示例#1
0
bool CVerifyCertDialog::IsTrusted(CCertificateNotification const& notification)
{
	LoadTrustedCerts();

	unsigned int len;
	CCertificate cert =  notification.GetCertificates()[0];
	const unsigned char* data = cert.GetRawData(len);

	return IsTrusted(notification.GetHost(), notification.GetPort(), data, len, false);
}
示例#2
0
void CVerifyCertDialog::SetPermanentlyTrusted(CCertificateNotification const& notification)
{
	const CCertificate certificate = notification.GetCertificates()[0];
	unsigned int len;
	const unsigned char* const data = certificate.GetRawData(len);

	CReentrantInterProcessMutexLocker mutex(MUTEX_TRUSTEDCERTS);
	LoadTrustedCerts();

	if (IsTrusted(notification.GetHost(), notification.GetPort(), data, len, true))	{
		return;
	}

	t_certData cert;
	cert.host = notification.GetHost();
	cert.port = notification.GetPort();
	cert.len = len;
	cert.data = new unsigned char[len];
	memcpy(cert.data, data, len);
	m_trustedCerts.push_back(cert);

	if (COptions::Get()->GetOptionVal(OPTION_DEFAULT_KIOSKMODE) == 2) {
		return;
	}

	TiXmlElement* pElement = m_xmlFile.GetElement();
	if (!pElement) {
		return;
	}

	TiXmlElement* pCerts = pElement->FirstChildElement("TrustedCerts");
	if (!pCerts)
		pCerts = pElement->LinkEndChild(new TiXmlElement("TrustedCerts"))->ToElement();

	TiXmlElement* pCert = pCerts->LinkEndChild(new TiXmlElement("Certificate"))->ToElement();

	AddTextElement(pCert, "Data", ConvertHexToString(data, len));

	wxLongLong time = certificate.GetActivationTime().GetTicks();
	AddTextElement(pCert, "ActivationTime", time.ToString());

	time = certificate.GetExpirationTime().GetTicks();
	AddTextElement(pCert, "ExpirationTime", time.ToString());

	AddTextElement(pCert, "Host", notification.GetHost());
	AddTextElement(pCert, "Port", notification.GetPort());

	m_xmlFile.Save(true);
}
// -----------------------------------------------------------------------------
// CWimCertHandler::ParseCertPublicKeyL
// Parse public key from certificate.
// -----------------------------------------------------------------------------
//
void CWimCertHandler::ParseCertPublicKeyL(
    const TDesC8& aCertData,
    TDes8& aPublicKey,
    const TUint8 aCertType ) const
    {
    _WIMTRACE2(_L("WIM | WIMServer | CWimPublicKeyHandler::ParseCertPublicKeyL | Begin, type %d"), aCertType);
    CCertificate* certificate = NULL;
    CRSAPublicKey* publicKey = NULL;

    switch ( aCertType )
        {
        case WIMI_CT_WTLS:
            {
            certificate = CWTLSCertificate::NewLC( aCertData );
            publicKey = CWTLSRSAPublicKey::NewLC( certificate->PublicKey().KeyData() );
            break;
            }

        case WIMI_CT_X509:
            {
            certificate = CX509Certificate::NewLC( aCertData );
            publicKey = CX509RSAPublicKey::NewLC( certificate->PublicKey().KeyData() );
            break;
            }
        default:
            {
            _WIMTRACE2(_L("WIM|WIMServer|CWimCertHandler::ParseCertPublicKeyL, type %d not supported"), aCertType);
            User::Leave( KErrNotSupported );
            break;
            }
        }

    TX509RSAKeyEncoder encoder( *publicKey, ESHA1 );
    CASN1EncBase* encoded = encoder.EncodeKeyLC();

