1 /* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
2 /*
3 * This file is part of the LibreOffice project.
4 *
5 * This Source Code Form is subject to the terms of the Mozilla Public
6 * License, v. 2.0. If a copy of the MPL was not distributed with this
7 * file, You can obtain one at http://mozilla.org/MPL/2.0/.
8 *
9 * This file incorporates work covered by the following license notice:
10 *
11 * Licensed to the Apache Software Foundation (ASF) under one or more
12 * contributor license agreements. See the NOTICE file distributed
13 * with this work for additional information regarding copyright
14 * ownership. The ASF licenses this file to you under the Apache
15 * License, Version 2.0 (the "License"); you may not use this file
16 * except in compliance with the License. You may obtain a copy of
17 * the License at http://www.apache.org/licenses/LICENSE-2.0 .
18 */
19
20 #include "nssrenam.h"
21 #include <cert.h>
22 #include <secerr.h>
23 #include <ocsp.h>
24
25 #include <sal/config.h>
26 #include <sal/macros.h>
27 #include <osl/diagnose.h>
28 #include "securityenvironment_nssimpl.hxx"
29 #include <comphelper/servicehelper.hxx>
30
31 #include <xmlsec-wrapper.h>
32
33 #include <rtl/ustrbuf.hxx>
34 #include <comphelper/processfactory.hxx>
35 #include <comphelper/docpasswordrequest.hxx>
36 #include <sal/log.hxx>
37 #include <com/sun/star/task/InteractionHandler.hpp>
38 #include <vector>
39 #include <memory>
40 #include <osl/thread.h>
41 #include <comphelper/sequence.hxx>
42
43 #include "x509certificate_nssimpl.hxx"
44 #include "secerror.hxx"
45 #include <prerror.h>
46 #include <keyhi.h>
47
48 // added for password exception
49 #include <com/sun/star/security/NoPasswordException.hpp>
50 #include <com/sun/star/security/CertificateCharacters.hpp>
51 #include <com/sun/star/security/CertificateValidity.hpp>
52
53 namespace csss = ::com::sun::star::security;
54 using namespace ::com::sun::star::security;
55 using namespace com::sun::star;
56 using namespace ::com::sun::star::uno ;
57 using namespace ::com::sun::star::lang ;
58 using ::com::sun::star::lang::XMultiServiceFactory ;
59
60 using ::com::sun::star::xml::crypto::XSecurityEnvironment ;
61 using ::com::sun::star::security::XCertificate ;
62
63 namespace std
64 {
65 template <> struct default_delete<PRArenaPool>
66 {
operator ()std::default_delete67 void operator()(PRArenaPool* ptr) { PORT_FreeArena(ptr, PR_FALSE); }
68 };
69 }
70
71 static X509Certificate_NssImpl* NssCertToXCert( CERTCertificate* cert ) ;
72 static X509Certificate_NssImpl* NssPrivKeyToXCert( SECKEYPrivateKey* ) ;
73
74
75 struct UsageDescription
76 {
77 SECCertificateUsage usage;
78 char const* description;
79
UsageDescriptionUsageDescription80 UsageDescription()
81 : usage( certificateUsageCheckAllUsages )
82 , description( nullptr )
83 {}
84
UsageDescriptionUsageDescription85 UsageDescription( SECCertificateUsage i_usage, char const* i_description )
86 : usage( i_usage )
87 , description( i_description )
88 {}
89 };
90
91
GetPasswordFunction(PK11SlotInfo * pSlot,PRBool bRetry,void *)92 static char* GetPasswordFunction( PK11SlotInfo* pSlot, PRBool bRetry, void* /*arg*/ )
93 {
94 uno::Reference< uno::XComponentContext > xContext( ::comphelper::getProcessComponentContext() );
95 uno::Reference < task::XInteractionHandler2 > xInteractionHandler(
96 task::InteractionHandler::createWithParent(xContext, nullptr) );
97
98 task::PasswordRequestMode eMode = bRetry ? task::PasswordRequestMode_PASSWORD_REENTER : task::PasswordRequestMode_PASSWORD_ENTER;
99 ::comphelper::DocPasswordRequest* pPasswordRequest = new ::comphelper::DocPasswordRequest(
100 ::comphelper::DocPasswordRequestType::Standard, eMode, OUString::createFromAscii(PK11_GetTokenName(pSlot)) );
101
102 uno::Reference< task::XInteractionRequest > xRequest( pPasswordRequest );
103 xInteractionHandler->handle( xRequest );
104
105 if ( pPasswordRequest->isPassword() )
106 {
107 OString aPassword(OUStringToOString(
108 pPasswordRequest->getPassword(),
109 osl_getThreadTextEncoding()));
110 sal_Int32 nLen = aPassword.getLength();
111 char* pPassword = static_cast<char*>(PORT_Alloc( nLen+1 ) );
112 pPassword[nLen] = 0;
113 memcpy( pPassword, aPassword.getStr(), nLen );
114 return pPassword;
115 }
116 return nullptr;
117 }
118
SecurityEnvironment_NssImpl()119 SecurityEnvironment_NssImpl::SecurityEnvironment_NssImpl() :
120 m_pHandler( nullptr ) , m_tSymKeyList() {
121 PK11_SetPasswordFunc( GetPasswordFunction ) ;
