search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Windows should animate when they are about to get docked at screen edges.
[chromium-blink-merge.git] / net / cert / nss_cert_database.cc
blob8e9ef4e6f0159078fc8462002d53f5e0f4b3a592
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/cert/nss_cert_database.h"
6
7 #include <cert.h>
8 #include <certdb.h>
9 #include <keyhi.h>
10 #include <pk11pub.h>
11 #include <secmod.h>
12
13 #include "base/logging.h"
14 #include "base/memory/scoped_ptr.h"
15 #include "base/memory/singleton.h"
16 #include "base/observer_list_threadsafe.h"
17 #include "crypto/nss_util.h"
18 #include "crypto/nss_util_internal.h"
19 #include "net/base/crypto_module.h"
20 #include "net/base/net_errors.h"
21 #include "net/cert/cert_database.h"
22 #include "net/cert/x509_certificate.h"
23 #include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h"
24 #include "net/third_party/mozilla_security_manager/nsPKCS12Blob.h"
25
26 // In NSS 3.13, CERTDB_VALID_PEER was renamed CERTDB_TERMINAL_RECORD. So we use
27 // the new name of the macro.
28 #if !defined(CERTDB_TERMINAL_RECORD)
29 #define CERTDB_TERMINAL_RECORD CERTDB_VALID_PEER
30 #endif
31
32 // PSM = Mozilla's Personal Security Manager.
33 namespace psm = mozilla_security_manager;
34
35 namespace net {
36
37 NSSCertDatabase::ImportCertFailure::ImportCertFailure(
38 const scoped_refptr<X509Certificate>& cert,
39 int err)
40 : certificate(cert), net_error(err) {}
41
42 NSSCertDatabase::ImportCertFailure::~ImportCertFailure() {}
43
44 // static
45 NSSCertDatabase* NSSCertDatabase::GetInstance() {
46 return Singleton<NSSCertDatabase,
47 LeakySingletonTraits<NSSCertDatabase> >::get();
48 }
49
50 NSSCertDatabase::NSSCertDatabase()
51 : observer_list_(new ObserverListThreadSafe<Observer>) {
52 crypto::EnsureNSSInit();
53 psm::EnsurePKCS12Init();
54 }
55
56 NSSCertDatabase::~NSSCertDatabase() {}
57
58 void NSSCertDatabase::ListCerts(CertificateList* certs) {
59 certs->clear();
60
61 CERTCertList* cert_list = PK11_ListCerts(PK11CertListUnique, NULL);
62 CERTCertListNode* node;
63 for (node = CERT_LIST_HEAD(cert_list);
64 !CERT_LIST_END(node, cert_list);
65 node = CERT_LIST_NEXT(node)) {
66 certs->push_back(X509Certificate::CreateFromHandle(
67 node->cert, X509Certificate::OSCertHandles()));
68 }
69 CERT_DestroyCertList(cert_list);
70 }
71
72 CryptoModule* NSSCertDatabase::GetPublicModule() const {
73 CryptoModule* module =
74 CryptoModule::CreateFromHandle(crypto::GetPublicNSSKeySlot());
75 // The module is already referenced when returned from
76 // GetPublicNSSKeySlot, so we need to deref it once.
77 PK11_FreeSlot(module->os_module_handle());
78
79 return module;
80 }
81
82 CryptoModule* NSSCertDatabase::GetPrivateModule() const {
83 CryptoModule* module =
84 CryptoModule::CreateFromHandle(crypto::GetPrivateNSSKeySlot());
85 // The module is already referenced when returned from
86 // GetPrivateNSSKeySlot, so we need to deref it once.
87 PK11_FreeSlot(module->os_module_handle());
88
89 return module;
90 }
91
92 void NSSCertDatabase::ListModules(CryptoModuleList* modules,
93 bool need_rw) const {
94 modules->clear();
95
96 PK11SlotList* slot_list = NULL;
97 // The wincx arg is unused since we don't call PK11_SetIsLoggedInFunc.
