diff options
Diffstat (limited to 'src/certs.cpp')
-rw-r--r-- | src/certs.cpp | 144 |
1 files changed, 82 insertions, 62 deletions
diff --git a/src/certs.cpp b/src/certs.cpp index d982f41..9c76b71 100644 --- a/src/certs.cpp +++ b/src/certs.cpp @@ -27,6 +27,7 @@ #include <memory> #include <string> #include <vector> +#include <map> #include <vcore/SignatureValidator.h> #include <vcore/SignatureFinder.h> #include <vcore/Certificate.h> @@ -39,6 +40,64 @@ namespace CCHECKER { +namespace { +struct PkgmgrinfoCertInfo { + PkgmgrinfoCertInfo() + { + ret = pkgmgrinfo_pkginfo_create_certinfo(&handle); + } + ~PkgmgrinfoCertInfo() + { + pkgmgrinfo_pkginfo_destroy_certinfo(handle); + } + + pkgmgrinfo_certinfo_h handle; + int ret; +}; + +static void get_cert_chain(const char *pkgid, uid_t uid, int sig_type, chain_t &chain) +{ + LogDebug("Get cert chain start. pkgid : " << pkgid << ", uid : " << uid); + int ret; + int cert_type; + const char *cert_value; + + auto pm_certinfo = std::make_shared<PkgmgrinfoCertInfo>(); + + if (pm_certinfo->ret != PMINFO_R_OK) { + LogError("Get pkgmgrinfo certinfo failed. ret : " << ret); + return; + } + + ret = pkgmgrinfo_pkginfo_load_certinfo(pkgid, pm_certinfo->handle, uid); + if (ret != PMINFO_R_OK) { + LogError("Load pkgmgrinfo certinfo failed. ret : " << ret); + return; + } + + // add signer, intermediate, root certificates. + for (int cert_cnt = 0; cert_cnt < 3; cert_cnt++) { + cert_type = sig_type - cert_cnt; + ret = pkgmgrinfo_pkginfo_get_cert_value(pm_certinfo->handle, + static_cast<pkgmgrinfo_cert_type>(cert_type), &cert_value); + + if (ret != PMINFO_R_OK) { + LogError("Get cert value from certinfo failed. ret : " << ret); + return; + } + + if (cert_value == NULL) { + LogDebug("cert_type[" << cert_type << "] is null"); + } else { + LogDebug("Add cert_type[" << cert_type << "] data : " << cert_value); + chain.push_back(cert_value); + } + } + + return; +} +} + Certs::Certs() { m_ckm = CKM::Manager::create(); @@ -49,9 +108,23 @@ Certs::~Certs() void Certs::get_certificates (app_t &app, ocsp_urls_t &ocsp_urls) { - std::vector<std::string> signatures; - (void) signatures; + // build chain using pkgmgr-info + std::map<int, int> sig_type; + sig_type[AUTHOR_SIG] = PMINFO_AUTHOR_SIGNER_CERT; + sig_type[DISTRIBUTOR_SIG] = PMINFO_DISTRIBUTOR_SIGNER_CERT; + sig_type[DISTRIBUTOR2_SIG] = PMINFO_DISTRIBUTOR2_SIGNER_CERT; + + for (auto s : sig_type) { + chain_t chain; + get_cert_chain(app.pkg_id.c_str(), app.uid, s.second, chain); + + if(!chain.empty()) { + LogDebug("Add certificates chain to app. Size of chain : " << chain.size()); + app.signatures.emplace_back(std::move(chain)); + } + } + // get ocsp urls using cert-svc if (0 != tzplatform_set_user(app.uid)) { LogError("Cannot set user: tzplatform_set_user has failed"); return; @@ -66,7 +139,6 @@ void Certs::get_certificates (app_t &app, ocsp_urls_t &ocsp_urls) std::string app_path = std::string(pkg_path) + std::string("/") + app.app_id; find_app_signatures (app, app_path, ocsp_urls); } - } /* Since there's no information about application in signal, @@ -101,6 +173,9 @@ void Certs::search_app (app_t &app, ocsp_urls_t &ocsp_urls) // Together with