| Index: net/base/nss_cert_database.cc
|
| diff --git a/net/base/cert_database_nss.cc b/net/base/nss_cert_database.cc
|
| similarity index 78%
|
| copy from net/base/cert_database_nss.cc
|
| copy to net/base/nss_cert_database.cc
|
| index be7ea740268acd17a72c20369c98436e8767675b..4834af2b38beed463ff54c1267c1d9bf7b233f62 100644
|
| --- a/net/base/cert_database_nss.cc
|
| +++ b/net/base/nss_cert_database.cc
|
| @@ -2,7 +2,7 @@
|
| // Use of this source code is governed by a BSD-style license that can be
|
| // found in the LICENSE file.
|
|
|
| -#include "net/base/cert_database.h"
|
| +#include "net/base/nss_cert_database.h"
|
|
|
| #include <cert.h>
|
| #include <certdb.h>
|
| @@ -12,8 +12,11 @@
|
|
|
| #include "base/logging.h"
|
| #include "base/memory/scoped_ptr.h"
|
| +#include "base/memory/singleton.h"
|
| +#include "base/observer_list_threadsafe.h"
|
| #include "crypto/nss_util.h"
|
| #include "crypto/nss_util_internal.h"
|
| +#include "net/base/cert_database.h"
|
| #include "net/base/crypto_module.h"
|
| #include "net/base/net_errors.h"
|
| #include "net/base/x509_certificate.h"
|
| @@ -31,56 +34,27 @@ namespace psm = mozilla_security_manager;
|
|
|
| namespace net {
|
|
|
| -CertDatabase::CertDatabase() {
|
| - crypto::EnsureNSSInit();
|
| - psm::EnsurePKCS12Init();
|
| -}
|
| -
|
| -int CertDatabase::CheckUserCert(X509Certificate* cert_obj) {
|
| - if (!cert_obj)
|
| - return ERR_CERT_INVALID;
|
| - if (cert_obj->HasExpired())
|
| - return ERR_CERT_DATE_INVALID;
|
| -
|
| - // Check if the private key corresponding to the certificate exist
|
| - // We shouldn't accept any random client certificate sent by a CA.
|
| -
|
| - // Note: The NSS source documentation wrongly suggests that this
|
| - // also imports the certificate if the private key exists. This
|
| - // doesn't seem to be the case.
|
| +NSSCertDatabase::ImportCertFailure::ImportCertFailure(
|
| + X509Certificate* cert, int err)
|
| + : certificate(cert),
|
| + net_error(err) {}
|
|
|
| - CERTCertificate* cert = cert_obj->os_cert_handle();
|
| - PK11SlotInfo* slot = PK11_KeyForCertExists(cert, NULL, NULL);
|
| - if (!slot)
|
| - return ERR_NO_PRIVATE_KEY_FOR_CERT;
|
| +NSSCertDatabase::ImportCertFailure::~ImportCertFailure() {}
|
|
|
| - PK11_FreeSlot(slot);
|
| -
|
| - return OK;
|
| +// static
|
| +NSSCertDatabase* NSSCertDatabase::GetInstance() {
|
| + return Singleton<NSSCertDatabase>::get();
|
| }
|
|
|
| -int CertDatabase::AddUserCert(X509Certificate* cert_obj) {
|
| - CERTCertificate* cert = cert_obj->os_cert_handle();
|
| - PK11SlotInfo* slot = NULL;
|
| -
|
| - {
|
| - crypto::AutoNSSWriteLock lock;
|
| - slot = PK11_ImportCertForKey(
|
| - cert,
|
| - cert_obj->GetDefaultNickname(net::USER_CERT).c_str(),
|
| - NULL);
|
| - }
|
| -
|
| - if (!slot) {
|
| - LOG(ERROR) << "Couldn't import user certificate.";
|
| - return ERR_ADD_USER_CERT_FAILED;
|
| - }
|
| - PK11_FreeSlot(slot);
|
| - CertDatabase::NotifyObserversOfUserCertAdded(cert_obj);
|
| - return OK;
|
| +NSSCertDatabase::NSSCertDatabase()
|
| + : observer_list_(new ObserverListThreadSafe<Observer>) {
|
| + crypto::EnsureNSSInit();
|
| + psm::EnsurePKCS12Init();
|
| }
|
|
|
| -void CertDatabase::ListCerts(CertificateList* certs) {
|
| +NSSCertDatabase::~NSSCertDatabase() {}
|
| +
|
