struct HksParamSet **param_set,
469 struct random_value *nonce, struct aes_aad *aad, uint32_t key_byte_size)
470 {
471 struct HksParam encrypt_param[] = {
472 {
473 .tag = HKS_TAG_PURPOSE,
474 .uint32Param = HKS_KEY_PURPOSE_ENCRYPT
475 }, {
476 .tag = HKS_TAG_ALGORITHM,
477 .uint32Param = HKS_ALG_AES
478 }, {
479 .tag = HKS_TAG_BLOCK_MODE,
480 .uint32Param = HKS_MODE_GCM
481 }, {
482 .tag = HKS_TAG_PADDING,
483 .uint32Param = HKS_PADDING_NONE
484 }, {
485 .tag = HKS_TAG_NONCE,
486 .blob = { nonce->length, nonce->random_value }
487 }, {
488 .tag = HKS_TAG_ASSOCIATED_DATA,
489 .blob = { aad->length, aad->aad }
490 }, {
491 .tag = HKS_TAG_IS_KEY_ALIAS,
492 .boolParam = false
493 }, {
494 .tag = HKS_TAG_KEY_SIZE,
495 .uint32Param = key_byte_size * BITS_PER_BYTE
496 }
497 };
498
499 return construct_param_set(param_set, encrypt_param, array_size(encrypt_param));
500 }
501
aes_gcm_encrypt(struct var_buffer * key,const struct uint8_buff * plain,struct aes_aad * aad,struct uint8_buff * out_cipher)502 int32_t aes_gcm_encrypt(struct var_buffer *key, const struct uint8_buff *plain,
503 struct aes_aad *aad, struct uint8_buff *out_cipher)
504 {
505 check_ptr_return_val(key, HC_INPUT_ERROR);
506 check_ptr_return_val(plain, HC_INPUT_ERROR);
507 check_ptr_return_val(aad, HC_INPUT_ERROR);
508 check_ptr_return_val(out_cipher, HC_INPUT_ERROR);
509 struct random_value nonce = generate_random(HC_AES_GCM_NONCE_LEN);
510 if (nonce.length == 0) {
511 LOGE("Generate random to make nonce failed");
512 return HC_GEN_RANDOM_FAILED;
513 }
514
515 struct HksBlob hks_key = { key->length, key->data };
516 struct HksBlob hks_plain_text = { plain->length, plain->val };
517
518 if (memcpy_s(out_cipher->val, out_cipher->size, nonce.random_value, nonce.length) != EOK) {
519 LOGE("memcpy nonce fail");
520 return ERROR_CODE_FAILED;
521 }
522
523 struct HksBlob tag_cipher = { out_cipher->size - nonce.length, out_cipher->val + nonce.length };
524 struct HksParamSet *param_set = NULL;
525 int32_t status = init_aes_gcm_encrypt_param_set(¶m_set, &nonce, aad, hks_key.size);
526 if (status != ERROR_CODE_SUCCESS) {
527 LOGE("init encrypt param set failed, status=%d", status);
528 return ERROR_CODE_BUILD_PARAM_SET;
529 }
530
531 status = HksEncrypt(&hks_key, param_set, &hks_plain_text, &tag_cipher);
532 if (status != ERROR_CODE_SUCCESS) {
533 LOGE("Huks aead encrypt error, status: %d", status);
534 HksFreeParamSet(¶m_set);
535 return ERROR_CODE_FAILED;
536 }
537
538 out_cipher->length = tag_cipher.size + nonce.length;
539 HksFreeParamSet(¶m_set);
540 return ERROR_CODE_SUCCESS;
541 }
542
init_aes_gcm_decrypt_param_set(struct HksParamSet ** param_set,const struct uint8_buff * cipher,struct aes_aad * aad,uint32_t key_byte_size)543 static int32_t init_aes_gcm_decrypt_param_set(struct HksParamSet **param_set,
544 const struct uint8_buff *cipher, struct aes_aad *aad, uint32_t key_byte_size)
545 {
546 struct HksParam decrypt_param[] = {
547 {
548 .tag = HKS_TAG_PURPOSE,
549 .uint32Param = HKS_KEY_PURPOSE_DECRYPT
550 }, {
551 .tag = HKS_TAG_ALGORITHM,
552 .uint32Param = HKS_ALG_AES
553 }, {
554 .tag = HKS_TAG_BLOCK_MODE,
555 .uint32Param = HKS_MODE_GCM
556 }, {
557 .tag = HKS_TAG_PADDING,
558 .uint32Param = HKS_PADDING_NONE
559 }, {
560 .tag = HKS_TAG_NONCE,
561 .blob = { HC_AES_GCM_NONCE_LEN, cipher->val }
562 }, {
563 .tag = HKS_TAG_ASSOCIATED_DATA,
564 .blob = { aad->length, aad->aad }
565 }, {
566 .tag = HKS_TAG_IS_KEY_ALIAS,
567 .boolParam = false
568 }, {
569 .tag = HKS_TAG_KEY_SIZE,
570 .uint32Param = key_byte_size * BITS_PER_BYTE
571 }
572 };
573
574 return construct_param_set(param_set, decrypt_param, array_size(decrypt_param));
575 }
576
577 /*
578 * aes_gcm_decrypt_mock
579 */
aes_gcm_decrypt(struct var_buffer * key,const struct uint8_buff * cipher,struct aes_aad * aad,struct uint8_buff * out_plain)580 int32_t aes_gcm_decrypt(struct var_buffer *key, const struct uint8_buff *cipher,
581 struct aes_aad *aad, struct uint8_buff *out_plain)
582 {
583 check_ptr_return_val(key, HC_INPUT_ERROR);
584 check_ptr_return_val(cipher, HC_INPUT_ERROR);
585 check_ptr_return_val(aad, HC_INPUT_ERROR);
586 check_ptr_return_val(out_plain, HC_INPUT_ERROR);
587
588 if (cipher->length < HC_AES_GCM_NONCE_LEN) {
589 LOGE("Cipher length is short than nonce max length");
590 }
591
592 struct HksBlob hks_key = { key->length, key->data };
593 struct HksBlob nonce_blob = { HC_AES_GCM_NONCE_LEN, cipher->val };
594 struct HksBlob cipher_text_with_tag = { cipher->length - nonce_blob.size, cipher->val + nonce_blob.size };
595 struct HksBlob plain_text = { 0, NULL };
596
597 plain_text.data = (uint8_t *)MALLOC(cipher_text_with_tag.size - HKS_AE_TAG_LEN);
598 check_ptr_return_val(plain_text.data, ERROR_CODE_FAILED);
599 plain_text.size = cipher_text_with_tag.size - HKS_AE_TAG_LEN;
600
601 struct HksParamSet *param_set = NULL;
602 int32_t status = init_aes_gcm_decrypt_param_set(¶m_set, cipher, aad, hks_key.size);
603 if (status != ERROR_CODE_SUCCESS) {
604 LOGE("init encrypt param set failed, status=%d", status);
605 safe_free(plain_text.data);
606 return ERROR_CODE_BUILD_PARAM_SET;
607 }
608
609 status = HksDecrypt(&hks_key, param_set, &cipher_text_with_tag, &plain_text);
610 if (status != ERROR_CODE_SUCCESS) {
611 LOGE("Huks aead decrypt failed, status: %d", status);
612 safe_free(plain_text.data);
613 HksFreeParamSet(¶m_set);
614 return ERROR_CODE_FAILED;
615 }
616
617 if (memcpy_s(out_plain->val, out_plain->size, plain_text.data, plain_text.size) != EOK) {
