1 /************************************************************** 2 * 3 * Licensed to the Apache Software Foundation (ASF) under one 4 * or more contributor license agreements. See the NOTICE file 5 * distributed with this work for additional information 6 * regarding copyright ownership. The ASF licenses this file 7 * to you under the Apache License, Version 2.0 (the 8 * "License"); you may not use this file except in compliance 9 * with the License. You may obtain a copy of the License at 10 * 11 * http://www.apache.org/licenses/LICENSE-2.0 12 * 13 * Unless required by applicable law or agreed to in writing, 14 * software distributed under the License is distributed on an 15 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 16 * KIND, either express or implied. See the License for the 17 * specific language governing permissions and limitations 18 * under the License. 19 * 20 *************************************************************/ 21 22 23 24 25 // MARKER(update_precomp.py): autogen include statement, do not remove 26 #include "precompiled_xmlsecurity.hxx" 27 28 //todo before commit: nssrenam.h is not delivered!!! 29 #ifndef __nssrenam_h_ 30 #define CERT_NewTempCertificate __CERT_NewTempCertificate 31 #endif /* __nssrenam_h_ */ 32 33 #include "cert.h" 34 #include "secerr.h" 35 #include "ocsp.h" 36 37 #include <sal/config.h> 38 #include "securityenvironment_nssimpl.hxx" 39 #include "x509certificate_nssimpl.hxx" 40 #include <rtl/uuid.h> 41 #include "../diagnose.hxx" 42 43 #include <sal/types.h> 44 //For reasons that escape me, this is what xmlsec does when size_t is not 4 45 #if SAL_TYPES_SIZEOFPOINTER != 4 46 # define XMLSEC_NO_SIZE_T 47 #endif 48 #include <xmlsec/xmlsec.h> 49 #include <xmlsec/keysmngr.h> 50 #include <xmlsec/crypto.h> 51 #include <xmlsec/base64.h> 52 #include <xmlsec/strings.h> 53 54 #include <tools/string.hxx> 55 #include <rtl/ustrbuf.hxx> 56 #include <comphelper/processfactory.hxx> 57 #include <cppuhelper/servicefactory.hxx> 58 #include <comphelper/docpasswordrequest.hxx> 59 #include <xmlsecurity/biginteger.hxx> 60 #include <rtl/logfile.h> 61 #include <com/sun/star/task/XInteractionHandler.hpp> 62 #include <vector> 63 #include "boost/scoped_array.hpp" 64 65 #include "secerror.hxx" 66 67 // MM : added for password exception 68 #include <com/sun/star/security/NoPasswordException.hpp> 69 namespace csss = ::com::sun::star::security; 70 using namespace xmlsecurity; 71 using namespace ::com::sun::star::security; 72 using namespace com::sun::star; 73 using namespace ::com::sun::star::uno ; 74 using namespace ::com::sun::star::lang ; 75 using ::com::sun::star::lang::XMultiServiceFactory ; 76 using ::com::sun::star::lang::XSingleServiceFactory ; 77 using ::rtl::OUString ; 78 79 using ::com::sun::star::xml::crypto::XSecurityEnvironment ; 80 using ::com::sun::star::security::XCertificate ; 81 82 extern X509Certificate_NssImpl* NssCertToXCert( CERTCertificate* cert ) ; 83 extern X509Certificate_NssImpl* NssPrivKeyToXCert( SECKEYPrivateKey* ) ; 84 85 86 struct UsageDescription 87 { 88 SECCertificateUsage usage; 89 char const* description; 90 91 UsageDescription() 92 : usage( certificateUsageCheckAllUsages ) 93 , description( NULL ) 94 {} 95 96 UsageDescription( SECCertificateUsage i_usage, char const* i_description ) 97 : usage( i_usage ) 98 , description( i_description ) 99 {} 100 101 UsageDescription( const UsageDescription& aDescription ) 102 : usage( aDescription.usage ) 103 , description( aDescription.description ) 104 {} 105 106 UsageDescription& operator =( const UsageDescription& aDescription ) 107 { 108 usage = aDescription.usage; 109 description = aDescription.description; 110 return *this; 111 } 112 }; 113 114 115 116 char* GetPasswordFunction( PK11SlotInfo* pSlot, PRBool bRetry, void* /*arg*/ ) 117 { 118 uno::Reference< lang::XMultiServiceFactory > xMSF( ::comphelper::getProcessServiceFactory() ); 119 if ( xMSF.is() ) 120 { 121 uno::Reference < task::XInteractionHandler > xInteractionHandler( 122 xMSF->createInstance( rtl::OUString::createFromAscii("com.sun.star.task.InteractionHandler") ), uno::UNO_QUERY ); 123 124 if ( xInteractionHandler.is() ) 125 { 126 task::PasswordRequestMode eMode = bRetry ? task::PasswordRequestMode_PASSWORD_REENTER : task::PasswordRequestMode_PASSWORD_ENTER; 127 ::comphelper::DocPasswordRequest* pPasswordRequest = new ::comphelper::DocPasswordRequest( 128 ::comphelper::DocPasswordRequestType_STANDARD, eMode, ::rtl::OUString::createFromAscii(PK11_GetTokenName(pSlot)) ); 129 130 uno::Reference< task::XInteractionRequest > xRequest( pPasswordRequest ); 131 xInteractionHandler->handle( xRequest ); 132 133 if ( pPasswordRequest->isPassword() ) 134 { 135 ByteString aPassword = ByteString( String( pPasswordRequest->getPassword() ), gsl_getSystemTextEncoding() ); 136 sal_uInt16 nLen = aPassword.Len(); 137 char* pPassword = (char*) PORT_Alloc( nLen+1 ) ; 138 pPassword[nLen] = 0; 139 memcpy( pPassword, aPassword.GetBuffer(), nLen ); 140 return pPassword; 141 } 142 } 143 } 144 return NULL; 145 } 146 147 