2 * Claws Mail -- a GTK+ based, lightweight, and fast e-mail client
3 * Copyright (C) 1999-2016 Colin Leroy <colin@colino.net>
4 * and the Claws Mail team
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "claws-features.h"
28 #include <gnutls/gnutls.h>
29 #include <gnutls/x509.h>
30 #include <sys/types.h>
37 #include <glib/gi18n.h>
40 #include "prefs_common.h"
42 #include "ssl_certificate.h"
44 #include "alertpanel.h"
47 static gboolean sslcertwindow_ask_new_cert(SSLCertificate *cert);
48 static gboolean sslcertwindow_ask_expired_cert(SSLCertificate *cert);
49 static gboolean sslcertwindow_ask_changed_cert(SSLCertificate *old_cert, SSLCertificate *new_cert);
51 static GtkWidget *cert_presenter(SSLCertificate *cert)
53 GtkWidget *vbox = NULL;
54 GtkWidget *hbox = NULL;
55 GtkWidget *frame_owner = NULL;
56 GtkWidget *frame_signer = NULL;
57 GtkWidget *frame_status = NULL;
58 GtkTable *owner_table = NULL;
59 GtkTable *signer_table = NULL;
60 GtkTable *status_table = NULL;
61 GtkWidget *label = NULL;
63 char *issuer_commonname, *issuer_location, *issuer_organization;
64 char *subject_commonname, *subject_location, *subject_organization;
65 char *sig_status, *exp_date;
66 char *md5_fingerprint, *sha1_fingerprint, *sha256_fingerprint, *fingerprint;
69 unsigned char md[128];
75 issuer_commonname = g_malloc(BUFFSIZE);
76 issuer_location = g_malloc(BUFFSIZE);
77 issuer_organization = g_malloc(BUFFSIZE);
78 subject_commonname = g_malloc(BUFFSIZE);
79 subject_location = g_malloc(BUFFSIZE);
80 subject_organization = g_malloc(BUFFSIZE);
83 if (gnutls_x509_crt_get_issuer_dn_by_oid(cert->x509_cert,
84 GNUTLS_OID_X520_COMMON_NAME, 0, 0, issuer_commonname, &n))
85 strncpy(issuer_commonname, _("<not in certificate>"), BUFFSIZE);
88 if (gnutls_x509_crt_get_issuer_dn_by_oid(cert->x509_cert,
89 GNUTLS_OID_X520_LOCALITY_NAME, 0, 0, issuer_location, &n)) {
90 if (gnutls_x509_crt_get_issuer_dn_by_oid(cert->x509_cert,
91 GNUTLS_OID_X520_COUNTRY_NAME, 0, 0, issuer_location, &n)) {
92 strncpy(issuer_location, _("<not in certificate>"), BUFFSIZE);
95 tmp = g_malloc(BUFFSIZE);
96 if (gnutls_x509_crt_get_issuer_dn_by_oid(cert->x509_cert,
97 GNUTLS_OID_X520_COUNTRY_NAME, 0, 0, tmp, &n) == 0) {
98 strncat(issuer_location, ", ", BUFFSIZE-strlen(issuer_location)-1);
99 strncat(issuer_location, tmp, BUFFSIZE-strlen(issuer_location)-1);
105 if (gnutls_x509_crt_get_issuer_dn_by_oid(cert->x509_cert,
106 GNUTLS_OID_X520_ORGANIZATION_NAME, 0, 0, issuer_organization, &n))
107 strncpy(issuer_organization, _("<not in certificate>"), BUFFSIZE);
110 if (gnutls_x509_crt_get_dn_by_oid(cert->x509_cert,
111 GNUTLS_OID_X520_COMMON_NAME, 0, 0, subject_commonname, &n))
112 strncpy(subject_commonname, _("<not in certificate>"), BUFFSIZE);
115 if (gnutls_x509_crt_get_dn_by_oid(cert->x509_cert,
116 GNUTLS_OID_X520_LOCALITY_NAME, 0, 0, subject_location, &n)) {
117 if (gnutls_x509_crt_get_dn_by_oid(cert->x509_cert,
118 GNUTLS_OID_X520_COUNTRY_NAME, 0, 0, subject_location, &n)) {
119 strncpy(subject_location, _("<not in certificate>"), BUFFSIZE);
122 tmp = g_malloc(BUFFSIZE);
123 if (gnutls_x509_crt_get_dn_by_oid(cert->x509_cert,
124 GNUTLS_OID_X520_COUNTRY_NAME, 0, 0, tmp, &n) == 0) {
