/* -*- Mode: C; tab-width: 8; indent-tabs-mode: t; c-basic-offset: 8 -*- */
/* The following is the mozilla license blurb, as the bodies some of
* these functions were derived from the mozilla source. */
/* e-cert-db.c
*
* Version: MPL 1.1/GPL 2.0/LGPL 2.1
*
* The contents of this file are subject to the Mozilla Public License Version
* 1.1 (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
* http://www.mozilla.org/MPL/
*
* Software distributed under the License is distributed on an "AS IS" basis,
* WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
* for the specific language governing rights and limitations under the
* License.
*
* The Original Code is the Netscape security libraries.
*
* The Initial Developer of the Original Code is
* Netscape Communications Corporation.
* Portions created by the Initial Developer are Copyright (C) 1994-2000
* the Initial Developer. All Rights Reserved.
*
* Alternatively, the contents of this file may be used under the terms of
* either the GNU General Public License Version 2 or later (the "GPL"), or
* the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
* in which case the provisions of the GPL or the LGPL are applicable instead
* of those above. If you wish to allow use of your version of this file only
* under the terms of either the GPL or the LGPL, and not to allow others to
* use your version of this file under the terms of the MPL, indicate your
* decision by deleting the provisions above and replace them with the notice
* and other provisions required by the GPL or the LGPL. If you do not delete
* the provisions above, a recipient may use your version of this file under
* the terms of any one of the MPL, the GPL or the LGPL.
*/
/*
* Author: Chris Toshok (toshok@ximian.com)
*
* Copyright (C) 1999-2008 Novell, Inc. (www.novell.com)
*/
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
#include <gtk/gtk.h>
#include <glib/gi18n.h>
#include <glib/gstdio.h>
#include <camel/camel.h> /* FIXME: this is where camel_init is defined; it shouldn't include everything else */
#include <libedataserverui/libedataserverui.h>
/* private NSS defines used by PSM */
/* (must be declated before cert.h) */
#define CERT_NewTempCertificate __CERT_NewTempCertificate
#define CERT_AddTempCertToPerm __CERT_AddTempCertToPerm
#include "e-cert-db.h"
#include "e-cert-trust.h"
#include "e-pkcs12.h"
#include "gmodule.h"
#include "nss.h"
#include "ssl.h"
#include "p12plcy.h"
#include "pk11func.h"
#include "nssckbi.h"
#include <secerr.h>
#include "secmod.h"
#include "certdb.h"
#include "plstr.h"
#include "prprf.h"
#include "prmem.h"
#include "e-util/e-util.h"
#include "e-util/e-util-private.h"
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
enum {
PK11_PASSWD,
PK11_CHANGE_PASSWD,
CONFIRM_CA_CERT_IMPORT,
LAST_SIGNAL
};
static guint e_cert_db_signals[LAST_SIGNAL];
G_DEFINE_TYPE (ECertDB, e_cert_db, G_TYPE_OBJECT)
GQuark
e_certdb_error_quark (void)
{
static GQuark q = 0;
if (q == 0)
q = g_quark_from_static_string ("e-certdb-error-quark");
return q;
}
static const gchar *
nss_error_to_string (glong errorcode)
{
#define cs(a,b) case a: return b;
switch (errorcode) {
cs (SEC_ERROR_IO, "An I/O error occurred during security authorization.")
cs (SEC_ERROR_LIBRARY_FAILURE, "security library failure.")
cs (SEC_ERROR_BAD_DATA, "security library: received bad data.")
cs (SEC_ERROR_OUTPUT_LEN, "security library: output length error.")
cs (SEC_ERROR_INPUT_LEN, "security library has experienced an input length error.")
cs (SEC_ERROR_INVALID_ARGS, "security library: invalid arguments.")
cs (SEC_ERROR_INVALID_ALGORITHM, "security library: invalid algorithm.")
cs (SEC_ERROR_INVALID_AVA, "security library: invalid AVA.")
cs (SEC_ERROR_INVALID_TIME, "Improperly formatted time string.")
cs (SEC_ERROR_BAD_DER, "security library: improperly formatted DER-encoded message.")
cs (SEC_ERROR_BAD_SIGNATURE, "Peer's certificate has an invalid signature.")
cs (SEC_ERROR_EXPIRED_CERTIFICATE, "Peer's Certificate has expired.")
cs (SEC_ERROR_REVOKED_CERTIFICATE, "Peer's Certificate has been revoked.")
cs (SEC_ERROR_UNKNOWN_ISSUER, "Peer's Certificate issuer is not recognized.")
cs (SEC_ERROR_BAD_KEY, "Peer's public key is invalid.")
cs (SEC_ERROR_BAD_PASSWORD, "The security password entered is incorrect.")
cs (SEC_ERROR_RETRY_PASSWORD, "New password entered incorrectly. Please try again.")
cs (SEC_ERROR_NO_NODELOCK, "security library: no nodelock.")
cs (SEC_ERROR_BAD_DATABASE, "security library: bad database.")
cs (SEC_ERROR_NO_MEMORY, "security library: memory allocation failure.")
cs (SEC_ERROR_UNTRUSTED_ISSUER, "Peer's certificate issuer has been marked as not trusted by the user.")
cs (SEC_ERROR_UNTRUSTED_CERT, "Peer's certificate has been marked as not trusted by the user.")
cs (SEC_ERROR_DUPLICATE_CERT, "Certificate already exists in your database.")
cs (SEC_ERROR_DUPLICATE_CERT_NAME, "Downloaded certificate's name duplicates one already in your database.")
cs (SEC_ERROR_ADDING_CERT, "Error adding certificate to database.")
cs (SEC_ERROR_FILING_KEY, "Error refiling the key for this certificate.")
cs (SEC_ERROR_NO_KEY, "The private key for this certificate cannot be found in key database")
cs (SEC_ERROR_CERT_VALID, "This certificate is valid.")
cs (SEC_ERROR_CERT_NOT_VALID, "This certificate is not valid.")
cs (SEC_ERROR_CERT_NO_RESPONSE, "Cert Library: No Response")
cs (SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE, "The certificate issuer's certificate has expired. Check your system date and time.")
cs (SEC_ERROR_CRL_EXPIRED, "The CRL for the certificate's issuer has expired. Update it or check your system date and time.")
cs (SEC_ERROR_CRL_BAD_SIGNATURE, "The CRL for the certificate's issuer has an invalid signature.")
cs (SEC_ERROR_CRL_INVALID, "New CRL has an invalid format.")
cs (SEC_ERROR_EXTENSION_VALUE_INVALID, "Certificate extension value is invalid.")
cs (SEC_ERROR_EXTENSION_NOT_FOUND, "Certificate extension not found.")
cs (SEC_ERROR_CA_CERT_INVALID, "Issuer certificate is invalid.")
cs (SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID, "Certificate path length constraint is invalid.")
cs (SEC_ERROR_CERT_USAGES_INVALID, "Certificate usages field is invalid.")
cs (SEC_INTERNAL_ONLY, "**Internal ONLY module**")
cs (SEC_ERROR_INVALID_KEY, "The key does not support the requested operation.")
cs (SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION, "Certificate contains unknown critical extension.")
