nss.cc - chromiumos/platform/shill - Git at Google

 // Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 #include "shill/nss.h"

 #include <base/string_number_conversions.h>
 #include <base/string_util.h>
 #include <base/stringprintf.h>

 #include "shill/logging.h"
 #include "shill/minijail.h"

 using base::FilePath;
 using base::HexEncode;
 using base::StringPrintf;
 using std::string;
 using std::vector;

 namespace shill {

 namespace {

 base::LazyInstance<NSS> g_nss = LAZY_INSTANCE_INITIALIZER;
 const char kCertfileBasename[] = "/tmp/nss-cert.";
 const char kNSSGetCert[] = SHIMDIR "/nss-get-cert";
 const char kNSSGetCertUser[] = "chronos";

 }  // namespace

 NSS::NSS()
     : minijail_(Minijail::GetInstance()) {
   SLOG(Crypto, 2) << __func__;
 }

 NSS::~NSS() {
   SLOG(Crypto, 2) << __func__;
 }

 // static
 NSS *NSS::GetInstance() {
   return g_nss.Pointer();
 }

 FilePath NSS::GetPEMCertfile(const string &nickname, const vector<char> &id) {
   return GetCertfile(nickname, id, "pem");
 }

 FilePath NSS::GetDERCertfile(const string &nickname, const vector<char> &id) {
   return GetCertfile(nickname, id, "der");
 }

 FilePath NSS::GetCertfile(
     const string &nickname, const vector<char> &id, const string &type) {
   string filename =
       kCertfileBasename + StringToLowerASCII(HexEncode(&id[0], id.size()));
   vector<char *> args;
   args.push_back(const_cast<char *>(kNSSGetCert));
   args.push_back(const_cast<char *>(nickname.c_str()));
   args.push_back(const_cast<char *>(type.c_str()));
   args.push_back(const_cast<char *>(filename.c_str()));
   args.push_back(NULL);

   struct minijail *jail = minijail_->New();
   minijail_->DropRoot(jail, kNSSGetCertUser);

   int status;
   if (!minijail_->RunSyncAndDestroy(jail, args, &status)) {
     LOG(ERROR) << "Unable to spawn " << kNSSGetCert << " in a jail.";
     return FilePath();
   }

   if (!WIFEXITED(status) || WEXITSTATUS(status)) {
     LOG(ERROR) << kNSSGetCert << " failed with status " << status;
     return FilePath();
   }

   return FilePath(filename);
 }

 }  // namespace shill
	// Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	#include "shill/nss.h"

	#include <base/string_number_conversions.h>
	#include <base/string_util.h>
	#include <base/stringprintf.h>

	#include "shill/logging.h"
	#include "shill/minijail.h"

	using base::FilePath;
	using base::HexEncode;
	using base::StringPrintf;
	using std::string;
	using std::vector;

	namespace shill {

	namespace {

	base::LazyInstance<NSS> g_nss = LAZY_INSTANCE_INITIALIZER;
	const char kCertfileBasename[] = "/tmp/nss-cert.";
	const char kNSSGetCert[] = SHIMDIR "/nss-get-cert";
	const char kNSSGetCertUser[] = "chronos";

	} // namespace

	NSS::NSS()
	: minijail_(Minijail::GetInstance()) {
	SLOG(Crypto, 2) << __func__;
	}

	NSS::~NSS() {
	SLOG(Crypto, 2) << __func__;
	}

	// static
	NSS *NSS::GetInstance() {
	return g_nss.Pointer();
	}

	FilePath NSS::GetPEMCertfile(const string &nickname, const vector<char> &id) {
	return GetCertfile(nickname, id, "pem");
	}

	FilePath NSS::GetDERCertfile(const string &nickname, const vector<char> &id) {
	return GetCertfile(nickname, id, "der");
	}

	FilePath NSS::GetCertfile(
	const string &nickname, const vector<char> &id, const string &type) {
	string filename =
	kCertfileBasename + StringToLowerASCII(HexEncode(&id[0], id.size()));
	vector<char *> args;
	args.push_back(const_cast<char *>(kNSSGetCert));
	args.push_back(const_cast<char *>(nickname.c_str()));
	args.push_back(const_cast<char *>(type.c_str()));
	args.push_back(const_cast<char *>(filename.c_str()));
	args.push_back(NULL);

	struct minijail *jail = minijail_->New();
	minijail_->DropRoot(jail, kNSSGetCertUser);

	int status;
	if (!minijail_->RunSyncAndDestroy(jail, args, &status)) {
	LOG(ERROR) << "Unable to spawn " << kNSSGetCert << " in a jail.";
	return FilePath();
	}

	if (!WIFEXITED(status) \|\| WEXITSTATUS(status)) {
	LOG(ERROR) << kNSSGetCert << " failed with status " << status;
	return FilePath();
	}

	return FilePath(filename);
	}

	} // namespace shill