xref: /AOO41X/main/xmlsecurity/source/xmlsec/nss/securityenvironment_nssimpl.cxx (revision e00f6fb206bf9aa7b9a8a3f1144407ffb31ae9b8)

/*************************************************************************
 *
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * Copyright 2000, 2010 Oracle and/or its affiliates.
 *
 * OpenOffice.org - a multi-platform office productivity suite
 *
 * This file is part of OpenOffice.org.
 *
 * OpenOffice.org is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License version 3
 * only, as published by the Free Software Foundation.
 *
 * OpenOffice.org is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Lesser General Public License version 3 for more details
 * (a copy is included in the LICENSE file that accompanied this code).
 *
 * You should have received a copy of the GNU Lesser General Public License
 * version 3 along with OpenOffice.org.  If not, see
 * <http://www.openoffice.org/license.html>
 * for a copy of the LGPLv3 License.
 *
 ************************************************************************/


// MARKER(update_precomp.py): autogen include statement, do not remove
#include "precompiled_xmlsecurity.hxx"

//todo before commit:  nssrenam.h is not delivered!!!
#ifndef __nssrenam_h_
#define CERT_NewTempCertificate __CERT_NewTempCertificate
#endif /* __nssrenam_h_ */

#include "cert.h"
#include "secerr.h"
#include "ocsp.h"

#include <sal/config.h>
#include "securityenvironment_nssimpl.hxx"
#include "x509certificate_nssimpl.hxx"
#include <rtl/uuid.h>
#include "../diagnose.hxx"

#include <sal/types.h>
//For reasons that escape me, this is what xmlsec does when size_t is not 4
#if SAL_TYPES_SIZEOFPOINTER != 4
#    define XMLSEC_NO_SIZE_T
#endif
#include <xmlsec/xmlsec.h>
#include <xmlsec/keysmngr.h>
#include <xmlsec/crypto.h>
#include <xmlsec/base64.h>
#include <xmlsec/strings.h>

#include <tools/string.hxx>
#include <rtl/ustrbuf.hxx>
#include <comphelper/processfactory.hxx>
#include <cppuhelper/servicefactory.hxx>
#include <comphelper/docpasswordrequest.hxx>
#include <xmlsecurity/biginteger.hxx>
#include <rtl/logfile.h>
#include <com/sun/star/task/XInteractionHandler.hpp>
#include <vector>
#include "boost/scoped_array.hpp"

#include "secerror.hxx"

// MM : added for password exception
#include <com/sun/star/security/NoPasswordException.hpp>
namespace csss = ::com::sun::star::security;
using namespace xmlsecurity;
using namespace ::com::sun::star::security;
using namespace com::sun::star;
using namespace ::com::sun::star::uno ;
using namespace ::com::sun::star::lang ;
using ::com::sun::star::lang::XMultiServiceFactory ;
using ::com::sun::star::lang::XSingleServiceFactory ;
using ::rtl::OUString ;

using ::com::sun::star::xml::crypto::XSecurityEnvironment ;
using ::com::sun::star::security::XCertificate ;

extern X509Certificate_NssImpl* NssCertToXCert( CERTCertificate* cert ) ;
extern X509Certificate_NssImpl* NssPrivKeyToXCert( SECKEYPrivateKey* ) ;


struct UsageDescription
{
    SECCertificateUsage usage;
    char const* description;

    UsageDescription()
    : usage( certificateUsageCheckAllUsages )
    , description( NULL )
    {}

    UsageDescription( SECCertificateUsage i_usage, char const* i_description )
    : usage( i_usage )
    , description( i_description )
    {}

    UsageDescription( const UsageDescription& aDescription )
    : usage( aDescription.usage )
    , description( aDescription.description )
    {}

    UsageDescription& operator =( const UsageDescription& aDescription )
    {
        usage = aDescription.usage;
        description = aDescription.description;
        return *this;
    }
};



char* GetPasswordFunction( PK11SlotInfo* pSlot,	PRBool bRetry, void* /*arg*/ )
{
    uno::Reference< lang::XMultiServiceFactory > xMSF( ::comphelper::getProcessServiceFactory() );
    if ( xMSF.is() )
    {
        uno::Reference < task::XInteractionHandler > xInteractionHandler(
            xMSF->createInstance( rtl::OUString::createFromAscii("com.sun.star.task.InteractionHandler") ), uno::UNO_QUERY );

        if ( xInteractionHandler.is() )
        {
            task::PasswordRequestMode eMode = bRetry ? task::PasswordRequestMode_PASSWORD_REENTER : task::PasswordRequestMode_PASSWORD_ENTER;
            ::comphelper::DocPasswordRequest* pPasswordRequest = new ::comphelper::DocPasswordRequest(
                ::comphelper::DocPasswordRequestType_STANDARD, eMode, ::rtl::OUString::createFromAscii(PK11_GetTokenName(pSlot)) );

            uno::Reference< task::XInteractionRequest > xRequest( pPasswordRequest );
	        xInteractionHandler->handle( xRequest );

            if ( pPasswordRequest->isPassword() )
	        {
                ByteString aPassword = ByteString( String( pPasswordRequest->getPassword() ), gsl_getSystemTextEncoding() );
                sal_uInt16 nLen = aPassword.Len();
                char* pPassword = (char*) PORT_Alloc( nLen+1 ) ;
                pPassword[nLen] = 0;
                memcpy( pPassword, aPassword.GetBuffer(), nLen );
				return pPassword;
	        }
        }
    }
    return NULL;
}

SecurityEnvironment_NssImpl :: SecurityEnvironment_NssImpl( const Reference< XMultiServiceFactory >& ) :
m_pHandler( NULL ) , m_tSymKeyList() , m_tPubKeyList() , m_tPriKeyList() {

