/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ /* * This file is part of the LibreOffice project. * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. * * This file incorporates work covered by the following license notice: * * Licensed to the Apache Software Foundation (ASF) under one or more * contributor license agreements. See the NOTICE file distributed * with this work for additional information regarding copyright * ownership. The ASF licenses this file to you under the Apache * License, Version 2.0 (the "License"); you may not use this file * except in compliance with the License. You may obtain a copy of * the License at http://www.apache.org/licenses/LICENSE-2.0 . */ #include #include #include #include #include #include #include "x509certificate_mscryptimpl.hxx" #include #include #include "sanextension_mscryptimpl.hxx" #include "oid.hxx" #include #include #include #include #include #include #include #include #include #include #include #include #include using namespace com::sun::star; using namespace ::com::sun::star::uno ; using namespace ::com::sun::star::security ; using ::com::sun::star::security::XCertificate ; using ::com::sun::star::util::DateTime ; /*Returns the index within rRawString where sTypeName starts and where it ends. The starting index is pair.first. The ending index in pair.second points one char after the last character of the type. sTypeName can be "S" or "CN" (without ""). Do not use spaces at the beginning of the type name. If the type name is not found then pair.first and pair.second are -1. */ static std::pair< sal_Int32, sal_Int32 > findTypeInDN(const OUString& rRawString, std::u16string_view sTypeName) { std::pair< sal_Int32, sal_Int32 > retVal; bool bInEscape = false; bool bInValue = false; bool bFound = false; sal_Int32 nTypeNameStart = 0; sal_Int32 length = rRawString.getLength(); for (sal_Int32 i = 0; i < length; i++) { sal_Unicode c = rRawString[i]; if (c == '=') { if (! bInValue) { std::u16string_view sType = rRawString.subView(nTypeNameStart, i - nTypeNameStart); sType = o3tl::trim(sType); if (o3tl::equalsIgnoreAsciiCase(sType, sTypeName)) { bFound = true; break; } } } else if (c == '"') { if (!bInEscape) { //If this is the quote is the first of the couple which enclose the //whole value, because the value contains special characters //then we just drop it. That is, this character must be followed by //a character which is not '"'. if ( i + 1 < length && rRawString[i+1] == '"') bInEscape = true; else bInValue = !bInValue; //value is enclosed in " " } else { //This quote is escaped by a preceding quote and therefore is //part of the value bInEscape = false; } } else if (c == ',' || c == '+') { //The comma separate the attribute value pairs. //If the comma is not part of a value (the value would then be enclosed in '"'), //then we have reached the end of the value if (!bInValue) { //The next char is the start of the new type nTypeNameStart = i + 1; } } } //Found the Type Name, but there can still be spaces after the last comma //and the beginning of the type. if (bFound) { while (true) { sal_Unicode c = rRawString[nTypeNameStart]; if (c != ' ' && c != '\t') //found break; nTypeNameStart ++; } // search end (one after last letter) sal_Int32 nTypeNameEnd = nTypeNameStart; nTypeNameEnd++; while (true) { sal_Unicode c = rRawString[nTypeNameEnd]; if (c == ' ' || c == '\t' || c == '=') break; nTypeNameEnd++; } retVal = std::make_pair(nTypeNameStart, nTypeNameEnd); } else { retVal = std::make_pair(-1, -1); } return retVal; } /* MS Crypto uses the 'S' tag (equal to the 'ST' tag in NSS), but the NSS can't recognise it, so the 'S' tag should be changed to 'ST' tag. However I am not sure if this is necessary anymore, because we provide always the signers certificate when signing. So libmlsec can find the private key based on the provided certificate (X509Certificate element) and does not need the issuer name (X509IssuerName element). The issuer name in the xml signature has also no effect for the signature nor the certificate validation. In many RFCs, for example 4519, on speaks of 'ST'. However, the certificate does not contain strings for type names. Instead it uses OIDs. */ static OUString replaceTagSWithTagST(OUString const & oldDN) { std::pair pairIndex = findTypeInDN(oldDN, u"S"); if (pairIndex.first != -1) { return OUString::Concat(oldDN.subView(0, pairIndex.first))+"ST" +oldDN.subView(pairIndex.second); } return oldDN; } /* end */ X509Certificate_MSCryptImpl::X509Certificate_MSCryptImpl() : m_pCertContext( nullptr ) { } X509Certificate_MSCryptImpl::~X509Certificate_MSCryptImpl() { if( m_pCertContext != nullptr ) { CertFreeCertificateContext( m_pCertContext ) ; } } //Methods from XCertificate sal_Int16 SAL_CALL X509Certificate_MSCryptImpl::getVersion() { if( m_pCertContext != nullptr && m_pCertContext->pCertInfo != nullptr ) { return static_cast(m_pCertContext->pCertInfo->dwVersion) ; } else { return -1 ; } } css::uno::Sequence< sal_Int8 > SAL_CALL X509Certificate_MSCryptImpl::getSerialNumber() { if( m_pCertContext != nullptr && m_pCertContext->pCertInfo != nullptr ) { Sequence< sal_Int8 > serial( m_pCertContext->pCertInfo->SerialNumber.cbData ) ; auto serialRange = asNonConstRange(serial); for( unsigned int i = 0 ; i < m_pCertContext->pCertInfo->SerialNumber.cbData ; i ++ ) serialRange[i] = *( m_pCertContext->pCertInfo->SerialNumber.pbData + m_pCertContext->pCertInfo->SerialNumber.cbData - i - 1 ) ; return serial ; } else { return Sequence< sal_Int8 >(); } } OUString SAL_CALL X509Certificate_MSCryptImpl::getIssuerName() { if( m_pCertContext != nullptr && m_pCertContext->pCertInfo != nullptr ) { DWORD cchIssuer = CertNameToStrW( X509_ASN_ENCODING | PKCS_7_ASN_ENCODING , &( m_pCertContext->pCertInfo->Issuer ), CERT_X500_NAME_STR | CERT_NAME_STR_REVERSE_FLAG , nullptr, 0 ) ; // Here the cbIssuer count the last 0x00 , take care. if( cchIssuer != 0 ) { auto issuer = std::make_unique(cchIssuer); cchIssuer = CertNameToStrW( X509_ASN_ENCODING | PKCS_7_ASN_ENCODING , &( m_pCertContext->pCertInfo->Issuer ), CERT_X500_NAME_STR | CERT_NAME_STR_REVERSE_FLAG , issuer.get(), cchIssuer ) ; if( cchIssuer <= 0 ) { throw RuntimeException() ; } if(issuer.get()[cchIssuer -1] == 0) cchIssuer--; //delimit the last 0x00; OUString xIssuer(o3tl::toU(issuer.get()), cchIssuer) ; return replaceTagSWithTagST(xIssuer); } else { return OUString() ; } } else { return OUString() ; } } OUString SAL_CALL X509Certificate_MSCryptImpl::getSubjectName() { if( m_pCertContext != nullptr && m_pCertContext->pCertInfo != nullptr ) { DWORD cchSubject = CertNameToStrW( X509_ASN_ENCODING | PKCS_7_ASN_ENCODING , &( m_pCertContext->pCertInfo->Subject ), CERT_X500_NAME_STR | CERT_NAME_STR_REVERSE_FLAG , nullptr, 0 ) ; if( cchSubject != 0 ) { auto subject = std::make_unique(cchSubject); cchSubject = CertNameToStrW( X509_ASN_ENCODING | PKCS_7_ASN_ENCODING , &( m_pCertContext->pCertInfo->Subject ), CERT_X500_NAME_STR | CERT_NAME_STR_REVERSE_FLAG , subject.get(), cchSubject ) ; if( cchSubject <= 0 ) { throw RuntimeException() ; } OUString xSubject(o3tl::toU(subject.get())); return replaceTagSWithTagST(xSubject); } else { return OUString() ; } } else { return OUString() ; } } css::util::DateTime SAL_CALL X509Certificate_MSCryptImpl::getNotValidBefore() { if( m_pCertContext != nullptr && m_pCertContext->pCertInfo != nullptr ) { SYSTEMTIME explTime ; DateTime dateTime ; FILETIME localFileTime; if (FileTimeToLocalFileTime(&( m_pCertContext->pCertInfo->NotBefore ), &localFileTime)) { if( FileTimeToSystemTime( &localFileTime, &explTime ) ) { //Convert the time to readable local time dateTime.NanoSeconds = explTime.wMilliseconds * ::tools::Time::nanoPerMilli ; dateTime.Seconds = explTime.wSecond ; dateTime.Minutes = explTime.wMinute ; dateTime.Hours = explTime.wHour ; dateTime.Day = explTime.wDay ; dateTime.Month = explTime.wMonth ; dateTime.Year = explTime.wYear ; } } return dateTime ; } else { return DateTime() ; } } css::util::DateTime SAL_CALL X509Certificate_MSCryptImpl::getNotValidAfter() { if( m_pCertContext != nullptr && m_pCertContext->pCertInfo != nullptr ) { SYSTEMTIME explTime ; DateTime dateTime ; FILETIME localFileTime; if (FileTimeToLocalFileTime(&( m_pCertContext->pCertInfo->NotAfter ), &localFileTime)) { if( FileTimeToSystemTime( &localFileTime, &explTime ) ) { //Convert the time to readable local time dateTime.NanoSeconds = explTime.wMilliseconds * ::tools::Time::nanoPerMilli ; dateTime.Seconds = explTime.wSecond ; dateTime.Minutes = explTime.wMinute ; dateTime.Hours = explTime.wHour ; dateTime.Day = explTime.wDay ; dateTime.Month = explTime.wMonth ; dateTime.Year = explTime.wYear ; } } return dateTime ; } else { return DateTime() ; } } css::uno::Sequence< sal_Int8 > SAL_CALL X509Certificate_MSCryptImpl::getIssuerUniqueID() { if( m_pCertContext != nullptr && m_pCertContext->pCertInfo != nullptr ) { Sequence< sal_Int8 > issuerUid( m_pCertContext->pCertInfo->IssuerUniqueId.cbData ) ; auto issuerUidRange = asNonConstRange(issuerUid); for( unsigned int i = 0 ; i < m_pCertContext->pCertInfo->IssuerUniqueId.cbData; i ++ ) issuerUidRange[i] = *( m_pCertContext->pCertInfo->IssuerUniqueId.pbData + i ) ; return issuerUid ; } else { return Sequence< sal_Int8 >(); } } css::uno::Sequence< sal_Int8 > SAL_CALL X509Certificate_MSCryptImpl::getSubjectUniqueID() { if( m_pCertContext != nullptr && m_pCertContext->pCertInfo != nullptr ) { Sequence< sal_Int8 > subjectUid( m_pCertContext->pCertInfo->SubjectUniqueId.cbData ) ; auto subjectUidRange = asNonConstRange(subjectUid); for( unsigned int i = 0 ; i < m_pCertContext->pCertInfo->SubjectUniqueId.cbData; i ++ ) subjectUidRange[i] = *( m_pCertContext->pCertInfo->SubjectUniqueId.pbData + i ) ; return subjectUid ; } else { return Sequence< sal_Int8 >(); } } css::uno::Sequence< css::uno::Reference< css::security::XCertificateExtension > > SAL_CALL X509Certificate_MSCryptImpl::getExtensions() { if( m_pCertContext != nullptr && m_pCertContext->pCertInfo != nullptr && m_pCertContext->pCertInfo->cExtension != 0 ) { rtl::Reference xExtn ; Sequence< Reference< XCertificateExtension > > xExtns( m_pCertContext->pCertInfo->cExtension ) ; auto pExtns = xExtns.getArray(); for( unsigned int i = 0; i < m_pCertContext->pCertInfo->cExtension; i++ ) { CERT_EXTENSION* pExtn = &(m_pCertContext->pCertInfo->rgExtension[i]) ; OUString objId = OUString::createFromAscii( pExtn->pszObjId ); if ( objId == "2.5.29.17" ) xExtn = reinterpret_cast(new SanExtensionImpl()); else xExtn = new CertificateExtension_XmlSecImpl; xExtn->setCertExtn( pExtn->Value.pbData, pExtn->Value.cbData, reinterpret_cast(pExtn->pszObjId), strlen( pExtn->pszObjId ), pExtn->fCritical ) ; pExtns[i] = xExtn ; } return xExtns ; } else { return Sequence< Reference< XCertificateExtension > >(); } } css::uno::Reference< css::security::XCertificateExtension > SAL_CALL X509Certificate_MSCryptImpl::findCertificateExtension( const css::uno::Sequence< sal_Int8 >& /*oid*/ ) { if( m_pCertContext != nullptr && m_pCertContext->pCertInfo != nullptr && m_pCertContext->pCertInfo->cExtension != 0 ) { rtl::Reference xExtn ; for( unsigned int i = 0; i < m_pCertContext->pCertInfo->cExtension; i++ ) { CERT_EXTENSION* pExtn = &( m_pCertContext->pCertInfo->rgExtension[i] ) ; //TODO: Compare the oid if( false ) { xExtn = new CertificateExtension_XmlSecImpl; xExtn->setCertExtn( pExtn->Value.pbData, pExtn->Value.cbData, reinterpret_cast(pExtn->pszObjId), strlen( pExtn->pszObjId ), pExtn->fCritical ) ; } } return xExtn ; } else { return nullptr ; } } css::uno::Sequence< sal_Int8 > SAL_CALL X509Certificate_MSCryptImpl::getEncoded() { if( m_pCertContext != nullptr && m_pCertContext->cbCertEncoded > 0 ) { Sequence< sal_Int8 > rawCert( m_pCertContext->cbCertEncoded ) ; auto prawCert = rawCert.getArray(); for( unsigned int i = 0 ; i < m_pCertContext->cbCertEncoded ; i ++ ) prawCert[i] = *( m_pCertContext->pbCertEncoded + i ) ; return rawCert ; } else { return Sequence< sal_Int8 >(); } } //Helper methods void X509Certificate_MSCryptImpl::setMswcryCert( const CERT_CONTEXT* cert ) { if( m_pCertContext != nullptr ) { CertFreeCertificateContext( m_pCertContext ) ; m_pCertContext = nullptr ; } if( cert != nullptr ) { m_pCertContext = CertDuplicateCertificateContext( cert ) ; } } const CERT_CONTEXT* X509Certificate_MSCryptImpl::getMswcryCert() const { if( m_pCertContext != nullptr ) { return m_pCertContext ; } else { return nullptr ; } } void X509Certificate_MSCryptImpl::setRawCert( Sequence< sal_Int8 > const & rawCert ) { if( m_pCertContext != nullptr ) { CertFreeCertificateContext( m_pCertContext ) ; m_pCertContext = nullptr ; } if( rawCert.getLength() != 0 ) { m_pCertContext = CertCreateCertificateContext( X509_ASN_ENCODING, reinterpret_cast(&rawCert[0]), rawCert.getLength() ) ; } } static OUString findOIDDescription(char const *oid) { OUString ouOID = OUString::createFromAscii( oid ); for (int i=0; i getThumbprint(const CERT_CONTEXT* pCertContext, DWORD dwPropId) { if( pCertContext != nullptr ) { DWORD cbData = dwPropId == CERT_SHA256_HASH_PROP_ID ? 