X-Git-Url: http://review.tizen.org/git/?a=blobdiff_plain;f=src%2Fjobs%2Fwidget_install%2Ftask_certify.cpp;h=128f022a865077d2700aa711ba0d0f65a208343f;hb=7318f9524c8f477b402ad3951496bfc2e27095b3;hp=6b0040f93901d396f023d0946c8c3ad28f2ad88c;hpb=f56543848daf0a8585b6023c11cb1738b42b5e1e;p=framework%2Fweb%2Fwrt-installer.git diff --git a/src/jobs/widget_install/task_certify.cpp b/src/jobs/widget_install/task_certify.cpp index 6b0040f..128f022 100644 --- a/src/jobs/widget_install/task_certify.cpp +++ b/src/jobs/widget_install/task_certify.cpp @@ -40,7 +40,6 @@ #include #include #include -#include #include #include @@ -51,10 +50,6 @@ using namespace ValidationCore; using namespace WrtDB; namespace { -const std::string LABEL_NEW_LINE = "
"; -const std::string LABEL_NEW_LINE_2 = "

"; -const std::string UNTRUSTED_WIDGET = "It is an Untrusted Widget"; -const char *QUESTION = "Do you wanto to install?"; WidgetCertificateData toWidgetCertificateData(const SignatureData &data, bool root) @@ -62,6 +57,7 @@ WidgetCertificateData toWidgetCertificateData(const SignatureData &data, WidgetCertificateData result; result.chainId = data.getSignatureNumber(); + LogDebug("result.chainId : " << result.chainId); result.owner = data.isAuthorSignature() ? WidgetCertificateData::AUTHOR : WidgetCertificateData::DISTRIBUTOR; @@ -92,41 +88,56 @@ WidgetCertificateData toWidgetCertificateData(const SignatureData &data, return result; } + +CertificatePtr getOldAuthorSignerCertificate(DPL::String appid) +{ + WidgetDAOReadOnly dao(appid); + CertificateChainList chainList = dao.getWidgetCertificate(SIGNATURE_AUTHOR); + + FOREACH(it, chainList) + { + ValidationCore::CertificateCollection chain; + if (false == chain.load(*it)) { + LogError("Chain is broken"); + } + + if (!chain.sort()) { + LogError("Chain failed at sorting"); + } + + ValidationCore::CertificateList list = chain.getCertificateList(); + + FOREACH(cert, list) + { + if (!(*cert)->isRootCert() && !(*cert)->isCA()) { + return *cert; + } + } + } + return CertificatePtr(NULL); +} } // namespace anonymous namespace Jobs { namespace WidgetInstall { TaskCertify::TaskCertify(InstallerContext &inCont) : DPL::TaskDecl(this), - WidgetInstallPopup(inCont), m_contextData(inCont) { AddStep(&TaskCertify::stepSignature); - - // Block until fixed popup issues - if (!GlobalSettings::PopupsTestModeEnabled() - && !m_installContext.m_quiet && !isTizenWebApp()) - { - AddStep(&TaskCertify::stepWarningPopup); - AddStep(&TaskCertify::stepWarningPopupAnswer); - AddStep(&TaskCertify::stepAuthorInfoPopup); - AddStep(&TaskCertify::stepAuthorInfoPopupAnswer); - AddStep(&TaskCertify::StepDeletePopupWin); + // certi comparison determines whether the update. + if (true == m_contextData.isUpdateMode) { + AddStep(&TaskCertify::stepVerifyUpdate); } AddStep(&TaskCertify::stepFinalize); } -void TaskCertify::processDistributorSignature(const SignatureData &data, - bool first) +void TaskCertify::processDistributorSignature(const SignatureData &data) { // this signature is verified - // no point in check domain WAC_ROOT and WAC_RECOGNIZED m_contextData.wacSecurity.setDistributorSigned(true); - if (data.getStorageType().contains(CertStoreId::WAC_ROOT)) { - m_contextData.wacSecurity.setWacSigned(true); - } - CertificateCollection