No issues found
1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: t; c-basic-offset: 8 -*- */
2 /* The following is the mozilla license blurb, as the bodies some of
3 * these functions were derived from the mozilla source. */
4 /*
5 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
6 *
7 * The contents of this file are subject to the Mozilla Public License Version
8 * 1.1 (the "License"); you may not use this file except in compliance with
9 * the License. You may obtain a copy of the License at
10 * http://www.mozilla.org/MPL/
11 *
12 * Software distributed under the License is distributed on an "AS IS" basis,
13 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
14 * for the specific language governing rights and limitations under the
15 * License.
16 *
17 * The Original Code is the Netscape security libraries.
18 *
19 * The Initial Developer of the Original Code is
20 * Netscape Communications Corporation.
21 * Portions created by the Initial Developer are Copyright (C) 1994-2000
22 * the Initial Developer. All Rights Reserved.
23 *
24 * Alternatively, the contents of this file may be used under the terms of
25 * either the GNU General Public License Version 2 or later (the "GPL"), or
26 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
27 * in which case the provisions of the GPL or the LGPL are applicable instead
28 * of those above. If you wish to allow use of your version of this file only
29 * under the terms of either the GPL or the LGPL, and not to allow others to
30 * use your version of this file under the terms of the MPL, indicate your
31 * decision by deleting the provisions above and replace them with the notice
32 * and other provisions required by the GPL or the LGPL. If you do not delete
33 * the provisions above, a recipient may use your version of this file under
34 * the terms of any one of the MPL, the GPL or the LGPL.
35 */
36
37 /*
38 * Author: Chris Toshok (toshok@ximian.com)
39 *
40 * Copyright (C) 1999-2008 Novell, Inc. (www.novell.com)
41 */
42 #ifdef HAVE_CONFIG_H
43 #include <config.h>
44 #endif
45
46 #include <glib/gstdio.h>
47 #include <gtk/gtk.h>
48 #include <glib/gi18n.h>
49
50 #include <time.h>
51 #include <fcntl.h>
52 #include <unistd.h>
53
54 #include <libedataserverui/libedataserverui.h>
55
56 #include "e-cert-db.h"
57 #include "e-pkcs12.h"
58
59 #include "prmem.h"
60 #include "nss.h"
61 #include "ssl.h"
62 #include "pkcs12.h"
63 #include "p12plcy.h"
64 #include "pk11func.h"
65 #include "secerr.h"
66
67 /* static callback functions for the NSS PKCS#12 library */
68 static SECItem * PR_CALLBACK nickname_collision (SECItem *, PRBool *, gpointer);
69
70 static gboolean handle_error (gint myerr);
71
72 #define PKCS12_BUFFER_SIZE 2048
73 #define PKCS12_RESTORE_OK 1
74 #define PKCS12_BACKUP_OK 2
75 #define PKCS12_USER_CANCELED 3
76 #define PKCS12_NOSMARTCARD_EXPORT 4
77 #define PKCS12_RESTORE_FAILED 5
78 #define PKCS12_BACKUP_FAILED 6
79 #define PKCS12_NSS_ERROR 7
80
81 G_DEFINE_TYPE (EPKCS12, e_pkcs12, G_TYPE_OBJECT)
82
83 static void
84 e_pkcs12_class_init (EPKCS12Class *class)
85 {
86 }
87
88 static void
89 e_pkcs12_init (EPKCS12 *ec)
90 {
91 }
92
93 EPKCS12 *
94 e_pkcs12_new (void)
95 {
96 return g_object_new (E_TYPE_PKCS12, NULL);
97 }
98
99 static gboolean
100 input_to_decoder (SEC_PKCS12DecoderContext *dcx,
101 const gchar *path,
102 GError **error)
103 {
104 /* nsNSSShutDownPreventionLock locker; */
105 SECStatus srv;
106 gint amount;
107 gchar buf[PKCS12_BUFFER_SIZE];
108 FILE *fp;
109
110 /* open path */
111 fp = g_fopen (path, "rb");
112 if (!fp) {
113 /* XXX gerror */
114 printf ("couldn't open '%s'\n", path);
115 return FALSE;
116 }
117
118 while (TRUE) {
119 amount = fread (buf, 1, sizeof (buf), fp);
120 if (amount < 0) {
121 fclose (fp);
122 return FALSE;
123 }
124
125 /* feed the file data into the decoder */
126 srv = SEC_PKCS12DecoderUpdate (
127 dcx, (guchar *) buf, amount);
128 if (srv) {
129 /* XXX g_error */
130 fclose (fp);
131 return FALSE;
132 }
133 if (amount < PKCS12_BUFFER_SIZE)
134 break;
135 }
136 fclose (fp);
137 return TRUE;
138 }
139
140 /* XXX toshok - this needs to be done using a signal as in the
141 * e_cert_db_login_to_slot stuff, instead of a direct gui dep here..
