Chromium Code Reviews Chromium Code Reviews
Issue 21716004:
dart:io | Add SecureSocket.importPrivateCertificates, that reads a PKCS#12 file. (Closed)
Base URL: https://dart.googlecode.com/svn/branches/bleeding_edge/dart| Index: runtime/bin/secure_socket.cc |
| diff --git a/runtime/bin/secure_socket.cc b/runtime/bin/secure_socket.cc |
| index ad6ae8209e48fbb292dd26ea8476b7a1ece759ec..8c1e7d747f8213c9973ad98584c2a825bbf1c5c5 100644 |
| --- a/runtime/bin/secure_socket.cc |
| +++ b/runtime/bin/secure_socket.cc |
| @@ -10,9 +10,12 @@ |
| #include <stdio.h> |
| #include <string.h> |
| +#include <certdb.h> |
| #include <key.h> |
| #include <keyt.h> |
| #include <nss.h> |
| +#include <p12.h> |
| +#include <p12plcy.h> |
| #include <pk11pub.h> |
| #include <prerror.h> |
| #include <prinit.h> |
| @@ -40,7 +43,7 @@ bool SSLFilter::library_initialized_ = false; |
| dart::Mutex* SSLFilter::mutex_ = new dart::Mutex(); |
| // The password is needed when creating secure server sockets. It can |
| // be null if only secure client sockets are used. |
| -const char* SSLFilter::password_ = NULL; |
| +char* SSLFilter::password_ = NULL; |
| // Forward declaration. |
| static void ProcessFilter(Dart_Port dest_port_id, |
| @@ -105,6 +108,14 @@ static void SetFilter(Dart_NativeArguments args, SSLFilter* filter) { |
| } |
| +char* PasswordCallback(PK11SlotInfo* slot, PRBool retry, void* arg) { |
|
Bill Hesse
2013/08/06 16:47:59
Moved here from later in the source file.
|
| + if (!retry) { |
| + return PL_strdup(static_cast<char*>(arg)); // Freed by NSS internals. |
| + } |
| + return NULL; |
| +} |
| + |
| + |
| void FUNCTION_NAME(SecureSocket_Init)(Dart_NativeArguments args) { |
| Dart_EnterScope(); |
| Dart_Handle dart_this = ThrowIfError(Dart_GetNativeArgument(args, 0)); |
| @@ -269,11 +280,23 @@ void FUNCTION_NAME(SecureSocket_InitializeLibrary) |
| if (Dart_IsBoolean(builtin_roots_object)) { |
| ThrowIfError(Dart_BooleanValue(builtin_roots_object, &builtin_roots)); |
| } else { |
| + Dart_ThrowException(DartUtils::NewDartArgumentError("Non-Boolean value for" |
| + " argument useBuiltinRoots in SetCertificateDatabase")); |
| + } |
| + |
| + Dart_Handle read_only_object = |
| + ThrowIfError(Dart_GetNativeArgument(args, 3)); |
| + // Check that the type is boolean, and get the boolean value from it. |
| + bool read_only = true; |
| + if (Dart_IsBoolean(read_only_object)) { |
| + ThrowIfError(Dart_BooleanValue(read_only_object, &read_only)); |
| + } else { |
| Dart_ThrowException(DartUtils::NewDartArgumentError( |
| - "UseBuiltinRoots argument to SetCertificateDatabase is not a bool")); |
| + "Non-Boolean value for argument readOnly in SetCertificateDatabase")); |
| } |
| - SSLFilter::InitializeLibrary(certificate_database, password, builtin_roots); |
| + SSLFilter::InitializeLibrary( |
| + certificate_database, password, builtin_roots, read_only); |
| Dart_ExitScope(); |
| } |
| @@ -357,12 +380,183 @@ void FUNCTION_NAME(SecureSocket_AddCertificate) |
| ThrowPRException("CertificateException", "Cannot set trust attributes"); |
