Line data Source code
1 : /* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
2 : /*
3 : * This file is part of the LibreOffice project.
4 : *
5 : * This Source Code Form is subject to the terms of the Mozilla Public
6 : * License, v. 2.0. If a copy of the MPL was not distributed with this
7 : * file, You can obtain one at http://mozilla.org/MPL/2.0/.
8 : *
9 : * This file incorporates work covered by the following license notice:
10 : *
11 : * Licensed to the Apache Software Foundation (ASF) under one or more
12 : * contributor license agreements. See the NOTICE file distributed
13 : * with this work for additional information regarding copyright
14 : * ownership. The ASF licenses this file to you under the Apache
15 : * License, Version 2.0 (the "License"); you may not use this file
16 : * except in compliance with the License. You may obtain a copy of
17 : * the License at http://www.apache.org/licenses/LICENSE-2.0 .
18 : */
19 :
20 : #include "nssrenam.h" // rename problematic symbols
21 : #include "cert.h"
22 : #include "secerr.h"
23 : #include "ocsp.h"
24 :
25 : #include <sal/config.h>
26 : #include <sal/macros.h>
27 : #include "securityenvironment_nssimpl.hxx"
28 : #include "x509certificate_nssimpl.hxx"
29 : #include <comphelper/servicehelper.hxx>
30 : #include "../diagnose.hxx"
31 :
32 : #include <sal/types.h>
33 : //For reasons that escape me, this is what xmlsec does when size_t is not 4
34 : #if SAL_TYPES_SIZEOFPOINTER != 4
35 : # define XMLSEC_NO_SIZE_T
36 : #endif
37 : #include <xmlsec/xmlsec.h>
38 : #include <xmlsec/keysmngr.h>
39 : #include <xmlsec/crypto.h>
40 : #include <xmlsec/base64.h>
41 : #include <xmlsec/strings.h>
42 :
43 : #include <rtl/ustrbuf.hxx>
44 : #include <comphelper/processfactory.hxx>
45 : #include <cppuhelper/servicefactory.hxx>
46 : #include <comphelper/docpasswordrequest.hxx>
47 : #include <xmlsecurity/biginteger.hxx>
48 : #include <sal/log.hxx>
49 : #include <com/sun/star/task/InteractionHandler.hpp>
50 : #include <vector>
51 : #include "boost/scoped_array.hpp"
52 : #include <osl/thread.h>
53 :
54 : #include "secerror.hxx"
55 :
56 : // added for password exception
57 : #include <com/sun/star/security/NoPasswordException.hpp>
58 : namespace csss = ::com::sun::star::security;
59 : using namespace xmlsecurity;
60 : using namespace ::com::sun::star::security;
61 : using namespace com::sun::star;
62 : using namespace ::com::sun::star::uno ;
63 : using namespace ::com::sun::star::lang ;
64 : using ::com::sun::star::lang::XMultiServiceFactory ;
65 : using ::com::sun::star::lang::XSingleServiceFactory ;
66 : using ::rtl::OUString ;
67 :
68 : using ::com::sun::star::xml::crypto::XSecurityEnvironment ;
69 : using ::com::sun::star::security::XCertificate ;
70 :
71 : extern X509Certificate_NssImpl* NssCertToXCert( CERTCertificate* cert ) ;
72 : extern X509Certificate_NssImpl* NssPrivKeyToXCert( SECKEYPrivateKey* ) ;
73 :
74 :
75 : struct UsageDescription
76 : {
77 : SECCertificateUsage usage;
78 : char const* description;
79 :
80 0 : UsageDescription()
81 : : usage( certificateUsageCheckAllUsages )
82 0 : , description( NULL )
83 0 : {}
84 :
85 0 : UsageDescription( SECCertificateUsage i_usage, char const* i_description )
86 : : usage( i_usage )
87 0 : , description( i_description )
88 0 : {}
89 :
90 : UsageDescription( const UsageDescription& aDescription )
91 : : usage( aDescription.usage )
92 : , description( aDescription.description )
93 : {}
94 :
95 0 : UsageDescription& operator =( const UsageDescription& aDescription )
96 : {
97 0 : usage = aDescription.usage;
98 0 : description = aDescription.description;
99 0 : return *this;
100 : }
101 : };
102 :
103 :
104 :
105 0 : char* GetPasswordFunction( PK11SlotInfo* pSlot, PRBool bRetry, void* /*arg*/ )
106 : {
107 0 : uno::Reference< uno::XComponentContext > xContext( ::comphelper::getProcessComponentContext() );
108 : uno::Reference < task::XInteractionHandler2 > xInteractionHandler(
109 0 : task::InteractionHandler::createWithParent(xContext, 0) );
110 :
111 0 : task::PasswordRequestMode eMode = bRetry ? task::PasswordRequestMode_PASSWORD_REENTER : task::PasswordRequestMode_PASSWORD_ENTER;
112 : ::comphelper::DocPasswordRequest* pPasswordRequest = new ::comphelper::DocPasswordRequest(
113 0 : ::comphelper::DocPasswordRequestType_STANDARD, eMode, ::rtl::OUString::createFromAscii(PK11_GetTokenName(pSlot)) );
114 :
115 0 : uno::Reference< task::XInteractionRequest > xRequest( pPasswordRequest );
116 0 : xInteractionHandler->handle( xRequest );
117 :
118 0 : if ( pPasswordRequest->isPassword() )
119 : {
120 : rtl::OString aPassword(rtl::OUStringToOString(
121 : pPasswordRequest->getPassword(),
122 0 : osl_getThreadTextEncoding()));
123 0 : sal_Int32 nLen = aPassword.getLength();
124 0 : char* pPassword = (char*) PORT_Alloc( nLen+1 ) ;
125 0 : pPassword[nLen] = 0;
126 0 : memcpy( pPassword, aPassword.getStr(), nLen );
127 0 : return pPassword;
128 : }
129 0 : return NULL;
130 : }
131 :
132 0 : SecurityEnvironment_NssImpl :: SecurityEnvironment_NssImpl( const Reference< XMultiServiceFactory >& ) :
133 0 : m_pHandler( NULL ) , m_tSymKeyList() , m_tPubKeyList() , m_tPriKeyList() {
