X-Git-Url: http://review.tizen.org/git/?a=blobdiff_plain;f=src%2Fjobs%2Fwidget_install%2Ftask_certify.cpp;h=128f022a865077d2700aa711ba0d0f65a208343f;hb=7318f9524c8f477b402ad3951496bfc2e27095b3;hp=4d22aca287bcf5f4bafcd64507466d8857913ffb;hpb=cddf49526f6ae72951c20e53af3cf5aa7f6d0cc2;p=framework%2Fweb%2Fwrt-installer.git diff --git a/src/jobs/widget_install/task_certify.cpp b/src/jobs/widget_install/task_certify.cpp index 4d22aca..128f022 100644 --- a/src/jobs/widget_install/task_certify.cpp +++ b/src/jobs/widget_install/task_certify.cpp @@ -33,7 +33,6 @@ #include #include #include -#include #include #include "wac_widget_id.h" @@ -41,7 +40,6 @@ #include #include #include -#include #include #include @@ -52,10 +50,6 @@ using namespace ValidationCore; using namespace WrtDB; namespace { -const std::string LABEL_NEW_LINE = "
"; -const std::string LABEL_NEW_LINE_2 = "

"; -const std::string UNTRUSTED_WIDGET ="It is an Untrusted Widget"; -const char *QUESTION ="Do you wanto to install?"; WidgetCertificateData toWidgetCertificateData(const SignatureData &data, bool root) @@ -63,6 +57,7 @@ WidgetCertificateData toWidgetCertificateData(const SignatureData &data, WidgetCertificateData result; result.chainId = data.getSignatureNumber(); + LogDebug("result.chainId : " << result.chainId); result.owner = data.isAuthorSignature() ? WidgetCertificateData::AUTHOR : WidgetCertificateData::DISTRIBUTOR; @@ -79,7 +74,7 @@ WidgetCertificateData toWidgetCertificateData(const SignatureData &data, } Assert(certificate && !certificate->getCommonName().IsNull() && - "CommonName is Null"); + "CommonName is Null"); result.strCommonName = *certificate->getCommonName(); @@ -93,53 +88,69 @@ WidgetCertificateData toWidgetCertificateData(const SignatureData &data, return result; } + +CertificatePtr getOldAuthorSignerCertificate(DPL::String appid) +{ + WidgetDAOReadOnly dao(appid); + CertificateChainList chainList = dao.getWidgetCertificate(SIGNATURE_AUTHOR); + + FOREACH(it, chainList) + { + ValidationCore::CertificateCollection chain; + if (false == chain.load(*it)) { + LogError("Chain is broken"); + } + + if (!chain.sort()) { + LogError("Chain failed at sorting"); + } + + ValidationCore::CertificateList list = chain.getCertificateList(); + + FOREACH(cert, list) + { + if (!(*cert)->isRootCert() && !(*cert)->isCA()) { + return *cert; + } + } + } + return CertificatePtr(NULL); +} } // namespace anonymous namespace Jobs { namespace WidgetInstall { TaskCertify::TaskCertify(InstallerContext &inCont) : DPL::TaskDecl(this), - m_contextData(inCont), - WidgetInstallPopup(inCont) + m_contextData(inCont) { AddStep(&TaskCertify::stepSignature); - - // Block until fixed popup issues - if (!GlobalSettings::PopupsTestModeEnabled() - && !m_installContext.m_quiet && !isTizenWebApp()) { - AddStep(&TaskCertify::stepWarningPopup); - AddStep(&TaskCertify::stepWarningPopupAnswer); - AddStep(&TaskCertify::stepAuthorInfoPopup); - AddStep(&TaskCertify::stepAuthorInfoPopupAnswer); - AddStep(&TaskCertify::StepDeletePopupWin); + // certi comparison determines whether the update. + if (true == m_contextData.isUpdateMode) { + AddStep(&TaskCertify::stepVerifyUpdate); } AddStep(&TaskCertify::stepFinalize); } -void TaskCertify::processDistributorSignature(const SignatureData &data, - bool first) +void TaskCertify::processDistributorSignature(const SignatureData &data) { // this signature is verified - // no point in check domain WAC_ROOT and WAC_RECOGNIZED m_contextData.wacSecurity.setDistributorSigned(true); - if (data.getStorageType().contains(CertStoreId::WAC_ROOT)) { - m_contextData.wacSecurity.setWacSigned(true); - } - CertificateCollection