Line data Source code
1 : /* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
2 : /*
3 : * This file is part of the LibreOffice project.
4 : *
5 : * This Source Code Form is subject to the terms of the Mozilla Public
6 : * License, v. 2.0. If a copy of the MPL was not distributed with this
7 : * file, You can obtain one at http://mozilla.org/MPL/2.0/.
8 : *
9 : * This file incorporates work covered by the following license notice:
10 : *
11 : * Licensed to the Apache Software Foundation (ASF) under one or more
12 : * contributor license agreements. See the NOTICE file distributed
13 : * with this work for additional information regarding copyright
14 : * ownership. The ASF licenses this file to you under the Apache
15 : * License, Version 2.0 (the "License"); you may not use this file
16 : * except in compliance with the License. You may obtain a copy of
17 : * the License at http://www.apache.org/licenses/LICENSE-2.0 .
18 : */
19 :
20 : #include "nssrenam.h"
21 : #include "cert.h"
22 : #include "secerr.h"
23 : #include "ocsp.h"
24 :
25 : #include <sal/config.h>
26 : #include <sal/macros.h>
27 : #include "securityenvironment_nssimpl.hxx"
28 : #include "x509certificate_nssimpl.hxx"
29 : #include <comphelper/servicehelper.hxx>
30 :
31 : #include "xmlsecurity/xmlsec-wrapper.h"
32 :
33 : #include <rtl/ustrbuf.hxx>
34 : #include <comphelper/processfactory.hxx>
35 : #include <comphelper/docpasswordrequest.hxx>
36 : #include <xmlsecurity/biginteger.hxx>
37 : #include <sal/log.hxx>
38 : #include <com/sun/star/task/InteractionHandler.hpp>
39 : #include <vector>
40 : #include <boost/scoped_array.hpp>
41 : #include <osl/thread.h>
42 :
43 : #include "secerror.hxx"
44 :
45 : // added for password exception
46 : #include <com/sun/star/security/NoPasswordException.hpp>
47 : namespace csss = ::com::sun::star::security;
48 : using namespace ::com::sun::star::security;
49 : using namespace com::sun::star;
50 : using namespace ::com::sun::star::uno ;
51 : using namespace ::com::sun::star::lang ;
52 : using ::com::sun::star::lang::XMultiServiceFactory ;
53 : using ::com::sun::star::lang::XSingleServiceFactory ;
54 :
55 : using ::com::sun::star::xml::crypto::XSecurityEnvironment ;
56 : using ::com::sun::star::security::XCertificate ;
57 :
58 : extern X509Certificate_NssImpl* NssCertToXCert( CERTCertificate* cert ) ;
59 : extern X509Certificate_NssImpl* NssPrivKeyToXCert( SECKEYPrivateKey* ) ;
60 :
61 :
62 : struct UsageDescription
63 : {
64 : SECCertificateUsage usage;
65 : char const* description;
66 :
67 0 : UsageDescription()
68 : : usage( certificateUsageCheckAllUsages )
69 0 : , description( NULL )
70 0 : {}
71 :
72 0 : UsageDescription( SECCertificateUsage i_usage, char const* i_description )
73 : : usage( i_usage )
74 0 : , description( i_description )
75 0 : {}
76 : };
77 :
78 :
79 :
80 0 : char* GetPasswordFunction( PK11SlotInfo* pSlot, PRBool bRetry, void* /*arg*/ )
81 : {
82 0 : uno::Reference< uno::XComponentContext > xContext( ::comphelper::getProcessComponentContext() );
83 : uno::Reference < task::XInteractionHandler2 > xInteractionHandler(
84 0 : task::InteractionHandler::createWithParent(xContext, 0) );
85 :
86 0 : task::PasswordRequestMode eMode = bRetry ? task::PasswordRequestMode_PASSWORD_REENTER : task::PasswordRequestMode_PASSWORD_ENTER;
87 : ::comphelper::DocPasswordRequest* pPasswordRequest = new ::comphelper::DocPasswordRequest(
88 0 : ::comphelper::DocPasswordRequestType_STANDARD, eMode, OUString::createFromAscii(PK11_GetTokenName(pSlot)) );
89 :
90 0 : uno::Reference< task::XInteractionRequest > xRequest( pPasswordRequest );
91 0 : xInteractionHandler->handle( xRequest );
92 :
93 0 : if ( pPasswordRequest->isPassword() )
94 : {
95 : OString aPassword(OUStringToOString(
96 : pPasswordRequest->getPassword(),
97 0 : osl_getThreadTextEncoding()));
98 0 : sal_Int32 nLen = aPassword.getLength();
99 0 : char* pPassword = (char*) PORT_Alloc( nLen+1 ) ;
100 0 : pPassword[nLen] = 0;
101 0 : memcpy( pPassword, aPassword.getStr(), nLen );
102 0 : return pPassword;
103 : }
104 0 : return NULL;
105 : }
106 :
107 2 : SecurityEnvironment_NssImpl :: SecurityEnvironment_NssImpl() :
108 2 : m_pHandler( NULL ) , m_tSymKeyList() , m_tPubKeyList() , m_tPriKeyList() {
109 :
110 2 : PK11_SetPasswordFunc( GetPasswordFunction ) ;
111 2 : }
112 :
113 6 : SecurityEnvironment_NssImpl :: ~SecurityEnvironment_NssImpl() {
114 :
115 2 : PK11_SetPasswordFunc( NULL ) ;
116 :
117 2 : for (CIT_SLOTS i = m_Slots.begin(); i != m_Slots.end(); i++)
118 : {
119 0 : PK11_FreeSlot(*i);
120 : }
121 :
122 2 : if( !m_tSymKeyList.empty() ) {
