search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
* new version 2.19.9993
[alpine.git] / pith / smkeys.c
blob9f6570c3d16ca97ca24eae49e3506881a9129270
1 #if !defined(lint) && !defined(DOS)
2 static char rcsid[] = "$Id: smkeys.c 1266 2009-07-14 18:39:12Z hubert@u.washington.edu $";
3 #endif
4
5 /*
6 * ========================================================================
7 * Copyright 2013-2014 Eduardo Chappa
8 * Copyright 2008 University of Washington
9 *
10 * Licensed under the Apache License, Version 2.0 (the "License");
11 * you may not use this file except in compliance with the License.
12 * You may obtain a copy of the License at
13 *
14 * http://www.apache.org/licenses/LICENSE-2.0
15 *
16 * ========================================================================
17 */
18
19 /*
20 * This is based on a contribution from Jonathan Paisley, see smime.c
21 */
22
23
24 #include "../pith/headers.h"
25
26 #ifdef SMIME
27
28 #include "../pith/status.h"
29 #include "../pith/conf.h"
30 #include "../pith/remote.h"
31 #include "../pith/tempfile.h"
32 #include "../pith/busy.h"
33 #include "../pith/osdep/lstcmpnt.h"
34 #include "../pith/util.h"
35 #include "../pith/mailindx.h"
36 #include "../pith/readfile.h"
37 #include "smkeys.h"
38
39 #ifdef APPLEKEYCHAIN
40 #include <Security/SecKeychain.h>
41 #include <Security/SecKeychainItem.h>
42 #include <Security/SecKeychainSearch.h>
43 #include <Security/SecCertificate.h>
44 #endif /* APPLEKEYCHAIN */
45
46
47 /* internal prototypes */
48 static char *emailstrclean(char *string);
49 static int mem_add_extra_cacerts(char *contents, X509_LOOKUP *lookup);
50 int compare_certs_by_name(const void *data1, const void *data2);
51
52 #define SMIME_BACKUP_DIR ".backup"
53 #define MAX_TRY_BACKUP 100
54
55 /* return value: 0 - success, -1 error
56 * Call this function after setting up paths in ps_global->smime
57 * and reading certificates names in certlist.
58 */
59 int
60 setup_certs_backup_by_type(WhichCerts ctype)
61 {
62 int rv = 0; /* assume success */
63 int len;
64 int i, done;
65 char *d;
66 char p[MAXPATH+1]; /* path to where the backup is */
67 char buf[MAXPATH+1], buf2[MAXPATH+1];
68 struct stat sbuf;
69 CertList *data, *cl;
70 DIR *dirp;
71 struct dirent *df; /* file in the directory */
72 CertList *cert, *cl2;
73 X509 *x;
74 BIO *in;
75
76 return rv; /* remove when this function is complete */
77
78 if(SMHOLDERTYPE(ctype) == Directory){
79 d = PATHCERTDIR(ctype);
80 if(d != NULL){
81 len = strlen(d) + strlen(S_FILESEP) + strlen(SMIME_BACKUP_DIR) + 1;
82 snprintf(p, MAXPATH, "%s%s%s", d, S_FILESEP, SMIME_BACKUP_DIR);
83 p[MAXPATH] = '\0';
84 if(our_stat(p, &sbuf) < 0){
85 if(our_mkpath(p, 0700) != 0)
86 return -1;
87 } else if((sbuf.st_mode & S_IFMT) != S_IFDIR){
88 for(i = 0, done = 0; done == 0 && i < MAX_TRY_BACKUP; i++){
89 snprintf(buf2, len+2, "%s%d", p, i);
90 if(our_stat(buf2, &sbuf) < 0){
91 if(our_mkpath(buf2, 0700) == 0)
92 done++;
93 }
94 else if((sbuf.st_mode & S_IFMT) == S_IFDIR)
95 done++;
96 if(done){
97 strncpy(p, buf2, MAXPATH);
98 p[MAXPATH] = '\0';
99 }
100 }
101 if(done == 0)
102 return -1;
103 }
104 /* if we are here, we have a backup directory where to
105 * backup certificates/keys, so now we will go
106 * through the list of certificates and back them up
107 * if we need to.
108 */
109 data = BACKUPDATACERT(ctype);
110 for(cl = DATACERT(ctype); cl; cl = cl->next){
111 char clname[MAXPATH+1];
112
113 snprintf(clname, MAXPATH, "%s%s", cl->name, ctype == Private ? ".key" : "");
114 clname[MAXPATH] = '\0';
115 len = strlen(d) + strlen(clname) + 2;
116 if(len < MAXPATH){
117 snprintf(buf, len, "%s%s%s", d, S_FILESEP, clname);
118 buf[sizeof(buf)-1] = '\0';
119 len = strlen(p) + strlen(clname) + strlen(cl->data.md5) + 3;
120 if(len < MAXPATH){
121 snprintf(buf2, len, "%s%s%s.%s", p, S_FILESEP, clname, cl->data.md5);
122 buf2[sizeof(buf2)-1] = '\0';
123 done = 0; /* recycle done: it means we have a file that may be a certifificate*/
124 if(stat(buf2, &sbuf) < 0){
125 if (our_copy(buf2, buf) == 0)
126 done++;
127 } else if((sbuf.st_mode & S_IFMT) == S_IFREG)
128 done++;
129
130 if(done){
131 switch(ctype){
132 case Public:
133 case CACert:
134 if((in = BIO_new_file(buf2, "r"))!=0){
135 cert = fs_get(sizeof(CertList));
136 memset((void *)cert, 0, sizeof(CertList));
137 cert->x509_cert = PEM_read_bio_X509(in, NULL, NULL, NULL);
138 if(cl->data.date_from != NULL)
139 cert->data.date_from = cpystr(cl->data.date_from);
140 if(cl->data.date_to != NULL)
141 cert->data.date_to = cpystr(cl->data.date_to);
142 if(cl->data.md5 != NULL)
143 cert->data.md5 = cpystr(cl->data.md5);
144 snprintf(buf2, len, "%s.%s", cl->name, cl->data.md5);
145 buf2[sizeof(buf2)-1] = '\0';
146 cert->name = cpystr(buf2);
147 if(data == NULL)
148 data = cert;
149 else{
150 for (cl2 = data; cl2 && cl2->next; cl2 = cl2->next);
151 cl2->next = cert;
152 }
153 BIO_free(in);
154 }
155 break;
156
157 case Private: break;
158 default: alpine_panic("Bad ctype (0)");
159 }
160 }
161 }
162 }
163 }
164 /* if we are here, it means we just loaded the backup variable with
165 * a copy of the data that comes from the certlist not coming from
166 * backup. Now we are going to load the contents of the .backup
167 * directory.
