Line data Source code
1 : /* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
2 : /*
3 : * This file is part of the LibreOffice project.
4 : *
5 : * This Source Code Form is subject to the terms of the Mozilla Public
6 : * License, v. 2.0. If a copy of the MPL was not distributed with this
7 : * file, You can obtain one at http://mozilla.org/MPL/2.0/.
8 : *
9 : * This file incorporates work covered by the following license notice:
10 : *
11 : * Licensed to the Apache Software Foundation (ASF) under one or more
12 : * contributor license agreements. See the NOTICE file distributed
13 : * with this work for additional information regarding copyright
14 : * ownership. The ASF licenses this file to you under the Apache
15 : * License, Version 2.0 (the "License"); you may not use this file
16 : * except in compliance with the License. You may obtain a copy of
17 : * the License at http://www.apache.org/licenses/LICENSE-2.0 .
18 : */
19 :
20 : #include "nssrenam.h"
21 : #include "cert.h"
22 : #include "secerr.h"
23 : #include "ocsp.h"
24 :
25 : #include <sal/config.h>
26 : #include <sal/macros.h>
27 : #include "securityenvironment_nssimpl.hxx"
28 : #include "x509certificate_nssimpl.hxx"
29 : #include <comphelper/servicehelper.hxx>
30 : #include "../diagnose.hxx"
31 :
32 : #include "xmlsecurity/xmlsec-wrapper.h"
33 :
34 : #include <rtl/ustrbuf.hxx>
35 : #include <comphelper/processfactory.hxx>
36 : #include <comphelper/docpasswordrequest.hxx>
37 : #include <xmlsecurity/biginteger.hxx>
38 : #include <sal/log.hxx>
39 : #include <com/sun/star/task/InteractionHandler.hpp>
40 : #include <vector>
41 : #include "boost/scoped_array.hpp"
42 : #include <osl/thread.h>
43 :
44 : #include "secerror.hxx"
45 :
46 : // added for password exception
47 : #include <com/sun/star/security/NoPasswordException.hpp>
48 : namespace csss = ::com::sun::star::security;
49 : using namespace xmlsecurity;
50 : using namespace ::com::sun::star::security;
51 : using namespace com::sun::star;
52 : using namespace ::com::sun::star::uno ;
53 : using namespace ::com::sun::star::lang ;
54 : using ::com::sun::star::lang::XMultiServiceFactory ;
55 : using ::com::sun::star::lang::XSingleServiceFactory ;
56 :
57 : using ::com::sun::star::xml::crypto::XSecurityEnvironment ;
58 : using ::com::sun::star::security::XCertificate ;
59 :
60 : extern X509Certificate_NssImpl* NssCertToXCert( CERTCertificate* cert ) ;
61 : extern X509Certificate_NssImpl* NssPrivKeyToXCert( SECKEYPrivateKey* ) ;
62 :
63 :
64 : struct UsageDescription
65 : {
66 : SECCertificateUsage usage;
67 : char const* description;
68 :
69 0 : UsageDescription()
70 : : usage( certificateUsageCheckAllUsages )
71 0 : , description( NULL )
72 0 : {}
73 :
74 0 : UsageDescription( SECCertificateUsage i_usage, char const* i_description )
75 : : usage( i_usage )
76 0 : , description( i_description )
77 0 : {}
78 :
79 : UsageDescription( const UsageDescription& aDescription )
80 : : usage( aDescription.usage )
81 : , description( aDescription.description )
82 : {}
83 :
84 0 : UsageDescription& operator =( const UsageDescription& aDescription )
85 : {
86 0 : usage = aDescription.usage;
87 0 : description = aDescription.description;
88 0 : return *this;
89 : }
90 : };
91 :
92 :
93 :
94 0 : char* GetPasswordFunction( PK11SlotInfo* pSlot, PRBool bRetry, void* /*arg*/ )
95 : {
96 0 : uno::Reference< uno::XComponentContext > xContext( ::comphelper::getProcessComponentContext() );
97 : uno::Reference < task::XInteractionHandler2 > xInteractionHandler(
98 0 : task::InteractionHandler::createWithParent(xContext, 0) );
99 :
100 0 : task::PasswordRequestMode eMode = bRetry ? task::PasswordRequestMode_PASSWORD_REENTER : task::PasswordRequestMode_PASSWORD_ENTER;
101 : ::comphelper::DocPasswordRequest* pPasswordRequest = new ::comphelper::DocPasswordRequest(
102 0 : ::comphelper::DocPasswordRequestType_STANDARD, eMode, OUString::createFromAscii(PK11_GetTokenName(pSlot)) );
103 :
104 0 : uno::Reference< task::XInteractionRequest > xRequest( pPasswordRequest );
105 0 : xInteractionHandler->handle( xRequest );
106 :
107 0 : if ( pPasswordRequest->isPassword() )
108 : {
109 : OString aPassword(OUStringToOString(
110 : pPasswordRequest->getPassword(),
111 0 : osl_getThreadTextEncoding()));
112 0 : sal_Int32 nLen = aPassword.getLength();
113 0 : char* pPassword = (char*) PORT_Alloc( nLen+1 ) ;
114 0 : pPassword[nLen] = 0;
115 0 : memcpy( pPassword, aPassword.getStr(), nLen );
116 0 : return pPassword;
117 : }
118 0 : return NULL;
119 : }
120 :
121 1 : SecurityEnvironment_NssImpl :: SecurityEnvironment_NssImpl() :
122 1 : m_pHandler( NULL ) , m_tSymKeyList() , m_tPubKeyList() , m_tPriKeyList() {
123 :
124 1 : PK11_SetPasswordFunc( GetPasswordFunction ) ;
125 1 : }
126 :
127 3 : SecurityEnvironment_NssImpl :: ~SecurityEnvironment_NssImpl() {
