2 * Copyright (c) 2011 Samsung Electronics Co., Ltd All Rights Reserved
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
17 * @file task_certify.cpp
18 * @author Pawel Sikorski (p.sikorski@samgsung.com)
26 #include <dpl/assert.h>
27 #include <appcore-common.h> //TODO is it necessary here?
31 #include <widget_install/task_certify.h>
32 #include <widget_install/job_widget_install.h>
33 #include <widget_install/widget_install_errors.h>
34 #include <widget_install/widget_install_context.h>
35 #include <dpl/log/log.h>
36 #include <dpl/wrt-dao-ro/global_config.h>
37 #include "wac_widget_id.h"
39 #include <vcore/Certificate.h>
40 #include <vcore/SignatureReader.h>
41 #include <vcore/SignatureFinder.h>
42 #include <vcore/WrtSignatureValidator.h>
43 #include <vcore/DeveloperModeValidator.h>
44 #include <dpl/utils/wrt_global_settings.h>
45 #include <dpl/wrt-dao-ro/global_dao_read_only.h>
47 #include <ITapiModem.h>
48 #include <tapi_common.h>
50 using namespace ValidationCore;
51 using namespace WrtDB;
54 const std::string LABEL_NEW_LINE = "<br>";
55 const std::string LABEL_NEW_LINE_2 = "<br><br>";
56 const std::string UNTRUSTED_WIDGET = "It is an Untrusted Widget";
57 const char *QUESTION = "Do you wanto to install?";
59 WidgetCertificateData toWidgetCertificateData(const SignatureData &data,
62 WidgetCertificateData result;
64 result.chainId = data.getSignatureNumber();
65 LogDebug("result.chainId : " << result.chainId);
67 result.owner = data.isAuthorSignature() ?
68 WidgetCertificateData::AUTHOR : WidgetCertificateData::DISTRIBUTOR;
71 WidgetCertificateData::ROOT : WidgetCertificateData::ENDENTITY;
73 CertificatePtr certificate;
76 certificate = data.getRootCaCertificatePtr();
78 certificate = data.getEndEntityCertificatePtr();
81 Assert(certificate && !certificate->getCommonName().IsNull() &&
82 "CommonName is Null");
84 result.strCommonName = *certificate->getCommonName();
86 result.strMD5Fingerprint = std::string("md5 ") +
87 Certificate::FingerprintToColonHex(
88 certificate->getFingerprint(Certificate::FINGERPRINT_MD5));
90 result.strSHA1Fingerprint = std::string("sha-1 ") +
91 Certificate::FingerprintToColonHex(
92 certificate->getFingerprint(Certificate::FINGERPRINT_SHA1));
97 CertificatePtr getOldAuthorSignerCertificate(DPL::String appid)
99 WidgetDAOReadOnly dao(appid);
100 CertificateChainList chainList = dao.getWidgetCertificate(SIGNATURE_AUTHOR);
102 FOREACH(it, chainList)
104 ValidationCore::CertificateCollection chain;
105 if (false == chain.load(*it)) {
106 LogError("Chain is broken");
110 LogError("Chain failed at sorting");
113 ValidationCore::CertificateList list = chain.getCertificateList();
117 if (!(*cert)->isRootCert() && !(*cert)->isCA()) {
122 return CertificatePtr(NULL);
124 } // namespace anonymous
127 namespace WidgetInstall {
128 TaskCertify::TaskCertify(InstallerContext &inCont) :
129 DPL::TaskDecl<TaskCertify>(this),
130 WidgetInstallPopup(inCont),
131 m_contextData(inCont)
133 AddStep(&TaskCertify::stepSignature);
134 // certi comparison determines whether the update.
