1*b1cdbd2cSJim Jagielski /**************************************************************
2*b1cdbd2cSJim Jagielski *
3*b1cdbd2cSJim Jagielski * Licensed to the Apache Software Foundation (ASF) under one
4*b1cdbd2cSJim Jagielski * or more contributor license agreements. See the NOTICE file
5*b1cdbd2cSJim Jagielski * distributed with this work for additional information
6*b1cdbd2cSJim Jagielski * regarding copyright ownership. The ASF licenses this file
7*b1cdbd2cSJim Jagielski * to you under the Apache License, Version 2.0 (the
8*b1cdbd2cSJim Jagielski * "License"); you may not use this file except in compliance
9*b1cdbd2cSJim Jagielski * with the License. You may obtain a copy of the License at
10*b1cdbd2cSJim Jagielski *
11*b1cdbd2cSJim Jagielski * http://www.apache.org/licenses/LICENSE-2.0
12*b1cdbd2cSJim Jagielski *
13*b1cdbd2cSJim Jagielski * Unless required by applicable law or agreed to in writing,
14*b1cdbd2cSJim Jagielski * software distributed under the License is distributed on an
15*b1cdbd2cSJim Jagielski * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
16*b1cdbd2cSJim Jagielski * KIND, either express or implied. See the License for the
17*b1cdbd2cSJim Jagielski * specific language governing permissions and limitations
18*b1cdbd2cSJim Jagielski * under the License.
19*b1cdbd2cSJim Jagielski *
20*b1cdbd2cSJim Jagielski *************************************************************/
21*b1cdbd2cSJim Jagielski
22*b1cdbd2cSJim Jagielski
23*b1cdbd2cSJim Jagielski
24*b1cdbd2cSJim Jagielski
25*b1cdbd2cSJim Jagielski // MARKER(update_precomp.py): autogen include statement, do not remove
26*b1cdbd2cSJim Jagielski #include "precompiled_xmlsecurity.hxx"
27*b1cdbd2cSJim Jagielski
28*b1cdbd2cSJim Jagielski //todo before commit: nssrenam.h is not delivered!!!
29*b1cdbd2cSJim Jagielski #ifndef __nssrenam_h_
30*b1cdbd2cSJim Jagielski #define CERT_NewTempCertificate __CERT_NewTempCertificate
31*b1cdbd2cSJim Jagielski #endif /* __nssrenam_h_ */
32*b1cdbd2cSJim Jagielski
33*b1cdbd2cSJim Jagielski #include "cert.h"
34*b1cdbd2cSJim Jagielski #include "secerr.h"
35*b1cdbd2cSJim Jagielski #include "ocsp.h"
36*b1cdbd2cSJim Jagielski
37*b1cdbd2cSJim Jagielski #include <sal/config.h>
38*b1cdbd2cSJim Jagielski #include "securityenvironment_nssimpl.hxx"
39*b1cdbd2cSJim Jagielski #include "x509certificate_nssimpl.hxx"
40*b1cdbd2cSJim Jagielski #include <rtl/uuid.h>
41*b1cdbd2cSJim Jagielski #include "../diagnose.hxx"
42*b1cdbd2cSJim Jagielski
43*b1cdbd2cSJim Jagielski #include <sal/types.h>
44*b1cdbd2cSJim Jagielski //For reasons that escape me, this is what xmlsec does when size_t is not 4
45*b1cdbd2cSJim Jagielski #if SAL_TYPES_SIZEOFPOINTER != 4
46*b1cdbd2cSJim Jagielski # define XMLSEC_NO_SIZE_T
47*b1cdbd2cSJim Jagielski #endif
48*b1cdbd2cSJim Jagielski #include <xmlsec/xmlsec.h>
49*b1cdbd2cSJim Jagielski #include <xmlsec/keysmngr.h>
50*b1cdbd2cSJim Jagielski #include <xmlsec/crypto.h>
51*b1cdbd2cSJim Jagielski #include <xmlsec/base64.h>
52*b1cdbd2cSJim Jagielski #include <xmlsec/strings.h>
53*b1cdbd2cSJim Jagielski
54*b1cdbd2cSJim Jagielski #include <tools/string.hxx>
55*b1cdbd2cSJim Jagielski #include <rtl/ustrbuf.hxx>
56*b1cdbd2cSJim Jagielski #include <comphelper/processfactory.hxx>
57*b1cdbd2cSJim Jagielski #include <cppuhelper/servicefactory.hxx>
58*b1cdbd2cSJim Jagielski #include <comphelper/docpasswordrequest.hxx>
59*b1cdbd2cSJim Jagielski #include <xmlsecurity/biginteger.hxx>
60*b1cdbd2cSJim Jagielski #include <rtl/logfile.h>
61*b1cdbd2cSJim Jagielski #include <com/sun/star/task/XInteractionHandler.hpp>
62*b1cdbd2cSJim Jagielski #include <vector>
63*b1cdbd2cSJim Jagielski #include "boost/scoped_array.hpp"
64*b1cdbd2cSJim Jagielski
65*b1cdbd2cSJim Jagielski #include "secerror.hxx"
66*b1cdbd2cSJim Jagielski
67*b1cdbd2cSJim Jagielski // MM : added for password exception
68*b1cdbd2cSJim Jagielski #include <com/sun/star/security/NoPasswordException.hpp>
69*b1cdbd2cSJim Jagielski namespace csss = ::com::sun::star::security;
70*b1cdbd2cSJim Jagielski using namespace xmlsecurity;
71*b1cdbd2cSJim Jagielski using namespace ::com::sun::star::security;
72*b1cdbd2cSJim Jagielski using namespace com::sun::star;
73*b1cdbd2cSJim Jagielski using namespace ::com::sun::star::uno ;
74*b1cdbd2cSJim Jagielski using namespace ::com::sun::star::lang ;
75*b1cdbd2cSJim Jagielski using ::com::sun::star::lang::XMultiServiceFactory ;
76*b1cdbd2cSJim Jagielski using ::com::sun::star::lang::XSingleServiceFactory ;
77*b1cdbd2cSJim Jagielski using ::rtl::OUString ;
78*b1cdbd2cSJim Jagielski
79*b1cdbd2cSJim Jagielski using ::com::sun::star::xml::crypto::XSecurityEnvironment ;
80*b1cdbd2cSJim Jagielski using ::com::sun::star::security::XCertificate ;
81*b1cdbd2cSJim Jagielski
82*b1cdbd2cSJim Jagielski extern X509Certificate_NssImpl* NssCertToXCert( CERTCertificate* cert ) ;
83*b1cdbd2cSJim Jagielski extern X509Certificate_NssImpl* NssPrivKeyToXCert( SECKEYPrivateKey* ) ;
84*b1cdbd2cSJim Jagielski
85*b1cdbd2cSJim Jagielski
86*b1cdbd2cSJim Jagielski struct UsageDescription
87*b1cdbd2cSJim Jagielski {
88*b1cdbd2cSJim Jagielski SECCertificateUsage usage;
89*b1cdbd2cSJim Jagielski char const* description;
90*b1cdbd2cSJim Jagielski
UsageDescriptionUsageDescription91*b1cdbd2cSJim Jagielski UsageDescription()
92*b1cdbd2cSJim Jagielski : usage( certificateUsageCheckAllUsages )
93*b1cdbd2cSJim Jagielski , description( NULL )
94*b1cdbd2cSJim Jagielski {}
95*b1cdbd2cSJim Jagielski
UsageDescriptionUsageDescription96*b1cdbd2cSJim Jagielski UsageDescription( SECCertificateUsage i_usage, char const* i_description )
97*b1cdbd2cSJim Jagielski : usage( i_usage )
98*b1cdbd2cSJim Jagielski , description( i_description )
99*b1cdbd2cSJim Jagielski {}
100*b1cdbd2cSJim Jagielski
UsageDescriptionUsageDescription101*b1cdbd2cSJim Jagielski UsageDescription( const UsageDescription& aDescription )
102*b1cdbd2cSJim Jagielski : usage( aDescription.usage )
103*b1cdbd2cSJim Jagielski , description( aDescription.description )
104*b1cdbd2cSJim Jagielski {}
105*b1cdbd2cSJim Jagielski
operator =UsageDescription106*b1cdbd2cSJim Jagielski UsageDescription& operator =( const UsageDescription& aDescription )
107*b1cdbd2cSJim Jagielski {
108*b1cdbd2cSJim Jagielski usage = aDescription.usage;
109*b1cdbd2cSJim Jagielski description = aDescription.description;
110*b1cdbd2cSJim Jagielski return *this;
111*b1cdbd2cSJim Jagielski }
112*b1cdbd2cSJim Jagielski };
113*b1cdbd2cSJim Jagielski
114*b1cdbd2cSJim Jagielski
115*b1cdbd2cSJim Jagielski
GetPasswordFunction(PK11SlotInfo * pSlot,PRBool bRetry,void *)116*b1cdbd2cSJim Jagielski char* GetPasswordFunction( PK11SlotInfo* pSlot, PRBool bRetry, void* /*arg*/ )
117*b1cdbd2cSJim Jagielski {
118*b1cdbd2cSJim Jagielski uno::Reference< lang::XMultiServiceFactory > xMSF( ::comphelper::getProcessServiceFactory() );
119*b1cdbd2cSJim Jagielski if ( xMSF.is() )
120*b1cdbd2cSJim Jagielski {
121*b1cdbd2cSJim Jagielski uno::Reference < task::XInteractionHandler > xInteractionHandler(
122*b1cdbd2cSJim Jagielski xMSF->createInstance( rtl::OUString::createFromAscii("com.sun.star.task.InteractionHandler") ), uno::UNO_QUERY );
123*b1cdbd2cSJim Jagielski
124*b1cdbd2cSJim Jagielski if ( xInteractionHandler.is() )
125*b1cdbd2cSJim Jagielski {
126*b1cdbd2cSJim Jagielski task::PasswordRequestMode eMode = bRetry ? task::PasswordRequestMode_PASSWORD_REENTER : task::PasswordRequestMode_PASSWORD_ENTER;
127*b1cdbd2cSJim Jagielski ::comphelper::DocPasswordRequest* pPasswordRequest = new ::comphelper::DocPasswordRequest(
128*b1cdbd2cSJim Jagielski ::comphelper::DocPasswordRequestType_STANDARD, eMode, ::rtl::OUString::createFromAscii(PK11_GetTokenName(pSlot)) );
129*b1cdbd2cSJim Jagielski
130*b1cdbd2cSJim Jagielski uno::Reference< task::XInteractionRequest > xRequest( pPasswordRequest );
131*b1cdbd2cSJim Jagielski xInteractionHandler->handle( xRequest );
132*b1cdbd2cSJim Jagielski
133*b1cdbd2cSJim Jagielski if ( pPasswordRequest->isPassword() )
134*b1cdbd2cSJim Jagielski {
135*b1cdbd2cSJim Jagielski ByteString aPassword = ByteString( String( pPasswordRequest->getPassword() ), gsl_getSystemTextEncoding() );
136*b1cdbd2cSJim Jagielski sal_uInt16 nLen = aPassword.Len();
137*b1cdbd2cSJim Jagielski char* pPassword = (char*) PORT_Alloc( nLen+1 ) ;
138*b1cdbd2cSJim Jagielski pPassword[nLen] = 0;
139*b1cdbd2cSJim Jagielski memcpy( pPassword, aPassword.GetBuffer(), nLen );
140*b1cdbd2cSJim Jagielski return pPassword;
141*b1cdbd2cSJim Jagielski }
142*b1cdbd2cSJim Jagielski }
143*b1cdbd2cSJim Jagielski }
144*b1cdbd2cSJim Jagielski return NULL;
145*b1cdbd2cSJim Jagielski }
146*b1cdbd2cSJim Jagielski
SecurityEnvironment_NssImpl(const Reference<XMultiServiceFactory> &)147*b1cdbd2cSJim Jagielski SecurityEnvironment_NssImpl :: SecurityEnvironment_NssImpl( const Reference< XMultiServiceFactory >& ) :
148*b1cdbd2cSJim Jagielski m_pHandler( NULL ) , m_tSymKeyList() , m_tPubKeyList() , m_tPriKeyList() {
149*b1cdbd2cSJim Jagielski
150*b1cdbd2cSJim Jagielski PK11_SetPasswordFunc( GetPasswordFunction ) ;
151*b1cdbd2cSJim Jagielski }
152*b1cdbd2cSJim Jagielski
~SecurityEnvironment_NssImpl()153*b1cdbd2cSJim Jagielski SecurityEnvironment_NssImpl :: ~SecurityEnvironment_NssImpl() {
