From: Kyungwook Tak Date: Wed, 12 Aug 2015 08:37:10 +0000 (+0900) Subject: Remove useless APIs in cert-svc X-Git-Tag: accepted/tizen/mobile/20150824.134548^0 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=refs%2Fheads%2Ftizen_3.0.m1_mobile;p=platform%2Fcore%2Fsecurity%2Fcert-svc.git Remove useless APIs in cert-svc verify signature and visibility related APIs are not used in 3.0 there's only one installer (app-installer) and signature validation step is common code for all installer backends which uses SignatureValidator Change-Id: Iaefd8b3ebe4da9bf117074e0b7024fe2b9645091 Signed-off-by: Kyungwook Tak --- diff --git a/include/cert-service-debug.h b/include/cert-service-debug.h index d18d475..f3be3be 100644 --- a/include/cert-service-debug.h +++ b/include/cert-service-debug.h @@ -19,17 +19,13 @@ * */ -/* To prevent inadvertently including a header twice */ #ifndef CERT_SERVICE_DEBUG_H #define CERT_SERVICE_DEBUG_H #ifdef __cplusplus extern "C" { -#endif // __cplusplus +#endif -/*********************************************************************************/ -/* Logging */ -/*********************************************************************************/ #ifdef LOG_TAG #undef LOG_TAG #endif @@ -39,6 +35,6 @@ extern "C" { #ifdef __cplusplus } -#endif // __cplusplus +#endif -#endif // CERT_SERVICE_DEBUG_H +#endif // CERT_SERVICE_DEBUG_H diff --git a/include/cert-service-process.h b/include/cert-service-process.h index 99efc33..5b4aea9 100644 --- a/include/cert-service-process.h +++ b/include/cert-service-process.h @@ -19,32 +19,16 @@ * */ -/* To prevent inadvertently including a header twice */ #ifndef CERT_SERVICE_PROCESS_H #define CERT_SERVICE_PROCESS_H -#include -#include - #ifdef __cplusplus extern "C" { -#endif // __cplusplus -/*********************************************************************************/ -/* Variable definitions */ -/*********************************************************************************/ - -struct cert_svc_inode_set; +#endif -/*********************************************************************************/ -/* Variable definitions */ -/*********************************************************************************/ int parse_name_fld_data(unsigned char* str, cert_svc_name_fld_data* fld); -int search_data_field(search_field fldName, char* fldData, cert_svc_cert_descriptor* certDesc); -int get_filelist_recur(char* dirName, cert_svc_filename_list* fileNames, - struct cert_svc_inode_set *visited); int _verify_certificate_with_caflag(cert_svc_mem_buff* certBuf, cert_svc_linked_list** certList, int checkCaFlag, cert_svc_filename_list* fileNames, int* validity); -int _verify_signature(cert_svc_mem_buff* certBuf, unsigned char* message, int msgLen, unsigned char* signature, char* algo, int* validity); int _extract_certificate_data(cert_svc_mem_buff* cert, cert_svc_cert_descriptor* certDesc); int _search_certificate(cert_svc_filename_list** fileNames, search_field fldName, char* fldData); @@ -53,11 +37,8 @@ int release_certificate_data(cert_svc_cert_descriptor* certDesc); int release_cert_list(cert_svc_linked_list* certList); int release_filename_list(cert_svc_filename_list* fileNames); -int get_visibility(CERT_CONTEXT* context, int* visibility); -int get_certificate_type(CERT_CONTEXT* context, int* cert_type); - #ifdef __cplusplus } #endif -#endif // CERT_SERVICE_PROCESS_H +#endif // CERT_SERVICE_PROCESS_H diff --git a/include/cert-service-store.h b/include/cert-service-store.h index 2d75670..857cdb3 100644 --- a/include/cert-service-store.h +++ b/include/cert-service-store.h @@ -19,20 +19,18 @@ * */ -/* To prevent inadvertently including a header twice */ #ifndef CERT_SERVICE_STORE_H #define CERT_SERVICE_STORE_H #ifdef __cplusplus extern "C" { -#endif // __cplusplus +#endif -int get_file_full_path(char* originalName, const char* location, char* outBuf); int _add_certificate_to_store(const char* filePath, const char* location); int _delete_certificate_from_store(const char* filePath, const char* location); #ifdef __cplusplus } -#endif // __cplusplus +#endif -#endif // CERT_SERVICE_STORE_H +#endif // CERT_SERVICE_STORE_H diff --git a/include/cert-service-util.h b/include/cert-service-util.h index fcbff95..af25240 100755 --- a/include/cert-service-util.h +++ b/include/cert-service-util.h @@ -19,34 +19,21 @@ * */ -/* To prevent inadvertently including a header twice */ #ifndef CERT_SERVICE_UTIL_H #define CERT_SERVICE_UTIL_H -#include - #ifdef __cplusplus extern "C" { -#endif // __cplusplus -/*********************************************************************************/ -/* Variable definitions */ -/*********************************************************************************/ +#endif -/*********************************************************************************/ -/* Function definitions */ -/*********************************************************************************/ int cert_svc_util_get_file_size(const char* filepath, unsigned long int* length); int cert_svc_util_load_file_to_buffer(const char* filePath, cert_svc_mem_buff* certBuf); int cert_svc_util_load_PFX_file_to_buffer(const char* filePath, cert_svc_mem_buff* certBuf, cert_svc_linked_list** certLink, unsigned char** privateKey, int* priKeyLen, char* passPhrase); int cert_svc_util_base64_encode(const unsigned char* in, int inLen, unsigned char* out, int* outLen); int cert_svc_util_base64_decode(const unsigned char* in, int inLen, unsigned char* out, int* outLen); -int get_visibility_by_fingerprint(const char* fingerprint, int* visibility); -int get_visibility_by_certificate(const unsigned char* cert_data, int data_len, int* visibility); -int get_type_by_fingerprint(const char* fingerprint, int* cert_type); -int get_certificate_fingerprint(const unsigned char *cert, int cert_size, char** fingerprint); #ifdef __cplusplus } -#endif // __cplusplus +#endif -#endif // CERT_SERVICE_UTIL_H +#endif // CERT_SERVICE_UTIL_H diff --git a/include/cert-service.h b/include/cert-service.h index 77b6e1e..5ab0d8d 100755 --- a/include/cert-service.h +++ b/include/cert-service.h @@ -17,54 +17,48 @@ * See the License for the specific language governing permissions and * limitations under the License. * + * @file cert-service.h + * @author Kyungwook Tak (k.tak@samsung.com) + * @version 1.0 + * @brief cert-svc CAPI header */ -/* To prevent inadvertently including a header twice */ #ifndef CERT_SERVICE_H #define CERT_SERVICE_H #ifdef __cplusplus extern "C" { -#endif // __cplusplus +#endif -/*********************************************************************************/ -/* Constants */ -/*********************************************************************************/ /* max size */ -#define CERT_SVC_MAX_CERT_TYPE_SIZE 50 -#define CERT_SVC_MAX_FILE_NAME_SIZE 256 -#define CERT_SVC_MAX_BUFFER_SIZE (4 * 1024) +#define CERT_SVC_MAX_CERT_TYPE_SIZE 50 +#define CERT_SVC_MAX_FILE_NAME_SIZE 256 +#define CERT_SVC_MAX_BUFFER_SIZE (4 * 1024) + /* error codes */ -#define CERT_SVC_ERR_NO_ERROR 0 -#define CERT_SVC_ERR_UNKNOWN_ERROR -1 -#define CERT_SVC_ERR_BROKEN_CHAIN -2 -#define CERT_SVC_ERR_NO_ROOT_CERT -3 -#define CERT_SVC_ERR_INVALID_SIGNATURE -4 -#define CERT_SVC_ERR_INVALID_CERTIFICATE -5 -#define CERT_SVC_ERR_FILE_IO -6 -#define CERT_SVC_ERR_UNSUPPORTED_HASH_TYPE -7 -#define CERT_SVC_ERR_UNSUPPORTED_KEY_TYPE -8 -#define CERT_SVC_ERR_INVALID_OPERATION -9 -#define CERT_SVC_ERR_BUFFER_TOO_SMALL -10 -#define CERT_SVC_ERR_NO_MORE_CERTIFICATE -11 -#define CERT_SVC_ERR_DUPLICATED_CERTIFICATE -12 -#define CERT_SVC_ERR_SYSTEM_CALL -13 -#define CERT_SVC_ERR_MEMORY_ALLOCATION -14 -#define CERT_SVC_ERR_INVALID_PARAMETER -15 -#define CERT_SVC_ERR_PERMISSION_DENIED -16 -#define CERT_SVC_ERR_IS_EXPIRED -17 - -#define CERT_SVC_ERR_INVALID_NO_DEVICE_PROFILE -25 -#define CERT_SVC_ERR_INVALID_DEVICE_UNIQUE_ID -26 -#define CERT_SVC_ERR_INVALID_SDK_DEFAULT_AUTHOR_CERT -27 -#define CERT_SVC_ERR_IN_DISTRIBUTOR_CASE_AUTHOR_CERT -28 -#define CERT_SVC_ERR_IN_AUTHOR_CASE_DISTRIBUTOR_CERT -29 +#define CERT_SVC_ERR_NO_ERROR 0 +#define CERT_SVC_ERR_UNKNOWN_ERROR (-1) +#define CERT_SVC_ERR_BROKEN_CHAIN (-2) +#define CERT_SVC_ERR_NO_ROOT_CERT (-3) +#define CERT_SVC_ERR_INVALID_SIGNATURE (-4) +#define CERT_SVC_ERR_INVALID_CERTIFICATE (-5) +#define CERT_SVC_ERR_FILE_IO (-6) +#define CERT_SVC_ERR_UNSUPPORTED_HASH_TYPE (-7) +#define CERT_SVC_ERR_UNSUPPORTED_KEY_TYPE (-8) +#define CERT_SVC_ERR_INVALID_OPERATION (-9) +#define CERT_SVC_ERR_BUFFER_TOO_SMALL (-10) +#define CERT_SVC_ERR_NO_MORE_CERTIFICATE (-11) +#define CERT_SVC_ERR_DUPLICATED_CERTIFICATE (-12) +#define CERT_SVC_ERR_SYSTEM_CALL (-13) +#define CERT_SVC_ERR_MEMORY_ALLOCATION (-14) +#define CERT_SVC_ERR_INVALID_PARAMETER (-15) +#define CERT_SVC_ERR_PERMISSION_DENIED (-16) +#define CERT_SVC_ERR_IS_EXPIRED (-17) +#define CERT_SVC_ERR_INVALID_NO_DEVICE_PROFILE (-25) +#define CERT_SVC_ERR_INVALID_DEVICE_UNIQUE_ID (-26) #define CERT_SVC_STORE_PATH "/usr/share/cert-svc/certs/" -/*********************************************************************************/ -/* Type definitions */ -/*********************************************************************************/ typedef enum { SEARCH_FIELD_START = 0, ISSUER_COUNTRY = 0, @@ -86,22 +80,6 @@ typedef enum { SEARCH_FIELD_END = 16, } search_field; -typedef enum cert_svc_visibility_t { - CERT_SVC_VISIBILITY_DEVELOPER = 1, - CERT_SVC_VISIBILITY_PUBLIC = 1 << 6, - CERT_SVC_VISIBILITY_PARTNER = 1 << 7, - CERT_SVC_VISIBILITY_PARTNER_OPERATOR = 1 << 8, - CERT_SVC_VISIBILITY_PARTNER_MANUFACTURER = 1 << 9, - CERT_SVC_VISIBILITY_PLATFORM = 1 << 10 -} cert_svc_visibility; - -typedef enum cert_svc_type_t { - CERT_SVC_TYPE_NO_TYPE = 0, - CERT_SVC_TYPE_TEST = 1 << 1, - CERT_SVC_TYPE_VERIFY = 1 << 2, - CERT_SVC_TYPE_STORE = 1 << 3 -} cert_svc_type; - typedef struct { unsigned int firstSecond; unsigned int firstMinute; @@ -186,9 +164,6 @@ typedef struct { cert_svc_filename_list* fileNames; } CERT_CONTEXT; -/*********************************************************************************/ -/* Function definitions */ -/*********************************************************************************/ CERT_CONTEXT* cert_svc_cert_context_init(); int cert_svc_cert_context_final(CERT_CONTEXT* ctx); @@ -201,19 +176,16 @@ int cert_svc_push_file_into_context(CERT_CONTEXT* ctx, const char* filePath); int cert_svc_add_certificate_to_store(const char* filePath, const char* location); int cert_svc_delete_certificate_from_store(const char* fileName, const char* location); int cert_svc_verify_certificate(CERT_CONTEXT* ctx, int* validity); -int cert_svc_verify_package_certificate(CERT_CONTEXT* ctx, int* validity, const char* signatureFile); int cert_svc_verify_certificate_with_caflag(CERT_CONTEXT* ctx, int* validity); -int cert_svc_verify_signature(CERT_CONTEXT* ctx, unsigned char* message, int msgLen, unsigned char* signature, char* algo, int* validity); int cert_svc_extract_certificate_data(CERT_CONTEXT* ctx); int cert_svc_search_certificate(CERT_CONTEXT* ctx, search_field fldName, char* fldData); -int cert_svc_get_visibility(CERT_CONTEXT* ctx, int* visibility); -int cert_svc_get_visibility_by_root_certificate(const char* cert_data, int data_len, int* visibility); -char* cert_svc_get_certificate_crt_file_path(void); +char *cert_svc_get_certificate_crt_file_path(void); int cert_svc_util_parse_name_fld_data(unsigned char* str, cert_svc_name_fld_data* fld); + #ifdef __cplusplus } -#endif // __cplusplus +#endif -#endif // CERT_SERVICE_H +#endif // CERT_SERVICE_H diff --git a/srcs/cert-service-process.c b/srcs/cert-service-process.c index 6c84eac..c47df11 100644 --- a/srcs/cert-service-process.c +++ b/srcs/cert-service-process.c @@ -27,8 +27,10 @@ #include #include #include + +#include #include -#include +#include #include "cert-service.h" #include "cert-service-util.h" @@ -39,17 +41,6 @@ #define get_ASN1_OBJECT(x) OBJ_nid2ln(OBJ_obj2nid((x))) #define get_X509_NAME(x) X509_NAME_oneline((x), NULL, 0) - -struct verify_context { - int depth; -}; - -typedef struct { - char* unitName; - char* address; - int len; -} name_field; - static unsigned char** __get_field_by_tag(unsigned