Extension API enterprise.platformKeys.

net/cert/nss_cert_database.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/nss_cert_database.h"
 
 #include <cert.h>
 #include <certdb.h>
 #include <keyhi.h>
 #include <pk11pub.h>
 #include <secmod.h>
 
 #include "base/bind.h"
 #include "base/callback.h"
 #include "base/lazy_instance.h"
 #include "base/logging.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/observer_list_threadsafe.h"
 #include "base/task_runner.h"
+#include "base/task_runner_util.h"
 #include "base/threading/worker_pool.h"
 #include "crypto/nss_util.h"
 #include "crypto/nss_util_internal.h"
 #include "crypto/scoped_nss_types.h"
 #include "net/base/crypto_module.h"
 #include "net/base/net_errors.h"
 #include "net/cert/cert_database.h"
 #include "net/cert/x509_certificate.h"
 #include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h"
 #include "net/third_party/mozilla_security_manager/nsPKCS12Blob.h"
@@ skipping 28 matching lines @@
   // TODO(mattm): Remove this ifdef guard once the linux impl of
   // GetNSSCertDatabaseForResourceContext does not call GetInstance.
 #if defined(OS_CHROMEOS)
   LOG(ERROR) << "NSSCertDatabase::GetInstance() is deprecated."
              << "See http://crbug.com/329735.";
 #endif
   return &g_nss_cert_database.Get();
 }
 
 NSSCertDatabase::NSSCertDatabase()
-    : observer_list_(new ObserverListThreadSafe<Observer>) {
+    : observer_list_(new ObserverListThreadSafe<Observer>),
+      weak_factory_(this) {
   // This also makes sure that NSS has been initialized.
   CertDatabase::GetInstance()->ObserveNSSCertDatabase(this);
 
   psm::EnsurePKCS12Init();
 }
 
 NSSCertDatabase::~NSSCertDatabase() {}
 
 void NSSCertDatabase::ListCertsSync(CertificateList* certs) {
-  ListCertsImpl(certs);
+  ListCertsImpl(crypto::ScopedPK11Slot(), certs);
 }
 
 void NSSCertDatabase::ListCerts(
     const base::Callback<void(scoped_ptr<CertificateList> certs)>& callback) {
   scoped_ptr<CertificateList> certs(new CertificateList());
 
-  // base::Pased will NULL out |certs|, so cache the underlying pointer here.
+  // base::Passed will NULL out |certs|, so cache the underlying pointer here.
   CertificateList* raw_certs = certs.get();
   GetSlowTaskRunner()->PostTaskAndReply(
       FROM_HERE,
       base::Bind(&NSSCertDatabase::ListCertsImpl,
+                 base::Passed(crypto::ScopedPK11Slot()),
                  base::Unretained(raw_certs)),
       base::Bind(callback, base::Passed(&certs)));
 }
+
+void NSSCertDatabase::ListCertsInSlot(const ListCertsCallback& callback,
+                                      PK11SlotInfo* slot) {
+  DCHECK(slot);
+  scoped_ptr<CertificateList> certs(new CertificateList());
+
+  // base::Passed will NULL out |certs|, so cache the underlying pointer here.
+  CertificateList* raw_certs = certs.get();
+  GetSlowTaskRunner()->PostTaskAndReply(
+      FROM_HERE,
+      base::Bind(&NSSCertDatabase::ListCertsImpl,
+                 base::Passed(crypto::ScopedPK11Slot(PK11_ReferenceSlot(slot))),
+                 base::Unretained(raw_certs)),
+      base::Bind(callback, base::Passed(&certs)));
+}
 
 crypto::ScopedPK11Slot NSSCertDatabase::GetPublicSlot() const {
   return crypto::ScopedPK11Slot(crypto::GetPublicNSSKeySlot());
 }
 
 crypto::ScopedPK11Slot NSSCertDatabase::GetPrivateSlot() const {
   return crypto::ScopedPK11Slot(crypto::GetPrivateNSSKeySlot());
 }
 
 CryptoModule* NSSCertDatabase::GetPublicModule() const {
@@ skipping 203 matching lines @@
 bool NSSCertDatabase::SetCertTrust(const X509Certificate* cert,
                                 CertType type,
                                 TrustBits trust_bits) {
   bool success = psm::SetCertTrust(cert, type, trust_bits);
   if (success)
     NotifyObserversOfCACertChanged(cert);
 
   return success;
 }
 
-bool NSSCertDatabase::DeleteCertAndKey(const X509Certificate* cert) {
-  // For some reason, PK11_DeleteTokenCertAndKey only calls
-  // SEC_DeletePermCertificate if the private key is found.  So, we check
-  // whether a private key exists before deciding which function to call to
-  // delete the cert.
-  SECKEYPrivateKey *privKey = PK11_FindKeyByAnyCert(cert->os_cert_handle(),
-                                                    NULL);
-  if (privKey) {
-    SECKEY_DestroyPrivateKey(privKey);
-    if (PK11_DeleteTokenCertAndKey(cert->os_cert_handle(), NULL)) {
-      LOG(ERROR) << "PK11_DeleteTokenCertAndKey failed: " << PORT_GetError();
-      return false;
-    }
-  } else {
-    if (SEC_DeletePermCertificate(cert->os_cert_handle())) {
-      LOG(ERROR) << "SEC_DeletePermCertificate failed: " << PORT_GetError();
-      return false;
-    }
-  }
+bool NSSCertDatabase::DeleteCertAndKey(X509Certificate* cert) {
+  if (!DeleteCertAndKeyImpl(cert))
+    return false;
+  NotifyObserversOfCertRemoved(cert);
+  return true;
+}
 
