|
1 /* |
|
2 * Copyright (c) 1997-2009 Nokia Corporation and/or its subsidiary(-ies). |
|
3 * All rights reserved. |
|
4 * This component and the accompanying materials are made available |
|
5 * under the terms of the License "Eclipse Public License v1.0" |
|
6 * which accompanies this distribution, and is available |
|
7 * at the URL "http://www.eclipse.org/legal/epl-v10.html". |
|
8 * |
|
9 * Initial Contributors: |
|
10 * Nokia Corporation - initial contribution. |
|
11 * |
|
12 * Contributors: |
|
13 * |
|
14 * Description: |
|
15 * |
|
16 */ |
|
17 |
|
18 |
|
19 /** |
|
20 @file |
|
21 @released |
|
22 @internalTechnology |
|
23 */ |
|
24 |
|
25 |
|
26 #ifndef __SECURITYMANAGER_H__ |
|
27 #define __SECURITYMANAGER_H__ |
|
28 |
|
29 #include <e32base.h> |
|
30 #include <securitydefs.h> |
|
31 #include <ct/rmpointerarray.h> |
|
32 #include <swi/msisuihandlers.h> |
|
33 #include "swi/siscontroller.h" |
|
34 #include "securitypolicy.h" |
|
35 #include <pkixcertchain.h> |
|
36 |
|
37 class CCTCertInfo; |
|
38 class CSWICertStore; |
|
39 class TCertMetaInfo; |
|
40 |
|
41 namespace Swi |
|
42 { |
|
43 |
|
44 class CChainValidator; |
|
45 class CCertificateRetriever; |
|
46 class CRevocationHandler; |
|
47 class CHashContainer; |
|
48 |
|
49 namespace Sis |
|
50 { |
|
51 class CSignatureCertificateChain; |
|
52 } |
|
53 |
|
54 class MSisDataProvider; |
|
55 |
|
56 enum TDevCertWarningState |
|
57 { |
|
58 ENoDevCerts =0, |
|
59 EFoundDevCerts =1, |
|
60 EDevCertsWarned =2 |
|
61 }; |
|
62 |
|
63 /** |
|
64 * The SecurityManager is the SWI component which takes care of the cryptographic |
|
65 * protections in the installation process. Specifically it verifies the signatures |
|
66 * in signed SISX files, validates their corresponding certificate chains, |
|
67 * builds the list of granted capabilities and enforces mandatory certificates |
|
68 * constraints. Moreover, driven from a compile time modifiable security policy, |
|
69 * enforces additional constraints on the valid certificates, e.g. Code Signing |
|
70 * and other X509 extensions. It performs OCSP checks for the relevant certificate |
|
71 * chains as well. |
|
72 * <P> |
|
73 * To accomplish its task the Security Manager relies on a number of helper |
|
74 * classes: |
|
75 * <ul> |
|
76 * <li> CCertificateRetriever to retrieve mandatory certificates |
|
77 * <li> CSignatureVerifier to verify signatures |
|
78 * <li> CChainValidator to validate PKIX certificate chains |
|
79 * <li> CRevocationHandler to perform OCSP checks |
|
80 * <li> CSecurityPolicy to access the compile time configurable security policy |
|
81 * </ul> |
|
82 * |
|
83 * @released |
|
84 * @internalTechnology |
|
85 */ |
|
86 class CSecurityManager : public CActive |
|
87 { |
|
88 |
|
89 public: // life-cycle methods |
|
90 |
|
91 /** |
|
92 * Constructs a new CSecurityManager object |
|
93 * |
|
94 * @return A new security manager |
|
95 */ |
|
96 IMPORT_C static CSecurityManager* NewL(); |
|
97 |
|
98 /** |
|
99 * Constructs a new CSecurityManager object and leaves it on the cleanup stack |
|
100 * |
|
101 * @return A new security manager |
|
102 */ |
|
103 IMPORT_C static CSecurityManager* NewLC(); |
|
104 |
|
105 virtual ~CSecurityManager(); |
|
106 |
|
107 public: // from CActive |
|
108 |
|
109 void RunL(); |
|
110 void DoCancel(); |
|
111 TInt RunError(TInt aError); |
|
112 |
|
113 |
|
114 public: // business methods |
|
115 |
|
116 /** |
|
117 * This method verifies a SISX controller. It checks: |