135 if (true == m_contextData.existingWidgetInfo.isExist) {
136 AddStep(&TaskCertify::stepVerifyUpdate);
139 // Block until fixed popup issues
140 if (!GlobalSettings::PopupsTestModeEnabled()
141 && !m_installContext.m_quiet && !isTizenWebApp())
143 AddStep(&TaskCertify::stepWarningPopup);
144 AddStep(&TaskCertify::stepWarningPopupAnswer);
145 AddStep(&TaskCertify::stepAuthorInfoPopup);
146 AddStep(&TaskCertify::stepAuthorInfoPopupAnswer);
147 AddStep(&TaskCertify::StepDeletePopupWin);
149 AddStep(&TaskCertify::stepFinalize);
152 void TaskCertify::processDistributorSignature(const SignatureData &data)
154 // this signature is verified -
155 // no point in check domain WAC_ROOT and WAC_RECOGNIZED
156 m_contextData.wacSecurity.setDistributorSigned(true);
158 if (data.getStorageType().contains(CertStoreId::WAC_ROOT)) {
159 m_contextData.wacSecurity.setWacSigned(true);
162 CertificateCollection collection;
163 collection.load(data.getCertList());
164 Assert(collection.sort() &&
165 "Certificate collection can't sort");
167 Assert(collection.isChain() &&
168 "Certificate collection is not able to create chain. "
169 "It is not possible to verify this signature.");
171 m_contextData.wacSecurity.getCertificateChainListRef().push_back(
174 if (data.getSignatureNumber() == 1) {
175 m_contextData.wacSecurity.getCertificateListRef().push_back(
176 toWidgetCertificateData(data, true));
177 m_contextData.wacSecurity.getCertificateListRef().push_back(
178 toWidgetCertificateData(data, false));
182 void TaskCertify::processAuthorSignature(const SignatureData &data)
184 using namespace ValidationCore;
185 LogInfo("DNS Identity match!");
186 // this signature is verified or widget is distributor signed
187 m_contextData.wacSecurity.setAuthorCertificatePtr(data.getEndEntityCertificatePtr());
188 CertificatePtr test = m_contextData.wacSecurity.getAuthorCertificatePtr();
190 m_contextData.wacSecurity.getCertificateListRef().push_back(
191 toWidgetCertificateData(data, true));
192 m_contextData.wacSecurity.getCertificateListRef().push_back(
193 toWidgetCertificateData(data, false));
195 // match widget_id with one from dns identity set
196 WacWidgetId widgetId(m_contextData.widgetConfig.configInfo.widget_id);
198 CertificatePtr cert = data.getEndEntityCertificatePtr();
200 Certificate::AltNameSet dnsIdentity = cert->getAlternativeNameDNS();
202 CertificateCollection collection;
203 collection.load(data.getCertList());
205 Assert(collection.isChain() &&
206 "Certificate collection is not able to create chain. "
207 "It is not possible to verify this signature.");
209 m_contextData.wacSecurity.getAuthorsCertificateChainListRef().push_back(
212 FOREACH(it, dnsIdentity){
213 if (widgetId.matchHost(*it)) {
214 m_contextData.wacSecurity.setRecognized(true);
220 void TaskCertify::stepSignature()
222 LogInfo("================ Step: <<Signature>> ENTER ===============");
224 std::string widgetPath;
225 if (m_contextData.widgetConfig.packagingType ==
226 WrtDB::PKG_TYPE_DIRECTORY_WEB_APP)
228 widgetPath = m_contextData.locations->getSourceDir() + "/";
230 widgetPath = m_contextData.locations->getTemporaryPackageDir() + "/";
233 SignatureFileInfoSet signatureFiles;
234 SignatureFinder signatureFinder(widgetPath);
235 if (SignatureFinder::NO_ERROR != signatureFinder.find(signatureFiles)) {
236 LogError("Error in Signature Finder");
237 ThrowMsg(Exceptions::InvalidPackage,
238 "Error openig temporary widget directory");
241 SignatureFileInfoSet::reverse_iterator iter = signatureFiles.rbegin();
242 LogInfo("Number of signatures: " << signatureFiles.size());
244 bool testCertificate = false;
246 bool complianceMode = GlobalDAOReadOnly::getComplianceMode();
248 for (; iter != signatureFiles.rend(); ++iter) {
249 LogInfo("Checking signature with id=" << iter->getFileNumber());
250 SignatureData data(widgetPath + iter->getFileName(),
251 iter->getFileNumber());
255 xml.initialize(data, GlobalConfig::GetSignatureXmlSchema());
258 WrtSignatureValidator::AppType appType =
259 WrtSignatureValidator::WAC20;
261 if (m_installContext.widgetConfig.webAppType ==
262 APP_TYPE_TIZENWEBAPP)
264 appType = WrtSignatureValidator::TIZEN;
267 WrtSignatureValidator::Result result;
269 WrtSignatureValidator validator(
272 OCSPTestModeEnabled(),
274 CrlTestModeEnabled(),
277 result = validator.check(data, widgetPath);
279 if (m_contextData.widgetConfig.packagingType
280 == WrtDB::PKG_TYPE_DIRECTORY_WEB_APP)
282 // In directory installation mode, the validation is skipped.
