diff options
author | sangwan.kwon <sangwan.kwon@samsung.com> | 2016-02-17 11:31:09 +0900 |
---|---|---|
committer | sangwan.kwon <sangwan.kwon@samsung.com> | 2016-02-24 15:07:57 +0900 |
commit | a49b608fe94e1c8f6a16f721a24f605967948867 (patch) | |
tree | fde92afc97ee046d865e2a8f7cd906b72b6cf1db /src | |
parent | 18e4ddb82a037b7c31b488ffcd96a36a8f32218c (diff) | |
download | cert-checker-a49b608fe94e1c8f6a16f721a24f605967948867.tar.gz cert-checker-a49b608fe94e1c8f6a16f721a24f605967948867.tar.bz2 cert-checker-a49b608fe94e1c8f6a16f721a24f605967948867.zip |
Change building certificate chain APIsubmit/tizen/20160224.080105accepted/tizen/wearable/20160225.080701accepted/tizen/tv/20160225.080643accepted/tizen/mobile/20160225.080627accepted/tizen/ivi/20160225.080714
* cert-svc API, key-manager API -> pkgmgr-info API
Change-Id: I1c3523dd73041f117fab1c1b0012d25c1535defe
Signed-off-by: sangwan.kwon <sangwan.kwon@samsung.com>
Diffstat (limited to 'src')
-rw-r--r-- | src/certs.cpp | 144 | ||||
-rw-r--r-- | src/include/cchecker/certs.h | 8 |
2 files changed, 89 insertions, 63 deletions
diff --git a/src/certs.cpp b/src/certs.cpp index d982f41..9c76b71 100644 --- a/src/certs.cpp +++ b/src/certs.cpp @@ -27,6 +27,7 @@ #include <memory> #include <string> #include <vector> +#include <map> #include <vcore/SignatureValidator.h> #include <vcore/SignatureFinder.h> #include <vcore/Certificate.h> @@ -39,6 +40,64 @@ namespace CCHECKER { +namespace { +struct PkgmgrinfoCertInfo { + PkgmgrinfoCertInfo() + { + ret = pkgmgrinfo_pkginfo_create_certinfo(&handle); + } + ~PkgmgrinfoCertInfo() + { + pkgmgrinfo_pkginfo_destroy_certinfo(handle); + } + + pkgmgrinfo_certinfo_h handle; + int ret; +}; + +static void get_cert_chain(const char *pkgid, uid_t uid, int sig_type, chain_t &chain) +{ + LogDebug("Get cert chain start. pkgid : " << pkgid << ", uid : " << uid); + int ret; + int cert_type; + const char *cert_value; + + auto pm_certinfo = std::make_shared<PkgmgrinfoCertInfo>(); + + if (pm_certinfo->ret != PMINFO_R_OK) { + LogError("Get pkgmgrinfo certinfo failed. ret : " << ret); + return; + } + + ret = pkgmgrinfo_pkginfo_load_certinfo(pkgid, pm_certinfo->handle, uid); + if (ret != PMINFO_R_OK) { + LogError("Load pkgmgrinfo certinfo failed. ret : " << ret); + return; + } + + // add signer, intermediate, root certificates. + for (int cert_cnt = 0; cert_cnt < 3; cert_cnt++) { + cert_type = sig_type - cert_cnt; + ret = pkgmgrinfo_pkginfo_get_cert_value(pm_certinfo->handle, + static_cast<pkgmgrinfo_cert_type>(cert_type), &cert_value); + + if (ret != PMINFO_R_OK) { + LogError("Get cert value from certinfo failed. ret : " << ret); + return; + } + + if (cert_value == NULL) { + LogDebug("cert_type[" << cert_type << "] is null"); + } else { + LogDebug("Add cert_type[" << cert_type << "] data : " << cert_value); + chain.push_back(cert_value); + } + } + + return; +} +} + Certs::Certs() { m_ckm = CKM::Manager::create(); @@ -49,9 +108,23 @@ Certs::~Certs() void Certs::get_certificates (app_t &app, ocsp_urls_t &ocsp_urls) { - std::vector<std::string> signatures; - (void) signatures; + // build chain using pkgmgr-info + std::map<int, int> sig_type; + sig_type[AUTHOR_SIG] = PMINFO_AUTHOR_SIGNER_CERT; + sig_type[DISTRIBUTOR_SIG] = PMINFO_DISTRIBUTOR_SIGNER_CERT; + sig_type[DISTRIBUTOR2_SIG] = PMINFO_DISTRIBUTOR2_SIGNER_CERT; + + for (auto s : sig_type) { + chain_t chain; + get_cert_chain(app.pkg_id.c_str(), app.uid, s.second, chain); + + if(!chain.empty()) { + LogDebug("Add certificates chain to app. Size of chain : " << chain.size()); + app.signatures.emplace_back(std::move(chain)); + } + } + // get ocsp urls using cert-svc if (0 != tzplatform_set_user(app.uid)) { LogError("Cannot set user: tzplatform_set_user has failed"); return; @@ -66,7 +139,6 @@ void Certs::get_certificates (app_t &app, ocsp_urls_t &ocsp_urls) std::string app_path = std::string(pkg_path) + std::string("/") + app.app_id; find_app_signatures (app, app_path, ocsp_urls); } - } /* Since there's no information about application in signal, @@ -101,6 +173,9 @@ void Certs::search_app (app_t &app, ocsp_urls_t &ocsp_urls) // Together with certificates we can pull out OCSP URLs void Certs::find_app_signatures (app_t &app, const std::string &app_path, ocsp_urls_t &ocsp_urls) { + // FIXME : delete unuse parameter + (void) app; + ValidationCore::SignatureFinder signature_finder(app_path); ValidationCore::SignatureFileInfoSet signature_files; @@ -114,19 +189,10 @@ void Certs::find_app_signatures (app_t &app, const std::string &app_path, ocsp_u LogDebug("Searching for certificates"); for (auto &iter : signature_files) { LogDebug("Checking signature"); - chain_t chain; ValidationCore::CertificateList certs; ValidationCore::SignatureValidator validator(iter); - if (validator.makeChainBySignature(false, certs) != ValidationCore::E_SIG_NONE) { - LogError("Signature: " << iter.getFileName() << " of " << app_path.c_str() << " is invalid"); - continue; - } for (auto &cert_iter : certs) { - std::string app_cert = (*cert_iter).getBase64(); - chain.push_back(app_cert); - LogDebug("Certificate: " << app_cert << " has been added"); - // check OCSP URL std::string ocsp_url = (*cert_iter).getOCSPURL(); if (!ocsp_url.empty()) { @@ -135,66 +201,20 @@ void Certs::find_app_signatures (app_t &app, const std::string &app_path, ocsp_u url_t url(issuer, ocsp_url, time); ocsp_urls.push_back(url); LogDebug("Found OCSP URL: " << ocsp_url << " for issuer: " << issuer << ", time: " << time); - } } - if (!chain.empty()) { - app.signatures.push_back(chain); - LogDebug("Certificates chain added to the app"); - } } } -// We assume that chain is sorted - first element is an end entity -bool Certs::ocsp_build_chain (const chain_t &chain, CKM::CertificateShPtrVector &vect_ckm_chain) +Certs::ocsp_response_t Certs::check_ocsp_chain (const chain_t &chain) { - bool first = true; - CKM::CertificateShPtr cert_end_entity; - CKM::CertificateShPtrVector vect_untrusted; + CKM::CertificateShPtrVector vect_ckm_chain; LogDebug("Size of chain: " << chain.size()); - for (auto &iter : chain) { CKM::RawBuffer buff(iter.begin(), iter.end()); - CKM::CertificateShPtr cert = CKM::Certificate::create(buff, CKM::DataFormat::FORM_DER_BASE64); - - if (!cert) { - LogError("CKM failed to create certificate"); - return false; - } - if (first) { - first = false; - cert_end_entity = cert; - LogDebug("Found end entity certificate"); - } - else { - vect_untrusted.push_back(cert); - LogDebug("Found untrusted certificate"); - } - } - - int ret = m_ckm->getCertificateChain( - cert_end_entity, - vect_untrusted, - CKM::CertificateShPtrVector(), - true, // useTrustedSystemCertificates - vect_ckm_chain); - if (ret != CKM_API_SUCCESS) { - LogError("CKM getCertificateChain returned: " << ret); - // TODO: Add handling for different errors codes? - return false; - } - - return true; -} - -Certs::ocsp_response_t Certs::check_ocsp_chain (const chain_t &chain) -{ - CKM::CertificateShPtrVector vect_ckm_chain; - - if (!ocsp_build_chain(chain, vect_ckm_chain)) { - LogError("Error while build chain of certificates"); - return Certs::ocsp_response_t::OCSP_CERT_ERROR; + auto cert = CKM::Certificate::create(buff, CKM::DataFormat::FORM_DER_BASE64); + vect_ckm_chain.emplace_back(std::move(cert)); } int status = CKM_API_OCSP_STATUS_UNKNOWN; diff --git a/src/include/cchecker/certs.h b/src/include/cchecker/certs.h index 643c2c1..9b1d762 100644 --- a/src/include/cchecker/certs.h +++ b/src/include/cchecker/certs.h @@ -27,12 +27,19 @@ #include <ckm/ckm-certificate.h> #include <vcore/Certificate.h> +#include <pkgmgr-info.h> #include <cchecker/app.h> #include <ckm/ckm-manager.h> namespace CCHECKER { +enum sig_t { + AUTHOR_SIG, + DISTRIBUTOR_SIG, + DISTRIBUTOR2_SIG +}; + class Certs { public: enum class ocsp_response_t { @@ -49,7 +56,6 @@ class Certs { ocsp_response_t check_ocsp_chain (const chain_t &chain); void find_app_signatures (app_t &app, const std::string &app_path, ocsp_urls_t &ocsp_urls); void search_app (app_t &app, ocsp_urls_t &ocsp_urls); - bool ocsp_build_chain (const chain_t &chain, CKM::CertificateShPtrVector &vect_ckm_chain); //private: CKM::ManagerShPtr m_ckm; |