* Tag : cert-svc_1.0.1-28
-- Tomasz Swierczek <t.swierczek@samsung.com> Mon, 13 Aug 2012 18:51:00 +0200
+
+cert-svc (1.0.1-27) unstable; urgency=low
+
+ * Selection screen added as separate EFL gadget
+
+ * Git : slp/pkgs/c/cert-svc
+ * Tag : cert-svc_1.0.1-27
+
+ -- Tomasz Swierczek <t.swierczek@samsung.com> Tue, 31 Jul 2012 17:14:00 +0200
+
+cert-svc (1.0.1-26) unstable; urgency=low
+
+ * Selection screen runs correctly with another EFL app
+ * Added test for selection screen
+ * Corrected comments in cert-ui-api.h
+
+ * Git : slp/pkgs/c/cert-svc
+ * Tag : cert-svc_1.0.1-26
+
+ -- Tomasz Swierczek <t.swierczek@samsung.com> Wed, 25 Jul 2012 18:39:00 +0200
+
+cert-svc (1.0.1-25) unstable; urgency=low
+
+ * another RPMization
+ * added selection screen
+ * added pkcs12 container install/browse menu
+ * added cert-svc-ui-api library
+
+ * Git : slp/pkgs/c/cert-svc
+ * Tag : cert-svc_1.0.1-25
+
+ -- Tomasz Swierczek <t.swierczek@samsung.com> Tue, 24 Jul 2012 22:55:00 +0200
+
+cert-svc (1.0.1-24) unstable; urgency=low
+
+ * added selection screen
+ * added pkcs12 container install/browse menu
+ * added cert-svc-ui-api library
+
+ * Git : slp/pkgs/c/cert-svc
+ * Tag : cert-svc_1.0.1-24
+
+ -- Tomasz Swierczek <t.swierczek@samsung.com> Tue, 24 Jul 2012 22:55:00 +0200
+
+cert-svc (1.0.1-23) unstable; urgency=low
+
+ * Redebianized.
+ * Remove deprecated dependency from tapi and pkgmgr.
+
+ * Git : slp/pkgs/c/cert-svc
+ * Tag : cert-svc_1.0.1-23
+
+ -- Bartlomiej Grzelewski <b.grzelewski@samsung.com> Mon, 18 Jul 2012 18:05:11 +0100
+
+cert-svc (1.0.1-22) unstable; urgency=low
+
+ * Redebianized.
+ * Remove deprecated function call from lib.
+
+ * Git : slp/pkgs/c/cert-svc
+ * Tag : cert-svc_1.0.1-22
+
+ -- Bartlomiej Grzelewski <b.grzelewski@samsung.com> Mon, 17 Jul 2012 18:15:00 +0100
+
+cert-svc (1.0.1-19) unstable; urgency=low
+
+ * Redebianized
+
+ * Git : slp/pkgs/c/cert-svc
+ * Tag : cert-svc_1.0.1-19
+
+ -- Tomasz Swierczek <t.swierczek@samsung.com> Mon, 04 Jun 2012 17:41:00 +0100
+
+cert-svc (1.0.1-18) unstable; urgency=low
+
+ * Move VCore to cert-svc repository
+ * Add test for vcore c-api.
+ * Added Cert UI Package
+
+ * Git : slp/pkgs/c/cert-svc
+ * Tag : cert-svc_1.0.1-18
+
+ -- Tomasz Swierczek <t.swierczek@samsung.com> Mon, 04 Jun 2012 17:20:00 +0100
+
+cert-svc (1.0.1-17) unstable; urgency=low
+
+ * add certificate store for MDM
+ * Git: slp/pkgs/c/cert-svc
+ * Tag: cert-svc_1.0.1-17
+
+ -- Kidong Kim <kd0228.kim@samsung.com> Thu, 02 Feb 2012 09:29:17 +0900
+
+cert-svc (1.0.1-16) unstable; urgency=low
+
+ * 11/12/21
+ * - remove self-signed certificate from certificate chain
+ * Git: slp/pkgs/c/cert-svc
+ * Tag: cert-svc_1.0.1-16
+
+ -- Kidong Kim <kd0228.kim@samsung.com> Wed, 21 Dec 2011 10:06:41 +0900
+
+cert-svc (1.0.1-15) unstable; urgency=low
+
+ * 11/12/07
+ * - add boiler-plate on testcases
+ * Git: 165.213.180.234:slp/pkgs/c/cert-svc
+ * Tag: cert-svc_1.0.1-15
+
+ -- Kidong Kim <kd0228.kim@samsung.com> Wed, 07 Dec 2011 09:47:17 +0900
+
+cert-svc (1.0.1-14) unstable; urgency=low
+
+ * 11/12/02
+ * - change license : LGPL -> apache
+ * Git: 165.213.180.234:slp/pkgs/c/cert-svc
+ * Tag: cert-svc_1.0.1-14
+
+ -- Kidong Kim <kd0228.kim@samsung.com> Fri, 02 Dec 2011 16:59:02 +0900
+
+cert-svc (1.0.1-13) unstable; urgency=low
+
+ * 11/11/30
+ * - make all certificate stores and change ownership and permission of those
+ * - use dlog instead of console(fprintf) for logging
+ * - get length of private key when using PFX format certificate
+ * Git: 165.213.180.234:slp/pkgs/c/cert-svc
+ * Tag: cert-svc_1.0.1-13
+
+ -- Kidong Kim <kd0228.kim@samsung.com> Wed, 30 Nov 2011 16:17:49 +0900
+
+cert-svc (1.0.1-12) unstable; urgency=low
+
+ * add testcases
+ * Git: 165.213.180.234:slp/pkgs/c/cert-svc
+ * Tag: cert-svc_1.0.1-12
+
+ -- Kidong Kim <kd0228.kim@samsung.com> Fri, 14 Oct 2011 14:00:11 +0900
+
+cert-svc (1.0.1-11) unstable; urgency=low
+
+ * fix dependency problem
+ * Git: 165.213.180.234:slp/pkgs/c/cert-svc
+ * Tag: cert-svc_1.0.1-11
+
+ -- Kidong Kim <kd0228.kim@samsung.com> Mon, 29 Aug 2011 09:39:01 +0900
+
+cert-svc (1.0.1-10) unstable; urgency=low
+
+ * remove dnet dependency
+ * Git: 165.213.180.234:slp/pkgs/c/cert-svc
+ * Tag: cert-svc_1.0.1-10
+
+ -- Kidong Kim <kd0228.kim@samsung.com> Fri, 26 Aug 2011 10:18:08 +0900
+
+cert-svc (1.0.1-9) unstable; urgency=low
+
+ * fix name field parsing problem (temp)
+ * Git: 165.213.180.234:slp/pkgs/c/cert-svc
+ * Tag: cert-svc_1.0.1-9
+
+ -- Kidong Kim <kd0228.kim@samsung.com> Mon, 25 Jul 2011 17:22:13 +0900
+
+cert-svc (1.0.1-8) unstable; urgency=low
+
+ * fix search problem
+ * Git: 165.213.180.234:slp/pkgs/c/cert-svc
+ * Tag: cert-svc_1.0.1-8
+
+ -- Kidong Kim <kd0228.kim@samsung.com> Thu, 14 Jul 2011 10:04:11 +0900
+
+cert-svc (1.0.1-7) unstable; urgency=low
+
+ * fix install bug
+ * Git: 165.213.180.234:slp/pkgs/c/cert-svc
+ * Tag: cert-svc_1.0.1-7
+
+ -- Kidong Kim <kd0228.kim@samsung.com> Wed, 13 Jul 2011 12:27:53 +0900
+
+cert-svc (1.0.1-6) unstable; urgency=low
+
+ * fix boiler-plate
+ * Git: 165.213.180.234:slp/pkgs/c/cert-svc
+ * Tag: cert-svc_1.0.1-6
+
+ -- Kidong Kim <kd0228.kim@samsung.com> Wed, 13 Jul 2011 10:12:13 +0900
+
+cert-svc (1.0.1-5) unstable; urgency=low
+
+ * fix bug - verify certificate, postinst
+ * Git: 165.213.180.234:slp/pkgs/c/cert-svc
+ * Tag: cert-svc_1.0.1-5
+
+ -- Kidong Kim <kd0228.kim@samsung.com> Thu, 23 Jun 2011 15:27:48 +0900
+
+cert-svc (1.0.1-4) unstable; urgency=low
+
+ * fix bug - cannot calculate message length if message is not character string
+ * Git: 165.213.180.234:slp/pkgs/c/cert-svc
+ * Tag: cert-svc_1.0.1-4
+
+ -- Kidong Kim <kd0228.kim@samsung.com> Sat, 18 Jun 2011 12:56:47 +0900
+
+cert-svc (1.0.1-3) unstable; urgency=low
+
+ * fix full-build error
+ * Git: 165.213.180.234:slp/pkgs/c/cert-svc
+ * Tag: cert-svc_1.0.1-3
+
+ -- Kidong Kim <kd0228.kim@samsung.com> Tue, 14 Jun 2011 10:15:33 +0900
+
+cert-svc (1.0.1-2) unstable; urgency=low
+
+ * fix installation bug
+ * Git: 165.213.180.234:slp/pkgs/c/cert-svc
+ * Tag: cert-svc_1.0.1-2
+
+ -- Kidong Kim <kd0228.kim@samsung.com> Sat, 11 Jun 2011 10:36:30 +0900
+
+cert-svc (1.0.1-1) unstable; urgency=low
+
+ * add dpkg-pki-sig, fix some bugs
+ * Git: 165.213.180.234:slp/pkgs/c/cert-svc
+ * Tag: cert-svc_1.0.1-1
+
+ -- Kidong Kim <kd0228.kim@samsung.com> Fri, 10 Jun 2011 11:38:26 +0900
+
+cert-svc (1.0.0-1) unstable; urgency=low
+
+ * Initial Release
+ * Git: 165.213.180.234:slp/pkgs/c/cert-svc
+ * Tag: cert-svc_1.0.0-1
+
+ -- Kidong Kim <kd0228.kim@samsung.com> Tue, 07 Jun 2011 13:48:44 +0900
--- /dev/null
+/*
+ * Copyright (c) 2011 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+/*
+ * @file SignatureValidator.cpp
+ * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com)
+ * @version 1.0
+ * @brief Implementatin of tizen signature validation protocol.
+ */
+#include <vcore/SignatureValidator.h>
+
+#include <dpl/log/log.h>
+
+#include <vcore/CertificateVerifier.h>
+#include <vcore/Certificate.h>
+#include <vcore/OCSPCertMgrUtil.h>
+#include <vcore/ReferenceValidator.h>
+#include <vcore/ValidatorFactories.h>
+#include <vcore/XmlsecAdapter.h>
+
+namespace {
+const time_t TIMET_DAY = 60 * 60 * 24;
+
+const std::string TOKEN_ROLE_AUTHOR_URI =
+ "http://www.w3.org/ns/widgets-digsig#role-author";
+const std::string TOKEN_ROLE_DISTRIBUTOR_URI =
+ "http://www.w3.org/ns/widgets-digsig#role-distributor";
+const std::string TOKEN_PROFILE_URI =
+ "http://www.w3.org/ns/widgets-digsig#profile";
+} // namespace anonymouse
+
+namespace ValidationCore {
+
+class SignatureValidator::ImplSignatureValidator {
+public:
+ virtual SignatureValidator::Result check(
+ SignatureData &data,
+ const std::string &widgetContentPath) = 0;
+
+ explicit ImplSignatureValidator(bool ocspEnable,
+ bool crlEnable,
+ bool complianceMode)
+ : m_ocspEnable(ocspEnable)
+ , m_crlEnable(crlEnable)
+ , m_complianceModeEnabled(complianceMode)
+ {}
+
+ virtual ~ImplSignatureValidator(){}
+
+ bool checkRoleURI(const SignatureData &data) {
+ std::string roleURI = data.getRoleURI();
+
+ if (roleURI.empty()) {
+ LogWarning("URI attribute in Role tag couldn't be empty.");
+ return false;
+ }
+
+ if (roleURI != TOKEN_ROLE_AUTHOR_URI && data.isAuthorSignature()) {
+ LogWarning("URI attribute in Role tag does not "
+ "match with signature filename.");
+ return false;
+ }
+
+ if (roleURI != TOKEN_ROLE_DISTRIBUTOR_URI && !data.isAuthorSignature()) {
+ LogWarning("URI attribute in Role tag does not "
+ "match with signature filename.");
+ return false;
+ }
+ return true;
+ }
+
+ bool checkProfileURI(const SignatureData &data) {
+ if (TOKEN_PROFILE_URI != data.getProfileURI()) {
+ LogWarning(
+ "Profile tag contains unsupported value in URI attribute(" <<
+ data.getProfileURI() << ").");
+ return false;
+ }
+ return true;
+ }
+
+ bool checkObjectReferences(const SignatureData &data) {
+ ObjectList objectList = data.getObjectList();
+ ObjectList::const_iterator iter;
+ for (iter = objectList.begin(); iter != objectList.end(); ++iter) {
+ if (!data.containObjectReference(*iter)) {
+ LogWarning("Signature does not contain reference for object " <<
+ *iter);
+ return false;
+ }
+ }
+ return true;
+ }
+protected:
+ bool m_ocspEnable;
+ bool m_crlEnable;
+ bool m_complianceModeEnabled;
+};
+
+class ImplTizenSignatureValidator : public SignatureValidator::ImplSignatureValidator
+{
+ public:
+ SignatureValidator::Result check(SignatureData &data,
+ const std::string &widgetContentPath);
+
+ explicit ImplTizenSignatureValidator(bool ocspEnable,
+ bool crlEnable,
+ bool complianceMode)
+ : ImplSignatureValidator(ocspEnable, crlEnable, complianceMode)
+ {}
+
+ virtual ~ImplTizenSignatureValidator() {}
+};
+
+SignatureValidator::Result ImplTizenSignatureValidator::check(
+ SignatureData &data,
+ const std::string &widgetContentPath)
+{
+ bool disregard = false;
+
+ if (!checkRoleURI(data)) {
+ return SignatureValidator::SIGNATURE_INVALID;
+ }
+
+ if (!checkProfileURI(data)) {
+ return SignatureValidator::SIGNATURE_INVALID;
+ }
+
+ // CertificateList sortedCertificateList = data.getCertList();
+
+ CertificateCollection collection;
+ collection.load(data.getCertList());
+
+ // First step - sort certificate
+ if (!collection.sort()) {
+ LogWarning("Certificates do not form valid chain.");
+ return SignatureValidator::SIGNATURE_INVALID;
+ }
+
+ // Check for error
+ if (collection.empty()) {
+ LogWarning("Certificate list in signature is empty.");
+ return SignatureValidator::SIGNATURE_INVALID;
+ }
+
+ CertificateList sortedCertificateList = collection.getChain();
+
+ // TODO move it to CertificateCollection
+ // Add root CA and CA certificates (if chain is incomplete)
+ sortedCertificateList =
+ OCSPCertMgrUtil::completeCertificateChain(sortedCertificateList);
+
+ CertificatePtr root = sortedCertificateList.back();
+
+ // Is Root CA certificate trusted?
+ CertStoreId::Set storeIdSet = createCertificateIdentifier().find(root);
+
+ LogDebug("Is root certificate from WAC_PUBLISHER domain: "
+ << storeIdSet.contains(CertStoreId::WAC_PUBLISHER));
+ LogDebug("Is root certificate from WAC_DEVELOPER domain: "
+ << storeIdSet.contains(CertStoreId::DEVELOPER));
+ LogDebug("Is root certificate from WAC_ROOT domain: "
+ << storeIdSet.contains(CertStoreId::WAC_ROOT));
+ LogDebug("Is root certificate from WAC_MEMBER domain: "
+ << storeIdSet.contains(CertStoreId::WAC_MEMBER));
+ LogDebug("Is root certificate from TIZEN_MEMBER domain: "
+ << storeIdSet.contains(CertStoreId::TIZEN_MEMBER));
+ LogDebug("Is root certificate from TIZEN_ORANGE domain: "
+ << storeIdSet.contains(CertStoreId::ORANGE_LEGACY));
+
+ LogDebug(" visibility level is public : "
+ << storeIdSet.contains(CertStoreId::VIS_PUBLIC));
+ LogDebug(" visibility level is partner : "
+ << storeIdSet.contains(CertStoreId::VIS_PARTNER));
+ LogDebug(" visibility level is partner-operator : "
+ << storeIdSet.contains(CertStoreId::VIS_PARTNER_OPERATOR));
+ LogDebug(" visibility level is partner-manufacturer : "
+ << storeIdSet.contains(CertStoreId::VIS_PARTNER_MANUFACTURER));
+
+/*
+ // WAC chapter 3.2.1 - verified definition
+ if (data.isAuthorSignature()) {
+ if (!storeIdSet.contains(CertStoreId::WAC_PUBLISHER)) {
+ LogWarning("Author signature has got unrecognized Root CA "
+ "certificate. Signature will be disregarded.");
+ disregard = true;
+ }
+ LogDebug("Root CA for author signature is correct.");
+ } else {
+ if (!storeIdSet.contains(CertStoreId::DEVELOPER) &&
+ !storeIdSet.contains(CertStoreId::TIZEN_MEMBER))
+ {
+ LogWarning("Distiributor signature has got unrecognized Root CA "
+ "certificate. Signature will be disregarded.");
+ disregard = true;
+ } else
+ LogDebug("Root CA for distributor signature is correct.");
+ }
+ */
+
+ data.setStorageType(storeIdSet);
+ data.setSortedCertificateList(sortedCertificateList);
+
+ // We add only Root CA certificate because WAC ensure that the rest
+ // of certificates are present in signature files ;-)
+ XmlSec::XmlSecContext context;
+ context.signatureFile = data.getSignatureFileName();
+ context.certificatePtr = root;
+
+ // Now we should have full certificate chain.
+ // If the end certificate is not ROOT CA we should disregard signature
+ // but still signature must be valid... Aaaaaa it's so stupid...
+ if (!(root->isSignedBy(root))) {
+ LogWarning("Root CA certificate not found. Chain is incomplete.");
+ context.allowBrokenChain = true;
+ }
+
+ // WAC 2.0 SP-2066 The wrt must not block widget installation
+ // due to expiration of the author certificate.
+ time_t notAfter = data.getEndEntityCertificatePtr()->getNotAfter();
+ bool expired = notAfter < time(NULL);
+ if (data.isAuthorSignature() && expired) {
+ context.validationTime = notAfter - TIMET_DAY;
+ }
+ // end
+
+ if (XmlSec::NO_ERROR != XmlSecSingleton::Instance().validate(&context)) {
+ LogWarning("Installation break - invalid package!");
+ return SignatureValidator::SIGNATURE_INVALID;
+ }
+
+ data.setReference(context.referenceSet);
+
+ if (!checkObjectReferences(data)) {
+ return SignatureValidator::SIGNATURE_INVALID;
+ }
+
+ ReferenceValidator fileValidator(widgetContentPath);
+ if (ReferenceValidator::NO_ERROR != fileValidator.checkReferences(data)) {
+ LogWarning("Invalid package - file references broken");
+ return SignatureValidator::SIGNATURE_INVALID;
+ }
+
+ // It is good time to do OCSP check
+ // ocspCheck will throw an exception on any error.
+ // TODO Probably we should catch this exception and add
+ // some information to SignatureData.
+ if (!m_complianceModeEnabled && !data.isAuthorSignature()) {
+ CertificateCollection coll;
+ coll.load(sortedCertificateList);
+
+ if (!coll.sort()) {
+ LogDebug("Collection does not contain chain!");
+ return SignatureValidator::SIGNATURE_INVALID;
+ }
+
+ // If ORANGE_LEGACY is set we cannot check ocsp
+ bool runOCSP = storeIdSet.contains(CertStoreId::ORANGE_LEGACY) ?
+ false : m_ocspEnable;
+
+ CertificateVerifier verificator(runOCSP, m_crlEnable);
+ VerificationStatus result = verificator.check(coll);
+
+ if (result == VERIFICATION_STATUS_REVOKED) {
+ return SignatureValidator::SIGNATURE_REVOKED;
+ }
+
+ if (result == VERIFICATION_STATUS_UNKNOWN ||
+ result == VERIFICATION_STATUS_ERROR)
+ {
+ disregard = true;
+ }
+ }
+
+ if (disregard) {
+ LogWarning("Signature is disregard.");
+ return SignatureValidator::SIGNATURE_DISREGARD;
+ }
+ return SignatureValidator::SIGNATURE_VERIFIED;
+}
+
+class ImplWacSignatureValidator : public SignatureValidator::ImplSignatureValidator
+{
+ public:
+ SignatureValidator::Result check(SignatureData &data,
+ const std::string &widgetContentPath);
+
+ explicit ImplWacSignatureValidator(bool ocspEnable,
+ bool crlEnable,
+ bool complianceMode)
+ : ImplSignatureValidator(ocspEnable, crlEnable, complianceMode)
+ {}
+
+ virtual ~ImplWacSignatureValidator() {}
+};
+
+SignatureValidator::Result ImplWacSignatureValidator::check(
+ SignatureData &data,
+ const std::string &widgetContentPath)
+{
+ bool disregard = false;
+
+ if (!checkRoleURI(data)) {
+ return SignatureValidator::SIGNATURE_INVALID;
+ }
+
+ if (!checkProfileURI(data)) {
+ return SignatureValidator::SIGNATURE_INVALID;
+ }
+
+ // CertificateList sortedCertificateList = data.getCertList();
+
+ CertificateCollection collection;
+ collection.load(data.getCertList());
+
+ // First step - sort certificate
+ if (!collection.sort()) {
+ LogWarning("Certificates do not form valid chain.");
+ return SignatureValidator::SIGNATURE_INVALID;
+ }
+
+ // Check for error
+ if (collection.empty()) {
+ LogWarning("Certificate list in signature is empty.");
+ return SignatureValidator::SIGNATURE_INVALID;
+ }
+
+ CertificateList sortedCertificateList = collection.getChain();
+
+ // TODO move it to CertificateCollection
+ // Add root CA and CA certificates (if chain is incomplete)
+ sortedCertificateList =
+ OCSPCertMgrUtil::completeCertificateChain(sortedCertificateList);
+
+ CertificatePtr root = sortedCertificateList.back();
+
+ // Is Root CA certificate trusted?
+ CertStoreId::Set storeIdSet = createCertificateIdentifier().find(root);
+
+ LogDebug("Is root certificate from WAC_PUBLISHER domain: "
+ << storeIdSet.contains(CertStoreId::WAC_PUBLISHER));
+ LogDebug("Is root certificate from WAC_DEVELOPER domain: "
+ << storeIdSet.contains(CertStoreId::DEVELOPER));
+ LogDebug("Is root certificate from WAC_ROOT domain: "
+ << storeIdSet.contains(CertStoreId::WAC_ROOT));
+ LogDebug("Is root certificate from WAC_MEMBER domain: "
+ << storeIdSet.contains(CertStoreId::WAC_MEMBER));
+ LogDebug("Is root certificate from TIZEN_MEMBER domain: "
+ << storeIdSet.contains(CertStoreId::TIZEN_MEMBER));
+ LogDebug("Is root certificate from ORANGE_LEGACY domain: "
+ << storeIdSet.contains(CertStoreId::ORANGE_LEGACY));
+
+ LogDebug(" visibility level is public : "
+ << storeIdSet.contains(CertStoreId::VIS_PUBLIC));
+ LogDebug(" visibility level is partner : "
+ << storeIdSet.contains(CertStoreId::VIS_PARTNER));
+ LogDebug(" visibility level is partner-operator : "
+ << storeIdSet.contains(CertStoreId::VIS_PARTNER_OPERATOR));
+ LogDebug(" visibility level is partner-manufacturer : "
+ << storeIdSet.contains(CertStoreId::VIS_PARTNER_MANUFACTURER));
+
+ // WAC chapter 3.2.1 - verified definition
+ if (data.isAuthorSignature()) {
+ if (!storeIdSet.contains(CertStoreId::WAC_PUBLISHER)) {
+ LogWarning("Author signature has got unrecognized Root CA "
+ "certificate. Signature will be disregarded.");
+ disregard = true;
+ }
+ LogDebug("Root CA for author signature is correct.");
+ } else {
+ if (!storeIdSet.contains(CertStoreId::DEVELOPER) &&
+ !storeIdSet.contains(CertStoreId::WAC_ROOT) &&
+ !storeIdSet.contains(CertStoreId::WAC_MEMBER))
+ {
+ LogWarning("Distiributor signature has got unrecognized Root CA "
+ "certificate. Signature will be disregarded.");
+ disregard = true;
+ } else {
+ LogDebug("Root CA for distributor signature is correct.");
+ }
+ }
+
+ data.setStorageType(storeIdSet);
+ data.setSortedCertificateList(sortedCertificateList);
+
+ // We add only Root CA certificate because WAC ensure that the rest
+ // of certificates are present in signature files ;-)
+ XmlSec::XmlSecContext context;
+ context.signatureFile = data.getSignatureFileName();
+ context.certificatePtr = root;
+
+ // Now we should have full certificate chain.
+ // If the end certificate is not ROOT CA we should disregard signature
+ // but still signature must be valid... Aaaaaa it's so stupid...
+ if (!(root->isSignedBy(root))) {
+ LogWarning("Root CA certificate not found. Chain is incomplete.");
+ context.allowBrokenChain = true;
+ }
+
+ // WAC 2.0 SP-2066 The wrt must not block widget installation
+ // due to expiration of the author certificate.
+ time_t notAfter = data.getEndEntityCertificatePtr()->getNotAfter();
+ bool expired = notAfter < time(NULL);
+ if (data.isAuthorSignature() && expired) {
+ context.validationTime = notAfter - TIMET_DAY;
+ }
+ // end
+
+ if (XmlSec::NO_ERROR != XmlSecSingleton::Instance().validate(&context)) {
+ LogWarning("Installation break - invalid package!");
+ return SignatureValidator::SIGNATURE_INVALID;
+ }
+
+ data.setReference(context.referenceSet);
+
+ if (!checkObjectReferences(data)) {
+ return SignatureValidator::SIGNATURE_INVALID;
+ }
+
+ ReferenceValidator fileValidator(widgetContentPath);
+ if (ReferenceValidator::NO_ERROR != fileValidator.checkReferences(data)) {
+ LogWarning("Invalid package - file references broken");
+ return SignatureValidator::SIGNATURE_INVALID;
+ }
+
+ // It is good time to do OCSP check
+ // ocspCheck will throw an exception on any error.
+ // TODO Probably we should catch this exception and add
+ // some information to SignatureData.
+ if (!m_complianceModeEnabled && !data.isAuthorSignature()) {
+ CertificateCollection coll;
+ coll.load(sortedCertificateList);
+
+ if (!coll.sort()) {
+ LogDebug("Collection does not contain chain!");
+ return SignatureValidator::SIGNATURE_INVALID;
+ }
+
+ CertificateVerifier verificator(m_ocspEnable, m_crlEnable);
+ VerificationStatus result = verificator.check(coll);
+
+ if (result == VERIFICATION_STATUS_REVOKED) {
+ return SignatureValidator::SIGNATURE_REVOKED;
+ }
+
+ if (result == VERIFICATION_STATUS_UNKNOWN ||
+ result == VERIFICATION_STATUS_ERROR)
+ {
+ disregard = true;
+ }
+ }
+
+ if (disregard) {
+ LogWarning("Signature is disregard.");
+ return SignatureValidator::SIGNATURE_DISREGARD;
+ }
+ return SignatureValidator::SIGNATURE_VERIFIED;
+}
+
+// Implementation of SignatureValidator
+
+SignatureValidator::SignatureValidator(
+ AppType appType,
+ bool ocspEnable,
+ bool crlEnable,
+ bool complianceMode)
+ : m_impl(0)
+{
+ if (appType == TIZEN)
+ m_impl = new ImplTizenSignatureValidator(ocspEnable,crlEnable,complianceMode);
+ else
+ m_impl = new ImplWacSignatureValidator(ocspEnable,crlEnable,complianceMode);
+}
+
+SignatureValidator::~SignatureValidator() {
+ delete m_impl;
+}
+
+SignatureValidator::Result SignatureValidator::check(
+ SignatureData &data,
+ const std::string &widgetContentPath)
+{
+ return m_impl->check(data, widgetContentPath);
+}
+
+} // namespace ValidationCore
+
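Review bot: In `ImplTizenSignatureValidator::check` nothing ties the result to a trusted root: the store-membership block is commented out, and the `!(root->isSignedBy(root))` branch only sets `context.allowBrokenChain = true`, although the comment above it says such a signature should be disregarded. For an author signature, or with compliance mode on, the revocation block is skipped as well, so `disregard` stays false and the function can return `SIGNATURE_VERIFIED` for a chain that ends in no recognised root. I would add `disregard = true;` next to `context.allowBrokenChain = true;`; the same branch in `ImplWacSignatureValidator::check` has the same gap, though there the store check presumably catches it. The Tizen path should also either restore a store check or carry a comment stating that callers must gate on `data.getStorageType()`, since whether they do is not visible in this hunk.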