SecurityEnvironment_NssImpl :: SecurityEnvironment_NssImpl( const Reference< XMultiServiceFactory >& ) : 148 m_pHandler( NULL ) , m_tSymKeyList() , m_tPubKeyList() , m_tPriKeyList() { 149 150 PK11_SetPasswordFunc( GetPasswordFunction ) ; 151 } 152 153 SecurityEnvironment_NssImpl :: ~SecurityEnvironment_NssImpl() { 154 155 PK11_SetPasswordFunc( NULL ) ; 156 157 for (CIT_SLOTS i = m_Slots.begin(); i != m_Slots.end(); i++) 158 { 159 PK11_FreeSlot(*i); 160 } 161 162 if( !m_tSymKeyList.empty() ) { 163 std::list< PK11SymKey* >::iterator symKeyIt ; 164 165 for( symKeyIt = m_tSymKeyList.begin() ; symKeyIt != m_tSymKeyList.end() ; symKeyIt ++ ) 166 PK11_FreeSymKey( *symKeyIt ) ; 167 } 168 169 if( !m_tPubKeyList.empty() ) { 170 std::list< SECKEYPublicKey* >::iterator pubKeyIt ; 171 172 for( pubKeyIt = m_tPubKeyList.begin() ; pubKeyIt != m_tPubKeyList.end() ; pubKeyIt ++ ) 173 SECKEY_DestroyPublicKey( *pubKeyIt ) ; 174 } 175 176 if( !m_tPriKeyList.empty() ) { 177 std::list< SECKEYPrivateKey* >::iterator priKeyIt ; 178 179 for( priKeyIt = m_tPriKeyList.begin() ; priKeyIt != m_tPriKeyList.end() ; priKeyIt ++ ) 180 SECKEY_DestroyPrivateKey( *priKeyIt ) ; 181 } 182 } 183 184 /* XInitialization */ 185 void SAL_CALL SecurityEnvironment_NssImpl :: initialize( const Sequence< Any >& ) throw( Exception, RuntimeException ) { 186 // TBD 187 } ; 188 189 /* XServiceInfo */ 190 OUString SAL_CALL SecurityEnvironment_NssImpl :: getImplementationName() throw( RuntimeException ) { 191 return impl_getImplementationName() ; 192 } 193 194 /* XServiceInfo */ 195 sal_Bool SAL_CALL SecurityEnvironment_NssImpl :: supportsService( const OUString& serviceName) throw( RuntimeException ) { 196 Sequence< OUString > seqServiceNames = getSupportedServiceNames() ; 197 const OUString* pArray = seqServiceNames.getConstArray() ; 198 for( sal_Int32 i = 0 ; i < seqServiceNames.getLength() ; i ++ ) { 199 if( *( pArray + i ) == serviceName ) 200 return sal_True ; 201 } 202 return sal_False ; 203 } 204 205 /* XServiceInfo */ 206 Sequence< OUString > SAL_CALL SecurityEnvironment_NssImpl :: getSupportedServiceNames() throw( RuntimeException ) { 207 return impl_getSupportedServiceNames() ; 208 } 209 210 //Helper for XServiceInfo 211 Sequence< OUString > SecurityEnvironment_NssImpl :: impl_getSupportedServiceNames() { 212 ::osl::Guard< ::osl::Mutex > aGuard( ::osl::Mutex::getGlobalMutex() ) ; 213 Sequence< OUString > seqServiceNames( 1 ) ; 214 seqServiceNames.getArray()[0] = OUString::createFromAscii( "com.sun.star.xml.crypto.SecurityEnvironment" ) ; 215 return seqServiceNames ; 216 } 217 218 OUString SecurityEnvironment_NssImpl :: impl_getImplementationName() throw( RuntimeException ) { 219 return OUString::createFromAscii( "com.sun.star.xml.security.bridge.xmlsec.SecurityEnvironment_NssImpl" ) ; 220 } 221 222 //Helper for registry 223 Reference< XInterface > SAL_CALL SecurityEnvironment_NssImpl :: impl_createInstance( const Reference< XMultiServiceFactory >& aServiceManager ) throw( RuntimeException ) { 224 return Reference< XInterface >( *new SecurityEnvironment_NssImpl( aServiceManager ) ) ; 225 } 226 227 Reference< XSingleServiceFactory > SecurityEnvironment_NssImpl :: impl_createFactory( const Reference< XMultiServiceFactory >& aServiceManager ) { 228 //Reference< XSingleServiceFactory > xFactory ; 229 //xFactory = ::cppu::createSingleFactory( aServiceManager , impl_getImplementationName , impl_createInstance , impl_getSupportedServiceNames ) ; 230 //return xFactory ; 231 return ::cppu::createSingleFactory( aServiceManager , impl_getImplementationName() , impl_createInstance , impl_getSupportedServiceNames() ) ; 232 } 233 234 /* XUnoTunnel */ 235 sal_Int64 SAL_CALL SecurityEnvironment_NssImpl :: getSomething( const Sequence< sal_Int8 >& aIdentifier ) 236 throw( RuntimeException ) 237 { 238 if( aIdentifier.getLength() == 16 && 0 == rtl_compareMemory( getUnoTunnelId().getConstArray(), aIdentifier.getConstArray(), 16 ) ) { 239 return sal::static_int_cast<sal_Int64>(reinterpret_cast<sal_uIntPtr>(this)); 240 } 241 return 0 ; 242 } 243 244 /* XUnoTunnel extension */ 245 const Sequence< sal_Int8>& SecurityEnvironment_NssImpl :: getUnoTunnelId() { 246 static Sequence< sal_Int8 >* pSeq = 0 ; 247 if( !pSeq ) { 248 ::osl::Guard< ::osl::Mutex > aGuard( ::osl::Mutex::getGlobalMutex() ) ; 249 if( !pSeq ) { 250 static Sequence< sal_Int8> aSeq( 16 ) ; 251 rtl_createUuid( ( sal_uInt8* )aSeq.getArray() , 0 , sal_True ) ; 252 pSeq = &aSeq ; 253 } 254 } 255 return *pSeq ; 256 } 257 258 /* XUnoTunnel extension */ 259 SecurityEnvironment_NssImpl* SecurityEnvironment_NssImpl :: getImplementation( const Reference< XInterface > xObj ) { 260 Reference< XUnoTunnel > xUT( xObj , UNO_QUERY ) ; 261 if( xUT.is() ) { 262 return reinterpret_cast<SecurityEnvironment_NssImpl*>( 263 sal::static_int_cast<sal_uIntPtr>(xUT->getSomething( getUnoTunnelId() ))) ; 264 } else 265 return NULL ; 266 } 267 268 269 ::rtl::OUString SecurityEnvironment_NssImpl::getSecurityEnvironmentInformation() throw( ::com::sun::star::uno::RuntimeException ) 270 { 