diff options
| author | Release Engineers <releng@openoffice.org> | 2009-08-26 08:22:01 +0000 |
|---|---|---|
| committer | Release Engineers <releng@openoffice.org> | 2009-08-26 08:22:01 +0000 |
| commit | f63344dfd605937b34100fcfeee2ed5f93a777a9 (patch) | |
| tree | 36a6382e302fa78205f3d032bd82496d61424a70 /xmlsecurity | |
| parent | b84d6fb52b4ad1972a8158abdd18b2750538f6d1 (diff) | |
CWS-TOOLING: integrate CWS jl127
2009-07-30 10:12:10 +0200 jl r274470 : #i100873# switch on checking for symbol definitions. It works with the current xpcom lib.
2009-07-29 09:48:29 +0200 jl r274443 : #i100873#
2009-07-29 09:47:36 +0200 jl r274442 : #i100873# changes after resync with DEV300m53 which contains the seamonkey update
2009-07-28 10:00:03 +0200 jl r274389 : #100873# Patches from tono
2009-07-27 16:59:39 +0200 jl r274372 : CWS-TOOLING: rebase CWS jl127 to trunk@274203 (milestone: DEV300:m53)
2009-07-07 09:08:53 +0200 jl r273768 : #100873#
2009-07-06 17:16:10 +0200 jl r273754 : #100873#
2009-07-01 13:58:09 +0200 jl r273576 : #100873# added to readme
2009-07-01 13:15:02 +0200 jl r273573 : #100873# deliver lib files when building with MS compiler
2009-06-30 11:22:06 +0200 jl r273498 : #i100873# accidentally commented out patch_files
2009-06-30 09:01:10 +0200 jl r273489 : #100873# make rc.exe work in ooo windows build
2009-06-29 09:47:56 +0200 jl r273451 : #i100873# applied mingw patch from tono
2009-06-24 12:52:14 +0200 jl r273332 : #100873# reapplying the configure.in patch on version 273150
2009-06-24 12:51:12 +0200 jl r273331 : #100873# reapplying the patch on version 273150
2009-06-23 17:17:36 +0200 jl r273299 : #100873# manually modified patch from tono
2009-06-22 17:05:41 +0200 jl r273243 : #100873# applying mingw patch from tono
2009-06-22 17:02:30 +0200 jl r273242 : #100873# applying mingw patch from tono
2009-06-22 12:49:57 +0200 jl r273216 : #100873# dependency to stlport
2009-06-19 11:56:16 +0200 jl r273155 : #100873# undoing a previous change, instset_native complained about missing libjpipe.jnilib (jurt)
2009-06-19 10:13:03 +0200 jl r273150 : #100873# ooo builds shall also use the new nss by default
2009-06-18 14:32:07 +0200 jl r273117 : #110873# more debug output when verifying a certificate
2009-06-16 11:23:50 +0200 jl r273012 : #i10873#
2009-06-16 10:57:41 +0200 jl r273011 : #100873# wrong parameter definition in nsscrypto_initialize
2009-06-16 10:56:45 +0200 jl r273010 : #100873# wrong parameter definition in nsscrypto_initialize
2009-06-15 16:20:42 +0200 jl r272996 : #100873# initialization of NSS is now threadsafe
2009-06-10 12:50:46 +0200 jl r272804 : #100873# rename in foreach fails in 4nt
2009-06-09 13:43:00 +0200 jl r272768 : #i100873# deliver only .h from inc/nss otherwise we get a warning when nss/nssck.api is delivered
2009-06-08 16:15:44 +0200 jl r272739 : #i100873#
2009-06-08 16:04:54 +0200 jl r272738 : #i100873#
2009-06-08 15:45:52 +0200 jl r272736 : #i100873#
2009-06-08 15:44:15 +0200 jl r272735 : #i100873# unzipping of nss.tar.z not working with 4nt
2009-06-08 09:45:46 +0200 jl r272720 : #i100873#
2009-06-03 13:53:52 +0200 jl r272562 : #i100873# MOZILLABUILD not correct
2009-06-03 13:17:54 +0200 jl r272557 : #i100873# readme and makefile changes from cws jl125, support of new nss module
2009-06-03 09:57:40 +0200 jl r272544 : #i100873# added readme
2009-06-02 16:47:47 +0200 jl r272512 : #i100873# removed no longer needed stuff regarding jnilibs
2009-06-02 15:54:42 +0200 jl r272510 : #i100873# added NSS to BUILD_TYPE
2009-06-02 15:20:18 +0200 jl r272508 : #i100873# DEREFERENCE option for copy command
2009-06-02 13:00:12 +0200 jl r272496 : #i100873# PATCH_FILE_NAMES is now PATCH_FILES
2009-06-02 12:23:39 +0200 jl r272494 : #i100873# build dependency to nss
2009-05-29 16:21:40 +0200 jl r272470 : #i100873# seting ENABLE_NSS_MODULE==YES and includeing mozilla-build-1.3 folder in environment
2009-05-29 16:03:23 +0200 jl r272468 : #i100873# use intermediate certificates when validating a certificate
2009-05-29 15:57:16 +0200 jl r272466 : #i100873# use intermediate certificates when validating a certificate