154*b1cdbd2cSJim Jagielski
155*b1cdbd2cSJim Jagielski PK11_SetPasswordFunc( NULL ) ;
156*b1cdbd2cSJim Jagielski
157*b1cdbd2cSJim Jagielski for (CIT_SLOTS i = m_Slots.begin(); i != m_Slots.end(); i++)
158*b1cdbd2cSJim Jagielski {
159*b1cdbd2cSJim Jagielski PK11_FreeSlot(*i);
160*b1cdbd2cSJim Jagielski }
161*b1cdbd2cSJim Jagielski
162*b1cdbd2cSJim Jagielski if( !m_tSymKeyList.empty() ) {
163*b1cdbd2cSJim Jagielski std::list< PK11SymKey* >::iterator symKeyIt ;
164*b1cdbd2cSJim Jagielski
165*b1cdbd2cSJim Jagielski for( symKeyIt = m_tSymKeyList.begin() ; symKeyIt != m_tSymKeyList.end() ; symKeyIt ++ )
166*b1cdbd2cSJim Jagielski PK11_FreeSymKey( *symKeyIt ) ;
167*b1cdbd2cSJim Jagielski }
168*b1cdbd2cSJim Jagielski
169*b1cdbd2cSJim Jagielski if( !m_tPubKeyList.empty() ) {
170*b1cdbd2cSJim Jagielski std::list< SECKEYPublicKey* >::iterator pubKeyIt ;
171*b1cdbd2cSJim Jagielski
172*b1cdbd2cSJim Jagielski for( pubKeyIt = m_tPubKeyList.begin() ; pubKeyIt != m_tPubKeyList.end() ; pubKeyIt ++ )
173*b1cdbd2cSJim Jagielski SECKEY_DestroyPublicKey( *pubKeyIt ) ;
174*b1cdbd2cSJim Jagielski }
175*b1cdbd2cSJim Jagielski
176*b1cdbd2cSJim Jagielski if( !m_tPriKeyList.empty() ) {
177*b1cdbd2cSJim Jagielski std::list< SECKEYPrivateKey* >::iterator priKeyIt ;
178*b1cdbd2cSJim Jagielski
179*b1cdbd2cSJim Jagielski for( priKeyIt = m_tPriKeyList.begin() ; priKeyIt != m_tPriKeyList.end() ; priKeyIt ++ )
180*b1cdbd2cSJim Jagielski SECKEY_DestroyPrivateKey( *priKeyIt ) ;
181*b1cdbd2cSJim Jagielski }
182*b1cdbd2cSJim Jagielski }
183*b1cdbd2cSJim Jagielski
184*b1cdbd2cSJim Jagielski /* XInitialization */
initialize(const Sequence<Any> &)185*b1cdbd2cSJim Jagielski void SAL_CALL SecurityEnvironment_NssImpl :: initialize( const Sequence< Any >& ) throw( Exception, RuntimeException ) {
186*b1cdbd2cSJim Jagielski // TBD
187*b1cdbd2cSJim Jagielski } ;
188*b1cdbd2cSJim Jagielski
189*b1cdbd2cSJim Jagielski /* XServiceInfo */
getImplementationName()190*b1cdbd2cSJim Jagielski OUString SAL_CALL SecurityEnvironment_NssImpl :: getImplementationName() throw( RuntimeException ) {
191*b1cdbd2cSJim Jagielski return impl_getImplementationName() ;
192*b1cdbd2cSJim Jagielski }
193*b1cdbd2cSJim Jagielski
194*b1cdbd2cSJim Jagielski /* XServiceInfo */
supportsService(const OUString & serviceName)195*b1cdbd2cSJim Jagielski sal_Bool SAL_CALL SecurityEnvironment_NssImpl :: supportsService( const OUString& serviceName) throw( RuntimeException ) {
196*b1cdbd2cSJim Jagielski Sequence< OUString > seqServiceNames = getSupportedServiceNames() ;
197*b1cdbd2cSJim Jagielski const OUString* pArray = seqServiceNames.getConstArray() ;
198*b1cdbd2cSJim Jagielski for( sal_Int32 i = 0 ; i < seqServiceNames.getLength() ; i ++ ) {
199*b1cdbd2cSJim Jagielski if( *( pArray + i ) == serviceName )
200*b1cdbd2cSJim Jagielski return sal_True ;
201*b1cdbd2cSJim Jagielski }
202*b1cdbd2cSJim Jagielski return sal_False ;
203*b1cdbd2cSJim Jagielski }
204*b1cdbd2cSJim Jagielski
205*b1cdbd2cSJim Jagielski /* XServiceInfo */
getSupportedServiceNames()206*b1cdbd2cSJim Jagielski Sequence< OUString > SAL_CALL SecurityEnvironment_NssImpl :: getSupportedServiceNames() throw( RuntimeException ) {
207*b1cdbd2cSJim Jagielski return impl_getSupportedServiceNames() ;
208*b1cdbd2cSJim Jagielski }
209*b1cdbd2cSJim Jagielski
210*b1cdbd2cSJim Jagielski //Helper for XServiceInfo
impl_getSupportedServiceNames()211*b1cdbd2cSJim Jagielski Sequence< OUString > SecurityEnvironment_NssImpl :: impl_getSupportedServiceNames() {
212*b1cdbd2cSJim Jagielski ::osl::Guard< ::osl::Mutex > aGuard( ::osl::Mutex::getGlobalMutex() ) ;
213*b1cdbd2cSJim Jagielski Sequence< OUString > seqServiceNames( 1 ) ;
214*b1cdbd2cSJim Jagielski seqServiceNames.getArray()[0] = OUString::createFromAscii( "com.sun.star.xml.crypto.SecurityEnvironment" ) ;
215*b1cdbd2cSJim Jagielski return seqServiceNames ;
216*b1cdbd2cSJim Jagielski }
217*b1cdbd2cSJim Jagielski
impl_getImplementationName()218*b1cdbd2cSJim Jagielski OUString SecurityEnvironment_NssImpl :: impl_getImplementationName() throw( RuntimeException ) {
219*b1cdbd2cSJim Jagielski return OUString::createFromAscii( "com.sun.star.xml.security.bridge.xmlsec.SecurityEnvironment_NssImpl" ) ;
220*b1cdbd2cSJim Jagielski }
221*b1cdbd2cSJim Jagielski
222*b1cdbd2cSJim Jagielski //Helper for registry
impl_createInstance(const Reference<XMultiServiceFactory> & aServiceManager)223*b1cdbd2cSJim Jagielski Reference< XInterface > SAL_CALL SecurityEnvironment_NssImpl :: impl_createInstance( const Reference< XMultiServiceFactory >& aServiceManager ) throw( RuntimeException ) {
224*b1cdbd2cSJim Jagielski return Reference< XInterface >( *new SecurityEnvironment_NssImpl( aServiceManager ) ) ;
225*b1cdbd2cSJim Jagielski }
226*b1cdbd2cSJim Jagielski
impl_createFactory(const Reference<XMultiServiceFactory> & aServiceManager)227*b1cdbd2cSJim Jagielski Reference< XSingleServiceFactory > SecurityEnvironment_NssImpl :: impl_createFactory( const Reference< XMultiServiceFactory >& aServiceManager ) {
228*b1cdbd2cSJim Jagielski //Reference< XSingleServiceFactory > xFactory ;
229*b1cdbd2cSJim Jagielski //xFactory = ::cppu::createSingleFactory( aServiceManager , impl_getImplementationName , impl_createInstance , impl_getSupportedServiceNames ) ;
230*b1cdbd2cSJim Jagielski //return xFactory ;
231*b1cdbd2cSJim Jagielski return ::cppu::createSingleFactory( aServiceManager , impl_getImplementationName() , impl_createInstance , impl_getSupportedServiceNames() ) ;
232*b1cdbd2cSJim Jagielski }
233*b1cdbd2cSJim Jagielski
234*b1cdbd2cSJim Jagielski /* XUnoTunnel */
getSomething(const Sequence<sal_Int8> & aIdentifier)235*b1cdbd2cSJim Jagielski sal_Int64 SAL_CALL SecurityEnvironment_NssImpl :: getSomething( const Sequence< sal_Int8 >& aIdentifier )
236*b1cdbd2cSJim Jagielski throw( RuntimeException )
237*b1cdbd2cSJim Jagielski {
238*b1cdbd2cSJim Jagielski if( aIdentifier.getLength() == 16 && 0 == rtl_compareMemory( getUnoTunnelId().getConstArray(), aIdentifier.getConstArray(), 16 ) ) {
239*b1cdbd2cSJim Jagielski return sal::static_int_cast<sal_Int64>(reinterpret_cast<sal_uIntPtr>(this));
240*b1cdbd2cSJim Jagielski }
241*b1cdbd2cSJim Jagielski return 0 ;
242*b1cdbd2cSJim Jagielski }
243*b1cdbd2cSJim Jagielski
244*b1cdbd2cSJim Jagielski /* XUnoTunnel extension */
getUnoTunnelId()245*b1cdbd2cSJim Jagielski const Sequence< sal_Int8>& SecurityEnvironment_NssImpl :: getUnoTunnelId() {
246*b1cdbd2cSJim Jagielski static Sequence< sal_Int8 >* pSeq = 0 ;
247*b1cdbd2cSJim Jagielski if( !pSeq ) {
248*b1cdbd2cSJim Jagielski ::osl::Guard< ::osl::Mutex > aGuard( ::osl::Mutex::getGlobalMutex() ) ;
249*b1cdbd2cSJim Jagielski if( !pSeq ) {
250*b1cdbd2cSJim Jagielski static Sequence< sal_Int8> aSeq( 16 ) ;
251*b1cdbd2cSJim Jagielski rtl_createUuid( ( sal_uInt8* )aSeq.getArray() , 0 , sal_True ) ;
252*b1cdbd2cSJim Jagielski pSeq = &aSeq ;
253*b1cdbd2cSJim Jagielski }
254*b1cdbd2cSJim Jagielski }
255*b1cdbd2cSJim Jagielski return *pSeq ;
256*b1cdbd2cSJim Jagielski }
257*b1cdbd2cSJim Jagielski
258*b1cdbd2cSJim Jagielski /* XUnoTunnel extension */
getImplementation(const Reference<XInterface> xObj)259*b1cdbd2cSJim Jagielski SecurityEnvironment_NssImpl* SecurityEnvironment_NssImpl :: getImplementation( const Reference< XInterface > xObj ) {
260*b1cdbd2cSJim Jagielski Reference< XUnoTunnel > xUT( xObj , UNO_QUERY ) ;
261*b1cdbd2cSJim Jagielski if( xUT.is() ) {
262*b1cdbd2cSJim Jagielski return reinterpret_cast<SecurityEnvironment_NssImpl*>(
263*b1cdbd2cSJim Jagielski sal::static_int_cast<sal_uIntPtr>(xUT->getSomething( getUnoTunnelId() ))) ;
264*b1cdbd2cSJim Jagielski } else
265*b1cdbd2cSJim Jagielski return NULL ;
266*b1cdbd2cSJim Jagielski }
267*b1cdbd2cSJim Jagielski
268*b1cdbd2cSJim Jagielski
getSecurityEnvironmentInformation()269*b1cdbd2cSJim Jagielski ::rtl::OUString SecurityEnvironment_NssImpl::getSecurityEnvironmentInformation() throw( ::com::sun::star::uno::RuntimeException )
270*b1cdbd2cSJim Jagielski {
271*b1cdbd2cSJim Jagielski rtl::OUString result;
272*b1cdbd2cSJim Jagielski ::rtl::OUStringBuffer buff;
273*b1cdbd2cSJim Jagielski for (CIT_SLOTS is = m_Slots.begin(); is != m_Slots.end(); is++)
274*b1cdbd2cSJim Jagielski {
275*b1cdbd2cSJim Jagielski buff.append(rtl::OUString::createFromAscii(PK11_GetTokenName(*is)));
276*b1cdbd2cSJim Jagielski buff.appendAscii("\n");
277*b1cdbd2cSJim Jagielski }
278*b1cdbd2cSJim Jagielski return buff.makeStringAndClear();
279*b1cdbd2cSJim Jagielski }
280*b1cdbd2cSJim Jagielski
addCryptoSlot(PK11SlotInfo * aSlot)281*b1cdbd2cSJim Jagielski void SecurityEnvironment_NssImpl::addCryptoSlot( PK11SlotInfo* aSlot) throw( Exception , RuntimeException )
282*b1cdbd2cSJim Jagielski {
283*b1cdbd2cSJim Jagielski PK11_ReferenceSlot(aSlot);
284*b1cdbd2cSJim Jagielski m_Slots.push_back(aSlot);
285*b1cdbd2cSJim Jagielski }
286*b1cdbd2cSJim Jagielski
getCertDb()287*b1cdbd2cSJim Jagielski CERTCertDBHandle* SecurityEnvironment_NssImpl :: getCertDb() throw( Exception , RuntimeException ) {
288*b1cdbd2cSJim Jagielski return m_pHandler ;
289*b1cdbd2cSJim Jagielski }
290*b1cdbd2cSJim Jagielski
291*b1cdbd2cSJim Jagielski //Could we have multiple cert dbs?
