SET(TARGET_CERT_SVC_LIB "cert-svc")
SET(TARGET_VCORE_LIB "cert-svc-vcore")
-SET(TARGET_SIGN_TOOL "dpkg-pki-sig")
+#SET(TARGET_SIGN_TOOL "dpkg-pki-sig")
# compiler options
SET(GC_SECTIONS_FLAGS "-fdata-sections -ffunction-sections -Wl,--gc-sections")
SET(CMAKE_SKIP_RPATH "TRUE")
SET(TZ_SYS_SHARE "${TZ_SYS_SHARE}")
SET(TZ_SYS_BIN "${TZ_SYS_BIN}")
+SET(TZ_SYS_ETC "${TZ_SYS_ETC}")
+#SET(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Werror -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wmissing-declarations")
################################################################################
# for libcert-svc.so
openssl
dlog
glib-2.0
+ libxml-2.0
libtzplatform-config
REQUIRED
)
${CERT_SVC_DEPS_INCLUDE_DIRS}
)
+ADD_DEFINITIONS("-DDPL_LOGS_ENABLED")
+IF(TIZEN_FEAT_PROFILE_CERT_SVC_OCSP_CRL)
+ADD_DEFINITIONS("-DTIZEN_FEATURE_CERT_SVC_OCSP_CRL")
+ENDIF()
+
ADD_LIBRARY(${TARGET_CERT_SVC_LIB} SHARED ${CERT_SVC_SOURCES})
SET_TARGET_PROPERTIES(${TARGET_CERT_SVC_LIB} PROPERTIES
${CERT_SVC_DEPS_LIBRARIES}
)
-################################################################################
-# for dpkg-pki-sig
-################################################################################
-
-SET(SIGN_TOOL_SOURCES
- ${PROJECT_SOURCE_DIR}/srcs/dpkg-pki-sig.c
- ${PROJECT_SOURCE_DIR}/srcs/cert-service-process.c
- ${PROJECT_SOURCE_DIR}/srcs/cert-service-util.c
-)
-
-ADD_EXECUTABLE(${TARGET_SIGN_TOOL} ${SIGN_TOOL_SOURCES})
-
-TARGET_LINK_LIBRARIES(${TARGET_SIGN_TOOL}
- ${TARGET_CERT_SVC_LIB}
- ${CERT_SVC_DEPS_LIBRARIES}
-)
################################################################################
DESTINATION ${LIB_INSTALL_DIR}/pkgconfig
)
INSTALL(FILES ${PROJECT_SOURCE_DIR}/targetinfo DESTINATION ${TZ_SYS_SHARE}/cert-svc/)
+#INSTALL(FILES ${PROJECT_SOURCE_DIR}/res/pin/.pin DESTINATION ${TZ_SYS_SHARE}/cert-svc/pin/)
INSTALL(FILES ${CMAKE_CURRENT_SOURCE_DIR}/include/cert-service.h DESTINATION ${INCLUDEDIR})
# Now we must create empty directory for certificates.
# Without this directories rpm package will fail during build.
-INSTALL(DIRECTORY ${PROJECT_SOURCE_DIR}/etc/empty
- DESTINATION /usr/share/cert-svc/ca-certs/code-signing/native
- FILES_MATCHING PATTERN THISPATTERNMUSTNOTMATCH
-)
-INSTALL(DIRECTORY ${PROJECT_SOURCE_DIR}/etc/empty
- DESTINATION /usr/share/cert-svc/ca-certs/code-signing/wac
- FILES_MATCHING PATTERN THISPATTERNMUSTNOTMATCH
-)
+#INSTALL(DIRECTORY ${PROJECT_SOURCE_DIR}/etc/empty
+# DESTINATION ${TZ_SYS_SHARE}/cert-svc/ca-certs/code-signing/native
+# FILES_MATCHING PATTERN THISPATTERNMUSTNOTMATCH
+#)
+#INSTALL(DIRECTORY ${PROJECT_SOURCE_DIR}/etc/empty
+# DESTINATION ${TZ_SYS_SHARE}/cert-svc/ca-certs/code-signing/wac
+# FILES_MATCHING PATTERN THISPATTERNMUSTNOTMATCH
+#)
INSTALL(DIRECTORY ${PROJECT_SOURCE_DIR}/etc/empty
DESTINATION ${TZ_SYS_SHARE}/cert-svc/certs/code-signing/wac
FILES_MATCHING PATTERN THISPATTERNMUSTNOTMATCH
DESTINATION ${TZ_SYS_SHARE}/cert-svc/certs/code-signing/tizen
FILES_MATCHING PATTERN THISPATTERNMUSTNOTMATCH
)
+IF(TIZEN_FEAT_PROFILE_CERT_SVC_OCSP_CRL)
+INSTALL(FILES ${PROJECT_SOURCE_DIR}/res/fota/FOTA_ROOT.cer
+ DESTINATION ${TZ_SYS_SHARE}/cert-svc/certs/fota
+)
+ENDIF()
INSTALL(DIRECTORY ${PROJECT_SOURCE_DIR}/etc/empty
DESTINATION ${TZ_SYS_SHARE}/cert-svc/certs/sim/operator
FILES_MATCHING PATTERN THISPATTERNMUSTNOTMATCH
rm -f ${TZ_SYS_DB}/.$name.db-journal
SQL="PRAGMA journal_mode = PERSIST;"
sqlite3 ${TZ_SYS_DB}/.$name.db "$SQL"
- SQL=".read /usr/share/cert-svc/"$name"_db.sql"
+ SQL=".read ${TZ_SYS_SHARE}/cert-svc/"$name"_db.sql"
sqlite3 ${TZ_SYS_DB}/.$name.db "$SQL"
touch ${TZ_SYS_DB}/.$name.db-journal
chown root:6026 ${TZ_SYS_DB}/.$name.db
chown root:6026 ${TZ_SYS_DB}/.$name.db-journal
chmod 660 ${TZ_SYS_DB}/.$name.db
chmod 660 ${TZ_SYS_DB}/.$name.db-journal
+ if [ -f /usr/lib/rpm-plugins/msm.so ]
+ then
+ chsmack -a "cert-svc::db" ${TZ_SYS_DB}/.$name.db
+ chsmack -a "cert-svc::db" ${TZ_SYS_DB}/.$name.db-journal
+ fi
done
/*
* certification service
*
- * Copyright (c) 2000 - 2011 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2000 - 2011 Samsung Electronics Co., Ltd All Rights Reserved
*
* Contact: Kidong Kim <kd0228.kim@samsung.com>
*
#define CERT_SERVICE_PROCESS_H
#include <time.h>
+#include <openssl/x509v3.h>
#ifdef __cplusplus
extern "C" {
/*********************************************************************************/
int parse_name_fld_data(unsigned char* str, cert_svc_name_fld_data* fld);
int parse_time_fld_data(unsigned char* before, unsigned char* after, cert_svc_validity_fld_data* fld);
+int _parse_name_fld_data(unsigned char* str, cert_svc_name_fld_data* fld);
int search_data_field(search_field fldName, char* fldData, cert_svc_cert_descriptor* certDesc);
int get_filelist_recur(char* dirName, cert_svc_filename_list* fileNames,
struct cert_svc_inode_set *visited);
int sort_cert_chain(cert_svc_linked_list** unsorted, cert_svc_linked_list** sorted);
cert_svc_linked_list* find_issuer_from_list(cert_svc_linked_list* list, cert_svc_linked_list* p);
-int is_CAcert(cert_svc_mem_buff* cert, int* isCA);
+int is_CACert(cert_svc_mem_buff* cert, int* isCA);
int compare_period(int year, int month, int day, int hour, int min, int sec, struct tm* tm);
int is_expired(cert_svc_mem_buff* cert, int* isExpired);
-
+int VerifyCallbackfunc(int ok, X509_STORE_CTX* store);
+int _get_all_certificates(char* const *paths, cert_svc_filename_list **lst);
+
int _verify_certificate(cert_svc_mem_buff* certBuf, cert_svc_linked_list** certList, cert_svc_filename_list* fileNames, int* validity);
+int _verify_certificate_with_caflag(cert_svc_mem_buff* certBuf, cert_svc_linked_list** certList, int checkCaFlag, cert_svc_filename_list* fileNames, int* validity);
int _verify_signature(cert_svc_mem_buff* certBuf, unsigned char* message, int msgLen, unsigned char* signature, char* algo, int* validity);
int _extract_certificate_data(cert_svc_mem_buff* cert, cert_svc_cert_descriptor* certDesc);
int _search_certificate(cert_svc_filename_list** fileNames, search_field fldName, char* fldData);
-int _check_ocsp_status(cert_svc_mem_buff* cert, const char* uri);
+#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
+int _check_ocsp_status(cert_svc_mem_buff* cert, cert_svc_linked_list** certList, const char* uri);
+#endif
+int _remove_selfsigned_cert_in_chain(cert_svc_linked_list** certList);
int release_certificate_buf(cert_svc_mem_buff* certBuf);
int release_certificate_data(cert_svc_cert_descriptor* certDesc);
int release_cert_list(cert_svc_linked_list* certList);
int release_filename_list(cert_svc_filename_list* fileNames);
-
+
+int get_visibility(CERT_CONTEXT* context, int* visibility);
+
#ifdef __cplusplus
}
#endif
#ifndef CERT_SERVICE_UTIL_H
#define CERT_SERVICE_UTIL_H
+#include <openssl/x509v3.h>
+
#ifdef __cplusplus
extern "C" {
#endif // __cplusplus
int cert_svc_util_get_file_size(const char* filepath, unsigned long int* length);
int cert_svc_util_load_file_to_buffer(const char* filePath, cert_svc_mem_buff* certBuf);
-int cert_svc_util_load_PFX_file_to_buffer(const char* filePath, cert_svc_mem_buff* certBuf, cert_svc_linked_list* certLink, unsigned char** privateKey, int* priKeyLen, char* passPhrase);
+int cert_svc_util_load_PFX_file_to_buffer(const char* filePath, cert_svc_mem_buff* certBuf, cert_svc_linked_list** certLink, unsigned char** privateKey, int* priKeyLen, char* passPhrase);
int cert_svc_util_get_cert_path(const char* fileName, const char* location, char* retBuf);
int cert_svc_util_base64_encode(char* in, int inLen, char* out, int* outLen);
int cert_svc_util_base64_decode(char* in, int inLen, char* out, int* outLen);
-
+int cert_svc_util_get_extension(const char* filePath, cert_svc_mem_buff* certBuf);
+int push_cert_into_linked_list(cert_svc_linked_list** certLink, X509* popedCert);
+int get_visibility_by_fingerprint(const char* fingerprint, int* visibility);
#ifdef __cplusplus
}
#endif // __cplusplus
#define CERT_SVC_ERR_INVALID_PARAMETER -15
#define CERT_SVC_ERR_PERMISSION_DENIED -16
#define CERT_SVC_ERR_IS_EXPIRED -17
+#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
+#define CERT_SVC_ERR_OCSP_REVOKED -18
+#define CERT_SVC_ERR_OCSP_UNKNOWN -19
+#define CERT_SVC_ERR_OCSP_VERIFICATION_ERROR -20
+#define CERT_SVC_ERR_OCSP_NO_SUPPORT -21
+#define CERT_SVC_ERR_OCSP_NETWORK_FAILED -22
+#define CERT_SVC_ERR_OCSP_INTERNAL -23
+#define CERT_SVC_ERR_OCSP_REMOTE -24
+#endif
/* default certificate file path */
#define CERT_SVC_STORE_PATH tzplatform_mkpath(TZ_SYS_SHARE, "cert-svc/certs/")
#define CERT_SVC_STORE_PATH_DEFAULT tzplatform_mkpath(TZ_SYS_SHARE, "cert-svc/certs/ssl/")
-#define CERT_SVC_SEARCH_PATH_RO "/usr/share/cert-svc/ca-certs/"
+#define CERT_SVC_SEARCH_PATH_RO tzplatform_mkpath(TZ_SYS_SHARE, "ca-certificates/tizen/")
#define CERT_SVC_SEARCH_PATH_RW tzplatform_mkpath(TZ_SYS_SHARE, "cert-svc/certs/")
/*********************************************************************************/
SEARCH_FIELD_END = 16,
} search_field;
+typedef enum cert_svc_visibility_t {
+ CERT_SVC_VISIBILITY_DEVELOPER = 1,
+ CERT_SVC_VISIBILITY_TEST = 1 << 1,
+ CERT_SVC_VISIBILITY_VERIFY = 1 << 2,
+ CERT_SVC_VISIBILITY_PUBLIC = 1 << 6,
+ CERT_SVC_VISIBILITY_PARTNER = 1 << 7,
+ CERT_SVC_VISIBILITY_PARTNER_OPERATOR = 1 << 8,
+ CERT_SVC_VISIBILITY_PARTNER_MANUFACTURER = 1 << 9,
+ CERT_SVC_VISIBILITY_PLATFORM = 1 << 10
+} cert_svc_visibility;
+
typedef struct {
unsigned int firstSecond;
unsigned int firstMinute;
int cert_svc_add_certificate_to_store(const char* filePath, const char* location);
int cert_svc_delete_certificate_from_store(const char* fileName, const char* location);
int cert_svc_verify_certificate(CERT_CONTEXT* ctx, int* validity);
+int cert_svc_verify_certificate_with_caflag(CERT_CONTEXT* ctx, int* validity);
int cert_svc_verify_signature(CERT_CONTEXT* ctx, unsigned char* message, int msgLen, unsigned char* signature, char* algo, int* validity);
int cert_svc_extract_certificate_data(CERT_CONTEXT* ctx);
int cert_svc_search_certificate(CERT_CONTEXT* ctx, search_field fldName, char* fldData);
+int cert_svc_get_visibility(CERT_CONTEXT* ctx, int* visibility);
+int cert_svc_get_visibility_by_root_certificate(const char* cert_data, int data_len, int* visibility);
+
+#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
int cert_svc_check_ocsp_status(CERT_CONTEXT* ctx, const char* uri);
+#endif
char* cert_svc_get_certificate_crt_file_path(void);
#ifdef __cplusplus
}
Source0: %{name}-%{version}.tar.gz
Source1001: %{name}.manifest
BuildRequires: cmake
+BuildRequires: boost-devel
BuildRequires: pkgconfig(dlog)
BuildRequires: pkgconfig(openssl)
BuildRequires: pkgconfig(evas)
%install
rm -rf %{buildroot}
-mkdir -p %{buildroot}/usr/share/license
-cp LICENSE.APLv2 %{buildroot}/usr/share/license/%{name}
+mkdir -p %{buildroot}%{TZ_SYS_SHARE}/license
+cp LICENSE.APLv2 %{buildroot}%{TZ_SYS_SHARE}/license/%{name}
%make_install
ln -sf %{TZ_SYS_ETC}/ssl/certs %{buildroot}%{TZ_SYS_SHARE}/cert-svc/certs/ssl
touch %{buildroot}%{TZ_SYS_SHARE}/cert-svc/pkcs12/storage
%post
/sbin/ldconfig
+%if 0%{?tizen_feature_certsvc_ocsp_crl}
if [ -z ${2} ]; then
echo "This is new install of wrt-security"
echo "Calling %{TZ_SYS_BIN}/cert_svc_create_clean_db.sh"
else
# Find out old and new version of databases
VCORE_OLD_DB_VERSION=`sqlite3 %{TZ_SYS_DB}/.cert_svc_vcore.db ".tables" | grep "DB_VERSION_"`
- VCORE_NEW_DB_VERSION=`cat /usr/share/cert-svc/cert_svc_vcore_db.sql | tr '[:blank:]' '\n' | grep DB_VERSION_`
+ VCORE_NEW_DB_VERSION=`cat %{TZ_SYS_SHARE}/cert-svc/cert_svc_vcore_db.sql | tr '[:blank:]' '\n' | grep DB_VERSION_`
echo "OLD vcore database version ${VCORE_OLD_DB_VERSION}"
echo "NEW vcore database version ${VCORE_NEW_DB_VERSION}"
fi
chsmack -a 'User' %TZ_SYS_DB/.cert_svc_vcore.db*
-
+%endif #tizen_feature_certsvc_ocsp_crl
%postun
/sbin/ldconfig
%files
-%manifest %{name}.manifest
+
%defattr(-,root,root,-)
+%manifest %{name}.manifest
%attr(0755,root,root) %{_bindir}/cert_svc_create_clean_db.sh
%{_libdir}/*.so.*
-%{_bindir}/dpkg-pki-sig
+#%{_bindir}/dpkg-pki-sig
%{TZ_SYS_SHARE}/cert-svc/targetinfo
+%if 0%{?tizen_feature_certsvc_ocsp_crl}
%{_datadir}/cert-svc/cert_svc_vcore_db.sql
+%endif
%{_datadir}/license/%{name}
-%dir %attr(0755,root,use_cert) /usr/share/cert-svc
-%dir %attr(0755,root,use_cert) /usr/share/cert-svc/ca-certs
-%dir %attr(0755,root,use_cert) /usr/share/cert-svc/ca-certs/code-signing
-%dir %attr(0755,root,use_cert) /usr/share/cert-svc/ca-certs/code-signing/native
-%dir %attr(0755,root,use_cert) /usr/share/cert-svc/ca-certs/code-signing/wac
+%dir %attr(0755,root,use_cert) %{TZ_SYS_SHARE}/cert-svc
+#%dir %attr(0755,root,use_cert) %{TZ_SYS_SHARE}/cert-svc/ca-certs
+#%dir %attr(0755,root,use_cert) %{TZ_SYS_SHARE}/cert-svc/ca-certs/code-signing
+#%dir %attr(0755,root,use_cert) %{TZ_SYS_SHARE}/cert-svc/ca-certs/code-signing/native
+#%dir %attr(0755,root,use_cert) %{TZ_SYS_SHARE}/cert-svc/ca-certs/code-signing/wac
+
+#%dir %attr(0775,root,use_cert) %{TZ_SYS_SHARE}/cert-svc/certs/code-signing
+#%dir %attr(0775,root,use_cert) %{TZ_SYS_SHARE}/cert-svc/certs/code-signing/wac
+#%dir %attr(0775,root,use_cert) %{TZ_SYS_SHARE}/cert-svc/certs/code-signing/tizen
%dir %attr(0775,root,use_cert) %{TZ_SYS_SHARE}/cert-svc
%dir %attr(0775,root,use_cert) %{TZ_SYS_SHARE}/cert-svc/certs
-%dir %attr(0775,root,use_cert) %{TZ_SYS_SHARE}/cert-svc/certs/code-signing
-%dir %attr(0775,root,use_cert) %{TZ_SYS_SHARE}/cert-svc/certs/code-signing/wac
-%dir %attr(0775,root,use_cert) %{TZ_SYS_SHARE}/cert-svc/certs/code-signing/tizen
%dir %attr(0775,root,use_cert) %{TZ_SYS_SHARE}/cert-svc/certs/sim
%dir %attr(0775,root,use_cert) %{TZ_SYS_SHARE}/cert-svc/certs/sim/operator
%dir %attr(0775,root,use_cert) %{TZ_SYS_SHARE}/cert-svc/certs/sim/thirdparty
%dir %attr(0775,root,use_cert) %{TZ_SYS_SHARE}/cert-svc/certs/mdm/security
%dir %attr(0775,root,use_cert) %{TZ_SYS_SHARE}/cert-svc/certs/mdm/security/cert
%dir %attr(0777,root,use_cert) %{TZ_SYS_SHARE}/cert-svc/pkcs12
+#%{TZ_SYS_SHARE}/cert-svc/pin/.pin
+%{TZ_SYS_SHARE}/cert-svc/certs/ssl
+%{TZ_SYS_SHARE}/cert-svc/pkcs12/storage
+#%dir %attr(0700, root, root) %{TZ_SYS_SHARE}/cert-svc/pin
+%if 0%{?tizen_feature_certsvc_ocsp_crl}
+%attr(0755,root,use_cert) %{TZ_SYS_SHARE}/cert-svc/certs/fota/*
+%endif
+#%{TZ_SYS_SHARE}/cert-svc/pin/.pin
%{TZ_SYS_SHARE}/cert-svc/certs/ssl
%{TZ_SYS_SHARE}/cert-svc/pkcs12/storage
#include <sys/stat.h>
#include <sys/types.h>
#include <fts.h>
-
-#include <openssl/x509.h>
+#include <unistd.h>
+#include <openssl/ssl.h>
+#include <openssl/ocsp.h>
#include "cert-service.h"
#include "cert-service-util.h"
int len;
} name_field;
-static char** __get_field_by_tag(unsigned char* str, int *tag_len, cert_svc_name_fld_data* fld)
+int _check_certificate_author(cert_svc_mem_buff* first, cert_svc_mem_buff* second);
+static unsigned char** __get_field_by_tag(unsigned char* str, int *tag_len, cert_svc_name_fld_data* fld)
{
const struct {
- char* name;
+ const char* name;
int len;
- char **field;
+ unsigned char **field;
} tags[] = {
{"C=", 2, &(fld->countryName)},
{"ST=", 3, &(fld->stateOrProvinceName)},
{"CN=", 3, &(fld->commonName)},
{"emailAddress=", 13, &(fld->emailAddress)}
};
- char **field = NULL;
+ unsigned char **field = NULL;
if (str[0] == '/') {
int i = sizeof(tags) / sizeof(tags[0]) - 1;
- while (i >= 0 && strncmp(str + 1, tags[i].name, tags[i].len)) {
+ while (i >= 0 && strncmp((const char*)(str + 1), (const char*)(tags[i].name), tags[i].len)) {
i--;
}
if (i >= 0) {
int parse_name_fld_data(unsigned char* str, cert_svc_name_fld_data* fld)
{
int ret = CERT_SVC_ERR_NO_ERROR;
- char **prev_field = NULL;
+ unsigned char **prev_field = NULL;
int i = 0, l = 0;
if (fld == NULL) {
ret = CERT_SVC_ERR_INVALID_PARAMETER;
memset(fld, 0, sizeof(cert_svc_name_fld_data));
while (str[i] != '\0') {
int tag_len;
- char **field = __get_field_by_tag(str + i, &tag_len, fld);
+ unsigned char **field = __get_field_by_tag(str + i, &tag_len, fld);
while (field == NULL && str[i] != '\0') {
i++;
field = __get_field_by_tag(str + i, &tag_len, fld);
}
if (prev_field != NULL) {
- *prev_field = strndup(str + l, i - l);
+ *prev_field = (unsigned char*)strndup((const char*)(str + l), i - l);
}
if (field != NULL) {
i += tag_len;
return ret;
}
-
int _parse_name_fld_data(unsigned char* str, cert_svc_name_fld_data* fld)
-//int parse_name_fld_data(unsigned char* str, cert_svc_name_fld_data* fld)
{
int ret = CERT_SVC_ERR_NO_ERROR;
int i = 0, j = 0, last = -1;
};
for(i = 0; i < 7; i++) {
- if((tmpAddr = strstr(str, tmpFld[i].unitName)) != NULL)
+ if((tmpAddr = strstr((const char*)str, (const char*)(tmpFld[i].unitName))) != NULL)
tmpFld[i].address = tmpAddr;
else
tmpFld[i].address = NULL;
for(j = i + 1; j < 7; j++) {
if(tmpFld[j].address != NULL) {
last = j;
- tmpFld[i].len = (int)(tmpFld[j].address) - (int)(tmpFld[i].address) - strlen(tmpFld[i].unitName);
+ tmpFld[i].len = (int)(tmpFld[j].address) - (int)(tmpFld[i].address) - strlen((const char*)(tmpFld[i].unitName));
break;
}
}
}
}
- tmpFld[last].len = strlen(str) - ((int)(tmpFld[last].address) - (int)str) - strlen(tmpFld[last].unitName);
+ tmpFld[last].len = strlen((const char*)str) - ((int)(tmpFld[last].address) - (int)str) - strlen((const char*)(tmpFld[last].unitName));
if(tmpFld[0].address != NULL) {
(*fld).countryName = (unsigned char*)malloc(sizeof(unsigned char) * (tmpFld[0].len + 1));
- memset((*fld).countryName, 0x00, (tmpFld[0].len + 1));
- memcpy((*fld).countryName, (tmpFld[0].address + strlen(tmpFld[0].unitName)), tmpFld[0].len);
+ if ((*fld).countryName != NULL)
+ {
+ memset((*fld).countryName, 0x00, (tmpFld[0].len + 1));
+ memcpy((*fld).countryName, (tmpFld[0].address + strlen((const char*)(tmpFld[0].unitName))), tmpFld[0].len);
+ }
}
else
(*fld).countryName = NULL;
if(tmpFld[1].address != NULL) {
(*fld).stateOrProvinceName = (unsigned char*)malloc(sizeof(unsigned char) * (tmpFld[1].len + 1));
- memset((*fld).stateOrProvinceName, 0x00, (tmpFld[1].len + 1));
- memcpy((*fld).stateOrProvinceName, (tmpFld[1].address + strlen(tmpFld[1].unitName)), tmpFld[1].len);
+ if ((*fld).stateOrProvinceName != NULL) {
+ memset((*fld).stateOrProvinceName, 0x00, (tmpFld[1].len + 1));
+ memcpy((*fld).stateOrProvinceName, (tmpFld[1].address + strlen((const char*)(tmpFld[1].unitName))), tmpFld[1].len);
+ }
}
else
(*fld).stateOrProvinceName = NULL;
if(tmpFld[2].address != NULL) {
(*fld).localityName = (unsigned char*)malloc(sizeof(unsigned char) * (tmpFld[2].len + 1));
- memset((*fld).localityName, 0x00, (tmpFld[2].len + 1));
- memcpy((*fld).localityName, (tmpFld[2].address + strlen(tmpFld[2].unitName)), tmpFld[2].len);
+ if ((*fld).localityName != NULL) {
+ memset((*fld).localityName, 0x00, (tmpFld[2].len + 1));
+ memcpy((*fld).localityName, (tmpFld[2].address + strlen((const char*)(tmpFld[2].unitName))), tmpFld[2].len);
+ }
}
else
(*fld).localityName = NULL;
if(tmpFld[3].address != NULL) {
(*fld).organizationName = (unsigned char*)malloc(sizeof(unsigned char) * (tmpFld[3].len + 1));
- memset((*fld).organizationName, 0x00, (tmpFld[3].len + 1));
- memcpy((*fld).organizationName, (tmpFld[3].address + strlen(tmpFld[3].unitName)), tmpFld[3].len);
+ if ((*fld).organizationName != NULL) {
+ memset((*fld).organizationName, 0x00, (tmpFld[3].len + 1));
+ memcpy((*fld).organizationName, (tmpFld[3].address + strlen((const char*)(tmpFld[3].unitName))), tmpFld[3].len);
+ }
}
else
(*fld).organizationName = NULL;
if(tmpFld[4].address != NULL) {
(*fld).organizationUnitName = (unsigned char*)malloc(sizeof(unsigned char) * (tmpFld[4].len + 1));
- memset((*fld).organizationUnitName, 0x00, (tmpFld[4].len + 1));
- memcpy((*fld).organizationUnitName, (tmpFld[4].address + strlen(tmpFld[4].unitName)), tmpFld[4].len);
+ if ((*fld).organizationUnitName != NULL) {
+ memset((*fld).organizationUnitName, 0x00, (tmpFld[4].len + 1));
+ memcpy((*fld).organizationUnitName, (tmpFld[4].address + strlen((const char*)(tmpFld[4].unitName))), tmpFld[4].len);
+ }
}
else
(*fld).organizationUnitName = NULL;
if(tmpFld[5].address != NULL) {
(*fld).commonName = (unsigned char*)malloc(sizeof(unsigned char) * (tmpFld[5].len + 1));
- memset((*fld).commonName, 0x00, (tmpFld[5].len + 1));
- memcpy((*fld).commonName, (tmpFld[5].address + strlen(tmpFld[5].unitName)), tmpFld[5].len);
+ if ((*fld).commonName != NULL) {
+ memset((*fld).commonName, 0x00, (tmpFld[5].len + 1));
+ memcpy((*fld).commonName, (tmpFld[5].address + strlen((const char*)(tmpFld[5].unitName))), tmpFld[5].len);
+ }
}
else
(*fld).commonName = NULL;
if(tmpFld[6].address != NULL) {
(*fld).emailAddress = (unsigned char*)malloc(sizeof(unsigned char) * (tmpFld[6].len + 1));
- memset((*fld).emailAddress, 0x00, (tmpFld[6].len + 1));
- memcpy((*fld).emailAddress, (tmpFld[6].address + strlen(tmpFld[6].unitName)), tmpFld[6].len);
+ if ((*fld).emailAddress != NULL) {
+ memset((*fld).emailAddress, 0x00, (tmpFld[6].len + 1));
+ memcpy((*fld).emailAddress, (tmpFld[6].address + strlen((const char*)(tmpFld[6].unitName))), tmpFld[6].len);
+ }
}
else
(*fld).emailAddress = NULL;
cert_svc_cert_descriptor* tmp2 = NULL;
tmp1 = (cert_svc_cert_descriptor*)malloc(sizeof(cert_svc_cert_descriptor));
+ if (tmp1 == NULL) {
+ SLOGE("[ERR][%s] Fail to allocate certificate descriptor.\n", __func__);
+ return NULL;
+ }
+
memset(tmp1, 0x00, sizeof(cert_svc_cert_descriptor));
if(_extract_certificate_data(p->certificate, tmp1) != CERT_SVC_ERR_NO_ERROR) {
for(q = list; q != NULL; q = q->next) {
tmp2 = (cert_svc_cert_descriptor*)malloc(sizeof(cert_svc_cert_descriptor));
+ if (tmp2 == NULL) {
+ SLOGE("[ERR][%s] Fail to allocate certificate descriptor.\n", __func__);
+ goto err;
+ }
+
memset(tmp2, 0x00, sizeof(cert_svc_cert_descriptor));
_extract_certificate_data(q->certificate, tmp2);
- if(!strncmp(tmp2->info.subjectStr, tmp1->info.issuerStr, strlen(tmp1->info.issuerStr))) { // success
+ if(!strncmp((const char*)(tmp2->info.subjectStr), (const char*)(tmp1->info.issuerStr), strlen((const char*)(tmp1->info.issuerStr)))) { // success
release_certificate_data(tmp1);
release_certificate_data(tmp2);
return q;
if((*unsorted) == NULL) {
for(p = (*sorted); p->next != NULL; p = p->next) {
tmp1 = (cert_svc_cert_descriptor*)malloc(sizeof(cert_svc_cert_descriptor));
+ if(tmp1 == NULL) {
+ SLOGE("[ERR][%s] Fail to allocate certificate descriptor.\n", __func__);
+ return CERT_SVC_ERR_MEMORY_ALLOCATION;
+ }
memset(tmp1, 0x00, sizeof(cert_svc_cert_descriptor));
tmp2 = (cert_svc_cert_descriptor*)malloc(sizeof(cert_svc_cert_descriptor));
+ if(tmp2 == NULL) {
+ release_certificate_data(tmp1);
+ SLOGE("[ERR][%s] Fail to allocate certificate descriptor.\n", __func__);
+ return CERT_SVC_ERR_MEMORY_ALLOCATION;
+ }
memset(tmp2, 0x00, sizeof(cert_svc_cert_descriptor));
_extract_certificate_data(p->certificate, tmp1);
_extract_certificate_data(p->next->certificate, tmp2);
- if(strncmp(tmp1->info.issuerStr, tmp2->info.subjectStr, strlen(tmp2->info.subjectStr))) {
+ if(strncmp((const char*)(tmp1->info.issuerStr), (const char*)(tmp2->info.subjectStr), strlen((const char*)(tmp2->info.subjectStr)))) {
SLOGE("[ERR][%s] Certificate chain is broken.\n", __func__);
release_certificate_data(tmp1);
release_certificate_data(tmp2);
{
int ret = CERT_SVC_ERR_NO_ERROR;
cert_svc_cert_descriptor* certDesc = NULL;
+ int visibility = 0;
time_t t;
struct tm* tm;
+ unsigned char * certdata = NULL;
+ int certSize = 0;
+ unsigned char *fingerprint = NULL;
// get current time
t = time(NULL);
// get descriptor
certDesc = (cert_svc_cert_descriptor*)malloc(sizeof(cert_svc_cert_descriptor));