collection; collection.load(data.getCertList()); Assert(collection.sort() && - "Certificate collection can't sort"); + "Certificate collection can't sort"); Assert(collection.isChain() && "Certificate collection is not able to create chain. " "It is not possible to verify this signature."); m_contextData.wacSecurity.getCertificateChainListRef().push_back( - collection); + collection); - if (first) { + if (data.getSignatureNumber() == 1) { m_contextData.wacSecurity.getCertificateListRef().push_back( toWidgetCertificateData(data, true)); m_contextData.wacSecurity.getCertificateListRef().push_back( @@ -152,8 +163,9 @@ void TaskCertify::processAuthorSignature(const SignatureData &data) using namespace ValidationCore; LogInfo("DNS Identity match!"); // this signature is verified or widget is distributor signed - m_contextData.wacSecurity.getAuthorCertificatePtr() = - data.getEndEntityCertificatePtr(); + m_contextData.wacSecurity.setAuthorCertificatePtr(data.getEndEntityCertificatePtr()); + CertificatePtr test = m_contextData.wacSecurity.getAuthorCertificatePtr(); + m_contextData.wacSecurity.getCertificateListRef().push_back( toWidgetCertificateData(data, true)); m_contextData.wacSecurity.getCertificateListRef().push_back( @@ -174,7 +186,7 @@ void TaskCertify::processAuthorSignature(const SignatureData &data) "It is not possible to verify this signature."); m_contextData.wacSecurity.getAuthorsCertificateChainListRef().push_back( - collection); + collection); FOREACH(it, dnsIdentity){ if (widgetId.matchHost(*it)) { @@ -188,22 +200,26 @@ void TaskCertify::stepSignature() { LogInfo("================ Step: <> ENTER ==============="); - std::string widgetPath = m_contextData.locations->getTemporaryRootDir() + "/"; + std::string widgetPath; + if (m_contextData.widgetConfig.packagingType == + WrtDB::PKG_TYPE_DIRECTORY_WEB_APP) + { + widgetPath = m_contextData.locations->getSourceDir() + "/"; + } else { + widgetPath = m_contextData.locations->getTemporaryPackageDir() + "/"; + } SignatureFileInfoSet signatureFiles; SignatureFinder signatureFinder(widgetPath); if (SignatureFinder::NO_ERROR != signatureFinder.find(signatureFiles)) { LogError("Error in Signature Finder"); - ThrowMsg(Exceptions::InvalidPackage, + ThrowMsg(Exceptions::SignatureNotFound, "Error openig temporary widget directory"); } SignatureFileInfoSet::reverse_iterator iter = signatureFiles.rbegin(); LogInfo("Number of signatures: " << signatureFiles.size()); - bool firstDistributorSignature = true; - bool testCertificate = false; - bool complianceMode = GlobalDAOReadOnly::getComplianceMode(); for (; iter != signatureFiles.rend(); ++iter) { @@ -216,41 +232,47 @@ void TaskCertify::stepSignature() xml.initialize(data, GlobalConfig::GetSignatureXmlSchema()); xml.read(data); - WrtSignatureValidator::AppType appType = WrtSignatureValidator::WAC20; + WrtSignatureValidator::AppType appType = + WrtSignatureValidator::WAC20; - if (m_installContext.widgetConfig.webAppType == APP_TYPE_TIZENWEBAPP) { + if (m_contextData.widgetConfig.webAppType == + APP_TYPE_TIZENWEBAPP) + { appType = WrtSignatureValidator::TIZEN; } WrtSignatureValidator::Result result; + WrtSignatureValidator validator( + appType, + !GlobalSettings:: + OCSPTestModeEnabled(), + !GlobalSettings:: + CrlTestModeEnabled(), + complianceMode); + + result = validator.check(data, widgetPath); + if (m_contextData.widgetConfig.packagingType - == WrtDB::PKG_TYPE_DIRECTORY_WEB_APP) + == WrtDB::PKG_TYPE_DIRECTORY_WEB_APP || + m_contextData.job->getInstallerStruct().m_installMode + == InstallMode::INSTALL_MODE_PRELOAD) { // In directory installation mode, the validation is skipped. result = WrtSignatureValidator::SIGNATURE_VERIFIED; } - else - { - WrtSignatureValidator