125 strncat(subject_location, ", ", BUFFSIZE-strlen(subject_location)-1);
126 strncat(subject_location, tmp, BUFFSIZE-strlen(subject_location)-1);
132 if (gnutls_x509_crt_get_dn_by_oid(cert->x509_cert,
133 GNUTLS_OID_X520_ORGANIZATION_NAME, 0, 0, subject_organization, &n))
134 strncpy(subject_organization, _("<not in certificate>"), BUFFSIZE);
136 exp_time_t = gnutls_x509_crt_get_expiration_time(cert->x509_cert);
138 memset(buf, 0, sizeof(buf));
139 if (exp_time_t > 0) {
140 fast_strftime(buf, sizeof(buf)-1, prefs_common.date_format, localtime_r(&exp_time_t, <));
141 exp_date = (*buf) ? g_strdup(buf):g_strdup("?");
143 exp_date = g_strdup("");
147 gnutls_x509_crt_get_fingerprint(cert->x509_cert, GNUTLS_DIG_MD5, md, &n);
148 md5_fingerprint = readable_fingerprint(md, (int)n);
150 gnutls_x509_crt_get_fingerprint(cert->x509_cert, GNUTLS_DIG_SHA1, md, &n);
151 sha1_fingerprint = readable_fingerprint(md, (int)n);
153 gnutls_x509_crt_get_fingerprint(cert->x509_cert, GNUTLS_DIG_SHA256, md, &n);
154 sha256_fingerprint = readable_fingerprint(md, (int)n);
158 sig_status = ssl_certificate_check_signer(cert, cert->status);
160 if (sig_status==NULL)
161 sig_status = g_strdup(_("Correct"));
163 vbox = gtk_vbox_new(FALSE, 5);
164 hbox = gtk_hbox_new(FALSE, 5);
166 frame_owner = gtk_frame_new(_("Owner"));
167 frame_signer = gtk_frame_new(_("Signer"));
168 frame_status = gtk_frame_new(_("Status"));
170 owner_table = GTK_TABLE(gtk_table_new(3, 2, FALSE));
171 signer_table = GTK_TABLE(gtk_table_new(3, 2, FALSE));
172 status_table = GTK_TABLE(gtk_table_new(3, 2, FALSE));
174 label = gtk_label_new(_("Name: "));
175 gtk_misc_set_alignment (GTK_MISC (label), 1, 0.5);
176 gtk_table_attach(owner_table, label, 0, 1, 0, 1, GTK_EXPAND|GTK_FILL, 0, 0, 0);
177 label = gtk_label_new(subject_commonname);
178 gtk_label_set_selectable(GTK_LABEL(label), TRUE);
179 gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
180 gtk_table_attach(owner_table, label, 1, 2, 0, 1, GTK_EXPAND|GTK_FILL, 0, 0, 0);
182 label = gtk_label_new(_("Organization: "));
183 gtk_misc_set_alignment (GTK_MISC (label), 1, 0.5);
184 gtk_table_attach(owner_table, label, 0, 1, 1, 2, GTK_EXPAND|GTK_FILL, 0, 0, 0);
185 label = gtk_label_new(subject_organization);
186 gtk_label_set_selectable(GTK_LABEL(label), TRUE);
187 gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
188 gtk_table_attach(owner_table, label, 1, 2, 1, 2, GTK_EXPAND|GTK_FILL, 0, 0, 0);
190 label = gtk_label_new(_("Location: "));
191 gtk_misc_set_alignment (GTK_MISC (label), 1, 0.5);
192 gtk_table_attach(owner_table, label, 0, 1, 2, 3, GTK_EXPAND|GTK_FILL, 0, 0, 0);
193 label = gtk_label_new(subject_location);
194 gtk_label_set_selectable(GTK_LABEL(label), TRUE);
195 gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
196 gtk_table_attach(owner_table, label, 1, 2, 2, 3, GTK_EXPAND|GTK_FILL, 0, 0, 0);
198 label = gtk_label_new(_("Name: "));
199 gtk_misc_set_alignment (GTK_MISC (label), 1, 0.5);
200 gtk_table_attach(signer_table, label, 0, 1, 0, 1, GTK_EXPAND|GTK_FILL, 0, 0, 0);
201 label = gtk_label_new(issuer_commonname);
202 gtk_label_set_selectable(GTK_LABEL(label), TRUE);
203 gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
