!1192 【StorageService】密钥备份

Merge pull request !1192 from 洪圣铨/master
2024-11-23 06:59:59 +00:00 · 2024-08-21 12:29:46 +00:00 · 2024-08-21 12:29:46 +00:00 · e066a94295
commit e066a94295
parent 35cc36bcde 9cb707b20f
7 changed files with 57 additions and 10 deletions
--- a/services/storage_daemon/crypto/src/base_key.cpp
+++ b/services/storage_daemon/crypto/src/base_key.cpp
@ -25,6 +25,7 @@
 #include "file_ex.h"
 #include "huks_master.h"
 #include "iam_client.h"
+#include "key_backup.h"
 #include "libfscrypt/key_control.h"
 #include "openssl_crypto.h"
 #include "storage_service_log.h"
@ -400,6 +401,10 @@ bool BaseKey::UpdateKey(const std::string &keypath)
        }
    }

+    std::string backupDir;
+    KeyBackup::GetInstance().GetBackupDir(dir_, backupDir);
+    KeyBackup::GetInstance().CreateBackup(dir_, backupDir, true);
+
    SyncKeyDir();
    return true;
 }
@ -472,7 +477,7 @@ bool BaseKey::RestoreKey(const UserAuth &auth)
    auto candidate = GetCandidateDir();
    if (candidate.empty()) {
        // no candidate dir, just restore from the latest
-        return DoRestoreKeyEx(auth, dir_ + PATH_LATEST);
+        return KeyBackup::GetInstance().TryRestoreKey(shared_from_this(), auth) == 0;
    }

    if (DoRestoreKeyEx(auth, candidate)) {
@ -660,7 +665,7 @@ bool BaseKey::DoRestoreKeyCeEceSece(const UserAuth &auth, const std::string &pat
 bool BaseKey::DoRestoreKey(const UserAuth &auth, const std::string &path)
 {
    std::string encryptType;
-    LoadStringFromFile(dir_ + PATH_LATEST + SUFFIX_NEED_UPDATE, encryptType);
+    LoadStringFromFile(path + SUFFIX_NEED_UPDATE, encryptType);
    LOGI("encrypt type : %{public}s, keyInfo empty: %{public}u", encryptType.c_str(), keyInfo_.key.IsEmpty());

    uint32_t keyType = GetTypeFromDir();
@ -757,6 +762,11 @@ bool BaseKey::ClearKey(const std::string &mnt)
    InactiveKey(USER_DESTROY, mnt);
    keyInfo_.key.Clear();
    WipingActionDir(dir_);
+    std::string backupDir;
+    KeyBackup::GetInstance().GetBackupDir(dir_, backupDir);
+    WipingActionDir(backupDir);
+    KeyBackup::GetInstance().RemoveNode(backupDir);
+    OHOS::ForceRemoveDirectory(backupDir);
    return OHOS::ForceRemoveDirectory(dir_);
    // use F2FS_IOC_SEC_TRIM_FILE
 }
--- a/services/storage_daemon/crypto/src/fscrypt_key_v1.cpp
+++ b/services/storage_daemon/crypto/src/fscrypt_key_v1.cpp
@ -20,6 +20,7 @@
 #include <unistd.h>

 #include "file_ex.h"
+#include "key_backup.h"
 #include "libfscrypt/key_control.h"
 #include "storage_service_log.h"

@ -247,7 +248,7 @@ bool FscryptKeyV1::DecryptClassE(const UserAuth &auth, bool &isSupport, uint32_t
    }
    LOGI("Decrypt keyPath is %{public}s", (dir_ + PATH_LATEST).c_str());
    KeyBlob decryptedKey(AES_256_HASH_RANDOM_SIZE);
-    if (!DecryptKeyBlob(auth, dir_ + PATH_LATEST, eSecretFBE, decryptedKey)) {
+    if (KeyBackup::GetInstance().TryRestoreUeceKey(shared_from_this(), auth, eSecretFBE, decryptedKey) != 0) {
        LOGE("DecryptKeyBlob Decrypt failed");
        eSecretFBE.Clear();
        return false;
--- a/services/storage_daemon/crypto/src/key_backup.cpp
+++ b/services/storage_daemon/crypto/src/key_backup.cpp
@ -102,7 +102,7 @@ int32_t KeyBackup::RemoveNode(const std::string &pathName)
    return rmdir(pathName.c_str());
 }

-int32_t KeyBackup::TryRestoreKey(std::shared_ptr<BaseKey> &baseKey, const UserAuth &auth)
+int32_t KeyBackup::TryRestoreKey(const std::shared_ptr<BaseKey> &baseKey, const UserAuth &auth)
 {
    if (baseKey == nullptr) {
        LOGE("basekey is nullptr");
@ -113,15 +113,45 @@ int32_t KeyBackup::TryRestoreKey(std::shared_ptr<BaseKey> &baseKey, const UserAu
    GetBackupDir(keyDir, backupDir);
    if (baseKey->DoRestoreKeyEx(auth, keyDir + PATH_LATEST)) {
        CheckAndFixFiles(keyDir, backupDir);
+        LOGI("Restore by main key success !");
        return 0;
    }
-    LOGI("origKey failed, try backupKey");
+    LOGE("origKey failed, try backupKey");
    if (baseKey->DoRestoreKeyEx(auth, backupDir + PATH_LATEST)) {
        CheckAndFixFiles(backupDir, keyDir);
+        LOGI("Restore by back key success !");
        return 0;
    }

