49 #include "sisptrprovider.h" |
49 #include "sisptrprovider.h" |
50 #include <e32capability.h> |
50 #include <e32capability.h> |
51 #include <ocsp.h> |
51 #include <ocsp.h> |
52 #include "secutils.h" |
52 #include "secutils.h" |
53 #include "sislauncherclient.h" |
53 #include "sislauncherclient.h" |
54 #include "swicenrep.h" |
54 |
55 // Security settings. |
|
56 #include <x509certext.h> |
|
57 #include <pkixvalidationresult.h> |
|
58 #include <secsettings/secsettingsclient.h> |
|
59 #ifdef SYMBIAN_UNIVERSAL_INSTALL_FRAMEWORK |
55 #ifdef SYMBIAN_UNIVERSAL_INSTALL_FRAMEWORK |
60 #include "swi/sisversion.h" |
56 #include "swi/sisversion.h" |
61 #include "swi/nativecomponentinfo.h" |
57 #include "swi/nativecomponentinfo.h" |
62 #include <usif/usifcommon.h> |
58 #include <usif/usifcommon.h> |
63 #include <usif/scr/appregentries.h> |
|
64 #include "scrdbconstants.h" |
59 #include "scrdbconstants.h" |
65 #endif |
60 #endif |
66 |
61 |
67 using namespace Swi; |
62 using namespace Swi; |
68 using namespace Swi::Sis; |
63 using namespace Swi::Sis; |
69 |
64 |
70 _LIT(KExpressSignedOID, "1.2.826.0.1.1796587.1.1.2.1"); |
|
71 _LIT(KCertifiedSignedOID, "1.2.826.0.1.1796587.1.1.2.2"); |
|
72 _LIT(KCertifiedSignedWithVerisignOID, "1.2.826.0.1.1796587.1.1.2.3"); |
|
73 |
|
74 |
|
75 #ifdef SYMBIAN_UNIVERSAL_INSTALL_FRAMEWORK |
|
76 |
|
77 void DeRegisterForceRegisteredAppsL() |
|
78 { |
|
79 // Deregister the force registered applications from AppArc |
|
80 DEBUG_PRINTF(_L8("Deregistering the force registered applications with AppArc")); |
|
81 RSisLauncherSession launcher; |
|
82 CleanupClosePushL(launcher); |
|
83 User::LeaveIfError(launcher.Connect()); |
|
84 RArray<TAppUpdateInfo> emptyAppRegDataArray; |
|
85 launcher.NotifyNewAppsL(emptyAppRegDataArray); |
|
86 CleanupStack::PopAndDestroy(&launcher); |
|
87 } |
|
88 |
|
89 #endif |
|
90 |
65 |
91 // |
66 // |
92 // TInstallState |
67 // TInstallState |
93 // |
68 // |
94 |
69 |
516 |
487 |
517 break; |
488 break; |
518 } |
489 } |
519 |
490 |
520 case ESignatureSelfSigned: |
491 case ESignatureSelfSigned: |
521 { |
|
522 iInstallMachine.SetTrust(ESisPackageCertificateChainNoTrustAnchor); |
492 iInstallMachine.SetTrust(ESisPackageCertificateChainNoTrustAnchor); |
523 iInstallMachine.SetValidationStatus(EValidated); |
493 iInstallMachine.SetValidationStatus(EValidated); |
524 |
494 |
525 #ifdef SYMBIAN_UNIVERSAL_INSTALL_FRAMEWORK |
495 #ifdef SYMBIAN_UNIVERSAL_INSTALL_FRAMEWORK |
526 // Alert only when machine not runs in info collection mode |
496 // Alert only when machine not runs in info collection mode |
527 if(iInstallMachine.IsInInfoMode()) |
497 if(iInstallMachine.IsInInfoMode()) |
528 break; |
498 break; |
529 #endif |
499 #endif |
530 |
500 if (!SecurityAlertL(ETrue)) |
531 TBool allowSelfSigned(ETrue); |
501 User::Leave(KErrCancel); |
532 |
502 break; |
533 // Session to access Install Central Repository Server. |
503 |
534 SecuritySettingsServer::RSecSettingsSession secSettingsSession; |
504 |
535 |
|
536 // Connect to the Central Repository server. |
|
537 User::LeaveIfError(secSettingsSession.Connect()); |
|
538 |
|
539 CleanupClosePushL(secSettingsSession); |
|
540 |
|
541 // Read-in the values of the settings - KAllowSelfSignedInstallKey. |
|
542 // These will retain the default values if any error occurs. |
|
543 TRAPD(err, (allowSelfSigned = secSettingsSession.SettingValueL(KUidInstallationRepository , KAllowSelfSignedInstallKey))); |
|
544 if (err == KErrNone || err == KErrSettingNotFound || err == KErrNotFound || err == KErrCorrupt) |
|
545 { |
|
546 if (err == KErrCorrupt) |
|
547 { |
|
548 DEBUG_PRINTF(_L8("Install Machine - CenRep file 2002cff6.txt is corrupt. Using Default Value to Install.")); |
|
549 } |
|
550 |
|
551 if (!allowSelfSigned || !SecurityAlertL(ETrue)) |
|
552 { |
|
553 User::Leave(KErrCancel); |
|
554 } |
|
555 } |
|
556 else |
|
557 { |
|
558 User::Leave(err); |
|
559 } |
|
560 CleanupStack::PopAndDestroy(&secSettingsSession); |
|
561 break; |
|
562 } |
|
563 case ECertificateValidationError: |
505 case ECertificateValidationError: |
564 case ENoCertificate: |
506 case ENoCertificate: |
565 case ENoCodeSigningExtension: |
507 case ENoCodeSigningExtension: |
566 case ENoSupportedPolicyExtension: |
508 case ENoSupportedPolicyExtension: |
567 { |
509 { |
689 // Determine is the check is necessary. |
630 // Determine is the check is necessary. |
690 iNeedOcsp = iInstallMachine.iInstallPrefs->PerformRevocationCheck() && iInstallMachine.iSecurityManager->SecurityPolicy().OcspEnabled(); |
631 iNeedOcsp = iInstallMachine.iInstallPrefs->PerformRevocationCheck() && iInstallMachine.iSecurityManager->SecurityPolicy().OcspEnabled(); |
691 |
632 |
692 if ((iInstallMachine.iCertificates.Count()) && iNeedOcsp) |
633 if ((iInstallMachine.iCertificates.Count()) && iNeedOcsp) |
693 { |
634 { |
694 TInt checkOCSPForExpressSignedPkg = 1; |
635 // We haven't done the planning phase so we need to use the default |
695 TInt checkOCSPForSelfSignedPkg = 1; |
636 TAppInfo appInfo(iInstallMachine.iCurrentContentProvider->DefaultLanguageAppInfoL()); |
696 TInt checkOCSPForCertifiedSignedPkg = 1; |
637 |
697 TInt checkOCSPForCertifiedWithVeriSignPkg = 1; |
638 // Signal OCSP check starting |
698 |
639 CHandleCancellableInstallEvent* cmd = CHandleCancellableInstallEvent::NewLC(appInfo, EEventOcspCheckStart, 0, KNullDesC); |
699 // Session to access Security Central Repository Server. |
640 iInstallMachine.UiHandler().ExecuteL(*cmd); |
700 SecuritySettingsServer::RSecSettingsSession secSettingsSession; |
641 CleanupStack::PopAndDestroy(cmd); |
701 |
642 |
702 // Connect to the Security Central Repository server. |
643 // Start OCSP check. |
703 User::LeaveIfError(secSettingsSession.Connect()); |
644 TBuf8<256> ocspUri(iInstallMachine.iInstallPrefs->RevocationServerUri()); |
704 |
645 iInstallMachine.iSecurityManager->PerformOcspL(ocspUri, iInstallMachine.iIap, |
705 CleanupClosePushL(secSettingsSession); |
646 &iInstallMachine.iOcspMsg,iInstallMachine.iOcspOutcomes, |
706 |
647 iInstallMachine.iCertificates,iInstallMachine.iStatus); |
707 // Read-in the values of the settings from the Install Central Repository. |
648 |
708 // These will retain the default values if any error occurs. |
649 TTime time; |
709 TRAPD(err, checkOCSPForExpressSignedPkg = secSettingsSession.SettingValueL(KUidInstallationRepository, KCheckOCSPForExpressedSignedPkgKey)); |
650 time.UniversalTime(); |
710 TRAP(err, checkOCSPForSelfSignedPkg = secSettingsSession.SettingValueL(KUidInstallationRepository, KCheckOCSPForSelfSignedPkgKey)); |
651 TSisTrustStatus& trustStatus = iInstallMachine.iController->TrustStatus(); |
711 TRAP(err, checkOCSPForCertifiedSignedPkg = secSettingsSession.SettingValueL(KUidInstallationRepository, KCheckOCSPForCertifiedSignedPkgKey)); |
652 trustStatus.SetLastCheckDate(time); |
712 TRAP(err, checkOCSPForCertifiedWithVeriSignPkg = secSettingsSession.SettingValueL(KUidInstallationRepository, KCheckOCSPForCertifiedWithVeriSignPkgKey)); |
|
713 |
|
714 CleanupStack::PopAndDestroy(&secSettingsSession); |
|
715 |
|
716 TBool makeOcspCheck = (checkOCSPForExpressSignedPkg == 1) && (checkOCSPForSelfSignedPkg == 1) && (checkOCSPForCertifiedSignedPkg == 1) && (checkOCSPForCertifiedWithVeriSignPkg == 1); |
|
717 |
|
718 //Find the OID of the certificate and make ocsp check based on settings retreived from cenrep |
|
719 for (TInt i=0; i<iInstallMachine.iCertificates.Count(); ++i) |
|
720 { |
|
721 if(makeOcspCheck)//Could be true if set in the previous iCertificates. |
|
722 { |
|
723 break; |
|
724 } |
|
725 CX509Certificate* cert = iInstallMachine.iCertificates[i]; |
|
726 const CX509CertExtension* certExt = cert->Extension(KCertPolicies); |
|
727 if (certExt == NULL) |
|
728 { |
|
729 makeOcspCheck = ETrue; |
|
730 continue; |
|
731 } |
|
732 CX509CertPoliciesExt* policyExt = CX509CertPoliciesExt::NewLC(certExt->Data()); |
|
733 const CArrayPtrFlat<CX509CertPolicyInfo>& policies = policyExt->Policies(); |
|
734 if(policies.Count() == 0) |
|
735 { |
|
736 makeOcspCheck = ETrue; |
|
737 } |
|
738 for(TInt j=0; j<policies.Count(); ++j) |
|
739 { |
|
740 HBufC* oid = (policies[j])->Id().AllocLC(); |
|
741 if (oid->Compare(KExpressSignedOID) == 0) |
|
742 { |
|
743 makeOcspCheck = (checkOCSPForExpressSignedPkg==1); |
|
744 } |
|
745 else if(oid->Compare(KCertifiedSignedOID) == 0) |
|
746 { |
|
747 makeOcspCheck = (checkOCSPForCertifiedSignedPkg==1); |
|
748 } |
|
749 else if(oid->Compare(KCertifiedSignedWithVerisignOID) == 0) |
|
750 { |
|
751 makeOcspCheck = (checkOCSPForCertifiedWithVeriSignPkg==1); |
|
752 } |
|
753 else if(iInstallMachine.iSigValidationResult == ESignatureSelfSigned) |
|
754 { |
|
755 makeOcspCheck = (checkOCSPForSelfSignedPkg==1); |
|
756 } |
|
757 CleanupStack::PopAndDestroy(oid); |
|
758 if(makeOcspCheck) |
|
759 { |
|
760 break; |
|
761 } |
|
762 } |
|
763 CleanupStack::PopAndDestroy(policyExt); |
|
764 } |
|
765 |
|
766 if (makeOcspCheck) |
|
767 { |
|
768 // We haven't done the planning phase so we need to use the default |
|
769 TAppInfo appInfo(iInstallMachine.iCurrentContentProvider->DefaultLanguageAppInfoL()); |
|
770 |
|
771 // Signal OCSP check starting |
|
772 CHandleCancellableInstallEvent* cmd = CHandleCancellableInstallEvent::NewLC(appInfo, EEventOcspCheckStart, 0, KNullDesC); |
|
773 iInstallMachine.UiHandler().ExecuteL(*cmd); |
|
774 CleanupStack::PopAndDestroy(cmd); |
|
775 |
|
776 // Start OCSP check. |
|
777 TBuf8<256> ocspUri(iInstallMachine.iInstallPrefs->RevocationServerUri()); |
|
778 iInstallMachine.iSecurityManager->PerformOcspL(ocspUri, iInstallMachine.iIap, |
|
779 &iInstallMachine.iOcspMsg,iInstallMachine.iOcspOutcomes, |
|
780 iInstallMachine.iCertificates,iInstallMachine.iStatus); |
|
781 |
|
782 TTime time; |
|
783 time.UniversalTime(); |
|
784 TSisTrustStatus& trustStatus = iInstallMachine.iController->TrustStatus(); |
|
785 trustStatus.SetLastCheckDate(time); |
|
786 } |
|
787 else |
|
788 { |
|
789 iNeedOcsp = EFalse; |
|
790 iInstallMachine.CompleteSelf(); |
|
791 } |
|
792 } |
653 } |
793 else |
654 else |
794 { |
655 { |
795 iNeedOcsp = EFalse; |
656 iNeedOcsp = EFalse; |
796 iInstallMachine.CompleteSelf(); |
657 iInstallMachine.CompleteSelf(); |
1038 // Get the Capabilities required by the executables in the given component and set it in current controller. |
899 // Get the Capabilities required by the executables in the given component and set it in current controller. |
1039 //Setting the HasExecutable flag in the current contoller if it |
900 //Setting the HasExecutable flag in the current contoller if it |
1040 //contains any executable(.exe or .dll). |
901 //contains any executable(.exe or .dll). |
1041 if (iInstallMachine.IsInInfoMode()) |
902 if (iInstallMachine.IsInInfoMode()) |
1042 { |
903 { |
|
904 TCapabilitySet userGrantableCaps; |
|
905 userGrantableCaps.SetEmpty(); |
|
906 iInstallMachine.GetRequestedCapabilities(userGrantableCaps, filesToCapabilityCheck); |
|
907 iInstallMachine.SetUserGrantableCapabilities(userGrantableCaps); |
|
908 |
1043 Sis::CController& controller = const_cast <Sis::CController&>(iInstallMachine.iPlanner->CurrentController()); |
909 Sis::CController& controller = const_cast <Sis::CController&>(iInstallMachine.iPlanner->CurrentController()); |
1044 controller.SetHasExecutable(EFalse); |
910 controller.SetHasExecutable(EFalse); |
1045 TInt noOfFiles = filesToCapabilityCheck.Count(); |
911 TInt noOfFiles = filesToCapabilityCheck.Count(); |
1046 for(TInt i = 0 ; i < noOfFiles ; i++) |
912 for(TInt i = 0 ; i < noOfFiles ; i++) |
1047 { |
913 { |
1320 } |
1185 } |
1321 |
1186 |
1322 void CInstallMachine::PostJournalFinalizationL(TInt aError) |
1187 void CInstallMachine::PostJournalFinalizationL(TInt aError) |
1323 { |
1188 { |
1324 DEBUG_PRINTF(_L8("Install Machine - PostJournalFinalization")); |
1189 DEBUG_PRINTF(_L8("Install Machine - PostJournalFinalization")); |
1325 |
1190 |
1326 #ifdef SYMBIAN_UNIVERSAL_INSTALL_FRAMEWORK |
1191 #ifdef SYMBIAN_UNIVERSAL_INSTALL_FRAMEWORK |
1327 // Do nothing in info mode |
1192 // Do nothing in info mode |
1328 if(IsInInfoMode()) |
1193 if(IsInInfoMode()) |
1329 { |
1194 { |
1330 return; |
1195 return; |
1331 } |
1196 } |
1332 #endif |
1197 #endif |
1333 |
|
1334 if (!iPlan) |
1198 if (!iPlan) |
1335 { |
1199 { |
1336 return; |
1200 return; |
1337 } |
1201 } |
1338 const RPointerArray<CSisRegistryFileDescription>& filesToRun = iPlan->FilesToRunAfterInstall(); |
1202 const RPointerArray<CSisRegistryFileDescription>& filesToRun = iPlan->FilesToRunAfterInstall(); |
1339 RSisLauncherSession launcher; |
1203 |
1340 if (launcher.Connect() != KErrNone) |
1204 TInt numFiles = filesToRun.Count(); |
1341 { |
1205 |
1342 DEBUG_PRINTF(_L8("Install Machine - Failed to connect to SisLauncher")); |
|
1343 return; |
|
1344 } |
|
1345 CleanupClosePushL(launcher); |
|
1346 |
|
1347 #ifdef SYMBIAN_UNIVERSAL_INSTALL_FRAMEWORK |
|
1348 //Notify apparc for the the change in the Applications |
|
1349 RArray<TAppUpdateInfo> affectedApps; |
|
1350 iPlan->GetAffectedApps(affectedApps); |
|
1351 if (affectedApps.Count() > 0) |
|
1352 { |
|
1353 launcher.NotifyNewAppsL(affectedApps); |
|
1354 } |
|
1355 affectedApps.Close(); |
|
1356 #endif |
|
1357 |
|
1358 TInt numFiles = filesToRun.Count(); |
|
1359 if (aError != KErrNone || numFiles <= 0) |
1206 if (aError != KErrNone || numFiles <= 0) |
1360 { |
1207 { |
1361 CleanupStack::PopAndDestroy(&launcher); |
|
1362 return; |
1208 return; |
1363 } |
1209 } |
1364 |
1210 |
1365 // Check the top level application, if it's not trusted and the policy says no |
1211 // Check the top level application, if it's not trusted and the policy says no |
1366 // then don't run anything. |
1212 // then don't run anything. |
1370 { |
1216 { |
1371 DEBUG_PRINTF(_L8("Install Machine - Toplevel controller is untrusted, not running files after install")); |
1217 DEBUG_PRINTF(_L8("Install Machine - Toplevel controller is untrusted, not running files after install")); |
1372 return; |
1218 return; |
1373 } |
1219 } |
1374 |
1220 |
1375 DEBUG_PRINTF(_L8("Install Machine - Processing files to run after install")); |
1221 DEBUG_PRINTF(_L8("Install Machine - Processing files to run after install")); |
1376 |
1222 RSisLauncherSession launcher; |
1377 #ifndef SYMBIAN_UNIVERSAL_INSTALL_FRAMEWORK |
1223 |
1378 |
1224 if (launcher.Connect() != KErrNone) |
|
1225 { |
|
1226 DEBUG_PRINTF(_L8("Install Machine - Failed to connect to SisLauncher, continuing...")); |
|
1227 return; |
|
1228 } |
|
1229 CleanupClosePushL(launcher); |
1379 launcher.NotifyNewAppsL(iPlan->AppArcRegFiles()); |
1230 launcher.NotifyNewAppsL(iPlan->AppArcRegFiles()); |
1380 #endif |
1231 |
1381 if (iPlan->ContainsPlugins()) |
1232 if (iPlan->ContainsPlugins()) |
1382 |
1233 |
1383 { |
1234 { |
1384 // set the "I'm done" propererty AFTER running ECOM reliant files. |
1235 // set the "I'm done" propererty AFTER running ECOM reliant files. |
1385 launcher.RunAfterEcomNotificationL(filesToRun); |
1236 launcher.RunAfterEcomNotificationL(filesToRun); |
1711 |
1559 |
1712 // Any capabilities left in requestedCaps after this are not signed for and not in the certs constraints. |
1560 // Any capabilities left in requestedCaps after this are not signed for and not in the certs constraints. |
1713 // Check if any of them are system capabilities. If so, bail out. |
1561 // Check if any of them are system capabilities. If so, bail out. |
1714 TCapabilitySet requiredExtraSysCaps(requestedCaps); |
1562 TCapabilitySet requiredExtraSysCaps(requestedCaps); |
1715 SecurityCheckUtil::RemoveUserCaps(requiredExtraSysCaps, *iSecurityManager); |
1563 SecurityCheckUtil::RemoveUserCaps(requiredExtraSysCaps, *iSecurityManager); |
1716 |
1564 TAppInfo appInfo(iCurrentContentProvider->DefaultLanguageAppInfoL()); |
|
1565 |
1717 #ifdef SYMBIAN_UNIVERSAL_INSTALL_FRAMEWORK |
1566 #ifdef SYMBIAN_UNIVERSAL_INSTALL_FRAMEWORK |
1718 // Report the error to the user only when machine not runs in info collection mode |
1567 // Report the error to the user only when machine not runs in info collection mode |
1719 if(IsInInfoMode()) |
1568 if(IsInInfoMode()) |
1720 { |
1569 { |
1721 TCapabilitySet requiredUserCaps(requestedCaps); |
1570 SetUserGrantableCapabilities(requestedCaps); |
1722 requiredUserCaps.Remove(requiredExtraSysCaps); |
|
1723 SetUserGrantableCapabilities(requiredUserCaps); |
|
1724 return; |
1571 return; |
1725 } |
1572 } |
1726 #endif |
1573 #endif |
1727 |
1574 |
1728 TAppInfo appInfo(iCurrentContentProvider->DefaultLanguageAppInfoL()); |
|
1729 if (SecurityCheckUtil::NotEmpty(requiredExtraSysCaps)||(SecurityCheckUtil::NotEmpty(requestedCaps) && EFalse==iSecurityManager->SecurityPolicy().AllowGrantUserCaps())) |
1575 if (SecurityCheckUtil::NotEmpty(requiredExtraSysCaps)||(SecurityCheckUtil::NotEmpty(requestedCaps) && EFalse==iSecurityManager->SecurityPolicy().AllowGrantUserCaps())) |
1730 { |
1576 { |
1731 // Report error to the user. Include the list of capabilities that are left in requestedCaps. |
1577 // Report error to the user. Include the list of capabilities that are left in requestedCaps. |
1732 // Among these will be at least one cap that is not allowed. This is because |
1578 // Among these will be at least one cap that is not allowed. This is because |
1733 // - it is a system cap which hasn't been granted or |
1579 // - it is a system cap which hasn't been granted or |
1962 aNativeComponentInfo->iMaxInstalledSize += fileDescriptions[i]->UncompressedLength(); |
1806 aNativeComponentInfo->iMaxInstalledSize += fileDescriptions[i]->UncompressedLength(); |
1963 } |
1807 } |
1964 |
1808 |
1965 //Setting the HasExecutable flag |
1809 //Setting the HasExecutable flag |
1966 aNativeComponentInfo->iHasExe = controller.HasExecutable(); |
1810 aNativeComponentInfo->iHasExe = controller.HasExecutable(); |
1967 |
|
1968 //Setting the drive selection requird flag |
|
1969 aNativeComponentInfo->iIsDriveSelectionRequired = controller.DriveSelectionRequired(); |
|
1970 |
|
1971 //Populate ApplicationInfo, copy the app info from controller's iApplicationInfo to install machines's iApplicationInfo |
|
1972 RCPointerArray<CNativeComponentInfo::CNativeApplicationInfo> applications; |
|
1973 applications = const_cast<CController&>(aController).GetApplicationInfo(); |
|
1974 for(TInt i = 0 ; i < applications.Count() ; i++) |
|
1975 { |
|
1976 CNativeComponentInfo::CNativeApplicationInfo* appInfo = NULL; |
|
1977 appInfo = CNativeComponentInfo::CNativeApplicationInfo::NewLC(applications[i]->AppUid(), applications[i]->Name(), applications[i]->GroupName(), applications[i]->IconFileName()); |
|
1978 aNativeComponentInfo->iApplications.AppendL(appInfo); |
|
1979 CleanupStack::Pop(appInfo); |
|
1980 } |
|
1981 |
1811 |
1982 const RPointerArray<CController>& embeddedControllers = aController.InstallBlock().EmbeddedControllers(); |
1812 const RPointerArray<CController>& embeddedControllers = aController.InstallBlock().EmbeddedControllers(); |
1983 TInt totalEmbeddedControllers = embeddedControllers.Count(); |
1813 TInt totalEmbeddedControllers = embeddedControllers.Count(); |
1984 for (TInt controller = 0; controller < totalEmbeddedControllers; controller++) |
1814 for (TInt controller = 0; controller < totalEmbeddedControllers; controller++) |
1985 { |
1815 { |
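Review bot: In the OCSP hunk, the policy loop at lines 738–762 of the longer column leaves `makeOcspCheck` unchanged when a certificate's policy OID matches none of the three known OIDs and the signature result is not `ESignatureSelfSigned`, so once any one of the four CenRep switches is 0 such a package appears to skip the revocation check entirely. Unrecognised policies should fall back to checking; a final `else { makeOcspCheck = ETrue; }` after the `ESignatureSelfSigned` branch would do that. The four `TRAP`s at 709–712 also overwrite `err` without ever reading it, which is safe only because every default is 1; a comment such as `// errors ignored on purpose: the defaults keep OCSP enabled` would make that intent explicit. The page does not mark which column is the new side, so this applies only if the column carrying these lines is the one being introduced; the enclosing function starts and ends outside the hunk.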