15821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Copyright (c) 2012 The Chromium Authors. All rights reserved. 25821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// Use of this source code is governed by a BSD-style license that can be 35821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)// found in the LICENSE file. 45821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 5c2e0dbddbe15c98d52c4786dac06cb8952a8ae6dTorne (Richard Coles)#include "net/cert/cert_database.h" 65821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 75821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include <cert.h> 85821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include <pk11pub.h> 95821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include <secmod.h> 105821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 115821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include "base/logging.h" 125821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include "base/observer_list_threadsafe.h" 135821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include "crypto/nss_util.h" 1490dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles)#include "crypto/scoped_nss_types.h" 155821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)#include "net/base/net_errors.h" 16c2e0dbddbe15c98d52c4786dac06cb8952a8ae6dTorne (Richard Coles)#include "net/cert/x509_certificate.h" 1790dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles)#include "net/cert/x509_util_nss.h" 185821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 195821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)namespace net { 205821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 215821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)CertDatabase::CertDatabase() 22116680a4aac90f2aa7413d9095a592090648e557Ben Murdoch : observer_list_(new ObserverListThreadSafe<Observer>) { 235d1f7b1de12d16ceb2c938c56701a3e8bfa558f7Torne (Richard Coles) crypto::EnsureNSSInit(); 245821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)} 255821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 265821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)CertDatabase::~CertDatabase() {} 275821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 285821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)int CertDatabase::CheckUserCert(X509Certificate* cert_obj) { 295821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) if (!cert_obj) 305821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) return ERR_CERT_INVALID; 315821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) if (cert_obj->HasExpired()) 325821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) return ERR_CERT_DATE_INVALID; 335821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 345821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // Check if the private key corresponding to the certificate exist 355821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // We shouldn't accept any random client certificate sent by a CA. 365821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 375821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // Note: The NSS source documentation wrongly suggests that this 385821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // also imports the certificate if the private key exists. This 395821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) // doesn't seem to be the case. 405821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 415821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) CERTCertificate* cert = cert_obj->os_cert_handle(); 425821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) PK11SlotInfo* slot = PK11_KeyForCertExists(cert, NULL, NULL); 435821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) if (!slot) 445821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) return ERR_NO_PRIVATE_KEY_FOR_CERT; 455821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 465821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) PK11_FreeSlot(slot); 475821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 485821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) return OK; 495821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)} 505821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 515821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)int CertDatabase::AddUserCert(X509Certificate* cert_obj) { 525821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) CERTCertificate* cert = cert_obj->os_cert_handle(); 5390dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) CK_OBJECT_HANDLE key; 5490dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) crypto::ScopedPK11Slot slot(PK11_KeyForCertExists(cert, &key, NULL)); 5590dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) if (!slot.get()) 5690dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) return ERR_NO_PRIVATE_KEY_FOR_CERT; 5790dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) 5890dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) std::string nickname = x509_util::GetUniqueNicknameForSlot( 5990dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) cert_obj->GetDefaultNickname(USER_CERT), 6090dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) &cert->derSubject, 6190dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) slot.get()); 625821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 6390dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) SECStatus rv; 645821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) { 655821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) crypto::AutoNSSWriteLock lock; 6690dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) rv = PK11_ImportCert(slot.get(), cert, key, nickname.c_str(), PR_FALSE); 675821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) } 685821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 6990dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) if (rv != SECSuccess) { 7090dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) LOG(ERROR) << "Couldn't import user certificate. " << PORT_GetError(); 715821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) return ERR_ADD_USER_CERT_FAILED; 725821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) } 7390dce4d38c5ff5333bea97d859d4e484e27edf0cTorne (Richard Coles) 745821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) NotifyObserversOfCertAdded(cert_obj); 755821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) return OK; 765821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)} 775821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles) 785821806d5e7f356e8fa4b058a389a808ea183019Torne (Richard Coles)} // namespace net 79