Diffstat (limited to 'src/service/certs.cpp')
-rw-r--r--src/service/certs.cpp283
1 files changed, 146 insertions, 137 deletions
diff --git a/src/service/certs.cpp b/src/service/certs.cpp
index c06fe6f..8abdc43 100644
--- a/src/service/certs.cpp
+++ b/src/service/certs.cpp
@@ -39,65 +39,65 @@ namespace CCHECKER {
namespace {
struct PkgmgrinfoCertInfo {
- PkgmgrinfoCertInfo()
- {
- ret = pkgmgrinfo_pkginfo_create_certinfo(&handle);
- }
- ~PkgmgrinfoCertInfo()
- {
- pkgmgrinfo_pkginfo_destroy_certinfo(handle);
- }
-
- pkgmgrinfo_certinfo_h handle;
- int ret;
+ PkgmgrinfoCertInfo()
+ {
+ ret = pkgmgrinfo_pkginfo_create_certinfo(&handle);
+ }
+ ~PkgmgrinfoCertInfo()
+ {
+ pkgmgrinfo_pkginfo_destroy_certinfo(handle);
+ }
+
+ pkgmgrinfo_certinfo_h handle;
+ int ret;
};
static void get_cert_chain(const char *pkgid, uid_t uid, int sig_type, chain_t &chain)
{
- LogDebug("Get cert chain start. pkgid : " << pkgid << ", uid : " << uid);
- int ret;
- int cert_type;
- const char *cert_value;
-
- auto pm_certinfo = std::make_shared<PkgmgrinfoCertInfo>();
-
- if (pm_certinfo->ret != PMINFO_R_OK) {
- LogError("Get pkgmgrinfo certinfo failed. ret : " << ret);
- return;
- }
-
- ret = pkgmgrinfo_pkginfo_load_certinfo(pkgid, pm_certinfo->handle, uid);
- if (ret != PMINFO_R_OK) {
- LogError("Load pkgmgrinfo certinfo failed. ret : " << ret);
- return;
- }
-
- // add signer, intermediate, root certificates.
- for (int cert_cnt = 0; cert_cnt < 3; cert_cnt++) {
- cert_type = sig_type - cert_cnt;
- ret = pkgmgrinfo_pkginfo_get_cert_value(pm_certinfo->handle,
- static_cast<pkgmgrinfo_cert_type>(cert_type), &cert_value);
-
- if (ret != PMINFO_R_OK) {
- LogError("Get cert value from certinfo failed. ret : " << ret);
- return;
- }
-
- if (cert_value == NULL) {
- LogDebug("cert_type[" << cert_type << "] is null");
- } else {
- LogDebug("Add cert_type[" << cert_type << "] data : " << cert_value);
- chain.push_back(cert_value);
- }
- }
-
- return;
+ LogDebug("Get cert chain start. pkgid : " << pkgid << ", uid : " << uid);
+ int ret;
+ int cert_type;
+ const char *cert_value;
+ auto pm_certinfo = std::make_shared<PkgmgrinfoCertInfo>();
+
+ if (pm_certinfo->ret != PMINFO_R_OK) {
+ LogError("Get pkgmgrinfo certinfo failed. ret : " << ret);
+ return;
+ }
+
+ ret = pkgmgrinfo_pkginfo_load_certinfo(pkgid, pm_certinfo->handle, uid);
+
+ if (ret != PMINFO_R_OK) {
+ LogError("Load pkgmgrinfo certinfo failed. ret : " << ret);
+ return;
+ }
+
+ // add signer, intermediate, root certificates.
+ for (int cert_cnt = 0; cert_cnt < 3; cert_cnt++) {
+ cert_type = sig_type - cert_cnt;
+ ret = pkgmgrinfo_pkginfo_get_cert_value(pm_certinfo->handle,
+ static_cast<pkgmgrinfo_cert_type>(cert_type), &cert_value);
+
+ if (ret != PMINFO_R_OK) {
+ LogError("Get cert value from certinfo failed. ret : " << ret);
+ return;
+ }
+
+ if (cert_value == NULL) {
+ LogDebug("cert_type[" << cert_type << "] is null");
+ } else {
+ LogDebug("Add cert_type[" << cert_type << "] data : " << cert_value);
+ chain.push_back(cert_value);
+ }
+ }
+
+ return;
}
}
Certs::Certs()
{
- m_ckm = CKM::Manager::create();
+ m_ckm = CKM::Manager::create();
}
Certs::~Certs()
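Review bot: In `get_cert_chain`, the first error branch logs the local `ret`, which is declared without an initializer and has not been assigned at that point, so the message prints an indeterminate value instead of the failure code held in `pm_certinfo->ret`; the line should read `LogError("Get pkgmgrinfo certinfo failed. ret : " << pm_certinfo->ret);`. On that same failure path `~PkgmgrinfoCertInfo()` calls `pkgmgrinfo_pkginfo_destroy_certinfo(handle)` unconditionally, although `handle` has no initializer and may never have been set when the create call failed; guarding the call with `if (ret == PMINFO_R_OK)` would keep an indeterminate handle out of the library. Because the function returns `void`, a caller cannot tell a lookup failure from a package that has no certificates, which matters for how the resulting chain is checked later.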
@@ -105,100 +105,109 @@ Certs::~Certs()
void Certs::get_certificates(app_t &app)
{
- // build chain using pkgmgr-info
- std::map<int, int> sig_type;
- sig_type[AUTHOR_SIG] = PMINFO_AUTHOR_SIGNER_CERT;
- sig_type[DISTRIBUTOR_SIG] = PMINFO_DISTRIBUTOR_SIGNER_CERT;
- sig_type[DISTRIBUTOR2_SIG] = PMINFO_DISTRIBUTOR2_SIGNER_CERT;
-
- for (auto s : sig_type) {
- chain_t chain;
- get_cert_chain(app.pkg_id.c_str(), app.uid, s.second, chain);
-
- if(!chain.empty()) {
- LogDebug("Add certificates chain to app. Size of chain : " << chain.size());
- app.signatures.emplace_back(std::move(chain));
- }
- }
+ // build chain using pkgmgr-info
+ std::map<int, int> sig_type;
+ sig_type[AUTHOR_SIG] = PMINFO_AUTHOR_SIGNER_CERT;
+ sig_type[DISTRIBUTOR_SIG] = PMINFO_DISTRIBUTOR_SIGNER_CERT;
+ sig_type[DISTRIBUTOR2_SIG] = PMINFO_DISTRIBUTOR2_SIGNER_CERT;
+
+ for (auto s : sig_type) {
+ chain_t chain;
+ get_cert_chain(app.pkg_id.c_str(), app.uid, s.second, chain);
+
+ if (!chain.empty()) {
+ LogDebug("Add certificates chain to app. Size of chain : " << chain.size());
+ app.signatures.emplace_back(std::move(chain));
+ }
+ }
}
Certs::ocsp_response_t Certs::check_ocsp_chain(const chain_t &chain)
{
- CKM::CertificateShPtrVector vect_ckm_chain;
-
- LogDebug("Size of chain: " << chain.size());
- for (auto &iter : chain) {
- CKM::RawBuffer buff(iter.begin(), iter.end());
- auto cert = CKM::Certificate::create(buff, CKM::DataFormat::FORM_DER_BASE64);
- vect_ckm_chain.emplace_back(std::move(cert));
- }
-
- int status = CKM_API_OCSP_STATUS_UNKNOWN;
- int ret = m_ckm->ocspCheck(vect_ckm_chain, status);
- if (ret != CKM_API_SUCCESS) {
- LogError("CKM ckeck OCSP returned " << ret);
- // Add handling for different errors codes
- // For these we can try to check ocsp again later:
- switch (ret) {
- case CKM_API_ERROR_NOT_SUPPORTED:
- LogDebug("Key-manager OCSP API temporary diabled.");
- case CKM_API_ERROR_SOCKET:
- case CKM_API_ERROR_BAD_REQUEST:
- case CKM_API_ERROR_BAD_RESPONSE:
- case CKM_API_ERROR_SEND_FAILED:
- case CKM_API_ERROR_RECV_FAILED:
- case CKM_API_ERROR_SERVER_ERROR:
- case CKM_API_ERROR_OUT_OF_MEMORY:
- return Certs::ocsp_response_t::OCSP_CHECK_AGAIN;
- // Any other error should be recurrent - checking the same app again
- // should give the same result.
- default:
- return Certs::ocsp_response_t::OCSP_CERT_ERROR;
- }
- }
-
- LogDebug("OCSP status: " << status);
- switch (status) {
- // Remove app from "to-check" list:
- case CKM_API_OCSP_STATUS_GOOD:
- return Certs::ocsp_response_t::OCSP_APP_OK;
- case CKM_API_OCSP_STATUS_UNSUPPORTED:
- case CKM_API_OCSP_STATUS_UNKNOWN:
- case CKM_API_OCSP_STATUS_INVALID_URL:
- return Certs::ocsp_response_t::OCSP_CERT_ERROR;
-
- //Show popup to user and remove app from "to-check" list
- case CKM_API_OCSP_STATUS_REVOKED:
- return Certs::ocsp_response_t::OCSP_APP_REVOKED;
-
- //Keep app for checking it again later:
- case CKM_API_OCSP_STATUS_NET_ERROR:
- case CKM_API_OCSP_STATUS_INVALID_RESPONSE:
- case CKM_API_OCSP_STATUS_REMOTE_ERROR:
- case CKM_API_OCSP_STATUS_INTERNAL_ERROR:
- return Certs::ocsp_response_t::OCSP_CHECK_AGAIN;
-
- default:
- // This should never happen
- return Certs::ocsp_response_t::OCSP_CERT_ERROR;
- }
+ CKM::CertificateShPtrVector vect_ckm_chain;
+ LogDebug("Size of chain: " << chain.size());
+
+ for (auto &iter : chain) {
+ CKM::RawBuffer buff(iter.begin(), iter.end());
+ auto cert = CKM::Certificate::create(buff, CKM::DataFormat::FORM_DER_BASE64);
+ vect_ckm_chain.emplace_back(std::move(cert));
+ }
+
+ int status = CKM_API_OCSP_STATUS_UNKNOWN;
+ int ret = m_ckm->ocspCheck(vect_ckm_chain, status);
+
+ if (ret != CKM_API_SUCCESS) {
+ LogError("CKM ckeck OCSP returned " << ret);
+
+ // Add handling for different errors codes
+ // For these we can try to check ocsp again later:
+ switch (ret) {
+ case CKM_API_ERROR_NOT_SUPPORTED:
+ LogDebug("Key-manager OCSP API temporary diabled.");
+
+ case CKM_API_ERROR_SOCKET:
+ case CKM_API_ERROR_BAD_REQUEST:
+ case CKM_API_ERROR_BAD_RESPONSE:
+ case CKM_API_ERROR_SEND_FAILED:
+ case CKM_API_ERROR_RECV_FAILED:
+ case CKM_API_ERROR_SERVER_ERROR:
+ case CKM_API_ERROR_OUT_OF_MEMORY:
+ return Certs::ocsp_response_t::OCSP_CHECK_AGAIN;
+
+ // Any other error should be recurrent - checking the same app again
+ // should give the same result.
+ default:
+ return Certs::ocsp_response_t::OCSP_CERT_ERROR;
+ }
+ }
+
+ LogDebug("OCSP status: " << status);
+
+ switch (status) {
+ // Remove app from "to-check" list:
+ case CKM_API_OCSP_STATUS_GOOD:
+ return Certs::ocsp_response_t::OCSP_APP_OK;
+
+ case CKM_API_OCSP_STATUS_UNSUPPORTED:
+ case CKM_API_OCSP_STATUS_UNKNOWN:
+ case CKM_API_OCSP_STATUS_INVALID_URL:
+ return Certs::ocsp_response_t::OCSP_CERT_ERROR;
+
+ //Show popup to user and remove app from "to-check" list
+ case CKM_API_OCSP_STATUS_REVOKED:
+ return Certs::ocsp_response_t::OCSP_APP_REVOKED;
+
+ //Keep app for checking it again later:
+ case CKM_API_OCSP_STATUS_NET_ERROR:
+ case CKM_API_OCSP_STATUS_INVALID_RESPONSE:
+ case CKM_API_OCSP_STATUS_REMOTE_ERROR:
+ case CKM_API_OCSP_STATUS_INTERNAL_ERROR:
+ return Certs::ocsp_response_t::OCSP_CHECK_AGAIN;
+
+ default:
+ // This should never happen
+ return Certs::ocsp_response_t::OCSP_CERT_ERROR;
+ }
}
-Certs::ocsp_response_t Certs::check_ocsp (const app_t &app)
+Certs::ocsp_response_t Certs::check_ocsp(const app_t &app)
{
- bool check_again = false;
-
- for (auto &iter : app.signatures) {
- Certs::ocsp_response_t resp = check_ocsp_chain(iter);
- if (resp == Certs::ocsp_response_t::OCSP_APP_REVOKED)
- return Certs::ocsp_response_t::OCSP_APP_REVOKED;
- if (resp == Certs::ocsp_response_t::OCSP_CHECK_AGAIN)
- check_again = true;
- }
-
- if (check_again)
- return Certs::ocsp_response_t::OCSP_CHECK_AGAIN;
- return Certs::ocsp_response_t::OCSP_APP_OK;
+ bool check_again = false;
+
+ for (auto &iter : app.signatures) {
+ Certs::ocsp_response_t resp = check_ocsp_chain(iter);
+
+ if (resp == Certs::ocsp_response_t::OCSP_APP_REVOKED)
+ return Certs::ocsp_response_t::OCSP_APP_REVOKED;
+
+ if (resp == Certs::ocsp_response_t::OCSP_CHECK_AGAIN)
+ check_again = true;
+ }
+
+ if (check_again)
+ return Certs::ocsp_response_t::OCSP_CHECK_AGAIN;
+
+ return Certs::ocsp_response_t::OCSP_APP_OK;
}
} // CCHECKER
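Review bot: `check_ocsp` treats every result other than `OCSP_APP_REVOKED` and `OCSP_CHECK_AGAIN` as success, so a chain for which `check_ocsp_chain` returns `OCSP_CERT_ERROR` (status UNSUPPORTED, UNKNOWN or INVALID_URL, or a non-retryable CKM error) still ends at `return Certs::ocsp_response_t::OCSP_APP_OK;`, and so does an app whose `signatures` list is empty because `get_certificates` added no chain. If this soft-fail is intended, it deserves a comment saying so; otherwise record the error with `if (resp == Certs::ocsp_response_t::OCSP_CERT_ERROR) cert_error = true;` inside the loop and `if (cert_error) return Certs::ocsp_response_t::OCSP_CERT_ERROR;` before the final return. In `check_ocsp_chain`, the result of `CKM::Certificate::create` is appended to the vector without a check, and the `CKM_API_ERROR_NOT_SUPPORTED` case falls through after its `LogDebug` with no `// fallthrough` comment to mark that as deliberate.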