1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: t; c-basic-offset: 8 -*- */
2 /* The following is the mozilla license blurb, as the bodies some of
3 * these functions were derived from the mozilla source. */
4 /*
5 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
6 *
7 * The contents of this file are subject to the Mozilla Public License Version
8 * 1.1 (the "License"); you may not use this file except in compliance with
9 * the License. You may obtain a copy of the License at
10 * http://www.mozilla.org/MPL/
11 *
12 * Software distributed under the License is distributed on an "AS IS" basis,
13 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
14 * for the specific language governing rights and limitations under the
15 * License.
16 *
17 * The Original Code is the Netscape security libraries.
18 *
19 * The Initial Developer of the Original Code is
20 * Netscape Communications Corporation.
21 * Portions created by the Initial Developer are Copyright (C) 1994-2000
22 * the Initial Developer. All Rights Reserved.
23 *
24 * Alternatively, the contents of this file may be used under the terms of
25 * either the GNU General Public License Version 2 or later (the "GPL"), or
26 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
27 * in which case the provisions of the GPL or the LGPL are applicable instead
28 * of those above. If you wish to allow use of your version of this file only
29 * under the terms of either the GPL or the LGPL, and not to allow others to
30 * use your version of this file under the terms of the MPL, indicate your
31 * decision by deleting the provisions above and replace them with the notice
32 * and other provisions required by the GPL or the LGPL. If you do not delete
33 * the provisions above, a recipient may use your version of this file under
34 * the terms of any one of the MPL, the GPL or the LGPL.
35 */
36
37 /*
38 * Author: Chris Toshok (toshok@ximian.com)
39 *
40 * Copyright (C) 1999-2008 Novell, Inc. (www.novell.com)
41 */
42
43 #include "evolution-config.h"
44
45 #include <time.h>
46
47 #include <glib/gi18n.h>
48
49 /* for e_utf8_strftime, what about e_time_format_time? */
50 #include <e-util/e-util.h>
51
52 #include "e-cert.h"
53 #include "e-cert-trust.h"
54 #include "pk11func.h"
55 #include "certdb.h"
56 #include "hasht.h"
57
58 /* XXX Hack to disable p11-kit's pkcs11.h header, since
59 * NSS headers supply the same PKCS #11 definitions. */
60 #define PKCS11_H 1
61
62 /* XXX Yeah, yeah */
63 #define GCR_API_SUBJECT_TO_CHANGE
64
65 #include <gcr/gcr-base.h>
66
67 #define E_CERT_GET_PRIVATE(obj) \
68 (G_TYPE_INSTANCE_GET_PRIVATE \
69 ((obj), E_TYPE_CERT, ECertPrivate))
70
71 struct _ECertPrivate {
72 CERTCertificate *cert;
73
74 /* pointers we cache since the nss implementation allocs the
75 * string */
76 gchar *org_name;
77 gchar *org_unit_name;
78 gchar *cn;
79
80 gchar *issuer_org_name;
81 gchar *issuer_org_unit_name;
82 gchar *issuer_cn;
83
84 PRTime issued_on;
85 PRTime expires_on;
86
87 gchar *issued_on_string;
88 gchar *expires_on_string;
89
90 gchar *serial_number;
91
92 gchar *usage_string;
