*
*/
-/* To prevent inadvertently including a header twice */
#ifndef CERT_SERVICE_DEBUG_H
#define CERT_SERVICE_DEBUG_H
#ifdef __cplusplus
extern "C" {
-#endif // __cplusplus
+#endif
-/*********************************************************************************/
-/* Logging */
-/*********************************************************************************/
#ifdef LOG_TAG
#undef LOG_TAG
#endif
#ifdef __cplusplus
}
-#endif // __cplusplus
+#endif
-#endif // CERT_SERVICE_DEBUG_H
+#endif // CERT_SERVICE_DEBUG_H
*
*/
-/* To prevent inadvertently including a header twice */
#ifndef CERT_SERVICE_PROCESS_H
#define CERT_SERVICE_PROCESS_H
-#include <time.h>
-#include <openssl/x509v3.h>
-
#ifdef __cplusplus
extern "C" {
-#endif // __cplusplus
-/*********************************************************************************/
-/* Variable definitions */
-/*********************************************************************************/
-
-struct cert_svc_inode_set;
+#endif
-/*********************************************************************************/
-/* Variable definitions */
-/*********************************************************************************/
int parse_name_fld_data(unsigned char* str, cert_svc_name_fld_data* fld);
-int search_data_field(search_field fldName, char* fldData, cert_svc_cert_descriptor* certDesc);
-int get_filelist_recur(char* dirName, cert_svc_filename_list* fileNames,
- struct cert_svc_inode_set *visited);
int _verify_certificate_with_caflag(cert_svc_mem_buff* certBuf, cert_svc_linked_list** certList, int checkCaFlag, cert_svc_filename_list* fileNames, int* validity);
-int _verify_signature(cert_svc_mem_buff* certBuf, unsigned char* message, int msgLen, unsigned char* signature, char* algo, int* validity);
int _extract_certificate_data(cert_svc_mem_buff* cert, cert_svc_cert_descriptor* certDesc);
int _search_certificate(cert_svc_filename_list** fileNames, search_field fldName, char* fldData);
int release_cert_list(cert_svc_linked_list* certList);
int release_filename_list(cert_svc_filename_list* fileNames);
-int get_visibility(CERT_CONTEXT* context, int* visibility);
-int get_certificate_type(CERT_CONTEXT* context, int* cert_type);
-
#ifdef __cplusplus
}
#endif
-#endif // CERT_SERVICE_PROCESS_H
+#endif // CERT_SERVICE_PROCESS_H
*
*/
-/* To prevent inadvertently including a header twice */
#ifndef CERT_SERVICE_STORE_H
#define CERT_SERVICE_STORE_H
#ifdef __cplusplus
extern "C" {
-#endif // __cplusplus
+#endif
-int get_file_full_path(char* originalName, const char* location, char* outBuf);
int _add_certificate_to_store(const char* filePath, const char* location);
int _delete_certificate_from_store(const char* filePath, const char* location);
#ifdef __cplusplus
}
-#endif // __cplusplus
+#endif
-#endif // CERT_SERVICE_STORE_H
+#endif // CERT_SERVICE_STORE_H
*
*/
-/* To prevent inadvertently including a header twice */
#ifndef CERT_SERVICE_UTIL_H
#define CERT_SERVICE_UTIL_H
-#include <openssl/x509v3.h>
-
#ifdef __cplusplus
extern "C" {
-#endif // __cplusplus
-/*********************************************************************************/
-/* Variable definitions */
-/*********************************************************************************/
+#endif
-/*********************************************************************************/
-/* Function definitions */
-/*********************************************************************************/
int cert_svc_util_get_file_size(const char* filepath, unsigned long int* length);
int cert_svc_util_load_file_to_buffer(const char* filePath, cert_svc_mem_buff* certBuf);
int cert_svc_util_load_PFX_file_to_buffer(const char* filePath, cert_svc_mem_buff* certBuf, cert_svc_linked_list** certLink, unsigned char** privateKey, int* priKeyLen, char* passPhrase);
int cert_svc_util_base64_encode(const unsigned char* in, int inLen, unsigned char* out, int* outLen);
int cert_svc_util_base64_decode(const unsigned char* in, int inLen, unsigned char* out, int* outLen);
-int get_visibility_by_fingerprint(const char* fingerprint, int* visibility);
-int get_visibility_by_certificate(const unsigned char* cert_data, int data_len, int* visibility);
-int get_type_by_fingerprint(const char* fingerprint, int* cert_type);
-int get_certificate_fingerprint(const unsigned char *cert, int cert_size, char** fingerprint);
#ifdef __cplusplus
}
-#endif // __cplusplus
+#endif
-#endif // CERT_SERVICE_UTIL_H
+#endif // CERT_SERVICE_UTIL_H
* See the License for the specific language governing permissions and
* limitations under the License.
*
+ * @file cert-service.h
+ * @author Kyungwook Tak (k.tak@samsung.com)
+ * @version 1.0
+ * @brief cert-svc CAPI header
*/
-/* To prevent inadvertently including a header twice */
#ifndef CERT_SERVICE_H
#define CERT_SERVICE_H
#ifdef __cplusplus
extern "C" {
-#endif // __cplusplus
+#endif
-/*********************************************************************************/
-/* Constants */
-/*********************************************************************************/
/* max size */
-#define CERT_SVC_MAX_CERT_TYPE_SIZE 50
-#define CERT_SVC_MAX_FILE_NAME_SIZE 256
-#define CERT_SVC_MAX_BUFFER_SIZE (4 * 1024)
+#define CERT_SVC_MAX_CERT_TYPE_SIZE 50
+#define CERT_SVC_MAX_FILE_NAME_SIZE 256
+#define CERT_SVC_MAX_BUFFER_SIZE (4 * 1024)
+
/* error codes */
-#define CERT_SVC_ERR_NO_ERROR 0
-#define CERT_SVC_ERR_UNKNOWN_ERROR -1
-#define CERT_SVC_ERR_BROKEN_CHAIN -2
-#define CERT_SVC_ERR_NO_ROOT_CERT -3
-#define CERT_SVC_ERR_INVALID_SIGNATURE -4
-#define CERT_SVC_ERR_INVALID_CERTIFICATE -5
-#define CERT_SVC_ERR_FILE_IO -6
-#define CERT_SVC_ERR_UNSUPPORTED_HASH_TYPE -7
-#define CERT_SVC_ERR_UNSUPPORTED_KEY_TYPE -8
-#define CERT_SVC_ERR_INVALID_OPERATION -9
-#define CERT_SVC_ERR_BUFFER_TOO_SMALL -10
-#define CERT_SVC_ERR_NO_MORE_CERTIFICATE -11
