/************************************************************************* * * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * Copyright 2008 by Sun Microsystems, Inc. * * OpenOffice.org - a multi-platform office productivity suite * * $RCSfile: seinitializer_nssimpl.cxx,v $ * $Revision: 1.22 $ * * This file is part of OpenOffice.org. * * OpenOffice.org is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License version 3 * only, as published by the Free Software Foundation. * * OpenOffice.org is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU Lesser General Public License version 3 for more details * (a copy is included in the LICENSE file that accompanied this code). * * You should have received a copy of the GNU Lesser General Public License * version 3 along with OpenOffice.org. If not, see * * for a copy of the LGPLv3 License. * ************************************************************************/ // MARKER(update_precomp.py): autogen include statement, do not remove #include "precompiled_xmlsecurity.hxx" /* * Turn off DEBUG Assertions */ #ifdef _DEBUG #define _DEBUG_WAS_DEFINED _DEBUG #undef _DEBUG #else #undef _DEBUG_WAS_DEFINED #endif /* * and turn off the additional virtual methods which are part of some interfaces when compiled * with debug */ #ifdef DEBUG #define DEBUG_WAS_DEFINED DEBUG #undef DEBUG #else #undef DEBUG_WAS_DEFINED #endif #include #include "rtl/instance.hxx" #include "rtl/bootstrap.hxx" #include "rtl/string.hxx" #include "rtl/strbuf.hxx" #include "osl/file.hxx" #include "osl/thread.h" #include #include #include "seinitializer_nssimpl.hxx" #include "securityenvironment_nssimpl.hxx" #include #include "nspr.h" #include "cert.h" #include "nss.h" #include "secmod.h" #include "nssckbi.h" namespace cssu = com::sun::star::uno; namespace cssl = com::sun::star::lang; namespace cssxc = com::sun::star::xml::crypto; using namespace com::sun::star; using ::rtl::OUString; using ::rtl::OString; #define SERVICE_NAME "com.sun.star.xml.crypto.SEInitializer" #define IMPLEMENTATION_NAME "com.sun.star.xml.security.bridge.xmlsec.SEInitializer_NssImpl" #define SECURITY_ENVIRONMENT "com.sun.star.xml.crypto.SecurityEnvironment" #define SECURITY_CONTEXT "com.sun.star.xml.crypto.XMLSecurityContext" #define ROOT_CERTS "Root Certs for OpenOffice.org" extern "C" void nsscrypto_finalize(); namespace { bool nsscrypto_initialize( const char * sProfile, bool & out_nss_init); struct InitNSSInitialize { //path to the database folder const OString m_sProfile; InitNSSInitialize(const OString & sProfile): m_sProfile(sProfile) {}; bool * operator()() { static bool bInitialized = false; bool bNSSInit = false; bInitialized = nsscrypto_initialize(m_sProfile.getStr(), bNSSInit); if (bNSSInit) atexit(nsscrypto_finalize ); return & bInitialized; } }; bool * initNSS(const OString & sProfile) { return rtl_Instance< bool, InitNSSInitialize, ::osl::MutexGuard, ::osl::GetGlobalMutex >::create( InitNSSInitialize(sProfile), ::osl::GetGlobalMutex()); } void deleteRootsModule() { SECMODModule *RootsModule = 0; SECMODModuleList *list = SECMOD_GetDefaultModuleList(); SECMODListLock *lock = SECMOD_GetDefaultModuleListLock(); SECMOD_GetReadLock(lock); while (!RootsModule && list) { SECMODModule *module = list->module; for (int i=0; i < module->slotCount; i++) { PK11SlotInfo *slot = module->slots[i]; if (PK11_IsPresent(slot)) { if (PK11_HasRootCerts(slot)) { OSL_TRACE("[xmlsecurity] The root certifificates module \"%s" "\" is already loaded: \n%s", module->commonName, module->dllName); RootsModule = SECMOD_ReferenceModule(module); break; } } } list = list->next; } SECMOD_ReleaseReadLock(lock); if (RootsModule) { PRInt32 modType; if (SECSuccess == SECMOD_DeleteModule(RootsModule->commonName, &modType)) { OSL_TRACE("[xmlsecurity] Deleted module \"%s\".", RootsModule->commonName); } else { OSL_TRACE("[xmlsecurity] Failed to delete \"%s\" : \n%s", RootsModule->commonName, RootsModule->dllName); } SECMOD_DestroyModule(RootsModule); RootsModule = 0; } } //Older versions of Firefox (FF), for example FF2, and Thunderbird (TB) 2 write //the roots certificate module (libnssckbi.so), which they use, into the //profile. This module will then already be loaded during NSS_Init (and the //other init functions). This fails in two cases. First, FF3 was used to create //the profile, or possibly used that profile before, and second the profile was //used on a different platform. // //Then one needs to add the roots module oneself. This should be done with //SECMOD_LoadUserModule rather then SECMOD_AddNewModule. The latter would write //the location of the roots module to the profile, which makes FF2 and TB2 use //it instead of there own module. // //When using SYSTEM_MOZILLA then the libnss3.so lib is typically found in ///usr/lib. This folder may, however, NOT contain the roots certificate //module. That is, just providing the library name in SECMOD_LoadUserModule or //SECMOD_AddNewModule will FAIL to load the mozilla unless the LD_LIBRARY_PATH //contains an FF or TB installation. //ATTENTION: DO NOT call this function directly instead use initNSS //return true - whole initialization was successful //param out_nss_init = true: at least the NSS initialization (NSS_InitReadWrite //was successful and therefor NSS_Shutdown should be called when terminating. bool nsscrypto_initialize( const char* token, bool & out_nss_init ) { bool return_value = true; OSL_TRACE("[xmlsecurity] Using profile: %s", token); PR_Init( PR_USER_THREAD, PR_PRIORITY_NORMAL, 1 ) ; if( NSS_InitReadWrite( token ) != SECSuccess ) { char * error = NULL; PR_GetErrorText(error); if (error) printf("%s",error); return false ; } out_nss_init = true; #if defined SYSTEM_MOZILLA if (!SECMOD_HasRootCerts()) { #endif deleteRootsModule(); #if defined SYSTEM_MOZILLA OUString rootModule(RTL_CONSTASCII_USTRINGPARAM("libnssckbi"SAL_DLLEXTENSION)); #else OUString rootModule(RTL_CONSTASCII_USTRINGPARAM("${OOO_BASE_DIR}/program/libnssckbi"SAL_DLLEXTENSION)); #endif ::rtl::Bootstrap::expandMacros(rootModule); OUString rootModulePath; if (::osl::File::E_None == ::osl::File::getSystemPathFromFileURL(rootModule, rootModulePath)) { ::rtl::OString ospath = ::rtl::OUStringToOString(rootModulePath, osl_getThreadTextEncoding()); ::rtl::OStringBuffer pkcs11moduleSpec; pkcs11moduleSpec.append("name=\""); pkcs11moduleSpec.append(ROOT_CERTS); pkcs11moduleSpec.append("\" library=\""); pkcs11moduleSpec.append(ospath.getStr()); pkcs11moduleSpec.append("\""); SECMODModule * RootsModule = SECMOD_LoadUserModule( const_cast(pkcs11moduleSpec.makeStringAndClear().getStr()), 0, // no parent PR_FALSE); // do not recurse if (RootsModule) { bool found = RootsModule->loaded; SECMOD_DestroyModule(RootsModule); RootsModule = 0; if (found) OSL_TRACE("[xmlsecurity] Added new root certificate module " "\""ROOT_CERTS"\" contained in \n%s", ospath.getStr()); else { OSL_TRACE("[xmlsecurity] FAILED to load the new root certificate module " "\""ROOT_CERTS"\" contained in \n%s", ospath.getStr()); return_value = false; } } else { OSL_TRACE("[xmlsecurity] FAILED to add new root certifice module: " "\""ROOT_CERTS"\" contained