search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
update dev300-m58
[ooovba.git] / xmlsecurity / source / xmlsec / nss / securityenvironment_nssimpl.cxx
blob533a94d0f28471871b143981b8ea9db972dc72b1
1 /*************************************************************************
2 *
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * Copyright 2008 by Sun Microsystems, Inc.
6 *
7 * OpenOffice.org - a multi-platform office productivity suite
8 *
9 * $RCSfile: securityenvironment_nssimpl.cxx,v $
10 * $Revision: 1.23 $
11 *
12 * This file is part of OpenOffice.org.
13 *
14 * OpenOffice.org is free software: you can redistribute it and/or modify
15 * it under the terms of the GNU Lesser General Public License version 3
16 * only, as published by the Free Software Foundation.
17 *
18 * OpenOffice.org is distributed in the hope that it will be useful,
19 * but WITHOUT ANY WARRANTY; without even the implied warranty of
20 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21 * GNU Lesser General Public License version 3 for more details
22 * (a copy is included in the LICENSE file that accompanied this code).
23 *
24 * You should have received a copy of the GNU Lesser General Public License
25 * version 3 along with OpenOffice.org. If not, see
26 * <http://www.openoffice.org/license.html>
27 * for a copy of the LGPLv3 License.
28 *
29 ************************************************************************/
30
31
32 // MARKER(update_precomp.py): autogen include statement, do not remove
33 #include "precompiled_xmlsecurity.hxx"
34
35 //todo before commit: nssrenam.h is not delivered!!!
36 #include "nssrenam.h"
37 #include "cert.h"
38 #include "secerr.h"
39
40 #include <sal/config.h>
41 #include "securityenvironment_nssimpl.hxx"
42 #include "x509certificate_nssimpl.hxx"
43 #include <rtl/uuid.h>
44
45
46 #include <sal/types.h>
47 //For reasons that escape me, this is what xmlsec does when size_t is not 4
48 #if SAL_TYPES_SIZEOFPOINTER != 4
49 # define XMLSEC_NO_SIZE_T
50 #endif
51 #include <xmlsec/xmlsec.h>
52 #include <xmlsec/keysmngr.h>
53 #include <xmlsec/crypto.h>
54 #include <xmlsec/base64.h>
55 #include <xmlsec/strings.h>
56
57 #include <tools/string.hxx>
58 #include <rtl/ustrbuf.hxx>
59 #include <comphelper/processfactory.hxx>
60 #include <cppuhelper/servicefactory.hxx>
61 #include <comphelper/docpasswordrequest.hxx>
62 #include <xmlsecurity/biginteger.hxx>
63 #include <rtl/logfile.h>
64 #include <com/sun/star/task/XInteractionHandler.hpp>
65 #include <vector>
66 #include "boost/scoped_array.hpp"
67
68 // MM : added for password exception
69 #include <com/sun/star/security/NoPasswordException.hpp>
70 namespace csss = ::com::sun::star::security;
71 using namespace ::com::sun::star::security;
72 using namespace com::sun::star;
73 using namespace ::com::sun::star::uno ;
74 using namespace ::com::sun::star::lang ;
75 using ::com::sun::star::lang::XMultiServiceFactory ;
76 using ::com::sun::star::lang::XSingleServiceFactory ;
77 using ::rtl::OUString ;
78
79 using ::com::sun::star::xml::crypto::XSecurityEnvironment ;
80 using ::com::sun::star::security::XCertificate ;
81
82 extern X509Certificate_NssImpl* NssCertToXCert( CERTCertificate* cert ) ;
83 extern X509Certificate_NssImpl* NssPrivKeyToXCert( SECKEYPrivateKey* ) ;
84
85
86 char* GetPasswordFunction( PK11SlotInfo* pSlot, PRBool bRetry, void* /*arg*/ )
87 {
88 uno::Reference< lang::XMultiServiceFactory > xMSF( ::comphelper::getProcessServiceFactory() );
89 if ( xMSF.is() )
90 {
91 uno::Reference < task::XInteractionHandler > xInteractionHandler(
92 xMSF->createInstance( rtl::OUString::createFromAscii("com.sun.star.task.InteractionHandler") ), uno::UNO_QUERY );
93
94 if ( xInteractionHandler.is() )
95 {
96 task::PasswordRequestMode eMode = bRetry ? task::PasswordRequestMode_PASSWORD_REENTER : task::PasswordRequestMode_PASSWORD_ENTER;
97 ::comphelper::DocPasswordRequest* pPasswordRequest = new ::comphelper::DocPasswordRequest(
98 ::comphelper::DocPasswordRequestType_STANDARD, eMode, ::rtl::OUString::createFromAscii(PK11_GetTokenName(pSlot)) );
99
100 uno::Reference< task::XInteractionRequest > xRequest( pPasswordRequest );
101 xInteractionHandler->handle( xRequest );
102
103 if ( pPasswordRequest->isPassword() )
104 {
105 ByteString aPassword = ByteString( String( pPasswordRequest->getPassword() ), gsl_getSystemTextEncoding() );
106 USHORT nLen = aPassword.Len();
107 char* pPassword = (char*) PORT_Alloc( nLen+1 ) ;
108 pPassword[nLen] = 0;
109 memcpy( pPassword, aPassword.GetBuffer(), nLen );
110 return pPassword;
111 }
112 }
113 }
114 return NULL;
115 }
116
117 SecurityEnvironment_NssImpl :: SecurityEnvironment_NssImpl( const Reference< XMultiServiceFactory >& ) :
118 m_pHandler( NULL ) , m_tSymKeyList() , m_tPubKeyList() , m_tPriKeyList() {
119
120 PK11_SetPasswordFunc( GetPasswordFunction ) ;
121 }
122
123 SecurityEnvironment_NssImpl :: ~SecurityEnvironment_NssImpl() {
124
125 PK11_SetPasswordFunc( NULL ) ;
126
127 for (CIT_SLOTS i = m_Slots.begin(); i != m_Slots.end(); i++)
128 {
129 PK11_FreeSlot(*i);
130 }
131
132 if( !m_tSymKeyList.empty() ) {
133 std::list< PK11SymKey* >::iterator symKeyIt ;