|
118 * <ul> |
|
119 * <li> Whether the controller is signed |
|
120 * <li> Whether at least a signature per certificate chain can be |
|
121 * verified |
|
122 * <li> Whether at least a certificate chain can be validated |
|
123 * successfully |
|
124 * <li> Whether we can meet all the mandatory certificate requirements |
|
125 * <li> Hands over a collection of capabilities the controller has been |
|
126 * signed for |
|
127 * </ul> |
|
128 * |
|
129 * @param aControllerBinary The raw controller data. |
|
130 * @param aController An instance of Sis::CController representing |
|
131 * the raw data |
|
132 * @param aResultOut A global result of the operation |
|
133 * @param aPkixResultsOut A list of PKIX validation results. To each of |
|
134 * this corresponds an end entity certificate in |
|
135 * aCertsOut |
|
136 * @param aCertsOut A list of end entity certificates |
|
137 * @param aCapabilitySetOut The set of capabilities the controller has been |
|
138 * signed for |
|
139 * @param aAllowUnsigned Receives policy flag that controls installation |
|
140 * of unsigned SIS files |
|
141 * @param aIsEmbeddedController Controller is embedded. |
|
142 * @param aStatus The client request status |
|
143 * @param aCheckDateAndTime Indicates whether the validity periods of the certificates |
|
144 in the chain are checked and verified. A value of ETrue |
|
145 indicates they are. |
|
146 */ |
|
147 IMPORT_C void VerifyControllerL( |
|
148 TDesC8& aControllerBinary, |
|
149 const Sis::CController& aController, |
|
150 TSignatureValidationResult* aResultOut, |
|
151 RPointerArray<CPKIXValidationResultBase>& aPkixResultsOut, |
|
152 RPointerArray<CX509Certificate>& aCertsOut, |
|
153 TCapabilitySet* aCapabilitySetOut, |
|
154 TBool& aAllowUnsigned, |
|
155 TBool& aIsEmbeddedController, |
|
156 TRequestStatus& aStatus, |
|
157 TBool aCheckDateAndTime = ETrue); |
|
158 |
|
159 /** |
|
160 * This method verifies a SISX controller given a list of chain indices. |
|
161 * It checks: |
|
162 * <ul> |
|
163 * <li> Whether the controller is signed |
|
164 * <li> Whether at least a signature per certificate chain can be |
|
165 * verified |
|
166 * <li> Whether at least a certificate chain can be validated |
|
167 * successfully |
|
168 * <li> Whether we can meet all the mandatory certificate requirements |
|
169 * <li> Hands over a collection of capabilities the controller has been |
|
170 * signed for |
|
171 * </ul> |
|
172 * |
|
173 * @param aControllerBinary The raw controller data. |
|
174 * @param aController An instance of Sis::CController representing |
|
175 * the raw data. |
|
176 * @param aChainListIndices List of indices to chains to be validated. |
|
177 * @param aResultOut A global result of the operation. |
|
178 * @param aPkixResultsOut A list of PKIX validation results. To each of |
|
179 * this corresponds an end entity certificate in |
|
180 * aCertsOut. |
|
181 * @param aCertsOut A list of end entity certificates |
|
182 * @param aCapabilitySetOut The set of capabilities the controller has been |
|
183 * signed for. |
|
184 * @param aAllowUnsigned Receives policy flag that controls installation |
|
185 * of unsigned SIS files. |
|
186 * @param aStatus The client request status. |
|
187 */ |
|
188 IMPORT_C void ReverifyControllerL( |
|
189 TDesC8& aControllerBinary, |
|
190 const Sis::CController& aController, |
|
191 const RArray<TInt>& aChainListIndices, |
|
192 TSignatureValidationResult* aResultOut, |
|
