1 /*
2  * Copyright (C) 2021 Huawei Device Co., Ltd.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at
6  *
7  *     http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 #ifndef HAP_VERIFY_OPENSSL_UTILS_H
16 #define HAP_VERIFY_OPENSSL_UTILS_H
17 
18 #include <string>
19 #include <vector>
20 
21 #include "common/export_define.h"
22 #include "common/hap_byte_buffer.h"
23 #include "interfaces/hap_verify_result.h"
24 #include "openssl/evp.h"
25 #include "openssl/ossl_typ.h"
26 #include "openssl/pkcs7.h"
27 #include "openssl/safestack.h"
28 #include "util/digest_parameter.h"
29 #include "util/hap_cert_verify_openssl_utils.h"
30 #include "util/pkcs7_context.h"
31 
32 namespace OHOS {
33 namespace Security {
34 namespace Verify {
35 enum SignatureAlgorithm {
36     ALGORITHM_SHA256_WITH_RSA_PSS = 0x00000101,
37     ALGORITHM_SHA384_WITH_RSA_PSS,
38     ALGORITHM_SHA512_WITH_RSA_PSS,
39     ALGORITHM_SHA256_WITH_RSA_PKCS1_V1_5,
40     ALGORITHM_SHA384_WITH_RSA_PKCS1_V1_5,
41     ALGORITHM_SHA512_WITH_RSA_PKCS1_V1_5,
42     ALGORITHM_SHA256_WITH_ECDSA = 0x00000201,
43     ALGORITHM_SHA384_WITH_ECDSA,
44     ALGORITHM_SHA512_WITH_ECDSA,
45     ALGORITHM_SHA256_WITH_DSA = 0x00000301,
46     ALGORITHM_SHA384_WITH_DSA,
47     ALGORITHM_SHA512_WITH_DSA,
48 };
49 
50 class HapVerifyOpensslUtils {
51 public:
52     DLL_EXPORT static bool ParsePkcs7Package(const unsigned char packageData[],
53         uint32_t packageLen, Pkcs7Context& pkcs7Context);
54     DLL_EXPORT static bool GetCertChains(PKCS7* p7, Pkcs7Context& pkcs7Context);
55     DLL_EXPORT static bool VerifyPkcs7(Pkcs7Context& pkcs7Context);
56     DLL_EXPORT static bool GetPublickeys(const CertChain& signCertChain, std::vector<std::string>& SignatureVec);
57     DLL_EXPORT static bool GetSignatures(const CertChain& signCertChain, std::vector<std::string>& SignatureVec);
58     static int32_t GetDigest(const HapByteBuffer& chunk, const std::vector<OptionalBlock>& optionalBlocks,
59         const DigestParameter& digestParameter, unsigned char (&out)[EVP_MAX_MD_SIZE]);
60     static bool DigestInit(const DigestParameter& digestParameter);
61     static bool DigestUpdate(const DigestParameter& digestParameter, const unsigned char content[], int32_t len);
62     static int32_t GetDigest(const DigestParameter& digestParameter, unsigned char (&out)[EVP_MAX_MD_SIZE]);
63     static int32_t GetDigestAlgorithmOutputSizeBytes(int32_t nId);
64     DLL_EXPORT static int32_t GetDigestAlgorithmId(int32_t signAlgorithm);
65     static void GetOpensslErrorMessage();
66 
67 private:
68     DLL_EXPORT static bool VerifyPkcs7SignedData(Pkcs7Context& pkcs7Context);
69     DLL_EXPORT static bool VerifySignInfo(STACK_OF(PKCS7_SIGNER_INFO)* signerInfoStack,
70         BIO* p7Bio, int32_t signInfoNum, Pkcs7Context& pkcs7Context);
71     DLL_EXPORT static bool GetPublickeyFromCertificate(const X509* ptrX509, std::vector<std::string>& publicKeyVec);
72     DLL_EXPORT static bool GetDerCert(X509* ptrX509, std::vector<std::string>& SignatureVec);
73     static bool VerifyShaWithRsaPss(const PKCS7_SIGNER_INFO* signInfo, BIO* p7Bio, EVP_PKEY* pkey, bool isPss);
74     DLL_EXPORT static bool VerifyShaWithRsaPss(const PKCS7_SIGNER_INFO* signInfo, EVP_PKEY* pkey, bool isPss,
75         const unsigned char digest[], uint32_t digestLen);
76     static bool VerifyCertChain(CertChain& certsChain, PKCS7* p7, PKCS7_SIGNER_INFO* signInfo,
77         Pkcs7Context& pkcs7Context, CertSign& certVisitSign);
78     static bool IsEnablePss(const PKCS7_SIGNER_INFO* signInfo);
79     static bool GetContentInfo(const PKCS7* p7ContentInfo, HapByteBuffer& content);
80     static bool CheckPkcs7SignedDataIsValid(const PKCS7* p7);
81     DLL_EXPORT static bool AsnStringCmp(const ASN1_OCTET_STRING* asnStr, const unsigned char data[], int32_t len);
82     static bool VerifyPkcs7AuthAttributes(const PKCS7_SIGNER_INFO* signInfo, EVP_MD_CTX* mdCtx, int32_t mdType);
83     static const EVP_MD_CTX* FindMdCtxInBio(BIO* p7Bio, int32_t mdType);
84     static bool CheckDigestParameter(const DigestParameter& digestParameter);
85 
86 private:
87     static const int32_t OPENSSL_PKCS7_VERIFY_SUCCESS;
88     static const int32_t OPENSSL_ERR_MESSAGE_MAX_LEN;
89     static const int32_t OPENSSL_READ_DATA_MAX_TIME;
90     static const int32_t OPENSSL_READ_DATA_LEN_EACH_TIME;
91     static const int32_t MAX_OID_LENGTH;
92     static const std::string PKCS7_EXT_SHAWITHRSA_PSS;
93 };
94 } // namespace Verify
95 } // namespace Security
96 } // namespace OHOS
97 #endif // HAP_VERIFY_OPENSSL_UTILS_H
98