certificates we can pull out OCSP URLs void Certs::find_app_signatures (app_t &app, const std::string &app_path, ocsp_urls_t &ocsp_urls) { + // FIXME : delete unuse parameter + (void) app; + ValidationCore::SignatureFinder signature_finder(app_path); ValidationCore::SignatureFileInfoSet signature_files; @@ -114,19 +189,10 @@ void Certs::find_app_signatures (app_t &app, const std::string &app_path, ocsp_u LogDebug("Searching for certificates"); for (auto &iter : signature_files) { LogDebug("Checking signature"); - chain_t chain; ValidationCore::CertificateList certs; ValidationCore::SignatureValidator validator(iter); - if (validator.makeChainBySignature(false, certs) != ValidationCore::E_SIG_NONE) { - LogError("Signature: " << iter.getFileName() << " of " << app_path.c_str() << " is invalid"); - continue; - } for (auto &cert_iter : certs) { - std::string app_cert = (*cert_iter).getBase64(); - chain.push_back(app_cert); - LogDebug("Certificate: " << app_cert << " has been added"); - // check OCSP URL std::string ocsp_url = (*cert_iter).getOCSPURL(); if (!ocsp_url.empty()) { @@ -135,66 +201,20 @@ void Certs::find_app_signatures (app_t &app, const std::string &app_path, ocsp_u url_t url(issuer, ocsp_url, time); ocsp_urls.push_back(url); LogDebug("Found OCSP URL: " << ocsp_url << " for issuer: " << issuer << ", time: " << time); - } } - if (!chain.empty()) { - app.signatures.push_back(chain); - LogDebug("Certificates chain added to the app"); - } } } -// We assume that chain is sorted - first element is an end entity -bool Certs::ocsp_build_chain (const chain_t &chain, CKM::CertificateShPtrVector &vect_ckm_chain) +Certs::ocsp_response_t Certs::check_ocsp_chain (const chain_t &chain) { - bool first = true; - CKM::CertificateShPtr cert_end_entity; - CKM::CertificateShPtrVector vect_untrusted; + CKM::CertificateShPtrVector vect_ckm_chain; LogDebug("Size of chain: " << chain.size()); - for (auto &iter : chain) { CKM::RawBuffer buff(iter.begin(), iter.end()); - CKM::CertificateShPtr cert = CKM::Certificate::create(buff, CKM::DataFormat::FORM_DER_BASE64); - - if (!cert) { - LogError("CKM failed to create certificate"); - return false; - } - if (first) { - first = false; - cert_end_entity = cert; - LogDebug("Found end entity certificate"); - } - else { - vect_untrusted.push_back(cert); - LogDebug("Found untrusted certificate"); - } - } - - int ret = m_ckm->getCertificateChain( - cert_end_entity, - vect_untrusted, - CKM::CertificateShPtrVector(), - true, // useTrustedSystemCertificates - vect_ckm_chain); - if (ret != CKM_API_SUCCESS) { - LogError("CKM getCertificateChain returned: " << ret); - // TODO: Add handling for different errors codes? - return false; - } - - return true; -} - -Certs::ocsp_response_t Certs::check_ocsp_chain (const chain_t &chain) -{ - CKM::CertificateShPtrVector vect_ckm_chain; - - if (!ocsp_build_chain(chain, vect_ckm_chain)) { - LogError("Error while build chain of certificates"); - return Certs::ocsp_response_t::OCSP_CERT_ERROR; + auto cert = CKM::Certificate::create(buff, CKM::DataFormat::FORM_DER_BASE64); + vect_ckm_chain.emplace_back(std::move(cert)); } int status = CKM_API_OCSP_STATUS_UNKNOWN; |