618 safe_free(plain_text.data);
619 HksFreeParamSet(¶m_set);
620 return ERROR_CODE_FAILED;
621 }
622 out_plain->length = plain_text.size;
623
624 safe_free(plain_text.data);
625 HksFreeParamSet(¶m_set);
626 return status;
627 }
628
generate_service_id(const struct session_identity * identity)629 struct service_id generate_service_id(const struct session_identity *identity)
630 {
631 struct service_id service_id;
632 (void)memset_s(&service_id, sizeof(service_id), 0, sizeof(service_id));
633 if (identity == NULL) {
634 LOGE("Input is null");
635 return service_id;
636 }
637
638 uint32_t pack_name_len = identity->package_name.length;
639 if ((pack_name_len == 0) || (pack_name_len > HC_PACKAGE_NAME_BUFF_LEN)) {
640 LOGE("Pack name length is: %u", pack_name_len);
641 return service_id;
642 }
643 uint32_t type_len = identity->service_type.length;
644 if ((type_len == 0) || (type_len > HC_SERVICE_TYPE_BUFF_LEN)) {
645 LOGE("Service type length is: %u", type_len);
646 return service_id;
647 }
648 uint32_t srv_len = type_len + pack_name_len;
649 struct uint8_buff id_buff = {
650 .length = srv_len,
651 .size = srv_len
652 };
653
654 id_buff.val = (uint8_t *)MALLOC(srv_len);
655 if (id_buff.val == NULL) {
656 LOGE("Malloc mem failed");
657 return service_id;
658 }
659
660 if (memcpy_s(id_buff.val, srv_len, identity->package_name.name, pack_name_len) != EOK) {
661 LOGE("Copy service id buff failed");
662 safe_free(id_buff.val);
663 return service_id;
664 }
665 if (memcpy_s(id_buff.val + pack_name_len, srv_len - pack_name_len, identity->service_type.type, type_len) != EOK) {
666 LOGE("Copy service id buff failed");
667 safe_free(id_buff.val);
668 return service_id;
669 }
670
671 struct sha256_value srv_sha256 = sha256(&id_buff);
672 safe_free(id_buff.val);
673 id_buff.val = NULL;
674
675 if (srv_sha256.length > 0) {
676 if (memcpy_s(service_id.service_id, HC_SERVICE_ID_BUFF_LEN, srv_sha256.sha256_value, HC_SHA256_LEN) == EOK) {
677 service_id.length = srv_sha256.length;
678 } else {
679 LOGE("Copy hash value failed");
680 }
681 }
682
683 return service_id;
684 }
685
convert_byte_to_hex_string(const uint8_t * byte_array,uint32_t byte_array_size,uint8_t * hex_string,uint32_t out_size)686 static int32_t convert_byte_to_hex_string(const uint8_t *byte_array, uint32_t byte_array_size,
687 uint8_t *hex_string, uint32_t out_size)
688 {
689 int32_t length = 0;
690
691 check_num_return_val(byte_array_size, length);
692 if (out_size < (byte_array_size * BYTE_TO_HEX_OPER_LENGTH)) { /* doubleword, length*2 */
693 return length;
694 }
695 uint32_t hex_str_arr_len = (uint32_t)(out_size + 1);
696 char *hex_str_arr = (char *)MALLOC(hex_str_arr_len);
697 if (hex_str_arr == NULL) {
698 LOGE("Copy hex arr to string failed");
699 return 0;
700 }
701 (void)memset_s(hex_str_arr, hex_str_arr_len, 0, hex_str_arr_len);
702 for (uint32_t i = 0; i < byte_array_size; i++) {
703 if (sprintf_s((char *)(hex_str_arr + length), hex_str_arr_len - length, "%02x", byte_array[i]) < 0) {
704 LOGE("What happened was that the probability was zero"); /* caller perceives memery error, no return */
705 }
706 length += BYTE_TO_HEX_OPER_LENGTH; /* doubleword, length increases 2 each time */
707 }
708 if (memcpy_s(hex_string, out_size, hex_str_arr, length) != EOK) {
709 LOGE("Copy hex arr to string failed");
710 length = 0;
711 }
712
713 safe_free(hex_str_arr);
714 hex_str_arr = NULL;
715 return length;
716 }
717
generate_key_alias(const struct service_id * service_id,const struct hc_auth_id * auth_id,enum huks_key_alias_type key_type)718 struct hc_key_alias generate_key_alias(const struct service_id *service_id,
719 const struct hc_auth_id *auth_id, enum huks_key_alias_type key_type)
720 {
721 struct hc_key_alias temp_alias;
722 (void)memset_s(&temp_alias, sizeof(temp_alias), 0, sizeof(temp_alias));
723 check_ptr_return_val(service_id, temp_alias);
724 check_ptr_return_val(auth_id, temp_alias);
725 if (key_type >= HC_MAX_KEY_TYPE_NUM) {
726 LOGE("Invalid user type");
727 return temp_alias;
728 }
729 if (service_id->length > HC_SERVICE_ID_BUFF_LEN) {
730 LOGE("service_id length is error");
731 return temp_alias;
732 }
733 if (auth_id->length > HC_AUTH_ID_BUFF_LEN) {
734 LOGE("auth_id length is error");
735 return temp_alias;
736 }
737
738 uint32_t key_type_pair_size = HC_KEY_TYPE_PAIR_LEN;
739 const uint8_t *key_type_pair = g_key_type_pairs[key_type];
740 uint32_t total_len = service_id->length + auth_id->length + key_type_pair_size;
741 struct uint8_buff key_alias_buff;
742
743 (void)memset_s(&key_alias_buff, sizeof(key_alias_buff), 0, sizeof(key_alias_buff));
744 key_alias_buff.val = (uint8_t *)MALLOC(total_len + 1);
745 if (key_alias_buff.val == NULL) {
746 LOGE("Malloc key alias buff failed");
747 return temp_alias;
748 }
749
750 key_alias_buff.size = total_len + 1; /* one character longer for terminator */
751 key_alias_buff.length = total_len;
752 (void)memset_s(key_alias_buff.val, key_alias_buff.size, 0, key_alias_buff.size);
753 (void)memcpy_s(key_alias_buff.val, key_alias_buff.size, service_id->service_id, service_id->length);
754 (void)memcpy_s(key_alias_buff.val + service_id->length, key_alias_buff.size - service_id->length,
755 key_type_pair, key_type_pair_size);
756 (void)memcpy_s(key_alias_buff.val + service_id->length + key_type_pair_size,
757 key_alias_buff.size - service_id->length - key_type_pair_size,
758 auth_id->auth_id, auth_id->length);
759