32 : 20; unsigned char fingerprint[32]; if (CertGetCertificateContextProperty(pCertContext, dwPropId, fingerprint, &cbData)) { Sequence< sal_Int8 > thumbprint( cbData ) ; auto pthumbprint = thumbprint.getArray(); for( unsigned int i = 0 ; i < cbData ; i ++ ) { pthumbprint[i] = fingerprint[i]; } return thumbprint; } else { DWORD e = GetLastError(); cbData = e; } } return Sequence< sal_Int8 >(); } OUString SAL_CALL X509Certificate_MSCryptImpl::getSubjectPublicKeyAlgorithm() { if( m_pCertContext != nullptr && m_pCertContext->pCertInfo != nullptr ) { CRYPT_ALGORITHM_IDENTIFIER algorithm = m_pCertContext->pCertInfo->SubjectPublicKeyInfo.Algorithm; return findOIDDescription( algorithm.pszObjId ) ; } else { return OUString() ; } } css::uno::Sequence< sal_Int8 > SAL_CALL X509Certificate_MSCryptImpl::getSubjectPublicKeyValue() { if( m_pCertContext != nullptr && m_pCertContext->pCertInfo != nullptr ) { CRYPT_BIT_BLOB publicKey = m_pCertContext->pCertInfo->SubjectPublicKeyInfo.PublicKey; Sequence< sal_Int8 > key( publicKey.cbData ) ; auto keyRange = asNonConstRange(key); for( unsigned int i = 0 ; i < publicKey.cbData ; i++ ) { keyRange[i] = *(publicKey.pbData + i) ; } return key; } else { return Sequence< sal_Int8 >(); } } OUString SAL_CALL X509Certificate_MSCryptImpl::getSignatureAlgorithm() { if( m_pCertContext != nullptr && m_pCertContext->pCertInfo != nullptr ) { CRYPT_ALGORITHM_IDENTIFIER algorithm = m_pCertContext->pCertInfo->SignatureAlgorithm; return findOIDDescription( algorithm.pszObjId ) ; } else { return OUString() ; } } uno::Sequence X509Certificate_MSCryptImpl::getSHA256Thumbprint() { return getThumbprint(m_pCertContext, CERT_SHA256_HASH_PROP_ID); } svl::crypto::SignatureMethodAlgorithm X509Certificate_MSCryptImpl::getSignatureMethodAlgorithm() { svl::crypto::SignatureMethodAlgorithm nRet = svl::crypto::SignatureMethodAlgorithm::RSA; if (!m_pCertContext || !m_pCertContext->pCertInfo) return nRet; CRYPT_ALGORITHM_IDENTIFIER algorithm = m_pCertContext->pCertInfo->SubjectPublicKeyInfo.Algorithm; OString aObjId(algorithm.pszObjId); if (aObjId == szOID_ECC_PUBLIC_KEY) nRet = svl::crypto::SignatureMethodAlgorithm::ECDSA; return nRet; } css::uno::Sequence< sal_Int8 > SAL_CALL X509Certificate_MSCryptImpl::getSHA1Thumbprint() { return getThumbprint(m_pCertContext, CERT_SHA1_HASH_PROP_ID); } css::uno::Sequence< sal_Int8 > SAL_CALL X509Certificate_MSCryptImpl::getMD5Thumbprint() { return getThumbprint(m_pCertContext, CERT_MD5_HASH_PROP_ID); } CertificateKind SAL_CALL X509Certificate_MSCryptImpl::getCertificateKind() { return CertificateKind_X509; } sal_Int32 SAL_CALL X509Certificate_MSCryptImpl::getCertificateUsage( ) { sal_Int32 usage = CERT_DATA_ENCIPHERMENT_KEY_USAGE | CERT_DIGITAL_SIGNATURE_KEY_USAGE | CERT_KEY_AGREEMENT_KEY_USAGE | CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_KEY_ENCIPHERMENT_KEY_USAGE | CERT_NON_REPUDIATION_KEY_USAGE | CERT_OFFLINE_CRL_SIGN_KEY_USAGE; if( m_pCertContext != nullptr && m_pCertContext->pCertInfo != nullptr && m_pCertContext->pCertInfo->cExtension != 0 ) { CERT_EXTENSION* pExtn = CertFindExtension( szOID_KEY_USAGE, m_pCertContext->pCertInfo->cExtension, m_pCertContext->pCertInfo->rgExtension); if (pExtn != nullptr) { DWORD length = 0; bool rc = CryptDecodeObject( X509_ASN_ENCODING, X509_KEY_USAGE, pExtn->Value.pbData, pExtn->Value.cbData, 0, nullptr, &length); if (!rc) SAL_WARN("xmlsecurity.xmlsec", "CryptDecodeObject failed: " << WindowsErrorString(GetLastError())); else { std::vectorbuffer(length); rc = CryptDecodeObject( X509_ASN_ENCODING, X509_KEY_USAGE, pExtn->Value.pbData, pExtn->Value.cbData, 0, buffer.data(), &length); CRYPT_BIT_BLOB *blob = reinterpret_cast(buffer.data()); if (!rc) SAL_WARN("xmlsecurity.xmlsec", "CryptDecodeObject failed: " << WindowsErrorString(GetLastError())); else if (blob->cbData == 1) usage = blob->pbData[0]; else