From 135e1d6968e7205611aea943496f1fd3f5ba04fc Mon Sep 17 00:00:00 2001 
From: Chris Toshok Date: Mon, 5 Jan 2004 20:49:44 +0000 Subject: new function, implement the password dialog for PK11 slot authentication. 2004-01-05 Chris Toshok * gui/component.c (smime_pk11_passwd): new function, implement the password dialog for PK11 slot authentication. (smime_component_init): new function, initialize any gui related signals that the backend exposes. * gui/certificate-manager.c (import_your): use e_cert_db_import_pkcs12_file. (delete_your): new function, implement. (view_your): same. (backup_your): new function, stub out. (backup_all_your): same. (create_yourcerts_treemodel): new function. (initialize_yourcerts_ui): do all the sorting foo, and hook up all the signals. (ainitialize_contactcerts_ui): same. (initialize_authoritycerts_ui): same. (view_contact): treemodel -> streemodel. (view_ca): same. (delete_contact): same, and convert from the sort iter to the child iter before we remove. (delete_ca): same. (import_contact): call gtk_tree_view_expand_all. (import_ca): same. (add_user_cert): append to the child model, not the sort model. (add_contact_cert): same. (add_ca_cert): same. (unload_certs): implement the E_CERT_USER case, and fix the USER/CA stuff to use the sorted treemodels. (load_certs): remove spew. (populate_ui): expand all the tree views. * lib/.cvsignore: ignore the generated marshalling files. * lib/Makefile.am: add the marshalling foo. * lib/smime-marshal.list (BOOL): new file. * lib/e-cert-db.c (pk11_password): new function, emit the pk11_passwd signal. (initialize_nss): new function, split out all the nss init code here, and add all the PKCS12 cipers. (install_loadable_roots): new function, split this code out from the class_init. (e_cert_db_class_init): call initialize_nss() and install_loadable_roots(). also register our pk11_passwd signal. (e_cert_db_import_pkcs12_file): implement. (e_cert_db_login_to_slot): new function, implement. 
* lib/e-cert-db.h (struct _ECertDBClass): add pk11_passwd signal, and add prototype for e_cert_db_login_to_slot. * lib/e-pkcs12.c (input_to_decoder): remove spew. (prompt_for_password): fix this. (import_from_file_helper): fix fix fix, and remove spew. (write_export_file): nuke, we don't need this. svn path=/trunk/; revision=24058 --- smime/lib/.cvsignore | 1 + smime/lib/Makefile.am | 7 +++ smime/lib/e-cert-db.c | 145 ++++++++++++++++++++++++++++++++++++------- smime/lib/e-cert-db.h | 5 ++ smime/lib/e-pkcs12.c | 136 ++++++++++++++++------------------------ smime/lib/smime-marshal.list | 1 + 6 files changed, 190 insertions(+), 105 deletions(-) create mode 100644 smime/lib/smime-marshal.list (limited to 'smime/lib') diff --git a/smime/lib/.cvsignore b/smime/lib/.cvsignore index 74b73492ca..7798e01d25 100644 --- a/smime/lib/.cvsignore +++ b/smime/lib/.cvsignore @@ -1,3 +1,4 @@ Makefile Makefile.in *.la +smime-marshal.[ch] diff --git a/smime/lib/Makefile.am b/smime/lib/Makefile.am index f534fd01f3..a9068e3b18 100644 --- a/smime/lib/Makefile.am +++ b/smime/lib/Makefile.am @@ -16,6 +16,7 @@ INCLUDES = \ noinst_LTLIBRARIES = libessmime.la libessmime_la_SOURCES = \ + $(MARSHAL_GENERATED) \ e-asn1-object.c \ e-asn1-object.h \ e-cert.c \ @@ -26,3 +27,9 @@ libessmime_la_SOURCES = \ e-cert-db.h \ e-pkcs12.c \ e-pkcs12.h + +MARSHAL_GENERATED = smime-marshal.c smime-marshal.h +@EVO_MARSHAL_RULE@ + +BUILT_SOURCES = $(MARSHAL_GENERATED) +CLEANFILES = $(BUILT_SOURCES) diff --git a/smime/lib/e-cert-db.c b/smime/lib/e-cert-db.c index 5acdf4e847..d37805d7c4 100644 --- a/smime/lib/e-cert-db.c +++ b/smime/lib/e-cert-db.c 
@@ -62,18 +62,23 @@ #define CERT_NewTempCertificate __CERT_NewTempCertificate #define CERT_AddTempCertToPerm __CERT_AddTempCertToPerm +#include "smime-marshal.h" #include "e-cert-db.h" #include "e-cert-trust.h" +#include "e-pkcs12.h" #include "gmodule.h" #include "nss.h" +#include "ssl.h" +#include "p12plcy.h" #include "pk11func.h" #include "secmod.h" #include "certdb.h" #include "plstr.h" #include "prprf.h" #include "prmem.h" +#include "e-util/e-passwords.h" #include "e-util/e-dialog-utils.h" #include #include @@ -82,6 +87,13 @@ #include #include +enum { + PK11_PASSWD, + LAST_SIGNAL +}; + +static guint e_cert_db_signals[LAST_SIGNAL]; + struct _ECertDBPrivate { }; @@ -109,21 +121,45 @@ e_cert_db_dispose (GObject *object) G_OBJECT_CLASS (parent_class)->dispose (object); } +PRBool +ucs2_ascii_conversion_fn (PRBool toUnicode, + unsigned char *inBuf, + unsigned int inBufLen, + unsigned char *outBuf, + unsigned int maxOutBufLen, + unsigned int *outBufLen, + PRBool swapBytes) +{ + printf ("in ucs2_ascii_conversion_fn\n"); +} + +static char* PR_CALLBACK +pk11_password (PK11SlotInfo* slot, PRBool retry, void* arg) +{ + char *pwd; + char *nsspwd; + + gboolean rv = FALSE; + + g_signal_emit (e_cert_db_peek (), + e_cert_db_signals[PK11_PASSWD], 0, + slot, + retry, + &pwd, + &rv); + + nsspwd = PORT_Strdup (pwd); + memset (pwd, 0, strlen (pwd)); + g_free (pwd); + return nsspwd; +} + static void -e_cert_db_class_init (ECertDBClass *klass) +initialize_nss (void) { - GObjectClass *object_class; char *evolution_dir_path; gboolean success; - gboolean has_roots; - PK11SlotList *list; - object_class = G_OBJECT_CLASS(klass); - - parent_class = g_type_class_ref (PARENT_TYPE); - - object_class->dispose = e_cert_db_dispose; - evolution_dir_path = g_build_path ("/", g_get_home_dir (), ".evolution", NULL); /* we initialize NSS here to make sure it only happens once */ 
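Review bot: In `pk11_password`, `pwd` is read after `g_signal_emit` without ever being initialised, so when no handler is connected to `pk11_passwd`, or a handler returns without storing into `*passwd`, `PORT_Strdup (pwd)` and `strlen (pwd)` run on an indeterminate pointer. Initialise it with `char *pwd = NULL;` and add `if (!pwd) return NULL;` after the emit, since a NULL return is how a PK11 password callback reports that no password is available. In the same hunk `ucs2_ascii_conversion_fn` is declared to return `PRBool` but has no `return` statement, so once it is registered NSS receives an undefined value; return `PR_FALSE` until the conversion is implemented. The `memset` before `g_free` is a store the compiler may drop, so a wipe that cannot be elided would be preferable where the toolchain offers one.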
@@ -142,11 +178,29 @@ e_cert_db_class_init (ECertDBClass *klass) if (!success) { g_warning ("Failed all methods for initializing NSS"); + return; } - /* - * check to see if you have a rootcert module installed - */ + NSS_SetDomesticPolicy(); + + PK11_SetPasswordFunc(pk11_password); + + /* Enable ciphers for PKCS#12 */ + SEC_PKCS12EnableCipher(PKCS12_RC4_40, 1); + SEC_PKCS12EnableCipher(PKCS12_RC4_128, 1); + SEC_PKCS12EnableCipher(PKCS12_RC2_CBC_40, 1); + SEC_PKCS12EnableCipher(PKCS12_RC2_CBC_128, 1); + SEC_PKCS12EnableCipher(PKCS12_DES_56, 1); + SEC_PKCS12EnableCipher(PKCS12_DES_EDE3_168, 1); + SEC_PKCS12SetPreferredCipher(PKCS12_DES_EDE3_168, 1); + PORT_SetUCS2_ASCIIConversionFunction(ucs2_ascii_conversion_fn); +} + +static void +install_loadable_roots (void) +{ + gboolean has_roots; + PK11SlotList *list; has_roots = FALSE; list = PK11_GetAllTokens(CKM_INVALID_MECHANISM, PR_FALSE, PR_FALSE, NULL); @@ -188,6 +242,32 @@ e_cert_db_class_init (ECertDBClass *klass) } } +static void +e_cert_db_class_init (ECertDBClass *klass) +{ + GObjectClass *object_class; + + object_class = G_OBJECT_CLASS(klass); + + parent_class = g_type_class_ref (PARENT_TYPE); + + object_class->dispose = e_cert_db_dispose; + + initialize_nss(); + /* check to see if you have a rootcert module installed */ + install_loadable_roots(); + + e_cert_db_signals[PK11_PASSWD] = + g_signal_new ("pk11_passwd", + G_OBJECT_CLASS_TYPE (object_class), + G_SIGNAL_RUN_LAST, + G_STRUCT_OFFSET (ECertDBClass, pk11_passwd), + NULL, NULL, + smime_marshal_BOOLEAN__POINTER_BOOLEAN_POINTER, + G_TYPE_BOOLEAN, 3, + G_TYPE_POINTER, G_TYPE_BOOLEAN, G_TYPE_POINTER); +} + static void e_cert_db_init (ECertDB *ec) { 
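Review bot: The PKCS#12 policy block added to `initialize_nss` enables `PKCS12_RC4_40`, `PKCS12_RC2_CBC_40` and `PKCS12_DES_56` with no comment saying why, and 40- and 56-bit ciphers give little protection to a private-key container. If they are needed only to read files written by older software, say so above the block, e.g. `/* 40/56-bit entries are enabled only so legacy .p12 files can be imported; 3DES stays the preferred cipher */`, and confirm that the export path cannot select them. The return values of the `SEC_PKCS12EnableCipher` and `SEC_PKCS12SetPreferredCipher` calls are ignored, so a policy call that fails goes unnoticed.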
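Review bot: `e_cert_db_class_init` calls `install_loadable_roots()` unconditionally, although `initialize_nss()` now returns early after the "Failed all methods for initializing NSS" warning, so the token enumeration in `install_loadable_roots` would then run against a library that never initialised. Let `initialize_nss` return a `gboolean` and guard the call: `if (initialize_nss ()) install_loadable_roots ();`. A one-line comment on `initialize_nss` stating that it reports whether NSS came up would document the contract for later callers.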
@@ -250,14 +330,6 @@ e_cert_db_find_cert_by_nickname (ECertDB *certdb, CERTCertificate *cert = NULL; /*PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Getting \"%s\"\n", asciiname));*/ -#if 0 - /* what it should be, but for now...*/ - if (aToken) { - cert = PK11_FindCertFromNickname(asciiname, NULL); - } else { - cert = CERT_FindCertByNickname(CERT_GetDefaultCertDB(), asciiname); - } -#endif cert = PK11_FindCertFromNickname((char*)nickname, NULL); if (!cert) { cert = CERT_FindCertByNickname(CERT_GetDefaultCertDB(), (char*)nickname); @@ -1013,6 +1085,15 @@ e_cert_db_import_pkcs12_file (ECertDB *cert_db, const char *file_path, GError **error) { + EPKCS12 *pkcs12 = e_pkcs12_new (); + GError *e = NULL; + + if (!e_pkcs12_import_from_file (pkcs12, file_path, &e)) { + g_propagate_error (error, e); + return FALSE; + } + + return TRUE; } gboolean @@ -1023,6 +1104,28 @@ e_cert_db_export_pkcs12_file (ECertDB *cert_db, { } +gboolean +e_cert_db_login_to_slot (ECertDB *cert_db, + PK11SlotInfo *slot) +{ + if (PK11_NeedLogin (slot)) { + PK11_Logout (slot); + + if (PK11_NeedUserInit (slot)) { + printf ("initializing slot password\n"); + /* the user needs to specify the initial password */ + PK11_InitPin (slot, "", "farcl."); + } + + if (PK11_Authenticate (slot, PR_TRUE, NULL) != SECSuccess) { + printf ("PK11_Authenticate failed (err = %d/%d)\n", PORT_GetError(), PORT_GetError() + 0x2000); + return FALSE; + } + } + + return TRUE; +} + static SECStatus PR_CALLBACK diff --git a/smime/lib/e-cert-db.h b/smime/lib/e-cert-db.h index ffc381587a..d31fc02186 100644 --- a/smime/lib/e-cert-db.h +++ b/smime/lib/e-cert-db.h @@ -47,6 +47,9 @@ struct _ECertDB { struct _ECertDBClass { GObjectClass parent_class; + /* signals */ + gboolean (*pk11_passwd) (ECertDB *db, PK11SlotInfo *slot, gboolean retry, char **passwd); + /* Padding for future expansion */ void (*_ecert_reserved0) (void); void (*_ecert_reserved1) (void); 
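Review bot: `e_cert_db_import_pkcs12_file` never releases the `EPKCS12` it creates with `e_pkcs12_new ()` (a GObject, going by `PARENT_TYPE G_TYPE_OBJECT` in e-pkcs12.c), so both return paths leak it. Add `g_object_unref (pkcs12);` before each `return`. On the failure path `e` can still be NULL, because the failure returns visible in e-pkcs12.c do not set the `GError`, while `g_propagate_error` expects a non-NULL source; guard it with `if (e) g_propagate_error (error, e);`.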
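Review bot: `e_cert_db_login_to_slot` sets the initial slot PIN to a fixed string with `PK11_InitPin (slot, "", "farcl.")`, so every key database initialised through this path is protected by a password published in the source, which contradicts the comment directly above it saying the user needs to specify the initial password. The PIN should come from the user, for instance through the `pk11_passwd` signal this commit introduces, and the result should be checked: `if (PK11_InitPin (slot, "", new_pin) != SECSuccess) return FALSE;`, where `new_pin` stands for the user-supplied value. Until such a prompt exists, returning `FALSE` when `PK11_NeedUserInit (slot)` is true would be safer than installing a known PIN. The two `printf` diagnostics would be better as `g_warning`, and `PORT_GetError() + 0x2000` needs a comment explaining the offset.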
@@ -124,5 +127,7 @@ gboolean e_cert_db_export_pkcs12_file (ECertDB *cert_db, GList *certs, GError **error); +gboolean e_cert_db_login_to_slot (ECertDB *cert_db, + PK11SlotInfo *slot); #endif /* _E_CERT_DB_H_ */ diff --git a/smime/lib/e-pkcs12.c b/smime/lib/e-pkcs12.c index 3092944196..0a9bb3bc74 100644 --- a/smime/lib/e-pkcs12.c +++ b/smime/lib/e-pkcs12.c @@ -63,30 +63,29 @@ #include #include "e-util/e-passwords.h" +#include "e-cert-db.h" #include "e-pkcs12.h" #include "prmem.h" #include "nss.h" +#include "ssl.h" #include "pkcs12.h" #include "p12plcy.h" #include "pk11func.h" #include "secerr.h" struct _EPKCS12Private { - int tmp_fd; - char *tmp_path; + int mumble; }; #define PARENT_TYPE G_TYPE_OBJECT static GObjectClass *parent_class; -// static callback functions for the NSS PKCS#12 library +/* static callback functions for the NSS PKCS#12 library */ static SECItem * PR_CALLBACK nickname_collision(SECItem *, PRBool *, void *); -static void PR_CALLBACK write_export_file(void *arg, const char *buf, unsigned long len); static gboolean handle_error(int myerr); -#define PKCS12_TMPFILENAME ".p12tmp" #define PKCS12_BUFFER_SIZE 2048 #define PKCS12_RESTORE_OK 1 #define PKCS12_BACKUP_OK 2 @@ -185,20 +184,16 @@ input_to_decoder (SEC_PKCS12DecoderContext *dcx, const char *path, GError **erro while (TRUE) { amount = fread (buf, 1, sizeof (buf), fp); if (amount < 0) { - printf ("got -1 fread\n"); fclose (fp); return FALSE; } + /* feed the file data into the decoder */ srv = SEC_PKCS12DecoderUpdate(dcx, (unsigned char*) buf, amount); if (srv) { - /* don't allow the close call to overwrite our precious error code */ /* XXX g_error */ - int pr_err = PORT_GetError(); - PORT_SetError(pr_err); - printf ("SEC_PKCS12DecoderUpdate returned %d\n", srv); fclose (fp); return FALSE; } 
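Review bot: The read loop in `input_to_decoder` still tests `amount < 0` after `fread`, but `fread` returns a `size_t` count and never a negative value, so that branch does not catch a read error (and is dead code if `amount` is unsigned; its declaration is outside the hunk). Use `if (ferror (fp))` for the error case. Both failure returns leave `*error` unset, as the `XXX g_error` marker admits, so callers cannot tell an I/O failure from a decoder rejection; a `g_set_error` call at each would fix that. The loop's termination test lies outside the hunk.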
@@ -209,6 +204,9 @@ input_to_decoder (SEC_PKCS12DecoderContext *dcx, const char *path, GError **erro return TRUE; } +/* XXX toshok - this needs to be done using a signal as in the + e_cert_db_login_to_slot stuff, instead of a direct gui dep here.. + for now, though, it stays. */ static gboolean prompt_for_password (char *title, char *prompt, SECItem *pwd) { @@ -219,8 +217,27 @@ prompt_for_password (char *title, char *prompt, SECItem *pwd) NULL); if (passwd) { - SECITEM_AllocItem(NULL, pwd, PL_strlen (passwd)); - memcpy (pwd->data, passwd, strlen (passwd)); + int len = g_utf8_strlen (passwd, -1); + gunichar2 uni; + int i; + char *p; + + SECITEM_AllocItem(NULL, pwd, sizeof (gunichar2) * (len + 1)); + memset (pwd->data, 0, sizeof (gunichar2) * (len + 1)); + +#ifdef IS_LITTLE_ENDIAN + p = passwd; + for (i=0; i < len; i++) { + uni = (gunichar2)(g_utf8_get_char (p) & 0xFFFF); + p = g_utf8_next_char (p); + + pwd->data[2*i] = (unsigned char)(uni >> 8); + pwd->data[2*i+1] = (unsigned char)(uni & 0xFF); + } +#else + memcpy (pwd->data, uni, pwd->len-2); +#endif + memset (passwd, 0, strlen (passwd)); g_free (passwd); } @@ -228,19 +245,17 @@ prompt_for_password (char *title, char *prompt, SECItem *pwd) } static gboolean -import_from_file_helper (EPKCS12 *pkcs12, const char *path, gboolean *aWantRetry, GError **error) +import_from_file_helper (EPKCS12 *pkcs12, PK11SlotInfo *slot, + const char *path, gboolean *aWantRetry, GError **error) { /*nsNSSShutDownPreventionLock locker; */ - gboolean rv = TRUE; + gboolean rv; SECStatus srv = SECSuccess; SEC_PKCS12DecoderContext *dcx = NULL; SECItem passwd; GError *err = NULL; - PK11SlotInfo *slot = PK11_GetInternalKeySlot (); /* XXX toshok - we - hardcode this - here */ - *aWantRetry = FALSE; + *aWantRetry = FALSE; passwd.data = NULL; rv = prompt_for_password (_("PKCS12 File Password"), _("Enter password for PKCS12 file:"), &passwd); 
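Review bot: The `#else` branch in `prompt_for_password` calls `memcpy (pwd->data, uni, pwd->len-2)` with `uni`, an uninitialised `gunichar2` scalar, as the source pointer, so a build without `IS_LITTLE_ENDIAN` fills the PKCS#12 password item from an invalid address instead of from `passwd`. The byte-wise stores in the `#ifdef` branch (`uni >> 8`, then `uni & 0xFF`) already write big-endian UCS-2 on any host, so the conditional can be dropped and the loop used unconditionally. The result of `SECITEM_AllocItem` is not checked before `memset (pwd->data, ...)`, so an allocation failure dereferences NULL; check it, wipe and free `passwd`, and return `FALSE`. The `& 0xFFFF` mask silently truncates characters outside the BMP, and rejecting such input would be safer than deriving a key from a password that differs from what the user typed.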
@@ -250,32 +265,14 @@ import_from_file_helper (EPKCS12 *pkcs12, const char *path, gboolean *aWantRetry return TRUE; } -#if notyet - /* XXX we don't need this block as long as we hardcode the - slot above */ - nsXPIDLString tokenName; - nsXPIDLCString tokenNameCString; - const char *tokNameRef; - - - mToken->GetTokenName (getter_Copies(tokenName)); - tokenNameCString.Adopt (ToNewUTF8String(tokenName)); - tokNameRef = tokenNameCString; /* I do this here so that the - NS_CONST_CAST below doesn't - break the build on Win32 */ - - slot = PK11_FindSlotByName (NS_CONST_CAST(char*,tokNameRef)); - if (!slot) { - srv = SECFailure; - goto finish; - } -#endif - /* initialize the decoder */ - dcx = SEC_PKCS12DecoderStart (&passwd, slot, NULL, - NULL, NULL, - NULL, NULL, - pkcs12); + dcx = SEC_PKCS12DecoderStart (&passwd, + slot, + /* we specify NULL for all the + funcs + data so it'll use the + default pk11wrap functions */ + NULL, NULL, NULL, + NULL, NULL, NULL); if (!dcx) { srv = SECFailure; goto finish; @@ -289,19 +286,21 @@ import_from_file_helper (EPKCS12 *pkcs12, const char *path, gboolean *aWantRetry // inputToDecoder indicated a NSS error srv = SECFailure; } +#else + srv = SECFailure; #endif goto finish; } /* verify the blob */ srv = SEC_PKCS12DecoderVerify (dcx); - if (srv) { printf ("decoderverify failed\n"); goto finish; } + if (srv) goto finish; /* validate bags */ srv = SEC_PKCS12DecoderValidateBags (dcx, nickname_collision); - if (srv) { printf ("decodervalidatebags failed\n"); goto finish; } + if (srv) goto finish; /* import cert and key */ srv = SEC_PKCS12DecoderImportBags (dcx); - if (srv) { printf ("decoderimportbags failed\n"); goto finish; } + if (srv) goto finish; /* Later - check to see if this should become default email cert */ handle_error (PKCS12_RESTORE_OK); finish: 
@@ -309,18 +308,14 @@ import_from_file_helper (EPKCS12 *pkcs12, const char *path, gboolean *aWantRetry We should use that error code instead of inventing a new one for every error possible. */ if (srv != SECSuccess) { - printf ("srv != SECSuccess\n"); if (SEC_ERROR_BAD_PASSWORD == PORT_GetError()) { - printf ("BAD PASSWORD\n"); *aWantRetry = TRUE; } handle_error(PKCS12_NSS_ERROR); } else if (!rv) { handle_error(PKCS12_RESTORE_FAILED); } - if (slot) - PK11_FreeSlot(slot); - // finish the decoder + /* finish the decoder */ if (dcx) SEC_PKCS12DecoderFinish(dcx); return TRUE; @@ -332,32 +327,17 @@ e_pkcs12_import_from_file (EPKCS12 *pkcs12, const char *path, GError **error) /*nsNSSShutDownPreventionLock locker;*/ gboolean rv = TRUE; gboolean wantRetry; + PK11SlotInfo *slot; + printf ("importing pkcs12 from `%s'\n", path); -#if 0 - /* XXX we don't use tokens yet */ - if (!mToken) { - if (!mTokenSet) { - rv = SetToken(NULL); // Ask the user to pick a slot - if (NS_FAILED(rv)) { - handle_error(PKCS12_USER_CANCELED); - return rv; - } - } - } + slot = PK11_GetInternalKeySlot(); - if (!mToken) { - handle_error(PKCS12_RESTORE_FAILED); - return NS_ERROR_NOT_AVAILABLE; - } + if (!e_cert_db_login_to_slot (e_cert_db_peek (), slot)) + return FALSE; - /* init slot */ - rv = mToken->Login(PR_TRUE); - if (NS_FAILED(rv)) return rv; -#endif - do { - rv = import_from_file_helper (pkcs12, path, &wantRetry, error); + rv = import_from_file_helper (pkcs12, slot, path, &wantRetry, error); } while (rv && wantRetry); return rv; @@ -433,18 +413,6 @@ nickname_collision(SECItem *oldNick, PRBool *cancel, void *wincx) return new_nick; } -/* write bytes to the exported PKCS#12 file */ -static void PR_CALLBACK -write_export_file(void *arg, const char *buf, unsigned long len) -{ - EPKCS12 *pkcs12 = E_PKCS12 (arg); - EPKCS12Private *priv = pkcs12->priv; - - printf ("write_export_file\n"); - - write (priv->tmp_fd, buf, len); -} - static gboolean handle_error(int myerr) { 
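Review bot: The `finish:` path of `import_from_file_helper` releases the decoder but, in the lines visible here, never wipes or frees `passwd`, the `SECItem` holding the UCS-2 copy of the PKCS#12 password allocated by `prompt_for_password`. Add `SECITEM_ZfreeItem (&passwd, PR_FALSE);` next to the `SEC_PKCS12DecoderFinish` call so the password does not linger in heap memory after the import. The function also ends in `return TRUE;` after `handle_error`, so a failed import that is not a bad-password retry looks like success to the caller; that failure should be surfaced, for example by filling in `error`. Part of the function body lies outside the hunk.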
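Review bot: `e_pkcs12_import_from_file` takes a slot reference with `PK11_GetInternalKeySlot()` but nothing releases it. This commit removes the `PK11_FreeSlot(slot)` call from `import_from_file_helper` and adds none here, so the reference leaks both on the early `return FALSE` and after the retry loop. Call `PK11_FreeSlot (slot);` before both returns. The login-failure return also leaves `*error` unset, and the `printf` of the import path looks like leftover debugging output that should be removed.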
diff --git a/smime/lib/smime-marshal.list b/smime/lib/smime-marshal.list new file mode 100644 index 0000000000..97c7a93233 --- /dev/null +++ b/smime/lib/smime-marshal.list @@ -0,0 +1 @@ +BOOL:POINTER,BOOL,POINTER -- cgit v1.2.3