1 /*
2 * Copyright (c) 2020-2022 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "huks_adapter.h"
17 #include <stdio.h>
18 #include "securec.h"
19 #include "commonutil.h"
20 #include "hks_api.h"
21 #include "hks_param.h"
22 #include "log.h"
23 #include "mem_stat.h"
24 #include "os_account_adapter.h"
25
26 #define X25519_KEY_LEN 256
27 #define ED25519_KEY_LEN 256
28 #define X25519_KEY_PARAM_SET_SIZE 128 /* priv key size: 32, pub key size: 32, add two tag, no larger than 128 */
29 #define DEFAULT_PARAM_SET_OUT_SIZE 1024
30 #define HC_PARAM_CHAIN_LEN 255
31 #define HC_PARAM_KEY_LEN 256
32 #define BITS_PER_BYTE 8
33 #define HC_CCM_NONCE_LEN 7
34
35 #if (defined(_SUPPORT_SEC_CLONE_) || defined(_SUPPORT_SEC_CLONE_SERVER_))
36 static const uint8_t g_factor[] = "hichain_key_enc_key";
37 static const int32_t g_cert_chain_cnt = 4;
38 #endif
39
40 union huks_key_type_union {
41 struct huks_key_type type_struct;
42 uint32_t key_type;
43 };
44
45 #define CREATE_STRUCT(T) \
46 struct T *create_struct_##T(void) \
47 { \
48 struct T *val = (struct T *)MALLOC(sizeof(struct T)); \
49 if (val == NULL) { \
50 return NULL; \
51 } \
52 (void)memset_s(val, sizeof(*val), 0, sizeof(*val)); \
53 return val; \
54 }
55
56 #define CONVERT_TO_BLOB(T, field_name) \
57 struct HksBlob convert_to_blob_from_##T(struct T *val) \
58 { \
59 struct HksBlob hks_blob_val; \
60 (void)memset_s(&hks_blob_val, sizeof(hks_blob_val), 0, sizeof(hks_blob_val)); \
61 check_ptr_return_val(val->field_name, hks_blob_val); \
62 check_num_return_val(val->length, hks_blob_val); \
63 hks_blob_val.data = val->field_name; \
64 hks_blob_val.size = val->length; \
65 return hks_blob_val; \
66 }
67
68 CREATE_STRUCT(hc_key_alias)
69 CREATE_STRUCT(sha256_value)
70 CREATE_STRUCT(uint8_buff)
71
72 CONVERT_TO_BLOB(hc_key_alias, key_alias)
73 CONVERT_TO_BLOB(ltpk, ltpk)
74 CONVERT_TO_BLOB(sha256_value, sha256_value)
75 CONVERT_TO_BLOB(sha512_value, sha512_value)
76 CONVERT_TO_BLOB(signature, signature)
77 CONVERT_TO_BLOB(stpk, stpk)
78 CONVERT_TO_BLOB(stsk, stsk)
79 CONVERT_TO_BLOB(hc_auth_id, auth_id)
80
81 static const uint8_t g_key_type_pairs[HC_MAX_KEY_TYPE_NUM][HC_KEY_TYPE_PAIR_LEN] = {
82 { 0x00, 0x00 }, /* ACCESSOR_PK */
83 { 0x00, 0x01 }, /* CONTROLLER_PK */
84 { 0x00, 0x02 }, /* ed25519 KEYPAIR */
85 { 0x00, 0x03 }, /* KEK, key encryption key, used only by DeviceAuthService */
86 { 0x00, 0x04 }, /* DEK, data encryption key, used only by upper apps */
87 { 0x00, 0x05 }, /* key tmp */
88 { 0x00, 0x06 } /* PSK, preshared key index */
89 };
90
91 static const char *g_large_prime_number_hex_384 =
92 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"\
93 "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"\
94 "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"\
95 "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"\
96 "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"\
97 "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"\
98 "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"\
99 "3995497CEA956AE515D2261898FA051015728E5A8AAAC42DAD33170D04507A33"\
100 "A85521ABDF1CBA64ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7"\
101 "ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6BF12FFA06D98A0864"\
102 "D87602733EC86A64521F2B18177B200CBBE117577A615D6C770988C0BAD946E2"\
103 "08E24FA074E5AB3143DB5BFCE0FD108E4B82D120A93AD2CAFFFFFFFFFFFFFFFF";
104
105 static const char *g_large_prime_number_hex_256 =
106 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"\
107 "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"\
108 "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"\
109 "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"\
110 "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"\
111 "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"\
112 "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"\
113 "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF";
114
hks_hex_string_to_byte(const char * src,uint8_t * dst,uint32_t dst_size)115 static int32_t hks_hex_string_to_byte(const char *src, uint8_t *dst, uint32_t dst_size)
116 {
117 size_t length = strlen(src);
118 if (length % 2 != 0) { /* odd number or not */
119 LOGE("Invalid hex_string length: %zu, even num is expected", length);
120 return ERROR_CODE_FAILED;
121 }
122
123 uint32_t hex_length = length / BYTE_TO_HEX_OPER_LENGTH; /* Calculate hexadecimal length */
124 if (dst_size < hex_length) {
125 LOGE("Invalid dst_size: %u is smaller than hex_length: %u", dst_size, hex_length);
126 return ERROR_CODE_FAILED;
127 }
128
129 uint8_t nibble[2]; /* create an array of two elements */
130 for (uint32_t i = 0; i < hex_length; i++) {
131 nibble[0] = src[i * BYTE_TO_HEX_OPER_LENGTH];
132 nibble[1] = src[i * BYTE_TO_HEX_OPER_LENGTH + 1];
133 for (uint32_t j = 0; j < BYTE_TO_HEX_OPER_LENGTH; j++) { /* iterate through array */
134 if ((nibble[j] <= 'F') && (nibble[j] >= 'A')) {
135 nibble[j] = nibble[j] - 'A' + 10; /* hex conversion */
136 } else if ((nibble[j] <= 'f') && (nibble[j] >= 'a')) {
137 nibble[j] = nibble[j] - 'a' + 10; /* hex conversion */
138 } else if ((nibble[j] >= '0') && (nibble[j] <= '9')) {
139 nibble[j] = nibble[j] - '0';
140 } else {
141 LOGE("Invalid char: [%c] in hex string, [0-9]|[A-F]|[a-f] expected", (char)nibble[j]);
142 return ERROR_CODE_FAILED;
143 }
144 }
145 dst[i] = nibble[0] << 4; /* shift left for filling */
146 dst[i] |= nibble[1];
147 }
148 return ERROR_CODE_SUCCESS;
149 }
150
construct_param_set(struct HksParamSet ** out,const struct HksParam * in_param,const uint32_t in_param_num)151 static int32_t construct_param_set(struct HksParamSet **out, const struct HksParam *in_param,
152 const uint32_t in_param_num)
153 {
154 struct HksParamSet *param_set = NULL;
155 int32_t status = HksInitParamSet(¶m_set);
156 if (status != ERROR_CODE_SUCCESS) {
157 LOGE("init param set failed, status=%d", status);
158 return ERROR_CODE_INIT_PARAM_SET;
159 }
160
161 status = HksAddParams(param_set, in_param, in_param_num);
162 if (status != ERROR_CODE_SUCCESS) {
163 LOGE("add digest param failed, status=%d", status);
164 HksFreeParamSet(¶m_set);
165 return ERROR_CODE_ADD_PARAM;
166 }
167
168 status = HksBuildParamSet(¶m_set);
169 if (status != ERROR_CODE_SUCCESS) {
170 LOGE("build param set failed, status=%d", status);
171 HksFreeParamSet(¶m_set);
172 return ERROR_CODE_BUILD_PARAM_SET;
173 }
174
175 *out = param_set;
176 return ERROR_CODE_SUCCESS;
177 }
178
GenerateStorageLevelParamSet(struct HksParamSet ** paramSet)179 static int32_t GenerateStorageLevelParamSet(struct HksParamSet **paramSet)
180 {
181 int32_t userId;
182 int32_t ret = GetFrontUserId(&userId);
183 if (ret != ERROR_CODE_SUCCESS) {
184 LOGE("GetFrontUserId failed");
185 return ERROR_CODE_FAILED;
186 }
187 struct HksParam genParams[] = {
188 {
189 .tag = HKS_TAG_SPECIFIC_USER_ID,
190 .int32Param = userId
191 }, {
192 .tag = HKS_TAG_AUTH_STORAGE_LEVEL,
193 .uint32Param = HKS_AUTH_STORAGE_LEVEL_CE
194 }
195 };
196 return construct_param_set(paramSet, genParams, array_size(genParams));
197 }
198
sha256(const struct uint8_buff * message)199 static struct sha256_value sha256(const struct uint8_buff *message)
200 {
201 struct sha256_value sha256_value;
202 (void)memset_s(&sha256_value, sizeof(sha256_value), 0, sizeof(sha256_value));
203
204 struct HksBlob src_data = { message->length, message->val };
205
206 struct HksBlob hash = { 0, NULL };
207 hash.data = (uint8_t *)MALLOC(HC_SHA256_LEN * sizeof(uint8_t));
208 if (hash.data == NULL) {
209 LOGE("SHA256 malloc failed");
210 return sha256_value;
211 }
212 hash.size = HC_SHA256_LEN;
213
214 struct HksParamSet *param_set = NULL;
215 struct HksParam digest_param[] = {
216 {
217 .tag = HKS_TAG_DIGEST,
218 .uint32Param = HKS_DIGEST_SHA256
219 }
220 };
221 int32_t status = construct_param_set(¶m_set, digest_param, array_size(digest_param));
222 if (status != ERROR_CODE_SUCCESS) {
223 safe_free(hash.data);
224 LOGE("construct param set in the sha256 failed, status=%d", status);
225 return sha256_value;
226 }
227 status = HksHash(param_set, &src_data, &hash);
228 if ((status == 0) && (hash.size == HC_SHA256_LEN)) {
229 (void)memcpy_s(sha256_value.sha256_value, sizeof(sha256_value.sha256_value), hash.data, HC_SHA256_LEN);
230 sha256_value.length = HC_SHA256_LEN;
231 } else {
232 LOGE("SHA256 failed, status=%d", status);
233 sha256_value.length = 0;
234 }
235 safe_free(hash.data);
