OLD | NEW |
(Empty) | |
| 1 // Copyright 2016 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #include "net/cert/internal/trust_store_nss.h" |
| 6 |
| 7 #include <cert.h> |
| 8 #include <certdb.h> |
| 9 |
| 10 #include "base/callback_helpers.h" |
| 11 #include "base/memory/ptr_util.h" |
| 12 #include "base/memory/weak_ptr.h" |
| 13 #include "base/task_runner.h" |
| 14 #include "base/task_runner_util.h" |
| 15 #include "crypto/nss_util.h" |
| 16 #include "net/cert/internal/parsed_certificate.h" |
| 17 #include "net/cert/scoped_nss_types.h" |
| 18 |
| 19 // XXX structure so that supporting chromeos stuff is doable ( |
| 20 // TrustStoreChromeOS which uses net::NSSProfileFilterChromeOS.. similar to |
| 21 // CertVerifyProcChromeOS ) |
| 22 |
| 23 namespace net { |
| 24 |
| 25 namespace { |
| 26 |
| 27 bool CheckTrust(scoped_refptr<ParsedCertificate> cert) { |
| 28 SECItem der_cert; |
| 29 der_cert.data = const_cast<uint8_t*>(cert->der_cert().UnsafeData()); |
| 30 der_cert.len = base::checked_cast<unsigned>(cert->der_cert().Length()); |
| 31 der_cert.type = siDERCertBuffer; |
| 32 |
| 33 // XXX Is this an acceptable way to get the cert for checking trust? Should it |
| 34 // use CERT_NewTempCertificate instead? Or is there a way to get a trust value |
| 35 // directly without going through CERT_GetCertTrust? |
| 36 ScopedCERTCertificate nss_cert( |
| 37 CERT_FindCertByDERCert(CERT_GetDefaultCertDB(), &der_cert)); |
| 38 if (!nss_cert) |
| 39 return false; |
| 40 |
| 41 CERTCertTrust trust; |
| 42 if (CERT_GetCertTrust(nss_cert.get(), &trust) != SECSuccess) |
| 43 return false; |
| 44 |
| 45 // TODO(mattm): handle explicit distrust (blacklisting)? |
| 46 const int ca_trust = CERTDB_TRUSTED_CA; |
| 47 return (trust.sslFlags & ca_trust) == ca_trust; |
| 48 } |
| 49 |
| 50 class CheckTrustRequest : public TrustStore::Request { |
| 51 public: |
| 52 explicit CheckTrustRequest(const TrustStore::TrustCallback& callback); |
| 53 // Destruction of the Request cancels it. CheckTrust will still run, but the |
| 54 // callback will not be called since the WeakPtr will be invalidated. |
| 55 ~CheckTrustRequest() override = default; |
| 56 |
| 57 void Start(scoped_refptr<ParsedCertificate> cert, |
| 58 base::TaskRunner* task_runner); |
| 59 |
| 60 private: |
| 61 void HandleCheckTrust(bool trusted); |
| 62 |
| 63 scoped_refptr<ParsedCertificate> cert_; |
| 64 TrustStore::TrustCallback callback_; |
| 65 base::WeakPtrFactory<CheckTrustRequest> weak_ptr_factory_; |
| 66 }; |
| 67 |
| 68 CheckTrustRequest::CheckTrustRequest(const TrustStore::TrustCallback& callback) |
| 69 : callback_(callback), weak_ptr_factory_(this) {} |
| 70 |
| 71 void CheckTrustRequest::Start(scoped_refptr<ParsedCertificate> cert, |
| 72 base::TaskRunner* task_runner) { |
| 73 base::PostTaskAndReplyWithResult( |
| 74 task_runner, FROM_HERE, base::Bind(&CheckTrust, cert), |
| 75 base::Bind(&CheckTrustRequest::HandleCheckTrust, |
| 76 weak_ptr_factory_.GetWeakPtr())); |
| 77 } |
| 78 |
| 79 void CheckTrustRequest::HandleCheckTrust(bool trusted) { |
| 80 base::ResetAndReturn(&callback_).Run(trusted); |
| 81 // |this| may be deleted here. |
| 82 } |
| 83 |
| 84 std::unique_ptr<ParsedCertificateList> GetIssuers( |
| 85 scoped_refptr<ParsedCertificate> cert) { |
| 86 std::unique_ptr<ParsedCertificateList> result(new ParsedCertificateList); |
| 87 SECItem name; |
| 88 name.len = cert->tbs().issuer_tlv.Length(); |
| 89 name.data = const_cast<uint8_t*>(cert->tbs().issuer_tlv.UnsafeData()); |
| 90 //name.len = cert->normalized_issuer().Length(); |
| 91 //name.data = const_cast<uint8_t*>(cert->normalized_issuer().UnsafeData()); |
| 92 // XXX NSS doesn't seem to do normalization here ... |
| 93 CERTCertList* found_certs = CERT_CreateSubjectCertList( |
| 94 nullptr, CERT_GetDefaultCertDB(), &name, PR_Now() /* sorttime */, |
| 95 PR_FALSE /* validOnly */); |
| 96 if (!found_certs) { |
| 97 return result; |
| 98 } |
| 99 |
| 100 for (CERTCertListNode* node = CERT_LIST_HEAD(found_certs); |
| 101 !CERT_LIST_END(node, found_certs); node = CERT_LIST_NEXT(node)) { |
| 102 if (!ParsedCertificate::CreateAndAddToVector( |
