net/cert/nss_cert_database.cc - Issue 111273002: NSSCertDatabaseChromeOS

Side by Side Diff: net/cert/nss_cert_database.cc

Issue 111273002: NSSCertDatabaseChromeOS (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: refactoring and review changes Created 7 years ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "net/cert/nss_cert_database.h"	5 #include "net/cert/nss_cert_database.h"

6	6

7 #include <cert.h>	7 #include <cert.h>

8 #include <certdb.h>	8 #include <certdb.h>

9 #include <keyhi.h>	9 #include <keyhi.h>

10 #include <pk11pub.h>	10 #include <pk11pub.h>

11 #include <secmod.h>	11 #include <secmod.h>

12	12

	13 #include "base/lazy_instance.h"

13 #include "base/logging.h"	14 #include "base/logging.h"

14 #include "base/memory/scoped_ptr.h"	15 #include "base/memory/scoped_ptr.h"

15 #include "base/memory/singleton.h"

16 #include "base/observer_list_threadsafe.h"	16 #include "base/observer_list_threadsafe.h"

17 #include "crypto/nss_util.h"	17 #include "crypto/nss_util.h"

18 #include "crypto/nss_util_internal.h"	18 #include "crypto/nss_util_internal.h"

19 #include "crypto/scoped_nss_types.h"	19 #include "crypto/scoped_nss_types.h"

20 #include "net/base/crypto_module.h"	20 #include "net/base/crypto_module.h"

21 #include "net/base/net_errors.h"	21 #include "net/base/net_errors.h"

22 #include "net/cert/cert_database.h"	22 #include "net/cert/cert_database.h"

23 #include "net/cert/x509_certificate.h"	23 #include "net/cert/x509_certificate.h"

24 #include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h"	24 #include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h"

25 #include "net/third_party/mozilla_security_manager/nsPKCS12Blob.h"	25 #include "net/third_party/mozilla_security_manager/nsPKCS12Blob.h"

26	26

27 // In NSS 3.13, CERTDB_VALID_PEER was renamed CERTDB_TERMINAL_RECORD. So we use	27 // In NSS 3.13, CERTDB_VALID_PEER was renamed CERTDB_TERMINAL_RECORD. So we use

28 // the new name of the macro.	28 // the new name of the macro.

29 #if !defined(CERTDB_TERMINAL_RECORD)	29 #if !defined(CERTDB_TERMINAL_RECORD)

30 #define CERTDB_TERMINAL_RECORD CERTDB_VALID_PEER	30 #define CERTDB_TERMINAL_RECORD CERTDB_VALID_PEER

31 #endif	31 #endif

32	32

33 // PSM = Mozilla's Personal Security Manager.	33 // PSM = Mozilla's Personal Security Manager.

34 namespace psm = mozilla_security_manager;	34 namespace psm = mozilla_security_manager;

35	35

36 namespace net {	36 namespace net {

37	37

	38 namespace {

	39

	40 base::LazyInstance<NSSCertDatabase>::Leaky

	41 g_nss_cert_database = LAZY_INSTANCE_INITIALIZER;

	42

	43 } // namespace

	44

	45

38 NSSCertDatabase::ImportCertFailure::ImportCertFailure(	46 NSSCertDatabase::ImportCertFailure::ImportCertFailure(

39 const scoped_refptr<X509Certificate>& cert,	47 const scoped_refptr<X509Certificate>& cert,

40 int err)	48 int err)

41 : certificate(cert), net_error(err) {}	49 : certificate(cert), net_error(err) {}

42	50

43 NSSCertDatabase::ImportCertFailure::~ImportCertFailure() {}	51 NSSCertDatabase::ImportCertFailure::~ImportCertFailure() {}

44	52

45 // static	53 // static

46 NSSCertDatabase* NSSCertDatabase::GetInstance() {	54 NSSCertDatabase* NSSCertDatabase::GetInstance() {

47 return Singleton<NSSCertDatabase,	55 #if defined(OS_CHROMEOS)

48 LeakySingletonTraits<NSSCertDatabase> >::get();	56 DVLOG(1) << "Using global NSSCertDatabase. Consider using "

	57 << "NSSCertDatabaseChromeOS instead.";
	Ryan Sleevi 2013/12/18 21:28:32 comment nit: Make this a stronger warning. "NSSCe comment nit: Make this a stronger warning. "NSSCertDatabase::GetInstance() is deprecated. See http://crbug.com/foo" I would suggest this at LOG(INFO) or LOG(ERROR) (similar to NOTIMPLEMENTED()) to provide clear guidance to the code paths being hit that shouldn't be using this. mattm 2013/12/19 22:35:00 Done. Show quoted text On 2013/12/18 21:28:32, Ryan Sleevi wrote: > comment nit: Make this a stronger warning. > > "NSSCertDatabase::GetInstance() is deprecated. See http://crbug.com/foo%22 > > I would suggest this at LOG(INFO) or LOG(ERROR) (similar to NOTIMPLEMENTED()) to > provide clear guidance to the code paths being hit that shouldn't be using this. Done.
	58 #endif

	59 return &g_nss_cert_database.Get();

49 }	60 }

50	61

51 NSSCertDatabase::NSSCertDatabase()	62 NSSCertDatabase::NSSCertDatabase()

52 : observer_list_(new ObserverListThreadSafe<Observer>) {	63 : observer_list_(new ObserverListThreadSafe<Observer>) {

53 crypto::EnsureNSSInit();	64 // This also makes sure that NSS has been initialized.

