src/common/signature.cc

   1 // Copyright (c) 2019 Samsung Electronics Co., Ltd All Rights Reserved
   2 // Use of this source code is governed by an apache-2.0 license that can be
   3 // found in the LICENSE file.
   4
   5 #include "common/signature.h"
   6
   7 #include <tzplatform_config.h>
   8 #include <unistd.h>
   9
  10 #include <filesystem>
  11 #include <fstream>
  12 #include <string>
  13 #include <regex>
  14
  15 #include "common/certificate_validation.h"
  16 #include "common/utils/pkgmgr_query.h"
  17 #include "common/utils/glist_range.h"
  18 #include "common/utils/file_util.h"
  19 #include "common/utils/request.h"
  20
  21 namespace ci = common_installer;
  22 namespace fs = std::filesystem;
  23
  24 namespace common_installer {
  25
  26 bool Signature::SetPath() {
  27   fs::path path = fs::path((is_readonly_package_) ?
  28       tzplatform_getenv(TZ_SYS_RO_SHARE) : tzplatform_getenv(TZ_SYS_SHARE)) /
  29       "signatures";
  30   if (!CreateDir(path))
  31     return false;
  32
  33   file_path_ = path / std::string(pkgid_ + ".txt");
  34   backup_path_ = path / std::string(pkgid_ + "_backup.txt");
  35   if (fs::exists(backup_path_))
  36     fs::remove(backup_path_);
  37   if (fs::exists(file_path_))
  38     fs::rename(file_path_, backup_path_);
  39   return true;
  40 }
  41
  42 bool Signature::CheckSignatures(bool check_reference, PrivilegeLevel* level,
  43                     std::filesystem::path sig_root_path,
  44                     std::string *error_message) {
  45   if (!ValidateSignatures(sig_root_path, level, cert_info_,
  46                           check_reference, error_message))
  47     return false;
  48   return true;
  49 }
  50
  51 bool Signature::GetPrivilegeLevel(std::filesystem::path sig_root_path,
  52                                  PrivilegeLevel* level,
  53                                  std::string* error_message) {
  54   bool check_reference = true;
  55   if (request_type_ == ci::RequestType::Reinstall ||
  56       request_type_ == ci::RequestType::ReadonlyUpdateUninstall ||
  57       (getuid() == 0 &&
  58       (skip_check_reference_ ||
  59       request_type_ == ci::RequestType::ManifestDirectInstall ||
  60       request_type_ == ci::RequestType::ManifestDirectUpdate ||
  61       request_type_ == ci::RequestType::ManifestPartialInstall ||
  62       request_type_ == ci::RequestType::ManifestPartialUpdate)))
  63     check_reference = false;
  64   if (!CheckSignatures(check_reference, level, std::move(sig_root_path),
  65       error_message))
  66     return false;
  67
  68   if (*level == PrivilegeLevel::UNTRUSTED)
  69     if (!GetSignatureFromFile(pkgid_, is_readonly_package_, level, cert_info_))
  70       LOG(INFO) << "Unable to get privilege level from file";
  71
  72   if (is_readonly_package_)
  73     *level = PrivilegeLevel::PLATFORM;
  74
  75   return true;
  76 }
  77
  78 bool Signature::CheckMetadataPrivilege(PrivilegeLevel level,
  79                                       manifest_x* manifest,
  80                                       std::string* error_message) {
  81   if (is_readonly_package_)
  82     return true;
  83   for (application_x* app : GListRange<application_x*>(manifest->application)) {
  84     if (!ValidateMetadataPrivilege(level, manifest->api_version,
  85         app->metadata, error_message))
  86       return false;
  87   }
  88   return true;
  89 }
  90
  91 bool Signature::StoreSignature(std::ofstream* ofs,
  92     const ValidationCore::CertificatePtr& cert,
  93     const ValidationCore::CertificatePtr& im_cert,
  94     const ValidationCore::CertificatePtr& root_cert) {
  95   if (!ofs)
  96     return false;
  97   *ofs << ((cert) ? cert->getBase64() : "") << std::endl;
  98   *ofs << ((im_cert) ? im_cert->getBase64() : "") << std::endl;
  99   *ofs << ((root_cert) ? root_cert->getBase64() : "") << std::endl;
 100   return true;
 101 }
 102
 103 bool Signature::Store() {
 104   bool ret = true;
 105   std::ofstream ofs(file_path_);
 106   if (!StoreSignature(&ofs,
 107                       cert_info_->dist2_cert.get(),
 108                       cert_info_->dist2_im_cert.get(),
 109                       cert_info_->dist2_root_cert.get()) ||
 110       !StoreSignature(&ofs,
 111                       cert_info_->dist_cert.get(),
 112                       cert_info_->dist_im_cert.get(),
 113                       cert_info_->dist_root_cert.get()))
 114     ret = false;
 115   ofs.flush();
 116   ofs.close();
 117   SyncFile(file_path_);
 118   return ret;
 119 }
 120
 121 bool Signature::RemoveSignature(const fs::path& path) {
 122   // dist signatures cannot be removed when mount install/update
 123   if (request_type_ == RequestType::MountInstall ||
 124       request_type_ == RequestType::MountUpdate)
 125     return true;
 126
 127   for (fs::directory_iterator file(path);
 128       file != fs::directory_iterator();
 129       ++file) {
 130     try {
 131       fs::path file_path(file->path());
 132
 133       if (fs::is_symlink(symlink_status(file_path)) ||
 134           fs::is_directory(file_path))
 135         continue;
 136
 137       std::regex distributor_regex("^(signature)([1-9][0-9]*)(\\.xml)");
 138       if (std::regex_search(file_path.filename().string(), distributor_regex)) {
 139         if (!common_installer::Remove(file_path)) {
 140           LOG(ERROR) << "Failed to remove signature file";
 141           return false;
 142         }
 143       }
 144     } catch (const fs::filesystem_error& error) {
 145       LOG(ERROR) << "Failed to remove signature files: " << error.what();
 146       return false;
 147     }
 148   }
 149
 150   sync();
 151   return true;
 152 }
 153
 154 bool Signature::SaveSignature(const fs::path& path) {
 155   if (!SetPath() || !Store() || !RemoveSignature(path))
 156     return false;
 157   return true;
 158 }
 159
 160 const fs::path& Signature::GetFilePath() const {
 161   return file_path_;
 162 }
 163
 164 const fs::path& Signature::GetBackupPath() const {
 165   return backup_path_;
 166 }
 167
 168 }  // namespace common_installer