236 HksFreeParamSet(¶m_set);
237 return sha256_value;
238 }
239
Compare(const uint8_t * a,uint32_t lenA,const uint8_t * b,uint32_t lenB)240 static int32_t Compare(const uint8_t *a, uint32_t lenA, const uint8_t *b, uint32_t lenB)
241 {
242 const uint8_t *tmpA = a;
243 const uint8_t *tmpB = b;
244 uint32_t len = lenA;
245 if (lenA < lenB) {
246 for (uint32_t i = 0; i < lenB - lenA; i++) {
247 if (b[i] > 0) {
248 return 1; // a < b: 1
249 }
250 }
251 tmpA = a;
252 tmpB = b + lenB - lenA;
253 len = lenA;
254 }
255 if (lenA > lenB) {
256 for (uint32_t i = 0; i < lenA - lenB; i++) {
257 if (a[i] > 0) {
258 return -1; // a > b: -1
259 }
260 }
261 tmpA = a + lenA - lenB;
262 tmpB = b;
263 len = lenB;
264 }
265 for (uint32_t i = 0; i < len; i++) {
266 if (*(tmpA + i) > *(tmpB + i)) {
267 return -1;
268 }
269 if (*(tmpA + i) < *(tmpB + i)) {
270 return 1;
271 }
272 }
273 return 0;
274 }
275
CheckDlSpekePublicKey(const struct var_buffer * key,uint32_t bigNumLen)276 int32_t CheckDlSpekePublicKey(const struct var_buffer *key, uint32_t bigNumLen)
277 {
278 if (key == NULL) {
279 LOGE("Param is null.");
280 return HC_INPUT_PTR_NULL;
281 }
282 const char *primeHex = NULL;
283 if (bigNumLen == HC_BIG_PRIME_MAX_LEN_384) {
284 primeHex = g_large_prime_number_hex_384;
285 } else {
286 primeHex = g_large_prime_number_hex_256;
287 }
288 uint8_t min = 1;
289 uint32_t primeLen = strlen(primeHex) / BYTE_TO_HEX_OPER_LENGTH;
290 if (key->length > primeLen) {
291 LOGE("key->length > primeLen.");
292 return HC_INPUT_ERROR;
293 }
294 uint8_t *primeVal = (uint8_t *)MALLOC(primeLen);
295 if (primeVal == NULL) {
296 LOGE("Malloc primeVal failed.");
297 return HC_MALLOC_FAILED;
298 }
299 if (hex_string_to_byte(primeHex, strlen(primeHex), primeVal) != ERROR_CODE_SUCCESS) {
300 LOGE("hex_string_to_byte for prime num failed");
301 FREE(primeVal);
302 return HC_INPUT_ERROR;
303 }
304 /*
305 * P - 1, since the last byte of large prime number must be greater than 1,
306 * do not need to think about borrowing forward
307 */
308 primeVal[primeLen - 1] -= 1;
309 if (Compare(key->data, key->length, &min, sizeof(uint8_t)) >= 0) {
310 LOGE("key <= 1, invalid.");
311 FREE(primeVal);
312 return HC_MEMCPY_ERROR;
313 }
314 if (Compare(key->data, key->length, primeVal, primeLen) <= 0) {
315 LOGE("key >= p - 1, invalid.");
316 FREE(primeVal);
317 return HC_MEMCPY_ERROR;
318 }
319 FREE(primeVal);
320 return HC_OK;
321 }
322
cal_bignum_exp(struct var_buffer * base,struct var_buffer * exp,const uint32_t big_num_len,struct big_num * out_result)323 int32_t cal_bignum_exp(struct var_buffer *base, struct var_buffer *exp,
324 const uint32_t big_num_len, struct big_num *out_result)
325 {
326 check_ptr_return_val(base, HC_INPUT_ERROR);
327 check_ptr_return_val(exp, HC_INPUT_ERROR);
328 check_ptr_return_val(out_result, HC_INPUT_ERROR);
329
330 if ((big_num_len != HC_BIG_PRIME_MAX_LEN_384) && (big_num_len != HC_BIG_PRIME_MAX_LEN_256)) {
331 LOGE("Not support big number len %d", big_num_len);
332 return HC_LARGE_PRIME_NUMBER_LEN_UNSUPPORT;
333 }
334
335 struct HksBlob big_num_a = { base->length, base->data };
336 struct HksBlob big_num_e = { exp->length, exp->data };
337
338 uint8_t *large_num = (uint8_t *)MALLOC(big_num_len);
339 if (large_num == NULL) {
340 LOGE("Malloc big num buff fail");
341 return ERROR_CODE_FAILED;
342 }
343
344 (void)memset_s(large_num, big_num_len, 0, big_num_len);
345 int32_t status;
346
347 if (big_num_len == HC_BIG_PRIME_MAX_LEN_384) {
348 status = hks_hex_string_to_byte(g_large_prime_number_hex_384, large_num, big_num_len);
349 } else {
350 status = hks_hex_string_to_byte(g_large_prime_number_hex_256, large_num, big_num_len);
351 }
352 if (status != ERROR_CODE_SUCCESS) {
353 FREE(large_num);
354 return ERROR_CODE_FAILED;
355 }
356
357 struct HksBlob big_num_n = { big_num_len, large_num };
358 struct HksBlob big_num_x = { big_num_len, out_result->big_num };
359 if (big_num_len > sizeof(out_result->big_num)) {
360 LOGE("The big num array is shorter than the expected output len.");
361 FREE(large_num);
362 return ERROR_CODE_FAILED;
363 }
364
365 status = HksBnExpMod(&big_num_x, &big_num_a, &big_num_e, &big_num_n);
366 FREE(large_num);
367 if (status != ERROR_CODE_SUCCESS) {
368 LOGE("Huks bn exp mod error, status=%d", status);
369 return ERROR_CODE_FAILED;
370 }
371 out_result->length = big_num_x.size;
372
373 return ERROR_CODE_SUCCESS;
374 }
375
generate_random(uint32_t length)376 struct random_value generate_random(uint32_t length)
377 {
378 struct random_value rand;
379 (void)memset_s(&rand, sizeof(rand), 0, sizeof(rand));
380 if ((length == 0) || (length > HC_RAMDOM_MAX_LEN)) {
381 LOGE("Generate random failed, invalid param length: %d", length);
382 return rand;
383 }
384
385 struct HksBlob hks_rand = { length, rand.random_value };
386 int32_t status = HksGenerateRandom(NULL, &hks_rand);
387 if (status == ERROR_CODE_SUCCESS) {
388 rand.length = hks_rand.size;
389 } else {
390 LOGE("Huks generate random failed, status: %d", status);
391 }
392
393 return rand;
394 }
395
compute_hmac(struct var_buffer * key,const struct uint8_buff * message,struct hmac * out_hmac)396 int32_t compute_hmac(struct var_buffer *key, const struct uint8_buff *message, struct hmac *out_hmac)
397 {
398 check_ptr_return_val(key, HC_INPUT_ERROR);
399 check_ptr_return_val(message, HC_INPUT_ERROR);
400 check_ptr_return_val(out_hmac, HC_INPUT_ERROR);
401
402 struct HksBlob hks_key = { key->length, key->data };
403 struct HksBlob src_data = { message->length, message->val };
404 struct HksBlob output = { HC_HMAC_LEN, out_hmac->hmac };
405 struct HksParamSet *param_set = NULL;
406
407 int32_t userId;
408 int32_t ret = GetFrontUserId(&userId);
409 if (ret != ERROR_CODE_SUCCESS) {
410 LOGE("GetFrontUserId failed");
411 return ERROR_CODE_FAILED;
412 }
413 struct HksParam hmac_param[] = {
414 {
415 .tag = HKS_TAG_PURPOSE,
416 .uint32Param = HKS_KEY_PURPOSE_MAC
417 }, {
418 .tag = HKS_TAG_DIGEST,
419 .uint32Param = HKS_DIGEST_SHA256
420 }, {
421 .tag = HKS_TAG_IS_KEY_ALIAS, /* temporary key, is_key_alias is set to false determined using REE for MAC */
422 .boolParam = false
423 }, {
424 .tag = HKS_TAG_SPECIFIC_USER_ID,
425 .int32Param = userId
426 }, {
427 .tag = HKS_TAG_AUTH_STORAGE_LEVEL,
428 .uint32Param = HKS_AUTH_STORAGE_LEVEL_CE
429 }
430 };
431 int32_t status = construct_param_set(¶m_set, hmac_param, array_size(hmac_param));
432 if (status != ERROR_CODE_SUCCESS) {
433 LOGE("construct HMAC param set failed, status=%d", status);
434 return ERROR_CODE_BUILD_PARAM_SET;
435 }
436
437 /* make hmac */
438 status = HksMac(&hks_key, param_set, &src_data, &output);
439 if (status != ERROR_CODE_SUCCESS) {
440 LOGE("Huks hmac failed, status: %d", status);
441 HksFreeParamSet(¶m_set);
442 return ERROR_CODE_FAILED;
443 }
444 out_hmac->length = output.size;
445 HksFreeParamSet(¶m_set);
446
447 return ERROR_CODE_SUCCESS;
448 }
449
compute_hkdf(struct var_buffer * shared_secret,struct hc_salt * salt,char * key_info,uint32_t hkdf_len,struct var_buffer * out_hkdf)450 int32_t compute_hkdf(struct var_buffer *shared_secret, struct hc_salt *salt,
451 char *key_info, uint32_t hkdf_len, struct var_buffer *out_hkdf)
452 {
453 check_ptr_return_val(shared_secret, HC_INPUT_ERROR);
454 check_ptr_return_val(salt, HC_INPUT_ERROR);
455 check_ptr_return_val(out_hkdf, HC_INPUT_ERROR);
456 check_ptr_return_val(key_info, HC_INPUT_ERROR);
457
458 struct HksBlob derived_key = { hkdf_len, out_hkdf->data };
459 struct HksBlob hks_salt = { salt->length, salt->salt };
460 struct HksBlob hks_key_info = { (uint32_t)strlen(key_info), (uint8_t *)key_info };
461
462 /* original key */
463 struct HksBlob kdf_key = { shared_secret->length, shared_secret->data };
464
465 int32_t userId;
466 int32_t ret = GetFrontUserId(&userId);
467 if (ret != ERROR_CODE_SUCCESS) {
468 LOGE("GetFrontUserId failed");
469 return ERROR_CODE_FAILED;
470 }
471 /* derived key param */
472 struct HksParamSet *param_set = NULL;
473 struct HksParam hkdf_param[] = {
474 { .tag = HKS_TAG_PURPOSE, .uint32Param = HKS_KEY_PURPOSE_DERIVE },
475 { .tag = HKS_TAG_ALGORITHM, .uint32Param = HKS_ALG_HKDF },
476 { .tag = HKS_TAG_DIGEST, .uint32Param = HKS_DIGEST_SHA256 },
477 { .tag = HKS_TAG_SALT, .blob = hks_salt },
478 { .tag = HKS_TAG_INFO, .blob = hks_key_info },
479 { .tag = HKS_TAG_IS_KEY_ALIAS, .boolParam = false },
480 { .tag = HKS_TAG_SPECIFIC_USER_ID, .int32Param = userId },