2009-05-29 15:49:58 +0200 jl r272464 : #i100873# using ENABLE_NSS_MODULE
2009-05-29 15:33:14 +0200 jl r272463 : #i100873# using ENABLE_NSS_MODULE
2009-05-29 15:28:39 +0200 jl r272461 : #i100873# build dependency to nss module
2009-05-29 15:24:57 +0200 jl r272460 : #i100873# pass additional certificates into verifyCertificate function
2009-05-29 14:49:40 +0200 jl r272458 : #i100873# new NSS module
2009-05-29 14:43:44 +0200 jl r272457 : #i100873# new NSS module
Diffstat (limited to 'xmlsecurity')
11 files changed, 382 insertions, 109 deletions
diff --git a/xmlsecurity/prj/build.lst b/xmlsecurity/prj/build.lst index b9853a77c6f2..cd438326bd00 100644 --- a/xmlsecurity/prj/build.lst +++ b/xmlsecurity/prj/build.lst @@ -1,4 +1,4 @@ -xs xmlsecurity : l10n xmloff unotools offapi unoil svx MOZ:moz SO:moz_prebuilt LIBXMLSEC:libxmlsec NULL +xs xmlsecurity : l10n xmloff unotools offapi unoil svx MOZ:moz SO:moz_prebuilt LIBXMLSEC:libxmlsec NSS:nss NULL xs xmlsecurity usr1 - all xs_mkout NULL xs xmlsecurity\inc nmake - all xs_inc NULL xs xmlsecurity\source\framework nmake - all xs_fw xs_inc NULL diff --git a/xmlsecurity/source/component/documentdigitalsignatures.cxx b/xmlsecurity/source/component/documentdigitalsignatures.cxx index 831eb48befae..c65aed21dd3f 100644 --- a/xmlsecurity/source/component/documentdigitalsignatures.cxx +++ b/xmlsecurity/source/component/documentdigitalsignatures.cxx @@ -254,7 +254,8 @@ Sequence< ::com::sun::star::security::DocumentSignatureInformation > DocumentDig if (rSigInfo.Signer.is()) { try { - rSigInfo.CertificateStatus = xSecEnv->verifyCertificate(rSigInfo.Signer); + rSigInfo.CertificateStatus = xSecEnv->verifyCertificate(rSigInfo.Signer, + Sequence<Reference<css::security::XCertificate> >()); } catch (SecurityException& ) { OSL_ENSURE(0, "Verification of certificate failed"); rSigInfo.CertificateStatus = css::security::CertificateValidity::INVALID; diff --git a/xmlsecurity/source/dialogs/certificateviewer.cxx b/xmlsecurity/source/dialogs/certificateviewer.cxx index 0d77d05df31c..fb9b41d5f637 100644 --- a/xmlsecurity/source/dialogs/certificateviewer.cxx +++ b/xmlsecurity/source/dialogs/certificateviewer.cxx @@ -126,7 +126,8 @@ CertificateViewerGeneralTP::CertificateViewerGeneralTP( Window* _pParent, Certif maKeyImg.SetImage( Image( XMLSEC_RES( IMG_KEY_HC ) ) ); //Verify the certificate - sal_Int32 certStatus = mpDlg->mxSecurityEnvironment->verifyCertificate(mpDlg->mxCert); + sal_Int32 certStatus = mpDlg->mxSecurityEnvironment->verifyCertificate(mpDlg->mxCert, + Sequence<Reference<css::security::XCertificate> >()); //We currently have two status //These errors are alloweds sal_Int32 validCertErrors = css::security::CertificateValidity::VALID @@ -481,7 +482,8 @@ void CertificateViewerCertPathTP::ActivatePage() const Reference< security::XCertificate > rCert = pCertPath[ --i ]; String sName = XmlSec::GetContentPart( rCert->getSubjectName() ); //Verify the certificate - sal_Int32 certStatus = mpDlg->mxSecurityEnvironment->verifyCertificate(rCert); + sal_Int32 certStatus = mpDlg->mxSecurityEnvironment->verifyCertificate(rCert, + Sequence<Reference<css::security::XCertificate> >()); //We currently have two status //These errors are alloweds sal_Int32 validCertErrors = css::security::CertificateValidity::VALID diff --git a/xmlsecurity/source/dialogs/digitalsignaturesdialog.cxx b/xmlsecurity/source/dialogs/digitalsignaturesdialog.cxx index e0c27b59c3c0..109959be1554 100644 --- a/xmlsecurity/source/dialogs/digitalsignaturesdialog.cxx +++ b/xmlsecurity/source/dialogs/digitalsignaturesdialog.cxx @@ -530,7 +530,8 @@ void DigitalSignaturesDialog::ImplFillSignaturesBox() { //check the validity of the cert try { - sal_Int32 certResult = xSecEnv->verifyCertificate(xCert); + sal_Int32 certResult = xSecEnv->verifyCertificate(xCert, + Sequence<css::uno::Reference<css::security::XCertificate> >()); //These errors are alloweds sal_Int32 validErrors = css::security::CertificateValidity::VALID diff --git