128 :
129 1 : PK11_SetPasswordFunc( NULL ) ;
130 :
131 1 : for (CIT_SLOTS i = m_Slots.begin(); i != m_Slots.end(); i++)
132 : {
133 0 : PK11_FreeSlot(*i);
134 : }
135 :
136 1 : if( !m_tSymKeyList.empty() ) {
137 0 : std::list< PK11SymKey* >::iterator symKeyIt ;
138 :
139 0 : for( symKeyIt = m_tSymKeyList.begin() ; symKeyIt != m_tSymKeyList.end() ; ++symKeyIt )
140 0 : PK11_FreeSymKey( *symKeyIt ) ;
141 : }
142 :
143 1 : if( !m_tPubKeyList.empty() ) {
144 0 : std::list< SECKEYPublicKey* >::iterator pubKeyIt ;
145 :
146 0 : for( pubKeyIt = m_tPubKeyList.begin() ; pubKeyIt != m_tPubKeyList.end() ; ++pubKeyIt )
147 0 : SECKEY_DestroyPublicKey( *pubKeyIt ) ;
148 : }
149 :
150 1 : if( !m_tPriKeyList.empty() ) {
151 0 : std::list< SECKEYPrivateKey* >::iterator priKeyIt ;
152 :
153 0 : for( priKeyIt = m_tPriKeyList.begin() ; priKeyIt != m_tPriKeyList.end() ; ++priKeyIt )
154 0 : SECKEY_DestroyPrivateKey( *priKeyIt ) ;
155 : }
156 2 : }
157 :
158 : /* XServiceInfo */
159 0 : OUString SAL_CALL SecurityEnvironment_NssImpl :: getImplementationName() throw( RuntimeException, std::exception ) {
160 0 : return impl_getImplementationName() ;
161 : }
162 :
163 : /* XServiceInfo */
164 0 : sal_Bool SAL_CALL SecurityEnvironment_NssImpl :: supportsService( const OUString& serviceName) throw( RuntimeException, std::exception ) {
165 0 : Sequence< OUString > seqServiceNames = getSupportedServiceNames() ;
166 0 : const OUString* pArray = seqServiceNames.getConstArray() ;
167 0 : for( sal_Int32 i = 0 ; i < seqServiceNames.getLength() ; i ++ ) {
168 0 : if( *( pArray + i ) == serviceName )
169 0 : return sal_True ;
170 : }
171 0 : return sal_False ;
172 : }
173 :
174 : /* XServiceInfo */
175 0 : Sequence< OUString > SAL_CALL SecurityEnvironment_NssImpl :: getSupportedServiceNames() throw( RuntimeException, std::exception ) {
176 0 : return impl_getSupportedServiceNames() ;
177 : }
178 :
179 : //Helper for XServiceInfo
180 1 : Sequence< OUString > SecurityEnvironment_NssImpl :: impl_getSupportedServiceNames() {
181 1 : ::osl::Guard< ::osl::Mutex > aGuard( ::osl::Mutex::getGlobalMutex() ) ;
182 1 : Sequence< OUString > seqServiceNames( 1 ) ;
183 1 : seqServiceNames[0] = "com.sun.star.xml.crypto.SecurityEnvironment";
184 1 : return seqServiceNames ;
185 : }
186 :
187 2 : OUString SecurityEnvironment_NssImpl :: impl_getImplementationName() throw( RuntimeException ) {
188 2 : return OUString("com.sun.star.xml.security.bridge.xmlsec.SecurityEnvironment_NssImpl") ;
189 : }
190 :
191 : //Helper for registry
192 1 : Reference< XInterface > SAL_CALL SecurityEnvironment_NssImpl :: impl_createInstance( const Reference< XMultiServiceFactory >& ) throw( RuntimeException ) {
193 1 : return Reference< XInterface >( *new SecurityEnvironment_NssImpl ) ;
194 : }
195 :
196 1 : Reference< XSingleServiceFactory > SecurityEnvironment_NssImpl :: impl_createFactory( const Reference< XMultiServiceFactory >& aServiceManager ) {
197 1 : return ::cppu::createSingleFactory( aServiceManager , impl_getImplementationName() , impl_createInstance , impl_getSupportedServiceNames() ) ;
198 : }
199 :
200 : /* XUnoTunnel */
201 0 : sal_Int64 SAL_CALL SecurityEnvironment_NssImpl :: getSomething( const Sequence< sal_Int8 >& aIdentifier )
202 : throw( RuntimeException, std::exception )
203 : {
204 0 : if( aIdentifier.getLength() == 16 && 0 == memcmp( getUnoTunnelId().getConstArray(), aIdentifier.getConstArray(), 16 ) ) {
205 0 : return sal::static_int_cast<sal_Int64>(reinterpret_cast<sal_uIntPtr>(this));
206 : }
207 0 : return 0 ;
208 : }
209 :
210 : /* XUnoTunnel extension */
211 :
212 : namespace
213 : {
214 : class theSecurityEnvironment_NssImplUnoTunnelId : public rtl::Static< UnoTunnelIdInit, theSecurityEnvironment_NssImplUnoTunnelId > {};
215 : }
216 :
217 0 : const Sequence< sal_Int8>& SecurityEnvironment_NssImpl :: getUnoTunnelId() {
218 0 : return theSecurityEnvironment_NssImplUnoTunnelId::get().getSeq();
219 : }
220 :
221 0 : OUString SecurityEnvironment_NssImpl::getSecurityEnvironmentInformation() throw( ::com::sun::star::uno::RuntimeException, std::exception )
222 : {
223 0 : OUStringBuffer buff;
224 0 : for (CIT_SLOTS is = m_Slots.begin(); is != m_Slots.end(); is++)
225 : {
226 0 : buff.append(OUString::createFromAscii(PK11_GetTokenName(*is)));
227 0 : buff.appendAscii("\n");
228 : }
229 0 : return buff.makeStringAndClear();
230 : }
231 :
232 0 : void SecurityEnvironment_NssImpl::addCryptoSlot( PK11SlotInfo* aSlot) throw( Exception , RuntimeException )
233 : {
234 0 : PK11_ReferenceSlot(aSlot);
235 0 : m_Slots.push_back(aSlot);
236 0 : }
237 :
238 0 : CERTCertDBHandle* SecurityEnvironment_NssImpl :: getCertDb() throw( Exception , RuntimeException ) {
239 0 : return m_pHandler ;
240 : }
241 :
242 : //Could we have multiple cert dbs?