760 struct hc_key_alias key_alias;
761 (void)memset_s(&key_alias, sizeof(key_alias), 0, sizeof(key_alias));
762 struct sha256_value alias_sha256 = sha256(&key_alias_buff);
763
764 safe_free(key_alias_buff.val);
765 key_alias_buff.val = NULL;
766 if (alias_sha256.length > 0) {
767 int32_t length = convert_byte_to_hex_string(alias_sha256.sha256_value, alias_sha256.length,
768 key_alias.key_alias, HC_KEY_ALIAS_MAX_LEN);
769 key_alias.length = length;
770 }
771 return key_alias;
772 }
773
init_x25519_generate_key_input_param_set(struct HksParamSet ** input_param_set)774 static int32_t init_x25519_generate_key_input_param_set(struct HksParamSet **input_param_set)
775 {
776 struct HksParam key_param[] = {
777 {
778 .tag = HKS_TAG_KEY_STORAGE_FLAG,
779 .uint32Param = HKS_STORAGE_TEMP
780 }, {
781 .tag = HKS_TAG_PURPOSE,
782 .uint32Param = HKS_KEY_PURPOSE_SIGN | HKS_KEY_PURPOSE_VERIFY
783 }, {
784 .tag = HKS_TAG_ALGORITHM,
785 .uint32Param = HKS_ALG_X25519
786 }, {
787 .tag = HKS_TAG_KEY_SIZE,
788 .uint32Param = X25519_KEY_LEN
789 }, {
790 .tag = HKS_TAG_IS_ALLOWED_WRAP,
791 .boolParam = true
792 }
793 };
794
795 int32_t status = construct_param_set(input_param_set, key_param, array_size(key_param));
796 if (status != ERROR_CODE_SUCCESS) {
797 LOGE("construct encrypt param set failed, status=%d", status);
798 return ERROR_CODE_BUILD_PARAM_SET;
799 }
800
801 return ERROR_CODE_SUCCESS;
802 }
803
parse_x25519_output_param_set(struct HksParamSet * output_param_set,struct st_key_pair * out_key_pair)804 static int32_t parse_x25519_output_param_set(struct HksParamSet *output_param_set,
805 struct st_key_pair *out_key_pair)
806 {
807 int32_t status = HksFreshParamSet(output_param_set, false); /* false means fresh by local, not though IPC */
808 if (status != ERROR_CODE_SUCCESS) {
809 LOGE("fresh param set failed, status:%d", status);
810 return ERROR_CODE_FRESH_PARAM_SET;
811 }
812
813 struct HksParam *pub_key_param = NULL;
814 status = HksGetParam(output_param_set, HKS_TAG_ASYMMETRIC_PUBLIC_KEY_DATA, &pub_key_param);
815 if (status != ERROR_CODE_SUCCESS) {
816 LOGE("get pub key from param set failed, status:%d", status);
817 return ERROR_CODE_GET_PUB_KEY_FROM_PARAM_SET;
818 }
819
820 struct HksParam *priv_key_param = NULL;
821 status = HksGetParam(output_param_set, HKS_TAG_ASYMMETRIC_PRIVATE_KEY_DATA, &priv_key_param);
822 if (status != ERROR_CODE_SUCCESS) {
823 LOGE("get priv key from param set failed, status:%d", status);
824 return ERROR_CODE_GET_PRIV_KEY_FROM_PARAM_SET;
825 }
826
827 if (memcpy_s(out_key_pair->st_public_key.stpk, HC_ST_PUBLIC_KEY_LEN,
828 pub_key_param->blob.data, pub_key_param->blob.size) != EOK) {
829 LOGE("parse x25519 output param set memcpy public key failed!");
830 return ERROR_CODE_FAILED;
831 }
832 out_key_pair->st_public_key.length = pub_key_param->blob.size;
833
834 if (memcpy_s(out_key_pair->st_private_key.stsk, HC_ST_PRIVATE_KEY_LEN,
835 priv_key_param->blob.data, priv_key_param->blob.size) != EOK) {
836 LOGE("parse x25519 output param set memcpy private key failed!");
837 return ERROR_CODE_FAILED;
838 }
839 out_key_pair->st_private_key.length = priv_key_param->blob.size;
840
841 return ERROR_CODE_SUCCESS;
842 }
843
generate_st_key_pair(struct st_key_pair * out_key_pair)844 int32_t generate_st_key_pair(struct st_key_pair *out_key_pair)
845 {
846 check_ptr_return_val(out_key_pair, HC_INPUT_ERROR);
847 (void)memset_s(out_key_pair, sizeof(*out_key_pair), 0, sizeof(*out_key_pair));
848
849 struct HksParamSet *input_param_set = NULL;
850 int32_t status = init_x25519_generate_key_input_param_set(&input_param_set);
851 if (status != ERROR_CODE_SUCCESS) {
852 LOGE("init x25519 generate key input param set failed! status:%d", status);
853 return status;
854 }
855
856 struct HksParamSet *output_param_set = (struct HksParamSet *)MALLOC(X25519_KEY_PARAM_SET_SIZE);
857 if (output_param_set == NULL) {
858 LOGE("allocate buffer for output param set failed");
859 HksFreeParamSet(&input_param_set);
860 return ERROR_CODE_FAILED;
861 }
862
863 (void)memset_s(output_param_set, X25519_KEY_PARAM_SET_SIZE, 0, X25519_KEY_PARAM_SET_SIZE);
864 output_param_set->paramSetSize = X25519_KEY_PARAM_SET_SIZE;
865
866 do {
867 status = HksGenerateKey(NULL, input_param_set, output_param_set);
868 if (status != ERROR_CODE_SUCCESS) {
869 LOGE("generate x25519 key failed! status:%d", status);
870 status = ERROR_CODE_GENERATE_KEY;
871 break;
872 }
873
874 status = parse_x25519_output_param_set(output_param_set, out_key_pair);
875 if (status != ERROR_CODE_SUCCESS) {
876 LOGE("parse x25519 output param set failed! status:%d", status);
877 break;
878 }
879 } while (0);
880
881 HksFreeParamSet(&input_param_set);
882 safe_free(output_param_set);
883 return status;
884 }
885
generate_lt_key_pair(struct hc_key_alias * key_alias,const struct hc_auth_id * auth_id)886 int32_t generate_lt_key_pair(struct hc_key_alias *key_alias, const struct hc_auth_id *auth_id)
887 {
888 check_ptr_return_val(key_alias, HC_INPUT_ERROR);
889 check_ptr_return_val(auth_id, HC_INPUT_ERROR);
890
891 struct HksBlob key_alias_blob = convert_to_blob_from_hc_key_alias(key_alias);
892 check_num_return_val(key_alias_blob.size, ERROR_CODE_FAILED);
893
894 struct hc_auth_id tmp_id = *auth_id;
895 struct HksParamSet *param_set = NULL;
896 struct HksParam key_param[] = {
897 {
898 .tag = HKS_TAG_ALGORITHM,
899 .uint32Param = HKS_ALG_ED25519
900 }, {
901 .tag = HKS_TAG_KEY_STORAGE_FLAG,
902 .uint32Param = HKS_STORAGE_PERSISTENT