134
135 for( symKeyIt = m_tSymKeyList.begin() ; symKeyIt != m_tSymKeyList.end() ; symKeyIt ++ )
136 PK11_FreeSymKey( *symKeyIt ) ;
137 }
138
139 if( !m_tPubKeyList.empty() ) {
140 std::list< SECKEYPublicKey* >::iterator pubKeyIt ;
141
142 for( pubKeyIt = m_tPubKeyList.begin() ; pubKeyIt != m_tPubKeyList.end() ; pubKeyIt ++ )
143 SECKEY_DestroyPublicKey( *pubKeyIt ) ;
144 }
145
146 if( !m_tPriKeyList.empty() ) {
147 std::list< SECKEYPrivateKey* >::iterator priKeyIt ;
148
149 for( priKeyIt = m_tPriKeyList.begin() ; priKeyIt != m_tPriKeyList.end() ; priKeyIt ++ )
150 SECKEY_DestroyPrivateKey( *priKeyIt ) ;
151 }
152 }
153
154 /* XInitialization */
155 void SAL_CALL SecurityEnvironment_NssImpl :: initialize( const Sequence< Any >& ) throw( Exception, RuntimeException ) {
156 // TBD
157 } ;
158
159 /* XServiceInfo */
160 OUString SAL_CALL SecurityEnvironment_NssImpl :: getImplementationName() throw( RuntimeException ) {
161 return impl_getImplementationName() ;
162 }
163
164 /* XServiceInfo */
165 sal_Bool SAL_CALL SecurityEnvironment_NssImpl :: supportsService( const OUString& serviceName) throw( RuntimeException ) {
166 Sequence< OUString > seqServiceNames = getSupportedServiceNames() ;
167 const OUString* pArray = seqServiceNames.getConstArray() ;
168 for( sal_Int32 i = 0 ; i < seqServiceNames.getLength() ; i ++ ) {
169 if( *( pArray + i ) == serviceName )
170 return sal_True ;
171 }
172 return sal_False ;
173 }
174
175 /* XServiceInfo */
176 Sequence< OUString > SAL_CALL SecurityEnvironment_NssImpl :: getSupportedServiceNames() throw( RuntimeException ) {
177 return impl_getSupportedServiceNames() ;
178 }
179
180 //Helper for XServiceInfo
181 Sequence< OUString > SecurityEnvironment_NssImpl :: impl_getSupportedServiceNames() {
182 ::osl::Guard< ::osl::Mutex > aGuard( ::osl::Mutex::getGlobalMutex() ) ;
183 Sequence< OUString > seqServiceNames( 1 ) ;
184 seqServiceNames.getArray()[0] = OUString::createFromAscii( "com.sun.star.xml.crypto.SecurityEnvironment" ) ;
185 return seqServiceNames ;
186 }
187
188 OUString SecurityEnvironment_NssImpl :: impl_getImplementationName() throw( RuntimeException ) {
189 return OUString::createFromAscii( "com.sun.star.xml.security.bridge.xmlsec.SecurityEnvironment_NssImpl" ) ;
190 }
191
192 //Helper for registry
193 Reference< XInterface > SAL_CALL SecurityEnvironment_NssImpl :: impl_createInstance( const Reference< XMultiServiceFactory >& aServiceManager ) throw( RuntimeException ) {
194 return Reference< XInterface >( *new SecurityEnvironment_NssImpl( aServiceManager ) ) ;
195 }
196
197 Reference< XSingleServiceFactory > SecurityEnvironment_NssImpl :: impl_createFactory( const Reference< XMultiServiceFactory >& aServiceManager ) {
198 //Reference< XSingleServiceFactory > xFactory ;
199 //xFactory = ::cppu::createSingleFactory( aServiceManager , impl_getImplementationName , impl_createInstance , impl_getSupportedServiceNames ) ;
200 //return xFactory ;
201 return ::cppu::createSingleFactory( aServiceManager , impl_getImplementationName() , impl_createInstance , impl_getSupportedServiceNames() ) ;
202 }
203
204 /* XUnoTunnel */
205 sal_Int64 SAL_CALL SecurityEnvironment_NssImpl :: getSomething( const Sequence< sal_Int8 >& aIdentifier )
206 throw( RuntimeException )
207 {
208 if( aIdentifier.getLength() == 16 && 0 == rtl_compareMemory( getUnoTunnelId().getConstArray(), aIdentifier.getConstArray(), 16 ) ) {
209 return sal::static_int_cast<sal_Int64>(reinterpret_cast<sal_uIntPtr>(this));
210 }
211 return 0 ;
212 }
213
214 /* XUnoTunnel extension */
215 const Sequence< sal_Int8>& SecurityEnvironment_NssImpl :: getUnoTunnelId() {
216 static Sequence< sal_Int8 >* pSeq = 0 ;
217 if( !pSeq ) {
218 ::osl::Guard< ::osl::Mutex > aGuard( ::osl::Mutex::getGlobalMutex() ) ;
219 if( !pSeq ) {
220 static Sequence< sal_Int8> aSeq( 16 ) ;
221 rtl_createUuid( ( sal_uInt8* )aSeq.getArray() , 0 , sal_True ) ;
222 pSeq = &aSeq ;
223 }
224 }
225 return *pSeq ;
226 }
227
228 /* XUnoTunnel extension */
229 SecurityEnvironment_NssImpl* SecurityEnvironment_NssImpl :: getImplementation( const Reference< XInterface > xObj ) {
230 Reference< XUnoTunnel > xUT( xObj , UNO_QUERY ) ;
231 if( xUT.is() ) {
232 return reinterpret_cast<SecurityEnvironment_NssImpl*>(
233 sal::static_int_cast<sal_uIntPtr>(xUT->getSomething( getUnoTunnelId() ))) ;
234 } else
235 return NULL ;
236 }
237
238
239 ::rtl::OUString SecurityEnvironment_NssImpl::getSecurityEnvironmentInformation() throw( ::com::sun::star::uno::RuntimeException )
240 {
241 rtl::OUString result;
242 ::rtl::OUStringBuffer buff;
243 for (CIT_SLOTS is = m_Slots.begin(); is != m_Slots.end(); is++)
244 {
245 buff.append(rtl::OUString::createFromAscii(PK11_GetTokenName(*is)));
246 buff.appendAscii("\n");
247 }
248 return buff.makeStringAndClear();
249 }
250
251 void SecurityEnvironment_NssImpl::addCryptoSlot( PK11SlotInfo* aSlot) throw( Exception , RuntimeException )
252 {
253 PK11_ReferenceSlot(aSlot);
254 m_Slots.push_back(aSlot);
255 }
256
257 CERTCertDBHandle* SecurityEnvironment_NssImpl :: getCertDb() throw( Exception , RuntimeException ) {
258 return m_pHandler ;
259 }
260
261 //Could we have multiple cert dbs?
