!704 A/B类加密能力无密码场景

Merge pull request !704 from 师瑜/master
This commit is contained in:
openharmony_ci 2023-12-09 12:41:31 +00:00 committed by Gitee
commit a4379d4eb9
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
10 changed files with 45 additions and 35 deletions

View File

@ -28,7 +28,9 @@ namespace StorageManager {
// PrepareAddUser flags
enum {
CRYPTO_FLAG_EL1 = 1,
CRYPTO_FLAG_EL2,
CRYPTO_FLAG_EL2 = 2,
CRYPTO_FLAG_EL3 = 4,
CRYPTO_FLAG_EL4 = 8,
};
class IStorageManager : public IRemoteBroker {
public:

View File

@ -485,10 +485,10 @@ int KeyManager::DeleteUserKeys(unsigned int user)
}
#ifdef USER_CRYPTO_MIGRATE_KEY
int KeyManager::UpdateUserAuth(unsigned int user, struct UserTokenSecret *userTokenSecret,
int KeyManager::UpdateUserAuth(unsigned int user, struct UserTokenSecret &userTokenSecret,
bool needGenerateShield)
#else
int KeyManager::UpdateUserAuth(unsigned int user, struct UserTokenSecret *userTokenSecret)
int KeyManager::UpdateUserAuth(unsigned int user, struct UserTokenSecret &userTokenSecret)
#endif
{
#ifdef USER_CRYPTO_MIGRATE_KEY
@ -496,32 +496,27 @@ int KeyManager::UpdateUserAuth(unsigned int user, struct UserTokenSecret *userTo
if (ret != 0) {
LOGE("user %{public}u UpdateUserAuth el2 key fail", user);
return -EFAULT;
;
}
ret = UpdateCeEceSeceUserAuth(user, userTokenSecret, userEl3Key_, needGenerateShield);
if (ret != 0) {
LOGE("user %{public}u UpdateUserAuth el3 key fail", user);
return -EFAULT;
;
}
ret = UpdateCeEceSeceUserAuth(user, userTokenSecret, userEl4Key_, needGenerateShield);
if (ret != 0) {
LOGE("user %{public}u UpdateUserAuth el4 key fail", user);
return -EFAULT;
;
}
#else
int ret = UpdateCeEceSeceUserAuth(user, userTokenSecret, userEl2Key_);
if (ret != 0) {
LOGE("user %{public}u UpdateUserAuth el2 key fail", user);
return -EFAULT;
;
}
ret = UpdateCeEceSeceUserAuth(user, userTokenSecret, userEl3Key_);
if (ret != 0) {
LOGE("user %{public}u UpdateUserAuth el3 key fail", user);
return -EFAULT;
;
}
ret = UpdateCeEceSeceUserAuth(user, userTokenSecret, userEl4Key_);
if (ret != 0) {
@ -529,18 +524,20 @@ int KeyManager::UpdateUserAuth(unsigned int user, struct UserTokenSecret *userTo
return -EFAULT;
}
#endif
std::lock_guard<std::mutex> lock(keyMutex_);
userPinProtect[user] = !userTokenSecret.newSecret.empty();
return ret;
}
#ifdef USER_CRYPTO_MIGRATE_KEY
int KeyManager::UpdateCeEceSeceUserAuth(unsigned int user,
struct UserTokenSecret *userTokenSecret,
struct UserTokenSecret &userTokenSecret,
std::map<unsigned int, std::shared_ptr<BaseKey>> &userElKey_,
bool needGenerateShield)
{
#else
int KeyManager::UpdateCeEceSeceUserAuth(unsigned int user,
struct UserTokenSecret *userTokenSecret,
struct UserTokenSecret &userTokenSecret,
std::map<unsigned int, std::shared_ptr<BaseKey>> &userElKey_)
{
#endif
@ -555,13 +552,13 @@ int KeyManager::UpdateCeEceSeceUserAuth(unsigned int user,
return -ENOENT;
}
auto item = userElKey_[user];
UserAuth auth = {userTokenSecret->token, userTokenSecret->oldSecret, userTokenSecret->secureUid};
UserAuth auth = {userTokenSecret.token, userTokenSecret.oldSecret, userTokenSecret.secureUid};
if ((item->RestoreKey(auth) == false) && (item->RestoreKey(NULL_KEY_AUTH) == false)) {
LOGE("Restore key error");
return -EFAULT;
}
auth.secret = userTokenSecret->newSecret;
auth.secret = userTokenSecret.newSecret;
#ifdef USER_CRYPTO_MIGRATE_KEY
if (item->StoreKey(auth, needGenerateShield) == false) {
#else
@ -596,6 +593,12 @@ int KeyManager::ActiveUserKey(unsigned int user, const std::vector<uint8_t> &tok
LOGI("Active user %{public}u el4 fail", user);
return -EFAULT;
}
std::lock_guard<std::mutex> lock(keyMutex_);
if (secret.empty()) {
userPinProtect.insert(std::make_pair(user, false));
} else {
userPinProtect.insert(std::make_pair(user, true));
}
return 0;
}
@ -716,10 +719,14 @@ int KeyManager::InActiveUserKey(unsigned int user)
int KeyManager::LockUserScreen(uint32_t user)
{
LOGI("start");
std::lock_guard<std::mutex> lock(keyMutex_);
auto iter = userPinProtect.find(user);
if (iter == userPinProtect.end() || iter->second == false) {
return 0;
}
if (!KeyCtrlHasFscryptSyspara()) {
return 0;
}
std::lock_guard<std::mutex> lock(keyMutex_);
if (userEl4Key_.find(user) == userEl4Key_.end()) {
LOGE("Have not found user %{public}u el3 or el4", user);
return -ENOENT;