142 * for now, though, it stays. */
143 static gboolean
144 prompt_for_password (gchar *title,
145 gchar *prompt,
146 SECItem *pwd)
147 {
148 gchar *passwd;
149
150 passwd = e_passwords_ask_password (
151 title, NULL, "", prompt,
152 E_PASSWORDS_REMEMBER_NEVER | E_PASSWORDS_SECRET,
153 NULL, NULL);
154
155 if (passwd) {
156 gsize len = strlen (passwd);
157 const gchar *inptr = passwd;
158 guchar *outptr;
159 gunichar2 c;
160
161 SECITEM_AllocItem (NULL, pwd, sizeof (gunichar2) * (len + 1));
162
163 outptr = pwd->data;
164 while (inptr && (c = (gunichar2) (g_utf8_get_char (inptr) & 0xffff))) {
165 inptr = g_utf8_next_char (inptr);
166 c = GUINT16_TO_BE (c);
167 *outptr++ = ((gchar *) &c)[0];
168 *outptr++ = ((gchar *) &c)[1];
169 }
170
171 outptr[0] = 0;
172 outptr[1] = 0;
173
174 memset (passwd, 0, strlen (passwd));
175 g_free (passwd);
176 }
177
178 return TRUE;
179 }
180
181 static gboolean
182 import_from_file_helper (EPKCS12 *pkcs12,
183 PK11SlotInfo *slot,
184 const gchar *path,
185 gboolean *aWantRetry,
186 GError **error)
187 {
188 /*nsNSSShutDownPreventionLock locker; */
189 gboolean rv;
190 SECStatus srv = SECSuccess;
191 SEC_PKCS12DecoderContext *dcx = NULL;
192 SECItem passwd;
193 GError *err = NULL;
194
195 *aWantRetry = FALSE;
196
197 passwd.data = NULL;
198 rv = prompt_for_password (
199 _("PKCS12 File Password"),
200 _("Enter password for PKCS12 file:"), &passwd);
201 if (!rv) goto finish;
202 if (passwd.data == NULL) {
203 handle_error (PKCS12_USER_CANCELED);
204 return TRUE;
205 }
206
207 /* initialize the decoder */
208 dcx = SEC_PKCS12DecoderStart (
209 &passwd,
210 slot,
211 /* we specify NULL for all the
212 * funcs + data so it'll use the
213 * default pk11wrap functions */
214 NULL, NULL, NULL,
215 NULL, NULL, NULL);
216 if (!dcx) {
217 srv = SECFailure;
218 goto finish;
219 }
220 /* read input file and feed it to the decoder */
221 rv = input_to_decoder (dcx, path, &err);
222 if (!rv) {
223 #ifdef notyet
224 /* XXX we need this to check the gerror */
225 if (NS_ERROR_ABORT == rv) {
226 /* inputToDecoder indicated a NSS error */
227 srv = SECFailure;
228 }
229 #else
230 srv = SECFailure;
231 #endif
232 goto finish;
233 }
234
235 /* verify the blob */
236 srv = SEC_PKCS12DecoderVerify (dcx);
237 if (srv) goto finish;
238 /* validate bags */
239 srv = SEC_PKCS12DecoderValidateBags (dcx, nickname_collision);
240 if (srv) goto finish;
241 /* import cert and key */
242 srv = SEC_PKCS12DecoderImportBags (dcx);
243 if (srv) goto finish;
244 /* Later - check to see if this should become default email cert */
245 handle_error (PKCS12_RESTORE_OK);
246 finish:
247 /* If srv != SECSuccess, NSS probably set a specific error code.