903 }, {
904 .tag = HKS_TAG_PURPOSE,
905 .uint32Param = HKS_KEY_PURPOSE_SIGN | HKS_KEY_PURPOSE_VERIFY
906 }, {
907 .tag = HKS_TAG_KEY_SIZE,
908 .uint32Param = ED25519_KEY_LEN
909 }, {
910 .tag = HKS_TAG_PADDING,
911 .uint32Param = HKS_PADDING_NONE
912 }, {
913 .tag = HKS_TAG_DIGEST,
914 .uint32Param = HKS_DIGEST_SHA256
915 }, {
916 .tag = HKS_TAG_KEY_AUTH_ID,
917 .blob = convert_to_blob_from_hc_auth_id(&tmp_id)
918 }, {
919 .tag = HKS_TAG_IS_ALLOWED_WRAP,
920 .boolParam = true
921 }
922 };
923
924 int32_t status = construct_param_set(¶m_set, key_param, array_size(key_param));
925 if (status != ERROR_CODE_SUCCESS) {
926 LOGE("construct encrypt param set failed, status=%d", status);
927 return ERROR_CODE_BUILD_PARAM_SET;
928 }
929
930 status = HksGenerateKey(&key_alias_blob, param_set, NULL);
931 if (status != ERROR_CODE_SUCCESS) {
932 LOGE("Hks generate failed, status=%d", status);
933 HksFreeParamSet(¶m_set);
934 return ERROR_CODE_GENERATE_KEY;
935 }
936
937 HksFreeParamSet(¶m_set);
938 return ERROR_CODE_SUCCESS;
939 }
940
export_lt_public_key(struct hc_key_alias * key_alias,struct ltpk * out_public_key)941 int32_t export_lt_public_key(struct hc_key_alias *key_alias, struct ltpk *out_public_key)
942 {
943 check_ptr_return_val(key_alias, HC_INPUT_ERROR);
944 check_ptr_return_val(out_public_key, HC_INPUT_ERROR);
945
946 struct HksBlob key_alias_blob = convert_to_blob_from_hc_key_alias(key_alias);
947 check_num_return_val(key_alias_blob.size, ERROR_CODE_FAILED);
948
949 struct HksBlob key = { HC_LT_PUBLIC_KEY_LEN, out_public_key->ltpk };
950 int32_t hks_status = HksExportPublicKey(&key_alias_blob, NULL, &key);
951 if (hks_status != ERROR_CODE_SUCCESS) {
952 LOGE("Export public key failed, status=%d", hks_status);
953 return ERROR_CODE_FAILED;
954 }
955 out_public_key->length = key.size;
956
957 return ERROR_CODE_SUCCESS;
958 }
959
delete_key(struct hc_key_alias * key_alias)960 int32_t delete_key(struct hc_key_alias *key_alias)
961 {
962 check_ptr_return_val(key_alias, HC_INPUT_ERROR);
963
964 struct HksBlob key_alias_blob = convert_to_blob_from_hc_key_alias(key_alias);
965 check_num_return_val(key_alias_blob.size, ERROR_CODE_FAILED);
966
967 int32_t hks_status = HksDeleteKey(&key_alias_blob, NULL);
968 if (hks_status != ERROR_CODE_SUCCESS) {
969 LOGE("Delete key failed, status=%d", hks_status);
970 return ERROR_CODE_FAILED;
971 }
972
973 return ERROR_CODE_SUCCESS;
974 }
975
976 /*
977 * delete long time public key
978 *
979 * @key_alias: long time public key alias
980 * @return 0 -- success, others -- failed
981 */
delete_lt_public_key(struct hc_key_alias * key_alias)982 int32_t delete_lt_public_key(struct hc_key_alias *key_alias)
983 {
984 int32_t hks_status = delete_key(key_alias);
985 if (hks_status != ERROR_CODE_SUCCESS) {
986 LOGE("Delete lt public key failed, status=%d", hks_status);
987 }
988
989 return hks_status;
990 }
991
init_import_lt_public_key_param_set(struct HksParamSet ** param_set,const int32_t user_type,const int32_t pair_type,struct hc_auth_id * auth_id)992 static int32_t init_import_lt_public_key_param_set(struct HksParamSet **param_set,
993 const int32_t user_type, const int32_t pair_type, struct hc_auth_id *auth_id)
994 {
995 #if !(defined(_SUPPORT_SEC_CLONE_) || defined(_SUPPORT_SEC_CLONE_SERVER_))
996 union huks_key_type_union huks_key_type;
997 huks_key_type.type_struct.user_type = (uint8_t)user_type;
998 huks_key_type.type_struct.pair_type = (uint8_t)pair_type;
999 huks_key_type.type_struct.reserved1 = (uint8_t)0;
1000 huks_key_type.type_struct.reserved2 = (uint8_t)0;
1001 #endif
1002
1003 (void)pair_type;
1004 struct HksParam key_param[] = {
1005 {
1006 .tag = HKS_TAG_ALGORITHM,
1007 .uint32Param = HKS_ALG_ED25519
1008 }, {
1009 .tag = HKS_TAG_KEY_SIZE,
1010 .uint32Param = ED25519_KEY_LEN
1011 }, {
1012 .tag = HKS_TAG_PADDING,
1013 .uint32Param = HKS_PADDING_NONE
1014 }, {
1015 .tag = HKS_TAG_DIGEST,
1016 .uint32Param = HKS_DIGEST_SHA256
1017 }, {
1018 .tag = HKS_TAG_KEY_AUTH_ID,
1019 .blob = convert_to_blob_from_hc_auth_id(auth_id)
1020 }, {
1021 .tag = HKS_TAG_IS_ALLOWED_WRAP,
1022 .boolParam = true
1023 },
1024 #if (defined(_SUPPORT_SEC_CLONE_) || defined(_SUPPORT_SEC_CLONE_SERVER_))
1025 {
1026 .tag = HKS_TAG_PURPOSE,
1027 .uint32Param = HKS_KEY_PURPOSE_VERIFY
1028 }, {
1029 .tag = HKS_TAG_KEY_ROLE,
1030 .uint32Param = user_type
1031 }
1032 #else
1033 {
1034 .tag = HKS_TAG_PURPOSE,
1035 .uint32Param = HKS_KEY_PURPOSE_VERIFY
1036 }, {
1037 .tag = HKS_TAG_KEY_ROLE,
1038 .uint32Param = (uint32_t)huks_key_type.key_type
1039 }
1040 #endif
1041 };
1042
1043 return construct_param_set(param_set, key_param, array_size(key_param));
1044 }
1045
import_lt_public_key(struct hc_key_alias * key_alias,struct ltpk * peer_public_key,const int32_t user_type,const int32_t pair_type,struct hc_auth_id * auth_id)1046 int32_t import_lt_public_key(struct hc_key_alias *key_alias, struct ltpk *peer_public_key,
1047 const int32_t user_type, const int32_t pair_type, struct hc_auth_id *auth_id)
1048 {
1049 if ((pair_type < 0) || (pair_type >= HC_MAX_PAIR_TYPE_NUM)) {
1050 return HC_INPUT_ERROR;
1051 }
1052 if ((user_type < 0) || (user_type >= HC_MAX_KEY_TYPE_NUM)) {
1053 return HC_INPUT_ERROR;
1054 }
1055 check_ptr_return_val(key_alias, HC_INPUT_ERROR);
1056 check_ptr_return_val(peer_public_key, HC_INPUT_ERROR);
1057 check_ptr_return_val(auth_id, HC_INPUT_ERROR);
1058
1059 struct HksBlob key_alias_blob = convert_to_blob_from_hc_key_alias(key_alias);
