search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Version 7.6.3.2-android, tag libreoffice-7.6.3.2-android
[LibreOffice.git] / xmlsecurity / source / xmlsec / nss / securityenvironment_nssimpl.cxx
blob32ece48520d693639f82c1d832a989a370cbe06e
1 /* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
2 /*
3 * This file is part of the LibreOffice project.
4 *
5 * This Source Code Form is subject to the terms of the Mozilla Public
6 * License, v. 2.0. If a copy of the MPL was not distributed with this
7 * file, You can obtain one at http://mozilla.org/MPL/2.0/.
8 *
9 * This file incorporates work covered by the following license notice:
10 *
11 * Licensed to the Apache Software Foundation (ASF) under one or more
12 * contributor license agreements. See the NOTICE file distributed
13 * with this work for additional information regarding copyright
14 * ownership. The ASF licenses this file to you under the Apache
15 * License, Version 2.0 (the "License"); you may not use this file
16 * except in compliance with the License. You may obtain a copy of
17 * the License at http://www.apache.org/licenses/LICENSE-2.0 .
18 */
19
20 #include "nssrenam.h"
21 #include <cert.h>
22 #include <secerr.h>
23 #include <ocsp.h>
24
25 #include <sal/config.h>
26 #include <sal/macros.h>
27 #include <osl/diagnose.h>
28 #include "securityenvironment_nssimpl.hxx"
29 #include <cppuhelper/supportsservice.hxx>
30 #include <comphelper/servicehelper.hxx>
31
32 #include <xmlsec-wrapper.h>
33
34 #include <rtl/ustrbuf.hxx>
35 #include <comphelper/processfactory.hxx>
36 #include <comphelper/docpasswordrequest.hxx>
37 #include <sal/log.hxx>
38 #include <com/sun/star/task/InteractionHandler.hpp>
39 #include <vector>
40 #include <memory>
41 #include <osl/thread.h>
42 #include <comphelper/sequence.hxx>
43
44 #include "x509certificate_nssimpl.hxx"
45 #include "secerror.hxx"
46 #include <prerror.h>
47 #include <keyhi.h>
48
49 // added for password exception
50 #include <com/sun/star/security/NoPasswordException.hpp>
51 #include <com/sun/star/security/CertificateCharacters.hpp>
52 #include <com/sun/star/security/CertificateValidity.hpp>
53
54 namespace csss = ::com::sun::star::security;
55 using namespace ::com::sun::star::security;
56 using namespace com::sun::star;
57 using namespace ::com::sun::star::uno ;
58 using namespace ::com::sun::star::lang ;
59
60 using ::com::sun::star::security::XCertificate ;
61
62 namespace std
63 {
64 template <> struct default_delete<PRArenaPool>
65 {
66 void operator()(PRArenaPool* ptr) { PORT_FreeArena(ptr, PR_FALSE); }
67 };
68 }
69
70 static rtl::Reference<X509Certificate_NssImpl> NssCertToXCert( CERTCertificate* cert ) ;
71 static rtl::Reference<X509Certificate_NssImpl> NssPrivKeyToXCert( SECKEYPrivateKey* ) ;
72
73 namespace {
74
75 struct UsageDescription
76 {
77 SECCertificateUsage usage;
78 char const* description;
79
80 UsageDescription()
81 : usage( certificateUsageCheckAllUsages )
82 , description( nullptr )
83 {}
84
85 UsageDescription( SECCertificateUsage i_usage, char const* i_description )
86 : usage( i_usage )
87 , description( i_description )
88 {}
89 };
90
91 }
92
93 static char* GetPasswordFunction( PK11SlotInfo* pSlot, PRBool bRetry, void* /*arg*/ )
94 {
95 uno::Reference< uno::XComponentContext > xContext( ::comphelper::getProcessComponentContext() );
96 uno::Reference < task::XInteractionHandler2 > xInteractionHandler(
97 task::InteractionHandler::createWithParent(xContext, nullptr) );
98
99 task::PasswordRequestMode eMode = bRetry ? task::PasswordRequestMode_PASSWORD_REENTER : task::PasswordRequestMode_PASSWORD_ENTER;
100 rtl::Reference<::comphelper::DocPasswordRequest> pPasswordRequest = new ::comphelper::DocPasswordRequest(
101 ::comphelper::DocPasswordRequestType::Standard, eMode, OUString::createFromAscii(PK11_GetTokenName(pSlot)) );
102
103 xInteractionHandler->handle( pPasswordRequest );
104
105 if ( pPasswordRequest->isPassword() )
106 {
