diff options
-rw-r--r-- | db/cert-checker.sql | 7 | ||||
-rw-r--r-- | db/cert-checker.xml | 15 | ||||
-rw-r--r-- | src/certs.cpp | 86 | ||||
-rw-r--r-- | src/db/sql_query.cpp | 80 | ||||
-rw-r--r-- | src/include/cchecker/app.h | 16 | ||||
-rw-r--r-- | src/include/cchecker/certs.h | 7 | ||||
-rw-r--r-- | src/include/cchecker/logic.h | 1 | ||||
-rw-r--r-- | src/include/cchecker/sql_query.h | 8 | ||||
-rw-r--r-- | src/logic.cpp | 16 | ||||
-rw-r--r-- | tests/certs_.cpp | 5 | ||||
-rw-r--r-- | tests/certs_.h | 1 | ||||
-rw-r--r-- | tests/stubs_.cpp | 19 | ||||
-rw-r--r-- | tests/test_db.cpp | 64 |
13 files changed, 17 insertions, 308 deletions
diff --git a/db/cert-checker.sql b/db/cert-checker.sql index 9ef86f4..4223e2b 100644 --- a/db/cert-checker.sql +++ b/db/cert-checker.sql @@ -14,13 +14,6 @@ CREATE TABLE IF NOT EXISTS to_check ( UNIQUE (app_id, pkg_id, uid) ON CONFLICT REPLACE ); --- Table 'ocsp_urls' -CREATE TABLE IF NOT EXISTS ocsp_urls ( - issuer TEXT NOT NULL PRIMARY KEY, - url TEXT NOT NULL, - date INTEGER NOT NULL -); - -- Table 'chains_to_check' CREATE TABLE IF NOT EXISTS chains_to_check ( chain_id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, diff --git a/db/cert-checker.xml b/db/cert-checker.xml index f3ee60f..34042e0 100644 --- a/db/cert-checker.xml +++ b/db/cert-checker.xml @@ -56,21 +56,6 @@ <part>check_id</part> </key> </table> -<table x="1222" y="211" name="ocsp_urls"> -<row name="issuer" null="0" autoincrement="0"> -<datatype>MEDIUMTEXT</datatype> -</row> -<row name="url" null="0" autoincrement="0"> -<datatype>MEDIUMTEXT</datatype> -</row> -<row name="date" null="0" autoincrement="0"> -<datatype>INT</datatype> -</row> -<key type="PRIMARY" name=""> -<part>issuer</part> -<part>url</part> -</key> -</table> <table x="897" y="211" name="certs_to_check"> <row name="check_id" null="0" autoincrement="0"> <datatype>INTEGER</datatype> diff --git a/src/certs.cpp b/src/certs.cpp index 9c76b71..67c6900 100644 --- a/src/certs.cpp +++ b/src/certs.cpp @@ -33,7 +33,6 @@ #include <vcore/Certificate.h> #include <ckm/ckm-type.h> #include <ckm/ckm-raw-buffer.h> -#include <tzplatform_config.h> #include <cchecker/certs.h> #include <cchecker/log.h> @@ -106,7 +105,7 @@ Certs::Certs() Certs::~Certs() {} -void Certs::get_certificates (app_t &app, ocsp_urls_t &ocsp_urls) +void Certs::get_certificates(app_t &app) { // build chain using pkgmgr-info std::map<int, int> sig_type; @@ -123,90 +122,9 @@ void Certs::get_certificates (app_t &app, ocsp_urls_t &ocsp_urls) app.signatures.emplace_back(std::move(chain)); } } - - // get ocsp urls using cert-svc - if (0 != tzplatform_set_user(app.uid)) { - LogError("Cannot set user: tzplatform_set_user has failed"); - return; - } - - if (app.app_id == TEMP_APP_ID) { - LogDebug("Temporary app_id. Searching for apps in package."); - search_app(app, ocsp_urls); - } - else { - const char *pkg_path = tzplatform_mkpath(TZ_USER_APP, app.pkg_id.c_str()); - std::string app_path = std::string(pkg_path) + std::string("/") + app.app_id; - find_app_signatures (app, app_path, ocsp_urls); - } -} - -/* Since there's no information about application in signal, - * and we've got information only about package, we have to check - * all applications that belongs to that package - */ -void Certs::search_app (app_t &app, ocsp_urls_t &ocsp_urls) -{ - DIR *dp; - struct dirent *entry; - const char *pkg_path = tzplatform_mkpath(TZ_USER_APP, app.pkg_id.c_str()); - if (!pkg_path) { - LogError("tzplatform_mkpath has returned NULL for TZ_USER_APP"); - return; - } - - dp = opendir(pkg_path); - if (dp != NULL) { - while ((entry = readdir(dp))) { - if (strcmp(entry->d_name, ".") != 0 && strcmp(entry->d_name, "..") != 0 && entry->d_type == DT_DIR) { - LogDebug("Found app: " << entry->d_name); - std::string app_path = std::string(pkg_path) + std::string("/") + std::string(entry->d_name); - find_app_signatures(app, app_path, ocsp_urls); - } - } - closedir(dp); //close directory - } - else - LogError("Couldn't open the package directory."); -} - -// Together with certificates we can pull out OCSP URLs -void Certs::find_app_signatures (app_t &app, const std::string &app_path, ocsp_urls_t &ocsp_urls) -{ - // FIXME : delete unuse parameter - (void) app; - - ValidationCore::SignatureFinder signature_finder(app_path); - ValidationCore::SignatureFileInfoSet signature_files; - - if (signature_finder.find(signature_files) != - ValidationCore::SignatureFinder::NO_ERROR) { - LogError("Error while searching for signatures in " << app_path.c_str()); - return; - } - LogDebug("Number of signature files: " << signature_files.size()); - - LogDebug("Searching for certificates"); - for (auto &iter : signature_files) { - LogDebug("Checking signature"); - ValidationCore::CertificateList certs; - ValidationCore::SignatureValidator validator(iter); - - for (auto &cert_iter : certs) { - // check OCSP URL - std::string ocsp_url = (*cert_iter).getOCSPURL(); - if (!ocsp_url.empty()) { - std::string issuer = (*cert_iter).getCommonName(ValidationCore::Certificate::FIELD_ISSUER); - int64_t time = (*cert_iter).getNotBefore(); - url_t url(issuer, ocsp_url, time); - ocsp_urls.push_back(url); - LogDebug("Found OCSP URL: " << ocsp_url << " for issuer: " << issuer << ", time: " << time); - } - } - } } -Certs::ocsp_response_t Certs::check_ocsp_chain (const chain_t &chain) +Certs::ocsp_response_t Certs::check_ocsp_chain(const chain_t &chain) { CKM::CertificateShPtrVector vect_ckm_chain; diff --git a/src/db/sql_query.cpp b/src/db/sql_query.cpp index b171bf5..800c144 100644 --- a/src/db/sql_query.cpp +++ b/src/db/sql_query.cpp @@ -27,16 +27,15 @@ namespace { #define DB_ISSUER 101 - #define DB_URL 102 - #define DB_DATE 103 - #define DB_APP_ID 104 - #define DB_PKG_ID 105 - #define DB_UID 106 - #define DB_CHECK_ID 107 - #define DB_CERTIFICATE 108 - #define DB_VERIFIED 109 - #define DB_CHAIN_ID 110 - #define DB_CERT_ORDER 111 + #define DB_DATE 102 + #define DB_APP_ID 103 + #define DB_PKG_ID 104 + #define DB_UID 105 + #define DB_CHECK_ID 106 + #define DB_CERTIFICATE 107 + #define DB_VERIFIED 108 + #define DB_CHAIN_ID 109 + #define DB_CERT_ORDER 110 // This changes define into question mark and a number in quotes // e.g. _(DB_ISSUER) -> "?" "101" @@ -48,16 +47,6 @@ namespace { const char *DB_CMD_GET_LAST_INSERTED_ROW = "SELECT last_insert_rowid();"; - // urls - const char *DB_CMD_GET_URL = - "SELECT url, date FROM ocsp_urls WHERE issuer = " _(DB_ISSUER) ";"; - - const char *DB_CMD_SET_URL = - "INSERT INTO ocsp_urls(issuer, url, date) VALUES(" _(DB_ISSUER) ", " _(DB_URL) ", " _(DB_DATE) ");"; - - const char *DB_CMD_UPDATE_URL = - "UPDATE ocsp_urls SET url=" _(DB_URL) ", date=" _(DB_DATE) " WHERE issuer=" _(DB_ISSUER) ";"; // Issuer should be unique - // apps const char *DB_CMD_ADD_APP = "INSERT