char* str, int *tag_len, cert_svc_name_fld_data* fld) { const struct { @@ -79,6 +70,12 @@ static unsigned char** __get_field_by_tag(unsigned char* str, int *tag_len, cert return field; } +static X509 *_d2i_X509(cert_svc_mem_buff *certBuf, X509 **out) +{ + const unsigned char *certContent = certBuf->data; + return d2i_X509(out, &certContent, certBuf->size); +} + /*SURC k.astrakhant 2011.07.14 : this version can parse info string with any order of tags*/ int parse_name_fld_data(unsigned char* str, cert_svc_name_fld_data* fld) { @@ -291,97 +288,6 @@ int sort_cert_chain(cert_svc_linked_list** unsorted, cert_svc_linked_list** sort return sort_cert_chain(unsorted, sorted); } -int is_CACert(cert_svc_mem_buff* cert, int* isCA) -{ - int ret = CERT_SVC_ERR_NO_ERROR; - X509* x = NULL; - const unsigned char* p = NULL; - - p = cert->data; - d2i_X509(&x, &p, cert->size); - - if(x == NULL) { - SLOGE("[ERR][%s] Certificate cannot be parsed.", __func__); - ret = CERT_SVC_ERR_INVALID_CERTIFICATE; - goto err; - } - - if(X509_check_ca(x) > 0) - (*isCA) = 1; - else - (*isCA) = 0; - -err: - if(x != NULL) - X509_free(x); - - return ret; -} - -int VerifyCallbackfunc(int ok, X509_STORE_CTX* store) -{ - char buf[256] = {0, }; - struct verify_context* verify_context = (struct verify_context*)X509_STORE_CTX_get_app_data(store); - - if(verify_context != NULL) { - verify_context->depth += 1; - } - - if(store->current_cert != NULL) - X509_NAME_oneline(X509_get_subject_name(store->current_cert), buf, 256); - else - strncpy(buf, "test", 4); - - if(verify_context != NULL) { - SLOGD("[%s] Certificate %i: %s", __func__, verify_context->depth, buf); - } - - return ok; -} - -int _is_default_sdk_author(cert_svc_mem_buff* signer_cert, int *is_default) -{ - static const char* _sdk_default_author_cert = - "MIIClTCCAX2gAwIBAgIGAUX+iaC6MA0GCSqGSIb3DQEBBQUAMFYxGjAYBgNVBAoMEVRpemVuIEFz" - "c29jaWF0aW9uMRowGAYDVQQLDBFUaXplbiBBc3NvY2lhdGlvbjEcMBoGA1UEAwwTVGl6ZW4gRGV2" - "ZWxvcGVycyBDQTAeFw0xMjExMDEwMDAwMDBaFw0xOTAxMDEwMDAwMDBaMBExDzANBgNVBAMMBmF1" - "dGhvcjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAgKCL2LL2sZ9wpS9IMO5GKXCSPAz5oKD0" - "o5HMsGMQThCKmSTFPm9J4qj+MYomrufm2RMA8xp1KyJ79KK2BKg4/DE/5vvWLf1Fh8Jwut9JpkfW" - "1b8vNul87ft5NJ7ji5cu7wtQYvxC55BcaXAu3yv0AB0/oXVCRuvluSK5X7lvLHsCAwEAAaMyMDAw" - "DAYDVR0TAQH/BAIwADALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwDQYJKoZIhvcN" - "AQEFBQADggEBADVYof211H9txSG7Bkmcv0erP4gu7uJt61A+4BYu7g2Gv0sVme8NTvu4289Kpdb8" - "pR5nosBnEL81eHJBuiCopWl1Yf12gc1hx/+nhlD8vdE3idXQUewCACLdaWNxJ5FO6RYZa3Stp6nO" - "y5U/hTktDpUMlq+ByR7DhjfIFd4D9O4IbQmp7VbsoGrMh8Jqm+q+mSQh6hth0qK2//Z5kHZLQGfi" - "m1q/W0L6BlE1+zPo8RdeLxEbsoRMYnvOzTYg2dgq5yPT64SCBEamRYeUdIOjbF+y86/1h6NMhmFu" - "12NOMj/hg9MfgsXIksRvusRX16blD7uOUz3DwsASa5YnlBdts48="; - - int encodeLen = (((signer_cert->size + 2) / 3) * 4) + 1; - int encodedLen = 0; - unsigned char *encodedBuffer = (unsigned char *)malloc(sizeof(unsigned char) * encodeLen); - if (encodedBuffer == NULL) - return CERT_SVC_ERR_MEMORY_ALLOCATION; - - int ret = cert_svc_util_base64_encode(signer_cert->data, signer_cert->size, encodedBuffer, &encodedLen); - if(ret != CERT_SVC_ERR_NO_ERROR) - { - SLOGE("Failed to encode certificate"); - free(encodedBuffer); - return CERT_SVC_ERR_INVALID_CERTIFICATE; - } - - if(!memcmp(_sdk_default_author_cert, encodedBuffer, encodedLen)) - { - SLOGE("Error! Author signature signed by SDK default certificate."); - *is_default = 1; - free(encodedBuffer); - return CERT_SVC_ERR_INVALID_SDK_DEFAULT_AUTHOR_CERT; - } - - free(encodedBuffer); - *is_default = 0; - return CERT_SVC_ERR_NO_ERROR; -} - int _remove_selfsigned_cert_in_chain(cert_svc_linked_list** certList) { int ret = CERT_SVC_ERR_NO_ERROR; @@ -448,266 +354,199 @@ err: return ret; } -int _verify_certificate_with_caflag(cert_svc_mem_buff* certBuf, cert_svc_linked_list** certList, int checkCaFlag, cert_svc_filename_list* rootPath, int* validity) +int _verify_certificate_with_caflag( + cert_svc_mem_buff *certBuf, + cert_svc_linked_list **certList, + int checkCaFlag, + cert_svc_filename_list *rootPath, + int *validity) { int ret = CERT_SVC_ERR_NO_ERROR; cert_svc_linked_list* sorted = NULL; - cert_svc_linked_list* p = NULL; - cert_svc_linked_list* q = NULL; + cert_svc_linked_list* tempNode = NULL; cert_svc_cert_descriptor* findRoot = NULL; cert_svc_filename_list* fileNames = NULL; cert_svc_mem_buff* CACert = NULL; - int isCA = -1; - // variables for verification + int certNum = 0; int certIndex = 0, i = 0; - const unsigned char* certContent = NULL; X509_STORE_CTX* storeCtx = NULL; X509* rootCert = NULL; X509** interCert = NULL; X509* targetCert = NULL; STACK_OF(X509) *tchain, *uchain; - STACK_OF(X509) *resultChain; - X509* tmpCert = NULL; int caFlagValidity; - int is_default_author = 0; OpenSSL_add_all_algorithms(); tchain = sk_X509_new_null(); uchain = sk_X509_new_null(); - - ret = _is_default_sdk_author(certBuf, &is_default_author); - if(ret == CERT_SVC_ERR_INVALID_SDK_DEFAULT_AUTHOR_CERT && is_default_author) - return CERT_SVC_ERR_INVALID_SDK_DEFAULT_AUTHOR_CERT; - - if(ret != CERT_SVC_ERR_NO_ERROR) - return CERT_SVC_ERR_INVALID_CERTIFICATE; findRoot = (cert_svc_cert_descriptor*)malloc(sizeof(cert_svc_cert_descriptor)); - if(findRoot == NULL) { - SLOGE("[ERR][%s] Failed to allocate memory for certificate descriptor.", __func__); + if (findRoot == NULL) { ret = CERT_SVC_ERR_MEMORY_ALLOCATION; goto err; } memset(findRoot, 0x00, sizeof(cert_svc_cert_descriptor)); - if((*certList) != NULL) { + if (*certList != NULL) { /* remove self-signed certificate in certList */ - if((ret = _remove_selfsigned_cert_in_chain(certList)) != CERT_SVC_ERR_NO_ERROR) { - SLOGE("[ERR][%s] Fail to remove self-signed certificate in chain.", __func__); + ret = _remove_selfsigned_cert_in_chain(certList); + if (ret != CERT_SVC_ERR_NO_ERROR) { + SLOGE("Fail to remove self-signed certificate in chain."); goto err; } + /* sort certList */ - if((ret = sort_cert_chain(certList, &sorted)) != CERT_SVC_ERR_NO_ERROR) { - SLOGE("[ERR][%s] Fail to sort certificate chain.", __func__); + ret = sort_cert_chain(certList, &sorted); + if (ret != CERT_SVC_ERR_NO_ERROR) { + SLOGE("Fail to sort certificate chain."); goto err; } - /* find root cert from store, the SUBJECT field of root cert is same with ISSUER field of certList[0] */ - p = sorted; - while(p->next != NULL) { + /* + * find root cert from store, the SUBJECT field of root cert + * is same with ISSUER field of certList[0] + */ + tempNode = sorted; + while (tempNode->next != NULL) { certNum++; - p = p->next; + tempNode = tempNode->next; } certNum++; - ret = _extract_certificate_data(p->certificate, findRoot); - } - else + ret = _extract_certificate_data(tempNode->certificate, findRoot); + } else { ret = _extract_certificate_data(certBuf, findRoot); + } - if(ret != CERT_SVC_ERR_NO_ERROR) { - SLOGE("[ERR][%s] Fail to extract certificate data", __func__); + if (ret != CERT_SVC_ERR_NO_ERROR) { + SLOGE("Fail to extract certificate data"); goto err; } - if((ret = _search_certificate(&fileNames, SUBJECT_STR, (char*)findRoot->info.issuerStr)) != CERT_SVC_ERR_NO_ERROR) { - SLOGE("[ERR][%s] Fail to search root certificate", __func__); + ret = _search_certificate(&fileNames, SUBJECT_STR, (char*)findRoot->info.issuerStr); + if (ret != CERT_SVC_ERR_NO_ERROR) { + SLOGE("Fail to search root certificate"); goto err; } - if(fileNames->filename == NULL) { - SLOGE("[ERR][%s] There is no CA certificate.", __func__); + if (fileNames->filename == NULL) { ret = CERT_SVC_ERR_NO_ROOT_CERT; goto err; } CACert = (cert_svc_mem_buff*)malloc(sizeof(cert_svc_mem_buff)); - if(CACert == NULL) { - SLOGE("[ERR][%s] Failed to allocate memory for ca cert.", __func__); + if (CACert == NULL) { ret = CERT_SVC_ERR_MEMORY_ALLOCATION; goto err; } memset(CACert, 0x00, sizeof(cert_svc_mem_buff)); - // use the first found CA cert - ignore other certificate(s). assume that there is JUST one CA cert - if((ret = cert_svc_util_load_file_to_buffer(fileNames->filename, CACert)) != CERT_SVC_ERR_NO_ERROR) { - SLOGE("[ERR][%s] Fail to load CA cert to buffer.", __func__); + /* use the first found CA cert - ignore other certificate(s). */ + ret = cert_svc_util_load_file_to_buffer(fileNames->filename, CACert); + if (ret != CERT_SVC_ERR_NO_ERROR) { + SLOGE("Fail to load CA cert to buffer."); goto err; } - // store root certicate path into ctx + /* store root certicate path into ctx */ strncpy(rootPath->filename, fileNames->filename, CERT_SVC_MAX_FILE_NAME_SIZE - 1); rootPath->filename[CERT_SVC_MAX_FILE_NAME_SIZE - 1] = '\0'; - if((ret = is_CACert(CACert, &isCA)) != CERT_SVC_ERR_NO_ERROR) { - SLOGE("[ERR][%s] CA certificate is invalid.", __func__); - goto err; - } - - if(isCA != 1) { // NOT CA certificate - SLOGE("[ERR][%s] Found certificate is NOT CA certificate.", __func__); - ret = CERT_SVC_ERR_NO_ROOT_CERT; - goto err; - } - - /* verify */ - // insert root certificate into trusted chain - certContent = CACert->data; - d2i_X509(&rootCert, &certContent, CACert->size); - if(!(sk_X509_push(tchain, rootCert))) { - SLOGE("[ERR][%s] Fail to push certificate into stack.", __func__); + /* insert root certificate into trusted chain */ + _d2i_X509(CACert, &rootCert); + if (!sk_X509_push(tchain, rootCert)) { + SLOGE("Fail to push certificate into stack."); ret = CERT_SVC_ERR_INVALID_OPERATION; goto err; } - certContent = certBuf->data; - d2i_X509(&targetCert, &certContent, certBuf->size); - - q = sorted; // first item is the certificate that user want to verify + _d2i_X509(certBuf, &targetCert); - // insert all certificate(s) into chain - if(q != NULL) { // has 2 or more certificates - certIndex = 0; + if (sorted != NULL) { interCert = (X509**)malloc(sizeof(X509*) * certNum); - if(interCert == NULL) { - SLOGE("[ERR][%s] Failed to allocate memory for interim certificate.", __func__); + if (interCert == NULL) { ret = CERT_SVC_ERR_MEMORY_ALLOCATION; goto err; } memset(interCert, 0x00, (sizeof(X509*) * certNum)); - while(1) { - certContent = q->certificate->data; - if(!d2i_X509(&interCert[certIndex], &certContent, q->certificate->size)) { - SLOGE("[ERR][%s] Fail to load certificate into memory.", __func__); + for (tempNode = sorted, certIndex = 0; + tempNode != NULL; + tempNode = tempNode->next, certIndex++) { + + _d2i_X509(tempNode->certificate, &interCert[certIndex]); + if (interCert[certIndex] == NULL) { + SLOGE("Invalid certificate. failed to parse certificate."); ret = CERT_SVC_ERR_INVALID_CERTIFICATE; goto err; } - if(!(sk_X509_push(uchain, interCert[certIndex]))) { - SLOGE("[ERR][%s] Fail to push certificate into stack.", __func__); + + /* insert all certificate(s) into chain */ + if (!sk_X509_push(uchain, interCert[certIndex])) { + SLOGE("Fail to push certificate into stack."); ret = CERT_SVC_ERR_INVALID_OPERATION; goto err; } - - if(q->next == NULL) - break; - else { - q = q->next; - certIndex++; - } } } storeCtx = X509_STORE_CTX_new(); - if(!X509_STORE_CTX_init(storeCtx, 0, targetCert, uchain)) { - SLOGE("[ERR][%s] Fail to initialize X509 store context.", __func__); + if (!X509_STORE_CTX_init(storeCtx, 0, targetCert, uchain)) { + SLOGE("Fail to initialize X509 store context."); + ret = CERT_SVC_ERR_INVALID_OPERATION; goto err; } - struct verify_context verify_context = { 0 }; - X509_STORE_CTX_set_app_data(storeCtx, &verify_context); - X509_STORE_CTX_set_verify_cb(storeCtx, VerifyCallbackfunc); + X509_STORE_CTX_trusted_stack(storeCtx, tchain); - SLOGD("verify signer certificate"); - if(((*validity) = X509_verify_cert(storeCtx)) != 1) { + *validity = X509_verify_cert(storeCtx); + if (*validity != 1) { int error = X509_STORE_CTX_get_error(storeCtx); - SLOGE("[ERR][%s] Fail to verify certificate chain, validity: [%d]", __func__, (*validity)); SLOGE("err str: [%s]", X509_verify_cert_error_string(error)); - - // check level - int cert_type=0; - char *fingerprint = NULL; - unsigned char *certdata = NULL; - int certSize = 0; - - certdata = CACert->data; - certSize = CACert->size; - - ret = get_certificate_fingerprint(certdata, certSize, &fingerprint); - if(ret != CERT_SVC_ERR_NO_ERROR) - { - SLOGE("Failed to get fingerprint data! %d", ret); - goto