dart:io | Add SecureSocket.importPrivateCertificates, that reads a PKCS#12 file.

runtime/bin/secure_socket.cc

 // Copyright (c) 2012, the Dart project authors.  Please see the AUTHORS file
 // for details. All rights reserved. Use of this source code is governed by a
 // BSD-style license that can be found in the LICENSE file.
 
 #include "bin/secure_socket.h"
 
 #include <errno.h>
 #include <fcntl.h>
 #include <sys/stat.h>
 #include <stdio.h>
 #include <string.h>
 
+#include <certdb.h>
 #include <key.h>
 #include <keyt.h>
 #include <nss.h>
+#include <p12.h>
+#include <p12plcy.h>
 #include <pk11pub.h>
 #include <prerror.h>
 #include <prinit.h>
 #include <prnetdb.h>
 #include <secmod.h>
 #include <ssl.h>
 #include <sslproto.h>
 
 #include "bin/builtin.h"
 #include "bin/dartutils.h"
 #include "bin/net/nss_memio.h"
 #include "bin/socket.h"
 #include "bin/thread.h"
 #include "bin/utils.h"
 #include "platform/utils.h"
 
 #include "include/dart_api.h"
 
 
 namespace dart {
 namespace bin {
 
 bool SSLFilter::library_initialized_ = false;
 // To protect library initialization.
 dart::Mutex* SSLFilter::mutex_ = new dart::Mutex();
 // The password is needed when creating secure server sockets.  It can
 // be null if only secure client sockets are used.
-const char* SSLFilter::password_ = NULL;
+char* SSLFilter::password_ = NULL;
 
 // Forward declaration.
 static void ProcessFilter(Dart_Port dest_port_id,
                           Dart_Port reply_port_id,
                           Dart_CObject* message);
 
 NativeService SSLFilter::filter_service_("FilterService", ProcessFilter, 16);
 
 static const int kSSLFilterNativeFieldIndex = 0;
 
@@ skipping 44 matching lines @@
 static void SetFilter(Dart_NativeArguments args, SSLFilter* filter) {
   Dart_Handle dart_this = ThrowIfError(Dart_GetNativeArgument(args, 0));
   ASSERT(Dart_IsInstance(dart_this));
   ThrowIfError(Dart_SetNativeInstanceField(
       dart_this,
       kSSLFilterNativeFieldIndex,
       reinterpret_cast<intptr_t>(filter)));
 }
 
 
+char* PasswordCallback(PK11SlotInfo* slot, PRBool retry, void* arg) {

[Bill Hesse, 2013/08/06 16:47:59]

Moved here from later in the source file.

+  if (!retry) {
+    return PL_strdup(static_cast<char*>(arg));  // Freed by NSS internals.
+  }
+  return NULL;
+}
+
+
 void FUNCTION_NAME(SecureSocket_Init)(Dart_NativeArguments args) {
   Dart_EnterScope();
   Dart_Handle dart_this = ThrowIfError(Dart_GetNativeArgument(args, 0));
   SSLFilter* filter = new SSLFilter;
   SetFilter(args, filter);
   filter->Init(dart_this);
   Dart_ExitScope();
 }
 
 
@@ skipping 144 matching lines @@
         "Password argument to SetCertificateDatabase is not a String or null"));
   }
 
   Dart_Handle builtin_roots_object =
       ThrowIfError(Dart_GetNativeArgument(args, 2));
   // Check that the type is boolean, and get the boolean value from it.
   bool builtin_roots = true;
   if (Dart_IsBoolean(builtin_roots_object)) {
     ThrowIfError(Dart_BooleanValue(builtin_roots_object, &builtin_roots));
   } else {
-    Dart_ThrowException(DartUtils::NewDartArgumentError(
-        "UseBuiltinRoots argument to SetCertificateDatabase is not a bool"));
+    Dart_ThrowException(DartUtils::NewDartArgumentError("Non-Boolean value for"
+        " argument useBuiltinRoots in SetCertificateDatabase"));
   }
 