setCertDb(CERTCertDBHandle * aCertDb)292*b1cdbd2cSJim Jagielski void SecurityEnvironment_NssImpl :: setCertDb( CERTCertDBHandle* aCertDb ) throw( Exception , RuntimeException ) {
293*b1cdbd2cSJim Jagielski m_pHandler = aCertDb ;
294*b1cdbd2cSJim Jagielski }
295*b1cdbd2cSJim Jagielski
adoptSymKey(PK11SymKey * aSymKey)296*b1cdbd2cSJim Jagielski void SecurityEnvironment_NssImpl :: adoptSymKey( PK11SymKey* aSymKey ) throw( Exception , RuntimeException ) {
297*b1cdbd2cSJim Jagielski PK11SymKey* symkey ;
298*b1cdbd2cSJim Jagielski std::list< PK11SymKey* >::iterator keyIt ;
299*b1cdbd2cSJim Jagielski
300*b1cdbd2cSJim Jagielski if( aSymKey != NULL ) {
301*b1cdbd2cSJim Jagielski //First try to find the key in the list
302*b1cdbd2cSJim Jagielski for( keyIt = m_tSymKeyList.begin() ; keyIt != m_tSymKeyList.end() ; keyIt ++ ) {
303*b1cdbd2cSJim Jagielski if( *keyIt == aSymKey )
304*b1cdbd2cSJim Jagielski return ;
305*b1cdbd2cSJim Jagielski }
306*b1cdbd2cSJim Jagielski
307*b1cdbd2cSJim Jagielski //If we do not find the key in the list, add a new node
308*b1cdbd2cSJim Jagielski symkey = PK11_ReferenceSymKey( aSymKey ) ;
309*b1cdbd2cSJim Jagielski if( symkey == NULL )
310*b1cdbd2cSJim Jagielski throw RuntimeException() ;
311*b1cdbd2cSJim Jagielski
312*b1cdbd2cSJim Jagielski try {
313*b1cdbd2cSJim Jagielski m_tSymKeyList.push_back( symkey ) ;
314*b1cdbd2cSJim Jagielski } catch ( Exception& ) {
315*b1cdbd2cSJim Jagielski PK11_FreeSymKey( symkey ) ;
316*b1cdbd2cSJim Jagielski }
317*b1cdbd2cSJim Jagielski }
318*b1cdbd2cSJim Jagielski }
319*b1cdbd2cSJim Jagielski
rejectSymKey(PK11SymKey * aSymKey)320*b1cdbd2cSJim Jagielski void SecurityEnvironment_NssImpl :: rejectSymKey( PK11SymKey* aSymKey ) throw( Exception , RuntimeException ) {
321*b1cdbd2cSJim Jagielski PK11SymKey* symkey ;
322*b1cdbd2cSJim Jagielski std::list< PK11SymKey* >::iterator keyIt ;
323*b1cdbd2cSJim Jagielski
324*b1cdbd2cSJim Jagielski if( aSymKey != NULL ) {
325*b1cdbd2cSJim Jagielski for( keyIt = m_tSymKeyList.begin() ; keyIt != m_tSymKeyList.end() ; keyIt ++ ) {
326*b1cdbd2cSJim Jagielski if( *keyIt == aSymKey ) {
327*b1cdbd2cSJim Jagielski symkey = *keyIt ;
328*b1cdbd2cSJim Jagielski PK11_FreeSymKey( symkey ) ;
329*b1cdbd2cSJim Jagielski m_tSymKeyList.erase( keyIt ) ;
330*b1cdbd2cSJim Jagielski break ;
331*b1cdbd2cSJim Jagielski }
332*b1cdbd2cSJim Jagielski }
333*b1cdbd2cSJim Jagielski }
334*b1cdbd2cSJim Jagielski }
335*b1cdbd2cSJim Jagielski
getSymKey(unsigned int position)336*b1cdbd2cSJim Jagielski PK11SymKey* SecurityEnvironment_NssImpl :: getSymKey( unsigned int position ) throw( Exception , RuntimeException ) {
337*b1cdbd2cSJim Jagielski PK11SymKey* symkey ;
338*b1cdbd2cSJim Jagielski std::list< PK11SymKey* >::iterator keyIt ;
339*b1cdbd2cSJim Jagielski unsigned int pos ;
340*b1cdbd2cSJim Jagielski
341*b1cdbd2cSJim Jagielski symkey = NULL ;
342*b1cdbd2cSJim Jagielski for( pos = 0, keyIt = m_tSymKeyList.begin() ; pos < position && keyIt != m_tSymKeyList.end() ; pos ++ , keyIt ++ ) ;
343*b1cdbd2cSJim Jagielski
344*b1cdbd2cSJim Jagielski if( pos == position && keyIt != m_tSymKeyList.end() )
345*b1cdbd2cSJim Jagielski symkey = *keyIt ;
346*b1cdbd2cSJim Jagielski
347*b1cdbd2cSJim Jagielski return symkey ;
348*b1cdbd2cSJim Jagielski }
349*b1cdbd2cSJim Jagielski
adoptPubKey(SECKEYPublicKey * aPubKey)350*b1cdbd2cSJim Jagielski void SecurityEnvironment_NssImpl :: adoptPubKey( SECKEYPublicKey* aPubKey ) throw( Exception , RuntimeException ) {
351*b1cdbd2cSJim Jagielski SECKEYPublicKey* pubkey ;
352*b1cdbd2cSJim Jagielski std::list< SECKEYPublicKey* >::iterator keyIt ;
353*b1cdbd2cSJim Jagielski
354*b1cdbd2cSJim Jagielski if( aPubKey != NULL ) {
355*b1cdbd2cSJim Jagielski //First try to find the key in the list
356*b1cdbd2cSJim Jagielski for( keyIt = m_tPubKeyList.begin() ; keyIt != m_tPubKeyList.end() ; keyIt ++ ) {
357*b1cdbd2cSJim Jagielski if( *keyIt == aPubKey )
358*b1cdbd2cSJim Jagielski return ;
359*b1cdbd2cSJim Jagielski }
360*b1cdbd2cSJim Jagielski
361*b1cdbd2cSJim Jagielski //If we do not find the key in the list, add a new node
362*b1cdbd2cSJim Jagielski pubkey = SECKEY_CopyPublicKey( aPubKey ) ;
363*b1cdbd2cSJim Jagielski if( pubkey == NULL )
364*b1cdbd2cSJim Jagielski throw RuntimeException() ;
365*b1cdbd2cSJim Jagielski
366*b1cdbd2cSJim Jagielski try {
367*b1cdbd2cSJim Jagielski m_tPubKeyList.push_back( pubkey ) ;
368*b1cdbd2cSJim Jagielski } catch ( Exception& ) {
369*b1cdbd2cSJim Jagielski SECKEY_DestroyPublicKey( pubkey ) ;
370*b1cdbd2cSJim Jagielski }
371*b1cdbd2cSJim Jagielski }
372*b1cdbd2cSJim Jagielski }
373*b1cdbd2cSJim Jagielski
rejectPubKey(SECKEYPublicKey * aPubKey)374*b1cdbd2cSJim Jagielski void SecurityEnvironment_NssImpl :: rejectPubKey( SECKEYPublicKey* aPubKey ) throw( Exception , RuntimeException ) {
375*b1cdbd2cSJim Jagielski SECKEYPublicKey* pubkey ;
376*b1cdbd2cSJim Jagielski std::list< SECKEYPublicKey* >::iterator keyIt ;
377*b1cdbd2cSJim Jagielski
378*b1cdbd2cSJim Jagielski if( aPubKey != NULL ) {
379*b1cdbd2cSJim Jagielski for( keyIt = m_tPubKeyList.begin() ; keyIt != m_tPubKeyList.end() ; keyIt ++ ) {
380*b1cdbd2cSJim Jagielski if( *keyIt == aPubKey ) {
381*b1cdbd2cSJim Jagielski pubkey = *keyIt ;
382*b1cdbd2cSJim Jagielski SECKEY_DestroyPublicKey( pubkey ) ;
383*b1cdbd2cSJim Jagielski m_tPubKeyList.erase( keyIt ) ;
384*b1cdbd2cSJim Jagielski break ;
385*b1cdbd2cSJim Jagielski }
386*b1cdbd2cSJim Jagielski }
387*b1cdbd2cSJim Jagielski }
388*b1cdbd2cSJim Jagielski }
389*b1cdbd2cSJim Jagielski
getPubKey(unsigned int position)390*b1cdbd2cSJim Jagielski SECKEYPublicKey* SecurityEnvironment_NssImpl :: getPubKey( unsigned int position ) throw( Exception , RuntimeException ) {
391*b1cdbd2cSJim Jagielski SECKEYPublicKey* pubkey ;
392*b1cdbd2cSJim Jagielski std::list< SECKEYPublicKey* >::iterator keyIt ;
393*b1cdbd2cSJim Jagielski unsigned int pos ;
394*b1cdbd2cSJim Jagielski
395*b1cdbd2cSJim Jagielski pubkey = NULL ;
396*b1cdbd2cSJim Jagielski for( pos = 0, keyIt = m_tPubKeyList.begin() ; pos < position && keyIt != m_tPubKeyList.end() ; pos ++ , keyIt ++ ) ;
397*b1cdbd2cSJim Jagielski
398*b1cdbd2cSJim Jagielski if( pos == position && keyIt != m_tPubKeyList.end() )
399*b1cdbd2cSJim Jagielski pubkey = *keyIt ;
400*b1cdbd2cSJim Jagielski
401*b1cdbd2cSJim Jagielski return pubkey ;
402*b1cdbd2cSJim Jagielski }
403*b1cdbd2cSJim Jagielski
adoptPriKey(SECKEYPrivateKey * aPriKey)404*b1cdbd2cSJim Jagielski void SecurityEnvironment_NssImpl :: adoptPriKey( SECKEYPrivateKey* aPriKey ) throw( Exception , RuntimeException ) {
405*b1cdbd2cSJim Jagielski SECKEYPrivateKey* prikey ;
406*b1cdbd2cSJim Jagielski std::list< SECKEYPrivateKey* >::iterator keyIt ;
407*b1cdbd2cSJim Jagielski
408*b1cdbd2cSJim Jagielski if( aPriKey != NULL ) {
409*b1cdbd2cSJim Jagielski //First try to find the key in the list
410*b1cdbd2cSJim Jagielski for( keyIt = m_tPriKeyList.begin() ; keyIt != m_tPriKeyList.end() ; keyIt ++ ) {
411*b1cdbd2cSJim Jagielski if( *keyIt == aPriKey )
412*b1cdbd2cSJim Jagielski return ;
413*b1cdbd2cSJim Jagielski }
414*b1cdbd2cSJim Jagielski
415*b1cdbd2cSJim Jagielski //If we do not find the key in the list, add a new node
416*b1cdbd2cSJim Jagielski prikey = SECKEY_CopyPrivateKey( aPriKey ) ;
417*b1cdbd2cSJim Jagielski if( prikey == NULL )
418*b1cdbd2cSJim Jagielski throw RuntimeException() ;
419*b1cdbd2cSJim Jagielski
420*b1cdbd2cSJim Jagielski try {
421*b1cdbd2cSJim Jagielski m_tPriKeyList.push_back( prikey ) ;
422*b1cdbd2cSJim Jagielski } catch ( Exception& ) {
423*b1cdbd2cSJim Jagielski SECKEY_DestroyPrivateKey( prikey ) ;
424*b1cdbd2cSJim Jagielski }
425*b1cdbd2cSJim Jagielski }
