|
|
|
#include "smartcardauth.h"
|
|
|
|
#include "pindialog.h"
|
|
|
|
#include <QtNetwork/private/qsslsocket_openssl_symbols_p.h>
|
|
|
|
|
|
|
|
#include "engine_sct.h"
|
|
|
|
|
|
|
|
#include <string>
|
|
|
|
|
|
|
|
#include <QtCore/QDebug>
|
|
|
|
|
|
|
|
ENGINE* SmartCardAuth::e=NULL;
|
|
|
|
enum_certs_s* SmartCardAuth::certs_found=NULL;
|
|
|
|
QWidget* SmartCardAuth::parent=0;
|
|
|
|
bool SmartCardAuth::pin_configured=false;
|
|
|
|
bool SmartCardAuth::pin_rejected=false;
|
|
|
|
|
|
|
|
void SmartCardAuth::initialize() {
|
|
|
|
//QSslSocketPrivate::ensureInitialized();
|
|
|
|
|
|
|
|
ENGINE_load_dynamic();
|
|
|
|
e = ENGINE_by_id("dynamic");
|
|
|
|
Q_ASSERT(e);
|
|
|
|
|
|
|
|
int r=ENGINE_ctrl_cmd_string(e, "SO_PATH", "../openssl-act-engine/src/.libs/libengine_act.so", 0);
|
|
|
|
Q_ASSERT(r);
|
|
|
|
r=ENGINE_ctrl_cmd_string(e, "ID", "act", 0);
|
|
|
|
Q_ASSERT(r);
|
|
|
|
r=ENGINE_ctrl_cmd_string(e, "LIST_ADD", "1", 0);
|
|
|
|
Q_ASSERT(r);
|
|
|
|
r=ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0);
|
|
|
|
Q_ASSERT(r);
|
|
|
|
|
|
|
|
if(!r)
|
|
|
|
{
|
|
|
|
unsigned int err = 0;
|
|
|
|
while((err = q_ERR_get_error()))
|
|
|
|
{
|
|
|
|
char *str = q_ERR_error_string(err, NULL);
|
|
|
|
fprintf(stderr,"%s\n", str);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
r=ENGINE_init(e);
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
void SmartCardAuth::deinitialize() {
|
|
|
|
q_ENGINE_finish(e);
|
|
|
|
q_ENGINE_cleanup();
|
|
|
|
}
|
|
|
|
|
|
|
|
void SmartCardAuth::setPinDlgParent(QWidget* p) {
|
|
|
|
parent=p;
|
|
|
|
}
|
|
|
|
|
|
|
|
int SmartCardAuth::client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
|
|
|
|
{
|
|
|
|
// NB: Keep in mind that this function is called for EVERY SSL connection to be opened.
|
|
|
|
|
|
|
|
for(size_t i=certs_found->num_certs;i--;)
|
|
|
|
{
|
|
|
|
const char *id_p = certs_found->certificate[i].id;
|
|
|
|
|
|
|
|
if(id_p == NULL) continue;
|
|
|
|
|
|
|
|
// Name has the format "slot-x-name-SwissSign_digSig" for the certificate/key we're looking for
|
|
|
|
std::string name(certs_found->certificate[i].name);
|
|
|
|
qDebug()<<"Certificate:"<<name.c_str();
|
|
|
|
std::string compare("-name-SwissSign_digSig");
|
|
|
|
|
|
|
|
// Compare the rightmost part of the retrieved name to locate the certificate/keypair
|
|
|
|
size_t pos = name.length() - compare.length();
|
|
|
|
if(name.substr(pos) != compare)
|
|
|
|
continue;
|
|
|
|
|
|
|
|
// // Filter out the correct certificate depending on well-known sorting criteria
|
|
|
|
// // Given example searches for a keyword in the certificate's subject, but since we've got
|
|
|
|
// // the decoded certificate as an X509* structure we can check all the fields.