	PK11_SetPasswordFunc( GetPasswordFunction ) ;
}

SecurityEnvironment_NssImpl :: ~SecurityEnvironment_NssImpl() {

	PK11_SetPasswordFunc( NULL ) ;

	for (CIT_SLOTS i = m_Slots.begin(); i != m_Slots.end(); i++)
	{
		PK11_FreeSlot(*i);
	}

	if( !m_tSymKeyList.empty()  ) {
		std::list< PK11SymKey* >::iterator symKeyIt ;

		for( symKeyIt = m_tSymKeyList.begin() ; symKeyIt != m_tSymKeyList.end() ; symKeyIt ++ )
			PK11_FreeSymKey( *symKeyIt ) ;
	}

	if( !m_tPubKeyList.empty()  ) {
		std::list< SECKEYPublicKey* >::iterator pubKeyIt ;

		for( pubKeyIt = m_tPubKeyList.begin() ; pubKeyIt != m_tPubKeyList.end() ; pubKeyIt ++ )
			SECKEY_DestroyPublicKey( *pubKeyIt ) ;
	}

	if( !m_tPriKeyList.empty()  ) {
		std::list< SECKEYPrivateKey* >::iterator priKeyIt ;

		for( priKeyIt = m_tPriKeyList.begin() ; priKeyIt != m_tPriKeyList.end() ; priKeyIt ++ )
			SECKEY_DestroyPrivateKey( *priKeyIt ) ;
	}
}

/* XInitialization */
void SAL_CALL SecurityEnvironment_NssImpl :: initialize( const Sequence< Any >& ) throw( Exception, RuntimeException ) {
	// TBD
} ;

/* XServiceInfo */
OUString SAL_CALL SecurityEnvironment_NssImpl :: getImplementationName() throw( RuntimeException ) {
	return impl_getImplementationName() ;
}

/* XServiceInfo */
sal_Bool SAL_CALL SecurityEnvironment_NssImpl :: supportsService( const OUString& serviceName) throw( RuntimeException ) {
	Sequence< OUString > seqServiceNames = getSupportedServiceNames() ;
	const OUString* pArray = seqServiceNames.getConstArray() ;
	for( sal_Int32 i = 0 ; i < seqServiceNames.getLength() ; i ++ ) {
		if( *( pArray + i ) == serviceName )
			return sal_True ;
	}
	return sal_False ;
}

/* XServiceInfo */
Sequence< OUString > SAL_CALL SecurityEnvironment_NssImpl :: getSupportedServiceNames() throw( RuntimeException ) {
	return impl_getSupportedServiceNames() ;
}

//Helper for XServiceInfo
Sequence< OUString > SecurityEnvironment_NssImpl :: impl_getSupportedServiceNames() {
	::osl::Guard< ::osl::Mutex > aGuard( ::osl::Mutex::getGlobalMutex() ) ;
	Sequence< OUString > seqServiceNames( 1 ) ;
	seqServiceNames.getArray()[0] = OUString::createFromAscii( "com.sun.star.xml.crypto.SecurityEnvironment" ) ;
	return seqServiceNames ;
}

OUString SecurityEnvironment_NssImpl :: impl_getImplementationName() throw( RuntimeException ) {
	return OUString::createFromAscii( "com.sun.star.xml.security.bridge.xmlsec.SecurityEnvironment_NssImpl" ) ;
}

//Helper for registry
Reference< XInterface > SAL_CALL SecurityEnvironment_NssImpl :: impl_createInstance( const Reference< XMultiServiceFactory >& aServiceManager ) throw( RuntimeException ) {
	return Reference< XInterface >( *new SecurityEnvironment_NssImpl( aServiceManager ) ) ;
}

Reference< XSingleServiceFactory > SecurityEnvironment_NssImpl :: impl_createFactory( const Reference< XMultiServiceFactory >& aServiceManager ) {
	//Reference< XSingleServiceFactory > xFactory ;
	//xFactory = ::cppu::createSingleFactory( aServiceManager , impl_getImplementationName , impl_createInstance , impl_getSupportedServiceNames ) ;
	//return xFactory ;
	return ::cppu::createSingleFactory( aServiceManager , impl_getImplementationName() , impl_createInstance , impl_getSupportedServiceNames() ) ;
}

/* XUnoTunnel */
sal_Int64 SAL_CALL SecurityEnvironment_NssImpl :: getSomething( const Sequence< sal_Int8 >& aIdentifier )
	throw( RuntimeException )
{
	if( aIdentifier.getLength() == 16 && 0 == rtl_compareMemory( getUnoTunnelId().getConstArray(), aIdentifier.getConstArray(), 16 ) ) {
        return sal::static_int_cast<sal_Int64>(reinterpret_cast<sal_uIntPtr>(this));
	}
	return 0 ;
}

/* XUnoTunnel extension */
const Sequence< sal_Int8>& SecurityEnvironment_NssImpl :: getUnoTunnelId() {
	static Sequence< sal_Int8 >* pSeq = 0 ;
	if( !pSeq ) {
		::osl::Guard< ::osl::Mutex > aGuard( ::osl::Mutex::getGlobalMutex() ) ;
		if( !pSeq ) {
			static Sequence< sal_Int8> aSeq( 16 ) ;
			rtl_createUuid( ( sal_uInt8* )aSeq.getArray() , 0 , sal_True ) ;
			pSeq = &aSeq ;
		}
	}
	return *pSeq ;
}

/* XUnoTunnel extension */
SecurityEnvironment_NssImpl* SecurityEnvironment_NssImpl :: getImplementation( const Reference< XInterface > xObj ) {
	Reference< XUnoTunnel > xUT( xObj , UNO_QUERY ) ;
	if( xUT.is() ) {
        return reinterpret_cast<SecurityEnvironment_NssImpl*>(
            sal::static_int_cast<sal_uIntPtr>(xUT->getSomething( getUnoTunnelId() ))) ;
	} else
		return NULL ;
}