271 rtl::OUString result; 272 ::rtl::OUStringBuffer buff; 273 for (CIT_SLOTS is = m_Slots.begin(); is != m_Slots.end(); is++) 274 { 275 buff.append(rtl::OUString::createFromAscii(PK11_GetTokenName(*is))); 276 buff.appendAscii("\n"); 277 } 278 return buff.makeStringAndClear(); 279 } 280 281 void SecurityEnvironment_NssImpl::addCryptoSlot( PK11SlotInfo* aSlot) throw( Exception , RuntimeException ) 282 { 283 PK11_ReferenceSlot(aSlot); 284 m_Slots.push_back(aSlot); 285 } 286 287 CERTCertDBHandle* SecurityEnvironment_NssImpl :: getCertDb() throw( Exception , RuntimeException ) { 288 return m_pHandler ; 289 } 290 291 //Could we have multiple cert dbs? 292 void SecurityEnvironment_NssImpl :: setCertDb( CERTCertDBHandle* aCertDb ) throw( Exception , RuntimeException ) { 293 m_pHandler = aCertDb ; 294 } 295 296 void SecurityEnvironment_NssImpl :: adoptSymKey( PK11SymKey* aSymKey ) throw( Exception , RuntimeException ) { 297 PK11SymKey* symkey ; 298 std::list< PK11SymKey* >::iterator keyIt ; 299 300 if( aSymKey != NULL ) { 301 //First try to find the key in the list 302 for( keyIt = m_tSymKeyList.begin() ; keyIt != m_tSymKeyList.end() ; keyIt ++ ) { 303 if( *keyIt == aSymKey ) 304 return ; 305 } 306 307 //If we do not find the key in the list, add a new node 308 symkey = PK11_ReferenceSymKey( aSymKey ) ; 309 if( symkey == NULL ) 310 throw RuntimeException() ; 311 312 try { 313 m_tSymKeyList.push_back( symkey ) ; 314 } catch ( Exception& ) { 315 PK11_FreeSymKey( symkey ) ; 316 } 317 } 318 } 319 320 void SecurityEnvironment_NssImpl :: rejectSymKey( PK11SymKey* aSymKey ) throw( Exception , RuntimeException ) { 321 PK11SymKey* symkey ; 322 std::list< PK11SymKey* >::iterator keyIt ; 323 324 if( aSymKey != NULL ) { 325 for( keyIt = m_tSymKeyList.begin() ; keyIt != m_tSymKeyList.end() ; keyIt ++ ) { 326 if( *keyIt == aSymKey ) { 327 symkey = *keyIt ; 328 PK11_FreeSymKey( symkey ) ; 329 m_tSymKeyList.erase( keyIt ) ; 330 break ; 331 } 332 } 333 } 334 } 335 336 PK11SymKey* SecurityEnvironment_NssImpl :: getSymKey( unsigned int position ) throw( Exception , RuntimeException ) { 337 PK11SymKey* symkey ; 338 std::list< PK11SymKey* >::iterator keyIt ; 339 unsigned int pos ; 340 341 symkey = NULL ; 342 for( pos = 0, keyIt = m_tSymKeyList.begin() ; pos < position && keyIt != m_tSymKeyList.end() ; pos ++ , keyIt ++ ) ; 343 344 if( pos == position && keyIt != m_tSymKeyList.end() ) 345 symkey = *keyIt ; 346 347 return symkey ; 348 } 349 350 void SecurityEnvironment_NssImpl :: adoptPubKey( SECKEYPublicKey* aPubKey ) throw( Exception , RuntimeException ) { 351 SECKEYPublicKey* pubkey ; 352 std::list< SECKEYPublicKey* >::iterator keyIt ; 353 354 if( aPubKey != NULL ) { 355 //First try to find the key in the list 356 for( keyIt = m_tPubKeyList.begin() ; keyIt != m_tPubKeyList.end() ; keyIt ++ ) { 357 if( *keyIt == aPubKey ) 358 return ; 359 } 360 361 //If we do not find the key in the list, add a new node 362 pubkey = SECKEY_CopyPublicKey( aPubKey ) ; 363 if( pubkey == NULL ) 364 throw RuntimeException() ; 365 366 try { 367 m_tPubKeyList.push_back( pubkey ) ; 368 } catch ( Exception& ) { 369 SECKEY_DestroyPublicKey( pubkey ) ; 370 } 371 } 372 } 373 374 void SecurityEnvironment_NssImpl :: rejectPubKey( SECKEYPublicKey* aPubKey ) throw( Exception , RuntimeException ) { 375 SECKEYPublicKey* pubkey ; 376 std::list< SECKEYPublicKey* >::iterator keyIt ; 377 378 if( aPubKey != NULL ) { 379 for( keyIt = m_tPubKeyList.begin() ; keyIt != m_tPubKeyList.end() ; keyIt ++ ) { 380 if( *keyIt == aPubKey ) { 381 pubkey = *keyIt ; 382 SECKEY_DestroyPublicKey( pubkey ) ; 383 m_tPubKeyList.erase( keyIt ) ; 384 break ; 385 } 386 } 387 } 388 } 389 390 SECKEYPublicKey* SecurityEnvironment_NssImpl :: getPubKey( unsigned int position ) throw( Exception , RuntimeException ) { 391 SECKEYPublicKey* pubkey ; 392 std::list< SECKEYPublicKey* >::iterator keyIt ; 393 unsigned int pos ; 394 395 pubkey = NULL ; 396 for( pos = 0, keyIt = m_tPubKeyList.begin() ; pos < position && keyIt != m_tPubKeyList.end() ; pos ++ , keyIt ++ ) ; 397 398 if( pos == position && keyIt != m_tPubKeyList.end() ) 399 pubkey = *keyIt ; 400 401 return pubkey ; 402 } 403 404 void SecurityEnvironment_NssImpl :: adoptPriKey( SECKEYPrivateKey* aPriKey ) throw( Exception , RuntimeException ) { 405 SECKEYPrivateKey* prikey ; 406 std::list< SECKEYPrivateKey* >::iterator keyIt ; 407 408 if( aPriKey != NULL ) { 409 //First try to find the key in the list 410 for( keyIt = m_tPriKeyList.begin() ; keyIt != m_tPriKeyList.end() ; keyIt ++ ) { 411 if( *keyIt == aPriKey ) 412 return ; 413 } 414 415 //If we do not find the key in the list, add a new node 416 prikey = SECKEY_CopyPrivateKey( aPriKey ) ; 417 if( prikey == NULL ) 418 throw RuntimeException() ; 419 420 try { 421 m_tPriKeyList.push_back( prikey ) ; 422 } catch ( Exception& ) { 423 SECKEY_DestroyPrivateKey( prikey ) ; 424 } 425 } 426 } 427 428 void SecurityEnvironment_NssImpl :: rejectPriKey( SECKEYPrivateKey* aPriKey ) throw( Exception , RuntimeException ) { 429 SECKEYPrivateKey* prikey ; 430 