1 /**************************************************************
2  *
3  * Licensed to the Apache Software Foundation (ASF) under one
4  * or more contributor license agreements.  See the NOTICE file
5  * distributed with this work for additional information
6  * regarding copyright ownership.  The ASF licenses this file
7  * to you under the Apache License, Version 2.0 (the
8  * "License"); you may not use this file except in compliance
9  * with the License.  You may obtain a copy of the License at
10  *
11  *   http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing,
14  * software distributed under the License is distributed on an
15  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
16  * KIND, either express or implied.  See the License for the
17  * specific language governing permissions and limitations
18  * under the License.
19  *
20  *************************************************************/
21 
22 
23 
24 
25 // MARKER(update_precomp.py): autogen include statement, do not remove
26 #include "precompiled_xmlsecurity.hxx"
27 
28 //todo before commit:  nssrenam.h is not delivered!!!
29 #ifndef __nssrenam_h_
30 #define CERT_NewTempCertificate __CERT_NewTempCertificate
31 #endif /* __nssrenam_h_ */
32 
33 #include "cert.h"
34 #include "secerr.h"
35 #include "ocsp.h"
36 
37 #include <sal/config.h>
38 #include "securityenvironment_nssimpl.hxx"
39 #include "x509certificate_nssimpl.hxx"
40 #include <rtl/uuid.h>
41 #include "../diagnose.hxx"
42 
43 #include <sal/types.h>
44 //For reasons that escape me, this is what xmlsec does when size_t is not 4
45 #if SAL_TYPES_SIZEOFPOINTER != 4
46 #    define XMLSEC_NO_SIZE_T
47 #endif
48 #include <xmlsec/xmlsec.h>
49 #include <xmlsec/keysmngr.h>
50 #include <xmlsec/crypto.h>
51 #include <xmlsec/base64.h>
52 #include <xmlsec/strings.h>
53 
54 #include <tools/string.hxx>
55 #include <rtl/ustrbuf.hxx>
56 #include <comphelper/processfactory.hxx>
57 #include <cppuhelper/servicefactory.hxx>
58 #include <comphelper/docpasswordrequest.hxx>
59 #include <xmlsecurity/biginteger.hxx>
60 #include <rtl/logfile.h>
61 #include <com/sun/star/task/XInteractionHandler.hpp>
62 #include <vector>
63 #include "boost/scoped_array.hpp"
64 
65 #include "secerror.hxx"
66 
67 // MM : added for password exception
68 #include <com/sun/star/security/NoPasswordException.hpp>
69 namespace csss = ::com::sun::star::security;
70 using namespace xmlsecurity;
71 using namespace ::com::sun::star::security;
72 using namespace com::sun::star;
73 using namespace ::com::sun::star::uno ;
74 using namespace ::com::sun::star::lang ;
75 using ::com::sun::star::lang::XMultiServiceFactory ;
76 using ::com::sun::star::lang::XSingleServiceFactory ;
77 using ::rtl::OUString ;
78 
79 using ::com::sun::star::xml::crypto::XSecurityEnvironment ;
80 using ::com::sun::star::security::XCertificate ;
81 
82 extern X509Certificate_NssImpl* NssCertToXCert( CERTCertificate* cert ) ;
83 extern X509Certificate_NssImpl* NssPrivKeyToXCert( SECKEYPrivateKey* ) ;
84 
85 
86 struct UsageDescription
87 {
88     SECCertificateUsage usage;
89     char const* description;
90 
UsageDescriptionUsageDescription91     UsageDescription()
92     : usage( certificateUsageCheckAllUsages )
93     , description( NULL )
94     {}
95 
UsageDescriptionUsageDescription96     UsageDescription( SECCertificateUsage i_usage, char const* i_description )
97     : usage( i_usage )
98     , description( i_description )
99     {}
100 
UsageDescriptionUsageDescription101     UsageDescription( const UsageDescription& aDescription )
102     : usage( aDescription.usage )
103     , description( aDescription.description )
104     {}
105 
operator =UsageDescription106     UsageDescription& operator =( const UsageDescription& aDescription )
107     {
108         usage = aDescription.usage;
109         description = aDescription.description;
110         return *this;
111     }
112 };
113 
114 
115 
GetPasswordFunction(PK11SlotInfo * pSlot,PRBool bRetry,void *)116 char* GetPasswordFunction( PK11SlotInfo* pSlot,	PRBool bRetry, void* /*arg*/ )
117 {
118     uno::Reference< lang::XMultiServiceFactory > xMSF( ::comphelper::getProcessServiceFactory() );
119     if ( xMSF.is() )
120     {
121         uno::Reference < task::XInteractionHandler > xInteractionHandler(
122             xMSF->createInstance( rtl::OUString::createFromAscii("com.sun.star.task.InteractionHandler") ), uno::UNO_QUERY );
123 
124         if ( xInteractionHandler.is() )
125         {
126             task::PasswordRequestMode eMode = bRetry ? task::PasswordRequestMode_PASSWORD_REENTER : task::PasswordRequestMode_PASSWORD_ENTER;
127             ::comphelper::DocPasswordRequest* pPasswordRequest = new ::comphelper::DocPasswordRequest(
128                 ::comphelper::DocPasswordRequestType_STANDARD, eMode, ::rtl::OUString::createFromAscii(PK11_GetTokenName(pSlot)) );
129 
130             uno::Reference< task::XInteractionRequest > xRequest( pPasswordRequest );
131 	        xInteractionHandler->handle( xRequest );
132 
133             if ( pPasswordRequest->isPassword() )
134 	        {
135                 ByteString aPassword = ByteString( String( pPasswordRequest->getPassword() ), gsl_getSystemTextEncoding() );
136                 sal_uInt16 nLen = aPassword.Len();
137                 char* pPassword = (char*) PORT_Alloc( nLen+1 ) ;
138                 pPassword[nLen] = 0;
139                 memcpy( pPassword, aPassword.GetBuffer(), nLen );
140 				return pPassword;
141 	        }
142         }
143     }
144     return NULL;
145 }
146 
SecurityEnvironment_NssImpl(const Reference<XMultiServiceFactory> &)147 SecurityEnvironment_NssImpl :: SecurityEnvironment_NssImpl( const Reference< XMultiServiceFactory >& ) :
148 m_pHandler( NULL ) , m_tSymKeyList() , m_tPubKeyList() , m_tPriKeyList() {
149 
150 	PK11_SetPasswordFunc( GetPasswordFunction ) ;
151 }
152 
~SecurityEnvironment_NssImpl()153 SecurityEnvironment_NssImpl :: ~SecurityEnvironment_NssImpl() {
154 
155 	PK11_SetPasswordFunc( NULL ) ;
156 