| } |
| + status = SEC_PKCS12DecoderImportBags(NULL); |
| + |
| Dart_SetReturnValue(args, X509FromCertificate(cert)); |
| Dart_ExitScope(); |
| return; |
| } |
| +SECItem* nickname_collision_callback(SECItem *old_nickname, |
| + PRBool *cancel, |
| + void *arg) { |
| + printf("Nickname collision callback hit\n"); |
| + return NULL; |
| +} |
| + |
| + |
| +void FUNCTION_NAME(SecureSocket_ImportPrivateCertificates) |
| + (Dart_NativeArguments args) { |
| + Dart_EnterScope(); |
| + Dart_Handle pk12_object = |
| + ThrowIfError(Dart_GetNativeArgument(args, 0)); |
| + if (!Dart_IsList(pk12_object)) { |
| + Dart_ThrowException(DartUtils::NewDartArgumentError( |
| + "SecureSocket.importPrivateCertificates")); |
| + } |
| + |
| + intptr_t length; |
| + ThrowIfError(Dart_ListLength(pk12_object, &length)); |
| + uint8_t* pk12 = reinterpret_cast<uint8_t*>(malloc(length + 1)); |
| + if (pk12 == NULL) { |
| + FATAL("Out of memory in SecureSocket.addCertificate"); |
| + } |
| + ThrowIfError(Dart_ListGetAsBytes(pk12_object, 0, pk12, length)); |
| + |
| + Dart_Handle password_object = ThrowIfError(Dart_GetNativeArgument(args, 1)); |
| + if (!Dart_IsString(password_object)) { |
| + Dart_ThrowException(DartUtils::NewDartArgumentError( |
| + "SecureSocket.importPrivateCertificates")); |
| + } |
| + |
| + // A big-endian Unicode (UTF16) password. |
| + intptr_t password_length; |
| + ThrowIfError(Dart_StringLength(password_object, &password_length)); |
| + password_length++; |
| + uint16_t* password = reinterpret_cast<uint16_t*>(malloc(2 * password_length)); |
| + if (password == NULL) { |
| + FATAL("Out of memory in SecureSocket.addCertificate"); |
| + } |
| + intptr_t returned_length = password_length; |
| + ThrowIfError(Dart_StringToUTF16(password_object, password, &returned_length)); |
| + ASSERT(password_length == returned_length + 1); |
| + password[password_length - 1] = 0; |
| + for (int i = 0; i < password_length; ++i) { |
| + password[i] = Utils::HostToBigEndian16(password[i]); |
| + } |
| + SECItem p12_password; |
| + p12_password.type = siBuffer; |
| + p12_password.data = (unsigned char*)password; |
| + p12_password.len = 2 * password_length; |
| + |
| + Dart_SetReturnValue(args, Dart_Null()); |
| + PK11_SetPasswordFunc(PasswordCallback); |
| + PK11SlotInfo* slot = PK11_GetInternalKeySlot(); |
| + SECStatus status = PK11_Authenticate(slot, PR_TRUE, SSLFilter::GetPassword()); |
| + if (status == SECFailure) { |
| + printf("Failed PK11_Authenticate\n"); |
| + Dart_ExitScope(); |
| + return; |
| + } |
| + |
| + SEC_PKCS12DecoderContext* context = SEC_PKCS12DecoderStart( |
| + &p12_password, |
| + slot, |
| + SSLFilter::GetPassword(), |
| + NULL, |
| + NULL, |
| + NULL, |
| + NULL, |
| + NULL); |
| + if (!context) { |
| + Dart_ExitScope(); |
| + return; |
| + } |
| + |
| + if (SECSuccess == SEC_PKCS12DecoderUpdate( |
| + context, |
| + pk12, |
| + length) && |
| + SECSuccess == SEC_PKCS12DecoderVerify(context) && |
| + SECSuccess == |
| + SEC_PKCS12DecoderValidateBags(context, nickname_collision_callback) && |
