| OLD | NEW |
|---|
| (Empty) |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #ifndef NET_BASE_NSS_CERT_DATABASE_H_ | |
| 6 #define NET_BASE_NSS_CERT_DATABASE_H_ | |
| 7 | |
| 8 #include <string> | |
| 9 #include <vector> | |
| 10 | |
| 11 #include "base/basictypes.h" | |
| 12 #include "base/memory/ref_counted.h" | |
| 13 #include "base/string16.h" | |
| 14 #include "net/base/cert_type.h" | |
| 15 #include "net/base/net_export.h" | |
| 16 #include "net/base/x509_certificate.h" | |
| 17 | |
| 18 template <typename T> struct DefaultSingletonTraits; | |
| 19 template <class ObserverType> class ObserverListThreadSafe; | |
| 20 | |
| 21 namespace net { | |
| 22 | |
| 23 class CryptoModule; | |
| 24 typedef std::vector<scoped_refptr<CryptoModule> > CryptoModuleList; | |
| 25 | |
| 26 // Provides functions to manipulate the NSS certificate stores. | |
| 27 class NET_EXPORT NSSCertDatabase { | |
| 28 public: | |
| 29 | |
| 30 class NET_EXPORT Observer { | |
| 31 public: | |
| 32 virtual ~Observer() {} | |
| 33 | |
| 34 // Will be called when a new certificate is added. | |
| 35 // Called with |cert| == NULL after importing a list of certificates | |
| 36 // in ImportFromPKCS12(). | |
| 37 virtual void OnCertAdded(const X509Certificate* cert) {} | |
| 38 | |
| 39 // Will be called when a certificate is removed. | |
| 40 virtual void OnCertRemoved(const X509Certificate* cert) {} | |
| 41 | |
| 42 // Will be called when a certificate's trust is changed. | |
| 43 // Called with |cert| == NULL after importing a list of certificates | |
| 44 // in ImportCACerts(). | |
| 45 virtual void OnCertTrustChanged(const X509Certificate* cert) {} | |
| 46 | |
| 47 protected: | |
| 48 Observer() {} | |
| 49 | |
| 50 private: | |
| 51 DISALLOW_COPY_AND_ASSIGN(Observer); | |
| 52 }; | |
| 53 | |
| 54 // Stores per-certificate error codes for import failures. | |
| 55 struct NET_EXPORT ImportCertFailure { | |
| 56 public: | |
| 57 ImportCertFailure(X509Certificate* cert, int err); | |
| 58 ~ImportCertFailure(); | |
| 59 | |
| 60 scoped_refptr<X509Certificate> certificate; | |
| 61 int net_error; | |
| 62 }; | |
| 63 typedef std::vector<ImportCertFailure> ImportCertFailureList; | |
| 64 | |
| 65 // Constants that define which usages a certificate is trusted for. | |
| 66 // They are used in combination with CertType to specify trust for each type | |
| 67 // of certificate. | |
| 68 // For a CA_CERT, they specify that the CA is trusted for issuing server and | |
| 69 // client certs of each type. | |
| 70 // For SERVER_CERT, only TRUSTED_SSL makes sense, and specifies the cert is | |
| 71 // trusted as a server. | |
| 72 // For EMAIL_CERT, only TRUSTED_EMAIL makes sense, and specifies the cert is | |
| 73 // trusted for email. | |
| 74 // DISTRUSTED_* specifies that the cert should not be trusted for the given | |
| 75 // usage, regardless of whether it would otherwise inherit trust from the | |
| 76 // issuer chain. | |
| 77 // Use TRUST_DEFAULT to inherit trust as normal. | |
| 78 // NOTE: The actual constants are defined using an enum instead of static | |
| 79 // consts due to compilation/linkage constraints with template functions. | |
| 80 typedef uint32 TrustBits; | |
| 81 enum { | |
| 82 TRUST_DEFAULT = 0, | |
| 83 TRUSTED_SSL = 1 << 0, | |
| 84 TRUSTED_EMAIL = 1 << 1, | |
| 85 TRUSTED_OBJ_SIGN = 1 << 2, | |
| 86 DISTRUSTED_SSL = 1 << 3, | |
| 87 DISTRUSTED_EMAIL = 1 << 4, | |
| 88 DISTRUSTED_OBJ_SIGN = 1 << 5, | |
| 89 }; | |
| 90 | |
| 91 static NSSCertDatabase* GetInstance(); | |
| 92 | |
| 93 // Get a list of unique certificates in the certificate database (one | |
| 94 // instance of all certificates). | |
| 95 void ListCerts(CertificateList* certs); | |
| 96 | |
| 97 // Get the default module for public key data. | |
| 98 // The returned pointer must be stored in a scoped_refptr<CryptoModule>. | |
| 99 CryptoModule* GetPublicModule() const; | |
| 100 | |
| 101 // Get the default module for private key or mixed private/public key data. | |
| 102 // The returned pointer must be stored in a scoped_refptr<CryptoModule>. | |
| 103 CryptoModule* GetPrivateModule() const; | |
| 104 | |
| 105 // Get all modules. | |
| 106 // If |need_rw| is true, only writable modules will be returned. | |
| 107 void ListModules(CryptoModuleList* modules, bool need_rw) const; | |
| 108 | |
| 109 // Import certificates and private keys from PKCS #12 blob into the module. | |
| 110 // If |is_extractable| is false, mark the private key as being unextractable | |
| 111 // from the module. | |
| 112 // Returns OK or a network error code such as ERR_PKCS12_IMPORT_BAD_PASSWORD | |
| 113 // or ERR_PKCS12_IMPORT_ERROR. |imported_certs|, if non-NULL, returns a list | |
| 114 // of certs that were imported. | |
