| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/nss_cert_database.h" | 5 #include "net/cert/nss_cert_database.h" |
| 6 | 6 |
| 7 #include <cert.h> | 7 #include <cert.h> |
| 8 #include <certdb.h> | 8 #include <certdb.h> |
| 9 #include <keyhi.h> | 9 #include <keyhi.h> |
| 10 #include <pk11pub.h> | 10 #include <pk11pub.h> |
| (...skipping 24 matching lines...) Expand all Loading... |
| 35 | 35 |
| 36 namespace net { | 36 namespace net { |
| 37 | 37 |
| 38 NSSCertDatabase::ImportCertFailure::ImportCertFailure( | 38 NSSCertDatabase::ImportCertFailure::ImportCertFailure( |
| 39 const scoped_refptr<X509Certificate>& cert, | 39 const scoped_refptr<X509Certificate>& cert, |
| 40 int err) | 40 int err) |
| 41 : certificate(cert), net_error(err) {} | 41 : certificate(cert), net_error(err) {} |
| 42 | 42 |
| 43 NSSCertDatabase::ImportCertFailure::~ImportCertFailure() {} | 43 NSSCertDatabase::ImportCertFailure::~ImportCertFailure() {} |
| 44 | 44 |
| 45 // On ChromeOS we want to return the default instance of |
| 46 // NSSCertDatabaseChromeOS, not NSSCertDatabase. |
| 47 #if !defined(OS_CHROMEOS) |
| 45 // static | 48 // static |
| 46 NSSCertDatabase* NSSCertDatabase::GetInstance() { | 49 NSSCertDatabase* NSSCertDatabase::GetInstance() { |
| 47 return Singleton<NSSCertDatabase, | 50 return Singleton<NSSCertDatabase, |
| 48 LeakySingletonTraits<NSSCertDatabase> >::get(); | 51 LeakySingletonTraits<NSSCertDatabase> >::get(); |
| 49 } | 52 } |
| 53 #endif |
| 50 | 54 |
| 51 NSSCertDatabase::NSSCertDatabase() | 55 NSSCertDatabase::NSSCertDatabase() |
| 52 : observer_list_(new ObserverListThreadSafe<Observer>) { | 56 : observer_list_(new ObserverListThreadSafe<Observer>) { |
| 53 crypto::EnsureNSSInit(); | 57 // This also makes sure that NSS has been initialized. |
| 58 CertDatabase::GetInstance()->AddSource(this); |
| 59 |
| 54 psm::EnsurePKCS12Init(); | 60 psm::EnsurePKCS12Init(); |
| 55 } | 61 } |
| 56 | 62 |
| 57 NSSCertDatabase::~NSSCertDatabase() {} | 63 NSSCertDatabase::~NSSCertDatabase() {} |
| 58 | 64 |
| 59 void NSSCertDatabase::ListCerts(CertificateList* certs) { | 65 void NSSCertDatabase::ListCerts(CertificateList* certs) { |
| 60 certs->clear(); | 66 certs->clear(); |
| 61 | 67 |
| 62 CERTCertList* cert_list = PK11_ListCerts(PK11CertListUnique, NULL); | 68 CERTCertList* cert_list = PK11_ListCerts(PK11CertListUnique, NULL); |
| 63 CERTCertListNode* node; | 69 CERTCertListNode* node; |
| 64 for (node = CERT_LIST_HEAD(cert_list); | 70 for (node = CERT_LIST_HEAD(cert_list); |
| 65 !CERT_LIST_END(node, cert_list); | 71 !CERT_LIST_END(node, cert_list); |
| 66 node = CERT_LIST_NEXT(node)) { | 72 node = CERT_LIST_NEXT(node)) { |
| 67 certs->push_back(X509Certificate::CreateFromHandle( | 73 certs->push_back(X509Certificate::CreateFromHandle( |
| 68 node->cert, X509Certificate::OSCertHandles())); | 74 node->cert, X509Certificate::OSCertHandles())); |
| 69 } | 75 } |
| 70 CERT_DestroyCertList(cert_list); | 76 CERT_DestroyCertList(cert_list); |
| 71 } | 77 } |
| 72 | 78 |
| 73 CryptoModule* NSSCertDatabase::GetPublicModule() const { | 79 CryptoModule* NSSCertDatabase::GetPublicModule() const { |
| 74 CryptoModule* module = | 80 crypto::ScopedPK11Slot slot(GetPublicSlot()); |
| 75 CryptoModule::CreateFromHandle(crypto::GetPublicNSSKeySlot()); | 81 CryptoModule* module = CryptoModule::CreateFromHandle(slot.get()); |
| 76 // The module is already referenced when returned from | |
| 77 // GetPublicNSSKeySlot, so we need to deref it once. | |
| 78 PK11_FreeSlot(module->os_module_handle()); | |
| 79 | 82 |
| 80 return module; | 83 return module; |
