summaryrefslogtreecommitdiff
path: root/xmlsecurity
diff options
context:
space:
mode:
authorsb <sb@openoffice.org>2010-04-07 13:14:23 +0200
committersb <sb@openoffice.org>2010-04-07 13:14:23 +0200
commit55d474d85391d1eb9c9c6f04f88ed9a9f5161b13 (patch)
treef09b37fae8df408fbd154e93a7396c1517d1b802 /xmlsecurity
parentd11e7c65afe7eb24f8c696b5bd18898ae095f382 (diff)
parent1b192bd38a3695cc2965ece438d47d6f74958289 (diff)
sb118: merged in re/DEV300_next towards DEV300_m76
Diffstat (limited to 'xmlsecurity')
-rw-r--r--xmlsecurity/prj/d.lst8
-rw-r--r--xmlsecurity/source/dialogs/certificateviewer.cxx21
-rw-r--r--xmlsecurity/source/dialogs/digitalsignaturesdialog.cxx10
-rw-r--r--xmlsecurity/source/xmlsec/diagnose.cxx77
-rw-r--r--xmlsecurity/source/xmlsec/diagnose.hxx43
-rw-r--r--xmlsecurity/source/xmlsec/makefile.mk7
-rw-r--r--xmlsecurity/source/xmlsec/mscrypt/makefile.mk4
-rw-r--r--xmlsecurity/source/xmlsec/mscrypt/securityenvironment_mscryptimpl.cxx252
-rw-r--r--xmlsecurity/source/xmlsec/mscrypt/x509certificate_mscryptimpl.cxx2
-rw-r--r--xmlsecurity/source/xmlsec/nss/certerrors.h384
-rw-r--r--xmlsecurity/source/xmlsec/nss/makefile.mk8
-rw-r--r--xmlsecurity/source/xmlsec/nss/secerror.cxx165
-rw-r--r--xmlsecurity/source/xmlsec/nss/secerror.hxx40
-rw-r--r--xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx287
-rw-r--r--xmlsecurity/source/xmlsec/nss/seinitializer_nssimpl.cxx108
-rw-r--r--xmlsecurity/util/makefile.mk8
16 files changed, 1093 insertions, 331 deletions
diff --git a/xmlsecurity/prj/d.lst b/xmlsecurity/prj/d.lst
index f8e3722cc0b5..270415164c0f 100644
--- a/xmlsecurity/prj/d.lst
+++ b/xmlsecurity/prj/d.lst
@@ -3,8 +3,8 @@ mkdir: %COMMON_DEST%\bin%_EXT%\hid
..\%__SRC%\bin\xsec_fw.dll %_DEST%\bin%_EXT%\xsec_fw.dll
..\%__SRC%\bin\xsec_xmlsec.dll %_DEST%\bin%_EXT%\xsec_xmlsec.dll
..\%__SRC%\bin\xmlsecurity.dll %_DEST%\bin%_EXT%\xmlsecurity.dll
-..\%__SRC%\lib\libxsec_fw.so %_DEST%\bin%_EXT%\libxsec_fw.so
-..\%__SRC%\lib\libxsec_xmlsec.so %_DEST%\bin%_EXT%\libxsec_xmlsec.so
-..\%__SRC%\lib\libxmlsecurity.so %_DEST%\bin%_EXT%\libxmlsecurity.so
-..\%__SRC%\lib\*.dylib %_DEST%\bin%_EXT%\*
+..\%__SRC%\lib\libxsec_fw.so %_DEST%\lib%_EXT%\libxsec_fw.so
+..\%__SRC%\lib\libxsec_xmlsec.so %_DEST%\lib%_EXT%\libxsec_xmlsec.so
+..\%__SRC%\lib\libxmlsecurity.so %_DEST%\lib%_EXT%\libxmlsecurity.so
+..\%__SRC%\lib\*.dylib %_DEST%\lib%_EXT%\*
..\%__SRC%\bin\xmlsec*.res %_DEST%\bin%_EXT%\xmlsec*.res
diff --git a/xmlsecurity/source/dialogs/certificateviewer.cxx b/xmlsecurity/source/dialogs/certificateviewer.cxx
index 980bceec97c3..af2ffc4352ed 100644
--- a/xmlsecurity/source/dialogs/certificateviewer.cxx
+++ b/xmlsecurity/source/dialogs/certificateviewer.cxx
@@ -125,16 +125,8 @@ CertificateViewerGeneralTP::CertificateViewerGeneralTP( Window* _pParent, Certif
//Verify the certificate
sal_Int32 certStatus = mpDlg->mxSecurityEnvironment->verifyCertificate(mpDlg->mxCert,
Sequence<Reference<css::security::XCertificate> >());
- //We currently have two status
- //These errors are alloweds
- sal_Int32 validCertErrors = css::security::CertificateValidity::VALID
- | css::security::CertificateValidity::UNKNOWN_REVOKATION;
- //Build a mask to filter out the allowed errors
- sal_Int32 mask = ~validCertErrors;
- // "subtract" the allowed error flags from the result
- sal_Int32 certErrors = certStatus & mask;
- bool bCertValid = certErrors > 0 ? false : true;
+ bool bCertValid = certStatus == css::security::CertificateValidity::VALID ? true : false;
bool bHC = GetSettings().GetStyleSettings().GetHighContrastMode();
if ( !bCertValid )
@@ -485,16 +477,7 @@ void CertificateViewerCertPathTP::ActivatePage()
//Verify the certificate
sal_Int32 certStatus = mpDlg->mxSecurityEnvironment->verifyCertificate(rCert,
Sequence<Reference<css::security::XCertificate> >());
- //We currently have two status
- //These errors are alloweds
- sal_Int32 validCertErrors = css::security::CertificateValidity::VALID
- | css::security::CertificateValidity::UNKNOWN_REVOKATION;
-
- //Build a mask to filter out the allowed errors
- sal_Int32 mask = ~validCertErrors;
- // "subtract" the allowed error flags from the result
- sal_Int32 certErrors = certStatus & mask;
- bool bCertValid = certErrors > 0 ? false : true;
+ bool bCertValid = certStatus == css::security::CertificateValidity::VALID ? true : false;
pParent = InsertCert( pParent, sName, rCert, bCertValid);
}
diff --git a/xmlsecurity/source/dialogs/digitalsignaturesdialog.cxx b/xmlsecurity/source/dialogs/digitalsignaturesdialog.cxx
index cc62f883360c..5ea3fbb47a38 100644
--- a/xmlsecurity/source/dialogs/digitalsignaturesdialog.cxx
+++ b/xmlsecurity/source/dialogs/digitalsignaturesdialog.cxx
@@ -640,15 +640,7 @@ void DigitalSignaturesDialog::ImplFillSignaturesBox()
sal_Int32 certResult = xSecEnv->verifyCertificate(xCert,
Sequence<css::uno::Reference<css::security::XCertificate> >());
- //These errors are alloweds
- sal_Int32 validErrors = css::security::CertificateValidity::VALID
- | css::security::CertificateValidity::UNKNOWN_REVOKATION;
-
- //Build a mask to filter out the allowed errors
- sal_Int32 mask = ~validErrors;
- // "subtract" the allowed error flags from the result
- sal_Int32 errors = certResult & mask;
- bCertValid = errors > 0 ? false : true;
+ bCertValid = certResult == css::security::CertificateValidity::VALID ? true : false;
if ( bCertValid )
nValidCerts++;
diff --git a/xmlsecurity/source/xmlsec/diagnose.cxx b/xmlsecurity/source/xmlsec/diagnose.cxx
new file mode 100644
index 000000000000..1f17b12650b2
--- /dev/null
+++ b/xmlsecurity/source/xmlsec/diagnose.cxx
@@ -0,0 +1,77 @@
+/*************************************************************************
+ *
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * Copyright 2008 by Sun Microsystems, Inc.
+ *
+ * OpenOffice.org - a multi-platform office productivity suite
+ *
+ * $RCSfile: xmlstreamio.hxx,v $
+ * $Revision: 1.3 $
+ *
+ * This file is part of OpenOffice.org.
+ *
+ * OpenOffice.org is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License version 3
+ * only, as published by the Free Software Foundation.
+ *
+ * OpenOffice.org is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License version 3 for more details
+ * (a copy is included in the LICENSE file that accompanied this code).
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * version 3 along with OpenOffice.org. If not, see
+ * <http://www.openoffice.org/license.html>
+ * for a copy of the LGPLv3 License.
+ *
+ ************************************************************************/
+
+#include "diagnose.hxx"
+#include <stdio.h>
+#include <stdarg.h>
+#include "rtl/instance.hxx"
+#include "rtl/bootstrap.hxx"
+
+namespace xmlsecurity {
+
+struct UseDiagnose : public rtl::StaticWithInit<
+ const bool, UseDiagnose>
+{
+ const bool operator () ()
+ {
+ ::rtl::OUString value;
+ sal_Bool res = rtl::Bootstrap::get(
+ ::rtl::OUString(RTL_CONSTASCII_USTRINGPARAM("XMLSECURITY_TRACE")), value);
+ return res == sal_True ? true : false;
+ }
+};
+
+/* the function will print the string when
+ - build with debug
+ - the bootstrap variable XMLSECURITY_TRACE is set.
+ */
+void xmlsec_trace(const char* pszFormat, ...)
+{
+ bool bDebug = false;
+
+#if OSL_DEBUG_LEVEL > 1
+ bDebug = true;
+#endif
+ if (bDebug || UseDiagnose::get())
+ {
+ va_list args;
+ fprintf(stderr, "[xmlsecurity] ");
+ va_start(args, pszFormat);
+ vfprintf(stderr, pszFormat, args);
+ va_end(args);
+
+ fprintf(stderr,"\n");
+ fflush(stderr);
+ }
+}
+
+
+
+}
diff --git a/xmlsecurity/source/xmlsec/diagnose.hxx b/xmlsecurity/source/xmlsec/diagnose.hxx
new file mode 100644
index 000000000000..691d4e277c20
--- /dev/null
+++ b/xmlsecurity/source/xmlsec/diagnose.hxx
@@ -0,0 +1,43 @@
+/*************************************************************************
+ *
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * Copyright 2008 by Sun Microsystems, Inc.
+ *
+ * OpenOffice.org - a multi-platform office productivity suite
+ *
+ * $RCSfile: xmlstreamio.hxx,v $
+ * $Revision: 1.3 $
+ *
+ * This file is part of OpenOffice.org.
+ *
+ * OpenOffice.org is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License version 3
+ * only, as published by the Free Software Foundation.
+ *
+ * OpenOffice.org is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License version 3 for more details
+ * (a copy is included in the LICENSE file that accompanied this code).
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * version 3 along with OpenOffice.org. If not, see
+ * <http://www.openoffice.org/license.html>
+ * for a copy of the LGPLv3 License.
