/************************************************************** * * Licensed to the Apache Software Foundation (ASF) under one * or more contributor license agreements. See the NOTICE file * distributed with this work for additional information * regarding copyright ownership. The ASF licenses this file * to you under the Apache License, Version 2.0 (the * "License"); you may not use this file except in compliance * with the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, * software distributed under the License is distributed on an * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY * KIND, either express or implied. See the License for the * specific language governing permissions and limitations * under the License. * *************************************************************/ // MARKER(update_precomp.py): autogen include statement, do not remove #include "precompiled_xmlsecurity.hxx" #include #include #include "x509certificate_mscryptimpl.hxx" #include "certificateextension_xmlsecimpl.hxx" #include "sanextension_mscryptimpl.hxx" //MM : added by MM #include "oid.hxx" //MM : end //CP : added by CP #include #include #include #include //CP : end using namespace ::com::sun::star::uno ; using namespace ::com::sun::star::security ; using ::rtl::OUString ; using ::com::sun::star::security::XCertificate ; using ::com::sun::star::util::DateTime ; #define OUSTR(x) ::rtl::OUString( RTL_CONSTASCII_USTRINGPARAM(x) ) /*Resturns the index withing rRawString where sTypeName starts and where it ends. The starting index is pair.first. The ending index in pair.second points one char after the last character of the type. sTypeName can be "S" or "CN" (without ""). Do not use spaces at the beginning of the type name. If the type name is not found then pair.first and pair.second are -1. */ std::pair< sal_Int32, sal_Int32 > findTypeInDN(const OUString& rRawString, const OUString& sTypeName) { std::pair< sal_Int32, sal_Int32 > retVal; bool bInEscape = false; bool bInValue = false; bool bFound = false; sal_Int32 nTypeNameStart = 0; sal_Int32 length = rRawString.getLength(); for (sal_Int32 i = 0; i < length; i++) { sal_Unicode c = rRawString[i]; if (c == '=') { if (! bInValue) { OUString sType = rRawString.copy(nTypeNameStart, i - nTypeNameStart); sType = sType.trim(); if (sType.equalsIgnoreAsciiCase(sTypeName)) { bFound = true; break; } } } else if (c == '"') { if (!bInEscape) { //If this is the quote is the first of the couple which enclose the //whole value, because the value contains special characters //then we just drop it. That is, this character must be followed by //a character which is not '"'. if ( i + 1 < length && rRawString[i+1] == '"') bInEscape = true; else bInValue = !bInValue; //value is enclosed in " " } else { //This quote is escaped by a preceding quote and therefore is //part of the value bInEscape = false; } } else if (c == ',' || c == '+') { //The comma separate the attribute value pairs. //If the comma is not part of a value (the value would then be enclosed in '"'), //then we have reached the end of the value if (!bInValue) { //The next char is the start of the new type nTypeNameStart = i + 1; } } } //Found the Type Name, but there can still be spaces after the last comma //and the beginning of the type. if (bFound) { while (true) { sal_Unicode c = rRawString[nTypeNameStart]; if (c != ' ' && c != '\t') //found break; nTypeNameStart ++; } // search end (one after last letter) sal_Int32 nTypeNameEnd = nTypeNameStart; nTypeNameEnd++; while (true) { sal_Unicode c = rRawString[nTypeNameEnd]; if (c == ' ' || c == '\t' || c == '=') break; nTypeNameEnd++; } retVal = std::make_pair(nTypeNameStart, nTypeNameEnd); } else { retVal = std::make_pair(-1, -1); } return retVal; } /* MS Crypto uses the 'S' tag (equal to the 'ST' tag in NSS), but the NSS can't recognise it, so the 'S' tag should be changed to 'ST' tag. However I am not sure if this is necessary anymore, because we provide always the signers certificate when signing. So libmlsec can find the private key based on the provided certificate (X509Certificate element) and does not need the issuer name (X509IssuerName element). The issuer name in the xml signature has also no effect for the signature nor the certificate validation. In many RFCs, for example 4519, on speaks of 'ST'. However, the certificate does not contain strings for type names. Instead it uses OIDs. */ OUString replaceTagSWithTagST(OUString oldDN) { std::pair pairIndex = findTypeInDN(oldDN, OUSTR("S")); if (pairIndex.first != -1) { OUString newDN = oldDN.copy(0, pairIndex.first); newDN += OUSTR("ST"); newDN += oldDN.copy(pairIndex.second); return newDN; } return oldDN; } /* end */ X509Certificate_MSCryptImpl :: X509Certificate_MSCryptImpl() : m_pCertContext( NULL ) { } X509Certificate_MSCryptImpl :: ~X509Certificate_MSCryptImpl() { if( m_pCertContext != NULL ) { CertFreeCertificateContext( m_pCertContext ) ; } } //Methods from XCertificate sal_Int16 SAL_CALL X509Certificate_MSCryptImpl :: getVersion() throw ( ::com::sun::star::uno::RuntimeException) { if( m_pCertContext != NULL && m_pCertContext->pCertInfo != NULL ) { return ( char )m_pCertContext->pCertInfo->dwVersion ; } else { return -1 ; } } ::com::sun::star::uno::Sequence< sal_Int8 > SAL_CALL X509Certificate_MSCryptImpl :: getSerialNumber() throw ( ::com::sun::star::uno::RuntimeException) { if( m_pCertContext != NULL && m_pCertContext->pCertInfo != NULL ) { Sequence< sal_Int8 > serial( m_pCertContext->pCertInfo->SerialNumber.cbData ) ; for( unsigned int i = 0 ; i < m_pCertContext->pCertInfo->SerialNumber.cbData ; i ++ ) serial[i] = *( m_pCertContext->pCertInfo->SerialNumber.pbData + m_pCertContext->pCertInfo->SerialNumber.cbData - i - 1 ) ; return serial ; } else { return Sequence< sal_Int8 >(); } } ::rtl::OUString SAL_CALL X509Certificate_MSCryptImpl :: getIssuerName() throw ( ::com::sun::star::uno::RuntimeException) { if( m_pCertContext != NULL && m_pCertContext->pCertInfo != NULL ) { char* issuer ; DWORD cbIssuer ; cbIssuer = CertNameToStr( X509_ASN_ENCODING | PKCS_7_ASN_ENCODING , &( m_pCertContext->pCertInfo->Issuer ), CERT_X500_NAME_STR | CERT_NAME_STR_REVERSE_FLAG , NULL, 0 ) ; // Here the cbIssuer count the last 0x00 , take care. if( cbIssuer != 0 ) { issuer = new char[ cbIssuer ] ; if( issuer == NULL ) throw RuntimeException() ; cbIssuer = CertNameToStr( X509_ASN_ENCODING | PKCS_7_ASN_ENCODING , &( m_pCertContext->pCertInfo->Issuer ), CERT_X500_NAME_STR | CERT_NAME_STR_REVERSE_FLAG , issuer, cbIssuer ) ; if( cbIssuer <= 0 ) { delete [] issuer ; throw RuntimeException() ; } // By CP , for correct encoding sal_uInt16 encoding ; rtl_Locale *pLocale = NULL ; osl_getProcessLocale( &pLocale ) ; encoding = osl_getTextEncodingFromLocale( pLocale ) ; // CP end if(issuer[cbIssuer-1] == 0) cbIssuer--; //delimit the last 0x00; OUString xIssuer(issuer , cbIssuer ,encoding ) ; //By CP delete [] issuer ; return replaceTagSWithTagST(xIssuer); } else { return OUString() ; } } else { return OUString() ; } } ::rtl::OUString SAL_CALL X509Certificate_MSCryptImpl :: getSubjectName() throw ( ::com::sun::star::uno::RuntimeException) { if( m_pCertContext != NULL && m_pCertContext->pCertInfo != NULL ) { wchar_t* subject ; DWORD cbSubject ; cbSubject = CertNameToStrW( X509_ASN_ENCODING | PKCS_7_ASN_ENCODING , &( m_pCertContext->pCertInfo->Subject ), CERT_X500_NAME_STR | CERT_NAME_STR_REVERSE_FLAG , NULL, 0 ) ; if( cbSubject != 0 ) { subject = new wchar_t[ cbSubject ] ; if( subject == NULL ) throw RuntimeException() ; cbSubject = CertNameToStrW( X509_ASN_ENCODING | PKCS_7_ASN_ENCODING , &( m_pCertContext->pCertInfo->Subject ), CERT_X500_NAME_STR | CERT_NAME_STR_REVERSE_FLAG , subject, cbSubject ) ; if( cbSubject <= 0 ) { delete [] subject ; throw RuntimeException() ; } OUString xSubject(reinterpret_cast(subject)); delete [] subject ; return replaceTagSWithTagST(xSubject); } else { return OUString() ; } } else { return OUString() ; } } ::com::sun::star::util::DateTime SAL_CALL X509Certificate_MSCryptImpl :: getNotValidBefore() throw ( ::com::sun::star::uno::RuntimeException ) { if( m_pCertContext != NULL && m_pCertContext->pCertInfo != NULL ) { SYSTEMTIME explTime ; DateTime dateTime ; FILETIME localFileTime; if (FileTimeToLocalFileTime(&( m_pCertContext->pCertInfo->NotBefore ), &localFileTime)) { if( FileTimeToSystemTime( &localFileTime, &explTime ) ) { //Convert the time to readable local time dateTime.HundredthSeconds = explTime.wMilliseconds / 100 ; dateTime.Seconds = explTime.wSecond ; dateTime.Minutes = explTime.wMinute ; dateTime.Hours = explTime.wHour ; dateTime.Day = explTime.wDay ; dateTime.Month = explTime.wMonth ; dateTime.Year = explTime.wYear ; } } return dateTime ; } else { return DateTime() ; } } ::com::sun::star::util::DateTime SAL_CALL X509Certificate_MSCryptImpl :: getNotValidAfter() throw ( ::com::sun::star::uno::RuntimeException) { if( m_pCertContext != NULL && m_pCertContext->pCertInfo != NULL ) { SYSTEMTIME explTime ; DateTime dateTime ; FILETIME localFileTime; if (FileTimeToLocalFileTime(&( m_pCertContext->pCertInfo->NotAfter ), &localFileTime)) { if( FileTimeToSystemTime( &localFileTime, &explTime ) ) { //Convert the time to readable local time dateTime.HundredthSeconds = explTime.wMilliseconds / 100 ; dateTime.Seconds = explTime.wSecond ; dateTime.Minutes = explTime.wMinute ; dateTime.Hours = explTime.wHour ; dateTime.Day = explTime.wDay ; dateTime.Month = explTime.wMonth ; dateTime.Year = explTime.wYear ; } } return dateTime ; } else { return DateTime() ; } } ::com::sun::star::uno::Sequence< sal_Int8 > SAL_CALL X509Certificate_MSCryptImpl :: getIssuerUniqueID() throw ( ::com::sun::star::uno::RuntimeException) { if( m_pCertContext != NULL && m_pCertContext->pCertInfo != NULL ) { Sequence< sal_Int8 > issuerUid( m_pCertContext->pCertInfo->IssuerUniqueId.cbData ) ; for( unsigned int i = 0 ; i < m_pCertContext->pCertInfo->IssuerUniqueId.cbData; i ++ ) issuerUid[i] = *( m_pCertContext->pCertInfo->IssuerUniqueId.pbData + i ) ; return issuerUid ; } else { return Sequence< sal_Int8 >(); } } ::com::sun::star::uno::Sequence< sal_Int8 > SAL_CALL X509Certificate_MSCryptImpl :: getSubjectUniqueID() throw ( ::com::sun::star::uno::RuntimeException ) { if( m_pCertContext != NULL && m_pCertContext->pCertInfo != NULL ) { Sequence< sal_Int8 > subjectUid( m_pCertContext->pCertInfo->SubjectUniqueId.cbData ) ; for( unsigned int i = 0 ; i < m_pCertContext->pCertInfo->SubjectUniqueId.cbData; i ++ ) subjectUid[i] = *( m_pCertContext->pCertInfo->SubjectUniqueId.pbData + i ) ; return subjectUid ; } else { return Sequence< sal_Int8 >(); } } ::com::sun::star::uno::Sequence< ::com::sun::star::uno::Reference< ::com::sun::star::security::XCertificateExtension > > SAL_CALL X509Certificate_MSCryptImpl :: getExtensions() throw ( ::com::sun::star::uno::RuntimeException ) { if( m_pCertContext != NULL && m_pCertContext->pCertInfo != NULL && m_pCertContext->pCertInfo->cExtension != 0 ) { CertificateExtension_XmlSecImpl* xExtn ; CERT_EXTENSION* pExtn ; Sequence< Reference< XCertificateExtension > > xExtns( m_pCertContext->pCertInfo->cExtension ) ; for( unsigned