::rtl::OUString SecurityEnvironment_NssImpl::getSecurityEnvironmentInformation() throw( ::com::sun::star::uno::RuntimeException )
{
	rtl::OUString result;
	::rtl::OUStringBuffer buff;
	for (CIT_SLOTS is = m_Slots.begin(); is != m_Slots.end(); is++)
	{
		buff.append(rtl::OUString::createFromAscii(PK11_GetTokenName(*is)));
		buff.appendAscii("\n");
	}
	return buff.makeStringAndClear();
}

void SecurityEnvironment_NssImpl::addCryptoSlot( PK11SlotInfo* aSlot) throw( Exception , RuntimeException )
{
	PK11_ReferenceSlot(aSlot);
	m_Slots.push_back(aSlot);
}

CERTCertDBHandle* SecurityEnvironment_NssImpl :: getCertDb() throw( Exception , RuntimeException ) {
	return m_pHandler ;
}

//Could we have multiple cert dbs?
void SecurityEnvironment_NssImpl :: setCertDb( CERTCertDBHandle* aCertDb ) throw( Exception , RuntimeException ) {
	m_pHandler = aCertDb ;
}

void SecurityEnvironment_NssImpl :: adoptSymKey( PK11SymKey* aSymKey ) throw( Exception , RuntimeException ) {
	PK11SymKey*	symkey ;
	std::list< PK11SymKey* >::iterator keyIt ;

	if( aSymKey != NULL ) {
		//First try to find the key in the list
		for( keyIt = m_tSymKeyList.begin() ; keyIt != m_tSymKeyList.end() ; keyIt ++ ) {
			if( *keyIt == aSymKey )
				return ;
		}

		//If we do not find the key in the list, add a new node
		symkey = PK11_ReferenceSymKey( aSymKey ) ;
		if( symkey == NULL )
			throw RuntimeException() ;

		try {
			m_tSymKeyList.push_back( symkey ) ;
		} catch ( Exception& ) {
			PK11_FreeSymKey( symkey ) ;
		}
	}
}

void SecurityEnvironment_NssImpl :: rejectSymKey( PK11SymKey* aSymKey ) throw( Exception , RuntimeException ) {
	PK11SymKey*	symkey ;
	std::list< PK11SymKey* >::iterator keyIt ;

	if( aSymKey != NULL ) {
		for( keyIt = m_tSymKeyList.begin() ; keyIt != m_tSymKeyList.end() ; keyIt ++ ) {
			if( *keyIt == aSymKey ) {
				symkey = *keyIt ;
				PK11_FreeSymKey( symkey ) ;
				m_tSymKeyList.erase( keyIt ) ;
				break ;
			}
		}
	}
}

PK11SymKey* SecurityEnvironment_NssImpl :: getSymKey( unsigned int position ) throw( Exception , RuntimeException ) {
	PK11SymKey* symkey ;
	std::list< PK11SymKey* >::iterator keyIt ;
	unsigned int pos ;

	symkey = NULL ;
	for( pos = 0, keyIt = m_tSymKeyList.begin() ; pos < position && keyIt != m_tSymKeyList.end() ; pos ++ , keyIt ++ ) ;

	if( pos == position && keyIt != m_tSymKeyList.end() )
		symkey = *keyIt ;

	return symkey ;
}

void SecurityEnvironment_NssImpl :: adoptPubKey( SECKEYPublicKey* aPubKey ) throw( Exception , RuntimeException ) {
	SECKEYPublicKey*	pubkey ;
	std::list< SECKEYPublicKey* >::iterator keyIt ;

	if( aPubKey != NULL ) {
		//First try to find the key in the list
		for( keyIt = m_tPubKeyList.begin() ; keyIt != m_tPubKeyList.end() ; keyIt ++ ) {
			if( *keyIt == aPubKey )
				return ;
		}

		//If we do not find the key in the list, add a new node
		pubkey = SECKEY_CopyPublicKey( aPubKey ) ;
		if( pubkey == NULL )
			throw RuntimeException() ;

		try {
			m_tPubKeyList.push_back( pubkey ) ;
		} catch ( Exception& ) {
			SECKEY_DestroyPublicKey( pubkey ) ;
		}
	}
}

void SecurityEnvironment_NssImpl :: rejectPubKey( SECKEYPublicKey* aPubKey ) throw( Exception , RuntimeException ) {
	SECKEYPublicKey*	pubkey ;
	std::list< SECKEYPublicKey* >::iterator keyIt ;

	if( aPubKey != NULL ) {
		for( keyIt = m_tPubKeyList.begin() ; keyIt != m_tPubKeyList.end() ; keyIt ++ ) {
			if( *keyIt == aPubKey ) {
				pubkey = *keyIt ;
				SECKEY_DestroyPublicKey( pubkey ) ;
				m_tPubKeyList.erase( keyIt ) ;
				break ;
			}
		}
	}
}

SECKEYPublicKey* SecurityEnvironment_NssImpl :: getPubKey( unsigned int position ) throw( Exception , RuntimeException ) {
	SECKEYPublicKey* pubkey ;
	std::list< SECKEYPublicKey* >::iterator keyIt ;
	unsigned int pos ;

	pubkey = NULL ;
	for( pos = 0, keyIt = m_tPubKeyList.begin() ; pos < position && keyIt != m_tPubKeyList.end() ; pos ++ , keyIt ++ ) ;

	if( pos == position && keyIt != m_tPubKeyList.end() )
		pubkey = *keyIt ;

	return pubkey ;
}

void SecurityEnvironment_NssImpl :: adoptPriKey( SECKEYPrivateKey* aPriKey ) throw( Exception , RuntimeException ) {
	SECKEYPrivateKey*	prikey ;
	std::list< SECKEYPrivateKey* >::iterator keyIt ;

	if( aPriKey != NULL ) {
		//First try to find the key in the list
		for( keyIt = m_tPriKeyList.begin() ; keyIt != m_tPriKeyList.end() ; keyIt ++ ) {
			if( *keyIt == aPriKey )
				return ;
		}