std::list< SECKEYPrivateKey* >::iterator keyIt ; 431 432 if( aPriKey != NULL ) { 433 for( keyIt = m_tPriKeyList.begin() ; keyIt != m_tPriKeyList.end() ; keyIt ++ ) { 434 if( *keyIt == aPriKey ) { 435 prikey = *keyIt ; 436 SECKEY_DestroyPrivateKey( prikey ) ; 437 m_tPriKeyList.erase( keyIt ) ; 438 break ; 439 } 440 } 441 } 442 } 443 444 SECKEYPrivateKey* SecurityEnvironment_NssImpl :: getPriKey( unsigned int position ) throw( ::com::sun::star::uno::Exception , ::com::sun::star::uno::RuntimeException ) { 445 SECKEYPrivateKey* prikey ; 446 std::list< SECKEYPrivateKey* >::iterator keyIt ; 447 unsigned int pos ; 448 449 prikey = NULL ; 450 for( pos = 0, keyIt = m_tPriKeyList.begin() ; pos < position && keyIt != m_tPriKeyList.end() ; pos ++ , keyIt ++ ) ; 451 452 if( pos == position && keyIt != m_tPriKeyList.end() ) 453 prikey = *keyIt ; 454 455 return prikey ; 456 } 457 458 void SecurityEnvironment_NssImpl::updateSlots() 459 { 460 //In case new tokens are present then we can obtain the corresponding slot 461 PK11SlotList * soltList = NULL; 462 PK11SlotListElement * soltEle = NULL; 463 PK11SlotInfo * pSlot = NULL; 464 PK11SymKey * pSymKey = NULL; 465 466 osl::MutexGuard guard(m_mutex); 467 468 m_Slots.clear(); 469 m_tSymKeyList.clear(); 470 471 soltList = PK11_GetAllTokens( CKM_INVALID_MECHANISM, PR_FALSE, PR_FALSE, NULL ) ; 472 if( soltList != NULL ) 473 { 474 for( soltEle = soltList->head ; soltEle != NULL; soltEle = soltEle->next ) 475 { 476 pSlot = soltEle->slot ; 477 478 if(pSlot != NULL) 479 { 480 RTL_LOGFILE_TRACE2( "XMLSEC: Found a slot: SlotName=%s, TokenName=%s", PK11_GetSlotName(pSlot), PK11_GetTokenName(pSlot) ); 481 482 //The following code which is commented out checks if a slot, that is a smart card for example, is 483 // able to generate a symmetric key of type CKM_DES3_CBC. If this fails then this token 484 // will not be used. This key is possibly used for the encryption service. However, all 485 // interfaces and services used for public key signature and encryption are not published 486 // and the encryption is not used in OOo. Therefore it does not do any harm to remove 487 // this code, hence allowing smart cards which cannot generate this type of key. 488 // 489 // By doing this, the encryption may fail if a smart card is being used which does not 490 // support this key generation. 491 // 492 pSymKey = PK11_KeyGen( pSlot , CKM_DES3_CBC, NULL, 128, NULL ) ; 493 // if( pSymKey == NULL ) 494 // { 495 // PK11_FreeSlot( pSlot ) ; 496 // RTL_LOGFILE_TRACE( "XMLSEC: Error - pSymKey is NULL" ); 497 // continue; 498 // } 499 addCryptoSlot(pSlot); 500 PK11_FreeSlot( pSlot ) ; 501 pSlot = NULL; 502 503 if (pSymKey != NULL) 504 { 505 adoptSymKey( pSymKey ) ; 506 PK11_FreeSymKey( pSymKey ) ; 507 pSymKey = NULL; 508 } 509 510 }// end of if(pSlot != NULL) 511 }// end of for 512 }// end of if( soltList != NULL ) 513 514 } 515 516 517 Sequence< Reference < XCertificate > > 518 SecurityEnvironment_NssImpl::getPersonalCertificates() throw( SecurityException , RuntimeException ) 519 { 520 sal_Int32 length ; 521 X509Certificate_NssImpl* xcert ; 522 std::list< X509Certificate_NssImpl* > certsList ; 523 524 updateSlots(); 525 //firstly, we try to find private keys in slot 526 for (CIT_SLOTS is = m_Slots.begin(); is != m_Slots.end(); is++) 527 { 528 PK11SlotInfo *slot = *is; 529 SECKEYPrivateKeyList* priKeyList ; 530 SECKEYPrivateKeyListNode* curPri ; 531 532 if( PK11_NeedLogin(slot ) ) { 533 SECStatus nRet = PK11_Authenticate(slot, PR_TRUE, NULL); 534 //PK11_Authenticate may fail in case the a slot has not been initialized. 535 //this is the case if the user has a new profile, so that they have never 536 //added a personal certificate. 537 if( nRet != SECSuccess && PORT_GetError() != SEC_ERROR_IO) { 538 throw NoPasswordException(); 539 } 540 } 541 542 priKeyList = PK11_ListPrivateKeysInSlot(slot) ; 543 if( priKeyList != NULL ) { 544 for( curPri = PRIVKEY_LIST_HEAD( priKeyList ); 545 !PRIVKEY_LIST_END( curPri, priKeyList ) && curPri != NULL ; 546 curPri = PRIVKEY_LIST_NEXT( curPri ) ) { 547 xcert = NssPrivKeyToXCert( curPri->key ) ; 548 if( xcert != NULL ) 549 certsList.push_back( xcert ) ; 550 } 551 } 552 553 SECKEY_DestroyPrivateKeyList( priKeyList ) ; 554 } 555 556 //secondly, we try to find certificate from registered private keys. 557 if( !m_tPriKeyList.empty() ) { 558 std::list< SECKEYPrivateKey* >::iterator priKeyIt ; 559 560 for( priKeyIt = m_tPriKeyList.begin() ; priKeyIt != m_tPriKeyList.end() ; priKeyIt ++ ) { 561 xcert = NssPrivKeyToXCert( *priKeyIt ) ; 562 if( xcert != NULL ) 563 certsList.push_back( xcert ) ; 564 } 565 } 566 567 length = certsList.size() ; 568 if( length != 0 ) { 569 int i ; 570 std::list< X509Certificate_NssImpl* >::iterator xcertIt ; 571 Sequence< Reference< XCertificate > > certSeq( length ) ; 572 573 for( i = 0, xcertIt = certsList.begin(); xcertIt != certsList.end(); xcertIt ++, i++ ) { 574 certSeq[i] = *xcertIt ; 575 } 576 577 return certSeq ; 578 } 579 580 return Sequence< Reference < XCertificate > > (); 581 } 582 583 