134 :
135 0 : PK11_SetPasswordFunc( GetPasswordFunction ) ;
136 0 : }
137 :
138 0 : SecurityEnvironment_NssImpl :: ~SecurityEnvironment_NssImpl() {
139 :
140 0 : PK11_SetPasswordFunc( NULL ) ;
141 :
142 0 : for (CIT_SLOTS i = m_Slots.begin(); i != m_Slots.end(); i++)
143 : {
144 0 : PK11_FreeSlot(*i);
145 : }
146 :
147 0 : if( !m_tSymKeyList.empty() ) {
148 0 : std::list< PK11SymKey* >::iterator symKeyIt ;
149 :
150 0 : for( symKeyIt = m_tSymKeyList.begin() ; symKeyIt != m_tSymKeyList.end() ; ++symKeyIt )
151 0 : PK11_FreeSymKey( *symKeyIt ) ;
152 : }
153 :
154 0 : if( !m_tPubKeyList.empty() ) {
155 0 : std::list< SECKEYPublicKey* >::iterator pubKeyIt ;
156 :
157 0 : for( pubKeyIt = m_tPubKeyList.begin() ; pubKeyIt != m_tPubKeyList.end() ; ++pubKeyIt )
158 0 : SECKEY_DestroyPublicKey( *pubKeyIt ) ;
159 : }
160 :
161 0 : if( !m_tPriKeyList.empty() ) {
162 0 : std::list< SECKEYPrivateKey* >::iterator priKeyIt ;
163 :
164 0 : for( priKeyIt = m_tPriKeyList.begin() ; priKeyIt != m_tPriKeyList.end() ; ++priKeyIt )
165 0 : SECKEY_DestroyPrivateKey( *priKeyIt ) ;
166 : }
167 0 : }
168 :
169 : /* XInitialization */
170 0 : void SAL_CALL SecurityEnvironment_NssImpl :: initialize( const Sequence< Any >& ) throw( Exception, RuntimeException ) {
171 : // TBD
172 0 : } ;
173 :
174 : /* XServiceInfo */
175 0 : OUString SAL_CALL SecurityEnvironment_NssImpl :: getImplementationName() throw( RuntimeException ) {
176 0 : return impl_getImplementationName() ;
177 : }
178 :
179 : /* XServiceInfo */
180 0 : sal_Bool SAL_CALL SecurityEnvironment_NssImpl :: supportsService( const OUString& serviceName) throw( RuntimeException ) {
181 0 : Sequence< OUString > seqServiceNames = getSupportedServiceNames() ;
182 0 : const OUString* pArray = seqServiceNames.getConstArray() ;
183 0 : for( sal_Int32 i = 0 ; i < seqServiceNames.getLength() ; i ++ ) {
184 0 : if( *( pArray + i ) == serviceName )
185 0 : return sal_True ;
186 : }
187 0 : return sal_False ;
188 : }
189 :
190 : /* XServiceInfo */
191 0 : Sequence< OUString > SAL_CALL SecurityEnvironment_NssImpl :: getSupportedServiceNames() throw( RuntimeException ) {
192 0 : return impl_getSupportedServiceNames() ;
193 : }
194 :
195 : //Helper for XServiceInfo
196 0 : Sequence< OUString > SecurityEnvironment_NssImpl :: impl_getSupportedServiceNames() {
197 0 : ::osl::Guard< ::osl::Mutex > aGuard( ::osl::Mutex::getGlobalMutex() ) ;
198 0 : Sequence< OUString > seqServiceNames( 1 ) ;
199 0 : seqServiceNames.getArray()[0] = OUString("com.sun.star.xml.crypto.SecurityEnvironment") ;
200 0 : return seqServiceNames ;
201 : }
202 :
203 0 : OUString SecurityEnvironment_NssImpl :: impl_getImplementationName() throw( RuntimeException ) {
204 0 : return OUString("com.sun.star.xml.security.bridge.xmlsec.SecurityEnvironment_NssImpl") ;
205 : }
206 :
207 : //Helper for registry
208 0 : Reference< XInterface > SAL_CALL SecurityEnvironment_NssImpl :: impl_createInstance( const Reference< XMultiServiceFactory >& aServiceManager ) throw( RuntimeException ) {
209 0 : return Reference< XInterface >( *new SecurityEnvironment_NssImpl( aServiceManager ) ) ;
210 : }
211 :
212 0 : Reference< XSingleServiceFactory > SecurityEnvironment_NssImpl :: impl_createFactory( const Reference< XMultiServiceFactory >& aServiceManager ) {
213 0 : return ::cppu::createSingleFactory( aServiceManager , impl_getImplementationName() , impl_createInstance , impl_getSupportedServiceNames() ) ;
214 : }
215 :
216 : /* XUnoTunnel */
217 0 : sal_Int64 SAL_CALL SecurityEnvironment_NssImpl :: getSomething( const Sequence< sal_Int8 >& aIdentifier )
218 : throw( RuntimeException )
219 : {
220 0 : if( aIdentifier.getLength() == 16 && 0 == memcmp( getUnoTunnelId().getConstArray(), aIdentifier.getConstArray(), 16 ) ) {
221 0 : return sal::static_int_cast<sal_Int64>(reinterpret_cast<sal_uIntPtr>(this));
222 : }
223 0 : return 0 ;
224 : }
225 :
226 : /* XUnoTunnel extension */
227 :
228 : namespace
229 : {
230 : class theSecurityEnvironment_NssImplUnoTunnelId : public rtl::Static< UnoTunnelIdInit, theSecurityEnvironment_NssImplUnoTunnelId > {};
231 : }
232 :
233 0 : const Sequence< sal_Int8>& SecurityEnvironment_NssImpl :: getUnoTunnelId() {
234 0 : return theSecurityEnvironment_NssImplUnoTunnelId::get().getSeq();
235 : }
236 :
237 0 : ::rtl::OUString SecurityEnvironment_NssImpl::getSecurityEnvironmentInformation() throw( ::com::sun::star::uno::RuntimeException )
238 : {
239 0 : ::rtl::OUStringBuffer buff;
240 0 : for (CIT_SLOTS is = m_Slots.begin(); is != m_Slots.end(); is++)
241 : {
242 0 : buff.append(rtl::OUString::createFromAscii(PK11_GetTokenName(*is)));
243 0 : buff.appendAscii("\n");
244 : }
245 0 : return buff.makeStringAndClear();
246 : }
247 :
248 0 : void SecurityEnvironment_NssImpl::addCryptoSlot( PK11SlotInfo* aSlot) throw( Exception , RuntimeException )
249 : {
250 0 : PK11_ReferenceSlot(aSlot);
251 0 : m_Slots.push_back(aSlot);
252 0 : }
253 :
254 0 : CERTCertDBHandle* SecurityEnvironment_NssImpl :: getCertDb() throw( Exception , RuntimeException ) {
255 0 : return m_pHandler ;
256 : }
257 :
258 : //Could we have multiple cert dbs?
