net/cert/cert_database_nss.cc

   1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "net/cert/cert_database.h"
   6
   7 #include <cert.h>
   8 #include <pk11pub.h>
   9 #include <secmod.h>
  10
  11 #include "base/logging.h"
  12 #include "base/observer_list_threadsafe.h"
  13 #include "crypto/nss_util.h"
  14 #include "crypto/scoped_nss_types.h"
  15 #include "net/base/net_errors.h"
  16 #include "net/cert/nss_cert_database.h"
  17 #include "net/cert/x509_certificate.h"
  18 #include "net/cert/x509_util_nss.h"
  19
  20 namespace net {
  21
  22 // Helper that observes events from the NSSCertDatabase and forwards them to
  23 // the given CertDatabase.
  24 class CertDatabase::Notifier : public NSSCertDatabase::Observer {
  25  public:
  26   explicit Notifier(CertDatabase* cert_db) : cert_db_(cert_db) {}
  27
  28   virtual ~Notifier() {}
  29
  30   // NSSCertDatabase::Observer implementation:
  31   virtual void OnCertAdded(const X509Certificate* cert) OVERRIDE {
  32     cert_db_->NotifyObserversOfCertAdded(cert);
  33   }
  34
  35   virtual void OnCertRemoved(const X509Certificate* cert) OVERRIDE {
  36     cert_db_->NotifyObserversOfCertRemoved(cert);
  37   }
  38
  39   virtual void OnCACertChanged(const X509Certificate* cert) OVERRIDE {
  40     cert_db_->NotifyObserversOfCACertChanged(cert);
  41   }
  42
  43  private:
  44   CertDatabase* cert_db_;
  45
  46   DISALLOW_COPY_AND_ASSIGN(Notifier);
  47 };
  48
  49 CertDatabase::CertDatabase()
  50     : observer_list_(new ObserverListThreadSafe<Observer>),
  51       notifier_(new Notifier(this)) {
  52   crypto::EnsureNSSInit();
  53 }
  54
  55 CertDatabase::~CertDatabase() {}
  56
  57 int CertDatabase::CheckUserCert(X509Certificate* cert_obj) {
  58   if (!cert_obj)
  59     return ERR_CERT_INVALID;
  60   if (cert_obj->HasExpired())
  61     return ERR_CERT_DATE_INVALID;
  62
  63   // Check if the private key corresponding to the certificate exist
  64   // We shouldn't accept any random client certificate sent by a CA.
  65
  66   // Note: The NSS source documentation wrongly suggests that this
  67   // also imports the certificate if the private key exists. This
  68   // doesn't seem to be the case.
  69
  70   CERTCertificate* cert = cert_obj->os_cert_handle();
  71   PK11SlotInfo* slot = PK11_KeyForCertExists(cert, NULL, NULL);
  72   if (!slot)
  73     return ERR_NO_PRIVATE_KEY_FOR_CERT;
  74
  75   PK11_FreeSlot(slot);
  76
  77   return OK;
  78 }
  79
  80 int CertDatabase::AddUserCert(X509Certificate* cert_obj) {
  81   CERTCertificate* cert = cert_obj->os_cert_handle();
  82   CK_OBJECT_HANDLE key;
  83   crypto::ScopedPK11Slot slot(PK11_KeyForCertExists(cert, &key, NULL));
  84   if (!slot.get())
  85     return ERR_NO_PRIVATE_KEY_FOR_CERT;
  86
  87   std::string nickname = x509_util::GetUniqueNicknameForSlot(
  88       cert_obj->GetDefaultNickname(USER_CERT),
  89       &cert->derSubject,
  90       slot.get());
  91
  92   SECStatus rv;
  93   {
  94     crypto::AutoNSSWriteLock lock;
  95     rv = PK11_ImportCert(slot.get(), cert, key, nickname.c_str(), PR_FALSE);
  96   }
  97
  98   if (rv != SECSuccess) {
  99     LOG(ERROR) << "Couldn't import user certificate. " << PORT_GetError();
 100     return ERR_ADD_USER_CERT_FAILED;
 101   }
 102
 103   NotifyObserversOfCertAdded(cert_obj);
 104   return OK;
 105 }
 106
 107 void CertDatabase::ObserveNSSCertDatabase(NSSCertDatabase* source) {
 108   source->AddObserver(this->notifier_.get());
 109 }
 110
 111 }  // namespace net