		//If we do not find the key in the list, add a new node
		prikey = SECKEY_CopyPrivateKey( aPriKey ) ;
		if( prikey == NULL )
			throw RuntimeException() ;

		try {
			m_tPriKeyList.push_back( prikey ) ;
		} catch ( Exception& ) {
			SECKEY_DestroyPrivateKey( prikey ) ;
		}
	}
}

void SecurityEnvironment_NssImpl :: rejectPriKey( SECKEYPrivateKey* aPriKey ) throw( Exception , RuntimeException ) {
	SECKEYPrivateKey*	prikey ;
	std::list< SECKEYPrivateKey* >::iterator keyIt ;

	if( aPriKey != NULL ) {
		for( keyIt = m_tPriKeyList.begin() ; keyIt != m_tPriKeyList.end() ; keyIt ++ ) {
			if( *keyIt == aPriKey ) {
				prikey = *keyIt ;
				SECKEY_DestroyPrivateKey( prikey ) ;
				m_tPriKeyList.erase( keyIt ) ;
				break ;
			}
		}
	}
}

SECKEYPrivateKey* SecurityEnvironment_NssImpl :: getPriKey( unsigned int position ) throw( ::com::sun::star::uno::Exception , ::com::sun::star::uno::RuntimeException )  {
	SECKEYPrivateKey* prikey ;
	std::list< SECKEYPrivateKey* >::iterator keyIt ;
	unsigned int pos ;

	prikey = NULL ;
	for( pos = 0, keyIt = m_tPriKeyList.begin() ; pos < position && keyIt != m_tPriKeyList.end() ; pos ++ , keyIt ++ ) ;

	if( pos == position && keyIt != m_tPriKeyList.end() )
		prikey = *keyIt ;

	return prikey ;
}

void SecurityEnvironment_NssImpl::updateSlots()
{
    //In case new tokens are present then we can obtain the corresponding slot
	PK11SlotList * soltList = NULL;
	PK11SlotListElement * soltEle = NULL;
    PK11SlotInfo * pSlot = NULL;
   	PK11SymKey * pSymKey = NULL;

    osl::MutexGuard guard(m_mutex);

    m_Slots.clear();
    m_tSymKeyList.clear();

	soltList = PK11_GetAllTokens( CKM_INVALID_MECHANISM, PR_FALSE, PR_FALSE, NULL ) ;
	if( soltList != NULL )
	{
		for( soltEle = soltList->head ; soltEle != NULL; soltEle = soltEle->next )
		{
			pSlot = soltEle->slot ;

			if(pSlot != NULL)
			{
				RTL_LOGFILE_TRACE2( "XMLSEC: Found a slot: SlotName=%s, TokenName=%s", PK11_GetSlotName(pSlot), PK11_GetTokenName(pSlot) );

//The following code which is commented out checks if a slot, that is a smart card for example, is
//				able to generate a symmetric key of type CKM_DES3_CBC. If this fails then this token
//				will not be used. This key is possibly used for the encryption service. However, all
//				interfaces and services used for public key signature and encryption are not published
//				and the encryption is not used in OOo. Therefore it does not do any harm to remove
//				this code, hence allowing smart cards which cannot generate this type of key.
//
//              By doing this, the encryption may fail if a smart card is being used which does not
//              support this key generation.
//
				pSymKey = PK11_KeyGen( pSlot , CKM_DES3_CBC, NULL, 128, NULL ) ;
// 				if( pSymKey == NULL )
// 				{
// 					PK11_FreeSlot( pSlot ) ;
// 					RTL_LOGFILE_TRACE( "XMLSEC: Error - pSymKey is NULL" );
// 					continue;
// 				}
				addCryptoSlot(pSlot);
                PK11_FreeSlot( pSlot ) ;
				pSlot = NULL;

                if (pSymKey != NULL)
                {
                    adoptSymKey( pSymKey ) ;
                    PK11_FreeSymKey( pSymKey ) ;
                    pSymKey = NULL;
                }

			}// end of if(pSlot != NULL)
		}// end of for
	}// end of if( soltList != NULL )

}


Sequence< Reference < XCertificate > >
SecurityEnvironment_NssImpl::getPersonalCertificates() throw( SecurityException , RuntimeException )
{
	sal_Int32 length ;
	X509Certificate_NssImpl* xcert ;
	std::list< X509Certificate_NssImpl* > certsList ;

    updateSlots();
	//firstly, we try to find private keys in slot
	for (CIT_SLOTS is = m_Slots.begin(); is != m_Slots.end(); is++)
	{
		PK11SlotInfo *slot = *is;
		SECKEYPrivateKeyList* priKeyList ;
		SECKEYPrivateKeyListNode* curPri ;

		if( PK11_NeedLogin(slot ) ) {
			SECStatus nRet = PK11_Authenticate(slot, PR_TRUE, NULL);
			//PK11_Authenticate may fail in case the a slot has not been initialized.
			//this is the case if the user has a new profile, so that they have never
			//added a personal certificate.
			if( nRet != SECSuccess && PORT_GetError() != SEC_ERROR_IO) {
				throw NoPasswordException();
			}
		}

		priKeyList = PK11_ListPrivateKeysInSlot(slot) ;
		if( priKeyList != NULL ) {
			for( curPri = PRIVKEY_LIST_HEAD( priKeyList );
				!PRIVKEY_LIST_END( curPri, priKeyList ) && curPri != NULL ;
				curPri = PRIVKEY_LIST_NEXT( curPri ) ) {
				xcert = NssPrivKeyToXCert( curPri->key ) ;
				if( xcert != NULL )
					certsList.push_back( xcert ) ;
			}
		}