157 	for (CIT_SLOTS i = m_Slots.begin(); i != m_Slots.end(); i++)
158 	{
159 		PK11_FreeSlot(*i);
160 	}
161 
162 	if( !m_tSymKeyList.empty()  ) {
163 		std::list< PK11SymKey* >::iterator symKeyIt ;
164 
165 		for( symKeyIt = m_tSymKeyList.begin() ; symKeyIt != m_tSymKeyList.end() ; symKeyIt ++ )
166 			PK11_FreeSymKey( *symKeyIt ) ;
167 	}
168 
169 	if( !m_tPubKeyList.empty()  ) {
170 		std::list< SECKEYPublicKey* >::iterator pubKeyIt ;
171 
172 		for( pubKeyIt = m_tPubKeyList.begin() ; pubKeyIt != m_tPubKeyList.end() ; pubKeyIt ++ )
173 			SECKEY_DestroyPublicKey( *pubKeyIt ) ;
174 	}
175 
176 	if( !m_tPriKeyList.empty()  ) {
177 		std::list< SECKEYPrivateKey* >::iterator priKeyIt ;
178 
179 		for( priKeyIt = m_tPriKeyList.begin() ; priKeyIt != m_tPriKeyList.end() ; priKeyIt ++ )
180 			SECKEY_DestroyPrivateKey( *priKeyIt ) ;
181 	}
182 }
183 
184 /* XInitialization */
initialize(const Sequence<Any> &)185 void SAL_CALL SecurityEnvironment_NssImpl :: initialize( const Sequence< Any >& ) throw( Exception, RuntimeException ) {
186 	// TBD
187 } ;
188 
189 /* XServiceInfo */
getImplementationName()190 OUString SAL_CALL SecurityEnvironment_NssImpl :: getImplementationName() throw( RuntimeException ) {
191 	return impl_getImplementationName() ;
192 }
193 
194 /* XServiceInfo */
supportsService(const OUString & serviceName)195 sal_Bool SAL_CALL SecurityEnvironment_NssImpl :: supportsService( const OUString& serviceName) throw( RuntimeException ) {
196 	Sequence< OUString > seqServiceNames = getSupportedServiceNames() ;
197 	const OUString* pArray = seqServiceNames.getConstArray() ;
198 	for( sal_Int32 i = 0 ; i < seqServiceNames.getLength() ; i ++ ) {
199 		if( *( pArray + i ) == serviceName )
200 			return sal_True ;
201 	}
202 	return sal_False ;
203 }
204 
205 /* XServiceInfo */
getSupportedServiceNames()206 Sequence< OUString > SAL_CALL SecurityEnvironment_NssImpl :: getSupportedServiceNames() throw( RuntimeException ) {
207 	return impl_getSupportedServiceNames() ;
208 }
209 
210 //Helper for XServiceInfo
impl_getSupportedServiceNames()211 Sequence< OUString > SecurityEnvironment_NssImpl :: impl_getSupportedServiceNames() {
212 	::osl::Guard< ::osl::Mutex > aGuard( ::osl::Mutex::getGlobalMutex() ) ;
213 	Sequence< OUString > seqServiceNames( 1 ) ;
214 	seqServiceNames.getArray()[0] = OUString::createFromAscii( "com.sun.star.xml.crypto.SecurityEnvironment" ) ;
215 	return seqServiceNames ;
216 }
217 
impl_getImplementationName()218 OUString SecurityEnvironment_NssImpl :: impl_getImplementationName() throw( RuntimeException ) {
219 	return OUString::createFromAscii( "com.sun.star.xml.security.bridge.xmlsec.SecurityEnvironment_NssImpl" ) ;
220 }
221 
222 //Helper for registry
impl_createInstance(const Reference<XMultiServiceFactory> & aServiceManager)223 Reference< XInterface > SAL_CALL SecurityEnvironment_NssImpl :: impl_createInstance( const Reference< XMultiServiceFactory >& aServiceManager ) throw( RuntimeException ) {
224 	return Reference< XInterface >( *new SecurityEnvironment_NssImpl( aServiceManager ) ) ;
225 }
226 
impl_createFactory(const Reference<XMultiServiceFactory> & aServiceManager)227 Reference< XSingleServiceFactory > SecurityEnvironment_NssImpl :: impl_createFactory( const Reference< XMultiServiceFactory >& aServiceManager ) {
228 	//Reference< XSingleServiceFactory > xFactory ;
229 	//xFactory = ::cppu::createSingleFactory( aServiceManager , impl_getImplementationName , impl_createInstance , impl_getSupportedServiceNames ) ;
230 	//return xFactory ;
231 	return ::cppu::createSingleFactory( aServiceManager , impl_getImplementationName() , impl_createInstance , impl_getSupportedServiceNames() ) ;
232 }
233 
234 /* XUnoTunnel */
getSomething(const Sequence<sal_Int8> & aIdentifier)235 sal_Int64 SAL_CALL SecurityEnvironment_NssImpl :: getSomething( const Sequence< sal_Int8 >& aIdentifier )
236 	throw( RuntimeException )
237 {
238 	if( aIdentifier.getLength() == 16 && 0 == rtl_compareMemory( getUnoTunnelId().getConstArray(), aIdentifier.getConstArray(), 16 ) ) {
239         return sal::static_int_cast<sal_Int64>(reinterpret_cast<sal_uIntPtr>(this));
240 	}
241 	return 0 ;
242 }
243 
244 /* XUnoTunnel extension */
getUnoTunnelId()245 const Sequence< sal_Int8>& SecurityEnvironment_NssImpl :: getUnoTunnelId() {
246 	static Sequence< sal_Int8 >* pSeq = 0 ;
247 	if( !pSeq ) {
248 		::osl::Guard< ::osl::Mutex > aGuard( ::osl::Mutex::getGlobalMutex() ) ;
249 		if( !pSeq ) {
250 			static Sequence< sal_Int8> aSeq( 16 ) ;
251 			rtl_createUuid( ( sal_uInt8* )aSeq.getArray() , 0 , sal_True ) ;
252 			pSeq = &aSeq ;
253 		}
254 	}
255 	return *pSeq ;
256 }
257 
258 /* XUnoTunnel extension */
getImplementation(const Reference<XInterface> xObj)259 SecurityEnvironment_NssImpl* SecurityEnvironment_NssImpl :: getImplementation( const Reference< XInterface > xObj ) {
260 	Reference< XUnoTunnel > xUT( xObj , UNO_QUERY ) ;
261 	if( xUT.is() ) {
262         return reinterpret_cast<SecurityEnvironment_NssImpl*>(
263             sal::static_int_cast<sal_uIntPtr>(xUT->getSomething( getUnoTunnelId() ))) ;
264 	} else
265 		return NULL ;
266 }
267 
268 
getSecurityEnvironmentInformation()269 ::rtl::OUString SecurityEnvironment_NssImpl::getSecurityEnvironmentInformation() throw( ::com::sun::star::uno::RuntimeException )
270 {
271 	rtl::OUString result;
272 	::rtl::OUStringBuffer buff;
273 	for (CIT_SLOTS is = m_Slots.begin(); is != m_Slots.end(); is++)
274 	{
275 		buff.append(rtl::OUString::createFromAscii(PK11_GetTokenName(*is)));
276 		buff.appendAscii("\n");
277 	}
278 	return buff.makeStringAndClear();
279 }
280 
addCryptoSlot(PK11SlotInfo * aSlot)281 void SecurityEnvironment_NssImpl::addCryptoSlot( PK11SlotInfo* aSlot) throw( Exception , RuntimeException )
282 {
283 	PK11_ReferenceSlot(aSlot);
284 	m_Slots.push_back(aSlot);
285 }
286 
getCertDb()287 CERTCertDBHandle* SecurityEnvironment_NssImpl :: getCertDb() throw( Exception , RuntimeException ) {
288 	return m_pHandler ;
289 }
290 
291 //Could we have multiple cert dbs?
