Skip to content

CryptoHelper implementation #354

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 17 commits into
base: feature_unification
Choose a base branch
from
Open

CryptoHelper implementation #354

wants to merge 17 commits into from
+6,439 −283

Conversation

mykola-kobets-epam
Copy link
Contributor

No description provided.

@al1img al1img mentioned this pull request Sep 10, 2025
Open
@mykola-kobets-epam mykola-kobets-epam changed the base branch from develop to feature_unification September 11, 2025 08:50
MykolaSuperman
MykolaSuperman reviewed Sep 11, 2025
View reviewed changes
mlohvynenko
mlohvynenko approved these changes Sep 11, 2025
View reviewed changes
Copy link
Member

@mlohvynenko mlohvynenko left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed-by: Mykhailo Lohvynenko <[email protected]>

al1img
al1img reviewed Sep 11, 2025
View reviewed changes
@al1img
Copy link
Collaborator

al1img commented Sep 11, 2025

Move all crypto interfaces into itf folder and crypto.md with class diagram and basic module description. I've added separate task to add full crypto design document.

al1img
al1img reviewed Sep 12, 2025
View reviewed changes
src/core/common/crypto/cryptohelper.hpp
* @param[out] urls result URLs.
* @return Error.
*/
Error GetServiceDiscoveryURLs(Array<StaticString<cURLLen>>& urls);
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess this function should be moved to communication module

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

under discussion

al1img
al1img reviewed Sep 12, 2025
View reviewed changes
src/core/common/crypto/tests/cryptohelper.cpp Outdated
/**
* Stub implementation of CertProviderItf.
*/
class CertProviderStub : public iam::certhandler::CertProviderItf {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It could be usefull to put it into separate file under common/tests/stubs/certproviderstub.hpp

al1img
al1img reviewed Sep 12, 2025
View reviewed changes
src/core/common/config.hpp Outdated
/**
* Maximum number of private keys in crypto provider.
*/
#ifndef AOS_CONFIG_CRYPTO_MAX_PRIV_KEY_COUNT
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have AOS_CONFIG_CRYPTO_KEYS_COUNT I guess it can be used here

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

al1img
al1img reviewed Sep 12, 2025
View reviewed changes
al1img
al1img reviewed Sep 12, 2025
View reviewed changes
al1img
al1img reviewed Sep 12, 2025
View reviewed changes
al1img
al1img reviewed Sep 15, 2025
View reviewed changes
al1img
al1img reviewed Sep 15, 2025
View reviewed changes
src/core/common/crypto/mbedtls/cryptoprovider.cpp Outdated
* Private
**********************************************************************************************************************/

Time MbedTLSCryptoProvider::mCurrentTime;
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Move to static section

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

removed in the latest commit

al1img
al1img reviewed Sep 15, 2025
View reviewed changes
al1img
al1img reviewed Sep 17, 2025
View reviewed changes
src/core/common/pkcs11/privatekey.cpp
const Array<uint8_t>& cipher, const crypto::DecryptionOptions& options, Array<uint8_t>& result) const
{
CK_MECHANISM mechanism = {CKM_RSA_PKCS, nullptr, 0};
struct PCKS11MechConverter : public StaticVisitor<RetWithError<CK_MECHANISM>> {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But it could be used by some other methods in future

src/core/common/crypto/crypto.hpp
/**
* Max number of certificates.
*/
constexpr auto cMaxNumCertificates = AOS_CONFIG_CRYPTO_MAX_NUM_CERTIFICATES;
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we move it to types?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

basically, it mostly used in crypto module. all others still have to include crypto to have certificate type. so I'd keep it here.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Then other consts related to crypto should be moved there, for example:

/**

  • SHA256 size.
    */
    constexpr auto cSHA256Size = 32;

/**

  • SHA3-224 size.
    */
    constexpr auto cSHA3_224Size = 28;

src/core/common/tools/tests/thread.cpp
auto worker = [&]() {
LockGuard lock {sem};

int cur = ++currentRunning;
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is potential race condition between inc currentRunning and store load max running. Butter to do not use atomic here but just use mutex.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fixed with mutex

src/core/common/crypto/cryptohelper.hpp Outdated

static constexpr size_t cReadChunkSize = 1024;

static constexpr auto cMaxSimultaneousThreads = 2;
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add AOS_CONFIG_TYPES_MUX_CONCURRENT_ITEMS to types. It will be used for other modules as well.

src/core/common/crypto/tests/cryptohelper.cpp Outdated
std::vector<TestData> testData = {
{{online, intermediateCA, secondaryCA}, CreateCertChain("online", {"online", "intermediateCA", "secondaryCA"}),
CreateSigns("online", "RSA/SHA256/PKCS1v1_5")},

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

remove empty line

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

src/core/common/crypto/mbedtls/cryptoprovider.cpp Outdated
// Verify target certificate.
uint32_t flags = 0;
int ret = mbedtls_x509_crt_verify(&interm, &root, nullptr, nullptr, &flags, nullptr, nullptr);
int ret = mbedtls_x509_crt_verify(
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

empty line

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

src/core/common/crypto/mbedtls/cryptoprovider.cpp
if (!err.IsNone()) {
*flags |= MBEDTLS_X509_BADCERT_OTHER;

return 1;
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

return MBEDTLS_ERR_X509_CERT_VERIFY_FAILED; ?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it seems MBEDTLS_ERR_X509_CERT_VERIFY_FAILED is an error code, not flag