259 0 : void SecurityEnvironment_NssImpl :: setCertDb( CERTCertDBHandle* aCertDb ) throw( Exception , RuntimeException ) {
260 0 : m_pHandler = aCertDb ;
261 0 : }
262 :
263 0 : void SecurityEnvironment_NssImpl :: adoptSymKey( PK11SymKey* aSymKey ) throw( Exception , RuntimeException ) {
264 : PK11SymKey* symkey ;
265 0 : std::list< PK11SymKey* >::iterator keyIt ;
266 :
267 0 : if( aSymKey != NULL ) {
268 : //First try to find the key in the list
269 0 : for( keyIt = m_tSymKeyList.begin() ; keyIt != m_tSymKeyList.end() ; ++keyIt ) {
270 0 : if( *keyIt == aSymKey )
271 0 : return ;
272 : }
273 :
274 : //If we do not find the key in the list, add a new node
275 0 : symkey = PK11_ReferenceSymKey( aSymKey ) ;
276 0 : if( symkey == NULL )
277 0 : throw RuntimeException() ;
278 :
279 : try {
280 0 : m_tSymKeyList.push_back( symkey ) ;
281 0 : } catch ( Exception& ) {
282 0 : PK11_FreeSymKey( symkey ) ;
283 : }
284 : }
285 : }
286 :
287 0 : void SecurityEnvironment_NssImpl :: rejectSymKey( PK11SymKey* aSymKey ) throw( Exception , RuntimeException ) {
288 : PK11SymKey* symkey ;
289 0 : std::list< PK11SymKey* >::iterator keyIt ;
290 :
291 0 : if( aSymKey != NULL ) {
292 0 : for( keyIt = m_tSymKeyList.begin() ; keyIt != m_tSymKeyList.end() ; ++keyIt ) {
293 0 : if( *keyIt == aSymKey ) {
294 0 : symkey = *keyIt ;
295 0 : PK11_FreeSymKey( symkey ) ;
296 0 : m_tSymKeyList.erase( keyIt ) ;
297 0 : break ;
298 : }
299 : }
300 : }
301 0 : }
302 :
303 0 : PK11SymKey* SecurityEnvironment_NssImpl :: getSymKey( unsigned int position ) throw( Exception , RuntimeException ) {
304 : PK11SymKey* symkey ;
305 0 : std::list< PK11SymKey* >::iterator keyIt ;
306 : unsigned int pos ;
307 :
308 0 : symkey = NULL ;
309 0 : for( pos = 0, keyIt = m_tSymKeyList.begin() ; pos < position && keyIt != m_tSymKeyList.end() ; pos ++ , keyIt ++ ) ;
310 :
311 0 : if( pos == position && keyIt != m_tSymKeyList.end() )
312 0 : symkey = *keyIt ;
313 :
314 0 : return symkey ;
315 : }
316 :
317 0 : void SecurityEnvironment_NssImpl :: adoptPubKey( SECKEYPublicKey* aPubKey ) throw( Exception , RuntimeException ) {
318 : SECKEYPublicKey* pubkey ;
319 0 : std::list< SECKEYPublicKey* >::iterator keyIt ;
320 :
321 0 : if( aPubKey != NULL ) {
322 : //First try to find the key in the list
323 0 : for( keyIt = m_tPubKeyList.begin() ; keyIt != m_tPubKeyList.end() ; ++keyIt ) {
324 0 : if( *keyIt == aPubKey )
325 0 : return ;
326 : }
327 :
328 : //If we do not find the key in the list, add a new node
329 0 : pubkey = SECKEY_CopyPublicKey( aPubKey ) ;
330 0 : if( pubkey == NULL )
331 0 : throw RuntimeException() ;
332 :
333 : try {
334 0 : m_tPubKeyList.push_back( pubkey ) ;
335 0 : } catch ( Exception& ) {
336 0 : SECKEY_DestroyPublicKey( pubkey ) ;
337 : }
338 : }
339 : }
340 :
341 0 : void SecurityEnvironment_NssImpl :: rejectPubKey( SECKEYPublicKey* aPubKey ) throw( Exception , RuntimeException ) {
342 : SECKEYPublicKey* pubkey ;
343 0 : std::list< SECKEYPublicKey* >::iterator keyIt ;
344 :
345 0 : if( aPubKey != NULL ) {
346 0 : for( keyIt = m_tPubKeyList.begin() ; keyIt != m_tPubKeyList.end() ; ++keyIt ) {
347 0 : if( *keyIt == aPubKey ) {
348 0 : pubkey = *keyIt ;
349 0 : SECKEY_DestroyPublicKey( pubkey ) ;
350 0 : m_tPubKeyList.erase( keyIt ) ;
351 0 : break ;
352 : }
353 : }
354 : }
355 0 : }
356 :
357 0 : SECKEYPublicKey* SecurityEnvironment_NssImpl :: getPubKey( unsigned int position ) throw( Exception , RuntimeException ) {
358 : SECKEYPublicKey* pubkey ;
359 0 : std::list< SECKEYPublicKey* >::iterator keyIt ;
360 : unsigned int pos ;
361 :
362 0 : pubkey = NULL ;
363 0 : for( pos = 0, keyIt = m_tPubKeyList.begin() ; pos < position && keyIt != m_tPubKeyList.end() ; pos ++ , keyIt ++ ) ;
364 :
365 0 : if( pos == position && keyIt != m_tPubKeyList.end() )
366 0 : pubkey = *keyIt ;
367 :
368 0 : return pubkey ;
369 : }
370 :
371 0 : void SecurityEnvironment_NssImpl :: adoptPriKey( SECKEYPrivateKey* aPriKey ) throw( Exception , RuntimeException ) {
372 : SECKEYPrivateKey* prikey ;
373 0 : std::list< SECKEYPrivateKey* >::iterator keyIt ;
374 :
375 0 : if( aPriKey != NULL ) {
376 : //First try to find the key in the list
377 0 : for( keyIt = m_tPriKeyList.begin() ; keyIt != m_tPriKeyList.end() ; ++keyIt ) {
378 0 : if( *keyIt == aPriKey )
379 0 : return ;
380 : }
381 :
382 : //If we do not find the key in the list, add a new node
383 0 : prikey = SECKEY_CopyPrivateKey( aPriKey ) ;
384 0 : if( prikey == NULL )
385 0 : throw RuntimeException() ;
386 :
387 : try {
388 0 : m_tPriKeyList.push_back( prikey ) ;
389 0 : } catch ( Exception& ) {
390 0 : SECKEY_DestroyPrivateKey( prikey ) ;
391 : }
392 : }
393 : }
394 :
395 0 : void SecurityEnvironment_NssImpl :: rejectPriKey( SECKEYPrivateKey* aPriKey ) throw( Exception , RuntimeException ) {
