Add built-in root certificates to dart:io SecureSocket.

runtime/bin/secure_socket.cc

 // Copyright (c) 2012, the Dart project authors.  Please see the AUTHORS file
 // for details. All rights reserved. Use of this source code is governed by a
 // BSD-style license that can be found in the LICENSE file.
 
 #include "bin/secure_socket.h"
 
 #include <errno.h>
 #include <fcntl.h>
 #include <sys/stat.h>
 #include <stdio.h>
@@ skipping 141 matching lines @@
         "Illegal argument to ProcessBuffer"));
   }
 
   intptr_t bytes_read =
       GetFilter(args)->ProcessBuffer(static_cast<int>(buffer_id));
   Dart_SetReturnValue(args, Dart_NewInteger(bytes_read));
   Dart_ExitScope();
 }
 
 
-void FUNCTION_NAME(SecureSocket_SetCertificateDatabase)
+void FUNCTION_NAME(SecureSocket_InitializeLibrary)
     (Dart_NativeArguments args) {
   Dart_EnterScope();
   Dart_Handle certificate_database_object =
       ThrowIfError(Dart_GetNativeArgument(args, 0));
   // Check that the type is string, and get the UTF-8 C string value from it.
   const char* certificate_database = NULL;
   if (Dart_IsString(certificate_database_object)) {
     ThrowIfError(Dart_StringToCString(certificate_database_object,
                                       &certificate_database));
-  } else {
+  } else if (!Dart_IsNull(certificate_database_object)) {
     Dart_ThrowException(DartUtils::NewDartArgumentError(
         "Non-String certificate directory argument to SetCertificateDatabase"));
   }
+  // Leave certificate_database as NULL if no value was provided.
 
   Dart_Handle password_object = ThrowIfError(Dart_GetNativeArgument(args, 1));
   // Check that the type is string or null,
   // and get the UTF-8 C string value from it.
   const char* password = NULL;
   if (Dart_IsString(password_object)) {
     ThrowIfError(Dart_StringToCString(password_object, &password));
   } else if (Dart_IsNull(password_object)) {
     // Pass the empty string as the password.
     password = "";
   } else {
     Dart_ThrowException(DartUtils::NewDartArgumentError(
         "Password argument to SetCertificateDatabase is not a String or null"));
   }
 
-  SSLFilter::InitializeLibrary(certificate_database, password);
+  Dart_Handle builtin_roots_object =
+      ThrowIfError(Dart_GetNativeArgument(args, 2));
+  // Check that the type is boolean, and get the boolean value from it.
+  bool builtin_roots = true;
+  if (Dart_IsBoolean(builtin_roots_object)) {
+    ThrowIfError(Dart_BooleanValue(builtin_roots_object, &builtin_roots));
+  } else {
+    Dart_ThrowException(DartUtils::NewDartArgumentError(
+        "UseBuiltinRoots argument to SetCertificateDatabase is not a bool"));
+  }
+
+  SSLFilter::InitializeLibrary(certificate_database, password, builtin_roots);
   Dart_ExitScope();
 }
 
 
 void SSLFilter::Init(Dart_Handle dart_this) {
   string_start_ = ThrowIfError(
       Dart_NewPersistentHandle(DartUtils::NewString("start")));
   string_length_ = ThrowIfError(
       Dart_NewPersistentHandle(DartUtils::NewString("length")));
 
@@ skipping 32 matching lines @@
 }
 
 
 void SSLFilter::RegisterHandshakeCompleteCallback(Dart_Handle complete) {
   ASSERT(NULL == handshake_complete_);
   handshake_complete_ = ThrowIfError(Dart_NewPersistentHandle(complete));
 }
 
 
 void SSLFilter::InitializeLibrary(const char* certificate_database,
-                                  const char* password) {
+                                  const char* password,
+                                  bool use_builtin_root_certificates) {
   MutexLocker locker(&mutex_);
   if (!library_initialized_) {
     library_initialized_ = true;
     password_ = strdup(password);  // This one copy persists until Dart exits.
     PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);
     // TODO(whesse): Verify there are no UTF-8 issues here.
-    SECStatus status = NSS_Init(certificate_database);
+    PRUint32 init_flags = NSS_INIT_READONLY;
+    if (certificate_database == NULL) {
+      // Passing the empty string as the database path does not try to open
+      // a database in the current directory.
+      certificate_database = "";
+      init_flags |= NSS_INIT_FORCEOPEN;
+    }
+    if (!use_builtin_root_certificates) {
+      init_flags |= NSS_INIT_NOMODDB;
+    }
+    SECStatus status = NSS_Initialize(certificate_database,
+                                      "",
+                                      "",
+                                      SECMOD_DB,
+                                      init_flags);
     if (status != SECSuccess) {
       ThrowPRException("Unsuccessful NSS_Init call.");
     }
 
     status = NSS_SetDomesticPolicy();
     if (status != SECSuccess) {
       ThrowPRException("Unsuccessful NSS_SetDomesticPolicy call.");
     }
     // Enable TLS, as well as SSL3 and SSL2.
     status = SSL_OptionSetDefault(SSL_ENABLE_TLS, PR_TRUE);
@@ skipping 218 matching lines @@
         if (PR_WOULD_BLOCK_ERROR != pr_error) {
           ThrowPRException("Error reading plaintext from SSLFilter");
         }
         bytes_processed = 0;
       }
       break;
     }
   }
   return bytes_processed;
 }