-  SSLFilter::InitializeLibrary(certificate_database, password, builtin_roots);
+  Dart_Handle read_only_object =
+      ThrowIfError(Dart_GetNativeArgument(args, 3));
+  // Check that the type is boolean, and get the boolean value from it.
+  bool read_only = true;
+  if (Dart_IsBoolean(read_only_object)) {
+    ThrowIfError(Dart_BooleanValue(read_only_object, &read_only));
+  } else {
+    Dart_ThrowException(DartUtils::NewDartArgumentError(
+        "Non-Boolean value for argument readOnly in SetCertificateDatabase"));
+  }
+
+  SSLFilter::InitializeLibrary(
+      certificate_database, password, builtin_roots, read_only);
   Dart_ExitScope();
 }
 
 
 static Dart_Handle X509FromCertificate(CERTCertificate* certificate) {
   PRTime start_validity;
   PRTime end_validity;
   SECStatus status =
       CERT_GetCertTimes(certificate, &start_validity, &end_validity);
   if (status != SECSuccess) {
@@ skipping 63 matching lines @@
   SECStatus status = CERT_DecodeTrustString(&trust, trust_string);
   if (status != SECSuccess) {
     ThrowPRException("CertificateException", "Trust string cannot be decoded");
   }
 
   status = CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), cert, &trust);
   if (status != SECSuccess) {
     ThrowPRException("CertificateException", "Cannot set trust attributes");
   }
 
+  status = SEC_PKCS12DecoderImportBags(NULL);
+
   Dart_SetReturnValue(args, X509FromCertificate(cert));
   Dart_ExitScope();
   return;
 }
 
