Author: jmagne
Update of /cvs/dirsec/esc/src/lib/coolkey
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv687
Modified Files:
CoolKey.cpp CoolKey.h NSSManager.cpp NSSManager.h
Log Message:
Latest bug fixes.
Index: CoolKey.cpp
===================================================================
RCS file: /cvs/dirsec/esc/src/lib/coolkey/CoolKey.cpp,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- CoolKey.cpp 24 Feb 2007 02:14:07 -0000 1.5
+++ CoolKey.cpp 7 May 2007 23:51:46 -0000 1.6
@@ -844,6 +844,16 @@
return NSSManager::GetKeyIssuedTo(aKey,aBuf,aBufLength);
}
+HRESULT
+CoolKeyGetIssuer(const CoolKey *aKey, char *aBuf, int aBufLength)
+{
+ if (!aKey || !aKey->mKeyID || !aBuf || aBufLength < 1)
+ return E_FAIL;
+
+ return NSSManager::GetKeyIssuer(aKey,aBuf,aBufLength);
+}
+
+
HRESULT CoolKeyGetATR(const CoolKey *aKey, char *aBuf, int aBufLen)
{
char tBuff[56];
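Review bot: CoolKeyGetIssuer has no comment saying what ends up in aBuf, and the name alone suggests the certificate's issuer, whereas NSSManager::GetKeyIssuer later in this commit copies `CERT_GetOrgName(&cert->subject)`; a header comment such as `// Copies the organization name from the subject of the key's first non-CA certificate into aBuf; aBuf stays empty when no such certificate is found or the name does not fit in aBufLength.` would pin the contract for callers. The argument guard mirrors CoolKeyGetIssuedTo just above, which keeps the two wrappers consistent. Whether aBuf is cleared before the lookup is decided in NSSManager::GetKeyIssuer, outside this file.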
Index: CoolKey.h
===================================================================
RCS file: /cvs/dirsec/esc/src/lib/coolkey/CoolKey.h,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- CoolKey.h 24 Feb 2007 02:15:00 -0000 1.4
+++ CoolKey.h 7 May 2007 23:51:46 -0000 1.5
@@ -134,6 +134,7 @@
COOLKEY_API HRESULT CoolKeyGetCertInfo(const CoolKey *aKey, char *aCertNickname,
std::string & aCertInfo);
COOLKEY_API HRESULT CoolKeyGetIssuedTo(const CoolKey *aKey, char *aBuf, int aBufLength);
+COOLKEY_API HRESULT CoolKeyGetIssuer(const CoolKey *aKey, char *aBuf, int aBufLength);
COOLKEY_API bool CoolKeyRequiresAuthentication(const CoolKey *aKey);
COOLKEY_API bool CoolKeyIsAuthenticated(const CoolKey *aKey);
Index: NSSManager.cpp
===================================================================
RCS file: /cvs/dirsec/esc/src/lib/coolkey/NSSManager.cpp,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- NSSManager.cpp 24 Feb 2007 02:20:22 -0000 1.3
+++ NSSManager.cpp 7 May 2007 23:51:46 -0000 1.4
@@ -51,6 +51,9 @@
char tBuff[56];
PR_LOG( coolKeyLogNSS, PR_LOG_DEBUG, ("%s
NSSManager::NSSManager:\n",GetTStamp(tBuff,56)));
mpSCMonitoringThread = NULL;
+#ifdef LINUX
+ systemCertDB = NULL;
+#endif
}
NSSManager::~NSSManager()
@@ -61,6 +64,7 @@
delete mpSCMonitoringThread;
mpSCMonitoringThread = NULL;
}
+
}
HRESULT NSSManager::InitNSS(const char *aAppDir)
@@ -110,6 +114,21 @@
return E_FAIL;
}
+#ifdef LINUX
+
+ // Load our Linux only database
+
+
+ const char *modspec = "configdir='/etc/pki/nssdb'
tokenDescripton='SystemDB' flags='readOnly'";
+ PK11SlotInfo *systemCertDB = SECMOD_OpenUserDB(modspec);
+
+ if(!systemCertDB)
+ {
+ PR_LOG( coolKeyLogNSS, PR_LOG_ALWAYS, ("%s NSSManager::InitNSS problem
loading Linux System Cert Database!\n",GetTStamp(tBuff,56)));
+ }
+
+#endif
+
mpSCMonitoringThread = new SmartCardMonitoringThread(userModule);
if (!mpSCMonitoringThread) {
SECMOD_UnloadUserModule(userModule);
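Review bot: `PK11SlotInfo *systemCertDB = SECMOD_OpenUserDB(modspec);` declares a new local that shadows the `systemCertDB` member added to NSSManager.h in this commit, so the member stays NULL, the `if(systemCertDB)` cleanup in the hunk at -132,+151 never runs, and the slot returned here is never closed or freed; the line should assign to the member, `systemCertDB = SECMOD_OpenUserDB(modspec);`. The module spec also spells the key as `tokenDescripton`; if NSS silently ignores unknown keys this only loses the token description, but it is worth correcting to `tokenDescription` while the line is being touched. Opening the system store with `flags='readOnly'` is the right choice for a client that only needs to read certificates. The PR_LOG uses tBuff, which presumably is declared earlier in InitNSS; the function starts outside this hunk.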
@@ -132,6 +151,17 @@
// Logout all tokens.
PK11_LogoutAll();
+
+#ifdef LINUX
+ if(systemCertDB)
+ {
+ SECMOD_CloseUserDB(systemCertDB);
+
+ PK11_FreeSlot(systemCertDB);
+ systemCertDB = NULL;
+ }
+
+#endif
}
bool
@@ -326,7 +356,7 @@
return S_OK;
}
-HRESULT NSSManager::GetKeyIssuedTo(const CoolKey *aKey, char *aBuf, int aBufLength)
+HRESULT NSSManager::GetKeyIssuer(const CoolKey *aKey, char *aBuf, int aBufLength)
{
char tBuff[56];
if(!aBuf)
@@ -337,17 +367,89 @@
PR_LOG( coolKeyLogNSS, PR_LOG_DEBUG, ("%s NSSManager::GetKeyIssuedTo
\n",GetTStamp(tBuff,56)));
if(!aKey )
- {
return E_FAIL;
- }
PK11SlotInfo *slot = GetSlotForKeyID(aKey);
if (!slot)
+ return E_FAIL;
+
+ CERTCertList *certs = PK11_ListCerts(PK11CertListAll,NULL);
+
+ if (!certs)
{
+ PR_LOG( coolKeyLogNSS, PR_LOG_DEBUG, ("%sNSSManager::GetKeyIssuer no certs
found! \n",GetTStamp(tBuff,56)));
+ PK11_FreeSlot(slot);
return E_FAIL;
}
+ CERTCertListNode *node= NULL;
+
+ char *orgID = NULL;
+
+ for( node = CERT_LIST_HEAD(certs);
+ ! CERT_LIST_END(node, certs);
+ node = CERT_LIST_NEXT(node))
+ {
+ if(node->cert)
+ {
+ CERTCertificate *cert = node->cert;
+
+ if(cert)
+ {
+ if(cert->slot == slot)
+ {
+ if(IsCACert(cert))
+ {
+ continue;
+ }
+ orgID = CERT_GetOrgName(&cert->subject);
+ PR_LOG( coolKeyLogNSS, PR_LOG_DEBUG, ("%s
NSSManager::GetKeyIssuedTo ourSlot %p curSlot %p org %s
\n",GetTStamp(tBuff,56),slot,cert->slot,orgID));
+
+ }
+
+ if(orgID)
+ break;
+ }
+ }
+
+ }
+
+ if(orgID && ((int)strlen(orgID) < aBufLength))
+ {
+ strcpy(aBuf,orgID);
+ }
+
+ if(certs)
+ CERT_DestroyCertList(certs);
+
+ if(slot)
+ PK11_FreeSlot(slot);
+
+ if(orgID)
+ PORT_Free(orgID);
+
+ return S_OK;
+}
+
+HRESULT NSSManager::GetKeyIssuedTo(const CoolKey *aKey, char *aBuf, int aBufLength)
+{
+ char tBuff[56];
+ if(!aBuf)
+ return E_FAIL;
+
+ aBuf[0]=0;
+
+ PR_LOG( coolKeyLogNSS, PR_LOG_DEBUG, ("%s NSSManager::GetKeyIssuedTo
\n",GetTStamp(tBuff,56)));
+
+ if(!aKey )
+ return E_FAIL;
+
+ PK11SlotInfo *slot = GetSlotForKeyID(aKey);
+
+ if (!slot)
+ return E_FAIL;
+
CERTCertList *certs = PK11_ListCerts(PK11CertListAll,NULL);
if (!certs)
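Review bot: When the organization name is longer than the buffer, `if(orgID && ((int)strlen(orgID) < aBufLength))` skips the strcpy but the function still returns S_OK, so a caller cannot tell an answer that was dropped for size from a token with no matching certificate; carry the status in a local so the cleanup below still runs and report the oversize case. The value copied is `CERT_GetOrgName(&cert->subject)`, not anything from `cert->issuer`, so if the subject's organization is the intended meaning of "issuer" here, a one-line comment saying so would stop a later maintainer from "fixing" it. The PR_LOG strings at the top of GetKeyIssuer and inside its loop still say `NSSManager::GetKeyIssuedTo`, which makes the two functions' traces indistinguishable, and the `if(certs)` / `if(slot)` guards before the cleanup are redundant because both pointers were already null-checked. GetKeyIssuer's signature is in the previous hunk and the new GetKeyIssuedTo continues past this one.
```cpp
    HRESULT rv = S_OK;
    if(orgID && ((int)strlen(orgID) < aBufLength))
    {
        strcpy(aBuf,orgID);
    }
    else if(orgID)
    {
        // Name does not fit: leave aBuf empty and tell the caller.
        PR_LOG( coolKeyLogNSS, PR_LOG_DEBUG, ("%s NSSManager::GetKeyIssuer org name does not fit in buffer \n",GetTStamp(tBuff,56)));
        rv = E_FAIL;
    }
    // … unchanged: CERT_DestroyCertList / PK11_FreeSlot / PORT_Free cleanup …
    return rv;
```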
@@ -373,8 +475,14 @@
{
if(cert->slot == slot)
{
+ if(IsCACert(cert))
+ {
+ continue;
+ }
+
certID = CERT_GetCommonName(&cert->subject);
- PR_LOG( coolKeyLogNSS, PR_LOG_DEBUG, ("%s
NSSManager::GetKeyIssuedTo ourSlot %p curSlot %p certID %s
\n",GetTStamp(tBuff,56),slot,cert->slot,certID));
+
+ PR_LOG( coolKeyLogNSS, PR_LOG_DEBUG, ("%s
NSSManager::GetKeyIssuedTo ourSlot %p curSlot %p certID %s
\n",GetTStamp(tBuff,56),slot,cert->slot,certID));
}
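Review bot: The PR_LOG removed at the old line and the one re-added two lines later are identical apart from the blank line inserted before it, so that part of the hunk is whitespace churn that hides the one real change, the `IsCACert(cert)` skip; keep the original log line and drop the re-add. The enclosing loop starts and ends outside this hunk.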
@@ -627,3 +735,41 @@
return isAuthenticated;
}
+
+bool
+NSSManager::IsCACert(CERTCertificate *cert)
+{
+ char tBuff[56];
+ bool isCA = false;
+
+ if(!cert)
+ return isCA;
+
+ SECItem basicItem;
+ basicItem.data = 0;
+
+ SECStatus s = CERT_FindCertExtension(cert, SEC_OID_X509_BASIC_CONSTRAINTS,
&basicItem);
+
+ if(s != SECSuccess || !basicItem.data)
+ return isCA;
+
+ CERTBasicConstraints basic_value;
+
+ s = CERT_DecodeBasicConstraintValue(&basic_value,&basicItem);
+
+ if(s != SECSuccess)
+ return isCA;
+
+ PR_LOG( coolKeyLogNSS, PR_LOG_DEBUG, ("%sNSSManager::GetKeyIssuedTo isCA %d
\n",GetTStamp(tBuff,56),basic_value.isCA));
+
+ if(basic_value.isCA)
+ {
+ PR_LOG( coolKeyLogNSS, PR_LOG_DEBUG, ("%sNSSManager::GetKeyIssuedTo found a
CA cert , skipping! \n",GetTStamp(tBuff,56)));
+ isCA = true;
+ }
+
+ PORT_Free(basicItem.data);
+ basicItem.data = NULL;
+
+ return isCA;
+}
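Review bot: The early return after CERT_DecodeBasicConstraintValue fails leaks the extension data that CERT_FindCertExtension allocated, since `PORT_Free(basicItem.data)` only runs on the success path; change it to `if(s != SECSuccess) { PORT_Free(basicItem.data); return isCA; }`. `basicItem` is also only partially initialised (`data` is set, `len` is not); `SECItem basicItem = {siBuffer, NULL, 0};` would initialise the whole struct. Both PR_LOG strings in this function name `NSSManager::GetKeyIssuedTo` rather than IsCACert, which will mislead anyone reading the trace. Note that a certificate without a basicConstraints extension is treated as non-CA here, which is fine for picking a display name but should not be relied on as a trust decision.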
Index: NSSManager.h
===================================================================
RCS file: /cvs/dirsec/esc/src/lib/coolkey/NSSManager.h,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- NSSManager.h 27 Sep 2006 17:47:46 -0000 1.2
+++ NSSManager.h 7 May 2007 23:51:46 -0000 1.3
@@ -68,11 +68,16 @@
static HRESULT GetKeyIssuedTo(const CoolKey *aKey, char *aBuf, int aBufLength);
-
+ static HRESULT GetKeyIssuer(const CoolKey *aKey, char *aBuf, int aBufLength);
private:
+ static bool IsCACert(CERTCertificate *cert);
+
+#ifdef LINUX
+ PK11SlotInfo *systemCertDB;
+#endif
SmartCardMonitoringThread *mpSCMonitoringThread;
};