396 : SECKEYPrivateKey* prikey ;
397 0 : std::list< SECKEYPrivateKey* >::iterator keyIt ;
398 :
399 0 : if( aPriKey != NULL ) {
400 0 : for( keyIt = m_tPriKeyList.begin() ; keyIt != m_tPriKeyList.end() ; ++keyIt ) {
401 0 : if( *keyIt == aPriKey ) {
402 0 : prikey = *keyIt ;
403 0 : SECKEY_DestroyPrivateKey( prikey ) ;
404 0 : m_tPriKeyList.erase( keyIt ) ;
405 0 : break ;
406 : }
407 : }
408 : }
409 0 : }
410 :
411 0 : SECKEYPrivateKey* SecurityEnvironment_NssImpl :: getPriKey( unsigned int position ) throw( ::com::sun::star::uno::Exception , ::com::sun::star::uno::RuntimeException ) {
412 : SECKEYPrivateKey* prikey ;
413 0 : std::list< SECKEYPrivateKey* >::iterator keyIt ;
414 : unsigned int pos ;
415 :
416 0 : prikey = NULL ;
417 0 : for( pos = 0, keyIt = m_tPriKeyList.begin() ; pos < position && keyIt != m_tPriKeyList.end() ; pos ++ , keyIt ++ ) ;
418 :
419 0 : if( pos == position && keyIt != m_tPriKeyList.end() )
420 0 : prikey = *keyIt ;
421 :
422 0 : return prikey ;
423 : }
424 :
425 0 : void SecurityEnvironment_NssImpl::updateSlots()
426 : {
427 : //In case new tokens are present then we can obtain the corresponding slot
428 0 : PK11SlotList * soltList = NULL;
429 0 : PK11SlotListElement * soltEle = NULL;
430 0 : PK11SlotInfo * pSlot = NULL;
431 0 : PK11SymKey * pSymKey = NULL;
432 :
433 0 : osl::MutexGuard guard(m_mutex);
434 :
435 0 : m_Slots.clear();
436 0 : m_tSymKeyList.clear();
437 :
438 0 : soltList = PK11_GetAllTokens( CKM_INVALID_MECHANISM, PR_FALSE, PR_FALSE, NULL ) ;
439 0 : if( soltList != NULL )
440 : {
441 0 : for( soltEle = soltList->head ; soltEle != NULL; soltEle = soltEle->next )
442 : {
443 0 : pSlot = soltEle->slot ;
444 :
445 0 : if(pSlot != NULL)
446 : {
447 : SAL_INFO(
448 : "xmlsecurity.xmlsec",
449 : "Found a slot: SlotName=" << PK11_GetSlotName(pSlot)
450 : << ", TokenName=" << PK11_GetTokenName(pSlot));
451 :
452 : //The following code which is commented out checks if a slot, that is a smart card for example, is
453 : // able to generate a symmetric key of type CKM_DES3_CBC. If this fails then this token
454 : // will not be used. This key is possibly used for the encryption service. However, all
455 : // interfaces and services used for public key signature and encryption are not published
456 : // and the encryption is not used in OOo. Therefore it does not do any harm to remove
457 : // this code, hence allowing smart cards which cannot generate this type of key.
458 : //
459 : // By doing this, the encryption may fail if a smart card is being used which does not
460 : // support this key generation.
461 : //
462 0 : pSymKey = PK11_KeyGen( pSlot , CKM_DES3_CBC, NULL, 128, NULL ) ;
463 : // if( pSymKey == NULL )
464 : // {
465 : // PK11_FreeSlot( pSlot ) ;
466 : // RTL_LOGFILE_TRACE( "XMLSEC: Error - pSymKey is NULL" );
467 : // continue;
468 : // }
469 0 : addCryptoSlot(pSlot);
470 0 : PK11_FreeSlot( pSlot ) ;
471 0 : pSlot = NULL;
472 :
473 0 : if (pSymKey != NULL)
474 : {
475 0 : adoptSymKey( pSymKey ) ;
476 0 : PK11_FreeSymKey( pSymKey ) ;
477 0 : pSymKey = NULL;
478 : }
479 :
480 : }// end of if(pSlot != NULL)
481 : }// end of for
482 0 : }// end of if( soltList != NULL )
483 :
484 0 : }
485 :
486 :
487 : Sequence< Reference < XCertificate > >
488 0 : SecurityEnvironment_NssImpl::getPersonalCertificates() throw( SecurityException , RuntimeException )
489 : {
490 : sal_Int32 length ;
491 : X509Certificate_NssImpl* xcert ;
492 0 : std::list< X509Certificate_NssImpl* > certsList ;
493 :
494 0 : updateSlots();
495 : //firstly, we try to find private keys in slot
496 0 : for (CIT_SLOTS is = m_Slots.begin(); is != m_Slots.end(); is++)
497 : {
498 0 : PK11SlotInfo *slot = *is;
499 : SECKEYPrivateKeyList* priKeyList ;
500 : SECKEYPrivateKeyListNode* curPri ;
501 :
502 0 : if( PK11_NeedLogin(slot ) ) {
503 0 : SECStatus nRet = PK11_Authenticate(slot, PR_TRUE, NULL);
504 : //PK11_Authenticate may fail in case the a slot has not been initialized.
505 : //this is the case if the user has a new profile, so that they have never
506 : //added a personal certificate.
507 0 : if( nRet != SECSuccess && PORT_GetError() != SEC_ERROR_IO) {
508 0 : throw NoPasswordException();
509 : }
510 : }
511 :
512 0 : priKeyList = PK11_ListPrivateKeysInSlot(slot) ;
513 0 : if( priKeyList != NULL ) {
514 0 : for( curPri = PRIVKEY_LIST_HEAD( priKeyList );
515 0 : !PRIVKEY_LIST_END( curPri, priKeyList ) && curPri != NULL ;
516 : curPri = PRIVKEY_LIST_NEXT( curPri ) ) {
517 0 : xcert = NssPrivKeyToXCert( curPri->key ) ;
518 0 : if( xcert != NULL )
519 0 : certsList.push_back( xcert ) ;
520 : }
521 : }
522 :
523 0 : SECKEY_DestroyPrivateKeyList( priKeyList ) ;
524 : }
525 :
526 : //secondly, we try to find certificate from registered private keys.