122 }
123
~SecurityEnvironment_NssImpl()124 SecurityEnvironment_NssImpl::~SecurityEnvironment_NssImpl() {
125
126 PK11_SetPasswordFunc( nullptr ) ;
127
128 for (auto& slot : m_Slots)
129 {
130 PK11_FreeSlot(slot);
131 }
132
133 for( auto& symKey : m_tSymKeyList )
134 PK11_FreeSymKey( symKey ) ;
135 }
136
137 /* XServiceInfo */
getImplementationName()138 OUString SAL_CALL SecurityEnvironment_NssImpl::getImplementationName() {
139 return "com.sun.star.xml.crypto.SecurityEnvironment";
140 }
141
142 /* XServiceInfo */
supportsService(const OUString & serviceName)143 sal_Bool SAL_CALL SecurityEnvironment_NssImpl::supportsService( const OUString& serviceName) {
144 Sequence< OUString > seqServiceNames = getSupportedServiceNames() ;
145 return comphelper::findValue(seqServiceNames, serviceName) != -1;
146 }
147
148 /* XServiceInfo */
getSupportedServiceNames()149 Sequence< OUString > SAL_CALL SecurityEnvironment_NssImpl::getSupportedServiceNames() {
150 Sequence<OUString> seqServiceNames{ "com.sun.star.xml.crypto.SecurityEnvironment" };
151 return seqServiceNames;
152 }
153
154 /* XUnoTunnel */
getSomething(const Sequence<sal_Int8> & aIdentifier)155 sal_Int64 SAL_CALL SecurityEnvironment_NssImpl::getSomething( const Sequence< sal_Int8 >& aIdentifier )
156 {
157 if( isUnoTunnelId<SecurityEnvironment_NssImpl>(aIdentifier) ) {
158 return sal::static_int_cast<sal_Int64>(reinterpret_cast<sal_uIntPtr>(this));
159 }
160 return 0 ;
161 }
162
163 /* XUnoTunnel extension */
164
165 namespace
166 {
167 class theSecurityEnvironment_NssImplUnoTunnelId : public rtl::Static< UnoTunnelIdInit, theSecurityEnvironment_NssImplUnoTunnelId > {};
168 }
169
getUnoTunnelId()170 const Sequence< sal_Int8>& SecurityEnvironment_NssImpl::getUnoTunnelId() {
171 return theSecurityEnvironment_NssImplUnoTunnelId::get().getSeq();
172 }
173
getSecurityEnvironmentInformation()174 OUString SecurityEnvironment_NssImpl::getSecurityEnvironmentInformation()
175 {
176 OUStringBuffer buff;
177 for (auto& slot : m_Slots)
178 {
179 buff.append(OUString::createFromAscii(PK11_GetTokenName(slot)));
180 buff.append("\n");
181 }
182 return buff.makeStringAndClear();
183 }
184
addCryptoSlot(PK11SlotInfo * aSlot)185 void SecurityEnvironment_NssImpl::addCryptoSlot( PK11SlotInfo* aSlot)
186 {
187 PK11_ReferenceSlot(aSlot);
188 m_Slots.push_back(aSlot);
189 }
190
191 //Could we have multiple cert dbs?
setCertDb(CERTCertDBHandle * aCertDb)192 void SecurityEnvironment_NssImpl::setCertDb( CERTCertDBHandle* aCertDb ) {
193 m_pHandler = aCertDb ;
194 }
195
adoptSymKey(PK11SymKey * aSymKey)196 void SecurityEnvironment_NssImpl::adoptSymKey( PK11SymKey* aSymKey ) {
197 if( aSymKey != nullptr ) {
198 //First try to find the key in the list
199 if (std::find(m_tSymKeyList.begin(), m_tSymKeyList.end(), aSymKey) != m_tSymKeyList.end())
200 return;
201
202 //If we do not find the key in the list, add a new node
203 PK11SymKey* symkey = PK11_ReferenceSymKey( aSymKey ) ;
204 if( symkey == nullptr )
205 throw RuntimeException() ;
206
207 try {
208 m_tSymKeyList.push_back( symkey ) ;
209 } catch ( Exception& ) {
210 PK11_FreeSymKey( symkey ) ;
211 }
212 }
213 }
214
updateSlots()215 void SecurityEnvironment_NssImpl::updateSlots()
216 {
217 //In case new tokens are present then we can obtain the corresponding slot
218 osl::MutexGuard guard(m_mutex);
219
220 m_Slots.clear();
221 m_tSymKeyList.clear();
222
223 PK11SlotList * soltList = PK11_GetAllTokens( CKM_INVALID_MECHANISM, PR_FALSE, PR_FALSE, nullptr ) ;
224 if( soltList != nullptr )
225 {
226 for (PK11SlotListElement* soltEle = soltList->head ; soltEle != nullptr; soltEle = soltEle->next)
227 {
228 PK11SlotInfo * pSlot = soltEle->slot ;
229
230 if(pSlot != nullptr)
231 {
232 SAL_INFO(
233 "xmlsecurity.xmlsec",
234 "Found a slot: SlotName=" << PK11_GetSlotName(pSlot)
235 << ", TokenName=" << PK11_GetTokenName(pSlot));
236
237 //The following code which is commented out checks if a slot, that is a smart card for example, is
238 // able to generate a symmetric key of type CKM_DES3_CBC. If this fails then this token
239 // will not be used. This key is possibly used for the encryption service. However, all
240 // interfaces and services used for public key signature and encryption are not published
241 // and the encryption is not used in OOo. Therefore it does not do any harm to remove
242 // this code, hence allowing smart cards which cannot generate this type of key.
