Gtk-WARNING gtktreestore.c:1047: Invalid column number 1 added to iter
[LibreOffice.git] / xmlsecurity / source / xmlsec / nss / securityenvironment_nssimpl.cxx
blob152657af292f0fd236c5a50afa4df718c309496c
1 /* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
2 /*
3 * This file is part of the LibreOffice project.
5 * This Source Code Form is subject to the terms of the Mozilla Public
6 * License, v. 2.0. If a copy of the MPL was not distributed with this
7 * file, You can obtain one at http://mozilla.org/MPL/2.0/.
9 * This file incorporates work covered by the following license notice:
11 * Licensed to the Apache Software Foundation (ASF) under one or more
12 * contributor license agreements. See the NOTICE file distributed
13 * with this work for additional information regarding copyright
14 * ownership. The ASF licenses this file to you under the Apache
15 * License, Version 2.0 (the "License"); you may not use this file
16 * except in compliance with the License. You may obtain a copy of
17 * the License at http://www.apache.org/licenses/LICENSE-2.0 .
20 #include "nssrenam.h"
21 #include <nss.h>
22 #include <cert.h>
23 #include <pk11pub.h>
24 #include <secerr.h>
25 #include <ocsp.h>
27 #include <sal/config.h>
28 #include <osl/diagnose.h>
29 #include "securityenvironment_nssimpl.hxx"
30 #include <cppuhelper/supportsservice.hxx>
32 #include <rtl/ustrbuf.hxx>
33 #include <comphelper/processfactory.hxx>
34 #include <comphelper/docpasswordrequest.hxx>
35 #include <sal/log.hxx>
36 #include <com/sun/star/task/InteractionHandler.hpp>
37 #include <vector>
38 #include <memory>
39 #include <osl/thread.h>
40 #include <comphelper/sequence.hxx>
42 #include "x509certificate_nssimpl.hxx"
43 #include "secerror.hxx"
44 #include <prerror.h>
45 #include <keyhi.h>
46 #include <xmlsec/base64.h>
47 #include <xmlsec/keysmngr.h>
48 #include <xmlsec/nss/app.h>
49 #include <xmlsec/nss/pkikeys.h>
51 // added for password exception
52 #include <com/sun/star/security/NoPasswordException.hpp>
53 #include <com/sun/star/security/CertificateCharacters.hpp>
54 #include <com/sun/star/security/CertificateValidity.hpp>
55 #include <com/sun/star/xml/crypto/NSSInitializer.hpp>
57 namespace csss = ::com::sun::star::security;
58 using namespace ::com::sun::star::security;
59 using namespace com::sun::star;
60 using namespace ::com::sun::star::uno ;
61 using namespace ::com::sun::star::lang ;
63 using ::com::sun::star::security::XCertificate ;
65 namespace std
67 template <> struct default_delete<PRArenaPool>
69 void operator()(PRArenaPool* ptr) { PORT_FreeArena(ptr, PR_FALSE); }
73 static rtl::Reference<X509Certificate_NssImpl> NssCertToXCert( CERTCertificate* cert ) ;
74 static rtl::Reference<X509Certificate_NssImpl> NssPrivKeyToXCert( SECKEYPrivateKey* ) ;
76 namespace {
78 struct UsageDescription
80 SECCertificateUsage usage;
81 char const* description;
83 UsageDescription()
84 : usage( certificateUsageCheckAllUsages )
85 , description( nullptr )
88 UsageDescription( SECCertificateUsage i_usage, char const* i_description )
89 : usage( i_usage )
90 , description( i_description )
96 static char* GetPasswordFunction( PK11SlotInfo* pSlot, PRBool bRetry, void* /*arg*/ )
98 const uno::Reference< uno::XComponentContext >& xContext( ::comphelper::getProcessComponentContext() );
99 uno::Reference < task::XInteractionHandler2 > xInteractionHandler(
100 task::InteractionHandler::createWithParent(xContext, nullptr) );
102 task::PasswordRequestMode eMode = bRetry ? task::PasswordRequestMode_PASSWORD_REENTER : task::PasswordRequestMode_PASSWORD_ENTER;
103 OUString passwordLabel = xml::crypto::NSSInitializer::create(xContext)->getNSSPath();
104 if (!passwordLabel.isEmpty())
105 passwordLabel = ": " + passwordLabel;
106 passwordLabel = OUString::createFromAscii(PK11_GetTokenName(pSlot)) + passwordLabel;
