From 639e8080784f9b04efbb2d97e9f1b6b82fba24dc Mon Sep 17 00:00:00 2001 From: jl Date: Thu, 29 Oct 2009 11:31:59 +0100 Subject: #103420# use CERT_PKIXVerifyCert --- xmlsecurity/source/xmlsec/nss/certerrors.h | 384 +++++++++++++++++++++ xmlsecurity/source/xmlsec/nss/makefile.mk | 4 +- xmlsecurity/source/xmlsec/nss/secerror.cxx | 150 ++++++++ xmlsecurity/source/xmlsec/nss/secerror.hxx | 40 +++ .../xmlsec/nss/securityenvironment_nssimpl.cxx | 229 +++++++----- .../source/xmlsec/nss/seinitializer_nssimpl.cxx | 2 +- 6 files changed, 712 insertions(+), 97 deletions(-) create mode 100644 xmlsecurity/source/xmlsec/nss/certerrors.h create mode 100644 xmlsecurity/source/xmlsec/nss/secerror.cxx create mode 100644 xmlsecurity/source/xmlsec/nss/secerror.hxx diff --git a/xmlsecurity/source/xmlsec/nss/certerrors.h b/xmlsecurity/source/xmlsec/nss/certerrors.h new file mode 100644 index 000000000000..9b9801f21f59 --- /dev/null +++ b/xmlsecurity/source/xmlsec/nss/certerrors.h @@ -0,0 +1,384 @@ +/************************************************************************* + * + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * Copyright 2008 by Sun Microsystems, Inc. + * + * OpenOffice.org - a multi-platform office productivity suite + * + * $RCSfile: securityenvironment_nssimpl.cxx,v $ + * $Revision: 1.23 $ + * + * This file is part of OpenOffice.org. + * + * OpenOffice.org is free software: you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License version 3 + * only, as published by the Free Software Foundation. + * + * OpenOffice.org is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License version 3 for more details + * (a copy is included in the LICENSE file that accompanied this code). + * + * You should have received a copy of the GNU Lesser General Public License + * version 3 along with OpenOffice.org. If not, see + * + * for a copy of the LGPLv3 License. + * + ************************************************************************/ + + +{SEC_ERROR_IO, "An I/O error occurred during security authorization."}, + +{SEC_ERROR_LIBRARY_FAILURE, "security library failure."}, + +{SEC_ERROR_BAD_DATA, "security library: received bad data."}, + +{SEC_ERROR_OUTPUT_LEN, "security library: output length error."}, + +{SEC_ERROR_INPUT_LEN, "security library has experienced an input length error."}, + +{SEC_ERROR_INVALID_ARGS, "security library: invalid arguments."}, + +{SEC_ERROR_INVALID_ALGORITHM, "security library: invalid algorithm."}, + +{SEC_ERROR_INVALID_AVA, "security library: invalid AVA."}, + +{SEC_ERROR_INVALID_TIME, "Improperly formatted time string."}, + +{SEC_ERROR_BAD_DER, "security library: improperly formatted DER-encoded message."}, + +{SEC_ERROR_BAD_SIGNATURE, "Peer's certificate has an invalid signature."}, + +{SEC_ERROR_EXPIRED_CERTIFICATE, "Peer's Certificate has expired."}, + +{SEC_ERROR_REVOKED_CERTIFICATE, "Peer's Certificate has been revoked."}, + +{SEC_ERROR_UNKNOWN_ISSUER, "Peer's Certificate issuer is not recognized."}, + +{SEC_ERROR_BAD_KEY, "Peer's public key is invalid."}, + +{SEC_ERROR_BAD_PASSWORD, "The security password entered is incorrect."}, + +{SEC_ERROR_RETRY_PASSWORD, "New password entered incorrectly. Please try again."}, + +{SEC_ERROR_NO_NODELOCK, "security library: no nodelock."}, + +{SEC_ERROR_BAD_DATABASE, "security library: bad database."}, + +{SEC_ERROR_NO_MEMORY, "security library: memory allocation failure."}, + +{SEC_ERROR_UNTRUSTED_ISSUER, "Peer's certificate issuer has been marked as not trusted by the user."}, + +{SEC_ERROR_UNTRUSTED_CERT, "Peer's certificate has been marked as not trusted by the user."}, + +{SEC_ERROR_DUPLICATE_CERT, "Certificate already exists in your database."}, + +{SEC_ERROR_DUPLICATE_CERT_NAME, "Downloaded certificate's name duplicates one already in your database."}, + +{SEC_ERROR_ADDING_CERT, "Error adding certificate to database."}, + +{SEC_ERROR_FILING_KEY, "Error refiling the key for this certificate."}, + +{SEC_ERROR_NO_KEY, "The private key for this certificate cannot be found in key database"}, + +{SEC_ERROR_CERT_VALID, "This certificate is valid."}, + +{SEC_ERROR_CERT_NOT_VALID, "This certificate is not valid."}, + +{SEC_ERROR_CERT_NO_RESPONSE, "Cert Library: No Response"}, + +{SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE, "The certificate issuer's certificate has expired. Check your system date and time."}, + +{SEC_ERROR_CRL_EXPIRED, "The CRL for the certificate's issuer has expired. Update it or check your system date and time."}, + +{SEC_ERROR_CRL_BAD_SIGNATURE, "The CRL for the certificate's issuer has an invalid signature."}, + +{SEC_ERROR_CRL_INVALID, "New CRL has an invalid format."}, + +{SEC_ERROR_EXTENSION_VALUE_INVALID, "Certificate extension value is invalid."}, + +{SEC_ERROR_EXTENSION_NOT_FOUND, "Certificate extension not found."}, + +{SEC_ERROR_CA_CERT_INVALID, "Issuer certificate is invalid."}, + +{SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID, "Certificate path length constraint is invalid."}, + +{SEC_ERROR_CERT_USAGES_INVALID, "Certificate usages field is invalid."}, + +{SEC_INTERNAL_ONLY, "**Internal ONLY module**"}, + +{SEC_ERROR_INVALID_KEY, "The key does not support the requested operation."}, + +{SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION, "Certificate contains unknown critical extension."}, + +{SEC_ERROR_OLD_CRL, "New CRL is not later than the current one."}, + +{SEC_ERROR_NO_EMAIL_CERT, "Not encrypted or signed: you do not yet have an email certificate."}, + +{SEC_ERROR_NO_RECIPIENT_CERTS_QUERY, "Not encrypted: you do not have certificates for each of the recipients."}, + +{SEC_ERROR_NOT_A_RECIPIENT, "Cannot decrypt: you are not a recipient, or matching certificate and \ +private key not found."}, + +{SEC_ERROR_PKCS7_KEYALG_MISMATCH, "Cannot decrypt: key encryption algorithm does not match your certificate."}, + +{SEC_ERROR_PKCS7_BAD_SIGNATURE, "Signature verification failed: no signer found, too many signers found, \ +or improper or corrupted data."}, + +{SEC_ERROR_UNSUPPORTED_KEYALG, "Unsupported or unknown key algorithm."}, + +{SEC_ERROR_DECRYPTION_DISALLOWED, "Cannot decrypt: encrypted using a disallowed algorithm or key size."}, + + +/* Fortezza Alerts */ +{XP_SEC_FORTEZZA_BAD_CARD, "Fortezza card has not been properly initialized. \ +Please remove it and return it to your issuer."}, + +{XP_SEC_FORTEZZA_NO_CARD, "No Fortezza cards Found"}, + +{XP_SEC_FORTEZZA_NONE_SELECTED, "No Fortezza card selected"}, + +{XP_SEC_FORTEZZA_MORE_INFO, "Please select a personality to get more info on"}, + +{XP_SEC_FORTEZZA_PERSON_NOT_FOUND, "Personality not found"}, + +{XP_SEC_FORTEZZA_NO_MORE_INFO, "No more information on that Personality"}, + +{XP_SEC_FORTEZZA_BAD_PIN, "Invalid Pin"}, + +{XP_SEC_FORTEZZA_PERSON_ERROR, "Couldn't initialize Fortezza personalities."}, +/* end fortezza alerts. */ + +{SEC_ERROR_NO_KRL, "No KRL for this site's certificate has been found."}, + +{SEC_ERROR_KRL_EXPIRED, "The KRL for this site's certificate has expired."}, + +{SEC_ERROR_KRL_BAD_SIGNATURE, "The KRL for this site's certificate has an invalid signature."}, + +{SEC_ERROR_REVOKED_KEY, "The key for this site's certificate has been revoked."}, + +{SEC_ERROR_KRL_INVALID, "New KRL has an invalid format."}, + +{SEC_ERROR_NEED_RANDOM, "security library: need random data."}, + +{SEC_ERROR_NO_MODULE, "security library: no security module can perform the requested operation."}, + +{SEC_ERROR_NO_TOKEN, "The security card or token does not exist, needs to be initialized, or has been removed."}, + +{SEC_ERROR_READ_ONLY, "security library: read-only database."}, + +{SEC_ERROR_NO_SLOT_SELECTED, "No slot or token was selected."}, + +{SEC_ERROR_CERT_NICKNAME_COLLISION, "A certificate with the same nickname already exists."}, + +{SEC_ERROR_KEY_NICKNAME_COLLISION, "A key with the same nickname already exists."}, + +{SEC_ERROR_SAFE_NOT_CREATED, "error while creating safe object"}, + +{SEC_ERROR_BAGGAGE_NOT_CREATED, "error while creating baggage object"}, + +{XP_JAVA_REMOVE_PRINCIPAL_ERROR, "Couldn't remove the principal"}, + +{XP_JAVA_DELETE_PRIVILEGE_ERROR, "Couldn't delete the privilege"}, + +{XP_JAVA_CERT_NOT_EXISTS_ERROR, "This principal doesn't have a certificate"}, + +{SEC_ERROR_BAD_EXPORT_ALGORITHM, "Required algorithm is not allowed."}, + +{SEC_ERROR_EXPORTING_CERTIFICATES, "Error attempting to export certificates."}, + +{SEC_ERROR_IMPORTING_CERTIFICATES, "Error attempting to import certificates."}, + +{SEC_ERROR_PKCS12_DECODING_PFX, "Unable to import. Decoding error. File not valid."}, + +{SEC_ERROR_PKCS12_INVALID_MAC, "Unable to import. Invalid MAC. Incorrect password or corrupt file."}, + +{SEC_ERROR_PKCS12_UNSUPPORTED_MAC_ALGORITHM, "Unable to import. MAC algorithm not supported."}, + +{SEC_ERROR_PKCS12_UNSUPPORTED_TRANSPORT_MODE, "Unable to import. Only password integrity and privacy modes supported."}, + +{SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE, "Unable to import. File structure is corrupt."}, + +{SEC_ERROR_PKCS12_UNSUPPORTED_PBE_ALGORITHM, "Unable to import. Encryption algorithm not supported."}, + +{SEC_ERROR_PKCS12_UNSUPPORTED_VERSION, "Unable to import. File version not supported."}, + +{SEC_ERROR_PKCS12_PRIVACY_PASSWORD_INCORRECT, "Unable to import. Incorrect privacy password."}, + +{SEC_ERROR_PKCS12_CERT_COLLISION, "Unable to import. Same nickname already exists in database."}, + +{SEC_ERROR_USER_CANCELLED, "The user pressed cancel."}, + +{SEC_ERROR_PKCS12_DUPLICATE_DATA, "Not imported, already in database."}, + +{SEC_ERROR_MESSAGE_SEND_ABORTED, "Message not sent."}, + +{SEC_ERROR_INADEQUATE_KEY_USAGE, "Certificate key usage inadequate for attempted operation."}, + +{SEC_ERROR_INADEQUATE_CERT_TYPE, "Certificate type not approved for application."}, + +{SEC_ERROR_CERT_ADDR_MISMATCH, "Address in signing certificate does not match address in message headers."}, + +{SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY, "Unable to import. Error attempting to import private key."}, + +{SEC_ERROR_PKCS12_IMPORTING_CERT_CHAIN, "Unable to import. Error attempting to import certificate chain."}, + +{SEC_ERROR_PKCS12_UNABLE_TO_LOCATE_OBJECT_BY_NAME, "Unable to export. Unable to locate certificate or key by nickname."}, + +{SEC_ERROR_PKCS12_UNABLE_TO_EXPORT_KEY, "Unable to export. Private Key could not be located and exported."}, + +{SEC_ERROR_PKCS12_UNABLE_TO_WRITE, "Unable to export. Unable to write the export file."}, + +{SEC_ERROR_PKCS12_UNABLE_TO_READ, "Unable to import. Unable to read the import file."}, + +{SEC_ERROR_PKCS12_KEY_DATABASE_NOT_INITIALIZED, "Unable to export. Key database corrupt or deleted."}, + +{SEC_ERROR_KEYGEN_FAIL, "Unable to generate public/private key pair."}, + +{SEC_ERROR_INVALID_PASSWORD, "Password entered is invalid. Please pick a different one."}, + +{SEC_ERROR_RETRY_OLD_PASSWORD, "Old password entered incorrectly. Please try again."}, + +{SEC_ERROR_BAD_NICKNAME, "Certificate nickname already in use."}, + +{SEC_ERROR_NOT_FORTEZZA_ISSUER, "Peer FORTEZZA chain has a non-FORTEZZA Certificate."}, + +{SEC_ERROR_CANNOT_MOVE_SENSITIVE_KEY, "A sensitive key cannot be moved to the slot where it is needed."}, + +{SEC_ERROR_JS_INVALID_MODULE_NAME, "Invalid module name."