Chromium Code Reviews Chromium Code Reviews
Issue 9940001:
Fix imported server certs being distrusted in NSS 3.13. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #ifndef NET_BASE_CERT_DATABASE_H_ | 5 #ifndef NET_BASE_CERT_DATABASE_H_ |
| 6 #define NET_BASE_CERT_DATABASE_H_ | 6 #define NET_BASE_CERT_DATABASE_H_ |
| 7 #pragma once | 7 #pragma once |
| 8 | 8 |
| 9 #include <string> | 9 #include <string> |
| 10 #include <vector> | 10 #include <vector> |
| (...skipping 62 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 73 | 73 |
| 74 // Constants that define which usages a certificate is trusted for. | 74 // Constants that define which usages a certificate is trusted for. |
| 75 // They are used in combination with CertType to specify trust for each type | 75 // They are used in combination with CertType to specify trust for each type |
| 76 // of certificate. | 76 // of certificate. |
| 77 // For a CA_CERT, they specify that the CA is trusted for issuing server and | 77 // For a CA_CERT, they specify that the CA is trusted for issuing server and |
| 78 // client certs of each type. | 78 // client certs of each type. |
| 79 // For SERVER_CERT, only TRUSTED_SSL makes sense, and specifies the cert is | 79 // For SERVER_CERT, only TRUSTED_SSL makes sense, and specifies the cert is |
| 80 // trusted as a server. | 80 // trusted as a server. |
| 81 // For EMAIL_CERT, only TRUSTED_EMAIL makes sense, and specifies the cert is | 81 // For EMAIL_CERT, only TRUSTED_EMAIL makes sense, and specifies the cert is |
| 82 // trusted for email. | 82 // trusted for email. |
| 83 // DISTRUSTED_* specifies that the cert should not be trusted for the given | |
| 84 // use, regardless of whether it would otherwise inherit trust from the issuer | |
|
wtc
2012/05/22 00:28:39
Nit: use => usage
mattm
2012/05/26 03:41:35
Done.
| |
| 85 // chain. | |
| 83 // NOTE: The actual constants are defined using an enum instead of static | 86 // NOTE: The actual constants are defined using an enum instead of static |
| 84 // consts due to compilation/linkage constraints with template functions. | 87 // consts due to compilation/linkage constraints with template functions. |
| 85 typedef uint32 TrustBits; | 88 typedef uint32 TrustBits; |
| 86 enum { | 89 enum { |
| 87 UNTRUSTED = 0, | 90 TRUST_DEFAULT = 0, |
|
wtc
2012/05/22 00:28:39
Please document TRUST_DEFAULT. You can copy from
mattm
2012/05/26 03:41:35
Done.
| |
| 88 TRUSTED_SSL = 1 << 0, | 91 TRUSTED_SSL = 1 << 0, |
| 89 TRUSTED_EMAIL = 1 << 1, | 92 TRUSTED_EMAIL = 1 << 1, |
| 90 TRUSTED_OBJ_SIGN = 1 << 2, | 93 TRUSTED_OBJ_SIGN = 1 << 2, |
| 94 DISTRUSTED_SSL = 1 << 3, | |
| 95 DISTRUSTED_EMAIL = 1 << 4, | |
| 96 DISTRUSTED_OBJ_SIGN = 1 << 5, | |
| 91 }; | 97 }; |
| 92 | 98 |
| 93 CertDatabase(); | 99 CertDatabase(); |
| 94 | 100 |
| 95 // Check whether this is a valid user cert that we have the private key for. | 101 // Check whether this is a valid user cert that we have the private key for. |
| 96 // Returns OK or a network error code such as ERR_CERT_CONTAINS_ERRORS. | 102 // Returns OK or a network error code such as ERR_CERT_CONTAINS_ERRORS. |
| 97 int CheckUserCert(X509Certificate* cert); | 103 int CheckUserCert(X509Certificate* cert); |
| 98 | 104 |
| 99 // Store user (client) certificate. Assumes CheckUserCert has already passed. | 105 // Store user (client) certificate. Assumes CheckUserCert has already passed. |
| 100 // Returns OK, or ERR_ADD_USER_CERT_FAILED if there was a problem saving to | 106 // Returns OK, or ERR_ADD_USER_CERT_FAILED if there was a problem saving to |
| 101 // the platform cert database, or possibly other network error codes. | 107 // the platform cert database, or possibly other network error codes. |
| 102 int AddUserCert(X509Certificate* cert); | 108 int AddUserCert(X509Certificate* cert); |
| 103 | 109 |
| 104 #if defined(USE_NSS) || defined(USE_OPENSSL) | 110 #if defined(USE_NSS) |
| 105 // Get a list of unique certificates in the certificate database (one | 111 // Get a list of unique certificates in the certificate database (one |
| 106 // instance of all certificates). | 112 // instance of all certificates). |