243 //
244 // By doing this, the encryption may fail if a smart card is being used which does not
245 // support this key generation.
246 //
247 PK11SymKey * pSymKey = PK11_KeyGen( pSlot , CKM_DES3_CBC, nullptr, 128, nullptr ) ;
248 // if( pSymKey == NULL )
249 // {
250 // PK11_FreeSlot( pSlot ) ;
251 // SAL_INFO( "xmlsecurity", "XMLSEC: Error - pSymKey is NULL" );
252 // continue;
253 // }
254 addCryptoSlot(pSlot);
255 PK11_FreeSlot( pSlot ) ;
256 pSlot = nullptr;
257
258 if (pSymKey != nullptr)
259 {
260 adoptSymKey( pSymKey ) ;
261 PK11_FreeSymKey( pSymKey ) ;
262 pSymKey = nullptr;
263 }
264
265 }// end of if(pSlot != NULL)
266 }// end of for
267 }// end of if( soltList != NULL )
268 }
269
270 Sequence< Reference < XCertificate > >
getPersonalCertificates()271 SecurityEnvironment_NssImpl::getPersonalCertificates()
272 {
273 sal_Int32 length ;
274 X509Certificate_NssImpl* xcert ;
275 std::vector< X509Certificate_NssImpl* > certsList ;
276
277 updateSlots();
278 //firstly, we try to find private keys in slot
279 for (auto& slot : m_Slots)
280 {
281 SECKEYPrivateKeyList* priKeyList ;
282
283 if( PK11_NeedLogin(slot ) ) {
284 SECStatus nRet = PK11_Authenticate(slot, PR_TRUE, nullptr);
285 //PK11_Authenticate may fail in case the a slot has not been initialized.
286 //this is the case if the user has a new profile, so that they have never
287 //added a personal certificate.
288 if( nRet != SECSuccess && PORT_GetError() != SEC_ERROR_IO) {
289 throw NoPasswordException();
290 }
291 }
292
293 priKeyList = PK11_ListPrivateKeysInSlot(slot) ;
294 if( priKeyList != nullptr )
295 {
296 for (SECKEYPrivateKeyListNode* curPri = PRIVKEY_LIST_HEAD(priKeyList);
297 !PRIVKEY_LIST_END( curPri, priKeyList ) && curPri != nullptr;
298 curPri = PRIVKEY_LIST_NEXT(curPri))
299 {
300 xcert = NssPrivKeyToXCert( curPri->key ) ;
301 if( xcert != nullptr )
302 certsList.push_back( xcert ) ;
303 }
304 SECKEY_DestroyPrivateKeyList( priKeyList ) ;
305 }
306
307
308 }
309
310 length = certsList.size() ;
311 if( length != 0 ) {
312 int i = 0;
313 Sequence< Reference< XCertificate > > certSeq( length ) ;
314
315 for( const auto& rXCert : certsList ) {
316 certSeq[i] = rXCert ;
317 ++i;
318 }
319
320 return certSeq ;
321 }
322
323 return Sequence< Reference < XCertificate > > ();
324 }
325
getCertificate(const OUString & issuerName,const Sequence<sal_Int8> & serialNumber)326 Reference< XCertificate > SecurityEnvironment_NssImpl::getCertificate( const OUString& issuerName, const Sequence< sal_Int8 >& serialNumber )
327 {
328 X509Certificate_NssImpl* xcert = nullptr;
329
330 if( m_pHandler != nullptr ) {
331 CERTIssuerAndSN issuerAndSN ;
332 CERTCertificate* cert ;
333 CERTName* nmIssuer ;
334 char* chIssuer ;
335 SECItem* derIssuer ;
336 std::unique_ptr<PRArenaPool> arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
337 if( arena == nullptr )
338 throw RuntimeException() ;
339
340 // Create cert info from issue and serial
341 OString ostr = OUStringToOString( issuerName , RTL_TEXTENCODING_UTF8 ) ;
342 chIssuer = PL_strndup( ostr.getStr(), static_cast<int>(ostr.getLength()) ) ;
343 nmIssuer = CERT_AsciiToName( chIssuer ) ;
344 if( nmIssuer == nullptr ) {
345 PL_strfree( chIssuer ) ;
346 return nullptr; // no need for exception cf. i40394
347 }
348
349 derIssuer = SEC_ASN1EncodeItem( arena.get(), nullptr, static_cast<void*>(nmIssuer), SEC_ASN1_GET( CERT_NameTemplate ) ) ;
350 if( derIssuer == nullptr ) {
351 PL_strfree( chIssuer ) ;
352 CERT_DestroyName( nmIssuer ) ;
353 throw RuntimeException() ;
354 }
355
356 memset( &issuerAndSN, 0, sizeof( issuerAndSN ) ) ;
357
358 issuerAndSN.derIssuer.data = derIssuer->data ;
359 issuerAndSN.derIssuer.len = derIssuer->len ;
360
361 issuerAndSN.serialNumber.data = reinterpret_cast<unsigned char *>(const_cast<sal_Int8 *>(serialNumber.getConstArray()));
362 issuerAndSN.serialNumber.len = serialNumber.getLength() ;
363
364 cert = CERT_FindCertByIssuerAndSN( m_pHandler, &issuerAndSN ) ;
365 if( cert != nullptr ) {
366 xcert = NssCertToXCert( cert ) ;
367 } else {
368 xcert = nullptr ;
369 }
370
371 PL_strfree( chIssuer ) ;
372 CERT_DestroyName( nmIssuer ) ;
373 //SECITEM_FreeItem( derIssuer, PR_FALSE ) ;
374 CERT_DestroyCertificate( cert ) ;
375 } else {
376 xcert = nullptr ;
377 }
378
379 return xcert ;
380 }
381
buildCertificatePath(const Reference<XCertificate> & begin)382 Sequence< Reference < XCertificate > > SecurityEnvironment_NssImpl::buildCertificatePath( const Reference< XCertificate >& begin ) {
383 // Remember the signing certificate.