481 { .tag = HKS_TAG_AUTH_STORAGE_LEVEL, .uint32Param = HKS_AUTH_STORAGE_LEVEL_CE }
482 };
483 int32_t status = construct_param_set(¶m_set, hkdf_param, array_size(hkdf_param));
484 if (status != ERROR_CODE_SUCCESS) {
485 LOGE("construct hkdf param set failed, status=%d", status);
486 return ERROR_CODE_BUILD_PARAM_SET;
487 }
488
489 /* make hkdf */
490 status = HksDeriveKey(param_set, &kdf_key, &derived_key);
491 if (status != ERROR_CODE_SUCCESS) {
492 LOGE("Huks key derivation failed, status: %d", status);
493 HksFreeParamSet(¶m_set);
494 return ERROR_CODE_FAILED;
495 }
496 out_hkdf->length = derived_key.size;
497
498 HksFreeParamSet(¶m_set);
499 return ERROR_CODE_SUCCESS;
500 }
501
init_aes_gcm_encrypt_param_set(struct HksParamSet ** param_set,struct random_value * nonce,struct aes_aad * aad,uint32_t key_byte_size)502 static int32_t init_aes_gcm_encrypt_param_set(struct HksParamSet **param_set,
503 struct random_value *nonce, struct aes_aad *aad, uint32_t key_byte_size)
504 {
505 int32_t userId;
506 int32_t ret = GetFrontUserId(&userId);
507 if (ret != ERROR_CODE_SUCCESS) {
508 LOGE("GetFrontUserId failed");
509 return ERROR_CODE_FAILED;
510 }
511 struct HksParam encrypt_param[] = {
512 {
513 .tag = HKS_TAG_PURPOSE,
514 .uint32Param = HKS_KEY_PURPOSE_ENCRYPT
515 }, {
516 .tag = HKS_TAG_ALGORITHM,
517 .uint32Param = HKS_ALG_AES
518 }, {
519 .tag = HKS_TAG_BLOCK_MODE,
520 .uint32Param = HKS_MODE_GCM
521 }, {
522 .tag = HKS_TAG_PADDING,
523 .uint32Param = HKS_PADDING_NONE
524 }, {
525 .tag = HKS_TAG_NONCE,
526 .blob = { nonce->length, nonce->random_value }
527 }, {
528 .tag = HKS_TAG_ASSOCIATED_DATA,
529 .blob = { aad->length, aad->aad }
530 }, {
531 .tag = HKS_TAG_IS_KEY_ALIAS,
532 .boolParam = false
533 }, {
534 .tag = HKS_TAG_KEY_SIZE,
535 .uint32Param = key_byte_size * BITS_PER_BYTE
536 }, {
537 .tag = HKS_TAG_SPECIFIC_USER_ID,
538 .int32Param = userId
539 }, {
540 .tag = HKS_TAG_AUTH_STORAGE_LEVEL,
541 .uint32Param = HKS_AUTH_STORAGE_LEVEL_CE
542 }
543 };
544
545 return construct_param_set(param_set, encrypt_param, array_size(encrypt_param));
546 }
547
aes_gcm_encrypt(struct var_buffer * key,const struct uint8_buff * plain,struct aes_aad * aad,struct uint8_buff * out_cipher)548 int32_t aes_gcm_encrypt(struct var_buffer *key, const struct uint8_buff *plain,
549 struct aes_aad *aad, struct uint8_buff *out_cipher)
550 {
551 check_ptr_return_val(key, HC_INPUT_ERROR);
552 check_ptr_return_val(plain, HC_INPUT_ERROR);
553 check_ptr_return_val(aad, HC_INPUT_ERROR);
554 check_ptr_return_val(out_cipher, HC_INPUT_ERROR);
555 struct random_value nonce = generate_random(HC_AES_GCM_NONCE_LEN);
556 if (nonce.length == 0) {
557 LOGE("Generate random to make nonce failed");
558 return HC_GEN_RANDOM_FAILED;
559 }
560
561 struct HksBlob hks_key = { key->length, key->data };
562 struct HksBlob hks_plain_text = { plain->length, plain->val };
563
564 if (memcpy_s(out_cipher->val, out_cipher->size, nonce.random_value, nonce.length) != EOK) {
565 LOGE("memcpy nonce fail");
566 return ERROR_CODE_FAILED;
567 }
568
569 struct HksBlob tag_cipher = { out_cipher->size - nonce.length, out_cipher->val + nonce.length };
570 struct HksParamSet *param_set = NULL;
571 int32_t status = init_aes_gcm_encrypt_param_set(¶m_set, &nonce, aad, hks_key.size);
572 if (status != ERROR_CODE_SUCCESS) {
573 LOGE("init encrypt param set failed, status=%d", status);
574 return ERROR_CODE_BUILD_PARAM_SET;
575 }
576
577 status = HksEncrypt(&hks_key, param_set, &hks_plain_text, &tag_cipher);
578 if (status != ERROR_CODE_SUCCESS) {
579 LOGE("Huks aead encrypt error, status: %d", status);
580 HksFreeParamSet(¶m_set);
581 return ERROR_CODE_FAILED;
582 }
583
584 out_cipher->length = tag_cipher.size + nonce.length;
585 HksFreeParamSet(¶m_set);
586 return ERROR_CODE_SUCCESS;
587 }
588
init_aes_gcm_decrypt_param_set(struct HksParamSet ** param_set,const struct uint8_buff * cipher,struct aes_aad * aad,uint32_t key_byte_size)589 static int32_t init_aes_gcm_decrypt_param_set(struct HksParamSet **param_set,
590 const struct uint8_buff *cipher, struct aes_aad *aad, uint32_t key_byte_size)
591 {
592 int32_t userId;
593 int32_t ret = GetFrontUserId(&userId);
594 if (ret != ERROR_CODE_SUCCESS) {
595 LOGE("GetFrontUserId failed");
596 return ERROR_CODE_FAILED;
597 }
598 struct HksParam decrypt_param[] = {
599 {
600 .tag = HKS_TAG_PURPOSE,
601 .uint32Param = HKS_KEY_PURPOSE_DECRYPT
602 }, {
603 .tag = HKS_TAG_ALGORITHM,
604 .uint32Param = HKS_ALG_AES
605 }, {
606 .tag = HKS_TAG_BLOCK_MODE,
607 .uint32Param = HKS_MODE_GCM
608 }, {
609 .tag = HKS_TAG_PADDING,
610 .uint32Param = HKS_PADDING_NONE
611 }, {
612 .tag = HKS_TAG_NONCE,
613 .blob = { HC_AES_GCM_NONCE_LEN, cipher->val }
614 }, {
615 .tag = HKS_TAG_ASSOCIATED_DATA,
616 .blob = { aad->length, aad->aad }
617 }, {
618 .tag = HKS_TAG_IS_KEY_ALIAS,
619 .boolParam = false
620 }, {
621 .tag = HKS_TAG_KEY_SIZE,
622 .uint32Param = key_byte_size * BITS_PER_BYTE
623 }, {
624 .tag = HKS_TAG_SPECIFIC_USER_ID,
625 .int32Param = userId
626 }, {
627 .tag = HKS_TAG_AUTH_STORAGE_LEVEL,
628 .uint32Param = HKS_AUTH_STORAGE_LEVEL_CE
629 }
630 };
631
632 return construct_param_set(param_set, decrypt_param, array_size(decrypt_param));
633 }
634
aes_gcm_decrypt(struct var_buffer * key,const struct uint8_buff * cipher,struct aes_aad * aad,struct uint8_buff * out_plain)635 int32_t aes_gcm_decrypt(struct var_buffer *key, const struct uint8_buff *cipher,
636 struct aes_aad *aad, struct uint8_buff *out_plain)
637 {
638 check_ptr_return_val(key, HC_INPUT_ERROR);
639 check_ptr_return_val(cipher, HC_INPUT_ERROR);
640 check_ptr_return_val(aad, HC_INPUT_ERROR);
641 check_ptr_return_val(out_plain, HC_INPUT_ERROR);
642
643 if (cipher->length < HC_AES_GCM_NONCE_LEN) {
644 LOGE("Cipher length is short than nonce max length");
645 return ERROR_CODE_FAILED;
646 }
647
648 struct HksBlob hks_key = { key->length, key->data };
649 struct HksBlob nonce_blob = { HC_AES_GCM_NONCE_LEN, cipher->val };
650 struct HksBlob cipher_text_with_tag = { cipher->length - nonce_blob.size, cipher->val + nonce_blob.size };
651 struct HksBlob plain_text = { 0, NULL };
652
653 plain_text.data = (uint8_t *)MALLOC(cipher_text_with_tag.size - HKS_AE_TAG_LEN);
654 check_ptr_return_val(plain_text.data, ERROR_CODE_FAILED);
655 plain_text.size = cipher_text_with_tag.size - HKS_AE_TAG_LEN;
656
657 struct HksParamSet *param_set = NULL;
658 int32_t status = init_aes_gcm_decrypt_param_set(¶m_set, cipher, aad, hks_key.size);
659 if (status != ERROR_CODE_SUCCESS) {
660 LOGE("init encrypt param set failed, status=%d", status);
661 safe_free(plain_text.data);
662 return ERROR_CODE_BUILD_PARAM_SET;
663 }
664
665 status = HksDecrypt(&hks_key, param_set, &cipher_text_with_tag, &plain_text);
666 if (status != ERROR_CODE_SUCCESS) {
667 LOGE("Huks aead decrypt failed, status: %d", status);
668 safe_free(plain_text.data);
669 HksFreeParamSet(¶m_set);
670 return ERROR_CODE_FAILED;
671 }
672
673 if (memcpy_s(out_plain->val, out_plain->size, plain_text.data, plain_text.size) != EOK) {
674 safe_free(plain_text.data);
675 HksFreeParamSet(¶m_set);
676 return ERROR_CODE_FAILED;
677 }
678 out_plain->length = plain_text.size;
679
680 safe_free(plain_text.data);
681 HksFreeParamSet(¶m_set);
682 return status;
683 }
684
generate_service_id(const struct session_identity * identity)685 struct service_id generate_service_id(const struct session_identity *identity)
686 {
687 struct service_id service_id;
688 (void)memset_s(&service_id, sizeof(service_id), 0, sizeof(service_id));
689 if (identity == NULL) {
690 LOGE("Input is null");
691 return service_id;
692 }
693
694 uint32_t pack_name_len = identity->package_name.length;
695 if ((pack_name_len == 0) || (pack_name_len > HC_PACKAGE_NAME_BUFF_LEN)) {
696 LOGE("Pack name length is: %u", pack_name_len);
697 return service_id;
698 }
699 uint32_t type_len = identity->service_type.length;
700 if ((type_len == 0) || (type_len > HC_SERVICE_TYPE_BUFF_LEN)) {
701 LOGE("Service type length is: %u", type_len);
702 return service_id;
703 }
704 uint32_t srv_len = type_len + pack_name_len;
705 struct uint8_buff id_buff = {
706 .length = srv_len,
707 .size = srv_len
708 };
709
710 id_buff.val = (uint8_t *)MALLOC(srv_len);
711 if (id_buff.val == NULL) {
712 LOGE("Malloc mem failed");
713 return service_id;
714 }
715
716 if (memcpy_s(id_buff.val, srv_len, identity->package_name.name, pack_name_len) != EOK) {
717 LOGE("Copy service id buff failed");