+ *
+ ************************************************************************/
+
+#ifndef XMLSECURITY_DIAGNOSE_HXX
+#define XMLSECURITY_DIAGNOSE_HXX
+
+
+namespace xmlsecurity
+{
+
+ void xmlsec_trace(const char* pszFormat, ...);
+}
+
+
+
+#endif //XMLSECURITY_DIAGNOSE_HXX
diff --git a/xmlsecurity/source/xmlsec/makefile.mk b/xmlsecurity/source/xmlsec/makefile.mk
index 1127419e12c8..44b668b84765 100644
--- a/xmlsecurity/source/xmlsec/makefile.mk
+++ b/xmlsecurity/source/xmlsec/makefile.mk
@@ -41,10 +41,12 @@ ENABLE_EXCEPTIONS = TRUE
CFLAGS+=-DSYSTEM_LIBXML $(LIBXML_CFLAGS)
.ENDIF
-.IF "$(WITH_MOZILLA)" == "NO"
+.IF "$(WITH_MOZILLA)" == "NO" || "$(ENABLE_NSS_MODULE)"!="YES"
+.IF "$(SYSTEM_MOZILLA)" != "YES"
@all:
@echo "No mozilla -> no nss -> no libxmlsec -> no xmlsecurity.."
.ENDIF
+.ENDIF
.IF "$(CRYPTO_ENGINE)" == "mscrypto"
CDEFS += -DXMLSEC_CRYPTO_MSCRYPTO -DXMLSEC_NO_XSLT
@@ -62,7 +64,8 @@ SLOFILES = \
$(SLO)$/certificateextension_xmlsecimpl.obj \
$(SLO)$/xmlstreamio.obj \
$(SLO)$/errorcallback.obj \
- $(SLO)$/xsec_xmlsec.obj
+ $(SLO)$/xsec_xmlsec.obj \
+ $(SLO)$/diagnose.obj
# --- Targets ------------------------------------------------------
diff --git a/xmlsecurity/source/xmlsec/mscrypt/makefile.mk b/xmlsecurity/source/xmlsec/mscrypt/makefile.mk
index fd02aa7767fa..20153edf18e6 100644
--- a/xmlsecurity/source/xmlsec/mscrypt/makefile.mk
+++ b/xmlsecurity/source/xmlsec/mscrypt/makefile.mk
@@ -43,10 +43,12 @@ LIBTARGET=NO
.IF "$(CRYPTO_ENGINE)" == "mscrypto"
-.IF "$(WITH_MOZILLA)" == "NO"
+.IF "$(WITH_MOZILLA)" == "NO" || "$(ENABLE_NSS_MODULE)"!="YES"
+.IF "$(SYSTEM_MOZILLA)" != "YES"
@all:
@echo "No mozilla -> no nss -> no libxmlsec -> no xmlsecurity/nss"
.ENDIF
+.ENDIF
CDEFS += -DXMLSEC_CRYPTO_MSCRYPTO -DXMLSEC_NO_XSLT
diff --git a/xmlsecurity/source/xmlsec/mscrypt/securityenvironment_mscryptimpl.cxx b/xmlsecurity/source/xmlsec/mscrypt/securityenvironment_mscryptimpl.cxx
index e84de0698016..71ff13fb3f82 100644
--- a/xmlsecurity/source/xmlsec/mscrypt/securityenvironment_mscryptimpl.cxx
+++ b/xmlsecurity/source/xmlsec/mscrypt/securityenvironment_mscryptimpl.cxx
@@ -37,6 +37,7 @@
#pragma warning(pop)
#endif
#include <sal/config.h>
+#include <osl/thread.h>
#include "securityenvironment_mscryptimpl.hxx"
#ifndef _X509CERTIFICATE_NSSIMPL_HXX_
@@ -60,7 +61,11 @@
#include <osl/process.h>
//CP : end
+#include <rtl/memory.h>
+#include "../diagnose.hxx"
+
+using namespace xmlsecurity;
using namespace ::com::sun::star::uno ;
using namespace ::com::sun::star::lang ;
using ::com::sun::star::lang::XMultiServiceFactory ;
@@ -69,9 +74,58 @@ using ::rtl::OUString ;
using ::com::sun::star::xml::crypto::XSecurityEnvironment ;
using ::com::sun::star::security::XCertificate ;
+namespace css = ::com::sun::star;
extern X509Certificate_MSCryptImpl* MswcryCertContextToXCert( PCCERT_CONTEXT cert ) ;
+struct CertErrorToString{
+ DWORD error;
+ char * name;
+};
+
+CertErrorToString arErrStrings[] =
+{
+ { 0x00000000, "CERT_TRUST_NO_ERROR"},
+ { 0x00000001, "CERT_TRUST_IS_NOT_TIME_VALID"},
+ { 0x00000002, "CERT_TRUST_IS_NOT_TIME_NESTED"},
+ { 0x00000004, "CERT_TRUST_IS_REVOKED" },
+ { 0x00000008, "CERT_TRUST_IS_NOT_SIGNATURE_VALID" },
+ { 0x00000010, "CERT_TRUST_IS_NOT_SIGNATURE_VALID"},
+ { 0x00000020, "CERT_TRUST_IS_UNTRUSTED_ROOT"},
+ { 0x00000040, "CERT_TRUST_REVOCATION_STATUS_UNKNOWN"},
+ { 0x00000080, "CERT_TRUST_IS_CYCLIC"},
+ { 0x00000100, "CERT_TRUST_INVALID_EXTENSION"},
+ { 0x00000200, "CERT_TRUST_INVALID_POLICY_CONSTRAINTS"},
+ { 0x00000400, "CERT_TRUST_INVALID_BASIC_CONSTRAINTS"},
+ { 0x00000800, "CERT_TRUST_INVALID_NAME_CONSTRAINTS"},
+ { 0x00001000, "CERT_TRUST_HAS_NOT_SUPPORTED_NAME_CONSTRAINT"},
+ { 0x00002000, "CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT"},
+ { 0x00004000, "CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT"},
+ { 0x00008000, "CERT_TRUST_HAS_EXCLUDED_NAME_CONSTRAINT"},
+ { 0x01000000, "CERT_TRUST_IS_OFFLINE_REVOCATION"},
+ { 0x02000000, "CERT_TRUST_NO_ISSUANCE_CHAIN_POLICY"},
+ { 0x04000000, "CERT_TRUST_IS_EXPLICIT_DISTRUST"},
+ { 0x08000000, "CERT_TRUST_HAS_NOT_SUPPORTED_CRITICAL_EXT"},
+ //Chain errors
+ { 0x00010000, "CERT_TRUST_IS_PARTIAL_CHAIN"},
+ { 0x00020000, "CERT_TRUST_CTL_IS_NOT_TIME_VALID"},
+ { 0x00040000, "CERT_TRUST_CTL_IS_NOT_SIGNATURE_VALID"},
+ { 0x00080000, "CERT_TRUST_CTL_IS_NOT_VALID_FOR_USAGE"}
+};
+
+void traceTrustStatus(DWORD err)
+{
+ int numErrors = sizeof(arErrStrings) / sizeof(CertErrorToString);
+ xmlsec_trace("The certificate error status is: ");
+ if (err == 0)
+ xmlsec_trace("%s", arErrStrings[0].name);
+ for (int i = 1; i < numErrors; i++)
+ {
+ if (arErrStrings[i].error & err)
+ xmlsec_trace("%s", arErrStrings[i].name);
+ }
+}
+
SecurityEnvironment_MSCryptImpl :: SecurityEnvironment_MSCryptImpl( const Reference< XMultiServiceFactory >& aFactory ) : m_hProv( NULL ) , m_pszContainer( NULL ) , m_hKeyStore( NULL ), m_hCertStore( NULL ), m_tSymKeyList() , m_tPubKeyList() , m_tPriKeyList(), m_xServiceManager( aFactory ), m_bEnableDefault( sal_False ) {
}
@@ -891,6 +945,11 @@ HCERTSTORE getCertStoreForIntermediatCerts(
for (int i = 0; i < seqCerts.getLength(); i++)
{
+ xmlsec_trace("Added temporary certificate: \n%s",
+ OUStringToOString(seqCerts[i]->getSubjectName(),
+ osl_getThreadTextEncoding()).getStr());
+
+
Sequence<sal_Int8> data = seqCerts[i]->getEncoded();
PCCERT_CONTEXT cert = CertCreateCertificateContext(
X509_ASN_ENCODING, ( const BYTE* )&data[0], data.getLength());
@@ -901,6 +960,11 @@ HCERTSTORE getCertStoreForIntermediatCerts(
}
return store;
}
+
+//We return only valid or invalid, as long as the API documentation expresses
+//explicitly that all validation steps are carried out even if one or several
+//errors occur. See also
+//http://wiki.services.openoffice.org/wiki/Certificate_Path_Validation#Validation_status
sal_Int32 SecurityEnvironment_MSCryptImpl :: verifyCertificate(
const Reference< ::com::sun::star::security::XCertificate >& aCert,
const Sequence< Reference< ::com::sun::star::security::XCertificate > >& seqCerts)
@@ -910,17 +974,16 @@ sal_Int32 SecurityEnvironment_MSCryptImpl :: verifyCertificate(
PCCERT_CHAIN_CONTEXT pChainContext = NULL;
PCCERT_CONTEXT pCertContext = NULL;
const X509Certificate_MSCryptImpl* xcert = NULL;
- DWORD chainStatus ;
-
- CERT_ENHKEY_USAGE enhKeyUsage ;
- CERT_USAGE_MATCH certUsage ;
- CERT_CHAIN_PARA chainPara ;
Reference< XUnoTunnel > xCertTunnel( aCert, UNO_QUERY ) ;
if( !xCertTunnel.is() ) {
throw RuntimeException() ;
}
+ xmlsec_trace("Start verification of certificate: \n %s",
+ OUStringToOString(
+ aCert->getSubjectName(), osl_getThreadTextEncoding()).getStr());
+
xcert = ( X509Certificate_MSCryptImpl* )xCertTunnel->getSomething( X509Certificate_MSCryptImpl::getUnoTunnelId() ) ;
if( xcert == NULL ) {
throw RuntimeException() ;
@@ -928,6 +991,11 @@ sal_Int32 SecurityEnvironment_MSCryptImpl :: verifyCertificate(
pCertContext = xcert->getMswcryCert() ;
+ CERT_ENHKEY_USAGE enhKeyUsage ;
+ CERT_USAGE_MATCH certUsage ;
+ CERT_CHAIN_PARA chainPara ;
+ rtl_zeroMemory(&chainPara, sizeof(CERT_CHAIN_PARA));
+
//Prepare parameter for CertGetCertificateChain
enhKeyUsage.cUsageIdentifier = 0 ;
enhKeyUsage.rgpszUsageIdentifier = NULL ;
@@ -975,130 +1043,92 @@ sal_Int32 SecurityEnvironment_MSCryptImpl :: verifyCertificate(
}
//CertGetCertificateChain searches by default in MY, CA, ROOT and TRUST
+ //We do not check revocation of the root. In most cases there are none.