in \n%s", ospath.getStr()); return_value = false; } } else { OSL_TRACE("[xmlsecurity] Adding new root certificate module failed."); return_value = false; } #if SYSTEM_MOZILLA } #endif return return_value; } // must be extern "C" because we pass the function pointer to atexit extern "C" void nsscrypto_finalize() { SECMODModule *RootsModule = SECMOD_FindModule(ROOT_CERTS); if (RootsModule) { if (SECSuccess == SECMOD_UnloadUserModule(RootsModule)) { OSL_TRACE("[xmlsecurity] Unloaded module \""ROOT_CERTS"\"."); } else { OSL_TRACE("[xmlsecurity] Failed unloadeding module \""ROOT_CERTS"\"."); } SECMOD_DestroyModule(RootsModule); } else { OSL_TRACE("[xmlsecurity] Unloading module \""ROOT_CERTS "\" failed because it was not found."); } PK11_LogoutAll(); NSS_Shutdown(); } bool getMozillaCurrentProfile( const com::sun::star::uno::Reference< com::sun::star::lang::XMultiServiceFactory > &rxMSF, rtl::OUString& profilePath) { /* * first, try to get the profile from "MOZILLA_CERTIFICATE_FOLDER" */ char * env = getenv("MOZILLA_CERTIFICATE_FOLDER"); if (env) { profilePath = rtl::OUString::createFromAscii( env ); RTL_LOGFILE_PRODUCT_TRACE1( "XMLSEC: Using env MOZILLA_CERTIFICATE_FOLDER: %s", rtl::OUStringToOString( profilePath, RTL_TEXTENCODING_ASCII_US ).getStr() ); return true; } else { RTL_LOGFILE_TRACE( "getMozillaCurrentProfile: Using MozillaBootstrap..." ); mozilla::MozillaProductType productTypes[4] = { mozilla::MozillaProductType_Thunderbird, mozilla::MozillaProductType_Mozilla, mozilla::MozillaProductType_Firefox, mozilla::MozillaProductType_Default }; int nProduct = 4; uno::Reference xInstance = rxMSF->createInstance( ::rtl::OUString( RTL_CONSTASCII_USTRINGPARAM("com.sun.star.mozilla.MozillaBootstrap")) ); OSL_ENSURE( xInstance.is(), "failed to create instance" ); uno::Reference xMozillaBootstrap = uno::Reference(xInstance,uno::UNO_QUERY); OSL_ENSURE( xMozillaBootstrap.is(), "failed to create instance" ); if (xMozillaBootstrap.is()) { for (int i=0; igetDefaultProfile(productTypes[i]); RTL_LOGFILE_TRACE2( "getMozillaCurrentProfile: getDefaultProfile [%i] returns %s", i, rtl::OUStringToOString( profile, RTL_TEXTENCODING_ASCII_US ).getStr() ); if (profile != NULL && profile.getLength()>0) { profilePath = xMozillaBootstrap->getProfilePath(productTypes[i],profile); RTL_LOGFILE_PRODUCT_TRACE1( "XMLSEC: Using Mozilla Profile: %s", rtl::OUStringToOString( profilePath, RTL_TEXTENCODING_ASCII_US ).getStr() ); return true; } } } RTL_LOGFILE_PRODUCT_TRACE( "XMLSEC: No Mozilla Profile found!" ); return false; } } } // namespace SEInitializer_NssImpl::SEInitializer_NssImpl( const com::sun::star::uno::Reference< com::sun::star::lang::XMultiServiceFactory > &rxMSF) :mxMSF( rxMSF ) { } SEInitializer_NssImpl::~SEInitializer_NssImpl() { } /* XSEInitializer */ cssu::Reference< cssxc::XXMLSecurityContext > SAL_CALL SEInitializer_NssImpl::createSecurityContext( const rtl::OUString& sCertDB ) throw (cssu::RuntimeException) { CERTCertDBHandle *pCertHandle = NULL ; rtl::OString sCertDir; if( sCertDB.getLength() ) { sCertDir = rtl::OString(sCertDB, sCertDB.getLength(), RTL_TEXTENCODING_ASCII_US); } else { static rtl::OString* pDefaultCertDir = NULL; if ( !pDefaultCertDir ) { pDefaultCertDir = new rtl::OString; rtl::OUString ouCertDir; if ( getMozillaCurrentProfile(mxMSF, ouCertDir) ) *pDefaultCertDir = rtl::OString(ouCertDir, ouCertDir.getLength(), RTL_TEXTENCODING_ASCII_US); } sCertDir = *pDefaultCertDir; } if( !sCertDir.getLength() ) { RTL_LOGFILE_TRACE( "XMLSEC: Error - No certificate directory!" ); // return NULL; } /* Initialize