123 0 : std::list< PK11SymKey* >::iterator symKeyIt ;
124 :
125 0 : for( symKeyIt = m_tSymKeyList.begin() ; symKeyIt != m_tSymKeyList.end() ; ++symKeyIt )
126 0 : PK11_FreeSymKey( *symKeyIt ) ;
127 : }
128 :
129 2 : if( !m_tPubKeyList.empty() ) {
130 0 : std::list< SECKEYPublicKey* >::iterator pubKeyIt ;
131 :
132 0 : for( pubKeyIt = m_tPubKeyList.begin() ; pubKeyIt != m_tPubKeyList.end() ; ++pubKeyIt )
133 0 : SECKEY_DestroyPublicKey( *pubKeyIt ) ;
134 : }
135 :
136 2 : if( !m_tPriKeyList.empty() ) {
137 0 : std::list< SECKEYPrivateKey* >::iterator priKeyIt ;
138 :
139 0 : for( priKeyIt = m_tPriKeyList.begin() ; priKeyIt != m_tPriKeyList.end() ; ++priKeyIt )
140 0 : SECKEY_DestroyPrivateKey( *priKeyIt ) ;
141 : }
142 4 : }
143 :
144 : /* XServiceInfo */
145 0 : OUString SAL_CALL SecurityEnvironment_NssImpl :: getImplementationName() throw( RuntimeException, std::exception ) {
146 0 : return impl_getImplementationName() ;
147 : }
148 :
149 : /* XServiceInfo */
150 0 : sal_Bool SAL_CALL SecurityEnvironment_NssImpl :: supportsService( const OUString& serviceName) throw( RuntimeException, std::exception ) {
151 0 : Sequence< OUString > seqServiceNames = getSupportedServiceNames() ;
152 0 : const OUString* pArray = seqServiceNames.getConstArray() ;
153 0 : for( sal_Int32 i = 0 ; i < seqServiceNames.getLength() ; i ++ ) {
154 0 : if( *( pArray + i ) == serviceName )
155 0 : return sal_True ;
156 : }
157 0 : return sal_False ;
158 : }
159 :
160 : /* XServiceInfo */
161 0 : Sequence< OUString > SAL_CALL SecurityEnvironment_NssImpl :: getSupportedServiceNames() throw( RuntimeException, std::exception ) {
162 0 : return impl_getSupportedServiceNames() ;
163 : }
164 :
165 : //Helper for XServiceInfo
166 2 : Sequence< OUString > SecurityEnvironment_NssImpl :: impl_getSupportedServiceNames() {
167 2 : ::osl::Guard< ::osl::Mutex > aGuard( ::osl::Mutex::getGlobalMutex() ) ;
168 2 : Sequence< OUString > seqServiceNames( 1 ) ;
169 2 : seqServiceNames[0] = "com.sun.star.xml.crypto.SecurityEnvironment";
170 2 : return seqServiceNames ;
171 : }
172 :
173 4 : OUString SecurityEnvironment_NssImpl :: impl_getImplementationName() throw( RuntimeException ) {
174 4 : return OUString("com.sun.star.xml.security.bridge.xmlsec.SecurityEnvironment_NssImpl") ;
175 : }
176 :
177 : //Helper for registry
178 2 : Reference< XInterface > SAL_CALL SecurityEnvironment_NssImpl :: impl_createInstance( const Reference< XMultiServiceFactory >& ) throw( RuntimeException ) {
179 2 : return Reference< XInterface >( *new SecurityEnvironment_NssImpl ) ;
180 : }
181 :
182 2 : Reference< XSingleServiceFactory > SecurityEnvironment_NssImpl :: impl_createFactory( const Reference< XMultiServiceFactory >& aServiceManager ) {
183 2 : return ::cppu::createSingleFactory( aServiceManager , impl_getImplementationName() , impl_createInstance , impl_getSupportedServiceNames() ) ;
184 : }
185 :
186 : /* XUnoTunnel */
187 0 : sal_Int64 SAL_CALL SecurityEnvironment_NssImpl :: getSomething( const Sequence< sal_Int8 >& aIdentifier )
188 : throw( RuntimeException, std::exception )
189 : {
190 0 : if( aIdentifier.getLength() == 16 && 0 == memcmp( getUnoTunnelId().getConstArray(), aIdentifier.getConstArray(), 16 ) ) {
191 0 : return sal::static_int_cast<sal_Int64>(reinterpret_cast<sal_uIntPtr>(this));
192 : }
193 0 : return 0 ;
194 : }
195 :
196 : /* XUnoTunnel extension */
197 :
198 : namespace
199 : {
200 : class theSecurityEnvironment_NssImplUnoTunnelId : public rtl::Static< UnoTunnelIdInit, theSecurityEnvironment_NssImplUnoTunnelId > {};
201 : }
202 :
203 0 : const Sequence< sal_Int8>& SecurityEnvironment_NssImpl :: getUnoTunnelId() {
204 0 : return theSecurityEnvironment_NssImplUnoTunnelId::get().getSeq();
205 : }
206 :
207 0 : OUString SecurityEnvironment_NssImpl::getSecurityEnvironmentInformation() throw( ::com::sun::star::uno::RuntimeException, std::exception )
208 : {
209 0 : OUStringBuffer buff;
210 0 : for (CIT_SLOTS is = m_Slots.begin(); is != m_Slots.end(); is++)
211 : {
212 0 : buff.append(OUString::createFromAscii(PK11_GetTokenName(*is)));
213 0 : buff.appendAscii("\n");
214 : }
215 0 : return buff.makeStringAndClear();
216 : }
217 :
218 0 : void SecurityEnvironment_NssImpl::addCryptoSlot( PK11SlotInfo* aSlot) throw( Exception , RuntimeException )
219 : {
220 0 : PK11_ReferenceSlot(aSlot);
221 0 : m_Slots.push_back(aSlot);
222 0 : }
223 :
224 0 : CERTCertDBHandle* SecurityEnvironment_NssImpl :: getCertDb() throw( Exception , RuntimeException ) {
225 0 : return m_pHandler ;
226 : }
227 :
228 : //Could we have multiple cert dbs?
