summaryrefslogtreecommitdiff
path: root/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx
diff options
context:
space:
mode:
authorMichael Stahl <mstahl@redhat.com>2012-01-28 20:52:45 +0100
committerMichael Stahl <mstahl@redhat.com>2012-01-28 20:52:45 +0100
commit2e626373db2412ac22e8c5c27a60d11cd29e875b (patch)
tree9e9f67205cd5b72f1031721273e1534a3a1e5b0f /xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx
parentf7ee7bbd5174b084f018c2ec94d8c70c98ee04da (diff)
replace obsolete "master" branch with README that points at new repoHEADmaster-deletedmaster
Diffstat (limited to 'xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx')
-rw-r--r--xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx1129
1 files changed, 0 insertions, 1129 deletions
diff --git a/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx b/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx
deleted file mode 100644
index 9928d5941..000000000
--- a/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx
+++ /dev/null
@@ -1,1129 +0,0 @@
-/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
-/*************************************************************************
- *
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * Copyright 2000, 2010 Oracle and/or its affiliates.
- *
- * OpenOffice.org - a multi-platform office productivity suite
- *
- * This file is part of OpenOffice.org.
- *
- * OpenOffice.org is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Lesser General Public License version 3
- * only, as published by the Free Software Foundation.
- *
- * OpenOffice.org is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU Lesser General Public License version 3 for more details
- * (a copy is included in the LICENSE file that accompanied this code).
- *
- * You should have received a copy of the GNU Lesser General Public License
- * version 3 along with OpenOffice.org. If not, see
- * <http://www.openoffice.org/license.html>
- * for a copy of the LGPLv3 License.
- *
- ************************************************************************/
-
-
-// MARKER(update_precomp.py): autogen include statement, do not remove
-#include "precompiled_xmlsecurity.hxx"
-
-//todo before commit: nssrenam.h is not delivered!!!
-#include "nssrenam.h"
-#include "cert.h"
-#include "secerr.h"
-#include "ocsp.h"
-
-#include <sal/config.h>
-#include <sal/macros.h>
-#include "securityenvironment_nssimpl.hxx"
-#include "x509certificate_nssimpl.hxx"
-#include <comphelper/servicehelper.hxx>
-#include "../diagnose.hxx"
-
-#include <sal/types.h>
-//For reasons that escape me, this is what xmlsec does when size_t is not 4
-#if SAL_TYPES_SIZEOFPOINTER != 4
-# define XMLSEC_NO_SIZE_T
-#endif
-#include <xmlsec/xmlsec.h>
-#include <xmlsec/keysmngr.h>
-#include <xmlsec/crypto.h>
-#include <xmlsec/base64.h>
-#include <xmlsec/strings.h>
-
-#include <tools/string.hxx>
-#include <rtl/ustrbuf.hxx>
-#include <comphelper/processfactory.hxx>
-#include <cppuhelper/servicefactory.hxx>
-#include <comphelper/docpasswordrequest.hxx>
-#include <xmlsecurity/biginteger.hxx>
-#include <rtl/logfile.h>
-#include <com/sun/star/task/XInteractionHandler.hpp>
-#include <vector>
-#include "boost/scoped_array.hpp"
-
-#include "secerror.hxx"
-
-// added for password exception
-#include <com/sun/star/security/NoPasswordException.hpp>
-namespace csss = ::com::sun::star::security;
-using namespace xmlsecurity;
-using namespace ::com::sun::star::security;
-using namespace com::sun::star;
-using namespace ::com::sun::star::uno ;
-using namespace ::com::sun::star::lang ;
-using ::com::sun::star::lang::XMultiServiceFactory ;
-using ::com::sun::star::lang::XSingleServiceFactory ;
-using ::rtl::OUString ;
-
-using ::com::sun::star::xml::crypto::XSecurityEnvironment ;
-using ::com::sun::star::security::XCertificate ;
-
-extern X509Certificate_NssImpl* NssCertToXCert( CERTCertificate* cert ) ;
-extern X509Certificate_NssImpl* NssPrivKeyToXCert( SECKEYPrivateKey* ) ;
-
-
-struct UsageDescription
-{
- SECCertificateUsage usage;
- char const* description;
-
- UsageDescription()
- : usage( certificateUsageCheckAllUsages )
- , description( NULL )
- {}
-
- UsageDescription( SECCertificateUsage i_usage, char const* i_description )
- : usage( i_usage )
- , description( i_description )
- {}
-
- UsageDescription( const UsageDescription& aDescription )
- : usage( aDescription.usage )
- , description( aDescription.description )
- {}
-
- UsageDescription& operator =( const UsageDescription& aDescription )
- {
- usage = aDescription.usage;
- description = aDescription.description;
- return *this;
- }
-};
-
-
-
-char* GetPasswordFunction( PK11SlotInfo* pSlot, PRBool bRetry, void* /*arg*/ )
-{
- uno::Reference< lang::XMultiServiceFactory > xMSF( ::comphelper::getProcessServiceFactory() );
- if ( xMSF.is() )
- {
- uno::Reference < task::XInteractionHandler > xInteractionHandler(
- xMSF->createInstance( rtl::OUString(RTL_CONSTASCII_USTRINGPARAM("com.sun.star.task.InteractionHandler")) ), uno::UNO_QUERY );
-
- if ( xInteractionHandler.is() )
- {
- task::PasswordRequestMode eMode = bRetry ? task::PasswordRequestMode_PASSWORD_REENTER : task::PasswordRequestMode_PASSWORD_ENTER;
- ::comphelper::DocPasswordRequest* pPasswordRequest = new ::comphelper::DocPasswordRequest(
- ::comphelper::DocPasswordRequestType_STANDARD, eMode, ::rtl::OUString::createFromAscii(PK11_GetTokenName(pSlot)) );
-
- uno::Reference< task::XInteractionRequest > xRequest( pPasswordRequest );
- xInteractionHandler->handle( xRequest );