384 m_xSigningCertificate = begin;
385
386 const X509Certificate_NssImpl* xcert ;
387 const CERTCertificate* cert ;
388 CERTCertList* certChain ;
389
390 Reference< XUnoTunnel > xCertTunnel( begin, UNO_QUERY_THROW ) ;
391 xcert = reinterpret_cast<X509Certificate_NssImpl*>(
392 sal::static_int_cast<sal_uIntPtr>(xCertTunnel->getSomething( X509Certificate_NssImpl::getUnoTunnelId() ))) ;
393 if( xcert == nullptr ) {
394 throw RuntimeException() ;
395 }
396
397 cert = xcert->getNssCert() ;
398 if( cert != nullptr ) {
399 int64 timeboundary ;
400
401 //Get the system clock time
402 timeboundary = PR_Now() ;
403
404 certChain = CERT_GetCertChainFromCert( const_cast<CERTCertificate*>(cert), timeboundary, certUsageAnyCA ) ;
405 } else {
406 certChain = nullptr ;
407 }
408
409 if( certChain != nullptr ) {
410 std::vector<uno::Reference<security::XCertificate>> aCertChain;
411
412 for (CERTCertListNode* node = CERT_LIST_HEAD(certChain); !CERT_LIST_END(node, certChain); node = CERT_LIST_NEXT(node)) {
413 X509Certificate_NssImpl* pCert = new X509Certificate_NssImpl();
414 if( pCert == nullptr ) {
415 CERT_DestroyCertList( certChain ) ;
416 throw RuntimeException() ;
417 }
418
419 pCert->setCert( node->cert ) ;
420
421 aCertChain.push_back(pCert);
422 }
423
424 CERT_DestroyCertList( certChain ) ;
425
426 return comphelper::containerToSequence(aCertChain);
427 }
428
429 return Sequence< Reference < XCertificate > >();
430 }
431
createAndAddCertificateFromPackage(const css::uno::Sequence<sal_Int8> & raDERCertificate,OUString const & raString)432 X509Certificate_NssImpl* SecurityEnvironment_NssImpl::createAndAddCertificateFromPackage(
433 const css::uno::Sequence<sal_Int8>& raDERCertificate,
434 OUString const & raString)
435 {
436 auto pCertificateBytes = reinterpret_cast<char *>(const_cast<sal_Int8 *>(raDERCertificate.getConstArray()));
437 CERTCertificate* pCERTCertificate = CERT_DecodeCertFromPackage(pCertificateBytes, raDERCertificate.getLength());
438
439 if (!pCERTCertificate)
440 return nullptr;
441
442 SECStatus aStatus;
443
444 OString aTrustString = OUStringToOString(raString, RTL_TEXTENCODING_ASCII_US);
445 CERTCertTrust aTrust;
446
447 aStatus = CERT_DecodeTrustString(&aTrust, aTrustString.getStr());
448
449 if (aStatus != SECSuccess)
450 return nullptr;
451
452 PK11SlotInfo* pSlot = PK11_GetInternalKeySlot();
453
454 if (!pSlot)
455 return nullptr;
456
457 aStatus = PK11_ImportCert(pSlot, pCERTCertificate, CK_INVALID_HANDLE, nullptr, PR_FALSE);
458
459 if (aStatus != SECSuccess)
460 return nullptr;
461
462 aStatus = CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), pCERTCertificate, &aTrust);
463
464 if (aStatus != SECSuccess)
465 return nullptr;
466
467
468 PK11_FreeSlot(pSlot);
469
470 X509Certificate_NssImpl* pX509Certificate = new X509Certificate_NssImpl();
471 pX509Certificate->setCert(pCERTCertificate);
472 return pX509Certificate;
473 }
474
createX509CertificateFromDER(const css::uno::Sequence<sal_Int8> & aDerCertificate)475 X509Certificate_NssImpl* SecurityEnvironment_NssImpl::createX509CertificateFromDER(const css::uno::Sequence<sal_Int8>& aDerCertificate)
476 {
477 X509Certificate_NssImpl* pX509Certificate = nullptr;
478
479 if (aDerCertificate.hasElements())
480 {
481 pX509Certificate = new X509Certificate_NssImpl();
482 if (pX509Certificate == nullptr)
483 throw RuntimeException();
484 pX509Certificate->setRawCert(aDerCertificate);
485 }
486 return pX509Certificate;
487 }
488
createCertificateFromRaw(const Sequence<sal_Int8> & rawCertificate)489 Reference<XCertificate> SecurityEnvironment_NssImpl::createCertificateFromRaw(const Sequence< sal_Int8 >& rawCertificate)
490 {
491 return createX509CertificateFromDER(rawCertificate);
492 }
493
