1 /* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
3 * This file is part of the LibreOffice project.
5 * This Source Code Form is subject to the terms of the Mozilla Public
6 * License, v. 2.0. If a copy of the MPL was not distributed with this
7 * file, You can obtain one at http://mozilla.org/MPL/2.0/.
9 * This file incorporates work covered by the following license notice:
11 * Licensed to the Apache Software Foundation (ASF) under one or more
12 * contributor license agreements. See the NOTICE file distributed
13 * with this work for additional information regarding copyright
14 * ownership. The ASF licenses this file to you under the Apache
15 * License, Version 2.0 (the "License"); you may not use this file
16 * except in compliance with the License. You may obtain a copy of
17 * the License at http://www.apache.org/licenses/LICENSE-2.0 .
27 #include <sal/config.h>
28 #include <osl/diagnose.h>
29 #include "securityenvironment_nssimpl.hxx"
30 #include <cppuhelper/supportsservice.hxx>
32 #include <rtl/ustrbuf.hxx>
33 #include <comphelper/processfactory.hxx>
34 #include <comphelper/docpasswordrequest.hxx>
35 #include <sal/log.hxx>
36 #include <com/sun/star/task/InteractionHandler.hpp>
39 #include <osl/thread.h>
40 #include <comphelper/sequence.hxx>
42 #include "x509certificate_nssimpl.hxx"
43 #include "secerror.hxx"
46 #include <xmlsec/base64.h>
47 #include <xmlsec/keysmngr.h>
48 #include <xmlsec/nss/app.h>
49 #include <xmlsec/nss/pkikeys.h>
51 // added for password exception
52 #include <com/sun/star/security/NoPasswordException.hpp>
53 #include <com/sun/star/security/CertificateCharacters.hpp>
54 #include <com/sun/star/security/CertificateValidity.hpp>
55 #include <com/sun/star/xml/crypto/NSSInitializer.hpp>
57 namespace csss
= ::com::sun::star::security
;
58 using namespace ::com::sun::star::security
;
59 using namespace com::sun::star
;
60 using namespace ::com::sun::star::uno
;
61 using namespace ::com::sun::star::lang
;
63 using ::com::sun::star::security::XCertificate
;
67 template <> struct default_delete
<PRArenaPool
>
69 void operator()(PRArenaPool
* ptr
) { PORT_FreeArena(ptr
, PR_FALSE
); }
73 static rtl::Reference
<X509Certificate_NssImpl
> NssCertToXCert( CERTCertificate
* cert
) ;
74 static rtl::Reference
<X509Certificate_NssImpl
> NssPrivKeyToXCert( SECKEYPrivateKey
* ) ;
78 struct UsageDescription
80 SECCertificateUsage usage
;
81 char const* description
;
84 : usage( certificateUsageCheckAllUsages
)
85 , description( nullptr )
88 UsageDescription( SECCertificateUsage i_usage
, char const* i_description
)
90 , description( i_description
)
96 static char* GetPasswordFunction( PK11SlotInfo
* pSlot
, PRBool bRetry
, void* /*arg*/ )
98 const uno::Reference
< uno::XComponentContext
>& xContext( ::comphelper::getProcessComponentContext() );
99 uno::Reference
< task::XInteractionHandler2
> xInteractionHandler(
100 task::InteractionHandler::createWithParent(xContext
, nullptr) );
102 task::PasswordRequestMode eMode
= bRetry
? task::PasswordRequestMode_PASSWORD_REENTER
: task::PasswordRequestMode_PASSWORD_ENTER
;
103 OUString passwordLabel
= xml::crypto::NSSInitializer::create(xContext
)->getNSSPath();
104 if (!passwordLabel
.isEmpty())
105 passwordLabel
= ": " + passwordLabel
;
106 passwordLabel
= OUString::createFromAscii(PK11_GetTokenName(pSlot
)) + passwordLabel
;
107 rtl::Reference
<::comphelper::DocPasswordRequest
> pPasswordRequest
= new ::comphelper::DocPasswordRequest(
108 ::comphelper::DocPasswordRequestType::Standard
, eMode
, passwordLabel
);
110 xInteractionHandler