-
- if ( pPasswordRequest->isPassword() )
- {
- ByteString aPassword = ByteString( String( pPasswordRequest->getPassword() ), gsl_getSystemTextEncoding() );
- sal_uInt16 nLen = aPassword.Len();
- char* pPassword = (char*) PORT_Alloc( nLen+1 ) ;
- pPassword[nLen] = 0;
- memcpy( pPassword, aPassword.GetBuffer(), nLen );
- return pPassword;
- }
- }
- }
- return NULL;
-}
-
-SecurityEnvironment_NssImpl :: SecurityEnvironment_NssImpl( const Reference< XMultiServiceFactory >& ) :
-m_pHandler( NULL ) , m_tSymKeyList() , m_tPubKeyList() , m_tPriKeyList() {
-
- PK11_SetPasswordFunc( GetPasswordFunction ) ;
-}
-
-SecurityEnvironment_NssImpl :: ~SecurityEnvironment_NssImpl() {
-
- PK11_SetPasswordFunc( NULL ) ;
-
- for (CIT_SLOTS i = m_Slots.begin(); i != m_Slots.end(); i++)
- {
- PK11_FreeSlot(*i);
- }
-
- if( !m_tSymKeyList.empty() ) {
- std::list< PK11SymKey* >::iterator symKeyIt ;
-
- for( symKeyIt = m_tSymKeyList.begin() ; symKeyIt != m_tSymKeyList.end() ; ++symKeyIt )
- PK11_FreeSymKey( *symKeyIt ) ;
- }
-
- if( !m_tPubKeyList.empty() ) {
- std::list< SECKEYPublicKey* >::iterator pubKeyIt ;
-
- for( pubKeyIt = m_tPubKeyList.begin() ; pubKeyIt != m_tPubKeyList.end() ; ++pubKeyIt )
- SECKEY_DestroyPublicKey( *pubKeyIt ) ;
- }
-
- if( !m_tPriKeyList.empty() ) {
- std::list< SECKEYPrivateKey* >::iterator priKeyIt ;
-
- for( priKeyIt = m_tPriKeyList.begin() ; priKeyIt != m_tPriKeyList.end() ; ++priKeyIt )
- SECKEY_DestroyPrivateKey( *priKeyIt ) ;
- }
-}
-
-/* XInitialization */
-void SAL_CALL SecurityEnvironment_NssImpl :: initialize( const Sequence< Any >& ) throw( Exception, RuntimeException ) {
- // TBD
-} ;
-
-/* XServiceInfo */
-OUString SAL_CALL SecurityEnvironment_NssImpl :: getImplementationName() throw( RuntimeException ) {
- return impl_getImplementationName() ;
-}
-
-/* XServiceInfo */
-sal_Bool SAL_CALL SecurityEnvironment_NssImpl :: supportsService( const OUString& serviceName) throw( RuntimeException ) {
- Sequence< OUString > seqServiceNames = getSupportedServiceNames() ;
- const OUString* pArray = seqServiceNames.getConstArray() ;
- for( sal_Int32 i = 0 ; i < seqServiceNames.getLength() ; i ++ ) {
- if( *( pArray + i ) == serviceName )
- return sal_True ;
- }
- return sal_False ;
-}
-
-/* XServiceInfo */
-Sequence< OUString > SAL_CALL SecurityEnvironment_NssImpl :: getSupportedServiceNames() throw( RuntimeException ) {
- return impl_getSupportedServiceNames() ;
-}
-
-//Helper for XServiceInfo
-Sequence< OUString > SecurityEnvironment_NssImpl :: impl_getSupportedServiceNames() {
- ::osl::Guard< ::osl::Mutex > aGuard( ::osl::Mutex::getGlobalMutex() ) ;
- Sequence< OUString > seqServiceNames( 1 ) ;
- seqServiceNames.getArray()[0] = OUString(RTL_CONSTASCII_USTRINGPARAM("com.sun.star.xml.crypto.SecurityEnvironment")) ;
- return seqServiceNames ;
-}
-
-OUString SecurityEnvironment_NssImpl :: impl_getImplementationName() throw( RuntimeException ) {
- return OUString(RTL_CONSTASCII_USTRINGPARAM("com.sun.star.xml.security.bridge.xmlsec.SecurityEnvironment_NssImpl")) ;
-}
-
-//Helper for registry
-Reference< XInterface > SAL_CALL SecurityEnvironment_NssImpl :: impl_createInstance( const Reference< XMultiServiceFactory >& aServiceManager ) throw( RuntimeException ) {
- return Reference< XInterface >( *new SecurityEnvironment_NssImpl( aServiceManager ) ) ;
-}
-
-Reference< XSingleServiceFactory > SecurityEnvironment_NssImpl :: impl_createFactory( const Reference< XMultiServiceFactory >& aServiceManager ) {
- return ::cppu::createSingleFactory( aServiceManager , impl_getImplementationName() , impl_createInstance , impl_getSupportedServiceNames() ) ;
-}
-
-/* XUnoTunnel */
-sal_Int64 SAL_CALL SecurityEnvironment_NssImpl :: getSomething( const Sequence< sal_Int8 >& aIdentifier )
- throw( RuntimeException )
-{
- if( aIdentifier.getLength() == 16 && 0 == rtl_compareMemory( getUnoTunnelId().getConstArray(), aIdentifier.getConstArray(), 16 ) ) {
- return sal::static_int_cast<sal_Int64>(reinterpret_cast<sal_uIntPtr>(this));
- }
- return 0 ;
-}
-
-/* XUnoTunnel extension */
-
-namespace
-{
- class theSecurityEnvironment_NssImplUnoTunnelId : public rtl::Static< UnoTunnelIdInit, theSecurityEnvironment_NssImplUnoTunnelId > {};
-}
-
-const Sequence< sal_Int8>& SecurityEnvironment_NssImpl :: getUnoTunnelId() {
- return theSecurityEnvironment_NssImplUnoTunnelId::get().getSeq();
-}
-
-/* XUnoTunnel extension */
-SecurityEnvironment_NssImpl* SecurityEnvironment_NssImpl :: getImplementation( const Reference< XInterface > xObj ) {
- Reference< XUnoTunnel > xUT( xObj , UNO_QUERY ) ;
- if( xUT.is() ) {
- return reinterpret_cast<SecurityEnvironment_NssImpl*>(
- sal::static_int_cast<sal_uIntPtr>(xUT->getSomething( getUnoTunnelId() ))) ;
- } else
- return NULL ;
-}
-
-
-::rtl::OUString SecurityEnvironment_NssImpl::getSecurityEnvironmentInformation() throw( ::com::sun::star::uno::RuntimeException )
-{
- rtl::OUString result;
- ::rtl::OUStringBuffer buff;
- for (CIT_SLOTS is = m_Slots.begin(); is != m_Slots.end(); is++)
- {
- buff.append(rtl::OUString::createFromAscii(PK11_GetTokenName(*is)));
- buff.appendAscii("\n");
- }
- return buff.makeStringAndClear();
-}
-
-void SecurityEnvironment_NssImpl::addCryptoSlot( PK11SlotInfo* aSlot) throw( Exception , RuntimeException )
-{
- PK11_ReferenceSlot(aSlot);
- m_Slots.push_back(aSlot);
-}
-
-CERTCertDBHandle* SecurityEnvironment_NssImpl :: getCertDb() throw( Exception , RuntimeException ) {
- return m_pHandler ;
-}
-
-//Could we have multiple cert dbs?
