summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorsangwan.kwon <sangwan.kwon@samsung.com>2016-02-17 11:31:09 +0900
committersangwan.kwon <sangwan.kwon@samsung.com>2016-02-24 15:07:57 +0900
commita49b608fe94e1c8f6a16f721a24f605967948867 (patch)
treefde92afc97ee046d865e2a8f7cd906b72b6cf1db /src
parent18e4ddb82a037b7c31b488ffcd96a36a8f32218c (diff)
downloadcert-checker-a49b608fe94e1c8f6a16f721a24f605967948867.tar.gz
cert-checker-a49b608fe94e1c8f6a16f721a24f605967948867.tar.bz2
cert-checker-a49b608fe94e1c8f6a16f721a24f605967948867.zip
* cert-svc API, key-manager API -> pkgmgr-info API Change-Id: I1c3523dd73041f117fab1c1b0012d25c1535defe Signed-off-by: sangwan.kwon <sangwan.kwon@samsung.com>
Diffstat (limited to 'src')
-rw-r--r--src/certs.cpp144
-rw-r--r--src/include/cchecker/certs.h8
2 files changed, 89 insertions, 63 deletions
diff --git a/src/certs.cpp b/src/certs.cpp
index d982f41..9c76b71 100644
--- a/src/certs.cpp
+++ b/src/certs.cpp
@@ -27,6 +27,7 @@
#include <memory>
#include <string>
#include <vector>
+#include <map>
#include <vcore/SignatureValidator.h>
#include <vcore/SignatureFinder.h>
#include <vcore/Certificate.h>
@@ -39,6 +40,64 @@
namespace CCHECKER {
+namespace {
+struct PkgmgrinfoCertInfo {
+ PkgmgrinfoCertInfo()
+ {
+ ret = pkgmgrinfo_pkginfo_create_certinfo(&handle);
+ }
+ ~PkgmgrinfoCertInfo()
+ {
+ pkgmgrinfo_pkginfo_destroy_certinfo(handle);
+ }
+
+ pkgmgrinfo_certinfo_h handle;
+ int ret;
+};
+
+static void get_cert_chain(const char *pkgid, uid_t uid, int sig_type, chain_t &chain)
+{
+ LogDebug("Get cert chain start. pkgid : " << pkgid << ", uid : " << uid);
+ int ret;
+ int cert_type;
+ const char *cert_value;
+
+ auto pm_certinfo = std::make_shared<PkgmgrinfoCertInfo>();
+
+ if (pm_certinfo->ret != PMINFO_R_OK) {
+ LogError("Get pkgmgrinfo certinfo failed. ret : " << ret);
+ return;
+ }
+
+ ret = pkgmgrinfo_pkginfo_load_certinfo(pkgid, pm_certinfo->handle, uid);
+ if (ret != PMINFO_R_OK) {
+ LogError("Load pkgmgrinfo certinfo failed. ret : " << ret);
+ return;
+ }
+
+ // add signer, intermediate, root certificates.
+ for (int cert_cnt = 0; cert_cnt < 3; cert_cnt++) {
+ cert_type = sig_type - cert_cnt;
+ ret = pkgmgrinfo_pkginfo_get_cert_value(pm_certinfo->handle,
+ static_cast<pkgmgrinfo_cert_type>(cert_type), &cert_value);
+
+ if (ret != PMINFO_R_OK) {
+ LogError("Get cert value from certinfo failed. ret : " << ret);
+ return;
+ }
+
+ if (cert_value == NULL) {
+ LogDebug("cert_type[" << cert_type << "] is null");
+ } else {
+ LogDebug("Add cert_type[" << cert_type << "] data : " << cert_value);
+ chain.push_back(cert_value);
+ }
+ }
+
+ return;
+}
+}
+
Certs::Certs()
{
m_ckm = CKM::Manager::create();
@@ -49,9 +108,23 @@ Certs::~Certs()
void Certs::get_certificates (app_t &app, ocsp_urls_t &ocsp_urls)
{
- std::vector<std::string> signatures;
- (void) signatures;
+ // build chain using pkgmgr-info
+ std::map<int, int> sig_type;
+ sig_type[AUTHOR_SIG] = PMINFO_AUTHOR_SIGNER_CERT;
+ sig_type[DISTRIBUTOR_SIG] = PMINFO_DISTRIBUTOR_SIGNER_CERT;
+ sig_type[DISTRIBUTOR2_SIG] = PMINFO_DISTRIBUTOR2_SIGNER_CERT;
+
+ for (auto s : sig_type) {
+ chain_t chain;
+ get_cert_chain(app.pkg_id.c_str(), app.uid, s.second, chain);
+
+ if(!chain.empty()) {
+ LogDebug("Add certificates chain to app. Size of chain : " << chain.size());
+ app.signatures.emplace_back(std::move(chain));
+ }
+ }
+ // get ocsp urls using cert-svc
if (0 != tzplatform_set_user(app.uid)) {
LogError("Cannot set user: tzplatform_set_user has failed");
return;
@@ -66,7 +139,6 @@ void Certs::get_certificates (app_t &app, ocsp_urls_t &ocsp_urls)
std::string app_path = std::string(pkg_path) + std::string("/") + app.app_id;
find_app_signatures (app, app_path, ocsp_urls);
}
-
}
/* Since there's no information about application in signal,
@@ -101,6 +173,9 @@ void Certs::search_app (app_t &app, ocsp_urls_t &ocsp_urls)
// Together with certificates we can pull out OCSP URLs