createCertificateFromAscii(const OUString & asciiCertificate)494 Reference< XCertificate > SecurityEnvironment_NssImpl::createCertificateFromAscii( const OUString& asciiCertificate )
495 {
496 OString oscert = OUStringToOString( asciiCertificate , RTL_TEXTENCODING_ASCII_US ) ;
497 xmlChar* chCert = xmlStrndup( reinterpret_cast<const xmlChar*>(oscert.getStr()), static_cast<int>(oscert.getLength()) ) ;
498 int certSize = xmlSecBase64Decode( chCert, reinterpret_cast<xmlSecByte*>(chCert), xmlStrlen( chCert ) ) ;
499 if (certSize > 0)
500 {
501 Sequence< sal_Int8 > rawCert(certSize) ;
502 for (int i = 0 ; i < certSize; ++i)
503 rawCert[i] = *( chCert + i ) ;
504
505 xmlFree( chCert ) ;
506
507 return createCertificateFromRaw( rawCert ) ;
508 }
509 else
510 {
511 return nullptr;
512 }
513 }
514
515 sal_Int32 SecurityEnvironment_NssImpl ::
verifyCertificate(const Reference<csss::XCertificate> & aCert,const Sequence<Reference<csss::XCertificate>> & intermediateCerts)516 verifyCertificate( const Reference< csss::XCertificate >& aCert,
517 const Sequence< Reference< csss::XCertificate > >& intermediateCerts )
518 {
519 sal_Int32 validity = csss::CertificateValidity::INVALID;
520 const X509Certificate_NssImpl* xcert ;
521 const CERTCertificate* cert ;
522 ::std::vector<CERTCertificate*> vecTmpNSSCertificates;
523 Reference< XUnoTunnel > xCertTunnel( aCert, UNO_QUERY_THROW ) ;
524
525 SAL_INFO("xmlsecurity.xmlsec", "Start verification of certificate: " << aCert->getSubjectName());
526
527 xcert = reinterpret_cast<X509Certificate_NssImpl*>(
528 sal::static_int_cast<sal_uIntPtr>(xCertTunnel->getSomething( X509Certificate_NssImpl::getUnoTunnelId() ))) ;
529 if( xcert == nullptr ) {
530 throw RuntimeException() ;
531 }
532
533 //CERT_PKIXVerifyCert does not take a db as argument. It will therefore
534 //internally use CERT_GetDefaultCertDB
535 //Make sure m_pHandler is the default DB
536 OSL_ASSERT(m_pHandler == CERT_GetDefaultCertDB());
537 CERTCertDBHandle * certDb = m_pHandler != nullptr ? m_pHandler : CERT_GetDefaultCertDB();
538 cert = xcert->getNssCert() ;
539 if( cert != nullptr )
540 {
541
542 //prepare the intermediate certificates
543 for (const auto& rIntermediateCert : intermediateCerts)
544 {
545 Sequence<sal_Int8> der = rIntermediateCert->getEncoded();
546 SECItem item;
547 item.type = siBuffer;
548 item.data = reinterpret_cast<unsigned char*>(der.getArray());
549 item.len = der.getLength();
550
551 CERTCertificate* certTmp = CERT_NewTempCertificate(certDb, &item,
552 nullptr /* nickname */,
553 PR_FALSE /* isPerm */,
554 PR_TRUE /* copyDER */);
555 if (!certTmp)
556 {
557 SAL_INFO("xmlsecurity.xmlsec", "Failed to add a temporary certificate: " << rIntermediateCert->getIssuerName());
558
559 }
560 else
561 {
562 SAL_INFO("xmlsecurity.xmlsec", "Added temporary certificate: " <<
563 (certTmp->subjectName ? certTmp->subjectName : ""));
564 vecTmpNSSCertificates.push_back(certTmp);
565 }
566 }
567
568
569 SECStatus status ;
570
571 CERTVerifyLog log;
572 log.arena = PORT_NewArena(512);
573 log.head = log.tail = nullptr;
574 log.count = 0;
575
576 CERT_EnableOCSPChecking(certDb);
577 CERT_DisableOCSPDefaultResponder(certDb);
578 CERTValOutParam cvout[5];
579 CERTValInParam cvin[3];
580 int ncvinCount=0;
581
582 #if ( NSS_VMAJOR > 3 ) || ( NSS_VMAJOR == 3 && NSS_VMINOR > 12 ) || ( NSS_VMAJOR == 3 && NSS_VMINOR == 12 && NSS_VPATCH > 0 )
583 cvin[ncvinCount].type = cert_pi_useAIACertFetch;
584 cvin[ncvinCount].value.scalar.b = PR_TRUE;
585 ncvinCount++;
586 #endif
587
588 PRUint64 revFlagsLeaf[2];
589 PRUint64 revFlagsChain[2];
590 CERTRevocationFlags rev;
591 rev.leafTests.number_of_defined_methods = 2;
592 rev.leafTests.cert_rev_flags_per_method = revFlagsLeaf;
593 //the flags are defined in cert.h
594 //We check both leaf and chain.
