OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/cert_database.h" | 5 #include "net/cert/cert_database.h" |
6 | 6 |
7 #include <cert.h> | 7 #include <cert.h> |
8 #include <pk11pub.h> | 8 #include <pk11pub.h> |
9 #include <secmod.h> | 9 #include <secmod.h> |
10 | 10 |
11 #include <vector> | 11 #include <vector> |
12 | 12 |
13 #include "base/logging.h" | 13 #include "base/logging.h" |
14 #include "base/observer_list_threadsafe.h" | 14 #include "base/observer_list_threadsafe.h" |
15 #include "crypto/nss_util.h" | |
16 #include "crypto/scoped_nss_types.h" | |
17 #include "net/base/net_errors.h" | |
18 #include "net/cert/x509_certificate.h" | |
19 #include "net/cert/x509_util_nss.h" | |
20 #include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h" | |
21 | |
22 // PSM = Mozilla's Personal Security Manager. | |
23 namespace psm = mozilla_security_manager; | |
24 | 15 |
25 namespace net { | 16 namespace net { |
26 | 17 |
27 CertDatabase::CertDatabase() | 18 CertDatabase::CertDatabase() |
28 : observer_list_(new base::ObserverListThreadSafe<Observer>) { | 19 : observer_list_(new base::ObserverListThreadSafe<Observer>) { |
29 crypto::EnsureNSSInit(); | |
30 } | 20 } |
31 | 21 |
32 CertDatabase::~CertDatabase() {} | 22 CertDatabase::~CertDatabase() {} |
33 | 23 |
34 int CertDatabase::CheckUserCert(X509Certificate* cert_obj) { | |
35 if (!cert_obj) | |
36 return ERR_CERT_INVALID; | |
37 if (cert_obj->HasExpired()) | |
38 return ERR_CERT_DATE_INVALID; | |
39 | |
40 // Check if the private key corresponding to the certificate exist | |
41 // We shouldn't accept any random client certificate sent by a CA. | |
42 | |
43 // Note: The NSS source documentation wrongly suggests that this | |
44 // also imports the certificate if the private key exists. This | |
45 // doesn't seem to be the case. | |
46 | |
47 CERTCertificate* cert = cert_obj->os_cert_handle(); | |
48 PK11SlotInfo* slot = PK11_KeyForCertExists(cert, NULL, NULL); | |
49 if (!slot) | |
50 return ERR_NO_PRIVATE_KEY_FOR_CERT; | |
51 | |
52 PK11_FreeSlot(slot); | |
53 | |
54 return OK; | |
55 } | |
56 | |
57 int CertDatabase::AddUserCert(X509Certificate* cert_obj) { | |
58 CertificateList cert_list; | |
59 cert_list.push_back(cert_obj); | |
60 int result = psm::ImportUserCert(cert_list); | |
61 | |
62 if (result == OK) | |
63 NotifyObserversOfCertAdded(NULL); | |
64 | |
65 return result; | |
66 } | |
67 | |
68 } // namespace net | 24 } // namespace net |
OLD | NEW |