View File

@ -915,16 +915,16 @@ HWTEST_F(CryptoKeyTest, key_manager_generate_delete_user_keys, TestSize.Level1)
.newSecret = {'s', 'e', 'c', 'r', 'e', 't'}, .secureUid = 0};
UserTokenSecret userTokenSecretNull = {.token = {}, .oldSecret = {}, .newSecret = {}, .secureUid = 0};
#ifndef CRYPTO_TEST
KeyManager::GetInstance()->UpdateUserAuth(userId, &userTokenSecret);
KeyManager::GetInstance()->UpdateUserAuth(userId, userTokenSecret);
KeyManager::GetInstance()->InActiveUserKey(userId); // may fail on some platforms
#else
EXPECT_EQ(0, KeyManager::GetInstance()->GenerateUserKeys(userId, 0));
EXPECT_EQ(-EEXIST, KeyManager::GetInstance()->GenerateUserKeys(userId, 0)); // key existed
EXPECT_EQ(0, KeyManager::GetInstance()->SetDirectoryElPolicy(userId, EL1_KEY, {{userId, USER_EL1_DIR}}));
EXPECT_EQ(0, KeyManager::GetInstance()->SetDirectoryElPolicy(userId, EL2_KEY, {{userId, USER_EL2_DIR}}));
EXPECT_EQ(0, KeyManager::GetInstance()->UpdateUserAuth(userId, &userTokenSecretNull));
EXPECT_EQ(0, KeyManager::GetInstance()->UpdateUserAuth(userId, userTokenSecretNull));
EXPECT_EQ(0, KeyManager::GetInstance()->UpdateKeyContext(userId));
KeyManager::GetInstance()->UpdateUserAuth(userId, &userTokenSecret);
KeyManager::GetInstance()->UpdateUserAuth(userId, userTokenSecret);
EXPECT_EQ(-EFAULT, KeyManager::GetInstance()->UpdateKeyContext(userId)); // no need to update keycontext
KeyManager::GetInstance()->InActiveUserKey(userId); // may fail on some platforms
EXPECT_EQ(0, KeyManager::GetInstance()->ActiveUserKey(userId, {}, {}));
@ -940,7 +940,7 @@ HWTEST_F(CryptoKeyTest, key_manager_generate_delete_user_keys, TestSize.Level1)
EXPECT_EQ(-ENOENT, KeyManager::GetInstance()->SetDirectoryElPolicy(userId, EL2_KEY, {{userId, USER_EL2_DIR}}));
EXPECT_EQ(0, KeyManager::GetInstance()->SetDirectoryElPolicy(userId, static_cast<KeyType>(0),
{{userId, USER_EL2_DIR}})); // bad keytype
EXPECT_EQ(-ENOENT, KeyManager::GetInstance()->UpdateUserAuth(userId, &userTokenSecretNull));
EXPECT_EQ(-ENOENT, KeyManager::GetInstance()->UpdateUserAuth(userId, userTokenSecretNull));
EXPECT_EQ(-ENOENT, KeyManager::GetInstance()->UpdateKeyContext(userId));
EXPECT_EQ(-ENOENT, KeyManager::GetInstance()->InActiveUserKey(userId));
EXPECT_EQ(-ENOENT, KeyManager::GetInstance()->ActiveUserKey(userId, {}, {}));