+ if(certDesc == NULL) {
+ SLOGE("[ERR][%s] Fail to allocate certificate descriptor.\n", __func__);
+ return CERT_SVC_ERR_MEMORY_ALLOCATION;
+ }
memset(certDesc, 0x00, sizeof(cert_svc_cert_descriptor));
if((ret = _extract_certificate_data(cert, certDesc)) != CERT_SVC_ERR_NO_ERROR) {
goto err;
}
- // compare with not before - MUST bigger than this
- if(compare_period(((int)certDesc->info.validPeriod.firstYear - 1900),
- ((int)certDesc->info.validPeriod.firstMonth - 1),
- (int)certDesc->info.validPeriod.firstDay,
- (int)certDesc->info.validPeriod.firstHour,
- (int)certDesc->info.validPeriod.firstMinute,
- (int)certDesc->info.validPeriod.firstSecond,
- tm) != 1) {
- SLOGE("[ERR][%s] Certificate is expired.\n", __func__);
- ret = CERT_SVC_ERR_IS_EXPIRED;
+ certdata = cert->data;
+ certSize = cert->size;
+
+ if(certdata == NULL || !certSize)
+ {
+ SLOGE("cert is or invalid!");
+ ret = CERT_SVC_ERR_INVALID_CERTIFICATE;
(*isExpired) = 1;
goto err;
}
- // compare with not after - MUST smaller than this
- if(compare_period(((int)certDesc->info.validPeriod.secondYear - 1900),
- ((int)certDesc->info.validPeriod.secondMonth - 1),
- (int)certDesc->info.validPeriod.secondDay,
- (int)certDesc->info.validPeriod.secondHour,
- (int)certDesc->info.validPeriod.secondMinute,
- (int)certDesc->info.validPeriod.secondSecond,
- tm) != -1) {
- SLOGE("[ERR][%s] Certificate is expired.\n", __func__);
- ret = CERT_SVC_ERR_IS_EXPIRED;
+ ret = get_certificate_fingerprint(certdata, certSize, &fingerprint);
+ if(ret != CERT_SVC_ERR_NO_ERROR)
+ {
+ SLOGE("Failed to get fingerprint data! %d", ret);
+ (*isExpired) = 1;
+ goto err;
+ }
+
+ ret = get_visibility_by_fingerprint(fingerprint, &visibility);
+ if(ret != CERT_SVC_ERR_NO_ERROR)
+ {
+ SLOGE("Failed to get visibility! %d", ret);
(*isExpired) = 1;
goto err;
}
- (*isExpired) = 0; // not expired
+ if(visibility == CERT_SVC_VISIBILITY_TEST || visibility == CERT_SVC_VISIBILITY_VERIFY)
+ {
+ // compare with not before - MUST bigger than this
+ if(compare_period(((int)certDesc->info.validPeriod.firstYear - 1900),
+ ((int)certDesc->info.validPeriod.firstMonth - 1),
+ (int)certDesc->info.validPeriod.firstDay,
+ (int)certDesc->info.validPeriod.firstHour,
+ (int)certDesc->info.validPeriod.firstMinute,
+ (int)certDesc->info.validPeriod.firstSecond,
+ tm) != 1) {
+ SLOGE("[ERR][%s] Certificate is expired.\n", __func__);
+ ret = CERT_SVC_ERR_IS_EXPIRED;
+ (*isExpired) = 1;
+ goto err;
+ }
+
+ // compare with not after - MUST smaller than this
+ if(compare_period(((int)certDesc->info.validPeriod.secondYear - 1900),
+ ((int)certDesc->info.validPeriod.secondMonth - 1),
+ (int)certDesc->info.validPeriod.secondDay,
+ (int)certDesc->info.validPeriod.secondHour,
+ (int)certDesc->info.validPeriod.secondMinute,
+ (int)certDesc->info.validPeriod.secondSecond,
+ tm) != -1) {
+ SLOGE("[ERR][%s] Certificate is expired.\n", __func__);
+ ret = CERT_SVC_ERR_IS_EXPIRED;
+ (*isExpired) = 1;
+ goto err;
+ }
+ }
+ else// ignore check cert time with local time (internal concept)
+ {
+ (*isExpired) = 0; // not expired
+ }
err:
release_certificate_data(certDesc);
deleted = current;
certdesc = (cert_svc_cert_descriptor*)malloc(sizeof(cert_svc_cert_descriptor));
+ if(certdesc == NULL) {
+ SLOGE("[ERR][%s] Fail to allocate certificate descriptor.\n", __func__);
+ return CERT_SVC_ERR_MEMORY_ALLOCATION;
+ }
memset(certdesc, 0x00, sizeof(cert_svc_cert_descriptor));
if((ret = _extract_certificate_data(current->certificate, certdesc)) != CERT_SVC_ERR_NO_ERROR) {
goto err;
}
- if(!strncmp(certdesc->info.subjectStr, certdesc->info.issuerStr, strlen(certdesc->info.issuerStr))) { // self-signed
+ if(!strncmp((const char*)(certdesc->info.subjectStr), (const char*)(certdesc->info.issuerStr), strlen((const char*)(certdesc->info.issuerStr)))) { // self-signed
if(first_tag == 0) { // first cert is self-signed
start = start->next;
prev = start;
return ret;
}
-int _verify_certificate(cert_svc_mem_buff* certBuf, cert_svc_linked_list** certList, cert_svc_filename_list* rootPath, int* validity)
+int _verify_certificate(cert_svc_mem_buff* certBuf, cert_svc_linked_list** certList, cert_svc_filename_list* rootPath, int* validity){
+ int ca_cflag_check_false = 0;
+
+ return _verify_certificate_with_caflag(certBuf, certList, ca_cflag_check_false, rootPath, validity);
+}
+
+int _verify_certificate_with_caflag(cert_svc_mem_buff* certBuf, cert_svc_linked_list** certList, int checkCaFlag, cert_svc_filename_list* rootPath, int* validity)
{
int ret = CERT_SVC_ERR_NO_ERROR;
cert_svc_linked_list* sorted = NULL;
X509** interCert = NULL;
X509* targetCert = NULL;
STACK_OF(X509) *tchain, *uchain;
+ STACK_OF(X509) *resultChain;
+ X509* tmpCert = NULL;
+ int caFlagValidity;
OpenSSL_add_all_algorithms();
tchain = sk_X509_new_null();
uchain = sk_X509_new_null();
findRoot = (cert_svc_cert_descriptor*)malloc(sizeof(cert_svc_cert_descriptor));
+ if(findRoot == NULL) {
+ SLOGE("[ERR][%s] Failed to allocate memory for certificate descriptor.\n", __func__);
+ ret = CERT_SVC_ERR_MEMORY_ALLOCATION;
+ goto err;
+ }
+
memset(findRoot, 0x00, sizeof(cert_svc_cert_descriptor));
if((*certList) != NULL) {
goto err;
}
- if((ret = _search_certificate(&fileNames, SUBJECT_STR, findRoot->info.issuerStr)) != CERT_SVC_ERR_NO_ERROR) {
+ if((ret = _search_certificate(&fileNames, SUBJECT_STR, (char*)findRoot->info.issuerStr)) != CERT_SVC_ERR_NO_ERROR) {
SLOGE("[ERR][%s] Fail to search root certificate\n", __func__);
goto err;
}
}
CACert = (cert_svc_mem_buff*)malloc(sizeof(cert_svc_mem_buff));
+ if(CACert == NULL) {
+ SLOGE("[ERR][%s] Failed to allocate memory for ca cert.\n", __func__);
+ ret = CERT_SVC_ERR_MEMORY_ALLOCATION;
+ goto err;
+ }
+
memset(CACert, 0x00, sizeof(cert_svc_mem_buff));
// use the first found CA cert - ignore other certificate(s). assume that there is JUST one CA cert
}
// store root certicate path into ctx
- strncpy(rootPath->filename, fileNames->filename, strlen(fileNames->filename));
+ strncpy(rootPath->filename, fileNames->filename, CERT_SVC_MAX_FILE_NAME_SIZE - 1);
+ rootPath->filename[CERT_SVC_MAX_FILE_NAME_SIZE - 1] = '\0';
/* check validity - is CA?, is expired? */
if((ret = is_CACert(CACert, &isCA)) != CERT_SVC_ERR_NO_ERROR) {
if(q != NULL) { // has 2 or more certificates
certIndex = 0;
interCert = (X509**)malloc(sizeof(X509*) * certNum);
+ if(interCert == NULL) {
+ SLOGE("[ERR][%s] Failed to allocate memory for interim certificate.\n", __func__);
+ ret = CERT_SVC_ERR_MEMORY_ALLOCATION;
+ goto err;
+ }
+
memset(interCert, 0x00, (sizeof(X509*) * certNum));
while(1) {
certContent = q->certificate->data;
if(((*validity) = X509_verify_cert(storeCtx)) != 1) {
SLOGE("[ERR][%s] Fail to verify certificate chain, validity: [%d]\n", __func__, (*validity));
SLOGE("err str: [%s]\n", X509_verify_cert_error_string(X509_STORE_CTX_get_error(storeCtx)));
+ goto err;
+ }
+
+ if(checkCaFlag) { // check strictly
+ resultChain = X509_STORE_CTX_get1_chain(storeCtx);
+ while((tmpCert = sk_X509_pop(resultChain))) {
+ caFlagValidity = X509_check_ca(tmpCert);
+ if(caFlagValidity != 1 && (tmpCert = sk_X509_pop(resultChain)) != NULL) { // the last one is not a CA.
+ (*validity) = 0;
+ SLOGE("[ERR][%s] Invalid CA Flag for CA Certificate, validity: [%d]\n", __func__, (*validity));
+ break;
+ }
+ }
}
err:
}
/* load signature and decode */
- sigLen = strlen(signature);
+ sigLen = strlen((const char*)signature);
decodedSigLen = ((sigLen / 4) * 3) + 1;
if(!(decodedSig = (unsigned char*)malloc(sizeof(unsigned char) * decodedSigLen))) {
goto err;
}
memset(decodedSig, 0x00, decodedSigLen);
- if((ret = cert_svc_util_base64_decode(signature, sigLen, decodedSig, &decodedSigLen)) != CERT_SVC_ERR_NO_ERROR) {
+ if((ret = cert_svc_util_base64_decode((char*)signature, sigLen, (char*)decodedSig, &decodedSigLen)) != CERT_SVC_ERR_NO_ERROR) {
SLOGE("[ERR][%s] Fail to base64 decode.\n", __func__);
ret = CERT_SVC_ERR_INVALID_OPERATION;
goto err;
unsigned char* pubkeyTmp = NULL;
int pkeyLen = 0;
EVP_PKEY* evp = NULL;
- // get issuerUID, subjectUID
- unsigned char* issuerUid = NULL;
- unsigned char* subjectUid = NULL;
int issuerUidLen = 0, subjectUidLen = 0;
// get extension values
X509_EXTENSION* ext = NULL;
/* get type */
strncpy(certDesc->type, cert->type, 3);
+ certDesc->type[3] = '\0';
/* get version and serial number */
certDesc->info.version = get_ASN1_INTEGER(x->cert_info->version) + 1; // default is 0 --> version 1
certDesc->info.serialNumber = get_ASN1_INTEGER(x->cert_info->serialNumber);
/* get signature algorithm */
signatureAlgo = (char*)get_ASN1_OBJECT(x->cert_info->signature->algorithm);
- sigLen = strlen((char*)signatureAlgo);
+ sigLen = strlen((const char*)signatureAlgo);
certDesc->info.sigAlgo = (unsigned char*)malloc(sizeof(unsigned char) * (sigLen + 1));
+ if(certDesc->info.sigAlgo == NULL) {
+ SLOGE("[ERR][%s] Failed to allocate memory.\n", __func__);
+ ret = CERT_SVC_ERR_MEMORY_ALLOCATION;
+ goto err;
+ }
memset(certDesc->info.sigAlgo, 0x00, (sigLen + 1));
memcpy(certDesc->info.sigAlgo, signatureAlgo, sigLen);
/* get issuer */
tmpIssuerStr = (unsigned char*)get_X509_NAME(x->cert_info->issuer);
- issuerStrLen = strlen(tmpIssuerStr);
+ issuerStrLen = strlen((const char*)tmpIssuerStr);
certDesc->info.issuerStr = (unsigned char*)malloc(sizeof(unsigned char) * (issuerStrLen + 1));
+ if(certDesc->info.issuerStr == NULL) {
+ SLOGE("[ERR][%s] Failed to allocate memory.\n", __func__);
+ ret = CERT_SVC_ERR_MEMORY_ALLOCATION;
+ goto err;
+ }
memset(certDesc->info.issuerStr, 0x00, (issuerStrLen + 1));
memcpy(certDesc->info.issuerStr, tmpIssuerStr, issuerStrLen);
goto err;
}
/* get subject */
- tmpSubjectStr = get_X509_NAME(x->cert_info->subject);
- subjectStrLen = strlen(tmpSubjectStr);
+ tmpSubjectStr = (unsigned char*)get_X509_NAME(x->cert_info->subject);
+ subjectStrLen = strlen((const char*)tmpSubjectStr);
certDesc->info.subjectStr = (unsigned char*)malloc(sizeof(unsigned char) * (subjectStrLen + 1));
+ if(certDesc->info.subjectStr == NULL) {
+ SLOGE("[ERR][%s] Failed to allocate memory.\n", __func__);
+ ret = CERT_SVC_ERR_MEMORY_ALLOCATION;
+ goto err;
+ }
memset(certDesc->info.subjectStr, 0x00, (subjectStrLen + 1));
memcpy(certDesc->info.subjectStr, tmpSubjectStr, subjectStrLen);
}
/* get public key algorithm */
publicKeyAlgo = (char*)get_ASN1_OBJECT(x->cert_info->key->algor->algorithm);
- publicKeyAlgoLen = strlen(publicKeyAlgo);
+ publicKeyAlgoLen = strlen((const char*)publicKeyAlgo);
certDesc->info.pubKeyAlgo = (unsigned char*)malloc(sizeof(unsigned char) * (publicKeyAlgoLen + 1));
+ if(certDesc->info.pubKeyAlgo == NULL) {
+ SLOGE("[ERR][%s] Failed to allocate memory.\n", __func__);
+ ret = CERT_SVC_ERR_MEMORY_ALLOCATION;
+ goto err;
+ }
memset(certDesc->info.pubKeyAlgo, 0x00, (publicKeyAlgoLen + 1));
memcpy(certDesc->info.pubKeyAlgo, publicKeyAlgo, publicKeyAlgoLen);
/* get public key */
}
pkeyLen = i2d_PublicKey(x->cert_info->key->pkey, NULL);
certDesc->info.pubKey = (unsigned char*)malloc(sizeof(unsigned char) * (pkeyLen + 1));
+ if(certDesc->info.pubKey == NULL) {
+ SLOGE("[ERR][%s] Failed to allocate memory.\n", __func__);
+ ret = CERT_SVC_ERR_MEMORY_ALLOCATION;
+ goto err;
+ }
pubkeyTmp = certDesc->info.pubKey;
i2d_PublicKey(x->cert_info->key->pkey, &pubkeyTmp);
certDesc->info.pubKeyLen = pkeyLen;
if(x->cert_info->issuerUID != NULL) {
issuerUidLen = x->cert_info->issuerUID->length;
certDesc->info.issuerUID = (unsigned char*)malloc(sizeof(unsigned char) * (issuerUidLen + 1));
+ if(certDesc->info.issuerUID == NULL) {
+ SLOGE("[ERR][%s] Failed to allocate memory.\n", __func__);
+ ret = CERT_SVC_ERR_MEMORY_ALLOCATION;
+ goto err;
+ }
memset(certDesc->info.issuerUID, 0x00, (issuerUidLen + 1));
memcpy(certDesc->info.issuerUID, x->cert_info->issuerUID->data, issuerUidLen);
}
if(x->cert_info->subjectUID != NULL) {
subjectUidLen = x->cert_info->subjectUID->length;
certDesc->info.subjectUID = (unsigned char*)malloc(sizeof(unsigned char) * (subjectUidLen + 1));
+ if(certDesc->info.subjectUID == NULL) {
+ SLOGE("[ERR][%s] Failed to allocate memory.\n", __func__);
+ ret = CERT_SVC_ERR_MEMORY_ALLOCATION;
+ goto err;
+ }
memset(certDesc->info.subjectUID, 0x00, (subjectUidLen + 1));
memcpy(certDesc->info.subjectUID, x->cert_info->subjectUID->data, subjectUidLen);
}
// certDesc->ext.numOfFields = x->cert_info->extensions->num;
certDesc->ext.numOfFields = sk_X509_EXTENSION_num(x->cert_info->extensions);
certDesc->ext.fields = (cert_svc_cert_fld_desc*)malloc(sizeof(cert_svc_cert_fld_desc) * certDesc->ext.numOfFields);
+ if(certDesc->ext.fields == NULL) {
+ SLOGE("[ERR][%s] Failed to allocate memory.\n", __func__);
+ ret = CERT_SVC_ERR_MEMORY_ALLOCATION;
+ goto err;
+ }
- for(i = 0; i < certDesc->ext.numOfFields; i++) {
+ for(i = 0; i < (int)certDesc->ext.numOfFields; i++) {
ext = sk_X509_EXTENSION_value(x->cert_info->extensions, i);
if(ext != NULL) {
extObject = (char*)get_ASN1_OBJECT(ext->object);
- extObjLen = strlen(extObject);
+ extObjLen = strlen((const char*)extObject);
certDesc->ext.fields[i].name = (unsigned char*)malloc(sizeof(unsigned char) * (extObjLen + 1));
+ if(certDesc->ext.fields[i].name == NULL) {
+ SLOGE("[ERR][%s] Failed to allocate memory.\n", __func__);
+ ret = CERT_SVC_ERR_MEMORY_ALLOCATION;
+ goto err;
+ }
memset(certDesc->ext.fields[i].name, 0x00, (extObjLen + 1));
memcpy(certDesc->ext.fields[i].name, extObject, extObjLen);
- extValue = ext->value->data;
+ extValue = (char*)ext->value->data;
extValLen = ext->value->length;
certDesc->ext.fields[i].data = (unsigned char*)malloc(sizeof(unsigned char) * (extValLen + 1));
+ if(certDesc->ext.fields[i].data == NULL) {
+ SLOGE("[ERR][%s] Failed to allocate memory.\n", __func__);
+ ret = CERT_SVC_ERR_MEMORY_ALLOCATION;
+ goto err;
+ }
memset(certDesc->ext.fields[i].data, 0x00, (extValLen + 1));
memcpy(certDesc->ext.fields[i].data, extValue, extValLen);
}
/* get signature algorithm and signature */
sigAlgo = (char*)get_ASN1_OBJECT(x->sig_alg->algorithm);
- sigAlgoLen = strlen(sigAlgo);
+ sigAlgoLen = strlen((const char*)sigAlgo);
certDesc->signatureAlgo = (unsigned char*)malloc(sizeof(unsigned char) * (sigAlgoLen + 1));
+ if(certDesc->signatureAlgo == NULL) {
+ SLOGE("[ERR][%s] Failed to allocate memory.\n", __func__);
+ ret = CERT_SVC_ERR_MEMORY_ALLOCATION;
+ goto err;
+ }
memset(certDesc->signatureAlgo, 0x00, (sigAlgoLen + 1));
memcpy(certDesc->signatureAlgo, sigAlgo, sigAlgoLen);
sigDataLen = x->signature->length;
certDesc->signatureLen = sigDataLen;
certDesc->signatureData = (unsigned char*)malloc(sizeof(unsigned char) * (sigDataLen + 1));
+ if(certDesc->signatureData == NULL) {
+ SLOGE("[ERR][%s] Failed to allocate memory.\n", __func__);
+ ret = CERT_SVC_ERR_MEMORY_ALLOCATION;
+ goto err;
+ }
memset(certDesc->signatureData, 0x00, (sigDataLen + 1));
memcpy(certDesc->signatureData, x->signature->data, sigDataLen);
switch(fldName) {
case ISSUER_COUNTRY:
if(certDesc->info.issuer.countryName) {
- len = strlen(certDesc->info.issuer.countryName);
- if(!strncmp(fldData, certDesc->info.issuer.countryName, len)) {
- if(strlen(fldData) == len) ret = 1;
+ len = strlen((const char*)(certDesc->info.issuer.countryName));
+ if(!strncmp((const char*)fldData, (const char*)(certDesc->info.issuer.countryName), len)) {
+ if((int)strlen((const char*)fldData) == len) ret = 1;
else ret = 0;
}
else ret = 0;
break;
case ISSUER_STATEORPROVINCE:
if(certDesc->info.issuer.stateOrProvinceName) {
- len = strlen(certDesc->info.issuer.stateOrProvinceName);
- if(!strncmp(fldData, certDesc->info.issuer.stateOrProvinceName, len)) {
- if(strlen(fldData) == len) ret = 1;
+ len = strlen((const char*)(certDesc->info.issuer.stateOrProvinceName));
+ if(!strncmp((const char*)fldData, (const char*)(certDesc->info.issuer.stateOrProvinceName), len)) {
+ if((int)strlen(fldData) == len) ret = 1;
else ret = 0;
}
else ret = 0;
break;
case ISSUER_LOCALITY:
if(certDesc->info.issuer.localityName) {
- len = strlen(certDesc->info.issuer.localityName);
- if(!strncmp(fldData, certDesc->info.issuer.localityName, len)) {
- if(strlen(fldData) == len) ret = 1;
+ len = strlen((const char*)(certDesc->info.issuer.localityName));
+ if(!strncmp((const char*)fldData, (const char*)(certDesc->info.issuer.localityName), len)) {
+ if((int)strlen((const char*)fldData) == len) ret = 1;
else ret = 0;
}
else ret = 0;
break;
case ISSUER_ORGANIZATION:
if(certDesc->info.issuer.organizationName) {
- len = strlen(certDesc->info.issuer.organizationName);
- if(!strncmp(fldData, certDesc->info.issuer.organizationName, len)) {
- if(strlen(fldData) == len) ret = 1;
+ len = strlen((const char*)(certDesc->info.issuer.organizationName));
+ if(!strncmp((const char*)fldData, (const char*)(certDesc->info.issuer.organizationName), len)) {
+ if((int)strlen((const char*)fldData) == len) ret = 1;
else ret = 0;
}
else ret = 0;
break;
case ISSUER_ORGANIZATIONUNIT:
if(certDesc->info.issuer.organizationUnitName) {
- len = strlen(certDesc->info.issuer.organizationUnitName);
- if(!strncmp(fldData, certDesc->info.issuer.organizationUnitName, len)) {
- if(strlen(fldData) == len) ret = 1;
+ len = strlen((const char*)(certDesc->info.issuer.organizationUnitName));
+ if(!strncmp((const char*)fldData, (const char*)(certDesc->info.issuer.organizationUnitName), len)) {
+ if((int)strlen((const char*)fldData) == len) ret = 1;
else ret = 0;
}
else ret = 0;
break;
case ISSUER_COMMONNAME:
if(certDesc->info.issuer.commonName) {
- len = strlen(certDesc->info.issuer.commonName);
- if(!strncmp(fldData, certDesc->info.issuer.commonName, len)) {
- if(strlen(fldData) == len) ret = 1;
+ len = strlen((const char*)(certDesc->info.issuer.commonName));
+ if(!strncmp((const char*)fldData, (const char*)(certDesc->info.issuer.commonName), len)) {
+ if((int)strlen((const char*)fldData) == len) ret = 1;
else ret = 0;
}
else ret = 0;
break;
case ISSUER_EMAILADDRESS:
if(certDesc->info.issuer.emailAddress) {
- len = strlen(certDesc->info.issuer.emailAddress);
- if(!strncmp(fldData, certDesc->info.issuer.emailAddress, len)) {
- if(strlen(fldData) == len) ret = 1;
+ len = strlen((const char*)(certDesc->info.issuer.emailAddress));
+ if(!strncmp((const char*)fldData, (const char*)(certDesc->info.issuer.emailAddress), len)) {
+ if((int)strlen((const char*)fldData) == len) ret = 1;
else ret = 0;
}
else ret = 0;
break;
case ISSUER_STR:
if(certDesc->info.issuerStr) {
- len = strlen(certDesc->info.issuerStr);
- if(!strncmp(fldData, certDesc->info.issuerStr, len)) {
- if(strlen(fldData) == len) ret = 1;
+ len = strlen((const char*)(certDesc->info.issuerStr));
+ if(!strncmp((const char*)fldData, (const char*)(certDesc->info.issuerStr), len)) {
+ if((int)strlen((const char*)fldData) == len) ret = 1;
else ret = 0;
}
else ret = 0;
break;
case SUBJECT_COUNTRY:
if(certDesc->info.subject.countryName) {
- len = strlen(certDesc->info.subject.countryName);
- if(!strncmp(fldData, certDesc->info.subject.countryName, len)) {
- if(strlen(fldData) == len) ret = 1;
+ len = strlen((const char*)(certDesc->info.subject.countryName));
+ if(!strncmp((const char*)fldData, (const char*)(certDesc->info.subject.countryName), len)) {
+ if((int)strlen((const char*)fldData) == len) ret = 1;
else ret = 0;
}
else ret = 0;
break;
case SUBJECT_STATEORPROVINCE:
if(certDesc->info.subject.stateOrProvinceName) {
- len = strlen(certDesc->info.subject.stateOrProvinceName);
- if(!strncmp(fldData, certDesc->info.subject.stateOrProvinceName, len)) {
- if(strlen(fldData) == len) ret = 1;
+ len = strlen((const char*)(certDesc->info.subject.stateOrProvinceName));
+ if(!strncmp((const char*)fldData, (const char*)(certDesc->info.subject.stateOrProvinceName), len)) {
+ if((int)strlen((const char*)fldData) == len) ret = 1;
else ret = 0;
}
else ret = 0;
break;
case SUBJECT_LOCALITY:
if(certDesc->info.subject.localityName) {
- len = strlen(certDesc->info.subject.localityName);
- if(!strncmp(fldData, certDesc->info.subject.localityName, len)) {
- if(strlen(fldData) == len) ret = 1;
+ len = strlen((const char*)(certDesc->info.subject.localityName));
+ if(!strncmp((const char*)fldData, (const char*)(certDesc->info.subject.localityName), len)) {
+ if((int)strlen((const char*)fldData) == len) ret = 1;
else ret = 0;
}
else ret = 0;
break;
case SUBJECT_ORGANIZATION:
if(certDesc->info.subject.organizationName) {
- len = strlen(certDesc->info.subject.organizationName);
- if(!strncmp(fldData, certDesc->info.subject.organizationName, len)) {
- if(strlen(fldData) == len) ret = 1;
+ len = strlen((const char*)(certDesc->info.subject.organizationName));
+ if(!strncmp((const char*)fldData, (const char*)(certDesc->info.subject.organizationName), len)) {
+ if((int)strlen((const char*)fldData) == len) ret = 1;
else ret = 0;
}
else ret = 0;
break;
case SUBJECT_ORGANIZATIONUNIT:
if(certDesc->info.subject.organizationUnitName) {
- len = strlen(certDesc->info.subject.organizationUnitName);
- if(!strncmp(fldData, certDesc->info.subject.organizationUnitName, len)) {
- if(strlen(fldData) == len) ret = 1;
+ len = strlen((const char*)(certDesc->info.subject.organizationUnitName));
+ if(!strncmp((const char*)fldData, (const char*)(certDesc->info.subject.organizationUnitName), len)) {
+ if((int)strlen((const char*)fldData) == len) ret = 1;
else ret = 0;
}
else ret = 0;
break;
case SUBJECT_COMMONNAME:
if(certDesc->info.subject.commonName) {
- len = strlen(certDesc->info.subject.commonName);
- if(!strncmp(fldData, certDesc->info.subject.commonName, len)) {
- if(strlen(fldData) == len) ret = 1;
+ len = strlen((const char*)(certDesc->info.subject.commonName));
+ if(!strncmp((const char*)fldData, (const char*)(certDesc->info.subject.commonName), len)) {
+ if((int)strlen((const char*)fldData) == len) ret = 1;
else ret = 0;
}
else ret = 0;
break;
case SUBJECT_EMAILADDRESS:
if(certDesc->info.subject.emailAddress) {
- len = strlen(certDesc->info.subject.emailAddress);
- if(!strncmp(fldData, certDesc->info.subject.emailAddress, len)) {
- if(strlen(fldData) == len) ret = 1;
+ len = strlen((const char*)(certDesc->info.subject.emailAddress));
+ if(!strncmp((const char*)fldData, (const char*)(certDesc->info.subject.emailAddress), len)) {
+ if((int)strlen((const char*)fldData) == len) ret = 1;
else ret = 0;
}
else ret = 0;
break;
case SUBJECT_STR:
if(certDesc->info.subjectStr) {
- len = strlen(certDesc->info.subjectStr);
- if(!strncmp(fldData, certDesc->info.subjectStr, len)) {
- if(strlen(fldData) == len) ret = 1;
+ len = strlen((const char*)(certDesc->info.subjectStr));
+ if(!strncmp((const char*)fldData, (const char*)(certDesc->info.subjectStr), len)) {
+ if((int)strlen((const char*)fldData) == len) ret = 1;
else ret = 0;
}
else ret = 0;
el->next = local;
local = el;
- len = strlen(ftsent->fts_path);
+ len = strlen((const char*)(ftsent->fts_path));
local->filename = (char*)malloc(len+1);
if (!local->filename) {
ret = CERT_SVC_ERR_MEMORY_ALLOCATION;
int get_all_certificates(cert_svc_filename_list** allCerts)
{
int ret;
- char ** buffer[] = {CERT_SVC_SEARCH_PATH_RO, CERT_SVC_SEARCH_PATH_RW, NULL};
+ char ** buffer[] = {(char **)CERT_SVC_SEARCH_PATH_RO, (char **)CERT_SVC_SEARCH_PATH_RW, NULL};
if (!allCerts) {
SLOGE("[ERR][%s] Invalid argument.\n", __func__);
cert_svc_filename_list* allCerts = NULL;
cert_svc_filename_list* p = NULL;
cert_svc_filename_list* q = NULL;
- cert_svc_filename_list* new = NULL;
+ cert_svc_filename_list* newNode = NULL;
cert_svc_mem_buff* certBuf = NULL;
cert_svc_cert_descriptor* certDesc = NULL;
int matched = 0;
if(search_data_field(fldName, fldData, certDesc) == 1) { // found!!
