7 * This is free software; see Copyright file in the source
8 * distribution for preciese wording.
10 * Copyright (c) 2003 America Online, Inc. All rights reserved.
14 #ifndef XMLSEC_NO_X509
30 #include <libxml/tree.h>
32 #include <xmlsec/xmlsec.h>
33 #include <xmlsec/xmltree.h>
34 #include <xmlsec/keys.h>
35 #include <xmlsec/keyinfo.h>
36 #include <xmlsec/keysmngr.h>
37 #include <xmlsec/x509.h>
38 #include <xmlsec/base64.h>
39 #include <xmlsec/errors.h>
41 #include <xmlsec/nss/crypto.h>
42 #include <xmlsec/nss/x509.h>
43 #include <xmlsec/nss/pkikeys.h>
46 /* workaround - NSS exports this but doesn't declare it */
47 extern CERTCertificate * __CERT_NewTempCertificate(CERTCertDBHandle *handle,
53 /*************************************************************************
55 * X509 utility functions
57 ************************************************************************/
58 static int xmlSecNssX509DataNodeRead (xmlSecKeyDataPtr data,
60 xmlSecKeyInfoCtxPtr keyInfoCtx);
61 static int xmlSecNssX509CertificateNodeRead (xmlSecKeyDataPtr data,
63 xmlSecKeyInfoCtxPtr keyInfoCtx);
64 static int xmlSecNssX509CertificateNodeWrite (CERTCertificate* cert,
66 xmlSecKeyInfoCtxPtr keyInfoCtx);
67 static int xmlSecNssX509SubjectNameNodeRead (xmlSecKeyDataPtr data,
69 xmlSecKeyInfoCtxPtr keyInfoCtx);
70 static int xmlSecNssX509SubjectNameNodeWrite (CERTCertificate* cert,
72 xmlSecKeyInfoCtxPtr keyInfoCtx);
73 static int xmlSecNssX509IssuerSerialNodeRead (xmlSecKeyDataPtr data,
75 xmlSecKeyInfoCtxPtr keyInfoCtx);
76 static int xmlSecNssX509IssuerSerialNodeWrite (CERTCertificate* cert,
78 xmlSecKeyInfoCtxPtr keyInfoCtx);
79 static int xmlSecNssX509SKINodeRead (xmlSecKeyDataPtr data,
81 xmlSecKeyInfoCtxPtr keyInfoCtx);
82 static int xmlSecNssX509SKINodeWrite (CERTCertificate* cert,
84 xmlSecKeyInfoCtxPtr keyInfoCtx);
85 static int xmlSecNssX509CRLNodeRead (xmlSecKeyDataPtr data,
87 xmlSecKeyInfoCtxPtr keyInfoCtx);
88 static int xmlSecNssX509CRLNodeWrite (CERTSignedCrl* crl,
90 xmlSecKeyInfoCtxPtr keyInfoCtx);
91 static int xmlSecNssKeyDataX509VerifyAndExtractKey(xmlSecKeyDataPtr data,
93 xmlSecKeyInfoCtxPtr keyInfoCtx);
95 static CERTCertificate* xmlSecNssX509CertDerRead (const xmlSecByte* buf,
97 static CERTCertificate* xmlSecNssX509CertBase64DerRead (xmlChar* buf);
98 static xmlChar* xmlSecNssX509CertBase64DerWrite (CERTCertificate* cert,
100 static CERTSignedCrl* xmlSecNssX509CrlDerRead (xmlSecByte* buf,
102 xmlSecKeyInfoCtxPtr keyInfoCtx);
103 static CERTSignedCrl* xmlSecNssX509CrlBase64DerRead (xmlChar* buf,
104 xmlSecKeyInfoCtxPtr keyInfoCtx);
105 static xmlChar* xmlSecNssX509CrlBase64DerWrite (CERTSignedCrl* crl,
107 static xmlChar* xmlSecNssX509NameWrite (CERTName* nm);
108 static xmlChar* xmlSecNssASN1IntegerWrite (SECItem *num);
109 static xmlChar* xmlSecNssX509SKIWrite (CERTCertificate* cert);
110 static void xmlSecNssX509CertDebugDump (CERTCertificate* cert,
112 static void xmlSecNssX509CertDebugXmlDump (CERTCertificate* cert,
114 static int xmlSecNssX509CertGetTime (PRTime* t,
117 /*************************************************************************
119 * Internal NSS X509 data CTX
121 ************************************************************************/
122 typedef struct _xmlSecNssX509DataCtx xmlSecNssX509DataCtx,
123 *xmlSecNssX509DataCtxPtr;
124 typedef struct _xmlSecNssX509CrlNode xmlSecNssX509CrlNode,
125 *xmlSecNssX509CrlNodePtr;
126 struct _xmlSecNssX509CrlNode {
127 xmlSecNssX509CrlNodePtr next;
131 struct _xmlSecNssX509DataCtx {
132 CERTCertificate* keyCert;
134 CERTCertList* certsList;
135 unsigned int numCerts;
137 xmlSecNssX509CrlNodePtr crlsList;
138 unsigned int numCrls;
141 /**************************************************************************
143 * <dsig:X509Data> processing
146 * The X509Data Element (http://www.w3.org/TR/xmldsig-core/#sec-X509Data)
148 * An X509Data element within KeyInfo contains one or more identifiers of keys
149 * or X509 certificates (or certificates' identifiers or a revocation list).
150 * The content of X509Data is:
152 * 1. At least one element, from the following set of element types; any of these may appear together or more than once iff (if and only if) each instance describes or is related to the same certificate:
154 * * The X509IssuerSerial element, which contains an X.509 issuer
155 * distinguished name/serial number pair that SHOULD be compliant
156 * with RFC2253 [LDAP-DN],
157 * * The X509SubjectName element, which contains an X.509 subject
158 * distinguished name that SHOULD be compliant with RFC2253 [LDAP-DN],
159 * * The X509SKI element, which contains the base64 encoded plain (i.e.
160 * non-DER-encoded) value of a X509 V.3 SubjectKeyIdentifier extension.
161 * * The X509Certificate element, which contains a base64-encoded [X509v3]
163 * * Elements from an external namespace which accompanies/complements any
164 * of the elements above.
165 * * The X509CRL element, which contains a base64-encoded certificate
166 * revocation list (CRL) [X509v3].
168 * Any X509IssuerSerial, X509SKI, and X509SubjectName elements that appear
169 * MUST refer to the certificate or certificates containing the validation key.
170 * All such elements that refer to a particular individual certificate MUST be
171 * grouped inside a single X509Data element and if the certificate to which
172 * they refer appears, it MUST also be in that X509Data element.
174 * Any X509IssuerSerial, X509SKI, and X509SubjectName elements that relate to
175 * the same key but different certificates MUST be grouped within a single
176 * KeyInfo but MAY occur in multiple X509Data elements.
178 * All certificates appearing in an X509Data element MUST relate to the
179 * validation key by either containing it or being part of a certification
180 * chain that terminates in a certificate containing the validation key.
182 * No ordering is implied by the above constraints.