| +void NSSCertDatabase::ListCerts(CertificateList* certs) {
|
| certs->clear();
|
|
|
| CERTCertList* cert_list = PK11_ListCerts(PK11CertListUnique, NULL);
|
| @@ -94,7 +68,7 @@ void CertDatabase::ListCerts(CertificateList* certs) {
|
| CERT_DestroyCertList(cert_list);
|
| }
|
|
|
| -CryptoModule* CertDatabase::GetPublicModule() const {
|
| +CryptoModule* NSSCertDatabase::GetPublicModule() const {
|
| CryptoModule* module =
|
| CryptoModule::CreateFromHandle(crypto::GetPublicNSSKeySlot());
|
| // The module is already referenced when returned from
|
| @@ -104,7 +78,7 @@ CryptoModule* CertDatabase::GetPublicModule() const {
|
| return module;
|
| }
|
|
|
| -CryptoModule* CertDatabase::GetPrivateModule() const {
|
| +CryptoModule* NSSCertDatabase::GetPrivateModule() const {
|
| CryptoModule* module =
|
| CryptoModule::CreateFromHandle(crypto::GetPrivateNSSKeySlot());
|
| // The module is already referenced when returned from
|
| @@ -114,7 +88,8 @@ CryptoModule* CertDatabase::GetPrivateModule() const {
|
| return module;
|
| }
|
|
|
| -void CertDatabase::ListModules(CryptoModuleList* modules, bool need_rw) const {
|
| +void NSSCertDatabase::ListModules(CryptoModuleList* modules,
|
| + bool need_rw) const {
|
| modules->clear();
|
|
|
| PK11SlotList* slot_list = NULL;
|
| @@ -138,7 +113,7 @@ void CertDatabase::ListModules(CryptoModuleList* modules, bool need_rw) const {
|
| PK11_FreeSlotList(slot_list);
|
| }
|
|
|
| -int CertDatabase::ImportFromPKCS12(
|
| +int NSSCertDatabase::ImportFromPKCS12(
|
| CryptoModule* module,
|
| const std::string& data,
|
| const string16& password,
|
| @@ -150,19 +125,19 @@ int CertDatabase::ImportFromPKCS12(
|
| is_extractable,
|
| imported_certs);
|
| if (result == net::OK)
|
| - CertDatabase::NotifyObserversOfUserCertAdded(NULL);
|
| + NotifyObserversOfCertAdded(NULL);
|
|
|
| return result;
|
| }
|
|
|
| -int CertDatabase::ExportToPKCS12(
|
| +int NSSCertDatabase::ExportToPKCS12(
|
| const CertificateList& certs,
|
| const string16& password,
|
| std::string* output) const {
|
| return psm::nsPKCS12Blob_Export(output, certs, password);
|
| }
|
|
|
| -X509Certificate* CertDatabase::FindRootInList(
|
| +X509Certificate* NSSCertDatabase::FindRootInList(
|
| const CertificateList& certificates) const {
|
| DCHECK_GT(certificates.size(), 0U);
|
|
|
| @@ -185,26 +160,27 @@ X509Certificate* CertDatabase::FindRootInList(
|
| return cert0;
|
| }
|
|
|
| -bool CertDatabase::ImportCACerts(const CertificateList& certificates,
|
| - TrustBits trust_bits,
|
| - ImportCertFailureList* not_imported) {
|
| +bool NSSCertDatabase::ImportCACerts(const CertificateList& certificates,
|
| + TrustBits trust_bits,
|
| + ImportCertFailureList* not_imported) {
|
| X509Certificate* root = FindRootInList(certificates);
|
| bool success = psm::ImportCACerts(certificates, root, trust_bits,
|
| not_imported);
|
| if (success)
|
| - CertDatabase::NotifyObserversOfCertTrustChanged(NULL);
|
| + NotifyObserversOfCertTrustChanged(NULL);
|
|
|
| return success;
|
| }
|
|
|
| -bool CertDatabase::ImportServerCert(const CertificateList& certificates,
|
| - TrustBits trust_bits,
|
| - ImportCertFailureList* not_imported) {
|
| +bool NSSCertDatabase::ImportServerCert(const CertificateList& certificates,
|
| + TrustBits trust_bits,
|