NSPR and NSS */ /* Replaced with new methods by AF. ---- //PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1 ) ; PR_Init( PR_USER_THREAD, PR_PRIORITY_NORMAL, 1 ) ; if (NSS_Init(sCertDir.getStr()) != SECSuccess ) { PK11_LogoutAll(); return NULL; } ----*/ if( ! *initNSS( sCertDir.getStr() ) ) { RTL_LOGFILE_TRACE( "XMLSEC: Error - nsscrypto_initialize() failed." ); if ( NSS_NoDB_Init(NULL) != SECSuccess ) { RTL_LOGFILE_TRACE( "XMLSEC: NSS_NoDB_Init also failed, NSS Security not available!" ); return NULL; } else { RTL_LOGFILE_TRACE( "XMLSEC: NSS_NoDB_Init works, enough for verifying signatures..." ); } } pCertHandle = CERT_GetDefaultCertDB() ; try { /* Build XML Security Context */ const rtl::OUString sSecyrutyContext ( RTL_CONSTASCII_USTRINGPARAM( SECURITY_CONTEXT ) ); cssu::Reference< cssxc::XXMLSecurityContext > xSecCtx( mxMSF->createInstance ( sSecyrutyContext ), cssu::UNO_QUERY ); if( !xSecCtx.is() ) return NULL; const rtl::OUString sSecyrutyEnvironment ( RTL_CONSTASCII_USTRINGPARAM( SECURITY_ENVIRONMENT ) ); cssu::Reference< cssxc::XSecurityEnvironment > xSecEnv( mxMSF->createInstance ( sSecyrutyEnvironment ), cssu::UNO_QUERY ); cssu::Reference< cssl::XUnoTunnel > xEnvTunnel( xSecEnv , cssu::UNO_QUERY ) ; if( !xEnvTunnel.is() ) return NULL; SecurityEnvironment_NssImpl* pSecEnv = reinterpret_cast( sal::static_int_cast( xEnvTunnel->getSomething(SecurityEnvironment_NssImpl::getUnoTunnelId() ))) ; pSecEnv->setCertDb(pCertHandle); sal_Int32 n = xSecCtx->addSecurityEnvironment(xSecEnv); //originally the SecurityEnvironment with the internal slot was set as default xSecCtx->setDefaultSecurityEnvironmentIndex( n ); return xSecCtx; } catch( cssu::Exception& ) { //PK11_LogoutAll(); //NSS_Shutdown(); return NULL; } } void SAL_CALL SEInitializer_NssImpl::freeSecurityContext( const cssu::Reference< cssxc::XXMLSecurityContext >& ) throw (cssu::RuntimeException) { /* * because the security context will free all its content when it * is destructed, so here no free process for the security context * is needed. */ //PK11_LogoutAll(); //NSS_Shutdown(); } rtl::OUString SEInitializer_NssImpl_getImplementationName () throw (cssu::RuntimeException) { return rtl::OUString ( RTL_CONSTASCII_USTRINGPARAM ( IMPLEMENTATION_NAME ) ); } sal_Bool SAL_CALL SEInitializer_NssImpl_supportsService( const rtl::OUString& ServiceName ) throw (cssu::RuntimeException) { return ServiceName.equalsAsciiL( RTL_CONSTASCII_STRINGPARAM ( SERVICE_NAME )); } cssu::Sequence< rtl::OUString > SAL_CALL SEInitializer_NssImpl_getSupportedServiceNames( ) throw (cssu::RuntimeException) { cssu::Sequence < rtl::OUString > aRet(1); rtl::OUString* pArray = aRet.getArray(); pArray[0] = rtl::OUString ( RTL_CONSTASCII_USTRINGPARAM ( SERVICE_NAME ) ); return aRet; } #undef SERVICE_NAME cssu::Reference< cssu::XInterface > SAL_CALL SEInitializer_NssImpl_createInstance( const cssu::Reference< cssl::XMultiServiceFactory > & rSMgr) throw( cssu::Exception ) { return (cppu::OWeakObject*) new SEInitializer_NssImpl(rSMgr); } /* XServiceInfo */ rtl::OUString SAL_CALL SEInitializer_NssImpl::getImplementationName( ) throw (cssu::RuntimeException) { return SEInitializer_NssImpl_getImplementationName(); } sal_Bool SAL_CALL SEInitializer_NssImpl::supportsService( const rtl::OUString& rServiceName ) throw (cssu::RuntimeException) { return SEInitializer_NssImpl_supportsService( rServiceName ); } cssu::Sequence< rtl::OUString > SAL_CALL SEInitializer_NssImpl::getSupportedServiceNames( ) throw (cssu::RuntimeException) { return SEInitializer_NssImpl_getSupportedServiceNames(); }