184 * Note, there is no direct provision for a PKCS#7 encoded "bag" of
185 * certificates or CRLs. However, a set of certificates and CRLs can occur
186 * within an X509Data element and multiple X509Data elements can occur in a
187 * KeyInfo. Whenever multiple certificates occur in an X509Data element, at
188 * least one such certificate must contain the public key which verifies the
193 * <element name="X509Data" type="ds:X509DataType"/>
194 * <complexType name="X509DataType">
195 * <sequence maxOccurs="unbounded">
197 * <element name="X509IssuerSerial" type="ds:X509IssuerSerialType"/>
198 * <element name="X509SKI" type="base64Binary"/>
199 * <element name="X509SubjectName" type="string"/>
200 * <element name="X509Certificate" type="base64Binary"/>
201 * <element name="X509CRL" type="base64Binary"/>
202 * <any namespace="##other" processContents="lax"/>
206 * <complexType name="X509IssuerSerialType">
208 * <element name="X509IssuerName" type="string"/>
209 * <element name="X509SerialNumber" type="integer"/>
215 * <!ELEMENT X509Data ((X509IssuerSerial | X509SKI | X509SubjectName |
216 * X509Certificate | X509CRL)+ %X509.ANY;)>
217 * <!ELEMENT X509IssuerSerial (X509IssuerName, X509SerialNumber) >
218 * <!ELEMENT X509IssuerName (#PCDATA) >
219 * <!ELEMENT X509SubjectName (#PCDATA) >
220 * <!ELEMENT X509SerialNumber (#PCDATA) >
221 * <!ELEMENT X509SKI (#PCDATA) >
222 * <!ELEMENT X509Certificate (#PCDATA) >
223 * <!ELEMENT X509CRL (#PCDATA) >
225 * -----------------------------------------------------------------------
227 * xmlSecNssX509DataCtx is located after xmlSecTransform
229 *************************************************************************/
230 #define xmlSecNssX509DataSize \
231 (sizeof(xmlSecKeyData) + sizeof(xmlSecNssX509DataCtx))
232 #define xmlSecNssX509DataGetCtx(data) \
233 ((xmlSecNssX509DataCtxPtr)(((xmlSecByte*)(data)) + sizeof(xmlSecKeyData)))
235 static int xmlSecNssKeyDataX509Initialize (xmlSecKeyDataPtr data);
236 static int xmlSecNssKeyDataX509Duplicate (xmlSecKeyDataPtr dst,
237 xmlSecKeyDataPtr src);
238 static void xmlSecNssKeyDataX509Finalize (xmlSecKeyDataPtr data);
239 static int xmlSecNssKeyDataX509XmlRead (xmlSecKeyDataId id,
242 xmlSecKeyInfoCtxPtr keyInfoCtx);
243 static int xmlSecNssKeyDataX509XmlWrite (xmlSecKeyDataId id,
246 xmlSecKeyInfoCtxPtr keyInfoCtx);
247 static xmlSecKeyDataType xmlSecNssKeyDataX509GetType (xmlSecKeyDataPtr data);
248 static const xmlChar* xmlSecNssKeyDataX509GetIdentifier (xmlSecKeyDataPtr data);
250 static void xmlSecNssKeyDataX509DebugDump (xmlSecKeyDataPtr data,
252 static void xmlSecNssKeyDataX509DebugXmlDump(xmlSecKeyDataPtr data,
257 static xmlSecKeyDataKlass xmlSecNssKeyDataX509Klass = {
258 sizeof(xmlSecKeyDataKlass),
259 xmlSecNssX509DataSize,
263 xmlSecKeyDataUsageKeyInfoNode | xmlSecKeyDataUsageRetrievalMethodNodeXml,
264 /* xmlSecKeyDataUsage usage; */
265 xmlSecHrefX509Data, /* const xmlChar* href; */
266 xmlSecNodeX509Data, /* const xmlChar* dataNodeName; */
267 xmlSecDSigNs, /* const xmlChar* dataNodeNs; */
269 /* constructors/destructor */
270 xmlSecNssKeyDataX509Initialize, /* xmlSecKeyDataInitializeMethod initialize; */
271 xmlSecNssKeyDataX509Duplicate, /* xmlSecKeyDataDuplicateMethod duplicate; */
272 xmlSecNssKeyDataX509Finalize, /* xmlSecKeyDataFinalizeMethod finalize; */
273 NULL, /* xmlSecKeyDataGenerateMethod generate; */
276 xmlSecNssKeyDataX509GetType, /* xmlSecKeyDataGetTypeMethod getType; */
277 NULL, /* xmlSecKeyDataGetSizeMethod getSize; */
278 xmlSecNssKeyDataX509GetIdentifier, /* xmlSecKeyDataGetIdentifier getIdentifier; */
281 xmlSecNssKeyDataX509XmlRead, /* xmlSecKeyDataXmlReadMethod xmlRead; */
282 xmlSecNssKeyDataX509XmlWrite, /* xmlSecKeyDataXmlWriteMethod xmlWrite; */
283 NULL, /* xmlSecKeyDataBinReadMethod binRead; */
284 NULL, /* xmlSecKeyDataBinWriteMethod binWrite; */
287 xmlSecNssKeyDataX509DebugDump, /* xmlSecKeyDataDebugDumpMethod debugDump; */
288 xmlSecNssKeyDataX509DebugXmlDump, /* xmlSecKeyDataDebugDumpMethod debugXmlDump; */
290 /* reserved for the future */
291 NULL, /* void* reserved0; */
292 NULL, /* void* reserved1; */
296 * xmlSecNssKeyDataX509GetKlass:
298 * The NSS X509 key data klass (http://www.w3.org/TR/xmldsig-core/#sec-X509Data).
300 * Returns: the X509 data klass.
303 xmlSecNssKeyDataX509GetKlass(void) {
304 return(&xmlSecNssKeyDataX509Klass);
308 * xmlSecNssKeyDataX509GetKeyCert:
309 * @data: the pointer to X509 key data.
311 * Gets the certificate from which the key was extracted.
313 * Returns: the key's certificate or NULL if key data was not used for key
314 * extraction or an error occurs.
317 xmlSecNssKeyDataX509GetKeyCert(xmlSecKeyDataPtr data) {
318 xmlSecNssX509DataCtxPtr ctx;
320 xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecNssKeyDataX509Id), NULL);
322 ctx = xmlSecNssX509DataGetCtx(data);
323 xmlSecAssert2(ctx != NULL, NULL);
325 return(ctx->keyCert);
329 * xmlSecNssKeyDataX509AdoptKeyCert:
330 * @data: the pointer to X509 key data.
331 * @cert: the pointer to NSS X509 certificate.
333 * Sets the key's certificate in @data.
335 * Returns: 0 on success or a negative value if an error occurs.
338 xmlSecNssKeyDataX509AdoptKeyCert(xmlSecKeyDataPtr data, CERTCertificate* cert) {
339 xmlSecNssX509DataCtxPtr ctx;
341 xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecNssKeyDataX509Id), -1);
342 xmlSecAssert2(cert != NULL, -1);
344 ctx = xmlSecNssX509DataGetCtx(data);
345 xmlSecAssert2(ctx != NULL, -1);
347 if(ctx->keyCert != NULL) {
348 CERT_DestroyCertificate(ctx->keyCert);
355 * xmlSecNssKeyDataX509AdoptCert:
356 * @data: the pointer to X509 key data.
357 * @cert: the pointer to NSS X509 certificate.
359 * Adds certificate to the X509 key data.
361 * Returns: 0 on success or a negative value if an error occurs.
364 xmlSecNssKeyDataX509AdoptCert(xmlSecKeyDataPtr data, CERTCertificate* cert) {
365 xmlSecNssX509DataCtxPtr ctx;
368 xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecNssKeyDataX509Id), -1);
369 xmlSecAssert2(cert != NULL, -1);
371 ctx = xmlSecNssX509DataGetCtx(data);
372 xmlSecAssert2(ctx != NULL, -1);
374 if(ctx->certsList == NULL) {
375 ctx->certsList = CERT_NewCertList();
376 if(ctx->certsList == NULL) {
377 xmlSecError(XMLSEC_ERRORS_HERE,
378 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
380 XMLSEC_ERRORS_R_CRYPTO_FAILED,
381 "error code=%d", PORT_GetError());
386 ret = CERT_AddCertToListTail(ctx->certsList, cert);
387 if(ret != SECSuccess) {
388 xmlSecError(XMLSEC_ERRORS_HERE,
389 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
390 "CERT_AddCertToListTail",
391 XMLSEC_ERRORS_R_CRYPTO_FAILED,
392 "error code=%d", PORT_GetError());
401 * xmlSecNssKeyDataX509GetCert:
402 * @data: the pointer to X509 key data.
403 * @pos: the desired certificate position.
405 * Gets a certificate from X509 key data.
407 * Returns: the pointer to certificate or NULL if @pos is larger than the
408 * number of certificates in @data or an error occurs.
411 xmlSecNssKeyDataX509GetCert(xmlSecKeyDataPtr data, xmlSecSize pos) {
412 xmlSecNssX509DataCtxPtr ctx;
413 CERTCertListNode* head;
415 xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecNssKeyDataX509Id), NULL);
417 ctx = xmlSecNssX509DataGetCtx(data);
418 xmlSecAssert2(ctx != NULL, NULL);
419 xmlSecAssert2(ctx->certsList != NULL, NULL);
420 xmlSecAssert2(pos < ctx->numCerts, NULL);
422 head = CERT_LIST_HEAD(ctx->certsList);
425 head = CERT_LIST_NEXT(head);
433 * xmlSecNssKeyDataX509GetCertsSize:
434 * @data: the pointer to X509 key data.
436 * Gets the number of certificates in @data.
438 * Returns: te number of certificates in @data.
441 xmlSecNssKeyDataX509GetCertsSize(xmlSecKeyDataPtr data) {
442 xmlSecNssX509DataCtxPtr ctx;
444 xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecNssKeyDataX509Id), 0);
446 ctx = xmlSecNssX509DataGetCtx(data);
447 xmlSecAssert2(ctx != NULL, 0);
449 return(ctx->numCerts);
453 * xmlSecNssKeyDataX509AdoptCrl:
454 * @data: the pointer to X509 key data.
455 * @crl: the pointer to NSS X509 CRL.
457 * Adds CRL to the X509 key data.
459 * Returns: 0 on success or a negative value if an error occurs.
462 xmlSecNssKeyDataX509AdoptCrl(xmlSecKeyDataPtr data, CERTSignedCrl* crl) {
463 xmlSecNssX509DataCtxPtr ctx;
464 xmlSecNssX509CrlNodePtr crlnode;
466 xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecNssKeyDataX509Id), -1);
467 xmlSecAssert2(crl != NULL, -1);
469 ctx = xmlSecNssX509DataGetCtx(data);
470 xmlSecAssert2(ctx != NULL, -1);
472 crlnode = (xmlSecNssX509CrlNodePtr)PR_Malloc(sizeof(xmlSecNssX509CrlNode));
474 if(crlnode == NULL) {
475 xmlSecError(XMLSEC_ERRORS_HERE,
476 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
478 XMLSEC_ERRORS_R_MALLOC_FAILED,
479 XMLSEC_ERRORS_NO_MESSAGE);
483 memset(crlnode, 0, sizeof(xmlSecNssX509CrlNode));
484 crlnode->next = ctx->crlsList;
486 ctx->crlsList = crlnode;
493 * xmlSecNssKeyDataX509GetCrl:
494 * @data: the pointer to X509 key data.
495 * @pos: the desired CRL position.
497 * Gets a CRL from X509 key data.
499 * Returns: the pointer to CRL or NULL if @pos is larger than the
500 * number of CRLs in @data or an error occurs.
