Diffstat (limited to 'src/components/security_manager/include/security_manager')
-rw-r--r--src/components/security_manager/include/security_manager/crypto_manager_impl.h77
-rw-r--r--src/components/security_manager/include/security_manager/crypto_manager_settings_impl.h29
-rw-r--r--src/components/security_manager/include/security_manager/security_manager_impl.h89
3 files changed, 177 insertions, 18 deletions
diff --git a/src/components/security_manager/include/security_manager/crypto_manager_impl.h b/src/components/security_manager/include/security_manager/crypto_manager_impl.h
index 4e48858e5c..5fd7a95155 100644
--- a/src/components/security_manager/include/security_manager/crypto_manager_impl.h
+++ b/src/components/security_manager/include/security_manager/crypto_manager_impl.h
@@ -46,7 +46,6 @@
#include "utils/macro.h"
#include "utils/lock.h"
-#include "utils/shared_ptr.h"
namespace security_manager {
class CryptoManagerImpl : public CryptoManager {
@@ -71,6 +70,8 @@ class CryptoManagerImpl : public CryptoManager {
size_t* out_data_size) OVERRIDE;
bool IsInitCompleted() const OVERRIDE;
bool IsHandshakePending() const OVERRIDE;
+ bool GetCertificateDueDate(time_t& due_date) const OVERRIDE;
+ bool HasCertificate() const OVERRIDE;
size_t get_max_block_size(size_t mtu) const OVERRIDE;
std::string LastError() const OVERRIDE;
void ResetConnection() OVERRIDE;
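Review bot: `GetCertificateDueDate(time_t& due_date)` is added without a comment saying what `due_date` holds when the call returns false, so a caller that ignores the result could compare an unset time against the clock when deciding whether a certificate is still valid. I would document the contract on the declaration, for example `// Returns false and leaves due_date untouched when no certificate is available.`, after checking it against the definition, which is not part of this hunk. `HasCertificate()` should likewise say whether it refers to the certificate held by the SSL connection or to one stored on disk. The enclosing class starts and ends outside the hunk.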
@@ -101,6 +102,22 @@ class CryptoManagerImpl : public CryptoManager {
std::string GetTextBy(X509_NAME* name, int object) const;
+ /**
+ * @brief Pulls number stored in buffer of chars
+ * and returns it as integer
+ * @param buf where symbols stored
+ * @param idx index of required char to be converted
+ * @return number in integer representation
+ */
+ int get_number_from_char_buf(char* buf, int* idx) const;
+ /**
+ * @brief Converts time from ASN1 format (used in OpenSSL)
+ * to time_t data type
+ * @param time_to_convert time to be converted
+ * @return time in time_t format
+ */
+ time_t convert_asn1_time_to_time_t(ASN1_TIME* time_to_convert) const;
+
SSL* connection_;
BIO* bioIn_;
BIO* bioOut_;
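Review bot: `get_number_from_char_buf(char* buf, int* idx)` takes no buffer length, so the parser has no way to notice `*idx` running past the end of the ASN1_TIME data, and OpenSSL does not promise that an ASN1_STRING's bytes are NUL-terminated. Because the input comes out of a certificate, I would pass the length and make the buffer const, e.g. `int get_number_from_char_buf(const char* buf, size_t len, size_t* idx) const;`, or replace the hand-written conversion with `ASN1_TIME_to_tm()` where the OpenSSL version in use provides it. The comment on `idx` reads as if it were a plain index; it should say that it is read and advanced, if that is what the definition does (the definition is not visible here). `convert_asn1_time_to_time_t` should also state whether both UTCTime and GeneralizedTime are accepted and what is returned for a malformed value.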
@@ -120,7 +137,7 @@ class CryptoManagerImpl : public CryptoManager {
public:
explicit CryptoManagerImpl(
- const utils::SharedPtr<const CryptoManagerSettings> set);
+ const std::shared_ptr<const CryptoManagerSettings> set);
~CryptoManagerImpl();
bool Init() OVERRIDE;
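Review bot: The constructor (and `settings_` further down) now names `std::shared_ptr`, but no hunk in this file adds `#include <memory>` while `utils/shared_ptr.h` is removed at the top. The full include list is not visible, so it may already arrive transitively; the header should still include what it uses: `#include <memory>`. The top-level `const` on the by-value parameter has no effect in a declaration and can be dropped.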
@@ -128,23 +145,65 @@ class CryptoManagerImpl : public CryptoManager {
SSLContext* CreateSSLContext() OVERRIDE;
void ReleaseSSLContext(SSLContext* context) OVERRIDE;
std::string LastError() const OVERRIDE;
- virtual bool IsCertificateUpdateRequired() const OVERRIDE;
+ bool IsCertificateUpdateRequired(
+ const time_t system_time, const time_t certificates_time) const OVERRIDE;
virtual const CryptoManagerSettings& get_settings() const OVERRIDE;
private:
+ bool AreForceProtectionSettingsCorrect() const;
bool set_certificate(const std::string& cert_data);
- int pull_number_from_buf(char* buf, int* idx);
- void asn1_time_to_tm(ASN1_TIME* time);
+ /**
+ * @brief Saves new certificate data on the file system
+ * @param cert_data certificate data in PEM format
+ * @return true if new certificate data was successfully saved on the file
+ * system, otherwise returns false
+ */
+ bool SaveCertificateData(const std::string& cert_data) const;
+
+ /**
+ * @brief Updates certificate and private key for the current SSL context
+ * @param certificate new certificate to update
+ * @param key new private key to update
+ * @return true if certificate and private key were updated successfully,
+ * otherwise returns false
+ */
+ bool UpdateModuleCertificateData(X509* certificate, EVP_PKEY* key);
+
+ /**
+ * @brief Loads X509 certificate from file specified in CryptoManagerSettings
+ * @return returns pointer to the loaded X509 certificate in case of success
+ * otherwise returns NULL
+ */
+ X509* LoadModuleCertificateFromFile();
+
+ /**
+ * @brief Loads private key from file specified in CryptoManagerSettings
+ * @return returns pointer to the loaded private key in case of success
+ * otherwise returns NULL
+ */
+ EVP_PKEY* LoadModulePrivateKeyFromFile();
+
+ /**
+ * @brief Saves new X509 certificate data to file specified in
+ * CryptoManagerSettings
+ * @param certificate new X509 certificate data
+ * @return true if certificate data was saved to the file system otherwise
+ * returns false
+ */
+ bool SaveModuleCertificateToFile(X509* certificate) const;
/**
- * @brief Sets initial certificate datetime
+ * @brief Saves new private key data to file specified in
+ * CryptoManagerSettings
+ * @param key new private key data
+ * @return true if private key data was saved to the file system otherwise
+ * returns false
*/
- void InitCertExpTime();
+ bool SaveModuleKeyToFile(EVP_PKEY* key) const;
- const utils::SharedPtr<const CryptoManagerSettings> settings_;
+ const std::shared_ptr<const CryptoManagerSettings> settings_;
SSL_CTX* context_;
- mutable struct tm expiration_time_;
static uint32_t instance_count_;
static sync_primitives::Lock instance_lock_;
DISALLOW_COPY_AND_ASSIGN(CryptoManagerImpl);
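Review bot: `SaveModuleKeyToFile` and `SaveCertificateData` persist key material, yet their comments do not say with which permissions the file is created, whether the private key is written unencrypted, or whether an existing file is replaced atomically. I would add a line such as `@note The key file must be readable by the SDL process owner only; the write replaces any previous key.` once the definition confirms it. `LoadModuleCertificateFromFile()` and `LoadModulePrivateKeyFromFile()` return raw `X509*`/`EVP_PKEY*` with no ownership statement; if the caller owns the result, say so with `@note Caller must release the result with X509_free()` (and `EVP_PKEY_free()` for the key). `IsCertificateUpdateRequired(system_time, certificates_time)` and `AreForceProtectionSettingsCorrect()` are declared with no comment at all, and the former does not say which of the two `time_t` values is compared against `update_before_hours`. The class starts outside the hunk.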
diff --git a/src/components/security_manager/include/security_manager/crypto_manager_settings_impl.h b/src/components/security_manager/include/security_manager/crypto_manager_settings_impl.h
index 1e4699b77a..f20d3e4034 100644
--- a/src/components/security_manager/include/security_manager/crypto_manager_settings_impl.h
+++ b/src/components/security_manager/include/security_manager/crypto_manager_settings_impl.h
@@ -17,6 +17,7 @@ class CryptoManagerSettingsImpl : public CryptoManagerSettings {
return profile_.ssl_mode() == "SERVER" ? security_manager::SERVER
: security_manager::CLIENT;
}
+
Protocol security_manager_protocol_name() const OVERRIDE {
CREATE_LOGGERPTR_LOCAL(logger_, "SecurityManager")
@@ -33,33 +34,59 @@ class CryptoManagerSettingsImpl : public CryptoManagerSettings {
if (protocol_str == "SSLv3") {
return security_manager::SSLv3;
}
+ if (protocol_str == "DTLSv1.0") {
+ return security_manager::DTLSv1;
+ }
+
LOG4CXX_ERROR(
logger_,
"Unknown protocol: " << profile_.security_manager_protocol_name());
return static_cast<security_manager::Protocol>(-1);
}
+
bool verify_peer() const OVERRIDE {
return profile_.verify_peer();
}
+
const std::string& certificate_data() const OVERRIDE {
return certificate_data_;
}
+
const std::string& ciphers_list() const OVERRIDE {
return profile_.ciphers_list();
}
+
const std::string& ca_cert_path() const OVERRIDE {
return profile_.ca_cert_path();
}
+
+ const std::string& module_cert_path() const OVERRIDE {
+ return profile_.cert_path();
+ }
+
+ const std::string& module_key_path() const OVERRIDE {
+ return profile_.key_path();
+ }
+
size_t update_before_hours() const OVERRIDE {
return profile_.update_before_hours();
}
+
size_t maximum_payload_size() const OVERRIDE {
return profile_.maximum_payload_size();
}
+ const std::vector<int>& force_protected_service() const {
+ return profile_.force_protected_service();
+ }
+
+ const std::vector<int>& force_unprotected_service() const {
+ return profile_.force_unprotected_service();
+ }
+
private:
const profile::Profile& profile_;
const std::string certificate_data_;
};
-}
+} // namespace security_manager
#endif // SRC_COMPONENTS_SECURITY_MANAGER_INCLUDE_SECURITY_MANAGER_CRYPTO_MANAGER_SETTINGS_IMPL_H_
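Review bot: `force_protected_service()` and `force_unprotected_service()` are declared without `OVERRIDE`, unlike every other accessor in this class, including the `module_cert_path()` and `module_key_path()` added in the same hunk. If the base `CryptoManagerSettings` declares them (not visible here), mark them too, `const std::vector<int>& force_protected_service() const OVERRIDE {`, so that a signature mismatch is a compile error instead of a second, unrelated function. The header also uses `std::vector` without a visible `#include <vector>`. A blank line before `force_protected_service()` would match the spacing this hunk introduces between the other accessors. The class starts outside the hunk.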
diff --git a/src/components/security_manager/include/security_manager/security_manager_impl.h b/src/components/security_manager/include/security_manager/security_manager_impl.h
index 469b97d1e1..c53d39ba87 100644
--- a/src/components/security_manager/include/security_manager/security_manager_impl.h
+++ b/src/components/security_manager/include/security_manager/security_manager_impl.h
@@ -35,6 +35,8 @@
#include <list>
#include <string>
+#include <set>
+#include <memory>
#include "utils/macro.h"
#include "utils/message_queue.h"
@@ -44,6 +46,7 @@
#include "security_manager/security_query.h"
#include "protocol_handler/protocol_handler.h"
#include "protocol/common.h"
+#include "utils/system_time_handler.h"
namespace security_manager {
/**
@@ -67,12 +70,21 @@ typedef threads::MessageLoopThread<SecurityMessageQueue> SecurityMessageLoop;
* \brief SecurityManagerImpl class implements SecurityManager interface
*/
class SecurityManagerImpl : public SecurityManager,
- public SecurityMessageLoop::Handler {
+ public SecurityMessageLoop::Handler,
+ public utils::SystemTimeListener {
public:
/**
* \brief Constructor
+ * \param system_time_handler allows to work with system time.
*/
- SecurityManagerImpl();
+ explicit SecurityManagerImpl(
+ std::unique_ptr<utils::SystemTimeHandler>&& system_time_handler);
+
+ /**
+ * \brief Destructor
+ */
+ ~SecurityManagerImpl();
+
/**
* \brief Add received from Mobile Application message
* Overriden ProtocolObserver::OnMessageReceived method
@@ -131,9 +143,11 @@ class SecurityManagerImpl : public SecurityManager,
* Do not notify listeners, send security error on occure
* \param connection_key Unique key used by other components as session
* identifier
+ * @param cc_strategy - SSL context creation strategy
* @return new \c SSLContext or \c NULL on any error
*/
- SSLContext* CreateSSLContext(const uint32_t& connection_key) OVERRIDE;
+ SSLContext* CreateSSLContext(const uint32_t& connection_key,
+ ContextCreationStrategy cc_strategy) OVERRIDE;
/**
* \brief Start handshake as SSL client
@@ -141,16 +155,33 @@ class SecurityManagerImpl : public SecurityManager,
void StartHandshake(uint32_t connection_key) OVERRIDE;
/**
+ * @brief PostponeHandshake allows to postpone handshake. It notifies
+ * cryptomanager that certificate should be updated and adds specified
+ * connection key to the list of the certificate awaiting connections.
+ * @param connection_key the identifier for connection to postpone handshake.
+ */
+ void PostponeHandshake(const uint32_t connection_key) OVERRIDE;
+
+ /**
* @brief Checks whether certificate should be updated
+ * @param connection_key the connection identifier to check certificate for.
* @return true if certificate should be updated otherwise false
*/
- bool IsCertificateUpdateRequired() OVERRIDE;
+ bool IsCertificateUpdateRequired(const uint32_t connection_key) OVERRIDE;
+
+ /**
+ * @brief Checks whether system time ready notification
+ * was received from hmi
+ * @return true if received otherwise false
+ */
+ bool IsSystemTimeProviderReady() const OVERRIDE;
/**
* \brief Add/Remove for SecurityManagerListener
*/
void AddListener(SecurityManagerListener* const listener) OVERRIDE;
void RemoveListener(SecurityManagerListener* const listener) OVERRIDE;
+
/**
* \brief Notifiers for listeners
* \param connection_key Unique key used by other components as session
@@ -164,13 +195,12 @@ class SecurityManagerImpl : public SecurityManager,
* @brief Notifiers for listeners.
* Allows to notify that certificate should be updated
*/
- DEPRECATED void NotifyOnCertififcateUpdateRequired();
+ void NotifyOnCertificateUpdateRequired() OVERRIDE;
/**
- * @brief Notifiers for listeners.
- * Allows to notify that certificate should be updated
+ * @brief Notify all listeners that handshake was failed
*/
- void NotifyOnCertificateUpdateRequired() OVERRIDE;
+ void NotifyListenersOnHandshakeFailed() OVERRIDE;
/**
* @brief Check is policy certificate data is empty
@@ -217,6 +247,39 @@ class SecurityManagerImpl : public SecurityManager,
*/
void SendQuery(const SecurityQuery& query, const uint32_t connection_key);
+ /**
+ * @brief OnCertificateUpdated allows to obtain notification when certificate
+ * has been updated with policy table update. Pass this certificate to crypto
+ * manager for further processing. Also process postopnes handshake for the
+ * certain connection key.
+ *
+ * @param data the certificates content.
+ * @return always true.
+ */
+ bool OnCertificateUpdated(const std::string& data) OVERRIDE;
+
+ /**
+ * @brief ResumeHandshake allows to resume handshake after certificate has
+ * been updated.
+ * @param connection_key the connection identifier to start handshake.
+ */
+ void ResumeHandshake(uint32_t connection_key);
+
+ /**
+ * @brief ProceedHandshake starts the handshake process.
+ * @param ssl_context ssl context for the handshake. COntains certificate,
+ * keys, etc.
+ * @param connection_key the connection identifier to process handshake.
+ */
+ void ProceedHandshake(SSLContext* ssl_context, uint32_t connection_key);
+
+ /**
+ * @brief OnSystemTimeArrived method which notifies
+ * crypto manager with updated time in order to check certificate validity
+ * @param utc_time the current system time.
+ */
+ void OnSystemTimeArrived(const time_t utc_time) OVERRIDE;
+
// Thread that pumps handshake data
SecurityMessageLoop security_messages_;
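Review bot: `OnCertificateUpdated` is documented as `@return always true`, which gives the caller no way to learn that the crypto manager rejected the new certificate data; postponed handshakes would then presumably resume against the old certificate. I would return the crypto manager's result and document it as `@return true if the certificate was accepted by the crypto manager, otherwise false`, provided the interface allows it (the definition and the base declaration are outside this hunk). The same comment has the typo "postopnes" (postponed), and the `ProceedHandshake` comment has "COntains". The `ProceedHandshake` comment should also say whether `ssl_context` may be NULL.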
@@ -235,7 +298,17 @@ class SecurityManagerImpl : public SecurityManager,
/**
*\brief List of listeners for notify handshake done result
*/
+
std::list<SecurityManagerListener*> listeners_;
+
+ std::unique_ptr<utils::SystemTimeHandler> system_time_handler_;
+ sync_primitives::Lock connections_lock_;
+ std::set<uint32_t> awaiting_certificate_connections_;
+ std::set<uint32_t> awaiting_time_connections_;
+
+ mutable sync_primitives::Lock waiters_lock_;
+ volatile bool waiting_for_certificate_;
+ volatile bool waiting_for_time_;
DISALLOW_COPY_AND_ASSIGN(SecurityManagerImpl);
};
} // namespace security_manager
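Review bot: `waiting_for_certificate_` and `waiting_for_time_` are declared `volatile bool`, and `volatile` provides neither atomicity nor ordering between threads. If they are only touched while `waiters_lock_` is held, declare them as plain `bool waiting_for_certificate_;  // guarded by waiters_lock_`; if they are read without the lock, use `std::atomic<bool>` instead. The new members have no comments saying which lock protects `awaiting_certificate_connections_` and `awaiting_time_connections_`, so a line such as `// connections_lock_ guards both awaiting_* sets` is worth adding if that is the intent. The blank line inserted after the `List of listeners` comment detaches that Doxygen block from `listeners_`.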