From: Kyungwook Tak Date: Thu, 23 Jul 2015 05:20:09 +0000 (+0900) Subject: Refactor SignatureValidator and reduce interface headers X-Git-Tag: accepted/tizen/mobile/20150811.091445~3 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=6cf02b1b3ab453f691f888b929c040ac921dfc54;p=platform%2Fcore%2Fsecurity%2Fcert-svc.git Refactor SignatureValidator and reduce interface headers * Integrate SignatureValidator and WrtSignatureValidator with checkReference param flag * Client doesn't need to initialize xml before use SignatureValidator. SignatureValidator initialize it internally. * Make SignatureValidator to static function to use it conveniently. * OCSPCertMgrUtil moved to certificate collection * Exclude some headers which used only inside of SignatureValidator - CertificateCollection - SignatureReader - ParserSchema - SaxReader - Base64 : use certvsc/ccert.h API or member functions in Certificate.h instead - CryptoHash : not used in anymore in 3.0 Change-Id: Ifde1768c51fc0eea2ad8a0e3c78b098ae46f02d3 Signed-off-by: Kyungwook Tak --- diff --git a/CMakeLists.txt b/CMakeLists.txt index ff3efef..b4bfe53 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -42,6 +42,7 @@ ADD_DEFINITIONS("-DCERTSVC_CRT_FILE_PATH=\"${TZ_SYS_SHARE}/cert-svc/ca-certifica ADD_DEFINITIONS("-DFINGERPRINT_LIST_PATH=\"${TZ_SYS_SHARE}/ca-certificates/fingerprint/fingerprint_list.xml\"") ADD_DEFINITIONS("-DFINGERPRINT_LIST_SCHEMA_PATH=\"${TZ_SYS_SHARE}/ca-certificates/fingerprint/fingerprint_list.xsd\"") ADD_DEFINITIONS("-DROOT_CA_CERTS_DIR=\"${TZ_SYS_SHARE}/ca-certificates/\"") +ADD_DEFINITIONS("-DSIGNATURE_SCHEMA_PATH=\"${TZ_SYS_RO_WRT_ENGINE}/schema.xsd\"") ADD_DEFINITIONS("-DCERTSVC_DIR=\"${TZ_SYS_SHARE}/cert-svc/certs/\"") ADD_DEFINITIONS("-DCERTSVC_PKCS12_STORAGE_DIR=\"${TZ_SYS_SHARE}/cert-svc/pkcs12/\"") diff --git a/cert-svc-vcore.pc.in b/cert-svc-vcore.pc.in index d7582b5..f5c4b82 100644 --- a/cert-svc-vcore.pc.in +++ b/cert-svc-vcore.pc.in 
@@ -6,6 +6,6 @@ includedir=@INCLUDEDIR@ Name: cert-svc-vcore Description: cert-svc-vcore Version: @VERSION@ -Requires: cert-svc libxml-2.0 libxslt openssl libsoup-2.4 xmlsec1 db-util +Requires: cert-svc libxml-2.0 libxslt openssl xmlsec1 Libs: -L${libdir} -lcert-svc-vcore Cflags: -I${includedir}/cert-svc diff --git a/packaging/cert-svc.spec b/packaging/cert-svc.spec index 4dbd9ae..047c0ad 100644 --- a/packaging/cert-svc.spec +++ b/packaging/cert-svc.spec @@ -16,8 +16,6 @@ BuildRequires: pkgconfig(libpcrecpp) BuildRequires: pkgconfig(xmlsec1) BuildRequires: pkgconfig(libxml-2.0) BuildRequires: pkgconfig(libxslt) -BuildRequires: pkgconfig(icu-i18n) -BuildRequires: pkgconfig(libsoup-2.4) BuildRequires: pkgconfig(db-util) BuildRequires: pkgconfig(libsystemd-daemon) BuildRequires: pkgconfig(key-manager) diff --git a/tests/pkcs12/new_test_cases.cpp b/tests/pkcs12/new_test_cases.cpp index 8ec1b93..c304ba2 100644 --- a/tests/pkcs12/new_test_cases.cpp +++ b/tests/pkcs12/new_test_cases.cpp @@ -57,13 +57,9 @@ RUNNER_TEST(CERTSVC_PKCS12_1001_certsvc_get_root_cert_list) { int count = 0; CREATE_INSTANCE - //start time - clock_t tic = clock(); size_t length = 0; result = certsvc_pkcs12_get_certificate_list_from_store(instance, storeType, DISABLED, &certList, &length); RUNNER_ASSERT_MSG(result==CERTSVC_SUCCESS, "Getting certificate list from system store failed"); - clock_t toc = clock(); - //time end if(result == CERTSVC_SUCCESS) { tmpNode = certList; @@ -81,9 +77,8 @@ RUNNER_TEST(CERTSVC_PKCS12_1001_certsvc_get_root_cert_list) { } /* Set the status of the certificate to disabled/enabled in system store and get the status */ -RUNNER_TEST(CERTSVC_PKCS12_1002_certsvc_set_cert_to_disabled_and_get_status_for_system_store) { - - char *gname = "Certum_Root_CA.pem"; +RUNNER_TEST(CERTSVC_PKCS12_1002_certsvc_set_cert_to_disabled_and_get_status_for_system_store) +{ CertStoreType storeType = SYSTEM_STORE; CertStatus Status; CertStatus status; 
@@ -92,8 +87,8 @@ RUNNER_TEST(CERTSVC_PKCS12_1002_certsvc_set_cert_to_disabled_and_get_status_for_ CREATE_INSTANCE - Alias.privateHandler = gname; - Alias.privateLength = strlen((const char*)gname); + result = certsvc_string_new(instance, "Certum_Root_CA.pem", strlen("Certum_Root_CA.pem"), &Alias); + RUNNER_ASSERT_MSG(result == CERTSVC_SUCCESS, "certsvc_string_new failed. result : " << result); result = certsvc_pkcs12_get_certificate_status_from_store(instance, storeType, Alias, &status); RUNNER_ASSERT_MSG(result==CERTSVC_SUCCESS, "Get certificate status from system store failed."); @@ -118,17 +113,17 @@ RUNNER_TEST(CERTSVC_PKCS12_1002_certsvc_set_cert_to_disabled_and_get_status_for_ result = certsvc_pkcs12_get_certificate_status_from_store(instance, storeType, Alias, &status); RUNNER_ASSERT_MSG(result==CERTSVC_SUCCESS, "Get certificate status from system store failed."); + certsvc_string_free(Alias); + FREE_INSTANCE } /* Install a CRT file to individual stores */ -RUNNER_TEST(CERTSVC_PKCS12_1003_add_pem_file_in_individual_store) { - - char path[] = "/usr/share/cert-svc/tests/wifi-server.pem"; +RUNNER_TEST(CERTSVC_PKCS12_1003_add_pem_file_in_individual_store) +{ CertSvcStoreCertList* certList = NULL; CertSvcStoreCertList* tmpNode = NULL; CertSvcStoreCertList* tmp = NULL; - char* pass = NULL; CertStoreType type; int result; size_t length = 0; 
@@ -140,30 +135,43 @@ RUNNER_TEST(CERTSVC_PKCS12_1003_add_pem_file_in_individual_store) { const char *temp = NULL; CertSvcCertificate certificate; + CertSvcString Alias; + CertSvcString Path; + CertSvcString Pass; + CREATE_INSTANCE - CertSvcString Alias, Path, Pass; - Pass.privateHandler = pass; - Path.privateHandler = path; - Path.privateLength = strlen(path); + Pass.privateHandler = NULL; + + const char *path = "/usr/share/cert-svc/tests/wifi-server.pem"; + result = certsvc_string_new(instance, path, strlen(path), &Path); + RUNNER_ASSERT_MSG(result == CERTSVC_SUCCESS, "certsvc_string_new failed. result : " << result); type = WIFI_STORE; - Alias.privateHandler = "PEM-wifi-server-1"; - Alias.privateLength = strlen(Alias.privateHandler); + const char *cAlias = "PEM-wifi-server-1"; + result = certsvc_string_new(instance, cAlias, strlen(cAlias), &Alias); + RUNNER_ASSERT_MSG(result == CERTSVC_SUCCESS, "certsvc_string_new failed. result : " << result); + result = certsvc_pkcs12_import_from_file_to_store(instance, type, Path, Pass, Alias); RUNNER_ASSERT_MSG(result==CERTSVC_SUCCESS, "Importing PEM file to WIFI store failed."); + certsvc_string_free(Alias); type = VPN_STORE; - Alias.privateHandler = "PEM-wifi-server-2"; - Alias.privateLength = strlen(Alias.privateHandler); + cAlias = "PEM-wifi-server-2"; + result = certsvc_string_new(instance, cAlias, strlen(cAlias), &Alias); + RUNNER_ASSERT_MSG(result == CERTSVC_SUCCESS, "certsvc_string_new failed. result : " << result); result = certsvc_pkcs12_import_from_file_to_store(instance, type, Path, Pass, Alias); RUNNER_ASSERT_MSG(result==CERTSVC_SUCCESS, "Importing PEM file to VPN store failed."); + certsvc_string_free(Alias); type = EMAIL_STORE; - Alias.privateHandler = "PEM-wifi-server-3"; - Alias.privateLength = strlen(Alias.privateHandler); + cAlias = "PEM-wifi-server-3"; + result = certsvc_string_new(instance, cAlias, strlen(cAlias), &Alias); + RUNNER_ASSERT_MSG(result == CERTSVC_SUCCESS, "certsvc_string_new failed. 
result : " << result); + result = certsvc_pkcs12_import_from_file_to_store(instance, type, Path, Pass, Alias); RUNNER_ASSERT_MSG(result==CERTSVC_SUCCESS, "Importing PEM file to EMAIL store failed."); + certsvc_string_free(Alias); type = (CertStoreType) (WIFI_STORE | VPN_STORE | EMAIL_STORE); result = certsvc_pkcs12_get_certificate_list_from_store(instance, type, DISABLED, &certList, &length); @@ -190,10 +198,7 @@ RUNNER_TEST(CERTSVC_PKCS12_1003_add_pem_file_in_individual_store) { RUNNER_ASSERT_MSG(result==CERTSVC_SUCCESS, "Getting certificate list from store failed."); certList1=certList; count = 0; - while(certList!=NULL) - { - gname.privateHandler = (char *)certList->gname; - gname.privateLength = strlen(certList->gname); + while (certList) { result = certsvc_pkcs12_get_certificate_from_store(instance, certList->storeType, certList->gname, &certificate); RUNNER_ASSERT_MSG(result==CERTSVC_SUCCESS, "Failed to get certificate from store."); @@ -218,6 +223,8 @@ RUNNER_TEST(CERTSVC_PKCS12_1003_add_pem_file_in_individual_store) { certList=NULL; certList1=NULL; + certsvc_string_free(Path); + FREE_INSTANCE } @@ -981,7 +988,7 @@ RUNNER_TEST(CERTSVC_PKCS12_1018_get_duplicate_private_key) { int result = CERTSVC_SUCCESS; size_t length = 0; CertSvcString gname; - char *privatekey_path = NULL; + const char *privatekey_path = "/usr/share/cert-svc/pkcs12/temp.txt"; EVP_PKEY *privatekey = NULL; CREATE_INSTANCE @@ -996,7 +1003,6 @@ RUNNER_TEST(CERTSVC_PKCS12_1018_get_duplicate_private_key) { result = certsvc_pkcs12_dup_evp_pkey_from_store(instance, storeType, gname, &privatekey); RUNNER_ASSERT_MSG(result==CERTSVC_SUCCESS, "Getting duplicate private key from store failed."); - privatekey_path = g_strdup_printf("%s", "/usr/share/cert-svc/pkcs12/temp.txt"); if ((fp = fopen(privatekey_path, "w")) == NULL) { result = CERTSVC_FAIL; RUNNER_ASSERT_MSG(result==CERTSVC_SUCCESS, "Failed to open file for writing."); 
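Review bot: `Pass` is still only partly initialised in test 1003: the new code sets `Pass.privateHandler = NULL;` and nothing else, then hands the struct by value to `certsvc_pkcs12_import_from_file_to_store`. `privateLength`, the field the removed lines set on `Path` and `Alias`, is therefore indeterminate if the callee reads it. Value-initialise the struct at its declaration, `CertSvcString Pass = {};`, or add `Pass.privateLength = 0;` beside the handler assignment. The new `certsvc_string_free(Alias)` calls also run only when every preceding `RUNNER_ASSERT_MSG` passes, so a failed import presumably leaves the string allocated. The test body starts and ends outside this hunk.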
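Review bot: `privatekey_path` in test 1018 is now a fixed literal under `/usr/share/cert-svc/pkcs12/`, and the context line in the following hunk still opens it with `fopen(privatekey_path, "w")`, which follows an existing symlink and creates the file with umask-default permissions. The write itself is outside both hunks, but the variable name and the preceding `certsvc_pkcs12_dup_evp_pkey_from_store` call suggest that private-key material ends up in that file. Consider creating it with `open(privatekey_path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600)` followed by `fdopen`, and removing the file when the test finishes.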
@@ -1371,9 +1377,9 @@ RUNNER_TEST(CERTSVC_PKCS12_1027_get_alias_name_from_gname_from_store) { X509 *x509 = NULL; FILE *fp = NULL; EVP_PKEY *privatekey = NULL; - char *privatekey_path = NULL; - char *ca_cert_path = NULL; - char *user_cert_path = NULL; + char privatekey_path[512]; + char ca_cert_path[512]; + char user_cert_path[512]; int cert_index = 0; CREATE_INSTANCE @@ -1394,7 +1400,7 @@ RUNNER_TEST(CERTSVC_PKCS12_1027_get_alias_name_from_gname_from_store) { result = certsvc_certificate_list_get_length(cert_list, &cert_counts); RUNNER_ASSERT_MSG(cert_counts >= 1, "there is no certificates"); - selected_certificate = g_try_new0(CertSvcCertificate, cert_counts); + selected_certificate = new CertSvcCertificate[cert_counts]; RUNNER_ASSERT_MSG(selected_certificate != NULL, "failed to allocate memory"); result = certsvc_certificate_list_get_one(cert_list, 0, &user_certificate); @@ -1402,7 +1408,7 @@ RUNNER_TEST(CERTSVC_PKCS12_1027_get_alias_name_from_gname_from_store) { result = certsvc_certificate_dup_x509(user_certificate, &x509); - user_cert_path = g_strdup_printf("/usr/share/cert-svc/pkcs12/file_%d", count++); + sprintf(user_cert_path, "/usr/share/cert-svc/pkcs12/file_%d", count++); fp = fopen(user_cert_path, "w"); RUNNER_ASSERT_MSG(fp != NULL, "Failed to open the file for writing"); @@ -1416,7 +1422,7 @@ RUNNER_TEST(CERTSVC_PKCS12_1027_get_alias_name_from_gname_from_store) { cert_index = cert_counts - 1; selected_certificate[0] = user_certificate; - ca_cert_path = g_strdup_printf("%s%s_%s", EAP_TLS_PATH, certList->gname, EAP_TLS_CA_CERT_PATH); + sprintf(ca_cert_path, "%s%s_%s", EAP_TLS_PATH, certList->gname, EAP_TLS_CA_CERT_PATH); while (cert_index) { result = certsvc_certificate_list_get_one(cert_list, cert_index, &ca_certificate); RUNNER_ASSERT_MSG(result==CERTSVC_SUCCESS, "Failed to certsvc_certificate_list_get_one"); 
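Review bot: The three path buffers become fixed `char[512]` arrays here and are then filled with unbounded `sprintf` in the later hunks of test 1027 (`user_cert_path`, `ca_cert_path`, and `privatekey_path` in the `@@ -1440,8 +1446,7 @@` hunk), whereas the removed `g_strdup_printf` sized its own allocation. `ca_cert_path` and `privatekey_path` embed `certList->gname`, presumably a name read back from the certificate store, so an over-long value would write past the end of the stack buffer. Use the bounded form and assert on truncation, e.g. `int n = snprintf(ca_cert_path, sizeof(ca_cert_path), "%s%s_%s", EAP_TLS_PATH, certList->gname, EAP_TLS_CA_CERT_PATH);` followed by `RUNNER_ASSERT_MSG(n > 0 && (size_t)n < sizeof(ca_cert_path), "path too long");`, or build the paths in a `std::string`. The function body starts and ends outside these hunks.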
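Review bot: `new CertSvcCertificate[cert_counts]` reports failure by throwing `std::bad_alloc`, so the `selected_certificate != NULL` assertion kept on the next line can never fire. The matching `delete []selected_certificate;` added at the end of the test is skipped whenever an intermediate `RUNNER_ASSERT_MSG` aborts the test, which it presumably does by throwing. Declaring `std::vector<CertSvcCertificate> selected_certificate(cert_counts);` removes both the dead check and the manual delete (pass `selected_certificate.data()` wherever a raw pointer is expected outside the hunk). Note also that the `result` of `certsvc_certificate_list_get_length` is not asserted in the visible lines before `cert_counts` is used as the array size.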
@@ -1440,8 +1446,7 @@ RUNNER_TEST(CERTSVC_PKCS12_1027_get_alias_name_from_gname_from_store) { result = certsvc_pkcs12_dup_evp_pkey_from_store(instance, WIFI_STORE, Alias, &privatekey); RUNNER_ASSERT_MSG(result==CERTSVC_SUCCESS, "Failed to duplicate the private key for a certificate from wifi store"); - privatekey_path = g_strdup_printf("%s%s_%s", EAP_TLS_PATH, certList->gname, EAP_TLS_PRIVATEKEY_PATH); - + sprintf(privatekey_path, "%s%s_%s", EAP_TLS_PATH, certList->gname, EAP_TLS_PRIVATEKEY_PATH); fp = fopen(privatekey_path, "w"); RUNNER_ASSERT_MSG(fp != NULL, "Failed to open the file for writing"); @@ -1450,6 +1455,8 @@ RUNNER_TEST(CERTSVC_PKCS12_1027_get_alias_name_from_gname_from_store) { certsvc_pkcs12_free_evp_pkey(privatekey); } + delete []selected_certificate; + FREE_INSTANCE } diff --git a/tests/vcore/TestCases.cpp b/tests/vcore/TestCases.cpp index c843922..90d8552 100644 --- a/tests/vcore/TestCases.cpp +++ b/tests/vcore/TestCases.cpp @@ -16,15 +16,10 @@ */ #include - #include -#include #include -#include #include -#include #include "TestEnv.h" -#include namespace { @@ -41,11 +36,6 @@ const std::string widget_partner_path = const std::string widget_partner_operator_path = "/usr/apps/widget/tests/vcore_widget_uncompressed_partner_operator/"; -inline const char* GetSignatureXmlSchema() -{ - return "/usr/share/wrt-engine/schema.xsd"; -} - const std::string keys_path = "/usr/apps/widget/tests/vcore_keys/"; const std::string widget_store_path = "/usr/apps/widget/tests/vcore_widgets/"; 
@@ -230,82 +220,10 @@ const std::string crlExampleCertificate = "9p58Enf5DWMrh17SPH586yIJeiWZtPez9G54ftY+XIqfn0X0zso0dnoXNJQYS043" "/5vSnoHdRx/EmN8yjeEavZtC48moN0iJ38eB44uKgCD77rZW5s1XqA=="; -//class TestCleanup -//{ -// public: -// explicit TestCleanup(bool bCheckForFakeVerification = false) -// { -// if (bCheckForFakeVerification) { -// bool bUnsetEnvVar = true; -// -// m_strEnvVar = "CHECK_ONLY_DOMAIN_INSTEAD_OF_VALIDATION"; -// if (getenv(m_strEnvVar.c_str()) != NULL) { -// bUnsetEnvVar = false; -// } else { -// setenv(m_strEnvVar.c_str(), "1", 0); -// } -// } -// } -// -// ~TestCleanup() -// { -// if (!m_strRootCAPath.empty()) { -// removeCertGivenByFilename(m_strRootCAPath.c_str()); -// } -// -// if (!m_strEnvVar.empty()) { -// unsetenv(m_strEnvVar.c_str()); -// } -// } -// -// void setRootCAPath(const std::string& strRootCAPath) -// { -// m_strRootCAPath = strRootCAPath; -// } -// -// private: -// std::string m_strRootCAPath; -// std::string m_strEnvVar; -//}; -// -//class PolicyChanger : public VcoreDPL::Event::EventListener -//{ -// public: -// PolicyChanger() -// { -// VcoreDPL::Event::EventDeliverySystem::AddListener(this); -// } -// -// ~PolicyChanger() -// { -// VcoreDPL::Event::EventDeliverySystem::RemoveListener(this); -// } -// -// void OnEventReceived(const AceUpdateResponseEvent& event) -// { -// if (0 != event.GetArg0()) { -// LogError("Policy change failed"); -// } -// Assert(0 == event.GetArg0() && "Policy change failed"); -// LoopControl::finish_wait_for_wrt_init(); -// } -// -// void updatePolicy(const std::string& path) -// { -// AceUpdateRequestEvent event(path); -// VcoreDPL::Event::EventDeliverySystem::Publish(event); -// LoopControl::wait_for_wrt_init(); -// } -//}; - } // namespace anonymous using namespace ValidationCore; -////////////////////////////////////////////////// -//////// VALIDATION CORE TEST SUITE //////////// -////////////////////////////////////////////////// - /* * test: Class SignatureFinder * description: 
SignatureFinder should search directory passed as 
@@ -320,44 +238,39 @@ RUNNER_TEST(test01_signature_finder) RUNNER_ASSERT_MSG( SignatureFinder::NO_ERROR == signatureFinder.find(signatureSet), "SignatureFinder failed"); - RUNNER_ASSERT_MSG(signatureSet.size() == 3, - "Some signature has not been found"); - - SignatureFileInfo first = *(signatureSet.begin()); - RUNNER_ASSERT_MSG( - std::string("author-signature.xml") == first.getFileName(), - "Author Signature"); - RUNNER_ASSERT_MSG(-1 == first.getFileNumber(), "Wrong signature number."); - first = *(signatureSet.rbegin()); - RUNNER_ASSERT_MSG(std::string("signature22.xml") == first.getFileName(), - "Wrong signature fileName."); - RUNNER_ASSERT_MSG(22 == first.getFileNumber(), "Wrong signature number."); -} - -/* - * test: Class SignatureReader - * description: SignatureReader should parse widget digigal signaturesignature - * without any errors. Path to signature is passed to constructor. - * param of destructor. - * expected: SignatureReader should not throw any exception. - */ -RUNNER_TEST(test02_signature_reader) -{ - SignatureFileInfoSet signatureSet; - SignatureFinder signatureFinder(widget_path); - RUNNER_ASSERT_MSG( - SignatureFinder::NO_ERROR == signatureFinder.find(signatureSet), - "SignatureFinder failed"); - - SignatureFileInfoSet::reverse_iterator iter = signatureSet.rbegin(); - - for (; iter != signatureSet.rend(); ++iter) { - SignatureData data(widget_path + iter->getFileName(), - iter->getFileNumber()); - SignatureReader xml; - xml.initialize(data, GetSignatureXmlSchema()); - xml.read(data); - } + RUNNER_ASSERT_MSG(signatureSet.size() == 3, "Some signature has not been found"); + + int count = 0; + + auto iter = signatureSet.begin(); + SignatureFileInfo fileInfo = *iter++; + std::string fileName = fileInfo.getFileName(); + int fileNum = fileInfo.getFileNumber(); + if ((fileName.find("author-signature.xml") != std::string::npos && fileNum == -1) + || (fileName.find("signature1.xml") != std::string::npos && fileNum == 1) + || 
(fileName.find("signature22.xml") != std::string::npos && fileNum == 22)) + count++; + RUNNER_ASSERT_MSG(iter != signatureSet.end(), "There should be more items"); + + fileInfo = *iter++; + fileName = fileInfo.getFileName(); + fileNum = fileInfo.getFileNumber(); + if ((fileName.find("author-signature.xml") != std::string::npos && fileNum == -1) + || (fileName.find("signature1.xml") != std::string::npos && fileNum == 1) + || (fileName.find("signature22.xml") != std::string::npos && fileNum == 22)) + count++; + RUNNER_ASSERT_MSG(iter != signatureSet.end(), "There should be more items"); + + fileInfo = *iter++; + fileName = fileInfo.getFileName(); + fileNum = fileInfo.getFileNumber(); + if ((fileName.find("author-signature.xml") != std::string::npos && fileNum == -1) + || (fileName.find("signature1.xml") != std::string::npos && fileNum == 1) + || (fileName.find("signature22.xml") != std::string::npos && fileNum == 22)) + count++; + RUNNER_ASSERT_MSG(iter == signatureSet.end(), "It should be last item"); + + RUNNER_ASSERT_MSG(count == 3, "Wrong signature file count."); } /* @@ -368,7 +281,7 @@ RUNNER_TEST(test02_signature_reader) * expected: Verificator should DISREGARD author signature and VERIFY * distrubutor signature. */ -RUNNER_TEST(test03t01_wrtsignature_validator) +RUNNER_TEST(test03t01_signature_validator) { SignatureFileInfoSet signatureSet; SignatureFinder signatureFinder(widget_path); 
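Review bot: The three copy-pasted match blocks in test01_signature_finder accept any of the three expected names at every position, so a failure cannot say which file is missing, and `count` still reaches 3 if one expected (name, number) pair appears under two different paths while another is absent. Matching each entry against a list of expected pairs and erasing on a hit checks every file exactly once and drops the repeated code. The removed assertions compared the name with `==`, while the new code uses `find`, which accepts any string that merely contains the name; if `getFileName()` returns a bare file name, keep the exact comparison instead.

```cpp
// … unchanged: find() call and signatureSet.size() == 3 assertion …
std::vector<std::pair<std::string, int>> expected = {
    {"author-signature.xml", -1},
    {"signature1.xml", 1},
    {"signature22.xml", 22}};

for (const auto &fileInfo : signatureSet) {
    const std::string fileName = fileInfo.getFileName();
    const int fileNum = fileInfo.getFileNumber();
    auto hit = std::find_if(expected.begin(), expected.end(),
        [&](const std::pair<std::string, int> &e) {
            return fileName.find(e.first) != std::string::npos && fileNum == e.second;
        });
    RUNNER_ASSERT_MSG(hit != expected.end(), "Unexpected signature file : " << fileName);
    expected.erase(hit);
}
RUNNER_ASSERT_MSG(expected.empty(), "Some expected signature file is missing");
```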
@@ -376,50 +289,31 @@ RUNNER_TEST(test03t01_wrtsignature_validator) SignatureFinder::NO_ERROR == signatureFinder.find(signatureSet), "SignatureFinder failed"); - SignatureFileInfoSet::reverse_iterator iter = signatureSet.rbegin(); - for (; iter != signatureSet.rend(); ++iter) { - SignatureData data(widget_path + iter->getFileName(), - iter->getFileNumber()); - SignatureReader xml; - xml.initialize(data, GetSignatureXmlSchema()); - xml.read(data); - - WrtSignatureValidator validator( - WrtSignatureValidator::WAC20, - false, - false, - false); - - if (data.isAuthorSignature()) { - RUNNER_ASSERT_MSG( - WrtSignatureValidator::SIGNATURE_DISREGARD == - validator.check(data, widget_path), + for (SignatureFileInfoSet::reverse_iterator iter = signatureSet.rbegin(); + iter != signatureSet.rend(); + ++iter) { + SignatureData data; + SignatureValidator::Result valResult = SignatureValidator::check( + *iter, + widget_path, + false, + true, + data); + + if (data.isAuthorSignature()) + RUNNER_ASSERT_MSG(valResult == SignatureValidator::SIGNATURE_DISREGARD, "Validation failed"); - } else { + else if (data.getSignatureNumber() == 1) - { - WrtSignatureValidator::Result temp = validator.check(data, widget_path); - - RUNNER_ASSERT_MSG( - WrtSignatureValidator::SIGNATURE_DISREGARD == - temp, - "Validation failed"); - - } + RUNNER_ASSERT_MSG(valResult == SignatureValidator::SIGNATURE_DISREGARD, + "Validation failed"); else - { - WrtSignatureValidator::Result temp = validator.check(data, widget_path); - - RUNNER_ASSERT_MSG( - WrtSignatureValidator::SIGNATURE_VERIFIED == - temp, - "Validation failed"); - } - } + RUNNER_ASSERT_MSG(valResult == SignatureValidator::SIGNATURE_VERIFIED, + "Validation failed"); } } -RUNNER_TEST(test03t02_wrtsignature_validator_negative_hash_input) +RUNNER_TEST(test03t02_signature_validator_negative_hash_input) { SignatureFileInfoSet signatureSet; SignatureFinder signatureFinder(widget_negative_hash_path); 
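Review bot: The two bare booleans passed to `SignatureValidator::check` (`false, true` here, `false, false` in the test04 hunks) are the only thing that now separates the former WrtSignatureValidator tests from the SignatureValidator ones, and nothing at the call site says which flag is which. The commit message implies that one of them is the new checkReference switch, presumably the fourth argument, but the declaration is not in this part of the diff. Confirm the order there and label the arguments at each call, e.g. `false, /* <name of first flag> */` and `true, /* checkReference */`. The same applies to the calls in test03t02–t04 and test04t01–t04.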
@@ -427,29 +321,26 @@ RUNNER_TEST(test03t02_wrtsignature_validator_negative_hash_input) SignatureFinder::NO_ERROR == signatureFinder.find(signatureSet), "SignatureFinder failed"); - SignatureFileInfoSet::reverse_iterator iter = signatureSet.rbegin(); - for (; iter != signatureSet.rend(); ++iter) { - SignatureData data(widget_negative_hash_path + iter->getFileName(), - iter->getFileNumber()); - SignatureReader xml; - xml.initialize(data, GetSignatureXmlSchema()); - xml.read(data); - - WrtSignatureValidator validator( - WrtSignatureValidator::WAC20, - false, - false, - false); - - int temp = validator.check(data, widget_negative_hash_path); - RUNNER_ASSERT_MSG( - (WrtSignatureValidator::SIGNATURE_INVALID == temp - || WrtSignatureValidator::SIGNATURE_DISREGARD == temp), - "Wrong input file but success.. Errorcode : " << wrtValidatorErrorToString(temp)); + for (SignatureFileInfoSet::reverse_iterator iter = signatureSet.rbegin(); + iter != signatureSet.rend(); + ++iter) { + SignatureData data; + SignatureValidator::Result valResult = SignatureValidator::check( + *iter, + widget_negative_hash_path, + false, + true, + data); + if (!data.isAuthorSignature()) + RUNNER_ASSERT_MSG(valResult == SignatureValidator::SIGNATURE_INVALID, + "Wrong input file but success.. Errorcode : " << validatorErrorToString(valResult)); + else + RUNNER_ASSERT_MSG(valResult == SignatureValidator::SIGNATURE_DISREGARD, + "Wrong input file but success.. Errorcode : " << validatorErrorToString(valResult)); } } -RUNNER_TEST(test03t03_wrtsignature_validator_negative_signature_input) +RUNNER_TEST(test03t03_signature_validator_negative_signature_input) { SignatureFileInfoSet signatureSet; SignatureFinder signatureFinder(widget_negative_signature_path); 
@@ -457,29 +348,27 @@ RUNNER_TEST(test03t03_wrtsignature_validator_negative_signature_input) SignatureFinder::NO_ERROR == signatureFinder.find(signatureSet), "SignatureFinder failed"); - SignatureFileInfoSet::reverse_iterator iter = signatureSet.rbegin(); - for (; iter != signatureSet.rend(); ++iter) { - SignatureData data(widget_negative_signature_path + iter->getFileName(), - iter->getFileNumber()); - SignatureReader xml; - xml.initialize(data, GetSignatureXmlSchema()); - xml.read(data); - - WrtSignatureValidator validator( - WrtSignatureValidator::WAC20, - false, - false, - false); - - int temp = validator.check(data, widget_negative_signature_path); - RUNNER_ASSERT_MSG( - (WrtSignatureValidator::SIGNATURE_INVALID == temp - || WrtSignatureValidator::SIGNATURE_DISREGARD == temp), - "Wrong input file but success.. Errorcode : " << wrtValidatorErrorToString(temp)); + for (SignatureFileInfoSet::reverse_iterator iter = signatureSet.rbegin(); + iter != signatureSet.rend(); + ++iter) { + SignatureData data; + SignatureValidator::Result valResult = SignatureValidator::check( + *iter, + widget_negative_signature_path, + false, + true, + data); + + if (!data.isAuthorSignature()) + RUNNER_ASSERT_MSG(valResult == SignatureValidator::SIGNATURE_INVALID, + "Wrong input file but success.. Errorcode : " << validatorErrorToString(valResult)); + else + RUNNER_ASSERT_MSG(valResult == SignatureValidator::SIGNATURE_DISREGARD, + "Wrong input file but success.. Errorcode : " << validatorErrorToString(valResult)); } } -RUNNER_TEST(test03t04_wrtsignature_validator_partner) +RUNNER_TEST(test03t04_signature_validator_partner) { SignatureFileInfoSet signatureSet; SignatureFinder signatureFinder(widget_partner_path); 
@@ -487,24 +376,19 @@ RUNNER_TEST(test03t04_wrtsignature_validator_partner) SignatureFinder::NO_ERROR == signatureFinder.find(signatureSet), "SignatureFinder failed"); - SignatureFileInfoSet::reverse_iterator iter = signatureSet.rbegin(); - for (; iter != signatureSet.rend(); ++iter) { - SignatureData data(widget_partner_path + iter->getFileName(), - iter->getFileNumber()); - SignatureReader xml; - xml.initialize(data, GetSignatureXmlSchema()); - xml.read(data); - - WrtSignatureValidator validator( - WrtSignatureValidator::WAC20, - false, - false, - false); - - int temp = validator.check(data, widget_partner_path); - RUNNER_ASSERT_MSG( - WrtSignatureValidator::SIGNATURE_VERIFIED == temp, - "Wrong input file but success.. Errorcode : " << wrtValidatorErrorToString(temp)); + for (SignatureFileInfoSet::reverse_iterator iter = signatureSet.rbegin(); + iter != signatureSet.rend(); + ++iter) { + SignatureData data; + SignatureValidator::Result valResult = SignatureValidator::check( + *iter, + widget_partner_path, + false, + true, + data); + + RUNNER_ASSERT_MSG(valResult == SignatureValidator::SIGNATURE_VERIFIED, + "Wrong input file but success.. Errorcode : " << validatorErrorToString(valResult)); if (!data.isAuthorSignature()) { RUNNER_ASSERT_MSG( data.getVisibilityLevel() == CertStoreId::VIS_PARTNER, 
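Review bot: The failure text in test03t04 is inverted: this is the positive partner test asserting `SIGNATURE_VERIFIED`, yet a failure prints "Wrong input file but success..", a message carried over from the negative tests. Something like `"Partner widget validation failed. Errorcode : " << validatorErrorToString(valResult)` would describe what actually happened. test04t04 has the same message. The `SIGNATURE_DISREGARD` branches for author signatures in the negative-input tests reuse the text as well, where it is equally misleading.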
@@ -512,94 +396,6 @@ RUNNER_TEST(test03t04_wrtsignature_validator_partner) } } } -/* // no partner_operator certificate in kiran emlulator -RUNNER_TEST(test03t05_wrtsignature_validator_partner_operator) -{ - SignatureFileInfoSet signatureSet; - SignatureFinder signatureFinder(widget_partner_operator_path); - LogError("Size: " << signatureSet.size()); - RUNNER_ASSERT_MSG( - SignatureFinder::NO_ERROR == signatureFinder.find(signatureSet), - "SignatureFinder failed"); - - SignatureFileInfoSet::reverse_iterator iter = signatureSet.rbegin(); - LogError("Size: " << signatureSet.size()); - for (; iter != signatureSet.rend(); ++iter) { - SignatureData data(widget_partner_operator_path + iter->getFileName(), - iter->getFileNumber()); - SignatureReader xml; - xml.initialize(data, GetSignatureXmlSchema()); - xml.read(data); - - WrtSignatureValidator validator( - WrtSignatureValidator::WAC20, - false, - false, - false); - - if (data.isAuthorSignature()) { - LogError("Author"); - RUNNER_ASSERT_MSG( - WrtSignatureValidator::SIGNATURE_VERIFIED == - validator.check(data, widget_partner_operator_path), - "Wrong input file but success.."); - } else { - LogError("Distributor"); - RUNNER_ASSERT_MSG( - WrtSignatureValidator::SIGNATURE_VERIFIED == - validator.check(data, widget_partner_operator_path), - "Wrong input file but success.."); - - RUNNER_ASSERT_MSG( - data.getVisibilityLevel() == CertStoreId::VIS_PLATFORM, - "visibility check failed."); - } - } -} -*/ - -/* -RUNNER_TEST(test03t04_wrtsignature_validator_negative_certificate_input) -{ - SignatureFileInfoSet signatureSet; - SignatureFinder signatureFinder(widget_negative_certificate_path); - LogError("Size: " << signatureSet.size()); - RUNNER_ASSERT_MSG( - SignatureFinder::NO_ERROR == signatureFinder.find(signatureSet), - "SignatureFinder failed"); - - SignatureFileInfoSet::reverse_iterator iter = signatureSet.rbegin(); - LogError("Size: " << signatureSet.size()); - for (; iter != signatureSet.rend(); ++iter) { - SignatureData 
data(widget_negative_certificate_path + iter->getFileName(), - iter->getFileNumber()); - SignatureReader xml; - xml.initialize(data, GetSignatureXmlSchema()); - xml.read(data); - - WrtSignatureValidator validator( - WrtSignatureValidator::WAC20, - false, - false, - false); - - if (data.isAuthorSignature()) { - LogError("Author"); - RUNNER_ASSERT_MSG( - WrtSignatureValidator::SIGNATURE_INVALID == - validator.check(data, widget_negative_certificate_path), - "Wrong input file but success.."); - } else { - LogError("Distributor"); - RUNNER_ASSERT_MSG( - WrtSignatureValidator::SIGNATURE_DISREGARD == - validator.check(data, widget_negative_certificate_path), - "Wrong input file but success.."); - } - } -} -*/ - /* * test: Integration test of SignatureFinder, SignatureReader, * SignatureValidator 
@@ -616,45 +412,27 @@ RUNNER_TEST(test04t01_signature_validator) SignatureFinder::NO_ERROR == signatureFinder.find(signatureSet), "SignatureFinder failed"); - SignatureFileInfoSet::reverse_iterator iter = signatureSet.rbegin(); - for (; iter != signatureSet.rend(); ++iter) { - SignatureData data(widget_path + iter->getFileName(), - iter->getFileNumber()); - SignatureReader xml; - xml.initialize(data, GetSignatureXmlSchema()); - xml.read(data); - - SignatureValidator validator( - SignatureValidator::WAC20, - false, - false, - false); - - if (data.isAuthorSignature()) { - RUNNER_ASSERT_MSG( - SignatureValidator::SIGNATURE_DISREGARD == - validator.check(data, widget_path), + for (SignatureFileInfoSet::reverse_iterator iter = signatureSet.rbegin(); + iter != signatureSet.rend(); + ++iter) { + SignatureData data; + SignatureValidator::Result valResult = SignatureValidator::check( + *iter, + widget_path, + false, + false, + data); + + if (data.isAuthorSignature()) + RUNNER_ASSERT_MSG(valResult == SignatureValidator::SIGNATURE_DISREGARD, "Validation failed"); - } else { + else if (data.getSignatureNumber() == 1) - { - SignatureValidator::Result temp = validator.check(data, widget_path); - - RUNNER_ASSERT_MSG( - SignatureValidator::SIGNATURE_DISREGARD == - temp, + RUNNER_ASSERT_MSG(valResult == SignatureValidator::SIGNATURE_DISREGARD, "Validation failed"); - } else - { - SignatureValidator::Result temp = validator.check(data, widget_path); - - RUNNER_ASSERT_MSG( - SignatureValidator::SIGNATURE_VERIFIED == - temp, + RUNNER_ASSERT_MSG(valResult == SignatureValidator::SIGNATURE_VERIFIED, "Validation failed"); - } - } } } 
@@ -666,25 +444,23 @@ RUNNER_TEST(test04t02_signature_validator_negative_hash_input) SignatureFinder::NO_ERROR == signatureFinder.find(signatureSet), "SignatureFinder failed"); - SignatureFileInfoSet::reverse_iterator iter = signatureSet.rbegin(); - for (; iter != signatureSet.rend(); ++iter) { - SignatureData data(widget_negative_hash_path + iter->getFileName(), - iter->getFileNumber()); - SignatureReader xml; - xml.initialize(data, GetSignatureXmlSchema()); - xml.read(data); - - SignatureValidator validator( - SignatureValidator::WAC20, - false, - false, - false); - - int temp = validator.check(data, widget_negative_hash_path); - RUNNER_ASSERT_MSG( - (WrtSignatureValidator::SIGNATURE_INVALID == temp - || WrtSignatureValidator::SIGNATURE_DISREGARD == temp), - "Wrong input file but success.. Errorcode : " << wrtValidatorErrorToString(temp)); + for (SignatureFileInfoSet::reverse_iterator iter = signatureSet.rbegin(); + iter != signatureSet.rend(); + ++iter) { + SignatureData data; + SignatureValidator::Result valResult = SignatureValidator::check( + *iter, + widget_negative_hash_path, + false, + false, + data); + + if (!data.isAuthorSignature()) + RUNNER_ASSERT_MSG(valResult == SignatureValidator::SIGNATURE_INVALID, + "Wrong input file but success.. Errorcode : " << validatorErrorToString(valResult)); + else + RUNNER_ASSERT_MSG(valResult == SignatureValidator::SIGNATURE_DISREGARD, + "Wrong input file but success.. Errorcode : " << validatorErrorToString(valResult)); } } 
@@ -696,25 +472,23 @@ RUNNER_TEST(test04t03_signature_validator_negative_signature_input) SignatureFinder::NO_ERROR == signatureFinder.find(signatureSet), "SignatureFinder failed"); - SignatureFileInfoSet::reverse_iterator iter = signatureSet.rbegin(); - for (; iter != signatureSet.rend(); ++iter) { - SignatureData data(widget_negative_signature_path + iter->getFileName(), - iter->getFileNumber()); - SignatureReader xml; - xml.initialize(data, GetSignatureXmlSchema()); - xml.read(data); - - SignatureValidator validator( - SignatureValidator::WAC20, - false, - false, - false); - - int temp = validator.check(data, widget_negative_signature_path); - RUNNER_ASSERT_MSG( - (WrtSignatureValidator::SIGNATURE_INVALID == temp - || WrtSignatureValidator::SIGNATURE_DISREGARD == temp), - "Wrong input file but success.. Errorcode : " << wrtValidatorErrorToString(temp)); + for (SignatureFileInfoSet::reverse_iterator iter = signatureSet.rbegin(); + iter != signatureSet.rend(); + ++iter) { + SignatureData data; + SignatureValidator::Result valResult = SignatureValidator::check( + *iter, + widget_negative_signature_path, + false, + false, + data); + + if (!data.isAuthorSignature()) + RUNNER_ASSERT_MSG(valResult == SignatureValidator::SIGNATURE_INVALID, + "Wrong input file but success.. Errorcode : " << validatorErrorToString(valResult)); + else + RUNNER_ASSERT_MSG(valResult == SignatureValidator::SIGNATURE_DISREGARD, + "Wrong input file but success.. Errorcode : " << validatorErrorToString(valResult)); } } 
@@ -726,118 +500,25 @@ RUNNER_TEST(test04t04_signature_validator_partner) SignatureFinder::NO_ERROR == signatureFinder.find(signatureSet), "SignatureFinder failed"); - SignatureFileInfoSet::reverse_iterator iter = signatureSet.rbegin(); - for (; iter != signatureSet.rend(); ++iter) { - SignatureData data(widget_partner_path + iter->getFileName(), - iter->getFileNumber()); - SignatureReader xml; - xml.initialize(data, GetSignatureXmlSchema()); - xml.read(data); - - SignatureValidator validator( - SignatureValidator::TIZEN, - false, - false, - false); - - int temp = validator.check(data, widget_partner_path); - RUNNER_ASSERT_MSG(SignatureValidator::SIGNATURE_VERIFIED == temp, - "Wrong input file but success.. Errorcode : " << wrtValidatorErrorToString(temp)); - - if (!data.isAuthorSignature()) { - RUNNER_ASSERT_MSG( - data.getVisibilityLevel() == CertStoreId::VIS_PARTNER, - "visibility check failed."); - } - } -} -/* // no partner_operator certificate in kiran emulator -RUNNER_TEST(test04t05_signature_validator_partner_operator) -{ - SignatureFileInfoSet signatureSet; - SignatureFinder signatureFinder(widget_partner_operator_path); - LogError("Size: " << signatureSet.size()); - RUNNER_ASSERT_MSG( - SignatureFinder::NO_ERROR == signatureFinder.find(signatureSet), - "SignatureFinder failed"); - - SignatureFileInfoSet::reverse_iterator iter = signatureSet.rbegin(); - LogError("Size: " << signatureSet.size()); - for (; iter != signatureSet.rend(); ++iter) { - SignatureData data(widget_partner_operator_path + iter->getFileName(), - iter->getFileNumber()); - SignatureReader xml; - xml.initialize(data, GetSignatureXmlSchema()); - xml.read(data); - - SignatureValidator validator( - SignatureValidator::TIZEN, - false, - false, - false); - - if (data.isAuthorSignature()) { - LogError("Author"); - RUNNER_ASSERT_MSG( - SignatureValidator::SIGNATURE_VERIFIED == - validator.check(data, widget_partner_operator_path), - "Wrong input file but success.."); - } else { - 
LogError("Distributor"); - RUNNER_ASSERT_MSG( - SignatureValidator::SIGNATURE_VERIFIED == - validator.check(data, widget_partner_operator_path), - "Wrong input file but success.."); - - RUNNER_ASSERT_MSG( - data.getVisibilityLevel() == CertStoreId::VIS_PLATFORM, + for (SignatureFileInfoSet::reverse_iterator iter = signatureSet.rbegin(); + iter != signatureSet.rend(); + ++iter) { + SignatureData data; + SignatureValidator::Result valResult = SignatureValidator::check( + *iter, + widget_partner_path, + false, + false, + data); + + RUNNER_ASSERT_MSG(valResult == SignatureValidator::SIGNATURE_VERIFIED, + "Wrong input file but success.. Errorcode : " << validatorErrorToString(valResult)); + + if (!data.isAuthorSignature()) + RUNNER_ASSERT_MSG(data.getVisibilityLevel() == CertStoreId::VIS_PARTNER, "visibility check failed."); - } - } -} -*/ - -/* -RUNNER_TEST(test04t04_signature_validator_negative_certificate_input) -{ - SignatureFileInfoSet signatureSet; - SignatureFinder signatureFinder(widget_negative_certificate_path); - LogError("Size: " << signatureSet.size()); - RUNNER_ASSERT_MSG( - SignatureFinder::NO_ERROR == signatureFinder.find(signatureSet), - "SignatureFinder failed"); - - SignatureFileInfoSet::reverse_iterator iter = signatureSet.rbegin(); - LogError("Size: " << signatureSet.size()); - for (; iter != signatureSet.rend(); ++iter) { - SignatureData data(widget_negative_certificate_path + iter->getFileName(), - iter->getFileNumber()); - SignatureReader xml; - xml.initialize(data, GetSignatureXmlSchema()); - xml.read(data); - - SignatureValidator validator( - SignatureValidator::WAC20, - false, - false, - false); - - if (data.isAuthorSignature()) { - LogError("Author"); - RUNNER_ASSERT_MSG( - SignatureValidator::SIGNATURE_DISREGARD == - validator.check(data, widget_negative_certificate_path), - "Wrong input file but success.."); - } else { - LogError("Distributor"); - RUNNER_ASSERT_MSG( - SignatureValidator::SIGNATURE_DISREGARD == - validator.check(data, 
widget_negative_certificate_path), - "Wrong input file but success.."); - } } } -*/ /* * test: Integration test of SignatureFinder, SignatureReader, @@ -853,42 +534,27 @@ RUNNER_TEST(test05t01_signature_reference) SignatureFinder::NO_ERROR == signatureFinder.find(signatureSet), "SignatureFinder failed"); - SignatureFileInfoSet::reverse_iterator iter = signatureSet.rbegin(); - - for (; iter != signatureSet.rend(); ++iter) { - SignatureData data(widget_path + iter->getFileName(), - iter->getFileNumber()); - SignatureReader xml; - xml.initialize(data, GetSignatureXmlSchema()); - xml.read(data); - - WrtSignatureValidator sval( - WrtSignatureValidator::WAC20, - false, - false, - false); - - if (data.isAuthorSignature()) { - RUNNER_ASSERT_MSG( - WrtSignatureValidator::SIGNATURE_DISREGARD == - sval.check(data, widget_path), + for (SignatureFileInfoSet::reverse_iterator iter = signatureSet.rbegin(); + iter != signatureSet.rend(); + ++iter) { + SignatureData data; + SignatureValidator::Result valResult = SignatureValidator::check( + *iter, + widget_path, + false, + false, + data); + + if (data.isAuthorSignature()) + RUNNER_ASSERT_MSG(valResult == SignatureValidator::SIGNATURE_DISREGARD, "Validation failed"); - } else { + else if (data.getSignatureNumber() == 1) - { - RUNNER_ASSERT_MSG( - WrtSignatureValidator::SIGNATURE_DISREGARD == - sval.check(data, widget_path), - "Validation failed"); - } + RUNNER_ASSERT_MSG(valResult == SignatureValidator::SIGNATURE_DISREGARD, + "Validation failed"); else - { - RUNNER_ASSERT_MSG( - WrtSignatureValidator::SIGNATURE_VERIFIED == - sval.check(data, widget_path), - "Validation failed"); - } - } + RUNNER_ASSERT_MSG(valResult == SignatureValidator::SIGNATURE_VERIFIED, + "Validation failed"); /* ReferenceValidator val(widget_path); 
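Review bot: The three rewritten assertions in test05t01 report only `"Validation failed"`, while the other converted tests in this commit append `validatorErrorToString(valResult)`, so a failure here will not say which result the validator returned. Suggest `"Validation failed. Errorcode : " << validatorErrorToString(valResult)` on each of them. The `for` loop body continues past the end of this hunk.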
@@ -1112,132 +778,6 @@ RUNNER_TEST(test08t04_Certificate_isCA) RUNNER_ASSERT(cert3.isCA() == 0); } -#define CRYPTO_HASH_TEST(text,expected,FUN) \ - do { \ - ValidationCore::Crypto::Hash::Base *crypto; \ - crypto = new ValidationCore::Crypto::Hash::FUN(); \ - std::string input = text; \ - crypto->Append(text); \ - crypto->Finish(); \ - std::string result = crypto->ToBase64String(); \ - RUNNER_ASSERT_MSG(result == expected, \ - "Hash function failed"); \ - } while(0) - -/* - * test: class ValidationCore::Crypto::Hash::MD4 - * description: Test implementation of MD4 hash algorithm - * expected: Value counted by algorithm should be eqal to value encoded in test. - */ -RUNNER_TEST(test80_crypto_md4) -{ - CRYPTO_HASH_TEST("Hi, my name is Bart.", - "Rj5V34qqMQmHh2bn3Cb/vQ==", - MD4); -} - -/* - * test: class ValidationCore::Crypto::Hash::MD5 - * description: Test implementation of hash algorithm - * expected: Value counted by algorithm should be eqal to value encoded in test. - */ -RUNNER_TEST(test81_crypto_md5) -{ - CRYPTO_HASH_TEST("Hi, my name is Bart.", - "4y2iI6QtFC7+0xurBOfcsg==", - MD5); -} - -/* - * test: class ValidationCore::Crypto::Hash::SHA - * description: Test implementation of hash algorithm - * expected: Value counted by algorithm should be eqal to value encoded in test. - */ -RUNNER_TEST(test82_crypto_sha) -{ - CRYPTO_HASH_TEST("Hi, my name is Bart.", - "v7w8XNvzQkZPoID+bbdrLwI6zPA=", - SHA); -} - -/* - * test: class ValidationCore::Crypto::Hash::SHA1 - * description: Test implementation of hash algorithm - * expected: Value counted by algorithm should be eqal to value encoded in test. - */ -RUNNER_TEST(test83_crypto_sha1) -{ - CRYPTO_HASH_TEST("Hi, my name is Bart.", - "Srydq14dzpuLn+xlkGz7ZyFLe1w=", - SHA1); -} - -/* - * test: class ValidationCore::Crypto::Hash::SHA224 - * description: Test implementation of hash algorithm - * expected: Value counted by algorithm should be eqal to value encoded in test. 
- */ -RUNNER_TEST(test84_crypto_sha224) -{ - CRYPTO_HASH_TEST("Hi, my name is Bart.", - "Ss2MKa2Mxrf0/hrl8bf0fOSz/e5nQv4J/yX6ig==", - SHA224); -} - -/* - * test: class ValidationCore::Crypto::Hash::SHA256 - * description: Test implementation of hash algorithm - * expected: Value counted by algorithm should be eqal to value encoded in test. - */ -RUNNER_TEST(test85_crypto_sha256) -{ - CRYPTO_HASH_TEST("Hi, my name is Bart.", - "Bja/IuUJHLPlHYYB2hBcuuOlRWPy1RdF6gzL0VWxeps=", - SHA256); -} - -/* - * test: class ValidationCore::Crypto::Hash::SHA384 - * description: Test implementation of hash algorithm - * expected: Value counted by algorithm should be eqal to value encoded in test. - */ -RUNNER_TEST(test86_crypto_sha384) -{ - CRYPTO_HASH_TEST("Hi, my name is Bart.", - "5RjtzCnGAt+P6J8h32Dzrmka+5i5MMvDRVz+s9jA7TW508sUZOnKliliad5nUJrj", - SHA384); -} - -/* - * test: class ValidationCore::Crypto::Hash::SHA512 - * description: Test implementation of hash algorithm - * expected: Value counted by algorithm should be eqal to value encoded in test. - */ -RUNNER_TEST(test87_crypto_sha512) -{ - CRYPTO_HASH_TEST("Hi, my name is Bart.", - "LxemzcQNf5erjA4a6PnTXfL+putB3uElitOjc5QCQ9Mg4ZuxTpre8VIBAviwRcTnui2Y0/Yg7cB40OG3XJMfbA==", - SHA512); -} - -/* - * test: class ValidationCore::Crypto::Hash::SHA1 - * description: This example was implemented to show how to count SHA1 value from certificate. - * expected: Value counted by algorithm should be eqal to value encoded in test. - */ -RUNNER_TEST(test88_crypto_sha1_certificate) -{ - Certificate cert(certVerisign, Certificate::FORM_BASE64); - - ValidationCore::Crypto::Hash::SHA1 sha1; - sha1.Append(cert.getDER()); - sha1.Finish(); - std::string result = sha1.ToBase64String(); - - RUNNER_ASSERT_MSG(result == "uXIe1UntvzGE2CcM/gMRGd/CKwo=", - "Certificate hash does not match."); -} - /* * test: CertificateIdentifier::find(Fingerprint) * description: Check implementation of fingerprint_list. 
@@ -1416,15 +956,6 @@ RUNNER_TEST(test95_certificate_identifier_negative) CertStoreId::Set domain = certIdent.find(cert.getFingerprint(Certificate::FINGERPRINT_SHA1)); - RUNNER_ASSERT(!domain.contains(CertStoreId::WAC_PUBLISHER)); - RUNNER_ASSERT(!domain.contains(CertStoreId::DEVELOPER)); - RUNNER_ASSERT(!domain.contains(CertStoreId::WAC_ROOT)); - RUNNER_ASSERT(!domain.contains(CertStoreId::WAC_MEMBER)); - RUNNER_ASSERT(!domain.contains(CertStoreId::TIZEN_MEMBER)); - RUNNER_ASSERT(!domain.contains(CertStoreId::ORANGE_LEGACY)); - RUNNER_ASSERT(!domain.contains(CertStoreId::VIS_PUBLIC)); - RUNNER_ASSERT(!domain.contains(CertStoreId::VIS_PARTNER)); - RUNNER_ASSERT(!domain.contains(CertStoreId::VIS_PARTNER_OPERATOR)); - RUNNER_ASSERT(!domain.contains(CertStoreId::VIS_PARTNER_MANUFACTURER)); + RUNNER_ASSERT_MSG(domain.getTypeString().empty(), "Domain should be empty."); } */ diff --git a/tests/vcore/TestEnv.cpp b/tests/vcore/TestEnv.cpp index 678c1f9..8249446 100644 --- a/tests/vcore/TestEnv.cpp +++ b/tests/vcore/TestEnv.cpp 
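Review bot: The replacement assertion calls `domain.getTypeString()`, but the accessor this commit adds to `CertStoreId::Set` is `typeToString()`, and no `getTypeString` appears in the visible changes. The test sits inside a `/* ... */` block so the file still builds, but it would stop compiling as soon as the test is re-enabled. `RUNNER_ASSERT_MSG(domain.isEmpty(), "Domain should be empty.");` uses the existing `Set::isEmpty()` and tests the stored bits directly. A string-based check is only as complete as the list of flags `typeToString()` prints, which matters because this one line replaces ten per-store `contains()` assertions.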
@@ -13,31 +13,20 @@ * See the License for the specific language governing permissions and * limitations under the License. */ -#include - #include "TestEnv.h" -#define WRTSIGNATURE_ERRORDESCRIBE(name) case ValidationCore::WrtSignatureValidator::name: return #name -const char *wrtValidatorErrorToString(int error) +#define SIGNATURE_ERRORDESCRIBE(name) case ValidationCore::SignatureValidator::name: return #name +const char *validatorErrorToString(ValidationCore::SignatureValidator::Result error) { switch (error) { - WRTSIGNATURE_ERRORDESCRIBE(SIGNATURE_VALID); - WRTSIGNATURE_ERRORDESCRIBE(SIGNATURE_INVALID); - WRTSIGNATURE_ERRORDESCRIBE(SIGNATURE_VERIFIED); - WRTSIGNATURE_ERRORDESCRIBE(SIGNATURE_DISREGARD); - WRTSIGNATURE_ERRORDESCRIBE(SIGNATURE_REVOKED); - WRTSIGNATURE_ERRORDESCRIBE(SIGNATURE_INVALID_CERT_CHAIN); - WRTSIGNATURE_ERRORDESCRIBE(SIGNATURE_INVALID_DISTRIBUTOR_CERT); - WRTSIGNATURE_ERRORDESCRIBE(SIGNATURE_INVALID_SDK_DEFAULT_AUTHOR_CERT); - WRTSIGNATURE_ERRORDESCRIBE(SIGNATURE_IN_DISTRIBUTOR_CASE_AUTHOR_CERT); - WRTSIGNATURE_ERRORDESCRIBE(SIGNATURE_INVALID_CERT_TIME); - WRTSIGNATURE_ERRORDESCRIBE(SIGNATURE_NO_DEVICE_PROFILE); - WRTSIGNATURE_ERRORDESCRIBE(SIGNATURE_INVALID_DEVICE_UNIQUE_ID); - WRTSIGNATURE_ERRORDESCRIBE(SIGNATURE_INVALID_NO_HASH_FILE); - WRTSIGNATURE_ERRORDESCRIBE(SIGNATURE_INVALID_HASH_SIGNATURE); + SIGNATURE_ERRORDESCRIBE(SIGNATURE_VALID); + SIGNATURE_ERRORDESCRIBE(SIGNATURE_INVALID); + SIGNATURE_ERRORDESCRIBE(SIGNATURE_VERIFIED); + SIGNATURE_ERRORDESCRIBE(SIGNATURE_DISREGARD); + SIGNATURE_ERRORDESCRIBE(SIGNATURE_REVOKED); default: return "Invalid error code."; } } -#undef WRTSIGNATURE_ERRORDESCRIBE +#undef SIGNATURE_ERRORDESCRIBE diff --git a/tests/vcore/TestEnv.h b/tests/vcore/TestEnv.h index 7cff828..60757f8 100644 --- a/tests/vcore/TestEnv.h +++ b/tests/vcore/TestEnv.h 
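Review bot: The `default:` label in `validatorErrorToString` stops the compiler from warning when `SignatureValidator::Result` gains a value that is missing from this switch, which it could now do since the parameter is the enum rather than `int`. Dropping `default:` and placing `return "Invalid error code.";` after the switch keeps the fallback while letting `-Wswitch` flag unhandled enumerators. Whether the five listed names cover the whole enum cannot be checked from this hunk.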
@@ -16,6 +16,8 @@ #ifndef _TESTENV_H_ #define _TESTENV_H_ -const char *wrtValidatorErrorToString(int error); +#include + +const char *validatorErrorToString(ValidationCore::SignatureValidator::Result error); #endif diff --git a/vcore/src/CMakeLists.txt b/vcore/src/CMakeLists.txt index dc40a5e..da69300 100644 --- a/vcore/src/CMakeLists.txt +++ b/vcore/src/CMakeLists.txt @@ -10,15 +10,11 @@ PKG_CHECK_MODULES(VCORE_DEPS openssl xmlsec1 dlog - icu-uc - libsoup-2.4 - db-util libsystemd-journal ) ADD_DEFINITIONS(${VCORE_DEPS_CFLAGS}) ADD_DEFINITIONS(${VCORE_DEPS_CFLAGS_OTHER}) -ADD_DEFINITIONS("-DSEPARATED_SINGLETON_IMPLEMENTATION") SET(VCORE_DIR ${PROJECT_SOURCE_DIR}/vcore @@ -53,16 +49,6 @@ SET(VCORE_DPL_CORE_SOURCES ${VCORE_DPL_CORE_SRC_DIR}/waitable_handle_watch_support.cpp ) -SET(VCORE_DPL_DB_SRC_DIR - ${VCORE_DPL_DIR}/db/src - ) -SET(VCORE_DPL_DB_SOURCES - ${VCORE_DPL_DB_SRC_DIR}/naive_synchronization_object.cpp - ${VCORE_DPL_DB_SRC_DIR}/orm.cpp - ${VCORE_DPL_DB_SRC_DIR}/sql_connection.cpp - ${VCORE_DPL_DB_SRC_DIR}/thread_database_support.cpp - ) - SET(VCORE_DPL_LOG_SRC_DIR ${VCORE_DPL_DIR}/log/src ) @@ -85,8 +71,6 @@ SET(VCORE_SOURCES ${VCORE_SRC_DIR}/CertificateConfigReader.cpp ${VCORE_SRC_DIR}/CertificateLoader.cpp ${VCORE_SRC_DIR}/CertStoreType.cpp - ${VCORE_SRC_DIR}/CryptoHash.cpp - ${VCORE_SRC_DIR}/OCSPCertMgrUtil.cpp ${VCORE_SRC_DIR}/ReferenceValidator.cpp ${VCORE_SRC_DIR}/RevocationCheckerBase.cpp ${VCORE_SRC_DIR}/SaxReader.cpp @@ -96,7 +80,6 @@ SET(VCORE_SOURCES ${VCORE_SRC_DIR}/TimeConversion.cpp ${VCORE_SRC_DIR}/VerificationStatus.cpp ${VCORE_SRC_DIR}/ValidatorFactories.cpp - ${VCORE_SRC_DIR}/WrtSignatureValidator.cpp ${VCORE_SRC_DIR}/SignatureValidator.cpp ${VCORE_SRC_DIR}/XmlsecAdapter.cpp ${VCORE_SRC_DIR}/pkcs12.cpp 
@@ -191,16 +174,8 @@ INSTALL(TARGETS ${TARGET_VCORE_LIB} ) INSTALL(FILES - ${VCORE_SRC_DIR}/WrtSignatureValidator.h ${VCORE_SRC_DIR}/SignatureValidator.h ${VCORE_SRC_DIR}/SignatureFinder.h - ${VCORE_SRC_DIR}/SignatureReader.h - ${VCORE_SRC_DIR}/CertificateCollection.h - ${VCORE_SRC_DIR}/CryptoHash.h - ${VCORE_SRC_DIR}/Base64.h - - ${VCORE_SRC_DIR}/ParserSchema.h - ${VCORE_SRC_DIR}/SaxReader.h ${VCORE_SRC_DIR}/Certificate.h ${VCORE_SRC_DIR}/SignatureData.h diff --git a/vcore/src/cert-svc/ccert.h b/vcore/src/cert-svc/ccert.h index 94df06b..0715651 100644 --- a/vcore/src/cert-svc/ccert.h +++ b/vcore/src/cert-svc/ccert.h @@ -218,6 +218,14 @@ int certsvc_certificate_list_get_length(CertSvcCertificateList handler, void certsvc_certificate_list_free(CertSvcCertificateList handler); /** + * This function will free list. It will free all certificates on the list. + * You should ""NOT"" free each certificate with certsvc_certificate_free. + * + * @param[in] handler Handler to search result. + */ +void certsvc_certificate_list_all_free(CertSvcCertificateList handler); + +/** * Compare parent certificate subject with child issuer field. * * @param[in] child diff --git a/vcore/src/cert-svc/cinstance.h b/vcore/src/cert-svc/cinstance.h index 93ee23d..4f1849d 100644 --- a/vcore/src/cert-svc/cinstance.h +++ b/vcore/src/cert-svc/cinstance.h @@ -34,8 +34,7 @@ typedef struct CertSvcInstance_t { /** * Allocate internal data of CertSvc library and put it in the CertSvcInstance structure. - * Initialize Openssl interanal structures, initialize all structures required by libsoup - * (libsoup is used by ocps and crl functions). + * Initialize Openssl interanal structures. * * @param[out] instance Pointer to CertSvcInstance. * @return CERTSVC_SUCCESS or CERTSVC_FAIL. diff --git a/vcore/src/vcore/CertStoreType.cpp b/vcore/src/vcore/CertStoreType.cpp index 91372a3..bced091 100644 --- a/vcore/src/vcore/CertStoreType.cpp +++ b/vcore/src/vcore/CertStoreType.cpp 
@@ -23,8 +23,6 @@ */ #include -#include - namespace ValidationCore { namespace CertStoreId { @@ -41,16 +39,57 @@ void Set::add(Type second) m_certificateStorage |= second; } - bool Set::contains(Type second) const { return static_cast(m_certificateStorage & second); } +bool Set::isContainsVis() const +{ + Type visType = VIS_PUBLIC; + visType |= VIS_PARTNER; + visType |= VIS_PARTNER_OPERATOR; + visType |= VIS_PARTNER_MANUFACTURER; + visType |= VIS_PLATFORM; + + visType &= m_certificateStorage; + + if (visType == 0) + return false; + + return true; +} + bool Set::isEmpty() const { return m_certificateStorage == 0; } +std::string Set::typeToString() const +{ + std::string ret; + + if (m_certificateStorage & TIZEN_DEVELOPER) + ret += "TIZEN_DEVELOPER "; + if (m_certificateStorage & TIZEN_TEST) + ret += "TIZEN_TEST "; + if (m_certificateStorage & TIZEN_VERIFY) + ret += "TIZEN_VERIFY "; + if (m_certificateStorage & TIZEN_STORE) + ret += "TIZEN_STORE "; + if (m_certificateStorage & VIS_PUBLIC) + ret += "VIS_PUBLIC "; + if (m_certificateStorage & VIS_PARTNER) + ret += "VIS_PARTNER "; + if (m_certificateStorage & VIS_PARTNER_OPERATOR) + ret += "VIS_PARTNER_OPERATOR "; + if (m_certificateStorage & VIS_PARTNER_MANUFACTURER) + ret += "VIS_PARTNER_MANUFACTURER "; + if (m_certificateStorage & VIS_PLATFORM) + ret += "VIS_PLATFORM "; + + return ret; +} + } // namespace CertStoreId } // namespace ValidationCore diff --git a/vcore/src/vcore/CertStoreType.h b/vcore/src/vcore/CertStoreType.h index cd2b796..4dec061 100644 --- a/vcore/src/vcore/CertStoreType.h +++ b/vcore/src/vcore/CertStoreType.h @@ -53,11 +53,12 @@ public: virtual ~Set(); void add(Type second); - - bool contains(Type second) const; + bool isContainsVis() const; bool isEmpty() const; + std::string typeToString() const; + private: Type m_certificateStorage; }; diff --git a/vcore/src/vcore/CertificateCollection.cpp b/vcore/src/vcore/CertificateCollection.cpp index 8fe8953..80df380 100644 
--- a/vcore/src/vcore/CertificateCollection.cpp +++ b/vcore/src/vcore/CertificateCollection.cpp @@ -19,14 +19,22 @@ * @version 0.1 * @brief */ -#include -#include +#include +#include + +#include + +#include +#include +#include + #include #include #include +#include -#include +#include namespace { 
@@ -39,6 +47,63 @@ inline std::string toBinaryString(int data) return std::string(buffer, sizeof(int)); } +CertificatePtr getCertFromStore(X509_NAME *subject) +{ + if (!subject) { + LogError("Invalid input!"); + return CertificatePtr(); + } + + CertSvcInstance instance; + if (certsvc_instance_new(&instance) != CERTSVC_SUCCESS) { + LogError("Failed to make instance"); + return CertificatePtr(); + } + + char buffer[1024]; + X509_NAME_oneline(subject, buffer, 1024); + + LogDebug("Search certificate with subject: " << buffer); + CertSvcCertificateList certList; + int result = certsvc_certificate_search(instance, CERTSVC_SUBJECT, buffer, &certList); + if (result != CERTSVC_SUCCESS) { + LogError("Error during certificate search. result : " << result); + certsvc_instance_free(instance); + return CertificatePtr(); + } + + size_t listSize = 0; + result = certsvc_certificate_list_get_length(certList, &listSize); + if (result != CERTSVC_SUCCESS || listSize <= 0) { + LogError("Error in certsvc_certificate_list_get_length. result : " << result); + certsvc_instance_free(instance); + return CertificatePtr(); + } + + CertSvcCertificate cert; + result = certsvc_certificate_list_get_one(certList, 0, &cert); + if (result != CERTSVC_SUCCESS) { + LogError("Failed to get cert from cert list. result : " << result); + certsvc_certificate_list_all_free(certList); + certsvc_instance_free(instance); + return CertificatePtr(); + } + + X509 *pCertX509 = NULL; + result = certsvc_certificate_dup_x509(cert, &pCertX509); + certsvc_certificate_list_all_free(certList); + certsvc_instance_free(instance); + + if (result != CERTSVC_SUCCESS || !pCertX509) { + LogError("Error during certificate dup x509. result : " << result); + return CertificatePtr(); + } + + CertificatePtr parentCert(new Certificate(pCertX509)); + X509_free(pCertX509); + + return parentCert; +} } // namespace namespace ValidationCore { 
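Review bot: `getCertFromStore` takes entry 0 of the subject search and never looks at `listSize` beyond the zero check, so when the store holds several certificates with the same subject string the issuer that gets returned is arbitrary. The deleted OCSPCertMgrUtil version at least logged that case, and `if (listSize > 1) LogWarning("More than one certificate with subject: " << buffer);` would keep it visible. The failure path after `certsvc_certificate_list_get_length` frees only the instance, while the later paths also call `certsvc_certificate_list_all_free(certList);`. Unless `certsvc_instance_free` is known to release the list, add that call there too. `X509_NAME_oneline(subject, buffer, 1024)` also truncates long names without notice and its return value is not checked, so the search may run on a shortened subject.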
@@ -146,6 +211,7 @@ CertificateList CertificateCollection::getChain() const if (COLLECTION_SORTED != m_collectionStatus) VcoreThrowMsg(CertificateCollection::Exception::WrongUsage, "You must sort certificates first"); + return m_certList; } @@ -208,6 +274,28 @@ void CertificateCollection::sortCollection() m_certList = sorted; } +/* + * Precondition : cert list sorted and has more than one cert + */ +bool CertificateCollection::completeCertificateChain() +{ + CertificatePtr last = m_certList.back(); + if (last->isSignedBy(last)) + return true; + + /* TODO Add getIssuerName function to Certificate.h */ + CertificatePtr parent = getCertFromStore(X509_get_issuer_name(last->getX509())); + + if (!parent.get()) + return false; + + m_certList.push_back(parent); + if (!parent->isSignedBy(parent)) + return false; + + return true; +} + size_t CertificateCollection::size() const { return m_certList.size(); } diff --git a/vcore/src/vcore/CertificateCollection.h b/vcore/src/vcore/CertificateCollection.h index 9b9a6c4..e47e3f6 100644 --- a/vcore/src/vcore/CertificateCollection.h +++ b/vcore/src/vcore/CertificateCollection.h @@ -105,6 +105,12 @@ public: bool sort(); /* + * Precondition : cert list sorted and has more than on cert. + * This function add root cert in cert list to complete cert chain + */ + bool completeCertificateChain(); + + /* * This function will return Certificate chain. * * First certificate on the list is EndEntity certificate. diff --git a/vcore/src/vcore/CertificateIdentifier.h b/vcore/src/vcore/CertificateIdentifier.h index bff231b..06ac498 100644 --- a/vcore/src/vcore/CertificateIdentifier.h +++ b/vcore/src/vcore/CertificateIdentifier.h @@ -59,8 +59,7 @@ public: CertStoreId::Set find(const CertificatePtr &certificate) const { - return - find(certificate->getFingerprint(Certificate::FINGERPRINT_SHA1)); + return find(certificate->getFingerprint(Certificate::FINGERPRINT_SHA1)); } private: 
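Review bot: In `completeCertificateChain` the certificate fetched from the store is appended after matching only the issuer name. The code checks `parent->isSignedBy(parent)` but never `last->isSignedBy(parent)`, so a self-signed store entry with the same subject completes the chain even if it did not sign `last`. Unless a later step, not visible in this hunk, verifies every link, the lookup result should be gated with `if (!parent.get() || !last->isSignedBy(parent)) return false;` before the `push_back`. The function also leaves `parent` in `m_certList` when it returns false for a non-self-signed parent. It relies on a comment-only precondition for `m_certList.back()`, where `if (m_certList.empty()) return false;` or the `COLLECTION_SORTED` check used by `getChain()` would enforce it.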
diff --git a/vcore/src/vcore/CryptoHash.cpp b/vcore/src/vcore/CryptoHash.cpp deleted file mode 100644 index 7ec4869..0000000 --- a/vcore/src/vcore/CryptoHash.cpp +++ /dev/null 
@@ -1,184 +0,0 @@ -/* - * Copyright (c) 2011 Samsung Electronics Co., Ltd All Rights Reserved - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -/* - * @file wrt_crypto_hash.cpp - * @author Przemyslaw Dobrowolski (p.dobrowolsk@samsung.com) - * @version 1.0 - * @brief This file is the implementation file of cryptographic hasing algorithms - */ -#include - -#include -#include -#include -#include - -#include - -namespace ValidationCore -{ -namespace Crypto -{ -namespace Hash -{ -namespace // anonymous -{ -const size_t HASH_DIGEST_STREAM_FEED_SIZE = 1024; -} // namespace anonymous - -Base::Base() - : m_hasFinal(false) -{ -} - -Base::~Base() -{ -} - -void Base::Append(const char *buffer) -{ - if (m_hasFinal) - VcoreThrowMsg(Crypto::Hash::OutOfSequence, - "Cannot append hash after final update!"); - - HashUpdate(buffer, strlen(buffer)); -} - -void Base::Append(const char *buffer, size_t bufferSize) -{ - if (m_hasFinal) - VcoreThrowMsg(Crypto::Hash::OutOfSequence, - "Cannot append hash after final update!"); - - HashUpdate(buffer, bufferSize); -} - -void Base::Append(const std::string &buffer) -{ - if (m_hasFinal) - VcoreThrowMsg(Crypto::Hash::OutOfSequence, - "Cannot append hash after final update!"); - - HashUpdate(buffer.c_str(), buffer.size()); -} - -void Base::Append(std::istream &stream) -{ - if (m_hasFinal) - VcoreThrowMsg(Crypto::Hash::OutOfSequence, - "Cannot append hash after final update!"); - - char buffer[HASH_DIGEST_STREAM_FEED_SIZE]; - - do - { - 
stream.read(buffer, HASH_DIGEST_STREAM_FEED_SIZE); - - if (stream.gcount() > 0) - Append(static_cast(buffer), static_cast(stream.gcount())); - - } while (stream.gcount() > 0); -} - -void Base::Append(const void *data, size_t dataSize) -{ - if (m_hasFinal) - VcoreThrowMsg(Crypto::Hash::OutOfSequence, - "Cannot append hash after final update!"); - - HashUpdate(data, dataSize); -} - -void Base::Finish() -{ - if (m_hasFinal) - return; - - // Finalize hashing algorithm - m_raw = HashFinal(); - - // Convert to base 64 string - Base64Encoder encoder; - encoder.reset(); - encoder.append(std::string(m_raw.begin(), m_raw.end())); - encoder.finalize(); - m_base64StringHash = encoder.get(); - - m_hasFinal = true; -} - -std::string Base::ToBase64String() const -{ - return m_base64StringHash; -} - -Raw Base::GetHash() const -{ - return m_raw; -} - -OpenSSL::OpenSSL(const EVP_MD *evpMd) - : m_finalized(false) -{ - EVP_MD_CTX_init(&m_context); - - if (EVP_DigestInit(&m_context, evpMd) != 1) - VcoreThrowMsg(Crypto::Hash::AppendFailed, - "EVP_DigestInit failed!"); -} - -OpenSSL::~OpenSSL() -{ - if (!m_finalized) - { - // Just clean context - EVP_MD_CTX_cleanup(&m_context); - m_finalized = true; - } -} - -void OpenSSL::HashUpdate(const void *data, size_t dataSize) -{ - if (m_finalized) - VcoreThrowMsg(Crypto::Hash::AppendFailed, - "OpenSSLHash hash already finalized!"); - - if (EVP_DigestUpdate(&m_context, data, dataSize) != 1) - VcoreThrowMsg(Crypto::Hash::AppendFailed, - "EVP_DigestUpdate failed!"); -} - -Hash::Raw OpenSSL::HashFinal() -{ - if (m_finalized) - VcoreThrowMsg(Crypto::Hash::AppendFailed, - "OpenSSLHash hash already finalized!"); - - unsigned char hash[EVP_MAX_MD_SIZE] = {}; - unsigned int hashLength; - - // Also cleans context - if (EVP_DigestFinal(&m_context, hash, &hashLength) != 1) - VcoreThrowMsg(Crypto::Hash::AppendFailed, - "EVP_DigestFinal failed!"); - - m_finalized = true; - return Raw(hash, hash + hashLength); -} - -} // namespace Hash -} // namespace Crypto 
-} // namespace ValidationCore diff --git a/vcore/src/vcore/CryptoHash.h b/vcore/src/vcore/CryptoHash.h deleted file mode 100644 index 5611daf..0000000 --- a/vcore/src/vcore/CryptoHash.h +++ /dev/null 
@@ -1,117 +0,0 @@ -/* - * Copyright (c) 2011 Samsung Electronics Co., Ltd All Rights Reserved - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -/* - * @file crypto_hash.h - * @author Przemyslaw Dobrowolski (p.dobrowolsk@samsung.com) - * @version 1.0 - * @brief This file is the implementation file of cryptographic hasing algorithms - */ -#ifndef _CRYPTO_HASH_H_ -#define _CRYPTO_HASH_H_ - -#include -#include -#include -#include - -#include - -namespace ValidationCore -{ -namespace Crypto -{ -namespace Hash -{ -typedef std::vector Raw; - -VCORE_DECLARE_EXCEPTION_TYPE(ValidationCore::Exception, OutOfSequence) -VCORE_DECLARE_EXCEPTION_TYPE(ValidationCore::Exception, AppendFailed) - -class Base -{ -private: - Raw m_raw; - std::string m_base64StringHash; - bool m_hasFinal; - -protected: - virtual void HashUpdate(const void *data, size_t dataSize) = 0; - virtual Raw HashFinal() = 0; - -public: - Base(); - virtual ~Base(); - - virtual void Append(const char *buffer); - virtual void Append(const char *buffer, size_t bufferSize); - virtual void Append(const std::string &buffer); - virtual void Append(std::istream &stream); - virtual void Append(const void *data, size_t dataSize); - - virtual void Finish(); - - virtual std::string ToBase64String() const; - virtual Raw GetHash() const; -}; - -/** - * OpenSSL hashing algorithm base - */ -class OpenSSL - : public Base -{ -private: - EVP_MD_CTX m_context; - bool m_finalized; - -protected: - virtual void 
HashUpdate(const void *data, size_t dataSize); - virtual Raw HashFinal(); - -public: - OpenSSL(const EVP_MD *evpMd); - virtual ~OpenSSL(); -}; - -#define DECLARE_OPENSSL_HASH_ALGORITHM(ClassName, EvpMd) \ - class ClassName \ - : public OpenSSL \ - { \ - public: \ - ClassName() : OpenSSL(EvpMd()) {} \ - virtual ~ClassName() {} \ - }; - -DECLARE_OPENSSL_HASH_ALGORITHM(MD2, EVP_md2) -DECLARE_OPENSSL_HASH_ALGORITHM(MD4, EVP_md4) -DECLARE_OPENSSL_HASH_ALGORITHM(MD5, EVP_md5) -DECLARE_OPENSSL_HASH_ALGORITHM(SHA, EVP_sha) -DECLARE_OPENSSL_HASH_ALGORITHM(SHA1, EVP_sha1) -DECLARE_OPENSSL_HASH_ALGORITHM(DSS, EVP_dss) -DECLARE_OPENSSL_HASH_ALGORITHM(DSS1, EVP_dss1) -DECLARE_OPENSSL_HASH_ALGORITHM(ECDSA, EVP_ecdsa) -DECLARE_OPENSSL_HASH_ALGORITHM(SHA224, EVP_sha224) -DECLARE_OPENSSL_HASH_ALGORITHM(SHA256, EVP_sha256) -DECLARE_OPENSSL_HASH_ALGORITHM(SHA384, EVP_sha384) -DECLARE_OPENSSL_HASH_ALGORITHM(SHA512, EVP_sha512) - -#undef DECLARE_OPENSSL_HASH_ALGORITHM - -} // namespace Hash -} // namespace Crypto -} // namespace ValidationCore - -#endif // DPL_CRYPTO_HASH_H diff --git a/vcore/src/vcore/OCSPCertMgrUtil.cpp b/vcore/src/vcore/OCSPCertMgrUtil.cpp deleted file mode 100644 index aa10925..0000000 --- a/vcore/src/vcore/OCSPCertMgrUtil.cpp +++ /dev/null 
@@ -1,178 +0,0 @@ -/* - * Copyright (c) 2011 Samsung Electronics Co., Ltd All Rights Reserved - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -/* - * @author Michal Ciepielski(m.ciepielski@samsung.com) - * @version 0.3 - * @brief - */ - -#include -#include - -#include -#include -#include -#include -#include -#include -#include -#include - -#include - -namespace { -const int MAX_BUF = 1024; - -struct ContextDeleter -{ - typedef CERT_CONTEXT* Type; - static Type NullValue() - { - return NULL; - } - static void Destroy(Type context) - { - if (context) { - cert_svc_cert_context_final(context); - } - } -}; -} - -namespace ValidationCore { -namespace OCSPCertMgrUtil { -/* - * TODO This API function should be changed to: - * CertifiatePtr getCertFromStore(const std::string &subject); - * - * All of cert_svc function could return error because input - * data are corruped. That's why I dont want to throw exceptions - * in this function. 
- */ -void getCertFromStore(X509_NAME *subject, - X509 **xcert) -{ - if (!xcert || *xcert || !subject) { - LogError("Invalid input!"); - return; - } - - typedef VcoreDPL::ScopedResource ScopedContext; - - int result; - char buffer[MAX_BUF]; - const unsigned char* ptr = NULL; - X509 *pCertificate = NULL; - cert_svc_filename_list *fileList = NULL; - - X509_NAME_oneline(subject, buffer, MAX_BUF); - - ScopedContext ctx(cert_svc_cert_context_init()); - if (ctx.Get() == NULL) { - LogWarning("Error in cert_svc_cert_context_init."); - return; - } - - LogDebug("Search certificate with subject: " << buffer); - result = cert_svc_search_certificate(ctx.Get(), SUBJECT_STR, buffer); - LogDebug("Search finished!"); - - if (CERT_SVC_ERR_NO_ERROR != result) { - LogWarning("Error during certificate search"); - return; - } - - fileList = ctx.Get()->fileNames; - - if (fileList == NULL) { - LogDebug("No certificate found"); - return; - } - - if (fileList->filename == NULL) { - LogWarning("Empty filename"); - return; - } - - LogDebug("Found cert file: " << fileList->filename); - ScopedContext ctx2(cert_svc_cert_context_init()); - - if (ctx2.Get() == NULL) { - LogWarning("Error in cert_svc_cert_context_init."); - return; - } - - // TODO add read_certifcate_from_file function to Certificate.h - if (CERT_SVC_ERR_NO_ERROR != - cert_svc_load_file_to_context(ctx2.Get(), fileList->filename)) { - LogWarning("Error in cert_svc_load_file_to_context"); - return; - } - - ptr = ctx2.Get()->certBuf->data; - // create a certificate from mem buff - pCertificate = d2i_X509(NULL, &ptr, ctx2.Get()->certBuf->size); - - if (pCertificate == NULL) { - LogWarning("Error during certificate conversion in d2i_X509"); - return; - } - - *xcert = pCertificate; - if (fileList->next != NULL) { - LogError("There is more then one certificate with same subject :/"); - // TODO Implement me. 
- for (fileList = fileList->next; - fileList != NULL; - fileList = fileList->next) { - LogError("Additional certificate with same subject: " << fileList->filename); - } - } -} - -CertificatePtr getParentFromStore(const CertificatePtr &certificate) -{ - Assert(certificate.get()); - X509* rawPtr = certificate->getX509(); - - /* TODO Add getIssuerName function to Certificate.h */ - X509_NAME *name = X509_get_issuer_name(rawPtr); - - X509* rawTemp = NULL; - getCertFromStore(name, &rawTemp); - - if (rawTemp == NULL) { - return CertificatePtr(); - } - SSLSmartContainer scope(rawTemp); - return CertificatePtr(new Certificate(rawTemp)); -} - -CertificateList completeCertificateChain(const CertificateList &certificateList) -{ - CertificateList result = certificateList; - CertificatePtr last = result.back(); - if (last->isSignedBy(last)) { - return result; - } - CertificatePtr parent = getParentFromStore(last); - if (parent.get()) { - result.push_back(parent); - } - return result; -} -} // namespace OCSPCertMgrUtil -} // namespace ValidationCore diff --git a/vcore/src/vcore/OCSPCertMgrUtil.h b/vcore/src/vcore/OCSPCertMgrUtil.h deleted file mode 100644 index 5c0e2eb..0000000 --- a/vcore/src/vcore/OCSPCertMgrUtil.h +++ /dev/null 
@@ -1,41 +0,0 @@ -/* - * Copyright (c) 2011 Samsung Electronics Co., Ltd All Rights Reserved - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -/* - * @author Tomasz Morawski(t.morawski@samsung.com) - * @author Michal Ciepielski(m.ciepielski@samsung.com) - * @version 0.2 - * @brief - */ - -#ifndef _OCSP_CERT_MGR_UTIL_H_ -#define _OCSP_CERT_MGR_UTIL_H_ - -#include - -namespace ValidationCore { -namespace OCSPCertMgrUtil { -void getCertFromStore(X509_NAME *subject, - X509 **xcert); -CertificatePtr getParentFromStore(const CertificatePtr &certificate); -/* - * Look for "parent" certificate from store. - * It returns new certificate chain. - */ -CertificateList completeCertificateChain(const CertificateList &certList); -} // namespace OCSPCertMgrUtil -} // namespace ValidationCore -#endif - diff --git a/vcore/src/vcore/SignatureData.cpp b/vcore/src/vcore/SignatureData.cpp index a8a84fa..d90ff43 100644 --- a/vcore/src/vcore/SignatureData.cpp +++ b/vcore/src/vcore/SignatureData.cpp @@ -109,6 +109,11 @@ const CertStoreId::Set& SignatureData::getStorageType() const CertStoreId::Type SignatureData::getVisibilityLevel() const { + if (!m_storeIdSet.isContainsVis()) { + LogWarning("Visibility level was broken."); + return 0; + } + if (m_storeIdSet.contains(CertStoreId::VIS_PLATFORM)) return CertStoreId::VIS_PLATFORM; else if (m_storeIdSet.contains(CertStoreId::VIS_PARTNER_MANUFACTURER)) 
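Review bot: The new early return in `SignatureData::getVisibilityLevel()` hands back a bare `0` as a `CertStoreId::Type`, so a caller that only compares the result against the `VIS_*` constants cannot tell "no visibility bit set" from a real level unless it knows 0 is reserved. Whether 0 collides with a defined store id is not visible in this hunk, so I would return a named constant or at least add `/* 0: no VIS_* bit set, caller must treat this as a failure */` above `return 0;`. The function body continues past this hunk; the end of the else-if chain is changed in the following hunk.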
@@ -117,12 +122,8 @@ CertStoreId::Type SignatureData::getVisibilityLevel() const return CertStoreId::VIS_PLATFORM; else if (m_storeIdSet.contains(CertStoreId::VIS_PARTNER)) return CertStoreId::VIS_PARTNER; - else if (m_storeIdSet.contains(CertStoreId::VIS_PUBLIC)) + else return CertStoreId::VIS_PUBLIC; - else { - LogWarning("Visibility level was broken."); - return 0; - } } const SignatureData::IMEIList& SignatureData::getIMEIList() const diff --git a/vcore/src/vcore/SignatureFinder.cpp b/vcore/src/vcore/SignatureFinder.cpp index 0c9e60f..fd2db17 100644 --- a/vcore/src/vcore/SignatureFinder.cpp +++ b/vcore/src/vcore/SignatureFinder.cpp @@ -29,6 +29,9 @@ #include +namespace { + +} namespace ValidationCore { static const char *SIGNATURE_AUTHOR = "author-signature.xml"; 
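Review bot: The final branch now returns `CertStoreId::VIS_PUBLIC` for every set that reaches it, which is only right if the `isContainsVis()` guard added at the top of `getVisibilityLevel()` is true exactly when one of the `VIS_*` bits tested in this chain is set. `isContainsVis()` is not part of the visible diff, so the coupling deserves a comment on the `else`, for example `/* isContainsVis() checked above; any remaining VIS_* bit maps to the lowest level */`. If a visibility bit is later added to `isContainsVis()` but not to this chain it will silently be reported as public, which is the safe direction only as long as public is the least privileged level. The function starts outside this hunk.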
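Review bot: The `namespace { }` added before `namespace ValidationCore` is empty and declares nothing, so it is dead text in the new file. I would drop the three added lines, or move the file-local `static const char *SIGNATURE_AUTHOR` into it if the intent was to replace `static` with an anonymous namespace for internal linkage.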
@@ -47,33 +50,46 @@ public: Result find(SignatureFileInfoSet &set); private: + std::string getFullPath(const std::string &file); + std::string m_dir; pcrecpp::RE m_signatureRegexp; }; +std::string SignatureFinder::Impl::getFullPath(const std::string &file) +{ + std::string fullPath = m_dir; + + if (fullPath.back() != '/') + fullPath += "/"; + + fullPath += file; + + return fullPath; +} + SignatureFinder::Result SignatureFinder::Impl::find(SignatureFileInfoSet &set) { DIR *dp; struct dirent *dirp; - /* - * find a dir - */ if ((dp = opendir(m_dir.c_str())) == NULL) { LogError("Error opening directory: " << m_dir); return ERROR_OPENING_DIR; } for (errno = 0; (dirp = readdir(dp)) != NULL; errno = 0) { - /** - * check if it's author signature - */ + /* number for author signature is -1 */ if (!strcmp(dirp->d_name, SIGNATURE_AUTHOR)) { - set.insert(SignatureFileInfo(std::string(dirp->d_name), -1)); + std::string fullPath = getFullPath(std::string(dirp->d_name)); + LogDebug("Found author signature file full path : " << fullPath); + set.insert(SignatureFileInfo(fullPath, -1)); continue; } - std::string sig, num, xml; + std::string sig; + std::string num; + std::string xml; /* just for cutting out .xml */ if (m_signatureRegexp.FullMatch(dirp->d_name, &sig, &num, &xml)) { std::istringstream stream(num); int number; @@ -84,7 +100,9 @@ SignatureFinder::Result SignatureFinder::Impl::find(SignatureFileInfoSet &set) return ERROR_ISTREAM; } - set.insert(SignatureFileInfo(std::string(dirp->d_name), number)); + std::string fullPath = getFullPath(std::string(dirp->d_name)); + LogDebug("Found signature file full path : " << fullPath); + set.insert(SignatureFileInfo(fullPath, number)); } } diff --git a/vcore/src/vcore/SignatureValidator.cpp b/vcore/src/vcore/SignatureValidator.cpp index 349b905..52f04b5 100644 --- a/vcore/src/vcore/SignatureValidator.cpp +++ b/vcore/src/vcore/SignatureValidator.cpp 
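Review bot: `SignatureFinder::Impl::getFullPath()` calls `fullPath.back()` without checking that `m_dir` is non-empty, which is undefined behaviour on an empty string; `find()` only reaches it after `opendir(m_dir.c_str())` has succeeded, but the helper itself should guard with `if (!fullPath.empty() && fullPath.back() != '/')`. The result is also just `m_dir` plus the entry name, so it is absolute only when the caller passed an absolute directory, while the comment on `prepareToCheck()` in SignatureValidator.cpp says the path made by SignatureFinder should be absolute; either document that requirement where `m_dir` is set or resolve the directory once (for example with `realpath`) before storing it. The same `getFullPath()` call is used for the distributor signature in the `@@ -84,7 +100,9 @@` hunk. `find()` continues outside both hunks.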
@@ -19,935 +19,391 @@ * @version 1.0 * @brief Implementatin of tizen signature validation protocol. */ + #include #include #include -#include #include #include #include +#include +#include #include namespace { -const time_t TIMET_DAY = 60 * 60 * 24; const std::string TOKEN_ROLE_AUTHOR_URI = - "http://www.w3.org/ns/widgets-digsig#role-author"; + "http://www.w3.org/ns/widgets-digsig#role-author"; const std::string TOKEN_ROLE_DISTRIBUTOR_URI = - "http://www.w3.org/ns/widgets-digsig#role-distributor"; + "http://www.w3.org/ns/widgets-digsig#role-distributor"; const std::string TOKEN_PROFILE_URI = - "http://www.w3.org/ns/widgets-digsig#profile"; - -} // namespace anonymouse + "http://www.w3.org/ns/widgets-digsig#profile"; - -static tm _ASN1_GetTimeT(ASN1_TIME* time) +static tm _ASN1_GetTimeT(ASN1_TIME *time) { - struct tm t; - const char* str = (const char*) time->data; - size_t i = 0; - - memset(&t, 0, sizeof(t)); - - if (time->type == V_ASN1_UTCTIME) /* two digit year */ - { - t.tm_year = (str[i] - '0') * 10 + (str[i+1] - '0'); - i += 2; - if (t.tm_year < 70) - t.tm_year += 100; - } - else if (time->type == V_ASN1_GENERALIZEDTIME) /* four digit year */ - { - t.tm_year = - (str[i] - '0') * 1000 - + (str[i+1] - '0') * 100 - + (str[i+2] - '0') * 10 - + (str[i+3] - '0'); - i += 4; - t.tm_year -= 1900; - } - t.tm_mon = ((str[i] - '0') * 10 + (str[i+1] - '0')) - 1; // -1 since January is 0 not 1. 
- t.tm_mday = (str[i+2] - '0') * 10 + (str[i+3] - '0'); - t.tm_hour = (str[i+4] - '0') * 10 + (str[i+5] - '0'); - t.tm_min = (str[i+6] - '0') * 10 + (str[i+7] - '0'); - t.tm_sec = (str[i+8] - '0') * 10 + (str[i+9] - '0'); - - /* Note: we did not adjust the time based on time zone information */ - return t; -} + struct tm t; + const char* str = (const char *)time->data; + size_t i = 0; + + memset(&t, 0, sizeof(t)); + + if (time->type == V_ASN1_UTCTIME) { + /* two digit year */ + t.tm_year = (str[i] - '0') * 10 + (str[i + 1] - '0'); + i += 2; + if (t.tm_year < 70) + t.tm_year += 100; + } else if (time->type == V_ASN1_GENERALIZEDTIME) { + /* four digit year */ + t.tm_year = + (str[i] - '0') * 1000 + + (str[i + 1] - '0') * 100 + + (str[i + 2] - '0') * 10 + + (str[i + 3] - '0'); + i += 4; + t.tm_year -= 1900; + } + t.tm_mon = (str[i] - '0') * 10 + (str[i + 1] - '0') - 1; // -1 since January is 0 not 1. + t.tm_mday = (str[i + 2] - '0') * 10 + (str[i + 3] - '0'); + t.tm_hour = (str[i + 4] - '0') * 10 + (str[i + 5] - '0'); + t.tm_min = (str[i + 6] - '0') * 10 + (str[i + 7] - '0'); + t.tm_sec = (str[i + 8] - '0') * 10 + (str[i + 9] - '0'); -namespace ValidationCore { + /* Note: we did not adjust the time based on time zone information */ + return t; +} -class SignatureValidator::ImplSignatureValidator { -public: - virtual SignatureValidator::Result check( - SignatureData &data, - const std::string &widgetContentPath) = 0; - - virtual SignatureValidator::Result checkList( - SignatureData &data, - const std::string &widgetContentPath, - const std::list& uriList) = 0; - - explicit ImplSignatureValidator(bool ocspEnable, - bool crlEnable, - bool complianceMode) - : m_complianceModeEnabled(complianceMode) - { - (void) ocspEnable; - (void) crlEnable; - } - - virtual ~ImplSignatureValidator(){ } - - bool checkRoleURI(const SignatureData &data) { - std::string roleURI = data.getRoleURI(); - - if (roleURI.empty()) { - LogWarning("URI attribute in Role tag couldn't be empty."); - 
return false; - } - - if (roleURI != TOKEN_ROLE_AUTHOR_URI && data.isAuthorSignature()) { - LogWarning("URI attribute in Role tag does not " - "match with signature filename."); - return false; - } - - if (roleURI != TOKEN_ROLE_DISTRIBUTOR_URI && !data.isAuthorSignature()) { - LogWarning("URI attribute in Role tag does not " - "match with signature filename."); - return false; - } - return true; - } - - bool checkProfileURI(const SignatureData &data) { - if (TOKEN_PROFILE_URI != data.getProfileURI()) { - LogWarning( - "Profile tag contains unsupported value in URI attribute " << data.getProfileURI()); - return false; - } - return true; - } - - bool checkObjectReferences(const SignatureData &data) { - ObjectList objectList = data.getObjectList(); - ObjectList::const_iterator iter; - for (iter = objectList.begin(); iter != objectList.end(); ++iter) { - if (!data.containObjectReference(*iter)) { - LogWarning("Signature does not contain reference for object " << *iter); - return false; - } - } - return true; - } -protected: - bool m_complianceModeEnabled; -}; - -class ImplTizenSignatureValidator : public SignatureValidator::ImplSignatureValidator -{ - public: - SignatureValidator::Result check(SignatureData &data, - const std::string &widgetContentPath); - - SignatureValidator::Result checkList(SignatureData &data, - const std::string &widgetContentPath, - const std::list& uriList); - explicit ImplTizenSignatureValidator(bool ocspEnable, - bool crlEnable, - bool complianceMode) - : ImplSignatureValidator(ocspEnable, crlEnable, complianceMode) - {} - - virtual ~ImplTizenSignatureValidator() {} -}; - -SignatureValidator::Result ImplTizenSignatureValidator::check( - SignatureData &data, - const std::string &widgetContentPath) +static bool checkRoleURI(const ValidationCore::SignatureData &data) { - bool disregard = false; - - if (!checkRoleURI(data)) { - return SignatureValidator::SIGNATURE_INVALID; - } - - if (!checkProfileURI(data)) { - return 
SignatureValidator::SIGNATURE_INVALID; - } - - // CertificateList sortedCertificateList = data.getCertList(); - - CertificateCollection collection; - collection.load(data.getCertList()); - - // First step - sort certificate - if (!collection.sort()) { - LogWarning("Certificates do not form valid chain."); - return SignatureValidator::SIGNATURE_INVALID_CERT_CHAIN;//SIGNATURE_INVALID; - } - - // Check for error - if (collection.empty()) { - LogWarning("Certificate list in signature is empty."); - return SignatureValidator::SIGNATURE_INVALID_CERT_CHAIN;//SIGNATURE_INVALID; - } - - CertificateList sortedCertificateList = collection.getChain(); - - // TODO move it to CertificateCollection - // Add root CA and CA certificates (if chain is incomplete) - sortedCertificateList = - OCSPCertMgrUtil::completeCertificateChain(sortedCertificateList); - - CertificatePtr root = sortedCertificateList.back(); - - // Is Root CA certificate trusted? - CertStoreId::Set storeIdSet = createCertificateIdentifier().find(root); - - LogDebug("Is root certificate from TIZEN_DEVELOPER domain : " << storeIdSet.contains(CertStoreId::TIZEN_DEVELOPER)); - LogDebug("Is root certificate from TIZEN_TEST domain : " << storeIdSet.contains(CertStoreId::TIZEN_TEST)); - LogDebug("Is root certificate from TIZEN_VERIFY domain : " << storeIdSet.contains(CertStoreId::TIZEN_VERIFY)); - LogDebug("Is root certificate from TIZEN_STORE domain : " << storeIdSet.contains(CertStoreId::TIZEN_STORE)); - LogDebug("Is root certificate from TIZEN_PUBLIC domain : " << storeIdSet.contains(CertStoreId::VIS_PUBLIC)); - LogDebug("Is root certificate from TIZEN_PARTNER domain : " << storeIdSet.contains(CertStoreId::VIS_PARTNER)); - LogDebug("Is root certificate from TIZEN_PLATFORM domain : " << storeIdSet.contains(CertStoreId::VIS_PLATFORM)); - - LogDebug("Visibility level is public : " << storeIdSet.contains(CertStoreId::VIS_PUBLIC)); - LogDebug("Visibility level is partner : " << 
storeIdSet.contains(CertStoreId::VIS_PARTNER)); - LogDebug("Visibility level is platform : " << storeIdSet.contains(CertStoreId::VIS_PLATFORM)); - - if (data.isAuthorSignature()) - { - if (!storeIdSet.contains(CertStoreId::TIZEN_DEVELOPER)) - { - LogWarning("author-signature.xml has got unrecognized Root CA " - "certificate. Signature will be disregarded."); - disregard = true; - } - } - else - { - LogDebug("signaturefile name = " << data.getSignatureFileName()); - if (storeIdSet.contains(CertStoreId::TIZEN_DEVELOPER)) - { - LogError("distributor has author level siganture! Signature will be disregarded."); - return SignatureValidator::SIGNATURE_IN_DISTRIBUTOR_CASE_AUTHOR_CERT;//SIGNATURE_INVALID; - } - + std::string roleURI = data.getRoleURI(); - if (data.getSignatureNumber() == 1) - { - if (storeIdSet.contains(CertStoreId::VIS_PUBLIC) || storeIdSet.contains(CertStoreId::VIS_PARTNER) || storeIdSet.contains(CertStoreId::VIS_PLATFORM)) - { - LogDebug("Root CA for signature1.xml is correct."); - } - else - { - LogWarning("signature1.xml has got unrecognized Root CA " - "certificate. Signature will be disregarded."); - disregard = true; - } - } - } - - data.setStorageType(storeIdSet); - data.setSortedCertificateList(sortedCertificateList); - - // We add only Root CA certificate because WAC ensure that the rest - // of certificates are present in signature files ;-) - XmlSec::XmlSecContext context; - context.signatureFile = data.getSignatureFileName(); - context.certificatePtr = root; - - // Now we should have full certificate chain. - // If the end certificate is not ROOT CA we should disregard signature - // but still signature must be valid... Aaaaaa it's so stupid... - if (!(root->isSignedBy(root))) { - LogWarning("Root CA certificate not found. 
Chain is incomplete."); - // context.allowBrokenChain = true; - } - - time_t nowTime = time(NULL); - -#define CHECK_TIME -#ifdef CHECK_TIME - - ASN1_TIME* notAfterTime = data.getEndEntityCertificatePtr()->getNotAfterTime(); - ASN1_TIME* notBeforeTime = data.getEndEntityCertificatePtr()->getNotBeforeTime(); - - if (X509_cmp_time(notBeforeTime, &nowTime) > 0 || X509_cmp_time(notAfterTime, &nowTime) < 0) - { - struct tm *t; - struct tm ta, tb, tc; - char msg[1024]; - - t = localtime(&nowTime); - if (!t) - return SignatureValidator::SIGNATURE_INVALID_CERT_TIME; - - memset(&tc, 0, sizeof(tc)); - - snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", t->tm_year + 1900, t->tm_mon + 1,t->tm_mday ); - LogDebug("## System's currentTime : " << msg); - fprintf(stderr, "## System's currentTime : %s\n", msg); - - tb = _ASN1_GetTimeT(notBeforeTime); - snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", tb.tm_year + 1900, tb.tm_mon + 1,tb.tm_mday ); - LogDebug("## certificate's notBeforeTime : " << msg); - fprintf(stderr, "## certificate's notBeforeTime : %s\n", msg); - - ta = _ASN1_GetTimeT(notAfterTime); - snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", ta.tm_year + 1900, ta.tm_mon + 1,ta.tm_mday ); - LogDebug("## certificate's notAfterTime : " << msg); - fprintf(stderr, "## certificate's notAfterTime : %s\n", msg); - - if (storeIdSet.contains(CertStoreId::TIZEN_TEST) || storeIdSet.contains(CertStoreId::TIZEN_VERIFY)) - { - LogDebug("## TIZEN_VERIFY : check certificate Time : FALSE"); - fprintf(stderr, "## TIZEN_VERIFY : check certificate Time : FALSE\n"); - return SignatureValidator::SIGNATURE_INVALID_CERT_TIME;//SIGNATURE_INVALID; - } - - int year = (ta.tm_year - tb.tm_year) / 4; - - if(year == 0) - { - tc.tm_year = tb.tm_year; - tc.tm_mon = tb.tm_mon + 1; - tc.tm_mday = tb.tm_mday; - - if(tc.tm_mon == 12) - { - tc.tm_year = ta.tm_year; - tc.tm_mon = ta.tm_mon - 1; - tc.tm_mday = ta.tm_mday; - - if(tc.tm_mon < 0) - { - tc.tm_year = ta.tm_year; - 
tc.tm_mon = ta.tm_mon; - tc.tm_mday = ta.tm_mday -1; - - if(tc.tm_mday == 0) - { - tc.tm_year = tb.tm_year; - tc.tm_mon = tb.tm_mon; - tc.tm_mday = tb.tm_mday +1; - } - } - } - } - else{ - tc.tm_year = tb.tm_year + year; - tc.tm_mon = (tb.tm_mon + ta.tm_mon )/2; - tc.tm_mday = (tb.tm_mday + ta.tm_mday)/2; - } - - snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", tc.tm_year + 1900, tc.tm_mon + 1,tc.tm_mday ); - LogDebug("## cmp cert with validation time : " << msg); - fprintf(stderr, "## cmp cert with validation time : %s\n", msg); - - time_t outCurrent = mktime(&tc); - context.validationTime = outCurrent; - fprintf(stderr, "## cmp outCurrent time : %ld\n", outCurrent); - //return SignatureValidator::SIGNATURE_INVALID; - } - -#endif - // WAC 2.0 SP-2066 The wrt must not block widget installation - // due to expiration of the author certificate. -#if 0 - time_t notAfter = data.getEndEntityCertificatePtr()->getNotAfter(); - time_t notBefore = data.getEndEntityCertificatePtr()->getNotBefore(); - - struct tm *t; - - if (data.isAuthorSignature()) - { - // time_t 2038 year bug exist. So, notAtter() cann't check... - /* - if (notAfter < nowTime) - { - context.validationTime = notAfter - TIMET_DAY; - LogWarning("Author certificate is expired. notAfter..."); - } - */ - - if (notBefore > nowTime) - { - LogWarning("Author certificate is expired. 
notBefore time is greater than system-time."); - - t = localtime(&nowTime); - - t = localtime(¬Before); - - context.validationTime = notBefore + TIMET_DAY; - - t = localtime(&context.validationTime); - } - } -#endif - // WAC 2.0 SP-2066 The wrt must not block widget installation - //context.allowBrokenChain = true; - - // end - - if (!data.isAuthorSignature()) - { - if (XmlSec::NO_ERROR != XmlSecSingleton::Instance().validate(&context)) { - LogWarning("Installation break - invalid package!"); - return SignatureValidator::SIGNATURE_INVALID_HASH_SIGNATURE;//SIGNATURE_INVALID; - } - - data.setReference(context.referenceSet); - if (!checkObjectReferences(data)) { - LogWarning("Failed to check Object References"); - return SignatureValidator::SIGNATURE_INVALID_HASH_SIGNATURE;//SIGNATURE_INVALID; - } + if (roleURI.empty()) { + LogWarning("URI attribute in Role tag couldn't be empty."); + return false; + } - (void) widgetContentPath; - /* - ReferenceValidator fileValidator(widgetContentPath); - if (ReferenceValidator::NO_ERROR != fileValidator.checkReferences(data)) { - LogWarning("Invalid package - file references broken"); - return SignatureValidator::SIGNATURE_INVALID_NO_HASH_FILE;//SIGNATURE_INVALID; - } - */ + if (roleURI != TOKEN_ROLE_AUTHOR_URI && data.isAuthorSignature()) { + LogWarning("URI attribute in Role tag does not " + "match with signature filename."); + return false; } - if (disregard) { - LogWarning("Signature is disregard. 
RootCA is not a member of Tizen"); - return SignatureValidator::SIGNATURE_INVALID_DISTRIBUTOR_CERT;//SIGNATURE_DISREGARD; - } - return SignatureValidator::SIGNATURE_VERIFIED; + if (roleURI != TOKEN_ROLE_DISTRIBUTOR_URI && !data.isAuthorSignature()) { + LogWarning("URI attribute in Role tag does not " + "match with signature filename."); + return false; + } + return true; } -SignatureValidator::Result ImplTizenSignatureValidator::checkList(SignatureData &data, - const std::string &widgetContentPath, - const std::list& uriList) +static bool checkProfileURI(const ValidationCore::SignatureData &data) { - if(uriList.size() == 0 ) - LogWarning("checkList >> no hash"); - - bool disregard = false; - - if (!checkRoleURI(data)) { - return SignatureValidator::SIGNATURE_INVALID; - } - - if (!checkProfileURI(data)) { - return SignatureValidator::SIGNATURE_INVALID; - } - - // CertificateList sortedCertificateList = data.getCertList(); - - CertificateCollection collection; - collection.load(data.getCertList()); - - // First step - sort certificate - if (!collection.sort()) { - LogWarning("Certificates do not form valid chain."); - return SignatureValidator::SIGNATURE_INVALID; - } - - // Check for error - if (collection.empty()) { - LogWarning("Certificate list in signature is empty."); - return SignatureValidator::SIGNATURE_INVALID; - } - - CertificateList sortedCertificateList = collection.getChain(); - - // TODO move it to CertificateCollection - // Add root CA and CA certificates (if chain is incomplete) - sortedCertificateList = - OCSPCertMgrUtil::completeCertificateChain(sortedCertificateList); - - CertificatePtr root = sortedCertificateList.back(); - - // Is Root CA certificate trusted? 
- CertStoreId::Set storeIdSet = createCertificateIdentifier().find(root); - - LogDebug("Is root certificate from TIZEN_DEVELOPER domain : " << storeIdSet.contains(CertStoreId::TIZEN_DEVELOPER)); - LogDebug("Is root certificate from TIZEN_TEST domain : " << storeIdSet.contains(CertStoreId::TIZEN_TEST)); - LogDebug("Is root certificate from TIZEN_VERIFY domain : " << storeIdSet.contains(CertStoreId::TIZEN_VERIFY)); - LogDebug("Is root certificate from TIZEN_PUBLIC domain : " << storeIdSet.contains(CertStoreId::VIS_PUBLIC)); - LogDebug("Is root certificate from TIZEN_PARTNER domain : " << storeIdSet.contains(CertStoreId::VIS_PARTNER)); - LogDebug("Is root certificate from TIZEN_PLATFORM domain : " << storeIdSet.contains(CertStoreId::VIS_PLATFORM)); - - LogDebug("Visibility level is public : " << storeIdSet.contains(CertStoreId::VIS_PUBLIC)); - LogDebug("Visibility level is partner : " << storeIdSet.contains(CertStoreId::VIS_PARTNER)); - LogDebug("Visibility level is platform : " << storeIdSet.contains(CertStoreId::VIS_PLATFORM)); - - if (data.isAuthorSignature()) - { - if (!storeIdSet.contains(CertStoreId::TIZEN_DEVELOPER)) - { - LogWarning("author-signature.xml has got unrecognized Root CA " - "certificate. Signature will be disregarded."); - disregard = true; - } - LogDebug("Root CA for author signature is correct."); - } - else - { - LogDebug("signaturefile name = " << data.getSignatureFileName()); - - if (data.getSignatureNumber() == 1) - { - if (storeIdSet.contains(CertStoreId::VIS_PUBLIC) || storeIdSet.contains(CertStoreId::VIS_PARTNER) || storeIdSet.contains(CertStoreId::VIS_PLATFORM)) - { - LogDebug("Root CA for signature1.xml is correct."); - } - else - { - LogWarning("signature1.xml has got unrecognized Root CA " - "certificate. 
Signature will be disregarded."); - disregard = true; - } - } - } - - data.setStorageType(storeIdSet); - data.setSortedCertificateList(sortedCertificateList); - - // We add only Root CA certificate because WAC ensure that the rest - // of certificates are present in signature files ;-) - XmlSec::XmlSecContext context; - context.signatureFile = data.getSignatureFileName(); - context.certificatePtr = root; - - // Now we should have full certificate chain. - // If the end certificate is not ROOT CA we should disregard signature - // but still signature must be valid... Aaaaaa it's so stupid... - if (!(root->isSignedBy(root))) { - LogWarning("Root CA certificate not found. Chain is incomplete."); - // context.allowBrokenChain = true; - } - - // WAC 2.0 SP-2066 The wrt must not block widget installation - // due to expiration of the author certificate. - time_t nowTime = time(NULL); - -#define CHECK_TIME -#ifdef CHECK_TIME - - ASN1_TIME* notAfterTime = data.getEndEntityCertificatePtr()->getNotAfterTime(); - ASN1_TIME* notBeforeTime = data.getEndEntityCertificatePtr()->getNotBeforeTime(); - - - if (X509_cmp_time(notBeforeTime, &nowTime) > 0 || X509_cmp_time(notAfterTime, &nowTime) < 0) - { - struct tm *t; - struct tm ta, tb, tc; - char msg[1024]; - - t = localtime(&nowTime); - if (!t) - return SignatureValidator::SIGNATURE_INVALID_CERT_TIME; - - memset(&tc, 0, sizeof(tc)); - - snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", t->tm_year + 1900, t->tm_mon + 1,t->tm_mday ); - LogDebug("## System's currentTime : " << msg); - fprintf(stderr, "## System's currentTime : %s\n", msg); - - tb = _ASN1_GetTimeT(notBeforeTime); - snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", tb.tm_year + 1900, tb.tm_mon + 1,tb.tm_mday ); - LogDebug("## certificate's notBeforeTime : " << msg); - fprintf(stderr, "## certificate's notBeforeTime : %s\n", msg); - - ta = _ASN1_GetTimeT(notAfterTime); - snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", ta.tm_year + 1900, 
ta.tm_mon + 1,ta.tm_mday ); - LogDebug("## certificate's notAfterTime : " << msg); - fprintf(stderr, "## certificate's notAfterTime : %s\n", msg); - - if (storeIdSet.contains(CertStoreId::TIZEN_VERIFY)) - { - LogDebug("## TIZEN_VERIFY : check certificate Time : FALSE"); - fprintf(stderr, "## TIZEN_VERIFY : check certificate Time : FALSE\n"); - return SignatureValidator::SIGNATURE_INVALID; - } - - int year = (ta.tm_year - tb.tm_year) / 4; - tc.tm_year = tb.tm_year + year; - tc.tm_mon = (tb.tm_mon + ta.tm_mon )/2; - tc.tm_mday = (tb.tm_mday + ta.tm_mday)/2; - - snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", tc.tm_year + 1900, tc.tm_mon + 1,tc.tm_mday ); - LogDebug("## cmp cert with validation time : " << msg); - fprintf(stderr, "## cmp cert with validation time : %s\n", msg); - - time_t outCurrent = mktime(&tc); - context.validationTime = outCurrent; - //return SignatureValidator::SIGNATURE_INVALID; - } - -#endif - -#if 0 - time_t notAfter = data.getEndEntityCertificatePtr()->getNotAfter(); - time_t notBefore = data.getEndEntityCertificatePtr()->getNotBefore(); - - struct tm *t; - - if (data.isAuthorSignature()) - { - // time_t 2038 year bug exist. So, notAtter() cann't check... - /* - if (notAfter < nowTime) - { - context.validationTime = notAfter - TIMET_DAY; - LogWarning("Author certificate is expired. notAfter..."); - } - */ - - if (notBefore > nowTime) - { - LogWarning("Author certificate is expired. notBefore time is greater than system-time."); - - t = localtime(&nowTime); - - t = localtime(¬Before); - - context.validationTime = notBefore + TIMET_DAY; - - t = localtime(&context.validationTime); - } - } -#endif - // WAC 2.0 SP-2066 The wrt must not block widget installation - //context.allowBrokenChain = true; - - // end - if(uriList.size() == 0) - { - if (XmlSec::NO_ERROR != XmlSecSingleton::Instance().validateNoHash(&context)) { - LogWarning("Installation break - invalid package! 
>> validateNoHash"); - return SignatureValidator::SIGNATURE_INVALID; - } - } - else if(uriList.size() != 0) - { - XmlSecSingleton::Instance().setPartialHashList(uriList); - if (XmlSec::NO_ERROR != XmlSecSingleton::Instance().validatePartialHash(&context)) { - LogWarning("Installation break - invalid package! >> validatePartialHash"); - return SignatureValidator::SIGNATURE_INVALID; - } - } - - data.setReference(context.referenceSet); - //if (!checkObjectReferences(data)) { - // return SignatureValidator::SIGNATURE_INVALID; - // } - - (void) widgetContentPath; - /* - ReferenceValidator fileValidator(widgetContentPath); - if (ReferenceValidator::NO_ERROR != fileValidator.checkReferences(data)) { - LogWarning("Invalid package - file references broken"); - return SignatureValidator::SIGNATURE_INVALID; - } - */ - - if (disregard) { - LogWarning("Signature is disregard. RootCA is not a member of Tizen."); - return SignatureValidator::SIGNATURE_DISREGARD; - } - return SignatureValidator::SIGNATURE_VERIFIED; + if (TOKEN_PROFILE_URI != data.getProfileURI()) { + LogWarning("Profile tag contains unsupported value " + "in URI attribute " << data.getProfileURI()); + return false; + } + return true; } -class ImplWacSignatureValidator : public SignatureValidator::ImplSignatureValidator -{ - public: - SignatureValidator::Result check(SignatureData &data, - const std::string &widgetContentPath); - - SignatureValidator::Result checkList(SignatureData &data, - const std::string &widgetContentPath, - const std::list& uriList); - explicit ImplWacSignatureValidator(bool ocspEnable, - bool crlEnable, - bool complianceMode) - : ImplSignatureValidator(ocspEnable, crlEnable, complianceMode) - {} - - virtual ~ImplWacSignatureValidator() {} -}; - - -SignatureValidator::Result ImplWacSignatureValidator::checkList( - SignatureData & /* data */, - const std::string & /* widgetContentPath */, - const std::list& /* uriList */) +static bool checkObjectReferences(const ValidationCore::SignatureData 
&data) { - return SignatureValidator::SIGNATURE_INVALID; + ValidationCore::ObjectList objectList = data.getObjectList(); + ValidationCore::ObjectList::const_iterator iter; + for (iter = objectList.begin(); iter != objectList.end(); ++iter) { + if (!data.containObjectReference(*iter)) { + LogWarning("Signature does not contain reference for object " << *iter); + return false; + } + } + return true; } - -SignatureValidator::Result ImplWacSignatureValidator::check( - SignatureData &data, - const std::string &widgetContentPath) +static struct tm getMidTime(const struct tm &tb, const struct tm &ta) { - bool disregard = false; + struct tm tMid; + memset(&tMid, 0, sizeof(tMid)); + + LogDebug("Certificate's notBeforeTime : Year[" + << (tb.tm_year + 1900) + << "] Month[" << (tb.tm_mon + 1) + << "] Day[" << tb.tm_mday << "] "); + + LogDebug("Certificate's notAfterTime : Year[" + << (ta.tm_year + 1900) + << "] Month[" << (ta.tm_mon + 1) + << "] Day[" << ta.tm_mday << "] "); + + int year = (ta.tm_year - tb.tm_year) / 4; + + if (year == 0) { + tMid.tm_year = tb.tm_year; + tMid.tm_mon = tb.tm_mon + 1; + tMid.tm_mday = tb.tm_mday; + + if (tMid.tm_mon == 12) { + tMid.tm_year = ta.tm_year; + tMid.tm_mon = ta.tm_mon - 1; + tMid.tm_mday = ta.tm_mday; + + if (tMid.tm_mon < 0) { + tMid.tm_year = ta.tm_year; + tMid.tm_mon = ta.tm_mon; + tMid.tm_mday = ta.tm_mday - 1; + + if (tMid.tm_mday == 0) { + tMid.tm_year = tb.tm_year; + tMid.tm_mon = tb.tm_mon; + tMid.tm_mday = tb.tm_mday + 1; + } + } + } + } else { + tMid.tm_year = tb.tm_year + year; + tMid.tm_mon = (tb.tm_mon + ta.tm_mon) / 2; + tMid.tm_mday = (tb.tm_mday + ta.tm_mday) / 2; + } - if (!checkRoleURI(data)) { - return SignatureValidator::SIGNATURE_INVALID; - } + LogDebug("cmp cert with validation time. 
Year[" + << (tMid.tm_year + 1900) + << "] Month[" << (tMid.tm_mon + 1) + << "] Day[" << tMid.tm_mday << "] "); - if (!checkProfileURI(data)) { - return SignatureValidator::SIGNATURE_INVALID; - } + return tMid; +} - // CertificateList sortedCertificateList = data.getCertList(); +} // namespace anonymouse - CertificateCollection collection; - collection.load(data.getCertList()); - // First step - sort certificate - if (!collection.sort()) { - LogWarning("Certificates do not form valid chain."); - return SignatureValidator::SIGNATURE_INVALID; - } - // Check for error - if (collection.empty()) { - LogWarning("Certificate list in signature is empty."); - return SignatureValidator::SIGNATURE_INVALID; - } +namespace ValidationCore { - CertificateList sortedCertificateList = collection.getChain(); +/* + * Prepare to check / checklist. parse xml and save info to signature data. + * + * [in] fileInfo : signature file information to check. file path should be absolute path + * which is made by SignatureFinder. + * [out] outData : signature data for validating and will be finally returned to client. + */ +int prepareToCheck(const SignatureFileInfo &fileInfo, SignatureData &outData) +{ + outData = SignatureData(fileInfo.getFileName(), fileInfo.getFileNumber()); + + try { + SignatureReader xml; + xml.initialize(outData, SIGNATURE_SCHEMA_PATH); + xml.read(outData); + } catch (...) { + LogError("Failed to parse signature file by signature reader."); + return -1; + } - // TODO move it to CertificateCollection - // Add root CA and CA certificates (if chain is incomplete) - sortedCertificateList = - OCSPCertMgrUtil::completeCertificateChain(sortedCertificateList); + return 0; +} - CertificatePtr root = sortedCertificateList.back(); +/* + * Same logic (check, checkList) is functionalized here. + * + * [in] checkOcsp : If on, check ocsp. + * [out] disregard : distributor signature disregard flag. + * [out] context : xml sec for validating. 
+ * [out] data : signature data for validationg and will be finally returned to client. + */ +static SignatureValidator::Result checkInternal( + bool checkOcsp, + bool &disregard, + XmlSec::XmlSecContext &context, + SignatureData &data) +{ + // TODO: impl ocsp check + (void) checkOcsp; + + if (!checkRoleURI(data) || !checkProfileURI(data)) + return SignatureValidator::SIGNATURE_INVALID; + + CertificateCollection collection; + collection.load(data.getCertList()); - // Is Root CA certificate trusted? - CertStoreId::Set storeIdSet = createCertificateIdentifier().find(root); + if (!collection.sort() || collection.empty() || !collection.completeCertificateChain()) { + LogWarning("Certificates do not form valid chain."); + return SignatureValidator::SIGNATURE_INVALID; + } - LogDebug("Is root certificate from TIZEN_DEVELOPER domain : " << storeIdSet.contains(CertStoreId::TIZEN_DEVELOPER)); - LogDebug("Is root certificate from TIZEN_TEST domain : " << storeIdSet.contains(CertStoreId::TIZEN_TEST)); - LogDebug("Is root certificate from TIZEN_VERIFY domain : " << storeIdSet.contains(CertStoreId::TIZEN_VERIFY)); - LogDebug("Is root certificate from TIZEN_PUBLIC domain : " << storeIdSet.contains(CertStoreId::VIS_PUBLIC)); - LogDebug("Is root certificate from TIZEN_PARTNER domain : " << storeIdSet.contains(CertStoreId::VIS_PARTNER)); - LogDebug("Is root certificate from TIZEN_PLATFORM domain : " << storeIdSet.contains(CertStoreId::VIS_PLATFORM)); + CertificateList sortedCertificateList = collection.getChain(); + CertificatePtr root = sortedCertificateList.back(); - LogDebug("Visibility level is public : " << storeIdSet.contains(CertStoreId::VIS_PUBLIC)); - LogDebug("Visibility level is partner : " << storeIdSet.contains(CertStoreId::VIS_PARTNER)); - LogDebug("Visibility level is platform : " << storeIdSet.contains(CertStoreId::VIS_PLATFORM)); + // Is Root CA certificate trusted? 
+ CertStoreId::Set storeIdSet = createCertificateIdentifier().find(root); - if (data.isAuthorSignature()) - { - if (!storeIdSet.contains(CertStoreId::TIZEN_DEVELOPER)) - { + LogDebug("root certificate from " << storeIdSet.typeToString() << " domain"); + if (data.isAuthorSignature()) { + if (!storeIdSet.contains(CertStoreId::TIZEN_DEVELOPER)) { LogWarning("author-signature.xml has got unrecognized Root CA " - "certificate. Signature will be disregarded."); + "certificate. Signature will be disregarded."); disregard = true; } } else { - LogDebug("signaturefile name = " << data.getSignatureFileName()); - if (storeIdSet.contains(CertStoreId::TIZEN_DEVELOPER)) - { + LogDebug("signaturefile name = " << data.getSignatureFileName()); + if (storeIdSet.contains(CertStoreId::TIZEN_DEVELOPER)) { LogError("distributor has author level siganture! Signature will be disregarded."); return SignatureValidator::SIGNATURE_INVALID; } - - if (data.getSignatureNumber() == 1) - { - if (storeIdSet.contains(CertStoreId::VIS_PUBLIC) || storeIdSet.contains(CertStoreId::VIS_PARTNER) || storeIdSet.contains(CertStoreId::VIS_PLATFORM)) - { - LogDebug("Root CA for signature1.xml is correct."); - } - else - { - LogWarning("signature1.xml has got unrecognized Root CA " - "certificate. Signature will be disregarded."); - disregard = true; - } - } - } - - data.setStorageType(storeIdSet); - data.setSortedCertificateList(sortedCertificateList); - - // We add only Root CA certificate because WAC ensure that the rest - // of certificates are present in signature files ;-) - XmlSec::XmlSecContext context; - context.signatureFile = data.getSignatureFileName(); - context.certificatePtr = root; - - // Now we should have full certificate chain. - // If the end certificate is not ROOT CA we should disregard signature - // but still signature must be valid... Aaaaaa it's so stupid... - if (!(root->isSignedBy(root))) { - LogWarning("Root CA certificate not found. 
Chain is incomplete."); -// context.allowBrokenChain = true; - } - - time_t nowTime = time(NULL); - // WAC 2.0 SP-2066 The wrt must not block widget installation - // due to expiration of the author certificate. -#define CHECK_TIME -#ifdef CHECK_TIME - - ASN1_TIME* notAfterTime = data.getEndEntityCertificatePtr()->getNotAfterTime(); - ASN1_TIME* notBeforeTime = data.getEndEntityCertificatePtr()->getNotBeforeTime(); - - if (X509_cmp_time(notBeforeTime, &nowTime) > 0 || X509_cmp_time(notAfterTime, &nowTime) < 0) - { - struct tm *t; - struct tm ta, tb, tc; - char msg[1024]; - - t = localtime(&nowTime); - if (!t) - return SignatureValidator::SIGNATURE_INVALID_CERT_TIME; - - memset(&tc, 0, sizeof(tc)); - - snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", t->tm_year + 1900, t->tm_mon + 1,t->tm_mday ); - LogDebug("## System's currentTime : " << msg); - fprintf(stderr, "## System's currentTime : %s\n", msg); - - tb = _ASN1_GetTimeT(notBeforeTime); - snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", tb.tm_year + 1900, tb.tm_mon + 1,tb.tm_mday ); - LogDebug("## certificate's notBeforeTime : " << msg); - fprintf(stderr, "## certificate's notBeforeTime : %s\n", msg); - - ta = _ASN1_GetTimeT(notAfterTime); - snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", ta.tm_year + 1900, ta.tm_mon + 1,ta.tm_mday ); - LogDebug("## certificate's notAfterTime : " << msg); - fprintf(stderr, "## certificate's notAfterTime : %s\n", msg); - - if (storeIdSet.contains(CertStoreId::TIZEN_VERIFY)) - { - LogDebug("## TIZEN_VERIFY : check certificate Time : FALSE"); - fprintf(stderr, "## TIZEN_VERIFY : check certificate Time : FALSE\n"); - return SignatureValidator::SIGNATURE_INVALID; - } - - int year = (ta.tm_year - tb.tm_year) / 4; - tc.tm_year = tb.tm_year + year; - tc.tm_mon = (tb.tm_mon + ta.tm_mon )/2; - tc.tm_mday = (tb.tm_mday + ta.tm_mday)/2; - - snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", tc.tm_year + 1900, tc.tm_mon + 1,tc.tm_mday ); - 
LogDebug("## cmp cert with validation time : " << msg); - fprintf(stderr, "## cmp cert with validation time : %s\n", msg); - - time_t outCurrent = mktime(&tc); - context.validationTime = outCurrent; - //return SignatureValidator::SIGNATURE_INVALID; - } - -#endif - -#if 0 - time_t notAfter = data.getEndEntityCertificatePtr()->getNotAfter(); - time_t notBefore = data.getEndEntityCertificatePtr()->getNotBefore(); - - struct tm *t; - - if (data.isAuthorSignature()) - { - // time_t 2038 year bug exist. So, notAtter() cann't check... - /* - if (notAfter < nowTime) - { - context.validationTime = notAfter - TIMET_DAY; - LogWarning("Author certificate is expired. notAfter..."); - } - */ - - if (notBefore > nowTime) - { - LogWarning("Author certificate is expired. notBefore time is greater than system-time."); - - t = localtime(&nowTime); - - t = localtime(¬Before); - - context.validationTime = notBefore + TIMET_DAY; - - t = localtime(&context.validationTime); - } - } -#endif - if (!data.isAuthorSignature()) - { - if (XmlSec::NO_ERROR != XmlSecSingleton::Instance().validate(&context)) { - LogWarning("Installation break - invalid package!"); - return SignatureValidator::SIGNATURE_INVALID; + if (data.getSignatureNumber() == 1 && !storeIdSet.isContainsVis()) { + LogWarning("signature1.xml has got unrecognized Root CA " + "certificate. 
Signature will be disregarded."); + disregard = true; } + } - data.setReference(context.referenceSet); + data.setStorageType(storeIdSet); + data.setSortedCertificateList(sortedCertificateList); - if (!checkObjectReferences(data)) { - return SignatureValidator::SIGNATURE_INVALID; - } + /* + * We add only Root CA certificate because the rest + * of certificates are present in signature files ;-) + */ + context.signatureFile = data.getSignatureFileName(); + context.certificatePtr = root; - ReferenceValidator fileValidator(widgetContentPath); - if (ReferenceValidator::NO_ERROR != fileValidator.checkReferences(data)) { - LogWarning("Invalid package - file references broken"); + /* certificate time check */ + ASN1_TIME* notAfterTime = data.getEndEntityCertificatePtr()->getNotAfterTime(); + ASN1_TIME* notBeforeTime = data.getEndEntityCertificatePtr()->getNotBeforeTime(); + + time_t nowTime = time(NULL); + + if (X509_cmp_time(notBeforeTime, &nowTime) > 0 || X509_cmp_time(notAfterTime, &nowTime) < 0) { + if (storeIdSet.contains(CertStoreId::TIZEN_TEST) || storeIdSet.contains(CertStoreId::TIZEN_VERIFY)) { + LogError("TIZEN_VERIFY : check certificate Time : FALSE"); return SignatureValidator::SIGNATURE_INVALID; } - } - if (disregard) { - LogWarning("Signature is disregard. 
RootCA is not a member of Tizen."); - return SignatureValidator::SIGNATURE_DISREGARD; - } - return SignatureValidator::SIGNATURE_VERIFIED; -} - -// Implementation of SignatureValidator + struct tm tMid = getMidTime(_ASN1_GetTimeT(notBeforeTime), _ASN1_GetTimeT(notAfterTime)); -SignatureValidator::SignatureValidator( - AppType appType, - bool ocspEnable, - bool crlEnable, - bool complianceMode) - : m_impl(0) -{ - LogDebug( "appType : " << appType ); - - if(appType == TIZEN) - { - m_impl = new ImplTizenSignatureValidator(ocspEnable,crlEnable,complianceMode); - } - else if(appType == WAC20) - { - m_impl = new ImplWacSignatureValidator(ocspEnable,crlEnable,complianceMode); - } -} + context.validationTime = mktime(&tMid); + } -SignatureValidator::~SignatureValidator() { - delete m_impl; + return SignatureValidator::SIGNATURE_VERIFIED; } SignatureValidator::Result SignatureValidator::check( - SignatureData &data, - const std::string &widgetContentPath) + const SignatureFileInfo &fileInfo, + const std::string &widgetContentPath, + bool checkOcsp, + bool checkReferences, + SignatureData &outData) { - return m_impl->check(data, widgetContentPath); + if (prepareToCheck(fileInfo, outData)) { + LogError("Failed to prepare to check."); + return SIGNATURE_INVALID; + } + + bool disregard = false; + + try { + XmlSec::XmlSecContext context; + Result result = checkInternal(checkOcsp, disregard, context, outData); + if (result != SIGNATURE_VERIFIED) + return result; + + if (!outData.isAuthorSignature()) { + if (XmlSec::NO_ERROR != XmlSecSingleton::Instance().validate(&context)) { + LogWarning("Installation break - invalid package!"); + return SIGNATURE_INVALID; + } + + outData.setReference(context.referenceSet); + if (!checkObjectReferences(outData)) { + LogWarning("Failed to check Object References"); + return SIGNATURE_INVALID; + } + + if (checkReferences) { + ReferenceValidator fileValidator(widgetContentPath); + if (ReferenceValidator::NO_ERROR != 
fileValidator.checkReferences(outData)) { + LogWarning("Invalid package - file references broken"); + return SIGNATURE_INVALID; + } + } + } + } catch (const CertificateCollection::Exception::Base &e) { + LogError("CertificateCollection exception : " << e.DumpToString()); + return SIGNATURE_INVALID; + } catch (const XmlSec::Exception::Base &e) { + LogError("XmlSec exception : " << e.DumpToString()); + return SIGNATURE_INVALID; + } catch (...) { + LogError("Unknown exception in SignatureValidator::check"); + return SIGNATURE_INVALID; + } + + return disregard ? SIGNATURE_DISREGARD : SIGNATURE_VERIFIED; } SignatureValidator::Result SignatureValidator::checkList( - SignatureData &data, - const std::string &widgetContentPath, - const std::list& uriList) + const SignatureFileInfo &fileInfo, + const std::string &widgetContentPath, + const std::list &uriList, + bool checkOcsp, + bool checkReferences, + SignatureData &outData) { - return m_impl->checkList(data, widgetContentPath, uriList); + if (prepareToCheck(fileInfo, outData)) { + LogError("Failed to prepare to check."); + return SIGNATURE_INVALID; + } + + bool disregard = false; + try { + XmlSec::XmlSecContext context; + Result result = checkInternal(checkOcsp, disregard, context, outData); + if (result != SIGNATURE_VERIFIED) + return result; + + if (uriList.size() == 0) { + if (XmlSec::NO_ERROR != XmlSecSingleton::Instance().validateNoHash(&context)) { + LogWarning("Installation break - invalid package! >> validateNoHash"); + return SIGNATURE_INVALID; + } + } else { + XmlSecSingleton::Instance().setPartialHashList(uriList); + if (XmlSec::NO_ERROR != XmlSecSingleton::Instance().validatePartialHash(&context)) { + LogWarning("Installation break - invalid package! 
>> validatePartialHash"); + return SIGNATURE_INVALID; + } + } + + outData.setReference(context.referenceSet); + /* + if (!checkObjectReferences(outData)) { + LogWarning("Failed to check Object References"); + return SIGNATURE_INVALID; + } + */ + + if (checkReferences) { + ReferenceValidator fileValidator(widgetContentPath); + if (ReferenceValidator::NO_ERROR != fileValidator.checkReferences(outData)) { + LogWarning("Invalid package - file references broken"); + return SIGNATURE_INVALID; + } + } + } catch (const CertificateCollection::Exception::Base &e) { + LogError("CertificateCollection exception : " << e.DumpToString()); + return SIGNATURE_INVALID; + } catch (const XmlSec::Exception::Base &e) { + LogError("XmlSec exception : " << e.DumpToString()); + return SIGNATURE_INVALID; + } catch (...) { + LogError("Unknown exception in SignatureValidator::checkList"); + return SIGNATURE_INVALID; + } + + return disregard ? SIGNATURE_DISREGARD : SIGNATURE_VERIFIED; } + } // namespace ValidationCore diff --git a/vcore/src/vcore/SignatureValidator.h b/vcore/src/vcore/SignatureValidator.h index 1f3900c..8154f8c 100644 --- a/vcore/src/vcore/SignatureValidator.h +++ b/vcore/src/vcore/SignatureValidator.h 
@@ -16,77 +16,52 @@ /* * @file SignatureValidator.h * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com) - * @version 1.0 + * @version 1.1 * @brief Implementatin of tizen signature validation protocol. */ #ifndef _VALIDATION_CORE_SIGNATUREVALIDATOR_H_ #define _VALIDATION_CORE_SIGNATUREVALIDATOR_H_ -#ifndef LOG_TAG -#undef LOG_TAG -#define LOG_TAG "OSP" -#endif - #include - +#include #include +#include namespace ValidationCore { class SignatureValidator { public: - class ImplSignatureValidator; - - enum AppType - { - TIZEN, - WAC20 - }; - enum Result { SIGNATURE_VALID, SIGNATURE_INVALID, SIGNATURE_VERIFIED, - SIGNATURE_DISREGARD, // no ocsp response or ocsp return unknown status - SIGNATURE_REVOKED, - SIGNATURE_INVALID_CERT_CHAIN, //5, from here, new error enum - SIGNATURE_INVALID_DISTRIBUTOR_CERT, - SIGNATURE_INVALID_SDK_DEFAULT_AUTHOR_CERT, - SIGNATURE_IN_DISTRIBUTOR_CASE_AUTHOR_CERT, - SIGNATURE_INVALID_CERT_TIME, - SIGNATURE_NO_DEVICE_PROFILE, - SIGNATURE_INVALID_DEVICE_UNIQUE_ID, - SIGNATURE_INVALID_NO_HASH_FILE, - SIGNATURE_INVALID_HASH_SIGNATURE + SIGNATURE_DISREGARD, + SIGNATURE_REVOKED }; SignatureValidator() = delete; SignatureValidator(const SignatureValidator &) = delete; const SignatureValidator &operator=(const SignatureValidator &) = delete; - explicit SignatureValidator( - AppType appType, - bool ocspEnable, - bool crlEnable, - bool complianceMode); - virtual ~SignatureValidator(); - Result check( - SignatureData &data, - const std::string &widgetContentPath); - - Result checkList( - SignatureData &data, + static Result check( + const SignatureFileInfo &fileInfo, const std::string &widgetContentPath, - const std::list& uriList); + bool checkOcsp, + bool checkReferences, + SignatureData &outData); -private: - ImplSignatureValidator *m_impl; + static Result checkList( + const SignatureFileInfo &fileInfo, + const std::string &widgetContentPath, + const std::list &uriList, + bool checkOcsp, + bool checkReferences, + SignatureData &outData); }; } // 
namespace ValidationCore -#endif // _VALIDATION_CORE_TIZENSIGNATUREVALIDATOR_H_ - +#endif // _VALIDATION_CORE_SIGNATUREVALIDATOR_H_ diff --git a/vcore/src/vcore/WrtSignatureValidator.cpp b/vcore/src/vcore/WrtSignatureValidator.cpp deleted file mode 100644 index d03f4f5..0000000 --- a/vcore/src/vcore/WrtSignatureValidator.cpp +++ /dev/null 
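Review bot: The new static `check` and `checkList` declarations take adjacent `bool checkOcsp, bool checkReferences` arguments with no comment, although each one switches off part of the validation. In this commit's SignatureValidator.cpp, `checkInternal` discards the first (`(void) checkOcsp;` under a TODO), so passing `true` performs no revocation check and no visible path returns `SIGNATURE_REVOKED`; `checkReferences == false` skips the `ReferenceValidator` pass over `widgetContentPath`. I would state that on the declarations, for example `// checkOcsp: reserved; OCSP is not implemented yet, revocation is NOT checked` and `// checkReferences: when false, ReferenceValidator is not run against widgetContentPath`. The `Result` enum also lost its only comment, so each value wants a one-line meaning, notably `SIGNATURE_DISREGARD` (per the .cpp, returned when the root CA is not a recognised one) and how `SIGNATURE_VALID` differs from `SIGNATURE_VERIFIED`, since none of the visible code returns `SIGNATURE_VALID`. Because two neighbouring bools are easy to swap at a call site, an options struct or one `enum class` per flag would turn a mistaken call into a compile error instead of a silently weaker check.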
@@ -1,732 +0,0 @@ -/* - * Copyright (c) 2011 Samsung Electronics Co., Ltd All Rights Reserved - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -/* - * @file WrtSignatureValidator.cpp - * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com) - * @version 1.0 - * @brief Implementatin of tizen signature validation protocol. - */ -#include - -#include -#include -#include -#include -#include -#include - -#include - -namespace { -const time_t TIMET_DAY = 60 * 60 * 24; - -const std::string TOKEN_ROLE_AUTHOR_URI = - "http://www.w3.org/ns/widgets-digsig#role-author"; -const std::string TOKEN_ROLE_DISTRIBUTOR_URI = - "http://www.w3.org/ns/widgets-digsig#role-distributor"; -const std::string TOKEN_PROFILE_URI = - "http://www.w3.org/ns/widgets-digsig#profile"; - -} // namespace anonymouse - -static tm _ASN1_GetTimeT(ASN1_TIME* time) -{ - struct tm t; - const char* str = (const char*) time->data; - size_t i = 0; - - memset(&t, 0, sizeof(t)); - - if (time->type == V_ASN1_UTCTIME) /* two digit year */ - { - t.tm_year = (str[i] - '0') * 10 + (str[i+1] - '0'); - i += 2; - if (t.tm_year < 70) - t.tm_year += 100; - } - else if (time->type == V_ASN1_GENERALIZEDTIME) /* four digit year */ - { - t.tm_year = - (str[i] - '0') * 1000 - + (str[i+1] - '0') * 100 - + (str[i+2] - '0') * 10 - + (str[i+3] - '0'); - i += 4; - t.tm_year -= 1900; - } - t.tm_mon = ((str[i] - '0') * 10 + (str[i+1] - '0')) - 1; // -1 since January is 0 not 1. 
- t.tm_mday = (str[i+2] - '0') * 10 + (str[i+3] - '0'); - t.tm_hour = (str[i+4] - '0') * 10 + (str[i+5] - '0'); - t.tm_min = (str[i+6] - '0') * 10 + (str[i+7] - '0'); - t.tm_sec = (str[i+8] - '0') * 10 + (str[i+9] - '0'); - - /* Note: we did not adjust the time based on time zone information */ - return t; -} - - -namespace ValidationCore { - -class WrtSignatureValidator::Impl { -public: - virtual WrtSignatureValidator::Result check( - SignatureData &data, - const std::string &widgetContentPath) = 0; - - explicit Impl(bool ocspEnable, - bool crlEnable, - bool complianceMode) - : m_complianceModeEnabled(complianceMode) - { - (void) ocspEnable; - (void) crlEnable; - } - - virtual ~Impl() {} - - bool checkRoleURI(const SignatureData &data) { - std::string roleURI = data.getRoleURI(); - - if (roleURI.empty()) { - LogWarning("URI attribute in Role tag couldn't be empty."); - return false; - } - - if (roleURI != TOKEN_ROLE_AUTHOR_URI && data.isAuthorSignature()) { - LogWarning("URI attribute in Role tag does not " - "match with signature filename."); - return false; - } - - if (roleURI != TOKEN_ROLE_DISTRIBUTOR_URI && !data.isAuthorSignature()) { - LogWarning("URI attribute in Role tag does not " - "match with signature filename."); - return false; - } - return true; - } - - bool checkProfileURI(const SignatureData &data) { - if (TOKEN_PROFILE_URI != data.getProfileURI()) { - LogWarning("Profile tag contains unsupported value in URI attribute " << data.getProfileURI()); - return false; - } - return true; - } - - bool checkObjectReferences(const SignatureData &data) { - ObjectList objectList = data.getObjectList(); - ObjectList::const_iterator iter; - for (iter = objectList.begin(); iter != objectList.end(); ++iter) { - if (!data.containObjectReference(*iter)) { - LogWarning("Signature does not contain reference for object " << *iter); - return false; - } - } - return true; - } -protected: - bool m_complianceModeEnabled; - -}; - -class ImplTizen : public 
WrtSignatureValidator::Impl { -public: - WrtSignatureValidator::Result check(SignatureData &data, - const std::string &widgetContentPath); - - explicit ImplTizen(bool ocspEnable, - bool crlEnable, - bool complianceMode) - : Impl(ocspEnable, crlEnable, complianceMode) - {} - - virtual ~ImplTizen() {} -}; - -WrtSignatureValidator::Result ImplTizen::check( - SignatureData &data, - const std::string &widgetContentPath) -{ - bool disregard = false; - - if (!checkRoleURI(data)) { - return WrtSignatureValidator::SIGNATURE_INVALID; - } - - if (!checkProfileURI(data)) { - return WrtSignatureValidator::SIGNATURE_INVALID; - } - - // CertificateList sortedCertificateList = data.getCertList(); - - CertificateCollection collection; - collection.load(data.getCertList()); - - // First step - sort certificate - if (!collection.sort()) { - LogWarning("Certificates do not form valid chain."); - return WrtSignatureValidator::SIGNATURE_INVALID_CERT_CHAIN;//SIGNATURE_INVALID; - } - - // Check for error - if (collection.empty()) { - LogWarning("Certificate list in signature is empty."); - return WrtSignatureValidator::SIGNATURE_INVALID_CERT_CHAIN;//SIGNATURE_INVALID; - } - - CertificateList sortedCertificateList = collection.getChain(); - - // TODO move it to CertificateCollection - // Add root CA and CA certificates (if chain is incomplete) - sortedCertificateList = - OCSPCertMgrUtil::completeCertificateChain(sortedCertificateList); - - CertificatePtr root = sortedCertificateList.back(); - - // Is Root CA certificate trusted? 
- CertStoreId::Set storeIdSet = createCertificateIdentifier().find(root); - - LogDebug("Is root certificate from TIZEN_DEVELOPER domain : " << storeIdSet.contains(CertStoreId::TIZEN_DEVELOPER)); - LogDebug("Is root certificate from TIZEN_TEST domain : " << storeIdSet.contains(CertStoreId::TIZEN_TEST)); - LogDebug("Is root certificate from TIZEN_VERIFY domain : " << storeIdSet.contains(CertStoreId::TIZEN_VERIFY)); - LogDebug("Is root certificate from TIZEN_PUBLIC domain : " << storeIdSet.contains(CertStoreId::VIS_PUBLIC)); - LogDebug("Is root certificate from TIZEN_PARTNER domain : " << storeIdSet.contains(CertStoreId::VIS_PARTNER)); - LogDebug("Is root certificate from TIZEN_PLATFORM domain : " << storeIdSet.contains(CertStoreId::VIS_PLATFORM)); - LogDebug("Visibility level is public : " << storeIdSet.contains(CertStoreId::VIS_PUBLIC)); - LogDebug("Visibility level is partner : " << storeIdSet.contains(CertStoreId::VIS_PARTNER)); - LogDebug("Visibility level is platform : " << storeIdSet.contains(CertStoreId::VIS_PLATFORM)); - - if (data.isAuthorSignature()) - { - if (!storeIdSet.contains(CertStoreId::TIZEN_DEVELOPER)) - { - LogWarning("author-signature.xml has got unrecognized Root CA " - "certificate. Signature will be disregarded."); - disregard = true; - } - } - else // distributor - { - if (storeIdSet.contains(CertStoreId::TIZEN_DEVELOPER)) - { - LogWarning("distributor has author level siganture! Signature will be disregarded."); - return WrtSignatureValidator::SIGNATURE_IN_DISTRIBUTOR_CASE_AUTHOR_CERT;//SIGNATURE_INVALID; - } - LogDebug("signaturefile name = " << data.getSignatureFileName()); - - - if (data.getSignatureNumber() == 1) - { - if (storeIdSet.contains(CertStoreId::VIS_PUBLIC) || storeIdSet.contains(CertStoreId::VIS_PARTNER) || storeIdSet.contains(CertStoreId::VIS_PLATFORM)) - { - LogDebug("Root CA for signature1.xml is correct."); - } - else - { - LogWarning("signature1.xml has got unrecognized Root CA " - "certificate. 
Signature will be disregarded."); - disregard = true; - } - } - } - - data.setStorageType(storeIdSet); - data.setSortedCertificateList(sortedCertificateList); - - // We add only Root CA certificate because WAC ensure that the rest - // of certificates are present in signature files ;-) - XmlSec::XmlSecContext context; - context.signatureFile = data.getSignatureFileName(); - context.certificatePtr = root; - - // Now we should have full certificate chain. - // If the end certificate is not ROOT CA we should disregard signature - // but still signature must be valid... Aaaaaa it's so stupid... - if (!(root->isSignedBy(root))) { - LogWarning("Root CA certificate not found. Chain is incomplete."); - //context.allowBrokenChain = true; - } - - // WAC 2.0 SP-2066 The wrt must not block widget installation - // due to expiration of the author certificate. - time_t nowTime = time(NULL); -#define CHECK_TIME -#ifdef CHECK_TIME - - ASN1_TIME* notAfterTime = data.getEndEntityCertificatePtr()->getNotAfterTime(); - ASN1_TIME* notBeforeTime = data.getEndEntityCertificatePtr()->getNotBeforeTime(); - - if (X509_cmp_time(notBeforeTime, &nowTime) > 0 || X509_cmp_time(notAfterTime, &nowTime) < 0) - { - struct tm *t; - struct tm ta, tb, tc; - char msg[1024]; - - t = localtime(&nowTime); - if (!t) - return WrtSignatureValidator::SIGNATURE_INVALID_CERT_TIME; - - memset(&tc, 0, sizeof(tc)); - - snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", t->tm_year + 1900, t->tm_mon + 1,t->tm_mday ); - LogDebug("## System's currentTime : " << msg); - fprintf(stderr, "## System's currentTime : %s\n", msg); - - tb = _ASN1_GetTimeT(notBeforeTime); - snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", tb.tm_year + 1900, tb.tm_mon + 1,tb.tm_mday ); - LogDebug("## certificate's notBeforeTime : " << msg); - fprintf(stderr, "## certificate's notBeforeTime : %s\n", msg); - - ta = _ASN1_GetTimeT(notAfterTime); - snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", ta.tm_year + 1900, 
ta.tm_mon + 1,ta.tm_mday ); - LogDebug("## certificate's notAfterTime : " << msg); - fprintf(stderr, "## certificate's notAfterTime : %s\n", msg); - - if (storeIdSet.contains(CertStoreId::TIZEN_TEST) || storeIdSet.contains(CertStoreId::TIZEN_VERIFY)) - { - LogDebug("## TIZEN_VERIFY : check certificate Time : FALSE"); - fprintf(stderr, "## TIZEN_VERIFY : check certificate Time : FALSE\n"); - return WrtSignatureValidator::SIGNATURE_INVALID_CERT_TIME;//SIGNATURE_INVALID; - } - - int year = (ta.tm_year - tb.tm_year) / 4; - - if(year == 0) - { - tc.tm_year = tb.tm_year; - tc.tm_mon = tb.tm_mon + 1; - tc.tm_mday = tb.tm_mday; - - if(tc.tm_mon == 12) - { - tc.tm_year = ta.tm_year; - tc.tm_mon = ta.tm_mon - 1; - tc.tm_mday = ta.tm_mday; - - if(tc.tm_mon < 0) - { - tc.tm_year = ta.tm_year; - tc.tm_mon = ta.tm_mon; - tc.tm_mday = ta.tm_mday -1; - - if(tc.tm_mday == 0) - { - tc.tm_year = tb.tm_year; - tc.tm_mon = tb.tm_mon; - tc.tm_mday = tb.tm_mday +1; - } - } - } - } - else{ - tc.tm_year = tb.tm_year + year; - tc.tm_mon = (tb.tm_mon + ta.tm_mon )/2; - tc.tm_mday = (tb.tm_mday + ta.tm_mday)/2; - } - - snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", tc.tm_year + 1900, tc.tm_mon + 1,tc.tm_mday ); - LogDebug("## cmp cert with validation time : " << msg); - fprintf(stderr, "## cmp cert with validation time : %s\n", msg); - - time_t outCurrent = mktime(&tc); - context.validationTime = outCurrent; - - fprintf(stderr, "## cmp outCurrent time : %ld\n", outCurrent); - - //return WrtSignatureValidator::SIGNATURE_INVALID; - } - -#endif - -#if 0 - time_t notAfter = data.getEndEntityCertificatePtr()->getNotAfter(); - time_t notBefore = data.getEndEntityCertificatePtr()->getNotBefore(); - - struct tm *t; - - if (data.isAuthorSignature()) - { - // time_t 2038 year bug exist. So, notAtter() cann't check... - /* - if (notAfter < nowTime) - { - context.validationTime = notAfter - TIMET_DAY; - LogWarning("Author certificate is expired. 
notAfter..."); - } - */ - - if (notBefore > nowTime) - { - LogWarning("Author certificate is expired. notBefore time is greater than system-time."); - - t = localtime(&nowTime); - LogDebug("System's current Year : " << (t->tm_year + 1900)); - LogDebug("System's current month : " << (t->tm_mon + 1)); - LogDebug("System's current day : " << (t->tm_mday)); - - t = localtime(¬Before); - LogDebug("Author certificate's notBefore Year : " << (t->tm_year + 1900)); - LogDebug("Author certificate's notBefore month : " << (t->tm_mon + 1)); - LogDebug("Author certificate's notBefore day : " << (t->tm_mday)); - - context.validationTime = notBefore + TIMET_DAY; - - t = localtime(&context.validationTime); - LogDebug("Modified current Year : " << (t->tm_year + 1900)); - LogDebug("Modified current notBefore month : " << (t->tm_mon + 1)); - LogDebug("Modified current notBefore day : " << (t->tm_mday)); - } - } -#endif - // WAC 2.0 SP-2066 The wrt must not block widget installation - //context.allowBrokenChain = true; - - // end - if (!data.isAuthorSignature()) - { - if (XmlSec::NO_ERROR != XmlSecSingleton::Instance().validate(&context)) { - LogWarning("Installation break - invalid package!"); - return WrtSignatureValidator::SIGNATURE_INVALID_HASH_SIGNATURE;//SIGNATURE_INVALID; - } - - data.setReference(context.referenceSet); - - if (!checkObjectReferences(data)) { - LogWarning("Failed to check Object References"); - return WrtSignatureValidator::SIGNATURE_INVALID_HASH_SIGNATURE;//SIGNATURE_INVALID; - } - - ReferenceValidator fileValidator(widgetContentPath); - if (ReferenceValidator::NO_ERROR != fileValidator.checkReferences(data)) { - LogWarning("Invalid package - file references broken"); - return WrtSignatureValidator::SIGNATURE_INVALID_NO_HASH_FILE;//SIGNATURE_INVALID; - } - } - - if (disregard) { - LogWarning("Signature is disregard. 
RootCA is not a member of Tizen"); - return WrtSignatureValidator::SIGNATURE_INVALID_DISTRIBUTOR_CERT;//SIGNATURE_DISREGARD; - } - return WrtSignatureValidator::SIGNATURE_VERIFIED; -} - -class ImplWac : public WrtSignatureValidator::Impl -{ -public: - WrtSignatureValidator::Result check(SignatureData &data, - const std::string &widgetContentPath); - - explicit ImplWac(bool ocspEnable, - bool crlEnable, - bool complianceMode) - : Impl(ocspEnable, crlEnable, complianceMode) - {} - - virtual ~ImplWac() {} -}; - -WrtSignatureValidator::Result ImplWac::check( - SignatureData &data, - const std::string &widgetContentPath) -{ - bool disregard = false; - - if (!checkRoleURI(data)) { - return WrtSignatureValidator::SIGNATURE_INVALID; - } - - if (!checkProfileURI(data)) { - return WrtSignatureValidator::SIGNATURE_INVALID; - } - - // CertificateList sortedCertificateList = data.getCertList(); - - CertificateCollection collection; - collection.load(data.getCertList()); - - // First step - sort certificate - if (!collection.sort()) { - LogWarning("Certificates do not form valid chain."); - return WrtSignatureValidator::SIGNATURE_INVALID; - } - - // Check for error - if (collection.empty()) { - LogWarning("Certificate list in signature is empty."); - return WrtSignatureValidator::SIGNATURE_INVALID; - } - - CertificateList sortedCertificateList = collection.getChain(); - - // TODO move it to CertificateCollection - // Add root CA and CA certificates (if chain is incomplete) - sortedCertificateList = - OCSPCertMgrUtil::completeCertificateChain(sortedCertificateList); - - CertificatePtr root = sortedCertificateList.back(); - - // Is Root CA certificate trusted? 
- CertStoreId::Set storeIdSet = createCertificateIdentifier().find(root); - - LogDebug("Is root certificate from TIZEN_DEVELOPER domain : " << storeIdSet.contains(CertStoreId::TIZEN_DEVELOPER)); - LogDebug("Is root certificate from TIZEN_TEST domain : " << storeIdSet.contains(CertStoreId::TIZEN_TEST)); - LogDebug("Is root certificate from TIZEN_VERIFY domain : " << storeIdSet.contains(CertStoreId::TIZEN_VERIFY)); - LogDebug("Is root certificate from TIZEN_PUBLIC domain : " << storeIdSet.contains(CertStoreId::VIS_PUBLIC)); - LogDebug("Is root certificate from TIZEN_PARTNER domain : " << storeIdSet.contains(CertStoreId::VIS_PARTNER)); - LogDebug("Is root certificate from TIZEN_PLATFORM domain : " << storeIdSet.contains(CertStoreId::VIS_PLATFORM)); - LogDebug("Visibility level is public : " << storeIdSet.contains(CertStoreId::VIS_PUBLIC)); - LogDebug("Visibility level is partner : " << storeIdSet.contains(CertStoreId::VIS_PARTNER)); - LogDebug("Visibility level is platform : " << storeIdSet.contains(CertStoreId::VIS_PLATFORM)); - - if (data.isAuthorSignature()) - { - if (!storeIdSet.contains(CertStoreId::TIZEN_DEVELOPER)) - { - LogWarning("author-signature.xml has got unrecognized Root CA " - "certificate. Signature will be disregarded."); - disregard = true; - } - } - else - { - if (storeIdSet.contains(CertStoreId::TIZEN_DEVELOPER)) - { - LogWarning("distributor has author level siganture! Signature will be disregarded."); - return WrtSignatureValidator::SIGNATURE_INVALID; - } - LogDebug("signaturefile name = " << data.getSignatureFileName()); - - if (data.getSignatureNumber() == 1) - { - if (storeIdSet.contains(CertStoreId::VIS_PUBLIC) || storeIdSet.contains(CertStoreId::VIS_PARTNER) || storeIdSet.contains(CertStoreId::VIS_PLATFORM)) - { - LogDebug("Root CA for signature1.xml is correct."); - } - else - { - LogWarning("signature1.xml has got unrecognized Root CA " - "certificate. 
Signature will be disregarded."); - disregard = true; - } - } - } - - data.setStorageType(storeIdSet); - data.setSortedCertificateList(sortedCertificateList); - - // We add only Root CA certificate because WAC ensure that the rest - // of certificates are present in signature files ;-) - XmlSec::XmlSecContext context; - context.signatureFile = data.getSignatureFileName(); - context.certificatePtr = root; - - // Now we should have full certificate chain. - // If the end certificate is not ROOT CA we should disregard signature - // but still signature must be valid... Aaaaaa it's so stupid... - if (!(root->isSignedBy(root))) { - LogWarning("Root CA certificate not found. Chain is incomplete."); -// context.allowBrokenChain = true; - } - - time_t nowTime = time(NULL); - // WAC 2.0 SP-2066 The wrt must not block widget installation - // due to expiration of the author certificate. -#define CHECK_TIME -#ifdef CHECK_TIME - - ASN1_TIME* notAfterTime = data.getEndEntityCertificatePtr()->getNotAfterTime(); - ASN1_TIME* notBeforeTime = data.getEndEntityCertificatePtr()->getNotBeforeTime(); - - if (X509_cmp_time(notBeforeTime, &nowTime) > 0 || X509_cmp_time(notAfterTime, &nowTime) < 0) - { - struct tm *t; - struct tm ta, tb, tc; - char msg[1024]; - - t = localtime(&nowTime); - if (!t) - return WrtSignatureValidator::SIGNATURE_INVALID_CERT_TIME; - - memset(&tc, 0, sizeof(tc)); - - snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", t->tm_year + 1900, t->tm_mon + 1,t->tm_mday ); - LogDebug("## System's currentTime : " << msg); - fprintf(stderr, "## System's currentTime : %s\n", msg); - - tb = _ASN1_GetTimeT(notBeforeTime); - snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", tb.tm_year + 1900, tb.tm_mon + 1,tb.tm_mday ); - LogDebug("## certificate's notBeforeTime : " << msg); - fprintf(stderr, "## certificate's notBeforeTime : %s\n", msg); - - ta = _ASN1_GetTimeT(notAfterTime); - snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", ta.tm_year + 1900, 
ta.tm_mon + 1,ta.tm_mday ); - LogDebug("## certificate's notAfterTime : " << msg); - fprintf(stderr, "## certificate's notAfterTime : %s\n", msg); - - if (storeIdSet.contains(CertStoreId::TIZEN_VERIFY)) - { - LogDebug("## TIZEN_VERIFY : check certificate Time : FALSE"); - fprintf(stderr, "## TIZEN_VERIFY : check certificate Time : FALSE\n"); - return WrtSignatureValidator::SIGNATURE_INVALID; - } - - int year = (ta.tm_year - tb.tm_year) / 4; - - if(year == 0) - { - tc.tm_year = tb.tm_year; - tc.tm_mon = tb.tm_mon + 1; - tc.tm_mday = tb.tm_mday; - - if(tc.tm_mon == 12) - { - tc.tm_year = ta.tm_year; - tc.tm_mon = ta.tm_mon - 1; - tc.tm_mday = ta.tm_mday; - - if(tc.tm_mon < 0) - { - tc.tm_year = ta.tm_year; - tc.tm_mon = ta.tm_mon; - tc.tm_mday = ta.tm_mday -1; - - if(tc.tm_mday == 0) - { - tc.tm_year = tb.tm_year; - tc.tm_mon = tb.tm_mon; - tc.tm_mday = tb.tm_mday +1; - } - } - } - } - else{ - tc.tm_year = tb.tm_year + year; - tc.tm_mon = (tb.tm_mon + ta.tm_mon )/2; - tc.tm_mday = (tb.tm_mday + ta.tm_mday)/2; - } - - snprintf(msg, sizeof(msg), "Year: %d, month: %d, day : %d", tc.tm_year + 1900, tc.tm_mon + 1,tc.tm_mday ); - LogDebug("## cmp cert with validation time : " << msg); - fprintf(stderr, "## cmp cert with validation time : %s\n", msg); - - time_t outCurrent = mktime(&tc); - - fprintf(stderr, "## cmp outCurrent time : %ld\n", outCurrent); - - context.validationTime = outCurrent; - //return WrtSignatureValidator::SIGNATURE_INVALID; - } - -#endif - -#if 0 - time_t notAfter = data.getEndEntityCertificatePtr()->getNotAfter(); - time_t notBefore = data.getEndEntityCertificatePtr()->getNotBefore(); - - struct tm *t; - - if (data.isAuthorSignature()) - { - // time_t 2038 year bug exist. So, notAtter() cann't check... - /* - if (notAfter < nowTime) - { - context.validationTime = notAfter - TIMET_DAY; - LogWarning("Author certificate is expired. notAfter..."); - } - */ - - if (notBefore > nowTime) - { - LogWarning("Author certificate is expired. 
notBefore time is greater than system-time."); - - t = localtime(&nowTime); - LogDebug("System's current Year : " << (t->tm_year + 1900)); - LogDebug("System's current month : " << (t->tm_mon + 1)); - LogDebug("System's current day : " << (t->tm_mday)); - - t = localtime(¬Before); - LogDebug("Author certificate's notBefore Year : " << (t->tm_year + 1900)); - LogDebug("Author certificate's notBefore month : " << (t->tm_mon + 1)); - LogDebug("Author certificate's notBefore day : " << (t->tm_mday)); - - context.validationTime = notBefore + TIMET_DAY; - - t = localtime(&context.validationTime); - LogDebug("Modified current Year : " << (t->tm_year + 1900)); - LogDebug("Modified current notBefore month : " << (t->tm_mon + 1)); - LogDebug("Modified current notBefore day : " << (t->tm_mday)); - } - } -#endif - - if (!data.isAuthorSignature()) - { - if (XmlSec::NO_ERROR != XmlSecSingleton::Instance().validate(&context)) { - LogWarning("Installation break - invalid package!"); - return WrtSignatureValidator::SIGNATURE_INVALID; - } - - data.setReference(context.referenceSet); - - if (!checkObjectReferences(data)) { - return WrtSignatureValidator::SIGNATURE_INVALID; - } - - ReferenceValidator fileValidator(widgetContentPath); - if (ReferenceValidator::NO_ERROR != fileValidator.checkReferences(data)) { - LogWarning("Invalid package - file references broken"); - return WrtSignatureValidator::SIGNATURE_INVALID; - } - } - - if (disregard) { - LogWarning("Signature is disregard. 
RootCA is not a member of Tizen."); - return WrtSignatureValidator::SIGNATURE_DISREGARD; - } - return WrtSignatureValidator::SIGNATURE_VERIFIED; -} - -// Implementation of WrtSignatureValidator - -WrtSignatureValidator::WrtSignatureValidator( - AppType appType, - bool ocspEnable, - bool crlEnable, - bool complianceMode) - : m_impl(0) -{ - if (appType == TIZEN) - m_impl = new ImplTizen(ocspEnable,crlEnable,complianceMode); - else - m_impl = new ImplWac(ocspEnable,crlEnable,complianceMode); -} - -WrtSignatureValidator::~WrtSignatureValidator() -{ - delete m_impl; -} - -WrtSignatureValidator::Result WrtSignatureValidator::check( - SignatureData &data, - const std::string &widgetContentPath) -{ - return m_impl->check(data, widgetContentPath); -} - -} // namespace ValidationCore - diff --git a/vcore/src/vcore/WrtSignatureValidator.h b/vcore/src/vcore/WrtSignatureValidator.h deleted file mode 100644 index 04a8434..0000000 --- a/vcore/src/vcore/WrtSignatureValidator.h +++ /dev/null 
@@ -1,84 +0,0 @@ -/* - * Copyright (c) 2011 Samsung Electronics Co., Ltd All Rights Reserved - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -/* - * @file WrtSignatureValidator.h - * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com) - * @version 1.0 - * @brief Implementatin of tizen signature validation protocol. - */ -#ifndef _VALIDATION_CORE_TIZENSIGNATUREVALIDATOR_H_ -#define _VALIDATION_CORE_TIZENSIGNATUREVALIDATOR_H_ - -#include - -#include - -namespace ValidationCore { - -class WrtSignatureValidator { -public: - - class Impl; - - enum AppType - { - TIZEN, - WAC20 - }; - - enum Result - { - SIGNATURE_VALID, - SIGNATURE_INVALID, - SIGNATURE_VERIFIED, - SIGNATURE_DISREGARD, // no ocsp response or ocsp return unknown status - SIGNATURE_REVOKED, - SIGNATURE_INVALID_CERT_CHAIN, //5, from here, new error enum - SIGNATURE_INVALID_DISTRIBUTOR_CERT, - SIGNATURE_INVALID_SDK_DEFAULT_AUTHOR_CERT, - SIGNATURE_IN_DISTRIBUTOR_CASE_AUTHOR_CERT, - SIGNATURE_INVALID_CERT_TIME, - SIGNATURE_NO_DEVICE_PROFILE, - SIGNATURE_INVALID_DEVICE_UNIQUE_ID, - SIGNATURE_INVALID_NO_HASH_FILE, - SIGNATURE_INVALID_HASH_SIGNATURE - }; - - WrtSignatureValidator() = delete; - WrtSignatureValidator(const WrtSignatureValidator &) = delete; - const WrtSignatureValidator &operator=(const WrtSignatureValidator &) = delete; - - explicit WrtSignatureValidator( - AppType appType, - bool ocspEnable, - bool crlEnable, - bool complianceMode); - - virtual ~WrtSignatureValidator(); - - 
Result check( - SignatureData &data, - const std::string &widgetContentPath); - -private: - Impl *m_impl; - -}; - -} // namespace ValidationCore - -#endif // _VALIDATION_CORE_TIZENSIGNATUREVALIDATOR_H_ - diff --git a/vcore/src/vcore/api.cpp b/vcore/src/vcore/api.cpp index 930212b..6918dfc 100644 --- a/vcore/src/vcore/api.cpp +++ b/vcore/src/vcore/api.cpp @@ -143,6 +143,22 @@ public: m_idListMap.erase(iter); } + inline void removeCertListAll(const CertSvcCertificateList &handler) { + auto iter = m_idListMap.find(handler.privateHandler); + if (iter == m_idListMap.end()) + return; + + for (size_t pos = 0; pos < iter->second.size(); ++pos) { + auto iterCert = m_certificateMap.find((iter->second)[pos]); + if (iterCert == m_certificateMap.end()) + return; + + m_certificateMap.erase(iterCert); + } + + m_idListMap.erase(iter); + } + inline int isSignedBy(const CertSvcCertificate &child, const CertSvcCertificate &parent, int *status) @@ -1051,7 +1067,7 @@ inline CertSvcInstanceImpl *impl(CertSvcInstance instance) { int certsvc_instance_new(CertSvcInstance *instance) { static int init = 1; if (init) { - SSL_library_init(); // required by message verification + OpenSSL_add_ssl_algorithms(); OpenSSL_add_all_digests(); init = 0; } @@ -1181,6 +1197,11 @@ void certsvc_certificate_list_free(CertSvcCertificateList handler) impl(handler.privateInstance)->removeCertList(handler); } +void certsvc_certificate_list_all_free(CertSvcCertificateList handler) +{ + impl(handler.privateInstance)->removeCertListAll(handler); +} + int certsvc_certificate_is_signed_by( CertSvcCertificate child, CertSvcCertificate parent,
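Review bot: In `removeCertListAll`, the `return;` taken when a list entry is not found in `m_certificateMap` stops the cleanup halfway, so the remaining certificates of that list and the list's own entry in `m_idListMap` are never erased. A caller of a "free all" function will assume those entries are gone, and a partially freed list leaves certificate objects alive in the instance for as long as it exists. Skip the missing id instead by changing that line to `continue;`, so the loop finishes and `m_idListMap.erase(iter);` always runs. The enclosing class starts and ends outside this hunk, so whether an id can legitimately be missing (for example, a certificate already freed individually) cannot be confirmed from here.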
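Review bot: The one-time OpenSSL setup in `certsvc_instance_new` is still guarded by a plain `static int init`, which is unsynchronized. If this function can be called from more than one thread (not visible in this hunk), two callers may run the initialization concurrently, or one may use the library before the other has finished setting it up. Consider `static std::once_flag once; std::call_once(once, [] { OpenSSL_add_ssl_algorithms(); OpenSSL_add_all_digests(); });`, which needs `<mutex>`. The replaced line also lost its explanation; in OpenSSL 1.0.x the new name is, as far as I know, a macro alias of `SSL_library_init()`, so keeping `// required by message verification` on the new call would preserve the reason it is there. The function body continues outside the hunk.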
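Review bot: `certsvc_certificate_list_all_free` has no comment saying how it differs from `certsvc_certificate_list_free`, and the difference matters for handle lifetime. Judging by `removeCertListAll` in the first hunk of this file, it erases every certificate the list references as well as the list itself, so any `CertSvcCertificate` handle the caller obtained from that list is invalid afterwards. I would state this above the definition and at the public declaration, which is not in this hunk: `// Frees the list AND every certificate it references; CertSvcCertificate handles taken from this list must not be used after this call.` If the same certificate id can appear in more than one list, which is not visible here, the comment should also say that the other list is left holding a stale id.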