503 xmlSecNssKeyDataX509GetCrl(xmlSecKeyDataPtr data, xmlSecSize pos) {
504 xmlSecNssX509DataCtxPtr ctx;
505 xmlSecNssX509CrlNodePtr head;
507 xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecNssKeyDataX509Id), NULL);
508 ctx = xmlSecNssX509DataGetCtx(data);
509 xmlSecAssert2(ctx != NULL, NULL);
511 xmlSecAssert2(ctx->crlsList != NULL, NULL);
512 xmlSecAssert2(pos < ctx->numCrls, NULL);
514 head = ctx->crlsList;
525 * xmlSecNssKeyDataX509GetCrlsSize:
526 * @data: the pointer to X509 key data.
528 * Gets the number of CRLs in @data.
530 * Returns: te number of CRLs in @data.
533 xmlSecNssKeyDataX509GetCrlsSize(xmlSecKeyDataPtr data) {
534 xmlSecNssX509DataCtxPtr ctx;
536 xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecNssKeyDataX509Id), 0);
538 ctx = xmlSecNssX509DataGetCtx(data);
539 xmlSecAssert2(ctx != NULL, 0);
541 return(ctx->numCrls);
545 xmlSecNssKeyDataX509Initialize(xmlSecKeyDataPtr data) {
546 xmlSecNssX509DataCtxPtr ctx;
548 xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecNssKeyDataX509Id), -1);
550 ctx = xmlSecNssX509DataGetCtx(data);
551 xmlSecAssert2(ctx != NULL, -1);
553 memset(ctx, 0, sizeof(xmlSecNssX509DataCtx));
558 xmlSecNssKeyDataX509Duplicate(xmlSecKeyDataPtr dst, xmlSecKeyDataPtr src) {
559 CERTCertificate* certSrc;
560 CERTCertificate* certDst;
561 CERTSignedCrl* crlSrc;
562 CERTSignedCrl* crlDst;
563 xmlSecSize size, pos;
566 xmlSecAssert2(xmlSecKeyDataCheckId(dst, xmlSecNssKeyDataX509Id), -1);
567 xmlSecAssert2(xmlSecKeyDataCheckId(src, xmlSecNssKeyDataX509Id), -1);
570 size = xmlSecNssKeyDataX509GetCertsSize(src);
571 for(pos = 0; pos < size; ++pos) {
572 /* TBD: function below does linear scan, eliminate loop within
575 certSrc = xmlSecNssKeyDataX509GetCert(src, pos);
576 if(certSrc == NULL) {
577 xmlSecError(XMLSEC_ERRORS_HERE,
578 xmlSecErrorsSafeString(xmlSecKeyDataGetName(src)),
579 "xmlSecNssKeyDataX509GetCert",
580 XMLSEC_ERRORS_R_XMLSEC_FAILED,
585 certDst = CERT_DupCertificate(certSrc);
586 if(certDst == NULL) {
587 xmlSecError(XMLSEC_ERRORS_HERE,
588 xmlSecErrorsSafeString(xmlSecKeyDataGetName(dst)),
589 "CERT_DupCertificate",
590 XMLSEC_ERRORS_R_CRYPTO_FAILED,
591 "error code=%d", PORT_GetError());
595 ret = xmlSecNssKeyDataX509AdoptCert(dst, certDst);
597 xmlSecError(XMLSEC_ERRORS_HERE,
598 xmlSecErrorsSafeString(xmlSecKeyDataGetName(dst)),
599 "xmlSecNssKeyDataX509AdoptCert",
600 XMLSEC_ERRORS_R_XMLSEC_FAILED,
601 XMLSEC_ERRORS_NO_MESSAGE);
602 CERT_DestroyCertificate(certDst);
608 size = xmlSecNssKeyDataX509GetCrlsSize(src);
609 for(pos = 0; pos < size; ++pos) {
610 crlSrc = xmlSecNssKeyDataX509GetCrl(src, pos);
612 xmlSecError(XMLSEC_ERRORS_HERE,
613 xmlSecErrorsSafeString(xmlSecKeyDataGetName(src)),
614 "xmlSecNssKeyDataX509GetCrl",
615 XMLSEC_ERRORS_R_XMLSEC_FAILED,
620 /* TBD: SEC_DupCrl isn't exported by NSS yet */
621 /*crlDst = SEC_DupCrl(crlSrc);*/
623 PR_AtomicIncrement(&(crlSrc->referenceCount));
626 xmlSecError(XMLSEC_ERRORS_HERE,
627 xmlSecErrorsSafeString(xmlSecKeyDataGetName(dst)),
629 XMLSEC_ERRORS_R_CRYPTO_FAILED,
630 "error code=%d", PORT_GetError());
634 ret = xmlSecNssKeyDataX509AdoptCrl(dst, crlDst);
636 xmlSecError(XMLSEC_ERRORS_HERE,
637 xmlSecErrorsSafeString(xmlSecKeyDataGetName(dst)),
638 "xmlSecNssKeyDataX509AdoptCrl",
639 XMLSEC_ERRORS_R_XMLSEC_FAILED,
640 XMLSEC_ERRORS_NO_MESSAGE);
641 SEC_DestroyCrl(crlDst);
646 /* copy key cert if exist */
647 certSrc = xmlSecNssKeyDataX509GetKeyCert(src);
648 if(certSrc != NULL) {
649 certDst = CERT_DupCertificate(certSrc);
650 if(certDst == NULL) {
651 xmlSecError(XMLSEC_ERRORS_HERE,
652 xmlSecErrorsSafeString(xmlSecKeyDataGetName(dst)),
653 "CERT_DupCertificate",
654 XMLSEC_ERRORS_R_CRYPTO_FAILED,
655 "error code=%d", PORT_GetError());
658 ret = xmlSecNssKeyDataX509AdoptKeyCert(dst, certDst);
660 xmlSecError(XMLSEC_ERRORS_HERE,
661 xmlSecErrorsSafeString(xmlSecKeyDataGetName(dst)),
662 "xmlSecNssKeyDataX509AdoptKeyCert",
663 XMLSEC_ERRORS_R_XMLSEC_FAILED,
664 XMLSEC_ERRORS_NO_MESSAGE);
665 CERT_DestroyCertificate(certDst);
673 xmlSecNssKeyDataX509Finalize(xmlSecKeyDataPtr data) {
674 xmlSecNssX509DataCtxPtr ctx;
676 xmlSecAssert(xmlSecKeyDataCheckId(data, xmlSecNssKeyDataX509Id));
678 ctx = xmlSecNssX509DataGetCtx(data);
679 xmlSecAssert(ctx != NULL);
681 if(ctx->certsList != NULL) {
682 CERT_DestroyCertList(ctx->certsList);
685 if(ctx->crlsList != NULL) {
686 xmlSecNssX509CrlNodePtr head;
687 xmlSecNssX509CrlNodePtr tmp;
689 head = ctx->crlsList;
693 SEC_DestroyCrl(head->crl);
699 if(ctx->keyCert != NULL) {
700 CERT_DestroyCertificate(ctx->keyCert);
703 memset(ctx, 0, sizeof(xmlSecNssX509DataCtx));
707 xmlSecNssKeyDataX509XmlRead(xmlSecKeyDataId id, xmlSecKeyPtr key,
708 xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) {
709 xmlSecKeyDataPtr data;
712 xmlSecAssert2(id == xmlSecNssKeyDataX509Id, -1);
713 xmlSecAssert2(key != NULL, -1);
714 xmlSecAssert2(node != NULL, -1);
715 xmlSecAssert2(keyInfoCtx != NULL, -1);
717 data = xmlSecKeyEnsureData(key, id);
719 xmlSecError(XMLSEC_ERRORS_HERE,
720 xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
721 "xmlSecKeyEnsureData",
722 XMLSEC_ERRORS_R_XMLSEC_FAILED,
723 XMLSEC_ERRORS_NO_MESSAGE);
727 ret = xmlSecNssX509DataNodeRead(data, node, keyInfoCtx);
729 xmlSecError(XMLSEC_ERRORS_HERE,
730 xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
731 "xmlSecNssX509DataNodeRead",
732 XMLSEC_ERRORS_R_XMLSEC_FAILED,
733 XMLSEC_ERRORS_NO_MESSAGE);
737 if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS) == 0) {
738 ret = xmlSecNssKeyDataX509VerifyAndExtractKey(data, key, keyInfoCtx);
740 xmlSecError(XMLSEC_ERRORS_HERE,
741 xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
742 "xmlSecNssKeyDataX509VerifyAndExtractKey",
743 XMLSEC_ERRORS_R_XMLSEC_FAILED,
744 XMLSEC_ERRORS_NO_MESSAGE);
752 xmlSecNssKeyDataX509XmlWrite(xmlSecKeyDataId id, xmlSecKeyPtr key,
753 xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) {
754 xmlSecKeyDataPtr data;
755 CERTCertificate* cert;
757 xmlSecSize size, pos;
761 xmlSecAssert2(id == xmlSecNssKeyDataX509Id, -1);
762 xmlSecAssert2(key != NULL, -1);
763 xmlSecAssert2(node != NULL, -1);
764 xmlSecAssert2(keyInfoCtx != NULL, -1);
766 content = xmlSecX509DataGetNodeContent (node, 1, keyInfoCtx);
768 xmlSecError(XMLSEC_ERRORS_HERE,
769 xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
770 "xmlSecX509DataGetNodeContent",
771 XMLSEC_ERRORS_R_XMLSEC_FAILED,
772 "content=%d", content);
774 } else if(content == 0) {
775 /* by default we are writing certificates and crls */
776 content = XMLSEC_X509DATA_DEFAULT;
780 data = xmlSecKeyGetData(key, id);
782 /* no x509 data in the key */
787 size = xmlSecNssKeyDataX509GetCertsSize(data);
788 for(pos = 0; pos < size; ++pos) {
789 cert = xmlSecNssKeyDataX509GetCert(data, pos);
791 xmlSecError(XMLSEC_ERRORS_HERE,
792 xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
793 "xmlSecNssKeyDataX509GetCert",
794 XMLSEC_ERRORS_R_XMLSEC_FAILED,
799 if((content & XMLSEC_X509DATA_CERTIFICATE_NODE) != 0) {