Reference< XCertificate > SecurityEnvironment_NssImpl :: getCertificate( const OUString& issuerName, const Sequence< sal_Int8 >& serialNumber ) throw( SecurityException , RuntimeException ) 584 { 585 X509Certificate_NssImpl* xcert = NULL; 586 587 if( m_pHandler != NULL ) { 588 CERTIssuerAndSN issuerAndSN ; 589 CERTCertificate* cert ; 590 CERTName* nmIssuer ; 591 char* chIssuer ; 592 SECItem* derIssuer ; 593 PRArenaPool* arena ; 594 595 arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE ) ; 596 if( arena == NULL ) 597 throw RuntimeException() ; 598 599 /* 600 * mmi : because MS Crypto use the 'S' tag (equal to the 'ST' tag in NSS), but the NSS can't recognise 601 * it, so the 'S' tag should be changed to 'ST' tag 602 * 603 * PS : it can work, but inside libxmlsec, the 'S' tag is till used to find cert in NSS engine, so it 604 * is not useful at all. (comment out now) 605 */ 606 607 /* 608 sal_Int32 nIndex = 0; 609 OUString newIssuerName; 610 do 611 { 612 OUString aToken = issuerName.getToken( 0, ',', nIndex ).trim(); 613 if (aToken.compareToAscii("S=",2) == 0) 614 { 615 newIssuerName+=OUString::createFromAscii("ST="); 616 newIssuerName+=aToken.copy(2); 617 } 618 else 619 { 620 newIssuerName+=aToken; 621 } 622 623 if (nIndex >= 0) 624 { 625 newIssuerName+=OUString::createFromAscii(","); 626 } 627 } while ( nIndex >= 0 ); 628 */ 629 630 /* end */ 631 632 //Create cert info from issue and serial 633 rtl::OString ostr = rtl::OUStringToOString( issuerName , RTL_TEXTENCODING_UTF8 ) ; 634 chIssuer = PL_strndup( ( char* )ostr.getStr(), ( int )ostr.getLength() ) ; 635 nmIssuer = CERT_AsciiToName( chIssuer ) ; 636 if( nmIssuer == NULL ) { 637 PL_strfree( chIssuer ) ; 638 PORT_FreeArena( arena, PR_FALSE ) ; 639 640 /* 641 * i40394 642 * 643 * mmi : no need to throw exception 644 * just return "no found" 645 */ 646 //throw RuntimeException() ; 647 return NULL; 648 } 649 650 derIssuer = SEC_ASN1EncodeItem( arena, NULL, ( void* )nmIssuer, SEC_ASN1_GET( CERT_NameTemplate ) ) ; 651 if( derIssuer == NULL ) { 652 PL_strfree( chIssuer ) ; 653 CERT_DestroyName( nmIssuer ) ; 654 PORT_FreeArena( arena, PR_FALSE ) ; 655 throw RuntimeException() ; 656 } 657 658 memset( &issuerAndSN, 0, sizeof( issuerAndSN ) ) ; 659 660 issuerAndSN.derIssuer.data = derIssuer->data ; 661 issuerAndSN.derIssuer.len = derIssuer->len ; 662 663 issuerAndSN.serialNumber.data = ( unsigned char* )&serialNumber[0] ; 664 issuerAndSN.serialNumber.len = serialNumber.getLength() ; 665 666 cert = CERT_FindCertByIssuerAndSN( m_pHandler, &issuerAndSN ) ; 667 if( cert != NULL ) { 668 xcert = NssCertToXCert( cert ) ; 669 } else { 670 xcert = NULL ; 671 } 672 673 PL_strfree( chIssuer ) ; 674 CERT_DestroyName( nmIssuer ) ; 675 //SECITEM_FreeItem( derIssuer, PR_FALSE ) ; 676 CERT_DestroyCertificate( cert ) ; 677 PORT_FreeArena( arena, PR_FALSE ) ; 678 } else { 679 xcert = NULL ; 680 } 681 682 return xcert ; 683 } 684 685 Reference< XCertificate > SecurityEnvironment_NssImpl :: getCertificate( const OUString& issuerName, const OUString& serialNumber ) throw( SecurityException , RuntimeException ) { 686 Sequence< sal_Int8 > serial = numericStringToBigInteger( serialNumber ) ; 687 return getCertificate( issuerName, serial ) ; 688 } 689 690 Sequence< Reference < XCertificate > > SecurityEnvironment_NssImpl :: buildCertificatePath( const Reference< XCertificate >& begin ) throw( SecurityException , RuntimeException ) { 691 const X509Certificate_NssImpl* xcert ; 692 const CERTCertificate* cert ; 693 CERTCertList* certChain ; 694 695 Reference< XUnoTunnel > xCertTunnel( begin, UNO_QUERY ) ; 696 if( !xCertTunnel.is() ) { 697 throw RuntimeException() ; 698 } 699 700 xcert = reinterpret_cast<X509Certificate_NssImpl*>( 701 sal::static_int_cast<sal_uIntPtr>(xCertTunnel->getSomething( X509Certificate_NssImpl::getUnoTunnelId() ))) ; 702 if( xcert == NULL ) { 703 throw RuntimeException() ; 704 } 705 706 cert = xcert->getNssCert() ; 707 if( cert != NULL ) { 708 int64 timeboundary ; 709 710 //Get the system clock time 711 timeboundary = PR_Now() ; 712 713 certChain = CERT_GetCertChainFromCert( ( CERTCertificate* )cert, timeboundary, certUsageAnyCA ) ; 714 } else { 715 certChain = NULL ; 716 } 717 718 if( certChain != NULL ) { 719 X509Certificate_NssImpl* pCert ; 720 CERTCertListNode* node ; 721 int len ; 722 723 for( len = 0, node = CERT_LIST_HEAD( certChain ); !CERT_LIST_END( node, certChain ); node = CERT_LIST_NEXT( node ), len ++ ) ; 724 Sequence< Reference< XCertificate > > xCertChain( len ) ; 725 726 for( len = 0, node = CERT_LIST_HEAD( certChain ); !CERT_LIST_END( node, certChain ); node = CERT_LIST_NEXT( node ), len ++ ) { 727 pCert = new X509Certificate_NssImpl() ; 728 if( pCert == NULL ) { 729 CERT_DestroyCertList( certChain ) ; 730 throw RuntimeException() ; 731 } 732 733 pCert->setCert( node->cert ) ; 734 735 xCertChain[len] = pCert ; 736 } 737 738 CERT_DestroyCertList( certChain ) ; 739 740 return xCertChain ; 741 } 742 743 return Sequence< Reference < XCertificate > >(); 744 } 745 746 Reference< XCertificate > SecurityEnvironment_NssImpl :: createCertificateFromRaw( const Sequence< sal_Int8 >& rawCertificate ) throw( SecurityException , RuntimeException ) { 747 X509Certificate_NssImpl* xcert ; 748 749 if( rawCertificate.getLength() > 0 ) { 750 xcert = new X509Certificate_NssImpl() ; 751 if( xcert == NULL ) 752 throw RuntimeException() ; 753 754 xcert->setRawCert( rawCertificate ) ; 755 } else { 756 xcert = NULL ; 757 } 758 759 return xcert ; 760 } 761 762 Reference< XCertificate > SecurityEnvironment_NssImpl :: createCertificateFromAscii( const OUString& asciiCertificate ) throw( SecurityException , RuntimeException ) { 763 xmlChar* chCert ; 764 xmlSecSize certSize ; 765 766 rtl::OString oscert = rtl::OUStringToOString( asciiCertificate , RTL_TEXTENCODING_ASCII_US ) ; 767 768 chCert = xmlStrndup( ( const xmlChar* )oscert.getStr(), ( int )oscert.getLength() ) ; 769 770 certSize = xmlSecBase64Decode( chCert, ( xmlSecByte* )chCert, xmlStrlen( chCert ) ) ; 771 772 Sequence< sal_Int8 > rawCert( certSize ) ; 773 for( unsigned int i = 0 ; i < certSize ; i ++ ) 774 rawCert[i] = *( chCert + i ) ; 775 776 xmlFree( chCert ) ; 777 778 return createCertificateFromRaw( rawCert ) ; 779 } 780 781 sal_Int32 SecurityEnvironment_NssImpl :: 782 verifyCertificate( const Reference< csss::XCertificate >& aCert, 783 const Sequence< Reference< csss::XCertificate > >& intermediateCerts ) 784 throw( ::com::sun::star::uno::SecurityException, ::com::sun::star::uno::RuntimeException ) 785 { 786 sal_Int32 validity = csss::CertificateValidity::INVALID; 787 const X509Certificate_NssImpl* xcert ; 788 const CERTCertificate* cert ; 789 ::std::vector<CERTCertificate*> vecTmpNSSCertificates; 790 Reference< XUnoTunnel > xCertTunnel( aCert, UNO_QUERY ) ; 791 if( !xCertTunnel.is() ) { 792 throw RuntimeException() ; 793 } 794 795 xmlsec_trace("Start verification of certificate: \n %s \n", 796 OUStringToOString( 797 aCert->getSubjectName(), osl_getThreadTextEncoding()).getStr()); 798 799 xcert = reinterpret_cast<X509Certificate_NssImpl*>( 800 sal::static_int_cast<sal_uIntPtr>(xCertTunnel->getSomething( X509Certificate_NssImpl::getUnoTunnelId() ))) ; 801 if( xcert == NULL ) { 802 throw RuntimeException() ; 803 } 804 805 //CERT_PKIXVerifyCert does not take a db as argument. It will therefore 806 //internally use CERT_GetDefaultCertDB 807 //Make sure m_pHandler is the default DB 808 OSL_ASSERT(m_pHandler == CERT_GetDefaultCertDB()); 809 CERTCertDBHandle * certDb = m_pHandler != NULL ? m_pHandler : CERT_GetDefaultCertDB(); 810 cert = xcert->getNssCert() ; 811 if( cert != NULL ) 812 { 813 814 //prepare the intermediate certificates 815 for (sal_Int32 i = 0; i < intermediateCerts.getLength(); i++) 816 { 817 Sequence<sal_Int8> der = intermediateCerts[i]->getEncoded(); 818 SECItem item; 819 item.type = siBuffer; 820 item.data = (unsigned char*)der.getArray(); 821 item.len = der.getLength(); 822 823 CERTCertificate* certTmp = CERT_NewTempCertificate(certDb, &item, 824 NULL /* nickname */, 825 PR_FALSE /* isPerm */, 826 PR_TRUE /* copyDER */); 827 if (!certTmp) 828 { 829 xmlsec_trace("Failed to add a temporary certificate: %s", 830 OUStringToOString(intermediateCerts[i]->getIssuerName(), 831 osl_getThreadTextEncoding()).getStr()); 832 833 } 834 else 835 { 836 xmlsec_trace("Added temporary certificate: %s", 837 certTmp->subjectName ? certTmp->subjectName : ""); 838 vecTmpNSSCertificates.push_back(certTmp); 839 } 840 } 841 842 843 SECStatus status ; 844 845 CERTVerifyLog log; 846 log.arena = PORT_NewArena(512); 847 log.head = log.tail = NULL; 848 log.count = 0; 849 850 CERT_EnableOCSPChecking(certDb); 851 CERT_DisableOCSPDefaultResponder(certDb); 852 CERTValOutParam cvout[5]; 853 CERTValInParam cvin[3]; 854 855 cvin[0].type = cert_pi_useAIACertFetch; 856 cvin[0].value.scalar.b = PR_TRUE; 857 858 PRUint64 revFlagsLeaf[2]; 859 PRUint64 revFlagsChain[2]; 860 CERTRevocationFlags rev; 861 rev.leafTests.number_of_defined_methods = 2; 862 rev.leafTests.cert_rev_flags_per_method = revFlagsLeaf; 863 //the flags are defined in cert.h 864 //We check both leaf and chain. 865 //It is enough if one revocation method has fresh info, 866 //but at least one must have some. Otherwise validation fails. 867 //!!! using leaf test and CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE 868 // when validating a root certificate will result in "revoked". Usually 869 //there is no revocation information available for the root cert because 870 //it must be trusted anyway and it does itself issue revocation information. 871 //When we use the flag here and OOo shows the certification path then the root 872 //cert is invalid while all other can be valid. It would probably best if 873 //this interface method returned the whole chain. 