OLD | NEW |
---|---|
(Empty) | |
1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "net/base/temporary_root_certs.h" | |
6 | |
7 #include <cert.h> | |
8 | |
9 #include "base/logging.h" | |
10 #include "base/nss_util.h" | |
11 #include "net/base/x509_certificate.h" | |
12 | |
13 namespace net { | |
14 | |
15 class TemporaryRootCerts::TrustEntry { | |
16 public: | |
17 TrustEntry(CERTCertificate* certificate, CERTCertTrust trust); | |
18 TrustEntry(const TrustEntry& entry); | |
19 ~TrustEntry(); | |
20 | |
21 TrustEntry& operator=(const TrustEntry& entry); | |
22 | |
23 CERTCertificate* certificate() const { return certificate_; } | |
24 CERTCertTrust trust() const { return trust_; } | |
25 | |
26 private: | |
27 // The temporary root certificate. | |
28 CERTCertificate* certificate_; | |
29 | |
30 // The original trust settings, before |certificate_| was manipulated to | |
31 // be a temporarily trusted root. | |
32 CERTCertTrust trust_; | |
33 }; | |
34 | |
35 TemporaryRootCerts::TrustEntry::TrustEntry(CERTCertificate* certificate, | |
36 CERTCertTrust trust) | |
37 : certificate_(CERT_DupCertificate(certificate)), | |
38 trust_(trust) {} | |
39 | |
40 TemporaryRootCerts::TrustEntry::TrustEntry(const TrustEntry& entry) | |
wtc
2010/11/16 23:24:01
It seems that this is exactly what the compiler ca
Ryan Sleevi
2010/11/17 09:37:43
My understanding is that the implicitly generated
| |
41 : certificate_(NULL) { | |
42 *this = entry; | |
43 } | |
44 | |
45 TemporaryRootCerts::TrustEntry::~TrustEntry() { | |
46 CERT_DestroyCertificate(certificate_); | |
47 } | |
48 | |
49 TemporaryRootCerts::TrustEntry& | |
50 TemporaryRootCerts::TrustEntry::operator=(const TrustEntry& entry) { | |
51 CERT_DestroyCertificate(certificate_); | |
52 certificate_ = CERT_DupCertificate(entry.certificate_); | |
53 trust_ = entry.trust_; | |
54 return *this; | |
55 } | |
56 | |
57 bool TemporaryRootCerts::Add(X509Certificate* certificate) { | |
58 if (cert_trust_map_.find(certificate->fingerprint()) != | |
59 cert_trust_map_.end()) | |
60 return true; | |
61 | |
62 // Preserve the original trust bits so that they can be restored when | |
63 // the certificate is removed. | |
64 CERTCertTrust nss_trust; | |
65 SECStatus rv = CERT_GetCertTrust(certificate->os_cert_handle(), | |
66 &nss_trust); | |
67 // TODO(rsleevi): Not checking rv because an untrusted (ephemeral) cert | |
68 // will return SECFailure, rather than initializing an empty trust | |
69 // structure. | |
70 | |
71 TrustEntry entry(certificate->os_cert_handle(), nss_trust); | |
bulach
2010/11/09 16:21:09
could move this further down to 88
Ryan Sleevi
2010/11/17 09:37:43
No, this copies |nss_trust|, which is then modifie
| |
72 | |
73 // Change the trust bits to unconditionally trust this certificate. | |
74 // TODO(port): remove this const_cast after NSS 3.12.3 is released. | |
wtc
2010/11/16 23:24:01
Nit: you can remove this TODO comment and the cons
| |
75 rv = CERT_DecodeTrustString(&nss_trust, const_cast<char*>("TCu,Cu,Tu")); | |
76 if (rv != SECSuccess) { | |
77 LOG(ERROR) << "Cannot decode certificate trust string."; | |
78 return false; | |
79 } | |
80 | |
81 rv = CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), | |
82 certificate->os_cert_handle(), | |
83 &nss_trust); | |
84 if (rv != SECSuccess) { | |
85 LOG(ERROR) << "Cannot change certificate trust."; | |
86 return false; | |
87 } | |
88 | |
89 cert_trust_map_.insert(std::make_pair(certificate->fingerprint(), entry)); | |
wtc
2010/11/16 23:24:01
Isn't this equivalent to
cert_trust_map_[certifi
Ryan Sleevi
2010/11/17 09:37:43
Depends :) Using operator[] for a map<Key, T> forc
| |
90 return true; | |
91 } | |
92 | |
93 void TemporaryRootCerts::Remove(X509Certificate* certificate) { | |
94 CertTrustMap::iterator it = | |
95 cert_trust_map_.find(certificate->fingerprint()); | |
96 if (it == cert_trust_map_.end()) | |
97 return; | |
98 | |
99 CERTCertTrust original_trust = it->second.trust(); | |
100 cert_trust_map_.erase(it); | |
101 | |
102 CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), | |
103 certificate->os_cert_handle(), | |
104 &original_trust); | |
105 } | |
106 | |
107 TemporaryRootCerts::TemporaryRootCerts() { | |
108 base::EnsureNSSInit(); | |
109 } | |
110 | |
111 TemporaryRootCerts::~TemporaryRootCerts() { | |
112 // Restore the certificate trusts to what they were originally. | |
113 for (CertTrustMap::iterator it = cert_trust_map_.begin(); | |
114 it != cert_trust_map_.end(); ++it) { | |
115 CERTCertTrust original_trust = it->second.trust(); | |
116 CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), | |
117 it->second.certificate(), | |
118 &original_trust); | |
119 } | |
120 } | |
121 | |
122 } // namespace net | |
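Review bot: In `Add()`, `nss_trust` is left uninitialized when `CERT_GetCertTrust` fails, which the TODO on new lines 67-69 says is the expected result for an untrusted (ephemeral) cert, and that indeterminate value is then copied into `TrustEntry` as the "original" trust. `Remove()` and `~TemporaryRootCerts()` later write it back through `CERT_ChangeCertTrust`, so for such a cert the restored trust flags are whatever was on the stack rather than "no trust". Zero-initialising the struct before the call, `CERTCertTrust nss_trust = {0};`, gives the saved state a defined empty value in that case. The restore calls in `Remove()` and the destructor also discard the `SECStatus` result, and `Remove()` erases the map entry before attempting the restore, so a failed restore would leave the certificate trusted as a root with no log line and no later retry. Checking the result there, e.g. `if (rv != SECSuccess) LOG(ERROR) << "Cannot restore certificate trust.";`, would surface it.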