| + ImportCertFailureList* not_imported) {
|
| return psm::ImportServerCert(certificates, trust_bits, not_imported);
|
| }
|
|
|
| -CertDatabase::TrustBits CertDatabase::GetCertTrust(const X509Certificate* cert,
|
| - CertType type) const {
|
| +NSSCertDatabase::TrustBits NSSCertDatabase::GetCertTrust(
|
| + const X509Certificate* cert,
|
| + CertType type) const {
|
| CERTCertTrust trust;
|
| SECStatus srv = CERT_GetCertTrust(cert->os_cert_handle(), &trust);
|
| if (srv != SECSuccess) {
|
| @@ -249,7 +225,7 @@ CertDatabase::TrustBits CertDatabase::GetCertTrust(const X509Certificate* cert,
|
| }
|
| }
|
|
|
| -bool CertDatabase::IsUntrusted(const X509Certificate* cert) const {
|
| +bool NSSCertDatabase::IsUntrusted(const X509Certificate* cert) const {
|
| CERTCertTrust nsstrust;
|
| SECStatus rv = CERT_GetCertTrust(cert->os_cert_handle(), &nsstrust);
|
| if (rv != SECSuccess) {
|
| @@ -302,17 +278,17 @@ bool CertDatabase::IsUntrusted(const X509Certificate* cert) const {
|
| return false;
|
| }
|
|
|
| -bool CertDatabase::SetCertTrust(const X509Certificate* cert,
|
| +bool NSSCertDatabase::SetCertTrust(const X509Certificate* cert,
|
| CertType type,
|
| TrustBits trust_bits) {
|
| bool success = psm::SetCertTrust(cert, type, trust_bits);
|
| if (success)
|
| - CertDatabase::NotifyObserversOfCertTrustChanged(cert);
|
| + NotifyObserversOfCertTrustChanged(cert);
|
|
|
| return success;
|
| }
|
|
|
| -bool CertDatabase::DeleteCertAndKey(const X509Certificate* cert) {
|
| +bool NSSCertDatabase::DeleteCertAndKey(const X509Certificate* cert) {
|
| // For some reason, PK11_DeleteTokenCertAndKey only calls
|
| // SEC_DeletePermCertificate if the private key is found. So, we check
|
| // whether a private key exists before deciding which function to call to
|
| @@ -332,14 +308,37 @@ bool CertDatabase::DeleteCertAndKey(const X509Certificate* cert) {
|
| }
|
| }
|
|
|
| - CertDatabase::NotifyObserversOfUserCertRemoved(cert);
|
| + NotifyObserversOfCertRemoved(cert);
|
|
|
| return true;
|
| }
|
|
|
| -bool CertDatabase::IsReadOnly(const X509Certificate* cert) const {
|
| +bool NSSCertDatabase::IsReadOnly(const X509Certificate* cert) const {
|
| PK11SlotInfo* slot = cert->os_cert_handle()->slot;
|
| return slot && PK11_IsReadOnly(slot);
|
| }
|
|
|
| +void NSSCertDatabase::AddObserver(Observer* observer) {
|
| + observer_list_->AddObserver(observer);
|
| +}
|
| +
|
| +void NSSCertDatabase::RemoveObserver(Observer* observer) {
|
| + observer_list_->RemoveObserver(observer);
|
| +}
|
| +
|
| +void NSSCertDatabase::NotifyObserversOfCertAdded(const X509Certificate* cert) {
|
| + observer_list_->Notify(&Observer::OnCertAdded, make_scoped_refptr(cert));
|
| +}
|
| +
|
| +void NSSCertDatabase::NotifyObserversOfCertRemoved(
|
| + const X509Certificate* cert) {
|
| + observer_list_->Notify(&Observer::OnCertRemoved, make_scoped_refptr(cert));
|
| +}
|
| +
|
| +void NSSCertDatabase::NotifyObserversOfCertTrustChanged(
|
| + const X509Certificate* cert) {
|
| + observer_list_->Notify(
|
| + &Observer::OnCertTrustChanged, make_scoped_refptr(cert));
|
| +}
|
| +
|
| } // namespace net
|
|
|
Chromium Code Reviews
Issue 10916094:
Move the NSS functions out of CertDatabase into a new NSSCertDatabase class. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src