dart:io | Add SecureSocket.importPrivateCertificates, that reads a PKCS#12 file.

sdk/lib/io/secure_socket.dart

 // Copyright (c) 2013, the Dart project authors.  Please see the AUTHORS file
 // for details. All rights reserved. Use of this source code is governed by a
 // BSD-style license that can be found in the LICENSE file.
 
 part of dart.io;
 
 /**
  * A high-level class for communicating securely over a TCP socket, using
  * TLS and SSL. The [SecureSocket] exposes both a [Stream] and an
  * [IOSink] interface, making it ideal for using together with
@@ skipping 78 matching lines @@
             host: host,
             sendClientCertificate: sendClientCertificate,
             onBadCertificate: onBadCertificate);
           })
         .then((raw) {
           completer.complete(new SecureSocket._(raw));
         });
     return completer.future;
   }
 
-
   /**
    * Takes an already connected [socket] and starts server side TLS
    * handshake to make the communication secure. When the returned
    * future completes the [SecureSocket] has completed the TLS
    * handshake. Using this function requires that the other end of the
    * connection is going to start the TLS handshake.
    *
    * If the [socket] already has a subscription, this subscription
    * will no longer receive and events. In most cases calling
    * [:pause:] on this subscription before starting TLS handshake is
@@ skipping 88 matching lines @@
    *                             useBuiltinRoots: false);
    *
    * The database should be an NSS certificate database directory
    * containing a cert9.db file, not a cert8.db file.  This version of
    * the database can be created using the NSS certutil tool with "sql:" in
    * front of the absolute path of the database directory, or setting the
    * environment variable [[NSS_DEFAULT_DB_TYPE]] to "sql".
    */
   external static void initialize({String database,
                                    String password,
-                                   bool useBuiltinRoots: true});
-
+                                   bool useBuiltinRoots: true,
+                                   bool readOnly: true});
 
   /**
-   * Trust strings for use in [addCertificate].
+   * Trust strings for use in [addCertificate] and [changeTrust].
    */
   static const String TRUST_ISSUE_SERVER_CERTIFICATES = 'C,,';
   static const String TRUST_ISSUE_CLIENT_CERTIFICATES = 'T,,';
   static const String TRUST_ISSUE_CLIENT_SERVER_CERTIFICATES = 'TC,,';
   static const String TRUST_CERTIFICATE = 'P,,';
 
-
   /**
    * Adds a X509 certificate (for SSL and TLS secure networking) to the
-   * in-memory certificate database.  Returns an X509Certificate object
+   * in-memory certificate cache.  Returns an X509Certificate object
    * with information about the added certificate.
    *
+   * The in-memory certificate cache is different from the certificate
+   * database opened by `SecureSocket.initialize`, and certificates added
+   * by [addCertificate] cannot be modified or removed by [changeTrust]
+   * or [removeCertificate].  However, if the certificate is already in the
+   * database, then [removeCertificate] will remove it from both the database
+   * and the in-memory cache.
+   *
    * [certificate] must be a list of bytes encoding a certificate in
    *  PEM format: a base64 encoded DER certificate, enclosed between
    * "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----".
    *
    * [trust] is a string specifying the allowed uses of this certificate.
    * For example, 'TC,,' specifies that the certificate is for a certificate
    * authority that is trusted to issue server and client certificates, so
    * that a server or client certificate signed by this authority will be
    * accepted.
    *
    * See the documentation of NSS certutil at
    * http://developer.mozilla.org/en-US/docs/NSS_reference/NSS_tools_:_certutil
    * or
    * http://blogs.oracle.com/meena/entry/notes_about_trust_flags
    * for more information about trust attributes.
    */
   external static X509Certificate addCertificate(List<int> certificate,
                                                  String trust);
+
+  /**
+   * Adds a X509 certificates (for SSL and TLS secure networking) with
+   * their private keys to the certificate database.  SecureSocket.initialize
+   * must have been called with the path to a certificate database, and with
+   * readOnly set to false.

[Søren Gjesse, 2013/08/08 19:03:42]

`` around false.

[Bill Hesse, 2013/08/09 13:24:05]

Done.

+   *
+   * [certificates] must be a list containing the bytes of a PKCS #12 encoded
+   * list of certificates and private keys.  These are commonly called
+   * `.pfx` or `.p12` files.  Only PKCS #12 files using
+   * 3-key triple-DES and 40 bit RC2 encryption are accepted.
+   *
+   * All certificates are imported with no default trust, and the appropriate
+   * uses of each certificate must be added with `SecureSocket.changeTrust`.
+   *
+   * See the documentation of NSS certutil at
+   * http://developer.mozilla.org/en-US/docs/NSS_reference/NSS_tools_:_certutil
+   * or
+   * http://blogs.oracle.com/meena/entry/notes_about_trust_flags
+   * for more information about trust attributes.
+   *
+   * Returns a CertificateError if it fails. The error code -8183 does not
+   * indicate that the PKCS #12 file is corrupt.  It also is returned if
+   * the certificate database is read-only, or is the default internal database,
+   * or if the password for the file or database is incorrect.
+   */
+  external static importCertificatesWithPrivateKeys(List<int> certificates,
+                                                    String password);
+
+  /**
+   * Changes the trust settings for the certificate with nickname [nickname].
+   * This certificate must exist in the certificate database.
+   * SecureSocket.initialize must have been called with the path to a
+   * certificate database, and with readOnly set to false.
+   *
+   * [trust] is a string specifying the allowed uses of this certificate.
+   * For example, 'TC,,' specifies that the certificate is for a certificate
+   * authority that is trusted to issue server and client certificates, so
+   * that a server or client certificate signed by this authority will be
+   * accepted.
+   *
+   * See the documentation of NSS certutil at
+   * http://developer.mozilla.org/en-US/docs/NSS_reference/NSS_tools_:_certutil
+   * or
+   * http://blogs.oracle.com/meena/entry/notes_about_trust_flags
+   * for more information about trust attributes.
+   */
+  external static X509Certificate changeTrust(String nickname,
+                                              String trust);
+
+  /**
+   * Gets the certificate with nickname [nickname] from
+   * the certificate database.  Returns an X509Certificate object with
+   * information about the certificate.
+   *
+   * Throws a CertificateException if it cannot find the certificate with
+   * the given nickname.
+   */
+  external static X509Certificate getCertificate(String nickname);
+
+  /**
+   * Removes the certificate with nickname [nickname] permanently from
+   * the certificate database.
+   * This certificate must exist in the certificate database.
+   * SecureSocket.initialize must have been called with the path to a
+   * certificate database, and with readOnly set to false.
+   *
+   * Returns null if it cannot find the certificate with that nickname.
+   */
+  external static removeCertificate(String nickname);
 }
 
 
 /**
  * RawSecureSocket provides a secure (SSL or TLS) network connection.
  * Client connections to a server are provided by calling
  * RawSecureSocket.connect.  A secure server, created with
  * RawSecureServerSocket, also returns RawSecureSocket objects representing
  * the server end of a secure connection.
  * The certificate provided by the server is checked
@@ skipping 1051 matching lines @@
 /**
  * An exception that happens in the handshake phase of establishing
  * a secure network connection, when looking up or verifying a
  * certificate.
  */
 class CertificateException extends TlsException {
   const CertificateException([String message = "",
                             OSError osError = null])
      : super._("CertificateException", message, osError);
 }