| 81 } | 84 } |
| 82 | 85 |
| 83 CryptoModule* NSSCertDatabase::GetPrivateModule() const { | 86 CryptoModule* NSSCertDatabase::GetPrivateModule() const { |
| 84 CryptoModule* module = | 87 crypto::ScopedPK11Slot slot(GetPrivateSlot()); |
| 85 CryptoModule::CreateFromHandle(crypto::GetPrivateNSSKeySlot()); | 88 CryptoModule* module = CryptoModule::CreateFromHandle(slot.get()); |
| 86 // The module is already referenced when returned from | |
| 87 // GetPrivateNSSKeySlot, so we need to deref it once. | |
| 88 PK11_FreeSlot(module->os_module_handle()); | |
| 89 | 89 |
| 90 return module; | 90 return module; |
| 91 } | 91 } |
| 92 | 92 |
| 93 crypto::ScopedPK11Slot NSSCertDatabase::GetPublicSlot() const { |
| 94 return crypto::ScopedPK11Slot(crypto::GetPublicNSSKeySlot()); |
| 95 } |
| 96 |
| 97 crypto::ScopedPK11Slot NSSCertDatabase::GetPrivateSlot() const { |
| 98 return crypto::ScopedPK11Slot(crypto::GetPrivateNSSKeySlot()); |
| 99 } |
| 100 |
| 93 void NSSCertDatabase::ListModules(CryptoModuleList* modules, | 101 void NSSCertDatabase::ListModules(CryptoModuleList* modules, |
| 94 bool need_rw) const { | 102 bool need_rw) const { |
| 95 modules->clear(); | 103 modules->clear(); |
| 96 | 104 |
| 97 // The wincx arg is unused since we don't call PK11_SetIsLoggedInFunc. | 105 // The wincx arg is unused since we don't call PK11_SetIsLoggedInFunc. |
| 98 crypto::ScopedPK11SlotList slot_list( | 106 crypto::ScopedPK11SlotList slot_list( |
| 99 PK11_GetAllTokens(CKM_INVALID_MECHANISM, | 107 PK11_GetAllTokens(CKM_INVALID_MECHANISM, |
| 100 need_rw ? PR_TRUE : PR_FALSE, // needRW | 108 need_rw ? PR_TRUE : PR_FALSE, // needRW |
| 101 PR_TRUE, // loadCerts (unused) | 109 PR_TRUE, // loadCerts (unused) |
| 102 NULL)); // wincx | 110 NULL)); // wincx |
| 103 if (!slot_list) { | 111 if (!slot_list) { |
| 104 LOG(ERROR) << "PK11_GetAllTokens failed: " << PORT_GetError(); | 112 LOG(ERROR) << "PK11_GetAllTokens failed: " << PORT_GetError(); |
| 105 return; | 113 return; |
| 106 } | 114 } |
| 107 | 115 |
| 108 PK11SlotListElement* slot_element = PK11_GetFirstSafe(slot_list.get()); | 116 PK11SlotListElement* slot_element = PK11_GetFirstSafe(slot_list.get()); |
| 109 while (slot_element) { | 117 while (slot_element) { |
| 110 modules->push_back(CryptoModule::CreateFromHandle(slot_element->slot)); | 118 modules->push_back(CryptoModule::CreateFromHandle(slot_element->slot)); |
| 111 slot_element = PK11_GetNextSafe(slot_list.get(), slot_element, | 119 slot_element = PK11_GetNextSafe(slot_list.get(), slot_element, |
| 112 PR_FALSE); // restart | 120 PR_FALSE); // restart |
| 113 } | 121 } |
| 114 } | 122 } |
| 115 | 123 |
| 116 int NSSCertDatabase::ImportFromPKCS12( | 124 int NSSCertDatabase::ImportFromPKCS12( |
| 117 CryptoModule* module, | 125 CryptoModule* module, |
| 118 const std::string& data, | 126 const std::string& data, |
| 119 const base::string16& password, | 127 const base::string16& password, |
| 120 bool is_extractable, | 128 bool is_extractable, |
| 121 net::CertificateList* imported_certs) { | 129 net::CertificateList* imported_certs) { |
| 130 VLOG(1) << __func__ << " " |
| 131 << PK11_GetModuleID(module->os_module_handle()) << ":" |
| 132 << PK11_GetSlotID(module->os_module_handle()); |
| 122 int result = psm::nsPKCS12Blob_Import(module->os_module_handle(), | 133 int result = psm::nsPKCS12Blob_Import(module->os_module_handle(), |
| 123 data.data(), data.size(), | 134 data.data(), data.size(), |
| 124 password, | 135 password, |
| 125 is_extractable, | 136 is_extractable, |
| 126 imported_certs); | 137 imported_certs); |
