Add TrustStoreNSS and TrustStoreCollection

net/cert/internal/trust_store_nss.cc

+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/cert/internal/trust_store_nss.h"
+
+#include <cert.h>
+#include <certdb.h>
+
+#include "base/bind.h"
+#include "base/callback_helpers.h"
+#include "base/memory/ptr_util.h"
+#include "base/memory/weak_ptr.h"
+#include "base/task_runner.h"
+#include "crypto/nss_util.h"
+#include "net/cert/internal/parsed_certificate.h"
+
+// TODO(mattm): structure so that supporting chromeos stuff is doable (
+// TrustStoreChromeOS which uses net::NSSProfileFilterChromeOS.. similar to
+// CertVerifyProcChromeOS )
+//   Could have protected version of FindTrustAnchorsForCert that takes a
+//   cert_filter callback param, which is then passed into GetAnchors, and
+//   subclass of TrustStoreNSS that calls that? Or take the callback in
+//   constructor?
+
+namespace net {
+
+namespace {
+
+// Get all certs in NSS which have a subject matching |der_name| and which are
+// marked as a trusted CA.
+void GetAnchors(const std::string& der_name, TrustAnchors* out_anchors) {
+  crypto::EnsureNSSInit();
+
+  SECItem name;
+  name.len = der_name.size();
+  name.data =
+      const_cast<uint8_t*>(reinterpret_cast<const uint8_t*>((der_name.data())));
+  CERTCertList* found_certs = CERT_CreateSubjectCertList(
+      nullptr /* certList */, CERT_GetDefaultCertDB(), &name,
+      PR_Now() /* sorttime */, PR_FALSE /* validOnly */);
+  if (!found_certs)
+    return;
+
+  for (CERTCertListNode* node = CERT_LIST_HEAD(found_certs);
+       !CERT_LIST_END(node, found_certs); node = CERT_LIST_NEXT(node)) {
+    CERTCertTrust trust;
+    if (CERT_GetCertTrust(node->cert, &trust) != SECSuccess)
+      continue;
+
+    // TODO(mattm): handle explicit distrust (blacklisting)?
+    const int ca_trust = CERTDB_TRUSTED_CA;
+    if ((trust.sslFlags & ca_trust) != ca_trust)
+      continue;
+
+    scoped_refptr<ParsedCertificate> cert =
+        ParsedCertificate::CreateFromCertificateData(
+            node->cert->derCert.data, node->cert->derCert.len,
+            ParsedCertificate::DataSource::INTERNAL_COPY, {});

[eroman, 2016/08/23 18:48:54]

side-comment: I am thinking we may want to refactor this at some point
(cumbersome to type and a bit confusing). I am thinking we should either get rid
of the non-copy version, or make it a bit more hidden since it is pretty niche
and tricky to use correctly.

+    if (!cert) {
+      // TODO(mattm): return errors better.
+      LOG(ERROR) << "error parsing issuer certificate";
+      continue;
+    }
+
+    out_anchors->push_back(
+        TrustAnchor::CreateFromCertificateNoConstraints(std::move(cert)));
+  }
+  CERT_DestroyCertList(found_certs);
+}
+
+class GetAnchorsRequest : public TrustStore::Request {
+ public:
+  explicit GetAnchorsRequest(const TrustStore::TrustAnchorCallback& callback);
+  // Destruction of the Request cancels it. GetAnchors will still run, but the
+  // callback will not be called since the WeakPtr will be invalidated.
+  ~GetAnchorsRequest() override = default;
+
+  void Start(const der::Input& name, base::TaskRunner* task_runner);
+
+ private:
+  void HandleGetAnchors(std::unique_ptr<TrustAnchors> anchors);
+
+  TrustStore::TrustAnchorCallback callback_;
+  base::WeakPtrFactory<GetAnchorsRequest> weak_ptr_factory_;
+};
+
+GetAnchorsRequest::GetAnchorsRequest(
+    const TrustStore::TrustAnchorCallback& callback)
+    : callback_(callback), weak_ptr_factory_(this) {}
+
+void GetAnchorsRequest::Start(const der::Input& name,
+                              base::TaskRunner* task_runner) {
+  auto anchors = base::MakeUnique<TrustAnchors>();
+  auto* anchors_ptr = anchors.get();
+  task_runner->PostTaskAndReply(
+      FROM_HERE, base::Bind(&GetAnchors, name.AsString(), anchors_ptr),
+      base::Bind(&GetAnchorsRequest::HandleGetAnchors,
+                 weak_ptr_factory_.GetWeakPtr(), base::Passed(&anchors)));
+}
+
+void GetAnchorsRequest::HandleGetAnchors(
+    std::unique_ptr<TrustAnchors> anchors) {
+  base::ResetAndReturn(&callback_).Run(std::move(anchors));
+  // |this| may be deleted here.
+}
+
+}  // namespace
+
+TrustStoreNSS::TrustStoreNSS(scoped_refptr<base::TaskRunner> nss_task_runner)
+    : nss_task_runner_(std::move(nss_task_runner)) {}
+
+TrustStoreNSS::~TrustStoreNSS() = default;
+
+void TrustStoreNSS::FindTrustAnchorsForCert(
+    const ParsedCertificate* cert,
+    const TrustAnchorCallback& callback,
+    TrustAnchors* out_matches,
+    std::unique_ptr<Request>* out_req) const {
+  if (callback.is_null()) {
+    *out_req = nullptr;
+    return;
+  }
+
+  auto req(base::MakeUnique<GetAnchorsRequest>(callback));
+  req->Start(cert->tbs().issuer_tlv, nss_task_runner_.get());

[eroman, 2016/08/23 18:48:54]

This could be a problem in the case of cancellation -- I believe |cert| might be
deleted before the task completes, and the task is holding onto a der::Input
which just aliases the data.

I suggest instead passing a reference of the cert to the task, or copying the
issuer name out here.

[mattm, 2016/08/27 00:37:02]

it was making a copy of the name inside Start() before posting a task. But I
think that design was still sort of just a holdover from the previous interface
being FindTrustAnchorsByNormalizedName. I've changed it to take a reference to
the cert.

+  *out_req = std::move(req);
+}
+
+}  // namespace net