View File

@ -38,7 +38,7 @@ int32_t KeyManager::DeleteUserKeys(unsigned int user)
{
return E_OK;
}
int32_t KeyManager::UpdateUserAuth(unsigned int user, struct UserTokenSecret *userTokenSecret)
int32_t KeyManager::UpdateUserAuth(unsigned int user, struct UserTokenSecret &userTokenSecret)
{
return E_OK;
}

View File

@ -49,13 +49,13 @@ public:
int DeleteUserKeys(unsigned int user);
#ifdef USER_CRYPTO_MIGRATE_KEY
int UpdateUserAuth(unsigned int user, struct UserTokenSecret *userTokenSecret,
int UpdateUserAuth(unsigned int user, struct UserTokenSecret &userTokenSecret,
bool needGenerateShield = true);
int UpdateCeEceSeceUserAuth(unsigned int user, struct UserTokenSecret *userTokenSecret,
int UpdateCeEceSeceUserAuth(unsigned int user, struct UserTokenSecret &userTokenSecret,
std::map<unsigned int, std::shared_ptr<BaseKey>> &userElKey_, bool needGenerateShield);
#else
int UpdateUserAuth(unsigned int user, struct UserTokenSecret *userTokenSecret);
int UpdateCeEceSeceUserAuth(unsigned int user, struct UserTokenSecret *userTokenSecret,
int UpdateUserAuth(unsigned int user, struct UserTokenSecret &userTokenSecret);
int UpdateCeEceSeceUserAuth(unsigned int user, struct UserTokenSecret &userTokenSecret,
std::map<unsigned int, std::shared_ptr<BaseKey>> &userElKey_);
#endif
@ -99,6 +99,7 @@ private:
std::map<unsigned int, std::shared_ptr<BaseKey>> userEl3Key_;
std::map<unsigned int, std::shared_ptr<BaseKey>> userEl4Key_;
std::shared_ptr<BaseKey> globalEl1Key_ { nullptr };
std::map<unsigned int, bool> userPinProtect;
std::mutex keyMutex_;
bool hasGlobalDeviceKey_;

View File

@ -270,7 +270,7 @@ int32_t StorageDaemon::UpdateUserAuth(uint32_t userId, uint64_t secureUid,
UserTokenSecret userTokenSecret = {
.token = token, .oldSecret = oldSecret, .newSecret = newSecret, .secureUid = secureUid};
#ifdef USER_CRYPTO_MANAGER
return KeyManager::GetInstance()->UpdateUserAuth(userId, &userTokenSecret);
return KeyManager::GetInstance()->UpdateUserAuth(userId, userTokenSecret);
#else
return E_OK;
#endif
@ -287,7 +287,7 @@ int32_t StorageDaemon::PrepareUserDirsAndUpdateUserAuth(uint32_t userId, const s
return ret;
}
UserTokenSecret userTokenSecret = {.token = token, .oldSecret = {'!'}, .newSecret = secret, .secureUid = 0};
ret = KeyManager::GetInstance()->UpdateUserAuth(userId, &userTokenSecret);
ret = KeyManager::GetInstance()->UpdateUserAuth(userId, userTokenSecret);
if (ret != E_OK) {
return ret;
}

View File

@ -436,7 +436,7 @@ HWTEST_F(StorageDaemonProxyTest, StorageDaemonProxyTest_LockUserScreen_001, Test
.WillOnce(testing::Invoke(mock_.GetRefPtr(), &StorageDaemonServiceMock::InvokeSendRequest));
int32_t ret = proxy_->LockUserScreen(USER_ID1);
ASSERT_TRUE(ret == E_OK);
ASSERT_TRUE(static_cast<int32_t>(StorageDaemonInterfaceCode::INACTIVE_USER_KEY) == mock_->code_);
ASSERT_TRUE(static_cast<int32_t>(StorageDaemonInterfaceCode::LOCK_USER_SCREEN) == mock_->code_);
GTEST_LOG_(INFO) << "StorageDaemonProxyTest_LockUserScreen_001 end";
}
@ -456,7 +456,7 @@ HWTEST_F(StorageDaemonProxyTest, StorageDaemonProxyTest_UnlockUserScreen_001, Te
.WillOnce(testing::Invoke(mock_.GetRefPtr(), &StorageDaemonServiceMock::InvokeSendRequest));
int32_t ret = proxy_->UnlockUserScreen(USER_ID1);
ASSERT_TRUE(ret == E_OK);
ASSERT_TRUE(static_cast<int32_t>(StorageDaemonInterfaceCode::INACTIVE_USER_KEY) == mock_->code_);
ASSERT_TRUE(static_cast<int32_t>(StorageDaemonInterfaceCode::UNLOCK_USER_SCREEN) == mock_->code_);
GTEST_LOG_(INFO) << "StorageDaemonProxyTest_UnlockUserScreen_001 end";
}