1060 if (key_alias_blob.size == 0) {
1061 LOGE("Convert key alias to blob failed");
1062 return ERROR_CODE_FAILED;
1063 }
1064
1065 struct HksBlob ltpk_key_blob = convert_to_blob_from_ltpk(peer_public_key);
1066 if (ltpk_key_blob.size == 0) {
1067 LOGE("Convert ltpk key to blob failed");
1068 return ERROR_CODE_FAILED;
1069 }
1070
1071 struct HksParamSet *param_set = NULL;
1072 int32_t status = init_import_lt_public_key_param_set(¶m_set, user_type, pair_type, auth_id);
1073 if (status != ERROR_CODE_SUCCESS) {
1074 LOGE("init import lt public key input param set failed! status:%d", status);
1075 return status;
1076 }
1077
1078 status = HksImportKey(&key_alias_blob, param_set, <pk_key_blob);
1079
1080 HksFreeParamSet(¶m_set);
1081 return status;
1082 }
1083
check_lt_public_key_exist(struct hc_key_alias * key_alias)1084 int32_t check_lt_public_key_exist(struct hc_key_alias *key_alias)
1085 {
1086 check_ptr_return_val(key_alias, HC_INPUT_ERROR);
1087 check_num_return_val(key_alias->length, HC_INPUT_ERROR);
1088 struct HksBlob key_alias_blob = convert_to_blob_from_hc_key_alias(key_alias);
1089 int32_t hks_status = HksKeyExist(&key_alias_blob, NULL);
1090 if (hks_status == 0) {
1091 return ERROR_CODE_SUCCESS;
1092 } else {
1093 LOGI("Check lt public key exist failed, status = %d", hks_status);
1094 return ERROR_CODE_FAILED;
1095 }
1096 }
1097
check_key_exist(struct hc_key_alias * key_alias)1098 int32_t check_key_exist(struct hc_key_alias *key_alias)
1099 {
1100 check_ptr_return_val(key_alias, HC_INPUT_ERROR);
1101 check_num_return_val(key_alias->length, HC_INPUT_ERROR);
1102 struct HksBlob key_alias_blob = convert_to_blob_from_hc_key_alias(key_alias);
1103 int32_t hks_status = HksKeyExist(&key_alias_blob, NULL);
1104 if (hks_status == 0) {
1105 return ERROR_CODE_SUCCESS;
1106 } else {
1107 LOGI("Check key exist failed, status = %d", hks_status);
1108 return ERROR_CODE_FAILED;
1109 }
1110 }
1111
init_key_info_list(struct HksKeyInfo * key_info_list,int32_t len)1112 static int32_t init_key_info_list(struct HksKeyInfo *key_info_list, int32_t len)
1113 {
1114 (void)memset_s(key_info_list, sizeof(struct HksKeyInfo) * len, 0, sizeof(struct HksKeyInfo) * len);
1115 for (int32_t i = 0; i < len; ++i) {
1116 struct HksKeyInfo key_info_tmp;
1117
1118 key_info_tmp.alias.data = (uint8_t *)MALLOC(HC_KEY_ALIAS_MAX_LEN);
1119 if (key_info_tmp.alias.data == NULL) {
1120 LOGE("allocate space for key info alias data failed");
1121 return ERROR_CODE_NO_SPACE;
1122 }
1123 (void)memset_s(key_info_tmp.alias.data, HC_KEY_ALIAS_MAX_LEN, 0, HC_KEY_ALIAS_MAX_LEN);
1124 key_info_tmp.alias.size = HC_KEY_ALIAS_MAX_LEN;
1125
1126 key_info_tmp.paramSet = (struct HksParamSet *)MALLOC(DEFAULT_PARAM_SET_OUT_SIZE);
1127 if (key_info_tmp.paramSet == NULL) {
1128 safe_free(key_info_tmp.alias.data);
1129 key_info_tmp.alias.data = NULL;
1130 LOGE("allocate space for key param set failed");
1131 return ERROR_CODE_NO_SPACE;
1132 }
1133 (void)memset_s(key_info_tmp.paramSet, DEFAULT_PARAM_SET_OUT_SIZE, 0, DEFAULT_PARAM_SET_OUT_SIZE);
1134 key_info_tmp.paramSet->paramSetSize = DEFAULT_PARAM_SET_OUT_SIZE;
1135
1136 key_info_list[i] = key_info_tmp;
1137 }
1138 return 0;
1139 }
1140
inner_get_lt_info_by_key_info(struct HksKeyInfo * key_info,struct huks_key_type * out_key_type,struct hc_auth_id * out_auth_id)1141 static int32_t inner_get_lt_info_by_key_info(struct HksKeyInfo *key_info,
1142 struct huks_key_type *out_key_type, struct hc_auth_id *out_auth_id)
1143 {
1144 union huks_key_type_union key_type_union;
1145 struct HksParam *key_role = NULL;
1146 int32_t status = HksGetParam(key_info->paramSet, HKS_TAG_KEY_ROLE, &key_role);
1147 if (status != ERROR_CODE_SUCCESS) {
1148 LOGE("get key role from param set failed, status:%d", status);
1149 return ERROR_CODE_FAILED;
1150 }
1151
1152 key_type_union.key_type = key_role->uint32Param;
1153 out_key_type->user_type = key_type_union.type_struct.user_type;
1154 out_key_type->pair_type = key_type_union.type_struct.pair_type;
1155 out_key_type->reserved1 = key_type_union.type_struct.reserved1;
1156 out_key_type->reserved2 = key_type_union.type_struct.reserved2;
1157
1158 struct HksParam *auth_id = NULL;
1159 status = HksGetParam(key_info->paramSet, HKS_TAG_KEY_AUTH_ID, &auth_id);
1160 if (status != ERROR_CODE_SUCCESS) {
1161 LOGE("get auth id from param set failed, status:%d", status);
1162 return ERROR_CODE_FAILED;
1163 }
1164
1165 if (memcpy_s(out_auth_id->auth_id, HC_AUTH_ID_BUFF_LEN,
1166 auth_id->blob.data, auth_id->blob.size) != EOK) {
1167 LOGE("Copy key param failed");
1168 return ERROR_CODE_FAILED;
1169 }
1170 out_auth_id->length = auth_id->blob.size;
1171
1172 return status;
1173 }
1174
inner_get_lt_info_by_key_alias(struct HksBlob * key_alias,struct huks_key_type * out_key_type,struct hc_auth_id * out_auth_id)1175 static int32_t inner_get_lt_info_by_key_alias(struct HksBlob *key_alias,
1176 struct huks_key_type *out_key_type, struct hc_auth_id *out_auth_id)
1177 {
1178 struct HksParamSet *output_param_set = (struct HksParamSet *)MALLOC(DEFAULT_PARAM_SET_OUT_SIZE);
1179 if (output_param_set == NULL) {
1180 LOGE("allocate space for param set out failed");
1181 return ERROR_CODE_FAILED;
1182 }
1183 (void)memset_s(output_param_set, DEFAULT_PARAM_SET_OUT_SIZE, 0, DEFAULT_PARAM_SET_OUT_SIZE);
1184 output_param_set->paramSetSize = DEFAULT_PARAM_SET_OUT_SIZE;
1185
1186 int32_t status = HksGetKeyParamSet(key_alias, NULL, output_param_set);
