2 * Copyright (c) 2011 Samsung Electronics Co., Ltd All Rights Reserved
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
17 * @file WrtSignatureValidator.cpp
18 * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com)
20 * @brief Implementation of the Tizen signature validation protocol.
22 #include <vcore/WrtSignatureValidator.h>
24 #include <vcore/CertificateVerifier.h>
25 #include <vcore/Certificate.h>
26 #include <vcore/OCSPCertMgrUtil.h>
27 #include <vcore/ReferenceValidator.h>
28 #include <vcore/ValidatorFactories.h>
29 #include <vcore/XmlsecAdapter.h>
31 #include <dpl/log/log.h>
// Number of seconds in one day. Used further down to move the XML-signature
// validation time one day inside a certificate's validity period.
34 const time_t TIMET_DAY = 60 * 60 * 24;
// URIs from the W3C widgets-digsig namespace. The Role and Profile URI
// attributes read from a signature file are compared against these constants.
36 const std::string TOKEN_ROLE_AUTHOR_URI =
37 "http://www.w3.org/ns/widgets-digsig#role-author";
38 const std::string TOKEN_ROLE_DISTRIBUTOR_URI =
39 "http://www.w3.org/ns/widgets-digsig#role-distributor";
40 const std::string TOKEN_PROFILE_URI =
41 "http://www.w3.org/ns/widgets-digsig#profile";
43 } // namespace anonymous
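/**
 * @brief Decode an ASN1_TIME (UTCTime or GeneralizedTime) into a struct tm.
 *
 * The bytes decoded here are the notBefore/notAfter fields of a certificate
 * shipped inside the package under verification, so they are untrusted input.
 * The length of the value and every digit are validated before any index is
 * dereferenced; a short or non-numeric value must not cause a read past the
 * end of the ASN.1 buffer or produce garbage calendar fields.
 *
 * @param time ASN.1 time value taken from a certificate; may be NULL.
 * @return Calendar fields as encoded (tm_year relative to 1900, tm_mon
 *         0-based). An all-zero struct tm is returned when the value is NULL,
 *         has an unsupported type, is too short, contains a non-digit, or
 *         holds an out-of-range month/day/hour/minute/second.
 *
 * Note: no time-zone adjustment is applied; the fields are copied as encoded.
 */
static tm _ASN1_GetTimeT(ASN1_TIME* time)
{
    struct tm t;
    memset(&t, 0, sizeof(t));

    if (time == NULL || time->data == NULL) {
        return t;
    }

    int yearDigits = 0;
    if (time->type == V_ASN1_UTCTIME) { /* two digit year */
        yearDigits = 2;
    } else if (time->type == V_ASN1_GENERALIZEDTIME) { /* four digit year */
        yearDigits = 4;
    } else {
        return t; /* unsupported encoding: nothing sensible to decode */
    }

    /* year + MMDDhhmmss must all be present before indexing into data */
    const int needed = yearDigits + 10;
    if (time->length < needed) {
        return t;
    }

    const char* str = (const char*) time->data;
    for (int k = 0; k < needed; ++k) {
        if (str[k] < '0' || str[k] > '9') {
            return t;
        }
    }

    int year = 0;
    if (yearDigits == 2) {
        year = (str[0] - '0') * 10 + (str[1] - '0');
        /* RFC 5280 4.1.2.5.1: YY < 50 means 20YY, otherwise 19YY.
         * NOTE(review): the pivot used by the previous code is not visible
         * in this listing -- confirm it matched. */
        if (year < 50) {
            year += 100;
        }
    } else {
        year = (str[0] - '0') * 1000
             + (str[1] - '0') * 100
             + (str[2] - '0') * 10
             + (str[3] - '0');
        year -= 1900;
    }

    const int i = yearDigits;
    const int mon  = (str[i]   - '0') * 10 + (str[i+1] - '0');
    const int mday = (str[i+2] - '0') * 10 + (str[i+3] - '0');
    const int hour = (str[i+4] - '0') * 10 + (str[i+5] - '0');
    const int min  = (str[i+6] - '0') * 10 + (str[i+7] - '0');
    const int sec  = (str[i+8] - '0') * 10 + (str[i+9] - '0');

    /* Reject impossible calendar values instead of handing them to mktime(). */
    if (mon < 1 || mon > 12 || mday < 1 || mday > 31 ||
        hour > 23 || min > 59 || sec > 60) {
        return t;
    }

    t.tm_year = year;
    t.tm_mon = mon - 1; // -1 since January is 0 not 1.
    t.tm_mday = mday;
    t.tm_hour = hour;
    t.tm_min = min;
    t.tm_sec = sec;

    /* Note: we did not adjust the time based on time zone information */
    return t;
}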
81 namespace ValidationCore {
// Abstract base for the per-profile validators (ImplTizen / ImplWac). It holds
// the policy flags and the structural checks shared by both check() variants.
// NOTE(review): this listing has dropped lines (braces, return statements and
// some parameters), so return values of the helpers below are not visible.
83 class WrtSignatureValidator::Impl {
// Profile-specific validation entry point, implemented by the subclasses.
85 virtual WrtSignatureValidator::Result check(
87 const std::string &widgetContentPath) = 0;
// Stores the compliance-mode flag; the OCSP/CRL switches are only stored when
// the build enables TIZEN_FEATURE_CERT_SVC_OCSP_CRL.
89 explicit Impl(bool ocspEnable,
92 : m_complianceModeEnabled(complianceMode)
94 #ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
95 m_ocspEnable = ocspEnable;
96 m_crlEnable = crlEnable;
// Checks that the Role URI is present and matches the kind of signature file:
// the author URI for an author signature, the distributor URI otherwise.
// This ties the role claimed inside the XML to the role implied by the file
// name, so one kind of signature cannot be presented as the other.
// Presumably returns false after each warning -- the return lines are not
// visible in this listing.
105 bool checkRoleURI(const SignatureData &data) {
106 std::string roleURI = data.getRoleURI();
108 if (roleURI.empty()) {
109 LogWarning("URI attribute in Role tag couldn't be empty.");
113 if (roleURI != TOKEN_ROLE_AUTHOR_URI && data.isAuthorSignature()) {
114 LogWarning("URI attribute in Role tag does not "
115 "match with signature filename.");
119 if (roleURI != TOKEN_ROLE_DISTRIBUTOR_URI && !data.isAuthorSignature()) {
120 LogWarning("URI attribute in Role tag does not "
121 "match with signature filename.");
// Accepts only the single supported widgets-digsig profile URI.
// The rejected value is taken from the signature file and written to the log
// as-is.
127 bool checkProfileURI(const SignatureData &data) {
128 if (TOKEN_PROFILE_URI != data.getProfileURI()) {
129 LogWarning("Profile tag contains unsupported value in URI attribute " << data.getProfileURI());
// Verifies that every object listed in the signature data also has a
// reference in the signature; an object without a reference is reported.
135 bool checkObjectReferences(const SignatureData &data) {
136 ObjectList objectList = data.getObjectList();
137 ObjectList::const_iterator iter;
138 for (iter = objectList.begin(); iter != objectList.end(); ++iter) {
139 if (!data.containObjectReference(*iter)) {
140 LogWarning("Signature does not contain reference for object " << *iter);
// When set, the OCSP/CRL step in check() is skipped (see the
// !m_complianceModeEnabled condition there).
147 bool m_complianceModeEnabled;
148 #ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
// Validator used for Tizen applications. It differs from ImplWac mainly in the
// result codes it returns and in which trust stores refuse the validity-time
// adjustment (see ImplTizen::check).
155 class ImplTizen : public WrtSignatureValidator::Impl {
157 WrtSignatureValidator::Result check(SignatureData &data,
158 const std::string &widgetContentPath);
// Forwards the policy flags to the shared base class.
160 explicit ImplTizen(bool ocspEnable,
163 : Impl(ocspEnable, crlEnable, complianceMode)
166 virtual ~ImplTizen() {}
// Validates one signature file (author or distributor) of a Tizen package.
//
// Visible flow: Role/Profile URI checks -> certificate chain sort and
// completion -> trust-store lookup of the last certificate in the chain ->
// validity-period handling -> XML signature and reference validation ->
// optional OCSP/CRL check -> final verdict.
//
// NOTE(review): this listing has dropped lines (several conditions, braces and
// assignments are missing). The comments below describe only what the visible
// lines establish; anything else is marked as needing confirmation.
169 WrtSignatureValidator::Result ImplTizen::check(
171 const std::string &widgetContentPath)
// Presumably set on the "Signature will be disregarded" paths below and
// consulted before the final return -- the assignments are not visible.
173 bool disregard = false;
175 if (!checkRoleURI(data)) {
176 return WrtSignatureValidator::SIGNATURE_INVALID;
179 if (!checkProfileURI(data)) {
180 return WrtSignatureValidator::SIGNATURE_INVALID;
183 // CertificateList sortedCertificateList = data.getCertList();
// The certificate list comes from the signature file, i.e. from the package
// being verified. It is untrusted until the chain is anchored in a local
// trust store below.
185 CertificateCollection collection;
186 collection.load(data.getCertList());
188 // First step - sort certificate
189 if (!collection.sort()) {
190 LogWarning("Certificates do not form valid chain.");
191 return WrtSignatureValidator::SIGNATURE_INVALID_CERT_CHAIN;//SIGNATURE_INVALID;
195 if (collection.empty()) {
196 LogWarning("Certificate list in signature is empty.");
197 return WrtSignatureValidator::SIGNATURE_INVALID_CERT_CHAIN;//SIGNATURE_INVALID;
200 CertificateList sortedCertificateList = collection.getChain();
202 // TODO move it to CertificateCollection
203 // Add root CA and CA certificates (if chain is incomplete)
204 sortedCertificateList =
205 OCSPCertMgrUtil::completeCertificateChain(sortedCertificateList);
// "root" is simply the last element of the completed list. Whether it is a
// trusted anchor is decided only by the store lookup that follows.
207 CertificatePtr root = sortedCertificateList.back();
209 // Is Root CA certificate trusted?
210 CertStoreId::Set storeIdSet = createCertificateIdentifier().find(root);
// NOTE(review): the TIZEN_PUBLIC / TIZEN_PARTNER / TIZEN_PLATFORM lines print
// the VIS_PUBLIC / VIS_PARTNER / VIS_PLATFORM flags, the same values as the
// "Visibility level" lines. The labels can mislead someone reading these logs
// during triage.
212 LogDebug("Is root certificate from TIZEN_DEVELOPER domain : " << storeIdSet.contains(CertStoreId::TIZEN_DEVELOPER));
213 LogDebug("Is root certificate from TIZEN_TEST domain : " << storeIdSet.contains(CertStoreId::TIZEN_TEST));
214 LogDebug("Is root certificate from TIZEN_VERIFY domain : " << storeIdSet.contains(CertStoreId::TIZEN_VERIFY));
215 LogDebug("Is root certificate from TIZEN_PUBLIC domain : " << storeIdSet.contains(CertStoreId::VIS_PUBLIC));
216 LogDebug("Is root certificate from TIZEN_PARTNER domain : " << storeIdSet.contains(CertStoreId::VIS_PARTNER));
217 LogDebug("Is root certificate from TIZEN_PLATFORM domain : " << storeIdSet.contains(CertStoreId::VIS_PLATFORM));
218 LogDebug("Visibility level is public : " << storeIdSet.contains(CertStoreId::VIS_PUBLIC));
219 LogDebug("Visibility level is partner : " << storeIdSet.contains(CertStoreId::VIS_PARTNER));
220 LogDebug("Visibility level is platform : " << storeIdSet.contains(CertStoreId::VIS_PLATFORM));
// Role separation between trust domains: an author signature must chain to a
// TIZEN_DEVELOPER root, and a distributor signature must NOT chain to one
// (that case is rejected with a dedicated result code).
222 if (data.isAuthorSignature())
224 if (!storeIdSet.contains(CertStoreId::TIZEN_DEVELOPER))
226 LogWarning("author-signature.xml has got unrecognized Root CA "
227 "certificate. Signature will be disregarded.");
233 if (storeIdSet.contains(CertStoreId::TIZEN_DEVELOPER))
235 LogWarning("distributor has author level siganture! Signature will be disregarded.");
236 return WrtSignatureValidator::SIGNATURE_IN_DISTRIBUTOR_CASE_AUTHOR_CERT;//SIGNATURE_INVALID;
238 LogDebug("signaturefile name = " << data.getSignatureFileName());
// signature1.xml must chain to a root carrying one of the visibility flags
// (public, partner or platform).
241 if (data.getSignatureNumber() == 1)
243 if (storeIdSet.contains(CertStoreId::VIS_PUBLIC) || storeIdSet.contains(CertStoreId::VIS_PARTNER) || storeIdSet.contains(CertStoreId::VIS_PLATFORM))
245 LogDebug("Root CA for signature1.xml is correct.");
249 LogWarning("signature1.xml has got unrecognized Root CA "
250 "certificate. Signature will be disregarded.");
256 data.setStorageType(storeIdSet);
257 data.setSortedCertificateList(sortedCertificateList);
259 // We add only Root CA certificate because WAC ensure that the rest
260 // of certificates are present in signature files ;-)
261 XmlSec::XmlSecContext context;
262 context.signatureFile = data.getSignatureFileName();
263 context.certificatePtr = root;
265 // Now we should have full certificate chain.
266 // If the end certificate is not ROOT CA we should disregard signature
267 // but still signature must be valid... Aaaaaa it's so stupid...
// A non-self-signed "root" only produces a warning in the visible lines
// (allowBrokenChain stays commented out). Confirm what else, if anything,
// happens on this path.
268 if (!(root->isSignedBy(root))) {
269 LogWarning("Root CA certificate not found. Chain is incomplete.");
270 //context.allowBrokenChain = true;
273 // WAC 2.0 SP-2066 The wrt must not block widget installation
274 // due to expiration of the author certificate.
// nowTime is the device clock, so every decision below inherits whatever
// trust the platform places in that clock.
275 time_t nowTime = time(NULL);
279 ASN1_TIME* notAfterTime = data.getEndEntityCertificatePtr()->getNotAfterTime();
280 ASN1_TIME* notBeforeTime = data.getEndEntityCertificatePtr()->getNotBeforeTime();
// SECURITY: when the device clock is outside the end-entity certificate's
// validity period, the signature is not rejected here unless the root is in
// TIZEN_TEST or TIZEN_VERIFY. Instead a synthetic time `tc` is derived from
// notBefore/notAfter and handed to XmlSec as context.validationTime, so the
// chain is evaluated at a moment chosen to lie inside the validity window.
// Expired and not-yet-valid certificates are therefore accepted on this path.
// The SP-2066 comment above motivates this for the author certificate only.
// No isAuthorSignature() condition is visible around this block -- confirm
// that distributor signatures are not covered as well.
282 if (X509_cmp_time(notBeforeTime, &nowTime) > 0 || X509_cmp_time(notAfterTime, &nowTime) < 0)
285 struct tm ta, tb, tc;
288 t = localtime(&nowTime);
290 return WrtSignatureValidator::SIGNATURE_INVALID_CERT_TIME;
292 memset(&tc, 0, sizeof(tc));
// Diagnostics are written to stderr as well as to the log.
294 snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", t->tm_year + 1900, t->tm_mon + 1,t->tm_mday );
295 LogDebug("## System's currentTime : " << msg);
296 fprintf(stderr, "## System's currentTime : %s\n", msg);
// tb / ta are decoded from certificate-supplied ASN.1 bytes; treat them as
// attacker-influenced values in everything computed from them below.
298 tb = _ASN1_GetTimeT(notBeforeTime);
299 snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", tb.tm_year + 1900, tb.tm_mon + 1,tb.tm_mday );
300 LogDebug("## certificate's notBeforeTime : " << msg);
301 fprintf(stderr, "## certificate's notBeforeTime : %s\n", msg);
303 ta = _ASN1_GetTimeT(notAfterTime);
304 snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", ta.tm_year + 1900, ta.tm_mon + 1,ta.tm_mday );
305 LogDebug("## certificate's notAfterTime : " << msg);
306 fprintf(stderr, "## certificate's notAfterTime : %s\n", msg);
// Roots from the TIZEN_TEST and TIZEN_VERIFY stores get no time adjustment:
// an out-of-window certificate is rejected outright.
308 if (storeIdSet.contains(CertStoreId::TIZEN_TEST) || storeIdSet.contains(CertStoreId::TIZEN_VERIFY))
310 LogDebug("## TIZEN_VERIFY : check certificate Time : FALSE");
311 fprintf(stderr, "## TIZEN_VERIFY : check certificate Time : FALSE\n");
312 return WrtSignatureValidator::SIGNATURE_INVALID_CERT_TIME;//SIGNATURE_INVALID;
// Candidate validation dates are built from the notBefore/notAfter fields.
// The conditions selecting between the candidates below are not visible in
// this listing.
315 int year = (ta.tm_year - tb.tm_year) / 4;
319 tc.tm_year = tb.tm_year;
320 tc.tm_mon = tb.tm_mon + 1;
321 tc.tm_mday = tb.tm_mday;
325 tc.tm_year = ta.tm_year;
326 tc.tm_mon = ta.tm_mon - 1;
327 tc.tm_mday = ta.tm_mday;
331 tc.tm_year = ta.tm_year;
332 tc.tm_mon = ta.tm_mon;
333 tc.tm_mday = ta.tm_mday -1;
337 tc.tm_year = tb.tm_year;
338 tc.tm_mon = tb.tm_mon;
339 tc.tm_mday = tb.tm_mday +1;
345 tc.tm_year = tb.tm_year + year;
346 tc.tm_mon = (tb.tm_mon + ta.tm_mon )/2;
347 tc.tm_mday = (tb.tm_mday + ta.tm_mday)/2;
350 snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", tc.tm_year + 1900, tc.tm_mon + 1,tc.tm_mday );
351 LogDebug("## cmp cert with validation time : " << msg);
352 fprintf(stderr, "## cmp cert with validation time : %s\n", msg);
// mktime() interprets tc as local time, while the certificate fields were
// copied without time-zone adjustment. No check of the result against
// (time_t)-1 is visible before it becomes the validation time.
354 time_t outCurrent = mktime(&tc);
355 context.validationTime = outCurrent;
357 fprintf(stderr, "## cmp outCurrent time : %ld\n", outCurrent);
359 //return WrtSignatureValidator::SIGNATURE_INVALID;
// time_t based variant of the same adjustment, limited to author signatures:
// the validation time is moved one day inside the validity window.
// NOTE(review): whether this variant is compiled in, or superseded by the
// ASN1_TIME block above, cannot be told from the visible lines.
365 time_t notAfter = data.getEndEntityCertificatePtr()->getNotAfter();
366 time_t notBefore = data.getEndEntityCertificatePtr()->getNotBefore();
370 if (data.isAuthorSignature())
372 // time_t 2038 year bug exist. So, notAtter() cann't check...
374 if (notAfter < nowTime)
376 context.validationTime = notAfter - TIMET_DAY;
377 LogWarning("Author certificate is expired. notAfter...");
381 if (notBefore > nowTime)
383 LogWarning("Author certificate is expired. notBefore time is greater than system-time.");
// localtime() can return NULL and hands back a pointer to shared static
// storage. The visible lines dereference `t` without a check.
385 t = localtime(&nowTime);
386 LogDebug("System's current Year : " << (t->tm_year + 1900));
387 LogDebug("System's current month : " << (t->tm_mon + 1));
388 LogDebug("System's current day : " << (t->tm_mday));
// The argument on the next line is presumably &notBefore, damaged by the
// page extraction.
390 t = localtime(¬Before);
391 LogDebug("Author certificate's notBefore Year : " << (t->tm_year + 1900));
392 LogDebug("Author certificate's notBefore month : " << (t->tm_mon + 1));
393 LogDebug("Author certificate's notBefore day : " << (t->tm_mday));
395 context.validationTime = notBefore + TIMET_DAY;
397 t = localtime(&context.validationTime);
398 LogDebug("Modified current Year : " << (t->tm_year + 1900));
399 LogDebug("Modified current notBefore month : " << (t->tm_mon + 1));
400 LogDebug("Modified current notBefore day : " << (t->tm_mday));
404 // WAC 2.0 SP-2066 The wrt must not block widget installation
405 //context.allowBrokenChain = true;
// Cryptographic validation of the XML signature, followed by the two
// reference checks (object references, then file references against the
// package content on disk).
// NOTE(review): the visible lines show this only under the non-author branch.
// Confirm that author signatures are also cryptographically validated.
408 if (!data.isAuthorSignature())
410 if (XmlSec::NO_ERROR != XmlSecSingleton::Instance().validate(&context)) {
411 LogWarning("Installation break - invalid package!");
412 return WrtSignatureValidator::SIGNATURE_INVALID_HASH_SIGNATURE;//SIGNATURE_INVALID;
415 data.setReference(context.referenceSet);
417 if (!checkObjectReferences(data)) {
418 LogWarning("Failed to check Object References");
419 return WrtSignatureValidator::SIGNATURE_INVALID_HASH_SIGNATURE;//SIGNATURE_INVALID;
422 ReferenceValidator fileValidator(widgetContentPath);
423 if (ReferenceValidator::NO_ERROR != fileValidator.checkReferences(data)) {
424 LogWarning("Invalid package - file references broken");
425 return WrtSignatureValidator::SIGNATURE_INVALID_NO_HASH_FILE;//SIGNATURE_INVALID;
// Revocation checking exists only in builds with
// TIZEN_FEATURE_CERT_SVC_OCSP_CRL. Even there it is skipped for author
// signatures and whenever compliance mode is enabled.
429 #ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
430 // It is good time to do OCSP check
431 // ocspCheck will throw an exception on any error.
432 // TODO Probably we should catch this exception and add
433 // some information to SignatureData.
434 if (!m_complianceModeEnabled && !data.isAuthorSignature()) {
435 CertificateCollection coll;
436 coll.load(sortedCertificateList);
439 LogDebug("Collection does not contain chain!");
440 return WrtSignatureValidator::SIGNATURE_INVALID_CERT_CHAIN;//SIGNATURE_INVALID;
443 CertificateVerifier verificator(m_ocspEnable, m_crlEnable);
444 VerificationStatus result = verificator.check(coll);
446 if (result == VERIFICATION_STATUS_REVOKED) {
447 return WrtSignatureValidator::SIGNATURE_REVOKED;
// NOTE(review): the handling of UNKNOWN / ERROR depends on
// _OCSP_POLICY_DISREGARD_UNKNOWN_OR_ERROR_CERTS_ and its body is not visible.
// Confirm that an unreachable or failing responder does not silently let the
// signature through when the macro is undefined.
450 if (result == VERIFICATION_STATUS_UNKNOWN ||
451 result == VERIFICATION_STATUS_ERROR)
453 #ifdef _OCSP_POLICY_DISREGARD_UNKNOWN_OR_ERROR_CERTS_
461 LogWarning("Signature is disregard. RootCA is not a member of Tizen");
462 return WrtSignatureValidator::SIGNATURE_INVALID_DISTRIBUTOR_CERT;//SIGNATURE_DISREGARD;
464 return WrtSignatureValidator::SIGNATURE_VERIFIED;
// Validator used for non-Tizen (WAC) applications. It follows the same steps
// as ImplTizen but reports most failures as the generic SIGNATURE_INVALID.
467 class ImplWac : public WrtSignatureValidator::Impl
470 WrtSignatureValidator::Result check(SignatureData &data,
471 const std::string &widgetContentPath);
// Forwards the policy flags to the shared base class.
473 explicit ImplWac(bool ocspEnable,
476 : Impl(ocspEnable, crlEnable, complianceMode)
479 virtual ~ImplWac() {}
// Validates one signature file (author or distributor) of a WAC package.
//
// Visible flow: Role/Profile URI checks -> certificate chain sort and
// completion -> trust-store lookup of the last certificate in the chain ->
// validity-period handling -> XML signature and reference validation ->
// optional OCSP/CRL check -> final verdict.
//
// NOTE(review): this listing has dropped lines (several conditions, braces and
// assignments are missing). The comments below describe only what the visible
// lines establish; anything else is marked as needing confirmation.
482 WrtSignatureValidator::Result ImplWac::check(
484 const std::string &widgetContentPath)
// Presumably set on the "Signature will be disregarded" paths below and
// consulted before the final return -- the assignments are not visible.
486 bool disregard = false;
488 if (!checkRoleURI(data)) {
489 return WrtSignatureValidator::SIGNATURE_INVALID;
492 if (!checkProfileURI(data)) {
493 return WrtSignatureValidator::SIGNATURE_INVALID;
496 // CertificateList sortedCertificateList = data.getCertList();
// The certificate list comes from the signature file inside the package and
// is untrusted until the chain is anchored in a local trust store below.
498 CertificateCollection collection;
499 collection.load(data.getCertList());
501 // First step - sort certificate
502 if (!collection.sort()) {
503 LogWarning("Certificates do not form valid chain.");
504 return WrtSignatureValidator::SIGNATURE_INVALID;
508 if (collection.empty()) {
509 LogWarning("Certificate list in signature is empty.");
510 return WrtSignatureValidator::SIGNATURE_INVALID;
513 CertificateList sortedCertificateList = collection.getChain();
515 // TODO move it to CertificateCollection
516 // Add root CA and CA certificates (if chain is incomplete)
517 sortedCertificateList =
518 OCSPCertMgrUtil::completeCertificateChain(sortedCertificateList);
// "root" is simply the last element of the completed list. Whether it is a
// trusted anchor is decided only by the store lookup that follows.
520 CertificatePtr root = sortedCertificateList.back();
522 // Is Root CA certificate trusted?
523 CertStoreId::Set storeIdSet = createCertificateIdentifier().find(root);
// NOTE(review): the TIZEN_PUBLIC / TIZEN_PARTNER / TIZEN_PLATFORM lines print
// the VIS_* flags, the same values as the "Visibility level" lines below.
525 LogDebug("Is root certificate from TIZEN_DEVELOPER domain : " << storeIdSet.contains(CertStoreId::TIZEN_DEVELOPER));
526 LogDebug("Is root certificate from TIZEN_TEST domain : " << storeIdSet.contains(CertStoreId::TIZEN_TEST));
527 LogDebug("Is root certificate from TIZEN_VERIFY domain : " << storeIdSet.contains(CertStoreId::TIZEN_VERIFY));
528 LogDebug("Is root certificate from TIZEN_PUBLIC domain : " << storeIdSet.contains(CertStoreId::VIS_PUBLIC));
529 LogDebug("Is root certificate from TIZEN_PARTNER domain : " << storeIdSet.contains(CertStoreId::VIS_PARTNER));
530 LogDebug("Is root certificate from TIZEN_PLATFORM domain : " << storeIdSet.contains(CertStoreId::VIS_PLATFORM));
531 LogDebug("Visibility level is public : " << storeIdSet.contains(CertStoreId::VIS_PUBLIC));
532 LogDebug("Visibility level is partner : " << storeIdSet.contains(CertStoreId::VIS_PARTNER));
533 LogDebug("Visibility level is platform : " << storeIdSet.contains(CertStoreId::VIS_PLATFORM));
// Role separation between trust domains: an author signature must chain to a
// TIZEN_DEVELOPER root, and a distributor signature chaining to one is
// rejected.
535 if (data.isAuthorSignature())
537 if (!storeIdSet.contains(CertStoreId::TIZEN_DEVELOPER))
539 LogWarning("author-signature.xml has got unrecognized Root CA "
540 "certificate. Signature will be disregarded.");
546 if (storeIdSet.contains(CertStoreId::TIZEN_DEVELOPER))
548 LogWarning("distributor has author level siganture! Signature will be disregarded.");
549 return WrtSignatureValidator::SIGNATURE_INVALID;
551 LogDebug("signaturefile name = " << data.getSignatureFileName());
// signature1.xml must chain to a root carrying one of the visibility flags.
553 if (data.getSignatureNumber() == 1)
555 if (storeIdSet.contains(CertStoreId::VIS_PUBLIC) || storeIdSet.contains(CertStoreId::VIS_PARTNER) || storeIdSet.contains(CertStoreId::VIS_PLATFORM))
557 LogDebug("Root CA for signature1.xml is correct.");
561 LogWarning("signature1.xml has got unrecognized Root CA "
562 "certificate. Signature will be disregarded.");
568 data.setStorageType(storeIdSet);
569 data.setSortedCertificateList(sortedCertificateList);
571 // We add only Root CA certificate because WAC ensure that the rest
572 // of certificates are present in signature files ;-)
573 XmlSec::XmlSecContext context;
574 context.signatureFile = data.getSignatureFileName();
575 context.certificatePtr = root;
577 // Now we should have full certificate chain.
578 // If the end certificate is not ROOT CA we should disregard signature
579 // but still signature must be valid... Aaaaaa it's so stupid...
// A non-self-signed "root" only produces a warning in the visible lines
// (allowBrokenChain stays commented out).
580 if (!(root->isSignedBy(root))) {
581 LogWarning("Root CA certificate not found. Chain is incomplete.");
582 // context.allowBrokenChain = true;
// nowTime is the device clock, so every decision below inherits whatever
// trust the platform places in that clock.
585 time_t nowTime = time(NULL);
586 // WAC 2.0 SP-2066 The wrt must not block widget installation
587 // due to expiration of the author certificate.
591 ASN1_TIME* notAfterTime = data.getEndEntityCertificatePtr()->getNotAfterTime();
592 ASN1_TIME* notBeforeTime = data.getEndEntityCertificatePtr()->getNotBeforeTime();
// SECURITY: when the device clock is outside the end-entity certificate's
// validity period, the signature is not rejected here unless the root is in
// TIZEN_VERIFY. A synthetic time `tc` derived from notBefore/notAfter becomes
// context.validationTime, so XmlSec evaluates the chain at a moment chosen to
// lie inside the validity window. Expired and not-yet-valid certificates are
// accepted on this path. SP-2066 motivates this for the author certificate
// only. No isAuthorSignature() condition is visible around this block --
// confirm that distributor signatures are not covered as well.
594 if (X509_cmp_time(notBeforeTime, &nowTime) > 0 || X509_cmp_time(notAfterTime, &nowTime) < 0)
597 struct tm ta, tb, tc;
600 t = localtime(&nowTime);
602 return WrtSignatureValidator::SIGNATURE_INVALID_CERT_TIME;
604 memset(&tc, 0, sizeof(tc));
// Diagnostics are written to stderr as well as to the log.
606 snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", t->tm_year + 1900, t->tm_mon + 1,t->tm_mday );
607 LogDebug("## System's currentTime : " << msg);
608 fprintf(stderr, "## System's currentTime : %s\n", msg);
// tb / ta are decoded from certificate-supplied ASN.1 bytes; treat them as
// attacker-influenced values in everything computed from them below.
610 tb = _ASN1_GetTimeT(notBeforeTime);
611 snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", tb.tm_year + 1900, tb.tm_mon + 1,tb.tm_mday );
612 LogDebug("## certificate's notBeforeTime : " << msg);
613 fprintf(stderr, "## certificate's notBeforeTime : %s\n", msg);
615 ta = _ASN1_GetTimeT(notAfterTime);
616 snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", ta.tm_year + 1900, ta.tm_mon + 1,ta.tm_mday );
617 LogDebug("## certificate's notAfterTime : " << msg);
618 fprintf(stderr, "## certificate's notAfterTime : %s\n", msg);
// Only TIZEN_VERIFY roots are refused the time adjustment here; this variant
// does not test TIZEN_TEST at this point.
620 if (storeIdSet.contains(CertStoreId::TIZEN_VERIFY))
622 LogDebug("## TIZEN_VERIFY : check certificate Time : FALSE");
623 fprintf(stderr, "## TIZEN_VERIFY : check certificate Time : FALSE\n");
624 return WrtSignatureValidator::SIGNATURE_INVALID;
// Candidate validation dates are built from the notBefore/notAfter fields.
// The conditions selecting between the candidates below are not visible in
// this listing.
627 int year = (ta.tm_year - tb.tm_year) / 4;
631 tc.tm_year = tb.tm_year;
632 tc.tm_mon = tb.tm_mon + 1;
633 tc.tm_mday = tb.tm_mday;
637 tc.tm_year = ta.tm_year;
638 tc.tm_mon = ta.tm_mon - 1;
639 tc.tm_mday = ta.tm_mday;
643 tc.tm_year = ta.tm_year;
644 tc.tm_mon = ta.tm_mon;
645 tc.tm_mday = ta.tm_mday -1;
649 tc.tm_year = tb.tm_year;
650 tc.tm_mon = tb.tm_mon;
651 tc.tm_mday = tb.tm_mday +1;
657 tc.tm_year = tb.tm_year + year;
658 tc.tm_mon = (tb.tm_mon + ta.tm_mon )/2;
659 tc.tm_mday = (tb.tm_mday + ta.tm_mday)/2;
662 snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", tc.tm_year + 1900, tc.tm_mon + 1,tc.tm_mday );
663 LogDebug("## cmp cert with validation time : " << msg);
664 fprintf(stderr, "## cmp cert with validation time : %s\n", msg);
// mktime() interprets tc as local time. No check of the result against
// (time_t)-1 is visible before it becomes the validation time.
666 time_t outCurrent = mktime(&tc);
668 fprintf(stderr, "## cmp outCurrent time : %ld\n", outCurrent);
670 context.validationTime = outCurrent;
671 //return WrtSignatureValidator::SIGNATURE_INVALID;
// time_t based variant of the same adjustment, limited to author signatures:
// the validation time is moved one day inside the validity window.
// NOTE(review): whether this variant is compiled in cannot be told from the
// visible lines.
677 time_t notAfter = data.getEndEntityCertificatePtr()->getNotAfter();
678 time_t notBefore = data.getEndEntityCertificatePtr()->getNotBefore();
682 if (data.isAuthorSignature())
684 // time_t 2038 year bug exist. So, notAtter() cann't check...
686 if (notAfter < nowTime)
688 context.validationTime = notAfter - TIMET_DAY;
689 LogWarning("Author certificate is expired. notAfter...");
693 if (notBefore > nowTime)
695 LogWarning("Author certificate is expired. notBefore time is greater than system-time.");
// localtime() can return NULL and hands back a pointer to shared static
// storage. The visible lines dereference `t` without a check.
697 t = localtime(&nowTime);
698 LogDebug("System's current Year : " << (t->tm_year + 1900));
699 LogDebug("System's current month : " << (t->tm_mon + 1));
700 LogDebug("System's current day : " << (t->tm_mday));
// The argument on the next line is presumably &notBefore, damaged by the
// page extraction.
702 t = localtime(¬Before);
703 LogDebug("Author certificate's notBefore Year : " << (t->tm_year + 1900));
704 LogDebug("Author certificate's notBefore month : " << (t->tm_mon + 1));
705 LogDebug("Author certificate's notBefore day : " << (t->tm_mday));
707 context.validationTime = notBefore + TIMET_DAY;
709 t = localtime(&context.validationTime);
710 LogDebug("Modified current Year : " << (t->tm_year + 1900));
711 LogDebug("Modified current notBefore month : " << (t->tm_mon + 1));
712 LogDebug("Modified current notBefore day : " << (t->tm_mday));
// Cryptographic validation of the XML signature, followed by the object and
// file reference checks.
// NOTE(review): the visible lines show this only under the non-author branch.
// Confirm that author signatures are also cryptographically validated.
717 if (!data.isAuthorSignature())
719 if (XmlSec::NO_ERROR != XmlSecSingleton::Instance().validate(&context)) {
720 LogWarning("Installation break - invalid package!");
721 return WrtSignatureValidator::SIGNATURE_INVALID;
724 data.setReference(context.referenceSet);
726 if (!checkObjectReferences(data)) {
727 return WrtSignatureValidator::SIGNATURE_INVALID;
730 ReferenceValidator fileValidator(widgetContentPath);
731 if (ReferenceValidator::NO_ERROR != fileValidator.checkReferences(data)) {
732 LogWarning("Invalid package - file references broken");
733 return WrtSignatureValidator::SIGNATURE_INVALID;
// Revocation checking exists only in builds with
// TIZEN_FEATURE_CERT_SVC_OCSP_CRL. Even there it is skipped for author
// signatures and whenever compliance mode is enabled.
737 #ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
738 // It is good time to do OCSP check
739 // ocspCheck will throw an exception on any error.
740 // TODO Probably we should catch this exception and add
741 // some information to SignatureData.
742 if (!m_complianceModeEnabled && !data.isAuthorSignature()) {
743 CertificateCollection coll;
744 coll.load(sortedCertificateList);
747 LogDebug("Collection does not contain chain!");
748 return WrtSignatureValidator::SIGNATURE_INVALID;
751 CertificateVerifier verificator(m_ocspEnable, m_crlEnable);
752 VerificationStatus result = verificator.check(coll);
754 if (result == VERIFICATION_STATUS_REVOKED) {
755 return WrtSignatureValidator::SIGNATURE_REVOKED;
// NOTE(review): the handling of UNKNOWN / ERROR depends on
// _OCSP_POLICY_DISREGARD_UNKNOWN_OR_ERROR_CERTS_ and its body is not visible.
// Confirm that a failing responder does not silently let the signature
// through when the macro is undefined.
758 if (result == VERIFICATION_STATUS_UNKNOWN ||
759 result == VERIFICATION_STATUS_ERROR)
761 #ifdef _OCSP_POLICY_DISREGARD_UNKNOWN_OR_ERROR_CERTS_
763 #endif //_OCSP_POLICY_DISREGARD_UNKNOWN_OR_ERROR_CERTS_
769 LogWarning("Signature is disregard. RootCA is not a member of Tizen.");
770 return WrtSignatureValidator::SIGNATURE_DISREGARD;
772 return WrtSignatureValidator::SIGNATURE_VERIFIED;
775 // Implementation of WrtSignatureValidator
// Selects the validation policy from the application type: TIZEN gets
// ImplTizen; the other visible allocation is ImplWac (the line between the
// two is missing from this listing, presumably an else).
// m_impl is an owning raw pointer created with new. Confirm that the
// destructor releases it and that copying of the validator is disabled.
777 WrtSignatureValidator::WrtSignatureValidator(
784 if (appType == TIZEN)
785 m_impl = new ImplTizen(ocspEnable,crlEnable,complianceMode);
787 m_impl = new ImplWac(ocspEnable,crlEnable,complianceMode);
// Destructor. Its body is not visible in this listing; it is expected to
// release the m_impl object allocated by the constructor -- TODO confirm.
790 WrtSignatureValidator::~WrtSignatureValidator()
// Public entry point: delegates to the profile-specific implementation chosen
// in the constructor and returns its verdict unchanged.
795 WrtSignatureValidator::Result WrtSignatureValidator::check(
797 const std::string &widgetContentPath)
799 return m_impl->check(data, widgetContentPath);
802 } // namespace ValidationCore