err; - } - - ret = get_type_by_fingerprint(fingerprint, &cert_type); - if(ret != CERT_SVC_ERR_NO_ERROR) - { - SLOGE("Failed to get level! %d", ret); - goto err; - } - - SLOGD("cert_type = %d", cert_type); - if(cert_type != CERT_SVC_TYPE_TEST && cert_type != CERT_SVC_TYPE_VERIFY){ - - SLOGD("Level is not Test or Verity"); - if( error == X509_V_ERR_CERT_NOT_YET_VALID || - error == X509_V_ERR_CERT_HAS_EXPIRED || - error == X509_V_ERR_CRL_NOT_YET_VALID || - error == X509_V_ERR_CRL_HAS_EXPIRED || - error == X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD || - error == X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD || - error == X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD || - error == X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD) { - - SLOGD("Skip checking valid time of signer cert"); - (*validity) = 1; - } - } - else{ - ret = CERT_SVC_ERR_IS_EXPIRED; - goto err; - } + ret = CERT_SVC_ERR_INVALID_CERTIFICATE; + goto err; } - if(checkCaFlag) { // check strictly - resultChain = X509_STORE_CTX_get1_chain(storeCtx); - while((tmpCert = sk_X509_pop(resultChain))) { - caFlagValidity = X509_check_ca(tmpCert); - if(caFlagValidity != 1 && (sk_X509_pop(resultChain)) != NULL) { // the last one is not a CA. - (*validity) = 0; - SLOGE("[ERR][%s] Invalid CA Flag for CA Certificate, validity: [%d]", __func__, (*validity)); - break; - } + if (checkCaFlag) { + caFlagValidity = X509_check_ca(rootCert); + if (caFlagValidity != 1) { + *validity = 0; + SLOGE("Invalid CA Flag for CA Certificate, caFlagValidity: [%d]", caFlagValidity); } } err: - if(rootCert != NULL) + if (ret != CERT_SVC_ERR_NO_ERROR) + SLOGE("Error in cert-service-process. code[%d]", ret); + + if (rootCert != NULL) X509_free(rootCert); - if(targetCert != NULL) + + if (targetCert != NULL) X509_free(targetCert); - if(storeCtx != NULL) + + if (storeCtx != NULL) X509_STORE_CTX_free(storeCtx); - if(tchain != NULL) + + if (tchain != NULL) sk_X509_free(tchain); - if(uchain != NULL) + + if (uchain != NULL) sk_X509_free(uchain); - if(interCert != NULL) { - for(i = 0; i < certNum; i++) { - if(interCert[i] != NULL) + if (interCert != NULL) { + for (i = 0; i < certNum; i++) { + if (interCert[i] != NULL) X509_free(interCert[i]); } free(interCert); } - //EVP_cleanup(); release_certificate_buf(CACert); release_certificate_data(findRoot); release_filename_list(fileNames); @@ -716,108 +555,10 @@ err: return ret; } -int _verify_signature(cert_svc_mem_buff* certBuf, unsigned char* message, int msgLen, unsigned char* signature, char* algo, int* validity) -{ - int ret = CERT_SVC_ERR_NO_ERROR; - X509* x = NULL; - const unsigned char* p = NULL; - // hash - EVP_MD_CTX* mdctx = NULL; - const EVP_MD* md = NULL; - // signature - unsigned char* decodedSig = NULL; - int decodedSigLen = 0; - int sigLen = 0; - // public key - EVP_PKEY *pkey = NULL; - - OpenSSL_add_all_digests(); - - /* load certificate into buffer */ - p = certBuf->data; - d2i_X509(&x, &p, certBuf->size); - if(x == NULL) { - SLOGE("[ERR][%s] Fail to allocate X509 structure.", __func__); - ret = CERT_SVC_ERR_INVALID_CERTIFICATE; - goto err; - } - - /* load signature and decode */ - sigLen = strlen((const char*)signature); - decodedSigLen = ((sigLen / 4) * 3) + 1; - - if(!(decodedSig = (unsigned char*)malloc(sizeof(unsigned char) * decodedSigLen))) { - SLOGE("[ERR][%s] Fail to allocate memory.", __func__); - ret = CERT_SVC_ERR_MEMORY_ALLOCATION; - goto err; - } - memset(decodedSig, 0x00, decodedSigLen); - if((ret = cert_svc_util_base64_decode(signature, sigLen, decodedSig, &decodedSigLen)) != CERT_SVC_ERR_NO_ERROR) { - SLOGE("[ERR][%s] Fail to base64 decode.", __func__); - ret = CERT_SVC_ERR_INVALID_OPERATION; - goto err; - } - - /* get public key */ - pkey = X509_get_pubkey(x); - - /* make EVP_MD_CTX */ - if(!(mdctx = EVP_MD_CTX_create())) { - ret = CERT_SVC_ERR_MEMORY_ALLOCATION; - goto err; - } - - if(algo == NULL) { // if hash algorithm is not defined, - if(!(md = EVP_get_digestbyobj(x->cert_info->signature->algorithm))) { // get hash algorithm - SLOGE("[ERR][%s] Fail to get hash algorithm.", __func__); - ret = CERT_SVC_ERR_INVALID_CERTIFICATE; - goto err; - } - } - else { // if hash algorithm is defined, - if(!(md = EVP_get_digestbyname(algo))) { // get hash algorithm - SLOGE("[ERR][%s] Fail to get hash algorithm.", __func__); - ret = CERT_SVC_ERR_INVALID_CERTIFICATE; - goto err; - } - } - - /* initialization */ - if(EVP_VerifyInit_ex(mdctx, md, NULL) != 1) { - SLOGE("[ERR][%s] Fail to execute EVP_VerifyInit_ex().", __func__); - ret = CERT_SVC_ERR_INVALID_CERTIFICATE; - goto err; - } - if(EVP_VerifyUpdate(mdctx, message, msgLen) != 1) { - SLOGE("[ERR][%s] Fail to execute EVP_VerifyUpdate().", __func__); - ret = CERT_SVC_ERR_INVALID_CERTIFICATE; - goto err; - } - if(((*validity) = EVP_VerifyFinal(mdctx, decodedSig, decodedSigLen, pkey)) != 1) { - SLOGE("[ERR][%s] Fail to verify signature.", __func__); - ret = CERT_SVC_ERR_INVALID_SIGNATURE; - goto err; - } - -err: - if(x != NULL) - X509_free(x); - if(decodedSig != NULL) - free(decodedSig); - if(pkey != NULL) - EVP_PKEY_free(pkey); - if(mdctx != NULL) - EVP_MD_CTX_destroy(mdctx); - //EVP_cleanup(); - - return ret; -} - int _extract_certificate_data(cert_svc_mem_buff* cert, cert_svc_cert_descriptor* certDesc) { int ret = CERT_SVC_ERR_NO_ERROR; X509* x = NULL; - const unsigned char* p = NULL; int i = 0; // get signature algorithm char* signatureAlgo = NULL; @@ -852,8 +593,7 @@ int _extract_certificate_data(cert_svc_mem_buff* cert, cert_svc_cert_descriptor* memset(certDesc, 0x00, sizeof(cert_svc_cert_descriptor)); - p = cert->data; - d2i_X509(&x, &p, cert->size); + _d2i_X509(cert, &x); if(x == NULL) { SLOGE("[ERR][%s] Fail to allocate X509 structure.", __func__); ret = CERT_SVC_ERR_INVALID_CERTIFICATE; @@ -1330,11 +1070,12 @@ out: int get_all_certificates(cert_svc_filename_list** allCerts) { int ret; - char *buffer[3]; + char *buffer[4]; buffer[0] = ROOT_CA_CERTS_DIR; buffer[1] = CERTSVC_DIR; - buffer[2] = NULL; + buffer[2] = SYSTEM_CERT_DIR; + buffer[3] = NULL; if (!allCerts) { SLOGE("[ERR][%s] Invalid argument.", __func__); @@ -1660,92 +1401,3 @@ int release_filename_list(cert_svc_filename_list* fileNames) return ret; } - -int get_visibility(CERT_CONTEXT* context, int* visibility) -{ - int ret = CERT_SVC_ERR_NO_ERROR; - unsigned char * cert = NULL; - int certSize = 0; - char *fingerprint = NULL; - - if(!context->certBuf) - { - SLOGE("certBuf is NULL!"); - return CERT_SVC_ERR_INVALID_PARAMETER; - } - if(!context->certBuf->size) - { - SLOGE("certBuf size is wrong"); - return CERT_SVC_ERR_INVALID_PARAMETER; - } - - cert = context->certBuf->data; - certSize = context->certBuf->size; - - if(cert == NULL || !certSize) - { - SLOGE("cert is or invalid!"); - return CERT_SVC_ERR_INVALID_CERTIFICATE; - } - - ret = get_certificate_fingerprint(cert, certSize, &fingerprint); - if(ret != CERT_SVC_ERR_NO_ERROR) - { - SLOGE("Failed to get fingerprint data! %d", ret); - return ret; - } - - ret = get_visibility_by_fingerprint(fingerprint, visibility); - if(ret != CERT_SVC_ERR_NO_ERROR) - { - SLOGE("Failed to get visibility! %d", ret); - return ret; - } - - return CERT_SVC_ERR_NO_ERROR; -} - -int get_certificate_type(CERT_CONTEXT* context, int* cert_type) -{ - int ret = CERT_SVC_ERR_NO_ERROR; - unsigned char * cert = NULL; - int certSize = 0; - char *fingerprint = NULL; - - if(!context->certBuf) - { - SLOGE("certBuf is NULL!"); - return CERT_SVC_ERR_INVALID_PARAMETER; - } - if(!context->certBuf->size) - { - SLOGE("certBuf size is wrong"); - return CERT_SVC_ERR_INVALID_PARAMETER; - } - - cert = context->certBuf->data; - certSize = context->certBuf->size; - - if(cert == NULL || !certSize) - { - SLOGE("cert is or invalid!"); - return CERT_SVC_ERR_INVALID_CERTIFICATE; - } - - ret = get_certificate_fingerprint(cert, certSize, &fingerprint); - if(ret != CERT_SVC_ERR_NO_ERROR) - { - SLOGE("Failed to get fingerprint data! %d", ret); - return ret; - } - - ret = get_type_by_fingerprint(fingerprint, cert_type); - if(ret != CERT_SVC_ERR_NO_ERROR) - { - SLOGE("Failed to get visibility! %d", ret); - return ret; - } - - return CERT_SVC_ERR_NO_ERROR; -} - diff --git a/srcs/cert-service-store.c b/srcs/cert-service-store.c index b88ce4a..82bc401 100644 --- a/srcs/cert-service-store.c +++ b/srcs/cert-service-store.c @@ -32,7 +32,7 @@ #include "cert-service-debug.h" #include "cert-service-store.h" -int get_file_full_path(char* originalName, const char* location, char* outBuf) +static int get_file_full_path(char* originalName, const char* location, char* outBuf) { int ret = CERT_SVC_ERR_NO_ERROR; char pathLocation[CERT_SVC_MAX_FILE_NAME_SIZE]; diff --git a/srcs/cert-service-util.c b/srcs/cert-service-util.c index 21cdfff..944a84e 100644 --- a/srcs/cert-service-util.c +++ b/srcs/cert-service-util.c @@ -543,263 +543,3 @@ err: return ret; } -// fingerprint format - AA:BB:CC:DD:EE... -// cert - der(binary) format -int get_certificate_fingerprint(const unsigned char *cert, int cert_size, char** fingerprint) -{ - X509* x509Cert = NULL; - unsigned char x509_fingerprint[EVP_MAX_MD_SIZE] = {0}; - char uniformedFingerprint[EVP_MAX_MD_SIZE * 3] = {0}; - int fp_len = 0; - char buff[8] = {0}; - unsigned int x509_length = 0; - unsigned int i = 0; - - if(!d2i_X509(&x509Cert, &cert, cert_size)) - { - SLOGE("d2i_x509 failed!"); - *fingerprint = NULL; - return CERT_SVC_ERR_INVALID_CERTIFICATE; - } - - if(!X509_digest(x509Cert, EVP_sha1(), x509_fingerprint, &x509_length)) - { - SLOGE("X509_digest failed"); - X509_free(x509Cert); - *fingerprint = NULL; - return CERT_SVC_ERR_INVALID_CERTIFICATE; - } - - for(i = 0; i < x509_length; i++) - { - snprintf(buff, sizeof(buff), "%02X:", x509_fingerprint[i]); - strncat(uniformedFingerprint, buff, 3); - } - uniformedFingerprint[x509_length * 3 - 1] = 0; // remove last : - fp_len = strlen(uniformedFingerprint); - - *fingerprint = (char*)calloc(sizeof(char), fp_len + 1); - if(*fingerprint == NULL) - { - SLOGE("Failed to allocate memory"); - X509_free(x509Cert); - *fingerprint = NULL; - return CERT_SVC_ERR_MEMORY_ALLOCATION; - } - - memcpy(*fingerprint, uniformedFingerprint, fp_len + 1); - - SLOGD("fingerprint : %s", *fingerprint); - - X509_free(x509Cert); - - return CERT_SVC_ERR_NO_ERROR; -} - -int get_visibility_by_fingerprint(const char* fingerprint, int* visibility) -{ - SLOGD("fingerprint : %s", fingerprint); - int ret = 0; - xmlChar *xmlPathDomainPlatform = (xmlChar*) "tizen-platform"; - xmlChar *xmlPathDomainPublic = (xmlChar*) "tizen-public"; - xmlChar *xmlPathDomainPartner = (xmlChar*) "tizen-partner"; - xmlChar *xmlPathDomainDeveloper = (xmlChar*) "tizen-developer"; - - /* load file */ - xmlDocPtr doc = xmlParseFile(FINGERPRINT_LIST_PATH); - if ((doc == NULL) || (xmlDocGetRootElement(doc) == NULL)) - { - SLOGE("Failed to prase fingerprint_list.xml"); - return CERT_SVC_ERR_FILE_IO; - } - - xmlNodePtr curPtr = xmlFirstElementChild(xmlDocGetRootElement(doc)); - if(curPtr == NULL) - { - SLOGE("Can not find root"); - xmlFreeDoc(doc); - return CERT_SVC_ERR_FILE_IO; - } - - while(curPtr != NULL) - { - xmlAttr* attr = curPtr->properties; - if(!attr->children || !attr->children->content) - { - SLOGE("Failed to get fingerprints from list"); - ret = CERT_SVC_ERR_NO_ROOT_CERT; - goto out; - } - - xmlChar* strLevel = attr->children->content; - xmlNodePtr FpPtr = xmlFirstElementChild(curPtr); - - /* - if(FpPtr == NULL) - { - SLOGE("Could not find fingerprint"); - ret = CERT_SVC_ERR_NO_ROOT_CERT; - goto out; - } - */ - - while(FpPtr) - { - xmlChar *content = xmlNodeGetContent(FpPtr); - if(xmlStrcmp(content, (xmlChar*)fingerprint) == 0) - { - SLOGD("fingerprint : %s are %s", content, strLevel); - if(!xmlStrcmp(strLevel, xmlPathDomainPlatform)){ - *visibility = CERT_SVC_VISIBILITY_PLATFORM; - ret = CERT_SVC_ERR_NO_ERROR; - goto out; - } - else if(!xmlStrcmp(strLevel, xmlPathDomainPublic)){ - *visibility = CERT_SVC_VISIBILITY_PUBLIC; - ret = CERT_SVC_ERR_NO_ERROR; - goto out; - } - else if(!xmlStrcmp(strLevel, xmlPathDomainPartner)){ - *visibility = CERT_SVC_VISIBILITY_PARTNER; - ret = CERT_SVC_ERR_NO_ERROR; - goto out; - } - else