1 : /* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
2 : /*
3 : * This file is part of the LibreOffice project.
4 : *
5 : * This Source Code Form is subject to the terms of the Mozilla Public
6 : * License, v. 2.0. If a copy of the MPL was not distributed with this
7 : * file, You can obtain one at http://mozilla.org/MPL/2.0/.
8 : *
9 : * This file incorporates work covered by the following license notice:
10 : *
11 : * Licensed to the Apache Software Foundation (ASF) under one or more
12 : * contributor license agreements. See the NOTICE file distributed
13 : * with this work for additional information regarding copyright
14 : * ownership. The ASF licenses this file to you under the Apache
15 : * License, Version 2.0 (the "License"); you may not use this file
16 : * except in compliance with the License. You may obtain a copy of
17 : * the License at http://www.apache.org/licenses/LICENSE-2.0 .
18 : */
19 :
20 : #include "nssrenam.h" // rename problematic symbols
21 : #include "cert.h"
22 : #include "secerr.h"
23 : #include "ocsp.h"
24 :
25 : #include <sal/config.h>
26 : #include <sal/macros.h>
27 : #include "securityenvironment_nssimpl.hxx"
28 : #include "x509certificate_nssimpl.hxx"
29 : #include <comphelper/servicehelper.hxx>
30 : #include "../diagnose.hxx"
31 :
32 : #include <sal/types.h>
33 : //For reasons that escape me, this is what xmlsec does when size_t is not 4
34 : #if SAL_TYPES_SIZEOFPOINTER != 4
35 : # define XMLSEC_NO_SIZE_T
36 : #endif
37 : #include <xmlsec/xmlsec.h>
38 : #include <xmlsec/keysmngr.h>
39 : #include <xmlsec/crypto.h>
40 : #include <xmlsec/base64.h>
41 : #include <xmlsec/strings.h>
42 :
43 : #include <rtl/ustrbuf.hxx>
44 : #include <comphelper/processfactory.hxx>
45 : #include <comphelper/docpasswordrequest.hxx>
46 : #include <xmlsecurity/biginteger.hxx>
47 : #include <sal/log.hxx>
48 : #include <com/sun/star/task/InteractionHandler.hpp>
49 : #include <vector>
50 : #include "boost/scoped_array.hpp"
51 : #include <osl/thread.h>
52 :
53 : #include "secerror.hxx"
54 :
55 : // added for password exception
56 : #include <com/sun/star/security/NoPasswordException.hpp>
57 : namespace csss = ::com::sun::star::security;
58 : using namespace xmlsecurity;
59 : using namespace ::com::sun::star::security;
60 : using namespace com::sun::star;
61 : using namespace ::com::sun::star::uno ;
62 : using namespace ::com::sun::star::lang ;
63 : using ::com::sun::star::lang::XMultiServiceFactory ;
64 : using ::com::sun::star::lang::XSingleServiceFactory ;
65 : using ::rtl::OUString ;
66 :
67 : using ::com::sun::star::xml::crypto::XSecurityEnvironment ;
68 : using ::com::sun::star::security::XCertificate ;
69 :
70 : extern X509Certificate_NssImpl* NssCertToXCert( CERTCertificate* cert ) ;
71 : extern X509Certificate_NssImpl* NssPrivKeyToXCert( SECKEYPrivateKey* ) ;
72 :
73 :
/// Pairs an NSS certificate-usage flag with a printable label (the label is
/// used for trace output in verifyCertificate).
struct UsageDescription
{
    SECCertificateUsage usage;        // usage flag handed to the verifier
    char const*         description;  // label; only the pointer is stored, never copied or freed

    /// Default: "check all usages" with no label.
    UsageDescription()
        : usage( certificateUsageCheckAllUsages ), description( NULL )
    {
    }

    /// Builds an entry from an explicit usage flag and its label.
    UsageDescription( SECCertificateUsage eUsage, char const* pLabel )
        : usage( eUsage ), description( pLabel )
    {
    }

    /// Member-wise copy.
    UsageDescription( const UsageDescription& rOther )
        : usage( rOther.usage ), description( rOther.description )
    {
    }

    /// Member-wise assignment.
    UsageDescription& operator =( const UsageDescription& rOther )
    {
        usage       = rOther.usage;
        description = rOther.description;
        return *this;
    }
};
101 :
102 :
103 :
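/**
 * Password callback installed via PK11_SetPasswordFunc (see the constructor).
 * Prompts the user for the token password through the UNO interaction handler.
 *
 * @param pSlot   slot whose token name is shown in the password request
 * @param bRetry  non-zero selects the "re-enter password" request mode
 * @return a PORT_Alloc'ed, NUL-terminated copy of the password in the thread
 *         text encoding, or NULL when no password was supplied or the
 *         allocation failed. Per the NSS callback contract the caller is
 *         expected to release the buffer - TODO confirm against the NSS
 *         version in use.
 */
char* GetPasswordFunction( PK11SlotInfo* pSlot, PRBool bRetry, void* /*arg*/ )
{
    uno::Reference< uno::XComponentContext > xContext( ::comphelper::getProcessComponentContext() );
    uno::Reference < task::XInteractionHandler2 > xInteractionHandler(
        task::InteractionHandler::createWithParent(xContext, 0) );

    task::PasswordRequestMode eMode = bRetry ? task::PasswordRequestMode_PASSWORD_REENTER : task::PasswordRequestMode_PASSWORD_ENTER;
    ::comphelper::DocPasswordRequest* pPasswordRequest = new ::comphelper::DocPasswordRequest(
        ::comphelper::DocPasswordRequestType_STANDARD, eMode, ::rtl::OUString::createFromAscii(PK11_GetTokenName(pSlot)) );

    // xRequest keeps the request object alive while the handler runs and
    // releases it when this function returns.
    uno::Reference< task::XInteractionRequest > xRequest( pPasswordRequest );
    xInteractionHandler->handle( xRequest );

    if ( !pPasswordRequest->isPassword() )
        return NULL;

    // NOTE(review): aPassword is a second in-memory copy of the secret and is
    // not wiped before it goes out of scope.
    rtl::OString aPassword(rtl::OUStringToOString(
        pPasswordRequest->getPassword(),
        osl_getThreadTextEncoding()));
    sal_Int32 nLen = aPassword.getLength();

    char* pPassword = (char*) PORT_Alloc( nLen+1 ) ;
    // Allocation can fail; writing through a NULL pointer here would crash
    // in the middle of a token login, so report "no password" instead.
    if ( pPassword == NULL )
        return NULL;

    memcpy( pPassword, aPassword.getStr(), nLen );
    pPassword[nLen] = 0;
    return pPassword;
}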
130 :
/**
 * Creates an environment with no certificate database and empty key lists,
 * and registers GetPasswordFunction as the NSS password callback.
 * The service factory argument is not used.
 *
 * NOTE(review): PK11_SetPasswordFunc installs a process-wide callback and the
 * destructor resets it to NULL, so destroying one instance appears to remove
 * the callback for any other live instance - confirm this is intended.
 */
SecurityEnvironment_NssImpl :: SecurityEnvironment_NssImpl( const Reference< XMultiServiceFactory >& )
    : m_pHandler( NULL )
    , m_tSymKeyList()
    , m_tPubKeyList()
    , m_tPriKeyList()
{
    PK11_SetPasswordFunc( GetPasswordFunction ) ;
}
136 :
/**
 * Unhooks the NSS password callback and releases every slot reference and
 * every symmetric, public and private key this environment still holds.
 */
SecurityEnvironment_NssImpl :: ~SecurityEnvironment_NssImpl()
{
    PK11_SetPasswordFunc( NULL ) ;

    // Slots were referenced in addCryptoSlot; drop those references.
    for( CIT_SLOTS slotIt = m_Slots.begin() ; slotIt != m_Slots.end() ; ++slotIt )
        PK11_FreeSlot( *slotIt ) ;

    // Iterating an empty list is a no-op, so no emptiness test is needed.
    for( std::list< PK11SymKey* >::iterator it = m_tSymKeyList.begin() ; it != m_tSymKeyList.end() ; ++it )
        PK11_FreeSymKey( *it ) ;

    for( std::list< SECKEYPublicKey* >::iterator it = m_tPubKeyList.begin() ; it != m_tPubKeyList.end() ; ++it )
        SECKEY_DestroyPublicKey( *it ) ;

    for( std::list< SECKEYPrivateKey* >::iterator it = m_tPriKeyList.begin() ; it != m_tPriKeyList.end() ; ++it )
        SECKEY_DestroyPrivateKey( *it ) ;
}
167 :
168 : /* XInitialization */
/// XInitialization: accepts and ignores its arguments (implementation still marked TBD).
void SAL_CALL SecurityEnvironment_NssImpl :: initialize( const Sequence< Any >& ) throw( Exception, RuntimeException )
{
    // TBD
}
172 :
173 : /* XServiceInfo */
/// XServiceInfo: returns the implementation name supplied by impl_getImplementationName().
OUString SAL_CALL SecurityEnvironment_NssImpl :: getImplementationName() throw( RuntimeException )
{
    const OUString aImplName( impl_getImplementationName() ) ;
    return aImplName ;
}
177 :
178 : /* XServiceInfo */
/// XServiceInfo: sal_True when serviceName equals one of the supported service names.
sal_Bool SAL_CALL SecurityEnvironment_NssImpl :: supportsService( const OUString& serviceName) throw( RuntimeException )
{
    const Sequence< OUString > aNames = getSupportedServiceNames() ;
    const sal_Int32 nCount = aNames.getLength() ;

    for( sal_Int32 n = 0 ; n < nCount ; ++n )
    {
        if( aNames[n] == serviceName )
            return sal_True ;
    }
    return sal_False ;
}
188 :
189 : /* XServiceInfo */
/// XServiceInfo: returns the list built by impl_getSupportedServiceNames().
Sequence< OUString > SAL_CALL SecurityEnvironment_NssImpl :: getSupportedServiceNames() throw( RuntimeException )
{
    const Sequence< OUString > aNames( impl_getSupportedServiceNames() ) ;
    return aNames ;
}
193 :
194 : //Helper for XServiceInfo
/// Builds the one-element service-name list while holding the global mutex.
Sequence< OUString > SecurityEnvironment_NssImpl :: impl_getSupportedServiceNames()
{
    ::osl::Guard< ::osl::Mutex > aLock( ::osl::Mutex::getGlobalMutex() ) ;

    Sequence< OUString > aNames( 1 ) ;
    aNames[0] = OUString("com.sun.star.xml.crypto.SecurityEnvironment") ;
    return aNames ;
}
201 :
/// Returns the fixed implementation name of this component.
OUString SecurityEnvironment_NssImpl :: impl_getImplementationName() throw( RuntimeException )
{
    const OUString aName("com.sun.star.xml.security.bridge.xmlsec.SecurityEnvironment_NssImpl") ;
    return aName ;
}
205 :
206 : //Helper for registry
/// Factory callback: creates a new environment and hands it out as XInterface.
Reference< XInterface > SAL_CALL SecurityEnvironment_NssImpl :: impl_createInstance( const Reference< XMultiServiceFactory >& aServiceManager ) throw( RuntimeException )
{
    SecurityEnvironment_NssImpl* pEnvironment = new SecurityEnvironment_NssImpl( aServiceManager ) ;
    // The returned reference is the only thing holding the new object.
    return Reference< XInterface >( *pEnvironment ) ;
}
210 :
/// Creates the single-service factory that produces instances through impl_createInstance.
Reference< XSingleServiceFactory > SecurityEnvironment_NssImpl :: impl_createFactory( const Reference< XMultiServiceFactory >& aServiceManager )
{
    return ::cppu::createSingleFactory(
        aServiceManager ,
        impl_getImplementationName() ,
        impl_createInstance ,
        impl_getSupportedServiceNames() ) ;
}
214 :
215 : /* XUnoTunnel */
/**
 * XUnoTunnel: returns this object's address as an integer when aIdentifier is
 * exactly this class's 16-byte tunnel id, and 0 for any other identifier.
 *
 * The returned value is a raw pointer with no reference taken; callers cast
 * it back to SecurityEnvironment_NssImpl* and must keep their own reference
 * to the object for as long as they use it.
 */
sal_Int64 SAL_CALL SecurityEnvironment_NssImpl :: getSomething( const Sequence< sal_Int8 >& aIdentifier )
    throw( RuntimeException )
{
    // Length is checked first so memcmp never reads past a short identifier.
    const bool bIdMatches =
        aIdentifier.getLength() == 16
        && memcmp( getUnoTunnelId().getConstArray(), aIdentifier.getConstArray(), 16 ) == 0 ;

    if( !bIdMatches )
        return 0 ;

    return sal::static_int_cast<sal_Int64>(reinterpret_cast<sal_uIntPtr>(this));
}
224 :
225 : /* XUnoTunnel extension */
226 :
namespace
{
    // File-local holder for the UnoTunnelIdInit object behind getUnoTunnelId();
    // rtl::Static provides the single shared instance.
    class theSecurityEnvironment_NssImplUnoTunnelId : public rtl::Static< UnoTunnelIdInit, theSecurityEnvironment_NssImplUnoTunnelId > {};
}
231 :
/// Returns the tunnel id that getSomething() compares incoming identifiers against.
const Sequence< sal_Int8>& SecurityEnvironment_NssImpl :: getUnoTunnelId()
{
    UnoTunnelIdInit& rIdHolder = theSecurityEnvironment_NssImplUnoTunnelId::get() ;
    return rIdHolder.getSeq();
}
235 :
/// Returns the token name of every registered slot, one per line (each followed by "\n").
::rtl::OUString SecurityEnvironment_NssImpl::getSecurityEnvironmentInformation() throw( ::com::sun::star::uno::RuntimeException )
{
    ::rtl::OUStringBuffer aTokenNames;

    CIT_SLOTS slotIt = m_Slots.begin();
    while (slotIt != m_Slots.end())
    {
        // NOTE(review): createFromAscii assumes the token name is plain ASCII - confirm for tokens with other labels.
        const rtl::OUString aName = rtl::OUString::createFromAscii(PK11_GetTokenName(*slotIt));
        aTokenNames.append(aName);
        aTokenNames.appendAscii("\n");
        ++slotIt;
    }

    return aTokenNames.makeStringAndClear();
}
246 :
/**
 * Registers a slot with this environment. A new reference is taken on the
 * slot, so the caller keeps (and must still release) its own reference; the
 * destructor releases the one taken here.
 */
void SecurityEnvironment_NssImpl::addCryptoSlot( PK11SlotInfo* aSlot) throw( Exception , RuntimeException )
{
    // PK11_ReferenceSlot returns the slot it was given after bumping its reference count.
    m_Slots.push_back( PK11_ReferenceSlot( aSlot ) );
}
252 :
/// Returns the certificate database handle last set with setCertDb(), or NULL if none was set.
CERTCertDBHandle* SecurityEnvironment_NssImpl :: getCertDb() throw( Exception , RuntimeException )
{
    CERTCertDBHandle* const pCurrentDb = m_pHandler ;
    return pCurrentDb ;
}
256 :
257 : //Could we have multiple cert dbs?
/// Stores the certificate database handle; the handle is only remembered, this class never frees it.
void SecurityEnvironment_NssImpl :: setCertDb( CERTCertDBHandle* aCertDb ) throw( Exception , RuntimeException )
{
    this->m_pHandler = aCertDb ;
}
261 :
/**
 * Adds a symmetric key to the environment unless the same pointer is already
 * registered. The list holds its own reference (PK11_ReferenceSymKey), so the
 * caller still owns and must free the reference it passed in.
 *
 * @throws RuntimeException when the reference cannot be taken
 */
void SecurityEnvironment_NssImpl :: adoptSymKey( PK11SymKey* aSymKey ) throw( Exception , RuntimeException )
{
    if( aSymKey == NULL )
        return ;

    // Already registered? Then there is nothing to do.
    for( std::list< PK11SymKey* >::iterator it = m_tSymKeyList.begin() ; it != m_tSymKeyList.end() ; ++it )
    {
        if( *it == aSymKey )
            return ;
    }

    PK11SymKey* pOwnedRef = PK11_ReferenceSymKey( aSymKey ) ;
    if( pOwnedRef == NULL )
        throw RuntimeException() ;

    try
    {
        m_tSymKeyList.push_back( pOwnedRef ) ;
    }
    catch ( Exception& )
    {
        // NOTE(review): only UNO exceptions land here, and the failure is
        // swallowed, so the caller cannot tell the key was not stored.
        PK11_FreeSymKey( pOwnedRef ) ;
    }
}
285 :
/// Removes the given symmetric key (matched by pointer) from the list and frees the list's reference to it.
void SecurityEnvironment_NssImpl :: rejectSymKey( PK11SymKey* aSymKey ) throw( Exception , RuntimeException )
{
    if( aSymKey == NULL )
        return ;

    std::list< PK11SymKey* >::iterator it = m_tSymKeyList.begin() ;
    while( it != m_tSymKeyList.end() )
    {
        if( *it == aSymKey )
        {
            // Release first, then unlink; the iterator is not used afterwards.
            PK11_FreeSymKey( *it ) ;
            m_tSymKeyList.erase( it ) ;
            return ;
        }
        ++it ;
    }
}
301 :
/**
 * Returns the symmetric key at the given zero-based position, or NULL when
 * the position is past the end of the list. No reference is added: the
 * pointer stays owned by this environment.
 */
PK11SymKey* SecurityEnvironment_NssImpl :: getSymKey( unsigned int position ) throw( Exception , RuntimeException )
{
    std::list< PK11SymKey* >::iterator it = m_tSymKeyList.begin() ;
    unsigned int nSkipped = 0 ;

    while( nSkipped < position && it != m_tSymKeyList.end() )
    {
        ++it ;
        ++nSkipped ;
    }

    // Reaching end() means the list is shorter than position + 1.
    if( it == m_tSymKeyList.end() )
        return NULL ;

    return *it ;
}
315 :
/**
 * Adds a copy of the public key to the environment unless the same pointer
 * is already registered. The caller keeps ownership of aPubKey.
 *
 * NOTE(review): the list stores the result of SECKEY_CopyPublicKey, which is
 * presumably a different pointer than aPubKey, so the duplicate check only
 * matches pointers previously returned by getPubKey() - confirm.
 *
 * @throws RuntimeException when the key cannot be copied
 */
void SecurityEnvironment_NssImpl :: adoptPubKey( SECKEYPublicKey* aPubKey ) throw( Exception , RuntimeException )
{
    if( aPubKey == NULL )
        return ;

    // Already registered? Then there is nothing to do.
    for( std::list< SECKEYPublicKey* >::iterator it = m_tPubKeyList.begin() ; it != m_tPubKeyList.end() ; ++it )
    {
        if( *it == aPubKey )
            return ;
    }

    SECKEYPublicKey* pOwnedCopy = SECKEY_CopyPublicKey( aPubKey ) ;
    if( pOwnedCopy == NULL )
        throw RuntimeException() ;

    try
    {
        m_tPubKeyList.push_back( pOwnedCopy ) ;
    }
    catch ( Exception& )
    {
        // NOTE(review): only UNO exceptions land here, and the failure is
        // swallowed, so the caller cannot tell the key was not stored.
        SECKEY_DestroyPublicKey( pOwnedCopy ) ;
    }
}
339 :
/// Removes the given public key (matched by pointer) from the list and destroys it.
void SecurityEnvironment_NssImpl :: rejectPubKey( SECKEYPublicKey* aPubKey ) throw( Exception , RuntimeException )
{
    if( aPubKey == NULL )
        return ;

    std::list< SECKEYPublicKey* >::iterator it = m_tPubKeyList.begin() ;
    while( it != m_tPubKeyList.end() )
    {
        if( *it == aPubKey )
        {
            // Destroy first, then unlink; the iterator is not used afterwards.
            SECKEY_DestroyPublicKey( *it ) ;
            m_tPubKeyList.erase( it ) ;
            return ;
        }
        ++it ;
    }
}
355 :
/**
 * Returns the public key at the given zero-based position, or NULL when the
 * position is past the end of the list. The pointer stays owned by this
 * environment.
 */
SECKEYPublicKey* SecurityEnvironment_NssImpl :: getPubKey( unsigned int position ) throw( Exception , RuntimeException )
{
    std::list< SECKEYPublicKey* >::iterator it = m_tPubKeyList.begin() ;
    unsigned int nSkipped = 0 ;

    while( nSkipped < position && it != m_tPubKeyList.end() )
    {
        ++it ;
        ++nSkipped ;
    }

    // Reaching end() means the list is shorter than position + 1.
    if( it == m_tPubKeyList.end() )
        return NULL ;

    return *it ;
}
369 :
/**
 * Adds a copy of the private key to the environment unless the same pointer
 * is already registered. The caller keeps ownership of aPriKey.
 *
 * NOTE(review): the list stores the result of SECKEY_CopyPrivateKey, which is
 * presumably a different pointer than aPriKey, so the duplicate check only
 * matches pointers previously returned by getPriKey() - confirm.
 *
 * @throws RuntimeException when the key cannot be copied
 */
void SecurityEnvironment_NssImpl :: adoptPriKey( SECKEYPrivateKey* aPriKey ) throw( Exception , RuntimeException )
{
    if( aPriKey == NULL )
        return ;

    // Already registered? Then there is nothing to do.
    for( std::list< SECKEYPrivateKey* >::iterator it = m_tPriKeyList.begin() ; it != m_tPriKeyList.end() ; ++it )
    {
        if( *it == aPriKey )
            return ;
    }

    SECKEYPrivateKey* pOwnedCopy = SECKEY_CopyPrivateKey( aPriKey ) ;
    if( pOwnedCopy == NULL )
        throw RuntimeException() ;

    try
    {
        m_tPriKeyList.push_back( pOwnedCopy ) ;
    }
    catch ( Exception& )
    {
        // NOTE(review): only UNO exceptions land here, and the failure is
        // swallowed, so the caller cannot tell the key was not stored.
        SECKEY_DestroyPrivateKey( pOwnedCopy ) ;
    }
}
393 :
/// Removes the given private key (matched by pointer) from the list and destroys it.
void SecurityEnvironment_NssImpl :: rejectPriKey( SECKEYPrivateKey* aPriKey ) throw( Exception , RuntimeException )
{
    if( aPriKey == NULL )
        return ;

    std::list< SECKEYPrivateKey* >::iterator it = m_tPriKeyList.begin() ;
    while( it != m_tPriKeyList.end() )
    {
        if( *it == aPriKey )
        {
            // Destroy first, then unlink; the iterator is not used afterwards.
            SECKEY_DestroyPrivateKey( *it ) ;
            m_tPriKeyList.erase( it ) ;
            return ;
        }
        ++it ;
    }
}
409 :
/**
 * Returns the private key at the given zero-based position, or NULL when the
 * position is past the end of the list. The pointer stays owned by this
 * environment.
 */
SECKEYPrivateKey* SecurityEnvironment_NssImpl :: getPriKey( unsigned int position ) throw( ::com::sun::star::uno::Exception , ::com::sun::star::uno::RuntimeException )
{
    std::list< SECKEYPrivateKey* >::iterator it = m_tPriKeyList.begin() ;
    unsigned int nSkipped = 0 ;

    while( nSkipped < position && it != m_tPriKeyList.end() )
    {
        ++it ;
        ++nSkipped ;
    }

    // Reaching end() means the list is shorter than position + 1.
    if( it == m_tPriKeyList.end() )
        return NULL ;

    return *it ;
}
423 :
// Rebuilds the slot list and the symmetric-key list from the tokens NSS
// currently reports, holding m_mutex for the whole refresh. For every token
// it tries to generate a CKM_DES3_CBC key; the slot is registered whether or
// not that succeeds, and the key is adopted only when generation succeeded.
void SecurityEnvironment_NssImpl::updateSlots()
{
    //In case new tokens are present then we can obtain the corresponding slot
    PK11SlotList * soltList = NULL;
    PK11SlotListElement * soltEle = NULL;
    PK11SlotInfo * pSlot = NULL;
    PK11SymKey * pSymKey = NULL;

    osl::MutexGuard guard(m_mutex);

    // NOTE(review): both clear() calls drop the stored pointers without
    // PK11_FreeSlot / PK11_FreeSymKey, although addCryptoSlot and adoptSymKey
    // each took a reference and the destructor releases them one by one. This
    // looks like a reference leak on every refresh - confirm.
    m_Slots.clear();
    m_tSymKeyList.clear();

    soltList = PK11_GetAllTokens( CKM_INVALID_MECHANISM, PR_FALSE, PR_FALSE, NULL ) ;
    if( soltList != NULL )
    {
        for( soltEle = soltList->head ; soltEle != NULL; soltEle = soltEle->next )
        {
            pSlot = soltEle->slot ;

            if(pSlot != NULL)
            {
                SAL_INFO(
                    "xmlsecurity.xmlsec",
                    "Found a slot: SlotName=" << PK11_GetSlotName(pSlot)
                        << ", TokenName=" << PK11_GetTokenName(pSlot));

                //The following code which is commented out checks if a slot, that is a smart card for example, is
                // able to generate a symmetric key of type CKM_DES3_CBC. If this fails then this token
                // will not be used. This key is possibly used for the encryption service. However, all
                // interfaces and services used for public key signature and encryption are not published
                // and the encryption is not used in OOo. Therefore it does not do any harm to remove
                // this code, hence allowing smart cards which cannot generate this type of key.
                //
                // By doing this, the encryption may fail if a smart card is being used which does not
                // support this key generation.
                //
                pSymKey = PK11_KeyGen( pSlot , CKM_DES3_CBC, NULL, 128, NULL ) ;
                // if( pSymKey == NULL )
                // {
                //     PK11_FreeSlot( pSlot ) ;
                //     RTL_LOGFILE_TRACE( "XMLSEC: Error - pSymKey is NULL" );
                //     continue;
                // }
                // addCryptoSlot takes its own reference on the slot.
                addCryptoSlot(pSlot);
                // NOTE(review): this releases a reference this function never
                // took itself - presumably the one held by the list element -
                // and soltList is not released anywhere in this function. Confirm
                // the intended ownership of the list returned by PK11_GetAllTokens.
                PK11_FreeSlot( pSlot ) ;
                pSlot = NULL;

                if (pSymKey != NULL)
                {
                    // adoptSymKey references the key; drop the reference from PK11_KeyGen.
                    adoptSymKey( pSymKey ) ;
                    PK11_FreeSymKey( pSymKey ) ;
                    pSymKey = NULL;
                }

            }// end of if(pSlot != NULL)
        }// end of for
    }// end of if( soltList != NULL )

}
484 :
485 :
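/**
 * Collects the certificates that belong to private keys: first the keys
 * stored on every known token (after refreshing the slot list), then the
 * keys registered with adoptPriKey.
 *
 * @return the certificates found, or an empty sequence
 * @throws NoPasswordException when a token needs a login and authentication
 *         fails with an error other than SEC_ERROR_IO
 */
Sequence< Reference < XCertificate > >
SecurityEnvironment_NssImpl::getPersonalCertificates() throw( SecurityException , RuntimeException )
{
    sal_Int32 length ;
    X509Certificate_NssImpl* xcert ;
    // NOTE(review): the list holds raw pointers, so certificates collected so
    // far appear to leak if NoPasswordException is thrown for a later slot.
    std::list< X509Certificate_NssImpl* > certsList ;

    updateSlots();

    //firstly, we try to find private keys in slot
    for (CIT_SLOTS is = m_Slots.begin(); is != m_Slots.end(); ++is)
    {
        PK11SlotInfo *slot = *is;

        if( PK11_NeedLogin(slot ) ) {
            SECStatus nRet = PK11_Authenticate(slot, PR_TRUE, NULL);
            //PK11_Authenticate may fail in case a slot has not been initialized.
            //This is the case if the user has a new profile, so that they have never
            //added a personal certificate.
            if( nRet != SECSuccess && PORT_GetError() != SEC_ERROR_IO) {
                throw NoPasswordException();
            }
        }

        SECKEYPrivateKeyList* priKeyList = PK11_ListPrivateKeysInSlot(slot) ;
        if( priKeyList == NULL )
            continue ;   // nothing listed for this slot, and nothing to destroy

        for( SECKEYPrivateKeyListNode* curPri = PRIVKEY_LIST_HEAD( priKeyList );
             !PRIVKEY_LIST_END( curPri, priKeyList ) && curPri != NULL ;
             curPri = PRIVKEY_LIST_NEXT( curPri ) ) {
            xcert = NssPrivKeyToXCert( curPri->key ) ;
            if( xcert != NULL )
                certsList.push_back( xcert ) ;
        }

        // Destroy the list only when one was returned: the original called
        // this unconditionally, handing NULL to NSS for slots without keys.
        SECKEY_DestroyPrivateKeyList( priKeyList ) ;
    }

    //secondly, we try to find certificate from registered private keys.
    for( std::list< SECKEYPrivateKey* >::iterator priKeyIt = m_tPriKeyList.begin() ;
         priKeyIt != m_tPriKeyList.end() ; ++priKeyIt ) {
        xcert = NssPrivKeyToXCert( *priKeyIt ) ;
        if( xcert != NULL )
            certsList.push_back( xcert ) ;
    }

    length = certsList.size() ;
    if( length != 0 ) {
        int i ;
        std::list< X509Certificate_NssImpl* >::iterator xcertIt ;
        Sequence< Reference< XCertificate > > certSeq( length ) ;

        // Assigning into the sequence hands each certificate to a UNO reference.
        for( i = 0, xcertIt = certsList.begin(); xcertIt != certsList.end(); ++xcertIt, ++i ) {
            certSeq[i] = *xcertIt ;
        }

        return certSeq ;
    }

    return Sequence< Reference < XCertificate > > ();
}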
551 :
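/**
 * Looks up a certificate in the configured certificate database by issuer
 * name and serial number. This is a lookup only; it does not verify the
 * certificate (see verifyCertificate for that).
 *
 * @param issuerName    issuer distinguished name as text
 * @param serialNumber  serial number bytes, passed to NSS unchanged
 * @return the certificate, or an empty reference when no database is set,
 *         the issuer name cannot be parsed, or no certificate matches
 * @throws RuntimeException on allocation or DER-encoding failure
 */
Reference< XCertificate > SecurityEnvironment_NssImpl :: getCertificate( const OUString& issuerName, const Sequence< sal_Int8 >& serialNumber ) throw( SecurityException , RuntimeException )
{
    X509Certificate_NssImpl* xcert = NULL;

    if( m_pHandler != NULL ) {
        CERTIssuerAndSN issuerAndSN ;
        CERTCertificate* cert ;
        CERTName* nmIssuer ;
        char* chIssuer ;
        SECItem* derIssuer ;
        PRArenaPool* arena ;

        arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE ) ;
        if( arena == NULL )
            throw RuntimeException() ;

        // Create cert info from issuer and serial
        rtl::OString ostr = rtl::OUStringToOString( issuerName , RTL_TEXTENCODING_UTF8 ) ;
        chIssuer = PL_strndup( ( char* )ostr.getStr(), ( int )ostr.getLength() ) ;
        // The duplicate can fail to allocate; do not hand NULL to the name parser.
        if( chIssuer == NULL ) {
            PORT_FreeArena( arena, PR_FALSE ) ;
            throw RuntimeException() ;
        }

        nmIssuer = CERT_AsciiToName( chIssuer ) ;
        if( nmIssuer == NULL ) {
            PL_strfree( chIssuer ) ;
            PORT_FreeArena( arena, PR_FALSE ) ;
            return NULL; // no need for exception cf. i40394
        }

        // derIssuer lives in the arena and is released together with it.
        derIssuer = SEC_ASN1EncodeItem( arena, NULL, ( void* )nmIssuer, SEC_ASN1_GET( CERT_NameTemplate ) ) ;
        if( derIssuer == NULL ) {
            PL_strfree( chIssuer ) ;
            CERT_DestroyName( nmIssuer ) ;
            PORT_FreeArena( arena, PR_FALSE ) ;
            throw RuntimeException() ;
        }

        memset( &issuerAndSN, 0, sizeof( issuerAndSN ) ) ;

        issuerAndSN.derIssuer.data = derIssuer->data ;
        issuerAndSN.derIssuer.len = derIssuer->len ;

        // getConstArray() instead of &serialNumber[0]: no element is indexed,
        // so an empty serial number does not touch index 0 of an empty sequence.
        issuerAndSN.serialNumber.data = ( unsigned char* )serialNumber.getConstArray() ;
        issuerAndSN.serialNumber.len = serialNumber.getLength() ;

        cert = CERT_FindCertByIssuerAndSN( m_pHandler, &issuerAndSN ) ;
        if( cert != NULL ) {
            xcert = NssCertToXCert( cert ) ;
        } else {
            xcert = NULL ;
        }

        PL_strfree( chIssuer ) ;
        CERT_DestroyName( nmIssuer ) ;
        //SECITEM_FreeItem( derIssuer, PR_FALSE ) ;
        // cert may be NULL here when nothing was found.
        CERT_DestroyCertificate( cert ) ;
        PORT_FreeArena( arena, PR_FALSE ) ;
    } else {
        xcert = NULL ;
    }

    return xcert ;
}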
612 :
/// Convenience overload: converts the textual serial number with numericStringToBigInteger and delegates to the byte-sequence overload.
Reference< XCertificate > SecurityEnvironment_NssImpl :: getCertificate( const OUString& issuerName, const OUString& serialNumber ) throw( SecurityException , RuntimeException )
{
    const Sequence< sal_Int8 > aSerialBytes( numericStringToBigInteger( serialNumber ) ) ;
    return getCertificate( issuerName, aSerialBytes ) ;
}
617 :
618 0 : Sequence< Reference < XCertificate > > SecurityEnvironment_NssImpl :: buildCertificatePath( const Reference< XCertificate >& begin ) throw( SecurityException , RuntimeException ) {
619 : const X509Certificate_NssImpl* xcert ;
620 : const CERTCertificate* cert ;
621 : CERTCertList* certChain ;
622 :
623 0 : Reference< XUnoTunnel > xCertTunnel( begin, UNO_QUERY ) ;
624 0 : if( !xCertTunnel.is() ) {
625 0 : throw RuntimeException() ;
626 : }
627 :
628 : xcert = reinterpret_cast<X509Certificate_NssImpl*>(
629 0 : sal::static_int_cast<sal_uIntPtr>(xCertTunnel->getSomething( X509Certificate_NssImpl::getUnoTunnelId() ))) ;
630 0 : if( xcert == NULL ) {
631 0 : throw RuntimeException() ;
632 : }
633 :
634 0 : cert = xcert->getNssCert() ;
635 0 : if( cert != NULL ) {
636 : int64 timeboundary ;
637 :
638 : //Get the system clock time
639 0 : timeboundary = PR_Now() ;
640 :
641 0 : certChain = CERT_GetCertChainFromCert( ( CERTCertificate* )cert, timeboundary, certUsageAnyCA ) ;
642 : } else {
643 0 : certChain = NULL ;
644 : }
645 :
646 0 : if( certChain != NULL ) {
647 : X509Certificate_NssImpl* pCert ;
648 : CERTCertListNode* node ;
649 : int len ;
650 :
651 0 : for( len = 0, node = CERT_LIST_HEAD( certChain ); !CERT_LIST_END( node, certChain ); node = CERT_LIST_NEXT( node ), len ++ ) ;
652 0 : Sequence< Reference< XCertificate > > xCertChain( len ) ;
653 :
654 0 : for( len = 0, node = CERT_LIST_HEAD( certChain ); !CERT_LIST_END( node, certChain ); node = CERT_LIST_NEXT( node ), len ++ ) {
655 0 : pCert = new X509Certificate_NssImpl() ;
656 0 : if( pCert == NULL ) {
657 0 : CERT_DestroyCertList( certChain ) ;
658 0 : throw RuntimeException() ;
659 : }
660 :
661 0 : pCert->setCert( node->cert ) ;
662 :
663 0 : xCertChain[len] = pCert ;
664 : }
665 :
666 0 : CERT_DestroyCertList( certChain ) ;
667 :
668 0 : return xCertChain ;
669 : }
670 :
671 0 : return Sequence< Reference < XCertificate > >();
672 : }
673 :
/**
 * Wraps raw certificate bytes in a new X509Certificate_NssImpl.
 *
 * NOTE(review): whether setRawCert rejects malformed input is not visible
 * here; callers should not treat a non-empty result as a parsed, let alone
 * trusted, certificate without checking - confirm.
 *
 * @return the new certificate object, or an empty reference for empty input
 */
Reference< XCertificate > SecurityEnvironment_NssImpl :: createCertificateFromRaw( const Sequence< sal_Int8 >& rawCertificate ) throw( SecurityException , RuntimeException )
{
    X509Certificate_NssImpl* pNewCert = NULL ;

    if( rawCertificate.getLength() > 0 )
    {
        pNewCert = new X509Certificate_NssImpl() ;
        if( pNewCert == NULL )
            throw RuntimeException() ;

        pNewCert->setRawCert( rawCertificate ) ;
    }

    return pNewCert ;
}
689 :
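/**
 * Decodes a Base64-encoded certificate and wraps the resulting bytes via
 * createCertificateFromRaw.
 *
 * @param asciiCertificate  Base64 text of the certificate; treated as untrusted input
 * @return the certificate object, or an empty reference when the text is
 *         empty or is not valid Base64
 * @throws RuntimeException when the working copy cannot be allocated
 */
Reference< XCertificate > SecurityEnvironment_NssImpl :: createCertificateFromAscii( const OUString& asciiCertificate ) throw( SecurityException , RuntimeException )
{
    rtl::OString oscert = rtl::OUStringToOString( asciiCertificate , RTL_TEXTENCODING_ASCII_US ) ;

    xmlChar* chCert = xmlStrndup( ( const xmlChar* )oscert.getStr(), ( int )oscert.getLength() ) ;
    if( chCert == NULL )
        throw RuntimeException() ;

    // Decode in place. The result is kept in a signed int: the original stored
    // it in the unsigned xmlSecSize, so a negative error return (assumed here,
    // as in the xmlsec 1.2 API - TODO confirm for the bundled version) became a
    // huge length that then sized the sequence and drove the copy past the buffer.
    int nDecoded = xmlSecBase64Decode( chCert, ( xmlSecByte* )chCert, xmlStrlen( chCert ) ) ;
    if( nDecoded <= 0 )
    {
        xmlFree( chCert ) ;
        // Same result createCertificateFromRaw gives for empty input.
        return Reference< XCertificate >() ;
    }

    Sequence< sal_Int8 > rawCert( nDecoded ) ;
    memcpy( rawCert.getArray(), chCert, nDecoded ) ;

    xmlFree( chCert ) ;

    return createCertificateFromRaw( rawCert ) ;
}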
708 :
709 0 : sal_Int32 SecurityEnvironment_NssImpl ::
710 : verifyCertificate( const Reference< csss::XCertificate >& aCert,
711 : const Sequence< Reference< csss::XCertificate > >& intermediateCerts )
712 : throw( ::com::sun::star::uno::SecurityException, ::com::sun::star::uno::RuntimeException )
713 : {
714 0 : sal_Int32 validity = csss::CertificateValidity::INVALID;
715 : const X509Certificate_NssImpl* xcert ;
716 : const CERTCertificate* cert ;
717 0 : ::std::vector<CERTCertificate*> vecTmpNSSCertificates;
718 0 : Reference< XUnoTunnel > xCertTunnel( aCert, UNO_QUERY ) ;
719 0 : if( !xCertTunnel.is() ) {
720 0 : throw RuntimeException() ;
721 : }
722 :
723 : xmlsec_trace("Start verification of certificate: \n %s \n",
724 : OUStringToOString(
725 0 : aCert->getSubjectName(), osl_getThreadTextEncoding()).getStr());
726 :
727 : xcert = reinterpret_cast<X509Certificate_NssImpl*>(
728 0 : sal::static_int_cast<sal_uIntPtr>(xCertTunnel->getSomething( X509Certificate_NssImpl::getUnoTunnelId() ))) ;
729 0 : if( xcert == NULL ) {
730 0 : throw RuntimeException() ;
731 : }
732 :
733 : //CERT_PKIXVerifyCert does not take a db as argument. It will therefore
734 : //internally use CERT_GetDefaultCertDB
735 : //Make sure m_pHandler is the default DB
736 : OSL_ASSERT(m_pHandler == CERT_GetDefaultCertDB());
737 0 : CERTCertDBHandle * certDb = m_pHandler != NULL ? m_pHandler : CERT_GetDefaultCertDB();
738 0 : cert = xcert->getNssCert() ;
739 0 : if( cert != NULL )
740 : {
741 :
742 : //prepare the intermediate certificates
743 0 : for (sal_Int32 i = 0; i < intermediateCerts.getLength(); i++)
744 : {
745 0 : Sequence<sal_Int8> der = intermediateCerts[i]->getEncoded();
746 : SECItem item;
747 0 : item.type = siBuffer;
748 0 : item.data = (unsigned char*)der.getArray();
749 0 : item.len = der.getLength();
750 :
751 : CERTCertificate* certTmp = CERT_NewTempCertificate(certDb, &item,
752 : NULL /* nickname */,
753 : PR_FALSE /* isPerm */,
754 0 : PR_TRUE /* copyDER */);
755 0 : if (!certTmp)
756 : {
757 : xmlsec_trace("Failed to add a temporary certificate: %s",
758 0 : OUStringToOString(intermediateCerts[i]->getIssuerName(),
759 0 : osl_getThreadTextEncoding()).getStr());
760 :
761 : }
762 : else
763 : {
764 : xmlsec_trace("Added temporary certificate: %s",
765 0 : certTmp->subjectName ? certTmp->subjectName : "");
766 0 : vecTmpNSSCertificates.push_back(certTmp);
767 : }
768 0 : }
769 :
770 :
771 : SECStatus status ;
772 :
773 : CERTVerifyLog log;
774 0 : log.arena = PORT_NewArena(512);
775 0 : log.head = log.tail = NULL;
776 0 : log.count = 0;
777 :
778 0 : CERT_EnableOCSPChecking(certDb);
779 0 : CERT_DisableOCSPDefaultResponder(certDb);
780 : CERTValOutParam cvout[5];
781 : CERTValInParam cvin[3];
782 0 : int ncvinCount=0;
783 :
784 : #if ( NSS_VMAJOR > 3 ) || ( NSS_VMAJOR == 3 && NSS_VMINOR > 12 ) || ( NSS_VMAJOR == 3 && NSS_VMINOR == 12 && NSS_VPATCH > 0 )
785 0 : cvin[ncvinCount].type = cert_pi_useAIACertFetch;
786 0 : cvin[ncvinCount].value.scalar.b = PR_TRUE;
787 0 : ncvinCount++;
788 : #endif
789 :
790 : PRUint64 revFlagsLeaf[2];
791 : PRUint64 revFlagsChain[2];
792 : CERTRevocationFlags rev;
793 0 : rev.leafTests.number_of_defined_methods = 2;
794 0 : rev.leafTests.cert_rev_flags_per_method = revFlagsLeaf;
795 : //the flags are defined in cert.h
796 : //We check both leaf and chain.
797 : //It is enough if one revocation method has fresh info,
798 : //but at least one must have some. Otherwise validation fails.
799 : //!!! using leaf test and CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE
800 : // when validating a root certificate will result in "revoked". Usually
801 : //there is no revocation information available for the root cert because
802 : //it must be trusted anyway and it does itself issue revocation information.
803 : //When we use the flag here and OOo shows the certification path then the root
804 : //cert is invalid while all other can be valid. It would probably best if
805 : //this interface method returned the whole chain.
806 : //Otherwise we need to check if the certificate is self-signed and if it is
807 : //then not use the flag when doing the leaf-test.
808 0 : rev.leafTests.cert_rev_flags_per_method[cert_revocation_method_crl] =
809 : CERT_REV_M_TEST_USING_THIS_METHOD
810 0 : | CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE;
811 0 : rev.leafTests.cert_rev_flags_per_method[cert_revocation_method_ocsp] =
812 : CERT_REV_M_TEST_USING_THIS_METHOD
813 0 : | CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE;
814 0 : rev.leafTests.number_of_preferred_methods = 0;
815 0 : rev.leafTests.preferred_methods = NULL;
816 : rev.leafTests.cert_rev_method_independent_flags =
817 0 : CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST;
818 :
819 0 : rev.chainTests.number_of_defined_methods = 2;
820 0 : rev.chainTests.cert_rev_flags_per_method = revFlagsChain;
821 0 : rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_crl] =
822 : CERT_REV_M_TEST_USING_THIS_METHOD
823 0 : | CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE;
824 0 : rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_ocsp] =
825 : CERT_REV_M_TEST_USING_THIS_METHOD
826 0 : | CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE;
827 0 : rev.chainTests.number_of_preferred_methods = 0;
828 0 : rev.chainTests.preferred_methods = NULL;
829 : rev.chainTests.cert_rev_method_independent_flags =
830 0 : CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST;
831 :
832 :
833 0 : cvin[ncvinCount].type = cert_pi_revocationFlags;
834 0 : cvin[ncvinCount].value.pointer.revocation = &rev;
835 0 : ncvinCount++;
836 : // does not work, not implemented yet in 3.12.4
837 : // cvin[ncvinCount].type = cert_pi_keyusage;
838 : // cvin[ncvinCount].value.scalar.ui = KU_DIGITAL_SIGNATURE;
839 : // ncvinCount++;
840 0 : cvin[ncvinCount].type = cert_pi_end;
841 :
842 0 : cvout[0].type = cert_po_trustAnchor;
843 0 : cvout[0].value.pointer.cert = NULL;
844 0 : cvout[1].type = cert_po_errorLog;
845 0 : cvout[1].value.pointer.log = &log;
846 0 : cvout[2].type = cert_po_end;
847 :
848 : // We check SSL server certificates, CA certificates and signing sertificates.
849 : //
850 : // ToDo check keyusage, looking at CERT_KeyUsageAndTypeForCertUsage (
851 : // mozilla/security/nss/lib/certdb/certdb.c indicates that
852 : // certificateUsageSSLClient, certificateUsageSSLServer and certificateUsageSSLCA
853 : // are sufficient. They cover the key usages for digital signature, key agreement
854 : // and encipherment and certificate signature
855 :
856 : //never use the following usages because they are not checked properly
857 : // certificateUsageUserCertImport
858 : // certificateUsageVerifyCA
859 : // certificateUsageAnyCA
860 : // certificateUsageProtectedObjectSigner
861 :
862 0 : UsageDescription arUsages[5];
863 0 : arUsages[0] = UsageDescription( certificateUsageSSLClient, "certificateUsageSSLClient" );
864 0 : arUsages[1] = UsageDescription( certificateUsageSSLServer, "certificateUsageSSLServer" );
865 0 : arUsages[2] = UsageDescription( certificateUsageSSLCA, "certificateUsageSSLCA" );
866 0 : arUsages[3] = UsageDescription( certificateUsageEmailSigner, "certificateUsageEmailSigner" );
867 0 : arUsages[4] = UsageDescription( certificateUsageEmailRecipient, "certificateUsageEmailRecipient" );
868 :
869 0 : int numUsages = SAL_N_ELEMENTS(arUsages);
870 0 : for (int i = 0; i < numUsages; i++)
871 : {
872 : xmlsec_trace("Testing usage %d of %d: %s (0x%x)", i + 1,
873 0 : numUsages, arUsages[i].description, (int) arUsages[i].usage);
874 :
875 : status = CERT_PKIXVerifyCert(const_cast<CERTCertificate *>(cert), arUsages[i].usage,
876 0 : cvin, cvout, NULL);
877 0 : if( status == SECSuccess )
878 : {
879 0 : xmlsec_trace("CERT_PKIXVerifyCert returned SECSuccess.");
880 : //When an intermediate or root certificate is checked then we expect the usage
881 : //certificateUsageSSLCA. This, however, will be only set when in the trust settings dialog
882 : //the button "This certificate can identify websites" is checked. If for example only
883 : //"This certificate can identify mail users" is set then the end certificate can
884 : //be validated and the returned usage will conain certificateUsageEmailRecipient.
885 : //But checking directly the root or intermediate certificate will fail. In the
886 : //certificate path view the end certificate will be shown as valid but the others
887 : //will be displayed as invalid.
888 :
889 0 : validity = csss::CertificateValidity::VALID;
890 0 : xmlsec_trace("Certificate is valid.\n");
891 0 : CERTCertificate * issuerCert = cvout[0].value.pointer.cert;
892 0 : if (issuerCert)
893 : {
894 0 : xmlsec_trace("Root certificate: %s", issuerCert->subjectName);
895 0 : CERT_DestroyCertificate(issuerCert);
896 : };
897 :
898 0 : break;
899 : }
900 : else
901 : {
902 0 : PRIntn err = PR_GetError();
903 0 : xmlsec_trace("Error: , %d = %s", err, getCertError(err));
904 :
905 : /* Display validation results */
906 0 : if ( log.count > 0)
907 : {
908 0 : CERTVerifyLogNode *node = NULL;
909 0 : printChainFailure(&log);
910 :
911 0 : for (node = log.head; node; node = node->next) {
912 0 : if (node->cert)
913 0 : CERT_DestroyCertificate(node->cert);
914 : }
915 0 : log.head = log.tail = NULL;
916 0 : log.count = 0;
917 : }
918 0 : xmlsec_trace("Certificate is invalid.\n");
919 : }
920 : }
921 :
922 : }
923 : else
924 : {
925 0 : validity = ::com::sun::star::security::CertificateValidity::INVALID ;
926 : }
927 :
928 : //Destroying the temporary certificates
929 0 : std::vector<CERTCertificate*>::const_iterator cert_i;
930 0 : for (cert_i = vecTmpNSSCertificates.begin(); cert_i != vecTmpNSSCertificates.end(); ++cert_i)
931 : {
932 0 : xmlsec_trace("Destroying temporary certificate");
933 0 : CERT_DestroyCertificate(*cert_i);
934 : }
935 0 : return validity ;
936 : }
937 :
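/*
 * Reports the CertificateCharacters bit set for a certificate:
 *   SELF_SIGNED     - issuer and subject names are byte-identical
 *   HAS_PRIVATE_KEY - a matching private key was found in the certificate's
 *                     own slot or in one of the slots in m_Slots
 *
 * aCert must be backed by an X509Certificate_NssImpl (reached through
 * XUnoTunnel). Throws RuntimeException when it is not, or when the wrapper
 * carries no NSS certificate.
 */
sal_Int32 SecurityEnvironment_NssImpl::getCertificateCharacters(
    const ::com::sun::star::uno::Reference< ::com::sun::star::security::XCertificate >& aCert ) throw( ::com::sun::star::uno::SecurityException, ::com::sun::star::uno::RuntimeException ) {
    sal_Int32 characters ;
    const X509Certificate_NssImpl* xcert ;
    const CERTCertificate* cert ;

    Reference< XUnoTunnel > xCertTunnel( aCert, UNO_QUERY ) ;
    if( !xCertTunnel.is() ) {
        throw RuntimeException() ;
    }

    xcert = reinterpret_cast<X509Certificate_NssImpl*>(
        sal::static_int_cast<sal_uIntPtr>(xCertTunnel->getSomething( X509Certificate_NssImpl::getUnoTunnelId() ))) ;
    if( xcert == NULL ) {
        throw RuntimeException() ;
    }

    cert = xcert->getNssCert() ;
    // The fields of cert are dereferenced below; a wrapper without an NSS
    // certificate is rejected here instead of crashing on a NULL pointer.
    // NOTE(review): whether getNssCert() can return NULL is not visible in
    // this part of the file - confirm.
    if( cert == NULL ) {
        throw RuntimeException() ;
    }

    characters = 0x00000000 ;

    //Firstly, find out whether or not the cert is self-signed.
    //Only the DER-encoded issuer and subject names are compared; no signature
    //is verified here. The flag therefore means "self-issued" and must not be
    //treated as a trust decision by callers.
    if( SECITEM_CompareItem( &(cert->derIssuer), &(cert->derSubject) ) == SECEqual ) {
        characters |= ::com::sun::star::security::CertificateCharacters::SELF_SIGNED ;
    }

    //Secondly, find out whether or not the cert has a private key.

    /*
     * i40394
     *
     * mmi : need to check whether the cert's slot is valid first
     */
    SECKEYPrivateKey* priKey = NULL;

    // The NSS lookup takes a non-const certificate pointer; the last argument
    // (wincx) is NULL, so no password-callback context is supplied.
    CERTCertificate* lookupCert = const_cast<CERTCertificate*>(cert);

    if (cert->slot != NULL)
    {
        priKey = PK11_FindPrivateKeyFromCert( cert->slot, lookupCert, NULL ) ;
    }
    if(priKey == NULL)
    {
        // Fall back to every slot this environment knows about.
        for (CIT_SLOTS is = m_Slots.begin(); is != m_Slots.end(); ++is)
        {
            priKey = PK11_FindPrivateKeyFromCert(*is, lookupCert, NULL);
            if (priKey)
                break;
        }
    }
    if( priKey != NULL ) {
        characters |= ::com::sun::star::security::CertificateCharacters::HAS_PRIVATE_KEY ;

        // Only the existence of the key matters; release the handle at once.
        SECKEY_DestroyPrivateKey( priKey ) ;
    }

    return characters ;
}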
998 :
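// Wraps an NSS certificate handle in a newly allocated X509Certificate_NssImpl.
// Returns NULL when cert is NULL; otherwise the caller takes over the lifetime
// of the returned object.
// NOTE(review): NssPrivKeyToXCert releases its own certificate reference right
// after calling this function, so setCert() presumably takes a reference of
// its own on cert - confirm against X509Certificate_NssImpl.
X509Certificate_NssImpl* NssCertToXCert( CERTCertificate* cert )
{
    if( cert == NULL ) {
        return NULL ;
    }

    // A plain new-expression reports failure by throwing, so the former NULL
    // test on its result could never fire and has been dropped.
    X509Certificate_NssImpl* xcert = new X509Certificate_NssImpl() ;
    xcert->setCert( cert ) ;

    return xcert ;
}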
1016 :
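// Looks up the certificate that belongs to a private key and wraps it in a
// newly allocated X509Certificate_NssImpl.
// Returns NULL when priKey is NULL or NSS finds no certificate for it.
X509Certificate_NssImpl* NssPrivKeyToXCert( SECKEYPrivateKey* priKey )
{
    if( priKey == NULL ) {
        return NULL ;
    }

    CERTCertificate* cert = PK11_GetCertFromPrivateKey( priKey ) ;
    if( cert == NULL ) {
        // No reference was obtained, so there is nothing to release.
        return NULL ;
    }

    X509Certificate_NssImpl* xcert = NssCertToXCert( cert ) ;

    // Drop the reference returned by PK11_GetCertFromPrivateKey. The wrapper
    // must hold its own reference by now - presumably setCert() duplicates the
    // handle; confirm, otherwise xcert would be left with a dangling pointer.
    CERT_DestroyCertificate( cert ) ;

    return xcert ;
}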
1038 :
1039 :
1040 : /* Native methods */
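/*
 * Builds an xmlsec keys manager over this environment's slots (m_Slots) and
 * certificate database, then loads every symmetric, public and private key
 * returned by getSymKey / getPubKey / getPriKey into it.
 *
 * Returns the new manager; it is expected to be released with
 * destroyKeysManager(). Throws RuntimeException when the manager cannot be
 * created or when any key fails to load. On a load failure the partially
 * filled manager is destroyed before throwing, so it does not leak.
 */
xmlSecKeysMngrPtr SecurityEnvironment_NssImpl::createKeysManager() throw( Exception, RuntimeException ) {

    unsigned int i ;
    CERTCertDBHandle* handler = NULL ;
    PK11SymKey* symKey = NULL ;
    SECKEYPublicKey* pubKey = NULL ;
    SECKEYPrivateKey* priKey = NULL ;
    xmlSecKeysMngrPtr pKeysMngr = NULL ;

    handler = this->getCertDb() ;

    /*-
     * The following lines is based on the private version of xmlSec-NSS
     * crypto engine
     */
    // Flatten the slot list into a plain array for the C API.
    // NOTE(review): sarSlots frees the array when this function returns, which
    // relies on xmlSecNssAppliedKeysMngrCreate copying the slot pointers rather
    // than keeping the array - confirm against the xmlsec-nss code.
    int cSlots = m_Slots.size();
    boost::scoped_array<PK11SlotInfo*> sarSlots(new PK11SlotInfo*[cSlots]);
    PK11SlotInfo** slots = sarSlots.get();
    int count = 0;
    for (CIT_SLOTS islots = m_Slots.begin(); islots != m_Slots.end(); ++islots, ++count)
        slots[count] = *islots;

    pKeysMngr = xmlSecNssAppliedKeysMngrCreate(slots, cSlots, handler ) ;
    if( pKeysMngr == NULL )
        throw RuntimeException() ;

    // NOTE(review): the environment keeps its own key handles after each load
    // below; presumably the loaders take their own references - confirm.

    /*-
     * Adopt symmetric key into keys manager
     */
    for( i = 0 ; ( symKey = this->getSymKey( i ) ) != NULL ; i ++ ) {
        if( xmlSecNssAppliedKeysMngrSymKeyLoad( pKeysMngr, symKey ) < 0 ) {
            xmlSecKeysMngrDestroy( pKeysMngr ) ;
            throw RuntimeException() ;
        }
    }

    /*-
     * Adopt asymmetric public key into keys manager
     */
    for( i = 0 ; ( pubKey = this->getPubKey( i ) ) != NULL ; i ++ ) {
        if( xmlSecNssAppliedKeysMngrPubKeyLoad( pKeysMngr, pubKey ) < 0 ) {
            xmlSecKeysMngrDestroy( pKeysMngr ) ;
            throw RuntimeException() ;
        }
    }

    /*-
     * Adopt asymmetric private key into keys manager
     */
    for( i = 0 ; ( priKey = this->getPriKey( i ) ) != NULL ; i ++ ) {
        if( xmlSecNssAppliedKeysMngrPriKeyLoad( pKeysMngr, priKey ) < 0 ) {
            xmlSecKeysMngrDestroy( pKeysMngr ) ;
            throw RuntimeException() ;
        }
    }
    return pKeysMngr ;
}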
// Destroys the given xmlsec keys manager. A NULL manager is accepted and
// ignored.
void SecurityEnvironment_NssImpl::destroyKeysManager(xmlSecKeysMngrPtr pKeysMngr) throw( Exception, RuntimeException ) {
    if( pKeysMngr == NULL ) {
        return ;
    }

    xmlSecKeysMngrDestroy( pKeysMngr ) ;
}
1100 :
1101 : /* vim:set shiftwidth=4 softtabstop=4 expandtab: */