243 0 : void SecurityEnvironment_NssImpl :: setCertDb( CERTCertDBHandle* aCertDb ) throw( Exception , RuntimeException ) {
244 0 : m_pHandler = aCertDb ;
245 0 : }
246 :
247 0 : void SecurityEnvironment_NssImpl :: adoptSymKey( PK11SymKey* aSymKey ) throw( Exception , RuntimeException ) {
248 : PK11SymKey* symkey ;
249 0 : std::list< PK11SymKey* >::iterator keyIt ;
250 :
251 0 : if( aSymKey != NULL ) {
252 : //First try to find the key in the list
253 0 : for( keyIt = m_tSymKeyList.begin() ; keyIt != m_tSymKeyList.end() ; ++keyIt ) {
254 0 : if( *keyIt == aSymKey )
255 0 : return ;
256 : }
257 :
258 : //If we do not find the key in the list, add a new node
259 0 : symkey = PK11_ReferenceSymKey( aSymKey ) ;
260 0 : if( symkey == NULL )
261 0 : throw RuntimeException() ;
262 :
263 : try {
264 0 : m_tSymKeyList.push_back( symkey ) ;
265 0 : } catch ( Exception& ) {
266 0 : PK11_FreeSymKey( symkey ) ;
267 : }
268 : }
269 : }
270 :
271 0 : void SecurityEnvironment_NssImpl :: rejectSymKey( PK11SymKey* aSymKey ) throw( Exception , RuntimeException ) {
272 : PK11SymKey* symkey ;
273 0 : std::list< PK11SymKey* >::iterator keyIt ;
274 :
275 0 : if( aSymKey != NULL ) {
276 0 : for( keyIt = m_tSymKeyList.begin() ; keyIt != m_tSymKeyList.end() ; ++keyIt ) {
277 0 : if( *keyIt == aSymKey ) {
278 0 : symkey = *keyIt ;
279 0 : PK11_FreeSymKey( symkey ) ;
280 0 : m_tSymKeyList.erase( keyIt ) ;
281 0 : break ;
282 : }
283 : }
284 : }
285 0 : }
286 :
287 0 : PK11SymKey* SecurityEnvironment_NssImpl :: getSymKey( unsigned int position ) throw( Exception , RuntimeException ) {
288 : PK11SymKey* symkey ;
289 0 : std::list< PK11SymKey* >::iterator keyIt ;
290 : unsigned int pos ;
291 :
292 0 : symkey = NULL ;
293 0 : for( pos = 0, keyIt = m_tSymKeyList.begin() ; pos < position && keyIt != m_tSymKeyList.end() ; pos ++ , keyIt ++ ) ;
294 :
295 0 : if( pos == position && keyIt != m_tSymKeyList.end() )
296 0 : symkey = *keyIt ;
297 :
298 0 : return symkey ;
299 : }
300 :
301 0 : void SecurityEnvironment_NssImpl :: adoptPubKey( SECKEYPublicKey* aPubKey ) throw( Exception , RuntimeException ) {
302 : SECKEYPublicKey* pubkey ;
303 0 : std::list< SECKEYPublicKey* >::iterator keyIt ;
304 :
305 0 : if( aPubKey != NULL ) {
306 : //First try to find the key in the list
307 0 : for( keyIt = m_tPubKeyList.begin() ; keyIt != m_tPubKeyList.end() ; ++keyIt ) {
308 0 : if( *keyIt == aPubKey )
309 0 : return ;
310 : }
311 :
312 : //If we do not find the key in the list, add a new node
313 0 : pubkey = SECKEY_CopyPublicKey( aPubKey ) ;
314 0 : if( pubkey == NULL )
315 0 : throw RuntimeException() ;
316 :
317 : try {
318 0 : m_tPubKeyList.push_back( pubkey ) ;
319 0 : } catch ( Exception& ) {
320 0 : SECKEY_DestroyPublicKey( pubkey ) ;
321 : }
322 : }
323 : }
324 :
325 0 : void SecurityEnvironment_NssImpl :: rejectPubKey( SECKEYPublicKey* aPubKey ) throw( Exception , RuntimeException ) {
326 : SECKEYPublicKey* pubkey ;
327 0 : std::list< SECKEYPublicKey* >::iterator keyIt ;
328 :
329 0 : if( aPubKey != NULL ) {
330 0 : for( keyIt = m_tPubKeyList.begin() ; keyIt != m_tPubKeyList.end() ; ++keyIt ) {
331 0 : if( *keyIt == aPubKey ) {
332 0 : pubkey = *keyIt ;
333 0 : SECKEY_DestroyPublicKey( pubkey ) ;
334 0 : m_tPubKeyList.erase( keyIt ) ;
335 0 : break ;
336 : }
337 : }
338 : }
339 0 : }
340 :
341 0 : SECKEYPublicKey* SecurityEnvironment_NssImpl :: getPubKey( unsigned int position ) throw( Exception , RuntimeException ) {
342 : SECKEYPublicKey* pubkey ;
343 0 : std::list< SECKEYPublicKey* >::iterator keyIt ;
344 : unsigned int pos ;
345 :
346 0 : pubkey = NULL ;
347 0 : for( pos = 0, keyIt = m_tPubKeyList.begin() ; pos < position && keyIt != m_tPubKeyList.end() ; pos ++ , keyIt ++ ) ;
348 :
349 0 : if( pos == position && keyIt != m_tPubKeyList.end() )
350 0 : pubkey = *keyIt ;
351 :
352 0 : return pubkey ;
353 : }
354 :
355 0 : void SecurityEnvironment_NssImpl :: adoptPriKey( SECKEYPrivateKey* aPriKey ) throw( Exception , RuntimeException ) {
356 : SECKEYPrivateKey* prikey ;
357 0 : std::list< SECKEYPrivateKey* >::iterator keyIt ;
358 :
359 0 : if( aPriKey != NULL ) {
360 : //First try to find the key in the list
361 0 : for( keyIt = m_tPriKeyList.begin() ; keyIt != m_tPriKeyList.end() ; ++keyIt ) {
362 0 : if( *keyIt == aPriKey )
363 0 : return ;
364 : }
365 :
366 : //If we do not find the key in the list, add a new node
367 0 : prikey = SECKEY_CopyPrivateKey( aPriKey ) ;
368 0 : if( prikey == NULL )
369 0 : throw RuntimeException() ;
370 :
371 : try {
372 0 : m_tPriKeyList.push_back( prikey ) ;
373 0 : } catch ( Exception& ) {
374 0 : SECKEY_DestroyPrivateKey( prikey ) ;
375 : }
376 : }
377 : }
378 :
379 0 : void SecurityEnvironment_NssImpl :: rejectPriKey( SECKEYPrivateKey* aPriKey ) throw( Exception , RuntimeException ) {
380 : SECKEYPrivateKey* prikey ;
381 0 : std::list< SECKEYPrivateKey* >::iterator keyIt ;
382 :
383 0 : if( aPriKey != NULL ) {
384 0 : for( keyIt = m_tPriKeyList.begin() ; keyIt != m_tPriKeyList.end() ; ++keyIt ) {
385 0 : if( *keyIt == aPriKey ) {
386 0 : prikey = *keyIt ;
387 0 : SECKEY_DestroyPrivateKey( prikey ) ;
388 0 : m_tPriKeyList.erase( keyIt ) ;
389 0 : break ;
390 : }
391 : }
392 : }
393 0 : }
394 :
395 0 : SECKEYPrivateKey* SecurityEnvironment_NssImpl :: getPriKey( unsigned int position ) throw( ::com::sun::star::uno::Exception , ::com::sun::star::uno::RuntimeException ) {
396 : SECKEYPrivateKey* prikey ;
397 0 : std::list< SECKEYPrivateKey* >::iterator keyIt ;
398 : unsigned int pos ;
399 :
400 0 : prikey = NULL ;
401 0 : for( pos = 0, keyIt = m_tPriKeyList.begin() ; pos < position && keyIt != m_tPriKeyList.end() ; pos ++ , keyIt ++ ) ;
402 :
403 0 : if( pos == position && keyIt != m_tPriKeyList.end() )
404 0 : prikey = *keyIt ;
405 :
406 0 : return prikey ;
407 : }
408 :
409 0 : void SecurityEnvironment_NssImpl::updateSlots()
410 : {
411 : //In case new tokens are present then we can obtain the corresponding slot
412 0 : PK11SlotList * soltList = NULL;
413 0 : PK11SlotListElement * soltEle = NULL;
414 0 : PK11SlotInfo * pSlot = NULL;
415 0 : PK11SymKey * pSymKey = NULL;
416 :
417 0 : osl::MutexGuard guard(m_mutex);
418 :
419 0 : m_Slots.clear();
420 0 : m_tSymKeyList.clear();
421 :
422 0 : soltList = PK11_GetAllTokens( CKM_INVALID_MECHANISM, PR_FALSE, PR_FALSE, NULL ) ;
423 0 : if( soltList != NULL )
424 : {
425 0 : for( soltEle = soltList->head ; soltEle != NULL; soltEle = soltEle->next )
426 : {
427 0 : pSlot = soltEle->slot ;
428 :
429 0 : if(pSlot != NULL)
430 : {
431 : SAL_INFO(
432 : "xmlsecurity.xmlsec",
433 : "Found a slot: SlotName=" << PK11_GetSlotName(pSlot)
434 : << ", TokenName=" << PK11_GetTokenName(pSlot));
435 :
436 : //The following code which is commented out checks if a slot, that is a smart card for example, is
437 : // able to generate a symmetric key of type CKM_DES3_CBC. If this fails then this token
438 : // will not be used. This key is possibly used for the encryption service. However, all
439 : // interfaces and services used for public key signature and encryption are not published
440 : // and the encryption is not used in OOo. Therefore it does not do any harm to remove
441 : // this code, hence allowing smart cards which cannot generate this type of key.
