!161 增加ocsp获取certId哈希算法可配置

Merge pull request !161 from hhhFun/master
2024-11-27 08:40:45 +00:00 · 2024-05-23 18:00:25 +00:00 · 2024-05-23 18:00:25 +00:00 · afc6f9472e
commit afc6f9472e
parent 72a5b2838a 440d144503
7 changed files with 72 additions and 5 deletions
--- a/README.md
+++ b/README.md
@ -52,7 +52,7 @@ base/security/certificate_framwork

 ## 约束

-[约束与限制](https://gitee.com/openharmony/docs/blob/master/zh-cn/application-dev/security/DeviceCertificateKit/certManager-overview.md)
+[约束与限制](https://gitee.com/openharmony/docs/blob/master/zh-cn/application-dev/security/DeviceCertificateKit/certificate-framework-overview.md#约束与限制)

 ## 说明

@ -62,7 +62,7 @@ base/security/certificate_framwork

 ### 使用说明

-[开发指导](https://gitee.com/openharmony/docs/blob/master/zh-cn/application-dev/security/DeviceCertificateKit/certManager-guidelines.md)
+[开发指导](https://gitee.com/openharmony/docs/blob/master/zh-cn/application-dev/security/DeviceCertificateKit/certificate-framework-overview.md)

 ## 相关仓

--- a/frameworks/adapter/v1.0/src/x509_cert_chain_openssl.c
+++ b/frameworks/adapter/v1.0/src/x509_cert_chain_openssl.c
@ -1185,7 +1185,29 @@ static CfResult ValidateOcspOnline(STACK_OF(X509) * x509CertChain, OCSP_CERTID *
    return res;
 }

-static OCSP_CERTID *GetCertId(STACK_OF(X509) * x509CertChain)
+static const EVP_MD *GetHashDigest(const CfBlob *ocspDigest)
+{
+    if (ocspDigest == NULL || ocspDigest->data == NULL) {
+        return EVP_sha256();
+    }
+    char *mdName = (char *)ocspDigest->data;
+    if (strcmp(mdName, "SHA1") == 0) {
+        return EVP_sha1();
+    } else if (strcmp(mdName, "SHA224") == 0) {
+        return EVP_sha224();
+    } else if (strcmp(mdName, "SHA256") == 0) {
+        return EVP_sha256();
+    } else if (strcmp(mdName, "SHA384") == 0) {
+        return EVP_sha384();
+    } else if (strcmp(mdName, "SHA512") == 0) {
+        return EVP_sha512();
+    } else if (strcmp(mdName, "MD5") == 0) {
+        return EVP_md5();
+    }
+    return EVP_sha256();
+}
+
+static OCSP_CERTID *GetCertId(STACK_OF(X509) * x509CertChain, const CfBlob *ocspDigest)
 {
    X509 *issuerCert = NULL;
    X509 *leafCert = NULL;
@ -1225,7 +1247,7 @@ static OCSP_CERTID *GetCertId(STACK_OF(X509) * x509CertChain)
            LOGE("Unable to get issuer.");
            break;
        }
-        ret = OCSP_cert_to_id(NULL, leafCert, issuerCert);
+        ret = OCSP_cert_to_id(GetHashDigest(ocspDigest), leafCert, issuerCert);
    } while (0);

    if (store != NULL) {
@ -1315,7 +1337,7 @@ static CfResult ValidateRevocation(

    if (params->revocationCheckParam && params->revocationCheckParam->options) {
        CfResult res = CF_INVALID_PARAMS;
-        OCSP_CERTID *certId = GetCertId(x509CertChain);
+        OCSP_CERTID *certId = GetCertId(x509CertChain, params->revocationCheckParam->ocspDigest);
        if (ContainsOption(params->revocationCheckParam->options, REVOCATION_CHECK_OPTION_ACCESS_NETWORK)) {
            res = ValidateRevocationOnLine(params, x509CertChain, trustAnchor, certId);
            if (res != CF_SUCCESS) {
--- a/frameworks/js/napi/certificate/inc/napi_cert_defines.h
+++ b/frameworks/js/napi/certificate/inc/napi_cert_defines.h
@ -107,6 +107,7 @@ const std::string CERT_CHAIN_VALIDATE_TAG_OCSP_RESP_CERT = "ocspResponderCert";
 const std::string CERT_CHAIN_VALIDATE_TAG_OCSP_RESPS = "ocspResponses";
 const std::string CERT_CHAIN_VALIDATE_TAG_CRL_DOWNLOAD_URI = "crlDownloadURI";
 const std::string CERT_CHAIN_VALIDATE_TAG_OPTIONS = "options";
+const std::string CERT_CHAIN_VALIDATE_TAG_OCSP_DIGEST = "ocspDigest";
 const std::string CERT_CHAIN_VALIDATE_TAG_POLICY = "policy";
 const std::string CERT_CHAIN_VALIDATE_TAG_SSLHOSTNAME = "sslHostname";
 const std::string CERT_CHAIN_VALIDATE_TAG_KEYUSAGE = "keyUsage";
--- a/frameworks/js/napi/certificate/src/napi_x509_cert_chain_validate_params.cpp
+++ b/frameworks/js/napi/certificate/src/napi_x509_cert_chain_validate_params.cpp
@ -216,6 +216,40 @@ static bool GetRevocationOptions(napi_env env, napi_value rckObj, HcfRevocationC
    return true;
 }