 
+SECItem* nickname_collision_callback(SECItem *old_nickname,
+                                     PRBool *cancel,
+                                     void *arg) {
+  printf("Nickname collision callback hit\n");
+  return NULL;
+}
+
+
+void FUNCTION_NAME(SecureSocket_ImportPrivateCertificates)
+    (Dart_NativeArguments args) {
+  Dart_EnterScope();
+  Dart_Handle pk12_object =
+      ThrowIfError(Dart_GetNativeArgument(args, 0));
+  if (!Dart_IsList(pk12_object)) {
+    Dart_ThrowException(DartUtils::NewDartArgumentError(
+        "SecureSocket.importPrivateCertificates"));
+  }
+
+  intptr_t length;
+  ThrowIfError(Dart_ListLength(pk12_object, &length));
+  uint8_t* pk12 = reinterpret_cast<uint8_t*>(malloc(length + 1));
+  if (pk12 == NULL) {
+    FATAL("Out of memory in SecureSocket.addCertificate");
+  }
+  ThrowIfError(Dart_ListGetAsBytes(pk12_object, 0, pk12, length));
+
+  Dart_Handle password_object = ThrowIfError(Dart_GetNativeArgument(args, 1));
+  if (!Dart_IsString(password_object)) {
+    Dart_ThrowException(DartUtils::NewDartArgumentError(
+        "SecureSocket.importPrivateCertificates"));
+  }
+
+  // A big-endian Unicode (UTF16) password.
+  intptr_t password_length;
+  ThrowIfError(Dart_StringLength(password_object, &password_length));
+  password_length++;
+  uint16_t* password = reinterpret_cast<uint16_t*>(malloc(2 * password_length));
+  if (password == NULL) {
+    FATAL("Out of memory in SecureSocket.addCertificate");
+  }
+  intptr_t returned_length = password_length;
+  ThrowIfError(Dart_StringToUTF16(password_object, password, &returned_length));
+  ASSERT(password_length == returned_length + 1);
+  password[password_length - 1] = 0;
+  for (int i = 0; i < password_length; ++i) {
+    password[i] = Utils::HostToBigEndian16(password[i]);
+  }
+  SECItem p12_password;
+  p12_password.type = siBuffer;
+  p12_password.data = (unsigned char*)password;
+  p12_password.len = 2 * password_length;
+
+  Dart_SetReturnValue(args, Dart_Null());
+  PK11_SetPasswordFunc(PasswordCallback);
+  PK11SlotInfo* slot = PK11_GetInternalKeySlot();
+  SECStatus status = PK11_Authenticate(slot, PR_TRUE, SSLFilter::GetPassword());
+  if (status == SECFailure) {
+    printf("Failed PK11_Authenticate\n");
+    Dart_ExitScope();
+    return;
+  }
+
+  SEC_PKCS12DecoderContext* context = SEC_PKCS12DecoderStart(
+      &p12_password,
+      slot,
+      SSLFilter::GetPassword(),
+      NULL,
+      NULL,
+      NULL,
+      NULL,
+      NULL);
+  if (!context) {
+    Dart_ExitScope();
+    return;
+  }
+
+  if (SECSuccess == SEC_PKCS12DecoderUpdate(
+          context,
+          pk12,
+          length) &&
+      SECSuccess == SEC_PKCS12DecoderVerify(context) &&
+      SECSuccess ==
+          SEC_PKCS12DecoderValidateBags(context, nickname_collision_callback) &&
+      SECSuccess == SEC_PKCS12DecoderImportBags(context)) {
+    SEC_PKCS12DecoderFinish(context);
+    Dart_ExitScope();
+    return;
+  } else {
+    SEC_PKCS12DecoderFinish(context);
+    ThrowPRException("CertificateException",
+                     "Could not import PKCS#12 file");
+  }
+}
+
+
+void FUNCTION_NAME(SecureSocket_ChangeTrust)(Dart_NativeArguments args) {
+  Dart_EnterScope();
+  Dart_Handle nickname_object = ThrowIfError(Dart_GetNativeArgument(args, 0));
+  Dart_Handle trust_object = ThrowIfError(Dart_GetNativeArgument(args, 1));
+
+  if (!Dart_IsString(nickname_object) || !Dart_IsString(trust_object)) {
+    Dart_ThrowException(DartUtils::NewDartArgumentError(
+        "Bad argument to SecureSocket.changeTrust"));
+  }
+  const char* nickname;
+  ThrowIfError(Dart_StringToCString(nickname_object, &nickname));
+  const char* trust_string;
+  ThrowIfError(Dart_StringToCString(trust_object, &trust_string));
+
+  CERTCertificate* certificate =
+      PK11_FindCertFromNickname(nickname, SSLFilter::GetPassword());
+  if (certificate == NULL) {
+    ThrowCertificateException("Cannot find certificate by nickname: %s",
+                              nickname);
+  }
+  CERTCertTrust trust;
+  SECStatus status = CERT_DecodeTrustString(&trust, trust_string);
+  if (status != SECSuccess) {
+    ThrowPRException("CertificateException", "Trust string cannot be decoded");
+  }
+  status = CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), certificate, &trust);
+  if (status != SECSuccess) {
+    ThrowCertificateException("Cannot set trust on certificate %s", nickname);
+  }
+
+  CERT_DestroyCertificate(certificate);
+  Dart_ExitScope();
+}
+
+
+void FUNCTION_NAME(SecureSocket_RemoveCertificate)(Dart_NativeArguments args) {
+  Dart_EnterScope();
+  Dart_Handle nickname_object =
+      ThrowIfError(Dart_GetNativeArgument(args, 0));
+  if (!Dart_IsString(nickname_object)) {
+    Dart_ThrowException(DartUtils::NewDartArgumentError(
+        "Bad argument to SecureSocket.removeCertificate"));
+  }
+  const char* nickname;
+  ThrowIfError(Dart_StringToCString(nickname_object, &nickname));
+
+  CERTCertificate* certificate =
+      PK11_FindCertFromNickname(nickname, SSLFilter::GetPassword());
+  if (certificate == NULL) {
+    ThrowCertificateException("Cannot find certificate by nickname: %s",
+                              nickname);
+  }
+
+  SECKEYPrivateKey* key =
+      PK11_FindKeyByAnyCert(certificate, SSLFilter::GetPassword());
+  if (key == NULL) {
+    SECStatus status = SEC_DeletePermCertificate(certificate);
+    if (status == SECFailure) {
+      CERT_DestroyCertificate(certificate);  // get-set prerror
+      ThrowCertificateException("Cannot remove certificate %s",
+                                nickname);
+    }
+  } else {
+    SECStatus status =
+        PK11_DeleteTokenCertAndKey(certificate, SSLFilter::GetPassword());
+    if (status == SECFailure) {
+      CERT_DestroyCertificate(certificate);  // get-set prerror
+      ThrowCertificateException("Cannot remove certificate %s",
+                                nickname);
+    }
+  }
+  Dart_ExitScope();
+}
+
 