matched = 1;
- if(!(new = (cert_svc_filename_list*)malloc(sizeof(cert_svc_filename_list)))) {
+ if(!(newNode = (cert_svc_filename_list*)malloc(sizeof(cert_svc_filename_list)))) {
SLOGE("[ERR][%s] Fail to allocate memory.\n", __func__);
ret = CERT_SVC_ERR_MEMORY_ALLOCATION;
goto err;
}
- if(!(new->filename = (char*)malloc(sizeof(char) * CERT_SVC_MAX_FILE_NAME_SIZE))) {
+ if(!(newNode->filename = (char*)malloc(sizeof(char) * CERT_SVC_MAX_FILE_NAME_SIZE))) {
SLOGE("[ERR][%s] Fail to allocate memory.\n", __func__);
ret = CERT_SVC_ERR_MEMORY_ALLOCATION;
- free(new);
+ free(newNode);
goto err;
}
- memset(new->filename, 0x00, CERT_SVC_MAX_FILE_NAME_SIZE);
+ memset(newNode->filename, 0x00, CERT_SVC_MAX_FILE_NAME_SIZE);
- strncpy(new->filename, p->filename, strlen(p->filename));
- new->next = NULL;
+ strncpy(newNode->filename, p->filename, CERT_SVC_MAX_FILE_NAME_SIZE - 1);
+ newNode->filename[CERT_SVC_MAX_FILE_NAME_SIZE - 1] = '\0';
+
+ newNode->next = NULL;
if((*fileNames) == NULL)
- (*fileNames) = new;
+ (*fileNames) = newNode;
else {
q = (*fileNames);
while(q->next != NULL)
q = q->next;
- q->next = new;
+ q->next = newNode;
}
}
return ret;
}
+X509 *__loadCert(const char *file) {
+ FILE *fp = fopen(file, "r");
+ if(fp == NULL)
+ return NULL;
+ X509 *cert;
+ if(!(cert = d2i_X509_fp(fp, NULL))) {
+ fseek(fp, 0, SEEK_SET);
+ cert = PEM_read_X509(fp, NULL, NULL, NULL);
+ }
+ fclose(fp);
+ return cert;
+}
+
+int __loadSystemCerts(STACK_OF(X509) *systemCerts) {
+ int ret = CERT_SVC_ERR_NO_ERROR;
+ cert_svc_filename_list* allCerts = NULL;
+ cert_svc_filename_list* p = NULL;
+ struct stat file_info;
+ X509 *cert;
+
+ if((ret = get_all_certificates(&allCerts)) != CERT_SVC_ERR_NO_ERROR) {
+ SLOGE("[ERR][%s] Fail to get all certificate file list, ret: [%d]\n", __func__, ret);
+ goto err;
+ }
+
+ p = allCerts;
+ while(1) {
+ if((lstat(p->filename, &file_info)) < 0) { // get file information
+ SECURE_SLOGE("[ERR][%s] Fail to get file(%s) information.\n", __func__, p->filename);
+ ret = CERT_SVC_ERR_INVALID_OPERATION;
+ goto err;
+ }
+ if((file_info.st_mode & S_IFLNK) == S_IFLNK) { // if symbolic link, continue
+// SLOGD("[LOG][%s] %s is symbolic link, ignored.\n", __func__, p->filename);
+ goto fail_to_load_file;
+ }
+
+ cert = __loadCert(p->filename);
+ if(cert != NULL) {
+ sk_X509_push(systemCerts, cert);
+ }
+fail_to_load_file:
+ if(p->next == NULL)
+ break;
+ p = p->next;
+ }
+
+ ret = CERT_SVC_ERR_NO_ERROR;
+err:
+ release_filename_list(allCerts);
+
+ return ret;
+}
+
+#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
+int __ocsp_verify(X509 *cert, X509 *issuer, STACK_OF(X509) *systemCerts, char *url, int *ocspStatus) {
+ OCSP_REQUEST *req = NULL;
+ OCSP_RESPONSE *resp = NULL;
+ OCSP_BASICRESP *bs = NULL;
+ OCSP_CERTID *certid = NULL;
+ BIO *cbio = NULL;
+ SSL_CTX *use_ssl_ctx = NULL;
+ char *host = NULL, *port = NULL, *path = NULL;
+ ASN1_GENERALIZEDTIME *rev = NULL;
+ ASN1_GENERALIZEDTIME *thisupd = NULL;
+ ASN1_GENERALIZEDTIME *nextupd = NULL;
+ int use_ssl = 0;
+ X509_OBJECT obj;
+ int i,tmpIdx;
+ long nsec = (5 * 60), maxage = -1; /* Maximum leeway in validity period: default 5 minutes */
+ int ret = 0;
+ char subj_buf[256];
+ int reason;
+ X509_STORE *trustedStore=NULL;
+
+ ERR_load_crypto_strings();
+ OpenSSL_add_all_algorithms();
+
+ if (!OCSP_parse_url(url, &host, &port, &path, &use_ssl)) {
+ /* report error */
+ return CERT_SVC_ERR_OCSP_NO_SUPPORT;
+ }
+
+ cbio = BIO_new_connect(host);
+ if (!cbio) {
+ /*BIO_printf(bio_err, "Error creating connect BIO\n");*/
+ /* report error */
+ return CERT_SVC_ERR_OCSP_NO_SUPPORT;
+ }
+
+ if (port) {
+ BIO_set_conn_port(cbio, port);
+ }
+
+ if (use_ssl == 1) {
+ BIO *sbio;
+ use_ssl_ctx = SSL_CTX_new(SSLv23_client_method());
+ if (!use_ssl_ctx) {
+ /* report error */
+ return CERT_SVC_ERR_OCSP_INTERNAL;
+ }
+
+ SSL_CTX_set_mode(use_ssl_ctx, SSL_MODE_AUTO_RETRY);
+ sbio = BIO_new_ssl(use_ssl_ctx, 1);
+ if (!sbio) {
+ /* report error */
+ return CERT_SVC_ERR_OCSP_INTERNAL;
+ }
+
+ cbio = BIO_push(sbio, cbio);
+ if (!cbio) {
+ /* report error */
+ return CERT_SVC_ERR_OCSP_INTERNAL;
+ }
+ }
+
+ if (BIO_do_connect(cbio) <= 0) {
+ /*BIO_printf(bio_err, "Error connecting BIO\n");*/
+ /* report error */
+ /* free stuff */
+ if (host)
+ OPENSSL_free(host);
+ if (port)
+ OPENSSL_free(port);
+ if (path)
+ OPENSSL_free(path);
+ host = port = path = NULL;
+ if (use_ssl && use_ssl_ctx)
+ SSL_CTX_free(use_ssl_ctx);
+ use_ssl_ctx = NULL;
+ if (cbio)
+ BIO_free_all(cbio);
+ cbio = NULL;
+ return CERT_SVC_ERR_OCSP_NETWORK_FAILED;
+ }
+
+ req = OCSP_REQUEST_new();
+ if(!req) {
+ return CERT_SVC_ERR_OCSP_INTERNAL;
+ }
+ certid = OCSP_cert_to_id(NULL, cert, issuer);
+ if(certid == NULL) {
+ return CERT_SVC_ERR_OCSP_INTERNAL;
+ }
+
+ if(!OCSP_request_add0_id(req, certid)) {
+ return CERT_SVC_ERR_OCSP_INTERNAL;
+ }
+
+ resp = OCSP_sendreq_bio(cbio, path, req);
+
+ /* free some stuff we no longer need */
+ if (host)
+ OPENSSL_free(host);
+ if (port)
+ OPENSSL_free(port);
+ if (path)
+ OPENSSL_free(path);
+ host = port = path = NULL;
+ if (use_ssl && use_ssl_ctx)
+ SSL_CTX_free(use_ssl_ctx);
+ use_ssl_ctx = NULL;
+ if (cbio)
+ BIO_free_all(cbio);
+ cbio = NULL;
+
+ if (!resp) {
+ /*BIO_printf(bio_err, "Error querying OCSP responsder\n");*/
+ /* report error */
+ /* free stuff */
+ OCSP_REQUEST_free(req);
+ return CERT_SVC_ERR_OCSP_NETWORK_FAILED;
+ }
+
+ i = OCSP_response_status(resp);
+
+ if (i != 0) { // OCSP_RESPONSE_STATUS_SUCCESSFUL
+ /*BIO_printf(out, "Responder Error: %s (%ld)\n",
+ OCSP_response_status_str(i), i); */
+ /* report error */
+ /* free stuff */
+ OCSP_REQUEST_free(req);
+ OCSP_RESPONSE_free(resp);
+ return CERT_SVC_ERR_OCSP_REMOTE;
+ }
+
+ bs = OCSP_response_get1_basic(resp);
+ if (!bs) {
+ /* BIO_printf(bio_err, "Error parsing response\n");*/
+ /* report error */
+ /* free stuff */
+ OCSP_REQUEST_free(req);
+ OCSP_RESPONSE_free(resp);
+ return CERT_SVC_ERR_OCSP_REMOTE;
+ }
+
+ if(systemCerts != NULL) {
+ trustedStore = X509_STORE_new();
+ for(tmpIdx=0; tmpIdx<sk_X509_num(systemCerts); tmpIdx++) {
+ X509_STORE_add_cert(trustedStore, sk_X509_value(systemCerts, tmpIdx));
+ }
+ X509_STORE_add_cert(trustedStore, issuer);
+ }
+
+ int response = OCSP_basic_verify(bs, NULL, trustedStore, 0);
+ if (response <= 0) {
+ OCSP_REQUEST_free(req);
+ OCSP_RESPONSE_free(resp);
+ OCSP_BASICRESP_free(bs);
+ X509_STORE_free(trustedStore);
+
+// int err = ERR_get_error();
+// char errStr[100];
+// ERR_error_string(err,errStr);
+// printf("OCSP_basic_verify fail.error = %s\n", errStr);
+ return CERT_SVC_ERR_OCSP_VERIFICATION_ERROR;
+ }
-int _check_ocsp_status(cert_svc_mem_buff* cert, const char* uri)
+ if ((i = OCSP_check_nonce(req, bs)) <= 0) {
+ if (i == -1) {
+ /*BIO_printf(bio_err, "WARNING: no nonce in response\n");*/
+ } else {
+ /*BIO_printf(bio_err, "Nonce Verify error\n");*/
+ /* report error */
+ /* free stuff */
+ OCSP_REQUEST_free(req);
+ OCSP_RESPONSE_free(resp);
+ OCSP_BASICRESP_free(bs);
+ X509_STORE_free(trustedStore);
+ return CERT_SVC_ERR_OCSP_REMOTE;
+ }
+ }
+
+ ret = CERT_SVC_ERR_NO_ERROR;
+
+ (void)X509_NAME_oneline(X509_get_subject_name(cert), subj_buf, 255);
+ if(!OCSP_resp_find_status(bs, certid, ocspStatus, &reason,
+ &rev, &thisupd, &nextupd)) {
+ /* report error */
+
+ /* free stuff */
+ OCSP_RESPONSE_free(resp);
+ OCSP_REQUEST_free(req);
+ OCSP_BASICRESP_free(bs);
+ X509_STORE_free(trustedStore);
+
+ return CERT_SVC_ERR_OCSP_REMOTE;
+ }
+
+ /* Check validity: if invalid write to output BIO so we
+ * know which response this refers to.
+ */
+ if (!OCSP_check_validity(thisupd, nextupd, nsec, maxage)) {
+ /* ERR_print_errors(out); */
+ /* report error */
+
+ /* free stuff */
+ OCSP_REQUEST_free(req);
+ OCSP_RESPONSE_free(resp);
+ OCSP_BASICRESP_free(bs);
+ X509_STORE_free(trustedStore);
+
+ return CERT_SVC_ERR_OCSP_VERIFICATION_ERROR;
+ }
+
+ if (req) {
+ OCSP_REQUEST_free(req);
+ req = NULL;
+ }
+
+ if (resp) {
+ OCSP_RESPONSE_free(resp);
+ resp = NULL;
+ }
+
+ if (bs) {
+ OCSP_BASICRESP_free(bs);
+ bs = NULL;
+ }
+
+ if(trustedStore) {
+ X509_STORE_free(trustedStore);
+ trustedStore = NULL;
+ }
+
+ if (reason != -1) {
+ char *reason_str = NULL;
+ reason_str = OCSP_crl_reason_str(reason);
+ }
+
+
+ return ret;
+}
+
+int _check_ocsp_status(cert_svc_mem_buff* certBuf, cert_svc_linked_list** certList, const char* uri)
{
int ret = CERT_SVC_ERR_NO_ERROR;
+ int ocspStatus;
+ cert_svc_linked_list* sorted = NULL;
+ cert_svc_linked_list* p = NULL;
+ cert_svc_linked_list* q = NULL;
+ cert_svc_cert_descriptor* findRoot = NULL;
+ cert_svc_filename_list* fileNames = NULL;
+ cert_svc_mem_buff* CACert = NULL;
+ // variables for verification
+ int certNum = 0;
+ cert_svc_mem_buff* childCert;
+ cert_svc_mem_buff* parentCert;
+
+ findRoot = (cert_svc_cert_descriptor*)malloc(sizeof(cert_svc_cert_descriptor));
+ if(findRoot == NULL) {
+ SLOGE("[ERR][%s] Failed to allocate memory for certificate descriptor.\n", __func__);
+ ret = CERT_SVC_ERR_MEMORY_ALLOCATION;
+ goto err;
+ }
+
+ memset(findRoot, 0x00, sizeof(cert_svc_cert_descriptor));
+ if(certList != NULL && (*certList) != NULL) {
+ /* remove self-signed certificate in certList */
+ if((ret = _remove_selfsigned_cert_in_chain(certList)) != CERT_SVC_ERR_NO_ERROR) {
+ SLOGE("[ERR][%s] Fail to remove self-signed certificate in chain.\n", __func__);
+ goto err;
+ }
+ /* sort certList */
+ if((ret = sort_cert_chain(certList, &sorted)) != CERT_SVC_ERR_NO_ERROR) {
+ SLOGE("[ERR][%s] Fail to sort certificate chain.\n", __func__);
+ goto err;
+ }
+
+ /* find root cert from store, the SUBJECT field of root cert is same with ISSUER field of certList[0] */
+ p = sorted;
+ while(p->next != NULL) {
+ certNum++;
+ p = p->next;
+ }
+ certNum++;
+ ret = _extract_certificate_data(p->certificate, findRoot);
+ }
+ else {
+ ret = _extract_certificate_data(certBuf, findRoot);
+ }
+
+ if(ret != CERT_SVC_ERR_NO_ERROR) {
+ SLOGE("[ERR][%s] Fail to extract certificate data\n", __func__);
+ goto err;
+ }
+ if((ret = _search_certificate(&fileNames, SUBJECT_STR, findRoot->info.issuerStr)) != CERT_SVC_ERR_NO_ERROR) {
+ ret = CERT_SVC_ERR_NO_ROOT_CERT;
+ SLOGE("[ERR][%s] Fail to search root certificate\n", __func__);
+ goto err;
+ }
+ if(fileNames->filename == NULL) {
+ SLOGE("[ERR][%s] There is no CA certificate.\n", __func__);
+ ret = CERT_SVC_ERR_NO_ROOT_CERT;
+ goto err;
+ }
+ CACert = (cert_svc_mem_buff*)malloc(sizeof(cert_svc_mem_buff));
+ if(CACert == NULL) {
+ SLOGE("[ERR][%s] Failed to allocate memory for ca cert.\n", __func__);
+ ret = CERT_SVC_ERR_MEMORY_ALLOCATION;
+ goto err;
+ }
+ memset(CACert, 0x00, sizeof(cert_svc_mem_buff));
+ // use the first found CA cert - ignore other certificate(s). assume that there is JUST one CA cert
+ if((ret = cert_svc_util_load_file_to_buffer(fileNames->filename, CACert)) != CERT_SVC_ERR_NO_ERROR) {
+ SLOGE("[ERR][%s] Fail to load CA cert to buffer.\n", __func__);
+ goto err;
+ }
+ // =============================
+ q = sorted; // first item is the certificate that user want to verify
+
+ childCert = certBuf;
+ // To check oscp for all certificate chain except root
+ if(q != NULL) { // has 2 or more certificates
+ for( ; q != NULL; q = q->next) {
+ parentCert = q->certificate;
+ // OCSP Check
+ if(CERT_SVC_ERR_NO_ERROR != (ret = _verify_ocsp(childCert, parentCert, uri, &ocspStatus))) {
+ SLOGE("[ERR][%s] Error Occurred during OCSP Checking.\n", __func__);
+ goto err;
+ }
+ if(ocspStatus != 0) { // CERT_SVC_OCSP_GOOD
+ SLOGE("[ERR][%s] Invalid Certificate OCSP Status. ocspStatus=%d.\n", __func__, ocspStatus);
+
+ switch(ocspStatus) {
+ case 0 : //OCSP_GOOD
+ ret = CERT_SVC_ERR_NO_ERROR;
+ break;
+ case 1 : //OCSP_REVOCKED
+ ret = CERT_SVC_ERR_OCSP_REVOKED;
+ break;
+ case 2 : //OCSP_UNKNOWN
+ ret = CERT_SVC_ERR_OCSP_UNKNOWN;
+ break;
+ default :
+ ret = CERT_SVC_ERR_OCSP_REMOTE;
+ break;
+ }
+ goto err;
+ }
+
+ // move to next
+ childCert = parentCert;
+ }
+ }
+
+ // Final OCSP Check
+ parentCert = CACert;
+ if(CERT_SVC_ERR_NO_ERROR != (ret = _verify_ocsp(childCert, parentCert, uri, &ocspStatus))) {
+ SLOGE("[ERR][%s] Error Occurred during OCSP Checking.\n", __func__);
+ goto err;
+ }
+ switch(ocspStatus) {
+ case 0 : //OCSP_GOOD
+ ret = CERT_SVC_ERR_NO_ERROR;
+ break;
+ case 1 : //OCSP_REVOCKED
+ ret = CERT_SVC_ERR_OCSP_REVOKED;
+ break;
+ case 2 : //OCSP_UNKNOWN
+ ret = CERT_SVC_ERR_OCSP_UNKNOWN;
+ break;
+ default :
+ ret = CERT_SVC_ERR_OCSP_REMOTE;
+ break;
+ }
+ if(ret != CERT_SVC_ERR_NO_ERROR) {
+ SLOGE("[ERR][%s] Invalid Certificate OCSP Status. ocspStatus=%d.\n", __func__, ocspStatus);
+ goto err;
+ }
+ // =============================
+err:
+ release_certificate_buf(CACert);
+ release_filename_list(fileNames);
+ release_certificate_data(findRoot);
+ release_cert_list(sorted);
+ return ret;
+}
+
+int _verify_ocsp(cert_svc_mem_buff* child, cert_svc_mem_buff* parent, const char* uri, int* ocspStatus)
+{
+ int ret = CERT_SVC_ERR_NO_ERROR;
+
+ X509 *childCert = NULL;
+ X509 *parentCert= NULL;
+ char *childData=NULL;
+ char *parentData=NULL;
+ char *certAiaUrl= NULL;
+ char *targetUrl= NULL;
+ STACK_OF(OPENSSL_STRING) *aia = NULL;
+ STACK_OF(X509) *systemCerts=NULL;
+ int i;
+ childData = malloc(child->size + 1);
+ memset(childData, 0x00, (child->size + 1));
+ memcpy(childData, (child->data), child->size);
+ parentData = malloc(parent->size + 1);
+ memset(parentData, 0x00, (parent->size + 1));
+ memcpy(parentData, (parent->data), parent->size);
+ d2i_X509(&childCert, &childData, child->size);
+ d2i_X509(&parentCert, &parentData, parent->size);
// check parameter
// - 1. if AIA field of cert is exist, use that
// - 2. if AIA field of cert is not exist, use uri
// - 3. if AIA field of cert is not exist and uri is NULL, fail to check ocsp
+ aia = X509_get1_ocsp(childCert);
+ if (aia) {
+ certAiaUrl = sk_OPENSSL_STRING_value(aia, 0);
+ }
+ if(uri != NULL) {
+ targetUrl = uri;
+ }else {
+ targetUrl = certAiaUrl;
+ }
+ if(targetUrl == NULL) {
+ SLOGE("[ERR][%s] No URI for OCSP.\n", __func__);
+ ret = CERT_SVC_ERR_OCSP_NO_SUPPORT;
+ goto err;
+ }
+
+ // Load Trusted Store
+ systemCerts = sk_X509_new_null();
+ ret = __loadSystemCerts(systemCerts) ;
+ if(ret != CERT_SVC_ERR_NO_ERROR) {
+ SLOGE("[ERR][%s] Fail to extract certificate data\n", __func__);
+ goto err;
+ }
+ // Do OCSP Check
+ ret = __ocsp_verify(childCert, parentCert, systemCerts, targetUrl, ocspStatus);
+ SLOGD("[%s] OCSP Response. ocspstaus=%d, ret=%d.\n", __func__, *ocspStatus, ret);
+
+err:
+ if(childData != NULL && *childData != NULL)
+ free(childData);
+ if(parentData != NULL && *parentData != NULL)
+ free(parentData);
+ if(childCert != NULL)
+ X509_free(childCert);
+ if(parentCert != NULL)
+ X509_free(parentCert);
+ if(aia != NULL)
+ X509_email_free(aia);
+ if(systemCerts != NULL) {
+ for(i=0; i<sk_X509_num(systemCerts); i++)
+ X509_free(sk_X509_value(systemCerts,i));
+ sk_X509_free(systemCerts);
+ }
return ret;
}
+#endif
int release_certificate_buf(cert_svc_mem_buff* certBuf)
{
/* parse cert descriptor extension fields */
if(certDesc->ext.numOfFields > 0) {
- for(i = 0; i < certDesc->ext.numOfFields; i++) {
+ for(i = 0; i < (int)certDesc->ext.numOfFields; i++) {
if(certDesc->ext.fields[i].name != NULL) free(certDesc->ext.fields[i].name);
if(certDesc->ext.fields[i].data != NULL) free(certDesc->ext.fields[i].data);
}
while(1) {
curCert = startCert;
startCert = startCert->next;
-
+
if(curCert->certificate != NULL) {
if(curCert->certificate->data != NULL) {
free(curCert->certificate->data);
return ret;
}
+
+
+void __print_finger_print(const unsigned char *fingerPrint, unsigned int length)
+{
+ int i=0;
+ char buffer[21] = {0,};
+
+ for(; i<20; i++)
+ snprintf(buffer+i, 20, "%0X", fingerPrint[i]);
+
+ SLOGE("FingerPrint : %s", buffer);
+}
+
+int get_visibility(CERT_CONTEXT* context, int* visibility)
+{
+ int ret = CERT_SVC_ERR_NO_ERROR;
+ unsigned char * cert = NULL;
+ int certSize = 0;
+ unsigned char *fingerprint = NULL;
+
+ if(!context->certBuf)
+ {
+ LOGE("certBuf is NULL!");
+ return CERT_SVC_ERR_INVALID_PARAMETER;
+ }
+ if(!context->certBuf->size)
+ {
+ LOGE("certBuf size is wrong");
+ return CERT_SVC_ERR_INVALID_PARAMETER;
+ }
+
+ cert = context->certBuf->data;
+ certSize = context->certBuf->size;
+
+ if(cert == NULL || !certSize)
+ {
+ LOGE("cert is or invalid!");
+ return CERT_SVC_ERR_INVALID_CERTIFICATE;
+ }
+
+ ret = get_certificate_fingerprint(cert, certSize, &fingerprint);
+ if(ret != CERT_SVC_ERR_NO_ERROR)
+ {
+ SLOGE("Failed to get fingerprint data! %d", ret);
+ return ret;
+ }
+
+ ret = get_visibility_by_fingerprint(fingerprint, visibility);
+ if(ret != CERT_SVC_ERR_NO_ERROR)
+ {
+ SLOGE("Failed to get visibility! %d", ret);
+ return ret;
+ }
+
+ return CERT_SVC_ERR_NO_ERROR;
+}
char buf[CERT_SVC_MAX_FILE_NAME_SIZE];
char* token = NULL;
char seps[] = "_";
+ int nameSize = 0 ;
- memset(buf, 0x00, CERT_SVC_MAX_FILE_NAME_SIZE);
- memset(pathLocation, 0x00, CERT_SVC_MAX_FILE_NAME_SIZE);
+ if (originalName == NULL) {
+ SLOGE("[ERR][%s] Check your parameter. Maybe file path is NULL.\n", __func__);
+ ret = CERT_SVC_ERR_INVALID_PARAMETER;
+ goto err;
+ }
+
+ nameSize = strlen(originalName);
+
+ if (nameSize <= 0 || nameSize >= CERT_SVC_MAX_FILE_NAME_SIZE) {
+ SLOGE("[ERR][%s] Check your parameter. File path is too long.\n", __func__);
+ ret = CERT_SVC_ERR_INVALID_PARAMETER;
+ goto err;
+ }
+
+ memset(buf, 0x00, sizeof(buf));
+ memset(pathLocation, 0x00, sizeof(pathLocation));
- if(location == NULL) // use default path
- strncpy(buf, CERT_SVC_STORE_PATH_DEFAULT, strlen(CERT_SVC_STORE_PATH_DEFAULT)+1);
+ if(location == NULL) { // use default path
+ strncpy(buf, CERT_SVC_STORE_PATH_DEFAULT, sizeof(buf) - 1);
+ }
else {
- strncpy(pathLocation, location, strlen(location));
- strncpy(buf, CERT_SVC_STORE_PATH, strlen(CERT_SVC_STORE_PATH)+1);
+ int locSize = strlen(location) + strlen(CERT_SVC_STORE_PATH);
+
+ if (locSize <= 0 || locSize >= CERT_SVC_MAX_FILE_NAME_SIZE) {
+ SLOGE("[ERR][%s] Check your parameter. Location is too long.\n", __func__);
+ ret = CERT_SVC_ERR_INVALID_PARAMETER;
+ goto err;
+ }
+
+ strncpy(pathLocation, location, sizeof(pathLocation) - 1);
+
+ strncpy(buf, CERT_SVC_STORE_PATH, sizeof(buf) - 1);
+
token = strtok(pathLocation, seps);
+
while(token) {
- strncat(buf, token, strlen(token));
- strncat(buf, "/", 1);
- token = strtok(NULL, seps);
+ if((strlen(buf) + strlen(token)) < (CERT_SVC_MAX_FILE_NAME_SIZE - 1)) {
+ strncat(buf, token, strlen(token));
+ strncat(buf, "/", 1);
+ token = strtok(NULL, seps);
+ }
+ else {
+ ret = CERT_SVC_ERR_INVALID_PARAMETER;
+ goto err;
+ }
}
}
- strncat(buf, originalName, strlen(originalName));
- strncpy(outBuf, buf, CERT_SVC_MAX_FILE_NAME_SIZE);
