diff --git a/plugins/qca-pkcs11/README b/plugins/qca-pkcs11/README index 099093c0..8ea3fdde 100644 --- a/plugins/qca-pkcs11/README +++ b/plugins/qca-pkcs11/README @@ -22,6 +22,12 @@ CONFIGURATION $ qcatool --config save qca-pkcs11 Attributes: + allow_load_rootca (Boolean) + Allow loading root certificate authorities' certificate + from token. Loading root certificates from PKCS#11 enabled + tokens is highly insecure, as public objects can be added + without user notice. + allow_protected_authentication (Boolean) Enable/disable global protected authentication support. If disabled, no protected authentication will be allowed, diff --git a/plugins/qca-pkcs11/qca-pkcs11.cpp b/plugins/qca-pkcs11/qca-pkcs11.cpp index 1a640fcb..fe585d03 100644 --- a/plugins/qca-pkcs11/qca-pkcs11.cpp +++ b/plugins/qca-pkcs11/qca-pkcs11.cpp @@ -55,11 +55,14 @@ class pkcs11Provider : public Provider private: static const int _CONFIG_MAX_PROVIDERS; - bool _fLowLevelInitialized; - bool _fSlotEventsActive; - bool _fSlotEventsLowLevelActive; + bool _lowLevelInitialized; + bool _slotEventsActive; + bool _slotEventsLowLevelActive; QStringList _providers; +public: + bool _allowLoadRootCA; + public: pkcs11Provider (); ~pkcs11Provider (); @@ -1862,6 +1865,18 @@ pkcs11KeyStoreListContext::entryList (int id) { entry->registerCertificates (listIssuers + listCerts); QMap friendlyNames = entry->friendlyNames (); + QList listIssuersForComplete; + if (dynamic_cast (provider ())->_allowLoadRootCA) { + listIssuersForComplete = listIssuers; + } + else { + foreach (Certificate c, listIssuers) { + if (!c.isSelfSigned ()) { + listIssuersForComplete += c; + } + } + } + for ( i=0, current=issuers; current!=NULL; @@ -1872,13 +1887,18 @@ pkcs11KeyStoreListContext::entryList (int id) { throw pkcs11Exception (CKR_ARGUMENTS_BAD, "Invalid certificate"); } - CertificateChain chain = CertificateChain (listIssuers[i]).complete (listIssuers); - out += _keyStoreEntryByCertificateId ( - current->certificate_id, - false, - chain, - friendlyNames[certificateHash (chain.primary ())] - ); + if ( + listIssuers[i].isSelfSigned () && + dynamic_cast (provider ())->_allowLoadRootCA + ) { + CertificateChain chain = CertificateChain (listIssuers[i]).complete (listIssuersForComplete); + out += _keyStoreEntryByCertificateId ( + current->certificate_id, + false, + chain, + friendlyNames[certificateHash (chain.primary ())] + ); + } } catch (const pkcs11Exception &e) { s_keyStoreList->_emit_diagnosticText ( @@ -1901,7 +1921,7 @@ pkcs11KeyStoreListContext::entryList (int id) { throw pkcs11Exception (CKR_ARGUMENTS_BAD, "Invalid certificate"); } - CertificateChain chain = CertificateChain (listCerts[i]).complete (listIssuers); + CertificateChain chain = CertificateChain (listCerts[i]).complete (listIssuersForComplete); out += _keyStoreEntryByCertificateId ( current->certificate_id, true, @@ -2547,9 +2567,10 @@ pkcs11Provider::pkcs11Provider () { Logger::Debug ); - _fLowLevelInitialized = false; - _fSlotEventsActive = false; - _fSlotEventsLowLevelActive = false; + _lowLevelInitialized = false; + _slotEventsActive = false; + _slotEventsLowLevelActive = false; + _allowLoadRootCA = false; QCA_logTextMessage ( "pkcs11Provider::pkcs11Provider - return", @@ -2630,7 +2651,7 @@ void pkcs11Provider::init () { throw pkcs11Exception (rv, "Cannot set hook"); } - _fLowLevelInitialized = true; + _lowLevelInitialized = true; } catch (const pkcs11Exception &e) { QCA_logTextMessage (e.message (), Logger::Error); @@ -2682,7 +2703,7 @@ pkcs11Provider::createContext (const QString &type) { Logger::Debug ); - if (_fLowLevelInitialized) { + if (_lowLevelInitialized) { if (type == "keystorelist") { if (s_keyStoreList == NULL) { s_keyStoreList = new pkcs11KeyStoreListContext (this); @@ -2711,8 +2732,8 @@ pkcs11Provider::startSlotEvents () { Logger::Debug ); - if (_fLowLevelInitialized) { - if (!_fSlotEventsLowLevelActive) { + if (_lowLevelInitialized) { + if (!_slotEventsLowLevelActive) { if ( (rv = pkcs11h_setSlotEventHook ( __slotEventHook, @@ -2722,10 +2743,10 @@ pkcs11Provider::startSlotEvents () { throw pkcs11Exception (rv, "Cannot start slot events"); } - _fSlotEventsLowLevelActive = true; + _slotEventsLowLevelActive = true; } - _fSlotEventsActive = true; + _slotEventsActive = true; } QCA_logTextMessage ( @@ -2741,7 +2762,7 @@ pkcs11Provider::stopSlotEvents () { Logger::Debug ); - _fSlotEventsActive = false; + _slotEventsActive = false; } QVariantMap @@ -2754,6 +2775,7 @@ pkcs11Provider::defaultConfig () const { ); mytemplate["formtype"] = "http://affinix.com/qca/forms/qca-pkcs11#1.0"; + mytemplate["allow_load_rootca"] = false; mytemplate["allow_protected_authentication"] = true; mytemplate["pin_cache"] = PKCS11H_PIN_CACHE_INFINITE; mytemplate["log_level"] = 0; @@ -2780,11 +2802,13 @@ pkcs11Provider::configChanged (const QVariantMap &config) { Logger::Debug ); - if (!_fLowLevelInitialized) { + if (!_lowLevelInitialized) { QCA_logTextMessage ("PKCS#11: Not initialized", Logger::Error); return; } + _allowLoadRootCA = config["allow_load_rootca"].toBool (); + pkcs11h_setLogLevel (config["log_level"].toInt ()); pkcs11h_setProtectedAuthentication ( config["allow_protected_authentication"].toBool () != false ? TRUE : FALSE //krazy:exclude=captruefalse @@ -2963,7 +2987,7 @@ pkcs11Provider::_slotEventHook () { * This is called from a separate * thread. */ - if (s_keyStoreList != NULL && _fSlotEventsActive) { + if (s_keyStoreList != NULL && _slotEventsActive) { QMetaObject::invokeMethod(s_keyStoreList, "doUpdated", Qt::QueuedConnection); } }