262 void SecurityEnvironment_NssImpl :: setCertDb( CERTCertDBHandle* aCertDb ) throw( Exception , RuntimeException ) {
263 m_pHandler = aCertDb ;
264 }
265
266 void SecurityEnvironment_NssImpl :: adoptSymKey( PK11SymKey* aSymKey ) throw( Exception , RuntimeException ) {
267 PK11SymKey* symkey ;
268 std::list< PK11SymKey* >::iterator keyIt ;
269
270 if( aSymKey != NULL ) {
271 //First try to find the key in the list
272 for( keyIt = m_tSymKeyList.begin() ; keyIt != m_tSymKeyList.end() ; keyIt ++ ) {
273 if( *keyIt == aSymKey )
274 return ;
275 }
276
277 //If we do not find the key in the list, add a new node
278 symkey = PK11_ReferenceSymKey( aSymKey ) ;
279 if( symkey == NULL )
280 throw RuntimeException() ;
281
282 try {
283 m_tSymKeyList.push_back( symkey ) ;
284 } catch ( Exception& ) {
285 PK11_FreeSymKey( symkey ) ;
286 }
287 }
288 }
289
290 void SecurityEnvironment_NssImpl :: rejectSymKey( PK11SymKey* aSymKey ) throw( Exception , RuntimeException ) {
291 PK11SymKey* symkey ;
292 std::list< PK11SymKey* >::iterator keyIt ;
293
294 if( aSymKey != NULL ) {
295 for( keyIt = m_tSymKeyList.begin() ; keyIt != m_tSymKeyList.end() ; keyIt ++ ) {
296 if( *keyIt == aSymKey ) {
297 symkey = *keyIt ;
298 PK11_FreeSymKey( symkey ) ;
299 m_tSymKeyList.erase( keyIt ) ;
300 break ;
301 }
302 }
303 }
304 }
305
306 PK11SymKey* SecurityEnvironment_NssImpl :: getSymKey( unsigned int position ) throw( Exception , RuntimeException ) {
307 PK11SymKey* symkey ;
308 std::list< PK11SymKey* >::iterator keyIt ;
309 unsigned int pos ;
310
311 symkey = NULL ;
312 for( pos = 0, keyIt = m_tSymKeyList.begin() ; pos < position && keyIt != m_tSymKeyList.end() ; pos ++ , keyIt ++ ) ;
313
314 if( pos == position && keyIt != m_tSymKeyList.end() )
315 symkey = *keyIt ;
316
317 return symkey ;
318 }
319
320 void SecurityEnvironment_NssImpl :: adoptPubKey( SECKEYPublicKey* aPubKey ) throw( Exception , RuntimeException ) {
321 SECKEYPublicKey* pubkey ;
322 std::list< SECKEYPublicKey* >::iterator keyIt ;
323
324 if( aPubKey != NULL ) {
325 //First try to find the key in the list
326 for( keyIt = m_tPubKeyList.begin() ; keyIt != m_tPubKeyList.end() ; keyIt ++ ) {
327 if( *keyIt == aPubKey )
328 return ;
329 }
330
331 //If we do not find the key in the list, add a new node
332 pubkey = SECKEY_CopyPublicKey( aPubKey ) ;
333 if( pubkey == NULL )
334 throw RuntimeException() ;
335
336 try {
337 m_tPubKeyList.push_back( pubkey ) ;
338 } catch ( Exception& ) {
339 SECKEY_DestroyPublicKey( pubkey ) ;
340 }
341 }
342 }
343
344 void SecurityEnvironment_NssImpl :: rejectPubKey( SECKEYPublicKey* aPubKey ) throw( Exception , RuntimeException ) {
345 SECKEYPublicKey* pubkey ;
346 std::list< SECKEYPublicKey* >::iterator keyIt ;
347
348 if( aPubKey != NULL ) {
349 for( keyIt = m_tPubKeyList.begin() ; keyIt != m_tPubKeyList.end() ; keyIt ++ ) {
350 if( *keyIt == aPubKey ) {
351 pubkey = *keyIt ;
352 SECKEY_DestroyPublicKey( pubkey ) ;
353 m_tPubKeyList.erase( keyIt ) ;
354 break ;
355 }
356 }
357 }
358 }
359
360 SECKEYPublicKey* SecurityEnvironment_NssImpl :: getPubKey( unsigned int position ) throw( Exception , RuntimeException ) {
361 SECKEYPublicKey* pubkey ;
362 std::list< SECKEYPublicKey* >::iterator keyIt ;
363 unsigned int pos ;
364
365 pubkey = NULL ;
366 for( pos = 0, keyIt = m_tPubKeyList.begin() ; pos < position && keyIt != m_tPubKeyList.end() ; pos ++ , keyIt ++ ) ;
367
368 if( pos == position && keyIt != m_tPubKeyList.end() )
369 pubkey = *keyIt ;
370
371 return pubkey ;
372 }
373
374 void SecurityEnvironment_NssImpl :: adoptPriKey( SECKEYPrivateKey* aPriKey ) throw( Exception , RuntimeException ) {
375 SECKEYPrivateKey* prikey ;
376 std::list< SECKEYPrivateKey* >::iterator keyIt ;
377
378 if( aPriKey != NULL ) {
379 //First try to find the key in the list
380 for( keyIt = m_tPriKeyList.begin() ; keyIt != m_tPriKeyList.end() ; keyIt ++ ) {
381 if( *keyIt == aPriKey )
382 return ;
383 }
384
385 //If we do not find the key in the list, add a new node
386 prikey = SECKEY_CopyPrivateKey( aPriKey ) ;
387 if( prikey == NULL )
388 throw RuntimeException() ;
389
390 try {
391 m_tPriKeyList.push_back( prikey ) ;
392 } catch ( Exception& ) {
393 SECKEY_DestroyPrivateKey( prikey ) ;
394 }
395 }
396 }
397
398 void SecurityEnvironment_NssImpl :: rejectPriKey( SECKEYPrivateKey* aPriKey ) throw( Exception , RuntimeException ) {