| 127 if (result == net::OK) | 138 if (result == net::OK) |
| 128 NotifyObserversOfCertAdded(NULL); | 139 NotifyObserversOfCertAdded(NULL); |
| 129 | 140 |
| 130 return result; | 141 return result; |
| 131 } | 142 } |
| (...skipping 25 matching lines...) Expand all Loading... |
| 157 return certn_1; | 168 return certn_1; |
| 158 | 169 |
| 159 VLOG(1) << "certificate list is not a hierarchy"; | 170 VLOG(1) << "certificate list is not a hierarchy"; |
| 160 return cert0; | 171 return cert0; |
| 161 } | 172 } |
| 162 | 173 |
| 163 bool NSSCertDatabase::ImportCACerts(const CertificateList& certificates, | 174 bool NSSCertDatabase::ImportCACerts(const CertificateList& certificates, |
| 164 TrustBits trust_bits, | 175 TrustBits trust_bits, |
| 165 ImportCertFailureList* not_imported) { | 176 ImportCertFailureList* not_imported) { |
| 166 X509Certificate* root = FindRootInList(certificates); | 177 X509Certificate* root = FindRootInList(certificates); |
| 167 bool success = psm::ImportCACerts(certificates, root, trust_bits, | 178 bool success = psm::ImportCACerts( |
| 168 not_imported); | 179 GetPublicSlot(), |
| 180 certificates, |
| 181 root, |
| 182 trust_bits, |
| 183 not_imported); |
| 169 if (success) | 184 if (success) |
| 170 NotifyObserversOfCertTrustChanged(NULL); | 185 NotifyObserversOfCertTrustChanged(NULL); |
| 171 | 186 |
| 172 return success; | 187 return success; |
| 173 } | 188 } |
| 174 | 189 |
| 175 bool NSSCertDatabase::ImportServerCert(const CertificateList& certificates, | 190 bool NSSCertDatabase::ImportServerCert(const CertificateList& certificates, |
| 176 TrustBits trust_bits, | 191 TrustBits trust_bits, |
| 177 ImportCertFailureList* not_imported) { | 192 ImportCertFailureList* not_imported) { |
| 178 return psm::ImportServerCert(certificates, trust_bits, not_imported); | 193 return psm::ImportServerCert( |
| 194 GetPublicSlot(), |
| 195 certificates, |
| 196 trust_bits, |
| 197 not_imported); |
| 179 } | 198 } |
| 180 | 199 |
| 181 NSSCertDatabase::TrustBits NSSCertDatabase::GetCertTrust( | 200 NSSCertDatabase::TrustBits NSSCertDatabase::GetCertTrust( |
| 182 const X509Certificate* cert, | 201 const X509Certificate* cert, |
| 183 CertType type) const { | 202 CertType type) const { |
| 184 CERTCertTrust trust; | 203 CERTCertTrust trust; |
| 185 SECStatus srv = CERT_GetCertTrust(cert->os_cert_handle(), &trust); | 204 SECStatus srv = CERT_GetCertTrust(cert->os_cert_handle(), &trust); |
| 186 if (srv != SECSuccess) { | 205 if (srv != SECSuccess) { |
| 187 LOG(ERROR) << "CERT_GetCertTrust failed with error " << PORT_GetError(); | 206 LOG(ERROR) << "CERT_GetCertTrust failed with error " << PORT_GetError(); |
| 188 return TRUST_DEFAULT; | 207 return TRUST_DEFAULT; |
| (...skipping 146 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 335 observer_list_->Notify(&Observer::OnCertRemoved, make_scoped_refptr(cert)); | 354 observer_list_->Notify(&Observer::OnCertRemoved, make_scoped_refptr(cert)); |
| 336 } | 355 } |
| 337 | 356 |
| 338 void NSSCertDatabase::NotifyObserversOfCertTrustChanged( | 357 void NSSCertDatabase::NotifyObserversOfCertTrustChanged( |
| 339 const X509Certificate* cert) { | 358 const X509Certificate* cert) { |
| 340 observer_list_->Notify( | 359 observer_list_->Notify( |
| 341 &Observer::OnCertTrustChanged, make_scoped_refptr(cert)); | 360 &Observer::OnCertTrustChanged, make_scoped_refptr(cert)); |
| 342 } | 361 } |
| 343 | 362 |
| 344 } // namespace net | 363 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 18121007:
*WIP* Store NSS slots per profile. Move keygen to chrome. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src