-#define CERT_SVC_ERR_DUPLICATED_CERTIFICATE -12
-#define CERT_SVC_ERR_SYSTEM_CALL -13
-#define CERT_SVC_ERR_MEMORY_ALLOCATION -14
-#define CERT_SVC_ERR_INVALID_PARAMETER -15
-#define CERT_SVC_ERR_PERMISSION_DENIED -16
-#define CERT_SVC_ERR_IS_EXPIRED -17
-
-#define CERT_SVC_ERR_INVALID_NO_DEVICE_PROFILE -25
-#define CERT_SVC_ERR_INVALID_DEVICE_UNIQUE_ID -26
-#define CERT_SVC_ERR_INVALID_SDK_DEFAULT_AUTHOR_CERT -27
-#define CERT_SVC_ERR_IN_DISTRIBUTOR_CASE_AUTHOR_CERT -28
-#define CERT_SVC_ERR_IN_AUTHOR_CASE_DISTRIBUTOR_CERT -29
+#define CERT_SVC_ERR_NO_ERROR 0
+#define CERT_SVC_ERR_UNKNOWN_ERROR (-1)
+#define CERT_SVC_ERR_BROKEN_CHAIN (-2)
+#define CERT_SVC_ERR_NO_ROOT_CERT (-3)
+#define CERT_SVC_ERR_INVALID_SIGNATURE (-4)
+#define CERT_SVC_ERR_INVALID_CERTIFICATE (-5)
+#define CERT_SVC_ERR_FILE_IO (-6)
+#define CERT_SVC_ERR_UNSUPPORTED_HASH_TYPE (-7)
+#define CERT_SVC_ERR_UNSUPPORTED_KEY_TYPE (-8)
+#define CERT_SVC_ERR_INVALID_OPERATION (-9)
+#define CERT_SVC_ERR_BUFFER_TOO_SMALL (-10)
+#define CERT_SVC_ERR_NO_MORE_CERTIFICATE (-11)
+#define CERT_SVC_ERR_DUPLICATED_CERTIFICATE (-12)
+#define CERT_SVC_ERR_SYSTEM_CALL (-13)
+#define CERT_SVC_ERR_MEMORY_ALLOCATION (-14)
+#define CERT_SVC_ERR_INVALID_PARAMETER (-15)
+#define CERT_SVC_ERR_PERMISSION_DENIED (-16)
+#define CERT_SVC_ERR_IS_EXPIRED (-17)
+#define CERT_SVC_ERR_INVALID_NO_DEVICE_PROFILE (-25)
+#define CERT_SVC_ERR_INVALID_DEVICE_UNIQUE_ID (-26)
#define CERT_SVC_STORE_PATH "/usr/share/cert-svc/certs/"
-/*********************************************************************************/
-/* Type definitions */
-/*********************************************************************************/
typedef enum {
SEARCH_FIELD_START = 0,
ISSUER_COUNTRY = 0,
SEARCH_FIELD_END = 16,
} search_field;
-typedef enum cert_svc_visibility_t {
- CERT_SVC_VISIBILITY_DEVELOPER = 1,
- CERT_SVC_VISIBILITY_PUBLIC = 1 << 6,
- CERT_SVC_VISIBILITY_PARTNER = 1 << 7,
- CERT_SVC_VISIBILITY_PARTNER_OPERATOR = 1 << 8,
- CERT_SVC_VISIBILITY_PARTNER_MANUFACTURER = 1 << 9,
- CERT_SVC_VISIBILITY_PLATFORM = 1 << 10
-} cert_svc_visibility;
-
-typedef enum cert_svc_type_t {
- CERT_SVC_TYPE_NO_TYPE = 0,
- CERT_SVC_TYPE_TEST = 1 << 1,
- CERT_SVC_TYPE_VERIFY = 1 << 2,
- CERT_SVC_TYPE_STORE = 1 << 3
-} cert_svc_type;
-
typedef struct {
unsigned int firstSecond;
unsigned int firstMinute;
cert_svc_filename_list* fileNames;
} CERT_CONTEXT;
-/*********************************************************************************/
-/* Function definitions */
-/*********************************************************************************/
CERT_CONTEXT* cert_svc_cert_context_init();
int cert_svc_cert_context_final(CERT_CONTEXT* ctx);
int cert_svc_add_certificate_to_store(const char* filePath, const char* location);
int cert_svc_delete_certificate_from_store(const char* fileName, const char* location);
int cert_svc_verify_certificate(CERT_CONTEXT* ctx, int* validity);
-int cert_svc_verify_package_certificate(CERT_CONTEXT* ctx, int* validity, const char* signatureFile);
int cert_svc_verify_certificate_with_caflag(CERT_CONTEXT* ctx, int* validity);
-int cert_svc_verify_signature(CERT_CONTEXT* ctx, unsigned char* message, int msgLen, unsigned char* signature, char* algo, int* validity);
int cert_svc_extract_certificate_data(CERT_CONTEXT* ctx);
int cert_svc_search_certificate(CERT_CONTEXT* ctx, search_field fldName, char* fldData);
-int cert_svc_get_visibility(CERT_CONTEXT* ctx, int* visibility);
-int cert_svc_get_visibility_by_root_certificate(const char* cert_data, int data_len, int* visibility);
-char* cert_svc_get_certificate_crt_file_path(void);
+char *cert_svc_get_certificate_crt_file_path(void);
int cert_svc_util_parse_name_fld_data(unsigned char* str, cert_svc_name_fld_data* fld);
+
#ifdef __cplusplus
}
-#endif // __cplusplus
+#endif
-#endif // CERT_SERVICE_H
+#endif // CERT_SERVICE_H
#include <sys/types.h>
#include <fts.h>
#include <unistd.h>
+
+#include <openssl/crypto.h>
#include <openssl/ssl.h>
-#include <openssl/ocsp.h>
+#include <openssl/x509v3.h>
#include "cert-service.h"
#include "cert-service-util.h"
#define get_ASN1_OBJECT(x) OBJ_nid2ln(OBJ_obj2nid((x)))
#define get_X509_NAME(x) X509_NAME_oneline((x), NULL, 0)
-
-struct verify_context {
- int depth;
-};
-
-typedef struct {
- char* unitName;
- char* address;
- int len;
-} name_field;
-
static unsigned char** __get_field_by_tag(unsigned char* str, int *tag_len, cert_svc_name_fld_data* fld)
{
const struct {
return field;
}
+static X509 *_d2i_X509(cert_svc_mem_buff *certBuf, X509 **out)
+{
+ const unsigned char *certContent = certBuf->data;
+ return d2i_X509(out, &certContent, certBuf->size);
+}
+
/*SURC k.astrakhant 2011.07.14 : this version can parse info string with any order of tags*/
int parse_name_fld_data(unsigned char* str, cert_svc_name_fld_data* fld)
{
return sort_cert_chain(unsorted, sorted);
}
-int is_CACert(cert_svc_mem_buff* cert, int* isCA)
-{
- int ret = CERT_SVC_ERR_NO_ERROR;
- X509* x = NULL;
- const unsigned char* p = NULL;
-
- p = cert->data;
- d2i_X509(&x, &p, cert->size);
-
- if(x == NULL) {
- SLOGE("[ERR][%s] Certificate cannot be parsed.", __func__);
- ret = CERT_SVC_ERR_INVALID_CERTIFICATE;
- goto err;
- }
-
- if(X509_check_ca(x) > 0)
- (*isCA) = 1;
- else
- (*isCA) = 0;
-
-err:
- if(x != NULL)
- X509_free(x);
-
- return ret;
-}
-
-int VerifyCallbackfunc(int ok, X509_STORE_CTX* store)
-{
- char buf[256] = {0, };
- struct verify_context* verify_context = (struct verify_context*)X509_STORE_CTX_get_app_data(store);
-
- if(verify_context != NULL) {
- verify_context->depth += 1;
- }
-
- if(store->current_cert != NULL)
- X509_NAME_oneline(X509_get_subject_name(store->current_cert), buf, 256);
- else
- strncpy(buf, "test", 4);
-
- if(verify_context != NULL) {
- SLOGD("[%s] Certificate %i: %s", __func__, verify_context->depth, buf);
- }
-
- return ok;
