Use per-user nssdb in onc certificate importer

chromeos/network/onc/onc_certificate_importer_impl.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chromeos/network/onc/onc_certificate_importer_impl.h"
 
 #include <cert.h>
 #include <keyhi.h>
 #include <pk11pub.h>
 
 #include "base/base64.h"
 #include "base/logging.h"
 #include "base/values.h"
 #include "chromeos/network/network_event_log.h"
 #include "chromeos/network/onc/onc_utils.h"
 #include "components/onc/onc_constants.h"
 #include "net/base/crypto_module.h"
 #include "net/base/net_errors.h"
 #include "net/cert/nss_cert_database.h"
 #include "net/cert/x509_certificate.h"
 
 #define ONC_LOG_WARNING(message)                                \
   NET_LOG_DEBUG("ONC Certificate Import Warning", message)
 #define ONC_LOG_ERROR(message)                                  \
   NET_LOG_ERROR("ONC Certificate Import Error", message)
 
 namespace chromeos {
 namespace onc {
 
-CertificateImporterImpl::CertificateImporterImpl() {
+CertificateImporterImpl::CertificateImporterImpl(
+    net::NSSCertDatabase* target_nssdb)
+    : target_nssdb_(target_nssdb) {
+  CHECK(target_nssdb);
 }
 
 bool CertificateImporterImpl::ImportCertificates(
     const base::ListValue& certificates,
     ::onc::ONCSource source,
     net::CertificateList* onc_trusted_certificates) {
   VLOG(2) << "ONC file has " << certificates.GetSize() << " certificates";
 
   // Web trust is only granted to certificates imported by the user.
   bool allow_trust_imports = source == ::onc::ONC_SOURCE_USER_IMPORT;
-  if (!ParseAndStoreCertificates(
-          allow_trust_imports, certificates, onc_trusted_certificates, NULL)) {
+  if (!ParseAndStoreCertificates(allow_trust_imports,
+                                 certificates,
+                                 onc_trusted_certificates,
+                                 NULL)) {
     LOG(ERROR) << "Cannot parse some of the certificates in the ONC from "
                << onc::GetSourceAsString(source);
     return false;
   }
   return true;
 }
 
 bool CertificateImporterImpl::ParseAndStoreCertificates(
     bool allow_trust_imports,
     const base::ListValue& certificates,
@@ skipping 15 matching lines @@
       ONC_LOG_ERROR(
           base::StringPrintf("Cannot parse certificate at index %zu", i));
     } else {
       VLOG(2) << "Successfully imported certificate at index " << i;
     }
   }
   return success;
 }
 
 // static
-void CertificateImporterImpl::ListCertsWithNickname(const std::string& label,
-                                                net::CertificateList* result) {
+void CertificateImporterImpl::ListCertsWithNickname(
+    const std::string& label,
+    net::CertificateList* result,
+    net::NSSCertDatabase* target_nssdb) {
   net::CertificateList all_certs;
-  net::NSSCertDatabase::GetInstance()->ListCerts(&all_certs);
+  target_nssdb->ListCerts(&all_certs);
   result->clear();
   for (net::CertificateList::iterator iter = all_certs.begin();
        iter != all_certs.end(); ++iter) {
     if (iter->get()->os_cert_handle()->nickname) {
       // Separate the nickname stored in the certificate at the colon, since
       // NSS likes to store it as token:nickname.
       const char* delimiter =
           ::strchr(iter->get()->os_cert_handle()->nickname, ':');
       if (delimiter) {
         ++delimiter;  // move past the colon.
@@ skipping 15 matching lines @@
       if (private_key_nickname && std::string(label) == private_key_nickname)
         result->push_back(*iter);
       PORT_Free(private_key_nickname);
       SECKEY_DestroyPrivateKey(private_key);
     }
   }
 }
 
 // static
 bool CertificateImporterImpl::DeleteCertAndKeyByNickname(
-    const std::string& label) {
+    const std::string& label,
+    net::NSSCertDatabase* target_nssdb) {
   net::CertificateList cert_list;
-  ListCertsWithNickname(label, &cert_list);
+  ListCertsWithNickname(label, &cert_list, target_nssdb);
   bool result = true;
   for (net::CertificateList::iterator iter = cert_list.begin();
        iter != cert_list.end(); ++iter) {
     // If we fail, we try and delete the rest still.
     // TODO(gspencer): this isn't very "transactional".  If we fail on some, but
     // not all, then it's possible to leave things in a weird state.
     // Luckily there should only be one cert with a particular
     // label, and the cert not being found is one of the few reasons the
     // delete could fail, but still...  The other choice is to return
     // failure immediately, but that doesn't seem to do what is intended.
-    if (!net::NSSCertDatabase::GetInstance()->DeleteCertAndKey(iter->get()))
+    if (!target_nssdb->DeleteCertAndKey(iter->get()))
       result = false;
   }
   return result;
 }
 
 bool CertificateImporterImpl::ParseAndStoreCertificate(
     bool allow_trust_imports,
     const base::DictionaryValue& certificate,
     net::CertificateList* onc_trusted_certificates,
     CertsByGUID* imported_server_and_ca_certs) {
   // Get out the attributes of the given certificate.
   std::string guid;
   certificate.GetStringWithoutPathExpansion(::onc::certificate::kGUID, &guid);
   DCHECK(!guid.empty());
 
   bool remove = false;
   if (certificate.GetBooleanWithoutPathExpansion(::onc::kRemove, &remove) &&
       remove) {
-    if (!DeleteCertAndKeyByNickname(guid)) {
+    if (!DeleteCertAndKeyByNickname(guid, target_nssdb_)) {
       ONC_LOG_ERROR("Unable to delete certificate");
       return false;
     } else {
       return true;
     }
   }
 