399 SECKEYPrivateKey* prikey ;
400 std::list< SECKEYPrivateKey* >::iterator keyIt ;
401
402 if( aPriKey != NULL ) {
403 for( keyIt = m_tPriKeyList.begin() ; keyIt != m_tPriKeyList.end() ; keyIt ++ ) {
404 if( *keyIt == aPriKey ) {
405 prikey = *keyIt ;
406 SECKEY_DestroyPrivateKey( prikey ) ;
407 m_tPriKeyList.erase( keyIt ) ;
408 break ;
409 }
410 }
411 }
412 }
413
414 SECKEYPrivateKey* SecurityEnvironment_NssImpl :: getPriKey( unsigned int position ) throw( ::com::sun::star::uno::Exception , ::com::sun::star::uno::RuntimeException ) {
415 SECKEYPrivateKey* prikey ;
416 std::list< SECKEYPrivateKey* >::iterator keyIt ;
417 unsigned int pos ;
418
419 prikey = NULL ;
420 for( pos = 0, keyIt = m_tPriKeyList.begin() ; pos < position && keyIt != m_tPriKeyList.end() ; pos ++ , keyIt ++ ) ;
421
422 if( pos == position && keyIt != m_tPriKeyList.end() )
423 prikey = *keyIt ;
424
425 return prikey ;
426 }
427
428 void SecurityEnvironment_NssImpl::updateSlots()
429 {
430 //In case new tokens are present then we can obtain the corresponding slot
431 PK11SlotList * soltList = NULL;
432 PK11SlotListElement * soltEle = NULL;
433 PK11SlotInfo * pSlot = NULL;
434 PK11SymKey * pSymKey = NULL;
435
436 osl::MutexGuard guard(m_mutex);
437
438 m_Slots.clear();
439 m_tSymKeyList.clear();
440
441 soltList = PK11_GetAllTokens( CKM_INVALID_MECHANISM, PR_FALSE, PR_FALSE, NULL ) ;
442 if( soltList != NULL )
443 {
444 for( soltEle = soltList->head ; soltEle != NULL; soltEle = soltEle->next )
445 {
446 pSlot = soltEle->slot ;
447
448 if(pSlot != NULL)
449 {
450 RTL_LOGFILE_TRACE2( "XMLSEC: Found a slot: SlotName=%s, TokenName=%s", PK11_GetSlotName(pSlot), PK11_GetTokenName(pSlot) );
451
452 //The following code which is commented out checks if a slot, that is a smart card for example, is
453 // able to generate a symmetric key of type CKM_DES3_CBC. If this fails then this token
454 // will not be used. This key is possibly used for the encryption service. However, all
455 // interfaces and services used for public key signature and encryption are not published
456 // and the encryption is not used in OOo. Therefore it does not do any harm to remove
457 // this code, hence allowing smart cards which cannot generate this type of key.
458 //
459 // By doing this, the encryption may fail if a smart card is being used which does not
460 // support this key generation.
461 //
462 pSymKey = PK11_KeyGen( pSlot , CKM_DES3_CBC, NULL, 128, NULL ) ;
463 // if( pSymKey == NULL )
464 // {
465 // PK11_FreeSlot( pSlot ) ;
466 // RTL_LOGFILE_TRACE( "XMLSEC: Error - pSymKey is NULL" );
467 // continue;
468 // }
469 addCryptoSlot(pSlot);
470 PK11_FreeSlot( pSlot ) ;
471 pSlot = NULL;
472
473 if (pSymKey != NULL)
474 {
475 adoptSymKey( pSymKey ) ;
476 PK11_FreeSymKey( pSymKey ) ;
477 pSymKey = NULL;
478 }
479
480 }// end of if(pSlot != NULL)
481 }// end of for
482 }// end of if( soltList != NULL )
483
484 }
485
486
487 Sequence< Reference < XCertificate > >
488 SecurityEnvironment_NssImpl::getPersonalCertificates() throw( SecurityException , RuntimeException )
489 {
490 sal_Int32 length ;
491 X509Certificate_NssImpl* xcert ;
492 std::list< X509Certificate_NssImpl* > certsList ;
493
494 updateSlots();
495 //firstly, we try to find private keys in slot
496 for (CIT_SLOTS is = m_Slots.begin(); is != m_Slots.end(); is++)
497 {
498 PK11SlotInfo *slot = *is;
499 SECKEYPrivateKeyList* priKeyList ;
500 SECKEYPrivateKeyListNode* curPri ;
501
502 if( PK11_NeedLogin(slot ) ) {
503 SECStatus nRet = PK11_Authenticate(slot, PR_TRUE, NULL);
504 //PK11_Authenticate may fail in case the a slot has not been initialized.
505 //this is the case if the user has a new profile, so that they have never
506 //added a personal certificate.
507 if( nRet != SECSuccess && PORT_GetError() != SEC_ERROR_IO) {
508 throw NoPasswordException();
509 }
510 }
511
512 priKeyList = PK11_ListPrivateKeysInSlot(slot) ;
513 if( priKeyList != NULL ) {
514 for( curPri = PRIVKEY_LIST_HEAD( priKeyList );
515 !PRIVKEY_LIST_END( curPri, priKeyList ) && curPri != NULL ;
516 curPri = PRIVKEY_LIST_NEXT( curPri ) ) {
517 xcert = NssPrivKeyToXCert( curPri->key ) ;
518 if( xcert != NULL )
519 certsList.push_back( xcert ) ;
520 }
521 }
522
523 SECKEY_DestroyPrivateKeyList( priKeyList ) ;
524 }
525
526 //secondly, we try to find certificate from registered private keys.
