From b08954c7541afe553f717eb8655a4b4e139545ed Mon Sep 17 00:00:00 2001 From: "sangwan.kwon" Date: Mon, 18 Apr 2016 11:28:04 +0900 Subject: [PATCH] Allow fingerprint list extention file * If certificates's domain is not in fingerprint_list.xml * Then, search in fingerprint_list_ext.xml one more * extention file's directory should be same with the original file Change-Id: Ieeb70ac5c9b07ef8f9da0455a2203d56c06f4e3a --- CMakeLists.txt | 1 + vcore/vcore/SignatureValidator.cpp | 7 ++++-- vcore/vcore/ValidatorFactories.cpp | 45 +++++++++++++++++++++++++++----------- vcore/vcore/api.cpp | 19 +++++++++++----- 4 files changed, 51 insertions(+), 21 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 4fbe446..2e5bdd4 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -39,6 +39,7 @@ ADD_DEFINITIONS("-DTZ_SYS_CA_BUNDLE=\"${TZ_SYS_CA_BUNDLE}\"") SET(CA_CERTS_PATH ${TZ_SYS_RO_SHARE}/ca-certificates) ADD_DEFINITIONS("-DTZ_SYS_CA_CERTS_TIZEN=\"${CA_CERTS_PATH}/tizen\"") ADD_DEFINITIONS("-DFINGERPRINT_LIST_PATH=\"${CA_CERTS_PATH}/fingerprint/fingerprint_list.xml\"") +ADD_DEFINITIONS("-DFINGERPRINT_LIST_EXT_PATH=\"${CA_CERTS_PATH}/fingerprint/fingerprint_list_ext.xml\"") ADD_DEFINITIONS("-DFINGERPRINT_LIST_SCHEMA_PATH=\"${CA_CERTS_PATH}/fingerprint/fingerprint_list.xsd\"") CONFIGURE_FILE(cert-svc-vcore.pc.in cert-svc-vcore.pc @ONLY) diff --git a/vcore/vcore/SignatureValidator.cpp b/vcore/vcore/SignatureValidator.cpp index 14f75c0..64e0fd3 100644 --- a/vcore/vcore/SignatureValidator.cpp +++ b/vcore/vcore/SignatureValidator.cpp @@ -16,6 +16,7 @@ /* * @file SignatureValidator.cpp * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com) + * @author Sangwan Kwon (sangwan.kwon@samsung.com) * @version 1.0 * @brief Implementatin of tizen signature validation protocol. */ 
@@ -269,9 +270,11 @@ VCerr SignatureValidator::Impl::preStep(void) if (result != E_SIG_NONE) return result; - // Is Root CA certificate trusted? - Set storeIdSet = createCertificateIdentifier().find(m_data.getCertList().back()); + // Get Identifier from fingerprint original, extention file. + auto certificatePtr = m_data.getCertList().back(); + auto storeIdSet = createCertificateIdentifier().find(certificatePtr); + // Is Root CA certificate trusted? LogDebug("root certificate from " << storeIdSet.typeToString() << " domain"); if (m_data.isAuthorSignature()) { if (!storeIdSet.contains(TIZEN_DEVELOPER)) { diff --git a/vcore/vcore/ValidatorFactories.cpp b/vcore/vcore/ValidatorFactories.cpp index 51b07c3..2c2f01d 100644 --- a/vcore/vcore/ValidatorFactories.cpp +++ b/vcore/vcore/ValidatorFactories.cpp @@ -16,6 +16,7 @@ /* * @file * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com) + * @author Sangwan kwon (sangwan.kwon@samsung.com) * @version 1.0 * @brief */ 
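Review bot: The new comment above `createCertificateIdentifier().find(certificatePtr)` reads as if two files were consulted at this call, while the call itself is unchanged and any merging happens inside the factory. Because the `TIZEN_DEVELOPER` check that follows is a trust decision, I would state the source of the domains explicitly, e.g. `// Look up the root certificate's domains in the identifier built from fingerprint_list.xml plus the optional fingerprint_list_ext.xml.` If `getCertList().back()` returns a reference (not visible here, please confirm), `const auto &certificatePtr` avoids copying the pointer object. preStep's body starts and ends outside the hunk.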
@@ -26,24 +27,42 @@ #include #include +#include +#include namespace ValidationCore { const CertificateIdentifier& createCertificateIdentifier() { - static CertificateIdentifier certificateIdentifier; - static bool initialized = false; - if (!initialized) { - CertificateConfigReader reader; - std::string file(FINGERPRINT_LIST_PATH); - LogDebug("File with fingerprint list is : " << file); - std::string schema(FINGERPRINT_LIST_SCHEMA_PATH); - LogDebug("File with fingerprint list schema is : " << schema); - reader.initialize(file, schema); - reader.read(certificateIdentifier); - - initialized = true; - } + static CertificateIdentifier certificateIdentifier; + static bool initialized = false; + + if (!initialized) { + std::string file(FINGERPRINT_LIST_PATH); + std::string schema(FINGERPRINT_LIST_SCHEMA_PATH); + LogDebug("File with fingerprint list is : " << file); + LogDebug("File with fingerprint list schema is : " << schema); + + // Read the fingerprint original list. + CertificateConfigReader reader; + reader.initialize(file, schema); + reader.read(certificateIdentifier); + + // Check the fingerprint extention list exist. + if (std::ifstream(FINGERPRINT_LIST_EXT_PATH)) + { + std::string extFile(FINGERPRINT_LIST_EXT_PATH); + LogDebug("Exist fingerprint extention file, add it."); + + // Read the fingerprint extention list. + CertificateConfigReader extReader; + extReader.initialize(extFile, schema); + extReader.read(certificateIdentifier); + } + + initialized = true; + } + return certificateIdentifier; } diff --git a/vcore/vcore/api.cpp b/vcore/vcore/api.cpp index 417ec80..ed1f1f3 100644 --- a/vcore/vcore/api.cpp +++ b/vcore/vcore/api.cpp @@ -17,6 +17,7 @@ * @file api.cpp * @author Bartlomiej Grzelewski (b.grzelewski@samsung.com) * @author Jacek Migacz (j.migacz@samsung.com) + * @author Sangwan Kwon (sangwan.kwon@samsung.com) * @version 1.0 * @brief This is part of C-api proposition for cert-svc. */ 
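Review bot: The extension list is merged into the same static `certificateIdentifier` that decides which root certificates are trusted, yet it is loaded whenever the file merely opens, with only a `LogDebug` trace and no error handling around `extReader`. If `initialize()` or `read()` can throw on a malformed file (not visible here), the exception leaves `initialized` false after the base list was already read, so one bad optional file would break validation for every caller and the base list would be read again on the next call. I would isolate the extension read so that a failure is logged and the base list stays in effect, and record a successful load at a level that survives release builds. A comment should also state that the extension file needs the same ownership and write protection as fingerprint_list.xml, since anyone able to create it can add trusted fingerprints.

```cpp
// … unchanged: base list read via reader.initialize(file, schema) and reader.read(certificateIdentifier) …

// The extension list widens the trusted set; it must be as write-protected
// as the base list. A failure here must not disable the base list.
std::string extFile(FINGERPRINT_LIST_EXT_PATH);
if (std::ifstream(extFile)) {
    LogDebug("Exist fingerprint extention file, add it.");
    try {
        CertificateConfigReader extReader;
        extReader.initialize(extFile, schema);
        extReader.read(certificateIdentifier);
    } catch (...) {
        LogError("Failed to load fingerprint extension list : " << extFile);
    }
}

initialized = true;
```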
@@ -740,7 +741,8 @@ public: return CERTSVC_SUCCESS; } - int getVisibility(CertSvcCertificate certificate, CertSvcVisibility *visibility) + // TODO : sangan.kwon, modify method by using CertificateIdentifier + int getVisibility(CertSvcCertificate certificate, CertSvcVisibility *visibility, const char *fingerprintListPath) { int ret = CERTSVC_FAIL; //xmlChar *xmlPathCertificateSet = (xmlChar*) "CertificateSet"; /*unused variable*/ @@ -760,7 +762,7 @@ public: std::string fingerprint = Certificate::FingerprintToColonHex(certPtr->getFingerprint(Certificate::FINGERPRINT_SHA1)); /* load file */ - xmlDocPtr doc = xmlParseFile(FINGERPRINT_LIST_PATH); + xmlDocPtr doc = xmlParseFile(fingerprintListPath); if ((doc == NULL) || (xmlDocGetRootElement(doc) == NULL)) { LogError("Failed to prase fingerprint_list.xml"); @@ -1425,11 +1427,16 @@ int certsvc_certificate_verify_with_caflag( int certsvc_certificate_get_visibility(CertSvcCertificate certificate, CertSvcVisibility *visibility) { try { - return impl(certificate.privateInstance)->getVisibility(certificate, visibility); + int result = impl(certificate.privateInstance)->getVisibility(certificate, visibility, FINGERPRINT_LIST_PATH); + if (result != CERTSVC_SUCCESS) { + LogDebug("Cannot find store id in FINGERPRINT_LIST_PATH. Find it in extention continue."); + result = impl(certificate.privateInstance)->getVisibility(certificate, visibility, FINGERPRINT_LIST_EXT_PATH); + } + return result; } catch (...) - { - LogError("exception occur"); - } + { + LogError("exception occur"); + } return CERTSVC_FAIL; } -- 2.7.4
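Review bot: `getVisibility` hands `fingerprintListPath` straight to `xmlParseFile` and on failure still logs `Failed to prase fingerprint_list.xml`, so a missing or broken extension file is reported under the wrong name. Because the extension file is optional, that error would fire on every lookup that misses the base list; I would log the actual path, `LogError("Failed to parse fingerprint list : " << fingerprintListPath);`, and reject a null path before parsing. As far as these hunks show, nothing here validates the file against fingerprint_list.xsd the way the factory path does, which matters more now that a second, optional file feeds the visibility decision. The function body continues outside both hunks (-740 and -760).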
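Review bot: The fallback in `certsvc_certificate_get_visibility` retries against `FINGERPRINT_LIST_EXT_PATH` on any result other than `CERTSVC_SUCCESS`, so an invalid argument or a parse failure of the base list is treated the same as "fingerprint not listed". That lets the extension file answer for a certificate whenever the base list cannot be read, and the returned code then describes the extension lookup instead of the original failure. I would retry only on the not-found outcome (whatever code `getVisibility` uses for it, which is outside this hunk) and skip the second call when the extension file is absent. A comment could pin the intent: `// Extension list is consulted only when the base list parsed correctly and does not contain the fingerprint.`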