193 RPointerArray<CPKIXValidationResultBase>& aPkixResultsOut, |
|
194 RPointerArray<CX509Certificate>& aCertsOut, |
|
195 TCapabilitySet* aCapabilitySetOut, |
|
196 TBool& aAllowUnsigned, |
|
197 TRequestStatus& aStatus); |
|
198 |
|
199 /** |
|
200 * Verifies the hash of a the data pointed to by a given data provider. |
|
201 * |
|
202 * @param aDataProvider A data provider which gives access to the file we want to check |
|
203 * @param aDigest The digest of the data pointed to by the given data provider |
|
204 * |
|
205 * @return ETrue if the has could be verified, EFalse otherwise. |
|
206 */ |
|
207 IMPORT_C TBool VerifyFileHashL(MSisDataProvider& aDataProvider, |
|
208 const CHashContainer& aDigest); |
|
209 |
|
210 /** |
|
211 * Perform an OCSP check on the certificate chain which have been |
|
212 * previously validated by a call to VerifyControllerL(). This method can |
|
213 * be called \b only after VerifyControllerL(). This makes the Security |
|
214 * Manager a stateful object. But this is better than requiring the caller |
|
215 * to store all the intermediate data. |
|
216 * |
|
217 * @param aOcspUri [in] The default OCSP URI as specified by |
|
218 * the UI or read from the policy. |
|
219 * @param aIap [in, out] The IAP to use for this connection |
|
220 * (zero means show dialog) |
|
221 * @param aRevocationMessageOut [out] An output paramter containing the |
|
222 * result of the check |
|
223 * @param aOcspOutcomeOut [out] A list of OCSP outcomes. To each of |
|
224 * this corresponds a certificate in the |
|
225 * \e aCertOut list. |
|
226 * @param aCertOut [out] A list of end entity certificates. |
|
227 * @param aStatus [in,out] The client status which will be |
|
228 * completed upon termination. |
|
229 */ |
|
230 IMPORT_C void PerformOcspL(const TDesC8& aOcspUri, |
|
231 TUint32& aIap, |
|
232 TRevocationDialogMessage* aRevocationMessageOut, |
|
233 RPointerArray<TOCSPOutcome>& aOcspOutcomeOut, |
|
234 RPointerArray<CX509Certificate>& aCertOut, |
|
235 TRequestStatus& aStatus); |
|
236 |
|
237 /** |
|
238 * Fills certificate info array from the X509 certificate array which was |
|
239 * filled by the security manager. |
|
240 * |
|
241 * @param aCertificates [in] Array of X509 certificates constructed from |
|
242 * controller. |
|
243 * @param aCertInfos [out] Array of certificate info objects. |
|
244 */ |
|
245 IMPORT_C static void FillCertInfoArrayL( |
|
246 const RPointerArray<CX509Certificate>& aCertificates, |
|
247 RPointerArray<CCertificateInfo>& aCertInfos); |
|
248 |
|
249 /** |
|
250 * Retrieves end certificates from iController and stores them in |
|
251 * iCertificates. |
|
252 * |
|
253 * @param aController [in] SIS controller object. |
|
254 * @param aCerts [out] Receives EE certificates from the controller. |
|
255 */ |
|
256 IMPORT_C void GetCertificatesFromControllerL( |
|
257 const Sis::CController& aController, |
|
258 RPointerArray<CX509Certificate>& aCerts); |
|
259 |
|
260 /** |
|
261 * Returns the security policy associated with the security manager. |
|
262 * |
|
263 * @return The security policy object associated with the security manager. |
|
264 */ |
|
265 IMPORT_C CSecurityPolicy& SecurityPolicy() const; |
|
266 |
|
267 /** |
|
268 * Returns the DeviceIDs retrieved from the Mobile. |
|
269 * |
|
270 * @return The array of the device IDs. |
|
271 */ |
|
272 IMPORT_C const RPointerArray<HBufC>& DeviceIDsInfo() const; |
|
273 |
|
274 /** |
|
275 * Resets Security Manager's list of valid certificate chains. |