@mykola-kobets-epam
common: Change DesiredStatus::mTrustedTimestamp type to Time
f242a69 
Signed-off-by: Mykola Kobets <[email protected]>
@mykola-kobets-epam
tools: add File class for block read/write-ing
bdb1fbf 
Signed-off-by: Mykola Kobets <[email protected]>
@mykola-kobets-epam
types: add cSHA384Size const
d42fc38 
Signed-off-by: Mykola Kobets <[email protected]>
@mykola-kobets-epam
pkcs11: add DecryptionOptions to PrivateKeyItf::Decrypt method
82fadd0 
Signed-off-by: Mykola Kobets <[email protected]>
@mykola-kobets-epam
crypto: add issuer URLs to x509::Certificate
406d86b 
Signed-off-by: Mykola Kobets <[email protected]>
@mykola-kobets-epam
crypto: add eSHA512_224/eSHA512_256 to crypto interface
7fe25e4 
Signed-off-by: Mykola Kobets <[email protected]>
@mykola-kobets-epam
crypto: common: rename const for priv keys(AOS_CONFIG_CRYPTO_KEYS_COUNT)
a74156e 
Add AES encoder/decoder interfaces

Signed-off-by: Mykola Kobets <[email protected]>
@mykola-kobets-epam
common: move cMaxNumCertificates to crypto
9d73d40 
Signed-off-by: Mykola Kobets <[email protected]>
@mykola-kobets-epam
crypto: add ASN1 decoder interface
95dad8a 
Signed-off-by: Mykola Kobets <[email protected]>
@mykola-kobets-epam
crypto: add Verify signature/cert chain methods to x509::ProviderItf
c550b02 
Signed-off-by: Mykola Kobets <[email protected]>
@mykola-kobets-epam
common: fix lint errors
32efc60 
Signed-off-by: Mykola Kobets <[email protected]>
@codecov Codecov
Copy link

codecov bot commented Sep 19, 2025

Codecov Report

❌ Patch coverage is 70.80925% with 707 lines in your changes missing coverage. Please review.
✅ Project coverage is 80.28%. Comparing base (ae6ed40) to head (32efc60).

Files with missing lines Patch % Lines
src/core/common/crypto/openssl/cryptoprovider.cpp 56.85% 258 Missing ⚠️
src/core/common/crypto/mbedtls/cryptoprovider.cpp 69.31% 205 Missing ⚠️
src/core/common/crypto/cryptohelper.cpp 70.85% 153 Missing ⚠️
src/core/common/pkcs11/privatekey.cpp 17.77% 37 Missing ⚠️
src/core/common/crypto/openssl/opensslprovider.cpp 27.27% 16 Missing ⚠️
...e/common/tests/crypto/providers/opensslfactory.cpp 7.14% 13 Missing ⚠️
src/core/common/tools/fs.cpp 84.78% 7 Missing ⚠️
...rc/core/common/crypto/tests/stubs/certprovider.hpp 73.68% 5 Missing ⚠️
src/core/common/crypto/tests/cryptohelper.cpp 97.19% 3 Missing ⚠️
...e/common/tests/crypto/providers/mbedtlsfactory.cpp 89.28% 3 Missing ⚠️
... and 4 more
Additional details and impacted files 
@@                   Coverage Diff                   @@
##           feature_unification     #354      +/-   ##
=======================================================
- Coverage                81.44%   80.28%   -1.17%     
=======================================================
  Files                      179      183       +4     
  Lines                    17231    19487    +2256     
  Branches                  2320     2730     +410     
=======================================================
+ Hits                     14034    15645    +1611     
- Misses                    3197     3842     +645

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Failed Quality Gate failed

Failed conditions
2 Security Hotspots
34.4% Coverage on New Code (required ≥ 80%)
8.7% Duplication on New Code (required ≤ 3%)
C Reliability Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE

MykolaSuperman
MykolaSuperman approved these changes Sep 20, 2025
View reviewed changes
Copy link

@MykolaSuperman MykolaSuperman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed-by: Mykola Solianko <[email protected]>

mlohvynenko
mlohvynenko reviewed Sep 22, 2025
View reviewed changes
src/core/common/tools/fs.hpp
* @param[out] buffer destination buffer.
* @return Error.
*/
Error WriteBlock(Array<uint8_t>& buffer);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

consider accepting a const ref and returning RetWithError<size_t> bytes written

mlohvynenko
mlohvynenko reviewed Sep 22, 2025
View reviewed changes
src/core/common/crypto/tests/cmake/gencertificates.cmake
@@ -0,0 +1,406 @@
#
# Copyright (C) 2024 Renesas Electronics Corporation.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
# Copyright (C) 2024 Renesas Electronics Corporation.

mlohvynenko
mlohvynenko reviewed Sep 22, 2025
View reviewed changes
src/core/common/crypto/tests/cmake/gencertificates.cmake
@@ -0,0 +1,406 @@
#
# Copyright (C) 2024 Renesas Electronics Corporation.
# Copyright (C) 2024 EPAM Systems, Inc.
Copy link
Member

@mlohvynenko mlohvynenko Sep 22, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
# Copyright (C) 2024 EPAM Systems, Inc.
# Copyright (C) 2025 EPAM Systems, Inc.

mlohvynenko
mlohvynenko approved these changes Sep 22, 2025
View reviewed changes
Copy link
Member

@mlohvynenko mlohvynenko left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed-by: Mykhailo Lohvynenko <[email protected]>

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@al1img al1img al1img left review comments

@MykolaSuperman MykolaSuperman MykolaSuperman approved these changes

@mlohvynenko mlohvynenko mlohvynenko approved these changes

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@mykola-kobets-epam @al1img @MykolaSuperman @mlohvynenko