| /** |
| * Licensed to the Apache Software Foundation (ASF) under one |
| * or more contributor license agreements. See the NOTICE file |
| * distributed with this work for additional information |
| * regarding copyright ownership. The ASF licenses this file |
| * to you under the Apache License, Version 2.0 (the |
| * "License"); you may not use this file except in compliance |
| * with the License. You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, |
| * software distributed under the License is distributed on an |
| * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| * KIND, either express or implied. See the License for the |
| * specific language governing permissions and limitations |
| * under the License. |
| */ |
| |
| /* |
| * XSEC |
| * |
| * NSSCryptoX509:= NSS based class for handling X509 (V3) certificates |
| * |
| * Author(s): Milan Tomic |
| * |
| */ |
| |
| #include <xsec/framework/XSECDefs.hpp> |
| #include <xsec/framework/XSECError.hpp> |
| #include <xsec/enc/NSS/NSSCryptoProvider.hpp> |
| #include <xsec/enc/NSS/NSSCryptoX509.hpp> |
| #include <xsec/enc/NSS/NSSCryptoKeyDSA.hpp> |
| #include <xsec/enc/NSS/NSSCryptoKeyRSA.hpp> |
| #include <xsec/enc/XSECCryptoException.hpp> |
| #include <xsec/enc/XSCrypt/XSCryptCryptoBase64.hpp> |
| |
| #if defined (XSEC_HAVE_NSS) |
| |
| extern "C" { |
| |
| extern CERTCertificate * |
| __CERT_DecodeDERCertificate (SECItem *derSignedCert, PRBool copyDER, char *nickname); |
| |
| } |
| |
| #include <xercesc/util/Janitor.hpp> |
| |
| XSEC_USING_XERCES(ArrayJanitor); |
| |
| // -------------------------------------------------------------------------------- |
| // Constructor |
| // -------------------------------------------------------------------------------- |
| |
| NSSCryptoX509::NSSCryptoX509() : m_DERX509(""), mp_cert(NULL) { |
| |
| |
| } |
| |
| // -------------------------------------------------------------------------------- |
| // Constructor |
| // -------------------------------------------------------------------------------- |
| |
| NSSCryptoX509::NSSCryptoX509(CERTCertificate * pCert) { |
| |
| // Build this from an existing CERTCertificate structure |
| |
| mp_cert = pCert; |
| |
| unsigned char * encCert; |
| unsigned long len = mp_cert->derCert.len * 2; |
| XSECnew(encCert, unsigned char [len]); |
| ArrayJanitor<unsigned char> j_encCert(encCert); |
| |
| // Base64 Encode |
| XSCryptCryptoBase64 b64; |
| |
| b64.encodeInit(); |
| unsigned long encCertLen = b64.encode(mp_cert->derCert.data, mp_cert->derCert.len, encCert, len); |
| encCertLen += b64.encodeFinish(&encCert[encCertLen], len - encCertLen); |
| |
| // Check the result |
| if (encCert == NULL) { |
| |
| throw XSECCryptoException(XSECCryptoException::X509Error, |
| "NSSX509:NSSX509 - Error encoding certificate"); |
| |
| } |
| |
| m_DERX509.sbMemcpyIn(encCert, encCertLen); |
| m_DERX509[encCertLen] = '\0'; |
| |
| } |
| |
| // -------------------------------------------------------------------------------- |
| // Destructor |
| // -------------------------------------------------------------------------------- |
| |
| NSSCryptoX509::~NSSCryptoX509() { |
| |
| if (mp_cert != 0) |
| CERT_DestroyCertificate(mp_cert); |
| |
| } |
| |
| // -------------------------------------------------------------------------------- |
| // Load X509 |
| // -------------------------------------------------------------------------------- |
| |
| void NSSCryptoX509::loadX509Base64Bin(const char * buf, unsigned int len) { |
| |
| unsigned char * rawCert; |
| XSECnew(rawCert, unsigned char [len]); |
| ArrayJanitor<unsigned char> j_rawCert(rawCert); |
| |
| // Base64 Decode |
| XSCryptCryptoBase64 b64; |
| |
| b64.decodeInit(); |
| unsigned int rawCertLen = b64.decode((unsigned char *) buf, len, rawCert, len); |
| rawCertLen += b64.decodeFinish(&rawCert[rawCertLen], len - rawCertLen); |