}, + +{SEC_ERROR_JS_INVALID_DLL, "Invalid module path/filename"}, + +{SEC_ERROR_JS_ADD_MOD_FAILURE, "Unable to add module"}, + +{SEC_ERROR_JS_DEL_MOD_FAILURE, "Unable to delete module"}, + +{SEC_ERROR_OLD_KRL, "New KRL is not later than the current one."}, + +{SEC_ERROR_CKL_CONFLICT, "New CKL has different issuer than current CKL. Delete current CKL."}, + +{SEC_ERROR_CERT_NOT_IN_NAME_SPACE, "The Certifying Authority for this certificate is not permitted to issue a \ +certificate with this name."}, + +{SEC_ERROR_KRL_NOT_YET_VALID, "The key revocation list for this certificate is not yet valid."}, + +{SEC_ERROR_CRL_NOT_YET_VALID, "The certificate revocation list for this certificate is not yet valid."}, + +{SEC_ERROR_UNKNOWN_CERT, "The requested certificate could not be found."}, + +{SEC_ERROR_UNKNOWN_SIGNER, "The signer's certificate could not be found."}, + +{SEC_ERROR_CERT_BAD_ACCESS_LOCATION, "The location for the certificate status server has invalid format."}, + +{SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE, "The OCSP response cannot be fully decoded; it is of an unknown type."}, + +{SEC_ERROR_OCSP_BAD_HTTP_RESPONSE, "The OCSP server returned unexpected/invalid HTTP data."}, + +{SEC_ERROR_OCSP_MALFORMED_REQUEST, "The OCSP server found the request to be corrupted or improperly formed."}, + +{SEC_ERROR_OCSP_SERVER_ERROR, "The OCSP server experienced an internal error."}, + +{SEC_ERROR_OCSP_TRY_SERVER_LATER, "The OCSP server suggests trying again later."}, + +{SEC_ERROR_OCSP_REQUEST_NEEDS_SIG, "The OCSP server requires a signature on this request."}, + +{SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST, "The OCSP server has refused this request as unauthorized."}, + +{SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS, "The OCSP server returned an unrecognizable status."}, + +{SEC_ERROR_OCSP_UNKNOWN_CERT, "The OCSP server has no status for the certificate."}, + +{SEC_ERROR_OCSP_NOT_ENABLED, "You must enable OCSP before performing this operation."}, + +{SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER, "You must set the OCSP default responder before performing this operation."}, + +{SEC_ERROR_OCSP_MALFORMED_RESPONSE, "The response from the OCSP server was corrupted or improperly formed."}, + +{SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE, "The signer of the OCSP response is not authorized to give status for \ +this certificate."}, + +{SEC_ERROR_OCSP_FUTURE_RESPONSE, "The OCSP response is not yet valid (contains a date in the future},."}, + +{SEC_ERROR_OCSP_OLD_RESPONSE, "The OCSP response contains out-of-date information."}, + +{SEC_ERROR_DIGEST_NOT_FOUND, "The CMS or PKCS #7 Digest was not found in signed message."}, + +{SEC_ERROR_UNSUPPORTED_MESSAGE_TYPE, "The CMS or PKCS #7 Message type is unsupported."}, + +{SEC_ERROR_MODULE_STUCK, "PKCS #11 module could not be removed because it is still in use."}, + +{SEC_ERROR_BAD_TEMPLATE, "Could not decode ASN.1 data. Specified template was invalid."}, + +{SEC_ERROR_CRL_NOT_FOUND, "No matching CRL was found."}, + +{SEC_ERROR_REUSED_ISSUER_AND_SERIAL, "You are attempting to import a cert with the same issuer/serial as \ +an existing cert, but that is not the same cert."}, + +{SEC_ERROR_BUSY, "NSS could not shutdown. Objects are still in use."}, + +{SEC_ERROR_EXTRA_INPUT, "DER-encoded message contained extra unused data."}, + +{SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE, "Unsupported elliptic curve."}, + +{SEC_ERROR_UNSUPPORTED_EC_POINT_FORM, "Unsupported elliptic curve point form."}, + +{SEC_ERROR_UNRECOGNIZED_OID, "Unrecognized Object Identifier."}, + +{SEC_ERROR_OCSP_INVALID_SIGNING_CERT, "Invalid OCSP signing certificate in OCSP response."}, + +{SEC_ERROR_REVOKED_CERTIFICATE_CRL, "Certificate is revoked in issuer's certificate revocation list."}, + +{SEC_ERROR_REVOKED_CERTIFICATE_OCSP, "Issuer's OCSP responder reports certificate is revoked."}, + +{SEC_ERROR_CRL_INVALID_VERSION, "Issuer's Certificate Revocation List has an unknown version number."}, + +{SEC_ERROR_CRL_V1_CRITICAL_EXTENSION, "Issuer's V1 Certificate Revocation List has a critical extension."}, + +{SEC_ERROR_CRL_UNKNOWN_CRITICAL_EXTENSION, "Issuer's V2 Certificate Revocation List has an unknown critical extension."}, + +{SEC_ERROR_UNKNOWN_OBJECT_TYPE, "Unknown object type specified."}, + +{SEC_ERROR_INCOMPATIBLE_PKCS11, "PKCS #11 driver violates the spec in an incompatible way."}, + +{SEC_ERROR_NO_EVENT, "No new slot event is available at this time."}, + +{SEC_ERROR_CRL_ALREADY_EXISTS, "CRL already exists."}, + +{SEC_ERROR_NOT_INITIALIZED, "NSS is not initialized."}, + +{SEC_ERROR_TOKEN_NOT_LOGGED_IN, "The operation failed because the PKCS#11 token is not logged in."}, + +{SEC_ERROR_OCSP_RESPONDER_CERT_INVALID, "Configured OCSP responder's certificate is invalid."}, + +{SEC_ERROR_OCSP_BAD_SIGNATURE, "OCSP response has an invalid signature."}, + +{SEC_ERROR_OUT_OF_SEARCH_LIMITS, "Cert validation search is out of search limits"}, + +{SEC_ERROR_INVALID_POLICY_MAPPING, "Policy mapping contains anypolicy"}, + +{SEC_ERROR_POLICY_VALIDATION_FAILED, "Cert chain fails policy validation"}, + +{SEC_ERROR_UNKNOWN_AIA_LOCATION_TYPE, "Unknown location type in cert AIA extension"}, + +{SEC_ERROR_BAD_HTTP_RESPONSE, "Server returned bad HTTP response"}, + +{SEC_ERROR_BAD_LDAP_RESPONSE, "Server returned bad LDAP response"}, + +{SEC_ERROR_FAILED_TO_ENCODE_DATA, "Failed to encode data with ASN1 encoder"}, + +{SEC_ERROR_BAD_INFO_ACCESS_LOCATION, "Bad information access location in cert extension"}, + +{SEC_ERROR_LIBPKIX_INTERNAL, "Libpkix internal error occured during cert validation."}, + +{SEC_ERROR_PKCS11_GENERAL_ERROR, "A PKCS #11 module returned CKR_GENERAL_ERROR, indicating that an unrecoverable error has occurred."}, + +{SEC_ERROR_PKCS11_FUNCTION_FAILED, "A PKCS #11 module returned CKR_FUNCTION_FAILED, indicating that the requested function could not be performed. Trying the same operation again might succeed."}, + +{SEC_ERROR_PKCS11_DEVICE_ERROR, "A PKCS #11 module returned CKR_DEVICE_ERROR, indicating that a problem has occurred with the token or slot."}, + +{SEC_ERROR_BAD_INFO_ACCESS_METHOD, "Unknown information access method in certificate extension."}, + +{SEC_ERROR_CRL_IMPORT_FAILED, "Error attempting to import a CRL."}, + diff --git a/xmlsecurity/source/xmlsec/nss/makefile.mk b/xmlsecurity/source/xmlsec/nss/makefile.mk index 94fdfd96e76c..a9f3f22b93f5 100644 --- a/xmlsecurity/source/xmlsec/nss/makefile.mk +++ b/xmlsecurity/source/xmlsec/nss/makefile.mk @@ -132,7 +132,9 @@ SLOFILES = \ $(SLO)$/xmlsignature_nssimpl.obj \ $(SLO)$/x509certificate_nssimpl.obj \ $(SLO)$/seinitializer_nssimpl.obj \ - $(SLO)$/xsec_nss.obj + $(SLO)$/xsec_nss.obj \ + $(SLO)$/secerror.obj + .ENDIF diff --git a/xmlsecurity/source/xmlsec/nss/secerror.cxx b/xmlsecurity/source/xmlsec/nss/secerror.cxx new file mode 100644 index 000000000000..1bd7ed126f33 --- /dev/null +++ b/xmlsecurity/source/xmlsec/nss/secerror.cxx @@ -0,0 +1,150 @@ +/************************************************************************* + * + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * Copyright 2008 by Sun Microsystems, Inc. + * + * OpenOffice.org - a multi-platform office productivity suite + * + * $RCSfile: securityenvironment_nssimpl.cxx,v $ + * $Revision: 1.23 $ + * + * This file is part of OpenOffice.org. + * + * OpenOffice.org is free software: you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License version 3 + * only, as published by the Free Software Foundation. + * + * OpenOffice.org is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License version 3 for more details + * (a copy is included in the LICENSE file that accompanied this code). + * + * You should have received a copy of the GNU Lesser General Public License + * version 3 along with OpenOffice.org. If not, see + * + * for a copy of the LGPLv3 License. + * + ************************************************************************/ +#include "secerr.h" +#include "sslerr.h" +#include "nspr.h" +#include "certt.h" + +struct ErrDesc { + PRErrorCode errNum; + const char * errString; +}; + + + +const ErrDesc allDesc[] = { + +#include "certerrors.h" + +}; + + + +/* Returns a UTF-8 encoded constant error string for "errNum". + * Returns NULL of errNum is unknown. + */ +const char * +getCertError(PRErrorCode errNum) +{ + static char sEmpty[] = ""; + const int numDesc = sizeof(allDesc) / sizeof(ErrDesc); + for (int i = 0; i < numDesc; i++) + { + if (allDesc[i].errNum == errNum) + return allDesc[i].errString; + } + + return sEmpty; +} + +void +printChainFailure(FILE *outfile, CERTVerifyLog *log) +{ + unsigned int errorFlags = 0; + unsigned int depth = (unsigned int)-1; + const char * specificError = NULL; + CERTVerifyLogNode *node = NULL; + + if (log->count > 0) + { + fprintf(outfile,"Bad certifcation path:\n"); + for (node = log->head; node; node = node->next) + { + if (depth != node->depth) + { + depth = node->depth; + fprintf(outfile,"Certificate: %d. %s %s:\n", depth, + node->cert->subjectName, + depth ? "[Certificate Authority]": ""); + } + fprintf(outfile," ERROR %ld: %s\n", node->error, + getCertError(node->error)); + specificError = NULL; + switch (node->error) + { + case SEC_ERROR_INADEQUATE_KEY_USAGE: + errorFlags = (unsigned int)node->arg; + switch (errorFlags) + { + case KU_DIGITAL_SIGNATURE: + specificError = "Certificate cannot sign."; + break; + case KU_KEY_ENCIPHERMENT: + specificError = "Certificate cannot encrypt."; + break; + case KU_KEY_CERT_SIGN: + specificError = "Certificate cannot sign other certs."; + break; + default: + specificError = "[unknown usage]."; + break; + } + case SEC_ERROR_INADEQUATE_CERT_TYPE: + errorFlags = (unsigned int)node->arg; + switch (errorFlags) + { + case NS_CERT_TYPE_SSL_CLIENT: + case NS_CERT_TYPE_SSL_SERVER: + specificError = "Certificate cannot be used for SSL."; + break; + case NS_CERT_TYPE_SSL_CA: + specificError = "Certificate cannot be used as an SSL CA."; + break; + case NS_CERT_TYPE_EMAIL: + specificError = "Certificate cannot be used for SMIME."; + break; + case NS_CERT_TYPE_EMAIL_CA: + specificError = "Certificate cannot be used as an SMIME CA."; + break; + case NS_CERT_TYPE_OBJECT_SIGNING: + specificError = "Certificate cannot be used for object signing."; + break; + case NS_CERT_TYPE_OBJECT_SIGNING_CA: + specificError = "Certificate cannot be used as an object signing CA."; + break; + default: + specificError = "[unknown usage]."; + break; + } + case SEC_ERROR_UNKNOWN_ISSUER: + case SEC_ERROR_UNTRUSTED_ISSUER: + case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE: + specificError = node->cert->issuerName; + break; + default: + break; + } + if (specificError) + { + fprintf(stderr,"%s\n",specificError); + } + } + } +} diff --git a/xmlsecurity/source/xmlsec/nss/secerror.hxx b/xmlsecurity/source/xmlsec/nss/secerror.hxx new file mode 100644 index 000000000000..951e638e3a72 --- /dev/null +++ b/xmlsecurity/source/xmlsec/nss/secerror.hxx @@ -0,0 +1,40 @@ +/************************************************************************* + * + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * Copyright 2008 by Sun Microsystems, Inc. + * + * OpenOffice.org - a multi-platform office productivity suite + * + * $RCSfile: securityenvironment_nssimpl.hxx,v $ + * $Revision: 1.9 $ + * + * This file is part of OpenOffice.org. + * + * OpenOffice.org is free software: you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License version 3 + * only, as published by the Free Software Foundation. + * + * OpenOffice.org is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License version 3 for more details + * (a copy is included in the LICENSE file that accompanied this code). + * + * You should have received a copy of the GNU Lesser General Public License + * version 3 along with OpenOffice.org. If not, see + * + * for a copy of the LGPLv3 License. + * + ************************************************************************/ + +#ifndef _XSECERROR_HXX_ +#define _XSECERROR_HXX_ + +const char * +getCertError(PRErrorCode errNum); + +void +printChainFailure(FILE *outfile, CERTVerifyLog *log); +#endif // _XSECERROR_HXX_ + diff --git a/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx b/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx index 90779823eca3..914fd520f9de 100644 --- a/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx +++ b/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx @@ -36,6 +36,7 @@ #include "nssrenam.h" #include "cert.h" #include "secerr.h" +#include "ocsp.h" #include #include "securityenvironment_nssimpl.hxx" @@ -65,6 +66,8 @@ #include #include "boost/scoped_array.hpp" +#include "secerror.hxx" + // MM : added for password exception #include namespace csss = ::com::sun::star::security; @@ -762,9 +765,9 @@ verifyCertificate( const Reference< csss::XCertificate >& aCert, throw RuntimeException() ; } - OSL_TRACE("[xmlsecurity] Start verification of certificate: %s", + OSL_TRACE("[xmlsecurity] Start verification of certificate: \n %s \n", OUStringToOString( - aCert->getIssuerName(), osl_getThreadTextEncoding()).getStr()); + aCert->getSubjectName(), osl_getThreadTextEncoding()).getStr()); xcert = reinterpret_cast( @@ -773,12 +776,15 @@ verifyCertificate( const Reference< csss::XCertificate >& aCert, throw RuntimeException() ; } + //ToDo CERT_PKIXVerifyCert does not take a db as argument. It will therefore + //internally use CERT_GetDefaultCertDB + //Make sure m_pHandler is the default DB + CERTCertDBHandle * certDb = m_pHandler != NULL ? m_pHandler : CERT_GetDefaultCertDB(); cert = xcert->getNssCert() ; if( cert != NULL ) { //prepare the intermediate certificates - CERTCertDBHandle * certDb = m_pHandler != NULL ? m_pHandler : CERT_GetDefaultCertDB(); for (sal_Int32 i = 0; i < intermediateCerts.getLength(); i++) { Sequence der = intermediateCerts[i]->getEncoded(); @@ -807,61 +813,114 @@ verifyCertificate( const Reference< csss::XCertificate >& aCert, } - int64 timeboundary ; SECStatus status ; - //Get the system clock time - timeboundary = PR_Now() ; - SECCertificateUsage usage = 0; + CERTVerifyLog log; + log.arena = PORT_NewArena(512); + log.head = log.tail = NULL; + log.count = 0; + + + CERT_EnableOCSPChecking(certDb); + CERT_DisableOCSPDefaultResponder(certDb); + CERTValOutParam cvout[5]; + CERTValInParam cvin[4]; + + cvin[0].type = cert_pi_useAIACertFetch; + cvin[0].value.scalar.b = PR_TRUE; + + PRUint64 revFlagsLeaf[2]; + PRUint64 revFlagsChain[2]; + CERTRevocationFlags rev; + rev.leafTests.number_of_defined_methods = 2; + rev.leafTests.cert_rev_flags_per_method = revFlagsLeaf; + //the flags are defined in cert.h + //We check both leaf and chain. + //It is enough if one revocation method has fresh info, + //but at least one must have some. Otherwise validation fails. + rev.leafTests.cert_rev_flags_per_method[cert_revocation_method_crl] = + CERT_REV_M_TEST_USING_THIS_METHOD + | CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE; + rev.leafTests.cert_rev_flags_per_method[cert_revocation_method_ocsp] = + CERT_REV_M_TEST_USING_THIS_METHOD + | CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE; + rev.leafTests.number_of_preferred_methods = 0; + rev.leafTests.preferred_methods = NULL; + rev.leafTests.cert_rev_method_independent_flags = + CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST + | CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE; + + rev.chainTests.number_of_defined_methods = 2; + rev.chainTests.cert_rev_flags_per_method = revFlagsChain; + rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_crl] = + CERT_REV_M_TEST_USING_THIS_METHOD + | CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE; + rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_ocsp] = + CERT_REV_M_TEST_USING_THIS_METHOD + | CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE; + rev.chainTests.number_of_preferred_methods = 0; + rev.chainTests.preferred_methods = NULL; + rev.chainTests.cert_rev_method_independent_flags = + CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST + | CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE; + + cvin[1].type = cert_pi_revocationFlags; + cvin[1].value.pointer.revocation = &rev; + // does not work +// cvin[2].type = cert_pi_keyusage; +// cvin[2].value.scalar.ui = KU_DIGITAL_SIGNATURE; + cvin[2].type = cert_pi_end; + + cvout[0].type = cert_po_trustAnchor; + cvout[0].value.pointer.cert = NULL; + cvout[1].type = cert_po_errorLog; + cvout[1].value.pointer.log = &log; + cvout[2].type = cert_po_usages; + cvout[2].value.scalar.usages = 0; + cvout[3].type = cert_po_keyUsage; + cvout[3].value.scalar.usages = 0; + cvout[4].type = cert_po_end; - // create log - CERTVerifyLog realLog; - CERTVerifyLog *log; + validity = csss::CertificateValidity::INVALID; - log = &realLog; + //never use the following usages because they are not checked properly + // certificateUsageUserCertImport + // certificateUsageVerifyCA + // certificateUsageAnyCA + // certificateUsageProtectedObjectSigner - log->count = 0; - log->head = NULL; - log->tail = NULL; - log->arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE ); - //CERTVerifyLog *log; - //PRArenaPool *arena; - //arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE ); - //log = PORT_ArenaZNew( arena, CERTVerifyLog ); - //log->arena = arena; - validity = csss::CertificateValidity::INVALID; - if( m_pHandler != NULL ) - { - //JL: We must not pass a particular usage in the requiredUsages argument (the 4th) because, - //then ONLY these are verified. For example, we pass - //certificateUsageSSLClient | certificateUsageSSLServer. Then checking a certificate which - // is a valid certificateUsageEmailSigner but no certificateUsageSSLClient | certificateUsageSSLServer - //will result in CertificateValidity::INVALID. - //Only if the argument "requiredUsages" has a value (other than zero) - //then the function will return SECFailure in case - //the certificate is not suitable for the provided usage. That is, in the previous - //example the function returns SECFailure. - status = CERT_VerifyCertificate( - m_pHandler, ( CERTCertificate* )cert, PR_TRUE, - (SECCertificateUsage)0, timeboundary , NULL, log, &usage); - } - else - { - status = CERT_VerifyCertificate( - CERT_GetDefaultCertDB(), ( CERTCertificate* )cert, - PR_TRUE, (SECCertificateUsage)0, timeboundary ,NULL, log, &usage); - } + SECCertificateUsage usage = + certificateUsageEmailSigner | + certificateUsageEmailRecipient | + certificateUsageSSLCA | + certificateUsageSSLServer | + certificateUsageSSLClient | + certificateUsageStatusResponder; + + fprintf(stderr,"### usage %x \n", (int) usage); + fprintf(stderr,"### usage %d\n", (int) (certificateUsageSSLCA | certificateUsageSSLServer)); + status = CERT_PKIXVerifyCert(const_cast(cert), 0, + cvin, cvout, NULL); + +// //JL: We must not pass a particular usage in the requiredUsages argument (the 4th) because, +// //then ONLY these are verified. For example, we pass +// //certificateUsageSSLClient | certificateUsageSSLServer. Then checking a certificate which +// // is a valid certificateUsageEmailSigner but no certificateUsageSSLClient | certificateUsageSSLServer +// //will result in CertificateValidity::INVALID. +// //Only if the argument "requiredUsages" has a value (other than zero) +// //then the function will return SECFailure in case +// //the certificate is not suitable for the provided usage. That is, in the previous +// //example the function returns SECFailure. + if( status == SECSuccess ) { - // JL & TKR : certificateUsageUserCertImport, - // certificateUsageVerifyCA and certificateUsageAnyCA dont check the chain - + OSL_TRACE("[xmlsecurity] CERT_PKIXVerifyCert returned SECSuccess."); //When an intermediate or root certificate is checked then we expect the usage //certificateUsageSSLCA. This, however, will be only set when in the trust settings dialog //the button "This certificate can identify websites" is checked. If for example only @@ -871,58 +930,38 @@ verifyCertificate( const Reference< csss::XCertificate >& aCert, //certificate path view the end certificate will be shown as valid but the others //will be displayed as invalid. - if (usage & certificateUsageEmailSigner - || usage & certificateUsageEmailRecipient - || usage & certificateUsageSSLCA - || usage & certificateUsageSSLServer - || usage & certificateUsageSSLClient - // || usage & certificateUsageUserCertImport - // || usage & certificateUsageVerifyCA - || usage & certificateUsageStatusResponder ) - // || usage & certificateUsageAnyCA ) - validity = csss::CertificateValidity::VALID; - else - validity = csss::CertificateValidity::INVALID; + validity = csss::CertificateValidity::VALID; + CERTCertificate * issuerCert = cvout[0].value.pointer.cert; + if (issuerCert) + { + OSL_TRACE("[xmlsecurity] Root certificate: %s \n", issuerCert->subjectName); + CERT_DestroyCertificate(issuerCert); + }; + + OSL_TRACE("[xmlsecurity] Usage: %X \n", cvout[2].value.scalar.usages); + OSL_TRACE("[xmlsecurity] Key usage: %X \n", cvout[3].value.scalar.usages); + + } + else + { +#if OSL_DEBUG_LEVEL > 1 + PRIntn err = PR_GetError(); + fprintf(stderr, "Error: , %d = %s\n", err, getCertError(err)); +#endif + /* Display validation results */ + if ( log.count > 0) + { + CERTVerifyLogNode *node = NULL; +#if OSL_DEBUG_LEVEL > 1 + printChainFailure(stderr, &log); +#endif + for (node = log.head; node; node = node->next) { + if (node->cert) + CERT_DestroyCertificate(node->cert); + } + } } - // always check what kind of error occured, even SECStatus says Success - //JL: When we call CERT_VerifyCertificate whit the parameter requiredUsages == 0 then all - //possible usages are checked. Then there are certainly usages for which the certificate - //is not intended. For these usages there will be NO flag set in the argument returnedUsages - // (the last arg) and there will be error codes set in the log. Therefore we cannot - //set the CertificateValidity to INVALID because there is a log entry. -// CERTVerifyLogNode *logNode = 0; - -// logNode = log->head; -// while ( logNode != NULL ) -// { -// sal_Int32 errorCode = 0; -// errorCode = logNode->error; - -// switch ( errorCode ) -// { -// // JL & TKR: Any error are treated as invalid because we cannot say that we get all occurred errors from NSS -// /* -// case ( SEC_ERROR_REVOKED_CERTIFICATE ): -// validity |= csss::CertificateValidity::REVOKED; -// break; -// case ( SEC_ERROR_EXPIRED_CERTIFICATE ): -// validity |= csss::CertificateValidity::TIME_INVALID; -// break; -// case ( SEC_ERROR_CERT_USAGES_INVALID): -// validity |= csss::CertificateValidity::INVALID; -// break; -// case ( SEC_ERROR_UNTRUSTED_ISSUER ): -// case ( SEC_ERROR_UNTRUSTED_CERT ): -// validity |= csss::CertificateValidity::UNTRUSTED; -// break; -// */ -// default: -// validity |= csss::CertificateValidity::INVALID; -// break; -// } -// logNode = logNode->next; -// } } else { diff --git a/xmlsecurity/source/xmlsec/nss/seinitializer_nssimpl.cxx b/xmlsecurity/source/xmlsec/nss/seinitializer_nssimpl.cxx index 3255a2d5bf58..efa31c8e0ccb 100644 --- a/xmlsecurity/source/xmlsec/nss/seinitializer_nssimpl.cxx +++ b/xmlsecurity/source/xmlsec/nss/seinitializer_nssimpl.cxx @@ -112,7 +112,7 @@ struct InitNSSInitialize bInitialized = nsscrypto_initialize(m_sProfile.getStr(), bNSSInit); if (bNSSInit) atexit(nsscrypto_finalize ); - return & bInitialized; + return & bInitialized; } }; -- cgit v1.2.3 From 1e0bc66d16aee28ce8bd9582ea32178c63841902 Mon Sep 17 00:00:00 2001 From: Joachim Lingner Date: Thu, 5 Nov 2009 16:55:26 +0100 Subject: jl137: #103420# better logging --- xmlsecurity/source/xmlsec/nss/secerror.cxx | 19 ++- .../xmlsec/nss/securityenvironment_nssimpl.cxx | 176 +++++++++++---------- 2 files changed, 104 insertions(+), 91 deletions(-) diff --git a/xmlsecurity/source/xmlsec/nss/secerror.cxx b/xmlsecurity/source/xmlsec/nss/secerror.cxx index 1bd7ed126f33..04406cce499e 100644 --- a/xmlsecurity/source/xmlsec/nss/secerror.cxx +++ b/xmlsecurity/source/xmlsec/nss/secerror.cxx @@ -69,7 +69,8 @@ printChainFailure(FILE *outfile, CERTVerifyLog *log) { unsigned int errorFlags = 0; unsigned int depth = (unsigned int)-1; - const char * specificError = NULL; + const char * specificError = NULL; + const char * issuer = NULL; CERTVerifyLogNode *node = NULL; if (log->count > 0) @@ -87,6 +88,7 @@ printChainFailure(FILE *outfile, CERTVerifyLog *log) fprintf(outfile," ERROR %ld: %s\n", node->error, getCertError(node->error)); specificError = NULL; + issuer = NULL; switch (node->error) { case SEC_ERROR_INADEQUATE_KEY_USAGE: @@ -134,17 +136,24 @@ printChainFailure(FILE *outfile, CERTVerifyLog *log) break; } case SEC_ERROR_UNKNOWN_ISSUER: + specificError = "Unknown issuer:"; + issuer = node->cert->issuerName; + break; case SEC_ERROR_UNTRUSTED_ISSUER: + specificError = "Untrusted issuer:"; + issuer = node->cert->issuerName; + break; case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE: - specificError = node->cert->issuerName; + specificError = "Expired issuer certificate:"; + issuer = node->cert->issuerName; break; default: break; } if (specificError) - { - fprintf(stderr,"%s\n",specificError); - } + fprintf(stderr,"%s\n", specificError); + if (issuer) + fprintf(stderr, "%s\n", issuer); } } } diff --git a/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx b/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx index 914fd520f9de..6f4e75ed2b8e 100644 --- a/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx +++ b/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx @@ -86,6 +86,14 @@ extern X509Certificate_NssImpl* NssCertToXCert( CERTCertificate* cert ) ; extern X509Certificate_NssImpl* NssPrivKeyToXCert( SECKEYPrivateKey* ) ; +struct UsageDescription +{ + SECCertificateUsage usage; + char const * const description; +}; + + + char* GetPasswordFunction( PK11SlotInfo* pSlot, PRBool bRetry, void* /*arg*/ ) { uno::Reference< lang::XMultiServiceFactory > xMSF( ::comphelper::getProcessServiceFactory() ); @@ -756,7 +764,7 @@ verifyCertificate( const Reference< csss::XCertificate >& aCert, const Sequence< Reference< csss::XCertificate > >& intermediateCerts ) throw( ::com::sun::star::uno::SecurityException, ::com::sun::star::uno::RuntimeException ) { - sal_Int32 validity = 0; + sal_Int32 validity = csss::CertificateValidity::INVALID; const X509Certificate_NssImpl* xcert ; const CERTCertificate* cert ; ::std::vector vecTmpNSSCertificates; @@ -769,16 +777,16 @@ verifyCertificate( const Reference< csss::XCertificate >& aCert, OUStringToOString( aCert->getSubjectName(), osl_getThreadTextEncoding()).getStr()); - xcert = reinterpret_cast( sal::static_int_cast(xCertTunnel->getSomething( X509Certificate_NssImpl::getUnoTunnelId() ))) ; if( xcert == NULL ) { throw RuntimeException() ; } - //ToDo CERT_PKIXVerifyCert does not take a db as argument. It will therefore + //CERT_PKIXVerifyCert does not take a db as argument. It will therefore //internally use CERT_GetDefaultCertDB //Make sure m_pHandler is the default DB + OSL_ASSERT(m_pHandler == CERT_GetDefaultCertDB()); CERTCertDBHandle * certDb = m_pHandler != NULL ? m_pHandler : CERT_GetDefaultCertDB(); cert = xcert->getNssCert() ; if( cert != NULL ) @@ -820,11 +828,10 @@ verifyCertificate( const Reference< csss::XCertificate >& aCert, log.head = log.tail = NULL; log.count = 0; - CERT_EnableOCSPChecking(certDb); CERT_DisableOCSPDefaultResponder(certDb); CERTValOutParam cvout[5]; - CERTValInParam cvin[4]; + CERTValInParam cvin[3]; cvin[0].type = cert_pi_useAIACertFetch; cvin[0].value.scalar.b = PR_TRUE; @@ -838,6 +845,15 @@ verifyCertificate( const Reference< csss::XCertificate >& aCert, //We check both leaf and chain. //It is enough if one revocation method has fresh info, //but at least one must have some. Otherwise validation fails. + //!!! using leaf test and CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE + // when validating a root certificate will result in "revoked". Usually + //there is no revocation information available for the root cert because + //it must be trusted anyway and it does itself issue revocation information. + //When we use the flag here and OOo shows the certification path then the root + //cert is invalid while all other can be valid. It would probably best if + //this interface method returned the whole chain. + //Otherwise we need to check if the certificate is self-signed and if it is + //then not use the flag when doing the leaf-test. rev.leafTests.cert_rev_flags_per_method[cert_revocation_method_crl] = CERT_REV_M_TEST_USING_THIS_METHOD | CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE; @@ -847,8 +863,8 @@ verifyCertificate( const Reference< csss::XCertificate >& aCert, rev.leafTests.number_of_preferred_methods = 0; rev.leafTests.preferred_methods = NULL; rev.leafTests.cert_rev_method_independent_flags = - CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST - | CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE; + CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST; +// | CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE; rev.chainTests.number_of_defined_methods = 2; rev.chainTests.cert_rev_flags_per_method = revFlagsChain; @@ -861,12 +877,13 @@ verifyCertificate( const Reference< csss::XCertificate >& aCert, rev.chainTests.number_of_preferred_methods = 0; rev.chainTests.preferred_methods = NULL; rev.chainTests.cert_rev_method_independent_flags = - CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST - | CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE; + CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST; +// | CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE; + cvin[1].type = cert_pi_revocationFlags; cvin[1].value.pointer.revocation = &rev; - // does not work + // does not work, not implemented yet in 3.12.4 // cvin[2].type = cert_pi_keyusage; // cvin[2].value.scalar.ui = KU_DIGITAL_SIGNATURE; cvin[2].type = cert_pi_end; @@ -875,15 +892,15 @@ verifyCertificate( const Reference< csss::XCertificate >& aCert, cvout[0].value.pointer.cert = NULL; cvout[1].type = cert_po_errorLog; cvout[1].value.pointer.log = &log; - cvout[2].type = cert_po_usages; - cvout[2].value.scalar.usages = 0; - cvout[3].type = cert_po_keyUsage; - cvout[3].value.scalar.usages = 0; - cvout[4].type = cert_po_end; - - - validity = csss::CertificateValidity::INVALID; + cvout[2].type = cert_po_end; + // We check SSL server certificates, CA certificates and signing sertificates. + // + // ToDo check keyusage, looking at CERT_KeyUsageAndTypeForCertUsage ( + // mozilla/security/nss/lib/certdb/certdb.c indicates that + // certificateUsageSSLClient, certificateUsageSSLServer and certificateUsageSSLCA + // are sufficient. They cover the key usages for digital signature, key agreement + // and encipherment and certificate signature //never use the following usages because they are not checked properly // certificateUsageUserCertImport @@ -891,81 +908,74 @@ verifyCertificate( const Reference< csss::XCertificate >& aCert, // certificateUsageAnyCA // certificateUsageProtectedObjectSigner - - - - SECCertificateUsage usage = - certificateUsageEmailSigner | - certificateUsageEmailRecipient | - certificateUsageSSLCA | - certificateUsageSSLServer | - certificateUsageSSLClient | - certificateUsageStatusResponder; - - fprintf(stderr,"### usage %x \n", (int) usage); - fprintf(stderr,"### usage %d\n", (int) (certificateUsageSSLCA | certificateUsageSSLServer)); - status = CERT_PKIXVerifyCert(const_cast(cert), 0, - cvin, cvout, NULL); - -// //JL: We must not pass a particular usage in the requiredUsages argument (the 4th) because, -// //then ONLY these are verified. For example, we pass -// //certificateUsageSSLClient | certificateUsageSSLServer. Then checking a certificate which -// // is a valid certificateUsageEmailSigner but no certificateUsageSSLClient | certificateUsageSSLServer -// //will result in CertificateValidity::INVALID. -// //Only if the argument "requiredUsages" has a value (other than zero) -// //then the function will return SECFailure in case -// //the certificate is not suitable for the provided usage. That is, in the previous -// //example the function returns SECFailure. - - - if( status == SECSuccess ) + UsageDescription arUsages[] = { - OSL_TRACE("[xmlsecurity] CERT_PKIXVerifyCert returned SECSuccess."); - //When an intermediate or root certificate is checked then we expect the usage - //certificateUsageSSLCA. This, however, will be only set when in the trust settings dialog - //the button "This certificate can identify websites" is checked. If for example only - //"This certificate can identify mail users" is set then the end certificate can - //be validated and the returned usage will conain certificateUsageEmailRecipient. - //But checking directly the root or intermediate certificate will fail. In the - //certificate path view the end certificate will be shown as valid but the others - //will be displayed as invalid. - - validity = csss::CertificateValidity::VALID; - CERTCertificate * issuerCert = cvout[0].value.pointer.cert; - if (issuerCert) - { - OSL_TRACE("[xmlsecurity] Root certificate: %s \n", issuerCert->subjectName); - CERT_DestroyCertificate(issuerCert); - }; + {certificateUsageSSLClient, "certificateUsageSSLClient" }, + {certificateUsageSSLServer, "certificateUsageSSLServer" }, + {certificateUsageSSLCA, "certificateUsageSSLCA" }, + {certificateUsageEmailSigner, "certificateUsageEmailSigner"}, //only usable for end certs +// {certificateUsageEmailRecipient, "certificateUsageEmailRecipient"}, +// {certificateUsageObjectSigner, "certificateUsageObjectSigner"} + }; + + int numUsages = sizeof(arUsages) / sizeof(UsageDescription); + for (int i = 0; i < numUsages; i++) + { + OSL_TRACE("[xmlsecurity] Testing usage %d of %d: %s (0x%x)", i + 1, + numUsages, arUsages[i].description, (int) arUsages[i].usage); - OSL_TRACE("[xmlsecurity] Usage: %X \n", cvout[2].value.scalar.usages); - OSL_TRACE("[xmlsecurity] Key usage: %X \n", cvout[3].value.scalar.usages); + status = CERT_PKIXVerifyCert(const_cast(cert), arUsages[i].usage, + cvin, cvout, NULL); + if( status == SECSuccess ) + { + OSL_TRACE("[xmlsecurity] CERT_PKIXVerifyCert returned SECSuccess."); + //When an intermediate or root certificate is checked then we expect the usage + //certificateUsageSSLCA. This, however, will be only set when in the trust settings dialog + //the button "This certificate can identify websites" is checked. If for example only + //"This certificate can identify mail users" is set then the end certificate can + //be validated and the returned usage will conain certificateUsageEmailRecipient. + //But checking directly the root or intermediate certificate will fail. In the + //certificate path view the end certificate will be shown as valid but the others + //will be displayed as invalid. + + validity = csss::CertificateValidity::VALID; + OSL_TRACE("[xmlsecurity] Certificate is valid.