		SECKEY_DestroyPrivateKeyList( priKeyList ) ;
	}

	//secondly, we try to find certificate from registered private keys.
	if( !m_tPriKeyList.empty()  ) {
		std::list< SECKEYPrivateKey* >::iterator priKeyIt ;

		for( priKeyIt = m_tPriKeyList.begin() ; priKeyIt != m_tPriKeyList.end() ; priKeyIt ++ ) {
			xcert = NssPrivKeyToXCert( *priKeyIt ) ;
			if( xcert != NULL )
				certsList.push_back( xcert ) ;
		}
	}

	length = certsList.size() ;
	if( length != 0 ) {
		int i ;
		std::list< X509Certificate_NssImpl* >::iterator xcertIt ;
		Sequence< Reference< XCertificate > > certSeq( length ) ;

		for( i = 0, xcertIt = certsList.begin(); xcertIt != certsList.end(); xcertIt ++, i++ ) {
			certSeq[i] = *xcertIt ;
		}

		return certSeq ;
	}

	return Sequence< Reference < XCertificate > > ();
}

Reference< XCertificate > SecurityEnvironment_NssImpl :: getCertificate( const OUString& issuerName, const Sequence< sal_Int8 >& serialNumber ) throw( SecurityException , RuntimeException )
{
	X509Certificate_NssImpl* xcert = NULL;

	if( m_pHandler != NULL ) {
		CERTIssuerAndSN issuerAndSN ;
		CERTCertificate* cert ;
		CERTName* nmIssuer ;
		char* chIssuer ;
		SECItem* derIssuer ;
		PRArenaPool* arena ;

		arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE ) ;
		if( arena == NULL )
			throw RuntimeException() ;

                /*
                 * mmi : because MS Crypto use the 'S' tag (equal to the 'ST' tag in NSS), but the NSS can't recognise
                 *      it, so the 'S' tag should be changed to 'ST' tag
                 *
                 * PS  : it can work, but inside libxmlsec, the 'S' tag is till used to find cert in NSS engine, so it
                 *       is not useful at all. (comment out now)
                 */

                /*
                sal_Int32 nIndex = 0;
                OUString newIssuerName;
                do
                {
                	OUString aToken = issuerName.getToken( 0, ',', nIndex ).trim();
                	if (aToken.compareToAscii("S=",2) == 0)
                	{
                		newIssuerName+=OUString::createFromAscii("ST=");
                		newIssuerName+=aToken.copy(2);
                	}
                	else
                	{
                		newIssuerName+=aToken;
                	}

                	if (nIndex >= 0)
                	{
                		newIssuerName+=OUString::createFromAscii(",");
                	}
                } while ( nIndex >= 0 );
                */

                /* end */

		//Create cert info from issue and serial
		rtl::OString ostr = rtl::OUStringToOString( issuerName , RTL_TEXTENCODING_UTF8 ) ;
		chIssuer = PL_strndup( ( char* )ostr.getStr(), ( int )ostr.getLength() ) ;
		nmIssuer = CERT_AsciiToName( chIssuer ) ;
		if( nmIssuer == NULL ) {
			PL_strfree( chIssuer ) ;
			PORT_FreeArena( arena, PR_FALSE ) ;

			/*
			 * i40394
			 *
			 * mmi : no need to throw exception
			 *       just return "no found"
			 */
			//throw RuntimeException() ;
			return NULL;
		}

		derIssuer = SEC_ASN1EncodeItem( arena, NULL, ( void* )nmIssuer, SEC_ASN1_GET( CERT_NameTemplate ) ) ;
		if( derIssuer == NULL ) {
			PL_strfree( chIssuer ) ;
			CERT_DestroyName( nmIssuer ) ;
			PORT_FreeArena( arena, PR_FALSE ) ;
			throw RuntimeException() ;
		}

		memset( &issuerAndSN, 0, sizeof( issuerAndSN ) ) ;

		issuerAndSN.derIssuer.data = derIssuer->data ;
		issuerAndSN.derIssuer.len = derIssuer->len ;

		issuerAndSN.serialNumber.data = ( unsigned char* )&serialNumber[0] ;
		issuerAndSN.serialNumber.len = serialNumber.getLength() ;

		cert = CERT_FindCertByIssuerAndSN( m_pHandler, &issuerAndSN ) ;
		if( cert != NULL ) {
			xcert = NssCertToXCert( cert ) ;
		} else {
			xcert = NULL ;
		}

		PL_strfree( chIssuer ) ;
		CERT_DestroyName( nmIssuer ) ;
		//SECITEM_FreeItem( derIssuer, PR_FALSE ) ;
		CERT_DestroyCertificate( cert ) ;
		PORT_FreeArena( arena, PR_FALSE ) ;
	} else {
		xcert = NULL ;
	}

	return xcert ;
}

Reference< XCertificate > SecurityEnvironment_NssImpl :: getCertificate( const OUString& issuerName, const OUString& serialNumber ) throw( SecurityException , RuntimeException ) {
	Sequence< sal_Int8 > serial = numericStringToBigInteger( serialNumber ) ;
	return getCertificate( issuerName, serial ) ;
}

Sequence< Reference < XCertificate > > SecurityEnvironment_NssImpl :: buildCertificatePath( const Reference< XCertificate >& begin ) throw( SecurityException , RuntimeException ) {
	const X509Certificate_NssImpl* xcert ;
	const CERTCertificate* cert ;
	CERTCertList* certChain ;

	Reference< XUnoTunnel > xCertTunnel( begin, UNO_QUERY ) ;
	if( !xCertTunnel.is() ) {
		throw RuntimeException() ;
	}

	xcert = reinterpret_cast<X509Certificate_NssImpl*>(
        sal::static_int_cast<sal_uIntPtr>(xCertTunnel->getSomething( X509Certificate_NssImpl::getUnoTunnelId() ))) ;
	if( xcert == NULL ) {
		throw RuntimeException() ;
	}

	cert = xcert->getNssCert() ;
	if( cert != NULL ) {
		int64 timeboundary ;