284 result = WrtSignatureValidator::SIGNATURE_VERIFIED;
287 if (result == WrtSignatureValidator::SIGNATURE_REVOKED) {
288 LogWarning("Certificate is REVOKED");
289 ThrowMsg(Exceptions::InvalidPackage,
290 "Certificate is REVOKED");
293 if (result == WrtSignatureValidator::SIGNATURE_INVALID) {
294 LogWarning("Signature is INVALID");
295 // TODO change exception name
296 ThrowMsg(Exceptions::InvalidPackage,
300 if (data.isAuthorSignature()) {
301 if (result == WrtSignatureValidator::SIGNATURE_VERIFIED ||
302 m_contextData.wacSecurity.isDistributorSigned())
304 processAuthorSignature(data);
306 WrtSignatureValidator::SIGNATURE_DISREGARD)
311 if (result == WrtSignatureValidator::SIGNATURE_DISREGARD) {
314 // now signature _must_ be verified
315 processDistributorSignature(data);
318 bool developerMode = GlobalDAOReadOnly::GetDeveloperMode();
320 std::string realMEID;
322 TapiHandle *tapiHandle = tel_init(NULL);
323 char *meid = tel_get_misc_me_sn_sync(tapiHandle);
328 tel_deinit(tapiHandle);
331 DeveloperModeValidator developerModeValidator(
334 GlobalDAOReadOnly::getComplianceFakeImei(),
335 GlobalDAOReadOnly::getComplianceFakeMeid(),
338 developerModeValidator.check(data);
341 data.getStorageType().contains(CertStoreId::DEVELOPER);
343 if (testCertificate && !developerMode) {
344 LogError("Widget signed by test certificate, "
345 "but developer mode is off.");
346 ThrowMsg(Exceptions::InvalidPackage,
347 "Widget signed by test certificate, "
348 "but developer mode is off.");
350 m_contextData.widgetConfig.isTestWidget = testCertificate;
351 } Catch(ParserSchemaException::Base) {
352 LogError("Error occured in ParserSchema.");
353 ReThrowMsg(Exceptions::InvalidPackage,
354 "Error occured in ParserSchema.");
356 Catch(DeveloperModeValidator::Exception::Base) {
357 LogError("Cannot validate developer certificate.");
358 ReThrowMsg(Exceptions::InvalidPackage,
359 "Cannot validate developer certificate.");
363 if (signatureFiles.empty()) {
364 LogInfo("No signature files has been found.");
367 LogInfo("================ Step: <<Signature>> DONE ================");
369 m_contextData.job->UpdateProgress(
370 InstallerContext::INSTALL_DIGSIG_CHECK,
371 "Widget Signature checked");
374 void TaskCertify::createInstallPopup(PopupType type, const std::string &label)
376 m_contextData.job->Pause();
380 bool ret = createPopup();
382 loadPopup(type, label);
386 void TaskCertify::StepDeletePopupWin()
391 void TaskCertify::stepWarningPopup()
393 LogInfo("Step:: <<Warning Popup>>");
394 // SP-2151: If widget is not recognized (OCSP status of any of certificates
395 // it is signed with is not recognized) WRT must notify user that
396 // widget cannot be installed as a trusted application, and let the
397 // user decide whether it should be installed as an untrusted
399 if (!m_contextData.wacSecurity.isDistributorSigned()) {
400 std::string label = UNTRUSTED_WIDGET +
403 createInstallPopup(PopupType::WIDGET_UNRECOGNIZED, label);
407 std::string TaskCertify::createAuthorWidgetInfo() const
409 std::string authorInfo;
410 if (m_contextData.wacSecurity.isRecognized()) {
411 //authorInfo += _("IDS_IM_WIDGET_RECOGNISED");
412 authorInfo += _("WIDGET RECOGNISED");
414 //authorInfo += _("IDS_IM_WIDGET_UNRECOGNISED");
415 authorInfo += _("WIDGET UNRECOGNISED");
418 authorInfo += LABEL_NEW_LINE_2;