800 ret = xmlSecNssX509CertificateNodeWrite(cert, node, keyInfoCtx);
802 xmlSecError(XMLSEC_ERRORS_HERE,
803 xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
804 "xmlSecNssX509CertificateNodeWrite",
805 XMLSEC_ERRORS_R_XMLSEC_FAILED,
811 if((content & XMLSEC_X509DATA_SUBJECTNAME_NODE) != 0) {
812 ret = xmlSecNssX509SubjectNameNodeWrite(cert, node, keyInfoCtx);
814 xmlSecError(XMLSEC_ERRORS_HERE,
815 xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
816 "xmlSecNssX509SubjectNameNodeWrite",
817 XMLSEC_ERRORS_R_XMLSEC_FAILED,
823 if((content & XMLSEC_X509DATA_ISSUERSERIAL_NODE) != 0) {
824 ret = xmlSecNssX509IssuerSerialNodeWrite(cert, node, keyInfoCtx);
826 xmlSecError(XMLSEC_ERRORS_HERE,
827 xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
828 "xmlSecNssX509IssuerSerialNodeWrite",
829 XMLSEC_ERRORS_R_XMLSEC_FAILED,
835 if((content & XMLSEC_X509DATA_SKI_NODE) != 0) {
836 ret = xmlSecNssX509SKINodeWrite(cert, node, keyInfoCtx);
838 xmlSecError(XMLSEC_ERRORS_HERE,
839 xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
840 "xmlSecNssX509SKINodeWrite",
841 XMLSEC_ERRORS_R_XMLSEC_FAILED,
848 /* write crls if needed */
849 if((content & XMLSEC_X509DATA_CRL_NODE) != 0) {
850 size = xmlSecNssKeyDataX509GetCrlsSize(data);
851 for(pos = 0; pos < size; ++pos) {
852 crl = xmlSecNssKeyDataX509GetCrl(data, pos);
854 xmlSecError(XMLSEC_ERRORS_HERE,
855 xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
856 "xmlSecNssKeyDataX509GetCrl",
857 XMLSEC_ERRORS_R_XMLSEC_FAILED,
862 ret = xmlSecNssX509CRLNodeWrite(crl, node, keyInfoCtx);
864 xmlSecError(XMLSEC_ERRORS_HERE,
865 xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
866 "xmlSecNssX509CRLNodeWrite",
867 XMLSEC_ERRORS_R_XMLSEC_FAILED,
877 static xmlSecKeyDataType
878 xmlSecNssKeyDataX509GetType(xmlSecKeyDataPtr data) {
879 xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecNssKeyDataX509Id), xmlSecKeyDataTypeUnknown);
881 /* TODO: return verified/not verified status */
882 return(xmlSecKeyDataTypeUnknown);
885 static const xmlChar*
886 xmlSecNssKeyDataX509GetIdentifier(xmlSecKeyDataPtr data) {
887 xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecNssKeyDataX509Id), NULL);
894 xmlSecNssKeyDataX509DebugDump(xmlSecKeyDataPtr data, FILE* output) {
895 CERTCertificate* cert;
896 xmlSecSize size, pos;
898 xmlSecAssert(xmlSecKeyDataCheckId(data, xmlSecNssKeyDataX509Id));
899 xmlSecAssert(output != NULL);
901 fprintf(output, "=== X509 Data:\n");
902 cert = xmlSecNssKeyDataX509GetKeyCert(data);
904 fprintf(output, "==== Key Certificate:\n");
905 xmlSecNssX509CertDebugDump(cert, output);
908 size = xmlSecNssKeyDataX509GetCertsSize(data);
909 for(pos = 0; pos < size; ++pos) {
910 cert = xmlSecNssKeyDataX509GetCert(data, pos);
912 xmlSecError(XMLSEC_ERRORS_HERE,
913 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
914 "xmlSecNssKeyDataX509GetCert",
915 XMLSEC_ERRORS_R_XMLSEC_FAILED,
919 fprintf(output, "==== Certificate:\n");
920 xmlSecNssX509CertDebugDump(cert, output);
923 /* we don't print out crls */
927 xmlSecNssKeyDataX509DebugXmlDump(xmlSecKeyDataPtr data, FILE* output) {
928 CERTCertificate* cert;
929 xmlSecSize size, pos;
931 xmlSecAssert(xmlSecKeyDataCheckId(data, xmlSecNssKeyDataX509Id));
932 xmlSecAssert(output != NULL);
934 fprintf(output, "<X509Data>\n");
935 cert = xmlSecNssKeyDataX509GetKeyCert(data);
937 fprintf(output, "<KeyCertificate>\n");
938 xmlSecNssX509CertDebugXmlDump(cert, output);
939 fprintf(output, "</KeyCertificate>\n");
942 size = xmlSecNssKeyDataX509GetCertsSize(data);
943 for(pos = 0; pos < size; ++pos) {
944 cert = xmlSecNssKeyDataX509GetCert(data, pos);
946 xmlSecError(XMLSEC_ERRORS_HERE,
947 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
948 "xmlSecNssKeyDataX509GetCert",
949 XMLSEC_ERRORS_R_XMLSEC_FAILED,
953 fprintf(output, "<Certificate>\n");
954 xmlSecNssX509CertDebugXmlDump(cert, output);
955 fprintf(output, "</Certificate>\n");
958 /* we don't print out crls */
959 fprintf(output, "</X509Data>\n");
963 xmlSecNssX509DataNodeRead(xmlSecKeyDataPtr data, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) {
967 xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecNssKeyDataX509Id), -1);
968 xmlSecAssert2(node != NULL, -1);
969 xmlSecAssert2(keyInfoCtx != NULL, -1);
971 for(cur = xmlSecGetNextElementNode(node->children);
973 cur = xmlSecGetNextElementNode(cur->next)) {
976 if(xmlSecCheckNodeName(cur, xmlSecNodeX509Certificate, xmlSecDSigNs)) {
977 ret = xmlSecNssX509CertificateNodeRead(data, cur, keyInfoCtx);
978 } else if(xmlSecCheckNodeName(cur, xmlSecNodeX509SubjectName, xmlSecDSigNs)) {
979 ret = xmlSecNssX509SubjectNameNodeRead(data, cur, keyInfoCtx);
980 } else if(xmlSecCheckNodeName(cur, xmlSecNodeX509IssuerSerial, xmlSecDSigNs)) {
981 ret = xmlSecNssX509IssuerSerialNodeRead(data, cur, keyInfoCtx);
982 } else if(xmlSecCheckNodeName(cur, xmlSecNodeX509SKI, xmlSecDSigNs)) {
983 ret = xmlSecNssX509SKINodeRead(data, cur, keyInfoCtx);
984 } else if(xmlSecCheckNodeName(cur, xmlSecNodeX509CRL, xmlSecDSigNs)) {
985 ret = xmlSecNssX509CRLNodeRead(data, cur, keyInfoCtx);
986 } else if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_X509DATA_STOP_ON_UNKNOWN_CHILD) != 0) {
987 /* laxi schema validation: ignore unknown nodes */
988 xmlSecError(XMLSEC_ERRORS_HERE,
989 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
990 xmlSecErrorsSafeString(xmlSecNodeGetName(cur)),
991 XMLSEC_ERRORS_R_UNEXPECTED_NODE,
992 XMLSEC_ERRORS_NO_MESSAGE);
996 xmlSecError(XMLSEC_ERRORS_HERE,
997 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
998 xmlSecErrorsSafeString(xmlSecNodeGetName(cur)),
999 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1000 "read node failed");
1008 xmlSecNssX509CertificateNodeRead(xmlSecKeyDataPtr data, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) {
1010 CERTCertificate* cert;
1013 xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecNssKeyDataX509Id), -1);
1014 xmlSecAssert2(node != NULL, -1);
1015 xmlSecAssert2(keyInfoCtx != NULL, -1);
1017 content = xmlNodeGetContent(node);
1018 if((content == NULL) || (xmlSecIsEmptyString(content) == 1)) {
1019 if(content != NULL) {
1022 if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_STOP_ON_EMPTY_NODE) != 0) {
1023 xmlSecError(XMLSEC_ERRORS_HERE,
1024 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
1025 xmlSecErrorsSafeString(xmlSecNodeGetName(node)),
1026 XMLSEC_ERRORS_R_INVALID_NODE_CONTENT,
1027 XMLSEC_ERRORS_NO_MESSAGE);
1033 cert = xmlSecNssX509CertBase64DerRead(content);
1035 xmlSecError(XMLSEC_ERRORS_HERE,
1036 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
1037 "xmlSecNssX509CertBase64DerRead",
1038 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1039 XMLSEC_ERRORS_NO_MESSAGE);
1044 ret = xmlSecNssKeyDataX509AdoptCert(data, cert);
1046 xmlSecError(XMLSEC_ERRORS_HERE,
1047 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
1048 "xmlSecNssKeyDataX509AdoptCert",
1049 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1050 XMLSEC_ERRORS_NO_MESSAGE);