setCertDb(CERTCertDBHandle * aCertDb)292 void SecurityEnvironment_NssImpl :: setCertDb( CERTCertDBHandle* aCertDb ) throw( Exception , RuntimeException ) {
293 	m_pHandler = aCertDb ;
294 }
295 
adoptSymKey(PK11SymKey * aSymKey)296 void SecurityEnvironment_NssImpl :: adoptSymKey( PK11SymKey* aSymKey ) throw( Exception , RuntimeException ) {
297 	PK11SymKey*	symkey ;
298 	std::list< PK11SymKey* >::iterator keyIt ;
299 
300 	if( aSymKey != NULL ) {
301 		//First try to find the key in the list
302 		for( keyIt = m_tSymKeyList.begin() ; keyIt != m_tSymKeyList.end() ; keyIt ++ ) {
303 			if( *keyIt == aSymKey )
304 				return ;
305 		}
306 
307 		//If we do not find the key in the list, add a new node
308 		symkey = PK11_ReferenceSymKey( aSymKey ) ;
309 		if( symkey == NULL )
310 			throw RuntimeException() ;
311 
312 		try {
313 			m_tSymKeyList.push_back( symkey ) ;
314 		} catch ( Exception& ) {
315 			PK11_FreeSymKey( symkey ) ;
316 		}
317 	}
318 }
319 
rejectSymKey(PK11SymKey * aSymKey)320 void SecurityEnvironment_NssImpl :: rejectSymKey( PK11SymKey* aSymKey ) throw( Exception , RuntimeException ) {
321 	PK11SymKey*	symkey ;
322 	std::list< PK11SymKey* >::iterator keyIt ;
323 
324 	if( aSymKey != NULL ) {
325 		for( keyIt = m_tSymKeyList.begin() ; keyIt != m_tSymKeyList.end() ; keyIt ++ ) {
326 			if( *keyIt == aSymKey ) {
327 				symkey = *keyIt ;
328 				PK11_FreeSymKey( symkey ) ;
329 				m_tSymKeyList.erase( keyIt ) ;
330 				break ;
331 			}
332 		}
333 	}
334 }
335 
getSymKey(unsigned int position)336 PK11SymKey* SecurityEnvironment_NssImpl :: getSymKey( unsigned int position ) throw( Exception , RuntimeException ) {
337 	PK11SymKey* symkey ;
338 	std::list< PK11SymKey* >::iterator keyIt ;
339 	unsigned int pos ;
340 
341 	symkey = NULL ;
342 	for( pos = 0, keyIt = m_tSymKeyList.begin() ; pos < position && keyIt != m_tSymKeyList.end() ; pos ++ , keyIt ++ ) ;
343 
344 	if( pos == position && keyIt != m_tSymKeyList.end() )
345 		symkey = *keyIt ;
346 
347 	return symkey ;
348 }
349 
adoptPubKey(SECKEYPublicKey * aPubKey)350 void SecurityEnvironment_NssImpl :: adoptPubKey( SECKEYPublicKey* aPubKey ) throw( Exception , RuntimeException ) {
351 	SECKEYPublicKey*	pubkey ;
352 	std::list< SECKEYPublicKey* >::iterator keyIt ;
353 
354 	if( aPubKey != NULL ) {
355 		//First try to find the key in the list
356 		for( keyIt = m_tPubKeyList.begin() ; keyIt != m_tPubKeyList.end() ; keyIt ++ ) {
357 			if( *keyIt == aPubKey )
358 				return ;
359 		}
360 
361 		//If we do not find the key in the list, add a new node
362 		pubkey = SECKEY_CopyPublicKey( aPubKey ) ;
363 		if( pubkey == NULL )
364 			throw RuntimeException() ;
365 
366 		try {
367 			m_tPubKeyList.push_back( pubkey ) ;
368 		} catch ( Exception& ) {
369 			SECKEY_DestroyPublicKey( pubkey ) ;
370 		}
371 	}
372 }
373 
rejectPubKey(SECKEYPublicKey * aPubKey)374 void SecurityEnvironment_NssImpl :: rejectPubKey( SECKEYPublicKey* aPubKey ) throw( Exception , RuntimeException ) {
375 	SECKEYPublicKey*	pubkey ;
376 	std::list< SECKEYPublicKey* >::iterator keyIt ;
377 
378 	if( aPubKey != NULL ) {
379 		for( keyIt = m_tPubKeyList.begin() ; keyIt != m_tPubKeyList.end() ; keyIt ++ ) {
380 			if( *keyIt == aPubKey ) {
381 				pubkey = *keyIt ;
382 				SECKEY_DestroyPublicKey( pubkey ) ;
383 				m_tPubKeyList.erase( keyIt ) ;
384 				break ;
385 			}
386 		}
387 	}
388 }
389 
getPubKey(unsigned int position)390 SECKEYPublicKey* SecurityEnvironment_NssImpl :: getPubKey( unsigned int position ) throw( Exception , RuntimeException ) {
391 	SECKEYPublicKey* pubkey ;
392 	std::list< SECKEYPublicKey* >::iterator keyIt ;
393 	unsigned int pos ;
394 
395 	pubkey = NULL ;
396 	for( pos = 0, keyIt = m_tPubKeyList.begin() ; pos < position && keyIt != m_tPubKeyList.end() ; pos ++ , keyIt ++ ) ;
397 
398 	if( pos == position && keyIt != m_tPubKeyList.end() )
399 		pubkey = *keyIt ;
400 
401 	return pubkey ;
402 }
403 
adoptPriKey(SECKEYPrivateKey * aPriKey)404 void SecurityEnvironment_NssImpl :: adoptPriKey( SECKEYPrivateKey* aPriKey ) throw( Exception , RuntimeException ) {
405 	SECKEYPrivateKey*	prikey ;
406 	std::list< SECKEYPrivateKey* >::iterator keyIt ;
407 
408 	if( aPriKey != NULL ) {
409 		//First try to find the key in the list
410 		for( keyIt = m_tPriKeyList.begin() ; keyIt != m_tPriKeyList.end() ; keyIt ++ ) {
411 			if( *keyIt == aPriKey )
412 				return ;
413 		}
414 
415 		//If we do not find the key in the list, add a new node
416 		prikey = SECKEY_CopyPrivateKey( aPriKey ) ;
417 		if( prikey == NULL )
418 			throw RuntimeException() ;
419 
420 		try {
421 			m_tPriKeyList.push_back( prikey ) ;
422 		} catch ( Exception& ) {
423 			SECKEY_DestroyPrivateKey( prikey ) ;
424 		}
425 	}
426 }
427 
rejectPriKey(SECKEYPrivateKey * aPriKey)428 void SecurityEnvironment_NssImpl :: rejectPriKey( SECKEYPrivateKey* aPriKey ) throw( Exception , RuntimeException ) {