+ //Then we would get CERT_TRUST_REVOCATION_STATUS_UNKNOWN
+ xmlsec_trace("Verifying cert using revocation information.");
bChain = CertGetCertificateChain(
NULL ,
pCertContext ,
NULL , //use current system time
hCollectionStore,
&chainPara ,
- CERT_CHAIN_REVOCATION_CHECK_CHAIN | CERT_CHAIN_TIMESTAMP_TIME ,
+ CERT_CHAIN_REVOCATION_CHECK_CHAIN | CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT,
NULL ,
&pChainContext);
- if (!bChain)
- pChainContext = NULL;
-
- }
-
- if(bChain && pChainContext != NULL )
- {
- chainStatus = pChainContext->TrustStatus.dwErrorStatus ;
-
- // JL & TKR: Until we have a test suite to test all error types we just say that the cert is
- // valid or invalid with no further separation.
- // Error CERT_TRUST_IS_OFFLINE_REVOCATION and CERT_TRUST_REVOCATION_STATUS_UNKNOWN are treated separate
- // because they are ignored ( Bad! ) in the currently situation
-
- if( chainStatus == CERT_TRUST_NO_ERROR )
- {
- validity = ::com::sun::star::security::CertificateValidity::VALID ;
- }
-
- if ( ( chainStatus & CERT_TRUST_IS_OFFLINE_REVOCATION ) == CERT_TRUST_IS_OFFLINE_REVOCATION ) {
- validity |= ::com::sun::star::security::CertificateValidity::UNKNOWN_REVOKATION ;
- }
-
- if ( ( chainStatus & CERT_TRUST_REVOCATION_STATUS_UNKNOWN ) == CERT_TRUST_REVOCATION_STATUS_UNKNOWN ) {
- validity |= ::com::sun::star::security::CertificateValidity::UNKNOWN_REVOKATION ;
- }
-
- if (chainStatus & CERT_TRUST_IS_NOT_VALID_FOR_USAGE
- || chainStatus & CERT_TRUST_IS_CYCLIC
- || chainStatus & CERT_TRUST_INVALID_POLICY_CONSTRAINTS
- || chainStatus & CERT_TRUST_INVALID_BASIC_CONSTRAINTS
- || chainStatus & CERT_TRUST_INVALID_NAME_CONSTRAINTS
- || chainStatus & CERT_TRUST_HAS_NOT_SUPPORTED_NAME_CONSTRAINT
- || chainStatus & CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT
- || chainStatus & CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT
- || chainStatus & CERT_TRUST_HAS_EXCLUDED_NAME_CONSTRAINT
- || chainStatus & CERT_TRUST_NO_ISSUANCE_CHAIN_POLICY
- || chainStatus & CERT_TRUST_CTL_IS_NOT_TIME_VALID
- || chainStatus & CERT_TRUST_CTL_IS_NOT_SIGNATURE_VALID
- || chainStatus & CERT_TRUST_CTL_IS_NOT_VALID_FOR_USAGE
- || chainStatus & CERT_TRUST_IS_NOT_TIME_VALID
- || chainStatus & CERT_TRUST_IS_NOT_TIME_NESTED
- || chainStatus & CERT_TRUST_IS_REVOKED
- || chainStatus & CERT_TRUST_IS_NOT_SIGNATURE_VALID
- || chainStatus & CERT_TRUST_IS_UNTRUSTED_ROOT
- || chainStatus & CERT_TRUST_INVALID_EXTENSION
- || chainStatus & CERT_TRUST_IS_PARTIAL_CHAIN )
+ if (bChain && pChainContext->cChain > 0)
{
- validity = ::com::sun::star::security::CertificateValidity::INVALID;
- }
-/*
+ xmlsec_trace("Overall error status (all chains):");
+ traceTrustStatus(pChainContext->TrustStatus.dwErrorStatus);
+ //highest quality chains come first
+ PCERT_SIMPLE_CHAIN pSimpleChain = pChainContext->rgpChain[0];
+ xmlsec_trace("Error status of first chain: ");
+ traceTrustStatus(pSimpleChain->TrustStatus.dwErrorStatus);
+
+ //CERT_TRUST_REVOCATION_STATUS_UNKNOWN is also set if a certificate
+ //has no AIA(OCSP) or CRLDP extension and there is no CRL locally installed.
+ DWORD revocationFlags = CERT_TRUST_REVOCATION_STATUS_UNKNOWN |
+ CERT_TRUST_IS_OFFLINE_REVOCATION;
+ DWORD otherErrorsMask = ~revocationFlags;
+ if( !(pSimpleChain->TrustStatus.dwErrorStatus & otherErrorsMask))
- if( ( chainStatus & CERT_TRUST_IS_NOT_TIME_VALID ) == CERT_TRUST_IS_NOT_TIME_VALID ) {
- validity |= ::com::sun::star::security::CertificateValidity::TIME_INVALID ;
- }
-
- if( ( chainStatus & CERT_TRUST_IS_NOT_TIME_NESTED ) == CERT_TRUST_IS_NOT_TIME_NESTED ) {
- validity |= ::com::sun::star::security::CertificateValidity::NOT_TIME_NESTED;
- }
-
- if( ( chainStatus & CERT_TRUST_IS_REVOKED ) == CERT_TRUST_IS_REVOKED ) {
- validity |= ::com::sun::star::security::CertificateValidity::REVOKED ;
- }
-
- //JL My interpretation is that CERT_TRUST_IS_OFFLINE_REVOCATION does not mean that the certificate was revoked.
- //Instead the CRL cannot be retrieved from the net, or an available CRL is stale (too old).
- //This error may also occurs if the certificate does not contain the CDP (Certificate Distribution Point)extension
- if( ( chainStatus & CERT_TRUST_IS_OFFLINE_REVOCATION ) == CERT_TRUST_IS_OFFLINE_REVOCATION ) {
- validity |= ::com::sun::star::security::CertificateValidity::UNKNOWN_REVOKATION ;
- }
-
- if( ( chainStatus & CERT_TRUST_IS_NOT_SIGNATURE_VALID ) == CERT_TRUST_IS_NOT_SIGNATURE_VALID ) {
- validity |= ::com::sun::star::security::CertificateValidity::SIGNATURE_INVALID ;
- }
-
- if( ( chainStatus & CERT_TRUST_IS_UNTRUSTED_ROOT ) == CERT_TRUST_IS_UNTRUSTED_ROOT ) {
- validity |= ::com::sun::star::security::CertificateValidity::ROOT_UNTRUSTED ;
- }
-
- if( ( chainStatus & CERT_TRUST_REVOCATION_STATUS_UNKNOWN ) == CERT_TRUST_REVOCATION_STATUS_UNKNOWN ) {
- validity |= ::com::sun::star::security::CertificateValidity::UNKNOWN_REVOKATION ;
- }
-
- if( ( chainStatus & CERT_TRUST_INVALID_EXTENSION ) == CERT_TRUST_INVALID_EXTENSION ) {
- validity |= ::com::sun::star::security::CertificateValidity::EXTENSION_INVALID ;
- }
-
- if( ( chainStatus & CERT_TRUST_IS_PARTIAL_CHAIN ) == CERT_TRUST_IS_PARTIAL_CHAIN ) {
- validity |= ::com::sun::star::security::CertificateValidity::CHAIN_INCOMPLETE ;
+ {
+ //No errors except maybe those caused by missing revocation information
+ //Check if there are errors
+ if ( pSimpleChain->TrustStatus.dwErrorStatus & revocationFlags)
+ {
+ //No revocation information. Because MSDN documentation is not
+ //clear about if all other tests are performed if an error occurrs,
+ //we test again, without requiring revocation checking.
+ CertFreeCertificateChain(pChainContext);
+ pChainContext = NULL;
+ xmlsec_trace("Checking again but without requiring revocation information.");
+ bChain = CertGetCertificateChain(
+ NULL ,
+ pCertContext ,
+ NULL , //use current system time
+ hCollectionStore,
+ &chainPara ,
+ 0,
+ NULL ,
+ &pChainContext);
+ if (bChain
+ && pChainContext->cChain > 0
+ && pChainContext->rgpChain[0]->TrustStatus.dwErrorStatus == CERT_TRUST_NO_ERROR)
+ {
+ xmlsec_trace("Certificate is valid.\n");
+ validity = ::com::sun::star::security::CertificateValidity::VALID;
+ }
+ else
+ {
+ xmlsec_trace("Certificate is invalid.\n");
+ }
+ }
+ else
+ {
+ //valid and revocation information available
+ xmlsec_trace("Certificate is valid.\n");
+ validity = ::com::sun::star::security::CertificateValidity::VALID;
+ }
+ }
+ else
+ {
+ //invalid
+ xmlsec_trace("Certificate is invalid.\n");
+ validity = ::com::sun::star::security::CertificateValidity::INVALID ;
+ }
}
- //todo
- if (chainStatus & CERT_TRUST_IS_NOT_VALID_FOR_USAGE
- || chainStatus & CERT_TRUST_IS_CYCLIC
- || chainStatus & CERT_TRUST_INVALID_POLICY_CONSTRAINTS
- || chainStatus & CERT_TRUST_INVALID_BASIC_CONSTRAINTS
- || chainStatus & CERT_TRUST_INVALID_NAME_CONSTRAINTS
- || chainStatus & CERT_TRUST_HAS_NOT_SUPPORTED_NAME_CONSTRAINT
- || chainStatus & CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT
- || chainStatus & CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT
- || chainStatus & CERT_TRUST_HAS_EXCLUDED_NAME_CONSTRAINT
- || chainStatus & CERT_TRUST_NO_ISSUANCE_CHAIN_POLICY
- || chainStatus & CERT_TRUST_CTL_IS_NOT_TIME_VALID
- || chainStatus & CERT_TRUST_CTL_IS_NOT_SIGNATURE_VALID
- || chainStatus & CERT_TRUST_CTL_IS_NOT_VALID_FOR_USAGE)
+ else
{
- validity = ::com::sun::star::security::CertificateValidity::INVALID;
+ xmlsec_trace("CertGetCertificateChaine failed.\n");
}
-*/
- } else {
- validity = ::com::sun::star::security::CertificateValidity::INVALID ;
}
if (pChainContext)
+ {
CertFreeCertificateChain(pChainContext);
+ pChainContext = NULL;
+ }
//Close the additional store, do not destroy the contained certs
CertCloseStore(hCollectionStore, CERT_CLOSE_STORE_CHECK_FLAG);
diff --git a/xmlsecurity/source/xmlsec/mscrypt/x509certificate_mscryptimpl.cxx b/xmlsecurity/source/xmlsec/mscrypt/x509certificate_mscryptimpl.cxx
index 9c505800388f..8f983dae05de 100644
--- a/xmlsecurity/source/xmlsec/mscrypt/x509certificate_mscryptimpl.cxx
+++ b/xmlsecurity/source/xmlsec/mscrypt/x509certificate_mscryptimpl.cxx
@@ -292,7 +292,7 @@ sal_Int16 SAL_CALL X509Certificate_MSCryptImpl :: getVersion() throw ( ::com::su
throw RuntimeException() ;
}
- OUString xSubject(subject);
+ OUString xSubject(reinterpret_cast<const sal_Unicode*>(subject));
delete [] subject ;
return replaceTagSWithTagST(xSubject);
diff --git a/xmlsecurity/source/xmlsec/nss/certerrors.h b/xmlsecurity/source/xmlsec/nss/certerrors.h
new file mode 100644
index 000000000000..9b9801f21f59
--- /dev/null
+++ b/xmlsecurity/source/xmlsec/nss/certerrors.h
@@ -0,0 +1,384 @@
+/*************************************************************************
+ *
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * Copyright 2008 by Sun Microsystems, Inc.