cs (SEC_ERROR_OLD_CRL, "New CRL is not later than the current one.")
cs (SEC_ERROR_NO_EMAIL_CERT, "Not encrypted or signed: you do not yet have an email certificate.")
cs (SEC_ERROR_NO_RECIPIENT_CERTS_QUERY, "Not encrypted: you do not have certificates for each of the recipients.")
cs (SEC_ERROR_NOT_A_RECIPIENT, "Cannot decrypt: you are not a recipient, or matching certificate and private key not found.")
cs (SEC_ERROR_PKCS7_KEYALG_MISMATCH, "Cannot decrypt: key encryption algorithm does not match your certificate.")
cs (SEC_ERROR_PKCS7_BAD_SIGNATURE, "Signature verification failed: no signer found, too many signers found, or improper or corrupted data.")
cs (SEC_ERROR_UNSUPPORTED_KEYALG, "Unsupported or unknown key algorithm.")
cs (SEC_ERROR_DECRYPTION_DISALLOWED, "Cannot decrypt: encrypted using a disallowed algorithm or key size.")
cs (XP_SEC_FORTEZZA_BAD_CARD, "Fortezza card has not been properly initialized. Please remove it and return it to your issuer.")
cs (XP_SEC_FORTEZZA_NO_CARD, "No Fortezza cards Found")
cs (XP_SEC_FORTEZZA_NONE_SELECTED, "No Fortezza card selected")
cs (XP_SEC_FORTEZZA_MORE_INFO, "Please select a personality to get more info on")
cs (XP_SEC_FORTEZZA_PERSON_NOT_FOUND, "Personality not found")
cs (XP_SEC_FORTEZZA_NO_MORE_INFO, "No more information on that Personality")
cs (XP_SEC_FORTEZZA_BAD_PIN, "Invalid Pin")
cs (XP_SEC_FORTEZZA_PERSON_ERROR, "Couldn't initialize Fortezza personalities.")
cs (SEC_ERROR_NO_KRL, "No KRL for this site's certificate has been found.")
cs (SEC_ERROR_KRL_EXPIRED, "The KRL for this site's certificate has expired.")
cs (SEC_ERROR_KRL_BAD_SIGNATURE, "The KRL for this site's certificate has an invalid signature.")
cs (SEC_ERROR_REVOKED_KEY, "The key for this site's certificate has been revoked.")
cs (SEC_ERROR_KRL_INVALID, "New KRL has an invalid format.")
cs (SEC_ERROR_NEED_RANDOM, "security library: need random data.")
cs (SEC_ERROR_NO_MODULE, "security library: no security module can perform the requested operation.")
cs (SEC_ERROR_NO_TOKEN, "The security card or token does not exist, needs to be initialized, or has been removed.")
cs (SEC_ERROR_READ_ONLY, "security library: read-only database.")
cs (SEC_ERROR_NO_SLOT_SELECTED, "No slot or token was selected.")
cs (SEC_ERROR_CERT_NICKNAME_COLLISION, "A certificate with the same nickname already exists.")
cs (SEC_ERROR_KEY_NICKNAME_COLLISION, "A key with the same nickname already exists.")
cs (SEC_ERROR_SAFE_NOT_CREATED, "error while creating safe object")
cs (SEC_ERROR_BAGGAGE_NOT_CREATED, "error while creating baggage object")
cs (XP_JAVA_REMOVE_PRINCIPAL_ERROR, "Couldn't remove the principal")
cs (XP_JAVA_DELETE_PRIVILEGE_ERROR, "Couldn't delete the privilege")
cs (XP_JAVA_CERT_NOT_EXISTS_ERROR, "This principal doesn't have a certificate")
cs (SEC_ERROR_BAD_EXPORT_ALGORITHM, "Required algorithm is not allowed.")
cs (SEC_ERROR_EXPORTING_CERTIFICATES, "Error attempting to export certificates.")
cs (SEC_ERROR_IMPORTING_CERTIFICATES, "Error attempting to import certificates.")
cs (SEC_ERROR_PKCS12_DECODING_PFX, "Unable to import. Decoding error. File not valid.")
cs (SEC_ERROR_PKCS12_INVALID_MAC, "Unable to import. Invalid MAC. Incorrect password or corrupt file.")
cs (SEC_ERROR_PKCS12_UNSUPPORTED_MAC_ALGORITHM, "Unable to import. MAC algorithm not supported.")
cs (SEC_ERROR_PKCS12_UNSUPPORTED_TRANSPORT_MODE, "Unable to import. Only password integrity and privacy modes supported.")
cs (SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE, "Unable to import. File structure is corrupt.")
cs (SEC_ERROR_PKCS12_UNSUPPORTED_PBE_ALGORITHM, "Unable to import. Encryption algorithm not supported.")
cs (SEC_ERROR_PKCS12_UNSUPPORTED_VERSION, "Unable to import. File version not supported.")
cs (SEC_ERROR_PKCS12_PRIVACY_PASSWORD_INCORRECT, "Unable to import. Incorrect privacy password.")
cs (SEC_ERROR_PKCS12_CERT_COLLISION, "Unable to import. Same nickname already exists in database.")
cs (SEC_ERROR_USER_CANCELLED, "The user pressed cancel.")
cs (SEC_ERROR_PKCS12_DUPLICATE_DATA, "Not imported, already in database.")
cs (SEC_ERROR_MESSAGE_SEND_ABORTED, "Message not sent.")
cs (SEC_ERROR_INADEQUATE_KEY_USAGE, "Certificate key usage inadequate for attempted operation.")
cs (SEC_ERROR_INADEQUATE_CERT_TYPE, "Certificate type not approved for application.")
cs (SEC_ERROR_CERT_ADDR_MISMATCH, "Address in signing certificate does not match address in message headers.")
cs (SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY, "Unable to import. Error attempting to import private key.")
cs (SEC_ERROR_PKCS12_IMPORTING_CERT_CHAIN, "Unable to import. Error attempting to import certificate chain.")
cs (SEC_ERROR_PKCS12_UNABLE_TO_LOCATE_OBJECT_BY_NAME, "Unable to export. Unable to locate certificate or key by nickname.")
cs (SEC_ERROR_PKCS12_UNABLE_TO_EXPORT_KEY, "Unable to export. Private Key could not be located and exported.")
cs (SEC_ERROR_PKCS12_UNABLE_TO_WRITE, "Unable to export. Unable to write the export file.")
cs (SEC_ERROR_PKCS12_UNABLE_TO_READ, "Unable to import. Unable to read the import file.")
cs (SEC_ERROR_PKCS12_KEY_DATABASE_NOT_INITIALIZED, "Unable to export. Key database corrupt or deleted.")
cs (SEC_ERROR_KEYGEN_FAIL, "Unable to generate public/private key pair.")
cs (SEC_ERROR_INVALID_PASSWORD, "Password entered is invalid. Please pick a different one.")
cs (SEC_ERROR_RETRY_OLD_PASSWORD, "Old password entered incorrectly. Please try again.")
cs (SEC_ERROR_BAD_NICKNAME, "Certificate nickname already in use.")
