authorJanusz Kozerski <j.kozerski@samsung.com>2015-08-04 11:59:59 +0200
committerJanusz Kozerski <j.kozerski@samsung.com>2015-09-08 09:40:51 +0200
commitae4a130374e96d383e09571f2e098ef237e28418 (patch)
treebe1aec96429587bebab0b8395326c4dde558c56d /src
parent4373c73514186ce90d71a0486447fa66dcf0a6c1 (diff)
Use new cert-svc-vcore API: makeChainBySignature()
This change includes adding cert_order in the DB. The chain of certificates should be created while reading/parsing the signature. Certificates should be put into the DB in the right order - the end entity certificate first. The DB ensures that certificates will be loaded into the buffer in exactly the same order (the end entity will be the first element on the list). Verification: Run tests, all should pass. Change-Id: I09571bab7862bdb539dd3a957330fe23d687b48f
Diffstat (limited to 'src')
-rw-r--r--src/app.cpp2
-rw-r--r--src/certs.cpp137
-rw-r--r--src/db/sql_query.cpp18
-rw-r--r--src/include/cchecker/certs.h4
4 files changed, 52 insertions, 109 deletions
diff --git a/src/app.cpp b/src/app.cpp
index 08b79a5..29a9b2d 100644
--- a/src/app.cpp
+++ b/src/app.cpp
@@ -65,9 +65,11 @@ std::string app_t::str_certs(void) const
std::stringstream ss;
for (const auto &iter : signatures) {
+ ss << " { ";
for (const auto iter_cert : iter) {
ss << "\"" << iter_cert << "\", ";
}
+ ss << " } ,";
}
return ss.str();
}
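Review bot: str_certs now prints each chain as `{ "a", "b",  } ,` — the per-certificate `", "` and the per-chain `" } ,"` both leave a trailing separator and a double space, so the output is not well-formed at either level. If this string only goes to logs that is cosmetic, but if anything ever parses it the stray separators will bite. Emitting the separator before every element except the first, e.g. `ss << (first ? "" : ", ") << '"' << iter_cert << '"';` with a `bool first` reset per chain, gives clean output for both levels. The signature of str_certs sits in the hunk header, so its opening is outside this hunk.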
diff --git a/src/certs.cpp b/src/certs.cpp
index 277546d..d2d44e0 100644
--- a/src/certs.cpp
+++ b/src/certs.cpp
@@ -27,11 +27,9 @@
#include <memory>
#include <string>
#include <vector>
-#include <vcore/CertificateCollection.h>
-#include <vcore/SignatureReader.h>
+#include <vcore/SignatureValidator.h>
#include <vcore/SignatureFinder.h>
-#include <vcore/WrtSignatureValidator.h>
-#include <vcore/VCore.h>
+#include <vcore/Certificate.h>
#include <ckm/ckm-type.h>
#include <ckm/ckm-raw-buffer.h>
#include <tzplatform_config.h>
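Review bot: `#include <tzplatform_config.h>` is kept although its only visible user, the `signatureXmlSchemaPath` constant built from `tzplatform_getenv(TZ_SYS_SHARE)`, is deleted in the next hunk of this file. If nothing else in certs.cpp calls into tzplatform, drop the include (and the build dependency it implies) in the same commit rather than leaving a dead header. I can only see this file's hunks, so confirm against the full file before removing it.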
@@ -39,23 +37,15 @@
#include <cchecker/certs.h>
#include <cchecker/log.h>
-namespace {
-const std::string signatureXmlSchemaPath = std::string(tzplatform_getenv(TZ_SYS_SHARE))
- + std::string("/app-installers/signature_schema.xsd");
-}
-
namespace CCHECKER {
Certs::Certs()
{
- ValidationCore::VCoreInit();
m_ckm = CKM::Manager::create();
}
Certs::~Certs()
-{
- ValidationCore::VCoreDeinit();
-}
+{}
void Certs::get_certificates (app_t &app, ocsp_urls_t &ocsp_urls)
{
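Review bot: The removal of `ValidationCore::VCoreInit()` / `VCoreDeinit()` leaves `Certs::~Certs() {}` as an empty user-provided destructor; `Certs::~Certs() = default;` (or `~Certs() = default;` in the header) states the intent more clearly than an empty body. More importantly, the commit message does not say whether the new `SignatureValidator::makeChainBySignature` path still depends on the VCore global initialization that was removed here; if it does, every validation in find_app_signatures now runs against an uninitialized library. A one-line comment in the constructor, `// vcore needs no explicit init for SignatureValidator (see makeChainBySignature)`, would record that this was checked.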
@@ -122,36 +112,31 @@ void Certs::find_app_signatures (app_t &app, const std::string &app_path, ocsp_u
LogDebug("Number of signature files: " << signature_files.size());
LogDebug("Searching for certificates");
- for (auto iter = signature_files.begin(); iter != signature_files.end(); iter++) {
- chain_t chain;
+ for (auto &iter : signature_files) {
LogDebug("Checking signature");
- ValidationCore::SignatureData data(app_path + std::string("/") + (*iter).getFileName(),
- (*iter).getFileNumber());
- LogDebug("signatureXmlSchemaPath: " << signatureXmlSchemaPath);
- try {
- ValidationCore::SignatureReader reader;
- reader.initialize(data, signatureXmlSchemaPath);
- reader.read(data);
- ValidationCore::CertificateList certs = data.getCertList();
- for (auto cert_iter = certs.begin(); cert_iter != certs.end(); cert_iter++ ){
- std::string app_cert = (*cert_iter)->getBase64();
- chain.push_back(app_cert);
- LogDebug("Certificate: " << app_cert << " has been added");
-
- // check OCSP URL
- std::string ocsp_url = (*cert_iter)->getOCSPURL();
- if (ocsp_url != std::string("")) {
- std::string issuer = (*cert_iter)->getCommonName(ValidationCore::Certificate::FIELD_ISSUER);
- int64_t time = (*cert_iter)->getNotBefore();
- url_t url(issuer, ocsp_url, time);
- ocsp_urls.push_back(url);
- LogDebug("Found OCSP URL: " << ocsp_url << " for issuer: " << issuer << ", time: " << time);
-
- }
+ chain_t chain;
+ ValidationCore::CertificateList certs;
+ if (ValidationCore::SignatureValidator::makeChainBySignature(iter, false, certs) !=
+ ValidationCore::SignatureValidator::SIGNATURE_VALID) {
+ LogError("Signature: " << iter.getFileName() << " of " << app_path.c_str() << " is invalid");
+ continue;
+ }
+
+ for (auto &cert_iter : certs) {
+ std::string app_cert = (*cert_iter).getBase64();
+ chain.push_back(app_cert);
+ LogDebug("Certificate: " << app_cert << " has been added");
+
+ // check OCSP URL
+ std::string ocsp_url = (*cert_iter).getOCSPURL();
+ if (!ocsp_url.empty()) {
+ std::string issuer = (*cert_iter).getCommonName(ValidationCore::Certificate::FIELD_ISSUER);
+ int64_t time = (*cert_iter).getNotBefore();
+ url_t url(issuer, ocsp_url, time);
+ ocsp_urls.push_back(url);
+ LogDebug("Found OCSP URL: " << ocsp_url << " for issuer: " << issuer << ", time: " << time);
+
}
- } catch (const ValidationCore::ParserSchemaException::Base& exception) {
- // Needs to catch parser exceptions
- LogError("Error occured in ParserSchema: " << exception.DumpToString());
}
if (!chain.empty()) {
app.signatures.push_back(chain);
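Review bot: A signature that fails `makeChainBySignature` (the `continue` after the `SIGNATURE_VALID` check) is only logged and dropped, so an app whose signature file is invalid or tampered simply ends up with fewer chains — possibly none — and, since find_app_signatures is void, the caller cannot distinguish that from an app that never had a signature. Either record the failure (a flag or counter on app_t, or a return value) so the OCSP scheduling code can act on it, or add a comment stating that skipping is intentional because the installer already rejected such packages. The bare `false` second argument conveys nothing to a reader; give it a comment naming the flag it selects as declared in the vcore header. The old code also caught `ParserSchemaException` around the parse; if the new API can throw, the whole loop now aborts on the first bad signature file — worth confirming against the vcore header.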
@@ -160,66 +145,26 @@ void Certs::find_app_signatures (app_t &app, const std::string &app_path, ocsp_u
}
}
-bool Certs::ocsp_create_list (const chain_t &chain, ValidationCore::CertificateList &certs_list)
+// We assume that chain is sorted - first element is an end entity
+bool Certs::ocsp_build_chain (const chain_t &chain, CKM::CertificateShPtrVector &vect_ckm_chain)
{
- ValidationCore::CertificateCollection collection;
- ValidationCore::CertificateList list;
-
- LogDebug("Chain size: " << chain.size());
- for (auto &iter : chain) {
- try {
- ValidationCore::CertificatePtr p_cert(
- new ValidationCore::Certificate(iter, ValidationCore::Certificate::FORM_BASE64));
- list.push_back(p_cert);
- } catch (const ValidationCore::Certificate::Exception::Base& exception) {
- LogError("Error while creating certificate from BASE64: " << exception.DumpToString());
- return false;
- }
- LogDebug("Load certificate to list: " << list.size());
- }
-
- // Function collection.load which takes certificate in std::string BASE64 fails for some reason,
- // so load(const CertificateList &certList) is used.
- collection.load(list);
- LogDebug("Load certificate to CertificateCollection: " << collection.size());
-
- if (!collection.sort()) {
- LogError("Cannot make chain of certificates");
- // What to do if chain cannot be build?
- return false;
- }
-
- if (collection.isChain()) {
- LogDebug("Build chain succeed, size: " << collection.size());
- } else {
- LogError("Building chain failed");
- return false;
- }
-
- certs_list = collection.getCertificateList();
-
- return true;
-}
-
-bool Certs::ocsp_build_chain (const ValidationCore::CertificateList &certs_list, CKM::CertificateShPtrVector &vect_ckm_chain)
-{
- CKM::CertificateShPtrVector vect_untrusted;
-
bool first = true;
CKM::CertificateShPtr cert_end_entity;
- LogDebug("Size of certs_list: " << certs_list.size());
- for (auto &iter : certs_list) {
- std::string cert_cp(iter->getBase64());
- CKM::RawBuffer buff(cert_cp.begin(), cert_cp.end());
+ CKM::CertificateShPtrVector vect_untrusted;
+
+ LogDebug("Size of chain: " << chain.size());
+
+ for (auto &iter : chain) {
+ CKM::RawBuffer buff(iter.begin(), iter.end());
CKM::CertificateShPtr cert = CKM::Certificate::create(buff, CKM::DataFormat::FORM_DER_BASE64);
if (!cert) {
- LogDebug("CKM failed to create certificate");
+ LogError("CKM failed to create certificate");
return false;
}
- else if (first) {
- cert_end_entity = cert;
+ if (first) {
first = false;
+ cert_end_entity = cert;
LogDebug("Found end entity certificate");
}
else {
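Review bot: The comment `// We assume that chain is sorted - first element is an end entity` replaces an actual check: the removed ocsp_create_list ran `collection.sort()` and `isChain()` before trusting the order, whereas the new ocsp_build_chain takes whatever element comes first as the end entity and queues the rest as untrusted. If the DB row order or the vcore output ever differs from that assumption, the OCSP query is issued for the wrong certificate. At minimum guard the degenerate case before the loop, `if (chain.empty()) { LogError("Empty certificate chain"); return false; }`, so `cert_end_entity` cannot stay null, and extend the comment to say where chain structure is actually re-verified (presumably by the CKM OCSP call later in this function, which continues past the end of the hunk).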
@@ -245,15 +190,9 @@ bool Certs::ocsp_build_chain (const ValidationCore::CertificateList &certs_list,
Certs::ocsp_response_t Certs::check_ocsp_chain (const chain_t &chain)
{
- ValidationCore::CertificateList certs_list;
- if (!ocsp_create_list(chain, certs_list)) {
- LogError("Error while build list of certificates");
- return Certs::ocsp_response_t::OCSP_CERT_ERROR;
- }
-
CKM::CertificateShPtrVector vect_ckm_chain;
- if (!ocsp_build_chain(certs_list, vect_ckm_chain)) {
+ if (!ocsp_build_chain(chain, vect_ckm_chain)) {
LogError("Error while build chain of certificates");
return Certs::ocsp_response_t::OCSP_CERT_ERROR;
}
diff --git a/src/db/sql_query.cpp b/src/db/sql_query.cpp
index ad77553..b171bf5 100644
--- a/src/db/sql_query.cpp
+++ b/src/db/sql_query.cpp
@@ -36,6 +36,7 @@ namespace {
#define DB_CERTIFICATE 108
#define DB_VERIFIED 109
#define DB_CHAIN_ID 110
+ #define DB_CERT_ORDER 111
// This changes define into question mark and a number in quotes
// e.g. _(DB_ISSUER) -> "?" "101"
@@ -68,7 +69,7 @@ namespace {
"INSERT INTO chains_to_check(check_id) VALUES(" _(DB_CHECK_ID) ");";
const char *DB_CMD_ADD_CERT =
- "INSERT INTO certs_to_check(chain_id, certificate) VALUES(" _(DB_CHAIN_ID) ", " _(DB_CERTIFICATE) ");";
+ "INSERT INTO certs_to_check(chain_id, certificate, cert_order) VALUES(" _(DB_CHAIN_ID) ", " _(DB_CERTIFICATE) ", " _(DB_CERT_ORDER) ");";
const char *DB_CMD_GET_CHAINS =
"SELECT chain_id FROM chains_to_check INNER JOIN to_check ON chains_to_check.check_id=to_check.check_id WHERE to_check.app_id="
@@ -81,7 +82,7 @@ namespace {
"SELECT app_id, pkg_id, uid, verified FROM to_check";
const char *DB_CMD_GET_CERTS =
- "SELECT certificate FROM certs_to_check WHERE chain_id=" _(DB_CHAIN_ID) ";";
+ "SELECT certificate FROM certs_to_check WHERE chain_id=" _(DB_CHAIN_ID) " ORDER BY cert_order ASC;";
const char *DB_CMD_SET_APP_AS_VERIFIED =
"UPDATE to_check SET verified=" _(DB_VERIFIED) " WHERE check_id=" _(DB_CHECK_ID) ";";
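Review bot: `ORDER BY cert_order ASC` makes the end-entity-first invariant depend on every row in certs_to_check carrying a cert_order, but this diff (limited to src) shows neither the DDL that adds the column nor a migration for rows already stored before this change; if the backend is SQLite, a NULL cert_order sorts before any integer, so legacy rows would come back in an undefined relative order and could place a CA certificate first. Confirm the schema script declares the column NOT NULL and that an existing database is migrated or recreated. A comment above DB_CMD_GET_CERTS recording the convention, `// cert_order is 1-based; 1 is the end-entity certificate, higher values walk toward the root`, would also keep the two queries in sync with add_app_to_check_list.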
@@ -253,13 +254,16 @@ bool SqlQuery::add_app_to_check_list(const app_t &app)
for (const auto &iter : app.signatures) {
// Add chain
if (add_chain_id(check_id, chain_id)) {
- // add certificates from chain
+ // add certificates from chain in right order (start with 1) - end entity go first
+ int32_t cert_order = 1;
for (const auto &iter_cert : iter) {
SqlConnection::DataCommandAutoPtr addCertCommand =
m_connection->PrepareDataCommand(DB_CMD_ADD_CERT);
addCertCommand->BindInt32(DB_CHAIN_ID, chain_id);
addCertCommand->BindString(DB_CERTIFICATE, iter_cert.c_str());
+ addCertCommand->BindInt32(DB_CERT_ORDER, cert_order);
addCertCommand->Step();
+ cert_order++;
LogDebug("Certificate for app " << app.app_id << "added");
}
} else {
@@ -268,9 +272,9 @@ bool SqlQuery::add_app_to_check_list(const app_t &app)
return false;
}
- }
- m_connection->CommitTransaction();
- return true;
+ }
+ m_connection->CommitTransaction();
+ return true;
}
void SqlQuery::remove_app_from_check_list(const app_t &app)
@@ -336,7 +340,7 @@ void SqlQuery::get_app_list(std::list<app_t> &apps_buffer)
getChainsCommand->BindString(DB_PKG_ID, iter_app.pkg_id.c_str());
getChainsCommand->BindInt32(DB_UID, iter_app.uid);
- // Get all certs from chain
+ // Get all certs from chain - certs will be sorted - end entity go first
while (getChainsCommand->Step()) {
chain_t chain;
int32_t chain_id;
diff --git a/src/include/cchecker/certs.h b/src/include/cchecker/certs.h
index 7da95e6..643c2c1 100644
--- a/src/include/cchecker/certs.h
+++ b/src/include/cchecker/certs.h
@@ -49,9 +49,7 @@ class Certs {
ocsp_response_t check_ocsp_chain (const chain_t &chain);
void find_app_signatures (app_t &app, const std::string &app_path, ocsp_urls_t &ocsp_urls);
void search_app (app_t &app, ocsp_urls_t &ocsp_urls);
- bool ocsp_create_list(const chain_t &chain, ValidationCore::CertificateList &certs_list);
- bool ocsp_build_chain (const ValidationCore::CertificateList &certs_list,
- CKM::CertificateShPtrVector &vect_ckm_chain);
+ bool ocsp_build_chain (const chain_t &chain, CKM::CertificateShPtrVector &vect_ckm_chain);
//private:
CKM::ManagerShPtr m_ckm;