98 slot_list = PK11_GetAllTokens(CKM_INVALID_MECHANISM,
99 need_rw ? PR_TRUE : PR_FALSE, // needRW
100 PR_TRUE, // loadCerts (unused)
101 NULL); // wincx
102 if (!slot_list) {
103 LOG(ERROR) << "PK11_GetAllTokens failed: " << PORT_GetError();
104 return;
105 }
106
107 PK11SlotListElement* slot_element = PK11_GetFirstSafe(slot_list);
108 while (slot_element) {
109 modules->push_back(CryptoModule::CreateFromHandle(slot_element->slot));
110 slot_element = PK11_GetNextSafe(slot_list, slot_element,
111 PR_FALSE); // restart
112 }
113
114 PK11_FreeSlotList(slot_list);
115 }
116
117 int NSSCertDatabase::ImportFromPKCS12(
118 CryptoModule* module,
119 const std::string& data,
120 const base::string16& password,
121 bool is_extractable,
122 net::CertificateList* imported_certs) {
123 int result = psm::nsPKCS12Blob_Import(module->os_module_handle(),
124 data.data(), data.size(),
125 password,
126 is_extractable,
127 imported_certs);
128 if (result == net::OK)
129 NotifyObserversOfCertAdded(NULL);
130
131 return result;
132 }
133
134 int NSSCertDatabase::ExportToPKCS12(
135 const CertificateList& certs,
136 const base::string16& password,
137 std::string* output) const {
138 return psm::nsPKCS12Blob_Export(output, certs, password);
139 }
140
141 X509Certificate* NSSCertDatabase::FindRootInList(
142 const CertificateList& certificates) const {
143 DCHECK_GT(certificates.size(), 0U);
144
145 if (certificates.size() == 1)
146 return certificates[0].get();
147
148 X509Certificate* cert0 = certificates[0].get();
149 X509Certificate* cert1 = certificates[1].get();
150 X509Certificate* certn_2 = certificates[certificates.size() - 2].get();
151 X509Certificate* certn_1 = certificates[certificates.size() - 1].get();
152
153 if (CERT_CompareName(&cert1->os_cert_handle()->issuer,
154 &cert0->os_cert_handle()->subject) == SECEqual)
155 return cert0;
156 if (CERT_CompareName(&certn_2->os_cert_handle()->issuer,
157 &certn_1->os_cert_handle()->subject) == SECEqual)
158 return certn_1;
159
160 VLOG(1) << "certificate list is not a hierarchy";
161 return cert0;
162 }
163
164 bool NSSCertDatabase::ImportCACerts(const CertificateList& certificates,
165 TrustBits trust_bits,
166 ImportCertFailureList* not_imported) {
167 X509Certificate* root = FindRootInList(certificates);
168 bool success = psm::ImportCACerts(certificates, root, trust_bits,
169 not_imported);
170 if (success)
171 NotifyObserversOfCertTrustChanged(NULL);
172
173 return success;
174 }
175
176 bool NSSCertDatabase::ImportServerCert(const CertificateList& certificates,
177 TrustBits trust_bits,
178 ImportCertFailureList* not_imported) {
179 return psm::ImportServerCert(certificates, trust_bits, not_imported);
180 }
181
182 NSSCertDatabase::TrustBits NSSCertDatabase::GetCertTrust(
183 const X509Certificate* cert,
184 CertType type) const {
185 CERTCertTrust trust;
186 SECStatus srv = CERT_GetCertTrust(cert->os_cert_handle(), &trust);
187 if (srv != SECSuccess) {
188 LOG(ERROR) << "CERT_GetCertTrust failed with error " << PORT_GetError();
189 return TRUST_DEFAULT;
190 }
191 // We define our own more "friendly" TrustBits, which means we aren't able to
192 // round-trip all possible NSS trust flag combinations. We try to map them in
193 // a sensible way.
194 switch (type) {
195 case CA_CERT: {
196 const unsigned kTrustedCA = CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA;
197 const unsigned kCAFlags = kTrustedCA | CERTDB_TERMINAL_RECORD;
198
199 TrustBits trust_bits = TRUST_DEFAULT;
200 if ((trust.sslFlags & kCAFlags) == CERTDB_TERMINAL_RECORD)
201 trust_bits |= DISTRUSTED_SSL;
202 else if (trust.sslFlags & kTrustedCA)
203 trust_bits |= TRUSTED_SSL;
204
205 if ((trust.emailFlags & kCAFlags) == CERTDB_TERMINAL_RECORD)
206 trust_bits |= DISTRUSTED_EMAIL;
207 else if (trust.emailFlags & kTrustedCA)
208 trust_bits |= TRUSTED_EMAIL;
209
210 if ((trust.objectSigningFlags & kCAFlags) == CERTDB_TERMINAL_RECORD)
211 trust_bits |= DISTRUSTED_OBJ_SIGN;
212 else if (trust.objectSigningFlags & kTrustedCA)
213 trust_bits |= TRUSTED_OBJ_SIGN;
214
215 return trust_bits;
216 }
217 case SERVER_CERT:
218 if (trust.sslFlags & CERTDB_TERMINAL_RECORD) {
219 if (trust.sslFlags & CERTDB_TRUSTED)
220 return TRUSTED_SSL;
221 return DISTRUSTED_SSL;
222 }
223 return TRUST_DEFAULT;
224 default:
225 return TRUST_DEFAULT;
226 }
227 }
228
229 bool NSSCertDatabase::IsUntrusted(const X509Certificate* cert) const {
230 CERTCertTrust nsstrust;
231 SECStatus rv = CERT_GetCertTrust(cert->os_cert_handle(), &nsstrust);
232 if (rv != SECSuccess) {
233 LOG(ERROR) << "CERT_GetCertTrust failed with error " << PORT_GetError();
234 return false;
235 }
236
237 // The CERTCertTrust structure contains three trust records:
238 // sslFlags, emailFlags, and objectSigningFlags. The three
239 // trust records are independent of each other.