   // Not removing, so let's get the data we need to add this certificate.
   std::string cert_type;
   certificate.GetStringWithoutPathExpansion(::onc::certificate::kType,
@@ skipping 67 matching lines @@
   if (!x509_cert.get()) {
     ONC_LOG_ERROR("Unable to create certificate from PEM encoding, type: " +
                   cert_type);
     return false;
   }
 
   net::NSSCertDatabase::TrustBits trust = (import_with_ssl_trust ?
                                            net::NSSCertDatabase::TRUSTED_SSL :
                                            net::NSSCertDatabase::TRUST_DEFAULT);
 
-  net::NSSCertDatabase* cert_database = net::NSSCertDatabase::GetInstance();
   if (x509_cert->os_cert_handle()->isperm) {
     net::CertType net_cert_type =
         cert_type == ::onc::certificate::kServer ? net::SERVER_CERT
                                                  : net::CA_CERT;
     VLOG(1) << "Certificate is already installed.";
     net::NSSCertDatabase::TrustBits missing_trust_bits =
-        trust & ~cert_database->GetCertTrust(x509_cert.get(), net_cert_type);
+        trust & ~target_nssdb_->GetCertTrust(x509_cert.get(), net_cert_type);
     if (missing_trust_bits) {
       std::string error_reason;
       bool success = false;
-      if (cert_database->IsReadOnly(x509_cert.get())) {
+      if (target_nssdb_->IsReadOnly(x509_cert.get())) {
         error_reason = " Certificate is stored read-only.";
       } else {
-        success = cert_database->SetCertTrust(x509_cert.get(),
+        success = target_nssdb_->SetCertTrust(x509_cert.get(),
                                               net_cert_type,
                                               trust);
       }
       if (!success) {
         ONC_LOG_ERROR("Certificate of type " + cert_type +
                       " was already present, but trust couldn't be set." +
                       error_reason);
       }
     }
   } else {
     net::CertificateList cert_list;
     cert_list.push_back(x509_cert);
     net::NSSCertDatabase::ImportCertFailureList failures;
     bool success = false;
     if (cert_type == ::onc::certificate::kServer)
-      success = cert_database->ImportServerCert(cert_list, trust, &failures);
+      success = target_nssdb_->ImportServerCert(cert_list, trust, &failures);
     else  // Authority cert
-      success = cert_database->ImportCACerts(cert_list, trust, &failures);
+      success = target_nssdb_->ImportCACerts(cert_list, trust, &failures);
 
     if (!failures.empty()) {
       ONC_LOG_ERROR(
           base::StringPrintf("Error ( %s ) importing %s certificate",
                              net::ErrorToString(failures[0].net_error),
                              cert_type.c_str()));
       return false;
     }
 
     if (!success) {
@@ skipping 23 matching lines @@
   }
 
   std::string decoded_pkcs12;
   if (!base::Base64Decode(pkcs12_data, &decoded_pkcs12)) {
     ONC_LOG_ERROR(
         "Unable to base64 decode PKCS#12 data: \"" + pkcs12_data + "\".");
     return false;
   }
 
   // Since this has a private key, always use the private module.
-  net::NSSCertDatabase* cert_database = net::NSSCertDatabase::GetInstance();
-  scoped_refptr<net::CryptoModule> module(cert_database->GetPrivateModule());
+  scoped_refptr<net::CryptoModule> module(net::CryptoModule::CreateFromHandle(
+      target_nssdb_->GetPrivateSlot().get()));
   net::CertificateList imported_certs;
 
-  int import_result = cert_database->ImportFromPKCS12(
+  int import_result = target_nssdb_->ImportFromPKCS12(
       module.get(), decoded_pkcs12, base::string16(), false, &imported_certs);
   if (import_result != net::OK) {
     ONC_LOG_ERROR(
         base::StringPrintf("Unable to import client certificate (error %s)",
                            net::ErrorToString(import_result)));
     return false;
   }
 
   if (imported_certs.size() == 0) {
     ONC_LOG_WARNING("PKCS12 data contains no importable certificates.");
@@ skipping 17 matching lines @@
     PK11_SetPrivateKeyNickname(private_key, const_cast<char*>(guid.c_str()));
     SECKEY_DestroyPrivateKey(private_key);
   } else {
     ONC_LOG_WARNING("Unable to find private key for certificate.");
   }
   return true;
 }
 
 }  // namespace onc
 }  // namespace chromeos