+ if ((nameSize + strlen(buf)) >= CERT_SVC_MAX_FILE_NAME_SIZE) {
+ SLOGE("[ERR][%s] Check your parameter. File path is too long.\n", __func__);
+ ret = CERT_SVC_ERR_INVALID_PARAMETER;
+ goto err;
+ }
+
+ strncat(buf, originalName, nameSize);
+ strncpy(outBuf, buf, CERT_SVC_MAX_FILE_NAME_SIZE - 1);
+ outBuf[ CERT_SVC_MAX_FILE_NAME_SIZE - 1] = '\0';
+
+err:
return ret;
}
FILE* fp_out = NULL;
unsigned long int inFileLen = 0;
char* fileContent = NULL;
- /* check certificate or not */
- X509* x = NULL;
/* initialize variable */
fileFullPath = (char*)malloc(sizeof(char) * CERT_SVC_MAX_FILE_NAME_SIZE);
#include <string.h>
#include <stdlib.h>
-#include <openssl/x509.h>
#include <openssl/pkcs12.h>
+#include <openssl/pem.h>
#include "cert-service.h"
#include "cert-service-util.h"
#include "cert-service-debug.h"
#include "cert-service-process.h"
+#include <libxml/parser.h>
+#include <libxml/tree.h>
+
#ifndef CERT_SVC_API
#define CERT_SVC_API __attribute__((visibility("default")))
#endif
int decodedSize = 0;
int i = 0, j = 0;
- if(!content) {
- ret = CERT_SVC_ERR_INVALID_PARAMETER;
- goto err;
- }
- startPEM = strstr((const char *)content, CERT_BODY_PREFIX);
- startPEM = (startPEM) ? startPEM + strlen(CERT_BODY_PREFIX) : NULL;
- endPEM = strstr((const char *)content, CERT_BODY_SUFIX);
- if(!startPEM || !endPEM) {
- startPEM = strstr((const char *)content, ICERT_BODY_PREFIX);
- startPEM = (startPEM) ? startPEM + strlen(ICERT_BODY_PREFIX) : NULL;
- endPEM = strstr((const char *)content, ICERT_BODY_SUFIX);
- }
- if(!startPEM || !endPEM) {
- ret = CERT_SVC_ERR_UNKNOWN_ERROR;
- goto err;
- }
- else {
- ++startPEM;
- --endPEM;
- size = (long)endPEM - (long)startPEM;
- }
+ if(!content) {
+ ret = CERT_SVC_ERR_INVALID_PARAMETER;
+ goto err;
+ }
+ startPEM = strstr((const char *)content, CERT_BODY_PREFIX);
+ startPEM = (startPEM) ? startPEM + strlen(CERT_BODY_PREFIX) : NULL;
+ endPEM = strstr((const char *)content, CERT_BODY_SUFIX);
+ if(!startPEM || !endPEM) {
+ startPEM = strstr((const char *)content, ICERT_BODY_PREFIX);
+ startPEM = (startPEM) ? startPEM + strlen(ICERT_BODY_PREFIX) : NULL;
+ endPEM = strstr((const char *)content, ICERT_BODY_SUFIX);
+ }
+ if(!startPEM || !endPEM) {
+ ret = CERT_SVC_ERR_UNKNOWN_ERROR;
+ goto err;
+ }
+ else {
+ ++startPEM;
+ --endPEM;
+ size = (long)endPEM - (long)startPEM;
+ }
if(!(original = (char*)malloc(sizeof(char) * (size + 1)))) {
SLOGE("[ERR][%s] Fail to allocate memory.\n", __func__);
FILE* fp_in = NULL;
unsigned char* content = NULL;
unsigned long int fileSize = 0;
- // get extension, type of certificate
- const char* extension = NULL;
/* get file size */
if((ret = cert_svc_util_get_file_size(filePath, &fileSize)) != CERT_SVC_ERR_NO_ERROR) {
{
int ret = CERT_SVC_ERR_NO_ERROR;
cert_svc_linked_list* cur = NULL;
- cert_svc_linked_list* new = NULL;
+ cert_svc_linked_list* newNode = NULL;
unsigned char* pCert = NULL;
unsigned char* bufCert = NULL;
int certLen = 0;
- if(!(new = (cert_svc_linked_list*)malloc(sizeof(cert_svc_linked_list)))) {
+ if(!(newNode = (cert_svc_linked_list*)malloc(sizeof(cert_svc_linked_list)))) {
SLOGE("[ERR][%s] Fail to allocate memory.\n", __func__);
ret = CERT_SVC_ERR_MEMORY_ALLOCATION;
goto err;
}
- if(!(new->certificate = (cert_svc_mem_buff*)malloc(sizeof(cert_svc_mem_buff)))) {
+ if(!(newNode->certificate = (cert_svc_mem_buff*)malloc(sizeof(cert_svc_mem_buff)))) {
SLOGE("[ERR][%s] Fail to allocate memory.\n", __func__);
- free(new);
+ free(newNode);
ret = CERT_SVC_ERR_MEMORY_ALLOCATION;
goto err;
}
/* get certificate data and store in certLink */
if((certLen = i2d_X509(popedCert, NULL)) < 0) {
SLOGE("[ERR][%s] Fail to convert certificate.\n", __func__);
- release_cert_list(new);
+ release_cert_list(newNode);
ret = CERT_SVC_ERR_INVALID_OPERATION;
goto err;
}
if(!(bufCert = (unsigned char*)malloc(sizeof(unsigned char) * certLen))) {
SLOGE("[ERR][%s] Fail to allocate memory.\n", __func__);
ret = CERT_SVC_ERR_MEMORY_ALLOCATION;
- release_cert_list(new);
+ release_cert_list(newNode);
goto err;
}
pCert = bufCert;
i2d_X509(popedCert, &pCert);
- new->certificate->data = bufCert;
- new->certificate->size = certLen;
+ newNode->certificate->data = bufCert;
+ newNode->certificate->size = certLen;
if(NULL == *certLink) { // first item
- *certLink = new;
+ *certLink = newNode;
}
else {
/* attach to linked list */
cur = *certLink;
while(cur->next)
cur = cur->next;
- cur->next = new;
+ cur->next = newNode;
}
err:
return ret;
}
-int cert_svc_util_load_PFX_file_to_buffer(const char* filePath, cert_svc_mem_buff* certBuf, cert_svc_linked_list* certLink, unsigned char** privateKey, int* priKeyLen, char* passPhrase)
+int cert_svc_util_load_PFX_file_to_buffer(const char* filePath, cert_svc_mem_buff* certBuf, cert_svc_linked_list** certLink, unsigned char** privateKey, int* priKeyLen, char* passPhrase)
{
int ret = CERT_SVC_ERR_NO_ERROR;
// related pkcs12 and x509
err:
return ret;
}
+
+// fingerprint format - AA:BB:CC:DD:EE...
+// cert - der(binary) format
+int get_certificate_fingerprint(const char *cert, int cert_size, unsigned char** fingerprint)
+{
+ X509* x509Cert = NULL;
+ unsigned char x509_fingerprint[EVP_MAX_MD_SIZE] = {0,};
+ char* uniformedFingerprint[EVP_MAX_MD_SIZE *3] = {0,};
+ int fp_len = 0;
+ int i = 0;
+ char buff[8] = {0,};
+ int x509_length = 0;
+
+ if(d2i_X509(&x509Cert, &cert, cert_size) == NULL)
+ {
+ SLOGE("d2i_x509 failed!");
+ *fingerprint = NULL;
+ return CERT_SVC_ERR_INVALID_CERTIFICATE;
+ }
+
+ if(!X509_digest(x509Cert, EVP_sha1(), x509_fingerprint, &x509_length))
+ {
+ SLOGE("X509_digest failed");
+ X509_free(x509Cert);
+ *fingerprint = NULL;
+ return CERT_SVC_ERR_INVALID_CERTIFICATE;
+ }
+
+ for(i=0; i < x509_length; i++)
+ {
+ snprintf(buff, sizeof(buff), "%02X:", x509_fingerprint[i]);
+ strncat(uniformedFingerprint, buff, 3);
+ }
+ uniformedFingerprint[x509_length*3-1] = 0; // remove last :
+ fp_len = strlen(uniformedFingerprint);
+
+ *fingerprint = (char*)calloc(sizeof(char),fp_len + 1);
+ if(*fingerprint == NULL)
+ {
+ SLOGE("Failed to allocate memory");
+ X509_free(x509Cert);
+ *fingerprint = NULL;
+ return CERT_SVC_ERR_MEMORY_ALLOCATION;
+ }
+
+ memcpy(*fingerprint, uniformedFingerprint, fp_len-1);
+
+ LOGD("fingerprint : %s", *fingerprint);
+
+ X509_free(x509Cert);
+
+ return CERT_SVC_ERR_NO_ERROR;
+}
+
+int get_visibility_by_fingerprint(const char* fingerprint, int* visibility)
+{
+ LOGD("fingerprint : %s", fingerprint);
+ int ret = 0;
+ xmlChar *xmlPathCertificateSet = (xmlChar*) "CertificateSet";
+ xmlChar *xmlPathCertificateDomain = (xmlChar*) "CertificateDomain";// name=\"tizen-platform\"";
+ xmlChar *xmlPathDomainPlatform = (xmlChar*) "tizen-platform";
+ xmlChar *xmlPathDomainPublic = (xmlChar*) "tizen-public";
+ xmlChar *xmlPathDomainPartner = (xmlChar*) "tizen-partner";
+ xmlChar *xmlPathDomainDeveloper = (xmlChar*) "tizen-developer";
+ xmlChar *xmlPathDomainTest = (xmlChar*) "tizen-test";
+ xmlChar *xmlPathDomainVerify = (xmlChar*) "tizen-verify";
+ xmlChar *xmlPathFingerPrintSHA1 = (xmlChar*) "FingerprintSHA1";
+
+ /* load file */
+ xmlDocPtr doc = xmlParseFile(tzplatform_mkpath(TZ_SYS_SHARE, "ca-certificates/fingerprint/fingerprint_list.xml"));
+
+ if ((doc == NULL) || (xmlDocGetRootElement(doc) == NULL))
+ {
+ LOGE("Failed to prase fingerprint_list.xml");
+ return CERT_SVC_ERR_FILE_IO;
+ }
+
+ xmlNodePtr curPtr = xmlFirstElementChild(xmlDocGetRootElement(doc));
+ if(curPtr == NULL)
+ {
+ LOGE("Can not find root");
+ xmlFreeDoc(doc);
+ return CERT_SVC_ERR_FILE_IO;
+ }
+
+ while(curPtr != NULL)
+ {
+ xmlAttr* attr = curPtr->properties;
+ if(!attr->children || !attr->children->content)
+ {
+ LOGE("Failed to get fingerprints from list");
+ ret = CERT_SVC_ERR_NO_ROOT_CERT;
+ goto out;
+ }
+
+ xmlChar* strLevel = attr->children->content;
+ xmlNodePtr FpPtr = xmlFirstElementChild(curPtr);
+ if(FpPtr == NULL)
+ {
+ LOGE("Could not find fingerprint");
+ ret = CERT_SVC_ERR_NO_ROOT_CERT;
+ goto out;
+ }
+
+ while(FpPtr)
+ {
+ xmlChar *content = xmlNodeGetContent(FpPtr);
+ if(xmlStrcmp(content, (xmlChar*)fingerprint) == 0)
+ {
+ LOGD("fingerprint : %s are %s", content, strLevel);
+ if(!xmlStrcmp(strLevel, xmlPathDomainPlatform)){
+ *visibility = CERT_SVC_VISIBILITY_PLATFORM;
+ ret = CERT_SVC_ERR_NO_ERROR;
+ goto out;
+ }
+ else if(!xmlStrcmp(strLevel, xmlPathDomainPublic)){
+ *visibility = CERT_SVC_VISIBILITY_PUBLIC;
+ ret = CERT_SVC_ERR_NO_ERROR;
+ goto out;
+ }
+ else if(!xmlStrcmp(strLevel, xmlPathDomainPartner)){
+ *visibility = CERT_SVC_VISIBILITY_PARTNER;
+ ret = CERT_SVC_ERR_NO_ERROR;
+ goto out;
+ }
+ else if(!xmlStrcmp(strLevel, xmlPathDomainDeveloper)){
+ *visibility = CERT_SVC_VISIBILITY_DEVELOPER;
+ ret = CERT_SVC_ERR_NO_ERROR;
+ goto out;
+ }
+ else if(!xmlStrcmp(strLevel, xmlPathDomainTest)){
+ *visibility = CERT_SVC_VISIBILITY_TEST;
+ ret = CERT_SVC_ERR_NO_ERROR;
+ goto out;
+ }
+ else if(!xmlStrcmp(strLevel, xmlPathDomainVerify)){
+ *visibility = CERT_SVC_VISIBILITY_VERIFY;
+ ret = CERT_SVC_ERR_NO_ERROR;
+ goto out;
+ }
+ }
+ FpPtr = xmlNextElementSibling(FpPtr);
+ }
+ curPtr = xmlNextElementSibling(curPtr);
+ }
+
+ xmlFreeDoc(doc);
+ return CERT_SVC_ERR_NO_ROOT_CERT;
+
+out:
+ xmlFreeDoc(doc);
+ return ret;
+}
+
+
+// expect input cert data is base64 encoded format
+int get_visibility_by_certificate(const char* cert_data, int data_len, int* visibility)
+{
+ if(!cert_data || !data_len)
+ {
+ return CERT_SVC_ERR_INVALID_PARAMETER;
+ }
+
+ int decodedSize = ((data_len / 4) * 3) + 1;
+ char* decoded = NULL;
+ char* fingerprint = NULL;
+ int ret = CERT_SVC_ERR_NO_ERROR;
+
+ if(!(decoded = (char*)malloc(sizeof(char) * decodedSize))) {
+ SLOGE("Fail to allocate memory.");
+ return CERT_SVC_ERR_MEMORY_ALLOCATION;
+ }
+ memset(decoded, 0x00, decodedSize);
+
+ if((ret = cert_svc_util_base64_decode(cert_data, data_len, decoded, &decodedSize)) != CERT_SVC_ERR_NO_ERROR)
+ {
+ SLOGE("Failed to decode data %d", ret);
+ free(decoded);
+ return ret;
+ }
+
+ ret = get_certificate_fingerprint(decoded, decodedSize, &fingerprint);
+ if(ret != CERT_SVC_ERR_NO_ERROR)
+ {
+ LOGE("Can not get fingerprint! %d", ret);
+ return ret;
+ }
+
+ ret = get_visibility_by_fingerprint(fingerprint, visibility);
+ if(ret != CERT_SVC_ERR_NO_ERROR)
+ {
+ LOGE("Can not find visibility %d", ret);
+ return ret;
+ }
+
+ free(decoded);
+ free(fingerprint);
+ return CERT_SVC_ERR_NO_ERROR;
+}
/*
* certification service
*
- * Copyright (c) 2000 - 2011 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2000 - 2011 Samsung Electronics Co., Ltd All Rights Reserved
*
* Contact: Kidong Kim <kd0228.kim@samsung.com>
*
{
int ret = CERT_SVC_ERR_NO_ERROR;
char _filePath[CERT_SVC_MAX_FILE_NAME_SIZE];
-
- memset(_filePath, 0x00, CERT_SVC_MAX_FILE_NAME_SIZE);
+ int pathSize = 0;
if(filePath == NULL) {
SLOGE("[ERR][%s] Check your parameter. Maybe file path is NULL.\n", __func__);
goto err;
}
+ pathSize = strlen(filePath);
+
+ if (pathSize <= 0 || pathSize >= CERT_SVC_MAX_FILE_NAME_SIZE) {
+ SLOGE("[ERR][%s] Check your parameter. Maybe file path is NULL.\n", __func__);
+ ret = CERT_SVC_ERR_INVALID_PARAMETER;
+ goto err;
+ }
+
+ memset(_filePath, 0x0, sizeof(_filePath));
+
if(filePath[0] != '/') { // not absolute path, this is regarded relative file path
- getcwd(_filePath, CERT_SVC_MAX_FILE_NAME_SIZE);
- strncat(_filePath, "/", 1);
- strncat(_filePath, filePath, strlen(filePath));
+ if (getcwd(_filePath, sizeof(_filePath))) {
+ int cwdSize = 0;
+ //just in case
+ _filePath[sizeof(_filePath) - 1] = '\0';
+
+ cwdSize = strlen(_filePath);
+
+ if (cwdSize <=0 || (cwdSize + pathSize + 1) >= CERT_SVC_MAX_FILE_NAME_SIZE) {
+ SLOGE("[ERR][%s] Check your parameter. Maybe file path is NULL.\n", __func__);
+ ret = CERT_SVC_ERR_INVALID_OPERATION;
+ goto err;
+ }
+
+ strncat(_filePath, "/", 1);
+ strncat(_filePath, filePath, pathSize);
+
+ } else {
+ SLOGE("[ERR][%s] Check your parameter. Maybe file path is NULL.\n", __func__);
+ ret = CERT_SVC_ERR_INVALID_OPERATION;
+ goto err;
+ }
+ }
+ else {
+ strncpy(_filePath, filePath, pathSize);
}
- else
- strncpy(_filePath, filePath, strlen(filePath));
ret = _add_certificate_to_store(_filePath, location);
return ret;
}
-CERT_SVC_API
-int cert_svc_verify_certificate(CERT_CONTEXT* ctx, int* validity)
+int _cert_svc_verify_certificate_with_caflag(CERT_CONTEXT* ctx, int checkCAFlag, int* validity)
{
int ret = CERT_SVC_ERR_NO_ERROR;
ctx->fileNames->next = NULL;
/* call verify function */
- if((ret = _verify_certificate(ctx->certBuf, &(ctx->certLink), ctx->fileNames, validity)) != CERT_SVC_ERR_NO_ERROR) {
+ if((ret = _verify_certificate_with_caflag(ctx->certBuf, &(ctx->certLink), checkCAFlag, ctx->fileNames, validity)) != CERT_SVC_ERR_NO_ERROR) {
SLOGE("[ERR][%s] Fail to verify certificate.\n", __func__);
goto err;
}
return ret;
}
+CERT_SVC_API
+int cert_svc_verify_certificate(CERT_CONTEXT* ctx, int* validity)
+{
+ int ca_cflag_check_false = 0;
+ return _cert_svc_verify_certificate_with_caflag(ctx, ca_cflag_check_false, validity);
+}
+
+CERT_SVC_API
+int cert_svc_verify_certificate_with_caflag(CERT_CONTEXT* ctx, int* validity)
+{
+ int ca_cflag_check_true = 1;
+ return _cert_svc_verify_certificate_with_caflag(ctx, ca_cflag_check_true, validity);
+}
+
/*
* message : unsigned character string
* signature : base64 encoded string
{
int ret = CERT_SVC_ERR_NO_ERROR;
- /* check parameter */
- if((ctx == NULL) || (fldName < SEARCH_FIELD_START ) || (fldName > SEARCH_FIELD_END) || (fldData == NULL)) {
+ /* check parameter, fldName is unsigned int. It will never be negative */
+ if((ctx == NULL) || (fldName > SEARCH_FIELD_END) || (fldData == NULL)) {
SLOGE("[ERR][%s] Invalid parameter. Check your parameter\n", __func__);
ret = CERT_SVC_ERR_INVALID_PARAMETER;
goto err;
/* search specific field */
if((ret = _search_certificate(&(ctx->fileNames), fldName, fldData)) != CERT_SVC_ERR_NO_ERROR) {
- SLOGE("[ERR][%s] Fail to search sertificate.\n", __func__);
+ SLOGE("[ERR][%s] Fail to search certificate.\n", __func__);
+ SLOGE("[ERR][%s] Fail to search certificate.\n", ctx->fileNames);
goto err;
}
SLOGD("[%s] Success to search certificate(s).\n", __func__);
goto err;
}
if(!(ctx->certBuf = (cert_svc_mem_buff*)malloc(sizeof(cert_svc_mem_buff)))) {
- SLOGE("[ERR][%s] Fail to allovate memory.\n", __func__);
+ SLOGE("[ERR][%s] Fail to allocate memory.\n", __func__);
ret = CERT_SVC_ERR_MEMORY_ALLOCATION;
goto err;
}
memset(ctx->certBuf, 0x00, sizeof(cert_svc_mem_buff));
/* memory allocation for decoded string */
- size = strlen(buf);
+ size = strlen((char*)buf);
decodedSize = ((size / 4) * 3) + 1;
if(!(decodedStr = (char*)malloc(sizeof(char) * decodedSize))) {
}
/* decode */
- if((ret = cert_svc_util_base64_decode(buf, size, decodedStr, &decodedSize)) != CERT_SVC_ERR_NO_ERROR) {
+ if((ret = cert_svc_util_base64_decode((char*)buf, size, decodedStr, &decodedSize)) != CERT_SVC_ERR_NO_ERROR) {
SLOGE("[ERR][%s] Fail to decode string, ret: [%d]\n", __func__, ret);
ret = CERT_SVC_ERR_INVALID_OPERATION;
free(decodedStr);
}
/* load content to CERT_CONTEXT */
- ctx->certBuf->data = decodedStr;
+ ctx->certBuf->data = (unsigned char*)decodedStr;
ctx->certBuf->size = decodedSize;
SLOGD("[%s] Success to load certificate buffer content to context.\n", __func__);
goto err;
}
if(!(ctx->certBuf = (cert_svc_mem_buff*)malloc(sizeof(cert_svc_mem_buff)))) {
- SLOGE("[ERR][%s] Fail to allovate memory.\n", __func__);
+ SLOGE("[ERR][%s] Fail to allocate memory.\n", __func__);
ret = CERT_SVC_ERR_MEMORY_ALLOCATION;
goto err;
}
ret = CERT_SVC_ERR_INVALID_OPERATION;
goto err;
}
-
+
SLOGD("[%s] Success to load certificate file content to context.\n", __func__);
err:
/* memory alloction new item */
if(!(new = (cert_svc_linked_list*)malloc(sizeof(cert_svc_linked_list)))) {
- SLOGE("[ERR][%s] Fail to allcate memory.\n", __func__);
+ SLOGE("[ERR][%s] Fail to allocate memory.\n", __func__);
ret = CERT_SVC_ERR_MEMORY_ALLOCATION;
goto err;
}
if(!(new->certificate = (cert_svc_mem_buff*)malloc(sizeof(cert_svc_mem_buff)))) {
- SLOGE("[ERR][%s] Fail to allcate memory.\n", __func__);
+ SLOGE("[ERR][%s] Fail to allocate memory.\n", __func__);
free(new);
ret = CERT_SVC_ERR_MEMORY_ALLOCATION;
goto err;
}
/* memory allocation for decoded string */
- size = strlen(buf);
+ size = strlen((char*)buf);
decodedSize = ((size / 4) * 3) + 1;
if(!(decodedStr = (char*)malloc(sizeof(char) * decodedSize))) {
}
/* decode */
- if((ret = cert_svc_util_base64_decode(buf, size, decodedStr, &decodedSize)) != CERT_SVC_ERR_NO_ERROR) {
+ if((ret = cert_svc_util_base64_decode((char*)buf, size, decodedStr, &decodedSize)) != CERT_SVC_ERR_NO_ERROR) {
SLOGE("[ERR][%s] Fail to decode string, ret: [%d]\n", __func__, ret);
release_cert_list(new);
free(decodedStr);
}
/* load content to CERT_CONTEXT */
- new->certificate->data = decodedStr;
+ new->certificate->data = (unsigned char*)decodedStr;
new->certificate->size = decodedSize;
new->next = NULL;
cur = cur->next;
cur->next = new;
}
-
+
SLOGD("[%s] Success to push certificate buffer content to context.\n", __func__);
err:
/* memory alloction new item */
if(!(new = (cert_svc_linked_list*)malloc(sizeof(cert_svc_linked_list)))) {
- SLOGE("[ERR][%s] Fail to allcate memory.\n", __func__);
+ SLOGE("[ERR][%s] Fail to allocate memory.\n", __func__);
ret = CERT_SVC_ERR_MEMORY_ALLOCATION;
goto err;
}
memset(new, 0x00, sizeof(cert_svc_linked_list));
if(!(new->certificate = (cert_svc_mem_buff*)malloc(sizeof(cert_svc_mem_buff)))) {
- SLOGE("[ERR][%s] Fail to allcate memory.\n", __func__);
+ SLOGE("[ERR][%s] Fail to allocate memory.\n", __func__);
ret = CERT_SVC_ERR_MEMORY_ALLOCATION;
free(new);
goto err;
cur->next = new;
}
-
+
SLOGD("[%s] Success to push certificate file content to context.\n", __func__);
err:
goto err;
}
if(!(ctx->certBuf = (cert_svc_mem_buff*)malloc(sizeof(cert_svc_mem_buff)))) {
- SLOGE("[ERR][%s] Fail to allovate memory.\n", __func__);
+ SLOGE("[ERR][%s] Fail to allocate memory.\n", __func__);
ret = CERT_SVC_ERR_MEMORY_ALLOCATION;
goto err;
}
memset(ctx->certBuf, 0x00, sizeof(cert_svc_mem_buff));
/* get content to ctx->certBuf */
- if((ret = cert_svc_util_load_PFX_file_to_buffer(filePath, ctx->certBuf, ctx->certLink, privateKey, priKeyLen, passPhrase)) != CERT_SVC_ERR_NO_ERROR) {
+ if((ret = cert_svc_util_load_PFX_file_to_buffer(filePath, ctx->certBuf, &ctx->certLink, privateKey, priKeyLen, passPhrase)) != CERT_SVC_ERR_NO_ERROR) {
SECURE_SLOGE("[ERR][%s] Fail to load file, filepath: [%s], ret: [%d]\n", __func__, filePath, ret);
ret = CERT_SVC_ERR_INVALID_OPERATION;
goto err;
}
-
+
SLOGD("[%s] Success to load certificate file content to context.\n", __func__);
err:
return ret;
}
+#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
CERT_SVC_API