229 0 : void SecurityEnvironment_NssImpl :: setCertDb( CERTCertDBHandle* aCertDb ) throw( Exception , RuntimeException ) {
230 0 : m_pHandler = aCertDb ;
231 0 : }
232 :
233 0 : void SecurityEnvironment_NssImpl :: adoptSymKey( PK11SymKey* aSymKey ) throw( Exception , RuntimeException ) {
234 : PK11SymKey* symkey ;
235 0 : std::list< PK11SymKey* >::iterator keyIt ;
236 :
237 0 : if( aSymKey != NULL ) {
238 : //First try to find the key in the list
239 0 : for( keyIt = m_tSymKeyList.begin() ; keyIt != m_tSymKeyList.end() ; ++keyIt ) {
240 0 : if( *keyIt == aSymKey )
241 0 : return ;
242 : }
243 :
244 : //If we do not find the key in the list, add a new node
245 0 : symkey = PK11_ReferenceSymKey( aSymKey ) ;
246 0 : if( symkey == NULL )
247 0 : throw RuntimeException() ;
248 :
249 : try {
250 0 : m_tSymKeyList.push_back( symkey ) ;
251 0 : } catch ( Exception& ) {
252 0 : PK11_FreeSymKey( symkey ) ;
253 : }
254 : }
255 : }
256 :
257 0 : void SecurityEnvironment_NssImpl :: rejectSymKey( PK11SymKey* aSymKey ) throw( Exception , RuntimeException ) {
258 : PK11SymKey* symkey ;
259 0 : std::list< PK11SymKey* >::iterator keyIt ;
260 :
261 0 : if( aSymKey != NULL ) {
262 0 : for( keyIt = m_tSymKeyList.begin() ; keyIt != m_tSymKeyList.end() ; ++keyIt ) {
263 0 : if( *keyIt == aSymKey ) {
264 0 : symkey = *keyIt ;
265 0 : PK11_FreeSymKey( symkey ) ;
266 0 : m_tSymKeyList.erase( keyIt ) ;
267 0 : break ;
268 : }
269 : }
270 : }
271 0 : }
272 :
273 0 : PK11SymKey* SecurityEnvironment_NssImpl :: getSymKey( unsigned int position ) throw( Exception , RuntimeException ) {
274 : PK11SymKey* symkey ;
275 0 : std::list< PK11SymKey* >::iterator keyIt ;
276 : unsigned int pos ;
277 :
278 0 : symkey = NULL ;
279 0 : for( pos = 0, keyIt = m_tSymKeyList.begin() ; pos < position && keyIt != m_tSymKeyList.end() ; pos ++ , ++keyIt ) ;
280 :
281 0 : if( pos == position && keyIt != m_tSymKeyList.end() )
282 0 : symkey = *keyIt ;
283 :
284 0 : return symkey ;
285 : }
286 :
287 0 : void SecurityEnvironment_NssImpl :: adoptPubKey( SECKEYPublicKey* aPubKey ) throw( Exception , RuntimeException ) {
288 : SECKEYPublicKey* pubkey ;
289 0 : std::list< SECKEYPublicKey* >::iterator keyIt ;
290 :
291 0 : if( aPubKey != NULL ) {
292 : //First try to find the key in the list
293 0 : for( keyIt = m_tPubKeyList.begin() ; keyIt != m_tPubKeyList.end() ; ++keyIt ) {
294 0 : if( *keyIt == aPubKey )
295 0 : return ;
296 : }
297 :
298 : //If we do not find the key in the list, add a new node
299 0 : pubkey = SECKEY_CopyPublicKey( aPubKey ) ;
300 0 : if( pubkey == NULL )
301 0 : throw RuntimeException() ;
302 :
303 : try {
304 0 : m_tPubKeyList.push_back( pubkey ) ;
305 0 : } catch ( Exception& ) {
306 0 : SECKEY_DestroyPublicKey( pubkey ) ;
307 : }
308 : }
309 : }
310 :
311 0 : void SecurityEnvironment_NssImpl :: rejectPubKey( SECKEYPublicKey* aPubKey ) throw( Exception , RuntimeException ) {
312 : SECKEYPublicKey* pubkey ;
313 0 : std::list< SECKEYPublicKey* >::iterator keyIt ;
314 :
315 0 : if( aPubKey != NULL ) {
316 0 : for( keyIt = m_tPubKeyList.begin() ; keyIt != m_tPubKeyList.end() ; ++keyIt ) {
317 0 : if( *keyIt == aPubKey ) {
318 0 : pubkey = *keyIt ;
319 0 : SECKEY_DestroyPublicKey( pubkey ) ;
320 0 : m_tPubKeyList.erase( keyIt ) ;
321 0 : break ;
322 : }
323 : }
324 : }
325 0 : }
326 :
327 0 : SECKEYPublicKey* SecurityEnvironment_NssImpl :: getPubKey( unsigned int position ) throw( Exception , RuntimeException ) {
328 : SECKEYPublicKey* pubkey ;
329 0 : std::list< SECKEYPublicKey* >::iterator keyIt ;
330 : unsigned int pos ;
331 :
332 0 : pubkey = NULL ;
333 0 : for( pos = 0, keyIt = m_tPubKeyList.begin() ; pos < position && keyIt != m_tPubKeyList.end() ; pos ++ , ++keyIt ) ;
334 :
335 0 : if( pos == position && keyIt != m_tPubKeyList.end() )
336 0 : pubkey = *keyIt ;
337 :
338 0 : return pubkey ;
339 : }
340 :
341 0 : void SecurityEnvironment_NssImpl :: adoptPriKey( SECKEYPrivateKey* aPriKey ) throw( Exception , RuntimeException ) {
342 : SECKEYPrivateKey* prikey ;
343 0 : std::list< SECKEYPrivateKey* >::iterator keyIt ;
344 :
345 0 : if( aPriKey != NULL ) {
346 : //First try to find the key in the list
347 0 : for( keyIt = m_tPriKeyList.begin() ; keyIt != m_tPriKeyList.end() ; ++keyIt ) {
348 0 : if( *keyIt == aPriKey )
349 0 : return ;
350 : }
351 :
352 : //If we do not find the key in the list, add a new node
353 0 : prikey = SECKEY_CopyPrivateKey( aPriKey ) ;
354 0 : if( prikey == NULL )
355 0 : throw RuntimeException() ;
356 :
357 : try {
358 0 : m_tPriKeyList.push_back( prikey ) ;
359 0 : } catch ( Exception& ) {
360 0 : SECKEY_DestroyPrivateKey( prikey ) ;
361 : }
362 : }
363 : }
364 :
365 0 : void SecurityEnvironment_NssImpl :: rejectPriKey( SECKEYPrivateKey* aPriKey ) throw( Exception , RuntimeException ) {
366 : SECKEYPrivateKey* prikey ;
367 0 : std::list< SECKEYPrivateKey* >::iterator keyIt ;
368 :
369 0 : if( aPriKey != NULL ) {
370 0 : for( keyIt = m_tPriKeyList.begin() ; keyIt != m_tPriKeyList.end() ; ++keyIt ) {
371 0 : if( *keyIt == aPriKey ) {
372 0 : prikey = *keyIt ;
373 0 : SECKEY_DestroyPrivateKey( prikey ) ;
374 0 : m_tPriKeyList.erase( keyIt ) ;
375 0 : break ;
376 : }
377 : }
378 : }
379 0 : }
380 :
381 0 : SECKEYPrivateKey* SecurityEnvironment_NssImpl :: getPriKey( unsigned int position ) throw( ::com::sun::star::uno::Exception , ::com::sun::star::uno::RuntimeException ) {
382 : SECKEYPrivateKey* prikey ;
383 0 : std::list< SECKEYPrivateKey* >::iterator keyIt ;
384 : unsigned int pos ;
385 :
386 0 : prikey = NULL ;
387 0 : for( pos = 0, keyIt = m_tPriKeyList.begin() ; pos < position && keyIt != m_tPriKeyList.end() ; pos ++ , ++keyIt ) ;
388 :
389 0 : if( pos == position && keyIt != m_tPriKeyList.end() )
390 0 : prikey = *keyIt ;
391 :
392 0 : return prikey ;
393 : }
394 :
395 0 : void SecurityEnvironment_NssImpl::updateSlots()
396 : {
397 : //In case new tokens are present then we can obtain the corresponding slot
398 0 : PK11SlotList * soltList = NULL;
399 0 : PK11SlotListElement * soltEle = NULL;
400 0 : PK11SlotInfo * pSlot = NULL;
401 0 : PK11SymKey * pSymKey = NULL;
402 :
403 0 : osl::MutexGuard guard(m_mutex);
404 :
405 0 : m_Slots.clear();
406 0 : m_tSymKeyList.clear();
407 :
408 0 : soltList = PK11_GetAllTokens( CKM_INVALID_MECHANISM, PR_FALSE, PR_FALSE, NULL ) ;
409 0 : if( soltList != NULL )
410 : {
411 0 : for( soltEle = soltList->head ; soltEle != NULL; soltEle = soltEle->next )
412 : {
413 0 : pSlot = soltEle->slot ;
414 :
415 0 : if(pSlot != NULL)
416 : {
417 : SAL_INFO(
418 : "xmlsecurity.xmlsec",
419 : "Found a slot: SlotName=" << PK11_GetSlotName(pSlot)
420 : << ", TokenName=" << PK11_GetTokenName(pSlot));
421 :
422 : //The following code which is commented out checks if a slot, that is a smart card for example, is
423 : // able to generate a symmetric key of type CKM_DES3_CBC. If this fails then this token
424 : // will not be used. This key is possibly used for the encryption service. However, all
425 : // interfaces and services used for public key signature and encryption are not published
426 : // and the encryption is not used in OOo. Therefore it does not do any harm to remove
427 : // this code, hence allowing smart cards which cannot generate this type of key.