107 OString aPassword(OUStringToOString(
108 pPasswordRequest->getPassword(),
109 osl_getThreadTextEncoding()));
110 sal_Int32 nLen = aPassword.getLength();
111 char* pPassword = static_cast<char*>(PORT_Alloc( nLen+1 ) );
112 pPassword[nLen] = 0;
113 memcpy( pPassword, aPassword.getStr(), nLen );
114 return pPassword;
115 }
116 return nullptr;
117 }
118
119 SecurityEnvironment_NssImpl::SecurityEnvironment_NssImpl() :
120 m_pHandler( nullptr ) {
121 PK11_SetPasswordFunc( GetPasswordFunction ) ;
122 }
123
124 SecurityEnvironment_NssImpl::~SecurityEnvironment_NssImpl() {
125
126 PK11_SetPasswordFunc( nullptr ) ;
127
128 for (auto& slot : m_Slots)
129 {
130 PK11_FreeSlot(slot);
131 }
132
133 for( auto& symKey : m_tSymKeyList )
134 PK11_FreeSymKey( symKey ) ;
135 }
136
137 /* XServiceInfo */
138 OUString SAL_CALL SecurityEnvironment_NssImpl::getImplementationName() {
139 return "com.sun.star.xml.crypto.SecurityEnvironment";
140 }
141
142 /* XServiceInfo */
143 sal_Bool SAL_CALL SecurityEnvironment_NssImpl::supportsService( const OUString& serviceName) {
144 return cppu::supportsService(this, serviceName);
145 }
146
147 /* XServiceInfo */
148 Sequence< OUString > SAL_CALL SecurityEnvironment_NssImpl::getSupportedServiceNames() {
149 Sequence<OUString> seqServiceNames{ "com.sun.star.xml.crypto.SecurityEnvironment" };
150 return seqServiceNames;
151 }
152
153 OUString SecurityEnvironment_NssImpl::getSecurityEnvironmentInformation()
154 {
155 OUStringBuffer buff;
156 for (auto& slot : m_Slots)
157 {
158 buff.appendAscii(PK11_GetTokenName(slot));
159 buff.append("\n");
160 }
161 return buff.makeStringAndClear();
162 }
163
164 void SecurityEnvironment_NssImpl::addCryptoSlot( PK11SlotInfo* aSlot)
165 {
166 PK11_ReferenceSlot(aSlot);
167 m_Slots.push_back(aSlot);
168 }
169
170 //Could we have multiple cert dbs?
171 void SecurityEnvironment_NssImpl::setCertDb( CERTCertDBHandle* aCertDb ) {
172 m_pHandler = aCertDb ;
173 }
174
175 void SecurityEnvironment_NssImpl::adoptSymKey( PK11SymKey* aSymKey ) {
176 if( aSymKey == nullptr ) return;
177
178 //First try to find the key in the list
179 if (std::find(m_tSymKeyList.begin(), m_tSymKeyList.end(), aSymKey) != m_tSymKeyList.end())
180 return;
181
182 //If we do not find the key in the list, add a new node
183 PK11SymKey* symkey = PK11_ReferenceSymKey( aSymKey ) ;
184 if( symkey == nullptr )
185 throw RuntimeException() ;
186
187 try {
188 m_tSymKeyList.push_back( symkey ) ;
189 } catch ( Exception& ) {
190 PK11_FreeSymKey( symkey ) ;
191 }
192 }
193
194 void SecurityEnvironment_NssImpl::updateSlots()
195 {
196 //In case new tokens are present then we can obtain the corresponding slot
197 std::scoped_lock guard(m_mutex);
198
199 m_Slots.clear();
200 m_tSymKeyList.clear();
201
202 PK11SlotList * slotList = PK11_GetAllTokens( CKM_INVALID_MECHANISM, PR_FALSE, PR_FALSE, nullptr ) ;
203 if( slotList == nullptr )
204 return;
205
206 for (PK11SlotListElement* slotEle = slotList->head ; slotEle != nullptr; slotEle = slotEle->next)
207 {
208 PK11SlotInfo * pSlot = slotEle->slot ;
209
210 if(pSlot != nullptr)
211 {
212 SAL_INFO(
213 "xmlsecurity.xmlsec",
214 "Found a slot: SlotName=" << PK11_GetSlotName(pSlot)
215 << ", TokenName=" << PK11_GetTokenName(pSlot));
216
217 //The following code which is commented out checks if a slot, that is a smart card for example, is
218 // able to generate a symmetric key of type CKM_DES3_CBC. If this fails then this token
219 // will not be used. This key is possibly used for the encryption service. However, all
220 // interfaces and services used for public key signature and encryption are not published
221 // and the encryption is not used in OOo. Therefore it does not do any harm to remove
222 // this code, hence allowing smart cards which cannot generate this type of key.
223 //
224 // By doing this, the encryption may fail if a smart card is being used which does not
225 // support this key generation.
