authorSamuel Lidén Borell <samuel@kodafritt.se>2014-08-20 19:56:16 (GMT)
committerSamuel Lidén Borell <samuel@kodafritt.se>2014-08-20 19:56:16 (GMT)
commit25a38131993ae715fe584d7b612e67b75fa3ef9c (patch)
treefd847766f58cfc31428a8d0f14fcc0f79d1ffb40
parentd6ec1e4d28c794a1d3fa92956a313d6dca46fead (diff)
Add a config option to dump retrieved certificates on error
-rw-r--r--client/certutil.c29
-rw-r--r--client/certutil.h1
-rw-r--r--client/main.c5
-rw-r--r--client/misc.c21
-rw-r--r--client/misc.h1
-rw-r--r--client/platform.h1
-rw-r--r--client/posix.c27
-rw-r--r--client/prefs.c9
-rw-r--r--client/prefs.h3
-rw-r--r--doc/fribid.79
-rw-r--r--doc/fribid.sv.79
11 files changed, 110 insertions, 5 deletions
diff --git a/client/certutil.c b/client/certutil.c
index b9087d7..cdc6117 100644
--- a/client/certutil.c
+++ b/client/certutil.c
@@ -386,6 +386,35 @@ PKCS7 *certutil_parseP7SignedData(const char *p7data, size_t length) {
}
/**
+ * Dumps the given base64 encoded PKCS#7 certificate container
+ * into a PEM encoded PKCS#7 file in the ~/cbt directory.
+ */
+int certutil_dumpCertsP7(const char *b64pkcs7) {
+ char *dumpname = platform_getDumpFilename("storecerts-", ".pem");
+ fprintf(stderr, BINNAME ": dumping certificates to \"%s\"\n",
+ dumpname);
+
+ int ok = 0;
+ FILE *df = fopen(dumpname, "wb");
+ if (df) {
+ static char pem_template[] =
+ "-----BEGIN PKCS7-----\n"
+ "%s"
+ "-----END PKCS7-----\n";
+ char *lines = base64_add_linebreaks(b64pkcs7);
+
+ ok = (fprintf(df, pem_template, lines) > 0) &
+ (fclose(df) >= 0);
+ free(lines);
+ }
+ if (!ok) {
+ fprintf(stderr, BINNAME ": failed to write dump\n");
+ }
+ free(dumpname);
+ return ok;
+}
+
+/**
* Makes a filename for a certificate.
*/
char *certutil_makeFilename(X509_NAME *xname) {
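Review bot: In `certutil_dumpCertsP7`, both helper results are used without a NULL check: `dumpname` is passed to the `%s` in the first `fprintf` and to `fopen`, and `lines` is passed to `fprintf(df, pem_template, lines)`. Elsewhere in this commit, `platform_getDumpFilename` returns NULL when the directory cannot be created, and `base64_add_linebreaks` returns NULL when decoding fails. The function runs only after storing the certificates has failed, so malformed input is a plausible case rather than a rare one. Separately, `fopen(dumpname, "wb")` truncates an existing path and leaves the file mode to the umask; `open` with `O_CREAT | O_EXCL` and mode 0600 followed by `fdopen` would be stricter for a file in the ~/cbt directory.

```c
int certutil_dumpCertsP7(const char *b64pkcs7) {
    char *dumpname = platform_getDumpFilename("storecerts-", ".pem");
    if (!dumpname) {
        fprintf(stderr, BINNAME ": failed to create dump filename\n");
        return 0;
    }
    /* … unchanged: "dumping certificates to" message … */

    int ok = 0;
    /* Re-encode first so that nothing is created for undecodable input */
    char *lines = base64_add_linebreaks(b64pkcs7);
    FILE *df = lines ? fopen(dumpname, "wb") : NULL;
    if (df) {
        /* … unchanged: pem_template … */
        ok = (fprintf(df, pem_template, lines) > 0) &
             (fclose(df) >= 0);
    }
    free(lines);
    /* … unchanged: failure message, free(dumpname), return ok … */
```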
diff --git a/client/certutil.h b/client/certutil.h
index dc03a0c..3a99d70 100644
--- a/client/certutil.h
+++ b/client/certutil.h
@@ -50,6 +50,7 @@ X509 *certutil_findCert(const STACK_OF(X509) *certList,
bool certutil_addToList(char ***list, size_t *count, X509 *cert);
void certutil_freeList(char ***list, size_t *count);
PKCS7 *certutil_parseP7SignedData(const char *p7data, size_t length);
+int certutil_dumpCertsP7(const char *b64pkcs7);
char *certutil_makeFilename(X509_NAME *xname);
char *certutil_getBagAttr(PKCS12_SAFEBAG *bag, ASN1_OBJECT *oid);
void certutil_clearErrorString(void);
diff --git a/client/main.c b/client/main.c
index c84c650..0938533 100644
--- a/client/main.c
+++ b/client/main.c
@@ -31,6 +31,7 @@
#include "../common/pipe.h"
#include "backend.h"
#include "bankid.h"
+#include "certutil.h"
#include "platform.h"
#include "prefs.h"
#include "misc.h"
@@ -298,7 +299,9 @@ void pipeCommand(PipeCommand command, const char *url, const char *hostname,
BankIDError error = bankid_storeCertificates(certs, hostname,
&tokenError);
if (error != BIDERR_OK) {
- /* TODO should perhaps dump the certificate data to a file? */
+ if (prefs_debug_dump) {
+ certutil_dumpCertsP7(certs);
+ }
platform_showError(tokenError);
}
diff --git a/client/misc.c b/client/misc.c
index 834de1d..1739535 100644
--- a/client/misc.c
+++ b/client/misc.c
@@ -150,6 +150,27 @@ char *base64_encode(const char *data, int length) {
return base64;
}
+char *base64_add_linebreaks(const char *encoded) {
+ size_t datalen;
+ char *data = base64_decode_binary(encoded, &datalen);
+ if (!data) return NULL;
+
+ size_t enclen = (datalen/3+1)*4 + 4;
+ size_t alloclen = enclen + enclen/72 + 1+5;
+ char *ret = malloc(alloclen);
+ gchar *out = (gchar*)ret;
+
+ gint tmp1 = 0, tmp2 = 0;
+ size_t bytesout = g_base64_encode_step((guchar*)data, datalen, true,
+ out, &tmp1, &tmp2);
+ out += bytesout;
+ bytesout += g_base64_encode_close(true, out, &tmp1, &tmp2);
+ ret[bytesout] = '\0';
+
+ free(data);
+ return ret;
+}
+
char *base64_decode(const char *encoded) {
gsize length;
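Review bot: In `base64_add_linebreaks`, the result of `malloc(alloclen)` is not checked before `g_base64_encode_step` writes through `out`, so an allocation failure turns into a write through a NULL pointer; add `if (!ret) { free(data); return NULL; }` directly after the allocation. The function also has no comment describing its contract, and the caller added in certutil.c does not expect a NULL return. A header comment such as `/* Re-encodes base64 data with line breaks; returns a malloc'd string, or NULL if the input cannot be decoded or memory runs out. */` would make that visible.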
diff --git a/client/misc.h b/client/misc.h
index 100b016..487c26f 100644
--- a/client/misc.h
+++ b/client/misc.h
@@ -48,6 +48,7 @@ void *guaranteed_memset(void *v, int c, size_t n);
char *base64_encode(const char *data, const int length);
char *base64_decode(const char *encoded);
char *base64_decode_binary(const char *encoded, size_t *decodedLength);
+char *base64_add_linebreaks(const char *encoded);
bool is_canonical_base64(const char *encoded);
char *sha_base64(const char *str);
diff --git a/client/platform.h b/client/platform.h
index 1159f49..30b890f 100644
--- a/client/platform.h
+++ b/client/platform.h
@@ -55,6 +55,7 @@ void platform_keyDirs(char*** path, size_t* len);
PlatformDirIter *platform_openKeysDir(char *path);
char *platform_filterFilename(const char *filename);
char *platform_getFilenameForKey(const char *nameAttr);
+char *platform_getDumpFilename(const char *prefix, const char *suffix);
/* Configuration */
char *platform_getConfigPath(const char *appname);
diff --git a/client/posix.c b/client/posix.c
index 90c6639..2886d14 100644
--- a/client/posix.c
+++ b/client/posix.c
@@ -235,6 +235,33 @@ char *platform_getFilenameForKey(const char *nameAttr) {
}
/**
+ * Generates a filename for dump file for debugging.
+ * The filename will have this format: ~/cbt/prefix123456-123456suffix
+ */
+char *platform_getDumpFilename(const char *prefix, const char *suffix) {
+ char *basename = platform_filterFilename(prefix);
+ char *filename = NULL;
+
+ if (!basename || !*basename) goto end;
+
+ // Get key store path
+ size_t numPaths;
+ char **paths;
+ platform_keyDirs(&paths, &numPaths);
+
+ // Create directory
+ if (mkdir(paths[0], 0700) != 0 && errno != EEXIST) goto end;
+
+ // Merge
+ filename = rasprintf("%s/%s%d-%d%s", paths[0], basename,
+ time(NULL), rand(), suffix);
+
+ end:
+ if (basename) free(basename);
+ return filename;
+}
+
+/**
* Returns a flock struct used as an argument to fcntl to
* lock a file.
*/
diff --git a/client/prefs.c b/client/prefs.c
index 5b6b7d1..7bf0101 100644
--- a/client/prefs.c
+++ b/client/prefs.c
@@ -31,6 +31,7 @@
const char *prefs_pkcs11_module;
#endif
const char *prefs_bankid_emulatedversion;
+bool prefs_debug_dump;
/**
* Loads the preferences from ~/.config/fribid/config
@@ -41,9 +42,12 @@ void prefs_load(void) {
/* Set defaults */
prefs_pkcs11_module = DEFAULT_PKCS11_MODULE;
prefs_bankid_emulatedversion = NULL;
+ prefs_debug_dump = false;
if (cfg) {
char *s;
+ bool b;
+
/* Which PKCS#11 module to use */
#if ENABLE_PKCS11
if (platform_getConfigString(cfg, "pkcs11", "module", &s)) {
@@ -56,6 +60,11 @@ void prefs_load(void) {
prefs_bankid_emulatedversion = s;
}
+ /* Should debug data be dumped on errors etc.? */
+ if (platform_getConfigBool(cfg, "debug", "dump", &b)) {
+ prefs_debug_dump = b;
+ }
+
platform_freeConfig(cfg);
}
}
diff --git a/client/prefs.h b/client/prefs.h
index 97f637e..18e8374 100644
--- a/client/prefs.h
+++ b/client/prefs.h
@@ -25,10 +25,13 @@
#ifndef PREFS_H
#define PREFS_H
+#include <stdbool.h>
+
#ifdef ENABLE_PKCS11
extern const char *prefs_pkcs11_module;
#endif
extern const char *prefs_bankid_emulatedversion;
+extern bool prefs_debug_dump;
void prefs_load(void);
diff --git a/doc/fribid.7 b/doc/fribid.7
index 624a66b..6dd3105 100644
--- a/doc/fribid.7
+++ b/doc/fribid.7
@@ -18,7 +18,7 @@
.\" OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
.\" THE SOFTWARE.
-.TH fribid 7 "2012-04-06" "" "FriBID"
+.TH fribid 7 "2014-08-20" "" "FriBID"
.SH NAME
fribid \- a web browser plugin for BankID
@@ -51,7 +51,7 @@ and
.SH CONFIGURATION
FriBID loads the configuration file
.B ~/.config/fribid/config
-if it exists. Below is an example. The first option controls which PKCS#11 module to use for smartcard support (or for other cryptographic tokens). The default is to use OpenSC's PKCS#11 module. The second option sets the software version that FriBID should pretend to be. The default is 4.15.0.14, since FriBID doesn't support some features in the more recent versions yet.
+if it exists. Below is an example. The first option controls which PKCS#11 module to use for smartcard support (or for other cryptographic tokens). The default is to use OpenSC's PKCS#11 module. The second option sets the software version that FriBID should pretend to be. The default is 4.15.0.14, since FriBID doesn't support some features in the more recent versions yet. The last option is for troubleshooting and enables dumping of retreived certificates to files in ~/cbt/ when an error occurs. It is disabled by default.
.IP
[pkcs11]
@@ -64,6 +64,11 @@ module=/path/to/pkcs11/module
.br
version-to-emulate=4.19.0.11351
+.br
+[debug]
+.br
+dump=true
+
.SH USING FRIBID
FriBID will start automatically when you visit a web page that uses BankID for the log in system or to sign information. You can check that FriBID works on this page:
.LP
diff --git a/doc/fribid.sv.7 b/doc/fribid.sv.7
index 7a991d7..88c63af 100644
--- a/doc/fribid.sv.7
+++ b/doc/fribid.sv.7
@@ -18,7 +18,7 @@
.\" OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
.\" THE SOFTWARE.
-.TH fribid 7 "2012-04-06" "" "FriBID"
+.TH fribid 7 "2014-08-20" "" "FriBID"
.SH NAMN
fribid \- en webbläsarplugin för BankID
@@ -52,7 +52,7 @@ och
.SH INSTÄLLNINGAR
FriBID läser in konfigurationsfilen
.B ~/.config/fribid/config
-om den finns. Här nedan är ett exempel. Den första inställningen styr vilken PKCS#11-modul som ska användas för smartkortsstöd (eller för andra kryptografiska enheter). Standardvalet är att använda OpenSCs PKCS#11-modul. Den andra inställningen styr vilken version som FriBID ska låtsas vara. Standardvalet är 4.15.0.14, eftersom FriBID inte stöder vissa funktioner i de senare versionerna.
+om den finns. Här nedan är ett exempel. Den första inställningen styr vilken PKCS#11-modul som ska användas för smartkortsstöd (eller för andra kryptografiska enheter). Standardvalet är att använda OpenSCs PKCS#11-modul. Den andra inställningen styr vilken version som FriBID ska låtsas vara. Standardvalet är 4.15.0.14, eftersom FriBID inte stöder vissa funktioner i de senare versionerna. Den sista inställningen används för felsökning och styr om hämtade certifikat ska dumpas till filer i ~/cbt/ ifall ett fel uppstår. Den är inaktiverad som standard.
.IP
[pkcs11]
@@ -65,6 +65,11 @@ module=/sökväg/till/pkcs11-modul
.br
version-to-emulate=4.19.0.11351
+.br
+[debug]
+.br
+dump=true
+
.SH ATT ANVÄNDA FRIBID
FriBID startas automatiskt när du besöker en webbsida som använder BankID för inloggning eller signering. Du kan testa att FriBID fungerar på denna sida:
.LP