From: sangwan.kwon Date: Thu, 14 Jan 2016 02:07:07 +0000 (+0900) Subject: Change distributor signature disregarded cases X-Git-Tag: accepted/tizen/mobile/20160115.111035^0 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=refs%2Fchanges%2F91%2F56991%2F3;p=platform%2Fcore%2Fsecurity%2Fcert-svc.git Change distributor signature disregarded cases * validated distributorN (Not 1) disregarded cases * 1. no root certs * 2. no visibility Change-Id: I1f88edbbeb421471b5500c966bf4029790afdf4a Signed-off-by: sangwan.kwon --- diff --git a/tests/vcore/CMakeLists.txt b/tests/vcore/CMakeLists.txt index 08c9a93..6fb77c6 100644 --- a/tests/vcore/CMakeLists.txt +++ b/tests/vcore/CMakeLists.txt @@ -56,6 +56,7 @@ INSTALL(TARGETS ${TARGET_VCORE_TEST} INSTALL( DIRECTORY resource/wgt + resource/wgt_dist22 resource/wgt_negative_hash resource/wgt_negative_signature resource/wgt_negative_certificate diff --git a/tests/vcore/resource/wgt_dist22/author-signature.xml b/tests/vcore/resource/wgt_dist22/author-signature.xml new file mode 100644 index 0000000..ff82da8 --- /dev/null +++ b/tests/vcore/resource/wgt_dist22/author-signature.xml @@ -0,0 +1,66 @@ + + + + + + + + xUKQbov3HL7JD2/zVUKpPEVGc5C6VWDXwxoDHzDs9y0= + + + + cIE41PzyhMnF++EmhJ3Ptnd4ZqXyBlRJgiIqxlutbV8= + + + + + + + MH34nIMXxv0fMQQ8bTV1wZUNLOrXTmpnxpADlNzmQ/4= + + + fhh+VQq76Uodq4upHhvcC2tgbVY8bL9DiiSe9wn1O4YrIFKMnEEYqYmpQbL1puWU +Zbht0hXpvEFXg1010q5kOZQxknqcyFg3hyVUpFDPARkJs1XhRNbFWJJF7qNXVgt5 +NyFrdXFv4lVFjkv+chSykaWu6V22z43E8kJcg+zGVU8= + + + MIIETTCCA7agAwIBAgIJANaOuOCRgiz3MA0GCSqGSIb3DQEBBQUAMIG8MQswCQYD +VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTE9MDsGA1UEChM0WE1MIFNlY3Vy +aXR5IExpYnJhcnkgKGh0dHA6Ly93d3cuYWxla3NleS5jb20veG1sc2VjKTEeMBwG +A1UECxMVVGVzdCBSb290IENlcnRpZmljYXRlMRYwFAYDVQQDEw1BbGVrc2V5IFNh +bmluMSEwHwYJKoZIhvcNAQkBFhJ4bWxzZWNAYWxla3NleS5jb20wHhcNMDUwNzEw +MDIyOTAxWhcNMTUwNzA4MDIyOTAxWjCBvDELMAkGA1UEBhMCVVMxEzARBgNVBAgT +CkNhbGlmb3JuaWExPTA7BgNVBAoTNFhNTCBTZWN1cml0eSBMaWJyYXJ5IChodHRw +Oi8vd3d3LmFsZWtzZXkuY29tL3htbHNlYykxHjAcBgNVBAsTFVRlc3QgUm9vdCBD +ZXJ0aWZpY2F0ZTEWMBQGA1UEAxMNQWxla3NleSBTYW5pbjEhMB8GCSqGSIb3DQEJ +ARYSeG1sc2VjQGFsZWtzZXkuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB +gQDayaFajJxOdVU+8EjwO31S2XqNmYxxbHfiUJO3w2h57OPUkKAcKe5Gvt9hJbPT +b3C4blPScOke2RexKnXS7pAXXbxFlgUlZ0QK0K2pdl559OSmrtH3mPP9BJvvDMlx +kcNj9/EeD+yGd8GN/yT6PTDh8G/4lszOXL+tyKIkC4Ys/wIDAQABo4IBUzCCAU8w +DAYDVR0TBAUwAwEB/zAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQg +Q2VydGlmaWNhdGUwHQYDVR0OBBYEFNpG6Wvmr9M9quUhS1LtymYo4P6FMIHxBgNV +HSMEgekwgeaAFNpG6Wvmr9M9quUhS1LtymYo4P6FoYHCpIG/MIG8MQswCQYDVQQG +EwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTE9MDsGA1UEChM0WE1MIFNlY3VyaXR5 +IExpYnJhcnkgKGh0dHA6Ly93d3cuYWxla3NleS5jb20veG1sc2VjKTEeMBwGA1UE +CxMVVGVzdCBSb290IENlcnRpZmljYXRlMRYwFAYDVQQDEw1BbGVrc2V5IFNhbmlu +MSEwHwYJKoZIhvcNAQkBFhJ4bWxzZWNAYWxla3NleS5jb22CCQDWjrjgkYIs9zAN +BgkqhkiG9w0BAQUFAAOBgQBUXbdOTQwArcNrbxavzARp2JGOnzo6WzTm+OFSXC0F +08YwT8jWbht97e8lNNVOBU4Y/38ReZqYC9OqFofG1/O9AdQ58WL/FWg8DgP5MJPT +T9kRU3FU01jUiX2+kbdnghZAOJm0ziRNxfNPwIIWPKYXyXEKQQzrnxyFey1hP7cg +6A== + + + + + + + + + + + + + + + + diff --git a/tests/vcore/resource/wgt_dist22/config.xml b/tests/vcore/resource/wgt_dist22/config.xml new file mode 100644 index 0000000..82b077b --- /dev/null +++ b/tests/vcore/resource/wgt_dist22/config.xml @@ -0,0 +1,6 @@ + + Widget Name OK + 1.2.3.4 + A short description of widget + Author Name + diff --git a/tests/vcore/resource/wgt_dist22/index.html b/tests/vcore/resource/wgt_dist22/index.html new file mode 100644 index 0000000..c47b20a --- /dev/null +++ b/tests/vcore/resource/wgt_dist22/index.html @@ -0,0 +1,4 @@ + +Not tested + +

None

diff --git a/tests/vcore/resource/wgt_dist22/signature1.xml b/tests/vcore/resource/wgt_dist22/signature1.xml new file mode 100644 index 0000000..71a100b --- /dev/null +++ b/tests/vcore/resource/wgt_dist22/signature1.xml @@ -0,0 +1,62 @@ + + + + + + + + ZLhd8X2rzCIDGHkIvpDbCXq+dwq+DK7ZZaDD/fII8RU= + + + + xUKQbov3HL7JD2/zVUKpPEVGc5C6VWDXwxoDHzDs9y0= + + + + cIE41PzyhMnF++EmhJ3Ptnd4ZqXyBlRJgiIqxlutbV8= + + + + + + + ZxnfFPi1rAoxfpN98xSP3lv5tZg9ymJElAFdg3ejrXE= + + + Dwm15jQbvUxe7fa7p4RVRAUzYY6eGQmDJSWXnv2LBbouch163OMaXgjKXWOLU+ZA +MwwuUUXG44QvOIv5M3Kd/Pc6kwvyb9+xm8zqmFF/mhttmAHc7VjY5sfB+bYFt9/3 +8+upSqxiUGLXYzMD/9u4W9ociwAcLiOQytBF1/TCv/4= + + + MIIC4zCCAkygAwIBAgIJAMdKgvadG/Z+MA0GCSqGSIb3DQEBBQUAMHIxCzAJBgNV +BAYTAlBMMQwwCgYDVQQIEwNNYXoxEDAOBgNVBAoTB1NhbXN1bmcxDTALBgNVBAsT +BFNQUkMxEDAOBgNVBAMTB1NhbXN1bmcxIjAgBgkqhkiG9w0BCQEWE3NhbXN1bmdA +c2Ftc3VuZy5jb20wHhcNMTExMDA1MTIwMDUxWhcNMjExMDAyMTIwMDUxWjB4MQsw +CQYDVQQGEwJQTDEMMAoGA1UECBMDTUFaMQwwCgYDVQQHEwNMZWcxDDAKBgNVBAoT +A1NhbTENMAsGA1UECxMEU1BSQzEOMAwGA1UEAxMFRmlsaXAxIDAeBgkqhkiG9w0B +CQEWEWZpbGlwQHNhbXN1bmcuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB +gQDS/sS0wXSCb34ojN8bWFd4Pl9eTLHh18UNGsPpLpp4itdfuc/OgyqaSoDwBzVh +EWAVLCTxexUa4Ncva+41NbkW4RCsFzeGs0ktpu1+8Q+v0QEOGqVF2rQkgilzDF/o +O56Fxw9vG1OA+qdQd3yOAV2EqLNBPrEYB9K5GFyffrakSQIDAQABo3sweTAJBgNV +HRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZp +Y2F0ZTAdBgNVHQ4EFgQUeyy3iV75KtOkpPFd6mnR9dFGZMwwHwYDVR0jBBgwFoAU +ggh/2wAChuhTKqX6WK5nfxQ4yGAwDQYJKoZIhvcNAQEFBQADgYEADtv0CBrQ1QCM +H9jKFjpSpq7zFKMXQeVtb/Zie823//woicg8kxnP5sS4dJWNXNb1iMLdhgV80g1y +t3gTWPxTtFzprQyNiJHTmrbNWXLX1roRVGUE/I8Q4xexqpbNlJIW2Jjm/kqoKfnK +xORG6HNPXZV29NY2fDRPPOIYoFQzrXI= + + + + + + + + + + + + + + + + diff --git a/tests/vcore/resource/wgt_dist22/signature22.xml b/tests/vcore/resource/wgt_dist22/signature22.xml new file mode 100644 index 0000000..715a7cc --- /dev/null +++ b/tests/vcore/resource/wgt_dist22/signature22.xml @@ -0,0 +1,66 @@ + + + + + + + + ZLhd8X2rzCIDGHkIvpDbCXq+dwq+DK7ZZaDD/fII8RU= + + + + xUKQbov3HL7JD2/zVUKpPEVGc5C6VWDXwxoDHzDs9y0= + + + + cIE41PzyhMnF++EmhJ3Ptnd4ZqXyBlRJgiIqxlutbV8= + + + + + + + ZxnfFPi1rAoxfpN98xSP3lv5tZg9ymJElAFdg3ejrXE= + + + fV1J/120GG5L7qsxEkyH6fBvQh2atlpiGMbVM1+pb8Q6pHib5beV6A== + + + MIIEDzCCA3igAwIBAgIJAMdKgvadG/Z/MA0GCSqGSIb3DQEBBQUAMHIxCzAJBgNV +BAYTAlBMMQwwCgYDVQQIEwNNYXoxEDAOBgNVBAoTB1NhbXN1bmcxDTALBgNVBAsT +BFNQUkMxEDAOBgNVBAMTB1NhbXN1bmcxIjAgBgkqhkiG9w0BCQEWE3NhbXN1bmdA +c2Ftc3VuZy5jb20wHhcNMTExMDA1MTIxMTMzWhcNMjExMDAyMTIxMTMzWjCBijEL +MAkGA1UEBhMCUEwxFDASBgNVBAgTC01hem93aWVja2llMRIwEAYDVQQHEwlsZWdp +b25vd28xEDAOBgNVBAoTB3NhbXN1bmcxDTALBgNVBAsTBHNwcmMxDjAMBgNVBAMT +BW1hZ2RhMSAwHgYJKoZIhvcNAQkBFhFtYWdkYUBzYW1zdW5nLmNvbTCCAbcwggEr +BgcqhkjOOAQBMIIBHgKBgQC1PCOasFhlfMc1yjdcp7zkzXGiW+MpVuFlsdYwkAa9 +sIvNrQLi2ulxcnNBeCHKDbk7U+J3/QwO2XanapQMUqvfjfjL1QQ5Vf7ENUWPNP7c +Evx82Nb5jWdHyRfV//TciBZN8GLNEbfhtWlhI6CbDW1AaY0nPZ879rSIk7/aNKZ3 +FQIVALcr8uQAmnV+3DLIA5nTo0Bg0bjLAoGAJG7meUtQbMulRMdjzeCoya2FXdm+ +4acvInE9/+MybXTB3bFANMyw6WTvk4K9RK8tm52N95cykTjpAbxqTMaXwkdWbOFd +VKAKnyxi/UKtY9Q6NmwJB2hbA1GUzhPko8rEda66CGl0VbyM1lKMJjA+wp9pG110 +L0ov19Q9fvqKp5UDgYUAAoGBAKxAQg7MqCgkC0MJftYjNaKM5n1iZv4j1li49zKf +Y5nTLP+vYAvg0owLNYvJ5ncKfY1DACPU4/+tC7TTua95wgj5rwvAXnzgSyOGuSr0 +fK9DyrH6E0LfXT+WuIQHahm2iSbxqPrChlnp5/EXDTBaO6Qfdpq0BP48ClZebxcA ++TYFo3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVy +YXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUmSpShswvWtEABd+l3WxccRcCydUw +HwYDVR0jBBgwFoAUggh/2wAChuhTKqX6WK5nfxQ4yGAwDQYJKoZIhvcNAQEFBQAD +gYEAgfnAu/gMJRC/BFwkgvrHL0TV4ffPVAf7RSnZS6ib4IHGgrvXJvL+Qh7vHykv +ZIqD2L96nY2EaSNr0yXrT81YROndOQUJNx4Y/W8m6asu4hzANNZqWCbApPDIMK6V +cPA1wrKgZqbWp218WBqI2v9pXV0O+jpzxq1+GeQV2UsbRwc= + + + + + + + + + + + + + + + + diff --git a/tests/vcore/test-common.cpp b/tests/vcore/test-common.cpp index e3efb8f..34fdfb5 100644 --- a/tests/vcore/test-common.cpp +++ b/tests/vcore/test-common.cpp @@ -17,6 +17,7 @@ #include "test-common.h" const std::string TestData::widget_path = std::string(TESTAPP_RES_DIR) + "apps/wgt"; +const std::string TestData::widget_dist22_path = std::string(TESTAPP_RES_DIR) + "apps/wgt_dist22"; const std::string TestData::widget_negative_hash_path = std::string(TESTAPP_RES_DIR) + "apps/wgt_negative_hash"; const std::string TestData::widget_negative_signature_path = std::string(TESTAPP_RES_DIR) + "apps/wgt_negative_signature"; const std::string TestData::widget_negative_certificate_path = std::string(TESTAPP_RES_DIR) + "apps/wgt_negative_certificate"; diff --git a/tests/vcore/test-common.h b/tests/vcore/test-common.h index 01cc4fa..e567e02 100644 --- a/tests/vcore/test-common.h +++ b/tests/vcore/test-common.h @@ -20,6 +20,7 @@ namespace TestData { extern const std::string widget_path; +extern const std::string widget_dist22_path; extern const std::string widget_negative_hash_path; extern const std::string widget_negative_signature_path; extern const std::string widget_negative_certificate_path; diff --git a/tests/vcore/test-signature-validator.cpp b/tests/vcore/test-signature-validator.cpp index 3e3d59b..0ac06cd 100644 --- a/tests/vcore/test-signature-validator.cpp +++ b/tests/vcore/test-signature-validator.cpp @@ -37,9 +37,9 @@ RUNNER_TEST(T00101_finder) RUNNER_ASSERT_MSG(signatureSet.size() == 2, "Some signature has not been found"); for (auto &fileInfo : signatureSet) - RUNNER_ASSERT_MSG( - ((fileInfo.getFileName().find("author-signature.xml") != std::string::npos && fileInfo.getFileNumber() == -1) - || (fileInfo.getFileName().find("signature1.xml") != std::string::npos && fileInfo.getFileNumber() == 1)), + RUNNER_ASSERT_MSG(( + (fileInfo.getFileName().find("author-signature.xml") != std::string::npos && fileInfo.getFileNumber() == -1) || + (fileInfo.getFileName().find("signature1.xml") != std::string::npos && fileInfo.getFileNumber() == 1)), "invalid signature xml found: " << fileInfo.getFileName() << " with number: " << fileInfo.getFileNumber()); } @@ -208,6 +208,39 @@ RUNNER_TEST(T00107_positive_tpk_with_userdata) } } +RUNNER_TEST(T00108_distributor_disregard_check) +{ + SignatureFileInfoSet