1// Copyright (c) 2012 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#ifndef NET_CERT_NSS_CERT_DATABASE_H_
6#define NET_CERT_NSS_CERT_DATABASE_H_
7
8#include <string>
9#include <vector>
10
11#include "base/basictypes.h"
12#include "base/memory/ref_counted.h"
13#include "base/strings/string16.h"
14#include "crypto/scoped_nss_types.h"
15#include "net/base/net_export.h"
16#include "net/cert/cert_type.h"
17#include "net/cert/x509_certificate.h"
18
19template <typename T> struct DefaultSingletonTraits;
20template <class ObserverType> class ObserverListThreadSafe;
21
22namespace net {
23
24class CryptoModule;
25typedef std::vector<scoped_refptr<CryptoModule> > CryptoModuleList;
26
27// Provides functions to manipulate the NSS certificate stores.
28class NET_EXPORT NSSCertDatabase {
29 public:
30
31  class NET_EXPORT Observer {
32   public:
33    virtual ~Observer() {}
34
35    // Will be called when a new certificate is added.
36    // Called with |cert| == NULL after importing a list of certificates
37    // in ImportFromPKCS12().
38    virtual void OnCertAdded(const X509Certificate* cert) {}
39
40    // Will be called when a certificate is removed.
41    virtual void OnCertRemoved(const X509Certificate* cert) {}
42
43    // Will be called when a CA certificate is changed.
44    // Called with |cert| == NULL after importing a list of certificates
45    // in ImportCACerts().
46    virtual void OnCACertChanged(const X509Certificate* cert) {}
47
48   protected:
49    Observer() {}
50
51   private:
52    DISALLOW_COPY_AND_ASSIGN(Observer);
53  };
54
55  // Stores per-certificate error codes for import failures.
56  struct NET_EXPORT ImportCertFailure {
57   public:
58    ImportCertFailure(const scoped_refptr<X509Certificate>& cert, int err);
59    ~ImportCertFailure();
60
61    scoped_refptr<X509Certificate> certificate;
62    int net_error;
63  };
64  typedef std::vector<ImportCertFailure> ImportCertFailureList;
65
66  // Constants that define which usages a certificate is trusted for.
67  // They are used in combination with CertType to specify trust for each type
68  // of certificate.
69  // For a CA_CERT, they specify that the CA is trusted for issuing server and
70  // client certs of each type.
71  // For SERVER_CERT, only TRUSTED_SSL makes sense, and specifies the cert is
72  // trusted as a server.
73  // For EMAIL_CERT, only TRUSTED_EMAIL makes sense, and specifies the cert is
74  // trusted for email.
75  // DISTRUSTED_* specifies that the cert should not be trusted for the given
76  // usage, regardless of whether it would otherwise inherit trust from the
77  // issuer chain.
78  // Use TRUST_DEFAULT to inherit trust as normal.
79  // NOTE: The actual constants are defined using an enum instead of static
80  // consts due to compilation/linkage constraints with template functions.
81  typedef uint32 TrustBits;
82  enum {
83    TRUST_DEFAULT         =      0,
84    TRUSTED_SSL           = 1 << 0,
85    TRUSTED_EMAIL         = 1 << 1,
86    TRUSTED_OBJ_SIGN      = 1 << 2,
87    DISTRUSTED_SSL        = 1 << 3,
88    DISTRUSTED_EMAIL      = 1 << 4,
89    DISTRUSTED_OBJ_SIGN   = 1 << 5,
90  };
91
92  static NSSCertDatabase* GetInstance();
93
94  // Get a list of unique certificates in the certificate database (one
95  // instance of all certificates).
96  void ListCerts(CertificateList* certs);
97
98  // Get the default slot for public key data.
99  crypto::ScopedPK11Slot GetPublicSlot() const;
100
101  // Get the default slot for private key or mixed private/public key data.
102  crypto::ScopedPK11Slot GetPrivateSlot() const;
103
104  // Get the default module for public key data.
105  // The returned pointer must be stored in a scoped_refptr<CryptoModule>.
106  // DEPRECATED: use GetPublicSlot instead.
107  // TODO(mattm): remove usage of this method and remove it.
108  CryptoModule* GetPublicModule() const;
109
110  // Get the default module for private key or mixed private/public key data.
111  // The returned pointer must be stored in a scoped_refptr<CryptoModule>.
112  // DEPRECATED: use GetPrivateSlot instead.
113  // TODO(mattm): remove usage of this method and remove it.
114  CryptoModule* GetPrivateModule() const;
115
116  // Get all modules.
117  // If |need_rw| is true, only writable modules will be returned.