->handle( pPasswordRequest
);
112 if ( pPasswordRequest
->isPassword() )
114 OString
aPassword(OUStringToOString(
115 pPasswordRequest
->getPassword(),
116 osl_getThreadTextEncoding()));
117 sal_Int32 nLen
= aPassword
.getLength();
118 char* pPassword
= static_cast<char*>(PORT_Alloc( nLen
+1 ) );
120 memcpy( pPassword
, aPassword
.getStr(), nLen
);
126 SecurityEnvironment_NssImpl::SecurityEnvironment_NssImpl() :
127 m_pHandler( nullptr ) {
128 PK11_SetPasswordFunc( GetPasswordFunction
) ;
131 SecurityEnvironment_NssImpl::~SecurityEnvironment_NssImpl() {
133 PK11_SetPasswordFunc( nullptr ) ;
135 for (auto& slot
: m_Slots
)
140 for( auto& symKey
: m_tSymKeyList
)
141 PK11_FreeSymKey( symKey
) ;
145 OUString SAL_CALL
SecurityEnvironment_NssImpl::getImplementationName() {
146 return u
"com.sun.star.xml.crypto.SecurityEnvironment"_ustr
;
150 sal_Bool SAL_CALL
SecurityEnvironment_NssImpl::supportsService( const OUString
& serviceName
) {
151 return cppu::supportsService(this, serviceName
);
155 Sequence
< OUString
> SAL_CALL
SecurityEnvironment_NssImpl::getSupportedServiceNames() {
156 Sequence
<OUString
> seqServiceNames
{ u
"com.sun.star.xml.crypto.SecurityEnvironment"_ustr
};
157 return seqServiceNames
;
160 OUString
SecurityEnvironment_NssImpl::getSecurityEnvironmentInformation()
163 for (auto& slot
: m_Slots
)
165 buff
.appendAscii(PK11_GetTokenName(slot
));
168 return buff
.makeStringAndClear();
171 void SecurityEnvironment_NssImpl::addCryptoSlot( PK11SlotInfo
* aSlot
)
173 PK11_ReferenceSlot(aSlot
);
174 m_Slots
.push_back(aSlot
);
177 //Could we have multiple cert dbs?
178 void SecurityEnvironment_NssImpl::setCertDb( CERTCertDBHandle
* aCertDb
) {
179 m_pHandler
= aCertDb
;
182 void SecurityEnvironment_NssImpl::adoptSymKey( PK11SymKey
* aSymKey
) {
183 if( aSymKey
== nullptr ) return;
185 //First try to find the key in the list
186 if (std::find(m_tSymKeyList
.begin(), m_tSymKeyList
.end(), aSymKey
) != m_tSymKeyList
.end())
189 //If we do not find the key in the list, add a new node
190 PK11SymKey
* symkey
= PK11_ReferenceSymKey( aSymKey
) ;
191 if( symkey
== nullptr )
192 throw RuntimeException() ;
195 m_tSymKeyList
.push_back( symkey
) ;
196 } catch ( Exception
& ) {
197 PK11_FreeSymKey( symkey
) ;
201 void SecurityEnvironment_NssImpl::updateSlots()
203 //In case new tokens are present then we can obtain the corresponding slot
204 std::scoped_lock
guard(m_mutex
);
207 m_tSymKeyList
.clear();
209 PK11SlotList
* slotList
= PK11_GetAllTokens( CKM_INVALID_MECHANISM
, PR_FALSE
, PR_FALSE
, nullptr ) ;
210 if( slotList
== nullptr )
213 for (PK11SlotListElement
* slotEle
= slotList
->head
; slotEle
!= nullptr; slotEle
= slotEle
->next
)
215 PK11SlotInfo
* pSlot
= slotEle
->slot
;
220 "xmlsecurity.xmlsec",
221 "Found a slot: SlotName=" << PK11_GetSlotName(pSlot
)
222 << ", TokenName=" << PK11_GetTokenName(pSlot
));
224 //The following code which is commented out checks if a slot, that is a smart card for example, is
225 // able to generate a symmetric key of type CKM_DES3_CBC. If this fails then this token
226 // will not be used. This key is possibly used for the encryption service. However, all
227 // interfaces and services used for public key signature and encryption are not published
228 // and the encryption is not used in OOo. Therefore it does not do any harm to remove
229 // this code, hence allowing smart cards which cannot generate this type of key.
231 // By doing this, the encryption may fail if a smart card is being used which does not
232 // support this key generation.