874 //Otherwise we need to check if the certificate is self-signed and if it is 875 //then not use the flag when doing the leaf-test. 876 rev.leafTests.cert_rev_flags_per_method[cert_revocation_method_crl] = 877 CERT_REV_M_TEST_USING_THIS_METHOD 878 | CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE; 879 rev.leafTests.cert_rev_flags_per_method[cert_revocation_method_ocsp] = 880 CERT_REV_M_TEST_USING_THIS_METHOD 881 | CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE; 882 rev.leafTests.number_of_preferred_methods = 0; 883 rev.leafTests.preferred_methods = NULL; 884 rev.leafTests.cert_rev_method_independent_flags = 885 CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST; 886 // | CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE; 887 888 rev.chainTests.number_of_defined_methods = 2; 889 rev.chainTests.cert_rev_flags_per_method = revFlagsChain; 890 rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_crl] = 891 CERT_REV_M_TEST_USING_THIS_METHOD 892 | CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE; 893 rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_ocsp] = 894 CERT_REV_M_TEST_USING_THIS_METHOD 895 | CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE; 896 rev.chainTests.number_of_preferred_methods = 0; 897 rev.chainTests.preferred_methods = NULL; 898 rev.chainTests.cert_rev_method_independent_flags = 899 CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST; 900 // | CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE; 901 902 903 cvin[1].type = cert_pi_revocationFlags; 904 cvin[1].value.pointer.revocation = &rev; 905 // does not work, not implemented yet in 3.12.4 906 // cvin[2].type = cert_pi_keyusage; 907 // cvin[2].value.scalar.ui = KU_DIGITAL_SIGNATURE; 908 cvin[2].type = cert_pi_end; 909 910 cvout[0].type = cert_po_trustAnchor; 911 cvout[0].value.pointer.cert = NULL; 912 cvout[1].type = cert_po_errorLog; 913 cvout[1].value.pointer.log = &log; 914 cvout[2].type = cert_po_end; 915 916 // We check SSL server certificates, CA certificates and signing sertificates. 917 // 918 // ToDo check keyusage, looking at CERT_KeyUsageAndTypeForCertUsage ( 919 // mozilla/security/nss/lib/certdb/certdb.c indicates that 920 // certificateUsageSSLClient, certificateUsageSSLServer and certificateUsageSSLCA 921 // are sufficient. They cover the key usages for digital signature, key agreement 922 // and encipherment and certificate signature 923 924 //never use the following usages because they are not checked properly 925 // certificateUsageUserCertImport 926 // certificateUsageVerifyCA 927 // certificateUsageAnyCA 928 // certificateUsageProtectedObjectSigner 929 930 UsageDescription arUsages[5]; 931 arUsages[0] = UsageDescription( certificateUsageSSLClient, "certificateUsageSSLClient" ); 932 arUsages[1] = UsageDescription( certificateUsageSSLServer, "certificateUsageSSLServer" ); 933 arUsages[2] = UsageDescription( certificateUsageSSLCA, "certificateUsageSSLCA" ); 934 arUsages[3] = UsageDescription( certificateUsageEmailSigner, "certificateUsageEmailSigner" ); 935 arUsages[4] = UsageDescription( certificateUsageEmailRecipient, "certificateUsageEmailRecipient" ); 936 937 int numUsages = sizeof(arUsages) / sizeof(UsageDescription); 938 for (int i = 0; i < numUsages; i++) 939 { 940 xmlsec_trace("Testing usage %d of %d: %s (0x%x)", i + 1, 941 numUsages, arUsages[i].description, (int) arUsages[i].usage); 942 943 status = CERT_PKIXVerifyCert(const_cast<CERTCertificate *>(cert), arUsages[i].usage, 944 cvin, cvout, NULL); 945 if( status == SECSuccess ) 946 { 947 xmlsec_trace("CERT_PKIXVerifyCert returned SECSuccess."); 948 //When an intermediate or root certificate is checked then we expect the usage 949 //certificateUsageSSLCA. This, however, will be only set when in the trust settings dialog 950 //the button "This certificate can identify websites" is checked. If for example only 951 //"This certificate can identify mail users" is set then the end certificate can 952 //be validated and the returned usage will conain certificateUsageEmailRecipient. 953 //But checking directly the root or intermediate certificate will fail. In the 954 //certificate path view the end certificate will be shown as valid but the others 955 //will be displayed as invalid. 956 957 validity = csss::CertificateValidity::VALID; 958 xmlsec_trace("Certificate is valid.\n"); 959 CERTCertificate * issuerCert = cvout[0].value.pointer.cert; 960 if (issuerCert) 961 { 962 xmlsec_trace("Root certificate: %s", issuerCert->subjectName); 963 CERT_DestroyCertificate(issuerCert); 964 }; 965 966 break; 967 } 968 else 969 { 970 PRIntn err = PR_GetError(); 971 xmlsec_trace("Error: , %d = %s", err, getCertError(err)); 972 973 /* Display validation results */ 974 if ( log.count > 0) 975 { 976 CERTVerifyLogNode *node = NULL; 977 printChainFailure(&log); 978 979 for (node = log.head; node; node = node->next) { 980 if (node->cert) 981 CERT_DestroyCertificate(node->cert); 982 } 983 log.head = log.tail = NULL; 984 log.count = 0; 985 } 986 xmlsec_trace("Certificate is invalid.