595 //It is enough if one revocation method has fresh info,
596 //but at least one must have some. Otherwise validation fails.
597 //!!! using leaf test and CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE
598 // when validating a root certificate will result in "revoked". Usually
599 //there is no revocation information available for the root cert because
600 //it must be trusted anyway and it does itself issue revocation information.
601 //When we use the flag here and OOo shows the certification path then the root
602 //cert is invalid while all other can be valid. It would probably best if
603 //this interface method returned the whole chain.
604 //Otherwise we need to check if the certificate is self-signed and if it is
605 //then not use the flag when doing the leaf-test.
606 rev.leafTests.cert_rev_flags_per_method[cert_revocation_method_crl] =
607 CERT_REV_M_TEST_USING_THIS_METHOD
608 | CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE;
609 rev.leafTests.cert_rev_flags_per_method[cert_revocation_method_ocsp] =
610 CERT_REV_M_TEST_USING_THIS_METHOD
611 | CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE;
612 rev.leafTests.number_of_preferred_methods = 0;
613 rev.leafTests.preferred_methods = nullptr;
614 rev.leafTests.cert_rev_method_independent_flags =
615 CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST;
616
617 rev.chainTests.number_of_defined_methods = 2;
618 rev.chainTests.cert_rev_flags_per_method = revFlagsChain;
619 rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_crl] =
620 CERT_REV_M_TEST_USING_THIS_METHOD
621 | CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE;
622 rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_ocsp] =
623 CERT_REV_M_TEST_USING_THIS_METHOD
624 | CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE;
625 rev.chainTests.number_of_preferred_methods = 0;
626 rev.chainTests.preferred_methods = nullptr;
627 rev.chainTests.cert_rev_method_independent_flags =
628 CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST;
629
630
631 cvin[ncvinCount].type = cert_pi_revocationFlags;
632 cvin[ncvinCount].value.pointer.revocation = &rev;
633 ncvinCount++;
634 // does not work, not implemented yet in 3.12.4
635 // cvin[ncvinCount].type = cert_pi_keyusage;
636 // cvin[ncvinCount].value.scalar.ui = KU_DIGITAL_SIGNATURE;
637 // ncvinCount++;
638 cvin[ncvinCount].type = cert_pi_end;
639
640 cvout[0].type = cert_po_trustAnchor;
641 cvout[0].value.pointer.cert = nullptr;
642 cvout[1].type = cert_po_errorLog;
643 cvout[1].value.pointer.log = &log;
644 cvout[2].type = cert_po_end;
645
646 // We check SSL server certificates, CA certificates and signing certificates.
647 //
648 // ToDo check keyusage, looking at CERT_KeyUsageAndTypeForCertUsage (
649 // mozilla/security/nss/lib/certdb/certdb.c indicates that
650 // certificateUsageSSLClient, certificateUsageSSLServer and certificateUsageSSLCA
651 // are sufficient. They cover the key usages for digital signature, key agreement
652 // and encipherment and certificate signature
653
654 //never use the following usages because they are not checked properly
655 // certificateUsageUserCertImport
656 // certificateUsageVerifyCA
657 // certificateUsageAnyCA
658 // certificateUsageProtectedObjectSigner
659
660 UsageDescription arUsages[5];
661 arUsages[0] = UsageDescription( certificateUsageSSLClient, "certificateUsageSSLClient" );
662 arUsages[1] = UsageDescription( certificateUsageSSLServer, "certificateUsageSSLServer" );
663 arUsages[2] = UsageDescription( certificateUsageSSLCA, "certificateUsageSSLCA" );
664 arUsages[3] = UsageDescription( certificateUsageEmailSigner, "certificateUsageEmailSigner" );
665 arUsages[4] = UsageDescription( certificateUsageEmailRecipient, "certificateUsageEmailRecipient" );
666
667 int numUsages = SAL_N_ELEMENTS(arUsages);
668 for (int i = 0; i < numUsages; i++)
669 {
670 SAL_INFO("xmlsecurity.xmlsec", "Testing usage " << i+1 <<
671 " of " << numUsages << ": " <<
672 arUsages[i].description <<
673 " (0x" << std::hex << static_cast<int>(arUsages[i].usage) << ")" << std::dec);
674
675 status = CERT_PKIXVerifyCert(const_cast<CERTCertificate *>(cert), arUsages[i].usage,
676 cvin, cvout, nullptr);
677 if( status == SECSuccess )
678 {
679 SAL_INFO("xmlsecurity.xmlsec", "CERT_PKIXVerifyCert returned SECSuccess.");
680 //When an intermediate or root certificate is checked then we expect the usage
681 //certificateUsageSSLCA. This, however, will be only set when in the trust settings dialog
682 //the button "This certificate can identify websites" is checked. If for example only
683 //"This certificate can identify mail users" is set then the end certificate can
684 //be validated and the returned usage will contain certificateUsageEmailRecipient.
685 //But checking directly the root or intermediate certificate will fail. In the
686 //certificate path view the end certificate will be shown as valid but the others
687 //will be displayed as invalid.