-  NotifyObserversOfCertRemoved(cert);
-
-  return true;
+void NSSCertDatabase::DeleteCertAndKeyAsync(
+    const scoped_refptr<X509Certificate>& cert,
+    const DeleteCertCallback& callback) {
+  base::PostTaskAndReplyWithResult(
+      GetSlowTaskRunner().get(),
+      FROM_HERE,
+      base::Bind(&NSSCertDatabase::DeleteCertAndKeyImpl, cert),
+      base::Bind(&NSSCertDatabase::NotifyCertRemovalAndCallBack,
+                 weak_factory_.GetWeakPtr(),
+                 cert,
+                 callback));
 }
 
 bool NSSCertDatabase::IsReadOnly(const X509Certificate* cert) const {
   PK11SlotInfo* slot = cert->os_cert_handle()->slot;
   return slot && PK11_IsReadOnly(slot);
 }
 
 bool NSSCertDatabase::IsHardwareBacked(const X509Certificate* cert) const {
   PK11SlotInfo* slot = cert->os_cert_handle()->slot;
   return slot && PK11_IsHW(slot);
 }
 
 void NSSCertDatabase::AddObserver(Observer* observer) {
   observer_list_->AddObserver(observer);
 }
 
 void NSSCertDatabase::RemoveObserver(Observer* observer) {
   observer_list_->RemoveObserver(observer);
 }
 
 void NSSCertDatabase::SetSlowTaskRunnerForTest(
     const scoped_refptr<base::TaskRunner>& task_runner) {
   slow_task_runner_for_test_ = task_runner;
 }
 
 // static
-void NSSCertDatabase::ListCertsImpl(CertificateList* certs) {
+void NSSCertDatabase::ListCertsImpl(crypto::ScopedPK11Slot slot,
+                                    CertificateList* certs) {
   certs->clear();
 
-  CERTCertList* cert_list = PK11_ListCerts(PK11CertListUnique, NULL);
+  CERTCertList* cert_list = NULL;
+  if (slot)
+    cert_list = PK11_ListCertsInSlot(slot.get());
+  else
+    cert_list = PK11_ListCerts(PK11CertListUnique, NULL);
+
   CERTCertListNode* node;
-  for (node = CERT_LIST_HEAD(cert_list);
-       !CERT_LIST_END(node, cert_list);
+  for (node = CERT_LIST_HEAD(cert_list); !CERT_LIST_END(node, cert_list);
        node = CERT_LIST_NEXT(node)) {
     certs->push_back(X509Certificate::CreateFromHandle(
         node->cert, X509Certificate::OSCertHandles()));
   }
   CERT_DestroyCertList(cert_list);
 }
 
 scoped_refptr<base::TaskRunner> NSSCertDatabase::GetSlowTaskRunner() const {
   if (slow_task_runner_for_test_)
     return slow_task_runner_for_test_;
   return base::WorkerPool::GetTaskRunner(true /*task is slow*/);
 }
 
+void NSSCertDatabase::NotifyCertRemovalAndCallBack(
+    scoped_refptr<X509Certificate> cert,
+    const DeleteCertCallback& callback,
+    bool success) {
+  if (success)
+    NotifyObserversOfCertRemoved(cert);
+  callback.Run(success);
+}
+
 void NSSCertDatabase::NotifyObserversOfCertAdded(const X509Certificate* cert) {
   observer_list_->Notify(&Observer::OnCertAdded, make_scoped_refptr(cert));
 }
 
 void NSSCertDatabase::NotifyObserversOfCertRemoved(
     const X509Certificate* cert) {
   observer_list_->Notify(&Observer::OnCertRemoved, make_scoped_refptr(cert));
 }
 
 void NSSCertDatabase::NotifyObserversOfCACertChanged(
     const X509Certificate* cert) {
   observer_list_->Notify(
       &Observer::OnCACertChanged, make_scoped_refptr(cert));
 }
 
+// static
+bool NSSCertDatabase::DeleteCertAndKeyImpl(
+    scoped_refptr<X509Certificate> cert) {
+  // For some reason, PK11_DeleteTokenCertAndKey only calls
+  // SEC_DeletePermCertificate if the private key is found.  So, we check
+  // whether a private key exists before deciding which function to call to
+  // delete the cert.
+  SECKEYPrivateKey *privKey = PK11_FindKeyByAnyCert(cert->os_cert_handle(),
+                                                    NULL);
+  if (privKey) {
+    SECKEY_DestroyPrivateKey(privKey);
+    if (PK11_DeleteTokenCertAndKey(cert->os_cert_handle(), NULL)) {
+      LOG(ERROR) << "PK11_DeleteTokenCertAndKey failed: " << PORT_GetError();
+      return false;
+    }
+  } else {
+    if (SEC_DeletePermCertificate(cert->os_cert_handle())) {
+      LOG(ERROR) << "SEC_DeletePermCertificate failed: " << PORT_GetError();
+      return false;
+    }
+  }
+  return true;
+}
+
 }  // namespace net