429 	SECKEYPrivateKey*	prikey ;
430 	std::list< SECKEYPrivateKey* >::iterator keyIt ;
431 
432 	if( aPriKey != NULL ) {
433 		for( keyIt = m_tPriKeyList.begin() ; keyIt != m_tPriKeyList.end() ; keyIt ++ ) {
434 			if( *keyIt == aPriKey ) {
435 				prikey = *keyIt ;
436 				SECKEY_DestroyPrivateKey( prikey ) ;
437 				m_tPriKeyList.erase( keyIt ) ;
438 				break ;
439 			}
440 		}
441 	}
442 }
443 
getPriKey(unsigned int position)444 SECKEYPrivateKey* SecurityEnvironment_NssImpl :: getPriKey( unsigned int position ) throw( ::com::sun::star::uno::Exception , ::com::sun::star::uno::RuntimeException )  {
445 	SECKEYPrivateKey* prikey ;
446 	std::list< SECKEYPrivateKey* >::iterator keyIt ;
447 	unsigned int pos ;
448 
449 	prikey = NULL ;
450 	for( pos = 0, keyIt = m_tPriKeyList.begin() ; pos < position && keyIt != m_tPriKeyList.end() ; pos ++ , keyIt ++ ) ;
451 
452 	if( pos == position && keyIt != m_tPriKeyList.end() )
453 		prikey = *keyIt ;
454 
455 	return prikey ;
456 }
457 
updateSlots()458 void SecurityEnvironment_NssImpl::updateSlots()
459 {
460     //In case new tokens are present then we can obtain the corresponding slot
461 	PK11SlotList * soltList = NULL;
462 	PK11SlotListElement * soltEle = NULL;
463     PK11SlotInfo * pSlot = NULL;
464    	PK11SymKey * pSymKey = NULL;
465 
466     osl::MutexGuard guard(m_mutex);
467 
468     m_Slots.clear();
469     m_tSymKeyList.clear();
470 
471 	soltList = PK11_GetAllTokens( CKM_INVALID_MECHANISM, PR_FALSE, PR_FALSE, NULL ) ;
472 	if( soltList != NULL )
473 	{
474 		for( soltEle = soltList->head ; soltEle != NULL; soltEle = soltEle->next )
475 		{
476 			pSlot = soltEle->slot ;
477 
478 			if(pSlot != NULL)
479 			{
480 				RTL_LOGFILE_TRACE2( "XMLSEC: Found a slot: SlotName=%s, TokenName=%s", PK11_GetSlotName(pSlot), PK11_GetTokenName(pSlot) );
481 
482 //The following code which is commented out checks if a slot, that is a smart card for example, is
483 //				able to generate a symmetric key of type CKM_DES3_CBC. If this fails then this token
484 //				will not be used. This key is possibly used for the encryption service. However, all
485 //				interfaces and services used for public key signature and encryption are not published
486 //				and the encryption is not used in OOo. Therefore it does not do any harm to remove
487 //				this code, hence allowing smart cards which cannot generate this type of key.
488 //
489 //              By doing this, the encryption may fail if a smart card is being used which does not
490 //              support this key generation.
491 //
492 				pSymKey = PK11_KeyGen( pSlot , CKM_DES3_CBC, NULL, 128, NULL ) ;
493 // 				if( pSymKey == NULL )
494 // 				{
495 // 					PK11_FreeSlot( pSlot ) ;
496 // 					RTL_LOGFILE_TRACE( "XMLSEC: Error - pSymKey is NULL" );
497 // 					continue;
498 // 				}
499 				addCryptoSlot(pSlot);
500                 PK11_FreeSlot( pSlot ) ;
501 				pSlot = NULL;
502 
503                 if (pSymKey != NULL)
504                 {
505                     adoptSymKey( pSymKey ) ;
506                     PK11_FreeSymKey( pSymKey ) ;
507                     pSymKey = NULL;
508                 }
509 
510 			}// end of if(pSlot != NULL)
511 		}// end of for
512 	}// end of if( soltList != NULL )
513 
514 }
515 
516 
517 Sequence< Reference < XCertificate > >
getPersonalCertificates()518 SecurityEnvironment_NssImpl::getPersonalCertificates() throw( SecurityException , RuntimeException )
519 {
520 	sal_Int32 length ;
521 	X509Certificate_NssImpl* xcert ;
522 	std::list< X509Certificate_NssImpl* > certsList ;
523 
524     updateSlots();
525 	//firstly, we try to find private keys in slot
526 	for (CIT_SLOTS is = m_Slots.begin(); is != m_Slots.end(); is++)
527 	{
528 		PK11SlotInfo *slot = *is;
529 		SECKEYPrivateKeyList* priKeyList ;
530 		SECKEYPrivateKeyListNode* curPri ;
531 
532 		if( PK11_NeedLogin(slot ) ) {
533 			SECStatus nRet = PK11_Authenticate(slot, PR_TRUE, NULL);
534 			//PK11_Authenticate may fail in case the a slot has not been initialized.
535 			//this is the case if the user has a new profile, so that they have never
536 			//added a personal certificate.
537 			if( nRet != SECSuccess && PORT_GetError() != SEC_ERROR_IO) {
538 				throw NoPasswordException();
539 			}
540 		}
541 
542 		priKeyList = PK11_ListPrivateKeysInSlot(slot) ;
543 		if( priKeyList != NULL ) {
544 			for( curPri = PRIVKEY_LIST_HEAD( priKeyList );
545 				!PRIVKEY_LIST_END( curPri, priKeyList ) && curPri != NULL ;
546 				curPri = PRIVKEY_LIST_NEXT( curPri ) ) {
547 				xcert = NssPrivKeyToXCert( curPri->key ) ;
548 				if( xcert != NULL )
549 					certsList.push_back( xcert ) ;
550 			}
551 		}
552 
553 		SECKEY_DestroyPrivateKeyList( priKeyList ) ;
554 	}
555 
556 	//secondly, we try to find certificate from registered private keys.