442 : //
443 : // By doing this, the encryption may fail if a smart card is being used which does not
444 : // support this key generation.
445 : //
446 0 : pSymKey = PK11_KeyGen( pSlot , CKM_DES3_CBC, NULL, 128, NULL ) ;
447 : // if( pSymKey == NULL )
448 : // {
449 : // PK11_FreeSlot( pSlot ) ;
450 : // SAL_INFO( "xmlsecurity", "XMLSEC: Error - pSymKey is NULL" );
451 : // continue;
452 : // }
453 0 : addCryptoSlot(pSlot);
454 0 : PK11_FreeSlot( pSlot ) ;
455 0 : pSlot = NULL;
456 :
457 0 : if (pSymKey != NULL)
458 : {
459 0 : adoptSymKey( pSymKey ) ;
460 0 : PK11_FreeSymKey( pSymKey ) ;
461 0 : pSymKey = NULL;
462 : }
463 :
464 : }// end of if(pSlot != NULL)
465 : }// end of for
466 0 : }// end of if( soltList != NULL )
467 :
468 0 : }
469 :
470 :
471 : Sequence< Reference < XCertificate > >
472 0 : SecurityEnvironment_NssImpl::getPersonalCertificates() throw( SecurityException , RuntimeException, std::exception )
473 : {
474 : sal_Int32 length ;
475 : X509Certificate_NssImpl* xcert ;
476 0 : std::list< X509Certificate_NssImpl* > certsList ;
477 :
478 0 : updateSlots();
479 : //firstly, we try to find private keys in slot
480 0 : for (CIT_SLOTS is = m_Slots.begin(); is != m_Slots.end(); is++)
481 : {
482 0 : PK11SlotInfo *slot = *is;
483 : SECKEYPrivateKeyList* priKeyList ;
484 : SECKEYPrivateKeyListNode* curPri ;
485 :
486 0 : if( PK11_NeedLogin(slot ) ) {
487 0 : SECStatus nRet = PK11_Authenticate(slot, PR_TRUE, NULL);
488 : //PK11_Authenticate may fail in case the a slot has not been initialized.
489 : //this is the case if the user has a new profile, so that they have never
490 : //added a personal certificate.
491 0 : if( nRet != SECSuccess && PORT_GetError() != SEC_ERROR_IO) {
492 0 : throw NoPasswordException();
493 : }
494 : }
495 :
496 0 : priKeyList = PK11_ListPrivateKeysInSlot(slot) ;
497 0 : if( priKeyList != NULL )
498 : {
499 0 : for( curPri = PRIVKEY_LIST_HEAD( priKeyList );
500 0 : !PRIVKEY_LIST_END( curPri, priKeyList ) && curPri != NULL ;
501 : curPri = PRIVKEY_LIST_NEXT( curPri ) )
502 : {
503 0 : xcert = NssPrivKeyToXCert( curPri->key ) ;
504 0 : if( xcert != NULL )
505 0 : certsList.push_back( xcert ) ;
506 : }
507 0 : SECKEY_DestroyPrivateKeyList( priKeyList ) ;
508 : }
509 :
510 :
511 : }
512 :
513 : //secondly, we try to find certificate from registered private keys.