\n"); + CERTCertificate * issuerCert = cvout[0].value.pointer.cert; + if (issuerCert) + { + OSL_TRACE("[xmlsecurity] Root certificate: %s", issuerCert->subjectName); + CERT_DestroyCertificate(issuerCert); + }; - } - else - { + break; + } + else + { #if OSL_DEBUG_LEVEL > 1 - PRIntn err = PR_GetError(); - fprintf(stderr, "Error: , %d = %s\n", err, getCertError(err)); + PRIntn err = PR_GetError(); + fprintf(stderr, "Error: , %d = %s\n", err, getCertError(err)); #endif - /* Display validation results */ - if ( log.count > 0) - { - CERTVerifyLogNode *node = NULL; + /* Display validation results */ + if ( log.count > 0) + { + CERTVerifyLogNode *node = NULL; #if OSL_DEBUG_LEVEL > 1 - printChainFailure(stderr, &log); + printChainFailure(stderr, &log); #endif - for (node = log.head; node; node = node->next) { - if (node->cert) - CERT_DestroyCertificate(node->cert); + for (node = log.head; node; node = node->next) { + if (node->cert) + CERT_DestroyCertificate(node->cert); + } + log.head = log.tail = NULL; + log.count = 0; } + OSL_TRACE("[xmlsecurity] Certificate is invalid."); } - } + } else { - validity = ::com::sun::star::security::CertificateValidity::INVALID ; } @@ -976,12 +986,6 @@ verifyCertificate( const Reference< csss::XCertificate >& aCert, OSL_TRACE("[xmlsecurity] Destroying temporary certificate"); CERT_DestroyCertificate(*cert_i); } -#if OSL_DEBUG_LEVEL > 1 - if (validity == ::com::sun::star::security::CertificateValidity::VALID) - OSL_TRACE("[xmlsecurity] Certificate is valid."); - else - OSL_TRACE("[xmlsecurity] Certificate is invalid."); -#endif return validity ; } -- cgit v1.2.3 From 571f1b108037267691784e09812ac9a3b624e805 Mon Sep 17 00:00:00 2001 From: Joachim Lingner Date: Mon, 9 Nov 2009 16:49:25 +0100 Subject: jl137: #i103420# better allow tracing in product built depending on bootstrap var XMLSECURITY_TRACE --- xmlsecurity/source/xmlsec/makefile.mk | 3 +- xmlsecurity/source/xmlsec/nss/secerror.cxx | 18 ++++++++---- xmlsecurity/source/xmlsec/nss/secerror.hxx | 2 +- .../xmlsec/nss/securityenvironment_nssimpl.cxx | 34 ++++++++++------------ .../source/xmlsec/nss/seinitializer_nssimpl.cxx | 24 ++++++++------- 5 files changed, 44 insertions(+), 37 deletions(-) diff --git a/xmlsecurity/source/xmlsec/makefile.mk b/xmlsecurity/source/xmlsec/makefile.mk index 233b5c370620..0479c24e8c91 100644 --- a/xmlsecurity/source/xmlsec/makefile.mk +++ b/xmlsecurity/source/xmlsec/makefile.mk @@ -66,7 +66,8 @@ SLOFILES = \ $(SLO)$/certificateextension_xmlsecimpl.obj \ $(SLO)$/xmlstreamio.obj \ $(SLO)$/errorcallback.obj \ - $(SLO)$/xsec_xmlsec.obj + $(SLO)$/xsec_xmlsec.obj \ + $(SLO)$/diagnose.obj # --- Targets ------------------------------------------------------ diff --git a/xmlsecurity/source/xmlsec/nss/secerror.cxx b/xmlsecurity/source/xmlsec/nss/secerror.cxx index 04406cce499e..71e108434484 100644 --- a/xmlsecurity/source/xmlsec/nss/secerror.cxx +++ b/xmlsecurity/source/xmlsec/nss/secerror.cxx @@ -27,11 +27,17 @@ * for a copy of the LGPLv3 License. * ************************************************************************/ + + #include "secerr.h" #include "sslerr.h" #include "nspr.h" #include "certt.h" +#include "../diagnose.hxx" + +using namespace xmlsecurity; + struct ErrDesc { PRErrorCode errNum; const char * errString; @@ -65,7 +71,7 @@ getCertError(PRErrorCode errNum) } void -printChainFailure(FILE *outfile, CERTVerifyLog *log) +printChainFailure(CERTVerifyLog *log) { unsigned int errorFlags = 0; unsigned int depth = (unsigned int)-1; @@ -75,17 +81,17 @@ printChainFailure(FILE *outfile, CERTVerifyLog *log) if (log->count > 0) { - fprintf(outfile,"Bad certifcation path:\n"); + xmlsec_trace("Bad certifcation path:"); for (node = log->head; node; node = node->next) { if (depth != node->depth) { depth = node->depth; - fprintf(outfile,"Certificate: %d. %s %s:\n", depth, + xmlsec_trace("Certificate: %d. %s %s:", depth, node->cert->subjectName, depth ? "[Certificate Authority]": ""); } - fprintf(outfile," ERROR %ld: %s\n", node->error, + xmlsec_trace(" ERROR %ld: %s", node->error, getCertError(node->error)); specificError = NULL; issuer = NULL; @@ -151,9 +157,9 @@ printChainFailure(FILE *outfile, CERTVerifyLog *log) break; } if (specificError) - fprintf(stderr,"%s\n", specificError); + xmlsec_trace("%s", specificError); if (issuer) - fprintf(stderr, "%s\n", issuer); + xmlsec_trace("%s", issuer); } } } diff --git a/xmlsecurity/source/xmlsec/nss/secerror.hxx b/xmlsecurity/source/xmlsec/nss/secerror.hxx index 951e638e3a72..732fef5fd03e 100644 --- a/xmlsecurity/source/xmlsec/nss/secerror.hxx +++ b/xmlsecurity/source/xmlsec/nss/secerror.hxx @@ -35,6 +35,6 @@ const char * getCertError(PRErrorCode errNum); void -printChainFailure(FILE *outfile, CERTVerifyLog *log); +printChainFailure(CERTVerifyLog *log); #endif // _XSECERROR_HXX_ diff --git a/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx b/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx index 6f4e75ed2b8e..ed4fc24de4ce 100644 --- a/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx +++ b/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx @@ -42,7 +42,7 @@ #include "securityenvironment_nssimpl.hxx" #include "x509certificate_nssimpl.hxx" #include - +#include "../diagnose.hxx" #include //For reasons that escape me, this is what xmlsec does when size_t is not 4 @@ -71,6 +71,7 @@ // MM : added for password exception #include namespace csss = ::com::sun::star::security; +using namespace xmlsecurity; using namespace ::com::sun::star::security; using namespace com::sun::star; using namespace ::com::sun::star::uno ; @@ -773,7 +774,7 @@ verifyCertificate( const Reference< csss::XCertificate >& aCert, throw RuntimeException() ; } - OSL_TRACE("[xmlsecurity] Start verification of certificate: \n %s \n", + xmlsec_trace("Start verification of certificate: \n %s \n", OUStringToOString( aCert->getSubjectName(), osl_getThreadTextEncoding()).getStr()); @@ -807,14 +808,14 @@ verifyCertificate( const Reference< csss::XCertificate >& aCert, PR_TRUE /* copyDER */); if (!certTmp) { - OSL_TRACE("[xmlsecurity] Failed to add a temporary certificate: %s", + xmlsec_trace("Failed to add a temporary certificate: %s", OUStringToOString(intermediateCerts[i]->getIssuerName(), osl_getThreadTextEncoding()).getStr()); } else { - OSL_TRACE("[xmlsecurity] Added temporary certificate: %s", + xmlsec_trace("Added temporary certificate: %s", certTmp->subjectName ? certTmp->subjectName : ""); vecTmpNSSCertificates.push_back(certTmp); } @@ -914,21 +915,20 @@ verifyCertificate( const Reference< csss::XCertificate >& aCert, {certificateUsageSSLServer, "certificateUsageSSLServer" }, {certificateUsageSSLCA, "certificateUsageSSLCA" }, {certificateUsageEmailSigner, "certificateUsageEmailSigner"}, //only usable for end certs -// {certificateUsageEmailRecipient, "certificateUsageEmailRecipient"}, -// {certificateUsageObjectSigner, "certificateUsageObjectSigner"} + {certificateUsageEmailRecipient, "certificateUsageEmailRecipient"} }; int numUsages = sizeof(arUsages) / sizeof(UsageDescription); for (int i = 0; i < numUsages; i++) { - OSL_TRACE("[xmlsecurity] Testing usage %d of %d: %s (0x%x)", i + 1, + xmlsec_trace("Testing usage %d of %d: %s (0x%x)", i + 1, numUsages, arUsages[i].description, (int) arUsages[i].usage); status = CERT_PKIXVerifyCert(const_cast(cert), arUsages[i].usage, cvin, cvout, NULL); if( status == SECSuccess ) { - OSL_TRACE("[xmlsecurity] CERT_PKIXVerifyCert returned SECSuccess."); + xmlsec_trace("CERT_PKIXVerifyCert returned SECSuccess."); //When an intermediate or root certificate is checked then we expect the usage //certificateUsageSSLCA. This, however, will be only set when in the trust settings dialog //the button "This certificate can identify websites" is checked. If for example only @@ -939,11 +939,11 @@ verifyCertificate( const Reference< csss::XCertificate >& aCert, //will be displayed as invalid. validity = csss::CertificateValidity::VALID; - OSL_TRACE("[xmlsecurity] Certificate is valid.\n"); + xmlsec_trace("Certificate is valid.\n"); CERTCertificate * issuerCert = cvout[0].value.pointer.cert; if (issuerCert) { - OSL_TRACE("[xmlsecurity] Root certificate: %s", issuerCert->subjectName); + xmlsec_trace("Root certificate: %s", issuerCert->subjectName); CERT_DestroyCertificate(issuerCert); }; @@ -951,17 +951,15 @@ verifyCertificate( const Reference< csss::XCertificate >& aCert, } else { -#if OSL_DEBUG_LEVEL > 1 PRIntn err = PR_GetError(); - fprintf(stderr, "Error: , %d = %s\n", err, getCertError(err)); -#endif + xmlsec_trace("Error: , %d = %s", err, getCertError(err)); + /* Display validation results */ if ( log.count > 0) { CERTVerifyLogNode *node = NULL; -#if OSL_DEBUG_LEVEL > 1 - printChainFailure(stderr, &log); -#endif + printChainFailure(&log); + for (node = log.head; node; node = node->next) { if (node->cert) CERT_DestroyCertificate(node->cert); @@ -969,7 +967,7 @@ verifyCertificate( const Reference< csss::XCertificate >& aCert, log.head = log.tail = NULL; log.count = 0; } - OSL_TRACE("[xmlsecurity] Certificate is invalid."); + xmlsec_trace("Certificate is invalid.