527 if( !m_tPriKeyList.empty() ) {
528 std::list< SECKEYPrivateKey* >::iterator priKeyIt ;
529
530 for( priKeyIt = m_tPriKeyList.begin() ; priKeyIt != m_tPriKeyList.end() ; priKeyIt ++ ) {
531 xcert = NssPrivKeyToXCert( *priKeyIt ) ;
532 if( xcert != NULL )
533 certsList.push_back( xcert ) ;
534 }
535 }
536
537 length = certsList.size() ;
538 if( length != 0 ) {
539 int i ;
540 std::list< X509Certificate_NssImpl* >::iterator xcertIt ;
541 Sequence< Reference< XCertificate > > certSeq( length ) ;
542
543 for( i = 0, xcertIt = certsList.begin(); xcertIt != certsList.end(); xcertIt ++, i++ ) {
544 certSeq[i] = *xcertIt ;
545 }
546
547 return certSeq ;
548 }
549
550 return Sequence< Reference < XCertificate > > ();
551 }
552
553 Reference< XCertificate > SecurityEnvironment_NssImpl :: getCertificate( const OUString& issuerName, const Sequence< sal_Int8 >& serialNumber ) throw( SecurityException , RuntimeException )
554 {
555 X509Certificate_NssImpl* xcert = NULL;
556
557 if( m_pHandler != NULL ) {
558 CERTIssuerAndSN issuerAndSN ;
559 CERTCertificate* cert ;
560 CERTName* nmIssuer ;
561 char* chIssuer ;
562 SECItem* derIssuer ;
563 PRArenaPool* arena ;
564
565 arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE ) ;
566 if( arena == NULL )
567 throw RuntimeException() ;
568
569 /*
570 * mmi : because MS Crypto use the 'S' tag (equal to the 'ST' tag in NSS), but the NSS can't recognise
571 * it, so the 'S' tag should be changed to 'ST' tag
572 *
573 * PS : it can work, but inside libxmlsec, the 'S' tag is till used to find cert in NSS engine, so it
574 * is not useful at all. (comment out now)
575 */
576
577 /*
578 sal_Int32 nIndex = 0;
579 OUString newIssuerName;
580 do
581 {
582 OUString aToken = issuerName.getToken( 0, ',', nIndex ).trim();
583 if (aToken.compareToAscii("S=",2) == 0)
584 {
585 newIssuerName+=OUString::createFromAscii("ST=");
586 newIssuerName+=aToken.copy(2);
587 }
588 else
589 {
590 newIssuerName+=aToken;
591 }
592
593 if (nIndex >= 0)
594 {
595 newIssuerName+=OUString::createFromAscii(",");
596 }
597 } while ( nIndex >= 0 );
598 */
599
600 /* end */
601
602 //Create cert info from issue and serial
603 rtl::OString ostr = rtl::OUStringToOString( issuerName , RTL_TEXTENCODING_UTF8 ) ;
604 chIssuer = PL_strndup( ( char* )ostr.getStr(), ( int )ostr.getLength() ) ;
605 nmIssuer = CERT_AsciiToName( chIssuer ) ;
606 if( nmIssuer == NULL ) {
607 PL_strfree( chIssuer ) ;
608 PORT_FreeArena( arena, PR_FALSE ) ;
609
610 /*
611 * i40394
612 *
613 * mmi : no need to throw exception
614 * just return "no found"
615 */
616 //throw RuntimeException() ;
617 return NULL;
618 }
619
620 derIssuer = SEC_ASN1EncodeItem( arena, NULL, ( void* )nmIssuer, SEC_ASN1_GET( CERT_NameTemplate ) ) ;
621 if( derIssuer == NULL ) {
622 PL_strfree( chIssuer ) ;
623 CERT_DestroyName( nmIssuer ) ;
624 PORT_FreeArena( arena, PR_FALSE ) ;
625 throw RuntimeException() ;
626 }
627
628 memset( &issuerAndSN, 0, sizeof( issuerAndSN ) ) ;
629
630 issuerAndSN.derIssuer.data = derIssuer->data ;
631 issuerAndSN.derIssuer.len = derIssuer->len ;
632
633 issuerAndSN.serialNumber.data = ( unsigned char* )&serialNumber[0] ;
634 issuerAndSN.serialNumber.len = serialNumber.getLength() ;
635
636 cert = CERT_FindCertByIssuerAndSN( m_pHandler, &issuerAndSN ) ;
637 if( cert != NULL ) {
638 xcert = NssCertToXCert( cert ) ;
639 } else {
640 xcert = NULL ;
641 }
642
643 PL_strfree( chIssuer ) ;
644 CERT_DestroyName( nmIssuer ) ;
645 //SECITEM_FreeItem( derIssuer, PR_FALSE ) ;
646 CERT_DestroyCertificate( cert ) ;
647 PORT_FreeArena( arena, PR_FALSE ) ;
648 } else {
649 xcert = NULL ;
650 }
651
652 return xcert ;
653 }
654
655 Reference< XCertificate > SecurityEnvironment_NssImpl :: getCertificate( const OUString& issuerName, const OUString& serialNumber ) throw( SecurityException , RuntimeException ) {
656 Sequence< sal_Int8 > serial = numericStringToBigInteger( serialNumber ) ;
657 return getCertificate( issuerName, serial ) ;
658 }
659
660 Sequence< Reference < XCertificate > > SecurityEnvironment_NssImpl :: buildCertificatePath( const Reference< XCertificate >& begin ) throw( SecurityException , RuntimeException ) {
661 const X509Certificate_NssImpl* xcert ;
662 const CERTCertificate* cert ;
663 CERTCertList* certChain ;
664
665 Reference< XUnoTunnel > xCertTunnel( begin, UNO_QUERY ) ;
666 if( !xCertTunnel.is() ) {
667 throw RuntimeException() ;
668 }
669
670 xcert = reinterpret_cast<X509Certificate_NssImpl*>(
671 sal::static_int_cast<sal_uIntPtr>(xCertTunnel->getSomething( X509Certificate_NssImpl::getUnoTunnelId() ))) ;
672 if( xcert == NULL ) {
673 throw RuntimeException() ;
674 }
675
676 cert = xcert->getNssCert() ;
677 if( cert != NULL ) {
678 int64 timeboundary ;
679
680 //Get the system clock time
681 timeboundary = PR_Now() ;
682
683 certChain = CERT_GetCertChainFromCert( ( CERTCertificate* )cert, timeboundary, certUsageAnyCA ) ;
684 } else {
685 certChain = NULL ;
686 }
687
688 if( certChain != NULL ) {
689 X509Certificate_NssImpl* pCert ;
690 CERTCertListNode* node ;
691 int len ;
