security: fixing bugs and adding methods
1. changing getCertificate to take only one argument, now validation checking is always enforced.
2. changing KSK-... DSK-... to lower case ksk-..., dsk-...
3. adding a addCertificateAsSystemDefault method to facilitate setting default certificate of the system.
4. using static_cast<int> (rather than floor) to round time.
5. sanity checking for key name in SecPublicInfo and SecPublicInfoSqlite3.
Change-Id: Id67af9873efef3df92458ed7a87623f22167c558
diff --git a/src/c/util/time.c b/src/c/util/time.c
index 4c3be3a..29c20c6 100644
--- a/src/c/util/time.c
+++ b/src/c/util/time.c
@@ -43,7 +43,7 @@
// Don't expect this to happen.
fraction = ".000000";
- time_t seconds = (time_t)floor(secondsSince1970);
+ time_t seconds = (time_t)secondsSince1970;
struct tm* gmt = gmtime(&seconds);
sprintf(isoString, "%04d%02d%02dT%02d%02d%02d%s", 1900 + gmt->tm_year, gmt->tm_mon + 1, gmt->tm_mday,
gmt->tm_hour, gmt->tm_min, gmt->tm_sec, fraction);
diff --git a/src/security/certificate/identity-certificate.cpp b/src/security/certificate/identity-certificate.cpp
index aa2ad9c..1deb46f 100644
--- a/src/security/certificate/identity-certificate.cpp
+++ b/src/security/certificate/identity-certificate.cpp
@@ -59,17 +59,31 @@
{
int i = certificateName.size() - 1;
string idString("ID-CERT");
+ bool foundIdString = false;
for (; i >= 0; i--) {
if (certificateName.get(i).toEscapedString() == idString)
- break;
+ {
+ foundIdString = true;
+ break;
+ }
}
+
+ if(!foundIdString)
+ throw Error("Incorrect identity certificate name " + certificateName.toUri());
Name tmpName = certificateName.getSubName(0, i);
string keyString("KEY");
+ bool foundKeyString = false;
for (i = 0; i < tmpName.size(); i++) {
if (tmpName.get(i).toEscapedString() == keyString)
- break;
+ {
+ foundKeyString = true;
+ break;
+ }
}
+
+ if(!foundKeyString)
+ throw Error("Incorrect identity certificate name " + certificateName.toUri());
return tmpName.getSubName(0, i).append(tmpName.getSubName(i + 1, tmpName.size() - i - 1));
}
diff --git a/src/security/identity/sec-public-info-memory.cpp b/src/security/identity/sec-public-info-memory.cpp
index 3336547..966e574 100644
--- a/src/security/identity/sec-public-info-memory.cpp
+++ b/src/security/identity/sec-public-info-memory.cpp
@@ -119,7 +119,7 @@
}
ptr_lib::shared_ptr<IdentityCertificate>
-SecPublicInfoMemory::getCertificate(const Name& certificateName, bool allowAny)
+SecPublicInfoMemory::getCertificate(const Name& certificateName)
{
CertificateStore::iterator record = certificateStore_.find(certificateName.toUri());
if (record == certificateStore_.end())
diff --git a/src/security/identity/sec-public-info-sqlite3.cpp b/src/security/identity/sec-public-info-sqlite3.cpp
index 78ea986..8f80db9 100644
--- a/src/security/identity/sec-public-info-sqlite3.cpp
+++ b/src/security/identity/sec-public-info-sqlite3.cpp
@@ -222,6 +222,9 @@
bool
SecPublicInfoSqlite3::doesPublicKeyExist(const Name& keyName)
{
+ if(keyName.empty())
+ throw Error("Incorrect key name " + keyName.toUri());
+
string keyId = keyName.get(-1).toEscapedString();
Name identityName = keyName.getPrefix(-1);
@@ -248,6 +251,9 @@
void
SecPublicInfoSqlite3::addPublicKey(const Name& keyName, KeyType keyType, const PublicKey& publicKeyDer)
{
+ if(keyName.empty())
+ throw Error("Incorrect key name " + keyName.toUri());
+
string keyId = keyName.get(-1).toEscapedString();
Name identityName = keyName.getPrefix(-1);
@@ -302,6 +308,9 @@
void
SecPublicInfoSqlite3::updateKeyStatus(const Name& keyName, bool isActive)
{
+ if(keyName.empty())
+ throw Error("Incorrect key name " + keyName.toUri());
+
string keyId = keyName.get(-1).toEscapedString();
Name identityName = keyName.getPrefix(-1);
@@ -343,7 +352,10 @@
SecPublicInfoSqlite3::addAnyCertificate(const IdentityCertificate& certificate)
{
std::string certificateName = certificate.getName().toUri();
- Name keyName = certificate.getPublicKeyName();
+ Name keyName = IdentityCertificate::certificateNameToPublicKeyName(certificate.getName());
+
+ if(keyName.empty())
+ throw Error("Incorrect key name " + keyName.toUri());
std::string keyId = keyName.get(-1).toEscapedString();
std::string identityName = keyName.getPrefix(-1).toUri();
@@ -382,7 +394,7 @@
SecPublicInfoSqlite3::addCertificate(const IdentityCertificate& certificate)
{
const Name& certificateName = certificate.getName();
- Name keyName = certificate.getPublicKeyName();
+ Name keyName = IdentityCertificate::certificateNameToPublicKeyName(certificate.getName());
if (!doesPublicKeyExist(keyName))
throw Error("No corresponding Key record for certificate!" + keyName.toUri() + " " + certificateName.toUri());
@@ -421,8 +433,8 @@
sqlite3_bind_text(statement, 4, keyId, SQLITE_STATIC);
// Convert from milliseconds to seconds since 1/1/1970.