| 103 node->cert->derCert.data, node->cert->derCert.len, |
| 104 ParsedCertificate::DataSource::INTERNAL_COPY, {}, result.get())) { |
| 105 // TODO(mattm): return errors better. |
| 106 LOG(ERROR) << "error parsing issuer certificate"; |
| 107 } |
| 108 // TODO(mattm): check trust of cert here, cache it in the TrustStoreNSS so |
| 109 // that IsTrustedCertificate can be synchronous. (Assuming cache only |
| 110 // applies to one verification.) |
| 111 } |
| 112 CERT_DestroyCertList(found_certs); |
| 113 return result; |
| 114 } |
| 115 |
| 116 class GetIssuersRequest : public CertIssuerSource::Request { |
| 117 public: |
| 118 explicit GetIssuersRequest(const CertIssuerSource::IssuerCallback& callback); |
| 119 // Destruction of the Request cancels it. CheckTrust will still run, but the |
| 120 // callback will not be called since the WeakPtr will be invalidated. |
| 121 ~GetIssuersRequest() override = default; |
| 122 |
| 123 void Start(scoped_refptr<ParsedCertificate> cert, |
| 124 base::TaskRunner* task_runner); |
| 125 |
| 126 // CertIssuerSource::Request implementation: |
| 127 CompletionStatus GetNext(scoped_refptr<ParsedCertificate>* out_cert) override; |
| 128 |
| 129 private: |
| 130 void HandleGetIssuers(std::unique_ptr<ParsedCertificateList> issuers_list); |
| 131 |
| 132 scoped_refptr<ParsedCertificate> cert_; |
| 133 std::unique_ptr<ParsedCertificateList> issuers_; |
| 134 size_t current_result_ = 0; |
| 135 CertIssuerSource::IssuerCallback callback_; |
| 136 base::WeakPtrFactory<GetIssuersRequest> weak_ptr_factory_; |
| 137 }; |
| 138 |
| 139 GetIssuersRequest::GetIssuersRequest( |
| 140 const CertIssuerSource::IssuerCallback& callback) |
| 141 : callback_(callback), weak_ptr_factory_(this) {} |
| 142 |
| 143 void GetIssuersRequest::Start(scoped_refptr<ParsedCertificate> cert, |
| 144 base::TaskRunner* task_runner) { |
| 145 base::PostTaskAndReplyWithResult( |
| 146 task_runner, FROM_HERE, base::Bind(&GetIssuers, cert), |
| 147 base::Bind(&GetIssuersRequest::HandleGetIssuers, |
| 148 weak_ptr_factory_.GetWeakPtr())); |
| 149 } |
| 150 |
| 151 CompletionStatus GetIssuersRequest::GetNext( |
| 152 scoped_refptr<ParsedCertificate>* out_cert) { |
| 153 DCHECK(issuers_); |
| 154 if (current_result_ < issuers_->size()) |
| 155 *out_cert = std::move((*issuers_)[current_result_++]); |
| 156 else |
| 157 *out_cert = nullptr; |
| 158 return CompletionStatus::SYNC; |
| 159 } |
| 160 |
| 161 void GetIssuersRequest::HandleGetIssuers( |
| 162 std::unique_ptr<ParsedCertificateList> issuers_list) { |
| 163 issuers_ = std::move(issuers_list); |
| 164 base::ResetAndReturn(&callback_).Run(this); |
| 165 // |this| may be deleted here. |
| 166 } |
| 167 |
| 168 } // namespace |
| 169 |
| 170 TrustStoreNSS::TrustStoreNSS(scoped_refptr<base::TaskRunner> nss_task_runner) |
| 171 : nss_task_runner_(std::move(nss_task_runner)) { |
| 172 crypto::EnsureNSSInit(); |
| 173 } |
| 174 |
| 175 TrustStoreNSS::~TrustStoreNSS() = default; |
| 176 |
| 177 void TrustStoreNSS::IsTrustedCertificate( |
| 178 scoped_refptr<ParsedCertificate> cert, |
| 179 const TrustCallback& callback, |
| 180 bool* out_trusted, |
| 181 std::unique_ptr<TrustStore::Request>* out_req) const { |
| 182 std::unique_ptr<CheckTrustRequest> req; |
| 183 req = base::WrapUnique(new CheckTrustRequest(callback)); |
| 184 req->Start(std::move(cert), nss_task_runner_.get()); |
| 185 *out_req = std::move(req); |
| 186 } |
| 187 |
| 188 void TrustStoreNSS::SyncGetIssuersOf(const ParsedCertificate* cert, |
| 189 ParsedCertificateList* issuers) { |
| 190 // TrustStoreNSS never returns synchronous issuer results. |
| 191 } |
| 192 |
| 193 void TrustStoreNSS::AsyncGetIssuersOf( |
| 194 scoped_refptr<ParsedCertificate> cert, |
| 195 const IssuerCallback& callback, |
| 196 std::unique_ptr<CertIssuerSource::Request>* out_req) { |
| 197 std::unique_ptr<GetIssuersRequest> req; |
| 198 req = base::WrapUnique(new GetIssuersRequest(callback)); |
| 199 req->Start(std::move(cert), nss_task_runner_.get()); |
| 200 *out_req = std::move(req); |
| 201 } |
| 202 |
| 203 } // namespace net |
OLD | NEW |