int cert_svc_check_ocsp_status(CERT_CONTEXT* ctx, const char* uri)
{
int ret = CERT_SVC_ERR_NO_ERROR;
+ cert_svc_linked_list** certList=NULL;
+ /* check revocation status */
/* check parameter */
if((ctx == NULL) || (ctx->certBuf == NULL)) {
SLOGE("[ERR][%s] certBuf must have value.\n", __func__);
- ret = CERT_SVC_ERR_INVALID_OPERATION;
+ ret = CERT_SVC_ERR_INVALID_PARAMETER;
goto err;
}
/* check revocation status */
- if((ret = _check_ocsp_status(ctx->certBuf, uri)) != CERT_SVC_ERR_NO_ERROR) {
+ if(ctx->certLink != NULL) {
+ certList = &(ctx->certLink);
+ }
+ if((ret = _check_ocsp_status(ctx->certBuf, certList, uri)) != CERT_SVC_ERR_NO_ERROR) {
SLOGE("[ERR][%s] Fail to check revocation status.\n", __func__);
- ret = CERT_SVC_ERR_INVALID_CERTIFICATE;
goto err;
}
err:
return ret;
}
+#endif
CERT_SVC_API
char* cert_svc_get_certificate_crt_file_path(void)
return CRT_FILE_PATH;
}
+CERT_SVC_API
+int cert_svc_get_visibility(CERT_CONTEXT *ctx, int* visibility)
+{
+ CERT_CONTEXT* context = NULL;
+ int ret = CERT_SVC_ERR_NO_ERROR;
+ const char* root_cert_path = NULL;
+
+ if(!ctx || !visibility)
+ {
+ SLOGE("Invalid prameters");
+ return CERT_SVC_ERR_INVALID_PARAMETER;
+ }
+
+ if(!ctx->fileNames || !ctx->fileNames->filename)
+ {
+ SLOGE("Can not find root certificate path");
+ return CERT_SVC_ERR_INVALID_PARAMETER;
+ }
+
+ context = cert_svc_cert_context_init();
+ if(!context)
+ {
+ SLOGE("Out of memory");
+ return CERT_SVC_ERR_MEMORY_ALLOCATION;
+ }
+
+ ret = cert_svc_load_file_to_context(context, ctx->fileNames->filename);
+ if(ret != CERT_SVC_ERR_NO_ERROR)
+ {
+ SLOGE("failed to load root certficiate");
+ cert_svc_cert_context_final(context);
+ return CERT_SVC_ERR_INVALID_CERTIFICATE;
+ }
+
+ ret = get_visibility(context, visibility);
+
+ cert_svc_cert_context_final(context);
+
+ return ret;
+}
+
+CERT_SVC_API
+int cert_svc_get_visibility_by_root_certificate(const char* base64_encoded_data, int data_len, int* visibility)
+{
+ if(!base64_encoded_data|| !data_len)
+ {
+ return CERT_SVC_ERR_INVALID_PARAMETER;
+ }
+
+ int ret = get_visibility_by_certificate(base64_encoded_data, data_len, visibility);
+ if(ret != CERT_SVC_ERR_NO_ERROR)
+ {
+ SLOGE("Failed to get_visibility :%d", ret);
+ return ret;
+ }
+ return CERT_SVC_ERR_NO_ERROR;
+}
#DB vcore
+IF(TIZEN_FEAT_PROFILE_CERT_SVC_OCSP_CRL)
PKG_CHECK_MODULES(VCORE_DB_DEP
dpl-efl
REQUIRED)
ADD_CUSTOM_TARGET(Sqlite3DbVCORE ALL DEPENDS .cert_svc_vcore.db .cert_svc_vcore.db-journal)
INSTALL(FILES ${CMAKE_CURRENT_BINARY_DIR}/cert_svc_vcore_db.sql
- DESTINATION /usr/share/cert-svc/
+ DESTINATION ${TZ_SYS_SHARE}/cert-svc/
)
-
+ENDIF()
ADD_SUBDIRECTORY(src)
secure-storage
REQUIRED)
+IF(TIZEN_FEAT_PROFILE_CERT_SVC_OCSP_CRL)
+PKG_CHECK_MODULES(VCORE_DEPS
+ dpl-db-efl
+ )
+ENDIF()
+
+IF(TIZEN_FEAT_OSP_DISABLE EQUAL 1)
+ADD_DEFINITIONS("-DTIZEN_FEATURE_OSP_DISABLE")
+ENDIF()
+
+SET(LIBCRYPTSVC_DIR
+ ${PROJECT_SOURCE_DIR}/vcore
+ )
+
+INCLUDE_DIRECTORIES(${PROJECT_SOURCE_DIR}/include)
+
SET(VCORE_DIR
${PROJECT_SOURCE_DIR}/vcore
)
SET(VCORE_SOURCES
${VCORE_SRC_DIR}/api.cpp
${VCORE_SRC_DIR}/Base64.cpp
- ${VCORE_SRC_DIR}/CachedCRL.cpp
- ${VCORE_SRC_DIR}/CachedOCSP.cpp
${VCORE_SRC_DIR}/Certificate.cpp
- ${VCORE_SRC_DIR}/CertificateCacheDAO.cpp
${VCORE_SRC_DIR}/CertificateCollection.cpp
${VCORE_SRC_DIR}/CertificateConfigReader.cpp
${VCORE_SRC_DIR}/CertificateLoader.cpp
- ${VCORE_SRC_DIR}/CertificateVerifier.cpp
${VCORE_SRC_DIR}/CertStoreType.cpp
${VCORE_SRC_DIR}/Config.cpp
- ${VCORE_SRC_DIR}/CRL.cpp
- ${VCORE_SRC_DIR}/CRLImpl.cpp
- ${VCORE_SRC_DIR}/CRLCacheDAO.cpp
${VCORE_SRC_DIR}/CryptoHash.cpp
- ${VCORE_SRC_DIR}/Database.cpp
- ${VCORE_SRC_DIR}/DeveloperModeValidator.cpp
- ${VCORE_SRC_DIR}/OCSP.cpp
- ${VCORE_SRC_DIR}/OCSPImpl.cpp
${VCORE_SRC_DIR}/OCSPCertMgrUtil.cpp
- ${VCORE_SRC_DIR}/OCSPUtil.c
${VCORE_SRC_DIR}/ReferenceValidator.cpp
${VCORE_SRC_DIR}/RevocationCheckerBase.cpp
${VCORE_SRC_DIR}/SaxReader.cpp
${VCORE_SRC_DIR}/SignatureFinder.cpp
${VCORE_SRC_DIR}/SignatureReader.cpp
- ${VCORE_SRC_DIR}/SoupMessageSendBase.cpp
- ${VCORE_SRC_DIR}/SoupMessageSendSync.cpp
- ${VCORE_SRC_DIR}/SoupMessageSendAsync.cpp
${VCORE_SRC_DIR}/TimeConversion.cpp
${VCORE_SRC_DIR}/VerificationStatus.cpp
${VCORE_SRC_DIR}/ValidatorFactories.cpp
${VCORE_SRC_DIR}/SignatureValidator.cpp
${VCORE_SRC_DIR}/XmlsecAdapter.cpp
${VCORE_SRC_DIR}/pkcs12.c
+ )
+
+IF(TIZEN_FEAT_PROFILE_CERT_SVC_OCSP_CRL)
+SET(VCORE_SOURCES
+ ${VCORE_SRC_DIR}/api.cpp
+ ${VCORE_SRC_DIR}/Base64.cpp
+ ${VCORE_SRC_DIR}/Certificate.cpp
+ ${VCORE_SRC_DIR}/CertificateCollection.cpp
+ ${VCORE_SRC_DIR}/CertificateConfigReader.cpp
+ ${VCORE_SRC_DIR}/CertificateLoader.cpp
+ ${VCORE_SRC_DIR}/CertStoreType.cpp
+ ${VCORE_SRC_DIR}/Config.cpp
+ ${VCORE_SRC_DIR}/CryptoHash.cpp
+ ${VCORE_SRC_DIR}/OCSPCertMgrUtil.cpp
+ ${VCORE_SRC_DIR}/ReferenceValidator.cpp
+ ${VCORE_SRC_DIR}/RevocationCheckerBase.cpp
+ ${VCORE_SRC_DIR}/SaxReader.cpp
+ ${VCORE_SRC_DIR}/SignatureFinder.cpp
+ ${VCORE_SRC_DIR}/SignatureReader.cpp
+ ${VCORE_SRC_DIR}/TimeConversion.cpp
+ ${VCORE_SRC_DIR}/VerificationStatus.cpp
+ ${VCORE_SRC_DIR}/ValidatorFactories.cpp
+ ${VCORE_SRC_DIR}/VCore.cpp
+ ${VCORE_SRC_DIR}/DUID.cpp
+ ${VCORE_SRC_DIR}/WrtSignatureValidator.cpp
+ ${VCORE_SRC_DIR}/SignatureValidator.cpp
+ ${VCORE_SRC_DIR}/XmlsecAdapter.cpp
+ ${VCORE_SRC_DIR}/pkcs12.c
+ ${VCORE_SRC_DIR}/CachedCRL.cpp
+ ${VCORE_SRC_DIR}/CachedOCSP.cpp
+ ${VCORE_SRC_DIR}/CertificateCacheDAO.cpp
+ ${VCORE_SRC_DIR}/CertificateVerifier.cpp
+ ${VCORE_SRC_DIR}/CRL.cpp
+ ${VCORE_SRC_DIR}/CRLImpl.cpp
+ ${VCORE_SRC_DIR}/CRLCacheDAO.cpp
+ ${VCORE_SRC_DIR}/Database.cpp
+ ${VCORE_SRC_DIR}/OCSP.cpp
+ ${VCORE_SRC_DIR}/OCSPImpl.cpp
+ ${VCORE_SRC_DIR}/SoupMessageSendBase.cpp
+ ${VCORE_SRC_DIR}/SoupMessageSendSync.cpp
+ ${VCORE_SRC_DIR}/SoupMessageSendAsync.cpp
+ ${VCORE_SRC_DIR}/OCSPUtil.c
)
+ENDIF()
SET(VCORE_INCLUDES
${VCORE_DEPS_INCLUDE_DIRS}
${VCORE_SRC_DIR}
${VCORE_DIR}/src
+IF(TIZEN_FEAT_PROFILE_CERT_SVC_OCSP_CRL)
${VCORE_DIR}/src/orm
+ENDIF()
${VCORE_DIR}/src/legacy
${CMAKE_BINARY_DIR}/vcore/src
)
ADD_DEFINITIONS("-DSEPARATED_SINGLETON_IMPLEMENTATION")
ADD_DEFINITIONS("-DDPL_LOGS_ENABLED")
ADD_DEFINITIONS("-DCERT_SVC_LOG")
+IF(TIZEN_FEAT_PROFILE_CERT_SVC_OCSP_CRL)
+ADD_DEFINITIONS("-DTIZENUCT_FEATURE_CERT_SVC_OCSP_CRL")
+ENDIF()
INCLUDE_DIRECTORIES(${VCORE_INCLUDES})
SET_TARGET_PROPERTIES(${TARGET_VCORE_LIB} PROPERTIES
SOVERSION ${SO_VERSION}
VERSION ${VERSION})
-
+IF(TIZEN_FEAT_PROFILE_CERT_SVC_OCSP_CRL)
ADD_DEPENDENCIES(${TARGET_VCORE_LIB} Sqlite3DbWTF)
+ENDIF()
+IF(TIZEN_FEAT_PROFILE_CERT_SVC_OCSP_CRL)
TARGET_LINK_LIBRARIES(${TARGET_VCORE_LIB}
${VCORE_DEPS_LIBRARIES}
${TARGET_CERT_SVC_LIB}
+ dpl-db-efl
)
-
+ELSE()
+TARGET_LINK_LIBRARIES(${TARGET_VCORE_LIB}
+ ${VCORE_DEPS_LIBRARIES}
+ ${TARGET_CERT_SVC_LIB}
+ )
+ENDIF ()
INSTALL(TARGETS ${TARGET_VCORE_LIB}
DESTINATION ${LIB_INSTALL_DIR}
)
INSTALL(FILES
${VCORE_SRC_DIR}/Base64.h
- ${VCORE_SRC_DIR}/CachedCRL.h
- ${VCORE_SRC_DIR}/CachedOCSP.h
${VCORE_SRC_DIR}/Certificate.h
${VCORE_SRC_DIR}/CertificateCollection.h
${VCORE_SRC_DIR}/CertStoreType.h
- ${VCORE_SRC_DIR}/CRL.h
- ${VCORE_SRC_DIR}/CRLCacheInterface.h
${VCORE_SRC_DIR}/CryptoHash.h
- ${VCORE_SRC_DIR}/DeveloperModeValidator.h
${VCORE_SRC_DIR}/IAbstractResponseCache.h
- ${VCORE_SRC_DIR}/OCSP.h
- ${VCORE_SRC_DIR}/OCSPCertMgrUtil.h
${VCORE_SRC_DIR}/ParserSchema.h
${VCORE_SRC_DIR}/ReferenceValidator.h
${VCORE_SRC_DIR}/SaxReader.h
DESTINATION ${INCLUDEDIR}/cert-svc/vcore
)
+IF(TIZEN_FEAT_PROFILE_CERT_SVC_OCSP_CRL)
+INSTALL(FILES
+ ${VCORE_SRC_DIR}/CachedCRL.h
+ ${VCORE_SRC_DIR}/CachedOCSP.h
+ ${VCORE_SRC_DIR}/CRL.h
+ ${VCORE_SRC_DIR}/CRLCacheInterface.h
+ ${VCORE_SRC_DIR}/OCSP.h
+ ${VCORE_SRC_DIR}/OCSPCertMgrUtil.h
+ DESTINATION ${INCLUDEDIR}/cert-svc/vcore
+ )
+ENDIF()
+
INSTALL(FILES
${VCORE_DIR}/src/cert-svc/ccert.h
- ${VCORE_DIR}/src/cert-svc/ccrl.h
${VCORE_DIR}/src/cert-svc/cinstance.h
${VCORE_DIR}/src/cert-svc/cerror.h
- ${VCORE_DIR}/src/cert-svc/cocsp.h
${VCORE_DIR}/src/cert-svc/cpkcs12.h
${VCORE_DIR}/src/cert-svc/cprimitives.h
${VCORE_DIR}/src/cert-svc/cstring.h
DESTINATION ${INCLUDEDIR}/cert-svc/cert-svc
)
-#FILE(MAKE_DIRECTORY /opt/share/cert-svc/pkcs12)
+IF(TIZEN_FEAT_PROFILE_CERT_SVC_OCSP_CRL)
+INSTALL(FILES
+ ${VCORE_DIR}/src/cert-svc/ccrl.h
+ ${VCORE_DIR}/src/cert-svc/cocsp.h
+ DESTINATION ${INCLUDEDIR}/cert-svc/cert-svc
+ )
+ENDIF()
+
+#FILE(MAKE_DIRECTORY %{TZ_SYS_SHARE}/cert-svc/pkcs12)
CERTSVC_SIGNATURE_ALGORITHM
} CertSvcCertificateField;
+typedef enum CertSvcVisibility_t {
+ CERTSVC_VISIBILITY_DEVELOPER = 1,
+ CERTSVC_VISIBILITY_TEST = 1 << 1,
+ CERTSVC_VISIBILITY_PUBLIC = 1 << 6,
+ CERTSVC_VISIBILITY_PARTNER = 1 << 7,
+ CERTSVC_VISIBILITY_PARTNER_OPERATOR = 1 << 8,
+ CERTSVC_VISIBILITY_PARTNER_MANUFACTURER = 1 << 9,
+ CERTSVC_VISIBILITY_PLATFORM = 1 << 10
+} CertSvcVisibility;
+
/**
* Read certificate from file. Certificate must be in PEM/CER/DER format.
*
* }
* certsvc_string_list_free(handler); // optional
*/
+#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
int certsvc_certificate_get_crl_distribution_points(CertSvcCertificate certificate,
CertSvcStringList *handler);
+#endif
/**
* Sort certificates chain. This fuction modifies certificate_array.
int untrustedSize,
int *status);
+/**
+ * This function will create full chain and verify in.
+ * And this function checks the CA Flag strictly.
+ *
+ * First argument of function will be treatet as endentity certificate.
+ *
+ * This function will success if root CA certificate is stored in
+ * trusted array.
+ *
+ * @param[in] certificate Certificate to verify.
+ * @param[in] trusted Array with trusted certificates.
+ * @param[in] trustedSize Number of trusted certificates in array.
+ * @param[in] untrusted Array with untrusted certificates.
+ * @param[in] untrustedSize Number of untrusted certificate in array.
+ * @param[out] status Will be set only if function return CERTSVC_SUCCESS.
+ * It could be set to: CERTSVC_SUCCESS, CERTSVC_FAIL
+ * @return CERTSVC_SUCCESS, CERTSVC_FAIL, CERTSVC_WRONG_ARGUMENT
+ */
+int certsvc_certificate_verify_with_caflag(
+ CertSvcCertificate certificate,
+ CertSvcCertificate *trusted,
+ int trustedSize,
+ CertSvcCertificate *untrusted,
+ int untrustedSize,
+ int *status);
+
+/**
+ * This function returns visibility of input certificate.
+ *
+ * @param[in] The root certificate to check visibility.
+ * @param[out] Visibility level
+ * @return CERTSVC_SUCCESS, CERTSVC_FAIL, CERTSVC_IO_ERROR
+ *
+ */
+int certsvc_certificate_get_visibility(CertSvcCertificate certificate, int* visibility);
+
#ifdef __cplusplus
}
#endif
#define CERTSVC_OCSP_UNKNOWN (1<<2)
#define CERTSVC_OCSP_VERIFICATION_ERROR (1<<3)
#define CERTSVC_OCSP_NO_SUPPORT (1<<4)
-#define CERTSVC_OCSP_ERROR (1<<5)
-
+#define CERTSVC_OCSP_CONNECTION_FAILED (1<<5)
+#define CERTSVC_OCSP_ERROR (1<<6)
/**
* Implementation of ocsp call.
*
#include <string>
#include <dpl/exception.h>
-#include <dpl/shared_ptr.h>
#include <dpl/noncopyable.h>
#include <dpl/log/log.h>
#include <dpl/log/log.h>
#include <dpl/assert.h>
#include <dpl/exception.h>
-#include <dpl/scoped_ptr.h>
-#include <dpl/scoped_array.h>
#include <dpl/db/orm.h>
#include <dpl/foreach.h>
#include <tzplatform_config.h>
namespace {
-const char *CRL_LOOKUP_DIR_1 = "/usr/share/cert-svc/ca-certs/code-signing/wac";
+const char *CRL_LOOKUP_DIR_1 = tzplatform_mkpath(TZ_SYS_SHARE, "cert-svc/ca-certs/code-signing/wac");
const char *CRL_LOOKUP_DIR_2 = tzplatform_mkpath(TZ_SYS_SHARE, "cert-svc/certs/code-signing/wac");
} //anonymous namespace
}
std::string crlBody = decoder.get();
- DPL::ScopedArray<char> bodyBuffer(new char[crlBody.length()]);
- crlBody.copy(bodyBuffer.Get(), crlBody.length());
- return CRLDataPtr(new CRLData(bodyBuffer.Release(), crlBody.length(),
+ std::unique_ptr<char[]> bodyBuffer(new char[crlBody.length()]);
+ crlBody.copy(bodyBuffer.get(), crlBody.length());
+ return CRLDataPtr(new CRLData(bodyBuffer.release(), crlBody.length(),
uri));
}
#define _VALIDATION_CORE_ENGINE_CRLIMPL_H_
#include <dpl/exception.h>
-#include <dpl/shared_ptr.h>
+#include <memory>
#include <dpl/noncopyable.h>
#include <dpl/log/log.h>
delete[] buffer;
}
};
- typedef DPL::SharedPtr<CRLData> CRLDataPtr;
+ typedef std::shared_ptr<CRLData> CRLDataPtr;
CRLDataPtr getCRL(const std::string &uri) const;
CRLDataPtr downloadCRL(const std::string &uri);
OCSP ocsp;
ocsp.setTrustedStore(certs.getCertificateList());
- const char *defResponderURI = getenv(OCSPImpl::DEFAULT_RESPONDER_URI_ENV);
-
- if (defResponderURI) {
- ocsp.setUseDefaultResponder(true);
- ocsp.setDefaultResponder(defResponderURI);
- }
-
VerificationStatusSet statusSet = ocsp.validateCertificateList(clst);
db_status.ocsp_status = statusSet.convertToStatus();
db_status.next_update_time = ocsp.getResponseValidity();
Set::Set()
: m_certificateStorage(0)
+ #ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
+ , m_ocspUrl(NULL)
+ #endif
{}
void Set::add(Type second) {
m_certificateStorage |= second;
}
+#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
+void Set::add(std::string ocspUrl) {
+
+ if (strlen(ocspUrl.c_str()) == 0)
+ {
+ return;
+ }
+
+ m_ocspUrl = new char[ocspUrl.size() + 1];
+ if (m_ocspUrl != NULL) {
+ strncpy(m_ocspUrl, ocspUrl.c_str(), ocspUrl.size() + 1);
+ }
+}
+#endif
+
bool Set::contains(Type second) const {
return static_cast<bool>(m_certificateStorage & second);
}
return m_certificateStorage == 0;
}
+#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
+char* Set::getOcspUrl() {
+ return m_ocspUrl;
+}
+#endif
+
} // namespace CertStoreId
} // namespace ValidationCore
#ifndef _VALIDATION_CORE_CERTSTORETYPE_H_
#define _VALIDATION_CORE_CERTSTORETYPE_H_
+#include <string.h>
+#include <boost/optional.hpp>
+
namespace ValidationCore {
namespace CertStoreId {
typedef unsigned int Type;
const Type TIZEN_DEVELOPER = 1;
// RootCA certificates for author signatures.
const Type TIZEN_TEST = 1 << 1;
-
+const Type TIZEN_VERIFY = 1 << 2;
// RootCA's visibility level : public
const Type VIS_PUBLIC = 1 << 6;
// RootCA's visibility level : partner
void add(Type second);
- bool contains(Type second) const;
+ #ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
+ void add(std::string ocspUrl);
+ char* getOcspUrl();
+ #endif
+ bool contains(Type second) const;
bool isEmpty() const;
private:
Type m_certificateStorage;
+ #ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
+ char* m_ocspUrl;
+ #endif
};
} // namespace CertStoreId
Base64Decoder base64;
base64.reset();
base64.append(der);
- base64.finalize();
+ if (!base64.finalize()) {
+ LogWarning("Error during decoding");
+ }
tmp = base64.get();
ptr = reinterpret_cast<const unsigned char*>(tmp.c_str());
size = static_cast<int>(tmp.size());
Certificate::Fingerprint Certificate::getFingerprint(
Certificate::FingerprintType type) const
{
- unsigned int fingerprintlength = EVP_MAX_MD_SIZE; //EVP_MAX_MD_SIZE is smaller than 2^64
+ size_t fingerprintlength = EVP_MAX_MD_SIZE;
unsigned char fingerprint[EVP_MAX_MD_SIZE];
Fingerprint raw;
return DPL::FromUTF8String(buffer);
}
-DPL::OptionalString Certificate::getField(FieldType type,
+boost::optional<DPL::String> Certificate::getField(FieldType type,
int fieldNid) const
{
X509_NAME *subjectName = getX509Name(type);
X509_NAME_ENTRY *subjectEntry = NULL;
- DPL::Optional < DPL::String > output;
+ boost::optional < DPL::String > output;
int entryCount = X509_NAME_entry_count(subjectName);
for (int i = 0; i < entryCount; ++i) {
return output;
}
-DPL::OptionalString Certificate::getCommonName(FieldType type) const
+boost::optional<DPL::String> Certificate::getCommonName(FieldType type) const
{
return getField(type, NID_commonName);
}
-DPL::OptionalString Certificate::getCountryName(FieldType type) const
+boost::optional<DPL::String> Certificate::getCountryName(FieldType type) const
{
return getField(type, NID_countryName);
}
-DPL::OptionalString Certificate::getStateOrProvinceName(FieldType type) const
+boost::optional<DPL::String> Certificate::getStateOrProvinceName(FieldType type) const
{
return getField(type, NID_stateOrProvinceName);
}
-DPL::OptionalString Certificate::getLocalityName(FieldType type) const
+boost::optional<DPL::String> Certificate::getLocalityName(FieldType type) const
{
return getField(type, NID_localityName);
}
-DPL::OptionalString Certificate::getOrganizationName(FieldType type) const
+boost::optional<DPL::String> Certificate::getOrganizationName(FieldType type) const
{
return getField(type, NID_organizationName);
}
-DPL::OptionalString Certificate::getOrganizationalUnitName(FieldType type) const
+boost::optional<DPL::String> Certificate::getOrganizationalUnitName(FieldType type) const
{
return getField(type, NID_organizationalUnitName);
}
-DPL::OptionalString Certificate::getEmailAddres(FieldType type) const
+boost::optional<DPL::String> Certificate::getEmailAddres(FieldType type) const
{
return getField(type, NID_pkcs9_emailAddress);
}
-DPL::OptionalString Certificate::getOCSPURL() const
+boost::optional<DPL::String> Certificate::getOCSPURL() const
{
// TODO verify this code
- DPL::OptionalString retValue;
+ boost::optional<DPL::String> retValue;
AUTHORITY_INFO_ACCESS *aia = static_cast<AUTHORITY_INFO_ACCESS*>(
X509_get_ext_d2i(m_x509,
NID_info_access,
ad->location->type == GEN_URI)
{
void* data = ASN1_STRING_data(ad->location->d.ia5);
- retValue = DPL::OptionalString(DPL::FromUTF8String(
+ retValue = boost::optional<DPL::String>(DPL::FromUTF8String(
static_cast<char*>(data)));
break;
return retValue;
}
+
+
Certificate::AltNameSet Certificate::getAlternativeNameDNS() const
{
AltNameSet set;
bool Certificate::isRootCert()
{
// based on that root certificate has the same subject as issuer name
- return isSignedBy(this->SharedFromThis());
+ return isSignedBy(this->shared_from_this());
}
+#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
std::list<std::string>
Certificate::getCrlUris() const
{
sk_DIST_POINT_pop_free(distPoints, DIST_POINT_free);
return result;
}
+#endif
long Certificate::getVersion() const
{
#include <dpl/exception.h>
#include <dpl/noncopyable.h>
-#include <dpl/shared_ptr.h>
-#include <dpl/enable_shared_from_this.h>
-#include <dpl/optional.h>
-#include <dpl/optional_typedefs.h>
+#include <memory>
#include <dpl/string.h>
+#include <boost/optional.hpp>
+
#include <openssl/x509.h>
class Certificate;
-typedef DPL::SharedPtr<Certificate> CertificatePtr;
+typedef std::shared_ptr<Certificate> CertificatePtr;
typedef std::list<CertificatePtr> CertificateList;
-class Certificate : public DPL::EnableSharedFromThis<Certificate>
+class Certificate : public std::enable_shared_from_this<Certificate>
{
public:
typedef std::vector<unsigned char> Fingerprint;
// getName uses deprecated functions. Usage is strongly discouraged.