a/xmlsecurity/source/xmlsec/mscrypt/securityenvironment_mscryptimpl.cxx b/xmlsecurity/source/xmlsec/mscrypt/securityenvironment_mscryptimpl.cxx index c6c71c01a677..1b35d2b968bc 100644 --- a/xmlsecurity/source/xmlsec/mscrypt/securityenvironment_mscryptimpl.cxx +++ b/xmlsecurity/source/xmlsec/mscrypt/securityenvironment_mscryptimpl.cxx @@ -882,7 +882,33 @@ Reference< XCertificate > SecurityEnvironment_MSCryptImpl :: createCertificateFr return createCertificateFromRaw( rawCert ) ; } -sal_Int32 SecurityEnvironment_MSCryptImpl :: verifyCertificate( const ::com::sun::star::uno::Reference< ::com::sun::star::security::XCertificate >& aCert ) throw( ::com::sun::star::uno::SecurityException, ::com::sun::star::uno::RuntimeException ) { + +HCERTSTORE getCertStoreForIntermediatCerts( + const Sequence< Reference< ::com::sun::star::security::XCertificate > >& seqCerts) +{ + HCERTSTORE store = NULL; + store = CertOpenStore( + CERT_STORE_PROV_MEMORY, 0, NULL, 0, NULL); + if (store == NULL) + return NULL; + + for (int i = 0; i < seqCerts.getLength(); i++) + { + Sequence<sal_Int8> data = seqCerts[i]->getEncoded(); + PCCERT_CONTEXT cert = CertCreateCertificateContext( + X509_ASN_ENCODING, ( const BYTE* )&data[0], data.getLength()); + //Adding the certificate creates a copy and not just increases the ref count + //Therefore we free later the certificate that we now add + CertAddCertificateContextToStore(store, cert, CERT_STORE_ADD_ALWAYS, NULL); + CertFreeCertificateContext(cert); + } + return store; +} +sal_Int32 SecurityEnvironment_MSCryptImpl :: verifyCertificate( + const Reference< ::com::sun::star::security::XCertificate >& aCert, + const Sequence< Reference< ::com::sun::star::security::XCertificate > >& seqCerts) + throw( ::com::sun::star::uno::SecurityException, ::com::sun::star::uno::RuntimeException ) +{ sal_Int32 validity = 0; PCCERT_CHAIN_CONTEXT pChainContext = NULL; PCCERT_CONTEXT pCertContext = NULL; @@ -913,52 +939,50 @@ sal_Int32 SecurityEnvironment_MSCryptImpl :: verifyCertificate( const ::com::sun chainPara.cbSize = sizeof( CERT_CHAIN_PARA ) ; chainPara.RequestedUsage = certUsage ; + + HCERTSTORE hCollectionStore = NULL; + HCERTSTORE hIntermediateCertsStore = NULL; BOOL bChain = FALSE; if( pCertContext != NULL ) { - HCERTSTORE hAdditionalStore = NULL; - HCERTSTORE hCollectionStore = NULL; - if (m_hCertStore && m_hKeyStore) + hIntermediateCertsStore = + getCertStoreForIntermediatCerts(seqCerts); + + //Merge m_hCertStore and m_hKeyStore and the store of the intermediate + //certificates into one store. + hCollectionStore = CertOpenStore( + CERT_STORE_PROV_COLLECTION , + 0 , + NULL , + 0 , + NULL + ) ; + if (hCollectionStore != NULL) { - //Merge m_hCertStore and m_hKeyStore into one store. - hCollectionStore = CertOpenStore( - CERT_STORE_PROV_COLLECTION , - 0 , - NULL , - 0 , - NULL - ) ; - if (hCollectionStore != NULL) - { - CertAddStoreToCollection ( - hCollectionStore , - m_hCertStore , - CERT_PHYSICAL_STORE_ADD_ENABLE_FLAG , - 0) ; - CertAddStoreToCollection ( - hCollectionStore , - m_hCertStore , - CERT_PHYSICAL_STORE_ADD_ENABLE_FLAG , - 0) ; - hAdditionalStore = hCollectionStore; - } + CertAddStoreToCollection ( + hCollectionStore , + m_hCertStore , + CERT_PHYSICAL_STORE_ADD_ENABLE_FLAG , + 0) ; + CertAddStoreToCollection ( + hCollectionStore , + m_hCertStore , + CERT_PHYSICAL_STORE_ADD_ENABLE_FLAG , + 0) ; + CertAddStoreToCollection ( + hCollectionStore, + hIntermediateCertsStore, + CERT_PHYSICAL_STORE_ADD_ENABLE_FLAG, + 0); } - //if the merge of both stores failed then we add only m_hCertStore - if (hAdditionalStore == NULL && m_hCertStore) - hAdditionalStore = m_hCertStore; - else if (hAdditionalStore == NULL && m_hKeyStore) - hAdditionalStore = m_hKeyStore; - else - hAdditionalStore = NULL; - //CertGetCertificateChain searches by default in MY, CA, ROOT and TRUST bChain = CertGetCertificateChain( NULL , pCertContext , NULL , //use current system time - hAdditionalStore, + hCollectionStore, &chainPara , CERT_CHAIN_REVOCATION_CHECK_CHAIN | CERT_CHAIN_TIMESTAMP_TIME , NULL , @@ -967,8 +991,6 @@ sal_Int32 SecurityEnvironment_MSCryptImpl :: verifyCertificate( const ::com::sun if (!bChain) pChainContext = NULL; - //Close the additional store - CertCloseStore(hCollectionStore, CERT_CLOSE_STORE_CHECK_FLAG); } if(bChain && pChainContext != NULL ) @@ -1081,6 +1103,12 @@ sal_Int32 SecurityEnvironment_MSCryptImpl :: verifyCertificate( const ::com::sun if (pChainContext) CertFreeCertificateChain(pChainContext); + //Close the additional store, do not destroy the contained certs + CertCloseStore(hCollectionStore, CERT_CLOSE_STORE_CHECK_FLAG); + //Close the temporary store containing the intermediate certificates and make + //sure all certificates are deleted. + CertCloseStore(hIntermediateCertsStore, CERT_CLOSE_STORE_CHECK_FLAG); + return validity ; } diff --git a/xmlsecurity/source/xmlsec/mscrypt/securityenvironment_mscryptimpl.hxx b/xmlsecurity/source/xmlsec/mscrypt/securityenvironment_mscryptimpl.hxx index 9770d5c1cba7..f1441184602f 100644 --- a/xmlsecurity/source/xmlsec/mscrypt/securityenvironment_mscryptimpl.hxx +++ b/xmlsecurity/source/xmlsec/mscrypt/securityenvironment_mscryptimpl.hxx @@ -108,7 +108,11 @@ class SecurityEnvironment_MSCryptImpl : public ::cppu::WeakImplHelper4< virtual ::com::sun::star::uno::Reference< ::com::sun::star::security::XCertificate > SAL_CALL createCertificateFromAscii( const ::rtl::OUString& asciiCertificate ) throw( ::com::sun::star::uno::SecurityException , ::com::sun::star::uno::RuntimeException ) ; - virtual ::sal_Int32 SAL_CALL verifyCertificate( const ::com::sun::star::uno::Reference< ::com::sun::star::security::XCertificate >& xCert ) throw (::com::sun::star::uno::SecurityException, ::com::sun::star::uno::RuntimeException) ; + virtual ::sal_Int32 SAL_CALL verifyCertificate( + const ::com::sun::star::uno::Reference< ::com::sun::star::security::XCertificate >& xCert, + const ::com::sun::star::uno::Sequence< ::com::sun::star::uno::Reference< + ::com::sun::star::security::XCertificate > >& intermediateCertificates) + throw (::com::sun::star::uno::SecurityException, ::com::sun::star::uno::RuntimeException) ; virtual ::sal_Int32 SAL_CALL getCertificateCharacters( const ::com::sun::star::uno::Reference< ::com::sun::star::security::XCertificate >& xCert ) throw (::com::sun::star::uno::SecurityException, ::com::sun::star::uno::RuntimeException) ; virtual ::rtl::OUString SAL_CALL getSecurityEnvironmentInformation( ) throw (::com::sun::star::uno::RuntimeException); diff --git a/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx b/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx index d0e6670fd2ff..4a290ae2feb5 100644 --- a/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx +++ b/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx @@ -28,22 +28,20 @@ * ************************************************************************/ + // MARKER(update_precomp.py): autogen include statement, do not remove #include "precompiled_xmlsecurity.hxx" + +//todo before commit: nssrenam.h is not delivered!!! +#include "nssrenam.h" +#include "cert.h" +#include "secerr.h" + #include <sal/config.h> #include "securityenvironment_nssimpl.hxx" #include "x509certificate_nssimpl.hxx" #include <rtl/uuid.h> -#include "nspr.h" -#include "nss.h" -#include "secport.h" -#include "secitem.h" -#include "secder.h" -#include "secerr.h" -#include "limits.h" -#include "certt.h" -#include "prerror.h" #include <sal/types.h> //For reasons that escape me, this is what xmlsec does when size_t is not 4 @@ -64,7 +62,7 @@ #include <xmlsecurity/biginteger.hxx> #include <rtl/logfile.h> #include <com/sun/star/task/XInteractionHandler.hpp> - +#include <vector> #include "boost/scoped_array.hpp" // MM : added for password exception @@ -84,6 +82,7 @@ using ::com::sun::star::security::XCertificate ; extern X509Certificate_NssImpl* NssCertToXCert( CERTCertificate* cert ) ; extern X509Certificate_NssImpl* NssPrivKeyToXCert( SECKEYPrivateKey* ) ; + char* GetPasswordFunction( PK11SlotInfo* pSlot, PRBool bRetry, void* /*arg*/ ) { uno::Reference< lang::XMultiServiceFactory > xMSF( ::comphelper::getProcessServiceFactory() ); @@ -748,17 +747,23 @@ Reference< XCertificate > SecurityEnvironment_NssImpl :: createCertificateFromAs return createCertificateFromRaw( rawCert ) ; } -sal_Int32 SecurityEnvironment_NssImpl :: verifyCertificate( const ::com::sun::star::uno::Reference< ::com::sun::star::security::XCertificate >& aCert ) throw( ::com::sun::star::uno::SecurityException, ::com::sun::star::uno::RuntimeException ) { +sal_Int32 SecurityEnvironment_NssImpl :: +verifyCertificate( const Reference< csss::XCertificate >& aCert, + const Sequence< Reference< csss::XCertificate > >& intermediateCerts ) + throw( ::com::sun::star::uno::SecurityException, ::com::sun::star::uno::RuntimeException ) +{ sal_Int32 validity = 0; const X509Certificate_NssImpl* xcert ; const CERTCertificate* cert ; - + ::std::vector<CERTCertificate*> vecTmpNSSCertificates; Reference< XUnoTunnel > xCertTunnel( aCert, UNO_QUERY ) ; if( !xCertTunnel.is() ) { throw RuntimeException() ; } - + OSL_TRACE("[xmlsecurity] Start verification of certificate: %s", + OUStringToOString( + aCert->getIssuerName(), osl_getThreadTextEncoding()).getStr()); xcert = reinterpret_cast<X509Certificate_NssImpl*>( @@ -769,7 +774,38 @@ sal_Int32 SecurityEnvironment_NssImpl :: verifyCertificate( const ::com::sun::st cert = xcert->getNssCert() ; if( cert != NULL ) + { + + //prepare the intermediate certificates + CERTCertDBHandle * certDb = m_pHandler != NULL ? m_pHandler : CERT_GetDefaultCertDB(); + for (sal_Int32 i = 0; i < intermediateCerts.getLength(); i++) { + Sequence<sal_Int8> der = intermediateCerts[i]->getEncoded(); + SECItem item; + item.type = siBuffer; + item.data = (unsigned char*)der.getArray(); + item.len = der.getLength(); + + CERTCertificate* certTmp = CERT_NewTempCertificate(certDb, &item, + NULL /* nickname */, + PR_FALSE /* isPerm */, + PR_TRUE /* copyDER */); + if (!certTmp) + { + OSL_TRACE("[xmlsecurity] Failed to add a temporary certificate: %s", + OUStringToOString(intermediateCerts[i]->getIssuerName(), + osl_getThreadTextEncoding()).getStr()); + + } + else + { + OSL_TRACE("[xmlsecurity] Added temporary certificate: %s", + certTmp->subjectName ? certTmp->subjectName : ""); + vecTmpNSSCertificates.push_back(certTmp); + } + } + + int64 timeboundary ; SECStatus status ; @@ -779,15 +815,15 @@ sal_Int32 SecurityEnvironment_NssImpl :: verifyCertificate( const ::com::sun::st // create log - CERTVerifyLog realLog; + CERTVerifyLog realLog; CERTVerifyLog *log; - log = &realLog; + log = &realLog; - log->count = 0; - log->head = NULL; - log->tail = NULL; + log->count = 0; + log->head = NULL; + log->tail = NULL; log->arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE ); //CERTVerifyLog *log; @@ -798,11 +834,6 @@ sal_Int32 SecurityEnvironment_NssImpl :: verifyCertificate( const ::com::sun::st //log->arena = arena; validity = csss::CertificateValidity::INVALID; - CERTCertificateList * certList; - - certList = CERT_CertChainFromCert( (CERTCertificateStr *) cert, (SECCertUsage) 0, 0); - - if( m_pHandler != NULL ) { //JL: We must not pass a particular usage in the requiredUsages argument (the 4th) because, @@ -894,9 +925,23 @@ sal_Int32 SecurityEnvironment_NssImpl :: verifyCertificate( const ::com::sun::st } else { + validity = ::com::sun::star::security::CertificateValidity::INVALID ; } + //Destroying the temporary certificates + std::vector<CERTCertificate*>::const_iterator cert_i; + for (cert_i = vecTmpNSSCertificates.begin(); cert_i != vecTmpNSSCertificates.end(); cert_i++) + { + OSL_TRACE("[xmlsecurity] Destroying temporary certificate"); + CERT_DestroyCertificate(*cert_i); + } +#if OSL_DEBUG_LEVEL > 1 + if (validity == ::com::sun::star::security::CertificateValidity::VALID) + OSL_TRACE("[xmlsecurity] Certificate is valid."); + else + OSL_TRACE("[xmlsecurity] Certificate is invalid."); +#endif return validity ; } diff --git a/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.hxx b/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.hxx index bfa9295e50fe..d6586794bea5 100644 --- a/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.hxx +++ b/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.hxx @@ -115,7 +115,13 @@ private : static ::com::sun::star::uno::Reference< ::com::sun::star::lang::XSingleServiceFactory > impl_createFactory( const ::com::sun::star::uno::Reference< ::com::sun::star::lang::XMultiServiceFactory >& aServiceManager ) ; - virtual ::sal_Int32 SAL_CALL verifyCertificate( const ::com::sun::star::uno::Reference< ::com::sun::star::security::XCertificate >& xCert ) throw (::com::sun::star::uno::SecurityException, ::com::sun::star::uno::RuntimeException) ; + virtual ::sal_Int32 SAL_CALL verifyCertificate( + const ::com::sun::star::uno::Reference< + ::com::sun::star::security::XCertificate >& xCert, + const ::com::sun::star::uno::Sequence< + ::com::sun::star::uno::Reference< ::com::sun::star::security::XCertificate > > & + intermediateCerts) + throw (::com::sun::star::uno::SecurityException, ::com::sun::star::uno::RuntimeException) ; virtual ::sal_Int32 SAL_CALL getCertificateCharacters( const ::com::sun::star::uno::Reference< ::com::sun::star::security::XCertificate >& xCert ) throw (::com::sun::star::uno::SecurityException, ::com::sun::star::uno::RuntimeException) ; diff --git a/xmlsecurity/source/xmlsec/nss/seinitializer_nssimpl.cxx b/xmlsecurity/source/xmlsec/nss/seinitializer_nssimpl.cxx index 5a3c80dfb162..3255a2d5bf58 100644 --- a/xmlsecurity/source/xmlsec/nss/seinitializer_nssimpl.cxx +++ b/xmlsecurity/source/xmlsec/nss/seinitializer_nssimpl.cxx @@ -54,7 +54,12 @@ #include <sal/types.h> - +#include "rtl/instance.hxx" +#include "rtl/bootstrap.hxx" +#include "rtl/string.hxx" +#include "rtl/strbuf.hxx" +#include "osl/file.hxx" +#include "osl/thread.h" #include <tools/debug.hxx> #include <rtl/logfile.hxx> @@ -64,18 +69,10 @@ #include <com/sun/star/mozilla/XMozillaBootstrap.hpp> #include "nspr.h" -#include "prtypes.h" -#include "pk11func.h" -#ifdef SYSTEM_MOZILLA -#include "nssrenam.h" -#include "secmod.h" -#endif #include "cert.h" -#include "cryptohi.h" -#include "certdb.h" #include "nss.h" -#include "prerror.h" - +#include "secmod.h" +#include "nssckbi.h" namespace cssu = com::sun::star::uno; @@ -83,49 +80,234 @@ namespace cssl = com::sun::star::lang; namespace cssxc = com::sun::star::xml::crypto; using namespace com::sun::star; +using ::rtl::OUString; +using ::rtl::OString; #define SERVICE_NAME "com.sun.star.xml.crypto.SEInitializer" #define IMPLEMENTATION_NAME "com.sun.star.xml.security.bridge.xmlsec.SEInitializer_NssImpl" #define SECURITY_ENVIRONMENT "com.sun.star.xml.crypto.SecurityEnvironment" #define SECURITY_CONTEXT "com.sun.star.xml.crypto.XMLSecurityContext" -bool nsscrypto_initialize( const char* token ) { - static char initialized = 0 ; - //PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1 ) ; - if( !initialized ) { - PR_Init( PR_USER_THREAD, PR_PRIORITY_NORMAL, 1 ) ; +#define ROOT_CERTS "Root Certs for OpenOffice.org" + + +extern "C" void nsscrypto_finalize(); + + +namespace +{ - if( NSS_InitReadWrite( token ) != SECSuccess ) +bool nsscrypto_initialize( const char * sProfile, bool & out_nss_init); + +struct InitNSSInitialize +{ + //path to the database folder + const OString m_sProfile; + InitNSSInitialize(const OString & sProfile): m_sProfile(sProfile) {}; + bool * operator()() + { + static bool bInitialized = false; + bool bNSSInit = false; + bInitialized = nsscrypto_initialize(m_sProfile.getStr(), bNSSInit); + if (bNSSInit) + atexit(nsscrypto_finalize ); + return & bInitialized; + + } +}; + +bool * initNSS(const OString & sProfile) +{ + return rtl_Instance< bool, InitNSSInitialize, + ::osl::MutexGuard, ::osl::GetGlobalMutex >::create( + InitNSSInitialize(sProfile), ::osl::GetGlobalMutex()); +} + +void deleteRootsModule() +{ + SECMODModule *RootsModule = 0; + SECMODModuleList *list = SECMOD_GetDefaultModuleList(); + SECMODListLock *lock = SECMOD_GetDefaultModuleListLock(); + SECMOD_GetReadLock(lock); + + while (!RootsModule && list) + { + SECMODModule *module = list->module; + + for (int i=0; i < module->slotCount; i++) + { + PK11SlotInfo *slot = module->slots[i]; + if (PK11_IsPresent(slot)) + { + if (PK11_HasRootCerts(slot)) { - char * error = NULL; + OSL_TRACE("[xmlsecurity] The root certifificates module \"%s" + "\" is already loaded: \n%s", + module->commonName, module->dllName); - PR_GetErrorText(error); - if (error) - printf("%s",error); - return false ; + RootsModule = SECMOD_ReferenceModule(module); + break; } + } + } + list = list->next; + } + SECMOD_ReleaseReadLock(lock); -#ifdef SYSTEM_MOZILLA - if (!SECMOD_HasRootCerts()) + if (RootsModule) + { + PRInt32 modType; + if (SECSuccess == SECMOD_DeleteModule(RootsModule->commonName, &modType)) + { + OSL_TRACE("[xmlsecurity] Deleted module \"%s\".", RootsModule->commonName); + } + else { - SECMOD_AddNewModule("Root Certs", "libnssckbi" SAL_DLLEXTENSION, - 0, 0); + OSL_TRACE("[xmlsecurity] Failed to delete \"%s\" : \n%s", + RootsModule->commonName, RootsModule->dllName); } + SECMOD_DestroyModule(RootsModule); + RootsModule = 0; + } +} + +//Older versions of Firefox (FF), for example FF2, and Thunderbird (TB) 2 write +//the roots certificate module (libnssckbi.so), which they use, into the +//profile. This module will then already be loaded during NSS_Init (and the +//other init functions). This fails in two cases. First, FF3 was used to create +//the profile, or possibly used that profile before, and second the profile was +//used on a different platform. +// +//Then one needs to add the roots module oneself. This should be done with +//SECMOD_LoadUserModule rather then SECMOD_AddNewModule. The latter would write +//the location of the roots module to the profile, which makes FF2 and TB2 use +//it instead of there own module. +// +//When using SYSTEM_MOZILLA then the libnss3.so lib is typically found in +///usr/lib. This folder may, however, NOT contain the roots certificate +//module. That is, just providing the library name in SECMOD_LoadUserModule or +//SECMOD_AddNewModule will FAIL to load the mozilla unless the LD_LIBRARY_PATH +//contains an FF or TB installation. +//ATTENTION: DO NOT call this function directly instead use initNSS +//return true - whole initialization was successful +//param out_nss_init = true: at least the NSS initialization (NSS_InitReadWrite +//was successful and therefor NSS_Shutdown should be called when terminating. +bool nsscrypto_initialize( const char* token, bool & out_nss_init ) +{ + bool return_value = true; + + OSL_TRACE("[xmlsecurity] Using profile: %s", token); + + PR_Init( PR_USER_THREAD, PR_PRIORITY_NORMAL, 1 ) ; + + if( NSS_InitReadWrite( token ) != SECSuccess ) + { + char * error = NULL; + + PR_GetErrorText(error); + if (error) + printf("%s",error); + return false ; + } + out_nss_init = true; + +#if defined SYSTEM_MOZILLA + if (!SECMOD_HasRootCerts()) + { #endif + deleteRootsModule(); + +#if defined SYSTEM_MOZILLA + OUString rootModule(RTL_CONSTASCII_USTRINGPARAM("libnssckbi"SAL_DLLEXTENSION)); +#else + OUString rootModule(RTL_CONSTASCII_USTRINGPARAM("${OOO_BASE_DIR}/program/libnssckbi"SAL_DLLEXTENSION)); +#endif + ::rtl::Bootstrap::expandMacros(rootModule); + + OUString rootModulePath; + if (::osl::File::E_None == ::osl::File::getSystemPathFromFileURL(rootModule, rootModulePath)) + { + ::rtl::OString ospath = ::rtl::OUStringToOString(rootModulePath, osl_getThreadTextEncoding()); + ::rtl::OStringBuffer pkcs11moduleSpec; + pkcs11moduleSpec.append("name=\""); + pkcs11moduleSpec.append(ROOT_CERTS); + pkcs11moduleSpec.append("\" library=\""); + pkcs11moduleSpec.append(ospath.getStr()); + pkcs11moduleSpec.append("\""); + + SECMODModule * RootsModule = + SECMOD_LoadUserModule( + const_cast<char*>(pkcs11moduleSpec.makeStringAndClear().getStr()), + 0, // no parent + PR_FALSE); // do not recurse + + if (RootsModule) + { + + bool found = RootsModule->loaded; + + SECMOD_DestroyModule(RootsModule); + RootsModule = 0; + if (found) + OSL_TRACE("[xmlsecurity] Added new root certificate module " + "\""ROOT_CERTS"\" contained in \n%s", ospath.getStr()); + else + { + OSL_TRACE("[xmlsecurity] FAILED