234 PK11SymKey
* pSymKey
= PK11_KeyGen( pSlot
, CKM_DES3_CBC
, nullptr, 128, nullptr ) ;
235 // if( pSymKey == NULL )
237 // PK11_FreeSlot( pSlot ) ;
238 // SAL_INFO( "xmlsecurity", "XMLSEC: Error - pSymKey is NULL" );
241 addCryptoSlot(pSlot
);
243 if (pSymKey
!= nullptr)
245 adoptSymKey( pSymKey
) ;
246 PK11_FreeSymKey( pSymKey
) ;
250 }// end of if(pSlot != NULL)
253 PK11_FreeSlotList(slotList
);
256 Sequence
< Reference
< XCertificate
> >
257 SecurityEnvironment_NssImpl::getPersonalCertificates()
259 std::vector
< rtl::Reference
<X509Certificate_NssImpl
> > certsList
;
262 //firstly, we try to find private keys in slot
263 for (auto& slot
: m_Slots
)
265 SECKEYPrivateKeyList
* priKeyList
;
267 if( PK11_NeedLogin(slot
) ) {
268 SECStatus nRet
= PK11_Authenticate(slot
, PR_TRUE
, nullptr);
269 //PK11_Authenticate may fail in case the a slot has not been initialized.
270 //this is the case if the user has a new profile, so that they have never
271 //added a personal certificate.
272 if( nRet
!= SECSuccess
&& PORT_GetError() != SEC_ERROR_IO
) {
273 throw NoPasswordException();
277 priKeyList
= PK11_ListPrivateKeysInSlot(slot
) ;
278 if( priKeyList
!= nullptr )
280 for (SECKEYPrivateKeyListNode
* curPri
= PRIVKEY_LIST_HEAD(priKeyList
);
281 !PRIVKEY_LIST_END( curPri
, priKeyList
) && curPri
!= nullptr;
282 curPri
= PRIVKEY_LIST_NEXT(curPri
))
284 rtl::Reference
<X509Certificate_NssImpl
> xcert
= NssPrivKeyToXCert( curPri
->key
) ;
285 if( xcert
!= nullptr )
286 certsList
.push_back( xcert
) ;
288 SECKEY_DestroyPrivateKeyList( priKeyList
) ;
294 if( !certsList
.empty() ) {
295 return comphelper::containerToSequence
<Reference
< XCertificate
>>(certsList
) ;
298 return Sequence
< Reference
< XCertificate
> > ();
301 Reference
< XCertificate
> SecurityEnvironment_NssImpl::getCertificate( const OUString
& issuerName
, const Sequence
< sal_Int8
>& serialNumber
)
306 rtl::Reference
<X509Certificate_NssImpl
> xcert
;
307 CERTIssuerAndSN issuerAndSN
;
308 CERTCertificate
* cert
;
312 std::unique_ptr
<PRArenaPool
> arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE
));
313 if( arena
== nullptr )
314 throw RuntimeException() ;
316 // Create cert info from issue and serial
317 OString ostr
= OUStringToOString( issuerName
, RTL_TEXTENCODING_UTF8
) ;
318 chIssuer
= PL_strndup( ostr
.getStr(), static_cast<int>(ostr
.getLength()) ) ;
319 nmIssuer
= CERT_AsciiToName( chIssuer
) ;
320 if( nmIssuer
== nullptr ) {
321 PL_strfree( chIssuer
) ;
322 return nullptr; // no need for exception cf. i40394
325 derIssuer
= SEC_ASN1EncodeItem( arena
.get(), nullptr, static_cast<void*>(nmIssuer
), SEC_ASN1_GET( CERT_NameTemplate
) ) ;
326 if( derIssuer
== nullptr ) {
327 PL_strfree( chIssuer
) ;
328 CERT_DestroyName( nmIssuer
) ;
329 throw RuntimeException() ;
332 memset( &issuerAndSN
, 0, sizeof( issuerAndSN
) ) ;
334 issuerAndSN
.derIssuer
.data
= derIssuer
->data
;
335 issuerAndSN
.derIssuer
.len
= derIssuer
->len
;
337 issuerAndSN
.serialNumber
.data
= reinterpret_cast<unsigned char *>(const_cast<sal_Int8
*>(serialNumber
.getConstArray()));
338 issuerAndSN
.serialNumber
.len
= serialNumber
.getLength() ;
340 cert
= CERT_FindCertByIssuerAndSN( m_pHandler
, &issuerAndSN
) ;
341 if( cert
!= nullptr ) {
342 xcert
= NssCertToXCert( cert
) ;
345 PL_strfree( chIssuer
) ;
346 CERT_DestroyName( nmIssuer
) ;
347 //SECITEM_FreeItem( derIssuer, PR_FALSE ) ;
348 CERT_DestroyCertificate( cert
) ;
353 Sequence
< Reference
< XCertificate
> > SecurityEnvironment_NssImpl::buildCertificatePath( const Reference
< XCertificate
>& begin
) {
355 X509Certificate_NssImpl
* xcert
= dynamic_cast<X509Certificate_NssImpl
*>(begin
.get());
356 if( xcert
== nullptr ) {
357 throw RuntimeException() ;
360 // Remember the signing certificate.