1187 if (status != ERROR_CODE_SUCCESS) {
1188 LOGE("Get huks key param set failed");
1189 goto get_key_info_free;
1190 }
1191
1192 status = HksFreshParamSet(output_param_set, false);
1193 if (status != ERROR_CODE_SUCCESS) {
1194 LOGE("fresh param set failed, status:%d", status);
1195 goto get_key_info_free;
1196 }
1197
1198 struct HksParam *key_role = NULL;
1199 status = HksGetParam(output_param_set, HKS_TAG_KEY_ROLE, &key_role);
1200 if (status != ERROR_CODE_SUCCESS) {
1201 LOGE("get key role from param set failed, status:%d", status);
1202 goto get_key_info_free;
1203 }
1204
1205 union huks_key_type_union key_type_union;
1206 key_type_union.key_type = key_role->uint32Param;
1207 out_key_type->user_type = key_type_union.type_struct.user_type;
1208 out_key_type->pair_type = key_type_union.type_struct.pair_type;
1209 out_key_type->reserved1 = key_type_union.type_struct.reserved1;
1210 out_key_type->reserved2 = key_type_union.type_struct.reserved2;
1211
1212 struct HksParam *auth_id = NULL;
1213 status = HksGetParam(output_param_set, HKS_TAG_KEY_AUTH_ID, &auth_id);
1214 if (status != ERROR_CODE_SUCCESS) {
1215 LOGE("get auth id from param set failed, status:%d", status);
1216 goto get_key_info_free;
1217 }
1218
1219 if (memcpy_s(out_auth_id->auth_id, HC_AUTH_ID_BUFF_LEN, auth_id->blob.data, auth_id->blob.size) != EOK) {
1220 LOGE("Copy key param failed");
1221 goto get_key_info_free;
1222 }
1223 out_auth_id->length = auth_id->blob.size;
1224
1225 get_key_info_free:
1226 safe_free(output_param_set);
1227 return status;
1228 }
1229
get_lt_key_info(struct hc_key_alias * alias,struct huks_key_type * out_key_type,struct hc_auth_id * out_auth_id)1230 int32_t get_lt_key_info(struct hc_key_alias *alias, struct huks_key_type *out_key_type, struct hc_auth_id *out_auth_id)
1231 {
1232 check_ptr_return_val(alias, HC_INPUT_ERROR);
1233 check_ptr_return_val(out_key_type, HC_INPUT_ERROR);
1234 check_ptr_return_val(out_auth_id, HC_INPUT_ERROR);
1235
1236 struct HksBlob alias_blob = convert_to_blob_from_hc_key_alias(alias);
1237 return inner_get_lt_info_by_key_alias(&alias_blob, out_key_type, out_auth_id);
1238 }
1239
check_key_alias_is_owner(struct hc_key_alias * key_alias)1240 int32_t check_key_alias_is_owner(struct hc_key_alias *key_alias)
1241 {
1242 check_ptr_return_val(key_alias, HC_INPUT_ERROR);
1243 check_num_return_val(key_alias->length, HC_INPUT_ERROR);
1244
1245 int32_t error_code = check_lt_public_key_exist(key_alias);
1246 if (error_code != ERROR_CODE_SUCCESS) {
1247 LOGE("Key is not exist");
1248 return error_code;
1249 }
1250
1251 struct huks_key_type key_type;
1252 struct hc_auth_id auth_id;
1253
1254 struct HksBlob key_alias_blob = convert_to_blob_from_hc_key_alias(key_alias);
1255 error_code = inner_get_lt_info_by_key_alias(&key_alias_blob, &key_type, &auth_id);
1256 if (error_code != ERROR_CODE_SUCCESS) {
1257 LOGE("Get key info failed");
1258 return error_code;
1259 }
1260
1261 if (key_type.user_type != (uint8_t)HC_USER_TYPE_CONTROLLER) {
1262 return ERROR_CODE_FAILED;
1263 }
1264 if (key_type.pair_type == (uint8_t)HC_PAIR_TYPE_BIND) {
1265 return ERROR_CODE_SUCCESS;
1266 } else {
1267 return ERROR_CODE_FAILED;
1268 }
1269 }
1270
load_lt_public_key_list(const struct hc_auth_id * owner_id,int32_t trust_user_type,struct HksKeyInfo * key_info_list,uint32_t list_count,struct hc_auth_id * out_auth_list)1271 static uint32_t load_lt_public_key_list(const struct hc_auth_id *owner_id, int32_t trust_user_type,
1272 struct HksKeyInfo *key_info_list, uint32_t list_count, struct hc_auth_id *out_auth_list)
1273 {
1274 uint8_t pair_type = owner_id == NULL ? (uint8_t)HC_PAIR_TYPE_BIND : (uint8_t)HC_PAIR_TYPE_AUTH;
1275 uint8_t user_type = (uint8_t)trust_user_type;
1276 int32_t err_code;
1277 struct huks_key_type key_type;
1278 struct hc_auth_id auth_id;
1279 uint32_t effect_count = 0;
1280
1281 if ((trust_user_type < 0) || (trust_user_type >= HC_MAX_KEY_TYPE_NUM)) {
1282 return effect_count;
1283 }
1284 for (uint32_t i = 0; i < list_count; i++) {
1285 struct HksParam *key_flag_param = NULL;
1286 int32_t status = HksGetParam(key_info_list[i].paramSet, HKS_TAG_KEY_FLAG, &key_flag_param);
1287 if (status != ERROR_CODE_SUCCESS) {
1288 LOGE("get key flag from param set failed, status:%d", status);
1289 return ERROR_CODE_FAILED;
1290 }
1291 if (key_flag_param->uint32Param == HKS_KEY_FLAG_GENERATE_KEY) {
1292 continue;
1293 }
1294 err_code = inner_get_lt_info_by_key_info(&key_info_list[i], &key_type, &auth_id);
1295 if (err_code != ERROR_CODE_SUCCESS) {
1296 continue;
1297 }
1298 if (key_type.user_type != user_type) {
1299 continue;
1300 }
1301 if (user_type == (uint8_t)HC_USER_TYPE_CONTROLLER) {
1302 if (key_type.pair_type != pair_type) {
1303 continue;
1304 }
1305 }
1306 if (memcpy_s(out_auth_list[effect_count].auth_id, HC_AUTH_ID_BUFF_LEN,
1307 auth_id.auth_id, auth_id.length) != EOK) {
1308 LOGE("Copy from temp hc_auth_id to out_auth_list failed");
1309 continue;
1310 }
1311 out_auth_list[effect_count].length = auth_id.length;
1312 effect_count++;
1313 }
1314 return effect_count;
1315 }
1316
get_lt_public_key_list(const struct hc_auth_id * owner_auth_id,int32_t trust_user_type,struct hc_auth_id * out_auth_list,uint32_t * out_count)1317 int32_t get_lt_public_key_list(const struct hc_auth_id *owner_auth_id, int32_t trust_user_type,
1318 struct hc_auth_id *out_auth_list, uint32_t *out_count)
1319 {
1320 check_ptr_return_val(out_auth_list, HC_INPUT_ERROR);