if(!xmlStrcmp(strLevel, xmlPathDomainDeveloper)){ - *visibility = CERT_SVC_VISIBILITY_DEVELOPER; - ret = CERT_SVC_ERR_NO_ERROR; - goto out; - } - } - FpPtr = xmlNextElementSibling(FpPtr); - } - curPtr = xmlNextElementSibling(curPtr); - } - - SLOGE("Could not find fingerrpint"); - - xmlFreeDoc(doc); - return CERT_SVC_ERR_NO_ROOT_CERT; - -out: - xmlFreeDoc(doc); - return ret; -} - -int get_type_by_fingerprint(const char* fingerprint, int* cert_type) -{ - int ret = CERT_SVC_ERR_NO_ERROR; - xmlChar *xmlPathDomainTest = (xmlChar*) "tizen-test"; - xmlChar *xmlPathDomainVerify = (xmlChar*) "tizen-verify"; - xmlChar *xmlPathDomainStore = (xmlChar*) "tizen-store"; - - /* load file */ - xmlDocPtr doc = xmlParseFile(FINGERPRINT_LIST_PATH); - if ((doc == NULL) || (xmlDocGetRootElement(doc) == NULL)) - { - SLOGE("Failed to prase fingerprint_list.xml"); - return CERT_SVC_ERR_FILE_IO; - } - - xmlNodePtr curPtr = xmlFirstElementChild(xmlDocGetRootElement(doc)); - if(curPtr == NULL) - { - SLOGE("Can not find root"); - xmlFreeDoc(doc); - return CERT_SVC_ERR_FILE_IO; - } - - while(curPtr != NULL) - { - xmlAttr* attr = curPtr->properties; - if(!attr->children || !attr->children->content) - { - SLOGE("Failed to get fingerprints from list"); - ret = CERT_SVC_ERR_NO_ROOT_CERT; - goto out; - } - - xmlChar* strLevel = attr->children->content; - xmlNodePtr FpPtr = xmlFirstElementChild(curPtr); - - while(FpPtr) - { - xmlChar *content = xmlNodeGetContent(FpPtr); - if(xmlStrcmp(content, (xmlChar*)fingerprint) == 0) - { - SLOGD("fingerprint : %s matched %s", content, strLevel); - if(!xmlStrcmp(strLevel, xmlPathDomainTest)){ - *cert_type = CERT_SVC_TYPE_TEST; - ret = CERT_SVC_ERR_NO_ERROR; - goto out; - } - else if(!xmlStrcmp(strLevel, xmlPathDomainVerify)){ - *cert_type = CERT_SVC_TYPE_VERIFY; - ret = CERT_SVC_ERR_NO_ERROR; - goto out; - } - else if(!xmlStrcmp(strLevel, xmlPathDomainStore)){ - *cert_type = CERT_SVC_TYPE_STORE; - ret = CERT_SVC_ERR_NO_ERROR; - goto out; - } - } - FpPtr = xmlNextElementSibling(FpPtr); - } - curPtr = xmlNextElementSibling(curPtr); - } - - SLOGD("Could not find fingerprint"); - xmlFreeDoc(doc); - *cert_type = CERT_SVC_TYPE_NO_TYPE; - return CERT_SVC_ERR_NO_ERROR; - -out: - xmlFreeDoc(doc); - return ret; -} - - -// expect input cert data is base64 encoded format -int get_visibility_by_certificate(const unsigned char *cert_data, int data_len, int* visibility) -{ - if(!cert_data || !data_len) - { - return CERT_SVC_ERR_INVALID_PARAMETER; - } - - int decodedSize = ((data_len / 4) * 3) + 1; - unsigned char *decoded = NULL; - char *fingerprint = NULL; - int ret = CERT_SVC_ERR_NO_ERROR; - - if(!(decoded = (unsigned char *)malloc(sizeof(unsigned char) * decodedSize))) { - SLOGE("Fail to allocate memory."); - return CERT_SVC_ERR_MEMORY_ALLOCATION; - } - memset(decoded, 0x00, decodedSize); - - if((ret = cert_svc_util_base64_decode(cert_data, data_len, decoded, &decodedSize)) != CERT_SVC_ERR_NO_ERROR) - { - SLOGE("Failed to decode data %d", ret); - free(decoded); - return ret; - } - - ret = get_certificate_fingerprint(decoded, decodedSize, &fingerprint); - if(ret != CERT_SVC_ERR_NO_ERROR) - { - SLOGE("Can not get fingerprint! %d", ret); - return ret; - } - - ret = get_visibility_by_fingerprint(fingerprint, visibility); - if(ret != CERT_SVC_ERR_NO_ERROR) - { - SLOGE("Can not find visibility %d", ret); - return ret; - } - - free(decoded); - free(fingerprint); - return CERT_SVC_ERR_NO_ERROR; -} diff --git a/srcs/cert-service.c b/srcs/cert-service.c index 0bf970c..185c7ab 100644 --- a/srcs/cert-service.c +++ b/srcs/cert-service.c @@ -93,62 +93,15 @@ err: return result; } -int cert_svc_get_certificate_type(CERT_CONTEXT *ctx, int* cert_type) -{ - CERT_CONTEXT* context = NULL; - int ret = CERT_SVC_ERR_NO_ERROR; - - if (!ctx || !cert_type) { - SLOGE("Invalid prameters"); - return CERT_SVC_ERR_INVALID_PARAMETER; - } - - if (!ctx->fileNames || !ctx->fileNames->filename) { - SLOGE("Can not find root certificate path"); - return CERT_SVC_ERR_INVALID_PARAMETER; - } - - context = cert_svc_cert_context_init(); - if (!context) { - SLOGE("Out of memory"); - return CERT_SVC_ERR_MEMORY_ALLOCATION; - } - - ret = cert_svc_load_file_to_context(context, ctx->fileNames->filename); - if (ret != CERT_SVC_ERR_NO_ERROR) { - SLOGE("failed to load root certficiate"); - cert_svc_cert_context_final(context); - return CERT_SVC_ERR_INVALID_CERTIFICATE; - } - - ret = get_certificate_type(context, cert_type); - - cert_svc_cert_context_final(context); - - return ret; -} - int _cert_svc_verify_certificate_with_caflag(CERT_CONTEXT* ctx, int checkCAFlag, int* validity) { int ret = CERT_SVC_ERR_NO_ERROR; - int cert_type = 0; - unsigned char *cert = NULL; - int size=0; - int result = 0; - - if (!ctx || !ctx->certBuf || !ctx->certLink || !ctx->certLink->certificate || ctx->fileNames) { + if (!ctx || !ctx->certBuf || ctx->fileNames) { SLOGE("[ERR][%s] Check your parameter. Cannot find certificate.", __func__); return CERT_SVC_ERR_INVALID_PARAMETER; } - size = ctx->certLink->certificate->size; - cert = (unsigned char *)calloc(size, 1); - if (!cert) - return CERT_SVC_ERR_MEMORY_ALLOCATION; - - memcpy(cert, ctx->certLink->certificate->data, size); - if(!