-void SecurityEnvironment_NssImpl :: setCertDb( CERTCertDBHandle* aCertDb ) throw( Exception , RuntimeException ) {
- m_pHandler = aCertDb ;
-}
-
-void SecurityEnvironment_NssImpl :: adoptSymKey( PK11SymKey* aSymKey ) throw( Exception , RuntimeException ) {
- PK11SymKey* symkey ;
- std::list< PK11SymKey* >::iterator keyIt ;
-
- if( aSymKey != NULL ) {
- //First try to find the key in the list
- for( keyIt = m_tSymKeyList.begin() ; keyIt != m_tSymKeyList.end() ; ++keyIt ) {
- if( *keyIt == aSymKey )
- return ;
- }
-
- //If we do not find the key in the list, add a new node
- symkey = PK11_ReferenceSymKey( aSymKey ) ;
- if( symkey == NULL )
- throw RuntimeException() ;
-
- try {
- m_tSymKeyList.push_back( symkey ) ;
- } catch ( Exception& ) {
- PK11_FreeSymKey( symkey ) ;
- }
- }
-}
-
-void SecurityEnvironment_NssImpl :: rejectSymKey( PK11SymKey* aSymKey ) throw( Exception , RuntimeException ) {
- PK11SymKey* symkey ;
- std::list< PK11SymKey* >::iterator keyIt ;
-
- if( aSymKey != NULL ) {
- for( keyIt = m_tSymKeyList.begin() ; keyIt != m_tSymKeyList.end() ; ++keyIt ) {
- if( *keyIt == aSymKey ) {
- symkey = *keyIt ;
- PK11_FreeSymKey( symkey ) ;
- m_tSymKeyList.erase( keyIt ) ;
- break ;
- }
- }
- }
-}
-
-PK11SymKey* SecurityEnvironment_NssImpl :: getSymKey( unsigned int position ) throw( Exception , RuntimeException ) {
- PK11SymKey* symkey ;
- std::list< PK11SymKey* >::iterator keyIt ;
- unsigned int pos ;
-
- symkey = NULL ;
- for( pos = 0, keyIt = m_tSymKeyList.begin() ; pos < position && keyIt != m_tSymKeyList.end() ; pos ++ , keyIt ++ ) ;
-
- if( pos == position && keyIt != m_tSymKeyList.end() )
- symkey = *keyIt ;
-
- return symkey ;
-}
-
-void SecurityEnvironment_NssImpl :: adoptPubKey( SECKEYPublicKey* aPubKey ) throw( Exception , RuntimeException ) {
- SECKEYPublicKey* pubkey ;
- std::list< SECKEYPublicKey* >::iterator keyIt ;
-
- if( aPubKey != NULL ) {
- //First try to find the key in the list
- for( keyIt = m_tPubKeyList.begin() ; keyIt != m_tPubKeyList.end() ; ++keyIt ) {
- if( *keyIt == aPubKey )
- return ;
- }
-
- //If we do not find the key in the list, add a new node
- pubkey = SECKEY_CopyPublicKey( aPubKey ) ;
- if( pubkey == NULL )
- throw RuntimeException() ;
-
- try {
- m_tPubKeyList.push_back( pubkey ) ;
- } catch ( Exception& ) {
- SECKEY_DestroyPublicKey( pubkey ) ;
- }
- }
-}
-
-void SecurityEnvironment_NssImpl :: rejectPubKey( SECKEYPublicKey* aPubKey ) throw( Exception , RuntimeException ) {
- SECKEYPublicKey* pubkey ;
- std::list< SECKEYPublicKey* >::iterator keyIt ;
-
- if( aPubKey != NULL ) {
- for( keyIt = m_tPubKeyList.begin() ; keyIt != m_tPubKeyList.end() ; ++keyIt ) {
- if( *keyIt == aPubKey ) {
- pubkey = *keyIt ;
- SECKEY_DestroyPublicKey( pubkey ) ;
- m_tPubKeyList.erase( keyIt ) ;
- break ;
- }
- }
- }
-}
-
-SECKEYPublicKey* SecurityEnvironment_NssImpl :: getPubKey( unsigned int position ) throw( Exception , RuntimeException ) {
- SECKEYPublicKey* pubkey ;
- std::list< SECKEYPublicKey* >::iterator keyIt ;
- unsigned int pos ;
-
- pubkey = NULL ;
- for( pos = 0, keyIt = m_tPubKeyList.begin() ; pos < position && keyIt != m_tPubKeyList.end() ; pos ++ , keyIt ++ ) ;
-
- if( pos == position && keyIt != m_tPubKeyList.end() )
- pubkey = *keyIt ;
-
- return pubkey ;
-}
-
-void SecurityEnvironment_NssImpl :: adoptPriKey( SECKEYPrivateKey* aPriKey ) throw( Exception , RuntimeException ) {
- SECKEYPrivateKey* prikey ;
- std::list< SECKEYPrivateKey* >::iterator keyIt ;
-
- if( aPriKey != NULL ) {
- //First try to find the key in the list
- for( keyIt = m_tPriKeyList.begin() ; keyIt != m_tPriKeyList.end() ; ++keyIt ) {
- if( *keyIt == aPriKey )
- return ;
- }
-
- //If we do not find the key in the list, add a new node
- prikey = SECKEY_CopyPrivateKey( aPriKey ) ;
- if( prikey == NULL )
- throw RuntimeException() ;
-
- try {
- m_tPriKeyList.push_back( prikey ) ;
- } catch ( Exception& ) {
- SECKEY_DestroyPrivateKey( prikey ) ;
- }
- }
-}
-
-void SecurityEnvironment_NssImpl :: rejectPriKey( SECKEYPrivateKey* aPriKey ) throw( Exception , RuntimeException ) {