93
94 gchar *sha256_fingerprint;
95 gchar *sha1_fingerprint;
96 gchar *md5_fingerprint;
97
98 gboolean delete;
99 };
100
101 /* Forward Declarations */
102 static void e_cert_gcr_certificate_init
103 (GcrCertificateIface *iface);
104
G_DEFINE_TYPE_WITH_CODE(ECert,e_cert,G_TYPE_OBJECT,GCR_CERTIFICATE_MIXIN_IMPLEMENT_COMPARABLE ()G_IMPLEMENT_INTERFACE (GCR_TYPE_CERTIFICATE,e_cert_gcr_certificate_init))105 G_DEFINE_TYPE_WITH_CODE (
106 ECert,
107 e_cert,
108 G_TYPE_OBJECT,
109 GCR_CERTIFICATE_MIXIN_IMPLEMENT_COMPARABLE ()
110 G_IMPLEMENT_INTERFACE (
111 GCR_TYPE_CERTIFICATE,
112 e_cert_gcr_certificate_init))
113
114 static void
115 e_cert_finalize (GObject *object)
116 {
117 ECertPrivate *priv;
118
119 priv = E_CERT_GET_PRIVATE (object);
120
121 if (priv->org_name)
122 PORT_Free (priv->org_name);
123 if (priv->org_unit_name)
124 PORT_Free (priv->org_unit_name);
125 if (priv->cn)
126 PORT_Free (priv->cn);
127
128 if (priv->issuer_org_name)
129 PORT_Free (priv->issuer_org_name);
130 if (priv->issuer_org_unit_name)
131 PORT_Free (priv->issuer_org_unit_name);
132 if (priv->issuer_cn)
133 PORT_Free (priv->issuer_cn);
134
135 if (priv->issued_on_string)
136 PORT_Free (priv->issued_on_string);
137 if (priv->expires_on_string)
138 PORT_Free (priv->expires_on_string);
139 if (priv->serial_number)
140 PORT_Free (priv->serial_number);
141
142 g_free (priv->usage_string);
143
144 if (priv->sha256_fingerprint)
145 PORT_Free (priv->sha256_fingerprint);
146 if (priv->sha1_fingerprint)
147 PORT_Free (priv->sha1_fingerprint);
148 if (priv->md5_fingerprint)
149 PORT_Free (priv->md5_fingerprint);
150
151 if (priv->delete) {
152 printf ("attempting to delete cert marked for deletion\n");
153 if (e_cert_get_cert_type (E_CERT (object)) == E_CERT_USER) {
154 PK11_DeleteTokenCertAndKey (priv->cert, NULL);
155 } else if (!PK11_IsReadOnly (priv->cert->slot)) {
156 /* If the list of built-ins does contain a non-removable
157 * copy of this certificate, our call will not remove
158 * the certificate permanently, but rather remove all trust. */
159 SEC_DeletePermCertificate (priv->cert);
160 }
161 }
162
163 if (priv->cert)
164 CERT_DestroyCertificate (priv->cert);
165
166 /* Chain up to parent's finalize() method. */
167 G_OBJECT_CLASS (e_cert_parent_class)->finalize (object);
168 }
169
170 static const guchar *
cert_get_der_data(GcrCertificate * certificate,gsize * n_data)171 cert_get_der_data (GcrCertificate *certificate,
172 gsize *n_data)
173 {
174 ECertPrivate *priv = E_CERT_GET_PRIVATE (certificate);
175
176 *n_data = priv->cert->derCert.len;
177
178 return priv->cert->derCert.data;
179 }
180
181 static void
e_cert_class_init(ECertClass * class)182 e_cert_class_init (ECertClass *class)
183 {
184 GObjectClass *object_class;
185
186 g_type_class_add_private (class, sizeof (ECertPrivate));
187
188 object_class = G_OBJECT_CLASS (class);
189 object_class->get_property = gcr_certificate_mixin_get_property;
190 object_class->finalize = e_cert_finalize;
191
192 gcr_certificate_mixin_class_init (object_class);
193 }
194
195 static void