void Certs::find_app_signatures (app_t &app, const std::string &app_path, ocsp_urls_t &ocsp_urls)
{
+ // FIXME : delete unuse parameter
+ (void) app;
+
ValidationCore::SignatureFinder signature_finder(app_path);
ValidationCore::SignatureFileInfoSet signature_files;
@@ -114,19 +189,10 @@ void Certs::find_app_signatures (app_t &app, const std::string &app_path, ocsp_u
LogDebug("Searching for certificates");
for (auto &iter : signature_files) {
LogDebug("Checking signature");
- chain_t chain;
ValidationCore::CertificateList certs;
ValidationCore::SignatureValidator validator(iter);
- if (validator.makeChainBySignature(false, certs) != ValidationCore::E_SIG_NONE) {
- LogError("Signature: " << iter.getFileName() << " of " << app_path.c_str() << " is invalid");
- continue;
- }
for (auto &cert_iter : certs) {
- std::string app_cert = (*cert_iter).getBase64();
- chain.push_back(app_cert);
- LogDebug("Certificate: " << app_cert << " has been added");
-
// check OCSP URL
std::string ocsp_url = (*cert_iter).getOCSPURL();
if (!ocsp_url.empty()) {
@@ -135,66 +201,20 @@ void Certs::find_app_signatures (app_t &app, const std::string &app_path, ocsp_u
url_t url(issuer, ocsp_url, time);
ocsp_urls.push_back(url);
LogDebug("Found OCSP URL: " << ocsp_url << " for issuer: " << issuer << ", time: " << time);
-
}
}
- if (!chain.empty()) {
- app.signatures.push_back(chain);
- LogDebug("Certificates chain added to the app");
- }
}
}
-// We assume that chain is sorted - first element is an end entity
-bool Certs::ocsp_build_chain (const chain_t &chain, CKM::CertificateShPtrVector &vect_ckm_chain)
+Certs::ocsp_response_t Certs::check_ocsp_chain (const chain_t &chain)
{
- bool first = true;
- CKM::CertificateShPtr cert_end_entity;
- CKM::CertificateShPtrVector vect_untrusted;
+ CKM::CertificateShPtrVector vect_ckm_chain;
LogDebug("Size of chain: " << chain.size());
-
for (auto &iter : chain) {
CKM::RawBuffer buff(iter.begin(), iter.end());
- CKM::CertificateShPtr cert = CKM::Certificate::create(buff, CKM::DataFormat::FORM_DER_BASE64);
-
- if (!cert) {
- LogError("CKM failed to create certificate");
- return false;
- }
- if (first) {
- first = false;
- cert_end_entity = cert;
- LogDebug("Found end entity certificate");
- }
- else {
- vect_untrusted.push_back(cert);
- LogDebug("Found untrusted certificate");
- }
- }
-
- int ret = m_ckm->getCertificateChain(
- cert_end_entity,
- vect_untrusted,
- CKM::CertificateShPtrVector(),
- true, // useTrustedSystemCertificates
- vect_ckm_chain);
- if (ret != CKM_API_SUCCESS) {
- LogError("CKM getCertificateChain returned: " << ret);
- // TODO: Add handling for different errors codes?
- return false;
- }
-
- return true;
-}
-
-Certs::ocsp_response_t Certs::check_ocsp_chain (const chain_t &chain)
-{
- CKM::CertificateShPtrVector vect_ckm_chain;
-
- if (!ocsp_build_chain(chain, vect_ckm_chain)) {
- LogError("Error while build chain of certificates");
- return Certs::ocsp_response_t::OCSP_CERT_ERROR;
+ auto cert = CKM::Certificate::create(buff, CKM::DataFormat::FORM_DER_BASE64);
+ vect_ckm_chain.emplace_back(std::move(cert));
}
int status = CKM_API_OCSP_STATUS_UNKNOWN;
diff --git a/src/include/cchecker/certs.h b/src/include/cchecker/certs.h
index 643c2c1..9b1d762 100644
--- a/src/include/cchecker/certs.h
+++ b/src/include/cchecker/certs.h
@@ -27,12 +27,19 @@
#include <ckm/ckm-certificate.h>
#include <vcore/Certificate.h>
+#include <pkgmgr-info.h>
#include <cchecker/app.h>
#include <ckm/ckm-manager.h>
namespace CCHECKER {
+enum sig_t {
+ AUTHOR_SIG,
+ DISTRIBUTOR_SIG,
+ DISTRIBUTOR2_SIG
+};
+
class Certs {
public:
enum class ocsp_response_t {
@@ -49,7 +56,6 @@ class Certs {
ocsp_response_t check_ocsp_chain (const chain_t &chain);
void find_app_signatures (app_t &app, const std::string &app_path, ocsp_urls_t &ocsp_urls);
void search_app (app_t &app, ocsp_urls_t &ocsp_urls);
- bool ocsp_build_chain (const chain_t &chain, CKM::CertificateShPtrVector &vect_ckm_chain);
//private:
CKM::ManagerShPtr m_ckm;