From: cc1.yim Date: Wed, 7 Aug 2013 08:11:36 +0000 (+0900) Subject: fix the hash bug api X-Git-Tag: accepted/tizen/20130912.082418^2~5 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=52a4355c542f3690500043223b19a779128e8765;p=platform%2Fcore%2Fsecurity%2Fcert-svc.git fix the hash bug api Change-Id: I24895777f572744ddb50ef77021e614a44c87868 Signed-off-by: cc1.yim --- diff --git a/vcore/src/vcore/ReferenceValidator.cpp b/vcore/src/vcore/ReferenceValidator.cpp index e983c69..e1a9532 100644 --- a/vcore/src/vcore/ReferenceValidator.cpp +++ b/vcore/src/vcore/ReferenceValidator.cpp @@ -178,11 +178,11 @@ ReferenceValidator::Result ReferenceValidator::Impl::dfsCheckDirectories( return result; } } else if (dirp->d_type == DT_REG) { - LogDebug("Found file: " << (directory + dirp->d_name)); - if (referenceSet.end() == referenceSet.find(directory + dirp->d_name)) { + LogDebug("Found file: " << (directory + dirp->d_name)); + LogError("Unknown ERROR_REFERENCE_NOT_FOUND."); closedir(dp); m_errorDescription = directory + dirp->d_name; return ERROR_REFERENCE_NOT_FOUND; diff --git a/vcore/src/vcore/SignatureValidator.cpp b/vcore/src/vcore/SignatureValidator.cpp index fabd0ff..4fec182 100644 --- a/vcore/src/vcore/SignatureValidator.cpp +++ b/vcore/src/vcore/SignatureValidator.cpp @@ -50,14 +50,12 @@ class SignatureValidator::ImplSignatureValidator { public: virtual SignatureValidator::Result check( SignatureData &data, - const std::string &widgetContentPath, - AppInstallPath appInstallPath = TIZEN_STORE) = 0; + const std::string &widgetContentPath) = 0; virtual SignatureValidator::Result checkList( SignatureData &data, const std::string &widgetContentPath, - const std::list& uriList, - bool exceptionUriHash = false) = 0; + const std::list& uriList) = 0; explicit ImplSignatureValidator(bool ocspEnable, bool crlEnable, @@ -123,14 +121,11 @@ class ImplTizenSignatureValidator : public SignatureValidator::ImplSignatureVali { public: SignatureValidator::Result check(SignatureData &data, - const std::string &widgetContentPath, - SignatureValidator::AppInstallPath appInstallPath = SignatureValidator::TIZEN_STORE); + const std::string &widgetContentPath); SignatureValidator::Result checkList(SignatureData &data, const std::string &widgetContentPath, - const std::list& uriList, - bool exceptionUriHash = false); - + const std::list& uriList); explicit ImplTizenSignatureValidator(bool ocspEnable, bool crlEnable, bool complianceMode) @@ -142,11 +137,11 @@ class ImplTizenSignatureValidator : public SignatureValidator::ImplSignatureVali SignatureValidator::Result ImplTizenSignatureValidator::check( SignatureData &data, - const std::string &widgetContentPath, - SignatureValidator::AppInstallPath appInstallPath) + const std::string &widgetContentPath) { bool disregard = false; + DPL::Log::LogSystemSingleton::Instance().SetTag("OSP"); if (!checkRoleURI(data)) { return SignatureValidator::SIGNATURE_INVALID; } @@ -233,46 +228,20 @@ SignatureValidator::Result ImplTizenSignatureValidator::check( data.setStorageType(storeIdSet); data.setSortedCertificateList(sortedCertificateList); - if (data.getSignatureNumber() == 1 && appInstallPath != SignatureValidator::TIZEN_STORE) - { - CertificatePtr endCert = data.getEndEntityCertificatePtr(); - DPL::String subjectD = endCert->getOneLine(Certificate::FIELD_SUBJECT); - std::string subject = DPL::ToUTF8String(subjectD); - LogDebug("endCert subject : " << subject); - - char* subString = (char*)subject.c_str(); - char* findCN = NULL; - findCN = strstr(subString, "/CN="); - if(findCN == NULL) - { - LogDebug("### Signature is invalid. CN does not exist."); - fprintf(stderr, "### Signature is invalid. CN does not exist.\n"); - return SignatureValidator::SIGNATURE_INVALID; - } - - findCN += strlen("/CN="); - int cmp = -1; - cmp = strncmp(findCN, TIZEN_STORE_CN, strlen(TIZEN_STORE_CN)); - - if(cmp == 0) - { - LogDebug("### Signature is invalid. End Issure is Tizen Store."); - fprintf(stderr, "### Signature is invalid. End Issure is Tizen Store.