1 /*
2 * Copyright (c) 2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "x509_cert_chain_openssl_ex.h"
17
18 #include "certificate_openssl_class.h"
19 #include "certificate_openssl_common.h"
20 #include "cf_blob.h"
21 #include "cf_log.h"
22 #include "cf_memory.h"
23 #include "cf_result.h"
24 #include "utils.h"
25 #include "x509_cert_chain_spi.h"
26
27 #define X509_CERT_CHAIN_OPENSSL_CLASS "X509CertChainOpensslClass"
28
GetX509CertChainClass(void)29 const char *GetX509CertChainClass(void)
30 {
31 return X509_CERT_CHAIN_OPENSSL_CLASS;
32 }
33
CfToString(HcfX509CertChainSpi * self,CfBlob * out)34 CfResult CfToString(HcfX509CertChainSpi *self, CfBlob *out)
35 {
36 if ((self == NULL) || (out == NULL)) {
37 LOGE("The input data is null!");
38 return CF_INVALID_PARAMS;
39 }
40 if (!CfIsClassMatch((CfObjectBase *)self, GetX509CertChainClass())) {
41 LOGE("Input wrong class type!");
42 return CF_INVALID_PARAMS;
43 }
44
45 HcfX509CertChainOpensslImpl *certChain = (HcfX509CertChainOpensslImpl *)self;
46 STACK_OF(X509) *x509CertChain = certChain->x509CertChain;
47
48 int32_t certsNum = sk_X509_num(x509CertChain);
49 BIO *bio = BIO_new(BIO_s_mem());
50 if (bio == NULL) {
51 LOGE("BIO_new error");
52 return CF_ERR_MALLOC;
53 }
54 for (int32_t i = 0; i < certsNum; ++i) {
55 X509 *cert = sk_X509_value(x509CertChain, i);
56 int len = X509_print(bio, cert);
57 if (len <= 0) {
58 LOGE("X509_print error");
59 BIO_free(bio);
60 return CF_ERR_CRYPTO_OPERATION;
61 }
62 }
63 BUF_MEM *bufMem = NULL;
64 if (BIO_get_mem_ptr(bio, &bufMem) > 0 && bufMem != NULL) {
65 CfResult res = DeepCopyDataToOut(bufMem->data, bufMem->length, out);
66 BIO_free(bio);
67 return res;
68 }
69
70 BIO_free(bio);
71 LOGE("BIO_get_mem_ptr error");
72 return CF_ERR_CRYPTO_OPERATION;
73 }
74
CfHashCode(HcfX509CertChainSpi * self,CfBlob * out)75 CfResult CfHashCode(HcfX509CertChainSpi *self, CfBlob *out)
76 {
77 if ((self == NULL) || (out == NULL)) {
78 LOGE("The input data is null!");
79 return CF_INVALID_PARAMS;
80 }
81 if (!CfIsClassMatch((CfObjectBase *)self, GetX509CertChainClass())) {
82 LOGE("Input wrong class type!");
83 return CF_INVALID_PARAMS;
84 }
85
86 HcfX509CertChainOpensslImpl *certChain = (HcfX509CertChainOpensslImpl *)self;
87 STACK_OF(X509) *x509CertChain = certChain->x509CertChain;
88 int32_t certsNum = sk_X509_num(x509CertChain);
89 BIO *bio = BIO_new(BIO_s_mem());
90 if (bio == NULL) {
91 LOGE("BIO_new error");
92 return CF_ERR_MALLOC;
93 }
94 for (int32_t i = 0; i < certsNum; ++i) {
95 X509 *cert = sk_X509_value(x509CertChain, i);
96 int len = i2d_X509_bio(bio, cert);
97 if (len < 0) {
98 LOGE("i2d_X509_bio error");
99 BIO_free(bio);
100 return CF_ERR_CRYPTO_OPERATION;
101 }
102 }
103
104 out->data = (uint8_t *)CfMalloc(SHA256_DIGEST_LENGTH, 0);
105 if (out->data == NULL) {
106 LOGE("CfMalloc error");
107 BIO_free(bio);
108 return CF_ERR_MALLOC;
109 }
110 BUF_MEM *bufMem = NULL;
111 if (BIO_get_mem_ptr(bio, &bufMem) > 0 && bufMem != NULL) {
112 SHA256((unsigned char *)bufMem->data, bufMem->length, out->data);
113 out->size = SHA256_DIGEST_LENGTH;
114 BIO_free(bio);
115 return CF_SUCCESS;
116 }
117
118 BIO_free(bio);
119 CfBlobDataFree(out);
120 LOGE("BIO_get_mem_ptr error");
121 return CF_ERR_CRYPTO_OPERATION;
122 }
123
GetX509FromHcfX509Certificate(const HcfCertificate * cert)124 X509 *GetX509FromHcfX509Certificate(const HcfCertificate *cert)
125 {
126 if (!CfIsClassMatch((CfObjectBase *)cert, HCF_X509_CERTIFICATE_CLASS)) {