e_cert_gcr_certificate_init(GcrCertificateIface * iface)196 e_cert_gcr_certificate_init (GcrCertificateIface *iface)
197 {
198 iface->get_der_data = cert_get_der_data;
199 }
200
201 static void
e_cert_init(ECert * ec)202 e_cert_init (ECert *ec)
203 {
204 ec->priv = E_CERT_GET_PRIVATE (ec);
205 }
206
207 static void
e_cert_populate(ECert * cert)208 e_cert_populate (ECert *cert)
209 {
210 CERTCertificate *c = cert->priv->cert;
211 guchar fingerprint[MAX (SHA256_LENGTH, MAX (SHA1_LENGTH, MD5_LENGTH)) + 1];
212 SECItem fpItem;
213
214 cert->priv->org_name = CERT_GetOrgName (&c->subject);
215 cert->priv->org_unit_name = CERT_GetOrgUnitName (&c->subject);
216
217 cert->priv->issuer_org_name = CERT_GetOrgName (&c->issuer);
218 cert->priv->issuer_org_unit_name = CERT_GetOrgUnitName (&c->issuer);
219
220 cert->priv->cn = CERT_GetCommonName (&c->subject);
221 cert->priv->issuer_cn = CERT_GetCommonName (&c->issuer);
222
223 if (SECSuccess == CERT_GetCertTimes (
224 c, &cert->priv->issued_on, &cert->priv->expires_on)) {
225 PRExplodedTime explodedTime;
226 struct tm exploded_tm;
227
228 memset (&exploded_tm, 0, sizeof (struct tm));
229
230 PR_ExplodeTime (
231 cert->priv->issued_on,
232 PR_LocalTimeParameters, &explodedTime);
233 exploded_tm.tm_sec = explodedTime.tm_sec;
234 exploded_tm.tm_min = explodedTime.tm_min;
235 exploded_tm.tm_hour = explodedTime.tm_hour;
236 exploded_tm.tm_mday = explodedTime.tm_mday;
237 exploded_tm.tm_mon = explodedTime.tm_month;
238 exploded_tm.tm_year = explodedTime.tm_year - 1900;
239 cert->priv->issued_on_string = e_datetime_format_format_tm ("mail", "table", DTFormatKindDate, &exploded_tm);
240
241 PR_ExplodeTime (
242 cert->priv->expires_on,
243 PR_LocalTimeParameters, &explodedTime);
244 exploded_tm.tm_sec = explodedTime.tm_sec;
245 exploded_tm.tm_min = explodedTime.tm_min;
246 exploded_tm.tm_hour = explodedTime.tm_hour;
247 exploded_tm.tm_mday = explodedTime.tm_mday;
248 exploded_tm.tm_mon = explodedTime.tm_month;
249 exploded_tm.tm_year = explodedTime.tm_year - 1900;
250 cert->priv->expires_on_string = e_datetime_format_format_tm ("mail", "table", DTFormatKindDate, &exploded_tm);
251 }
252
253 cert->priv->serial_number = CERT_Hexify (&cert->priv->cert->serialNumber, TRUE);
254
255 memset (fingerprint, 0, sizeof fingerprint);
256 PK11_HashBuf (
257 SEC_OID_SHA256, fingerprint,
258 cert->priv->cert->derCert.data,
259 cert->priv->cert->derCert.len);
260 fpItem.data = fingerprint;
261 fpItem.len = SHA256_LENGTH;
262 cert->priv->sha256_fingerprint = CERT_Hexify (&fpItem, TRUE);
263
264 memset (fingerprint, 0, sizeof fingerprint);
265 PK11_HashBuf (
266 SEC_OID_SHA1, fingerprint,
267 cert->priv->cert->derCert.data,
268 cert->priv->cert->derCert.len);
269 fpItem.data = fingerprint;
270 fpItem.len = SHA1_LENGTH;
271 cert->priv->sha1_fingerprint = CERT_Hexify (&fpItem, TRUE);
272
273 memset (fingerprint, 0, sizeof fingerprint);
274 PK11_HashBuf (
275 SEC_OID_MD5, fingerprint,
276 cert->priv->cert->derCert.data,
277 cert->priv->cert->derCert.len);
278 fpItem.data = fingerprint;
279 fpItem.len = MD5_LENGTH;
280 cert->priv->md5_fingerprint = CERT_Hexify (&fpItem, TRUE);
281 }
282
283 ECert *