    TUint pos = 0;
    aPublicKey.SetLength( KPublicKeyLength );
    // Check that Max. length is not exceeded
    if ( encoded->LengthDER() > static_cast< TUint >( KPublicKeyLength ) )
        {
        _WIMTRACE(_L("WIM|WIMServer|CWimCertHandler::ParseCertPublicKeyL, too long public key"));
        User::Leave( KErrBadDescriptor );
        }
    // Write encoded key to prealloced buffer
    encoded->WriteDERL( aPublicKey, pos );

    CleanupStack::PopAndDestroy( 3, certificate );  // encoded, publicKey, certificate
    _WIMTRACE(_L("WIM | WIMServer | CWimPublicKeyHandler::ParseCertPublicKeyL | End"));
    }
bool CVerifyCertDialog::IsTrusted(CCertificateNotification const& notification)
{
	if (notification.GetAlgorithmWarnings() != 0) {
		// These certs are never trusted.
		return false;
	}

	LoadTrustedCerts();

	unsigned int len;
	CCertificate cert =  notification.GetCertificates()[0];
	const unsigned char* data = cert.GetRawData(len);

	return IsTrusted(notification.GetHost(), notification.GetPort(), data, len, false);
}
void CVerifyCertDialog::SetPermanentlyTrusted(CCertificateNotification const& notification)
{
	const CCertificate certificate = notification.GetCertificates()[0];
	unsigned int len;
	const unsigned char* const data = certificate.GetRawData(len);

	CReentrantInterProcessMutexLocker mutex(MUTEX_TRUSTEDCERTS);
	LoadTrustedCerts();

	if (IsTrusted(notification.GetHost(), notification.GetPort(), data, len, true))	{
		return;
	}

	t_certData cert;
	cert.host = notification.GetHost();
	cert.port = notification.GetPort();
	cert.len = len;
	cert.data = new unsigned char[len];
	memcpy(cert.data, data, len);
	m_trustedCerts.push_back(cert);

	if (COptions::Get()->GetOptionVal(OPTION_DEFAULT_KIOSKMODE) == 2) {
		return;
	}

	auto element = m_xmlFile.GetElement();
	if (!element) {
		return;
	}

	auto certs = element.child("TrustedCerts");
	if (!certs)
		certs = element.append_child("TrustedCerts");

	auto xCert = certs.append_child("Certificate");
	AddTextElement(xCert, "Data", ConvertHexToString(data, len));
	AddTextElement(xCert, "ActivationTime", static_cast<int64_t>(certificate.GetActivationTime().get_time_t()));
	AddTextElement(xCert, "ExpirationTime", static_cast<int64_t>(certificate.GetExpirationTime().get_time_t()));
	AddTextElement(xCert, "Host", notification.GetHost());
	AddTextElement(xCert, "Port", notification.GetPort());

	m_xmlFile.Save(true);
}
void UIWizardImportAppPageBasic2::initializePage()
{
    /* Acquire appliance and certificate: */
    CAppliance *pAppliance = m_pApplianceWidget->appliance();
    CCertificate certificate = pAppliance->GetCertificate();
    if (certificate.isNull())
        m_enmCertText = kCertText_Unsigned;
    else
    {
        /* Pick a 'signed-by' name. */
        m_strSignedBy = certificate.GetFriendlyName();

        /* If trusted, just select the right message: */
        if (certificate.GetTrusted())
        {
            if (certificate.GetSelfSigned())
                m_enmCertText = !certificate.GetExpired() ? kCertText_SelfSignedTrusted : kCertText_SelfSignedExpired;
            else
                m_enmCertText = !certificate.GetExpired() ? kCertText_IssuedTrusted     : kCertText_IssuedExpired;
        }
        else
        {
            /* Not trusted!  Must ask the user whether to continue in this case: */
            m_enmCertText = certificate.GetSelfSigned() ? kCertText_SelfSignedUnverified : kCertText_IssuedUnverified;

            /* Translate page early: */
            retranslateUi();