428 : //
429 : // By doing this, the encryption may fail if a smart card is being used which does not
430 : // support this key generation.
431 : //
432 0 : pSymKey = PK11_KeyGen( pSlot , CKM_DES3_CBC, NULL, 128, NULL ) ;
433 : // if( pSymKey == NULL )
434 : // {
435 : // PK11_FreeSlot( pSlot ) ;
436 : // SAL_INFO( "xmlsecurity", "XMLSEC: Error - pSymKey is NULL" );
437 : // continue;
438 : // }
439 0 : addCryptoSlot(pSlot);
440 0 : PK11_FreeSlot( pSlot ) ;
441 0 : pSlot = NULL;
442 :
443 0 : if (pSymKey != NULL)
444 : {
445 0 : adoptSymKey( pSymKey ) ;
446 0 : PK11_FreeSymKey( pSymKey ) ;
447 0 : pSymKey = NULL;
448 : }
449 :
450 : }// end of if(pSlot != NULL)
451 : }// end of for
452 0 : }// end of if( soltList != NULL )
453 :
454 0 : }
455 :
456 :
457 : Sequence< Reference < XCertificate > >
458 0 : SecurityEnvironment_NssImpl::getPersonalCertificates() throw( SecurityException , RuntimeException, std::exception )
459 : {
460 : sal_Int32 length ;
461 : X509Certificate_NssImpl* xcert ;
462 0 : std::list< X509Certificate_NssImpl* > certsList ;
463 :
464 0 : updateSlots();
465 : //firstly, we try to find private keys in slot
466 0 : for (CIT_SLOTS is = m_Slots.begin(); is != m_Slots.end(); is++)
467 : {
468 0 : PK11SlotInfo *slot = *is;
469 : SECKEYPrivateKeyList* priKeyList ;
470 : SECKEYPrivateKeyListNode* curPri ;
471 :
472 0 : if( PK11_NeedLogin(slot ) ) {
473 0 : SECStatus nRet = PK11_Authenticate(slot, PR_TRUE, NULL);
474 : //PK11_Authenticate may fail in case the a slot has not been initialized.
475 : //this is the case if the user has a new profile, so that they have never
476 : //added a personal certificate.
477 0 : if( nRet != SECSuccess && PORT_GetError() != SEC_ERROR_IO) {
478 0 : throw NoPasswordException();
479 : }
480 : }
481 :
482 0 : priKeyList = PK11_ListPrivateKeysInSlot(slot) ;
483 0 : if( priKeyList != NULL )
484 : {
485 0 : for( curPri = PRIVKEY_LIST_HEAD( priKeyList );
486 0 : !PRIVKEY_LIST_END( curPri, priKeyList ) && curPri != NULL ;
487 : curPri = PRIVKEY_LIST_NEXT( curPri ) )
488 : {
489 0 : xcert = NssPrivKeyToXCert( curPri->key ) ;
490 0 : if( xcert != NULL )
491 0 : certsList.push_back( xcert ) ;
492 : }
493 0 : SECKEY_DestroyPrivateKeyList( priKeyList ) ;
494 : }
495 :
496 :
497 : }
498 :
499 : //secondly, we try to find certificate from registered private keys.
