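--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,344 @@
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/base/nss_cert_database.h"
+
+#include <cert.h>
+#include <certdb.h>
+#include <keyhi.h>
+#include <pk11pub.h>
+#include <secmod.h>
+
+#include "base/logging.h"
+#include "base/memory/scoped_ptr.h"
+#include "base/memory/singleton.h"
+#include "base/observer_list_threadsafe.h"
+#include "crypto/nss_util.h"
+#include "crypto/nss_util_internal.h"
+#include "net/base/cert_database.h"
+#include "net/base/crypto_module.h"
+#include "net/base/net_errors.h"
+#include "net/base/x509_certificate.h"
+#include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h"
+#include "net/third_party/mozilla_security_manager/nsPKCS12Blob.h"
+
+// In NSS 3.13, CERTDB_VALID_PEER was renamed CERTDB_TERMINAL_RECORD. So we use
+// the new name of the macro.
+#if !defined(CERTDB_TERMINAL_RECORD)
+#define CERTDB_TERMINAL_RECORD CERTDB_VALID_PEER
+#endif
+
+// PSM = Mozilla's Personal Security Manager.
+namespace psm = mozilla_security_manager;
+
+namespace net {
+
+NSSCertDatabase::ImportCertFailure::ImportCertFailure(
+X509Certificate* cert, int err)
+: certificate(cert),
+net_error(err) {}
+
+NSSCertDatabase::ImportCertFailure::~ImportCertFailure() {}
+
+// static
+NSSCertDatabase* NSSCertDatabase::GetInstance() {
+return Singleton<NSSCertDatabase>::get();
+}
+
+NSSCertDatabase::NSSCertDatabase()
+: observer_list_(new ObserverListThreadSafe<Observer>) {
+crypto::EnsureNSSInit();
+psm::EnsurePKCS12Init();
+}
+
+NSSCertDatabase::~NSSCertDatabase() {}
+
+void NSSCertDatabase::ListCerts(CertificateList* certs) {
+certs->clear();
+
+CERTCertList* cert_list = PK11_ListCerts(PK11CertListUnique, NULL);
+CERTCertListNode* node;
+for (node = CERT_LIST_HEAD(cert_list);
+!CERT_LIST_END(node, cert_list);
+node = CERT_LIST_NEXT(node)) {
+certs->push_back(X509Certificate::CreateFromHandle(
+node->cert, X509Certificate::OSCertHandles()));
+}
+CERT_DestroyCertList(cert_list);
+}
+
+CryptoModule* NSSCertDatabase::GetPublicModule() const {
+CryptoModule* module =
+CryptoModule::CreateFromHandle(crypto::GetPublicNSSKeySlot());
+// The module is already referenced when returned from
+// GetPublicNSSKeySlot, so we need to deref it once.
+PK11_FreeSlot(module->os_module_handle());
+
+return module;
+}
+
+CryptoModule* NSSCertDatabase::GetPrivateModule() const {
+CryptoModule* module =
+CryptoModule::CreateFromHandle(crypto::GetPrivateNSSKeySlot());
+// The module is already referenced when returned from
+// GetPrivateNSSKeySlot, so we need to deref it once.
+PK11_FreeSlot(module->os_module_handle());
+
+return module;
+}
+
+void NSSCertDatabase::ListModules(CryptoModuleList* modules,
+bool need_rw) const {
+modules->clear();
+
+PK11SlotList* slot_list = NULL;
+// The wincx arg is unused since we don't call PK11_SetIsLoggedInFunc.
+slot_list = PK11_GetAllTokens(CKM_INVALID_MECHANISM,
+need_rw ? PR_TRUE : PR_FALSE, // needRW
+PR_TRUE, // loadCerts (unused)
+NULL); // wincx
+if (!slot_list) {
+LOG(ERROR) << "PK11_GetAllTokens failed: " << PORT_GetError();
+return;
+}
+
+PK11SlotListElement* slot_element = PK11_GetFirstSafe(slot_list);
+while (slot_element) {
+modules->push_back(CryptoModule::CreateFromHandle(slot_element->slot));
+slot_element = PK11_GetNextSafe(slot_list, slot_element,
+PR_FALSE); // restart
+}
+
+PK11_FreeSlotList(slot_list);
+}
+
+int NSSCertDatabase::ImportFromPKCS12(
+CryptoModule* module,
+const std::string& data,
+const string16& password,
+bool is_extractable,
+net::CertificateList* imported_certs) {
+int result = psm::nsPKCS12Blob_Import(module->os_module_handle(),
+data.data(), data.size(),
+password,
+is_extractable,
+imported_certs);
+if (result == net::OK)
+NotifyObserversOfCertAdded(NULL);
+
+return result;
+}
+
+int NSSCertDatabase::ExportToPKCS12(
+const CertificateList& certs,
+const string16& password,
+std::string* output) const {
+return psm::nsPKCS12Blob_Export(output, certs, password);
+}
+
+X509Certificate* NSSCertDatabase::FindRootInList(
+const CertificateList& certificates) const {
+DCHECK_GT(certificates.size(), 0U);
+
+if (certificates.size() == 1)
+return certificates[0].get();
+
+X509Certificate* cert0 = certificates[0];
+X509Certificate* cert1 = certificates[1];
+X509Certificate* certn_2 = certificates[certificates.size() - 2];
+X509Certificate* certn_1 = certificates[certificates.size() - 1];
+
+if (CERT_CompareName(&cert1->os_cert_handle()->issuer,
+&cert0->os_cert_handle()->subject) == SECEqual)
+return cert0;
+if (CERT_CompareName(&certn_2->os_cert_handle()->issuer,
+&certn_1->os_cert_handle()->subject) == SECEqual)
+return certn_1;
+
+VLOG(1) << "certificate list is not a hierarchy";
+return cert0;
+}
+
+bool NSSCertDatabase::ImportCACerts(const CertificateList& certificates,
+TrustBits trust_bits,
+ImportCertFailureList* not_imported) {
+X509Certificate* root = FindRootInList(certificates);
+bool success = psm::ImportCACerts(certificates, root, trust_bits,
+not_imported);
+if (success)
+NotifyObserversOfCertTrustChanged(NULL);
+
+return success;
+}
+
+bool NSSCertDatabase::ImportServerCert(const CertificateList& certificates,
+TrustBits trust_bits,
+ImportCertFailureList* not_imported) {
+return psm::ImportServerCert(certificates, trust_bits, not_imported);
+}
+
+NSSCertDatabase::TrustBits NSSCertDatabase::GetCertTrust(
+const X509Certificate* cert,
+CertType type) const {
+CERTCertTrust trust;
+SECStatus srv = CERT_GetCertTrust(cert->os_cert_handle(), &trust);
+if (srv != SECSuccess) {
+LOG(ERROR) << "CERT_GetCertTrust failed with error " << PORT_GetError();
+return TRUST_DEFAULT;
+}
+// We define our own more "friendly" TrustBits, which means we aren't able to
+// round-trip all possible NSS trust flag combinations. We try to map them in
+// a sensible way.
+switch (type) {
+case CA_CERT: {
+const unsigned kTrustedCA = CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA;
+const unsigned kCAFlags = kTrustedCA | CERTDB_TERMINAL_RECORD;
+
+TrustBits trust_bits = TRUST_DEFAULT;
+if ((trust.sslFlags & kCAFlags) == CERTDB_TERMINAL_RECORD)
+trust_bits |= DISTRUSTED_SSL;
+else if (trust.sslFlags & kTrustedCA)
+trust_bits |= TRUSTED_SSL;
+
+if ((trust.emailFlags & kCAFlags) == CERTDB_TERMINAL_RECORD)
+trust_bits |= DISTRUSTED_EMAIL;
+else if (trust.emailFlags & kTrustedCA)
+trust_bits |= TRUSTED_EMAIL;
+
+if ((trust.objectSigningFlags & kCAFlags) == CERTDB_TERMINAL_RECORD)
+trust_bits |= DISTRUSTED_OBJ_SIGN;
+else if (trust.objectSigningFlags & kTrustedCA)
+trust_bits |= TRUSTED_OBJ_SIGN;
+
+return trust_bits;
+}
+case SERVER_CERT:
+if (trust.sslFlags & CERTDB_TERMINAL_RECORD) {
+if (trust.sslFlags & CERTDB_TRUSTED)
+return TRUSTED_SSL;
+return DISTRUSTED_SSL;
+}
+return TRUST_DEFAULT;
+default:
+return TRUST_DEFAULT;
+}
+}
+
+bool NSSCertDatabase::IsUntrusted(const X509Certificate* cert) const {
+CERTCertTrust nsstrust;
+SECStatus rv = CERT_GetCertTrust(cert->os_cert_handle(), &nsstrust);
+if (rv != SECSuccess) {
+LOG(ERROR) << "CERT_GetCertTrust failed with error " << PORT_GetError();
+return false;
+}
+
+// The CERTCertTrust structure contains three trust records:
+// sslFlags, emailFlags, and objectSigningFlags. The three
+// trust records are independent of each other.
+//
+// If the CERTDB_TERMINAL_RECORD bit in a trust record is set,
+// then that trust record is a terminal record. A terminal
+// record is used for explicit trust and distrust of an
+// end-entity or intermediate CA cert.
+//
+// In a terminal record, if neither CERTDB_TRUSTED_CA nor
+// CERTDB_TRUSTED is set, then the terminal record means
+// explicit distrust. On the other hand, if the terminal
+// record has either CERTDB_TRUSTED_CA or CERTDB_TRUSTED bit
+// set, then the terminal record means explicit trust.
+//
+// For a root CA, the trust record does not have
+// the CERTDB_TERMINAL_RECORD bit set.
+
+static const unsigned int kTrusted = CERTDB_TRUSTED_CA | CERTDB_TRUSTED;
+if ((nsstrust.sslFlags & CERTDB_TERMINAL_RECORD) != 0 &&
+(nsstrust.sslFlags & kTrusted) == 0) {
+return true;
+}
+if ((nsstrust.emailFlags & CERTDB_TERMINAL_RECORD) != 0 &&
+(nsstrust.emailFlags & kTrusted) == 0) {
+return true;
+}
+if ((nsstrust.objectSigningFlags & CERTDB_TERMINAL_RECORD) != 0 &&
+(nsstrust.objectSigningFlags & kTrusted) == 0) {
+return true;
+}
+
+// Self-signed certificates that don't have any trust bits set are untrusted.
+// Other certificates that don't have any trust bits set may still be trusted
+// if they chain up to a trust anchor.
+if (CERT_CompareName(&cert->os_cert_handle()->issuer,
+&cert->os_cert_handle()->subject) == SECEqual) {
+return (nsstrust.sslFlags & kTrusted) == 0 &&
+(nsstrust.emailFlags & kTrusted) == 0 &&
+(nsstrust.objectSigningFlags & kTrusted) == 0;
+}
+
+return false;
+}
+
+bool NSSCertDatabase::SetCertTrust(const X509Certificate* cert,
+CertType type,
+TrustBits trust_bits) {
+bool success = psm::SetCertTrust(cert, type, trust_bits);
+if (success)
+NotifyObserversOfCertTrustChanged(cert);
+
+return success;
+}
+
+bool NSSCertDatabase::DeleteCertAndKey(const X509Certificate* cert) {
+// For some reason, PK11_DeleteTokenCertAndKey only calls
+// SEC_DeletePermCertificate if the private key is found. So, we check
+// whether a private key exists before deciding which function to call to
+// delete the cert.
+SECKEYPrivateKey *privKey = PK11_FindKeyByAnyCert(cert->os_cert_handle(),
+NULL);
+if (privKey) {
+SECKEY_DestroyPrivateKey(privKey);
+if (PK11_DeleteTokenCertAndKey(cert->os_cert_handle(), NULL)) {
+LOG(ERROR) << "PK11_DeleteTokenCertAndKey failed: " << PORT_GetError();
+return false;
+}
+} else {
+if (SEC_DeletePermCertificate(cert->os_cert_handle())) {
+LOG(ERROR) << "SEC_DeletePermCertificate failed: " << PORT_GetError();
+return false;
+}
+}
+
+NotifyObserversOfCertRemoved(cert);
+
+return true;
+}
+
+bool NSSCertDatabase::IsReadOnly(const X509Certificate* cert) const {
+PK11SlotInfo* slot = cert->os_cert_handle()->slot;
+return slot && PK11_IsReadOnly(slot);
+}
+
+void NSSCertDatabase::AddObserver(Observer* observer) {
+observer_list_->AddObserver(observer);
+}
+
+void NSSCertDatabase::RemoveObserver(Observer* observer) {
+observer_list_->RemoveObserver(observer);
+}
+
+void NSSCertDatabase::NotifyObserversOfCertAdded(const X509Certificate* cert) {
+observer_list_->Notify(&Observer::OnCertAdded, make_scoped_refptr(cert));
+}
+
+void NSSCertDatabase::NotifyObserversOfCertRemoved(
+const X509Certificate* cert) {
+observer_list_->Notify(&Observer::OnCertRemoved, make_scoped_refptr(cert));
+}
+
+void NSSCertDatabase::NotifyObserversOfCertTrustChanged(
+const X509Certificate* cert) {
+observer_list_->Notify(
+&Observer::OnCertTrustChanged, make_scoped_refptr(cert));
+}
+
+} // namespace net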
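Review bot: `ListCerts` (new-file lines 57-69) feeds the result of `PK11_ListCerts` straight into `CERT_LIST_HEAD(cert_list)` and later `CERT_DestroyCertList(cert_list)` without a NULL check, whereas `ListModules` directly below guards the analogous `PK11_GetAllTokens` result and logs `PORT_GetError()` before returning. `PK11_ListCerts` returns NULL on failure, so a failed enumeration would dereference NULL instead of leaving `certs` empty. I would mirror `ListModules` with `if (!cert_list) { LOG(ERROR) << "PK11_ListCerts failed: " << PORT_GetError(); return; }` ahead of the loop. Separately, `ImportFromPKCS12` and `ImportCACerts` notify observers with a NULL certificate, which is not obvious from the `NotifyObserversOf*` signatures; a comment at those call sites such as `// Bulk import: observers receive a NULL cert and should re-query the database.` would document the contract that `Observer::OnCertAdded`/`OnCertTrustChanged` implementations must tolerate.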