| OLD | NEW |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/cert_database.h" | 5 #include "net/cert/cert_database.h" |
| 6 | 6 |
| 7 #include <Security/Security.h> | 7 #include <Security/Security.h> |
| 8 | 8 |
| 9 #include "base/logging.h" | 9 #include "base/logging.h" |
| 10 #include "base/mac/mac_logging.h" | 10 #include "base/mac/mac_logging.h" |
| 11 #include "base/message_loop/message_loop.h" | 11 #include "base/message_loop/message_loop.h" |
| 12 #include "base/observer_list_threadsafe.h" | 12 #include "base/observer_list_threadsafe.h" |
| 13 #include "base/process/process_handle.h" | 13 #include "base/process/process_handle.h" |
| 14 #include "base/single_thread_task_runner.h" | 14 #include "base/single_thread_task_runner.h" |
| 15 #include "base/synchronization/lock.h" | 15 #include "base/synchronization/lock.h" |
| 16 #include "crypto/mac_security_services_lock.h" | 16 #include "crypto/mac_security_services_lock.h" |
| 17 #include "net/base/net_errors.h" | 17 #include "net/base/net_errors.h" |
| 18 #include "net/cert/x509_certificate.h" | 18 #include "net/cert/x509_certificate.h" |
| 19 | 19 |
| 20 namespace net { | 20 namespace net { |
| 21 | 21 |
| 22 // Helper that observes events from the Keychain and forwards them to the | 22 // Helper that observes events from the Keychain and forwards them to the |
| 23 // given CertDatabase. | 23 // given CertDatabase. |
| 24 class CertDatabase::Notifier { | 24 class CertDatabase::Notifier { |
| 25 public: | 25 public: |
| 26 // Creates a new Notifier that will forward Keychain events to |cert_db|. | 26 // Creates a new Notifier that will forward Keychain events to |cert_db|. |
| 27 // |message_loop| must refer to a thread with an associated CFRunLoop - a | 27 // |message_loop| must refer to a thread with an associated CFRunLoop - a |
| 28 // TYPE_UI thread. Events will be dispatched from this message loop. | 28 // TYPE_UI thread. Events will be dispatched from this message loop. |
| 29 Notifier(CertDatabase* cert_db, base::MessageLoop* message_loop) | 29 Notifier(CertDatabase* cert_db, base::MessageLoop* message_loop) |
| 30 : cert_db_(cert_db), | 30 : cert_db_(cert_db), registered_(false), called_shutdown_(false) { |
| 31 registered_(false), | |
| 32 called_shutdown_(false) { | |
| 33 // Ensure an associated CFRunLoop. | 31 // Ensure an associated CFRunLoop. |
| 34 DCHECK(base::MessageLoopForUI::IsCurrent()); | 32 DCHECK(base::MessageLoopForUI::IsCurrent()); |
| 35 task_runner_ = message_loop->message_loop_proxy(); | 33 task_runner_ = message_loop->message_loop_proxy(); |
| 36 task_runner_->PostTask(FROM_HERE, | 34 task_runner_->PostTask(FROM_HERE, |
| 37 base::Bind(&Notifier::Init, | 35 base::Bind(&Notifier::Init, base::Unretained(this))); |
| 38 base::Unretained(this))); | |
| 39 } | 36 } |
| 40 | 37 |
| 41 // Should be called from the |task_runner_|'s thread. Use Shutdown() | 38 // Should be called from the |task_runner_|'s thread. Use Shutdown() |
| 42 // to shutdown on arbitrary threads. | 39 // to shutdown on arbitrary threads. |
| 43 ~Notifier() { | 40 ~Notifier() { |
| 44 DCHECK(called_shutdown_); | 41 DCHECK(called_shutdown_); |
| 45 // Only unregister from the same thread where registration was performed. | 42 // Only unregister from the same thread where registration was performed. |
| 46 if (registered_ && task_runner_->RunsTasksOnCurrentThread()) | 43 if (registered_ && task_runner_->RunsTasksOnCurrentThread()) |
| 47 SecKeychainRemoveCallback(&Notifier::KeychainCallback); | 44 SecKeychainRemoveCallback(&Notifier::KeychainCallback); |
| 48 } | 45 } |
| 49 | 46 |
| 50 void Shutdown() { | 47 void Shutdown() { |
| 51 called_shutdown_ = true; | 48 called_shutdown_ = true; |
| 52 if (!task_runner_->DeleteSoon(FROM_HERE, this)) { | 49 if (!task_runner_->DeleteSoon(FROM_HERE, this)) { |
| 53 // If the task runner is no longer running, it's safe to just delete | 50 // If the task runner is no longer running, it's safe to just delete |
| 54 // the object, since no further events will or can be delivered by | 51 // the object, since no further events will or can be delivered by |