688
689 validity = csss::CertificateValidity::VALID;
690 SAL_INFO("xmlsecurity.xmlsec", "Certificate is valid.");
691 CERTCertificate * issuerCert = cvout[0].value.pointer.cert;
692 if (issuerCert)
693 {
694 SAL_INFO("xmlsecurity.xmlsec", "Root certificate: " << issuerCert->subjectName);
695 CERT_DestroyCertificate(issuerCert);
696 };
697
698 break;
699 }
700 else
701 {
702 PRIntn err = PR_GetError();
703 SAL_INFO("xmlsecurity.xmlsec", "Error: " << err << ": " << getCertError(err));
704
705 /* Display validation results */
706 if ( log.count > 0)
707 {
708 CERTVerifyLogNode *node = nullptr;
709 printChainFailure(&log);
710
711 for (node = log.head; node; node = node->next) {
712 if (node->cert)
713 CERT_DestroyCertificate(node->cert);
714 }
715 log.head = log.tail = nullptr;
716 log.count = 0;
717 }
718 SAL_INFO("xmlsecurity.xmlsec", "Certificate is invalid.");
719 }
720 }
721
722 }
723 else
724 {
725 validity = css::security::CertificateValidity::INVALID ;
726 }
727
728 //Destroying the temporary certificates
729 for (auto& tmpCert : vecTmpNSSCertificates)
730 {
731 SAL_INFO("xmlsecurity.xmlsec", "Destroying temporary certificate");
732 CERT_DestroyCertificate(tmpCert);
733 }
734 return validity ;
735 }
736
getCertificateCharacters(const css::uno::Reference<css::security::XCertificate> & aCert)737 sal_Int32 SecurityEnvironment_NssImpl::getCertificateCharacters(
738 const css::uno::Reference< css::security::XCertificate >& aCert ) {
739 sal_Int32 characters ;
740 const X509Certificate_NssImpl* xcert ;
741 const CERTCertificate* cert ;
742
743 Reference< XUnoTunnel > xCertTunnel( aCert, UNO_QUERY_THROW ) ;
744 xcert = reinterpret_cast<X509Certificate_NssImpl*>(
745 sal::static_int_cast<sal_uIntPtr>(xCertTunnel->getSomething( X509Certificate_NssImpl::getUnoTunnelId() ))) ;
746 if( xcert == nullptr ) {
747 throw RuntimeException() ;
748 }
749
750 cert = xcert->getNssCert() ;
751
752 characters = 0x00000000 ;
753
754 //Firstly, find out whether or not the cert is self-signed.
755 if( SECITEM_CompareItem( &(cert->derIssuer), &(cert->derSubject) ) == SECEqual ) {
756 characters |= css::security::CertificateCharacters::SELF_SIGNED ;
757 } else {
758 characters &= ~ css::security::CertificateCharacters::SELF_SIGNED ;
759 }
760
761 //Secondly, find out whether or not the cert has a private key.
762
763 /*
764 * i40394
765 *
766 * mmi : need to check whether the cert's slot is valid first
767 */
768 SECKEYPrivateKey* priKey = nullptr;
769
770 if (cert->slot != nullptr)
771 {
772 priKey = PK11_FindPrivateKeyFromCert( cert->slot, const_cast<CERTCertificate*>(cert), nullptr ) ;
773 }
774 if(priKey == nullptr)
775 {
776 for (auto& slot : m_Slots)
777 {
778 priKey = PK11_FindPrivateKeyFromCert(slot, const_cast<CERTCertificate*>(cert), nullptr);
779 if (priKey)
780 break;
781 }
782 }
783 if( priKey != nullptr ) {
784 characters |= css::security::CertificateCharacters::HAS_PRIVATE_KEY ;
785
786 SECKEY_DestroyPrivateKey( priKey ) ;
787 } else {
788 characters &= ~ css::security::CertificateCharacters::HAS_PRIVATE_KEY ;
789 }
790
791 return characters ;
792 }
793
NssCertToXCert(CERTCertificate * cert)794 X509Certificate_NssImpl* NssCertToXCert( CERTCertificate* cert )
795 {
796 X509Certificate_NssImpl* xcert ;
797
798 if( cert != nullptr ) {
799 xcert = new X509Certificate_NssImpl() ;
800 xcert->setCert( cert ) ;
801 } else {
802 xcert = nullptr ;
803 }
804
805 return xcert ;
806 }
807
NssPrivKeyToXCert(SECKEYPrivateKey * priKey)808 X509Certificate_NssImpl* NssPrivKeyToXCert( SECKEYPrivateKey* priKey )
809 {
810 X509Certificate_NssImpl* xcert ;
811
812 if( priKey != nullptr ) {
813 CERTCertificate* cert = PK11_GetCertFromPrivateKey( priKey ) ;
814
815 if( cert != nullptr ) {
816 xcert = NssCertToXCert( cert ) ;
817 } else {
818 xcert = nullptr ;
819 }
820
821 CERT_DestroyCertificate( cert ) ;
822 } else {
823 xcert = nullptr ;
824 }
825
826 return xcert ;
827 }
828
createKeysManager()829 xmlSecKeysMngrPtr SecurityEnvironment_NssImpl::createKeysManager() {
830
831 /*-
832 * The following lines is based on the private version of xmlSec-NSS
833 * crypto engine
834 */
835 int cSlots = m_Slots.size();
836 std::unique_ptr<PK11SlotInfo*[]> sarSlots(new PK11SlotInfo*[cSlots]);
837 PK11SlotInfo** slots = sarSlots.get();
838 int count = 0;
839 for (const auto& slot : m_Slots)
840 {
841 slots[count] = slot;
842 ++count;
843 }
844
845 xmlSecKeysMngrPtr pKeysMngr = xmlSecKeysMngrCreate();
846 if (!pKeysMngr)
847 throw RuntimeException();
848
849 if (xmlSecNssAppDefaultKeysMngrInit(pKeysMngr) < 0)
850 throw RuntimeException();
851
852 // Adopt the private key of the signing certificate, if it has any.