107 rtl::Reference<::comphelper::DocPasswordRequest> pPasswordRequest = new ::comphelper::DocPasswordRequest(
108 ::comphelper::DocPasswordRequestType::Standard, eMode, passwordLabel);
110 xInteractionHandler->handle( pPasswordRequest );
112 if ( pPasswordRequest->isPassword() )
114 OString aPassword(OUStringToOString(
115 pPasswordRequest->getPassword(),
116 osl_getThreadTextEncoding()));
117 sal_Int32 nLen = aPassword.getLength();
118 char* pPassword = static_cast<char*>(PORT_Alloc( nLen+1 ) );
119 pPassword[nLen] = 0;
120 memcpy( pPassword, aPassword.getStr(), nLen );
121 return pPassword;
123 return nullptr;
126 SecurityEnvironment_NssImpl::SecurityEnvironment_NssImpl() :
127 m_pHandler( nullptr ) {
128 PK11_SetPasswordFunc( GetPasswordFunction ) ;
131 SecurityEnvironment_NssImpl::~SecurityEnvironment_NssImpl() {
133 PK11_SetPasswordFunc( nullptr ) ;
135 for (auto& slot : m_Slots)
137 PK11_FreeSlot(slot);
140 for( auto& symKey : m_tSymKeyList )
141 PK11_FreeSymKey( symKey ) ;
144 /* XServiceInfo */
145 OUString SAL_CALL SecurityEnvironment_NssImpl::getImplementationName() {
146 return u"com.sun.star.xml.crypto.SecurityEnvironment"_ustr;
149 /* XServiceInfo */
150 sal_Bool SAL_CALL SecurityEnvironment_NssImpl::supportsService( const OUString& serviceName) {
151 return cppu::supportsService(this, serviceName);
154 /* XServiceInfo */
155 Sequence< OUString > SAL_CALL SecurityEnvironment_NssImpl::getSupportedServiceNames() {
156 Sequence<OUString> seqServiceNames{ u"com.sun.star.xml.crypto.SecurityEnvironment"_ustr };
157 return seqServiceNames;
160 OUString SecurityEnvironment_NssImpl::getSecurityEnvironmentInformation()
162 OUStringBuffer buff;
163 for (auto& slot : m_Slots)
165 buff.appendAscii(PK11_GetTokenName(slot));
166 buff.append("\n");
168 return buff.makeStringAndClear();
171 void SecurityEnvironment_NssImpl::addCryptoSlot( PK11SlotInfo* aSlot)
173 PK11_ReferenceSlot(aSlot);
174 m_Slots.push_back(aSlot);
177 //Could we have multiple cert dbs?
178 void SecurityEnvironment_NssImpl::setCertDb( CERTCertDBHandle* aCertDb ) {
179 m_pHandler = aCertDb ;
182 void SecurityEnvironment_NssImpl::adoptSymKey( PK11SymKey* aSymKey ) {
183 if( aSymKey == nullptr ) return;
185 //First try to find the key in the list
186 if (std::find(m_tSymKeyList.begin(), m_tSymKeyList.end(), aSymKey) != m_tSymKeyList.end())
187 return;
189 //If we do not find the key in the list, add a new node
190 PK11SymKey* symkey = PK11_ReferenceSymKey( aSymKey ) ;
191 if( symkey == nullptr )
192 throw RuntimeException() ;
194 try {
195 m_tSymKeyList.push_back( symkey ) ;
196 } catch ( Exception& ) {
197 PK11_FreeSymKey( symkey ) ;
201 void SecurityEnvironment_NssImpl::updateSlots()
203 //In case new tokens are present then we can obtain the corresponding slot
204 std::scoped_lock guard(m_mutex);
206 m_Slots.clear();
207 m_tSymKeyList.clear();
209 PK11SlotList * slotList = PK11_GetAllTokens( CKM_INVALID_MECHANISM, PR_FALSE, PR_FALSE, nullptr ) ;
210 if( slotList == nullptr )
211 return;
213 for (PK11SlotListElement* slotEle = slotList->head ; slotEle != nullptr; slotEle = slotEle->next)
215 PK11SlotInfo * pSlot = slotEle->slot ;
217 if(pSlot != nullptr)
219 SAL_INFO(
220 "xmlsecurity.xmlsec",
221 "Found a slot: SlotName=" << PK11_GetSlotName(pSlot)
222 << ", TokenName=" << PK11_GetTokenName(pSlot));
224 //The following code which is commented out checks if a slot, that is a smart card for example, is
225 // able to generate a symmetric key of type CKM_DES3_CBC. If this fails then this token
226 // will not be used. This key is possibly used for the encryption service. However, all
227 // interfaces and services used for public key signature and encryption are not published
228 // and the encryption is not used in OOo. Therefore it does not do any harm to remove
229 // this code, hence allowing smart cards which cannot generate this type of key.