- SECKEYPrivateKey* prikey ;
- std::list< SECKEYPrivateKey* >::iterator keyIt ;
-
- if( aPriKey != NULL ) {
- for( keyIt = m_tPriKeyList.begin() ; keyIt != m_tPriKeyList.end() ; ++keyIt ) {
- if( *keyIt == aPriKey ) {
- prikey = *keyIt ;
- SECKEY_DestroyPrivateKey( prikey ) ;
- m_tPriKeyList.erase( keyIt ) ;
- break ;
- }
- }
- }
-}
-
-SECKEYPrivateKey* SecurityEnvironment_NssImpl :: getPriKey( unsigned int position ) throw( ::com::sun::star::uno::Exception , ::com::sun::star::uno::RuntimeException ) {
- SECKEYPrivateKey* prikey ;
- std::list< SECKEYPrivateKey* >::iterator keyIt ;
- unsigned int pos ;
-
- prikey = NULL ;
- for( pos = 0, keyIt = m_tPriKeyList.begin() ; pos < position && keyIt != m_tPriKeyList.end() ; pos ++ , keyIt ++ ) ;
-
- if( pos == position && keyIt != m_tPriKeyList.end() )
- prikey = *keyIt ;
-
- return prikey ;
-}
-
-void SecurityEnvironment_NssImpl::updateSlots()
-{
- //In case new tokens are present then we can obtain the corresponding slot
- PK11SlotList * soltList = NULL;
- PK11SlotListElement * soltEle = NULL;
- PK11SlotInfo * pSlot = NULL;
- PK11SymKey * pSymKey = NULL;
-
- osl::MutexGuard guard(m_mutex);
-
- m_Slots.clear();
- m_tSymKeyList.clear();
-
- soltList = PK11_GetAllTokens( CKM_INVALID_MECHANISM, PR_FALSE, PR_FALSE, NULL ) ;
- if( soltList != NULL )
- {
- for( soltEle = soltList->head ; soltEle != NULL; soltEle = soltEle->next )
- {
- pSlot = soltEle->slot ;
-
- if(pSlot != NULL)
- {
- RTL_LOGFILE_TRACE2( "XMLSEC: Found a slot: SlotName=%s, TokenName=%s", PK11_GetSlotName(pSlot), PK11_GetTokenName(pSlot) );
-
-//The following code which is commented out checks if a slot, that is a smart card for example, is
-// able to generate a symmetric key of type CKM_DES3_CBC. If this fails then this token
-// will not be used. This key is possibly used for the encryption service. However, all
-// interfaces and services used for public key signature and encryption are not published
-// and the encryption is not used in OOo. Therefore it does not do any harm to remove
-// this code, hence allowing smart cards which cannot generate this type of key.
-//
-// By doing this, the encryption may fail if a smart card is being used which does not
-// support this key generation.
-//
- pSymKey = PK11_KeyGen( pSlot , CKM_DES3_CBC, NULL, 128, NULL ) ;
-// if( pSymKey == NULL )
-// {
-// PK11_FreeSlot( pSlot ) ;
-// RTL_LOGFILE_TRACE( "XMLSEC: Error - pSymKey is NULL" );
-// continue;
-// }
- addCryptoSlot(pSlot);
- PK11_FreeSlot( pSlot ) ;
- pSlot = NULL;
-
- if (pSymKey != NULL)
- {
- adoptSymKey( pSymKey ) ;
- PK11_FreeSymKey( pSymKey ) ;
- pSymKey = NULL;
- }
-
- }// end of if(pSlot != NULL)
- }// end of for
- }// end of if( soltList != NULL )
-
-}
-
-
-Sequence< Reference < XCertificate > >
-SecurityEnvironment_NssImpl::getPersonalCertificates() throw( SecurityException , RuntimeException )
-{
- sal_Int32 length ;
- X509Certificate_NssImpl* xcert ;
- std::list< X509Certificate_NssImpl* > certsList ;
-
- updateSlots();
- //firstly, we try to find private keys in slot
- for (CIT_SLOTS is = m_Slots.begin(); is != m_Slots.end(); is++)
- {
- PK11SlotInfo *slot = *is;
- SECKEYPrivateKeyList* priKeyList ;
- SECKEYPrivateKeyListNode* curPri ;
-
- if( PK11_NeedLogin(slot ) ) {
- SECStatus nRet = PK11_Authenticate(slot, PR_TRUE, NULL);
- //PK11_Authenticate may fail in case the a slot has not been initialized.
- //this is the case if the user has a new profile, so that they have never
- //added a personal certificate.
- if( nRet != SECSuccess && PORT_GetError() != SEC_ERROR_IO) {
- throw NoPasswordException();
- }
- }
-
- priKeyList = PK11_ListPrivateKeysInSlot(slot) ;
- if( priKeyList != NULL ) {
- for( curPri = PRIVKEY_LIST_HEAD( priKeyList );
- !PRIVKEY_LIST_END( curPri, priKeyList ) && curPri != NULL ;
- curPri = PRIVKEY_LIST_NEXT( curPri ) ) {
- xcert = NssPrivKeyToXCert( curPri->key ) ;
- if( xcert != NULL )
- certsList.push_back( xcert ) ;
- }
- }
-
- SECKEY_DestroyPrivateKeyList( priKeyList ) ;
- }
-
- //secondly, we try to find certificate from registered private keys.