+ *
+ * OpenOffice.org - a multi-platform office productivity suite
+ *
+ * $RCSfile: securityenvironment_nssimpl.cxx,v $
+ * $Revision: 1.23 $
+ *
+ * This file is part of OpenOffice.org.
+ *
+ * OpenOffice.org is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License version 3
+ * only, as published by the Free Software Foundation.
+ *
+ * OpenOffice.org is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License version 3 for more details
+ * (a copy is included in the LICENSE file that accompanied this code).
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * version 3 along with OpenOffice.org. If not, see
+ * <http://www.openoffice.org/license.html>
+ * for a copy of the LGPLv3 License.
+ *
+ ************************************************************************/
+
+
+{SEC_ERROR_IO, "An I/O error occurred during security authorization."},
+
+{SEC_ERROR_LIBRARY_FAILURE, "security library failure."},
+
+{SEC_ERROR_BAD_DATA, "security library: received bad data."},
+
+{SEC_ERROR_OUTPUT_LEN, "security library: output length error."},
+
+{SEC_ERROR_INPUT_LEN, "security library has experienced an input length error."},
+
+{SEC_ERROR_INVALID_ARGS, "security library: invalid arguments."},
+
+{SEC_ERROR_INVALID_ALGORITHM, "security library: invalid algorithm."},
+
+{SEC_ERROR_INVALID_AVA, "security library: invalid AVA."},
+
+{SEC_ERROR_INVALID_TIME, "Improperly formatted time string."},
+
+{SEC_ERROR_BAD_DER, "security library: improperly formatted DER-encoded message."},
+
+{SEC_ERROR_BAD_SIGNATURE, "Peer's certificate has an invalid signature."},
+
+{SEC_ERROR_EXPIRED_CERTIFICATE, "Peer's Certificate has expired."},
+
+{SEC_ERROR_REVOKED_CERTIFICATE, "Peer's Certificate has been revoked."},
+
+{SEC_ERROR_UNKNOWN_ISSUER, "Peer's Certificate issuer is not recognized."},
+
+{SEC_ERROR_BAD_KEY, "Peer's public key is invalid."},
+
+{SEC_ERROR_BAD_PASSWORD, "The security password entered is incorrect."},
+
+{SEC_ERROR_RETRY_PASSWORD, "New password entered incorrectly. Please try again."},
+
+{SEC_ERROR_NO_NODELOCK, "security library: no nodelock."},
+
+{SEC_ERROR_BAD_DATABASE, "security library: bad database."},
+
+{SEC_ERROR_NO_MEMORY, "security library: memory allocation failure."},
+
+{SEC_ERROR_UNTRUSTED_ISSUER, "Peer's certificate issuer has been marked as not trusted by the user."},
+
+{SEC_ERROR_UNTRUSTED_CERT, "Peer's certificate has been marked as not trusted by the user."},
+
+{SEC_ERROR_DUPLICATE_CERT, "Certificate already exists in your database."},
+
+{SEC_ERROR_DUPLICATE_CERT_NAME, "Downloaded certificate's name duplicates one already in your database."},
+
+{SEC_ERROR_ADDING_CERT, "Error adding certificate to database."},
+
+{SEC_ERROR_FILING_KEY, "Error refiling the key for this certificate."},
+
+{SEC_ERROR_NO_KEY, "The private key for this certificate cannot be found in key database"},
+
+{SEC_ERROR_CERT_VALID, "This certificate is valid."},
+
+{SEC_ERROR_CERT_NOT_VALID, "This certificate is not valid."},
+
+{SEC_ERROR_CERT_NO_RESPONSE, "Cert Library: No Response"},
+
+{SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE, "The certificate issuer's certificate has expired. Check your system date and time."},
+
+{SEC_ERROR_CRL_EXPIRED, "The CRL for the certificate's issuer has expired. Update it or check your system date and time."},
+
+{SEC_ERROR_CRL_BAD_SIGNATURE, "The CRL for the certificate's issuer has an invalid signature."},
+
+{SEC_ERROR_CRL_INVALID, "New CRL has an invalid format."},
+
+{SEC_ERROR_EXTENSION_VALUE_INVALID, "Certificate extension value is invalid."},
+
+{SEC_ERROR_EXTENSION_NOT_FOUND, "Certificate extension not found."},
+
+{SEC_ERROR_CA_CERT_INVALID, "Issuer certificate is invalid."},
+
+{SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID, "Certificate path length constraint is invalid."},
+
+{SEC_ERROR_CERT_USAGES_INVALID, "Certificate usages field is invalid."},
+
+{SEC_INTERNAL_ONLY, "**Internal ONLY module**"},
+
+{SEC_ERROR_INVALID_KEY, "The key does not support the requested operation."},
+
+{SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION, "Certificate contains unknown critical extension."},
+
+{SEC_ERROR_OLD_CRL, "New CRL is not later than the current one."},
+
+{SEC_ERROR_NO_EMAIL_CERT, "Not encrypted or signed: you do not yet have an email certificate."},
+
+{SEC_ERROR_NO_RECIPIENT_CERTS_QUERY, "Not encrypted: you do not have certificates for each of the recipients."},
+
+{SEC_ERROR_NOT_A_RECIPIENT, "Cannot decrypt: you are not a recipient, or matching certificate and \
+private key not found."},
+
+{SEC_ERROR_PKCS7_KEYALG_MISMATCH, "Cannot decrypt: key encryption algorithm does not match your certificate."},
+
+{SEC_ERROR_PKCS7_BAD_SIGNATURE, "Signature verification failed: no signer found, too many signers found, \
+or improper or corrupted data."},
+
+{SEC_ERROR_UNSUPPORTED_KEYALG, "Unsupported or unknown key algorithm."},
+
+{SEC_ERROR_DECRYPTION_DISALLOWED, "Cannot decrypt: encrypted using a disallowed algorithm or key size."},
+
+
+/* Fortezza Alerts */
+{XP_SEC_FORTEZZA_BAD_CARD, "Fortezza card has not been properly initialized. \
+Please remove it and return it to your issuer."},
+
+{XP_SEC_FORTEZZA_NO_CARD, "No Fortezza cards Found"},
+
+{XP_SEC_FORTEZZA_NONE_SELECTED, "No Fortezza card selected"},
+
+{XP_SEC_FORTEZZA_MORE_INFO, "Please select a personality to get more info on"},
+
+{XP_SEC_FORTEZZA_PERSON_NOT_FOUND, "Personality not found"},
+
+{XP_SEC_FORTEZZA_NO_MORE_INFO, "No more information on that Personality"},
+
+{XP_SEC_FORTEZZA_BAD_PIN, "Invalid Pin"},
+
+{XP_SEC_FORTEZZA_PERSON_ERROR, "Couldn't initialize Fortezza personalities."},
+/* end fortezza alerts. */
+
+{SEC_ERROR_NO_KRL, "No KRL for this site's certificate has been found."},
+
+{SEC_ERROR_KRL_EXPIRED, "The KRL for this site's certificate has expired."},
+
+{SEC_ERROR_KRL_BAD_SIGNATURE, "The KRL for this site's certificate has an invalid signature."},
+
+{SEC_ERROR_REVOKED_KEY, "The key for this site's certificate has been revoked."},
+
+{SEC_ERROR_KRL_INVALID, "New KRL has an invalid format."},
+
+{SEC_ERROR_NEED_RANDOM, "security library: need random data."},
+
+{SEC_ERROR_NO_MODULE, "security library: no security module can perform the requested operation."},
+
+{SEC_ERROR_NO_TOKEN, "The security card or token does not exist, needs to be initialized, or has been removed."},
+
+{SEC_ERROR_READ_ONLY, "security library: read-only database."},
+
+{SEC_ERROR_NO_SLOT_SELECTED, "No slot or token was selected."},
+
+{SEC_ERROR_CERT_NICKNAME_COLLISION, "A certificate with the same nickname already exists."},
+
+{SEC_ERROR_KEY_NICKNAME_COLLISION, "A key with the same nickname already exists."},
+
+{SEC_ERROR_SAFE_NOT_CREATED, "error while creating safe object"},
+
+{SEC_ERROR_BAGGAGE_NOT_CREATED, "error while creating baggage object"},
+
+{XP_JAVA_REMOVE_PRINCIPAL_ERROR, "Couldn't remove the principal"},
+
+{XP_JAVA_DELETE_PRIVILEGE_ERROR, "Couldn't delete the privilege"},
+
+{XP_JAVA_CERT_NOT_EXISTS_ERROR, "This principal doesn't have a certificate"},
+
+{SEC_ERROR_BAD_EXPORT_ALGORITHM, "Required algorithm is not allowed."},
+
+{SEC_ERROR_EXPORTING_CERTIFICATES, "Error attempting to export certificates."},
+
+{SEC_ERROR_IMPORTING_CERTIFICATES, "Error attempting to import certificates."},
+
+{SEC_ERROR_PKCS12_DECODING_PFX, "Unable to import. Decoding error. File not valid."},
+
+{SEC_ERROR_PKCS12_INVALID_MAC, "Unable to import. Invalid MAC. Incorrect password or corrupt file."},
+
+{SEC_ERROR_PKCS12_UNSUPPORTED_MAC_ALGORITHM, "Unable to import. MAC algorithm not supported."},
+
+{SEC_ERROR_PKCS12_UNSUPPORTED_TRANSPORT_MODE, "Unable to import. Only password integrity and privacy modes supported."},
+
+{SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE, "Unable to import. File structure is corrupt."},
+
+{SEC_ERROR_PKCS12_UNSUPPORTED_PBE_ALGORITHM, "Unable to import. Encryption algorithm not supported."},
+
+{SEC_ERROR_PKCS12_UNSUPPORTED_VERSION, "Unable to import. File version not supported."},
+
+{SEC_ERROR_PKCS12_PRIVACY_PASSWORD_INCORRECT, "Unable to import. Incorrect privacy password."},
+
+{SEC_ERROR_PKCS12_CERT_COLLISION, "Unable to import. Same nickname already exists in database."},
+
+{SEC_ERROR_USER_CANCELLED, "The user pressed cancel."},
+
+{SEC_ERROR_PKCS12_DUPLICATE_DATA, "Not imported, already in database."},
+
+{SEC_ERROR_MESSAGE_SEND_ABORTED, "Message not sent."},
+
+{SEC_ERROR_INADEQUATE_KEY_USAGE, "Certificate key usage inadequate for attempted operation."},
+
+{SEC_ERROR_INADEQUATE_CERT_TYPE, "Certificate type not approved for application."},
+
+{SEC_ERROR_CERT_ADDR_MISMATCH, "Address in signing certificate does not match address in message headers."},
+
+{SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY, "Unable to import. Error attempting to import private key."},
