Merge remote-tracking branch 'upstream/master'

jinling10 2023-06-02 11:54:32 +08:00
commit a33177b167
6 changed files with 42 additions and 45 deletions


@ -58,8 +58,8 @@ declare_args() {
# whether enable upgrade root key component from V1 to V2, default as false
huks_enable_upgrade_rkc_v1tov2 = false
# whether enable upgrade key derivation algorithm, default as false
huks_enable_upgrade_derive_key_alg = false
# whether enable upgrade key derivation algorithm
huks_enable_upgrade_derive_key_alg = true
# default security level supported by huks is software
huks_security_level = "software"
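Review bot: The comment above `huks_enable_upgrade_derive_key_alg` no longer states the default, while the neighbouring arguments all do; with the value flipped to `true` it should read `# whether enable upgrade key derivation algorithm, default as true`. Because the default is now on, it would also help to say in that comment what the flag gates. The C code in this commit keys off `HKS_CHANGE_DERIVE_KEY_ALG_TO_HKDF`, presumably defined from this argument, so integrators need to know that key blobs below the HKDF start version are then derived with PBKDF2 rather than HKDF. The declare_args block continues outside the hunk, and the +/- markers are lost on this page, so the old/new reading is inferred from the paired lines.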


@ -103,8 +103,25 @@ static int32_t GetSalt(const struct HksParamSet *paramSet, const struct HksKeyBl
return ret;
}
static int32_t GetDeriveKey(enum HksKeyAlg deriveAlg, const struct HksParamSet *paramSet,
const struct HksKeyBlobInfo *keyBlobInfo, struct HksBlob *derivedKey)
static void GetDeriveKeyAlg(const struct HksParamSet *paramSet, uint32_t *algType)
{
*algType = HKS_ALG_HKDF;
#ifdef HKS_CHANGE_DERIVE_KEY_ALG_TO_HKDF
struct HksParam *keyVersion = NULL;
int32_t ret = HksGetParam(paramSet, HKS_TAG_KEY_VERSION, &keyVersion);
if (ret != HKS_SUCCESS) {
HKS_LOG_W("Get key version failed! Use the default derive algorithm.");
return;
}
const uint32_t hkdfStartVersion = 3;
if (keyVersion->uint32Param < hkdfStartVersion) {
*algType = HKS_ALG_PBKDF2;
}
#endif
}
static int32_t GetDeriveKey(const struct HksParamSet *paramSet, const struct HksKeyBlobInfo *keyBlobInfo,
struct HksBlob *derivedKey)
{
struct HksBlob salt = { 0, NULL };
int32_t ret = GetSalt(paramSet, keyBlobInfo, &salt);
@ -116,7 +133,8 @@ static int32_t GetDeriveKey(enum HksKeyAlg deriveAlg, const struct HksParamSet *
.digestAlg = HKS_DIGEST_SHA256,
};
struct HksKeySpec derivationSpec = { deriveAlg, HKS_KEY_BYTES(HKS_AES_KEY_SIZE_256), &derParam };
struct HksKeySpec derivationSpec = { HKS_ALG_HKDF, HKS_KEY_BYTES(HKS_AES_KEY_SIZE_256), &derParam };
GetDeriveKeyAlg(paramSet, &derivationSpec.algType);
uint8_t encryptKeyData[HKS_KEY_BLOB_MAIN_KEY_SIZE] = {0};
struct HksBlob encryptKey = { HKS_KEY_BLOB_MAIN_KEY_SIZE, encryptKeyData };
@ -176,21 +194,6 @@ static int32_t BuildKeyBlobUsageSpec(const struct HksBlob *aad, const struct Hks
return HKS_SUCCESS;
}
#ifdef HKS_CHANGE_DERIVE_KEY_ALG_TO_HKDF
static bool KekDerivedByPBKDF2(struct HksParamSet *paramSet)
{
struct HksParam *keyVersion = NULL;
int32_t ret = HksGetParam(paramSet, HKS_TAG_KEY_VERSION, &keyVersion);
HKS_IF_NOT_SUCC_LOGE_RETURN(false, ret, "get key version failed!")
uint32_t kekDerivedByHkdfSinceVersion = 3;
if (keyVersion->uint32Param < kekDerivedByHkdfSinceVersion) {
return true;
}
return false;
}
#endif
static int32_t EncryptAndDecryptKeyBlob(const struct HksBlob *aad, struct HksParamSet *paramSet, bool isEncrypt)
{
struct HksParam *keyParam = NULL;
@ -225,15 +228,8 @@ static int32_t EncryptAndDecryptKeyBlob(const struct HksBlob *aad, struct HksPar
struct HksBlob srcKey = { keySize, keyParam->blob.data + sizeof(*keyBlobInfo) };
struct HksBlob encKey = srcKey;
enum HksKeyAlg deriveAlg = HKS_ALG_HKDF;
#ifdef HKS_CHANGE_DERIVE_KEY_ALG_TO_HKDF
if (KekDerivedByPBKDF2(paramSet)) {
deriveAlg = HKS_ALG_PBKDF2;
}
#endif
struct HksBlob derivedKey = { 0, NULL };
ret = GetDeriveKey(deriveAlg, paramSet, keyBlobInfo, &derivedKey);
ret = GetDeriveKey(paramSet, keyBlobInfo, &derivedKey);
if (ret != HKS_SUCCESS) {
HksFreeUsageSpec(&usageSpec);
return ret;
@ -245,6 +241,7 @@ static int32_t EncryptAndDecryptKeyBlob(const struct HksBlob *aad, struct HksPar
} else {
ret = HksCryptoHalDecrypt(&derivedKey, usageSpec, &encKey, &srcKey);
}
HKS_IF_NOT_SUCC_LOGE(ret, "cipher key[0x%" LOG_PUBLIC "x] failed!", isEncrypt)
(void)memset_s(derivedKey.data, derivedKey.size, 0, derivedKey.size);
@ -587,18 +584,7 @@ int32_t HksBuildKeyBlobWithOutAddKeyParam(const struct HksParamSet *paramSet, st
ret = HksGetParamSet(paramSet, paramSet->paramSetSize, &keyBlobParamSet);
HKS_IF_NOT_SUCC_BREAK(ret)
keyOut->data = (uint8_t *)HksMalloc(keyBlobParamSet->paramSetSize);
if (keyOut->data == NULL) {
ret = HKS_ERROR_MALLOC_FAIL;
HKS_LOG_E("malloc keyblob out failed!");
break;
}
keyOut->size = keyBlobParamSet->paramSetSize;
ret = HksBuildKeyBlob2(keyBlobParamSet, keyOut);
if (ret != HKS_SUCCESS) {
HKS_FREE_BLOB(*keyOut);
}
} while (0);
HksFreeParamSet(&keyBlobParamSet);
@ -708,8 +694,7 @@ int32_t HksGetAuthTokenKey(struct HksAuthTokenKey *authTokenKey)
(void)HksMutexUnlock(g_genAtKeyMutex);
}
(void)memcpy_s(authTokenKey, sizeof(struct HksAuthTokenKey),
&g_cachedAuthTokenKey, sizeof(struct HksAuthTokenKey));
(void)memcpy_s(authTokenKey, sizeof(struct HksAuthTokenKey), &g_cachedAuthTokenKey, sizeof(struct HksAuthTokenKey));
return HKS_SUCCESS;
}
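Review bot: In HksBuildKeyBlobWithOutAddKeyParam the hunk header shrinks the body from 18 lines to 7, so the HksMalloc of `keyOut->data`, the `keyOut->size = keyBlobParamSet->paramSetSize` assignment and the HKS_FREE_BLOB on failure appear to be removed (the page has lost its +/- markers, so this is read from the line counts). HksBuildKeyBlob2 then writes into whatever buffer the caller supplies, and nothing visible here compares that buffer's capacity with the param set size. Unless HksBuildKeyBlob2 already validates it, I would add a guard before the call, `if (keyOut->data == NULL || keyOut->size < keyBlobParamSet->paramSetSize) { ret = HKS_ERROR_BUFFER_TOO_SMALL; break; }`. A header comment should also state that the caller allocates and frees `keyOut`. The function starts and ends outside the hunk.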


@ -103,7 +103,7 @@ static int32_t IsNeedSkipUserAuthAccessControl(const struct HksParamSet *keyBlob
ret = HksGetParam(initParamSet, HKS_TAG_PURPOSE, &keyPurposeParam);
HKS_IF_NOT_SUCC_LOGE_RETURN(ret, ret, "get key purpose param failed!")
if ((keyPurposeParam->uint32Param | userAuthKeyPurposeParam->uint32Param) ==
if ((keyPurposeParam->uint32Param | userAuthKeyPurposeParam->uint32Param) !=
userAuthKeyPurposeParam->uint32Param) {
HKS_LOG_E("it needs to skip user auth access control base on the current value of key purpose!");
return HKS_ERROR_NEED_SKIP_ACCESS_CONTROL;
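Review bot: The condition `(keyPurposeParam->uint32Param | userAuthKeyPurposeParam->uint32Param) != userAuthKeyPurposeParam->uint32Param` skips user-auth access control as soon as the requested purpose carries any bit outside the auth purpose set, even if it also carries a protected bit. This takes `!=` as the new side, which matches the updated test. If an init purpose can ever hold more than one bit (not visible here), a caller could add an unprotected purpose to a protected one and avoid the auth check. Skipping only when there is no overlap would be stricter: `if ((keyPurposeParam->uint32Param & userAuthKeyPurposeParam->uint32Param) == 0) {`. The branch is also an expected outcome rather than an error, so `HKS_LOG_E` overstates it, and a comment explaining the bitmask intent would help; the function continues outside the hunk.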


@ -114,6 +114,12 @@ static int32_t CheckAndUpgradeKeyIfNeed(const struct HksProcessInfo *processInfo
break;
}
newKey.data = (uint8_t *)HksMalloc(MAX_KEY_SIZE);
if (newKey.data == NULL) {
ret = HKS_ERROR_MALLOC_FAIL;
break;
}
newKey.size = MAX_KEY_SIZE;
ret = HksDoUpgradeKeyAccess(key, paramSet, &newKey);
HKS_IF_NOT_SUCC_LOGE_BREAK(ret, "do upgrade access failed!")
ret = HksStoreKeyBlob(processInfo, keyAlias, HKS_STORAGE_TYPE_KEY, &newKey);
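Review bot: `newKey.size` is set to MAX_KEY_SIZE on a freshly allocated, uninitialized buffer and `newKey` is then handed to HksStoreKeyBlob. If HksDoUpgradeKeyAccess does not shrink `newKey.size` to the bytes it actually wrote (not visible here), stale heap contents are persisted alongside the key blob. Either confirm the size is updated, or clear the buffer right after the NULL check with `(void)memset_s(newKey.data, MAX_KEY_SIZE, 0, MAX_KEY_SIZE);`. The allocation-failure branch also breaks without logging, unlike the neighbouring failure paths; something like `HKS_LOG_E("malloc new key failed!");` would keep it diagnosable. The identical added lines in HksChangeKeyOwner have the same two issues, and both loops continue outside their hunks, so the release of `newKey` cannot be checked from here.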


@ -173,6 +173,12 @@ static int32_t HksChangeKeyOwner(const struct HksProcessInfo *processInfo, const
break;
}
newKey.data = (uint8_t *)HksMalloc(MAX_KEY_SIZE);
if (newKey.data == NULL) {
ret = HKS_ERROR_MALLOC_FAIL;
break;
}
newKey.size = MAX_KEY_SIZE;
ret = HksDoUpgradeKeyAccess(&oldKey, upgradeParamSet, &newKey);
HKS_IF_NOT_SUCC_LOGE_BREAK(ret, "access change key owner failed!")


@ -353,7 +353,7 @@ HWTEST_F(HksSecureAccessTest, HksSecureAccessTest012, TestSize.Level0)
/**
* @tc.name: HksSecureAccessTest.HksSecureAccessTest013
* @tc.desc: tdd HksCoreSecureAccessInitParams, skip user auth access control
* @tc.desc: tdd HksCoreSecureAccessInitParams, need user auth access control
* @tc.type: FUNC
*/
HWTEST_F(HksSecureAccessTest, HksSecureAccessTest013, TestSize.Level0)
@ -366,7 +366,7 @@ HWTEST_F(HksSecureAccessTest, HksSecureAccessTest013, TestSize.Level0)
},
{
.tag = HKS_TAG_KEY_AUTH_PURPOSE,
.uint32Param = HKS_KEY_PURPOSE_ENCRYPT
.uint32Param = HKS_KEY_PURPOSE_DECRYPT
}, {
.tag = HKS_TAG_PURPOSE,
.uint32Param = HKS_KEY_PURPOSE_DECRYPT
@ -388,7 +388,7 @@ HWTEST_F(HksSecureAccessTest, HksSecureAccessTest013, TestSize.Level0)
EXPECT_EQ(ret, HKS_SUCCESS) << "HksSecureAccessTest013 HksBuildParamSet failed";
struct HuksKeyNode keyNode = { { nullptr, nullptr }, paramSet, nullptr, nullptr, 0 };
ret = HksCoreSecureAccessInitParams(&keyNode, paramSet, &token);
ASSERT_EQ(ret, HKS_ERROR_PARAM_NOT_EXIST);
EXPECT_EQ(ret, HKS_ERROR_PARAM_NOT_EXIST);
HksFreeParamSet(&paramSet);
}
}
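Review bot: With HKS_TAG_KEY_AUTH_PURPOSE changed to HKS_KEY_PURPOSE_DECRYPT, HksSecureAccessTest013 now covers only the case where the purpose matches the auth purpose. The mismatched pair it used before (auth purpose ENCRYPT, purpose DECRYPT) is no longer exercised by this test. That mismatch is the input that drives the skip-user-auth decision changed elsewhere in this commit, so unless another case already covers it, a sibling test keeping the old parameter pair and asserting its expected return value would pin the condition against a later inversion. The `@tc.desc` text could also name the parameter combination, e.g. `auth purpose equals purpose, need user auth access control`.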