168 */
169
170 /* Here is the plan: read the backup directory (in the variable "p")
171 * and attempt to add it. If already there, skip it; otherwise continue
172 */
173
174 if((dirp = opendir(p)) != NULL){
175 while((df=readdir(dirp)) != NULL){
176 if(df->d_name && *df->d_name == '.') /* no hidden files here */
177 continue;
178
179 /* make sure that we have a file */
180 snprintf(buf2, sizeof(buf2), "%s%s%s", p, S_FILESEP, df->d_name);
181 buf2[sizeof(buf2)-1] = '\0';
182 if(our_stat(buf2, &sbuf) == 0
183 && (sbuf.st_mode & S_IFMT) != S_IFREG)
184 continue;
185
186 /* make sure it is not already in the list */
187 for(cl = data; cl; cl = cl->next)
188 if(strcmp(cl->name, df->d_name) == 0)
189 break;
190 if(cl != NULL)
191 continue;
192
193 /* ok, if it is not in the list, and it is a certificate. Add it */
194 switch(ctype){
195 case Public:
196 case CACert:
197 if((in = BIO_new_file(buf2, "r"))!=0){
198 x = PEM_read_bio_X509(in, NULL, NULL, NULL);
199 if(x && x->cert_info){ /* for now copy this information */
200 cert = fs_get(sizeof(CertList));
201 memset((void *)cert, 0, sizeof(CertList));
202 cert->x509_cert = x;
203 cert->data.date_from = smime_get_date(x->cert_info->validity->notBefore);
204 cert->data.date_to = smime_get_date(x->cert_info->validity->notAfter);
205 get_fingerprint(x, EVP_md5(), buf, sizeof(buf), NULL);
206 cert->data.md5 = cpystr(buf);
207 cert->name = cpystr(df->d_name);
208 /* we will use the cert->data.md5 variable to find a backup
209 certificate, not the name */
210 if(data == NULL)
211 data = cert;
212 else{
213 for (cl2 = data; cl2 && cl2->next; cl2 = cl2->next);
214 cl2->next = cert;
215 }
216 }
217 BIO_free(in);
218 }
219 break;
220
221 case Private:
222 /* here we must check it is a key of some cert....*/
223 break;
224
225 default: alpine_panic("Bad ctype (1)");
226 } /* end switch */
227 }
228 closedir(dirp);
229 }
230
231 /* Now that we are here, we have all the information in the backup
232 * directory
233 */
234
235 switch(ctype){
236 case Public : ps_global->smime->backuppubliccertlist = data; break;
237 case Private: ps_global->smime->backupprivatecertlist = data; break;
238 case CACert : ps_global->smime->backupcacertlist = data; break;
239 default : alpine_panic("Bad ctype (n)");
240 }
241 }
242 } else if(SMHOLDERTYPE(ctype) == Container){
243
244 } /* else APPLEKEYCHAIN */
245 return rv;
246 }
247
248 int
249 compare_certs_by_name(const void *data1, const void *data2)
250 {
251 int rv, i, j;
252 char *s;
253
254 CertList *cl1 = *(CertList **) data1;
255 CertList *cl2 = *(CertList **) data2;
256
257 i = j = -1;
258 if((s = strchr(cl1->name, '@')) != NULL){
259 i = s - cl1->name;
260 *s = '\0';
261 }
262
263 if((s = strchr(cl2->name, '@')) != NULL){
264 j = s - cl2->name;
265 *s = '\0';
266 }
267
268 if((rv = strucmp(cl1->name, cl2->name)) == 0)
269 rv = strucmp(cl1->name + i + 1, cl2->name + j + 1);
270 if(i >= 0) cl1->name[i] = '@';
271 if(j >= 0) cl2->name[j] = '@';
272 return rv;
273 }
274
275 void
276 resort_certificates(CertList **data, WhichCerts ctype)
277 {
278 int i, j;
279 CertList *cl = *data;
280 CertList **cll;
281 char *s, *t;
282
283 if(cl == NULL)
284 return;
285
286 for(i = 0; cl; cl = cl->next, i++)
287 if(ctype != Private){ /* ctype == Public or ctype == CACerts */
288 for(t = s = cl->name; t = strstr(s, ".crt"); s = t+1);
289 if (s) *(s-1) = '\0';
290 }
291 j = i;
292 cll = fs_get(i*sizeof(CertList *));
293 for(cl = *data, i = 0; cl; cl = cl->next, i++)
294 cll[i] = cl;
295 qsort((void *)cll, j, sizeof(CertList *), compare_certs_by_name);
296 for(i = 0; i < j - 1; i++){
297 cll[i]->next = cll[i+1];
298 if(ctype != Private)
299 cll[i]->name[strlen(cll[i]->name)]= '.'; /* restore ".crt" part */
300 }
301 if(ctype != Private)
302 cll[j-1]->name[strlen(cll[j-1]->name)]= '.'; /* restore ".crt" part */
303 cll[j-1]->next = NULL;
304 *data = cll[0];
305 }
306
307
308 void
309 get_fingerprint(X509 *cert, const EVP_MD *type, char *buf, size_t maxLen, char *s)
310 {
311 unsigned char md[128];
312 char *b;
313 unsigned int len, i;
314
315 len = sizeof(md);
316
317 X509_digest(cert, type, md, &len);
318
319 b = buf;
320 *b = 0;
321 for(i=0; i<len; i++){