426*b1cdbd2cSJim Jagielski }
427*b1cdbd2cSJim Jagielski
rejectPriKey(SECKEYPrivateKey * aPriKey)428*b1cdbd2cSJim Jagielski void SecurityEnvironment_NssImpl :: rejectPriKey( SECKEYPrivateKey* aPriKey ) throw( Exception , RuntimeException ) {
429*b1cdbd2cSJim Jagielski SECKEYPrivateKey* prikey ;
430*b1cdbd2cSJim Jagielski std::list< SECKEYPrivateKey* >::iterator keyIt ;
431*b1cdbd2cSJim Jagielski
432*b1cdbd2cSJim Jagielski if( aPriKey != NULL ) {
433*b1cdbd2cSJim Jagielski for( keyIt = m_tPriKeyList.begin() ; keyIt != m_tPriKeyList.end() ; keyIt ++ ) {
434*b1cdbd2cSJim Jagielski if( *keyIt == aPriKey ) {
435*b1cdbd2cSJim Jagielski prikey = *keyIt ;
436*b1cdbd2cSJim Jagielski SECKEY_DestroyPrivateKey( prikey ) ;
437*b1cdbd2cSJim Jagielski m_tPriKeyList.erase( keyIt ) ;
438*b1cdbd2cSJim Jagielski break ;
439*b1cdbd2cSJim Jagielski }
440*b1cdbd2cSJim Jagielski }
441*b1cdbd2cSJim Jagielski }
442*b1cdbd2cSJim Jagielski }
443*b1cdbd2cSJim Jagielski
getPriKey(unsigned int position)444*b1cdbd2cSJim Jagielski SECKEYPrivateKey* SecurityEnvironment_NssImpl :: getPriKey( unsigned int position ) throw( ::com::sun::star::uno::Exception , ::com::sun::star::uno::RuntimeException ) {
445*b1cdbd2cSJim Jagielski SECKEYPrivateKey* prikey ;
446*b1cdbd2cSJim Jagielski std::list< SECKEYPrivateKey* >::iterator keyIt ;
447*b1cdbd2cSJim Jagielski unsigned int pos ;
448*b1cdbd2cSJim Jagielski
449*b1cdbd2cSJim Jagielski prikey = NULL ;
450*b1cdbd2cSJim Jagielski for( pos = 0, keyIt = m_tPriKeyList.begin() ; pos < position && keyIt != m_tPriKeyList.end() ; pos ++ , keyIt ++ ) ;
451*b1cdbd2cSJim Jagielski
452*b1cdbd2cSJim Jagielski if( pos == position && keyIt != m_tPriKeyList.end() )
453*b1cdbd2cSJim Jagielski prikey = *keyIt ;
454*b1cdbd2cSJim Jagielski
455*b1cdbd2cSJim Jagielski return prikey ;
456*b1cdbd2cSJim Jagielski }
457*b1cdbd2cSJim Jagielski
updateSlots()458*b1cdbd2cSJim Jagielski void SecurityEnvironment_NssImpl::updateSlots()
459*b1cdbd2cSJim Jagielski {
460*b1cdbd2cSJim Jagielski //In case new tokens are present then we can obtain the corresponding slot
461*b1cdbd2cSJim Jagielski PK11SlotList * soltList = NULL;
462*b1cdbd2cSJim Jagielski PK11SlotListElement * soltEle = NULL;
463*b1cdbd2cSJim Jagielski PK11SlotInfo * pSlot = NULL;
464*b1cdbd2cSJim Jagielski PK11SymKey * pSymKey = NULL;
465*b1cdbd2cSJim Jagielski
466*b1cdbd2cSJim Jagielski osl::MutexGuard guard(m_mutex);
467*b1cdbd2cSJim Jagielski
468*b1cdbd2cSJim Jagielski m_Slots.clear();
469*b1cdbd2cSJim Jagielski m_tSymKeyList.clear();
470*b1cdbd2cSJim Jagielski
471*b1cdbd2cSJim Jagielski soltList = PK11_GetAllTokens( CKM_INVALID_MECHANISM, PR_FALSE, PR_FALSE, NULL ) ;
472*b1cdbd2cSJim Jagielski if( soltList != NULL )
473*b1cdbd2cSJim Jagielski {
474*b1cdbd2cSJim Jagielski for( soltEle = soltList->head ; soltEle != NULL; soltEle = soltEle->next )
475*b1cdbd2cSJim Jagielski {
476*b1cdbd2cSJim Jagielski pSlot = soltEle->slot ;
477*b1cdbd2cSJim Jagielski
478*b1cdbd2cSJim Jagielski if(pSlot != NULL)
479*b1cdbd2cSJim Jagielski {
480*b1cdbd2cSJim Jagielski RTL_LOGFILE_TRACE2( "XMLSEC: Found a slot: SlotName=%s, TokenName=%s", PK11_GetSlotName(pSlot), PK11_GetTokenName(pSlot) );
481*b1cdbd2cSJim Jagielski
482*b1cdbd2cSJim Jagielski //The following code which is commented out checks if a slot, that is a smart card for example, is
483*b1cdbd2cSJim Jagielski // able to generate a symmetric key of type CKM_DES3_CBC. If this fails then this token
484*b1cdbd2cSJim Jagielski // will not be used. This key is possibly used for the encryption service. However, all
485*b1cdbd2cSJim Jagielski // interfaces and services used for public key signature and encryption are not published
486*b1cdbd2cSJim Jagielski // and the encryption is not used in OOo. Therefore it does not do any harm to remove
487*b1cdbd2cSJim Jagielski // this code, hence allowing smart cards which cannot generate this type of key.
488*b1cdbd2cSJim Jagielski //
489*b1cdbd2cSJim Jagielski // By doing this, the encryption may fail if a smart card is being used which does not
490*b1cdbd2cSJim Jagielski // support this key generation.
491*b1cdbd2cSJim Jagielski //
492*b1cdbd2cSJim Jagielski pSymKey = PK11_KeyGen( pSlot , CKM_DES3_CBC, NULL, 128, NULL ) ;
493*b1cdbd2cSJim Jagielski // if( pSymKey == NULL )
494*b1cdbd2cSJim Jagielski // {
495*b1cdbd2cSJim Jagielski // PK11_FreeSlot( pSlot ) ;
496*b1cdbd2cSJim Jagielski // RTL_LOGFILE_TRACE( "XMLSEC: Error - pSymKey is NULL" );
497*b1cdbd2cSJim Jagielski // continue;
498*b1cdbd2cSJim Jagielski // }
499*b1cdbd2cSJim Jagielski addCryptoSlot(pSlot);
500*b1cdbd2cSJim Jagielski PK11_FreeSlot( pSlot ) ;
501*b1cdbd2cSJim Jagielski pSlot = NULL;
502*b1cdbd2cSJim Jagielski
503*b1cdbd2cSJim Jagielski if (pSymKey != NULL)
504*b1cdbd2cSJim Jagielski {
505*b1cdbd2cSJim Jagielski adoptSymKey( pSymKey ) ;
506*b1cdbd2cSJim Jagielski PK11_FreeSymKey( pSymKey ) ;
507*b1cdbd2cSJim Jagielski pSymKey = NULL;
508*b1cdbd2cSJim Jagielski }
509*b1cdbd2cSJim Jagielski
510*b1cdbd2cSJim Jagielski }// end of if(pSlot != NULL)
511*b1cdbd2cSJim Jagielski }// end of for
512*b1cdbd2cSJim Jagielski }// end of if( soltList != NULL )
513*b1cdbd2cSJim Jagielski
514*b1cdbd2cSJim Jagielski }
515*b1cdbd2cSJim Jagielski
516*b1cdbd2cSJim Jagielski
517*b1cdbd2cSJim Jagielski Sequence< Reference < XCertificate > >
getPersonalCertificates()518*b1cdbd2cSJim Jagielski SecurityEnvironment_NssImpl::getPersonalCertificates() throw( SecurityException , RuntimeException )
519*b1cdbd2cSJim Jagielski {
520*b1cdbd2cSJim Jagielski sal_Int32 length ;
521*b1cdbd2cSJim Jagielski X509Certificate_NssImpl* xcert ;
522*b1cdbd2cSJim Jagielski std::list< X509Certificate_NssImpl* > certsList ;
523*b1cdbd2cSJim Jagielski
524*b1cdbd2cSJim Jagielski updateSlots();
525*b1cdbd2cSJim Jagielski //firstly, we try to find private keys in slot
526*b1cdbd2cSJim Jagielski for (CIT_SLOTS is = m_Slots.begin(); is != m_Slots.end(); is++)
527*b1cdbd2cSJim Jagielski {
528*b1cdbd2cSJim Jagielski PK11SlotInfo *slot = *is;
529*b1cdbd2cSJim Jagielski SECKEYPrivateKeyList* priKeyList ;
530*b1cdbd2cSJim Jagielski SECKEYPrivateKeyListNode* curPri ;
531*b1cdbd2cSJim Jagielski
532*b1cdbd2cSJim Jagielski if( PK11_NeedLogin(slot ) ) {
533*b1cdbd2cSJim Jagielski SECStatus nRet = PK11_Authenticate(slot, PR_TRUE, NULL);
534*b1cdbd2cSJim Jagielski //PK11_Authenticate may fail in case the a slot has not been initialized.
535*b1cdbd2cSJim Jagielski //this is the case if the user has a new profile, so that they have never
536*b1cdbd2cSJim Jagielski //added a personal certificate.
537*b1cdbd2cSJim Jagielski if( nRet != SECSuccess && PORT_GetError() != SEC_ERROR_IO) {
538*b1cdbd2cSJim Jagielski throw NoPasswordException();
539*b1cdbd2cSJim Jagielski }
540*b1cdbd2cSJim Jagielski }
541*b1cdbd2cSJim Jagielski
542*b1cdbd2cSJim Jagielski priKeyList = PK11_ListPrivateKeysInSlot(slot) ;
543*b1cdbd2cSJim Jagielski if( priKeyList != NULL ) {
544*b1cdbd2cSJim Jagielski for( curPri = PRIVKEY_LIST_HEAD( priKeyList );
545*b1cdbd2cSJim Jagielski !PRIVKEY_LIST_END( curPri, priKeyList ) && curPri != NULL ;
546*b1cdbd2cSJim Jagielski curPri = PRIVKEY_LIST_NEXT( curPri ) ) {
547*b1cdbd2cSJim Jagielski xcert = NssPrivKeyToXCert( curPri->key ) ;
548*b1cdbd2cSJim Jagielski if( xcert != NULL )
549*b1cdbd2cSJim Jagielski certsList.push_back( xcert ) ;
550*b1cdbd2cSJim Jagielski }
551*b1cdbd2cSJim Jagielski }
552*b1cdbd2cSJim Jagielski
553*b1cdbd2cSJim Jagielski SECKEY_DestroyPrivateKeyList( priKeyList ) ;
554*b1cdbd2cSJim Jagielski }
555*b1cdbd2cSJim Jagielski
556*b1cdbd2cSJim Jagielski //secondly, we try to find certificate from registered private keys.
