25 #include <ksslconfig.h>
30 #include <QtCore/QString>
31 #include <QtCore/QStringList>
32 #include <QtCore/QFile>
42 #include <QtCore/QDate>
45 #include <sys/types.h>
47 #ifdef HAVE_SYS_STAT_H
54 #define crypt _openssl_crypt
55 #include <openssl/ssl.h>
56 #include <openssl/x509.h>
57 #include <openssl/x509v3.h>
58 #include <openssl/x509_vfy.h>
59 #include <openssl/pem.h>
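// Upper-case hexadecimal digits, indexed by nibble value (0-15).
// The table is only ever read (callers index it with a value masked to four
// bits), so it is declared const to keep it out of writable data.
static const char hv[] = {'0', '1', '2', '3', '4', '5', '6', '7',
                          '8', '9', 'A', 'B', 'C', 'D', 'E', 'F'};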
72 class KSSLCertificatePrivate {
74 KSSLCertificatePrivate() {
75 kossl = KOSSL::self();
79 ~KSSLCertificatePrivate() {
94 d =
new KSSLCertificatePrivate;
95 d->m_stateCached =
false;
96 KGlobal::dirs()->addResourceType(
"kssl",
"data",
"kssl");
104 d =
new KSSLCertificatePrivate;
105 d->m_stateCached =
false;
106 KGlobal::dirs()->addResourceType(
"kssl",
"data",
"kssl");
109 setCert(KOSSL::self()->X509_dup(const_cast<KSSLCertificate&>(x).
getCert()));
121 d->kossl->X509_free(d->m_cert);
138 n->
setCert(KOSSL::self()->X509_dup(x5));
// Excerpt: builds an X509 object from base64 text. Lines missing from the
// original numbering (149-151, 155+) are not shown in this listing.
// Empty input is special-cased first (branch body not shown).
148 if (cert.isEmpty()) {
// The supplied text is treated as base64-encoded DER.
152 QByteArray qba = QByteArray::fromBase64(cert);
// d2i_X509 receives the address of this scratch pointer, not of qba's own
// buffer pointer; OpenSSL's d2i_* parsers advance the pointer they are given.
153 unsigned char *qbap =
reinterpret_cast<unsigned char *
>(qba.data());
// Parsing is bounded by qba.size(), the decoded length.
// NOTE(review): x5c is presumably NULL when the bytes are not a valid
// certificate; confirm the omitted lines check it before use.
154 X509 *x5c = KOSSL::self()->d2i_X509(NULL, &qbap, qba.size());
171 char *t = d->kossl->X509_NAME_oneline(d->kossl->X509_get_subject_name(d->m_cert), 0, 0);
176 d->kossl->OPENSSL_free(t);
186 ASN1_INTEGER *aint = d->kossl->X509_get_serialNumber(d->m_cert);
188 rc = ASN1_INTEGER_QString(aint);
203 i = d->kossl->OBJ_obj2nid(d->m_cert->sig_alg->algorithm);
204 rc =
i18n(
"Signature Algorithm: ");
205 rc += (i == NID_undef)?
i18n(
"Unknown"):
QString(d->kossl->OBJ_nid2ln(i));
208 rc +=
i18n(
"Signature Contents:");
209 n = d->m_cert->signature->length;
210 s = (
char *)d->m_cert->signature->data;
211 for (i = 0; i < n; ++i) {
218 rc.append(QChar(
hv[(s[i]&0xf0)>>4]));
219 rc.append(QChar(
hv[s[i]&0x0f]));
235 STACK *s = d->kossl->X509_get1_email(d->m_cert);
237 for(
int n=0; n < s->num; n++) {
238 to.append(d->kossl->sk_value(s,n));
240 d->kossl->X509_email_free(s);
253 int pos = k.lastIndexOf(
'(');
255 unsigned int len = k.length();
256 if (k.at(len-1) ==
')') {
257 rc = k.mid(pos+1, len-pos-2);
// Excerpt: renders the certificate's MD5 digest as hex text (gaps in the
// original numbering are lines this listing omits).
// Buffer is sized for the largest digest OpenSSL can produce.
269 unsigned char md[EVP_MAX_MD_SIZE];
// The digest algorithm is MD5. MD5 is not collision resistant, so this value
// is suitable for display or lookup only, never as the basis of a trust decision.
// n receives the number of digest bytes written.
271 if (!d->kossl->X509_digest(d->m_cert, d->kossl->EVP_md5(), md, &n)) {
// Only the n bytes reported by X509_digest are read.
275 for (
unsigned int j = 0; j < n; j++) {
// High nibble first, then low nibble; both indices are masked to 0..15.
279 rc.append(QChar(
hv[(md[j]&0xf0)>>4]));
280 rc.append(QChar(
hv[md[j]&0x0f]));
// Excerpt: second MD5-to-hex rendering, appending QLatin1Char instead of
// QChar (gaps in the original numbering are lines this listing omits).
// Buffer is sized for the largest digest OpenSSL can produce.
295 unsigned char md[EVP_MAX_MD_SIZE];
// MD5 again: collision-prone, so treat the result as an identifier for
// display, not as evidence that two certificates are the same.
297 if (!d->kossl->X509_digest(d->m_cert, d->kossl->EVP_md5(), md, &n)) {
// Loop is bounded by n, the digest length written by X509_digest.
301 for (
unsigned int j = 0; j < n; j++) {
// Two hex digits per byte, high nibble first.
302 rc.append(QLatin1Char(
hv[(md[j]&0xf0)>>4]));
303 rc.append(QLatin1Char(
hv[md[j]&0x0f]));
317 EVP_PKEY *pkey = d->kossl->X509_get_pubkey(d->m_cert);
320 if (pkey->type == EVP_PKEY_RSA) {
326 if (pkey->type == EVP_PKEY_DSA) {
332 d->kossl->EVP_PKEY_free(pkey);
346 EVP_PKEY *pkey = d->kossl->X509_get_pubkey(d->m_cert);
348 rc =
i18nc(
"Unknown",
"Unknown key algorithm");
350 if (pkey->type == EVP_PKEY_RSA) {
351 x = d->kossl->BN_bn2hex(pkey->pkey.rsa->n);
352 rc =
i18n(
"Key type: RSA (%1 bit)", strlen(x)*4) +
'\n';
354 rc +=
i18n(
"Modulus: ");
355 for (
unsigned int i = 0; i < strlen(x); i++) {
356 if (i%40 != 0 && i%2 == 0) {
359 else if (i%40 == 0) {
365 d->kossl->OPENSSL_free(x);
367 x = d->kossl->BN_bn2hex(pkey->pkey.rsa->e);
368 rc +=
i18n(
"Exponent: 0x") + QLatin1String(x) +
370 d->kossl->OPENSSL_free(x);
374 if (pkey->type == EVP_PKEY_DSA) {
375 x = d->kossl->BN_bn2hex(pkey->pkey.dsa->p);
377 rc =
i18n(
"Key type: DSA (%1 bit)", strlen(x)*4) +
'\n';
379 rc +=
i18n(
"Prime: ");
380 for (
unsigned int i = 0; i < strlen(x); i++) {
381 if (i%40 != 0 && i%2 == 0) {
384 else if (i%40 == 0) {
390 d->kossl->OPENSSL_free(x);
392 x = d->kossl->BN_bn2hex(pkey->pkey.dsa->q);
393 rc +=
i18n(
"160 bit prime factor: ");
394 for (
unsigned int i = 0; i < strlen(x); i++) {
395 if (i%40 != 0 && i%2 == 0) {
398 else if (i%40 == 0) {
404 d->kossl->OPENSSL_free(x);
406 x = d->kossl->BN_bn2hex(pkey->pkey.dsa->g);
408 for (
unsigned int i = 0; i < strlen(x); i++) {
409 if (i%40 != 0 && i%2 == 0) {
412 else if (i%40 == 0) {
418 d->kossl->OPENSSL_free(x);
420 x = d->kossl->BN_bn2hex(pkey->pkey.dsa->pub_key);
421 rc +=
i18n(
"Public key: ");
422 for (
unsigned int i = 0; i < strlen(x); i++) {
423 if (i%40 != 0 && i%2 == 0) {
426 else if (i%40 == 0) {
432 d->kossl->OPENSSL_free(x);
435 d->kossl->EVP_PKEY_free(pkey);
448 char *t = d->kossl->X509_NAME_oneline(d->kossl->X509_get_issuer_name(d->m_cert), 0, 0);
455 d->kossl->OPENSSL_free(t);
463 d->_chain.setChain(c);
465 d->m_stateCached =
false;
473 d->_extensions.flags = 0;
474 d->kossl->X509_check_purpose(c, -1, 0);
477 kDebug(7029) <<
"---------------- Certificate ------------------"
482 for (
int j = 0; j < d->kossl->X509_PURPOSE_get_count(); j++) {
483 X509_PURPOSE *ptmp = d->kossl->X509_PURPOSE_get0(j);
484 int id = d->kossl->X509_PURPOSE_get_id(ptmp);
485 for (
int ca = 0; ca < 2; ca++) {
486 int idret = d->kossl->X509_check_purpose(c,
id, ca);
487 if (idret == 1 || idret == 2) {
490 d->_extensions.flags |= (1L <<(
id-1));
492 else d->_extensions.flags |= (1L <<(16+
id-1));
495 d->_extensions.flags &= ~(1L <<(
id-1));
497 else d->_extensions.flags &= ~(1L <<(16+
id-1));
508 if (c->ex_flags & EXFLAG_KUSAGE)
509 kDebug(7029) <<
" --- Key Usage extensions found";
510 else kDebug(7029) <<
" --- Key Usage extensions NOT found";
512 if (c->ex_flags & EXFLAG_XKUSAGE)
513 kDebug(7029) <<
" --- Extended key usage extensions found";
514 else kDebug(7029) <<
" --- Extended key usage extensions NOT found";
516 if (c->ex_flags & EXFLAG_NSCERT)
517 kDebug(7029) <<
" --- NS extensions found";
518 else kDebug(7029) <<
" --- NS extensions NOT found";
520 if (d->_extensions.certTypeSSLCA())
521 kDebug(7029) <<
"NOTE: this is an SSL CA file.";
522 else kDebug(7029) <<
"NOTE: this is NOT an SSL CA file.";
524 if (d->_extensions.certTypeEmailCA())
525 kDebug(7029) <<
"NOTE: this is an EMAIL CA file.";
526 else kDebug(7029) <<
"NOTE: this is NOT an EMAIL CA file.";
528 if (d->_extensions.certTypeCodeCA())
529 kDebug(7029) <<
"NOTE: this is a CODE CA file.";
530 else kDebug(7029) <<
"NOTE: this is NOT a CODE CA file.";
532 if (d->_extensions.certTypeSSLClient())
533 kDebug(7029) <<
"NOTE: this is an SSL client.";
534 else kDebug(7029) <<
"NOTE: this is NOT an SSL client.";
536 if (d->_extensions.certTypeSSLServer())
537 kDebug(7029) <<
"NOTE: this is an SSL server.";
538 else kDebug(7029) <<
"NOTE: this is NOT an SSL server.";
540 if (d->_extensions.certTypeNSSSLServer())
541 kDebug(7029) <<
"NOTE: this is a NETSCAPE SSL server.";
542 else kDebug(7029) <<
"NOTE: this is NOT a NETSCAPE SSL server.";
544 if (d->_extensions.certTypeSMIME())
545 kDebug(7029) <<
"NOTE: this is an SMIME certificate.";
546 else kDebug(7029) <<
"NOTE: this is NOT an SMIME certificate.";
548 if (d->_extensions.certTypeSMIMEEncrypt())
549 kDebug(7029) <<
"NOTE: this is an SMIME encrypt cert.";
550 else kDebug(7029) <<
"NOTE: this is NOT an SMIME encrypt cert.";
552 if (d->_extensions.certTypeSMIMESign())
553 kDebug(7029) <<
"NOTE: this is an SMIME sign cert.";
554 else kDebug(7029) <<
"NOTE: this is NOT an SMIME sign cert.";
556 if (d->_extensions.certTypeCRLSign())
557 kDebug(7029) <<
"NOTE: this is a CRL signer.";
558 else kDebug(7029) <<
"NOTE: this is NOT a CRL signer.";
560 kDebug(7029) <<
"-----------------------------------------------"
565 d->m_stateCached =
false;
579 #include "ksslcallback.c"
596 rc = X509_PURPOSE_SSL_SERVER;
598 rc = X509_PURPOSE_SSL_CLIENT;
600 rc = X509_PURPOSE_SMIME_ENCRYPT;
602 rc = X509_PURPOSE_SMIME_SIGN;
604 rc = X509_PURPOSE_ANY;
619 if (result.isEmpty()) {
623 return result.first();
// Excerpt of the chain-validation routine. Gaps in the original numbering are
// lines this listing omits, so branch bodies and closing braces are missing.
// A cached verdict is discarded when an explicit ca is supplied or when the
// requested purpose differs from the one used last time.
639 if (ca || (d->_lastPurpose != purpose)) {
640 d->m_stateCached =
false;
// Remember the purpose the next verdict will belong to.
643 if (!d->m_stateCached) {
644 d->_lastPurpose = purpose;
648 X509_STORE *certStore;
649 X509_LOOKUP *certLookup;
650 X509_STORE_CTX *certStoreCTX;
// Still-valid cache: the stored verdict is appended to the result list.
658 if (d->m_stateCached) {
659 errors << d->m_stateCache;
// Trust anchors are looked up in every directory registered for "kssl".
663 const QStringList qsl = KGlobal::dirs()->resourceDirs(
"kssl");
672 for (QStringList::ConstIterator j = qsl.begin(); j != qsl.end(); ++j) {
// Each directory is probed for a file named ca-bundle.crt.
674 QString _j = (*j) +
"ca-bundle.crt";
// NOTE(review): the path is narrowed to Latin-1 here and again when the
// bundle is loaded; a directory name with characters outside Latin-1 would
// not round-trip, so that bundle would not be found.
675 if (-1 == KDE_stat(_j.toLatin1().constData(), &sb)) {
679 certStore = d->kossl->X509_STORE_new();
// X509Callback becomes the store's verify callback. A verify callback's
// return value overrides OpenSSL's own per-certificate verdict, so its logic
// is part of the trust decision and needs the same review as this routine.
685 X509_STORE_set_verify_cb_func(certStore, X509Callback);
687 certLookup = d->kossl->X509_STORE_add_lookup(certStore, d->kossl->X509_LOOKUP_file());
// Store released on what is presumably the lookup-failure path (condition not shown).
690 d->kossl->X509_STORE_free(certStore);
// The bundle is read as PEM; a load failure is logged and the store released.
694 if (!d->kossl->X509_LOOKUP_load_file(certLookup, _j.toLatin1().constData(), X509_FILETYPE_PEM)) {
696 kDebug(7029) <<
"KSSL couldn't read CA root: "
699 d->kossl->X509_STORE_free(certStore);
704 certStoreCTX = d->kossl->X509_STORE_CTX_new();
709 kDebug(7029) <<
"KSSL couldn't create an X509 store context.";
710 d->kossl->X509_STORE_free(certStore);
// The context is initialised with this certificate and no extra chain (NULL).
714 d->kossl->X509_STORE_CTX_init(certStoreCTX, certStore, d->m_cert, NULL);
// If a peer chain is held, it is handed over as the additional (untrusted)
// certificates to build the path from.
715 if (d->_chain.isValid()) {
716 d->kossl->X509_STORE_CTX_set_chain(certStoreCTX, (
STACK_OF(X509)*)d->_chain.rawChain());
722 d->kossl->X509_STORE_CTX_set_purpose(certStoreCTX, purposeToOpenSSL(purpose));
// These two names carry no object qualifier, so they are not per-certificate
// state. NOTE(review): presumably file-scope variables shared with
// X509Callback; if so, two validations running concurrently would overwrite
// each other's values — confirm callers serialise this routine.
724 KSSL_X509CallBack_ca = ca ? ca->d->m_cert : 0;
725 KSSL_X509CallBack_ca_found =
false;
// The error field is reset and read back by direct member access, which only
// compiles against OpenSSL versions where X509_STORE_CTX is not opaque.
727 certStoreCTX->error = X509_V_OK;
728 rc = d->kossl->X509_verify_cert(certStoreCTX);
729 int errcode = certStoreCTX->error;
// A ca was requested but the callback never reported seeing it (body not shown).
730 if (ca && !KSSL_X509CallBack_ca_found) {
// Second verification pass with the purpose switched to NS SSL server.
// NOTE(review): the guarding condition is not shown; confirm this retry runs
// only for the SSL-server purpose, so that a pass here cannot replace a
// failure recorded for a different requested purpose.
739 d->kossl->X509_STORE_CTX_set_purpose(certStoreCTX,
740 X509_PURPOSE_NS_SSL_SERVER);
742 certStoreCTX->error = X509_V_OK;
743 rc = d->kossl->X509_verify_cert(certStoreCTX);
744 errcode = certStoreCTX->error;
// Context and store are released after verification.
747 d->kossl->X509_STORE_CTX_free(certStoreCTX);
748 d->kossl->X509_STORE_free(certStore);
// The verdict is cached for later calls with the same purpose and no ca.
760 d->m_stateCached =
true;
761 d->m_stateCache = ksslv;
783 d->m_stateCached =
false;
804 case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
809 case X509_V_ERR_UNABLE_TO_GET_CRL:
814 case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
819 case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:
824 case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
829 case X509_V_ERR_CERT_SIGNATURE_FAILURE:
834 case X509_V_ERR_CRL_SIGNATURE_FAILURE:
839 case X509_V_ERR_CERT_NOT_YET_VALID:
844 case X509_V_ERR_CERT_HAS_EXPIRED:
846 kDebug(7029) <<
"KSSL apparently this is expired. Not after: "
851 case X509_V_ERR_CRL_NOT_YET_VALID:
856 case X509_V_ERR_CRL_HAS_EXPIRED:
861 case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
866 case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
871 case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:
876 case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
881 case X509_V_ERR_OUT_OF_MEM:
886 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
891 case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
896 case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
901 case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
906 case X509_V_ERR_CERT_CHAIN_TOO_LONG:
911 case X509_V_ERR_CERT_REVOKED:
916 case X509_V_ERR_INVALID_CA:
921 case X509_V_ERR_PATH_LENGTH_EXCEEDED:
926 case X509_V_ERR_INVALID_PURPOSE:
931 case X509_V_ERR_CERT_UNTRUSTED:
936 case X509_V_ERR_CERT_REJECTED:
941 case X509_V_ERR_SUBJECT_ISSUER_MISMATCH:
946 case X509_V_ERR_AKID_SKID_MISMATCH:
951 case X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH:
956 case X509_V_ERR_KEYUSAGE_NO_CERTSIGN:
962 case X509_V_ERR_APPLICATION_VERIFICATION:
972 d->m_stateCache = rc;
973 d->m_stateCached =
true;
981 return ASN1_UTCTIME_QString(X509_get_notBefore(d->m_cert));
990 return ASN1_UTCTIME_QString(X509_get_notAfter(d->m_cert));
999 return ASN1_UTCTIME_QDateTime(X509_get_notBefore(d->m_cert), NULL);
1001 return QDateTime::currentDateTime();
1007 #ifdef KSSL_HAVE_SSL
1008 return ASN1_UTCTIME_QDateTime(X509_get_notAfter(d->m_cert), NULL);
1010 return QDateTime::currentDateTime();
1016 #ifndef KSSL_HAVE_SSL
1031 #ifdef KSSL_HAVE_SSL
1043 return toDer().toBase64();
1051 return i18n(
"The certificate is valid.");
1053 return i18n(
"Retrieval of the issuer certificate failed. This means the CA's (Certificate Authority) certificate can not be found.");
1055 return i18n(
"Retrieval of the CRL (Certificate Revocation List) failed. This means the CA's (Certificate Authority) CRL can not be found.");
1057 return i18n(
"The decryption of the certificate's signature failed. This means it could not even be calculated as opposed to just not matching the expected result.");
1059 return i18n(
"The decryption of the CRL's (Certificate Revocation List) signature failed. This means it could not even be calculated as opposed to just not matching the expected result.");
1061 return i18n(
"The decoding of the public key of the issuer failed. This means that the CA's (Certificate Authority) certificate can not be used to verify the certificate you wanted to use.");
1063 return i18n(
"The certificate's signature is invalid. This means that the certificate can not be verified.");
1065 return i18n(
"The CRL's (Certificate Revocation List) signature is invalid. This means that the CRL can not be verified.");
// Excerpt: user-visible explanations for validation results; the case labels
// selecting each message are on lines this listing omits.
1067 return i18n(
"The certificate is not valid, yet.");
1069 return i18n(
"The certificate is not valid, any more.");
1071 return i18n(
"The CRL (Certificate Revocation List) is not valid, yet.");
// NOTE(review): this text is identical to the message returned just above.
// By analogy with the certificate pair ("not valid, yet" / "not valid, any
// more") this branch presumably reports an expired CRL and should say so;
// confirm against the case label, since a wrong message here misleads the
// user about why validation failed.
1073 return i18n(
"The CRL (Certificate Revocation List) is not valid, yet.");
1075 return i18n(
"The time format of the certificate's 'notBefore' field is invalid.");
1077 return i18n(
"The time format of the certificate's 'notAfter' field is invalid.");
1079 return i18n(
"The time format of the CRL's (Certificate Revocation List) 'lastUpdate' field is invalid.");
1081 return i18n(
"The time format of the CRL's (Certificate Revocation List) 'nextUpdate' field is invalid.");
1083 return i18n(
"The OpenSSL process ran out of memory.");
1085 return i18n(
"The certificate is self-signed and not in the list of trusted certificates. If you want to accept this certificate, import it into the list of trusted certificates.");
1088 return i18n(
"The certificate is self-signed. While the trust chain could be built up, the root CA's (Certificate Authority) certificate can not be found.");
1090 return i18n(
"The CA's (Certificate Authority) certificate can not be found. Most likely, your trust chain is broken.");
1092 return i18n(
"The certificate can not be verified as it is the only certificate in the trust chain and not self-signed. If you self-sign the certificate, make sure to import it into the list of trusted certificates.");
1094 return i18n(
"The certificate chain is longer than the maximum depth specified.");
1097 return i18n(
"The certificate has been revoked.");
1099 return i18n(
"The certificate's CA (Certificate Authority) is invalid.");
1101 return i18n(
"The length of the trust chain exceeded one of the CA's (Certificate Authority) 'pathlength' parameters, making all subsequent signatures invalid.");
1103 return i18n(
"The certificate has not been signed for the purpose you tried to use it for. This means the CA (Certificate Authority) does not allow this usage.");
1106 return i18n(
"The root CA (Certificate Authority) is not trusted for the purpose you tried to use this certificate for.");
1109 return i18n(
"The root CA (Certificate Authority) has been marked to be rejected for the purpose you tried to use it for.");
1111 return i18n(
"The certificate's CA (Certificate Authority) does not match the CA name of the certificate.");
1113 return i18n(
"The CA (Certificate Authority) certificate's key ID does not match the key ID in the 'Issuer' section of the certificate you are trying to use.");
1115 return i18n(
"The CA (Certificate Authority) certificate's key ID and name do not match the key ID and name in the 'Issuer' section of the certificate you are trying to use.");
1117 return i18n(
"The certificate's CA (Certificate Authority) is not allowed to sign certificates.");
1119 return i18n(
"OpenSSL could not be verified.");
1124 return i18n(
"The signature test for this certificate failed. This could mean that the signature of this certificate or any in its trust path are invalid, could not be decoded or that the CRL (Certificate Revocation List) could not be verified. If you see this message, please let the author of the software you are using know that he or she should use the new, more specific error messages.");
1126 return i18n(
"This certificate, any in its trust path or its CA's (Certificate Authority) CRL (Certificate Revocation List) is not valid. Any of them could not be valid yet or not valid any more. If you see this message, please let the author of the software you are using know that he or she should use the new, more specific error messages.");
1132 return i18n(
"Certificate signing authority root files could not be found so the certificate is not verified.");
1134 return i18n(
"SSL support was not found.");
1136 return i18n(
"Private key test failed.");
1138 return i18n(
"The certificate has not been issued for this host.");
1140 return i18n(
"This certificate is not relevant.");
1145 return i18n(
"The certificate is invalid.");
1151 #ifdef KSSL_HAVE_SSL
1152 int certlen = d->kossl->i2d_X509(
getCert(), NULL);
1156 char *cert =
new char[certlen];
1157 unsigned char *p = (
unsigned char *)cert;
1159 d->kossl->i2d_X509(
getCert(), &p);
1162 qba = QByteArray(cert, certlen);
1174 const char *
header =
"-----BEGIN CERTIFICATE-----\n";
1175 const char *footer =
"-----END CERTIFICATE-----\n";
1179 unsigned int xx = thecert.length() - 1;
1180 for (
unsigned int i = 0; i < xx/64; i++) {
1181 thecert.insert(64*(i+1)+i,
'\n');
1184 thecert.prepend(header);
1186 if (thecert[thecert.length()-1] !=
'\n') {
1190 thecert.append(footer);
1192 qba = thecert.toLocal8Bit();
1197 #define NETSCAPE_CERT_HDR "certificate"
1199 #ifdef KSSL_HAVE_SSL
1200 #if OPENSSL_VERSION_NUMBER < 0x00909000L
1202 typedef struct NETSCAPE_X509_st
1204 ASN1_OCTET_STRING *
header;
1213 #ifdef KSSL_HAVE_SSL
1215 ASN1_OCTET_STRING hdr;
1218 FILE *ktf_fs =
fopen(ktf.fileName().toLatin1(),
"r+");
1225 d->kossl->ASN1_item_i2d_fp(ktf_fs,(
unsigned char *)&nx);
1228 QFile qf(ktf.fileName());
1229 if (qf.open(QIODevice::ReadOnly)) {
1240 #ifdef KSSL_HAVE_SSL
// Excerpt: writes a textual dump of the certificate into the file named by
// ktf and reads it back (gaps in the original numbering are omitted lines).
// The file is reopened by name through C stdio so OpenSSL can write to it.
// NOTE(review): line 1244 is not shown; confirm ktf_fs is checked for NULL
// before it is passed to X509_print. The name is narrowed to Latin-1 first.
1243 FILE *ktf_fs =
fopen(ktf.fileName().toLatin1(),
"r+");
1245 d->kossl->X509_print(ktf_fs,
getCert());
1248 QFile qf(ktf.fileName());
// NOTE(review): the result of open() is discarded. Lines 1249-1251 are
// consecutive in the original numbering, so nothing checks it before size()
// is used to allocate and read; the return value of read() is ignored too.
1249 qf.open(QIODevice::ReadOnly);
// One extra byte is allocated, presumably for a terminating NUL written on a
// line that is not shown.
1250 char *buf =
new char[qf.size()+1];
1251 qf.read(buf, qf.size());
1261 #ifdef KSSL_HAVE_SSL
1262 QByteArray qba, qbb = cert.toLocal8Bit();
1263 qba = QByteArray::fromBase64(qbb);
1264 unsigned char *qbap =
reinterpret_cast<unsigned char *
>(qba.data());
1265 X509 *x5c = KOSSL::self()->d2i_X509(NULL, &qbap, qba.size());
1276 return d->_extensions;
1281 return d->_extensions.certTypeCA();
1287 #ifdef KSSL_HAVE_SSL
// Excerpt: collects DNS entries from the subjectAltName extension (gaps in
// the original numbering are lines this listing omits).
// The extension is decoded into a stack of GENERAL_NAME entries.
1289 names = (
STACK_OF(GENERAL_NAME)*)d->kossl->X509_get_ext_d2i(d->m_cert, NID_subject_alt_name, 0, 0);
1295 int cnt = d->kossl->sk_GENERAL_NAME_num(names);
1297 for (
int i = 0; i < cnt; i++) {
1298 const GENERAL_NAME *val = (
const GENERAL_NAME *)d->kossl->sk_value(names, i);
// Only dNSName entries are considered (branch body not shown).
1299 if (val->type != GEN_DNS) {
// s is built from a C string, so it ends at the first NUL byte in the data.
1303 QString s = (
const char *)d->kossl->ASN1_STRING_data(val->d.ia5);
// Comparing s.length() with the ASN.1 length rejects names containing an
// embedded NUL, which would otherwise be truncated to a different host name.
// The first half of this condition is on a line that is not shown.
1306 s.length() == d->kossl->ASN1_STRING_length(val->d.ia5)) {
// OpenSSL's sk_free releases the stack container only, not its elements.
// NOTE(review): if the kossl wrapper maps straight to it, the GENERAL_NAME
// entries allocated by X509_get_ext_d2i are not freed here — confirm.
1310 d->kossl->sk_free(names);
1325 s << const_cast<KSSLCertificate&>(r).toString() << qsl;
1337 if (r.
setCert(cert) && !qsl.isEmpty()) {