cs (SEC_ERROR_NOT_FORTEZZA_ISSUER, "Peer FORTEZZA chain has a non-FORTEZZA Certificate.")
cs (SEC_ERROR_CANNOT_MOVE_SENSITIVE_KEY, "A sensitive key cannot be moved to the slot where it is needed.")
cs (SEC_ERROR_JS_INVALID_MODULE_NAME, "Invalid module name.")
cs (SEC_ERROR_JS_INVALID_DLL, "Invalid module path/filename")
cs (SEC_ERROR_JS_ADD_MOD_FAILURE, "Unable to add module")
cs (SEC_ERROR_JS_DEL_MOD_FAILURE, "Unable to delete module")
cs (SEC_ERROR_OLD_KRL, "New KRL is not later than the current one.")
cs (SEC_ERROR_CKL_CONFLICT, "New CKL has different issuer than current CKL. Delete current CKL.")
cs (SEC_ERROR_CERT_NOT_IN_NAME_SPACE, "The Certifying Authority for this certificate is not permitted to issue a certificate with this name.")
cs (SEC_ERROR_KRL_NOT_YET_VALID, "The key revocation list for this certificate is not yet valid.")
cs (SEC_ERROR_CRL_NOT_YET_VALID, "The certificate revocation list for this certificate is not yet valid.")
cs (SEC_ERROR_UNKNOWN_CERT, "The requested certificate could not be found.")
cs (SEC_ERROR_UNKNOWN_SIGNER, "The signer's certificate could not be found.")
cs (SEC_ERROR_CERT_BAD_ACCESS_LOCATION, "The location for the certificate status server has invalid format.")
cs (SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE, "The OCSP response cannot be fully decoded; it is of an unknown type.")
cs (SEC_ERROR_OCSP_BAD_HTTP_RESPONSE, "The OCSP server returned unexpected/invalid HTTP data.")
cs (SEC_ERROR_OCSP_MALFORMED_REQUEST, "The OCSP server found the request to be corrupted or improperly formed.")
cs (SEC_ERROR_OCSP_SERVER_ERROR, "The OCSP server experienced an internal error.")
cs (SEC_ERROR_OCSP_TRY_SERVER_LATER, "The OCSP server suggests trying again later.")
cs (SEC_ERROR_OCSP_REQUEST_NEEDS_SIG, "The OCSP server requires a signature on this request.")
cs (SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST, "The OCSP server has refused this request as unauthorized.")
cs (SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS, "The OCSP server returned an unrecognizable status.")
cs (SEC_ERROR_OCSP_UNKNOWN_CERT, "The OCSP server has no status for the certificate.")
cs (SEC_ERROR_OCSP_NOT_ENABLED, "You must enable OCSP before performing this operation.")
cs (SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER, "You must set the OCSP default responder before performing this operation.")
cs (SEC_ERROR_OCSP_MALFORMED_RESPONSE, "The response from the OCSP server was corrupted or improperly formed.")
cs (SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE, "The signer of the OCSP response is not authorized to give status for this certificate.")
cs (SEC_ERROR_OCSP_FUTURE_RESPONSE, "The OCSP response is not yet valid (contains a date in the future).")
cs (SEC_ERROR_OCSP_OLD_RESPONSE, "The OCSP response contains out-of-date information.")
cs (SEC_ERROR_DIGEST_NOT_FOUND, "The CMS or PKCS #7 Digest was not found in signed message.")
cs (SEC_ERROR_UNSUPPORTED_MESSAGE_TYPE, "The CMS or PKCS #7 Message type is unsupported.")
cs (SEC_ERROR_MODULE_STUCK, "PKCS #11 module could not be removed because it is still in use.")
cs (SEC_ERROR_BAD_TEMPLATE, "Could not decode ASN.1 data. Specified template was invalid.")
cs (SEC_ERROR_CRL_NOT_FOUND, "No matching CRL was found.")
cs (SEC_ERROR_REUSED_ISSUER_AND_SERIAL, "You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.")
cs (SEC_ERROR_BUSY, "NSS could not shutdown. Objects are still in use.")
cs (SEC_ERROR_EXTRA_INPUT, "DER-encoded message contained extra unused data.")
cs (SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE, "Unsupported elliptic curve.")
cs (SEC_ERROR_UNSUPPORTED_EC_POINT_FORM, "Unsupported elliptic curve point form.")
cs (SEC_ERROR_UNRECOGNIZED_OID, "Unrecognized Object Identifier.")
cs (SEC_ERROR_OCSP_INVALID_SIGNING_CERT, "Invalid OCSP signing certificate in OCSP response.")
cs (SEC_ERROR_REVOKED_CERTIFICATE_CRL, "Certificate is revoked in issuer's certificate revocation list.")
cs (SEC_ERROR_REVOKED_CERTIFICATE_OCSP, "Issuer's OCSP responder reports certificate is revoked.")
cs (SEC_ERROR_CRL_INVALID_VERSION, "Issuer's Certificate Revocation List has an unknown version number.")
cs (SEC_ERROR_CRL_V1_CRITICAL_EXTENSION, "Issuer's V1 Certificate Revocation List has a critical extension.")
cs (SEC_ERROR_CRL_UNKNOWN_CRITICAL_EXTENSION, "Issuer's V2 Certificate Revocation List has an unknown critical extension.")
cs (SEC_ERROR_UNKNOWN_OBJECT_TYPE, "Unknown object type specified.")
cs (SEC_ERROR_INCOMPATIBLE_PKCS11, "PKCS #11 driver violates the spec in an incompatible way.")
cs (SEC_ERROR_NO_EVENT, "No new slot event is available at this time.")
cs (SEC_ERROR_CRL_ALREADY_EXISTS, "CRL already exists.")
cs (SEC_ERROR_NOT_INITIALIZED, "NSS is not initialized.")
cs (SEC_ERROR_TOKEN_NOT_LOGGED_IN, "The operation failed because the PKCS#11 token is not logged in.")
cs (SEC_ERROR_OCSP_RESPONDER_CERT_INVALID, "Configured OCSP responder's certificate is invalid.")
cs (SEC_ERROR_OCSP_BAD_SIGNATURE, "OCSP response has an invalid signature.")
#if defined (NSS_VMAJOR) && defined (NSS_VMINOR) && defined (NSS_VPATCH) && (NSS_VMAJOR > 3 || (NSS_VMAJOR == 3 && NSS_VMINOR > 12) || (NSS_VMAJOR == 3 && NSS_VMINOR == 12 && NSS_VPATCH >= 2))
cs (SEC_ERROR_OUT_OF_SEARCH_LIMITS, "Cert validation search is out of search limits")
cs (SEC_ERROR_INVALID_POLICY_MAPPING, "Policy mapping contains anypolicy")
cs (SEC_ERROR_POLICY_VALIDATION_FAILED, "Cert chain fails policy validation")
cs (SEC_ERROR_UNKNOWN_AIA_LOCATION_TYPE, "Unknown location type in cert AIA extension")
cs (SEC_ERROR_BAD_HTTP_RESPONSE, "Server returned bad HTTP response")
cs (SEC_ERROR_BAD_LDAP_RESPONSE, "Server returned bad LDAP response")
cs (SEC_ERROR_FAILED_TO_ENCODE_DATA, "Failed to encode data with ASN1 encoder")
cs (SEC_ERROR_BAD_INFO_ACCESS_LOCATION, "Bad information access location in cert extension")
cs (SEC_ERROR_LIBPKIX_INTERNAL, "Libpkix internal error occured during cert validation.")
cs (SEC_ERROR_PKCS11_GENERAL_ERROR, "A PKCS #11 module returned CKR_GENERAL_ERROR, indicating that an unrecoverable error has occurred.")
cs (SEC_ERROR_PKCS11_FUNCTION_FAILED, "A PKCS #11 module returned CKR_FUNCTION_FAILED, indicating that the requested function could not be performed. Trying the same operation again might succeed.")
cs (SEC_ERROR_PKCS11_DEVICE_ERROR, "A PKCS #11 module returned CKR_DEVICE_ERROR, indicating that a problem has occurred with the token or slot.")