226 //
227 PK11SymKey * pSymKey = PK11_KeyGen( pSlot , CKM_DES3_CBC, nullptr, 128, nullptr ) ;
228 // if( pSymKey == NULL )
229 // {
230 // PK11_FreeSlot( pSlot ) ;
231 // SAL_INFO( "xmlsecurity", "XMLSEC: Error - pSymKey is NULL" );
232 // continue;
233 // }
234 addCryptoSlot(pSlot);
235
236 if (pSymKey != nullptr)
237 {
238 adoptSymKey( pSymKey ) ;
239 PK11_FreeSymKey( pSymKey ) ;
240 pSymKey = nullptr;
241 }
242
243 }// end of if(pSlot != NULL)
244 }// end of for
245
246 PK11_FreeSlotList(slotList);
247 }
248
249 Sequence< Reference < XCertificate > >
250 SecurityEnvironment_NssImpl::getPersonalCertificates()
251 {
252 std::vector< rtl::Reference<X509Certificate_NssImpl> > certsList ;
253
254 updateSlots();
255 //firstly, we try to find private keys in slot
256 for (auto& slot : m_Slots)
257 {
258 SECKEYPrivateKeyList* priKeyList ;
259
260 if( PK11_NeedLogin(slot ) ) {
261 SECStatus nRet = PK11_Authenticate(slot, PR_TRUE, nullptr);
262 //PK11_Authenticate may fail in case the a slot has not been initialized.
263 //this is the case if the user has a new profile, so that they have never
264 //added a personal certificate.
265 if( nRet != SECSuccess && PORT_GetError() != SEC_ERROR_IO) {
266 throw NoPasswordException();
267 }
268 }
269
270 priKeyList = PK11_ListPrivateKeysInSlot(slot) ;
271 if( priKeyList != nullptr )
272 {
273 for (SECKEYPrivateKeyListNode* curPri = PRIVKEY_LIST_HEAD(priKeyList);
274 !PRIVKEY_LIST_END( curPri, priKeyList ) && curPri != nullptr;
275 curPri = PRIVKEY_LIST_NEXT(curPri))
276 {
277 rtl::Reference<X509Certificate_NssImpl> xcert = NssPrivKeyToXCert( curPri->key ) ;
278 if( xcert != nullptr )
279 certsList.push_back( xcert ) ;
280 }
281 SECKEY_DestroyPrivateKeyList( priKeyList ) ;
282 }
283
284
285 }
286
287 if( certsList.size() != 0 ) {
288 return comphelper::containerToSequence<Reference< XCertificate >>(certsList) ;
289 }
290
291 return Sequence< Reference < XCertificate > > ();
292 }
293
294 Reference< XCertificate > SecurityEnvironment_NssImpl::getCertificate( const OUString& issuerName, const Sequence< sal_Int8 >& serialNumber )
295 {
296 if( !m_pHandler )
297 return nullptr;
298
299 rtl::Reference<X509Certificate_NssImpl> xcert;
300 CERTIssuerAndSN issuerAndSN ;
301 CERTCertificate* cert ;
302 CERTName* nmIssuer ;
303 char* chIssuer ;
304 SECItem* derIssuer ;
305 std::unique_ptr<PRArenaPool> arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
306 if( arena == nullptr )
307 throw RuntimeException() ;
308
309 // Create cert info from issue and serial
310 OString ostr = OUStringToOString( issuerName , RTL_TEXTENCODING_UTF8 ) ;
311 chIssuer = PL_strndup( ostr.getStr(), static_cast<int>(ostr.getLength()) ) ;
312 nmIssuer = CERT_AsciiToName( chIssuer ) ;
313 if( nmIssuer == nullptr ) {
314 PL_strfree( chIssuer ) ;
315 return nullptr; // no need for exception cf. i40394
316 }
317
318 derIssuer = SEC_ASN1EncodeItem( arena.get(), nullptr, static_cast<void*>(nmIssuer), SEC_ASN1_GET( CERT_NameTemplate ) ) ;
319 if( derIssuer == nullptr ) {
320 PL_strfree( chIssuer ) ;
321 CERT_DestroyName( nmIssuer ) ;
322 throw RuntimeException() ;
323 }
324
325 memset( &issuerAndSN, 0, sizeof( issuerAndSN ) ) ;
326
327 issuerAndSN.derIssuer.data = derIssuer->data ;
328 issuerAndSN.derIssuer.len = derIssuer->len ;
329
330 issuerAndSN.serialNumber.data = reinterpret_cast<unsigned char *>(const_cast<sal_Int8 *>(serialNumber.getConstArray()));
331 issuerAndSN.serialNumber.len = serialNumber.getLength() ;
332
333 cert = CERT_FindCertByIssuerAndSN( m_pHandler, &issuerAndSN ) ;
334 if( cert != nullptr ) {
335 xcert = NssCertToXCert( cert ) ;
336 }
337
338 PL_strfree( chIssuer ) ;
339 CERT_DestroyName( nmIssuer ) ;
340 //SECITEM_FreeItem( derIssuer, PR_FALSE ) ;
341 CERT_DestroyCertificate( cert ) ;
342
343 return xcert ;
344 }
345
346 Sequence< Reference < XCertificate > > SecurityEnvironment_NssImpl::buildCertificatePath( const Reference< XCertificate >& begin ) {
347 // Remember the signing certificate.