signatureSet; + SignatureFinder signatureFinder(TestData::widget_dist22_path); + RUNNER_ASSERT_MSG( + SignatureFinder::NO_ERROR == signatureFinder.find(signatureSet), + "SignatureFinder failed"); + + for (auto &sig : signatureSet) { + SignatureValidator validator(sig); + SignatureData data; + VCerr result = validator.check( + TestData::widget_dist22_path, + true, + true, + data); + + if (data.isAuthorSignature()) + RUNNER_ASSERT_MSG(result == E_SIG_INVALID_CHAIN, + "author sig validation should be fail : " + << validator.errorToString(result)); + else + if (data.getSignatureNumber() == 1) + RUNNER_ASSERT_MSG(result == E_SIG_INVALID_CHAIN, + "dist1 sig validation should be fail: " + << validator.errorToString(result)); + else + RUNNER_ASSERT_MSG(result == E_SIG_DISREGARDED, + "dist22 sig validation should be disregarded: " + << validator.errorToString(result)); + } +} + RUNNER_TEST(T00151_negative_hash_check_ref) { SignatureFileInfoSet signatureSet; diff --git a/vcore/vcore/SignatureValidator.cpp b/vcore/vcore/SignatureValidator.cpp index 8b90895..14f75c0 100644 --- a/vcore/vcore/SignatureValidator.cpp +++ b/vcore/vcore/SignatureValidator.cpp @@ -238,8 +238,13 @@ VCerr SignatureValidator::Impl::makeDataBySignature(bool completeWithSystemCert) } if (completeWithSystemCert && !collection.completeCertificateChain()) { - LogError("Failed to complete cert chain with system cert"); - return E_SIG_INVALID_CHAIN; + if (m_data.isAuthorSignature() || m_data.getSignatureNumber() == 1) { + LogError("Failed to complete cert chain with system cert"); + return E_SIG_INVALID_CHAIN; + } else { + LogError("distributor's signature has got unrecognized root CA certificate."); + m_disregarded = true; + } } m_data.setSortedCertificateList(collection.getChain()); @@ -280,6 +285,9 @@ VCerr SignatureValidator::Impl::preStep(void) } if (m_data.getSignatureNumber() == 1 && !storeIdSet.isContainsVis()) { LogError("signature1.xml has got unrecognized root CA certificate."); + return E_SIG_INVALID_CHAIN; + } else if (!storeIdSet.isContainsVis()) { + LogError("signatureN.xml (not 1) has got unrecognized root CA certificate."); m_disregarded = true; } } @@ -327,6 +335,9 @@ VCerr SignatureValidator::Impl::baseCheck( return result; if (!m_data.isAuthorSignature()) { + if (!m_data.getSignatureNumber() != 1) + m_context.allowBrokenChain = true; + XmlSecSingleton::Instance().validate(m_context); m_data.setReference(m_context.referenceSet);