#endif
}
#undef cs
return NULL;
}
static void
set_nss_error (GError **error)
{
glong err_code;
const gchar *err_str;
if (!error)
return;
g_return_if_fail (*error == NULL);
err_code = PORT_GetError ();
if (!err_code)
return;
err_str = nss_error_to_string (err_code);
if (!err_str)
return;
*error = g_error_new_literal (E_CERTDB_ERROR, err_code, err_str);
}
static SECStatus PR_CALLBACK
collect_certs (gpointer arg,
SECItem **certs,
gint numcerts)
{
CERTDERCerts *collectArgs;
SECItem *cert;
SECStatus rv;
collectArgs = (CERTDERCerts *) arg;
collectArgs->numcerts = numcerts;
collectArgs->rawCerts = (SECItem *) PORT_ArenaZAlloc (
collectArgs->arena, sizeof (SECItem) * numcerts);
if (collectArgs->rawCerts == NULL)
return (SECFailure);
cert = collectArgs->rawCerts;
while (numcerts--) {
rv = SECITEM_CopyItem (collectArgs->arena, cert, *certs);
if (rv == SECFailure)
return (SECFailure);
cert++;
certs++;
}
return (SECSuccess);
}
static CERTDERCerts *
e_cert_db_get_certs_from_package (PRArenaPool *arena,
gchar *data,
guint32 length)
{
/*nsNSSShutDownPreventionLock locker;*/
CERTDERCerts *collectArgs =
(CERTDERCerts *) PORT_ArenaZAlloc (arena, sizeof (CERTDERCerts));
SECStatus sec_rv;
if (!collectArgs)
return NULL;
collectArgs->arena = arena;
sec_rv = CERT_DecodeCertPackage (data,
length, collect_certs,
(gpointer) collectArgs);
if (sec_rv != SECSuccess)
return NULL;
return collectArgs;
}
#ifdef notyet
PRBool
ucs2_ascii_conversion_fn (PRBool toUnicode,
guchar *inBuf,
guint inBufLen,
guchar *outBuf,
guint maxOutBufLen,
guint *outBufLen,
PRBool swapBytes)
{
printf ("in ucs2_ascii_conversion_fn\n");
}
#endif
static gchar * PR_CALLBACK
pk11_password (PK11SlotInfo *slot,
PRBool retry,
gpointer arg)
{
gchar *pwd;
gchar *nsspwd;
gboolean rv = FALSE;
g_signal_emit (e_cert_db_peek (),
e_cert_db_signals[PK11_PASSWD], 0,
slot,
retry,
&pwd,
&rv);
if (pwd == NULL)
return NULL;
nsspwd = PORT_Strdup (pwd);
memset (pwd, 0, strlen (pwd));
g_free (pwd);
return nsspwd;
}
static void
initialize_nss (void)
{
/* Use camel_init() to initialise NSS consistently... */
camel_init (e_get_user_data_dir (), TRUE);
/* ... except for the bits we only seem to do here. FIXME */
PK11_SetPasswordFunc (pk11_password);
/* Enable ciphers for PKCS#12 */
SEC_PKCS12EnableCipher (PKCS12_RC4_40, 1);
SEC_PKCS12EnableCipher (PKCS12_RC4_128, 1);
SEC_PKCS12EnableCipher (PKCS12_RC2_CBC_40, 1);
SEC_PKCS12EnableCipher (PKCS12_RC2_CBC_128, 1);
SEC_PKCS12EnableCipher (PKCS12_DES_56, 1);
SEC_PKCS12EnableCipher (PKCS12_DES_EDE3_168, 1);
SEC_PKCS12SetPreferredCipher (PKCS12_DES_EDE3_168, 1);
#ifdef notyet
PORT_SetUCS2_ASCIIConversionFunction (ucs2_ascii_conversion_fn);
#endif
}
static void
install_loadable_roots (void)
{
SECMODModuleList *list = SECMOD_GetDefaultModuleList ();
SECMODListLock *lock = SECMOD_GetDefaultModuleListLock ();
SECMODModule *RootsModule = NULL;
gint i;
SECMOD_GetReadLock (lock);
while (!RootsModule && list) {
SECMODModule *module = list->module;
for (i = 0; i < module->slotCount; i++) {
PK11SlotInfo *slot = module->slots[i];
if (PK11_IsPresent (slot)) {
if (PK11_HasRootCerts (slot)) {
RootsModule = module;
break;
}
}
}
list = list->next;
}
SECMOD_ReleaseReadLock (lock);
if (RootsModule) {
/* Check version, and unload module if it is too old */
CK_INFO info;
if (PK11_GetModInfo (RootsModule, &info) != SECSuccess) {
/* Do not use this module */
RootsModule = NULL;
} else {
/* NSS_BUILTINS_LIBRARY_VERSION_MAJOR and NSS_BUILTINS_LIBRARY_VERSION_MINOR
* define the version we expect to have.
* Later version are fine.
* Older versions are not ok, and we will replace with our own version.
*/
if ((info.libraryVersion.major < NSS_BUILTINS_LIBRARY_VERSION_MAJOR)
|| (info.libraryVersion.major == NSS_BUILTINS_LIBRARY_VERSION_MAJOR
&& info.libraryVersion.minor < NSS_BUILTINS_LIBRARY_VERSION_MINOR)) {
PRInt32 modType;
SECMOD_DeleteModule (RootsModule->commonName, &modType);
RootsModule = NULL;
}
}
}
if (!RootsModule) {
#ifndef G_OS_WIN32
/* grovel in various places for mozilla's built-in
* cert module.
*
* XXX yes this is gross. *sigh *
*/
const gchar *paths_to_check[] = {
#ifdef MOZILLA_NSS_LIB_DIR
MOZILLA_NSS_LIB_DIR,
#endif
"/usr/lib",
"/usr/lib/mozilla",
"/opt/mozilla/lib",
"/opt/mozilla/lib/mozilla"
};
for (i = 0; i < G_N_ELEMENTS (paths_to_check); i++) {
gchar *dll_path = g_module_build_path (paths_to_check[i], "nssckbi");
if (g_file_test (dll_path, G_FILE_TEST_EXISTS)) {
PRInt32 modType;
/* Delete the existing module */
SECMOD_DeleteModule ("Mozilla Root Certs", &modType);
SECMOD_AddNewModule ("Mozilla Root Certs",dll_path, 0, 0);
g_free (dll_path);
break;
}
g_free (dll_path);
}
#else
/* FIXME: Might be useful to look up if there is a
* Mozilla installation on the machine and use the
* nssckbi.dll from there.