231 // By doing this, the encryption may fail if a smart card is being used which does not
232 // support this key generation.
234 PK11SymKey * pSymKey = PK11_KeyGen( pSlot , CKM_DES3_CBC, nullptr, 128, nullptr ) ;
235 // if( pSymKey == NULL )
236 // {
237 // PK11_FreeSlot( pSlot ) ;
238 // SAL_INFO( "xmlsecurity", "XMLSEC: Error - pSymKey is NULL" );
239 // continue;
240 // }
241 addCryptoSlot(pSlot);
243 if (pSymKey != nullptr)
245 adoptSymKey( pSymKey ) ;
246 PK11_FreeSymKey( pSymKey ) ;
247 pSymKey = nullptr;
250 }// end of if(pSlot != NULL)
251 }// end of for
253 PK11_FreeSlotList(slotList);
256 Sequence< Reference < XCertificate > >
257 SecurityEnvironment_NssImpl::getPersonalCertificates()
259 std::vector< rtl::Reference<X509Certificate_NssImpl> > certsList ;
261 updateSlots();
262 //firstly, we try to find private keys in slot
263 for (auto& slot : m_Slots)
265 SECKEYPrivateKeyList* priKeyList ;
267 if( PK11_NeedLogin(slot ) ) {
268 SECStatus nRet = PK11_Authenticate(slot, PR_TRUE, nullptr);
269 //PK11_Authenticate may fail in case the a slot has not been initialized.
270 //this is the case if the user has a new profile, so that they have never
271 //added a personal certificate.
272 if( nRet != SECSuccess && PORT_GetError() != SEC_ERROR_IO) {
273 throw NoPasswordException();
277 priKeyList = PK11_ListPrivateKeysInSlot(slot) ;
278 if( priKeyList != nullptr )
280 for (SECKEYPrivateKeyListNode* curPri = PRIVKEY_LIST_HEAD(priKeyList);
281 !PRIVKEY_LIST_END( curPri, priKeyList ) && curPri != nullptr;
282 curPri = PRIVKEY_LIST_NEXT(curPri))
284 rtl::Reference<X509Certificate_NssImpl> xcert = NssPrivKeyToXCert( curPri->key ) ;
285 if( xcert != nullptr )
286 certsList.push_back( xcert ) ;
288 SECKEY_DestroyPrivateKeyList( priKeyList ) ;
294 if( !certsList.empty() ) {
295 return comphelper::containerToSequence<Reference< XCertificate >>(certsList) ;
298 return Sequence< Reference < XCertificate > > ();
301 Reference< XCertificate > SecurityEnvironment_NssImpl::getCertificate( const OUString& issuerName, const Sequence< sal_Int8 >& serialNumber )
303 if( !m_pHandler )
304 return nullptr;
306 rtl::Reference<X509Certificate_NssImpl> xcert;
307 CERTIssuerAndSN issuerAndSN ;
308 CERTCertificate* cert ;
309 CERTName* nmIssuer ;
310 char* chIssuer ;
311 SECItem* derIssuer ;
312 std::unique_ptr<PRArenaPool> arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
313 if( arena == nullptr )
314 throw RuntimeException() ;
316 // Create cert info from issue and serial
317 OString ostr = OUStringToOString( issuerName , RTL_TEXTENCODING_UTF8 ) ;
318 chIssuer = PL_strndup( ostr.getStr(), static_cast<int>(ostr.getLength()) ) ;
319 nmIssuer = CERT_AsciiToName( chIssuer ) ;
320 if( nmIssuer == nullptr ) {
321 PL_strfree( chIssuer ) ;
322 return nullptr; // no need for exception cf. i40394
325 derIssuer = SEC_ASN1EncodeItem( arena.get(), nullptr, static_cast<void*>(nmIssuer), SEC_ASN1_GET( CERT_NameTemplate ) ) ;
326 if( derIssuer == nullptr ) {
327 PL_strfree( chIssuer ) ;
328 CERT_DestroyName( nmIssuer ) ;
329 throw RuntimeException() ;
332 memset( &issuerAndSN, 0, sizeof( issuerAndSN ) ) ;
334 issuerAndSN.derIssuer.data = derIssuer->data ;
335 issuerAndSN.derIssuer.len = derIssuer->len ;
337 issuerAndSN.serialNumber.data = reinterpret_cast<unsigned char *>(const_cast<sal_Int8 *>(serialNumber.getConstArray()));
338 issuerAndSN.serialNumber.len = serialNumber.getLength() ;
340 cert = CERT_FindCertByIssuerAndSN( m_pHandler, &issuerAndSN ) ;
341 if( cert != nullptr ) {
342 xcert = NssCertToXCert( cert ) ;
345 PL_strfree( chIssuer ) ;
346 CERT_DestroyName( nmIssuer ) ;
347 //SECITEM_FreeItem( derIssuer, PR_FALSE ) ;
348 CERT_DestroyCertificate( cert ) ;
350 return xcert ;
353 Sequence< Reference < XCertificate > > SecurityEnvironment_NssImpl::buildCertificatePath( const Reference< XCertificate >& begin ) {
355 X509Certificate_NssImpl* xcert = dynamic_cast<X509Certificate_NssImpl*>(begin.get());
356 if( xcert == nullptr ) {
357 throw RuntimeException() ;
360 // Remember the signing certificate.
