From: sunggun.jung Date: Sat, 13 Apr 2013 11:47:22 +0000 (+0900) Subject: RootCA certificate list modified. And author cert getBefore check modified. X-Git-Tag: 2.1b_release~2 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=ac39dd0e11f64ed21f01b71e774b3229717418b7;p=platform%2Fcore%2Fsecurity%2Fcert-svc.git RootCA certificate list modified. And author cert getBefore check modified. Signed-off-by: sunggun.jung Change-Id: I1ff6f794d9e6d142fedb6ed6af0d2dd04152892b --- diff --git a/vcore/src/vcore/CertStoreType.h b/vcore/src/vcore/CertStoreType.h index dc76afd..ca24b18 100644 --- a/vcore/src/vcore/CertStoreType.h +++ b/vcore/src/vcore/CertStoreType.h @@ -29,17 +29,9 @@ namespace CertStoreId { typedef unsigned int Type; // RootCA certificates for developer mode. -const Type DEVELOPER = 1; +const Type TIZEN_DEVELOPER = 1; // RootCA certificates for author signatures. -const Type WAC_PUBLISHER = 1 << 1; -// RootCA certificates for wac-signed widgets. -const Type WAC_ROOT = 1 << 2; -// RootCA certificates for wac-members ie. operators, manufacturers. -const Type WAC_MEMBER = 1 << 3; -// RootCA certificates for tizen-member ie. samsung and operators -const Type TIZEN_MEMBER = 1 << 4; -// RootCA certificates used by orange -const Type ORANGE_LEGACY = 1 << 5; +const Type TIZEN_TEST = 1 << 1; // RootCA's visibility level : public const Type VIS_PUBLIC = 1 << 6; diff --git a/vcore/src/vcore/CertificateConfigReader.cpp b/vcore/src/vcore/CertificateConfigReader.cpp index b44eee9..2fcbbba 100644 --- a/vcore/src/vcore/CertificateConfigReader.cpp +++ b/vcore/src/vcore/CertificateConfigReader.cpp 
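Review bot: The context comment `// RootCA certificates for author signatures.` now sits directly above the new `TIZEN_TEST` constant, while the validators changed later in this commit use `TIZEN_DEVELOPER` as the author-signature root domain, so the header documents the wrong trust domain. The two comments should be reworded to match, for example `// RootCA certificates accepted for author signatures.` above `TIZEN_DEVELOPER`, plus a line above `TIZEN_TEST` stating what that domain is for (its intent is not visible here). Bits `1 << 2` through `1 << 5` are now unassigned; a short comment marking them as retired would keep them from being reused with a different meaning, in case any stored value still carries the old bits.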
@@ -33,13 +33,8 @@ const std::string TOKEN_CERTIFICATE_DOMAIN = "CertificateDomain"; const std::string TOKEN_FINGERPRINT_SHA1 = "FingerprintSHA1"; const std::string TOKEN_ATTR_NAME = "name"; -const std::string TOKEN_VALUE_WAC_ROOT = "wacroot"; -const std::string TOKEN_VALUE_WAC_PUBLISHER = "wacpublisher"; -const std::string TOKEN_VALUE_WAC_MEMBER = "wacmember"; -const std::string TOKEN_VALUE_DEVELOPER = "developer"; -const std::string TOKEN_VALUE_TIZEN_MEMBER = "tizenmember"; -const std::string TOKEN_VALUE_ORANGE_LEGACY = "orangelegacy"; - +const std::string TOKEN_VALUE_TIZEN_DEVELOPER = "tizen-developer"; +const std::string TOKEN_VALUE_TIZEN_TEST = "tizen-test"; const std::string TOKEN_VALUE_VISIBILITY_PUBLIC = "tizen-public"; const std::string TOKEN_VALUE_VISIBILITY_PARTNER = "tizen-partner"; const std::string TOKEN_VALUE_VISIBILITY_PARTNER_OPERATOR = "tizen-partner-operator"; 
@@ -106,18 +101,10 @@ void CertificateConfigReader::tokenCertificateDomain(CertificateIdentifier &) LogWarning("Invalid fingerprint file. Domain name is mandatory"); ThrowMsg(Exception::InvalidFile, "Invalid fingerprint file. Domain name is mandatory"); - } else if (name == TOKEN_VALUE_DEVELOPER) { - m_certificateDomain = CertStoreId::DEVELOPER; - } else if (name == TOKEN_VALUE_WAC_ROOT) { - m_certificateDomain = CertStoreId::WAC_ROOT; - } else if (name == TOKEN_VALUE_WAC_PUBLISHER) { - m_certificateDomain = CertStoreId::WAC_PUBLISHER; - } else if (name == TOKEN_VALUE_WAC_MEMBER) { - m_certificateDomain = CertStoreId::WAC_MEMBER; - } else if (name == TOKEN_VALUE_TIZEN_MEMBER) { - m_certificateDomain = CertStoreId::TIZEN_MEMBER; - } else if (name == TOKEN_VALUE_ORANGE_LEGACY) { - m_certificateDomain = CertStoreId::ORANGE_LEGACY; + } else if (name == TOKEN_VALUE_TIZEN_DEVELOPER) { + m_certificateDomain = CertStoreId::TIZEN_DEVELOPER; + } else if (name == TOKEN_VALUE_TIZEN_TEST) { + m_certificateDomain = CertStoreId::TIZEN_TEST; } else if (name == TOKEN_VALUE_VISIBILITY_PUBLIC) { m_certificateDomain = CertStoreId::VIS_PUBLIC; } else if (name == TOKEN_VALUE_VISIBILITY_PARTNER) { diff --git a/vcore/src/vcore/SignatureValidator.cpp b/vcore/src/vcore/SignatureValidator.cpp index b8da0b0..366ea59 100644 --- a/vcore/src/vcore/SignatureValidator.cpp +++ b/vcore/src/vcore/SignatureValidator.cpp 
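Review bot: With the six old domain names removed from this `else if` chain, a fingerprint file that still says `developer`, `wacroot` or `tizenmember` now reaches the tail of the chain, which lies outside the hunk. It should be confirmed that an unrecognised name clears `m_certificateDomain` (or throws, as the empty-name branch above does) rather than keeping the value assigned for a previous `CertificateDomain` element, because a stale value would file the following fingerprints under the wrong trust domain. If the tail does not already do this, a final `else { m_certificateDomain = 0; }` with a warning log would make the parser fail closed.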
@@ -167,16 +167,10 @@ SignatureValidator::Result ImplTizenSignatureValidator::check( // Is Root CA certificate trusted? CertStoreId::Set storeIdSet = createCertificateIdentifier().find(root); - LogDebug("Is root certificate from WAC_PUBLISHER domain: " - << storeIdSet.contains(CertStoreId::WAC_PUBLISHER)); - LogDebug("Is root certificate from WAC_DEVELOPER domain: " - << storeIdSet.contains(CertStoreId::DEVELOPER)); - LogDebug("Is root certificate from WAC_ROOT domain: " - << storeIdSet.contains(CertStoreId::WAC_ROOT)); - LogDebug("Is root certificate from WAC_MEMBER domain: " - << storeIdSet.contains(CertStoreId::WAC_MEMBER)); - LogDebug("Is root certificate from TIZEN_MEMBER domain: " - << storeIdSet.contains(CertStoreId::TIZEN_MEMBER)); + LogDebug("Is root certificate from TIZEN_DEVELOPER domain: " + << storeIdSet.contains(CertStoreId::TIZEN_DEVELOPER)); + LogDebug("Is root certificate from TIZEN_TEST domain: " + << storeIdSet.contains(CertStoreId::TIZEN_TEST)); LogDebug("Is root certificate from TIZEN_PUBLIC domain: " << storeIdSet.contains(CertStoreId::VIS_PUBLIC)); LogDebug("Is root certificate from TIZEN_PARTNER domain: " 
@@ -184,37 +178,40 @@ SignatureValidator::Result ImplTizenSignatureValidator::check( LogDebug("Is root certificate from TIZEN_PLATFORM domain: " << storeIdSet.contains(CertStoreId::VIS_PLATFORM)); - LogDebug(" visibility level is public : " + LogDebug("Visibility level is public : " << storeIdSet.contains(CertStoreId::VIS_PUBLIC)); - LogDebug(" visibility level is partner : " + LogDebug("Visibility level is partner : " << storeIdSet.contains(CertStoreId::VIS_PARTNER)); - LogDebug(" visibility level is partner-operator : " - << storeIdSet.contains(CertStoreId::VIS_PARTNER_OPERATOR)); - LogDebug(" visibility level is partner-manufacturer : " - << storeIdSet.contains(CertStoreId::VIS_PARTNER_MANUFACTURER)); - LogDebug(" visibility level is platform : " + LogDebug("Visibility level is platform : " << storeIdSet.contains(CertStoreId::VIS_PLATFORM)); -/* - // WAC chapter 3.2.1 - verified definition - if (data.isAuthorSignature()) { - if (!storeIdSet.contains(CertStoreId::WAC_PUBLISHER)) { - LogWarning("Author signature has got unrecognized Root CA " + if (data.isAuthorSignature()) + { + if (!storeIdSet.contains(CertStoreId::TIZEN_DEVELOPER)) + { + LogWarning("author-signature.xml has got unrecognized Root CA " "certificate. Signature will be disregarded."); disregard = true; - } + } LogDebug("Root CA for author signature is correct."); - } else { - if (!storeIdSet.contains(CertStoreId::DEVELOPER) && - !storeIdSet.contains(CertStoreId::TIZEN_MEMBER)) - { - LogWarning("Distiributor signature has got unrecognized Root CA " - "certificate. 
Signature will be disregarded."); - disregard = true; - } else - LogDebug("Root CA for distributor signature is correct."); - } - */ + } + else + { + LogDebug("signaturefile name = " << data.getSignatureFileName().c_str()); + if (data.getSignatureNumber() == 1) + { + if (storeIdSet.contains(CertStoreId::VIS_PUBLIC) || storeIdSet.contains(CertStoreId::VIS_PARTNER) || storeIdSet.contains(CertStoreId::VIS_PLATFORM)) + { + LogDebug("Root CA for signature1.xml is correct."); + } + else + { + LogWarning("author-signature.xml has got unrecognized Root CA " + "certificate. Signature will be disregarded."); + disregard = true; + } + } + } data.setStorageType(storeIdSet); data.setSortedCertificateList(sortedCertificateList); 
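Review bot: In the author-signature branch, `LogDebug("Root CA for author signature is correct.")` runs unconditionally, so it is logged right after the warning that set `disregard = true`; it belongs in an `else`. In the distributor branch the rejection warning still reads `author-signature.xml has got unrecognized Root CA`, which points anyone reading the log at the wrong file, and should name `signature1.xml`. Only `getSignatureNumber() == 1` is checked against the visibility domains, so as far as this hunk shows a distributor signature with any other number is never disregarded for an unrecognised root; if that is intended a comment should say why, otherwise the check should cover every distributor signature. The same block is repeated in `ImplWacSignatureValidator::check` and in `ImplTizen::check` and `ImplWac::check` in WrtSignatureValidator.cpp, and the function body continues outside the hunk.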
@@ -230,18 +227,55 @@ SignatureValidator::Result ImplTizenSignatureValidator::check( // but still signature must be valid... Aaaaaa it's so stupid... if (!(root->isSignedBy(root))) { LogWarning("Root CA certificate not found. Chain is incomplete."); - context.allowBrokenChain = true; + // context.allowBrokenChain = true; } // WAC 2.0 SP-2066 The wrt must not block widget installation // due to expiration of the author certificate. time_t notAfter = data.getEndEntityCertificatePtr()->getNotAfter(); - bool expired = notAfter < time(NULL); - if (data.isAuthorSignature() && expired) { - context.validationTime = notAfter - TIMET_DAY; - } - // end + time_t notBefore = data.getEndEntityCertificatePtr()->getNotBefore(); + + time_t nowTime = time(NULL); + struct tm *t; + + if (data.isAuthorSignature()) + { + // time_t 2038 year bug exist. So, notAtter() cann't check... + /* + if (notAfter < nowTime) + { + context.validationTime = notAfter - TIMET_DAY; + LogWarning("Author certificate is expired. notAfter..."); + } + */ + + if (notBefore > nowTime) + { + LogWarning("Author certificate is expired. 
notBefore time is greater than system-time."); + + t = localtime(&nowTime); + LogDebug("System's current Year : " << t->tm_year + 1900); + LogDebug("System's current month : " << t->tm_mon + 1); + LogDebug("System's current day : " << t->tm_mday); + + t = localtime(¬Before); + LogDebug("Author certificate's notBefore Year : " << t->tm_year + 1900); + LogDebug("Author certificate's notBefore month : " << t->tm_mon + 1); + LogDebug("Author certificate's notBefore day : " << t->tm_mday); + + context.validationTime = notBefore + TIMET_DAY; + + t = localtime(&context.validationTime); + LogDebug("Modified current Year : " << t->tm_year + 1900); + LogDebug("Modified current notBefore month : " << t->tm_mon + 1); + LogDebug("Modified current notBefore day : " << t->tm_mday); + } + } + + // WAC 2.0 SP-2066 The wrt must not block widget installation + //context.allowBrokenChain = true; + // end if (XmlSec::NO_ERROR != XmlSecSingleton::Instance().validate(&context)) { LogWarning("Installation break - invalid package!"); return SignatureValidator::SIGNATURE_INVALID; @@ -274,11 +308,7 @@ SignatureValidator::Result ImplTizenSignatureValidator::check( return SignatureValidator::SIGNATURE_INVALID; } - // If ORANGE_LEGACY is set we cannot check ocsp - bool runOCSP = storeIdSet.contains(CertStoreId::ORANGE_LEGACY) ? - false : m_ocspEnable; - - CertificateVerifier verificator(runOCSP, m_crlEnable); + CertificateVerifier verificator(m_ocspEnable, m_crlEnable); VerificationStatus result = verificator.check(coll); if (result == VERIFICATION_STATUS_REVOKED) { @@ -293,7 +323,7 @@ SignatureValidator::Result ImplTizenSignatureValidator::check( } if (disregard) { - LogWarning("Signature is disregard."); + LogWarning("Signature is disregard. RootCA is not a member of Tizen."); return SignatureValidator::SIGNATURE_DISREGARD; } return SignatureValidator::SIGNATURE_VERIFIED; 
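Review bot: When `notBefore > nowTime` the code sets `context.validationTime = notBefore + TIMET_DAY`, so an author certificate whose validity period has not started is verified as if it had. If this is a deliberate workaround for devices whose clock has been reset, a comment at the assignment should say so, and the warning should read `Author certificate is not yet valid.` rather than `is expired`, because the current text misreports the condition in the logs. Each `t = localtime(...)` result is dereferenced without a null check and `localtime` returns shared static storage; `localtime_r` with a local `struct tm` and a check of its return value is safer if this validator can run on more than one thread. With the `notAfter` block commented out, `notAfter` is an unused local and the retained `WAC 2.0 SP-2066` comment about expiration no longer describes what the code does; `notBefore + TIMET_DAY` can also fall after `notAfter` for a very short-lived certificate. The same code is added in `ImplWacSignatureValidator::check`, `ImplTizen::check` and `ImplWac::check`, and the function body starts and ends outside the hunk.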
@@ -357,16 +387,10 @@ SignatureValidator::Result ImplWacSignatureValidator::check( // Is Root CA certificate trusted? CertStoreId::Set storeIdSet = createCertificateIdentifier().find(root); - LogDebug("Is root certificate from WAC_PUBLISHER domain: " - << storeIdSet.contains(CertStoreId::WAC_PUBLISHER)); - LogDebug("Is root certificate from WAC_DEVELOPER domain: " - << storeIdSet.contains(CertStoreId::DEVELOPER)); - LogDebug("Is root certificate from WAC_ROOT domain: " - << storeIdSet.contains(CertStoreId::WAC_ROOT)); - LogDebug("Is root certificate from WAC_MEMBER domain: " - << storeIdSet.contains(CertStoreId::WAC_MEMBER)); - LogDebug("Is root certificate from TIZEN_MEMBER domain: " - << storeIdSet.contains(CertStoreId::TIZEN_MEMBER)); + LogDebug("Is root certificate from TIZEN_DEVELOPER domain: " + << storeIdSet.contains(CertStoreId::TIZEN_DEVELOPER)); + LogDebug("Is root certificate from TIZEN_TEST domain: " + << storeIdSet.contains(CertStoreId::TIZEN_TEST)); LogDebug("Is root certificate from TIZEN_PUBLIC domain: " << storeIdSet.contains(CertStoreId::VIS_PUBLIC)); LogDebug("Is root certificate from TIZEN_PARTNER domain: " 
@@ -374,37 +398,40 @@ SignatureValidator::Result ImplWacSignatureValidator::check( LogDebug("Is root certificate from TIZEN_PLATFORM domain: " << storeIdSet.contains(CertStoreId::VIS_PLATFORM)); - LogDebug(" visibility level is public : " + LogDebug("Visibility level is public : " << storeIdSet.contains(CertStoreId::VIS_PUBLIC)); - LogDebug(" visibility level is partner : " + LogDebug("Visibility level is partner : " << storeIdSet.contains(CertStoreId::VIS_PARTNER)); - LogDebug(" visibility level is partner-operator : " - << storeIdSet.contains(CertStoreId::VIS_PARTNER_OPERATOR)); - LogDebug(" visibility level is partner-manufacturer : " - << storeIdSet.contains(CertStoreId::VIS_PARTNER_MANUFACTURER)); - LogDebug(" visibility level is platform : " + LogDebug("Visibility level is platform : " << storeIdSet.contains(CertStoreId::VIS_PLATFORM)); - // WAC chapter 3.2.1 - verified definition - if (data.isAuthorSignature()) { - if (!storeIdSet.contains(CertStoreId::WAC_PUBLISHER)) { - LogWarning("Author signature has got unrecognized Root CA " + if (data.isAuthorSignature()) + { + if (!storeIdSet.contains(CertStoreId::TIZEN_DEVELOPER)) + { + LogWarning("author-signature.xml has got unrecognized Root CA " "certificate. Signature will be disregarded."); disregard = true; - } + } LogDebug("Root CA for author signature is correct."); - } else { - if (!storeIdSet.contains(CertStoreId::DEVELOPER) && - !storeIdSet.contains(CertStoreId::WAC_ROOT) && - !storeIdSet.contains(CertStoreId::WAC_MEMBER)) - { - LogWarning("Distiributor signature has got unrecognized Root CA " - "certificate. 
Signature will be disregarded."); - disregard = true; - } else { - LogDebug("Root CA for distributor signature is correct."); - } - } + } + else + { + LogDebug("signaturefile name = " << data.getSignatureFileName().c_str()); + if (data.getSignatureNumber() == 1) + { + if (storeIdSet.contains(CertStoreId::VIS_PUBLIC) || storeIdSet.contains(CertStoreId::VIS_PARTNER) || storeIdSet.contains(CertStoreId::VIS_PLATFORM)) + { + LogDebug("Root CA for signature1.xml is correct."); + } + else + { + LogWarning("author-signature.xml has got unrecognized Root CA " + "certificate. Signature will be disregarded."); + disregard = true; + } + } + } data.setStorageType(storeIdSet); data.setSortedCertificateList(sortedCertificateList); 
@@ -420,17 +447,50 @@ SignatureValidator::Result ImplWacSignatureValidator::check( // but still signature must be valid... Aaaaaa it's so stupid... if (!(root->isSignedBy(root))) { LogWarning("Root CA certificate not found. Chain is incomplete."); - context.allowBrokenChain = true; +// context.allowBrokenChain = true; } // WAC 2.0 SP-2066 The wrt must not block widget installation - // due to expiration of the author certificate. - time_t notAfter = data.getEndEntityCertificatePtr()->getNotAfter(); - bool expired = notAfter < time(NULL); - if (data.isAuthorSignature() && expired) { - context.validationTime = notAfter - TIMET_DAY; - } - // end + // due to expiration of the author certificate. + time_t notAfter = data.getEndEntityCertificatePtr()->getNotAfter(); + time_t notBefore = data.getEndEntityCertificatePtr()->getNotBefore(); + + time_t nowTime = time(NULL); + struct tm *t; + + if (data.isAuthorSignature()) + { + // time_t 2038 year bug exist. So, notAtter() cann't check... + /* + if (notAfter < nowTime) + { + context.validationTime = notAfter - TIMET_DAY; + LogWarning("Author certificate is expired. notAfter..."); + } + */ + + if (notBefore > nowTime) + { + LogWarning("Author certificate is expired. 
notBefore time is greater than system-time."); + + t = localtime(&nowTime); + LogDebug("System's current Year : " << t->tm_year + 1900); + LogDebug("System's current month : " << t->tm_mon + 1); + LogDebug("System's current day : " << t->tm_mday); + + t = localtime(¬Before); + LogDebug("Author certificate's notBefore Year : " << t->tm_year + 1900); + LogDebug("Author certificate's notBefore month : " << t->tm_mon + 1); + LogDebug("Author certificate's notBefore day : " << t->tm_mday); + + context.validationTime = notBefore + TIMET_DAY; + + t = localtime(&context.validationTime); + LogDebug("Modified current Year : " << t->tm_year + 1900); + LogDebug("Modified current notBefore month : " << t->tm_mon + 1); + LogDebug("Modified current notBefore day : " << t->tm_mday); + } + } if (XmlSec::NO_ERROR != XmlSecSingleton::Instance().validate(&context)) { LogWarning("Installation break - invalid package!"); @@ -477,7 +537,7 @@ SignatureValidator::Result ImplWacSignatureValidator::check( } if (disregard) { - LogWarning("Signature is disregard."); + LogWarning("Signature is disregard. RootCA is not a member of Tizen."); return SignatureValidator::SIGNATURE_DISREGARD; } return SignatureValidator::SIGNATURE_VERIFIED; diff --git a/vcore/src/vcore/WrtSignatureValidator.cpp b/vcore/src/vcore/WrtSignatureValidator.cpp index c0a1454..9de5f5c 100644 --- a/vcore/src/vcore/WrtSignatureValidator.cpp +++ b/vcore/src/vcore/WrtSignatureValidator.cpp 
@@ -167,47 +167,52 @@ WrtSignatureValidator::Result ImplTizen::check( // Is Root CA certificate trusted? CertStoreId::Set storeIdSet = createCertificateIdentifier().find(root); - LogDebug("Is root certificate from WAC_PUBLISHER domain: " - << storeIdSet.contains(CertStoreId::WAC_PUBLISHER)); - LogDebug("Is root certificate from WAC_DEVELOPER domain: " - << storeIdSet.contains(CertStoreId::DEVELOPER)); - LogDebug("Is root certificate from WAC_ROOT domain: " - << storeIdSet.contains(CertStoreId::WAC_ROOT)); - LogDebug("Is root certificate from WAC_MEMBER domain: " - << storeIdSet.contains(CertStoreId::WAC_MEMBER)); - LogDebug("Is root certificate from TIZEN_MEMBER domain: " - << storeIdSet.contains(CertStoreId::TIZEN_MEMBER)); - LogDebug("Is root certificate from TIZEN_ORANGE domain: " - << storeIdSet.contains(CertStoreId::ORANGE_LEGACY)); - - LogDebug(" visibility level is public : " + LogDebug("Is root certificate from TIZEN_DEVELOPER domain: " + << storeIdSet.contains(CertStoreId::TIZEN_DEVELOPER)); + LogDebug("Is root certificate from TIZEN_TEST domain: " + << storeIdSet.contains(CertStoreId::TIZEN_TEST)); + LogDebug("Is root certificate from TIZEN_PUBLIC domain: " << storeIdSet.contains(CertStoreId::VIS_PUBLIC)); - LogDebug(" visibility level is partner : " + LogDebug("Is root certificate from TIZEN_PARTNER domain: " << storeIdSet.contains(CertStoreId::VIS_PARTNER)); - LogDebug(" visibility level is partner-operator : " - << storeIdSet.contains(CertStoreId::VIS_PARTNER_OPERATOR)); - LogDebug(" visibility level is partner-manufacturer : " - << storeIdSet.contains(CertStoreId::VIS_PARTNER_MANUFACTURER)); - - // WAC chapter 3.2.1 - verified definition -/* if (data.isAuthorSignature()) { - if (!storeIdSet.contains(CertStoreId::WAC_PUBLISHER)) { - LogWarning("Author signature has got unrecognized Root CA " + LogDebug("Is root certificate from TIZEN_PLATFORM domain: " + << storeIdSet.contains(CertStoreId::VIS_PLATFORM)); + + LogDebug("Visibility level is public : " + 
<< storeIdSet.contains(CertStoreId::VIS_PUBLIC)); + LogDebug("Visibility level is partner : " + << storeIdSet.contains(CertStoreId::VIS_PARTNER)); + LogDebug("Visibility level is platform : " + << storeIdSet.contains(CertStoreId::VIS_PLATFORM)); + + if (data.isAuthorSignature()) + { + if (!storeIdSet.contains(CertStoreId::TIZEN_DEVELOPER)) + { + LogWarning("author-signature.xml has got unrecognized Root CA " "certificate. Signature will be disregarded."); disregard = true; - } + } LogDebug("Root CA for author signature is correct."); - } else { - if (!storeIdSet.contains(CertStoreId::DEVELOPER) && - !storeIdSet.contains(CertStoreId::TIZEN_MEMBER)) - { - LogWarning("Distiributor signature has got unrecognized Root CA " - "certificate. Signature will be disregarded."); - disregard = true; - } else - LogDebug("Root CA for distributor signature is correct."); - } -*/ + } + else + { + LogDebug("signaturefile name = " << data.getSignatureFileName().c_str()); + if (data.getSignatureNumber() == 1) + { + if (storeIdSet.contains(CertStoreId::VIS_PUBLIC) || storeIdSet.contains(CertStoreId::VIS_PARTNER) || storeIdSet.contains(CertStoreId::VIS_PLATFORM)) + { + LogDebug("Root CA for signature1.xml is correct."); + } + else + { + LogWarning("author-signature.xml has got unrecognized Root CA " + "certificate. Signature will be disregarded."); + disregard = true; + } + } + } + data.setStorageType(storeIdSet); data.setSortedCertificateList(sortedCertificateList); 
@@ -228,12 +233,49 @@ WrtSignatureValidator::Result ImplTizen::check( // WAC 2.0 SP-2066 The wrt must not block widget installation // due to expiration of the author certificate. time_t notAfter = data.getEndEntityCertificatePtr()->getNotAfter(); - bool expired = notAfter < time(NULL); - if (data.isAuthorSignature() && expired) { - context.validationTime = notAfter - TIMET_DAY; - } - // end + time_t notBefore = data.getEndEntityCertificatePtr()->getNotBefore(); + + time_t nowTime = time(NULL); + struct tm *t; + + if (data.isAuthorSignature()) + { + // time_t 2038 year bug exist. So, notAtter() cann't check... + /* + if (notAfter < nowTime) + { + context.validationTime = notAfter - TIMET_DAY; + LogWarning("Author certificate is expired. notAfter..."); + } + */ + + if (notBefore > nowTime) + { + LogWarning("Author certificate is expired. notBefore time is greater than system-time."); + + t = localtime(&nowTime); + LogDebug("System's current Year : " << t->tm_year + 1900); + LogDebug("System's current month : " << t->tm_mon + 1); + LogDebug("System's current day : " << t->tm_mday); + + t = localtime(¬Before); + LogDebug("Author certificate's notBefore Year : " << t->tm_year + 1900); + LogDebug("Author certificate's notBefore month : " << t->tm_mon + 1); + LogDebug("Author certificate's notBefore day : " << t->tm_mday); + + context.validationTime = notBefore + TIMET_DAY; + + t = localtime(&context.validationTime); + LogDebug("Modified current Year : " << t->tm_year + 1900); + LogDebug("Modified current notBefore month : " << t->tm_mon + 1); + LogDebug("Modified current notBefore day : " << t->tm_mday); + } + } + + // WAC 2.0 SP-2066 The wrt must not block widget installation + //context.allowBrokenChain = true; + // end if (XmlSec::NO_ERROR != XmlSecSingleton::Instance().validate(&context)) { LogWarning("Installation break - invalid package!"); return WrtSignatureValidator::SIGNATURE_INVALID; 
@@ -264,11 +306,7 @@ WrtSignatureValidator::Result ImplTizen::check( return WrtSignatureValidator::SIGNATURE_INVALID; } - // If ORANGE_LEGACY is set we cannot check ocsp - bool runOCSP = storeIdSet.contains(CertStoreId::ORANGE_LEGACY) ? - false : m_ocspEnable; - - CertificateVerifier verificator(runOCSP, m_crlEnable); + CertificateVerifier verificator(m_ocspEnable, m_crlEnable); VerificationStatus result = verificator.check(coll); if (result == VERIFICATION_STATUS_REVOKED) { @@ -283,7 +321,7 @@ WrtSignatureValidator::Result ImplTizen::check( } if (disregard) { - LogWarning("Signature is disregard."); + LogWarning("Signature is disregard. RootCA is not a member of Tizen"); return WrtSignatureValidator::SIGNATURE_DISREGARD; } return WrtSignatureValidator::SIGNATURE_VERIFIED; 
@@ -347,48 +385,51 @@ WrtSignatureValidator::Result ImplWac::check( // Is Root CA certificate trusted? CertStoreId::Set storeIdSet = createCertificateIdentifier().find(root); - LogDebug("Is root certificate from WAC_PUBLISHER domain: " - << storeIdSet.contains(CertStoreId::WAC_PUBLISHER)); - LogDebug("Is root certificate from WAC_DEVELOPER domain: " - << storeIdSet.contains(CertStoreId::DEVELOPER)); - LogDebug("Is root certificate from WAC_ROOT domain: " - << storeIdSet.contains(CertStoreId::WAC_ROOT)); - LogDebug("Is root certificate from WAC_MEMBER domain: " - << storeIdSet.contains(CertStoreId::WAC_MEMBER)); - LogDebug("Is root certificate from TIZEN_MEMBER domain: " - << storeIdSet.contains(CertStoreId::TIZEN_MEMBER)); - LogDebug("Is root certificate from ORANGE_LEGACY domain: " - << storeIdSet.contains(CertStoreId::ORANGE_LEGACY)); - - LogDebug(" visibility level is public : " + LogDebug("Is root certificate from TIZEN_DEVELOPER domain: " + << storeIdSet.contains(CertStoreId::TIZEN_DEVELOPER)); + LogDebug("Is root certificate from TIZEN_TEST domain: " + << storeIdSet.contains(CertStoreId::TIZEN_TEST)); + LogDebug("Is root certificate from TIZEN_PUBLIC domain: " << storeIdSet.contains(CertStoreId::VIS_PUBLIC)); - LogDebug(" visibility level is partner : " + LogDebug("Is root certificate from TIZEN_PARTNER domain: " << storeIdSet.contains(CertStoreId::VIS_PARTNER)); - LogDebug(" visibility level is partner-operator : " - << storeIdSet.contains(CertStoreId::VIS_PARTNER_OPERATOR)); - LogDebug(" visibility level is partner-manufacturer : " - << storeIdSet.contains(CertStoreId::VIS_PARTNER_MANUFACTURER)); - - // WAC chapter 3.2.1 - verified definition - if (data.isAuthorSignature()) { - if (!storeIdSet.contains(CertStoreId::WAC_PUBLISHER)) { - LogWarning("Author signature has got unrecognized Root CA " + LogDebug("Is root certificate from TIZEN_PLATFORM domain: " + << storeIdSet.contains(CertStoreId::VIS_PLATFORM)); + + LogDebug("Visibility level is public : " + << 
storeIdSet.contains(CertStoreId::VIS_PUBLIC)); + LogDebug("Visibility level is partner : " + << storeIdSet.contains(CertStoreId::VIS_PARTNER)); + LogDebug("Visibility level is platform : " + << storeIdSet.contains(CertStoreId::VIS_PLATFORM)); + + if (data.isAuthorSignature()) + { + if (!storeIdSet.contains(CertStoreId::TIZEN_DEVELOPER)) + { + LogWarning("author-signature.xml has got unrecognized Root CA " "certificate. Signature will be disregarded."); disregard = true; - } + } LogDebug("Root CA for author signature is correct."); - } else { - if (!storeIdSet.contains(CertStoreId::DEVELOPER) && - !storeIdSet.contains(CertStoreId::WAC_ROOT) && - !storeIdSet.contains(CertStoreId::WAC_MEMBER)) - { - LogWarning("Distiributor signature has got unrecognized Root CA " - "certificate. Signature will be disregarded."); - disregard = true; - } else { - LogDebug("Root CA for distributor signature is correct."); - } - } + } + else + { + LogDebug("signaturefile name = " << data.getSignatureFileName().c_str()); + if (data.getSignatureNumber() == 1) + { + if (storeIdSet.contains(CertStoreId::VIS_PUBLIC) || storeIdSet.contains(CertStoreId::VIS_PARTNER) || storeIdSet.contains(CertStoreId::VIS_PLATFORM)) + { + LogDebug("Root CA for signature1.xml is correct."); + } + else + { + LogWarning("author-signature.xml has got unrecognized Root CA " + "certificate. Signature will be disregarded."); + disregard = true; + } + } + } data.setStorageType(storeIdSet); data.setSortedCertificateList(sortedCertificateList); 
@@ -408,13 +449,46 @@ WrtSignatureValidator::Result ImplWac::check( } // WAC 2.0 SP-2066 The wrt must not block widget installation - // due to expiration of the author certificate. - time_t notAfter = data.getEndEntityCertificatePtr()->getNotAfter(); - bool expired = notAfter < time(NULL); - if (data.isAuthorSignature() && expired) { - context.validationTime = notAfter - TIMET_DAY; - } - // end + // due to expiration of the author certificate. + time_t notAfter = data.getEndEntityCertificatePtr()->getNotAfter(); + time_t notBefore = data.getEndEntityCertificatePtr()->getNotBefore(); + + time_t nowTime = time(NULL); + struct tm *t; + + if (data.isAuthorSignature()) + { + // time_t 2038 year bug exist. So, notAtter() cann't check... + /* + if (notAfter < nowTime) + { + context.validationTime = notAfter - TIMET_DAY; + LogWarning("Author certificate is expired. notAfter..."); + } + */ + + if (notBefore > nowTime) + { + LogWarning("Author certificate is expired. notBefore time is greater than system-time."); + + t = localtime(&nowTime); + LogDebug("System's current Year : " << t->tm_year + 1900); + LogDebug("System's current month : " << t->tm_mon + 1); + LogDebug("System's current day : " << t->tm_mday); + + t = localtime(¬Before); + LogDebug("Author certificate's notBefore Year : " << t->tm_year + 1900); + LogDebug("Author certificate's notBefore month : " << t->tm_mon + 1); + LogDebug("Author certificate's notBefore day : " << t->tm_mday); + + context.validationTime = notBefore + TIMET_DAY; + + t = localtime(&context.validationTime); + LogDebug("Modified current Year : " << t->tm_year + 1900); + LogDebug("Modified current notBefore month : " << t->tm_mon + 1); + LogDebug("Modified current notBefore day : " << t->tm_mday); + } + } if (XmlSec::NO_ERROR != XmlSecSingleton::Instance().validate(&context)) { LogWarning("Installation break - invalid package!"); 
@@ -461,7 +535,7 @@ WrtSignatureValidator::Result ImplWac::check( } if (disregard) { - LogWarning("Signature is disregard."); + LogWarning("Signature is disregard. RootCA is not a member of Tizen."); return WrtSignatureValidator::SIGNATURE_DISREGARD; } return WrtSignatureValidator::SIGNATURE_VERIFIED;