+
+{SEC_ERROR_PKCS12_IMPORTING_CERT_CHAIN, "Unable to import. Error attempting to import certificate chain."},
+
+{SEC_ERROR_PKCS12_UNABLE_TO_LOCATE_OBJECT_BY_NAME, "Unable to export. Unable to locate certificate or key by nickname."},
+
+{SEC_ERROR_PKCS12_UNABLE_TO_EXPORT_KEY, "Unable to export. Private Key could not be located and exported."},
+
+{SEC_ERROR_PKCS12_UNABLE_TO_WRITE, "Unable to export. Unable to write the export file."},
+
+{SEC_ERROR_PKCS12_UNABLE_TO_READ, "Unable to import. Unable to read the import file."},
+
+{SEC_ERROR_PKCS12_KEY_DATABASE_NOT_INITIALIZED, "Unable to export. Key database corrupt or deleted."},
+
+{SEC_ERROR_KEYGEN_FAIL, "Unable to generate public/private key pair."},
+
+{SEC_ERROR_INVALID_PASSWORD, "Password entered is invalid. Please pick a different one."},
+
+{SEC_ERROR_RETRY_OLD_PASSWORD, "Old password entered incorrectly. Please try again."},
+
+{SEC_ERROR_BAD_NICKNAME, "Certificate nickname already in use."},
+
+{SEC_ERROR_NOT_FORTEZZA_ISSUER, "Peer FORTEZZA chain has a non-FORTEZZA Certificate."},
+
+{SEC_ERROR_CANNOT_MOVE_SENSITIVE_KEY, "A sensitive key cannot be moved to the slot where it is needed."},
+
+{SEC_ERROR_JS_INVALID_MODULE_NAME, "Invalid module name."},
+
+{SEC_ERROR_JS_INVALID_DLL, "Invalid module path/filename"},
+
+{SEC_ERROR_JS_ADD_MOD_FAILURE, "Unable to add module"},
+
+{SEC_ERROR_JS_DEL_MOD_FAILURE, "Unable to delete module"},
+
+{SEC_ERROR_OLD_KRL, "New KRL is not later than the current one."},
+
+{SEC_ERROR_CKL_CONFLICT, "New CKL has different issuer than current CKL. Delete current CKL."},
+
+{SEC_ERROR_CERT_NOT_IN_NAME_SPACE, "The Certifying Authority for this certificate is not permitted to issue a \
+certificate with this name."},
+
+{SEC_ERROR_KRL_NOT_YET_VALID, "The key revocation list for this certificate is not yet valid."},
+
+{SEC_ERROR_CRL_NOT_YET_VALID, "The certificate revocation list for this certificate is not yet valid."},
+
+{SEC_ERROR_UNKNOWN_CERT, "The requested certificate could not be found."},
+
+{SEC_ERROR_UNKNOWN_SIGNER, "The signer's certificate could not be found."},
+
+{SEC_ERROR_CERT_BAD_ACCESS_LOCATION, "The location for the certificate status server has invalid format."},
+
+{SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE, "The OCSP response cannot be fully decoded; it is of an unknown type."},
+
+{SEC_ERROR_OCSP_BAD_HTTP_RESPONSE, "The OCSP server returned unexpected/invalid HTTP data."},
+
+{SEC_ERROR_OCSP_MALFORMED_REQUEST, "The OCSP server found the request to be corrupted or improperly formed."},
+
+{SEC_ERROR_OCSP_SERVER_ERROR, "The OCSP server experienced an internal error."},
+
+{SEC_ERROR_OCSP_TRY_SERVER_LATER, "The OCSP server suggests trying again later."},
+
+{SEC_ERROR_OCSP_REQUEST_NEEDS_SIG, "The OCSP server requires a signature on this request."},
+
+{SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST, "The OCSP server has refused this request as unauthorized."},
+
+{SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS, "The OCSP server returned an unrecognizable status."},
+
+{SEC_ERROR_OCSP_UNKNOWN_CERT, "The OCSP server has no status for the certificate."},
+
+{SEC_ERROR_OCSP_NOT_ENABLED, "You must enable OCSP before performing this operation."},
+
+{SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER, "You must set the OCSP default responder before performing this operation."},
+
+{SEC_ERROR_OCSP_MALFORMED_RESPONSE, "The response from the OCSP server was corrupted or improperly formed."},
+
+{SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE, "The signer of the OCSP response is not authorized to give status for \
+this certificate."},
+
+{SEC_ERROR_OCSP_FUTURE_RESPONSE, "The OCSP response is not yet valid (contains a date in the future},."},
+
+{SEC_ERROR_OCSP_OLD_RESPONSE, "The OCSP response contains out-of-date information."},
+
+{SEC_ERROR_DIGEST_NOT_FOUND, "The CMS or PKCS #7 Digest was not found in signed message."},
+
+{SEC_ERROR_UNSUPPORTED_MESSAGE_TYPE, "The CMS or PKCS #7 Message type is unsupported."},
+
+{SEC_ERROR_MODULE_STUCK, "PKCS #11 module could not be removed because it is still in use."},
+
+{SEC_ERROR_BAD_TEMPLATE, "Could not decode ASN.1 data. Specified template was invalid."},
+
+{SEC_ERROR_CRL_NOT_FOUND, "No matching CRL was found."},
+
+{SEC_ERROR_REUSED_ISSUER_AND_SERIAL, "You are attempting to import a cert with the same issuer/serial as \
+an existing cert, but that is not the same cert."},
+
+{SEC_ERROR_BUSY, "NSS could not shutdown. Objects are still in use."},
+
+{SEC_ERROR_EXTRA_INPUT, "DER-encoded message contained extra unused data."},
+
+{SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE, "Unsupported elliptic curve."},
+
+{SEC_ERROR_UNSUPPORTED_EC_POINT_FORM, "Unsupported elliptic curve point form."},
+
+{SEC_ERROR_UNRECOGNIZED_OID, "Unrecognized Object Identifier."},
+
+{SEC_ERROR_OCSP_INVALID_SIGNING_CERT, "Invalid OCSP signing certificate in OCSP response."},
+
+{SEC_ERROR_REVOKED_CERTIFICATE_CRL, "Certificate is revoked in issuer's certificate revocation list."},
+
+{SEC_ERROR_REVOKED_CERTIFICATE_OCSP, "Issuer's OCSP responder reports certificate is revoked."},
+
+{SEC_ERROR_CRL_INVALID_VERSION, "Issuer's Certificate Revocation List has an unknown version number."},
+
+{SEC_ERROR_CRL_V1_CRITICAL_EXTENSION, "Issuer's V1 Certificate Revocation List has a critical extension."},
+
+{SEC_ERROR_CRL_UNKNOWN_CRITICAL_EXTENSION, "Issuer's V2 Certificate Revocation List has an unknown critical extension."},
+
+{SEC_ERROR_UNKNOWN_OBJECT_TYPE, "Unknown object type specified."},
+
+{SEC_ERROR_INCOMPATIBLE_PKCS11, "PKCS #11 driver violates the spec in an incompatible way."},
+
+{SEC_ERROR_NO_EVENT, "No new slot event is available at this time."},
+
+{SEC_ERROR_CRL_ALREADY_EXISTS, "CRL already exists."},
+
+{SEC_ERROR_NOT_INITIALIZED, "NSS is not initialized."},
+
+{SEC_ERROR_TOKEN_NOT_LOGGED_IN, "The operation failed because the PKCS#11 token is not logged in."},
+
+{SEC_ERROR_OCSP_RESPONDER_CERT_INVALID, "Configured OCSP responder's certificate is invalid."},
+
+{SEC_ERROR_OCSP_BAD_SIGNATURE, "OCSP response has an invalid signature."},
+
+{SEC_ERROR_OUT_OF_SEARCH_LIMITS, "Cert validation search is out of search limits"},
+
+{SEC_ERROR_INVALID_POLICY_MAPPING, "Policy mapping contains anypolicy"},
+
+{SEC_ERROR_POLICY_VALIDATION_FAILED, "Cert chain fails policy validation"},
+
+{SEC_ERROR_UNKNOWN_AIA_LOCATION_TYPE, "Unknown location type in cert AIA extension"},
+
+{SEC_ERROR_BAD_HTTP_RESPONSE, "Server returned bad HTTP response"},
+
+{SEC_ERROR_BAD_LDAP_RESPONSE, "Server returned bad LDAP response"},
+
+{SEC_ERROR_FAILED_TO_ENCODE_DATA, "Failed to encode data with ASN1 encoder"},
+
+{SEC_ERROR_BAD_INFO_ACCESS_LOCATION, "Bad information access location in cert extension"},
+
+{SEC_ERROR_LIBPKIX_INTERNAL, "Libpkix internal error occured during cert validation."},
+
+{SEC_ERROR_PKCS11_GENERAL_ERROR, "A PKCS #11 module returned CKR_GENERAL_ERROR, indicating that an unrecoverable error has occurred."},
+
+{SEC_ERROR_PKCS11_FUNCTION_FAILED, "A PKCS #11 module returned CKR_FUNCTION_FAILED, indicating that the requested function could not be performed. Trying the same operation again might succeed."},
+
+{SEC_ERROR_PKCS11_DEVICE_ERROR, "A PKCS #11 module returned CKR_DEVICE_ERROR, indicating that a problem has occurred with the token or slot."},
+
+{SEC_ERROR_BAD_INFO_ACCESS_METHOD, "Unknown information access method in certificate extension."},
+
+{SEC_ERROR_CRL_IMPORT_FAILED, "Error attempting to import a CRL."},
+
diff --git a/xmlsecurity/source/xmlsec/nss/makefile.mk b/xmlsecurity/source/xmlsec/nss/makefile.mk
index df5bb7131a55..227b6de88477 100644
--- a/xmlsecurity/source/xmlsec/nss/makefile.mk
+++ b/xmlsecurity/source/xmlsec/nss/makefile.mk
@@ -47,10 +47,12 @@ LIBTARGET=NO
.IF "$(CRYPTO_ENGINE)" == "nss"
-.IF "$(WITH_MOZILLA)" == "NO"
+.IF "$(WITH_MOZILLA)" == "NO" || "$(ENABLE_NSS_MODULE)"!="YES"
+.IF "$(SYSTEM_MOZILLA)" != "YES"
@all:
@echo "No mozilla -> no nss -> no libxmlsec -> no xmlsecurity/nss"
.ENDIF
+.ENDIF
.IF "$(SYSTEM_MOZILLA)" != "YES"
MOZ_INC = $(SOLARVERSION)$/$(INPATH)$/inc$(UPDMINOREXT)$/mozilla
@@ -128,7 +130,9 @@ SLOFILES = \
$(SLO)$/xmlsignature_nssimpl.obj \
$(SLO)$/x509certificate_nssimpl.obj \
$(SLO)$/seinitializer_nssimpl.obj \
- $(SLO)$/xsec_nss.obj
+ $(SLO)$/xsec_nss.obj \
+ $(SLO)$/secerror.obj
+
.ENDIF
diff --git a/xmlsecurity/source/xmlsec/nss/secerror.cxx b/xmlsecurity/source/xmlsec/nss/secerror.cxx
new file mode 100644
index 000000000000..4a9ee3622bc4
--- /dev/null
+++ b/xmlsecurity/source/xmlsec/nss/secerror.cxx
@@ -0,0 +1,165 @@
+/*************************************************************************
+ *
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * Copyright 2008 by Sun Microsystems, Inc.