| |
| // Now load certificate |
| |
| SECItem i; |
| i.type = siBuffer; |
| i.data = rawCert; |
| i.len = rawCertLen; |
| |
| SECItem *certs[1]; |
| certs[0] = &i; |
| |
| // For returning |
| CERTCertificate **certArray = NULL; |
| |
| /* mp_cert = __CERT_DecodeDERCertificate(&i, PR_TRUE, NULL); */ |
| CERT_ImportCerts(CERT_GetDefaultCertDB(), certUsageUserCertImport, 1, certs, |
| &certArray, PR_FALSE, PR_FALSE, NULL); |
| // 1. If you got an compiler error here add into "nss/cert.h" delacarion for |
| // CERT_DecodeDERCertificate() (the same parameters as for __CERT_DecodeDERCertificate()) |
| // 2. Since __CERT_DecodeDERCertificate is a private function we might consider using |
| // __CERT_NewTempCertificate() or CERT_ImportCerts() instead. |
| |
| // Now map to our cert |
| if (certArray == NULL) { |
| throw XSECCryptoException(XSECCryptoException::X509Error, |
| "NSSX509:loadX509Base64Bin - Error decoding certificate"); |
| } |
| |
| mp_cert = certArray[0]; |
| |
| if (mp_cert == 0) { |
| |
| throw XSECCryptoException(XSECCryptoException::X509Error, |
| "NSSX509:loadX509Base64Bin - Error decoding certificate"); |
| |
| } |
| |
| m_DERX509.sbMemcpyIn(buf, len); |
| m_DERX509[len] = '\0'; |
| |
| } |
| |
| // -------------------------------------------------------------------------------- |
| // Get NSS provider name |
| // -------------------------------------------------------------------------------- |
| |
| const XMLCh * NSSCryptoX509::getProviderName() const { |
| |
| return DSIGConstants::s_unicodeStrPROVNSS; |
| |
| } |
| |
| // -------------------------------------------------------------------------------- |
| // Get publickey type: RSA or DSA |
| // -------------------------------------------------------------------------------- |
| |
| XSECCryptoKey::KeyType NSSCryptoX509::getPublicKeyType() const { |
| |
| if (mp_cert == NULL) { |
| |
| throw XSECCryptoException(XSECCryptoException::X509Error, |
| "NSS:X509 - getPublicKeyType called before X509 loaded"); |
| |
| } |
| |
| XSECCryptoKey::KeyType kt = XSECCryptoKey::KEY_NONE; |
| |
| SECKEYPublicKey * pubkey = CERT_ExtractPublicKey(mp_cert); |
| |
| if (pubkey == 0) { |
| |
| throw XSECCryptoException(XSECCryptoException::X509Error, |
| "NSS:X509 - Error extracting public key from X509 certificate"); |
| |
| } |
| |
| if (pubkey->keyType == dsaKey) |
| kt = XSECCryptoKey::KEY_DSA_PUBLIC; |
| |
| if (pubkey->keyType == rsaKey) |
| kt = XSECCryptoKey::KEY_RSA_PUBLIC; |
| |
| SECKEY_DestroyPublicKey(pubkey); |
| |
| return kt; |
| |
| } |
| |
| // -------------------------------------------------------------------------------- |
| // Replicate public key |
| // -------------------------------------------------------------------------------- |
| |
| XSECCryptoKey * NSSCryptoX509::clonePublicKey() const { |
| |
| if (mp_cert == NULL) { |
| |
| throw XSECCryptoException(XSECCryptoException::X509Error, |
| "NSS:X509 - clonePublicKey called before X509 loaded"); |
| |
| } |
| |
| // Import the key into the provider to get a pointer to the key |
| |
| if (getPublicKeyType() == XSECCryptoKey::KEY_DSA_PUBLIC) { |
| |
| SECKEYPublicKey * pubkey = CERT_ExtractPublicKey(mp_cert); |
| |
| // Now that we have a handle for the DSA key, create a DSA Key object to |
| // wrap it in |
| |
| NSSCryptoKeyDSA * ret; |
| XSECnew(ret, NSSCryptoKeyDSA(pubkey)); |
| |
| return ret; |
| |
| } |
| |
| if (getPublicKeyType() == XSECCryptoKey::KEY_RSA_PUBLIC) { |
| |
| SECKEYPublicKey * pubkey = CERT_ExtractPublicKey(mp_cert); |
| |
| // Now that we have a handle for the DSA key, create a DSA Key object to |
| // wrap it in |
| |
| NSSCryptoKeyRSA * ret; |
| XSECnew(ret, NSSCryptoKeyRSA(pubkey)); |
| |
| return ret; |
| |
| } |
| |
| return NULL; // Unknown key type, but not necessarily an error |
| |
| } |
| |
| #endif /* XSEC_HAVE_NSS */ |