500 0 : if( !m_tPriKeyList.empty() ) {
501 0 : std::list< SECKEYPrivateKey* >::iterator priKeyIt ;
502 :
503 0 : for( priKeyIt = m_tPriKeyList.begin() ; priKeyIt != m_tPriKeyList.end() ; ++priKeyIt ) {
504 0 : xcert = NssPrivKeyToXCert( *priKeyIt ) ;
505 0 : if( xcert != NULL )
506 0 : certsList.push_back( xcert ) ;
507 : }
508 : }
509 :
510 0 : length = certsList.size() ;
511 0 : if( length != 0 ) {
512 : int i ;
513 0 : std::list< X509Certificate_NssImpl* >::iterator xcertIt ;
514 0 : Sequence< Reference< XCertificate > > certSeq( length ) ;
515 :
516 0 : for( i = 0, xcertIt = certsList.begin(); xcertIt != certsList.end(); ++xcertIt, ++i ) {
517 0 : certSeq[i] = *xcertIt ;
518 : }
519 :
520 0 : return certSeq ;
521 : }
522 :
523 0 : return Sequence< Reference < XCertificate > > ();
524 : }
525 :
526 0 : Reference< XCertificate > SecurityEnvironment_NssImpl :: getCertificate( const OUString& issuerName, const Sequence< sal_Int8 >& serialNumber ) throw( SecurityException , RuntimeException, std::exception )
527 : {
528 0 : X509Certificate_NssImpl* xcert = NULL;
529 :
530 0 : if( m_pHandler != NULL ) {
531 : CERTIssuerAndSN issuerAndSN ;
532 : CERTCertificate* cert ;
533 : CERTName* nmIssuer ;
534 : char* chIssuer ;
535 : SECItem* derIssuer ;
536 : PRArenaPool* arena ;
537 :
538 0 : arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE ) ;
539 0 : if( arena == NULL )
540 0 : throw RuntimeException() ;
541 :
542 : // Create cert info from issue and serial
543 0 : OString ostr = OUStringToOString( issuerName , RTL_TEXTENCODING_UTF8 ) ;
544 0 : chIssuer = PL_strndup( ( char* )ostr.getStr(), ( int )ostr.getLength() ) ;
545 0 : nmIssuer = CERT_AsciiToName( chIssuer ) ;
546 0 : if( nmIssuer == NULL ) {
547 0 : PL_strfree( chIssuer ) ;
548 0 : PORT_FreeArena( arena, PR_FALSE ) ;
549 0 : return NULL; // no need for exception cf. i40394
550 : }
551 :
552 0 : derIssuer = SEC_ASN1EncodeItem( arena, NULL, ( void* )nmIssuer, SEC_ASN1_GET( CERT_NameTemplate ) ) ;
553 0 : if( derIssuer == NULL ) {
554 0 : PL_strfree( chIssuer ) ;
555 0 : CERT_DestroyName( nmIssuer ) ;
556 0 : PORT_FreeArena( arena, PR_FALSE ) ;
557 0 : throw RuntimeException() ;
558 : }
559 :
560 0 : memset( &issuerAndSN, 0, sizeof( issuerAndSN ) ) ;
561 :
562 0 : issuerAndSN.derIssuer.data = derIssuer->data ;
563 0 : issuerAndSN.derIssuer.len = derIssuer->len ;
564 :
565 0 : issuerAndSN.serialNumber.data = ( unsigned char* )&serialNumber[0] ;
566 0 : issuerAndSN.serialNumber.len = serialNumber.getLength() ;
567 :
568 0 : cert = CERT_FindCertByIssuerAndSN( m_pHandler, &issuerAndSN ) ;
569 0 : if( cert != NULL ) {
570 0 : xcert = NssCertToXCert( cert ) ;
571 : } else {
572 0 : xcert = NULL ;
573 : }
574 :
575 0 : PL_strfree( chIssuer ) ;
576 0 : CERT_DestroyName( nmIssuer ) ;
577 : //SECITEM_FreeItem( derIssuer, PR_FALSE ) ;
578 0 : CERT_DestroyCertificate( cert ) ;
579 0 : PORT_FreeArena( arena, PR_FALSE ) ;
580 : } else {
581 0 : xcert = NULL ;
582 : }
583 :
584 0 : return xcert ;
585 : }
586 :
587 0 : Reference< XCertificate > SecurityEnvironment_NssImpl :: getCertificate( const OUString& issuerName, const OUString& serialNumber ) throw( SecurityException , RuntimeException ) {
588 0 : Sequence< sal_Int8 > serial = numericStringToBigInteger( serialNumber ) ;
589 0 : return getCertificate( issuerName, serial ) ;
590 : }
591 :
592 0 : Sequence< Reference < XCertificate > > SecurityEnvironment_NssImpl :: buildCertificatePath( const Reference< XCertificate >& begin ) throw( SecurityException , RuntimeException, std::exception ) {
593 : const X509Certificate_NssImpl* xcert ;
594 : const CERTCertificate* cert ;
595 : CERTCertList* certChain ;
596 :
597 0 : Reference< XUnoTunnel > xCertTunnel( begin, UNO_QUERY ) ;
598 0 : if( !xCertTunnel.is() ) {
599 0 : throw RuntimeException() ;
600 : }
601 :
602 : xcert = reinterpret_cast<X509Certificate_NssImpl*>(
603 0 : sal::static_int_cast<sal_uIntPtr>(xCertTunnel->getSomething( X509Certificate_NssImpl::getUnoTunnelId() ))) ;
604 0 : if( xcert == NULL ) {
605 0 : throw RuntimeException() ;
606 : }
607 :
608 0 : cert = xcert->getNssCert() ;
609 0 : if( cert != NULL ) {
610 : int64 timeboundary ;
611 :
612 : //Get the system clock time
613 0 : timeboundary = PR_Now() ;
614 :
615 0 : certChain = CERT_GetCertChainFromCert( ( CERTCertificate* )cert, timeboundary, certUsageAnyCA ) ;
616 : } else {
617 0 : certChain = NULL ;
618 : }
619 :
620 0 : if( certChain != NULL ) {
621 : X509Certificate_NssImpl* pCert ;
622 : CERTCertListNode* node ;
623 : int len ;
624 :
625 0 : for( len = 0, node = CERT_LIST_HEAD( certChain ); !CERT_LIST_END( node, certChain ); node = CERT_LIST_NEXT( node ), len ++ ) ;
626 0 : Sequence< Reference< XCertificate > > xCertChain( len ) ;
627 :
628 0 : for( len = 0, node = CERT_LIST_HEAD( certChain ); !CERT_LIST_END( node, certChain ); node = CERT_LIST_NEXT( node ), len ++ ) {
629 0 : pCert = new X509Certificate_NssImpl() ;
630 0 : if( pCert == NULL ) {
631 0 : CERT_DestroyCertList( certChain ) ;
632 0 : throw RuntimeException() ;
633 : }
634 :
635 0 : pCert->setCert( node->cert ) ;
636 :
637 0 : xCertChain[len] = pCert ;
638 : }
639 :
640 0 : CERT_DestroyCertList( certChain ) ;
641 :
642 0 : return xCertChain ;
643 : }
644 :
645 0 : return Sequence< Reference < XCertificate > >();
646 : }
647 :
