diff options
| author | Janusz Kozerski <j.kozerski@samsung.com> | 2015-08-04 11:59:59 +0200 |
|---|---|---|
| committer | Janusz Kozerski <j.kozerski@samsung.com> | 2015-09-08 09:40:51 +0200 |
| commit | ae4a130374e96d383e09571f2e098ef237e28418 (patch) | |
| tree | be1aec96429587bebab0b8395326c4dde558c56d /src/certs.cpp | |
| parent | 4373c73514186ce90d71a0486447fa66dcf0a6c1 (diff) | |
| download | cert-checker-ae4a130374e96d383e09571f2e098ef237e28418.tar.gz cert-checker-ae4a130374e96d383e09571f2e098ef237e28418.tar.bz2 cert-checker-ae4a130374e96d383e09571f2e098ef237e28418.zip | |
Use new cert-svc-vcore API: makeChainBySignature()
This change includes adding cert_order in DB.
Chain of certificates should be created while reading/parsing signature.
Certificates should be put into DB in right order - first should go
end entity certificate. DB ensures that certificates will be loaded into the
buffer in exactly same order (end entity will be the first element on the list).
Verification: Run tests, all should pass.
Change-Id: I09571bab7862bdb539dd3a957330fe23d687b48f
Diffstat (limited to 'src/certs.cpp')
| -rw-r--r-- | src/certs.cpp | 137 |
1 files changed, 38 insertions, 99 deletions
diff --git a/src/certs.cpp b/src/certs.cpp index 277546d..d2d44e0 100644 --- a/src/certs.cpp +++ b/src/certs.cpp @@ -27,11 +27,9 @@ #include <memory> #include <string> #include <vector> -#include <vcore/CertificateCollection.h> -#include <vcore/SignatureReader.h> +#include <vcore/SignatureValidator.h> #include <vcore/SignatureFinder.h> -#include <vcore/WrtSignatureValidator.h> -#include <vcore/VCore.h> +#include <vcore/Certificate.h> #include <ckm/ckm-type.h> #include <ckm/ckm-raw-buffer.h> #include <tzplatform_config.h> @@ -39,23 +37,15 @@ #include <cchecker/certs.h> #include <cchecker/log.h> -namespace { -const std::string signatureXmlSchemaPath = std::string(tzplatform_getenv(TZ_SYS_SHARE)) - + std::string("/app-installers/signature_schema.xsd"); -} - namespace CCHECKER { Certs::Certs() { - ValidationCore::VCoreInit(); m_ckm = CKM::Manager::create(); } Certs::~Certs() -{ - ValidationCore::VCoreDeinit(); -} +{} void Certs::get_certificates (app_t &app, ocsp_urls_t &ocsp_urls) { @@ -122,36 +112,31 @@ void Certs::find_app_signatures (app_t &app, const std::string &app_path, ocsp_u LogDebug("Number of signature files: " << signature_files.size()); LogDebug("Searching for certificates"); - for (auto iter = signature_files.begin(); iter != signature_files.end(); iter++) { - chain_t chain; + for (auto &iter : signature_files) { LogDebug("Checking signature"); - ValidationCore::SignatureData data(app_path + std::string("/") + (*iter).getFileName(), - (*iter).getFileNumber()); - LogDebug("signatureXmlSchemaPath: " << signatureXmlSchemaPath); - try { - ValidationCore::SignatureReader reader; - reader.initialize(data, signatureXmlSchemaPath); - reader.read(data); - ValidationCore::CertificateList certs = data.getCertList(); - for (auto cert_iter = certs.begin(); cert_iter != certs.end(); cert_iter++ ){ - std::string app_cert = (*cert_iter)->getBase64(); - chain.push_back(app_cert); - LogDebug("Certificate: " << app_cert << " has been added"); - - // check OCSP URL - std::string ocsp_url = (*cert_iter)->getOCSPURL(); - if (ocsp_url != std::string("")) { - std::string issuer = (*cert_iter)->getCommonName(ValidationCore::Certificate::FIELD_ISSUER); - int64_t time = (*cert_iter)->getNotBefore(); - url_t url(issuer, ocsp_url, time); - ocsp_urls.push_back(url); - LogDebug("Found OCSP URL: " << ocsp_url << " for issuer: " << issuer << ", time: " << time); - - } + chain_t chain; + ValidationCore::CertificateList certs; + if (ValidationCore::SignatureValidator::makeChainBySignature(iter, false, certs) != + ValidationCore::SignatureValidator::SIGNATURE_VALID) { + LogError("Signature: " << iter.getFileName() << " of " << app_path.c_str() << " is invalid"); + continue; + } + + for (auto &cert_iter : certs) { + std::string app_cert = (*cert_iter).getBase64(); + chain.push_back(app_cert); + LogDebug("Certificate: " << app_cert << " has been added"); + + // check OCSP URL + std::string ocsp_url = (*cert_iter).getOCSPURL(); + if (!ocsp_url.empty()) { + std::string issuer = (*cert_iter).getCommonName(ValidationCore::Certificate::FIELD_ISSUER); + int64_t time = (*cert_iter).getNotBefore(); + url_t url(issuer, ocsp_url, time); + ocsp_urls.push_back(url); + LogDebug("Found OCSP URL: " << ocsp_url << " for issuer: " << issuer << ", time: " << time); + } - } catch (const ValidationCore::ParserSchemaException::Base& exception) { - // Needs to catch parser exceptions - LogError("Error occured in ParserSchema: " << exception.DumpToString()); } if (!chain.empty()) { app.signatures.push_back(chain); @@ -160,66 +145,26 @@ void Certs::find_app_signatures (app_t &app, const std::string &app_path, ocsp_u } } -bool Certs::ocsp_create_list (const chain_t &chain, ValidationCore::CertificateList &certs_list) +// We assume that chain is sorted - first element is an end entity +bool Certs::ocsp_build_chain (const chain_t &chain, CKM::CertificateShPtrVector &vect_ckm_chain) { - ValidationCore::CertificateCollection collection; - ValidationCore::CertificateList list; - - LogDebug("Chain size: " << chain.size()); - for (auto &iter : chain) { - try { - ValidationCore::CertificatePtr p_cert( - new ValidationCore::Certificate(iter, ValidationCore::Certificate::FORM_BASE64)); - list.push_back(p_cert); - } catch (const ValidationCore::Certificate::Exception::Base& exception) { - LogError("Error while creating certificate from BASE64: " << exception.DumpToString()); - return false; - } - LogDebug("Load certificate to list: " << list.size()); - } - - // Function collection.load which takes certificate in std::string BASE64 fails for some reason, - // so load(const CertificateList &certList) is used. - collection.load(list); - LogDebug("Load certificate to CertificateCollection: " << collection.size()); - - if (!collection.sort()) { - LogError("Cannot make chain of certificates"); - // What to do if chain cannot be build? - return false; - } - - if (collection.isChain()) { - LogDebug("Build chain succeed, size: " << collection.size()); - } else { - LogError("Building chain failed"); - return false; - } - - certs_list = collection.getCertificateList(); - - return true; -} - -bool Certs::ocsp_build_chain (const ValidationCore::CertificateList &certs_list, CKM::CertificateShPtrVector &vect_ckm_chain) -{ - CKM::CertificateShPtrVector vect_untrusted; - bool first = true; CKM::CertificateShPtr cert_end_entity; - LogDebug("Size of certs_list: " << certs_list.size()); - for (auto &iter : certs_list) { - std::string cert_cp(iter->getBase64()); - CKM::RawBuffer buff(cert_cp.begin(), cert_cp.end()); + CKM::CertificateShPtrVector vect_untrusted; + + LogDebug("Size of chain: " << chain.size()); + + for (auto &iter : chain) { + CKM::RawBuffer buff(iter.begin(), iter.end()); CKM::CertificateShPtr cert = CKM::Certificate::create(buff, CKM::DataFormat::FORM_DER_BASE64); if (!cert) { - LogDebug("CKM failed to create certificate"); + LogError("CKM failed to create certificate"); return false; } - else if (first) { - cert_end_entity = cert; + if (first) { first = false; + cert_end_entity = cert; LogDebug("Found end entity certificate"); } else { @@ -245,15 +190,9 @@ bool Certs::ocsp_build_chain (const ValidationCore::CertificateList &certs_list, Certs::ocsp_response_t Certs::check_ocsp_chain (const chain_t &chain) { - ValidationCore::CertificateList certs_list; - if (!ocsp_create_list(chain, certs_list)) { - LogError("Error while build list of certificates"); - return Certs::ocsp_response_t::OCSP_CERT_ERROR; - } - CKM::CertificateShPtrVector vect_ckm_chain; - if (!ocsp_build_chain(certs_list, vect_ckm_chain)) { + if (!ocsp_build_chain(chain, vect_ckm_chain)) { LogError("Error while build chain of certificates"); return Certs::ocsp_response_t::OCSP_CERT_ERROR; } |