+static bool GetRevocationocspDigest(napi_env env, napi_value rckObj, HcfRevocationCheckParam *&out)
+{
+    napi_value obj = GetProp(env, rckObj, CERT_CHAIN_VALIDATE_TAG_OCSP_DIGEST.c_str());
+    if (obj == nullptr) {
+        return true;
+    }
+
+    out->ocspDigest = CertGetBlobFromStringJSParams(env, obj);
+    if (out->ocspDigest == nullptr) {
+        return false;
+    }
+
+    char *mdName = (char *)out->ocspDigest->data;
+    if (strcmp(mdName, "SHA1") == 0) {
+        return true;
+    } else if (strcmp(mdName, "SHA224") == 0) {
+        return true;
+    } else if (strcmp(mdName, "SHA256") == 0) {
+        return true;
+    } else if (strcmp(mdName, "SHA384") == 0) {
+        return true;
+    } else if (strcmp(mdName, "SHA512") == 0) {
+        return true;
+    } else if (strcmp(mdName, "MD5") == 0) {
+        return true;
+    }
+
+    CfFree(out->ocspDigest->data);
+    out->ocspDigest->data = nullptr;
+    CfFree(out->ocspDigest);
+    out->ocspDigest = nullptr;
+    return false;
+}
+
 static bool GetRevocationDetail(napi_env env, napi_value rckObj, HcfRevocationCheckParam *&out)
 {
    napi_value obj = GetProp(env, rckObj, CERT_CHAIN_VALIDATE_TAG_OCSP_REQ_EXTENSION.c_str());
@ -259,6 +293,9 @@ static bool GetRevocationDetail(napi_env env, napi_value rckObj, HcfRevocationCh
            return false;
        }
    }
+    if (!GetRevocationocspDigest(env, rckObj, out)) {
+        return false;
+    }
    return GetRevocationOptions(env, rckObj, out);
 }

--- a/interfaces/innerkits/certificate/x509_cert_chain_validate_params.h
+++ b/interfaces/innerkits/certificate/x509_cert_chain_validate_params.h
@ -66,6 +66,7 @@ struct HcfRevocationCheckParam {
    CfBlob *ocspResponses;
    CfBlob *crlDownloadURI;
    HcfRevChkOpArray *options;
+    CfBlob *ocspDigest;
 };

 typedef struct HcfX509CertChainValidateParams HcfX509CertChainValidateParams;
--- a/test/unittest/v1.0/include/crypto_x509_cert_chain_data_pem_ex.h
+++ b/test/unittest/v1.0/include/crypto_x509_cert_chain_data_pem_ex.h
@ -436,6 +436,8 @@ static const uint8_t g_testOcspResponses[] = {
 static const char g_crlDownloadURI[] =
    "http://crl3.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl";

+static const char g_digest[] = "SHA1";
+
 static const char g_crlDownloadURIHttps[] = "https://ocsp.digicert.cn";

 static const char g_crlDownloadURIHttpsInvalid[] = "https://www.123.com";
--- a/test/unittest/v1.0/src/crypto_x509_cert_chain_test_part2.cpp
+++ b/test/unittest/v1.0/src/crypto_x509_cert_chain_test_part2.cpp
@ -83,6 +83,9 @@ static CfBlob g_blobDownloadURIHttpsInvalid2 = { .data = reinterpret_cast<uint8_
                                                     const_cast<char *>(g_crlDownloadURIHttpsInvalid)),
    .size = strlen(g_crlDownloadURIHttpsInvalid) + 1 };

+static CfBlob g_ocspDigest = { .data = reinterpret_cast<uint8_t *>(const_cast<char *>(g_digest)),
+    .size = strlen(g_digest) + 1 };
+
 static void FreeHcfRevocationCheckParam(HcfRevocationCheckParam *param)
 {
    if (param == nullptr) {
@ -148,6 +151,7 @@ static HcfRevocationCheckParam *ConstructHcfRevocationCheckParam(HcfRevChkOption
    param->ocspResponses = resp;
    param->ocspResponderURI = ocspResponderURI;
    param->crlDownloadURI = crlDownloadURI;
+    param->ocspDigest = &g_ocspDigest;

    if (ocspResponderCertStream != NULL) {
        (void)HcfX509CertificateCreate(&g_inStreamOcspResponderCert, &(param->ocspResponderCert));