		//Get the system clock time
		timeboundary = PR_Now() ;

		certChain = CERT_GetCertChainFromCert( ( CERTCertificate* )cert, timeboundary, certUsageAnyCA ) ;
	} else {
		certChain = NULL ;
	}

	if( certChain != NULL ) {
		X509Certificate_NssImpl* pCert ;
		CERTCertListNode* node ;
		int len ;

		for( len = 0, node = CERT_LIST_HEAD( certChain ); !CERT_LIST_END( node, certChain ); node = CERT_LIST_NEXT( node ), len ++ ) ;
		Sequence< Reference< XCertificate > > xCertChain( len ) ;

		for( len = 0, node = CERT_LIST_HEAD( certChain ); !CERT_LIST_END( node, certChain ); node = CERT_LIST_NEXT( node ), len ++ ) {
			pCert = new X509Certificate_NssImpl() ;
			if( pCert == NULL ) {
				CERT_DestroyCertList( certChain ) ;
				throw RuntimeException() ;
			}

			pCert->setCert( node->cert ) ;

			xCertChain[len] = pCert ;
		}

		CERT_DestroyCertList( certChain ) ;

		return xCertChain ;
	}

	return Sequence< Reference < XCertificate > >();
}

Reference< XCertificate > SecurityEnvironment_NssImpl :: createCertificateFromRaw( const Sequence< sal_Int8 >& rawCertificate ) throw( SecurityException , RuntimeException ) {
	X509Certificate_NssImpl* xcert ;

	if( rawCertificate.getLength() > 0 ) {
		xcert = new X509Certificate_NssImpl() ;
		if( xcert == NULL )
			throw RuntimeException() ;

		xcert->setRawCert( rawCertificate ) ;
	} else {
		xcert = NULL ;
	}

	return xcert ;
}

Reference< XCertificate > SecurityEnvironment_NssImpl :: createCertificateFromAscii( const OUString& asciiCertificate ) throw( SecurityException , RuntimeException ) {
	xmlChar* chCert ;
	xmlSecSize certSize ;

	rtl::OString oscert = rtl::OUStringToOString( asciiCertificate , RTL_TEXTENCODING_ASCII_US ) ;

	chCert = xmlStrndup( ( const xmlChar* )oscert.getStr(), ( int )oscert.getLength() ) ;

	certSize = xmlSecBase64Decode( chCert, ( xmlSecByte* )chCert, xmlStrlen( chCert ) ) ;

	Sequence< sal_Int8 > rawCert( certSize ) ;
	for( unsigned int i = 0 ; i < certSize ; i ++ )
		rawCert[i] = *( chCert + i ) ;

	xmlFree( chCert ) ;

	return createCertificateFromRaw( rawCert ) ;
}

sal_Int32 SecurityEnvironment_NssImpl ::
verifyCertificate( const Reference< csss::XCertificate >& aCert,
                   const Sequence< Reference< csss::XCertificate > >&  intermediateCerts )
    throw( ::com::sun::star::uno::SecurityException, ::com::sun::star::uno::RuntimeException )
{
	sal_Int32 validity = csss::CertificateValidity::INVALID;
	const X509Certificate_NssImpl* xcert ;
	const CERTCertificate* cert ;
    ::std::vector<CERTCertificate*> vecTmpNSSCertificates;
	Reference< XUnoTunnel > xCertTunnel( aCert, UNO_QUERY ) ;
	if( !xCertTunnel.is() ) {
		throw RuntimeException() ;
	}

    xmlsec_trace("Start verification of certificate: \n %s \n",
              OUStringToOString(
                  aCert->getSubjectName(), osl_getThreadTextEncoding()).getStr());

	xcert = reinterpret_cast<X509Certificate_NssImpl*>(
       sal::static_int_cast<sal_uIntPtr>(xCertTunnel->getSomething( X509Certificate_NssImpl::getUnoTunnelId() ))) ;
	if( xcert == NULL ) {
		throw RuntimeException() ;
	}

    //CERT_PKIXVerifyCert does not take a db as argument. It will therefore
    //internally use CERT_GetDefaultCertDB
    //Make sure m_pHandler is the default DB
    OSL_ASSERT(m_pHandler == CERT_GetDefaultCertDB());
    CERTCertDBHandle * certDb = m_pHandler != NULL ? m_pHandler : CERT_GetDefaultCertDB();
	cert = xcert->getNssCert() ;
	if( cert != NULL )
    {

        //prepare the intermediate certificates
        for (sal_Int32 i = 0; i < intermediateCerts.getLength(); i++)
        {
            Sequence<sal_Int8> der = intermediateCerts[i]->getEncoded();
            SECItem item;
            item.type = siBuffer;
            item.data = (unsigned char*)der.getArray();
            item.len = der.getLength();

            CERTCertificate* certTmp = CERT_NewTempCertificate(certDb, &item,
                                           NULL     /* nickname */,
                                           PR_FALSE /* isPerm */,
                                           PR_TRUE  /* copyDER */);
             if (!certTmp)
             {
                 xmlsec_trace("Failed to add a temporary certificate: %s",
                           OUStringToOString(intermediateCerts[i]->getIssuerName(),
                                             osl_getThreadTextEncoding()).getStr());

             }
             else
             {
                 xmlsec_trace("Added temporary certificate: %s",
                           certTmp->subjectName ? certTmp->subjectName : "");
                 vecTmpNSSCertificates.push_back(certTmp);
             }
        }


		SECStatus status ;

        CERTVerifyLog log;
        log.arena = PORT_NewArena(512);
        log.head = log.tail = NULL;
        log.count = 0;

        CERT_EnableOCSPChecking(certDb);
        CERT_DisableOCSPDefaultResponder(certDb);
        CERTValOutParam cvout[5];
        CERTValInParam cvin[3];

        cvin[0].type = cert_pi_useAIACertFetch;
        cvin[0].value.scalar.b = PR_TRUE;