|
276 * This is required to ensure that embedded SIS files do not include the certificate |
|
277 * chains of their parent SIS file. |
|
278 */ |
|
279 IMPORT_C void ResetValidCertChains(); |
|
280 |
|
281 /** Calculates the hash of a file |
|
282 @param aDataProvider Provides access to the data from the file |
|
283 @param aAlgorithm The algorithm used to generate the hash |
|
284 @return A buffer containing the hash result |
|
285 */ |
|
286 IMPORT_C HBufC8* CalculateHashLC(MSisDataProvider& aDataProvider, CMessageDigest::THashId aAlgorithm); |
|
287 |
|
288 /** |
|
289 Set the devcert warning state. |
|
290 @param aDevCertWarningState developer mode certificate warning state |
|
291 @return none |
|
292 */ |
|
293 IMPORT_C void SetDevCertWarningState(TInt aDevCertWarningState); |
|
294 |
|
295 /** |
|
296 Get the devcert warning state. |
|
297 @param aDevCertWarningState developer mode certificate warning state |
|
298 @return none |
|
299 */ |
|
300 IMPORT_C TInt GetDevCertWarningState(); |
|
301 |
|
302 /* |
|
303 * This function sets the user provided list of root certs. These certs will be used |
|
304 * for validation instead of fetching root certs from the certstore for validation. |
|
305 * |
|
306 * @param aX509CertArray caller provided list of root certs. |
|
307 * @return none |
|
308 */ |
|
309 IMPORT_C void SetRootCerts(RPointerArray<CX509Certificate>* aX509CertArray); |
|
310 |
|
311 |
|
312 protected: // Helper functions |
|
313 |
|
314 /** |
|
315 * This helper function verifies a given certificate/signature block. |
|
316 * The signature block structure is defined in |
|
317 * SGL.GT0188.251 Paragraph 4.3 |
|
318 * Each block may contain multiple signatures using different |
|
319 * signature schemes. |
|
320 * |
|
321 * @param aChainIndex The index of the chain in iChains which is to be verified. |
|
322 */ |
|
323 void VerifyBlockL(TInt aChainIndex); |
|
324 |
|
325 /** |
|
326 * This helper function calculates the size of the raw |
|
327 * SISX controller data. |
|
328 * |
|
329 * @param iChainsToAdd How many certificate/signature chains to add to the size |
|
330 * starting from the most internal one. |
|
331 * |
|
332 * @return The controller size (including iChainsToAdd certificate chains) |
|
333 */ |
|
334 TInt SignedSize(TInt iChainsToAdd) const; |
|
335 |
|
336 /** |
|
337 * It reduces the count based on the given certificate from the iMandatoryCertDNCount (count of mandatory |
|
338 * certificates). If the certificate is not found nothing happens. Note |
|
339 * that for a controller to be successfully validated the iMandatoryCertDNCount must |
|
340 * be zero. |
|
341 * |
|
342 * @param aCertificate The certificate to be compared |
|
343 */ |
|
344 void UpdateListOfMissingRequiredCertsL(const CCertificate& aCertificate); |
|
345 |
|
346 /** |
|
347 * It update the given certificate to be validated by System upgrade if the certificate is found in the |
|
348 * trust anchors list. If the certificate is not found nothing happens. |
|
349 * |
|
350 * @param aCertificate The certificate to be compared |
|
351 */ |
|
352 void UpdateSystemUpgradeCertStatusL(const CCertificate& aCertificate); |
|
353 |
|
354 /** |
|
355 * Translates the set of TOCSPOutcome values into a single |
|
356 * TRevocationDialogMessage value and sets iRevocationMessage to this value. |
|
357 */ |
|
358 void ProcessOcspOutcomesL(); |
|
359 |
|
360 private: |
|
361 |
|
362 CSecurityManager(); |
|