204 gtk_table_attach(signer_table, label, 1, 2, 0, 1, GTK_EXPAND|GTK_FILL, 0, 0, 0);
206 label = gtk_label_new(_("Organization: "));
207 gtk_misc_set_alignment (GTK_MISC (label), 1, 0.5);
208 gtk_table_attach(signer_table, label, 0, 1, 1, 2, GTK_EXPAND|GTK_FILL, 0, 0, 0);
209 label = gtk_label_new(issuer_organization);
210 gtk_label_set_selectable(GTK_LABEL(label), TRUE);
211 gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
212 gtk_table_attach(signer_table, label, 1, 2, 1, 2, GTK_EXPAND|GTK_FILL, 0, 0, 0);
214 label = gtk_label_new(_("Location: "));
215 gtk_misc_set_alignment (GTK_MISC (label), 1, 0.5);
216 gtk_table_attach(signer_table, label, 0, 1, 2, 3, GTK_EXPAND|GTK_FILL, 0, 0, 0);
217 label = gtk_label_new(issuer_location);
218 gtk_label_set_selectable(GTK_LABEL(label), TRUE);
219 gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
220 gtk_table_attach(signer_table, label, 1, 2, 2, 3, GTK_EXPAND|GTK_FILL, 0, 0, 0);
222 label = gtk_label_new(_("Fingerprint: \n"));
223 gtk_misc_set_alignment (GTK_MISC (label), 1, 0.5);
224 gtk_table_attach(status_table, label, 0, 1, 0, 1, GTK_EXPAND|GTK_FILL, 0, 0, 0);
225 fingerprint = g_strdup_printf("MD5: %s\nSHA1: %s\nSHA256: %s",
226 md5_fingerprint, sha1_fingerprint, sha256_fingerprint);
227 label = gtk_label_new(fingerprint);
229 gtk_label_set_selectable(GTK_LABEL(label), TRUE);
230 gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
231 gtk_table_attach(status_table, label, 1, 2, 0, 1, GTK_EXPAND|GTK_FILL, 0, 0, 0);
232 label = gtk_label_new(_("Signature status: "));
233 gtk_misc_set_alignment (GTK_MISC (label), 1, 0.5);
234 gtk_table_attach(status_table, label, 0, 1, 1, 2, GTK_EXPAND|GTK_FILL, 0, 0, 0);
235 label = gtk_label_new(sig_status);
236 gtk_label_set_selectable(GTK_LABEL(label), TRUE);
237 gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
238 gtk_table_attach(status_table, label, 1, 2, 1, 2, GTK_EXPAND|GTK_FILL, 0, 0, 0);
239 label = gtk_label_new(_("Expires on: "));
240 gtk_misc_set_alignment (GTK_MISC (label), 1, 0.5);
241 gtk_table_attach(status_table, label, 0, 1, 2, 3, GTK_EXPAND|GTK_FILL, 0, 0, 0);
242 label = gtk_label_new(exp_date);
243 gtk_label_set_selectable(GTK_LABEL(label), TRUE);
244 gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
245 gtk_table_attach(status_table, label, 1, 2, 2, 3, GTK_EXPAND|GTK_FILL, 0, 0, 0);
247 gtk_container_add(GTK_CONTAINER(frame_owner), GTK_WIDGET(owner_table));
248 gtk_container_add(GTK_CONTAINER(frame_signer), GTK_WIDGET(signer_table));
249 gtk_container_add(GTK_CONTAINER(frame_status), GTK_WIDGET(status_table));
251 gtk_box_pack_end(GTK_BOX(hbox), frame_signer, TRUE, TRUE, 0);
252 gtk_box_pack_end(GTK_BOX(hbox), frame_owner, TRUE, TRUE, 0);
253 gtk_box_pack_end(GTK_BOX(vbox), frame_status, TRUE, TRUE, 0);
254 gtk_box_pack_end(GTK_BOX(vbox), hbox, TRUE, TRUE, 0);
256 gtk_widget_show_all(vbox);
258 g_free(issuer_commonname);
259 g_free(issuer_location);
260 g_free(issuer_organization);
261 g_free(subject_commonname);
262 g_free(subject_location);
263 g_free(subject_organization);
264 g_free(md5_fingerprint);
265 g_free(sha1_fingerprint);
266 g_free(sha256_fingerprint);
272 static gboolean sslcert_ask_hook(gpointer source, gpointer data)