853 if (auto pCertificate = dynamic_cast<X509Certificate_NssImpl*>(m_xSigningCertificate.get()))
854 {
855 SECKEYPrivateKey* pPrivateKey = SECKEY_CopyPrivateKey(pCertificate->getPrivateKey());
856 if (pPrivateKey)
857 {
858 xmlSecKeyDataPtr pKeyData = xmlSecNssPKIAdoptKey(pPrivateKey, nullptr);
859 xmlSecKeyPtr pKey = xmlSecKeyCreate();
860 xmlSecKeySetValue(pKey, pKeyData);
861 xmlSecNssAppDefaultKeysMngrAdoptKey(pKeysMngr, pKey);
862 }
863 else
864 {
865 SAL_WARN("xmlsecurity.xmlsec", "Can't get the private key from the certificate.");
866 }
867 }
868
869 return pKeysMngr;
870 }
871
destroyKeysManager(xmlSecKeysMngrPtr pKeysMngr)872 void SecurityEnvironment_NssImpl::destroyKeysManager(xmlSecKeysMngrPtr pKeysMngr) {
873 if( pKeysMngr != nullptr ) {
874 xmlSecKeysMngrDestroy( pKeysMngr ) ;
875 }
876 }
877
insertPrivateKey(css::uno::Sequence<sal_Int8> const & raPrivateKey)878 SECKEYPrivateKey* SecurityEnvironment_NssImpl::insertPrivateKey(css::uno::Sequence<sal_Int8> const & raPrivateKey)
879 {
880 PK11SlotInfo* pSlot = PK11_GetInternalKeySlot();
881
882 if (!pSlot)
883 return nullptr;
884
885 SECItem aDerPrivateKeyInfo;
886 aDerPrivateKeyInfo.data = reinterpret_cast<unsigned char *>(const_cast<sal_Int8 *>(raPrivateKey.getConstArray()));
887 aDerPrivateKeyInfo.len = raPrivateKey.getLength();
888
889 const unsigned int aKeyUsage = KU_ALL;
890 SECKEYPrivateKey* pPrivateKey = nullptr;
891
892 bool bPermanent = PR_FALSE;
893 bool bPrivate = PR_TRUE;
894
895 SECStatus nStatus = PK11_ImportDERPrivateKeyInfoAndReturnKey(
896 pSlot, &aDerPrivateKeyInfo, nullptr, nullptr, bPermanent, bPrivate,
897 aKeyUsage, &pPrivateKey, nullptr);
898
899 if (nStatus != SECSuccess)
900 return nullptr;
901
902 PK11_FreeSlot(pSlot);
903
904 return pPrivateKey;
905 }
906
createDERCertificateWithPrivateKey(Sequence<sal_Int8> const & raDERCertificate,Sequence<sal_Int8> const & raPrivateKey)907 uno::Reference<security::XCertificate> SecurityEnvironment_NssImpl::createDERCertificateWithPrivateKey(
908 Sequence<sal_Int8> const & raDERCertificate, Sequence<sal_Int8> const & raPrivateKey)
909 {
910 SECKEYPrivateKey* pPrivateKey = insertPrivateKey(raPrivateKey);
911
912 if (!pPrivateKey)
913 return uno::Reference<security::XCertificate>();
914
915 X509Certificate_NssImpl* pX509Certificate = createAndAddCertificateFromPackage(raDERCertificate, "TCu,TCu,TCu");
916 if (!pX509Certificate)
917 return uno::Reference<security::XCertificate>();
918
919 return pX509Certificate;
920 }
921
addDERCertificateToTheDatabase(uno::Sequence<sal_Int8> const & raDERCertificate,OUString const & raTrustString)922 uno::Reference<security::XCertificate> SecurityEnvironment_NssImpl::addDERCertificateToTheDatabase(
923 uno::Sequence<sal_Int8> const & raDERCertificate, OUString const & raTrustString)
924 {
925 X509Certificate_NssImpl* pX509Certificate = createAndAddCertificateFromPackage(raDERCertificate, raTrustString);
926 return pX509Certificate;
927 }
928
929 extern "C" SAL_DLLPUBLIC_EXPORT uno::XInterface*
com_sun_star_xml_crypto_SecurityEnvironment_get_implementation(uno::XComponentContext *,uno::Sequence<uno::Any> const &)930 com_sun_star_xml_crypto_SecurityEnvironment_get_implementation(
931 uno::XComponentContext* /*pCtx*/, uno::Sequence<uno::Any> const& /*rSeq*/)
932 {
933 return cppu::acquire(new SecurityEnvironment_NssImpl);
934 }
935
936 /* vim:set shiftwidth=4 softtabstop=4 expandtab: */
937