348 m_xSigningCertificate = begin;
349
350 const X509Certificate_NssImpl* xcert = dynamic_cast<X509Certificate_NssImpl*>(begin.get());
351 if( xcert == nullptr ) {
352 throw RuntimeException() ;
353 }
354
355 const CERTCertificate* cert = xcert->getNssCert() ;
356 if (!cert)
357 return {};
358
359 //Get the system clock time
360 int64 timeboundary = PR_Now() ;
361 CERTCertList* certChain = CERT_GetCertChainFromCert( const_cast<CERTCertificate*>(cert), timeboundary, certUsageAnyCA ) ;
362
363 if( !certChain )
364 return {};
365
366 std::vector<uno::Reference<security::XCertificate>> aCertChain;
367
368 for (CERTCertListNode* node = CERT_LIST_HEAD(certChain); !CERT_LIST_END(node, certChain); node = CERT_LIST_NEXT(node)) {
369 rtl::Reference<X509Certificate_NssImpl> pCert = new X509Certificate_NssImpl();
370 if( pCert == nullptr ) {
371 CERT_DestroyCertList( certChain ) ;
372 throw RuntimeException() ;
373 }
374
375 pCert->setCert( node->cert ) ;
376
377 aCertChain.push_back(pCert);
378 }
379
380 CERT_DestroyCertList( certChain ) ;
381
382 return comphelper::containerToSequence(aCertChain);
383 }
384
385 rtl::Reference<X509Certificate_NssImpl> SecurityEnvironment_NssImpl::createAndAddCertificateFromPackage(
386 const css::uno::Sequence<sal_Int8>& raDERCertificate,
387 std::u16string_view raString)
388 {
389 auto pCertificateBytes = reinterpret_cast<char *>(const_cast<sal_Int8 *>(raDERCertificate.getConstArray()));
390 CERTCertificate* pCERTCertificate = CERT_DecodeCertFromPackage(pCertificateBytes, raDERCertificate.getLength());
391
392 if (!pCERTCertificate)
393 return nullptr;
394
395 SECStatus aStatus;
396
397 OString aTrustString = OUStringToOString(raString, RTL_TEXTENCODING_ASCII_US);
398 CERTCertTrust aTrust;
399
400 aStatus = CERT_DecodeTrustString(&aTrust, aTrustString.getStr());
401
402 if (aStatus != SECSuccess)
403 {
404 PRIntn err = PR_GetError();
405 SAL_WARN("xmlsecurity.xmlsec", "Error: " << err << ": " << getCertError(err));
406 return nullptr;
407 }
408
409 PK11SlotInfo* pSlot = PK11_GetInternalKeySlot();
410
411 if (!pSlot)
412 return nullptr;
413
414 aStatus = PK11_ImportCert(pSlot, pCERTCertificate, CK_INVALID_HANDLE, nullptr, PR_FALSE);
415
416 if (aStatus != SECSuccess)
417 {
418 PRIntn err = PR_GetError();
419 SAL_WARN("xmlsecurity.xmlsec", "Error: " << err << ": " << getCertError(err));
420 return nullptr;
421 }
422
423 aStatus = CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), pCERTCertificate, &aTrust);
424
425 if (aStatus != SECSuccess)
426 {
427 PRIntn err = PR_GetError();
428 SAL_WARN("xmlsecurity.xmlsec", "Error: " << err << ": " << getCertError(err));
429 return nullptr;
430 }
431
432 PK11_FreeSlot(pSlot);
433
434 rtl::Reference<X509Certificate_NssImpl> pX509Certificate = new X509Certificate_NssImpl();
435 pX509Certificate->setCert(pCERTCertificate);
436 return pX509Certificate;
437 }
438
439 rtl::Reference<X509Certificate_NssImpl> SecurityEnvironment_NssImpl::createX509CertificateFromDER(const css::uno::Sequence<sal_Int8>& aDerCertificate)
440 {
441 rtl::Reference<X509Certificate_NssImpl> pX509Certificate;
442
443 if (aDerCertificate.hasElements())
444 {
445 pX509Certificate = new X509Certificate_NssImpl();
446 if (pX509Certificate == nullptr)
447 throw RuntimeException();
448 pX509Certificate->setRawCert(aDerCertificate);
449 }
450 return pX509Certificate;
451 }
452
453 Reference<XCertificate> SecurityEnvironment_NssImpl::createCertificateFromRaw(const Sequence< sal_Int8 >& rawCertificate)
454 {
455 return createX509CertificateFromDER(rawCertificate);
