Adjust Pimpl idiom on signature validator 29/51829/1
authorKyungwook Tak <k.tak@samsung.com>
Mon, 16 Nov 2015 11:00:46 +0000 (20:00 +0900)
committerKyungwook Tak <k.tak@samsung.com>
Mon, 16 Nov 2015 11:28:48 +0000 (20:28 +0900)
 * Support expandable error code/string for plugin
 * Plugin is loaded once when SignatureValidator constructed
 * To hide plugin handler and other classes, pimpl idiom applied

Change-Id: I8597e3489f58a042070b409638bc8a2cdcd17b8d
Signed-off-by: Kyungwook Tak <k.tak@samsung.com>
tests/plugin/plugin-sample.cpp
tests/vcore/test-common.cpp
tests/vcore/test-common.h
tests/vcore/test-signature-validator.cpp
vcore/CMakeLists.txt
vcore/vcore/Error.h [new file with mode: 0644]
vcore/vcore/PluginHandler.cpp
vcore/vcore/PluginHandler.h
vcore/vcore/SignatureValidator.cpp
vcore/vcore/SignatureValidator.h
vcore/vcore/ValidatorPluginApi.h

index edf4b65..c5fe108 100644 (file)
@@ -20,6 +20,8 @@
  * @brief       signature validator plugin sample.
  */
 
+#include <string>
+
 #include <dlog.h>
 
 #include <vcore/ValidatorPluginApi.h>
@@ -43,16 +45,22 @@ public:
        Plugin() {}
        virtual ~Plugin() {}
 
-       virtual SignatureValidator::Result step(SignatureValidator::Result result, SignatureData &data);
+       virtual VCerr step(VCerr result, SignatureData &data);
+       virtual std::string errorToString(VCerr code);
 };
 
-SignatureValidator::Result Plugin::step(SignatureValidator::Result result, SignatureData &data)
+VCerr Plugin::step(VCerr result, SignatureData &data)
 {
        (void)data;
        SLOGI("Plugin::Step called!");
        return result;
 }
 
+std::string Plugin::errorToString(VCerr code)
+{
+       return std::string("Plugin errorstring code : ") + std::to_string(code);
+}
+
 } // namespace ValidationCore
 
 PLUGIN_API
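Review bot: The sample `Plugin` class declares `step` and `errorToString` with `virtual` only, so a later signature change in the plugin interface would silently leave them as unrelated functions instead of producing a compile error. Since this file is the sample that plugin authors are likely to copy, I would declare them as `VCerr step(VCerr result, SignatureData &data) override;` and `std::string errorToString(VCerr code) override;`. The base class lives in ValidatorPluginApi.h and is not visible here, so this assumes both are virtual there. The class definition starts above this hunk.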
index 5c7698b..3ef596b 100644 (file)
 
 #include "test-common.h"
 
-#define SIGNATURE_ERRORDESCRIBE(name) case ValidationCore::SignatureValidator::name: return #name
-const char *validatorErrorToString(ValidationCore::SignatureValidator::Result error)
-{
-       switch (error) {
-               SIGNATURE_ERRORDESCRIBE(SIGNATURE_VALID);
-               SIGNATURE_ERRORDESCRIBE(SIGNATURE_INVALID);
-               SIGNATURE_ERRORDESCRIBE(SIGNATURE_VERIFIED);
-               SIGNATURE_ERRORDESCRIBE(SIGNATURE_DISREGARD);
-               SIGNATURE_ERRORDESCRIBE(SIGNATURE_REVOKED);
-       default:
-               return "Invalid error code.";
-       }
-}
-#undef SIGNATURE_ERRORDESCRIBE
-
 const std::string TestData::widget_path = std::string(TESTAPP_RES_DIR) + "vcore_widget_uncompressed/";
 const std::string TestData::widget_negative_hash_path = std::string(TESTAPP_RES_DIR) + "vcore_widget_uncompressed_negative_hash/";
 const std::string TestData::widget_negative_signature_path = std::string(TESTAPP_RES_DIR) + "vcore_widget_uncompressed_negative_signature/";
index 624eb57..4081830 100644 (file)
 
 #include <string>
 
-#include <vcore/SignatureValidator.h>
-
-const char *validatorErrorToString(ValidationCore::SignatureValidator::Result error);
-
 namespace TestData {
 
 extern const std::string widget_path;
index ba6e85e..7762695 100644 (file)
@@ -15,6 +15,7 @@
  *    limitations under the License.
  */
 #include <string>
+#include <iostream>
 
 #include <dpl/test/test_runner.h>
 #include <vcore/SignatureFinder.h>
@@ -91,26 +92,24 @@ RUNNER_TEST(T0012_signature_validator)
         SignatureFinder::NO_ERROR == signatureFinder.find(signatureSet),
         "SignatureFinder failed");
 
-    for (SignatureFileInfoSet::reverse_iterator iter = signatureSet.rbegin();
-        iter != signatureSet.rend();
-        ++iter) {
+    for (auto &sig : signatureSet) {
+        SignatureValidator validator(sig);
         SignatureData data;
-        SignatureValidator::Result valResult = SignatureValidator::check(
-                *iter,
+        VCerr result = validator.check(
                 TestData::widget_path,
                 false,
                 true,
                 data);
 
         if (data.isAuthorSignature())
-            RUNNER_ASSERT_MSG(valResult == SignatureValidator::SIGNATURE_DISREGARD,
+            RUNNER_ASSERT_MSG(result == E_SIG_DISREGARDED,
                 "Validation failed");
         else
             if (data.getSignatureNumber() == 1)
-                RUNNER_ASSERT_MSG(valResult == SignatureValidator::SIGNATURE_DISREGARD,
+                RUNNER_ASSERT_MSG(result == E_SIG_DISREGARDED,
                     "Validation failed");
             else
-                RUNNER_ASSERT_MSG(valResult == SignatureValidator::SIGNATURE_VERIFIED,
+                RUNNER_ASSERT_MSG(result == E_SIG_NONE,
                     "Validation failed");
     }
 }
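Review bot: The three assertions in this loop still report only "Validation failed", so a failing run does not say which `VCerr` came back, even though a validator object with `errorToString` is now in scope. I would make the message `"Validation failed. Errorcode : " << validator.errorToString(result)`, as the negative-input tests already do. The same applies to the T0013 and T0014 hunks. Separately, the loop now walks `signatureSet` forwards where the old code used `rbegin()`/`rend()`; that looks harmless because each signature gets its own validator, but please confirm nothing depended on the order. The test body starts above this hunk.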
@@ -123,22 +122,20 @@ RUNNER_TEST(T00121_signature_validator_negative_hash_input)
         SignatureFinder::NO_ERROR == signatureFinder.find(signatureSet),
         "SignatureFinder failed");
 
-    for (SignatureFileInfoSet::reverse_iterator iter = signatureSet.rbegin();
-        iter != signatureSet.rend();
-        ++iter) {
+    for (auto &sig : signatureSet) {
+        SignatureValidator validator(sig);
         SignatureData data;
-        SignatureValidator::Result valResult = SignatureValidator::check(
-                *iter,
+        VCerr result = validator.check(
                 TestData::widget_negative_hash_path,
                 false,
                 true,
                 data);
         if (!data.isAuthorSignature())
-            RUNNER_ASSERT_MSG(valResult == SignatureValidator::SIGNATURE_INVALID,
-                "Wrong input file but success.. Errorcode : " << validatorErrorToString(valResult));
+            RUNNER_ASSERT_MSG(result == E_SIG_INVALID_FORMAT,
+                "Wrong input file but success.. Errorcode : " << validator.errorToString(result));
         else
-            RUNNER_ASSERT_MSG(valResult == SignatureValidator::SIGNATURE_DISREGARD,
-                "Wrong input file but success.. Errorcode : " << validatorErrorToString(valResult));
+            RUNNER_ASSERT_MSG(result == E_SIG_DISREGARDED,
+                "Wrong input file but success.. Errorcode : " << validator.errorToString(result));
     }
 }
 
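Review bot: This test pins the tampered-hash input to `E_SIG_INVALID_FORMAT`, which makes a digest mismatch on modified content indistinguishable from a malformed signature file for any caller or log consumer. Error.h in this same commit defines `E_SIG_INVALID_REF`, which reads like the intended code for a failed reference check. The mapping itself is in the validator implementation and not visible in this hunk, so this may be deliberate; if it is, add a comment here such as `/* xmlsec failure is reported as INVALID_FORMAT regardless of cause */`. The same expectation appears in T00122, T00131 and T00132.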
@@ -150,23 +147,21 @@ RUNNER_TEST(T00122_signature_validator_negative_signature_input)
         SignatureFinder::NO_ERROR == signatureFinder.find(signatureSet),
         "SignatureFinder failed");
 
-    for (SignatureFileInfoSet::reverse_iterator iter = signatureSet.rbegin();
-        iter != signatureSet.rend();
-        ++iter) {
+    for (auto &sig : signatureSet) {
+        SignatureValidator validator(sig);
         SignatureData data;
-        SignatureValidator::Result valResult = SignatureValidator::check(
-                *iter,
+        VCerr result = validator.check(
                 TestData::widget_negative_signature_path,
                 false,
                 true,
                 data);
 
         if (!data.isAuthorSignature())
-            RUNNER_ASSERT_MSG(valResult == SignatureValidator::SIGNATURE_INVALID,
-                "Wrong input file but success.. Errorcode : " << validatorErrorToString(valResult));
+            RUNNER_ASSERT_MSG(result == E_SIG_INVALID_FORMAT,
+                "Wrong input file but success.. Errorcode : " << validator.errorToString(result));
         else
-            RUNNER_ASSERT_MSG(valResult == SignatureValidator::SIGNATURE_DISREGARD,
-                "Wrong input file but success.. Errorcode : " << validatorErrorToString(valResult));
+            RUNNER_ASSERT_MSG(result == E_SIG_DISREGARDED,
+                "Wrong input file but success.. Errorcode : " << validator.errorToString(result));
     }
 }
 
@@ -178,19 +173,17 @@ RUNNER_TEST(T00123_signature_validator_partner)
         SignatureFinder::NO_ERROR == signatureFinder.find(signatureSet),
         "SignatureFinder failed");
 
-    for (SignatureFileInfoSet::reverse_iterator iter = signatureSet.rbegin();
-        iter != signatureSet.rend();
-        ++iter) {
+    for (auto &sig : signatureSet) {
+        SignatureValidator validator(sig);
         SignatureData data;
-        SignatureValidator::Result valResult = SignatureValidator::check(
-                *iter,
+        VCerr result = validator.check(
                 TestData::widget_partner_path,
                 false,
                 true,
                 data);
 
-        RUNNER_ASSERT_MSG(valResult == SignatureValidator::SIGNATURE_VERIFIED,
-            "Wrong input file but success.. Errorcode : " << validatorErrorToString(valResult));
+        RUNNER_ASSERT_MSG(result == E_SIG_NONE,
+            "Wrong input file but success.. Errorcode : " << validator.errorToString(result));
         if (!data.isAuthorSignature()) {
             RUNNER_ASSERT_MSG(
                     data.getVisibilityLevel() == CertStoreId::VIS_PARTNER,
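Review bot: The rewritten assertion expects `E_SIG_NONE` but keeps the message "Wrong input file but success..", which describes the opposite situation and will mislead whoever reads a failure of this positive test. Something like `"Partner signature should be valid. Errorcode : " << validator.errorToString(result)` matches what is being checked. T00133 carries the same message on its `E_SIG_NONE` assertion. The test body continues past the end of this hunk.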
@@ -214,26 +207,25 @@ RUNNER_TEST(T0013_signature_validator)
         SignatureFinder::NO_ERROR == signatureFinder.find(signatureSet),
         "SignatureFinder failed");
 
-    for (SignatureFileInfoSet::reverse_iterator iter = signatureSet.rbegin();
-        iter != signatureSet.rend();
-        ++iter) {
+
+    for (auto &sig : signatureSet) {
+        SignatureValidator validator(sig);
         SignatureData data;
-        SignatureValidator::Result valResult = SignatureValidator::check(
-                *iter,
+        VCerr result = validator.check(
                 TestData::widget_path,
                 false,
                 false,
                 data);
 
         if (data.isAuthorSignature())
-            RUNNER_ASSERT_MSG(valResult == SignatureValidator::SIGNATURE_DISREGARD,
+            RUNNER_ASSERT_MSG(result == E_SIG_DISREGARDED,
                 "Validation failed");
         else
             if (data.getSignatureNumber() == 1)
-                RUNNER_ASSERT_MSG(valResult == SignatureValidator::SIGNATURE_DISREGARD,
+                RUNNER_ASSERT_MSG(result == E_SIG_DISREGARDED,
                         "Validation failed");
             else
-                RUNNER_ASSERT_MSG(valResult == SignatureValidator::SIGNATURE_VERIFIED,
+                RUNNER_ASSERT_MSG(result == E_SIG_NONE,
                         "Validation failed");
     }
 }
@@ -246,23 +238,21 @@ RUNNER_TEST(T00131_signature_validator_negative_hash_input)
         SignatureFinder::NO_ERROR == signatureFinder.find(signatureSet),
         "SignatureFinder failed");
 
-    for (SignatureFileInfoSet::reverse_iterator iter = signatureSet.rbegin();
-        iter != signatureSet.rend();
-        ++iter) {
+    for (auto &sig : signatureSet) {
+        SignatureValidator validator(sig);
         SignatureData data;
-        SignatureValidator::Result valResult = SignatureValidator::check(
-                *iter,
+        VCerr result = validator.check(
                 TestData::widget_negative_hash_path,
                 false,
                 false,
                 data);
 
         if (!data.isAuthorSignature())
-            RUNNER_ASSERT_MSG(valResult == SignatureValidator::SIGNATURE_INVALID,
-                "Wrong input file but success.. Errorcode : " << validatorErrorToString(valResult));
+            RUNNER_ASSERT_MSG(result == E_SIG_INVALID_FORMAT,
+                "Wrong input file but success.. Errorcode : " << validator.errorToString(result));
         else
-            RUNNER_ASSERT_MSG(valResult == SignatureValidator::SIGNATURE_DISREGARD,
-                "Wrong input file but success.. Errorcode : " << validatorErrorToString(valResult));
+            RUNNER_ASSERT_MSG(result == E_SIG_DISREGARDED,
+                "Wrong input file but success.. Errorcode : " << validator.errorToString(result));
     }
 }
 
@@ -274,23 +264,21 @@ RUNNER_TEST(T00132_signature_validator_negative_signature_input)
         SignatureFinder::NO_ERROR == signatureFinder.find(signatureSet),
         "SignatureFinder failed");
 
-    for (SignatureFileInfoSet::reverse_iterator iter = signatureSet.rbegin();
-        iter != signatureSet.rend();
-        ++iter) {
+    for (auto &sig : signatureSet) {
+        SignatureValidator validator(sig);
         SignatureData data;
-        SignatureValidator::Result valResult = SignatureValidator::check(
-                *iter,
+        VCerr result = validator.check(
                 TestData::widget_negative_signature_path,
                 false,
                 false,
                 data);
 
         if (!data.isAuthorSignature())
-            RUNNER_ASSERT_MSG(valResult == SignatureValidator::SIGNATURE_INVALID,
-                "Wrong input file but success.. Errorcode : " << validatorErrorToString(valResult));
+            RUNNER_ASSERT_MSG(result == E_SIG_INVALID_FORMAT,
+                "Wrong input file but success.. Errorcode : " << validator.errorToString(result));
         else
-            RUNNER_ASSERT_MSG(valResult == SignatureValidator::SIGNATURE_DISREGARD,
-                "Wrong input file but success.. Errorcode : " << validatorErrorToString(valResult));
+            RUNNER_ASSERT_MSG(result == E_SIG_DISREGARDED,
+                "Wrong input file but success.. Errorcode : " << validator.errorToString(result));
     }
 }
 
@@ -302,19 +290,17 @@ RUNNER_TEST(T00133_signature_validator_partner)
         SignatureFinder::NO_ERROR == signatureFinder.find(signatureSet),
         "SignatureFinder failed");
 
-    for (SignatureFileInfoSet::reverse_iterator iter = signatureSet.rbegin();
-        iter != signatureSet.rend();
-        ++iter) {
+    for (auto &sig : signatureSet) {
+        SignatureValidator validator(sig);
         SignatureData data;
-        SignatureValidator::Result valResult = SignatureValidator::check(
-                *iter,
+        VCerr result = validator.check(
                 TestData::widget_partner_path,
                 false,
                 false,
                 data);
 
-        RUNNER_ASSERT_MSG(valResult == SignatureValidator::SIGNATURE_VERIFIED,
-            "Wrong input file but success.. Errorcode : " << validatorErrorToString(valResult));
+        RUNNER_ASSERT_MSG(result == E_SIG_NONE,
+            "Wrong input file but success.. Errorcode : " << validator.errorToString(result));
 
         if (!data.isAuthorSignature())
             RUNNER_ASSERT_MSG(data.getVisibilityLevel() == CertStoreId::VIS_PARTNER,
@@ -336,36 +322,26 @@ RUNNER_TEST(T0014_signature_reference)
         SignatureFinder::NO_ERROR == signatureFinder.find(signatureSet),
         "SignatureFinder failed");
 
-    for (SignatureFileInfoSet::reverse_iterator iter = signatureSet.rbegin();
-        iter != signatureSet.rend();
-        ++iter) {
+
+    for (auto &sig : signatureSet) {
+        SignatureValidator validator(sig);
         SignatureData data;
-        SignatureValidator::Result valResult = SignatureValidator::check(
-                *iter,
+        VCerr result = validator.check(
                 TestData::widget_path,
                 false,
                 false,
                 data);
 
         if (data.isAuthorSignature())
-            RUNNER_ASSERT_MSG(valResult == SignatureValidator::SIGNATURE_DISREGARD,
+            RUNNER_ASSERT_MSG(result == E_SIG_DISREGARDED,
                 "Validation failed");
         else
             if (data.getSignatureNumber() == 1)
-                RUNNER_ASSERT_MSG(valResult == SignatureValidator::SIGNATURE_DISREGARD,
+                RUNNER_ASSERT_MSG(result == E_SIG_DISREGARDED,
                     "Validation failed");
             else
-                RUNNER_ASSERT_MSG(valResult == SignatureValidator::SIGNATURE_VERIFIED,
+                RUNNER_ASSERT_MSG(result == E_SIG_NONE,
                     "Validation failed");
-
-/*
-        ReferenceValidator val(TestData::widget_path);
-        int temp = val.checkReferences(data);
-        RUNNER_ASSERT_MSG(ReferenceValidator::NO_ERROR == temp,
-                "File[" << iter->getFileName()
-                << "] FileNumber[" << iter->getFileNumber()
-                << "] Errorcode : " << refValidatorErrorToString(temp));
-*/
     }
 }
 
@@ -494,14 +470,34 @@ RUNNER_TEST(T00146_signature_reference_encoding_negative)
 */
 
 
-RUNNER_TEST_GROUP_INIT(T0020_Certificate)
+RUNNER_TEST_GROUP_INIT(T0020_SigVal_errorstring)
+
+RUNNER_TEST(T0021)
+{
+    SignatureValidator validator(SignatureFileInfo("test-dummy", 1));
+
+    for (VCerr code = E_SCOPE_FIRST; code >= E_SCOPE_LAST; code--) {
+        std::cout << "E_SIG code["
+            << code << "] : "
+            << validator.errorToString(code) << std::endl;
+    }
+
+    /* print 10 more error code below last in case of plugin err exist */
+    for (VCerr code = E_SCOPE_LAST - 1; code >= E_SCOPE_LAST - 10; code--) {
+        std::cout << "VCerr from plugin["
+            << code << "] : "
+            << validator.errorToString(code) << std::endl;
+    }
+}
+
+RUNNER_TEST_GROUP_INIT(T0030_Certificate)
 
 /*
  * test: class Certificate
  * description: Certificate should parse data passed to object constructor.
  * expected: Getters should be able to return certificate information.
  */
-RUNNER_TEST(T0021_Certificate)
+RUNNER_TEST(T0031_Certificate)
 {
     Certificate cert(TestData::certVerisign, Certificate::FORM_BASE64);
     std::string result;
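Review bot: T0021 only prints the error strings and asserts nothing, so it passes even if `errorToString` returns an empty string, or the same fallback text, for every code. At minimum the first loop could check `RUNNER_ASSERT_MSG(!validator.errorToString(code).empty(), "no string for code " << code);`. The second loop covers the plugin range, and its expected output depends on whether a plugin is installed. A comment saying which result is expected without a plugin would make the test usable as a regression check. `'\n'` instead of `std::endl` avoids a flush per line.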
@@ -525,7 +521,7 @@ RUNNER_TEST(T0021_Certificate)
  * description: Certificate should parse data passed to object constructor.
  * expected: Function fingerprint should return valid fingerprint.
  */
-RUNNER_TEST(T0022_Certificate)
+RUNNER_TEST(T0032_Certificate)
 {
     Certificate cert(TestData::certVerisign, Certificate::FORM_BASE64);
 
@@ -550,7 +546,7 @@ RUNNER_TEST(T0022_Certificate)
  * expected: Function getAlternativeNameDNS should return list of
  * alternativeNames hardcoded in certificate.
  */
-RUNNER_TEST(T0023_Certificate)
+RUNNER_TEST(T0033_Certificate)
 {
     Certificate cert(TestData::certVerisign, Certificate::FORM_BASE64);
 
@@ -571,7 +567,7 @@ RUNNER_TEST(T0023_Certificate)
  * description: Certificate should parse data passed to object constructor.
  * expected: 1st and 2nd certificate should be identified as CA.
  */
-RUNNER_TEST(T0024_Certificate_isCA)
+RUNNER_TEST(T0034_Certificate_isCA)
 {
     Certificate cert1(TestData::googleCA, Certificate::FORM_BASE64);
     RUNNER_ASSERT(cert1.isCA() > 0);
index 8e71a82..00aa7be 100644 (file)
@@ -132,6 +132,7 @@ INSTALL(FILES
     ${VCORE_DIR}/vcore/CertStoreType.h
     ${VCORE_DIR}/vcore/exception.h
     ${VCORE_DIR}/vcore/ValidatorPluginApi.h
+    ${VCORE_DIR}/vcore/Error.h
     DESTINATION ${INCLUDEDIR}/cert-svc/vcore
     )
 
diff --git a/vcore/vcore/Error.h b/vcore/vcore/Error.h
new file mode 100644 (file)
index 0000000..3f79543
--- /dev/null
@@ -0,0 +1,44 @@
+/*
+ * Copyright (c) 2015 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ *    Licensed under the Apache License, Version 2.0 (the "License");
+ *    you may not use this file except in compliance with the License.
+ *    You may obtain a copy of the License at
+ *
+ *        http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS,
+ *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *    See the License for the specific language governing permissions and
+ *    limitations under the License.
+ */
+/*
+ * @file        Error.h
+ * @author      Kyungwook Tak (k.tak@samsung.com)
+ * @version     1.0
+ * @brief       Error codes of signature validator.
+ */
+#pragma once
+
+namespace ValidationCore {
+
+using VCerr = int;
+
+const VCerr E_SIG_NONE           = 0;
+const VCerr E_SIG_INVALID_FORMAT = -1;
+const VCerr E_SIG_INVALID_CERT   = -2;
+const VCerr E_SIG_INVALID_CHAIN  = -3;
+const VCerr E_SIG_INVALID_REF    = -4;
+const VCerr E_SIG_CERT_EXPIRED   = -5;
+const VCerr E_SIG_CERT_NOT_YET   = -6;
+const VCerr E_SIG_DISREGARDED    = -7;
+const VCerr E_SIG_REVOKED        = -8;
+const VCerr E_SIG_PLUGIN         = -9;
+const VCerr E_SIG_OUT_OF_MEM     = -10;
+const VCerr E_SIG_UNKNOWN        = -11;
+
+const VCerr E_SCOPE_FIRST        = E_SIG_INVALID_FORMAT;
+const VCerr E_SCOPE_LAST         = E_SIG_UNKNOWN;
+
+}
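Review bot: Error.h does not document how the code space is divided between the core and plugins, although the commit message and the T0021 test suggest plugins are expected to return values below `E_SCOPE_LAST`. As written, adding a core code after `E_SIG_UNKNOWN` moves `E_SCOPE_LAST` and can collide with a code that a deployed plugin already returns. I would add a comment above the two scope constants along the lines of `/* [E_SCOPE_FIRST, E_SCOPE_LAST] is reserved for vcore; plugins must use values below E_SCOPE_LAST */` and state that `E_SIG_NONE` is the only success value. Because `VCerr` is a plain `int` alias, nothing stops a caller from testing it as a boolean, so the "0 means success" contract is worth spelling out too. The closing brace could carry `// namespace ValidationCore`, like the other files in this change.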
index 04c1a95..98aa0b9 100644 (file)
@@ -82,7 +82,7 @@ bool PluginHandler::fail() const
        return m_fail;
 }
 
-SignatureValidator::Result PluginHandler::step(SignatureValidator::Result result, SignatureData &data)
+VCerr PluginHandler::step(VCerr result, SignatureData &data)
 {
        if (!m_plugin) {
                LogError("Plugin is not initialized.");
@@ -92,4 +92,12 @@ SignatureValidator::Result PluginHandler::step(SignatureValidator::Result result
        return m_plugin->step(result, data);
 }
 
+std::string PluginHandler::errorToString(VCerr code)
+{
+       if (!m_plugin)
+               return "Plugin is not initialized";
+
+       return m_plugin->errorToString(code);
+}
+
 } // namespace ValidationCore
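Review bot: `PluginHandler::errorToString` calls straight into the loaded plugin with no exception guard, whereas the `step` call is wrapped in `catch (...)` by `additionalCheck` elsewhere in this commit. Error-string lookup typically runs on failure and logging paths, so a throwing plugin could turn a reported validation error into an unhandled exception in the caller. Unless the caller in `SignatureValidator::Impl` already guards it (not visible here), I would write `try { return m_plugin->errorToString(code); } catch (...) { return "Plugin failed to describe error code"; }`. The method does not modify the handler, so it could also be declared `const`.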
index 9754bf0..1b83b02 100644 (file)
  */
 #pragma once
 
+#include <string>
+
 #include <vcore/SignatureData.h>
 #include <vcore/SignatureValidator.h>
 #include <vcore/ValidatorPluginApi.h>
+#include <vcore/Error.h>
 
 namespace ValidationCore {
 
@@ -37,7 +40,8 @@ public:
        virtual ~PluginHandler();
 
        bool fail(void) const;
-       SignatureValidator::Result step(SignatureValidator::Result result, SignatureData &data);
+       VCerr step(VCerr result, SignatureData &data);
+       std::string errorToString(VCerr code);
 
 private:
        void *m_dlhandle;
index 0875661..f899339 100644 (file)
  * @brief       Implementatin of tizen signature validation protocol.
  */
 
+#include <memory>
+#include <string>
+#include <utility>
+
 #include <dpl/log/log.h>
 
 #include <vcore/CertificateCollection.h>
 
 #include <vcore/SignatureValidator.h>
 
+using namespace ValidationCore::CertStoreId;
+
 namespace {
 
-const std::string TOKEN_ROLE_AUTHOR_URI =
-       "http://www.w3.org/ns/widgets-digsig#role-author";
-const std::string TOKEN_ROLE_DISTRIBUTOR_URI =
-       "http://www.w3.org/ns/widgets-digsig#role-distributor";
-const std::string TOKEN_PROFILE_URI =
-       "http://www.w3.org/ns/widgets-digsig#profile";
+const std::string TOKEN_PREFIX          = "http://www.w3.org/ns/widgets-digsig#";
+const std::string TOKEN_ROLE_AUTHOR_URI = TOKEN_PREFIX + "role-author";
+const std::string TOKEN_ROLE_DIST_URI   = TOKEN_PREFIX + "role-distributor";
+const std::string TOKEN_PROFILE_URI     = TOKEN_PREFIX + "profile";
+
+enum class CertTimeStatus : int {
+       VALID,
+       NOT_YET,
+       EXPIRED
+};
 
-static tm _ASN1_GetTimeT(ASN1_TIME *time)
+struct tm _ASN1_GetTimeT(ASN1_TIME *time)
 {
        struct tm t;
-       const charstr = (const char *)time->data;
+       const char *str = (const char *)time->data;
        size_t i = 0;
 
        memset(&t, 0, sizeof(t));
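Review bot: `_ASN1_GetTimeT` takes `time->data` through a C-style cast and the lines visible here never consult `time->length`. That field comes from a parsed certificate, so the length should be checked before `str` is indexed. The rest of the body is outside this hunk, so this may already be handled; if it is not, an early guard that compares `time->length` with the expected UTCTime/GeneralizedTime size is the fix. While touching this line, `reinterpret_cast<const char *>(time->data)` is easier to audit than the C-style cast. The name `_ASN1_GetTimeT`, an underscore followed by a capital, is reserved for the implementation. The new file-scope `using namespace ValidationCore::CertStoreId;` also makes bare names such as `Set` and `TIZEN_TEST` harder to trace in trust-store checks; qualifying them or using a namespace alias keeps that code readable.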
@@ -78,53 +88,7 @@ static tm _ASN1_GetTimeT(ASN1_TIME *time)
        return t;
 }
 
-static bool checkRoleURI(const ValidationCore::SignatureData &data)
-{
-       std::string roleURI = data.getRoleURI();
-
-       if (roleURI.empty()) {
-               LogWarning("URI attribute in Role tag couldn't be empty.");
-               return false;
-       }
-
-       if (roleURI != TOKEN_ROLE_AUTHOR_URI && data.isAuthorSignature()) {
-               LogWarning("URI attribute in Role tag does not "
-                       "match with signature filename.");
-               return false;
-       }
-
-       if (roleURI != TOKEN_ROLE_DISTRIBUTOR_URI && !data.isAuthorSignature()) {
-               LogWarning("URI attribute in Role tag does not "
-                       "match with signature filename.");
-               return false;
-       }
-       return true;
-}
-
-static bool checkProfileURI(const ValidationCore::SignatureData &data)
-{
-       if (TOKEN_PROFILE_URI != data.getProfileURI()) {
-               LogWarning("Profile tag contains unsupported value "
-                       "in URI attribute " << data.getProfileURI());
-               return false;
-       }
-       return true;
-}
-
-static bool checkObjectReferences(const ValidationCore::SignatureData &data)
-{
-       ValidationCore::ObjectList objectList = data.getObjectList();
-       ValidationCore::ObjectList::const_iterator iter;
-       for (iter = objectList.begin(); iter != objectList.end(); ++iter) {
-               if (!data.containObjectReference(*iter)) {
-                       LogWarning("Signature does not contain reference for object " << *iter);
-                       return false;
-               }
-       }
-       return true;
-}
-
-static struct tm getMidTime(const struct tm &tb, const struct tm &ta)
+struct tm getMidTime(const struct tm &tb, const struct tm &ta)
 {
        struct tm tMid;
        memset(&tMid, 0, sizeof(tMid));
@@ -177,215 +141,313 @@ static struct tm getMidTime(const struct tm &tb, const struct tm &ta)
        return tMid;
 }
 
-} // namespace anonymous
+inline CertTimeStatus timeValidation(ASN1_TIME *min, ASN1_TIME *max, time_t *cur)
+{
+       if (X509_cmp_time(min, cur) > 0)
+               return CertTimeStatus::NOT_YET;
+       else if (X509_cmp_time(max, cur) < 0)
+               return CertTimeStatus::EXPIRED;
+       else
+               return CertTimeStatus::VALID;
+}
+
+inline bool isTimeStrict(const Set &stores)
+{
+       return (stores.contains(TIZEN_TEST) || stores.contains(TIZEN_VERIFY))
+               ? true : false;
+}
 
+} // namespace anonymous
 
 
 namespace ValidationCore {
 
-static SignatureValidator::Result additionalCheck(SignatureValidator::Result result, SignatureData &data)
+class SignatureValidator::Impl {
+public:
+       Impl(const SignatureFileInfo &info);
+       virtual ~Impl() {};
+
+       VCerr check(
+               const std::string &contentPath,
+               bool checkOcsp,
+               bool checkReferences,
+               SignatureData &outData);
+
+       VCerr checkList(
+               const std::string &contentPath,
+               const UriList &uriList,
+               bool checkOcsp,
+               bool checkReferences,
+               SignatureData &outData);
+
+       VCerr makeChainBySignature(
+               bool completeWithSystemCert,
+               CertificateList &certList);
+
+       std::string errorToString(VCerr code);
+
+private:
+       VCerr baseCheck(
+               const std::string &contentPath,
+               bool checkOcsp,
+               bool checkReferences);
+
+       VCerr baseCheckList(
+               const std::string &contentPath,
+               const UriList &uriList,
+               bool checkOcsp,
+               bool checkReferences);
+
+       VCerr makeDataBySignature(bool completeWithSystemCert);
+       VCerr additionalCheck(VCerr result);
+
+       VCerr parseSignature(void);
+       VCerr preStep(void);
+       bool checkRoleURI(void);
+       bool checkProfileURI(void);
+       bool checkObjectReferences(void);
+
+       PluginHandler m_pluginHandler;
+       SignatureFileInfo m_fileInfo;
+       XmlSec::XmlSecContext m_context;
+       SignatureData m_data;
+       bool m_disregarded;
+};
+
+
+SignatureValidator::Impl::Impl(const SignatureFileInfo &info)
+       : m_fileInfo(info)
+       , m_disregarded(false)
+{
+}
+
+bool SignatureValidator::Impl::checkRoleURI(void)
+{
+       std::string roleURI = m_data.getRoleURI();
+
+       if (roleURI.empty()) {
+               LogWarning("URI attribute in Role tag couldn't be empty.");
+               return false;
+       }
+
+       if (roleURI != TOKEN_ROLE_AUTHOR_URI && m_data.isAuthorSignature()) {
+               LogWarning("URI attribute in Role tag does not "
+                       "match with signature filename.");
+               return false;
+       }
+
+       if (roleURI != TOKEN_ROLE_DIST_URI && !m_data.isAuthorSignature()) {
+               LogWarning("URI attribute in Role tag does not "
+                       "match with signature filename.");
+               return false;
+       }
+       return true;
+}
+
+
+bool SignatureValidator::Impl::checkProfileURI(void)
+{
+       if (TOKEN_PROFILE_URI != m_data.getProfileURI()) {
+               LogWarning("Profile tag contains unsupported value "
+                       "in URI attribute " << m_data.getProfileURI());
+               return false;
+       }
+       return true;
+}
+
+bool SignatureValidator::Impl::checkObjectReferences(void)
+{
+       for (const auto &object : m_data.getObjectList()) {
+               if (!m_data.containObjectReference(object)) {
+                       LogWarning("Signature does not contain reference for object " << object);
+                       return false;
+               }
+       }
+
+       return true;
+}
+
+VCerr SignatureValidator::Impl::additionalCheck(VCerr result)
 {
        try {
-               PluginHandler handler;
-               if (handler.fail()) {
+               if (m_pluginHandler.fail()) {
                        LogInfo("No validator plugin found. Skip additional check.");
                        return result;
                }
 
-               return handler.step(result, data);
+               return m_pluginHandler.step(result, m_data);
        } catch (...) {
                LogError("Exception in additional check by plugin.");
-               return SignatureValidator::SIGNATURE_INVALID;
+               return E_SIG_PLUGIN;
        }
 }
 
-/*
- *  Parse xml and save info to signature data.
- *
- *  [out] outData  : signature data for validating and will be finally returned to client.
- */
-static int parseSignature(SignatureData &outData)
+VCerr SignatureValidator::Impl::parseSignature(void)
 {
        try {
                SignatureReader xml;
-               xml.initialize(outData, SIGNATURE_SCHEMA_PATH);
-               xml.read(outData);
+               xml.initialize(m_data, SIGNATURE_SCHEMA_PATH);
+               xml.read(m_data);
        } catch (...) {
                LogError("Failed to parse signature file by signature reader.");
-               return -1;
+               return E_SIG_INVALID_FORMAT;
        }
 
-       return 0;
+       return E_SIG_NONE;
 }
 
 /*
  *  Make SignatureData by parsing signature file.
  *  and get certificate chain with attached certificate in signature
  */
-static int makeDataBySignature(
-       const SignatureFileInfo &fileInfo,
-       bool completeWithSystemCert,
-       SignatureData &data)
+VCerr SignatureValidator::Impl::makeDataBySignature(bool completeWithSystemCert)
 {
-       data = SignatureData(fileInfo.getFileName(), fileInfo.getFileNumber());
+       m_data = SignatureData(m_fileInfo.getFileName(), m_fileInfo.getFileNumber());
 
-       if (parseSignature(data)) {
+       if (parseSignature()) {
                LogError("Failed to parse signature.");
-               return -1;
+               return E_SIG_INVALID_FORMAT;
        }
 
-       if (!checkRoleURI(data) || !checkProfileURI(data))
-               return -1;
+       if (!checkRoleURI() || !checkProfileURI())
+               return E_SIG_INVALID_FORMAT;
 
        try {
                CertificateCollection collection;
-               collection.load(data.getCertList());
+               collection.load(m_data.getCertList());
 
                if (!collection.sort() || collection.empty()) {
                        LogError("Certificates do not form valid chain.");
-                       return -1;
+                       return E_SIG_INVALID_CHAIN;
                }
 
                if (completeWithSystemCert && !collection.completeCertificateChain()) {
                        LogError("Failed to complete cert chain with system cert");
-                       return -1;
+                       return E_SIG_INVALID_CHAIN;
                }
 
-               data.setSortedCertificateList(collection.getChain());
-               return 0;
+               m_data.setSortedCertificateList(collection.getChain());
 
        } catch (const CertificateCollection::Exception::Base &e) {
                LogError("CertificateCollection exception : " << e.DumpToString());
-               return -1;
+               return E_SIG_INVALID_CHAIN;
        } catch (const std::exception &e) {
                LogError("std exception occured : " << e.what());
-               return -1;
+               return E_SIG_UNKNOWN;
        } catch (...) {
                LogError("Unknown exception in SignatureValidator::makeChainBySignature");
-               return -1;
+               return E_SIG_UNKNOWN;
        }
+
+       return E_SIG_NONE;
 }
 
-/*
- *  Same logic (check, checkList) is functionalized here.
- *
- *  [in]  fileInfo  : file info of signature to check
- *  [out] disregard : distributor signature disregard flag.
- *  [out] context   : xml sec for validating.
- *  [out] data      : signature data for validationg and will be finally returned to client.
- */
-static SignatureValidator::Result preStep(
-       const SignatureFileInfo &fileInfo,
-       bool &disregard,
-       XmlSec::XmlSecContext &context,
-       SignatureData &data)
+VCerr SignatureValidator::Impl::preStep(void)
 {
-       if (makeDataBySignature(fileInfo, true, data))
-               return SignatureValidator::SIGNATURE_INVALID;
+       VCerr result = makeDataBySignature(true);
+       if (result != E_SIG_NONE)
+               return result;
 
        // Is Root CA certificate trusted?
-       CertStoreId::Set storeIdSet = createCertificateIdentifier().find(data.getCertList().back());
+       Set storeIdSet = createCertificateIdentifier().find(m_data.getCertList().back());
 
        LogDebug("root certificate from " << storeIdSet.typeToString() << " domain");
-       if (data.isAuthorSignature()) {
-               if (!storeIdSet.contains(CertStoreId::TIZEN_DEVELOPER)) {
-                       LogWarning("author-signature.xml has got unrecognized Root CA "
-                               "certificate. Signature will be disregarded.");
-                       disregard = true;
+       if (m_data.isAuthorSignature()) {
+               if (!storeIdSet.contains(TIZEN_DEVELOPER)) {
+                       LogWarning("author-signature.xml has got unrecognized Root CA certificate. "
+                               "Signature will be disregarded.");
+                       m_disregarded = true;
                }
        } else {
-               LogDebug("signaturefile name = " << data.getSignatureFileName());
-               if (storeIdSet.contains(CertStoreId::TIZEN_DEVELOPER)) {
-                       LogError("distributor has author level siganture! Signature will be disregarded.");
-                       return SignatureValidator::SIGNATURE_INVALID;
+               LogDebug("signaturefile name = " << m_data.getSignatureFileName());
+               if (storeIdSet.contains(TIZEN_DEVELOPER)) {
+                       LogError("distributor has author level siganture! "
+                               "Signature will be disregarded.");
+                       return E_SIG_INVALID_FORMAT;
                }
 
-               if (data.getSignatureNumber() == 1 && !storeIdSet.isContainsVis()) {
-                       LogWarning("signature1.xml has got unrecognized Root CA "
-                               "certificate. Signature will be disregarded.");
-                       disregard = true;
+               if (m_data.getSignatureNumber() == 1 && !storeIdSet.isContainsVis()) {
+                       LogWarning("signature1.xml has got unrecognized Root CA certificate. "
+                               "Signature will be disregarded.");
+                       m_disregarded = true;
                }
        }
 
-       data.setStorageType(storeIdSet);
+       m_data.setStorageType(storeIdSet);
 
        /*
         * We add only Root CA certificate because the rest
         * of certificates are present in signature files ;-)
         */
-       context.signatureFile = data.getSignatureFileName();
-       context.certificatePtr = data.getCertList().back();
+       m_context.signatureFile = m_data.getSignatureFileName();
+       m_context.certificatePtr = m_data.getCertList().back();
 
        /* certificate time check */
-       ASN1_TIME* notAfterTime = data.getEndEntityCertificatePtr()->getNotAfterTime();
-       ASN1_TIME* notBeforeTime = data.getEndEntityCertificatePtr()->getNotBeforeTime();
+       ASN1_TIME *notAfterTime = m_data.getEndEntityCertificatePtr()->getNotAfterTime();
+       ASN1_TIME *notBeforeTime = m_data.getEndEntityCertificatePtr()->getNotBeforeTime();
 
        time_t nowTime = time(NULL);
 
-       if (X509_cmp_time(notBeforeTime, &nowTime) > 0  || X509_cmp_time(notAfterTime, &nowTime) < 0) {
-               if (storeIdSet.contains(CertStoreId::TIZEN_TEST) || storeIdSet.contains(CertStoreId::TIZEN_VERIFY)) {
-                       LogError("TIZEN_VERIFY : check certificate Time : FALSE");
-                       return SignatureValidator::SIGNATURE_INVALID;
-               }
+       CertTimeStatus status = timeValidation(notBeforeTime, notAfterTime, &nowTime);
+       if (status != CertTimeStatus::VALID) {
+               if (isTimeStrict(storeIdSet))
+                       return status == CertTimeStatus::EXPIRED
+                                       ? E_SIG_CERT_EXPIRED : E_SIG_CERT_NOT_YET;
 
-               struct tm tMid = getMidTime(_ASN1_GetTimeT(notBeforeTime), _ASN1_GetTimeT(notAfterTime));
+               struct tm tMid = getMidTime(
+                               _ASN1_GetTimeT(notBeforeTime),
+                               _ASN1_GetTimeT(notAfterTime));
 
-               context.validationTime = mktime(&tMid);
+               m_context.validationTime = mktime(&tMid);
        }
 
-       return SignatureValidator::SIGNATURE_VERIFIED;
+       return E_SIG_NONE;
 }
 
-SignatureValidator::Result baseCheck(
-       const SignatureFileInfo &fileInfo,
-       const std::string &widgetContentPath,
+VCerr SignatureValidator::Impl::baseCheck(
+       const std::string &contentPath,
        bool checkOcsp,
-       bool checkReferences,
-       SignatureData &outData)
+       bool checkReferences)
 {
-       bool disregard = false;
-       SignatureValidator::Result result = SignatureValidator::SIGNATURE_INVALID;
-
        try {
-               XmlSec::XmlSecContext context;
-               result = preStep(fileInfo, disregard, context, outData);
-               if (result != SignatureValidator::SIGNATURE_VERIFIED)
+               VCerr result = preStep();
+               if (result != E_SIG_NONE)
                        return result;
 
-               if (!outData.isAuthorSignature()) {
-                       if (XmlSec::NO_ERROR != XmlSecSingleton::Instance().validate(&context)) {
+               if (!m_data.isAuthorSignature()) {
+                       if (XmlSec::NO_ERROR != XmlSecSingleton::Instance().validate(&m_context)) {
                                LogWarning("Installation break - invalid package!");
-                               return SignatureValidator::SIGNATURE_INVALID;
+                               return E_SIG_INVALID_FORMAT;
                        }
 
-                       outData.setReference(context.referenceSet);
-                       if (!checkObjectReferences(outData)) {
+                       m_data.setReference(m_context.referenceSet);
+                       if (!checkObjectReferences()) {
                                LogWarning("Failed to check Object References");
-                               return SignatureValidator::SIGNATURE_INVALID;
+                               return E_SIG_INVALID_REF;
                        }
 
                        if (checkReferences) {
-                               ReferenceValidator fileValidator(widgetContentPath);
-                               if (ReferenceValidator::NO_ERROR != fileValidator.checkReferences(outData)) {
+                               ReferenceValidator fileValidator(contentPath);
+                               if (ReferenceValidator::NO_ERROR != fileValidator.checkReferences(m_data)) {
                                        LogWarning("Invalid package - file references broken");
-                                       return SignatureValidator::SIGNATURE_INVALID;
+                                       return E_SIG_INVALID_REF;
                                }
                        }
                }
 
-               if (checkOcsp && Ocsp::check(outData) == Ocsp::Result::REVOKED) {
+               if (checkOcsp && Ocsp::check(m_data) == Ocsp::Result::REVOKED) {
                        LogError("Certificate is Revoked by OCSP server.");
-                       return SignatureValidator::SIGNATURE_REVOKED;
+                       return E_SIG_REVOKED;
                }
 
                LogDebug("Signature validation check done successfully ");
 
        } catch (const CertificateCollection::Exception::Base &e) {
                LogError("CertificateCollection exception : " << e.DumpToString());
-               return SignatureValidator::SIGNATURE_INVALID;
+               return E_SIG_INVALID_CHAIN;
        } catch (const XmlSec::Exception::Base &e) {
                LogError("XmlSec exception : " << e.DumpToString());
-               return SignatureValidator::SIGNATURE_INVALID;
+               return E_SIG_INVALID_FORMAT;
        } catch (const Ocsp::Exception::Base &e) {
                LogInfo("OCSP will be handled by cert-checker later. : " << e.DumpToString());
                /*
@@ -395,74 +457,68 @@ SignatureValidator::Result baseCheck(
                 */
        } catch (const std::exception &e) {
                LogError("std exception occured : " << e.what());
-               return SignatureValidator::SIGNATURE_INVALID;
+               return E_SIG_UNKNOWN;
        } catch (...) {
                LogError("Unknown exception in SignatureValidator::check");
-               return SignatureValidator::SIGNATURE_INVALID;
+               return E_SIG_UNKNOWN;
        }
 
-       return disregard ? SignatureValidator::SIGNATURE_DISREGARD : SignatureValidator::SIGNATURE_VERIFIED;
+       return m_disregarded ? E_SIG_DISREGARDED : E_SIG_NONE;
 }
 
-SignatureValidator::Result baseCheckList(
-       const SignatureFileInfo &fileInfo,
-       const std::string &widgetContentPath,
-       const std::list<std::string> &uriList,
+VCerr SignatureValidator::Impl::baseCheckList(
+       const std::string &contentPath,
+       const UriList &uriList,
        bool checkOcsp,
-       bool checkReferences,
-       SignatureData &outData)
+       bool checkReferences)
 {
-       bool disregard = false;
-       SignatureValidator::Result result = SignatureValidator::SIGNATURE_INVALID;
-
        try {
-               XmlSec::XmlSecContext context;
-               result = preStep(fileInfo, disregard, context, outData);
-               if (result != SignatureValidator::SIGNATURE_VERIFIED)
+               VCerr result = preStep();
+               if (result != E_SIG_NONE)
                        return result;
 
                if (uriList.size() == 0) {
-                       if (XmlSec::NO_ERROR != XmlSecSingleton::Instance().validateNoHash(&context)) {
+                       if (XmlSec::NO_ERROR != XmlSecSingleton::Instance().validateNoHash(&m_context)) {
                                LogWarning("Installation break - invalid package! >> validateNoHash");
-                               return SignatureValidator::SIGNATURE_INVALID;
+                               return E_SIG_INVALID_FORMAT;
                        }
                } else {
                        XmlSecSingleton::Instance().setPartialHashList(uriList);
-                       if (XmlSec::NO_ERROR != XmlSecSingleton::Instance().validatePartialHash(&context)) {
+                       if (XmlSec::NO_ERROR != XmlSecSingleton::Instance().validatePartialHash(&m_context)) {
                                LogWarning("Installation break - invalid package! >> validatePartialHash");
-                               return SignatureValidator::SIGNATURE_INVALID;
+                               return E_SIG_INVALID_FORMAT;
                        }
                }
 
-               outData.setReference(context.referenceSet);
+               m_data.setReference(m_context.referenceSet);
                /*
-               if (!checkObjectReferences(outData)) {
+               if (!checkObjectReferences()) {
                        LogWarning("Failed to check Object References");
-                       return SIGNATURE_INVALID;
+                       return E_SIG_INVALID_REF;
                }
                */
 
                if (checkReferences) {
-                       ReferenceValidator fileValidator(widgetContentPath);
-                       if (ReferenceValidator::NO_ERROR != fileValidator.checkReferences(outData)) {
+                       ReferenceValidator fileValidator(contentPath);
+                       if (ReferenceValidator::NO_ERROR != fileValidator.checkReferences(m_data)) {
                                LogWarning("Invalid package - file references broken");
-                               return SignatureValidator::SIGNATURE_INVALID;
+                               return E_SIG_INVALID_REF;
                        }
                }
 
-               if (checkOcsp && Ocsp::check(outData) == Ocsp::Result::REVOKED) {
+               if (checkOcsp && Ocsp::check(m_data) == Ocsp::Result::REVOKED) {
                        LogError("Certificate is Revoked by OCSP server.");
-                       return SignatureValidator::SIGNATURE_REVOKED;
+                       return E_SIG_REVOKED;
                }
 
                LogDebug("Signature validation of check list done successfully ");
 
        } catch (const CertificateCollection::Exception::Base &e) {
                LogError("CertificateCollection exception : " << e.DumpToString());
-               return SignatureValidator::SIGNATURE_INVALID;
+               return E_SIG_INVALID_CHAIN;
        } catch (const XmlSec::Exception::Base &e) {
                LogError("XmlSec exception : " << e.DumpToString());
-               return SignatureValidator::SIGNATURE_INVALID;
+               return E_SIG_INVALID_FORMAT;
        } catch (const Ocsp::Exception::Base &e) {
                LogInfo("OCSP will be handled by cert-checker later. : " << e.DumpToString());
                /*
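Review bot: `m_disregarded` is read in the final `return` of both baseCheck and baseCheckList, but neither function clears it before calling preStep(), whereas the removed code started every call with `bool disregard = false;`. Now that the validator is an object, a second check() or checkList() on the same instance would report E_SIG_DISREGARDED if an earlier call set the flag, unless Impl resets it somewhere outside this hunk. The same applies to `m_context`, which replaces the per-call local `XmlSec::XmlSecContext context;` and so keeps `validationTime` and `referenceSet` from the previous run. I would make `m_disregarded = false;` the first statement of each `try` block (or of preStep) and re-initialise m_context at the same place. baseCheck begins before this hunk and baseCheckList ends after it.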
@@ -472,51 +528,137 @@ SignatureValidator::Result baseCheckList(
                 */
        } catch (...) {
                LogError("Unknown exception in SignatureValidator::checkList");
-               return SignatureValidator::SIGNATURE_INVALID;
+               return E_SIG_UNKNOWN;
        }
 
-       return disregard ? SignatureValidator::SIGNATURE_DISREGARD : SignatureValidator::SIGNATURE_VERIFIED;
+       return m_disregarded ? E_SIG_DISREGARDED : E_SIG_NONE;
 }
 
-SignatureValidator::Result SignatureValidator::check(
-       const SignatureFileInfo &fileInfo,
-       const std::string &widgetContentPath,
+VCerr SignatureValidator::Impl::check(
+       const std::string &contentPath,
        bool checkOcsp,
        bool checkReferences,
        SignatureData &outData)
 {
-       Result result = baseCheck(fileInfo, widgetContentPath, checkOcsp, checkReferences, outData);
+       VCerr result;
+
+       result = baseCheck(contentPath, checkOcsp, checkReferences);
+       result = additionalCheck(result);
 
-       return additionalCheck(result, outData);
+       outData = m_data;
+
+       return result;
 }
 
-SignatureValidator::Result SignatureValidator::checkList(
-       const SignatureFileInfo &fileInfo,
-       const std::string &widgetContentPath,
-       const std::list<std::string> &uriList,
+VCerr SignatureValidator::Impl::checkList(
+       const std::string &contentPath,
+       const UriList &uriList,
        bool checkOcsp,
        bool checkReferences,
        SignatureData &outData)
 {
-       Result result = baseCheckList(fileInfo, widgetContentPath, uriList, checkOcsp, checkReferences, outData);
+       VCerr result;
+
+       result = baseCheckList(contentPath, uriList, checkOcsp, checkReferences);
+       result = additionalCheck(result);
 
-       return additionalCheck(result, outData);
+       outData = m_data;
+
+       return result;
 }
 
-SignatureValidator::Result SignatureValidator::makeChainBySignature(
-       const SignatureFileInfo &fileInfo,
+VCerr SignatureValidator::Impl::makeChainBySignature(
        bool completeWithSystemCert,
        CertificateList &certList)
 {
-       SignatureData data;
-       if (makeDataBySignature(fileInfo, completeWithSystemCert, data))
-               return SIGNATURE_INVALID;
+       VCerr result = makeDataBySignature(completeWithSystemCert);
+       if (result != E_SIG_NONE)
+               return result;
+
+       certList = m_data.getCertList();
+
+       return E_SIG_NONE;
+}
+
+std::string SignatureValidator::Impl::errorToString(VCerr code)
+{
+       switch (code) {
+       case E_SIG_NONE:           return "E_SIG_NONE";
+       case E_SIG_INVALID_FORMAT: return "E_SIG_INVALID_FORMAT";
+       case E_SIG_INVALID_CERT:   return "E_SIG_INVALID_CERT";
+       case E_SIG_INVALID_CHAIN:  return "E_SIG_INVALID_CHAIN";
+       case E_SIG_INVALID_REF:    return "E_SIG_INVALID_REF";
+       case E_SIG_CERT_EXPIRED:   return "E_SIG_CERT_EXPIRED";
+       case E_SIG_CERT_NOT_YET:   return "E_SIG_CERT_NOT_YET";
+       case E_SIG_DISREGARDED:    return "E_SIG_DISREGARDED";
+       case E_SIG_REVOKED:        return "E_SIG_REVOKED";
+       case E_SIG_PLUGIN:         return "E_SIG_PLUGIN";
+       case E_SIG_OUT_OF_MEM:     return "E_SIG_OUT_OF_MEM";
+       case E_SIG_UNKNOWN:        return "E_SIG_UNKNOWN";
+       default:                   return m_pluginHandler.errorToString(code);
+       }
+}
+
+
+SignatureValidator::SignatureValidator(const SignatureFileInfo &info)
+{
+       std::unique_ptr<SignatureValidator::Impl> impl(new(std::nothrow) SignatureValidator::Impl(info))
+;
+       m_pImpl = std::move(impl);
+}
+SignatureValidator::~SignatureValidator() {}
+
+std::string SignatureValidator::errorToString(VCerr code)
+{
+       if (!m_pImpl)
+               return "out of memory. error.";
 
-       certList = data.getCertList();
+       return m_pImpl->errorToString(code);
+}
+
+VCerr SignatureValidator::check(
+       const std::string &contentPath,
+       bool checkOcsp,
+       bool checkReferences,
+       SignatureData &outData)
+{
+       if (!m_pImpl)
+               return E_SIG_OUT_OF_MEM;
+
+       return m_pImpl->check(
+                       contentPath,
+                       checkOcsp,
+                       checkReferences,
+                       outData);
+}
 
-       return SIGNATURE_VALID;
+VCerr SignatureValidator::checkList(
+       const std::string &contentPath,
+       const UriList &uriList,
+       bool checkOcsp,
+       bool checkReferences,
+       SignatureData &outData)
+{
+       if (!m_pImpl)
+               return E_SIG_OUT_OF_MEM;
+
+       return m_pImpl->checkList(
+                       contentPath,
+                       uriList,
+                       checkOcsp,
+                       checkReferences,
+                       outData);
 }
 
+VCerr SignatureValidator::makeChainBySignature(
+       bool completeWithSystemCert,
+       CertificateList &certList)
+{
+       if (!m_pImpl)
+               return E_SIG_OUT_OF_MEM;
+
+       return m_pImpl->makeChainBySignature(completeWithSystemCert, certList);
+}
 
 } // namespace ValidationCore
 
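Review bot: `new(std::nothrow)` in the SignatureValidator constructor only turns a failed allocation into a null `m_pImpl`; an exception thrown by the Impl constructor itself still propagates to the caller. The commit message says the plugin is loaded at construction, so if that path can throw, the `if (!m_pImpl) return E_SIG_OUT_OF_MEM;` guards in check(), checkList() and makeChainBySignature() do not cover it. I would either drop nothrow and document that the constructor throws, or construct inside a handler such as `try { m_pImpl.reset(new Impl(info)); } catch (const std::exception &e) { LogError("Impl construction failed : " << e.what()); }` and report a code other than E_SIG_OUT_OF_MEM for that case. Separately, Impl::check() and Impl::checkList() assign `outData = m_data;` on failure paths too, which deserves a comment telling callers not to trust outData unless the return value is E_SIG_NONE or E_SIG_DISREGARDED. The tail of baseCheckList at the top of this hunk starts outside it.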
index 60afb27..f488ad6 100644 (file)
 
 #include <string>
 #include <list>
+#include <memory>
+
 #include <vcore/Certificate.h>
 #include <vcore/SignatureData.h>
 #include <vcore/SignatureFinder.h>
+#include <vcore/Error.h>
 
 namespace ValidationCore {
 
+using UriList = std::list<std::string>;
+
+/*
+ *  Error code defined on vcore/Error.h
+ */
 class SignatureValidator {
 public:
-    enum Result
-    {
-        SIGNATURE_VALID,
-        SIGNATURE_INVALID,
-        SIGNATURE_VERIFIED,
-        SIGNATURE_DISREGARD,
-        SIGNATURE_REVOKED
-    };
+    SignatureValidator(const SignatureFileInfo &info);
+    virtual ~SignatureValidator();
 
     SignatureValidator() = delete;
     SignatureValidator(const SignatureValidator &) = delete;
     const SignatureValidator &operator=(const SignatureValidator &) = delete;
 
-    virtual ~SignatureValidator();
-
-    static Result check(
-        const SignatureFileInfo &fileInfo,
-        const std::string &widgetContentPath,
+    VCerr check(
+        const std::string &contentPath,
         bool checkOcsp,
         bool checkReferences,
         SignatureData &outData);
 
-    static Result checkList(
-        const SignatureFileInfo &fileInfo,
-        const std::string &widgetContentPath,
-        const std::list<std::string> &uriList,
+    VCerr checkList(
+        const std::string &contentPath,
+        const UriList &uriList,
         bool checkOcsp,
         bool checkReferences,
         SignatureData &outData);
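Review bot: The new constructor `SignatureValidator(const SignatureFileInfo &info);` takes a single argument and is not `explicit`, so a SignatureFileInfo converts implicitly to a validator, and per the commit message constructing one loads the plugin. I would declare it `explicit SignatureValidator(const SignatureFileInfo &info);`. The class comment says only that error codes are defined in vcore/Error.h; it could also state that check() and checkList() are now instance methods bound to the file given at construction and that they return E_SIG_NONE on success. The class body continues past this hunk.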
@@ -65,14 +63,16 @@ public:
     /*
      *  @Remarks : cert list isn't completed with self-signed root CA system cert
      *             if completeWithSystemCert is false.
-     *
-     *  return Result::SIGNATURE_VALID if success
-     *  return Result::SIGNATURE_INVALID otherwise
      */
-    static Result makeChainBySignature(
-        const SignatureFileInfo &fileInfo,
+    VCerr makeChainBySignature(
         bool completeWithSystemCert,
         CertificateList &certList);
+
+    std::string errorToString(int code);
+
+private:
+    class Impl;
+    std::unique_ptr<Impl> m_pImpl;
 };
 
 } // namespace ValidationCore
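Review bot: `std::string errorToString(int code);` is declared with `int` while the definition in SignatureValidator.cpp and every other method in this class use `VCerr`; the two only match if VCerr is an alias for int, which vcore/Error.h (not shown here) would have to confirm. I would write `std::string errorToString(VCerr code);` so the header does not depend on that. The hunk also deletes the two `return Result::...` remarks for makeChainBySignature without a replacement; a line such as ` *  @return E_SIG_NONE on success, otherwise the E_SIG_* code of the step that failed` would restore the contract.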
index 17402d1..fb895b4 100644 (file)
  */
 #pragma once
 
+#include <string>
+
 #include <vcore/SignatureData.h>
 #include <vcore/SignatureValidator.h>
+#include <vcore/Error.h>
 
 namespace ValidationCore {
 
@@ -31,8 +34,12 @@ const std::string PLUGIN_PATH = "/usr/lib/libcert-svc-validator-plugin.so";
 
 class ValidatorPlugin {
 public:
-       virtual SignatureValidator::Result step(SignatureValidator::Result result, SignatureData &data) = 0;
        virtual ~ValidatorPlugin() {}
+       virtual VCerr step(VCerr result, SignatureData &data) = 0;
+       virtual std::string errorToString(VCerr)
+       {
+               return std::string("Plugin developer should implement if error code added");
+       }
 };
 
 /*
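Review bot: The ValidatorPlugin interface gives plugin authors no contract for the codes step() may return. SignatureValidator::Impl::errorToString forwards a code to the plugin only from its `default:` branch, so a plugin code equal to a built-in E_SIG_* value would be rendered as the built-in one. I would add a comment above step(), for example `// result is the core verdict; codes added by a plugin must not collide with the E_SIG_* values in vcore/Error.h`. How additionalCheck treats the value returned by step() is not visible in this hunk; if a plugin can replace a failing result with E_SIG_NONE, the comment should also say that the library at PLUGIN_PATH is trusted with the final verdict.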