361 m_xSigningCertificate = xcert;
363 const CERTCertificate* cert = xcert->getNssCert() ;
364 if (!cert)
365 return {};
367 //Get the system clock time
368 int64 timeboundary = PR_Now() ;
369 CERTCertList* certChain = CERT_GetCertChainFromCert( const_cast<CERTCertificate*>(cert), timeboundary, certUsageAnyCA ) ;
371 if( !certChain )
372 return {};
374 std::vector<uno::Reference<security::XCertificate>> aCertChain;
376 for (CERTCertListNode* node = CERT_LIST_HEAD(certChain); !CERT_LIST_END(node, certChain); node = CERT_LIST_NEXT(node)) {
377 rtl::Reference<X509Certificate_NssImpl> pCert = new X509Certificate_NssImpl();
378 if( pCert == nullptr ) {
379 CERT_DestroyCertList( certChain ) ;
380 throw RuntimeException() ;
383 pCert->setCert( node->cert ) ;
385 aCertChain.push_back(pCert);
388 CERT_DestroyCertList( certChain ) ;
390 return comphelper::containerToSequence(aCertChain);
393 rtl::Reference<X509Certificate_NssImpl> SecurityEnvironment_NssImpl::createAndAddCertificateFromPackage(
394 const css::uno::Sequence<sal_Int8>& raDERCertificate,
395 std::u16string_view raString)
397 auto pCertificateBytes = reinterpret_cast<char *>(const_cast<sal_Int8 *>(raDERCertificate.getConstArray()));
398 CERTCertificate* pCERTCertificate = CERT_DecodeCertFromPackage(pCertificateBytes, raDERCertificate.getLength());
400 if (!pCERTCertificate)
401 return nullptr;
403 SECStatus aStatus;
405 OString aTrustString = OUStringToOString(raString, RTL_TEXTENCODING_ASCII_US);
406 CERTCertTrust aTrust;
408 aStatus = CERT_DecodeTrustString(&aTrust, aTrustString.getStr());
410 if (aStatus != SECSuccess)
412 PRIntn err = PR_GetError();
413 SAL_WARN("xmlsecurity.xmlsec", "Error: " << err << ": " << getCertError(err));
414 return nullptr;
417 PK11SlotInfo* pSlot = PK11_GetInternalKeySlot();
419 if (!pSlot)
420 return nullptr;
422 aStatus = PK11_ImportCert(pSlot, pCERTCertificate, CK_INVALID_HANDLE, nullptr, PR_FALSE);
424 if (aStatus != SECSuccess)
426 PRIntn err = PR_GetError();
427 SAL_WARN("xmlsecurity.xmlsec", "Error: " << err << ": " << getCertError(err));
428 return nullptr;
431 aStatus = CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), pCERTCertificate, &aTrust);
433 if (aStatus != SECSuccess)
435 PRIntn err = PR_GetError();
436 SAL_WARN("xmlsecurity.xmlsec", "Error: " << err << ": " << getCertError(err));
437 return nullptr;
440 PK11_FreeSlot(pSlot);
442 rtl::Reference<X509Certificate_NssImpl> pX509Certificate = new X509Certificate_NssImpl();
443 pX509Certificate->setCert(pCERTCertificate);
444 return pX509Certificate;
447 rtl::Reference<X509Certificate_NssImpl> SecurityEnvironment_NssImpl::createX509CertificateFromDER(const css::uno::Sequence<sal_Int8>& aDerCertificate)
449 rtl::Reference<X509Certificate_NssImpl> pX509Certificate;
451 if (aDerCertificate.hasElements())
453 pX509Certificate = new X509Certificate_NssImpl();
454 if (pX509Certificate == nullptr)
455 throw RuntimeException();
456 pX509Certificate->setRawCert(aDerCertificate);
458 return pX509Certificate;
461 Reference<XCertificate> SecurityEnvironment_NssImpl::createCertificateFromRaw(const Sequence< sal_Int8 >& rawCertificate)
463 return createX509CertificateFromDER(rawCertificate);
466 Reference< XCertificate > SecurityEnvironment_NssImpl::createCertificateFromAscii( const OUString& asciiCertificate )