557 	if( !m_tPriKeyList.empty()  ) {
558 		std::list< SECKEYPrivateKey* >::iterator priKeyIt ;
559 
560 		for( priKeyIt = m_tPriKeyList.begin() ; priKeyIt != m_tPriKeyList.end() ; priKeyIt ++ ) {
561 			xcert = NssPrivKeyToXCert( *priKeyIt ) ;
562 			if( xcert != NULL )
563 				certsList.push_back( xcert ) ;
564 		}
565 	}
566 
567 	length = certsList.size() ;
568 	if( length != 0 ) {
569 		int i ;
570 		std::list< X509Certificate_NssImpl* >::iterator xcertIt ;
571 		Sequence< Reference< XCertificate > > certSeq( length ) ;
572 
573 		for( i = 0, xcertIt = certsList.begin(); xcertIt != certsList.end(); xcertIt ++, i++ ) {
574 			certSeq[i] = *xcertIt ;
575 		}
576 
577 		return certSeq ;
578 	}
579 
580 	return Sequence< Reference < XCertificate > > ();
581 }
582 
getCertificate(const OUString & issuerName,const Sequence<sal_Int8> & serialNumber)583 Reference< XCertificate > SecurityEnvironment_NssImpl :: getCertificate( const OUString& issuerName, const Sequence< sal_Int8 >& serialNumber ) throw( SecurityException , RuntimeException )
584 {
585 	X509Certificate_NssImpl* xcert = NULL;
586 
587 	if( m_pHandler != NULL ) {
588 		CERTIssuerAndSN issuerAndSN ;
589 		CERTCertificate* cert ;
590 		CERTName* nmIssuer ;
591 		char* chIssuer ;
592 		SECItem* derIssuer ;
593 		PRArenaPool* arena ;
594 
595 		arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE ) ;
596 		if( arena == NULL )
597 			throw RuntimeException() ;
598 
599                 /*
600                  * mmi : because MS Crypto use the 'S' tag (equal to the 'ST' tag in NSS), but the NSS can't recognise
601                  *      it, so the 'S' tag should be changed to 'ST' tag
602                  *
603                  * PS  : it can work, but inside libxmlsec, the 'S' tag is till used to find cert in NSS engine, so it
604                  *       is not useful at all. (comment out now)
605                  */
606 
607                 /*
608                 sal_Int32 nIndex = 0;
609                 OUString newIssuerName;
610                 do
611                 {
612                 	OUString aToken = issuerName.getToken( 0, ',', nIndex ).trim();
613                 	if (aToken.compareToAscii("S=",2) == 0)
614                 	{
615                 		newIssuerName+=OUString::createFromAscii("ST=");
616                 		newIssuerName+=aToken.copy(2);
617                 	}
618                 	else
619                 	{
620                 		newIssuerName+=aToken;
621                 	}
622 
623                 	if (nIndex >= 0)
624                 	{
625                 		newIssuerName+=OUString::createFromAscii(",");
626                 	}
627                 } while ( nIndex >= 0 );
628                 */
629 
630                 /* end */
631 
632 		//Create cert info from issue and serial
633 		rtl::OString ostr = rtl::OUStringToOString( issuerName , RTL_TEXTENCODING_UTF8 ) ;
634 		chIssuer = PL_strndup( ( char* )ostr.getStr(), ( int )ostr.getLength() ) ;
635 		nmIssuer = CERT_AsciiToName( chIssuer ) ;
636 		if( nmIssuer == NULL ) {
637 			PL_strfree( chIssuer ) ;
638 			PORT_FreeArena( arena, PR_FALSE ) ;
639 
640 			/*
641 			 * i40394
642 			 *
643 			 * mmi : no need to throw exception
644 			 *       just return "no found"
645 			 */
646 			//throw RuntimeException() ;
647 			return NULL;
648 		}
649 
650 		derIssuer = SEC_ASN1EncodeItem( arena, NULL, ( void* )nmIssuer, SEC_ASN1_GET( CERT_NameTemplate ) ) ;
651 		if( derIssuer == NULL ) {
652 			PL_strfree( chIssuer ) ;
653 			CERT_DestroyName( nmIssuer ) ;
654 			PORT_FreeArena( arena, PR_FALSE ) ;
655 			throw RuntimeException() ;
656 		}
657 
658 		memset( &issuerAndSN, 0, sizeof( issuerAndSN ) ) ;
659 
660 		issuerAndSN.derIssuer.data = derIssuer->data ;
661 		issuerAndSN.derIssuer.len = derIssuer->len ;
662 
663 		issuerAndSN.serialNumber.data = ( unsigned char* )&serialNumber[0] ;
664 		issuerAndSN.serialNumber.len = serialNumber.getLength() ;
665 
666 		cert = CERT_FindCertByIssuerAndSN( m_pHandler, &issuerAndSN ) ;
667 		if( cert != NULL ) {
668 			xcert = NssCertToXCert( cert ) ;
669 		} else {
670 			xcert = NULL ;
671 		}
672 
673 		PL_strfree( chIssuer ) ;
674 		CERT_DestroyName( nmIssuer ) ;
675 		//SECITEM_FreeItem( derIssuer, PR_FALSE ) ;
676 		CERT_DestroyCertificate( cert ) ;
677 		PORT_FreeArena( arena, PR_FALSE ) ;
678 	} else {
679 		xcert = NULL ;
680 	}
681 
682 	return xcert ;
683 }
684 
getCertificate(const OUString & issuerName,const OUString & serialNumber)685 Reference< XCertificate > SecurityEnvironment_NssImpl :: getCertificate( const OUString& issuerName, const OUString& serialNumber ) throw( SecurityException , RuntimeException ) {
686 	Sequence< sal_Int8 > serial = numericStringToBigInteger( serialNumber ) ;
687 	return getCertificate( issuerName, serial ) ;
688 }
689 
buildCertificatePath(const Reference<XCertificate> & begin)690 Sequence< Reference < XCertificate > > SecurityEnvironment_NssImpl :: buildCertificatePath( const Reference< XCertificate >& begin ) throw( SecurityException , RuntimeException ) {
691 	const X509Certificate_NssImpl* xcert ;
692 	const CERTCertificate* cert ;
693 	CERTCertList* certChain ;
694 
695 	Reference< XUnoTunnel > xCertTunnel( begin, UNO_QUERY ) ;
696 	if( !xCertTunnel.is() ) {
697 		throw RuntimeException() ;
698 	}
699 
700 	xcert = reinterpret_cast<X509Certificate_NssImpl*>(
701         sal::static_int_cast<sal_uIntPtr>(xCertTunnel->getSomething( X509Certificate_NssImpl::getUnoTunnelId() ))) ;
702 	if( xcert == NULL ) {
703 		throw RuntimeException() ;
704 	}
705 
706 	cert = xcert->getNssCert() ;
707 	if( cert != NULL ) {
708 		int64 timeboundary ;
709 
710 		//Get the system clock time
711 		timeboundary = PR_Now() ;
712 
713 		certChain = CERT_GetCertChainFromCert( ( CERTCertificate* )cert, timeboundary, certUsageAnyCA ) ;
714 	} else {
715 		certChain = NULL ;
716 	}
717 
718 	if( certChain != NULL ) {
719 		X509Certificate_NssImpl* pCert ;
720 		CERTCertListNode* node ;
721 		int len ;
722 