127 LOGE("Input wrong openssl class type!");
128 return NULL;
129 }
130 HcfX509CertificateImpl *impl = (HcfX509CertificateImpl *)cert;
131 if (!CfIsClassMatch((CfObjectBase *)(impl->spiObj), X509_CERT_OPENSSL_CLASS)) {
132 LOGE("Input wrong openssl class type!");
133 return NULL;
134 }
135 HcfOpensslX509Cert *realCert = (HcfOpensslX509Cert *)(impl->spiObj);
136
137 return realCert->x509;
138 }
139
FreeCertArrayData(HcfX509CertificateArray * certs)140 static void FreeCertArrayData(HcfX509CertificateArray *certs)
141 {
142 if (certs == NULL || certs->data == NULL) {
143 return;
144 }
145 for (uint32_t i = 0; i < certs->count; ++i) {
146 CfObjDestroy(certs->data[i]);
147 }
148 CF_FREE_PTR(certs->data);
149 certs->count = 0;
150 }
151
GetCertChainFromCollection(const HcfX509CertChainBuildParameters * inParams,STACK_OF (X509)* certStack)152 static CfResult GetCertChainFromCollection(const HcfX509CertChainBuildParameters *inParams, STACK_OF(X509) *certStack)
153 {
154 if (inParams->validateParameters.certCRLCollections == NULL) {
155 LOGE("The input is NULL!");
156 return CF_INVALID_PARAMS;
157 }
158
159 for (uint32_t i = 0; i < inParams->validateParameters.certCRLCollections->count; ++i) {
160 HcfX509CertificateArray retCerts = { NULL, 0 };
161 HcfCertCrlCollection *collection = inParams->validateParameters.certCRLCollections->data[i];
162 CfResult res = collection->selectCerts(collection, &(inParams->certMatchParameters), &retCerts);
163 if (res != CF_SUCCESS) {
164 LOGE("Get mached certs failed!");
165 return res;
166 }
167 for (uint32_t j = 0; j < retCerts.count; ++j) {
168 X509 *cert = GetX509FromHcfX509Certificate((HcfCertificate *)retCerts.data[j]);
169 if (cert == NULL) {
170 LOGE("GetX509Cert from inParams failed!");
171 FreeCertArrayData(&retCerts);
172 return CF_INVALID_PARAMS;
173 }
174
175 X509 *certDup = X509_dup(cert);
176 if (certDup == NULL) {
177 LOGE("Memory allocation failure!");
178 FreeCertArrayData(&retCerts);
179 return CF_ERR_MALLOC;
180 }
181 if (sk_X509_push(certStack, certDup) <= 0) {
182 LOGE("Push cert to SK failed!");
183 X509_free(certDup);
184 FreeCertArrayData(&retCerts);
185 return CF_ERR_CRYPTO_OPERATION;
186 }
187 }
188 FreeCertArrayData(&retCerts);
189 }
190 return CF_SUCCESS;
191 }
192
GetLeafCertsFromCertStack(const HcfX509CertChainBuildParameters * inParams,STACK_OF (X509)* allCerts,STACK_OF (X509)* leafCerts)193 CfResult GetLeafCertsFromCertStack(
194 const HcfX509CertChainBuildParameters *inParams, STACK_OF(X509) *allCerts, STACK_OF(X509) *leafCerts)
195 {
196 CfResult res = GetCertChainFromCollection(inParams, allCerts);
197 if (res != CF_SUCCESS) {
198 LOGE("Error geting certificates from collection.");
199 return res;
200 }
201
202 int allCertsLen = sk_X509_num(allCerts);
203 if (allCertsLen == 0) {
204 LOGE("The num of all certificate from collection is 0.");
205 return CF_INVALID_PARAMS;
206 }
207 for (int i = 0; i < allCertsLen; ++i) {
208 X509 *x509 = sk_X509_value(allCerts, i);
209 if (!CheckIsLeafCert(x509)) {
210 continue;
211 }
212
213 X509 *x = X509_dup(x509);
214 if (x == NULL) {
215 LOGE("Dup the cert failed.");
216 return CF_ERR_CRYPTO_OPERATION;
217 }
218 if (!sk_X509_push(leafCerts, x)) {
219 X509_free(x);
220 LOGE("Push the cert into stack failed.");
221 return CF_ERR_CRYPTO_OPERATION;
222 }
223 }
224
225 if (sk_X509_num(leafCerts) <= 0) {
226 LOGE("The num of leaf certificate is 0.");
227 return CF_INVALID_PARAMS;
228 }
229 return CF_SUCCESS;
230 }
231