322 if(b-buf+3>=maxLen)
323 break;
324
325 if(i != 0 && s && *s)
326 *b++ = *s;
327
328 snprintf(b, maxLen - (b-buf), "%02x", md[i]);
329 b+=2;
330 }
331 }
332
333
334 /*
335 * Remove leading whitespace, trailing whitespace and convert
336 * to lowercase. Also remove slash characters
337 *
338 * Args: s, -- The string to clean
339 *
340 * Result: the cleaned string
341 */
342 static char *
343 emailstrclean(char *string)
344 {
345 char *s = string, *sc = NULL, *p = NULL;
346
347 for(; *s; s++){ /* single pass */
348 if(!isspace((unsigned char) (*s))){
349 p = NULL; /* not start of blanks */
350 if(!sc) /* first non-blank? */
351 sc = string; /* start copying */
352 }
353 else if(!p) /* it's OK if sc == NULL */
354 p = sc; /* start of blanks? */
355
356 if(sc && *s!='/' && *s!='\\') /* if copying, copy */
357 *sc++ = isupper((unsigned char) (*s))
358 ? (unsigned char) tolower((unsigned char) (*s))
359 : (unsigned char) (*s);
360 }
361
362 if(p) /* if ending blanks */
363 *p = '\0'; /* tie off beginning */
364 else if(!sc) /* never saw a non-blank */
365 *string = '\0'; /* so tie whole thing off */
366
367 return(string);
368 }
369
370
371 char *
372 smime_get_date(ASN1_GENERALIZEDTIME *tm)
373 {
374 BIO *mb = BIO_new(BIO_s_mem());
375 char iobuf[4096];
376 char date[MAILTMPLEN];
377 char buf[MAILTMPLEN];
378 char *m, *d, *t, *y, *z;
379 struct date smd;
380 struct tm smtm;
381
382 (void) BIO_reset(mb);
383 ASN1_UTCTIME_print(mb, tm);
384 (void) BIO_flush(mb);
385 BIO_read(mb, iobuf, sizeof(iobuf));
386
387 /* openssl returns the date in the format:
388 * "MONTH (as name) DAY (as number) TIME(hh:mm:ss) YEAR GMT"
389 */
390 m = iobuf;
391 d = strchr(iobuf, ' ');
392 *d++ = '\0';
393 while(*d == ' ') d++;
394 t = strchr(d+1, ' ');
395 *t++ = '\0';
396 while(*t == ' ') t++;
397 y = strchr(t+1, ' ');
398 *y++ = '\0';
399 while(*y == ' ') y++;
400 z = strchr(y+1, ' ');
401 *z++ = '\0';
402 while(*z == ' ') z++;
403
404 snprintf(date, sizeof(date), "%s %s %s %s (%s)", d, m, y, t, z);
405 date[sizeof(date)-1] = '\0';
406 if(F_ON(F_DATES_TO_LOCAL,ps_global)){
407 parse_date(convert_date_to_local(date), &smd);
408 memset(&smtm, 0, sizeof(smtm));
409 smtm.tm_year = MIN(MAX(smd.year-1900, 0), 2000) % 100 - 1900;
410 smtm.tm_mon = MIN(MAX(smd.month-1, 0), 11);
411 smtm.tm_mday = MIN(MAX(smd.day, 1), 31);
412 our_strftime(buf, sizeof(buf), "%x", &smtm);
413 }
414 else
415 snprintf(buf, sizeof(buf), "%s/%s/%s", m, d, y + strlen(y) - 2);
416 buf[sizeof(buf)-1] = '\0';
417
418 return cpystr(buf);
419 }
420
421 /*
422 * Add a lookup for each "*.crt*" file in the given directory.
423 */
424 int
425 add_certs_in_dir(X509_LOOKUP *lookup, char *path, char *ext, CertList **cdata)
426 {
427 char buf[MAXPATH];
428 struct direct *d;
429 DIR *dirp;
430 CertList *cert, *cl;
431 int ret = 0;
432
433 if((dirp = opendir(path)) != NULL){
434 while(!ret && (d=readdir(dirp)) != NULL){
435 if(srchrstr(d->d_name, ext)){
436 build_path(buf, path, d->d_name, sizeof(buf));
437
438 if(!X509_LOOKUP_load_file(lookup, buf, X509_FILETYPE_PEM)){
439 q_status_message1(SM_ORDER, 3, 3, _("Error loading file %s"), buf);
440 ret = -1;
441 } else {
442 if(cdata){
443 BIO *in;
444 X509 *x;
445
446 cert = fs_get(sizeof(CertList));
447 memset((void *)cert, 0, sizeof(CertList));
448 cert->name = cpystr(d->d_name);
449 /* read buf into a bio and fill the CertData structure */
450 if((in = BIO_new_file(buf, "r"))!=0){
451 x = PEM_read_bio_X509(in, NULL, NULL, NULL);
452 if(x && x->cert_info){
453 cert->data.date_from = smime_get_date(x->cert_info->validity->notBefore);
454 cert->data.date_to = smime_get_date(x->cert_info->validity->notAfter);
455 get_fingerprint(x, EVP_md5(), buf, sizeof(buf), NULL);
456 cert->data.md5 = cpystr(buf);
457 X509_free(x);
458 }
459 BIO_free(in);
460 }
461 if(*cdata == NULL)
462 *cdata = cert;
463 else{
464 for (cl = *cdata; cl && cl->next; cl = cl->next);
465 cl->next = cert;
466 }
467 }
468
469 }
470 }
471
472 }
473
474 closedir(dirp);
475 }
476
477 return ret;
478 }
479
480
481 /*
482 * Get an X509_STORE. This consists of the system
483 * certs directory and any certificates in the user's
484 * ~/.alpine-smime/ca directory.