718 safe_free(id_buff.val);
719 return service_id;
720 }
721 if (memcpy_s(id_buff.val + pack_name_len, srv_len - pack_name_len, identity->service_type.type, type_len) != EOK) {
722 LOGE("Copy service id buff failed");
723 safe_free(id_buff.val);
724 return service_id;
725 }
726
727 struct sha256_value srv_sha256 = sha256(&id_buff);
728 safe_free(id_buff.val);
729 id_buff.val = NULL;
730
731 if (srv_sha256.length > 0) {
732 if (memcpy_s(service_id.service_id, HC_SERVICE_ID_BUFF_LEN, srv_sha256.sha256_value, HC_SHA256_LEN) == EOK) {
733 service_id.length = srv_sha256.length;
734 } else {
735 LOGE("Copy hash value failed");
736 }
737 }
738
739 return service_id;
740 }
741
convert_byte_to_hex_string(const uint8_t * byte_array,uint32_t byte_array_size,uint8_t * hex_string,uint32_t out_size)742 static int32_t convert_byte_to_hex_string(const uint8_t *byte_array, uint32_t byte_array_size,
743 uint8_t *hex_string, uint32_t out_size)
744 {
745 int32_t length = 0;
746
747 check_num_return_val(byte_array_size, length);
748 if (out_size < (byte_array_size * BYTE_TO_HEX_OPER_LENGTH)) { /* doubleword, length*2 */
749 return length;
750 }
751 uint32_t hex_str_arr_len = (uint32_t)(out_size + 1);
752 char *hex_str_arr = (char *)MALLOC(hex_str_arr_len);
753 if (hex_str_arr == NULL) {
754 LOGE("Copy hex arr to string failed");
755 return 0;
756 }
757 (void)memset_s(hex_str_arr, hex_str_arr_len, 0, hex_str_arr_len);
758 for (uint32_t i = 0; i < byte_array_size; i++) {
759 if (sprintf_s((char *)(hex_str_arr + length), hex_str_arr_len - length, "%02x", byte_array[i]) < 0) {
760 LOGE("What happened was that the probability was zero"); /* caller perceives memery error, no return */
761 }
762 length += BYTE_TO_HEX_OPER_LENGTH; /* doubleword, length increases 2 each time */
763 }
764 if (memcpy_s(hex_string, out_size, hex_str_arr, length) != EOK) {
765 LOGE("Copy hex arr to string failed");
766 length = 0;
767 }
768
769 safe_free(hex_str_arr);
770 hex_str_arr = NULL;
771 return length;
772 }
773
generate_key_alias(const struct service_id * service_id,const struct hc_auth_id * auth_id,enum huks_key_alias_type key_type)774 struct hc_key_alias generate_key_alias(const struct service_id *service_id,
775 const struct hc_auth_id *auth_id, enum huks_key_alias_type key_type)
776 {
777 struct hc_key_alias temp_alias;
778 (void)memset_s(&temp_alias, sizeof(temp_alias), 0, sizeof(temp_alias));
779 check_ptr_return_val(service_id, temp_alias);
780 check_ptr_return_val(auth_id, temp_alias);
781 if (key_type >= HC_MAX_KEY_TYPE_NUM) {
782 LOGE("Invalid user type");
783 return temp_alias;
784 }
785 if (service_id->length > HC_SERVICE_ID_BUFF_LEN) {
786 LOGE("service_id length is error");
787 return temp_alias;
788 }
789 if (auth_id->length > HC_AUTH_ID_BUFF_LEN) {
790 LOGE("auth_id length is error");
791 return temp_alias;
792 }
793
794 uint32_t key_type_pair_size = HC_KEY_TYPE_PAIR_LEN;
795 const uint8_t *key_type_pair = g_key_type_pairs[key_type];
796 uint32_t total_len = service_id->length + auth_id->length + key_type_pair_size;
797 struct uint8_buff key_alias_buff;
798
799 (void)memset_s(&key_alias_buff, sizeof(key_alias_buff), 0, sizeof(key_alias_buff));
800 key_alias_buff.val = (uint8_t *)MALLOC(total_len + 1);
801 if (key_alias_buff.val == NULL) {
802 LOGE("Malloc key alias buff failed");
803 return temp_alias;
804 }
805
806 key_alias_buff.size = total_len + 1; /* one character longer for terminator */
807 key_alias_buff.length = total_len;
808 (void)memset_s(key_alias_buff.val, key_alias_buff.size, 0, key_alias_buff.size);
809 (void)memcpy_s(key_alias_buff.val, key_alias_buff.size, service_id->service_id, service_id->length);
810 (void)memcpy_s(key_alias_buff.val + service_id->length, key_alias_buff.size - service_id->length,
811 key_type_pair, key_type_pair_size);
812 (void)memcpy_s(key_alias_buff.val + service_id->length + key_type_pair_size,
813 key_alias_buff.size - service_id->length - key_type_pair_size,
814 auth_id->auth_id, auth_id->length);
815
816 struct hc_key_alias key_alias;
817 (void)memset_s(&key_alias, sizeof(key_alias), 0, sizeof(key_alias));
818 struct sha256_value alias_sha256 = sha256(&key_alias_buff);
819
820 safe_free(key_alias_buff.val);
821 key_alias_buff.val = NULL;
822 if (alias_sha256.length > 0) {
823 int32_t length = convert_byte_to_hex_string(alias_sha256.sha256_value, alias_sha256.length,
824 key_alias.key_alias, HC_KEY_ALIAS_MAX_LEN);
825 key_alias.length = (uint32_t)length;
826 }
827 return key_alias;
828 }
829
init_x25519_generate_key_input_param_set(struct HksParamSet ** input_param_set)830 static int32_t init_x25519_generate_key_input_param_set(struct HksParamSet **input_param_set)
831 {
832 int32_t userId;
833 int32_t ret = GetFrontUserId(&userId);
834 if (ret != ERROR_CODE_SUCCESS) {
835 LOGE("GetFrontUserId failed");
836 return ERROR_CODE_FAILED;
837 }
838 struct HksParam key_param[] = {
839 {
840 .tag = HKS_TAG_KEY_STORAGE_FLAG,
841 .uint32Param = HKS_STORAGE_TEMP
842 }, {
843 .tag = HKS_TAG_PURPOSE,
844 .uint32Param = HKS_KEY_PURPOSE_SIGN | HKS_KEY_PURPOSE_VERIFY
845 }, {
846 .tag = HKS_TAG_ALGORITHM,
847 .uint32Param = HKS_ALG_X25519
848 }, {
849 .tag = HKS_TAG_KEY_SIZE,
850 .uint32Param = X25519_KEY_LEN
851 }, {
852 .tag = HKS_TAG_IS_ALLOWED_WRAP,
853 .boolParam = true
854 }, {
855 .tag = HKS_TAG_SPECIFIC_USER_ID,
856 .int32Param = userId
857 }, {
858 .tag = HKS_TAG_AUTH_STORAGE_LEVEL,
859 .uint32Param = HKS_AUTH_STORAGE_LEVEL_CE
860 }
861 };
862
863 int32_t status = construct_param_set(input_param_set, key_param, array_size(key_param));
864 if (status != ERROR_CODE_SUCCESS) {
865 LOGE("construct encrypt param set failed, status=%d", status);
866 return ERROR_CODE_BUILD_PARAM_SET;
867 }
868
869 return ERROR_CODE_SUCCESS;
870 }
871
parse_x25519_output_param_set(struct HksParamSet * output_param_set,struct st_key_pair * out_key_pair)872 static int32_t parse_x25519_output_param_set(struct HksParamSet *output_param_set,
873 struct st_key_pair *out_key_pair)
874 {
875 int32_t status = HksFreshParamSet(output_param_set, false); /* false means fresh by local, not though IPC */
876 if (status != ERROR_CODE_SUCCESS) {
877 LOGE("fresh param set failed, status:%d", status);
878 return ERROR_CODE_FRESH_PARAM_SET;
879 }
880
881 struct HksParam *pub_key_param = NULL;
882 status = HksGetParam(output_param_set, HKS_TAG_ASYMMETRIC_PUBLIC_KEY_DATA, &pub_key_param);
883 if (status != ERROR_CODE_SUCCESS) {
884 LOGE("get pub key from param set failed, status:%d", status);
885 return ERROR_CODE_GET_PUB_KEY_FROM_PARAM_SET;
886 }
887
888 struct HksParam *priv_key_param = NULL;
889 status = HksGetParam(output_param_set, HKS_TAG_ASYMMETRIC_PRIVATE_KEY_DATA, &priv_key_param);
890 if (status != ERROR_CODE_SUCCESS) {
891 LOGE("get priv key from param set failed, status:%d", status);
892 return ERROR_CODE_GET_PRIV_KEY_FROM_PARAM_SET;
893 }
894
895 if (memcpy_s(out_key_pair->st_public_key.stpk, HC_ST_PUBLIC_KEY_LEN,
896 pub_key_param->blob.data, pub_key_param->blob.size) != EOK) {
897 LOGE("parse x25519 output param set memcpy public key failed!");
898 return ERROR_CODE_FAILED;
899 }
900 out_key_pair->st_public_key.length = pub_key_param->blob.size;
901
902 if (memcpy_s(out_key_pair->st_private_key.stsk, HC_ST_PRIVATE_KEY_LEN,
903 priv_key_param->blob.data, priv_key_param->blob.size) != EOK) {
904 LOGE("parse x25519 output param set memcpy private key failed!");
905 return ERROR_CODE_FAILED;
906 }
907 out_key_pair->st_private_key.length = priv_key_param->blob.size;
908
909 return ERROR_CODE_SUCCESS;
910 }
911
generate_st_key_pair(struct st_key_pair * out_key_pair)912 int32_t generate_st_key_pair(struct st_key_pair *out_key_pair)
913 {
914 check_ptr_return_val(out_key_pair, HC_INPUT_ERROR);
915 (void)memset_s(out_key_pair, sizeof(*out_key_pair), 0, sizeof(*out_key_pair));
916
917 struct HksParamSet *input_param_set = NULL;
918 int32_t status = init_x25519_generate_key_input_param_set(&input_param_set);
919 if (status != ERROR_CODE_SUCCESS) {
920 LOGE("init x25519 generate key input param set failed! status:%d", status);
921 return status;
922 }
923
924 struct HksParamSet *output_param_set = (struct HksParamSet *)MALLOC(X25519_KEY_PARAM_SET_SIZE);
925 if (output_param_set == NULL) {
926 LOGE("allocate buffer for output param set failed");
927 HksFreeParamSet(&input_param_set);
928 return ERROR_CODE_FAILED;
929 }
930