\n"); } } @@ -983,7 +981,7 @@ verifyCertificate( const Reference< csss::XCertificate >& aCert, std::vector::const_iterator cert_i; for (cert_i = vecTmpNSSCertificates.begin(); cert_i != vecTmpNSSCertificates.end(); cert_i++) { - OSL_TRACE("[xmlsecurity] Destroying temporary certificate"); + xmlsec_trace("Destroying temporary certificate"); CERT_DestroyCertificate(*cert_i); } return validity ; diff --git a/xmlsecurity/source/xmlsec/nss/seinitializer_nssimpl.cxx b/xmlsecurity/source/xmlsec/nss/seinitializer_nssimpl.cxx index efa31c8e0ccb..f858a5a31421 100644 --- a/xmlsecurity/source/xmlsec/nss/seinitializer_nssimpl.cxx +++ b/xmlsecurity/source/xmlsec/nss/seinitializer_nssimpl.cxx @@ -64,6 +64,7 @@ #include #include "seinitializer_nssimpl.hxx" +#include "../diagnose.hxx" #include "securityenvironment_nssimpl.hxx" #include @@ -79,6 +80,7 @@ namespace cssu = com::sun::star::uno; namespace cssl = com::sun::star::lang; namespace cssxc = com::sun::star::xml::crypto; +using namespace xmlsecurity; using namespace com::sun::star; using ::rtl::OUString; using ::rtl::OString; @@ -142,7 +144,7 @@ void deleteRootsModule() { if (PK11_HasRootCerts(slot)) { - OSL_TRACE("[xmlsecurity] The root certifificates module \"%s" + xmlsec_trace("The root certifificates module \"%s" "\" is already loaded: \n%s", module->commonName, module->dllName); @@ -160,11 +162,11 @@ void deleteRootsModule() PRInt32 modType; if (SECSuccess == SECMOD_DeleteModule(RootsModule->commonName, &modType)) { - OSL_TRACE("[xmlsecurity] Deleted module \"%s\".", RootsModule->commonName); + xmlsec_trace("Deleted module \"%s\".", RootsModule->commonName); } else { - OSL_TRACE("[xmlsecurity] Failed to delete \"%s\" : \n%s", + xmlsec_trace("Failed to delete \"%s\" : \n%s", RootsModule->commonName, RootsModule->dllName); } SECMOD_DestroyModule(RootsModule); @@ -197,7 +199,7 @@ bool nsscrypto_initialize( const char* token, bool & out_nss_init ) { bool return_value = true; - OSL_TRACE("[xmlsecurity] Using profile: %s", token); + xmlsec_trace("Using profile: %s", token); PR_Init( PR_USER_THREAD, PR_PRIORITY_NORMAL, 1 ) ; @@ -250,18 +252,18 @@ bool nsscrypto_initialize( const char* token, bool & out_nss_init ) SECMOD_DestroyModule(RootsModule); RootsModule = 0; if (found) - OSL_TRACE("[xmlsecurity] Added new root certificate module " + xmlsec_trace("Added new root certificate module " "\""ROOT_CERTS"\" contained in \n%s", ospath.getStr()); else { - OSL_TRACE("[xmlsecurity] FAILED to load the new root certificate module " + xmlsec_trace("FAILED to load the new root certificate module " "\""ROOT_CERTS"\" contained in \n%s", ospath.getStr()); return_value = false; } } else { - OSL_TRACE("[xmlsecurity] FAILED to add new root certifice module: " + xmlsec_trace("FAILED to add new root certifice module: " "\""ROOT_CERTS"\" contained in \n%s", ospath.getStr()); return_value = false; @@ -269,7 +271,7 @@ bool nsscrypto_initialize( const char* token, bool & out_nss_init ) } else { - OSL_TRACE("[xmlsecurity] Adding new root certificate module failed."); + xmlsec_trace("Adding new root certificate module failed."); return_value = false; } #if SYSTEM_MOZILLA @@ -290,17 +292,17 @@ extern "C" void nsscrypto_finalize() if (SECSuccess == SECMOD_UnloadUserModule(RootsModule)) { - OSL_TRACE("[xmlsecurity] Unloaded module \""ROOT_CERTS"\"."); + xmlsec_trace("Unloaded module \""ROOT_CERTS"\"."); } else { - OSL_TRACE("[xmlsecurity] Failed unloadeding module \""ROOT_CERTS"\"."); + xmlsec_trace("Failed unloadeding module \""ROOT_CERTS"\"."); } SECMOD_DestroyModule(RootsModule); } else { - OSL_TRACE("[xmlsecurity] Unloading module \""ROOT_CERTS + xmlsec_trace("Unloading module \""ROOT_CERTS "\" failed because it was not found."); } PK11_LogoutAll(); -- cgit v1.2.3 From f2a492bbf52cffbbd146685cf1c5f82202ec53c7 Mon Sep 17 00:00:00 2001 From: Joachim Lingner Date: Mon, 9 Nov 2009 16:50:39 +0100 Subject: jl137: #i103420# better allow tracing in product built depending on bootstrap var XMLSECURITY_TRACE --- xmlsecurity/source/xmlsec/diagnose.cxx | 77 ++++++++++++++++++++++++++++++++++ xmlsecurity/source/xmlsec/diagnose.hxx | 43 +++++++++++++++++++ 2 files changed, 120 insertions(+) create mode 100644 xmlsecurity/source/xmlsec/diagnose.cxx create mode 100644 xmlsecurity/source/xmlsec/diagnose.hxx diff --git a/xmlsecurity/source/xmlsec/diagnose.cxx b/xmlsecurity/source/xmlsec/diagnose.cxx new file mode 100644 index 000000000000..dc24d21e2752 --- /dev/null +++ b/xmlsecurity/source/xmlsec/diagnose.cxx @@ -0,0 +1,77 @@ +/************************************************************************* + * + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * Copyright 2008 by Sun Microsystems, Inc. + * + * OpenOffice.org - a multi-platform office productivity suite + * + * $RCSfile: xmlstreamio.hxx,v $ + * $Revision: 1.3 $ + * + * This file is part of OpenOffice.org. + * + * OpenOffice.org is free software: you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License version 3 + * only, as published by the Free Software Foundation. + * + * OpenOffice.org is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License version 3 for more details + * (a copy is included in the LICENSE file that accompanied this code). + * + * You should have received a copy of the GNU Lesser General Public License + * version 3 along with OpenOffice.org. If not, see + * + * for a copy of the LGPLv3 License. + * + ************************************************************************/ + +#include "diagnose.hxx" +#include +#include +#include "rtl/instance.hxx" +#include "rtl/bootstrap.hxx" + +namespace xmlsecurity { + +struct UseDiagnose : public rtl::StaticWithInit< + const bool, UseDiagnose> +{ + const bool operator () () + { + ::rtl::OUString value; + sal_Bool res = rtl::Bootstrap::get( + ::rtl::OUString(RTL_CONSTASCII_USTRINGPARAM("XMLSECURITY_TRACE")), value); + return res == sal_True ? true : false; + } +}; + +/* the function will print the string when + - build with debug + - the bootstrap variable XMLSECURITY_DIAGNOSE is set. + */ +void xmlsec_trace(const char* pszFormat, ...) +{ + bool bDebug = false; + +#if OSL_DEBUG_LEVEL > 1 + bDebug = true; +#endif + if (bDebug || UseDiagnose::get()) + { + va_list args; + fprintf(stderr, "[xmlsecurity] "); + va_start(args, pszFormat); + vfprintf(stderr, pszFormat, args); + va_end(args); + + fprintf(stderr,"\n"); + fflush(stderr); + } +} + + + +} diff --git a/xmlsecurity/source/xmlsec/diagnose.hxx b/xmlsecurity/source/xmlsec/diagnose.hxx new file mode 100644 index 000000000000..691d4e277c20 --- /dev/null +++ b/xmlsecurity/source/xmlsec/diagnose.hxx @@ -0,0 +1,43 @@ +/************************************************************************* + * + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * Copyright 2008 by Sun Microsystems, Inc. + * + * OpenOffice.org - a multi-platform office productivity suite + * + * $RCSfile: xmlstreamio.hxx,v $ + * $Revision: 1.3 $ + * + * This file is part of OpenOffice.org. + * + * OpenOffice.org is free software: you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License version 3 + * only, as published by the Free Software Foundation. + * + * OpenOffice.org is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License version 3 for more details + * (a copy is included in the LICENSE file that accompanied this code). + * + * You should have received a copy of the GNU Lesser General Public License + * version 3 along with OpenOffice.org. If not, see + * + * for a copy of the LGPLv3 License. + * + ************************************************************************/ + +#ifndef XMLSECURITY_DIAGNOSE_HXX +#define XMLSECURITY_DIAGNOSE_HXX + + +namespace xmlsecurity +{ + + void xmlsec_trace(const char* pszFormat, ...); +} + + + +#endif //XMLSECURITY_DIAGNOSE_HXX -- cgit v1.2.3 From 596cda938fb457e0c4ed764b99341cab06700c32 Mon Sep 17 00:00:00 2001 From: Joachim Lingner Date: Tue, 10 Nov 2009 10:26:42 +0100 Subject: jl137: #i103420# changed comment --- xmlsecurity/source/xmlsec/diagnose.cxx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xmlsecurity/source/xmlsec/diagnose.cxx b/xmlsecurity/source/xmlsec/diagnose.cxx index dc24d21e2752..1f17b12650b2 100644 --- a/xmlsecurity/source/xmlsec/diagnose.cxx +++ b/xmlsecurity/source/xmlsec/diagnose.cxx @@ -50,7 +50,7 @@ struct UseDiagnose : public rtl::StaticWithInit< /* the function will print the string when - build with debug - - the bootstrap variable XMLSECURITY_DIAGNOSE is set. + - the bootstrap variable XMLSECURITY_TRACE is set. */ void xmlsec_trace(const char* pszFormat, ...) { -- cgit v1.2.3 From cb83dca227b5f2738ef20f66989e5d6708901117 Mon Sep 17 00:00:00 2001 From: Joachim Lingner Date: Fri, 13 Nov 2009 13:51:33 +0100 Subject: jl137: #i103420# fixed windows certificate verfification regarding revocation --- xmlsecurity/source/dialogs/certificateviewer.cxx | 21 +- .../source/dialogs/digitalsignaturesdialog.cxx | 10 +- .../mscrypt/securityenvironment_mscryptimpl.cxx | 250 ++++++++++++--------- 3 files changed, 142 insertions(+), 139 deletions(-) diff --git a/xmlsecurity/source/dialogs/certificateviewer.cxx b/xmlsecurity/source/dialogs/certificateviewer.cxx index 7f04872f7a63..4efd22aadc32 100644 --- a/xmlsecurity/source/dialogs/certificateviewer.cxx +++ b/xmlsecurity/source/dialogs/certificateviewer.cxx @@ -128,16 +128,8 @@ CertificateViewerGeneralTP::CertificateViewerGeneralTP( Window* _pParent, Certif //Verify the certificate sal_Int32 certStatus = mpDlg->mxSecurityEnvironment->verifyCertificate(mpDlg->mxCert, Sequence >()); - //We currently have two status - //These errors are alloweds - sal_Int32 validCertErrors = css::security::CertificateValidity::VALID - | css::security::CertificateValidity::UNKNOWN_REVOKATION; - //Build a mask to filter out the allowed errors - sal_Int32 mask = ~validCertErrors; - // "subtract" the allowed error flags from the result - sal_Int32 certErrors = certStatus & mask; - bool bCertValid = certErrors > 0 ? false : true; + bool bCertValid = certStatus == css::security::CertificateValidity::VALID ? true : false; bool bIsDark = ( GetSettings().GetStyleSettings().GetWindowColor().IsDark() != FALSE ); if ( !bCertValid ) @@ -488,16 +480,7 @@ void CertificateViewerCertPathTP::ActivatePage() //Verify the certificate sal_Int32 certStatus = mpDlg->mxSecurityEnvironment->verifyCertificate(rCert, Sequence >()); - //We currently have two status - //These errors are alloweds - sal_Int32 validCertErrors = css::security::CertificateValidity::VALID - | css::security::CertificateValidity::UNKNOWN_REVOKATION; - - //Build a mask to filter out the allowed errors - sal_Int32 mask = ~validCertErrors; - // "subtract" the allowed error flags from the result - sal_Int32 certErrors = certStatus & mask; - bool bCertValid = certErrors > 0 ? false : true; + bool bCertValid = certStatus == css::security::CertificateValidity::VALID ? true : false; pParent = InsertCert( pParent, sName, rCert, bCertValid); } diff --git a/xmlsecurity/source/dialogs/digitalsignaturesdialog.cxx b/xmlsecurity/source/dialogs/digitalsignaturesdialog.cxx index cf07edb7023e..eb89b3a82f11 100644 --- a/xmlsecurity/source/dialogs/digitalsignaturesdialog.cxx +++ b/xmlsecurity/source/dialogs/digitalsignaturesdialog.cxx @@ -638,15 +638,7 @@ void DigitalSignaturesDialog::ImplFillSignaturesBox() sal_Int32 certResult = xSecEnv->verifyCertificate(xCert, Sequence >()); - //These errors are alloweds - sal_Int32 validErrors = css::security::CertificateValidity::VALID - | css::security::CertificateValidity::UNKNOWN_REVOKATION; - - //Build a mask to filter out the allowed errors - sal_Int32 mask = ~validErrors; - // "subtract" the allowed error flags from the result - sal_Int32 errors = certResult & mask; - bCertValid = errors > 0 ? false : true; + bCertValid = certResult == css::security::CertificateValidity::VALID ? true : false; if ( bCertValid ) nValidCerts++; diff --git a/xmlsecurity/source/xmlsec/mscrypt/securityenvironment_mscryptimpl.cxx b/xmlsecurity/source/xmlsec/mscrypt/securityenvironment_mscryptimpl.cxx index 1b35d2b968bc..5cbbc421f01d 100644 --- a/xmlsecurity/source/xmlsec/mscrypt/securityenvironment_mscryptimpl.cxx +++ b/xmlsecurity/source/xmlsec/mscrypt/securityenvironment_mscryptimpl.cxx @@ -40,6 +40,7 @@ #pragma warning(pop) #endif #include +#include #include "securityenvironment_mscryptimpl.hxx" #ifndef _X509CERTIFICATE_NSSIMPL_HXX_ @@ -63,7 +64,9 @@ #include //CP : end +#include "../diagnose.hxx" +using namespace xmlsecurity; using namespace ::com::sun::star::uno ; using namespace ::com::sun::star::lang ; using ::com::sun::star::lang::XMultiServiceFactory ; @@ -72,9 +75,58 @@ using ::rtl::OUString ; using ::com::sun::star::xml::crypto::XSecurityEnvironment ; using ::com::sun::star::security::XCertificate ; +namespace css = ::com::sun::star; extern X509Certificate_MSCryptImpl* MswcryCertContextToXCert( PCCERT_CONTEXT cert ) ; +struct CertErrorToString{ + DWORD error; + char * name; +}; + +CertErrorToString arErrStrings[] = +{ + { 0x00000000, "CERT_TRUST_NO_ERROR"}, + { 0x00000001, "CERT_TRUST_IS_NOT_TIME_VALID"}, + { 0x00000002, "CERT_TRUST_IS_NOT_TIME_NESTED"}, + { 0x00000004, "CERT_TRUST_IS_REVOKED" }, + { 0x00000008, "CERT_TRUST_IS_NOT_SIGNATURE_VALID" }, + { 0x00000010, "CERT_TRUST_IS_NOT_SIGNATURE_VALID"}, + { 0x00000020, "CERT_TRUST_IS_UNTRUSTED_ROOT"}, + { 0x00000040, "CERT_TRUST_REVOCATION_STATUS_UNKNOWN"}, + { 0x00000080, "CERT_TRUST_IS_CYCLIC"}, + { 0x00000100, "CERT_TRUST_INVALID_EXTENSION"}, + { 0x00000200, "CERT_TRUST_INVALID_POLICY_CONSTRAINTS"}, + { 0x00000400, "CERT_TRUST_INVALID_BASIC_CONSTRAINTS"}, + { 0x00000800, "CERT_TRUST_INVALID_NAME_CONSTRAINTS"}, + { 0x00001000, "CERT_TRUST_HAS_NOT_SUPPORTED_NAME_CONSTRAINT"}, + { 0x00002000, "CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT"}, + { 0x00004000, "CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT"}, + { 0x00008000, "CERT_TRUST_HAS_EXCLUDED_NAME_CONSTRAINT"}, + { 0x01000000, "CERT_TRUST_IS_OFFLINE_REVOCATION"}, + { 0x02000000, "CERT_TRUST_NO_ISSUANCE_CHAIN_POLICY"}, + { 0x04000000, "CERT_TRUST_IS_EXPLICIT_DISTRUST"}, + { 0x08000000, "CERT_TRUST_HAS_NOT_SUPPORTED_CRITICAL_EXT"}, + //Chain errors + { 0x00010000, "CERT_TRUST_IS_PARTIAL_CHAIN"}, + { 0x00020000, "CERT_TRUST_CTL_IS_NOT_TIME_VALID"}, + { 0x00040000, "CERT_TRUST_CTL_IS_NOT_SIGNATURE_VALID"}, + { 0x00080000, "CERT_TRUST_CTL_IS_NOT_VALID_FOR_USAGE"} +}; + +void traceTrustStatus(DWORD err) +{ + int numErrors = sizeof(arErrStrings) / sizeof(CertErrorToString); + xmlsec_trace("The certificate error status is: "); + if (err == 0) + xmlsec_trace("%s", arErrStrings[0].name); + for (int i = 1; i < numErrors; i++) + { + if (arErrStrings[i].error & err) + xmlsec_trace("%s", arErrStrings[i].name); + } +} + SecurityEnvironment_MSCryptImpl :: SecurityEnvironment_MSCryptImpl( const Reference< XMultiServiceFactory >& aFactory ) : m_hProv( NULL ) , m_pszContainer( NULL ) , m_hKeyStore( NULL ), m_hCertStore( NULL ), m_tSymKeyList() , m_tPubKeyList() , m_tPriKeyList(), m_xServiceManager( aFactory ), m_bEnableDefault( sal_False ) { } @@ -894,6 +946,11 @@ HCERTSTORE getCertStoreForIntermediatCerts( for (int i = 0; i < seqCerts.getLength(); i++) { + xmlsec_trace("Added temporary certificate: \n%s", + OUStringToOString(seqCerts[i]->getSubjectName(), + osl_getThreadTextEncoding()).getStr()); + + Sequence data = seqCerts[i]->getEncoded(); PCCERT_CONTEXT cert = CertCreateCertificateContext( X509_ASN_ENCODING, ( const BYTE* )&data[0], data.getLength()); @@ -904,6 +961,11 @@ HCERTSTORE getCertStoreForIntermediatCerts( } return store; } + +//We return only valid or invalid, as long as the API documentation expresses +//explicitly that all validation steps are carried out even if one or several +//errors occur. See also +//http://wiki.services.openoffice.org/wiki/Certificate_Path_Validation#Validation_status sal_Int32 SecurityEnvironment_MSCryptImpl :: verifyCertificate( const Reference< ::com::sun::star::security::XCertificate >& aCert, const Sequence< Reference< ::com::sun::star::security::XCertificate > >& seqCerts) @@ -913,17 +975,16 @@ sal_Int32 SecurityEnvironment_MSCryptImpl :: verifyCertificate( PCCERT_CHAIN_CONTEXT pChainContext = NULL; PCCERT_CONTEXT pCertContext = NULL; const X509Certificate_MSCryptImpl* xcert = NULL; - DWORD chainStatus ; - - CERT_ENHKEY_USAGE enhKeyUsage ; - CERT_USAGE_MATCH certUsage ; - CERT_CHAIN_PARA chainPara ; Reference< XUnoTunnel > xCertTunnel( aCert, UNO_QUERY ) ; if( !xCertTunnel.is() ) { throw RuntimeException() ; } + xmlsec_trace("Start verification of certificate: \n %s", + OUStringToOString( + aCert->getSubjectName(), osl_getThreadTextEncoding()).getStr()); + xcert = ( X509Certificate_MSCryptImpl* )xCertTunnel->getSomething( X509Certificate_MSCryptImpl::getUnoTunnelId() ) ; if( xcert == NULL ) { throw RuntimeException() ; @@ -931,6 +992,11 @@ sal_Int32 SecurityEnvironment_MSCryptImpl :: verifyCertificate( pCertContext = xcert->getMswcryCert() ; + CERT_ENHKEY_USAGE enhKeyUsage ; + CERT_USAGE_MATCH certUsage ; + CERT_CHAIN_PARA chainPara ; + SecureZeroMemory(&chainPara, sizeof(CERT_CHAIN_PARA)); + //Prepare parameter for CertGetCertificateChain enhKeyUsage.cUsageIdentifier = 0 ; enhKeyUsage.rgpszUsageIdentifier = NULL ; @@ -978,130 +1044,92 @@ sal_Int32 SecurityEnvironment_MSCryptImpl :: verifyCertificate( } //CertGetCertificateChain searches by default in MY, CA, ROOT and TRUST + //We do not check revocation of the root. In most cases there are none. + //Then we would get CERT_TRUST_REVOCATION_STATUS_UNKNOWN + xmlsec_trace("Verifying cert using revocation information."); bChain = CertGetCertificateChain( NULL , pCertContext , NULL , //use current system time hCollectionStore, &chainPara , - CERT_CHAIN_REVOCATION_CHECK_CHAIN | CERT_CHAIN_TIMESTAMP_TIME , + CERT_CHAIN_REVOCATION_CHECK_CHAIN | CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT, NULL , &pChainContext); - if (!bChain) - pChainContext = NULL; - - } - - if(bChain && pChainContext != NULL ) - { - chainStatus = pChainContext->TrustStatus.dwErrorStatus ; - - // JL & TKR: Until we have a test suite to test all error types we just say that the cert is - // valid or invalid with no further separation. - // Error CERT_TRUST_IS_OFFLINE_REVOCATION and CERT_TRUST_REVOCATION_STATUS_UNKNOWN are treated separate - // because they are ignored ( Bad! ) in the currently situation - - if( chainStatus == CERT_TRUST_NO_ERROR ) + if (bChain && pChainContext->cChain > 0) { - validity = ::com::sun::star::security::CertificateValidity::VALID ; - } - - if ( ( chainStatus & CERT_TRUST_IS_OFFLINE_REVOCATION ) == CERT_TRUST_IS_OFFLINE_REVOCATION ) { - validity |= ::com::sun::star::security::CertificateValidity::UNKNOWN_REVOKATION ; - } - - if ( ( chainStatus & CERT_TRUST_REVOCATION_STATUS_UNKNOWN ) == CERT_TRUST_REVOCATION_STATUS_UNKNOWN ) { - validity |= ::com::sun::star::security::CertificateValidity::UNKNOWN_REVOKATION ; - } + xmlsec_trace("Overall error status (all chains):"); + traceTrustStatus(pChainContext->TrustStatus.dwErrorStatus); + //highest quality chains come first + PCERT_SIMPLE_CHAIN pSimpleChain = pChainContext->rgpChain[0]; + xmlsec_trace("Error status of first chain: "); + traceTrustStatus(pSimpleChain->TrustStatus.dwErrorStatus); + + //CERT_TRUST_REVOCATION_STATUS_UNKNOWN is also set if a certificate + //has no AIA(OCSP) or CRLDP extension and there is no CRL locally installed. + DWORD revocationFlags = CERT_TRUST_REVOCATION_STATUS_UNKNOWN | + CERT_TRUST_IS_OFFLINE_REVOCATION; + DWORD otherErrorsMask = ~revocationFlags; + if( !(pSimpleChain->TrustStatus.dwErrorStatus & otherErrorsMask)) - if (chainStatus & CERT_TRUST_IS_NOT_VALID_FOR_USAGE - || chainStatus & CERT_TRUST_IS_CYCLIC - || chainStatus & CERT_TRUST_INVALID_POLICY_CONSTRAINTS - || chainStatus & CERT_TRUST_INVALID_BASIC_CONSTRAINTS - || chainStatus & CERT_TRUST_INVALID_NAME_CONSTRAINTS - || chainStatus & CERT_TRUST_HAS_NOT_SUPPORTED_NAME_CONSTRAINT - || chainStatus & CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT - || chainStatus & CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT - || chainStatus & CERT_TRUST_HAS_EXCLUDED_NAME_CONSTRAINT - || chainStatus & CERT_TRUST_NO_ISSUANCE_CHAIN_POLICY - || chainStatus & CERT_TRUST_CTL_IS_NOT_TIME_VALID - || chainStatus & CERT_TRUST_CTL_IS_NOT_SIGNATURE_VALID - || chainStatus & CERT_TRUST_CTL_IS_NOT_VALID_FOR_USAGE - || chainStatus & CERT_TRUST_IS_NOT_TIME_VALID - || chainStatus & CERT_TRUST_IS_NOT_TIME_NESTED - || chainStatus & CERT_TRUST_IS_REVOKED - || chainStatus & CERT_TRUST_IS_NOT_SIGNATURE_VALID - || chainStatus & CERT_TRUST_IS_UNTRUSTED_ROOT - || chainStatus & CERT_TRUST_INVALID_EXTENSION - || chainStatus & CERT_TRUST_IS_PARTIAL_CHAIN ) - { - validity = ::com::sun::star::security::CertificateValidity::INVALID; - } -/* - - if( ( chainStatus & CERT_TRUST_IS_NOT_TIME_VALID ) == CERT_TRUST_IS_NOT_TIME_VALID ) { - validity |= ::com::sun::star::security::CertificateValidity::TIME_INVALID ; - } - - if( ( chainStatus & CERT_TRUST_IS_NOT_TIME_NESTED ) == CERT_TRUST_IS_NOT_TIME_NESTED ) { - validity |= ::com::sun::star::security::CertificateValidity::NOT_TIME_NESTED; - } - - if( ( chainStatus & CERT_TRUST_IS_REVOKED ) == CERT_TRUST_IS_REVOKED ) { - validity |= ::com::sun::star::security::CertificateValidity::REVOKED ; - } - - //JL My interpretation is that CERT_TRUST_IS_OFFLINE_REVOCATION does not mean that the certificate was revoked. - //Instead the CRL cannot be retrieved from the net, or an available CRL is stale (too old). - //This error may also occurs if the certificate does not contain the CDP (Certificate Distribution Point)extension - if( ( chainStatus & CERT_TRUST_IS_OFFLINE_REVOCATION ) == CERT_TRUST_IS_OFFLINE_REVOCATION ) { - validity |= ::com::sun::star::security::CertificateValidity::UNKNOWN_REVOKATION ; - } - - if( ( chainStatus & CERT_TRUST_IS_NOT_SIGNATURE_VALID ) == CERT_TRUST_IS_NOT_SIGNATURE_VALID ) { - validity |= ::com::sun::star::security::CertificateValidity::SIGNATURE_INVALID ; - } - - if( ( chainStatus & CERT_TRUST_IS_UNTRUSTED_ROOT ) == CERT_TRUST_IS_UNTRUSTED_ROOT ) { - validity |= ::com::sun::star::security::CertificateValidity::ROOT_UNTRUSTED ; - } - - if( ( chainStatus & CERT_TRUST_REVOCATION_STATUS_UNKNOWN ) == CERT_TRUST_REVOCATION_STATUS_UNKNOWN ) { - validity |= ::com::sun::star::security::CertificateValidity::UNKNOWN_REVOKATION ; - } - - if( ( chainStatus & CERT_TRUST_INVALID_EXTENSION ) == CERT_TRUST_INVALID_EXTENSION ) { - validity |= ::com::sun::star::security::CertificateValidity::EXTENSION_INVALID ; - } - - if( ( chainStatus & CERT_TRUST_IS_PARTIAL_CHAIN ) == CERT_TRUST_IS_PARTIAL_CHAIN ) { - validity |= ::com::sun::star::security::CertificateValidity::CHAIN_INCOMPLETE ; + { + //No errors except maybe those caused by missing revocation information + //Check if there are errors + if ( pSimpleChain->TrustStatus.dwErrorStatus & revocationFlags) + { + //No revocation information. Because MSDN documentation is not + //clear about if all other tests are performed if an error occurrs, + //we test again, without requiring revocation checking. + CertFreeCertificateChain(pChainContext); + pChainContext = NULL; + xmlsec_trace("Checking again but without requiring revocation information."); + bChain = CertGetCertificateChain( + NULL , + pCertContext , + NULL , //use current system time + hCollectionStore, + &chainPara , + 0, + NULL , + &pChainContext); + if (bChain + && pChainContext->cChain > 0 + && pChainContext->rgpChain[0]->TrustStatus.dwErrorStatus == CERT_TRUST_NO_ERROR) + { + xmlsec_trace("Certificate is valid.