|
|
|
|
// X509_NAME* subj_name = q_X509_get_subject_name(certs_found->certificate[i].cert);
|
|
|
|
// int maxlen = 2048;
|
|
|
|
// char buf[maxlen+1];
|
|
|
|
// buf[maxlen]=0;
|
|
|
|
// q_X509_NAME_oneline(subj_name, buf, maxlen);
|
|
|
|
// std::string subject(buf);
|
|
|
|
|
|
|
|
// const char *compare="CN=Carsten Pluntke";
|
|
|
|
// if(subject.find(compare) == std::string::npos)
|
|
|
|
// continue;
|
|
|
|
|
|
|
|
// Here we found a suitable certificate.
|
|
|
|
|
|
|
|
// Now prepare the reference to the SmartCard's private key and a copy of the certificate
|
|
|
|
// to pass back to the caller.
|
|
|
|
*x509 = q_X509_dup(certs_found->certificate[i].cert);
|
|
|
|
*pkey = NULL;
|
|
|
|
|
|
|
|
// If we don't have a PIN yet, pop up a dialog, ask for a PIN and pass it along to the engine
|
|
|
|
// for usage.
|
|
|
|
if(!pin_configured)
|
|
|
|
{
|
|
|
|
PinDialog dlg(parent);
|
|
|
|
int ok=dlg.exec();
|
|
|
|
if(ok!=1) return 0; // User cancelled
|
|
|
|
QByteArray pinByteArray=dlg.pin().toAscii();
|
|
|
|
char *pin_str = pinByteArray.data();
|
|
|
|
|
|
|
|
// The engine control command takes a copy and overwrites the source array
|
|
|
|
if(q_ENGINE_ctrl_cmd_string(e, "PIN", pin_str, 0))
|
|
|
|
pin_configured = true;
|
|
|
|
else
|
|
|
|
return 0; // Engine refuses to take the PIN
|
|
|
|
|
|
|
|
*pkey = q_ENGINE_load_private_key(e, id_p, NULL, NULL);
|
|
|
|
|
|
|
|
// We do a test authorization on loading of the private key. If the operation fails at all,
|
|
|
|
// DON'T try again (see below) or we would instantly lock the card in a single session because
|
|
|
|
// of the retries!
|
|
|
|
if(!*pkey)
|
|
|
|
pin_rejected = true;
|
|
|
|
}
|
|
|
|
|
|
|
|
// Second to nth iteration: We skipped the PIN dialog here, now load the key if we don't have the
|
|
|
|
// explicit information not to do it (because the PIN is wrong)
|
|
|
|
if(!*pkey && !pin_rejected)
|
|
|
|
*pkey = q_ENGINE_load_private_key(e, id_p, NULL, NULL);
|
|
|
|
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
if(!*x509) {
|
|
|
|
qWarning("Unable to load certificate");
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
if(!*pkey) {
|
|
|
|
qWarning("Unable to load key");
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
bool SmartCardAuth::hookInitSslContext(SSL_CTX *ctx)
|
|
|
|
{
|
|
|
|
bool result = false;
|
|
|
|
|
|
|
|
if(!certs_found)
|
|
|
|
result = (q_ENGINE_ctrl_cmd(e, "ENUM_CERTS", 0, &certs_found, NULL, 0) != 0);
|
|
|
|
else
|
|
|
|
result = true;
|
|
|
|
|
|
|
|
#ifdef USE_CERTIFICATE_FILE
|
|
|
|
// Load a specific intermediate certificate from a file
|
|
|
|
//! @todo PEM-File
|
|
|
|
BIO* cert_file= q_BIO_new_file("swsign_interm.pem", "r");
|
|
|
|
X509* interm=q_PEM_read_bio_X509(cert_file,NULL,NULL, NULL);
|
|
|
|
q_BIO_free(cert_file);
|
|
|
|
|
|
|
|
q_SSL_CTX_add_extra_chain_cert(ctx,interm);
|
|
|
|
#else
|
|
|
|
// Add all of the card's certificates without a private key as intermediate certs
|
|
|
|
for(size_t i=certs_found->num_certs;i--;)
|
|
|
|
{
|
|
|
|
if(certs_found->certificate[i].id == NULL)
|
|
|
|
q_SSL_CTX_add_extra_chain_cert(ctx, q_X509_dup(certs_found->certificate[i].cert));
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
|
|
|
q_SSL_CTX_set_client_cert_cb(ctx,client_cert_cb);
|
|
|
|
return true;
|
|
|
|
}
|