274 SSLCertHookData *hookdata = (SSLCertHookData *)source;
276 if (hookdata == NULL) {
280 if (prefs_common.skip_ssl_cert_check) {
281 hookdata->accept = TRUE;
285 if (hookdata->old_cert == NULL) {
286 if (hookdata->expired)
287 hookdata->accept = sslcertwindow_ask_expired_cert(hookdata->cert);
289 hookdata->accept = sslcertwindow_ask_new_cert(hookdata->cert);
291 hookdata->accept = sslcertwindow_ask_changed_cert(hookdata->old_cert, hookdata->cert);
297 void sslcertwindow_register_hook(void)
299 hooks_register_hook(SSLCERT_ASK_HOOKLIST, sslcert_ask_hook, NULL);
302 void sslcertwindow_show_cert(SSLCertificate *cert)
304 GtkWidget *cert_widget = cert_presenter(cert);
307 buf = g_strdup_printf(_("SSL/TLS certificate for %s"), cert->host);
308 alertpanel_full(buf, NULL, GTK_STOCK_CLOSE, NULL, NULL,
309 ALERTFOCUS_FIRST, FALSE, cert_widget, ALERT_NOTICE);
313 static gchar *sslcertwindow_get_invalid_str(SSLCertificate *cert)
315 gchar *subject_cn = NULL;
318 if (ssl_certificate_check_subject_cn(cert))
321 subject_cn = ssl_certificate_get_subject_cn(cert);
323 str = g_strdup_printf(_("Certificate is for %s, but connection is to %s.\n"
324 "You may be connecting to a rogue server.\n\n"),
325 subject_cn, cert->host);
331 static gboolean sslcertwindow_ask_new_cert(SSLCertificate *cert)
333 gchar *buf, *sig_status;
338 GtkWidget *cert_widget;
339 gchar *invalid_str = sslcertwindow_get_invalid_str(cert);
342 vbox = gtk_vbox_new(FALSE, 5);
343 buf = g_strdup_printf(_("Certificate for %s is unknown.\n%sDo you want to accept it?"), cert->host, invalid_str);
346 label = gtk_label_new(buf);
347 gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
348 gtk_box_pack_start(GTK_BOX(vbox), label, TRUE, TRUE, 0);
351 sig_status = ssl_certificate_check_signer(cert, cert->status);
352 if (sig_status==NULL)
353 sig_status = g_strdup(_("Correct"));
355 buf = g_strdup_printf(_("Signature status: %s"), sig_status);
356 label = gtk_label_new(buf);
357 gtk_label_set_selectable(GTK_LABEL(label), TRUE);
358 gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
359 gtk_box_pack_start(GTK_BOX(vbox), label, TRUE, TRUE, 0);
363 button = gtk_expander_new_with_mnemonic(_("_View certificate"));
364 gtk_box_pack_start(GTK_BOX(vbox), button, FALSE, FALSE, 0);
365 cert_widget = cert_presenter(cert);
366 gtk_container_add(GTK_CONTAINER(button), cert_widget);
368 if (!ssl_certificate_check_subject_cn(cert))
369 title = _("SSL/TLS certificate is invalid");
371 title = _("SSL/TLS certificate is unknown");
373 val = alertpanel_full(title, NULL,
374 _("_Cancel connection"), _("_Accept and save"), NULL,
375 ALERTFOCUS_FIRST, FALSE, vbox, ALERT_QUESTION);
377 return (val == G_ALERTALTERNATE);
380 static gboolean sslcertwindow_ask_expired_cert(SSLCertificate *cert)
382 gchar *buf, *sig_status;
387 GtkWidget *cert_widget;
388 gchar *invalid_str = sslcertwindow_get_invalid_str(cert);
391 vbox = gtk_vbox_new(FALSE, 5);
392 buf = g_strdup_printf(_("Certificate for %s is expired.\n%sDo you want to continue?"), cert->host, invalid_str);
395 label = gtk_label_new(buf);
396 gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
397 gtk_box_pack_start(GTK_BOX(vbox), label, TRUE, TRUE, 0);