 void FUNCTION_NAME(SecureSocket_PeerCertificate)
     (Dart_NativeArguments args) {
   Dart_EnterScope();
   Dart_SetReturnValue(args, GetFilter(args)->PeerCertificate());
   Dart_ExitScope();
 }
 
 
 void FUNCTION_NAME(SecureSocket_FilterPointer)(Dart_NativeArguments args) {
@@ skipping 133 matching lines @@
       default:
         UNREACHABLE();
     }
   }
   return true;
 }
 
 
 void SSLFilter::Init(Dart_Handle dart_this) {
   if (!library_initialized_) {
-    InitializeLibrary(NULL, "", true, false);
+    InitializeLibrary(NULL, "", true, true, false);
   }
   ASSERT(string_start_ == NULL);
   string_start_ = Dart_NewPersistentHandle(DartUtils::NewString("start"));
   ASSERT(string_start_ != NULL);
   ASSERT(string_length_ == NULL);
   string_length_ = Dart_NewPersistentHandle(DartUtils::NewString("length"));
   ASSERT(string_length_ != NULL);
   ASSERT(bad_certificate_callback_ == NULL);
   bad_certificate_callback_ = Dart_NewPersistentHandle(Dart_Null());
   ASSERT(bad_certificate_callback_ != NULL);
@@ skipping 52 matching lines @@
 
 
 void SSLFilter::RegisterBadCertificateCallback(Dart_Handle callback) {
   ASSERT(bad_certificate_callback_ != NULL);
   Dart_DeletePersistentHandle(bad_certificate_callback_);
   bad_certificate_callback_ = Dart_NewPersistentHandle(callback);
   ASSERT(bad_certificate_callback_ != NULL);
 }
 
 
-char* PasswordCallback(PK11SlotInfo* slot, PRBool retry, void* arg) {
-  if (!retry) {
-    return PL_strdup(static_cast<char*>(arg));  // Freed by NSS internals.
-  }
-  return NULL;
-}
-
-
 static const char* builtin_roots_module =
 #if defined(TARGET_OS_LINUX) || defined(TARGET_OS_ANDROID)
     "name=\"Root Certs\" library=\"libnssckbi.so\"";
 #elif defined(TARGET_OS_MACOS)
     "name=\"Root Certs\" library=\"libnssckbi.dylib\"";
 #elif defined(TARGET_OS_WINDOWS)
     "name=\"Root Certs\" library=\"nssckbi.dll\"";
 #else
 #error Automatic target os detection failed.
 #endif
 
 
 