692
693 for( len = 0, node = CERT_LIST_HEAD( certChain ); !CERT_LIST_END( node, certChain ); node = CERT_LIST_NEXT( node ), len ++ ) ;
694 Sequence< Reference< XCertificate > > xCertChain( len ) ;
695
696 for( len = 0, node = CERT_LIST_HEAD( certChain ); !CERT_LIST_END( node, certChain ); node = CERT_LIST_NEXT( node ), len ++ ) {
697 pCert = new X509Certificate_NssImpl() ;
698 if( pCert == NULL ) {
699 CERT_DestroyCertList( certChain ) ;
700 throw RuntimeException() ;
701 }
702
703 pCert->setCert( node->cert ) ;
704
705 xCertChain[len] = pCert ;
706 }
707
708 CERT_DestroyCertList( certChain ) ;
709
710 return xCertChain ;
711 }
712
713 return Sequence< Reference < XCertificate > >();
714 }
715
716 Reference< XCertificate > SecurityEnvironment_NssImpl :: createCertificateFromRaw( const Sequence< sal_Int8 >& rawCertificate ) throw( SecurityException , RuntimeException ) {
717 X509Certificate_NssImpl* xcert ;
718
719 if( rawCertificate.getLength() > 0 ) {
720 xcert = new X509Certificate_NssImpl() ;
721 if( xcert == NULL )
722 throw RuntimeException() ;
723
724 xcert->setRawCert( rawCertificate ) ;
725 } else {
726 xcert = NULL ;
727 }
728
729 return xcert ;
730 }
731
732 Reference< XCertificate > SecurityEnvironment_NssImpl :: createCertificateFromAscii( const OUString& asciiCertificate ) throw( SecurityException , RuntimeException ) {
733 xmlChar* chCert ;
734 xmlSecSize certSize ;
735
736 rtl::OString oscert = rtl::OUStringToOString( asciiCertificate , RTL_TEXTENCODING_ASCII_US ) ;
737
738 chCert = xmlStrndup( ( const xmlChar* )oscert.getStr(), ( int )oscert.getLength() ) ;
739
740 certSize = xmlSecBase64Decode( chCert, ( xmlSecByte* )chCert, xmlStrlen( chCert ) ) ;
741
742 Sequence< sal_Int8 > rawCert( certSize ) ;
743 for( unsigned int i = 0 ; i < certSize ; i ++ )
744 rawCert[i] = *( chCert + i ) ;
745
746 xmlFree( chCert ) ;
747
748 return createCertificateFromRaw( rawCert ) ;
749 }
750
751 sal_Int32 SecurityEnvironment_NssImpl ::
752 verifyCertificate( const Reference< csss::XCertificate >& aCert,
753 const Sequence< Reference< csss::XCertificate > >& intermediateCerts )
754 throw( ::com::sun::star::uno::SecurityException, ::com::sun::star::uno::RuntimeException )
755 {
756 sal_Int32 validity = 0;
757 const X509Certificate_NssImpl* xcert ;
758 const CERTCertificate* cert ;
759 ::std::vector<CERTCertificate*> vecTmpNSSCertificates;
760 Reference< XUnoTunnel > xCertTunnel( aCert, UNO_QUERY ) ;
761 if( !xCertTunnel.is() ) {
762 throw RuntimeException() ;
763 }
764
765 OSL_TRACE("[xmlsecurity] Start verification of certificate: %s",
766 OUStringToOString(
767 aCert->getIssuerName(), osl_getThreadTextEncoding()).getStr());
768
769
770 xcert = reinterpret_cast<X509Certificate_NssImpl*>(
771 sal::static_int_cast<sal_uIntPtr>(xCertTunnel->getSomething( X509Certificate_NssImpl::getUnoTunnelId() ))) ;
772 if( xcert == NULL ) {
773 throw RuntimeException() ;
774 }
775
776 cert = xcert->getNssCert() ;
777 if( cert != NULL )
778 {
779
780 //prepare the intermediate certificates
781 CERTCertDBHandle * certDb = m_pHandler != NULL ? m_pHandler : CERT_GetDefaultCertDB();
782 for (sal_Int32 i = 0; i < intermediateCerts.getLength(); i++)
783 {
784 Sequence<sal_Int8> der = intermediateCerts[i]->getEncoded();
785 SECItem item;
786 item.type = siBuffer;
787 item.data = (unsigned char*)der.getArray();
788 item.len = der.getLength();
789
790 CERTCertificate* certTmp = CERT_NewTempCertificate(certDb, &item,
791 NULL /* nickname */,
792 PR_FALSE /* isPerm */,
793 PR_TRUE /* copyDER */);
794 if (!certTmp)
795 {
796 OSL_TRACE("[xmlsecurity] Failed to add a temporary certificate: %s",
797 OUStringToOString(intermediateCerts[i]->getIssuerName(),
798 osl_getThreadTextEncoding()).getStr());
799
800 }
801 else
802 {
803 OSL_TRACE("[xmlsecurity] Added temporary certificate: %s",
804 certTmp->subjectName ? certTmp->subjectName : "");
805 vecTmpNSSCertificates.push_back(certTmp);
806 }
807 }
808
809
810 int64 timeboundary ;
811 SECStatus status ;
812
813 //Get the system clock time
814 timeboundary = PR_Now() ;
815 SECCertificateUsage usage = 0;
816
817 // create log
818
819 CERTVerifyLog realLog;
820 CERTVerifyLog *log;
821
822 log = &realLog;
823
824
825 log->count = 0;
826 log->head = NULL;
827 log->tail = NULL;
828 log->arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE );
829
830 //CERTVerifyLog *log;
831 //PRArenaPool *arena;
832
833 //arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE );
834 //log = PORT_ArenaZNew( arena, CERTVerifyLog );
835 //log->arena = arena;
836 validity = csss::CertificateValidity::INVALID;
837
838 if( m_pHandler != NULL )
839 {
840 //JL: We must not pass a particular usage in the requiredUsages argument (the 4th) because,
841 //then ONLY these are verified. For example, we pass
842 //certificateUsageSSLClient | certificateUsageSSLServer. Then checking a certificate which
843 // is a valid certificateUsageEmailSigner but no certificateUsageSSLClient | certificateUsageSSLServer
844 //will result in CertificateValidity::INVALID.