118  // TODO(mattm): come up with better alternative to CryptoModuleList.
119  void ListModules(CryptoModuleList* modules, bool need_rw) const;
120
121  // Import certificates and private keys from PKCS #12 blob into the module.
122  // If |is_extractable| is false, mark the private key as being unextractable
123  // from the module.
124  // Returns OK or a network error code such as ERR_PKCS12_IMPORT_BAD_PASSWORD
125  // or ERR_PKCS12_IMPORT_ERROR. |imported_certs|, if non-NULL, returns a list
126  // of certs that were imported.
127  int ImportFromPKCS12(CryptoModule* module,
128                       const std::string& data,
129                       const base::string16& password,
130                       bool is_extractable,
131                       CertificateList* imported_certs);
132
133  // Export the given certificates and private keys into a PKCS #12 blob,
134  // storing into |output|.
135  // Returns the number of certificates successfully exported.
136  int ExportToPKCS12(const CertificateList& certs,
137                     const base::string16& password,
138                     std::string* output) const;
139
140  // Uses similar logic to nsNSSCertificateDB::handleCACertDownload to find the
141  // root.  Assumes the list is an ordered hierarchy with the root being either
142  // the first or last element.
143  // TODO(mattm): improve this to handle any order.
144  X509Certificate* FindRootInList(const CertificateList& certificates) const;
145
146  // Import CA certificates.
147  // Tries to import all the certificates given.  The root will be trusted
148  // according to |trust_bits|.  Any certificates that could not be imported
149  // will be listed in |not_imported|.
150  // Returns false if there is an internal error, otherwise true is returned and
151  // |not_imported| should be checked for any certificates that were not
152  // imported.
153  bool ImportCACerts(const CertificateList& certificates,
154                     TrustBits trust_bits,
155                     ImportCertFailureList* not_imported);
156
157  // Import server certificate.  The first cert should be the server cert.  Any
158  // additional certs should be intermediate/CA certs and will be imported but
159  // not given any trust.
160  // Any certificates that could not be imported will be listed in
161  // |not_imported|.
162  // |trust_bits| can be set to explicitly trust or distrust the certificate, or
163  // use TRUST_DEFAULT to inherit trust as normal.
164  // Returns false if there is an internal error, otherwise true is returned and
165  // |not_imported| should be checked for any certificates that were not
166  // imported.
167  bool ImportServerCert(const CertificateList& certificates,
168                        TrustBits trust_bits,
169                        ImportCertFailureList* not_imported);
170
171  // Get trust bits for certificate.
172  TrustBits GetCertTrust(const X509Certificate* cert, CertType type) const;
173
174  // IsUntrusted returns true if |cert| is specifically untrusted. These
175  // certificates are stored in the database for the specific purpose of
176  // rejecting them.
177  bool IsUntrusted(const X509Certificate* cert) const;
178
179  // Set trust values for certificate.
180  // Returns true on success or false on failure.
181  bool SetCertTrust(const X509Certificate* cert,
182                    CertType type,
183                    TrustBits trust_bits);
184
185  // Delete certificate and associated private key (if one exists).
186  // |cert| is still valid when this function returns. Returns true on
187  // success.
188  bool DeleteCertAndKey(const X509Certificate* cert);
189
190  // Check whether cert is stored in a readonly slot.
191  bool IsReadOnly(const X509Certificate* cert) const;
192
193  // Check whether cert is stored in a hardware slot.
194  bool IsHardwareBacked(const X509Certificate* cert) const;
195
196  // Registers |observer| to receive notifications of certificate changes.  The
197  // thread on which this is called is the thread on which |observer| will be
198  // called back with notifications.
199  void AddObserver(Observer* observer);
200
201  // Unregisters |observer| from receiving notifications.  This must be called
202  // on the same thread on which AddObserver() was called.
203  void RemoveObserver(Observer* observer);
204
205 private:
206  friend struct DefaultSingletonTraits<NSSCertDatabase>;
207
208  NSSCertDatabase();
209  ~NSSCertDatabase();
210
211  // Broadcasts notifications to all registered observers.
212  void NotifyObserversOfCertAdded(const X509Certificate* cert);
213  void NotifyObserversOfCertRemoved(const X509Certificate* cert);
214  void NotifyObserversOfCACertChanged(const X509Certificate* cert);
215
216  const scoped_refptr<ObserverListThreadSafe<Observer> > observer_list_;
217
218  DISALLOW_COPY_AND_ASSIGN(NSSCertDatabase);
219};
220
221}  // namespace net
222
223#endif  // NET_CERT_NSS_CERT_DATABASE_H_
224