1051 CERT_DestroyCertificate(cert);
1061 xmlSecNssX509CertificateNodeWrite(CERTCertificate* cert, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) {
1065 xmlSecAssert2(cert != NULL, -1);
1066 xmlSecAssert2(node != NULL, -1);
1067 xmlSecAssert2(keyInfoCtx != NULL, -1);
1069 /* set base64 lines size from context */
1070 buf = xmlSecNssX509CertBase64DerWrite(cert, keyInfoCtx->base64LineSize);
1072 xmlSecError(XMLSEC_ERRORS_HERE,
1074 "xmlSecNssX509CertBase64DerWrite",
1075 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1076 XMLSEC_ERRORS_NO_MESSAGE);
1080 cur = xmlSecAddChild(node, xmlSecNodeX509Certificate, xmlSecDSigNs);
1082 xmlSecError(XMLSEC_ERRORS_HERE,
1085 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1087 xmlSecErrorsSafeString(xmlSecNodeX509Certificate));
1092 /* todo: add \n around base64 data - from context */
1093 /* todo: add errors check */
1094 xmlNodeSetContent(cur, xmlSecStringCR);
1095 xmlNodeSetContent(cur, buf);
1101 xmlSecNssX509SubjectNameNodeRead(xmlSecKeyDataPtr data, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) {
1102 xmlSecKeyDataStorePtr x509Store;
1104 CERTCertificate* cert;
1107 xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecNssKeyDataX509Id), -1);
1108 xmlSecAssert2(node != NULL, -1);
1109 xmlSecAssert2(keyInfoCtx != NULL, -1);
1110 xmlSecAssert2(keyInfoCtx->keysMngr != NULL, -1);
1112 x509Store = xmlSecKeysMngrGetDataStore(keyInfoCtx->keysMngr, xmlSecNssX509StoreId);
1113 if(x509Store == NULL) {
1114 xmlSecError(XMLSEC_ERRORS_HERE,
1115 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
1116 "xmlSecKeysMngrGetDataStore",
1117 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1118 XMLSEC_ERRORS_NO_MESSAGE);
1122 subject = xmlNodeGetContent(node);
1123 if((subject == NULL) || (xmlSecIsEmptyString(subject) == 1)) {
1124 if(subject != NULL) {
1127 if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_STOP_ON_EMPTY_NODE) != 0) {
1128 xmlSecError(XMLSEC_ERRORS_HERE,
1129 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
1130 xmlSecErrorsSafeString(xmlSecNodeGetName(node)),
1131 XMLSEC_ERRORS_R_INVALID_NODE_CONTENT,
1132 XMLSEC_ERRORS_NO_MESSAGE);
1138 cert = xmlSecNssX509StoreFindCert(x509Store, subject, NULL, NULL, NULL, keyInfoCtx);
1141 if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_X509DATA_STOP_ON_UNKNOWN_CERT) != 0) {
1142 xmlSecError(XMLSEC_ERRORS_HERE,
1143 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
1145 XMLSEC_ERRORS_R_CERT_NOT_FOUND,
1147 xmlSecErrorsSafeString(subject));
1156 ret = xmlSecNssKeyDataX509AdoptCert(data, cert);
1158 xmlSecError(XMLSEC_ERRORS_HERE,
1159 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
1160 "xmlSecNssKeyDataX509AdoptCert",
1161 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1162 XMLSEC_ERRORS_NO_MESSAGE);
1163 CERT_DestroyCertificate(cert);
1173 xmlSecNssX509SubjectNameNodeWrite(CERTCertificate* cert, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx ATTRIBUTE_UNUSED) {
1174 xmlChar* buf = NULL;
1175 xmlNodePtr cur = NULL;
1177 xmlSecAssert2(cert != NULL, -1);
1178 xmlSecAssert2(node != NULL, -1);
1180 buf = xmlSecNssX509NameWrite(&(cert->subject));
1182 xmlSecError(XMLSEC_ERRORS_HERE,
1184 "xmlSecNssX509NameWrite(&(cert->subject))",
1185 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1186 XMLSEC_ERRORS_NO_MESSAGE);
1190 cur = xmlSecAddChild(node, xmlSecNodeX509SubjectName, xmlSecDSigNs);
1192 xmlSecError(XMLSEC_ERRORS_HERE,
1195 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1197 xmlSecErrorsSafeString(xmlSecNodeX509SubjectName));
1201 xmlSecNodeEncodeAndSetContent(cur, buf);
1207 xmlSecNssX509IssuerSerialNodeRead(xmlSecKeyDataPtr data, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) {
1208 xmlSecKeyDataStorePtr x509Store;
1210 xmlChar *issuerName;
1211 xmlChar *issuerSerial;
1212 CERTCertificate* cert;
1215 xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecNssKeyDataX509Id), -1);
1216 xmlSecAssert2(node != NULL, -1);
1217 xmlSecAssert2(keyInfoCtx != NULL, -1);
1218 xmlSecAssert2(keyInfoCtx->keysMngr != NULL, -1);
1220 x509Store = xmlSecKeysMngrGetDataStore(keyInfoCtx->keysMngr, xmlSecNssX509StoreId);
1221 if(x509Store == NULL) {
1222 xmlSecError(XMLSEC_ERRORS_HERE,
1223 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
1224 "xmlSecKeysMngrGetDataStore",
1225 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1226 XMLSEC_ERRORS_NO_MESSAGE);
1230 cur = xmlSecGetNextElementNode(node->children);
1232 if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_STOP_ON_EMPTY_NODE) != 0) {
1233 xmlSecError(XMLSEC_ERRORS_HERE,
1234 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
1235 xmlSecErrorsSafeString(xmlSecNodeX509IssuerName),
1236 XMLSEC_ERRORS_R_NODE_NOT_FOUND,
1238 xmlSecErrorsSafeString(xmlSecNodeGetName(cur)));
1244 /* the first is required node X509IssuerName */
1245 if(!xmlSecCheckNodeName(cur, xmlSecNodeX509IssuerName, xmlSecDSigNs)) {
1246 xmlSecError(XMLSEC_ERRORS_HERE,
1247 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
1248 xmlSecErrorsSafeString(xmlSecNodeX509IssuerName),
1249 XMLSEC_ERRORS_R_NODE_NOT_FOUND,
1251 xmlSecErrorsSafeString(xmlSecNodeGetName(cur)));
1254 issuerName = xmlNodeGetContent(cur);
1255 if(issuerName == NULL) {
1256 xmlSecError(XMLSEC_ERRORS_HERE,
1257 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
1258 xmlSecErrorsSafeString(xmlSecNodeGetName(cur)),
1259 XMLSEC_ERRORS_R_INVALID_NODE_CONTENT,
1261 xmlSecErrorsSafeString(xmlSecNodeX509IssuerName));
1264 cur = xmlSecGetNextElementNode(cur->next);
1266 /* next is required node X509SerialNumber */
1267 if((cur == NULL) || !xmlSecCheckNodeName(cur, xmlSecNodeX509SerialNumber, xmlSecDSigNs)) {
1268 xmlSecError(XMLSEC_ERRORS_HERE,
1269 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
1270 xmlSecErrorsSafeString(xmlSecNodeGetName(cur)),
1271 XMLSEC_ERRORS_R_NODE_NOT_FOUND,
1273 xmlSecErrorsSafeString(xmlSecNodeX509SerialNumber));
1274 xmlFree(issuerName);
1277 issuerSerial = xmlNodeGetContent(cur);
1278 if(issuerSerial == NULL) {
1279 xmlSecError(XMLSEC_ERRORS_HERE,
1280 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
1281 xmlSecErrorsSafeString(xmlSecNodeX509SerialNumber),
1282 XMLSEC_ERRORS_R_INVALID_NODE_CONTENT,
1284 xmlSecErrorsSafeString(xmlSecNodeGetName(cur)));
1285 xmlFree(issuerName);
1288 cur = xmlSecGetNextElementNode(cur->next);
1291 xmlSecError(XMLSEC_ERRORS_HERE,
1292 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
1293 xmlSecErrorsSafeString(xmlSecNodeGetName(cur)),
1294 XMLSEC_ERRORS_R_UNEXPECTED_NODE,
1295 XMLSEC_ERRORS_NO_MESSAGE);
1296 xmlFree(issuerSerial);
1297 xmlFree(issuerName);
1301 cert = xmlSecNssX509StoreFindCert(x509Store, NULL, issuerName, issuerSerial, NULL, keyInfoCtx);
1303 if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_X509DATA_STOP_ON_UNKNOWN_CERT) != 0) {
1304 xmlSecError(XMLSEC_ERRORS_HERE,
1305 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
1307 XMLSEC_ERRORS_R_CERT_NOT_FOUND,