            /* Instantiate the dialog: */
            QPointer<UIApplianceUnverifiedCertificateViewer> pDialog = new UIApplianceUnverifiedCertificateViewer(this, certificate);
            AssertPtrReturnVoid(pDialog.data());

            /* Show viewer in modal mode: */
            const int iResultCode = pDialog->exec();

            /* Leave if viewer destroyed prematurely: */
            if (!pDialog)
                return;
            /* Delete viewer finally: */
            delete pDialog;
            pDialog = 0;

            /* Dismiss the entire import-appliance wizard if user rejects certificate: */
            if (iResultCode == QDialog::Rejected)
                wizard()->reject();
        }
    }

    /* Translate page: */
    retranslateUi();
}
HRESULT CLocalCertStoreImp::AddCertificate(CCertificate &certificate)
{
    HRESULT hr = S_OK;
    DWORD nCertEncodedSize = 0;

    // cert store must be opened first...
    if (m_hCertStoreHandle == NULL)
    {
        return E_UNEXPECTED;
    }

    if (CertAddEncodedCertificateToStore(
        m_hCertStoreHandle, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
        certificate.get_EncodedData(nCertEncodedSize), nCertEncodedSize,
        CERT_STORE_ADD_NEW, NULL) == FALSE)
    {
        hr = HRESULT_FROM_WIN32(GetLastError());
    }
    
    return hr;
}
示例#8
0
bool CVerifyCertDialog::DisplayCert(wxDialogEx* pDlg, const CCertificate& cert)
{
	bool warning = false;
	if (cert.GetActivationTime().IsValid()) {
		if (cert.GetActivationTime() > wxDateTime::Now()) {
			pDlg->SetChildLabel(XRCID("ID_ACTIVATION_TIME"), wxString::Format(_("%s - Not yet valid!"), cert.GetActivationTime().FormatDate()));
			warning = true;
		}
		else
			pDlg->SetChildLabel(XRCID("ID_ACTIVATION_TIME"), cert.GetActivationTime().FormatDate());
	}
	else {
		warning = true;
		pDlg->SetChildLabel(XRCID("ID_ACTIVATION_TIME"), _("Invalid date"));
	}

	if (cert.GetExpirationTime().IsValid()) {
		if (cert.GetExpirationTime() < wxDateTime::Now()) {
			pDlg->SetChildLabel(XRCID("ID_EXPIRATION_TIME"), wxString::Format(_("%s - Certificate expired!"), cert.GetExpirationTime().FormatDate()));
			warning = true;
		}
		else
			pDlg->SetChildLabel(XRCID("ID_EXPIRATION_TIME"), cert.GetExpirationTime().FormatDate());
	}
	else {
		warning = true;
		pDlg->SetChildLabel(XRCID("ID_EXPIRATION_TIME"), _("Invalid date"));
	}

	if (!cert.GetSerial().empty())
		pDlg->SetChildLabel(XRCID("ID_SERIAL"), cert.GetSerial());
	else
		pDlg->SetChildLabel(XRCID("ID_SERIAL"), _("None"));

	pDlg->SetChildLabel(XRCID("ID_PKALGO"), wxString::Format(_("%s with %d bits"), cert.GetPkAlgoName(), cert.GetPkAlgoBits()));
	pDlg->SetChildLabel(XRCID("ID_SIGNALGO"), cert.GetSignatureAlgorithm());

	wxString const& sha256 = cert.GetFingerPrintSHA256();
	pDlg->SetChildLabel(XRCID("ID_FINGERPRINT_SHA256"), sha256.Left(sha256.size() / 2 + 1) + _T("\n") + sha256.Mid(sha256.size() / 2 + 1));
	pDlg->SetChildLabel(XRCID("ID_FINGERPRINT_SHA1"), cert.GetFingerPrintSHA1());