557*b1cdbd2cSJim Jagielski if( !m_tPriKeyList.empty() ) {
558*b1cdbd2cSJim Jagielski std::list< SECKEYPrivateKey* >::iterator priKeyIt ;
559*b1cdbd2cSJim Jagielski
560*b1cdbd2cSJim Jagielski for( priKeyIt = m_tPriKeyList.begin() ; priKeyIt != m_tPriKeyList.end() ; priKeyIt ++ ) {
561*b1cdbd2cSJim Jagielski xcert = NssPrivKeyToXCert( *priKeyIt ) ;
562*b1cdbd2cSJim Jagielski if( xcert != NULL )
563*b1cdbd2cSJim Jagielski certsList.push_back( xcert ) ;
564*b1cdbd2cSJim Jagielski }
565*b1cdbd2cSJim Jagielski }
566*b1cdbd2cSJim Jagielski
567*b1cdbd2cSJim Jagielski length = certsList.size() ;
568*b1cdbd2cSJim Jagielski if( length != 0 ) {
569*b1cdbd2cSJim Jagielski int i ;
570*b1cdbd2cSJim Jagielski std::list< X509Certificate_NssImpl* >::iterator xcertIt ;
571*b1cdbd2cSJim Jagielski Sequence< Reference< XCertificate > > certSeq( length ) ;
572*b1cdbd2cSJim Jagielski
573*b1cdbd2cSJim Jagielski for( i = 0, xcertIt = certsList.begin(); xcertIt != certsList.end(); xcertIt ++, i++ ) {
574*b1cdbd2cSJim Jagielski certSeq[i] = *xcertIt ;
575*b1cdbd2cSJim Jagielski }
576*b1cdbd2cSJim Jagielski
577*b1cdbd2cSJim Jagielski return certSeq ;
578*b1cdbd2cSJim Jagielski }
579*b1cdbd2cSJim Jagielski
580*b1cdbd2cSJim Jagielski return Sequence< Reference < XCertificate > > ();
581*b1cdbd2cSJim Jagielski }
582*b1cdbd2cSJim Jagielski
getCertificate(const OUString & issuerName,const Sequence<sal_Int8> & serialNumber)583*b1cdbd2cSJim Jagielski Reference< XCertificate > SecurityEnvironment_NssImpl :: getCertificate( const OUString& issuerName, const Sequence< sal_Int8 >& serialNumber ) throw( SecurityException , RuntimeException )
584*b1cdbd2cSJim Jagielski {
585*b1cdbd2cSJim Jagielski X509Certificate_NssImpl* xcert = NULL;
586*b1cdbd2cSJim Jagielski
587*b1cdbd2cSJim Jagielski if( m_pHandler != NULL ) {
588*b1cdbd2cSJim Jagielski CERTIssuerAndSN issuerAndSN ;
589*b1cdbd2cSJim Jagielski CERTCertificate* cert ;
590*b1cdbd2cSJim Jagielski CERTName* nmIssuer ;
591*b1cdbd2cSJim Jagielski char* chIssuer ;
592*b1cdbd2cSJim Jagielski SECItem* derIssuer ;
593*b1cdbd2cSJim Jagielski PRArenaPool* arena ;
594*b1cdbd2cSJim Jagielski
595*b1cdbd2cSJim Jagielski arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE ) ;
596*b1cdbd2cSJim Jagielski if( arena == NULL )
597*b1cdbd2cSJim Jagielski throw RuntimeException() ;
598*b1cdbd2cSJim Jagielski
599*b1cdbd2cSJim Jagielski /*
600*b1cdbd2cSJim Jagielski * mmi : because MS Crypto use the 'S' tag (equal to the 'ST' tag in NSS), but the NSS can't recognise
601*b1cdbd2cSJim Jagielski * it, so the 'S' tag should be changed to 'ST' tag
602*b1cdbd2cSJim Jagielski *
603*b1cdbd2cSJim Jagielski * PS : it can work, but inside libxmlsec, the 'S' tag is till used to find cert in NSS engine, so it
604*b1cdbd2cSJim Jagielski * is not useful at all. (comment out now)
605*b1cdbd2cSJim Jagielski */
606*b1cdbd2cSJim Jagielski
607*b1cdbd2cSJim Jagielski /*
608*b1cdbd2cSJim Jagielski sal_Int32 nIndex = 0;
609*b1cdbd2cSJim Jagielski OUString newIssuerName;
610*b1cdbd2cSJim Jagielski do
611*b1cdbd2cSJim Jagielski {
612*b1cdbd2cSJim Jagielski OUString aToken = issuerName.getToken( 0, ',', nIndex ).trim();
613*b1cdbd2cSJim Jagielski if (aToken.compareToAscii("S=",2) == 0)
614*b1cdbd2cSJim Jagielski {
615*b1cdbd2cSJim Jagielski newIssuerName+=OUString::createFromAscii("ST=");
616*b1cdbd2cSJim Jagielski newIssuerName+=aToken.copy(2);
617*b1cdbd2cSJim Jagielski }
618*b1cdbd2cSJim Jagielski else
619*b1cdbd2cSJim Jagielski {
620*b1cdbd2cSJim Jagielski newIssuerName+=aToken;
621*b1cdbd2cSJim Jagielski }
622*b1cdbd2cSJim Jagielski
623*b1cdbd2cSJim Jagielski if (nIndex >= 0)
624*b1cdbd2cSJim Jagielski {
625*b1cdbd2cSJim Jagielski newIssuerName+=OUString::createFromAscii(",");
626*b1cdbd2cSJim Jagielski }
627*b1cdbd2cSJim Jagielski } while ( nIndex >= 0 );
628*b1cdbd2cSJim Jagielski */
629*b1cdbd2cSJim Jagielski
630*b1cdbd2cSJim Jagielski /* end */
631*b1cdbd2cSJim Jagielski
632*b1cdbd2cSJim Jagielski //Create cert info from issue and serial
633*b1cdbd2cSJim Jagielski rtl::OString ostr = rtl::OUStringToOString( issuerName , RTL_TEXTENCODING_UTF8 ) ;
634*b1cdbd2cSJim Jagielski chIssuer = PL_strndup( ( char* )ostr.getStr(), ( int )ostr.getLength() ) ;
635*b1cdbd2cSJim Jagielski nmIssuer = CERT_AsciiToName( chIssuer ) ;
636*b1cdbd2cSJim Jagielski if( nmIssuer == NULL ) {
637*b1cdbd2cSJim Jagielski PL_strfree( chIssuer ) ;
638*b1cdbd2cSJim Jagielski PORT_FreeArena( arena, PR_FALSE ) ;
639*b1cdbd2cSJim Jagielski
640*b1cdbd2cSJim Jagielski /*
641*b1cdbd2cSJim Jagielski * i40394
642*b1cdbd2cSJim Jagielski *
643*b1cdbd2cSJim Jagielski * mmi : no need to throw exception
644*b1cdbd2cSJim Jagielski * just return "no found"
645*b1cdbd2cSJim Jagielski */
646*b1cdbd2cSJim Jagielski //throw RuntimeException() ;
647*b1cdbd2cSJim Jagielski return NULL;
648*b1cdbd2cSJim Jagielski }
649*b1cdbd2cSJim Jagielski
650*b1cdbd2cSJim Jagielski derIssuer = SEC_ASN1EncodeItem( arena, NULL, ( void* )nmIssuer, SEC_ASN1_GET( CERT_NameTemplate ) ) ;
651*b1cdbd2cSJim Jagielski if( derIssuer == NULL ) {
652*b1cdbd2cSJim Jagielski PL_strfree( chIssuer ) ;
653*b1cdbd2cSJim Jagielski CERT_DestroyName( nmIssuer ) ;
654*b1cdbd2cSJim Jagielski PORT_FreeArena( arena, PR_FALSE ) ;
655*b1cdbd2cSJim Jagielski throw RuntimeException() ;
656*b1cdbd2cSJim Jagielski }
657*b1cdbd2cSJim Jagielski
658*b1cdbd2cSJim Jagielski memset( &issuerAndSN, 0, sizeof( issuerAndSN ) ) ;
659*b1cdbd2cSJim Jagielski
660*b1cdbd2cSJim Jagielski issuerAndSN.derIssuer.data = derIssuer->data ;
661*b1cdbd2cSJim Jagielski issuerAndSN.derIssuer.len = derIssuer->len ;
662*b1cdbd2cSJim Jagielski
663*b1cdbd2cSJim Jagielski issuerAndSN.serialNumber.data = ( unsigned char* )&serialNumber[0] ;
664*b1cdbd2cSJim Jagielski issuerAndSN.serialNumber.len = serialNumber.getLength() ;
665*b1cdbd2cSJim Jagielski
666*b1cdbd2cSJim Jagielski cert = CERT_FindCertByIssuerAndSN( m_pHandler, &issuerAndSN ) ;
667*b1cdbd2cSJim Jagielski if( cert != NULL ) {
668*b1cdbd2cSJim Jagielski xcert = NssCertToXCert( cert ) ;
669*b1cdbd2cSJim Jagielski } else {
670*b1cdbd2cSJim Jagielski xcert = NULL ;
671*b1cdbd2cSJim Jagielski }
672*b1cdbd2cSJim Jagielski
673*b1cdbd2cSJim Jagielski PL_strfree( chIssuer ) ;
674*b1cdbd2cSJim Jagielski CERT_DestroyName( nmIssuer ) ;
675*b1cdbd2cSJim Jagielski //SECITEM_FreeItem( derIssuer, PR_FALSE ) ;
676*b1cdbd2cSJim Jagielski CERT_DestroyCertificate( cert ) ;
677*b1cdbd2cSJim Jagielski PORT_FreeArena( arena, PR_FALSE ) ;
678*b1cdbd2cSJim Jagielski } else {
679*b1cdbd2cSJim Jagielski xcert = NULL ;
680*b1cdbd2cSJim Jagielski }
681*b1cdbd2cSJim Jagielski
682*b1cdbd2cSJim Jagielski return xcert ;
683*b1cdbd2cSJim Jagielski }
684*b1cdbd2cSJim Jagielski
getCertificate(const OUString & issuerName,const OUString & serialNumber)685*b1cdbd2cSJim Jagielski Reference< XCertificate > SecurityEnvironment_NssImpl :: getCertificate( const OUString& issuerName, const OUString& serialNumber ) throw( SecurityException , RuntimeException ) {
686*b1cdbd2cSJim Jagielski Sequence< sal_Int8 > serial = numericStringToBigInteger( serialNumber ) ;
687*b1cdbd2cSJim Jagielski return getCertificate( issuerName, serial ) ;
688*b1cdbd2cSJim Jagielski }
689*b1cdbd2cSJim Jagielski
buildCertificatePath(const Reference<XCertificate> & begin)690*b1cdbd2cSJim Jagielski Sequence< Reference < XCertificate > > SecurityEnvironment_NssImpl :: buildCertificatePath( const Reference< XCertificate >& begin ) throw( SecurityException , RuntimeException ) {
691*b1cdbd2cSJim Jagielski const X509Certificate_NssImpl* xcert ;
692*b1cdbd2cSJim Jagielski const CERTCertificate* cert ;
693*b1cdbd2cSJim Jagielski CERTCertList* certChain ;
694*b1cdbd2cSJim Jagielski
695*b1cdbd2cSJim Jagielski Reference< XUnoTunnel > xCertTunnel( begin, UNO_QUERY ) ;
696*b1cdbd2cSJim Jagielski if( !xCertTunnel.is() ) {
697*b1cdbd2cSJim Jagielski throw RuntimeException() ;
698*b1cdbd2cSJim Jagielski }
699*b1cdbd2cSJim Jagielski
700*b1cdbd2cSJim Jagielski xcert = reinterpret_cast<X509Certificate_NssImpl*>(
701*b1cdbd2cSJim Jagielski sal::static_int_cast<sal_uIntPtr>(xCertTunnel->getSomething( X509Certificate_NssImpl::getUnoTunnelId() ))) ;
702*b1cdbd2cSJim Jagielski if( xcert == NULL ) {
703*b1cdbd2cSJim Jagielski throw RuntimeException() ;
704*b1cdbd2cSJim Jagielski }
705*b1cdbd2cSJim Jagielski
706*b1cdbd2cSJim Jagielski cert = xcert->getNssCert() ;
707*b1cdbd2cSJim Jagielski if( cert != NULL ) {
708*b1cdbd2cSJim Jagielski int64 timeboundary ;
709*b1cdbd2cSJim Jagielski
710*b1cdbd2cSJim Jagielski //Get the system clock time
711*b1cdbd2cSJim Jagielski timeboundary = PR_Now() ;
712*b1cdbd2cSJim Jagielski
713*b1cdbd2cSJim Jagielski certChain = CERT_GetCertChainFromCert( ( CERTCertificate* )cert, timeboundary, certUsageAnyCA ) ;
714*b1cdbd2cSJim Jagielski } else {
715*b1cdbd2cSJim Jagielski certChain = NULL ;
716*b1cdbd2cSJim Jagielski }
717*b1cdbd2cSJim Jagielski
718*b1cdbd2cSJim Jagielski if( certChain != NULL ) {
719*b1cdbd2cSJim Jagielski X509Certificate_NssImpl* pCert ;
720*b1cdbd2cSJim Jagielski CERTCertListNode* node ;