- if( !m_tPriKeyList.empty() ) {
- std::list< SECKEYPrivateKey* >::iterator priKeyIt ;
-
- for( priKeyIt = m_tPriKeyList.begin() ; priKeyIt != m_tPriKeyList.end() ; ++priKeyIt ) {
- xcert = NssPrivKeyToXCert( *priKeyIt ) ;
- if( xcert != NULL )
- certsList.push_back( xcert ) ;
- }
- }
-
- length = certsList.size() ;
- if( length != 0 ) {
- int i ;
- std::list< X509Certificate_NssImpl* >::iterator xcertIt ;
- Sequence< Reference< XCertificate > > certSeq( length ) ;
-
- for( i = 0, xcertIt = certsList.begin(); xcertIt != certsList.end(); ++xcertIt, ++i ) {
- certSeq[i] = *xcertIt ;
- }
-
- return certSeq ;
- }
-
- return Sequence< Reference < XCertificate > > ();
-}
-
-Reference< XCertificate > SecurityEnvironment_NssImpl :: getCertificate( const OUString& issuerName, const Sequence< sal_Int8 >& serialNumber ) throw( SecurityException , RuntimeException )
-{
- X509Certificate_NssImpl* xcert = NULL;
-
- if( m_pHandler != NULL ) {
- CERTIssuerAndSN issuerAndSN ;
- CERTCertificate* cert ;
- CERTName* nmIssuer ;
- char* chIssuer ;
- SECItem* derIssuer ;
- PRArenaPool* arena ;
-
- arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE ) ;
- if( arena == NULL )
- throw RuntimeException() ;
-
- // Create cert info from issue and serial
- rtl::OString ostr = rtl::OUStringToOString( issuerName , RTL_TEXTENCODING_UTF8 ) ;
- chIssuer = PL_strndup( ( char* )ostr.getStr(), ( int )ostr.getLength() ) ;
- nmIssuer = CERT_AsciiToName( chIssuer ) ;
- if( nmIssuer == NULL ) {
- PL_strfree( chIssuer ) ;
- PORT_FreeArena( arena, PR_FALSE ) ;
- return NULL; // no need for exception cf. i40394
- }
-
- derIssuer = SEC_ASN1EncodeItem( arena, NULL, ( void* )nmIssuer, SEC_ASN1_GET( CERT_NameTemplate ) ) ;
- if( derIssuer == NULL ) {
- PL_strfree( chIssuer ) ;
- CERT_DestroyName( nmIssuer ) ;
- PORT_FreeArena( arena, PR_FALSE ) ;
- throw RuntimeException() ;
- }
-
- memset( &issuerAndSN, 0, sizeof( issuerAndSN ) ) ;
-
- issuerAndSN.derIssuer.data = derIssuer->data ;
- issuerAndSN.derIssuer.len = derIssuer->len ;
-
- issuerAndSN.serialNumber.data = ( unsigned char* )&serialNumber[0] ;
- issuerAndSN.serialNumber.len = serialNumber.getLength() ;
-
- cert = CERT_FindCertByIssuerAndSN( m_pHandler, &issuerAndSN ) ;
- if( cert != NULL ) {
- xcert = NssCertToXCert( cert ) ;
- } else {
- xcert = NULL ;
- }
-
- PL_strfree( chIssuer ) ;
- CERT_DestroyName( nmIssuer ) ;
- //SECITEM_FreeItem( derIssuer, PR_FALSE ) ;
- CERT_DestroyCertificate( cert ) ;
- PORT_FreeArena( arena, PR_FALSE ) ;
- } else {
- xcert = NULL ;
- }
-
- return xcert ;
-}
-
-Reference< XCertificate > SecurityEnvironment_NssImpl :: getCertificate( const OUString& issuerName, const OUString& serialNumber ) throw( SecurityException , RuntimeException ) {
- Sequence< sal_Int8 > serial = numericStringToBigInteger( serialNumber ) ;
- return getCertificate( issuerName, serial ) ;
-}
-
-Sequence< Reference < XCertificate > > SecurityEnvironment_NssImpl :: buildCertificatePath( const Reference< XCertificate >& begin ) throw( SecurityException , RuntimeException ) {
- const X509Certificate_NssImpl* xcert ;
- const CERTCertificate* cert ;
- CERTCertList* certChain ;
-
- Reference< XUnoTunnel > xCertTunnel( begin, UNO_QUERY ) ;
- if( !xCertTunnel.is() ) {
- throw RuntimeException() ;
- }
-
- xcert = reinterpret_cast<X509Certificate_NssImpl*>(
- sal::static_int_cast<sal_uIntPtr>(xCertTunnel->getSomething( X509Certificate_NssImpl::getUnoTunnelId() ))) ;
- if( xcert == NULL ) {
- throw RuntimeException() ;
- }
-
- cert = xcert->getNssCert() ;
- if( cert != NULL ) {
- int64 timeboundary ;
-
- //Get the system clock time
- timeboundary = PR_Now() ;
-
- certChain = CERT_GetCertChainFromCert( ( CERTCertificate* )cert, timeboundary, certUsageAnyCA ) ;
- } else {
- certChain = NULL ;
- }
-
- if( certChain != NULL ) {
- X509Certificate_NssImpl* pCert ;
- CERTCertListNode* node ;
- int len ;
-
- for( len = 0, node = CERT_LIST_HEAD( certChain ); !CERT_LIST_END( node, certChain ); node = CERT_LIST_NEXT( node ), len ++ ) ;
- Sequence< Reference< XCertificate > > xCertChain( len ) ;
-
- for( len = 0, node = CERT_LIST_HEAD( certChain ); !CERT_LIST_END( node, certChain ); node = CERT_LIST_NEXT( node ), len ++ ) {
- pCert = new X509Certificate_NssImpl() ;
- if( pCert == NULL ) {
- CERT_DestroyCertList( certChain ) ;
- throw RuntimeException() ;
- }
-