- sqlite3_bind_int64(statement, 5, (sqlite3_int64)floor(certificate.getNotBefore() / 1000.0));
- sqlite3_bind_int64(statement, 6, (sqlite3_int64)floor(certificate.getNotAfter() / 1000.0));
+ sqlite3_bind_int64(statement, 5, static_cast<sqlite3_int64>(certificate.getNotBefore() / 1000));
+ sqlite3_bind_int64(statement, 6, static_cast<sqlite3_int64>(certificate.getNotAfter() / 1000));
sqlite3_bind_blob(statement, 7, certificate.wireEncode().wire(), certificate.wireEncode().size(), SQLITE_TRANSIENT);
@@ -432,24 +444,17 @@
}
ptr_lib::shared_ptr<IdentityCertificate>
-SecPublicInfoSqlite3::getCertificate(const Name &certificateName, bool allowAny)
+SecPublicInfoSqlite3::getCertificate(const Name &certificateName)
{
if (doesCertificateExist(certificateName)) {
sqlite3_stmt *statement;
- if (!allowAny) {
- sqlite3_prepare_v2(database_,
- "SELECT certificate_data FROM Certificate \
- WHERE cert_name=? AND not_before<datetime('now') AND not_after>datetime('now') and valid_flag=1",
- -1, &statement, 0);
-
- sqlite3_bind_text(statement, 1, certificateName.toUri(), SQLITE_TRANSIENT);
- }
- else {
- sqlite3_prepare_v2(database_,
- "SELECT certificate_data FROM Certificate WHERE cert_name=?", -1, &statement, 0);
- sqlite3_bind_text(statement, 1, certificateName.toUri(), SQLITE_TRANSIENT);
- }
+ sqlite3_prepare_v2(database_,
+ "SELECT certificate_data FROM Certificate \
+ WHERE cert_name=? AND not_before<datetime('now') AND not_after>datetime('now') and valid_flag=1",
+ -1, &statement, 0);
+
+ sqlite3_bind_text(statement, 1, certificateName.toUri(), SQLITE_TRANSIENT);
int res = sqlite3_step(statement);
@@ -532,6 +537,9 @@
void
SecPublicInfoSqlite3::setDefaultKeyNameForIdentityInternal(const Name& keyName)
{
+ if(keyName.empty())
+ throw Error("Incorrect key name " + keyName.toUri());
+
string keyId = keyName.get(-1).toEscapedString();
Name identityName = keyName.getPrefix(-1);
@@ -561,6 +569,9 @@
Name
SecPublicInfoSqlite3::getDefaultCertificateNameForKey(const Name& keyName)
{
+ if(keyName.empty())
+ return Name();
+
string keyId = keyName.get(-1).toEscapedString();
Name identityName = keyName.getPrefix(-1);
@@ -586,6 +597,9 @@
SecPublicInfoSqlite3::setDefaultCertificateNameForKeyInternal(const Name& certificateName)
{
Name keyName = IdentityCertificate::certificateNameToPublicKeyName(certificateName);
+ if(keyName.empty())
+ throw Error("Incorrect key name for certificate " + certificateName.toUri());
+
string keyId = keyName.get(-1).toEscapedString();
Name identityName = keyName.getPrefix(-1);
@@ -693,6 +707,9 @@
vector<Name>
SecPublicInfoSqlite3::getAllCertificateNamesOfKey(const Name& keyName, bool isDefault)
{
+ if(keyName.empty())
+ return vector<Name>();
+
sqlite3_stmt *stmt;
if(isDefault)
sqlite3_prepare_v2 (database_, "SELECT cert_name FROM Certificate WHERE default_cert=1 and identity_name=? and key_identifier=?", -1, &stmt, 0);