485 */
486 X509_STORE *
487 get_ca_store(void)
488 {
489 X509_LOOKUP *lookup;
490 X509_STORE *store = NULL;
491
492 dprint((9, "get_ca_store()"));
493
494 if(!(store=X509_STORE_new())){
495 dprint((9, "X509_STORE_new() failed"));
496 return store;
497 }
498
499 if(!(lookup=X509_STORE_add_lookup(store, X509_LOOKUP_file()))){
500 dprint((9, "X509_STORE_add_lookup() failed"));
501 X509_STORE_free(store);
502 return NULL;
503 }
504
505 if(ps_global->smime && ps_global->smime->catype == Container
506 && ps_global->smime->cacontent){
507
508 if(!mem_add_extra_cacerts(ps_global->smime->cacontent, lookup)){
509 X509_STORE_free(store);
510 return NULL;
511 }
512 }
513 else if(ps_global->smime && ps_global->smime->catype == Directory
514 && ps_global->smime->capath){
515 if(add_certs_in_dir(lookup, ps_global->smime->capath, ".crt", &ps_global->smime->cacertlist) < 0){
516 X509_STORE_free(store);
517 return NULL;
518 }
519 resort_certificates(&ps_global->smime->cacertlist, CACert);
520 }
521
522 if(!(lookup=X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir()))){
523 X509_STORE_free(store);
524 return NULL;
525 }
526
527 #ifdef SMIME_SSLCERTS
528 dprint((9, "get_ca_store(): adding cacerts from %s", SMIME_SSLCERTS));
529 X509_LOOKUP_add_dir(lookup, SMIME_SSLCERTS, X509_FILETYPE_PEM);
530 #endif
531
532 return store;
533 }
534
535
536 EVP_PKEY *
537 load_key(PERSONAL_CERT *pc, char *pass, int flag)
538 {
539 BIO *in;
540 EVP_PKEY *key = NULL;
541 char buf[MAXPATH], file[MAXPATH];
542
543 if(!(ps_global->smime && pc && pc->name))
544 return key;
545
546 if(ps_global->smime->privatetype == Container){
547 char *q;
548
549 if(pc->keytext && (q = strstr(pc->keytext, "-----END")) != NULL){
550 while(*q && *q != '\n')
551 q++;
552
553 if(*q == '\n')
554 q++;
555
556 if((in = BIO_new_mem_buf(pc->keytext, q-pc->keytext)) != NULL){
557 key = PEM_read_bio_PrivateKey(in, NULL, NULL, pass);
558 BIO_free(in);
559 }
560 }
561 }
562 else if(ps_global->smime->privatetype == Directory){
563 /* filename is path/name.key */
564 strncpy(buf, pc->name, sizeof(buf)-5);
565 buf[sizeof(buf)-5] = '\0';
566 strncat(buf, ".key", 5);
567 build_path(file, ps_global->smime->privatepath, buf, sizeof(file));
568
569 if(!(in = BIO_new_file(file, "r")))
570 return NULL;
571
572 key = PEM_read_bio_PrivateKey(in, NULL, NULL, pass);
573 BIO_free(in);
574 }
575
576 return key;
577 }
578
579
580 #include <openssl/x509v3.h>
581 /*
582 * This newer version is from Adrian Vogel. It looks for the email
583 * address not only in the email address field, but also in an
584 * X509v3 extension field, Subject Altenative Name.
585 */
586 char **
587 get_x509_subject_email(X509 *x)
588 {
589 char **result = NULL;
590 int i, n;
591 STACK_OF(OPENSSL_STRING) *emails = X509_get1_email(x);
592 if ((n = sk_OPENSSL_STRING_num(emails)) > 0) {
593 result = fs_get((n+1)*sizeof(char *));
594 for(i = 0; i < n; i++)
595 result[i] = cpystr(sk_OPENSSL_STRING_value(emails, i));
596 result[i] = NULL;
597 }
598 X509_email_free(emails);
599 return result;
600 }
601
602
603 /*
604 * Save the certificate for the given email address in
605 * ~/.alpine-smime/public.
606 *
607 * Should consider the security hazards in making a file with
608 * the email address that has come from the certificate.
609 *
610 * The argument email is destroyed.
611 *
612 * args: ctype says where the user wants to save the certificate
613 */
614 void
615 save_cert_for(char *email, X509 *cert, WhichCerts ctype)
616 {
617 if(!ps_global->smime || ctype == Private)
618 return;
619
620 dprint((9, "save_cert_for(%s, %s)", email ? email : "?", ctype == Public ? _("Public") : ctype == Private ? _("Private") : "CACert"));
621 emailstrclean(email);
622
623 if(ps_global->smime->publictype == Keychain){
624 #ifdef APPLEKEYCHAIN
625
626 OSStatus rc;
627 SecCertificateRef secCertificateRef;
628 CSSM_DATA certData;
629
630 memset((void *) &certData, 0, sizeof(certData));
631 memset((void *) &secCertificateRef, 0, sizeof(secCertificateRef));
632
633 /* convert OpenSSL X509 cert data to MacOS certData */
634 if((certData.Length = i2d_X509(cert, &(certData.Data))) > 0){
635
636 /*
637 * Put that certData into a SecCertificateRef.
