net/cert/cert_database_nss.cc

   1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "net/cert/cert_database.h"
   6
   7 #include <cert.h>
   8 #include <pk11pub.h>
   9 #include <secmod.h>
  10
  11 #include "base/logging.h"
  12 #include "base/observer_list_threadsafe.h"
  13 #include "crypto/nss_util.h"
  14 #include "crypto/scoped_nss_types.h"
  15 #include "net/base/net_errors.h"
  16 #include "net/cert/nss_cert_database.h"
  17 #include "net/cert/x509_certificate.h"
  18 #include "net/cert/x509_util_nss.h"
  19
  20 namespace net {
  21
  22 // Helper that observes events from the NSSCertDatabase and forwards them to
  23 // the given CertDatabase.
  24 class CertDatabase::Notifier : public NSSCertDatabase::Observer {
  25  public:
  26   explicit Notifier(CertDatabase* cert_db) : cert_db_(cert_db) {
  27     NSSCertDatabase::GetInstance()->AddObserver(this);
  28   }
  29
  30   virtual ~Notifier() {
  31     NSSCertDatabase::GetInstance()->RemoveObserver(this);
  32   }
  33
  34   // NSSCertDatabase::Observer implementation:
  35   virtual void OnCertAdded(const X509Certificate* cert) OVERRIDE {
  36     cert_db_->NotifyObserversOfCertAdded(cert);
  37   }
  38
  39   virtual void OnCertRemoved(const X509Certificate* cert) OVERRIDE {
  40     cert_db_->NotifyObserversOfCertRemoved(cert);
  41   }
  42
  43   virtual void OnCertTrustChanged(const X509Certificate* cert) OVERRIDE {
  44     cert_db_->NotifyObserversOfCertTrustChanged(cert);
  45   }
  46
  47  private:
  48   CertDatabase* cert_db_;
  49
  50   DISALLOW_COPY_AND_ASSIGN(Notifier);
  51 };
  52
  53 CertDatabase::CertDatabase()
  54     : observer_list_(new ObserverListThreadSafe<Observer>) {
  55   // Observe NSSCertDatabase events and forward them to observers of
  56   // CertDatabase. This also makes sure that NSS has been initialized.
  57   notifier_.reset(new Notifier(this));
  58 }
  59
  60 CertDatabase::~CertDatabase() {}
  61
  62 int CertDatabase::CheckUserCert(X509Certificate* cert_obj) {
  63   if (!cert_obj)
  64     return ERR_CERT_INVALID;
  65   if (cert_obj->HasExpired())
  66     return ERR_CERT_DATE_INVALID;
  67
  68   // Check if the private key corresponding to the certificate exist
  69   // We shouldn't accept any random client certificate sent by a CA.
  70
  71   // Note: The NSS source documentation wrongly suggests that this
  72   // also imports the certificate if the private key exists. This
  73   // doesn't seem to be the case.
  74
  75   CERTCertificate* cert = cert_obj->os_cert_handle();
  76   PK11SlotInfo* slot = PK11_KeyForCertExists(cert, NULL, NULL);
  77   if (!slot)
  78     return ERR_NO_PRIVATE_KEY_FOR_CERT;
  79
  80   PK11_FreeSlot(slot);
  81
  82   return OK;
  83 }
  84
  85 int CertDatabase::AddUserCert(X509Certificate* cert_obj) {
  86   CERTCertificate* cert = cert_obj->os_cert_handle();
  87   CK_OBJECT_HANDLE key;
  88   crypto::ScopedPK11Slot slot(PK11_KeyForCertExists(cert, &key, NULL));
  89   if (!slot.get())
  90     return ERR_NO_PRIVATE_KEY_FOR_CERT;
  91
  92   std::string nickname = x509_util::GetUniqueNicknameForSlot(
  93       cert_obj->GetDefaultNickname(USER_CERT),
  94       &cert->derSubject,
  95       slot.get());
  96
  97   SECStatus rv;
  98   {
  99     crypto::AutoNSSWriteLock lock;
 100     rv = PK11_ImportCert(slot.get(), cert, key, nickname.c_str(), PR_FALSE);
 101   }
 102
 103   if (rv != SECSuccess) {
 104     LOG(ERROR) << "Couldn't import user certificate. " << PORT_GetError();
 105     return ERR_ADD_USER_CERT_FAILED;
 106   }
 107
 108   NotifyObserversOfCertAdded(cert_obj);
 109   return OK;
 110 }
 111
 112 }  // namespace net