INTO to_check(app_id, pkg_id, uid, verified) VALUES(" _(DB_APP_ID) ", " _(DB_PKG_ID) ", " _(DB_UID) ", " _(DB_VERIFIED) ");"; @@ -130,57 +119,6 @@ SqlQuery::~SqlQuery() delete m_connection; } -bool SqlQuery::get_url(const std::string &issuer, std::string &url) -{ - SqlConnection::DataCommandAutoPtr getUrlCommand = - m_connection->PrepareDataCommand(DB_CMD_GET_URL); - getUrlCommand->BindString(DB_ISSUER, issuer.c_str()); - - if (getUrlCommand->Step()) { - url = getUrlCommand->GetColumnString(0); - LogDebug("Url for " << issuer << " found in databse: " << url); - return true; - } - - LogDebug("No url for " << issuer << " in databse."); - return false; -} - -void SqlQuery::set_url(const std::string &issuer, const std::string &url, const int64_t &date) -{ - m_connection->BeginTransaction(); - SqlConnection::DataCommandAutoPtr getUrlCommand = - m_connection->PrepareDataCommand(DB_CMD_GET_URL); - getUrlCommand->BindString(DB_ISSUER, issuer.c_str()); - - if (getUrlCommand->Step()) { // This means that url already exists in database for this issuer - // There's need to check the date - LogDebug("Url for " << issuer << " already exists. Checking the date"); - int64_t db_date = getUrlCommand->GetColumnInt64(1); - if (db_date < date) { - LogDebug("Url for " << issuer << " in database is older. Update is needed"); - // Url in DB is older - update is needed - SqlConnection::DataCommandAutoPtr updateUrlCommand = - m_connection->PrepareDataCommand(DB_CMD_UPDATE_URL); - updateUrlCommand->BindString(DB_ISSUER, issuer.c_str()); - updateUrlCommand->BindString(DB_URL, url.c_str()); - updateUrlCommand->BindInt64(DB_DATE, date); - updateUrlCommand->Step(); - } else // Url in DB is up-to-date, no need for update - LogDebug("Url for " << issuer << " in databse is up-to-date. No update needed"); - - } else { // No url in database for this issuer, add the new one - LogDebug("No url for "<< issuer << " in databse. Adding the new one."); - SqlConnection::DataCommandAutoPtr setUrlCommand = - m_connection->PrepareDataCommand(DB_CMD_SET_URL); - setUrlCommand->BindString(DB_ISSUER, issuer.c_str()); - setUrlCommand->BindString(DB_URL, url.c_str()); - setUrlCommand->BindInt64(DB_DATE, date); - setUrlCommand->Step(); - } - m_connection->CommitTransaction(); -} - bool SqlQuery::check_if_app_exists(const app_t &app) { int32_t check_id; diff --git a/src/include/cchecker/app.h b/src/include/cchecker/app.h index 46fd9b6..df4a860 100644 --- a/src/include/cchecker/app.h +++ b/src/include/cchecker/app.h @@ -57,22 +57,6 @@ struct app_t { std::string str_certs(void) const; }; -struct url_t { - std::string issuer; - std::string url; - int64_t date; - - url_t(const std::string &_issuer, - const std::string &_url, - int64_t _date): - issuer(_issuer), - url(_url), - date(_date) - {}; -}; - -typedef std::list<url_t> ocsp_urls_t; - } //CCHECKER #endif //CCHECKER_APP_H diff --git a/src/include/cchecker/certs.h b/src/include/cchecker/certs.h index 9b1d762..8cd0538 100644 --- a/src/include/cchecker/certs.h +++ b/src/include/cchecker/certs.h @@ -50,12 +50,11 @@ class Certs { }; Certs(); virtual ~Certs(); - void get_certificates (app_t &app, ocsp_urls_t &ocsp_urls); - ocsp_response_t check_ocsp (const app_t &app); // TODO: add custom url support + void get_certificates (app_t &app); + ocsp_response_t check_ocsp (const app_t &app); + protected: // Needed for tests ocsp_response_t