638 * Version 3 should work for versions 1-3.
639 */
640 if(!(rc=SecCertificateCreateFromData(&certData,
641 CSSM_CERT_X_509v3,
642 CSSM_CERT_ENCODING_DER,
643 &secCertificateRef))){
644
645 /* add it to the default keychain */
646 if(!(rc=SecCertificateAddToKeychain(secCertificateRef, NULL))){
647 /* ok */
648 }
649 else if(rc == errSecDuplicateItem){
650 dprint((9, "save_cert_for: certificate for %s already in keychain", email));
651 }
652 else{
653 dprint((9, "SecCertificateAddToKeychain failed"));
654 }
655 }
656 else{
657 dprint((9, "SecCertificateCreateFromData failed"));
658 }
659 }
660 else{
661 dprint((9, "i2d_X509 failed"));
662 }
663
664 #endif /* APPLEKEYCHAIN */
665 }
666 else if(SMHOLDERTYPE(ctype) == Container){
667 REMDATA_S *rd = NULL;
668 char *ret_dir = NULL;
669 char path[MAXPATH];
670 char fpath[MAXPATH];
671 char *upath = PATHCERTDIR(ctype);
672 char *tempfile = NULL;
673 int err = 0;
674 CertList *clist = DATACERT(ctype);
675
676 add_to_end_of_certlist(&clist, email, X509_dup(cert));
677
678 switch(ctype){
679 case Private: ps_global->smime->privatecertlist = clist; break;
680 case Public : ps_global->smime->publiccertlist = clist; break;
681 case CACert : ps_global->smime->cacertlist = clist; break;
682 default: break;
683 }
684
685 if(!upath)
686 return;
687
688 if(IS_REMOTE(upath)){
689 rd = rd_create_remote(RemImap, upath, REMOTE_SMIME_SUBTYPE,
690 NULL, "Error: ",
691 _("Can't access remote smime configuration."));
692 if(!rd){
693 return;
694 }
695
696 (void) rd_read_metadata(rd);
697
698 if(rd->access == MaybeRorW){
699 if(rd->read_status == 'R')
700 rd->access = ReadOnly;
701 else
702 rd->access = ReadWrite;
703 }
704
705 if(rd->access != NoExists){
706
707 rd_check_remvalid(rd, 1L);
708
709 /*
710 * If the cached info says it is readonly but
711 * it looks like it's been fixed now, change it to readwrite.
712 */
713 if(rd->read_status == 'R'){
714 rd_check_readonly_access(rd);
715 if(rd->read_status == 'W'){
716 rd->access = ReadWrite;
717 rd->flags |= REM_OUTOFDATE;
718 }
719 else
720 rd->access = ReadOnly;
721 }
722 }
723
724 if(rd->flags & REM_OUTOFDATE){
725 if(rd_update_local(rd) != 0){
726
727 dprint((1, "save_cert_for: rd_update_local failed\n"));
728 rd_close_remdata(&rd);
729 return;
730 }
731 }
732 else
733 rd_open_remote(rd);
734
735 if(rd->access != ReadWrite || rd_remote_is_readonly(rd)){
736 rd_close_remdata(&rd);
737 return;
738 }
739
740 rd->flags |= DO_REMTRIM;
741
742 strncpy(path, rd->lf, sizeof(path)-1);
743 path[sizeof(path)-1] = '\0';
744 }
745 else{
746 strncpy(path, upath, sizeof(path)-1);
747 path[sizeof(path)-1] = '\0';
748 }
749
750 tempfile = tempfile_in_same_dir(path, "az", &ret_dir);
751 if(tempfile){
752 if(certlist_to_file(tempfile, DATACERT(ctype)))
753 err++;
754
755 if(!err && ret_dir){
756 if(strlen(path) + strlen(tempfile) - strlen(ret_dir) + 1 < sizeof(path))
757 snprintf(fpath, sizeof(fpath), "%s%c%s",
758 path, tempfile[strlen(ret_dir)], tempfile + strlen(ret_dir) + 1);
759 else
760 err++;
761 }
762 else err++;
763
764 fs_give((void **)&ret_dir);
765
766 if(!err){
767 if(rename_file(tempfile, fpath) < 0){
768 q_status_message2(SM_ORDER, 3, 3,
769 _("Can't rename %s to %s"), tempfile, fpath);
770 err++;
771 }
772 }
773
774 if(!err && IS_REMOTE(upath)){
775 int e, we_cancel;
776 char datebuf[200];
777
778 datebuf[0] = '\0';
779
780 we_cancel = busy_cue(_("Copying to remote smime container"), NULL, 1);
781 if((e = rd_update_remote(rd, datebuf)) != 0){
782 if(e == -1){
783 q_status_message2(SM_ORDER | SM_DING, 3, 5,
784 _("Error opening temporary smime file %s: %s"),
785 rd->lf, error_description(errno));
786 dprint((1,
787 "write_remote_smime: error opening temp file %s\n",
788 rd->lf ? rd->lf : "?"));
789 }
790 else{
791 q_status_message2(SM_ORDER | SM_DING, 3, 5,
792 _("Error copying to %s: %s"),
793 rd->rn, error_description(errno));
794 dprint((1,
795 "write_remote_smime: error copying from %s to %s\n",
796 rd->lf ? rd->lf : "?", rd->rn ? rd->rn : "?"));
797 }
798
799 q_status_message(SM_ORDER | SM_DING, 5, 5,
800 _("Copy of smime cert to remote folder failed, changes NOT saved remotely"));
801 }
802 else{
803 rd_update_metadata(rd, datebuf);
804 rd->read_status = 'W';
805 }
806
807 rd_close_remdata(&rd);
808
809 if(we_cancel)
810 cancel_busy_cue(-1);
811 }
812
813 fs_give((void **) &tempfile);
814 }
815 }
816 else if(SMHOLDERTYPE(ctype) == Directory){
817 char *path = PATHCERTDIR(ctype);
818 char certfilename[MAXPATH];
819 BIO *bio_out;
820
821 build_path(certfilename, path, email, sizeof(certfilename));
822 strncat(certfilename, ".crt", sizeof(certfilename)-1-strlen(certfilename));
823 certfilename[sizeof(certfilename)-1] = 0;
824
825 bio_out = BIO_new_file(certfilename, "w");
826 if(bio_out){
827 PEM_write_bio_X509(bio_out, cert);
828 BIO_free(bio_out);
829 q_status_message1(SM_ORDER, 1, 1, _("Saved certificate for <%s>"), email);
830 }
831 else{
832 q_status_message1(SM_ORDER, 1, 1, _("Couldn't save certificate for <%s>"), email);
833 }
834 }
835 }
836
837
838 /*
839 * Try to retrieve the certificate for the given email address.