363 |
|
364 /** |
|
365 * Second phase constructor for CSecurityManager. It attempts to construct |
|
366 * a CSecurityPolicy object, consequently it accesses the security policy |
|
367 * file. If for any reason no such file is present this method will leave. |
|
368 * This renders impossible to create a security manager and, hence, to |
|
369 * perform an installation. |
|
370 */ |
|
371 void ConstructL(); |
|
372 |
|
373 |
|
374 private: // fields |
|
375 |
|
376 /** |
|
377 * The list of SisSignatureCertificateChain blocks in the actual |
|
378 * controller. Each of these must be validated. |
|
379 * |
|
380 */ |
|
381 RPointerArray<Sis::CSignatureCertificateChain> iChains; // We do not own this! |
|
382 |
|
383 /** |
|
384 * The list of the validation results. Each of this corresponds |
|
385 * to the SisSignatureCertificateChain in iChains of corresponding |
|
386 * index. This list is populated by VerifyBlockL(), the PKIX |
|
387 * validator sets the result during the validation process. |
|
388 */ |
|
389 RPointerArray<CPKIXValidationResultBase>* iValidationResultsOut; |
|
390 |
|
391 /** |
|
392 * List of the successfully constructed PKIX chains. |
|
393 * This list contains only the chains which have been |
|
394 * successfully validated. |
|
395 */ |
|
396 RPointerArray<CX509Certificate>* iEndCertificatesOut; |
|
397 |
|
398 /** |
|
399 * The total capabilities so far. This is the union of the |
|
400 * capabilities of every root of every pkix chain which |
|
401 * has validated successfully. |
|
402 */ |
|
403 TCapabilitySet* iTotalCapabilitiesOut; |
|
404 |
|
405 RPointerArray<TOCSPOutcome>* iOcspOutcomeOut; |
|
406 |
|
407 TRevocationDialogMessage* iRevocationMessage; |
|
408 |
|
409 TSignatureValidationResult* iResult; |
|
410 |
|
411 /** |
|
412 * Count of the mandatory certificates in the certstore. |
|
413 * SISX files must be signed by chains which resolve |
|
414 * to <b>all</b> of them. See SGL.GT0209.201 |
|
415 */ |
|
416 TInt iMandatoryCertDNCount; |
|
417 |
|
418 /** |
|
419 * A parsed version of the SisController which is signed. |
|
420 * This is passed to us by the client. We need it to calculate |
|
421 * the amount of data signed by each signature. |
|
422 */ |
|
423 const Sis::CController* iController; // We do not own this! |
|
424 |
|
425 /** |
|
426 * A raw version of the SisController which is signed. |
|
427 * This is passed to us by the client. We need it to verify |
|
428 * the signatures. |
|
429 */ |
|
430 TPtrC8 iRawController; |
|
431 |
|
432 /** |
|
433 * A book keeping index pointing to the current certificate chain |
|
434 * being examined. It starts from 0 (the innermost certificate chain |
|
435 * in the controller) |
|
436 */ |
|
437 TInt iCurrentChain; |
|
438 |
|
439 /** |
|
440 * A book keeping flag indicating whether any certificate chain has |
|
441 * been validated successfully. |
|
442 */ |
|
443 TBool iHasValidated; |
|
444 |
|
445 /** |
|
446 * The capability set associated with the root (if any) of the |
|
447 * current certificate. This value is set by the chain validator. |
|
448 */ |
|
449 TCapabilitySet iCurrentCapabilities; |
|
450 |
|
451 /** |
|
452 * The current PKIX chain which is being constructed. |
|
453 */ |
|
454 CPKIXCertChainBase* iCurrentPkixChain; |
|
455 |
|
456 /** |
|
457 * A list of all the PKIX chains which have been successfully |
|
458 * validated. If an OCSP check is requested, these chains will |
|
459 * undergo the check. |
|
460 */ |
|