to load the new root certificate module " + "\""ROOT_CERTS"\" contained in \n%s", ospath.getStr()); + return_value = false; + } + } + else + { + OSL_TRACE("[xmlsecurity] FAILED to add new root certifice module: " + "\""ROOT_CERTS"\" contained in \n%s", ospath.getStr()); + return_value = false; - initialized = 1 ; + } + } + else + { + OSL_TRACE("[xmlsecurity] Adding new root certificate module failed."); + return_value = false; + } +#if SYSTEM_MOZILLA } +#endif - return true ; + return return_value; } + // must be extern "C" because we pass the function pointer to atexit -extern "C" void nsscrypto_finalize() { +extern "C" void nsscrypto_finalize() +{ + SECMODModule *RootsModule = SECMOD_FindModule(ROOT_CERTS); + + if (RootsModule) + { + + if (SECSuccess == SECMOD_UnloadUserModule(RootsModule)) + { + OSL_TRACE("[xmlsecurity] Unloaded module \""ROOT_CERTS"\"."); + } + else + { + OSL_TRACE("[xmlsecurity] Failed unloadeding module \""ROOT_CERTS"\"."); + } + SECMOD_DestroyModule(RootsModule); + } + else + { + OSL_TRACE("[xmlsecurity] Unloading module \""ROOT_CERTS + "\" failed because it was not found."); + } PK11_LogoutAll(); NSS_Shutdown(); } + bool getMozillaCurrentProfile( const com::sun::star::uno::Reference< com::sun::star::lang::XMultiServiceFactory > &rxMSF, rtl::OUString& profilePath) @@ -143,7 +325,7 @@ bool getMozillaCurrentProfile( else { RTL_LOGFILE_TRACE( "getMozillaCurrentProfile: Using MozillaBootstrap..." ); - mozilla::MozillaProductType productTypes[4] = { + mozilla::MozillaProductType productTypes[4] = { mozilla::MozillaProductType_Thunderbird, mozilla::MozillaProductType_Mozilla, mozilla::MozillaProductType_Firefox, @@ -180,6 +362,8 @@ bool getMozillaCurrentProfile( } } +} // namespace + SEInitializer_NssImpl::SEInitializer_NssImpl( const com::sun::star::uno::Reference< com::sun::star::lang::XMultiServiceFactory > &rxMSF) :mxMSF( rxMSF ) @@ -238,7 +422,7 @@ cssu::Reference< cssxc::XXMLSecurityContext > SAL_CALL return NULL; } ----*/ - if( !nsscrypto_initialize( sCertDir.getStr() ) ) + if( ! *initNSS( sCertDir.getStr() ) ) { RTL_LOGFILE_TRACE( "XMLSEC: Error - nsscrypto_initialize() failed." ); if ( NSS_NoDB_Init(NULL) != SECSuccess ) @@ -251,8 +435,6 @@ cssu::Reference< cssxc::XXMLSecurityContext > SAL_CALL RTL_LOGFILE_TRACE( "XMLSEC: NSS_NoDB_Init works, enough for verifying signatures..." ); } } - else - atexit(nsscrypto_finalize ); pCertHandle = CERT_GetDefaultCertDB() ; diff --git a/xmlsecurity/source/xmlsec/nss/x509certificate_nssimpl.cxx b/xmlsecurity/source/xmlsec/nss/x509certificate_nssimpl.cxx index c457b4fb8a30..d6b5e189330e 100644 --- a/xmlsecurity/source/xmlsec/nss/x509certificate_nssimpl.cxx +++ b/xmlsecurity/source/xmlsec/nss/x509certificate_nssimpl.cxx @@ -30,14 +30,10 @@ // MARKER(update_precomp.py): autogen include statement, do not remove #include "precompiled_xmlsecurity.hxx" -#include <sal/config.h> -#include <rtl/uuid.h> -#include "x509certificate_nssimpl.hxx" -#ifndef _CERTIFICATEEXTENSION_NSSIMPL_HXX_ -#include "certificateextension_xmlsecimpl.hxx" -#endif + +#include "nssrenam.h" #include "nspr.h" #include "nss.h" #include "secder.h" @@ -48,6 +44,17 @@ #include "pk11func.h" //MM : end + + +#include <sal/config.h> +#include <rtl/uuid.h> +#include "x509certificate_nssimpl.hxx" + +#ifndef _CERTIFICATEEXTENSION_NSSIMPL_HXX_ +#include "certificateextension_xmlsecimpl.hxx" +#endif + + using namespace ::com::sun::star::uno ; using namespace ::com::sun::star::security ; using ::rtl::OUString ; diff --git a/xmlsecurity/source/xmlsec/nss/x509certificate_nssimpl.hxx b/xmlsecurity/source/xmlsec/nss/x509certificate_nssimpl.hxx index 51b2b2fd1d7f..bb16bcc7fb6e 100644 --- a/xmlsecurity/source/xmlsec/nss/x509certificate_nssimpl.hxx +++ b/xmlsecurity/source/xmlsec/nss/x509certificate_nssimpl.hxx @@ -40,9 +40,6 @@ #include "com/sun/star/uno/SecurityException.hpp" #include <com/sun/star/security/XCertificate.hpp> -#ifdef SYSTEM_MOZILLA -#include "nssrenam.h" -#endif #include "cert.h" class X509Certificate_NssImpl : public ::cppu::WeakImplHelper2< |