DPL::String getOneLine(FieldType type = FIELD_SUBJECT) const;
- DPL::OptionalString getCommonName(FieldType type = FIELD_SUBJECT) const;
- DPL::OptionalString getCountryName(FieldType type = FIELD_SUBJECT) const;
- DPL::OptionalString getStateOrProvinceName(
+
+ boost::optional<DPL::String> getCommonName(FieldType type = FIELD_SUBJECT) const;
+ boost::optional<DPL::String> getCountryName(FieldType type = FIELD_SUBJECT) const;
+ boost::optional<DPL::String> getStateOrProvinceName(
FieldType type = FIELD_SUBJECT) const;
- DPL::OptionalString getLocalityName(FieldType type = FIELD_SUBJECT) const;
- DPL::OptionalString getOrganizationName(
+ boost::optional<DPL::String> getLocalityName(FieldType type = FIELD_SUBJECT) const;
+ boost::optional<DPL::String> getOrganizationName(
FieldType type = FIELD_SUBJECT) const;
- DPL::OptionalString getOrganizationalUnitName(
+ boost::optional<DPL::String> getOrganizationalUnitName(
FieldType type = FIELD_SUBJECT) const;
- DPL::OptionalString getEmailAddres(FieldType type = FIELD_SUBJECT) const;
- DPL::OptionalString getOCSPURL() const;
+ boost::optional<DPL::String> getEmailAddres(FieldType type = FIELD_SUBJECT) const;
+ boost::optional<DPL::String> getOCSPURL() const;
+
// Openssl supports 9 types of alternative name filed.
// 4 of them are "string similar" types so it is possible
protected:
X509_NAME *getX509Name(FieldType type) const;
- DPL::OptionalString getField(FieldType type,
+ boost::optional<DPL::String> getField(FieldType type,
int fieldNid) const;
X509 *m_x509;
{
char buffer[sizeof(int)];
memcpy(buffer, &data, sizeof(int));
- return std::string(buffer, buffer + sizeof(int));
+ return std::string(buffer, sizeof(int));
}
} // namespace
const std::string TOKEN_FINGERPRINT_SHA1 = "FingerprintSHA1";
const std::string TOKEN_ATTR_NAME = "name";
+#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
+const std::string TOKEN_ATTR_URL_NAME = "ocspUrl";
+#endif
const std::string TOKEN_VALUE_TIZEN_DEVELOPER = "tizen-developer";
const std::string TOKEN_VALUE_TIZEN_TEST = "tizen-test";
+const std::string TOKEN_VALUE_TIZEN_VERIFY = "tizen-verify";
const std::string TOKEN_VALUE_VISIBILITY_PUBLIC = "tizen-public";
const std::string TOKEN_VALUE_VISIBILITY_PARTNER = "tizen-partner";
const std::string TOKEN_VALUE_VISIBILITY_PARTNER_OPERATOR = "tizen-partner-operator";
void CertificateConfigReader::tokenCertificateDomain(CertificateIdentifier &)
{
std::string name = m_parserSchema.getReader().
- attribute(TOKEN_ATTR_NAME, SaxReader::THROW_DISABLE);
+ attribute(TOKEN_ATTR_NAME, SaxReader::THROW_DISABLE);
if (name.empty()) {
LogWarning("Invalid fingerprint file. Domain name is mandatory");
m_certificateDomain = CertStoreId::TIZEN_DEVELOPER;
} else if (name == TOKEN_VALUE_TIZEN_TEST) {
m_certificateDomain = CertStoreId::TIZEN_TEST;
+ } else if (name == TOKEN_VALUE_TIZEN_VERIFY) {
+ m_certificateDomain = CertStoreId::TIZEN_VERIFY;
} else if (name == TOKEN_VALUE_VISIBILITY_PUBLIC) {
m_certificateDomain = CertStoreId::VIS_PUBLIC;
} else if (name == TOKEN_VALUE_VISIBILITY_PARTNER) {
void CertificateConfigReader::tokenEndFingerprintSHA1(
CertificateIdentifier &identificator)
{
+ #ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
+ std::string url = m_parserSchema.getReader().attribute(TOKEN_ATTR_URL_NAME, SaxReader::THROW_DISABLE);
+ #endif
+
std::string text = m_parserSchema.getText();
text += ":"; // add guard at the end of fingerprint
Certificate::Fingerprint fingerprint;
Assert(0 && "Unussported fingerprint format in xml file.");
}
}
+
identificator.add(fingerprint, m_certificateDomain);
+ #ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
+ identificator.add(fingerprint, url);
+ #endif
}
} // namespace ValidationCore
_WRT_ENGINE_SRC_INSTALLER_CORE_VALIDATION_CORE_CERTIFICATEIDENTIFICATOR_H_
#include <map>
-
#include <dpl/noncopyable.h>
#include "Certificate.h"
namespace ValidationCore {
class CertificateIdentifier : public DPL::Noncopyable
{
- public:
+public:
typedef std::map<Certificate::Fingerprint, CertStoreId::Set> FingerPrintMap;
CertificateIdentifier()
fingerPrintMap[fingerprint].add(domain);
}
+ #ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
+ void add(const Certificate::Fingerprint &fingerprint,
+ std::string ocspUrl)
+ {
+ fingerPrintMap[fingerprint].add(ocspUrl);
+ }
+ #endif
+
CertStoreId::Set find(const Certificate::Fingerprint &fingerprint) const
{
FingerPrintMap::const_iterator iter = fingerPrintMap.find(fingerprint);
#include <vcore/Base64.h>
#include <vcore/CertificateLoader.h>
+#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
#include <vcore/SSLContainers.h>
+#endif
namespace {
const int MIN_RSA_KEY_LENGTH = 1024;
#include <vcore/OCSPCertMgrUtil.h>
#include <vcore/SSLContainers.h>
+#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
+#include <openssl/ocsp.h>
+#endif
#include <openssl/pem.h>
-#include <openssl/ocsp.h>
#include <openssl/x509.h>
#include <dpl/log/log.h>
#include <dpl/scoped_resource.h>
CertificatePtr getParentFromStore(const CertificatePtr &certificate)
{
- Assert(certificate.Get());
+ Assert(certificate.get());
X509* rawPtr = certificate->getX509();
/* TODO Add getIssuerName function to Certificate.h */
if (rawTemp == NULL) {
return CertificatePtr();
}
-
SSLSmartContainer<X509> scope(rawTemp);
return CertificatePtr(new Certificate(rawTemp));
}
return result;
}
CertificatePtr parent = getParentFromStore(last);
- if (parent.Get()) {
+ if (parent.get()) {
result.push_back(parent);
}
return result;
* @author Michal Ciepielski(m.ciepielski@samsung.com)
* @author Piotr Marcinkiewicz(p.marcinkiew@samsung.com)
* @version 0.4
- * @file OCPS.cpp
+ * @file OCSP.cpp
* @brief Routines for certificate validation over OCSP
*/
#include <vcore/Certificate.h>
#include <vcore/SoupMessageSendSync.h>
+#include <vcore/ValidatorFactories.h>
extern "C" {
// This function is needed to fix "Invalid conversion from void*
// to unsigned char*" C++ compiler error during calling
// i2d_OCSP_REQUEST_bio macro
- extern bool convertToBuffer(OCSP_REQUEST* req,
- char** buf,
- int* size);
+extern bool convertToBuffer(OCSP_REQUEST* req,
+ char** buf,
+ int* size);
}
namespace {
ValidationCore::VerificationStatusSet OCSPImpl::validateCertificateList(
const CertificateList &certs)
{
- VerificationStatusSet statusSet;
+ VerificationStatusSet statusSet;
if (certs.size() < 2) {
// no certificates to verify, just return a error
return statusSet;
}
- CertificateList::const_iterator iter = certs.begin();
+ CertificatePtr root = certs.back();
+ CertStoreId::Set storedSetId = createCertificateIdentifier().find(root);
+ char* ocspUrl = storedSetId.getOcspUrl();
+
+ if (ocspUrl != NULL)
+ {
+ setUseDefaultResponder(true);
+ setDefaultResponder(ocspUrl);
+ }
+
+ CertificateList::const_iterator iter = certs.begin();
CertificateList::const_iterator parent = iter;
time_t minValidity = 0;
}
m_responseValidity = minValidity;
- return statusSet;
+ return statusSet;
}
VerificationStatus OCSPImpl::checkEndEntity(
- const CertificateCollection &chain)
+ const CertificateCollection &chain)
{
- const char *defResponderURI = getenv(OCSPImpl::DEFAULT_RESPONDER_URI_ENV);
-
- VerificationStatusSet verSet;
- if (defResponderURI) {
- setUseDefaultResponder(true);
- setDefaultResponder(defResponderURI);
- }
+ // this is temporary fix. it must be rewriten
+ VerificationStatusSet verSet;
- // this is temporary fix. it must be rewriten
- CertificateList clst;
+ CertificateList clst;
if (chain.isChain() && chain.size() >= 2) {
CertificateList::const_iterator icert = chain.begin();
clst.push_back(*icert);
}
verSet += validateCertificateList(clst);
- return verSet.convertToStatus();
+ return verSet.convertToStatus();
}
VerificationStatus OCSPImpl::validateCertificate(CertificatePtr argCert,
#include <dpl/assert.h>
#include <dpl/exception.h>
-#include <dpl/optional_typedefs.h>
+#include <boost/optional.hpp>
+
#include <vcore/scoped_gpointer.h>
#include <vcore/OCSPCertMgrUtil.h>
typedef std::pair<char*, size_t> HttpResponseBuffer;
SoupWrapper::SoupMessageSendBase::RequestStatus sendOcspRequest(
- OCSP_REQUEST* argRequest,
- const DPL::OptionalString& argUri);
+ OCSP_REQUEST* argRequest,
+ const boost::optional<DPL::String>& argUri);
+
+
//! Validates a single certificate
/*!
* This function is needed to fix "Invalid conversion from void* to unsigned char*"
* C++ compiler error during calling i2d_OCSP_REQUEST_bio macro
*/
+int convertToBuffer(OCSP_REQUEST *req, char **buf, int *size);
+
int convertToBuffer(OCSP_REQUEST *req, char **buf, int *size) {
BIO *req_mem_bio;
BUF_MEM req_bmem;
* @brief Implementatin of tizen signature validation protocol.
*/
#include <vcore/SignatureValidator.h>
-
+#include <vcore/CertificateCollection.h>
#include <dpl/log/log.h>
-
+#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
#include <vcore/CertificateVerifier.h>
+#endif
#include <vcore/Certificate.h>
#include <vcore/OCSPCertMgrUtil.h>
#include <vcore/ReferenceValidator.h>
const std::string TOKEN_PROFILE_URI =
"http://www.w3.org/ns/widgets-digsig#profile";
-const char* TIZEN_STORE_CN = "Tizen Store";
+//const char* TIZEN_STORE_CN = "Tizen Store"; //un-used variable
} // namespace anonymouse
{
t.tm_year = (str[i++] - '0') * 10 + (str[++i] - '0');
if (t.tm_year < 70)
- t.tm_year += 100;
+ t.tm_year += 100;
}
else if (time->type == V_ASN1_GENERALIZEDTIME) /* four digit year */
{
explicit ImplSignatureValidator(bool ocspEnable,
bool crlEnable,
bool complianceMode)
- : m_ocspEnable(ocspEnable)
+ : m_complianceModeEnabled(complianceMode)
+ #ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
+ , m_ocspEnable(ocspEnable)
, m_crlEnable(crlEnable)
- , m_complianceModeEnabled(complianceMode)
+ #endif
{}
virtual ~ImplSignatureValidator(){ }
return true;
}
protected:
+ bool m_complianceModeEnabled;
+#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
bool m_ocspEnable;
bool m_crlEnable;
- bool m_complianceModeEnabled;
+#endif
};
class ImplTizenSignatureValidator : public SignatureValidator::ImplSignatureValidator
<< storeIdSet.contains(CertStoreId::TIZEN_DEVELOPER));
LogDebug("Is root certificate from TIZEN_TEST domain: "
<< storeIdSet.contains(CertStoreId::TIZEN_TEST));
+ LogDebug("Is root certificate from TIZEN_VERIFY domain: "
+ << storeIdSet.contains(CertStoreId::TIZEN_VERIFY));
LogDebug("Is root certificate from TIZEN_PUBLIC domain: "
<< storeIdSet.contains(CertStoreId::VIS_PUBLIC));
LogDebug("Is root certificate from TIZEN_PARTNER domain: "
}
else
{
- LogDebug("signaturefile name = " << data.getSignatureFileName().c_str());
+LogDebug("signaturefile name = " << data.getSignatureFileName().c_str());
+ //Additional Check for certificate registration
+
if (data.getSignatureNumber() == 1)
{
if (storeIdSet.contains(CertStoreId::VIS_PUBLIC) || storeIdSet.contains(CertStoreId::VIS_PARTNER) || storeIdSet.contains(CertStoreId::VIS_PLATFORM))
}
else
{
- LogWarning("author-signature.xml has got unrecognized Root CA "
+ LogWarning("signature1.xml has got unrecognized Root CA "
"certificate. Signature will be disregarded.");
disregard = true;
}
data.setStorageType(storeIdSet);
data.setSortedCertificateList(sortedCertificateList);
+ // We add only Root CA certificate because WAC ensure that the rest
+ // of certificates are present in signature files ;-)
XmlSec::XmlSecContext context;
context.signatureFile = data.getSignatureFileName();
context.certificatePtr = root;
- if (!(root->isSignedBy(root))) {
- LogWarning("Root CA certificate not found. Chain is incomplete.");
+ // Now we should have full certificate chain.
+ // If the end certificate is not ROOT CA we should disregard signature
+ // but still signature must be valid... Aaaaaa it's so stupid...
+ if (!(root->isSignedBy(root))) {
+ LogWarning("Root CA certificate not found. Chain is incomplete.");
// context.allowBrokenChain = true;
}
ASN1_TIME* notBeforeTime = data.getEndEntityCertificatePtr()->getNotBeforeTime();
if (X509_cmp_time(notBeforeTime, &nowTime) > 0 || X509_cmp_time(notAfterTime, &nowTime) < 0)
- {
- struct tm *t;
- struct tm ta;
- char msg[1024];
-
- t = localtime(&nowTime);
-
- sprintf(msg, "Year: %d, month: %d, day : %d", t->tm_year + 1900, t->tm_mon + 1,t->tm_mday );
- LogDebug("## System's current Year : " << msg);
- fprintf(stderr, "## System's current Year : %s\n", msg);
-
- ta = _ASN1_GetTimeT(notBeforeTime);
- sprintf(msg, "Year: %d, month: %d, day : %d", ta.tm_year + 1900, ta.tm_mon + 1,ta.tm_mday );
- LogDebug("## certificate's notBefore Year : " << msg);
- fprintf(stderr, "## certificate's notAfterTime Year : %s\n", msg);
-
- ta = _ASN1_GetTimeT(notAfterTime);
- sprintf(msg, "Year: %d, month: %d, day : %d", ta.tm_year + 1900, ta.tm_mon + 1,ta.tm_mday );
- LogDebug("## certificate's notAfterTime Year : " << msg);
- fprintf(stderr, "## certificate's notAfterTime Year : %s\n", msg);
-
- return SignatureValidator::SIGNATURE_INVALID;
- }
+ {
+ struct tm *t;
+ struct tm ta, tb, tc;
+ char msg[1024];
+
+ t = localtime(&nowTime);
+
+ memset(&tc, 0, sizeof(tc));
+
+ snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", t->tm_year + 1900, t->tm_mon + 1,t->tm_mday );
+ LogDebug("## System's currentTime : " << msg);
+ fprintf(stderr, "## System's currentTime : %s\n", msg);
+
+ tb = _ASN1_GetTimeT(notBeforeTime);
+ snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", tb.tm_year + 1900, tb.tm_mon + 1,tb.tm_mday );
+ LogDebug("## certificate's notBeforeTime : " << msg);
+ fprintf(stderr, "## certificate's notBeforeTime : %s\n", msg);
+
+ ta = _ASN1_GetTimeT(notAfterTime);
+ snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", ta.tm_year + 1900, ta.tm_mon + 1,ta.tm_mday );
+ LogDebug("## certificate's notAfterTime : " << msg);
+ fprintf(stderr, "## certificate's notAfterTime : %s\n", msg);
+
+ if (storeIdSet.contains(CertStoreId::TIZEN_VERIFY))
+ {
+ LogDebug("## TIZEN_VERIFY : check certificate Time : FALSE");
+ fprintf(stderr, "## TIZEN_VERIFY : check certificate Time : FALSE\n");
+ return SignatureValidator::SIGNATURE_INVALID;
+ }
+
+ int year = (ta.tm_year - tb.tm_year) / 4;
+
+ if(year == 0)
+ {
+ tc.tm_year = tb.tm_year;
+ tc.tm_mon = tb.tm_mon + 1;
+ tc.tm_mday = tb.tm_mday;
+
+ if(tc.tm_mon == 12)
+ {
+ tc.tm_year = ta.tm_year;
+ tc.tm_mon = ta.tm_mon - 1;
+ tc.tm_mday = ta.tm_mday;
+
+ if(tc.tm_mon < 0)
+ {
+ tc.tm_year = ta.tm_year;
+ tc.tm_mon = ta.tm_mon;
+ tc.tm_mday = ta.tm_mday -1;
+
+ if(tc.tm_mday == 0)
+ {
+ tc.tm_year = tb.tm_year;
+ tc.tm_mon = tb.tm_mon;
+ tc.tm_mday = tb.tm_mday +1;
+ }
+ }
+ }
+ }
+ else{
+ tc.tm_year = tb.tm_year + year;
+ tc.tm_mon = (tb.tm_mon + ta.tm_mon )/2;
+ tc.tm_mday = (tb.tm_mday + ta.tm_mday)/2;
+ }
+
+ snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", tc.tm_year + 1900, tc.tm_mon + 1,tc.tm_mday );
+ LogDebug("## cmp cert with validation time : " << msg);
+ fprintf(stderr, "## cmp cert with validation time : %s\n", msg);
+
+ time_t outCurrent = mktime(&tc);
+ context.validationTime = outCurrent;
+ fprintf(stderr, "## cmp outCurrent time : %ld\n", outCurrent);
+ //return SignatureValidator::SIGNATURE_INVALID;
+ }
#endif
// WAC 2.0 SP-2066 The wrt must not block widget installation
}
*/
+#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
// It is good time to do OCSP check
// ocspCheck will throw an exception on any error.
// TODO Probably we should catch this exception and add
if (result == VERIFICATION_STATUS_UNKNOWN ||
result == VERIFICATION_STATUS_ERROR)
{
+ #ifdef _OCSP_POLICY_DISREGARD_UNKNOWN_OR_ERROR_CERTS_
disregard = true;
+ #endif
}
}
+#endif
if (disregard) {
LogWarning("Signature is disregard. RootCA is not a member of Tizen.");
<< storeIdSet.contains(CertStoreId::TIZEN_DEVELOPER));
LogDebug("Is root certificate from TIZEN_TEST domain: "
<< storeIdSet.contains(CertStoreId::TIZEN_TEST));
+ LogDebug("Is root certificate from TIZEN_VERIFY domain: "
+ << storeIdSet.contains(CertStoreId::TIZEN_VERIFY));
LogDebug("Is root certificate from TIZEN_PUBLIC domain: "
<< storeIdSet.contains(CertStoreId::VIS_PUBLIC));
LogDebug("Is root certificate from TIZEN_PARTNER domain: "
}
else
{
- LogDebug("signaturefile name = " << data.getSignatureFileName().c_str());
+ LogDebug("signaturefile name = " << data.getSignatureFileName().c_str());
+ //Additional Check for certificate registration
+
if (data.getSignatureNumber() == 1)
{
if (storeIdSet.contains(CertStoreId::VIS_PUBLIC) || storeIdSet.contains(CertStoreId::VIS_PARTNER) || storeIdSet.contains(CertStoreId::VIS_PLATFORM))
}
else
{
- LogWarning("author-signature.xml has got unrecognized Root CA "
+ LogWarning("signature1.xml has got unrecognized Root CA "
"certificate. Signature will be disregarded.");
disregard = true;
}
ASN1_TIME* notAfterTime = data.getEndEntityCertificatePtr()->getNotAfterTime();
ASN1_TIME* notBeforeTime = data.getEndEntityCertificatePtr()->getNotBeforeTime();
-
+
if (X509_cmp_time(notBeforeTime, &nowTime) > 0 || X509_cmp_time(notAfterTime, &nowTime) < 0)
{
- struct tm *t;
- struct tm ta;
- char msg[1024];
-
- t = localtime(&nowTime);
-
- sprintf(msg, "Year: %d, month: %d, day : %d", t->tm_year + 1900, t->tm_mon + 1,t->tm_mday );
- LogDebug("## System's current Year : " << msg);
- fprintf(stderr, "## System's current Year : %s\n", msg);
-
- ta = _ASN1_GetTimeT(notBeforeTime);
- sprintf(msg, "Year: %d, month: %d, day : %d", ta.tm_year + 1900, ta.tm_mon + 1,ta.tm_mday );
- LogDebug("## certificate's notBefore Year : " << msg);
- fprintf(stderr, "## certificate's notAfterTime Year : %s\n", msg);
-
- ta = _ASN1_GetTimeT(notAfterTime);
- sprintf(msg, "Year: %d, month: %d, day : %d", ta.tm_year + 1900, ta.tm_mon + 1,ta.tm_mday );
- LogDebug("## certificate's notAfterTime Year : " << msg);
- fprintf(stderr, "## certificate's notAfterTime Year : %s\n", msg);
-
- return SignatureValidator::SIGNATURE_INVALID;
- }
+ struct tm *t;
+ struct tm ta, tb, tc;
+ char msg[1024];
+
+ t = localtime(&nowTime);
+
+ memset(&tc, 0, sizeof(tc));
+
+ snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", t->tm_year + 1900, t->tm_mon + 1,t->tm_mday );
+ LogDebug("## System's currentTime : " << msg);
+ fprintf(stderr, "## System's currentTime : %s\n", msg);
+
+ tb = _ASN1_GetTimeT(notBeforeTime);
+ snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", tb.tm_year + 1900, tb.tm_mon + 1,tb.tm_mday );
+ LogDebug("## certificate's notBeforeTime : " << msg);
+ fprintf(stderr, "## certificate's notBeforeTime : %s\n", msg);
+
+ ta = _ASN1_GetTimeT(notAfterTime);
+ snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", ta.tm_year + 1900, ta.tm_mon + 1,ta.tm_mday );
+ LogDebug("## certificate's notAfterTime : " << msg);
+ fprintf(stderr, "## certificate's notAfterTime : %s\n", msg);
+
+ if (storeIdSet.contains(CertStoreId::TIZEN_VERIFY))
+ {
+ LogDebug("## TIZEN_VERIFY : check certificate Time : FALSE");
+ fprintf(stderr, "## TIZEN_VERIFY : check certificate Time : FALSE\n");
+ return SignatureValidator::SIGNATURE_INVALID;
+ }
+
+ int year = (ta.tm_year - tb.tm_year) / 4;
+ tc.tm_year = tb.tm_year + year;
+ tc.tm_mon = (tb.tm_mon + ta.tm_mon )/2;
+ tc.tm_mday = (tb.tm_mday + ta.tm_mday)/2;
+
+ snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", tc.tm_year + 1900, tc.tm_mon + 1,tc.tm_mday );
+ LogDebug("## cmp cert with validation time : " << msg);
+ fprintf(stderr, "## cmp cert with validation time : %s\n", msg);
+
+ time_t outCurrent = mktime(&tc);
+ context.validationTime = outCurrent;
+ //return SignatureValidator::SIGNATURE_INVALID;
+ }
#endif
data.setReference(context.referenceSet);
//if (!checkObjectReferences(data)) {
// return SignatureValidator::SIGNATURE_INVALID;
- //}
+ // }
/*
ReferenceValidator fileValidator(widgetContentPath);
}
*/
+#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
// It is good time to do OCSP check
// ocspCheck will throw an exception on any error.