456 }
457
458 Reference< XCertificate > SecurityEnvironment_NssImpl::createCertificateFromAscii( const OUString& asciiCertificate )
459 {
460 OString oscert = OUStringToOString( asciiCertificate , RTL_TEXTENCODING_ASCII_US ) ;
461 xmlChar* chCert = xmlStrndup( reinterpret_cast<const xmlChar*>(oscert.getStr()), static_cast<int>(oscert.getLength()) ) ;
462 xmlSecSize certSize;
463 int nRet = xmlSecBase64Decode_ex( chCert, reinterpret_cast<xmlSecByte*>(chCert), xmlStrlen( chCert ), &certSize ) ;
464 if (nRet < 0 || certSize == 0)
465 {
466 xmlFree(chCert);
467 return nullptr;
468 }
469
470 Sequence< sal_Int8 > rawCert(comphelper::arrayToSequence<sal_Int8>(chCert, certSize)) ;
471
472 xmlFree( chCert ) ;
473
474 return createCertificateFromRaw( rawCert ) ;
475 }
476
477 sal_Int32 SecurityEnvironment_NssImpl ::
478 verifyCertificate( const Reference< csss::XCertificate >& aCert,
479 const Sequence< Reference< csss::XCertificate > >& intermediateCerts )
480 {
481 sal_Int32 validity = csss::CertificateValidity::INVALID;
482 const CERTCertificate* cert ;
483
484 SAL_INFO("xmlsecurity.xmlsec", "Start verification of certificate: " << aCert->getSubjectName());
485
486 const X509Certificate_NssImpl* xcert = dynamic_cast<X509Certificate_NssImpl*>(aCert.get());
487 if( xcert == nullptr ) {
488 throw RuntimeException() ;
489 }
490
491 //CERT_PKIXVerifyCert does not take a db as argument. It will therefore
492 //internally use CERT_GetDefaultCertDB
493 //Make sure m_pHandler is the default DB
494 OSL_ASSERT(m_pHandler == CERT_GetDefaultCertDB());
495 CERTCertDBHandle * certDb = m_pHandler != nullptr ? m_pHandler : CERT_GetDefaultCertDB();
496 cert = xcert->getNssCert() ;
497 if( !cert )
498 return css::security::CertificateValidity::INVALID;
499
500
501 ::std::vector<CERTCertificate*> vecTmpNSSCertificates;
502
503 //prepare the intermediate certificates
504 for (const auto& rIntermediateCert : intermediateCerts)
505 {
506 Sequence<sal_Int8> der = rIntermediateCert->getEncoded();
507 SECItem item;
508 item.type = siBuffer;
509 item.data = reinterpret_cast<unsigned char*>(der.getArray());
510 item.len = der.getLength();
511
512 CERTCertificate* certTmp = CERT_NewTempCertificate(certDb, &item,
513 nullptr /* nickname */,
514 PR_FALSE /* isPerm */,
515 PR_TRUE /* copyDER */);
516 if (!certTmp)
517 {
518 SAL_INFO("xmlsecurity.xmlsec", "Failed to add a temporary certificate: " << rIntermediateCert->getIssuerName());
519
520 }
521 else
522 {
523 SAL_INFO("xmlsecurity.xmlsec", "Added temporary certificate: " <<
524 (certTmp->subjectName ? certTmp->subjectName : ""));
525 vecTmpNSSCertificates.push_back(certTmp);
526 }
527 }
528
529
530 SECStatus status ;
531
532 CERTVerifyLog log;
533 log.arena = PORT_NewArena(512);
534 log.head = log.tail = nullptr;
535 log.count = 0;
536
537 CERT_EnableOCSPChecking(certDb);
538 CERT_DisableOCSPDefaultResponder(certDb);
539 CERTValOutParam cvout[5];
540 CERTValInParam cvin[3];
541 int ncvinCount=0;
542
543 #if ( NSS_VMAJOR > 3 ) || ( NSS_VMAJOR == 3 && NSS_VMINOR > 12 ) || ( NSS_VMAJOR == 3 && NSS_VMINOR == 12 && NSS_VPATCH > 0 )
544 cvin[ncvinCount].type = cert_pi_useAIACertFetch;
545 cvin[ncvinCount].value.scalar.b = PR_TRUE;
546 ncvinCount++;
547 #endif
548
549 PRUint64 revFlagsLeaf[2];
550 PRUint64 revFlagsChain[2];
551 CERTRevocationFlags rev;
552 rev.leafTests.number_of_defined_methods = 2;
553 rev.leafTests.cert_rev_flags_per_method = revFlagsLeaf;
554 //the flags are defined in cert.h
555 //We check both leaf and chain.