	ParseDN(XRCCTRL(*pDlg, "ID_ISSUER_BOX", wxStaticBox), cert.GetIssuer(), m_pIssuerSizer);

	auto subjectBox = XRCCTRL(*pDlg, "ID_SUBJECT_BOX", wxStaticBox);
	ParseDN(subjectBox, cert.GetSubject(), m_pSubjectSizer);

	auto const& altNames = cert.GetAltSubjectNames();
	if (!altNames.empty()) {
		wxString str;
		for (auto const& altName : altNames) {
			str += altName + _T("\n");
		}
		str.RemoveLast();
		m_pSubjectSizer->Add(new wxStaticText(subjectBox, wxID_ANY, wxPLURAL("Alternative name:", "Alternative names:", altNames.size())));
		m_pSubjectSizer->Add(new wxStaticText(subjectBox, wxID_ANY, str));
	}

	return warning;
}
bool CVerifyCertDialog::DisplayCert(wxDialogEx* pDlg, const CCertificate& cert)
{
	bool warning = false;
	if (cert.GetActivationTime().empty()) {
		if (cert.GetActivationTime() > fz::datetime::now()) {
			pDlg->SetChildLabel(XRCID("ID_ACTIVATION_TIME"), wxString::Format(_("%s - Not yet valid!"), CTimeFormat::Format(cert.GetActivationTime())));
			xrc_call(*pDlg, "ID_ACTIVATION_TIME", &wxWindow::SetForegroundColour, wxColour(255, 0, 0));
			warning = true;
		}
		else
			pDlg->SetChildLabel(XRCID("ID_ACTIVATION_TIME"), CTimeFormat::Format(cert.GetActivationTime()));
	}
	else {
		warning = true;
		pDlg->SetChildLabel(XRCID("ID_ACTIVATION_TIME"), _("Invalid date"));
	}

	if (cert.GetExpirationTime().empty()) {
		if (cert.GetExpirationTime() < fz::datetime::now()) {
			pDlg->SetChildLabel(XRCID("ID_EXPIRATION_TIME"), wxString::Format(_("%s - Certificate expired!"), CTimeFormat::Format(cert.GetExpirationTime())));
			xrc_call(*pDlg, "ID_EXPIRATION_TIME", &wxWindow::SetForegroundColour, wxColour(255, 0, 0));
			warning = true;
		}
		else
			pDlg->SetChildLabel(XRCID("ID_EXPIRATION_TIME"), CTimeFormat::Format(cert.GetExpirationTime()));
	}
	else {
		warning = true;
		pDlg->SetChildLabel(XRCID("ID_EXPIRATION_TIME"), _("Invalid date"));
	}

	if (!cert.GetSerial().empty())
		pDlg->SetChildLabel(XRCID("ID_SERIAL"), cert.GetSerial());
	else
		pDlg->SetChildLabel(XRCID("ID_SERIAL"), _("None"));

	pDlg->SetChildLabel(XRCID("ID_PKALGO"), wxString::Format(_("%s with %d bits"), cert.GetPkAlgoName(), cert.GetPkAlgoBits()));
	pDlg->SetChildLabel(XRCID("ID_SIGNALGO"), cert.GetSignatureAlgorithm());

	wxString const& sha256 = cert.GetFingerPrintSHA256();
	pDlg->SetChildLabel(XRCID("ID_FINGERPRINT_SHA256"), sha256.Left(sha256.size() / 2 + 1) + _T("\n") + sha256.Mid(sha256.size() / 2 + 1));
	pDlg->SetChildLabel(XRCID("ID_FINGERPRINT_SHA1"), cert.GetFingerPrintSHA1());

	ParseDN(XRCCTRL(*pDlg, "ID_ISSUER_BOX", wxStaticBox), cert.GetIssuer(), m_pIssuerSizer);

	auto subjectPanel = XRCCTRL(*pDlg, "ID_SUBJECT_PANEL", wxScrolledWindow);
	subjectPanel->Freeze();