collection; collection.load(data.getCertList()); Assert(collection.sort() && @@ -139,7 +150,7 @@ void TaskCertify::processDistributorSignature(const SignatureData &data, m_contextData.wacSecurity.getCertificateChainListRef().push_back( collection); - if (first) { + if (data.getSignatureNumber() == 1) { m_contextData.wacSecurity.getCertificateListRef().push_back( toWidgetCertificateData(data, true)); m_contextData.wacSecurity.getCertificateListRef().push_back( @@ -152,8 +163,9 @@ void TaskCertify::processAuthorSignature(const SignatureData &data) using namespace ValidationCore; LogInfo("DNS Identity match!"); // this signature is verified or widget is distributor signed - m_contextData.wacSecurity.getAuthorCertificatePtr() = - data.getEndEntityCertificatePtr(); + m_contextData.wacSecurity.setAuthorCertificatePtr(data.getEndEntityCertificatePtr()); + CertificatePtr test = m_contextData.wacSecurity.getAuthorCertificatePtr(); + m_contextData.wacSecurity.getCertificateListRef().push_back( toWidgetCertificateData(data, true)); m_contextData.wacSecurity.getCertificateListRef().push_back( @@ -188,23 +200,26 @@ void TaskCertify::stepSignature() { LogInfo("================ Step: <> ENTER ==============="); - std::string widgetPath = m_contextData.locations->getTemporaryRootDir() + - "/"; + std::string widgetPath; + if (m_contextData.widgetConfig.packagingType == + WrtDB::PKG_TYPE_DIRECTORY_WEB_APP) + { + widgetPath = m_contextData.locations->getSourceDir() + "/"; + } else { + widgetPath = m_contextData.locations->getTemporaryPackageDir() + "/"; + } SignatureFileInfoSet signatureFiles; SignatureFinder signatureFinder(widgetPath); if (SignatureFinder::NO_ERROR != signatureFinder.find(signatureFiles)) { LogError("Error in Signature Finder"); - ThrowMsg(Exceptions::InvalidPackage, + ThrowMsg(Exceptions::SignatureNotFound, "Error openig temporary widget directory"); } SignatureFileInfoSet::reverse_iterator iter = signatureFiles.rbegin(); LogInfo("Number of signatures: " << signatureFiles.size()); - bool firstDistributorSignature = true; - bool testCertificate = false; - bool complianceMode = GlobalDAOReadOnly::getComplianceMode(); for (; iter != signatureFiles.rend(); ++iter) { @@ -220,7 +235,7 @@ void TaskCertify::stepSignature() WrtSignatureValidator::AppType appType = WrtSignatureValidator::WAC20; - if (m_installContext.widgetConfig.webAppType == + if (m_contextData.widgetConfig.webAppType == APP_TYPE_TIZENWEBAPP) { appType = WrtSignatureValidator::TIZEN; @@ -239,7 +254,9 @@ void TaskCertify::stepSignature() result = validator.check(data, widgetPath); if (m_contextData.widgetConfig.packagingType - == WrtDB::PKG_TYPE_DIRECTORY_WEB_APP) + == WrtDB::PKG_TYPE_DIRECTORY_WEB_APP || + m_contextData.job->getInstallerStruct().m_installMode + == InstallMode::INSTALL_MODE_PRELOAD) { // In directory installation mode, the validation is skipped. @@ -248,14 +265,14 @@ void TaskCertify::stepSignature() if (result == WrtSignatureValidator::SIGNATURE_REVOKED) { LogWarning("Certificate is REVOKED"); - ThrowMsg(Exceptions::InvalidPackage, + ThrowMsg(Exceptions::CertificateExpired, "Certificate is REVOKED"); } if (result == WrtSignatureValidator::SIGNATURE_INVALID) { LogWarning("Signature is INVALID"); // TODO change exception name - ThrowMsg(Exceptions::InvalidPackage, + ThrowMsg(Exceptions::SignatureInvalid, "Invalid Package"); } @@ -270,55 +287,14 @@ void TaskCertify::stepSignature() continue; } } else { - if (result == WrtSignatureValidator::SIGNATURE_DISREGARD) { - continue; - } // now signature _must_ be verified - processDistributorSignature(data, firstDistributorSignature); - firstDistributorSignature = false; + processDistributorSignature(data); } - - bool developerMode = GlobalDAOReadOnly::GetDeveloperMode(); - - std::string realMEID; - TapiHandle *tapiHandle = tel_init(NULL); - char *meid = tel_get_misc_me_sn_sync(tapiHandle); - if (meid) { - realMEID = meid; - free(meid); - } - tel_deinit(tapiHandle); - - DeveloperModeValidator developerModeValidator( - complianceMode, - developerMode, - GlobalDAOReadOnly::getComplianceFakeImei(), - GlobalDAOReadOnly::getComplianceFakeMeid(), - realMEID); - - developerModeValidator.check(data); - - testCertificate |= - data.getStorageType().contains(CertStoreId::DEVELOPER); - - if (testCertificate && !developerMode) { - LogError("Widget signed by test certificate, " - "but developer mode is off."); - ThrowMsg(Exceptions::InvalidPackage, - "Widget signed by test certificate, " - "but developer mode is off."); - } - m_contextData.widgetConfig.isTestWidget = testCertificate; } Catch(ParserSchemaException::Base) { LogError("Error occured in ParserSchema."); - ReThrowMsg(Exceptions::InvalidPackage, + ReThrowMsg(Exceptions::SignatureInvalid, "Error occured in ParserSchema."); } - Catch(DeveloperModeValidator::Exception::Base) { - LogError("Cannot validate developer certificate."); - ReThrowMsg(Exceptions::InvalidPackage, - "Cannot validate developer certificate."); - } } if (signatureFiles.empty()) { @@ -332,99 +308,6 @@ void TaskCertify::stepSignature() "Widget Signature checked"); } -void TaskCertify::createInstallPopup(PopupType type, const std::string &label) -{ - m_contextData.job->Pause(); - if (m_popup) { - destroyPopup(); - } - bool ret = createPopup(); - if (ret) { - loadPopup(type, label); - showPopup(); - } -} -void TaskCertify::StepDeletePopupWin() -{ - destroyPopup(); -} - -void TaskCertify::stepWarningPopup() -{ - LogInfo("Step:: <>"); - // SP-2151: If widget is not recognized (OCSP status of any of certificates - // it is signed with is not recognized) WRT must notify user that - // widget cannot be installed as a trusted application, and let the - // user decide whether it should be installed as an untrusted - // application. - if (!m_contextData.wacSecurity.isDistributorSigned()) { - std::string label = UNTRUSTED_WIDGET + - LABEL_NEW_LINE_2 + - QUESTION; - createInstallPopup(PopupType::WIDGET_UNRECOGNIZED, label); - } -} - -std::string TaskCertify::createAuthorWidgetInfo() const -{ - std::string authorInfo; - if (m_contextData.wacSecurity.isRecognized()) { - //authorInfo += _("IDS_IM_WIDGET_RECOGNISED"); - authorInfo += _("WIDGET RECOGNISED"); - } else { - //authorInfo += _("IDS_IM_WIDGET_UNRECOGNISED"); - authorInfo += _("WIDGET UNRECOGNISED"); - } - - authorInfo += LABEL_NEW_LINE_2; - ValidationCore::CertificatePtr authorCert = - m_contextData.wacSecurity.getAuthorCertificatePtr(); - if (!!authorCert) { - DPL::Optional < DPL::String > organizationName = - authorCert->getOrganizationName(); - - //authorInfo += _("IDS_IM_WIDGET_AUTHOR_ORGANIZATION_NAME"); - authorInfo += _("AUTHOR ORGANIZATION NAME"); - authorInfo += LABEL_NEW_LINE; - - if (!organizationName.IsNull()) { - authorInfo += DPL::ToUTF8String(*organizationName); - } else { - //authorInfo += _("IDS_IM_WIDGET_ORGANIZATION_UNKNOWN"); - authorInfo += _("WIDGET ORGANIZATION UNKNOWN"); - } - - authorInfo += LABEL_NEW_LINE_2; - - DPL::Optional < DPL::String > countryName = - authorCert->getCountryName(); - - //authorInfo += _("IDS_IM_WIDGET_COUNTRY_NAME"); - authorInfo += _("WIDGET COUNTRY NAME"); - authorInfo += LABEL_NEW_LINE; - - if (!countryName.IsNull()) { - authorInfo += DPL::ToUTF8String(*countryName); - } else { - //authorInfo += _("IDS_IM_WIDGET_COUNTRY_UNKNOWN"); - authorInfo += _("WIDGET COUNTRY UNKNOWN"); - } - } else { - authorInfo += - //_("IDS_IM_WIDGET_DOES_NOT_CONTAIN_RECOGNIZED_AUTHOR_SIGNATURE"); - _("Widget does not contain recognized author signature"); - } - return authorInfo; -} - -void TaskCertify::stepAuthorInfoPopup() -{ - LogInfo("Step:: <>"); - std::string label - = createAuthorWidgetInfo() + LABEL_NEW_LINE_2 + QUESTION; - createInstallPopup(PopupType::WIDGET_AUTHOR_INFO, label); -} - void TaskCertify::stepFinalize() { LogInfo("Step: <>"); @@ -434,34 +317,10 @@ void TaskCertify::stepFinalize() "Widget Certification Check Finished"); } -void TaskCertify::stepWarningPopupAnswer() -{ - LogInfo("Step: <>"); - if (false == m_contextData.wacSecurity.isDistributorSigned() && - WRT_POPUP_BUTTON_CANCEL == m_installCancel) - { - LogWarning("User does not agreed to install unsigned widgets!"); - m_installCancel = WRT_POPUP_BUTTON; - destroyPopup(); - ThrowMsg(Exceptions::NotAllowed, "Widget not allowed"); - } -} - -void TaskCertify::stepAuthorInfoPopupAnswer() -{ - LogInfo("Step: <>"); - if (WRT_POPUP_BUTTON_CANCEL == m_installCancel) { - LogWarning("User does not agreed to install widget!"); - m_installCancel = WRT_POPUP_BUTTON; - destroyPopup(); - ThrowMsg(Exceptions::NotAllowed, "Widget not allowed"); - } -} - bool TaskCertify::isTizenWebApp() const { bool ret = FALSE; - if (m_installContext.widgetConfig.webAppType.appType + if (m_contextData.widgetConfig.webAppType.appType == WrtDB::AppType::APP_TYPE_TIZENWEBAPP) { ret = TRUE; @@ -469,6 +328,33 @@ bool TaskCertify::isTizenWebApp() const return ret; } + +void TaskCertify::stepVerifyUpdate() +{ + LogInfo("Step: <>"); + CertificatePtr newCertificate = + m_contextData.wacSecurity.getAuthorCertificatePtr(); + CertificatePtr oldCertificate = + getOldAuthorSignerCertificate(m_contextData.widgetConfig.tzAppid); + + if (!!newCertificate && !!oldCertificate) { + if (0 != newCertificate->getBase64().compare(oldCertificate->getBase64())) { + LogDebug("old widget's author signer certificate : " << + oldCertificate->getBase64()); + LogDebug("new widget's author signer certificate : " << + newCertificate->getBase64()); + ThrowMsg(Exceptions::NotMatchedCertification, + "Author signer certificates doesn't match \ + between old widget and installing widget"); + } + } else { + if (!(NULL == newCertificate.Get() && NULL == oldCertificate.Get())) { + ThrowMsg(Exceptions::NotMatchedCertification, + "Author signer certificates doesn't match \ + between old widget and installing widget"); + } + } +} } //namespace WidgetInstall } //namespace Jobs