-}
-
-int _is_default_sdk_author(cert_svc_mem_buff* signer_cert, int *is_default)
-{
- static const char* _sdk_default_author_cert =
- "MIIClTCCAX2gAwIBAgIGAUX+iaC6MA0GCSqGSIb3DQEBBQUAMFYxGjAYBgNVBAoMEVRpemVuIEFz"
- "c29jaWF0aW9uMRowGAYDVQQLDBFUaXplbiBBc3NvY2lhdGlvbjEcMBoGA1UEAwwTVGl6ZW4gRGV2"
- "ZWxvcGVycyBDQTAeFw0xMjExMDEwMDAwMDBaFw0xOTAxMDEwMDAwMDBaMBExDzANBgNVBAMMBmF1"
- "dGhvcjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAgKCL2LL2sZ9wpS9IMO5GKXCSPAz5oKD0"
- "o5HMsGMQThCKmSTFPm9J4qj+MYomrufm2RMA8xp1KyJ79KK2BKg4/DE/5vvWLf1Fh8Jwut9JpkfW"
- "1b8vNul87ft5NJ7ji5cu7wtQYvxC55BcaXAu3yv0AB0/oXVCRuvluSK5X7lvLHsCAwEAAaMyMDAw"
- "DAYDVR0TAQH/BAIwADALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwDQYJKoZIhvcN"
- "AQEFBQADggEBADVYof211H9txSG7Bkmcv0erP4gu7uJt61A+4BYu7g2Gv0sVme8NTvu4289Kpdb8"
- "pR5nosBnEL81eHJBuiCopWl1Yf12gc1hx/+nhlD8vdE3idXQUewCACLdaWNxJ5FO6RYZa3Stp6nO"
- "y5U/hTktDpUMlq+ByR7DhjfIFd4D9O4IbQmp7VbsoGrMh8Jqm+q+mSQh6hth0qK2//Z5kHZLQGfi"
- "m1q/W0L6BlE1+zPo8RdeLxEbsoRMYnvOzTYg2dgq5yPT64SCBEamRYeUdIOjbF+y86/1h6NMhmFu"
- "12NOMj/hg9MfgsXIksRvusRX16blD7uOUz3DwsASa5YnlBdts48=";
-
- int encodeLen = (((signer_cert->size + 2) / 3) * 4) + 1;
- int encodedLen = 0;
- unsigned char *encodedBuffer = (unsigned char *)malloc(sizeof(unsigned char) * encodeLen);
- if (encodedBuffer == NULL)
- return CERT_SVC_ERR_MEMORY_ALLOCATION;
-
- int ret = cert_svc_util_base64_encode(signer_cert->data, signer_cert->size, encodedBuffer, &encodedLen);
- if(ret != CERT_SVC_ERR_NO_ERROR)
- {
- SLOGE("Failed to encode certificate");
- free(encodedBuffer);
- return CERT_SVC_ERR_INVALID_CERTIFICATE;
- }
-
- if(!memcmp(_sdk_default_author_cert, encodedBuffer, encodedLen))
- {
- SLOGE("Error! Author signature signed by SDK default certificate.");
- *is_default = 1;
- free(encodedBuffer);
- return CERT_SVC_ERR_INVALID_SDK_DEFAULT_AUTHOR_CERT;
- }
-
- free(encodedBuffer);
- *is_default = 0;
- return CERT_SVC_ERR_NO_ERROR;
-}
-
int _remove_selfsigned_cert_in_chain(cert_svc_linked_list** certList)
{
int ret = CERT_SVC_ERR_NO_ERROR;
return ret;
}
-int _verify_certificate_with_caflag(cert_svc_mem_buff* certBuf, cert_svc_linked_list** certList, int checkCaFlag, cert_svc_filename_list* rootPath, int* validity)
+int _verify_certificate_with_caflag(
+ cert_svc_mem_buff *certBuf,
+ cert_svc_linked_list **certList,
+ int checkCaFlag,
+ cert_svc_filename_list *rootPath,
+ int *validity)
{
int ret = CERT_SVC_ERR_NO_ERROR;
cert_svc_linked_list* sorted = NULL;
- cert_svc_linked_list* p = NULL;
- cert_svc_linked_list* q = NULL;
+ cert_svc_linked_list* tempNode = NULL;
cert_svc_cert_descriptor* findRoot = NULL;
cert_svc_filename_list* fileNames = NULL;
cert_svc_mem_buff* CACert = NULL;
- int isCA = -1;
- // variables for verification
+
int certNum = 0;
int certIndex = 0, i = 0;
- const unsigned char* certContent = NULL;
X509_STORE_CTX* storeCtx = NULL;
X509* rootCert = NULL;
X509** interCert = NULL;
X509* targetCert = NULL;
STACK_OF(X509) *tchain, *uchain;
- STACK_OF(X509) *resultChain;
- X509* tmpCert = NULL;
int caFlagValidity;
- int is_default_author = 0;
OpenSSL_add_all_algorithms();
tchain = sk_X509_new_null();
uchain = sk_X509_new_null();
-
- ret = _is_default_sdk_author(certBuf, &is_default_author);
- if(ret == CERT_SVC_ERR_INVALID_SDK_DEFAULT_AUTHOR_CERT && is_default_author)
- return CERT_SVC_ERR_INVALID_SDK_DEFAULT_AUTHOR_CERT;
-
- if(ret != CERT_SVC_ERR_NO_ERROR)
- return CERT_SVC_ERR_INVALID_CERTIFICATE;
findRoot = (cert_svc_cert_descriptor*)malloc(sizeof(cert_svc_cert_descriptor));
- if(findRoot == NULL) {
- SLOGE("[ERR][%s] Failed to allocate memory for certificate descriptor.", __func__);
+ if (findRoot == NULL) {
ret = CERT_SVC_ERR_MEMORY_ALLOCATION;
goto err;
}
memset(findRoot, 0x00, sizeof(cert_svc_cert_descriptor));
- if((*certList) != NULL) {
+ if (*certList != NULL) {
/* remove self-signed certificate in certList */
- if((ret = _remove_selfsigned_cert_in_chain(certList)) != CERT_SVC_ERR_NO_ERROR) {
- SLOGE("[ERR][%s] Fail to remove self-signed certificate in chain.", __func__);
+ ret = _remove_selfsigned_cert_in_chain(certList);
+ if (ret != CERT_SVC_ERR_NO_ERROR) {
+ SLOGE("Fail to remove self-signed certificate in chain.");
goto err;
}
+
/* sort certList */
- if((ret = sort_cert_chain(certList, &sorted)) != CERT_SVC_ERR_NO_ERROR) {
- SLOGE("[ERR][%s] Fail to sort certificate chain.", __func__);
+ ret = sort_cert_chain(certList, &sorted);
+ if (ret != CERT_SVC_ERR_NO_ERROR) {
+ SLOGE("Fail to sort certificate chain.");
goto err;
}
- /* find root cert from store, the SUBJECT field of root cert is same with ISSUER field of certList[0] */
- p = sorted;
- while(p->next != NULL) {
+ /*
+ * find root cert from store, the SUBJECT field of root cert
+ * is same with ISSUER field of certList[0]
+ */
+ tempNode = sorted;
+ while (tempNode->next != NULL) {
certNum++;
- p = p->next;
+ tempNode = tempNode->next;
}
certNum++;
- ret = _extract_certificate_data(p->certificate, findRoot);
- }
- else
+ ret = _extract_certificate_data(tempNode->certificate, findRoot);
+ } else {
ret = _extract_certificate_data(certBuf, findRoot);
+ }
- if(ret != CERT_SVC_ERR_NO_ERROR) {
- SLOGE("[ERR][%s] Fail to extract certificate data", __func__);
+ if (ret != CERT_SVC_ERR_NO_ERROR) {
+ SLOGE("Fail to extract certificate data");
goto err;
}
- if((ret = _search_certificate(&fileNames, SUBJECT_STR, (char*)findRoot->info.issuerStr)) != CERT_SVC_ERR_NO_ERROR) {
- SLOGE("[ERR][%s] Fail to search root certificate", __func__);
+ ret = _search_certificate(&fileNames, SUBJECT_STR, (char*)findRoot->info.issuerStr);
+ if (ret != CERT_SVC_ERR_NO_ERROR) {
+ SLOGE("Fail to search root certificate");
goto err;
}
- if(fileNames->filename == NULL) {
- SLOGE("[ERR][%s] There is no CA certificate.", __func__);
+ if (fileNames->filename == NULL) {
ret = CERT_SVC_ERR_NO_ROOT_CERT;
goto err;
}