| 107 void ListCerts(CertificateList* certs); | 113 void ListCerts(CertificateList* certs); |
| 108 | 114 |
| 109 // Get the default module for public key data. | 115 // Get the default module for public key data. |
| 110 // The returned pointer must be stored in a scoped_refptr<CryptoModule>. | 116 // The returned pointer must be stored in a scoped_refptr<CryptoModule>. |
| 111 CryptoModule* GetPublicModule() const; | 117 CryptoModule* GetPublicModule() const; |
| 112 | 118 |
| 113 // Get the default module for private key or mixed private/public key data. | 119 // Get the default module for private key or mixed private/public key data. |
| 114 // The returned pointer must be stored in a scoped_refptr<CryptoModule>. | 120 // The returned pointer must be stored in a scoped_refptr<CryptoModule>. |
| (...skipping 36 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 151 // imported. | 157 // imported. |
| 152 bool ImportCACerts(const CertificateList& certificates, | 158 bool ImportCACerts(const CertificateList& certificates, |
| 153 TrustBits trust_bits, | 159 TrustBits trust_bits, |
| 154 ImportCertFailureList* not_imported); | 160 ImportCertFailureList* not_imported); |
| 155 | 161 |
| 156 // Import server certificate. The first cert should be the server cert. Any | 162 // Import server certificate. The first cert should be the server cert. Any |
| 157 // additional certs should be intermediate/CA certs and will be imported but | 163 // additional certs should be intermediate/CA certs and will be imported but |
| 158 // not given any trust. | 164 // not given any trust. |
| 159 // Any certificates that could not be imported will be listed in | 165 // Any certificates that could not be imported will be listed in |
| 160 // |not_imported|. | 166 // |not_imported|. |
| 167 // |trust_bits| can be set to explicitly trust or distrust the certificate, or | |
| 168 // use TRUST_DEFAULT to inherit trust as normal. | |
| 161 // Returns false if there is an internal error, otherwise true is returned and | 169 // Returns false if there is an internal error, otherwise true is returned and |
| 162 // |not_imported| should be checked for any certificates that were not | 170 // |not_imported| should be checked for any certificates that were not |
| 163 // imported. | 171 // imported. |
| 164 bool ImportServerCert(const CertificateList& certificates, | 172 bool ImportServerCert(const CertificateList& certificates, |
| 173 TrustBits trust_bits, | |
| 165 ImportCertFailureList* not_imported); | 174 ImportCertFailureList* not_imported); |
| 166 | 175 |
| 167 // Get trust bits for certificate. | 176 // Get trust bits for certificate. |
| 168 TrustBits GetCertTrust(const X509Certificate* cert, CertType type) const; | 177 TrustBits GetCertTrust(const X509Certificate* cert, CertType type) const; |
| 169 | 178 |
| 170 // IsUntrusted returns true if |cert| is specifically untrusted. These | 179 // IsUntrusted returns true if |cert| is specifically untrusted. These |
| 171 // certificates are stored in the database for the specific purpose of | 180 // certificates are stored in the database for the specific purpose of |
| 172 // rejecting them. | 181 // rejecting them. |
| 173 bool IsUntrusted(const X509Certificate* cert) const; | 182 bool IsUntrusted(const X509Certificate* cert) const; |
| 174 | 183 |
| (...skipping 26 matching lines...) Expand all Loading... | |
| 201 static void NotifyObserversOfUserCertAdded(const X509Certificate* cert); | 210 static void NotifyObserversOfUserCertAdded(const X509Certificate* cert); |
| 202 static void NotifyObserversOfUserCertRemoved(const X509Certificate* cert); | 211 static void NotifyObserversOfUserCertRemoved(const X509Certificate* cert); |
| 203 static void NotifyObserversOfCertTrustChanged(const X509Certificate* cert); | 212 static void NotifyObserversOfCertTrustChanged(const X509Certificate* cert); |
| 204 | 213 |
| 205 DISALLOW_COPY_AND_ASSIGN(CertDatabase); | 214 DISALLOW_COPY_AND_ASSIGN(CertDatabase); |
| 206 }; | 215 }; |
| 207 | 216 |
| 208 } // namespace net | 217 } // namespace net |
| 209 | 218 |
| 210 #endif // NET_BASE_CERT_DATABASE_H_ | 219 #endif // NET_BASE_CERT_DATABASE_H_ |
| OLD | NEW |