723 		for( len = 0, node = CERT_LIST_HEAD( certChain ); !CERT_LIST_END( node, certChain ); node = CERT_LIST_NEXT( node ), len ++ ) ;
724 		Sequence< Reference< XCertificate > > xCertChain( len ) ;
725 
726 		for( len = 0, node = CERT_LIST_HEAD( certChain ); !CERT_LIST_END( node, certChain ); node = CERT_LIST_NEXT( node ), len ++ ) {
727 			pCert = new X509Certificate_NssImpl() ;
728 			if( pCert == NULL ) {
729 				CERT_DestroyCertList( certChain ) ;
730 				throw RuntimeException() ;
731 			}
732 
733 			pCert->setCert( node->cert ) ;
734 
735 			xCertChain[len] = pCert ;
736 		}
737 
738 		CERT_DestroyCertList( certChain ) ;
739 
740 		return xCertChain ;
741 	}
742 
743 	return Sequence< Reference < XCertificate > >();
744 }
745 
createCertificateFromRaw(const Sequence<sal_Int8> & rawCertificate)746 Reference< XCertificate > SecurityEnvironment_NssImpl :: createCertificateFromRaw( const Sequence< sal_Int8 >& rawCertificate ) throw( SecurityException , RuntimeException ) {
747 	X509Certificate_NssImpl* xcert ;
748 
749 	if( rawCertificate.getLength() > 0 ) {
750 		xcert = new X509Certificate_NssImpl() ;
751 		if( xcert == NULL )
752 			throw RuntimeException() ;
753 
754 		xcert->setRawCert( rawCertificate ) ;
755 	} else {
756 		xcert = NULL ;
757 	}
758 
759 	return xcert ;
760 }
761 
createCertificateFromAscii(const OUString & asciiCertificate)762 Reference< XCertificate > SecurityEnvironment_NssImpl :: createCertificateFromAscii( const OUString& asciiCertificate ) throw( SecurityException , RuntimeException ) {
763 	xmlChar* chCert ;
764 	xmlSecSize certSize ;
765 
766 	rtl::OString oscert = rtl::OUStringToOString( asciiCertificate , RTL_TEXTENCODING_ASCII_US ) ;
767 
768 	chCert = xmlStrndup( ( const xmlChar* )oscert.getStr(), ( int )oscert.getLength() ) ;
769 
770 	certSize = xmlSecBase64Decode( chCert, ( xmlSecByte* )chCert, xmlStrlen( chCert ) ) ;
771 
772 	Sequence< sal_Int8 > rawCert( certSize ) ;
773 	for( unsigned int i = 0 ; i < certSize ; i ++ )
774 		rawCert[i] = *( chCert + i ) ;
775 
776 	xmlFree( chCert ) ;
777 
778 	return createCertificateFromRaw( rawCert ) ;
779 }
780 
781 sal_Int32 SecurityEnvironment_NssImpl ::
verifyCertificate(const Reference<csss::XCertificate> & aCert,const Sequence<Reference<csss::XCertificate>> & intermediateCerts)782 verifyCertificate( const Reference< csss::XCertificate >& aCert,
783                    const Sequence< Reference< csss::XCertificate > >&  intermediateCerts )
784     throw( ::com::sun::star::uno::SecurityException, ::com::sun::star::uno::RuntimeException )
785 {
786 	sal_Int32 validity = csss::CertificateValidity::INVALID;
787 	const X509Certificate_NssImpl* xcert ;
788 	const CERTCertificate* cert ;
789     ::std::vector<CERTCertificate*> vecTmpNSSCertificates;
790 	Reference< XUnoTunnel > xCertTunnel( aCert, UNO_QUERY ) ;
791 	if( !xCertTunnel.is() ) {
792 		throw RuntimeException() ;
793 	}
794 
795     xmlsec_trace("Start verification of certificate: \n %s \n",
796               OUStringToOString(
797                   aCert->getSubjectName(), osl_getThreadTextEncoding()).getStr());
798 
799 	xcert = reinterpret_cast<X509Certificate_NssImpl*>(
800        sal::static_int_cast<sal_uIntPtr>(xCertTunnel->getSomething( X509Certificate_NssImpl::getUnoTunnelId() ))) ;
801 	if( xcert == NULL ) {
802 		throw RuntimeException() ;
803 	}
804 
805     //CERT_PKIXVerifyCert does not take a db as argument. It will therefore
806     //internally use CERT_GetDefaultCertDB
807     //Make sure m_pHandler is the default DB
808     OSL_ASSERT(m_pHandler == CERT_GetDefaultCertDB());
809     CERTCertDBHandle * certDb = m_pHandler != NULL ? m_pHandler : CERT_GetDefaultCertDB();
810 	cert = xcert->getNssCert() ;
811 	if( cert != NULL )
812     {
813 
814         //prepare the intermediate certificates
815         for (sal_Int32 i = 0; i < intermediateCerts.getLength(); i++)
816         {
817             Sequence<sal_Int8> der = intermediateCerts[i]->getEncoded();
818             SECItem item;
819             item.type = siBuffer;
820             item.data = (unsigned char*)der.getArray();
821             item.len = der.getLength();
822 
823             CERTCertificate* certTmp = CERT_NewTempCertificate(certDb, &item,
824                                            NULL     /* nickname */,
825                                            PR_FALSE /* isPerm */,
826                                            PR_TRUE  /* copyDER */);
827              if (!certTmp)
828              {
829                  xmlsec_trace("Failed to add a temporary certificate: %s",
830                            OUStringToOString(intermediateCerts[i]->getIssuerName(),
831                                              osl_getThreadTextEncoding()).getStr());
832 
833              }
834              else
835              {
836                  xmlsec_trace("Added temporary certificate: %s",
837                            certTmp->subjectName ? certTmp->subjectName : "");
838                  vecTmpNSSCertificates.push_back(certTmp);
839              }
840         }
841 
842 
843 		SECStatus status ;
844 
845         CERTVerifyLog log;
846         log.arena = PORT_NewArena(512);
847         log.head = log.tail = NULL;
848         log.count = 0;
849 
850         CERT_EnableOCSPChecking(certDb);
851         CERT_DisableOCSPDefaultResponder(certDb);
852         CERTValOutParam cvout[5];
853         CERTValInParam cvin[3];
854 
855         cvin[0].type = cert_pi_useAIACertFetch;
856         cvin[0].value.scalar.b = PR_TRUE;
857 
858         PRUint64 revFlagsLeaf[2];
859         PRUint64 revFlagsChain[2];
860         CERTRevocationFlags rev;
861         rev.leafTests.number_of_defined_methods = 2;
862         rev.leafTests.cert_rev_flags_per_method = revFlagsLeaf;
863         //the flags are defined in cert.h
864         //We check both leaf and chain.
865         //It is enough if one revocation method has fresh info,
866         //but at least one must have some. Otherwise validation fails.