514 0 : if( !m_tPriKeyList.empty() ) {
515 0 : std::list< SECKEYPrivateKey* >::iterator priKeyIt ;
516 :
517 0 : for( priKeyIt = m_tPriKeyList.begin() ; priKeyIt != m_tPriKeyList.end() ; ++priKeyIt ) {
518 0 : xcert = NssPrivKeyToXCert( *priKeyIt ) ;
519 0 : if( xcert != NULL )
520 0 : certsList.push_back( xcert ) ;
521 : }
522 : }
523 :
524 0 : length = certsList.size() ;
525 0 : if( length != 0 ) {
526 : int i ;
527 0 : std::list< X509Certificate_NssImpl* >::iterator xcertIt ;
528 0 : Sequence< Reference< XCertificate > > certSeq( length ) ;
529 :
530 0 : for( i = 0, xcertIt = certsList.begin(); xcertIt != certsList.end(); ++xcertIt, ++i ) {
531 0 : certSeq[i] = *xcertIt ;
532 : }
533 :
534 0 : return certSeq ;
535 : }
536 :
537 0 : return Sequence< Reference < XCertificate > > ();
538 : }
539 :
540 0 : Reference< XCertificate > SecurityEnvironment_NssImpl :: getCertificate( const OUString& issuerName, const Sequence< sal_Int8 >& serialNumber ) throw( SecurityException , RuntimeException, std::exception )
541 : {
542 0 : X509Certificate_NssImpl* xcert = NULL;
543 :
544 0 : if( m_pHandler != NULL ) {
545 : CERTIssuerAndSN issuerAndSN ;
546 : CERTCertificate* cert ;
547 : CERTName* nmIssuer ;
548 : char* chIssuer ;
549 : SECItem* derIssuer ;
550 : PRArenaPool* arena ;
551 :
552 0 : arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE ) ;
553 0 : if( arena == NULL )
554 0 : throw RuntimeException() ;
555 :
556 : // Create cert info from issue and serial
557 0 : OString ostr = OUStringToOString( issuerName , RTL_TEXTENCODING_UTF8 ) ;
558 0 : chIssuer = PL_strndup( ( char* )ostr.getStr(), ( int )ostr.getLength() ) ;
559 0 : nmIssuer = CERT_AsciiToName( chIssuer ) ;
560 0 : if( nmIssuer == NULL ) {
561 0 : PL_strfree( chIssuer ) ;
562 0 : PORT_FreeArena( arena, PR_FALSE ) ;
563 0 : return NULL; // no need for exception cf. i40394
564 : }
565 :
566 0 : derIssuer = SEC_ASN1EncodeItem( arena, NULL, ( void* )nmIssuer, SEC_ASN1_GET( CERT_NameTemplate ) ) ;
567 0 : if( derIssuer == NULL ) {
568 0 : PL_strfree( chIssuer ) ;
569 0 : CERT_DestroyName( nmIssuer ) ;
570 0 : PORT_FreeArena( arena, PR_FALSE ) ;
571 0 : throw RuntimeException() ;
572 : }
573 :
574 0 : memset( &issuerAndSN, 0, sizeof( issuerAndSN ) ) ;
575 :
576 0 : issuerAndSN.derIssuer.data = derIssuer->data ;
577 0 : issuerAndSN.derIssuer.len = derIssuer->len ;
578 :
579 0 : issuerAndSN.serialNumber.data = ( unsigned char* )&serialNumber[0] ;
580 0 : issuerAndSN.serialNumber.len = serialNumber.getLength() ;
581 :
582 0 : cert = CERT_FindCertByIssuerAndSN( m_pHandler, &issuerAndSN ) ;
583 0 : if( cert != NULL ) {
584 0 : xcert = NssCertToXCert( cert ) ;
585 : } else {
586 0 : xcert = NULL ;
587 : }
588 :
589 0 : PL_strfree( chIssuer ) ;
590 0 : CERT_DestroyName( nmIssuer ) ;
591 : //SECITEM_FreeItem( derIssuer, PR_FALSE ) ;
592 0 : CERT_DestroyCertificate( cert ) ;
593 0 : PORT_FreeArena( arena, PR_FALSE ) ;
594 : } else {
595 0 : xcert = NULL ;
596 : }
597 :
598 0 : return xcert ;
599 : }
600 :
601 0 : Reference< XCertificate > SecurityEnvironment_NssImpl :: getCertificate( const OUString& issuerName, const OUString& serialNumber ) throw( SecurityException , RuntimeException ) {
602 0 : Sequence< sal_Int8 > serial = numericStringToBigInteger( serialNumber ) ;
603 0 : return getCertificate( issuerName, serial ) ;
604 : }
605 :
606 0 : Sequence< Reference < XCertificate > > SecurityEnvironment_NssImpl :: buildCertificatePath( const Reference< XCertificate >& begin ) throw( SecurityException , RuntimeException, std::exception ) {
607 : const X509Certificate_NssImpl* xcert ;
608 : const CERTCertificate* cert ;
609 : CERTCertList* certChain ;
610 :
611 0 : Reference< XUnoTunnel > xCertTunnel( begin, UNO_QUERY ) ;
612 0 : if( !xCertTunnel.is() ) {
613 0 : throw RuntimeException() ;
614 : }
615 :
616 : xcert = reinterpret_cast<X509Certificate_NssImpl*>(
617 0 : sal::static_int_cast<sal_uIntPtr>(xCertTunnel->getSomething( X509Certificate_NssImpl::getUnoTunnelId() ))) ;
618 0 : if( xcert == NULL ) {
619 0 : throw RuntimeException() ;
620 : }
621 :
622 0 : cert = xcert->getNssCert() ;
623 0 : if( cert != NULL ) {
624 : int64 timeboundary ;
625 :
626 : //Get the system clock time
627 0 : timeboundary = PR_Now() ;
628 :
629 0 : certChain = CERT_GetCertChainFromCert( ( CERTCertificate* )cert, timeboundary, certUsageAnyCA ) ;
630 : } else {
631 0 : certChain = NULL ;
632 : }
633 :
634 0 : if( certChain != NULL ) {
635 : X509Certificate_NssImpl* pCert ;
636 : CERTCertListNode* node ;
637 : int len ;
638 :
639 0 : for( len = 0, node = CERT_LIST_HEAD( certChain ); !CERT_LIST_END( node, certChain ); node = CERT_LIST_NEXT( node ), len ++ ) ;
640 0 : Sequence< Reference< XCertificate > > xCertChain( len ) ;
641 :
642 0 : for( len = 0, node = CERT_LIST_HEAD( certChain ); !CERT_LIST_END( node, certChain ); node = CERT_LIST_NEXT( node ), len ++ ) {
643 0 : pCert = new X509Certificate_NssImpl() ;
644 0 : if( pCert == NULL ) {
645 0 : CERT_DestroyCertList( certChain ) ;
646 0 : throw RuntimeException() ;
647 : }
648 :
649 0 : pCert->setCert( node->cert ) ;
650 :
651 0 : xCertChain[len] = pCert ;
652 : }
653 :
654 0 : CERT_DestroyCertList( certChain ) ;
655 :
656 0 : return xCertChain ;
657 : }
658 :
659 0 : return Sequence< Reference < XCertificate > >();
660 : }
661 :
662 0 : Reference< XCertificate > SecurityEnvironment_NssImpl :: createCertificateFromRaw( const Sequence< sal_Int8 >& rawCertificate ) throw( SecurityException , RuntimeException, std::exception ) {