468 OString oscert = OUStringToOString( asciiCertificate , RTL_TEXTENCODING_ASCII_US ) ;
469 xmlChar* chCert = xmlStrndup( reinterpret_cast<const xmlChar*>(oscert.getStr()), static_cast<int>(oscert.getLength()) ) ;
470 xmlSecSize certSize;
471 int nRet = xmlSecBase64Decode_ex( chCert, reinterpret_cast<xmlSecByte*>(chCert), xmlStrlen( chCert ), &certSize ) ;
472 if (nRet < 0 || certSize == 0)
474 xmlFree(chCert);
475 return nullptr;
478 Sequence< sal_Int8 > rawCert(comphelper::arrayToSequence<sal_Int8>(chCert, certSize)) ;
480 xmlFree( chCert ) ;
482 return createCertificateFromRaw( rawCert ) ;
485 sal_Int32 SecurityEnvironment_NssImpl ::
486 verifyCertificate( const Reference< csss::XCertificate >& aCert,
487 const Sequence< Reference< csss::XCertificate > >& intermediateCerts )
489 sal_Int32 validity = csss::CertificateValidity::INVALID;
490 const CERTCertificate* cert ;
492 SAL_INFO("xmlsecurity.xmlsec", "Start verification of certificate: " << aCert->getSubjectName());
494 const X509Certificate_NssImpl* xcert = dynamic_cast<X509Certificate_NssImpl*>(aCert.get());
495 if( xcert == nullptr ) {
496 throw RuntimeException() ;
499 //CERT_PKIXVerifyCert does not take a db as argument. It will therefore
500 //internally use CERT_GetDefaultCertDB
501 //Make sure m_pHandler is the default DB
502 OSL_ASSERT(m_pHandler == CERT_GetDefaultCertDB());
503 CERTCertDBHandle * certDb = m_pHandler != nullptr ? m_pHandler : CERT_GetDefaultCertDB();
504 cert = xcert->getNssCert() ;
505 if( !cert )
506 return css::security::CertificateValidity::INVALID;
509 ::std::vector<CERTCertificate*> vecTmpNSSCertificates;
511 //prepare the intermediate certificates
512 for (const auto& rIntermediateCert : intermediateCerts)
514 Sequence<sal_Int8> der = rIntermediateCert->getEncoded();
515 SECItem item;
516 item.type = siBuffer;
517 item.data = reinterpret_cast<unsigned char*>(der.getArray());
518 item.len = der.getLength();
520 CERTCertificate* certTmp = CERT_NewTempCertificate(certDb, &item,
521 nullptr /* nickname */,
522 PR_FALSE /* isPerm */,
523 PR_TRUE /* copyDER */);
524 if (!certTmp)
526 SAL_INFO("xmlsecurity.xmlsec", "Failed to add a temporary certificate: " << rIntermediateCert->getIssuerName());
529 else
531 SAL_INFO("xmlsecurity.xmlsec", "Added temporary certificate: " <<
532 (certTmp->subjectName ? certTmp->subjectName : ""));
533 vecTmpNSSCertificates.push_back(certTmp);
538 SECStatus status ;
540 CERTVerifyLog log;
541 log.arena = PORT_NewArena(512);
542 log.head = log.tail = nullptr;
543 log.count = 0;
545 CERT_EnableOCSPChecking(certDb);
546 CERT_DisableOCSPDefaultResponder(certDb);
547 CERTValOutParam cvout[5];
548 CERTValInParam cvin[3];
549 int ncvinCount=0;
551 #if ( NSS_VMAJOR > 3 ) || ( NSS_VMAJOR == 3 && NSS_VMINOR > 12 ) || ( NSS_VMAJOR == 3 && NSS_VMINOR == 12 && NSS_VPATCH > 0 )
552 cvin[ncvinCount].type = cert_pi_useAIACertFetch;
553 cvin[ncvinCount].value.scalar.b = PR_TRUE;
554 ncvinCount++;
555 #endif
557 PRUint64 revFlagsLeaf[2];
558 PRUint64 revFlagsChain[2];
559 CERTRevocationFlags rev;
560 rev.leafTests.number_of_defined_methods = 2;
561 rev.leafTests.cert_rev_flags_per_method = revFlagsLeaf;
562 //the flags are defined in cert.h
563 //We check both leaf and chain.
