From 68fe4650fc237a98a1c5b3181b152e1d920eb67a Mon Sep 17 00:00:00 2001 From: Soyoung Kim Date: Fri, 8 Mar 2013 18:39:27 +0900 Subject: [PATCH] check certificate during update [Issue#] N/A [Problem] N/A [Cause] N/A [Solution] Request from docomo. check certificate between previous and current during update. if previous and current cerificate is not matched, widget installation fail. [SCMRequest] N/A Change-Id: Icf80eb3af1209c1764d4cffb54234f0d50943e1a --- src/jobs/widget_install/task_certify.cpp | 71 +++++++++++++++++++++++++++++++- src/jobs/widget_install/task_certify.h | 1 + src/jobs/widget_install/wac_security.h | 4 ++ 3 files changed, 74 insertions(+), 2 deletions(-) diff --git a/src/jobs/widget_install/task_certify.cpp b/src/jobs/widget_install/task_certify.cpp index 6b0040f..cd38d74 100644 --- a/src/jobs/widget_install/task_certify.cpp +++ b/src/jobs/widget_install/task_certify.cpp @@ -92,6 +92,34 @@ WidgetCertificateData toWidgetCertificateData(const SignatureData &data, return result; } + +CertificatePtr getOldAuthorSignerCertificate(DPL::String appid) +{ + WidgetDAOReadOnly dao(appid); + CertificateChainList chainList = dao.getWidgetCertificate(SIGNATURE_AUTHOR); + + FOREACH(it, chainList) + { + ValidationCore::CertificateCollection chain; + if (false == chain.load(*it)) { + LogError("Chain is broken"); + } + + if (!chain.sort()) { + LogError("Chain failed at sorting"); + } + + ValidationCore::CertificateList list = chain.getCertificateList(); + + FOREACH(cert, list) + { + if (!(*cert)->isRootCert() && !(*cert)->isCA()) { + return *cert; + } + } + } + return CertificatePtr(NULL); +} } // namespace anonymous namespace Jobs { 
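Review bot: In the `FOREACH(it, chainList)` loop of `getOldAuthorSignerCertificate`, a failed `chain.load(*it)` or `chain.sort()` is only logged, and the code then still walks `chain.getCertificateList()` of that chain. At minimum each error branch should skip the chain, e.g. `LogError("Chain is broken"); continue;`. More importantly, the function returns `CertificatePtr(NULL)` both when the installed widget has no author signature and when its stored chain could not be read, and `stepVerifyUpdate` accepts the update when both the old and new certificates are NULL. An unreadable stored chain should therefore be reported distinctly (an exception or an explicit error result) so that the update fails closed instead of being treated as "previously unsigned". Taking `appid` as `const DPL::String &` would also avoid a copy.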
@@ -102,6 +130,10 @@ TaskCertify::TaskCertify(InstallerContext &inCont) : m_contextData(inCont) { AddStep(&TaskCertify::stepSignature); + // certi comparison determines whether the update. + if (true == m_contextData.existingWidgetInfo.isExist) { + AddStep(&TaskCertify::stepVerifyUpdate); + } // Block until fixed popup issues if (!GlobalSettings::PopupsTestModeEnabled() @@ -152,8 +184,9 @@ void TaskCertify::processAuthorSignature(const SignatureData &data) using namespace ValidationCore; LogInfo("DNS Identity match!"); // this signature is verified or widget is distributor signed - m_contextData.wacSecurity.getAuthorCertificatePtr() = - data.getEndEntityCertificatePtr(); + m_contextData.wacSecurity.setAuthorCertificatePtr(data.getEndEntityCertificatePtr()); + CertificatePtr test = m_contextData.wacSecurity.getAuthorCertificatePtr(); + m_contextData.wacSecurity.getCertificateListRef().push_back( toWidgetCertificateData(data, true)); m_contextData.wacSecurity.getCertificateListRef().push_back( 
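Review bot: The added comment `// certi comparison determines whether the update.` in the constructor does not say what the step enforces or why it is registered at this position. Since `stepVerifyUpdate` reads the author certificate that `stepSignature` stores, the ordering is a requirement and worth stating, for example `// On update, the new package's author signer certificate must match the installed one; must run after stepSignature, which sets it.` The condition can also be written as `if (m_contextData.existingWidgetInfo.isExist)`. The constructor body continues outside the hunk.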
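Review bot: The added local `CertificatePtr test = m_contextData.wacSecurity.getAuthorCertificatePtr();` in `processAuthorSignature` is never used in the visible lines and looks like leftover debugging; it should be dropped along with the blank line added after it. The switch to `setAuthorCertificatePtr(...)` itself is the meaningful change here, since the getter shown in `wac_security.h` returns by value and the old assignment only modified a temporary. A short comment on the setter call saying that this value is what the update check later compares would help the next reader. The body of `processAuthorSignature` starts and ends outside the hunk.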
@@ -469,6 +502,40 @@ bool TaskCertify::isTizenWebApp() const return ret; } + +void TaskCertify::stepVerifyUpdate() +{ + LogInfo("Step: <>"); + CertificatePtr newCertificate = + m_contextData.wacSecurity.getAuthorCertificatePtr(); + CertificatePtr oldCertificate = + getOldAuthorSignerCertificate(m_installContext.widgetConfig.tzAppid); + + if (!!newCertificate && !!oldCertificate) { + if (0 != newCertificate->getBase64().compare(oldCertificate->getBase64())) { + LogDebug("old widget's author signer certificate : " << + oldCertificate->getBase64()); + LogDebug("new widget's author signer certificate : " << + newCertificate->getBase64()); + ThrowMsg(Exceptions::InvalidPackage, + "Author signer certificates doesn't match \ + between old widget and installing widget"); + } + } else { + if (NULL == newCertificate.Get() ) + LogDebug("@@@@ new certificate nul"); + + if (NULL == oldCertificate.Get() ) + LogDebug("@@@@ old certificate nul"); + + if (!(NULL == newCertificate.Get() && NULL == oldCertificate.Get())) { + LogDebug("@@@@"); + ThrowMsg(Exceptions::InvalidPackage, + "Author signer certificates doesn't match \ + between old widget and installing widget"); + } + } +} } //namespace WidgetInstall } //namespace Jobs diff --git a/src/jobs/widget_install/task_certify.h b/src/jobs/widget_install/task_certify.h index 8ee7e2b..315a500 100644 --- a/src/jobs/widget_install/task_certify.h +++ b/src/jobs/widget_install/task_certify.h @@ -51,6 +51,7 @@ class TaskCertify : //steps void stepSignature(); + void stepVerifyUpdate(); void stepWarningPopup(); void stepAuthorInfoPopup(); void stepWarningPopupAnswer(); diff --git a/src/jobs/widget_install/wac_security.h b/src/jobs/widget_install/wac_security.h index b12e067..d343fd9 100644 --- a/src/jobs/widget_install/wac_security.h +++ b/src/jobs/widget_install/wac_security.h 
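Review bot: In `stepVerifyUpdate` the accept/reject decision is split across two branches that throw the same exception, interleaved with `@@@@` debug markers, and the message is a backslash-continued string literal, which embeds the next line's leading whitespace in the text. Collapsing this into one explicit condition (both unsigned, or both present and identical) makes the security decision auditable in one place; adjacent string literals keep the message clean, and the rejection should be logged at error level rather than debug. The lookup also uses `m_installContext.widgetConfig.tzAppid`, while every other access in this patch goes through `m_contextData`; unless `m_installContext` is declared elsewhere, this probably should be `m_contextData`. The function is fully contained in the hunk.

```cpp
void TaskCertify::stepVerifyUpdate()
{
    // … unchanged: step log line and lookup of newCertificate / oldCertificate …

    // Accept only if neither package has an author signature, or both carry
    // the identical author signer certificate.
    const bool bothUnsigned = !newCertificate && !oldCertificate;
    const bool sameSigner = !!newCertificate && !!oldCertificate &&
        0 == newCertificate->getBase64().compare(oldCertificate->getBase64());

    if (!bothUnsigned && !sameSigner) {
        LogError("Author signer certificate mismatch on update");
        ThrowMsg(Exceptions::InvalidPackage,
                 "Author signer certificates doesn't match "
                 "between old widget and installing widget");
    }
}
```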
@@ -75,6 +75,10 @@ class WacSecurity : public WrtDB::IWacSecurity { mWacSigned = wacSigned; } + void setAuthorCertificatePtr(ValidationCore::CertificatePtr certPtr) + { + mAuthorCertificate = certPtr; + } ValidationCore::CertificatePtr getAuthorCertificatePtr() const { -- 2.7.4
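Review bot: `setAuthorCertificatePtr` takes `ValidationCore::CertificatePtr` by value and then copies it again into `mAuthorCertificate`. If `CertificatePtr` is a reference-counted pointer, as its use elsewhere in this patch suggests, the signature `void setAuthorCertificatePtr(const ValidationCore::CertificatePtr &certPtr)` avoids the extra copy. A one-line comment such as `// Author signer (end-entity) certificate of the package being installed; compared against the installed widget's on update.` would document why the setter exists. The class body continues outside the hunk.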