// TODO Probably we should catch this exception and add
if (result == VERIFICATION_STATUS_UNKNOWN ||
result == VERIFICATION_STATUS_ERROR)
{
+ #ifdef _OCSP_POLICY_DISREGARD_UNKNOWN_OR_ERROR_CERTS_
disregard = true;
+ #endif
}
}
+#endif
if (disregard) {
LogWarning("Signature is disregard. RootCA is not a member of Tizen.");
<< storeIdSet.contains(CertStoreId::TIZEN_DEVELOPER));
LogDebug("Is root certificate from TIZEN_TEST domain: "
<< storeIdSet.contains(CertStoreId::TIZEN_TEST));
+ LogDebug("Is root certificate from TIZEN_VERIFY domain: "
+ << storeIdSet.contains(CertStoreId::TIZEN_VERIFY));
LogDebug("Is root certificate from TIZEN_PUBLIC domain: "
<< storeIdSet.contains(CertStoreId::VIS_PUBLIC));
LogDebug("Is root certificate from TIZEN_PARTNER domain: "
LogDebug("Root CA for author signature is correct.");
} else {
LogDebug("signaturefile name = " << data.getSignatureFileName().c_str());
+
+ //Additional Check for certificate registration
+
if (data.getSignatureNumber() == 1)
{
if (storeIdSet.contains(CertStoreId::VIS_PUBLIC) || storeIdSet.contains(CertStoreId::VIS_PARTNER) || storeIdSet.contains(CertStoreId::VIS_PLATFORM))
}
else
{
- LogWarning("author-signature.xml has got unrecognized Root CA "
+ LogWarning("signature1.xml has got unrecognized Root CA "
"certificate. Signature will be disregarded.");
disregard = true;
}
ASN1_TIME* notAfterTime = data.getEndEntityCertificatePtr()->getNotAfterTime();
ASN1_TIME* notBeforeTime = data.getEndEntityCertificatePtr()->getNotBeforeTime();
-
- if (X509_cmp_time(notBeforeTime, &nowTime) > 0 || X509_cmp_time(notAfterTime, &nowTime) < 0)
+ if (X509_cmp_time(notBeforeTime, &nowTime) > 0 || X509_cmp_time(notAfterTime, &nowTime) < 0)
{
- struct tm *t;
- struct tm ta;
- char msg[1024];
-
- t = localtime(&nowTime);
-
- sprintf(msg, "Year: %d, month: %d, day : %d", t->tm_year + 1900, t->tm_mon + 1,t->tm_mday );
- LogDebug("## System's current Year : " << msg);
- fprintf(stderr, "## System's current Year : %s\n", msg);
-
- ta = _ASN1_GetTimeT(notBeforeTime);
- sprintf(msg, "Year: %d, month: %d, day : %d", ta.tm_year + 1900, ta.tm_mon + 1,ta.tm_mday );
- LogDebug("## certificate's notBefore Year : " << msg);
- fprintf(stderr, "## certificate's notAfterTime Year : %s\n", msg);
-
- ta = _ASN1_GetTimeT(notAfterTime);
- sprintf(msg, "Year: %d, month: %d, day : %d", ta.tm_year + 1900, ta.tm_mon + 1,ta.tm_mday );
- LogDebug("## certificate's notAfterTime Year : " << msg);
- fprintf(stderr, "## certificate's notAfterTime Year : %s\n", msg);
-
- return SignatureValidator::SIGNATURE_INVALID;
- }
-
+ struct tm *t;
+ struct tm ta, tb, tc;
+ char msg[1024];
+
+ t = localtime(&nowTime);
+
+ memset(&tc, 0, sizeof(tc));
+
+ snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", t->tm_year + 1900, t->tm_mon + 1,t->tm_mday );
+ LogDebug("## System's currentTime : " << msg);
+ fprintf(stderr, "## System's currentTime : %s\n", msg);
+
+ tb = _ASN1_GetTimeT(notBeforeTime);
+ snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", tb.tm_year + 1900, tb.tm_mon + 1,tb.tm_mday );
+ LogDebug("## certificate's notBeforeTime : " << msg);
+ fprintf(stderr, "## certificate's notBeforeTime : %s\n", msg);
+
+ ta = _ASN1_GetTimeT(notAfterTime);
+ snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", ta.tm_year + 1900, ta.tm_mon + 1,ta.tm_mday );
+ LogDebug("## certificate's notAfterTime : " << msg);
+ fprintf(stderr, "## certificate's notAfterTime : %s\n", msg);
+
+ if (storeIdSet.contains(CertStoreId::TIZEN_VERIFY))
+ {
+ LogDebug("## TIZEN_VERIFY : check certificate Time : FALSE");
+ fprintf(stderr, "## TIZEN_VERIFY : check certificate Time : FALSE\n");
+ return SignatureValidator::SIGNATURE_INVALID;
+ }
+
+ int year = (ta.tm_year - tb.tm_year) / 4;
+ tc.tm_year = tb.tm_year + year;
+ tc.tm_mon = (tb.tm_mon + ta.tm_mon )/2;
+ tc.tm_mday = (tb.tm_mday + ta.tm_mday)/2;
+
+ snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", tc.tm_year + 1900, tc.tm_mon + 1,tc.tm_mday );
+ LogDebug("## cmp cert with validation time : " << msg);
+ fprintf(stderr, "## cmp cert with validation time : %s\n", msg);
+
+ time_t outCurrent = mktime(&tc);
+ context.validationTime = outCurrent;
+ //return SignatureValidator::SIGNATURE_INVALID;
+ }
+
#endif
#if 0
return SignatureValidator::SIGNATURE_INVALID;
}
+ #ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
// It is good time to do OCSP check
// ocspCheck will throw an exception on any error.
// TODO Probably we should catch this exception and add
if (result == VERIFICATION_STATUS_UNKNOWN ||
result == VERIFICATION_STATUS_ERROR)
{
+ #ifdef _OCSP_POLICY_DISREGARD_UNKNOWN_OR_ERROR_CERTS_
disregard = true;
+ #endif
}
}
+#endif
if (disregard) {
LogWarning("Signature is disregard. RootCA is not a member of Tizen.");
#include <vcore/VCorePrivate.h>
#include <vcore/Config.h>
+#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
#include <vcore/Database.h>
-#include <openssl/ssl.h>
#include <database_checksum_vcore.h>
+#endif
+#include <openssl/ssl.h>
#include <glib.h>
#include <glib-object.h>
#include <dpl/assert.h>
#include <dpl/log/log.h>
+#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
namespace {
DPL::DB::ThreadDatabaseSupport *threadInterface = NULL;
} // namespace anonymous
+#endif
namespace ValidationCore {
void AttachToThreadRO(void)
{
+#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
Assert(threadInterface);
static bool check = true;
threadInterface->AttachToThread(
check = false;
Assert(ThreadInterface().CheckTableExist(DB_CHECKSUM_STR) &&
"Not a valid vcore database version");
- }
+ }
+#endif
}
void AttachToThreadRW(void)
{
- Assert(threadInterface);
+#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
+ Assert(threadInterface);
static bool check = true;
threadInterface->AttachToThread(
DPL::DB::SqlConnection::Flag::RW);
Assert(ThreadInterface().CheckTableExist(DB_CHECKSUM_STR) &&
"Not a valid vcore database version");
}
+#endif
}
void DetachFromThread(void){
+#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
Assert(threadInterface);
threadInterface->DetachFromThread();
+#endif
}
-
+#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
DPL::DB::ThreadDatabaseSupport& ThreadInterface(void) {
Assert(threadInterface);
return *threadInterface;
}
-
+#endif
bool VCoreInit(const std::string& configFilePath,
const std::string& configSchemaPath,
const std::string& databasePath)
{
- if(threadInterface) {
+#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
+ if(threadInterface) {
LogDebug("Already Initialized");
return true;
}
threadInterface = new DPL::DB::ThreadDatabaseSupport(
databasePath.c_str(),
DPL::DB::SqlConnection::Flag::UseLucene);
-
+#endif
SSL_library_init();
// g_thread_init(NULL);
g_type_init();
void VCoreDeinit()
{
+#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
Assert(threadInterface && "Not initialized or already deinitialized");
delete threadInterface;
threadInterface = NULL;
+#endif
}
} // namespace ValidationCore
#include <string>
#include <VCore.h>
+#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
#include <database_checksum_vcore.h>
#include <dpl/db/thread_database_support.h>
+#endif
namespace ValidationCore {
+#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
DPL::DB::ThreadDatabaseSupport& ThreadInterface(void);
+#endif
} // namespace ValidationCore
#endif // _VCORE_SRC_VCORE_VCORE_H_
#include <vcore/WrtSignatureValidator.h>
#include <dpl/log/log.h>
-
#include <vcore/CertificateVerifier.h>
#include <vcore/Certificate.h>
#include <vcore/OCSPCertMgrUtil.h>
"http://www.w3.org/ns/widgets-digsig#profile";
} // namespace anonymouse
+static tm _ASN1_GetTimeT(ASN1_TIME* time)
+{
+ struct tm t;
+ const char* str = (const char*) time->data;
+ size_t i = 0;
+
+ memset(&t, 0, sizeof(t));
+
+ if (time->type == V_ASN1_UTCTIME) /* two digit year */
+ {
+ t.tm_year = (str[i++] - '0') * 10 + (str[++i] - '0');
+ if (t.tm_year < 70)
+ t.tm_year += 100;
+ }
+ else if (time->type == V_ASN1_GENERALIZEDTIME) /* four digit year */
+ {
+ t.tm_year = (str[i++] - '0') * 1000 + (str[++i] - '0') * 100 + (str[++i] - '0') * 10 + (str[++i] - '0');
+ t.tm_year -= 1900;
+ }
+ t.tm_mon = ((str[i++] - '0') * 10 + (str[++i] - '0')) - 1; // -1 since January is 0 not 1.
+ t.tm_mday = (str[i++] - '0') * 10 + (str[++i] - '0');
+ t.tm_hour = (str[i++] - '0') * 10 + (str[++i] - '0');
+ t.tm_min = (str[i++] - '0') * 10 + (str[++i] - '0');
+ t.tm_sec = (str[i++] - '0') * 10 + (str[++i] - '0');
+
+ /* Note: we did not adjust the time based on time zone information */
+ return t;
+}
+
+
namespace ValidationCore {
class WrtSignatureValidator::Impl {
explicit Impl(bool ocspEnable,
bool crlEnable,
bool complianceMode)
- : m_ocspEnable(ocspEnable)
+ : m_complianceModeEnabled(complianceMode)
+ #ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
+ , m_ocspEnable(ocspEnable)
, m_crlEnable(crlEnable)
- , m_complianceModeEnabled(complianceMode)
+ #endif
{}
virtual ~Impl(){}
return true;
}
protected:
+ bool m_complianceModeEnabled;
+#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
bool m_ocspEnable;
bool m_crlEnable;
- bool m_complianceModeEnabled;
+#endif
+
};
class ImplTizen : public WrtSignatureValidator::Impl
<< storeIdSet.contains(CertStoreId::TIZEN_DEVELOPER));
LogDebug("Is root certificate from TIZEN_TEST domain: "
<< storeIdSet.contains(CertStoreId::TIZEN_TEST));
+ LogDebug("Is root certificate from TIZEN_VERIFY domain: "
+ << storeIdSet.contains(CertStoreId::TIZEN_VERIFY));
LogDebug("Is root certificate from TIZEN_PUBLIC domain: "
<< storeIdSet.contains(CertStoreId::VIS_PUBLIC));
LogDebug("Is root certificate from TIZEN_PARTNER domain: "
<< storeIdSet.contains(CertStoreId::VIS_PARTNER));
LogDebug("Is root certificate from TIZEN_PLATFORM domain: "
<< storeIdSet.contains(CertStoreId::VIS_PLATFORM));
-
LogDebug("Visibility level is public : "
<< storeIdSet.contains(CertStoreId::VIS_PUBLIC));
LogDebug("Visibility level is partner : "
else
{
LogDebug("signaturefile name = " << data.getSignatureFileName().c_str());
+
if (data.getSignatureNumber() == 1)
{
if (storeIdSet.contains(CertStoreId::VIS_PUBLIC) || storeIdSet.contains(CertStoreId::VIS_PARTNER) || storeIdSet.contains(CertStoreId::VIS_PLATFORM))
}
else
{
- LogWarning("author-signature.xml has got unrecognized Root CA "
+ LogWarning("signature1.xml has got unrecognized Root CA "
"certificate. Signature will be disregarded.");
disregard = true;
}
// but still signature must be valid... Aaaaaa it's so stupid...
if (!(root->isSignedBy(root))) {
LogWarning("Root CA certificate not found. Chain is incomplete.");
- context.allowBrokenChain = true;
+ //context.allowBrokenChain = true;
}
// WAC 2.0 SP-2066 The wrt must not block widget installation
ASN1_TIME* notAfterTime = data.getEndEntityCertificatePtr()->getNotAfterTime();
ASN1_TIME* notBeforeTime = data.getEndEntityCertificatePtr()->getNotBeforeTime();
- if (data.isAuthorSignature())
- {
- if (X509_cmp_time(notBeforeTime, &nowTime) > 0)
- {
- LogDebug("notBeforeTime is greater then current time");
- return WrtSignatureValidator::SIGNATURE_INVALID;
- }
+ if (X509_cmp_time(notBeforeTime, &nowTime) > 0 || X509_cmp_time(notAfterTime, &nowTime) < 0)
+ {
+ struct tm *t;
+ struct tm ta, tb, tc;
+ char msg[1024];
+
+ t = localtime(&nowTime);
+
+ memset(&tc, 0, sizeof(tc));
+
+ snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", t->tm_year + 1900, t->tm_mon + 1,t->tm_mday );
+ LogDebug("## System's currentTime : " << msg);
+ fprintf(stderr, "## System's currentTime : %s\n", msg);
+
+ tb = _ASN1_GetTimeT(notBeforeTime);
+ snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", tb.tm_year + 1900, tb.tm_mon + 1,tb.tm_mday );
+ LogDebug("## certificate's notBeforeTime : " << msg);
+ fprintf(stderr, "## certificate's notBeforeTime : %s\n", msg);
+
+ ta = _ASN1_GetTimeT(notAfterTime);
+ snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", ta.tm_year + 1900, ta.tm_mon + 1,ta.tm_mday );
+ LogDebug("## certificate's notAfterTime : " << msg);
+ fprintf(stderr, "## certificate's notAfterTime : %s\n", msg);
+
+ if (storeIdSet.contains(CertStoreId::TIZEN_VERIFY))
+ {
+ LogDebug("## TIZEN_VERIFY : check certificate Time : FALSE");
+ fprintf(stderr, "## TIZEN_VERIFY : check certificate Time : FALSE\n");
+ return WrtSignatureValidator::SIGNATURE_INVALID;
+ }
+
+ int year = (ta.tm_year - tb.tm_year) / 4;
+
+ if(year == 0)
+ {
+ tc.tm_year = tb.tm_year;
+ tc.tm_mon = tb.tm_mon + 1;
+ tc.tm_mday = tb.tm_mday;
+
+ if(tc.tm_mon == 12)
+ {
+ tc.tm_year = ta.tm_year;
+ tc.tm_mon = ta.tm_mon - 1;
+ tc.tm_mday = ta.tm_mday;
+
+ if(tc.tm_mon < 0)
+ {
+ tc.tm_year = ta.tm_year;
+ tc.tm_mon = ta.tm_mon;
+ tc.tm_mday = ta.tm_mday -1;
+
+ if(tc.tm_mday == 0)
+ {
+ tc.tm_year = tb.tm_year;
+ tc.tm_mon = tb.tm_mon;
+ tc.tm_mday = tb.tm_mday +1;
+ }
+ }
+ }
+ }
+ else{
+ tc.tm_year = tb.tm_year + year;
+ tc.tm_mon = (tb.tm_mon + ta.tm_mon )/2;
+ tc.tm_mday = (tb.tm_mday + ta.tm_mday)/2;
+ }
+
+ snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", tc.tm_year + 1900, tc.tm_mon + 1,tc.tm_mday );
+ LogDebug("## cmp cert with validation time : " << msg);
+ fprintf(stderr, "## cmp cert with validation time : %s\n", msg);
+
+ time_t outCurrent = mktime(&tc);
+ context.validationTime = outCurrent;
+
+ fprintf(stderr, "## cmp outCurrent time : %ld\n", outCurrent);
+
+ //return WrtSignatureValidator::SIGNATURE_INVALID;
+ }
- if (X509_cmp_time(notAfterTime, &nowTime) < 0)
- {
- LogDebug("notAfterTime is less then current time");
- return WrtSignatureValidator::SIGNATURE_INVALID;
- }
- }
#endif
#if 0
return WrtSignatureValidator::SIGNATURE_INVALID;
}
+#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
// It is good time to do OCSP check
// ocspCheck will throw an exception on any error.
// TODO Probably we should catch this exception and add
if (result == VERIFICATION_STATUS_UNKNOWN ||
result == VERIFICATION_STATUS_ERROR)
{
+ #ifdef _OCSP_POLICY_DISREGARD_UNKNOWN_OR_ERROR_CERTS_
disregard = true;
+ #endif
}
}
+#endif
if (disregard) {
LogWarning("Signature is disregard. RootCA is not a member of Tizen");
<< storeIdSet.contains(CertStoreId::TIZEN_DEVELOPER));
LogDebug("Is root certificate from TIZEN_TEST domain: "
<< storeIdSet.contains(CertStoreId::TIZEN_TEST));
+ LogDebug("Is root certificate from TIZEN_VERIFY domain: "
+ << storeIdSet.contains(CertStoreId::TIZEN_VERIFY));
LogDebug("Is root certificate from TIZEN_PUBLIC domain: "
<< storeIdSet.contains(CertStoreId::VIS_PUBLIC));
LogDebug("Is root certificate from TIZEN_PARTNER domain: "
else
{
LogDebug("signaturefile name = " << data.getSignatureFileName().c_str());
+ //Additional Check for certificate registration
+
if (data.getSignatureNumber() == 1)
{
if (storeIdSet.contains(CertStoreId::VIS_PUBLIC) || storeIdSet.contains(CertStoreId::VIS_PARTNER) || storeIdSet.contains(CertStoreId::VIS_PLATFORM))
}
else
{
- LogWarning("author-signature.xml has got unrecognized Root CA "
+ LogWarning("signature1.xml has got unrecognized Root CA "
"certificate. Signature will be disregarded.");
disregard = true;
}
// but still signature must be valid... Aaaaaa it's so stupid...
if (!(root->isSignedBy(root))) {
LogWarning("Root CA certificate not found. Chain is incomplete.");
- context.allowBrokenChain = true;
+// context.allowBrokenChain = true;
}
time_t nowTime = time(NULL);
ASN1_TIME* notAfterTime = data.getEndEntityCertificatePtr()->getNotAfterTime();
ASN1_TIME* notBeforeTime = data.getEndEntityCertificatePtr()->getNotBeforeTime();
- if (data.isAuthorSignature())
- {
- if (X509_cmp_time(notBeforeTime, &nowTime) > 0)
- {
- LogDebug("notBeforeTime is greater then current time");
- return WrtSignatureValidator::SIGNATURE_INVALID;
- }
+ if (X509_cmp_time(notBeforeTime, &nowTime) > 0 || X509_cmp_time(notAfterTime, &nowTime) < 0)
+ {
+ struct tm *t;
+ struct tm ta, tb, tc;
+ char msg[1024];
+
+ t = localtime(&nowTime);
+
+ memset(&tc, 0, sizeof(tc));
+
+ snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", t->tm_year + 1900, t->tm_mon + 1,t->tm_mday );
+ LogDebug("## System's currentTime : " << msg);
+ fprintf(stderr, "## System's currentTime : %s\n", msg);
+
+ tb = _ASN1_GetTimeT(notBeforeTime);
+ snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", tb.tm_year + 1900, tb.tm_mon + 1,tb.tm_mday );
+ LogDebug("## certificate's notBeforeTime : " << msg);
+ fprintf(stderr, "## certificate's notBeforeTime : %s\n", msg);
+
+ ta = _ASN1_GetTimeT(notAfterTime);
+ snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", ta.tm_year + 1900, ta.tm_mon + 1,ta.tm_mday );
+ LogDebug("## certificate's notAfterTime : " << msg);
+ fprintf(stderr, "## certificate's notAfterTime : %s\n", msg);
+
+ if (storeIdSet.contains(CertStoreId::TIZEN_VERIFY))
+ {
+ LogDebug("## TIZEN_VERIFY : check certificate Time : FALSE");
+ fprintf(stderr, "## TIZEN_VERIFY : check certificate Time : FALSE\n");
+ return WrtSignatureValidator::SIGNATURE_INVALID;
+ }
+
+ int year = (ta.tm_year - tb.tm_year) / 4;
+
+ if(year == 0)
+ {
+ tc.tm_year = tb.tm_year;
+ tc.tm_mon = tb.tm_mon + 1;
+ tc.tm_mday = tb.tm_mday;
+
+ if(tc.tm_mon == 12)
+ {
+ tc.tm_year = ta.tm_year;
+ tc.tm_mon = ta.tm_mon - 1;
+ tc.tm_mday = ta.tm_mday;
+
+ if(tc.tm_mon < 0)
+ {
+ tc.tm_year = ta.tm_year;
+ tc.tm_mon = ta.tm_mon;
+ tc.tm_mday = ta.tm_mday -1;
+
+ if(tc.tm_mday == 0)
+ {
+ tc.tm_year = tb.tm_year;
+ tc.tm_mon = tb.tm_mon;
+ tc.tm_mday = tb.tm_mday +1;
+ }
+ }
+ }
+ }
+ else{
+ tc.tm_year = tb.tm_year + year;
+ tc.tm_mon = (tb.tm_mon + ta.tm_mon )/2;
+ tc.tm_mday = (tb.tm_mday + ta.tm_mday)/2;
+ }
+
+ snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", tc.tm_year + 1900, tc.tm_mon + 1,tc.tm_mday );
+ LogDebug("## cmp cert with validation time : " << msg);
+ fprintf(stderr, "## cmp cert with validation time : %s\n", msg);
+
+ time_t outCurrent = mktime(&tc);
+
+ fprintf(stderr, "## cmp outCurrent time : %ld\n", outCurrent);
+
+ context.validationTime = outCurrent;
+ //return WrtSignatureValidator::SIGNATURE_INVALID;
+ }
- if (X509_cmp_time(notAfterTime, &nowTime) < 0)
- {
- LogDebug("notAfterTime is less then current time");
- return WrtSignatureValidator::SIGNATURE_INVALID;
- }
- }
#endif
#if 0
return WrtSignatureValidator::SIGNATURE_INVALID;
}
+#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
// It is good time to do OCSP check
// ocspCheck will throw an exception on any error.
// TODO Probably we should catch this exception and add
if (result == VERIFICATION_STATUS_UNKNOWN ||
result == VERIFICATION_STATUS_ERROR)
{
+#ifdef _OCSP_POLICY_DISREGARD_UNKNOWN_OR_ERROR_CERTS_
disregard = true;
+#endif //_OCSP_POLICY_DISREGARD_UNKNOWN_OR_ERROR_CERTS_
}
}
+#endif
if (disregard) {
LogWarning("Signature is disregard. RootCA is not a member of Tizen.");
}
}
-void LogDebugPrint(const char* file, int line, const char* func,
- const char* errorObject, const char* errorSubject,
+void LogDebugPrint(const char* file, int line, const char* func,
+ const char* errorObject, const char* errorSubject,
int reason, const char* msg)
{
char total[1024];
- sprintf(total, "[%s(%d)] : [%s] : [%s] : [%s]", func, line, errorObject, errorSubject, msg);
+ snprintf(total, sizeof(total), "[%s(%d)] : [%s] : [%s] : [%s]", func, line, errorObject, errorSubject, msg);
if(reason != 256)
{
char* uri = NULL;
int len;
- for(itr; itr != m_pList->end(); ++itr) {
+ for(; itr != m_pList->end(); ++itr) {
tmpString = (*itr);
uri = (char*)tmpString.c_str();
len = strlen(uri);
{
Assert(context);
Assert(!(context->signatureFile.empty()));
- Assert(context->certificatePtr.Get() || !(context->certificatePath.empty()));
+ Assert(context->certificatePtr.get() || !(context->certificatePath.empty()));
xmlSecErrorsSetCallback(LogDebugPrint);
}
context->referenceSet.clear();
- if (context->certificatePtr.Get()) {
+ if (context->certificatePtr.get()) {
loadDERCertificateMemory(context, mngr.get());
}
#include <openssl/pem.h>
#include <openssl/ssl.h>
-#include <openssl/x509.h>
+#include <openssl/x509v3.h>
#include <openssl/pkcs12.h>
#include <openssl/err.h>
#include <openssl/sha.h>
#include <cert-svc/cinstance.h>
#include <cert-svc/ccert.h>
-#include <cert-svc/cocsp.h>
#include <cert-svc/cpkcs12.h>
-#include <cert-svc/ccrl.h>
#include <cert-svc/cpkcs12.h>
#include <cert-svc/cprimitives.h>
#include <vcore/Base64.h>
#include <vcore/Certificate.h>
#include <vcore/CertificateCollection.h>
+#include <vcore/pkcs12.h>
+
+#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
+#include <cert-svc/ccrl.h>
+#include <cert-svc/cocsp.h>
#include <vcore/OCSP.h>
#include <vcore/CRL.h>
#include <vcore/CRLCacheInterface.h>
-#include <vcore/pkcs12.h>
+#endif
+
+#include <libxml/parser.h>
+#include <libxml/tree.h>
+#define LOG_TAG "CERT_SVC"
using namespace ValidationCore;
namespace {
typedef std::unique_ptr<CERT_CONTEXT, std::function<int(CERT_CONTEXT*)> > ScopedCertCtx;
+#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
class CRLCacheCAPI : public CRLCacheInterface {
public:
CRLCacheCAPI(
CertSvcCrlFree m_crlFree;
void *m_userParam;
};
+#endif
class CertSvcInstanceImpl {
public:
: m_certificateCounter(0)
, m_idListCounter(0)
, m_stringListCounter(0)
+#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
, m_crlWrite(NULL)
, m_crlRead(NULL)
, m_crlFree(NULL)
+#endif
{}
~CertSvcInstanceImpl(){
}
auto certPtr = iter->second;
- DPL::OptionalString result;
+
+ boost::optional<DPL::String> result;
switch(field) {
case CERTSVC_SUBJECT:
- result = DPL::OptionalString(certPtr->getOneLine());
+ result = boost::optional<DPL::String>(certPtr->getOneLine());
break;
case CERTSVC_ISSUER:
- result = DPL::OptionalString(certPtr->getOneLine(Certificate::FIELD_ISSUER));
+ result = boost::optional<DPL::String>(certPtr->getOneLine(Certificate::FIELD_ISSUER));
break;
case CERTSVC_SUBJECT_COMMON_NAME:
result = certPtr->getCommonName();
{
std::stringstream stream;
stream << (certPtr->getVersion()+1);
- result = DPL::OptionalString(DPL::FromUTF8String(stream.str()));
+ result = boost::optional<DPL::String>(DPL::FromUTF8String(stream.str()));
break;
}
case CERTSVC_SERIAL_NUMBER:
- result = DPL::OptionalString(certPtr->getSerialNumberString());
+ result = boost::optional<DPL::String>(certPtr->getSerialNumberString());
break;
case CERTSVC_KEY_USAGE:
- result = DPL::OptionalString(certPtr->getKeyUsageString());
+ result = boost::optional<DPL::String>(certPtr->getKeyUsageString());
break;
case CERTSVC_KEY:
- result = DPL::OptionalString(certPtr->getPublicKeyString());
+ result = boost::optional<DPL::String>(certPtr->getPublicKeyString());
break;
case CERTSVC_SIGNATURE_ALGORITHM:
- result = DPL::OptionalString(certPtr->getSignatureAlgorithmString());
+ result = boost::optional<DPL::String>(certPtr->getSignatureAlgorithmString());
break;
default:
break;
}
- if (result.IsNull()) {
+ if (!result) {
buffer->privateHandler = NULL;
buffer->privateLength = 0;
buffer->privateInstance = cert.privateInstance;
std::string output = DPL::ToUTF8String(*result);
char *cstring = new char[output.size()+1];
+ if (cstring == NULL) {
+ buffer->privateHandler = NULL;
+ buffer->privateLength = 0;
+ buffer->privateInstance = cert.privateInstance;
+ return CERTSVC_BAD_ALLOC;
+ }
+
strncpy(cstring, output.c_str(), output.size()+1);
buffer->privateHandler = cstring;
return CERTSVC_SUCCESS;
}
+#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
inline int getCrl(const CertSvcCertificate &cert, CertSvcStringList *handler){
auto iter = m_certificateMap.find(cert.privateHandler);
if (iter == m_certificateMap.end()) {
return CERTSVC_SUCCESS;
}
+#endif
inline int getStringFromList(
const CertSvcStringList &handler,
if (cert == m_certificateMap.end()) {
return CERTSVC_WRONG_ARGUMENT;
}
- translator[cert->second.Get()] = pos;
+ translator[cert->second.get()] = pos;
certList.push_back(cert->second);
}
int i=0;
for (auto iter = chain.begin(); iter != chain.end() && i<size; ++iter, ++i) {
- certificate_array[i].privateHandler = translator[iter->Get()];
+ certificate_array[i].privateHandler = translator[iter->get()];
}
return CERTSVC_SUCCESS;
return CERTSVC_SUCCESS;
}
+#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
inline int ocspCheck(const CertSvcCertificate *chain,
int chain_size,
const CertSvcCertificate *trusted,
if (statusSet.contains(VERIFICATION_STATUS_NOT_SUPPORT)) {
ret |= CERTSVC_OCSP_NO_SUPPORT;
}
+ if (statusSet.contains(VERIFICATION_STATUS_CONNECTION_FAILED)) {
+ ret |= CERTSVC_OCSP_CONNECTION_FAILED;
+ }
if (statusSet.contains(VERIFICATION_STATUS_ERROR)) {
ret |= CERTSVC_OCSP_ERROR;
}
*status = ret;
return CERTSVC_SUCCESS;
}
+#endif
inline int verify(
CertSvcCertificate certificate,
base.finalize();
info = base.get();
char *ptr = new char[info.size()+1];
+ if(ptr == NULL) {
+ return CERTSVC_BAD_ALLOC;
+ }
memcpy(ptr, info.c_str(), info.size()+1);
m_allocatedStringSet.insert(ptr);
base64->privateHandler = ptr;
}
info = base.get();
char *ptr = new char[info.size()+1];
+ if(ptr == NULL) {
+ return CERTSVC_BAD_ALLOC;
+ }
memcpy(ptr, info.c_str(), info.size()+1);
m_allocatedStringSet.insert(ptr);
message->privateHandler = ptr;
allocSize++;
char *ptr = new char[allocSize];
+ if(ptr == NULL) {
+ return CERTSVC_BAD_ALLOC;
+ }
memcpy(ptr, str, size);
ptr[allocSize-1] = 0;
return CERTSVC_SUCCESS;
}
+#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
inline void setCRLFunction(
CertSvcCrlCacheWrite writePtr,
CertSvcCrlCacheRead readPtr,
return CERTSVC_SUCCESS;
}
+#endif
inline int certificateVerify(
CertSvcCertificate certificate,
int trustedSize,
CertSvcCertificate *untrusted,
int untrustedSize,
+ int checkCaFlag,
int *status)
{
if (!trusted || !status) {
X509_STORE_CTX context;
X509_STORE_CTX_init(&context, store, cert, ustore);
int result = X509_verify_cert(&context);
+
+ if(result == 1 && checkCaFlag) { // check strictly
+ STACK_OF(X509) *resultChain = X509_STORE_CTX_get1_chain(&context);
+ X509* tmpCert = NULL;
+ int caFlagValidity;
+ while((tmpCert = sk_X509_pop(resultChain))) {
+ caFlagValidity = X509_check_ca(tmpCert);
+ if(caFlagValidity != 1 && (tmpCert = sk_X509_pop(resultChain)) != NULL) { // the last one is not a CA.