840 * The caller should free the cert.
841 */
842 X509 *
843 get_cert_for(char *email, WhichCerts ctype)
844 {
845 char certfilename[MAXPATH];
846 char emailaddr[MAXPATH];
847 X509 *cert = NULL;
848 BIO *in;
849
850 if(!ps_global->smime)
851 return cert;
852
853 dprint((9, "get_cert_for(%s, %s)", email ? email : "?", "none yet"));
854
855 if(ctype == Private) /* there is no private certificate info */
856 ctype = Public; /* return public information instead */
857 strncpy(emailaddr, email, sizeof(emailaddr)-1);
858 emailaddr[sizeof(emailaddr)-1] = 0;
859
860 /* clean it up (lowercase, space removal) */
861 emailstrclean(emailaddr);
862
863 if(ps_global->smime->publictype == Keychain){
864 #ifdef APPLEKEYCHAIN
865
866 OSStatus rc;
867 SecKeychainItemRef itemRef = nil;
868 SecKeychainAttributeList attrList;
869 SecKeychainAttribute attrib;
870 SecKeychainSearchRef searchRef = nil;
871 CSSM_DATA certData;
872
873 /* low-level form of MacOS data */
874 memset((void *) &certData, 0, sizeof(certData));
875
876 attrList.count = 1;
877 attrList.attr = &attrib;
878
879 /* kSecAlias means email address for a certificate */
880 attrib.tag = kSecAlias;
881 attrib.data = emailaddr;
882 attrib.length = strlen(attrib.data);
883
884 /* Find the certificate in the default keychain */
885 if(!(rc=SecKeychainSearchCreateFromAttributes(NULL,
886 kSecCertificateItemClass,
887 &attrList,
888 &searchRef))){
889
890 if(!(rc=SecKeychainSearchCopyNext(searchRef, &itemRef))){
891
892 /* extract the data portion of the certificate */
893 if(!(rc=SecCertificateGetData((SecCertificateRef) itemRef, &certData))){
894
895 /*
896 * Convert it from MacOS form to OpenSSL form.
897 * The input is certData from above and the output
898 * is the X509 *cert.
899 */
900 if(!d2i_X509(&cert, &(certData.Data), certData.Length)){
901 dprint((9, "d2i_X509 failed"));
902 }
903 }
904 else{
905 dprint((9, "SecCertificateGetData failed"));
906 }
907 }
908 else if(rc == errSecItemNotFound){
909 dprint((9, "get_cert_for: Public cert for %s not found", emailaddr));
910 }
911 else{
912 dprint((9, "SecKeychainSearchCopyNext failed"));
913 }
914 }
915 else{
916 dprint((9, "SecKeychainSearchCreateFromAttributes failed"));
917 }
918
919 if(searchRef)
920 CFRelease(searchRef);
921
922 #endif /* APPLEKEYCHAIN */
923 }
924 else if(SMHOLDERTYPE(ctype) == Container){
925 CertList *cl;
926
927 for(cl = DATACERT(ctype); cl; cl = cl->next){
928 if(cl->name && !strucmp(emailaddr, cl->name))
929 break;
930 }
931
932 if(cl)
933 cert = X509_dup((X509 *) cl->x509_cert);
934 }
935 else if(SMHOLDERTYPE(ctype) == Directory){
936 build_path(certfilename, PATHCERTDIR(ctype), emailaddr, sizeof(certfilename));
937 strncat(certfilename, EXTCERT(ctype), sizeof(certfilename)-1-strlen(certfilename));
938 certfilename[sizeof(certfilename)-1] = 0;
939
940 if((in = BIO_new_file(certfilename, "r"))!=0){
941
942 cert = PEM_read_bio_X509(in, NULL, NULL, NULL);
943
944 if(cert){
945 /* could check email addr in cert matches */
946 }
947
948 BIO_free(in);
949 }
950 }
951
952 return cert;
953 }
954
955 /*
956 * load_cert_for_key finds a certificate in pathdir that matches a private key
957 * pkey. It returns its name in certfile, and the certificate in *pcert.
958 * return value: success: different from zero, failure 0. If both certfile
959 * and pcert are NULL, this function returns if there is certificate that
960 * matches the given key.