 void SSLFilter::InitializeLibrary(const char* certificate_database,
                                   const char* password,
                                   bool use_builtin_root_certificates,
+                                  bool read_only,
                                   bool report_duplicate_initialization) {
   MutexLocker locker(mutex_);
   SECStatus status;
   if (!library_initialized_) {
     PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);
     // TODO(whesse): Verify there are no UTF-8 issues here.
     if (certificate_database == NULL || certificate_database[0] == '\0') {
       status = NSS_NoDB_Init(NULL);
       if (status != SECSuccess) {
         mutex_->Unlock();  // MutexLocker destructor not called when throwing.
         ThrowPRException("TlsException",
                          "Failed NSS_NoDB_Init call.");
       }
       if (use_builtin_root_certificates) {
         SECMODModule* module = SECMOD_LoadUserModule(
             const_cast<char*>(builtin_roots_module), NULL, PR_FALSE);
         if (!module) {
           mutex_->Unlock();  // MutexLocker destructor not called when throwing.
           ThrowPRException("TlsException",
                            "Failed to load builtin root certificates.");
         }
       }
     } else {
-      PRUint32 init_flags = NSS_INIT_READONLY;
+      PRUint32 init_flags = read_only ? NSS_INIT_READONLY : 0;
       if (!use_builtin_root_certificates) {
         init_flags |= NSS_INIT_NOMODDB;
       }
       status = NSS_Initialize(certificate_database,
                               "",
                               "",
                               SECMOD_DB,
                               init_flags);
       if (status != SECSuccess) {
         mutex_->Unlock();  // MutexLocker destructor not called when throwing.
         ThrowPRException("TlsException",
                          "Failed NSS_Init call.");
       }
       password_ = strdup(password);  // This one copy persists until Dart exits.
       PK11_SetPasswordFunc(PasswordCallback);
     }
     library_initialized_ = true;
 
     status = NSS_SetDomesticPolicy();
     if (status != SECSuccess) {
       mutex_->Unlock();  // MutexLocker destructor not called when throwing.
       ThrowPRException("TlsException",
                        "Failed NSS_SetDomesticPolicy call.");
     }
+
+    // Allow encoding and decoding of private keys in PKCS#12 files (.pk files).
+    SEC_PKCS12EnableCipher(PKCS12_RC4_40, 1);
+    SEC_PKCS12EnableCipher(PKCS12_RC4_128, 1);
+    SEC_PKCS12EnableCipher(PKCS12_RC2_CBC_40, 1);
+    SEC_PKCS12EnableCipher(PKCS12_RC2_CBC_128, 1);
+    SEC_PKCS12EnableCipher(PKCS12_DES_56, 1);
+    SEC_PKCS12EnableCipher(PKCS12_DES_EDE3_168, 1);
+    SEC_PKCS12SetPreferredCipher(PKCS12_DES_EDE3_168, 1);
+
     // Enable TLS, as well as SSL3 and SSL2.
     status = SSL_OptionSetDefault(SSL_ENABLE_TLS, PR_TRUE);
     if (status != SECSuccess) {
       mutex_->Unlock();  // MutexLocker destructor not called when throwing.
       ThrowPRException("TlsException",
                        "Failed SSL_OptionSetDefault enable TLS call.");
     }
     status = SSL_ConfigServerSessionIDCache(0, 0, 0, NULL);
     if (status != SECSuccess) {
       mutex_->Unlock();  // MutexLocker destructor not called when throwing.
@@ skipping 76 matching lines @@
       certificate = CERT_FindCertByNameString(certificate_database,
           const_cast<char*>(certificate_name));
       if (certificate == NULL) {
         ThrowCertificateException(
             "Cannot find server certificate by distinguished name: %s",
             certificate_name);
       }
     } else {
       // Look up certificate using the nickname certificate_name.
       certificate = PK11_FindCertFromNickname(
-          const_cast<char*>(certificate_name),
-          static_cast<void*>(const_cast<char*>(password_)));
+          const_cast<char*>(certificate_name), GetPassword());
+          //  static_cast<void*>(const_cast<char*>(password_)));
       if (certificate == NULL) {
         ThrowCertificateException(
             "Cannot find server certificate by nickname: %s",
             certificate_name);
       }
     }
     SECKEYPrivateKey* key = PK11_FindKeyByAnyCert(
         certificate,
         static_cast<void*>(const_cast<char*>(password_)));
     if (key == NULL) {
@@ skipping 274 matching lines @@
     // Return a send port for the service port.
     Dart_Handle send_port = Dart_NewSendPort(service_port);
     Dart_SetReturnValue(args, send_port);
   }
   Dart_ExitScope();
 }
 
 
 }  // namespace bin
 }  // namespace dart