+ *
+ * OpenOffice.org - a multi-platform office productivity suite
+ *
+ * $RCSfile: securityenvironment_nssimpl.cxx,v $
+ * $Revision: 1.23 $
+ *
+ * This file is part of OpenOffice.org.
+ *
+ * OpenOffice.org is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License version 3
+ * only, as published by the Free Software Foundation.
+ *
+ * OpenOffice.org is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License version 3 for more details
+ * (a copy is included in the LICENSE file that accompanied this code).
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * version 3 along with OpenOffice.org. If not, see
+ * <http://www.openoffice.org/license.html>
+ * for a copy of the LGPLv3 License.
+ *
+ ************************************************************************/
+
+
+#include "secerr.h"
+#include "sslerr.h"
+#include "nspr.h"
+#include "certt.h"
+
+#include "../diagnose.hxx"
+
+using namespace xmlsecurity;
+
+struct ErrDesc {
+ PRErrorCode errNum;
+ const char * errString;
+};
+
+
+
+const ErrDesc allDesc[] = {
+
+#include "certerrors.h"
+
+};
+
+
+
+/* Returns a UTF-8 encoded constant error string for "errNum".
+ * Returns NULL of errNum is unknown.
+ */
+const char *
+getCertError(PRErrorCode errNum)
+{
+ static char sEmpty[] = "";
+ const int numDesc = sizeof(allDesc) / sizeof(ErrDesc);
+ for (int i = 0; i < numDesc; i++)
+ {
+ if (allDesc[i].errNum == errNum)
+ return allDesc[i].errString;
+ }
+
+ return sEmpty;
+}
+
+void
+printChainFailure(CERTVerifyLog *log)
+{
+ unsigned long errorFlags = 0;
+ unsigned int depth = (unsigned int)-1;
+ const char * specificError = NULL;
+ const char * issuer = NULL;
+ CERTVerifyLogNode *node = NULL;
+
+ if (log->count > 0)
+ {
+ xmlsec_trace("Bad certifcation path:");
+ for (node = log->head; node; node = node->next)
+ {
+ if (depth != node->depth)
+ {
+ depth = node->depth;
+ xmlsec_trace("Certificate: %d. %s %s:", depth,
+ node->cert->subjectName,
+ depth ? "[Certificate Authority]": "");
+ }
+ xmlsec_trace(" ERROR %ld: %s", node->error,
+ getCertError(node->error));
+ specificError = NULL;
+ issuer = NULL;
+ switch (node->error)
+ {
+ case SEC_ERROR_INADEQUATE_KEY_USAGE:
+ errorFlags = (unsigned long)node->arg;
+ switch (errorFlags)
+ {
+ case KU_DIGITAL_SIGNATURE:
+ specificError = "Certificate cannot sign.";
+ break;
+ case KU_KEY_ENCIPHERMENT:
+ specificError = "Certificate cannot encrypt.";
+ break;
+ case KU_KEY_CERT_SIGN:
+ specificError = "Certificate cannot sign other certs.";
+ break;
+ default:
+ specificError = "[unknown usage].";
+ break;
+ }
+ case SEC_ERROR_INADEQUATE_CERT_TYPE:
+ errorFlags = (unsigned long)node->arg;
+ switch (errorFlags)
+ {
+ case NS_CERT_TYPE_SSL_CLIENT:
+ case NS_CERT_TYPE_SSL_SERVER:
+ specificError = "Certificate cannot be used for SSL.";
+ break;
+ case NS_CERT_TYPE_SSL_CA:
+ specificError = "Certificate cannot be used as an SSL CA.";
+ break;
+ case NS_CERT_TYPE_EMAIL:
+ specificError = "Certificate cannot be used for SMIME.";
+ break;
+ case NS_CERT_TYPE_EMAIL_CA:
+ specificError = "Certificate cannot be used as an SMIME CA.";
+ break;
+ case NS_CERT_TYPE_OBJECT_SIGNING:
+ specificError = "Certificate cannot be used for object signing.";
+ break;
+ case NS_CERT_TYPE_OBJECT_SIGNING_CA:
+ specificError = "Certificate cannot be used as an object signing CA.";
+ break;
+ default:
+ specificError = "[unknown usage].";
+ break;
+ }
+ case SEC_ERROR_UNKNOWN_ISSUER:
+ specificError = "Unknown issuer:";
+ issuer = node->cert->issuerName;
+ break;
+ case SEC_ERROR_UNTRUSTED_ISSUER:
+ specificError = "Untrusted issuer:";
+ issuer = node->cert->issuerName;
+ break;
+ case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
+ specificError = "Expired issuer certificate:";
+ issuer = node->cert->issuerName;
+ break;
+ default:
+ break;
+ }
+ if (specificError)
+ xmlsec_trace("%s", specificError);
+ if (issuer)
+ xmlsec_trace("%s", issuer);
+ }
+ }
+}
diff --git a/xmlsecurity/source/xmlsec/nss/secerror.hxx b/xmlsecurity/source/xmlsec/nss/secerror.hxx
new file mode 100644
index 000000000000..732fef5fd03e
--- /dev/null
+++ b/xmlsecurity/source/xmlsec/nss/secerror.hxx
@@ -0,0 +1,40 @@
+/*************************************************************************
+ *
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * Copyright 2008 by Sun Microsystems, Inc.
+ *
+ * OpenOffice.org - a multi-platform office productivity suite
+ *
+ * $RCSfile: securityenvironment_nssimpl.hxx,v $
+ * $Revision: 1.9 $
+ *
+ * This file is part of OpenOffice.org.
+ *
+ * OpenOffice.org is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License version 3
+ * only, as published by the Free Software Foundation.
+ *
+ * OpenOffice.org is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License version 3 for more details
+ * (a copy is included in the LICENSE file that accompanied this code).
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * version 3 along with OpenOffice.org. If not, see
+ * <http://www.openoffice.org/license.html>
+ * for a copy of the LGPLv3 License.
+ *
+ ************************************************************************/
+
+#ifndef _XSECERROR_HXX_
+#define _XSECERROR_HXX_
+
+const char *
+getCertError(PRErrorCode errNum);
+
+void
+printChainFailure(CERTVerifyLog *log);
+#endif // _XSECERROR_HXX_
+
diff --git a/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx b/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx
index 0f8cfb744e5d..9458424afa7c 100644
--- a/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx
+++ b/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx
@@ -33,12 +33,13 @@
#include "nssrenam.h"
#include "cert.h"
#include "secerr.h"
+#include "ocsp.h"
#include <sal/config.h>
#include "securityenvironment_nssimpl.hxx"
#include "x509certificate_nssimpl.hxx"
#include <rtl/uuid.h>
-
+#include "../diagnose.hxx"
#include <sal/types.h>
//For reasons that escape me, this is what xmlsec does when size_t is not 4
@@ -62,9 +63,12 @@
#include <vector>
#include "boost/scoped_array.hpp"
+#include "secerror.hxx"
+
// MM : added for password exception
#include <com/sun/star/security/NoPasswordException.hpp>
namespace csss = ::com::sun::star::security;
+using namespace xmlsecurity;
using namespace ::com::sun::star::security;
using namespace com::sun::star;
using namespace ::com::sun::star::uno ;
@@ -80,6 +84,14 @@ extern X509Certificate_NssImpl* NssCertToXCert( CERTCertificate* cert ) ;
extern X509Certificate_NssImpl* NssPrivKeyToXCert( SECKEYPrivateKey* ) ;
+struct UsageDescription
+{
+ SECCertificateUsage usage;
+ char const * const description;
+};
+
+
+
char* GetPasswordFunction( PK11SlotInfo* pSlot, PRBool bRetry, void* /*arg*/ )
{
uno::Reference< lang::XMultiServiceFactory > xMSF( ::comphelper::getProcessServiceFactory() );
@@ -750,7 +762,7 @@ verifyCertificate( const Reference< csss::XCertificate >& aCert,
const Sequence< Reference< csss::XCertificate > >& intermediateCerts )
throw( ::com::sun::star::uno::SecurityException, ::com::sun::star::uno::RuntimeException )
{
- sal_Int32 validity = 0;
+ sal_Int32 validity = csss::CertificateValidity::INVALID;
const X509Certificate_NssImpl* xcert ;
const CERTCertificate* cert ;
::std::vector<CERTCertificate*> vecTmpNSSCertificates;
@@ -759,10 +771,9 @@ verifyCertificate( const Reference< csss::XCertificate >& aCert,
throw RuntimeException() ;
}
- OSL_TRACE("[xmlsecurity] Start verification of certificate: %s",
+ xmlsec_trace("Start verification of certificate: \n %s \n",
OUStringToOString(
- aCert->getIssuerName(), osl_getThreadTextEncoding()).getStr());
-
+ aCert->getSubjectName(), osl_getThreadTextEncoding()).getStr());
xcert = reinterpret_cast<X509Certificate_NssImpl*>(
sal::static_int_cast<sal_uIntPtr>(xCertTunnel->getSomething( X509Certificate_NssImpl::getUnoTunnelId() ))) ;
@@ -770,12 +781,16 @@ verifyCertificate( const Reference< csss::XCertificate >& aCert,
throw RuntimeException() ;
}
+ //CERT_PKIXVerifyCert does not take a db as argument. It will therefore
+ //internally use CERT_GetDefaultCertDB
+ //Make sure m_pHandler is the default DB
+ OSL_ASSERT(m_pHandler == CERT_GetDefaultCertDB());
+ CERTCertDBHandle * certDb = m_pHandler != NULL ? m_pHandler : CERT_GetDefaultCertDB();
cert = xcert->getNssCert() ;
if( cert != NULL )
{
//prepare the intermediate certificates
- CERTCertDBHandle * certDb = m_pHandler != NULL ? m_pHandler : CERT_GetDefaultCertDB();
for (sal_Int32 i = 0; i < intermediateCerts.getLength(); i++)
{
Sequence<sal_Int8> der = intermediateCerts[i]->getEncoded();
@@ -790,140 +805,172 @@ verifyCertificate( const Reference< csss::XCertificate >& aCert,
PR_TRUE /* copyDER */);
if (!certTmp)
{
- OSL_TRACE("[xmlsecurity] Failed to add a temporary certificate: %s",
+ xmlsec_trace("Failed to add a temporary certificate: %s",
OUStringToOString(intermediateCerts[i]->getIssuerName(),
osl_getThreadTextEncoding()).getStr());
}
else
{
- OSL_TRACE("[xmlsecurity] Added temporary certificate: %s",
+ xmlsec_trace("Added temporary certificate: %s",
certTmp->subjectName ? certTmp->subjectName : "");
vecTmpNSSCertificates.push_back(certTmp);
}
}
- int64 timeboundary ;
SECStatus status ;
- //Get the system clock time
- timeboundary = PR_Now() ;
- SECCertificateUsage usage = 0;
-
- // create log
-
- CERTVerifyLog realLog;
- CERTVerifyLog *log;
-
- log = &realLog;
-
-
- log->count = 0;
- log->head = NULL;
- log->tail = NULL;
- log->arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE );
-
- //CERTVerifyLog *log;
- //PRArenaPool *arena;
-
- //arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE );
- //log = PORT_ArenaZNew( arena, CERTVerifyLog );
- //log->arena = arena;
- validity = csss::CertificateValidity::INVALID;
-
- if( m_pHandler != NULL )
+ CERTVerifyLog log;
+ log.arena = PORT_NewArena(512);
+ log.head = log.tail = NULL;
+ log.count = 0;
+
+ CERT_EnableOCSPChecking(certDb);
+ CERT_DisableOCSPDefaultResponder(certDb);
+ CERTValOutParam cvout[5];
+ CERTValInParam cvin[3];
+
+ cvin[0].type = cert_pi_useAIACertFetch;
+ cvin[0].value.scalar.b = PR_TRUE;
+
+ PRUint64 revFlagsLeaf[2];
+ PRUint64 revFlagsChain[2];
+ CERTRevocationFlags rev;
+ rev.leafTests.number_of_defined_methods = 2;
+ rev.leafTests.cert_rev_flags_per_method = revFlagsLeaf;
+ //the flags are defined in cert.h
+ //We check both leaf and chain.