(ctx->fileNames = (cert_svc_filename_list*)malloc(sizeof(cert_svc_filename_list)))) { SLOGE("[ERR][%s] Fail to allocate memory.", __func__); ret = CERT_SVC_ERR_MEMORY_ALLOCATION; @@ -167,38 +120,13 @@ int _cert_svc_verify_certificate_with_caflag(CERT_CONTEXT* ctx, int checkCAFlag, goto err; } - SECURE_LOGD("root cert path : %s", ctx->fileNames->filename); - ret = cert_svc_get_certificate_type(ctx, &cert_type); - if (ret != CERT_SVC_ERR_NO_ERROR) { - SLOGE("failed to cert_svc_get_certificate_type"); - goto err; - } - - SLOGD("cert_type = %d", cert_type); - if (cert_type == CERT_SVC_TYPE_TEST) { - SLOGD("Checking DUID"); - result = __is_certified_device(cert, size); - - if (result == -1){ - SLOGE("Device profile file does not exist in Device."); - ret = CERT_SVC_ERR_INVALID_NO_DEVICE_PROFILE; - goto err; - } else if (result == 0) { - SLOGE("Device Unique ID (DUID) is not registered."); - ret = CERT_SVC_ERR_INVALID_DEVICE_UNIQUE_ID; - goto err; - } - } - - SLOGD("[%s] Success to verify certificate.", __func__); + SLOGD("root cert path : %s", ctx->fileNames->filename); + SLOGD("Success to verify certificate."); err: - free(cert); return ret; } - - CERT_SVC_API int cert_svc_add_certificate_to_store(const char* filePath, const char* location) { @@ -274,46 +202,6 @@ int cert_svc_delete_certificate_from_store(const char* fileName, const char* loc return CERT_SVC_ERR_NO_ERROR; } - -CERT_SVC_API -int cert_svc_verify_package_certificate(CERT_CONTEXT* ctx, int* validity, const char* signatureFile) -{ - SLOGD("cert_svc_verify_package_certificate"); - int ca_cflag_check_false = 0; - - int ret = _cert_svc_verify_certificate_with_caflag(ctx, ca_cflag_check_false, validity); - if (ret != CERT_SVC_ERR_NO_ERROR) - return ret; - - int visibility = 0; - ret = cert_svc_get_visibility(ctx, &visibility); - if (ret != CERT_SVC_ERR_NO_ERROR) - return ret; - - char* sig_file_name = NULL; - if ((sig_file_name = strstr(signatureFile, AUTHOR_SIGNATURE))) { - SLOGD("signature file : %s %d", sig_file_name, visibility); - if (strncmp(sig_file_name, AUTHOR_SIGNATURE, strlen(sig_file_name)) == 0) { - if (visibility != CERT_SVC_VISIBILITY_DEVELOPER) { - SLOGE("Author signature signed as distributor signature. Invalid!"); - *validity = 0; - return CERT_SVC_ERR_IN_AUTHOR_CASE_DISTRIBUTOR_CERT; - } - } - } else if ((sig_file_name = strstr(signatureFile, DISTRIBUTOR_SIGNATURE))) { - SLOGD("signature file : %s %d", sig_file_name, visibility); - if (strncmp(sig_file_name, DISTRIBUTOR_SIGNATURE, strlen(sig_file_name)) == 0) { - if (visibility == CERT_SVC_VISIBILITY_DEVELOPER) { - SLOGE("Distributor signature signed as author signature. Invalid!"); - *validity = 0; - return CERT_SVC_ERR_IN_DISTRIBUTOR_CASE_AUTHOR_CERT; - } - } - } - - return CERT_SVC_ERR_NO_ERROR; -} - CERT_SVC_API int cert_svc_verify_certificate(CERT_CONTEXT* ctx, int* validity) { @@ -326,30 +214,6 @@ int cert_svc_verify_certificate_with_caflag(CERT_CONTEXT* ctx, int* validity) return _cert_svc_verify_certificate_with_caflag(ctx, 1, validity); } -/* - * message : unsigned character string - * signature : base64 encoded string - */ -CERT_SVC_API -int cert_svc_verify_signature(CERT_CONTEXT* ctx, unsigned char* message, int msgLen, unsigned char* signature, char* algo, int* validity) -{ - int ret = CERT_SVC_ERR_NO_ERROR; - - if (!message || !signature || !ctx || !ctx->certBuf) { - SLOGE("[ERR][%s] Invalid parameter, please check your parameter", __func__); - return CERT_SVC_ERR_INVALID_PARAMETER; - } - - if ((ret = _verify_signature(ctx->certBuf, message, msgLen, signature, algo, validity)) != CERT_SVC_ERR_NO_ERROR) { - SLOGE("[ERR][%s] Fail to verify signature.", __func__); - return ret; - } - - SLOGD("[%s] Success to verify signature.", __func__); - - return CERT_SVC_ERR_NO_ERROR; -} - CERT_SVC_API int cert_svc_extract_certificate_data(CERT_CONTEXT* ctx) { @@ -682,84 +546,7 @@ char* cert_svc_get_certificate_crt_file_path(void) } CERT_SVC_API -int cert_svc_get_visibility(CERT_CONTEXT *ctx, int* visibility) -{ - CERT_CONTEXT* context = NULL; - int ret = CERT_SVC_ERR_NO_ERROR; - - if (!ctx || !visibility) { - SLOGE("Invalid prameters"); - return CERT_SVC_ERR_INVALID_PARAMETER; - } - - if (!ctx->fileNames || !ctx->fileNames->filename) { - SLOGE("Can not find root certificate path"); - return CERT_SVC_ERR_INVALID_PARAMETER; - } - - context = cert_svc_cert_context_init(); - if (!context) { - SLOGE("Out of memory"); - return CERT_SVC_ERR_MEMORY_ALLOCATION; - } - - ret = cert_svc_load_file_to_context(context, ctx->fileNames->filename); - if (ret != CERT_SVC_ERR_NO_ERROR) { - SLOGE("failed to load root certficiate"); - cert_svc_cert_context_final(context); - return CERT_SVC_ERR_INVALID_CERTIFICATE; - } - - ret = get_visibility(context, visibility); - - cert_svc_cert_context_final(context); - - return ret; -} - - -CERT_SVC_API -int cert_svc_get_visibility_by_root_certificate(const char* base64_encoded_data, int data_len, int* visibility) -{ - if (!base64_encoded_data|| !data_len) { - return CERT_SVC_ERR_INVALID_PARAMETER; - } - - int ret = get_visibility_by_certificate((const unsigned char *)base64_encoded_data, data_len, visibility); - if (ret != CERT_SVC_ERR_NO_ERROR) { - SLOGE("Failed to get_visibility :%d", ret); - return ret; - } - - return CERT_SVC_ERR_NO_ERROR; -} - -CERT_SVC_API int cert_svc_util_parse_name_fld_data(unsigned char* str, cert_svc_name_fld_data* fld) { return parse_name_fld_data(str, fld); } - -void hex_encoder(const char *src, int srcLen, char *out) -{ - int i = 0; - unsigned char cLow = 0; - unsigned char cHigh = 0; - - for (i = 0; i < srcLen ; i++) { - cLow = src[i] & 0x0f; - cHigh = (src[i] >> 4) & 0x0f; - - if (cLow <= 9) - out[i * 2 + 1] = cLow + '0'; - else - out[i * 2 + 1] = cLow - 10 + 'A'; - - if (cHigh <= 9) - out[i * 2] = cHigh + '0'; - else - out[i * 2] = cHigh - 10 + 'A'; - } - -} - diff --git a/tests/cert-svc/test_caflag.c b/tests/cert-svc/test_caflag.c index 741e939..c768970 100644 --- a/tests/cert-svc/test_caflag.c +++ b/tests/cert-svc/test_caflag.c @@ -75,7 +75,6 @@ int test_verify_certificate_succ_nocaflag_cert() { int ret = CERT_SVC_ERR_NO_ERROR; CERT_CONTEXT* ctx = cert_svc_cert_context_init(); - // load certificate to context ret = cert_svc_load_file_to_context(ctx, CERT_FILE_SIGNER_V1); if(ret != CERT_SVC_ERR_NO_ERROR) { printf("....fail..cert_svc_load_file_to_context. ret=%d\n", ret); fflush(stderr); @@ -104,7 +103,6 @@ int test_verify_certificate_with_caflag_succ() { int ret = CERT_SVC_ERR_NO_ERROR; CERT_CONTEXT* ctx = cert_svc_cert_context_init(); - // load certificate to context ret = cert_svc_load_file_to_context(ctx, CERT_FILE_SIGNER_AIA); if(ret != CERT_SVC_ERR_NO_ERROR) { printf("....fail..cert_svc_load_file_to_context. ret=%d\n", ret); fflush(stderr); diff --git a/vcore/vcore/api.cpp b/vcore/vcore/api.cpp index ec62504..1c9383c 100644 --- a/vcore/vcore/api.cpp +++ b/vcore/vcore/api.cpp @@ -45,6 +45,8 @@ #include +#include + #include #include #include