564 //It is enough if one revocation method has fresh info,
565 //but at least one must have some. Otherwise validation fails.
566 //!!! using leaf test and CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE
567 // when validating a root certificate will result in "revoked". Usually
568 //there is no revocation information available for the root cert because
569 //it must be trusted anyway and it does itself issue revocation information.
570 //When we use the flag here and OOo shows the certification path then the root
571 //cert is invalid while all other can be valid. It would probably best if
572 //this interface method returned the whole chain.
573 //Otherwise we need to check if the certificate is self-signed and if it is
574 //then not use the flag when doing the leaf-test.
575 rev.leafTests.cert_rev_flags_per_method[cert_revocation_method_crl] =
576 CERT_REV_M_TEST_USING_THIS_METHOD
577 | CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE;
578 rev.leafTests.cert_rev_flags_per_method[cert_revocation_method_ocsp] =
579 CERT_REV_M_TEST_USING_THIS_METHOD
580 | CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE;
581 rev.leafTests.number_of_preferred_methods = 0;
582 rev.leafTests.preferred_methods = nullptr;
583 rev.leafTests.cert_rev_method_independent_flags =
584 CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST;
586 rev.chainTests.number_of_defined_methods = 2;
587 rev.chainTests.cert_rev_flags_per_method = revFlagsChain;
588 rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_crl] =
589 CERT_REV_M_TEST_USING_THIS_METHOD
590 | CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE;
591 rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_ocsp] =
592 CERT_REV_M_TEST_USING_THIS_METHOD
593 | CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE;
594 rev.chainTests.number_of_preferred_methods = 0;
595 rev.chainTests.preferred_methods = nullptr;
596 rev.chainTests.cert_rev_method_independent_flags =
597 CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST;
600 cvin[ncvinCount].type = cert_pi_revocationFlags;
601 cvin[ncvinCount].value.pointer.revocation = &rev;
602 ncvinCount++;
603 // does not work, not implemented yet in 3.12.4
604 // cvin[ncvinCount].type = cert_pi_keyusage;
605 // cvin[ncvinCount].value.scalar.ui = KU_DIGITAL_SIGNATURE;
606 // ncvinCount++;
607 cvin[ncvinCount].type = cert_pi_end;
609 cvout[0].type = cert_po_trustAnchor;
610 cvout[0].value.pointer.cert = nullptr;
611 cvout[1].type = cert_po_errorLog;
612 cvout[1].value.pointer.log = &log;
613 cvout[2].type = cert_po_end;
615 // We check SSL server certificates, CA certificates and signing certificates.
617 // ToDo check keyusage, looking at CERT_KeyUsageAndTypeForCertUsage (
618 // mozilla/security/nss/lib/certdb/certdb.c indicates that
619 // certificateUsageSSLClient, certificateUsageSSLServer and certificateUsageSSLCA
620 // are sufficient. They cover the key usages for digital signature, key agreement
621 // and encipherment and certificate signature
623 //never use the following usages because they are not checked properly
624 // certificateUsageUserCertImport
625 // certificateUsageVerifyCA
626 // certificateUsageAnyCA
627 // certificateUsageProtectedObjectSigner
629 UsageDescription arUsages[5];
630 arUsages[0] = UsageDescription( certificateUsageSSLClient, "certificateUsageSSLClient" );
631 arUsages[1] = UsageDescription( certificateUsageSSLServer, "certificateUsageSSLServer" );
632 arUsages[2] = UsageDescription( certificateUsageSSLCA, "certificateUsageSSLCA" );
633 arUsages[3] = UsageDescription( certificateUsageEmailSigner, "certificateUsageEmailSigner" );
634 arUsages[4] = UsageDescription( certificateUsageEmailRecipient, "certificateUsageEmailRecipient" );
636 int numUsages = std::size(arUsages);
637 for (int i = 0; i < numUsages; i++)
639 SAL_INFO("xmlsecurity.xmlsec", "Testing usage " << i+1 <<
640 " of " << numUsages << ": " <<
641 arUsages[i].description <<
642 " (0x" << std::hex << static_cast<int>(arUsages[i].usage) << ")" << std::dec);
644 status = CERT_PKIXVerifyCert(const_cast<CERTCertificate *>(cert), arUsages[i].usage,
645 cvin, cvout, nullptr);
646 if( status == SECSuccess )
648 SAL_INFO("xmlsecurity.xmlsec", "CERT_PKIXVerifyCert returned SECSuccess.");
649 //When an intermediate or root certificate is checked then we expect the usage
650 //certificateUsageSSLCA. This, however, will be only set when in the trust settings dialog
651 //the button "This certificate can identify websites" is checked. If for example only
652 //"This certificate can identify mail users" is set then the end certificate can
653 //be validated and the returned usage will contain certificateUsageEmailRecipient.