361 m_xSigningCertificate
= xcert
;
363 const CERTCertificate
* cert
= xcert
->getNssCert() ;
367 //Get the system clock time
368 int64 timeboundary
= PR_Now() ;
369 CERTCertList
* certChain
= CERT_GetCertChainFromCert( const_cast<CERTCertificate
*>(cert
), timeboundary
, certUsageAnyCA
) ;
374 std::vector
<uno::Reference
<security::XCertificate
>> aCertChain
;
376 for (CERTCertListNode
* node
= CERT_LIST_HEAD(certChain
); !CERT_LIST_END(node
, certChain
); node
= CERT_LIST_NEXT(node
)) {
377 rtl::Reference
<X509Certificate_NssImpl
> pCert
= new X509Certificate_NssImpl();
378 if( pCert
== nullptr ) {
379 CERT_DestroyCertList( certChain
) ;
380 throw RuntimeException() ;
383 pCert
->setCert( node
->cert
) ;
385 aCertChain
.push_back(pCert
);
388 CERT_DestroyCertList( certChain
) ;
390 return comphelper::containerToSequence(aCertChain
);
393 rtl::Reference
<X509Certificate_NssImpl
> SecurityEnvironment_NssImpl::createAndAddCertificateFromPackage(
394 const css::uno::Sequence
<sal_Int8
>& raDERCertificate
,
395 std::u16string_view raString
)
397 auto pCertificateBytes
= reinterpret_cast<char *>(const_cast<sal_Int8
*>(raDERCertificate
.getConstArray()));
398 CERTCertificate
* pCERTCertificate
= CERT_DecodeCertFromPackage(pCertificateBytes
, raDERCertificate
.getLength());
400 if (!pCERTCertificate
)
405 OString aTrustString
= OUStringToOString(raString
, RTL_TEXTENCODING_ASCII_US
);
406 CERTCertTrust aTrust
;
408 aStatus
= CERT_DecodeTrustString(&aTrust
, aTrustString
.getStr());
410 if (aStatus
!= SECSuccess
)
412 PRIntn err
= PR_GetError();
413 SAL_WARN("xmlsecurity.xmlsec", "Error: " << err
<< ": " << getCertError(err
));
417 PK11SlotInfo
* pSlot
= PK11_GetInternalKeySlot();
422 aStatus
= PK11_ImportCert(pSlot
, pCERTCertificate
, CK_INVALID_HANDLE
, nullptr, PR_FALSE
);
424 if (aStatus
!= SECSuccess
)
426 PRIntn err
= PR_GetError();
427 SAL_WARN("xmlsecurity.xmlsec", "Error: " << err
<< ": " << getCertError(err
));
431 aStatus
= CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), pCERTCertificate
, &aTrust
);
433 if (aStatus
!= SECSuccess
)
435 PRIntn err
= PR_GetError();
436 SAL_WARN("xmlsecurity.xmlsec", "Error: " << err
<< ": " << getCertError(err
));
440 PK11_FreeSlot(pSlot
);
442 rtl::Reference
<X509Certificate_NssImpl
> pX509Certificate
= new X509Certificate_NssImpl();
443 pX509Certificate
->setCert(pCERTCertificate
);
444 return pX509Certificate
;
447 rtl::Reference
<X509Certificate_NssImpl
> SecurityEnvironment_NssImpl::createX509CertificateFromDER(const css::uno::Sequence
<sal_Int8
>& aDerCertificate
)
449 rtl::Reference
<X509Certificate_NssImpl
> pX509Certificate
;
451 if (aDerCertificate
.hasElements())
453 pX509Certificate
= new X509Certificate_NssImpl();
454 if (pX509Certificate
== nullptr)
455 throw RuntimeException();
456 pX509Certificate
->setRawCert(aDerCertificate
);
458 return pX509Certificate
;
461 Reference
<XCertificate
> SecurityEnvironment_NssImpl::createCertificateFromRaw(const Sequence
< sal_Int8
>& rawCertificate
)
463 return createX509CertificateFromDER(rawCertificate
);
466 Reference
< XCertificate
> SecurityEnvironment_NssImpl::createCertificateFromAscii( const OUString
& asciiCertificate
)
468 OString oscert
= OUStringToOString( asciiCertificate
, RTL_TEXTENCODING_ASCII_US
) ;
469 xmlChar
* chCert
= xmlStrndup( reinterpret_cast<const xmlChar