| + SECSuccess == SEC_PKCS12DecoderImportBags(context)) { |
| + SEC_PKCS12DecoderFinish(context); |
| + Dart_ExitScope(); |
| + return; |
| + } else { |
| + SEC_PKCS12DecoderFinish(context); |
| + ThrowPRException("CertificateException", |
| + "Could not import PKCS#12 file"); |
| + } |
| +} |
| + |
| + |
| +void FUNCTION_NAME(SecureSocket_ChangeTrust)(Dart_NativeArguments args) { |
| + Dart_EnterScope(); |
| + Dart_Handle nickname_object = ThrowIfError(Dart_GetNativeArgument(args, 0)); |
| + Dart_Handle trust_object = ThrowIfError(Dart_GetNativeArgument(args, 1)); |
| + |
| + if (!Dart_IsString(nickname_object) || !Dart_IsString(trust_object)) { |
| + Dart_ThrowException(DartUtils::NewDartArgumentError( |
| + "Bad argument to SecureSocket.changeTrust")); |
| + } |
| + const char* nickname; |
| + ThrowIfError(Dart_StringToCString(nickname_object, &nickname)); |
| + const char* trust_string; |
| + ThrowIfError(Dart_StringToCString(trust_object, &trust_string)); |
| + |
| + CERTCertificate* certificate = |
| + PK11_FindCertFromNickname(nickname, SSLFilter::GetPassword()); |
| + if (certificate == NULL) { |
| + ThrowCertificateException("Cannot find certificate by nickname: %s", |
| + nickname); |
| + } |
| + CERTCertTrust trust; |
| + SECStatus status = CERT_DecodeTrustString(&trust, trust_string); |
| + if (status != SECSuccess) { |
| + ThrowPRException("CertificateException", "Trust string cannot be decoded"); |
| + } |
| + status = CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), certificate, &trust); |
| + if (status != SECSuccess) { |
| + ThrowCertificateException("Cannot set trust on certificate %s", nickname); |
| + } |
| + |
| + CERT_DestroyCertificate(certificate); |
| + Dart_ExitScope(); |
| +} |
| + |
| + |
| +void FUNCTION_NAME(SecureSocket_RemoveCertificate)(Dart_NativeArguments args) { |
| + Dart_EnterScope(); |
| + Dart_Handle nickname_object = |
| + ThrowIfError(Dart_GetNativeArgument(args, 0)); |
| + if (!Dart_IsString(nickname_object)) { |
| + Dart_ThrowException(DartUtils::NewDartArgumentError( |
| + "Bad argument to SecureSocket.removeCertificate")); |
| + } |
| + const char* nickname; |
| + ThrowIfError(Dart_StringToCString(nickname_object, &nickname)); |
| + |
| + CERTCertificate* certificate = |
| + PK11_FindCertFromNickname(nickname, SSLFilter::GetPassword()); |
| + if (certificate == NULL) { |
| + ThrowCertificateException("Cannot find certificate by nickname: %s", |
| + nickname); |
| + } |
| + |
| + SECKEYPrivateKey* key = |
| + PK11_FindKeyByAnyCert(certificate, SSLFilter::GetPassword()); |
| + if (key == NULL) { |
| + SECStatus status = SEC_DeletePermCertificate(certificate); |
| + if (status == SECFailure) { |
| + CERT_DestroyCertificate(certificate); // get-set prerror |
| + ThrowCertificateException("Cannot remove certificate %s", |
| + nickname); |
| + } |
| + } else { |
| + SECStatus status = |
| + PK11_DeleteTokenCertAndKey(certificate, SSLFilter::GetPassword()); |
| + if (status == SECFailure) { |
| + CERT_DestroyCertificate(certificate); // get-set prerror |