- pCert->setCert( node->cert ) ;
-
- xCertChain[len] = pCert ;
- }
-
- CERT_DestroyCertList( certChain ) ;
-
- return xCertChain ;
- }
-
- return Sequence< Reference < XCertificate > >();
-}
-
-Reference< XCertificate > SecurityEnvironment_NssImpl :: createCertificateFromRaw( const Sequence< sal_Int8 >& rawCertificate ) throw( SecurityException , RuntimeException ) {
- X509Certificate_NssImpl* xcert ;
-
- if( rawCertificate.getLength() > 0 ) {
- xcert = new X509Certificate_NssImpl() ;
- if( xcert == NULL )
- throw RuntimeException() ;
-
- xcert->setRawCert( rawCertificate ) ;
- } else {
- xcert = NULL ;
- }
-
- return xcert ;
-}
-
-Reference< XCertificate > SecurityEnvironment_NssImpl :: createCertificateFromAscii( const OUString& asciiCertificate ) throw( SecurityException , RuntimeException ) {
- xmlChar* chCert ;
- xmlSecSize certSize ;
-
- rtl::OString oscert = rtl::OUStringToOString( asciiCertificate , RTL_TEXTENCODING_ASCII_US ) ;
-
- chCert = xmlStrndup( ( const xmlChar* )oscert.getStr(), ( int )oscert.getLength() ) ;
-
- certSize = xmlSecBase64Decode( chCert, ( xmlSecByte* )chCert, xmlStrlen( chCert ) ) ;
-
- Sequence< sal_Int8 > rawCert( certSize ) ;
- for( unsigned int i = 0 ; i < certSize ; i ++ )
- rawCert[i] = *( chCert + i ) ;
-
- xmlFree( chCert ) ;
-
- return createCertificateFromRaw( rawCert ) ;
-}
-
-sal_Int32 SecurityEnvironment_NssImpl ::
-verifyCertificate( const Reference< csss::XCertificate >& aCert,
- const Sequence< Reference< csss::XCertificate > >& intermediateCerts )
- throw( ::com::sun::star::uno::SecurityException, ::com::sun::star::uno::RuntimeException )
-{
- sal_Int32 validity = csss::CertificateValidity::INVALID;
- const X509Certificate_NssImpl* xcert ;
- const CERTCertificate* cert ;
- ::std::vector<CERTCertificate*> vecTmpNSSCertificates;
- Reference< XUnoTunnel > xCertTunnel( aCert, UNO_QUERY ) ;
- if( !xCertTunnel.is() ) {
- throw RuntimeException() ;
- }
-
- xmlsec_trace("Start verification of certificate: \n %s \n",
- OUStringToOString(
- aCert->getSubjectName(), osl_getThreadTextEncoding()).getStr());
-
- xcert = reinterpret_cast<X509Certificate_NssImpl*>(
- sal::static_int_cast<sal_uIntPtr>(xCertTunnel->getSomething( X509Certificate_NssImpl::getUnoTunnelId() ))) ;
- if( xcert == NULL ) {
- throw RuntimeException() ;
- }
-
- //CERT_PKIXVerifyCert does not take a db as argument. It will therefore
- //internally use CERT_GetDefaultCertDB
- //Make sure m_pHandler is the default DB
- OSL_ASSERT(m_pHandler == CERT_GetDefaultCertDB());
- CERTCertDBHandle * certDb = m_pHandler != NULL ? m_pHandler : CERT_GetDefaultCertDB();
- cert = xcert->getNssCert() ;
- if( cert != NULL )
- {
-
- //prepare the intermediate certificates
- for (sal_Int32 i = 0; i < intermediateCerts.getLength(); i++)
- {
- Sequence<sal_Int8> der = intermediateCerts[i]->getEncoded();
- SECItem item;
- item.type = siBuffer;
- item.data = (unsigned char*)der.getArray();
- item.len = der.getLength();
-
- CERTCertificate* certTmp = CERT_NewTempCertificate(certDb, &item,
- NULL /* nickname */,
- PR_FALSE /* isPerm */,
- PR_TRUE /* copyDER */);
- if (!certTmp)
- {
- xmlsec_trace("Failed to add a temporary certificate: %s",
- OUStringToOString(intermediateCerts[i]->getIssuerName(),
- osl_getThreadTextEncoding()).getStr());
-
- }
- else
- {
- xmlsec_trace("Added temporary certificate: %s",
- certTmp->subjectName ? certTmp->subjectName : "");
- vecTmpNSSCertificates.push_back(certTmp);
- }
- }
-
-
- SECStatus status ;
-
- CERTVerifyLog log;
- log.arena = PORT_NewArena(512);
- log.head = log.tail = NULL;
- log.count = 0;
-
- CERT_EnableOCSPChecking(certDb);
- CERT_DisableOCSPDefaultResponder(certDb);
- CERTValOutParam cvout[5];
- CERTValInParam cvin[3];
- int ncvinCount=0;
-
-#if ( NSS_VMAJOR > 3 ) || ( NSS_VMAJOR == 3 && NSS_VMINOR > 12 ) || ( NSS_VMAJOR == 3 && NSS_VMINOR == 12 && NSS_VPATCH > 0 )
- cvin[ncvinCount].type = cert_pi_useAIACertFetch;
- cvin[ncvinCount].value.scalar.b = PR_TRUE;
- ncvinCount++;
-#endif
-
- PRUint64 revFlagsLeaf[2];
- PRUint64 revFlagsChain[2];
- CERTRevocationFlags rev;
- rev.leafTests.number_of_defined_methods = 2;
- rev.leafTests.cert_rev_flags_per_method = revFlagsLeaf;
- //the flags are defined in cert.h
- //We check both leaf and chain.
- //It is enough if one revocation method has fresh info,
- //but at least one must have some. Otherwise validation fails.