961 */
962 int
963 load_cert_for_key(char *pathdir, EVP_PKEY *pkey, char **certfile, X509 **pcert)
964 {
965 DIR *dirp;
966 struct dirent *d;
967 int rv = 0;
968 BIO *in;
969 X509 *x;
970 char buf[MAXPATH+1], pathcert[MAXPATH+1];
971
972 if(pathdir == NULL || pkey == NULL)
973 return 0;
974
975 if(certfile) *certfile = NULL;
976 if(pcert) *pcert = NULL;
977
978 if((dirp = opendir(pathdir)) != NULL){
979 while(rv == 0 && (d=readdir(dirp)) != NULL){
980 size_t ll;
981
982 if((ll=strlen(d->d_name)) && ll > 4){
983 if(!strcmp(d->d_name+ll-4, ".crt")){
984 strncpy(buf, d->d_name, sizeof(buf));
985 buf[sizeof(buf)-1] = '\0';
986 build_path(pathcert, pathdir, buf, sizeof(pathcert));
987 if((in = BIO_new_file(pathcert, "r")) != NULL){
988 if((x = PEM_read_bio_X509(in, NULL, NULL, NULL)) != NULL){
989 if(X509_check_private_key(x, pkey) > 0){
990 rv = 1;
991 if(certfile) *certfile = cpystr(buf);
992 if(pcert) *pcert = x;
993 }
994 else
995 X509_free(x);
996 }
997 BIO_free(in);
998 }
999 }
1000 }
1001 }
1002 closedir(dirp);
1003 }
1004 return rv;
1005 }
1006
1007
1008 PERSONAL_CERT *
1009 mem_to_personal_certs(char *contents)
1010 {
1011 PERSONAL_CERT *result = NULL;
1012 char *p, *q, *line, *name, *keytext, *save_p;
1013 X509 *cert = NULL;
1014
1015 if(contents && *contents){
1016 for(p = contents; *p != '\0';){
1017 line = p;
1018
1019 while(*p && *p != '\n')
1020 p++;
1021
1022 save_p = NULL;
1023 if(*p == '\n'){
1024 save_p = p;
1025 *p++ = '\0';
1026 }
1027
1028 if(strncmp(EMAILADDRLEADER, line, strlen(EMAILADDRLEADER)) == 0){
1029 name = line + strlen(EMAILADDRLEADER);
1030 cert = get_cert_for(name, Public);
1031 keytext = p;
1032
1033 /* advance p past this record */
1034 if((q = strstr(keytext, "-----END")) != NULL){
1035 while(*q && *q != '\n')
1036 q++;
1037
1038 if(*q == '\n')
1039 q++;
1040
1041 p = q;
1042 }
1043 else{
1044 p = p + strlen(p);
1045 q_status_message(SM_ORDER | SM_DING, 3, 3, _("Error in privatekey container, missing END"));
1046 }
1047
1048 if(cert){
1049 PERSONAL_CERT *pc;
1050
1051 pc = (PERSONAL_CERT *) fs_get(sizeof(*pc));
1052 pc->cert = cert;
1053 pc->name = cpystr(name);
1054 pc->keytext = keytext; /* a pointer into contents */
1055
1056 pc->key = load_key(pc, "", SM_NORMALCERT);
1057
1058 pc->next = result;
1059 result = pc;
1060 }
1061 }
1062
1063 if(save_p)
1064 *save_p = '\n';
1065 }
1066 }
1067
1068 return result;
1069 }
1070
1071
1072 CertList *
1073 mem_to_certlist(char *contents, WhichCerts ctype)
1074 {
1075 CertList *ret = NULL;
1076 char *p, *q, *line, *name, *certtext, *save_p;
1077 X509 *cert = NULL;
1078 BIO *in;
1079 char *sep = (ctype == Public || ctype == Private)
1080 ? EMAILADDRLEADER : CACERTSTORELEADER;
1081
1082 if(contents && *contents){
1083 for(p = contents; *p != '\0';){
1084 line = p;
1085
1086 while(*p && *p != '\n')
1087 p++;
1088
1089 save_p = NULL;
1090 if(*p == '\n'){
1091 save_p = p;
1092 *p++ = '\0';
1093 }
1094
1095 if(strncmp(sep, line, strlen(sep)) == 0){
1096 name = line + strlen(sep);
1097 cert = NULL;
1098 certtext = strstr(p, "-----BEGIN");
1099 if(certtext != NULL){
1100 if((q = strstr(certtext, sep)) != NULL)
1101 p = q;
1102 else
1103 p = q = certtext+strlen(certtext);
1104
1105 if((in = BIO_new_mem_buf(certtext, q-certtext)) != 0){
1106 cert = PEM_read_bio_X509(in, NULL, NULL, NULL);
1107 BIO_free(in);
1108 }
1109 }
1110 else{
1111 q_status_message2(SM_ORDER | SM_DING, 3, 3, _("Error in %scert container, missing BEGIN, certtext=%s"), ctype == Public ? _("public") : _("ca"), p);
1112 p = p + strlen(p);
1113 }
1114
1115 if(name && cert)
1116 add_to_end_of_certlist(&ret, name, cert);
1117 }
1118
1119 if(save_p)
1120 *save_p = '\n';
1121 }
1122 }
1123
1124 return ret;
1125 }
1126
1127
1128 /*
1129 * Add the CACert Container contents into the CACert store.
