net/base/cert_database_nss.cc

   1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "net/base/cert_database.h"
   6
   7 #include <cert.h>
   8 #include <pk11pub.h>
   9 #include <secmod.h>
  10
  11 #include "base/logging.h"
  12 #include "base/observer_list_threadsafe.h"
  13 #include "crypto/nss_util.h"
  14 #include "net/base/net_errors.h"
  15 #include "net/base/nss_cert_database.h"
  16 #include "net/base/x509_certificate.h"
  17
  18 namespace net {
  19
  20 // Helper that observes events from the NSSCertDatabase and forwards them to
  21 // the given CertDatabase.
  22 class CertDatabase::Notifier : public NSSCertDatabase::Observer {
  23  public:
  24   explicit Notifier(CertDatabase* cert_db) : cert_db_(cert_db) {
  25     NSSCertDatabase::GetInstance()->AddObserver(this);
  26   }
  27
  28   virtual ~Notifier() {
  29     NSSCertDatabase::GetInstance()->RemoveObserver(this);
  30   }
  31
  32   // NSSCertDatabase::Observer implementation:
  33   virtual void OnCertAdded(const X509Certificate* cert) OVERRIDE {
  34     cert_db_->NotifyObserversOfCertAdded(cert);
  35   }
  36
  37   virtual void OnCertRemoved(const X509Certificate* cert) OVERRIDE {
  38     cert_db_->NotifyObserversOfCertRemoved(cert);
  39   }
  40
  41   virtual void OnCertTrustChanged(const X509Certificate* cert) OVERRIDE {
  42     cert_db_->NotifyObserversOfCertTrustChanged(cert);
  43   }
  44
  45  private:
  46   CertDatabase* cert_db_;
  47
  48   DISALLOW_COPY_AND_ASSIGN(Notifier);
  49 };
  50
  51 CertDatabase::CertDatabase()
  52     : observer_list_(new ObserverListThreadSafe<Observer>) {
  53   // Observe NSSCertDatabase events and forward them to observers of
  54   // CertDatabase. This also makes sure that NSS has been initialized.
  55   notifier_.reset(new Notifier(this));
  56 }
  57
  58 CertDatabase::~CertDatabase() {}
  59
  60 int CertDatabase::CheckUserCert(X509Certificate* cert_obj) {
  61   if (!cert_obj)
  62     return ERR_CERT_INVALID;
  63   if (cert_obj->HasExpired())
  64     return ERR_CERT_DATE_INVALID;
  65
  66   // Check if the private key corresponding to the certificate exist
  67   // We shouldn't accept any random client certificate sent by a CA.
  68
  69   // Note: The NSS source documentation wrongly suggests that this
  70   // also imports the certificate if the private key exists. This
  71   // doesn't seem to be the case.
  72
  73   CERTCertificate* cert = cert_obj->os_cert_handle();
  74   PK11SlotInfo* slot = PK11_KeyForCertExists(cert, NULL, NULL);
  75   if (!slot)
  76     return ERR_NO_PRIVATE_KEY_FOR_CERT;
  77
  78   PK11_FreeSlot(slot);
  79
  80   return OK;
  81 }
  82
  83 int CertDatabase::AddUserCert(X509Certificate* cert_obj) {
  84   CERTCertificate* cert = cert_obj->os_cert_handle();
  85   PK11SlotInfo* slot = NULL;
  86
  87   {
  88     crypto::AutoNSSWriteLock lock;
  89     slot = PK11_ImportCertForKey(
  90         cert,
  91         cert_obj->GetDefaultNickname(net::USER_CERT).c_str(),
  92         NULL);
  93   }
  94
  95   if (!slot) {
  96     LOG(ERROR) << "Couldn't import user certificate.";
  97     return ERR_ADD_USER_CERT_FAILED;
  98   }
  99   PK11_FreeSlot(slot);
 100   NotifyObserversOfCertAdded(cert_obj);
 101   return OK;
 102 }
 103
 104 }  // namespace net