1 /*
2  * Copyright (C) 2021 Huawei Device Co., Ltd.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at
6  *
7  *     http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
16 #include "init/trusted_root_ca.h"
17 
18 #include "common/hap_verify_log.h"
19 #include "util/hap_cert_verify_openssl_utils.h"
20 
21 namespace OHOS {
22 namespace Security {
23 namespace Verify {
24 const std::string TrustedRootCa::TRUSTED_ROOT_CA_FILE_PATH = "/system/etc/security/trusted_root_ca.json";
25 const std::string TrustedRootCa::TRUSTED_ROOT_CA_TEST_FILE_PATH = "/system/etc/security/trusted_root_ca_test.json";
26 const std::string OPENHARMONY_CERT = "C=CN, O=OpenHarmony, OU=OpenHarmony Team, CN=OpenHarmony Application Root CA";
27 
GetInstance()28 TrustedRootCa& TrustedRootCa::GetInstance()
29 {
30     static TrustedRootCa singleTrustedRoot;
31     return singleTrustedRoot;
32 }
33 
TrustedRootCa()34 TrustedRootCa::TrustedRootCa() : rootCerts(), rootCertsForTest(), isInit(false), isDebug(false),
35     devMode(DevMode::DEFAULT)
36 {
37 }
38 
~TrustedRootCa()39 TrustedRootCa::~TrustedRootCa()
40 {
41     for (auto rootCert : rootCerts) {
42         X509_free(rootCert.second);
43     }
44     for (auto rootCert : rootCertsForTest) {
45         X509_free(rootCert.second);
46     }
47 }
48 
EnableDebug()49 bool TrustedRootCa::EnableDebug()
50 {
51     if (isDebug) {
52         return true;
53     }
54 
55     isDebug = GetTrustedRootCAFromJson(rootCertsForTest, TRUSTED_ROOT_CA_TEST_FILE_PATH);
56     if (isDebug) {
57         HAPVERIFY_LOG_INFO("parse root certs test success, certs num: %{public}zu", rootCertsForTest.size());
58     }
59     return isDebug;
60 }
61 
DisableDebug()62 void TrustedRootCa::DisableDebug()
63 {
64     isDebug = false;
65     for (auto& rootCert : rootCertsForTest) {
66         X509_free(rootCert.second);
67     }
68     rootCertsForTest.clear();
69 }
70 
SetDevMode(DevMode mode)71 void TrustedRootCa::SetDevMode(DevMode mode)
72 {
73     devMode = mode;
74 }
75 
Init()76 bool TrustedRootCa::Init()
77 {
78     if (isInit) {
79         return true;
80     }
81 
82     isInit = GetTrustedRootCAFromJson(rootCerts, TRUSTED_ROOT_CA_FILE_PATH);
83     if (isInit) {
84         HAPVERIFY_LOG_INFO("parse root certs success, certs num: %{public}zu", rootCerts.size());
85     }
86     return isInit;
87 }
88 
Recovery()89 void TrustedRootCa::Recovery()
90 {
91     for (auto& rootCert : rootCerts) {
92         X509_free(rootCert.second);
93     }
94     rootCerts.clear();
95     isInit = false;
96 }
97 
GetTrustedRootCAFromJson(StringCertMap & rootCertMap,const std::string & filePath)98 bool TrustedRootCa::GetTrustedRootCAFromJson(StringCertMap& rootCertMap, const std::string& filePath)
99 {
100     cJSON* trustedRootCAJson = NULL;
101     std::string errorInfo;
102     if (!JsonParserUtils::ReadTrustedRootCAFromJson(&trustedRootCAJson, filePath, errorInfo)) {
103         HAPVERIFY_LOG_ERROR("get jsonObj from %{public}s failed, because %{public}s",
104             filePath.c_str(), errorInfo.c_str());
105         return false;
106     }
107 
108     JsonMap trustedRootCAJsonMap;
109     JsonParserUtils::ParseJsonToMap(trustedRootCAJson, trustedRootCAJsonMap);
110     for (auto jsonPair : trustedRootCAJsonMap) {
111         X509* cert = HapCertVerifyOpensslUtils::GetX509CertFromPemString(jsonPair.second);
112         if (cert == nullptr) {
113             HAPVERIFY_LOG_ERROR("GetX509CertFromPemString failed, key: %{public}s value: %{public}s",
114                 jsonPair.first.c_str(), jsonPair.second.c_str());
115             cJSON_Delete(trustedRootCAJson);
116             return false;
117         }
118         rootCertMap[jsonPair.first] = cert;
119     }
120 
121     if (rootCertMap.empty()) {
122         HAPVERIFY_LOG_ERROR("no root cert");
123         cJSON_Delete(trustedRootCAJson);
124         return false;
125     }
126     cJSON_Delete(trustedRootCAJson);
127     return true;
128 }
129 
FindMatchedRoot(X509 * caCert)130 X509* TrustedRootCa::FindMatchedRoot(X509* caCert)
131 {
132     if (caCert == nullptr) {
133         return nullptr;
134     }
135 
136     X509* root = FindMatchedRoot(rootCerts, caCert);
137     if (root != nullptr) {
138         return root;
139     }
140 
141     if (isDebug) {
142         HAPVERIFY_LOG_INFO("try to match with test root");
143         root = FindMatchedRoot(rootCertsForTest, caCert);
144     }
145     return root;
146 }
147 
FindMatchedRoot(const StringCertMap & rootCertMap,X509 * caCert)148 X509* TrustedRootCa::FindMatchedRoot(const StringCertMap& rootCertMap, X509* caCert)
149 {
150     for (auto root : rootCertMap) {
151         if (root.first == OPENHARMONY_CERT && devMode == DevMode::NON_DEV) {
152             continue;
153         }
154         if (HapCertVerifyOpensslUtils::X509NameCompare(X509_get_subject_name(root.second),
155             X509_get_issuer_name(caCert)) &&
156             HapCertVerifyOpensslUtils::CertVerify(caCert, root.second)) {
157             return X509_dup(root.second);
158         }
159     }
160     return nullptr;
161 }
162 } // namespace Verify
163 } // namespace Security
164 } // namespace OHOS
165