1308 "issuerName=%s;issuerSerial=%s",
1309 xmlSecErrorsSafeString(issuerName),
1310 xmlSecErrorsSafeString(issuerSerial));
1311 xmlFree(issuerSerial);
1312 xmlFree(issuerName);
1316 xmlFree(issuerSerial);
1317 xmlFree(issuerName);
1321 ret = xmlSecNssKeyDataX509AdoptCert(data, cert);
1323 xmlSecError(XMLSEC_ERRORS_HERE,
1324 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
1325 "xmlSecNssKeyDataX509AdoptCert",
1326 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1327 XMLSEC_ERRORS_NO_MESSAGE);
1328 CERT_DestroyCertificate(cert);
1329 xmlFree(issuerSerial);
1330 xmlFree(issuerName);
1334 xmlFree(issuerSerial);
1335 xmlFree(issuerName);
1340 xmlSecNssX509IssuerSerialNodeWrite(CERTCertificate* cert, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx ATTRIBUTE_UNUSED) {
1342 xmlNodePtr issuerNameNode;
1343 xmlNodePtr issuerNumberNode;
1346 xmlSecAssert2(cert != NULL, -1);
1347 xmlSecAssert2(node != NULL, -1);
1349 /* create xml nodes */
1350 cur = xmlSecAddChild(node, xmlSecNodeX509IssuerSerial, xmlSecDSigNs);
1352 xmlSecError(XMLSEC_ERRORS_HERE,
1355 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1357 xmlSecErrorsSafeString(xmlSecNodeX509IssuerSerial));
1361 issuerNameNode = xmlSecAddChild(cur, xmlSecNodeX509IssuerName, xmlSecDSigNs);
1362 if(issuerNameNode == NULL) {
1363 xmlSecError(XMLSEC_ERRORS_HERE,
1366 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1368 xmlSecErrorsSafeString(xmlSecNodeX509IssuerName));
1372 issuerNumberNode = xmlSecAddChild(cur, xmlSecNodeX509SerialNumber, xmlSecDSigNs);
1373 if(issuerNumberNode == NULL) {
1374 xmlSecError(XMLSEC_ERRORS_HERE,
1377 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1379 xmlSecErrorsSafeString(xmlSecNodeX509SerialNumber));
1384 buf = xmlSecNssX509NameWrite(&(cert->issuer));
1386 xmlSecError(XMLSEC_ERRORS_HERE,
1388 "xmlSecNssX509NameWrite(&(cert->issuer))",
1389 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1390 XMLSEC_ERRORS_NO_MESSAGE);
1393 xmlSecNodeEncodeAndSetContent(issuerNameNode, buf);
1396 buf = xmlSecNssASN1IntegerWrite(&(cert->serialNumber));
1398 xmlSecError(XMLSEC_ERRORS_HERE,
1400 "xmlSecNssASN1IntegerWrite(&(cert->serialNumber))",
1401 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1402 XMLSEC_ERRORS_NO_MESSAGE);
1405 xmlNodeSetContent(issuerNumberNode, buf);
1412 xmlSecNssX509SKINodeRead(xmlSecKeyDataPtr data, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) {
1413 xmlSecKeyDataStorePtr x509Store;
1415 CERTCertificate* cert;
1418 xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecNssKeyDataX509Id), -1);
1419 xmlSecAssert2(node != NULL, -1);
1420 xmlSecAssert2(keyInfoCtx != NULL, -1);
1421 xmlSecAssert2(keyInfoCtx->keysMngr != NULL, -1);
1423 x509Store = xmlSecKeysMngrGetDataStore(keyInfoCtx->keysMngr, xmlSecNssX509StoreId);
1424 if(x509Store == NULL) {
1425 xmlSecError(XMLSEC_ERRORS_HERE,
1426 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
1427 "xmlSecKeysMngrGetDataStore",
1428 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1429 XMLSEC_ERRORS_NO_MESSAGE);
1433 ski = xmlNodeGetContent(node);
1434 if((ski == NULL) || (xmlSecIsEmptyString(ski) == 1)) {
1438 if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_STOP_ON_EMPTY_NODE) != 0) {
1439 xmlSecError(XMLSEC_ERRORS_HERE,
1440 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
1441 xmlSecErrorsSafeString(xmlSecNodeGetName(node)),
1442 XMLSEC_ERRORS_R_INVALID_NODE_CONTENT,
1444 xmlSecErrorsSafeString(xmlSecNodeX509SKI));
1450 cert = xmlSecNssX509StoreFindCert(x509Store, NULL, NULL, NULL, ski, keyInfoCtx);
1454 if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_X509DATA_STOP_ON_UNKNOWN_CERT) != 0) {
1455 xmlSecError(XMLSEC_ERRORS_HERE,
1456 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
1458 XMLSEC_ERRORS_R_CERT_NOT_FOUND,
1460 xmlSecErrorsSafeString(ski));
1466 ret = xmlSecNssKeyDataX509AdoptCert(data, cert);
1468 xmlSecError(XMLSEC_ERRORS_HERE,
1469 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
1470 "xmlSecNssKeyDataX509AdoptCert",
1471 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1472 XMLSEC_ERRORS_NO_MESSAGE);
1473 CERT_DestroyCertificate(cert);
1483 xmlSecNssX509SKINodeWrite(CERTCertificate* cert, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx ATTRIBUTE_UNUSED) {
1484 xmlChar *buf = NULL;
1485 xmlNodePtr cur = NULL;
1487 xmlSecAssert2(cert != NULL, -1);
1488 xmlSecAssert2(node != NULL, -1);
1490 buf = xmlSecNssX509SKIWrite(cert);
1492 xmlSecError(XMLSEC_ERRORS_HERE,
1494 "xmlSecNssX509SKIWrite",
1495 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1496 XMLSEC_ERRORS_NO_MESSAGE);
1500 cur = xmlSecAddChild(node, xmlSecNodeX509SKI, xmlSecDSigNs);
1502 xmlSecError(XMLSEC_ERRORS_HERE,
1505 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1507 xmlSecErrorsSafeString(xmlSecNodeX509SKI));
1511 xmlSecNodeEncodeAndSetContent(cur, buf);
1518 xmlSecNssX509CRLNodeRead(xmlSecKeyDataPtr data, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) {
1522 xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecNssKeyDataX509Id), -1);
1523 xmlSecAssert2(node != NULL, -1);
1524 xmlSecAssert2(keyInfoCtx != NULL, -1);
1526 content = xmlNodeGetContent(node);
1527 if((content == NULL) || (xmlSecIsEmptyString(content) == 1)) {
1528 if(content != NULL) {
1531 if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_STOP_ON_EMPTY_NODE) != 0) {
1532 xmlSecError(XMLSEC_ERRORS_HERE,
1533 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
1534 xmlSecErrorsSafeString(xmlSecNodeGetName(node)),
1535 XMLSEC_ERRORS_R_INVALID_NODE_CONTENT,
1536 XMLSEC_ERRORS_NO_MESSAGE);
1542 crl = xmlSecNssX509CrlBase64DerRead(content, keyInfoCtx);
1544 xmlSecError(XMLSEC_ERRORS_HERE,
1545 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
1546 "xmlSecNssX509CrlBase64DerRead",
1547 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1548 XMLSEC_ERRORS_NO_MESSAGE);
1553 SEC_DestroyCrl(crl);
1559 xmlSecNssX509CRLNodeWrite(CERTSignedCrl* crl, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) {
1560 xmlChar* buf = NULL;
1561 xmlNodePtr cur = NULL;
1563 xmlSecAssert2(crl != NULL, -1);
1564 xmlSecAssert2(node != NULL, -1);
1565 xmlSecAssert2(keyInfoCtx != NULL, -1);
1567 /* set base64 lines size from context */
1568 buf = xmlSecNssX509CrlBase64DerWrite(crl, keyInfoCtx->base64LineSize);
1570 xmlSecError(XMLSEC_ERRORS_HERE,
1572 "xmlSecNssX509CrlBase64DerWrite",
1573 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1574 XMLSEC_ERRORS_NO_MESSAGE);
1578 cur = xmlSecAddChild(node, xmlSecNodeX509CRL, xmlSecDSigNs);
1580 xmlSecError(XMLSEC_ERRORS_HERE,
1583 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1585 xmlSecErrorsSafeString(xmlSecNodeX509CRL));
1589 /* todo: add \n around base64 data - from context */
1590 /* todo: add errors check */
1591 xmlNodeSetContent(cur, xmlSecStringCR);
1592 xmlNodeSetContent(cur, buf);
1600 xmlSecNssKeyDataX509VerifyAndExtractKey(xmlSecKeyDataPtr data, xmlSecKeyPtr key,
1601 xmlSecKeyInfoCtxPtr keyInfoCtx) {