*>(oscert
.getStr()), static_cast<int>(oscert
.getLength()) ) ;
471 int nRet
= xmlSecBase64Decode_ex( chCert
, reinterpret_cast<xmlSecByte
*>(chCert
), xmlStrlen( chCert
), &certSize
) ;
472 if (nRet
< 0 || certSize
== 0)
478 Sequence
< sal_Int8
> rawCert(comphelper::arrayToSequence
<sal_Int8
>(chCert
, certSize
)) ;
482 return createCertificateFromRaw( rawCert
) ;
485 sal_Int32
SecurityEnvironment_NssImpl ::
486 verifyCertificate( const Reference
< csss::XCertificate
>& aCert
,
487 const Sequence
< Reference
< csss::XCertificate
> >& intermediateCerts
)
489 sal_Int32 validity
= csss::CertificateValidity::INVALID
;
490 const CERTCertificate
* cert
;
492 SAL_INFO("xmlsecurity.xmlsec", "Start verification of certificate: " << aCert
->getSubjectName());
494 const X509Certificate_NssImpl
* xcert
= dynamic_cast<X509Certificate_NssImpl
*>(aCert
.get());
495 if( xcert
== nullptr ) {
496 throw RuntimeException() ;
499 //CERT_PKIXVerifyCert does not take a db as argument. It will therefore
500 //internally use CERT_GetDefaultCertDB
501 //Make sure m_pHandler is the default DB
502 OSL_ASSERT(m_pHandler
== CERT_GetDefaultCertDB());
503 CERTCertDBHandle
* certDb
= m_pHandler
!= nullptr ? m_pHandler
: CERT_GetDefaultCertDB();
504 cert
= xcert
->getNssCert() ;
506 return css::security::CertificateValidity::INVALID
;
509 ::std::vector
<CERTCertificate
*> vecTmpNSSCertificates
;
511 //prepare the intermediate certificates
512 for (const auto& rIntermediateCert
: intermediateCerts
)
514 Sequence
<sal_Int8
> der
= rIntermediateCert
->getEncoded();
516 item
.type
= siBuffer
;
517 item
.data
= reinterpret_cast<unsigned char*>(der
.getArray());
518 item
.len
= der
.getLength();
520 CERTCertificate
* certTmp
= CERT_NewTempCertificate(certDb
, &item
,
521 nullptr /* nickname */,
522 PR_FALSE
/* isPerm */,
523 PR_TRUE
/* copyDER */);
526 SAL_INFO("xmlsecurity.xmlsec", "Failed to add a temporary certificate: " << rIntermediateCert
->getIssuerName());
531 SAL_INFO("xmlsecurity.xmlsec", "Added temporary certificate: " <<
532 (certTmp
->subjectName
? certTmp
->subjectName
: ""));
533 vecTmpNSSCertificates
.push_back(certTmp
);
541 log
.arena
= PORT_NewArena(512);
542 log
.head
= log
.tail
= nullptr;
545 CERT_EnableOCSPChecking(certDb
);
546 CERT_DisableOCSPDefaultResponder(certDb
);
547 CERTValOutParam cvout
[5];
548 CERTValInParam cvin
[3];
551 #if ( NSS_VMAJOR > 3 ) || ( NSS_VMAJOR == 3 && NSS_VMINOR > 12 ) || ( NSS_VMAJOR == 3 && NSS_VMINOR == 12 && NSS_VPATCH > 0 )
552 cvin
[ncvinCount
].type
= cert_pi_useAIACertFetch
;
553 cvin
[ncvinCount
].value
.scalar
.b
= PR_TRUE
;
557 PRUint64 revFlagsLeaf
[2];
558 PRUint64 revFlagsChain
[2];
559 CERTRevocationFlags rev
;
560 rev
.leafTests
.number_of_defined_methods
= 2;
561 rev
.leafTests
.cert_rev_flags_per_method
= revFlagsLeaf
;
562 //the flags are defined in cert.h
563 //We check both leaf and chain.
564 //It is enough if one revocation method has fresh info,
565 //but at least one must have some. Otherwise validation fails.
566 //!!! using leaf test and CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE
567 // when validating a root certificate will result in "revoked". Usually
568 //there is no revocation information available for the root cert because
569 //it must be trusted anyway and it does itself issue revocation information.
