Add built-in root certificates to dart:io SecureSocket.

runtime/bin/secure_socket.cc

 // Copyright (c) 2012, the Dart project authors.  Please see the AUTHORS file
 // for details. All rights reserved. Use of this source code is governed by a
 // BSD-style license that can be found in the LICENSE file.
 
 #include "bin/secure_socket.h"
 
 #include <errno.h>
 #include <fcntl.h>
 #include <sys/stat.h>
 #include <stdio.h>
@@ skipping 141 matching lines @@
         "Illegal argument to ProcessBuffer"));
   }
 
   intptr_t bytes_read =
       GetFilter(args)->ProcessBuffer(static_cast<int>(buffer_id));
   Dart_SetReturnValue(args, Dart_NewInteger(bytes_read));
   Dart_ExitScope();
 }
 
 
-void FUNCTION_NAME(SecureSocket_SetCertificateDatabase)
+void FUNCTION_NAME(SecureSocket_InitializeLibrary)
     (Dart_NativeArguments args) {
   Dart_EnterScope();
   Dart_Handle certificate_database_object =
       ThrowIfError(Dart_GetNativeArgument(args, 0));
   // Check that the type is string, and get the UTF-8 C string value from it.
   const char* certificate_database = NULL;
   if (Dart_IsString(certificate_database_object)) {
     ThrowIfError(Dart_StringToCString(certificate_database_object,
                                       &certificate_database));
-  } else {
+  } else if (!Dart_IsNull(certificate_database_object)) {
     Dart_ThrowException(DartUtils::NewDartArgumentError(
         "Non-String certificate directory argument to SetCertificateDatabase"));
   }
+  // Leave certificate_database as NULL if no value was provided.
 
   Dart_Handle password_object = ThrowIfError(Dart_GetNativeArgument(args, 1));
   // Check that the type is string or null,
   // and get the UTF-8 C string value from it.
   const char* password = NULL;
   if (Dart_IsString(password_object)) {
     ThrowIfError(Dart_StringToCString(password_object, &password));
   } else if (Dart_IsNull(password_object)) {
     // Pass the empty string as the password.
     password = "";
   } else {
     Dart_ThrowException(DartUtils::NewDartArgumentError(
         "Password argument to SetCertificateDatabase is not a String or null"));
   }
 
-  SSLFilter::InitializeLibrary(certificate_database, password);
+  Dart_Handle builtin_roots_object =
+      ThrowIfError(Dart_GetNativeArgument(args, 2));
+  // Check that the type is boolean, and get the boolean value from it.
+  bool builtin_roots = true;
+  if (Dart_IsBoolean(builtin_roots_object)) {
+    ThrowIfError(Dart_BooleanValue(builtin_roots_object, &builtin_roots));
+  } else {
+    Dart_ThrowException(DartUtils::NewDartArgumentError(
+        "UseBuiltinRoots argument to SetCertificateDatabase is not a bool"));
+  }
+
+  SSLFilter::InitializeLibrary(certificate_database, password, builtin_roots);
   Dart_ExitScope();
 }
 
 
 void SSLFilter::Init(Dart_Handle dart_this) {
   string_start_ = ThrowIfError(
       Dart_NewPersistentHandle(DartUtils::NewString("start")));
   string_length_ = ThrowIfError(
       Dart_NewPersistentHandle(DartUtils::NewString("length")));
 
@@ skipping 32 matching lines @@
 }
 
 
 void SSLFilter::RegisterHandshakeCompleteCallback(Dart_Handle complete) {
   ASSERT(NULL == handshake_complete_);
   handshake_complete_ = ThrowIfError(Dart_NewPersistentHandle(complete));
 }
 
 
 void SSLFilter::InitializeLibrary(const char* certificate_database,
-                                  const char* password) {
+                                  const char* password,
+                                  bool use_builtin_root_certificates) {
   MutexLocker locker(&mutex_);
   if (!library_initialized_) {
     library_initialized_ = true;
     password_ = strdup(password);  // This one copy persists until Dart exits.
     PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);
     // TODO(whesse): Verify there are no UTF-8 issues here.
-    SECStatus status = NSS_Init(certificate_database);
+    PRUint32 init_flags = NSS_INIT_READONLY;
+    if (certificate_database == NULL) {
+      // This will not open a database in the current directory, even if it

[Mads Ager (google), 2012/12/03 09:15:09]

This looks strange. The documentation just says that this ignores failures to
open the database. Can you provide a pointer to the documentation that this will
not open a database?

Based on the documentation I would have guessed that NSS_INIT_NOCERTDB would be
the right flag?

[Bill Hesse, 2012/12/03 12:20:04]

I was referring only to passing "" as the database path, and saying that that is
different than passing "." as the database path.  The flag has nothing to do
with it, except that it would otherwise signal an error.  The code for
NSS_Init_NoDB passes the FORCEOPEN flag, along with the others.

The NOCERTDB flag causes Windows to fail.  The documentation sounds as if it
should be the right thing to set, but in practice it does not work.

Changed the comment to be more explicit.

[Mads Ager (google), 2012/12/03 13:00:13]

Thanks for updating the comment. Please add the part about NOCERTDB not working
on Windows as well. I would add it as a TODO to figure out why that does not
work. Please document the way in which Windows does not work when using NOCERTDB
as well.

+      // exists.
+      certificate_database = "";
+      init_flags |= NSS_INIT_FORCEOPEN;
+    }
+    if (!use_builtin_root_certificates) {
+      init_flags |= NSS_INIT_NOMODDB;
+    }
+    SECStatus status = NSS_Initialize(certificate_database,
+                                      "",
+                                      "",
+                                      SECMOD_DB,
+                                      init_flags);
     if (status != SECSuccess) {
       ThrowPRException("Unsuccessful NSS_Init call.");
     }
 
     status = NSS_SetDomesticPolicy();
     if (status != SECSuccess) {
       ThrowPRException("Unsuccessful NSS_SetDomesticPolicy call.");
     }
     // Enable TLS, as well as SSL3 and SSL2.
     status = SSL_OptionSetDefault(SSL_ENABLE_TLS, PR_TRUE);
@@ skipping 218 matching lines @@
         if (PR_WOULD_BLOCK_ERROR != pr_error) {
           ThrowPRException("Error reading plaintext from SSLFilter");
         }
         bytes_processed = 0;
       }
       break;
     }
   }
   return bytes_processed;
 }