461 RPointerArray<CPKIXCertChainBase> iValidPkixChains; |
|
462 |
|
463 /** |
|
464 * Access the SWIS security policy which drives some of our |
|
465 * decision making. E.g. whether end certificated must contain |
|
466 * a CodeSigning extension, etc. |
|
467 */ |
|
468 CSecurityPolicy* iSecPolicy; |
|
469 |
|
470 /** |
|
471 * The underlying backend certificate store |
|
472 */ |
|
473 CSWICertStore* iCertStore; |
|
474 |
|
475 /** |
|
476 * Helper class which retrieves all the <i>mandatory</i> |
|
477 * certificates in the certstore. |
|
478 */ |
|
479 CCertificateRetriever* iCertificateRetriever; |
|
480 |
|
481 /** |
|
482 * Helper class to validate a certificate chain. |
|
483 * It also collects the capabilities associated with |
|
484 * its root (if any) and whether the root (if any) is |
|
485 * marked as mandatory. |
|
486 */ |
|
487 CChainValidator* iChainValidator; |
|
488 |
|
489 /** |
|
490 * Helper class which takes care of OCSP checks |
|
491 */ |
|
492 CRevocationHandler* iRevocationHandler; |
|
493 |
|
494 /** |
|
495 * |
|
496 * A list of self-signed, untrusted root certificates |
|
497 * included in the chain currently being validated. |
|
498 * |
|
499 */ |
|
500 RPointerArray<CX509Certificate> iUntrustedRoots; |
|
501 |
|
502 // A book keeping flag indicating at least one |
|
503 // chain has validated that isn't self signed |
|
504 |
|
505 TBool iHasValidatedTrusted; |
|
506 |
|
507 // A list of all the roots in the SWI certstore |
|
508 |
|
509 RMPointerArray<CCTCertInfo> iTrustedRoots; |
|
510 |
|
511 TBool iIsEmbeddedController; |
|
512 |
|
513 /** |
|
514 * |
|
515 * A list chain indices to be validated by ReverifyControllerL. |
|
516 * |
|
517 */ |
|
518 const RArray<TInt>* iChainListIndices; |
|
519 |
|
520 /** |
|
521 * The internal state of the security manager. |
|
522 */ |
|
523 enum TSecManState |
|
524 { |
|
525 // Verification and validation |
|
526 EBuildCertificateList, |
|
527 EValidatingChain, |
|
528 |
|
529 // Reverification and validation of chain set for revocation check |
|
530 ERevalidatingChain, |
|
531 |
|
532 // OCSP Check |
|
533 EOCSPCheck, |
|
534 EChecksDone, |
|
535 ERetrievedTrustedRoots |
|
536 } iState; |
|
537 |
|
538 /** |
|
539 * A pointer to the client request status. |
|
540 */ |
|
541 TRequestStatus* iClientStatus; |
|
542 |
|
543 /** |
|
544 * Handle to File server session |
|
545 */ |
|
546 RFs iFs; |
|
547 |
|
548 /** |
|
549 * Device ID retrieved from the device using RDeviceInfo API |
|
550 */ |
|
551 RPointerArray<HBufC> iDeviceIDs; |
|
552 |
|
553 /** |
|
554 Represent if the deveploper mode certificate is in the cert chains of an application, |
|
555 or it is found but not warned to the user, or the user has been warned. |
|
556 */ |
|
557 TDevCertWarningState iDevCertWarningState; |
|
558 |
|
559 /* |
|
560 * This member pointer is used to hold user provided list of root cert for |
|
561 * certificate validation. The ownership of this variable remains with the |
|
562 * caller of SetRootCerts function. |
|
563 */ |
|
564 |
|
565 RPointerArray<CX509Certificate>* iRootCerts; |
|
566 |
|
567 /** |
|
568 * Additional Information about the Certificate in the Certstore. |
|
569 */ |
|
570 RArray<TCertMetaInfo> iCertMetaInfo; |
|
571 |
|
572 /** |
|
573 * Indicates when verifying the certificate if we check the validity period. |
|
574 */ |
|
575 TBool iCheckDateAndTime; |
|
576 }; |
|
577 |
|
578 } //namespace Swi |
|
579 |
|
580 #endif // #ifndef __SECURITYMANAGER_H__ |