+ //It is enough if one revocation method has fresh info,
+ //but at least one must have some. Otherwise validation fails.
+ //!!! using leaf test and CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE
+ // when validating a root certificate will result in "revoked". Usually
+ //there is no revocation information available for the root cert because
+ //it must be trusted anyway and it does itself issue revocation information.
+ //When we use the flag here and OOo shows the certification path then the root
+ //cert is invalid while all other can be valid. It would probably best if
+ //this interface method returned the whole chain.
+ //Otherwise we need to check if the certificate is self-signed and if it is
+ //then not use the flag when doing the leaf-test.
+ rev.leafTests.cert_rev_flags_per_method[cert_revocation_method_crl] =
+ CERT_REV_M_TEST_USING_THIS_METHOD
+ | CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE;
+ rev.leafTests.cert_rev_flags_per_method[cert_revocation_method_ocsp] =
+ CERT_REV_M_TEST_USING_THIS_METHOD
+ | CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE;
+ rev.leafTests.number_of_preferred_methods = 0;
+ rev.leafTests.preferred_methods = NULL;
+ rev.leafTests.cert_rev_method_independent_flags =
+ CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST;
+// | CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE;
+
+ rev.chainTests.number_of_defined_methods = 2;
+ rev.chainTests.cert_rev_flags_per_method = revFlagsChain;
+ rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_crl] =
+ CERT_REV_M_TEST_USING_THIS_METHOD
+ | CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE;
+ rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_ocsp] =
+ CERT_REV_M_TEST_USING_THIS_METHOD
+ | CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE;
+ rev.chainTests.number_of_preferred_methods = 0;
+ rev.chainTests.preferred_methods = NULL;
+ rev.chainTests.cert_rev_method_independent_flags =
+ CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST;
+// | CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE;
+
+
+ cvin[1].type = cert_pi_revocationFlags;
+ cvin[1].value.pointer.revocation = &rev;
+ // does not work, not implemented yet in 3.12.4
+// cvin[2].type = cert_pi_keyusage;
+// cvin[2].value.scalar.ui = KU_DIGITAL_SIGNATURE;
+ cvin[2].type = cert_pi_end;
+
+ cvout[0].type = cert_po_trustAnchor;
+ cvout[0].value.pointer.cert = NULL;
+ cvout[1].type = cert_po_errorLog;
+ cvout[1].value.pointer.log = &log;
+ cvout[2].type = cert_po_end;
+
+ // We check SSL server certificates, CA certificates and signing sertificates.
+ //
+ // ToDo check keyusage, looking at CERT_KeyUsageAndTypeForCertUsage (
+ // mozilla/security/nss/lib/certdb/certdb.c indicates that
+ // certificateUsageSSLClient, certificateUsageSSLServer and certificateUsageSSLCA
+ // are sufficient. They cover the key usages for digital signature, key agreement
+ // and encipherment and certificate signature
+
+ //never use the following usages because they are not checked properly
+ // certificateUsageUserCertImport
+ // certificateUsageVerifyCA
+ // certificateUsageAnyCA
+ // certificateUsageProtectedObjectSigner
+
+ UsageDescription arUsages[] =
{
- //JL: We must not pass a particular usage in the requiredUsages argument (the 4th) because,
- //then ONLY these are verified. For example, we pass
- //certificateUsageSSLClient | certificateUsageSSLServer. Then checking a certificate which
- // is a valid certificateUsageEmailSigner but no certificateUsageSSLClient | certificateUsageSSLServer
- //will result in CertificateValidity::INVALID.
- //Only if the argument "requiredUsages" has a value (other than zero)
- //then the function will return SECFailure in case
- //the certificate is not suitable for the provided usage. That is, in the previous
- //example the function returns SECFailure.
- status = CERT_VerifyCertificate(
- m_pHandler, ( CERTCertificate* )cert, PR_TRUE,
- (SECCertificateUsage)0, timeboundary , NULL, log, &usage);
- }
- else
+ {certificateUsageSSLClient, "certificateUsageSSLClient" },
+ {certificateUsageSSLServer, "certificateUsageSSLServer" },
+ {certificateUsageSSLCA, "certificateUsageSSLCA" },
+ {certificateUsageEmailSigner, "certificateUsageEmailSigner"}, //only usable for end certs
+ {certificateUsageEmailRecipient, "certificateUsageEmailRecipient"}
+ };
+
+ int numUsages = sizeof(arUsages) / sizeof(UsageDescription);
+ for (int i = 0; i < numUsages; i++)
{
- status = CERT_VerifyCertificate(
- CERT_GetDefaultCertDB(), ( CERTCertificate* )cert,
- PR_TRUE, (SECCertificateUsage)0, timeboundary ,NULL, log, &usage);
- }
+ xmlsec_trace("Testing usage %d of %d: %s (0x%x)", i + 1,
+ numUsages, arUsages[i].description, (int) arUsages[i].usage);
+
+ status = CERT_PKIXVerifyCert(const_cast<CERTCertificate *>(cert), arUsages[i].usage,
+ cvin, cvout, NULL);
+ if( status == SECSuccess )
+ {
+ xmlsec_trace("CERT_PKIXVerifyCert returned SECSuccess.");
+ //When an intermediate or root certificate is checked then we expect the usage
+ //certificateUsageSSLCA. This, however, will be only set when in the trust settings dialog
+ //the button "This certificate can identify websites" is checked. If for example only
+ //"This certificate can identify mail users" is set then the end certificate can
+ //be validated and the returned usage will conain certificateUsageEmailRecipient.
+ //But checking directly the root or intermediate certificate will fail. In the
+ //certificate path view the end certificate will be shown as valid but the others
+ //will be displayed as invalid.
- if( status == SECSuccess )
- {
- // JL & TKR : certificateUsageUserCertImport,
- // certificateUsageVerifyCA and certificateUsageAnyCA dont check the chain
-
- //When an intermediate or root certificate is checked then we expect the usage
- //certificateUsageSSLCA. This, however, will be only set when in the trust settings dialog
- //the button "This certificate can identify websites" is checked. If for example only
- //"This certificate can identify mail users" is set then the end certificate can
- //be validated and the returned usage will conain certificateUsageEmailRecipient.
- //But checking directly the root or intermediate certificate will fail. In the
- //certificate path view the end certificate will be shown as valid but the others
- //will be displayed as invalid.
-
- if (usage & certificateUsageEmailSigner
- || usage & certificateUsageEmailRecipient
- || usage & certificateUsageSSLCA
- || usage & certificateUsageSSLServer
- || usage & certificateUsageSSLClient
- // || usage & certificateUsageUserCertImport
- // || usage & certificateUsageVerifyCA
- || usage & certificateUsageStatusResponder )
- // || usage & certificateUsageAnyCA )
validity = csss::CertificateValidity::VALID;
+ xmlsec_trace("Certificate is valid.\n");
+ CERTCertificate * issuerCert = cvout[0].value.pointer.cert;
+ if (issuerCert)
+ {
+ xmlsec_trace("Root certificate: %s", issuerCert->subjectName);
+ CERT_DestroyCertificate(issuerCert);
+ };
+
+ break;
+ }
else
- validity = csss::CertificateValidity::INVALID;
+ {
+ PRIntn err = PR_GetError();
+ xmlsec_trace("Error: , %d = %s", err, getCertError(err));
+ /* Display validation results */
+ if ( log.count > 0)
+ {
+ CERTVerifyLogNode *node = NULL;
+ printChainFailure(&log);
+
+ for (node = log.head; node; node = node->next) {
+ if (node->cert)
+ CERT_DestroyCertificate(node->cert);
+ }
+ log.head = log.tail = NULL;
+ log.count = 0;
+ }
+ xmlsec_trace("Certificate is invalid.\n");
+ }
}
- // always check what kind of error occured, even SECStatus says Success
- //JL: When we call CERT_VerifyCertificate whit the parameter requiredUsages == 0 then all
- //possible usages are checked. Then there are certainly usages for which the certificate
- //is not intended. For these usages there will be NO flag set in the argument returnedUsages
- // (the last arg) and there will be error codes set in the log. Therefore we cannot
- //set the CertificateValidity to INVALID because there is a log entry.