1602 xmlSecNssX509DataCtxPtr ctx;
1603 xmlSecKeyDataStorePtr x509Store;
1606 PRTime notBefore, notAfter;
1608 xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecNssKeyDataX509Id), -1);
1609 xmlSecAssert2(key != NULL, -1);
1610 xmlSecAssert2(keyInfoCtx != NULL, -1);
1611 xmlSecAssert2(keyInfoCtx->keysMngr != NULL, -1);
1613 ctx = xmlSecNssX509DataGetCtx(data);
1614 xmlSecAssert2(ctx != NULL, -1);
1616 x509Store = xmlSecKeysMngrGetDataStore(keyInfoCtx->keysMngr, xmlSecNssX509StoreId);
1617 if(x509Store == NULL) {
1618 xmlSecError(XMLSEC_ERRORS_HERE,
1619 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
1620 "xmlSecKeysMngrGetDataStore",
1621 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1622 XMLSEC_ERRORS_NO_MESSAGE);
1626 if((ctx->keyCert == NULL) && (ctx->certsList != NULL) && (xmlSecKeyGetValue(key) == NULL)) {
1627 CERTCertificate* cert;
1629 cert = xmlSecNssX509StoreVerify(x509Store, ctx->certsList, keyInfoCtx);
1631 xmlSecKeyDataPtr keyValue;
1633 ctx->keyCert = CERT_DupCertificate(cert);
1634 if(ctx->keyCert == NULL) {
1635 xmlSecError(XMLSEC_ERRORS_HERE,
1636 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
1637 "CERT_DupCertificate",
1638 XMLSEC_ERRORS_R_CRYPTO_FAILED,
1639 XMLSEC_ERRORS_NO_MESSAGE);
1643 keyValue = xmlSecNssX509CertGetKey(ctx->keyCert);
1644 if(keyValue == NULL) {
1645 xmlSecError(XMLSEC_ERRORS_HERE,
1646 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
1647 "xmlSecNssX509CertGetKey",
1648 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1649 XMLSEC_ERRORS_NO_MESSAGE);
1653 /* verify that the key matches our expectations */
1654 if(xmlSecKeyReqMatchKeyValue(&(keyInfoCtx->keyReq), keyValue) != 1) {
1655 xmlSecError(XMLSEC_ERRORS_HERE,
1656 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
1657 "xmlSecKeyReqMatchKeyValue",
1658 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1659 XMLSEC_ERRORS_NO_MESSAGE);
1660 xmlSecKeyDataDestroy(keyValue);
1664 ret = xmlSecKeySetValue(key, keyValue);
1666 xmlSecError(XMLSEC_ERRORS_HERE,
1667 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
1668 "xmlSecKeySetValue",
1669 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1670 XMLSEC_ERRORS_NO_MESSAGE);
1671 xmlSecKeyDataDestroy(keyValue);
1675 status = CERT_GetCertTimes(ctx->keyCert, ¬Before, ¬After);
1676 if (status == SECSuccess) {
1677 ret = xmlSecNssX509CertGetTime(¬Before, &(key->notValidBefore));
1679 xmlSecError(XMLSEC_ERRORS_HERE,
1680 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
1681 "xmlSecNssX509CertGetTime",
1682 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1686 ret = xmlSecNssX509CertGetTime(¬After, &(key->notValidAfter));
1688 xmlSecError(XMLSEC_ERRORS_HERE,
1689 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
1690 "xmlSecNssX509CertGetTime",
1691 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1696 key->notValidBefore = key->notValidAfter = 0;
1698 } else if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_X509DATA_STOP_ON_INVALID_CERT) != 0) {
1699 xmlSecError(XMLSEC_ERRORS_HERE,
1700 xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
1702 XMLSEC_ERRORS_R_CERT_NOT_FOUND,
1703 XMLSEC_ERRORS_NO_MESSAGE);
1711 xmlSecNssX509CertGetTime(PRTime* t, time_t* res) {
1713 PRTime tmp64_1, tmp64_2;
1714 PRUint32 tmp32 = 1000000;
1716 xmlSecAssert2(t != NULL, -1);
1717 xmlSecAssert2(res != NULL, -1);
1719 /* PRTime is time in microseconds since epoch. Divide by 1000000 to
1720 * convert to seconds, then convert to an unsigned 32 bit number
1723 LL_UI2L(tmp64_1, tmp32);
1724 LL_DIV(tmp64_2, *t, tmp64_1);
1725 LL_L2UI(tmp32, tmp64_2);
1727 (*res) = (time_t)(tmp32);
1733 * xmlSecNssX509CertGetKey:
1734 * @cert: the certificate.
1736 * Extracts public key from the @cert.
1738 * Returns: public key value or NULL if an error occurs.
1741 xmlSecNssX509CertGetKey(CERTCertificate* cert) {
1742 xmlSecKeyDataPtr data;
1743 SECKEYPublicKey *pubkey = NULL;
1745 xmlSecAssert2(cert != NULL, NULL);
1747 pubkey = CERT_ExtractPublicKey(cert);
1748 if(pubkey == NULL) {
1749 xmlSecError(XMLSEC_ERRORS_HERE,
1751 "CERT_ExtractPublicKey",
1752 XMLSEC_ERRORS_R_CRYPTO_FAILED,
1753 "error code=%d", PORT_GetError());
1757 data = xmlSecNssPKIAdoptKey(NULL, pubkey);
1759 xmlSecError(XMLSEC_ERRORS_HERE,
1761 "xmlSecNssPKIAdoptKey",
1762 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1763 XMLSEC_ERRORS_NO_MESSAGE);
1764 SECKEY_DestroyPublicKey(pubkey);
1771 static CERTCertificate*
1772 xmlSecNssX509CertBase64DerRead(xmlChar* buf) {
1775 xmlSecAssert2(buf != NULL, NULL);
1777 /* usual trick with base64 decoding "in-place" */
1778 ret = xmlSecBase64Decode(buf, (xmlSecByte*)buf, xmlStrlen(buf));
1780 xmlSecError(XMLSEC_ERRORS_HERE,
1782 "xmlSecBase64Decode",
1783 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1784 XMLSEC_ERRORS_NO_MESSAGE);
1788 return(xmlSecNssX509CertDerRead((xmlSecByte*)buf, ret));
1792 static CERTCertificate*
1793 xmlSecNssX509CertDerRead(const xmlSecByte* buf, xmlSecSize size) {
1794 CERTCertificate *cert;
1797 xmlSecAssert2(buf != NULL, NULL);
1798 xmlSecAssert2(size > 0, NULL);
1800 derCert.data = (unsigned char *)buf;
1803 /* decode cert and import to temporary cert db */
1804 cert = __CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &derCert,
1805 NULL, PR_FALSE, PR_TRUE);
1807 xmlSecError(XMLSEC_ERRORS_HERE,
1809 "__CERT_NewTempCertificate",
1810 XMLSEC_ERRORS_R_CRYPTO_FAILED,
1811 "error code=%d", PORT_GetError());
1820 xmlSecNssX509CertBase64DerWrite(CERTCertificate* cert, int base64LineWrap) {
1821 xmlChar *res = NULL;
1822 xmlSecByte *p = NULL;
1825 xmlSecAssert2(cert != NULL, NULL);
1827 p = cert->derCert.data;
1828 size = cert->derCert.len;
1829 if((size <= 0) || (p == NULL)){
1830 xmlSecError(XMLSEC_ERRORS_HERE,
1833 XMLSEC_ERRORS_R_CRYPTO_FAILED,
1834 "error code=%d", PORT_GetError());
1838 res = xmlSecBase64Encode(p, size, base64LineWrap);
1840 xmlSecError(XMLSEC_ERRORS_HERE,
1842 "xmlSecBase64Encode",
1843 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1844 XMLSEC_ERRORS_NO_MESSAGE);
1851 static CERTSignedCrl*
1852 xmlSecNssX509CrlBase64DerRead(xmlChar* buf,
1853 xmlSecKeyInfoCtxPtr keyInfoCtx) {
1856 xmlSecAssert2(buf != NULL, NULL);
1858 /* usual trick with base64 decoding "in-place" */
1859 ret = xmlSecBase64Decode(buf, (xmlSecByte*)buf, xmlStrlen(buf));
1861 xmlSecError(XMLSEC_ERRORS_HERE,
1863 "xmlSecBase64Decode",
1864 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1865 XMLSEC_ERRORS_NO_MESSAGE);
1869 return(xmlSecNssX509CrlDerRead((xmlSecByte*)buf, ret, keyInfoCtx));
1873 static CERTSignedCrl*
1874 xmlSecNssX509CrlDerRead(xmlSecByte* buf, xmlSecSize size,
1875 xmlSecKeyInfoCtxPtr keyInfoCtx) {
1876 CERTSignedCrl *crl = NULL;
1878 PK11SlotInfo *slot = NULL;
1879 PRInt32 importOptions = CRL_IMPORT_DEFAULT_OPTIONS;
1881 xmlSecAssert2(buf != NULL, NULL);
1882 xmlSecAssert2(keyInfoCtx != NULL, NULL);
1883 xmlSecAssert2(size > 0, NULL);
1888 /* we're importing a CRL, it is ok to use the internal slot.
