| // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| #include "net/cert/cert_database.h" |
| |
| #include <cert.h> |
| #include <pk11pub.h> |
| #include <secmod.h> |
| |
| #include "base/logging.h" |
| #include "base/observer_list_threadsafe.h" |
| #include "crypto/nss_util.h" |
| #include "crypto/scoped_nss_types.h" |
| #include "net/base/net_errors.h" |
| #include "net/cert/x509_certificate.h" |
| #include "net/cert/x509_util_nss.h" |
| |
| namespace net { |
| |
| CertDatabase::CertDatabase() |
| : observer_list_(new ObserverListThreadSafe<Observer>) { |
| crypto::EnsureNSSInit(); |
| } |
| |
| CertDatabase::~CertDatabase() {} |
| |
| int CertDatabase::CheckUserCert(X509Certificate* cert_obj) { |
| if (!cert_obj) |
| return ERR_CERT_INVALID; |
| if (cert_obj->HasExpired()) |
| return ERR_CERT_DATE_INVALID; |
| |
| // Check if the private key corresponding to the certificate exist |
| // We shouldn't accept any random client certificate sent by a CA. |
| |
| // Note: The NSS source documentation wrongly suggests that this |
| // also imports the certificate if the private key exists. This |
| // doesn't seem to be the case. |
| |
| CERTCertificate* cert = cert_obj->os_cert_handle(); |
| PK11SlotInfo* slot = PK11_KeyForCertExists(cert, NULL, NULL); |
| if (!slot) |
| return ERR_NO_PRIVATE_KEY_FOR_CERT; |
| |
| PK11_FreeSlot(slot); |
| |
| return OK; |
| } |
| |
| int CertDatabase::AddUserCert(X509Certificate* cert_obj) { |
| CERTCertificate* cert = cert_obj->os_cert_handle(); |
| CK_OBJECT_HANDLE key; |
| crypto::ScopedPK11Slot slot(PK11_KeyForCertExists(cert, &key, NULL)); |
| if (!slot.get()) |
| return ERR_NO_PRIVATE_KEY_FOR_CERT; |
| |
| std::string nickname = x509_util::GetUniqueNicknameForSlot( |
| cert_obj->GetDefaultNickname(USER_CERT), |
| &cert->derSubject, |
| slot.get()); |
| |
| SECStatus rv; |
| { |
| crypto::AutoNSSWriteLock lock; |
| rv = PK11_ImportCert(slot.get(), cert, key, nickname.c_str(), PR_FALSE); |
| } |
| |
| if (rv != SECSuccess) { |
| LOG(ERROR) << "Couldn't import user certificate. " << PORT_GetError(); |
| return ERR_ADD_USER_CERT_FAILED; |
| } |
| |
| NotifyObserversOfCertAdded(cert_obj); |
| return OK; |
| } |
| |
| } // namespace net |