| 115 int ImportFromPKCS12(CryptoModule* module, | |
| 116 const std::string& data, | |
| 117 const base::string16& password, | |
| 118 bool is_extractable, | |
| 119 CertificateList* imported_certs); | |
| 120 | |
| 121 // Export the given certificates and private keys into a PKCS #12 blob, | |
| 122 // storing into |output|. | |
| 123 // Returns the number of certificates successfully exported. | |
| 124 int ExportToPKCS12(const CertificateList& certs, | |
| 125 const base::string16& password, | |
| 126 std::string* output) const; | |
| 127 | |
| 128 // Uses similar logic to nsNSSCertificateDB::handleCACertDownload to find the | |
| 129 // root. Assumes the list is an ordered hierarchy with the root being either | |
| 130 // the first or last element. | |
| 131 // TODO(mattm): improve this to handle any order. | |
| 132 X509Certificate* FindRootInList(const CertificateList& certificates) const; | |
| 133 | |
| 134 // Import CA certificates. | |
| 135 // Tries to import all the certificates given. The root will be trusted | |
| 136 // according to |trust_bits|. Any certificates that could not be imported | |
| 137 // will be listed in |not_imported|. | |
| 138 // Returns false if there is an internal error, otherwise true is returned and | |
| 139 // |not_imported| should be checked for any certificates that were not | |
| 140 // imported. | |
| 141 bool ImportCACerts(const CertificateList& certificates, | |
| 142 TrustBits trust_bits, | |
| 143 ImportCertFailureList* not_imported); | |
| 144 | |
| 145 // Import server certificate. The first cert should be the server cert. Any | |
| 146 // additional certs should be intermediate/CA certs and will be imported but | |
| 147 // not given any trust. | |
| 148 // Any certificates that could not be imported will be listed in | |
| 149 // |not_imported|. | |
| 150 // |trust_bits| can be set to explicitly trust or distrust the certificate, or | |
| 151 // use TRUST_DEFAULT to inherit trust as normal. | |
| 152 // Returns false if there is an internal error, otherwise true is returned and | |
| 153 // |not_imported| should be checked for any certificates that were not | |
| 154 // imported. | |
| 155 bool ImportServerCert(const CertificateList& certificates, | |
| 156 TrustBits trust_bits, | |
| 157 ImportCertFailureList* not_imported); | |
| 158 | |
| 159 // Get trust bits for certificate. | |
| 160 TrustBits GetCertTrust(const X509Certificate* cert, CertType type) const; | |
| 161 | |
| 162 // IsUntrusted returns true if |cert| is specifically untrusted. These | |
| 163 // certificates are stored in the database for the specific purpose of | |
| 164 // rejecting them. | |
| 165 bool IsUntrusted(const X509Certificate* cert) const; | |
| 166 | |
| 167 // Set trust values for certificate. | |
| 168 // Returns true on success or false on failure. | |
| 169 bool SetCertTrust(const X509Certificate* cert, | |
| 170 CertType type, | |
| 171 TrustBits trust_bits); | |
| 172 | |
| 173 // Delete certificate and associated private key (if one exists). | |
| 174 // |cert| is still valid when this function returns. Returns true on | |
| 175 // success. | |
| 176 bool DeleteCertAndKey(const X509Certificate* cert); | |
| 177 | |
| 178 // Check whether cert is stored in a readonly slot. | |
| 179 bool IsReadOnly(const X509Certificate* cert) const; | |
| 180 | |
| 181 // Registers |observer| to receive notifications of certificate changes. The | |
| 182 // thread on which this is called is the thread on which |observer| will be | |
| 183 // called back with notifications. | |
| 184 void AddObserver(Observer* observer); | |
| 185 | |
| 186 // Unregisters |observer| from receiving notifications. This must be called | |
| 187 // on the same thread on which AddObserver() was called. | |
| 188 void RemoveObserver(Observer* observer); | |
| 189 | |
| 190 private: | |
| 191 friend struct DefaultSingletonTraits<NSSCertDatabase>; | |
| 192 | |
| 193 NSSCertDatabase(); | |
| 194 ~NSSCertDatabase(); | |
| 195 | |
| 196 // Broadcasts notifications to all registered observers. | |
| 197 void NotifyObserversOfCertAdded(const X509Certificate* cert); | |
| 198 void NotifyObserversOfCertRemoved(const X509Certificate* cert); | |
| 199 void NotifyObserversOfCertTrustChanged(const X509Certificate* cert); | |
| 200 | |
| 201 const scoped_refptr<ObserverListThreadSafe<Observer> > observer_list_; | |
| 202 | |
| 203 DISALLOW_COPY_AND_ASSIGN(NSSCertDatabase); | |
| 204 }; | |
| 205 | |
| 206 } // namespace net | |
| 207 | |
| 208 #endif // NET_BASE_NSS_CERT_DATABASE_H_ | |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 13006020:
net: extract net/cert out of net/base (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src