527 0 : if( !m_tPriKeyList.empty() ) {
528 0 : std::list< SECKEYPrivateKey* >::iterator priKeyIt ;
529 :
530 0 : for( priKeyIt = m_tPriKeyList.begin() ; priKeyIt != m_tPriKeyList.end() ; ++priKeyIt ) {
531 0 : xcert = NssPrivKeyToXCert( *priKeyIt ) ;
532 0 : if( xcert != NULL )
533 0 : certsList.push_back( xcert ) ;
534 : }
535 : }
536 :
537 0 : length = certsList.size() ;
538 0 : if( length != 0 ) {
539 : int i ;
540 0 : std::list< X509Certificate_NssImpl* >::iterator xcertIt ;
541 0 : Sequence< Reference< XCertificate > > certSeq( length ) ;
542 :
543 0 : for( i = 0, xcertIt = certsList.begin(); xcertIt != certsList.end(); ++xcertIt, ++i ) {
544 0 : certSeq[i] = *xcertIt ;
545 : }
546 :
547 0 : return certSeq ;
548 : }
549 :
550 0 : return Sequence< Reference < XCertificate > > ();
551 : }
552 :
553 0 : Reference< XCertificate > SecurityEnvironment_NssImpl :: getCertificate( const OUString& issuerName, const Sequence< sal_Int8 >& serialNumber ) throw( SecurityException , RuntimeException )
554 : {
555 0 : X509Certificate_NssImpl* xcert = NULL;
556 :
557 0 : if( m_pHandler != NULL ) {
558 : CERTIssuerAndSN issuerAndSN ;
559 : CERTCertificate* cert ;
560 : CERTName* nmIssuer ;
561 : char* chIssuer ;
562 : SECItem* derIssuer ;
563 : PRArenaPool* arena ;
564 :
565 0 : arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE ) ;
566 0 : if( arena == NULL )
567 0 : throw RuntimeException() ;
568 :
569 : // Create cert info from issue and serial
570 0 : rtl::OString ostr = rtl::OUStringToOString( issuerName , RTL_TEXTENCODING_UTF8 ) ;
571 0 : chIssuer = PL_strndup( ( char* )ostr.getStr(), ( int )ostr.getLength() ) ;
572 0 : nmIssuer = CERT_AsciiToName( chIssuer ) ;
573 0 : if( nmIssuer == NULL ) {
574 0 : PL_strfree( chIssuer ) ;
575 0 : PORT_FreeArena( arena, PR_FALSE ) ;
576 0 : return NULL; // no need for exception cf. i40394
577 : }
578 :
579 0 : derIssuer = SEC_ASN1EncodeItem( arena, NULL, ( void* )nmIssuer, SEC_ASN1_GET( CERT_NameTemplate ) ) ;
580 0 : if( derIssuer == NULL ) {
581 0 : PL_strfree( chIssuer ) ;
582 0 : CERT_DestroyName( nmIssuer ) ;
583 0 : PORT_FreeArena( arena, PR_FALSE ) ;
584 0 : throw RuntimeException() ;
585 : }
586 :
587 0 : memset( &issuerAndSN, 0, sizeof( issuerAndSN ) ) ;
588 :
589 0 : issuerAndSN.derIssuer.data = derIssuer->data ;
590 0 : issuerAndSN.derIssuer.len = derIssuer->len ;
591 :
592 0 : issuerAndSN.serialNumber.data = ( unsigned char* )&serialNumber[0] ;
593 0 : issuerAndSN.serialNumber.len = serialNumber.getLength() ;
594 :
595 0 : cert = CERT_FindCertByIssuerAndSN( m_pHandler, &issuerAndSN ) ;
596 0 : if( cert != NULL ) {
597 0 : xcert = NssCertToXCert( cert ) ;
598 : } else {
599 0 : xcert = NULL ;
600 : }
601 :
602 0 : PL_strfree( chIssuer ) ;
603 0 : CERT_DestroyName( nmIssuer ) ;
604 : //SECITEM_FreeItem( derIssuer, PR_FALSE ) ;
605 0 : CERT_DestroyCertificate( cert ) ;
606 0 : PORT_FreeArena( arena, PR_FALSE ) ;
607 : } else {
608 0 : xcert = NULL ;
609 : }
610 :
611 0 : return xcert ;
612 : }
613 :
614 0 : Reference< XCertificate > SecurityEnvironment_NssImpl :: getCertificate( const OUString& issuerName, const OUString& serialNumber ) throw( SecurityException , RuntimeException ) {
615 0 : Sequence< sal_Int8 > serial = numericStringToBigInteger( serialNumber ) ;
616 0 : return getCertificate( issuerName, serial ) ;
617 : }
618 :
619 0 : Sequence< Reference < XCertificate > > SecurityEnvironment_NssImpl :: buildCertificatePath( const Reference< XCertificate >& begin ) throw( SecurityException , RuntimeException ) {
620 : const X509Certificate_NssImpl* xcert ;
621 : const CERTCertificate* cert ;
622 : CERTCertList* certChain ;
623 :
624 0 : Reference< XUnoTunnel > xCertTunnel( begin, UNO_QUERY ) ;
625 0 : if( !xCertTunnel.is() ) {
626 0 : throw RuntimeException() ;
627 : }
628 :
629 : xcert = reinterpret_cast<X509Certificate_NssImpl*>(
630 0 : sal::static_int_cast<sal_uIntPtr>(xCertTunnel->getSomething( X509Certificate_NssImpl::getUnoTunnelId() ))) ;
631 0 : if( xcert == NULL ) {
632 0 : throw RuntimeException() ;
633 : }
634 :
635 0 : cert = xcert->getNssCert() ;
636 0 : if( cert != NULL ) {
637 : int64 timeboundary ;
638 :
639 : //Get the system clock time
640 0 : timeboundary = PR_Now() ;
641 :
642 0 : certChain = CERT_GetCertChainFromCert( ( CERTCertificate* )cert, timeboundary, certUsageAnyCA ) ;
643 : } else {
644 0 : certChain = NULL ;
645 : }
646 :
647 0 : if( certChain != NULL ) {
648 : X509Certificate_NssImpl* pCert ;
649 : CERTCertListNode* node ;
650 : int len ;
651 :
652 0 : for( len = 0, node = CERT_LIST_HEAD( certChain ); !CERT_LIST_END( node, certChain ); node = CERT_LIST_NEXT( node ), len ++ ) ;
653 0 : Sequence< Reference< XCertificate > > xCertChain( len ) ;
654 :
655 0 : for( len = 0, node = CERT_LIST_HEAD( certChain ); !CERT_LIST_END( node, certChain ); node = CERT_LIST_NEXT( node ), len ++ ) {
656 0 : pCert = new X509Certificate_NssImpl() ;
657 0 : if( pCert == NULL ) {
658 0 : CERT_DestroyCertList( certChain ) ;
659 0 : throw RuntimeException() ;
660 : }
661 :
662 0 : pCert->setCert( node->cert ) ;
663 :
664 0 : xCertChain[len] = pCert ;
665 : }
666 :
667 0 : CERT_DestroyCertList( certChain ) ;
668 :
669 0 : return xCertChain ;
670 : }
671 :
672 0 : return Sequence< Reference < XCertificate > >();
673 : }
674 :
675 0 : Reference< XCertificate > SecurityEnvironment_NssImpl :: createCertificateFromRaw( const Sequence< sal_Int8 >& rawCertificate ) throw( SecurityException , RuntimeException ) {
