summaryrefslogtreecommitdiffstats
path: root/uui/source/iahndl-ssl.cxx
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-15 05:54:39 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-15 05:54:39 +0000
commit267c6f2ac71f92999e969232431ba04678e7437e (patch)
tree358c9467650e1d0a1d7227a21dac2e3d08b622b2 /uui/source/iahndl-ssl.cxx
parentInitial commit. (diff)
downloadlibreoffice-267c6f2ac71f92999e969232431ba04678e7437e.tar.xz
libreoffice-267c6f2ac71f92999e969232431ba04678e7437e.zip
Adding upstream version 4:24.2.0.upstream/4%24.2.0
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'uui/source/iahndl-ssl.cxx')
-rw-r--r--uui/source/iahndl-ssl.cxx365
1 files changed, 365 insertions, 0 deletions
diff --git a/uui/source/iahndl-ssl.cxx b/uui/source/iahndl-ssl.cxx
new file mode 100644
index 0000000000..24737d4a03
--- /dev/null
+++ b/uui/source/iahndl-ssl.cxx
@@ -0,0 +1,365 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
+/*
+ * This file is part of the LibreOffice project.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * This file incorporates work covered by the following license notice:
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed
+ * with this work for additional information regarding copyright
+ * ownership. The ASF licenses this file to you under the Apache
+ * License, Version 2.0 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.apache.org/licenses/LICENSE-2.0 .
+ */
+
+
+#include <com/sun/star/security/CertificateValidity.hpp>
+#include <com/sun/star/security/XCertificateExtension.hpp>
+#include <com/sun/star/security/XSanExtension.hpp>
+#include <com/sun/star/security/ExtAltNameType.hpp>
+#include <com/sun/star/task/XInteractionAbort.hpp>
+#include <com/sun/star/task/XInteractionApprove.hpp>
+#include <com/sun/star/task/XInteractionRequest.hpp>
+#include <com/sun/star/ucb/CertificateValidationRequest.hpp>
+#include <com/sun/star/uno/Reference.hxx>
+
+#include <comphelper/lok.hxx>
+#include <comphelper/sequence.hxx>
+#include <com/sun/star/uno/Sequence.hxx>
+#include <o3tl/string_view.hxx>
+#include <svl/numformat.hxx>
+#include <svl/zforlist.hxx>
+#include <unotools/resmgr.hxx>
+#include <vcl/svapp.hxx>
+#include <vcl/settings.hxx>
+
+#include <ids.hrc>
+#include "getcontinuations.hxx"
+#include "sslwarndlg.hxx"
+#include "unknownauthdlg.hxx"
+
+#include "iahndl.hxx"
+
+#include <memory>
+
+#define OID_SUBJECT_ALTERNATIVE_NAME "2.5.29.17"
+
+
+using namespace com::sun::star;
+
+namespace {
+
+OUString
+getContentPart( std::u16string_view _rRawString )
+{
+ // search over some parts to find a string
+ static char const * aIDs[] = { "CN=", "OU=", "O=", "E=", nullptr };
+ OUString sPart;
+ int i = 0;
+ while ( aIDs[i] )
+ {
+ OUString sPartId = OUString::createFromAscii( aIDs[i++] );
+ size_t nContStart = _rRawString.find( sPartId );
+ if ( nContStart != std::u16string_view::npos )
+ {
+ nContStart += sPartId.getLength();
+ size_t nContEnd = _rRawString.find( ',', nContStart );
+ if ( nContEnd != std::u16string_view::npos )
+ sPart = _rRawString.substr( nContStart, nContEnd - nContStart );
+ else
+ sPart = _rRawString.substr( nContStart );
+ break;
+ }
+ }
+ return sPart;
+}
+
+bool
+isDomainMatch(
+ std::u16string_view hostName, const uno::Sequence< OUString >& certHostNames)
+{
+ for ( const OUString& element : certHostNames){
+ if (element.isEmpty())
+ continue;
+
+ if (o3tl::equalsIgnoreAsciiCase( hostName, element ))
+ return true;
+
+ if (element.startsWith("*") &&
+ sal_Int32(hostName.size()) >= element.getLength() )
+ {
+ OUString cmpStr = element.copy( 1 );
+ if ( o3tl::matchIgnoreAsciiCase(hostName,
+ cmpStr, hostName.size() - cmpStr.getLength()) )
+ return true;
+ }
+ }
+
+ return false;
+}
+
+OUString
+getLocalizedDatTimeStr(
+ uno::Reference< uno::XComponentContext> const & xContext,
+ util::DateTime const & rDateTime )
+{
+ OUString aDateTimeStr;
+ Date aDate( Date::EMPTY );
