* Integrate SignatureValidator and WrtSignatureValidator with checkReference param flag
* Client doesn't need to initialize xml before using SignatureValidator. SignatureValidator initializes it internally.
* Make SignatureValidator a static function so that it is convenient to use.
* OCSPCertMgrUtil moved to certificate collection
* Exclude some headers which are used only inside SignatureValidator
- CertificateCollection
- SignatureReader
- ParserSchema
- SaxReader
- Base64 : use certvsc/ccert.h API or member functions in Certificate.h instead
- CryptoHash : not used anymore in 3.0
Change-Id: Ifde1768c51fc0eea2ad8a0e3c78b098ae46f02d3
Signed-off-by: Kyungwook Tak <k.tak@samsung.com>
ADD_DEFINITIONS("-DFINGERPRINT_LIST_PATH=\"${TZ_SYS_SHARE}/ca-certificates/fingerprint/fingerprint_list.xml\"")
ADD_DEFINITIONS("-DFINGERPRINT_LIST_SCHEMA_PATH=\"${TZ_SYS_SHARE}/ca-certificates/fingerprint/fingerprint_list.xsd\"")
ADD_DEFINITIONS("-DROOT_CA_CERTS_DIR=\"${TZ_SYS_SHARE}/ca-certificates/\"")
+ADD_DEFINITIONS("-DSIGNATURE_SCHEMA_PATH=\"${TZ_SYS_RO_WRT_ENGINE}/schema.xsd\"")
ADD_DEFINITIONS("-DCERTSVC_DIR=\"${TZ_SYS_SHARE}/cert-svc/certs/\"")
ADD_DEFINITIONS("-DCERTSVC_PKCS12_STORAGE_DIR=\"${TZ_SYS_SHARE}/cert-svc/pkcs12/\"")
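Review bot: `SIGNATURE_SCHEMA_PATH` is the only definition in this group built from `TZ_SYS_RO_WRT_ENGINE` rather than `TZ_SYS_SHARE`, and nothing in the hunk shows that variable being set; if it is empty, the compiled-in schema path becomes `/schema.xsd`. The commit message says the validator now initialises XML handling internally, so presumably this path is what it loads, and a wrong value would only show up at run time. A guard before this line, `IF(NOT TZ_SYS_RO_WRT_ENGINE) MESSAGE(FATAL_ERROR "TZ_SYS_RO_WRT_ENGINE is not set") ENDIF()`, would turn a misconfigured build into an error. The rest of the file is outside the hunk, so the variable may already be validated elsewhere.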
Name: cert-svc-vcore
Description: cert-svc-vcore
Version: @VERSION@
-Requires: cert-svc libxml-2.0 libxslt openssl libsoup-2.4 xmlsec1 db-util
+Requires: cert-svc libxml-2.0 libxslt openssl xmlsec1
Libs: -L${libdir} -lcert-svc-vcore
Cflags: -I${includedir}/cert-svc
BuildRequires: pkgconfig(xmlsec1)
BuildRequires: pkgconfig(libxml-2.0)
BuildRequires: pkgconfig(libxslt)
-BuildRequires: pkgconfig(icu-i18n)
-BuildRequires: pkgconfig(libsoup-2.4)
BuildRequires: pkgconfig(db-util)
BuildRequires: pkgconfig(libsystemd-daemon)
BuildRequires: pkgconfig(key-manager)
int count = 0;
CREATE_INSTANCE
- //start time
- clock_t tic = clock();
size_t length = 0;
result = certsvc_pkcs12_get_certificate_list_from_store(instance, storeType, DISABLED, &certList, &length);
RUNNER_ASSERT_MSG(result==CERTSVC_SUCCESS, "Getting certificate list from system store failed");
- clock_t toc = clock();
- //time end
if(result == CERTSVC_SUCCESS)
{
tmpNode = certList;
}
/* Set the status of the certificate to disabled/enabled in system store and get the status */
-RUNNER_TEST(CERTSVC_PKCS12_1002_certsvc_set_cert_to_disabled_and_get_status_for_system_store) {
-
- char *gname = "Certum_Root_CA.pem";
+RUNNER_TEST(CERTSVC_PKCS12_1002_certsvc_set_cert_to_disabled_and_get_status_for_system_store)
+{
CertStoreType storeType = SYSTEM_STORE;
CertStatus Status;
CertStatus status;
CREATE_INSTANCE
- Alias.privateHandler = gname;
- Alias.privateLength = strlen((const char*)gname);
+ result = certsvc_string_new(instance, "Certum_Root_CA.pem", strlen("Certum_Root_CA.pem"), &Alias);
+ RUNNER_ASSERT_MSG(result == CERTSVC_SUCCESS, "certsvc_string_new failed. result : " << result);
result = certsvc_pkcs12_get_certificate_status_from_store(instance, storeType, Alias, &status);
RUNNER_ASSERT_MSG(result==CERTSVC_SUCCESS, "Get certificate status from system store failed.");
result = certsvc_pkcs12_get_certificate_status_from_store(instance, storeType, Alias, &status);
RUNNER_ASSERT_MSG(result==CERTSVC_SUCCESS, "Get certificate status from system store failed.");
+ certsvc_string_free(Alias);
+
FREE_INSTANCE
}
/* Install a CRT file to individual stores */
-RUNNER_TEST(CERTSVC_PKCS12_1003_add_pem_file_in_individual_store) {
-
- char path[] = "/usr/share/cert-svc/tests/wifi-server.pem";
+RUNNER_TEST(CERTSVC_PKCS12_1003_add_pem_file_in_individual_store)
+{
CertSvcStoreCertList* certList = NULL;
CertSvcStoreCertList* tmpNode = NULL;
CertSvcStoreCertList* tmp = NULL;
- char* pass = NULL;
CertStoreType type;
int result;
size_t length = 0;
const char *temp = NULL;
CertSvcCertificate certificate;
+ CertSvcString Alias;
+ CertSvcString Path;
+ CertSvcString Pass;
+
CREATE_INSTANCE
- CertSvcString Alias, Path, Pass;
- Pass.privateHandler = pass;
- Path.privateHandler = path;
- Path.privateLength = strlen(path);
+ Pass.privateHandler = NULL;
+
+ const char *path = "/usr/share/cert-svc/tests/wifi-server.pem";
+ result = certsvc_string_new(instance, path, strlen(path), &Path);
+ RUNNER_ASSERT_MSG(result == CERTSVC_SUCCESS, "certsvc_string_new failed. result : " << result);
type = WIFI_STORE;
- Alias.privateHandler = "PEM-wifi-server-1";
- Alias.privateLength = strlen(Alias.privateHandler);
+ const char *cAlias = "PEM-wifi-server-1";
+ result = certsvc_string_new(instance, cAlias, strlen(cAlias), &Alias);
+ RUNNER_ASSERT_MSG(result == CERTSVC_SUCCESS, "certsvc_string_new failed. result : " << result);
+
result = certsvc_pkcs12_import_from_file_to_store(instance, type, Path, Pass, Alias);
RUNNER_ASSERT_MSG(result==CERTSVC_SUCCESS, "Importing PEM file to WIFI store failed.");
+ certsvc_string_free(Alias);
type = VPN_STORE;
- Alias.privateHandler = "PEM-wifi-server-2";
- Alias.privateLength = strlen(Alias.privateHandler);
+ cAlias = "PEM-wifi-server-2";
+ result = certsvc_string_new(instance, cAlias, strlen(cAlias), &Alias);
+ RUNNER_ASSERT_MSG(result == CERTSVC_SUCCESS, "certsvc_string_new failed. result : " << result);
result = certsvc_pkcs12_import_from_file_to_store(instance, type, Path, Pass, Alias);
RUNNER_ASSERT_MSG(result==CERTSVC_SUCCESS, "Importing PEM file to VPN store failed.");
+ certsvc_string_free(Alias);
type = EMAIL_STORE;
- Alias.privateHandler = "PEM-wifi-server-3";
- Alias.privateLength = strlen(Alias.privateHandler);
+ cAlias = "PEM-wifi-server-3";
+ result = certsvc_string_new(instance, cAlias, strlen(cAlias), &Alias);
+ RUNNER_ASSERT_MSG(result == CERTSVC_SUCCESS, "certsvc_string_new failed. result : " << result);
+
result = certsvc_pkcs12_import_from_file_to_store(instance, type, Path, Pass, Alias);
RUNNER_ASSERT_MSG(result==CERTSVC_SUCCESS, "Importing PEM file to EMAIL store failed.");
+ certsvc_string_free(Alias);
type = (CertStoreType) (WIFI_STORE | VPN_STORE | EMAIL_STORE);
result = certsvc_pkcs12_get_certificate_list_from_store(instance, type, DISABLED, &certList, &length);
RUNNER_ASSERT_MSG(result==CERTSVC_SUCCESS, "Getting certificate list from store failed.");
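Review bot: `Pass` is handed by value to `certsvc_pkcs12_import_from_file_to_store` three times with only `privateHandler` assigned (`Pass.privateHandler = NULL;`), so its `privateLength` is indeterminate whenever the callee reads it. Value-initialise it at the declaration instead, `CertSvcString Pass = {};`, which also covers any field this hunk does not show. If `RUNNER_ASSERT_MSG` leaves the test on failure (its definition is not visible here), a failed import also skips the `certsvc_string_free(Alias)` that follows it; a short comment saying the leak on failure is accepted in test code would make that deliberate.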
certList1=certList;
count = 0;
- while(certList!=NULL)
- {
- gname.privateHandler = (char *)certList->gname;
- gname.privateLength = strlen(certList->gname);
+ while (certList) {
result = certsvc_pkcs12_get_certificate_from_store(instance, certList->storeType, certList->gname, &certificate);
RUNNER_ASSERT_MSG(result==CERTSVC_SUCCESS, "Failed to get certificate from store.");
certList=NULL;
certList1=NULL;
+ certsvc_string_free(Path);
+
FREE_INSTANCE
}
int result = CERTSVC_SUCCESS;
size_t length = 0;
CertSvcString gname;
- char *privatekey_path = NULL;
+ const char *privatekey_path = "/usr/share/cert-svc/pkcs12/temp.txt";
EVP_PKEY *privatekey = NULL;
CREATE_INSTANCE
result = certsvc_pkcs12_dup_evp_pkey_from_store(instance, storeType, gname, &privatekey);
RUNNER_ASSERT_MSG(result==CERTSVC_SUCCESS, "Getting duplicate private key from store failed.");
- privatekey_path = g_strdup_printf("%s", "/usr/share/cert-svc/pkcs12/temp.txt");
if ((fp = fopen(privatekey_path, "w")) == NULL) {
result = CERTSVC_FAIL;
RUNNER_ASSERT_MSG(result==CERTSVC_SUCCESS, "Failed to open file for writing.");
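Review bot: The key obtained from `certsvc_pkcs12_dup_evp_pkey_from_store` is headed for a fixed path opened with `fopen(privatekey_path, "w")`, which creates the file with umask-default permissions. If what gets written there is the private key (the write itself is outside the hunk), create the file owner-only, `int fd = open(privatekey_path, O_WRONLY | O_CREAT | O_TRUNC, 0600);` followed by `fp = fdopen(fd, "w");`, and remove the file before `FREE_INSTANCE`. The test body starts and ends outside the hunk, so whether cleanup already happens cannot be seen from here.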
X509 *x509 = NULL;
FILE *fp = NULL;
EVP_PKEY *privatekey = NULL;
- char *privatekey_path = NULL;
- char *ca_cert_path = NULL;
- char *user_cert_path = NULL;
+ char privatekey_path[512];
+ char ca_cert_path[512];
+ char user_cert_path[512];
int cert_index = 0;
CREATE_INSTANCE
result = certsvc_certificate_list_get_length(cert_list, &cert_counts);
RUNNER_ASSERT_MSG(cert_counts >= 1, "there is no certificates");
- selected_certificate = g_try_new0(CertSvcCertificate, cert_counts);
+ selected_certificate = new CertSvcCertificate[cert_counts];
RUNNER_ASSERT_MSG(selected_certificate != NULL, "failed to allocate memory");
result = certsvc_certificate_list_get_one(cert_list, 0, &user_certificate);
result = certsvc_certificate_dup_x509(user_certificate, &x509);
- user_cert_path = g_strdup_printf("/usr/share/cert-svc/pkcs12/file_%d", count++);
+ sprintf(user_cert_path, "/usr/share/cert-svc/pkcs12/file_%d", count++);
fp = fopen(user_cert_path, "w");
RUNNER_ASSERT_MSG(fp != NULL, "Failed to open the file for writing");
cert_index = cert_counts - 1;
selected_certificate[0] = user_certificate;
- ca_cert_path = g_strdup_printf("%s%s_%s", EAP_TLS_PATH, certList->gname, EAP_TLS_CA_CERT_PATH);
+ sprintf(ca_cert_path, "%s%s_%s", EAP_TLS_PATH, certList->gname, EAP_TLS_CA_CERT_PATH);
while (cert_index) {
result = certsvc_certificate_list_get_one(cert_list, cert_index, &ca_certificate);
RUNNER_ASSERT_MSG(result==CERTSVC_SUCCESS, "Failed to certsvc_certificate_list_get_one");
result = certsvc_pkcs12_dup_evp_pkey_from_store(instance, WIFI_STORE, Alias, &privatekey);
RUNNER_ASSERT_MSG(result==CERTSVC_SUCCESS, "Failed to duplicate the private key for a certificate from wifi store");
- privatekey_path = g_strdup_printf("%s%s_%s", EAP_TLS_PATH, certList->gname, EAP_TLS_PRIVATEKEY_PATH);
-
+ sprintf(privatekey_path, "%s%s_%s", EAP_TLS_PATH, certList->gname, EAP_TLS_PRIVATEKEY_PATH);
fp = fopen(privatekey_path, "w");
RUNNER_ASSERT_MSG(fp != NULL, "Failed to open the file for writing");
certsvc_pkcs12_free_evp_pkey(privatekey);
}
+ delete []selected_certificate;
+
FREE_INSTANCE
}
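Review bot: The three `sprintf` calls write into fixed `char[512]` buffers with no bound, and two of them format `certList->gname`, which comes from the certificate store rather than from the test; the `g_strdup_printf` calls they replace sized the result themselves. Use `snprintf(ca_cert_path, sizeof(ca_cert_path), "%s%s_%s", EAP_TLS_PATH, certList->gname, EAP_TLS_CA_CERT_PATH);` (likewise for `privatekey_path` and `user_cert_path`) and assert that the return value is non-negative and smaller than the buffer size before calling `fopen`. Separately, `new CertSvcCertificate[cert_counts]` throws on failure instead of returning NULL, so the `selected_certificate != NULL` assertion can no longer fire, and any assertion that leaves the test early skips `delete []selected_certificate`; a `std::vector<CertSvcCertificate>` would cover both. Parts of this test lie outside the visible hunks.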
*/
#include <string>
-
#include <dpl/test/test_runner.h>
-#include <vcore/CryptoHash.h>
#include <vcore/SignatureFinder.h>
-#include <vcore/SignatureReader.h>
#include <vcore/SignatureValidator.h>
-#include <vcore/WrtSignatureValidator.h>
#include "TestEnv.h"
-#include <vcore/RevocationCheckerBase.h>
namespace {
const std::string widget_partner_operator_path =
"/usr/apps/widget/tests/vcore_widget_uncompressed_partner_operator/";
-inline const char* GetSignatureXmlSchema()
-{
- return "/usr/share/wrt-engine/schema.xsd";
-}
-
const std::string keys_path = "/usr/apps/widget/tests/vcore_keys/";
const std::string widget_store_path = "/usr/apps/widget/tests/vcore_widgets/";
"9p58Enf5DWMrh17SPH586yIJeiWZtPez9G54ftY+XIqfn0X0zso0dnoXNJQYS043"
"/5vSnoHdRx/EmN8yjeEavZtC48moN0iJ38eB44uKgCD77rZW5s1XqA==";
-//class TestCleanup
-//{
-// public:
-// explicit TestCleanup(bool bCheckForFakeVerification = false)
-// {
-// if (bCheckForFakeVerification) {
-// bool bUnsetEnvVar = true;
-//
-// m_strEnvVar = "CHECK_ONLY_DOMAIN_INSTEAD_OF_VALIDATION";
-// if (getenv(m_strEnvVar.c_str()) != NULL) {
-// bUnsetEnvVar = false;
-// } else {
-// setenv(m_strEnvVar.c_str(), "1", 0);
-// }
-// }
-// }
-//
-// ~TestCleanup()
-// {
-// if (!m_strRootCAPath.empty()) {
-// removeCertGivenByFilename(m_strRootCAPath.c_str());
-// }
-//
-// if (!m_strEnvVar.empty()) {
-// unsetenv(m_strEnvVar.c_str());
-// }
-// }
-//
-// void setRootCAPath(const std::string& strRootCAPath)
-// {
-// m_strRootCAPath = strRootCAPath;
-// }
-//
-// private:
-// std::string m_strRootCAPath;
-// std::string m_strEnvVar;
-//};
-//
-//class PolicyChanger : public VcoreDPL::Event::EventListener<AceUpdateResponseEvent>
-//{
-// public:
-// PolicyChanger()
-// {
-// VcoreDPL::Event::EventDeliverySystem::AddListener<AceUpdateResponseEvent>(this);
-// }
-//
-// ~PolicyChanger()
-// {
-// VcoreDPL::Event::EventDeliverySystem::RemoveListener<AceUpdateResponseEvent>(this);
-// }
-//
-// void OnEventReceived(const AceUpdateResponseEvent& event)
-// {
-// if (0 != event.GetArg0()) {
-// LogError("Policy change failed");
-// }
-// Assert(0 == event.GetArg0() && "Policy change failed");
-// LoopControl::finish_wait_for_wrt_init();
-// }
-//
-// void updatePolicy(const std::string& path)
-// {
-// AceUpdateRequestEvent event(path);
-// VcoreDPL::Event::EventDeliverySystem::Publish(event);
-// LoopControl::wait_for_wrt_init();
-// }
-//};
-
} // namespace anonymous
using namespace ValidationCore;
-//////////////////////////////////////////////////
-//////// VALIDATION CORE TEST SUITE ////////////
-//////////////////////////////////////////////////
-
/*
* test: Class SignatureFinder
* description: SignatureFinder should search directory passed as
RUNNER_ASSERT_MSG(
SignatureFinder::NO_ERROR == signatureFinder.find(signatureSet),
"SignatureFinder failed");
- RUNNER_ASSERT_MSG(signatureSet.size() == 3,
- "Some signature has not been found");
-
- SignatureFileInfo first = *(signatureSet.begin());
- RUNNER_ASSERT_MSG(
- std::string("author-signature.xml") == first.getFileName(),
- "Author Signature");
- RUNNER_ASSERT_MSG(-1 == first.getFileNumber(), "Wrong signature number.");
- first = *(signatureSet.rbegin());
- RUNNER_ASSERT_MSG(std::string("signature22.xml") == first.getFileName(),
- "Wrong signature fileName.");
- RUNNER_ASSERT_MSG(22 == first.getFileNumber(), "Wrong signature number.");
-}
-
-/*
- * test: Class SignatureReader
- * description: SignatureReader should parse widget digigal signaturesignature
- * without any errors. Path to signature is passed to constructor.
- * param of destructor.
- * expected: SignatureReader should not throw any exception.
- */
-RUNNER_TEST(test02_signature_reader)
-{
- SignatureFileInfoSet signatureSet;
- SignatureFinder signatureFinder(widget_path);
- RUNNER_ASSERT_MSG(
- SignatureFinder::NO_ERROR == signatureFinder.find(signatureSet),
- "SignatureFinder failed");
-
- SignatureFileInfoSet::reverse_iterator iter = signatureSet.rbegin();
-
- for (; iter != signatureSet.rend(); ++iter) {
- SignatureData data(widget_path + iter->getFileName(),
- iter->getFileNumber());
- SignatureReader xml;
- xml.initialize(data, GetSignatureXmlSchema());
- xml.read(data);
- }
+ RUNNER_ASSERT_MSG(signatureSet.size() == 3, "Some signature has not been found");
+
+ int count = 0;
+
+ auto iter = signatureSet.begin();
+ SignatureFileInfo fileInfo = *iter++;
+ std::string fileName = fileInfo.getFileName();
+ int fileNum = fileInfo.getFileNumber();
+ if ((fileName.find("author-signature.xml") != std::string::npos && fileNum == -1)
+ || (fileName.find("signature1.xml") != std::string::npos && fileNum == 1)
+ || (fileName.find("signature22.xml") != std::string::npos && fileNum == 22))
+ count++;
+ RUNNER_ASSERT_MSG(iter != signatureSet.end(), "There should be more items");
+
+ fileInfo = *iter++;
+ fileName = fileInfo.getFileName();
+ fileNum = fileInfo.getFileNumber();
+ if ((fileName.find("author-signature.xml") != std::string::npos && fileNum == -1)
+ || (fileName.find("signature1.xml") != std::string::npos && fileNum == 1)
+ || (fileName.find("signature22.xml") != std::string::npos && fileNum == 22))
+ count++;
+ RUNNER_ASSERT_MSG(iter != signatureSet.end(), "There should be more items");
+
+ fileInfo = *iter++;
+ fileName = fileInfo.getFileName();
+ fileNum = fileInfo.getFileNumber();
+ if ((fileName.find("author-signature.xml") != std::string::npos && fileNum == -1)
+ || (fileName.find("signature1.xml") != std::string::npos && fileNum == 1)
+ || (fileName.find("signature22.xml") != std::string::npos && fileNum == 22))
+ count++;
+ RUNNER_ASSERT_MSG(iter == signatureSet.end(), "It should be last item");
+
+ RUNNER_ASSERT_MSG(count == 3, "Wrong signature file count.");
}
/*
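Review bot: The same three-way name/number match is written out three times with the iterator advanced by hand between the copies; one loop over `signatureSet`, placed after the `size() == 3` assertion, does the same counting without the copy-paste. `find(...) != std::string::npos` also accepts any name that merely contains `signature1.xml`, whereas the removed assertions compared the whole name with `==`; if `getFileName()` still returns the bare file name, an exact comparison keeps the test as strict as before. The start of the test function is outside the hunk.

```cpp
// … unchanged: find() and size() == 3 assertions …
int count = 0;

for (const SignatureFileInfo &fileInfo : signatureSet) {
    const std::string fileName = fileInfo.getFileName();
    const int fileNum = fileInfo.getFileNumber();
    if ((fileName.find("author-signature.xml") != std::string::npos && fileNum == -1)
        || (fileName.find("signature1.xml") != std::string::npos && fileNum == 1)
        || (fileName.find("signature22.xml") != std::string::npos && fileNum == 22))
        count++;
}

RUNNER_ASSERT_MSG(count == 3, "Wrong signature file count.");
```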
* expected: Verificator should DISREGARD author signature and VERIFY
* distrubutor signature.
*/
-RUNNER_TEST(test03t01_wrtsignature_validator)
+RUNNER_TEST(test03t01_signature_validator)
{
SignatureFileInfoSet signatureSet;
SignatureFinder signatureFinder(widget_path);
SignatureFinder::NO_ERROR == signatureFinder.find(signatureSet),
"SignatureFinder failed");
- SignatureFileInfoSet::reverse_iterator iter = signatureSet.rbegin();
- for (; iter != signatureSet.rend(); ++iter) {
- SignatureData data(widget_path + iter->getFileName(),
- iter->getFileNumber());
- SignatureReader xml;
- xml.initialize(data, GetSignatureXmlSchema());
- xml.read(data);
-
- WrtSignatureValidator validator(
- WrtSignatureValidator::WAC20,
- false,
- false,
- false);
-
- if (data.isAuthorSignature()) {
- RUNNER_ASSERT_MSG(
- WrtSignatureValidator::SIGNATURE_DISREGARD ==
- validator.check(data, widget_path),
+ for (SignatureFileInfoSet::reverse_iterator iter = signatureSet.rbegin();
+ iter != signatureSet.rend();
+ ++iter) {
+ SignatureData data;
+ SignatureValidator::Result valResult = SignatureValidator::check(
+ *iter,
+ widget_path,
+ false,
+ true,
+ data);
+
+ if (data.isAuthorSignature())
+ RUNNER_ASSERT_MSG(valResult == SignatureValidator::SIGNATURE_DISREGARD,
"Validation failed");
- } else {
+ else
if (data.getSignatureNumber() == 1)
- {
- WrtSignatureValidator::Result temp = validator.check(data, widget_path);
-
- RUNNER_ASSERT_MSG(
- WrtSignatureValidator::SIGNATURE_DISREGARD ==
- temp,
- "Validation failed");
-
- }
+ RUNNER_ASSERT_MSG(valResult == SignatureValidator::SIGNATURE_DISREGARD,
+ "Validation failed");
else
- {
- WrtSignatureValidator::Result temp = validator.check(data, widget_path);
-
- RUNNER_ASSERT_MSG(
- WrtSignatureValidator::SIGNATURE_VERIFIED ==
- temp,
- "Validation failed");
- }
- }
+ RUNNER_ASSERT_MSG(valResult == SignatureValidator::SIGNATURE_VERIFIED,
+ "Validation failed");
}
}
-RUNNER_TEST(test03t02_wrtsignature_validator_negative_hash_input)
+RUNNER_TEST(test03t02_signature_validator_negative_hash_input)
{
SignatureFileInfoSet signatureSet;
SignatureFinder signatureFinder(widget_negative_hash_path);
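Review bot: The bare `false, true` passed to `SignatureValidator::check` gives no hint which checks are switched on, and the test04 calls further down pass `false, false` instead, so a swapped or mistyped flag would silently change what the test validates. Add a comment naming each flag at the call site, for example `true, /* checkReference */` if the second bool is the flag the commit message mentions; the meaning of the first is not visible on this page. The same applies to the `check` calls in test03t02 to test03t04 and in the test04 series. The braceless `if`/`else` chain around `RUNNER_ASSERT_MSG` also relies on that macro expanding to a single statement, so braces there would be safer.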
SignatureFinder::NO_ERROR == signatureFinder.find(signatureSet),
"SignatureFinder failed");
- SignatureFileInfoSet::reverse_iterator iter = signatureSet.rbegin();
- for (; iter != signatureSet.rend(); ++iter) {
- SignatureData data(widget_negative_hash_path + iter->getFileName(),
- iter->getFileNumber());
- SignatureReader xml;
- xml.initialize(data, GetSignatureXmlSchema());
- xml.read(data);
-
- WrtSignatureValidator validator(
- WrtSignatureValidator::WAC20,
- false,
- false,
- false);
-
- int temp = validator.check(data, widget_negative_hash_path);
- RUNNER_ASSERT_MSG(
- (WrtSignatureValidator::SIGNATURE_INVALID == temp
- || WrtSignatureValidator::SIGNATURE_DISREGARD == temp),
- "Wrong input file but success.. Errorcode : " << wrtValidatorErrorToString(temp));
+ for (SignatureFileInfoSet::reverse_iterator iter = signatureSet.rbegin();
+ iter != signatureSet.rend();
+ ++iter) {
+ SignatureData data;
+ SignatureValidator::Result valResult = SignatureValidator::check(
+ *iter,
+ widget_negative_hash_path,
+ false,
+ true,
+ data);
+ if (!data.isAuthorSignature())
+ RUNNER_ASSERT_MSG(valResult == SignatureValidator::SIGNATURE_INVALID,
+ "Wrong input file but success.. Errorcode : " << validatorErrorToString(valResult));
+ else
+ RUNNER_ASSERT_MSG(valResult == SignatureValidator::SIGNATURE_DISREGARD,
+ "Wrong input file but success.. Errorcode : " << validatorErrorToString(valResult));
}
}
-RUNNER_TEST(test03t03_wrtsignature_validator_negative_signature_input)
+RUNNER_TEST(test03t03_signature_validator_negative_signature_input)
{
SignatureFileInfoSet signatureSet;
SignatureFinder signatureFinder(widget_negative_signature_path);
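Review bot: The expected result is chosen from `data.isAuthorSignature()`, but `data` is now default-constructed and only filled by `check()`, so in this negative test the branch taken depends on how much of `data` the validator populated before rejecting the input. The removed code built `SignatureData` from the file name and number before validating. Deciding from the finder's record instead, e.g. `const bool isAuthor = (iter->getFileNumber() == -1);` (the value the finder test expects for author-signature.xml), keeps the expectation independent of the code under test. The same pattern recurs in test03t03 and in the test04 negative cases.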
SignatureFinder::NO_ERROR == signatureFinder.find(signatureSet),
"SignatureFinder failed");
- SignatureFileInfoSet::reverse_iterator iter = signatureSet.rbegin();
- for (; iter != signatureSet.rend(); ++iter) {
- SignatureData data(widget_negative_signature_path + iter->getFileName(),
- iter->getFileNumber());
- SignatureReader xml;
- xml.initialize(data, GetSignatureXmlSchema());
- xml.read(data);
-
- WrtSignatureValidator validator(
- WrtSignatureValidator::WAC20,
- false,
- false,
- false);
-
- int temp = validator.check(data, widget_negative_signature_path);
- RUNNER_ASSERT_MSG(
- (WrtSignatureValidator::SIGNATURE_INVALID == temp
- || WrtSignatureValidator::SIGNATURE_DISREGARD == temp),
- "Wrong input file but success.. Errorcode : " << wrtValidatorErrorToString(temp));
+ for (SignatureFileInfoSet::reverse_iterator iter = signatureSet.rbegin();
+ iter != signatureSet.rend();
+ ++iter) {
+ SignatureData data;
+ SignatureValidator::Result valResult = SignatureValidator::check(
+ *iter,
+ widget_negative_signature_path,
+ false,
+ true,
+ data);
+
+ if (!data.isAuthorSignature())
+ RUNNER_ASSERT_MSG(valResult == SignatureValidator::SIGNATURE_INVALID,
+ "Wrong input file but success.. Errorcode : " << validatorErrorToString(valResult));
+ else
+ RUNNER_ASSERT_MSG(valResult == SignatureValidator::SIGNATURE_DISREGARD,
+ "Wrong input file but success.. Errorcode : " << validatorErrorToString(valResult));
}
}
-RUNNER_TEST(test03t04_wrtsignature_validator_partner)
+RUNNER_TEST(test03t04_signature_validator_partner)
{
SignatureFileInfoSet signatureSet;
SignatureFinder signatureFinder(widget_partner_path);
SignatureFinder::NO_ERROR == signatureFinder.find(signatureSet),
"SignatureFinder failed");
- SignatureFileInfoSet::reverse_iterator iter = signatureSet.rbegin();
- for (; iter != signatureSet.rend(); ++iter) {
- SignatureData data(widget_partner_path + iter->getFileName(),
- iter->getFileNumber());
- SignatureReader xml;
- xml.initialize(data, GetSignatureXmlSchema());
- xml.read(data);
-
- WrtSignatureValidator validator(
- WrtSignatureValidator::WAC20,
- false,
- false,
- false);
-
- int temp = validator.check(data, widget_partner_path);
- RUNNER_ASSERT_MSG(
- WrtSignatureValidator::SIGNATURE_VERIFIED == temp,
- "Wrong input file but success.. Errorcode : " << wrtValidatorErrorToString(temp));
+ for (SignatureFileInfoSet::reverse_iterator iter = signatureSet.rbegin();
+ iter != signatureSet.rend();
+ ++iter) {
+ SignatureData data;
+ SignatureValidator::Result valResult = SignatureValidator::check(
+ *iter,
+ widget_partner_path,
+ false,
+ true,
+ data);
+
+ RUNNER_ASSERT_MSG(valResult == SignatureValidator::SIGNATURE_VERIFIED,
+ "Wrong input file but success.. Errorcode : " << validatorErrorToString(valResult));
if (!data.isAuthorSignature()) {
RUNNER_ASSERT_MSG(
data.getVisibilityLevel() == CertStoreId::VIS_PARTNER,
}
}
}
-/* // no partner_operator certificate in kiran emlulator
-RUNNER_TEST(test03t05_wrtsignature_validator_partner_operator)
-{
- SignatureFileInfoSet signatureSet;
- SignatureFinder signatureFinder(widget_partner_operator_path);
- LogError("Size: " << signatureSet.size());
- RUNNER_ASSERT_MSG(
- SignatureFinder::NO_ERROR == signatureFinder.find(signatureSet),
- "SignatureFinder failed");
-
- SignatureFileInfoSet::reverse_iterator iter = signatureSet.rbegin();
- LogError("Size: " << signatureSet.size());
- for (; iter != signatureSet.rend(); ++iter) {
- SignatureData data(widget_partner_operator_path + iter->getFileName(),
- iter->getFileNumber());
- SignatureReader xml;
- xml.initialize(data, GetSignatureXmlSchema());
- xml.read(data);
-
- WrtSignatureValidator validator(
- WrtSignatureValidator::WAC20,
- false,
- false,
- false);
-
- if (data.isAuthorSignature()) {
- LogError("Author");
- RUNNER_ASSERT_MSG(
- WrtSignatureValidator::SIGNATURE_VERIFIED ==
- validator.check(data, widget_partner_operator_path),
- "Wrong input file but success..");
- } else {
- LogError("Distributor");
- RUNNER_ASSERT_MSG(
- WrtSignatureValidator::SIGNATURE_VERIFIED ==
- validator.check(data, widget_partner_operator_path),
- "Wrong input file but success..");
-
- RUNNER_ASSERT_MSG(
- data.getVisibilityLevel() == CertStoreId::VIS_PLATFORM,
- "visibility check failed.");
- }
- }
-}
-*/
-
-/*
-RUNNER_TEST(test03t04_wrtsignature_validator_negative_certificate_input)
-{
- SignatureFileInfoSet signatureSet;
- SignatureFinder signatureFinder(widget_negative_certificate_path);
- LogError("Size: " << signatureSet.size());
- RUNNER_ASSERT_MSG(
- SignatureFinder::NO_ERROR == signatureFinder.find(signatureSet),
- "SignatureFinder failed");
-
- SignatureFileInfoSet::reverse_iterator iter = signatureSet.rbegin();
- LogError("Size: " << signatureSet.size());
- for (; iter != signatureSet.rend(); ++iter) {
- SignatureData data(widget_negative_certificate_path + iter->getFileName(),
- iter->getFileNumber());
- SignatureReader xml;
- xml.initialize(data, GetSignatureXmlSchema());
- xml.read(data);
-
- WrtSignatureValidator validator(
- WrtSignatureValidator::WAC20,
- false,
- false,
- false);
-
- if (data.isAuthorSignature()) {
- LogError("Author");
- RUNNER_ASSERT_MSG(
- WrtSignatureValidator::SIGNATURE_INVALID ==
- validator.check(data, widget_negative_certificate_path),
- "Wrong input file but success..");
- } else {
- LogError("Distributor");
- RUNNER_ASSERT_MSG(
- WrtSignatureValidator::SIGNATURE_DISREGARD ==
- validator.check(data, widget_negative_certificate_path),
- "Wrong input file but success..");
- }
- }
-}
-*/
-
/*
* test: Integration test of SignatureFinder, SignatureReader,
* SignatureValidator
SignatureFinder::NO_ERROR == signatureFinder.find(signatureSet),
"SignatureFinder failed");
- SignatureFileInfoSet::reverse_iterator iter = signatureSet.rbegin();
- for (; iter != signatureSet.rend(); ++iter) {
- SignatureData data(widget_path + iter->getFileName(),
- iter->getFileNumber());
- SignatureReader xml;
- xml.initialize(data, GetSignatureXmlSchema());
- xml.read(data);
-
- SignatureValidator validator(
- SignatureValidator::WAC20,
- false,
- false,
- false);
-
- if (data.isAuthorSignature()) {
- RUNNER_ASSERT_MSG(
- SignatureValidator::SIGNATURE_DISREGARD ==
- validator.check(data, widget_path),
+ for (SignatureFileInfoSet::reverse_iterator iter = signatureSet.rbegin();
+ iter != signatureSet.rend();
+ ++iter) {
+ SignatureData data;
+ SignatureValidator::Result valResult = SignatureValidator::check(
+ *iter,
+ widget_path,
+ false,
+ false,
+ data);
+
+ if (data.isAuthorSignature())
+ RUNNER_ASSERT_MSG(valResult == SignatureValidator::SIGNATURE_DISREGARD,
"Validation failed");
- } else {
+ else
if (data.getSignatureNumber() == 1)
- {
- SignatureValidator::Result temp = validator.check(data, widget_path);
-
- RUNNER_ASSERT_MSG(
- SignatureValidator::SIGNATURE_DISREGARD ==
- temp,
+ RUNNER_ASSERT_MSG(valResult == SignatureValidator::SIGNATURE_DISREGARD,
"Validation failed");
- }
else
- {
- SignatureValidator::Result temp = validator.check(data, widget_path);
-
- RUNNER_ASSERT_MSG(
- SignatureValidator::SIGNATURE_VERIFIED ==
- temp,
+ RUNNER_ASSERT_MSG(valResult == SignatureValidator::SIGNATURE_VERIFIED,
"Validation failed");
- }
- }
}
}
SignatureFinder::NO_ERROR == signatureFinder.find(signatureSet),
"SignatureFinder failed");
- SignatureFileInfoSet::reverse_iterator iter = signatureSet.rbegin();
- for (; iter != signatureSet.rend(); ++iter) {
- SignatureData data(widget_negative_hash_path + iter->getFileName(),
- iter->getFileNumber());
- SignatureReader xml;
- xml.initialize(data, GetSignatureXmlSchema());
- xml.read(data);
-
- SignatureValidator validator(
- SignatureValidator::WAC20,
- false,
- false,
- false);
-
- int temp = validator.check(data, widget_negative_hash_path);
- RUNNER_ASSERT_MSG(
- (WrtSignatureValidator::SIGNATURE_INVALID == temp
- || WrtSignatureValidator::SIGNATURE_DISREGARD == temp),
- "Wrong input file but success.. Errorcode : " << wrtValidatorErrorToString(temp));
+ for (SignatureFileInfoSet::reverse_iterator iter = signatureSet.rbegin();
+ iter != signatureSet.rend();
+ ++iter) {
+ SignatureData data;
+ SignatureValidator::Result valResult = SignatureValidator::check(
+ *iter,
+ widget_negative_hash_path,
+ false,
+ false,
+ data);
+
+ if (!data.isAuthorSignature())
+ RUNNER_ASSERT_MSG(valResult == SignatureValidator::SIGNATURE_INVALID,
+ "Wrong input file but success.. Errorcode : " << validatorErrorToString(valResult));
+ else
+ RUNNER_ASSERT_MSG(valResult == SignatureValidator::SIGNATURE_DISREGARD,
+ "Wrong input file but success.. Errorcode : " << validatorErrorToString(valResult));
}
}
SignatureFinder::NO_ERROR == signatureFinder.find(signatureSet),
"SignatureFinder failed");
- SignatureFileInfoSet::reverse_iterator iter = signatureSet.rbegin();
- for (; iter != signatureSet.rend(); ++iter) {
- SignatureData data(widget_negative_signature_path + iter->getFileName(),
- iter->getFileNumber());
- SignatureReader xml;
- xml.initialize(data, GetSignatureXmlSchema());
- xml.read(data);
-
- SignatureValidator validator(
- SignatureValidator::WAC20,
- false,
- false,
- false);
-
- int temp = validator.check(data, widget_negative_signature_path);
- RUNNER_ASSERT_MSG(
- (WrtSignatureValidator::SIGNATURE_INVALID == temp
- || WrtSignatureValidator::SIGNATURE_DISREGARD == temp),
- "Wrong input file but success.. Errorcode : " << wrtValidatorErrorToString(temp));
+ for (SignatureFileInfoSet::reverse_iterator iter = signatureSet.rbegin();
+ iter != signatureSet.rend();
+ ++iter) {
+ SignatureData data;
+ SignatureValidator::Result valResult = SignatureValidator::check(
+ *iter,
+ widget_negative_signature_path,
+ false,
+ false,
+ data);
+
+ if (!data.isAuthorSignature())
+ RUNNER_ASSERT_MSG(valResult == SignatureValidator::SIGNATURE_INVALID,
+ "Wrong input file but success.. Errorcode : " << validatorErrorToString(valResult));
+ else
+ RUNNER_ASSERT_MSG(valResult == SignatureValidator::SIGNATURE_DISREGARD,
+ "Wrong input file but success.. Errorcode : " << validatorErrorToString(valResult));
}
}
SignatureFinder::NO_ERROR == signatureFinder.find(signatureSet),
"SignatureFinder failed");
- SignatureFileInfoSet::reverse_iterator iter = signatureSet.rbegin();
- for (; iter != signatureSet.rend(); ++iter) {
- SignatureData data(widget_partner_path + iter->getFileName(),
- iter->getFileNumber());
- SignatureReader xml;
- xml.initialize(data, GetSignatureXmlSchema());
- xml.read(data);
-
- SignatureValidator validator(
- SignatureValidator::TIZEN,
- false,
- false,
- false);
-
- int temp = validator.check(data, widget_partner_path);
- RUNNER_ASSERT_MSG(SignatureValidator::SIGNATURE_VERIFIED == temp,
- "Wrong input file but success.. Errorcode : " << wrtValidatorErrorToString(temp));
-
- if (!data.isAuthorSignature()) {
- RUNNER_ASSERT_MSG(
- data.getVisibilityLevel() == CertStoreId::VIS_PARTNER,
- "visibility check failed.");
- }
- }
-}
-/* // no partner_operator certificate in kiran emulator
-RUNNER_TEST(test04t05_signature_validator_partner_operator)
-{
- SignatureFileInfoSet signatureSet;
- SignatureFinder signatureFinder(widget_partner_operator_path);
- LogError("Size: " << signatureSet.size());
- RUNNER_ASSERT_MSG(
- SignatureFinder::NO_ERROR == signatureFinder.find(signatureSet),
- "SignatureFinder failed");
-
- SignatureFileInfoSet::reverse_iterator iter = signatureSet.rbegin();
- LogError("Size: " << signatureSet.size());
- for (; iter != signatureSet.rend(); ++iter) {
- SignatureData data(widget_partner_operator_path + iter->getFileName(),
- iter->getFileNumber());
- SignatureReader xml;
- xml.initialize(data, GetSignatureXmlSchema());
- xml.read(data);
-
- SignatureValidator validator(
- SignatureValidator::TIZEN,
- false,
- false,
- false);
-
- if (data.isAuthorSignature()) {
- LogError("Author");
- RUNNER_ASSERT_MSG(
- SignatureValidator::SIGNATURE_VERIFIED ==
- validator.check(data, widget_partner_operator_path),
- "Wrong input file but success..");
- } else {
- LogError("Distributor");
- RUNNER_ASSERT_MSG(
- SignatureValidator::SIGNATURE_VERIFIED ==
- validator.check(data, widget_partner_operator_path),
- "Wrong input file but success..");
-
- RUNNER_ASSERT_MSG(
- data.getVisibilityLevel() == CertStoreId::VIS_PLATFORM,
+ for (SignatureFileInfoSet::reverse_iterator iter = signatureSet.rbegin();
+ iter != signatureSet.rend();
+ ++iter) {
+ SignatureData data;
+ SignatureValidator::Result valResult = SignatureValidator::check(
+ *iter,
+ widget_partner_path,
+ false,
+ false,
+ data);
+
+ RUNNER_ASSERT_MSG(valResult == SignatureValidator::SIGNATURE_VERIFIED,
+ "Wrong input file but success.. Errorcode : " << validatorErrorToString(valResult));
+
+ if (!data.isAuthorSignature())
+ RUNNER_ASSERT_MSG(data.getVisibilityLevel() == CertStoreId::VIS_PARTNER,
"visibility check failed.");
- }
- }
-}
-*/
-
-/*
-RUNNER_TEST(test04t04_signature_validator_negative_certificate_input)
-{
- SignatureFileInfoSet signatureSet;
- SignatureFinder signatureFinder(widget_negative_certificate_path);
- LogError("Size: " << signatureSet.size());
- RUNNER_ASSERT_MSG(
- SignatureFinder::NO_ERROR == signatureFinder.find(signatureSet),
- "SignatureFinder failed");
-
- SignatureFileInfoSet::reverse_iterator iter = signatureSet.rbegin();
- LogError("Size: " << signatureSet.size());
- for (; iter != signatureSet.rend(); ++iter) {
- SignatureData data(widget_negative_certificate_path + iter->getFileName(),
- iter->getFileNumber());
- SignatureReader xml;
- xml.initialize(data, GetSignatureXmlSchema());
- xml.read(data);
-
- SignatureValidator validator(
- SignatureValidator::WAC20,
- false,
- false,
- false);
-
- if (data.isAuthorSignature()) {
- LogError("Author");
- RUNNER_ASSERT_MSG(
- SignatureValidator::SIGNATURE_DISREGARD ==
- validator.check(data, widget_negative_certificate_path),
- "Wrong input file but success..");
- } else {
- LogError("Distributor");
- RUNNER_ASSERT_MSG(
- SignatureValidator::SIGNATURE_DISREGARD ==
- validator.check(data, widget_negative_certificate_path),
- "Wrong input file but success..");
- }
}
}
-*/
/*
* test: Integration test of SignatureFinder, SignatureReader,
SignatureFinder::NO_ERROR == signatureFinder.find(signatureSet),
"SignatureFinder failed");
- SignatureFileInfoSet::reverse_iterator iter = signatureSet.rbegin();
-
- for (; iter != signatureSet.rend(); ++iter) {
- SignatureData data(widget_path + iter->getFileName(),
- iter->getFileNumber());
- SignatureReader xml;
- xml.initialize(data, GetSignatureXmlSchema());
- xml.read(data);
-
- WrtSignatureValidator sval(
- WrtSignatureValidator::WAC20,
- false,
- false,
- false);
-
- if (data.isAuthorSignature()) {
- RUNNER_ASSERT_MSG(
- WrtSignatureValidator::SIGNATURE_DISREGARD ==
- sval.check(data, widget_path),
+ for (SignatureFileInfoSet::reverse_iterator iter = signatureSet.rbegin();
+ iter != signatureSet.rend();
+ ++iter) {
+ SignatureData data;
+ SignatureValidator::Result valResult = SignatureValidator::check(
+ *iter,
+ widget_path,
+ false,
+ false,
+ data);
+
+ if (data.isAuthorSignature())
+ RUNNER_ASSERT_MSG(valResult == SignatureValidator::SIGNATURE_DISREGARD,
"Validation failed");
- } else {
+ else
if (data.getSignatureNumber() == 1)
- {
- RUNNER_ASSERT_MSG(
- WrtSignatureValidator::SIGNATURE_DISREGARD ==
- sval.check(data, widget_path),
- "Validation failed");
- }
+ RUNNER_ASSERT_MSG(valResult == SignatureValidator::SIGNATURE_DISREGARD,
+ "Validation failed");
else
- {
- RUNNER_ASSERT_MSG(
- WrtSignatureValidator::SIGNATURE_VERIFIED ==
- sval.check(data, widget_path),
- "Validation failed");
- }
- }
+ RUNNER_ASSERT_MSG(valResult == SignatureValidator::SIGNATURE_VERIFIED,
+ "Validation failed");
/*
ReferenceValidator val(widget_path);
RUNNER_ASSERT(cert3.isCA() == 0);
}
-#define CRYPTO_HASH_TEST(text,expected,FUN) \
- do { \
- ValidationCore::Crypto::Hash::Base *crypto; \
- crypto = new ValidationCore::Crypto::Hash::FUN(); \
- std::string input = text; \
- crypto->Append(text); \
- crypto->Finish(); \
- std::string result = crypto->ToBase64String(); \
- RUNNER_ASSERT_MSG(result == expected, \
- "Hash function failed"); \
- } while(0)
-
-/*
- * test: class ValidationCore::Crypto::Hash::MD4
- * description: Test implementation of MD4 hash algorithm
- * expected: Value counted by algorithm should be eqal to value encoded in test.
- */
-RUNNER_TEST(test80_crypto_md4)
-{
- CRYPTO_HASH_TEST("Hi, my name is Bart.",
- "Rj5V34qqMQmHh2bn3Cb/vQ==",
- MD4);
-}
-
-/*
- * test: class ValidationCore::Crypto::Hash::MD5
- * description: Test implementation of hash algorithm
- * expected: Value counted by algorithm should be eqal to value encoded in test.
- */
-RUNNER_TEST(test81_crypto_md5)
-{
- CRYPTO_HASH_TEST("Hi, my name is Bart.",
- "4y2iI6QtFC7+0xurBOfcsg==",
- MD5);
-}
-
-/*
- * test: class ValidationCore::Crypto::Hash::SHA
- * description: Test implementation of hash algorithm
- * expected: Value counted by algorithm should be eqal to value encoded in test.
- */
-RUNNER_TEST(test82_crypto_sha)
-{
- CRYPTO_HASH_TEST("Hi, my name is Bart.",
- "v7w8XNvzQkZPoID+bbdrLwI6zPA=",
- SHA);
-}
-
-/*
- * test: class ValidationCore::Crypto::Hash::SHA1
- * description: Test implementation of hash algorithm
- * expected: Value counted by algorithm should be eqal to value encoded in test.
- */
-RUNNER_TEST(test83_crypto_sha1)
-{
- CRYPTO_HASH_TEST("Hi, my name is Bart.",
- "Srydq14dzpuLn+xlkGz7ZyFLe1w=",
- SHA1);
-}
-
-/*
- * test: class ValidationCore::Crypto::Hash::SHA224
- * description: Test implementation of hash algorithm
- * expected: Value counted by algorithm should be eqal to value encoded in test.
- */
-RUNNER_TEST(test84_crypto_sha224)
-{
- CRYPTO_HASH_TEST("Hi, my name is Bart.",
- "Ss2MKa2Mxrf0/hrl8bf0fOSz/e5nQv4J/yX6ig==",
- SHA224);
-}
-
-/*
- * test: class ValidationCore::Crypto::Hash::SHA256
- * description: Test implementation of hash algorithm
- * expected: Value counted by algorithm should be eqal to value encoded in test.
- */
-RUNNER_TEST(test85_crypto_sha256)
-{
- CRYPTO_HASH_TEST("Hi, my name is Bart.",
- "Bja/IuUJHLPlHYYB2hBcuuOlRWPy1RdF6gzL0VWxeps=",
- SHA256);
-}
-
-/*
- * test: class ValidationCore::Crypto::Hash::SHA384
- * description: Test implementation of hash algorithm
- * expected: Value counted by algorithm should be eqal to value encoded in test.
- */
-RUNNER_TEST(test86_crypto_sha384)
-{
- CRYPTO_HASH_TEST("Hi, my name is Bart.",
- "5RjtzCnGAt+P6J8h32Dzrmka+5i5MMvDRVz+s9jA7TW508sUZOnKliliad5nUJrj",
- SHA384);
-}
-
-/*
- * test: class ValidationCore::Crypto::Hash::SHA512
- * description: Test implementation of hash algorithm
- * expected: Value counted by algorithm should be eqal to value encoded in test.
- */
-RUNNER_TEST(test87_crypto_sha512)
-{
- CRYPTO_HASH_TEST("Hi, my name is Bart.",
- "LxemzcQNf5erjA4a6PnTXfL+putB3uElitOjc5QCQ9Mg4ZuxTpre8VIBAviwRcTnui2Y0/Yg7cB40OG3XJMfbA==",
- SHA512);
-}
-
-/*
- * test: class ValidationCore::Crypto::Hash::SHA1
- * description: This example was implemented to show how to count SHA1 value from certificate.
- * expected: Value counted by algorithm should be eqal to value encoded in test.
- */
-RUNNER_TEST(test88_crypto_sha1_certificate)
-{
- Certificate cert(certVerisign, Certificate::FORM_BASE64);
-
- ValidationCore::Crypto::Hash::SHA1 sha1;
- sha1.Append(cert.getDER());
- sha1.Finish();
- std::string result = sha1.ToBase64String();
-
- RUNNER_ASSERT_MSG(result == "uXIe1UntvzGE2CcM/gMRGd/CKwo=",
- "Certificate hash does not match.");
-}
-
/*
* test: CertificateIdentifier::find(Fingerprint)
* description: Check implementation of fingerprint_list.
CertStoreId::Set domain =
certIdent.find(cert.getFingerprint(Certificate::FINGERPRINT_SHA1));
- RUNNER_ASSERT(!domain.contains(CertStoreId::WAC_PUBLISHER));
- RUNNER_ASSERT(!domain.contains(CertStoreId::DEVELOPER));
- RUNNER_ASSERT(!domain.contains(CertStoreId::WAC_ROOT));
- RUNNER_ASSERT(!domain.contains(CertStoreId::WAC_MEMBER));
- RUNNER_ASSERT(!domain.contains(CertStoreId::TIZEN_MEMBER));
- RUNNER_ASSERT(!domain.contains(CertStoreId::ORANGE_LEGACY));
- RUNNER_ASSERT(!domain.contains(CertStoreId::VIS_PUBLIC));
- RUNNER_ASSERT(!domain.contains(CertStoreId::VIS_PARTNER));
- RUNNER_ASSERT(!domain.contains(CertStoreId::VIS_PARTNER_OPERATOR));
- RUNNER_ASSERT(!domain.contains(CertStoreId::VIS_PARTNER_MANUFACTURER));
+ RUNNER_ASSERT_MSG(domain.getTypeString().empty(), "Domain should be empty.");
}
*/
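Review bot: The replacement assertion calls `domain.getTypeString()`, but the accessor this commit adds to `CertStoreId::Set` is declared as `typeToString()`, so unless a `getTypeString` exists elsewhere this line would not compile if the test were enabled. The closing `*/` after the test suggests it sits inside a commented-out block, which would hide the mismatch. Use `domain.typeToString().empty()`, or more directly `domain.isEmpty()`, which the class already provides. The test body starts outside this hunk.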
* See the License for the specific language governing permissions and
* limitations under the License.
*/
-#include <vcore/WrtSignatureValidator.h>
-
#include "TestEnv.h"
-#define WRTSIGNATURE_ERRORDESCRIBE(name) case ValidationCore::WrtSignatureValidator::name: return #name
-const char *wrtValidatorErrorToString(int error)
+#define SIGNATURE_ERRORDESCRIBE(name) case ValidationCore::SignatureValidator::name: return #name
+const char *validatorErrorToString(ValidationCore::SignatureValidator::Result error)
{
switch (error) {
- WRTSIGNATURE_ERRORDESCRIBE(SIGNATURE_VALID);
- WRTSIGNATURE_ERRORDESCRIBE(SIGNATURE_INVALID);
- WRTSIGNATURE_ERRORDESCRIBE(SIGNATURE_VERIFIED);
- WRTSIGNATURE_ERRORDESCRIBE(SIGNATURE_DISREGARD);
- WRTSIGNATURE_ERRORDESCRIBE(SIGNATURE_REVOKED);
- WRTSIGNATURE_ERRORDESCRIBE(SIGNATURE_INVALID_CERT_CHAIN);
- WRTSIGNATURE_ERRORDESCRIBE(SIGNATURE_INVALID_DISTRIBUTOR_CERT);
- WRTSIGNATURE_ERRORDESCRIBE(SIGNATURE_INVALID_SDK_DEFAULT_AUTHOR_CERT);
- WRTSIGNATURE_ERRORDESCRIBE(SIGNATURE_IN_DISTRIBUTOR_CASE_AUTHOR_CERT);
- WRTSIGNATURE_ERRORDESCRIBE(SIGNATURE_INVALID_CERT_TIME);
- WRTSIGNATURE_ERRORDESCRIBE(SIGNATURE_NO_DEVICE_PROFILE);
- WRTSIGNATURE_ERRORDESCRIBE(SIGNATURE_INVALID_DEVICE_UNIQUE_ID);
- WRTSIGNATURE_ERRORDESCRIBE(SIGNATURE_INVALID_NO_HASH_FILE);
- WRTSIGNATURE_ERRORDESCRIBE(SIGNATURE_INVALID_HASH_SIGNATURE);
+ SIGNATURE_ERRORDESCRIBE(SIGNATURE_VALID);
+ SIGNATURE_ERRORDESCRIBE(SIGNATURE_INVALID);
+ SIGNATURE_ERRORDESCRIBE(SIGNATURE_VERIFIED);
+ SIGNATURE_ERRORDESCRIBE(SIGNATURE_DISREGARD);
+ SIGNATURE_ERRORDESCRIBE(SIGNATURE_REVOKED);
default:
return "Invalid error code.";
}
}
-#undef WRTSIGNATURE_ERRORDESCRIBE
+#undef SIGNATURE_ERRORDESCRIBE
#ifndef _TESTENV_H_
#define _TESTENV_H_
-const char *wrtValidatorErrorToString(int error);
+#include <vcore/SignatureValidator.h>
+
+const char *validatorErrorToString(ValidationCore::SignatureValidator::Result error);
#endif
openssl
xmlsec1
dlog
- icu-uc
- libsoup-2.4
- db-util
libsystemd-journal
)
ADD_DEFINITIONS(${VCORE_DEPS_CFLAGS})
ADD_DEFINITIONS(${VCORE_DEPS_CFLAGS_OTHER})
-ADD_DEFINITIONS("-DSEPARATED_SINGLETON_IMPLEMENTATION")
SET(VCORE_DIR
${PROJECT_SOURCE_DIR}/vcore
${VCORE_DPL_CORE_SRC_DIR}/waitable_handle_watch_support.cpp
)
-SET(VCORE_DPL_DB_SRC_DIR
- ${VCORE_DPL_DIR}/db/src
- )
-SET(VCORE_DPL_DB_SOURCES
- ${VCORE_DPL_DB_SRC_DIR}/naive_synchronization_object.cpp
- ${VCORE_DPL_DB_SRC_DIR}/orm.cpp
- ${VCORE_DPL_DB_SRC_DIR}/sql_connection.cpp
- ${VCORE_DPL_DB_SRC_DIR}/thread_database_support.cpp
- )
-
SET(VCORE_DPL_LOG_SRC_DIR
${VCORE_DPL_DIR}/log/src
)
${VCORE_SRC_DIR}/CertificateConfigReader.cpp
${VCORE_SRC_DIR}/CertificateLoader.cpp
${VCORE_SRC_DIR}/CertStoreType.cpp
- ${VCORE_SRC_DIR}/CryptoHash.cpp
- ${VCORE_SRC_DIR}/OCSPCertMgrUtil.cpp
${VCORE_SRC_DIR}/ReferenceValidator.cpp
${VCORE_SRC_DIR}/RevocationCheckerBase.cpp
${VCORE_SRC_DIR}/SaxReader.cpp
${VCORE_SRC_DIR}/TimeConversion.cpp
${VCORE_SRC_DIR}/VerificationStatus.cpp
${VCORE_SRC_DIR}/ValidatorFactories.cpp
- ${VCORE_SRC_DIR}/WrtSignatureValidator.cpp
${VCORE_SRC_DIR}/SignatureValidator.cpp
${VCORE_SRC_DIR}/XmlsecAdapter.cpp
${VCORE_SRC_DIR}/pkcs12.cpp
)
INSTALL(FILES
- ${VCORE_SRC_DIR}/WrtSignatureValidator.h
${VCORE_SRC_DIR}/SignatureValidator.h
${VCORE_SRC_DIR}/SignatureFinder.h
- ${VCORE_SRC_DIR}/SignatureReader.h
- ${VCORE_SRC_DIR}/CertificateCollection.h
- ${VCORE_SRC_DIR}/CryptoHash.h
- ${VCORE_SRC_DIR}/Base64.h
-
- ${VCORE_SRC_DIR}/ParserSchema.h
- ${VCORE_SRC_DIR}/SaxReader.h
${VCORE_SRC_DIR}/Certificate.h
${VCORE_SRC_DIR}/SignatureData.h
void certsvc_certificate_list_free(CertSvcCertificateList handler);
/**
+ * This function will free list. It will free all certificates on the list.
+ * You should ""NOT"" free each certificate with certsvc_certificate_free.
+ *
+ * @param[in] handler Handler to search result.
+ */
+void certsvc_certificate_list_all_free(CertSvcCertificateList handler);
+
+/**
* Compare parent certificate subject with child issuer field.
*
* @param[in] child
/**
* Allocate internal data of CertSvc library and put it in the CertSvcInstance structure.
- * Initialize Openssl interanal structures, initialize all structures required by libsoup
- * (libsoup is used by ocps and crl functions).
+ * Initialize Openssl interanal structures.
*
* @param[out] instance Pointer to CertSvcInstance.
* @return CERTSVC_SUCCESS or CERTSVC_FAIL.
*/
#include <vcore/CertStoreType.h>
-#include <string.h>
-
namespace ValidationCore {
namespace CertStoreId {
m_certificateStorage |= second;
}
-
bool Set::contains(Type second) const
{
return static_cast<bool>(m_certificateStorage & second);
}
+bool Set::isContainsVis() const
+{
+ Type visType = VIS_PUBLIC;
+ visType |= VIS_PARTNER;
+ visType |= VIS_PARTNER_OPERATOR;
+ visType |= VIS_PARTNER_MANUFACTURER;
+ visType |= VIS_PLATFORM;
+
+ visType &= m_certificateStorage;
+
+ if (visType == 0)
+ return false;
+
+ return true;
+}
+
bool Set::isEmpty() const
{
return m_certificateStorage == 0;
}
+std::string Set::typeToString() const
+{
+ std::string ret;
+
+ if (m_certificateStorage & TIZEN_DEVELOPER)
+ ret += "TIZEN_DEVELOPER ";
+ if (m_certificateStorage & TIZEN_TEST)
+ ret += "TIZEN_TEST ";
+ if (m_certificateStorage & TIZEN_VERIFY)
+ ret += "TIZEN_VERIFY ";
+ if (m_certificateStorage & TIZEN_STORE)
+ ret += "TIZEN_STORE ";
+ if (m_certificateStorage & VIS_PUBLIC)
+ ret += "VIS_PUBLIC ";
+ if (m_certificateStorage & VIS_PARTNER)
+ ret += "VIS_PARTNER ";
+ if (m_certificateStorage & VIS_PARTNER_OPERATOR)
+ ret += "VIS_PARTNER_OPERATOR ";
+ if (m_certificateStorage & VIS_PARTNER_MANUFACTURER)
+ ret += "VIS_PARTNER_MANUFACTURER ";
+ if (m_certificateStorage & VIS_PLATFORM)
+ ret += "VIS_PLATFORM ";
+
+ return ret;
+}
+
} // namespace CertStoreId
} // namespace ValidationCore
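Review bot: `Set::isContainsVis` builds its mask and branches over several statements where one expression would do, e.g. `return (m_certificateStorage & VIS_MASK) != 0;` with the five VIS_* bits combined once in a named constant (the name `VIS_MASK` is only a suggestion) next to their definitions. A shared constant would also keep this list from drifting away from the branches in `SignatureData::getVisibilityLevel`, which now depend on it. `typeToString` leaves a trailing space after the last name. `std::string` is used here although no `#include <string>` is visible in this hunk or in the CertStoreType.h hunk, so confirm the header provides it.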
virtual ~Set();
void add(Type second);
-
-
bool contains(Type second) const;
+ bool isContainsVis() const;
bool isEmpty() const;
+ std::string typeToString() const;
+
private:
Type m_certificateStorage;
};
* @version 0.1
* @brief
*/
-#include <vcore/CertificateCollection.h>
-#include <vcore/Base64.h>
+#include <openssl/pem.h>
+#include <openssl/x509.h>
+
+#include <algorithm>
+
+#include <cert-svc/cinstance.h>
+#include <cert-svc/ccert.h>
+#include <cert-svc/cprimitives.h>
+
#include <dpl/binary_queue.h>
#include <dpl/foreach.h>
#include <dpl/log/log.h>
+#include <vcore/Base64.h>
-#include <algorithm>
+#include <vcore/CertificateCollection.h>
namespace {
return std::string(buffer, sizeof(int));
}
+CertificatePtr getCertFromStore(X509_NAME *subject)
+{
+ if (!subject) {
+ LogError("Invalid input!");
+ return CertificatePtr();
+ }
+
+ CertSvcInstance instance;
+ if (certsvc_instance_new(&instance) != CERTSVC_SUCCESS) {
+ LogError("Failed to make instance");
+ return CertificatePtr();
+ }
+
+ char buffer[1024];
+ X509_NAME_oneline(subject, buffer, 1024);
+
+ LogDebug("Search certificate with subject: " << buffer);
+ CertSvcCertificateList certList;
+ int result = certsvc_certificate_search(instance, CERTSVC_SUBJECT, buffer, &certList);
+ if (result != CERTSVC_SUCCESS) {
+ LogError("Error during certificate search. result : " << result);
+ certsvc_instance_free(instance);
+ return CertificatePtr();
+ }
+
+ size_t listSize = 0;
+ result = certsvc_certificate_list_get_length(certList, &listSize);
+ if (result != CERTSVC_SUCCESS || listSize <= 0) {
+ LogError("Error in certsvc_certificate_list_get_length. result : " << result);
+ certsvc_instance_free(instance);
+ return CertificatePtr();
+ }
+
+ CertSvcCertificate cert;
+ result = certsvc_certificate_list_get_one(certList, 0, &cert);
+ if (result != CERTSVC_SUCCESS) {
+ LogError("Failed to get cert from cert list. result : " << result);
+ certsvc_certificate_list_all_free(certList);
+ certsvc_instance_free(instance);
+ return CertificatePtr();
+ }
+
+ X509 *pCertX509 = NULL;
+ result = certsvc_certificate_dup_x509(cert, &pCertX509);
+ certsvc_certificate_list_all_free(certList);
+ certsvc_instance_free(instance);
+
+ if (result != CERTSVC_SUCCESS || !pCertX509) {
+ LogError("Error during certificate dup x509. result : " << result);
+ return CertificatePtr();
+ }
+
+ CertificatePtr parentCert(new Certificate(pCertX509));
+ X509_free(pCertX509);
+
+ return parentCert;
+}
} // namespace
namespace ValidationCore {
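Review bot: In `getCertFromStore`, the exit taken when `certsvc_certificate_list_get_length` fails or reports zero entries frees only `instance`, while the two later exits also call `certsvc_certificate_list_all_free(certList)`. Unless `certsvc_instance_free` is known to release search results, add `certsvc_certificate_list_all_free(certList);` to that branch as well. The lookup also takes entry 0 of a match on the one-line subject string, which `X509_NAME_oneline` cuts at the 1024-byte buffer, so several store entries with the same (or same truncated) subject are not told apart; the removed OCSPCertMgrUtil version at least logged that case. I would log when `listSize > 1` and add a comment that the caller must still verify the child's signature against the returned certificate.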
if (COLLECTION_SORTED != m_collectionStatus)
VcoreThrowMsg(CertificateCollection::Exception::WrongUsage,
"You must sort certificates first");
+
return m_certList;
}
m_certList = sorted;
}
+/*
+ * Precondition : cert list sorted and has more than one cert
+ */
+bool CertificateCollection::completeCertificateChain()
+{
+ CertificatePtr last = m_certList.back();
+ if (last->isSignedBy(last))
+ return true;
+
+ /* TODO Add getIssuerName function to Certificate.h */
+ CertificatePtr parent = getCertFromStore(X509_get_issuer_name(last->getX509()));
+
+ if (!parent.get())
+ return false;
+
+ m_certList.push_back(parent);
+ if (!parent->isSignedBy(parent))
+ return false;
+
+ return true;
+}
+
size_t CertificateCollection::size() const {
return m_certList.size();
}
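Review bot: `completeCertificateChain` appends the certificate returned by `getCertFromStore` without checking that it actually signed `last`. The parent is selected only by matching its subject string against `last`'s issuer name, and the only signature test afterwards is `parent->isSignedBy(parent)`. Unless a later step outside this hunk verifies every link, check the link here before the `push_back`, e.g. `if (!parent.get() || !last->isSignedBy(parent)) return false;`. The function also leaves `parent` in `m_certList` when it then returns false, and `m_certList.back()` is undefined on an empty list, so the stated precondition deserves a guard such as `if (m_certList.empty()) return false;`.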
bool sort();
/*
+ * Precondition : cert list sorted and has more than on cert.
+ * This function add root cert in cert list to complete cert chain
+ */
+ bool completeCertificateChain();
+
+ /*
* This function will return Certificate chain.
*
* First certificate on the list is EndEntity certificate.
CertStoreId::Set find(const CertificatePtr &certificate) const
{
- return
- find(certificate->getFingerprint(Certificate::FINGERPRINT_SHA1));
+ return find(certificate->getFingerprint(Certificate::FINGERPRINT_SHA1));
}
private:
+++ /dev/null
-/*
- * Copyright (c) 2011 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-/*
- * @file wrt_crypto_hash.cpp
- * @author Przemyslaw Dobrowolski (p.dobrowolsk@samsung.com)
- * @version 1.0
- * @brief This file is the implementation file of cryptographic hasing algorithms
- */
-#include <vcore/CryptoHash.h>
-
-#include <openssl/bio.h>
-#include <openssl/ssl.h>
-#include <openssl/evp.h>
-#include <stdexcept>
-
-#include <vcore/Base64.h>
-
-namespace ValidationCore
-{
-namespace Crypto
-{
-namespace Hash
-{
-namespace // anonymous
-{
-const size_t HASH_DIGEST_STREAM_FEED_SIZE = 1024;
-} // namespace anonymous
-
-Base::Base()
- : m_hasFinal(false)
-{
-}
-
-Base::~Base()
-{
-}
-
-void Base::Append(const char *buffer)
-{
- if (m_hasFinal)
- VcoreThrowMsg(Crypto::Hash::OutOfSequence,
- "Cannot append hash after final update!");
-
- HashUpdate(buffer, strlen(buffer));
-}
-
-void Base::Append(const char *buffer, size_t bufferSize)
-{
- if (m_hasFinal)
- VcoreThrowMsg(Crypto::Hash::OutOfSequence,
- "Cannot append hash after final update!");
-
- HashUpdate(buffer, bufferSize);
-}
-
-void Base::Append(const std::string &buffer)
-{
- if (m_hasFinal)
- VcoreThrowMsg(Crypto::Hash::OutOfSequence,
- "Cannot append hash after final update!");
-
- HashUpdate(buffer.c_str(), buffer.size());
-}
-
-void Base::Append(std::istream &stream)
-{
- if (m_hasFinal)
- VcoreThrowMsg(Crypto::Hash::OutOfSequence,
- "Cannot append hash after final update!");
-
- char buffer[HASH_DIGEST_STREAM_FEED_SIZE];
-
- do
- {
- stream.read(buffer, HASH_DIGEST_STREAM_FEED_SIZE);
-
- if (stream.gcount() > 0)
- Append(static_cast<void *>(buffer), static_cast<size_t>(stream.gcount()));
-
- } while (stream.gcount() > 0);
-}
-
-void Base::Append(const void *data, size_t dataSize)
-{
- if (m_hasFinal)
- VcoreThrowMsg(Crypto::Hash::OutOfSequence,
- "Cannot append hash after final update!");
-
- HashUpdate(data, dataSize);
-}
-
-void Base::Finish()
-{
- if (m_hasFinal)
- return;
-
- // Finalize hashing algorithm
- m_raw = HashFinal();
-
- // Convert to base 64 string
- Base64Encoder encoder;
- encoder.reset();
- encoder.append(std::string(m_raw.begin(), m_raw.end()));
- encoder.finalize();
- m_base64StringHash = encoder.get();
-
- m_hasFinal = true;
-}
-
-std::string Base::ToBase64String() const
-{
- return m_base64StringHash;
-}
-
-Raw Base::GetHash() const
-{
- return m_raw;
-}
-
-OpenSSL::OpenSSL(const EVP_MD *evpMd)
- : m_finalized(false)
-{
- EVP_MD_CTX_init(&m_context);
-
- if (EVP_DigestInit(&m_context, evpMd) != 1)
- VcoreThrowMsg(Crypto::Hash::AppendFailed,
- "EVP_DigestInit failed!");
-}
-
-OpenSSL::~OpenSSL()
-{
- if (!m_finalized)
- {
- // Just clean context
- EVP_MD_CTX_cleanup(&m_context);
- m_finalized = true;
- }
-}
-
-void OpenSSL::HashUpdate(const void *data, size_t dataSize)
-{
- if (m_finalized)
- VcoreThrowMsg(Crypto::Hash::AppendFailed,
- "OpenSSLHash hash already finalized!");
-
- if (EVP_DigestUpdate(&m_context, data, dataSize) != 1)
- VcoreThrowMsg(Crypto::Hash::AppendFailed,
- "EVP_DigestUpdate failed!");
-}
-
-Hash::Raw OpenSSL::HashFinal()
-{
- if (m_finalized)
- VcoreThrowMsg(Crypto::Hash::AppendFailed,
- "OpenSSLHash hash already finalized!");
-
- unsigned char hash[EVP_MAX_MD_SIZE] = {};
- unsigned int hashLength;
-
- // Also cleans context
- if (EVP_DigestFinal(&m_context, hash, &hashLength) != 1)
- VcoreThrowMsg(Crypto::Hash::AppendFailed,
- "EVP_DigestFinal failed!");
-
- m_finalized = true;
- return Raw(hash, hash + hashLength);
-}
-
-} // namespace Hash
-} // namespace Crypto
-} // namespace ValidationCore
+++ /dev/null
-/*
- * Copyright (c) 2011 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-/*
- * @file crypto_hash.h
- * @author Przemyslaw Dobrowolski (p.dobrowolsk@samsung.com)
- * @version 1.0
- * @brief This file is the implementation file of cryptographic hasing algorithms
- */
-#ifndef _CRYPTO_HASH_H_
-#define _CRYPTO_HASH_H_
-
-#include <openssl/evp.h>
-#include <istream>
-#include <string>
-#include <vector>
-
-#include <vcore/exception.h>
-
-namespace ValidationCore
-{
-namespace Crypto
-{
-namespace Hash
-{
-typedef std::vector<unsigned char> Raw;
-
-VCORE_DECLARE_EXCEPTION_TYPE(ValidationCore::Exception, OutOfSequence)
-VCORE_DECLARE_EXCEPTION_TYPE(ValidationCore::Exception, AppendFailed)
-
-class Base
-{
-private:
- Raw m_raw;
- std::string m_base64StringHash;
- bool m_hasFinal;
-
-protected:
- virtual void HashUpdate(const void *data, size_t dataSize) = 0;
- virtual Raw HashFinal() = 0;
-
-public:
- Base();
- virtual ~Base();
-
- virtual void Append(const char *buffer);
- virtual void Append(const char *buffer, size_t bufferSize);
- virtual void Append(const std::string &buffer);
- virtual void Append(std::istream &stream);
- virtual void Append(const void *data, size_t dataSize);
-
- virtual void Finish();
-
- virtual std::string ToBase64String() const;
- virtual Raw GetHash() const;
-};
-
-/**
- * OpenSSL hashing algorithm base
- */
-class OpenSSL
- : public Base
-{
-private:
- EVP_MD_CTX m_context;
- bool m_finalized;
-
-protected:
- virtual void HashUpdate(const void *data, size_t dataSize);
- virtual Raw HashFinal();
-
-public:
- OpenSSL(const EVP_MD *evpMd);
- virtual ~OpenSSL();
-};
-
-#define DECLARE_OPENSSL_HASH_ALGORITHM(ClassName, EvpMd) \
- class ClassName \
- : public OpenSSL \
- { \
- public: \
- ClassName() : OpenSSL(EvpMd()) {} \
- virtual ~ClassName() {} \
- };
-
-DECLARE_OPENSSL_HASH_ALGORITHM(MD2, EVP_md2)
-DECLARE_OPENSSL_HASH_ALGORITHM(MD4, EVP_md4)
-DECLARE_OPENSSL_HASH_ALGORITHM(MD5, EVP_md5)
-DECLARE_OPENSSL_HASH_ALGORITHM(SHA, EVP_sha)
-DECLARE_OPENSSL_HASH_ALGORITHM(SHA1, EVP_sha1)
-DECLARE_OPENSSL_HASH_ALGORITHM(DSS, EVP_dss)
-DECLARE_OPENSSL_HASH_ALGORITHM(DSS1, EVP_dss1)
-DECLARE_OPENSSL_HASH_ALGORITHM(ECDSA, EVP_ecdsa)
-DECLARE_OPENSSL_HASH_ALGORITHM(SHA224, EVP_sha224)
-DECLARE_OPENSSL_HASH_ALGORITHM(SHA256, EVP_sha256)
-DECLARE_OPENSSL_HASH_ALGORITHM(SHA384, EVP_sha384)
-DECLARE_OPENSSL_HASH_ALGORITHM(SHA512, EVP_sha512)
-
-#undef DECLARE_OPENSSL_HASH_ALGORITHM
-
-} // namespace Hash
-} // namespace Crypto
-} // namespace ValidationCore
-
-#endif // DPL_CRYPTO_HASH_H
+++ /dev/null
-/*
- * Copyright (c) 2011 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-/*
- * @author Michal Ciepielski(m.ciepielski@samsung.com)
- * @version 0.3
- * @brief
- */
-
-#include <vcore/OCSPCertMgrUtil.h>
-#include <vcore/SSLContainers.h>
-
-#include <openssl/pem.h>
-#include <openssl/x509.h>
-#include <dpl/assert.h>
-#include <dpl/log/log.h>
-#include <dpl/scoped_resource.h>
-#include <string.h>
-#include <iostream>
-#include <string>
-
-#include <cert-service.h>
-
-namespace {
-const int MAX_BUF = 1024;
-
-struct ContextDeleter
-{
- typedef CERT_CONTEXT* Type;
- static Type NullValue()
- {
- return NULL;
- }
- static void Destroy(Type context)
- {
- if (context) {
- cert_svc_cert_context_final(context);
- }
- }
-};
-}
-
-namespace ValidationCore {
-namespace OCSPCertMgrUtil {
-/*
- * TODO This API function should be changed to:
- * CertifiatePtr getCertFromStore(const std::string &subject);
- *
- * All of cert_svc function could return error because input
- * data are corruped. That's why I dont want to throw exceptions
- * in this function.
- */
-void getCertFromStore(X509_NAME *subject,
- X509 **xcert)
-{
- if (!xcert || *xcert || !subject) {
- LogError("Invalid input!");
- return;
- }
-
- typedef VcoreDPL::ScopedResource<ContextDeleter> ScopedContext;
-
- int result;
- char buffer[MAX_BUF];
- const unsigned char* ptr = NULL;
- X509 *pCertificate = NULL;
- cert_svc_filename_list *fileList = NULL;
-
- X509_NAME_oneline(subject, buffer, MAX_BUF);
-
- ScopedContext ctx(cert_svc_cert_context_init());
- if (ctx.Get() == NULL) {
- LogWarning("Error in cert_svc_cert_context_init.");
- return;
- }
-
- LogDebug("Search certificate with subject: " << buffer);
- result = cert_svc_search_certificate(ctx.Get(), SUBJECT_STR, buffer);
- LogDebug("Search finished!");
-
- if (CERT_SVC_ERR_NO_ERROR != result) {
- LogWarning("Error during certificate search");
- return;
- }
-
- fileList = ctx.Get()->fileNames;
-
- if (fileList == NULL) {
- LogDebug("No certificate found");
- return;
- }
-
- if (fileList->filename == NULL) {
- LogWarning("Empty filename");
- return;
- }
-
- LogDebug("Found cert file: " << fileList->filename);
- ScopedContext ctx2(cert_svc_cert_context_init());
-
- if (ctx2.Get() == NULL) {
- LogWarning("Error in cert_svc_cert_context_init.");
- return;
- }
-
- // TODO add read_certifcate_from_file function to Certificate.h
- if (CERT_SVC_ERR_NO_ERROR !=
- cert_svc_load_file_to_context(ctx2.Get(), fileList->filename)) {
- LogWarning("Error in cert_svc_load_file_to_context");
- return;
- }
-
- ptr = ctx2.Get()->certBuf->data;
- // create a certificate from mem buff
- pCertificate = d2i_X509(NULL, &ptr, ctx2.Get()->certBuf->size);
-
- if (pCertificate == NULL) {
- LogWarning("Error during certificate conversion in d2i_X509");
- return;
- }
-
- *xcert = pCertificate;
- if (fileList->next != NULL) {
- LogError("There is more then one certificate with same subject :/");
- // TODO Implement me.
- for (fileList = fileList->next;
- fileList != NULL;
- fileList = fileList->next) {
- LogError("Additional certificate with same subject: " << fileList->filename);
- }
- }
-}
-
-CertificatePtr getParentFromStore(const CertificatePtr &certificate)
-{
- Assert(certificate.get());
- X509* rawPtr = certificate->getX509();
-
- /* TODO Add getIssuerName function to Certificate.h */
- X509_NAME *name = X509_get_issuer_name(rawPtr);
-
- X509* rawTemp = NULL;
- getCertFromStore(name, &rawTemp);
-
- if (rawTemp == NULL) {
- return CertificatePtr();
- }
- SSLSmartContainer<X509> scope(rawTemp);
- return CertificatePtr(new Certificate(rawTemp));
-}
-
-CertificateList completeCertificateChain(const CertificateList &certificateList)
-{
- CertificateList result = certificateList;
- CertificatePtr last = result.back();
- if (last->isSignedBy(last)) {
- return result;
- }
- CertificatePtr parent = getParentFromStore(last);
- if (parent.get()) {
- result.push_back(parent);
- }
- return result;
-}
-} // namespace OCSPCertMgrUtil
-} // namespace ValidationCore
+++ /dev/null
-/*
- * Copyright (c) 2011 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-/*
- * @author Tomasz Morawski(t.morawski@samsung.com)
- * @author Michal Ciepielski(m.ciepielski@samsung.com)
- * @version 0.2
- * @brief
- */
-
-#ifndef _OCSP_CERT_MGR_UTIL_H_
-#define _OCSP_CERT_MGR_UTIL_H_
-
-#include <vcore/Certificate.h>
-
-namespace ValidationCore {
-namespace OCSPCertMgrUtil {
-void getCertFromStore(X509_NAME *subject,
- X509 **xcert);
-CertificatePtr getParentFromStore(const CertificatePtr &certificate);
-/*
- * Look for "parent" certificate from store.
- * It returns new certificate chain.
- */
-CertificateList completeCertificateChain(const CertificateList &certList);
-} // namespace OCSPCertMgrUtil
-} // namespace ValidationCore
-#endif
-
CertStoreId::Type SignatureData::getVisibilityLevel() const
{
+ if (!m_storeIdSet.isContainsVis()) {
+ LogWarning("Visibility level was broken.");
+ return 0;
+ }
+
if (m_storeIdSet.contains(CertStoreId::VIS_PLATFORM))
return CertStoreId::VIS_PLATFORM;
else if (m_storeIdSet.contains(CertStoreId::VIS_PARTNER_MANUFACTURER))
return CertStoreId::VIS_PLATFORM;
else if (m_storeIdSet.contains(CertStoreId::VIS_PARTNER))
return CertStoreId::VIS_PARTNER;
- else if (m_storeIdSet.contains(CertStoreId::VIS_PUBLIC))
+ else
return CertStoreId::VIS_PUBLIC;
- else {
- LogWarning("Visibility level was broken.");
- return 0;
- }
}
const SignatureData::IMEIList& SignatureData::getIMEIList() const
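Review bot: With the new guard in `getVisibilityLevel`, the final `else` returns `VIS_PUBLIC` for every set that carries a visibility bit other than PLATFORM, PARTNER_MANUFACTURER or PARTNER. That includes a set holding only `VIS_PARTNER_OPERATOR`, because `isContainsVis()` counts that bit; before this change such a set logged "Visibility level was broken." and returned 0. If falling through to the lowest level is intended, say so in a comment, for example `/* VIS_PARTNER_OPERATOR resolves to public here */`. Otherwise keep the explicit `else if (m_storeIdSet.contains(CertStoreId::VIS_PUBLIC))` and give the operator bit its own branch.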
#include <pcrecpp.h>
+namespace {
+
+}
namespace ValidationCore {
static const char *SIGNATURE_AUTHOR = "author-signature.xml";
Result find(SignatureFileInfoSet &set);
private:
+ std::string getFullPath(const std::string &file);
+
std::string m_dir;
pcrecpp::RE m_signatureRegexp;
};
+std::string SignatureFinder::Impl::getFullPath(const std::string &file)
+{
+ std::string fullPath = m_dir;
+
+ if (fullPath.back() != '/')
+ fullPath += "/";
+
+ fullPath += file;
+
+ return fullPath;
+}
+
SignatureFinder::Result SignatureFinder::Impl::find(SignatureFileInfoSet &set)
{
DIR *dp;
struct dirent *dirp;
- /*
- * find a dir
- */
if ((dp = opendir(m_dir.c_str())) == NULL) {
LogError("Error opening directory: " << m_dir);
return ERROR_OPENING_DIR;
}
for (errno = 0; (dirp = readdir(dp)) != NULL; errno = 0) {
- /**
- * check if it's author signature
- */
+ /* number for author signature is -1 */
if (!strcmp(dirp->d_name, SIGNATURE_AUTHOR)) {
- set.insert(SignatureFileInfo(std::string(dirp->d_name), -1));
+ std::string fullPath = getFullPath(std::string(dirp->d_name));
+ LogDebug("Found author signature file full path : " << fullPath);
+ set.insert(SignatureFileInfo(fullPath, -1));
continue;
}
- std::string sig, num, xml;
+ std::string sig;
+ std::string num;
+ std::string xml; /* just for cutting out .xml */
if (m_signatureRegexp.FullMatch(dirp->d_name, &sig, &num, &xml)) {
std::istringstream stream(num);
int number;
return ERROR_ISTREAM;
}
- set.insert(SignatureFileInfo(std::string(dirp->d_name), number));
+ std::string fullPath = getFullPath(std::string(dirp->d_name));
+ LogDebug("Found signature file full path : " << fullPath);
+ set.insert(SignatureFileInfo(fullPath, number));
}
}
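Review bot: `getFullPath()` reads `fullPath.back()` without first checking that `m_dir` is non-empty, and `std::string::back()` on an empty string is undefined behaviour. In `find()` the helper is only reached after `opendir(m_dir.c_str())` has succeeded, so the case is unlikely on this path, but the guard costs nothing: `if (!fullPath.empty() && fullPath.back() != '/')`. The paths inserted into the set are built from `d_name` and, judging by the rest of this commit, are later handed to the signature parser, so it may be worth confirming each entry is a regular file (for example with `lstat`) before inserting it; whether the directory is already trusted at this point is not visible here. The body of `find()` continues outside the hunk.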
* @version 1.0
* @brief Implementatin of tizen signature validation protocol.
*/
+
#include <vcore/SignatureValidator.h>
#include <vcore/CertificateCollection.h>
#include <vcore/Certificate.h>
-#include <vcore/OCSPCertMgrUtil.h>
#include <vcore/ReferenceValidator.h>
#include <vcore/ValidatorFactories.h>
#include <vcore/XmlsecAdapter.h>
+#include <vcore/SignatureReader.h>
+#include <vcore/SignatureFinder.h>
#include <dpl/log/log.h>
namespace {
-const time_t TIMET_DAY = 60 * 60 * 24;
const std::string TOKEN_ROLE_AUTHOR_URI =
- "http://www.w3.org/ns/widgets-digsig#role-author";
+ "http://www.w3.org/ns/widgets-digsig#role-author";
const std::string TOKEN_ROLE_DISTRIBUTOR_URI =
- "http://www.w3.org/ns/widgets-digsig#role-distributor";
+ "http://www.w3.org/ns/widgets-digsig#role-distributor";
const std::string TOKEN_PROFILE_URI =
- "http://www.w3.org/ns/widgets-digsig#profile";
-
-} // namespace anonymouse
+ "http://www.w3.org/ns/widgets-digsig#profile";
-
-static tm _ASN1_GetTimeT(ASN1_TIME* time)
+static tm _ASN1_GetTimeT(ASN1_TIME *time)
{
- struct tm t;
- const char* str = (const char*) time->data;
- size_t i = 0;
-
- memset(&t, 0, sizeof(t));
-
- if (time->type == V_ASN1_UTCTIME) /* two digit year */
- {
- t.tm_year = (str[i] - '0') * 10 + (str[i+1] - '0');
- i += 2;
- if (t.tm_year < 70)
- t.tm_year += 100;
- }
- else if (time->type == V_ASN1_GENERALIZEDTIME) /* four digit year */
- {
- t.tm_year =
- (str[i] - '0') * 1000
- + (str[i+1] - '0') * 100
- + (str[i+2] - '0') * 10
- + (str[i+3] - '0');
- i += 4;
- t.tm_year -= 1900;
- }
- t.tm_mon = ((str[i] - '0') * 10 + (str[i+1] - '0')) - 1; // -1 since January is 0 not 1.
- t.tm_mday = (str[i+2] - '0') * 10 + (str[i+3] - '0');
- t.tm_hour = (str[i+4] - '0') * 10 + (str[i+5] - '0');
- t.tm_min = (str[i+6] - '0') * 10 + (str[i+7] - '0');
- t.tm_sec = (str[i+8] - '0') * 10 + (str[i+9] - '0');
-
- /* Note: we did not adjust the time based on time zone information */
- return t;
-}
+ struct tm t;
+ const char* str = (const char *)time->data;
+ size_t i = 0;
+
+ memset(&t, 0, sizeof(t));
+
+ if (time->type == V_ASN1_UTCTIME) {
+ /* two digit year */
+ t.tm_year = (str[i] - '0') * 10 + (str[i + 1] - '0');
+ i += 2;
+ if (t.tm_year < 70)
+ t.tm_year += 100;
+ } else if (time->type == V_ASN1_GENERALIZEDTIME) {
+ /* four digit year */
+ t.tm_year =
+ (str[i] - '0') * 1000
+ + (str[i + 1] - '0') * 100
+ + (str[i + 2] - '0') * 10
+ + (str[i + 3] - '0');
+ i += 4;
+ t.tm_year -= 1900;
+ }
+ t.tm_mon = (str[i] - '0') * 10 + (str[i + 1] - '0') - 1; // -1 since January is 0 not 1.
+ t.tm_mday = (str[i + 2] - '0') * 10 + (str[i + 3] - '0');
+ t.tm_hour = (str[i + 4] - '0') * 10 + (str[i + 5] - '0');
+ t.tm_min = (str[i + 6] - '0') * 10 + (str[i + 7] - '0');
+ t.tm_sec = (str[i + 8] - '0') * 10 + (str[i + 9] - '0');
-namespace ValidationCore {
+ /* Note: we did not adjust the time based on time zone information */
+ return t;
+}
-class SignatureValidator::ImplSignatureValidator {
-public:
- virtual SignatureValidator::Result check(
- SignatureData &data,
- const std::string &widgetContentPath) = 0;
-
- virtual SignatureValidator::Result checkList(
- SignatureData &data,
- const std::string &widgetContentPath,
- const std::list<std::string>& uriList) = 0;
-
- explicit ImplSignatureValidator(bool ocspEnable,
- bool crlEnable,
- bool complianceMode)
- : m_complianceModeEnabled(complianceMode)
- {
- (void) ocspEnable;
- (void) crlEnable;
- }
-
- virtual ~ImplSignatureValidator(){ }
-
- bool checkRoleURI(const SignatureData &data) {
- std::string roleURI = data.getRoleURI();
-
- if (roleURI.empty()) {
- LogWarning("URI attribute in Role tag couldn't be empty.");
- return false;
- }
-
- if (roleURI != TOKEN_ROLE_AUTHOR_URI && data.isAuthorSignature()) {
- LogWarning("URI attribute in Role tag does not "
- "match with signature filename.");
- return false;
- }
-
- if (roleURI != TOKEN_ROLE_DISTRIBUTOR_URI && !data.isAuthorSignature()) {
- LogWarning("URI attribute in Role tag does not "
- "match with signature filename.");
- return false;
- }
- return true;
- }
-
- bool checkProfileURI(const SignatureData &data) {
- if (TOKEN_PROFILE_URI != data.getProfileURI()) {
- LogWarning(
- "Profile tag contains unsupported value in URI attribute " << data.getProfileURI());
- return false;
- }
- return true;
- }
-
- bool checkObjectReferences(const SignatureData &data) {
- ObjectList objectList = data.getObjectList();
- ObjectList::const_iterator iter;
- for (iter = objectList.begin(); iter != objectList.end(); ++iter) {
- if (!data.containObjectReference(*iter)) {
- LogWarning("Signature does not contain reference for object " << *iter);
- return false;
- }
- }
- return true;
- }
-protected:
- bool m_complianceModeEnabled;
-};
-
-class ImplTizenSignatureValidator : public SignatureValidator::ImplSignatureValidator
-{
- public:
- SignatureValidator::Result check(SignatureData &data,
- const std::string &widgetContentPath);
-
- SignatureValidator::Result checkList(SignatureData &data,
- const std::string &widgetContentPath,
- const std::list<std::string>& uriList);
- explicit ImplTizenSignatureValidator(bool ocspEnable,
- bool crlEnable,
- bool complianceMode)
- : ImplSignatureValidator(ocspEnable, crlEnable, complianceMode)
- {}
-
- virtual ~ImplTizenSignatureValidator() {}
-};
-
-SignatureValidator::Result ImplTizenSignatureValidator::check(
- SignatureData &data,
- const std::string &widgetContentPath)
+static bool checkRoleURI(const ValidationCore::SignatureData &data)
{
- bool disregard = false;
-
- if (!checkRoleURI(data)) {
- return SignatureValidator::SIGNATURE_INVALID;
- }
-
- if (!checkProfileURI(data)) {
- return SignatureValidator::SIGNATURE_INVALID;
- }
-
- // CertificateList sortedCertificateList = data.getCertList();
-
- CertificateCollection collection;
- collection.load(data.getCertList());
-
- // First step - sort certificate
- if (!collection.sort()) {
- LogWarning("Certificates do not form valid chain.");
- return SignatureValidator::SIGNATURE_INVALID_CERT_CHAIN;//SIGNATURE_INVALID;
- }
-
- // Check for error
- if (collection.empty()) {
- LogWarning("Certificate list in signature is empty.");
- return SignatureValidator::SIGNATURE_INVALID_CERT_CHAIN;//SIGNATURE_INVALID;
- }
-
- CertificateList sortedCertificateList = collection.getChain();
-
- // TODO move it to CertificateCollection
- // Add root CA and CA certificates (if chain is incomplete)
- sortedCertificateList =
- OCSPCertMgrUtil::completeCertificateChain(sortedCertificateList);
-
- CertificatePtr root = sortedCertificateList.back();
-
- // Is Root CA certificate trusted?
- CertStoreId::Set storeIdSet = createCertificateIdentifier().find(root);
-
- LogDebug("Is root certificate from TIZEN_DEVELOPER domain : " << storeIdSet.contains(CertStoreId::TIZEN_DEVELOPER));
- LogDebug("Is root certificate from TIZEN_TEST domain : " << storeIdSet.contains(CertStoreId::TIZEN_TEST));
- LogDebug("Is root certificate from TIZEN_VERIFY domain : " << storeIdSet.contains(CertStoreId::TIZEN_VERIFY));
- LogDebug("Is root certificate from TIZEN_STORE domain : " << storeIdSet.contains(CertStoreId::TIZEN_STORE));
- LogDebug("Is root certificate from TIZEN_PUBLIC domain : " << storeIdSet.contains(CertStoreId::VIS_PUBLIC));
- LogDebug("Is root certificate from TIZEN_PARTNER domain : " << storeIdSet.contains(CertStoreId::VIS_PARTNER));
- LogDebug("Is root certificate from TIZEN_PLATFORM domain : " << storeIdSet.contains(CertStoreId::VIS_PLATFORM));
-
- LogDebug("Visibility level is public : " << storeIdSet.contains(CertStoreId::VIS_PUBLIC));
- LogDebug("Visibility level is partner : " << storeIdSet.contains(CertStoreId::VIS_PARTNER));
- LogDebug("Visibility level is platform : " << storeIdSet.contains(CertStoreId::VIS_PLATFORM));
-
- if (data.isAuthorSignature())
- {
- if (!storeIdSet.contains(CertStoreId::TIZEN_DEVELOPER))
- {
- LogWarning("author-signature.xml has got unrecognized Root CA "
- "certificate. Signature will be disregarded.");
- disregard = true;
- }
- }
- else
- {
- LogDebug("signaturefile name = " << data.getSignatureFileName());
- if (storeIdSet.contains(CertStoreId::TIZEN_DEVELOPER))
- {
- LogError("distributor has author level siganture! Signature will be disregarded.");
- return SignatureValidator::SIGNATURE_IN_DISTRIBUTOR_CASE_AUTHOR_CERT;//SIGNATURE_INVALID;
- }
-
+ std::string roleURI = data.getRoleURI();
- if (data.getSignatureNumber() == 1)
- {
- if (storeIdSet.contains(CertStoreId::VIS_PUBLIC) || storeIdSet.contains(CertStoreId::VIS_PARTNER) || storeIdSet.contains(CertStoreId::VIS_PLATFORM))
- {
- LogDebug("Root CA for signature1.xml is correct.");
- }
- else
- {
- LogWarning("signature1.xml has got unrecognized Root CA "
- "certificate. Signature will be disregarded.");
- disregard = true;
- }
- }
- }
-
- data.setStorageType(storeIdSet);
- data.setSortedCertificateList(sortedCertificateList);
-
- // We add only Root CA certificate because WAC ensure that the rest
- // of certificates are present in signature files ;-)
- XmlSec::XmlSecContext context;
- context.signatureFile = data.getSignatureFileName();
- context.certificatePtr = root;
-
- // Now we should have full certificate chain.
- // If the end certificate is not ROOT CA we should disregard signature
- // but still signature must be valid... Aaaaaa it's so stupid...
- if (!(root->isSignedBy(root))) {
- LogWarning("Root CA certificate not found. Chain is incomplete.");
- // context.allowBrokenChain = true;
- }
-
- time_t nowTime = time(NULL);
-
-#define CHECK_TIME
-#ifdef CHECK_TIME
-
- ASN1_TIME* notAfterTime = data.getEndEntityCertificatePtr()->getNotAfterTime();
- ASN1_TIME* notBeforeTime = data.getEndEntityCertificatePtr()->getNotBeforeTime();
-
- if (X509_cmp_time(notBeforeTime, &nowTime) > 0 || X509_cmp_time(notAfterTime, &nowTime) < 0)
- {
- struct tm *t;
- struct tm ta, tb, tc;
- char msg[1024];
-
- t = localtime(&nowTime);
- if (!t)
- return SignatureValidator::SIGNATURE_INVALID_CERT_TIME;
-
- memset(&tc, 0, sizeof(tc));
-
- snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", t->tm_year + 1900, t->tm_mon + 1,t->tm_mday );
- LogDebug("## System's currentTime : " << msg);
- fprintf(stderr, "## System's currentTime : %s\n", msg);
-
- tb = _ASN1_GetTimeT(notBeforeTime);
- snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", tb.tm_year + 1900, tb.tm_mon + 1,tb.tm_mday );
- LogDebug("## certificate's notBeforeTime : " << msg);
- fprintf(stderr, "## certificate's notBeforeTime : %s\n", msg);
-
- ta = _ASN1_GetTimeT(notAfterTime);
- snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", ta.tm_year + 1900, ta.tm_mon + 1,ta.tm_mday );
- LogDebug("## certificate's notAfterTime : " << msg);
- fprintf(stderr, "## certificate's notAfterTime : %s\n", msg);
-
- if (storeIdSet.contains(CertStoreId::TIZEN_TEST) || storeIdSet.contains(CertStoreId::TIZEN_VERIFY))
- {
- LogDebug("## TIZEN_VERIFY : check certificate Time : FALSE");
- fprintf(stderr, "## TIZEN_VERIFY : check certificate Time : FALSE\n");
- return SignatureValidator::SIGNATURE_INVALID_CERT_TIME;//SIGNATURE_INVALID;
- }
-
- int year = (ta.tm_year - tb.tm_year) / 4;
-
- if(year == 0)
- {
- tc.tm_year = tb.tm_year;
- tc.tm_mon = tb.tm_mon + 1;
- tc.tm_mday = tb.tm_mday;
-
- if(tc.tm_mon == 12)
- {
- tc.tm_year = ta.tm_year;
- tc.tm_mon = ta.tm_mon - 1;
- tc.tm_mday = ta.tm_mday;
-
- if(tc.tm_mon < 0)
- {
- tc.tm_year = ta.tm_year;
- tc.tm_mon = ta.tm_mon;
- tc.tm_mday = ta.tm_mday -1;
-
- if(tc.tm_mday == 0)
- {
- tc.tm_year = tb.tm_year;
- tc.tm_mon = tb.tm_mon;
- tc.tm_mday = tb.tm_mday +1;
- }
- }
- }
- }
- else{
- tc.tm_year = tb.tm_year + year;
- tc.tm_mon = (tb.tm_mon + ta.tm_mon )/2;
- tc.tm_mday = (tb.tm_mday + ta.tm_mday)/2;
- }
-
- snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", tc.tm_year + 1900, tc.tm_mon + 1,tc.tm_mday );
- LogDebug("## cmp cert with validation time : " << msg);
- fprintf(stderr, "## cmp cert with validation time : %s\n", msg);
-
- time_t outCurrent = mktime(&tc);
- context.validationTime = outCurrent;
- fprintf(stderr, "## cmp outCurrent time : %ld\n", outCurrent);
- //return SignatureValidator::SIGNATURE_INVALID;
- }
-
-#endif
- // WAC 2.0 SP-2066 The wrt must not block widget installation
- // due to expiration of the author certificate.
-#if 0
- time_t notAfter = data.getEndEntityCertificatePtr()->getNotAfter();
- time_t notBefore = data.getEndEntityCertificatePtr()->getNotBefore();
-
- struct tm *t;
-
- if (data.isAuthorSignature())
- {
- // time_t 2038 year bug exist. So, notAtter() cann't check...
- /*
- if (notAfter < nowTime)
- {
- context.validationTime = notAfter - TIMET_DAY;
- LogWarning("Author certificate is expired. notAfter...");
- }
- */
-
- if (notBefore > nowTime)
- {
- LogWarning("Author certificate is expired. notBefore time is greater than system-time.");
-
- t = localtime(&nowTime);
-
- t = localtime(¬Before);
-
- context.validationTime = notBefore + TIMET_DAY;
-
- t = localtime(&context.validationTime);
- }
- }
-#endif
- // WAC 2.0 SP-2066 The wrt must not block widget installation
- //context.allowBrokenChain = true;
-
- // end
-
- if (!data.isAuthorSignature())
- {
- if (XmlSec::NO_ERROR != XmlSecSingleton::Instance().validate(&context)) {
- LogWarning("Installation break - invalid package!");
- return SignatureValidator::SIGNATURE_INVALID_HASH_SIGNATURE;//SIGNATURE_INVALID;
- }
-
- data.setReference(context.referenceSet);
- if (!checkObjectReferences(data)) {
- LogWarning("Failed to check Object References");
- return SignatureValidator::SIGNATURE_INVALID_HASH_SIGNATURE;//SIGNATURE_INVALID;
- }
+ if (roleURI.empty()) {
+ LogWarning("URI attribute in Role tag couldn't be empty.");
+ return false;
+ }
- (void) widgetContentPath;
- /*
- ReferenceValidator fileValidator(widgetContentPath);
- if (ReferenceValidator::NO_ERROR != fileValidator.checkReferences(data)) {
- LogWarning("Invalid package - file references broken");
- return SignatureValidator::SIGNATURE_INVALID_NO_HASH_FILE;//SIGNATURE_INVALID;
- }
- */
+ if (roleURI != TOKEN_ROLE_AUTHOR_URI && data.isAuthorSignature()) {
+ LogWarning("URI attribute in Role tag does not "
+ "match with signature filename.");
+ return false;
}
- if (disregard) {
- LogWarning("Signature is disregard. RootCA is not a member of Tizen");
- return SignatureValidator::SIGNATURE_INVALID_DISTRIBUTOR_CERT;//SIGNATURE_DISREGARD;
- }
- return SignatureValidator::SIGNATURE_VERIFIED;
+ if (roleURI != TOKEN_ROLE_DISTRIBUTOR_URI && !data.isAuthorSignature()) {
+ LogWarning("URI attribute in Role tag does not "
+ "match with signature filename.");
+ return false;
+ }
+ return true;
}
-SignatureValidator::Result ImplTizenSignatureValidator::checkList(SignatureData &data,
- const std::string &widgetContentPath,
- const std::list<std::string>& uriList)
+static bool checkProfileURI(const ValidationCore::SignatureData &data)
{
- if(uriList.size() == 0 )
- LogWarning("checkList >> no hash");
-
- bool disregard = false;
-
- if (!checkRoleURI(data)) {
- return SignatureValidator::SIGNATURE_INVALID;
- }
-
- if (!checkProfileURI(data)) {
- return SignatureValidator::SIGNATURE_INVALID;
- }
-
- // CertificateList sortedCertificateList = data.getCertList();
-
- CertificateCollection collection;
- collection.load(data.getCertList());
-
- // First step - sort certificate
- if (!collection.sort()) {
- LogWarning("Certificates do not form valid chain.");
- return SignatureValidator::SIGNATURE_INVALID;
- }
-
- // Check for error
- if (collection.empty()) {
- LogWarning("Certificate list in signature is empty.");
- return SignatureValidator::SIGNATURE_INVALID;
- }
-
- CertificateList sortedCertificateList = collection.getChain();
-
- // TODO move it to CertificateCollection
- // Add root CA and CA certificates (if chain is incomplete)
- sortedCertificateList =
- OCSPCertMgrUtil::completeCertificateChain(sortedCertificateList);
-
- CertificatePtr root = sortedCertificateList.back();
-
- // Is Root CA certificate trusted?
- CertStoreId::Set storeIdSet = createCertificateIdentifier().find(root);
-
- LogDebug("Is root certificate from TIZEN_DEVELOPER domain : " << storeIdSet.contains(CertStoreId::TIZEN_DEVELOPER));
- LogDebug("Is root certificate from TIZEN_TEST domain : " << storeIdSet.contains(CertStoreId::TIZEN_TEST));
- LogDebug("Is root certificate from TIZEN_VERIFY domain : " << storeIdSet.contains(CertStoreId::TIZEN_VERIFY));
- LogDebug("Is root certificate from TIZEN_PUBLIC domain : " << storeIdSet.contains(CertStoreId::VIS_PUBLIC));
- LogDebug("Is root certificate from TIZEN_PARTNER domain : " << storeIdSet.contains(CertStoreId::VIS_PARTNER));
- LogDebug("Is root certificate from TIZEN_PLATFORM domain : " << storeIdSet.contains(CertStoreId::VIS_PLATFORM));
-
- LogDebug("Visibility level is public : " << storeIdSet.contains(CertStoreId::VIS_PUBLIC));
- LogDebug("Visibility level is partner : " << storeIdSet.contains(CertStoreId::VIS_PARTNER));
- LogDebug("Visibility level is platform : " << storeIdSet.contains(CertStoreId::VIS_PLATFORM));
-
- if (data.isAuthorSignature())
- {
- if (!storeIdSet.contains(CertStoreId::TIZEN_DEVELOPER))
- {
- LogWarning("author-signature.xml has got unrecognized Root CA "
- "certificate. Signature will be disregarded.");
- disregard = true;
- }
- LogDebug("Root CA for author signature is correct.");
- }
- else
- {
- LogDebug("signaturefile name = " << data.getSignatureFileName());
-
- if (data.getSignatureNumber() == 1)
- {
- if (storeIdSet.contains(CertStoreId::VIS_PUBLIC) || storeIdSet.contains(CertStoreId::VIS_PARTNER) || storeIdSet.contains(CertStoreId::VIS_PLATFORM))
- {
- LogDebug("Root CA for signature1.xml is correct.");
- }
- else
- {
- LogWarning("signature1.xml has got unrecognized Root CA "
- "certificate. Signature will be disregarded.");
- disregard = true;
- }
- }
- }
-
- data.setStorageType(storeIdSet);
- data.setSortedCertificateList(sortedCertificateList);
-
- // We add only Root CA certificate because WAC ensure that the rest
- // of certificates are present in signature files ;-)
- XmlSec::XmlSecContext context;
- context.signatureFile = data.getSignatureFileName();
- context.certificatePtr = root;
-
- // Now we should have full certificate chain.
- // If the end certificate is not ROOT CA we should disregard signature
- // but still signature must be valid... Aaaaaa it's so stupid...
- if (!(root->isSignedBy(root))) {
- LogWarning("Root CA certificate not found. Chain is incomplete.");
- // context.allowBrokenChain = true;
- }
-
- // WAC 2.0 SP-2066 The wrt must not block widget installation
- // due to expiration of the author certificate.
- time_t nowTime = time(NULL);
-
-#define CHECK_TIME
-#ifdef CHECK_TIME
-
- ASN1_TIME* notAfterTime = data.getEndEntityCertificatePtr()->getNotAfterTime();
- ASN1_TIME* notBeforeTime = data.getEndEntityCertificatePtr()->getNotBeforeTime();
-
-
- if (X509_cmp_time(notBeforeTime, &nowTime) > 0 || X509_cmp_time(notAfterTime, &nowTime) < 0)
- {
- struct tm *t;
- struct tm ta, tb, tc;
- char msg[1024];
-
- t = localtime(&nowTime);
- if (!t)
- return SignatureValidator::SIGNATURE_INVALID_CERT_TIME;
-
- memset(&tc, 0, sizeof(tc));
-
- snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", t->tm_year + 1900, t->tm_mon + 1,t->tm_mday );
- LogDebug("## System's currentTime : " << msg);
- fprintf(stderr, "## System's currentTime : %s\n", msg);
-
- tb = _ASN1_GetTimeT(notBeforeTime);
- snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", tb.tm_year + 1900, tb.tm_mon + 1,tb.tm_mday );
- LogDebug("## certificate's notBeforeTime : " << msg);
- fprintf(stderr, "## certificate's notBeforeTime : %s\n", msg);
-
- ta = _ASN1_GetTimeT(notAfterTime);
- snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", ta.tm_year + 1900, ta.tm_mon + 1,ta.tm_mday );
- LogDebug("## certificate's notAfterTime : " << msg);
- fprintf(stderr, "## certificate's notAfterTime : %s\n", msg);
-
- if (storeIdSet.contains(CertStoreId::TIZEN_VERIFY))
- {
- LogDebug("## TIZEN_VERIFY : check certificate Time : FALSE");
- fprintf(stderr, "## TIZEN_VERIFY : check certificate Time : FALSE\n");
- return SignatureValidator::SIGNATURE_INVALID;
- }
-
- int year = (ta.tm_year - tb.tm_year) / 4;
- tc.tm_year = tb.tm_year + year;
- tc.tm_mon = (tb.tm_mon + ta.tm_mon )/2;
- tc.tm_mday = (tb.tm_mday + ta.tm_mday)/2;
-
- snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", tc.tm_year + 1900, tc.tm_mon + 1,tc.tm_mday );
- LogDebug("## cmp cert with validation time : " << msg);
- fprintf(stderr, "## cmp cert with validation time : %s\n", msg);
-
- time_t outCurrent = mktime(&tc);
- context.validationTime = outCurrent;
- //return SignatureValidator::SIGNATURE_INVALID;
- }
-
-#endif
-
-#if 0
- time_t notAfter = data.getEndEntityCertificatePtr()->getNotAfter();
- time_t notBefore = data.getEndEntityCertificatePtr()->getNotBefore();
-
- struct tm *t;
-
- if (data.isAuthorSignature())
- {
- // time_t 2038 year bug exist. So, notAtter() cann't check...
- /*
- if (notAfter < nowTime)
- {
- context.validationTime = notAfter - TIMET_DAY;
- LogWarning("Author certificate is expired. notAfter...");
- }
- */
-
- if (notBefore > nowTime)
- {
- LogWarning("Author certificate is expired. notBefore time is greater than system-time.");
-
- t = localtime(&nowTime);
-
- t = localtime(¬Before);
-
- context.validationTime = notBefore + TIMET_DAY;
-
- t = localtime(&context.validationTime);
- }
- }
-#endif
- // WAC 2.0 SP-2066 The wrt must not block widget installation
- //context.allowBrokenChain = true;
-
- // end
- if(uriList.size() == 0)
- {
- if (XmlSec::NO_ERROR != XmlSecSingleton::Instance().validateNoHash(&context)) {
- LogWarning("Installation break - invalid package! >> validateNoHash");
- return SignatureValidator::SIGNATURE_INVALID;
- }
- }
- else if(uriList.size() != 0)
- {
- XmlSecSingleton::Instance().setPartialHashList(uriList);
- if (XmlSec::NO_ERROR != XmlSecSingleton::Instance().validatePartialHash(&context)) {
- LogWarning("Installation break - invalid package! >> validatePartialHash");
- return SignatureValidator::SIGNATURE_INVALID;
- }
- }
-
- data.setReference(context.referenceSet);
- //if (!checkObjectReferences(data)) {
- // return SignatureValidator::SIGNATURE_INVALID;
- // }
-
- (void) widgetContentPath;
- /*
- ReferenceValidator fileValidator(widgetContentPath);
- if (ReferenceValidator::NO_ERROR != fileValidator.checkReferences(data)) {
- LogWarning("Invalid package - file references broken");
- return SignatureValidator::SIGNATURE_INVALID;
- }
- */
-
- if (disregard) {
- LogWarning("Signature is disregard. RootCA is not a member of Tizen.");
- return SignatureValidator::SIGNATURE_DISREGARD;
- }
- return SignatureValidator::SIGNATURE_VERIFIED;
+ if (TOKEN_PROFILE_URI != data.getProfileURI()) {
+ LogWarning("Profile tag contains unsupported value "
+ "in URI attribute " << data.getProfileURI());
+ return false;
+ }
+ return true;
}
-class ImplWacSignatureValidator : public SignatureValidator::ImplSignatureValidator
-{
- public:
- SignatureValidator::Result check(SignatureData &data,
- const std::string &widgetContentPath);
-
- SignatureValidator::Result checkList(SignatureData &data,
- const std::string &widgetContentPath,
- const std::list<std::string>& uriList);
- explicit ImplWacSignatureValidator(bool ocspEnable,
- bool crlEnable,
- bool complianceMode)
- : ImplSignatureValidator(ocspEnable, crlEnable, complianceMode)
- {}
-
- virtual ~ImplWacSignatureValidator() {}
-};
-
-
-SignatureValidator::Result ImplWacSignatureValidator::checkList(
- SignatureData & /* data */,
- const std::string & /* widgetContentPath */,
- const std::list<std::string>& /* uriList */)
+static bool checkObjectReferences(const ValidationCore::SignatureData &data)
{
- return SignatureValidator::SIGNATURE_INVALID;
+ ValidationCore::ObjectList objectList = data.getObjectList();
+ ValidationCore::ObjectList::const_iterator iter;
+ for (iter = objectList.begin(); iter != objectList.end(); ++iter) {
+ if (!data.containObjectReference(*iter)) {
+ LogWarning("Signature does not contain reference for object " << *iter);
+ return false;
+ }
+ }
+ return true;
}
-
-SignatureValidator::Result ImplWacSignatureValidator::check(
- SignatureData &data,
- const std::string &widgetContentPath)
+static struct tm getMidTime(const struct tm &tb, const struct tm &ta)
{
- bool disregard = false;
+ struct tm tMid;
+ memset(&tMid, 0, sizeof(tMid));
+
+ LogDebug("Certificate's notBeforeTime : Year["
+ << (tb.tm_year + 1900)
+ << "] Month[" << (tb.tm_mon + 1)
+ << "] Day[" << tb.tm_mday << "] ");
+
+ LogDebug("Certificate's notAfterTime : Year["
+ << (ta.tm_year + 1900)
+ << "] Month[" << (ta.tm_mon + 1)
+ << "] Day[" << ta.tm_mday << "] ");
+
+ int year = (ta.tm_year - tb.tm_year) / 4;
+
+ if (year == 0) {
+ tMid.tm_year = tb.tm_year;
+ tMid.tm_mon = tb.tm_mon + 1;
+ tMid.tm_mday = tb.tm_mday;
+
+ if (tMid.tm_mon == 12) {
+ tMid.tm_year = ta.tm_year;
+ tMid.tm_mon = ta.tm_mon - 1;
+ tMid.tm_mday = ta.tm_mday;
+
+ if (tMid.tm_mon < 0) {
+ tMid.tm_year = ta.tm_year;
+ tMid.tm_mon = ta.tm_mon;
+ tMid.tm_mday = ta.tm_mday - 1;
+
+ if (tMid.tm_mday == 0) {
+ tMid.tm_year = tb.tm_year;
+ tMid.tm_mon = tb.tm_mon;
+ tMid.tm_mday = tb.tm_mday + 1;
+ }
+ }
+ }
+ } else {
+ tMid.tm_year = tb.tm_year + year;
+ tMid.tm_mon = (tb.tm_mon + ta.tm_mon) / 2;
+ tMid.tm_mday = (tb.tm_mday + ta.tm_mday) / 2;
+ }
- if (!checkRoleURI(data)) {
- return SignatureValidator::SIGNATURE_INVALID;
- }
+ LogDebug("cmp cert with validation time. Year["
+ << (tMid.tm_year + 1900)
+ << "] Month[" << (tMid.tm_mon + 1)
+ << "] Day[" << tMid.tm_mday << "] ");
- if (!checkProfileURI(data)) {
- return SignatureValidator::SIGNATURE_INVALID;
- }
+ return tMid;
+}
- // CertificateList sortedCertificateList = data.getCertList();
+} // namespace anonymouse
- CertificateCollection collection;
- collection.load(data.getCertList());
- // First step - sort certificate
- if (!collection.sort()) {
- LogWarning("Certificates do not form valid chain.");
- return SignatureValidator::SIGNATURE_INVALID;
- }
- // Check for error
- if (collection.empty()) {
- LogWarning("Certificate list in signature is empty.");
- return SignatureValidator::SIGNATURE_INVALID;
- }
+namespace ValidationCore {
- CertificateList sortedCertificateList = collection.getChain();
+/*
+ * Prepare to check / checklist. parse xml and save info to signature data.
+ *
+ * [in] fileInfo : signature file information to check. file path should be absolute path
+ * which is made by SignatureFinder.
+ * [out] outData : signature data for validating and will be finally returned to client.
+ */
+int prepareToCheck(const SignatureFileInfo &fileInfo, SignatureData &outData)
+{
+ outData = SignatureData(fileInfo.getFileName(), fileInfo.getFileNumber());
+
+ try {
+ SignatureReader xml;
+ xml.initialize(outData, SIGNATURE_SCHEMA_PATH);
+ xml.read(outData);
+ } catch (...) {
+ LogError("Failed to parse signature file by signature reader.");
+ return -1;
+ }
- // TODO move it to CertificateCollection
- // Add root CA and CA certificates (if chain is incomplete)
- sortedCertificateList =
- OCSPCertMgrUtil::completeCertificateChain(sortedCertificateList);
+ return 0;
+}
- CertificatePtr root = sortedCertificateList.back();
+/*
+ * Same logic (check, checkList) is functionalized here.
+ *
+ * [in] checkOcsp : If on, check ocsp.
+ * [out] disregard : distributor signature disregard flag.
+ * [out] context : xml sec for validating.
+ * [out] data : signature data for validationg and will be finally returned to client.
+ */
+static SignatureValidator::Result checkInternal(
+ bool checkOcsp,
+ bool &disregard,
+ XmlSec::XmlSecContext &context,
+ SignatureData &data)
+{
+ // TODO: impl ocsp check
+ (void) checkOcsp;
+
+ if (!checkRoleURI(data) || !checkProfileURI(data))
+ return SignatureValidator::SIGNATURE_INVALID;
+
+ CertificateCollection collection;
+ collection.load(data.getCertList());
- // Is Root CA certificate trusted?
- CertStoreId::Set storeIdSet = createCertificateIdentifier().find(root);
+ if (!collection.sort() || collection.empty() || !collection.completeCertificateChain()) {
+ LogWarning("Certificates do not form valid chain.");
+ return SignatureValidator::SIGNATURE_INVALID;
+ }
- LogDebug("Is root certificate from TIZEN_DEVELOPER domain : " << storeIdSet.contains(CertStoreId::TIZEN_DEVELOPER));
- LogDebug("Is root certificate from TIZEN_TEST domain : " << storeIdSet.contains(CertStoreId::TIZEN_TEST));
- LogDebug("Is root certificate from TIZEN_VERIFY domain : " << storeIdSet.contains(CertStoreId::TIZEN_VERIFY));
- LogDebug("Is root certificate from TIZEN_PUBLIC domain : " << storeIdSet.contains(CertStoreId::VIS_PUBLIC));
- LogDebug("Is root certificate from TIZEN_PARTNER domain : " << storeIdSet.contains(CertStoreId::VIS_PARTNER));
- LogDebug("Is root certificate from TIZEN_PLATFORM domain : " << storeIdSet.contains(CertStoreId::VIS_PLATFORM));
+ CertificateList sortedCertificateList = collection.getChain();
+ CertificatePtr root = sortedCertificateList.back();
- LogDebug("Visibility level is public : " << storeIdSet.contains(CertStoreId::VIS_PUBLIC));
- LogDebug("Visibility level is partner : " << storeIdSet.contains(CertStoreId::VIS_PARTNER));
- LogDebug("Visibility level is platform : " << storeIdSet.contains(CertStoreId::VIS_PLATFORM));
+ // Is Root CA certificate trusted?
+ CertStoreId::Set storeIdSet = createCertificateIdentifier().find(root);
- if (data.isAuthorSignature())
- {
- if (!storeIdSet.contains(CertStoreId::TIZEN_DEVELOPER))
- {
+ LogDebug("root certificate from " << storeIdSet.typeToString() << " domain");
+ if (data.isAuthorSignature()) {
+ if (!storeIdSet.contains(CertStoreId::TIZEN_DEVELOPER)) {
LogWarning("author-signature.xml has got unrecognized Root CA "
- "certificate. Signature will be disregarded.");
+ "certificate. Signature will be disregarded.");
disregard = true;
}
} else {
- LogDebug("signaturefile name = " << data.getSignatureFileName());
- if (storeIdSet.contains(CertStoreId::TIZEN_DEVELOPER))
- {
+ LogDebug("signaturefile name = " << data.getSignatureFileName());
+ if (storeIdSet.contains(CertStoreId::TIZEN_DEVELOPER)) {
LogError("distributor has author level siganture! Signature will be disregarded.");
return SignatureValidator::SIGNATURE_INVALID;
}
-
- if (data.getSignatureNumber() == 1)
- {
- if (storeIdSet.contains(CertStoreId::VIS_PUBLIC) || storeIdSet.contains(CertStoreId::VIS_PARTNER) || storeIdSet.contains(CertStoreId::VIS_PLATFORM))
- {
- LogDebug("Root CA for signature1.xml is correct.");
- }
- else
- {
- LogWarning("signature1.xml has got unrecognized Root CA "
- "certificate. Signature will be disregarded.");
- disregard = true;
- }
- }
- }
-
- data.setStorageType(storeIdSet);
- data.setSortedCertificateList(sortedCertificateList);
-
- // We add only Root CA certificate because WAC ensure that the rest
- // of certificates are present in signature files ;-)
- XmlSec::XmlSecContext context;
- context.signatureFile = data.getSignatureFileName();
- context.certificatePtr = root;
-
- // Now we should have full certificate chain.
- // If the end certificate is not ROOT CA we should disregard signature
- // but still signature must be valid... Aaaaaa it's so stupid...
- if (!(root->isSignedBy(root))) {
- LogWarning("Root CA certificate not found. Chain is incomplete.");
-// context.allowBrokenChain = true;
- }
-
- time_t nowTime = time(NULL);
- // WAC 2.0 SP-2066 The wrt must not block widget installation
- // due to expiration of the author certificate.
-#define CHECK_TIME
-#ifdef CHECK_TIME
-
- ASN1_TIME* notAfterTime = data.getEndEntityCertificatePtr()->getNotAfterTime();
- ASN1_TIME* notBeforeTime = data.getEndEntityCertificatePtr()->getNotBeforeTime();
-
- if (X509_cmp_time(notBeforeTime, &nowTime) > 0 || X509_cmp_time(notAfterTime, &nowTime) < 0)
- {
- struct tm *t;
- struct tm ta, tb, tc;
- char msg[1024];
-
- t = localtime(&nowTime);
- if (!t)
- return SignatureValidator::SIGNATURE_INVALID_CERT_TIME;
-
- memset(&tc, 0, sizeof(tc));
-
- snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", t->tm_year + 1900, t->tm_mon + 1,t->tm_mday );
- LogDebug("## System's currentTime : " << msg);
- fprintf(stderr, "## System's currentTime : %s\n", msg);
-
- tb = _ASN1_GetTimeT(notBeforeTime);
- snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", tb.tm_year + 1900, tb.tm_mon + 1,tb.tm_mday );
- LogDebug("## certificate's notBeforeTime : " << msg);
- fprintf(stderr, "## certificate's notBeforeTime : %s\n", msg);
-
- ta = _ASN1_GetTimeT(notAfterTime);
- snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", ta.tm_year + 1900, ta.tm_mon + 1,ta.tm_mday );
- LogDebug("## certificate's notAfterTime : " << msg);
- fprintf(stderr, "## certificate's notAfterTime : %s\n", msg);
-
- if (storeIdSet.contains(CertStoreId::TIZEN_VERIFY))
- {
- LogDebug("## TIZEN_VERIFY : check certificate Time : FALSE");
- fprintf(stderr, "## TIZEN_VERIFY : check certificate Time : FALSE\n");
- return SignatureValidator::SIGNATURE_INVALID;
- }
-
- int year = (ta.tm_year - tb.tm_year) / 4;
- tc.tm_year = tb.tm_year + year;
- tc.tm_mon = (tb.tm_mon + ta.tm_mon )/2;
- tc.tm_mday = (tb.tm_mday + ta.tm_mday)/2;
-
- snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", tc.tm_year + 1900, tc.tm_mon + 1,tc.tm_mday );
- LogDebug("## cmp cert with validation time : " << msg);
- fprintf(stderr, "## cmp cert with validation time : %s\n", msg);
-
- time_t outCurrent = mktime(&tc);
- context.validationTime = outCurrent;
- //return SignatureValidator::SIGNATURE_INVALID;
- }
-
-#endif
-
-#if 0
- time_t notAfter = data.getEndEntityCertificatePtr()->getNotAfter();
- time_t notBefore = data.getEndEntityCertificatePtr()->getNotBefore();
-
- struct tm *t;
-
- if (data.isAuthorSignature())
- {
- // time_t 2038 year bug exist. So, notAtter() cann't check...
- /*
- if (notAfter < nowTime)
- {
- context.validationTime = notAfter - TIMET_DAY;
- LogWarning("Author certificate is expired. notAfter...");
- }
- */
-
- if (notBefore > nowTime)
- {
- LogWarning("Author certificate is expired. notBefore time is greater than system-time.");
-
- t = localtime(&nowTime);
-
- t = localtime(¬Before);
-
- context.validationTime = notBefore + TIMET_DAY;
-
- t = localtime(&context.validationTime);
- }
- }
-#endif
- if (!data.isAuthorSignature())
- {
- if (XmlSec::NO_ERROR != XmlSecSingleton::Instance().validate(&context)) {
- LogWarning("Installation break - invalid package!");
- return SignatureValidator::SIGNATURE_INVALID;
+ if (data.getSignatureNumber() == 1 && !storeIdSet.isContainsVis()) {
+ LogWarning("signature1.xml has got unrecognized Root CA "
+ "certificate. Signature will be disregarded.");
+ disregard = true;
}
+ }
- data.setReference(context.referenceSet);
+ data.setStorageType(storeIdSet);
+ data.setSortedCertificateList(sortedCertificateList);
- if (!checkObjectReferences(data)) {
- return SignatureValidator::SIGNATURE_INVALID;
- }
+ /*
+ * We add only Root CA certificate because the rest
+ * of certificates are present in signature files ;-)
+ */
+ context.signatureFile = data.getSignatureFileName();
+ context.certificatePtr = root;
- ReferenceValidator fileValidator(widgetContentPath);
- if (ReferenceValidator::NO_ERROR != fileValidator.checkReferences(data)) {
- LogWarning("Invalid package - file references broken");
+ /* certificate time check */
+ ASN1_TIME* notAfterTime = data.getEndEntityCertificatePtr()->getNotAfterTime();
+ ASN1_TIME* notBeforeTime = data.getEndEntityCertificatePtr()->getNotBeforeTime();
+
+ time_t nowTime = time(NULL);
+
+ if (X509_cmp_time(notBeforeTime, &nowTime) > 0 || X509_cmp_time(notAfterTime, &nowTime) < 0) {
+ if (storeIdSet.contains(CertStoreId::TIZEN_TEST) || storeIdSet.contains(CertStoreId::TIZEN_VERIFY)) {
+ LogError("TIZEN_VERIFY : check certificate Time : FALSE");
return SignatureValidator::SIGNATURE_INVALID;
}
- }
- if (disregard) {
- LogWarning("Signature is disregard. RootCA is not a member of Tizen.");
- return SignatureValidator::SIGNATURE_DISREGARD;
- }
- return SignatureValidator::SIGNATURE_VERIFIED;
-}
-
-// Implementation of SignatureValidator
+ struct tm tMid = getMidTime(_ASN1_GetTimeT(notBeforeTime), _ASN1_GetTimeT(notAfterTime));
-SignatureValidator::SignatureValidator(
- AppType appType,
- bool ocspEnable,
- bool crlEnable,
- bool complianceMode)
- : m_impl(0)
-{
- LogDebug( "appType : " << appType );
-
- if(appType == TIZEN)
- {
- m_impl = new ImplTizenSignatureValidator(ocspEnable,crlEnable,complianceMode);
- }
- else if(appType == WAC20)
- {
- m_impl = new ImplWacSignatureValidator(ocspEnable,crlEnable,complianceMode);
- }
-}
+ context.validationTime = mktime(&tMid);
+ }
-SignatureValidator::~SignatureValidator() {
- delete m_impl;
+ return SignatureValidator::SIGNATURE_VERIFIED;
}
SignatureValidator::Result SignatureValidator::check(
- SignatureData &data,
- const std::string &widgetContentPath)
+ const SignatureFileInfo &fileInfo,
+ const std::string &widgetContentPath,
+ bool checkOcsp,
+ bool checkReferences,
+ SignatureData &outData)
{
- return m_impl->check(data, widgetContentPath);
+ if (prepareToCheck(fileInfo, outData)) {
+ LogError("Failed to prepare to check.");
+ return SIGNATURE_INVALID;
+ }
+
+ bool disregard = false;
+
+ try {
+ XmlSec::XmlSecContext context;
+ Result result = checkInternal(checkOcsp, disregard, context, outData);
+ if (result != SIGNATURE_VERIFIED)
+ return result;
+
+ if (!outData.isAuthorSignature()) {
+ if (XmlSec::NO_ERROR != XmlSecSingleton::Instance().validate(&context)) {
+ LogWarning("Installation break - invalid package!");
+ return SIGNATURE_INVALID;
+ }
+
+ outData.setReference(context.referenceSet);
+ if (!checkObjectReferences(outData)) {
+ LogWarning("Failed to check Object References");
+ return SIGNATURE_INVALID;
+ }
+
+ if (checkReferences) {
+ ReferenceValidator fileValidator(widgetContentPath);
+ if (ReferenceValidator::NO_ERROR != fileValidator.checkReferences(outData)) {
+ LogWarning("Invalid package - file references broken");
+ return SIGNATURE_INVALID;
+ }
+ }
+ }
+ } catch (const CertificateCollection::Exception::Base &e) {
+ LogError("CertificateCollection exception : " << e.DumpToString());
+ return SIGNATURE_INVALID;
+ } catch (const XmlSec::Exception::Base &e) {
+ LogError("XmlSec exception : " << e.DumpToString());
+ return SIGNATURE_INVALID;
+ } catch (...) {
+ LogError("Unknown exception in SignatureValidator::check");
+ return SIGNATURE_INVALID;
+ }
+
+ return disregard ? SIGNATURE_DISREGARD : SIGNATURE_VERIFIED;
}
SignatureValidator::Result SignatureValidator::checkList(
- SignatureData &data,
- const std::string &widgetContentPath,
- const std::list<std::string>& uriList)
+ const SignatureFileInfo &fileInfo,
+ const std::string &widgetContentPath,
+ const std::list<std::string> &uriList,
+ bool checkOcsp,
+ bool checkReferences,
+ SignatureData &outData)
{
- return m_impl->checkList(data, widgetContentPath, uriList);
+ if (prepareToCheck(fileInfo, outData)) {
+ LogError("Failed to prepare to check.");
+ return SIGNATURE_INVALID;
+ }
+
+ bool disregard = false;
+ try {
+ XmlSec::XmlSecContext context;
+ Result result = checkInternal(checkOcsp, disregard, context, outData);
+ if (result != SIGNATURE_VERIFIED)
+ return result;
+
+ if (uriList.size() == 0) {
+ if (XmlSec::NO_ERROR != XmlSecSingleton::Instance().validateNoHash(&context)) {
+ LogWarning("Installation break - invalid package! >> validateNoHash");
+ return SIGNATURE_INVALID;
+ }
+ } else {
+ XmlSecSingleton::Instance().setPartialHashList(uriList);
+ if (XmlSec::NO_ERROR != XmlSecSingleton::Instance().validatePartialHash(&context)) {
+ LogWarning("Installation break - invalid package! >> validatePartialHash");
+ return SIGNATURE_INVALID;
+ }
+ }
+
+ outData.setReference(context.referenceSet);
+ /*
+ if (!checkObjectReferences(outData)) {
+ LogWarning("Failed to check Object References");
+ return SIGNATURE_INVALID;
+ }
+ */
+
+ if (checkReferences) {
+ ReferenceValidator fileValidator(widgetContentPath);
+ if (ReferenceValidator::NO_ERROR != fileValidator.checkReferences(outData)) {
+ LogWarning("Invalid package - file references broken");
+ return SIGNATURE_INVALID;
+ }
+ }
+ } catch (const CertificateCollection::Exception::Base &e) {
+ LogError("CertificateCollection exception : " << e.DumpToString());
+ return SIGNATURE_INVALID;
+ } catch (const XmlSec::Exception::Base &e) {
+ LogError("XmlSec exception : " << e.DumpToString());
+ return SIGNATURE_INVALID;
+ } catch (...) {
+ LogError("Unknown exception in SignatureValidator::checkList");
+ return SIGNATURE_INVALID;
+ }
+
+ return disregard ? SIGNATURE_DISREGARD : SIGNATURE_VERIFIED;
}
+
} // namespace ValidationCore
/*
* @file SignatureValidator.h
* @author Bartlomiej Grzelewski (b.grzelewski@samsung.com)
- * @version 1.0
+ * @version 1.1
* @brief Implementatin of tizen signature validation protocol.
*/
#ifndef _VALIDATION_CORE_SIGNATUREVALIDATOR_H_
#define _VALIDATION_CORE_SIGNATUREVALIDATOR_H_
-#ifndef LOG_TAG
-#undef LOG_TAG
-#define LOG_TAG "OSP"
-#endif
-
#include <string>
-
+#include <list>
#include <vcore/SignatureData.h>
+#include <vcore/SignatureFinder.h>
namespace ValidationCore {
class SignatureValidator {
public:
- class ImplSignatureValidator;
-
- enum AppType
- {
- TIZEN,
- WAC20
- };
-
enum Result
{
SIGNATURE_VALID,
SIGNATURE_INVALID,
SIGNATURE_VERIFIED,
- SIGNATURE_DISREGARD, // no ocsp response or ocsp return unknown status
- SIGNATURE_REVOKED,
- SIGNATURE_INVALID_CERT_CHAIN, //5, from here, new error enum
- SIGNATURE_INVALID_DISTRIBUTOR_CERT,
- SIGNATURE_INVALID_SDK_DEFAULT_AUTHOR_CERT,
- SIGNATURE_IN_DISTRIBUTOR_CASE_AUTHOR_CERT,
- SIGNATURE_INVALID_CERT_TIME,
- SIGNATURE_NO_DEVICE_PROFILE,
- SIGNATURE_INVALID_DEVICE_UNIQUE_ID,
- SIGNATURE_INVALID_NO_HASH_FILE,
- SIGNATURE_INVALID_HASH_SIGNATURE
+ SIGNATURE_DISREGARD,
+ SIGNATURE_REVOKED
};
SignatureValidator() = delete;
SignatureValidator(const SignatureValidator &) = delete;
const SignatureValidator &operator=(const SignatureValidator &) = delete;
- explicit SignatureValidator(
- AppType appType,
- bool ocspEnable,
- bool crlEnable,
- bool complianceMode);
-
virtual ~SignatureValidator();
- Result check(
- SignatureData &data,
- const std::string &widgetContentPath);
-
- Result checkList(
- SignatureData &data,
+ static Result check(
+ const SignatureFileInfo &fileInfo,
const std::string &widgetContentPath,
- const std::list<std::string>& uriList);
+ bool checkOcsp,
+ bool checkReferences,
+ SignatureData &outData);
-private:
- ImplSignatureValidator *m_impl;
+ static Result checkList(
+ const SignatureFileInfo &fileInfo,
+ const std::string &widgetContentPath,
+ const std::list<std::string> &uriList,
+ bool checkOcsp,
+ bool checkReferences,
+ SignatureData &outData);
};
} // namespace ValidationCore
-#endif // _VALIDATION_CORE_TIZENSIGNATUREVALIDATOR_H_
-
+#endif // _VALIDATION_CORE_SIGNATUREVALIDATOR_H_
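Review bot: The new static `check` and `checkList` declarations are undocumented, although their two adjacent `bool` parameters decide how much of a package is actually verified before a result is returned. In the implementation shown earlier on this page, passing `checkReferences` as false skips the `ReferenceValidator::checkReferences` pass over `widgetContentPath`, and `checkList` leaves the `checkObjectReferences` call commented out, yet both paths can still end in `SIGNATURE_VERIFIED` or `SIGNATURE_DISREGARD`. I would add a Doxygen block above each declaration that states what each flag turns off and what a success result does not cover in that case, for example `@param checkReferences if false, references are not checked against the files under widgetContentPath`. Separately, `virtual ~SignatureValidator();` stays declared while the constructors are deleted and, as far as the visible lines show, its definition is removed from the .cpp. Dropping that declaration would match the now static-only class.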
+++ /dev/null
-/*
- * Copyright (c) 2011 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-/*
- * @file WrtSignatureValidator.cpp
- * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com)
- * @version 1.0
- * @brief Implementatin of tizen signature validation protocol.
- */
-#include <vcore/WrtSignatureValidator.h>
-
-#include <vcore/CertificateCollection.h>
-#include <vcore/Certificate.h>
-#include <vcore/OCSPCertMgrUtil.h>
-#include <vcore/ReferenceValidator.h>
-#include <vcore/ValidatorFactories.h>
-#include <vcore/XmlsecAdapter.h>
-
-#include <dpl/log/log.h>
-
-namespace {
-const time_t TIMET_DAY = 60 * 60 * 24;
-
-const std::string TOKEN_ROLE_AUTHOR_URI =
- "http://www.w3.org/ns/widgets-digsig#role-author";
-const std::string TOKEN_ROLE_DISTRIBUTOR_URI =
- "http://www.w3.org/ns/widgets-digsig#role-distributor";
-const std::string TOKEN_PROFILE_URI =
- "http://www.w3.org/ns/widgets-digsig#profile";
-
-} // namespace anonymouse
-
-static tm _ASN1_GetTimeT(ASN1_TIME* time)
-{
- struct tm t;
- const char* str = (const char*) time->data;
- size_t i = 0;
-
- memset(&t, 0, sizeof(t));
-
- if (time->type == V_ASN1_UTCTIME) /* two digit year */
- {
- t.tm_year = (str[i] - '0') * 10 + (str[i+1] - '0');
- i += 2;
- if (t.tm_year < 70)
- t.tm_year += 100;
- }
- else if (time->type == V_ASN1_GENERALIZEDTIME) /* four digit year */
- {
- t.tm_year =
- (str[i] - '0') * 1000
- + (str[i+1] - '0') * 100
- + (str[i+2] - '0') * 10
- + (str[i+3] - '0');
- i += 4;
- t.tm_year -= 1900;
- }
- t.tm_mon = ((str[i] - '0') * 10 + (str[i+1] - '0')) - 1; // -1 since January is 0 not 1.
- t.tm_mday = (str[i+2] - '0') * 10 + (str[i+3] - '0');
- t.tm_hour = (str[i+4] - '0') * 10 + (str[i+5] - '0');
- t.tm_min = (str[i+6] - '0') * 10 + (str[i+7] - '0');
- t.tm_sec = (str[i+8] - '0') * 10 + (str[i+9] - '0');
-
- /* Note: we did not adjust the time based on time zone information */
- return t;
-}
-
-
-namespace ValidationCore {
-
-class WrtSignatureValidator::Impl {
-public:
- virtual WrtSignatureValidator::Result check(
- SignatureData &data,
- const std::string &widgetContentPath) = 0;
-
- explicit Impl(bool ocspEnable,
- bool crlEnable,
- bool complianceMode)
- : m_complianceModeEnabled(complianceMode)
- {
- (void) ocspEnable;
- (void) crlEnable;
- }
-
- virtual ~Impl() {}
-
- bool checkRoleURI(const SignatureData &data) {
- std::string roleURI = data.getRoleURI();
-
- if (roleURI.empty()) {
- LogWarning("URI attribute in Role tag couldn't be empty.");
- return false;
- }
-
- if (roleURI != TOKEN_ROLE_AUTHOR_URI && data.isAuthorSignature()) {
- LogWarning("URI attribute in Role tag does not "
- "match with signature filename.");
- return false;
- }
-
- if (roleURI != TOKEN_ROLE_DISTRIBUTOR_URI && !data.isAuthorSignature()) {
- LogWarning("URI attribute in Role tag does not "
- "match with signature filename.");
- return false;
- }
- return true;
- }
-
- bool checkProfileURI(const SignatureData &data) {
- if (TOKEN_PROFILE_URI != data.getProfileURI()) {
- LogWarning("Profile tag contains unsupported value in URI attribute " << data.getProfileURI());
- return false;
- }
- return true;
- }
-
- bool checkObjectReferences(const SignatureData &data) {
- ObjectList objectList = data.getObjectList();
- ObjectList::const_iterator iter;
- for (iter = objectList.begin(); iter != objectList.end(); ++iter) {
- if (!data.containObjectReference(*iter)) {
- LogWarning("Signature does not contain reference for object " << *iter);
- return false;
- }
- }
- return true;
- }
-protected:
- bool m_complianceModeEnabled;
-
-};
-
-class ImplTizen : public WrtSignatureValidator::Impl {
-public:
- WrtSignatureValidator::Result check(SignatureData &data,
- const std::string &widgetContentPath);
-
- explicit ImplTizen(bool ocspEnable,
- bool crlEnable,
- bool complianceMode)
- : Impl(ocspEnable, crlEnable, complianceMode)
- {}
-
- virtual ~ImplTizen() {}
-};
-
-WrtSignatureValidator::Result ImplTizen::check(
- SignatureData &data,
- const std::string &widgetContentPath)
-{
- bool disregard = false;
-
- if (!checkRoleURI(data)) {
- return WrtSignatureValidator::SIGNATURE_INVALID;
- }
-
- if (!checkProfileURI(data)) {
- return WrtSignatureValidator::SIGNATURE_INVALID;
- }
-
- // CertificateList sortedCertificateList = data.getCertList();
-
- CertificateCollection collection;
- collection.load(data.getCertList());
-
- // First step - sort certificate
- if (!collection.sort()) {
- LogWarning("Certificates do not form valid chain.");
- return WrtSignatureValidator::SIGNATURE_INVALID_CERT_CHAIN;//SIGNATURE_INVALID;
- }
-
- // Check for error
- if (collection.empty()) {
- LogWarning("Certificate list in signature is empty.");
- return WrtSignatureValidator::SIGNATURE_INVALID_CERT_CHAIN;//SIGNATURE_INVALID;
- }
-
- CertificateList sortedCertificateList = collection.getChain();
-
- // TODO move it to CertificateCollection
- // Add root CA and CA certificates (if chain is incomplete)
- sortedCertificateList =
- OCSPCertMgrUtil::completeCertificateChain(sortedCertificateList);
-
- CertificatePtr root = sortedCertificateList.back();
-
- // Is Root CA certificate trusted?
- CertStoreId::Set storeIdSet = createCertificateIdentifier().find(root);
-
- LogDebug("Is root certificate from TIZEN_DEVELOPER domain : " << storeIdSet.contains(CertStoreId::TIZEN_DEVELOPER));
- LogDebug("Is root certificate from TIZEN_TEST domain : " << storeIdSet.contains(CertStoreId::TIZEN_TEST));
- LogDebug("Is root certificate from TIZEN_VERIFY domain : " << storeIdSet.contains(CertStoreId::TIZEN_VERIFY));
- LogDebug("Is root certificate from TIZEN_PUBLIC domain : " << storeIdSet.contains(CertStoreId::VIS_PUBLIC));
- LogDebug("Is root certificate from TIZEN_PARTNER domain : " << storeIdSet.contains(CertStoreId::VIS_PARTNER));
- LogDebug("Is root certificate from TIZEN_PLATFORM domain : " << storeIdSet.contains(CertStoreId::VIS_PLATFORM));
- LogDebug("Visibility level is public : " << storeIdSet.contains(CertStoreId::VIS_PUBLIC));
- LogDebug("Visibility level is partner : " << storeIdSet.contains(CertStoreId::VIS_PARTNER));
- LogDebug("Visibility level is platform : " << storeIdSet.contains(CertStoreId::VIS_PLATFORM));
-
- if (data.isAuthorSignature())
- {
- if (!storeIdSet.contains(CertStoreId::TIZEN_DEVELOPER))
- {
- LogWarning("author-signature.xml has got unrecognized Root CA "
- "certificate. Signature will be disregarded.");
- disregard = true;
- }
- }
- else // distributor
- {
- if (storeIdSet.contains(CertStoreId::TIZEN_DEVELOPER))
- {
- LogWarning("distributor has author level siganture! Signature will be disregarded.");
- return WrtSignatureValidator::SIGNATURE_IN_DISTRIBUTOR_CASE_AUTHOR_CERT;//SIGNATURE_INVALID;
- }
- LogDebug("signaturefile name = " << data.getSignatureFileName());
-
-
- if (data.getSignatureNumber() == 1)
- {
- if (storeIdSet.contains(CertStoreId::VIS_PUBLIC) || storeIdSet.contains(CertStoreId::VIS_PARTNER) || storeIdSet.contains(CertStoreId::VIS_PLATFORM))
- {
- LogDebug("Root CA for signature1.xml is correct.");
- }
- else
- {
- LogWarning("signature1.xml has got unrecognized Root CA "
- "certificate. Signature will be disregarded.");
- disregard = true;
- }
- }
- }
-
- data.setStorageType(storeIdSet);
- data.setSortedCertificateList(sortedCertificateList);
-
- // We add only Root CA certificate because WAC ensure that the rest
- // of certificates are present in signature files ;-)
- XmlSec::XmlSecContext context;
- context.signatureFile = data.getSignatureFileName();
- context.certificatePtr = root;
-
- // Now we should have full certificate chain.
- // If the end certificate is not ROOT CA we should disregard signature
- // but still signature must be valid... Aaaaaa it's so stupid...
- if (!(root->isSignedBy(root))) {
- LogWarning("Root CA certificate not found. Chain is incomplete.");
- //context.allowBrokenChain = true;
- }
-
- // WAC 2.0 SP-2066 The wrt must not block widget installation
- // due to expiration of the author certificate.
- time_t nowTime = time(NULL);
-#define CHECK_TIME
-#ifdef CHECK_TIME
-
- ASN1_TIME* notAfterTime = data.getEndEntityCertificatePtr()->getNotAfterTime();
- ASN1_TIME* notBeforeTime = data.getEndEntityCertificatePtr()->getNotBeforeTime();
-
- if (X509_cmp_time(notBeforeTime, &nowTime) > 0 || X509_cmp_time(notAfterTime, &nowTime) < 0)
- {
- struct tm *t;
- struct tm ta, tb, tc;
- char msg[1024];
-
- t = localtime(&nowTime);
- if (!t)
- return WrtSignatureValidator::SIGNATURE_INVALID_CERT_TIME;
-
- memset(&tc, 0, sizeof(tc));
-
- snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", t->tm_year + 1900, t->tm_mon + 1,t->tm_mday );
- LogDebug("## System's currentTime : " << msg);
- fprintf(stderr, "## System's currentTime : %s\n", msg);
-
- tb = _ASN1_GetTimeT(notBeforeTime);
- snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", tb.tm_year + 1900, tb.tm_mon + 1,tb.tm_mday );
- LogDebug("## certificate's notBeforeTime : " << msg);
- fprintf(stderr, "## certificate's notBeforeTime : %s\n", msg);
-
- ta = _ASN1_GetTimeT(notAfterTime);
- snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", ta.tm_year + 1900, ta.tm_mon + 1,ta.tm_mday );
- LogDebug("## certificate's notAfterTime : " << msg);
- fprintf(stderr, "## certificate's notAfterTime : %s\n", msg);
-
- if (storeIdSet.contains(CertStoreId::TIZEN_TEST) || storeIdSet.contains(CertStoreId::TIZEN_VERIFY))
- {
- LogDebug("## TIZEN_VERIFY : check certificate Time : FALSE");
- fprintf(stderr, "## TIZEN_VERIFY : check certificate Time : FALSE\n");
- return WrtSignatureValidator::SIGNATURE_INVALID_CERT_TIME;//SIGNATURE_INVALID;
- }
-
- int year = (ta.tm_year - tb.tm_year) / 4;
-
- if(year == 0)
- {
- tc.tm_year = tb.tm_year;
- tc.tm_mon = tb.tm_mon + 1;
- tc.tm_mday = tb.tm_mday;
-
- if(tc.tm_mon == 12)
- {
- tc.tm_year = ta.tm_year;
- tc.tm_mon = ta.tm_mon - 1;
- tc.tm_mday = ta.tm_mday;
-
- if(tc.tm_mon < 0)
- {
- tc.tm_year = ta.tm_year;
- tc.tm_mon = ta.tm_mon;
- tc.tm_mday = ta.tm_mday -1;
-
- if(tc.tm_mday == 0)
- {
- tc.tm_year = tb.tm_year;
- tc.tm_mon = tb.tm_mon;
- tc.tm_mday = tb.tm_mday +1;
- }
- }
- }
- }
- else{
- tc.tm_year = tb.tm_year + year;
- tc.tm_mon = (tb.tm_mon + ta.tm_mon )/2;
- tc.tm_mday = (tb.tm_mday + ta.tm_mday)/2;
- }
-
- snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", tc.tm_year + 1900, tc.tm_mon + 1,tc.tm_mday );
- LogDebug("## cmp cert with validation time : " << msg);
- fprintf(stderr, "## cmp cert with validation time : %s\n", msg);
-
- time_t outCurrent = mktime(&tc);
- context.validationTime = outCurrent;
-
- fprintf(stderr, "## cmp outCurrent time : %ld\n", outCurrent);
-
- //return WrtSignatureValidator::SIGNATURE_INVALID;
- }
-
-#endif
-
-#if 0
- time_t notAfter = data.getEndEntityCertificatePtr()->getNotAfter();
- time_t notBefore = data.getEndEntityCertificatePtr()->getNotBefore();
-
- struct tm *t;
-
- if (data.isAuthorSignature())
- {
- // time_t 2038 year bug exist. So, notAtter() cann't check...
- /*
- if (notAfter < nowTime)
- {
- context.validationTime = notAfter - TIMET_DAY;
- LogWarning("Author certificate is expired. notAfter...");
- }
- */
-
- if (notBefore > nowTime)
- {
- LogWarning("Author certificate is expired. notBefore time is greater than system-time.");
-
- t = localtime(&nowTime);
- LogDebug("System's current Year : " << (t->tm_year + 1900));
- LogDebug("System's current month : " << (t->tm_mon + 1));
- LogDebug("System's current day : " << (t->tm_mday));
-
- t = localtime(¬Before);
- LogDebug("Author certificate's notBefore Year : " << (t->tm_year + 1900));
- LogDebug("Author certificate's notBefore month : " << (t->tm_mon + 1));
- LogDebug("Author certificate's notBefore day : " << (t->tm_mday));
-
- context.validationTime = notBefore + TIMET_DAY;
-
- t = localtime(&context.validationTime);
- LogDebug("Modified current Year : " << (t->tm_year + 1900));
- LogDebug("Modified current notBefore month : " << (t->tm_mon + 1));
- LogDebug("Modified current notBefore day : " << (t->tm_mday));
- }
- }
-#endif
- // WAC 2.0 SP-2066 The wrt must not block widget installation
- //context.allowBrokenChain = true;
-
- // end
- if (!data.isAuthorSignature())
- {
- if (XmlSec::NO_ERROR != XmlSecSingleton::Instance().validate(&context)) {
- LogWarning("Installation break - invalid package!");
- return WrtSignatureValidator::SIGNATURE_INVALID_HASH_SIGNATURE;//SIGNATURE_INVALID;
- }
-
- data.setReference(context.referenceSet);
-
- if (!checkObjectReferences(data)) {
- LogWarning("Failed to check Object References");
- return WrtSignatureValidator::SIGNATURE_INVALID_HASH_SIGNATURE;//SIGNATURE_INVALID;
- }
-
- ReferenceValidator fileValidator(widgetContentPath);
- if (ReferenceValidator::NO_ERROR != fileValidator.checkReferences(data)) {
- LogWarning("Invalid package - file references broken");
- return WrtSignatureValidator::SIGNATURE_INVALID_NO_HASH_FILE;//SIGNATURE_INVALID;
- }
- }
-
- if (disregard) {
- LogWarning("Signature is disregard. RootCA is not a member of Tizen");
- return WrtSignatureValidator::SIGNATURE_INVALID_DISTRIBUTOR_CERT;//SIGNATURE_DISREGARD;
- }
- return WrtSignatureValidator::SIGNATURE_VERIFIED;
-}
-
-class ImplWac : public WrtSignatureValidator::Impl
-{
-public:
- WrtSignatureValidator::Result check(SignatureData &data,
- const std::string &widgetContentPath);
-
- explicit ImplWac(bool ocspEnable,
- bool crlEnable,
- bool complianceMode)
- : Impl(ocspEnable, crlEnable, complianceMode)
- {}
-
- virtual ~ImplWac() {}
-};
-
-WrtSignatureValidator::Result ImplWac::check(
- SignatureData &data,
- const std::string &widgetContentPath)
-{
- bool disregard = false;
-
- if (!checkRoleURI(data)) {
- return WrtSignatureValidator::SIGNATURE_INVALID;
- }
-
- if (!checkProfileURI(data)) {
- return WrtSignatureValidator::SIGNATURE_INVALID;
- }
-
- // CertificateList sortedCertificateList = data.getCertList();
-
- CertificateCollection collection;
- collection.load(data.getCertList());
-
- // First step - sort certificate
- if (!collection.sort()) {
- LogWarning("Certificates do not form valid chain.");
- return WrtSignatureValidator::SIGNATURE_INVALID;
- }
-
- // Check for error
- if (collection.empty()) {
- LogWarning("Certificate list in signature is empty.");
- return WrtSignatureValidator::SIGNATURE_INVALID;
- }
-
- CertificateList sortedCertificateList = collection.getChain();
-
- // TODO move it to CertificateCollection
- // Add root CA and CA certificates (if chain is incomplete)
- sortedCertificateList =
- OCSPCertMgrUtil::completeCertificateChain(sortedCertificateList);
-
- CertificatePtr root = sortedCertificateList.back();
-
- // Is Root CA certificate trusted?
- CertStoreId::Set storeIdSet = createCertificateIdentifier().find(root);
-
- LogDebug("Is root certificate from TIZEN_DEVELOPER domain : " << storeIdSet.contains(CertStoreId::TIZEN_DEVELOPER));
- LogDebug("Is root certificate from TIZEN_TEST domain : " << storeIdSet.contains(CertStoreId::TIZEN_TEST));
- LogDebug("Is root certificate from TIZEN_VERIFY domain : " << storeIdSet.contains(CertStoreId::TIZEN_VERIFY));
- LogDebug("Is root certificate from TIZEN_PUBLIC domain : " << storeIdSet.contains(CertStoreId::VIS_PUBLIC));
- LogDebug("Is root certificate from TIZEN_PARTNER domain : " << storeIdSet.contains(CertStoreId::VIS_PARTNER));
- LogDebug("Is root certificate from TIZEN_PLATFORM domain : " << storeIdSet.contains(CertStoreId::VIS_PLATFORM));
- LogDebug("Visibility level is public : " << storeIdSet.contains(CertStoreId::VIS_PUBLIC));
- LogDebug("Visibility level is partner : " << storeIdSet.contains(CertStoreId::VIS_PARTNER));
- LogDebug("Visibility level is platform : " << storeIdSet.contains(CertStoreId::VIS_PLATFORM));
-
- if (data.isAuthorSignature())
- {
- if (!storeIdSet.contains(CertStoreId::TIZEN_DEVELOPER))
- {
- LogWarning("author-signature.xml has got unrecognized Root CA "
- "certificate. Signature will be disregarded.");
- disregard = true;
- }
- }
- else
- {
- if (storeIdSet.contains(CertStoreId::TIZEN_DEVELOPER))
- {
- LogWarning("distributor has author level siganture! Signature will be disregarded.");
- return WrtSignatureValidator::SIGNATURE_INVALID;
- }
- LogDebug("signaturefile name = " << data.getSignatureFileName());
-
- if (data.getSignatureNumber() == 1)
- {
- if (storeIdSet.contains(CertStoreId::VIS_PUBLIC) || storeIdSet.contains(CertStoreId::VIS_PARTNER) || storeIdSet.contains(CertStoreId::VIS_PLATFORM))
- {
- LogDebug("Root CA for signature1.xml is correct.");
- }
- else
- {
- LogWarning("signature1.xml has got unrecognized Root CA "
- "certificate. Signature will be disregarded.");
- disregard = true;
- }
- }
- }
-
- data.setStorageType(storeIdSet);
- data.setSortedCertificateList(sortedCertificateList);
-
- // We add only Root CA certificate because WAC ensure that the rest
- // of certificates are present in signature files ;-)
- XmlSec::XmlSecContext context;
- context.signatureFile = data.getSignatureFileName();
- context.certificatePtr = root;
-
- // Now we should have full certificate chain.
- // If the end certificate is not ROOT CA we should disregard signature
- // but still signature must be valid... Aaaaaa it's so stupid...
- if (!(root->isSignedBy(root))) {
- LogWarning("Root CA certificate not found. Chain is incomplete.");
-// context.allowBrokenChain = true;
- }
-
- time_t nowTime = time(NULL);
- // WAC 2.0 SP-2066 The wrt must not block widget installation
- // due to expiration of the author certificate.
-#define CHECK_TIME
-#ifdef CHECK_TIME
-
- ASN1_TIME* notAfterTime = data.getEndEntityCertificatePtr()->getNotAfterTime();
- ASN1_TIME* notBeforeTime = data.getEndEntityCertificatePtr()->getNotBeforeTime();
-
- if (X509_cmp_time(notBeforeTime, &nowTime) > 0 || X509_cmp_time(notAfterTime, &nowTime) < 0)
- {
- struct tm *t;
- struct tm ta, tb, tc;
- char msg[1024];
-
- t = localtime(&nowTime);
- if (!t)
- return WrtSignatureValidator::SIGNATURE_INVALID_CERT_TIME;
-
- memset(&tc, 0, sizeof(tc));
-
- snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", t->tm_year + 1900, t->tm_mon + 1,t->tm_mday );
- LogDebug("## System's currentTime : " << msg);
- fprintf(stderr, "## System's currentTime : %s\n", msg);
-
- tb = _ASN1_GetTimeT(notBeforeTime);
- snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", tb.tm_year + 1900, tb.tm_mon + 1,tb.tm_mday );
- LogDebug("## certificate's notBeforeTime : " << msg);
- fprintf(stderr, "## certificate's notBeforeTime : %s\n", msg);
-
- ta = _ASN1_GetTimeT(notAfterTime);
- snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", ta.tm_year + 1900, ta.tm_mon + 1,ta.tm_mday );
- LogDebug("## certificate's notAfterTime : " << msg);
- fprintf(stderr, "## certificate's notAfterTime : %s\n", msg);
-
- if (storeIdSet.contains(CertStoreId::TIZEN_VERIFY))
- {
- LogDebug("## TIZEN_VERIFY : check certificate Time : FALSE");
- fprintf(stderr, "## TIZEN_VERIFY : check certificate Time : FALSE\n");
- return WrtSignatureValidator::SIGNATURE_INVALID;
- }
-
- int year = (ta.tm_year - tb.tm_year) / 4;
-
- if(year == 0)
- {
- tc.tm_year = tb.tm_year;
- tc.tm_mon = tb.tm_mon + 1;
- tc.tm_mday = tb.tm_mday;
-
- if(tc.tm_mon == 12)
- {
- tc.tm_year = ta.tm_year;
- tc.tm_mon = ta.tm_mon - 1;
- tc.tm_mday = ta.tm_mday;
-
- if(tc.tm_mon < 0)
- {
- tc.tm_year = ta.tm_year;
- tc.tm_mon = ta.tm_mon;
- tc.tm_mday = ta.tm_mday -1;
-
- if(tc.tm_mday == 0)
- {
- tc.tm_year = tb.tm_year;
- tc.tm_mon = tb.tm_mon;
- tc.tm_mday = tb.tm_mday +1;
- }
- }
- }
- }
- else{
- tc.tm_year = tb.tm_year + year;
- tc.tm_mon = (tb.tm_mon + ta.tm_mon )/2;
- tc.tm_mday = (tb.tm_mday + ta.tm_mday)/2;
- }
-
- snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", tc.tm_year + 1900, tc.tm_mon + 1,tc.tm_mday );
- LogDebug("## cmp cert with validation time : " << msg);
- fprintf(stderr, "## cmp cert with validation time : %s\n", msg);
-
- time_t outCurrent = mktime(&tc);
-
- fprintf(stderr, "## cmp outCurrent time : %ld\n", outCurrent);
-
- context.validationTime = outCurrent;
- //return WrtSignatureValidator::SIGNATURE_INVALID;
- }
-
-#endif
-
-#if 0
- time_t notAfter = data.getEndEntityCertificatePtr()->getNotAfter();
- time_t notBefore = data.getEndEntityCertificatePtr()->getNotBefore();
-
- struct tm *t;
-
- if (data.isAuthorSignature())
- {
- // time_t 2038 year bug exist. So, notAtter() cann't check...
- /*
- if (notAfter < nowTime)
- {
- context.validationTime = notAfter - TIMET_DAY;
- LogWarning("Author certificate is expired. notAfter...");
- }
- */
-
- if (notBefore > nowTime)
- {
- LogWarning("Author certificate is expired. notBefore time is greater than system-time.");
-
- t = localtime(&nowTime);
- LogDebug("System's current Year : " << (t->tm_year + 1900));
- LogDebug("System's current month : " << (t->tm_mon + 1));
- LogDebug("System's current day : " << (t->tm_mday));
-
- t = localtime(¬Before);
- LogDebug("Author certificate's notBefore Year : " << (t->tm_year + 1900));
- LogDebug("Author certificate's notBefore month : " << (t->tm_mon + 1));
- LogDebug("Author certificate's notBefore day : " << (t->tm_mday));
-
- context.validationTime = notBefore + TIMET_DAY;
-
- t = localtime(&context.validationTime);
- LogDebug("Modified current Year : " << (t->tm_year + 1900));
- LogDebug("Modified current notBefore month : " << (t->tm_mon + 1));
- LogDebug("Modified current notBefore day : " << (t->tm_mday));
- }
- }
-#endif
-
- if (!data.isAuthorSignature())
- {
- if (XmlSec::NO_ERROR != XmlSecSingleton::Instance().validate(&context)) {
- LogWarning("Installation break - invalid package!");
- return WrtSignatureValidator::SIGNATURE_INVALID;
- }
-
- data.setReference(context.referenceSet);
-
- if (!checkObjectReferences(data)) {
- return WrtSignatureValidator::SIGNATURE_INVALID;
- }
-
- ReferenceValidator fileValidator(widgetContentPath);
- if (ReferenceValidator::NO_ERROR != fileValidator.checkReferences(data)) {
- LogWarning("Invalid package - file references broken");
- return WrtSignatureValidator::SIGNATURE_INVALID;
- }
- }
-
- if (disregard) {
- LogWarning("Signature is disregard. RootCA is not a member of Tizen.");
- return WrtSignatureValidator::SIGNATURE_DISREGARD;
- }
- return WrtSignatureValidator::SIGNATURE_VERIFIED;
-}
-
-// Implementation of WrtSignatureValidator
-
-WrtSignatureValidator::WrtSignatureValidator(
- AppType appType,
- bool ocspEnable,
- bool crlEnable,
- bool complianceMode)
- : m_impl(0)
-{
- if (appType == TIZEN)
- m_impl = new ImplTizen(ocspEnable,crlEnable,complianceMode);
- else
- m_impl = new ImplWac(ocspEnable,crlEnable,complianceMode);
-}
-
-WrtSignatureValidator::~WrtSignatureValidator()
-{
- delete m_impl;
-}
-
-WrtSignatureValidator::Result WrtSignatureValidator::check(
- SignatureData &data,
- const std::string &widgetContentPath)
-{
- return m_impl->check(data, widgetContentPath);
-}
-
-} // namespace ValidationCore
-
+++ /dev/null
-/*
- * Copyright (c) 2011 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-/*
- * @file WrtSignatureValidator.h
- * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com)
- * @version 1.0
- * @brief Implementatin of tizen signature validation protocol.
- */
-#ifndef _VALIDATION_CORE_TIZENSIGNATUREVALIDATOR_H_
-#define _VALIDATION_CORE_TIZENSIGNATUREVALIDATOR_H_
-
-#include <string>
-
-#include <vcore/SignatureData.h>
-
-namespace ValidationCore {
-
-class WrtSignatureValidator {
-public:
-
- class Impl;
-
- enum AppType
- {
- TIZEN,
- WAC20
- };
-
- enum Result
- {
- SIGNATURE_VALID,
- SIGNATURE_INVALID,
- SIGNATURE_VERIFIED,
- SIGNATURE_DISREGARD, // no ocsp response or ocsp return unknown status
- SIGNATURE_REVOKED,
- SIGNATURE_INVALID_CERT_CHAIN, //5, from here, new error enum
- SIGNATURE_INVALID_DISTRIBUTOR_CERT,
- SIGNATURE_INVALID_SDK_DEFAULT_AUTHOR_CERT,
- SIGNATURE_IN_DISTRIBUTOR_CASE_AUTHOR_CERT,
- SIGNATURE_INVALID_CERT_TIME,
- SIGNATURE_NO_DEVICE_PROFILE,
- SIGNATURE_INVALID_DEVICE_UNIQUE_ID,
- SIGNATURE_INVALID_NO_HASH_FILE,
- SIGNATURE_INVALID_HASH_SIGNATURE
- };
-
- WrtSignatureValidator() = delete;
- WrtSignatureValidator(const WrtSignatureValidator &) = delete;
- const WrtSignatureValidator &operator=(const WrtSignatureValidator &) = delete;
-
- explicit WrtSignatureValidator(
- AppType appType,
- bool ocspEnable,
- bool crlEnable,
- bool complianceMode);
-
- virtual ~WrtSignatureValidator();
-
- Result check(
- SignatureData &data,
- const std::string &widgetContentPath);
-
-private:
- Impl *m_impl;
-
-};
-
-} // namespace ValidationCore
-
-#endif // _VALIDATION_CORE_TIZENSIGNATUREVALIDATOR_H_
-
m_idListMap.erase(iter);
}
+ inline void removeCertListAll(const CertSvcCertificateList &handler) {
+ auto iter = m_idListMap.find(handler.privateHandler);
+ if (iter == m_idListMap.end())
+ return;
+
+ for (size_t pos = 0; pos < iter->second.size(); ++pos) {
+ auto iterCert = m_certificateMap.find((iter->second)[pos]);
+ if (iterCert == m_certificateMap.end())
+ return;
+
+ m_certificateMap.erase(iterCert);
+ }
+
+ m_idListMap.erase(iter);
+ }
+
inline int isSignedBy(const CertSvcCertificate &child,
const CertSvcCertificate &parent,
int *status)
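Review bot: In `removeCertListAll`, the `return` taken when a listed id is missing from `m_certificateMap` abandons the whole cleanup. The remaining certificates are never erased and the list entry stays in `m_idListMap`, so a single stale id leaks everything after it. Skipping the missing entry keeps the release complete: `if (iterCert == m_certificateMap.end()) continue;`, or, if `m_certificateMap` is a standard map, just `m_certificateMap.erase((iter->second)[pos]);`, which does nothing for an absent key. Because this method erases the certificates themselves, any `CertSvcCertificate` handle a caller took from the list earlier presumably becomes invalid afterwards. A comment saying so here and on the `certsvc_certificate_list_all_free` wrapper added later in the diff would help callers avoid using a released handle.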
int certsvc_instance_new(CertSvcInstance *instance) {
static int init = 1;
if (init) {
- SSL_library_init(); // required by message verification
+ OpenSSL_add_ssl_algorithms();
OpenSSL_add_all_digests();
init = 0;
}
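Review bot: The one-time guard around the OpenSSL setup is a plain `static int init` with no synchronization, so two threads entering `certsvc_instance_new` together can both run the initialization, or one can carry on while the other is still inside it. Since this is C++, `static std::once_flag once; std::call_once(once, [] { OpenSSL_add_ssl_algorithms(); OpenSSL_add_all_digests(); });` (with `<mutex>`) would close that window. As far as I know `OpenSSL_add_ssl_algorithms()` is an alias for `SSL_library_init()` in the OpenSSL headers, so the replacement itself should not change behaviour. The dropped comment `// required by message verification` was the only explanation of why the call is needed and is worth keeping. The function body continues outside the hunk.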
impl(handler.privateInstance)->removeCertList(handler);
}
+void certsvc_certificate_list_all_free(CertSvcCertificateList handler)
+{
+ impl(handler.privateInstance)->removeCertListAll(handler);
+}
+
int certsvc_certificate_is_signed_by(
CertSvcCertificate child,
CertSvcCertificate parent,