676 : X509Certificate_NssImpl* xcert ;
677 :
678 0 : if( rawCertificate.getLength() > 0 ) {
679 0 : xcert = new X509Certificate_NssImpl() ;
680 0 : if( xcert == NULL )
681 0 : throw RuntimeException() ;
682 :
683 0 : xcert->setRawCert( rawCertificate ) ;
684 : } else {
685 0 : xcert = NULL ;
686 : }
687 :
688 0 : return xcert ;
689 : }
690 :
691 0 : Reference< XCertificate > SecurityEnvironment_NssImpl :: createCertificateFromAscii( const OUString& asciiCertificate ) throw( SecurityException , RuntimeException ) {
692 : xmlChar* chCert ;
693 : xmlSecSize certSize ;
694 :
695 0 : rtl::OString oscert = rtl::OUStringToOString( asciiCertificate , RTL_TEXTENCODING_ASCII_US ) ;
696 :
697 0 : chCert = xmlStrndup( ( const xmlChar* )oscert.getStr(), ( int )oscert.getLength() ) ;
698 :
699 0 : certSize = xmlSecBase64Decode( chCert, ( xmlSecByte* )chCert, xmlStrlen( chCert ) ) ;
700 :
701 0 : Sequence< sal_Int8 > rawCert( certSize ) ;
702 0 : for( unsigned int i = 0 ; i < certSize ; i ++ )
703 0 : rawCert[i] = *( chCert + i ) ;
704 :
705 0 : xmlFree( chCert ) ;
706 :
707 0 : return createCertificateFromRaw( rawCert ) ;
708 : }
709 :
710 0 : sal_Int32 SecurityEnvironment_NssImpl ::
711 : verifyCertificate( const Reference< csss::XCertificate >& aCert,
712 : const Sequence< Reference< csss::XCertificate > >& intermediateCerts )
713 : throw( ::com::sun::star::uno::SecurityException, ::com::sun::star::uno::RuntimeException )
714 : {
715 0 : sal_Int32 validity = csss::CertificateValidity::INVALID;
716 : const X509Certificate_NssImpl* xcert ;
717 : const CERTCertificate* cert ;
718 0 : ::std::vector<CERTCertificate*> vecTmpNSSCertificates;
719 0 : Reference< XUnoTunnel > xCertTunnel( aCert, UNO_QUERY ) ;
720 0 : if( !xCertTunnel.is() ) {
721 0 : throw RuntimeException() ;
722 : }
723 :
724 : xmlsec_trace("Start verification of certificate: \n %s \n",
725 : OUStringToOString(
726 0 : aCert->getSubjectName(), osl_getThreadTextEncoding()).getStr());
727 :
728 : xcert = reinterpret_cast<X509Certificate_NssImpl*>(
729 0 : sal::static_int_cast<sal_uIntPtr>(xCertTunnel->getSomething( X509Certificate_NssImpl::getUnoTunnelId() ))) ;
730 0 : if( xcert == NULL ) {
731 0 : throw RuntimeException() ;
732 : }
733 :
734 : //CERT_PKIXVerifyCert does not take a db as argument. It will therefore
735 : //internally use CERT_GetDefaultCertDB
736 : //Make sure m_pHandler is the default DB
737 : OSL_ASSERT(m_pHandler == CERT_GetDefaultCertDB());
738 0 : CERTCertDBHandle * certDb = m_pHandler != NULL ? m_pHandler : CERT_GetDefaultCertDB();
739 0 : cert = xcert->getNssCert() ;
740 0 : if( cert != NULL )
741 : {
742 :
743 : //prepare the intermediate certificates
744 0 : for (sal_Int32 i = 0; i < intermediateCerts.getLength(); i++)
745 : {
746 0 : Sequence<sal_Int8> der = intermediateCerts[i]->getEncoded();
747 : SECItem item;
748 0 : item.type = siBuffer;
749 0 : item.data = (unsigned char*)der.getArray();
750 0 : item.len = der.getLength();
751 :
752 : CERTCertificate* certTmp = CERT_NewTempCertificate(certDb, &item,
753 : NULL /* nickname */,
754 : PR_FALSE /* isPerm */,
755 0 : PR_TRUE /* copyDER */);
756 0 : if (!certTmp)
757 : {
758 : xmlsec_trace("Failed to add a temporary certificate: %s",
759 0 : OUStringToOString(intermediateCerts[i]->getIssuerName(),
760 0 : osl_getThreadTextEncoding()).getStr());
761 :
762 : }
763 : else
764 : {
765 : xmlsec_trace("Added temporary certificate: %s",
766 0 : certTmp->subjectName ? certTmp->subjectName : "");
767 0 : vecTmpNSSCertificates.push_back(certTmp);
768 : }
769 0 : }
770 :
771 :
772 : SECStatus status ;
773 :
774 : CERTVerifyLog log;
775 0 : log.arena = PORT_NewArena(512);
776 0 : log.head = log.tail = NULL;
777 0 : log.count = 0;
778 :
779 0 : CERT_EnableOCSPChecking(certDb);
780 0 : CERT_DisableOCSPDefaultResponder(certDb);
781 : CERTValOutParam cvout[5];
782 : CERTValInParam cvin[3];
783 0 : int ncvinCount=0;
784 :
785 : #if ( NSS_VMAJOR > 3 ) || ( NSS_VMAJOR == 3 && NSS_VMINOR > 12 ) || ( NSS_VMAJOR == 3 && NSS_VMINOR == 12 && NSS_VPATCH > 0 )
786 0 : cvin[ncvinCount].type = cert_pi_useAIACertFetch;
787 0 : cvin[ncvinCount].value.scalar.b = PR_TRUE;
788 0 : ncvinCount++;
789 : #endif
790 :
791 : PRUint64 revFlagsLeaf[2];
792 : PRUint64 revFlagsChain[2];
793 : CERTRevocationFlags rev;
794 0 : rev.leafTests.number_of_defined_methods = 2;
795 0 : rev.leafTests.cert_rev_flags_per_method = revFlagsLeaf;
796 : //the flags are defined in cert.h
797 : //We check both leaf and chain.
798 : //It is enough if one revocation method has fresh info,
799 : //but at least one must have some. Otherwise validation fails.
800 : //!!! using leaf test and CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE
801 : // when validating a root certificate will result in "revoked". Usually
802 : //there is no revocation information available for the root cert because
803 : //it must be trusted anyway and it does itself issue revocation information.
804 : //When we use the flag here and OOo shows the certification path then the root
805 : //cert is invalid while all other can be valid. It would probably best if
806 : //this interface method returned the whole chain.
807 : //Otherwise we need to check if the certificate is self-signed and if it is
808 : //then not use the flag when doing the leaf-test.