| 55 // Keychain Services. | 52 // Keychain Services. |
| 56 delete this; | 53 delete this; |
| 57 } | 54 } |
| 58 } | 55 } |
| 59 | 56 |
| 60 private: | 57 private: |
| 61 void Init() { | 58 void Init() { |
| 62 SecKeychainEventMask event_mask = | 59 SecKeychainEventMask event_mask = |
| 63 kSecKeychainListChangedMask | kSecTrustSettingsChangedEventMask; | 60 kSecKeychainListChangedMask | kSecTrustSettingsChangedEventMask; |
| 64 OSStatus status = SecKeychainAddCallback(&Notifier::KeychainCallback, | 61 OSStatus status = |
| 65 event_mask, this); | 62 SecKeychainAddCallback(&Notifier::KeychainCallback, event_mask, this); |
| 66 if (status == noErr) | 63 if (status == noErr) |
| 67 registered_ = true; | 64 registered_ = true; |
| 68 } | 65 } |
| 69 | 66 |
| 70 // SecKeychainCallback function that receives notifications from securityd | 67 // SecKeychainCallback function that receives notifications from securityd |
| 71 // and forwards them to the |cert_db_|. | 68 // and forwards them to the |cert_db_|. |
| 72 static OSStatus KeychainCallback(SecKeychainEvent keychain_event, | 69 static OSStatus KeychainCallback(SecKeychainEvent keychain_event, |
| 73 SecKeychainCallbackInfo* info, | 70 SecKeychainCallbackInfo* info, |
| 74 void* context); | 71 void* context); |
| 75 | 72 |
| (...skipping 53 matching lines...) |
| 129 } | 126 } |
| 130 | 127 |
| 131 int CertDatabase::CheckUserCert(X509Certificate* cert) { | 128 int CertDatabase::CheckUserCert(X509Certificate* cert) { |
| 132 if (!cert) | 129 if (!cert) |
| 133 return ERR_CERT_INVALID; | 130 return ERR_CERT_INVALID; |
| 134 if (cert->HasExpired()) | 131 if (cert->HasExpired()) |
| 135 return ERR_CERT_DATE_INVALID; | 132 return ERR_CERT_DATE_INVALID; |
| 136 | 133 |
| 137 // Verify the Keychain already has the corresponding private key: | 134 // Verify the Keychain already has the corresponding private key: |
| 138 SecIdentityRef identity = NULL; | 135 SecIdentityRef identity = NULL; |
| 139 OSStatus err = SecIdentityCreateWithCertificate(NULL, cert->os_cert_handle(), | 136 OSStatus err = |
| 140 &identity); | 137 SecIdentityCreateWithCertificate(NULL, cert->os_cert_handle(), &identity); |
| 141 if (err == errSecItemNotFound) | 138 if (err == errSecItemNotFound) |
| 142 return ERR_NO_PRIVATE_KEY_FOR_CERT; | 139 return ERR_NO_PRIVATE_KEY_FOR_CERT; |
| 143 | 140 |
| 144 if (err != noErr || !identity) { | 141 if (err != noErr || !identity) { |
| 145 // TODO(snej): Map the error code more intelligently. | 142 // TODO(snej): Map the error code more intelligently. |
| 146 return ERR_CERT_INVALID; | 143 return ERR_CERT_INVALID; |
| 147 } | 144 } |
| 148 | 145 |
| 149 CFRelease(identity); | 146 CFRelease(identity); |
| 150 return OK; | 147 return OK; |
| 151 } | 148 } |
| 152 | 149 |
| 153 int CertDatabase::AddUserCert(X509Certificate* cert) { | 150 int CertDatabase::AddUserCert(X509Certificate* cert) { |
| 154 OSStatus err; | 151 OSStatus err; |
| 155 { | 152 { |
| 156 base::AutoLock locked(crypto::GetMacSecurityServicesLock()); | 153 base::AutoLock locked(crypto::GetMacSecurityServicesLock()); |
| 157 err = SecCertificateAddToKeychain(cert->os_cert_handle(), NULL); | 154 err = SecCertificateAddToKeychain(cert->os_cert_handle(), NULL); |
| 158 } | 155 } |
| 159 switch (err) { | 156 switch (err) { |
| 160 case noErr: | 157 case noErr: |
| 161 CertDatabase::NotifyObserversOfCertAdded(cert); | 158 CertDatabase::NotifyObserversOfCertAdded(cert); |
| 162 // Fall through. | 159 // Fall through. |
| 163 case errSecDuplicateItem: | 160 case errSecDuplicateItem: |
| 164 return OK; | 161 return OK; |
| 165 default: | 162 default: |
| 166 OSSTATUS_LOG(ERROR, err) << "CertDatabase failed to add cert to keychain"; | 163 OSSTATUS_LOG(ERROR, err) << "CertDatabase failed to add cert to keychain"; |
| 167 // TODO(snej): Map the error code more intelligently. | 164 // TODO(snej): Map the error code more intelligently. |
| 168 return ERR_ADD_USER_CERT_FAILED; | 165 return ERR_ADD_USER_CERT_FAILED; |
| 169 } | 166 } |
| 170 } | 167 } |
| 171 | 168 |
| 172 } // namespace net | 169 } // namespace net |
| OLD | NEW |