556 //It is enough if one revocation method has fresh info,
557 //but at least one must have some. Otherwise validation fails.
558 //!!! using leaf test and CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE
559 // when validating a root certificate will result in "revoked". Usually
560 //there is no revocation information available for the root cert because
561 //it must be trusted anyway and it does itself issue revocation information.
562 //When we use the flag here and OOo shows the certification path then the root
563 //cert is invalid while all other can be valid. It would probably best if
564 //this interface method returned the whole chain.
565 //Otherwise we need to check if the certificate is self-signed and if it is
566 //then not use the flag when doing the leaf-test.
567 rev.leafTests.cert_rev_flags_per_method[cert_revocation_method_crl] =
568 CERT_REV_M_TEST_USING_THIS_METHOD
569 | CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE;
570 rev.leafTests.cert_rev_flags_per_method[cert_revocation_method_ocsp] =
571 CERT_REV_M_TEST_USING_THIS_METHOD
572 | CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE;
573 rev.leafTests.number_of_preferred_methods = 0;
574 rev.leafTests.preferred_methods = nullptr;
575 rev.leafTests.cert_rev_method_independent_flags =
576 CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST;
577
578 rev.chainTests.number_of_defined_methods = 2;
579 rev.chainTests.cert_rev_flags_per_method = revFlagsChain;
580 rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_crl] =
581 CERT_REV_M_TEST_USING_THIS_METHOD
582 | CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE;
583 rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_ocsp] =
584 CERT_REV_M_TEST_USING_THIS_METHOD
585 | CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE;
586 rev.chainTests.number_of_preferred_methods = 0;
587 rev.chainTests.preferred_methods = nullptr;
588 rev.chainTests.cert_rev_method_independent_flags =
589 CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST;
590
591
592 cvin[ncvinCount].type = cert_pi_revocationFlags;
593 cvin[ncvinCount].value.pointer.revocation = &rev;
594 ncvinCount++;
595 // does not work, not implemented yet in 3.12.4
596 // cvin[ncvinCount].type = cert_pi_keyusage;
597 // cvin[ncvinCount].value.scalar.ui = KU_DIGITAL_SIGNATURE;
598 // ncvinCount++;
599 cvin[ncvinCount].type = cert_pi_end;
600
601 cvout[0].type = cert_po_trustAnchor;
602 cvout[0].value.pointer.cert = nullptr;
603 cvout[1].type = cert_po_errorLog;
604 cvout[1].value.pointer.log = &log;
605 cvout[2].type = cert_po_end;
606
607 // We check SSL server certificates, CA certificates and signing certificates.
608 //
609 // ToDo check keyusage, looking at CERT_KeyUsageAndTypeForCertUsage (
610 // mozilla/security/nss/lib/certdb/certdb.c indicates that
611 // certificateUsageSSLClient, certificateUsageSSLServer and certificateUsageSSLCA
612 // are sufficient. They cover the key usages for digital signature, key agreement
613 // and encipherment and certificate signature
614
615 //never use the following usages because they are not checked properly
616 // certificateUsageUserCertImport
617 // certificateUsageVerifyCA
618 // certificateUsageAnyCA
619 // certificateUsageProtectedObjectSigner
620
621 UsageDescription arUsages[5];
622 arUsages[0] = UsageDescription( certificateUsageSSLClient, "certificateUsageSSLClient" );
623 arUsages[1] = UsageDescription( certificateUsageSSLServer, "certificateUsageSSLServer" );
624 arUsages[2] = UsageDescription( certificateUsageSSLCA, "certificateUsageSSLCA" );
625 arUsages[3] = UsageDescription( certificateUsageEmailSigner, "certificateUsageEmailSigner" );
626 arUsages[4] = UsageDescription( certificateUsageEmailRecipient, "certificateUsageEmailRecipient" );
627
628 int numUsages = std::size(arUsages);
629 for (int i = 0; i < numUsages; i++)
630 {
631 SAL_INFO("xmlsecurity.xmlsec", "Testing usage " << i+1 <<
632 " of " << numUsages << ": " <<
633 arUsages[i].description <<
634 " (0x" << std::hex << static_cast<int>(arUsages[i].usage) << ")" << std::dec);
635
636 status = CERT_PKIXVerifyCert(const_cast<CERTCertificate *>(cert), arUsages[i].usage,
637 cvin, cvout, nullptr);
638 if( status == SECSuccess )
639 {
640 SAL_INFO("xmlsecurity.xmlsec", "CERT_PKIXVerifyCert returned SECSuccess.");
641 //When an intermediate or root certificate is checked then we expect the usage
642 //certificateUsageSSLCA. This, however, will be only set when in the trust settings dialog
643 //the button "This certificate can identify websites" is checked. If for example only
644 //"This certificate can identify mail users" is set then the end certificate can
645 //be validated and the returned usage will contain certificateUsageEmailRecipient.