648 0 : Reference< XCertificate > SecurityEnvironment_NssImpl :: createCertificateFromRaw( const Sequence< sal_Int8 >& rawCertificate ) throw( SecurityException , RuntimeException, std::exception ) {
649 : X509Certificate_NssImpl* xcert ;
650 :
651 0 : if( rawCertificate.getLength() > 0 ) {
652 0 : xcert = new X509Certificate_NssImpl() ;
653 0 : if( xcert == NULL )
654 0 : throw RuntimeException() ;
655 :
656 0 : xcert->setRawCert( rawCertificate ) ;
657 : } else {
658 0 : xcert = NULL ;
659 : }
660 :
661 0 : return xcert ;
662 : }
663 :
664 0 : Reference< XCertificate > SecurityEnvironment_NssImpl :: createCertificateFromAscii( const OUString& asciiCertificate ) throw( SecurityException , RuntimeException, std::exception )
665 : {
666 0 : OString oscert = OUStringToOString( asciiCertificate , RTL_TEXTENCODING_ASCII_US ) ;
667 0 : xmlChar* chCert = xmlStrndup( ( const xmlChar* )oscert.getStr(), ( int )oscert.getLength() ) ;
668 0 : int certSize = xmlSecBase64Decode( chCert, ( xmlSecByte* )chCert, xmlStrlen( chCert ) ) ;
669 0 : if (certSize > 0)
670 : {
671 0 : Sequence< sal_Int8 > rawCert(certSize) ;
672 0 : for (int i = 0 ; i < certSize; ++i)
673 0 : rawCert[i] = *( chCert + i ) ;
674 :
675 0 : xmlFree( chCert ) ;
676 :
677 0 : return createCertificateFromRaw( rawCert ) ;
678 : }
679 : else
680 : {
681 0 : return NULL;
682 0 : }
683 : }
684 :
685 0 : sal_Int32 SecurityEnvironment_NssImpl ::
686 : verifyCertificate( const Reference< csss::XCertificate >& aCert,
687 : const Sequence< Reference< csss::XCertificate > >& intermediateCerts )
688 : throw( ::com::sun::star::uno::SecurityException, ::com::sun::star::uno::RuntimeException, std::exception )
689 : {
690 0 : sal_Int32 validity = csss::CertificateValidity::INVALID;
691 : const X509Certificate_NssImpl* xcert ;
692 : const CERTCertificate* cert ;
693 0 : ::std::vector<CERTCertificate*> vecTmpNSSCertificates;
694 0 : Reference< XUnoTunnel > xCertTunnel( aCert, UNO_QUERY ) ;
695 0 : if( !xCertTunnel.is() ) {
696 0 : throw RuntimeException() ;
697 : }
698 :
699 : SAL_INFO("xmlsecurity.xmlsec", "Start verification of certificate: " << aCert->getSubjectName());
700 :
701 : xcert = reinterpret_cast<X509Certificate_NssImpl*>(
702 0 : sal::static_int_cast<sal_uIntPtr>(xCertTunnel->getSomething( X509Certificate_NssImpl::getUnoTunnelId() ))) ;
703 0 : if( xcert == NULL ) {
704 0 : throw RuntimeException() ;
705 : }
706 :
707 : //CERT_PKIXVerifyCert does not take a db as argument. It will therefore
708 : //internally use CERT_GetDefaultCertDB
709 : //Make sure m_pHandler is the default DB
710 : OSL_ASSERT(m_pHandler == CERT_GetDefaultCertDB());
711 0 : CERTCertDBHandle * certDb = m_pHandler != NULL ? m_pHandler : CERT_GetDefaultCertDB();
712 0 : cert = xcert->getNssCert() ;
713 0 : if( cert != NULL )
714 : {
715 :
716 : //prepare the intermediate certificates
717 0 : for (sal_Int32 i = 0; i < intermediateCerts.getLength(); i++)
718 : {
719 0 : Sequence<sal_Int8> der = intermediateCerts[i]->getEncoded();
720 : SECItem item;
721 0 : item.type = siBuffer;
722 0 : item.data = (unsigned char*)der.getArray();
723 0 : item.len = der.getLength();
724 :
725 : CERTCertificate* certTmp = CERT_NewTempCertificate(certDb, &item,
726 : NULL /* nickname */,
727 : PR_FALSE /* isPerm */,
728 0 : PR_TRUE /* copyDER */);
729 0 : if (!certTmp)
730 : {
731 : SAL_INFO("xmlsecurity.xmlsec", "Failed to add a temporary certificate: " << intermediateCerts[i]->getIssuerName());
732 :
733 : }
734 : else
735 : {
736 : SAL_INFO("xmlsecurity.xmlsec", "Added temporary certificate: " <<
737 : (certTmp->subjectName ? certTmp->subjectName : ""));
738 0 : vecTmpNSSCertificates.push_back(certTmp);
739 : }
740 0 : }
741 :
742 :
743 : SECStatus status ;
744 :
745 : CERTVerifyLog log;
746 0 : log.arena = PORT_NewArena(512);
747 0 : log.head = log.tail = NULL;
748 0 : log.count = 0;
749 :
750 0 : CERT_EnableOCSPChecking(certDb);
751 0 : CERT_DisableOCSPDefaultResponder(certDb);
752 : CERTValOutParam cvout[5];
753 : CERTValInParam cvin[3];
754 0 : int ncvinCount=0;
755 :
756 : #if ( NSS_VMAJOR > 3 ) || ( NSS_VMAJOR == 3 && NSS_VMINOR > 12 ) || ( NSS_VMAJOR == 3 && NSS_VMINOR == 12 && NSS_VPATCH > 0 )
757 0 : cvin[ncvinCount].type = cert_pi_useAIACertFetch;
758 0 : cvin[ncvinCount].value.scalar.b = PR_TRUE;
759 0 : ncvinCount++;
760 : #endif
761 :
762 : PRUint64 revFlagsLeaf[2];
763 : PRUint64 revFlagsChain[2];
764 : CERTRevocationFlags rev;
765 0 : rev.leafTests.number_of_defined_methods = 2;
766 0 : rev.leafTests.cert_rev_flags_per_method = revFlagsLeaf;
767 : //the flags are defined in cert.h
768 : //We check both leaf and chain.
769 : //It is enough if one revocation method has fresh info,
770 : //but at least one must have some. Otherwise validation fails.
771 : //!!! using leaf test and CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE
772 : // when validating a root certificate will result in "revoked". Usually
773 : //there is no revocation information available for the root cert because
774 : //it must be trusted anyway and it does itself issue revocation information.
775 : //When we use the flag here and OOo shows the certification path then the root
776 : //cert is invalid while all other can be valid. It would probably best if
777 : //this interface method returned the whole chain.
778 : //Otherwise we need to check if the certificate is self-signed and if it is
779 : //then not use the flag when doing the leaf-test.