check_ocsp_chain (const chain_t &chain); - void find_app_signatures (app_t &app, const std::string &app_path, ocsp_urls_t &ocsp_urls); - void search_app (app_t &app, ocsp_urls_t &ocsp_urls); //private: CKM::ManagerShPtr m_ckm; diff --git a/src/include/cchecker/logic.h b/src/include/cchecker/logic.h index 1ad9cd4..888fe07 100644 --- a/src/include/cchecker/logic.h +++ b/src/include/cchecker/logic.h @@ -75,7 +75,6 @@ class Logic { error_t setup_db(); void load_database_to_buffer(); - void add_ocsp_url(const std::string &issuer, const std::string &url, int64_t date); void add_app_to_buffer_and_database(const app_t &app); void remove_app_from_buffer_and_database(const app_t &app); diff --git a/src/include/cchecker/sql_query.h b/src/include/cchecker/sql_query.h index e4cc582..fd28fd5 100644 --- a/src/include/cchecker/sql_query.h +++ b/src/include/cchecker/sql_query.h @@ -46,14 +46,6 @@ class SqlQuery { // Connecting outside the constructor bool connect(const std::string& path); - // OCSP urls - /** - * Returns true if url has been found in database, - * or false in other case. - */ - bool get_url(const std::string &issuer, std::string &url); - void set_url(const std::string &issuer, const std::string &url, const int64_t &date); - // Apps bool add_app_to_check_list(const app_t &app); void remove_app_from_check_list(const app_t &app); diff --git a/src/logic.cpp b/src/logic.cpp index 6326e1d..6865ef1 100644 --- a/src/logic.cpp +++ b/src/logic.cpp @@ -439,11 +439,6 @@ void Logic::connman_callback(GDBusProxy */*proxy*/, } } -void Logic::add_ocsp_url(const string &issuer, const string &url, int64_t date) -{ - m_sqlquery->set_url(issuer, url, date); -} - void Logic::load_database_to_buffer() { LogDebug("Loading database to the buffer"); @@ -562,17 +557,8 @@ void Logic::process_event(const event_t &event) if (event.event_type == event_t::event_type_t::APP_INSTALL) { // pulling out certificates from signatures app_t app = event.app; - ocsp_urls_t ocsp_urls; - m_certs.get_certificates(app, ocsp_urls); + m_certs.get_certificates(app); add_app_to_buffer_and_database(app); - - // Adding OCSP URLs - if found any - if (!ocsp_urls.empty()){ - LogDebug("Some OCSP url has been found. Adding to database"); - for (auto iter = ocsp_urls.begin(); iter != ocsp_urls.end(); iter++){ - m_sqlquery->set_url(iter->issuer, iter->url, iter->date); - } - } } else if (event.event_type == event_t::event_type_t::APP_UNINSTALL) { remove_app_from_buffer_and_database(event.app); diff --git a/tests/certs_.cpp b/tests/certs_.cpp index 8155b90..b63c48b 100644 --- a/tests/certs_.cpp +++ b/tests/certs_.cpp @@ -31,8 +31,3 @@ Certs_::ocsp_response_t Certs_::check_ocsp_chain_ (const chain_t &chain) { return this->check_ocsp_chain(chain); } - -void Certs_::find_app_signatures_ (app_t &app, const std::string &app_path, ocsp_urls_t &ocsp_urls) -{ - return this->find_app_signatures(app, app_path, ocsp_urls); -} diff --git a/tests/certs_.h b/tests/certs_.h index 70dece5..ba1daab 100644 --- a/tests/certs_.h +++ b/tests/certs_.h @@ -31,7 +31,6 @@ class Certs_ : public Certs { public: virtual ~Certs_(); ocsp_response_t check_ocsp_chain_ (const chain_t &chain); - void find_app_signatures_ (app_t &app, const std::string &app_path, ocsp_urls_t &ocsp_urls); }; #endif //CCHECKER_DBFIXTURE_H diff --git a/tests/stubs_.cpp b/tests/stubs_.cpp index 9eb8cfa..c63c668 100644 --- a/tests/stubs_.cpp +++ b/tests/stubs_.cpp @@ -35,14 +35,13 @@ Certs::Certs() Certs::~Certs() {} -void Certs::get_certificates (app_t &app, ocsp_urls_t &ocsp_urls) +void Certs::get_certificates(app_t &app) { (void)app; - (void)ocsp_urls; } // Only the public functions need to be stubbed for testing all possibilities -Certs::ocsp_response_t Certs::check_ocsp (const app_t &app) +Certs::ocsp_response_t Certs::check_ocsp(const app_t &app) { if (app.signatures.empty()) return ocsp_response_t::OCSP_APP_OK; @@ -74,20 +73,6 @@ DB::SqlQuery::SqlQuery(const std::string &path) DB::SqlQuery::~SqlQuery() {} -bool DB::SqlQuery::get_url(const std::string &issuer, std::string &url) -{ - (void)issuer; - (void)url; - return false; -} - -void DB::SqlQuery::set_url(const std::string &issuer, const std::string &url, const int64_t &date) -{ - (void)issuer; - (void)url; - (void)date; -} - bool DB::SqlQuery::add_app_to_check_list(const app_t &app) { (void)app; diff --git a/tests/test_db.cpp b/tests/test_db.cpp index 95267e5..31e7bf6 100644 --- a/tests/test_db.cpp +++ b/tests/test_db.cpp @@ -30,70 +30,6 @@ BOOST_FIXTURE_TEST_SUITE(DB_TEST, DBFixture) -BOOST_AUTO_TEST_CASE(DB_url) { - std::string url; - std::string url_org = "url://url"; - std::string url_update = "http://issuer"; - std::string url_org2 = "address"; - std::string url_update2 = "random_text"; - std::string url_org3 = "########"; - std::string url_update3 = "@@@"; - - // No url in database - BOOST_REQUIRE(get_url("Issuer_test1", url)==false); - BOOST_REQUIRE(get_url("Issuer_test2", url)==false); - BOOST_REQUIRE(get_url("Issuer_test3", url)==false); - - // Url should be added - set_url("Issuer_test1", url_org, 500); - BOOST_REQUIRE(get_url("Issuer_test1", url)==true); - BOOST_REQUIRE(url==url_org); - - // Url for issuer 2 and 3 should remain empty - BOOST_REQUIRE(get_url("Issuer_test2", url)==false); - BOOST_REQUIRE(get_url("Issuer_test3", url)==false); - - // Should NOT be updated. Should get original url. - set_url("Issuer_test1", url_update, 400); - BOOST_REQUIRE(get_url("Issuer_test1", url)==true); - BOOST_REQUIRE(url==url_org); - - // Should be updated. Should get updated url. - set_url("Issuer_test1", url_update, 600); - BOOST_REQUIRE(get_url("Issuer_test1", url)==true); - BOOST_REQUIRE(url==url_update); - - // Add url for new issuer - set_url("Issuer_test2", url_org2, 200); - BOOST_REQUIRE(get_url("Issuer_test2", url)==true); - BOOST_REQUIRE(url==url_org2); - - // Url for issuer 3 should remain empty - BOOST_REQUIRE(get_url("Issuer_test3", url)==false); - - // Add url for issuer 3 - set_url("Issuer_test3", url_org3, 1000); - BOOST_REQUIRE(get_url("Issuer_test3", url)==true); - BOOST_REQUIRE(url==url_org3); - - // Urls for issuer 1 and 2 should remain as they were - BOOST_REQUIRE(get_url("Issuer_test1", url)==true); - BOOST_REQUIRE(url==url_update); - BOOST_REQUIRE(get_url("Issuer_test2", url)==true); - BOOST_REQUIRE(url==url_org2); - - // Update url for issuer 3 - set_url("Issuer_test3", url_update3, 1001); - BOOST_REQUIRE(get_url("Issuer_test3", url)==true); - BOOST_REQUIRE(url==url_update3); - - // Urls for issuer 1 and 2 should remain as they were - BOOST_REQUIRE(get_url("Issuer_test1", url)==true); - BOOST_REQUIRE(url==url_update); - BOOST_REQUIRE(get_url("Issuer_test2", url)==true); - BOOST_REQUIRE(url==url_org2); -} - BOOST_AUTO_TEST_CASE(DB_app_positive) { std::list<app_t> buffer; |