931 (void)memset_s(output_param_set, X25519_KEY_PARAM_SET_SIZE, 0, X25519_KEY_PARAM_SET_SIZE);
932 output_param_set->paramSetSize = X25519_KEY_PARAM_SET_SIZE;
933
934 do {
935 status = HksGenerateKey(NULL, input_param_set, output_param_set);
936 if (status != ERROR_CODE_SUCCESS) {
937 LOGE("generate x25519 key failed! status:%d", status);
938 status = ERROR_CODE_GENERATE_KEY;
939 break;
940 }
941
942 status = parse_x25519_output_param_set(output_param_set, out_key_pair);
943 if (status != ERROR_CODE_SUCCESS) {
944 LOGE("parse x25519 output param set failed! status:%d", status);
945 break;
946 }
947 } while (0);
948
949 HksFreeParamSet(&input_param_set);
950 safe_free(output_param_set);
951 return status;
952 }
953
generate_lt_key_pair(struct hc_key_alias * key_alias,const struct hc_auth_id * auth_id)954 int32_t generate_lt_key_pair(struct hc_key_alias *key_alias, const struct hc_auth_id *auth_id)
955 {
956 check_ptr_return_val(key_alias, HC_INPUT_ERROR);
957 check_ptr_return_val(auth_id, HC_INPUT_ERROR);
958
959 struct HksBlob key_alias_blob = convert_to_blob_from_hc_key_alias(key_alias);
960 check_num_return_val(key_alias_blob.size, ERROR_CODE_FAILED);
961
962 int32_t userId;
963 int32_t ret = GetFrontUserId(&userId);
964 if (ret != ERROR_CODE_SUCCESS) {
965 LOGE("GetFrontUserId failed");
966 return ERROR_CODE_FAILED;
967 }
968
969 struct hc_auth_id tmp_id = *auth_id;
970 struct HksParamSet *param_set = NULL;
971 struct HksParam key_param[] = {
972 { .tag = HKS_TAG_ALGORITHM, .uint32Param = HKS_ALG_ED25519 },
973 { .tag = HKS_TAG_KEY_STORAGE_FLAG, .uint32Param = HKS_STORAGE_PERSISTENT },
974 { .tag = HKS_TAG_PURPOSE, .uint32Param = HKS_KEY_PURPOSE_SIGN | HKS_KEY_PURPOSE_VERIFY },
975 { .tag = HKS_TAG_KEY_SIZE, .uint32Param = ED25519_KEY_LEN },
976 { .tag = HKS_TAG_PADDING, .uint32Param = HKS_PADDING_NONE },
977 { .tag = HKS_TAG_DIGEST, .uint32Param = HKS_DIGEST_SHA256 },
978 { .tag = HKS_TAG_KEY_AUTH_ID, .blob = convert_to_blob_from_hc_auth_id(&tmp_id) },
979 { .tag = HKS_TAG_IS_ALLOWED_WRAP, .boolParam = true },
980 { .tag = HKS_TAG_SPECIFIC_USER_ID, .int32Param = userId },
981 { .tag = HKS_TAG_AUTH_STORAGE_LEVEL, .uint32Param = HKS_AUTH_STORAGE_LEVEL_CE }
982 };
983
984 int32_t status = construct_param_set(¶m_set, key_param, array_size(key_param));
985 if (status != ERROR_CODE_SUCCESS) {
986 LOGE("construct encrypt param set failed, status=%d", status);
987 return ERROR_CODE_BUILD_PARAM_SET;
988 }
989
990 status = HksGenerateKey(&key_alias_blob, param_set, NULL);
991 if (status != ERROR_CODE_SUCCESS) {
992 LOGE("Hks generate failed, status=%d", status);
993 HksFreeParamSet(¶m_set);
994 return ERROR_CODE_GENERATE_KEY;
995 }
996
997 HksFreeParamSet(¶m_set);
998 return ERROR_CODE_SUCCESS;
999 }
1000
export_lt_public_key(struct hc_key_alias * key_alias,struct ltpk * out_public_key)1001 int32_t export_lt_public_key(struct hc_key_alias *key_alias, struct ltpk *out_public_key)
1002 {
1003 check_ptr_return_val(key_alias, HC_INPUT_ERROR);
1004 check_ptr_return_val(out_public_key, HC_INPUT_ERROR);
1005
1006 struct HksBlob key_alias_blob = convert_to_blob_from_hc_key_alias(key_alias);
1007 check_num_return_val(key_alias_blob.size, ERROR_CODE_FAILED);
1008
1009 struct HksBlob key = { HC_LT_PUBLIC_KEY_LEN, out_public_key->ltpk };
1010 struct HksParamSet *paramSet = NULL;
1011
1012 int32_t status = GenerateStorageLevelParamSet(¶mSet);
1013 if (status != ERROR_CODE_SUCCESS) {
1014 LOGE("generate storage level param set failed, status = %d", status);
1015 return status;
1016 }
1017
1018 int32_t hks_status = HksExportPublicKey(&key_alias_blob, paramSet, &key);
1019 if (hks_status != ERROR_CODE_SUCCESS) {
1020 LOGE("Export public key failed, status=%d", hks_status);
1021 HksFreeParamSet(¶mSet);
1022 return ERROR_CODE_FAILED;
1023 }
1024 out_public_key->length = key.size;
1025 HksFreeParamSet(¶mSet);
1026 return ERROR_CODE_SUCCESS;
1027 }
1028
delete_key(struct hc_key_alias * key_alias)1029 int32_t delete_key(struct hc_key_alias *key_alias)
1030 {
1031 check_ptr_return_val(key_alias, HC_INPUT_ERROR);
1032
1033 struct HksBlob key_alias_blob = convert_to_blob_from_hc_key_alias(key_alias);
1034 check_num_return_val(key_alias_blob.size, ERROR_CODE_FAILED);
1035
1036 struct HksParamSet *paramSet = NULL;
1037 int32_t status = GenerateStorageLevelParamSet(¶mSet);
1038 if (status != ERROR_CODE_SUCCESS) {
1039 LOGE("generate storage level param set failed, status = %d", status);
1040 return status;
1041 }
1042
1043 int32_t hks_status = HksDeleteKey(&key_alias_blob, paramSet);
1044 if (hks_status != ERROR_CODE_SUCCESS) {
1045 LOGE("Delete key failed, status=%d", hks_status);
1046 HksFreeParamSet(¶mSet);
1047 return ERROR_CODE_FAILED;
1048 }
1049
1050 HksFreeParamSet(¶mSet);
1051 return ERROR_CODE_SUCCESS;
1052 }
1053
1054 /*
1055 * delete long time public key
1056 *
1057 * @key_alias: long time public key alias
1058 * @return 0 -- success, others -- failed
1059 */
delete_lt_public_key(struct hc_key_alias * key_alias)1060 int32_t delete_lt_public_key(struct hc_key_alias *key_alias)
1061 {
1062 int32_t hks_status = delete_key(key_alias);
1063 if (hks_status != ERROR_CODE_SUCCESS) {
1064 LOGE("Delete lt public key failed, status=%d", hks_status);
1065 }
1066
1067 return hks_status;
1068 }
1069
init_import_lt_public_key_param_set(struct HksParamSet ** param_set,const int32_t user_type,const int32_t pair_type,struct hc_auth_id * auth_id)1070 static int32_t init_import_lt_public_key_param_set(struct HksParamSet **param_set,
1071 const int32_t user_type, const int32_t pair_type, struct hc_auth_id *auth_id)
1072 {
1073 #if !(defined(_SUPPORT_SEC_CLONE_) || defined(_SUPPORT_SEC_CLONE_SERVER_))
1074 union huks_key_type_union huks_key_type;
1075 huks_key_type.type_struct.user_type = (uint8_t)user_type;
1076 huks_key_type.type_struct.pair_type = (uint8_t)pair_type;
1077 huks_key_type.type_struct.reserved1 = (uint8_t)0;
1078 huks_key_type.type_struct.reserved2 = (uint8_t)0;
1079 #endif
1080
1081 int32_t userId;
1082 int32_t ret = GetFrontUserId(&userId);
1083 if (ret != ERROR_CODE_SUCCESS) {
1084 LOGE("GetFrontUserId failed");
1085 return ERROR_CODE_FAILED;
1086 }
1087 (void)pair_type;
1088 struct HksParam key_param[] = {
1089 { .tag = HKS_TAG_ALGORITHM, .uint32Param = HKS_ALG_ED25519 },
1090 { .tag = HKS_TAG_KEY_SIZE, .uint32Param = ED25519_KEY_LEN },
1091 { .tag = HKS_TAG_PADDING, .uint32Param = HKS_PADDING_NONE },
1092 { .tag = HKS_TAG_DIGEST, .uint32Param = HKS_DIGEST_SHA256 },
1093 { .tag = HKS_TAG_KEY_AUTH_ID, .blob = convert_to_blob_from_hc_auth_id(auth_id) },
1094 { .tag = HKS_TAG_IS_ALLOWED_WRAP, .boolParam = true },
1095 { .tag = HKS_TAG_SPECIFIC_USER_ID, .int32Param = userId },
1096 { .tag = HKS_TAG_AUTH_STORAGE_LEVEL, .uint32Param = HKS_AUTH_STORAGE_LEVEL_CE },
1097 #if (defined(_SUPPORT_SEC_CLONE_) || defined(_SUPPORT_SEC_CLONE_SERVER_))
1098 { .tag = HKS_TAG_PURPOSE, .uint32Param = HKS_KEY_PURPOSE_VERIFY },
1099 { .tag = HKS_TAG_KEY_ROLE, .uint32Param = user_type }
1100 #else
1101 { .tag = HKS_TAG_PURPOSE, .uint32Param = HKS_KEY_PURPOSE_VERIFY },
1102 { .tag = HKS_TAG_KEY_ROLE, .uint32Param = (uint32_t)huks_key_type.key_type }
1103 #endif
1104 };
1105
1106 return construct_param_set(param_set, key_param, array_size(key_param));
1107 }
1108
import_lt_public_key(struct hc_key_alias * key_alias,struct ltpk * peer_public_key,const int32_t user_type,const int32_t pair_type,struct hc_auth_id * auth_id)1109 int32_t import_lt_public_key(struct hc_key_alias *key_alias, struct ltpk *peer_public_key,
1110 const int32_t user_type, const int32_t pair_type, struct hc_auth_id *auth_id)
1111 {
1112 if ((pair_type < 0) || (pair_type >= HC_MAX_PAIR_TYPE_NUM)) {
1113 return HC_INPUT_ERROR;
1114 }
1115 if ((user_type < 0) || (user_type >= HC_MAX_KEY_TYPE_NUM)) {
1116 return HC_INPUT_ERROR;
1117 }
1118 check_ptr_return_val(key_alias, HC_INPUT_ERROR);
1119 check_ptr_return_val(peer_public_key, HC_INPUT_ERROR);
1120 check_ptr_return_val(auth_id, HC_INPUT_ERROR);
1121
1122 struct HksBlob key_alias_blob = convert_to_blob_from_hc_key_alias(key_alias);
1123 if (key_alias_blob.size == 0) {
1124 LOGE("Convert key alias to blob failed");
1125 return ERROR_CODE_FAILED;
1126 }
1127
1128 struct HksBlob ltpk_key_blob = convert_to_blob_from_ltpk(peer_public_key);
1129 if (ltpk_key_blob.size == 0) {
1130 LOGE("Convert ltpk key to blob failed");
1131 return ERROR_CODE_FAILED;
1132 }
1133
1134 struct HksParamSet *param_set = NULL;