+ tools::Time aTime( tools::Time::EMPTY );
+
+ aDate = Date( rDateTime.Day, rDateTime.Month, rDateTime.Year );
+ aTime = tools::Time( rDateTime.Hours, rDateTime.Minutes, rDateTime.Seconds );
+
+ LanguageType eUILang = Application::GetSettings().GetUILanguageTag().getLanguageType();
+ SvNumberFormatter *pNumberFormatter = new SvNumberFormatter( xContext, eUILang );
+ OUString aTmpStr;
+ const Color* pColor = nullptr;
+ const Date& rNullDate = pNumberFormatter->GetNullDate();
+ sal_uInt32 nFormat
+ = pNumberFormatter->GetStandardFormat( SvNumFormatType::DATE, eUILang );
+
+ pNumberFormatter->GetOutputString( aDate - rNullDate, nFormat, aTmpStr, &pColor );
+ aDateTimeStr = aTmpStr + " ";
+
+ nFormat = pNumberFormatter->GetStandardFormat( SvNumFormatType::TIME, eUILang );
+ pNumberFormatter->GetOutputString(
+ aTime.GetTimeInDays(), nFormat, aTmpStr, &pColor );
+ aDateTimeStr += aTmpStr;
+
+ return aDateTimeStr;
+}
+
+bool
+executeUnknownAuthDialog(
+ weld::Window * pParent,
+ uno::Reference< uno::XComponentContext > const & xContext,
+ const uno::Reference< security::XCertificate >& rXCert)
+{
+ SolarMutexGuard aGuard;
+
+ UnknownAuthDialog aDialog(pParent, rXCert, xContext);
+
+ // Get correct resource string
+ OUString aMessage;
+
+ std::vector< OUString > aArguments { getContentPart( rXCert->getSubjectName()) };
+
+ std::locale aResLocale(Translate::Create("uui"));
+
+ aMessage = Translate::get(STR_UUI_UNKNOWNAUTH_UNTRUSTED, aResLocale);
+ aMessage = UUIInteractionHelper::replaceMessageWithArguments(
+ aMessage, aArguments );
+ aDialog.setDescriptionText( aMessage );
+
+ return static_cast<bool>(aDialog.run());
+}
+
+enum class SslWarnType {
+ DOMAINMISMATCH, EXPIRED, INVALID
+};
+
+bool
+executeSSLWarnDialog(
+ weld::Window * pParent,
+ uno::Reference< uno::XComponentContext > const & xContext,
+ const uno::Reference< security::XCertificate >& rXCert,
+ SslWarnType failure,
+ const OUString & hostName )
+{
+ SolarMutexGuard aGuard;
+
+ SSLWarnDialog aDialog(pParent, rXCert, xContext);
+
+ // Get correct resource string
+ std::vector< OUString > aArguments_1;
+ TranslateId pMessageKey;
+ TranslateId pTitleKey;
+
+ switch( failure )
+ {
+ case SslWarnType::DOMAINMISMATCH:
+ pMessageKey = STR_UUI_SSLWARN_DOMAINMISMATCH;
+ pTitleKey = STR_UUI_SSLWARN_DOMAINMISMATCH_TITLE;
+ aArguments_1.push_back( hostName );
+ aArguments_1.push_back(
+ getContentPart( rXCert->getSubjectName()) );
+ aArguments_1.push_back( hostName );
+ break;
+ case SslWarnType::EXPIRED:
+ pMessageKey = STR_UUI_SSLWARN_EXPIRED;
+ pTitleKey = STR_UUI_SSLWARN_EXPIRED_TITLE;
+ aArguments_1.push_back(
+ getContentPart( rXCert->getSubjectName()) );
+ aArguments_1.push_back(
+ getLocalizedDatTimeStr( xContext,
+ rXCert->getNotValidAfter() ) );
+ aArguments_1.push_back(
+ getLocalizedDatTimeStr( xContext,
+ rXCert->getNotValidAfter() ) );
+ break;
+ case SslWarnType::INVALID:
+ pMessageKey = STR_UUI_SSLWARN_INVALID;
+ pTitleKey = STR_UUI_SSLWARN_INVALID_TITLE;
+ break;
+ default: assert(false);
+ }
+
+ std::locale aResLocale(Translate::Create("uui"));
+
+ OUString aMessage_1 = Translate::get(pMessageKey, aResLocale);
+ aMessage_1 = UUIInteractionHelper::replaceMessageWithArguments(
+ aMessage_1, aArguments_1 );
+ aDialog.setDescription1Text( aMessage_1 );
+
+ OUString aTitle = Translate::get(pTitleKey, aResLocale);
+ aDialog.set_title(aTitle);
+
+ return static_cast<bool>(aDialog.run());
+}
+
+void
+handleCertificateValidationRequest_(
+ weld::Window * pParent,
+ uno::Reference< uno::XComponentContext > const & xContext,
+ ucb::CertificateValidationRequest const & rRequest,
+ uno::Sequence< uno::Reference< task::XInteractionContinuation > > const &
+ rContinuations)
+{
+ uno::Reference< task::XInteractionApprove > xApprove;
+ uno::Reference< task::XInteractionAbort > xAbort;
+ getContinuations(rContinuations, &xApprove, &xAbort);
+
