OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/base/cert_database.h" | 5 #include "net/base/cert_database.h" |
6 | 6 |
7 #include <cert.h> | 7 #include <cert.h> |
8 #include <certdb.h> | 8 #include <certdb.h> |
9 #include <keyhi.h> | 9 #include <keyhi.h> |
10 #include <pk11pub.h> | 10 #include <pk11pub.h> |
(...skipping 20 matching lines...) Expand all Loading... | |
31 namespace psm = mozilla_security_manager; | 31 namespace psm = mozilla_security_manager; |
32 | 32 |
33 namespace net { | 33 namespace net { |
34 | 34 |
35 CertDatabase::CertDatabase() { | 35 CertDatabase::CertDatabase() { |
36 crypto::EnsureNSSInit(); | 36 crypto::EnsureNSSInit(); |
37 psm::EnsurePKCS12Init(); | 37 psm::EnsurePKCS12Init(); |
38 } | 38 } |
39 | 39 |
40 int CertDatabase::CheckUserCert(X509Certificate* cert_obj) { | 40 int CertDatabase::CheckUserCert(X509Certificate* cert_obj) { |
41 // TODO(wtc) a null cert_obj means we could not decode the | |
42 // application/x-x509-user-cert response. Should we check that | |
43 // here or in the caller? | |
Ryan Sleevi
2012/04/27 00:55:48
Presuming a CertificateList, I would assume it's t
| |
41 if (!cert_obj) | 44 if (!cert_obj) |
42 return ERR_CERT_INVALID; | 45 return ERR_CERT_INVALID; |
43 if (cert_obj->HasExpired()) | 46 if (cert_obj->HasExpired()) |
44 return ERR_CERT_DATE_INVALID; | 47 return ERR_CERT_DATE_INVALID; |
45 | 48 |
46 // Check if the private key corresponding to the certificate exist | 49 // Check if the private key corresponding to the certificate exist |
47 // We shouldn't accept any random client certificate sent by a CA. | 50 // We shouldn't accept any random client certificate sent by a CA. |
48 | 51 |
49 // Note: The NSS source documentation wrongly suggests that this | 52 // Note: The NSS source documentation wrongly suggests that this |
50 // also imports the certificate if the private key exists. This | 53 // also imports the certificate if the private key exists. This |
(...skipping 18 matching lines...) Expand all Loading... | |
69 slot = PK11_ImportCertForKey( | 72 slot = PK11_ImportCertForKey( |
70 cert, | 73 cert, |
71 cert_obj->GetDefaultNickname(net::USER_CERT).c_str(), | 74 cert_obj->GetDefaultNickname(net::USER_CERT).c_str(), |
72 NULL); | 75 NULL); |
73 } | 76 } |
74 | 77 |
75 if (!slot) { | 78 if (!slot) { |
76 LOG(ERROR) << "Couldn't import user certificate."; | 79 LOG(ERROR) << "Couldn't import user certificate."; |
77 return ERR_ADD_USER_CERT_FAILED; | 80 return ERR_ADD_USER_CERT_FAILED; |
78 } | 81 } |
82 const X509Certificate::OSCertHandles& intermediate_certs = | |
83 cert_obj->GetIntermediateCertificates(); | |
84 for (size_t i = 0; i < intermediate_certs.size(); ++i) { | |
85 CERTCertificate* intermediate_cert = intermediate_certs[i]; | |
86 // TODO(wtc): skip intermediate_cert if it is a self-signed root cert? | |
87 // It is not useful to import a root cert without trust settings. | |
88 char* nickname = CERT_MakeCANickname(intermediate_cert); | |
89 PK11_ImportCert(slot, intermediate_cert, CK_INVALID_HANDLE, nickname, | |
Ryan Sleevi
2012/04/27 00:55:48
This is quite dangerous for Linux, in that non-lib
wtc
2012/04/27 21:16:50
We can copy Firefox's behavior. This means if cli
Ryan Sleevi
2012/04/27 21:24:21
What Firefox does is described in my previous comm
| |
90 PR_FALSE); | |
91 PORT_Free(nickname); | |
92 } | |
79 PK11_FreeSlot(slot); | 93 PK11_FreeSlot(slot); |
80 CertDatabase::NotifyObserversOfUserCertAdded(cert_obj); | 94 CertDatabase::NotifyObserversOfUserCertAdded(cert_obj); |
81 return OK; | 95 return OK; |
82 } | 96 } |
83 | 97 |
84 void CertDatabase::ListCerts(CertificateList* certs) { | 98 void CertDatabase::ListCerts(CertificateList* certs) { |
85 certs->clear(); | 99 certs->clear(); |
86 | 100 |
87 CERTCertList* cert_list = PK11_ListCerts(PK11CertListUnique, NULL); | 101 CERTCertList* cert_list = PK11_ListCerts(PK11CertListUnique, NULL); |
88 CERTCertListNode* node; | 102 CERTCertListNode* node; |
(...skipping 224 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
313 | 327 |
314 return true; | 328 return true; |
315 } | 329 } |
316 | 330 |
317 bool CertDatabase::IsReadOnly(const X509Certificate* cert) const { | 331 bool CertDatabase::IsReadOnly(const X509Certificate* cert) const { |
318 PK11SlotInfo* slot = cert->os_cert_handle()->slot; | 332 PK11SlotInfo* slot = cert->os_cert_handle()->slot; |
319 return slot && PK11_IsReadOnly(slot); | 333 return slot && PK11_IsReadOnly(slot); |
320 } | 334 } |
321 | 335 |
322 } // namespace net | 336 } // namespace net |
OLD | NEW |