CACert = (cert_svc_mem_buff*)malloc(sizeof(cert_svc_mem_buff));
- if(CACert == NULL) {
- SLOGE("[ERR][%s] Failed to allocate memory for ca cert.", __func__);
+ if (CACert == NULL) {
ret = CERT_SVC_ERR_MEMORY_ALLOCATION;
goto err;
}
memset(CACert, 0x00, sizeof(cert_svc_mem_buff));
- // use the first found CA cert - ignore other certificate(s). assume that there is JUST one CA cert
- if((ret = cert_svc_util_load_file_to_buffer(fileNames->filename, CACert)) != CERT_SVC_ERR_NO_ERROR) {
- SLOGE("[ERR][%s] Fail to load CA cert to buffer.", __func__);
+ /* use the first found CA cert - ignore other certificate(s). */
+ ret = cert_svc_util_load_file_to_buffer(fileNames->filename, CACert);
+ if (ret != CERT_SVC_ERR_NO_ERROR) {
+ SLOGE("Fail to load CA cert to buffer.");
goto err;
}
- // store root certicate path into ctx
+ /* store root certicate path into ctx */
strncpy(rootPath->filename, fileNames->filename, CERT_SVC_MAX_FILE_NAME_SIZE - 1);
rootPath->filename[CERT_SVC_MAX_FILE_NAME_SIZE - 1] = '\0';
- if((ret = is_CACert(CACert, &isCA)) != CERT_SVC_ERR_NO_ERROR) {
- SLOGE("[ERR][%s] CA certificate is invalid.", __func__);
- goto err;
- }
-
- if(isCA != 1) { // NOT CA certificate
- SLOGE("[ERR][%s] Found certificate is NOT CA certificate.", __func__);
- ret = CERT_SVC_ERR_NO_ROOT_CERT;
- goto err;
- }
-
- /* verify */
- // insert root certificate into trusted chain
- certContent = CACert->data;
- d2i_X509(&rootCert, &certContent, CACert->size);
- if(!(sk_X509_push(tchain, rootCert))) {
- SLOGE("[ERR][%s] Fail to push certificate into stack.", __func__);
+ /* insert root certificate into trusted chain */
+ _d2i_X509(CACert, &rootCert);
+ if (!sk_X509_push(tchain, rootCert)) {
+ SLOGE("Fail to push certificate into stack.");
ret = CERT_SVC_ERR_INVALID_OPERATION;
goto err;
}
- certContent = certBuf->data;
- d2i_X509(&targetCert, &certContent, certBuf->size);
-
- q = sorted; // first item is the certificate that user want to verify
+ _d2i_X509(certBuf, &targetCert);
- // insert all certificate(s) into chain
- if(q != NULL) { // has 2 or more certificates
- certIndex = 0;
+ if (sorted != NULL) {
interCert = (X509**)malloc(sizeof(X509*) * certNum);
- if(interCert == NULL) {
- SLOGE("[ERR][%s] Failed to allocate memory for interim certificate.", __func__);
+ if (interCert == NULL) {
ret = CERT_SVC_ERR_MEMORY_ALLOCATION;
goto err;
}
memset(interCert, 0x00, (sizeof(X509*) * certNum));
- while(1) {
- certContent = q->certificate->data;
- if(!d2i_X509(&interCert[certIndex], &certContent, q->certificate->size)) {
- SLOGE("[ERR][%s] Fail to load certificate into memory.", __func__);
+ for (tempNode = sorted, certIndex = 0;
+ tempNode != NULL;
+ tempNode = tempNode->next, certIndex++) {
+
+ _d2i_X509(tempNode->certificate, &interCert[certIndex]);
+ if (interCert[certIndex] == NULL) {
+ SLOGE("Invalid certificate. failed to parse certificate.");
ret = CERT_SVC_ERR_INVALID_CERTIFICATE;
goto err;
}
- if(!(sk_X509_push(uchain, interCert[certIndex]))) {
- SLOGE("[ERR][%s] Fail to push certificate into stack.", __func__);
+
+ /* insert all certificate(s) into chain */
+ if (!sk_X509_push(uchain, interCert[certIndex])) {
+ SLOGE("Fail to push certificate into stack.");
ret = CERT_SVC_ERR_INVALID_OPERATION;
goto err;
}
-
- if(q->next == NULL)
- break;
- else {
- q = q->next;
- certIndex++;
- }
}
}
storeCtx = X509_STORE_CTX_new();
- if(!X509_STORE_CTX_init(storeCtx, 0, targetCert, uchain)) {
- SLOGE("[ERR][%s] Fail to initialize X509 store context.", __func__);
+ if (!X509_STORE_CTX_init(storeCtx, 0, targetCert, uchain)) {
+ SLOGE("Fail to initialize X509 store context.");
+ ret = CERT_SVC_ERR_INVALID_OPERATION;
goto err;
}
- struct verify_context verify_context = { 0 };
- X509_STORE_CTX_set_app_data(storeCtx, &verify_context);
- X509_STORE_CTX_set_verify_cb(storeCtx, VerifyCallbackfunc);
+
X509_STORE_CTX_trusted_stack(storeCtx, tchain);
- SLOGD("verify signer certificate");
- if(((*validity) = X509_verify_cert(storeCtx)) != 1) {
+ *validity = X509_verify_cert(storeCtx);
+ if (*validity != 1) {
int error = X509_STORE_CTX_get_error(storeCtx);
- SLOGE("[ERR][%s] Fail to verify certificate chain, validity: [%d]", __func__, (*validity));
SLOGE("err str: [%s]", X509_verify_cert_error_string(error));
-
- // check level
- int cert_type=0;
- char *fingerprint = NULL;
- unsigned char *certdata = NULL;
- int certSize = 0;
-
- certdata = CACert->data;
- certSize = CACert->size;
-
- ret = get_certificate_fingerprint(certdata, certSize, &fingerprint);
- if(ret != CERT_SVC_ERR_NO_ERROR)
- {
- SLOGE("Failed to get fingerprint data! %d", ret);
- goto err;
- }
-
- ret = get_type_by_fingerprint(fingerprint, &cert_type);
- if(ret != CERT_SVC_ERR_NO_ERROR)
- {
- SLOGE("Failed to get level! %d", ret);
- goto err;
- }
-
- SLOGD("cert_type = %d", cert_type);
- if(cert_type != CERT_SVC_TYPE_TEST && cert_type != CERT_SVC_TYPE_VERIFY){
-
- SLOGD("Level is not Test or Verity");
- if( error == X509_V_ERR_CERT_NOT_YET_VALID ||
- error == X509_V_ERR_CERT_HAS_EXPIRED ||
- error == X509_V_ERR_CRL_NOT_YET_VALID ||
- error == X509_V_ERR_CRL_HAS_EXPIRED ||
- error == X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD ||
- error == X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD ||
- error == X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD ||
- error == X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD) {
-
- SLOGD("Skip checking valid time of signer cert");
- (*validity) = 1;
- }
- }
- else{
- ret = CERT_SVC_ERR_IS_EXPIRED;
- goto err;
- }
+ ret = CERT_SVC_ERR_INVALID_CERTIFICATE;
+ goto err;
}
- if(checkCaFlag) { // check strictly
- resultChain = X509_STORE_CTX_get1_chain(storeCtx);
- while((tmpCert = sk_X509_pop(resultChain))) {
- caFlagValidity = X509_check_ca(tmpCert);
- if(caFlagValidity != 1 && (sk_X509_pop(resultChain)) != NULL) { // the last one is not a CA.