1130 *
1131 * Returns > 0 for success, 0 for failure
1132 */
1133 int
1134 mem_add_extra_cacerts(char *contents, X509_LOOKUP *lookup)
1135 {
1136 char *p, *q, *line, *certtext, *save_p;
1137 BIO *in, *out;
1138 int len, failed = 0;
1139 char *tempfile;
1140 char iobuf[4096];
1141
1142 /*
1143 * The most straight-forward way to do this is to write
1144 * the container contents to a temp file and then load the
1145 * contents of the file with X509_LOOKUP_load_file(), like
1146 * is done in add_certs_in_dir(). What we don't know is if
1147 * each file should consist of one cacert or if they can all
1148 * just be jammed together into one file. To be safe, we'll use
1149 * one file per and do each in a separate operation.
1150 */
1151
1152 if(contents && *contents){
1153 for(p = contents; *p != '\0';){
1154 line = p;
1155
1156 while(*p && *p != '\n')
1157 p++;
1158
1159 save_p = NULL;
1160 if(*p == '\n'){
1161 save_p = p;
1162 *p++ = '\0';
1163 }
1164
1165 /* look for separator line */
1166 if(strncmp(CACERTSTORELEADER, line, strlen(CACERTSTORELEADER)) == 0){
1167 /* certtext is the content that should go in a file */
1168 certtext = strstr(p, "-----BEGIN");
1169 if(certtext != NULL){
1170 if((q = strstr(certtext, CACERTSTORELEADER)) != NULL){
1171 p = q;
1172 }
1173 else{ /* end of file */
1174 q = certtext + strlen(certtext);
1175 p = q;
1176 }
1177
1178 in = BIO_new_mem_buf(certtext, q-certtext);
1179 if(in){
1180 tempfile = temp_nam(NULL, "az");
1181 out = NULL;
1182 if(tempfile)
1183 out = BIO_new_file(tempfile, "w");
1184
1185 if(out){
1186 while((len = BIO_read(in, iobuf, sizeof(iobuf))) > 0)
1187 BIO_write(out, iobuf, len);
1188
1189 BIO_free(out);
1190 if(!X509_LOOKUP_load_file(lookup, tempfile, X509_FILETYPE_PEM))
1191 failed++;
1192
1193 fs_give((void **) &tempfile);
1194 }
1195
1196 BIO_free(in);
1197 }
1198 }
1199 else{
1200 p = p + strlen(p);
1201 q_status_message1(SM_ORDER | SM_DING, 3, 3, _("Error in cacert container, missing BEGIN, certtext=%s"), certtext);
1202 }
1203 }
1204 else{
1205 p = p + strlen(p);
1206 q_status_message1(SM_ORDER | SM_DING, 3, 3, _("Error in cacert container, missing separator, line=%s"), line);
1207 }
1208
1209 if(save_p)
1210 *save_p = '\n';
1211 }
1212 }
1213
1214 return(!failed);
1215 }
1216
1217
1218 int
1219 certlist_to_file(char *filename, CertList *certlist)
1220 {
1221 CertList *cl;
1222 BIO *bio_out = NULL;
1223 int ret = -1;
1224
1225 if(filename && (bio_out=BIO_new_file(filename, "w")) != NULL){
1226 ret = 0;
1227 for(cl = certlist; cl; cl = cl->next){
1228 if(cl->name && cl->name[0] && cl->x509_cert){
1229 if(!((BIO_puts(bio_out, EMAILADDRLEADER) > 0)
1230 && (BIO_puts(bio_out, cl->name) > 0)
1231 && (BIO_puts(bio_out, "\n") > 0)))
1232 ret = -1;
1233
1234 if(!PEM_write_bio_X509(bio_out, (X509 *) cl->x509_cert))
1235 ret = -1;
1236 }
1237 }
1238
1239 BIO_free(bio_out);
1240 }
1241
1242 return ret;
1243 }
1244
1245
1246 void
1247 add_to_end_of_certlist(CertList **cl, char *name, X509 *cert)
1248 {
1249 CertList *new, *clp;
1250
1251 if(!cl)
1252 return;
1253
1254 new = (CertList *) fs_get(sizeof(*new));
1255 memset((void *) new, 0, sizeof(*new));
1256 new->x509_cert = cert;
1257 new->name = name ? cpystr(name) : NULL;
1258
1259 if(!*cl){
1260 *cl = new;
1261 }
1262 else{
1263 for(clp = (*cl); clp->next; clp = clp->next)
1264 ;
1265
1266 clp->next = new;
1267 }
1268 }
1269
1270
1271 void
1272 free_certlist(CertList **cl)
1273 {
1274 if(cl && *cl){
1275 if((*cl)->data.date_from)
1276 fs_give((void **) &(*cl)->data.date_from);
1277
1278 if((*cl)->data.date_to)
1279 fs_give((void **) &(*cl)->data.date_to);
1280
1281 if((*cl)->data.md5)
1282 fs_give((void **) &(*cl)->data.md5);
1283
1284 if((*cl)->name)
1285 fs_give((void **) &(*cl)->name);
1286
1287 if((*cl)->x509_cert)
1288 X509_free((X509 *) (*cl)->x509_cert);
1289
1290 free_certlist(&(*cl)->next);
1291
1292 fs_give((void **) cl);
1293 }
1294 }
1295
1296
1297 void
1298 free_personal_certs(PERSONAL_CERT **pc)
1299 {
1300 if(pc && *pc){
1301 free_personal_certs(&(*pc)->next);
1302 if((*pc)->name)
1303 fs_give((void **) &(*pc)->name);
1304
1305 if((*pc)->name)
1306 fs_give((void **) &(*pc)->name);
1307
1308 if((*pc)->cert)
1309 X509_free((*pc)->cert);
1310
1311 if((*pc)->key)
1312 EVP_PKEY_free((*pc)->key);
1313
1314 fs_give((void **) pc);
1315 }
1316 }
1317
1318 #endif /* SMIME */
Alpine is a program to manage e-mail