Add built-in root certificates to dart:io SecureSocket.

sdk/lib/io/secure_socket.dart

 // Copyright (c) 2012, the Dart project authors.  Please see the AUTHORS file
 // for details. All rights reserved. Use of this source code is governed by a
 // BSD-style license that can be found in the LICENSE file.
 
 /**
  * SecureSocket provides a secure (SSL or TLS) client connection to a server.
  * The certificate provided by the server is checked
  * using the certificate database provided in setCertificateDatabase.
  */
 abstract class SecureSocket implements Socket {
   /**
    * Constructs a new secure client socket and connect it to the given
    * host on the given port. The returned socket is not yet connected
    * but ready for registration of callbacks.
    */
   factory SecureSocket(String host, int port) => new _SecureSocket(host, port);
 
    /**
    * Initializes the NSS library with the path to a certificate database

[Mads Ager (google), 2012/12/03 09:15:09]

We should revisit this comment more. We should provide a couple of examples:

// Use only builtin db.
init(useBuiltinRoots: true);
// Use own db and merge with builtin db.
init(database: 'mydb', password: 'mypass');
// Use only own db.
init(database: 'mydb', password:'mypass', useBuiltinRoots: false);  

    * containing root certificates for verifying certificate paths on
    * client connections, and server certificates to provide on server
    * connections.  The password argument should be used when creating
    * secure server sockets, to allow the private key of the server
-   * certificate to be fetched.
+   * certificate to be fetched.  If useBuiltinRoots is true (the default),
+   * then a built-in set of root certificates for trusted certificate
+   * authorities is merged with the certificates in the database.
    *
    * The database should be an NSS certificate database directory
    * containing a cert9.db file, not a cert8.db file.  This version of
    * the database can be created using the NSS certutil tool with "sql:" in
    * front of the absolute path of the database directory, or setting the
    * environment variable NSS_DEFAULT_DB_TYPE to "sql".
    */
-  external static void setCertificateDatabase(String certificateDatabase,
-                                              [String password]);
+  external static void initialize({String database,
+                                   String password,
+                                   bool useBuiltinRoots: true});
 }
 
 
 class _SecureSocket implements SecureSocket {
   // Status states
   static final int NOT_CONNECTED = 200;
   static final int HANDSHAKE = 201;
   static final int CONNECTED = 202;
   static final int CLOSED = 203;
 
@@ skipping 145 matching lines @@
         scheduledDataEvent.cancel();
       }
       _status = CLOSED;
     }
   }
 
   void _closeWrite() => close(true);
 
   List<int> read([int len]) {
     if (_closedRead) {
-      throw new SocketException("Reading from a closed socket");
+      throw new SocketIOException("Reading from a closed socket");
     }
     if (_status != CONNECTED) {
       return new List<int>(0);
     }
     var buffer = _secureFilter.buffers[READ_PLAINTEXT];
     _readEncryptedData();
     int toRead = buffer.length;
     if (len != null) {
       if (len is! int || len < 0) {
         throw new ArgumentError(
             "Invalid len parameter in SecureSocket.read (len: $len)");
       }
       if (len < toRead) {
         toRead = len;
       }
     }
     List<int> result = buffer.data.getRange(buffer.start, toRead);
     buffer.advanceStart(toRead);
     _setHandlersAfterRead();
     return result;
   }
 
   int readList(List<int> data, int offset, int bytes) {
     if (_closedRead) {
-      throw new SocketException("Reading from a closed socket");
+      throw new SocketIOException("Reading from a closed socket");
     }
     if (offset < 0 || bytes < 0 || offset + bytes > data.length) {
       throw new ArgumentError(
           "Invalid offset or bytes in SecureSocket.readList");
     }
     if (_status != CONNECTED && _status != CLOSED) {
       return 0;
     }
 
     int bytesRead = 0;
@@ skipping 13 matching lines @@
 
     _setHandlersAfterRead();
     return bytesRead;
   }
 
   // Write the data to the socket, and flush it as much as possible
   // until it would block.  If the write would block, _writeEncryptedData sets
   // up handlers to flush the pipeline when possible.
   int writeList(List<int> data, int offset, int bytes) {
     if (_closedWrite) {
-      throw new SocketException("Writing to a closed socket");
+      throw new SocketIOException("Writing to a closed socket");
     }
     if (_status != CONNECTED) return 0;
     var buffer = _secureFilter.buffers[WRITE_PLAINTEXT];
     if (bytes > buffer.free) {
       bytes = buffer.free;
     }
     if (bytes > 0) {
       buffer.data.setRange(buffer.start + buffer.length, bytes, data, offset);
       buffer.length += bytes;
     }
@@ skipping 22 matching lines @@
       // We must be able to set onWrite from the onWrite callback.
       var handler = _socketWriteHandler;
       // Reset the one-shot handler.
       _socketWriteHandler = null;
       handler();
     }
   }
 
   void _secureDataHandler() {
     if (_status == HANDSHAKE) {
-      _secureHandshake();
+      try {
+        _secureHandshake();
+      } catch (e) { _reportError(e, "SecureSocket error"); }
     } else {
-      _writeEncryptedData();  // TODO(whesse): Removing this causes a failure.
-      _readEncryptedData();
+      try {
+        _writeEncryptedData();  // TODO(whesse): Removing this causes a failure.
+        _readEncryptedData();
+      } catch (e) { _reportError(e, "SecureSocket error"); }
       if (!_filterReadEmpty) {
         // Call the onData event.
         if (scheduledDataEvent != null) {
           scheduledDataEvent.cancel();
           scheduledDataEvent = null;
         }
         if (_socketDataHandler != null) {
           _socketDataHandler();
         }
       }
     }
   }
 
   void _secureErrorHandler(e) {
     _reportError(e, 'Error on underlying Socket');
   }
 
   void _reportError(error, String message) {
     // TODO(whesse): Call _reportError from all internal functions that throw.
     var e;
     if (error is SocketIOException) {
       e = new SocketIOException('$message (${error.message})', error.osError);
     } else if (error is OSError) {
       e = new SocketIOException(message, error);
     } else {
       e = new SocketIOException('$message (${error.toString()})', null);
     }
+    close(false);
     bool reported = false;
     if (_socketErrorHandler != null) {
       reported = true;
       _socketErrorHandler(e);
     }
     if (_inputStream != null) {
       reported = reported || _inputStream._onSocketError(e);
     }
     if (_outputStream != null) {
       reported = reported || _outputStream._onSocketError(e);
     }
-
     if (!reported) throw e;
   }
 
   void _secureCloseHandler() {
     _socketClosedRead = true;
     if (_filterReadEmpty) {
       _closedRead = true;
       _fireCloseEvent();
       if (_socketClosedWrite) {
         _secureFilter.destroy();
@@ skipping 207 matching lines @@
                bool is_server,
                String certificateName);
   void destroy();
   void handshake();
   void init();
   int processBuffer(int bufferIndex);
   void registerHandshakeCompleteCallback(Function handshakeCompleteHandler);
 
   List<_ExternalBuffer> get buffers;
 }