- (*validity) = 0;
- SLOGE("[ERR][%s] Invalid CA Flag for CA Certificate, validity: [%d]", __func__, (*validity));
- break;
- }
+ if (checkCaFlag) {
+ caFlagValidity = X509_check_ca(rootCert);
+ if (caFlagValidity != 1) {
+ *validity = 0;
+ SLOGE("Invalid CA Flag for CA Certificate, caFlagValidity: [%d]", caFlagValidity);
}
}
err:
- if(rootCert != NULL)
+ if (ret != CERT_SVC_ERR_NO_ERROR)
+ SLOGE("Error in cert-service-process. code[%d]", ret);
+
+ if (rootCert != NULL)
X509_free(rootCert);
- if(targetCert != NULL)
+
+ if (targetCert != NULL)
X509_free(targetCert);
- if(storeCtx != NULL)
+
+ if (storeCtx != NULL)
X509_STORE_CTX_free(storeCtx);
- if(tchain != NULL)
+
+ if (tchain != NULL)
sk_X509_free(tchain);
- if(uchain != NULL)
+
+ if (uchain != NULL)
sk_X509_free(uchain);
- if(interCert != NULL) {
- for(i = 0; i < certNum; i++) {
- if(interCert[i] != NULL)
+ if (interCert != NULL) {
+ for (i = 0; i < certNum; i++) {
+ if (interCert[i] != NULL)
X509_free(interCert[i]);
}
free(interCert);
}
- //EVP_cleanup();
release_certificate_buf(CACert);
release_certificate_data(findRoot);
release_filename_list(fileNames);
return ret;
}
-int _verify_signature(cert_svc_mem_buff* certBuf, unsigned char* message, int msgLen, unsigned char* signature, char* algo, int* validity)
-{
- int ret = CERT_SVC_ERR_NO_ERROR;
- X509* x = NULL;
- const unsigned char* p = NULL;
- // hash
- EVP_MD_CTX* mdctx = NULL;
- const EVP_MD* md = NULL;
- // signature
- unsigned char* decodedSig = NULL;
- int decodedSigLen = 0;
- int sigLen = 0;
- // public key
- EVP_PKEY *pkey = NULL;
-
- OpenSSL_add_all_digests();
-
- /* load certificate into buffer */
- p = certBuf->data;
- d2i_X509(&x, &p, certBuf->size);
- if(x == NULL) {
- SLOGE("[ERR][%s] Fail to allocate X509 structure.", __func__);
- ret = CERT_SVC_ERR_INVALID_CERTIFICATE;
- goto err;
- }
-
- /* load signature and decode */
- sigLen = strlen((const char*)signature);
- decodedSigLen = ((sigLen / 4) * 3) + 1;
-
- if(!(decodedSig = (unsigned char*)malloc(sizeof(unsigned char) * decodedSigLen))) {
- SLOGE("[ERR][%s] Fail to allocate memory.", __func__);
- ret = CERT_SVC_ERR_MEMORY_ALLOCATION;
- goto err;
- }
- memset(decodedSig, 0x00, decodedSigLen);
- if((ret = cert_svc_util_base64_decode(signature, sigLen, decodedSig, &decodedSigLen)) != CERT_SVC_ERR_NO_ERROR) {
- SLOGE("[ERR][%s] Fail to base64 decode.", __func__);
- ret = CERT_SVC_ERR_INVALID_OPERATION;
- goto err;
- }
-
- /* get public key */
- pkey = X509_get_pubkey(x);
-
- /* make EVP_MD_CTX */
- if(!(mdctx = EVP_MD_CTX_create())) {
- ret = CERT_SVC_ERR_MEMORY_ALLOCATION;
- goto err;
- }
-
- if(algo == NULL) { // if hash algorithm is not defined,
- if(!(md = EVP_get_digestbyobj(x->cert_info->signature->algorithm))) { // get hash algorithm
- SLOGE("[ERR][%s] Fail to get hash algorithm.", __func__);
- ret = CERT_SVC_ERR_INVALID_CERTIFICATE;
- goto err;
- }
- }
- else { // if hash algorithm is defined,
- if(!(md = EVP_get_digestbyname(algo))) { // get hash algorithm
- SLOGE("[ERR][%s] Fail to get hash algorithm.", __func__);
- ret = CERT_SVC_ERR_INVALID_CERTIFICATE;
- goto err;
- }
- }
-
- /* initialization */
- if(EVP_VerifyInit_ex(mdctx, md, NULL) != 1) {
- SLOGE("[ERR][%s] Fail to execute EVP_VerifyInit_ex().", __func__);
- ret = CERT_SVC_ERR_INVALID_CERTIFICATE;
- goto err;
- }
- if(EVP_VerifyUpdate(mdctx, message, msgLen) != 1) {
- SLOGE("[ERR][%s] Fail to execute EVP_VerifyUpdate().", __func__);
- ret = CERT_SVC_ERR_INVALID_CERTIFICATE;
- goto err;
- }
- if(((*validity) = EVP_VerifyFinal(mdctx, decodedSig, decodedSigLen, pkey)) != 1) {
- SLOGE("[ERR][%s] Fail to verify signature.", __func__);
- ret = CERT_SVC_ERR_INVALID_SIGNATURE;
- goto err;
- }
-
-err:
- if(x != NULL)
- X509_free(x);
- if(decodedSig != NULL)
- free(decodedSig);
- if(pkey != NULL)
- EVP_PKEY_free(pkey);
- if(mdctx != NULL)
- EVP_MD_CTX_destroy(mdctx);
- //EVP_cleanup();
-
- return ret;
-}
-
int _extract_certificate_data(cert_svc_mem_buff* cert, cert_svc_cert_descriptor* certDesc)
{
int ret = CERT_SVC_ERR_NO_ERROR;
X509* x = NULL;
- const unsigned char* p = NULL;
int i = 0;
// get signature algorithm
char* signatureAlgo = NULL;
memset(certDesc, 0x00, sizeof(cert_svc_cert_descriptor));
- p = cert->data;
- d2i_X509(&x, &p, cert->size);
+ _d2i_X509(cert, &x);
if(x == NULL) {
SLOGE("[ERR][%s] Fail to allocate X509 structure.", __func__);
ret = CERT_SVC_ERR_INVALID_CERTIFICATE;
int get_all_certificates(cert_svc_filename_list** allCerts)
{
int ret;
- char *buffer[3];
+ char *buffer[4];
buffer[0] = ROOT_CA_CERTS_DIR;
buffer[1] = CERTSVC_DIR;
- buffer[2] = NULL;
+ buffer[2] = SYSTEM_CERT_DIR;
+ buffer[3] = NULL;
if (!allCerts) {
SLOGE("[ERR][%s] Invalid argument.", __func__);
return ret;
}
-
-int get_visibility(CERT_CONTEXT* context, int* visibility)
-{
- int ret = CERT_SVC_ERR_NO_ERROR;
- unsigned char * cert = NULL;
- int certSize = 0;
- char *fingerprint = NULL;
-
- if(!context->certBuf)
- {
- SLOGE("certBuf is NULL!");
- return CERT_SVC_ERR_INVALID_PARAMETER;
- }
- if(!context->certBuf->size)
- {
- SLOGE("certBuf size is wrong");
- return CERT_SVC_ERR_INVALID_PARAMETER;
- }
-
- cert = context->certBuf->data;
- certSize = context->certBuf->size;
-
- if(cert == NULL || !certSize)
- {
- SLOGE("cert is or invalid!");
- return CERT_SVC_ERR_INVALID_CERTIFICATE;
- }
-
- ret = get_certificate_fingerprint(cert, certSize, &fingerprint);