View File

@ -282,9 +282,9 @@ HWTEST_F(StorageManagerClientTest, Client_manager_service_LockUserScreen_0000, T
ASSERT_TRUE(storageManagerClient_ != nullptr);
uint32_t userId = 107;
uint32_t userId = 100;
int32_t ret = storageManagerClient_->LockUserScreen(userId);
EXPECT_TRUE(ret == E_OK);
EXPECT_TRUE(ret == E_PERMISSION_DENIED);
GTEST_LOG_(INFO) << "Client_manager_service_LockUserScreen_0000 end";
}
@ -304,9 +304,9 @@ HWTEST_F(StorageManagerClientTest, Client_manager_service_UnlockUserScreen_0000,
ASSERT_TRUE(storageManagerClient_ != nullptr);
uint32_t userId = 107;
uint32_t ret = storageManagerClient_->UnlockUserScreen(userId);
EXPECT_TRUE(ret == E_OK);
uint32_t userId = 104;
int32_t ret = storageManagerClient_->UnlockUserScreen(userId);
EXPECT_TRUE(ret == E_PERMISSION_DENIED);
GTEST_LOG_(INFO) << "Client_manager_service_UnlockUserScreen_0000 end";
}

View File

@ -254,7 +254,7 @@ HWTEST_F(FileSystemCryptoTest, Storage_manager_crypto_LockUserScreen_0000, TestS
GTEST_LOG_(INFO) << "FileSystemCryptoTest-start Storage_manager_crypto_LockUserScreen_0000";
std::shared_ptr<FileSystemCrypto> fileSystemCrypto_ =
DelayedSingleton<FileSystemCrypto>::GetInstance();
int32_t userId = 102;
int32_t userId = 100;
int32_t ret = fileSystemCrypto_->LockUserScreen(userId);
EXPECT_EQ(ret, E_OK);
@ -276,7 +276,7 @@ HWTEST_F(FileSystemCryptoTest, Storage_manager_crypto_UnlockUserScreen_0000, Tes
GTEST_LOG_(INFO) << "FileSystemCryptoTest-start Storage_manager_crypto_UnlockUserScreen_0000";
std::shared_ptr<FileSystemCrypto> fileSystemCrypto_ =
DelayedSingleton<FileSystemCrypto>::GetInstance();
int32_t userId = 102;
int32_t userId = 100;
int32_t ret = fileSystemCrypto_->UnlockUserScreen(userId);
EXPECT_EQ(ret, E_OK);

View File

@ -473,7 +473,7 @@ HWTEST_F(StorageDaemonCommunicationTest, Daemon_communication_LockUserScreen_000
GTEST_LOG_(INFO) << "StorageDaemonCommunicationTest-begin Daemon_communication_LockUserScreen_0000 SUCCESS";
std::shared_ptr<StorageDaemonCommunication> sdCommunication =
DelayedSingleton<StorageDaemonCommunication>::GetInstance();
uint32_t userId = 102;
uint32_t userId = 100;
int32_t result = sdCommunication->LockUserScreen(userId);
EXPECT_EQ(result, E_OK);
@ -494,7 +494,7 @@ HWTEST_F(StorageDaemonCommunicationTest, Daemon_communication_UnlockUserScreen_0
GTEST_LOG_(INFO) << "StorageDaemonCommunicationTest-begin Daemon_communication_UnlockUserScreen_0000 SUCCESS";
std::shared_ptr<StorageDaemonCommunication> sdCommunication =
DelayedSingleton<StorageDaemonCommunication>::GetInstance();
uint32_t userId = 102;
uint32_t userId = 100;
int32_t result = sdCommunication->UnlockUserScreen(userId);
EXPECT_EQ(result, E_OK);