1 // Copyright (c) 2013, the Dart project authors. Please see the AUTHORS file | 1 // Copyright (c) 2013, the Dart project authors. Please see the AUTHORS file |
2 // for details. All rights reserved. Use of this source code is governed by a | 2 // for details. All rights reserved. Use of this source code is governed by a |
3 // BSD-style license that can be found in the LICENSE file. | 3 // BSD-style license that can be found in the LICENSE file. |
4 | 4 |
5 part of dart.io; | 5 part of dart.io; |
6 | 6 |
7 /** | 7 /** |
8 * A high-level class for communicating securely over a TCP socket, using | 8 * A high-level class for communicating securely over a TCP socket, using |
9 * TLS and SSL. The [SecureSocket] exposes both a [Stream] and an | 9 * TLS and SSL. The [SecureSocket] exposes both a [Stream] and an |
10 * [IOSink] interface, making it ideal for using together with | 10 * [IOSink] interface, making it ideal for using together with |
197 * useBuiltinRoots: false); | 197 * useBuiltinRoots: false); |
198 * | 198 * |
199 * The database should be an NSS certificate database directory | 199 * The database should be an NSS certificate database directory |
200 * containing a cert9.db file, not a cert8.db file. This version of | 200 * containing a cert9.db file, not a cert8.db file. This version of |
201 * the database can be created using the NSS certutil tool with "sql:" in | 201 * the database can be created using the NSS certutil tool with "sql:" in |
202 * front of the absolute path of the database directory, or setting the | 202 * front of the absolute path of the database directory, or setting the |
203 * environment variable [[NSS_DEFAULT_DB_TYPE]] to "sql". | 203 * environment variable [[NSS_DEFAULT_DB_TYPE]] to "sql". |
204 */ | 204 */ |
205 external static void initialize({String database, | 205 external static void initialize({String database, |
206 String password, | 206 String password, |
207 bool useBuiltinRoots: true, | 207 bool useBuiltinRoots: true}); |
208 bool readOnly: true}); | |
209 | |
210 /** | |
211 * Trust strings for use in [addCertificate] and [changeTrust]. | |
212 */ | |
213 static const String TRUST_ISSUE_SERVER_CERTIFICATES = 'C,,'; | |
214 static const String TRUST_ISSUE_CLIENT_CERTIFICATES = 'T,,'; | |
215 static const String TRUST_ISSUE_CLIENT_SERVER_CERTIFICATES = 'TC,,'; | |
216 static const String TRUST_CERTIFICATE = 'P,,'; | |
217 | |
218 /** | |
219 * Adds a X509 certificate (for SSL and TLS secure networking) to the | |
220 * in-memory certificate cache. Returns an X509Certificate object | |
221 * with information about the added certificate. | |
222 * | |
223 * The in-memory certificate cache is different from the certificate | |
224 * database opened by `SecureSocket.initialize`, and certificates added | |
225 * by [addCertificate] cannot be modified or removed by [changeTrust] | |
226 * or [removeCertificate]. However, if the certificate is already in the | |
227 * database, then [removeCertificate] will remove it from both the database | |
228 * and the in-memory cache. | |
229 * | |
230 * [certificate] must be a list of bytes encoding a certificate in | |
231 * PEM format: a base64 encoded DER certificate, enclosed between | |
232 * "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----". | |
233 * | |
234 * [trust] is a string specifying the allowed uses of this certificate. | |
235 * For example, 'TC,,' specifies that the certificate is for a certificate | |
236 * authority that is trusted to issue server and client certificates, so | |
237 * that a server or client certificate signed by this authority will be | |
238 * accepted. | |
239 * | |
240 * See the documentation of NSS certutil at | |
241 * http://developer.mozilla.org/en-US/docs/NSS_reference/NSS_tools_:_certutil | |
242 * or | |
243 * http://blogs.oracle.com/meena/entry/notes_about_trust_flags | |
244 * for more information about trust attributes. | |
245 */ | |
246 external static X509Certificate addCertificate(List<int> certificate, | |
247 String trust); | |
248 | |
249 /** | |
250 * Adds a X509 certificates (for SSL and TLS secure networking) with | |
251 * their private keys to the certificate database. SecureSocket.initialize | |
252 * must have been called with the path to a certificate database, and with | |
253 * readOnly set to `false`. | |
254 * | |
255 * [certificates] must be a list containing the bytes of a PKCS #12 encoded | |
256 * list of certificates and private keys. These are commonly called | |
257 * `.pfx` or `.p12` files. Only PKCS #12 files using | |
258 * 3-key triple-DES and 40 bit RC2 encryption are accepted. | |
259 * | |
260 * All certificates are imported with no default trust, and the appropriate | |
261 * uses of each certificate must be added with `SecureSocket.changeTrust`. | |
262 * | |
263 * See the documentation of NSS certutil at | |
264 * http://developer.mozilla.org/en-US/docs/NSS_reference/NSS_tools_:_certutil | |
265 * or | |
266 * http://blogs.oracle.com/meena/entry/notes_about_trust_flags | |
267 * for more information about trust attributes. | |
268 * | |
269 * Returns a CertificateError if it fails. The error code -8183 does not | |
270 * indicate that the PKCS #12 file is corrupt. It also is returned if | |
271 * the certificate database is read-only, or is the default internal database, | |
272 * or if the password for the file or database is incorrect. | |
273 */ | |
274 external static importCertificatesWithPrivateKeys(List<int> certificates, | |
275 String password); | |
276 | |
277 /** | |
278 * Changes the trust settings for the certificate with nickname [nickname]. | |
279 * This certificate must exist in the certificate database. | |
280 * SecureSocket.initialize must have been called with the path to a | |
281 * certificate database, and with readOnly set to false. | |
282 * | |
283 * [trust] is a string specifying the allowed uses of this certificate. | |
284 * For example, 'TC,,' specifies that the certificate is for a certificate | |
285 * authority that is trusted to issue server and client certificates, so | |
286 * that a server or client certificate signed by this authority will be | |
287 * accepted. | |
288 * | |
289 * See the documentation of NSS certutil at | |
290 * http://developer.mozilla.org/en-US/docs/NSS_reference/NSS_tools_:_certutil | |
291 * or | |
292 * http://blogs.oracle.com/meena/entry/notes_about_trust_flags | |
293 * for more information about trust attributes. | |
294 */ | |
295 external static X509Certificate changeTrust(String nickname, | |
296 String trust); | |
297 | |
298 /** | |
299 * Gets the certificate with nickname [nickname] from | |
300 * the certificate database. Returns an X509Certificate object with | |
301 * information about the certificate. | |
302 * | |
303 * Throws a CertificateException if it cannot find the certificate with | |
304 * the given nickname. | |
305 */ | |
306 external static X509Certificate getCertificate(String nickname); | |
307 | |
308 /** | |
309 * Removes the certificate with nickname [nickname] permanently from | |
310 * the certificate database. | |
311 * This certificate must exist in the certificate database. | |
312 * SecureSocket.initialize must have been called with the path to a | |
313 * certificate database, and with readOnly set to false. | |
314 * | |
315 * Returns null if it cannot find the certificate with that nickname. | |
316 */ | |
317 external static removeCertificate(String nickname); | |
318 } | 208 } |
319 | 209 |
320 | 210 |
321 /** | 211 /** |
322 * RawSecureSocket provides a secure (SSL or TLS) network connection. | 212 * RawSecureSocket provides a secure (SSL or TLS) network connection. |
323 * Client connections to a server are provided by calling | 213 * Client connections to a server are provided by calling |
324 * RawSecureSocket.connect. A secure server, created with | 214 * RawSecureSocket.connect. A secure server, created with |
325 * RawSecureServerSocket, also returns RawSecureSocket objects representing | 215 * RawSecureServerSocket, also returns RawSecureSocket objects representing |
326 * the server end of a secure connection. | 216 * the server end of a secure connection. |
327 * The certificate provided by the server is checked | 217 * The certificate provided by the server is checked |
515 | 405 |
516 // Buffer identifiers. | 406 // Buffer identifiers. |
517 // These must agree with those in the native C++ implementation. | 407 // These must agree with those in the native C++ implementation. |
518 static final int READ_PLAINTEXT = 0; | 408 static final int READ_PLAINTEXT = 0; |
519 static final int WRITE_PLAINTEXT = 1; | 409 static final int WRITE_PLAINTEXT = 1; |
520 static final int READ_ENCRYPTED = 2; | 410 static final int READ_ENCRYPTED = 2; |
521 static final int WRITE_ENCRYPTED = 3; | 411 static final int WRITE_ENCRYPTED = 3; |
522 static final int NUM_BUFFERS = 4; | 412 static final int NUM_BUFFERS = 4; |
523 | 413 |
524 // Is a buffer identifier for an encrypted buffer? | 414 // Is a buffer identifier for an encrypted buffer? |
525 static bool _isBufferEncrypted(int identifier) => | 415 static bool _isBufferEncrypted(int identifier) => identifier >= READ_ENCRYPTED
; |
526 identifier >= READ_ENCRYPTED; | |
527 | 416 |
528 RawSocket _socket; | 417 RawSocket _socket; |
529 final Completer<_RawSecureSocket> _handshakeComplete = | 418 final Completer<_RawSecureSocket> _handshakeComplete = |
530 new Completer<_RawSecureSocket>(); | 419 new Completer<_RawSecureSocket>(); |
531 StreamController<RawSocketEvent> _controller; | 420 StreamController<RawSocketEvent> _controller; |
532 Stream<RawSocketEvent> _stream; | 421 Stream<RawSocketEvent> _stream; |
533 StreamSubscription<RawSocketEvent> _socketSubscription; | 422 StreamSubscription<RawSocketEvent> _socketSubscription; |
534 List<int> _bufferedData; | 423 List<int> _bufferedData; |
535 int _bufferedDataIndex = 0; | 424 int _bufferedDataIndex = 0; |
536 final InternetAddress address; | 425 final InternetAddress address; |
1379 /** | 1268 /** |
1380 * An exception that happens in the handshake phase of establishing | 1269 * An exception that happens in the handshake phase of establishing |
1381 * a secure network connection, when looking up or verifying a | 1270 * a secure network connection, when looking up or verifying a |
1382 * certificate. | 1271 * certificate. |
1383 */ | 1272 */ |
1384 class CertificateException extends TlsException { | 1273 class CertificateException extends TlsException { |
1385 const CertificateException([String message = "", | 1274 const CertificateException([String message = "", |
1386 OSError osError = null]) | 1275 OSError osError = null]) |
1387 : super._("CertificateException", message, osError); | 1276 : super._("CertificateException", message, osError); |
1388 } | 1277 } |
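Review bot: With the `readOnly` named parameter removed from `initialize` (new lines 205-207), the surviving doc comment (new 199-203) still describes the cert9.db database format but no longer says how the database is opened, so a caller cannot tell from the new side whether write access to the directory is still needed. Since the same change drops every member that wrote to the database (`addCertificate`, `importCertificatesWithPrivateKeys`, `changeTrust`, `removeCertificate`), presumably the native side can now open it read-only; if that is the case, say so in the doc comment, e.g. ` * The database is only read by [SecureSocket]; it is never modified.`, which also makes the least-privilege expectation on the directory explicit. The part of the `initialize` doc comment above line 197 is outside the hunk; check it for leftover references to `readOnly`, `addCertificate` or `changeTrust`, which would now be dangling. The enclosing `SecureSocket` class starts outside the hunk.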