	ParseDN(subjectPanel, cert.GetSubject(), m_pSubjectSizer);

	auto const& altNames = cert.GetAltSubjectNames();
	if (!altNames.empty()) {
		wxString str;
		for (auto const& altName : altNames) {
			str += altName + _T("\n");
		}
		str.RemoveLast();
		m_pSubjectSizer->Add(new wxStaticText(subjectPanel, wxID_ANY, wxPLURAL("Alternative name:", "Alternative names:", altNames.size())));
		m_pSubjectSizer->Add(new wxStaticText(subjectPanel, wxID_ANY, str));
	}
	m_pSubjectSizer->Fit(subjectPanel);

	wxSize min = m_pSubjectSizer->CalcMin();
	int const maxHeight = (line_height_ + m_pDlg->ConvertDialogToPixels(wxPoint(0, 1)).y) * 15;
	if (min.y >= maxHeight) {
		min.y = maxHeight;
		min.x += wxSystemSettings::GetMetric(wxSYS_VSCROLL_X);
	}

	// Add extra safety margin to prevent squishing on OS X.
	min.x += 2;

	subjectPanel->SetMinSize(min);
	subjectPanel->Thaw();

	return warning;
}
void CCheckedCertStore::ComputeAndCheckSubjectKeyIdL()
    {
	switch (iFormat)
        {
		case EX509Certificate:
            {
			TPtr8 thePtr(iCertificate->Des());
			CX509Certificate* cert = CX509Certificate::NewLC(thePtr);

			TKeyUsageX509 x509Usage = EX509UsageNone;
			const CX509CertExtension* ext = cert->Extension(KKeyUsage);

			if (!ext)
                {
				x509Usage = EX509UsageAll;
                }
			else
                {
				CX509KeyUsageExt* keyUsageExt = CX509KeyUsageExt::NewLC(ext->Data());
				
				if (keyUsageExt->IsSet(EX509DigitalSignature))
					{
					x509Usage |= EX509UsageDigitalSignature;
					}
				if (keyUsageExt->IsSet(EX509NonRepudiation))
					{
					x509Usage |= EX509UsageNonRepudiation;
					}
				if (keyUsageExt->IsSet(EX509KeyEncipherment))
					{
					x509Usage |= EX509UsageKeyEncipherment;
					}
				if (keyUsageExt->IsSet(EX509DataEncipherment))
					{
					x509Usage |= EX509UsageDataEncipherment;
					}
				if (keyUsageExt->IsSet(EX509KeyAgreement))
					{
					x509Usage |= EX509UsageKeyAgreement;
					}
				if (keyUsageExt->IsSet(EX509KeyCertSign))
					{
					x509Usage |= EX509UsageKeyCertSign;
					}
				if (keyUsageExt->IsSet(EX509CRLSign))
					{
					x509Usage |= EX509UsageCRLSign;
					}
				if (keyUsageExt->IsSet(EX509EncipherOnly))
					{
					x509Usage |= EX509UsageEncipherOnly;
					}
				if (keyUsageExt->IsSet(EX509DecipherOnly))
					{
					x509Usage |= EX509UsageDecipherOnly;
					}

				CleanupStack::PopAndDestroy(keyUsageExt);
                }

			iKeyFilter.iUsage = KeyUsageX509ToPKCS15Private(x509Usage);
			
			iComputedSubjectKeyId.Zero();
			// For non-user ceriticates (i.e. CA certificates), we use the SubjectKeyIdentifier API, as it
			// tries to get the extension from cert., and calculates a value only if it is not found. This behaviour corresponds to the RFC.
			// For user ceritificates, the key identifier is used for matching key store with cert store, so we cannot use the value in the certificate itself.
			if (iCertificateOwnerType != EUserCertificate)
				{
				iComputedSubjectKeyId = cert->SubjectKeyIdentifierL();
				}
			else
				{
				// For non-CA certs, use the recommended method of computing it from RFC3280, section 4.2.1.2
				iComputedSubjectKeyId = cert->KeyIdentifierL();									
				}
			if (!iSubjectKeyId || *iSubjectKeyId == KNullDesC8)
                {
				iSubjectKeyId = &iComputedSubjectKeyId;
                }
			else if (iSubjectKeyId->Compare(iComputedSubjectKeyId)!=0)
                {//	Different subject ids
				User::Leave(KErrArgument);
                }
			