809 0 : rev.leafTests.cert_rev_flags_per_method[cert_revocation_method_crl] =
810 : CERT_REV_M_TEST_USING_THIS_METHOD
811 0 : | CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE;
812 0 : rev.leafTests.cert_rev_flags_per_method[cert_revocation_method_ocsp] =
813 : CERT_REV_M_TEST_USING_THIS_METHOD
814 0 : | CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE;
815 0 : rev.leafTests.number_of_preferred_methods = 0;
816 0 : rev.leafTests.preferred_methods = NULL;
817 : rev.leafTests.cert_rev_method_independent_flags =
818 0 : CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST;
819 :
820 0 : rev.chainTests.number_of_defined_methods = 2;
821 0 : rev.chainTests.cert_rev_flags_per_method = revFlagsChain;
822 0 : rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_crl] =
823 : CERT_REV_M_TEST_USING_THIS_METHOD
824 0 : | CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE;
825 0 : rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_ocsp] =
826 : CERT_REV_M_TEST_USING_THIS_METHOD
827 0 : | CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE;
828 0 : rev.chainTests.number_of_preferred_methods = 0;
829 0 : rev.chainTests.preferred_methods = NULL;
830 : rev.chainTests.cert_rev_method_independent_flags =
831 0 : CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST;
832 :
833 :
834 0 : cvin[ncvinCount].type = cert_pi_revocationFlags;
835 0 : cvin[ncvinCount].value.pointer.revocation = &rev;
836 0 : ncvinCount++;
837 : // does not work, not implemented yet in 3.12.4
838 : // cvin[ncvinCount].type = cert_pi_keyusage;
839 : // cvin[ncvinCount].value.scalar.ui = KU_DIGITAL_SIGNATURE;
840 : // ncvinCount++;
841 0 : cvin[ncvinCount].type = cert_pi_end;
842 :
843 0 : cvout[0].type = cert_po_trustAnchor;
844 0 : cvout[0].value.pointer.cert = NULL;
845 0 : cvout[1].type = cert_po_errorLog;
846 0 : cvout[1].value.pointer.log = &log;
847 0 : cvout[2].type = cert_po_end;
848 :
849 : // We check SSL server certificates, CA certificates and signing sertificates.
850 : //
851 : // ToDo check keyusage, looking at CERT_KeyUsageAndTypeForCertUsage (
852 : // mozilla/security/nss/lib/certdb/certdb.c indicates that
853 : // certificateUsageSSLClient, certificateUsageSSLServer and certificateUsageSSLCA
854 : // are sufficient. They cover the key usages for digital signature, key agreement
855 : // and encipherment and certificate signature
856 :
857 : //never use the following usages because they are not checked properly
858 : // certificateUsageUserCertImport
859 : // certificateUsageVerifyCA
860 : // certificateUsageAnyCA
861 : // certificateUsageProtectedObjectSigner
862 :
863 0 : UsageDescription arUsages[5];
864 0 : arUsages[0] = UsageDescription( certificateUsageSSLClient, "certificateUsageSSLClient" );
865 0 : arUsages[1] = UsageDescription( certificateUsageSSLServer, "certificateUsageSSLServer" );
866 0 : arUsages[2] = UsageDescription( certificateUsageSSLCA, "certificateUsageSSLCA" );
867 0 : arUsages[3] = UsageDescription( certificateUsageEmailSigner, "certificateUsageEmailSigner" );
868 0 : arUsages[4] = UsageDescription( certificateUsageEmailRecipient, "certificateUsageEmailRecipient" );
869 :
870 0 : int numUsages = SAL_N_ELEMENTS(arUsages);
871 0 : for (int i = 0; i < numUsages; i++)
872 : {
873 : xmlsec_trace("Testing usage %d of %d: %s (0x%x)", i + 1,
874 0 : numUsages, arUsages[i].description, (int) arUsages[i].usage);
875 :
876 : status = CERT_PKIXVerifyCert(const_cast<CERTCertificate *>(cert), arUsages[i].usage,
877 0 : cvin, cvout, NULL);
878 0 : if( status == SECSuccess )
879 : {
880 0 : xmlsec_trace("CERT_PKIXVerifyCert returned SECSuccess.");
881 : //When an intermediate or root certificate is checked then we expect the usage
882 : //certificateUsageSSLCA. This, however, will be only set when in the trust settings dialog
883 : //the button "This certificate can identify websites" is checked. If for example only
884 : //"This certificate can identify mail users" is set then the end certificate can
885 : //be validated and the returned usage will conain certificateUsageEmailRecipient.
886 : //But checking directly the root or intermediate certificate will fail. In the
887 : //certificate path view the end certificate will be shown as valid but the others
888 : //will be displayed as invalid.
889 :
890 0 : validity = csss::CertificateValidity::VALID;
891 0 : xmlsec_trace("Certificate is valid.\n");
892 0 : CERTCertificate * issuerCert = cvout[0].value.pointer.cert;
893 0 : if (issuerCert)
894 : {
895 0 : xmlsec_trace("Root certificate: %s", issuerCert->subjectName);
896 0 : CERT_DestroyCertificate(issuerCert);
897 : };
898 :
899 0 : break;
900 : }
901 : else
902 : {
903 0 : PRIntn err = PR_GetError();
904 0 : xmlsec_trace("Error: , %d = %s", err, getCertError(err));
905 :
906 : /* Display validation results */
907 0 : if ( log.count > 0)
908 : {
909 0 : CERTVerifyLogNode *node = NULL;
910 0 : printChainFailure(&log);
911 :
912 0 : for (node = log.head; node; node = node->next) {
913 0 : if (node->cert)
914 0 : CERT_DestroyCertificate(node->cert);
915 : }
916 0 : log.head = log.tail = NULL;
917 0 : log.count = 0;
918 : }
919 0 : xmlsec_trace("Certificate is invalid.\n");
920 : }
921 : }
922 :
923 : }
924 : else
925 : {
926 0 : validity = ::com::sun::star::security::CertificateValidity::INVALID ;
927 : }
928 :
929 : //Destroying the temporary certificates
930 0 : std::vector<CERTCertificate*>::const_iterator cert_i;
931 0 : for (cert_i = vecTmpNSSCertificates.begin(); cert_i != vecTmpNSSCertificates.end(); ++cert_i)
932 : {
933 0 : xmlsec_trace("Destroying temporary certificate");
934 0 : CERT_DestroyCertificate(*cert_i);
935 : }
936 0 : return validity ;
937 : }
938 :
939 0 : sal_Int32 SecurityEnvironment_NssImpl::getCertificateCharacters(
940 : const ::com::sun::star::uno::Reference< ::com::sun::star::security::XCertificate >& aCert ) throw( ::com::sun::star::uno::SecurityException, ::com::sun::star::uno::RuntimeException ) {
941 : sal_Int32 characters ;
942 : const X509Certificate_NssImpl* xcert ;
943 : const CERTCertificate* cert ;
944 :
945 0 : Reference< XUnoTunnel > xCertTunnel( aCert, UNO_QUERY ) ;
946 0 : if( !xCertTunnel.is() ) {
947 0 : throw RuntimeException() ;
948 : }
949 :
950 : xcert = reinterpret_cast<X509Certificate_NssImpl*>(
951 0 : sal::static_int_cast<sal_uIntPtr>(xCertTunnel->getSomething( X509Certificate_NssImpl::getUnoTunnelId() ))) ;
952 0 : if( xcert == NULL ) {
953 0 : throw RuntimeException() ;
954 : }
955 :
956 0 : cert = xcert->getNssCert() ;
957 :
958 0 : characters = 0x00000000 ;
959 :
960 : //Firstly, find out whether or not the cert is self-signed.