654 //But checking directly the root or intermediate certificate will fail. In the
655 //certificate path view the end certificate will be shown as valid but the others
656 //will be displayed as invalid.
658 validity = csss::CertificateValidity::VALID;
659 SAL_INFO("xmlsecurity.xmlsec", "Certificate is valid.");
660 CERTCertificate * issuerCert = cvout[0].value.pointer.cert;
661 if (issuerCert)
663 SAL_INFO("xmlsecurity.xmlsec", "Root certificate: " << issuerCert->subjectName);
664 CERT_DestroyCertificate(issuerCert);
667 break;
669 else
671 PRIntn err = PR_GetError();
672 SAL_INFO("xmlsecurity.xmlsec", "Error: " << err << ": " << getCertError(err));
674 /* Display validation results */
675 if ( log.count > 0)
677 CERTVerifyLogNode *node = nullptr;
678 printChainFailure(&log);
680 for (node = log.head; node; node = node->next) {
681 if (node->cert)
682 CERT_DestroyCertificate(node->cert);
684 log.head = log.tail = nullptr;
685 log.count = 0;
687 SAL_INFO("xmlsecurity.xmlsec", "Certificate is invalid.");
691 //Destroying the temporary certificates
692 for (auto& tmpCert : vecTmpNSSCertificates)
694 SAL_INFO("xmlsecurity.xmlsec", "Destroying temporary certificate");
695 CERT_DestroyCertificate(tmpCert);
697 PORT_FreeArena(log.arena, true);
698 return validity ;
701 sal_Int32 SecurityEnvironment_NssImpl::getCertificateCharacters(
702 const css::uno::Reference< css::security::XCertificate >& aCert ) {
703 sal_Int32 characters ;
704 const CERTCertificate* cert ;
706 const X509Certificate_NssImpl* xcert = dynamic_cast<X509Certificate_NssImpl*>(aCert.get());
707 if( xcert == nullptr ) {
708 throw RuntimeException() ;
711 cert = xcert->getNssCert() ;
713 characters = 0x00000000 ;
715 //Firstly, find out whether or not the cert is self-signed.
716 if( SECITEM_CompareItem( &(cert->derIssuer), &(cert->derSubject) ) == SECEqual ) {
717 characters |= css::security::CertificateCharacters::SELF_SIGNED ;
718 } else {
719 characters &= ~ css::security::CertificateCharacters::SELF_SIGNED ;
722 //Secondly, find out whether or not the cert has a private key.
725 * i40394
727 * mmi : need to check whether the cert's slot is valid first
729 SECKEYPrivateKey* priKey = nullptr;
731 if (cert->slot != nullptr)
733 priKey = PK11_FindPrivateKeyFromCert( cert->slot, const_cast<CERTCertificate*>(cert), nullptr ) ;
735 if(priKey == nullptr)
737 for (auto& slot : m_Slots)
739 priKey = PK11_FindPrivateKeyFromCert(slot, const_cast<CERTCertificate*>(cert), nullptr);
740 if (priKey)
741 break;
744 if( priKey != nullptr ) {
745 characters |= css::security::CertificateCharacters::HAS_PRIVATE_KEY ;
747 SECKEY_DestroyPrivateKey( priKey ) ;
748 } else {
749 characters &= ~ css::security::CertificateCharacters::HAS_PRIVATE_KEY ;
752 return characters ;
755 rtl::Reference<X509Certificate_NssImpl> NssCertToXCert( CERTCertificate* cert )
757 if( cert != nullptr ) {
758 rtl::Reference<X509Certificate_NssImpl> xcert = new X509Certificate_NssImpl() ;
759 xcert->setCert( cert ) ;
760 return xcert;
763 return nullptr;
766 rtl::Reference<X509Certificate_NssImpl> NssPrivKeyToXCert( SECKEYPrivateKey* priKey )
768 if( priKey != nullptr ) {
769 rtl::Reference<X509Certificate_NssImpl> xcert;
770 CERTCertificate* cert = PK11_GetCertFromPrivateKey( priKey ) ;
772 if( cert != nullptr ) {
773 xcert = NssCertToXCert( cert ) ;
776 CERT_DestroyCertificate( cert ) ;
777 return xcert;
780 return nullptr;
783 xmlSecKeysMngrPtr SecurityEnvironment_NssImpl::createKeysManager() {
786 * The following lines is based on the private version of xmlSec-NSS
787 * crypto engine
789 int cSlots = m_Slots.size();
790 std::unique_ptr<PK11SlotInfo*[]> sarSlots(new PK11SlotInfo*[cSlots]);
791 PK11SlotInfo** slots = sarSlots.get();
792 int count = 0;
793 for (const auto& slot : m_Slots)
795 slots[count] = slot;
796 ++count;
799 xmlSecKeysMngrPtr pKeysMngr = xmlSecKeysMngrCreate();
800 if (!pKeysMngr)
801 throw RuntimeException();
803 if (xmlSecNssAppDefaultKeysMngrInit(pKeysMngr) < 0)
804 throw RuntimeException();
806 // Adopt the private key of the signing certificate, if it has any.