			CleanupStack::PopAndDestroy(cert);
            }	
            break;
	
        case EWTLSCertificate:
            {
            CCertificate* cert = CWTLSCertificate::NewLC(*iCertificate);
            iComputedSubjectKeyId = cert->KeyIdentifierL();
            if (!iSubjectKeyId || *iSubjectKeyId == KNullDesC8)
                {
                iSubjectKeyId = &iComputedSubjectKeyId;
                }
            else if (iSubjectKeyId->Compare(iComputedSubjectKeyId)!=0)
                {//	Different subject ids
                User::Leave(KErrArgument);
                }
	
            CleanupStack::PopAndDestroy(cert);
            }
            break;

        case EX509CertificateUrl:
            {
            iKeyFilter.iUsage = EPKCS15UsageAll;
		
            if (!iSubjectKeyId || *iSubjectKeyId == KNullDesC8)
                {
                User::Leave(KErrArgument);
                }
            }
            break;

        default:
            User::Leave(KErrNotSupported);	
            break;
        }

	iKeyFilter.iKeyId = *iSubjectKeyId;
    }
void UIWizardImportAppPageBasic2::initializePage()
{
    /* Update widget visibility: */
    updatePageAppearance();

    /* Check whether there was cloud source selected: */
    const bool fIsSourceCloudOne = field("isSourceCloudOne").toBool();

    if (fIsSourceCloudOne)
        populateFormPropertiesTable();
    else
    {
        /* Acquire appliance: */
        CAppliance *pAppliance = m_pApplianceWidget->appliance();

        /* Check if pAppliance is alive. If not just return here.
         * This prevents crashes when an invalid ova file is supllied: */
        if (!pAppliance)
        {
            if (wizard())
                wizard()->reject();
            return;
        }

        /* Acquire certificate: */
        CCertificate comCertificate = pAppliance->GetCertificate();
        if (comCertificate.isNull())
            m_enmCertText = kCertText_Unsigned;
        else
        {
            /* Pick a 'signed-by' name: */
            m_strSignedBy = comCertificate.GetFriendlyName();

            /* If trusted, just select the right message: */
            if (comCertificate.GetTrusted())
            {
                if (comCertificate.GetSelfSigned())
                    m_enmCertText = !comCertificate.GetExpired() ? kCertText_SelfSignedTrusted : kCertText_SelfSignedExpired;
                else
                    m_enmCertText = !comCertificate.GetExpired() ? kCertText_IssuedTrusted     : kCertText_IssuedExpired;
            }
            else
            {
                /* Not trusted!  Must ask the user whether to continue in this case: */
                m_enmCertText = comCertificate.GetSelfSigned() ? kCertText_SelfSignedUnverified : kCertText_IssuedUnverified;

                /* Translate page early: */
                retranslateUi();

                /* Instantiate the dialog: */
                QPointer<UIApplianceUnverifiedCertificateViewer> pDialog = new UIApplianceUnverifiedCertificateViewer(this, comCertificate);
                AssertPtrReturnVoid(pDialog.data());

                /* Show viewer in modal mode: */
                const int iResultCode = pDialog->exec();

                /* Leave if viewer destroyed prematurely: */
                if (!pDialog)
                    return;
                /* Delete viewer finally: */
                delete pDialog;

                /* Dismiss the entire import-appliance wizard if user rejects certificate: */
                if (iResultCode == QDialog::Rejected)
                    wizard()->reject();
            }
        }
    }

    /* Translate page: */
    retranslateUi();
}