*/
#endif
}
}
static void
e_cert_db_class_init (ECertDBClass *class)
{
GObjectClass *object_class;
object_class = G_OBJECT_CLASS (class);
initialize_nss ();
/* check to see if you have a rootcert module installed */
install_loadable_roots ();
e_cert_db_signals[PK11_PASSWD] =
g_signal_new ("pk11_passwd",
G_OBJECT_CLASS_TYPE (object_class),
G_SIGNAL_RUN_LAST,
G_STRUCT_OFFSET (ECertDBClass, pk11_passwd),
NULL, NULL,
e_marshal_BOOLEAN__POINTER_BOOLEAN_POINTER,
G_TYPE_BOOLEAN, 3,
G_TYPE_POINTER, G_TYPE_BOOLEAN, G_TYPE_POINTER);
e_cert_db_signals[PK11_CHANGE_PASSWD] =
g_signal_new ("pk11_change_passwd",
G_OBJECT_CLASS_TYPE (object_class),
G_SIGNAL_RUN_LAST,
G_STRUCT_OFFSET (ECertDBClass, pk11_change_passwd),
NULL, NULL,
e_marshal_BOOLEAN__POINTER_POINTER,
G_TYPE_BOOLEAN, 2,
G_TYPE_POINTER, G_TYPE_POINTER);
e_cert_db_signals[CONFIRM_CA_CERT_IMPORT] =
g_signal_new ("confirm_ca_cert_import",
G_OBJECT_CLASS_TYPE (object_class),
G_SIGNAL_RUN_LAST,
G_STRUCT_OFFSET (ECertDBClass, confirm_ca_cert_import),
NULL, NULL,
e_marshal_BOOLEAN__POINTER_POINTER_POINTER_POINTER,
G_TYPE_BOOLEAN, 4,
G_TYPE_POINTER, G_TYPE_POINTER, G_TYPE_POINTER, G_TYPE_POINTER);
}
static void
e_cert_db_init (ECertDB *ec)
{
}
GStaticMutex init_mutex = G_STATIC_MUTEX_INIT;
static ECertDB *cert_db = NULL;
ECertDB *
e_cert_db_peek (void)
{
g_static_mutex_lock (&init_mutex);
if (!cert_db)
cert_db = g_object_new (E_TYPE_CERT_DB, NULL);
g_static_mutex_unlock (&init_mutex);
return cert_db;
}
void
e_cert_db_shutdown (void)
{
/* XXX */
}
/* searching for certificates */
ECert *
e_cert_db_find_cert_by_nickname (ECertDB *certdb,
const gchar *nickname,
GError **error)
{
/* nsNSSShutDownPreventionLock locker;*/
CERTCertificate *cert = NULL;
/*PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Getting \"%s\"\n", asciiname));*/
cert = PK11_FindCertFromNickname ((gchar *) nickname, NULL);
if (!cert) {
cert = CERT_FindCertByNickname (CERT_GetDefaultCertDB (), (gchar *) nickname);
}
if (cert) {
/* PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("got it\n"));*/
ECert *ecert = e_cert_new (cert);
return ecert;
}
else {
set_nss_error (error);
return NULL;
}
}
#ifdef notyet
ECert *
e_cert_db_find_cert_by_key (ECertDB *certdb,
const gchar *db_key,
GError **error)
{
/* nsNSSShutDownPreventionLock locker;*/
SECItem keyItem = {siBuffer, NULL, 0};
SECItem *dummy;
CERTIssuerAndSN issuerSN;
gulong moduleID,slotID;
CERTCertificate *cert;
if (!db_key) {
set_nss_error (error);
return NULL;
}
dummy = NSSBase64_DecodeBuffer (NULL, &keyItem, db_key,
(PRUint32) PL_strlen (db_key));
/* someday maybe we can speed up the search using the moduleID and slotID*/
moduleID = NS_NSS_GET_LONG (keyItem.data);
slotID = NS_NSS_GET_LONG (&keyItem.data[NS_NSS_LONG]);
/* build the issuer/SN structure*/
issuerSN.serialNumber.len = NS_NSS_GET_LONG (&keyItem.data[NS_NSS_LONG *2]);
issuerSN.derIssuer.len = NS_NSS_GET_LONG (&keyItem.data[NS_NSS_LONG *3]);
issuerSN.serialNumber.data= &keyItem.data[NS_NSS_LONG *4];
issuerSN.derIssuer.data= &keyItem.data[NS_NSS_LONG *4+
issuerSN.serialNumber.len];
cert = CERT_FindCertByIssuerAndSN (CERT_GetDefaultCertDB (), &issuerSN);
PR_FREEIF (keyItem.data);
if (cert) {
ECert *ecert = e_cert_new (cert);
return e_cert;
}
set_nss_error (error);
return NULL;
}
GList *
e_cert_db_get_cert_nicknames (ECertDB *certdb,
ECertType cert_type,
GError **error)
{
}
ECert *
e_cert_db_find_email_encryption_cert (ECertDB *certdb,
const gchar *nickname,
GError **error)
{
}
ECert *
e_cert_db_find_email_signing_cert (ECertDB *certdb,
const gchar *nickname,
GError **error)
{
}
#endif
ECert *
e_cert_db_find_cert_by_email_address (ECertDB *certdb,
const gchar *email,
GError **error)
{
/* nsNSSShutDownPreventionLock locker; */
ECert *cert;
CERTCertificate *any_cert;
CERTCertList *certlist;
any_cert = CERT_FindCertByNicknameOrEmailAddr (
CERT_GetDefaultCertDB (), (gchar *) email);
if (!any_cert) {
set_nss_error (error);
return NULL;
}
/* any_cert now contains a cert with the right subject,
* but it might not have the correct usage. */
certlist = CERT_CreateSubjectCertList (NULL,
CERT_GetDefaultCertDB (),
&any_cert->derSubject,
PR_Now (), PR_TRUE);
if (!certlist) {
set_nss_error (error);
CERT_DestroyCertificate (any_cert);
return NULL;
}
if (SECSuccess != CERT_FilterCertListByUsage (
certlist, certUsageEmailRecipient, PR_FALSE)) {
set_nss_error (error);
CERT_DestroyCertificate (any_cert);
CERT_DestroyCertList (certlist);
return NULL;
}
if (CERT_LIST_END (CERT_LIST_HEAD (certlist), certlist)) {
set_nss_error (error);
CERT_DestroyCertificate (any_cert);
CERT_DestroyCertList (certlist);
return NULL;
}
cert = e_cert_new (CERT_DupCertificate (CERT_LIST_HEAD (certlist)->cert));
CERT_DestroyCertList (certlist);
CERT_DestroyCertificate (any_cert);
return cert;
}
static gboolean
confirm_download_ca_cert (ECertDB *cert_db,
ECert *cert,
gboolean *trust_ssl,
gboolean *trust_email,
gboolean *trust_objsign)
{
gboolean rv = FALSE;
*trust_ssl =
*trust_email =
*trust_objsign = FALSE;
g_signal_emit (e_cert_db_peek (),
e_cert_db_signals[CONFIRM_CA_CERT_IMPORT], 0,
cert,
trust_ssl,
trust_email,
trust_objsign,
&rv);
return rv;
}
static gboolean
handle_ca_cert_download (ECertDB *cert_db,
GList *certs,
GError **error)
{
ECert *certToShow;
SECItem der;
gchar *raw_der = NULL;
CERTCertificate *tmpCert;
/* First thing we have to do is figure out which certificate
* we're gonna present to the user. The CA may have sent down
* a list of certs which may or may not be a chained list of
* certs. Until the day we can design some solid UI for the
* general case, we'll code to the > 90% case. That case is
* where a CA sends down a list that is a chain up to its root
* in either ascending or descending order. What we're gonna
* do is compare the first 2 entries, if the first was signed
* by the second, we assume the leaf cert is the first cert
* and display it. If the second cert was signed by the first
* cert, then we assume the first cert is the root and the
* last cert in the array is the leaf. In this case we
* display the last cert.