        PRUint64 revFlagsLeaf[2];
        PRUint64 revFlagsChain[2];
        CERTRevocationFlags rev;
        rev.leafTests.number_of_defined_methods = 2;
        rev.leafTests.cert_rev_flags_per_method = revFlagsLeaf;
        //the flags are defined in cert.h
        //We check both leaf and chain.
        //It is enough if one revocation method has fresh info,
        //but at least one must have some. Otherwise validation fails.
        //!!! using leaf test and CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE
        // when validating a root certificate will result in "revoked". Usually
        //there is no revocation information available for the root cert because
        //it must be trusted anyway and it does itself issue revocation information.
        //When we use the flag here and OOo shows the certification path then the root
        //cert is invalid while all other can be valid. It would probably best if
        //this interface method returned the whole chain.
        //Otherwise we need to check if the certificate is self-signed and if it is
        //then not use the flag when doing the leaf-test.
        rev.leafTests.cert_rev_flags_per_method[cert_revocation_method_crl] =
            CERT_REV_M_TEST_USING_THIS_METHOD
            | CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE;
        rev.leafTests.cert_rev_flags_per_method[cert_revocation_method_ocsp] =
            CERT_REV_M_TEST_USING_THIS_METHOD
            | CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE;
        rev.leafTests.number_of_preferred_methods = 0;
        rev.leafTests.preferred_methods = NULL;
        rev.leafTests.cert_rev_method_independent_flags =
            CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST;
//            | CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE;

        rev.chainTests.number_of_defined_methods = 2;
        rev.chainTests.cert_rev_flags_per_method = revFlagsChain;
        rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_crl] =
            CERT_REV_M_TEST_USING_THIS_METHOD
            | CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE;
        rev.chainTests.cert_rev_flags_per_method[cert_revocation_method_ocsp] =
            CERT_REV_M_TEST_USING_THIS_METHOD
            | CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE;
        rev.chainTests.number_of_preferred_methods = 0;
        rev.chainTests.preferred_methods = NULL;
        rev.chainTests.cert_rev_method_independent_flags =
            CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST;
//            | CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE;


        cvin[1].type = cert_pi_revocationFlags;
        cvin[1].value.pointer.revocation = &rev;
        // does not work, not implemented yet in 3.12.4
//         cvin[2].type = cert_pi_keyusage;
//         cvin[2].value.scalar.ui = KU_DIGITAL_SIGNATURE;
        cvin[2].type = cert_pi_end;

        cvout[0].type = cert_po_trustAnchor;
        cvout[0].value.pointer.cert = NULL;
        cvout[1].type = cert_po_errorLog;
        cvout[1].value.pointer.log = &log;
        cvout[2].type = cert_po_end;

        // We check SSL server certificates, CA certificates and signing sertificates.
        //
        // ToDo check keyusage, looking at CERT_KeyUsageAndTypeForCertUsage (
        // mozilla/security/nss/lib/certdb/certdb.c indicates that
        // certificateUsageSSLClient, certificateUsageSSLServer and certificateUsageSSLCA
        // are sufficient. They cover the key usages for digital signature, key agreement
        // and encipherment and certificate signature

        //never use the following usages because they are not checked properly
        // certificateUsageUserCertImport
        // certificateUsageVerifyCA
        // certificateUsageAnyCA
        // certificateUsageProtectedObjectSigner

        UsageDescription arUsages[5];
        arUsages[0] = UsageDescription( certificateUsageSSLClient, "certificateUsageSSLClient"  );
        arUsages[1] = UsageDescription( certificateUsageSSLServer, "certificateUsageSSLServer"  );
        arUsages[2] = UsageDescription( certificateUsageSSLCA, "certificateUsageSSLCA"  );
        arUsages[3] = UsageDescription( certificateUsageEmailSigner, "certificateUsageEmailSigner" );
        arUsages[4] = UsageDescription( certificateUsageEmailRecipient, "certificateUsageEmailRecipient" );

        int numUsages = sizeof(arUsages) / sizeof(UsageDescription);
        for (int i = 0; i < numUsages; i++)
        {
            xmlsec_trace("Testing usage %d of %d: %s (0x%x)", i + 1,
                      numUsages, arUsages[i].description, (int) arUsages[i].usage);

            status = CERT_PKIXVerifyCert(const_cast<CERTCertificate *>(cert), arUsages[i].usage,
                                         cvin, cvout, NULL);
            if( status == SECSuccess )
            {
                xmlsec_trace("CERT_PKIXVerifyCert returned SECSuccess.");
                //When an intermediate or root certificate is checked then we expect the usage
                //certificateUsageSSLCA. This, however, will be only set when in the trust settings dialog
                //the button "This certificate can identify websites" is checked. If for example only
                //"This certificate can identify mail users" is set then the end certificate can
                //be validated and the returned usage will conain certificateUsageEmailRecipient.
                //But checking directly the root or intermediate certificate will fail. In the
                //certificate path view the end certificate will be shown as valid but the others
                //will be displayed as invalid.

                validity = csss::CertificateValidity::VALID;
                xmlsec_trace("Certificate is valid.\n");
                CERTCertificate * issuerCert = cvout[0].value.pointer.cert;
                if (issuerCert)
                {
                    xmlsec_trace("Root certificate: %s", issuerCert->subjectName);
                    CERT_DestroyCertificate(issuerCert);
                };

                break;
            }
            else
            {
                PRIntn err = PR_GetError();
                xmlsec_trace("Error: , %d = %s", err, getCertError(err));

                /* Display validation results */
                if ( log.count > 0)
                {
                    CERTVerifyLogNode *node = NULL;
                    printChainFailure(&log);

                    for (node = log.head; node; node = node->next) {
                        if (node->cert)
                            CERT_DestroyCertificate(node->cert);
                    }
                    log.head = log.tail = NULL;
                    log.count = 0;
                }
                xmlsec_trace("Certificate is invalid.\n");
            }
        }

    }
    else
    {
        validity = ::com::sun::star::security::CertificateValidity::INVALID ;
    }