- if(ret != CERT_SVC_ERR_NO_ERROR)
- {
- SLOGE("Failed to get fingerprint data! %d", ret);
- return ret;
- }
-
- ret = get_visibility_by_fingerprint(fingerprint, visibility);
- if(ret != CERT_SVC_ERR_NO_ERROR)
- {
- SLOGE("Failed to get visibility! %d", ret);
- return ret;
- }
-
- return CERT_SVC_ERR_NO_ERROR;
-}
-
-int get_certificate_type(CERT_CONTEXT* context, int* cert_type)
-{
- int ret = CERT_SVC_ERR_NO_ERROR;
- unsigned char * cert = NULL;
- int certSize = 0;
- char *fingerprint = NULL;
-
- if(!context->certBuf)
- {
- SLOGE("certBuf is NULL!");
- return CERT_SVC_ERR_INVALID_PARAMETER;
- }
- if(!context->certBuf->size)
- {
- SLOGE("certBuf size is wrong");
- return CERT_SVC_ERR_INVALID_PARAMETER;
- }
-
- cert = context->certBuf->data;
- certSize = context->certBuf->size;
-
- if(cert == NULL || !certSize)
- {
- SLOGE("cert is or invalid!");
- return CERT_SVC_ERR_INVALID_CERTIFICATE;
- }
-
- ret = get_certificate_fingerprint(cert, certSize, &fingerprint);
- if(ret != CERT_SVC_ERR_NO_ERROR)
- {
- SLOGE("Failed to get fingerprint data! %d", ret);
- return ret;
- }
-
- ret = get_type_by_fingerprint(fingerprint, cert_type);
- if(ret != CERT_SVC_ERR_NO_ERROR)
- {
- SLOGE("Failed to get visibility! %d", ret);
- return ret;
- }
-
- return CERT_SVC_ERR_NO_ERROR;
-}
-
#include "cert-service-debug.h"
#include "cert-service-store.h"
-int get_file_full_path(char* originalName, const char* location, char* outBuf)
+static int get_file_full_path(char* originalName, const char* location, char* outBuf)
{
int ret = CERT_SVC_ERR_NO_ERROR;
char pathLocation[CERT_SVC_MAX_FILE_NAME_SIZE];
return ret;
}
-// fingerprint format - AA:BB:CC:DD:EE...
-// cert - der(binary) format
-int get_certificate_fingerprint(const unsigned char *cert, int cert_size, char** fingerprint)
-{
- X509* x509Cert = NULL;
- unsigned char x509_fingerprint[EVP_MAX_MD_SIZE] = {0};
- char uniformedFingerprint[EVP_MAX_MD_SIZE * 3] = {0};
- int fp_len = 0;
- char buff[8] = {0};
- unsigned int x509_length = 0;
- unsigned int i = 0;
-
- if(!d2i_X509(&x509Cert, &cert, cert_size))
- {
- SLOGE("d2i_x509 failed!");
- *fingerprint = NULL;
- return CERT_SVC_ERR_INVALID_CERTIFICATE;
- }
-
- if(!X509_digest(x509Cert, EVP_sha1(), x509_fingerprint, &x509_length))
- {
- SLOGE("X509_digest failed");
- X509_free(x509Cert);
- *fingerprint = NULL;
- return CERT_SVC_ERR_INVALID_CERTIFICATE;
- }
-
- for(i = 0; i < x509_length; i++)
- {
- snprintf(buff, sizeof(buff), "%02X:", x509_fingerprint[i]);
- strncat(uniformedFingerprint, buff, 3);
- }
- uniformedFingerprint[x509_length * 3 - 1] = 0; // remove last :
- fp_len = strlen(uniformedFingerprint);
-
- *fingerprint = (char*)calloc(sizeof(char), fp_len + 1);
- if(*fingerprint == NULL)
- {
- SLOGE("Failed to allocate memory");
- X509_free(x509Cert);
- *fingerprint = NULL;
- return CERT_SVC_ERR_MEMORY_ALLOCATION;
- }
-
- memcpy(*fingerprint, uniformedFingerprint, fp_len + 1);
-
- SLOGD("fingerprint : %s", *fingerprint);
-
- X509_free(x509Cert);
-
- return CERT_SVC_ERR_NO_ERROR;
-}
-
-int get_visibility_by_fingerprint(const char* fingerprint, int* visibility)
-{
- SLOGD("fingerprint : %s", fingerprint);
- int ret = 0;
- xmlChar *xmlPathDomainPlatform = (xmlChar*) "tizen-platform";
- xmlChar *xmlPathDomainPublic = (xmlChar*) "tizen-public";
- xmlChar *xmlPathDomainPartner = (xmlChar*) "tizen-partner";
- xmlChar *xmlPathDomainDeveloper = (xmlChar*) "tizen-developer";
-
- /* load file */
- xmlDocPtr doc = xmlParseFile(FINGERPRINT_LIST_PATH);
- if ((doc == NULL) || (xmlDocGetRootElement(doc) == NULL))
- {
- SLOGE("Failed to prase fingerprint_list.xml");
- return CERT_SVC_ERR_FILE_IO;
- }
-
- xmlNodePtr curPtr = xmlFirstElementChild(xmlDocGetRootElement(doc));
- if(curPtr == NULL)
- {
- SLOGE("Can not find root");
- xmlFreeDoc(doc);
- return CERT_SVC_ERR_FILE_IO;
- }
-
- while(curPtr != NULL)
- {
- xmlAttr* attr = curPtr->properties;
- if(!attr->children || !attr->children->content)
- {
- SLOGE("Failed to get fingerprints from list");
- ret = CERT_SVC_ERR_NO_ROOT_CERT;
- goto out;
- }
-
- xmlChar* strLevel = attr->children->content;
- xmlNodePtr FpPtr = xmlFirstElementChild(curPtr);
-
- /*
- if(FpPtr == NULL)
- {
- SLOGE("Could not find fingerprint");
- ret = CERT_SVC_ERR_NO_ROOT_CERT;
- goto out;
- }
- */
-
- while(FpPtr)
- {
- xmlChar *content = xmlNodeGetContent(FpPtr);
- if(xmlStrcmp(content, (xmlChar*)fingerprint) == 0)
- {
- SLOGD("fingerprint : %s are %s", content, strLevel);
- if(!xmlStrcmp(strLevel, xmlPathDomainPlatform)){
- *visibility = CERT_SVC_VISIBILITY_PLATFORM;
- ret = CERT_SVC_ERR_NO_ERROR;
- goto out;
- }
- else if(!xmlStrcmp(strLevel, xmlPathDomainPublic)){
- *visibility = CERT_SVC_VISIBILITY_PUBLIC;
- ret = CERT_SVC_ERR_NO_ERROR;
- goto out;
- }
- else if(!xmlStrcmp(strLevel, xmlPathDomainPartner)){
- *visibility = CERT_SVC_VISIBILITY_PARTNER;
- ret = CERT_SVC_ERR_NO_ERROR;
- goto out;
- }
- else if(!xmlStrcmp(strLevel, xmlPathDomainDeveloper)){
- *visibility = CERT_SVC_VISIBILITY_DEVELOPER;
- ret = CERT_SVC_ERR_NO_ERROR;
- goto out;
- }
- }
- FpPtr = xmlNextElementSibling(FpPtr);
- }
- curPtr = xmlNextElementSibling(curPtr);
- }
-
- SLOGE("Could not find fingerrpint");
-
- xmlFreeDoc(doc);
- return CERT_SVC_ERR_NO_ROOT_CERT;
-
-out:
- xmlFreeDoc(doc);
- return ret;
-}
-
-int get_type_by_fingerprint(const char* fingerprint, int* cert_type)
-{
- int ret = CERT_SVC_ERR_NO_ERROR;