663 : X509Certificate_NssImpl* xcert ;
664 :
665 0 : if( rawCertificate.getLength() > 0 ) {
666 0 : xcert = new X509Certificate_NssImpl() ;
667 0 : if( xcert == NULL )
668 0 : throw RuntimeException() ;
669 :
670 0 : xcert->setRawCert( rawCertificate ) ;
671 : } else {
672 0 : xcert = NULL ;
673 : }
674 :
675 0 : return xcert ;
676 : }
677 :
678 0 : Reference< XCertificate > SecurityEnvironment_NssImpl :: createCertificateFromAscii( const OUString& asciiCertificate ) throw( SecurityException , RuntimeException, std::exception )
679 : {
680 : xmlChar* chCert ;
681 : xmlSecSize certSize ;
682 :
683 0 : OString oscert = OUStringToOString( asciiCertificate , RTL_TEXTENCODING_ASCII_US ) ;
684 :
685 0 : chCert = xmlStrndup( ( const xmlChar* )oscert.getStr(), ( int )oscert.getLength() ) ;
686 :
687 0 : certSize = xmlSecBase64Decode( chCert, ( xmlSecByte* )chCert, xmlStrlen( chCert ) ) ;
688 :
689 0 : if(certSize > 0)
690 : {
691 0 : Sequence< sal_Int8 > rawCert( certSize ) ;
692 0 : for( unsigned int i = 0 ; i < certSize ; i ++ )
693 0 : rawCert[i] = *( chCert + i ) ;
694 :
695 0 : xmlFree( chCert ) ;
696 :
697 0 : return createCertificateFromRaw( rawCert ) ;
698 : }
699 : else
700 : {
701 0 : return NULL;
702 0 : }
703 : }
704 :
705 0 : sal_Int32 SecurityEnvironment_NssImpl ::
706 : verifyCertificate( const Reference< csss::XCertificate >& aCert,
707 : const Sequence< Reference< csss::XCertificate > >& intermediateCerts )
708 : throw( ::com::sun::star::uno::SecurityException, ::com::sun::star::uno::RuntimeException, std::exception )
709 : {
710 0 : sal_Int32 validity = csss::CertificateValidity::INVALID;
711 : const X509Certificate_NssImpl* xcert ;
712 : const CERTCertificate* cert ;
713 0 : ::std::vector<CERTCertificate*> vecTmpNSSCertificates;
714 0 : Reference< XUnoTunnel > xCertTunnel( aCert, UNO_QUERY ) ;
715 0 : if( !xCertTunnel.is() ) {
716 0 : throw RuntimeException() ;
717 : }
718 :
719 : xmlsec_trace("Start verification of certificate: \n %s \n",
720 : OUStringToOString(
721 0 : aCert->getSubjectName(), osl_getThreadTextEncoding()).getStr());
722 :
723 : xcert = reinterpret_cast<X509Certificate_NssImpl*>(
724 0 : sal::static_int_cast<sal_uIntPtr>(xCertTunnel->getSomething( X509Certificate_NssImpl::getUnoTunnelId() ))) ;
725 0 : if( xcert == NULL ) {
726 0 : throw RuntimeException() ;
727 : }
728 :
729 : //CERT_PKIXVerifyCert does not take a db as argument. It will therefore
730 : //internally use CERT_GetDefaultCertDB
731 : //Make sure m_pHandler is the default DB
732 : OSL_ASSERT(m_pHandler == CERT_GetDefaultCertDB());
733 0 : CERTCertDBHandle * certDb = m_pHandler != NULL ? m_pHandler : CERT_GetDefaultCertDB();
734 0 : cert = xcert->getNssCert() ;
735 0 : if( cert != NULL )
736 : {
737 :
738 : //prepare the intermediate certificates
739 0 : for (sal_Int32 i = 0; i < intermediateCerts.getLength(); i++)
740 : {
741 0 : Sequence<sal_Int8> der = intermediateCerts[i]->getEncoded();
742 : SECItem item;
743 0 : item.type = siBuffer;
744 0 : item.data = (unsigned char*)der.getArray();
745 0 : item.len = der.getLength();
746 :
747 : CERTCertificate* certTmp = CERT_NewTempCertificate(certDb, &item,
748 : NULL /* nickname */,
749 : PR_FALSE /* isPerm */,
750 0 : PR_TRUE /* copyDER */);
751 0 : if (!certTmp)
752 : {
753 : xmlsec_trace("Failed to add a temporary certificate: %s",
754 0 : OUStringToOString(intermediateCerts[i]->getIssuerName(),
755 0 : osl_getThreadTextEncoding()).getStr());
756 :
757 : }
758 : else
759 : {
760 : xmlsec_trace("Added temporary certificate: %s",
761 0 : certTmp->subjectName ? certTmp->subjectName : "");
762 0 : vecTmpNSSCertificates.push_back(certTmp);
763 : }
764 0 : }
765 :
766 :
767 : SECStatus status ;
768 :
769 : CERTVerifyLog log;
770 0 : log.arena = PORT_NewArena(512);
771 0 : log.head = log.tail = NULL;
772 0 : log.count = 0;
773 :
774 0 : CERT_EnableOCSPChecking(certDb);
775 0 : CERT_DisableOCSPDefaultResponder(certDb);
776 : CERTValOutParam cvout[5];
777 : CERTValInParam cvin[3];
778 0 : int ncvinCount=0;
779 :
780 : #if ( NSS_VMAJOR > 3 ) || ( NSS_VMAJOR == 3 && NSS_VMINOR > 12 ) || ( NSS_VMAJOR == 3 && NSS_VMINOR == 12 && NSS_VPATCH > 0 )
781 0 : cvin[ncvinCount].type = cert_pi_useAIACertFetch;
782 0 : cvin[ncvinCount].value.scalar.b = PR_TRUE;
783 0 : ncvinCount++;
784 : #endif
785 :
786 : PRUint64 revFlagsLeaf[2];
787 : PRUint64 revFlagsChain[2];
788 : CERTRevocationFlags rev;
789 0 : rev.leafTests.number_of_defined_methods = 2;
790 0 : rev.leafTests.cert_rev_flags_per_method = revFlagsLeaf;
791 : //the flags are defined in cert.h
792 : //We check both leaf and chain.
793 : //It is enough if one revocation method has fresh info,
794 : //but at least one must have some. Otherwise validation fails.
795 : //!!! using leaf test and CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE
796 : // when validating a root certificate will result in "revoked". Usually
797 : //there is no revocation information available for the root cert because
798 : //it must be trusted anyway and it does itself issue revocation information.
799 : //When we use the flag here and OOo shows the certification path then the root
800 : //cert is invalid while all other can be valid. It would probably best if
801 : //this interface method returned the whole chain.
802 : //Otherwise we need to check if the certificate is self-signed and if it is
803 : //then not use the flag when doing the leaf-test.