1135 int32_t status = init_import_lt_public_key_param_set(¶m_set, user_type, pair_type, auth_id);
1136 if (status != ERROR_CODE_SUCCESS) {
1137 LOGE("init import lt public key input param set failed! status:%d", status);
1138 return status;
1139 }
1140
1141 status = HksImportKey(&key_alias_blob, param_set, <pk_key_blob);
1142
1143 HksFreeParamSet(¶m_set);
1144 return status;
1145 }
1146
check_lt_public_key_exist(struct hc_key_alias * key_alias)1147 int32_t check_lt_public_key_exist(struct hc_key_alias *key_alias)
1148 {
1149 check_ptr_return_val(key_alias, HC_INPUT_ERROR);
1150 check_num_return_val(key_alias->length, HC_INPUT_ERROR);
1151 struct HksBlob key_alias_blob = convert_to_blob_from_hc_key_alias(key_alias);
1152 struct HksParamSet *paramSet = NULL;
1153
1154 int32_t status = GenerateStorageLevelParamSet(¶mSet);
1155 if (status != ERROR_CODE_SUCCESS) {
1156 LOGE("generate storage level param set failed, status = %d", status);
1157 return status;
1158 }
1159
1160 int32_t hks_status = HksKeyExist(&key_alias_blob, paramSet);
1161 if (hks_status == 0) {
1162 HksFreeParamSet(¶mSet);
1163 return ERROR_CODE_SUCCESS;
1164 } else {
1165 LOGI("Check lt public key exist failed, status = %d", hks_status);
1166 HksFreeParamSet(¶mSet);
1167 return ERROR_CODE_FAILED;
1168 }
1169 }
1170
check_key_exist(struct hc_key_alias * key_alias)1171 int32_t check_key_exist(struct hc_key_alias *key_alias)
1172 {
1173 check_ptr_return_val(key_alias, HC_INPUT_ERROR);
1174 check_num_return_val(key_alias->length, HC_INPUT_ERROR);
1175 struct HksBlob key_alias_blob = convert_to_blob_from_hc_key_alias(key_alias);
1176 struct HksParamSet *paramSet = NULL;
1177
1178 int32_t status = GenerateStorageLevelParamSet(¶mSet);
1179 if (status != ERROR_CODE_SUCCESS) {
1180 LOGE("generate storage level param set failed, status = %d", status);
1181 return status;
1182 }
1183 int32_t hks_status = HksKeyExist(&key_alias_blob, paramSet);
1184 if (hks_status == 0) {
1185 HksFreeParamSet(¶mSet);
1186 return ERROR_CODE_SUCCESS;
1187 } else {
1188 LOGI("Check key exist failed, status = %d", hks_status);
1189 HksFreeParamSet(¶mSet);
1190 return ERROR_CODE_FAILED;
1191 }
1192 }
1193
init_key_info_list(struct HksKeyInfo * key_info_list,int32_t len)1194 static int32_t init_key_info_list(struct HksKeyInfo *key_info_list, int32_t len)
1195 {
1196 (void)memset_s(key_info_list, sizeof(struct HksKeyInfo) * len, 0, sizeof(struct HksKeyInfo) * len);
1197 for (int32_t i = 0; i < len; ++i) {
1198 struct HksKeyInfo key_info_tmp;
1199
1200 key_info_tmp.alias.data = (uint8_t *)MALLOC(HC_KEY_ALIAS_MAX_LEN);
1201 if (key_info_tmp.alias.data == NULL) {
1202 LOGE("allocate space for key info alias data failed");
1203 return ERROR_CODE_NO_SPACE;
1204 }
1205 (void)memset_s(key_info_tmp.alias.data, HC_KEY_ALIAS_MAX_LEN, 0, HC_KEY_ALIAS_MAX_LEN);
1206 key_info_tmp.alias.size = HC_KEY_ALIAS_MAX_LEN;
1207
1208 key_info_tmp.paramSet = (struct HksParamSet *)MALLOC(DEFAULT_PARAM_SET_OUT_SIZE);
1209 if (key_info_tmp.paramSet == NULL) {
1210 safe_free(key_info_tmp.alias.data);
1211 key_info_tmp.alias.data = NULL;
1212 LOGE("allocate space for key param set failed");
1213 return ERROR_CODE_NO_SPACE;
1214 }
1215 (void)memset_s(key_info_tmp.paramSet, DEFAULT_PARAM_SET_OUT_SIZE, 0, DEFAULT_PARAM_SET_OUT_SIZE);
1216 key_info_tmp.paramSet->paramSetSize = DEFAULT_PARAM_SET_OUT_SIZE;
1217
1218 key_info_list[i] = key_info_tmp;
1219 }
1220 return 0;
1221 }
1222
inner_get_lt_info_by_key_info(struct HksKeyInfo * key_info,struct huks_key_type * out_key_type,struct hc_auth_id * out_auth_id)1223 static int32_t inner_get_lt_info_by_key_info(struct HksKeyInfo *key_info,
1224 struct huks_key_type *out_key_type, struct hc_auth_id *out_auth_id)
1225 {
1226 union huks_key_type_union key_type_union;
1227 struct HksParam *key_role = NULL;
1228 int32_t status = HksGetParam(key_info->paramSet, HKS_TAG_KEY_ROLE, &key_role);
1229 if (status != ERROR_CODE_SUCCESS) {
1230 LOGE("get key role from param set failed, status:%d", status);
1231 return ERROR_CODE_FAILED;
1232 }
1233
1234 key_type_union.key_type = key_role->uint32Param;
1235 out_key_type->user_type = key_type_union.type_struct.user_type;
1236 out_key_type->pair_type = key_type_union.type_struct.pair_type;
1237 out_key_type->reserved1 = key_type_union.type_struct.reserved1;
1238 out_key_type->reserved2 = key_type_union.type_struct.reserved2;
1239
1240 struct HksParam *auth_id = NULL;
1241 status = HksGetParam(key_info->paramSet, HKS_TAG_KEY_AUTH_ID, &auth_id);
1242 if (status != ERROR_CODE_SUCCESS) {
1243 LOGE("get auth id from param set failed, status:%d", status);
1244 return ERROR_CODE_FAILED;
1245 }
1246
1247 if (memcpy_s(out_auth_id->auth_id, HC_AUTH_ID_BUFF_LEN,
1248 auth_id->blob.data, auth_id->blob.size) != EOK) {
1249 LOGE("Copy key param failed");
1250 return ERROR_CODE_FAILED;
1251 }
1252 out_auth_id->length = auth_id->blob.size;
1253
1254 return status;
1255 }
1256
SetKeyType(union huks_key_type_union keyTypeUnion,struct huks_key_type * outKeyType)1257 static void SetKeyType(union huks_key_type_union keyTypeUnion, struct huks_key_type *outKeyType)
1258 {
1259 outKeyType->user_type = keyTypeUnion.type_struct.user_type;
1260 outKeyType->pair_type = keyTypeUnion.type_struct.pair_type;
1261 outKeyType->reserved1 = keyTypeUnion.type_struct.reserved1;
1262 outKeyType->reserved2 = keyTypeUnion.type_struct.reserved2;
1263 }
1264
inner_get_lt_info_by_key_alias(struct HksBlob * key_alias,struct huks_key_type * out_key_type,struct hc_auth_id * out_auth_id)1265 static int32_t inner_get_lt_info_by_key_alias(struct HksBlob *key_alias,
1266 struct huks_key_type *out_key_type, struct hc_auth_id *out_auth_id)
1267 {
1268 struct HksParamSet *output_param_set = (struct HksParamSet *)MALLOC(DEFAULT_PARAM_SET_OUT_SIZE);
1269 if (output_param_set == NULL) {
1270 LOGE("allocate space for param set out failed");
1271 return ERROR_CODE_FAILED;
1272 }
1273 (void)memset_s(output_param_set, DEFAULT_PARAM_SET_OUT_SIZE, 0, DEFAULT_PARAM_SET_OUT_SIZE);
1274 output_param_set->paramSetSize = DEFAULT_PARAM_SET_OUT_SIZE;
1275
1276 struct HksParamSet *paramSet = NULL;
1277 int32_t status = GenerateStorageLevelParamSet(¶mSet);
1278 if (status != ERROR_CODE_SUCCESS) {
1279 LOGE("generate storage level param set failed, status = %d", status);
1280 safe_free(output_param_set);
1281 return status;
1282 }
1283 status = HksGetKeyParamSet(key_alias, paramSet, output_param_set);
1284 if (status != ERROR_CODE_SUCCESS) {
1285 LOGE("Get huks key param set failed");
1286 goto get_key_info_free;
1287 }
1288 status = HksFreshParamSet(output_param_set, false);
1289 if (status != ERROR_CODE_SUCCESS) {
1290 LOGE("fresh param set failed, status:%d", status);
1291 goto get_key_info_free;
1292 }
1293 struct HksParam *key_role = NULL;
1294 status = HksGetParam(output_param_set, HKS_TAG_KEY_ROLE, &key_role);
1295 if (status != ERROR_CODE_SUCCESS) {
1296 LOGE("get key role from param set failed, status:%d", status);
1297 goto get_key_info_free;
1298 }
1299 union huks_key_type_union key_type_union;
1300 key_type_union.key_type = key_role->uint32Param;
1301 SetKeyType(key_type_union, out_key_type);
1302 struct HksParam *auth_id = NULL;
1303 status = HksGetParam(output_param_set, HKS_TAG_KEY_AUTH_ID, &auth_id);
1304 if (status != ERROR_CODE_SUCCESS) {
1305 LOGE("get auth id from param set failed, status:%d", status);
1306 goto get_key_info_free;
1307 }
1308
1309 if (memcpy_s(out_auth_id->auth_id, HC_AUTH_ID_BUFF_LEN, auth_id->blob.data, auth_id->blob.size) != EOK) {
1310 LOGE("Copy key param failed");
1311 goto get_key_info_free;
1312 }
1313 out_auth_id->length = auth_id->blob.size;
1314
1315 get_key_info_free:
1316 HksFreeParamSet(¶mSet);
1317 safe_free(output_param_set);
1318 return status;
1319 }
1320
get_lt_key_info(struct hc_key_alias * alias,struct huks_key_type * out_key_type,struct hc_auth_id * out_auth_id)1321 int32_t get_lt_key_info(struct hc_key_alias *alias, struct huks_key_type *out_key_type, struct hc_auth_id *out_auth_id)
1322 {
1323 check_ptr_return_val(alias, HC_INPUT_ERROR);
1324 check_ptr_return_val(out_key_type, HC_INPUT_ERROR);
1325 check_ptr_return_val(out_auth_id, HC_INPUT_ERROR);
1326
1327 struct HksBlob alias_blob = convert_to_blob_from_hc_key_alias(alias);
1328 return inner_get_lt_info_by_key_alias(&alias_blob, out_key_type, out_auth_id);
1329 }
1330
check_key_alias_is_owner(struct hc_key_alias * key_alias)1331 int32_t check_key_alias_is_owner(struct hc_key_alias *key_alias)