int i = 0; i < m_pCertContext->pCertInfo->cExtension; i++ ) { pExtn = &(m_pCertContext->pCertInfo->rgExtension[i]) ; ::rtl::OUString objId = ::rtl::OUString::createFromAscii( pExtn->pszObjId ); if ( objId.equalsAscii("2.5.29.17") ) xExtn = (CertificateExtension_XmlSecImpl*) new SanExtensionImpl() ; else xExtn = new CertificateExtension_XmlSecImpl() ; if( xExtn == NULL ) throw RuntimeException() ; xExtn->setCertExtn( pExtn->Value.pbData, pExtn->Value.cbData, ( unsigned char* )pExtn->pszObjId, strlen( pExtn->pszObjId ), sal::static_int_cast(pExtn->fCritical) ) ; xExtns[i] = xExtn ; } return xExtns ; } else { return Sequence< Reference< XCertificateExtension > >(); } } ::com::sun::star::uno::Reference< ::com::sun::star::security::XCertificateExtension > SAL_CALL X509Certificate_MSCryptImpl :: findCertificateExtension( const ::com::sun::star::uno::Sequence< sal_Int8 >& /*oid*/ ) throw (::com::sun::star::uno::RuntimeException) { if( m_pCertContext != NULL && m_pCertContext->pCertInfo != NULL && m_pCertContext->pCertInfo->cExtension != 0 ) { CertificateExtension_XmlSecImpl* xExtn ; CERT_EXTENSION* pExtn ; Sequence< Reference< XCertificateExtension > > xExtns( m_pCertContext->pCertInfo->cExtension ) ; xExtn = NULL ; for( unsigned int i = 0; i < m_pCertContext->pCertInfo->cExtension; i++ ) { pExtn = &( m_pCertContext->pCertInfo->rgExtension[i] ) ; //TODO: Compare the oid if( 0 ) { xExtn = new CertificateExtension_XmlSecImpl() ; if( xExtn == NULL ) throw RuntimeException() ; xExtn->setCertExtn( pExtn->Value.pbData, pExtn->Value.cbData, ( unsigned char* )pExtn->pszObjId, strlen( pExtn->pszObjId ), sal::static_int_cast(pExtn->fCritical) ) ; } } return xExtn ; } else { return NULL ; } } ::com::sun::star::uno::Sequence< sal_Int8 > SAL_CALL X509Certificate_MSCryptImpl :: getEncoded() throw ( ::com::sun::star::uno::RuntimeException) { if( m_pCertContext != NULL && m_pCertContext->cbCertEncoded > 0 ) { Sequence< sal_Int8 > rawCert( m_pCertContext->cbCertEncoded ) ; for( unsigned int i = 0 ; i < m_pCertContext->cbCertEncoded ; i ++ ) rawCert[i] = *( m_pCertContext->pbCertEncoded + i ) ; return rawCert ; } else { return Sequence< sal_Int8 >(); } } //Helper methods void X509Certificate_MSCryptImpl :: setMswcryCert( const CERT_CONTEXT* cert ) { if( m_pCertContext != NULL ) { CertFreeCertificateContext( m_pCertContext ) ; m_pCertContext = NULL ; } if( cert != NULL ) { m_pCertContext = CertDuplicateCertificateContext( cert ) ; } } const CERT_CONTEXT* X509Certificate_MSCryptImpl :: getMswcryCert() const { if( m_pCertContext != NULL ) { return m_pCertContext ; } else { return NULL ; } } void X509Certificate_MSCryptImpl :: setRawCert( Sequence< sal_Int8 > rawCert ) throw ( ::com::sun::star::uno::RuntimeException) { if( m_pCertContext != NULL ) { CertFreeCertificateContext( m_pCertContext ) ; m_pCertContext = NULL ; } if( rawCert.getLength() != 0 ) { m_pCertContext = CertCreateCertificateContext( X509_ASN_ENCODING, ( const sal_uInt8* )&rawCert[0], rawCert.getLength() ) ; } } /* XUnoTunnel */ sal_Int64 SAL_CALL X509Certificate_MSCryptImpl :: getSomething( const Sequence< sal_Int8 >& aIdentifier ) throw( RuntimeException ) { if( aIdentifier.getLength() == 16 && 0 == rtl_compareMemory( getUnoTunnelId().getConstArray(), aIdentifier.getConstArray(), 16 ) ) { return ( sal_Int64 )this ; } return 0 ; } /* XUnoTunnel extension */ const Sequence< sal_Int8>& X509Certificate_MSCryptImpl :: getUnoTunnelId() { static Sequence< sal_Int8 >* pSeq = 0 ; if( !pSeq ) { ::osl::Guard< ::osl::Mutex > aGuard( ::osl::Mutex::getGlobalMutex() ) ; if( !pSeq ) { static Sequence< sal_Int8> aSeq( 16 ) ; rtl_createUuid( ( sal_uInt8* )aSeq.getArray() , 0 , sal_True ) ; pSeq = &aSeq ; } } return *pSeq ; } /* XUnoTunnel extension */ X509Certificate_MSCryptImpl* X509Certificate_MSCryptImpl :: getImplementation( const Reference< XInterface > xObj ) { Reference< XUnoTunnel > xUT( xObj , UNO_QUERY ) ; if( xUT.is() ) { return ( X509Certificate_MSCryptImpl* )xUT->getSomething( getUnoTunnelId() ) ; } else return NULL ; } // MM : added by MM ::rtl::OUString findOIDDescription(char *oid) { OUString ouOID = OUString::createFromAscii( oid ); for (int i=0; i getThumbprint(const CERT_CONTEXT* pCertContext, DWORD dwPropId) { if( pCertContext != NULL ) { DWORD cbData = 20; unsigned char fingerprint[20]; if (CertGetCertificateContextProperty(pCertContext, dwPropId, (void*)fingerprint, &cbData)) { Sequence< sal_Int8 > thumbprint( cbData ) ; for( unsigned int i = 0 ; i < cbData ; i ++ ) { thumbprint[i] = fingerprint[i]; } return thumbprint; } else { DWORD e = GetLastError(); cbData = e; } } return Sequence< sal_Int8 >(); } ::rtl::OUString SAL_CALL X509Certificate_MSCryptImpl::getSubjectPublicKeyAlgorithm() throw ( ::com::sun::star::uno::RuntimeException) { if( m_pCertContext != NULL && m_pCertContext->pCertInfo != NULL ) { CRYPT_ALGORITHM_IDENTIFIER algorithm = m_pCertContext->pCertInfo->SubjectPublicKeyInfo.Algorithm; return findOIDDescription( algorithm.pszObjId ) ; } else { return OUString() ; } } ::com::sun::star::uno::Sequence< sal_Int8 > SAL_CALL X509Certificate_MSCryptImpl::getSubjectPublicKeyValue() throw ( ::com::sun::star::uno::RuntimeException) { if( m_pCertContext != NULL && m_pCertContext->pCertInfo != NULL ) { CRYPT_BIT_BLOB publicKey = m_pCertContext->pCertInfo->SubjectPublicKeyInfo.PublicKey; Sequence< sal_Int8 > key( publicKey.cbData ) ; for( unsigned int i = 0 ; i < publicKey.cbData ; i++ ) { key[i] = *(publicKey.pbData + i) ; } return key; } else { return Sequence< sal_Int8 >(); } } ::rtl::OUString SAL_CALL X509Certificate_MSCryptImpl::getSignatureAlgorithm() throw ( ::com::sun::star::uno::RuntimeException) { if( m_pCertContext != NULL && m_pCertContext->pCertInfo != NULL ) { CRYPT_ALGORITHM_IDENTIFIER algorithm = m_pCertContext->pCertInfo->SignatureAlgorithm; return findOIDDescription( algorithm.pszObjId ) ; } else { return OUString() ; } } ::com::sun::star::uno::Sequence< sal_Int8 > SAL_CALL X509Certificate_MSCryptImpl::getSHA1Thumbprint() throw ( ::com::sun::star::uno::RuntimeException) { return getThumbprint(m_pCertContext, CERT_SHA1_HASH_PROP_ID); } ::com::sun::star::uno::Sequence< sal_Int8 > SAL_CALL X509Certificate_MSCryptImpl::getMD5Thumbprint() throw ( ::com::sun::star::uno::RuntimeException) { return getThumbprint(m_pCertContext, CERT_MD5_HASH_PROP_ID); } sal_Int32 SAL_CALL X509Certificate_MSCryptImpl::getCertificateUsage( ) throw ( ::com::sun::star::uno::RuntimeException) { sal_Int32 usage = CERT_DATA_ENCIPHERMENT_KEY_USAGE | CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_KEY_AGREEMENT_KEY_USAGE | CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_KEY_ENCIPHERMENT_KEY_USAGE | CERT_NON_REPUDIATION_KEY_USAGE | CERT_OFFLINE_CRL_SIGN_KEY_USAGE; if( m_pCertContext != NULL && m_pCertContext->pCertInfo != NULL && m_pCertContext->pCertInfo->cExtension != 0 ) { CERT_EXTENSION* pExtn = CertFindExtension( szOID_KEY_USAGE, m_pCertContext->pCertInfo->cExtension, m_pCertContext->pCertInfo->rgExtension); if (pExtn != NULL) { CERT_KEY_USAGE_RESTRICTION_INFO keyUsage; DWORD length = sizeof(CERT_KEY_USAGE_RESTRICTION_INFO); bool rc = CryptDecodeObject( X509_ASN_ENCODING, X509_KEY_USAGE, pExtn->Value.pbData, pExtn->Value.cbData, CRYPT_DECODE_NOCOPY_FLAG, (void *)&keyUsage, &length); if (rc && keyUsage.RestrictedKeyUsage.cbData!=0) { usage = (sal_Int32)keyUsage.RestrictedKeyUsage.pbData; } } } return usage; } // MM : end