SAL_WARN("xmlsecurity.xmlsec", "CryptDecodeObject(X509_KEY_USAGE) returned unexpected amount of data: " << blob->cbData); } } } return usage; } /* XServiceInfo */ OUString SAL_CALL X509Certificate_MSCryptImpl::getImplementationName() { return "com.sun.star.xml.security.gpg.XCertificate_MsCryptImpl"; } /* XServiceInfo */ sal_Bool SAL_CALL X509Certificate_MSCryptImpl::supportsService(const OUString& serviceName) { return cppu::supportsService(this, serviceName); } /* XServiceInfo */ Sequence SAL_CALL X509Certificate_MSCryptImpl::getSupportedServiceNames() { return { OUString() }; } namespace xmlsecurity { // based on some guesswork and: // https://datatracker.ietf.org/doc/html/rfc1485 // https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certnametostra#CERT_X500_NAME_STR // the main problem appears to be that in values NSS uses \ escapes but CryptoAPI requires " quotes around value static OUString CompatDNNSS(OUString const& rDN) { OUStringBuffer buf(rDN.getLength()); enum { DEFAULT, INVALUE, INQUOTE } state(DEFAULT); for (sal_Int32 i = 0; i < rDN.getLength(); ++i) { if (state == DEFAULT) { buf.append(rDN[i]); if (rDN[i] == '=') { if (rDN.getLength() == i+1) { break; // invalid? } else { buf.append('"'); state = INVALUE; } } } else if (state == INVALUE) { if (rDN[i] == '+' || rDN[i] == ',' || rDN[i] == ';') { buf.append("\"" + OUStringChar(rDN[i])); state = DEFAULT; } else if (rDN[i] == '\\') { if (rDN.getLength() == i+1) { break; // invalid? } if (rDN[i+1] == '"') { buf.append('"'); } buf.append(rDN[i+1]); ++i; } else { buf.append(rDN[i]); } if (i+1 == rDN.getLength()) { buf.append('"'); state = DEFAULT; } } } return buf.makeStringAndClear(); } static bool EncodeDistinguishedName(std::u16string_view const rName, CERT_NAME_BLOB & rBlob) { LPCWSTR pszError; if (!CertStrToNameW(X509_ASN_ENCODING, reinterpret_cast(rName.data()), CERT_X500_NAME_STR, nullptr, nullptr, &rBlob.cbData, &pszError)) { SAL_INFO("xmlsecurity.xmlsec", "CertStrToNameW failed: " << WindowsErrorString(GetLastError()) << "; " << OUString(o3tl::toU(pszError))); return false; } rBlob.pbData = new BYTE[rBlob.cbData]; if (!CertStrToNameW(X509_ASN_ENCODING, reinterpret_cast(rName.data()), CERT_X500_NAME_STR, nullptr, rBlob.pbData, &rBlob.cbData, &pszError)) { SAL_INFO("xmlsecurity.xmlsec", "CertStrToNameW failed: " << WindowsErrorString(GetLastError()) << "; " << OUString(o3tl::toU(pszError))); return false; } return true; } bool EqualDistinguishedNames( std::u16string_view const rName1, std::u16string_view const rName2, EqualMode const eMode) { if (eMode == COMPAT_BOTH && !rName1.empty() && rName1 == rName2) { // handle case where both need to be converted return true; } CERT_NAME_BLOB blob1; if (!EncodeDistinguishedName(rName1, blob1)) { return false; } CERT_NAME_BLOB blob2; bool ret(false); if (EncodeDistinguishedName(rName2, blob2)) { ret = CertCompareCertificateName(X509_ASN_ENCODING, &blob1, &blob2) == TRUE; delete[] blob2.pbData; } if (!ret && eMode == COMPAT_2ND) { CERT_NAME_BLOB blob2compat; if (!EncodeDistinguishedName(CompatDNNSS(OUString(rName2)), blob2compat)) { delete[] blob1.pbData; return false; } ret = CertCompareCertificateName(X509_ASN_ENCODING, &blob1, &blob2compat) == TRUE; delete[] blob2compat.pbData; } delete[] blob1.pbData; return ret; } } // namespace xmlsecurity /* vim:set shiftwidth=4 softtabstop=4 expandtab: */