780 0 : rev.leafTests.cert_rev_flags_per_method[cert_revocation_method_crl] =
781 : CERT_REV_M_TEST_USING_THIS_METHOD
782 0 : | CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE;
783 0 : rev.leafTests.cert_rev_flags_per_method[cert_revocation_method_ocsp] =
784 : CERT_REV_M_TEST_USING_THIS_METHOD
785 0 : | CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE;
786 0 : rev.leafTests.number_of_preferred_methods = 0;
787 0 : rev.leafTests.preferred_methods = NULL;
788 : rev.leafTests.cert_rev_method_independent_flags =
789 0 : CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST;
790 :
791 0 : rev.chainTests.number_of_defined_methods = 2;
792 0 : rev.chainTests.cert_rev_flags_per_method = revFlagsChain;
793 0 : rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_crl] =
794 : CERT_REV_M_TEST_USING_THIS_METHOD
795 0 : | CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE;
796 0 : rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_ocsp] =
797 : CERT_REV_M_TEST_USING_THIS_METHOD
798 0 : | CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE;
799 0 : rev.chainTests.number_of_preferred_methods = 0;
800 0 : rev.chainTests.preferred_methods = NULL;
801 : rev.chainTests.cert_rev_method_independent_flags =
802 0 : CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST;
803 :
804 :
805 0 : cvin[ncvinCount].type = cert_pi_revocationFlags;
806 0 : cvin[ncvinCount].value.pointer.revocation = &rev;
807 0 : ncvinCount++;
808 : // does not work, not implemented yet in 3.12.4
809 : // cvin[ncvinCount].type = cert_pi_keyusage;
810 : // cvin[ncvinCount].value.scalar.ui = KU_DIGITAL_SIGNATURE;
811 : // ncvinCount++;
812 0 : cvin[ncvinCount].type = cert_pi_end;
813 :
814 0 : cvout[0].type = cert_po_trustAnchor;
815 0 : cvout[0].value.pointer.cert = NULL;
816 0 : cvout[1].type = cert_po_errorLog;
817 0 : cvout[1].value.pointer.log = &log;
818 0 : cvout[2].type = cert_po_end;
819 :
820 : // We check SSL server certificates, CA certificates and signing sertificates.
821 : //
822 : // ToDo check keyusage, looking at CERT_KeyUsageAndTypeForCertUsage (
823 : // mozilla/security/nss/lib/certdb/certdb.c indicates that
824 : // certificateUsageSSLClient, certificateUsageSSLServer and certificateUsageSSLCA
825 : // are sufficient. They cover the key usages for digital signature, key agreement
826 : // and encipherment and certificate signature
827 :
828 : //never use the following usages because they are not checked properly
829 : // certificateUsageUserCertImport
830 : // certificateUsageVerifyCA
831 : // certificateUsageAnyCA
832 : // certificateUsageProtectedObjectSigner
833 :
834 0 : UsageDescription arUsages[5];
835 0 : arUsages[0] = UsageDescription( certificateUsageSSLClient, "certificateUsageSSLClient" );
836 0 : arUsages[1] = UsageDescription( certificateUsageSSLServer, "certificateUsageSSLServer" );
837 0 : arUsages[2] = UsageDescription( certificateUsageSSLCA, "certificateUsageSSLCA" );
838 0 : arUsages[3] = UsageDescription( certificateUsageEmailSigner, "certificateUsageEmailSigner" );
839 0 : arUsages[4] = UsageDescription( certificateUsageEmailRecipient, "certificateUsageEmailRecipient" );
840 :
841 0 : int numUsages = SAL_N_ELEMENTS(arUsages);
842 0 : for (int i = 0; i < numUsages; i++)
843 : {
844 : SAL_INFO("xmlsecurity.xmlsec", "Testing usage " << i+1 <<
845 : " of " << numUsages << ": " <<
846 : arUsages[i].description <<
847 : " (0x" << std::hex << (int) arUsages[i].usage << ")" << std::dec);
848 :
849 : status = CERT_PKIXVerifyCert(const_cast<CERTCertificate *>(cert), arUsages[i].usage,
850 0 : cvin, cvout, NULL);
851 0 : if( status == SECSuccess )
852 : {
853 : SAL_INFO("xmlsecurity.xmlsec", "CERT_PKIXVerifyCert returned SECSuccess.");
854 : //When an intermediate or root certificate is checked then we expect the usage
855 : //certificateUsageSSLCA. This, however, will be only set when in the trust settings dialog
856 : //the button "This certificate can identify websites" is checked. If for example only
857 : //"This certificate can identify mail users" is set then the end certificate can
858 : //be validated and the returned usage will conain certificateUsageEmailRecipient.
859 : //But checking directly the root or intermediate certificate will fail. In the
860 : //certificate path view the end certificate will be shown as valid but the others
861 : //will be displayed as invalid.
862 :
863 0 : validity = csss::CertificateValidity::VALID;
864 : SAL_INFO("xmlsecurity.xmlsec", "Certificate is valid.");
865 0 : CERTCertificate * issuerCert = cvout[0].value.pointer.cert;
866 0 : if (issuerCert)
867 : {
868 : SAL_INFO("xmlsecurity.xmlsec", "Root certificate: " << issuerCert->subjectName);
869 0 : CERT_DestroyCertificate(issuerCert);
870 : };
871 :
872 0 : break;
873 : }
874 : else
875 : {
876 0 : PRIntn err = PR_GetError();
877 : SAL_INFO("xmlsecurity.xmlsec", "Error: " << err << ": " << getCertError(err));
878 :
879 : /* Display validation results */
880 0 : if ( log.count > 0)
881 : {
882 0 : CERTVerifyLogNode *node = NULL;
883 0 : printChainFailure(&log);
884 :
885 0 : for (node = log.head; node; node = node->next) {
886 0 : if (node->cert)
887 0 : CERT_DestroyCertificate(node->cert);
888 : }
889 0 : log.head = log.tail = NULL;
890 0 : log.count = 0;
891 : }
892 : SAL_INFO("xmlsecurity.xmlsec", "Certificate is invalid.");
893 : }
894 : }
895 :
896 : }
897 : else
898 : {
899 0 : validity = ::com::sun::star::security::CertificateValidity::INVALID ;
900 : }
901 :
902 : //Destroying the temporary certificates
903 0 : std::vector<CERTCertificate*>::const_iterator cert_i;
904 0 : for (cert_i = vecTmpNSSCertificates.begin(); cert_i != vecTmpNSSCertificates.end(); ++cert_i)
905 : {
906 : SAL_INFO("xmlsecurity.xmlsec", "Destroying temporary certificate");
907 0 : CERT_DestroyCertificate(*cert_i);
908 : }
909 0 : return validity ;
910 : }
911 :
912 0 : sal_Int32 SecurityEnvironment_NssImpl::getCertificateCharacters(
913 : const ::com::sun::star::uno::Reference< ::com::sun::star::security::XCertificate >& aCert ) throw( ::com::sun::star::uno::SecurityException, ::com::sun::star::uno::RuntimeException, std::exception ) {
914 : sal_Int32 characters ;
915 : const X509Certificate_NssImpl* xcert ;
916 : const CERTCertificate* cert ;
917 :
918 0 : Reference< XUnoTunnel > xCertTunnel( aCert, UNO_QUERY ) ;
919 0 : if( !xCertTunnel.is() ) {
920 0 : throw RuntimeException() ;
921 : }
922 :
923 : xcert = reinterpret_cast<X509Certificate_NssImpl*>(
924 0 : sal::static_int_cast<sal_uIntPtr>(xCertTunnel->getSomething( X509Certificate_NssImpl::getUnoTunnelId() ))) ;
925 0 : if( xcert == NULL ) {
926 0 : throw RuntimeException() ;
927 : }
928 :
929 0 : cert = xcert->getNssCert() ;
930 :
931 0 : characters = 0x00000000 ;
932 :
933 : //Firstly, find out whether or not the cert is self-signed.