867         //!!! using leaf test and CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE
868         // when validating a root certificate will result in "revoked". Usually
869         //there is no revocation information available for the root cert because
870         //it must be trusted anyway and it does itself issue revocation information.
871         //When we use the flag here and OOo shows the certification path then the root
872         //cert is invalid while all other can be valid. It would probably best if
873         //this interface method returned the whole chain.
874         //Otherwise we need to check if the certificate is self-signed and if it is
875         //then not use the flag when doing the leaf-test.
876         rev.leafTests.cert_rev_flags_per_method[cert_revocation_method_crl] =
877             CERT_REV_M_TEST_USING_THIS_METHOD
878             | CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE;
879         rev.leafTests.cert_rev_flags_per_method[cert_revocation_method_ocsp] =
880             CERT_REV_M_TEST_USING_THIS_METHOD
881             | CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE;
882         rev.leafTests.number_of_preferred_methods = 0;
883         rev.leafTests.preferred_methods = NULL;
884         rev.leafTests.cert_rev_method_independent_flags =
885             CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST;
886 //            | CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE;
887 
888         rev.chainTests.number_of_defined_methods = 2;
889         rev.chainTests.cert_rev_flags_per_method = revFlagsChain;
890         rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_crl] =
891             CERT_REV_M_TEST_USING_THIS_METHOD
892             | CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE;
893         rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_ocsp] =
894             CERT_REV_M_TEST_USING_THIS_METHOD
895             | CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE;
896         rev.chainTests.number_of_preferred_methods = 0;
897         rev.chainTests.preferred_methods = NULL;
898         rev.chainTests.cert_rev_method_independent_flags =
899             CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST;
900 //            | CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE;
901 
902 
903         cvin[1].type = cert_pi_revocationFlags;
904         cvin[1].value.pointer.revocation = &rev;
905         // does not work, not implemented yet in 3.12.4
906 //         cvin[2].type = cert_pi_keyusage;
907 //         cvin[2].value.scalar.ui = KU_DIGITAL_SIGNATURE;
908         cvin[2].type = cert_pi_end;
909 
910         cvout[0].type = cert_po_trustAnchor;
911         cvout[0].value.pointer.cert = NULL;
912         cvout[1].type = cert_po_errorLog;
913         cvout[1].value.pointer.log = &log;
914         cvout[2].type = cert_po_end;
915 
916         // We check SSL server certificates, CA certificates and signing sertificates.
917         //
918         // ToDo check keyusage, looking at CERT_KeyUsageAndTypeForCertUsage (
919         // mozilla/security/nss/lib/certdb/certdb.c indicates that
920         // certificateUsageSSLClient, certificateUsageSSLServer and certificateUsageSSLCA
921         // are sufficient. They cover the key usages for digital signature, key agreement
922         // and encipherment and certificate signature
923 
924         //never use the following usages because they are not checked properly
925         // certificateUsageUserCertImport
926         // certificateUsageVerifyCA
927         // certificateUsageAnyCA
928         // certificateUsageProtectedObjectSigner
929 
930         UsageDescription arUsages[5];
931         arUsages[0] = UsageDescription( certificateUsageSSLClient, "certificateUsageSSLClient"  );
932         arUsages[1] = UsageDescription( certificateUsageSSLServer, "certificateUsageSSLServer"  );
933         arUsages[2] = UsageDescription( certificateUsageSSLCA, "certificateUsageSSLCA"  );
934         arUsages[3] = UsageDescription( certificateUsageEmailSigner, "certificateUsageEmailSigner" );
935         arUsages[4] = UsageDescription( certificateUsageEmailRecipient, "certificateUsageEmailRecipient" );
936 
937         int numUsages = sizeof(arUsages) / sizeof(UsageDescription);
938         for (int i = 0; i < numUsages; i++)
939         {
940             xmlsec_trace("Testing usage %d of %d: %s (0x%x)", i + 1,
941                       numUsages, arUsages[i].description, (int) arUsages[i].usage);
942 
943             status = CERT_PKIXVerifyCert(const_cast<CERTCertificate *>(cert), arUsages[i].usage,
944                                          cvin, cvout, NULL);
945             if( status == SECSuccess )
946             {
947                 xmlsec_trace("CERT_PKIXVerifyCert returned SECSuccess.");
948                 //When an intermediate or root certificate is checked then we expect the usage
949                 //certificateUsageSSLCA. This, however, will be only set when in the trust settings dialog
950                 //the button "This certificate can identify websites" is checked. If for example only
951                 //"This certificate can identify mail users" is set then the end certificate can
952                 //be validated and the returned usage will conain certificateUsageEmailRecipient.
953                 //But checking directly the root or intermediate certificate will fail. In the
954                 //certificate path view the end certificate will be shown as valid but the others
955                 //will be displayed as invalid.
956 
957                 validity = csss::CertificateValidity::VALID;
958                 xmlsec_trace("Certificate is valid.\n");
959                 CERTCertificate * issuerCert = cvout[0].value.pointer.cert;
960                 if (issuerCert)
961                 {
962                     xmlsec_trace("Root certificate: %s", issuerCert->subjectName);
963                     CERT_DestroyCertificate(issuerCert);
964                 };
965 
966                 break;
967             }
968             else
969             {
970                 PRIntn err = PR_GetError();
971                 xmlsec_trace("Error: , %d = %s", err, getCertError(err));
972 
973                 /* Display validation results */
974                 if ( log.count > 0)
975                 {
976                     CERTVerifyLogNode *node = NULL;
977                     printChainFailure(&log);
978 
979                     for (node = log.head; node; node = node->next) {
980                         if (node->cert)
981                             CERT_DestroyCertificate(node->cert);
982                     }
983                     log.head = log.tail = NULL;
984                     log.count = 0;
985                 }
986                 xmlsec_trace("Certificate is invalid.\n");
987             }
988         }
989 
990     }
991     else
992     {
993         validity = ::com::sun::star::security::CertificateValidity::INVALID ;
994     }
995 
996     //Destroying the temporary certificates
997     std::vector<CERTCertificate*>::const_iterator cert_i;
998     for (cert_i = vecTmpNSSCertificates.begin(); cert_i != vecTmpNSSCertificates.end(); cert_i++)
999     {
1000         xmlsec_trace("Destroying temporary certificate");
1001         CERT_DestroyCertificate(*cert_i);
1002     }
1003 	return validity ;
1004 }
1005 
getCertificateCharacters(const::com::sun::star::uno::Reference<::com::sun::star::security::XCertificate> & aCert)1006 sal_Int32 SecurityEnvironment_NssImpl::getCertificateCharacters(
1007 	const ::com::sun::star::uno::Reference< ::com::sun::star::security::XCertificate >& aCert ) throw( ::com::sun::star::uno::SecurityException, ::com::sun::star::uno::RuntimeException ) {
1008 	sal_Int32 characters ;
1009 	const X509Certificate_NssImpl* xcert ;
1010 	const CERTCertificate* cert ;
1011 
1012 	Reference< XUnoTunnel > xCertTunnel( aCert, UNO_QUERY ) ;
1013 	if( !xCertTunnel.is() ) {
1014 		throw RuntimeException() ;
1015 	}
1016 
1017 	xcert = reinterpret_cast<X509Certificate_NssImpl*>(
1018         sal::static_int_cast<sal_uIntPtr>(xCertTunnel->getSomething( X509Certificate_NssImpl::getUnoTunnelId() ))) ;
1019 	if( xcert == NULL ) {
1020 		throw RuntimeException() ;
1021 	}
1022 
1023 	cert = xcert->getNssCert() ;
1024 
1025 	characters = 0x00000000 ;
1026 
1027 	//Firstly, find out whether or not the cert is self-signed.