807 if (m_xSigningCertificate)
809 SECKEYPrivateKey* pPrivateKey = SECKEY_CopyPrivateKey(m_xSigningCertificate->getPrivateKey());
810 if (pPrivateKey)
812 xmlSecKeyDataPtr pKeyData = xmlSecNssPKIAdoptKey(pPrivateKey, nullptr);
813 xmlSecKeyPtr pKey = xmlSecKeyCreate();
814 xmlSecKeySetValue(pKey, pKeyData);
815 xmlSecNssAppDefaultKeysMngrAdoptKey(pKeysMngr, pKey);
817 else
819 SAL_WARN("xmlsecurity.xmlsec", "Can't get the private key from the certificate.");
823 return pKeysMngr;
826 void SecurityEnvironment_NssImpl::destroyKeysManager(xmlSecKeysMngrPtr pKeysMngr) {
827 if( pKeysMngr != nullptr ) {
828 xmlSecKeysMngrDestroy( pKeysMngr ) ;
832 SECKEYPrivateKey* SecurityEnvironment_NssImpl::insertPrivateKey(css::uno::Sequence<sal_Int8> const & raPrivateKey)
834 PK11SlotInfo* pSlot = PK11_GetInternalKeySlot();
836 if (!pSlot)
837 return nullptr;
839 SECItem aDerPrivateKeyInfo;
840 aDerPrivateKeyInfo.data = reinterpret_cast<unsigned char *>(const_cast<sal_Int8 *>(raPrivateKey.getConstArray()));
841 aDerPrivateKeyInfo.len = raPrivateKey.getLength();
843 const unsigned int aKeyUsage = KU_ALL;
844 SECKEYPrivateKey* pPrivateKey = nullptr;
846 // If the import is not permanent, then later we won't be able to find the private key when
847 // searching for keys and signing will fail.
848 bool bPermanent = PR_TRUE;
849 bool bPrivate = PR_TRUE;
851 SECStatus nStatus = PK11_ImportDERPrivateKeyInfoAndReturnKey(
852 pSlot, &aDerPrivateKeyInfo, nullptr, nullptr, bPermanent, bPrivate,
853 aKeyUsage, &pPrivateKey, nullptr);
855 if (nStatus != SECSuccess)
856 return nullptr;
858 PK11_FreeSlot(pSlot);
860 return pPrivateKey;
863 uno::Reference<security::XCertificate> SecurityEnvironment_NssImpl::createDERCertificateWithPrivateKey(
864 Sequence<sal_Int8> const & raDERCertificate, Sequence<sal_Int8> const & raPrivateKey)
866 SECKEYPrivateKey* pPrivateKey = insertPrivateKey(raPrivateKey);
868 if (!pPrivateKey)
869 return uno::Reference<security::XCertificate>();
871 return createAndAddCertificateFromPackage(raDERCertificate, u"TCu,TCu,TCu");
874 uno::Reference<security::XCertificate> SecurityEnvironment_NssImpl::addDERCertificateToTheDatabase(
875 uno::Sequence<sal_Int8> const & raDERCertificate, OUString const & raTrustString)
877 return createAndAddCertificateFromPackage(raDERCertificate, raTrustString);
880 extern "C" SAL_DLLPUBLIC_EXPORT uno::XInterface*
881 com_sun_star_xml_crypto_SecurityEnvironment_get_implementation(
882 uno::XComponentContext* /*pCtx*/, uno::Sequence<uno::Any> const& /*rSeq*/)
884 return cppu::acquire(new SecurityEnvironment_NssImpl);
887 /* vim:set shiftwidth=4 softtabstop=4 expandtab: */