570 //When we use the flag here and OOo shows the certification path then the root
571 //cert is invalid while all other can be valid. It would probably best if
572 //this interface method returned the whole chain.
573 //Otherwise we need to check if the certificate is self-signed and if it is
574 //then not use the flag when doing the leaf-test.
575 rev
.leafTests
.cert_rev_flags_per_method
[cert_revocation_method_crl
] =
576 CERT_REV_M_TEST_USING_THIS_METHOD
577 | CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE
;
578 rev
.leafTests
.cert_rev_flags_per_method
[cert_revocation_method_ocsp
] =
579 CERT_REV_M_TEST_USING_THIS_METHOD
580 | CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE
;
581 rev
.leafTests
.number_of_preferred_methods
= 0;
582 rev
.leafTests
.preferred_methods
= nullptr;
583 rev
.leafTests
.cert_rev_method_independent_flags
=
584 CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST
;
586 rev
.chainTests
.number_of_defined_methods
= 2;
587 rev
.chainTests
.cert_rev_flags_per_method
= revFlagsChain
;
588 rev
.chainTests
.cert_rev_flags_per_method
[cert_revocation_method_crl
] =
589 CERT_REV_M_TEST_USING_THIS_METHOD
590 | CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE
;
591 rev
.chainTests
.cert_rev_flags_per_method
[cert_revocation_method_ocsp
] =
592 CERT_REV_M_TEST_USING_THIS_METHOD
593 | CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE
;
594 rev
.chainTests
.number_of_preferred_methods
= 0;
595 rev
.chainTests
.preferred_methods
= nullptr;
596 rev
.chainTests
.cert_rev_method_independent_flags
=
597 CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST
;
600 cvin
[ncvinCount
].type
= cert_pi_revocationFlags
;
601 cvin
[ncvinCount
].value
.pointer
.revocation
= &rev
;
603 // does not work, not implemented yet in 3.12.4
604 // cvin[ncvinCount].type = cert_pi_keyusage;
605 // cvin[ncvinCount].value.scalar.ui = KU_DIGITAL_SIGNATURE;
607 cvin
[ncvinCount
].type
= cert_pi_end
;
609 cvout
[0].type
= cert_po_trustAnchor
;
610 cvout
[0].value
.pointer
.cert
= nullptr;
611 cvout
[1].type
= cert_po_errorLog
;
612 cvout
[1].value
.pointer
.log
= &log
;
613 cvout
[2].type
= cert_po_end
;
615 // We check SSL server certificates, CA certificates and signing certificates.
617 // ToDo check keyusage, looking at CERT_KeyUsageAndTypeForCertUsage (
618 // mozilla/security/nss/lib/certdb/certdb.c indicates that
619 // certificateUsageSSLClient, certificateUsageSSLServer and certificateUsageSSLCA
620 // are sufficient. They cover the key usages for digital signature, key agreement
621 // and encipherment and certificate signature
623 //never use the following usages because they are not checked properly
624 // certificateUsageUserCertImport
625 // certificateUsageVerifyCA
626 // certificateUsageAnyCA
627 // certificateUsageProtectedObjectSigner
629 UsageDescription arUsages
[5];
630 arUsages
[0] = UsageDescription( certificateUsageSSLClient
, "certificateUsageSSLClient" );
631 arUsages
[1] = UsageDescription( certificateUsageSSLServer
, "certificateUsageSSLServer" );
632 arUsages
[2] = UsageDescription( certificateUsageSSLCA
, "certificateUsageSSLCA" );
633 arUsages
[3] = UsageDescription( certificateUsageEmailSigner
, "certificateUsageEmailSigner" );
634 arUsages
[4] = UsageDescription( certificateUsageEmailRecipient
, "certificateUsageEmailRecipient" );
636 int numUsages
= std::size(arUsages
);
637 for (int i
= 0; i
< numUsages
; i
++)
639 SAL_INFO("xmlsecurity.xmlsec", "Testing usage " << i
+1 <<
640 " of " << numUsages
<< ": " <<
641 arUsages
[i
].description
<<
642 " (0x" << std::hex
<< static_cast<int>(arUsages
[i
].usage
) << ")" << std::dec
);
644 status
= CERT_PKIXVerifyCert(const_cast<CERTCertificate
*>(cert
), arUsages
[i
].usage
,
645 cvin
, cvout
, nullptr);
646 if( status
== SECSuccess
)
648 SAL_INFO("xmlsecurity.xmlsec", "CERT_PKIXVerifyCert returned SECSuccess.");
649 //When an intermediate or root certificate is checked then we expect the usage
650 //certificateUsageSSLCA. This, however, will be only set when in the trust settings dialog
651 //the button "This certificate can identify websites" is checked. If for example only
652 //"This certificate can identify mail users" is set then the end certificate can
653 //be validated and the returned usage will contain certificateUsageEmailRecipient.
