1 /*
2 * Copyright (c) 2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #ifdef HKS_CONFIG_FILE
17 #include HKS_CONFIG_FILE
18 #else
19 #include "hks_config.h"
20 #endif
21
22 #include "hks_core_service_key_attest.h"
23
24 #include <stdbool.h>
25 #include <stddef.h>
26
27 #include "hks_ability.h"
28 #include "dcm_attest.h"
29 #include "hks_auth.h"
30 #include "hks_base_check.h"
31 #include "hks_check_paramset.h"
32 #include "hks_chipset_platform_decrypt.h"
33 #include "hks_client_service_adapter_common.h"
34 #include "hks_cmd_id.h"
35 #include "hks_common_check.h"
36 #include "hks_core_service_three_stage.h"
37 #include "hks_crypto_adapter.h"
38 #include "hks_crypto_hal.h"
39 #include "hks_log.h"
40 #include "hks_mem.h"
41 #include "hks_param.h"
42 #include "hks_secure_access.h"
43 #include "hks_sm_import_wrap_key.h"
44 #include "hks_template.h"
45 #include "hks_type_inner.h"
46 #include "hks_util.h"
47
48 #include "securec.h"
49
50 #ifndef _HARDWARE_ROOT_KEY_
51 #include "hks_rkc.h"
52 #endif
53
54 #ifndef _CUT_AUTHENTICATE_
55
56 #ifdef HKS_SUPPORT_API_ATTEST_KEY
CheckAttestKeyParams(const struct HksBlob * key,const struct HksParamSet * paramSet,struct HksBlob * certChain)57 static int32_t CheckAttestKeyParams(const struct HksBlob *key, const struct HksParamSet *paramSet,
58 struct HksBlob *certChain)
59 {
60 HKS_IF_NOT_SUCC_LOGE_RETURN(CheckBlob(key), HKS_ERROR_INVALID_ARGUMENT, "invalid key!")
61
62 if ((CheckBlob(certChain) != HKS_SUCCESS) || (certChain->size < HKS_ATTEST_CERT_SIZE)) {
63 HKS_LOG_E("invalid cert chain!");
64 return HKS_ERROR_INVALID_ARGUMENT;
65 }
66
67 HKS_IF_NOT_SUCC_LOGE_RETURN(HksCheckParamSetValidity(paramSet), HKS_ERROR_INVALID_ARGUMENT, "invalid paramSet!")
68
69 return HKS_SUCCESS;
70 }
71 #endif
72
HksCoreAttestKey(const struct HksBlob * key,const struct HksParamSet * paramSet,struct HksBlob * certChain)73 int32_t HksCoreAttestKey(const struct HksBlob *key, const struct HksParamSet *paramSet, struct HksBlob *certChain)
74 {
75 #ifdef HKS_SUPPORT_API_ATTEST_KEY
76 int32_t ret = CheckAttestKeyParams(key, paramSet, certChain);
77 HKS_IF_NOT_SUCC_RETURN(ret, ret)
78
79 struct HksParam *certTypeParam = NULL;
80 ret = HksGetParam(paramSet, HKS_TAG_ATTESTATION_CERT_TYPE, &certTypeParam);
81 if (ret == HKS_SUCCESS) {
82 HKS_LOG_E("not support compatible rsa attest");
83 return HKS_ERROR_NOT_SUPPORTED;
84 } else if (ret != HKS_ERROR_PARAM_NOT_EXIST) {
85 HKS_LOG_E("get attest cert type failed");
86 return ret;
87 }
88
89 struct HksKeyNode *keyNode = HksGenerateKeyNode(key);
90 HKS_IF_NULL_LOGE_RETURN(keyNode, HKS_ERROR_CORRUPT_FILE, "generate keynode failed")
91
92 ret = HksProcessIdentityVerify(keyNode->paramSet, paramSet);
93 if (ret != HKS_SUCCESS) {
94 HKS_LOG_E("access control failed");
95 HksFreeKeyNode(&keyNode);
96 return ret;
97 }
98
99 struct HksBlob rawKey;
100 HksGetRawKey(keyNode->paramSet, &rawKey);
101 ret = CreateAttestCertChain(keyNode->paramSet, paramSet, certChain, &rawKey);
102 HksFreeKeyNode(&keyNode);
103 HKS_FREE_BLOB(rawKey);
104 return ret;
105 #else
106 (void)key;
107 (void)paramSet;
108 (void)certChain;
109 return HKS_ERROR_NOT_SUPPORTED;
110 #endif
111 }
112
113 #endif /* _CUT_AUTHENTICATE_ */