646 //But checking directly the root or intermediate certificate will fail. In the
647 //certificate path view the end certificate will be shown as valid but the others
648 //will be displayed as invalid.
649
650 validity = csss::CertificateValidity::VALID;
651 SAL_INFO("xmlsecurity.xmlsec", "Certificate is valid.");
652 CERTCertificate * issuerCert = cvout[0].value.pointer.cert;
653 if (issuerCert)
654 {
655 SAL_INFO("xmlsecurity.xmlsec", "Root certificate: " << issuerCert->subjectName);
656 CERT_DestroyCertificate(issuerCert);
657 };
658
659 break;
660 }
661 else
662 {
663 PRIntn err = PR_GetError();
664 SAL_INFO("xmlsecurity.xmlsec", "Error: " << err << ": " << getCertError(err));
665
666 /* Display validation results */
667 if ( log.count > 0)
668 {
669 CERTVerifyLogNode *node = nullptr;
670 printChainFailure(&log);
671
672 for (node = log.head; node; node = node->next) {
673 if (node->cert)
674 CERT_DestroyCertificate(node->cert);
675 }
676 log.head = log.tail = nullptr;
677 log.count = 0;
678 }
679 SAL_INFO("xmlsecurity.xmlsec", "Certificate is invalid.");
680 }
681 }
682
683 //Destroying the temporary certificates
684 for (auto& tmpCert : vecTmpNSSCertificates)
685 {
686 SAL_INFO("xmlsecurity.xmlsec", "Destroying temporary certificate");
687 CERT_DestroyCertificate(tmpCert);
688 }
689 PORT_FreeArena(log.arena, true);
690 return validity ;
691 }
692
693 sal_Int32 SecurityEnvironment_NssImpl::getCertificateCharacters(
694 const css::uno::Reference< css::security::XCertificate >& aCert ) {
695 sal_Int32 characters ;
696 const CERTCertificate* cert ;
697
698 const X509Certificate_NssImpl* xcert = dynamic_cast<X509Certificate_NssImpl*>(aCert.get());
699 if( xcert == nullptr ) {
700 throw RuntimeException() ;
701 }
702
703 cert = xcert->getNssCert() ;
704
705 characters = 0x00000000 ;
706
707 //Firstly, find out whether or not the cert is self-signed.
708 if( SECITEM_CompareItem( &(cert->derIssuer), &(cert->derSubject) ) == SECEqual ) {
709 characters |= css::security::CertificateCharacters::SELF_SIGNED ;
710 } else {
711 characters &= ~ css::security::CertificateCharacters::SELF_SIGNED ;
712 }
713
714 //Secondly, find out whether or not the cert has a private key.
715
716 /*
717 * i40394
718 *
719 * mmi : need to check whether the cert's slot is valid first
720 */
721 SECKEYPrivateKey* priKey = nullptr;
722
723 if (cert->slot != nullptr)
724 {
725 priKey = PK11_FindPrivateKeyFromCert( cert->slot, const_cast<CERTCertificate*>(cert), nullptr ) ;
726 }
727 if(priKey == nullptr)
728 {
729 for (auto& slot : m_Slots)
730 {
731 priKey = PK11_FindPrivateKeyFromCert(slot, const_cast<CERTCertificate*>(cert), nullptr);
732 if (priKey)
733 break;
734 }
735 }
736 if( priKey != nullptr ) {
737 characters |= css::security::CertificateCharacters::HAS_PRIVATE_KEY ;
738
739 SECKEY_DestroyPrivateKey( priKey ) ;
740 } else {
741 characters &= ~ css::security::CertificateCharacters::HAS_PRIVATE_KEY ;
742 }
743
744 return characters ;
745 }
746
747 rtl::Reference<X509Certificate_NssImpl> NssCertToXCert( CERTCertificate* cert )
748 {
749 if( cert != nullptr ) {
750 rtl::Reference<X509Certificate_NssImpl> xcert = new X509Certificate_NssImpl() ;
751 xcert->setCert( cert ) ;
752 return xcert;
753 }
754
755 return nullptr;
756 }
757
758 rtl::Reference<X509Certificate_NssImpl> NssPrivKeyToXCert( SECKEYPrivateKey* priKey )
759 {
760 if( priKey != nullptr ) {
761 rtl::Reference<X509Certificate_NssImpl> xcert;
762 CERTCertificate* cert = PK11_GetCertFromPrivateKey( priKey ) ;
763
764 if( cert != nullptr ) {
765 xcert = NssCertToXCert( cert ) ;
766 }
767
768 CERT_DestroyCertificate( cert ) ;
769 return xcert;
770 }
771
772 return nullptr;
773 }
774
775 xmlSecKeysMngrPtr SecurityEnvironment_NssImpl::createKeysManager() {
776
777 /*-
778 * The following lines is based on the private version of xmlSec-NSS
779 * crypto engine
780 */
781 int cSlots = m_Slots.size();
782 std::unique_ptr<PK11SlotInfo*[]> sarSlots(new PK11SlotInfo*[cSlots]);
783 PK11SlotInfo** slots = sarSlots.get();
784 int count = 0;
785 for (const auto& slot : m_Slots)
786 {
787 slots[count] = slot;
788 ++count;
789 }
790
791 xmlSecKeysMngrPtr pKeysMngr = xmlSecKeysMngrCreate();
792 if (!pKeysMngr)
793 throw RuntimeException();
794
795 if (xmlSecNssAppDefaultKeysMngrInit(pKeysMngr) < 0)
796 throw RuntimeException();
797
798 // Adopt the private key of the signing certificate, if it has any.
