Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(22)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: chromeos/network/onc/onc_certificate_importer_impl.cc

Issue 148183013: Use per-user nssdb in onc certificate importer (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: . Created 6 years, 10 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« chrome/browser/ui/webui/net_internals/net_internals_ui.cc ('K') | « chromeos/network/onc/onc_certificate_importer_impl.h ('k') | chromeos/network/onc/onc_certificate_importer_impl_unittest.cc » ('j') | chromeos/network/onc/onc_certificate_importer_impl_unittest.cc » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: chromeos/network/onc/onc_certificate_importer_impl.cc
diff --git a/chromeos/network/onc/onc_certificate_importer_impl.cc b/chromeos/network/onc/onc_certificate_importer_impl.cc
index 4e466262b453dfe00d4ad8e0316b5b3f8c447357..64b0e590b54afc9534a9a23a46f8b664b461bfa5 100644
--- a/chromeos/network/onc/onc_certificate_importer_impl.cc
+++ b/chromeos/network/onc/onc_certificate_importer_impl.cc
@@ -33,13 +33,17 @@ CertificateImporterImpl::CertificateImporterImpl() {
bool CertificateImporterImpl::ImportCertificates(
const base::ListValue& certificates,
::onc::ONCSource source,
+ net::NSSCertDatabase* target_nssdb,
net::CertificateList* onc_trusted_certificates) {
VLOG(2) << "ONC file has " << certificates.GetSize() << " certificates";
// Web trust is only granted to certificates imported by the user.
bool allow_trust_imports = source == ::onc::ONC_SOURCE_USER_IMPORT;
- if (!ParseAndStoreCertificates(
- allow_trust_imports, certificates, onc_trusted_certificates, NULL)) {
+ if (!ParseAndStoreCertificates(allow_trust_imports,
+ certificates,
+ onc_trusted_certificates,
+ target_nssdb,
+ NULL)) {
LOG(ERROR) << "Cannot parse some of the certificates in the ONC from "
<< onc::GetSourceAsString(source);
return false;
@@ -51,7 +55,10 @@ bool CertificateImporterImpl::ParseAndStoreCertificates(
bool allow_trust_imports,
const base::ListValue& certificates,
net::CertificateList* onc_trusted_certificates,
+ net::NSSCertDatabase* target_nssdb,
CertsByGUID* imported_server_and_ca_certs) {
+ DCHECK(target_nssdb);
+
bool success = true;
for (size_t i = 0; i < certificates.GetSize(); ++i) {
const base::DictionaryValue* certificate = NULL;
@@ -63,6 +70,7 @@ bool CertificateImporterImpl::ParseAndStoreCertificates(
if (!ParseAndStoreCertificate(allow_trust_imports,
*certificate,
onc_trusted_certificates,
+ target_nssdb,
imported_server_and_ca_certs)) {
success = false;
ONC_LOG_ERROR(
@@ -75,10 +83,12 @@ bool CertificateImporterImpl::ParseAndStoreCertificates(
}
// static
-void CertificateImporterImpl::ListCertsWithNickname(const std::string& label,
- net::CertificateList* result) {
+void CertificateImporterImpl::ListCertsWithNickname(
+ const std::string& label,
+ net::CertificateList* result,
+ net::NSSCertDatabase* target_nssdb) {
net::CertificateList all_certs;
- net::NSSCertDatabase::GetInstance()->ListCerts(&all_certs);
+ target_nssdb->ListCerts(&all_certs);
result->clear();
for (net::CertificateList::iterator iter = all_certs.begin();
iter != all_certs.end(); ++iter) {
@@ -114,9 +124,10 @@ void CertificateImporterImpl::ListCertsWithNickname(const std::string& label,
// static
bool CertificateImporterImpl::DeleteCertAndKeyByNickname(
- const std::string& label) {
+ const std::string& label,
+ net::NSSCertDatabase* target_nssdb) {
net::CertificateList cert_list;
- ListCertsWithNickname(label, &cert_list);
+ ListCertsWithNickname(label, &cert_list, target_nssdb);
bool result = true;
for (net::CertificateList::iterator iter = cert_list.begin();
iter != cert_list.end(); ++iter) {
@@ -127,7 +138,7 @@ bool CertificateImporterImpl::DeleteCertAndKeyByNickname(
// label, and the cert not being found is one of the few reasons the
// delete could fail, but still... The other choice is to return
// failure immediately, but that doesn't seem to do what is intended.