1889 * crlutil does it :)
1891 slot = xmlSecNssGetInternalKeySlot();
1893 xmlSecError(XMLSEC_ERRORS_HERE,
1895 "xmlSecNssGetInternalKeySlot",
1896 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1897 XMLSEC_ERRORS_NO_MESSAGE);
1901 if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_X509DATA_SKIP_STRICT_CHECKS) != 0)
1902 importOptions |= CRL_IMPORT_BYPASS_CHECKS;
1904 crl = PK11_ImportCRL(slot, &derCrl, NULL, SEC_CRL_TYPE, NULL,
1905 importOptions, NULL, CRL_DECODE_DEFAULT_OPTIONS);
1908 xmlSecError(XMLSEC_ERRORS_HERE,
1911 XMLSEC_ERRORS_R_CRYPTO_FAILED,
1912 "error code=%d", PORT_GetError());
1913 PK11_FreeSlot(slot);
1917 PK11_FreeSlot(slot);
1922 xmlSecNssX509CrlBase64DerWrite(CERTSignedCrl* crl, int base64LineWrap) {
1923 xmlChar *res = NULL;
1924 xmlSecByte *p = NULL;
1927 xmlSecAssert2(crl != NULL && crl->derCrl != NULL, NULL);
1929 p = crl->derCrl->data;
1930 size = crl->derCrl->len;
1931 if((size <= 0) || (p == NULL)){
1932 xmlSecError(XMLSEC_ERRORS_HERE,
1935 XMLSEC_ERRORS_R_CRYPTO_FAILED,
1936 "error code=%d", PORT_GetError());
1940 res = xmlSecBase64Encode(p, size, base64LineWrap);
1942 xmlSecError(XMLSEC_ERRORS_HERE,
1944 "xmlSecBase64Encode",
1945 XMLSEC_ERRORS_R_XMLSEC_FAILED,
1946 XMLSEC_ERRORS_NO_MESSAGE);
1954 xmlSecNssX509NameWrite(CERTName* nm) {
1955 xmlChar *res = NULL;
1958 xmlSecAssert2(nm != NULL, NULL);
1960 str = CERT_NameToAscii(nm);
1962 xmlSecError(XMLSEC_ERRORS_HERE,
1965 XMLSEC_ERRORS_R_CRYPTO_FAILED,
1966 XMLSEC_ERRORS_NO_MESSAGE);
1970 res = xmlStrdup(BAD_CAST str);
1972 xmlSecError(XMLSEC_ERRORS_HERE,
1975 XMLSEC_ERRORS_R_MALLOC_FAILED,
1976 XMLSEC_ERRORS_NO_MESSAGE);
1985 xmlSecNssASN1IntegerWrite(SECItem *num) {
1986 xmlChar *res = NULL;
1988 xmlSecAssert2(num != NULL, NULL);
1990 /* TODO : to be implemented after
1991 * NSS bug http://bugzilla.mozilla.org/show_bug.cgi?id=212864 is fixed
1997 xmlSecNssX509SKIWrite(CERTCertificate* cert) {
1998 xmlChar *res = NULL;
2002 xmlSecAssert2(cert != NULL, NULL);
2004 memset(&ski, 0, sizeof(ski));
2006 rv = CERT_FindSubjectKeyIDExtension(cert, &ski);
2007 if (rv != SECSuccess) {
2008 xmlSecError(XMLSEC_ERRORS_HERE,
2010 "CERT_FindSubjectKeyIDExtension",
2011 XMLSEC_ERRORS_R_CRYPTO_FAILED,
2012 XMLSEC_ERRORS_NO_MESSAGE);
2013 SECITEM_FreeItem(&ski, PR_FALSE);
2017 res = xmlSecBase64Encode(ski.data, ski.len, 0);
2019 xmlSecError(XMLSEC_ERRORS_HERE,
2021 "xmlSecBase64Encode",
2022 XMLSEC_ERRORS_R_XMLSEC_FAILED,
2023 XMLSEC_ERRORS_NO_MESSAGE);
2024 SECITEM_FreeItem(&ski, PR_FALSE);
2027 SECITEM_FreeItem(&ski, PR_FALSE);
2034 xmlSecNssX509CertDebugDump(CERTCertificate* cert, FILE* output) {
2038 xmlSecAssert(cert != NULL);
2039 xmlSecAssert(output != NULL);
2041 fprintf(output, "==== Subject Name: %s\n", cert->subjectName);
2042 fprintf(output, "==== Issuer Name: %s\n", cert->issuerName);
2043 sn = &cert->serialNumber;
2045 for (i = 0; i < sn->len; i++) {
2046 if (i != sn->len - 1) {
2047 fprintf(output, "%02x:", sn->data[i]);
2049 fprintf(output, "%02x", sn->data[i]);
2052 fprintf(output, "\n");
2057 xmlSecNssX509CertDebugXmlDump(CERTCertificate* cert, FILE* output) {
2061 xmlSecAssert(cert != NULL);
2062 xmlSecAssert(output != NULL);
2064 fprintf(output, "<SubjectName>");
2065 xmlSecPrintXmlString(output, BAD_CAST cert->subjectName);
2066 fprintf(output, "</SubjectName>\n");
2068 fprintf(output, "<IssuerName>");
2069 xmlSecPrintXmlString(output, BAD_CAST cert->issuerName);
2070 fprintf(output, "</IssuerName>\n");
2072 fprintf(output, "<SerialNumber>");
2073 sn = &cert->serialNumber;
2074 for (i = 0; i < sn->len; i++) {
2075 if (i != sn->len - 1) {
2076 fprintf(output, "%02x:", sn->data[i]);
2078 fprintf(output, "%02x", sn->data[i]);
2081 fprintf(output, "</SerialNumber>\n");
2085 /**************************************************************************
2087 * Raw X509 Certificate processing
2090 *************************************************************************/
2091 static int xmlSecNssKeyDataRawX509CertBinRead (xmlSecKeyDataId id,
2093 const xmlSecByte* buf,
2095 xmlSecKeyInfoCtxPtr keyInfoCtx);
2097 static xmlSecKeyDataKlass xmlSecNssKeyDataRawX509CertKlass = {
2098 sizeof(xmlSecKeyDataKlass),
2099 sizeof(xmlSecKeyData),
2102 xmlSecNameRawX509Cert,
2103 xmlSecKeyDataUsageRetrievalMethodNodeBin,
2104 /* xmlSecKeyDataUsage usage; */
2105 xmlSecHrefRawX509Cert, /* const xmlChar* href; */
2106 NULL, /* const xmlChar* dataNodeName; */
2107 xmlSecDSigNs, /* const xmlChar* dataNodeNs; */
2109 /* constructors/destructor */
2110 NULL, /* xmlSecKeyDataInitializeMethod initialize; */
2111 NULL, /* xmlSecKeyDataDuplicateMethod duplicate; */
2112 NULL, /* xmlSecKeyDataFinalizeMethod finalize; */
2113 NULL, /* xmlSecKeyDataGenerateMethod generate; */
2116 NULL, /* xmlSecKeyDataGetTypeMethod getType; */
2117 NULL, /* xmlSecKeyDataGetSizeMethod getSize; */
2118 NULL, /* xmlSecKeyDataGetIdentifier getIdentifier; */
2121 NULL, /* xmlSecKeyDataXmlReadMethod xmlRead; */
2122 NULL, /* xmlSecKeyDataXmlWriteMethod xmlWrite; */
2123 xmlSecNssKeyDataRawX509CertBinRead, /* xmlSecKeyDataBinReadMethod binRead; */
2124 NULL, /* xmlSecKeyDataBinWriteMethod binWrite; */
2127 NULL, /* xmlSecKeyDataDebugDumpMethod debugDump; */
2128 NULL, /* xmlSecKeyDataDebugDumpMethod debugXmlDump; */
2130 /* reserved for the future */
2131 NULL, /* void* reserved0; */
2132 NULL, /* void* reserved1; */
2136 * xmlSecNssKeyDataRawX509CertGetKlass:
2138 * The raw X509 certificates key data klass.
2140 * Returns: raw X509 certificates key data klass.
2143 xmlSecNssKeyDataRawX509CertGetKlass(void) {
2144 return(&xmlSecNssKeyDataRawX509CertKlass);
2148 xmlSecNssKeyDataRawX509CertBinRead(xmlSecKeyDataId id, xmlSecKeyPtr key,
2149 const xmlSecByte* buf, xmlSecSize bufSize,
2150 xmlSecKeyInfoCtxPtr keyInfoCtx) {
2151 xmlSecKeyDataPtr data;
2152 CERTCertificate* cert;
2155 xmlSecAssert2(id == xmlSecNssKeyDataRawX509CertId, -1);
2156 xmlSecAssert2(key != NULL, -1);
2157 xmlSecAssert2(buf != NULL, -1);
2158 xmlSecAssert2(bufSize > 0, -1);
2159 xmlSecAssert2(keyInfoCtx != NULL, -1);
2161 cert = xmlSecNssX509CertDerRead(buf, bufSize);
2163 xmlSecError(XMLSEC_ERRORS_HERE,
2165 "xmlSecNssX509CertDerRead",
2166 XMLSEC_ERRORS_R_XMLSEC_FAILED,
2167 XMLSEC_ERRORS_NO_MESSAGE);
2171 data = xmlSecKeyEnsureData(key, xmlSecNssKeyDataX509Id);
2173 xmlSecError(XMLSEC_ERRORS_HERE,
2174 xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
2175 "xmlSecKeyEnsureData",
2176 XMLSEC_ERRORS_R_XMLSEC_FAILED,
2177 XMLSEC_ERRORS_NO_MESSAGE);
2178 CERT_DestroyCertificate(cert);
2182 ret = xmlSecNssKeyDataX509AdoptCert(data, cert);
2184 xmlSecError(XMLSEC_ERRORS_HERE,
2185 xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
2186 "xmlSecNssKeyDataX509AdoptCert",
2187 XMLSEC_ERRORS_R_XMLSEC_FAILED,
2188 XMLSEC_ERRORS_NO_MESSAGE);
2189 CERT_DestroyCertificate(cert);
2193 ret = xmlSecNssKeyDataX509VerifyAndExtractKey(data, key, keyInfoCtx);
2195 xmlSecError(XMLSEC_ERRORS_HERE,
2196 xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
2197 "xmlSecNssKeyDataX509VerifyAndExtractKey",
2198 XMLSEC_ERRORS_R_XMLSEC_FAILED,
2199 XMLSEC_ERRORS_NO_MESSAGE);
2205 #endif /* XMLSEC_NO_X509 */