248 * We should use that error code instead of inventing a new one
249 * for every error possible. */
250 if (srv != SECSuccess) {
251 if (SEC_ERROR_BAD_PASSWORD == PORT_GetError ()) {
252 *aWantRetry = TRUE;
253 }
254 handle_error (PKCS12_NSS_ERROR);
255 } else if (!rv) {
256 handle_error (PKCS12_RESTORE_FAILED);
257 }
258 /* finish the decoder */
259 if (dcx)
260 SEC_PKCS12DecoderFinish (dcx);
261 return TRUE;
262 }
263
264 gboolean
265 e_pkcs12_import_from_file (EPKCS12 *pkcs12,
266 const gchar *path,
267 GError **error)
268 {
269 /*nsNSSShutDownPreventionLock locker;*/
270 gboolean rv = TRUE;
271 gboolean wantRetry;
272 PK11SlotInfo *slot;
273
274 printf ("importing pkcs12 from '%s'\n", path);
275
276 slot = PK11_GetInternalKeySlot ();
277
278 if (!e_cert_db_login_to_slot (e_cert_db_peek (), slot))
279 return FALSE;
280
281 do {
282 rv = import_from_file_helper (pkcs12, slot, path, &wantRetry, error);
283 } while (rv && wantRetry);
284
285 return rv;
286 }
287
288 gboolean
289 e_pkcs12_export_to_file (EPKCS12 *pkcs12,
290 const gchar *path,
291 GList *certs,
292 GError **error)
293 {
294 return FALSE;
295 }
296
297 /* what to do when the nickname collides with one already in the db.
298 * TODO: not handled, throw a dialog allowing the nick to be changed? */
299 static SECItem * PR_CALLBACK
300 nickname_collision (SECItem *oldNick,
301 PRBool *cancel,
302 gpointer wincx)
303 {
304 /* nsNSSShutDownPreventionLock locker; */
305 gint count = 1;
306 gchar *nickname = NULL;
307 gchar *default_nickname = _("Imported Certificate");
308 SECItem *new_nick;
309
310 *cancel = PR_FALSE;
311 printf ("nickname_collision\n");
312
313 /* The user is trying to import a PKCS#12 file that doesn't have the
314 * attribute we use to set the nickname. So in order to reduce the
315 * number of interactions we require with the user, we'll build a nickname
316 * for the user. The nickname isn't prominently displayed in the UI,
317 * so it's OK if we generate one on our own here.
318 * XXX If the NSS API were smarter and actually passed a pointer to
319 * the CERTCertificate * we're importing we could actually just
320 * call default_nickname (which is what the issuance code path
321 * does) and come up with a reasonable nickname. Alas, the NSS
322 * API limits our ability to produce a useful nickname without
323 * bugging the user. :(
324 */
325 while (1) {
326 CERTCertificate *cert;
327
328 /* If we've gotten this far, that means there isn't a certificate
329 * in the database that has the same subject name as the cert we're
330 * trying to import. So we need to come up with a "nickname" to
331 * satisfy the NSS requirement or fail in trying to import.
332 * Basically we use a default nickname from a properties file and
333 * see if a certificate exists with that nickname. If there isn't, then
334 * create update the count by one and append the string '#1' Or
335 * whatever the count currently is, and look for a cert with
336 * that nickname. Keep updating the count until we find a nickname
337 * without a corresponding cert.
338 * XXX If a user imports *many * certs without the 'friendly name'
339 * attribute, then this may take a long time. :(
340 */
341 if (count > 1) {
342 g_free (nickname);
343 nickname = g_strdup_printf ("%s #%d", default_nickname, count);
344 } else {
345 g_free (nickname);
346 nickname = g_strdup (default_nickname);
347 }
348 cert = CERT_FindCertByNickname (
349 CERT_GetDefaultCertDB (),
350 nickname);
351 if (!cert) {
352 break;
353 }
354 CERT_DestroyCertificate (cert);
355 count++;
356 }
357
358 new_nick = PR_Malloc (sizeof (SECItem));
359 new_nick->type = siAsciiString;
360 new_nick->data = (guchar *) nickname;
361 new_nick->len = strlen ((gchar *) new_nick->data);
362 return new_nick;
363 }
364
365 static gboolean
366 handle_error (gint myerr)
367 {
368 printf ("handle_error (%d)\n", myerr);
369
370 return FALSE;
371 }