e_cert_new(CERTCertificate * cert)284 e_cert_new (CERTCertificate *cert)
285 {
286 ECert *ecert = E_CERT (g_object_new (E_TYPE_CERT, NULL));
287
288 /* ECert owns a reference to the 'cert', which will be freed on ECert finalize */
289 ecert->priv->cert = cert;
290
291 e_cert_populate (ecert);
292
293 return ecert;
294 }
295
296 ECert *
e_cert_new_from_der(gchar * data,guint32 len)297 e_cert_new_from_der (gchar *data,
298 guint32 len)
299 {
300 CERTCertificate *cert = CERT_DecodeCertFromPackage (data, len);
301
302 if (!cert)
303 return NULL;
304
305 if (cert->dbhandle == NULL)
306 cert->dbhandle = CERT_GetDefaultCertDB ();
307
308 return e_cert_new (cert);
309 }
310
311 CERTCertificate *
e_cert_get_internal_cert(ECert * cert)312 e_cert_get_internal_cert (ECert *cert)
313 {
314 /* XXX should this refcnt it? */
315 return cert->priv->cert;
316 }
317
318 gboolean
e_cert_get_raw_der(ECert * cert,gchar ** data,guint32 * len)319 e_cert_get_raw_der (ECert *cert,
320 gchar **data,
321 guint32 *len)
322 {
323 /* XXX do we really need to check if cert->priv->cert is NULL
324 * here? it should always be non - null if we have the
325 * ECert.. */
326 if (cert->priv->cert) {
327 *data = (gchar *)cert->priv->cert->derCert.data;
328 *len = (guint32)cert->priv->cert->derCert.len;
329 return TRUE;
330 }
331
332 *len = 0;
333 return FALSE;
334
335 }
336
337 const gchar *
e_cert_get_nickname(ECert * cert)338 e_cert_get_nickname (ECert *cert)
339 {
340 return cert->priv->cert->nickname;
341 }
342
343 const gchar *
e_cert_get_email(ECert * cert)344 e_cert_get_email (ECert *cert)
345 {
346 return cert->priv->cert->emailAddr;
347 }
348
349 const gchar *
e_cert_get_org(ECert * cert)350 e_cert_get_org (ECert *cert)
351 {
352 return cert->priv->org_name;
353 }
354
355 const gchar *
e_cert_get_org_unit(ECert * cert)356 e_cert_get_org_unit (ECert *cert)
357 {
358 return cert->priv->org_unit_name;
359 }
360
361 const gchar *
e_cert_get_cn(ECert * cert)362 e_cert_get_cn (ECert *cert)
363 {
364 return cert->priv->cn;
365 }
366
367 const gchar *
e_cert_get_issuer_name(ECert * cert)368 e_cert_get_issuer_name (ECert *cert)
369 {
370 return cert->priv->cert->issuerName;
371 }
372
373 const gchar *
e_cert_get_issuer_cn(ECert * cert)374 e_cert_get_issuer_cn (ECert *cert)
375 {
376 return cert->priv->issuer_cn;
377 }
378
379 const gchar *
e_cert_get_issuer_org(ECert * cert)380 e_cert_get_issuer_org (ECert *cert)
381 {
382 return cert->priv->issuer_org_name;
383 }
384
385 const gchar *
e_cert_get_issuer_org_unit(ECert * cert)386 e_cert_get_issuer_org_unit (ECert *cert)
387 {
388 return cert->priv->issuer_org_unit_name;
389 }
390
391 const gchar *
e_cert_get_subject_name(ECert * cert)392 e_cert_get_subject_name (ECert *cert)
393 {
394 return cert->priv->cert->subjectName;
395 }
396
397 const gchar *
e_cert_get_issued_on(ECert * cert)398 e_cert_get_issued_on (ECert *cert)
399 {
400 return cert->priv->issued_on_string;
401 }
402
403 const gchar *
e_cert_get_expires_on(ECert * cert)404 e_cert_get_expires_on (ECert *cert)
405 {
406 return cert->priv->expires_on_string;
407 }
408
409 static struct {