419 ValidationCore::CertificatePtr authorCert =
420 m_contextData.wacSecurity.getAuthorCertificatePtr();
422 DPL::Optional < DPL::String > organizationName =
423 authorCert->getOrganizationName();
425 //authorInfo += _("IDS_IM_WIDGET_AUTHOR_ORGANIZATION_NAME");
426 authorInfo += _("AUTHOR ORGANIZATION NAME");
427 authorInfo += LABEL_NEW_LINE;
429 if (!organizationName.IsNull()) {
430 authorInfo += DPL::ToUTF8String(*organizationName);
432 //authorInfo += _("IDS_IM_WIDGET_ORGANIZATION_UNKNOWN");
433 authorInfo += _("WIDGET ORGANIZATION UNKNOWN");
436 authorInfo += LABEL_NEW_LINE_2;
438 DPL::Optional < DPL::String > countryName =
439 authorCert->getCountryName();
441 //authorInfo += _("IDS_IM_WIDGET_COUNTRY_NAME");
442 authorInfo += _("WIDGET COUNTRY NAME");
443 authorInfo += LABEL_NEW_LINE;
445 if (!countryName.IsNull()) {
446 authorInfo += DPL::ToUTF8String(*countryName);
448 //authorInfo += _("IDS_IM_WIDGET_COUNTRY_UNKNOWN");
449 authorInfo += _("WIDGET COUNTRY UNKNOWN");
453 //_("IDS_IM_WIDGET_DOES_NOT_CONTAIN_RECOGNIZED_AUTHOR_SIGNATURE");
454 _("Widget does not contain recognized author signature");
459 void TaskCertify::stepAuthorInfoPopup()
461 LogInfo("Step:: <<Author Popup Information>>");
463 = createAuthorWidgetInfo() + LABEL_NEW_LINE_2 + QUESTION;
464 createInstallPopup(PopupType::WIDGET_AUTHOR_INFO, label);
467 void TaskCertify::stepFinalize()
469 LogInfo("Step: <<CERTYFYING DONE>>");
471 m_contextData.job->UpdateProgress(
472 InstallerContext::INSTALL_CERT_CHECK,
473 "Widget Certification Check Finished");
476 void TaskCertify::stepWarningPopupAnswer()
478 LogInfo("Step: <<Warning Popup Answer>>");
479 if (false == m_contextData.wacSecurity.isDistributorSigned() &&
480 WRT_POPUP_BUTTON_CANCEL == m_installCancel)
482 LogWarning("User does not agreed to install unsigned widgets!");
483 m_installCancel = WRT_POPUP_BUTTON;
485 ThrowMsg(Exceptions::NotAllowed, "Widget not allowed");
489 void TaskCertify::stepAuthorInfoPopupAnswer()
491 LogInfo("Step: <<Author Info Popup Answer>>");
492 if (WRT_POPUP_BUTTON_CANCEL == m_installCancel) {
493 LogWarning("User does not agreed to install widget!");
494 m_installCancel = WRT_POPUP_BUTTON;
496 ThrowMsg(Exceptions::NotAllowed, "Widget not allowed");
500 bool TaskCertify::isTizenWebApp() const
503 if (m_installContext.widgetConfig.webAppType.appType
504 == WrtDB::AppType::APP_TYPE_TIZENWEBAPP)
512 void TaskCertify::stepVerifyUpdate()
514 LogInfo("Step: <<Check Update>>");
515 CertificatePtr newCertificate =
516 m_contextData.wacSecurity.getAuthorCertificatePtr();
517 CertificatePtr oldCertificate =
518 getOldAuthorSignerCertificate(m_installContext.widgetConfig.tzAppid);
520 if (!!newCertificate && !!oldCertificate) {
521 if (0 != newCertificate->getBase64().compare(oldCertificate->getBase64())) {
522 LogDebug("old widget's author signer certificate : " <<
523 oldCertificate->getBase64());
524 LogDebug("new widget's author signer certificate : " <<
525 newCertificate->getBase64());
526 ThrowMsg(Exceptions::InvalidPackage,
527 "Author signer certificates doesn't match \
528 between old widget and installing widget");
531 if (!(NULL == newCertificate.Get() && NULL == oldCertificate.Get())) {
532 ThrowMsg(Exceptions::InvalidPackage,
533 "Author signer certificates doesn't match \
534 between old widget and installing widget");
538 } //namespace WidgetInstall