-    LOGI("origKey failed, backupKey failed, so mix key");
+    LOGE("origKey failed, backupKey failed, so mix key");
+    return -1;
+}
+
+int32_t KeyBackup::TryRestoreUeceKey(const std::shared_ptr<BaseKey> &baseKey,
+                                     const UserAuth &auth,
+                                     KeyBlob &planKey,
+                                     KeyBlob &decryptedKey)
+{
+    if (baseKey == nullptr) {
+        LOGE("basekey is nullptr");
+        return -1;
+    }
+    std::string keyDir = baseKey->GetDir();
+    std::string backupDir;
+    GetBackupDir(keyDir, backupDir);
+    if (baseKey->DecryptKeyBlob(auth, keyDir + PATH_LATEST, planKey, decryptedKey)) {
+        CheckAndFixFiles(keyDir, backupDir);
+        LOGI("Restore uece by main key success !");
+        return 0;
+    }
+    LOGE("origKey failed, try backupKey");
+    if (baseKey->DecryptKeyBlob(auth, backupDir + PATH_LATEST, planKey, decryptedKey)) {
+        CheckAndFixFiles(backupDir, keyDir);
+        LOGI("Restore uece by back key success !");
+        return 0;
+    }
+
+    LOGE("origKey failed, backupKey failed, so mix key");
    return -1;
 }

--- a/services/storage_daemon/crypto/test/fscrypt_v1_test/BUILD.gn
+++ b/services/storage_daemon/crypto/test/fscrypt_v1_test/BUILD.gn
@ -45,6 +45,7 @@ ohos_moduletest("FscryptKeyV1Test") {
    "${storage_daemon_path}/crypto/src/fscrypt_key_v2.cpp",
    "${storage_daemon_path}/crypto/src/huks_master.cpp",
    "${storage_daemon_path}/crypto/src/iam_client.cpp",
+    "${storage_daemon_path}/crypto/src/key_backup.cpp",
    "${storage_daemon_path}/crypto/src/key_manager.cpp",
    "${storage_daemon_path}/crypto/src/openssl_crypto.cpp",
    "${storage_daemon_path}/crypto/test/fscrypt_v1_test/fscrypt_key_v1_test.cpp",
--- a/services/storage_daemon/crypto/test/key_manager_test/BUILD.gn
+++ b/services/storage_daemon/crypto/test/key_manager_test/BUILD.gn
@ -45,6 +45,7 @@ ohos_unittest("KeyManagerTest") {
    "${storage_daemon_path}/crypto/src/fscrypt_key_v1.cpp",
    "${storage_daemon_path}/crypto/src/fscrypt_key_v1_ext.cpp",
    "${storage_daemon_path}/crypto/src/iam_client.cpp",
+    "${storage_daemon_path}/crypto/src/key_backup.cpp",
    "${storage_daemon_path}/crypto/src/key_manager.cpp",
    "${storage_daemon_path}/mock/base_key_mock.cpp",
    "${storage_daemon_path}/mock/fscrypt_control_mock.cpp",
--- a/services/storage_daemon/include/crypto/base_key.h
+++ b/services/storage_daemon/include/crypto/base_key.h
@ -31,7 +31,7 @@ const uint32_t USER_ADD_AUTH = 0x0;
 const uint32_t USER_CHANGE_AUTH = 0x1;
 const std::string SUFFIX_NEED_UPDATE = "/need_update";
 const std::vector<uint8_t> NULL_SECRET = { '!' };
-class BaseKey {
+class BaseKey : public std::enable_shared_from_this<BaseKey> {
 public:
    BaseKey() = delete;
    BaseKey(const std::string &dir, uint8_t keyLen = CRYPTO_AES_256_XTS_KEY_SIZE);
--- a/services/storage_daemon/include/crypto/key_backup.h
+++ b/services/storage_daemon/include/crypto/key_backup.h
@ -43,13 +43,17 @@ public:

    void CreateBackup(const std::string &from, const std::string &to, bool removeOld = true);
    int32_t RemoveNode(const std::string &pathName);
-    int32_t TryRestoreKey(std::shared_ptr<BaseKey> &baseKey, const UserAuth &auth);
+    int32_t TryRestoreKey(const std::shared_ptr<BaseKey> &baseKey, const UserAuth &auth);
+    int32_t TryRestoreUeceKey(const std::shared_ptr<BaseKey> &baseKey,
+                              const UserAuth &auth,
+                              KeyBlob &planKey,
+                              KeyBlob &decryptedKey);
    int32_t GetBackupDir(std::string &origDir, std::string &backupDir);
    void ListAndCheckDir(std::string &origDir);

 private:
-    KeyBackup();
-    ~KeyBackup();
+    KeyBackup() {};
+    ~KeyBackup() {};
    KeyBackup(const KeyBackup &) = delete;
    KeyBackup &operator=(const KeyBackup &) = delete;