721*b1cdbd2cSJim Jagielski int len ;
722*b1cdbd2cSJim Jagielski
723*b1cdbd2cSJim Jagielski for( len = 0, node = CERT_LIST_HEAD( certChain ); !CERT_LIST_END( node, certChain ); node = CERT_LIST_NEXT( node ), len ++ ) ;
724*b1cdbd2cSJim Jagielski Sequence< Reference< XCertificate > > xCertChain( len ) ;
725*b1cdbd2cSJim Jagielski
726*b1cdbd2cSJim Jagielski for( len = 0, node = CERT_LIST_HEAD( certChain ); !CERT_LIST_END( node, certChain ); node = CERT_LIST_NEXT( node ), len ++ ) {
727*b1cdbd2cSJim Jagielski pCert = new X509Certificate_NssImpl() ;
728*b1cdbd2cSJim Jagielski if( pCert == NULL ) {
729*b1cdbd2cSJim Jagielski CERT_DestroyCertList( certChain ) ;
730*b1cdbd2cSJim Jagielski throw RuntimeException() ;
731*b1cdbd2cSJim Jagielski }
732*b1cdbd2cSJim Jagielski
733*b1cdbd2cSJim Jagielski pCert->setCert( node->cert ) ;
734*b1cdbd2cSJim Jagielski
735*b1cdbd2cSJim Jagielski xCertChain[len] = pCert ;
736*b1cdbd2cSJim Jagielski }
737*b1cdbd2cSJim Jagielski
738*b1cdbd2cSJim Jagielski CERT_DestroyCertList( certChain ) ;
739*b1cdbd2cSJim Jagielski
740*b1cdbd2cSJim Jagielski return xCertChain ;
741*b1cdbd2cSJim Jagielski }
742*b1cdbd2cSJim Jagielski
743*b1cdbd2cSJim Jagielski return Sequence< Reference < XCertificate > >();
744*b1cdbd2cSJim Jagielski }
745*b1cdbd2cSJim Jagielski
createCertificateFromRaw(const Sequence<sal_Int8> & rawCertificate)746*b1cdbd2cSJim Jagielski Reference< XCertificate > SecurityEnvironment_NssImpl :: createCertificateFromRaw( const Sequence< sal_Int8 >& rawCertificate ) throw( SecurityException , RuntimeException ) {
747*b1cdbd2cSJim Jagielski X509Certificate_NssImpl* xcert ;
748*b1cdbd2cSJim Jagielski
749*b1cdbd2cSJim Jagielski if( rawCertificate.getLength() > 0 ) {
750*b1cdbd2cSJim Jagielski xcert = new X509Certificate_NssImpl() ;
751*b1cdbd2cSJim Jagielski if( xcert == NULL )
752*b1cdbd2cSJim Jagielski throw RuntimeException() ;
753*b1cdbd2cSJim Jagielski
754*b1cdbd2cSJim Jagielski xcert->setRawCert( rawCertificate ) ;
755*b1cdbd2cSJim Jagielski } else {
756*b1cdbd2cSJim Jagielski xcert = NULL ;
757*b1cdbd2cSJim Jagielski }
758*b1cdbd2cSJim Jagielski
759*b1cdbd2cSJim Jagielski return xcert ;
760*b1cdbd2cSJim Jagielski }
761*b1cdbd2cSJim Jagielski
createCertificateFromAscii(const OUString & asciiCertificate)762*b1cdbd2cSJim Jagielski Reference< XCertificate > SecurityEnvironment_NssImpl :: createCertificateFromAscii( const OUString& asciiCertificate ) throw( SecurityException , RuntimeException ) {
763*b1cdbd2cSJim Jagielski xmlChar* chCert ;
764*b1cdbd2cSJim Jagielski xmlSecSize certSize ;
765*b1cdbd2cSJim Jagielski
766*b1cdbd2cSJim Jagielski rtl::OString oscert = rtl::OUStringToOString( asciiCertificate , RTL_TEXTENCODING_ASCII_US ) ;
767*b1cdbd2cSJim Jagielski
768*b1cdbd2cSJim Jagielski chCert = xmlStrndup( ( const xmlChar* )oscert.getStr(), ( int )oscert.getLength() ) ;
769*b1cdbd2cSJim Jagielski
770*b1cdbd2cSJim Jagielski certSize = xmlSecBase64Decode( chCert, ( xmlSecByte* )chCert, xmlStrlen( chCert ) ) ;
771*b1cdbd2cSJim Jagielski
772*b1cdbd2cSJim Jagielski Sequence< sal_Int8 > rawCert( certSize ) ;
773*b1cdbd2cSJim Jagielski for( unsigned int i = 0 ; i < certSize ; i ++ )
774*b1cdbd2cSJim Jagielski rawCert[i] = *( chCert + i ) ;
775*b1cdbd2cSJim Jagielski
776*b1cdbd2cSJim Jagielski xmlFree( chCert ) ;
777*b1cdbd2cSJim Jagielski
778*b1cdbd2cSJim Jagielski return createCertificateFromRaw( rawCert ) ;
779*b1cdbd2cSJim Jagielski }
780*b1cdbd2cSJim Jagielski
781*b1cdbd2cSJim Jagielski sal_Int32 SecurityEnvironment_NssImpl ::
verifyCertificate(const Reference<csss::XCertificate> & aCert,const Sequence<Reference<csss::XCertificate>> & intermediateCerts)782*b1cdbd2cSJim Jagielski verifyCertificate( const Reference< csss::XCertificate >& aCert,
783*b1cdbd2cSJim Jagielski const Sequence< Reference< csss::XCertificate > >& intermediateCerts )
784*b1cdbd2cSJim Jagielski throw( ::com::sun::star::uno::SecurityException, ::com::sun::star::uno::RuntimeException )
785*b1cdbd2cSJim Jagielski {
786*b1cdbd2cSJim Jagielski sal_Int32 validity = csss::CertificateValidity::INVALID;
787*b1cdbd2cSJim Jagielski const X509Certificate_NssImpl* xcert ;
788*b1cdbd2cSJim Jagielski const CERTCertificate* cert ;
789*b1cdbd2cSJim Jagielski ::std::vector<CERTCertificate*> vecTmpNSSCertificates;
790*b1cdbd2cSJim Jagielski Reference< XUnoTunnel > xCertTunnel( aCert, UNO_QUERY ) ;
791*b1cdbd2cSJim Jagielski if( !xCertTunnel.is() ) {
792*b1cdbd2cSJim Jagielski throw RuntimeException() ;
793*b1cdbd2cSJim Jagielski }
794*b1cdbd2cSJim Jagielski
795*b1cdbd2cSJim Jagielski xmlsec_trace("Start verification of certificate: \n %s \n",
796*b1cdbd2cSJim Jagielski OUStringToOString(
797*b1cdbd2cSJim Jagielski aCert->getSubjectName(), osl_getThreadTextEncoding()).getStr());
798*b1cdbd2cSJim Jagielski
799*b1cdbd2cSJim Jagielski xcert = reinterpret_cast<X509Certificate_NssImpl*>(
800*b1cdbd2cSJim Jagielski sal::static_int_cast<sal_uIntPtr>(xCertTunnel->getSomething( X509Certificate_NssImpl::getUnoTunnelId() ))) ;
801*b1cdbd2cSJim Jagielski if( xcert == NULL ) {
802*b1cdbd2cSJim Jagielski throw RuntimeException() ;
803*b1cdbd2cSJim Jagielski }
804*b1cdbd2cSJim Jagielski
805*b1cdbd2cSJim Jagielski //CERT_PKIXVerifyCert does not take a db as argument. It will therefore
806*b1cdbd2cSJim Jagielski //internally use CERT_GetDefaultCertDB
807*b1cdbd2cSJim Jagielski //Make sure m_pHandler is the default DB
808*b1cdbd2cSJim Jagielski OSL_ASSERT(m_pHandler == CERT_GetDefaultCertDB());
809*b1cdbd2cSJim Jagielski CERTCertDBHandle * certDb = m_pHandler != NULL ? m_pHandler : CERT_GetDefaultCertDB();
810*b1cdbd2cSJim Jagielski cert = xcert->getNssCert() ;
811*b1cdbd2cSJim Jagielski if( cert != NULL )
812*b1cdbd2cSJim Jagielski {
813*b1cdbd2cSJim Jagielski
814*b1cdbd2cSJim Jagielski //prepare the intermediate certificates
815*b1cdbd2cSJim Jagielski for (sal_Int32 i = 0; i < intermediateCerts.getLength(); i++)
816*b1cdbd2cSJim Jagielski {
817*b1cdbd2cSJim Jagielski Sequence<sal_Int8> der = intermediateCerts[i]->getEncoded();
818*b1cdbd2cSJim Jagielski SECItem item;
819*b1cdbd2cSJim Jagielski item.type = siBuffer;
820*b1cdbd2cSJim Jagielski item.data = (unsigned char*)der.getArray();
821*b1cdbd2cSJim Jagielski item.len = der.getLength();
822*b1cdbd2cSJim Jagielski
823*b1cdbd2cSJim Jagielski CERTCertificate* certTmp = CERT_NewTempCertificate(certDb, &item,
824*b1cdbd2cSJim Jagielski NULL /* nickname */,
825*b1cdbd2cSJim Jagielski PR_FALSE /* isPerm */,
826*b1cdbd2cSJim Jagielski PR_TRUE /* copyDER */);
827*b1cdbd2cSJim Jagielski if (!certTmp)
828*b1cdbd2cSJim Jagielski {
829*b1cdbd2cSJim Jagielski xmlsec_trace("Failed to add a temporary certificate: %s",
830*b1cdbd2cSJim Jagielski OUStringToOString(intermediateCerts[i]->getIssuerName(),
831*b1cdbd2cSJim Jagielski osl_getThreadTextEncoding()).getStr());
832*b1cdbd2cSJim Jagielski
833*b1cdbd2cSJim Jagielski }
834*b1cdbd2cSJim Jagielski else
835*b1cdbd2cSJim Jagielski {
836*b1cdbd2cSJim Jagielski xmlsec_trace("Added temporary certificate: %s",
837*b1cdbd2cSJim Jagielski certTmp->subjectName ? certTmp->subjectName : "");
838*b1cdbd2cSJim Jagielski vecTmpNSSCertificates.push_back(certTmp);
839*b1cdbd2cSJim Jagielski }
840*b1cdbd2cSJim Jagielski }
841*b1cdbd2cSJim Jagielski
842*b1cdbd2cSJim Jagielski
843*b1cdbd2cSJim Jagielski SECStatus status ;
844*b1cdbd2cSJim Jagielski
845*b1cdbd2cSJim Jagielski CERTVerifyLog log;
846*b1cdbd2cSJim Jagielski log.arena = PORT_NewArena(512);
847*b1cdbd2cSJim Jagielski log.head = log.tail = NULL;
848*b1cdbd2cSJim Jagielski log.count = 0;
849*b1cdbd2cSJim Jagielski
850*b1cdbd2cSJim Jagielski CERT_EnableOCSPChecking(certDb);
851*b1cdbd2cSJim Jagielski CERT_DisableOCSPDefaultResponder(certDb);
852*b1cdbd2cSJim Jagielski CERTValOutParam cvout[5];
853*b1cdbd2cSJim Jagielski CERTValInParam cvin[3];
854*b1cdbd2cSJim Jagielski
855*b1cdbd2cSJim Jagielski cvin[0].type = cert_pi_useAIACertFetch;
856*b1cdbd2cSJim Jagielski cvin[0].value.scalar.b = PR_TRUE;
857*b1cdbd2cSJim Jagielski
858*b1cdbd2cSJim Jagielski PRUint64 revFlagsLeaf[2];
859*b1cdbd2cSJim Jagielski PRUint64 revFlagsChain[2];
860*b1cdbd2cSJim Jagielski CERTRevocationFlags rev;
861*b1cdbd2cSJim Jagielski rev.leafTests.number_of_defined_methods = 2;
862*b1cdbd2cSJim Jagielski rev.leafTests.cert_rev_flags_per_method = revFlagsLeaf;
863*b1cdbd2cSJim Jagielski //the flags are defined in cert.h
864*b1cdbd2cSJim Jagielski //We check both leaf and chain.
865*b1cdbd2cSJim Jagielski //It is enough if one revocation method has fresh info,
866*b1cdbd2cSJim Jagielski //but at least one must have some. Otherwise validation fails.
867*b1cdbd2cSJim Jagielski //!!! using leaf test and CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE
868*b1cdbd2cSJim Jagielski // when validating a root certificate will result in "revoked". Usually
869*b1cdbd2cSJim Jagielski //there is no revocation information available for the root cert because
870*b1cdbd2cSJim Jagielski //it must be trusted anyway and it does itself issue revocation information.
