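/*
 * Copyright (c) 2023-2024 Huawei Device Co., Ltd.
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#ifndef COMMUNICATIONNETSTACK_VERIFY_CERT_H
#define COMMUNICATIONNETSTACK_VERIFY_CERT_H

// <cstdint> and <string> are what this header actually uses (uint32_t,
// std::string); they were previously only reached transitively.
#include <cstdint>
#include <fstream>
#include <iostream>
#include <set>
#include <string>

#include <openssl/ssl.h>

#include "net_ssl_type.h"

namespace OHOS {
namespace NetStack {
namespace Ssl {
// Constants shared by the certificate-verification helpers declared below.
// The values themselves live in the corresponding .cpp; only the names are
// visible here.
class SslConstant final {
public:
    /* Path of the system CA store. */
    static const char *const SYSPRECAPATH;
    /* Path of the CA store holding user-installed certificates.
     * NOTE(review): any CA placed here is trusted as an issuer by the
     * verification helpers below (see VerifyCert(const CertBlob *)), so
     * write access to this location is security-sensitive — confirm the
     * directory's permissions in the implementation. */
    static const char *const USERINSTALLEDCAPATH;
    /* Divisor applied to a uid; presumably used to derive a per-user CA
     * directory from the calling uid — TODO confirm against the .cpp. */
    static const int UIDTRANSFORMDIVISOR;
};

// Tri-state outcome of a verification. Only VERIFY_RESULT_SUCCESS means the
// chain validated; callers must treat UNKNOWN (-1) the same as FAIL (0).
enum VerifyResult { VERIFY_RESULT_UNKNOWN = -1, VERIFY_RESULT_FAIL = 0, VERIFY_RESULT_SUCCESS = 1 };

// Error codes surfaced to callers. Each SSL_X509_V_ERR_* value is the OpenSSL
// X509_V_ERR_* verification error offset by SSL_ERROR_CODE_BASE, so a code
// can be mapped back to the OpenSSL reason by subtracting the base.
// SSL_X509_V_ERR_OUT_OF_MEMORY (base + 999) is not an OpenSSL code; it is
// reserved here for allocation failures inside the helpers.
enum SslErrorCode {
    SSL_NONE_ERR = 0,
    SSL_ERROR_CODE_BASE = 2305000,
    // The following error codes are added since API11
    SSL_X509_V_ERR_UNSPECIFIED = SSL_ERROR_CODE_BASE + X509_V_ERR_UNSPECIFIED,
    SSL_X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT = SSL_ERROR_CODE_BASE + X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT,
    SSL_X509_V_ERR_UNABLE_TO_GET_CRL = SSL_ERROR_CODE_BASE + X509_V_ERR_UNABLE_TO_GET_CRL,
    SSL_X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE = SSL_ERROR_CODE_BASE + X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE,
    SSL_X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE = SSL_ERROR_CODE_BASE + X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE,
    SSL_X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY =
        SSL_ERROR_CODE_BASE + X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY,
    SSL_X509_V_ERR_CERT_SIGNATURE_FAILURE = SSL_ERROR_CODE_BASE + X509_V_ERR_CERT_SIGNATURE_FAILURE,
    SSL_X509_V_ERR_CRL_SIGNATURE_FAILURE = SSL_ERROR_CODE_BASE + X509_V_ERR_CRL_SIGNATURE_FAILURE,
    SSL_X509_V_ERR_CERT_NOT_YET_VALID = SSL_ERROR_CODE_BASE + X509_V_ERR_CERT_NOT_YET_VALID,
    SSL_X509_V_ERR_CERT_HAS_EXPIRED = SSL_ERROR_CODE_BASE + X509_V_ERR_CERT_HAS_EXPIRED,
    SSL_X509_V_ERR_CRL_NOT_YET_VALID = SSL_ERROR_CODE_BASE + X509_V_ERR_CRL_NOT_YET_VALID,
    SSL_X509_V_ERR_CRL_HAS_EXPIRED = SSL_ERROR_CODE_BASE + X509_V_ERR_CRL_HAS_EXPIRED,
    SSL_X509_V_ERR_CERT_REVOKED = SSL_ERROR_CODE_BASE + X509_V_ERR_CERT_REVOKED,
    SSL_X509_V_ERR_INVALID_CA = SSL_ERROR_CODE_BASE + X509_V_ERR_INVALID_CA,
    SSL_X509_V_ERR_CERT_UNTRUSTED = SSL_ERROR_CODE_BASE + X509_V_ERR_CERT_UNTRUSTED,
    // The following error codes are added since API12
    SSL_X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT = SSL_ERROR_CODE_BASE + X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT,
    SSL_X509_V_ERR_INVALID_CALL = SSL_ERROR_CODE_BASE + X509_V_ERR_INVALID_CALL,
    SSL_X509_V_ERR_OUT_OF_MEMORY = SSL_ERROR_CODE_BASE + 999
};

// Codes that may be reported to callers built against API 11. Membership is
// queried with count()/find(); every code appears exactly once, so a
// std::set would do, but the multiset type is kept for existing users.
static const std::multiset<uint32_t> SslErrorCodeSetBase{SSL_NONE_ERR,
                                                          SSL_ERROR_CODE_BASE,
                                                          SSL_X509_V_ERR_UNSPECIFIED,
                                                          SSL_X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT,
                                                          SSL_X509_V_ERR_UNABLE_TO_GET_CRL,
                                                          SSL_X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE,
                                                          SSL_X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE,
                                                          SSL_X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY,
                                                          SSL_X509_V_ERR_CERT_SIGNATURE_FAILURE,
                                                          SSL_X509_V_ERR_CRL_SIGNATURE_FAILURE,
                                                          SSL_X509_V_ERR_CERT_NOT_YET_VALID,
                                                          SSL_X509_V_ERR_CERT_HAS_EXPIRED,
                                                          SSL_X509_V_ERR_CRL_NOT_YET_VALID,
                                                          SSL_X509_V_ERR_CRL_HAS_EXPIRED,
                                                          SSL_X509_V_ERR_CERT_REVOKED,
                                                          SSL_X509_V_ERR_INVALID_CA,
                                                          SSL_X509_V_ERR_CERT_UNTRUSTED};

// Superset of SslErrorCodeSetBase for callers built against API 12 or later:
// the three codes introduced in API 12 are appended at the end.
static const std::multiset<uint32_t> SslErrorCodeSetSinceAPI12{SSL_NONE_ERR,
                                                                SSL_ERROR_CODE_BASE,
                                                                SSL_X509_V_ERR_UNSPECIFIED,
                                                                SSL_X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT,
                                                                SSL_X509_V_ERR_UNABLE_TO_GET_CRL,
                                                                SSL_X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE,
                                                                SSL_X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE,
                                                                SSL_X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY,
                                                                SSL_X509_V_ERR_CERT_SIGNATURE_FAILURE,
                                                                SSL_X509_V_ERR_CRL_SIGNATURE_FAILURE,
                                                                SSL_X509_V_ERR_CERT_NOT_YET_VALID,
                                                                SSL_X509_V_ERR_CERT_HAS_EXPIRED,
                                                                SSL_X509_V_ERR_CRL_NOT_YET_VALID,
                                                                SSL_X509_V_ERR_CRL_HAS_EXPIRED,
                                                                SSL_X509_V_ERR_CERT_REVOKED,
                                                                SSL_X509_V_ERR_INVALID_CA,
                                                                SSL_X509_V_ERR_CERT_UNTRUSTED,
                                                                // New error code since API12.
                                                                SSL_X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT,
                                                                SSL_X509_V_ERR_INVALID_CALL,
                                                                SSL_X509_V_ERR_OUT_OF_MEMORY};

// Returns the directory of user-installed CA certificates for the caller.
// Presumably derived from SslConstant::USERINSTALLEDCAPATH and the calling
// uid (see UIDTRANSFORMDIVISOR) — confirm in the implementation.
std::string GetUserInstalledCaPath();

// Parses a PEM-encoded certificate of pemSize bytes. Returns nullptr on
// parse failure; on success the caller presumably owns the X509 and must
// release it with X509_free (or FreeResources below) — confirm in the .cpp.
X509 *PemToX509(const uint8_t *pemCert, size_t pemSize);

// Parses a DER-encoded certificate of derSize bytes. Same ownership and
// failure contract as PemToX509. derSize bounds the read: pass the exact
// buffer length, never a larger capacity.
X509 *DerToX509(const uint8_t *derCert, size_t derSize);

// Converts a CertBlob (PEM or DER, per its type field) into an X509.
// Returns nullptr if the blob is null, empty or cannot be decoded.
X509 *CertBlobToX509(const CertBlob *cert);

// Verifies `cert` against the platform trust anchors (system CA path and, it
// appears, the user-installed CA path). Returns a SslErrorCode value:
// SSL_NONE_ERR on success, otherwise the failing X509_V_ERR_* offset by
// SSL_ERROR_CODE_BASE. The result MUST be checked — ignoring it silently
// accepts untrusted certificates.
uint32_t VerifyCert(const CertBlob *cert);

// Verifies `cert` with `caCert` as the only trust anchor. Same return
// contract as the single-argument overload. A null or undecodable caCert
// must not fall back to the system store; callers should treat any non-zero
// result as failure.
uint32_t VerifyCert(const CertBlob *cert, const CertBlob *caCert);

// Releases whichever of the four OpenSSL objects are non-null. Each argument
// is a pointer-to-pointer so the implementation can reset the caller's
// handle after freeing; pass nullptr for objects that were never created.
void FreeResources(X509 **certX509, X509 **caX509, X509_STORE **store, X509_STORE_CTX **ctx);
} // namespace Ssl
} // namespace NetStack
} // namespace OHOS

#endif // COMMUNICATIONNETSTACK_VERIFY_CERT_H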