654 //But checking directly the root or intermediate certificate will fail. In the
655 //certificate path view the end certificate will be shown as valid but the others
656 //will be displayed as invalid.
658 validity
= csss::CertificateValidity::VALID
;
659 SAL_INFO("xmlsecurity.xmlsec", "Certificate is valid.");
660 CERTCertificate
* issuerCert
= cvout
[0].value
.pointer
.cert
;
663 SAL_INFO("xmlsecurity.xmlsec", "Root certificate: " << issuerCert
->subjectName
);
664 CERT_DestroyCertificate(issuerCert
);
671 PRIntn err
= PR_GetError();
672 SAL_INFO("xmlsecurity.xmlsec", "Error: " << err
<< ": " << getCertError(err
));
674 /* Display validation results */
677 CERTVerifyLogNode
*node
= nullptr;
678 printChainFailure(&log
);
680 for (node
= log
.head
; node
; node
= node
->next
) {
682 CERT_DestroyCertificate(node
->cert
);
684 log
.head
= log
.tail
= nullptr;
687 SAL_INFO("xmlsecurity.xmlsec", "Certificate is invalid.");
691 //Destroying the temporary certificates
692 for (auto& tmpCert
: vecTmpNSSCertificates
)
694 SAL_INFO("xmlsecurity.xmlsec", "Destroying temporary certificate");
695 CERT_DestroyCertificate(tmpCert
);
697 PORT_FreeArena(log
.arena
, true);
701 sal_Int32
SecurityEnvironment_NssImpl::getCertificateCharacters(
702 const css::uno::Reference
< css::security::XCertificate
>& aCert
) {
703 sal_Int32 characters
;
704 const CERTCertificate
* cert
;
706 const X509Certificate_NssImpl
* xcert
= dynamic_cast<X509Certificate_NssImpl
*>(aCert
.get());
707 if( xcert
== nullptr ) {
708 throw RuntimeException() ;
711 cert
= xcert
->getNssCert() ;
713 characters
= 0x00000000 ;
715 //Firstly, find out whether or not the cert is self-signed.
716 if( SECITEM_CompareItem( &(cert
->derIssuer
), &(cert
->derSubject
) ) == SECEqual
) {
717 characters
|= css::security::CertificateCharacters::SELF_SIGNED
;
719 characters
&= ~ css::security::CertificateCharacters::SELF_SIGNED
;
722 //Secondly, find out whether or not the cert has a private key.
727 * mmi : need to check whether the cert's slot is valid first
729 SECKEYPrivateKey
* priKey
= nullptr;
731 if (cert
->slot
!= nullptr)
733 priKey
= PK11_FindPrivateKeyFromCert( cert
->slot
, const_cast<CERTCertificate
*>(cert
), nullptr ) ;
735 if(priKey
== nullptr)
737 for (auto& slot
: m_Slots
)
739 priKey
= PK11_FindPrivateKeyFromCert(slot
, const_cast<CERTCertificate
*>(cert
), nullptr);
744 if( priKey
!= nullptr ) {
745 characters
|= css::security::CertificateCharacters::HAS_PRIVATE_KEY
;
747 SECKEY_DestroyPrivateKey( priKey
) ;
749 characters
&= ~ css::security::CertificateCharacters::HAS_PRIVATE_KEY
;
755 rtl::Reference
<X509Certificate_NssImpl
> NssCertToXCert( CERTCertificate
* cert
)
757 if( cert
!= nullptr ) {
758 rtl::Reference
<X509Certificate_NssImpl
> xcert
= new X509Certificate_NssImpl() ;
759 xcert
->setCert( cert
) ;
766 rtl::Reference
<X509Certificate_NssImpl
> NssPrivKeyToXCert( SECKEYPrivateKey
* priKey
)
768 if( priKey
!= nullptr ) {
769 rtl::Reference
<X509Certificate_NssImpl
> xcert
;
770 CERTCertificate
* cert
= PK11_GetCertFromPrivateKey( priKey
) ;
772 if( cert
!= nullptr ) {
773 xcert
= NssCertToXCert( cert
) ;
776 CERT_DestroyCertificate( cert
) ;
783 xmlSecKeysMngrPtr
SecurityEnvironment_NssImpl::createKeysManager() {
786 * The following lines is based on the private version of xmlSec-NSS
789 int cSlots
= m_Slots
.size();
790 std::unique_ptr
<PK11SlotInfo
*[]> sarSlots(new PK11SlotInfo
*[cSlots
]);
791 PK11SlotInfo
** slots
= sarSlots
.get();
793 for (const auto& slot
: m_Slots
)
799 xmlSecKeysMngrPtr pKeysMngr
= xmlSecKeysMngrCreate();
801 throw RuntimeException();
803 if (xmlSecNssAppDefaultKeysMngrInit(pKeysMngr
) < 0)
804 throw RuntimeException();
806 // Adopt the private key of the signing certificate, if it has any.