240 //
241 // If the CERTDB_TERMINAL_RECORD bit in a trust record is set,
242 // then that trust record is a terminal record. A terminal
243 // record is used for explicit trust and distrust of an
244 // end-entity or intermediate CA cert.
245 //
246 // In a terminal record, if neither CERTDB_TRUSTED_CA nor
247 // CERTDB_TRUSTED is set, then the terminal record means
248 // explicit distrust. On the other hand, if the terminal
249 // record has either CERTDB_TRUSTED_CA or CERTDB_TRUSTED bit
250 // set, then the terminal record means explicit trust.
251 //
252 // For a root CA, the trust record does not have
253 // the CERTDB_TERMINAL_RECORD bit set.
254
255 static const unsigned int kTrusted = CERTDB_TRUSTED_CA | CERTDB_TRUSTED;
256 if ((nsstrust.sslFlags & CERTDB_TERMINAL_RECORD) != 0 &&
257 (nsstrust.sslFlags & kTrusted) == 0) {
258 return true;
259 }
260 if ((nsstrust.emailFlags & CERTDB_TERMINAL_RECORD) != 0 &&
261 (nsstrust.emailFlags & kTrusted) == 0) {
262 return true;
263 }
264 if ((nsstrust.objectSigningFlags & CERTDB_TERMINAL_RECORD) != 0 &&
265 (nsstrust.objectSigningFlags & kTrusted) == 0) {
266 return true;
267 }
268
269 // Self-signed certificates that don't have any trust bits set are untrusted.
270 // Other certificates that don't have any trust bits set may still be trusted
271 // if they chain up to a trust anchor.
272 if (CERT_CompareName(&cert->os_cert_handle()->issuer,
273 &cert->os_cert_handle()->subject) == SECEqual) {
274 return (nsstrust.sslFlags & kTrusted) == 0 &&
275 (nsstrust.emailFlags & kTrusted) == 0 &&
276 (nsstrust.objectSigningFlags & kTrusted) == 0;
277 }
278
279 return false;
280 }
281
282 bool NSSCertDatabase::SetCertTrust(const X509Certificate* cert,
283 CertType type,
284 TrustBits trust_bits) {
285 bool success = psm::SetCertTrust(cert, type, trust_bits);
286 if (success)
287 NotifyObserversOfCertTrustChanged(cert);
288
289 return success;
290 }
291
292 bool NSSCertDatabase::DeleteCertAndKey(const X509Certificate* cert) {
293 // For some reason, PK11_DeleteTokenCertAndKey only calls
294 // SEC_DeletePermCertificate if the private key is found. So, we check
295 // whether a private key exists before deciding which function to call to
296 // delete the cert.
297 SECKEYPrivateKey *privKey = PK11_FindKeyByAnyCert(cert->os_cert_handle(),
298 NULL);
299 if (privKey) {
300 SECKEY_DestroyPrivateKey(privKey);
301 if (PK11_DeleteTokenCertAndKey(cert->os_cert_handle(), NULL)) {
302 LOG(ERROR) << "PK11_DeleteTokenCertAndKey failed: " << PORT_GetError();
303 return false;
304 }
305 } else {
306 if (SEC_DeletePermCertificate(cert->os_cert_handle())) {
307 LOG(ERROR) << "SEC_DeletePermCertificate failed: " << PORT_GetError();
308 return false;
309 }
310 }
311
312 NotifyObserversOfCertRemoved(cert);
313
314 return true;
315 }
316
317 bool NSSCertDatabase::IsReadOnly(const X509Certificate* cert) const {
318 PK11SlotInfo* slot = cert->os_cert_handle()->slot;
319 return slot && PK11_IsReadOnly(slot);
320 }
321
322 void NSSCertDatabase::AddObserver(Observer* observer) {
323 observer_list_->AddObserver(observer);
324 }
325
326 void NSSCertDatabase::RemoveObserver(Observer* observer) {
327 observer_list_->RemoveObserver(observer);
328 }
329
330 void NSSCertDatabase::NotifyObserversOfCertAdded(const X509Certificate* cert) {
331 observer_list_->Notify(&Observer::OnCertAdded, make_scoped_refptr(cert));
332 }
333
334 void NSSCertDatabase::NotifyObserversOfCertRemoved(
335 const X509Certificate* cert) {
336 observer_list_->Notify(&Observer::OnCertRemoved, make_scoped_refptr(cert));
337 }
338
339 void NSSCertDatabase::NotifyObserversOfCertTrustChanged(
340 const X509Certificate* cert) {
341 observer_list_->Notify(
342 &Observer::OnCertTrustChanged, make_scoped_refptr(cert));
343 }
344
345 } // namespace net