- xmlChar *xmlPathDomainTest = (xmlChar*) "tizen-test";
- xmlChar *xmlPathDomainVerify = (xmlChar*) "tizen-verify";
- xmlChar *xmlPathDomainStore = (xmlChar*) "tizen-store";
-
- /* load file */
- xmlDocPtr doc = xmlParseFile(FINGERPRINT_LIST_PATH);
- if ((doc == NULL) || (xmlDocGetRootElement(doc) == NULL))
- {
- SLOGE("Failed to prase fingerprint_list.xml");
- return CERT_SVC_ERR_FILE_IO;
- }
-
- xmlNodePtr curPtr = xmlFirstElementChild(xmlDocGetRootElement(doc));
- if(curPtr == NULL)
- {
- SLOGE("Can not find root");
- xmlFreeDoc(doc);
- return CERT_SVC_ERR_FILE_IO;
- }
-
- while(curPtr != NULL)
- {
- xmlAttr* attr = curPtr->properties;
- if(!attr->children || !attr->children->content)
- {
- SLOGE("Failed to get fingerprints from list");
- ret = CERT_SVC_ERR_NO_ROOT_CERT;
- goto out;
- }
-
- xmlChar* strLevel = attr->children->content;
- xmlNodePtr FpPtr = xmlFirstElementChild(curPtr);
-
- while(FpPtr)
- {
- xmlChar *content = xmlNodeGetContent(FpPtr);
- if(xmlStrcmp(content, (xmlChar*)fingerprint) == 0)
- {
- SLOGD("fingerprint : %s matched %s", content, strLevel);
- if(!xmlStrcmp(strLevel, xmlPathDomainTest)){
- *cert_type = CERT_SVC_TYPE_TEST;
- ret = CERT_SVC_ERR_NO_ERROR;
- goto out;
- }
- else if(!xmlStrcmp(strLevel, xmlPathDomainVerify)){
- *cert_type = CERT_SVC_TYPE_VERIFY;
- ret = CERT_SVC_ERR_NO_ERROR;
- goto out;
- }
- else if(!xmlStrcmp(strLevel, xmlPathDomainStore)){
- *cert_type = CERT_SVC_TYPE_STORE;
- ret = CERT_SVC_ERR_NO_ERROR;
- goto out;
- }
- }
- FpPtr = xmlNextElementSibling(FpPtr);
- }
- curPtr = xmlNextElementSibling(curPtr);
- }
-
- SLOGD("Could not find fingerprint");
- xmlFreeDoc(doc);
- *cert_type = CERT_SVC_TYPE_NO_TYPE;
- return CERT_SVC_ERR_NO_ERROR;
-
-out:
- xmlFreeDoc(doc);
- return ret;
-}
-
-
-// expect input cert data is base64 encoded format
-int get_visibility_by_certificate(const unsigned char *cert_data, int data_len, int* visibility)
-{
- if(!cert_data || !data_len)
- {
- return CERT_SVC_ERR_INVALID_PARAMETER;
- }
-
- int decodedSize = ((data_len / 4) * 3) + 1;
- unsigned char *decoded = NULL;
- char *fingerprint = NULL;
- int ret = CERT_SVC_ERR_NO_ERROR;
-
- if(!(decoded = (unsigned char *)malloc(sizeof(unsigned char) * decodedSize))) {
- SLOGE("Fail to allocate memory.");
- return CERT_SVC_ERR_MEMORY_ALLOCATION;
- }
- memset(decoded, 0x00, decodedSize);
-
- if((ret = cert_svc_util_base64_decode(cert_data, data_len, decoded, &decodedSize)) != CERT_SVC_ERR_NO_ERROR)
- {
- SLOGE("Failed to decode data %d", ret);
- free(decoded);
- return ret;
- }
-
- ret = get_certificate_fingerprint(decoded, decodedSize, &fingerprint);
- if(ret != CERT_SVC_ERR_NO_ERROR)
- {
- SLOGE("Can not get fingerprint! %d", ret);
- return ret;
- }
-
- ret = get_visibility_by_fingerprint(fingerprint, visibility);
- if(ret != CERT_SVC_ERR_NO_ERROR)
- {
- SLOGE("Can not find visibility %d", ret);
- return ret;
- }
-
- free(decoded);
- free(fingerprint);
- return CERT_SVC_ERR_NO_ERROR;
-}
return result;
}
-int cert_svc_get_certificate_type(CERT_CONTEXT *ctx, int* cert_type)
-{
- CERT_CONTEXT* context = NULL;
- int ret = CERT_SVC_ERR_NO_ERROR;
-
- if (!ctx || !cert_type) {
- SLOGE("Invalid prameters");
- return CERT_SVC_ERR_INVALID_PARAMETER;
- }
-
- if (!ctx->fileNames || !ctx->fileNames->filename) {
- SLOGE("Can not find root certificate path");
- return CERT_SVC_ERR_INVALID_PARAMETER;
- }
-
- context = cert_svc_cert_context_init();
- if (!context) {
- SLOGE("Out of memory");
- return CERT_SVC_ERR_MEMORY_ALLOCATION;
- }
-
- ret = cert_svc_load_file_to_context(context, ctx->fileNames->filename);
- if (ret != CERT_SVC_ERR_NO_ERROR) {
- SLOGE("failed to load root certficiate");
- cert_svc_cert_context_final(context);
- return CERT_SVC_ERR_INVALID_CERTIFICATE;
- }
-
- ret = get_certificate_type(context, cert_type);
-
- cert_svc_cert_context_final(context);
-
- return ret;
-}
-
int _cert_svc_verify_certificate_with_caflag(CERT_CONTEXT* ctx, int checkCAFlag, int* validity)
{
int ret = CERT_SVC_ERR_NO_ERROR;
- int cert_type = 0;
- unsigned char *cert = NULL;
- int size=0;
- int result = 0;
-
- if (!ctx || !ctx->certBuf || !ctx->certLink || !ctx->certLink->certificate || ctx->fileNames) {
+ if (!ctx || !ctx->certBuf || ctx->fileNames) {
SLOGE("[ERR][%s] Check your parameter. Cannot find certificate.", __func__);
return CERT_SVC_ERR_INVALID_PARAMETER;
}
- size = ctx->certLink->certificate->size;
- cert = (unsigned char *)calloc(size, 1);
- if (!cert)
- return CERT_SVC_ERR_MEMORY_ALLOCATION;
-
- memcpy(cert, ctx->certLink->certificate->data, size);
-
if(!(ctx->fileNames = (cert_svc_filename_list*)malloc(sizeof(cert_svc_filename_list)))) {
SLOGE("[ERR][%s] Fail to allocate memory.", __func__);
ret = CERT_SVC_ERR_MEMORY_ALLOCATION;
goto err;
}
- SECURE_LOGD("root cert path : %s", ctx->fileNames->filename);
- ret = cert_svc_get_certificate_type(ctx, &cert_type);
- if (ret != CERT_SVC_ERR_NO_ERROR) {
- SLOGE("failed to cert_svc_get_certificate_type");
- goto err;
- }
-
- SLOGD("cert_type = %d", cert_type);
- if (cert_type == CERT_SVC_TYPE_TEST) {
- SLOGD("Checking DUID");
- result = __is_certified_device(cert, size);
-
- if (result == -1){
- SLOGE("Device profile file does not exist in Device.");
- ret = CERT_SVC_ERR_INVALID_NO_DEVICE_PROFILE;
- goto err;
- } else if (result == 0) {
- SLOGE("Device Unique ID (DUID) is not registered.");
- ret = CERT_SVC_ERR_INVALID_DEVICE_UNIQUE_ID;