1028 	if( SECITEM_CompareItem( &(cert->derIssuer), &(cert->derSubject) ) == SECEqual ) {
1029 		characters |= ::com::sun::star::security::CertificateCharacters::SELF_SIGNED ;
1030 	} else {
1031 		characters &= ~ ::com::sun::star::security::CertificateCharacters::SELF_SIGNED ;
1032 	}
1033 
1034 	//Secondly, find out whether or not the cert has a private key.
1035 
1036 	/*
1037 	 * i40394
1038 	 *
1039 	 * mmi : need to check whether the cert's slot is valid first
1040 	 */
1041 	SECKEYPrivateKey* priKey = NULL;
1042 
1043 	if (cert->slot != NULL)
1044 	{
1045 		priKey = PK11_FindPrivateKeyFromCert( cert->slot, ( CERTCertificate* )cert, NULL ) ;
1046 	}
1047 	if(priKey == NULL)
1048 	{
1049 		for (CIT_SLOTS is = m_Slots.begin(); is != m_Slots.end(); is++)
1050 		{
1051 			priKey = PK11_FindPrivateKeyFromCert(*is, (CERTCertificate*)cert, NULL);
1052 			if (priKey)
1053 				break;
1054 		}
1055 	}
1056 	if( priKey != NULL ) {
1057 		characters |=  ::com::sun::star::security::CertificateCharacters::HAS_PRIVATE_KEY ;
1058 
1059 		SECKEY_DestroyPrivateKey( priKey ) ;
1060 	} else {
1061 		characters &= ~ ::com::sun::star::security::CertificateCharacters::HAS_PRIVATE_KEY ;
1062 	}
1063 
1064 	return characters ;
1065 }
1066 
NssCertToXCert(CERTCertificate * cert)1067 X509Certificate_NssImpl* NssCertToXCert( CERTCertificate* cert )
1068 {
1069 	X509Certificate_NssImpl* xcert ;
1070 
1071 	if( cert != NULL ) {
1072 		xcert = new X509Certificate_NssImpl() ;
1073 		if( xcert == NULL ) {
1074 			xcert = NULL ;
1075 		} else {
1076 			xcert->setCert( cert ) ;
1077 		}
1078 	} else {
1079 		xcert = NULL ;
1080 	}
1081 
1082 	return xcert ;
1083 }
1084 
NssPrivKeyToXCert(SECKEYPrivateKey * priKey)1085 X509Certificate_NssImpl* NssPrivKeyToXCert( SECKEYPrivateKey* priKey )
1086 {
1087 	CERTCertificate* cert ;
1088 	X509Certificate_NssImpl* xcert ;
1089 
1090 	if( priKey != NULL ) {
1091 		cert = PK11_GetCertFromPrivateKey( priKey ) ;
1092 
1093 		if( cert != NULL ) {
1094 			xcert = NssCertToXCert( cert ) ;
1095 		} else {
1096 			xcert = NULL ;
1097 		}
1098 
1099 		CERT_DestroyCertificate( cert ) ;
1100 	} else {
1101 		xcert = NULL ;
1102 	}
1103 
1104 	return xcert ;
1105 }
1106 
1107 
1108 /* Native methods */
createKeysManager()1109 xmlSecKeysMngrPtr SecurityEnvironment_NssImpl::createKeysManager() throw( Exception, RuntimeException ) {
1110 
1111 	unsigned int i ;
1112 	CERTCertDBHandle* handler = NULL ;
1113 	PK11SymKey* symKey = NULL ;
1114 	SECKEYPublicKey* pubKey = NULL ;
1115 	SECKEYPrivateKey* priKey = NULL ;
1116 	xmlSecKeysMngrPtr pKeysMngr = NULL ;
1117 
1118 	handler = this->getCertDb() ;
1119 
1120 	/*-
1121 	 * The following lines is based on the private version of xmlSec-NSS
1122 	 * crypto engine
1123 	 */
1124 	int cSlots = m_Slots.size();
1125 	boost::scoped_array<PK11SlotInfo*> sarSlots(new PK11SlotInfo*[cSlots]);
1126 	PK11SlotInfo**  slots = sarSlots.get();
1127 	int count = 0;
1128 	for (CIT_SLOTS islots = m_Slots.begin();islots != m_Slots.end(); islots++, count++)
1129 		slots[count] = *islots;
1130 
1131 	pKeysMngr = xmlSecNssAppliedKeysMngrCreate(slots, cSlots, handler ) ;
1132 	if( pKeysMngr == NULL )
1133 		throw RuntimeException() ;
1134 
1135 	/*-
1136 	 * Adopt symmetric key into keys manager
1137 	 */
1138 	for( i = 0 ; ( symKey = this->getSymKey( i ) ) != NULL ; i ++ ) {
1139 		if( xmlSecNssAppliedKeysMngrSymKeyLoad( pKeysMngr, symKey ) < 0 ) {
1140 			throw RuntimeException() ;
1141 		}
1142 	}
1143 
1144 	/*-
1145 	 * Adopt asymmetric public key into keys manager
1146 	 */
1147 	for( i = 0 ; ( pubKey = this->getPubKey( i ) ) != NULL ; i ++ ) {
1148 		if( xmlSecNssAppliedKeysMngrPubKeyLoad( pKeysMngr, pubKey ) < 0 ) {
1149 			throw RuntimeException() ;
1150 		}
1151 	}
1152 
1153 	/*-
1154 	 * Adopt asymmetric private key into keys manager
1155 	 */
1156 	for( i = 0 ; ( priKey = this->getPriKey( i ) ) != NULL ; i ++ ) {
1157 		if( xmlSecNssAppliedKeysMngrPriKeyLoad( pKeysMngr, priKey ) < 0 ) {
1158 			throw RuntimeException() ;
1159 		}
1160 	}
1161 	return pKeysMngr ;
1162 }
destroyKeysManager(xmlSecKeysMngrPtr pKeysMngr)1163 void SecurityEnvironment_NssImpl::destroyKeysManager(xmlSecKeysMngrPtr pKeysMngr) throw( Exception, RuntimeException ) {
1164 	if( pKeysMngr != NULL ) {
1165 		xmlSecKeysMngrDestroy( pKeysMngr ) ;
1166 	}
1167 }
1168