871*b1cdbd2cSJim Jagielski //When we use the flag here and OOo shows the certification path then the root
872*b1cdbd2cSJim Jagielski //cert is invalid while all other can be valid. It would probably best if
873*b1cdbd2cSJim Jagielski //this interface method returned the whole chain.
874*b1cdbd2cSJim Jagielski //Otherwise we need to check if the certificate is self-signed and if it is
875*b1cdbd2cSJim Jagielski //then not use the flag when doing the leaf-test.
876*b1cdbd2cSJim Jagielski rev.leafTests.cert_rev_flags_per_method[cert_revocation_method_crl] =
877*b1cdbd2cSJim Jagielski CERT_REV_M_TEST_USING_THIS_METHOD
878*b1cdbd2cSJim Jagielski | CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE;
879*b1cdbd2cSJim Jagielski rev.leafTests.cert_rev_flags_per_method[cert_revocation_method_ocsp] =
880*b1cdbd2cSJim Jagielski CERT_REV_M_TEST_USING_THIS_METHOD
881*b1cdbd2cSJim Jagielski | CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE;
882*b1cdbd2cSJim Jagielski rev.leafTests.number_of_preferred_methods = 0;
883*b1cdbd2cSJim Jagielski rev.leafTests.preferred_methods = NULL;
884*b1cdbd2cSJim Jagielski rev.leafTests.cert_rev_method_independent_flags =
885*b1cdbd2cSJim Jagielski CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST;
886*b1cdbd2cSJim Jagielski // | CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE;
887*b1cdbd2cSJim Jagielski
888*b1cdbd2cSJim Jagielski rev.chainTests.number_of_defined_methods = 2;
889*b1cdbd2cSJim Jagielski rev.chainTests.cert_rev_flags_per_method = revFlagsChain;
890*b1cdbd2cSJim Jagielski rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_crl] =
891*b1cdbd2cSJim Jagielski CERT_REV_M_TEST_USING_THIS_METHOD
892*b1cdbd2cSJim Jagielski | CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE;
893*b1cdbd2cSJim Jagielski rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_ocsp] =
894*b1cdbd2cSJim Jagielski CERT_REV_M_TEST_USING_THIS_METHOD
895*b1cdbd2cSJim Jagielski | CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE;
896*b1cdbd2cSJim Jagielski rev.chainTests.number_of_preferred_methods = 0;
897*b1cdbd2cSJim Jagielski rev.chainTests.preferred_methods = NULL;
898*b1cdbd2cSJim Jagielski rev.chainTests.cert_rev_method_independent_flags =
899*b1cdbd2cSJim Jagielski CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST;
900*b1cdbd2cSJim Jagielski // | CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE;
901*b1cdbd2cSJim Jagielski
902*b1cdbd2cSJim Jagielski
903*b1cdbd2cSJim Jagielski cvin[1].type = cert_pi_revocationFlags;
904*b1cdbd2cSJim Jagielski cvin[1].value.pointer.revocation = &rev;
905*b1cdbd2cSJim Jagielski // does not work, not implemented yet in 3.12.4
906*b1cdbd2cSJim Jagielski // cvin[2].type = cert_pi_keyusage;
907*b1cdbd2cSJim Jagielski // cvin[2].value.scalar.ui = KU_DIGITAL_SIGNATURE;
908*b1cdbd2cSJim Jagielski cvin[2].type = cert_pi_end;
909*b1cdbd2cSJim Jagielski
910*b1cdbd2cSJim Jagielski cvout[0].type = cert_po_trustAnchor;
911*b1cdbd2cSJim Jagielski cvout[0].value.pointer.cert = NULL;
912*b1cdbd2cSJim Jagielski cvout[1].type = cert_po_errorLog;
913*b1cdbd2cSJim Jagielski cvout[1].value.pointer.log = &log;
914*b1cdbd2cSJim Jagielski cvout[2].type = cert_po_end;
915*b1cdbd2cSJim Jagielski
916*b1cdbd2cSJim Jagielski // We check SSL server certificates, CA certificates and signing sertificates.
917*b1cdbd2cSJim Jagielski //
918*b1cdbd2cSJim Jagielski // ToDo check keyusage, looking at CERT_KeyUsageAndTypeForCertUsage (
919*b1cdbd2cSJim Jagielski // mozilla/security/nss/lib/certdb/certdb.c indicates that
920*b1cdbd2cSJim Jagielski // certificateUsageSSLClient, certificateUsageSSLServer and certificateUsageSSLCA
921*b1cdbd2cSJim Jagielski // are sufficient. They cover the key usages for digital signature, key agreement
922*b1cdbd2cSJim Jagielski // and encipherment and certificate signature
923*b1cdbd2cSJim Jagielski
924*b1cdbd2cSJim Jagielski //never use the following usages because they are not checked properly
925*b1cdbd2cSJim Jagielski // certificateUsageUserCertImport
926*b1cdbd2cSJim Jagielski // certificateUsageVerifyCA
927*b1cdbd2cSJim Jagielski // certificateUsageAnyCA
928*b1cdbd2cSJim Jagielski // certificateUsageProtectedObjectSigner
929*b1cdbd2cSJim Jagielski
930*b1cdbd2cSJim Jagielski UsageDescription arUsages[5];
931*b1cdbd2cSJim Jagielski arUsages[0] = UsageDescription( certificateUsageSSLClient, "certificateUsageSSLClient" );
932*b1cdbd2cSJim Jagielski arUsages[1] = UsageDescription( certificateUsageSSLServer, "certificateUsageSSLServer" );
933*b1cdbd2cSJim Jagielski arUsages[2] = UsageDescription( certificateUsageSSLCA, "certificateUsageSSLCA" );
934*b1cdbd2cSJim Jagielski arUsages[3] = UsageDescription( certificateUsageEmailSigner, "certificateUsageEmailSigner" );
935*b1cdbd2cSJim Jagielski arUsages[4] = UsageDescription( certificateUsageEmailRecipient, "certificateUsageEmailRecipient" );
936*b1cdbd2cSJim Jagielski
937*b1cdbd2cSJim Jagielski int numUsages = sizeof(arUsages) / sizeof(UsageDescription);
938*b1cdbd2cSJim Jagielski for (int i = 0; i < numUsages; i++)
939*b1cdbd2cSJim Jagielski {
940*b1cdbd2cSJim Jagielski xmlsec_trace("Testing usage %d of %d: %s (0x%x)", i + 1,
941*b1cdbd2cSJim Jagielski numUsages, arUsages[i].description, (int) arUsages[i].usage);
942*b1cdbd2cSJim Jagielski
943*b1cdbd2cSJim Jagielski status = CERT_PKIXVerifyCert(const_cast<CERTCertificate *>(cert), arUsages[i].usage,
944*b1cdbd2cSJim Jagielski cvin, cvout, NULL);
945*b1cdbd2cSJim Jagielski if( status == SECSuccess )
946*b1cdbd2cSJim Jagielski {
947*b1cdbd2cSJim Jagielski xmlsec_trace("CERT_PKIXVerifyCert returned SECSuccess.");
948*b1cdbd2cSJim Jagielski //When an intermediate or root certificate is checked then we expect the usage
949*b1cdbd2cSJim Jagielski //certificateUsageSSLCA. This, however, will be only set when in the trust settings dialog
950*b1cdbd2cSJim Jagielski //the button "This certificate can identify websites" is checked. If for example only
951*b1cdbd2cSJim Jagielski //"This certificate can identify mail users" is set then the end certificate can
952*b1cdbd2cSJim Jagielski //be validated and the returned usage will conain certificateUsageEmailRecipient.
953*b1cdbd2cSJim Jagielski //But checking directly the root or intermediate certificate will fail. In the
954*b1cdbd2cSJim Jagielski //certificate path view the end certificate will be shown as valid but the others
955*b1cdbd2cSJim Jagielski //will be displayed as invalid.
956*b1cdbd2cSJim Jagielski
957*b1cdbd2cSJim Jagielski validity = csss::CertificateValidity::VALID;
958*b1cdbd2cSJim Jagielski xmlsec_trace("Certificate is valid.\n");
959*b1cdbd2cSJim Jagielski CERTCertificate * issuerCert = cvout[0].value.pointer.cert;
960*b1cdbd2cSJim Jagielski if (issuerCert)
961*b1cdbd2cSJim Jagielski {
962*b1cdbd2cSJim Jagielski xmlsec_trace("Root certificate: %s", issuerCert->subjectName);
963*b1cdbd2cSJim Jagielski CERT_DestroyCertificate(issuerCert);
964*b1cdbd2cSJim Jagielski };
965*b1cdbd2cSJim Jagielski
966*b1cdbd2cSJim Jagielski break;
967*b1cdbd2cSJim Jagielski }
968*b1cdbd2cSJim Jagielski else
969*b1cdbd2cSJim Jagielski {
970*b1cdbd2cSJim Jagielski PRIntn err = PR_GetError();
971*b1cdbd2cSJim Jagielski xmlsec_trace("Error: , %d = %s", err, getCertError(err));
972*b1cdbd2cSJim Jagielski
973*b1cdbd2cSJim Jagielski /* Display validation results */
974*b1cdbd2cSJim Jagielski if ( log.count > 0)
975*b1cdbd2cSJim Jagielski {
976*b1cdbd2cSJim Jagielski CERTVerifyLogNode *node = NULL;
977*b1cdbd2cSJim Jagielski printChainFailure(&log);
978*b1cdbd2cSJim Jagielski
979*b1cdbd2cSJim Jagielski for (node = log.head; node; node = node->next) {
980*b1cdbd2cSJim Jagielski if (node->cert)
981*b1cdbd2cSJim Jagielski CERT_DestroyCertificate(node->cert);
982*b1cdbd2cSJim Jagielski }
983*b1cdbd2cSJim Jagielski log.head = log.tail = NULL;
984*b1cdbd2cSJim Jagielski log.count = 0;
985*b1cdbd2cSJim Jagielski }
986*b1cdbd2cSJim Jagielski xmlsec_trace("Certificate is invalid.\n");
987*b1cdbd2cSJim Jagielski }
988*b1cdbd2cSJim Jagielski }
989*b1cdbd2cSJim Jagielski
990*b1cdbd2cSJim Jagielski }
991*b1cdbd2cSJim Jagielski else
992*b1cdbd2cSJim Jagielski {
993*b1cdbd2cSJim Jagielski validity = ::com::sun::star::security::CertificateValidity::INVALID ;
994*b1cdbd2cSJim Jagielski }
995*b1cdbd2cSJim Jagielski
996*b1cdbd2cSJim Jagielski //Destroying the temporary certificates
997*b1cdbd2cSJim Jagielski std::vector<CERTCertificate*>::const_iterator cert_i;
998*b1cdbd2cSJim Jagielski for (cert_i = vecTmpNSSCertificates.begin(); cert_i != vecTmpNSSCertificates.end(); cert_i++)
999*b1cdbd2cSJim Jagielski {
1000*b1cdbd2cSJim Jagielski xmlsec_trace("Destroying temporary certificate");
1001*b1cdbd2cSJim Jagielski CERT_DestroyCertificate(*cert_i);
1002*b1cdbd2cSJim Jagielski }
1003*b1cdbd2cSJim Jagielski return validity ;
1004*b1cdbd2cSJim Jagielski }
1005*b1cdbd2cSJim Jagielski
getCertificateCharacters(const::com::sun::star::uno::Reference<::com::sun::star::security::XCertificate> & aCert)1006*b1cdbd2cSJim Jagielski sal_Int32 SecurityEnvironment_NssImpl::getCertificateCharacters(
1007*b1cdbd2cSJim Jagielski const ::com::sun::star::uno::Reference< ::com::sun::star::security::XCertificate >& aCert ) throw( ::com::sun::star::uno::SecurityException, ::com::sun::star::uno::RuntimeException ) {
1008*b1cdbd2cSJim Jagielski sal_Int32 characters ;
1009*b1cdbd2cSJim Jagielski const X509Certificate_NssImpl* xcert ;
1010*b1cdbd2cSJim Jagielski const CERTCertificate* cert ;
1011*b1cdbd2cSJim Jagielski
1012*b1cdbd2cSJim Jagielski Reference< XUnoTunnel > xCertTunnel( aCert, UNO_QUERY ) ;
1013*b1cdbd2cSJim Jagielski if( !xCertTunnel.is() ) {
1014*b1cdbd2cSJim Jagielski throw RuntimeException() ;
1015*b1cdbd2cSJim Jagielski }
1016*b1cdbd2cSJim Jagielski
1017*b1cdbd2cSJim Jagielski xcert = reinterpret_cast<X509Certificate_NssImpl*>(
1018*b1cdbd2cSJim Jagielski sal::static_int_cast<sal_uIntPtr>(xCertTunnel->getSomething( X509Certificate_NssImpl::getUnoTunnelId() ))) ;
1019*b1cdbd2cSJim Jagielski if( xcert == NULL ) {
1020*b1cdbd2cSJim Jagielski throw RuntimeException() ;
1021*b1cdbd2cSJim Jagielski }
1022*b1cdbd2cSJim Jagielski
1023*b1cdbd2cSJim Jagielski cert = xcert->getNssCert() ;
1024*b1cdbd2cSJim Jagielski
1025*b1cdbd2cSJim Jagielski characters = 0x00000000 ;
1026*b1cdbd2cSJim Jagielski
1027*b1cdbd2cSJim Jagielski //Firstly, find out whether or not the cert is self-signed.