*/
/* nsNSSShutDownPreventionLock locker;*/
if (certs == NULL) {
g_warning ("Didn't get any certs to import.");
return TRUE;
}
else if (certs->next == NULL) {
/* there's 1 cert */
certToShow = E_CERT (certs->data);
}
else {
/* there are multiple certs */
ECert *cert0;
ECert *cert1;
const gchar * cert0SubjectName;
const gchar * cert0IssuerName;
const gchar * cert1SubjectName;
const gchar * cert1IssuerName;
cert0 = E_CERT (certs->data);
cert1 = E_CERT (certs->next->data);
cert0IssuerName = e_cert_get_issuer_name (cert0);
cert0SubjectName = e_cert_get_subject_name (cert0);
cert1IssuerName = e_cert_get_issuer_name (cert1);
cert1SubjectName = e_cert_get_subject_name (cert1);
if (!strcmp (cert1IssuerName, cert0SubjectName)) {
/* In this case, the first cert in the list signed the second,
* so the first cert is the root. Let's display the last cert
* in the list. */
certToShow = E_CERT (g_list_last (certs)->data);
}
else if (!strcmp (cert0IssuerName, cert1SubjectName)) {
/* In this case the second cert has signed the first cert. The
* first cert is the leaf, so let's display it. */
certToShow = cert0;
} else {
/* It's not a chain, so let's just show the first one in the
* downloaded list. */
certToShow = cert0;
}
}
if (!certToShow) {
set_nss_error (error);
return FALSE;
}
if (!e_cert_get_raw_der (certToShow, &raw_der, &der.len)) {
set_nss_error (error);
return FALSE;
}
der.data = (guchar *) raw_der;
{
/*PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Creating temp cert\n"));*/
CERTCertDBHandle *certdb = CERT_GetDefaultCertDB ();
tmpCert = CERT_FindCertByDERCert (certdb, &der);
if (!tmpCert) {
tmpCert = CERT_NewTempCertificate (certdb, &der,
NULL, PR_FALSE, PR_TRUE);
}
if (!tmpCert) {
g_warning ("Couldn't create cert from DER blob");
set_nss_error (error);
return FALSE;
}
}
#if 0
CERTCertificateCleaner tmpCertCleaner (tmpCert);
#endif
if (tmpCert->isperm) {
if (error && !*error)
*error = g_error_new_literal (E_CERTDB_ERROR, 0, _("Certificate already exists"));
return FALSE;
}
else {
gboolean trust_ssl, trust_email, trust_objsign;
gchar *nickname;
SECStatus srv;
CERTCertTrust trust;
if (!confirm_download_ca_cert (
cert_db, certToShow, &trust_ssl,
&trust_email, &trust_objsign)) {
set_nss_error (error);
return FALSE;
}
/*PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("trust is %d\n", trustBits));*/
nickname = CERT_MakeCANickname (tmpCert);
/*PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Created nick \"%s\"\n", nickname.get()));*/
e_cert_trust_init (&trust);
e_cert_trust_set_valid_ca (&trust);
e_cert_trust_add_ca_trust (&trust,
trust_ssl,
trust_email,
trust_objsign);
srv = CERT_AddTempCertToPerm (tmpCert,
nickname,
&trust);
/* If we aren't logged into the token, then what *should*
* happen is the above call should fail, and we should
* authenticate and then try again. But see NSS bug #595861.
* With NSS 3.12.6 at least, the above call will fail, but
* it *will* have added the cert to the database, with
* random trust bits. We have to authenticate and then set
* the trust bits correctly. And calling
* CERT_AddTempCertToPerm() again doesn't work either -- it'll
* fail even though it arguably ought to succeed (which is
* probably another NSS bug).
* So if we get SEC_ERROR_TOKEN_NOT_LOGGED_IN, we first try
* CERT_ChangeCertTrust(), and if that doesn't work we hope
* we're on a fixed version of NSS and we try calling
* CERT_AddTempCertToPerm() again instead. */
if (srv != SECSuccess &&
PORT_GetError () == SEC_ERROR_TOKEN_NOT_LOGGED_IN &&
e_cert_db_login_to_slot (NULL, PK11_GetInternalKeySlot ())) {
srv = CERT_ChangeCertTrust (CERT_GetDefaultCertDB (),
tmpCert, &trust);
if (srv != SECSuccess)
srv = CERT_AddTempCertToPerm (tmpCert,
nickname,
&trust);
}
if (srv != SECSuccess) {
set_nss_error (error);
return FALSE;
}
#if 0
/* Now it's time to add the rest of the certs we just downloaded.