1332 {
1333 check_ptr_return_val(key_alias, HC_INPUT_ERROR);
1334 check_num_return_val(key_alias->length, HC_INPUT_ERROR);
1335
1336 int32_t error_code = check_lt_public_key_exist(key_alias);
1337 if (error_code != ERROR_CODE_SUCCESS) {
1338 LOGE("Key is not exist");
1339 return error_code;
1340 }
1341
1342 struct huks_key_type key_type;
1343 struct hc_auth_id auth_id;
1344
1345 struct HksBlob key_alias_blob = convert_to_blob_from_hc_key_alias(key_alias);
1346 error_code = inner_get_lt_info_by_key_alias(&key_alias_blob, &key_type, &auth_id);
1347 if (error_code != ERROR_CODE_SUCCESS) {
1348 LOGE("Get key info failed");
1349 return error_code;
1350 }
1351
1352 if (key_type.user_type != (uint8_t)HC_USER_TYPE_CONTROLLER) {
1353 return ERROR_CODE_FAILED;
1354 }
1355 if (key_type.pair_type == (uint8_t)HC_PAIR_TYPE_BIND) {
1356 return ERROR_CODE_SUCCESS;
1357 } else {
1358 return ERROR_CODE_FAILED;
1359 }
1360 }
1361
load_lt_public_key_list(const struct hc_auth_id * owner_id,int32_t trust_user_type,struct HksKeyInfo * key_info_list,uint32_t list_count,struct hc_auth_id * out_auth_list)1362 static uint32_t load_lt_public_key_list(const struct hc_auth_id *owner_id, int32_t trust_user_type,
1363 struct HksKeyInfo *key_info_list, uint32_t list_count, struct hc_auth_id *out_auth_list)
1364 {
1365 uint8_t pair_type = owner_id == NULL ? (uint8_t)HC_PAIR_TYPE_BIND : (uint8_t)HC_PAIR_TYPE_AUTH;
1366 uint8_t user_type = (uint8_t)trust_user_type;
1367 int32_t err_code;
1368 struct huks_key_type key_type;
1369 struct hc_auth_id auth_id;
1370 uint32_t effect_count = 0;
1371
1372 if ((trust_user_type < 0) || (trust_user_type >= HC_MAX_KEY_TYPE_NUM)) {
1373 return effect_count;
1374 }
1375 for (uint32_t i = 0; i < list_count; i++) {
1376 struct HksParam *key_flag_param = NULL;
1377 int32_t status = HksGetParam(key_info_list[i].paramSet, HKS_TAG_KEY_FLAG, &key_flag_param);
1378 if (status != ERROR_CODE_SUCCESS) {
1379 LOGE("get key flag from param set failed, status:%d", status);
1380 return ERROR_CODE_FAILED;
1381 }
1382 if (key_flag_param->uint32Param == HKS_KEY_FLAG_GENERATE_KEY) {
1383 continue;
1384 }
1385 err_code = inner_get_lt_info_by_key_info(&key_info_list[i], &key_type, &auth_id);
1386 if (err_code != ERROR_CODE_SUCCESS) {
1387 continue;
1388 }
1389 if (key_type.user_type != user_type) {
1390 continue;
1391 }
1392 if (user_type == (uint8_t)HC_USER_TYPE_CONTROLLER) {
1393 if (key_type.pair_type != pair_type) {
1394 continue;
1395 }
1396 }
1397 if (memcpy_s(out_auth_list[effect_count].auth_id, HC_AUTH_ID_BUFF_LEN,
1398 auth_id.auth_id, auth_id.length) != EOK) {
1399 LOGE("Copy from temp hc_auth_id to out_auth_list failed");
1400 continue;
1401 }
1402 out_auth_list[effect_count].length = auth_id.length;
1403 effect_count++;
1404 }
1405 return effect_count;
1406 }
1407
get_lt_public_key_list(const struct hc_auth_id * owner_auth_id,int32_t trust_user_type,struct hc_auth_id * out_auth_list,uint32_t * out_count)1408 int32_t get_lt_public_key_list(const struct hc_auth_id *owner_auth_id, int32_t trust_user_type,
1409 struct hc_auth_id *out_auth_list, uint32_t *out_count)
1410 {
1411 check_ptr_return_val(out_auth_list, HC_INPUT_ERROR);
1412 check_ptr_return_val(out_count, HC_INPUT_ERROR);
1413
1414 int32_t error_code = ERROR_CODE_SUCCESS;
1415 struct HksKeyInfo key_info_list[HC_PUB_KEY_ALIAS_MAX_NUM];
1416 int32_t status = init_key_info_list(key_info_list, HC_PUB_KEY_ALIAS_MAX_NUM);
1417 if (status != ERROR_CODE_SUCCESS) {
1418 LOGE("Init key info list failed, status=%d", status);
1419 error_code = ERROR_CODE_FAILED;
1420 goto exit;
1421 }
1422
1423 uint32_t list_count = HC_PUB_KEY_ALIAS_MAX_NUM;
1424 status = HksGetKeyInfoList(NULL, key_info_list, &list_count);
1425 if (status != ERROR_CODE_SUCCESS) {
1426 LOGE("Huks get pub key info list failed, status=%d", status);
1427 error_code = ERROR_CODE_FAILED;
1428 goto exit;
1429 }
1430
1431 /* filter with trust_user_type */
1432 uint32_t effect_count = load_lt_public_key_list(owner_auth_id, trust_user_type, key_info_list,
1433 list_count, out_auth_list);
1434 /* output param */
1435 *out_count = effect_count;
1436
1437 exit:
1438 for (int32_t i = 0; i < HC_PUB_KEY_ALIAS_MAX_NUM; ++i) {
1439 safe_free(key_info_list[i].alias.data);
1440 safe_free(key_info_list[i].paramSet);
1441 }
1442 return error_code;
1443 }
1444
gen_sign_key_param_set(struct HksParamSet ** param_set)1445 static int32_t gen_sign_key_param_set(struct HksParamSet **param_set)
1446 {
1447 int32_t userId;
1448 int32_t ret = GetFrontUserId(&userId);
1449 if (ret != ERROR_CODE_SUCCESS) {
1450 LOGE("GetFrontUserId failed");
1451 return ERROR_CODE_FAILED;
1452 }
1453 struct HksParam params[] = {
1454 {
1455 .tag = HKS_TAG_PURPOSE,
1456 .uint32Param = HKS_KEY_PURPOSE_SIGN /* correspond to old key usage */
1457 }, {
1458 .tag = HKS_TAG_ALGORITHM,
1459 .uint32Param = HKS_ALG_ED25519 /* alg, correspond to old key type */
1460 }, {
1461 .tag = HKS_TAG_PADDING,
1462 .uint32Param = HKS_PADDING_NONE
1463 }, {
1464 .tag = HKS_TAG_DIGEST,
1465 .uint32Param = HKS_DIGEST_SHA256
1466 }, {
1467 .tag = HKS_TAG_SPECIFIC_USER_ID,
1468 .int32Param = userId
1469 }, {
1470 .tag = HKS_TAG_AUTH_STORAGE_LEVEL,
1471 .uint32Param = HKS_AUTH_STORAGE_LEVEL_CE
1472 }
1473 };
1474
1475 int32_t status = construct_param_set(param_set, params, array_size(params));
1476 if (status != ERROR_CODE_SUCCESS) {
1477 LOGE("construct param set for sign failed, status:%d", status);
1478 }
1479
1480 return status;
1481 }
1482
sign(struct hc_key_alias * key_alias,const struct uint8_buff * message,struct signature * out_signature)1483 int32_t sign(struct hc_key_alias *key_alias, const struct uint8_buff *message, struct signature *out_signature)
1484 {
1485 check_ptr_return_val(key_alias, HC_INPUT_ERROR);
1486 check_ptr_return_val(message, HC_INPUT_ERROR);
1487 check_ptr_return_val(out_signature, HC_INPUT_ERROR);
1488 check_num_return_val(key_alias->length, HC_INPUT_ERROR);
1489
1490 struct HksBlob key_alias_blob = convert_to_blob_from_hc_key_alias(key_alias);
1491 if (key_alias_blob.size == 0) {
1492 LOGE("Convert hks key alias to blob failed");
1493 return ERROR_CODE_FAILED;
1494 }
1495
1496 struct sha256_value sha256_value = sha256(message);
1497 if (sha256_value.length == 0) {
1498 LOGE("Get sha256 hash failed");
1499 return ERROR_CODE_FAILED;
1500 }
1501
1502 struct HksBlob hash = convert_to_blob_from_sha256_value(&sha256_value);
1503 if (hash.size == 0) {
1504 LOGE("Convert sha256 hash to blob failed");
1505 return ERROR_CODE_FAILED;
1506 }
1507
1508 struct HksParamSet *key_param_set = NULL;
1509 int32_t hks_status = gen_sign_key_param_set(&key_param_set);
1510 if (hks_status != ERROR_CODE_SUCCESS) {
1511 LOGE("gen sign key param set failed, status:%d", hks_status);
1512 return ERROR_CODE_FAILED;
1513 }
1514
1515 struct HksBlob signature = { HC_SIGNATURE_LEN, out_signature->signature };
1516 hks_status = HksSign(&key_alias_blob, key_param_set, &hash, &signature);
1517 if ((hks_status == ERROR_CODE_SUCCESS) && (signature.size == HC_SIGNATURE_LEN)) {
1518 out_signature->length = HC_SIGNATURE_LEN;
1519 } else {
1520 LOGE("Sign failed, status=%d", hks_status);
1521 hks_status = ERROR_CODE_FAILED;
1522 }
1523
1524 HksFreeParamSet(&key_param_set);
1525 return hks_status;
1526 }
1527
gen_verify_key_param_set(const bool is_keyalias,const uint32_t key_size,const int32_t user_type,struct HksParamSet ** param_set)1528 static int gen_verify_key_param_set(const bool is_keyalias, const uint32_t key_size,
1529 const int32_t user_type, struct HksParamSet **param_set)
1530 {
1531 int32_t userId;
1532 int32_t ret = GetFrontUserId(&userId);
1533 if (ret != ERROR_CODE_SUCCESS) {
1534 LOGE("GetFrontUserId failed");
1535 return ERROR_CODE_FAILED;
1536 }
1537 struct HksParam params[] = {
1538 {
1539 .tag = HKS_TAG_PURPOSE,
1540 .uint32Param = HKS_KEY_PURPOSE_VERIFY
1541 }, {
1542 .tag = HKS_TAG_ALGORITHM,
1543 .uint32Param = HKS_ALG_ED25519
1544 }, {
1545 .tag = HKS_TAG_DIGEST,
1546 .uint32Param = HKS_DIGEST_SHA256
1547 }, {
1548 .tag = HKS_TAG_PADDING,
1549 .uint32Param = HKS_PADDING_NONE
1550 }, {
1551 .tag = HKS_TAG_KEY_ROLE,
1552 .uint32Param = (uint32_t)user_type
1553 }, {
1554 .tag = HKS_TAG_IS_KEY_ALIAS,
1555 .boolParam = is_keyalias
1556 }, {
1557 .tag = HKS_TAG_KEY_SIZE,
1558 .uint32Param = (is_keyalias ? 0 : key_size)
1559 }, {
1560 .tag = HKS_TAG_SPECIFIC_USER_ID,