934 0 : if( SECITEM_CompareItem( &(cert->derIssuer), &(cert->derSubject) ) == SECEqual ) {
935 0 : characters |= ::com::sun::star::security::CertificateCharacters::SELF_SIGNED ;
936 : } else {
937 0 : characters &= ~ ::com::sun::star::security::CertificateCharacters::SELF_SIGNED ;
938 : }
939 :
940 : //Secondly, find out whether or not the cert has a private key.
941 :
942 : /*
943 : * i40394
944 : *
945 : * mmi : need to check whether the cert's slot is valid first
946 : */
947 0 : SECKEYPrivateKey* priKey = NULL;
948 :
949 0 : if (cert->slot != NULL)
950 : {
951 0 : priKey = PK11_FindPrivateKeyFromCert( cert->slot, ( CERTCertificate* )cert, NULL ) ;
952 : }
953 0 : if(priKey == NULL)
954 : {
955 0 : for (CIT_SLOTS is = m_Slots.begin(); is != m_Slots.end(); is++)
956 : {
957 0 : priKey = PK11_FindPrivateKeyFromCert(*is, (CERTCertificate*)cert, NULL);
958 0 : if (priKey)
959 0 : break;
960 : }
961 : }
962 0 : if( priKey != NULL ) {
963 0 : characters |= ::com::sun::star::security::CertificateCharacters::HAS_PRIVATE_KEY ;
964 :
965 0 : SECKEY_DestroyPrivateKey( priKey ) ;
966 : } else {
967 0 : characters &= ~ ::com::sun::star::security::CertificateCharacters::HAS_PRIVATE_KEY ;
968 : }
969 :
970 0 : return characters ;
971 : }
972 :
973 0 : X509Certificate_NssImpl* NssCertToXCert( CERTCertificate* cert )
974 : {
975 : X509Certificate_NssImpl* xcert ;
976 :
977 0 : if( cert != NULL ) {
978 0 : xcert = new X509Certificate_NssImpl() ;
979 0 : if( xcert == NULL ) {
980 0 : xcert = NULL ;
981 : } else {
982 0 : xcert->setCert( cert ) ;
983 : }
984 : } else {
985 0 : xcert = NULL ;
986 : }
987 :
988 0 : return xcert ;
989 : }
990 :
991 0 : X509Certificate_NssImpl* NssPrivKeyToXCert( SECKEYPrivateKey* priKey )
992 : {
993 : CERTCertificate* cert ;
994 : X509Certificate_NssImpl* xcert ;
995 :
996 0 : if( priKey != NULL ) {
997 0 : cert = PK11_GetCertFromPrivateKey( priKey ) ;
998 :
999 0 : if( cert != NULL ) {
1000 0 : xcert = NssCertToXCert( cert ) ;
1001 : } else {
1002 0 : xcert = NULL ;
1003 : }
1004 :
1005 0 : CERT_DestroyCertificate( cert ) ;
1006 : } else {
1007 0 : xcert = NULL ;
1008 : }
1009 :
1010 0 : return xcert ;
1011 : }
1012 :
1013 :
1014 : /* Native methods */
1015 0 : xmlSecKeysMngrPtr SecurityEnvironment_NssImpl::createKeysManager() throw( Exception, RuntimeException ) {
1016 :
1017 : unsigned int i ;
1018 0 : CERTCertDBHandle* handler = NULL ;
1019 0 : PK11SymKey* symKey = NULL ;
1020 0 : SECKEYPublicKey* pubKey = NULL ;
1021 0 : SECKEYPrivateKey* priKey = NULL ;
1022 0 : xmlSecKeysMngrPtr pKeysMngr = NULL ;
1023 :
1024 0 : handler = this->getCertDb() ;
1025 :
1026 : /*-
1027 : * The following lines is based on the private version of xmlSec-NSS
1028 : * crypto engine
1029 : */
1030 0 : int cSlots = m_Slots.size();
1031 0 : boost::scoped_array<PK11SlotInfo*> sarSlots(new PK11SlotInfo*[cSlots]);
1032 0 : PK11SlotInfo** slots = sarSlots.get();
1033 0 : int count = 0;
1034 0 : for (CIT_SLOTS islots = m_Slots.begin();islots != m_Slots.end(); islots++, count++)
1035 0 : slots[count] = *islots;
1036 :
1037 0 : pKeysMngr = xmlSecNssAppliedKeysMngrCreate(slots, cSlots, handler ) ;
1038 0 : if( pKeysMngr == NULL )
1039 0 : throw RuntimeException() ;
1040 :
1041 : /*-
1042 : * Adopt symmetric key into keys manager
1043 : */
1044 0 : for( i = 0 ; ( symKey = this->getSymKey( i ) ) != NULL ; i ++ ) {
1045 0 : if( xmlSecNssAppliedKeysMngrSymKeyLoad( pKeysMngr, symKey ) < 0 ) {
1046 0 : throw RuntimeException() ;
1047 : }
1048 : }
1049 :
1050 : /*-
1051 : * Adopt asymmetric public key into keys manager
1052 : */
1053 0 : for( i = 0 ; ( pubKey = this->getPubKey( i ) ) != NULL ; i ++ ) {
1054 0 : if( xmlSecNssAppliedKeysMngrPubKeyLoad( pKeysMngr, pubKey ) < 0 ) {
1055 0 : throw RuntimeException() ;
1056 : }
1057 : }
1058 :
1059 : /*-
1060 : * Adopt asymmetric private key into keys manager
1061 : */
1062 0 : for( i = 0 ; ( priKey = this->getPriKey( i ) ) != NULL ; i ++ ) {
1063 0 : if( xmlSecNssAppliedKeysMngrPriKeyLoad( pKeysMngr, priKey ) < 0 ) {
1064 0 : throw RuntimeException() ;
1065 : }
1066 : }
1067 0 : return pKeysMngr ;
1068 : }
1069 0 : void SecurityEnvironment_NssImpl::destroyKeysManager(xmlSecKeysMngrPtr pKeysMngr) throw( Exception, RuntimeException ) {
1070 0 : if( pKeysMngr != NULL ) {
1071 0 : xmlSecKeysMngrDestroy( pKeysMngr ) ;
1072 : }
1073 0 : }
1074 :
1075 : /* vim:set shiftwidth=4 softtabstop=4 expandtab: */
|