- if (!net::NSSCertDatabase::GetInstance()->DeleteCertAndKey(iter->get()))
+ if (!target_nssdb->DeleteCertAndKey(iter->get()))
result = false;
}
return result;
@@ -137,6 +148,7 @@ bool CertificateImporterImpl::ParseAndStoreCertificate(
bool allow_trust_imports,
const base::DictionaryValue& certificate,
net::CertificateList* onc_trusted_certificates,
+ net::NSSCertDatabase* target_nssdb,
CertsByGUID* imported_server_and_ca_certs) {
// Get out the attributes of the given certificate.
std::string guid;
@@ -146,7 +158,7 @@ bool CertificateImporterImpl::ParseAndStoreCertificate(
bool remove = false;
if (certificate.GetBooleanWithoutPathExpansion(::onc::kRemove, &remove) &&
remove) {
- if (!DeleteCertAndKeyByNickname(guid)) {
+ if (!DeleteCertAndKeyByNickname(guid, target_nssdb)) {
ONC_LOG_ERROR("Unable to delete certificate");
return false;
} else {
@@ -165,9 +177,10 @@ bool CertificateImporterImpl::ParseAndStoreCertificate(
guid,
certificate,
onc_trusted_certificates,
+ target_nssdb,
imported_server_and_ca_certs);
} else if (cert_type == ::onc::certificate::kClient) {
- return ParseClientCertificate(guid, certificate);
+ return ParseClientCertificate(guid, certificate, target_nssdb);
}
NOTREACHED();
@@ -180,6 +193,7 @@ bool CertificateImporterImpl::ParseServerOrCaCertificate(
const std::string& guid,
const base::DictionaryValue& certificate,
net::CertificateList* onc_trusted_certificates,
+ net::NSSCertDatabase* target_nssdb,
CertsByGUID* imported_server_and_ca_certs) {
bool web_trust_flag = false;
const base::ListValue* trust_list = NULL;
@@ -234,23 +248,22 @@ bool CertificateImporterImpl::ParseServerOrCaCertificate(
net::NSSCertDatabase::TRUSTED_SSL :
net::NSSCertDatabase::TRUST_DEFAULT);
- net::NSSCertDatabase* cert_database = net::NSSCertDatabase::GetInstance();
if (x509_cert->os_cert_handle()->isperm) {
net::CertType net_cert_type =
cert_type == ::onc::certificate::kServer ? net::SERVER_CERT
: net::CA_CERT;
VLOG(1) << "Certificate is already installed.";
net::NSSCertDatabase::TrustBits missing_trust_bits =
- trust & ~cert_database->GetCertTrust(x509_cert.get(), net_cert_type);
+ trust & ~target_nssdb->GetCertTrust(x509_cert.get(), net_cert_type);
if (missing_trust_bits) {
std::string error_reason;
bool success = false;
- if (cert_database->IsReadOnly(x509_cert.get())) {
+ if (target_nssdb->IsReadOnly(x509_cert.get())) {
error_reason = " Certificate is stored read-only.";
} else {
- success = cert_database->SetCertTrust(x509_cert.get(),
- net_cert_type,
- trust);
+ success = target_nssdb->SetCertTrust(x509_cert.get(),
+ net_cert_type,
+ trust);
}
if (!success) {
ONC_LOG_ERROR("Certificate of type " + cert_type +
@@ -264,9 +277,9 @@ bool CertificateImporterImpl::ParseServerOrCaCertificate(
net::NSSCertDatabase::ImportCertFailureList failures;
bool success = false;
if (cert_type == ::onc::certificate::kServer)
- success = cert_database->ImportServerCert(cert_list, trust, &failures);
+ success = target_nssdb->ImportServerCert(cert_list, trust, &failures);
else // Authority cert
- success = cert_database->ImportCACerts(cert_list, trust, &failures);
+ success = target_nssdb->ImportCACerts(cert_list, trust, &failures);
if (!failures.empty()) {
ONC_LOG_ERROR(
@@ -293,7 +306,8 @@ bool CertificateImporterImpl::ParseServerOrCaCertificate(
bool CertificateImporterImpl::ParseClientCertificate(
const std::string& guid,
- const base::DictionaryValue& certificate) {
+ const base::DictionaryValue& certificate,
+ net::NSSCertDatabase* target_nssdb) {
std::string pkcs12_data;
if (!certificate.GetStringWithoutPathExpansion(::onc::certificate::kPKCS12,
&pkcs12_data) ||
@@ -310,11 +324,11 @@ bool CertificateImporterImpl::ParseClientCertificate(
}
// Since this has a private key, always use the private module.
- net::NSSCertDatabase* cert_database = net::NSSCertDatabase::GetInstance();
- scoped_refptr<net::CryptoModule> module(cert_database->GetPrivateModule());
+ scoped_refptr<net::CryptoModule> module(net::CryptoModule::CreateFromHandle(
+ target_nssdb->GetPrivateSlot().get()));
net::CertificateList imported_certs;
- int import_result = cert_database->ImportFromPKCS12(
+ int import_result = target_nssdb->ImportFromPKCS12(
module.get(), decoded_pkcs12, base::string16(), false, &imported_certs);
if (import_result != net::OK) {
ONC_LOG_ERROR(
« chrome/browser/ui/webui/net_internals/net_internals_ui.cc ('K') | « chromeos/network/onc/onc_certificate_importer_impl.h ('k') | chromeos/network/onc/onc_certificate_importer_impl_unittest.cc » ('j') | chromeos/network/onc/onc_certificate_importer_impl_unittest.cc » ('J')

Powered by Google App Engine
This is Rietveld 408576698