804 0 : rev.leafTests.cert_rev_flags_per_method[cert_revocation_method_crl] =
805 : CERT_REV_M_TEST_USING_THIS_METHOD
806 0 : | CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE;
807 0 : rev.leafTests.cert_rev_flags_per_method[cert_revocation_method_ocsp] =
808 : CERT_REV_M_TEST_USING_THIS_METHOD
809 0 : | CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE;
810 0 : rev.leafTests.number_of_preferred_methods = 0;
811 0 : rev.leafTests.preferred_methods = NULL;
812 : rev.leafTests.cert_rev_method_independent_flags =
813 0 : CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST;
814 :
815 0 : rev.chainTests.number_of_defined_methods = 2;
816 0 : rev.chainTests.cert_rev_flags_per_method = revFlagsChain;
817 0 : rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_crl] =
818 : CERT_REV_M_TEST_USING_THIS_METHOD
819 0 : | CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE;
820 0 : rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_ocsp] =
821 : CERT_REV_M_TEST_USING_THIS_METHOD
822 0 : | CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE;
823 0 : rev.chainTests.number_of_preferred_methods = 0;
824 0 : rev.chainTests.preferred_methods = NULL;
825 : rev.chainTests.cert_rev_method_independent_flags =
826 0 : CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST;
827 :
828 :
829 0 : cvin[ncvinCount].type = cert_pi_revocationFlags;
830 0 : cvin[ncvinCount].value.pointer.revocation = &rev;
831 0 : ncvinCount++;
832 : // does not work, not implemented yet in 3.12.4
833 : // cvin[ncvinCount].type = cert_pi_keyusage;
834 : // cvin[ncvinCount].value.scalar.ui = KU_DIGITAL_SIGNATURE;
835 : // ncvinCount++;
836 0 : cvin[ncvinCount].type = cert_pi_end;
837 :
838 0 : cvout[0].type = cert_po_trustAnchor;
839 0 : cvout[0].value.pointer.cert = NULL;
840 0 : cvout[1].type = cert_po_errorLog;
841 0 : cvout[1].value.pointer.log = &log;
842 0 : cvout[2].type = cert_po_end;
843 :
844 : // We check SSL server certificates, CA certificates and signing sertificates.
845 : //
846 : // ToDo check keyusage, looking at CERT_KeyUsageAndTypeForCertUsage (
847 : // mozilla/security/nss/lib/certdb/certdb.c indicates that
848 : // certificateUsageSSLClient, certificateUsageSSLServer and certificateUsageSSLCA
849 : // are sufficient. They cover the key usages for digital signature, key agreement
850 : // and encipherment and certificate signature
851 :
852 : //never use the following usages because they are not checked properly
853 : // certificateUsageUserCertImport
854 : // certificateUsageVerifyCA
855 : // certificateUsageAnyCA
856 : // certificateUsageProtectedObjectSigner
857 :
858 0 : UsageDescription arUsages[5];
859 0 : arUsages[0] = UsageDescription( certificateUsageSSLClient, "certificateUsageSSLClient" );
860 0 : arUsages[1] = UsageDescription( certificateUsageSSLServer, "certificateUsageSSLServer" );
861 0 : arUsages[2] = UsageDescription( certificateUsageSSLCA, "certificateUsageSSLCA" );
862 0 : arUsages[3] = UsageDescription( certificateUsageEmailSigner, "certificateUsageEmailSigner" );
863 0 : arUsages[4] = UsageDescription( certificateUsageEmailRecipient, "certificateUsageEmailRecipient" );
864 :
865 0 : int numUsages = SAL_N_ELEMENTS(arUsages);
866 0 : for (int i = 0; i < numUsages; i++)
867 : {
868 : xmlsec_trace("Testing usage %d of %d: %s (0x%x)", i + 1,
869 0 : numUsages, arUsages[i].description, (int) arUsages[i].usage);
870 :
871 : status = CERT_PKIXVerifyCert(const_cast<CERTCertificate *>(cert), arUsages[i].usage,
872 0 : cvin, cvout, NULL);
873 0 : if( status == SECSuccess )
874 : {
875 0 : xmlsec_trace("CERT_PKIXVerifyCert returned SECSuccess.");
876 : //When an intermediate or root certificate is checked then we expect the usage
877 : //certificateUsageSSLCA. This, however, will be only set when in the trust settings dialog
878 : //the button "This certificate can identify websites" is checked. If for example only
879 : //"This certificate can identify mail users" is set then the end certificate can
880 : //be validated and the returned usage will conain certificateUsageEmailRecipient.
881 : //But checking directly the root or intermediate certificate will fail. In the
882 : //certificate path view the end certificate will be shown as valid but the others
883 : //will be displayed as invalid.
884 :
885 0 : validity = csss::CertificateValidity::VALID;
886 0 : xmlsec_trace("Certificate is valid.\n");
887 0 : CERTCertificate * issuerCert = cvout[0].value.pointer.cert;
888 0 : if (issuerCert)
889 : {
890 0 : xmlsec_trace("Root certificate: %s", issuerCert->subjectName);
891 0 : CERT_DestroyCertificate(issuerCert);
892 : };
893 :
894 0 : break;
895 : }
896 : else
897 : {
898 0 : PRIntn err = PR_GetError();
899 0 : xmlsec_trace("Error: , %d = %s", err, getCertError(err));
900 :
901 : /* Display validation results */
902 0 : if ( log.count > 0)
903 : {
904 0 : CERTVerifyLogNode *node = NULL;
905 0 : printChainFailure(&log);
906 :
907 0 : for (node = log.head; node; node = node->next) {
908 0 : if (node->cert)
909 0 : CERT_DestroyCertificate(node->cert);
910 : }
911 0 : log.head = log.tail = NULL;
912 0 : log.count = 0;
913 : }
914 0 : xmlsec_trace("Certificate is invalid.\n");
915 : }
916 : }
917 :
918 : }
919 : else
920 : {
921 0 : validity = ::com::sun::star::security::CertificateValidity::INVALID ;
922 : }
923 :
924 : //Destroying the temporary certificates
925 0 : std::vector<CERTCertificate*>::const_iterator cert_i;
926 0 : for (cert_i = vecTmpNSSCertificates.begin(); cert_i != vecTmpNSSCertificates.end(); ++cert_i)
927 : {
928 0 : xmlsec_trace("Destroying temporary certificate");
929 0 : CERT_DestroyCertificate(*cert_i);
930 : }
931 0 : return validity ;
932 : }
933 :
934 0 : sal_Int32 SecurityEnvironment_NssImpl::getCertificateCharacters(
935 : const ::com::sun::star::uno::Reference< ::com::sun::star::security::XCertificate >& aCert ) throw( ::com::sun::star::uno::SecurityException, ::com::sun::star::uno::RuntimeException, std::exception ) {
936 : sal_Int32 characters ;
937 : const X509Certificate_NssImpl* xcert ;
938 : const CERTCertificate* cert ;
939 :
940 0 : Reference< XUnoTunnel > xCertTunnel( aCert, UNO_QUERY ) ;
941 0 : if( !xCertTunnel.is() ) {
942 0 : throw RuntimeException() ;
943 : }
944 :
945 : xcert = reinterpret_cast<X509Certificate_NssImpl*>(
946 0 : sal::static_int_cast<sal_uIntPtr>(xCertTunnel->getSomething( X509Certificate_NssImpl::getUnoTunnelId() ))) ;
947 0 : if( xcert == NULL ) {
948 0 : throw RuntimeException() ;
949 : }
950 :
951 0 : cert = xcert->getNssCert() ;
952 :
953 0 : characters = 0x00000000 ;
954 :
955 : //Firstly, find out whether or not the cert is self-signed.
