OLD | NEW |
1 // Copyright (c) 2009 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/base/cert_database.h" | 5 #include "net/base/cert_database.h" |
6 | 6 |
| 7 #include <windows.h> |
| 8 #include <wincrypt.h> |
| 9 #pragma comment(lib, "crypt32.lib") |
| 10 |
7 #include "base/logging.h" | 11 #include "base/logging.h" |
| 12 #include "base/string_util.h" |
| 13 #include "net/base/keygen_handler.h" |
8 #include "net/base/net_errors.h" | 14 #include "net/base/net_errors.h" |
| 15 #include "net/base/x509_certificate.h" |
9 | 16 |
10 namespace net { | 17 namespace net { |
11 | 18 |
| 19 namespace { |
| 20 |
| 21 // Returns an encoded version of SubjectPublicKeyInfo from |cert| that is |
| 22 // compatible with KeygenHandler::Cache. If the cert cannot be converted, an |
| 23 // empty string is returned. |
| 24 std::string GetSubjectPublicKeyInfo(const X509Certificate* cert) { |
| 25 DCHECK(cert); |
| 26 |
| 27 std::string result; |
| 28 if (!cert->os_cert_handle() || !cert->os_cert_handle()->pCertInfo) |
| 29 return result; |
| 30 |
| 31 BOOL ok; |
| 32 DWORD size = 0; |
| 33 PCERT_PUBLIC_KEY_INFO key_info = |
| 34 &(cert->os_cert_handle()->pCertInfo->SubjectPublicKeyInfo); |
| 35 ok = CryptEncodeObject(X509_ASN_ENCODING, X509_PUBLIC_KEY_INFO, key_info, |
| 36 NULL, &size); |
| 37 if (!ok) |
| 38 return result; |
| 39 |
| 40 ok = CryptEncodeObject(X509_ASN_ENCODING, X509_PUBLIC_KEY_INFO, key_info, |
| 41 reinterpret_cast<BYTE*>(WriteInto(&result, size + 1)), |
| 42 &size); |
| 43 if (!ok) { |
| 44 result.clear(); |
| 45 return result; |
| 46 } |
| 47 |
| 48 // Per MSDN, the resultant structure may be smaller than the original size |
| 49 // supplied, so shrink to the actual size output. |
| 50 result.resize(size); |
| 51 |
| 52 return result; |
| 53 } |
| 54 |
| 55 // Returns true if |cert| was successfully modified to reference |location| to |
| 56 // obtain the associated private key. |
| 57 bool LinkCertToPrivateKey(X509Certificate* cert, |
| 58 KeygenHandler::KeyLocation location) { |
| 59 DCHECK(cert); |
| 60 |
| 61 CRYPT_KEY_PROV_INFO prov_info = { 0 }; |
| 62 prov_info.pwszContainerName = |
| 63 const_cast<LPWSTR>(location.container_name.c_str()); |
| 64 prov_info.pwszProvName = |
| 65 const_cast<LPWSTR>(location.provider_name.c_str()); |
| 66 |
| 67 // Implicit by it being from KeygenHandler, which only supports RSA keys. |
| 68 prov_info.dwProvType = PROV_RSA_FULL; |
| 69 prov_info.dwKeySpec = AT_KEYEXCHANGE; |
| 70 |
| 71 BOOL ok = CertSetCertificateContextProperty(cert->os_cert_handle(), |
| 72 CERT_KEY_PROV_INFO_PROP_ID, 0, |
| 73 &prov_info); |
| 74 return ok != FALSE; |
| 75 } |
| 76 |
| 77 } // namespace |
| 78 |
12 CertDatabase::CertDatabase() { | 79 CertDatabase::CertDatabase() { |
13 NOTIMPLEMENTED(); | |
14 } | 80 } |
15 | 81 |
16 int CertDatabase::CheckUserCert(X509Certificate* cert) { | 82 int CertDatabase::CheckUserCert(X509Certificate* cert) { |
17 NOTIMPLEMENTED(); | 83 if (!cert) |
18 return ERR_NOT_IMPLEMENTED; | 84 return ERR_CERT_INVALID; |
| 85 if (cert->HasExpired()) |
| 86 return ERR_CERT_DATE_INVALID; |
| 87 |
| 88 std::string encoded_info = GetSubjectPublicKeyInfo(cert); |
| 89 KeygenHandler::Cache* cache = KeygenHandler::Cache::GetInstance(); |
| 90 KeygenHandler::KeyLocation location; |
| 91 |
| 92 if (encoded_info.empty() || !cache->Find(encoded_info, &location) || |
| 93 !LinkCertToPrivateKey(cert, location)) |
| 94 return ERR_NO_PRIVATE_KEY_FOR_CERT; |
| 95 |
| 96 return OK; |
19 } | 97 } |
20 | 98 |
21 int CertDatabase::AddUserCert(X509Certificate* cert) { | 99 int CertDatabase::AddUserCert(X509Certificate* cert) { |
22 NOTIMPLEMENTED(); | 100 // TODO(rsleevi): Would it be more appropriate to have the CertDatabase take |
23 return ERR_NOT_IMPLEMENTED; | 101 // construction parameters (Keychain filepath on Mac OS X, PKCS #11 slot on |
24 } | 102 // NSS, and Store Type / Path) here? For now, certs will be stashed into the |
| 103 // user's personal store, which will not automatically mark them as trusted, |
| 104 // but will allow them to be used for client auth. |
| 105 HCERTSTORE cert_db = CertOpenSystemStore(NULL, L"MY"); |
| 106 if (!cert_db) |
| 107 return ERR_ADD_USER_CERT_FAILED; |
25 | 108 |
26 void CertDatabase::Init() { | 109 BOOL added = CertAddCertificateContextToStore(cert_db, |
27 NOTIMPLEMENTED(); | 110 cert->os_cert_handle(), |
| 111 CERT_STORE_ADD_USE_EXISTING, |
| 112 NULL); |
| 113 |
| 114 CertCloseStore(cert_db, 0); |
| 115 |
| 116 if (!added) |
| 117 return ERR_ADD_USER_CERT_FAILED; |
| 118 |
| 119 return OK; |
28 } | 120 } |
29 | 121 |
30 } // namespace net | 122 } // namespace net |
OLD | NEW |