410 gint bit;
411 const gchar *text;
412 } usageinfo[] = {
413 /* x509 certificate usage types */
414 { certificateUsageEmailSigner, N_("Sign") },
415 { certificateUsageEmailRecipient, N_("Encrypt") },
416 };
417
418 const gchar *
e_cert_get_usage(ECert * cert)419 e_cert_get_usage (ECert *cert)
420 {
421 if (cert->priv->usage_string == NULL) {
422 gint i;
423 GString *str = g_string_new ("");
424 CERTCertificate *icert = e_cert_get_internal_cert (cert);
425
426 for (i = 0; i < G_N_ELEMENTS (usageinfo); i++) {
427 if (icert->keyUsage & usageinfo[i].bit) {
428 if (str->len != 0)
429 g_string_append (str, ", ");
430 g_string_append (str, _(usageinfo[i].text));
431 }
432 }
433
434 cert->priv->usage_string = g_string_free (str, FALSE);
435 }
436
437 return cert->priv->usage_string;
438 }
439
440 const gchar *
e_cert_get_serial_number(ECert * cert)441 e_cert_get_serial_number (ECert *cert)
442 {
443 return cert->priv->serial_number;
444 }
445
446 const gchar *
e_cert_get_sha256_fingerprint(ECert * cert)447 e_cert_get_sha256_fingerprint (ECert *cert)
448 {
449 return cert->priv->sha256_fingerprint;
450 }
451
452 const gchar *
e_cert_get_sha1_fingerprint(ECert * cert)453 e_cert_get_sha1_fingerprint (ECert *cert)
454 {
455 return cert->priv->sha1_fingerprint;
456 }
457
458 const gchar *
e_cert_get_md5_fingerprint(ECert * cert)459 e_cert_get_md5_fingerprint (ECert *cert)
460 {
461 return cert->priv->md5_fingerprint;
462 }
463
464 ECert *
e_cert_get_ca_cert(ECert * ecert)465 e_cert_get_ca_cert (ECert *ecert)
466 {
467 CERTCertificate *cert, *next = e_cert_get_internal_cert (ecert), *internal;
468
469 cert = next;
470 internal = cert;
471 do {
472 if (cert != next && cert != internal)
473 CERT_DestroyCertificate (cert);
474
475 cert = next;
476 next = CERT_FindCertIssuer (cert, PR_Now (), certUsageAnyCA);
477 } while (next && next != cert);
478
479 if (cert == internal)
480 return g_object_ref (ecert);
481 else
482 return e_cert_new (cert);
483 }
484
485 gboolean
e_cert_mark_for_deletion(ECert * cert)486 e_cert_mark_for_deletion (ECert *cert)
487 {
488 if (PK11_NeedLogin (cert->priv->cert->slot)
489 && !PK11_NeedUserInit (cert->priv->cert->slot)
490 && !PK11_IsInternal (cert->priv->cert->slot)) {
491 if (PK11_Authenticate (cert->priv->cert->slot, PR_TRUE, NULL) != SECSuccess) {
492 return FALSE;
493 }
494 }
495
496 cert->priv->delete = TRUE;
497
498 return TRUE;
499 }
500
501 ECertType
e_cert_get_cert_type(ECert * ecert)502 e_cert_get_cert_type (ECert *ecert)
503 {
504 const gchar *nick = e_cert_get_nickname (ecert);
505 const gchar *email = e_cert_get_email (ecert);
506 CERTCertificate *cert = ecert->priv->cert;
507
508 if (nick) {
509 if (e_cert_trust_has_any_user (cert->trust))
510 return E_CERT_USER;
511 if (e_cert_trust_has_any_ca (cert->trust)
512 || CERT_IsCACert (cert,NULL))
513 return E_CERT_CA;
514 if (e_cert_trust_has_peer (cert->trust, PR_TRUE, PR_FALSE, PR_FALSE))
515 return E_CERT_SITE;
516 }
517 if (email && e_cert_trust_has_peer (cert->trust, PR_FALSE, PR_TRUE, PR_FALSE))
518 return E_CERT_CONTACT;
519
520 return E_CERT_UNKNOWN;
521 }
522