	65 CertDatabase::GetInstance()->ObserveNSSCertDatabase(this);

	66

54 psm::EnsurePKCS12Init();	67 psm::EnsurePKCS12Init();

55 }	68 }

56	69

57 NSSCertDatabase::~NSSCertDatabase() {}	70 NSSCertDatabase::~NSSCertDatabase() {}

58	71

59 void NSSCertDatabase::ListCerts(CertificateList* certs) {	72 void NSSCertDatabase::ListCerts(CertificateList* certs) {

60 certs->clear();	73 certs->clear();

61	74

62 CERTCertList* cert_list = PK11_ListCerts(PK11CertListUnique, NULL);	75 CERTCertList* cert_list = PK11_ListCerts(PK11CertListUnique, NULL);

63 CERTCertListNode* node;	76 CERTCertListNode* node;

(...skipping 46 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
110 PR_FALSE); // restart	123 PR_FALSE); // restart

111 }	124 }

112 }	125 }

113	126

114 int NSSCertDatabase::ImportFromPKCS12(	127 int NSSCertDatabase::ImportFromPKCS12(

115 CryptoModule* module,	128 CryptoModule* module,

116 const std::string& data,	129 const std::string& data,

117 const base::string16& password,	130 const base::string16& password,

118 bool is_extractable,	131 bool is_extractable,

119 net::CertificateList* imported_certs) {	132 net::CertificateList* imported_certs) {

	133 DVLOG(1) << __func__ << " "

	134 << PK11_GetModuleID(module->os_module_handle()) << ":"

	135 << PK11_GetSlotID(module->os_module_handle());

120 int result = psm::nsPKCS12Blob_Import(module->os_module_handle(),	136 int result = psm::nsPKCS12Blob_Import(module->os_module_handle(),

121 data.data(), data.size(),	137 data.data(), data.size(),

122 password,	138 password,

123 is_extractable,	139 is_extractable,

124 imported_certs);	140 imported_certs);

125 if (result == net::OK)	141 if (result == net::OK)

126 NotifyObserversOfCertAdded(NULL);	142 NotifyObserversOfCertAdded(NULL);

127	143

128 return result;	144 return result;

129 }	145 }

(...skipping 17 matching lines...) Expand all Loading...
147 X509Certificate* certn_2 = certificates[certificates.size() - 2].get();	163 X509Certificate* certn_2 = certificates[certificates.size() - 2].get();

148 X509Certificate* certn_1 = certificates[certificates.size() - 1].get();	164 X509Certificate* certn_1 = certificates[certificates.size() - 1].get();

149	165

150 if (CERT_CompareName(&cert1->os_cert_handle()->issuer,	166 if (CERT_CompareName(&cert1->os_cert_handle()->issuer,

151 &cert0->os_cert_handle()->subject) == SECEqual)	167 &cert0->os_cert_handle()->subject) == SECEqual)

152 return cert0;	168 return cert0;

153 if (CERT_CompareName(&certn_2->os_cert_handle()->issuer,	169 if (CERT_CompareName(&certn_2->os_cert_handle()->issuer,

154 &certn_1->os_cert_handle()->subject) == SECEqual)	170 &certn_1->os_cert_handle()->subject) == SECEqual)

155 return certn_1;	171 return certn_1;

156	172

157 VLOG(1) << "certificate list is not a hierarchy";	173 LOG(WARNING) << "certificate list is not a hierarchy";

158 return cert0;	174 return cert0;

159 }	175 }

160	176

161 bool NSSCertDatabase::ImportCACerts(const CertificateList& certificates,	177 bool NSSCertDatabase::ImportCACerts(const CertificateList& certificates,

162 TrustBits trust_bits,	178 TrustBits trust_bits,

163 ImportCertFailureList* not_imported) {	179 ImportCertFailureList* not_imported) {

164 crypto::ScopedPK11Slot slot(GetPublicSlot());	180 crypto::ScopedPK11Slot slot(GetPublicSlot());

165 X509Certificate* root = FindRootInList(certificates);	181 X509Certificate* root = FindRootInList(certificates);

166 bool success = psm::ImportCACerts(	182 bool success = psm::ImportCACerts(

167 slot.get(), certificates, root, trust_bits, not_imported);	183 slot.get(), certificates, root, trust_bits, not_imported);

(...skipping 173 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
341 observer_list_->Notify(&Observer::OnCertRemoved, make_scoped_refptr(cert));	357 observer_list_->Notify(&Observer::OnCertRemoved, make_scoped_refptr(cert));

342 }	358 }

343	359

344 void NSSCertDatabase::NotifyObserversOfCACertChanged(	360 void NSSCertDatabase::NotifyObserversOfCACertChanged(

345 const X509Certificate* cert) {	361 const X509Certificate* cert) {

346 observer_list_->Notify(	362 observer_list_->Notify(

347 &Observer::OnCACertChanged, make_scoped_refptr(cert));	363 &Observer::OnCACertChanged, make_scoped_refptr(cert));

348 }	364 }

349	365

350 } // namespace net	366 } // namespace net

OLD	NEW

« net/cert/cert_database.h ('K') | « net/cert/nss_cert_database.h ('k') | net/cert/nss_cert_database_chromeos.h » ('j') | net/cert/nss_cert_database_chromeos_unittest.cc » ('J')