1561 .int32Param = userId
1562 }, {
1563 .tag = HKS_TAG_AUTH_STORAGE_LEVEL,
1564 .uint32Param = HKS_AUTH_STORAGE_LEVEL_CE
1565 }
1566 };
1567
1568 int32_t status = construct_param_set(param_set, params, array_size(params));
1569 if (status != ERROR_CODE_SUCCESS) {
1570 LOGE("construct param set for verify failed, status:%d", status);
1571 }
1572
1573 return status;
1574 }
1575
verify(struct hc_key_alias * key_alias,const int32_t user_type,const struct uint8_buff * message,struct signature * signature)1576 int32_t verify(struct hc_key_alias *key_alias, const int32_t user_type,
1577 const struct uint8_buff *message, struct signature *signature)
1578 {
1579 check_ptr_return_val(key_alias, HC_INPUT_ERROR);
1580 check_ptr_return_val(message, HC_INPUT_ERROR);
1581 check_ptr_return_val(signature, HC_INPUT_ERROR);
1582 check_num_return_val(key_alias->length, HC_INPUT_ERROR);
1583
1584 int32_t error_code = ERROR_CODE_FAILED;
1585 struct HksBlob key_alias_blob = convert_to_blob_from_hc_key_alias(key_alias);
1586 if (key_alias_blob.size == 0) {
1587 LOGE("Convert hks key alias to blob failed");
1588 return error_code;
1589 }
1590
1591 struct HksBlob signature_blob = convert_to_blob_from_signature(signature);
1592 if (signature_blob.size == 0) {
1593 LOGE("Convert hks signature to blob failed");
1594 return error_code;
1595 }
1596
1597 struct sha256_value sha256_value = sha256(message);
1598 if (sha256_value.length == 0) {
1599 LOGE("Get sha256 hash failed. message val:%s, message length:%d", message->val, message->length);
1600 return error_code;
1601 }
1602
1603 struct HksBlob hash = convert_to_blob_from_sha256_value(&sha256_value);
1604 if (hash.size == 0) {
1605 LOGE("Convert sha256 hash to blob failed");
1606 return error_code;
1607 }
1608
1609 /* true: is key alias, 0: key alias have not key size */
1610 struct HksParamSet *key_param_set = NULL;
1611 int32_t hks_status = gen_verify_key_param_set(true, 0, user_type, &key_param_set);
1612 if (hks_status != ERROR_CODE_SUCCESS) {
1613 LOGE("failed to gen verify key param set, status:%d", hks_status);
1614 return error_code;
1615 }
1616
1617 hks_status = HksVerify(&key_alias_blob, key_param_set, &hash, &signature_blob);
1618 if (hks_status == 0) {
1619 error_code = ERROR_CODE_SUCCESS;
1620 } else {
1621 LOGE("Verify failed. status=%d", hks_status);
1622 if (check_lt_public_key_exist(key_alias) != ERROR_CODE_SUCCESS) {
1623 error_code = ERROR_CODE_NO_PEER_PUBLIC_KEY;
1624 }
1625 }
1626
1627 HksFreeParamSet(&key_param_set);
1628 return error_code;
1629 }
1630
verify_with_public_key(const int32_t user_type,const struct uint8_buff * message,struct var_buffer * public_key,struct signature * signature)1631 int32_t verify_with_public_key(const int32_t user_type, const struct uint8_buff *message,
1632 struct var_buffer *public_key, struct signature *signature)
1633 {
1634 check_ptr_return_val(message, HC_INPUT_ERROR);
1635 check_ptr_return_val(public_key, HC_INPUT_ERROR);
1636 check_ptr_return_val(signature, HC_INPUT_ERROR);
1637
1638 int32_t error_code = ERROR_CODE_FAILED;
1639 struct sha256_value sha256_value = sha256(message);
1640 if (sha256_value.length == 0) {
1641 LOGE("Get sha256 hash failed");
1642 return error_code;
1643 }
1644
1645 struct HksBlob hash = convert_to_blob_from_sha256_value(&sha256_value);
1646 if (hash.size == 0) {
1647 LOGE("Convert sha256 hash to blob failed");
1648 return error_code;
1649 }
1650
1651 struct HksBlob signature_blob = convert_to_blob_from_signature(signature);
1652 if (signature_blob.size == 0) {
1653 LOGE("Convert hks signature to blob failed");
1654 return error_code;
1655 }
1656
1657 struct HksParamSet *key_param_set = NULL;
1658 int32_t hks_status = gen_verify_key_param_set(false, /* false: is public key */
1659 public_key->length * BITS_PER_BYTE, user_type, &key_param_set);
1660 if (hks_status != ERROR_CODE_SUCCESS) {
1661 LOGE("gen verify with public key param set failed, status:%d", hks_status);
1662 return error_code;
1663 }
1664
1665 struct HksBlob public_key_blob = { public_key->length, public_key->data };
1666 hks_status = HksVerify(&public_key_blob, key_param_set, &hash, &signature_blob);
1667 if (hks_status == 0) {
1668 error_code = ERROR_CODE_SUCCESS;
1669 } else {
1670 LOGE("Verify failed, status=%d", hks_status);
1671 error_code = ERROR_CODE_FAILED;
1672 }
1673
1674 HksFreeParamSet(&key_param_set);
1675 return error_code;
1676 }
1677
gen_agreed_key_param_set(struct HksParamSet ** param_set)1678 static int32_t gen_agreed_key_param_set(struct HksParamSet **param_set)
1679 {
1680 int32_t userId;
1681 int32_t ret = GetFrontUserId(&userId);
1682 if (ret != ERROR_CODE_SUCCESS) {
1683 LOGE("GetFrontUserId failed");
1684 return ERROR_CODE_FAILED;
1685 }
1686 struct HksParam params[] = {
1687 {
1688 .tag = HKS_TAG_PURPOSE,
1689 .uint32Param = HKS_KEY_PURPOSE_DERIVE
1690 }, {
1691 .tag = HKS_TAG_ALGORITHM,
1692 .uint32Param = HKS_ALG_X25519
1693 }, {
1694 .tag = HKS_TAG_KEY_SIZE,
1695 .uint32Param = HC_ST_PUBLIC_KEY_LEN * BITS_PER_BYTE
1696 }, {
1697 .tag = HKS_TAG_IS_KEY_ALIAS,
1698 .boolParam = false
1699 }, {
1700 .tag = HKS_TAG_SPECIFIC_USER_ID,
1701 .int32Param = userId
1702 }, {
1703 .tag = HKS_TAG_AUTH_STORAGE_LEVEL,
1704 .uint32Param = HKS_AUTH_STORAGE_LEVEL_CE
1705 }
1706 };
1707
1708 int32_t status = construct_param_set(param_set, params, array_size(params));
1709 if (status != ERROR_CODE_SUCCESS) {
1710 LOGE("construct param set for agreed key failed, status:%d", status);
1711 }
1712
1713 return status;
1714 }
1715
compute_sts_shared_secret(struct stsk * self_private_key,struct stpk * peer_public_key,struct sts_shared_secret * out_shared_key)1716 int32_t compute_sts_shared_secret(struct stsk *self_private_key, struct stpk *peer_public_key,
1717 struct sts_shared_secret *out_shared_key)
1718 {
1719 check_ptr_return_val(self_private_key, HC_INPUT_ERROR);
1720 check_num_return_val(self_private_key->length, HC_INPUT_ERROR);
1721 check_ptr_return_val(peer_public_key, HC_INPUT_ERROR);
1722 check_num_return_val(peer_public_key->length, HC_INPUT_ERROR);
1723 check_ptr_return_val(out_shared_key, HC_INPUT_ERROR);
1724
1725 (void)memset_s(out_shared_key, sizeof(*out_shared_key), 0, sizeof(*out_shared_key));
1726 int32_t error_code = ERROR_CODE_FAILED;
1727 struct HksBlob self_private_key_blob = convert_to_blob_from_stsk(self_private_key);
1728 if (self_private_key_blob.size == 0) {
1729 LOGE("Convert key alias for private key to blob failed");
1730 return error_code;
1731 }
1732
1733 struct HksBlob peer_public_key_blob = convert_to_blob_from_stpk(peer_public_key);
1734 if (peer_public_key_blob.size == 0) {
1735 LOGE("Convert key alias for peer public key to blob failed");
1736 return error_code;
1737 }
1738
1739 struct HksParamSet *param_set = NULL;
1740 int32_t hks_status = gen_agreed_key_param_set(¶m_set);
1741 if (hks_status != ERROR_CODE_SUCCESS) {
1742 LOGE("gen agreed key param set failed! status:%d", hks_status);
1743 return error_code;
1744 }
1745
1746 struct HksBlob key_alias_for_agreed_key = { HC_STS_SHARED_SECRET_LENGTH, out_shared_key->sts_shared_secret };
1747 hks_status = HksAgreeKey(param_set, &self_private_key_blob, &peer_public_key_blob, &key_alias_for_agreed_key);
1748 if ((hks_status == 0) && (key_alias_for_agreed_key.size == HC_STS_SHARED_SECRET_LENGTH)) {
1749 out_shared_key->length = key_alias_for_agreed_key.size;
1750 error_code = ERROR_CODE_SUCCESS;
1751 } else {
1752 LOGE("Key agreement by alias failed, status:%d", hks_status);
1753 }
1754 return error_code;
1755 }
1756
key_info_init(void)1757 int32_t key_info_init(void)
1758 {
1759 int32_t ret = HksInitialize();
1760 if (ret == HKS_SUCCESS) {
1761 return ERROR_CODE_SUCCESS;
1762 }
1763
1764 if ((ret != HKS_ERROR_INVALID_KEY_FILE) && (ret != HKS_ERROR_CRYPTO_ENGINE_ERROR) &&
1765 (ret != HKS_ERROR_UPDATE_ROOT_KEY_MATERIAL_FAIL)) {
1766 LOGE("Hks: Init hks failed, ret: %d", ret);
1767 return ERROR_CODE_FAILED;
1768 }
1769
1770 DBG_OUT("Hks: The local hks file needs to be refreshed!");
1771 LOGI("Start to delete local database file!");
1772 ret = HksRefreshKeyInfo();
1773 if (ret != HKS_SUCCESS) {
1774 LOGE("Hks: HksRefreshKeyInfo failed, ret:%d", ret);
1775 return ERROR_CODE_FAILED;
1776 }
1777 ret = HksInitialize();
1778 if (ret != HKS_SUCCESS) {
1779 LOGE("Hks: Init hks failed, ret:%d", ret);
1780 return ERROR_CODE_FAILED;
1781 }
1782 return ERROR_CODE_SUCCESS;
1783 }
1784