799 if (auto pCertificate
800 = dynamic_cast<X509Certificate_NssImpl*>(m_xSigningCertificate.get()))
801 {
802 SECKEYPrivateKey* pPrivateKey = SECKEY_CopyPrivateKey(pCertificate->getPrivateKey());
803 if (pPrivateKey)
804 {
805 xmlSecKeyDataPtr pKeyData = xmlSecNssPKIAdoptKey(pPrivateKey, nullptr);
806 xmlSecKeyPtr pKey = xmlSecKeyCreate();
807 xmlSecKeySetValue(pKey, pKeyData);
808 xmlSecNssAppDefaultKeysMngrAdoptKey(pKeysMngr, pKey);
809 }
810 else
811 {
812 SAL_WARN("xmlsecurity.xmlsec", "Can't get the private key from the certificate.");
813 }
814 }
815
816 return pKeysMngr;
817 }
818
819 void SecurityEnvironment_NssImpl::destroyKeysManager(xmlSecKeysMngrPtr pKeysMngr) {
820 if( pKeysMngr != nullptr ) {
821 xmlSecKeysMngrDestroy( pKeysMngr ) ;
822 }
823 }
824
825 SECKEYPrivateKey* SecurityEnvironment_NssImpl::insertPrivateKey(css::uno::Sequence<sal_Int8> const & raPrivateKey)
826 {
827 PK11SlotInfo* pSlot = PK11_GetInternalKeySlot();
828
829 if (!pSlot)
830 return nullptr;
831
832 SECItem aDerPrivateKeyInfo;
833 aDerPrivateKeyInfo.data = reinterpret_cast<unsigned char *>(const_cast<sal_Int8 *>(raPrivateKey.getConstArray()));
834 aDerPrivateKeyInfo.len = raPrivateKey.getLength();
835
836 const unsigned int aKeyUsage = KU_ALL;
837 SECKEYPrivateKey* pPrivateKey = nullptr;
838
839 bool bPermanent = PR_FALSE;
840 bool bPrivate = PR_TRUE;
841
842 SECStatus nStatus = PK11_ImportDERPrivateKeyInfoAndReturnKey(
843 pSlot, &aDerPrivateKeyInfo, nullptr, nullptr, bPermanent, bPrivate,
844 aKeyUsage, &pPrivateKey, nullptr);
845
846 if (nStatus != SECSuccess)
847 return nullptr;
848
849 PK11_FreeSlot(pSlot);
850
851 return pPrivateKey;
852 }
853
854 uno::Reference<security::XCertificate> SecurityEnvironment_NssImpl::createDERCertificateWithPrivateKey(
855 Sequence<sal_Int8> const & raDERCertificate, Sequence<sal_Int8> const & raPrivateKey)
856 {
857 SECKEYPrivateKey* pPrivateKey = insertPrivateKey(raPrivateKey);
858
859 if (!pPrivateKey)
860 return uno::Reference<security::XCertificate>();
861
862 return createAndAddCertificateFromPackage(raDERCertificate, u"TCu,TCu,TCu");
863 }
864
865 uno::Reference<security::XCertificate> SecurityEnvironment_NssImpl::addDERCertificateToTheDatabase(
866 uno::Sequence<sal_Int8> const & raDERCertificate, OUString const & raTrustString)
867 {
868 return createAndAddCertificateFromPackage(raDERCertificate, raTrustString);
869 }
870
871 extern "C" SAL_DLLPUBLIC_EXPORT uno::XInterface*
872 com_sun_star_xml_crypto_SecurityEnvironment_get_implementation(
873 uno::XComponentContext* /*pCtx*/, uno::Sequence<uno::Any> const& /*rSeq*/)
874 {
875 return cppu::acquire(new SecurityEnvironment_NssImpl);
876 }
877
878 /* vim:set shiftwidth=4 softtabstop=4 expandtab: */
FREE OFFICE SUITE