ADD_DEFINITIONS("-DDPL_LOGS_ENABLED")
ENDIF (CMAKE_BUILD_TYPE MATCHES "DEBUG")
-IF(DEFINED TIZEN_FEAT_CERTSVC_OCSP_CRL)
-MESSAGE("TIZEN_FEAT_CERT_SVC_OCSP_CRL ENABLED")
-ADD_DEFINITIONS("-DTIZEN_FEATURE_CERT_SVC_OCSP_CRL")
-ENDIF(DEFINED TIZEN_FEAT_CERTSVC_OCSP_CRL)
-
SET(TARGET_CERT_SVC_LIB "cert-svc")
SET(TARGET_VCORE_LIB "cert-svc-vcore")
SET(TARGET_CERT_SERVER "cert-server")
OWNER_EXECUTE
)
-
-IF (DEFINED TIZEN_FEAT_CERTSVC_OCSP_CRL)
-INSTALL(FILES
- ${ETC_DIR}/cert_svc_create_clean_db.sh
- DESTINATION ${TZ_SYS_BIN}
- PERMISSIONS OWNER_READ
- OWNER_WRITE
- OWNER_EXECUTE
- )
-
-INSTALL(FILES
- ${ETC_DIR}/cert_svc_vcore_db.sql
- DESTINATION ${TZ_SYS_SHARE}/cert-svc
- )
-ENDIF (DEFINED TIZEN_FEAT_CERTSVC_OCSP_CRL)
-
-
INSTALL(FILES
${ETC_DIR}/initialize_store_db.sh
${ETC_DIR}/cert_svc_create_clean_store_db.sh
+++ /dev/null
-#!/bin/sh
-# Copyright (c) 2011 Samsung Electronics Co., Ltd All Rights Reserved
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-source /etc/tizen-platform.conf
-
-for name in cert_svc_vcore
-do
- rm -f ${TZ_SYS_DB}/.$name.db
- rm -f ${TZ_SYS_DB}/.$name.db-journal
- SQL="PRAGMA journal_mode = PERSIST;"
- sqlite3 ${TZ_SYS_DB}/.$name.db "$SQL"
- SQL=".read ${TZ_SYS_SHARE}/cert-svc/"$name"_db.sql"
- sqlite3 ${TZ_SYS_DB}/.$name.db "$SQL"
- touch ${TZ_SYS_DB}/.$name.db-journal
-
- chown system:system ${TZ_SYS_DB}/.$name
- chown system:system ${TZ_SYS_DB}/.$name-journal
-
- chmod 664 ${TZ_SYS_DB}/.$name
- chmod 664 ${TZ_SYS_DB}/.$name-journal
-done
-
-echo "cert_svc_create_clean_db.sh done"
+++ /dev/null
-
-
-
-PRAGMA foreign_keys = ON; BEGIN TRANSACTION;
-
-
-
-CREATE TABLE OCSPResponseStorage (
- cert_chain TEXT not null,
- end_entity_check INT ,
- ocsp_status INT ,
- next_update_time BIGINT ,
- PRIMARY KEY(cert_chain, end_entity_check) ,
-
-
-CHECK(1) );
-
-CREATE TABLE CRLResponseStorage (
- distribution_point TEXT primary key not null,
- crl_body TEXT not null,
- next_update_time BIGINT ,
-CHECK(1) );
-
-COMMIT;
-BEGIN TRANSACTION; CREATE TABLE DB_VERSION_6d8092083d41289ab1c349aeaad617bc (version INT); COMMIT;
-
-
int _verify_signature(cert_svc_mem_buff* certBuf, unsigned char* message, int msgLen, unsigned char* signature, char* algo, int* validity);
int _extract_certificate_data(cert_svc_mem_buff* cert, cert_svc_cert_descriptor* certDesc);
int _search_certificate(cert_svc_filename_list** fileNames, search_field fldName, char* fldData);
-#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
-int _check_ocsp_status(cert_svc_mem_buff* cert, cert_svc_linked_list** certList, const char* uri);
-#endif
int release_certificate_buf(cert_svc_mem_buff* certBuf);
int release_certificate_data(cert_svc_cert_descriptor* certDesc);
#define CERT_SVC_ERR_INVALID_PARAMETER -15
#define CERT_SVC_ERR_PERMISSION_DENIED -16
#define CERT_SVC_ERR_IS_EXPIRED -17
-#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
-#define CERT_SVC_ERR_OCSP_REVOKED -18
-#define CERT_SVC_ERR_OCSP_UNKNOWN -19
-#define CERT_SVC_ERR_OCSP_VERIFICATION_ERROR -20
-#define CERT_SVC_ERR_OCSP_NO_SUPPORT -21
-#define CERT_SVC_ERR_OCSP_NETWORK_FAILED -22
-#define CERT_SVC_ERR_OCSP_INTERNAL -23
-#define CERT_SVC_ERR_OCSP_REMOTE -24
-#endif
#define CERT_SVC_ERR_INVALID_NO_DEVICE_PROFILE -25
#define CERT_SVC_ERR_INVALID_DEVICE_UNIQUE_ID -26
int cert_svc_get_visibility(CERT_CONTEXT* ctx, int* visibility);
int cert_svc_get_visibility_by_root_certificate(const char* cert_data, int data_len, int* visibility);
-
-#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
-int cert_svc_check_ocsp_status(CERT_CONTEXT* ctx, const char* uri);
-#endif
char* cert_svc_get_certificate_crt_file_path(void);
-
int cert_svc_util_parse_name_fld_data(unsigned char* str, cert_svc_name_fld_data* fld);
#ifdef __cplusplus
-%define certsvc_feature_ocsp_crl 0
-%define certsvc_test_build 0
+%define certsvc_test_build 0
Name: cert-svc
Summary: Certification service
BuildRequires: pkgconfig(libtzplatform-config)
BuildRequires: pkgconfig(libsystemd-journal)
BuildRequires: boost-devel
-%if 0%{?certsvc_feature_ocsp_crl}
-BuildRequires: pkgconfig(vconf)
-BuildRequires: pkgconfig(sqlite3)
-%endif
Requires: pkgconfig(libtzplatform-config)
Requires: ca-certificates-tizen
Requires: ca-certificates-mozilla
-DTZ_SYS_ETC=%TZ_SYS_ETC \
-DTZ_SYS_RO_WRT_ENGINE=%TZ_SYS_RO_WRT_ENGINE \
-DTZ_SYS_DB=%TZ_SYS_DB \
-%if 0%{?certsvc_feature_ocsp_crl}
- -DTIZEN_FEAT_CERTSVC_OCSP_CRL=1 \
-%endif
%if 0%{?certsvc_test_build}
-DCERTSVC_TEST_BUILD=1 \
-DTZ_SYS_RO_APP=%TZ_SYS_RO_APP \
%{TZ_SYS_BIN}/make-ca-certificate.sh
rm %{TZ_SYS_BIN}/make-ca-certificate.sh
-echo "create .cert_svc_vcore.db"
-%if 0%{?certsvc_feature_ocsp_crl}
-if [ -z ${2} ]; then
- echo "This is new install of cert-svc"
- %{TZ_SYS_BIN}/cert_svc_create_clean_db.sh
-else
- echo "Find out old and new version of databases"
- VCORE_OLD_DB_VERSION=`sqlite3 %{TZ_SYS_DB}/.cert_svc_vcore.db ".tables" | grep "DB_VERSION_"`
- VCORE_NEW_DB_VERSION=`cat %{TZ_SYS_SHARE}/cert-svc/cert_svc_vcore_db.sql | tr '[:blank:]' '\n' | grep DB_VERSION_`
- echo "OLD vcore database version ${VCORE_OLD_DB_VERSION}"
- echo "NEW vcore database version ${VCORE_NEW_DB_VERSION}"
-
- if [ ${VCORE_OLD_DB_VERSION} -a ${VCORE_NEW_DB_VERSION} ]; then
- if [ ${VCORE_OLD_DB_VERSION} = ${VCORE_NEW_DB_VERSION} ]; then
- echo "Equal database detected so db installation ignored"
- else
- echo "Calling /usr/bin/cert_svc_create_clean_db.sh"
- %{TZ_SYS_BIN}/cert_svc_create_clean_db.sh
- fi
- else
- echo "Calling /usr/bin/cert_svc_create_clean_db.sh"
- %{TZ_SYS_BIN}/cert_svc_create_clean_db.sh
- fi
-fi
-rm %{TZ_SYS_SHARE}/cert-svc/cert_svc_vcore_db.sql
-rm %{TZ_SYS_BIN}/cert_svc_create_clean_db.sh
-%endif
-
echo "create certs-meta.db"
rm -rf %{TZ_SYS_SHARE}/cert-svc/dbspace/certs-meta.db
%{TZ_SYS_BIN}/cert_svc_create_clean_store_db.sh %{TZ_SYS_SHARE}/cert-svc/cert_svc_store_db.sql
%attr(755,root,root) %{TZ_SYS_BIN}/make-ca-certificate.sh
%attr(755,root,root) %{TZ_SYS_BIN}/initialize_store_db.sh
-%if 0%{?certsvc_feature_ocsp_crl}
-%attr(644,root,root) %{TZ_SYS_SHARE}/cert-svc/cert_svc_vcore_db.sql
-%attr(755,root,root) %{TZ_SYS_BIN}/cert_svc_create_clean_db.sh
-%endif
-
# Resource files install as system
%{TZ_SYS_SHARE}/cert-svc/certs/user
%{TZ_SYS_SHARE}/cert-svc/certs/trusteduser
%{TZ_SYS_SHARE}/cert-svc/cert-type/*
%{TZ_SYS_SHARE}/cert-svc/tests/orig_c/data/caflag/*
%{TZ_SYS_SHARE}/cert-svc/certs/root_ca*.der
-%{TZ_SYS_SHARE}/cert-svc/certs/second_ca*.der
%{TZ_SYS_SHARE}/cert-svc/tests/*
%endif
return ret;
}
-#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
-int __ocsp_verify(X509 *cert, X509 *issuer, STACK_OF(X509) *systemCerts, char *url, int *ocspStatus) {
- OCSP_REQUEST *req = NULL;
- OCSP_RESPONSE *resp = NULL;
- OCSP_BASICRESP *bs = NULL;
- OCSP_CERTID *certid = NULL;
- BIO *cbio = NULL;
- SSL_CTX *use_ssl_ctx = NULL;
- char *host = NULL, *port = NULL, *path = NULL;
- ASN1_GENERALIZEDTIME *rev = NULL;
- ASN1_GENERALIZEDTIME *thisupd = NULL;
- ASN1_GENERALIZEDTIME *nextupd = NULL;
- int use_ssl = 0;
- X509_OBJECT obj;
- int i,tmpIdx;
- long nsec = (5 * 60), maxage = -1; /* Maximum leeway in validity period: default 5 minutes */
- int ret = 0;
- char subj_buf[256];
- int reason;
- X509_STORE *trustedStore=NULL;
-
- ERR_load_crypto_strings();
- OpenSSL_add_all_algorithms();
-
- if (!OCSP_parse_url(url, &host, &port, &path, &use_ssl)) {
- /* report error */
- return CERT_SVC_ERR_OCSP_NO_SUPPORT;
- }
-
- cbio = BIO_new_connect(host);
- if (!cbio) {
- /*BIO_printf(bio_err, "Error creating connect BIO\n");*/
- /* report error */
- return CERT_SVC_ERR_OCSP_NO_SUPPORT;
- }
-
- if (port) {
- BIO_set_conn_port(cbio, port);
- }
-
- if (use_ssl == 1) {
- BIO *sbio;
- use_ssl_ctx = SSL_CTX_new(SSLv23_client_method());
- if (!use_ssl_ctx) {
- /* report error */
- return CERT_SVC_ERR_OCSP_INTERNAL;
- }
-
- SSL_CTX_set_mode(use_ssl_ctx, SSL_MODE_AUTO_RETRY);
- sbio = BIO_new_ssl(use_ssl_ctx, 1);
- if (!sbio) {
- /* report error */
- return CERT_SVC_ERR_OCSP_INTERNAL;
- }
-
- cbio = BIO_push(sbio, cbio);
- if (!cbio) {
- /* report error */
- return CERT_SVC_ERR_OCSP_INTERNAL;
- }
- }
-
- if (BIO_do_connect(cbio) <= 0) {
- /*BIO_printf(bio_err, "Error connecting BIO\n");*/
- /* report error */
- /* free stuff */
- if (host)
- OPENSSL_free(host);
- if (port)
- OPENSSL_free(port);
- if (path)
- OPENSSL_free(path);
- host = port = path = NULL;
- if (use_ssl && use_ssl_ctx)
- SSL_CTX_free(use_ssl_ctx);
- use_ssl_ctx = NULL;
- if (cbio)
- BIO_free_all(cbio);
- cbio = NULL;
- return CERT_SVC_ERR_OCSP_NETWORK_FAILED;
- }
-
- req = OCSP_REQUEST_new();
- if(!req) {
- return CERT_SVC_ERR_OCSP_INTERNAL;
- }
- certid = OCSP_cert_to_id(NULL, cert, issuer);
- if(certid == NULL) {
- return CERT_SVC_ERR_OCSP_INTERNAL;
- }
-
- if(!OCSP_request_add0_id(req, certid)) {
- return CERT_SVC_ERR_OCSP_INTERNAL;
- }
-
- resp = OCSP_sendreq_bio(cbio, path, req);
-
- /* free some stuff we no longer need */
- if (host)
- OPENSSL_free(host);
- if (port)
- OPENSSL_free(port);
- if (path)
- OPENSSL_free(path);
- host = port = path = NULL;
- if (use_ssl && use_ssl_ctx)
- SSL_CTX_free(use_ssl_ctx);
- use_ssl_ctx = NULL;
- if (cbio)
- BIO_free_all(cbio);
- cbio = NULL;
-
- if (!resp) {
- /*BIO_printf(bio_err, "Error querying OCSP responsder\n");*/
- /* report error */
- /* free stuff */
- OCSP_REQUEST_free(req);
- return CERT_SVC_ERR_OCSP_NETWORK_FAILED;
- }
-
- i = OCSP_response_status(resp);
-
- if (i != 0) { // OCSP_RESPONSE_STATUS_SUCCESSFUL
- /*BIO_printf(out, "Responder Error: %s (%ld)\n",
- OCSP_response_status_str(i), i); */
- /* report error */
- /* free stuff */
- OCSP_REQUEST_free(req);
- OCSP_RESPONSE_free(resp);
- return CERT_SVC_ERR_OCSP_REMOTE;
- }
-
- bs = OCSP_response_get1_basic(resp);
- if (!bs) {
- /* BIO_printf(bio_err, "Error parsing response\n");*/
- /* report error */
- /* free stuff */
- OCSP_REQUEST_free(req);
- OCSP_RESPONSE_free(resp);
- return CERT_SVC_ERR_OCSP_REMOTE;
- }
-
- if(systemCerts != NULL) {
- trustedStore = X509_STORE_new();
- for(tmpIdx=0; tmpIdx<sk_X509_num(systemCerts); tmpIdx++) {
- X509_STORE_add_cert(trustedStore, sk_X509_value(systemCerts, tmpIdx));
- }
- X509_STORE_add_cert(trustedStore, issuer);
- }
-
- int response = OCSP_basic_verify(bs, NULL, trustedStore, 0);
- if (response <= 0) {
- OCSP_REQUEST_free(req);
- OCSP_RESPONSE_free(resp);
- OCSP_BASICRESP_free(bs);
- X509_STORE_free(trustedStore);
-
-// int err = ERR_get_error();
-// char errStr[100];
-// ERR_error_string(err,errStr);
- return CERT_SVC_ERR_OCSP_VERIFICATION_ERROR;
- }
-
- if ((i = OCSP_check_nonce(req, bs)) <= 0) {
- if (i == -1) {
- /*BIO_printf(bio_err, "WARNING: no nonce in response\n");*/
- } else {
- /*BIO_printf(bio_err, "Nonce Verify error\n");*/
- /* report error */
- /* free stuff */
- OCSP_REQUEST_free(req);
- OCSP_RESPONSE_free(resp);
- OCSP_BASICRESP_free(bs);
- X509_STORE_free(trustedStore);
- return CERT_SVC_ERR_OCSP_REMOTE;
- }
- }
-
- ret = CERT_SVC_ERR_NO_ERROR;
-
- (void)X509_NAME_oneline(X509_get_subject_name(cert), subj_buf, 255);
- if(!OCSP_resp_find_status(bs, certid, ocspStatus, &reason,
- &rev, &thisupd, &nextupd)) {
- /* report error */
-
- /* free stuff */
- OCSP_RESPONSE_free(resp);
- OCSP_REQUEST_free(req);
- OCSP_BASICRESP_free(bs);
- X509_STORE_free(trustedStore);
-
- return CERT_SVC_ERR_OCSP_REMOTE;
- }
-
- /* Check validity: if invalid write to output BIO so we
- * know which response this refers to.
- */
- if (!OCSP_check_validity(thisupd, nextupd, nsec, maxage)) {
- /* ERR_print_errors(out); */
- /* report error */
-
- /* free stuff */
- OCSP_REQUEST_free(req);
- OCSP_RESPONSE_free(resp);
- OCSP_BASICRESP_free(bs);
- X509_STORE_free(trustedStore);
-
- return CERT_SVC_ERR_OCSP_VERIFICATION_ERROR;
- }
-
- if (req) {
- OCSP_REQUEST_free(req);
- req = NULL;
- }
-
- if (resp) {
- OCSP_RESPONSE_free(resp);
- resp = NULL;
- }
-
- if (bs) {
- OCSP_BASICRESP_free(bs);
- bs = NULL;
- }
-
- if(trustedStore) {
- X509_STORE_free(trustedStore);
- trustedStore = NULL;
- }
-
- if (reason != -1) {
- char *reason_str = NULL;
- reason_str = OCSP_crl_reason_str(reason);
- }
-
-
- return ret;
-}
-
-int _check_ocsp_status(cert_svc_mem_buff* certBuf, cert_svc_linked_list** certList, const char* uri)
-{
- int ret = CERT_SVC_ERR_NO_ERROR;
- int ocspStatus;
- cert_svc_linked_list* sorted = NULL;
- cert_svc_linked_list* p = NULL;
- cert_svc_linked_list* q = NULL;
- cert_svc_cert_descriptor* findRoot = NULL;
- cert_svc_filename_list* fileNames = NULL;
- cert_svc_mem_buff* CACert = NULL;
- // variables for verification
- int certNum = 0;
- cert_svc_mem_buff* childCert;
- cert_svc_mem_buff* parentCert;
-
- findRoot = (cert_svc_cert_descriptor*)malloc(sizeof(cert_svc_cert_descriptor));
- if(findRoot == NULL) {
- SLOGE("[ERR][%s] Failed to allocate memory for certificate descriptor.", __func__);
- ret = CERT_SVC_ERR_MEMORY_ALLOCATION;
- goto err;
- }
-
- memset(findRoot, 0x00, sizeof(cert_svc_cert_descriptor));
- if(certList != NULL && (*certList) != NULL) {
- /* remove self-signed certificate in certList */
- if((ret = _remove_selfsigned_cert_in_chain(certList)) != CERT_SVC_ERR_NO_ERROR) {
- SLOGE("[ERR][%s] Fail to remove self-signed certificate in chain.", __func__);
- goto err;
- }
- /* sort certList */
- if((ret = sort_cert_chain(certList, &sorted)) != CERT_SVC_ERR_NO_ERROR) {
- SLOGE("[ERR][%s] Fail to sort certificate chain.", __func__);
- goto err;
- }
-
- /* find root cert from store, the SUBJECT field of root cert is same with ISSUER field of certList[0] */
- p = sorted;
- while(p->next != NULL) {
- certNum++;
- p = p->next;
- }
- certNum++;
- ret = _extract_certificate_data(p->certificate, findRoot);
- }
- else {
- ret = _extract_certificate_data(certBuf, findRoot);
- }
-
- if(ret != CERT_SVC_ERR_NO_ERROR) {
- SLOGE("[ERR][%s] Fail to extract certificate data", __func__);
- goto err;
- }
- if((ret = _search_certificate(&fileNames, SUBJECT_STR, findRoot->info.issuerStr)) != CERT_SVC_ERR_NO_ERROR) {
- ret = CERT_SVC_ERR_NO_ROOT_CERT;
- SLOGE("[ERR][%s] Fail to search root certificate", __func__);
- goto err;
- }
- if(fileNames->filename == NULL) {
- SLOGE("[ERR][%s] There is no CA certificate.", __func__);
- ret = CERT_SVC_ERR_NO_ROOT_CERT;
- goto err;
- }
-
- CACert = (cert_svc_mem_buff*)malloc(sizeof(cert_svc_mem_buff));
- if(CACert == NULL) {
- SLOGE("[ERR][%s] Failed to allocate memory for ca cert.", __func__);
- ret = CERT_SVC_ERR_MEMORY_ALLOCATION;
- goto err;
- }
- memset(CACert, 0x00, sizeof(cert_svc_mem_buff));
- // use the first found CA cert - ignore other certificate(s). assume that there is JUST one CA cert
- if((ret = cert_svc_util_load_file_to_buffer(fileNames->filename, CACert)) != CERT_SVC_ERR_NO_ERROR) {
- SLOGE("[ERR][%s] Fail to load CA cert to buffer.", __func__);
- goto err;
- }
- // =============================
- q = sorted; // first item is the certificate that user want to verify
-
- childCert = certBuf;
- // To check oscp for all certificate chain except root
- if(q != NULL) { // has 2 or more certificates
- for( ; q != NULL; q = q->next) {
- parentCert = q->certificate;
- // OCSP Check
- if(CERT_SVC_ERR_NO_ERROR != (ret = _verify_ocsp(childCert, parentCert, uri, &ocspStatus))) {
- SLOGE("[ERR][%s] Error Occurred during OCSP Checking.", __func__);
- goto err;
- }
- if(ocspStatus != 0) { // CERT_SVC_OCSP_GOOD
- SLOGE("[ERR][%s] Invalid Certificate OCSP Status. ocspStatus=%d.", __func__, ocspStatus);
-
- switch(ocspStatus) {
- case 0 : //OCSP_GOOD
- ret = CERT_SVC_ERR_NO_ERROR;
- break;
- case 1 : //OCSP_REVOCKED
- ret = CERT_SVC_ERR_OCSP_REVOKED;
- break;
- case 2 : //OCSP_UNKNOWN
- ret = CERT_SVC_ERR_OCSP_UNKNOWN;
- break;
- default :
- ret = CERT_SVC_ERR_OCSP_REMOTE;
- break;
- }
- goto err;
- }
-
- // move to next
- childCert = parentCert;
- }
- }
-
- // Final OCSP Check
- parentCert = CACert;
- if(CERT_SVC_ERR_NO_ERROR != (ret = _verify_ocsp(childCert, parentCert, uri, &ocspStatus))) {
- SLOGE("[ERR][%s] Error Occurred during OCSP Checking.", __func__);
- goto err;
- }
- switch(ocspStatus) {
- case 0 : //OCSP_GOOD
- ret = CERT_SVC_ERR_NO_ERROR;
- break;
- case 1 : //OCSP_REVOCKED
- ret = CERT_SVC_ERR_OCSP_REVOKED;
- break;
- case 2 : //OCSP_UNKNOWN
- ret = CERT_SVC_ERR_OCSP_UNKNOWN;
- break;
- default :
- ret = CERT_SVC_ERR_OCSP_REMOTE;
- break;
- }
- if(ret != CERT_SVC_ERR_NO_ERROR) {
- SLOGE("[ERR][%s] Invalid Certificate OCSP Status. ocspStatus=%d.", __func__, ocspStatus);
- goto err;
- }
- // =============================
-err:
- release_certificate_buf(CACert);
- release_filename_list(fileNames);
- release_certificate_data(findRoot);
- release_cert_list(sorted);
- return ret;
-}
-
-int _verify_ocsp(cert_svc_mem_buff* child, cert_svc_mem_buff* parent, const char* uri, int* ocspStatus)
-{
- int ret = CERT_SVC_ERR_NO_ERROR;
-
- X509 *childCert = NULL;
- X509 *parentCert= NULL;
- char *childData=NULL;
- char *parentData=NULL;
- char *certAiaUrl= NULL;
- char *targetUrl= NULL;
- STACK_OF(OPENSSL_STRING) *aia = NULL;
- STACK_OF(X509) *systemCerts=NULL;
- int i;
- childData = malloc(child->size + 1);
- memset(childData, 0x00, (child->size + 1));
- memcpy(childData, (child->data), child->size);
- parentData = malloc(parent->size + 1);
- memset(parentData, 0x00, (parent->size + 1));
- memcpy(parentData, (parent->data), parent->size);
- d2i_X509(&childCert, &childData, child->size);
- d2i_X509(&parentCert, &parentData, parent->size);
- // check parameter
- // - 1. if AIA field of cert is exist, use that
- // - 2. if AIA field of cert is not exist, use uri
- // - 3. if AIA field of cert is not exist and uri is NULL, fail to check ocsp
- aia = X509_get1_ocsp(childCert);
- if (aia) {
- certAiaUrl = sk_OPENSSL_STRING_value(aia, 0);
- }
- if(uri != NULL) {
- targetUrl = uri;
- }else {
- targetUrl = certAiaUrl;
- }
- if(targetUrl == NULL) {
- SLOGE("[ERR][%s] No URI for OCSP.", __func__);
- ret = CERT_SVC_ERR_OCSP_NO_SUPPORT;
- goto err;
- }
-
- // Load Trusted Store
- systemCerts = sk_X509_new_null();
- ret = __loadSystemCerts(systemCerts) ;
- if(ret != CERT_SVC_ERR_NO_ERROR) {
- SLOGE("[ERR][%s] Fail to extract certificate data", __func__);
- goto err;
- }
-
- // Do OCSP Check
- ret = __ocsp_verify(childCert, parentCert, systemCerts, targetUrl, ocspStatus);
- SLOGD("[%s] OCSP Response. ocspstaus=%d, ret=%d.", __func__, *ocspStatus, ret);
-
-err:
- if(childData != NULL && *childData != NULL)
- free(childData);
- if(parentData != NULL && *parentData != NULL)
- free(parentData);
- if(childCert != NULL)
- X509_free(childCert);
- if(parentCert != NULL)
- X509_free(parentCert);
- if(aia != NULL)
- X509_email_free(aia);
- if(systemCerts != NULL) {
- for(i=0; i<sk_X509_num(systemCerts); i++)
- X509_free(sk_X509_value(systemCerts,i));
- sk_X509_free(systemCerts);
- }
- return ret;
-}
-#endif
-
int release_certificate_buf(cert_svc_mem_buff* certBuf)
{
int ret = CERT_SVC_ERR_NO_ERROR;
return CERT_SVC_ERR_NO_ERROR;
}
-#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
-CERT_SVC_API
-int cert_svc_check_ocsp_status(CERT_CONTEXT* ctx, const char* uri)
-{
- int ret = CERT_SVC_ERR_NO_ERROR;
- cert_svc_linked_list** certList=NULL;
-
- if (!ctx || !ctx->certBuf) {
- SLOGE("[ERR][%s] certBuf must have value.", __func__);
- return CERT_SVC_ERR_INVALID_PARAMETER;
- }
-
- if (ctx->certLink) {
- certList = &(ctx->certLink);
-
- if ((ret = _check_ocsp_status(ctx->certBuf, certList, uri)) != CERT_SVC_ERR_NO_ERROR) {
- SLOGE("[ERR][%s] Fail to check revocation status.", __func__);
- return ret;
- }
-
- return CERT_SVC_ERR_NO_ERROR;
-}
-#endif
-
CERT_SVC_API
char* cert_svc_get_certificate_crt_file_path(void)
{
#include <cert-svc/cinstance.h>
#include <cert-svc/ccert.h>
-#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
-#include <cert-svc/ccrl.h>
-#include <cert-svc/cocsp.h>
-#endif
#include <cert-svc/cpkcs12.h>
#include <cert-svc/cprimitives.h>
#include <api_tests.h>
-#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
-#include "crl_cache.h"
-#include <vcore/VCore.h>
-#endif
-
RUNNER_TEST_GROUP_INIT(CAPI)
/*
RUNNER_ASSERT_MSG(after == 1399939199, "TODO");
}
-#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
-/*
- * author: ---
- * test: Testing internal certificate extency.
- * description: Getting Certificate Revocation List (CRL)
- * expect: It should be possible to get CRL from certificate.
- */
-RUNNER_TEST(test05_get_clr_dist_points)
-{
- std::string google2nd =
- "MIIDIzCCAoygAwIBAgIEMAAAAjANBgkqhkiG9w0BAQUFADBfMQswCQYDVQQGEwJV"
- "UzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsTLkNsYXNzIDMgUHVi"
- "bGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDQwNTEzMDAw"
- "MDAwWhcNMTQwNTEyMjM1OTU5WjBMMQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhh"
- "d3RlIENvbnN1bHRpbmcgKFB0eSkgTHRkLjEWMBQGA1UEAxMNVGhhd3RlIFNHQyBD"
- "QTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1NNn0I0Vf67NMf59HZGhPwtx"
- "PKzMyGT7Y/wySweUvW+Aui/hBJPAM/wJMyPpC3QrccQDxtLN4i/1CWPN/0ilAL/g"
- "5/OIty0y3pg25gqtAHvEZEo7hHUD8nCSfQ5i9SGraTaEMXWQ+L/HbIgbBpV8yeWo"
- "3nWhLHpo39XKHIdYYBkCAwEAAaOB/jCB+zASBgNVHRMBAf8ECDAGAQH/AgEAMAsG"
- "A1UdDwQEAwIBBjARBglghkgBhvhCAQEEBAMCAQYwKAYDVR0RBCEwH6QdMBsxGTAX"
- "BgNVBAMTEFByaXZhdGVMYWJlbDMtMTUwMQYDVR0fBCowKDAmoCSgIoYgaHR0cDov"
- "L2NybC52ZXJpc2lnbi5jb20vcGNhMy5jcmwwMgYIKwYBBQUHAQEEJjAkMCIGCCsG"
- "AQUFBzABhhZodHRwOi8vb2NzcC50aGF3dGUuY29tMDQGA1UdJQQtMCsGCCsGAQUF"
- "BwMBBggrBgEFBQcDAgYJYIZIAYb4QgQBBgpghkgBhvhFAQgBMA0GCSqGSIb3DQEB"
- "BQUAA4GBAFWsY+reod3SkF+fC852vhNRj5PZBSvIG3dLrWlQoe7e3P3bB+noOZTc"
- "q3J5Lwa/q4FwxKjt6lM07e8eU9kGx1Yr0Vz00YqOtCuxN5BICEIlxT6Ky3/rbwTR"
- "bcV0oveifHtgPHfNDs5IAn8BL7abN+AqKjbc1YXWrOU/VG+WHgWv";
-
- CertSvcCertificate cert;
-
- int result = certsvc_certificate_new_from_memory(
- vinstance,
- (const unsigned char*)google2nd.c_str(),
- google2nd.size(),
- CERTSVC_FORM_DER_BASE64,
- &cert);
-
- RUNNER_ASSERT_MSG(CERTSVC_SUCCESS == result, "Error in reading certificate");
-
- CertSvcStringList stringList;
-
- result = certsvc_certificate_get_crl_distribution_points(cert, &stringList);
-
- RUNNER_ASSERT_MSG(CERTSVC_SUCCESS == result, "Error in reading distribution points");
-
- int size;
-
- result = certsvc_string_list_get_length(stringList, &size);
-
- RUNNER_ASSERT_MSG(CERTSVC_SUCCESS == result, "Error in string list");
-
-// RUNNER_ASSERT_MSG(1 == size, "Distribution point list is too small");
-
- CertSvcString vstring;
-
- result = certsvc_string_list_get_one(stringList, 0, &vstring);
-
- RUNNER_ASSERT_MSG(CERTSVC_SUCCESS == result, "Error in extracting result from list");
-
- int len;
- const char *ptr;
-
- certsvc_string_to_cstring(vstring, &ptr, &len);
-
- RUNNER_ASSERT_MSG(0 == strncmp(ptr,"http://crl.verisign.com/pca3.crl", len), "Check distribution points failed!");
-}
-#endif
-
/*
* author: ---
* test: Import fields from certificate.
RUNNER_ASSERT_MSG(status == CERTSVC_INVALID_SIGNATURE, "Error in verify message.");
}
-#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
-/*
- * author: ---
- * test: OCSP test.
- * description: Testing OCSP for certificate list.
- * expect: OCSP should return success.
- */
-RUNNER_TEST(test11_ocsp)
-{
- ValidationCore::VCoreInit();
-
- std::string certEE =
- "MIIE+zCCBGSgAwIBAgICAQ0wDQYJKoZIhvcNAQEFBQAwgbsxJDAiBgNVBAcTG1Zh"
- "bGlDZXJ0IFZhbGlkYXRpb24gTmV0d29yazEXMBUGA1UEChMOVmFsaUNlcnQsIElu"
- "Yy4xNTAzBgNVBAsTLFZhbGlDZXJ0IENsYXNzIDIgUG9saWN5IFZhbGlkYXRpb24g"
- "QXV0aG9yaXR5MSEwHwYDVQQDExhodHRwOi8vd3d3LnZhbGljZXJ0LmNvbS8xIDAe"
- "BgkqhkiG9w0BCQEWEWluZm9AdmFsaWNlcnQuY29tMB4XDTA0MDYyOTE3MDYyMFoX"
- "DTI0MDYyOTE3MDYyMFowYzELMAkGA1UEBhMCVVMxITAfBgNVBAoTGFRoZSBHbyBE"
- "YWRkeSBHcm91cCwgSW5jLjExMC8GA1UECxMoR28gRGFkZHkgQ2xhc3MgMiBDZXJ0"
- "aWZpY2F0aW9uIEF1dGhvcml0eTCCASAwDQYJKoZIhvcNAQEBBQADggENADCCAQgC"
- "ggEBAN6d1+pXGEmhW+vXX0iG6r7d/+TvZxz0ZWizV3GgXne77ZtJ6XCAPVYYYwhv"
- "2vLM0D9/AlQiVBDYsoHUwHU9S3/Hd8M+eKsaA7Ugay9qK7HFiH7Eux6wwdhFJ2+q"
- "N1j3hybX2C32qRe3H3I2TqYXP2WYktsqbl2i/ojgC95/5Y0V4evLOtXiEqITLdiO"
- "r18SPaAIBQi2XKVlOARFmR6jYGB0xUGlcmIbYsUfb18aQr4CUWWoriMYavx4A6lN"
- "f4DD+qta/KFApMoZFv6yyO9ecw3ud72a9nmYvLEHZ6IVDd2gWMZEewo+YihfukEH"
- "U1jPEX44dMX4/7VpkI+EdOqXG68CAQOjggHhMIIB3TAdBgNVHQ4EFgQU0sSw0pHU"
- "TBFxs2HLPaH+3ahq1OMwgdIGA1UdIwSByjCBx6GBwaSBvjCBuzEkMCIGA1UEBxMb"
- "VmFsaUNlcnQgVmFsaWRhdGlvbiBOZXR3b3JrMRcwFQYDVQQKEw5WYWxpQ2VydCwg"
- "SW5jLjE1MDMGA1UECxMsVmFsaUNlcnQgQ2xhc3MgMiBQb2xpY3kgVmFsaWRhdGlv"
- "biBBdXRob3JpdHkxITAfBgNVBAMTGGh0dHA6Ly93d3cudmFsaWNlcnQuY29tLzEg"
- "MB4GCSqGSIb3DQEJARYRaW5mb0B2YWxpY2VydC5jb22CAQEwDwYDVR0TAQH/BAUw"
- "AwEB/zAzBggrBgEFBQcBAQQnMCUwIwYIKwYBBQUHMAGGF2h0dHA6Ly9vY3NwLmdv"
- "ZGFkZHkuY29tMEQGA1UdHwQ9MDswOaA3oDWGM2h0dHA6Ly9jZXJ0aWZpY2F0ZXMu"
- "Z29kYWRkeS5jb20vcmVwb3NpdG9yeS9yb290LmNybDBLBgNVHSAERDBCMEAGBFUd"
- "IAAwODA2BggrBgEFBQcCARYqaHR0cDovL2NlcnRpZmljYXRlcy5nb2RhZGR5LmNv"
- "bS9yZXBvc2l0b3J5MA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQUFAAOBgQC1"
- "QPmnHfbq/qQaQlpE9xXUhUaJwL6e4+PrxeNYiY+Sn1eocSxI0YGyeR+sBjUZsE4O"
- "WBsUs5iB0QQeyAfJg594RAoYC5jcdnplDQ1tgMQLARzLrUc+cb53S8wGd9D0Vmsf"
- "SxOaFIqII6hR8INMqzW/Rn453HWkrugp++85j09VZw==";
-
-
- std::string certCA =
- "MIIE3jCCA8agAwIBAgICAwEwDQYJKoZIhvcNAQEFBQAwYzELMAkGA1UEBhMCVVMx"
- "ITAfBgNVBAoTGFRoZSBHbyBEYWRkeSBHcm91cCwgSW5jLjExMC8GA1UECxMoR28g"
- "RGFkZHkgQ2xhc3MgMiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wNjExMTYw"
- "MTU0MzdaFw0yNjExMTYwMTU0MzdaMIHKMQswCQYDVQQGEwJVUzEQMA4GA1UECBMH"
- "QXJpem9uYTETMBEGA1UEBxMKU2NvdHRzZGFsZTEaMBgGA1UEChMRR29EYWRkeS5j"
- "b20sIEluYy4xMzAxBgNVBAsTKmh0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5j"
- "b20vcmVwb3NpdG9yeTEwMC4GA1UEAxMnR28gRGFkZHkgU2VjdXJlIENlcnRpZmlj"
- "YXRpb24gQXV0aG9yaXR5MREwDwYDVQQFEwgwNzk2OTI4NzCCASIwDQYJKoZIhvcN"
- "AQEBBQADggEPADCCAQoCggEBAMQt1RWMnCZM7DI161+4WQFapmGBWTtwY6vj3D3H"
- "KrjJM9N55DrtPDAjhI6zMBS2sofDPZVUBJ7fmd0LJR4h3mUpfjWoqVTr9vcyOdQm"
- "VZWt7/v+WIbXnvQAjYwqDL1CBM6nPwT27oDyqu9SoWlm2r4arV3aLGbqGmu75RpR"
- "SgAvSMeYddi5Kcju+GZtCpyz8/x4fKL4o/K1w/O5epHBp+YlLpyo7RJlbmr2EkRT"
- "cDCVw5wrWCs9CHRK8r5RsL+H0EwnWGu1NcWdrxcx+AuP7q2BNgWJCJjPOq8lh8BJ"
- "6qf9Z/dFjpfMFDniNoW1fho3/Rb2cRGadDAW/hOUoz+EDU8CAwEAAaOCATIwggEu"
- "MB0GA1UdDgQWBBT9rGEyk2xF1uLuhV+auud2mWjM5zAfBgNVHSMEGDAWgBTSxLDS"
- "kdRMEXGzYcs9of7dqGrU4zASBgNVHRMBAf8ECDAGAQH/AgEAMDMGCCsGAQUFBwEB"
- "BCcwJTAjBggrBgEFBQcwAYYXaHR0cDovL29jc3AuZ29kYWRkeS5jb20wRgYDVR0f"
- "BD8wPTA7oDmgN4Y1aHR0cDovL2NlcnRpZmljYXRlcy5nb2RhZGR5LmNvbS9yZXBv"
- "c2l0b3J5L2dkcm9vdC5jcmwwSwYDVR0gBEQwQjBABgRVHSAAMDgwNgYIKwYBBQUH"
- "AgEWKmh0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5jb20vcmVwb3NpdG9yeTAO"
- "BgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQEFBQADggEBANKGwOy9+aG2Z+5mC6IG"
- "OgRQjhVyrEp0lVPLN8tESe8HkGsz2ZbwlFalEzAFPIUyIXvJxwqoJKSQ3kbTJSMU"
- "A2fCENZvD117esyfxVgqwcSeIaha86ykRvOe5GPLL5CkKSkB2XIsKd83ASe8T+5o"
- "0yGPwLPk9Qnt0hCqU7S+8MxZC9Y7lhyVJEnfzuz9p0iRFEUOOjZv2kWzRaJBydTX"
- "RE4+uXR21aITVSzGh6O1mawGhId/dQb8vxRMDsxuxN89txJx9OjxUUAiKEngHUuH"
- "qDTMBqLdElrRhjZkAzVvb3du6/KFUJheqwNTrZEjYx8WnM25sgVjOuH0aBsXBTWV"
- "U+4=";
-
- std::string certRCA =
- "MIIC5zCCAlACAQEwDQYJKoZIhvcNAQEFBQAwgbsxJDAiBgNVBAcTG1ZhbGlDZXJ0"
- "IFZhbGlkYXRpb24gTmV0d29yazEXMBUGA1UEChMOVmFsaUNlcnQsIEluYy4xNTAz"
- "BgNVBAsTLFZhbGlDZXJ0IENsYXNzIDIgUG9saWN5IFZhbGlkYXRpb24gQXV0aG9y"
- "aXR5MSEwHwYDVQQDExhodHRwOi8vd3d3LnZhbGljZXJ0LmNvbS8xIDAeBgkqhkiG"
- "9w0BCQEWEWluZm9AdmFsaWNlcnQuY29tMB4XDTk5MDYyNjAwMTk1NFoXDTE5MDYy"
- "NjAwMTk1NFowgbsxJDAiBgNVBAcTG1ZhbGlDZXJ0IFZhbGlkYXRpb24gTmV0d29y"
- "azEXMBUGA1UEChMOVmFsaUNlcnQsIEluYy4xNTAzBgNVBAsTLFZhbGlDZXJ0IENs"
- "YXNzIDIgUG9saWN5IFZhbGlkYXRpb24gQXV0aG9yaXR5MSEwHwYDVQQDExhodHRw"
- "Oi8vd3d3LnZhbGljZXJ0LmNvbS8xIDAeBgkqhkiG9w0BCQEWEWluZm9AdmFsaWNl"
- "cnQuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDOOnHK5avIWZJV16vY"
- "dA757tn2VUdZZUcOBVXc65g2PFxTXdMwzzjsvUGJ7SVCCSRrCl6zfN1SLUzm1NZ9"
- "WlmpZdRJEy0kTRxQb7XBhVQ7/nHk01xC+YDgkRoKWzk2Z/M/VXwbP7RfZHM047QS"
- "v4dk+NoS/zcnwbNDu+97bi5p9wIDAQABMA0GCSqGSIb3DQEBBQUAA4GBADt/UG9v"
- "UJSZSWI4OB9L+KXIPqeCgfYrx+jFzug6EILLGACOTb2oWH+heQC1u+mNr0HZDzTu"
- "IYEZoDJJKPTEjlbVUjP9UNV+mWwD5MlM/Mtsq2azSiGM5bUMMj4QssxsodyamEwC"
- "W/POuZ6lcg5Ktz885hZo+L7tdEy8W9ViH0Pd";
-
- CertSvcCertificate cert1, cert2, cert3;
-
- int result = certsvc_certificate_new_from_memory(
- vinstance,
- (const unsigned char*)certEE.c_str(),
- certEE.size(),
- CERTSVC_FORM_DER_BASE64,
- &cert1);
-
- RUNNER_ASSERT_MSG(CERTSVC_SUCCESS == result, "Error in reading certificate.");
-
- result = certsvc_certificate_new_from_memory(
- vinstance,
- (const unsigned char*)certCA.c_str(),
- certCA.size(),
- CERTSVC_FORM_DER_BASE64,
- &cert2);
- RUNNER_ASSERT_MSG(CERTSVC_SUCCESS == result, "Error in reading certificate.");
-
- result = certsvc_certificate_new_from_memory(
- vinstance,
- (const unsigned char*)certRCA.c_str(),
- certRCA.size(),
- CERTSVC_FORM_DER_BASE64,
- &cert3);
- RUNNER_ASSERT_MSG(CERTSVC_SUCCESS == result, "Error in reading certificate.");
-
- CertSvcCertificate collection[3];
- collection[0] = cert1;
- collection[1] = cert2;
- collection[2] = cert3;
-
- int status;
- result = certsvc_ocsp_check(collection, 3, collection, 3, NULL, &status);
- RUNNER_ASSERT_MSG(CERTSVC_SUCCESS == result, "Error in ocsp check.");
-
- RUNNER_ASSERT_MSG(status & CERTSVC_OCSP_GOOD, "Error in ocsp.");
- ValidationCore::VCoreDeinit();
-}
-
-/*
- * author: ---
- * test: OCSP test.
- * description: Testing OCSP for certificate list.
- * expect: OCSP should return success.
- */
-RUNNER_TEST(test12_ocsp)
-{
- ValidationCore::VCoreInit();
-
- std::string googleCA =
- "MIICPDCCAaUCEHC65B0Q2Sk0tjjKewPMur8wDQYJKoZIhvcNAQECBQAwXzELMAkG"
- "A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFz"
- "cyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2"
- "MDEyOTAwMDAwMFoXDTI4MDgwMTIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNV"
- "BAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQcmlt"
- "YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN"
- "ADCBiQKBgQDJXFme8huKARS0EN8EQNvjV69qRUCPhAwL0TPZ2RHP7gJYHyX3KqhE"
- "BarsAx94f56TuZoAqiN91qyFomNFx3InzPRMxnVx0jnvT0Lwdd8KkMaOIG+YD/is"
- "I19wKTakyYbnsZogy1Olhec9vn2a/iRFM9x2Fe0PonFkTGUugWhFpwIDAQABMA0G"
- "CSqGSIb3DQEBAgUAA4GBALtMEivPLCYATxQT3ab7/AoRhIzzKBxnki98tsX63/Do"
- "lbwdj2wsqFHMc9ikwFPwTtYmwHYBV4GSXiHx0bH/59AhWM1pF+NEHJwZRDmJXNyc"
- "AA9WjQKZ7aKQRUzkuxCkPfAyAw7xzvjoyVGM5mKf5p/AfbdynMk2OmufTqj/ZA1k";
-
- std::string google2nd =
- "MIIDIzCCAoygAwIBAgIEMAAAAjANBgkqhkiG9w0BAQUFADBfMQswCQYDVQQGEwJV"
- "UzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsTLkNsYXNzIDMgUHVi"
- "bGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDQwNTEzMDAw"
- "MDAwWhcNMTQwNTEyMjM1OTU5WjBMMQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhh"
- "d3RlIENvbnN1bHRpbmcgKFB0eSkgTHRkLjEWMBQGA1UEAxMNVGhhd3RlIFNHQyBD"
- "QTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1NNn0I0Vf67NMf59HZGhPwtx"
- "PKzMyGT7Y/wySweUvW+Aui/hBJPAM/wJMyPpC3QrccQDxtLN4i/1CWPN/0ilAL/g"
- "5/OIty0y3pg25gqtAHvEZEo7hHUD8nCSfQ5i9SGraTaEMXWQ+L/HbIgbBpV8yeWo"
- "3nWhLHpo39XKHIdYYBkCAwEAAaOB/jCB+zASBgNVHRMBAf8ECDAGAQH/AgEAMAsG"
- "A1UdDwQEAwIBBjARBglghkgBhvhCAQEEBAMCAQYwKAYDVR0RBCEwH6QdMBsxGTAX"
- "BgNVBAMTEFByaXZhdGVMYWJlbDMtMTUwMQYDVR0fBCowKDAmoCSgIoYgaHR0cDov"
- "L2NybC52ZXJpc2lnbi5jb20vcGNhMy5jcmwwMgYIKwYBBQUHAQEEJjAkMCIGCCsG"
- "AQUFBzABhhZodHRwOi8vb2NzcC50aGF3dGUuY29tMDQGA1UdJQQtMCsGCCsGAQUF"
- "BwMBBggrBgEFBQcDAgYJYIZIAYb4QgQBBgpghkgBhvhFAQgBMA0GCSqGSIb3DQEB"
- "BQUAA4GBAFWsY+reod3SkF+fC852vhNRj5PZBSvIG3dLrWlQoe7e3P3bB+noOZTc"
- "q3J5Lwa/q4FwxKjt6lM07e8eU9kGx1Yr0Vz00YqOtCuxN5BICEIlxT6Ky3/rbwTR"
- "bcV0oveifHtgPHfNDs5IAn8BL7abN+AqKjbc1YXWrOU/VG+WHgWv";
-
- std::string google3rd =
- "MIIDIjCCAougAwIBAgIQK59+5colpiUUIEeCdTqbuTANBgkqhkiG9w0BAQUFADBM"
- "MQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkg"
- "THRkLjEWMBQGA1UEAxMNVGhhd3RlIFNHQyBDQTAeFw0xMTEwMjYwMDAwMDBaFw0x"
- "MzA5MzAyMzU5NTlaMGkxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh"
- "MRYwFAYDVQQHFA1Nb3VudGFpbiBWaWV3MRMwEQYDVQQKFApHb29nbGUgSW5jMRgw"
- "FgYDVQQDFA9tYWlsLmdvb2dsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ"
- "AoGBAK85FZho5JL+T0/xu/8NLrD+Jaq9aARnJ+psQ0ynbcvIj36B7ocmJRASVDOe"
- "qj2bj46Ss0sB4/lKKcMP/ay300yXKT9pVc9wgwSvLgRudNYPFwn+niAkJOPHaJys"
- "Eb2S5LIbCfICMrtVGy0WXzASI+JMSo3C2j/huL/3OrGGvvDFAgMBAAGjgecwgeQw"
- "DAYDVR0TAQH/BAIwADA2BgNVHR8ELzAtMCugKaAnhiVodHRwOi8vY3JsLnRoYXd0"
- "ZS5jb20vVGhhd3RlU0dDQ0EuY3JsMCgGA1UdJQQhMB8GCCsGAQUFBwMBBggrBgEF"
- "BQcDAgYJYIZIAYb4QgQBMHIGCCsGAQUFBwEBBGYwZDAiBggrBgEFBQcwAYYWaHR0"
- "cDovL29jc3AudGhhd3RlLmNvbTA+BggrBgEFBQcwAoYyaHR0cDovL3d3dy50aGF3"
- "dGUuY29tL3JlcG9zaXRvcnkvVGhhd3RlX1NHQ19DQS5jcnQwDQYJKoZIhvcNAQEF"
- "BQADgYEANYARzVI+hCn7wSjhIOUCj19xZVgdYnJXPOZeJWHTy60i+NiBpOf0rnzZ"
- "wW2qkw1iB5/yZ0eZNDNPPQJ09IHWOAgh6OKh+gVBnJzJ+fPIo+4NpddQVF4vfXm3"
- "fgp8tuIsqK7+lNfNFjBxBKqeecPStiSnJavwSI4vw6e7UN0Pz7A=";
-
- CertSvcCertificate cert1, cert2, cert3;
-
- int result = certsvc_certificate_new_from_memory(
- vinstance,
- (const unsigned char*)google3rd.c_str(),
- google3rd.size(),
- CERTSVC_FORM_DER_BASE64,
- &cert1);
-
- RUNNER_ASSERT_MSG(CERTSVC_SUCCESS == result, "Error in reading certificate.");
-
- result = certsvc_certificate_new_from_memory(
- vinstance,
- (const unsigned char*)google2nd.c_str(),
- google2nd.size(),
- CERTSVC_FORM_DER_BASE64,
- &cert2);
- RUNNER_ASSERT_MSG(CERTSVC_SUCCESS == result, "Error in reading certificate.");
-
- result = certsvc_certificate_new_from_memory(
- vinstance,
- (const unsigned char*)googleCA.c_str(),
- googleCA.size(),
- CERTSVC_FORM_DER_BASE64,
- &cert3);
- RUNNER_ASSERT_MSG(CERTSVC_SUCCESS == result, "Error in reading certificate.");
-
- CertSvcCertificate collection[3];
- collection[0] = cert1;
- collection[1] = cert2;
- collection[2] = cert3;
-
- int status;
- result = certsvc_ocsp_check(collection, 3, collection, 3, NULL, &status);
- RUNNER_ASSERT_MSG(CERTSVC_SUCCESS == result, "Error in ocsp check.");
-
- RUNNER_ASSERT_MSG(status & CERTSVC_OCSP_GOOD, "Error in ocsp.");
-
- // Invalid URL Test
- result = certsvc_ocsp_check(collection, 3, collection, 3, "http://127.0.0.1:9999", &status);
- RUNNER_ASSERT_MSG(CERTSVC_SUCCESS == result, "Error in ocsp check.");
-
- RUNNER_ASSERT_MSG(status & CERTSVC_OCSP_CONNECTION_FAILED, "Error in ocsp.");
- ValidationCore::VCoreDeinit();
-}
-
-/*
- * author: ---
- * test: Testing CRL.
- * description: Testing CRL of certificates.
- * expect: CRL test should return sucess.
- */
-RUNNER_TEST(test13_crl)
-{
- const int MAXC = 3;
- std::string cert[MAXC];
- cert[0] =
- "MIIDIjCCAougAwIBAgIQK59+5colpiUUIEeCdTqbuTANBgkqhkiG9w0BAQUFADBM"
- "MQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkg"
- "THRkLjEWMBQGA1UEAxMNVGhhd3RlIFNHQyBDQTAeFw0xMTEwMjYwMDAwMDBaFw0x"
- "MzA5MzAyMzU5NTlaMGkxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh"
- "MRYwFAYDVQQHFA1Nb3VudGFpbiBWaWV3MRMwEQYDVQQKFApHb29nbGUgSW5jMRgw"
- "FgYDVQQDFA9tYWlsLmdvb2dsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ"
- "AoGBAK85FZho5JL+T0/xu/8NLrD+Jaq9aARnJ+psQ0ynbcvIj36B7ocmJRASVDOe"
- "qj2bj46Ss0sB4/lKKcMP/ay300yXKT9pVc9wgwSvLgRudNYPFwn+niAkJOPHaJys"
- "Eb2S5LIbCfICMrtVGy0WXzASI+JMSo3C2j/huL/3OrGGvvDFAgMBAAGjgecwgeQw"
- "DAYDVR0TAQH/BAIwADA2BgNVHR8ELzAtMCugKaAnhiVodHRwOi8vY3JsLnRoYXd0"
- "ZS5jb20vVGhhd3RlU0dDQ0EuY3JsMCgGA1UdJQQhMB8GCCsGAQUFBwMBBggrBgEF"
- "BQcDAgYJYIZIAYb4QgQBMHIGCCsGAQUFBwEBBGYwZDAiBggrBgEFBQcwAYYWaHR0"
- "cDovL29jc3AudGhhd3RlLmNvbTA+BggrBgEFBQcwAoYyaHR0cDovL3d3dy50aGF3"
- "dGUuY29tL3JlcG9zaXRvcnkvVGhhd3RlX1NHQ19DQS5jcnQwDQYJKoZIhvcNAQEF"
- "BQADgYEANYARzVI+hCn7wSjhIOUCj19xZVgdYnJXPOZeJWHTy60i+NiBpOf0rnzZ"
- "wW2qkw1iB5/yZ0eZNDNPPQJ09IHWOAgh6OKh+gVBnJzJ+fPIo+4NpddQVF4vfXm3"
- "fgp8tuIsqK7+lNfNFjBxBKqeecPStiSnJavwSI4vw6e7UN0Pz7A=";
-
- cert[1] =
- "MIIDIzCCAoygAwIBAgIEMAAAAjANBgkqhkiG9w0BAQUFADBfMQswCQYDVQQGEwJV"
- "UzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsTLkNsYXNzIDMgUHVi"
- "bGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDQwNTEzMDAw"
- "MDAwWhcNMTQwNTEyMjM1OTU5WjBMMQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhh"
- "d3RlIENvbnN1bHRpbmcgKFB0eSkgTHRkLjEWMBQGA1UEAxMNVGhhd3RlIFNHQyBD"
- "QTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1NNn0I0Vf67NMf59HZGhPwtx"
- "PKzMyGT7Y/wySweUvW+Aui/hBJPAM/wJMyPpC3QrccQDxtLN4i/1CWPN/0ilAL/g"
- "5/OIty0y3pg25gqtAHvEZEo7hHUD8nCSfQ5i9SGraTaEMXWQ+L/HbIgbBpV8yeWo"
- "3nWhLHpo39XKHIdYYBkCAwEAAaOB/jCB+zASBgNVHRMBAf8ECDAGAQH/AgEAMAsG"
- "A1UdDwQEAwIBBjARBglghkgBhvhCAQEEBAMCAQYwKAYDVR0RBCEwH6QdMBsxGTAX"
- "BgNVBAMTEFByaXZhdGVMYWJlbDMtMTUwMQYDVR0fBCowKDAmoCSgIoYgaHR0cDov"
- "L2NybC52ZXJpc2lnbi5jb20vcGNhMy5jcmwwMgYIKwYBBQUHAQEEJjAkMCIGCCsG"
- "AQUFBzABhhZodHRwOi8vb2NzcC50aGF3dGUuY29tMDQGA1UdJQQtMCsGCCsGAQUF"
- "BwMBBggrBgEFBQcDAgYJYIZIAYb4QgQBBgpghkgBhvhFAQgBMA0GCSqGSIb3DQEB"
- "BQUAA4GBAFWsY+reod3SkF+fC852vhNRj5PZBSvIG3dLrWlQoe7e3P3bB+noOZTc"
- "q3J5Lwa/q4FwxKjt6lM07e8eU9kGx1Yr0Vz00YqOtCuxN5BICEIlxT6Ky3/rbwTR"
- "bcV0oveifHtgPHfNDs5IAn8BL7abN+AqKjbc1YXWrOU/VG+WHgWv";
-
- cert[2] =
- "MIICPDCCAaUCEHC65B0Q2Sk0tjjKewPMur8wDQYJKoZIhvcNAQECBQAwXzELMAkG"
- "A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFz"
- "cyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2"
- "MDEyOTAwMDAwMFoXDTI4MDgwMTIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNV"
- "BAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQcmlt"
- "YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN"
- "ADCBiQKBgQDJXFme8huKARS0EN8EQNvjV69qRUCPhAwL0TPZ2RHP7gJYHyX3KqhE"
- "BarsAx94f56TuZoAqiN91qyFomNFx3InzPRMxnVx0jnvT0Lwdd8KkMaOIG+YD/is"
- "I19wKTakyYbnsZogy1Olhec9vn2a/iRFM9x2Fe0PonFkTGUugWhFpwIDAQABMA0G"
- "CSqGSIb3DQEBAgUAA4GBALtMEivPLCYATxQT3ab7/AoRhIzzKBxnki98tsX63/Do"
- "lbwdj2wsqFHMc9ikwFPwTtYmwHYBV4GSXiHx0bH/59AhWM1pF+NEHJwZRDmJXNyc"
- "AA9WjQKZ7aKQRUzkuxCkPfAyAw7xzvjoyVGM5mKf5p/AfbdynMk2OmufTqj/ZA1k";
-
-
- CertSvcCertificate certificate[MAXC];
-
- int result, status;
-
- for (int i=0; i<MAXC; ++i) {
- LogDebug("Reading certificate: " << i);
- int result = certsvc_certificate_new_from_memory(
- vinstance,
- (const unsigned char*)cert[i].c_str(),
- cert[i].size(),
- CERTSVC_FORM_DER_BASE64,
- &certificate[i]);
- RUNNER_ASSERT_MSG(CERTSVC_SUCCESS == result, "Error reading certificate");
- }
-
- certsvc_crl_cache_functions(
- vinstance,
- memoryCacheWrite,
- memoryCacheRead,
- memoryCacheFree);
-
- MemoryCache mcache;
-
- for (int i=0; i<MAXC; ++i) {
- LogDebug("Check " << i << " certificate.");
- result = certsvc_crl_check(certificate[i], certificate, MAXC, 0, &status, &mcache);
- RUNNER_ASSERT_MSG(CERTSVC_SUCCESS == result, "Error in crl.");
- if (i<2) {
- RUNNER_ASSERT_MSG(CERTSVC_CRL_GOOD & status, "Check of crl status failed.");
- } else {
- RUNNER_ASSERT_MSG(CERTSVC_CRL_NO_SUPPORT & status, "Check of crl status failed.");
- }
- LogDebug("Status: " << status);
- }
-}
-#endif
-
/*
* author: ---
* test: Certificate verification.
SET(CERT_SVC_OGIG_TESTS_SOURCES
${PROJECT_SOURCE_DIR}/tests/cert-svc/test_caflag.c
- ${PROJECT_SOURCE_DIR}/tests/cert-svc/test_ocsp.c
${PROJECT_SOURCE_DIR}/tests/cert-svc/test_suite_main.c
${VCORE_DPL_SOURCES}
)
INSTALL(FILES
${PROJECT_SOURCE_DIR}/tests/cert-svc/data/caflag/root_ca.der
${PROJECT_SOURCE_DIR}/tests/cert-svc/data/caflag/root_ca_v1.der
- ${PROJECT_SOURCE_DIR}/tests/cert-svc/data/ocsp/second_ca.der
DESTINATION ${TZ_SYS_SHARE}/cert-svc/certs
PERMISSIONS OWNER_READ
GROUP_READ
WORLD_READ
)
-
-IF(DEFINED TIZEN_FEAT_CERTSVC_OCSP_CRL)
-INSTALL(DIRECTORY
- ${PROJECT_SOURCE_DIR}/tests/cert-svc/data/ocsp/
- DESTINATION ${TZ_SYS_SHARE}/cert-svc/tests/orig_c/data/ocsp
- FILES_MATCHING
- PATTERN "*"
- PERMISSIONS OWNER_READ
- OWNER_WRITE
- OWNER_EXECUTE
- GROUP_READ
- GROUP_EXECUTE
- WORLD_READ
- WORLD_EXECUTE
- )
-
-INSTALL(FILES
- ${PROJECT_SOURCE_DIR}/tests/cert-svc/data/ocsp/cert-svc-tests-start-ocsp-server.sh
- ${PROJECT_SOURCE_DIR}/tests/cert-svc/data/ocsp/cert-svc-tests-kill-ocsp-server.sh
- DESTINATION ${TZ_SYS_BIN}
- PERMISSIONS OWNER_READ
- OWNER_WRITE
- OWNER_EXECUTE
- GROUP_READ
- GROUP_EXECUTE
- WORLD_READ
- WORLD_EXECUTE
- )
-ENDIF(DEFINED TIZEN_FEAT_CERTSVC_OCSP_CRL)
+++ /dev/null
-#!/bin/sh
-# Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-echo "--- Kill OCSP server..."
-pkill -9 openssl # if previously it was launched and openssl didn't close sockets
-
+++ /dev/null
-#!/bin/sh
-# Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-source /etc/tizen-platform.conf
-
-LOCAL_OCSP_WORKSPACE=${TZ_SYS_SHARE}/cert-svc/tests/orig_c/data/ocsp
-
-pkill -9 openssl # if previously it was launched and openssl didn't close sockets
-
-echo "starting OCSP server"
-OPENSSL_CONF=${LOCAL_OCSP_WORKSPACE}/demoCA/openssl.cnf openssl ocsp \
--index ${LOCAL_OCSP_WORKSPACE}/demoCA/index.txt \
--port 8888 -rsigner ${LOCAL_OCSP_WORKSPACE}/ocsp_signer.crt \
--rkey ${LOCAL_OCSP_WORKSPACE}/ocsp_signer.key \
--CA ${LOCAL_OCSP_WORKSPACE}/demoCA/cacert.pem -text \
--out ${LOCAL_OCSP_WORKSPACE}/log.txt &
-
-echo "--- OCSP server shutdown..."
-
+++ /dev/null
-Certificate:
- Data:
- Version: 3 (0x2)
- Serial Number: 1 (0x1)
- Signature Algorithm: sha1WithRSAEncryption
- Issuer: C=KR, ST=Seoul, O=Samsung, OU=Tizen Test, CN=Test Root CA/emailAddress=tt@gmail.com
- Validity
- Not Before: Jun 18 08:10:59 2014 GMT
- Not After : Jun 18 08:10:59 2015 GMT
- Subject: C=KR, ST=Seoul, O=Samsung, OU=Tizen Test, CN=Test Second CA/emailAddress=tt@gmail.com
- Subject Public Key Info:
- Public Key Algorithm: rsaEncryption
- Public-Key: (1024 bit)
- Modulus:
- 00:cb:26:b3:00:17:f2:73:c4:82:2b:43:34:3f:dc:
- 51:ad:ed:c1:80:50:46:1a:10:54:a8:fa:17:03:29:
- 84:57:69:90:b7:df:f9:24:54:03:58:16:1f:a5:a2:
- 0f:5e:30:95:14:96:dd:13:04:e8:3b:f6:d3:a7:4b:
- fe:4c:07:05:9a:54:b1:0e:2d:a9:6f:d1:48:f6:15:
- f8:c4:32:91:9d:ff:11:05:e9:5b:f7:e2:64:93:71:
- 66:9d:30:7c:83:c1:8c:03:65:5c:1d:16:4a:ef:3a:
- 40:3a:5b:08:30:4b:c5:d2:ae:96:c7:fe:79:0a:52:
- 42:a9:93:e6:18:96:32:84:cd
- Exponent: 65537 (0x10001)
- X509v3 extensions:
- X509v3 Subject Key Identifier:
- A9:49:F3:5B:13:45:76:34:79:FF:57:97:FA:EB:4B:F6:71:6C:18:80
- X509v3 Authority Key Identifier:
- keyid:64:1E:4F:4B:9E:18:2F:BC:E2:30:C4:73:A6:6B:9E:05:1A:DF:12:08
-
- X509v3 Basic Constraints:
- CA:TRUE
- Authority Information Access:
- OCSP - URI:http://127.0.0.1:8888
- CA Issuers - URI:http://SVRSecure-G3-aia.verisign.com/SVRSecureG3.cer
-
- Signature Algorithm: sha1WithRSAEncryption
- 5a:27:0d:0c:ec:fd:3b:35:b0:40:d6:dd:fe:44:9a:e2:95:66:
- 5a:47:f6:c2:ec:b5:22:c9:c5:92:bc:fa:ff:3c:25:bc:f8:e7:
- 5f:cb:7f:c8:71:be:73:2f:dc:cc:04:c5:7a:fd:a8:f2:8f:96:
- f2:91:7e:3f:9b:6c:b0:79:29:31:1c:67:9c:e1:0e:92:7b:48:
- 36:1e:b1:d5:1d:44:a3:8c:48:dd:09:21:12:f7:24:e0:9d:60:
- 73:a7:26:4e:a8:fb:8e:6f:67:f4:cd:bf:49:6c:88:af:74:bf:
- 11:f6:8e:8d:84:5e:73:46:fa:37:b2:04:6c:29:fb:71:fa:45:
- 61:f0
------BEGIN CERTIFICATE-----
-MIIDLzCCApigAwIBAgIBATANBgkqhkiG9w0BAQUFADB4MQswCQYDVQQGEwJLUjEO
-MAwGA1UECAwFU2VvdWwxEDAOBgNVBAoMB1NhbXN1bmcxEzARBgNVBAsMClRpemVu
-IFRlc3QxFTATBgNVBAMMDFRlc3QgUm9vdCBDQTEbMBkGCSqGSIb3DQEJARYMdHRA
-Z21haWwuY29tMB4XDTE0MDYxODA4MTA1OVoXDTE1MDYxODA4MTA1OVowejELMAkG
-A1UEBhMCS1IxDjAMBgNVBAgMBVNlb3VsMRAwDgYDVQQKDAdTYW1zdW5nMRMwEQYD
-VQQLDApUaXplbiBUZXN0MRcwFQYDVQQDDA5UZXN0IFNlY29uZCBDQTEbMBkGCSqG
-SIb3DQEJARYMdHRAZ21haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
-gQDLJrMAF/JzxIIrQzQ/3FGt7cGAUEYaEFSo+hcDKYRXaZC33/kkVANYFh+log9e
-MJUUlt0TBOg79tOnS/5MBwWaVLEOLalv0Uj2FfjEMpGd/xEF6Vv34mSTcWadMHyD
-wYwDZVwdFkrvOkA6WwgwS8XSrpbH/nkKUkKpk+YYljKEzQIDAQABo4HGMIHDMB0G
-A1UdDgQWBBSpSfNbE0V2NHn/V5f660v2cWwYgDAfBgNVHSMEGDAWgBRkHk9Lnhgv
-vOIwxHOma54FGt8SCDAMBgNVHRMEBTADAQH/MHMGCCsGAQUFBwEBBGcwZTAhBggr
-BgEFBQcwAYYVaHR0cDovLzEyNy4wLjAuMTo4ODg4MEAGCCsGAQUFBzAChjRodHRw
-Oi8vU1ZSU2VjdXJlLUczLWFpYS52ZXJpc2lnbi5jb20vU1ZSU2VjdXJlRzMuY2Vy
-MA0GCSqGSIb3DQEBBQUAA4GBAFonDQzs/Ts1sEDW3f5EmuKVZlpH9sLstSLJxZK8
-+v88Jbz451/Lf8hxvnMv3MwExXr9qPKPlvKRfj+bbLB5KTEcZ5zhDpJ7SDYesdUd
-RKOMSN0JIRL3JOCdYHOnJk6o+45vZ/TNv0lsiK90vxH2jo2EXnNG+jeyBGwp+3H6
-RWHw
------END CERTIFICATE-----
+++ /dev/null
-V 150618081051Z 00 unknown /C=KR/ST=Seoul/O=Samsung/OU=Tizen Test/CN=Test Root CA/emailAddress=tt@gmail.com
-V 150618081059Z 01 unknown /C=KR/ST=Seoul/O=Samsung/OU=Tizen Test/CN=Test Second CA/emailAddress=tt@gmail.com
-V 150618081104Z 02 unknown /C=KR/ST=Seoul/O=Samsung/OU=Tizen Test AIA/CN=Test Signer/emailAddress=tt@gmail.com
-R 150618081114Z 140618081114Z 03 unknown /C=KR/ST=Seoul/O=Samsung/OU=Tizen Test REVOKED/CN=Test Signer/emailAddress=tt@gmail.com
-V 150618081129Z 04 unknown /C=KR/ST=Seoul/O=Samsung/OU=Tizen Test NO AIA/CN=Test Signer/emailAddress=tt@gmail.com
-V 150618081146Z 05 unknown /C=KR/ST=Seoul/O=Samsung/OU=Tizen Test OCSP Response Signer/CN=OCSP Response Signer/emailAddress=tt@gmail.com
+++ /dev/null
-unique_subject = yes
+++ /dev/null
-unique_subject = yes
+++ /dev/null
-V 150618081051Z 00 unknown /C=KR/ST=Seoul/O=Samsung/OU=Tizen Test/CN=Test Root CA/emailAddress=tt@gmail.com
-V 150618081059Z 01 unknown /C=KR/ST=Seoul/O=Samsung/OU=Tizen Test/CN=Test Second CA/emailAddress=tt@gmail.com
-V 150618081104Z 02 unknown /C=KR/ST=Seoul/O=Samsung/OU=Tizen Test AIA/CN=Test Signer/emailAddress=tt@gmail.com
-R 150618081114Z 140618081114Z 03 unknown /C=KR/ST=Seoul/O=Samsung/OU=Tizen Test REVOKED/CN=Test Signer/emailAddress=tt@gmail.com
-V 150618081129Z 04 unknown /C=KR/ST=Seoul/O=Samsung/OU=Tizen Test NO AIA/CN=Test Signer/emailAddress=tt@gmail.com
+++ /dev/null
-Certificate:
- Data:
- Version: 3 (0x2)
- Serial Number: 0 (0x0)
- Signature Algorithm: sha1WithRSAEncryption
- Issuer: C=KR, ST=Seoul, O=Samsung, OU=Tizen Test, CN=Test Root CA/emailAddress=tt@gmail.com
- Validity
- Not Before: Jun 18 08:10:51 2014 GMT
- Not After : Jun 18 08:10:51 2015 GMT
- Subject: C=KR, ST=Seoul, O=Samsung, OU=Tizen Test, CN=Test Root CA/emailAddress=tt@gmail.com
- Subject Public Key Info:
- Public Key Algorithm: rsaEncryption
- Public-Key: (1024 bit)
- Modulus:
- 00:a3:a6:5e:82:c4:3d:85:27:0c:d7:20:fb:7a:3b:
- f8:e3:15:13:24:38:d3:95:c1:b0:78:78:7b:e8:89:
- b6:db:1e:b2:02:58:cc:db:e7:4a:76:3d:c4:21:51:
- ad:d0:10:37:ea:a7:59:16:5f:16:3b:1c:d0:19:c0:
- 33:41:8e:c6:14:e5:d0:56:88:38:52:3a:87:33:19:
- 96:c0:0c:79:8d:0c:81:cc:88:9e:02:3e:07:67:69:
- 6a:b8:f0:62:ca:22:1e:1c:0a:3a:b0:24:96:b3:19:
- e1:ec:fa:af:59:a0:32:a4:f6:55:12:a3:89:de:06:
- b9:ad:7c:83:09:c8:f3:43:c1
- Exponent: 65537 (0x10001)
- X509v3 extensions:
- X509v3 Subject Key Identifier:
- 64:1E:4F:4B:9E:18:2F:BC:E2:30:C4:73:A6:6B:9E:05:1A:DF:12:08
- X509v3 Authority Key Identifier:
- keyid:64:1E:4F:4B:9E:18:2F:BC:E2:30:C4:73:A6:6B:9E:05:1A:DF:12:08
-
- X509v3 Basic Constraints:
- CA:TRUE
- Authority Information Access:
- OCSP - URI:http://127.0.0.1:8888
- CA Issuers - URI:http://SVRSecure-G3-aia.verisign.com/SVRSecureG3.cer
-
- Signature Algorithm: sha1WithRSAEncryption
- 32:44:95:d3:65:cc:11:0a:44:4d:19:94:02:3b:cb:71:1e:fa:
- e6:82:ff:2f:43:09:d9:64:5e:92:c3:26:3f:06:bc:b4:7e:69:
- 5e:86:d3:79:d8:d2:e3:8c:f1:06:ea:ef:58:15:87:f3:4a:48:
- d0:95:54:74:a9:f4:36:98:db:37:77:a0:0a:16:53:9d:64:e4:
- fa:72:e1:08:66:e2:9e:a4:36:f6:4f:1e:49:25:b2:0d:e8:dd:
- df:13:f9:55:49:6f:3c:2b:d6:92:08:5d:a7:d7:98:18:4d:25:
- 66:0f:48:ee:1e:e2:c0:a1:69:c8:89:c6:9a:f9:26:de:d9:3b:
- 23:01
------BEGIN CERTIFICATE-----
-MIIDLTCCApagAwIBAgIBADANBgkqhkiG9w0BAQUFADB4MQswCQYDVQQGEwJLUjEO
-MAwGA1UECAwFU2VvdWwxEDAOBgNVBAoMB1NhbXN1bmcxEzARBgNVBAsMClRpemVu
-IFRlc3QxFTATBgNVBAMMDFRlc3QgUm9vdCBDQTEbMBkGCSqGSIb3DQEJARYMdHRA
-Z21haWwuY29tMB4XDTE0MDYxODA4MTA1MVoXDTE1MDYxODA4MTA1MVoweDELMAkG
-A1UEBhMCS1IxDjAMBgNVBAgMBVNlb3VsMRAwDgYDVQQKDAdTYW1zdW5nMRMwEQYD
-VQQLDApUaXplbiBUZXN0MRUwEwYDVQQDDAxUZXN0IFJvb3QgQ0ExGzAZBgkqhkiG
-9w0BCQEWDHR0QGdtYWlsLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
-o6ZegsQ9hScM1yD7ejv44xUTJDjTlcGweHh76Im22x6yAljM2+dKdj3EIVGt0BA3
-6qdZFl8WOxzQGcAzQY7GFOXQVog4UjqHMxmWwAx5jQyBzIieAj4HZ2lquPBiyiIe
-HAo6sCSWsxnh7PqvWaAypPZVEqOJ3ga5rXyDCcjzQ8ECAwEAAaOBxjCBwzAdBgNV
-HQ4EFgQUZB5PS54YL7ziMMRzpmueBRrfEggwHwYDVR0jBBgwFoAUZB5PS54YL7zi
-MMRzpmueBRrfEggwDAYDVR0TBAUwAwEB/zBzBggrBgEFBQcBAQRnMGUwIQYIKwYB
-BQUHMAGGFWh0dHA6Ly8xMjcuMC4wLjE6ODg4ODBABggrBgEFBQcwAoY0aHR0cDov
-L1NWUlNlY3VyZS1HMy1haWEudmVyaXNpZ24uY29tL1NWUlNlY3VyZUczLmNlcjAN
-BgkqhkiG9w0BAQUFAAOBgQAyRJXTZcwRCkRNGZQCO8txHvrmgv8vQwnZZF6SwyY/
-Bry0fmlehtN52NLjjPEG6u9YFYfzSkjQlVR0qfQ2mNs3d6AKFlOdZOT6cuEIZuKe
-pDb2Tx5JJbIN6N3fE/lVSW88K9aSCF2n15gYTSVmD0juHuLAoWnIicaa+Sbe2Tsj
-AQ==
------END CERTIFICATE-----
+++ /dev/null
-Certificate:
- Data:
- Version: 3 (0x2)
- Serial Number: 1 (0x1)
- Signature Algorithm: sha1WithRSAEncryption
- Issuer: C=KR, ST=Seoul, O=Samsung, OU=Tizen Test, CN=Test Root CA/emailAddress=tt@gmail.com
- Validity
- Not Before: Jun 18 08:10:59 2014 GMT
- Not After : Jun 18 08:10:59 2015 GMT
- Subject: C=KR, ST=Seoul, O=Samsung, OU=Tizen Test, CN=Test Second CA/emailAddress=tt@gmail.com
- Subject Public Key Info:
- Public Key Algorithm: rsaEncryption
- Public-Key: (1024 bit)
- Modulus:
- 00:cb:26:b3:00:17:f2:73:c4:82:2b:43:34:3f:dc:
- 51:ad:ed:c1:80:50:46:1a:10:54:a8:fa:17:03:29:
- 84:57:69:90:b7:df:f9:24:54:03:58:16:1f:a5:a2:
- 0f:5e:30:95:14:96:dd:13:04:e8:3b:f6:d3:a7:4b:
- fe:4c:07:05:9a:54:b1:0e:2d:a9:6f:d1:48:f6:15:
- f8:c4:32:91:9d:ff:11:05:e9:5b:f7:e2:64:93:71:
- 66:9d:30:7c:83:c1:8c:03:65:5c:1d:16:4a:ef:3a:
- 40:3a:5b:08:30:4b:c5:d2:ae:96:c7:fe:79:0a:52:
- 42:a9:93:e6:18:96:32:84:cd
- Exponent: 65537 (0x10001)
- X509v3 extensions:
- X509v3 Subject Key Identifier:
- A9:49:F3:5B:13:45:76:34:79:FF:57:97:FA:EB:4B:F6:71:6C:18:80
- X509v3 Authority Key Identifier:
- keyid:64:1E:4F:4B:9E:18:2F:BC:E2:30:C4:73:A6:6B:9E:05:1A:DF:12:08
-
- X509v3 Basic Constraints:
- CA:TRUE
- Authority Information Access:
- OCSP - URI:http://127.0.0.1:8888
- CA Issuers - URI:http://SVRSecure-G3-aia.verisign.com/SVRSecureG3.cer
-
- Signature Algorithm: sha1WithRSAEncryption
- 5a:27:0d:0c:ec:fd:3b:35:b0:40:d6:dd:fe:44:9a:e2:95:66:
- 5a:47:f6:c2:ec:b5:22:c9:c5:92:bc:fa:ff:3c:25:bc:f8:e7:
- 5f:cb:7f:c8:71:be:73:2f:dc:cc:04:c5:7a:fd:a8:f2:8f:96:
- f2:91:7e:3f:9b:6c:b0:79:29:31:1c:67:9c:e1:0e:92:7b:48:
- 36:1e:b1:d5:1d:44:a3:8c:48:dd:09:21:12:f7:24:e0:9d:60:
- 73:a7:26:4e:a8:fb:8e:6f:67:f4:cd:bf:49:6c:88:af:74:bf:
- 11:f6:8e:8d:84:5e:73:46:fa:37:b2:04:6c:29:fb:71:fa:45:
- 61:f0
------BEGIN CERTIFICATE-----
-MIIDLzCCApigAwIBAgIBATANBgkqhkiG9w0BAQUFADB4MQswCQYDVQQGEwJLUjEO
-MAwGA1UECAwFU2VvdWwxEDAOBgNVBAoMB1NhbXN1bmcxEzARBgNVBAsMClRpemVu
-IFRlc3QxFTATBgNVBAMMDFRlc3QgUm9vdCBDQTEbMBkGCSqGSIb3DQEJARYMdHRA
-Z21haWwuY29tMB4XDTE0MDYxODA4MTA1OVoXDTE1MDYxODA4MTA1OVowejELMAkG
-A1UEBhMCS1IxDjAMBgNVBAgMBVNlb3VsMRAwDgYDVQQKDAdTYW1zdW5nMRMwEQYD
-VQQLDApUaXplbiBUZXN0MRcwFQYDVQQDDA5UZXN0IFNlY29uZCBDQTEbMBkGCSqG
-SIb3DQEJARYMdHRAZ21haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
-gQDLJrMAF/JzxIIrQzQ/3FGt7cGAUEYaEFSo+hcDKYRXaZC33/kkVANYFh+log9e
-MJUUlt0TBOg79tOnS/5MBwWaVLEOLalv0Uj2FfjEMpGd/xEF6Vv34mSTcWadMHyD
-wYwDZVwdFkrvOkA6WwgwS8XSrpbH/nkKUkKpk+YYljKEzQIDAQABo4HGMIHDMB0G
-A1UdDgQWBBSpSfNbE0V2NHn/V5f660v2cWwYgDAfBgNVHSMEGDAWgBRkHk9Lnhgv
-vOIwxHOma54FGt8SCDAMBgNVHRMEBTADAQH/MHMGCCsGAQUFBwEBBGcwZTAhBggr
-BgEFBQcwAYYVaHR0cDovLzEyNy4wLjAuMTo4ODg4MEAGCCsGAQUFBzAChjRodHRw
-Oi8vU1ZSU2VjdXJlLUczLWFpYS52ZXJpc2lnbi5jb20vU1ZSU2VjdXJlRzMuY2Vy
-MA0GCSqGSIb3DQEBBQUAA4GBAFonDQzs/Ts1sEDW3f5EmuKVZlpH9sLstSLJxZK8
-+v88Jbz451/Lf8hxvnMv3MwExXr9qPKPlvKRfj+bbLB5KTEcZ5zhDpJ7SDYesdUd
-RKOMSN0JIRL3JOCdYHOnJk6o+45vZ/TNv0lsiK90vxH2jo2EXnNG+jeyBGwp+3H6
-RWHw
------END CERTIFICATE-----
+++ /dev/null
-Certificate:
- Data:
- Version: 3 (0x2)
- Serial Number: 2 (0x2)
- Signature Algorithm: sha1WithRSAEncryption
- Issuer: C=KR, ST=Seoul, O=Samsung, OU=Tizen Test, CN=Test Second CA/emailAddress=tt@gmail.com
- Validity
- Not Before: Jun 18 08:11:04 2014 GMT
- Not After : Jun 18 08:11:04 2015 GMT
- Subject: C=KR, ST=Seoul, O=Samsung, OU=Tizen Test AIA, CN=Test Signer/emailAddress=tt@gmail.com
- Subject Public Key Info:
- Public Key Algorithm: rsaEncryption
- Public-Key: (1024 bit)
- Modulus:
- 00:b0:80:ac:3e:ff:bd:63:59:79:f1:e1:b2:cb:66:
- b4:cf:98:4f:8d:ac:37:c7:49:f6:71:f3:24:c6:61:
- e7:b0:33:33:fa:66:55:cc:f1:67:6e:c4:d8:aa:a6:
- a9:bb:1b:65:cd:d7:cd:86:11:7b:1d:a3:1c:1a:d3:
- d1:ed:31:51:aa:48:60:3f:04:26:a6:0f:56:7a:96:
- 21:ce:11:be:14:4c:1d:d1:38:9d:65:64:30:e4:c8:
- 9f:5a:81:93:9f:a1:9b:2d:fc:08:fc:f9:bc:15:df:
- 1d:e2:7b:ea:78:6b:6c:3f:f1:e4:ac:6a:5a:df:79:
- fd:a0:5f:a9:21:69:2b:09:3b
- Exponent: 65537 (0x10001)
- X509v3 extensions:
- X509v3 Basic Constraints:
- CA:FALSE
- Netscape Comment:
- OpenSSL Generated Certificate
- X509v3 Subject Key Identifier:
- 4B:D2:72:A2:35:48:F3:87:5F:CB:3E:F6:68:A8:BB:E7:55:F3:99:AA
- X509v3 Authority Key Identifier:
- keyid:A9:49:F3:5B:13:45:76:34:79:FF:57:97:FA:EB:4B:F6:71:6C:18:80
-
- Authority Information Access:
- OCSP - URI:http://127.0.0.1:8888
- CA Issuers - URI:http://SVRSecure-G3-aia.verisign.com/SVRSecureG3.cer
-
- Signature Algorithm: sha1WithRSAEncryption
- 01:3f:ec:ab:bb:df:f6:6a:e6:78:7a:48:d5:d3:75:91:83:95:
- 6a:fe:ba:a6:38:70:eb:b8:c3:55:6d:9e:07:e0:f0:4b:44:b4:
- a9:0b:ff:ce:19:a8:60:12:05:0a:7b:cf:41:70:1d:74:95:48:
- b9:e4:3e:58:30:4d:c3:a3:cf:48:fa:11:6e:82:fd:01:3c:66:
- 80:db:4d:62:2c:e8:4b:ff:4b:b4:69:59:b5:c8:9c:4d:b7:56:
- 23:5b:67:cc:2a:a9:c2:1e:08:e8:1f:38:74:c1:00:b5:a4:86:
- f9:bf:12:6b:60:29:f7:3d:b8:66:97:b5:ba:24:f0:c3:24:77:
- e6:5d
------BEGIN CERTIFICATE-----
-MIIDXTCCAsagAwIBAgIBAjANBgkqhkiG9w0BAQUFADB6MQswCQYDVQQGEwJLUjEO
-MAwGA1UECAwFU2VvdWwxEDAOBgNVBAoMB1NhbXN1bmcxEzARBgNVBAsMClRpemVu
-IFRlc3QxFzAVBgNVBAMMDlRlc3QgU2Vjb25kIENBMRswGQYJKoZIhvcNAQkBFgx0
-dEBnbWFpbC5jb20wHhcNMTQwNjE4MDgxMTA0WhcNMTUwNjE4MDgxMTA0WjB7MQsw
-CQYDVQQGEwJLUjEOMAwGA1UECAwFU2VvdWwxEDAOBgNVBAoMB1NhbXN1bmcxFzAV
-BgNVBAsMDlRpemVuIFRlc3QgQUlBMRQwEgYDVQQDDAtUZXN0IFNpZ25lcjEbMBkG
-CSqGSIb3DQEJARYMdHRAZ21haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
-iQKBgQCwgKw+/71jWXnx4bLLZrTPmE+NrDfHSfZx8yTGYeewMzP6ZlXM8WduxNiq
-pqm7G2XN182GEXsdoxwa09HtMVGqSGA/BCamD1Z6liHOEb4UTB3ROJ1lZDDkyJ9a
-gZOfoZst/Aj8+bwV3x3ie+p4a2w/8eSsalrfef2gX6khaSsJOwIDAQABo4HxMIHu
-MAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENl
-cnRpZmljYXRlMB0GA1UdDgQWBBRL0nKiNUjzh1/LPvZoqLvnVfOZqjAfBgNVHSME
-GDAWgBSpSfNbE0V2NHn/V5f660v2cWwYgDBzBggrBgEFBQcBAQRnMGUwIQYIKwYB
-BQUHMAGGFWh0dHA6Ly8xMjcuMC4wLjE6ODg4ODBABggrBgEFBQcwAoY0aHR0cDov
-L1NWUlNlY3VyZS1HMy1haWEudmVyaXNpZ24uY29tL1NWUlNlY3VyZUczLmNlcjAN
-BgkqhkiG9w0BAQUFAAOBgQABP+yru9/2auZ4ekjV03WRg5Vq/rqmOHDruMNVbZ4H
-4PBLRLSpC//OGahgEgUKe89BcB10lUi55D5YME3Do89I+hFugv0BPGaA201iLOhL
-/0u0aVm1yJxNt1YjW2fMKqnCHgjoHzh0wQC1pIb5vxJrYCn3Pbhml7W6JPDDJHfm
-XQ==
------END CERTIFICATE-----
+++ /dev/null
-Certificate:
- Data:
- Version: 3 (0x2)
- Serial Number: 3 (0x3)
- Signature Algorithm: sha1WithRSAEncryption
- Issuer: C=KR, ST=Seoul, O=Samsung, OU=Tizen Test, CN=Test Second CA/emailAddress=tt@gmail.com
- Validity
- Not Before: Jun 18 08:11:14 2014 GMT
- Not After : Jun 18 08:11:14 2015 GMT
- Subject: C=KR, ST=Seoul, O=Samsung, OU=Tizen Test REVOKED, CN=Test Signer/emailAddress=tt@gmail.com
- Subject Public Key Info:
- Public Key Algorithm: rsaEncryption
- Public-Key: (1024 bit)
- Modulus:
- 00:dc:f4:b7:27:44:70:33:76:f5:d7:cf:43:4a:c2:
- a8:0a:f0:f3:d0:df:02:dc:1c:1e:44:d4:be:d4:e3:
- 08:46:41:a3:b5:4f:3c:23:89:34:90:64:7b:cc:52:
- 15:93:07:4f:98:53:9d:db:cf:fd:8f:0a:70:ce:22:
- c3:ff:02:4b:df:94:41:49:02:e8:a7:d7:4b:c8:1e:
- 53:8b:82:9e:75:e2:db:ce:1e:33:34:4d:00:ac:3d:
- 3c:06:86:c1:dd:27:39:e1:4b:01:56:04:2e:bb:ff:
- 0f:ec:ed:57:bc:50:b6:ed:25:fe:0c:84:8c:22:59:
- 38:f9:84:54:83:94:af:aa:97
- Exponent: 65537 (0x10001)
- X509v3 extensions:
- X509v3 Basic Constraints:
- CA:FALSE
- Netscape Comment:
- OpenSSL Generated Certificate
- X509v3 Subject Key Identifier:
- FE:35:D9:5C:69:D8:F6:D2:BA:37:31:35:93:33:91:81:B4:21:EB:E9
- X509v3 Authority Key Identifier:
- keyid:A9:49:F3:5B:13:45:76:34:79:FF:57:97:FA:EB:4B:F6:71:6C:18:80
-
- Authority Information Access:
- OCSP - URI:http://127.0.0.1:8888
- CA Issuers - URI:http://SVRSecure-G3-aia.verisign.com/SVRSecureG3.cer
-
- Signature Algorithm: sha1WithRSAEncryption
- a8:6a:83:c1:9b:b2:6b:0f:b0:0e:09:a3:02:bf:e1:ab:19:bb:
- 34:a9:24:ce:c9:f5:e1:a9:ba:20:ad:05:31:ec:f6:cc:47:f9:
- f0:5e:3c:70:f1:01:6e:ac:6a:a5:05:2b:40:c5:20:34:e4:b6:
- 3b:40:f9:c3:5f:0e:b7:0b:04:96:b1:be:25:e0:33:c3:64:63:
- 59:83:73:4b:df:0c:ab:83:d1:00:9b:44:c3:93:55:f4:0d:8b:
- fd:f9:55:59:b2:c0:13:7a:ed:b7:f1:4e:57:9f:1b:c5:3f:bd:
- bf:4d:f9:5b:50:55:98:19:c0:06:24:65:10:48:4d:ad:75:bb:
- 57:a6
------BEGIN CERTIFICATE-----
-MIIDYTCCAsqgAwIBAgIBAzANBgkqhkiG9w0BAQUFADB6MQswCQYDVQQGEwJLUjEO
-MAwGA1UECAwFU2VvdWwxEDAOBgNVBAoMB1NhbXN1bmcxEzARBgNVBAsMClRpemVu
-IFRlc3QxFzAVBgNVBAMMDlRlc3QgU2Vjb25kIENBMRswGQYJKoZIhvcNAQkBFgx0
-dEBnbWFpbC5jb20wHhcNMTQwNjE4MDgxMTE0WhcNMTUwNjE4MDgxMTE0WjB/MQsw
-CQYDVQQGEwJLUjEOMAwGA1UECAwFU2VvdWwxEDAOBgNVBAoMB1NhbXN1bmcxGzAZ
-BgNVBAsMElRpemVuIFRlc3QgUkVWT0tFRDEUMBIGA1UEAwwLVGVzdCBTaWduZXIx
-GzAZBgkqhkiG9w0BCQEWDHR0QGdtYWlsLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOB
-jQAwgYkCgYEA3PS3J0RwM3b1189DSsKoCvDz0N8C3BweRNS+1OMIRkGjtU88I4k0
-kGR7zFIVkwdPmFOd28/9jwpwziLD/wJL35RBSQLop9dLyB5Ti4KedeLbzh4zNE0A
-rD08BobB3Sc54UsBVgQuu/8P7O1XvFC27SX+DISMIlk4+YRUg5SvqpcCAwEAAaOB
-8TCB7jAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRl
-ZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQU/jXZXGnY9tK6NzE1kzORgbQh6+kwHwYD
-VR0jBBgwFoAUqUnzWxNFdjR5/1eX+utL9nFsGIAwcwYIKwYBBQUHAQEEZzBlMCEG
-CCsGAQUFBzABhhVodHRwOi8vMTI3LjAuMC4xOjg4ODgwQAYIKwYBBQUHMAKGNGh0
-dHA6Ly9TVlJTZWN1cmUtRzMtYWlhLnZlcmlzaWduLmNvbS9TVlJTZWN1cmVHMy5j
-ZXIwDQYJKoZIhvcNAQEFBQADgYEAqGqDwZuyaw+wDgmjAr/hqxm7NKkkzsn14am6
-IK0FMez2zEf58F48cPEBbqxqpQUrQMUgNOS2O0D5w18OtwsElrG+JeAzw2RjWYNz
-S98Mq4PRAJtEw5NV9A2L/flVWbLAE3rtt/FOV58bxT+9v035W1BVmBnABiRlEEhN
-rXW7V6Y=
------END CERTIFICATE-----
+++ /dev/null
-Certificate:
- Data:
- Version: 3 (0x2)
- Serial Number: 4 (0x4)
- Signature Algorithm: sha1WithRSAEncryption
- Issuer: C=KR, ST=Seoul, O=Samsung, OU=Tizen Test, CN=Test Second CA/emailAddress=tt@gmail.com
- Validity
- Not Before: Jun 18 08:11:29 2014 GMT
- Not After : Jun 18 08:11:29 2015 GMT
- Subject: C=KR, ST=Seoul, O=Samsung, OU=Tizen Test NO AIA, CN=Test Signer/emailAddress=tt@gmail.com
- Subject Public Key Info:
- Public Key Algorithm: rsaEncryption
- Public-Key: (1024 bit)
- Modulus:
- 00:c9:92:88:32:45:4e:93:f6:be:6d:39:97:e7:a0:
- d1:93:1a:13:df:48:14:1b:e6:a8:85:ca:52:40:7f:
- 37:86:ba:05:37:4e:ed:c1:b1:c9:1f:0f:d1:c9:d4:
- 65:ee:db:2f:85:31:5a:04:7c:2d:d2:be:32:6d:a0:
- d9:3e:17:49:29:f8:ec:be:a4:a6:2b:e6:ee:02:0c:
- 20:39:0b:12:1c:7f:ac:bc:f8:a7:46:96:9c:0a:71:
- 5e:dd:6d:88:cd:af:a1:41:52:86:c2:60:da:af:5f:
- dc:44:a3:db:18:f9:fb:fd:9a:af:d1:1d:14:22:d0:
- cd:03:af:d5:aa:db:c1:ed:0d
- Exponent: 65537 (0x10001)
- X509v3 extensions:
- X509v3 Basic Constraints:
- CA:FALSE
- Netscape Comment:
- OpenSSL Generated Certificate
- X509v3 Subject Key Identifier:
- EC:0E:07:A6:63:F0:9C:4C:80:6E:25:56:70:93:B5:54:68:77:97:FC
- X509v3 Authority Key Identifier:
- keyid:A9:49:F3:5B:13:45:76:34:79:FF:57:97:FA:EB:4B:F6:71:6C:18:80
-
- Signature Algorithm: sha1WithRSAEncryption
- c3:6a:ad:09:16:63:c5:4a:f5:84:75:25:79:c0:1d:4e:1d:cc:
- 15:df:e6:d9:46:6e:3b:0d:93:07:49:7d:ee:fa:4d:c6:39:03:
- 05:62:cf:3e:4f:a7:2b:03:9c:6c:dd:76:f4:92:ea:03:c4:e6:
- b3:b6:1d:4b:15:ea:ad:b6:11:a9:29:79:03:7d:a9:eb:6c:97:
- 4b:f8:cf:9f:0e:e3:29:50:c2:c5:5b:ec:f8:d0:dd:7d:0c:6b:
- 75:10:dc:08:0f:f2:38:6d:a6:e1:83:81:46:e6:8c:fe:3d:17:
- e6:84:d3:a9:bd:d9:ad:d5:ba:b4:e4:86:57:46:6f:81:89:5e:
- fe:bd
------BEGIN CERTIFICATE-----
-MIIC6TCCAlKgAwIBAgIBBDANBgkqhkiG9w0BAQUFADB6MQswCQYDVQQGEwJLUjEO
-MAwGA1UECAwFU2VvdWwxEDAOBgNVBAoMB1NhbXN1bmcxEzARBgNVBAsMClRpemVu
-IFRlc3QxFzAVBgNVBAMMDlRlc3QgU2Vjb25kIENBMRswGQYJKoZIhvcNAQkBFgx0
-dEBnbWFpbC5jb20wHhcNMTQwNjE4MDgxMTI5WhcNMTUwNjE4MDgxMTI5WjB+MQsw
-CQYDVQQGEwJLUjEOMAwGA1UECAwFU2VvdWwxEDAOBgNVBAoMB1NhbXN1bmcxGjAY
-BgNVBAsMEVRpemVuIFRlc3QgTk8gQUlBMRQwEgYDVQQDDAtUZXN0IFNpZ25lcjEb
-MBkGCSqGSIb3DQEJARYMdHRAZ21haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GN
-ADCBiQKBgQDJkogyRU6T9r5tOZfnoNGTGhPfSBQb5qiFylJAfzeGugU3Tu3Bsckf
-D9HJ1GXu2y+FMVoEfC3SvjJtoNk+F0kp+Oy+pKYr5u4CDCA5CxIcf6y8+KdGlpwK
-cV7dbYjNr6FBUobCYNqvX9xEo9sY+fv9mq/RHRQi0M0Dr9Wq28HtDQIDAQABo3sw
-eTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBD
-ZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQU7A4HpmPwnEyAbiVWcJO1VGh3l/wwHwYDVR0j
-BBgwFoAUqUnzWxNFdjR5/1eX+utL9nFsGIAwDQYJKoZIhvcNAQEFBQADgYEAw2qt
-CRZjxUr1hHUlecAdTh3MFd/m2UZuOw2TB0l97vpNxjkDBWLPPk+nKwOcbN129JLq
-A8Tms7YdSxXqrbYRqSl5A32p62yXS/jPnw7jKVDCxVvs+NDdfQxrdRDcCA/yOG2m
-4YOBRuaM/j0X5oTTqb3ZrdW6tOSGV0ZvgYle/r0=
------END CERTIFICATE-----
+++ /dev/null
-Certificate:
- Data:
- Version: 3 (0x2)
- Serial Number: 5 (0x5)
- Signature Algorithm: sha1WithRSAEncryption
- Issuer: C=KR, ST=Seoul, O=Samsung, OU=Tizen Test, CN=Test Second CA/emailAddress=tt@gmail.com
- Validity
- Not Before: Jun 18 08:11:46 2014 GMT
- Not After : Jun 18 08:11:46 2015 GMT
- Subject: C=KR, ST=Seoul, O=Samsung, OU=Tizen Test OCSP Response Signer, CN=OCSP Response Signer/emailAddress=tt@gmail.com
- Subject Public Key Info:
- Public Key Algorithm: rsaEncryption
- Public-Key: (1024 bit)
- Modulus:
- 00:cb:b2:52:c6:6d:75:32:a3:41:e5:7a:3c:21:a0:
- fd:e5:9d:d5:42:fe:3b:7d:e7:7d:8f:6d:b6:75:22:
- 39:51:9f:ba:2b:f2:ff:aa:9b:bc:4e:11:cc:42:1f:
- 84:04:4d:8f:fa:a1:86:e0:80:54:8b:84:6e:58:b9:
- 5c:f2:e2:99:3f:d4:e5:cd:d0:27:a3:f9:23:52:d1:
- d3:9d:59:ce:a3:db:2e:ce:6d:1d:6d:1b:a2:28:8c:
- 52:c2:c1:57:30:41:0c:c1:b9:3a:66:75:e5:da:2a:
- 41:cc:27:98:8b:03:f3:e6:a1:3e:ec:24:83:45:84:
- 47:21:54:25:53:33:3b:6d:01
- Exponent: 65537 (0x10001)
- X509v3 extensions:
- X509v3 Basic Constraints:
- CA:FALSE
- X509v3 Key Usage:
- Digital Signature, Non Repudiation, Key Encipherment
- X509v3 Extended Key Usage:
- OCSP Signing
- Netscape Comment:
- OpenSSL Generated Certificate
- X509v3 Subject Key Identifier:
- BD:88:26:A9:60:B7:BB:51:73:06:06:4B:72:52:F6:44:50:3B:EE:90
- X509v3 Authority Key Identifier:
- keyid:A9:49:F3:5B:13:45:76:34:79:FF:57:97:FA:EB:4B:F6:71:6C:18:80
-
- Signature Algorithm: sha1WithRSAEncryption
- 33:1f:11:ca:e8:01:2a:92:df:5c:07:98:f3:0c:5e:61:a8:6c:
- 58:47:6e:24:d1:01:da:ea:7c:40:2d:e8:89:38:e4:5a:12:cd:
- 3f:e0:24:bd:bb:79:f0:0f:8f:6f:72:21:d5:a2:18:89:24:f8:
- 61:98:ed:66:59:64:4d:da:9b:6f:20:0b:6e:a4:7f:b0:0b:f1:
- ae:70:3a:54:0b:06:53:58:a0:28:22:67:78:4b:88:97:43:8d:
- 1c:58:d3:9b:77:49:6c:66:ed:46:01:e5:4f:6f:96:5a:e0:f8:
- 90:8c:6b:7d:cc:c6:45:6c:60:cf:2e:b0:c7:85:fe:21:41:67:
- e5:48
------BEGIN CERTIFICATE-----
-MIIDJTCCAo6gAwIBAgIBBTANBgkqhkiG9w0BAQUFADB6MQswCQYDVQQGEwJLUjEO
-MAwGA1UECAwFU2VvdWwxEDAOBgNVBAoMB1NhbXN1bmcxEzARBgNVBAsMClRpemVu
-IFRlc3QxFzAVBgNVBAMMDlRlc3QgU2Vjb25kIENBMRswGQYJKoZIhvcNAQkBFgx0
-dEBnbWFpbC5jb20wHhcNMTQwNjE4MDgxMTQ2WhcNMTUwNjE4MDgxMTQ2WjCBlTEL
-MAkGA1UEBhMCS1IxDjAMBgNVBAgMBVNlb3VsMRAwDgYDVQQKDAdTYW1zdW5nMSgw
-JgYDVQQLDB9UaXplbiBUZXN0IE9DU1AgUmVzcG9uc2UgU2lnbmVyMR0wGwYDVQQD
-DBRPQ1NQIFJlc3BvbnNlIFNpZ25lcjEbMBkGCSqGSIb3DQEJARYMdHRAZ21haWwu
-Y29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDLslLGbXUyo0HlejwhoP3l
-ndVC/jt9532PbbZ1IjlRn7or8v+qm7xOEcxCH4QETY/6oYbggFSLhG5YuVzy4pk/
-1OXN0Cej+SNS0dOdWc6j2y7ObR1tG6IojFLCwVcwQQzBuTpmdeXaKkHMJ5iLA/Pm
-oT7sJINFhEchVCVTMzttAQIDAQABo4GeMIGbMAkGA1UdEwQCMAAwCwYDVR0PBAQD
-AgXgMBMGA1UdJQQMMAoGCCsGAQUFBwMJMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NM
-IEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUvYgmqWC3u1FzBgZLclL2
-RFA77pAwHwYDVR0jBBgwFoAUqUnzWxNFdjR5/1eX+utL9nFsGIAwDQYJKoZIhvcN
-AQEFBQADgYEAMx8RyugBKpLfXAeY8wxeYahsWEduJNEB2up8QC3oiTjkWhLNP+Ak
-vbt58A+Pb3Ih1aIYiST4YZjtZllkTdqbbyALbqR/sAvxrnA6VAsGU1igKCJneEuI
-l0ONHFjTm3dJbGbtRgHlT2+WWuD4kIxrfczGRWxgzy6wx4X+IUFn5Ug=
------END CERTIFICATE-----
+++ /dev/null
-#
-# OpenSSL example configuration file.
-# This is mostly being used for generation of certificate requests.
-#
-
-# This definition stops the following lines choking if HOME isn't
-# defined.
-HOME = .
-RANDFILE = $ENV::HOME/.rnd
-
-# Extra OBJECT IDENTIFIER info:
-#oid_file = $ENV::HOME/.oid
-oid_section = new_oids
-
-# To use this configuration file with the "-extfile" option of the
-# "openssl x509" utility, name here the section containing the
-# X.509v3 extensions to use:
-# extensions =
-# (Alternatively, use a configuration file that has only
-# X.509v3 extensions in its main [= default] section.)
-
-[ new_oids ]
-
-# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
-# Add a simple OID like this:
-# testoid1=1.2.3.4
-# Or use config file substitution like this:
-# testoid2=${testoid1}.5.6
-
-# Policies used by the TSA examples.
-tsa_policy1 = 1.2.3.4.1
-tsa_policy2 = 1.2.3.4.5.6
-tsa_policy3 = 1.2.3.4.5.7
-
-####################################################################
-[ ca ]
-default_ca = CA_default # The default ca section
-
-####################################################################
-[ CA_default ]
-
-dir = ./demoCA # Where everything is kept
-certs = $dir/certs # Where the issued certs are kept
-crl_dir = $dir/crl # Where the issued crl are kept
-database = $dir/index.txt # database index file.
-#unique_subject = no # Set to 'no' to allow creation of
- # several ctificates with same subject.
-new_certs_dir = $dir/newcerts # default place for new certs.
-
-certificate = $dir/cacert.pem # The CA certificate
-serial = $dir/serial # The current serial number
-crlnumber = $dir/crlnumber # the current crl number
- # must be commented out to leave a V1 CRL
-crl = $dir/crl.pem # The current CRL
-private_key = $dir/private/cakey.pem# The private key
-RANDFILE = $dir/private/.rand # private random number file
-
-x509_extensions = usr_cert # The extentions to add to the cert
-
-# Comment out the following two lines for the "traditional"
-# (and highly broken) format.
-name_opt = ca_default # Subject Name options
-cert_opt = ca_default # Certificate field options
-
-# Extension copying option: use with caution.
-# copy_extensions = copy
-
-# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
-# so this is commented out by default to leave a V1 CRL.
-# crlnumber must also be commented out to leave a V1 CRL.
-# crl_extensions = crl_ext
-
-default_days = 365 # how long to certify for
-default_crl_days= 30 # how long before next CRL
-default_md = default # use public key default MD
-preserve = no # keep passed DN ordering
-
-# A few difference way of specifying how similar the request should look
-# For type CA, the listed attributes must be the same, and the optional
-# and supplied fields are just that :-)
-policy = policy_match
-
-# For the CA policy
-[ policy_match ]
-countryName = match
-stateOrProvinceName = match
-organizationName = match
-organizationalUnitName = optional
-commonName = supplied
-emailAddress = optional
-
-# For the 'anything' policy
-# At this point in time, you must list all acceptable 'object'
-# types.
-[ policy_anything ]
-countryName = optional
-stateOrProvinceName = optional
-localityName = optional
-organizationName = optional
-organizationalUnitName = optional
-commonName = supplied
-emailAddress = optional
-
-####################################################################
-[ req ]
-default_bits = 1024
-default_keyfile = privkey.pem
-distinguished_name = req_distinguished_name
-attributes = req_attributes
-x509_extensions = v3_ca # The extentions to add to the self signed cert
-
-# Passwords for private keys if not present they will be prompted for
-# input_password = secret
-# output_password = secret
-
-# This sets a mask for permitted string types. There are several options.
-# default: PrintableString, T61String, BMPString.
-# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
-# utf8only: only UTF8Strings (PKIX recommendation after 2004).
-# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
-# MASK:XXXX a literal mask value.
-# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
-string_mask = utf8only
-
-# req_extensions = v3_req # The extensions to add to a certificate request
-
-[ no_ext ]
-# no contents hear
-
-[ req_distinguished_name ]
-countryName = Country Name (2 letter code)
-countryName_default = AU
-countryName_min = 2
-countryName_max = 2
-
-stateOrProvinceName = State or Province Name (full name)
-stateOrProvinceName_default = Some-State
-
-localityName = Locality Name (eg, city)
-
-0.organizationName = Organization Name (eg, company)
-0.organizationName_default = Internet Widgits Pty Ltd
-
-# we can do this but it is not needed normally :-)
-#1.organizationName = Second Organization Name (eg, company)
-#1.organizationName_default = World Wide Web Pty Ltd
-
-organizationalUnitName = Organizational Unit Name (eg, section)
-#organizationalUnitName_default =
-
-commonName = Common Name (e.g. server FQDN or YOUR name)
-commonName_max = 64
-
-emailAddress = Email Address
-emailAddress_max = 64
-
-# SET-ex3 = SET extension number 3
-
-[ req_attributes ]
-challengePassword = A challenge password
-challengePassword_min = 4
-challengePassword_max = 20
-
-unstructuredName = An optional company name
-
-[ usr_cert ]
-
-# These extensions are added when 'ca' signs a request.
-
-# This goes against PKIX guidelines but some CAs do it and some software
-# requires this to avoid interpreting an end user certificate as a CA.
-
-basicConstraints=CA:FALSE
-
-# Here are some examples of the usage of nsCertType. If it is omitted
-# the certificate can be used for anything *except* object signing.
-
-# This is OK for an SSL server.
-# nsCertType = server
-
-# For an object signing certificate this would be used.
-# nsCertType = objsign
-
-# For normal client use this is typical
-# nsCertType = client, email
-
-# and for everything including object signing:
-# nsCertType = client, email, objsign
-
-# This is typical in keyUsage for a client certificate.
-# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-
-# This will be displayed in Netscape's comment listbox.
-nsComment = "OpenSSL Generated Certificate"
-
-# PKIX recommendations harmless if included in all certificates.
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer
-
-# This stuff is for subjectAltName and issuerAltname.
-# Import the email address.
-# subjectAltName=email:copy
-# An alternative to produce certificates that aren't
-# deprecated according to PKIX.
-# subjectAltName=email:move
-
-# Copy subject details
-# issuerAltName=issuer:copy
-
-#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
-#nsBaseUrl
-#nsRevocationUrl
-#nsRenewalUrl
-#nsCaPolicyUrl
-#nsSslServerName
-
-# This is required for TSA certificates.
-# extendedKeyUsage = critical,timeStamping
-
-# AIA
-authorityInfoAccess = OCSP;URI:http://127.0.0.1:8888,caIssuers;URI:http://SVRSecure-G3-aia.verisign.com/SVRSecureG3.cer
-
-[ usr_cert_noaia ]
-
-# These extensions are added when 'ca' signs a request.
-
-# This goes against PKIX guidelines but some CAs do it and some software
-# requires this to avoid interpreting an end user certificate as a CA.
-
-basicConstraints=CA:FALSE
-
-# Here are some examples of the usage of nsCertType. If it is omitted
-# the certificate can be used for anything *except* object signing.
-
-# This is OK for an SSL server.
-# nsCertType = server
-
-# For an object signing certificate this would be used.
-# nsCertType = objsign
-
-# For normal client use this is typical
-# nsCertType = client, email
-
-# and for everything including object signing:
-# nsCertType = client, email, objsign
-
-# This is typical in keyUsage for a client certificate.
-# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-
-# This will be displayed in Netscape's comment listbox.
-nsComment = "OpenSSL Generated Certificate"
-
-# PKIX recommendations harmless if included in all certificates.
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer
-
-# This stuff is for subjectAltName and issuerAltname.
-# Import the email address.
-# subjectAltName=email:copy
-# An alternative to produce certificates that aren't
-# deprecated according to PKIX.
-# subjectAltName=email:move
-
-# Copy subject details
-# issuerAltName=issuer:copy
-
-#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
-#nsBaseUrl
-#nsRevocationUrl
-#nsRenewalUrl
-#nsCaPolicyUrl
-#nsSslServerName
-
-
-[ v3_req ]
-
-# Extensions to add to a certificate request
-
-basicConstraints = CA:FALSE
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-
-[ v3_ca ]
-# Extensions for a typical CA
-
-# PKIX recommendation.
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always,issuer
-
-# This is what PKIX recommends but some broken software chokes on critical
-# extensions.
-#basicConstraints = critical,CA:true
-# So we do this instead.
-basicConstraints = CA:true
-
-# Key usage: this is typical for a CA certificate. However since it will
-# prevent it being used as an test self-signed certificate it is best
-# left out by default.
-# keyUsage = cRLSign, keyCertSign
-
-# Some might want this also
-# nsCertType = sslCA, emailCA
-
-# Include email address in subject alt name: another PKIX recommendation
-# subjectAltName=email:copy
-# Copy issuer details
-# issuerAltName=issuer:copy
-
-# DER hex encoding of an extension: beware experts only!
-# obj=DER:02:03
-# Where 'obj' is a standard or added object
-# You can even override a supported extension:
-# basicConstraints= critical, DER:30:03:01:01:FF
-
-# AIA(Authority Information Access)
-#authorityInfoAccess = OCSP;URI:http://ocsp.verisign.com
-#authorityInfoAccess = caIssuers;URI:http://SVRSecure-G3-aia.verisign.com/SVRSecureG3.cer
-authorityInfoAccess = OCSP;URI:http://127.0.0.1:8888,caIssuers;URI:http://SVRSecure-G3-aia.verisign.com/SVRSecureG3.cer
-
-
-[ v3_ca_noaia ]
-# Extensions for a typical CA
-
-# PKIX recommendation.
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always,issuer
-
-# This is what PKIX recommends but some broken software chokes on critical
-# extensions.
-#basicConstraints = critical,CA:true
-# So we do this instead.
-basicConstraints = CA:true
-
-# Key usage: this is typical for a CA certificate. However since it will
-# prevent it being used as an test self-signed certificate it is best
-# left out by default.
-# keyUsage = cRLSign, keyCertSign
-
-# Some might want this also
-# nsCertType = sslCA, emailCA
-
-# Include email address in subject alt name: another PKIX recommendation
-# subjectAltName=email:copy
-# Copy issuer details
-# issuerAltName=issuer:copy
-
-# DER hex encoding of an extension: beware experts only!
-# obj=DER:02:03
-# Where 'obj' is a standard or added object
-# You can even override a supported extension:
-# basicConstraints= critical, DER:30:03:01:01:FF
-
-# AIA(Authority Information Access)
-#authorityInfoAccess = OCSP;URI:http://ocsp.verisign.com
-#authorityInfoAccess = caIssuers;URI:http://SVRSecure-G3-aia.verisign.com/SVRSecureG3.cer
-
-
-# CRL extensions.
-[ crl_ext ]
-
-# CRL extensions.
-# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
-
-# issuerAltName=issuer:copy
-authorityKeyIdentifier=keyid:always
-
-[ proxy_cert_ext ]
-# These extensions should be added when creating a proxy certificate
-
-# This goes against PKIX guidelines but some CAs do it and some software
-# requires this to avoid interpreting an end user certificate as a CA.
-
-basicConstraints=CA:FALSE
-
-# Here are some examples of the usage of nsCertType. If it is omitted
-# the certificate can be used for anything *except* object signing.
-
-# This is OK for an SSL server.
-# nsCertType = server
-
-# For an object signing certificate this would be used.
-# nsCertType = objsign
-
-# For normal client use this is typical
-# nsCertType = client, email
-
-# and for everything including object signing:
-# nsCertType = client, email, objsign
-
-# This is typical in keyUsage for a client certificate.
-# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-
-# This will be displayed in Netscape's comment listbox.
-nsComment = "OpenSSL Generated Certificate"
-
-# PKIX recommendations harmless if included in all certificates.
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer
-
-# This stuff is for subjectAltName and issuerAltname.
-# Import the email address.
-# subjectAltName=email:copy
-# An alternative to produce certificates that aren't
-# deprecated according to PKIX.
-# subjectAltName=email:move
-
-# Copy subject details
-# issuerAltName=issuer:copy
-
-#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
-#nsBaseUrl
-#nsRevocationUrl
-#nsRenewalUrl
-#nsCaPolicyUrl
-#nsSslServerName
-
-# This really needs to be in place for it to be a proxy certificate.
-proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
-
-####################################################################
-[ tsa ]
-
-default_tsa = tsa_config1 # the default TSA section
-
-[ tsa_config1 ]
-
-# These are used by the TSA reply generation only.
-dir = ./demoCA # TSA root directory
-serial = $dir/tsaserial # The current serial number (mandatory)
-crypto_device = builtin # OpenSSL engine to use for signing
-signer_cert = $dir/tsacert.pem # The TSA signing certificate
- # (optional)
-certs = $dir/cacert.pem # Certificate chain to include in reply
- # (optional)
-signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
-
-default_policy = tsa_policy1 # Policy if request did not specify it
- # (optional)
-other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
-digests = md5, sha1 # Acceptable message digests (mandatory)
-accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
-clock_precision_digits = 0 # number of digits after dot. (optional)
-ordering = yes # Is ordering defined for timestamps?
- # (optional, default: no)
-tsa_name = yes # Must the TSA name be included in the reply?
- # (optional, default: no)
-ess_cert_id_chain = no # Must the ESS cert id chain be included?
- # (optional, default: no)
-
-###########################################################################33
-[ v3_ocsp ]
-basicConstraints=CA:FALSE
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-extendedKeyUsage = OCSPSigning
-
-nsComment = "OpenSSL Generated Certificate"
-
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer
-
+++ /dev/null
------BEGIN RSA PRIVATE KEY-----
-MIICXQIBAAKBgQDLJrMAF/JzxIIrQzQ/3FGt7cGAUEYaEFSo+hcDKYRXaZC33/kk
-VANYFh+log9eMJUUlt0TBOg79tOnS/5MBwWaVLEOLalv0Uj2FfjEMpGd/xEF6Vv3
-4mSTcWadMHyDwYwDZVwdFkrvOkA6WwgwS8XSrpbH/nkKUkKpk+YYljKEzQIDAQAB
-AoGBAKzIUV42/+Mus3eQRRQ7kszXdshnffgVA6xkaMYrvX+LLab2O7SGMAHvbyM0
-3tVBhMpqNcVDWzIFEKctny+SmVPRr1SWmweLCs32Q3qgH/MPIHJ4rCFRBQACQLET
-aXiv1pF5HchwfA94S5qmwEDYBSBoGfm/0gP4FSEAWf8UgccRAkEA60uR5Mqokm/w
-8ev+XN+7nKiLkl2G98BCX+LxCDVvGfatLY9wEUs7MyPE4SUj3nkpSJ0IvMT+QVzn
-aqM9aIGgWwJBAN0HB5n64EaSNq653D/LQigegkVdOfH6yMb/kdTJwNJavuEJYoh1
-oH9tWe1ajcaloWtwbwWvsbUvM2StdzqL9/cCQHY6OIp/kghSmvzUGbFM8hYbUlYv
-DHw8bJ2FiJsZTkP7gLTd1++4n3xowqpmYQmOU8IataM0UJVDOzyH3Xk/ePUCQGV6
-9siB4TtFoomymCdKIYPeDh3e4d3yMQD9Em3KfBeYxo74Ch9xMlGPWXya2QFdxrFX
-nAHWWxc/Jq+Q3W8qGJ0CQQCOsjHigGpEKvhH0D4UFRyZ7MtqEsQqG6g2QuWxUcwH
-MbC8QKgM7psAQxR55aXOeIdOKA3sxURBNuLI0HP4wQap
------END RSA PRIVATE KEY-----
+++ /dev/null
------BEGIN CERTIFICATE-----
-MIICpzCCAhCgAwIBAgIBADANBgkqhkiG9w0BAQUFADBbMQswCQYDVQQGEwJDUjEM
-MAoGA1UECBMDU1RSMQswCQYDVQQKEwJPUjEMMAoGA1UECxMDT1VSMQwwCgYDVQQD
-EwNDTlIxFTATBgkqhkiG9w0BCQEWBkVtYWlsUjAeFw0wNzEyMTkwNTE5MjBaFw0x
-MDEyMTgwNTE5MjBaMFsxCzAJBgNVBAYTAkNSMQwwCgYDVQQIEwNTVFIxCzAJBgNV
-BAoTAk9SMQwwCgYDVQQLEwNPVVIxDDAKBgNVBAMTA0NOUjEVMBMGCSqGSIb3DQEJ
-ARYGRW1haWxSMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDG2dhVCOuBD2i4
-mjWLU8vkQpRVylojbSzxvO3uynaOZAnhqLxu2F2ugR1NLJOlrgbjq13xCO4FjKZj
-eb4kln5HJl7GLCNz8ns2+kAtwiVfpZnQ8U6Y/1BLiB7sLH+ONB4g6Rm9cgST1e6H
-e/EJMkzU75+wkj94ORZ4TINDU4kU4QIDAQABo3sweTAJBgNVHRMEAjAAMCwGCWCG
-SAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4E
-FgQUX0cbXBYMGt9k4/HRapEA9XUlKk4wHwYDVR0jBBgwFoAUX0cbXBYMGt9k4/HR
-apEA9XUlKk4wDQYJKoZIhvcNAQEFBQADgYEAXyKHjF6k0yNY/og30g1+SsNxYNqC
-yzGEbCywXELFakhQ1qmx12VY6qkeo+khyuiRfp9cDx8sSQ2asypIYeO9ctRNmp4D
-lC8YNI7BdY/g4Xq7uy4BKeng8Mv8VNAtdBaKreJqSk5RvQmepXRiTJgo2DzGlCU5
-3aU1rQ6vF96wFt4=
------END CERTIFICATE-----
+++ /dev/null
------BEGIN CERTIFICATE-----
-MIIE3jCCA8agAwIBAgICAwEwDQYJKoZIhvcNAQEFBQAwYzELMAkGA1UEBhMCVVMx
-ITAfBgNVBAoTGFRoZSBHbyBEYWRkeSBHcm91cCwgSW5jLjExMC8GA1UECxMoR28g
-RGFkZHkgQ2xhc3MgMiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wNjExMTYw
-MTU0MzdaFw0yNjExMTYwMTU0MzdaMIHKMQswCQYDVQQGEwJVUzEQMA4GA1UECBMH
-QXJpem9uYTETMBEGA1UEBxMKU2NvdHRzZGFsZTEaMBgGA1UEChMRR29EYWRkeS5j
-b20sIEluYy4xMzAxBgNVBAsTKmh0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5j
-b20vcmVwb3NpdG9yeTEwMC4GA1UEAxMnR28gRGFkZHkgU2VjdXJlIENlcnRpZmlj
-YXRpb24gQXV0aG9yaXR5MREwDwYDVQQFEwgwNzk2OTI4NzCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAMQt1RWMnCZM7DI161+4WQFapmGBWTtwY6vj3D3H
-KrjJM9N55DrtPDAjhI6zMBS2sofDPZVUBJ7fmd0LJR4h3mUpfjWoqVTr9vcyOdQm
-VZWt7/v+WIbXnvQAjYwqDL1CBM6nPwT27oDyqu9SoWlm2r4arV3aLGbqGmu75RpR
-SgAvSMeYddi5Kcju+GZtCpyz8/x4fKL4o/K1w/O5epHBp+YlLpyo7RJlbmr2EkRT
-cDCVw5wrWCs9CHRK8r5RsL+H0EwnWGu1NcWdrxcx+AuP7q2BNgWJCJjPOq8lh8BJ
-6qf9Z/dFjpfMFDniNoW1fho3/Rb2cRGadDAW/hOUoz+EDU8CAwEAAaOCATIwggEu
-MB0GA1UdDgQWBBT9rGEyk2xF1uLuhV+auud2mWjM5zAfBgNVHSMEGDAWgBTSxLDS
-kdRMEXGzYcs9of7dqGrU4zASBgNVHRMBAf8ECDAGAQH/AgEAMDMGCCsGAQUFBwEB
-BCcwJTAjBggrBgEFBQcwAYYXaHR0cDovL29jc3AuZ29kYWRkeS5jb20wRgYDVR0f
-BD8wPTA7oDmgN4Y1aHR0cDovL2NlcnRpZmljYXRlcy5nb2RhZGR5LmNvbS9yZXBv
-c2l0b3J5L2dkcm9vdC5jcmwwSwYDVR0gBEQwQjBABgRVHSAAMDgwNgYIKwYBBQUH
-AgEWKmh0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5jb20vcmVwb3NpdG9yeTAO
-BgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQEFBQADggEBANKGwOy9+aG2Z+5mC6IG
-OgRQjhVyrEp0lVPLN8tESe8HkGsz2ZbwlFalEzAFPIUyIXvJxwqoJKSQ3kbTJSMU
-A2fCENZvD117esyfxVgqwcSeIaha86ykRvOe5GPLL5CkKSkB2XIsKd83ASe8T+5o
-0yGPwLPk9Qnt0hCqU7S+8MxZC9Y7lhyVJEnfzuz9p0iRFEUOOjZv2kWzRaJBydTX
-RE4+uXR21aITVSzGh6O1mawGhId/dQb8vxRMDsxuxN89txJx9OjxUUAiKEngHUuH
-qDTMBqLdElrRhjZkAzVvb3du6/KFUJheqwNTrZEjYx8WnM25sgVjOuH0aBsXBTWV
-U+4=
------END CERTIFICATE-----
+++ /dev/null
------BEGIN CERTIFICATE-----
-MIIE+zCCBGSgAwIBAgICAQ0wDQYJKoZIhvcNAQEFBQAwgbsxJDAiBgNVBAcTG1Zh
-bGlDZXJ0IFZhbGlkYXRpb24gTmV0d29yazEXMBUGA1UEChMOVmFsaUNlcnQsIElu
-Yy4xNTAzBgNVBAsTLFZhbGlDZXJ0IENsYXNzIDIgUG9saWN5IFZhbGlkYXRpb24g
-QXV0aG9yaXR5MSEwHwYDVQQDExhodHRwOi8vd3d3LnZhbGljZXJ0LmNvbS8xIDAe
-BgkqhkiG9w0BCQEWEWluZm9AdmFsaWNlcnQuY29tMB4XDTA0MDYyOTE3MDYyMFoX
-DTI0MDYyOTE3MDYyMFowYzELMAkGA1UEBhMCVVMxITAfBgNVBAoTGFRoZSBHbyBE
-YWRkeSBHcm91cCwgSW5jLjExMC8GA1UECxMoR28gRGFkZHkgQ2xhc3MgMiBDZXJ0
-aWZpY2F0aW9uIEF1dGhvcml0eTCCASAwDQYJKoZIhvcNAQEBBQADggENADCCAQgC
-ggEBAN6d1+pXGEmhW+vXX0iG6r7d/+TvZxz0ZWizV3GgXne77ZtJ6XCAPVYYYwhv
-2vLM0D9/AlQiVBDYsoHUwHU9S3/Hd8M+eKsaA7Ugay9qK7HFiH7Eux6wwdhFJ2+q
-N1j3hybX2C32qRe3H3I2TqYXP2WYktsqbl2i/ojgC95/5Y0V4evLOtXiEqITLdiO
-r18SPaAIBQi2XKVlOARFmR6jYGB0xUGlcmIbYsUfb18aQr4CUWWoriMYavx4A6lN
-f4DD+qta/KFApMoZFv6yyO9ecw3ud72a9nmYvLEHZ6IVDd2gWMZEewo+YihfukEH
-U1jPEX44dMX4/7VpkI+EdOqXG68CAQOjggHhMIIB3TAdBgNVHQ4EFgQU0sSw0pHU
-TBFxs2HLPaH+3ahq1OMwgdIGA1UdIwSByjCBx6GBwaSBvjCBuzEkMCIGA1UEBxMb
-VmFsaUNlcnQgVmFsaWRhdGlvbiBOZXR3b3JrMRcwFQYDVQQKEw5WYWxpQ2VydCwg
-SW5jLjE1MDMGA1UECxMsVmFsaUNlcnQgQ2xhc3MgMiBQb2xpY3kgVmFsaWRhdGlv
-biBBdXRob3JpdHkxITAfBgNVBAMTGGh0dHA6Ly93d3cudmFsaWNlcnQuY29tLzEg
-MB4GCSqGSIb3DQEJARYRaW5mb0B2YWxpY2VydC5jb22CAQEwDwYDVR0TAQH/BAUw
-AwEB/zAzBggrBgEFBQcBAQQnMCUwIwYIKwYBBQUHMAGGF2h0dHA6Ly9vY3NwLmdv
-ZGFkZHkuY29tMEQGA1UdHwQ9MDswOaA3oDWGM2h0dHA6Ly9jZXJ0aWZpY2F0ZXMu
-Z29kYWRkeS5jb20vcmVwb3NpdG9yeS9yb290LmNybDBLBgNVHSAERDBCMEAGBFUd
-IAAwODA2BggrBgEFBQcCARYqaHR0cDovL2NlcnRpZmljYXRlcy5nb2RhZGR5LmNv
-bS9yZXBvc2l0b3J5MA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQUFAAOBgQC1
-QPmnHfbq/qQaQlpE9xXUhUaJwL6e4+PrxeNYiY+Sn1eocSxI0YGyeR+sBjUZsE4O
-WBsUs5iB0QQeyAfJg594RAoYC5jcdnplDQ1tgMQLARzLrUc+cb53S8wGd9D0Vmsf
-SxOaFIqII6hR8INMqzW/Rn453HWkrugp++85j09VZw==
------END CERTIFICATE-----
+++ /dev/null
------BEGIN CERTIFICATE-----\r
-MIIC5zCCAlACAQEwDQYJKoZIhvcNAQEFBQAwgbsxJDAiBgNVBAcTG1ZhbGlDZXJ0\r
-IFZhbGlkYXRpb24gTmV0d29yazEXMBUGA1UEChMOVmFsaUNlcnQsIEluYy4xNTAz\r
-BgNVBAsTLFZhbGlDZXJ0IENsYXNzIDIgUG9saWN5IFZhbGlkYXRpb24gQXV0aG9y\r
-aXR5MSEwHwYDVQQDExhodHRwOi8vd3d3LnZhbGljZXJ0LmNvbS8xIDAeBgkqhkiG\r
-9w0BCQEWEWluZm9AdmFsaWNlcnQuY29tMB4XDTk5MDYyNjAwMTk1NFoXDTE5MDYy\r
-NjAwMTk1NFowgbsxJDAiBgNVBAcTG1ZhbGlDZXJ0IFZhbGlkYXRpb24gTmV0d29y\r
-azEXMBUGA1UEChMOVmFsaUNlcnQsIEluYy4xNTAzBgNVBAsTLFZhbGlDZXJ0IENs\r
-YXNzIDIgUG9saWN5IFZhbGlkYXRpb24gQXV0aG9yaXR5MSEwHwYDVQQDExhodHRw\r
-Oi8vd3d3LnZhbGljZXJ0LmNvbS8xIDAeBgkqhkiG9w0BCQEWEWluZm9AdmFsaWNl\r
-cnQuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDOOnHK5avIWZJV16vY\r
-dA757tn2VUdZZUcOBVXc65g2PFxTXdMwzzjsvUGJ7SVCCSRrCl6zfN1SLUzm1NZ9\r
-WlmpZdRJEy0kTRxQb7XBhVQ7/nHk01xC+YDgkRoKWzk2Z/M/VXwbP7RfZHM047QS\r
-v4dk+NoS/zcnwbNDu+97bi5p9wIDAQABMA0GCSqGSIb3DQEBBQUAA4GBADt/UG9v\r
-UJSZSWI4OB9L+KXIPqeCgfYrx+jFzug6EILLGACOTb2oWH+heQC1u+mNr0HZDzTu\r
-IYEZoDJJKPTEjlbVUjP9UNV+mWwD5MlM/Mtsq2azSiGM5bUMMj4QssxsodyamEwC\r
-W/POuZ6lcg5Ktz885hZo+L7tdEy8W9ViH0Pd\r
------END CERTIFICATE-----\r
+++ /dev/null
-Certificate:
- Data:
- Version: 3 (0x2)
- Serial Number: 5 (0x5)
- Signature Algorithm: sha1WithRSAEncryption
- Issuer: C=KR, ST=Seoul, O=Samsung, OU=Tizen Test, CN=Test Second CA/emailAddress=tt@gmail.com
- Validity
- Not Before: Jun 18 08:11:46 2014 GMT
- Not After : Jun 18 08:11:46 2015 GMT
- Subject: C=KR, ST=Seoul, O=Samsung, OU=Tizen Test OCSP Response Signer, CN=OCSP Response Signer/emailAddress=tt@gmail.com
- Subject Public Key Info:
- Public Key Algorithm: rsaEncryption
- Public-Key: (1024 bit)
- Modulus:
- 00:cb:b2:52:c6:6d:75:32:a3:41:e5:7a:3c:21:a0:
- fd:e5:9d:d5:42:fe:3b:7d:e7:7d:8f:6d:b6:75:22:
- 39:51:9f:ba:2b:f2:ff:aa:9b:bc:4e:11:cc:42:1f:
- 84:04:4d:8f:fa:a1:86:e0:80:54:8b:84:6e:58:b9:
- 5c:f2:e2:99:3f:d4:e5:cd:d0:27:a3:f9:23:52:d1:
- d3:9d:59:ce:a3:db:2e:ce:6d:1d:6d:1b:a2:28:8c:
- 52:c2:c1:57:30:41:0c:c1:b9:3a:66:75:e5:da:2a:
- 41:cc:27:98:8b:03:f3:e6:a1:3e:ec:24:83:45:84:
- 47:21:54:25:53:33:3b:6d:01
- Exponent: 65537 (0x10001)
- X509v3 extensions:
- X509v3 Basic Constraints:
- CA:FALSE
- X509v3 Key Usage:
- Digital Signature, Non Repudiation, Key Encipherment
- X509v3 Extended Key Usage:
- OCSP Signing
- Netscape Comment:
- OpenSSL Generated Certificate
- X509v3 Subject Key Identifier:
- BD:88:26:A9:60:B7:BB:51:73:06:06:4B:72:52:F6:44:50:3B:EE:90
- X509v3 Authority Key Identifier:
- keyid:A9:49:F3:5B:13:45:76:34:79:FF:57:97:FA:EB:4B:F6:71:6C:18:80
-
- Signature Algorithm: sha1WithRSAEncryption
- 33:1f:11:ca:e8:01:2a:92:df:5c:07:98:f3:0c:5e:61:a8:6c:
- 58:47:6e:24:d1:01:da:ea:7c:40:2d:e8:89:38:e4:5a:12:cd:
- 3f:e0:24:bd:bb:79:f0:0f:8f:6f:72:21:d5:a2:18:89:24:f8:
- 61:98:ed:66:59:64:4d:da:9b:6f:20:0b:6e:a4:7f:b0:0b:f1:
- ae:70:3a:54:0b:06:53:58:a0:28:22:67:78:4b:88:97:43:8d:
- 1c:58:d3:9b:77:49:6c:66:ed:46:01:e5:4f:6f:96:5a:e0:f8:
- 90:8c:6b:7d:cc:c6:45:6c:60:cf:2e:b0:c7:85:fe:21:41:67:
- e5:48
------BEGIN CERTIFICATE-----
-MIIDJTCCAo6gAwIBAgIBBTANBgkqhkiG9w0BAQUFADB6MQswCQYDVQQGEwJLUjEO
-MAwGA1UECAwFU2VvdWwxEDAOBgNVBAoMB1NhbXN1bmcxEzARBgNVBAsMClRpemVu
-IFRlc3QxFzAVBgNVBAMMDlRlc3QgU2Vjb25kIENBMRswGQYJKoZIhvcNAQkBFgx0
-dEBnbWFpbC5jb20wHhcNMTQwNjE4MDgxMTQ2WhcNMTUwNjE4MDgxMTQ2WjCBlTEL
-MAkGA1UEBhMCS1IxDjAMBgNVBAgMBVNlb3VsMRAwDgYDVQQKDAdTYW1zdW5nMSgw
-JgYDVQQLDB9UaXplbiBUZXN0IE9DU1AgUmVzcG9uc2UgU2lnbmVyMR0wGwYDVQQD
-DBRPQ1NQIFJlc3BvbnNlIFNpZ25lcjEbMBkGCSqGSIb3DQEJARYMdHRAZ21haWwu
-Y29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDLslLGbXUyo0HlejwhoP3l
-ndVC/jt9532PbbZ1IjlRn7or8v+qm7xOEcxCH4QETY/6oYbggFSLhG5YuVzy4pk/
-1OXN0Cej+SNS0dOdWc6j2y7ObR1tG6IojFLCwVcwQQzBuTpmdeXaKkHMJ5iLA/Pm
-oT7sJINFhEchVCVTMzttAQIDAQABo4GeMIGbMAkGA1UdEwQCMAAwCwYDVR0PBAQD
-AgXgMBMGA1UdJQQMMAoGCCsGAQUFBwMJMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NM
-IEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUvYgmqWC3u1FzBgZLclL2
-RFA77pAwHwYDVR0jBBgwFoAUqUnzWxNFdjR5/1eX+utL9nFsGIAwDQYJKoZIhvcN
-AQEFBQADgYEAMx8RyugBKpLfXAeY8wxeYahsWEduJNEB2up8QC3oiTjkWhLNP+Ak
-vbt58A+Pb3Ih1aIYiST4YZjtZllkTdqbbyALbqR/sAvxrnA6VAsGU1igKCJneEuI
-l0ONHFjTm3dJbGbtRgHlT2+WWuD4kIxrfczGRWxgzy6wx4X+IUFn5Ug=
------END CERTIFICATE-----
+++ /dev/null
------BEGIN RSA PRIVATE KEY-----
-MIICXAIBAAKBgQDLslLGbXUyo0HlejwhoP3lndVC/jt9532PbbZ1IjlRn7or8v+q
-m7xOEcxCH4QETY/6oYbggFSLhG5YuVzy4pk/1OXN0Cej+SNS0dOdWc6j2y7ObR1t
-G6IojFLCwVcwQQzBuTpmdeXaKkHMJ5iLA/PmoT7sJINFhEchVCVTMzttAQIDAQAB
-AoGAR6q7+Nh2DZTnEGgLVAGikvEPIXz1TXzu7lG5iki6Rf+eruvWDB6zB/y3EuSn
-vCPV7mZ6X+6G0HeNo2XEUChtpij9kFPvvzDtFh5QEH9Opj/CFX4j1FcxMH7RyZv7
-VjBnfa1c9futYYJGLMynX7J+paSYC02FMMqXdwWeBfCeQ2ECQQDmj2GtiCkzQJS6
-D0G10l5Ion4UUXHbzaEXLyqkuBYka8m5WPPhmHKI+QLb6zL6mQHw+bHVwlJHCThk
-oePKJbUlAkEA4iwhMwgTAIxD4kYA1GEb6V2PB1taXRn3nUKWYePkC7wDbPGkZmPG
-LqThVZQdgYYlmhGrUCWrAloGi322FNwHrQJAQ0rl/3gWTlczEXsSercDvb9vfQ6o
-ZLcHpXSmxZzVGZw8LFTCGb4c781+ACINpwaxglveg71LtmACjZySl5WZ4QJAcpJm
-UwKhFaL4dHR/0RZMXGBPpyto0EbqP5jOs1INYMBif9q9LD0Y1OIjYAXDGK0K+UxA
-Gz6prWxLanhJN7HqlQJBAL2WPV7Et9Uy1iNULd34n2FGHShvhNL99maT/pUGxpna
-ltX8KGsHS3cCvSG3zmiReDYG1xJw69c59OfMPRufJRk=
------END RSA PRIVATE KEY-----
+++ /dev/null
-/*
- * Copyright (c) 2011 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-
-
-
-#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
-#include <cert-service.h>
-#include <openssl/bio.h>
-#include <openssl/err.h>
-#include <cert-service-util.h>
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-
-
-#define CERT_FILE_ROOT_CA "/usr/share/cert-svc/tests/orig_c/data/ocsp/root_ca.der"
-#define CERT_FILE_SECOND_CA "/usr/share/cert-svc/tests/orig_c/data/ocsp/second_ca.der"
-#define CERT_FILE_SIGNER_AIA "/usr/share/cert-svc/tests/orig_c/data/ocsp/aia_signer.der"
-#define CERT_FILE_SIGNER_REVOKED "/usr/share/cert-svc/tests/orig_c/data/ocsp/rev_signer.der"
-#define CERT_FILE_SIGNER_NOAIA "/usr/share/cert-svc/tests/orig_c/data/ocsp/noaia_signer.der"
-
-#define CERT_FILE_NO_ROOT_CERT "/usr/share/cert-svc/tests/orig_c/data/ocsp/noroot_cert.pem"
-
-#define CERT_FILE_REAL_LEVEL1_CERT "/usr/share/cert-svc/tests/orig_c/data/ocsp/ocsp_level1.crt"
-#define CERT_FILE_REAL_LEVEL2_CA "/usr/share/cert-svc/tests/orig_c/data/ocsp/ocsp_level2.crt"
-#define CERT_FILE_REAL_ROOT_CA "/usr/share/cert-svc/tests/orig_c/data/ocsp/ocsp_rootca.crt"
-
-/*
- * author: ---
- * test: ocsp success:AIA information
- * description: Test for the ocsp success case using certificate's AIA information
- * expect: *.pem should load with no error.
- */
-int ocsp_success_with_aia() {
- int ret = CERT_SVC_ERR_NO_ERROR;
- CERT_CONTEXT* ctx = cert_svc_cert_context_init();
-
- // load certificate to context
- ret = cert_svc_load_file_to_context(ctx, CERT_FILE_SIGNER_AIA);
- if(ret != CERT_SVC_ERR_NO_ERROR) {
- printf("....fail..cert_svc_push_file_to_context. ret=%d\n", ret); fflush(stderr);
- goto err;
- }
-
- // check ocsp
- ret = cert_svc_check_ocsp_status(ctx, NULL);
- if(ret != CERT_SVC_ERR_NO_ERROR) {
- printf("....fail..cert_svc_check_ocsp_status. ret=%d\n", ret); fflush(stderr);
- goto err;
- }
-
-err:
- cert_svc_cert_context_final(ctx);
- return ret;
-}
-
-
-/*
- * author: ---
- * test: ocsp success:no AIA information
- * description: Test for the ocsp success case using privided OCSP url
- * expect: *.der file should load with no error.
- */
-int ocsp_success_with_no_aia()
-{
- int ret = CERT_SVC_ERR_NO_ERROR;
- char *uri = "http://127.0.0.1:8888";
- CERT_CONTEXT* ctx = cert_svc_cert_context_init();
-
- // load certificate to context
- ret = cert_svc_load_file_to_context(ctx, CERT_FILE_SIGNER_NOAIA);
- if(ret != CERT_SVC_ERR_NO_ERROR) {
- printf("....fail..cert_svc_push_file_to_context. ret=%d\n", ret); fflush(stderr);
- goto err;
- }
-
- // check ocsp
- ret = cert_svc_check_ocsp_status(ctx, uri);
- if(ret != CERT_SVC_ERR_NO_ERROR) {
- printf("....fail..cert_svc_check_ocsp_status. ret=%d\n", ret); fflush(stderr);
- goto err;
- }
-
-err:
- cert_svc_cert_context_final(ctx);
- return ret;
-}
-
-/*
- * author: ---
- * test: ocsp fail: revokation.
- * description: Test for the ocsp fail case due to the revokation
- * expect: *.pom file should not load and return error.
- */
-int ocsp_fail_revokation()
-{
- int ret = CERT_SVC_ERR_NO_ERROR;
- char *uri = "http://127.0.0.1:8888";
- CERT_CONTEXT* ctx = cert_svc_cert_context_init();
-
- // load certificate to context
- ret = cert_svc_load_file_to_context(ctx, CERT_FILE_SIGNER_REVOKED);
- if(ret != CERT_SVC_ERR_NO_ERROR) {
- printf("....fail..cert_svc_push_file_to_context. ret=%d\n", ret); fflush(stderr);
- goto err;
- }
-
- // check ocsp
- ret = cert_svc_check_ocsp_status(ctx, uri);
- if(ret != CERT_SVC_ERR_OCSP_REVOKED) {
- printf("....fail..CERT_SVC_ERR_OCSP_REVOKED Error expected. ret=%d\n", ret); fflush(stderr);
- goto err;
- }
-
- ret = 0;
-err:
- cert_svc_cert_context_final(ctx);
- return ret;
-}
-
-
-/*
- * author: ---
- * test: No URI
- * description: Test for the ocsp fail case due to no OCSP URL and AIA Information
- * expect: .
- */
-int ocsp_fail_no_uri()
-{
- int ret = CERT_SVC_ERR_NO_ERROR;
- CERT_CONTEXT* ctx = cert_svc_cert_context_init();
-
- // load certificate to context
- ret = cert_svc_load_file_to_context(ctx, CERT_FILE_SIGNER_NOAIA);
- if(ret != CERT_SVC_ERR_NO_ERROR) {
- printf("....fail..cert_svc_push_file_to_context. ret=%d\n", ret); fflush(stderr);
- goto err;
- }
-
- // check ocsp
- ret = cert_svc_check_ocsp_status(ctx, NULL);
- if(ret != CERT_SVC_ERR_OCSP_NO_SUPPORT) {
- printf("....fail..CERT_SVC_ERR_OCSP_NO_SUPPORT Error expected. ret=%d\n", ret); fflush(stderr);
- goto err;
- }
- ret = 0;
-err:
- cert_svc_cert_context_final(ctx);
- return ret;
-}
-
-/*
- * author: ---
- * test: Invalid URI
- * description: Test for the ocsp fail case due to Invalid OCSP URL
- * expect: .
- */
-int ocsp_fail_no_network()
-{
- int ret = CERT_SVC_ERR_NO_ERROR;
- char *uri = "http://127.0.0.1:7171";
- CERT_CONTEXT* ctx = cert_svc_cert_context_init();
-
- // load certificate to context
- ret = cert_svc_load_file_to_context(ctx, CERT_FILE_SIGNER_NOAIA);
- if(ret != CERT_SVC_ERR_NO_ERROR) {
- printf("....fail..cert_svc_push_file_to_context. ret=%d\n", ret); fflush(stderr);
- goto err;
- }
-
- // check ocsp
- ret = cert_svc_check_ocsp_status(ctx, uri);
- if(ret != CERT_SVC_ERR_OCSP_NETWORK_FAILED) {
- printf("....fail..CERT_SVC_ERR_OCSP_NETWORK_FAILED Error expected. ret=%d\n", ret); fflush(stderr);
- goto err;
- }
- ret = 0;
-err:
- cert_svc_cert_context_final(ctx);
- return ret;
-}
-
-/*
- * author: ---
- * test: Invalid Cert Chain
- * description: Test for the ocsp fail case due to Invalid Cert Chain
- * expect: .
- */
-int ocsp_fail_invalid_cert_chain()
-{
- int ret = CERT_SVC_ERR_NO_ERROR;
- char *url = NULL;
- CERT_CONTEXT* ctx = cert_svc_cert_context_init();
-
- // load certificate to context
- ret = cert_svc_load_file_to_context(ctx, CERT_FILE_NO_ROOT_CERT);
- if(ret != CERT_SVC_ERR_NO_ERROR) {
- printf("....fail..cert_svc_push_file_to_context. ret=%d\n", ret); fflush(stderr);
- goto err;
- }
-
- // check ocsp
- ret = cert_svc_check_ocsp_status(ctx, NULL);
- if(ret != CERT_SVC_ERR_NO_ROOT_CERT) {
- printf("....fail..CERT_SVC_ERR_NO_ROOT_CERT Error expected. ret=%d\n", ret); fflush(stderr);
- goto err;
- }
- ret = 0;
-err:
- cert_svc_cert_context_final(ctx);
- return ret;
-}
-
-/*
- * author: ---
- * test: Null Certificate
- * description: Test for the ocsp fail case due to Null Certificate
- * expect: .
- */
-int ocsp_fail_null_cert()
-{
- int ret = CERT_SVC_ERR_NO_ERROR;
- char *uri = "http://127.0.0.1:8888";
- CERT_CONTEXT* ctx = cert_svc_cert_context_init();
-
- // don't load certificate to context
-
- // check ocsp
- ret = cert_svc_check_ocsp_status(ctx, uri);
- if(ret != CERT_SVC_ERR_INVALID_PARAMETER) {
- printf("....fail..CERT_SVC_ERR_INVALID_PARAMETER Error expected. ret=%d\n", ret); fflush(stderr);
- goto err;
- }
- ret = 0;
-err:
- cert_svc_cert_context_final(ctx);
- return ret;
-}
-
-/*
- * author: ---
- * test: OCSP test.
- * description: Testing OCSP for certificate list.
- * expect: OCSP should return success.
- */
-int ocsp_success_real_cert()
-{
-
- int ret = CERT_SVC_ERR_NO_ERROR;
- char *url = NULL;
- CERT_CONTEXT* ctx = cert_svc_cert_context_init();
-
- // load certificate to context
- ret = cert_svc_load_file_to_context(ctx, CERT_FILE_REAL_LEVEL1_CERT);
- if(ret != CERT_SVC_ERR_NO_ERROR) {
- printf("....fail..cert_svc_push_file_to_context. file=%s, ret=%d\n", CERT_FILE_REAL_LEVEL1_CERT, ret); fflush(stderr);
- goto err;
- }
-
- ret = cert_svc_push_file_into_context(ctx, CERT_FILE_REAL_LEVEL2_CA);
- if(ret != CERT_SVC_ERR_NO_ERROR) {
- printf("....fail..cert_svc_push_file_to_context. file=%s, ret=%d\n", CERT_FILE_REAL_LEVEL2_CA, ret); fflush(stderr);
- goto err;
- }
-
-// ret = cert_svc_push_file_into_context(ctx, CERT_FILE_REAL_ROOT_CA);
-// if(ret != CERT_SVC_ERR_NO_ERROR) {
-// printf("....fail..cert_svc_push_file_to_context. file=%s, ret=%d\n", CERT_FILE_REAL_ROOT_CA, ret); fflush(stderr);
-// goto err;
-// }
-
- // check ocsp
- ret = cert_svc_check_ocsp_status(ctx, NULL);
- if(ret != CERT_SVC_ERR_NO_ERROR) {
- printf("....fail..cert_svc_check_ocsp_status. ret=%d\n", ret); fflush(stderr);
- goto err;
- }
-
-err:
- cert_svc_cert_context_final(ctx);
- return ret;
-}
-
-
-typedef struct {
- unsigned long size,resident,share,text,lib,data,dt;
-} statm_t;
-
-void read_off_memory_status(statm_t *result)
-{
- unsigned long dummy;
- const char* statm_path = "/proc/self/statm";
-
-// /proc/[pid]/statm
-// Provides information about memory usage, measured in pages.
-// The columns are:
-// size total program size(same as VmSize in /proc/[pid]/status)
-// resident resident set size(same as VmRSS in /proc/[pid]/status)
-// share shared pages (from shared mappings)
-// text text (code)
-// lib library (unused in Linux 2.6)
-// data data + stack
-// dt dirty pages (unused in Linux 2.6)
-
-
- FILE *f = fopen(statm_path,"r");
- if(!f){
- perror(statm_path);
- abort();
- }
- if(7 != fscanf(f,"%ld %ld %ld %ld %ld %ld %ld",
- &result->size,&result->resident,&result->share,&result->text,&result->lib,&result->data,&result->dt))
- {
- perror(statm_path);
- abort();
- }
- fclose(f);
-}
-
-/*
- * author: ---
- * test: Memory Leak Test
- * description: Test for Memory Leak
- * expect: .
- */
-int ocsp_success_memory_leak()
-{
- int ret = CERT_SVC_ERR_NO_ERROR;
- statm_t memStatus;
- cert_svc_linked_list* sorted = NULL;
- int i;
-
- for(i=0; i<100; i++ ){
- ocsp_success_with_aia();
- ocsp_success_with_no_aia();
- ocsp_fail_revokation();
- ocsp_fail_no_uri();
- ocsp_fail_no_network();
- ocsp_fail_invalid_cert_chain();
- ocsp_fail_null_cert();
- read_off_memory_status(&memStatus);
- printf("loop %d th : size=%d, resident=%d, share=%d, text=%d, lib=%d, data=%d, dt=%d\n", i,
- memStatus.size, memStatus.resident, memStatus.share, memStatus.text,
- memStatus.lib, memStatus.data, memStatus.dt);
- }
-}
-
-void run_test(int (*function)(), const char *function_name) {
- int ret = 0;
-
- printf("\n-- %s start\n", function_name);
- ret = (*function)();
- printf("---- result : ");
- if(ret == 0) {
- printf("success\n");
- }else {
- printf("fail\n");
- }
-}
-
-int test_ocsp(){
- int ret;
- printf("\n[test_ocsp started]\n");
-
- system("cert-svc-tests-start-ocsp-server.sh");
- sleep(1);
-
- run_test(&ocsp_success_with_aia, "ocsp_success_with_aia");
- run_test(&ocsp_success_with_no_aia, "ocsp_success_with_no_aia");
- run_test(&ocsp_fail_revokation, "ocsp_fail_revokation");
- run_test(&ocsp_fail_no_uri, "ocsp_fail_no_uri");
- run_test(&ocsp_fail_no_network, "ocsp_fail_no_network");
- run_test(&ocsp_fail_invalid_cert_chain, "ocsp_fail_invalid_cert_chain");
- run_test(&ocsp_fail_null_cert, "ocsp_fail_null_cert");
- run_test(&ocsp_success_real_cert, "ocsp_success_real_cert");
-// run_test(&ocsp_success_memory_leak, "ocsp_success_memory_leak");
-
- printf("\n");
- system("cert-svc-tests-kill-ocsp-server.sh");
-
- printf("\n[test_ocsp finished]\n");
- return ret;
-}
-
-#endif
int test_caflag();
-#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
-int test_ocsp();
-#endif
-
#endif /* TEST_CAFLAG_H_ */
int main() {
int ret;
ret = test_caflag();
-#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
- ret = test_ocsp();
-#endif
return ret;
}
#include <cert-svc/cinstance.h>
#include <cert-svc/ccert.h>
#include <glib.h>
-#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
-#include <cert-svc/ccrl.h>
-#include <cert-svc/cocsp.h>
-#endif
#include <cert-svc/cpkcs12.h>
#include <cert-svc/cerror.h>
#include <cert-svc/cprimitives.h>
WORLD_EXECUTE
)
-IF(DEFINED TIZEN_FEAT_CERTSVC_OCSP_CRL)
-INSTALL(FILES ${PROJECT_SOURCE_DIR}/tests/vcore/cert-svc-tests-vcore-ocsp-server.sh
- DESTINATION ${TZ_SYS_BIN}
- PERMISSIONS OWNER_READ
- OWNER_WRITE
- OWNER_EXECUTE
- GROUP_READ
- GROUP_EXECUTE
- WORLD_READ
- WORLD_EXECUTE
- )
-ENDIF(DEFINED TIZEN_FEAT_CERTSVC_OCSP_CRL)
-
ADD_CUSTOM_COMMAND(TARGET ${TARGET_VCORE_TEST} POST_BUILD
COMMAND ${PROJECT_SOURCE_DIR}/tests/vcore/certificate-generator/create_certs.sh
WORKING_DIRECTORY ${PROJECT_SOURCE_DIR}/tests/vcore/certificate-generator/
${TZ_SYS_RO_APP}/widget/tests/vcore_keys
)
-IF(DEFINED TIZEN_FEAT_CERTSVC_OCSP_CRL)
-INSTALL(FILES
- ${PROJECT_SOURCE_DIR}/tests/vcore/test-cases/keys/ocsp_level0deprecated.crt
- ${PROJECT_SOURCE_DIR}/tests/vcore/test-cases/keys/ocsp_level1.crt
- ${PROJECT_SOURCE_DIR}/tests/vcore/test-cases/keys/ocsp_level2.crt
- ${PROJECT_SOURCE_DIR}/tests/vcore/test-cases/keys/ocsp_rootca.crt
- DESTINATION
- ${TZ_SYS_RO_APP}/widget/tests/vcore_keys
- )
-ENDIF(DEFINED TIZEN_FEAT_CERTSVC_OCSP_CRL)
-
INSTALL(FILES
${PROJECT_SOURCE_DIR}/tests/vcore/test-cases/config/fin_list.xml
${PROJECT_SOURCE_DIR}/tests/vcore/test-cases/config/fin_list.xsd
${TZ_SYS_RO_APP}/widget/tests/vcore_certs/
)
-IF(DEFINED TIZEN_FEAT_CERTSVC_OCSP_CRL)
-INSTALL(FILES
- ${PROJECT_SOURCE_DIR}/tests/vcore/certificate-generator/cacrl1.pem
- ${PROJECT_SOURCE_DIR}/tests/vcore/certificate-generator/cacrl2.pem
- DESTINATION
- ${TZ_SYS_RO_APP}/widget/tests/vcore_certs/
- )
-ENDIF(DEFINED TIZEN_FEAT_CERTSVC_OCSP_CRL)
-
INSTALL(DIRECTORY
${PROJECT_SOURCE_DIR}/tests/vcore/certificate-generator/demoCA
DESTINATION
#include "TestEnv.h"
#include <vcore/RevocationCheckerBase.h>
-#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
-#include <vcore/OCSP.h>
-#include <vcore/CachedOCSP.h>
-#include <vcore/SSLContainers.h>
-#include <vcore/CRL.h>
-#include <vcore/CachedCRL.h>
-#include <vcore/CertificateCacheDAO.h>
-#endif
-
namespace {
const std::string widget_path =
const std::string keys_path = "/usr/apps/widget/tests/vcore_keys/";
const std::string widget_store_path = "/usr/apps/widget/tests/vcore_widgets/";
const std::string cert_store_path = "/usr/apps/widget/tests/vcore_certs/";
-#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
-const std::string crl_URI = "http://localhost/my.crl";
-#endif
const std::string anka_ec_key_type = "urn:oid:1.2.840.10045.3.1.7";
const std::string anka_ec_public_key =
RUNNER_ASSERT(cert3.isCA() == 0);
}
-#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
-/*
- * test: class CertificateCollection
- * description: It's not allowed to call function isChain before funciton sort.
- * expected: Function isChain should throw exception WrongUsage because
- * function sort was not called before.
- */
-RUNNER_TEST(test09t01_CertificateCollection)
-{
- CertificateList list;
- list.push_back(CertificatePtr(
- new Certificate(google2nd, Certificate::FORM_BASE64)));
- list.push_back(CertificatePtr(
- new Certificate(googleCA, Certificate::FORM_BASE64)));
- list.push_back(CertificatePtr(
- new Certificate(google3rd, Certificate::FORM_BASE64)));
-
- CertificateCollection collection;
- collection.load(list);
-
- bool exception = false;
-
- Try {
- RUNNER_ASSERT(collection.isChain());
- } Catch (CertificateCollection::Exception::WrongUsage) {
- exception = true;
- }
-
- RUNNER_ASSERT_MSG(exception, "Exception expected!");
-
- RUNNER_ASSERT_MSG(collection.sort(), "Sort failed");
-
- RUNNER_ASSERT(collection.isChain());
-
- std::string encoded = collection.toBase64String();
-
- collection.clear();
-
- RUNNER_ASSERT_MSG(collection.size() == 0, "Function clear failed.");
-
- collection.load(encoded);
-
- RUNNER_ASSERT_MSG(collection.sort(), "Sort failed");
-
- list = collection.getChain();
-
- RUNNER_ASSERT(!list.front().get()->getCommonName().compare("mail.google.com"));
- RUNNER_ASSERT(!list.back().get()->getOrganizationName().compare("VeriSign, Inc."));
-}
-
-/*
- * test: class OCSP, VerificationStatusSet
- * description: OCSP should check certificate chain. One of the certificate
- * is GOOD and one is broken.
- * expected: Status from OCSP check should contain status GOOD and status
- * VERIFICATION_ERROR.
- */
-RUNNER_TEST(test51t01_ocsp_validation_negative)
-{
- CertificateCacheDAO::clearCertificateCache();
-
- CertificateList lOCSPCertificates;
- CertificatePtr certificatePtr;
- CertificatePtr pCert0;
- CertificatePtr pCert1;
- CertificatePtr pCert2;
- CertificatePtr pRootCert;
- std::string caRootPath(keys_path + "ocsp_rootca.crt"),
- certLevel0Path(keys_path + "ocsp_level0deprecated.crt"),
- certLevel1Path(keys_path + "ocsp_level1.crt"),
- certLevel2Path(keys_path + "ocsp_level2.crt");
-
- pRootCert = RevocationCheckerBase::loadPEMFile(caRootPath.c_str());
- if (!pRootCert) {
- RUNNER_ASSERT_MSG(false, "Couldn't load ocsp_rootca.crt");
- }
- lOCSPCertificates.push_back(pRootCert);
-
- pCert0 = RevocationCheckerBase::loadPEMFile(certLevel0Path.c_str());
- if (!pCert0) {
- RUNNER_ASSERT_MSG(false, "Couldn't load ocsp_level0.crt");
- }
- lOCSPCertificates.push_back(CertificatePtr(pCert0));
-
- pCert1 = RevocationCheckerBase::loadPEMFile(certLevel1Path.c_str());
- if (!pCert1) {
- RUNNER_ASSERT_MSG(false, "Couldn't load ocsp_level1.crt");
- }
- lOCSPCertificates.push_back(CertificatePtr(pCert1));
-
- pCert2 = RevocationCheckerBase::loadPEMFile(certLevel2Path.c_str());
- if (!pCert2) {
- RUNNER_ASSERT_MSG(false, "Couldn't load ocsp_level2.crt");
- }
- lOCSPCertificates.push_back(CertificatePtr(pCert2));
-
- OCSP ocsp;
- ocsp.setDigestAlgorithmForCertId(ValidationCore::OCSP::SHA1);
- ocsp.setDigestAlgorithmForRequest(ValidationCore::OCSP::SHA1);
-
- CertificateCollection collection;
- collection.load(lOCSPCertificates);
- RUNNER_ASSERT(collection.sort());
- CertificateList sorted = collection.getChain();
-
- ocsp.setTrustedStore(sorted);
- VerificationStatusSet status = ocsp.validateCertificateList(sorted);
-
- RUNNER_ASSERT_MSG(!status.contains(VERIFICATION_STATUS_CONNECTION_FAILED),
- "Caught OCSP connection error from store exception");
- RUNNER_ASSERT_MSG(status.contains(VERIFICATION_STATUS_GOOD),
- "Caught OCSP verification error exception");
- RUNNER_ASSERT_MSG(status.contains(VERIFICATION_STATUS_VERIFICATION_ERROR),
- "Caught OCSP verification error exception");
-
- CertificateCacheDAO::clearCertificateCache();
-}
-
-/*
- * test: class OCSP, VerificationStatusSet
- * description: OCSP should check certificate chain. All certificates are GOOD.
- * expected: Status from OCSP check should contain only status GOOD.
- */
-RUNNER_TEST(test51t02_ocsp_validation_positive)
-{
- CertificateCacheDAO::clearCertificateCache();
-
- CertificateList lOCSPCertificates;
- CertificatePtr certificatePtr;
- CertificatePtr pCert0;
- CertificatePtr pCert1;
- CertificatePtr pCert2;
- CertificatePtr pRootCert;
- std::string caRootPath(keys_path + "ocsp_rootca.crt"),
- certLevel1Path(keys_path + "ocsp_level1.crt"),
- certLevel2Path(keys_path + "ocsp_level2.crt");
-
- pRootCert = RevocationCheckerBase::loadPEMFile(caRootPath.c_str());
- if (!pRootCert) {
- RUNNER_ASSERT_MSG(false, "Couldn't load ocsp_rootca.crt");
- }
- lOCSPCertificates.push_back(pRootCert);
-
- pCert1 = RevocationCheckerBase::loadPEMFile(certLevel1Path.c_str());
- if (!pCert1) {
- RUNNER_ASSERT_MSG(false, "Couldn't load ocsp_level1.crt");
- }
- lOCSPCertificates.push_back(CertificatePtr(pCert1));
-
- pCert2 = RevocationCheckerBase::loadPEMFile(certLevel2Path.c_str());
- if (!pCert2) {
- RUNNER_ASSERT_MSG(false, "Couldn't load ocsp_level2.crt");
- }
- lOCSPCertificates.push_back(CertificatePtr(pCert2));
-
- OCSP ocsp;
- ocsp.setDigestAlgorithmForCertId(ValidationCore::OCSP::SHA1);
- ocsp.setDigestAlgorithmForRequest(ValidationCore::OCSP::SHA1);
-
- CertificateCollection collection;
- collection.load(lOCSPCertificates);
- RUNNER_ASSERT(collection.sort());
- CertificateList sorted = collection.getChain();
-
- ocsp.setTrustedStore(sorted);
- VerificationStatusSet status = ocsp.validateCertificateList(sorted);
-
- RUNNER_ASSERT_MSG(!status.contains(VERIFICATION_STATUS_CONNECTION_FAILED),
- "Caught OCSP connection error from store exception");
- RUNNER_ASSERT_MSG(status.contains(VERIFICATION_STATUS_GOOD),
- "Caught OCSP verification error exception");
- RUNNER_ASSERT_MSG(!status.contains(VERIFICATION_STATUS_VERIFICATION_ERROR),
- "Caught OCSP verification error exception");
-
- CertificateCacheDAO::clearCertificateCache();
-}
-
-/*
- * test: class OCSP, VerificationStatusSet
- * description: OCSP should check end entity certificate.
- * expected: Status from OCSP check should contain only status GOOD.
- */
-RUNNER_TEST(test51t04_ocsp_request)
-{
- CertificateList lTrustedCerts;
-
- lTrustedCerts.push_back(CertificatePtr(
- new Certificate(google3rd, Certificate::FORM_BASE64)));
- lTrustedCerts.push_back(CertificatePtr(
- new Certificate(google2nd, Certificate::FORM_BASE64)));
- lTrustedCerts.push_back(CertificatePtr(
- new Certificate(googleCA, Certificate::FORM_BASE64)));
-
- CertificateCollection chain;
- chain.load(lTrustedCerts);
- RUNNER_ASSERT(chain.sort());
-
- OCSP ocsp;
- ocsp.setDigestAlgorithmForCertId(OCSP::SHA1);
- ocsp.setDigestAlgorithmForRequest(OCSP::SHA1);
- ocsp.setTrustedStore(lTrustedCerts);
- VerificationStatus result = ocsp.checkEndEntity(chain);
-
- RUNNER_ASSERT(VERIFICATION_STATUS_GOOD == result);
-}
-
-/*
- * test: class OCSP, VerificationStatusSet, CertificateCachedDao
- * description: Call OCSP twice. Result of second call should be extracted
- * from cache.
- * expected: Both results should be equal.
- */
-RUNNER_TEST(test51t05_cached_ocsp_validation_negative)
-{
- CertificateCacheDAO::clearCertificateCache();
-
- CertificateList lOCSPCertificates;
- CertificatePtr certificatePtr;
- CertificatePtr pCert0;
- CertificatePtr pCert1;
- CertificatePtr pCert2;
- CertificatePtr pRootCert;
- std::string caRootPath(keys_path + "ocsp_rootca.crt"),
- certLevel0Path(keys_path + "ocsp_level0deprecated.crt"),
- certLevel1Path(keys_path + "ocsp_level1.crt"),
- certLevel2Path(keys_path + "ocsp_level2.crt");
-
- pRootCert = RevocationCheckerBase::loadPEMFile(caRootPath.c_str());
- RUNNER_ASSERT_MSG(pRootCert, "Couldn't load ocsp_rootca.crt");
- lOCSPCertificates.push_back(pRootCert);
-
- pCert0 = RevocationCheckerBase::loadPEMFile(certLevel0Path.c_str());
- RUNNER_ASSERT_MSG(pCert0, "Couldn't load ocsp_level0.crt");
- lOCSPCertificates.push_back(CertificatePtr(pCert0));
-
- pCert1 = RevocationCheckerBase::loadPEMFile(certLevel1Path.c_str());
- RUNNER_ASSERT_MSG(pCert1, "Couldn't load ocsp_level1.crt");
- lOCSPCertificates.push_back(CertificatePtr(pCert1));
-
- pCert2 = RevocationCheckerBase::loadPEMFile(certLevel2Path.c_str());
- RUNNER_ASSERT_MSG(pCert2, "Couldn't load ocsp_level2.crt");
- lOCSPCertificates.push_back(CertificatePtr(pCert2));
-
- CachedOCSP ocsp;
-
- CertificateCollection collection;
- collection.load(lOCSPCertificates);
- RUNNER_ASSERT(collection.sort());
-
- VerificationStatus status = ocsp.check(collection);
-
- RUNNER_ASSERT_MSG(status != VERIFICATION_STATUS_GOOD,
- "Caught OCSP verification error exception");
-
- OCSPCachedStatusList respList;
- CertificateCacheDAO::getOCSPStatusList(&respList);
- unsigned len = respList.size();
-
- status = ocsp.check(collection);
-
- RUNNER_ASSERT_MSG(status != VERIFICATION_STATUS_GOOD,
- "Caught OCSP verification error exception");
-
- respList.clear();
- CertificateCacheDAO::getOCSPStatusList(&respList);
- RUNNER_ASSERT_MSG(respList.size() == len && len > 0,
- "Caught OCSP cache error exception");
-
- CertificateCacheDAO::clearCertificateCache();
-}
-
-/*
- * test: class OCSP, VerificationStatusSet, CertificateCachedDao
- * description: Call OCSP twice. Result of second call should be extracted
- * from cache.
- * expected: Both results should be equal.
- */
-RUNNER_TEST(test51t06_cached_ocsp_validation_positive)
-{
- CertificateCacheDAO::clearCertificateCache();
-
- CertificateList lOCSPCertificates;
- CertificatePtr certificatePtr;
- CertificatePtr pCert0;
- CertificatePtr pCert1;
- CertificatePtr pCert2;
- CertificatePtr pRootCert;
- std::string caRootPath(keys_path + "ocsp_rootca.crt"),
- certLevel1Path(keys_path + "ocsp_level1.crt"),
- certLevel2Path(keys_path + "ocsp_level2.crt");
-
- pRootCert = RevocationCheckerBase::loadPEMFile(caRootPath.c_str());
- RUNNER_ASSERT_MSG(pRootCert, "Couldn't load ocsp_rootca.crt");
- lOCSPCertificates.push_back(pRootCert);
-
- pCert1 = RevocationCheckerBase::loadPEMFile(certLevel1Path.c_str());
- RUNNER_ASSERT_MSG(pCert1, "Couldn't load ocsp_level1.crt");
- lOCSPCertificates.push_back(CertificatePtr(pCert1));
-
- pCert2 = RevocationCheckerBase::loadPEMFile(certLevel2Path.c_str());
- RUNNER_ASSERT_MSG(pCert2, "Couldn't load ocsp_level2.crt");
- lOCSPCertificates.push_back(CertificatePtr(pCert2));
-
- CachedOCSP ocsp;
-
- CertificateCollection collection;
- collection.load(lOCSPCertificates);
- RUNNER_ASSERT(collection.sort());
-
- VerificationStatus status = ocsp.check(collection);
-
- RUNNER_ASSERT_MSG(status == VERIFICATION_STATUS_GOOD,
- "Caught OCSP verification error exception");
-
- OCSPCachedStatusList respList;
- CertificateCacheDAO::getOCSPStatusList(&respList);
- unsigned len = respList.size();
-
- status = ocsp.check(collection);
-
- RUNNER_ASSERT_MSG(status == VERIFICATION_STATUS_GOOD,
- "Caught OCSP verification error exception");
-
- respList.clear();
- CertificateCacheDAO::getOCSPStatusList(&respList);
- RUNNER_ASSERT_MSG(respList.size() == len && len > 0,
- "Caught OCSP cache error exception");
-
- CertificateCacheDAO::clearCertificateCache();
-}
-
-/*
- * test: class OCSP
- * description: All certificates are valid.
- * expected: Only status VERIFICATION_STATUS_GOOD should be set.
- */
-RUNNER_TEST(test70_ocsp_local_validation_positive)
-{
- CertificateCacheDAO::clearCertificateCache();
-
- CertificateList lOCSPCertificates;
- CertificatePtr certificatePtr;
- CertificatePtr pCert0;
- CertificatePtr pRootCert;
- std::string caRootPath(cert_store_path + "cacert.pem"),
- certLevel0Path(cert_store_path + "1second_level.pem");
-
- pRootCert = RevocationCheckerBase::loadPEMFile(caRootPath.c_str());
- if (!pRootCert) {
- RUNNER_ASSERT_MSG(false, "Couldn't load cacert.pem");
- }
- lOCSPCertificates.push_back(pRootCert);
-
- pCert0 = RevocationCheckerBase::loadPEMFile(certLevel0Path.c_str());
- if (!pCert0) {
- RUNNER_ASSERT_MSG(false, "Couldn't load 1second_level.pem");
- }
- lOCSPCertificates.push_back(CertificatePtr(pCert0));
-
- OCSP ocsp;
- ocsp.setDigestAlgorithmForCertId(ValidationCore::OCSP::SHA1);
- ocsp.setDigestAlgorithmForRequest(ValidationCore::OCSP::SHA1);
-
- CertificateCollection collection;
- collection.load(lOCSPCertificates);
- RUNNER_ASSERT(collection.sort());
- CertificateList sorted = collection.getChain();
-
- ocsp.setTrustedStore(sorted);
- VerificationStatusSet status = ocsp.validateCertificateList(sorted);
-
- RUNNER_ASSERT_MSG(!status.contains(VERIFICATION_STATUS_CONNECTION_FAILED),
- "Caught OCSP connection error - check if "
- "wrt-tests-vcore-ocsp-server.sh is running!");
- RUNNER_ASSERT_MSG(status.contains(VERIFICATION_STATUS_GOOD),
- "Caught OCSP verification error exception");
- RUNNER_ASSERT_MSG(!status.contains(VERIFICATION_STATUS_VERIFICATION_ERROR),
- "Caught OCSP verification error exception");
-
- CertificateCacheDAO::clearCertificateCache();
-}
-
-/*
- * test: class OCSP
- * description: All certificates are valid.
- * expected: Only status VERIFICATION_STATUS_GOOD should be set.
- */
-RUNNER_TEST(test71_ocsp_local_validation_positive)
-{
- CertificateCacheDAO::clearCertificateCache();
-
- CertificateList lOCSPCertificates;
- CertificatePtr certificatePtr;
- CertificatePtr pCert0;
- CertificatePtr pRootCert;
- std::string caRootPath(cert_store_path + "cacert.pem"),
- certLevel0Path(cert_store_path + "3second_level.pem");
-
- pRootCert = RevocationCheckerBase::loadPEMFile(caRootPath.c_str());
- if (!pRootCert) {
- RUNNER_ASSERT_MSG(false, "Couldn't load cacert.pem");
- }
- lOCSPCertificates.push_back(pRootCert);
-
- pCert0 = RevocationCheckerBase::loadPEMFile(certLevel0Path.c_str());
- if (!pCert0) {
- RUNNER_ASSERT_MSG(false, "Couldn't load 3second_level.pem");
- }
- lOCSPCertificates.push_back(CertificatePtr(pCert0));
-
- OCSP ocsp;
- ocsp.setDigestAlgorithmForCertId(ValidationCore::OCSP::SHA1);
- ocsp.setDigestAlgorithmForRequest(ValidationCore::OCSP::SHA1);
-
- CertificateCollection collection;
- collection.load(lOCSPCertificates);
- RUNNER_ASSERT(collection.sort());
- CertificateList sorted = collection.getChain();
-
- ocsp.setTrustedStore(sorted);
- VerificationStatusSet status = ocsp.validateCertificateList(sorted);
-
- RUNNER_ASSERT_MSG(!status.contains(VERIFICATION_STATUS_CONNECTION_FAILED),
- "Caught OCSP connection error - check if "
- "wrt-tests-vcore-ocsp-server.sh is running!");
- RUNNER_ASSERT_MSG(status.contains(VERIFICATION_STATUS_GOOD),
- "Caught OCSP verification error exception");
- RUNNER_ASSERT_MSG(!status.contains(VERIFICATION_STATUS_VERIFICATION_ERROR),
- "Caught OCSP verification error exception");
-
- CertificateCacheDAO::clearCertificateCache();
-}
-
-/*
- * test: class OCSP
- * description: Second certificate is revoked. Root CA certificate wont be checked.
- * expected: Only status VERIFICATION_STATUS_REVOKED should be set.
- */
-RUNNER_TEST(test72_ocsp_local_validation_revoked)
-{
- CertificateCacheDAO::clearCertificateCache();
-
- CertificateList lOCSPCertificates;
- CertificatePtr certificatePtr;
- CertificatePtr pCert0;
- CertificatePtr pRootCert;
- std::string caRootPath(cert_store_path + "cacert.pem"),
- certLevel0Path(cert_store_path + "2second_level.pem");
-
- pRootCert = RevocationCheckerBase::loadPEMFile(caRootPath.c_str());
- if (!pRootCert) {
- RUNNER_ASSERT_MSG(false, "Couldn't load cacert.pem");
- }
- lOCSPCertificates.push_back(pRootCert);
-
- pCert0 = RevocationCheckerBase::loadPEMFile(certLevel0Path.c_str());
- if (!pCert0) {
- RUNNER_ASSERT_MSG(false, "Couldn't load 2second_level.pem");
- }
- lOCSPCertificates.push_back(CertificatePtr(pCert0));
-
- OCSP ocsp;
- ocsp.setDigestAlgorithmForCertId(ValidationCore::OCSP::SHA1);
- ocsp.setDigestAlgorithmForRequest(ValidationCore::OCSP::SHA1);
-
- CertificateCollection collection;
- collection.load(lOCSPCertificates);
- RUNNER_ASSERT(collection.sort());
- CertificateList sorted = collection.getChain();
-
- ocsp.setTrustedStore(sorted);
- VerificationStatusSet status = ocsp.validateCertificateList(sorted);
-
- RUNNER_ASSERT_MSG(!status.contains(VERIFICATION_STATUS_CONNECTION_FAILED),
- "Caught OCSP connection error - check if "
- "wrt-tests-vcore-ocsp-server.sh is running!");
- RUNNER_ASSERT_MSG(!status.contains(VERIFICATION_STATUS_GOOD),
- "Caught OCSP verification error exception");
- RUNNER_ASSERT_MSG(status.contains(VERIFICATION_STATUS_REVOKED),
- "Caught OCSP verification error exception");
- RUNNER_ASSERT_MSG(!status.contains(VERIFICATION_STATUS_UNKNOWN),
- "Caught OCSP verification error exception");
- RUNNER_ASSERT_MSG(!status.contains(VERIFICATION_STATUS_VERIFICATION_ERROR),
- "Caught OCSP verification error exception");
-
- CertificateCacheDAO::clearCertificateCache();
-}
-
-/*
- * test: class OCSP
- * description: N/A
- * expected: Status VERIFICATION_STATUS_GOOD and VERIFICATION_STATUS_VERIFICATION_ERROR
- * should be set.
- */
-RUNNER_TEST(test73_ocsp_local_validation_error_unknown_cert)
-{
- CertificateCacheDAO::clearCertificateCache();
-
- CertificateList lOCSPCertificates;
- CertificatePtr certificatePtr;
- CertificatePtr pCert0;
- CertificatePtr pCert1;
- CertificatePtr pRootCert;
- std::string caRootPath(cert_store_path + "cacert.pem"),
- certLevel0Path(cert_store_path + "1second_level.pem"),
- certLevel1Path(cert_store_path + "1third_level.pem");
-
- pRootCert = RevocationCheckerBase::loadPEMFile(caRootPath.c_str());
- if (!pRootCert) {
- RUNNER_ASSERT_MSG(false, "Couldn't load cacerr.pem");
- }
- lOCSPCertificates.push_back(pRootCert);
-
- pCert0 = RevocationCheckerBase::loadPEMFile(certLevel0Path.c_str());
- if (!pCert0) {
- RUNNER_ASSERT_MSG(false, "Couldn't load 1second_level.pem");
- }
- lOCSPCertificates.push_back(CertificatePtr(pCert0));
-
- pCert1 = RevocationCheckerBase::loadPEMFile(certLevel1Path.c_str());
- if (!pCert1) {
- RUNNER_ASSERT_MSG(false, "Couldn't load 1third_level.pem");
- }
- lOCSPCertificates.push_back(CertificatePtr(pCert1));
-
- OCSP ocsp;
- ocsp.setDigestAlgorithmForCertId(ValidationCore::OCSP::SHA1);
- ocsp.setDigestAlgorithmForRequest(ValidationCore::OCSP::SHA1);
-
- CertificateCollection collection;
- collection.load(lOCSPCertificates);
- RUNNER_ASSERT(collection.sort());
- CertificateList sorted = collection.getChain();
-
- ocsp.setTrustedStore(sorted);
- VerificationStatusSet status = ocsp.validateCertificateList(sorted);
-
- RUNNER_ASSERT_MSG(!status.contains(VERIFICATION_STATUS_CONNECTION_FAILED),
- "Caught OCSP connection error - check if "
- "wrt-tests-vcore-ocsp-server.sh is running!");
- RUNNER_ASSERT_MSG(status.contains(VERIFICATION_STATUS_GOOD),
- "Caught OCSP verification error exception");
- RUNNER_ASSERT_MSG(!status.contains(VERIFICATION_STATUS_REVOKED),
- "Caught OCSP verification error exception");
- RUNNER_ASSERT_MSG(status.contains(VERIFICATION_STATUS_VERIFICATION_ERROR),
- "Caught OCSP verification error exception");
- RUNNER_ASSERT_MSG(!status.contains(VERIFICATION_STATUS_UNKNOWN),
- "Caught OCSP verification error exception");
-
- CertificateCacheDAO::clearCertificateCache();
-}
-#endif
-
#define CRYPTO_HASH_TEST(text,expected,FUN) \
do { \
ValidationCore::Crypto::Hash::Base *crypto; \
-#DB vcore
-IF(DEFINED TIZEN_FEAT_CERTSVC_OCSP_CRL)
-
-ADD_CUSTOM_COMMAND(
- OUTPUT ${CMAKE_BINARY_DIR}/vcore/src/database_checksum_vcore.h
- COMMAND ${CMAKE_SOURCE_DIR}/vcore/src/orm/gen_db_md5.sh
- ARGS ${CMAKE_BINARY_DIR}/vcore/src/database_checksum_vcore.h
- ${CMAKE_SOURCE_DIR}/vcore/src/orm/vcore_db
- DEPENDS ${CMAKE_SOURCE_DIR}/vcore/src/orm/vcore_db
- ${CMAKE_SOURCE_DIR}/vcore/src/orm/gen_db_md5.sh
- COMMENT "Generating VCORE database checksum"
- )
-
-ADD_CUSTOM_COMMAND( OUTPUT .cert_svc_vcore.db
- COMMAND rm -f ${CMAKE_CURRENT_BINARY_DIR}/.cert_svc_vcore.db
- COMMAND CPATH=${DEPENDENCIES} gcc -Wall -include ${CMAKE_BINARY_DIR}/vcore/src/database_checksum_vcore.h -I${PROJECT_SOURCE_DIR}/vcore/src/orm -I${PROJECT_SOURCE_DIR}/vcore/src/dpl/db/include -E ${PROJECT_SOURCE_DIR}/vcore/src/orm/vcore_db_sql_generator.h | grep --invert-match "^#" > ${PROJECT_SOURCE_DIR}/etc/cert_svc_vcore_db.sql
- COMMAND sqlite3 ${CMAKE_CURRENT_BINARY_DIR}/.cert_svc_vcore.db ".read ${PROJECT_SOURCE_DIR}/etc/cert_svc_vcore_db.sql" || rm -f ${CMAKE_CURRENT_BINARY_DIR}/.cert_svc_vcore.db
- DEPENDS ${CMAKE_BINARY_DIR}/vcore/src/database_checksum_vcore.h ${PROJECT_SOURCE_DIR}/vcore/src/orm/vcore_db_sql_generator.h ${PROJECT_SOURCE_DIR}/vcore/src/orm/vcore_db
- )
-
-ADD_CUSTOM_COMMAND( OUTPUT .cert_svc_vcore.db-journal
- COMMAND touch
- ARGS ${CMAKE_CURRENT_BINARY_DIR}/.cert_svc_vcore.db-journal
- )
-
-ADD_CUSTOM_TARGET(Sqlite3DbVCORE ALL DEPENDS .cert_svc_vcore.db .cert_svc_vcore.db-journal)
-
-ENDIF(DEFINED TIZEN_FEAT_CERTSVC_OCSP_CRL)
-
ADD_SUBDIRECTORY(src)
ADD_DEFINITIONS("-Wextra")
ADD_DEFINITIONS("-Werror")
-IF(DEFINED TIZEN_FEAT_CERTSVC_OCSP_CRL)
-PKG_CHECK_MODULES(VCORE_DEPS
- REQUIRED
- glib-2.0
- libxml-2.0
- libpcrecpp
- openssl
- xmlsec1
- dlog
- secure-storage
- icu-uc
- libsoup-2.4
- db-util
- libsystemd-journal
-
- sqlite3
- vconf
- )
-ELSE(DEFINED TIZEN_FEAT_CERTSVC_OCSP_CRL)
PKG_CHECK_MODULES(VCORE_DEPS
REQUIRED
glib-2.0
db-util
libsystemd-journal
)
-ENDIF(DEFINED TIZEN_FEAT_CERTSVC_OCSP_CRL)
ADD_DEFINITIONS(${VCORE_DEPS_CFLAGS})
ADD_DEFINITIONS(${VCORE_DEPS_CFLAGS_OTHER})
${VCORE_SRC_DIR}/cert-svc-client.c
)
-SET(VCORE_OCSP_CRL_SOURCES
- ${VCORE_SRC_DIR}/CachedCRL.cpp
- ${VCORE_SRC_DIR}/CachedOCSP.cpp
- ${VCORE_SRC_DIR}/CertificateCacheDAO.cpp
- ${VCORE_SRC_DIR}/CertificateVerifier.cpp
- ${VCORE_SRC_DIR}/CRL.cpp
- ${VCORE_SRC_DIR}/CRLImpl.cpp
- ${VCORE_SRC_DIR}/CRLCacheDAO.cpp
- ${VCORE_SRC_DIR}/Database.cpp
- ${VCORE_SRC_DIR}/OCSP.cpp
- ${VCORE_SRC_DIR}/OCSPImpl.cpp
- ${VCORE_SRC_DIR}/SoupMessageSendBase.cpp
- ${VCORE_SRC_DIR}/SoupMessageSendSync.cpp
- ${VCORE_SRC_DIR}/OCSPUtil.c
- )
-
SET(VCORE_INCLUDES
${VCORE_DEPS_INCLUDE_DIRS}
${VCORE_SRC_DIR}
${VCORE_DIR}/src/legacy
)
-SET(VCORE_INCLUDES_OCSP_CRL
- ${VCORE_DIR}/src/orm
- )
########### VCORE SOURCES ########
-IF(DEFINED TIZEN_FEAT_CERTSVC_OCSP_CRL)
SET(VCORE_ALL_SOURCES
${VCORE_SOURCES}
${VCORE_DPL_CORE_SOURCES}
- ${VCORE_DPL_DB_SOURCES}
${VCORE_DPL_LOG_SOURCES}
- ${VCORE_OCSP_CRL_SOURCES}
)
SET(VCORE_ALL_INCLUDES
${PROJECT_SOURCE_DIR}/include
${VCORE_INCLUDES}
${VCORE_DPL_DIR}/core/include
- ${VCORE_DPL_DIR}/db/include
${VCORE_DPL_DIR}/log/include
- ${VCORE_INCLUDES_OCSP_CRL}
)
-ELSE(DEFINED TIZEN_FEAT_CERTSVC_OCSP_CRL)
-SET(VCORE_ALL_SOURCES
- ${VCORE_SOURCES}
- ${VCORE_DPL_CORE_SOURCES}
- ${VCORE_DPL_LOG_SOURCES}
- )
-SET(VCORE_ALL_INCLUDES
- ${PROJECT_SOURCE_DIR}/include
- ${VCORE_INCLUDES}
- ${VCORE_DPL_DIR}/core/include
- ${VCORE_DPL_DIR}/log/include
- )
-ENDIF(DEFINED TIZEN_FEAT_CERTSVC_OCSP_CRL)
INCLUDE_DIRECTORIES(SYSTEM ${VCORE_ALL_INCLUDES})
SOVERSION ${SO_VERSION}
VERSION ${VERSION})
-IF(DEFINED TIZEN_FEAT_CERTSVC_OCSP_CRL)
-ADD_DEPENDENCIES(${TARGET_VCORE_LIB} Sqlite3DbWTF)
-ENDIF(DEFINED TIZEN_FEAT_CERTSVC_OCSP_CRL)
-
TARGET_LINK_LIBRARIES(${TARGET_VCORE_LIB}
${VCORE_DEPS_LIBRARIES}
${TARGET_CERT_SVC_LIB}
${VCORE_DIR}/src/cert-svc/cstring.h
DESTINATION ${INCLUDEDIR}/cert-svc/cert-svc
)
-
-IF(DEFINED TIZEN_FEAT_CERTSVC_OCSP_CRL)
-INSTALL(FILES
- ${VCORE_SRC_DIR}/IAbstractResponseCache.h
- ${VCORE_SRC_DIR}/VerificationStatus.h
- ${VCORE_SRC_DIR}/CachedCRL.h
- ${VCORE_SRC_DIR}/CachedOCSP.h
- ${VCORE_SRC_DIR}/CRL.h
- ${VCORE_SRC_DIR}/CRLCacheInterface.h
- ${VCORE_SRC_DIR}/OCSP.h
- ${VCORE_SRC_DIR}/OCSPCertMgrUtil.h
- DESTINATION ${INCLUDEDIR}/cert-svc/vcore
- )
-
-INSTALL(FILES
- ${VCORE_DIR}/src/cert-svc/ccrl.h
- ${VCORE_DIR}/src/cert-svc/cocsp.h
- DESTINATION ${INCLUDEDIR}/cert-svc/cert-svc
- )
-ENDIF(DEFINED TIZEN_FEAT_CERTSVC_OCSP_CRL)
int certsvc_certificate_is_root_ca(CertSvcCertificate certificate, int *status);
/**
- * Extract all distribution point from certificate.
- *
- * @param[in] certificate Certificate with distribution points.
- * @param[out] hander Handler to set of string.
- * @return CERTSVC_SUCCESS, CERTSVC_FAIL, CERTSVC_WRONG_ARGUMENT
- *
- * Usage example:
- *
- * int max;
- * CertSvcStringList handler;
- * certsvc_certificate_get_crl_distribution_points(instance, some_certificate, &handler);
- * certsvc_certificate_list_get_length(handler, &max);
- * for(int i=0; i<max; ++i)
- * char *buffer;
- * int len;
- * CertSvcString string;
- * certsvc_string_list_get_one(handler, i, &string);
- * printf("%s\n", buffer);
- * certsvc_string_free(buffer); // optional
- * }
- * certsvc_string_list_free(handler); // optional
- */
-#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
-int certsvc_certificate_get_crl_distribution_points(CertSvcCertificate certificate,
- CertSvcStringList *handler);
-#endif
-
-/**
* Sort certificates chain. This fuction modifies certificate_array.
*
* If function success:
+++ /dev/null
-Scripts required to create vcoredatabase.
+++ /dev/null
-#!/bin/sh
-CHECKSUM=`cat ${2} ${3} 2>/dev/null | md5sum 2>/dev/null | cut -d\ -f1 2>/dev/null`
-echo "#define DB_CHECKSUM DB_VERSION_${CHECKSUM}" > ${1}
-echo "#define DB_CHECKSUM_STR \"DB_VERSION_${CHECKSUM}\"" >> ${1}
-
+++ /dev/null
-/*
- * Copyright (c) 2011 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef ORM_GENERATOR_VCORE_H
-#define ORM_GENERATOR_VCORE_H
-
-#define ORM_GENERATOR_DATABASE_NAME vcore_db_definitions
-#include <dpl/db/orm_generator.h>
-#undef ORM_GENERATOR_DATABASE_NAME
-
-#endif // ORM_GENERATOR_VCORE_H
+++ /dev/null
-SQL(
- PRAGMA foreign_keys = ON;
- BEGIN TRANSACTION;
-)
-CREATE_TABLE(OCSPResponseStorage)
- COLUMN_NOT_NULL(cert_chain, TEXT,)
- COLUMN(end_entity_check, INT,)
- COLUMN(ocsp_status, INT,)
- COLUMN(next_update_time, BIGINT,)
- TABLE_CONSTRAINTS(
- PRIMARY KEY(cert_chain, end_entity_check)
- )
-CREATE_TABLE_END()
-
-CREATE_TABLE(CRLResponseStorage)
- COLUMN_NOT_NULL(distribution_point,TEXT, primary key)
- COLUMN_NOT_NULL(crl_body, TEXT,)
- COLUMN(next_update_time, BIGINT,)
-CREATE_TABLE_END()
-
-SQL(
- COMMIT;
-)
+++ /dev/null
-DATABASE_START(vcore)
-
-#include "vcore_db"
-#include "version_db"
-
-DATABASE_END()
+++ /dev/null
-/*
- * Copyright (c) 2011 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-//Do not include this file directly! It is used only for SQL code generation.
-
-#include <dpl/db/orm_macros.h>
-
-#include "vcore_db_definitions"
+++ /dev/null
-SQL(
- BEGIN TRANSACTION;
- CREATE TABLE DB_CHECKSUM (version INT);
- COMMIT;
-)
+++ /dev/null
-/*
- * Copyright (c) 2011 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-/*!
- * @author Bartlomiej Grzelewski(b.grzelewski@samsung.com)
- * @version 0.2
- * @file CRL.cpp
- * @brief Routines for certificate validation over CRL
- */
-
-#include <vcore/CRL.h>
-#include <vcore/CRLImpl.h>
-
-namespace ValidationCore {
-
-CRL::CRL(CRLCacheInterface *ptr)
- : m_impl(new CRLImpl(ptr))
-{}
-
-CRL::~CRL() {
- delete m_impl;
-}
-
-CRL::RevocationStatus CRL::checkCertificate(const CertificatePtr &argCert) {
- return m_impl->checkCertificate(argCert);
-}
-
-CRL::RevocationStatus CRL::checkCertificateChain(
- CertificateCollection certChain)
-{
- return m_impl->checkCertificateChain(certChain);
-}
-
-VerificationStatus CRL::checkEndEntity(CertificateCollection &chain) {
- return m_impl->checkEndEntity(chain);
-}
-
-void CRL::addToStore(const CertificatePtr &argCert) {
- m_impl->addToStore(argCert);
-}
-
-bool CRL::updateList(const CertificatePtr &argCert,
- const UpdatePolicy updatePolicy)
-{
- return m_impl->updateList(argCert, updatePolicy);
-}
-
-void CRL::addToStore(const CertificateCollection &collection) {
- m_impl->addToStore(collection);
-}
-
-bool CRL::updateList(const CertificateCollection &collection,
- UpdatePolicy updatePolicy)
-{
- return m_impl->updateList(collection, updatePolicy);
-}
-
-} // namespace ValidationCore
+++ /dev/null
-/*
- * Copyright (c) 2011 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-/*!
- * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com)
- * @version 0.5
- * @file CRL.h
- * @brief Routines for certificate validation over CRL
- */
-
-#ifndef _VALIDATION_CORE_ENGINE_CRL_H_
-#define _VALIDATION_CORE_ENGINE_CRL_H_
-
-#include <list>
-#include <string>
-
-#include <vcore/Certificate.h>
-#include <vcore/CertificateCollection.h>
-#include <vcore/VerificationStatus.h>
-#include <vcore/CRLCacheInterface.h>
-#include <vcore/exception.h>
-
-namespace ValidationCore {
-namespace CRLException {
-VCORE_DECLARE_EXCEPTION_TYPE(ValidationCore::Exception, Base)
-VCORE_DECLARE_EXCEPTION_TYPE(Base, StorageError)
-VCORE_DECLARE_EXCEPTION_TYPE(Base, InternalError)
-VCORE_DECLARE_EXCEPTION_TYPE(Base, InvalidParameter)
-
-} // namespace CRLException
-
-class CRLImpl;
-
-class CRL {
-public:
- typedef std::list<std::string> StringList;
-
- enum UpdatePolicy
- {
- UPDATE_ON_EXPIRED, /**< Download and update CRL only when next update
- date has expired */
- UPDATE_ON_DEMAND /**< Download and update CRL regardless next update
- date */
- };
-
- struct RevocationStatus
- {
- bool isCRLValid; /**< True when CRL was valid during
- certificate validation */
- bool isRevoked; /**< True when certificate is revoked */
- };
-
- CRL() = delete;
- CRL(CRLCacheInterface *ptr);
- virtual ~CRL();
-
- /**
- * @brief Checks if given certificate is revoked.
- *
- * @details This function doesn't update CRL list. If related CRL
- * is out of date the #isCRLValid return parameter is set to false.
- *
- * @param[in] argCert The certificate to check against revocation.
- * @return RevocationStatus.isRevoked True when certificate is revoked,
- * false otherwise.
- * RevocationStatus.isCRLValid True if related CRL has not expired,
- * false otherwise.
- */
- RevocationStatus checkCertificate(const CertificatePtr &argCert);
-
- /**
- * @brief Checks if any certificate from certificate chain is revoked.
- *
- * @details This function doesn't update CRL lists. If any of related
- * CRL is out of date the #isCRLValid parameter is set to true.
- * This function adds valid certificates from the chain to internal storage
- * map so they'll be available in further check operations for current
- * CRL object.
- *
- * @param[in] argCert The certificate chain to check against revocation.
- * @return RevocationStatus.isRevoked True when any from certificate chain
- * is revoked, false otherwise.
- * RevocationStatus.isCRLValid True if all of related CRLs has
- * not expired, false otherwise.
- */
- RevocationStatus checkCertificateChain(CertificateCollection certChain);
-
- VerificationStatus checkEndEntity(CertificateCollection &chain);
-
- /**
- * @brief Updates CRL related with given certificate.
- *
- * @details This function updates CRL list related with given certificate.
- * If CRL related with given certificate is not stored in database
- * then this function will download CRL and store it in database.
- *
- * @param[in] argCert The certificate for which the CRL will be updated
- * @param[in] updatePolicy Determine when CRL will be downloaded and updated
- * @return True when CRL for given certificate was updated successfully,
- * false otherwise.
- */
- bool updateList(const CertificatePtr &argCert,
- const UpdatePolicy updatePolicy);
-
- /**
- * @brief Updates CRL related with given certificates.
- *
- * @details This function updates CRL lists related with given certificates.
- * If CRL related with given certificate is not stored in database
- * then this function will download CRL and store it in database.
- *
- * @param[in] collection The certificate collection for which the CRL will
- * be updated
- * @param[in] updatePolicy Determine when CRL will be downloaded and updated
- * @return True when CRL for given certificate was updated successfully,
- * false otherwise.
- */
- bool updateList(const CertificateCollection &collection,
- const UpdatePolicy updatePolisy);
-
- /**
- * @brief Add certificates to trusted certificates store.
- *
- * @param[in] collection The certificate collection which will be
- * added to known certificate store.
- */
- void addToStore(const CertificateCollection &collection);
-
- /**
- * @brief Add one certificate to trusted certificates store.
- *
- * @param[in] collection The certificate collection which will be
- * added to known certificate store.
- */
- void addToStore(const CertificatePtr &argCert);
-private:
- friend class CachedCRL;
- CRLImpl *m_impl;
-
- CRL(const CRL &);
- const CRL &operator=(const CRL &);
-};
-
-} // namespace ValidationCore
-
-#endif // _VALIDATION_CORE_ENGINE_CRL_H_
+++ /dev/null
-/*
- * Copyright (c) 2011 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-/*
- * @author Bartlomiej Grzelewski(b.grzelewski@samsung.com)
- * @version 0.1
- * @file CRLCacheDAO.cpp
- * @brief CRLCacheInterface implementation.
- */
-
-#include <vcore/CRLCacheDAO.h>
-#include <vcore/CertificateCacheDAO.h>
-
-namespace ValidationCore {
-
-bool CRLCacheDAO::getCRLResponse(CRLCachedData *ptr){
- return CertificateCacheDAO::getCRLResponse(ptr);
-}
-
-void CRLCacheDAO::setCRLResponse(CRLCachedData *ptr){
- CertificateCacheDAO::setCRLResponse(ptr);
-}
-
-} // namespace ValidationCore
+++ /dev/null
-/*
- * Copyright (c) 2011 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-/*
- * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com)
- * @version 0.1
- * @file CRLCacheDAO.h
- * @brief CRLCacheInterface implementation.
- */
-#ifndef _CRLCACHEDAO_H_
-#define _CRLCACHEDAO_H_
-
-#include <vcore/CRLCacheInterface.h>
-
-namespace ValidationCore {
-
-class CRLCacheDAO : public CRLCacheInterface {
-public:
- virtual bool getCRLResponse(CRLCachedData *ptr);
- virtual void setCRLResponse(CRLCachedData *ptr);
-};
-
-} // namespace ValidationCore
-
-#endif
+++ /dev/null
-/*
- * Copyright (c) 2011 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-/*!
- * @author Piotr Marcinkiewicz(p.marcinkiew@samsung.com)
- * @version 0.2
- * @file CRLImpl.cpp
- * @brief Routines for certificate validation over CRL
- */
-
-#include <vcore/CRL.h>
-#include <vcore/CRLImpl.h>
-
-#include <set>
-#include <algorithm>
-
-#include <openssl/err.h>
-#include <openssl/objects.h>
-#include <openssl/ocsp.h>
-#include <openssl/pem.h>
-#include <openssl/x509v3.h>
-
-#include <dpl/log/log.h>
-#include <dpl/assert.h>
-#include <dpl/db/orm.h>
-#include <dpl/foreach.h>
-
-#include <vcore/Base64.h>
-#include <vcore/Certificate.h>
-#include <vcore/SoupMessageSendSync.h>
-#include <vcore/CRLCacheInterface.h>
-
-namespace {
-const char *CRL_LOOKUP_DIR = "/usr/share/ca-certificates/wac";
-} //anonymous namespace
-
-namespace ValidationCore {
-
-CRL::StringList CRLImpl::getCrlUris(const CertificatePtr &argCert)
-{
- CRL::StringList result = argCert->getCrlUris();
-
- if (!result.empty())
- return result;
-
- LogInfo("No distribution points found. Getting from CA cert.");
- X509_STORE_CTX *ctx = createContext(argCert);
- X509_OBJECT obj;
-
- //Try to get distribution points from CA certificate
- int retVal = X509_STORE_get_by_subject(ctx, X509_LU_X509,
- X509_get_issuer_name(argCert->
- getX509()),
- &obj);
- X509_STORE_CTX_free(ctx);
- if (0 >= retVal) {
- LogError("No dedicated CA certificate available");
- return result;
- }
- CertificatePtr caCert(new Certificate(obj.data.x509));
- X509_OBJECT_free_contents(&obj);
- return caCert->getCrlUris();
-}
-
-CRLImpl::CRLImpl(CRLCacheInterface *ptr)
- : m_crlCache(ptr)
-{
- Assert(m_crlCache != NULL);
-
- LogInfo("CRL storage initialization.");
- m_store = X509_STORE_new();
- if (!m_store)
- VcoreThrowMsg(CRLException::StorageError,
- "impossible to create new store");
-
- m_lookup = X509_STORE_add_lookup(m_store, X509_LOOKUP_hash_dir());
- if (!m_lookup) {
- cleanup();
- VcoreThrowMsg(CRLException::StorageError,
- "impossible to add hash dir lookup");
- }
- // Add hash dir pathname for CRL checks
- bool retVal = X509_LOOKUP_add_dir(m_lookup, CRL_LOOKUP_DIR, X509_FILETYPE_PEM) == 1;
- retVal &= X509_LOOKUP_add_dir(m_lookup, CRL_LOOKUP_DIR, X509_FILETYPE_ASN1) == 1;
- if (!retVal) {
- cleanup();
- VcoreThrowMsg(CRLException::StorageError,
- "Failed to add lookup dir for PEM files");
- }
- LogInfo("CRL storage initialization complete.");
-}
-
-CRLImpl::~CRLImpl()
-{
- cleanup();
- delete m_crlCache;
-}
-
-void CRLImpl::cleanup()
-{
- LogInfo("Free CRL storage");
- // STORE is responsible for LOOKUP release
- // X509_LOOKUP_free(m_lookup);
- X509_STORE_free(m_store);
-}
-
-CRL::RevocationStatus CRLImpl::checkCertificate(const CertificatePtr &argCert)
-{
- CRL::RevocationStatus retStatus = {false, false};
- int retVal = 0;
- CRL::StringList crlUris = getCrlUris(argCert);
- FOREACH(it, crlUris) {
- CRLDataPtr crl = getCRL(*it);
- if (!crl) {
- LogDebug("CRL not found for URI: " << *it);
- continue;
- }
- X509_CRL *crlInternal = convertToInternal(crl);
-
- //Check date
- if (X509_CRL_get_nextUpdate(crlInternal)) {
- retVal = X509_cmp_current_time(
- X509_CRL_get_nextUpdate(crlInternal));
- retStatus.isCRLValid = retVal > 0;
- } else {
- // If nextUpdate is not set assume it is actual.
- retStatus.isCRLValid = true;
- }
- LogInfo("CRL valid: " << retStatus.isCRLValid);
- X509_REVOKED rev;
- rev.serialNumber = X509_get_serialNumber(argCert->getX509());
- // sk_X509_REVOKED_find returns index if serial number is found on list
- retVal = sk_X509_REVOKED_find(crlInternal->crl->revoked, &rev);
- X509_CRL_free(crlInternal);
- retStatus.isRevoked = retVal != -1;
- LogInfo("CRL revoked: " << retStatus.isRevoked);
-
- if (!retStatus.isRevoked && isOutOfDate(crl)) {
- LogDebug("Certificate is not Revoked, but CRL is outOfDate.");
- continue;
- }
-
- return retStatus;
- }
- // If there is no CRL for any of URIs it means it's not possible to
- // tell anything about revocation status but it's is not an error.
- return retStatus;
-}
-
-CRL::RevocationStatus CRLImpl::checkCertificateChain(CertificateCollection certChain)
-{
- if (!certChain.sort())
- VcoreThrowMsg(CRLException::InvalidParameter,
- "Certificate list doesn't create chain.");
-
- CRL::RevocationStatus ret;
- ret.isCRLValid = true;
- ret.isRevoked = false;
- const CertificateList &certList = certChain.getChain();
- FOREACH(it, certList) {
- if (!(*it)->isRootCert()) {
- LogInfo("Certificate common name: " << (*it)->getCommonName());
- CRL::RevocationStatus certResult = checkCertificate(*it);
- ret.isCRLValid &= certResult.isCRLValid;
- ret.isRevoked |= certResult.isRevoked;
- if (ret.isCRLValid && !ret.isRevoked) {
- addToStore(*it);
- }
-
- if (ret.isRevoked) {
- return ret;
- }
- }
- }
-
- return ret;
-}
-
-VerificationStatus CRLImpl::checkEndEntity(CertificateCollection &chain)
-{
- if (!chain.sort() && !chain.empty()) {
- LogInfo("Could not find End Entity certificate. "
- "Collection does not form chain.");
- return VERIFICATION_STATUS_ERROR;
- }
- CertificateList::const_iterator iter = chain.begin();
- CRL::RevocationStatus stat = checkCertificate(*iter);
- if (stat.isRevoked) {
- return VERIFICATION_STATUS_REVOKED;
- }
- if (stat.isCRLValid) {
- return VERIFICATION_STATUS_GOOD;
- }
- return VERIFICATION_STATUS_ERROR;
-}
-
-void CRLImpl::addToStore(const CertificatePtr &argCert)
-{
- X509_STORE_add_cert(m_store, argCert->getX509());
-}
-
-bool CRLImpl::isOutOfDate(const CRLDataPtr &crl) const {
- X509_CRL *crlInternal = convertToInternal(crl);
-
- bool result = false;
- if (X509_CRL_get_nextUpdate(crlInternal)) {
- if (0 > X509_cmp_current_time(X509_CRL_get_nextUpdate(crlInternal))) {
- result = true;
- } else {
- result = false;
- }
- } else {
- result = true;
- }
- X509_CRL_free(crlInternal);
- return result;
-}
-
-bool CRLImpl::updateList(const CertificatePtr &argCert,
- const CRL::UpdatePolicy updatePolicy)
-{
- LogInfo("Update CRL for certificate");
-
- // Retrieve distribution points
- CRL::StringList crlUris = getCrlUris(argCert);
- FOREACH(it, crlUris) {
- // Try to get CRL from database
- LogInfo("Getting CRL for URI: " << *it);
-
- bool downloaded = false;
-
- CRLDataPtr crl;
-
- // If updatePolicy == UPDATE_ON_DEMAND we dont care
- // about data in cache. New crl must be downloaded.
- if (updatePolicy == CRL::UPDATE_ON_EXPIRED) {
- crl = getCRL(*it);
- }
-
- if (!!crl && isOutOfDate(crl)) {
- LogDebug("Crl out of date - downloading.");
- crl = downloadCRL(*it);
- downloaded = true;
- }
-
- if (!crl) {
- LogDebug("Crl not found in cache - downloading.");
- crl = downloadCRL(*it);
- downloaded = true;
- }
-
- if (!crl) {
- LogDebug("Failed to obtain CRL. URL: " << *it);
- continue;
- }
-
- if (!!crl && isOutOfDate(crl)) {
- LogError("CRL out of date. Broken URL: " << *it);
- }
-
- // Make X509 internal structure
- X509_CRL *crlInternal = convertToInternal(crl);
-
- //Check if CRL is signed
- if (!verifyCRL(crlInternal, argCert)) {
- LogError("Failed to verify CRL. URI: " << (crl->uri).c_str());
- X509_CRL_free(crlInternal);
- return false;
- }
- X509_CRL_free(crlInternal);
-
- if (downloaded) {
- updateCRL(crl);
- }
- return true;
- }
-
- return false;
-}
-
-void CRLImpl::addToStore(const CertificateCollection &collection)
-{
- FOREACH(it, collection){
- addToStore(*it);
- }
-}
-
-bool CRLImpl::updateList(const CertificateCollection &collection,
- CRL::UpdatePolicy updatePolicy)
-{
- bool failed = false;
-
- FOREACH(it, collection){
- failed |= !updateList(*it, updatePolicy);
- }
-
- return !failed;
-}
-
-bool CRLImpl::verifyCRL(X509_CRL *crl,
- const CertificatePtr &cert)
-{
- X509_OBJECT obj;
- X509_STORE_CTX *ctx = createContext(cert);
-
- /* get issuer certificate */
- int retVal = X509_STORE_get_by_subject(ctx, X509_LU_X509,
- X509_CRL_get_issuer(crl), &obj);
- X509_STORE_CTX_free(ctx);
- if (0 >= retVal) {
- LogError("Unknown CRL issuer certificate!");
- return false;
- }
-
- /* extract public key and verify signature */
- EVP_PKEY *pkey = X509_get_pubkey(obj.data.x509);
- X509_OBJECT_free_contents(&obj);
- if (!pkey) {
- LogError("Failed to get issuer's public key.");
- return false;
- }
- retVal = X509_CRL_verify(crl, pkey);
- EVP_PKEY_free(pkey);
- if (0 > retVal) {
- LogError("Failed to verify CRL.");
- return false;
- } else if (0 == retVal) {
- LogError("CRL is invalid");
- return false;
- }
- LogInfo("CRL is valid.");
- return true;
-}
-
-bool CRLImpl::isPEMFormat(const CRLDataPtr &crl) const
-{
- const char *pattern = "-----BEGIN X509 CRL-----";
- std::string content(crl->buffer, crl->length);
- if (content.find(pattern) != std::string::npos) {
- LogInfo("CRL is in PEM format.");
- return true;
- }
- LogInfo("CRL is in DER format.");
- return false;
-}
-
-X509_CRL *CRLImpl::convertToInternal(const CRLDataPtr &crl) const
-{
- //At this point it's not clear does crl have DER or PEM format
- X509_CRL *ret = NULL;
- if (isPEMFormat(crl)) {
- BIO *bmem = BIO_new_mem_buf(crl->buffer, crl->length);
- if (!bmem)
- VcoreThrowMsg(CRLException::InternalError,
- "Failed to allocate memory in BIO");
-
- ret = PEM_read_bio_X509_CRL(bmem, NULL, NULL, NULL);
- BIO_free_all(bmem);
- } else {
- //If it's not PEM it must be DER format
- std::string content(crl->buffer, crl->length);
- const unsigned char *buffer =
- reinterpret_cast<unsigned char*>(crl->buffer);
- ret = d2i_X509_CRL(NULL, &buffer, crl->length);
- }
-
- if (!ret)
- VcoreThrowMsg(CRLException::InternalError,
- "Failed to convert to internal structure");
- return ret;
-}
-
-X509_STORE_CTX *CRLImpl::createContext(const CertificatePtr &argCert)
-{
- X509_STORE_CTX *ctx;
- ctx = X509_STORE_CTX_new();
- if (!ctx)
- VcoreThrowMsg(CRLException::StorageError, "Failed to create new ctx");
-
- X509_STORE_CTX_init(ctx, m_store, argCert->getX509(), NULL);
- return ctx;
-}
-
-CRLImpl::CRLDataPtr CRLImpl::downloadCRL(const std::string &uri)
-{
- using namespace SoupWrapper;
-
- char *cport = 0, *chost = 0,*cpath = 0;
- int use_ssl = 0;
-
- if (!OCSP_parse_url(const_cast<char*>(uri.c_str()),
- &chost,
- &cport,
- &cpath,
- &use_ssl))
- {
- LogWarning("Error in OCSP_parse_url");
- return CRLDataPtr();
- }
-
- std::string host = chost;
- if (cport) {
- host += ":";
- host += cport;
- }
-
- free(cport);
- free(chost);
- free(cpath);
-
- SoupMessageSendSync message;
- message.setHost(uri);
- message.setHeader("Host", host);
-
- if (SoupMessageSendSync::REQUEST_STATUS_OK != message.sendSync()) {
- LogWarning("Error in sending network request.");
- return CRLDataPtr();
- }
-
- SoupMessageSendBase::MessageBuffer mBuffer = message.getResponse();
- return CRLDataPtr(new CRLData(mBuffer,uri));
-}
-
-CRLImpl::CRLDataPtr CRLImpl::getCRL(const std::string &uri) const
-{
- CRLCachedData cachedCrl;
- cachedCrl.distribution_point = uri;
- if (!(m_crlCache->getCRLResponse(&cachedCrl))) {
- LogInfo("CRL not present in database. URI: " << uri);
- return CRLDataPtr();
- }
-
- std::string body = cachedCrl.crl_body;
-
- LogInfo("CRL found in database.");
- //TODO: remove when ORM::blob available
- //Encode buffer to base64 format to store in database
-
- Base64Decoder decoder;
- decoder.append(body);
- if (!decoder.finalize())
- VcoreThrowMsg(CRLException::StorageError,
- "Failed to decode base64 format.");
- std::string crlBody = decoder.get();
-
- std::unique_ptr<char[]> bodyBuffer(new char[crlBody.length()]);
- crlBody.copy(bodyBuffer.get(), crlBody.length());
- return CRLDataPtr(new CRLData(bodyBuffer.release(), crlBody.length(),
- uri));
-}
-
-void CRLImpl::updateCRL(const CRLDataPtr &crl)
-{
- //TODO: remove when ORM::blob available
- //Encode buffer to base64 format to store in database
- Base64Encoder encoder;
- if (!crl || !crl->buffer)
- VcoreThrowMsg(CRLException::InternalError, "CRL buffer is empty");
-
- encoder.append(std::string(crl->buffer, crl->length));
- encoder.finalize();
- std::string b64CRLBody = encoder.get();
-
- time_t nextUpdateTime = 0;
- X509_CRL *crlInternal = convertToInternal(crl);
-
- if (X509_CRL_get_nextUpdate(crlInternal)) {
- asn1TimeToTimeT(X509_CRL_get_nextUpdate(crlInternal),
- &nextUpdateTime);
- }
-
- X509_CRL_free(crlInternal);
- //Update/insert crl body
- CRLCachedData data;
- data.distribution_point = crl->uri;
- data.crl_body = b64CRLBody;
- data.next_update_time = nextUpdateTime;
-
- m_crlCache->setCRLResponse(&data);
-}
-
-} // namespace ValidationCore
+++ /dev/null
-/*
- * Copyright (c) 2011 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-/*!
- * @author Piotr Marcinkiewicz(p.marcinkiew@samsung.com)
- * @version 0.4
- * @file CRLImpl.h
- * @brief Routines for certificate validation over CRL
- */
-
-#ifndef _VALIDATION_CORE_ENGINE_CRLIMPL_H_
-#define _VALIDATION_CORE_ENGINE_CRLIMPL_H_
-
-#include <string.h>
-#include <memory>
-#include <openssl/x509.h>
-
-#include <dpl/noncopyable.h>
-
-#include <vcore/Certificate.h>
-#include <vcore/CertificateCollection.h>
-#include <vcore/SoupMessageSendBase.h>
-#include <vcore/VerificationStatus.h>
-#include <vcore/CRLCacheInterface.h>
-#include <vcore/TimeConversion.h>
-
-#include <vcore/CRL.h>
-
-namespace ValidationCore {
-
-class CRLImpl : VcoreDPL::Noncopyable {
-protected:
- X509_STORE *m_store;
- X509_LOOKUP *m_lookup;
- CRLCacheInterface *m_crlCache;
-
- class CRLData : VcoreDPL::Noncopyable {
- public:
- //TODO: change to SharedArray when available
- char *buffer;
- size_t length;
- std::string uri;
-
- CRLData(char* _buffer,
- size_t _length,
- const std::string &_uri) :
- buffer(_buffer),
- length(_length),
- uri(_uri)
- {
- }
-
- CRLData(const SoupWrapper::SoupMessageSendBase::MessageBuffer &mBuff,
- const std::string &mUri)
- : uri(mUri)
- {
- buffer = new char[mBuff.size()];
- length = mBuff.size();
- memcpy(buffer, &mBuff[0], mBuff.size());
- }
-
- ~CRLData()
- {
- delete[] buffer;
- }
- };
- typedef std::shared_ptr<CRLData> CRLDataPtr;
-
- CRLDataPtr getCRL(const std::string &uri) const;
- CRLDataPtr downloadCRL(const std::string &uri);
- X509_STORE_CTX *createContext(const CertificatePtr &argCert);
- void updateCRL(const CRLDataPtr &crl);
- X509_CRL *convertToInternal(const CRLDataPtr &crl) const;
- CRL::StringList getCrlUris(const CertificatePtr &argCert);
- bool isPEMFormat(const CRLDataPtr &crl) const;
- bool verifyCRL(X509_CRL *crl,
- const CertificatePtr &cert);
- void cleanup();
- bool isOutOfDate(const CRLDataPtr &crl) const;
-
- friend class CachedCRL;
-
-public:
- CRLImpl(CRLCacheInterface *ptr);
- ~CRLImpl();
-
- /**
- * @brief Checks if given certificate is revoked.
- *
- * @details This function doesn't update CRL list. If related CRL
- * is out of date the #isCRLValid return parameter is set to false.
- *
- * @param[in] argCert The certificate to check against revocation.
- * @return RevocationStatus.isRevoked True when certificate is revoked,
- * false otherwise.
- * RevocationStatus.isCRLValid True if related CRL has not expired,
- * false otherwise.
- */
- CRL::RevocationStatus checkCertificate(const CertificatePtr &argCert);
-
- /**
- * @brief Checks if any certificate from certificate chain is revoked.
- *
- * @details This function doesn't update CRL lists. If any of related
- * CRL is out of date the #isCRLValid parameter is set to true.
- * This function adds valid certificates from the chain to internal storage
- * map so they'll be available in further check operations for current
- * CRL object.
- *
- * @param[in] argCert The certificate chain to check against revocation.
- * @return RevocationStatus.isRevoked True when any from certificate chain
- * is revoked, false otherwise.
- * RevocationStatus.isCRLValid True if all of related CRLs has
- * not expired, false otherwise.
- */
- CRL::RevocationStatus checkCertificateChain(CertificateCollection certChain);
-
- VerificationStatus checkEndEntity(CertificateCollection &chain);
-
- /**
- * @brief Updates CRL related with given certificate.
- *
- * @details This function updates CRL list related with given certificate.
- * If CRL related with given certificate is not stored in database
- * then this function will download CRL and store it in database.
- *
- * @param[in] argCert The certificate for which the CRL will be updated
- * @param[in] updatePolicy Determine when CRL will be downloaded and updated
- * @return True when CRL for given certificate was updated successfully,
- * false otherwise.
- */
- bool updateList(const CertificatePtr &argCert,
- const CRL::UpdatePolicy updatePolicy);
-
- /**
- * @brief Updates CRL related with given certificates.
- *
- * @details This function updates CRL lists related with given certificates.
- * If CRL related with given certificate is not stored in database
- * then this function will download CRL and store it in database.
- *
- * @param[in] collection The certificate collection for which the CRL will
- * be updated
- * @param[in] updatePolicy Determine when CRL will be downloaded and updated
- * @return True when CRL for given certificate was updated successfully,
- * false otherwise.
- */
- bool updateList(const CertificateCollection &collection,
- const CRL::UpdatePolicy updatePolisy);
-
- /**
- * @brief Add certificates to trusted certificates store.
- *
- * @param[in] collection The certificate collection which will be
- * added to known certificate store.
- */
- void addToStore(const CertificateCollection &collection);
-
- /**
- * @brief Add one certificate to trusted certificates store.
- *
- * @param[in] collection The certificate collection which will be
- * added to known certificate store.
- */
- void addToStore(const CertificatePtr &argCert);
-};
-
-} // ValidationCore
-
-#endif // _VALIDATION_CORE_ENGINE_CRLIMPL_H_
+++ /dev/null
-/*
- * Copyright (c) 2011 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-/**
- *
- * @file CachedCRL.cpp
- * @author Tomasz Swierczek (t.swierczek@samsung.com)
- * @version 0.2
- * @brief Cached CRL class implementation
- */
-#include <vcore/CachedCRL.h>
-
-#include <dpl/foreach.h>
-#include <dpl/log/log.h>
-
-#include <vcore/CRLImpl.h>
-#include <vcore/CertificateCacheDAO.h>
-#include <vcore/CRLCacheDAO.h>
-
-namespace {
-
-const time_t CRL_minTimeValid = 3600; // one hour in seconds
-
-const time_t CRL_maxTimeValid = 3600 * 24 * 7; // one week in seconds
-
-const time_t CRL_refreshBefore = 3600; // one hour in seconds
-
-time_t getNextUpdateTime(time_t now, time_t response_validity)
-{
- time_t min = now + CRL_minTimeValid;
- time_t max = now + CRL_maxTimeValid;
- if (response_validity < min) {
- return min;
- }
- if (response_validity > max) {
- return max;
- }
- return response_validity;
-}
-
-} // namespace anonymous
-
-namespace ValidationCore {
-
-time_t CachedCRL::getCRLMinTimeValid() {
- return CRL_minTimeValid;
-}
-
-time_t CachedCRL::getCRLMaxTimeValid() {
- return CRL_maxTimeValid;
-}
-
-time_t CachedCRL::getCRLRefreshBefore() {
- return CRL_refreshBefore;
-}
-
-CachedCRL::CachedCRL(){}
-CachedCRL::~CachedCRL(){}
-
-VerificationStatus CachedCRL::check(const CertificateCollection &certs)
-{
- CRLImpl crl(new CRLCacheDAO);
- bool allValid = true;
- // we dont check CRL validity since
- // we may use crl for longer time
- // in smart cache than in regular CRL class (time clamping)
- crl.addToStore(certs);
- FOREACH(cert, certs){
- CRL::StringList crlUris = crl.getCrlUris(*cert);
- FOREACH(uri, crlUris) {
- allValid = allValid && updateCRLForUri(*uri,false);
- }
- }
- if (!allValid) {
- // problems with CRL validity
- LogDebug("Some CRLs not valid");
- }
- CRL::RevocationStatus stat;
- Try {
- stat = crl.checkCertificateChain(certs);
- } Catch(CRLException::InvalidParameter) {
- // List does not form a chain
- return VERIFICATION_STATUS_ERROR;
- }
- if (stat.isRevoked) {
- LogDebug("Status REVOKED");
- return VERIFICATION_STATUS_REVOKED;
- }
- LogDebug("Status GOOD");
- return VERIFICATION_STATUS_GOOD;
-}
-
-VerificationStatus CachedCRL::checkEndEntity(CertificateCollection &certs)
-{
- if (certs.empty()) {
- LogError("Collection empty. This should never happen.");
- return VERIFICATION_STATUS_ERROR;
- }
- if (!certs.sort()) {
- LogError("Could not find End Entity certificate. "
- "Collection does not form chain.");
- return VERIFICATION_STATUS_ERROR;
- }
- CRLImpl crl(new CRLCacheDAO);
- bool allValid = true;
- // we dont check CRL validity since
- // we may use crl for longer time
- // in smart cache than in regular CRL class (time clamping)
- crl.addToStore(certs);
- CertificateList::const_iterator icert = certs.begin();
- if (icert != certs.end()) {
- CRL::StringList crlUris = crl.getCrlUris(*icert);
- FOREACH(uri, crlUris) {
- allValid = allValid && updateCRLForUri(*uri,false);
- }
- }
- if (!allValid) {
- // problems with CRL validity
- LogDebug("Some CRLs not valid");
- }
- CertificateList::const_iterator iter = certs.begin();
- CRL::RevocationStatus stat = crl.checkCertificate(*iter);
- if (stat.isRevoked) {
- LogDebug("Status REVOKED");
- return VERIFICATION_STATUS_REVOKED;
- }
- LogDebug("Status GOOD");
- return VERIFICATION_STATUS_GOOD;
-}
-
-void CachedCRL::updateCache()
-{
- CRLCachedDataList list;
- CertificateCacheDAO::getCRLResponseList(&list);
- FOREACH(db_crl, list) {
- updateCRLForUri(db_crl->distribution_point, true);
- }
-}
-
-bool CachedCRL::updateCRLForUri(const std::string &uri, bool useExpiredShift)
-{
- using namespace ValidationCore;
- CRLCachedData cachedCRL;
- cachedCRL.distribution_point = uri;
- time_t now;
- time(&now);
- if (useExpiredShift) {
- now += CRL_refreshBefore;
- }
- if (CertificateCacheDAO::getCRLResponse(&cachedCRL)) {
- if (now < cachedCRL.next_update_time) {
- LogDebug("Cached CRL still valid for : " << uri);
- return true;
- }
- }
- // need to download new CRL
- CRLImpl crl(new CRLCacheDAO);
- CRLImpl::CRLDataPtr list = crl.downloadCRL(uri);
- if (!list) {
- LogWarning("Could not retreive CRL from " << uri);
- return false;
- }
- crl.updateCRL(list);
- CertificateCacheDAO::getCRLResponse(&cachedCRL); // save it the way CRL does
- cachedCRL.next_update_time =
- getNextUpdateTime(now,cachedCRL.next_update_time);
- CertificateCacheDAO::setCRLResponse(cachedCRL.distribution_point,
- cachedCRL.crl_body,
- cachedCRL.next_update_time);
- return true;
-}
-
-} // namespace ValidationCore
+++ /dev/null
-/*
- * Copyright (c) 2011 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-/**
- *
- * @file CachedCRL.h
- * @author Tomasz Swierczek (t.swierczek@samsung.com)
- * @version 0.2
- * @brief Header file for smart cached CRL class
- */
-
-#ifndef _VALIDATION_CORE_CACHED_CRL_H_
-#define _VALIDATION_CORE_CACHED_CRL_H_
-
-#include <ctime>
-#include <string>
-
-#include <vcore/Certificate.h>
-#include <vcore/CertificateCollection.h>
-#include <vcore/VerificationStatus.h>
-#include <vcore/IAbstractResponseCache.h>
-
-namespace ValidationCore {
-
-class CachedCRL : public IAbstractResponseCache {
-public:
- // cache can't be refreshed more frequently than CRL_minTimeValid
- static time_t getCRLMinTimeValid();
-
- // to be even more secure, cache will be refreshed for certificate at least
- // after CRL_maxTimeValid from last response
- static time_t getCRLMaxTimeValid();
-
- // upon cache refresh, responses that will be invalid in CRL_refreshBefore
- // seconds will be refreshed
- static time_t getCRLRefreshBefore();
-
- VerificationStatus check(const CertificateCollection &certs);
- VerificationStatus checkEndEntity(CertificateCollection &certs);
- void updateCache();
-
- CachedCRL();
-
- virtual ~CachedCRL();
-
-private:
-
- // updates CRL cache for distributor URI
- // useExpiredShift ==true should be used in cron/global cache update
- // since it updates all CRLs that will be out of date in next
- // CRL_refreshBefore seconds
- bool updateCRLForUri(const std::string & uri, bool useExpiredShift);
-};
-
-} // namespace ValidationCore
-
-#endif /* _VALIDATION_CORE_CACHED_CRL_ */
+++ /dev/null
-/*
- * Copyright (c) 2011 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-/**
- *
- * @file CachedOCSP.cpp
- * @author Tomasz Swierczek (t.swierczek@samsung.com)
- * @version 0.1
- * @brief Cached OCSP class implementation
- */
-
-#include <string>
-#include <time.h>
-
-#include <dpl/foreach.h>
-#include <dpl/log/log.h>
-
-#include <vcore/OCSP.h>
-#include <vcore/OCSPImpl.h>
-#include <vcore/CachedOCSP.h>
-#include <vcore/Certificate.h>
-#include <vcore/CertificateCacheDAO.h>
-
-namespace {
-
-// one hour in seconds
-const time_t OCSP_minTimeValid = 3600; // one hour in seconds
-
-// one week in seconds
-const time_t OCSP_maxTimeValid = 3600 * 24 * 7;
-
-// one hour in seconds
-const time_t OCSP_refreshBefore = 3600;
-
-} // anonymous namespace
-
-namespace ValidationCore {
-
-time_t CachedOCSP::getOCSPMinTimeValid() {
- return OCSP_minTimeValid;
-}
-
-time_t CachedOCSP::getOCSPMaxTimeValid() {
- return OCSP_maxTimeValid;
-}
-
-time_t CachedOCSP::getOCSPRefreshBefore() {
- return OCSP_refreshBefore;
-}
-
-CachedOCSP::CachedOCSP(){}
-
-CachedOCSP::~CachedOCSP(){}
-
-VerificationStatus CachedOCSP::check(const CertificateCollection &certs)
-{
- OCSPCachedStatus db_status;
- time_t now;
- time(&now);
-
- db_status.cert_chain = certs.toBase64String();
- db_status.end_entity_check = false;
-
- if (CertificateCacheDAO::getOCSPStatus(&db_status)) {
- LogDebug("Found cache entry for OCSP");
- if (now < db_status.next_update_time) {
- LogDebug("Cache response valid");
- return db_status.ocsp_status;
- }
- }
-
- // here we need to get OCSP result and add/update cache
- OCSP ocsp;
- CertificateList list = certs.getChain();
- ocsp.setTrustedStore(list);
-
- VerificationStatusSet statusSet = ocsp.validateCertificateList(list);
- db_status.ocsp_status = statusSet.convertToStatus();
- db_status.next_update_time = ocsp.getResponseValidity();
- CertificateCacheDAO::setOCSPStatus(db_status.cert_chain,
- db_status.ocsp_status,
- db_status.end_entity_check,
- getNextUpdateTime(
- now,
- db_status.next_update_time));
- return db_status.ocsp_status;
-}
-
-VerificationStatus CachedOCSP::checkEndEntity(CertificateCollection &certs)
-{
- OCSPCachedStatus db_status;
- time_t now;
- time(&now);
-
- db_status.cert_chain = certs.toBase64String();
- db_status.end_entity_check = true;
-
- if (CertificateCacheDAO::getOCSPStatus(&db_status)) {
- LogDebug("Found cache entry for OCSP");
- if (now < db_status.next_update_time) {
- LogDebug("Cache response valid");
- return db_status.ocsp_status;
- }
- }
-
- // here we need to send request via OCSP and add/update cache
- CertificateList clst;
- getCertsForEndEntity(certs, &clst);
-
- OCSP ocsp;
- ocsp.setTrustedStore(certs.getCertificateList());
-
- VerificationStatusSet statusSet = ocsp.validateCertificateList(clst);
- db_status.ocsp_status = statusSet.convertToStatus();
- db_status.next_update_time = ocsp.getResponseValidity();
-
- CertificateCacheDAO::setOCSPStatus(db_status.cert_chain,
- db_status.ocsp_status,
- db_status.end_entity_check,
- getNextUpdateTime(
- now,
- db_status.next_update_time));
-
- return db_status.ocsp_status;
-}
-
-void CachedOCSP::updateCache()
-{
- time_t now;
- time(&now);
- now += OCSP_refreshBefore;
- OCSPCachedStatusList list;
- CertificateCacheDAO::getOCSPStatusList(&list);
- FOREACH(db_status, list) {
- if (now >= db_status->next_update_time) {
- // this response needs to be refreshed
- CertificateCollection col;
- col.load(db_status->cert_chain);
- if (!col.sort()) {
- LogError("Certificate collection does not create chain.");
- continue;
- }
-
- OCSP ocsp;
- CertificateList chain = col.getChain();
- ocsp.setTrustedStore(chain);
-
- VerificationStatusSet statusSet;
-
- if (db_status->end_entity_check) {
- CertificateList clst;
- getCertsForEndEntity(col, &clst);
- statusSet = ocsp.validateCertificateList(clst);
- } else {
- statusSet = ocsp.validateCertificateList(chain);
- }
-
- db_status->ocsp_status = statusSet.convertToStatus();
- db_status->next_update_time = ocsp.getResponseValidity();
-
- CertificateCacheDAO::setOCSPStatus(db_status->cert_chain,
- db_status->ocsp_status,
- db_status->end_entity_check,
- db_status->next_update_time);
- }
- }
-}
-
-void CachedOCSP::getCertsForEndEntity(
- const CertificateCollection &certs, CertificateList* clst)
-{
- if (NULL == clst) {
- LogError("NULL pointer");
- return;
- }
-
- if (certs.isChain() && certs.size() >= 2) {
- CertificateList::const_iterator icert = certs.begin();
- clst->push_back(*icert);
- ++icert;
- clst->push_back(*icert);
- }
-}
-
-time_t CachedOCSP::getNextUpdateTime(time_t now, time_t response_validity)
-{
- long min = now + OCSP_minTimeValid;
- long max = now + OCSP_maxTimeValid;
- if (response_validity < min) {
- return min;
- }
- if (response_validity > max) {
- return max;
- }
- return response_validity;
-}
-
-} // namespace ValidationCore
+++ /dev/null
-/*
- * Copyright (c) 2011 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-/**
- *
- * @file CachedOCSP.h
- * @author Tomasz Swierczek (t.swierczek@samsung.com)
- * @version 0.1
- * @brief Header file for smart cached OCSP class
- */
-
-#ifndef _SRC_VALIDATION_CORE_CACHED_OCSP_
-#define _SRC_VALIDATION_CORE_CACHED_OCSP_
-
-#include <vcore/OCSP.h>
-#include <vcore/IAbstractResponseCache.h>
-
-namespace ValidationCore {
-
-class CachedOCSP : public IAbstractResponseCache {
- public:
- // cache can't be refreshed more frequently than OCSP_minTimeValid
- static time_t getOCSPMinTimeValid();
- // to be even more secure, cache will be refreshed for certificate at least
- // after OCSP_minTimeValid from last response
- static time_t getOCSPMaxTimeValid();
-
- // upon cache refresh, responses that will be invalid in OCSP_refreshBefore
- // seconds will be refreshed
- static time_t getOCSPRefreshBefore();
-
- VerificationStatus check(const CertificateCollection &certs);
- VerificationStatus checkEndEntity(CertificateCollection &certs);
- void updateCache();
-
- CachedOCSP();
-
- virtual ~CachedOCSP();
-
- private:
-
- void getCertsForEndEntity(const CertificateCollection &certs,
- CertificateList* clst);
- time_t getNextUpdateTime(time_t now, time_t response_validity);
-};
-
-} // namespace ValidationCore
-
-#endif /* _SRC_VALIDATION_CORE_CACHED_OCSP_ */
Set::Set()
: m_certificateStorage(0)
-#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
- , m_ocspUrl(NULL)
-#endif
{}
Set::~Set()
{
-#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
- delete[] m_ocspUrl;
-#endif
}
void Set::add(Type second)
m_certificateStorage |= second;
}
-#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
-void Set::add(std::string ocspUrl)
-{
-
- if (ocspUrl.length() == 0)
- return;
-
- m_ocspUrl = new char[ocspUrl.length() + 1];
- if (m_ocspUrl)
- strncpy(m_ocspUrl, ocspUrl.c_str(), ocspUrl.length() + 1);
-}
-#endif
bool Set::contains(Type second) const
{
return m_certificateStorage == 0;
}
-#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
-char* Set::getOcspUrl()
-{
- return m_ocspUrl;
-}
-#endif
-
} // namespace CertStoreId
} // namespace ValidationCore
void add(Type second);
-#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
- void add(std::string ocspUrl);
- char* getOcspUrl();
-#endif
bool contains(Type second) const;
bool isEmpty() const;
- private:
+private:
Type m_certificateStorage;
-#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
- char* m_ocspUrl;
-#endif
};
} // namespace CertStoreId
return isSignedBy(this->shared_from_this());
}
-#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
-std::list<std::string>
-Certificate::getCrlUris() const
-{
- std::list<std::string> result;
-
- STACK_OF(DIST_POINT)* distPoints =
- static_cast<STACK_OF(DIST_POINT)*>(
- X509_get_ext_d2i(
- getX509(),
- NID_crl_distribution_points,
- NULL,
- NULL));
- if (!distPoints) {
- LogDebug("No distribution points in certificate.");
- return result;
- }
-
- int count = sk_DIST_POINT_num(distPoints);
- for (int i = 0; i < count; ++i) {
- DIST_POINT* point = sk_DIST_POINT_value(distPoints, i);
- if (!point) {
- LogError("Failed to get distribution point.");
- continue;
- }
- if (point->distpoint != NULL &&
- point->distpoint->name.fullname != NULL)
- {
- int countName =
- sk_GENERAL_NAME_num(point->distpoint->name.fullname);
- for (int j = 0; j < countName; ++j) {
- GENERAL_NAME* name = sk_GENERAL_NAME_value(
- point->distpoint->name.fullname, j);
- if (name != NULL && GEN_URI == name->type) {
- char *crlUri =
- reinterpret_cast<char*>(name->d.ia5->data);
- if (!crlUri) {
- LogError("Failed to get URI.");
- continue;
- }
- result.push_back(crlUri);
- }
- }
- }
- }
- sk_DIST_POINT_pop_free(distPoints, DIST_POINT_free);
- return result;
-}
-#endif
-
long Certificate::getVersion() const
{
return X509_get_version(m_x509);
+++ /dev/null
-/*
- * Copyright (c) 2011 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-/**
- *
- *
- * @file CertificateCacheDAO.cpp
- * @author Tomasz Swierczek (t.swierczek@samsung.com)
- * @version 0.1
- * @brief CertificateCacheDAO implementation
- */
-
-#include <vcore/CertificateCacheDAO.h>
-#include <vcore/VCorePrivate.h>
-
-#include <dpl/foreach.h>
-#include <dpl/log/log.h>
-#include <dpl/db/orm.h>
-#include <orm_generator_vcore.h>
-#include <vcore/Database.h>
-
-using namespace VcoreDPL::DB::ORM;
-using namespace VcoreDPL::DB::ORM::vcore;
-
-namespace ValidationCore {
-
-void CertificateCacheDAO::setOCSPStatus(const std::string& cert_chain,
- VerificationStatus ocsp_status,
- bool end_entity_check,
- time_t next_update_time)
-{
- Try {
- ScopedTransaction transaction(&ThreadInterface());
- OCSPCachedStatus status;
- status.cert_chain = cert_chain;
- status.end_entity_check = end_entity_check;
- if (getOCSPStatus(&status)) {
- // only need to update data in DB
- Equals<OCSPResponseStorage::cert_chain> e1(
- VcoreDPL::FromUTF8String(cert_chain));
- Equals<OCSPResponseStorage::end_entity_check> e2(
- end_entity_check ? 1 : 0);
-
- OCSPResponseStorage::Row row;
-
- row.Set_ocsp_status(ocsp_status);
- row.Set_next_update_time(next_update_time);
-
- VCORE_DB_UPDATE(update, OCSPResponseStorage, &ThreadInterface())
- update->Where(And(e1,e2));
- update->Values(row);
- update->Execute();
- } else {
- // need to insert data
- OCSPResponseStorage::Row row;
-
- row.Set_cert_chain(VcoreDPL::FromUTF8String(cert_chain));
- row.Set_ocsp_status(ocsp_status);
- row.Set_next_update_time(next_update_time);
- row.Set_end_entity_check(end_entity_check ? 1 : 0);
-
- VCORE_DB_INSERT(insert, OCSPResponseStorage, &ThreadInterface())
- insert->Values(row);
- insert->Execute();
- }
- transaction.Commit();
- } Catch(VcoreDPL::DB::SqlConnection::Exception::Base) {
- ReThrowMsg(Exception::DatabaseError, "Failed to setOCSPStatus");
- }
-}
-
-bool CertificateCacheDAO::getOCSPStatus(OCSPCachedStatus* cached_status)
-{
- if (NULL == cached_status) {
- LogError("NULL pointer");
- return false;
- }
- Try {
- Equals<OCSPResponseStorage::cert_chain> e1(
- VcoreDPL::FromUTF8String(cached_status->cert_chain));
- Equals<OCSPResponseStorage::end_entity_check> e2(
- cached_status->end_entity_check ? 1 : 0);
-
- VCORE_DB_SELECT(select, OCSPResponseStorage, &ThreadInterface())
-
- select->Where(And(e1,e2));
- std::list<OCSPResponseStorage::Row> rows = select->GetRowList();
- if (1 == rows.size()) {
- OCSPResponseStorage::Row row = rows.front();
- cached_status->ocsp_status = intToVerificationStatus(
- *(row.Get_ocsp_status()));
- cached_status->next_update_time = *(row.Get_next_update_time());
- return true;
- }
-
- LogDebug("Cached OCSP status not found");
- return false;
- }
- Catch(VcoreDPL::DB::SqlConnection::Exception::Base) {
- ReThrowMsg(Exception::DatabaseError, "Failed to getOCSPStatus");
- }
-}
-
-void CertificateCacheDAO::getOCSPStatusList(
- OCSPCachedStatusList* cached_status_list)
-{
- if (NULL == cached_status_list) {
- LogError("NULL pointer");
- return;
- }
- Try {
- VCORE_DB_SELECT(select, OCSPResponseStorage, &ThreadInterface())
- typedef std::list<OCSPResponseStorage::Row> RowList;
- RowList list = select->GetRowList();
-
- FOREACH(i, list) {
- OCSPCachedStatus status;
- status.cert_chain = VcoreDPL::ToUTF8String(i->Get_cert_chain());
- status.ocsp_status = intToVerificationStatus(
- *(i->Get_ocsp_status()));
- status.end_entity_check =
- *(i->Get_end_entity_check()) == 1 ? true : false;
- status.next_update_time = *(i->Get_next_update_time());
- cached_status_list->push_back(status);
- }
-
- }
- Catch(VcoreDPL::DB::SqlConnection::Exception::Base) {
- ReThrowMsg(Exception::DatabaseError, "Failed to getOCSPStatusList");
- }
-}
-
-
-void CertificateCacheDAO::setCRLResponse(const std::string& distribution_point,
- const std::string& crl_body,
- time_t next_update_time)
-{
- Try {
- ScopedTransaction transaction(&ThreadInterface());
- CRLCachedData data;
- data.distribution_point = distribution_point;
- if (getCRLResponse(&data)) {
- // only need to update data in DB
- VCORE_DB_UPDATE(update, CRLResponseStorage, &ThreadInterface())
- Equals<CRLResponseStorage::distribution_point> e1(
- VcoreDPL::FromUTF8String(distribution_point));
- CRLResponseStorage::Row row;
-
- update->Where(e1);
- row.Set_crl_body(VcoreDPL::FromUTF8String(crl_body));
- row.Set_next_update_time(next_update_time);
- update->Values(row);
- update->Execute();
- } else {
- // need to insert data
- VCORE_DB_INSERT(insert, CRLResponseStorage, &ThreadInterface())
- CRLResponseStorage::Row row;
-
- row.Set_distribution_point(VcoreDPL::FromUTF8String(distribution_point));
- row.Set_crl_body(VcoreDPL::FromUTF8String(crl_body));
- row.Set_next_update_time(next_update_time);
- insert->Values(row);
- insert->Execute();
- }
- transaction.Commit();
- } Catch(VcoreDPL::DB::SqlConnection::Exception::Base) {
- ReThrowMsg(Exception::DatabaseError, "Failed to setOCSPStatus");
- }
-}
-
-bool CertificateCacheDAO::getCRLResponse(CRLCachedData* cached_data)
-{
- if (NULL == cached_data) {
- LogError("NULL pointer");
- return false;
- }
- Try {
- VCORE_DB_SELECT(select, CRLResponseStorage, &ThreadInterface())
- Equals<CRLResponseStorage::distribution_point> e1(
- VcoreDPL::FromUTF8String(cached_data->distribution_point));
-
- select->Where(e1);
- std::list<CRLResponseStorage::Row> rows = select->GetRowList();
- if (1 == rows.size()) {
- CRLResponseStorage::Row row = rows.front();
- cached_data->crl_body = VcoreDPL::ToUTF8String(row.Get_crl_body());
- cached_data->next_update_time = *(row.Get_next_update_time());
- return true;
- }
-
- LogDebug("Cached CRL not found");
- return false;
- }
- Catch(VcoreDPL::DB::SqlConnection::Exception::Base) {
- ReThrowMsg(Exception::DatabaseError, "Failed to getCRLResponse");
- }
-}
-
-void CertificateCacheDAO::getCRLResponseList(
- CRLCachedDataList* cached_data_list)
-{
- if (NULL == cached_data_list) {
- LogError("NULL pointer");
- return;
- }
- Try {
- VCORE_DB_SELECT(select, CRLResponseStorage, &ThreadInterface())
- typedef std::list<CRLResponseStorage::Row> RowList;
- RowList list = select->GetRowList();
-
- FOREACH(i, list) {
- CRLCachedData response;
- response.distribution_point = VcoreDPL::ToUTF8String(
- i->Get_distribution_point());
- response.crl_body = VcoreDPL::ToUTF8String(i->Get_crl_body());
- response.next_update_time = *(i->Get_next_update_time());
- cached_data_list->push_back(response);
- }
-
- }
- Catch(VcoreDPL::DB::SqlConnection::Exception::Base) {
- ReThrowMsg(Exception::DatabaseError, "Failed to getCRLResponses");
- }
-}
-
-void CertificateCacheDAO::clearCertificateCache()
-{
- Try {
- ScopedTransaction transaction(&ThreadInterface());
- VCORE_DB_DELETE(del1, OCSPResponseStorage, &ThreadInterface())
- del1->Execute();
- VCORE_DB_DELETE(del2, CRLResponseStorage, &ThreadInterface())
- del2->Execute();
- transaction.Commit();
- }
- Catch(VcoreDPL::DB::SqlConnection::Exception::Base) {
- ReThrowMsg(Exception::DatabaseError, "Failed to clearUserSettings");
- }
-}
-
-VerificationStatus CertificateCacheDAO::intToVerificationStatus(int p)
-{
- switch (p) {
- case 1:
- return VERIFICATION_STATUS_GOOD;
- case 1 << 1:
- return VERIFICATION_STATUS_REVOKED;
- case 1 << 2:
- return VERIFICATION_STATUS_UNKNOWN;
- case 1 << 3:
- return VERIFICATION_STATUS_VERIFICATION_ERROR;
- case 1 << 4:
- return VERIFICATION_STATUS_NOT_SUPPORT;
- case 1 << 5:
- return VERIFICATION_STATUS_CONNECTION_FAILED;
- case 1 << 6:
- return VERIFICATION_STATUS_ERROR;
- default:
- return VERIFICATION_STATUS_ERROR;
- }
-}
-
-} // namespace ValidationCore
+++ /dev/null
-/*
- * Copyright (c) 2011 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-/**
- *
- *
- * @file CertificateCacheDAO.h
- * @author Tomasz Swierczek (t.swierczek@samsung.com)
- * @version 0.1
- * @brief Header file for class managing CRL and OCSP cached responses
- */
-
-#ifndef _WRT_SRC_CONFIGURATION_CERTIFICATE_CACHE_DAO_H_
-#define _WRT_SRC_CONFIGURATION_CERTIFICATE_CACHE_DAO_H_
-
-#include <string>
-#include <list>
-
-#include <dpl/exception.h>
-
-#include <vcore/VerificationStatus.h>
-#include <vcore/CRLCacheInterface.h>
-
-namespace ValidationCore {
-
-struct OCSPCachedStatus
-{
- std::string cert_chain;
- VerificationStatus ocsp_status;
- bool end_entity_check;
- time_t next_update_time;
-};
-
-typedef std::list<OCSPCachedStatus> OCSPCachedStatusList;
-
-typedef std::list<CRLCachedData> CRLCachedDataList;
-
-class CertificateCacheDAO {
- public:
- class Exception
- {
- public:
- DECLARE_EXCEPTION_TYPE(VcoreDPL::Exception, Base)
- DECLARE_EXCEPTION_TYPE(Base, DatabaseError)
- };
-
- // OCSP statuses
-
- static void setOCSPStatus(const std::string& cert_chain,
- VerificationStatus ocsp_status,
- bool end_entity_check,
- time_t next_update_time);
-
- /*
- * fill cert_chain and end_entity_check in cached_status
- * returns true iff cached status found without errors
- */
- static bool getOCSPStatus(OCSPCachedStatus* cached_status);
- static void getOCSPStatusList(OCSPCachedStatusList* cached_status_list);
-
- // CRL responses
-
- static void setCRLResponse(const std::string& distribution_point,
- const std::string& crl_body,
- time_t next_update_time);
- static void setCRLResponse(CRLCachedData *ptr) {
- setCRLResponse(
- ptr->distribution_point,
- ptr->crl_body,
- ptr->next_update_time);
- }
- /*
- * fill distribution_point
- * returns true iff cached list for dist. point found without errors
- */
- static bool getCRLResponse(CRLCachedData* cached_data);
- static void getCRLResponseList(CRLCachedDataList* cached_data_list);
-
-
- // clears CRL and OCSP cached data
- static void clearCertificateCache();
-
- private:
-
- static VerificationStatus intToVerificationStatus(int p);
-
- CertificateCacheDAO()
- {
- }
-};
-
-} // namespace ValidationCore
-
-#endif /* _WRT_SRC_CONFIGURATION_CERTIFICATE_CACHE_DAO_H_ */
const std::string TOKEN_FINGERPRINT_SHA1 = "FingerprintSHA1";
const std::string TOKEN_ATTR_NAME = "name";
-#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
-const std::string TOKEN_ATTR_URL_NAME = "ocspUrl";
-#endif
const std::string TOKEN_VALUE_TIZEN_DEVELOPER = "tizen-developer";
const std::string TOKEN_VALUE_TIZEN_TEST = "tizen-test";
const std::string TOKEN_VALUE_TIZEN_VERIFY = "tizen-verify";
void CertificateConfigReader::tokenEndFingerprintSHA1(
CertificateIdentifier &identificator)
{
-#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
- std::string url = m_parserSchema.getReader().attribute(TOKEN_ATTR_URL_NAME);
-#endif
-
std::string text = m_parserSchema.getText();
text += ":"; // add guard at the end of fingerprint
Certificate::Fingerprint fingerprint;
}
identificator.add(fingerprint, m_certificateDomain);
-#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
- identificator.add(fingerprint, url);
-#endif
}
} // namespace ValidationCore
fingerPrintMap[fingerprint].add(domain);
}
- #ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
- void add(const Certificate::Fingerprint &fingerprint,
- std::string ocspUrl)
- {
- fingerPrintMap[fingerprint].add(ocspUrl);
- }
- #endif
-
CertStoreId::Set find(const Certificate::Fingerprint &fingerprint) const
{
FingerPrintMap::const_iterator iter = fingerPrintMap.find(fingerprint);
#include <vcore/Base64.h>
#include <vcore/CertificateLoader.h>
-#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
-#include <vcore/SSLContainers.h>
-#endif
-
namespace {
const int MIN_RSA_KEY_LENGTH = 1024;
} // namespace anonymous
+++ /dev/null
-/*
- * Copyright (c) 2011 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-/*!
- * @author Bartlomiej Grzelewski (b.grzelewski@gmail.com)
- * @version 0.1
- * @file CertificateVerifier.cpp
- * @brief This class integrates OCSP and CRL.
- */
-#include <vcore/CertificateVerifier.h>
-
-#include <dpl/assert.h>
-#include <dpl/foreach.h>
-#include <dpl/log/log.h>
-
-namespace ValidationCore {
-
-CertificateVerifier::CertificateVerifier(bool enableOcsp, bool enableCrl)
-: m_enableOcsp(enableOcsp)
-, m_enableCrl(enableCrl)
-{}
-
-VerificationStatus CertificateVerifier::check(
- CertificateCollection &certCollection) const
-{
- LogDebug("== Certificate collection validation start ==");
- Assert(certCollection.isChain() && "Collection must form chain.");
-
- VerificationStatus statusOcsp;
- VerificationStatus statusCrl;
-
- if (m_enableOcsp) {
- statusOcsp = obtainOcspStatus(certCollection);
- } else {
- statusOcsp = VERIFICATION_STATUS_GOOD;
- }
-
- if (m_enableCrl) {
- statusCrl = obtainCrlStatus(certCollection);
- } else {
- statusCrl = VERIFICATION_STATUS_GOOD;
- }
- LogDebug("== Certificate collection validation end ==");
- return getStatus(statusOcsp, statusCrl);
-}
-
-VerificationStatus CertificateVerifier::obtainOcspStatus(
- const CertificateCollection &chain) const
-{
- LogDebug("== Obtain ocsp status ==");
- CachedOCSP ocsp;
- return ocsp.check(chain);
-}
-
-VerificationStatus CertificateVerifier::obtainCrlStatus(
- const CertificateCollection &chain) const
-{
- LogDebug("== Obtain crl status ==");
- CachedCRL crl;
- return crl.check(chain);
-}
-
-VerificationStatus CertificateVerifier::getStatus(
- VerificationStatus ocsp,
- VerificationStatus crl) const
-{
- if (ocsp == VERIFICATION_STATUS_REVOKED ||
- crl == VERIFICATION_STATUS_REVOKED)
- {
- LogDebug("Return status: REVOKED");
- return VERIFICATION_STATUS_REVOKED;
- }
-
- if (ocsp == VERIFICATION_STATUS_GOOD) {
- LogDebug("Return status: GOOD");
- return VERIFICATION_STATUS_GOOD;
- }
-
- if (ocsp == VERIFICATION_STATUS_UNKNOWN) {
- LogDebug("Return status: UNKNOWN");
- return VERIFICATION_STATUS_UNKNOWN;
- }
-
- if (ocsp == VERIFICATION_STATUS_NOT_SUPPORT) {
- LogDebug("Return status: NOT_SUPPORT");
- return VERIFICATION_STATUS_GOOD;
- }
-
- LogDebug("Return status: ERROR");
- return VERIFICATION_STATUS_ERROR;
-}
-
-VerificationStatus CertificateVerifier::checkEndEntity(
- CertificateCollectionList &collectionList) const
-{
- VerificationStatusSet statusOcsp;
- VerificationStatusSet statusCrl;
-
- if (m_enableOcsp) {
- CachedOCSP ocsp;
- FOREACH(it, collectionList){
- statusOcsp.add(ocsp.checkEndEntity(*it));
- }
- } else {
- statusOcsp.add(VERIFICATION_STATUS_GOOD);
- }
-
- if (m_enableCrl) {
- CachedCRL crl;
- FOREACH(it, collectionList){
- statusCrl.add(crl.checkEndEntity(*it));
- }
- } else {
- statusCrl.add(VERIFICATION_STATUS_GOOD);
- }
- LogDebug("== Certificate collection validateion end ==");
- return getStatus(statusOcsp.convertToStatus(), statusCrl.convertToStatus());
-}
-
-} // namespace ValidationCore
+++ /dev/null
-/*
- * Copyright (c) 2011 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-/*!
- * @author Bartlomiej Grzelewski (b.grzelewski@gmail.com)
- * @version 0.1
- * @file CertificateVerifier.h
- * @brief This class integrates OCSP and CRL into one module.
- */
-#ifndef _VALIDATION_CORE_CERTIFICATE_VERIFIER_H_
-#define _VALIDATION_CORE_CERTIFICATE_VERIFIER_H_
-
-#include <vcore/Certificate.h>
-#include <vcore/CertificateCollection.h>
-#include <vcore/CachedCRL.h>
-#include <vcore/CachedOCSP.h>
-#include <vcore/VerificationStatus.h>
-
-namespace ValidationCore {
-
-class CertificateVerifier {
- public:
- explicit CertificateVerifier(bool enableOcsp, bool enableCrl);
- ~CertificateVerifier(){}
-
- /*
- * Run OCSP and CRL for all certificates in collection.
- * Collection must represent chain.
- *
- * Evaluate status. This function converts ocsp status set
- * into one status - the most restricted. This one ocsp status
- * and status from crl is evaluated to end result.
- *
- * Algorithm to evaluate result is represented in table:
- *
- * +--------------+-------+-------+-------+------------+---------+
- * | OCSP |Good |Revoked|Unknown|Undetermined|Not |
- * | | | | | |supported|
- * | CRL | | | | | |
- * +--------------+-------+-------+-------+------------+---------+
- * | GOOD |GOOD |Revoked|Unknown|Undetermined|Good |
- * +--------------+-------+-------+-------+------------+---------+
- * | REVOKED |Revoked|Revoked|Revoked|Revoked |Revoked |
- * +--------------+-------+-------+-------+------------+---------+
- * | UNDETERMINED |Good |Revoked|Unknown|Undetermined|Good |
- * +--------------+-------+-------+-------+------------+---------+
- * | Not supported|Good |Revoked|Unknown|Undetermined|Good |
- * +--------------+-------+-------+-------+------------+---------+
- *
- * As Undetermind function returns VERIFICATION_STATUS_ERROR.
- */
-
- VerificationStatus check(CertificateCollection &certCollection) const;
-
- VerificationStatus checkEndEntity(
- CertificateCollectionList &certCollectionList) const;
-
- private:
- VerificationStatus obtainOcspStatus(
- const CertificateCollection &chain) const;
- VerificationStatus obtainCrlStatus(
- const CertificateCollection &chain) const;
- VerificationStatus getStatus(VerificationStatus ocsp,
- VerificationStatus crl) const;
-
- bool m_enableOcsp;
- bool m_enableCrl;
-};
-
-} // namespace ValidationCore
-
-#endif // _VALIDATION_CORE_CERTIFICATE_VERIFIER_H_
-
+++ /dev/null
-/*
- * Copyright (c) 2011 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-/*
- * @file webruntime_database.cpp
- * @author Przemyslaw Dobrowolski (p.dobrowolsk@samsung.com)
- * @version 1.0
- * @brief This file contains the definition of webruntime database
- */
-#include <vcore/Database.h>
-#include <mutex>
-
-std::mutex g_vcoreDbQueriesMutex;
+++ /dev/null
-/*
- * Copyright (c) 2011 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-/*
- * @file webruntime_database.h
- * @author Przemyslaw Dobrowolski (p.dobrowolsk@samsung.com)
- * @version 1.0
- * @brief This file contains the declaration of webruntime database
- */
-#ifndef VCORE_SRC_VCORE_DATABASE_H
-#define VCORE_SRC_VCORE_DATABASE_H
-
-#include <dpl/db/thread_database_support.h>
-#include <dpl/db/sql_connection.h>
-#include <dpl/thread.h>
-#include <mutex>
-
-extern std::mutex g_vcoreDbQueriesMutex;
-
-#define VCORE_DB_INTERNAL(tlsCommand, InternalType, interface) \
- static VcoreDPL::ThreadLocalVariable<InternalType> *tlsCommand ## Ptr = NULL; \
- { \
- std::lock_guard<std::mutex> lock(g_vcoreDbQueriesMutex); \
- if (!tlsCommand ## Ptr) { \
- static VcoreDPL::ThreadLocalVariable<InternalType> tmp; \
- tlsCommand ## Ptr = &tmp; \
- } \
- } \
- VcoreDPL::ThreadLocalVariable<InternalType> &tlsCommand = *tlsCommand ## Ptr; \
- if (tlsCommand.IsNull()) { tlsCommand = InternalType(interface); }
-
-#define VCORE_DB_SELECT(name, type, interface) \
- VCORE_DB_INTERNAL(name, type::Select, interface)
-
-#define VCORE_DB_INSERT(name, type, interface) \
- VCORE_DB_INTERNAL(name, type::Insert, interface)
-
-#define VCORE_DB_UPDATE(name, type, interface) \
- VCORE_DB_INTERNAL(name, type::Update, interface)
-
-#define VCORE_DB_DELETE(name, type, interface) \
- VCORE_DB_INTERNAL(name, type::Delete, interface)
-
-#endif // define VCORE_SRC_VCORE_DATABASE_H
+++ /dev/null
-/*
- * Copyright (c) 2011 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-/*!
- * @author Bartlomiej Grzelewski(b.grzelewski@samsung.com)
- * @version 0.5
- * @file OCPS.cpp
- * @brief This class is used for hide OCSP implementation.
- */
-
-#include <vcore/OCSPImpl.h>
-
-namespace ValidationCore {
-
-OCSP::OCSP()
- : m_impl(new OCSPImpl())
-{}
-
-OCSP::~OCSP()
-{
- delete m_impl;
-}
-
-ValidationCore::VerificationStatusSet OCSP::validateCertificateList(
- const CertificateList &certs)
-{
- return m_impl->validateCertificateList(certs);
-}
-
-VerificationStatus OCSP::checkEndEntity(
- const CertificateCollection &chain)
-{
- return m_impl->checkEndEntity(chain);
-}
-
-VerificationStatus OCSP::validateCertificate(CertificatePtr argCert,
- CertificatePtr argIssuer)
-{
- return m_impl->validateCertificate(argCert, argIssuer);
-}
-
-void OCSP::setDigestAlgorithmForCertId(DigestAlgorithm alg) {
- return m_impl->setDigestAlgorithmForCertId(alg);
-}
-
-void OCSP::setDigestAlgorithmForRequest(DigestAlgorithm alg) {
- return m_impl->setDigestAlgorithmForRequest(alg);
-}
-
-void OCSP::setTrustedStore(const CertificateList& certs) {
- m_impl->setTrustedStore(certs);
-}
-
-void OCSP::setDefaultResponder(const char *uri) {
- m_impl->setDefaultResponder(uri);
-}
-
-void OCSP::setUseDefaultResponder(bool value) {
- m_impl->setUseDefaultResponder(value);
-}
-
-time_t OCSP::getResponseValidity() {
- return m_impl->getResponseValidity();
-}
-
-} // namespace ValidationCore
+++ /dev/null
-/*
- * Copyright (c) 2011 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-/*!
- * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com)
- * @version 0.5
- * @file OCPS.h
- * @brief This class is used to hide OCSP implementation.
- */
-
-#ifndef _VALIDATION_CORE_OCSP_H_
-#define _VALIDATION_CORE_OCSP_H_
-
-#include <ctime>
-
-#include <vcore/Certificate.h>
-#include <vcore/CertificateCollection.h>
-#include <vcore/VerificationStatus.h>
-
-namespace ValidationCore {
-
-class OCSPImpl;
-
-class OCSP {
-public:
-
- OCSP(const OCSP &) = delete;
- const OCSP &operator=(const OCSP &) = delete;
-
- OCSP();
-
- VerificationStatus checkEndEntity(const CertificateCollection &certList);
-
- enum DigestAlgorithm
- {
- SHA1,
- SHA224,
- SHA256,
- SHA384,
- SHA512
- };
-
- /**
- * Sets digest algorithm for certid in ocsp request
- */
- void setDigestAlgorithmForCertId(DigestAlgorithm alg);
-
- /**
- * Sets digest algorithm for certid in ocsp request
- */
- void setDigestAlgorithmForRequest(DigestAlgorithm alg);
-
- void setTrustedStore(const CertificateList& certs);
-
- VerificationStatusSet validateCertificateList(const CertificateList &certs);
-
- VerificationStatus validateCertificate(CertificatePtr argCert,
- CertificatePtr argIssuer);
-
- void setDefaultResponder(const char* uri);
-
- void setUseDefaultResponder(bool value);
-
- /**
- * @return time when response will become invalid - for list of
- * certificates, this is the minimum of all validities; value is
- * valid only for not-revoked certificates (non error validation result)
- */
- time_t getResponseValidity();
-
- virtual ~OCSP();
-private:
- OCSPImpl *m_impl;
-
-};
-
-} // namespace ValidationCore
-
-#endif //ifndef _VALIDATION_CORE_OCSP_H_
#include <vcore/OCSPCertMgrUtil.h>
#include <vcore/SSLContainers.h>
-#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
-#include <openssl/ocsp.h>
-#endif
#include <openssl/pem.h>
#include <openssl/x509.h>
+++ /dev/null
-/*
- * Copyright (c) 2011 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-/*!
- * @author Tomasz Morawski(t.morawski@samsung.com)
- * @author Michal Ciepielski(m.ciepielski@samsung.com)
- * @author Piotr Marcinkiewicz(p.marcinkiew@samsung.com)
- * @version 0.4
- * @file OCSP.cpp
- * @brief Routines for certificate validation over OCSP
- */
-
-#include <vcore/OCSPImpl.h>
-
-#include <string.h>
-#include <algorithm>
-
-#include <openssl/ssl.h>
-#include <openssl/crypto.h>
-#include <openssl/err.h>
-#include <openssl/x509v3.h>
-#include <boost/optional.hpp>
-
-#include <dpl/log/log.h>
-#include <dpl/assert.h>
-#include <dpl/foreach.h>
-#include <dpl/scoped_free.h>
-
-#include <libsoup/soup.h>
-
-#include <vcore/Certificate.h>
-#include <vcore/SoupMessageSendSync.h>
-#include <vcore/ValidatorFactories.h>
-
-extern "C" {
-// This function is needed to fix "Invalid conversion from void*
-// to unsigned char*" C++ compiler error during calling
-// i2d_OCSP_REQUEST_bio macro
-extern bool convertToBuffer(OCSP_REQUEST* req,
- char** buf,
- int* size);
-}
-
-namespace {
-const int ConnectionTimeoutInSeconds = 6;
-const int ConnectionRetryCount = 3;
-
-//! Maximum leeway in validity period in seconds: default 1 day
-//! (@see checkRevocationStatus function code)
-
-//! Maximum validity time for revocation status (1 day)
-const int MaxValidatyPeriodInSeconds = 24 * 60 * 60;
-
-//! Max age (@see checkRevocationStatus function code)
-const int MaxAge = -1;
-} // anonymous namespace
-
-namespace ValidationCore {
-
-const char* OCSPImpl::DEFAULT_RESPONDER_URI_ENV = "OCSP_DEFAULT_RESPONDER_URI";
-
-static const EVP_MD* getDigestAlg(OCSP::DigestAlgorithm alg)
-{
- switch (alg) {
- case OCSP::SHA1:
- return EVP_sha1();
- case OCSP::SHA224:
- return EVP_sha224();
- case OCSP::SHA256:
- return EVP_sha256();
- case OCSP::SHA384:
- return EVP_sha384();
- case OCSP::SHA512:
- return EVP_sha512();
- default:
- return NULL;
- }
-}
-
-OCSPImpl::OCSPImpl() :
- /* Upgrade of openssl is required to support sha256 */
- // m_pCertIdDigestAlg(EVP_sha256()),
- // m_pRequestDigestAlg(EVP_sha256()),
- m_pCertIdDigestAlg(EVP_sha1()),
- m_pRequestDigestAlg(EVP_sha1()),
- m_bUseNonce(false),
- m_bUseDefResponder(false),
- m_bSignRequest(false),
- m_pSignKey(0)
-{}
-
-SoupWrapper::SoupMessageSendBase::RequestStatus OCSPImpl::sendOcspRequest(
- OCSP_REQUEST* argRequest,
- const std::string& argUri)
-{
- using namespace SoupWrapper;
- // convert OCSP_REQUEST to memory buffer
- char* requestBuffer;
- int requestSizeInt;
- if (!convertToBuffer(argRequest, &requestBuffer, &requestSizeInt)) {
- VcoreThrowMsg(OCSPImpl::Exception::VerificationError,
- "OCSP: failed to convert OCSP_REQUEST to mem buffer");
- }
-
- Assert(requestSizeInt >= 0);
-
- SoupMessageSendBase::MessageBuffer buffer;
- buffer.resize(requestSizeInt);
- memcpy(&buffer[0], requestBuffer, requestSizeInt);
- free(requestBuffer);
-
- char *cport = 0,*chost = 0,*cpath = 0;
- int use_ssl = 0;
-
- if (!OCSP_parse_url(const_cast<char*>(argUri.c_str()),
- &chost,
- &cport,
- &cpath,
- &use_ssl))
- {
- LogWarning("Error in OCSP_parse_url");
- return SoupMessageSendBase::REQUEST_STATUS_CONNECTION_ERROR;
- }
-
- std::string host = chost;
-
- if (cport) {
- host += ":";
- host += cport;
- }
-
- free(cport);
- free(chost);
- free(cpath);
-
- m_soupMessage.setHost(argUri);
- m_soupMessage.setHeader("Host", host);
- m_soupMessage.setRequest(std::string("application/ocsp-request"),
- buffer);
-
- return m_soupMessage.sendSync();
-}
-
-ValidationCore::VerificationStatusSet OCSPImpl::validateCertificateList(
- const CertificateList &certs)
-{
- VerificationStatusSet statusSet;
-
- if (certs.size() < 2) {
- // no certificates to verify, just return a error
- LogWarning("No validation will be proceed. OCSP require at"
- " least 2 certificates in chain. Found only " << certs.size());
- statusSet.add(VERIFICATION_STATUS_ERROR);
- return statusSet;
- }
-
- CertificatePtr root = certs.back();
- CertStoreId::Set storedSetId = createCertificateIdentifier().find(root);
- char* ocspUrl = storedSetId.getOcspUrl();
-
- if (ocspUrl != NULL)
- {
- setUseDefaultResponder(true);
- setDefaultResponder(ocspUrl);
- }
-
- CertificateList::const_iterator iter = certs.begin();
- CertificateList::const_iterator parent = iter;
-
- time_t minValidity = 0;
- for (++parent; parent != certs.end(); ++iter, ++parent) {
- LogDebug("Certificate validation (CN:" << (*iter)->getOneLine() << ")");
- LogDebug("Parent certificate (CN:" << (*parent)->getOneLine() << ")");
- statusSet.add(validateCertificate(*iter, *parent));
- if ((0 == minValidity || minValidity > m_responseValidity) &&
- m_responseValidity > 0)
- {
- minValidity = m_responseValidity;
- }
- }
- m_responseValidity = minValidity;
-
- return statusSet;
-}
-
-VerificationStatus OCSPImpl::checkEndEntity(
- const CertificateCollection &chain)
-{
- // this is temporary fix. it must be rewriten
- VerificationStatusSet verSet;
-
- CertificateList clst;
- if (chain.isChain() && chain.size() >= 2) {
- CertificateList::const_iterator icert = chain.begin();
- clst.push_back(*icert);
- ++icert;
- clst.push_back(*icert);
- }
- verSet += validateCertificateList(clst);
-
- return verSet.convertToStatus();
-}
-
-VerificationStatus OCSPImpl::validateCertificate(CertificatePtr argCert,
- CertificatePtr argIssuer)
-{
- using namespace SoupWrapper;
-
- Assert(!!argCert);
- Assert(!!argIssuer);
-
- VcoreTry {
- std::string uri;
-
- if (!m_bUseDefResponder) {
- uri = argCert->getOCSPURL();
- if (uri.empty()) {
- return VERIFICATION_STATUS_NOT_SUPPORT;
- }
- } else {
- if (m_strResponderURI.empty()) {
- VcoreThrowMsg(OCSPImpl::Exception::VerificationError,
- "Default responder is not set");
- }
- LogWarning("Default responder will be used");
-
- uri = m_strResponderURI;
- }
-
- // creates a request
- CreateRequestResult newRequest = createRequest(argCert, argIssuer);
- if (!newRequest.success) {
- VcoreThrowMsg(OCSPImpl::Exception::VerificationError, "Request creation failed");
- }
-
- // SSLSmartContainer <OCSP_CERTID> certIdCont(certId);
- // this smart ptr is commented out in purpose. request
- // manages certIdmemory (which was done in createRequest above)
- SSLSmartContainer <OCSP_REQUEST> requestCont(newRequest.ocspRequest);
-
- SoupMessageSendBase::RequestStatus requestStatus;
- requestStatus = sendOcspRequest(requestCont, uri);
-
- if (requestStatus != SoupMessageSendBase::REQUEST_STATUS_OK) {
- return VERIFICATION_STATUS_CONNECTION_FAILED;
- }
-
- // Response is m_soupMessage, convert it to OCSP_RESPONSE
- OcspResponse response = convertToResponse();
-
- if (!response.first) {
- VcoreThrowMsg(OCSPImpl::Exception::VerificationError,
- "OCSP: failed to convert mem buffer to OCSP_RESPONSE");
- }
-
- SSLSmartContainer <OCSP_RESPONSE> responseCont(response.second);
- // verify response eg. check response status,
- // validate responder certificate
- validateResponse(requestCont,
- responseCont,
- newRequest.ocspCertId);
- } VcoreCatch(OCSPImpl::Exception::ConnectionError) {
- LogWarning("OCSP: ConnectionError");
- return VERIFICATION_STATUS_CONNECTION_FAILED;
- } VcoreCatch(OCSPImpl::Exception::CertificateRevoked) {
- LogWarning("OCSP: Revoked");
- return VERIFICATION_STATUS_REVOKED;
- } VcoreCatch(OCSPImpl::Exception::CertificateUnknown) {
- LogWarning("OCSP: Unknown");
- return VERIFICATION_STATUS_UNKNOWN;
- } VcoreCatch(OCSPImpl::Exception::VerificationError) {
- LogWarning("OCSP: Verification error");
- return VERIFICATION_STATUS_VERIFICATION_ERROR;
- } VcoreCatch(OCSPImpl::Exception::Base) {
- LogWarning("OCSP: Error");
- return VERIFICATION_STATUS_ERROR;
- }
- LogWarning("OCSP: Good");
- return VERIFICATION_STATUS_GOOD;
-}
-
-void OCSPImpl::setDefaultResponder(const char *uri)
-{
- Assert(uri);
- m_strResponderURI = std::string(uri);
-}
-
-void OCSPImpl::setUseDefaultResponder(bool value)
-{
- m_bUseDefResponder = value;
-}
-
-time_t OCSPImpl::getResponseValidity()
-{
- return m_responseValidity;
-}
-
-OCSPImpl::CreateRequestResult OCSPImpl::createRequest(CertificatePtr argCert,
- CertificatePtr argIssuer)
-{
- OCSP_REQUEST* newRequest = OCSP_REQUEST_new();
-
- if (!newRequest) {
- LogWarning("OCSP: Failed to create a request");
- return CreateRequestResult();
- }
-
- SSLSmartContainer <OCSP_REQUEST> requestCont(newRequest);
-
- OCSP_CERTID* certId = addSerial(argCert, argIssuer);
-
- if (!certId) {
- LogWarning("OCSP: Unable to create a serial id");
- return CreateRequestResult();
- }
- SSLSmartContainer <OCSP_CERTID> certIdCont(certId);
-
- // Inserting certificate ID to request
- if (!OCSP_request_add0_id(requestCont, certIdCont)) {
- LogWarning("OCSP: Unable to create a certificate id");
- return CreateRequestResult();
- }
-
- if (m_bUseNonce) {
- OCSP_request_add1_nonce(requestCont, 0, -1);
- }
-
- if (m_bSignRequest) {
- if (!m_pSignCert || !m_pSignKey) {
- LogWarning("OCSP: Unable to sign request if "
- "SignCert or SignKey was not set");
- return CreateRequestResult();
- }
-
- if (!OCSP_request_sign(requestCont,
- m_pSignCert->getX509(),
- m_pSignKey,
- m_pRequestDigestAlg,
- 0,
- 0))
- {
- LogWarning("OCSP: Unable to sign request");
- return CreateRequestResult();
- }
- }
- return CreateRequestResult(true,
- requestCont.DetachPtr(),
- certIdCont.DetachPtr());
-}
-
-OCSP_CERTID* OCSPImpl::addSerial(CertificatePtr argCert,
- CertificatePtr argIssuer)
-{
- X509_NAME* iname = X509_get_subject_name(argIssuer->getX509());
- ASN1_BIT_STRING* ikey = X509_get0_pubkey_bitstr(argIssuer->getX509());
- ASN1_INTEGER* serial = X509_get_serialNumber(argCert->getX509());
-
- return OCSP_cert_id_new(m_pCertIdDigestAlg, iname, ikey, serial);
-}
-
-void OCSPImpl::setDigestAlgorithmForCertId(OCSP::DigestAlgorithm alg)
-{
- const EVP_MD* foundAlg = getDigestAlg(alg);
-
- if (NULL != foundAlg) {
- m_pCertIdDigestAlg = foundAlg;
- } else {
- LogDebug("Request for unsupported CertId digest algorithm ignored!");
- }
-}
-
-void OCSPImpl::setDigestAlgorithmForRequest(OCSP::DigestAlgorithm alg)
-{
- const EVP_MD* foundAlg = getDigestAlg(alg);
-
- if (NULL != foundAlg) {
- m_pRequestDigestAlg = foundAlg;
- } else {
- LogDebug("Request for unsupported OCSP request digest algorithm ignored!");
- }
-}
-
-void OCSPImpl::setTrustedStore(const CertificateList& certs)
-{
- X509_STORE *store = X509_STORE_new();
- m_pTrustedStore = store;
- // create a trusted store basing on certificate chain from a signature
- FOREACH(iter, certs) {
- X509_STORE_add_cert(store, (*iter)->getX509());
- }
-}
-
-void OCSPImpl::validateResponse(OCSP_REQUEST* argRequest,
- OCSP_RESPONSE* argResponse,
- OCSP_CERTID* argCertId)
-{
- int result = OCSP_response_status(argResponse);
-
- if (result != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
- handleInvalidResponse(result);
- VcoreThrowMsg(OCSPImpl::Exception::VerificationError, "OCSP_response_status failed");
- }
-
- // get response object
- OCSP_BASICRESP* basic = OCSP_response_get1_basic(argResponse);
- if (!basic) {
- VcoreThrowMsg(OCSPImpl::Exception::VerificationError,
- "OCSP: Unable to get a BASICRESP object.");
- }
-
- SSLSmartContainer <OCSP_BASICRESP> basicRespCont(basic);
- if (m_bUseNonce && OCSP_check_nonce(argRequest, basicRespCont) <= 0) {
- VcoreThrowMsg(OCSPImpl::Exception::VerificationError, "OCSP: Invalid nonce");
- }
-
- if (!verifyResponse(basic)) {
- VcoreThrowMsg(OCSPImpl::Exception::VerificationError,
- "Unable to verify the OCSP responder's certificate");
- }
-
- checkRevocationStatus(basicRespCont, argCertId);
-}
-
-bool OCSPImpl::verifyResponse(OCSP_BASICRESP* basic)
-{
- Assert(m_pTrustedStore);
- // verify ocsp response
- int response = OCSP_basic_verify(basic, NULL, m_pTrustedStore, 0);
- if (response <= 0) {
- LogWarning("OCSP verification failed");
- }
-
- return response > 0;
-}
-
-void OCSPImpl::checkRevocationStatus(OCSP_BASICRESP* basic,
- OCSP_CERTID* id)
-{
- ASN1_GENERALIZEDTIME* producedAt;
- ASN1_GENERALIZEDTIME* thisUpdate;
- ASN1_GENERALIZEDTIME* nextUpdate;
- int reason;
- int status;
-
- m_responseValidity = 0;
-
- if (!OCSP_resp_find_status(basic,
- id,
- &status,
- &reason,
- &producedAt,
- &thisUpdate,
- &nextUpdate))
- {
- VcoreThrowMsg(OCSPImpl::Exception::VerificationError,
- "OCSP: Failed to find certificate status.");
- }
-
- if (!OCSP_check_validity(thisUpdate,
- nextUpdate,
- MaxValidatyPeriodInSeconds,
- MaxAge))
- {
- VcoreThrowMsg(OCSPImpl::Exception::VerificationError,
- "OCSP: Failed to check certificate validate.");
- }
-
- if (nextUpdate) {
- asn1GeneralizedTimeToTimeT(nextUpdate,&m_responseValidity);
- time_t now;
- time(&now);
- LogDebug("Time of next OCSP update got from server: " << m_responseValidity);
- LogDebug("Expires in: " << (m_responseValidity - now));
- LogDebug("Original: " << nextUpdate->data);
- }
-
- switch (status) {
- case V_OCSP_CERTSTATUS_GOOD:
- return;
- case V_OCSP_CERTSTATUS_REVOKED:
- VcoreThrowMsg(OCSPImpl::Exception::CertificateRevoked, "Certificate is Revoked");
- case V_OCSP_CERTSTATUS_UNKNOWN:
- VcoreThrowMsg(OCSPImpl::Exception::CertificateUnknown, "Certificate is Unknown");
- default:
- Assert(false && "Invalid status");
- }
-}
-
-OCSPImpl::OcspResponse OCSPImpl::convertToResponse()
-{
- using namespace SoupWrapper;
-
- // convert memory buffer to ocsp response object
- BUF_MEM res_bmem;
- OCSP_RESPONSE* response;
-
- SoupMessageSendBase::MessageBuffer buffer = m_soupMessage.getResponse();
-
- res_bmem.length = buffer.size();
- res_bmem.data = &buffer[0];
- res_bmem.max = buffer.size();
-
- BIO* res_mem_bio = BIO_new(BIO_s_mem());
- BIO_set_mem_buf(res_mem_bio, &res_bmem, BIO_NOCLOSE);
-
- response = d2i_OCSP_RESPONSE_bio(res_mem_bio, NULL);
- BIO_free_all(res_mem_bio);
-
- if (!response) {
- LogWarning("OCSP: Failed to convert OCSP Response to DER format");
- return std::make_pair(false, static_cast<OCSP_RESPONSE*>(NULL));
- }
-
- return std::make_pair(true, response);
-}
-
-void OCSPImpl::handleInvalidResponse(int result)
-{
- switch (result) {
- case OCSP_RESPONSE_STATUS_MALFORMEDREQUEST:
- LogWarning("OCSP: Server returns "
- "OCSP_RESPONSE_STATUS_MALFORMEDREQUEST status");
- break;
- case OCSP_RESPONSE_STATUS_INTERNALERROR:
- LogWarning("OCSP: Server returns "
- "OCSP_RESPONSE_STATUS_INTERNALERROR status");
- break;
- case OCSP_RESPONSE_STATUS_TRYLATER:
- LogWarning("OCSP: Server returns "
- "OCSP_RESPONSE_STATUS_TRYLATER status");
- break;
- case OCSP_RESPONSE_STATUS_SIGREQUIRED:
- LogWarning("OCSP: Server returns "
- "OCSP_RESPONSE_STATUS_SIGREQUIRED status");
- break;
- case OCSP_RESPONSE_STATUS_UNAUTHORIZED:
- LogWarning("OCSP: Server returns "
- "OCSP_RESPONSE_STATUS_UNAUTHORIZED status");
- break;
- default:
- Assert(false && "Invalid result value");
- }
-}
-} // namespace ValidationCore
+++ /dev/null
-/*
- * Copyright (c) 2011 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-/*!
- * @author Tomasz Morawski(t.morawski@samsung.com)
- * @author Michal Ciepielski(m.ciepielski@samsung.com)
- * @author Piotr Marcinkiewicz(p.marcinkiew@samsung.com)
- * @author Bartlomiej Grzelewski(b.grzelewski@samsung.com)
- * @version 0.4
- * @file OCPS.h
- * @brief Routines for certificate validation over OCSP
- */
-
-#ifndef _VALIDATION_CORE_OCSPIMPL_H_
-#define _VALIDATION_CORE_OCSPIMPL_H_
-
-#include <vcore/OCSP.h>
-
-#include <string>
-#include <vector>
-#include <list>
-
-#include <openssl/pem.h>
-#include <openssl/ocsp.h>
-#include <libsoup/soup.h>
-
-#include <vcore/scoped_gpointer.h>
-#include <vcore/OCSPCertMgrUtil.h>
-#include <vcore/CertificateCollection.h>
-#include <vcore/CertificateStorage.h>
-#include <vcore/VerificationStatus.h>
-#include <vcore/SSLContainers.h>
-#include <vcore/SoupMessageSendBase.h>
-#include <vcore/SoupMessageSendSync.h>
-#include <vcore/TimeConversion.h>
-#include <vcore/exception.h>
-/*
- * The WRT MUST NOT allow installation of widgets with revoked signatures.
- *
- * The WRT MUST NOT allow use of widgets with revoked signatures.
- *
- * The WRT MUST support checking for revocation of widget signatures via
- * OCSP [RFC 2560] at widget installation time, according to the following:
- *
- * At widget installation time, the WRT shall make several attempts
- * (5 attempts at 6 seconds apart recommended) to establish contact with
- * the OCSP server.
- *
- * If connectivity is successful and the application is validated, the
- * installation process shall continue.
- *
- * If connectivity is successful and if the widget signature is
- * determined to be revoked, the WRT shall issue a suitable error message
- * and cancel installation.
- *
- * If connectivity is successful and revocation status is unknown or if
- * connectivity is unsuccessful, the user must be notified that the
- * widget was unable to be installed as trusted - the certification of
- * the widget signature has not been validated -, and prompt the user to allow
- * the user to install the widget as an untrusted application, or reject
- * the installation.
- *
- * The WRT MUST support checking for revocation of widget signatures via OCSP
- * [RFC 2560] at widget runtime.
- *
- * The WRT MUST support OCSP access policy.
- */
-
-namespace ValidationCore {
-
-class OCSPImpl {
-public:
- OCSPImpl();
-
- static const char* DEFAULT_RESPONDER_URI_ENV;
-
- VerificationStatus checkEndEntity(const CertificateCollection &certList);
-
- /**
- * Sets digest algorithm for certid in ocsp request
- */
- void setDigestAlgorithmForCertId(OCSP::DigestAlgorithm alg);
-
- /**
- * Sets digest algorithm for certid in ocsp request
- */
- void setDigestAlgorithmForRequest(OCSP::DigestAlgorithm alg);
-
- void setTrustedStore(const CertificateList& certs);
-
- VerificationStatusSet validateCertificateList(const CertificateList &certs);
-
- VerificationStatus validateCertificate(CertificatePtr argCert,
- CertificatePtr argIssuer);
-
- void setDefaultResponder(const char* uri);
-
- void setUseDefaultResponder(bool value);
-
- /**
- * @return time when response will become invalid - for list of
- * certificates, this is the minimum of all validities; value is
- * valid only for not-revoked certificates (non error validation result)
- */
- time_t getResponseValidity();
-
-private:
- class Exception {
- public:
- VCORE_DECLARE_EXCEPTION_TYPE(ValidationCore::Exception, Base)
- VCORE_DECLARE_EXCEPTION_TYPE(Base, ConnectionError)
- VCORE_DECLARE_EXCEPTION_TYPE(Base, CertificateRevoked)
- VCORE_DECLARE_EXCEPTION_TYPE(Base, CertificateUnknown)
- VCORE_DECLARE_EXCEPTION_TYPE(Base, VerificationError)
- VCORE_DECLARE_EXCEPTION_TYPE(Base, RetrieveCertFromStoreError)
- VCORE_DECLARE_EXCEPTION_TYPE(Base, VerificationNotSupport)
- };
- typedef WRT::ScopedGPointer<SoupSession> ScopedSoupSession;
- typedef WRT::ScopedGPointer<SoupMessage> ScopedSoupMessage;
-
- void handleInvalidResponse(int result);
- void sendHTTPRequest(ScopedSoupSession& session,
- ScopedSoupMessage& msg,
- const char* host,
- const char* port,
- const char* path,
- char* requestBuffer,
- size_t reqestSize);
- void sendRequest(const std::string& uri,
- char* requestBuffer,
- size_t requestSize,
- char** responseBuffer,
- size_t* responseSize);
-
- const EVP_MD* m_pCertIdDigestAlg;
- const EVP_MD* m_pRequestDigestAlg;
-
- typedef std::pair<char*, size_t> HttpResponseBuffer;
-
- SoupWrapper::SoupMessageSendBase::RequestStatus sendOcspRequest(
- OCSP_REQUEST* argRequest,
- const std::string& argUri);
-
-
-
- //! Validates a single certificate
- /*!
- * @param cert The certificate to check
- * @param issuer A certificate used to sign the certificate to check.
- */
-
- struct CreateRequestResult
- {
- bool success;
- OCSP_REQUEST* ocspRequest;
- OCSP_CERTID* ocspCertId;
- CreateRequestResult(bool argSuccess = false,
- OCSP_REQUEST* argOcspRequest = NULL,
- OCSP_CERTID* argOcspCertId = NULL) :
- success(argSuccess),
- ocspRequest(argOcspRequest),
- ocspCertId(argOcspCertId)
- {
- }
- };
-
- //! Creates a OCSP request
- /*!
- * @param request Returns created OCSP_REQUEST
- * @param id Returns CertId that is used to find proper OCSP result in
- * the OCSP response (@see checkRevocationStatus for more details).
- *
- */
- CreateRequestResult createRequest(CertificatePtr argCert,
- CertificatePtr argIssuer);
-
- OCSP_CERTID* addSerial(CertificatePtr argCert,
- CertificatePtr argIssuer);
-
- void validateResponse(OCSP_REQUEST* argRequest,
- OCSP_RESPONSE* argResponse,
- OCSP_CERTID* argCertId);
-
- //! Create a X509 store
- bool verifyResponse(OCSP_BASICRESP* argResponse);
-
- void checkRevocationStatus(OCSP_BASICRESP* argBasicResponse,
- OCSP_CERTID* argCertId);
-
- typedef std::pair<bool, OCSP_RESPONSE*> OcspResponse;
-
- OcspResponse convertToResponse();
-
- time_t m_responseValidity;
- bool m_bUseNonce;
- bool m_bUseDefResponder;
- std::string m_strResponderURI;
- bool m_bSignRequest;
- EVP_PKEY* m_pSignKey;
- CertificatePtr m_pSignCert;
- SSLSmartContainer <X509_STORE> m_pTrustedStore;
- SoupWrapper::SoupMessageSendSync m_soupMessage;
-};
-
-} // ValidationCore
-
-#endif // _VALIDATION_CORE_OCSPIMPL_H_
+++ /dev/null
-/*
- * Copyright (c) 2011 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-/*
- * @author Tomasz Morawski(t.morawski@samsung.com)
- * @version 0.1
- * @brief
- */
-
-#include <openssl/ocsp.h>
-
-/*
- * This function is needed to fix "Invalid conversion from void* to unsigned char*"
- * C++ compiler error during calling i2d_OCSP_REQUEST_bio macro
- */
-int convertToBuffer(OCSP_REQUEST *req, char **buf, int *size);
-
-int convertToBuffer(OCSP_REQUEST *req, char **buf, int *size) {
- BIO *req_mem_bio;
- BUF_MEM req_bmem;
-
- /*
- * size and membuffer for request
- */
- *size = i2d_OCSP_REQUEST(req, NULL);
- *buf = (char*) malloc(*size);
-
- if (!*buf)
- return 0;
-
- /* copy request into buffer */
- req_bmem.length = 0;
- req_bmem.data = *buf;
- req_bmem.max = *size;
-
- /*
- * create a new buffer using openssl
- */
- req_mem_bio = BIO_new(BIO_s_mem());
-
- if (!req_mem_bio) {
- /*
- * creation failed, return
- */
- free(*buf);
- *buf = NULL;
- return 0;
- }
-
- BIO_set_mem_buf(req_mem_bio, &req_bmem, BIO_NOCLOSE);
-
- /*
- * prepare request
- */
- if (i2d_OCSP_REQUEST_bio(req_mem_bio, req) <= 0) {
- free(*buf);
- *buf = NULL;
- BIO_free_all(req_mem_bio);
- return 0;
- }
-
- /*
- * check consistency
- */
- if (*size != ((int)req_bmem.length) || req_bmem.length != req_bmem.max)
- {
- free(*buf);
- *buf = NULL;
- BIO_free_all(req_mem_bio);
- return 0;
- }
-
- /*
- * free all reserved memory
- */
- BIO_free_all(req_mem_bio);
-
- /*
- * and return success
- */
- return 1;
-}
#include <vcore/ReferenceValidator.h>
#include <vcore/ValidatorFactories.h>
#include <vcore/XmlsecAdapter.h>
-#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
-#include <vcore/CertificateVerifier.h>
-#endif
#include <dpl/log/log.h>
bool complianceMode)
: m_complianceModeEnabled(complianceMode)
{
-#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
- m_ocspEnable = ocspEnable;
- m_crlEnable = crlEnable;
-#else
(void) ocspEnable;
(void) crlEnable;
-#endif
}
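Review bot: After this hunk `ocspEnable` and `crlEnable` are accepted and discarded unconditionally (`(void) ocspEnable; (void) crlEnable;` is now the only branch), so a caller that asks for revocation checking gets a validator that performs none and receives no diagnostic. I would at least document that on the constructor, e.g. `// OCSP/CRL revocation checking is not supported in this build; the flags are accepted only for source compatibility and have no effect.`, and consider a `LogWarning` when either flag is true so the missing check is visible in logs. The same applies to the `Impl` constructor in the WrtSignatureValidator hunk ending at L7699. The constructor's parameter list and signature begin outside this hunk.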
virtual ~ImplSignatureValidator(){ }
}
protected:
bool m_complianceModeEnabled;
-#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
- bool m_ocspEnable;
- bool m_crlEnable;
-#endif
};
class ImplTizenSignatureValidator : public SignatureValidator::ImplSignatureValidator
*/
}
-#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
- // It is good time to do OCSP check
- // ocspCheck will throw an exception on any error.
- // TODO Probably we should catch this exception and add
- // some information to SignatureData.
- if (!m_complianceModeEnabled && !data.isAuthorSignature()) {
- CertificateCollection coll;
- coll.load(sortedCertificateList);
-
- if (!coll.sort()) {
- LogDebug("Collection does not contain chain!");
- return SignatureValidator::SIGNATURE_INVALID_CERT_CHAIN;//SIGNATURE_INVALID;
- }
-
- CertificateVerifier verificator(m_ocspEnable, m_crlEnable);
- VerificationStatus result = verificator.check(coll);
-
- if (result == VERIFICATION_STATUS_REVOKED) {
- return SignatureValidator::SIGNATURE_REVOKED;
- }
-
- if (result == VERIFICATION_STATUS_UNKNOWN ||
- result == VERIFICATION_STATUS_ERROR)
- {
- #ifdef _OCSP_POLICY_DISREGARD_UNKNOWN_OR_ERROR_CERTS_
- disregard = true;
- #endif
- }
- }
-#endif
-
if (disregard) {
LogWarning("Signature is disregard. RootCA is not a member of Tizen");
return SignatureValidator::SIGNATURE_INVALID_DISTRIBUTOR_CERT;//SIGNATURE_DISREGARD;
}
*/
-#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
- // It is good time to do OCSP check
- // ocspCheck will throw an exception on any error.
- // TODO Probably we should catch this exception and add
- // some information to SignatureData.
- if (!m_complianceModeEnabled && !data.isAuthorSignature()) {
- CertificateCollection coll;
- coll.load(sortedCertificateList);
-
- if (!coll.sort()) {
- LogDebug("Collection does not contain chain!");
- return SignatureValidator::SIGNATURE_INVALID;
- }
-
- CertificateVerifier verificator(m_ocspEnable, m_crlEnable);
- VerificationStatus result = verificator.check(coll);
-
- if (result == VERIFICATION_STATUS_REVOKED) {
- return SignatureValidator::SIGNATURE_REVOKED;
- }
-
- if (result == VERIFICATION_STATUS_UNKNOWN ||
- result == VERIFICATION_STATUS_ERROR)
- {
- #ifdef _OCSP_POLICY_DISREGARD_UNKNOWN_OR_ERROR_CERTS_
- disregard = true;
- #endif
- }
- }
-#endif
-
if (disregard) {
LogWarning("Signature is disregard. RootCA is not a member of Tizen.");
return SignatureValidator::SIGNATURE_DISREGARD;
}
}
- #ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
- // It is good time to do OCSP check
- // ocspCheck will throw an exception on any error.
- // TODO Probably we should catch this exception and add
- // some information to SignatureData.
- if (!m_complianceModeEnabled && !data.isAuthorSignature()) {
- CertificateCollection coll;
- coll.load(sortedCertificateList);
-
- if (!coll.sort()) {
- LogDebug("Collection does not contain chain!");
- return SignatureValidator::SIGNATURE_INVALID;
- }
-
- CertificateVerifier verificator(m_ocspEnable, m_crlEnable);
- VerificationStatus result = verificator.check(coll);
-
- if (result == VERIFICATION_STATUS_REVOKED) {
- return SignatureValidator::SIGNATURE_REVOKED;
- }
-
- if (result == VERIFICATION_STATUS_UNKNOWN ||
- result == VERIFICATION_STATUS_ERROR)
- {
- #ifdef _OCSP_POLICY_DISREGARD_UNKNOWN_OR_ERROR_CERTS_
- disregard = true;
- #endif
- }
- }
-#endif
-
if (disregard) {
LogWarning("Signature is disregard. RootCA is not a member of Tizen.");
return SignatureValidator::SIGNATURE_DISREGARD;
+++ /dev/null
-/*
- * Copyright (c) 2011 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-/*!
- * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com)
- * @version 0.1
- * @file SoupMessageSendBase.cpp
- * @brief Simple wrapper for soup.
- */
-#include <vcore/SoupMessageSendBase.h>
-
-#include <dpl/assert.h>
-#include <dpl/foreach.h>
-#include <dpl/log/log.h>
-
-namespace SoupWrapper {
-
-SoupMessageSendBase::SoupMessageSendBase()
- : m_status(STATUS_IDLE)
- , m_timeout(30)
- , m_tryCount(5)
-{}
-
-SoupMessageSendBase::~SoupMessageSendBase(){
- Assert(m_status == STATUS_IDLE);
-}
-
-void SoupMessageSendBase::setHeader(const std::string &property, const std::string &value){
- Assert(m_status == STATUS_IDLE);
- m_headerMap[property] = value;
-}
-
-void SoupMessageSendBase::setHost(const std::string &host){
- Assert(m_status == STATUS_IDLE);
- m_host = host;
-}
-
-void SoupMessageSendBase::setRequest(const std::string &contentType, const MessageBuffer &message){
- Assert(m_status == STATUS_IDLE);
- m_requestType = contentType;
- m_requestBuffer = message;
-}
-
-SoupMessageSendBase::MessageBuffer SoupMessageSendBase::getResponse() const {
- Assert(m_status == STATUS_IDLE);
- return m_responseBuffer;
-}
-
-void SoupMessageSendBase::setTimeout(int seconds) {
- Assert(m_status == STATUS_IDLE);
- Assert(seconds >= 0);
- m_timeout = seconds;
-}
-
-void SoupMessageSendBase::setRetry(int retry) {
- Assert(m_status == STATUS_IDLE);
- Assert(retry >= 0);
- m_tryCount = retry + 1;
-}
-
-
-SoupMessage* SoupMessageSendBase::createRequest(){
- SoupMessage *message;
-
- LogInfo("Soup message will be send to : " << m_host);
-
- if (!m_requestBuffer.empty()) {
- message = soup_message_new("POST", m_host.c_str());
- } else {
- message = soup_message_new("GET", m_host.c_str());
- }
-
- if (!message) {
- LogError("Error creating request!");
- return 0;
- }
-
- FOREACH(it, m_headerMap){
- soup_message_headers_append(message->request_headers,
- it->first.c_str(),
- it->second.c_str());
- }
-
- if (!m_requestBuffer.empty()) {
- soup_message_set_http_version(message, SOUP_HTTP_1_0);
- soup_message_set_request(message,
- m_requestType.c_str(),
- SOUP_MEMORY_COPY,
- &m_requestBuffer[0],
- m_requestBuffer.size());
- }
-// soup_message_set_flags(message, SOUP_MESSAGE_NO_REDIRECT);
- return message;
-}
-
-} // namespace ValidationCore
+++ /dev/null
-/*
- * Copyright (c) 2011 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-/*!
- * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com)
- * @version 0.1
- * @file SoupMessageSendBase.h
- * @brief Simple wrapper for soup.
- */
-#ifndef _SRC_VALIDATION_CORE_SOUP_MESSAGE_SEND_BASE_H_
-#define _SRC_VALIDATION_CORE_SOUP_MESSAGE_SEND_BASE_H_
-
-#include <map>
-#include <vector>
-#include <string>
-
-#include <libsoup/soup.h>
-
-namespace SoupWrapper {
-
-class SoupMessageSendBase {
- public:
-
- typedef std::vector<char> MessageBuffer;
- typedef std::map<std::string,std::string> HeaderMap;
-
- enum RequestStatus {
- REQUEST_STATUS_OK,
- REQUEST_STATUS_CONNECTION_ERROR
- };
-
- SoupMessageSendBase();
-
- virtual ~SoupMessageSendBase();
-
- /**
- * Add specific information to request header.
- *
- * @param[in] property property name (for example "Host")
- * @param[in] value property value (for example "onet.pl:80")
- */
- void setHeader(const std::string &property,
- const std::string &value);
-
- /**
- * Set request destination.
- *
- * @param[in] host - full path to source (http://onet.pl/index.html)
- */
- void setHost(const std::string &host);
-
- /**
- * Set body of request.
- *
- * @param[in] contentType (for example: "application/ocsp-request")
- * @param[in] message body of reqeust
- */
- void setRequest(const std::string &contentType,
- const MessageBuffer &message);
-
- /**
- * Set network timeout. Default is 30 seconds.
- *
- * @param[in] seconds timeout in seconds
- */
- void setTimeout(int seconds);
-
- /**
- * How many erros soup will accept before he will terminate connection.
- * Default is 5.
- *
- * @param[in] retry number
- */
- void setRetry(int retry);
-
- /**
- * Get response from serwer.
- */
- MessageBuffer getResponse() const;
-
- protected:
-
- SoupMessage* createRequest();
-
- enum Status {
- STATUS_IDLE,
- STATUS_SEND_SYNC,
- STATUS_SEND_ASYNC
- };
-
- Status m_status;
-
- int m_timeout;
- int m_tryCount;
-
- std::string m_host;
- std::string m_requestType;
- MessageBuffer m_requestBuffer;
- MessageBuffer m_responseBuffer;
- HeaderMap m_headerMap;
-};
-
-} // namespace ValidationCore
-
-#endif
+++ /dev/null
-/*
- * Copyright (c) 2011 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-/*!
- * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com)
- * @version 0.1
- * @file SoupMessageSendSync.cpp
- * @brief Implementation of soup synchronous interface.
- */
-#include <vcore/SoupMessageSendSync.h>
-
-#include <memory>
-#include <functional>
-
-#include <vconf.h>
-
-#include <dpl/log/log.h>
-
-namespace SoupWrapper {
-
-SoupMessageSendBase::RequestStatus SoupMessageSendSync::sendSync()
-{
- Assert(m_status == STATUS_IDLE);
- m_status = STATUS_SEND_SYNC;
-
- ScopedGMainContext context(g_main_context_new());
-
- std::unique_ptr<char,std::function<void(void*)> >
- proxy(vconf_get_str(VCONFKEY_NETWORK_PROXY), free);
-
- std::unique_ptr <SoupURI, std::function<void(SoupURI*)> >
- proxyURI(soup_uri_new (proxy.get()), soup_uri_free);
-
- for(int tryCount = 0; tryCount < m_tryCount; ++ tryCount){
- LogDebug("Try(" << tryCount << ") to download " << m_host);
-
- ScopedSoupSession session(soup_session_async_new_with_options(
- SOUP_SESSION_ASYNC_CONTEXT,
- &*context,
- SOUP_SESSION_TIMEOUT,
- m_timeout,
- SOUP_SESSION_PROXY_URI,
- proxyURI.get(),
- NULL));
-
- ScopedSoupMessage msg;
-
- msg.Reset(createRequest());
-
- if (!msg) {
- LogError("Unable to send HTTP request.");
- m_status = STATUS_IDLE;
- return REQUEST_STATUS_CONNECTION_ERROR;
- }
- soup_session_send_message(&*session, &*msg);
-
- // if (SOUP_STATUS_IS_SUCCESSFUL(msg->status_code))
-
- if (msg->status_code == SOUP_STATUS_OK) {
- m_responseBuffer.resize(msg->response_body->length);
- memcpy(&m_responseBuffer[0],
- msg->response_body->data,
- msg->response_body->length);
- // We are done.
- m_status = STATUS_IDLE;
- return REQUEST_STATUS_OK;
- } else {
- LogWarning("Soup failed with code [" << msg->status_code << "] message [" << msg->response_body->data << "]");
- }
- }
-
- m_status = STATUS_IDLE;
- return REQUEST_STATUS_CONNECTION_ERROR;
-}
-
-} // namespave ValidationCore
+++ /dev/null
-/*
- * Copyright (c) 2011 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-/*!
- * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com)
- * @version 0.1
- * @file SoupMessageSendSync.h
- * @brief Wrapper for soup synchronous interface.
- */
-#ifndef _VALIDATION_CORE_SOUP_MESSAGE_SEND_SYNC_H_
-#define _VALIDATION_CORE_SOUP_MESSAGE_SEND_SYNC_H_
-
-#include <vcore/SoupMessageSendBase.h>
-
-#include <vcore/scoped_gpointer.h>
-
-namespace SoupWrapper {
-
-class SoupMessageSendSync : public SoupMessageSendBase {
- public:
- RequestStatus sendSync();
- protected:
- typedef WRT::ScopedGPointer<SoupMessage> ScopedSoupMessage;
- typedef WRT::ScopedGPointer<SoupSession> ScopedSoupSession;
- typedef WRT::ScopedGPointer<GMainContext> ScopedGMainContext;
-};
-
-} // namespace ValidationCore
-
-#endif
#include <vcore/VCorePrivate.h>
#include <vcore/Config.h>
-#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
-#include <vcore/Database.h>
-#include <database_checksum_vcore.h>
-#endif
#include <openssl/ssl.h>
#include <glib.h>
#include <glib-object.h>
#include <dpl/assert.h>
#include <dpl/log/log.h>
-#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
-namespace {
-VcoreDPL::DB::ThreadDatabaseSupport *threadInterface = NULL;
-} // namespace anonymous
-#endif
-
namespace ValidationCore {
void AttachToThreadRO(void)
{
-#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
- Assert(threadInterface);
- static bool check = true;
- threadInterface->AttachToThread(
- VcoreDPL::DB::SqlConnection::Flag::RO);
- // We can have race condition here but CheckTableExist
- // is thread safe and nothing bad will happend.
- if (check) {
- check = false;
- Assert(ThreadInterface().CheckTableExist(DB_CHECKSUM_STR) &&
- "Not a valid vcore database version");
- }
-#endif
}
void AttachToThreadRW(void)
{
-#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
- Assert(threadInterface);
- static bool check = true;
- threadInterface->AttachToThread(
- VcoreDPL::DB::SqlConnection::Flag::RW);
- // We can have race condition here but CheckTableExist
- // is thread safe and nothing bad will happend.
- if (check) {
- check = false;
- Assert(ThreadInterface().CheckTableExist(DB_CHECKSUM_STR) &&
- "Not a valid vcore database version");
- }
-#endif
}
-void DetachFromThread(void){
-#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
- Assert(threadInterface);
- threadInterface->DetachFromThread();
-#endif
-}
-#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
-VcoreDPL::DB::ThreadDatabaseSupport& ThreadInterface(void) {
- Assert(threadInterface);
- return *threadInterface;
+void DetachFromThread(void)
+{
}
-#endif
void VCoreInit()
{
-#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
- if (threadInterface) {
- LogDebug("Already Initialized");
- return true;
- }
-
- threadInterface = new VcoreDPL::DB::ThreadDatabaseSupport(
- CERTSVC_VCORE_DB,
- VcoreDPL::DB::SqlConnection::Flag::UseLucene);
-#endif
-
SSL_library_init();
Config &globalConfig = ConfigSingleton::Instance();
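Review bot: `DetachFromThread` is rewritten as an empty function and `AttachToThreadRO`/`AttachToThreadRW` above it are left with empty bodies, but nothing states that they are intentional no-ops, so a reader may assume per-thread database attachment still happens somewhere. Suggest a one-line comment in each body, e.g. `// No-op: the vcore database (and thread attach/detach) was removed with OCSP/CRL support; kept for API compatibility.`, or a single comment above the three declarations if they remain in the public header. The body of `VCoreInit` continues outside the hunk.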
void VCoreDeinit()
{
-#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
- Assert(threadInterface && "Not initialized or already deinitialized");
- delete threadInterface;
- threadInterface = NULL;
-#endif
}
} // namespace ValidationCore
#include <string>
#include <VCore.h>
-#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
-#include <database_checksum_vcore.h>
-#include <dpl/db/thread_database_support.h>
-#endif
-
namespace ValidationCore {
-#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
-VcoreDPL::DB::ThreadDatabaseSupport& ThreadInterface(void);
-#endif
} // namespace ValidationCore
#endif // _VCORE_SRC_VCORE_VCORE_H_
*/
#include <vcore/WrtSignatureValidator.h>
-#include <vcore/CertificateVerifier.h>
+#include <vcore/CertificateCollection.h>
#include <vcore/Certificate.h>
#include <vcore/OCSPCertMgrUtil.h>
#include <vcore/ReferenceValidator.h>
bool complianceMode)
: m_complianceModeEnabled(complianceMode)
{
-#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
- m_ocspEnable = ocspEnable;
- m_crlEnable = crlEnable;
-#else
(void) ocspEnable;
(void) crlEnable;
-#endif
}
virtual ~Impl() {}
}
protected:
bool m_complianceModeEnabled;
-#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
- bool m_ocspEnable;
- bool m_crlEnable;
-#endif
};
}
}
-#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
- // It is good time to do OCSP check
- // ocspCheck will throw an exception on any error.
- // TODO Probably we should catch this exception and add
- // some information to SignatureData.
- if (!m_complianceModeEnabled && !data.isAuthorSignature()) {
- CertificateCollection coll;
- coll.load(sortedCertificateList);
-
- if (!coll.sort()) {
- LogDebug("Collection does not contain chain!");
- return WrtSignatureValidator::SIGNATURE_INVALID_CERT_CHAIN;//SIGNATURE_INVALID;
- }
-
- CertificateVerifier verificator(m_ocspEnable, m_crlEnable);
- VerificationStatus result = verificator.check(coll);
-
- if (result == VERIFICATION_STATUS_REVOKED) {
- return WrtSignatureValidator::SIGNATURE_REVOKED;
- }
-
- if (result == VERIFICATION_STATUS_UNKNOWN ||
- result == VERIFICATION_STATUS_ERROR)
- {
-#ifdef _OCSP_POLICY_DISREGARD_UNKNOWN_OR_ERROR_CERTS_
- disregard = true;
-#endif
- }
- }
-#endif
-
if (disregard) {
LogWarning("Signature is disregard. RootCA is not a member of Tizen");
return WrtSignatureValidator::SIGNATURE_INVALID_DISTRIBUTOR_CERT;//SIGNATURE_DISREGARD;
}
}
-#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
- // It is good time to do OCSP check
- // ocspCheck will throw an exception on any error.
- // TODO Probably we should catch this exception and add
- // some information to SignatureData.
- if (!m_complianceModeEnabled && !data.isAuthorSignature()) {
- CertificateCollection coll;
- coll.load(sortedCertificateList);
-
- if (!coll.sort()) {
- LogDebug("Collection does not contain chain!");
- return WrtSignatureValidator::SIGNATURE_INVALID;
- }
-
- CertificateVerifier verificator(m_ocspEnable, m_crlEnable);
- VerificationStatus result = verificator.check(coll);
-
- if (result == VERIFICATION_STATUS_REVOKED) {
- return WrtSignatureValidator::SIGNATURE_REVOKED;
- }
-
- if (result == VERIFICATION_STATUS_UNKNOWN ||
- result == VERIFICATION_STATUS_ERROR)
- {
-#ifdef _OCSP_POLICY_DISREGARD_UNKNOWN_OR_ERROR_CERTS_
- disregard = true;
-#endif //_OCSP_POLICY_DISREGARD_UNKNOWN_OR_ERROR_CERTS_
- }
- }
-#endif
-
if (disregard) {
LogWarning("Signature is disregard. RootCA is not a member of Tizen.");
return WrtSignatureValidator::SIGNATURE_DISREGARD;
#include <vcore/CertificateCollection.h>
#include <vcore/pkcs12.h>
-#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
-#include <cert-svc/ccrl.h>
-#include <cert-svc/cocsp.h>
-#include <vcore/OCSP.h>
-#include <vcore/CRL.h>
-#include <vcore/CRLCacheInterface.h>
-#endif
-
#include <libxml/parser.h>
#include <libxml/tree.h>
typedef std::unique_ptr<CERT_CONTEXT, std::function<int(CERT_CONTEXT*)> > ScopedCertCtx;
-#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
-class CRLCacheCAPI : public CRLCacheInterface {
-public:
- CRLCacheCAPI(
- CertSvcCrlCacheWrite crlWrite,
- CertSvcCrlCacheRead crlRead,
- CertSvcCrlFree crlFree,
- void *userParam)
- : m_crlWrite(crlWrite)
- , m_crlRead(crlRead)
- , m_crlFree(crlFree)
- , m_userParam(userParam)
- {}
-
- bool getCRLResponse(CRLCachedData *ptr){
- if (!m_crlRead || !m_crlFree)
- return false;
-
- char *buffer;
- int size;
-
- bool result = m_crlRead(
- ptr->distribution_point.c_str(),
- &buffer,
- &size,
- &(ptr->next_update_time),
- m_userParam);
-
- if (result) {
- ptr->crl_body.clear();
- ptr->crl_body.append(buffer, size);
- m_crlFree(buffer, m_userParam);
- }
-
- return result;
- }
- void setCRLResponse(CRLCachedData *ptr){
- if (m_crlWrite) {
- m_crlWrite(
- ptr->distribution_point.c_str(),
- ptr->crl_body.c_str(),
- ptr->crl_body.size(),
- ptr->next_update_time,
- m_userParam);
- }
- }
-
-private:
- CertSvcCrlCacheWrite m_crlWrite;
- CertSvcCrlCacheRead m_crlRead;
- CertSvcCrlFree m_crlFree;
- void *m_userParam;
-};
-#endif
-
class CertSvcInstanceImpl {
public:
CertSvcInstanceImpl()
: m_certificateCounter(0)
, m_idListCounter(0)
, m_stringListCounter(0)
-#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
- , m_crlWrite(NULL)
- , m_crlRead(NULL)
- , m_crlFree(NULL)
-#endif
{}
~CertSvcInstanceImpl(){
return CERTSVC_SUCCESS;
}
-#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
- inline int getCrl(const CertSvcCertificate &cert, CertSvcStringList *handler){
- auto iter = m_certificateMap.find(cert.privateHandler);
- if (iter == m_certificateMap.end()) {
- return CERTSVC_WRONG_ARGUMENT;
- }
- int position = m_stringListCounter++;
-
- std::list<std::string> temp = iter->second->getCrlUris();
- std::copy(temp.begin(),
- temp.end(),
- back_inserter(m_stringListMap[position]));
-
- handler->privateHandler = position;
- handler->privateInstance = cert.privateInstance;
-
- return CERTSVC_SUCCESS;
- }
-#endif
-
inline int getStringFromList(
const CertSvcStringList &handler,
int position,
return CERTSVC_SUCCESS;
}
-#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
- inline int ocspCheck(const CertSvcCertificate *chain,
- int chain_size,
- const CertSvcCertificate *trusted,
- int trusted_size,
- const char *url,
- int *status)
- {
- auto instance = chain[0].privateInstance.privatePtr;
-
- for(int i=1; i<chain_size; ++i) {
- if (instance != chain[i].privateInstance.privatePtr)
- {
- return CERTSVC_WRONG_ARGUMENT;
- }
- }
- CertificateList chainList, trustedList;
-
- for(int i=0; i<chain_size; ++i) {
- auto cert = m_certificateMap.find(chain[i].privateHandler);
- if (cert == m_certificateMap.end()) {
- return CERTSVC_WRONG_ARGUMENT;
- }
- chainList.push_back(cert->second);
- }
-
- for(int i=0; i<trusted_size; ++i) {
- if (instance != trusted[i].privateInstance.privatePtr)
- {
- return CERTSVC_WRONG_ARGUMENT;
- }
- }
-
- for(int i=0; i<trusted_size; ++i) {
- auto cert = m_certificateMap.find(trusted[i].privateHandler);
- if (cert == m_certificateMap.end()) {
- return CERTSVC_WRONG_ARGUMENT;
- }
- trustedList.push_back(cert->second);
- }
-
- OCSP ocsp;
-// ocsp.setDigestAlgorithmForCertId(OCSP::SHA1);
-// ocsp.setDigestAlgorithmForRequest(OCSP::SHA1);
- ocsp.setTrustedStore(trustedList);
-
- if (url) {
- ocsp.setUseDefaultResponder(true);
- ocsp.setDefaultResponder(url);
- }
-
- CertificateCollection collection;
- collection.load(chainList);
- if (!collection.sort()) {
- return CERTSVC_WRONG_ARGUMENT;
- }
-
- chainList = collection.getChain();
-
- VerificationStatusSet statusSet = ocsp.validateCertificateList(chainList);
-
- int ret = 0;
- if (statusSet.contains(VERIFICATION_STATUS_GOOD)) {
- ret |= CERTSVC_OCSP_GOOD;
- }
- if (statusSet.contains(VERIFICATION_STATUS_REVOKED)) {
- ret |= CERTSVC_OCSP_REVOKED;
- }
- if (statusSet.contains(VERIFICATION_STATUS_UNKNOWN)) {
- ret |= CERTSVC_OCSP_UNKNOWN;
- }
- if (statusSet.contains(VERIFICATION_STATUS_VERIFICATION_ERROR)) {
- ret |= CERTSVC_OCSP_VERIFICATION_ERROR;
- }
- if (statusSet.contains(VERIFICATION_STATUS_NOT_SUPPORT)) {
- ret |= CERTSVC_OCSP_NO_SUPPORT;
- }
- if (statusSet.contains(VERIFICATION_STATUS_CONNECTION_FAILED)) {
- ret |= CERTSVC_OCSP_CONNECTION_FAILED;
- }
- if (statusSet.contains(VERIFICATION_STATUS_ERROR)) {
- ret |= CERTSVC_OCSP_ERROR;
- }
-
- *status = ret;
- return CERTSVC_SUCCESS;
- }
-#endif
-
inline int verify(
CertSvcCertificate certificate,
CertSvcString &message,
return CERTSVC_SUCCESS;
}
-#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
- inline void setCRLFunction(
- CertSvcCrlCacheWrite writePtr,
- CertSvcCrlCacheRead readPtr,
- CertSvcCrlFree freePtr)
- {
- m_crlWrite = writePtr;
- m_crlRead = readPtr;
- m_crlFree = freePtr;
- }
-
- inline int crlCheck(
- CertSvcCertificate certificate,
- CertSvcCertificate *trustedStore,
- int storeSize,
- int force,
- int *status,
- void *userParam)
- {
- for(int i=1; i<storeSize; ++i) {
- if (certificate.privateInstance.privatePtr
- != trustedStore[i].privateInstance.privatePtr)
- {
- return CERTSVC_WRONG_ARGUMENT;
- }
- }
-
- CRL crl(new CRLCacheCAPI(m_crlWrite, m_crlRead, m_crlFree, userParam));
-
- for (int i=0; i<storeSize; ++i) {
- auto iter = m_certificateMap.find(trustedStore[i].privateHandler);
- if (iter == m_certificateMap.end()) {
- return CERTSVC_WRONG_ARGUMENT;
- }
- crl.addToStore(iter->second);
- }
-
- auto iter = m_certificateMap.find(certificate.privateHandler);
- if (iter == m_certificateMap.end()) {
- return CERTSVC_WRONG_ARGUMENT;
- }
- if (iter->second->getCrlUris().empty()) {
- *status = CERTSVC_CRL_NO_SUPPORT;
- return CERTSVC_SUCCESS;
- }
- crl.updateList(iter->second, force ? CRL::UPDATE_ON_DEMAND: CRL::UPDATE_ON_EXPIRED);
- CRL::RevocationStatus st = crl.checkCertificate(iter->second);
- *status = 0;
-
- if (!st.isCRLValid) {
- *status |= CERTSVC_CRL_VERIFICATION_ERROR;
- return CERTSVC_SUCCESS;
- }
-
- if (st.isRevoked) {
- *status |= CERTSVC_CRL_REVOKED;
- } else {
- *status |= CERTSVC_CRL_GOOD;
- }
-
- return CERTSVC_SUCCESS;
- }
-#endif
-
inline int certificateVerify(
CertSvcCertificate certificate,
CertSvcCertificate *trusted,
std::map<int, std::vector<std::string> > m_stringListMap;
std::set<char *> m_allocatedStringSet;
-
-#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
- CertSvcCrlCacheWrite m_crlWrite;
- CertSvcCrlCacheRead m_crlRead;
- CertSvcCrlFree m_crlFree;
-#endif
};
inline CertSvcInstanceImpl *impl(CertSvcInstance instance) {
return impl(certificate.privateInstance)->isRootCA(certificate, status);
}
-#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
-int certsvc_certificate_get_crl_distribution_points(
- CertSvcCertificate certificate,
- CertSvcStringList *handler)
-{
- try {
- return impl(certificate.privateInstance)->getCrl(certificate, handler);
- } catch (...) {}
- return CERTSVC_FAIL;
-}
-#endif
-
int certsvc_string_list_get_one(
CertSvcStringList handler,
int position,
EVP_PKEY_free(pkey);
}
-#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
-int certsvc_ocsp_check(
- CertSvcCertificate *chain,
- int chain_size,
- CertSvcCertificate *trusted,
- int trusted_size,
- const char *url,
- int *status)
-{
- try {
- if (!chain || !trusted) {
- return CERTSVC_WRONG_ARGUMENT;
- }
- return impl(chain[0].privateInstance)->
- ocspCheck(chain,
- chain_size,
- trusted,
- trusted_size,
- url,
- status);
- } catch (std::bad_alloc &) {
- return CERTSVC_BAD_ALLOC;
- } catch (...) {}
- return CERTSVC_FAIL;
-}
-#endif
-
int certsvc_message_verify(
CertSvcCertificate certificate,
CertSvcString message,
return CERTSVC_SUCCESS;
}
-#ifdef TIZEN_FEATURE_CERT_SVC_OCSP_CRL
-void certsvc_crl_cache_functions(
- CertSvcInstance instance,
- CertSvcCrlCacheWrite writePtr,
- CertSvcCrlCacheRead readPtr,
- CertSvcCrlFree freePtr)
-{
- impl(instance)->setCRLFunction(writePtr, readPtr, freePtr);
-}
-
-int certsvc_crl_check(
- CertSvcCertificate certificate,
- CertSvcCertificate *trustedStore,
- int storeSize,
- int force,
- int *status,
- void *userParam)
-{
- try {
- return impl(certificate.privateInstance)->crlCheck(
- certificate,
- trustedStore,
- storeSize,
- force,
- status,
- userParam);
- } catch (...) {}
- return CERTSVC_FAIL;
-}
-#endif
-
int certsvc_certificate_verify(
CertSvcCertificate certificate,
CertSvcCertificate *trusted,