validator(appType, - !GlobalSettings::OCSPTestModeEnabled(), - !GlobalSettings::CrlTestModeEnabled(), - complianceMode); - - result = validator.check(data, widgetPath); - } if (result == WrtSignatureValidator::SIGNATURE_REVOKED) { LogWarning("Certificate is REVOKED"); - ThrowMsg(Exceptions::InvalidPackage, + ThrowMsg(Exceptions::CertificateExpired, "Certificate is REVOKED"); } if (result == WrtSignatureValidator::SIGNATURE_INVALID) { LogWarning("Signature is INVALID"); // TODO change exception name - ThrowMsg(Exceptions::InvalidPackage, + ThrowMsg(Exceptions::SignatureInvalid, "Invalid Package"); } @@ -259,60 +281,20 @@ void TaskCertify::stepSignature() m_contextData.wacSecurity.isDistributorSigned()) { processAuthorSignature(data); - } else if (result == WrtSignatureValidator::SIGNATURE_DISREGARD) { + } else if (result == + WrtSignatureValidator::SIGNATURE_DISREGARD) + { continue; } } else { - if (result == WrtSignatureValidator::SIGNATURE_DISREGARD) { - continue; - } // now signature _must_ be verified - processDistributorSignature(data, firstDistributorSignature); - firstDistributorSignature = false; + processDistributorSignature(data); } - - bool developerMode = GlobalDAOReadOnly::GetDeveloperMode(); - - std::string realMEID; - TapiHandle *tapiHandle = tel_init(NULL); - char *meid = tel_get_misc_me_sn_sync(tapiHandle); - if (meid) - { - realMEID = meid; - free(meid); - } - tel_deinit(tapiHandle); - - DeveloperModeValidator developerModeValidator( - complianceMode, - developerMode, - GlobalDAOReadOnly::getComplianceFakeImei(), - GlobalDAOReadOnly::getComplianceFakeMeid(), - realMEID); - - developerModeValidator.check(data); - - testCertificate |= - data.getStorageType().contains(CertStoreId::DEVELOPER); - - if (testCertificate && !developerMode) { - LogError("Widget signed by test certificate, " - "but developer mode is off."); - ThrowMsg(Exceptions::InvalidPackage, - "Widget signed by test certificate, " - "but developer mode is off."); - } - m_contextData.widgetConfig.isTestWidget = testCertificate; } Catch(ParserSchemaException::Base) { LogError("Error occured in ParserSchema."); - ReThrowMsg(Exceptions::InvalidPackage, + ReThrowMsg(Exceptions::SignatureInvalid, "Error occured in ParserSchema."); } - Catch(DeveloperModeValidator::Exception::Base) { - LogError("Cannot validate developer certificate."); - ReThrowMsg(Exceptions::InvalidPackage, - "Cannot validate developer certificate."); - } } if (signatureFiles.empty()) { @@ -326,99 +308,6 @@ void TaskCertify::stepSignature() "Widget Signature checked"); } -void TaskCertify::createInstallPopup(PopupType type, const std::string &label) -{ - m_contextData.job->Pause(); - if(m_popup) - destroyPopup(); - bool ret = createPopup(); - if(ret) - { - loadPopup(type, label); - showPopup(); - } -} -void TaskCertify::StepDeletePopupWin() -{ - destroyPopup(); -} - -void TaskCertify::stepWarningPopup() -{ - LogInfo("Step:: <>"); - // SP-2151: If widget is not recognized (OCSP status of any of certificates - // it is signed with is not recognized) WRT must notify user that - // widget cannot be installed as a trusted application, and let the - // user decide whether it should be installed as an untrusted - // application. - if (!m_contextData.wacSecurity.isDistributorSigned()) { - std::string label = UNTRUSTED_WIDGET + - LABEL_NEW_LINE_2 + - QUESTION; - createInstallPopup(PopupType::WIDGET_UNRECOGNIZED, label); - } -} - -std::string TaskCertify::createAuthorWidgetInfo() const -{ - std::string authorInfo; - if (m_contextData.wacSecurity.isRecognized()) { - //authorInfo += _("IDS_IM_WIDGET_RECOGNISED"); - authorInfo += _("WIDGET RECOGNISED"); - } else { - //authorInfo += _("IDS_IM_WIDGET_UNRECOGNISED"); - authorInfo += _("WIDGET UNRECOGNISED"); - } - - authorInfo += LABEL_NEW_LINE_2; - ValidationCore::CertificatePtr authorCert = - m_contextData.wacSecurity.getAuthorCertificatePtr(); - if (!!authorCert) { - DPL::Optional < DPL::String > organizationName = - authorCert->getOrganizationName(); - - //authorInfo += _("IDS_IM_WIDGET_AUTHOR_ORGANIZATION_NAME"); - authorInfo += _("AUTHOR ORGANIZATION NAME"); - authorInfo += LABEL_NEW_LINE; - - if (!organizationName.IsNull()) { - authorInfo += DPL::ToUTF8String(*organizationName); - } else { - //authorInfo += _("IDS_IM_WIDGET_ORGANIZATION_UNKNOWN"); - authorInfo += _("WIDGET ORGANIZATION UNKNOWN"); - } - - authorInfo += LABEL_NEW_LINE_2; - - DPL::Optional < DPL::String > countryName = - authorCert->getCountryName(); - - //authorInfo += _("IDS_IM_WIDGET_COUNTRY_NAME"); - authorInfo += _("WIDGET COUNTRY NAME"); - authorInfo += LABEL_NEW_LINE; - - if (!countryName.IsNull()) { - authorInfo += DPL::ToUTF8String(*countryName); - } else { - //authorInfo += _("IDS_IM_WIDGET_COUNTRY_UNKNOWN"); - authorInfo += _("WIDGET COUNTRY UNKNOWN"); - } - } else { - authorInfo += - //_("IDS_IM_WIDGET_DOES_NOT_CONTAIN_RECOGNIZED_AUTHOR_SIGNATURE"); - _("Widget does not contain recognized author signature"); - } - return authorInfo; -} - -void TaskCertify::stepAuthorInfoPopup() -{ - LogInfo("Step:: <>"); - std::string label - = createAuthorWidgetInfo() + LABEL_NEW_LINE_2 + QUESTION; - createInstallPopup(PopupType::WIDGET_AUTHOR_INFO, label); -} - void TaskCertify::stepFinalize() { LogInfo("Step: <>"); @@ -428,39 +317,43 @@ void TaskCertify::stepFinalize() "Widget Certification Check Finished"); } - -void TaskCertify::stepWarningPopupAnswer() +bool TaskCertify::isTizenWebApp() const { - LogInfo("Step: <>"); - if (false == m_contextData.wacSecurity.isDistributorSigned() && - WRT_POPUP_BUTTON_CANCEL == m_installCancel) + bool ret = FALSE; + if (m_contextData.widgetConfig.webAppType.appType + == WrtDB::AppType::APP_TYPE_TIZENWEBAPP) { - LogWarning("User does not agreed to install unsigned widgets!"); - m_installCancel = WRT_POPUP_BUTTON; - destroyPopup(); - ThrowMsg(Exceptions::NotAllowed, "Widget not allowed"); + ret = TRUE; } -} -void TaskCertify::stepAuthorInfoPopupAnswer() -{ - LogInfo("Step: <>"); - if ( WRT_POPUP_BUTTON_CANCEL == m_installCancel) { - LogWarning("User does not agreed to install widget!"); - m_installCancel = WRT_POPUP_BUTTON; - destroyPopup(); - ThrowMsg(Exceptions::NotAllowed, "Widget not allowed"); - } + return ret; } -bool TaskCertify::isTizenWebApp() const +void TaskCertify::stepVerifyUpdate() { - bool ret = FALSE; - if (m_installContext.widgetConfig.webAppType.appType - == WrtDB::AppType::APP_TYPE_TIZENWEBAPP) - ret = TRUE; - - return ret; + LogInfo("Step: <>"); + CertificatePtr newCertificate = + m_contextData.wacSecurity.getAuthorCertificatePtr(); + CertificatePtr oldCertificate = + getOldAuthorSignerCertificate(m_contextData.widgetConfig.tzAppid); + + if (!!newCertificate && !!oldCertificate) { + if (0 != newCertificate->getBase64().compare(oldCertificate->getBase64())) { + LogDebug("old widget's author signer certificate : " << + oldCertificate->getBase64()); + LogDebug("new widget's author signer certificate : " << + newCertificate->getBase64()); + ThrowMsg(Exceptions::NotMatchedCertification, + "Author signer certificates doesn't match \ + between old widget and installing widget"); + } + } else { + if (!(NULL == newCertificate.Get() && NULL == oldCertificate.Get())) { + ThrowMsg(Exceptions::NotMatchedCertification, + "Author signer certificates doesn't match \ + between old widget and installing widget"); + } + } } } //namespace WidgetInstall } //namespace Jobs