| OLD | NEW |
|---|
| (Empty) |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include "net/base/cert_database.h" | |
| 6 | |
| 7 #include <cert.h> | |
| 8 #include <pk11pub.h> | |
| 9 #include <secmod.h> | |
| 10 | |
| 11 #include "base/logging.h" | |
| 12 #include "base/observer_list_threadsafe.h" | |
| 13 #include "crypto/nss_util.h" | |
| 14 #include "net/base/net_errors.h" | |
| 15 #include "net/base/nss_cert_database.h" | |
| 16 #include "net/base/x509_certificate.h" | |
| 17 | |
| 18 namespace net { | |
| 19 | |
| 20 // Helper that observes events from the NSSCertDatabase and forwards them to | |
| 21 // the given CertDatabase. | |
| 22 class CertDatabase::Notifier : public NSSCertDatabase::Observer { | |
| 23 public: | |
| 24 explicit Notifier(CertDatabase* cert_db) : cert_db_(cert_db) { | |
| 25 NSSCertDatabase::GetInstance()->AddObserver(this); | |
| 26 } | |
| 27 | |
| 28 virtual ~Notifier() { | |
| 29 NSSCertDatabase::GetInstance()->RemoveObserver(this); | |
| 30 } | |
| 31 | |
| 32 // NSSCertDatabase::Observer implementation: | |
| 33 virtual void OnCertAdded(const X509Certificate* cert) OVERRIDE { | |
| 34 cert_db_->NotifyObserversOfCertAdded(cert); | |
| 35 } | |
| 36 | |
| 37 virtual void OnCertRemoved(const X509Certificate* cert) OVERRIDE { | |
| 38 cert_db_->NotifyObserversOfCertRemoved(cert); | |
| 39 } | |
| 40 | |
| 41 virtual void OnCertTrustChanged(const X509Certificate* cert) OVERRIDE { | |
| 42 cert_db_->NotifyObserversOfCertTrustChanged(cert); | |
| 43 } | |
| 44 | |
| 45 private: | |
| 46 CertDatabase* cert_db_; | |
| 47 | |
| 48 DISALLOW_COPY_AND_ASSIGN(Notifier); | |
| 49 }; | |
| 50 | |
| 51 CertDatabase::CertDatabase() | |
| 52 : observer_list_(new ObserverListThreadSafe<Observer>) { | |
| 53 // Observe NSSCertDatabase events and forward them to observers of | |
| 54 // CertDatabase. This also makes sure that NSS has been initialized. | |
| 55 notifier_.reset(new Notifier(this)); | |
| 56 } | |
| 57 | |
| 58 CertDatabase::~CertDatabase() {} | |
| 59 | |
| 60 int CertDatabase::CheckUserCert(X509Certificate* cert_obj) { | |
| 61 if (!cert_obj) | |
| 62 return ERR_CERT_INVALID; | |
| 63 if (cert_obj->HasExpired()) | |
| 64 return ERR_CERT_DATE_INVALID; | |
| 65 | |
| 66 // Check if the private key corresponding to the certificate exist | |
| 67 // We shouldn't accept any random client certificate sent by a CA. | |
| 68 | |
| 69 // Note: The NSS source documentation wrongly suggests that this | |
| 70 // also imports the certificate if the private key exists. This | |
| 71 // doesn't seem to be the case. | |
| 72 | |
| 73 CERTCertificate* cert = cert_obj->os_cert_handle(); | |
| 74 PK11SlotInfo* slot = PK11_KeyForCertExists(cert, NULL, NULL); | |
| 75 if (!slot) | |
| 76 return ERR_NO_PRIVATE_KEY_FOR_CERT; | |
| 77 | |
| 78 PK11_FreeSlot(slot); | |
| 79 | |
| 80 return OK; | |
| 81 } | |
| 82 | |
| 83 int CertDatabase::AddUserCert(X509Certificate* cert_obj) { | |
| 84 CERTCertificate* cert = cert_obj->os_cert_handle(); | |
| 85 PK11SlotInfo* slot = NULL; | |
| 86 | |
| 87 { | |
| 88 crypto::AutoNSSWriteLock lock; | |
| 89 slot = PK11_ImportCertForKey( | |
| 90 cert, | |
| 91 cert_obj->GetDefaultNickname(net::USER_CERT).c_str(), | |
| 92 NULL); | |
| 93 } | |
| 94 | |
| 95 if (!slot) { | |
| 96 LOG(ERROR) << "Couldn't import user certificate."; | |
| 97 return ERR_ADD_USER_CERT_FAILED; | |
| 98 } | |
| 99 PK11_FreeSlot(slot); | |
| 100 NotifyObserversOfCertAdded(cert_obj); | |
| 101 return OK; | |
| 102 } | |
| 103 | |
| 104 } // namespace net | |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 13006020:
net: extract net/cert out of net/base (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src