\n"); 987 } 988 } 989 990 } 991 else 992 { 993 validity = ::com::sun::star::security::CertificateValidity::INVALID ; 994 } 995 996 //Destroying the temporary certificates 997 std::vector<CERTCertificate*>::const_iterator cert_i; 998 for (cert_i = vecTmpNSSCertificates.begin(); cert_i != vecTmpNSSCertificates.end(); cert_i++) 999 { 1000 xmlsec_trace("Destroying temporary certificate"); 1001 CERT_DestroyCertificate(*cert_i); 1002 } 1003 return validity ; 1004 } 1005 1006 sal_Int32 SecurityEnvironment_NssImpl::getCertificateCharacters( 1007 const ::com::sun::star::uno::Reference< ::com::sun::star::security::XCertificate >& aCert ) throw( ::com::sun::star::uno::SecurityException, ::com::sun::star::uno::RuntimeException ) { 1008 sal_Int32 characters ; 1009 const X509Certificate_NssImpl* xcert ; 1010 const CERTCertificate* cert ; 1011 1012 Reference< XUnoTunnel > xCertTunnel( aCert, UNO_QUERY ) ; 1013 if( !xCertTunnel.is() ) { 1014 throw RuntimeException() ; 1015 } 1016 1017 xcert = reinterpret_cast<X509Certificate_NssImpl*>( 1018 sal::static_int_cast<sal_uIntPtr>(xCertTunnel->getSomething( X509Certificate_NssImpl::getUnoTunnelId() ))) ; 1019 if( xcert == NULL ) { 1020 throw RuntimeException() ; 1021 } 1022 1023 cert = xcert->getNssCert() ; 1024 1025 characters = 0x00000000 ; 1026 1027 //Firstly, find out whether or not the cert is self-signed. 1028 if( SECITEM_CompareItem( &(cert->derIssuer), &(cert->derSubject) ) == SECEqual ) { 1029 characters |= ::com::sun::star::security::CertificateCharacters::SELF_SIGNED ; 1030 } else { 1031 characters &= ~ ::com::sun::star::security::CertificateCharacters::SELF_SIGNED ; 1032 } 1033 1034 //Secondly, find out whether or not the cert has a private key. 1035 1036 /* 1037 * i40394 1038 * 1039 * mmi : need to check whether the cert's slot is valid first 1040 */ 1041 SECKEYPrivateKey* priKey = NULL; 1042 1043 if (cert->slot != NULL) 1044 { 1045 priKey = PK11_FindPrivateKeyFromCert( cert->slot, ( CERTCertificate* )cert, NULL ) ; 1046 } 1047 if(priKey == NULL) 1048 { 1049 for (CIT_SLOTS is = m_Slots.begin(); is != m_Slots.end(); is++) 1050 { 1051 priKey = PK11_FindPrivateKeyFromCert(*is, (CERTCertificate*)cert, NULL); 1052 if (priKey) 1053 break; 1054 } 1055 } 1056 if( priKey != NULL ) { 1057 characters |= ::com::sun::star::security::CertificateCharacters::HAS_PRIVATE_KEY ; 1058 1059 SECKEY_DestroyPrivateKey( priKey ) ; 1060 } else { 1061 characters &= ~ ::com::sun::star::security::CertificateCharacters::HAS_PRIVATE_KEY ; 1062 } 1063 1064 return characters ; 1065 } 1066 1067 X509Certificate_NssImpl* NssCertToXCert( CERTCertificate* cert ) 1068 { 1069 X509Certificate_NssImpl* xcert ; 1070 1071 if( cert != NULL ) { 1072 xcert = new X509Certificate_NssImpl() ; 1073 if( xcert == NULL ) { 1074 xcert = NULL ; 1075 } else { 1076 xcert->setCert( cert ) ; 1077 } 1078 } else { 1079 xcert = NULL ; 1080 } 1081 1082 return xcert ; 1083 } 1084 1085 X509Certificate_NssImpl* NssPrivKeyToXCert( SECKEYPrivateKey* priKey ) 1086 { 1087 CERTCertificate* cert ; 1088 X509Certificate_NssImpl* xcert ; 1089 1090 if( priKey != NULL ) { 1091 cert = PK11_GetCertFromPrivateKey( priKey ) ; 1092 1093 if( cert != NULL ) { 1094 xcert = NssCertToXCert( cert ) ; 1095 } else { 1096 xcert = NULL ; 1097 } 1098 1099 CERT_DestroyCertificate( cert ) ; 1100 } else { 1101 xcert = NULL ; 1102 } 1103 1104 return xcert ; 1105 } 1106 1107 1108 /* Native methods */ 1109 xmlSecKeysMngrPtr SecurityEnvironment_NssImpl::createKeysManager() throw( Exception, RuntimeException ) { 1110 1111 unsigned int i ; 1112 CERTCertDBHandle* handler = NULL ; 1113 PK11SymKey* symKey = NULL ; 1114 SECKEYPublicKey* pubKey = NULL ; 1115 SECKEYPrivateKey* priKey = NULL ; 1116 xmlSecKeysMngrPtr pKeysMngr = NULL ; 1117 1118 handler = this->getCertDb() ; 1119 1120 /*- 1121 * The following lines is based on the private version of xmlSec-NSS 1122 * crypto engine 1123 */ 1124 int cSlots = m_Slots.size(); 1125 boost::scoped_array<PK11SlotInfo*> sarSlots(new PK11SlotInfo*[cSlots]); 1126 PK11SlotInfo** slots = sarSlots.get(); 1127 int count = 0; 1128 for (CIT_SLOTS islots = m_Slots.begin();islots != m_Slots.end(); islots++, count++) 1129 slots[count] = *islots; 1130 1131 pKeysMngr = xmlSecNssAppliedKeysMngrCreate(slots, cSlots, handler ) ; 1132 if( pKeysMngr == NULL ) 1133 throw RuntimeException() ; 1134 1135 /*- 1136 * Adopt symmetric key into keys manager 1137 */ 1138 for( i = 0 ; ( symKey = this->getSymKey( i ) ) != NULL ; i ++ ) { 1139 if( xmlSecNssAppliedKeysMngrSymKeyLoad( pKeysMngr, symKey ) < 0 ) { 1140 throw RuntimeException() ; 1141 } 1142 } 1143 1144 /*- 1145 * Adopt asymmetric public key into keys manager 1146 */ 1147 for( i = 0 ; ( pubKey = this->getPubKey( i ) ) != NULL ; i ++ ) { 1148 if( xmlSecNssAppliedKeysMngrPubKeyLoad( pKeysMngr, pubKey ) < 0 ) { 1149 throw RuntimeException() ; 1150 } 1151 } 1152 1153 /*- 1154 * Adopt asymmetric private key into keys manager 1155 */ 1156 for( i = 0 ; ( priKey = this->getPriKey( i ) ) != NULL ; i ++ ) { 1157 if( xmlSecNssAppliedKeysMngrPriKeyLoad( pKeysMngr, priKey ) < 0 ) { 1158 throw RuntimeException() ; 1159 } 1160 } 1161 return pKeysMngr ; 1162 } 1163 void SecurityEnvironment_NssImpl::destroyKeysManager(xmlSecKeysMngrPtr pKeysMngr) throw( Exception, RuntimeException ) { 1164 if( pKeysMngr != NULL ) { 1165 xmlSecKeysMngrDestroy( pKeysMngr ) ; 1166 } 1167 } 1168