From: Kyungwook Tak Date: Tue, 21 Jul 2015 11:06:39 +0000 (+0900) Subject: cert-svc signature validator API changed X-Git-Tag: accepted/tizen/mobile/20150811.091449^0 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=refs%2Fchanges%2F53%2F45353%2F3;p=platform%2Fcore%2Fappfw%2Fapp-installers.git cert-svc signature validator API changed Refer cert-svc change : 6cf02b1b3ab453f691f888b929c040ac921dfc54 Change-Id: I4b293c11aef938f5f808cd88286770a847f48f0f Signed-off-by: Kyungwook Tak --- diff --git a/CMakeLists.txt b/CMakeLists.txt index 0b92d1c..ff1c88d 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -54,5 +54,4 @@ PKG_CHECK_MODULES(ENCRYPTION_DEPS REQUIRED libwebappenc) FIND_PACKAGE(Boost REQUIRED COMPONENTS system filesystem regex) FIND_PACKAGE(GTest REQUIRED) -ADD_SUBDIRECTORY(data) ADD_SUBDIRECTORY(src) diff --git a/data/CMakeLists.txt b/data/CMakeLists.txt deleted file mode 100644 index 5ebfd2f..0000000 --- a/data/CMakeLists.txt +++ /dev/null @@ -1 +0,0 @@ -INSTALL(FILES "signature_schema.xsd" DESTINATION "share/app-installers/") diff --git a/data/signature_schema.xsd b/data/signature_schema.xsd deleted file mode 100644 index 8028f3e..0000000 --- a/data/signature_schema.xsd +++ /dev/null @@ -1,415 +0,0 @@ - - - - - - ]> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/packaging/app-installers.spec b/packaging/app-installers.spec index c139072..fc09acf 100644 --- a/packaging/app-installers.spec +++ b/packaging/app-installers.spec @@ -88,7 +88,6 @@ ln -s %{_bindir}/tpk-backend %{buildroot}%{_sysconfdir}/package-manager/backend/ %files %defattr(-,root,root) %{_libdir}/libcommon-installer.so* -%{_datarootdir}/app-installers/signature_schema.xsd %license LICENSE %files -n wgt-backend diff --git a/src/common/step/step_check_signature.cc b/src/common/step/step_check_signature.cc index 1137a4b..37979bb 100644 --- a/src/common/step/step_check_signature.cc +++ b/src/common/step/step_check_signature.cc @@ -8,12 +8,9 @@ #include #include #include -#include -#include -#include + #include -#include -#include +#include #include #include @@ -25,10 +22,6 @@ namespace bf = boost::filesystem; namespace { -const bf::path kSignatureXmlSchemaPath = - bf::path(tzplatform_getenv(TZ_SYS_SHARE)) - / "app-installers/signature_schema.xsd"; - common_installer::PrivilegeLevel CertStoreIdToPrivilegeLevel( ValidationCore::CertStoreId::Type id) { switch (id) { @@ -64,59 +57,50 @@ common_installer::Step::Status ValidateSignatureFile( common_installer::CertificateInfo* cert_info) { bf::path path = base_path / file_info.getFileName(); LOG(INFO) << "Processing signature: " << path; - ValidationCore::SignatureData data(path.string(), file_info.getFileNumber()); - try { - // Validate file syntax and schema - ValidationCore::SignatureReader xml; - xml.initialize(data, kSignatureXmlSchemaPath.string()); - xml.read(data); - - // Validate file semantic - ValidationCore::WrtSignatureValidator validator( - ValidationCore::WrtSignatureValidator::TIZEN, true, true, false); - ValidationCore::WrtSignatureValidator::Result result = - validator.check(data, base_path.string()); - - switch (result) { - case ValidationCore::WrtSignatureValidator::SIGNATURE_REVOKED: { - LOG(ERROR) << "Certificate is revoked"; - return common_installer::Step::Status::ERROR; - }; - case ValidationCore::WrtSignatureValidator::SIGNATURE_INVALID: { - LOG(ERROR) << "Certificate is invalid"; - return common_installer::Step::Status::ERROR; - }; - case ValidationCore::WrtSignatureValidator::SIGNATURE_DISREGARD: { - if (data.isAuthorSignature()) { - LOG(ERROR) << "Author-signiture is disregarded"; - return common_installer::Step::Status::ERROR; - } - LOG(WARNING) << "Signature disregarded: " << path; - break; - }; - case ValidationCore::WrtSignatureValidator::SIGNATURE_VERIFIED: { - if (!data.isAuthorSignature()) { - // First distributor signature sets the privilege level - // (wrt spec. 0620.) - if (file_info.getFileNumber() == 1 && - *level == common_installer::PrivilegeLevel::UNTRUSTED) { - *level = CertStoreIdToPrivilegeLevel(data.getVisibilityLevel()); - } - } else { - // set author certificate to be saved in pkgmgr - cert_info->author_certificate.set(data.getEndEntityCertificatePtr()); + + ValidationCore::SignatureData data; + ValidationCore::SignatureValidator::Result result = + ValidationCore::SignatureValidator::check( + file_info, // signature file info + base_path.string(), // app content path for checking hash of file ref. + true, // ocsp check flag + true, // file reference hash check flag + data); // output signature data + + switch (result) { + case ValidationCore::SignatureValidator::SIGNATURE_REVOKED: { + LOG(ERROR) << "Certificate is revoked"; + return common_installer::Step::Status::ERROR; + }; + case ValidationCore::SignatureValidator::SIGNATURE_INVALID: { + LOG(ERROR) << "Certificate is invalid"; + return common_installer::Step::Status::ERROR; + }; + case ValidationCore::SignatureValidator::SIGNATURE_DISREGARD: { + if (data.isAuthorSignature()) { + LOG(ERROR) << "Author-signiture is disregarded"; + return common_installer::Step::Status::ERROR; } + LOG(WARNING) << "Signature disregarded: " << path; break; - }; - default: { - return common_installer::Step::Status::ERROR; - }; - } - } catch (const ValidationCore::ParserSchemaException::Base& exception) { - // Needs to catch parser exceptions - LOG(ERROR) << "Error occured in ParserSchema: " - << exception.DumpToString(); + }; + case ValidationCore::SignatureValidator::SIGNATURE_VERIFIED: { + if (!data.isAuthorSignature()) { + // First distributor signature sets the privilege level + // (wrt spec. 0620.) + if (file_info.getFileNumber() == 1 && + *level == common_installer::PrivilegeLevel::UNTRUSTED) { + *level = CertStoreIdToPrivilegeLevel(data.getVisibilityLevel()); + } + } else { + // set author certificate to be saved in pkgmgr + cert_info->author_certificate.set(data.getEndEntityCertificatePtr()); + } + break; + }; + default: { return common_installer::Step::Status::ERROR; + }; } return common_installer::Step::Status::OK; } @@ -169,14 +153,12 @@ namespace security { Step::Status ValidateSignatures(const bf::path& base_path, PrivilegeLevel* level, common_installer::CertificateInfo* cert_info) { - ValidationCore::VCoreInit(); // Find signature files ValidationCore::SignatureFileInfoSet signature_files; ValidationCore::SignatureFinder signature_finder(base_path.string()); if (signature_finder.find(signature_files) != ValidationCore::SignatureFinder::NO_ERROR) { LOG(ERROR) << "Error while searching for signatures"; - ValidationCore::VCoreDeinit(); return Step::Status::ERROR; } LOG(INFO) << "Number of signature files: " << signature_files.size(); @@ -186,11 +168,9 @@ Step::Status ValidateSignatures(const bf::path& base_path, Step::Status status = ValidateSignatureFile(base_path, file_info, level, cert_info); if (status != Step::Status::OK) { - ValidationCore::VCoreDeinit(); return status; } } - ValidationCore::VCoreDeinit(); return Step::Status::OK; }