+ result = 0;
+ break;
+ }
+ }
+ }
+
X509_STORE_CTX_cleanup(&context);
X509_STORE_free(store);
sk_X509_free(ustore);
return CERTSVC_SUCCESS;
}
+ int getVisibility(CertSvcCertificate certificate, int* visibility)
+ {
+ int ret = CERTSVC_FAIL;
+ xmlChar *xmlPathCertificateSet = (xmlChar*) "CertificateSet";
+ xmlChar *xmlPathCertificateDomain = (xmlChar*) "CertificateDomain";// name=\"tizen-platform\"";
+ xmlChar *xmlPathDomainPlatform = (xmlChar*) "tizen-platform";
+ xmlChar *xmlPathDomainPublic = (xmlChar*) "tizen-public";
+ xmlChar *xmlPathDomainPartner = (xmlChar*) "tizen-partner";
+ xmlChar *xmlPathDomainDeveloper = (xmlChar*) "tizen-developer";
+ xmlChar *xmlPathFingerPrintSHA1 = (xmlChar*) "FingerprintSHA1";
+
+ CertificatePtr certPtr = m_certificateMap[0];
+ if(certPtr == NULL)
+ {
+ LOGE("Invalid Parameter. certificate is not initialized");
+ return CERTSVC_FAIL;
+ }
+ std::string fingerprint = Certificate::FingerprintToColonHex(certPtr->getFingerprint(Certificate::FINGERPRINT_SHA1));
+
+ /* load file */
+ xmlDocPtr doc = xmlParseFile(tzplatform_mkpath(TZ_SYS_SHARE, "ca-certificates/fingerprint/fingerprint_list.xml"));
+ if ((doc == NULL) || (xmlDocGetRootElement(doc) == NULL))
+ {
+ LOGE("Failed to prase fingerprint_list.xml\n");
+ return CERTSVC_IO_ERROR;
+ }
+
+ xmlNodePtr curPtr = xmlFirstElementChild(xmlDocGetRootElement(doc));
+ if(curPtr == NULL)
+ {
+ LOGE("Can not find root");
+ ret = CERTSVC_IO_ERROR;
+ goto out;
+ }
+
+ while(curPtr != NULL)
+ {
+ xmlAttr* attr = curPtr->properties;
+ if(!attr->children || !attr->children->content)
+ {
+ LOGE("Failed to get fingerprints from list");
+ ret = CERTSVC_FAIL;
+ goto out;
+ }
+
+ xmlChar* strLevel = attr->children->content;
+ xmlNodePtr FpPtr = xmlFirstElementChild(curPtr);
+ if(FpPtr == NULL)
+ {
+ LOGE("Could not find fingerprint");
+ ret = CERTSVC_FAIL;
+ goto out;
+ }
+
+ LOGD("Retrieve level : %s", strLevel);
+ while(FpPtr)
+ {
+ xmlChar *content = xmlNodeGetContent(FpPtr);
+ if(xmlStrcmp(content, (xmlChar*)fingerprint.c_str()) == 0)
+ {
+ LOGD("fingerprint : %s are %s", content, strLevel);
+ if(!xmlStrcmp(strLevel, xmlPathDomainPlatform))
+ {
+ *visibility = CERTSVC_VISIBILITY_PLATFORM;
+ ret = CERTSVC_SUCCESS;
+ goto out;
+ }
+ else if(!xmlStrcmp(strLevel, xmlPathDomainPublic))
+ {
+ *visibility = CERTSVC_VISIBILITY_PUBLIC;
+ ret = CERTSVC_SUCCESS;
+ goto out;
+ }
+ else if(!xmlStrcmp(strLevel, xmlPathDomainPartner))
+ {
+ *visibility = CERTSVC_VISIBILITY_PARTNER;
+ ret = CERTSVC_SUCCESS;
+ goto out;
+ }
+ else if(!xmlStrcmp(strLevel, xmlPathDomainDeveloper))
+ {
+ *visibility = CERTSVC_VISIBILITY_DEVELOPER;
+ ret = CERTSVC_SUCCESS;
+ goto out;
+ }
+ }
+ FpPtr = xmlNextElementSibling(FpPtr);
+ }
+ curPtr = xmlNextElementSibling(curPtr);
+ }
+ xmlFreeDoc(doc);
+ return CERTSVC_FAIL;
+out:
+ xmlFreeDoc(doc);
+ return ret;
+ }
+
inline int pkcsNameIsUnique(
CertSvcString pfxIdString,
int *is_unique)
std::set<char *> m_allocatedStringSet;
+#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
CertSvcCrlCacheWrite m_crlWrite;
CertSvcCrlCacheRead m_crlRead;
CertSvcCrlFree m_crlFree;
+#endif
};
inline CertSvcInstanceImpl *impl(CertSvcInstance instance) {
void certsvc_certificate_free(CertSvcCertificate certificate)
{
- impl(certificate.privateInstance)->removeCert(certificate);
+ if (certificate.privateHandler != 0)
+ impl(certificate.privateInstance)->removeCert(certificate);
}
int certsvc_certificate_save_file(
return impl(certificate.privateInstance)->isRootCA(certificate, status);
}
+#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
int certsvc_certificate_get_crl_distribution_points(
CertSvcCertificate certificate,
CertSvcStringList *handler)
} catch (...) {}
return CERTSVC_FAIL;
}
+#endif
int certsvc_string_list_get_one(
CertSvcStringList handler,
void certsvc_string_list_free(CertSvcStringList handler)
{
- impl(handler.privateInstance)->removeStringList(handler);
+ if (handler.privateHandler != 0)
+ {
+ impl(handler.privateInstance)->removeStringList(handler);
+ handler.privateHandler = 0;
+ }
}
void certsvc_string_free(CertSvcString string)
{
- impl(string.privateInstance)->removeString(string);
+ if (string.privateHandler)
+ impl(string.privateInstance)->removeString(string);
}
void certsvc_string_to_cstring(
void certsvc_certificate_free_x509(X509 *x509)
{
- X509_free(x509);
+ if (x509)
+ X509_free(x509);
}
int certsvc_pkcs12_dup_evp_pkey(
EVP_PKEY_free(pkey);
}
+#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
int certsvc_ocsp_check(
CertSvcCertificate *chain,
int chain_size,
} catch (...) {}
return CERTSVC_FAIL;
}
+#endif
int certsvc_message_verify(
CertSvcCertificate certificate,
return CERTSVC_SUCCESS;
}
+#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
void certsvc_crl_cache_functions(
CertSvcInstance instance,
CertSvcCrlCacheWrite writePtr,
} catch (...) {}
return CERTSVC_FAIL;
}
+#endif
int certsvc_certificate_verify(
CertSvcCertificate certificate,
int *status)
{
try {
+ int check_caflag_false = 0;
+ return impl(certificate.privateInstance)->certificateVerify(
+ certificate,
+ trusted,
+ trustedSize,
+ untrusted,
+ untrustedSize,
+ check_caflag_false,
+ status);
+ } catch (...) {}
+ return CERTSVC_FAIL;
+}
+
+int certsvc_certificate_verify_with_caflag(
+ CertSvcCertificate certificate,
+ CertSvcCertificate *trusted,
+ int trustedSize,
+ CertSvcCertificate *untrusted,
+ int untrustedSize,
+ int *status)
+{
+ try {
+ int check_caflag_true = 1;
return impl(certificate.privateInstance)->certificateVerify(
certificate,
trusted,
trustedSize,
untrusted,
untrustedSize,
+ check_caflag_true,
status);
} catch (...) {}
return CERTSVC_FAIL;
}
+int certsvc_certificate_get_visibility(CertSvcCertificate certificate, int* visibility)
+{
+ try {
+ return impl(certificate.privateInstance)->getVisibility(certificate, visibility);
+ } catch (...)
+ {
+ LOGE("exception occur");
+ }
+ return CERTSVC_FAIL;
+}
+
int certsvc_pkcs12_alias_exists(CertSvcInstance instance,
CertSvcString pfxIdString,
int *is_unique)
#define _GNU_SOURCE
#define _CERT_SVC_VERIFY_PKCS12
+#include <cert-service.h>
+#include "cert-service-util.h"
#include "pkcs12.h"
#include <cert-svc/cerror.h>
#include <unistd.h>
#include <dlfcn.h>
#include <cert-service-debug.h>
#include <tzplatform_config.h>
+#include <tizen.h>
#define SYSCALL(call) while(((call) == -1) && (errno == EINTR))
#define CERTSVC_PKCS12_STORAGE_DIR tzplatform_mkpath(TZ_SYS_SHARE, "cert-svc/pkcs12")
#define CERTSVC_PKCS12_STORAGE_FILE "storage"
#define CERTSVC_PKCS12_STORAGE_PATH tzplatform_mkpath3(TZ_SYS_SHARE,"cert-svc/pkcs12", CERTSVC_PKCS12_STORAGE_FILE)
+#define MAX_PASSWORD_SIZE 32
+#define MAX_SEND_DATA_SIZE 4096 // internal buffer = 4KB
+
+typedef enum
+{
+ SSA_PARAM_ERROR = TIZEN_ERROR_SYSTEM_CLASS | 0x01, /** < Invalid parameters */
+ SSA_AUTHENTICATION_ERROR = TIZEN_ERROR_SYSTEM_CLASS | 0x02, /** < Authentication error */
+ SSA_TZ_ERROR = TIZEN_ERROR_SYSTEM_CLASS | 0x03, /** < Trust zone error */
+ SSA_SOCKET_ERROR = TIZEN_ERROR_CONNECTION, /** < Connection error */
+ SSA_PERMISSION_ERROR = TIZEN_ERROR_PERMISSION_DENIED, /** < Permission denied */
+ SSA_SECURITY_SERVER_ERROR = TIZEN_ERROR_SYSTEM_CLASS | 0x04,/** < Security server error */
+ SSA_CIPHER_ERROR = TIZEN_ERROR_SYSTEM_CLASS | 0x05, /** < Encryption / Decryption error */
+ SSA_IO_ERROR = TIZEN_ERROR_IO_ERROR, /** < I/O error */
+ SSA_OUT_OF_MEMORY = TIZEN_ERROR_OUT_OF_MEMORY, /** < Out of memory */
+ SSA_UNKNOWN_ERROR = TIZEN_ERROR_UNKNOWN, /** < Unknown error */
+} ssa_error_e;
static const char CERTSVC_PKCS12_STORAGE_KEY_PKEY[] = "pkey";
static const char CERTSVC_PKCS12_STORAGE_KEY_CERTS[] = "certs";
int result;
ssm_file_info_t sfi;
gboolean exists;
+ char* data = NULL;
+ char* tempfilepath = NULL;
trial = 0U;
try_again:
++trial;
- result = generate_random_filepath(filepath);
+ result = generate_random_filepath(&tempfilepath);
if(result != CERTSVC_SUCCESS)
return result;
if(with_secure_storage)
- exists = (access(*filepath, F_OK) == 0 || ssm_getinfo(*filepath, &sfi, SSM_FLAG_DATA, CERTSVC_PKCS12_UNIX_GROUP) == 0);
+ exists = (access(*tempfilepath, F_OK) == 0 || ssm_getinfo(*filepath, &sfi, SSM_FLAG_DATA, CERTSVC_PKCS12_UNIX_GROUP) == 0);
else
- exists = (access(*filepath, F_OK) == 0);
- if(exists) {
- free(*filepath);
+ exists = (access(*tempfilepath, F_OK) == 0);
+
+ if(!exists) {
+ *filepath = tempfilepath;
+ }
+ else {
+ if(data){
+ free(data);
+ data = NULL;
+ }
+ free(tempfilepath);
if(trial + 1 > attempts)
return CERTSVC_FAIL;
else
STACK_OF(X509) *certv;
int nicerts;
char *unique;
- int result;
+ int result = 0;
struct stat st;
int wr_res;
+ void* dlHandle = NULL;
GKeyFile *keyfile;
gchar *bare;
gchar *pkvalue;
gsize length;
static int initFlag = 0;
const char appInfo[] = "certsvcp12";
+ int readLen = 0;
+ char fileBuffer[4096] = {0,};
certv = NULL;
pkvalue = NULL;
result = CERTSVC_FAIL;
goto free_keyfile;
}
+
+#ifdef TIZEN_FEATURE_OSP_DISABLE
+ LOGD("TIZEN_FEAT_OSP_DISABLE is 1");
+#endif
+
+#ifndef TIZEN_FEATURE_OSP_DISABLE
+ LOGD("TIZEN_FEAT_OSP_DISABLE is 0");
+#endif
+
+#ifndef TIZEN_FEATURE_OSP_DISABLE
+ dlHandle = dlopen("/usr/lib/osp/libosp-appfw.so", RTLD_LAZY);
+ if (!dlHandle)
+ {
+ LOGD("Failed to open so with reason : %s", dlerror());
+ goto free_keyfile;
+ }
+#endif
result = PKCS12_parse(container, password, &key, &cert, &certv);
PKCS12_free(container);
if (result == 0)
{
+ LOGD("Failed to parse PKCS12");
result = CERTSVC_FAIL;
goto free_keyfile;
}
if (strcmp((const char*)pSubject, (const char*)pIssuerName) == 0)
{
//self signed..
- isSelfSigned = 1;
+ //isSelfSigned = 1;
EVP_PKEY* pKey = X509_get_pubkey(cert);
if (!pKey)
}
else
{
- isSelfSigned = 0;
+ //isSelfSigned = 0;
int res = 0;
X509_STORE_CTX *cert_ctx = NULL;
X509_STORE *cert_store = NULL;
result = unique_filename(&unique, TRUE);
if(result != CERTSVC_SUCCESS)
goto clean_cert_chain_and_pkey;
- if((stream = fopen(unique, "w")) == NULL) {
+ if((stream = fopen(unique, "w+")) == NULL) {
free(unique);
result = CERTSVC_IO_ERROR;
goto clean_cert_chain_and_pkey;
}
result = PEM_write_PrivateKey(stream, key, NULL, NULL, 0, NULL, NULL);
- fclose(stream);
if(result == 0) {
result = CERTSVC_FAIL;
+ fclose(stream);
+ free(unique);
+ goto clean_cert_chain_and_pkey;
+ }
+
+ fseek(stream, 0, SEEK_SET);
+
+ readLen = fread(fileBuffer, sizeof(char), 4096, stream);
+ fclose(stream);
+ if(readLen <= 0){
+ free(unique);
+ result = CERTSVC_FAIL;
+ SLOGE("failed to read key file");
goto clean_cert_chain_and_pkey;
}
wr_res = ssm_write_file(unique, SSM_FLAG_DATA, CERTSVC_PKCS12_UNIX_GROUP);
result = CERTSVC_FAIL;
goto clean_cert_chain_and_pkey;
}
+ unlink(unique);
+
bare = bare_filename(unique);
if(bare) {
pkvalue = g_strdup(bare);
if(bare)
cvaluev[n++] = g_strdup(bare);
free(unique);
- for(i = 0; i < nicerts; i++) {
+ for(i = 0; i < (unsigned int)nicerts; i++) {
result = unique_filename(&unique, FALSE);
if(result != CERTSVC_SUCCESS)
goto clean_cert_chain_and_pkey;
}
result = CERTSVC_SUCCESS;
-#if 1
- SECURE_LOGD("( %s, %s)", path, password);
- void* pSymAddr = NULL;
- void* pInitAddr = NULL;
- typedef int (*InsertPkcs12FuncPointer)(const char*, const char*);
- typedef void (*InitAppInfoPointer)(const char*, const char*);
+ SECURE_LOGD("( %s, %s)", path, password);
+#ifndef TIZEN_FEATURE_OSP_DISABLE
- InsertPkcs12FuncPointer pInsertPkcs12FuncPointer = NULL;
- InitAppInfoPointer pInit = NULL;
+ typedef int (*InsertPkcs12FuncPointer)(const char*, const char*);
+ typedef void (*InitAppInfoPointer)(const char*, const char*);
- void* dlHandle = dlopen("/usr/lib/osp/libosp-appfw.so", RTLD_LAZY);
- if (!dlHandle)
- {
- LOGD("Failed to open so with reason : %s", dlerror());
- goto free_data;
- }
+ InsertPkcs12FuncPointer pInsertPkcs12FuncPointer = NULL;
+ InitAppInfoPointer pInit = NULL;
- pInsertPkcs12FuncPointer = (InsertPkcs12FuncPointer)dlsym(dlHandle, "InsertPkcs12Content");
- if (dlerror() != NULL)
- {
- LOGD("Failed to find InsertPkcs12Content symbol : %s", dlerror());
- goto free_data;
- }
- if(initFlag == 0)
- {
- pInit = (InitAppInfoPointer)dlsym(dlHandle, "InitWebAppInfo");
- if (dlerror() != NULL)
- {
- LOGD("Failed to find InitWebAppInfo symbol : %s", dlerror());
- goto free_data;
- }
+ pInsertPkcs12FuncPointer = (InsertPkcs12FuncPointer)dlsym(dlHandle, "InsertPkcs12Content");
+ if (dlerror() != NULL)
+ {
+ LOGD("Failed to find InsertPkcs12Content symbol : %s", dlerror());
+ result = CERTSVC_FAIL;
+ goto free_data;
+ }
- pInit(appInfo, NULL);
- initFlag = 1;
- }
+ if(initFlag == 0)
+ {
+ pInit = (InitAppInfoPointer)dlsym(dlHandle, "InitWebAppInfo");
+ if (dlerror() != NULL)
+ {
+ LOGD("Failed to find InitWebAppInfo symbol : %s", dlerror());
+ result = CERTSVC_FAIL;
+ goto free_data;
+ }
+
+ pInit(appInfo, NULL);
+ initFlag = 1;
+ }
- int errCode = pInsertPkcs12FuncPointer(path, password);
- if (errCode != 0)
- {
- LOGD("dlHandle is not able to call function");
- goto free_data;
- }
- dlclose(dlHandle);
+ int errCode = pInsertPkcs12FuncPointer(path, password);
+ if (errCode != 0)
+ {
+ LOGD("dlHandle is not able to call function");
+ c_certsvc_pkcs12_delete(alias);
+ result = CERTSVC_FAIL;
+ goto free_data;
+ }
#endif
-
free_data:
g_free(data);
- if(dlHandle){
- dlclose(dlHandle);
- }
+
clean_cert_chain_and_pkey:
EVP_PKEY_free(key);
X509_free(cert);
free(cvaluev);
free_keyfile:
g_key_file_free(keyfile);
+#ifndef TIZEN_FEATURE_OSP_DISABLE
+ if(dlHandle){
+ dlclose(dlHandle);
+ }
+#endif
return result;
}
free(buffer);
}
+static void _delete_from_osp_cert_mgr(const char* path);
+
+static void
+_delete_from_osp_cert_mgr(const char* path)
+{
+
+ typedef int (*RemoveUserCertificatePointer)(unsigned char*, int);
+ typedef void (*InitAppInfoPointer)(const char*, const char*);
+
+ static int initFlag = 0;
+
+ unsigned char* pCertBuffer = NULL;
+ int certBufferLen = 0;
+ const char appInfo[] = "certsvcp12";
+
+ RemoveUserCertificatePointer pRemoveUserCertificatePointer = NULL;
+ InitAppInfoPointer pInit = NULL;
+ void* dlHandle = dlopen("/usr/lib/osp/libosp-appfw.so", RTLD_LAZY);
+ if (!dlHandle)
+ {
+ LOGD("Failed to open so with reason : %s", dlerror());
+ goto end_of_func;
+ }
+
+ pRemoveUserCertificatePointer = (RemoveUserCertificatePointer)dlsym(dlHandle, "RemoveUserCertificate");
+ if (dlerror() != NULL)
+ {
+ LOGD("Failed to find RemoveUserCertificate symbol : %s", dlerror());
+ goto end_of_func;
+ }
+
+ if(initFlag == 0)
+ {
+ pInit = (InitAppInfoPointer)dlsym(dlHandle, "InitWebAppInfo");
+ if (dlerror() != NULL)
+ {
+ LOGD("Failed to find InitWebAppInfo symbol : %s", dlerror());
+ goto end_of_func;
+ }
+
+ pInit(appInfo, NULL);
+ initFlag = 1;
+ }
+
+ int result = certsvc_load_file_to_buffer(path, &pCertBuffer, &certBufferLen);
+ if (result != 0 )
+ {
+ LOGD("certsvc_load_file_to_buffer Failed.");
+ goto end_of_func;
+ }
+ int errCode = pRemoveUserCertificatePointer(pCertBuffer, certBufferLen);
+ if (errCode != 0)
+ {
+ LOGD("dlHandle is not able to call function");
+ goto end_of_func;
+ }
+
+end_of_func:
+
+ if(dlHandle){
+ dlclose(dlHandle);
+ }
+ return;
+}
+
+
+int certsvc_load_file_to_buffer(const char* filePath, unsigned char** certBuf, int* length)
+{
+ int ret = CERT_SVC_ERR_NO_ERROR;
+ FILE* fp_in = NULL;
+ unsigned long int fileSize = 0;
+
+ /* get file size */
+ if((ret = cert_svc_get_file_size(filePath, &fileSize)) != CERT_SVC_ERR_NO_ERROR) {
+ SECURE_SLOGE("[ERR][%s] Fail to get file size, [%s]\n", __func__, filePath);
+ return CERT_SVC_ERR_FILE_IO;
+ }
+ /* open file and write to buffer */
+ if(!(fp_in = fopen(filePath, "rb"))) {
+ SECURE_SLOGE("[ERR][%s] Fail to open file, [%s]\n", __func__, filePath);
+ return CERT_SVC_ERR_FILE_IO;
+ }
+
+ if(!(*certBuf = (unsigned char*)malloc(sizeof(unsigned char) * (unsigned int)(fileSize + 1)))) {
+ SLOGE("[ERR][%s] Fail to allocate memory.\n", __func__);
+ ret = CERT_SVC_ERR_MEMORY_ALLOCATION;
+ goto err;
+ }
+ memset(*certBuf, 0x00, (fileSize + 1));
+ if(fread(*certBuf, sizeof(unsigned char), fileSize, fp_in) != fileSize) {
+ SECURE_SLOGE("[ERR][%s] Fail to read file, [%s]\n", __func__, filePath);
+ ret = CERT_SVC_ERR_FILE_IO;
+ goto err;
+ }
+
+ *length = fileSize;
+
+err:
+ if(fp_in != NULL)
+ fclose(fp_in);
+ return ret;
+}
+
int c_certsvc_pkcs12_delete(const gchar *alias) {
gchar **certs;
gsize ncerts;
goto data_free;
}
}
+
+ _delete_from_osp_cert_mgr(certs[0]);
for(i = 0; i < ncerts; i++)
+ {
unlink(certs[i]);
+ }
if(pkey != NULL) {
if(asprintf(&spkp, "%s/%s", CERTSVC_PKCS12_STORAGE_DIR, pkey) == -1) {
result = CERTSVC_BAD_ALLOC;
load_certificates_failed:
return result;
}
+
+
+int cert_svc_get_file_size(const char* filepath, unsigned long int* length)
+{
+ int ret = CERT_SVC_ERR_NO_ERROR;
+ FILE* fp_in = NULL;
+
+ if(!(fp_in = fopen(filepath, "r"))) {
+ SECURE_SLOGE("[ERR][%s] Fail to open file, [%s]\n", __func__, filepath);
+ ret = CERT_SVC_ERR_FILE_IO;
+ goto err;
+ }
+
+ fseek(fp_in, 0L, SEEK_END);
+ (*length) = ftell(fp_in);
+
+err:
+ if(fp_in != NULL)
+ fclose(fp_in);
+
+ return ret;
+}
int c_certsvc_pkcs12_private_key_load(const gchar *alias, char **pkey, gsize *count);
void c_certsvc_pkcs12_private_key_free(char *buffer);
int c_certsvc_pkcs12_delete(const gchar *alias);
+//static void _delete_from_osp_cert_mgr(const char* path);
+int certsvc_load_file_to_buffer(const char* filePath, unsigned char** certBuf, int* length);
+int cert_svc_get_file_size(const char* filepath, unsigned long int* length);
#ifdef __cplusplus
}