* Since we didn't prompt the user about any of these certs, we
* won't set any trust bits for them. */
e_cert_trust_init (&trust);
e_cert_trust_set_valid_ca (&trust);
e_cert_trusts_add_ca_trust (&trust, 0, 0, 0);
for (PRUint32 i = 0; i < numCerts; i++) {
if (i == selCertIndex)
continue;
certToShow = do_QueryElementAt (x509Certs, i);
certToShow->GetRawDER (&der.len, (PRUint8 **) &der.data);
CERTCertificate *tmpCert2 =
CERT_NewTempCertificate (certdb, &der, nsnull, PR_FALSE, PR_TRUE);
if (!tmpCert2) {
NS_ASSERTION (0, "Couldn't create temp cert from DER blob\n");
continue; /* Let's try to import the rest of 'em */
}
nickname.Adopt (CERT_MakeCANickname (tmpCert2));
CERT_AddTempCertToPerm (tmpCert2, NS_CONST_CAST (gchar *,nickname.get ()),
defaultTrust.GetTrust ());
CERT_DestroyCertificate (tmpCert2);
}
#endif
return TRUE;
}
}
gboolean e_cert_db_change_cert_trust (CERTCertificate *cert, CERTCertTrust *trust)
{
SECStatus srv;
srv = CERT_ChangeCertTrust (CERT_GetDefaultCertDB (),
cert, trust);
if (srv != SECSuccess &&
PORT_GetError () == SEC_ERROR_TOKEN_NOT_LOGGED_IN &&
e_cert_db_login_to_slot (NULL, PK11_GetInternalKeySlot ()))
srv = CERT_ChangeCertTrust (CERT_GetDefaultCertDB (),
cert, trust);
if (srv != SECSuccess) {
glong err = PORT_GetError ();
g_warning ("CERT_ChangeCertTrust() failed: %s\n",
nss_error_to_string (err));
return FALSE;
}
return TRUE;
}
/* deleting certificates */
gboolean
e_cert_db_delete_cert (ECertDB *certdb,
ECert *ecert)
{
/* nsNSSShutDownPreventionLock locker;
* nsNSSCertificate *nssCert = NS_STATIC_CAST (nsNSSCertificate *, aCert); */
CERTCertificate *cert;
if (!e_cert_mark_for_deletion (ecert)) {
return FALSE;
}
cert = e_cert_get_internal_cert (ecert);
if (cert->slot && e_cert_get_cert_type (ecert) != E_CERT_USER) {
/* To delete a cert of a slot (builtin, most likely), mark it as
* completely untrusted. This way we keep a copy cached in the
* local database, and next time we try to load it off of the
* external token/slot, we'll know not to trust it. We don't
* want to do that with user certs, because a user may re-store
* the cert onto the card again at which point we *will* want to
* trust that cert if it chains up properly. */
CERTCertTrust trust;
e_cert_trust_init_with_values (&trust, 0, 0, 0);
return e_cert_db_change_cert_trust (cert, &trust);
}
return TRUE;
}
/* importing certificates */
gboolean
e_cert_db_import_certs (ECertDB *certdb,
gchar *data,
guint32 length,
ECertType cert_type,
GSList **imported_certs,
GError **error)
{
/*nsNSSShutDownPreventionLock locker;*/
PRArenaPool *arena = PORT_NewArena (DER_DEFAULT_CHUNKSIZE);
GList *certs = NULL;
CERTDERCerts *certCollection = e_cert_db_get_certs_from_package (arena, data, length);
gint i;
gboolean rv;
if (!certCollection) {
set_nss_error (error);
PORT_FreeArena (arena, PR_FALSE);
return FALSE;
}
/* Now let's create some certs to work with */
for (i = 0; i < certCollection->numcerts; i++) {
SECItem *currItem = &certCollection->rawCerts[i];
ECert *cert;
cert = e_cert_new_from_der ((gchar *) currItem->data, currItem->len);
if (!cert) {
set_nss_error (error);
g_list_foreach (certs, (GFunc) g_object_unref, NULL);
g_list_free (certs);
PORT_FreeArena (arena, PR_FALSE);
return FALSE;
}
certs = g_list_append (certs, cert);
}
switch (cert_type) {
case E_CERT_CA:
rv = handle_ca_cert_download (certdb, certs, error);
if (rv && imported_certs) {
GList *l;
/* copy certificates to the caller */
*imported_certs = NULL;
for (l = certs; l; l = l->next) {
ECert *cert = l->data;
if (cert)
*imported_certs = g_slist_prepend (*imported_certs, g_object_ref (cert));
}
*imported_certs = g_slist_reverse (*imported_certs);
}
break;
default:
/* We only deal with import CA certs in this method currently.*/
set_nss_error (error);
PORT_FreeArena (arena, PR_FALSE);
rv = FALSE;
}
g_list_foreach (certs, (GFunc) g_object_unref, NULL);
g_list_free (certs);
PORT_FreeArena (arena, PR_FALSE);
return rv;
}
gboolean
e_cert_db_import_email_cert (ECertDB *certdb,
gchar *data,
guint32 length,
GSList **imported_certs,
GError **error)
{
/*nsNSSShutDownPreventionLock locker;*/
SECStatus srv = SECFailure;
gboolean rv = TRUE;
CERTCertificate * cert;
SECItem **rawCerts;
gint numcerts;
gint i;
PRArenaPool *arena = PORT_NewArena (DER_DEFAULT_CHUNKSIZE);
CERTDERCerts *certCollection = e_cert_db_get_certs_from_package (arena, data, length);
if (!certCollection) {
set_nss_error (error);
PORT_FreeArena (arena, PR_FALSE);
return FALSE;
}
cert = CERT_NewTempCertificate (CERT_GetDefaultCertDB (), certCollection->rawCerts,
(gchar *) NULL, PR_FALSE, PR_TRUE);
if (!cert) {
set_nss_error (error);
rv = FALSE;
goto loser;
}
numcerts = certCollection->numcerts;
rawCerts = (SECItem **) PORT_Alloc (sizeof (SECItem *) * numcerts);
if (!rawCerts) {
set_nss_error (error);
rv = FALSE;
goto loser;
}
for (i = 0; i < numcerts; i++) {
rawCerts[i] = &certCollection->rawCerts[i];
}
srv = CERT_ImportCerts (CERT_GetDefaultCertDB (), certUsageEmailSigner,
numcerts, rawCerts, NULL, PR_TRUE, PR_FALSE,
NULL);
if (srv != SECSuccess) {
set_nss_error (error);
rv = FALSE;
goto loser;
}
CERT_SaveSMimeProfile (cert, NULL, NULL);
if (imported_certs) {
*imported_certs = NULL;
for (i = 0; i < certCollection->numcerts; i++) {
SECItem *currItem = &certCollection->rawCerts[i];
ECert *cert;
cert = e_cert_new_from_der ((gchar *) currItem->data, currItem->len);
if (cert)
*imported_certs = g_slist_prepend (*imported_certs, cert);
}
*imported_certs = g_slist_reverse (*imported_certs);
}
PORT_Free (rawCerts);
loser:
if (cert)
CERT_DestroyCertificate (cert);
if (arena)
PORT_FreeArena (arena, PR_TRUE);
return rv;
}
static gchar *
default_nickname (CERTCertificate *cert)
{
/* nsNSSShutDownPreventionLock locker; */
gchar *username = NULL;
gchar *caname = NULL;
gchar *nickname = NULL;
gchar *tmp = NULL;
gint count;
const gchar *nickFmt = NULL;
CERTCertificate *dummycert;
PK11SlotInfo *slot = NULL;
CK_OBJECT_HANDLE keyHandle;
CERTCertDBHandle *defaultcertdb = CERT_GetDefaultCertDB ();
username = CERT_GetCommonName (&cert->subject);
if (username == NULL)
username = PL_strdup ("");
if (username == NULL)
goto loser;
caname = CERT_GetOrgName (&cert->issuer);
if (caname == NULL)
caname = PL_strdup ("");
if (caname == NULL)
goto loser;
count = 1;
nickFmt = "%1$s's %2$s ID";
nickname = PR_smprintf (nickFmt, username, caname);
/*
* We need to see if the private key exists on a token, if it does
* then we need to check for nicknames that already exist on the smart
* card.