845 //Only if the argument "requiredUsages" has a value (other than zero)
846 //then the function will return SECFailure in case
847 //the certificate is not suitable for the provided usage. That is, in the previous
848 //example the function returns SECFailure.
849 status = CERT_VerifyCertificate(
850 m_pHandler, ( CERTCertificate* )cert, PR_TRUE,
851 (SECCertificateUsage)0, timeboundary , NULL, log, &usage);
852 }
853 else
854 {
855 status = CERT_VerifyCertificate(
856 CERT_GetDefaultCertDB(), ( CERTCertificate* )cert,
857 PR_TRUE, (SECCertificateUsage)0, timeboundary ,NULL, log, &usage);
858 }
859
860 if( status == SECSuccess )
861 {
862 // JL & TKR : certificateUsageUserCertImport,
863 // certificateUsageVerifyCA and certificateUsageAnyCA dont check the chain
864
865 //When an intermediate or root certificate is checked then we expect the usage
866 //certificateUsageSSLCA. This, however, will be only set when in the trust settings dialog
867 //the button "This certificate can identify websites" is checked. If for example only
868 //"This certificate can identify mail users" is set then the end certificate can
869 //be validated and the returned usage will conain certificateUsageEmailRecipient.
870 //But checking directly the root or intermediate certificate will fail. In the
871 //certificate path view the end certificate will be shown as valid but the others
872 //will be displayed as invalid.
873
874 if (usage & certificateUsageEmailSigner
875 || usage & certificateUsageEmailRecipient
876 || usage & certificateUsageSSLCA
877 || usage & certificateUsageSSLServer
878 || usage & certificateUsageSSLClient
879 || usage & certificateUsageProtectedObjectSigner
880 || usage & certificateUsageObjectSigner
881 // || usage & certificateUsageUserCertImport
882 // || usage & certificateUsageVerifyCA
883 || usage & certificateUsageStatusResponder )
884 // || usage & certificateUsageAnyCA )
885 validity = csss::CertificateValidity::VALID;
886 else
887 validity = csss::CertificateValidity::INVALID;
888
889 }
890 // always check what kind of error occured, even SECStatus says Success
891 //JL: When we call CERT_VerifyCertificate whit the parameter requiredUsages == 0 then all
892 //possible usages are checked. Then there are certainly usages for which the certificate
893 //is not intended. For these usages there will be NO flag set in the argument returnedUsages
894 // (the last arg) and there will be error codes set in the log. Therefore we cannot
895 //set the CertificateValidity to INVALID because there is a log entry.
896 // CERTVerifyLogNode *logNode = 0;
897
898 // logNode = log->head;
899 // while ( logNode != NULL )
900 // {
901 // sal_Int32 errorCode = 0;
902 // errorCode = logNode->error;
903
904 // switch ( errorCode )
905 // {
906 // // JL & TKR: Any error are treated as invalid because we cannot say that we get all occurred errors from NSS
907 // /*
908 // case ( SEC_ERROR_REVOKED_CERTIFICATE ):
909 // validity |= csss::CertificateValidity::REVOKED;
910 // break;
911 // case ( SEC_ERROR_EXPIRED_CERTIFICATE ):
912 // validity |= csss::CertificateValidity::TIME_INVALID;
913 // break;
914 // case ( SEC_ERROR_CERT_USAGES_INVALID):
915 // validity |= csss::CertificateValidity::INVALID;
916 // break;
917 // case ( SEC_ERROR_UNTRUSTED_ISSUER ):
918 // case ( SEC_ERROR_UNTRUSTED_CERT ):
919 // validity |= csss::CertificateValidity::UNTRUSTED;
920 // break;
921 // */
922 // default:
923 // validity |= csss::CertificateValidity::INVALID;
924 // break;
925 // }
926 // logNode = logNode->next;
927 // }
928 }
929 else
930 {
931
932 validity = ::com::sun::star::security::CertificateValidity::INVALID ;
933 }
934
935 //Destroying the temporary certificates
936 std::vector<CERTCertificate*>::const_iterator cert_i;
937 for (cert_i = vecTmpNSSCertificates.begin(); cert_i != vecTmpNSSCertificates.end(); cert_i++)
938 {
939 OSL_TRACE("[xmlsecurity] Destroying temporary certificate");
940 CERT_DestroyCertificate(*cert_i);
941 }
942 #if OSL_DEBUG_LEVEL > 1
943 if (validity == ::com::sun::star::security::CertificateValidity::VALID)
944 OSL_TRACE("[xmlsecurity] Certificate is valid.");
945 else
946 OSL_TRACE("[xmlsecurity] Certificate is invalid.");
947 #endif
948 return validity ;
949 }
950
951 sal_Int32 SecurityEnvironment_NssImpl::getCertificateCharacters(
952 const ::com::sun::star::uno::Reference< ::com::sun::star::security::XCertificate >& aCert ) throw( ::com::sun::star::uno::SecurityException, ::com::sun::star::uno::RuntimeException ) {
953 sal_Int32 characters ;
954 const X509Certificate_NssImpl* xcert ;
955 const CERTCertificate* cert ;
956
957 Reference< XUnoTunnel > xCertTunnel( aCert, UNO_QUERY ) ;
958 if( !xCertTunnel.is() ) {
959 throw RuntimeException() ;
960 }
961
962 xcert = reinterpret_cast<X509Certificate_NssImpl*>(
963 sal::static_int_cast<sal_uIntPtr>(xCertTunnel->getSomething( X509Certificate_NssImpl::getUnoTunnelId() ))) ;
964 if( xcert == NULL ) {
965 throw RuntimeException() ;
966 }
967
968 cert = xcert->getNssCert() ;
969
970 characters = 0x00000000 ;
971
972 //Firstly, find out whether or not the cert is self-signed.