- //!!! using leaf test and CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE
- // when validating a root certificate will result in "revoked". Usually
- //there is no revocation information available for the root cert because
- //it must be trusted anyway and it does itself issue revocation information.
- //When we use the flag here and OOo shows the certification path then the root
- //cert is invalid while all other can be valid. It would probably best if
- //this interface method returned the whole chain.
- //Otherwise we need to check if the certificate is self-signed and if it is
- //then not use the flag when doing the leaf-test.
- rev.leafTests.cert_rev_flags_per_method[cert_revocation_method_crl] =
- CERT_REV_M_TEST_USING_THIS_METHOD
- | CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE;
- rev.leafTests.cert_rev_flags_per_method[cert_revocation_method_ocsp] =
- CERT_REV_M_TEST_USING_THIS_METHOD
- | CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE;
- rev.leafTests.number_of_preferred_methods = 0;
- rev.leafTests.preferred_methods = NULL;
- rev.leafTests.cert_rev_method_independent_flags =
- CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST;
-
- rev.chainTests.number_of_defined_methods = 2;
- rev.chainTests.cert_rev_flags_per_method = revFlagsChain;
- rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_crl] =
- CERT_REV_M_TEST_USING_THIS_METHOD
- | CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE;
- rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_ocsp] =
- CERT_REV_M_TEST_USING_THIS_METHOD
- | CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE;
- rev.chainTests.number_of_preferred_methods = 0;
- rev.chainTests.preferred_methods = NULL;
- rev.chainTests.cert_rev_method_independent_flags =
- CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST;
-
-
- cvin[ncvinCount].type = cert_pi_revocationFlags;
- cvin[ncvinCount].value.pointer.revocation = &rev;
- ncvinCount++;
- // does not work, not implemented yet in 3.12.4
-// cvin[ncvinCount].type = cert_pi_keyusage;
-// cvin[ncvinCount].value.scalar.ui = KU_DIGITAL_SIGNATURE;
-// ncvinCount++;
- cvin[ncvinCount].type = cert_pi_end;
-
- cvout[0].type = cert_po_trustAnchor;
- cvout[0].value.pointer.cert = NULL;
- cvout[1].type = cert_po_errorLog;
- cvout[1].value.pointer.log = &log;
- cvout[2].type = cert_po_end;
-
- // We check SSL server certificates, CA certificates and signing sertificates.
- //
- // ToDo check keyusage, looking at CERT_KeyUsageAndTypeForCertUsage (
- // mozilla/security/nss/lib/certdb/certdb.c indicates that
- // certificateUsageSSLClient, certificateUsageSSLServer and certificateUsageSSLCA
- // are sufficient. They cover the key usages for digital signature, key agreement
- // and encipherment and certificate signature
-
- //never use the following usages because they are not checked properly
- // certificateUsageUserCertImport
- // certificateUsageVerifyCA
- // certificateUsageAnyCA
- // certificateUsageProtectedObjectSigner
-
- UsageDescription arUsages[5];
- arUsages[0] = UsageDescription( certificateUsageSSLClient, "certificateUsageSSLClient" );
- arUsages[1] = UsageDescription( certificateUsageSSLServer, "certificateUsageSSLServer" );
- arUsages[2] = UsageDescription( certificateUsageSSLCA, "certificateUsageSSLCA" );
- arUsages[3] = UsageDescription( certificateUsageEmailSigner, "certificateUsageEmailSigner" );
- arUsages[4] = UsageDescription( certificateUsageEmailRecipient, "certificateUsageEmailRecipient" );
-
- int numUsages = SAL_N_ELEMENTS(arUsages);
- for (int i = 0; i < numUsages; i++)
- {
- xmlsec_trace("Testing usage %d of %d: %s (0x%x)", i + 1,
- numUsages, arUsages[i].description, (int) arUsages[i].usage);
-
- status = CERT_PKIXVerifyCert(const_cast<CERTCertificate *>(cert), arUsages[i].usage,
- cvin, cvout, NULL);
- if( status == SECSuccess )
- {
- xmlsec_trace("CERT_PKIXVerifyCert returned SECSuccess.");
- //When an intermediate or root certificate is checked then we expect the usage
- //certificateUsageSSLCA. This, however, will be only set when in the trust settings dialog
- //the button "This certificate can identify websites" is checked. If for example only
- //"This certificate can identify mail users" is set then the end certificate can
- //be validated and the returned usage will conain certificateUsageEmailRecipient.
- //But checking directly the root or intermediate certificate will fail. In the
- //certificate path view the end certificate will be shown as valid but the others
- //will be displayed as invalid.
-
- validity = csss::CertificateValidity::VALID;
- xmlsec_trace("Certificate is valid.\n");
- CERTCertificate * issuerCert = cvout[0].value.pointer.cert;
- if (issuerCert)
- {
- xmlsec_trace("Root certificate: %s", issuerCert->subjectName);
- CERT_DestroyCertificate(issuerCert);
- };
-
- break;
- }
- else
- {
- PRIntn err = PR_GetError();
- xmlsec_trace("Error: , %d = %s", err, getCertError(err));
-
- /* Display validation results */
- if ( log.count > 0)
- {
- CERTVerifyLogNode *node = NULL;
- printChainFailure(&log);
-
- for (node = log.head; node; node = node->next) {
- if (node->cert)
- CERT_DestroyCertificate(node->cert);
- }
- log.head = log.tail = NULL;
- log.count = 0;
- }
- xmlsec_trace("Certificate is invalid.\n");
- }
- }
-
- }
- else
- {
- validity = ::com::sun::star::security::CertificateValidity::INVALID ;
- }
-
- //Destroying the temporary certificates
- std::vector<CERTCertificate*>::const_iterator cert_i;
- for (cert_i = vecTmpNSSCertificates.begin(); cert_i != vecTmpNSSCertificates.end(); ++cert_i)
- {
- xmlsec_trace("Destroying temporary certificate");
- CERT_DestroyCertificate(*cert_i);
- }
- return validity ;
-}
-
-sal_Int32 SecurityEnvironment_NssImpl::getCertificateCharacters(
- const ::com::sun::star::uno::Reference< ::com::sun::star::security::XCertificate >& aCert ) throw( ::com::sun::star::uno::SecurityException, ::com::sun::star::uno::RuntimeException ) {
- sal_Int32 characters ;
- const X509Certificate_NssImpl* xcert ;
- const CERTCertificate* cert ;
-
- Reference< XUnoTunnel > xCertTunnel( aCert, UNO_QUERY ) ;
- if( !xCertTunnel.is() ) {
- throw RuntimeException() ;
- }
-
- xcert = reinterpret_cast<X509Certificate_NssImpl*>(
- sal::static_int_cast<sal_uIntPtr>(xCertTunnel->getSomething( X509Certificate_NssImpl::getUnoTunnelId() ))) ;
- if( xcert == NULL ) {
- throw RuntimeException() ;
- }
-
- cert = xcert->getNssCert() ;
-
- characters = 0x00000000 ;
-
- //Firstly, find out whether or not the cert is self-signed.