956 0 : if( SECITEM_CompareItem( &(cert->derIssuer), &(cert->derSubject) ) == SECEqual ) {
957 0 : characters |= ::com::sun::star::security::CertificateCharacters::SELF_SIGNED ;
958 : } else {
959 0 : characters &= ~ ::com::sun::star::security::CertificateCharacters::SELF_SIGNED ;
960 : }
961 :
962 : //Secondly, find out whether or not the cert has a private key.
963 :
964 : /*
965 : * i40394
966 : *
967 : * mmi : need to check whether the cert's slot is valid first
968 : */
969 0 : SECKEYPrivateKey* priKey = NULL;
970 :
971 0 : if (cert->slot != NULL)
972 : {
973 0 : priKey = PK11_FindPrivateKeyFromCert( cert->slot, ( CERTCertificate* )cert, NULL ) ;
974 : }
975 0 : if(priKey == NULL)
976 : {
977 0 : for (CIT_SLOTS is = m_Slots.begin(); is != m_Slots.end(); is++)
978 : {
979 0 : priKey = PK11_FindPrivateKeyFromCert(*is, (CERTCertificate*)cert, NULL);
980 0 : if (priKey)
981 0 : break;
982 : }
983 : }
984 0 : if( priKey != NULL ) {
985 0 : characters |= ::com::sun::star::security::CertificateCharacters::HAS_PRIVATE_KEY ;
986 :
987 0 : SECKEY_DestroyPrivateKey( priKey ) ;
988 : } else {
989 0 : characters &= ~ ::com::sun::star::security::CertificateCharacters::HAS_PRIVATE_KEY ;
990 : }
991 :
992 0 : return characters ;
993 : }
994 :
995 0 : X509Certificate_NssImpl* NssCertToXCert( CERTCertificate* cert )
996 : {
997 : X509Certificate_NssImpl* xcert ;
998 :
999 0 : if( cert != NULL ) {
1000 0 : xcert = new X509Certificate_NssImpl() ;
1001 0 : if( xcert == NULL ) {
1002 0 : xcert = NULL ;
1003 : } else {
1004 0 : xcert->setCert( cert ) ;
1005 : }
1006 : } else {
1007 0 : xcert = NULL ;
1008 : }
1009 :
1010 0 : return xcert ;
1011 : }
1012 :
1013 0 : X509Certificate_NssImpl* NssPrivKeyToXCert( SECKEYPrivateKey* priKey )
1014 : {
1015 : CERTCertificate* cert ;
1016 : X509Certificate_NssImpl* xcert ;
1017 :
1018 0 : if( priKey != NULL ) {
1019 0 : cert = PK11_GetCertFromPrivateKey( priKey ) ;
1020 :
1021 0 : if( cert != NULL ) {
1022 0 : xcert = NssCertToXCert( cert ) ;
1023 : } else {
1024 0 : xcert = NULL ;
1025 : }
1026 :
1027 0 : CERT_DestroyCertificate( cert ) ;
1028 : } else {
1029 0 : xcert = NULL ;
1030 : }
1031 :
1032 0 : return xcert ;
1033 : }
1034 :
1035 :
1036 : /* Native methods */
1037 0 : xmlSecKeysMngrPtr SecurityEnvironment_NssImpl::createKeysManager() throw( Exception, RuntimeException ) {
1038 :
1039 : unsigned int i ;
1040 0 : CERTCertDBHandle* handler = NULL ;
1041 0 : PK11SymKey* symKey = NULL ;
1042 0 : SECKEYPublicKey* pubKey = NULL ;
1043 0 : SECKEYPrivateKey* priKey = NULL ;
1044 0 : xmlSecKeysMngrPtr pKeysMngr = NULL ;
1045 :
1046 0 : handler = this->getCertDb() ;
1047 :
1048 : /*-
1049 : * The following lines is based on the private version of xmlSec-NSS
1050 : * crypto engine
1051 : */
1052 0 : int cSlots = m_Slots.size();
1053 0 : boost::scoped_array<PK11SlotInfo*> sarSlots(new PK11SlotInfo*[cSlots]);
1054 0 : PK11SlotInfo** slots = sarSlots.get();
1055 0 : int count = 0;
1056 0 : for (CIT_SLOTS islots = m_Slots.begin();islots != m_Slots.end(); islots++, count++)
1057 0 : slots[count] = *islots;
1058 :
1059 0 : pKeysMngr = xmlSecNssAppliedKeysMngrCreate(slots, cSlots, handler ) ;
1060 0 : if( pKeysMngr == NULL )
1061 0 : throw RuntimeException() ;
1062 :
1063 : /*-
1064 : * Adopt symmetric key into keys manager
1065 : */
1066 0 : for( i = 0 ; ( symKey = this->getSymKey( i ) ) != NULL ; i ++ ) {
1067 0 : if( xmlSecNssAppliedKeysMngrSymKeyLoad( pKeysMngr, symKey ) < 0 ) {
1068 0 : throw RuntimeException() ;
1069 : }
1070 : }
1071 :
1072 : /*-
1073 : * Adopt asymmetric public key into keys manager
1074 : */
1075 0 : for( i = 0 ; ( pubKey = this->getPubKey( i ) ) != NULL ; i ++ ) {
1076 0 : if( xmlSecNssAppliedKeysMngrPubKeyLoad( pKeysMngr, pubKey ) < 0 ) {
1077 0 : throw RuntimeException() ;
1078 : }
1079 : }
1080 :
1081 : /*-
1082 : * Adopt asymmetric private key into keys manager
1083 : */
1084 0 : for( i = 0 ; ( priKey = this->getPriKey( i ) ) != NULL ; i ++ ) {
1085 0 : if( xmlSecNssAppliedKeysMngrPriKeyLoad( pKeysMngr, priKey ) < 0 ) {
1086 0 : throw RuntimeException() ;
1087 : }
1088 : }
1089 0 : return pKeysMngr ;
1090 : }
1091 0 : void SecurityEnvironment_NssImpl::destroyKeysManager(xmlSecKeysMngrPtr pKeysMngr) throw( Exception, RuntimeException ) {
1092 0 : if( pKeysMngr != NULL ) {
1093 0 : xmlSecKeysMngrDestroy( pKeysMngr ) ;
1094 : }
1095 0 : }
1096 :
1097 : /* vim:set shiftwidth=4 softtabstop=4 expandtab: */
|