1321 check_ptr_return_val(out_count, HC_INPUT_ERROR);
1322
1323 int32_t error_code = ERROR_CODE_SUCCESS;
1324 struct HksKeyInfo key_info_list[HC_PUB_KEY_ALIAS_MAX_NUM];
1325 int32_t status = init_key_info_list(key_info_list, HC_PUB_KEY_ALIAS_MAX_NUM);
1326 if (status != ERROR_CODE_SUCCESS) {
1327 LOGE("Init key info list failed, status=%d", status);
1328 error_code = ERROR_CODE_FAILED;
1329 goto exit;
1330 }
1331
1332 uint32_t list_count = HC_PUB_KEY_ALIAS_MAX_NUM;
1333 status = HksGetKeyInfoList(NULL, key_info_list, &list_count);
1334 if (status != ERROR_CODE_SUCCESS) {
1335 LOGE("Huks get pub key info list failed, status=%d", status);
1336 error_code = ERROR_CODE_FAILED;
1337 goto exit;
1338 }
1339
1340 /* filter with trust_user_type */
1341 uint32_t effect_count = load_lt_public_key_list(owner_auth_id, trust_user_type, key_info_list,
1342 list_count, out_auth_list);
1343 /* output param */
1344 *out_count = effect_count;
1345
1346 exit:
1347 for (int32_t i = 0; i < HC_PUB_KEY_ALIAS_MAX_NUM; ++i) {
1348 safe_free(key_info_list[i].alias.data);
1349 safe_free(key_info_list[i].paramSet);
1350 }
1351 return error_code;
1352 }
1353
gen_sign_key_param_set(struct HksParamSet ** param_set)1354 static int32_t gen_sign_key_param_set(struct HksParamSet **param_set)
1355 {
1356 struct HksParam params[] = {
1357 {
1358 .tag = HKS_TAG_PURPOSE,
1359 .uint32Param = HKS_KEY_PURPOSE_SIGN /* correspond to old key usage */
1360 }, {
1361 .tag = HKS_TAG_ALGORITHM,
1362 .uint32Param = HKS_ALG_ED25519 /* alg, correspond to old key type */
1363 }, {
1364 .tag = HKS_TAG_PADDING,
1365 .uint32Param = HKS_PADDING_NONE
1366 }, {
1367 .tag = HKS_TAG_DIGEST,
1368 .uint32Param = HKS_DIGEST_SHA256
1369 }
1370 };
1371
1372 int32_t status = construct_param_set(param_set, params, array_size(params));
1373 if (status != ERROR_CODE_SUCCESS) {
1374 LOGE("construct param set for sign failed, status:%d", status);
1375 }
1376
1377 return status;
1378 }
1379
sign(struct hc_key_alias * key_alias,const struct uint8_buff * message,struct signature * out_signature)1380 int32_t sign(struct hc_key_alias *key_alias, const struct uint8_buff *message, struct signature *out_signature)
1381 {
1382 check_ptr_return_val(key_alias, HC_INPUT_ERROR);
1383 check_ptr_return_val(message, HC_INPUT_ERROR);
1384 check_ptr_return_val(out_signature, HC_INPUT_ERROR);
1385 check_num_return_val(key_alias->length, HC_INPUT_ERROR);
1386
1387 struct HksBlob key_alias_blob = convert_to_blob_from_hc_key_alias(key_alias);
1388 if (key_alias_blob.size == 0) {
1389 LOGE("Convert hks key alias to blob failed");
1390 return ERROR_CODE_FAILED;
1391 }
1392
1393 struct sha256_value sha256_value = sha256(message);
1394 if (sha256_value.length == 0) {
1395 LOGE("Get sha256 hash failed");
1396 return ERROR_CODE_FAILED;
1397 }
1398
1399 struct HksBlob hash = convert_to_blob_from_sha256_value(&sha256_value);
1400 if (hash.size == 0) {
1401 LOGE("Convert sha256 hash to blob failed");
1402 return ERROR_CODE_FAILED;
1403 }
1404
1405 struct HksParamSet *key_param_set = NULL;
1406 int32_t hks_status = gen_sign_key_param_set(&key_param_set);
1407 if (hks_status != ERROR_CODE_SUCCESS) {
1408 LOGE("gen sign key param set failed, status:%d", hks_status);
1409 return ERROR_CODE_FAILED;
1410 }
1411
1412 struct HksBlob signature = { HC_SIGNATURE_LEN, out_signature->signature };
1413 hks_status = HksSign(&key_alias_blob, key_param_set, &hash, &signature);
1414 if ((hks_status == ERROR_CODE_SUCCESS) && (signature.size == HC_SIGNATURE_LEN)) {
1415 out_signature->length = HC_SIGNATURE_LEN;
1416 } else {
1417 LOGE("Sign failed, status=%d", hks_status);
1418 hks_status = ERROR_CODE_FAILED;
1419 }
1420
1421 HksFreeParamSet(&key_param_set);
1422 return hks_status;
1423 }
1424
gen_verify_key_param_set(const bool is_keyalias,const uint32_t key_size,const int32_t user_type,struct HksParamSet ** param_set)1425 static int gen_verify_key_param_set(const bool is_keyalias, const uint32_t key_size,
1426 const int32_t user_type, struct HksParamSet **param_set)
1427 {
1428 struct HksParam params[] = {
1429 {
1430 .tag = HKS_TAG_PURPOSE,
1431 .uint32Param = HKS_KEY_PURPOSE_VERIFY
1432 }, {
1433 .tag = HKS_TAG_ALGORITHM,
1434 .uint32Param = HKS_ALG_ED25519
1435 }, {
1436 .tag = HKS_TAG_DIGEST,
1437 .uint32Param = HKS_DIGEST_SHA256
1438 }, {
1439 .tag = HKS_TAG_PADDING,
1440 .uint32Param = HKS_PADDING_NONE
1441 }, {
1442 .tag = HKS_TAG_KEY_ROLE,
1443 .uint32Param = (uint32_t)user_type
1444 }, {
1445 .tag = HKS_TAG_IS_KEY_ALIAS,
1446 .boolParam = is_keyalias
1447 }, {
1448 .tag = HKS_TAG_KEY_SIZE,
1449 .uint32Param = (is_keyalias ? 0 : key_size)
1450 }
1451 };
1452
1453 int32_t status = construct_param_set(param_set, params, array_size(params));
1454 if (status != ERROR_CODE_SUCCESS) {
1455 LOGE("construct param set for verify failed, status:%d", status);
1456 }
1457
1458 return status;
1459 }
1460
verify(struct hc_key_alias * key_alias,const int32_t user_type,const struct uint8_buff * message,struct signature * signature)1461 int32_t verify(struct hc_key_alias *key_alias, const int32_t user_type,
1462 const struct uint8_buff *message, struct signature *signature)
1463 {
1464 check_ptr_return_val(key_alias, HC_INPUT_ERROR);
1465 check_ptr_return_val(message, HC_INPUT_ERROR);
1466 check_ptr_return_val(signature, HC_INPUT_ERROR);
1467 check_num_return_val(key_alias->length, HC_INPUT_ERROR);
1468 return ERROR_CODE_SUCCESS;
1469 }
1470