\n"); + validity = ::com::sun::star::security::CertificateValidity::VALID; + } + else + { + xmlsec_trace("Certificate is invalid.\n"); + } + } + else + { + //valid and revocation information available + xmlsec_trace("Certificate is valid.\n"); + validity = ::com::sun::star::security::CertificateValidity::VALID; + } + } + else + { + //invalid + xmlsec_trace("Certificate is invalid.\n"); + validity = ::com::sun::star::security::CertificateValidity::INVALID ; + } } - //todo - if (chainStatus & CERT_TRUST_IS_NOT_VALID_FOR_USAGE - || chainStatus & CERT_TRUST_IS_CYCLIC - || chainStatus & CERT_TRUST_INVALID_POLICY_CONSTRAINTS - || chainStatus & CERT_TRUST_INVALID_BASIC_CONSTRAINTS - || chainStatus & CERT_TRUST_INVALID_NAME_CONSTRAINTS - || chainStatus & CERT_TRUST_HAS_NOT_SUPPORTED_NAME_CONSTRAINT - || chainStatus & CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT - || chainStatus & CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT - || chainStatus & CERT_TRUST_HAS_EXCLUDED_NAME_CONSTRAINT - || chainStatus & CERT_TRUST_NO_ISSUANCE_CHAIN_POLICY - || chainStatus & CERT_TRUST_CTL_IS_NOT_TIME_VALID - || chainStatus & CERT_TRUST_CTL_IS_NOT_SIGNATURE_VALID - || chainStatus & CERT_TRUST_CTL_IS_NOT_VALID_FOR_USAGE) + else { - validity = ::com::sun::star::security::CertificateValidity::INVALID; + xmlsec_trace("CertGetCertificateChaine failed.\n"); } -*/ - } else { - validity = ::com::sun::star::security::CertificateValidity::INVALID ; } if (pChainContext) + { CertFreeCertificateChain(pChainContext); + pChainContext = NULL; + } //Close the additional store, do not destroy the contained certs CertCloseStore(hCollectionStore, CERT_CLOSE_STORE_CHECK_FLAG); -- cgit v1.2.3 From 0896dd6ff00761933796beea59187f3d1211becc Mon Sep 17 00:00:00 2001 From: Joachim Lingner Date: Mon, 23 Nov 2009 17:10:39 +0100 Subject: jl137: #i107145# improve NSS initialization without profile --- .../source/xmlsec/nss/seinitializer_nssimpl.cxx | 82 +++++++++------------- 1 file changed, 35 insertions(+), 47 deletions(-) diff --git a/xmlsecurity/source/xmlsec/nss/seinitializer_nssimpl.cxx b/xmlsecurity/source/xmlsec/nss/seinitializer_nssimpl.cxx index f858a5a31421..aa0f29b62e3d 100644 --- a/xmlsecurity/source/xmlsec/nss/seinitializer_nssimpl.cxx +++ b/xmlsecurity/source/xmlsec/nss/seinitializer_nssimpl.cxx @@ -203,14 +203,32 @@ bool nsscrypto_initialize( const char* token, bool & out_nss_init ) PR_Init( PR_USER_THREAD, PR_PRIORITY_NORMAL, 1 ) ; - if( NSS_InitReadWrite( token ) != SECSuccess ) + //token may be an empty string + if (token != NULL && strlen(token) > 0) { - char * error = NULL; + if( NSS_InitReadWrite( token ) != SECSuccess ) + { + xmlsec_trace("Initializing NSS with profile failed."); + char * error = NULL; - PR_GetErrorText(error); - if (error) - printf("%s",error); - return false ; + PR_GetErrorText(error); + if (error) + xmlsec_trace("%s",error); + return false ; + } + } + else + { + xmlsec_trace("Initializing NSS without profile."); + if ( NSS_NoDB_Init(NULL) != SECSuccess ) + { + xmlsec_trace("Initializing NSS without profile failed."); + char * error = NULL; + PR_GetErrorText(error); + if (error) + xmlsec_trace("%s",error); + return false ; + } } out_nss_init = true; @@ -317,17 +335,16 @@ bool getMozillaCurrentProfile( /* * first, try to get the profile from "MOZILLA_CERTIFICATE_FOLDER" */ - char * env = getenv("MOZILLA_CERTIFICATE_FOLDER"); - if (env) - { - profilePath = rtl::OUString::createFromAscii( env ); - RTL_LOGFILE_PRODUCT_TRACE1( "XMLSEC: Using env MOZILLA_CERTIFICATE_FOLDER: %s", rtl::OUStringToOString( profilePath, RTL_TEXTENCODING_ASCII_US ).getStr() ); - return true; - } - else - { - RTL_LOGFILE_TRACE( "getMozillaCurrentProfile: Using MozillaBootstrap..." ); - mozilla::MozillaProductType productTypes[4] = { + char * env = getenv("MOZILLA_CERTIFICATE_FOLDER"); + if (env) + { + profilePath = rtl::OUString::createFromAscii( env ); + RTL_LOGFILE_PRODUCT_TRACE1( "XMLSEC: Using env MOZILLA_CERTIFICATE_FOLDER: %s", rtl::OUStringToOString( profilePath, RTL_TEXTENCODING_ASCII_US ).getStr() ); + return true; + } + else + { + mozilla::MozillaProductType productTypes[4] = { mozilla::MozillaProductType_Thunderbird, mozilla::MozillaProductType_Mozilla, mozilla::MozillaProductType_Firefox, @@ -348,8 +365,6 @@ bool getMozillaCurrentProfile( { ::rtl::OUString profile = xMozillaBootstrap->getDefaultProfile(productTypes[i]); - RTL_LOGFILE_TRACE2( "getMozillaCurrentProfile: getDefaultProfile [%i] returns %s", i, rtl::OUStringToOString( profile, RTL_TEXTENCODING_ASCII_US ).getStr() ); - if (profile != NULL && profile.getLength()>0) { profilePath = xMozillaBootstrap->getProfilePath(productTypes[i],profile); @@ -406,36 +421,9 @@ cssu::Reference< cssxc::XXMLSecurityContext > SAL_CALL } - if( !sCertDir.getLength() ) - { - RTL_LOGFILE_TRACE( "XMLSEC: Error - No certificate directory!" ); - // return NULL; - } - - - /* Initialize NSPR and NSS */ - /* Replaced with new methods by AF. ---- - //PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1 ) ; - PR_Init( PR_USER_THREAD, PR_PRIORITY_NORMAL, 1 ) ; - - if (NSS_Init(sCertDir.getStr()) != SECSuccess ) - { - PK11_LogoutAll(); - return NULL; - } - ----*/ if( ! *initNSS( sCertDir.getStr() ) ) { - RTL_LOGFILE_TRACE( "XMLSEC: Error - nsscrypto_initialize() failed." ); - if ( NSS_NoDB_Init(NULL) != SECSuccess ) - { - RTL_LOGFILE_TRACE( "XMLSEC: NSS_NoDB_Init also failed, NSS Security not available!" ); - return NULL; - } - else - { - RTL_LOGFILE_TRACE( "XMLSEC: NSS_NoDB_Init works, enough for verifying signatures..." ); - } + return NULL; } pCertHandle = CERT_GetDefaultCertDB() ; -- cgit v1.2.3 From 14ba823d19427730dfcaaf6a55d9e2cbd4ef0502 Mon Sep 17 00:00:00 2001 From: Joachim Lingner Date: Fri, 27 Nov 2009 08:41:27 +0100 Subject: jl137: #103420# xmlsecurity needs latest NSS otherwise not building --- xmlsecurity/source/xmlsec/makefile.mk | 4 +++- xmlsecurity/source/xmlsec/mscrypt/makefile.mk | 4 +++- xmlsecurity/source/xmlsec/nss/makefile.mk | 4 +++- 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/xmlsecurity/source/xmlsec/makefile.mk b/xmlsecurity/source/xmlsec/makefile.mk index 0479c24e8c91..4d78ea9882b3 100644 --- a/xmlsecurity/source/xmlsec/makefile.mk +++ b/xmlsecurity/source/xmlsec/makefile.mk @@ -45,10 +45,12 @@ ENABLE_EXCEPTIONS = TRUE CFLAGS+=-DSYSTEM_LIBXML $(LIBXML_CFLAGS) .ENDIF -.IF "$(WITH_MOZILLA)" == "NO" +.IF "$(WITH_MOZILLA)" == "NO" || "$(ENABLE_NSS_MODULE)"!="YES" +.IF "$(SYSTEM_MOZILLA)" != "YES" @all: @echo "No mozilla -> no nss -> no libxmlsec -> no xmlsecurity.." .ENDIF +.ENDIF .IF "$(CRYPTO_ENGINE)" == "mscrypto" CDEFS += -DXMLSEC_CRYPTO_MSCRYPTO -DXMLSEC_NO_XSLT diff --git a/xmlsecurity/source/xmlsec/mscrypt/makefile.mk b/xmlsecurity/source/xmlsec/mscrypt/makefile.mk index 100ade634e13..50d20b8b7716 100644 --- a/xmlsecurity/source/xmlsec/mscrypt/makefile.mk +++ b/xmlsecurity/source/xmlsec/mscrypt/makefile.mk @@ -47,10 +47,12 @@ LIBTARGET=NO .IF "$(CRYPTO_ENGINE)" == "mscrypto" -.IF "$(WITH_MOZILLA)" == "NO" +.IF "$(WITH_MOZILLA)" == "NO" || "$(ENABLE_NSS_MODULE)"!="YES" +.IF "$(SYSTEM_MOZILLA)" != "YES" @all: @echo "No mozilla -> no nss -> no libxmlsec -> no xmlsecurity/nss" .ENDIF +.ENDIF CDEFS += -DXMLSEC_CRYPTO_MSCRYPTO -DXMLSEC_NO_XSLT diff --git a/xmlsecurity/source/xmlsec/nss/makefile.mk b/xmlsecurity/source/xmlsec/nss/makefile.mk index a9f3f22b93f5..b5eb9a6eb65c 100644 --- a/xmlsecurity/source/xmlsec/nss/makefile.mk +++ b/xmlsecurity/source/xmlsec/nss/makefile.mk @@ -51,10 +51,12 @@ LIBTARGET=NO .IF "$(CRYPTO_ENGINE)" == "nss" -.IF "$(WITH_MOZILLA)" == "NO" +.IF "$(WITH_MOZILLA)" == "NO" || "$(ENABLE_NSS_MODULE)"!="YES" +.IF "$(SYSTEM_MOZILLA)" != "YES" @all: @echo "No mozilla -> no nss -> no libxmlsec -> no xmlsecurity/nss" .ENDIF +.ENDIF .IF "$(SYSTEM_MOZILLA)" != "YES" MOZ_INC = $(SOLARVERSION)$/$(INPATH)$/inc$(UPDMINOREXT)$/mozilla -- cgit v1.2.3 From 8169109e434e10c5238f342f5a71dd5aaf72a9d2 Mon Sep 17 00:00:00 2001 From: Joachim Lingner Date: Fri, 27 Nov 2009 10:35:49 +0100 Subject: jl137: #103420# build error in util when ENABLE_NSS_MODULE==NO --- xmlsecurity/util/makefile.mk | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/xmlsecurity/util/makefile.mk b/xmlsecurity/util/makefile.mk index cfc012a78cd2..e976210ec69f 100644 --- a/xmlsecurity/util/makefile.mk +++ b/xmlsecurity/util/makefile.mk @@ -74,8 +74,13 @@ DEF1EXPORTFILE = xsec_fw.dxp # # The 2nd shared library # + SHL2NAME=xsec_xmlsec SHL2TARGET= $(SHL2NAME) + + +.IF "$(ENABLE_NSS_MODULE)"=="YES" || "$(SYSTEM_MOZILLA)" == "YES" + SHL2LIBS= \ $(SLB)$/xs_comm.lib @@ -87,6 +92,9 @@ SHL2LIBS += \ $(SLB)$/xs_nss.lib .ENDIF +.ENDIF + + SHL2STDLIBS += \ $(SALLIB) \ $(CPPULIB) \ -- cgit v1.2.3 From 0fac9b6505860bdacb92638f4d4d5dba6fc55795 Mon Sep 17 00:00:00 2001 From: Joachim Lingner Date: Mon, 30 Nov 2009 15:26:03 +0100 Subject: jl137: casting CERTVerfiyLog.arg, which is void* not working on Linux x86_64 --- xmlsecurity/source/xmlsec/nss/secerror.cxx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/xmlsecurity/source/xmlsec/nss/secerror.cxx b/xmlsecurity/source/xmlsec/nss/secerror.cxx index 71e108434484..4a9ee3622bc4 100644 --- a/xmlsecurity/source/xmlsec/nss/secerror.cxx +++ b/xmlsecurity/source/xmlsec/nss/secerror.cxx @@ -73,7 +73,7 @@ getCertError(PRErrorCode errNum) void printChainFailure(CERTVerifyLog *log) { - unsigned int errorFlags = 0; + unsigned long errorFlags = 0; unsigned int depth = (unsigned int)-1; const char * specificError = NULL; const char * issuer = NULL; @@ -98,7 +98,7 @@ printChainFailure(CERTVerifyLog *log) switch (node->error) { case SEC_ERROR_INADEQUATE_KEY_USAGE: - errorFlags = (unsigned int)node->arg; + errorFlags = (unsigned long)node->arg; switch (errorFlags) { case KU_DIGITAL_SIGNATURE: @@ -115,7 +115,7 @@ printChainFailure(CERTVerifyLog *log) break; } case SEC_ERROR_INADEQUATE_CERT_TYPE: - errorFlags = (unsigned int)node->arg; + errorFlags = (unsigned long)node->arg; switch (errorFlags) { case NS_CERT_TYPE_SSL_CLIENT: -- cgit v1.2.3 From fbca305db0ca6c39dfe78f7356521d2eada1c15e Mon Sep 17 00:00:00 2001 From: Joachim Lingner Date: Tue, 8 Dec 2009 12:49:19 +0100 Subject: jl137: #i103420# MinGW struggles with SecureZeroMemory. Using rtl_zeroMemory --- xmlsecurity/source/xmlsec/mscrypt/securityenvironment_mscryptimpl.cxx | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/xmlsecurity/source/xmlsec/mscrypt/securityenvironment_mscryptimpl.cxx b/xmlsecurity/source/xmlsec/mscrypt/securityenvironment_mscryptimpl.cxx index 5cbbc421f01d..2800ed7a9064 100644 --- a/xmlsecurity/source/xmlsec/mscrypt/securityenvironment_mscryptimpl.cxx +++ b/xmlsecurity/source/xmlsec/mscrypt/securityenvironment_mscryptimpl.cxx @@ -64,6 +64,8 @@ #include //CP : end +#include + #include "../diagnose.hxx" using namespace xmlsecurity; @@ -995,7 +997,7 @@ sal_Int32 SecurityEnvironment_MSCryptImpl :: verifyCertificate( CERT_ENHKEY_USAGE enhKeyUsage ; CERT_USAGE_MATCH certUsage ; CERT_CHAIN_PARA chainPara ; - SecureZeroMemory(&chainPara, sizeof(CERT_CHAIN_PARA)); + rtl_zeroMemory(&chainPara, sizeof(CERT_CHAIN_PARA)); //Prepare parameter for CertGetCertificateChain enhKeyUsage.cUsageIdentifier = 0 ; -- cgit v1.2.3