807 if (m_xSigningCertificate
)
809 SECKEYPrivateKey
* pPrivateKey
= SECKEY_CopyPrivateKey(m_xSigningCertificate
->getPrivateKey());
812 xmlSecKeyDataPtr pKeyData
= xmlSecNssPKIAdoptKey(pPrivateKey
, nullptr);
813 xmlSecKeyPtr pKey
= xmlSecKeyCreate();
814 xmlSecKeySetValue(pKey
, pKeyData
);
815 xmlSecNssAppDefaultKeysMngrAdoptKey(pKeysMngr
, pKey
);
819 SAL_WARN("xmlsecurity.xmlsec", "Can't get the private key from the certificate.");
826 void SecurityEnvironment_NssImpl::destroyKeysManager(xmlSecKeysMngrPtr pKeysMngr
) {
827 if( pKeysMngr
!= nullptr ) {
828 xmlSecKeysMngrDestroy( pKeysMngr
) ;
832 SECKEYPrivateKey
* SecurityEnvironment_NssImpl::insertPrivateKey(css::uno::Sequence
<sal_Int8
> const & raPrivateKey
)
834 PK11SlotInfo
* pSlot
= PK11_GetInternalKeySlot();
839 SECItem aDerPrivateKeyInfo
;
840 aDerPrivateKeyInfo
.data
= reinterpret_cast<unsigned char *>(const_cast<sal_Int8
*>(raPrivateKey
.getConstArray()));
841 aDerPrivateKeyInfo
.len
= raPrivateKey
.getLength();
843 const unsigned int aKeyUsage
= KU_ALL
;
844 SECKEYPrivateKey
* pPrivateKey
= nullptr;
846 // If the import is not permanent, then later we won't be able to find the private key when
847 // searching for keys and signing will fail.
848 bool bPermanent
= PR_TRUE
;
849 bool bPrivate
= PR_TRUE
;
851 SECStatus nStatus
= PK11_ImportDERPrivateKeyInfoAndReturnKey(
852 pSlot
, &aDerPrivateKeyInfo
, nullptr, nullptr, bPermanent
, bPrivate
,
853 aKeyUsage
, &pPrivateKey
, nullptr);
855 if (nStatus
!= SECSuccess
)
858 PK11_FreeSlot(pSlot
);
863 uno::Reference
<security::XCertificate
> SecurityEnvironment_NssImpl::createDERCertificateWithPrivateKey(
864 Sequence
<sal_Int8
> const & raDERCertificate
, Sequence
<sal_Int8
> const & raPrivateKey
)
866 SECKEYPrivateKey
* pPrivateKey
= insertPrivateKey(raPrivateKey
);
869 return uno::Reference
<security::XCertificate
>();
871 return createAndAddCertificateFromPackage(raDERCertificate
, u
"TCu,TCu,TCu");
874 uno::Reference
<security::XCertificate
> SecurityEnvironment_NssImpl::addDERCertificateToTheDatabase(
875 uno::Sequence
<sal_Int8
> const & raDERCertificate
, OUString
const & raTrustString
)
877 return createAndAddCertificateFromPackage(raDERCertificate
, raTrustString
);
880 extern "C" SAL_DLLPUBLIC_EXPORT
uno::XInterface
*
881 com_sun_star_xml_crypto_SecurityEnvironment_get_implementation(
882 uno::XComponentContext
* /*pCtx*/, uno::Sequence
<uno::Any
> const& /*rSeq*/)
884 return cppu::acquire(new SecurityEnvironment_NssImpl
);
887 /* vim:set shiftwidth=4 softtabstop=4 expandtab: */