*/
slot = PK11_KeyForCertExists (cert, &keyHandle, NULL);
if (slot == NULL) {
goto loser;
}
if (!PK11_IsInternal (slot)) {
tmp = PR_smprintf ("%s:%s", PK11_GetTokenName (slot), nickname);
PR_Free (nickname);
nickname = tmp;
tmp = NULL;
}
tmp = nickname;
while (1) {
if (count > 1) {
nickname = PR_smprintf ("%s #%d", tmp, count);
}
if (nickname == NULL)
goto loser;
if (PK11_IsInternal (slot)) {
/* look up the nickname to make sure it isn't in use already */
dummycert = CERT_FindCertByNickname (defaultcertdb, nickname);
} else {
/*
* Check the cert against others that already live on the smart
* card.
*/
dummycert = PK11_FindCertFromNickname (nickname, NULL);
if (dummycert != NULL) {
/*
* Make sure the subject names are different.
*/
if (CERT_CompareName (&cert->subject, &dummycert->subject) == SECEqual) {
/*
* There is another certificate with the same nickname and
* the same subject name on the smart card, so let's use this
* nickname.
*/
CERT_DestroyCertificate (dummycert);
dummycert = NULL;
}
}
}
if (dummycert == NULL)
goto done;
/* found a cert, destroy it and loop */
CERT_DestroyCertificate (dummycert);
if (tmp != nickname) PR_Free (nickname);
count++;
} /* end of while (1) */
loser:
if (nickname) {
PR_Free (nickname);
}
nickname = NULL;
done:
if (caname) {
PR_Free (caname);
}
if (username) {
PR_Free (username);
}
if (slot != NULL) {
PK11_FreeSlot (slot);
if (nickname != NULL) {
tmp = nickname;
nickname = strchr (tmp, ':');
if (nickname != NULL) {
nickname++;
nickname = PL_strdup (nickname);
PR_Free (tmp);
tmp = NULL;
} else {
nickname = tmp;
tmp = NULL;
}
}
}
PR_FREEIF (tmp);
return (nickname);
}
gboolean
e_cert_db_import_user_cert (ECertDB *certdb,
gchar *data,
guint32 length,
GError **error)
{
/* nsNSSShutDownPreventionLock locker;*/
PK11SlotInfo *slot;
gchar * nickname = NULL;
gboolean rv = FALSE;
gint numCACerts;
SECItem *CACerts;
CERTDERCerts * collectArgs;
PRArenaPool *arena;
CERTCertificate * cert = NULL;
arena = PORT_NewArena (DER_DEFAULT_CHUNKSIZE);
if (arena == NULL) {
set_nss_error (error);
goto loser;
}
collectArgs = e_cert_db_get_certs_from_package (arena, data, length);
if (!collectArgs) {
set_nss_error (error);
goto loser;
}
cert = CERT_NewTempCertificate (CERT_GetDefaultCertDB (), collectArgs->rawCerts,
(gchar *) NULL, PR_FALSE, PR_TRUE);
if (!cert) {
set_nss_error (error);
goto loser;
}
slot = PK11_KeyForCertExists (cert, NULL, NULL);
if (slot == NULL) {
set_nss_error (error);
goto loser;
}
PK11_FreeSlot (slot);
/* pick a nickname for the cert */
if (cert->nickname) {
/* sigh, we need a call to look up other certs with this subject and
* identify nicknames from them. We can no longer walk down internal
* database structures rjr */
nickname = cert->nickname;
}
else {
nickname = default_nickname (cert);
}
/* user wants to import the cert */
slot = PK11_ImportCertForKey (cert, nickname, NULL);
if (!slot) {
set_nss_error (error);
goto loser;
}
PK11_FreeSlot (slot);
numCACerts = collectArgs->numcerts - 1;
if (numCACerts) {
CACerts = collectArgs->rawCerts + 1;
if (!CERT_ImportCAChain (CACerts, numCACerts, certUsageUserCertImport)) {
rv = TRUE;
}
}
loser:
if (arena) {
PORT_FreeArena (arena, PR_FALSE);
}
if (cert) {
CERT_DestroyCertificate (cert);
}
return rv;
}
gboolean
e_cert_db_import_server_cert (ECertDB *certdb,
gchar *data,
guint32 length,
GSList **imported_certs,
GError **error)
{
/* not c&p'ing this over at the moment, as we don't have a UI
* for server certs anyway */
return FALSE;
}
gboolean
e_cert_db_import_certs_from_file (ECertDB *cert_db,
const gchar *file_path,
ECertType cert_type,
GSList **imported_certs,
GError **error)
{
gboolean rv;
gint fd;
struct stat sb;
gchar *buf;
gint bytes_read;
switch (cert_type) {
case E_CERT_CA:
case E_CERT_CONTACT:
case E_CERT_SITE:
/* good */
break;
default:
/* not supported (yet) */
set_nss_error (error);
return FALSE;
}
fd = g_open (file_path, O_RDONLY | O_BINARY, 0);
if (fd == -1) {
set_nss_error (error);
return FALSE;
}
if (-1 == fstat (fd, &sb)) {
set_nss_error (error);
close (fd);
return FALSE;
}
buf = g_malloc (sb.st_size);
if (!buf) {
set_nss_error (error);
close (fd);
return FALSE;
}
bytes_read = read (fd, buf, sb.st_size);
close (fd);
if (bytes_read != sb.st_size) {
set_nss_error (error);
rv = FALSE;
}
else {
printf ("importing %d bytes from '%s'\n", bytes_read, file_path);
switch (cert_type) {
case E_CERT_CA:
rv = e_cert_db_import_certs (cert_db, buf, bytes_read, cert_type, imported_certs, error);
break;
case E_CERT_SITE:
rv = e_cert_db_import_server_cert (cert_db, buf, bytes_read, imported_certs, error);
break;
case E_CERT_CONTACT:
rv = e_cert_db_import_email_cert (cert_db, buf, bytes_read, imported_certs, error);
break;
default:
rv = FALSE;
break;
}
}
g_free (buf);
return rv;
}
gboolean
e_cert_db_import_pkcs12_file (ECertDB *cert_db,
const gchar *file_path,
GError **error)
{
EPKCS12 *pkcs12 = e_pkcs12_new ();
GError *e = NULL;
if (!e_pkcs12_import_from_file (pkcs12, file_path, &e)) {
g_propagate_error (error, e);
return FALSE;
}
return TRUE;
}
#ifdef notyet
gboolean
e_cert_db_export_pkcs12_file (ECertDB *cert_db,
const gchar *file_path,
GList *certs,
GError **error)
{
}
#endif
gboolean
e_cert_db_login_to_slot (ECertDB *cert_db,
PK11SlotInfo *slot)
{
if (PK11_NeedLogin (slot)) {
PK11_Logout (slot);
if (PK11_NeedUserInit (slot)) {
gchar *pwd;
gboolean rv = FALSE;
printf ("initializing slot password\n");
g_signal_emit (e_cert_db_peek (),
e_cert_db_signals[PK11_CHANGE_PASSWD], 0,
NULL,
&pwd,
&rv);
if (!rv)
return FALSE;
/* the user needs to specify the initial password */
PK11_InitPin (slot, "", pwd);
}
PK11_SetPasswordFunc (pk11_password);
if (PK11_Authenticate (slot, PR_TRUE, NULL) != SECSuccess) {
printf ("PK11_Authenticate failed (err = %d/%d)\n",
PORT_GetError (), PORT_GetError () + 0x2000);
return FALSE;
}
}
return TRUE;
}