973 if( SECITEM_CompareItem( &(cert->derIssuer), &(cert->derSubject) ) == SECEqual ) {
974 characters |= ::com::sun::star::security::CertificateCharacters::SELF_SIGNED ;
975 } else {
976 characters &= ~ ::com::sun::star::security::CertificateCharacters::SELF_SIGNED ;
977 }
978
979 //Secondly, find out whether or not the cert has a private key.
980
981 /*
982 * i40394
983 *
984 * mmi : need to check whether the cert's slot is valid first
985 */
986 SECKEYPrivateKey* priKey = NULL;
987
988 if (cert->slot != NULL)
989 {
990 priKey = PK11_FindPrivateKeyFromCert( cert->slot, ( CERTCertificate* )cert, NULL ) ;
991 }
992 if(priKey == NULL)
993 {
994 for (CIT_SLOTS is = m_Slots.begin(); is != m_Slots.end(); is++)
995 {
996 priKey = PK11_FindPrivateKeyFromCert(*is, (CERTCertificate*)cert, NULL);
997 if (priKey)
998 break;
999 }
1000 }
1001 if( priKey != NULL ) {
1002 characters |= ::com::sun::star::security::CertificateCharacters::HAS_PRIVATE_KEY ;
1003
1004 SECKEY_DestroyPrivateKey( priKey ) ;
1005 } else {
1006 characters &= ~ ::com::sun::star::security::CertificateCharacters::HAS_PRIVATE_KEY ;
1007 }
1008
1009 return characters ;
1010 }
1011
1012 X509Certificate_NssImpl* NssCertToXCert( CERTCertificate* cert )
1013 {
1014 X509Certificate_NssImpl* xcert ;
1015
1016 if( cert != NULL ) {
1017 xcert = new X509Certificate_NssImpl() ;
1018 if( xcert == NULL ) {
1019 xcert = NULL ;
1020 } else {
1021 xcert->setCert( cert ) ;
1022 }
1023 } else {
1024 xcert = NULL ;
1025 }
1026
1027 return xcert ;
1028 }
1029
1030 X509Certificate_NssImpl* NssPrivKeyToXCert( SECKEYPrivateKey* priKey )
1031 {
1032 CERTCertificate* cert ;
1033 X509Certificate_NssImpl* xcert ;
1034
1035 if( priKey != NULL ) {
1036 cert = PK11_GetCertFromPrivateKey( priKey ) ;
1037
1038 if( cert != NULL ) {
1039 xcert = NssCertToXCert( cert ) ;
1040 } else {
1041 xcert = NULL ;
1042 }
1043
1044 CERT_DestroyCertificate( cert ) ;
1045 } else {
1046 xcert = NULL ;
1047 }
1048
1049 return xcert ;
1050 }
1051
1052
1053 /* Native methods */
1054 xmlSecKeysMngrPtr SecurityEnvironment_NssImpl::createKeysManager() throw( Exception, RuntimeException ) {
1055
1056 unsigned int i ;
1057 CERTCertDBHandle* handler = NULL ;
1058 PK11SymKey* symKey = NULL ;
1059 SECKEYPublicKey* pubKey = NULL ;
1060 SECKEYPrivateKey* priKey = NULL ;
1061 xmlSecKeysMngrPtr pKeysMngr = NULL ;
1062
1063 handler = this->getCertDb() ;
1064
1065 /*-
1066 * The following lines is based on the private version of xmlSec-NSS
1067 * crypto engine
1068 */
1069 int cSlots = m_Slots.size();
1070 boost::scoped_array<PK11SlotInfo*> sarSlots(new PK11SlotInfo*[cSlots]);
1071 PK11SlotInfo** slots = sarSlots.get();
1072 int count = 0;
1073 for (CIT_SLOTS islots = m_Slots.begin();islots != m_Slots.end(); islots++, count++)
1074 slots[count] = *islots;
1075
1076 pKeysMngr = xmlSecNssAppliedKeysMngrCreate(slots, cSlots, handler ) ;
1077 if( pKeysMngr == NULL )
1078 throw RuntimeException() ;
1079
1080 /*-
1081 * Adopt symmetric key into keys manager
1082 */
1083 for( i = 0 ; ( symKey = this->getSymKey( i ) ) != NULL ; i ++ ) {
1084 if( xmlSecNssAppliedKeysMngrSymKeyLoad( pKeysMngr, symKey ) < 0 ) {
1085 throw RuntimeException() ;
1086 }
1087 }
1088
1089 /*-
1090 * Adopt asymmetric public key into keys manager
1091 */
1092 for( i = 0 ; ( pubKey = this->getPubKey( i ) ) != NULL ; i ++ ) {
1093 if( xmlSecNssAppliedKeysMngrPubKeyLoad( pKeysMngr, pubKey ) < 0 ) {
1094 throw RuntimeException() ;
1095 }
1096 }
1097
1098 /*-
1099 * Adopt asymmetric private key into keys manager
1100 */
1101 for( i = 0 ; ( priKey = this->getPriKey( i ) ) != NULL ; i ++ ) {
1102 if( xmlSecNssAppliedKeysMngrPriKeyLoad( pKeysMngr, priKey ) < 0 ) {
1103 throw RuntimeException() ;
1104 }
1105 }
1106 return pKeysMngr ;
1107 }
1108 void SecurityEnvironment_NssImpl::destroyKeysManager(xmlSecKeysMngrPtr pKeysMngr) throw( Exception, RuntimeException ) {
1109 if( pKeysMngr != NULL ) {
1110 xmlSecKeysMngrDestroy( pKeysMngr ) ;
1111 }
1112 }
vba interoperability for OOo