verify_with_public_key(const int32_t user_type,const struct uint8_buff * message,struct var_buffer * public_key,struct signature * signature)1471 int32_t verify_with_public_key(const int32_t user_type, const struct uint8_buff *message,
1472 struct var_buffer *public_key, struct signature *signature)
1473 {
1474 check_ptr_return_val(message, HC_INPUT_ERROR);
1475 check_ptr_return_val(public_key, HC_INPUT_ERROR);
1476 check_ptr_return_val(signature, HC_INPUT_ERROR);
1477
1478 int32_t error_code = ERROR_CODE_FAILED;
1479 struct sha256_value sha256_value = sha256(message);
1480 if (sha256_value.length == 0) {
1481 LOGE("Get sha256 hash failed");
1482 return error_code;
1483 }
1484
1485 struct HksBlob hash = convert_to_blob_from_sha256_value(&sha256_value);
1486 if (hash.size == 0) {
1487 LOGE("Convert sha256 hash to blob failed");
1488 return error_code;
1489 }
1490
1491 struct HksBlob signature_blob = convert_to_blob_from_signature(signature);
1492 if (signature_blob.size == 0) {
1493 LOGE("Convert hks signature to blob failed");
1494 return error_code;
1495 }
1496
1497 struct HksParamSet *key_param_set = NULL;
1498 int32_t hks_status = gen_verify_key_param_set(false, /* false: is public key */
1499 public_key->length * BITS_PER_BYTE, user_type, &key_param_set);
1500 if (hks_status != ERROR_CODE_SUCCESS) {
1501 LOGE("gen verify with public key param set failed, status:%d", hks_status);
1502 return error_code;
1503 }
1504
1505 struct HksBlob public_key_blob = { public_key->length, public_key->data };
1506 hks_status = HksVerify(&public_key_blob, key_param_set, &hash, &signature_blob);
1507 if (hks_status == 0) {
1508 error_code = ERROR_CODE_SUCCESS;
1509 } else {
1510 LOGE("Verify failed, status=%d", hks_status);
1511 error_code = ERROR_CODE_FAILED;
1512 }
1513
1514 HksFreeParamSet(&key_param_set);
1515 return error_code;
1516 }
1517
gen_agreed_key_param_set(struct HksParamSet ** param_set)1518 static int32_t gen_agreed_key_param_set(struct HksParamSet **param_set)
1519 {
1520 struct HksParam params[] = {
1521 {
1522 .tag = HKS_TAG_PURPOSE,
1523 .uint32Param = HKS_KEY_PURPOSE_DERIVE
1524 }, {
1525 .tag = HKS_TAG_ALGORITHM,
1526 .uint32Param = HKS_ALG_X25519
1527 }, {
1528 .tag = HKS_TAG_KEY_SIZE,
1529 .uint32Param = HC_ST_PUBLIC_KEY_LEN * BITS_PER_BYTE
1530 }, {
1531 .tag = HKS_TAG_IS_KEY_ALIAS,
1532 .boolParam = false
1533 }
1534 };
1535
1536 int32_t status = construct_param_set(param_set, params, array_size(params));
1537 if (status != ERROR_CODE_SUCCESS) {
1538 LOGE("construct param set for agreed key failed, status:%d", status);
1539 }
1540
1541 return status;
1542 }
1543
compute_sts_shared_secret(struct stsk * self_private_key,struct stpk * peer_public_key,struct sts_shared_secret * out_shared_key)1544 int32_t compute_sts_shared_secret(struct stsk *self_private_key, struct stpk *peer_public_key,
1545 struct sts_shared_secret *out_shared_key)
1546 {
1547 check_ptr_return_val(self_private_key, HC_INPUT_ERROR);
1548 check_num_return_val(self_private_key->length, HC_INPUT_ERROR);
1549 check_ptr_return_val(peer_public_key, HC_INPUT_ERROR);
1550 check_num_return_val(peer_public_key->length, HC_INPUT_ERROR);
1551 check_ptr_return_val(out_shared_key, HC_INPUT_ERROR);
1552
1553 (void)memset_s(out_shared_key, sizeof(*out_shared_key), 0, sizeof(*out_shared_key));
1554 int32_t error_code = ERROR_CODE_FAILED;
1555 struct HksBlob self_private_key_blob = convert_to_blob_from_stsk(self_private_key);
1556 if (self_private_key_blob.size == 0) {
1557 LOGE("Convert key alias for private key to blob failed");
1558 return error_code;
1559 }
1560
1561 struct HksBlob peer_public_key_blob = convert_to_blob_from_stpk(peer_public_key);
1562 if (peer_public_key_blob.size == 0) {
1563 LOGE("Convert key alias for peer public key to blob failed");
1564 return error_code;
1565 }
1566
1567 struct HksParamSet *param_set = NULL;
1568 int32_t hks_status = gen_agreed_key_param_set(¶m_set);
1569 if (hks_status != ERROR_CODE_SUCCESS) {
1570 LOGE("gen agreed key param set failed! status:%d", hks_status);
1571 return error_code;
1572 }
1573
1574 struct HksBlob key_alias_for_agreed_key = { HC_STS_SHARED_SECRET_LENGTH, out_shared_key->sts_shared_secret };
1575 hks_status = HksAgreeKey(param_set, &self_private_key_blob, &peer_public_key_blob, &key_alias_for_agreed_key);
1576 if ((hks_status == 0) && (key_alias_for_agreed_key.size == HC_STS_SHARED_SECRET_LENGTH)) {
1577 out_shared_key->length = key_alias_for_agreed_key.size;
1578 error_code = ERROR_CODE_SUCCESS;
1579 } else {
1580 LOGE("Key agreement by alias failed, status:%d", hks_status);
1581 }
1582 return error_code;
1583 }
1584
key_info_init(void)1585 int32_t key_info_init(void)
1586 {
1587 int32_t ret = HksInitialize();
1588 if (ret == HKS_SUCCESS) {
1589 return ERROR_CODE_SUCCESS;
1590 }
1591
1592 if ((ret != HKS_ERROR_INVALID_KEY_FILE) && (ret != HKS_ERROR_CRYPTO_ENGINE_ERROR) &&
1593 (ret != HKS_ERROR_UPDATE_ROOT_KEY_MATERIAL_FAIL)) {
1594 LOGE("Hks: Init hks failed, ret: %d", ret);
1595 return ERROR_CODE_FAILED;
1596 }
1597
1598 DBG_OUT("Hks: The local hks file needs to be refreshed!");
1599 LOGI("Start to delete local database file!");
1600 ret = HksRefreshKeyInfo();
1601 if (ret != HKS_SUCCESS) {
1602 LOGE("Hks: HksRefreshKeyInfo failed, ret:%d", ret);
1603 return ERROR_CODE_FAILED;
1604 }
1605 ret = HksInitialize();
1606 if (ret != HKS_SUCCESS) {
1607 LOGE("Hks: Init hks failed, ret:%d", ret);
1608 return ERROR_CODE_FAILED;
1609 }
1610 return ERROR_CODE_SUCCESS;
1611 }