-// CERTVerifyLogNode *logNode = 0;
-
-// logNode = log->head;
-// while ( logNode != NULL )
-// {
-// sal_Int32 errorCode = 0;
-// errorCode = logNode->error;
-
-// switch ( errorCode )
-// {
-// // JL & TKR: Any error are treated as invalid because we cannot say that we get all occurred errors from NSS
-// /*
-// case ( SEC_ERROR_REVOKED_CERTIFICATE ):
-// validity |= csss::CertificateValidity::REVOKED;
-// break;
-// case ( SEC_ERROR_EXPIRED_CERTIFICATE ):
-// validity |= csss::CertificateValidity::TIME_INVALID;
-// break;
-// case ( SEC_ERROR_CERT_USAGES_INVALID):
-// validity |= csss::CertificateValidity::INVALID;
-// break;
-// case ( SEC_ERROR_UNTRUSTED_ISSUER ):
-// case ( SEC_ERROR_UNTRUSTED_CERT ):
-// validity |= csss::CertificateValidity::UNTRUSTED;
-// break;
-// */
-// default:
-// validity |= csss::CertificateValidity::INVALID;
-// break;
-// }
-// logNode = logNode->next;
-// }
+
}
else
{
-
validity = ::com::sun::star::security::CertificateValidity::INVALID ;
}
@@ -931,15 +978,9 @@ verifyCertificate( const Reference< csss::XCertificate >& aCert,
std::vector<CERTCertificate*>::const_iterator cert_i;
for (cert_i = vecTmpNSSCertificates.begin(); cert_i != vecTmpNSSCertificates.end(); cert_i++)
{
- OSL_TRACE("[xmlsecurity] Destroying temporary certificate");
+ xmlsec_trace("Destroying temporary certificate");
CERT_DestroyCertificate(*cert_i);
}
-#if OSL_DEBUG_LEVEL > 1
- if (validity == ::com::sun::star::security::CertificateValidity::VALID)
- OSL_TRACE("[xmlsecurity] Certificate is valid.");
- else
- OSL_TRACE("[xmlsecurity] Certificate is invalid.");
-#endif
return validity ;
}
diff --git a/xmlsecurity/source/xmlsec/nss/seinitializer_nssimpl.cxx b/xmlsecurity/source/xmlsec/nss/seinitializer_nssimpl.cxx
index 4aad18fa2c10..127d7fa43fe6 100644
--- a/xmlsecurity/source/xmlsec/nss/seinitializer_nssimpl.cxx
+++ b/xmlsecurity/source/xmlsec/nss/seinitializer_nssimpl.cxx
@@ -61,6 +61,7 @@
#include <rtl/logfile.hxx>
#include "seinitializer_nssimpl.hxx"
+#include "../diagnose.hxx"
#include "securityenvironment_nssimpl.hxx"
#include <com/sun/star/mozilla/XMozillaBootstrap.hpp>
@@ -76,6 +77,7 @@ namespace cssu = com::sun::star::uno;
namespace cssl = com::sun::star::lang;
namespace cssxc = com::sun::star::xml::crypto;
+using namespace xmlsecurity;
using namespace com::sun::star;
using ::rtl::OUString;
using ::rtl::OString;
@@ -109,7 +111,7 @@ struct InitNSSInitialize
bInitialized = nsscrypto_initialize(m_sProfile.getStr(), bNSSInit);
if (bNSSInit)
atexit(nsscrypto_finalize );
- return & bInitialized;
+ return & bInitialized;
}
};
@@ -139,7 +141,7 @@ void deleteRootsModule()
{
if (PK11_HasRootCerts(slot))
{
- OSL_TRACE("[xmlsecurity] The root certifificates module \"%s"
+ xmlsec_trace("The root certifificates module \"%s"
"\" is already loaded: \n%s",
module->commonName, module->dllName);
@@ -157,11 +159,11 @@ void deleteRootsModule()
PRInt32 modType;
if (SECSuccess == SECMOD_DeleteModule(RootsModule->commonName, &modType))
{
- OSL_TRACE("[xmlsecurity] Deleted module \"%s\".", RootsModule->commonName);
+ xmlsec_trace("Deleted module \"%s\".", RootsModule->commonName);
}
else
{
- OSL_TRACE("[xmlsecurity] Failed to delete \"%s\" : \n%s",
+ xmlsec_trace("Failed to delete \"%s\" : \n%s",
RootsModule->commonName, RootsModule->dllName);
}
SECMOD_DestroyModule(RootsModule);
@@ -194,18 +196,36 @@ bool nsscrypto_initialize( const char* token, bool & out_nss_init )
{
bool return_value = true;
- OSL_TRACE("[xmlsecurity] Using profile: %s", token);
+ xmlsec_trace("Using profile: %s", token);
PR_Init( PR_USER_THREAD, PR_PRIORITY_NORMAL, 1 ) ;
- if( NSS_InitReadWrite( token ) != SECSuccess )
+ //token may be an empty string
+ if (token != NULL && strlen(token) > 0)
{
- char * error = NULL;
+ if( NSS_InitReadWrite( token ) != SECSuccess )
+ {
+ xmlsec_trace("Initializing NSS with profile failed.");
+ char * error = NULL;
- PR_GetErrorText(error);
- if (error)
- printf("%s",error);
- return false ;
+ PR_GetErrorText(error);
+ if (error)
+ xmlsec_trace("%s",error);
+ return false ;
+ }
+ }
+ else
+ {
+ xmlsec_trace("Initializing NSS without profile.");
+ if ( NSS_NoDB_Init(NULL) != SECSuccess )
+ {
+ xmlsec_trace("Initializing NSS without profile failed.");
+ char * error = NULL;
+ PR_GetErrorText(error);
+ if (error)
+ xmlsec_trace("%s",error);
+ return false ;
+ }
}
out_nss_init = true;
@@ -247,18 +267,18 @@ bool nsscrypto_initialize( const char* token, bool & out_nss_init )
SECMOD_DestroyModule(RootsModule);
RootsModule = 0;
if (found)
- OSL_TRACE("[xmlsecurity] Added new root certificate module "
+ xmlsec_trace("Added new root certificate module "
"\""ROOT_CERTS"\" contained in \n%s", ospath.getStr());
else
{
- OSL_TRACE("[xmlsecurity] FAILED to load the new root certificate module "
+ xmlsec_trace("FAILED to load the new root certificate module "
"\""ROOT_CERTS"\" contained in \n%s", ospath.getStr());
return_value = false;
}
}
else
{
- OSL_TRACE("[xmlsecurity] FAILED to add new root certifice module: "
+ xmlsec_trace("FAILED to add new root certifice module: "
"\""ROOT_CERTS"\" contained in \n%s", ospath.getStr());
return_value = false;
@@ -266,7 +286,7 @@ bool nsscrypto_initialize( const char* token, bool & out_nss_init )
}
else
{
- OSL_TRACE("[xmlsecurity] Adding new root certificate module failed.");
+ xmlsec_trace("Adding new root certificate module failed.");
return_value = false;
}
#if SYSTEM_MOZILLA
@@ -287,17 +307,17 @@ extern "C" void nsscrypto_finalize()
if (SECSuccess == SECMOD_UnloadUserModule(RootsModule))
{
- OSL_TRACE("[xmlsecurity] Unloaded module \""ROOT_CERTS"\".");
+ xmlsec_trace("Unloaded module \""ROOT_CERTS"\".");
}
else
{
- OSL_TRACE("[xmlsecurity] Failed unloadeding module \""ROOT_CERTS"\".");
+ xmlsec_trace("Failed unloadeding module \""ROOT_CERTS"\".");
}
SECMOD_DestroyModule(RootsModule);
}
else
{
- OSL_TRACE("[xmlsecurity] Unloading module \""ROOT_CERTS
+ xmlsec_trace("Unloading module \""ROOT_CERTS
"\" failed because it was not found.");
}
PK11_LogoutAll();
@@ -312,17 +332,16 @@ bool getMozillaCurrentProfile(
/*
* first, try to get the profile from "MOZILLA_CERTIFICATE_FOLDER"
*/
- char * env = getenv("MOZILLA_CERTIFICATE_FOLDER");
- if (env)
- {
- profilePath = rtl::OUString::createFromAscii( env );
- RTL_LOGFILE_PRODUCT_TRACE1( "XMLSEC: Using env MOZILLA_CERTIFICATE_FOLDER: %s", rtl::OUStringToOString( profilePath, RTL_TEXTENCODING_ASCII_US ).getStr() );
- return true;
- }
- else
- {
- RTL_LOGFILE_TRACE( "getMozillaCurrentProfile: Using MozillaBootstrap..." );
- mozilla::MozillaProductType productTypes[4] = {
+ char * env = getenv("MOZILLA_CERTIFICATE_FOLDER");
+ if (env)
+ {
+ profilePath = rtl::OUString::createFromAscii( env );
+ RTL_LOGFILE_PRODUCT_TRACE1( "XMLSEC: Using env MOZILLA_CERTIFICATE_FOLDER: %s", rtl::OUStringToOString( profilePath, RTL_TEXTENCODING_ASCII_US ).getStr() );
+ return true;
+ }
+ else
+ {
+ mozilla::MozillaProductType productTypes[4] = {
mozilla::MozillaProductType_Thunderbird,
mozilla::MozillaProductType_Mozilla,
mozilla::MozillaProductType_Firefox,
@@ -343,8 +362,6 @@ bool getMozillaCurrentProfile(
{
::rtl::OUString profile = xMozillaBootstrap->getDefaultProfile(productTypes[i]);
- RTL_LOGFILE_TRACE2( "getMozillaCurrentProfile: getDefaultProfile [%i] returns %s", i, rtl::OUStringToOString( profile, RTL_TEXTENCODING_ASCII_US ).getStr() );
-
if (profile != NULL && profile.getLength()>0)
{
profilePath = xMozillaBootstrap->getProfilePath(productTypes[i],profile);
@@ -401,36 +418,9 @@ cssu::Reference< cssxc::XXMLSecurityContext > SAL_CALL
}
- if( !sCertDir.getLength() )
- {
- RTL_LOGFILE_TRACE( "XMLSEC: Error - No certificate directory!" );
- // return NULL;
- }
-
-
- /* Initialize NSPR and NSS */
- /* Replaced with new methods by AF. ----
- //PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1 ) ;
- PR_Init( PR_USER_THREAD, PR_PRIORITY_NORMAL, 1 ) ;
-
- if (NSS_Init(sCertDir.getStr()) != SECSuccess )
- {
- PK11_LogoutAll();
- return NULL;
- }
- ----*/
if( ! *initNSS( sCertDir.getStr() ) )
{
- RTL_LOGFILE_TRACE( "XMLSEC: Error - nsscrypto_initialize() failed." );
- if ( NSS_NoDB_Init(NULL) != SECSuccess )
- {
- RTL_LOGFILE_TRACE( "XMLSEC: NSS_NoDB_Init also failed, NSS Security not available!" );
- return NULL;
- }
- else
- {
- RTL_LOGFILE_TRACE( "XMLSEC: NSS_NoDB_Init works, enough for verifying signatures..." );
- }
+ return NULL;
}
pCertHandle = CERT_GetDefaultCertDB() ;
diff --git a/xmlsecurity/util/makefile.mk b/xmlsecurity/util/makefile.mk
index 582a40cd9a73..6ef221c7e309 100644
--- a/xmlsecurity/util/makefile.mk
+++ b/xmlsecurity/util/makefile.mk
@@ -70,8 +70,13 @@ DEF1EXPORTFILE = xsec_fw.dxp
#
# The 2nd shared library
#
+
SHL2NAME=xsec_xmlsec
SHL2TARGET= $(SHL2NAME)
+
+
+.IF "$(ENABLE_NSS_MODULE)"=="YES" || "$(SYSTEM_MOZILLA)" == "YES"
+
SHL2LIBS= \
$(SLB)$/xs_comm.lib
@@ -83,6 +88,9 @@ SHL2LIBS += \
$(SLB)$/xs_nss.lib
.ENDIF
+.ENDIF
+
+
SHL2STDLIBS += \
$(SALLIB) \
$(CPPULIB) \