- if( SECITEM_CompareItem( &(cert->derIssuer), &(cert->derSubject) ) == SECEqual ) {
- characters |= ::com::sun::star::security::CertificateCharacters::SELF_SIGNED ;
- } else {
- characters &= ~ ::com::sun::star::security::CertificateCharacters::SELF_SIGNED ;
- }
-
- //Secondly, find out whether or not the cert has a private key.
-
- /*
- * i40394
- *
- * mmi : need to check whether the cert's slot is valid first
- */
- SECKEYPrivateKey* priKey = NULL;
-
- if (cert->slot != NULL)
- {
- priKey = PK11_FindPrivateKeyFromCert( cert->slot, ( CERTCertificate* )cert, NULL ) ;
- }
- if(priKey == NULL)
- {
- for (CIT_SLOTS is = m_Slots.begin(); is != m_Slots.end(); is++)
- {
- priKey = PK11_FindPrivateKeyFromCert(*is, (CERTCertificate*)cert, NULL);
- if (priKey)
- break;
- }
- }
- if( priKey != NULL ) {
- characters |= ::com::sun::star::security::CertificateCharacters::HAS_PRIVATE_KEY ;
-
- SECKEY_DestroyPrivateKey( priKey ) ;
- } else {
- characters &= ~ ::com::sun::star::security::CertificateCharacters::HAS_PRIVATE_KEY ;
- }
-
- return characters ;
-}
-
-X509Certificate_NssImpl* NssCertToXCert( CERTCertificate* cert )
-{
- X509Certificate_NssImpl* xcert ;
-
- if( cert != NULL ) {
- xcert = new X509Certificate_NssImpl() ;
- if( xcert == NULL ) {
- xcert = NULL ;
- } else {
- xcert->setCert( cert ) ;
- }
- } else {
- xcert = NULL ;
- }
-
- return xcert ;
-}
-
-X509Certificate_NssImpl* NssPrivKeyToXCert( SECKEYPrivateKey* priKey )
-{
- CERTCertificate* cert ;
- X509Certificate_NssImpl* xcert ;
-
- if( priKey != NULL ) {
- cert = PK11_GetCertFromPrivateKey( priKey ) ;
-
- if( cert != NULL ) {
- xcert = NssCertToXCert( cert ) ;
- } else {
- xcert = NULL ;
- }
-
- CERT_DestroyCertificate( cert ) ;
- } else {
- xcert = NULL ;
- }
-
- return xcert ;
-}
-
-
-/* Native methods */
-xmlSecKeysMngrPtr SecurityEnvironment_NssImpl::createKeysManager() throw( Exception, RuntimeException ) {
-
- unsigned int i ;
- CERTCertDBHandle* handler = NULL ;
- PK11SymKey* symKey = NULL ;
- SECKEYPublicKey* pubKey = NULL ;
- SECKEYPrivateKey* priKey = NULL ;
- xmlSecKeysMngrPtr pKeysMngr = NULL ;
-
- handler = this->getCertDb() ;
-
- /*-
- * The following lines is based on the private version of xmlSec-NSS
- * crypto engine
- */
- int cSlots = m_Slots.size();
- boost::scoped_array<PK11SlotInfo*> sarSlots(new PK11SlotInfo*[cSlots]);
- PK11SlotInfo** slots = sarSlots.get();
- int count = 0;
- for (CIT_SLOTS islots = m_Slots.begin();islots != m_Slots.end(); islots++, count++)
- slots[count] = *islots;
-
- pKeysMngr = xmlSecNssAppliedKeysMngrCreate(slots, cSlots, handler ) ;
- if( pKeysMngr == NULL )
- throw RuntimeException() ;
-
- /*-
- * Adopt symmetric key into keys manager
- */
- for( i = 0 ; ( symKey = this->getSymKey( i ) ) != NULL ; i ++ ) {
- if( xmlSecNssAppliedKeysMngrSymKeyLoad( pKeysMngr, symKey ) < 0 ) {
- throw RuntimeException() ;
- }
- }
-
- /*-
- * Adopt asymmetric public key into keys manager
- */
- for( i = 0 ; ( pubKey = this->getPubKey( i ) ) != NULL ; i ++ ) {
- if( xmlSecNssAppliedKeysMngrPubKeyLoad( pKeysMngr, pubKey ) < 0 ) {
- throw RuntimeException() ;
- }
- }
-
- /*-
- * Adopt asymmetric private key into keys manager
- */
- for( i = 0 ; ( priKey = this->getPriKey( i ) ) != NULL ; i ++ ) {
- if( xmlSecNssAppliedKeysMngrPriKeyLoad( pKeysMngr, priKey ) < 0 ) {
- throw RuntimeException() ;
- }
- }
- return pKeysMngr ;
-}
-void SecurityEnvironment_NssImpl::destroyKeysManager(xmlSecKeysMngrPtr pKeysMngr) throw( Exception, RuntimeException ) {
- if( pKeysMngr != NULL ) {
- xmlSecKeysMngrDestroy( pKeysMngr ) ;
- }
-}
-
-/* vim:set shiftwidth=4 softtabstop=4 expandtab: */