\n"); - return SignatureValidator::SIGNATURE_INVALID; - } - } - XmlSec::XmlSecContext context; context.signatureFile = data.getSignatureFileName(); context.certificatePtr = root; - if (!(root->isSignedBy(root))) { - LogWarning("Root CA certificate not found. Chain is incomplete."); + if (!(root->isSignedBy(root))) { + LogWarning("Root CA certificate not found. Chain is incomplete."); // context.allowBrokenChain = true; } time_t nowTime = time(NULL); +#define CHECK_TIME +#ifdef CHECK_TIME + ASN1_TIME* notAfterTime = data.getEndEntityCertificatePtr()->getNotAfterTime(); ASN1_TIME* notBeforeTime = data.getEndEntityCertificatePtr()->getNotBeforeTime(); @@ -290,6 +259,7 @@ SignatureValidator::Result ImplTizenSignatureValidator::check( return SignatureValidator::SIGNATURE_INVALID; } } +#endif // WAC 2.0 SP-2066 The wrt must not block widget installation // due to expiration of the author certificate. #if 0 @@ -391,17 +361,14 @@ SignatureValidator::Result ImplTizenSignatureValidator::check( SignatureValidator::Result ImplTizenSignatureValidator::checkList(SignatureData &data, const std::string &widgetContentPath, - const std::list& uriList, - bool exceptionUriHash) + const std::list& uriList) { - if(exceptionUriHash == true && uriList.size() != 0 ) - { - LogWarning("Installation break >> invalid input parameter"); - return SignatureValidator::SIGNATURE_INVALID; - } + DPL::Log::LogSystemSingleton::Instance().SetTag("OSP"); + if(uriList.size() == 0 ) + LogWarning("checkList >> no hash"); bool disregard = false; - bool partialHash; + bool partialHash = false; if (!checkRoleURI(data)) { return SignatureValidator::SIGNATURE_INVALID; @@ -573,30 +540,26 @@ SignatureValidator::Result ImplTizenSignatureValidator::checkList(SignatureData //context.allowBrokenChain = true; // end - if(exceptionUriHash == true || uriList.size() == 0) + if(uriList.size() == 0) { if (XmlSec::NO_ERROR != XmlSecSingleton::Instance().validateNoHash(&context)) { LogWarning("Installation break - invalid package! >> validateNoHash"); return SignatureValidator::SIGNATURE_INVALID; } } - else if(uriList.size() != 0) - { - partialHash = true; - XmlSecSingleton::Instance().setPartialHashList(uriList); - if (XmlSec::NO_ERROR != XmlSecSingleton::Instance().validatePartialHash(&context)) { - LogWarning("Installation break - invalid package! >> validatePartialHash"); - return SignatureValidator::SIGNATURE_INVALID; - } - } - - if(exceptionUriHash != true && partialHash != true) + else if(uriList.size() != 0) { - data.setReference(context.referenceSet); - - if (!checkObjectReferences(data)) { + partialHash = true; + XmlSecSingleton::Instance().setPartialHashList(uriList); + if (XmlSec::NO_ERROR != XmlSecSingleton::Instance().validatePartialHash(&context)) { + LogWarning("Installation break - invalid package! >> validatePartialHash"); return SignatureValidator::SIGNATURE_INVALID; - } + } + } + + data.setReference(context.referenceSet); + //if (!checkObjectReferences(data)) { + // return SignatureValidator::SIGNATURE_INVALID; } /* @@ -645,14 +608,11 @@ class ImplWacSignatureValidator : public SignatureValidator::ImplSignatureValida { public: SignatureValidator::Result check(SignatureData &data, - const std::string &widgetContentPath, - SignatureValidator::AppInstallPath appInstallPath); + const std::string &widgetContentPath); SignatureValidator::Result checkList(SignatureData &data, const std::string &widgetContentPath, - const std::list& uriList, - bool exceptionUriHash = false); - + const std::list& uriList); explicit ImplWacSignatureValidator(bool ocspEnable, bool crlEnable, bool complianceMode) @@ -666,8 +626,7 @@ class ImplWacSignatureValidator : public SignatureValidator::ImplSignatureValida SignatureValidator::Result ImplWacSignatureValidator::checkList( SignatureData &data, const std::string &widgetContentPath, - const std::list& uriList, - bool exceptionUriHash) + const std::list& uriList) { return SignatureValidator::SIGNATURE_INVALID; } @@ -675,8 +634,7 @@ SignatureValidator::Result ImplWacSignatureValidator::checkList( SignatureValidator::Result ImplWacSignatureValidator::check( SignatureData &data, - const std::string &widgetContentPath, - SignatureValidator::AppInstallPath appInstallPath) + const std::string &widgetContentPath) { bool disregard = false; @@ -921,19 +879,17 @@ SignatureValidator::~SignatureValidator() { SignatureValidator::Result SignatureValidator::check( SignatureData &data, - const std::string &widgetContentPath, - AppInstallPath appInstallPath) + const std::string &widgetContentPath) { - return m_impl->check(data, widgetContentPath, appInstallPath); + return m_impl->check(data, widgetContentPath); } SignatureValidator::Result SignatureValidator::checkList( SignatureData &data, const std::string &widgetContentPath, - const std::list& uriList, - bool exceptionUriHash) + const std::list& uriList) { - return m_impl->checkList(data, widgetContentPath, uriList, exceptionUriHash ); + return m_impl->checkList(data, widgetContentPath, uriList); } } // namespace ValidationCore diff --git a/vcore/src/vcore/SignatureValidator.h b/vcore/src/vcore/SignatureValidator.h index 05d62ef..512cd6b 100644 --- a/vcore/src/vcore/SignatureValidator.h +++ b/vcore/src/vcore/SignatureValidator.h @@ -49,12 +49,6 @@ public: SIGNATURE_REVOKED }; - enum AppInstallPath - { - TIZEN_STORE, - OTHER_PATH - }; - explicit SignatureValidator( AppType appType, bool ocspEnable, @@ -65,14 +59,12 @@ public: Result check( SignatureData &data, - const std::string &widgetContentPath, - AppInstallPath appInstallPath = TIZEN_STORE); + const std::string &widgetContentPath); Result checkList( SignatureData &data, const std::string &widgetContentPath, - const std::list& uriList, - bool exceptionUriHash = false); + const std::list& uriList); private: ImplSignatureValidator *m_impl; diff --git a/vcore/src/vcore/XmlsecAdapter.cpp b/vcore/src/vcore/XmlsecAdapter.cpp index 5c14dca..e41e1ed 100644 --- a/vcore/src/vcore/XmlsecAdapter.cpp +++ b/vcore/src/vcore/XmlsecAdapter.cpp @@ -78,7 +78,7 @@ void* XmlSec::fileOpenCallback(const char *filename) { std::string path = s_prefixPath + filename; - LogDebug("Xmlsec opening: " << path); + // LogDebug("Xmlsec opening: " << path); return new FileWrapper(xmlFileOpen(path.c_str()),false); } @@ -100,7 +100,7 @@ int XmlSec::fileReadCallback(void *context, int XmlSec::fileCloseCallback(void *context) { - LogDebug("Xmlsec closing: "); + //LogDebug("Xmlsec closing: "); FileWrapper *fw = static_cast(context); int output = 0; if (!(fw->released)) { @@ -318,7 +318,7 @@ XmlSec::Result XmlSec::validateFile(XmlSecContext *context, } pList[n] = '\0'; - res = xmlSecDSigCtxVerifyEx(dsigCtx, node, 1, (void*)pList); + res = xmlSecDSigCtxVerifyEx(dsigCtx, node, 0, (void*)pList); i = 0; while(pList[i] != NULL) { free(pList[i]); @@ -363,8 +363,8 @@ XmlSec::Result XmlSec::validateFile(XmlSecContext *context, if (dsigCtx->c14nMethod && dsigCtx->c14nMethod->id && dsigCtx->c14nMethod->id->name) { - LogInfo("Canonicalization method: " << - reinterpret_cast(dsigCtx->c14nMethod->id->name)); + // LogInfo("Canonicalization method: " << + // reinterpret_cast(dsigCtx->c14nMethod->id->name)); } size = xmlSecPtrListGetSize(&(dsigCtx->signedInfoReferences)); @@ -380,10 +380,10 @@ XmlSec::Result XmlSec::validateFile(XmlSecContext *context, reinterpret_cast(dsigRefCtx->digestMethod->id ->name); std::string strDigest(pDigest); - LogInfo("reference digest method: " << - reinterpret_cast(dsigRefCtx->digestMethod + /*LogInfo("reference digest method: " << + reinterpret_cast(dsigRefCtx->digestMethod ->id - ->name)); + ->name));*/ if (strDigest == DIGEST_MD5) { LogWarning("MD5 digest method used! Please use sha"); res = -1;