
Side by Side Diff: net/cert/cert_database_nss.cc

Issue 15315003: Generate unique certificate nicknames on Linux/CrOS. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Update README Created 7 years, 7 months ago
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/cert/cert_database.h" 5 #include "net/cert/cert_database.h"
6 6
7 #include <cert.h> 7 #include <cert.h>
8 #include <pk11pub.h> 8 #include <pk11pub.h>
9 #include <secmod.h> 9 #include <secmod.h>
10 10
11 #include "base/logging.h" 11 #include "base/logging.h"
12 #include "base/observer_list_threadsafe.h" 12 #include "base/observer_list_threadsafe.h"
13 #include "crypto/nss_util.h" 13 #include "crypto/nss_util.h"
14 #include "crypto/scoped_nss_types.h"
14 #include "net/base/net_errors.h" 15 #include "net/base/net_errors.h"
15 #include "net/cert/nss_cert_database.h" 16 #include "net/cert/nss_cert_database.h"
16 #include "net/cert/x509_certificate.h" 17 #include "net/cert/x509_certificate.h"
18 #include "net/cert/x509_util_nss.h"
17 19
18 namespace net { 20 namespace net {
19 21
20 // Helper that observes events from the NSSCertDatabase and forwards them to 22 // Helper that observes events from the NSSCertDatabase and forwards them to
21 // the given CertDatabase. 23 // the given CertDatabase.
22 class CertDatabase::Notifier : public NSSCertDatabase::Observer { 24 class CertDatabase::Notifier : public NSSCertDatabase::Observer {
23 public: 25 public:
24 explicit Notifier(CertDatabase* cert_db) : cert_db_(cert_db) { 26 explicit Notifier(CertDatabase* cert_db) : cert_db_(cert_db) {
25 NSSCertDatabase::GetInstance()->AddObserver(this); 27 NSSCertDatabase::GetInstance()->AddObserver(this);
26 } 28 }
(...skipping 48 matching lines...) Expand 10 before | Expand all | Expand 10 after
75 if (!slot) 77 if (!slot)
76 return ERR_NO_PRIVATE_KEY_FOR_CERT; 78 return ERR_NO_PRIVATE_KEY_FOR_CERT;
77 79
78 PK11_FreeSlot(slot); 80 PK11_FreeSlot(slot);
79 81
80 return OK; 82 return OK;
81 } 83 }
82 84
83 int CertDatabase::AddUserCert(X509Certificate* cert_obj) { 85 int CertDatabase::AddUserCert(X509Certificate* cert_obj) {
84 CERTCertificate* cert = cert_obj->os_cert_handle(); 86 CERTCertificate* cert = cert_obj->os_cert_handle();
85 PK11SlotInfo* slot = NULL; 87 CK_OBJECT_HANDLE key;
88 crypto::ScopedPK11Slot slot(PK11_KeyForCertExists(cert, &key, NULL));
89 if (!slot.get())
90 return ERR_NO_PRIVATE_KEY_FOR_CERT;
86 91
92 std::string nickname = x509_util::GetUniqueNicknameForSlot(
93 cert_obj->GetDefaultNickname(USER_CERT),
94 &cert->derSubject,
95 slot.get());
96
97 SECStatus rv;
87 { 98 {
88 crypto::AutoNSSWriteLock lock; 99 crypto::AutoNSSWriteLock lock;
89 slot = PK11_ImportCertForKey( 100 rv = PK11_ImportCert(slot.get(), cert, key, nickname.c_str(), PR_FALSE);
90 cert,
91 cert_obj->GetDefaultNickname(net::USER_CERT).c_str(),
92 NULL);
93 } 101 }
94 102
95 if (!slot) { 103 if (rv != SECSuccess) {
96 LOG(ERROR) << "Couldn't import user certificate."; 104 LOG(ERROR) << "Couldn't import user certificate. " << PORT_GetError();
wtc 2013/05/22 20:58:45 Should we also log an error message on line 90?
Ryan Sleevi 2013/05/22 23:20:19 I'm actually not a big fan of the current error me
97 return ERR_ADD_USER_CERT_FAILED; 105 return ERR_ADD_USER_CERT_FAILED;
98 } 106 }
99 PK11_FreeSlot(slot); 107
100 NotifyObserversOfCertAdded(cert_obj); 108 NotifyObserversOfCertAdded(cert_obj);
101 return OK; 109 return OK;
102 } 110 }
103 111
104 } // namespace net 112 } // namespace net
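Review bot: In the new `AddUserCert`, the nickname from `x509_util::GetUniqueNicknameForSlot(...)` is computed before the `crypto::AutoNSSWriteLock` scope is entered, so its uniqueness holds only at the moment of the check. Another import into the same slot between that call and `PK11_ImportCert` could presumably claim the same nickname, which would bring back the collision this change sets out to avoid. If the helper does not itself take the NSS write lock (not visible in this file), moving the nickname computation inside the locked block would close the window. Otherwise I would at least document it above the call, e.g. `// Uniqueness is best-effort: the nickname is checked before the write lock is taken, so a concurrent import may still collide.` Separately, `CK_OBJECT_HANDLE key;` is only assigned by `PK11_KeyForCertExists` on success; initialising it as `CK_OBJECT_HANDLE key = CK_INVALID_HANDLE;` would keep a later refactor from passing an indeterminate handle to `PK11_ImportCert`.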