- goto err;
- }
- }
-
- SLOGD("[%s] Success to verify certificate.", __func__);
+ SLOGD("root cert path : %s", ctx->fileNames->filename);
+ SLOGD("Success to verify certificate.");
err:
- free(cert);
return ret;
}
-
-
CERT_SVC_API
int cert_svc_add_certificate_to_store(const char* filePath, const char* location)
{
return CERT_SVC_ERR_NO_ERROR;
}
-
-CERT_SVC_API
-int cert_svc_verify_package_certificate(CERT_CONTEXT* ctx, int* validity, const char* signatureFile)
-{
- SLOGD("cert_svc_verify_package_certificate");
- int ca_cflag_check_false = 0;
-
- int ret = _cert_svc_verify_certificate_with_caflag(ctx, ca_cflag_check_false, validity);
- if (ret != CERT_SVC_ERR_NO_ERROR)
- return ret;
-
- int visibility = 0;
- ret = cert_svc_get_visibility(ctx, &visibility);
- if (ret != CERT_SVC_ERR_NO_ERROR)
- return ret;
-
- char* sig_file_name = NULL;
- if ((sig_file_name = strstr(signatureFile, AUTHOR_SIGNATURE))) {
- SLOGD("signature file : %s %d", sig_file_name, visibility);
- if (strncmp(sig_file_name, AUTHOR_SIGNATURE, strlen(sig_file_name)) == 0) {
- if (visibility != CERT_SVC_VISIBILITY_DEVELOPER) {
- SLOGE("Author signature signed as distributor signature. Invalid!");
- *validity = 0;
- return CERT_SVC_ERR_IN_AUTHOR_CASE_DISTRIBUTOR_CERT;
- }
- }
- } else if ((sig_file_name = strstr(signatureFile, DISTRIBUTOR_SIGNATURE))) {
- SLOGD("signature file : %s %d", sig_file_name, visibility);
- if (strncmp(sig_file_name, DISTRIBUTOR_SIGNATURE, strlen(sig_file_name)) == 0) {
- if (visibility == CERT_SVC_VISIBILITY_DEVELOPER) {
- SLOGE("Distributor signature signed as author signature. Invalid!");
- *validity = 0;
- return CERT_SVC_ERR_IN_DISTRIBUTOR_CASE_AUTHOR_CERT;
- }
- }
- }
-
- return CERT_SVC_ERR_NO_ERROR;
-}
-
CERT_SVC_API
int cert_svc_verify_certificate(CERT_CONTEXT* ctx, int* validity)
{
return _cert_svc_verify_certificate_with_caflag(ctx, 1, validity);
}
-/*
- * message : unsigned character string
- * signature : base64 encoded string
- */
-CERT_SVC_API
-int cert_svc_verify_signature(CERT_CONTEXT* ctx, unsigned char* message, int msgLen, unsigned char* signature, char* algo, int* validity)
-{
- int ret = CERT_SVC_ERR_NO_ERROR;
-
- if (!message || !signature || !ctx || !ctx->certBuf) {
- SLOGE("[ERR][%s] Invalid parameter, please check your parameter", __func__);
- return CERT_SVC_ERR_INVALID_PARAMETER;
- }
-
- if ((ret = _verify_signature(ctx->certBuf, message, msgLen, signature, algo, validity)) != CERT_SVC_ERR_NO_ERROR) {
- SLOGE("[ERR][%s] Fail to verify signature.", __func__);
- return ret;
- }
-
- SLOGD("[%s] Success to verify signature.", __func__);
-
- return CERT_SVC_ERR_NO_ERROR;
-}
-
CERT_SVC_API
int cert_svc_extract_certificate_data(CERT_CONTEXT* ctx)
{
}
CERT_SVC_API
-int cert_svc_get_visibility(CERT_CONTEXT *ctx, int* visibility)
-{
- CERT_CONTEXT* context = NULL;
- int ret = CERT_SVC_ERR_NO_ERROR;
-
- if (!ctx || !visibility) {
- SLOGE("Invalid prameters");
- return CERT_SVC_ERR_INVALID_PARAMETER;
- }
-
- if (!ctx->fileNames || !ctx->fileNames->filename) {
- SLOGE("Can not find root certificate path");
- return CERT_SVC_ERR_INVALID_PARAMETER;
- }
-
- context = cert_svc_cert_context_init();
- if (!context) {
- SLOGE("Out of memory");
- return CERT_SVC_ERR_MEMORY_ALLOCATION;
- }
-
- ret = cert_svc_load_file_to_context(context, ctx->fileNames->filename);
- if (ret != CERT_SVC_ERR_NO_ERROR) {
- SLOGE("failed to load root certficiate");
- cert_svc_cert_context_final(context);
- return CERT_SVC_ERR_INVALID_CERTIFICATE;
- }
-
- ret = get_visibility(context, visibility);
-
- cert_svc_cert_context_final(context);
-
- return ret;
-}
-
-
-CERT_SVC_API
-int cert_svc_get_visibility_by_root_certificate(const char* base64_encoded_data, int data_len, int* visibility)
-{
- if (!base64_encoded_data|| !data_len) {
- return CERT_SVC_ERR_INVALID_PARAMETER;
- }
-
- int ret = get_visibility_by_certificate((const unsigned char *)base64_encoded_data, data_len, visibility);
- if (ret != CERT_SVC_ERR_NO_ERROR) {
- SLOGE("Failed to get_visibility :%d", ret);
- return ret;
- }
-
- return CERT_SVC_ERR_NO_ERROR;
-}
-
-CERT_SVC_API
int cert_svc_util_parse_name_fld_data(unsigned char* str, cert_svc_name_fld_data* fld)
{
return parse_name_fld_data(str, fld);
}
-
-void hex_encoder(const char *src, int srcLen, char *out)
-{
- int i = 0;
- unsigned char cLow = 0;
- unsigned char cHigh = 0;
-
- for (i = 0; i < srcLen ; i++) {
- cLow = src[i] & 0x0f;
- cHigh = (src[i] >> 4) & 0x0f;
-
- if (cLow <= 9)
- out[i * 2 + 1] = cLow + '0';
- else
- out[i * 2 + 1] = cLow - 10 + 'A';
-
- if (cHigh <= 9)
- out[i * 2] = cHigh + '0';
- else
- out[i * 2] = cHigh - 10 + 'A';
- }
-
-}
-
int ret = CERT_SVC_ERR_NO_ERROR;
CERT_CONTEXT* ctx = cert_svc_cert_context_init();
- // load certificate to context
ret = cert_svc_load_file_to_context(ctx, CERT_FILE_SIGNER_V1);
if(ret != CERT_SVC_ERR_NO_ERROR) {
printf("....fail..cert_svc_load_file_to_context. ret=%d\n", ret); fflush(stderr);
int ret = CERT_SVC_ERR_NO_ERROR;
CERT_CONTEXT* ctx = cert_svc_cert_context_init();
- // load certificate to context
ret = cert_svc_load_file_to_context(ctx, CERT_FILE_SIGNER_AIA);
if(ret != CERT_SVC_ERR_NO_ERROR) {
printf("....fail..cert_svc_load_file_to_context. ret=%d\n", ret); fflush(stderr);
#include <dpl/log/log.h>
+#include <cert-service.h>
+
#include <cert-svc/cinstance.h>
#include <cert-svc/ccert.h>
#include <cert-svc/cpkcs12.h>