| + ThrowCertificateException("Cannot remove certificate %s", |
| + nickname); |
| + } |
| + } |
| + Dart_ExitScope(); |
| +} |
| + |
| void FUNCTION_NAME(SecureSocket_PeerCertificate) |
| (Dart_NativeArguments args) { |
| @@ -516,7 +710,7 @@ bool SSLFilter::ProcessAllBuffers(int starts[kNumBuffers], |
| void SSLFilter::Init(Dart_Handle dart_this) { |
| if (!library_initialized_) { |
| - InitializeLibrary(NULL, "", true, false); |
| + InitializeLibrary(NULL, "", true, true, false); |
| } |
| ASSERT(string_start_ == NULL); |
| string_start_ = Dart_NewPersistentHandle(DartUtils::NewString("start")); |
| @@ -589,14 +783,6 @@ void SSLFilter::RegisterBadCertificateCallback(Dart_Handle callback) { |
| } |
| -char* PasswordCallback(PK11SlotInfo* slot, PRBool retry, void* arg) { |
| - if (!retry) { |
| - return PL_strdup(static_cast<char*>(arg)); // Freed by NSS internals. |
| - } |
| - return NULL; |
| -} |
| - |
| - |
| static const char* builtin_roots_module = |
| #if defined(TARGET_OS_LINUX) || defined(TARGET_OS_ANDROID) |
| "name=\"Root Certs\" library=\"libnssckbi.so\""; |
| @@ -613,6 +799,7 @@ static const char* builtin_roots_module = |
| void SSLFilter::InitializeLibrary(const char* certificate_database, |
| const char* password, |
| bool use_builtin_root_certificates, |
| + bool read_only, |
| bool report_duplicate_initialization) { |
| MutexLocker locker(mutex_); |
| SECStatus status; |
| @@ -636,7 +823,7 @@ void SSLFilter::InitializeLibrary(const char* certificate_database, |
| } |
| } |
| } else { |
| - PRUint32 init_flags = NSS_INIT_READONLY; |
| + PRUint32 init_flags = read_only ? NSS_INIT_READONLY : 0; |
| if (!use_builtin_root_certificates) { |
| init_flags |= NSS_INIT_NOMODDB; |
| } |
| @@ -661,6 +848,16 @@ void SSLFilter::InitializeLibrary(const char* certificate_database, |
| ThrowPRException("TlsException", |
| "Failed NSS_SetDomesticPolicy call."); |
| } |
| + |
| + // Allow encoding and decoding of private keys in PKCS#12 files (.pk files). |
| + SEC_PKCS12EnableCipher(PKCS12_RC4_40, 1); |
| + SEC_PKCS12EnableCipher(PKCS12_RC4_128, 1); |
| + SEC_PKCS12EnableCipher(PKCS12_RC2_CBC_40, 1); |
| + SEC_PKCS12EnableCipher(PKCS12_RC2_CBC_128, 1); |
| + SEC_PKCS12EnableCipher(PKCS12_DES_56, 1); |
| + SEC_PKCS12EnableCipher(PKCS12_DES_EDE3_168, 1); |
| + SEC_PKCS12SetPreferredCipher(PKCS12_DES_EDE3_168, 1); |
| + |
| // Enable TLS, as well as SSL3 and SSL2. |
| status = SSL_OptionSetDefault(SSL_ENABLE_TLS, PR_TRUE); |
| if (status != SECSuccess) { |
| @@ -757,8 +954,8 @@ void SSLFilter::Connect(const char* host_name, |
| } else { |
| // Look up certificate using the nickname certificate_name. |
| certificate = PK11_FindCertFromNickname( |
| - const_cast<char*>(certificate_name), |
| - static_cast<void*>(const_cast<char*>(password_))); |
| + const_cast<char*>(certificate_name), GetPassword()); |
| + // static_cast<void*>(const_cast<char*>(password_))); |
| if (certificate == NULL) { |
| ThrowCertificateException( |
| "Cannot find server certificate by nickname: %s", |