1028*b1cdbd2cSJim Jagielski if( SECITEM_CompareItem( &(cert->derIssuer), &(cert->derSubject) ) == SECEqual ) {
1029*b1cdbd2cSJim Jagielski characters |= ::com::sun::star::security::CertificateCharacters::SELF_SIGNED ;
1030*b1cdbd2cSJim Jagielski } else {
1031*b1cdbd2cSJim Jagielski characters &= ~ ::com::sun::star::security::CertificateCharacters::SELF_SIGNED ;
1032*b1cdbd2cSJim Jagielski }
1033*b1cdbd2cSJim Jagielski
1034*b1cdbd2cSJim Jagielski //Secondly, find out whether or not the cert has a private key.
1035*b1cdbd2cSJim Jagielski
1036*b1cdbd2cSJim Jagielski /*
1037*b1cdbd2cSJim Jagielski * i40394
1038*b1cdbd2cSJim Jagielski *
1039*b1cdbd2cSJim Jagielski * mmi : need to check whether the cert's slot is valid first
1040*b1cdbd2cSJim Jagielski */
1041*b1cdbd2cSJim Jagielski SECKEYPrivateKey* priKey = NULL;
1042*b1cdbd2cSJim Jagielski
1043*b1cdbd2cSJim Jagielski if (cert->slot != NULL)
1044*b1cdbd2cSJim Jagielski {
1045*b1cdbd2cSJim Jagielski priKey = PK11_FindPrivateKeyFromCert( cert->slot, ( CERTCertificate* )cert, NULL ) ;
1046*b1cdbd2cSJim Jagielski }
1047*b1cdbd2cSJim Jagielski if(priKey == NULL)
1048*b1cdbd2cSJim Jagielski {
1049*b1cdbd2cSJim Jagielski for (CIT_SLOTS is = m_Slots.begin(); is != m_Slots.end(); is++)
1050*b1cdbd2cSJim Jagielski {
1051*b1cdbd2cSJim Jagielski priKey = PK11_FindPrivateKeyFromCert(*is, (CERTCertificate*)cert, NULL);
1052*b1cdbd2cSJim Jagielski if (priKey)
1053*b1cdbd2cSJim Jagielski break;
1054*b1cdbd2cSJim Jagielski }
1055*b1cdbd2cSJim Jagielski }
1056*b1cdbd2cSJim Jagielski if( priKey != NULL ) {
1057*b1cdbd2cSJim Jagielski characters |= ::com::sun::star::security::CertificateCharacters::HAS_PRIVATE_KEY ;
1058*b1cdbd2cSJim Jagielski
1059*b1cdbd2cSJim Jagielski SECKEY_DestroyPrivateKey( priKey ) ;
1060*b1cdbd2cSJim Jagielski } else {
1061*b1cdbd2cSJim Jagielski characters &= ~ ::com::sun::star::security::CertificateCharacters::HAS_PRIVATE_KEY ;
1062*b1cdbd2cSJim Jagielski }
1063*b1cdbd2cSJim Jagielski
1064*b1cdbd2cSJim Jagielski return characters ;
1065*b1cdbd2cSJim Jagielski }
1066*b1cdbd2cSJim Jagielski
NssCertToXCert(CERTCertificate * cert)1067*b1cdbd2cSJim Jagielski X509Certificate_NssImpl* NssCertToXCert( CERTCertificate* cert )
1068*b1cdbd2cSJim Jagielski {
1069*b1cdbd2cSJim Jagielski X509Certificate_NssImpl* xcert ;
1070*b1cdbd2cSJim Jagielski
1071*b1cdbd2cSJim Jagielski if( cert != NULL ) {
1072*b1cdbd2cSJim Jagielski xcert = new X509Certificate_NssImpl() ;
1073*b1cdbd2cSJim Jagielski if( xcert == NULL ) {
1074*b1cdbd2cSJim Jagielski xcert = NULL ;
1075*b1cdbd2cSJim Jagielski } else {
1076*b1cdbd2cSJim Jagielski xcert->setCert( cert ) ;
1077*b1cdbd2cSJim Jagielski }
1078*b1cdbd2cSJim Jagielski } else {
1079*b1cdbd2cSJim Jagielski xcert = NULL ;
1080*b1cdbd2cSJim Jagielski }
1081*b1cdbd2cSJim Jagielski
1082*b1cdbd2cSJim Jagielski return xcert ;
1083*b1cdbd2cSJim Jagielski }
1084*b1cdbd2cSJim Jagielski
NssPrivKeyToXCert(SECKEYPrivateKey * priKey)1085*b1cdbd2cSJim Jagielski X509Certificate_NssImpl* NssPrivKeyToXCert( SECKEYPrivateKey* priKey )
1086*b1cdbd2cSJim Jagielski {
1087*b1cdbd2cSJim Jagielski CERTCertificate* cert ;
1088*b1cdbd2cSJim Jagielski X509Certificate_NssImpl* xcert ;
1089*b1cdbd2cSJim Jagielski
1090*b1cdbd2cSJim Jagielski if( priKey != NULL ) {
1091*b1cdbd2cSJim Jagielski cert = PK11_GetCertFromPrivateKey( priKey ) ;
1092*b1cdbd2cSJim Jagielski
1093*b1cdbd2cSJim Jagielski if( cert != NULL ) {
1094*b1cdbd2cSJim Jagielski xcert = NssCertToXCert( cert ) ;
1095*b1cdbd2cSJim Jagielski } else {
1096*b1cdbd2cSJim Jagielski xcert = NULL ;
1097*b1cdbd2cSJim Jagielski }
1098*b1cdbd2cSJim Jagielski
1099*b1cdbd2cSJim Jagielski CERT_DestroyCertificate( cert ) ;
1100*b1cdbd2cSJim Jagielski } else {
1101*b1cdbd2cSJim Jagielski xcert = NULL ;
1102*b1cdbd2cSJim Jagielski }
1103*b1cdbd2cSJim Jagielski
1104*b1cdbd2cSJim Jagielski return xcert ;
1105*b1cdbd2cSJim Jagielski }
1106*b1cdbd2cSJim Jagielski
1107*b1cdbd2cSJim Jagielski
1108*b1cdbd2cSJim Jagielski /* Native methods */
createKeysManager()1109*b1cdbd2cSJim Jagielski xmlSecKeysMngrPtr SecurityEnvironment_NssImpl::createKeysManager() throw( Exception, RuntimeException ) {
1110*b1cdbd2cSJim Jagielski
1111*b1cdbd2cSJim Jagielski unsigned int i ;
1112*b1cdbd2cSJim Jagielski CERTCertDBHandle* handler = NULL ;
1113*b1cdbd2cSJim Jagielski PK11SymKey* symKey = NULL ;
1114*b1cdbd2cSJim Jagielski SECKEYPublicKey* pubKey = NULL ;
1115*b1cdbd2cSJim Jagielski SECKEYPrivateKey* priKey = NULL ;
1116*b1cdbd2cSJim Jagielski xmlSecKeysMngrPtr pKeysMngr = NULL ;
1117*b1cdbd2cSJim Jagielski
1118*b1cdbd2cSJim Jagielski handler = this->getCertDb() ;
1119*b1cdbd2cSJim Jagielski
1120*b1cdbd2cSJim Jagielski /*-
1121*b1cdbd2cSJim Jagielski * The following lines is based on the private version of xmlSec-NSS
1122*b1cdbd2cSJim Jagielski * crypto engine
1123*b1cdbd2cSJim Jagielski */
1124*b1cdbd2cSJim Jagielski int cSlots = m_Slots.size();
1125*b1cdbd2cSJim Jagielski boost::scoped_array<PK11SlotInfo*> sarSlots(new PK11SlotInfo*[cSlots]);
1126*b1cdbd2cSJim Jagielski PK11SlotInfo** slots = sarSlots.get();
1127*b1cdbd2cSJim Jagielski int count = 0;
1128*b1cdbd2cSJim Jagielski for (CIT_SLOTS islots = m_Slots.begin();islots != m_Slots.end(); islots++, count++)
1129*b1cdbd2cSJim Jagielski slots[count] = *islots;
1130*b1cdbd2cSJim Jagielski
1131*b1cdbd2cSJim Jagielski pKeysMngr = xmlSecNssAppliedKeysMngrCreate(slots, cSlots, handler ) ;
1132*b1cdbd2cSJim Jagielski if( pKeysMngr == NULL )
1133*b1cdbd2cSJim Jagielski throw RuntimeException() ;
1134*b1cdbd2cSJim Jagielski
1135*b1cdbd2cSJim Jagielski /*-
1136*b1cdbd2cSJim Jagielski * Adopt symmetric key into keys manager
1137*b1cdbd2cSJim Jagielski */
1138*b1cdbd2cSJim Jagielski for( i = 0 ; ( symKey = this->getSymKey( i ) ) != NULL ; i ++ ) {
1139*b1cdbd2cSJim Jagielski if( xmlSecNssAppliedKeysMngrSymKeyLoad( pKeysMngr, symKey ) < 0 ) {
1140*b1cdbd2cSJim Jagielski throw RuntimeException() ;
1141*b1cdbd2cSJim Jagielski }
1142*b1cdbd2cSJim Jagielski }
1143*b1cdbd2cSJim Jagielski
1144*b1cdbd2cSJim Jagielski /*-
1145*b1cdbd2cSJim Jagielski * Adopt asymmetric public key into keys manager
1146*b1cdbd2cSJim Jagielski */
1147*b1cdbd2cSJim Jagielski for( i = 0 ; ( pubKey = this->getPubKey( i ) ) != NULL ; i ++ ) {
1148*b1cdbd2cSJim Jagielski if( xmlSecNssAppliedKeysMngrPubKeyLoad( pKeysMngr, pubKey ) < 0 ) {
1149*b1cdbd2cSJim Jagielski throw RuntimeException() ;
1150*b1cdbd2cSJim Jagielski }
1151*b1cdbd2cSJim Jagielski }
1152*b1cdbd2cSJim Jagielski
1153*b1cdbd2cSJim Jagielski /*-
1154*b1cdbd2cSJim Jagielski * Adopt asymmetric private key into keys manager
1155*b1cdbd2cSJim Jagielski */
1156*b1cdbd2cSJim Jagielski for( i = 0 ; ( priKey = this->getPriKey( i ) ) != NULL ; i ++ ) {
1157*b1cdbd2cSJim Jagielski if( xmlSecNssAppliedKeysMngrPriKeyLoad( pKeysMngr, priKey ) < 0 ) {
1158*b1cdbd2cSJim Jagielski throw RuntimeException() ;
1159*b1cdbd2cSJim Jagielski }
1160*b1cdbd2cSJim Jagielski }
1161*b1cdbd2cSJim Jagielski return pKeysMngr ;
1162*b1cdbd2cSJim Jagielski }
destroyKeysManager(xmlSecKeysMngrPtr pKeysMngr)1163*b1cdbd2cSJim Jagielski void SecurityEnvironment_NssImpl::destroyKeysManager(xmlSecKeysMngrPtr pKeysMngr) throw( Exception, RuntimeException ) {
1164*b1cdbd2cSJim Jagielski if( pKeysMngr != NULL ) {
1165*b1cdbd2cSJim Jagielski xmlSecKeysMngrDestroy( pKeysMngr ) ;
1166*b1cdbd2cSJim Jagielski }
1167*b1cdbd2cSJim Jagielski }
1168