961 0 : if( SECITEM_CompareItem( &(cert->derIssuer), &(cert->derSubject) ) == SECEqual ) {
962 0 : characters |= ::com::sun::star::security::CertificateCharacters::SELF_SIGNED ;
963 : } else {
964 0 : characters &= ~ ::com::sun::star::security::CertificateCharacters::SELF_SIGNED ;
965 : }
966 :
967 : //Secondly, find out whether or not the cert has a private key.
968 :
969 : /*
970 : * i40394
971 : *
972 : * mmi : need to check whether the cert's slot is valid first
973 : */
974 0 : SECKEYPrivateKey* priKey = NULL;
975 :
976 0 : if (cert->slot != NULL)
977 : {
978 0 : priKey = PK11_FindPrivateKeyFromCert( cert->slot, ( CERTCertificate* )cert, NULL ) ;
979 : }
980 0 : if(priKey == NULL)
981 : {
982 0 : for (CIT_SLOTS is = m_Slots.begin(); is != m_Slots.end(); is++)
983 : {
984 0 : priKey = PK11_FindPrivateKeyFromCert(*is, (CERTCertificate*)cert, NULL);
985 0 : if (priKey)
986 0 : break;
987 : }
988 : }
989 0 : if( priKey != NULL ) {
990 0 : characters |= ::com::sun::star::security::CertificateCharacters::HAS_PRIVATE_KEY ;
991 :
992 0 : SECKEY_DestroyPrivateKey( priKey ) ;
993 : } else {
994 0 : characters &= ~ ::com::sun::star::security::CertificateCharacters::HAS_PRIVATE_KEY ;
995 : }
996 :
997 0 : return characters ;
998 : }
999 :
1000 0 : X509Certificate_NssImpl* NssCertToXCert( CERTCertificate* cert )
1001 : {
1002 : X509Certificate_NssImpl* xcert ;
1003 :
1004 0 : if( cert != NULL ) {
1005 0 : xcert = new X509Certificate_NssImpl() ;
1006 0 : if( xcert == NULL ) {
1007 0 : xcert = NULL ;
1008 : } else {
1009 0 : xcert->setCert( cert ) ;
1010 : }
1011 : } else {
1012 0 : xcert = NULL ;
1013 : }
1014 :
1015 0 : return xcert ;
1016 : }
1017 :
1018 0 : X509Certificate_NssImpl* NssPrivKeyToXCert( SECKEYPrivateKey* priKey )
1019 : {
1020 : CERTCertificate* cert ;
1021 : X509Certificate_NssImpl* xcert ;
1022 :
1023 0 : if( priKey != NULL ) {
1024 0 : cert = PK11_GetCertFromPrivateKey( priKey ) ;
1025 :
1026 0 : if( cert != NULL ) {
1027 0 : xcert = NssCertToXCert( cert ) ;
1028 : } else {
1029 0 : xcert = NULL ;
1030 : }
1031 :
1032 0 : CERT_DestroyCertificate( cert ) ;
1033 : } else {
1034 0 : xcert = NULL ;
1035 : }
1036 :
1037 0 : return xcert ;
1038 : }
1039 :
1040 :
1041 : /* Native methods */
1042 0 : xmlSecKeysMngrPtr SecurityEnvironment_NssImpl::createKeysManager() throw( Exception, RuntimeException ) {
1043 :
1044 : unsigned int i ;
1045 0 : CERTCertDBHandle* handler = NULL ;
1046 0 : PK11SymKey* symKey = NULL ;
1047 0 : SECKEYPublicKey* pubKey = NULL ;
1048 0 : SECKEYPrivateKey* priKey = NULL ;
1049 0 : xmlSecKeysMngrPtr pKeysMngr = NULL ;
1050 :
1051 0 : handler = this->getCertDb() ;
1052 :
1053 : /*-
1054 : * The following lines is based on the private version of xmlSec-NSS
1055 : * crypto engine
1056 : */
1057 0 : int cSlots = m_Slots.size();
1058 0 : boost::scoped_array<PK11SlotInfo*> sarSlots(new PK11SlotInfo*[cSlots]);
1059 0 : PK11SlotInfo** slots = sarSlots.get();
1060 0 : int count = 0;
1061 0 : for (CIT_SLOTS islots = m_Slots.begin();islots != m_Slots.end(); islots++, count++)
1062 0 : slots[count] = *islots;
1063 :
1064 0 : pKeysMngr = xmlSecNssAppliedKeysMngrCreate(slots, cSlots, handler ) ;
1065 0 : if( pKeysMngr == NULL )
1066 0 : throw RuntimeException() ;
1067 :
1068 : /*-
1069 : * Adopt symmetric key into keys manager
1070 : */
1071 0 : for( i = 0 ; ( symKey = this->getSymKey( i ) ) != NULL ; i ++ ) {
1072 0 : if( xmlSecNssAppliedKeysMngrSymKeyLoad( pKeysMngr, symKey ) < 0 ) {
1073 0 : throw RuntimeException() ;
1074 : }
1075 : }
1076 :
1077 : /*-
1078 : * Adopt asymmetric public key into keys manager
1079 : */
1080 0 : for( i = 0 ; ( pubKey = this->getPubKey( i ) ) != NULL ; i ++ ) {
1081 0 : if( xmlSecNssAppliedKeysMngrPubKeyLoad( pKeysMngr, pubKey ) < 0 ) {
1082 0 : throw RuntimeException() ;
1083 : }
1084 : }
1085 :
1086 : /*-
1087 : * Adopt asymmetric private key into keys manager
1088 : */
1089 0 : for( i = 0 ; ( priKey = this->getPriKey( i ) ) != NULL ; i ++ ) {
1090 0 : if( xmlSecNssAppliedKeysMngrPriKeyLoad( pKeysMngr, priKey ) < 0 ) {
1091 0 : throw RuntimeException() ;
1092 : }
1093 : }
1094 0 : return pKeysMngr ;
1095 : }
1096 0 : void SecurityEnvironment_NssImpl::destroyKeysManager(xmlSecKeysMngrPtr pKeysMngr) throw( Exception, RuntimeException ) {
1097 0 : if( pKeysMngr != NULL ) {
1098 0 : xmlSecKeysMngrDestroy( pKeysMngr ) ;
1099 : }
1100 0 : }
1101 :
1102 : /* vim:set shiftwidth=4 softtabstop=4 expandtab: */
|