+ if ( comphelper::LibreOfficeKit::isActive() && xApprove.is() )
+ {
+ xApprove->select();
+ return;
+ }
+
+ sal_Int32 failures = rRequest.CertificateValidity;
+ bool trustCert = true;
+
+ if ( ((failures & security::CertificateValidity::UNTRUSTED)
+ == security::CertificateValidity::UNTRUSTED ) ||
+ ((failures & security::CertificateValidity::ISSUER_UNTRUSTED)
+ == security::CertificateValidity::ISSUER_UNTRUSTED) ||
+ ((failures & security::CertificateValidity::ROOT_UNTRUSTED)
+ == security::CertificateValidity::ROOT_UNTRUSTED) )
+ {
+ trustCert = executeUnknownAuthDialog( pParent,
+ xContext,
+ rRequest.Certificate );
+ }
+
+ const uno::Sequence< uno::Reference< security::XCertificateExtension > > extensions = rRequest.Certificate->getExtensions();
+ uno::Reference< security::XSanExtension > sanExtension;
+ auto pExtension = std::find_if(extensions.begin(), extensions.end(),
+ [](const uno::Reference< security::XCertificateExtension >& element) {
+ OString aId ( reinterpret_cast<const char *>(element->getExtensionId().getConstArray()), element->getExtensionId().getLength());
+ return aId == OID_SUBJECT_ALTERNATIVE_NAME;
+ });
+ if (pExtension != extensions.end())
+ {
+ sanExtension = uno::Reference<security::XSanExtension>(*pExtension, uno::UNO_QUERY);
+ }
+
+ std::vector<security::CertAltNameEntry> altNames;
+ if (sanExtension.is())
+ {
+ altNames = comphelper::sequenceToContainer<std::vector<security::CertAltNameEntry>>(sanExtension->getAlternativeNames());
+ }
+
+ OUString certHostName = getContentPart( rRequest.Certificate->getSubjectName() );
+ uno::Sequence< OUString > certHostNames(altNames.size() + 1);
+ auto pcertHostNames = certHostNames.getArray();
+ pcertHostNames[0] = certHostName;
+
+ for (size_t n = 0; n < altNames.size(); ++n)
+ {
+ if (altNames[n].Type == security::ExtAltNameType_DNS_NAME)
+ {
+ altNames[n].Value >>= pcertHostNames[n+1];
+ }
+ }
+
+ if ( (!isDomainMatch(
+ rRequest.HostName,
+ certHostNames )) &&
+ trustCert )
+ {
+ trustCert = executeSSLWarnDialog( pParent,
+ xContext,
+ rRequest.Certificate,
+ SslWarnType::DOMAINMISMATCH,
+ rRequest.HostName );
+ }
+
+ else if ( (((failures & security::CertificateValidity::TIME_INVALID)
+ == security::CertificateValidity::TIME_INVALID) ||
+ ((failures & security::CertificateValidity::NOT_TIME_NESTED)
+ == security::CertificateValidity::NOT_TIME_NESTED)) &&
+ trustCert )
+ {
+ trustCert = executeSSLWarnDialog( pParent,
+ xContext,
+ rRequest.Certificate,
+ SslWarnType::EXPIRED,
+ rRequest.HostName );
+ }
+
+ else if ( (((failures & security::CertificateValidity::REVOKED)
+ == security::CertificateValidity::REVOKED) ||
+ ((failures & security::CertificateValidity::SIGNATURE_INVALID)
+ == security::CertificateValidity::SIGNATURE_INVALID) ||
+ ((failures & security::CertificateValidity::EXTENSION_INVALID)
+ == security::CertificateValidity::EXTENSION_INVALID) ||
+ ((failures & security::CertificateValidity::INVALID)
+ == security::CertificateValidity::INVALID)) &&
+ trustCert )
+ {
+ trustCert = executeSSLWarnDialog( pParent,
+ xContext,
+ rRequest.Certificate,
+ SslWarnType::INVALID,
+ rRequest.HostName );
+ }
+
+ if ( trustCert )
+ {
+ if (xApprove.is())
+ xApprove->select();
+ }
+ else
+ {
+ if (xAbort.is())
+ xAbort->select();
+ }
+}
+
+} // namespace
+
+bool
+UUIInteractionHelper::handleCertificateValidationRequest(
+ uno::Reference< task::XInteractionRequest > const & rRequest)
+{
+ uno::Any aAnyRequest(rRequest->getRequest());
+
+ ucb::CertificateValidationRequest aCertificateValidationRequest;
+ if (aAnyRequest >>= aCertificateValidationRequest)
+ {
+ uno::Reference<awt::XWindow> xParent = getParentXWindow();
+ handleCertificateValidationRequest_(Application::GetFrameWeld(xParent),
+ m_xContext,
+ aCertificateValidationRequest,
+ rRequest->getContinuations());
+ return true;
+ }
+
+ return false;
+}
+
+/* vim:set shiftwidth=4 softtabstop=4 expandtab: */