400 sig_status = ssl_certificate_check_signer(cert, cert->status);
402 if (sig_status==NULL)
403 sig_status = g_strdup(_("Correct"));
405 buf = g_strdup_printf(_("Signature status: %s"), sig_status);
406 label = gtk_label_new(buf);
407 gtk_label_set_selectable(GTK_LABEL(label), TRUE);
408 gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
409 gtk_box_pack_start(GTK_BOX(vbox), label, TRUE, TRUE, 0);
413 button = gtk_expander_new_with_mnemonic(_("_View certificate"));
414 gtk_box_pack_start(GTK_BOX(vbox), button, FALSE, FALSE, 0);
415 cert_widget = cert_presenter(cert);
416 gtk_container_add(GTK_CONTAINER(button), cert_widget);
418 if (!ssl_certificate_check_subject_cn(cert))
419 title = _("SSL/TLS certificate is invalid and expired");
421 title = _("SSL/TLS certificate is expired");
423 val = alertpanel_full(title, NULL,
424 _("_Cancel connection"), _("_Accept"), NULL,
425 ALERTFOCUS_FIRST, FALSE, vbox, ALERT_QUESTION);
427 return (val == G_ALERTALTERNATE);
430 static gboolean sslcertwindow_ask_changed_cert(SSLCertificate *old_cert, SSLCertificate *new_cert)
432 GtkWidget *old_cert_widget = cert_presenter(old_cert);
433 GtkWidget *new_cert_widget = cert_presenter(new_cert);
435 gchar *buf, *sig_status;
440 gchar *invalid_str = sslcertwindow_get_invalid_str(new_cert);
443 vbox = gtk_vbox_new(FALSE, 5);
444 label = gtk_label_new(_("New certificate:"));
445 gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
446 gtk_box_pack_end(GTK_BOX(vbox), new_cert_widget, TRUE, TRUE, 0);
447 gtk_box_pack_end(GTK_BOX(vbox), label, TRUE, TRUE, 0);
448 gtk_box_pack_end(GTK_BOX(vbox), gtk_hseparator_new(), TRUE, TRUE, 0);
449 label = gtk_label_new(_("Known certificate:"));
450 gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
451 gtk_box_pack_end(GTK_BOX(vbox), old_cert_widget, TRUE, TRUE, 0);
452 gtk_box_pack_end(GTK_BOX(vbox), label, TRUE, TRUE, 0);
453 gtk_widget_show_all(vbox);
455 vbox2 = gtk_vbox_new(FALSE, 5);
456 buf = g_strdup_printf(_("Certificate for %s has changed.\n%sDo you want to accept it?"), new_cert->host, invalid_str);
459 label = gtk_label_new(buf);
460 gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
461 gtk_box_pack_start(GTK_BOX(vbox2), label, TRUE, TRUE, 0);
464 sig_status = ssl_certificate_check_signer(new_cert, new_cert->status);
466 if (sig_status==NULL)
467 sig_status = g_strdup(_("Correct"));
469 buf = g_strdup_printf(_("Signature status: %s"), sig_status);
470 label = gtk_label_new(buf);
471 gtk_label_set_selectable(GTK_LABEL(label), TRUE);
472 gtk_misc_set_alignment (GTK_MISC (label), 0, 0.5);
473 gtk_box_pack_start(GTK_BOX(vbox2), label, TRUE, TRUE, 0);
477 button = gtk_expander_new_with_mnemonic(_("_View certificates"));
478 gtk_box_pack_start(GTK_BOX(vbox2), button, FALSE, FALSE, 0);
479 gtk_container_add(GTK_CONTAINER(button), vbox);
481 if (!ssl_certificate_check_subject_cn(new_cert))
482 title = _("SSL/TLS certificate changed and is invalid");
484 title = _("SSL/TLS certificate changed");
485 val = alertpanel_full(title, NULL,
486 _("_Cancel connection"), _("_Accept and save"), NULL,
487 ALERTFOCUS_FIRST, FALSE, vbox2, ALERT_WARNING);
489 return (val == G_ALERTALTERNATE);