    //Destroying the temporary certificates
    std::vector<CERTCertificate*>::const_iterator cert_i;
    for (cert_i = vecTmpNSSCertificates.begin(); cert_i != vecTmpNSSCertificates.end(); cert_i++)
    {
        xmlsec_trace("Destroying temporary certificate");
        CERT_DestroyCertificate(*cert_i);
    }
	return validity ;
}

sal_Int32 SecurityEnvironment_NssImpl::getCertificateCharacters(
	const ::com::sun::star::uno::Reference< ::com::sun::star::security::XCertificate >& aCert ) throw( ::com::sun::star::uno::SecurityException, ::com::sun::star::uno::RuntimeException ) {
	sal_Int32 characters ;
	const X509Certificate_NssImpl* xcert ;
	const CERTCertificate* cert ;

	Reference< XUnoTunnel > xCertTunnel( aCert, UNO_QUERY ) ;
	if( !xCertTunnel.is() ) {
		throw RuntimeException() ;
	}

	xcert = reinterpret_cast<X509Certificate_NssImpl*>(
        sal::static_int_cast<sal_uIntPtr>(xCertTunnel->getSomething( X509Certificate_NssImpl::getUnoTunnelId() ))) ;
	if( xcert == NULL ) {
		throw RuntimeException() ;
	}

	cert = xcert->getNssCert() ;

	characters = 0x00000000 ;

	//Firstly, find out whether or not the cert is self-signed.
	if( SECITEM_CompareItem( &(cert->derIssuer), &(cert->derSubject) ) == SECEqual ) {
		characters |= ::com::sun::star::security::CertificateCharacters::SELF_SIGNED ;
	} else {
		characters &= ~ ::com::sun::star::security::CertificateCharacters::SELF_SIGNED ;
	}

	//Secondly, find out whether or not the cert has a private key.

	/*
	 * i40394
	 *
	 * mmi : need to check whether the cert's slot is valid first
	 */
	SECKEYPrivateKey* priKey = NULL;

	if (cert->slot != NULL)
	{
		priKey = PK11_FindPrivateKeyFromCert( cert->slot, ( CERTCertificate* )cert, NULL ) ;
	}
	if(priKey == NULL)
	{
		for (CIT_SLOTS is = m_Slots.begin(); is != m_Slots.end(); is++)
		{
			priKey = PK11_FindPrivateKeyFromCert(*is, (CERTCertificate*)cert, NULL);
			if (priKey)
				break;
		}
	}
	if( priKey != NULL ) {
		characters |=  ::com::sun::star::security::CertificateCharacters::HAS_PRIVATE_KEY ;

		SECKEY_DestroyPrivateKey( priKey ) ;
	} else {
		characters &= ~ ::com::sun::star::security::CertificateCharacters::HAS_PRIVATE_KEY ;
	}

	return characters ;
}

X509Certificate_NssImpl* NssCertToXCert( CERTCertificate* cert )
{
	X509Certificate_NssImpl* xcert ;

	if( cert != NULL ) {
		xcert = new X509Certificate_NssImpl() ;
		if( xcert == NULL ) {
			xcert = NULL ;
		} else {
			xcert->setCert( cert ) ;
		}
	} else {
		xcert = NULL ;
	}

	return xcert ;
}

X509Certificate_NssImpl* NssPrivKeyToXCert( SECKEYPrivateKey* priKey )
{
	CERTCertificate* cert ;
	X509Certificate_NssImpl* xcert ;

	if( priKey != NULL ) {
		cert = PK11_GetCertFromPrivateKey( priKey ) ;

		if( cert != NULL ) {
			xcert = NssCertToXCert( cert ) ;
		} else {
			xcert = NULL ;
		}

		CERT_DestroyCertificate( cert ) ;
	} else {
		xcert = NULL ;
	}

	return xcert ;
}


/* Native methods */
xmlSecKeysMngrPtr SecurityEnvironment_NssImpl::createKeysManager() throw( Exception, RuntimeException ) {

	unsigned int i ;
	CERTCertDBHandle* handler = NULL ;
	PK11SymKey* symKey = NULL ;
	SECKEYPublicKey* pubKey = NULL ;
	SECKEYPrivateKey* priKey = NULL ;
	xmlSecKeysMngrPtr pKeysMngr = NULL ;

	handler = this->getCertDb() ;

	/*-
	 * The following lines is based on the private version of xmlSec-NSS
	 * crypto engine
	 */
	int cSlots = m_Slots.size();
	boost::scoped_array<PK11SlotInfo*> sarSlots(new PK11SlotInfo*[cSlots]);
	PK11SlotInfo**  slots = sarSlots.get();
	int count = 0;
	for (CIT_SLOTS islots = m_Slots.begin();islots != m_Slots.end(); islots++, count++)
		slots[count] = *islots;

	pKeysMngr = xmlSecNssAppliedKeysMngrCreate(slots, cSlots, handler ) ;
	if( pKeysMngr == NULL )
		throw RuntimeException() ;

	/*-
	 * Adopt symmetric key into keys manager
	 */
	for( i = 0 ; ( symKey = this->getSymKey( i ) ) != NULL ; i ++ ) {
		if( xmlSecNssAppliedKeysMngrSymKeyLoad( pKeysMngr, symKey ) < 0 ) {
			throw RuntimeException() ;
		}
	}

	/*-
	 * Adopt asymmetric public key into keys manager
	 */
	for( i = 0 ; ( pubKey = this->getPubKey( i ) ) != NULL ; i ++ ) {
		if( xmlSecNssAppliedKeysMngrPubKeyLoad( pKeysMngr, pubKey ) < 0 ) {
			throw RuntimeException() ;
		}
	}

	/*-
	 * Adopt asymmetric private key into keys manager
	 */
	for( i = 0 ; ( priKey = this->getPriKey( i ) ) != NULL ; i ++ ) {
		if( xmlSecNssAppliedKeysMngrPriKeyLoad( pKeysMngr, priKey ) < 0 ) {
			throw RuntimeException() ;
		}
	}
	return pKeysMngr ;
}
void SecurityEnvironment_NssImpl::destroyKeysManager(xmlSecKeysMngrPtr pKeysMngr) throw( Exception, RuntimeException ) {
	if( pKeysMngr != NULL ) {
		xmlSecKeysMngrDestroy( pKeysMngr ) ;
	}
}