1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef NET_BASE_CERT_DATABASE_H_ 6 #define NET_BASE_CERT_DATABASE_H_ 7 #pragma once 8 9 #include <string> 10 #include <vector> 11 12 #include "base/basictypes.h" 13 #include "base/memory/ref_counted.h" 14 #include "base/string16.h" 15 #include "net/base/cert_type.h" 16 17 namespace net { 18 19 class CryptoModule; 20 typedef std::vector<scoped_refptr<CryptoModule> > CryptoModuleList; 21 class X509Certificate; 22 typedef std::vector<scoped_refptr<X509Certificate> > CertificateList; 23 24 25 // This class provides functions to manipulate the local 26 // certificate store. 27 28 // TODO(gauravsh): This class could be augmented with methods 29 // for all operations that manipulate the underlying system 30 // certificate store. 31 32 class CertDatabase { 33 public: 34 35 // A CertDatabase::Observer will be notified on certificate database changes. 36 // The change could be either a new user certificate is added or trust on 37 // a certificate is changed. Observers can register themselves 38 // via CertDatabase::AddObserver, and can un-register with 39 // CertDatabase::RemoveObserver. 40 class Observer { 41 public: ~Observer()42 virtual ~Observer() {} 43 44 // Will be called when a new user certificate is added. 45 // Note that |cert| could be NULL when called. OnUserCertAdded(const X509Certificate * cert)46 virtual void OnUserCertAdded(const X509Certificate* cert) {} 47 48 // Will be called when a certificate's trust is changed. 49 // Note that |cert| could be NULL when called. OnCertTrustChanged(const X509Certificate * cert)50 virtual void OnCertTrustChanged(const X509Certificate* cert) {} 51 52 protected: Observer()53 Observer() {} 54 55 private: 56 DISALLOW_COPY_AND_ASSIGN(Observer); 57 }; 58 59 // Stores per-certificate error codes for import failures. 60 struct ImportCertFailure { 61 public: 62 ImportCertFailure(X509Certificate* cert, int err); 63 ~ImportCertFailure(); 64 65 scoped_refptr<X509Certificate> certificate; 66 int net_error; 67 }; 68 typedef std::vector<ImportCertFailure> ImportCertFailureList; 69 70 // Constants that define which usages a certificate is trusted for. 71 // They are used in combination with CertType to specify trust for each type 72 // of certificate. 73 // For a CA_CERT, they specify that the CA is trusted for issuing server and 74 // client certs of each type. 75 // For SERVER_CERT, only TRUSTED_SSL makes sense, and specifies the cert is 76 // trusted as a server. 77 // For EMAIL_CERT, only TRUSTED_EMAIL makes sense, and specifies the cert is 78 // trusted for email. 79 enum { 80 UNTRUSTED = 0, 81 TRUSTED_SSL = 1 << 0, 82 TRUSTED_EMAIL = 1 << 1, 83 TRUSTED_OBJ_SIGN = 1 << 2, 84 }; 85 86 CertDatabase(); 87 88 // Check whether this is a valid user cert that we have the private key for. 89 // Returns OK or a network error code such as ERR_CERT_CONTAINS_ERRORS. 90 int CheckUserCert(X509Certificate* cert); 91 92 // Store user (client) certificate. Assumes CheckUserCert has already passed. 93 // Returns OK, or ERR_ADD_USER_CERT_FAILED if there was a problem saving to 94 // the platform cert database, or possibly other network error codes. 95 int AddUserCert(X509Certificate* cert); 96 97 #if defined(USE_NSS) || defined(USE_OPENSSL) 98 // Get a list of unique certificates in the certificate database. (One 99 // instance of all certificates.) 100 void ListCerts(CertificateList* certs); 101 102 // Get the default module for public key data. 103 // The returned pointer must be stored in a scoped_refptr<CryptoModule>. 104 CryptoModule* GetPublicModule() const; 105 106 // Get the default module for private key or mixed private/public key data. 107 // The returned pointer must be stored in a scoped_refptr<CryptoModule>. 108 CryptoModule* GetPrivateModule() const; 109 110 // Get all modules. 111 // If |need_rw| is true, only writable modules will be returned. 112 void ListModules(CryptoModuleList* modules, bool need_rw) const; 113 114 // Import certificates and private keys from PKCS #12 blob into the module. 115 // Returns OK or a network error code such as ERR_PKCS12_IMPORT_BAD_PASSWORD 116 // or ERR_PKCS12_IMPORT_ERROR. 117 int ImportFromPKCS12(CryptoModule* module, 118 const std::string& data, 119 const string16& password); 120 121 // Export the given certificates and private keys into a PKCS #12 blob, 122 // storing into |output|. 123 // Returns the number of certificates successfully exported. 124 int ExportToPKCS12(const CertificateList& certs, const string16& password, 125 std::string* output) const; 126 127 // Uses similar logic to nsNSSCertificateDB::handleCACertDownload to find the 128 // root. Assumes the list is an ordered hierarchy with the root being either 129 // the first or last element. 130 // TODO(mattm): improve this to handle any order. 131 X509Certificate* FindRootInList(const CertificateList& certificates) const; 132 133 // Import CA certificates. 134 // Tries to import all the certificates given. The root will be trusted 135 // according to |trust_bits|. Any certificates that could not be imported 136 // will be listed in |not_imported|. 137 // Returns false if there is an internal error, otherwise true is returned and 138 // |not_imported| should be checked for any certificates that were not 139 // imported. 140 bool ImportCACerts(const CertificateList& certificates, 141 unsigned int trust_bits, 142 ImportCertFailureList* not_imported); 143 144 // Import server certificate. The first cert should be the server cert. Any 145 // additional certs should be intermediate/CA certs and will be imported but 146 // not given any trust. 147 // Any certificates that could not be imported will be listed in 148 // |not_imported|. 149 // Returns false if there is an internal error, otherwise true is returned and 150 // |not_imported| should be checked for any certificates that were not 151 // imported. 152 bool ImportServerCert(const CertificateList& certificates, 153 ImportCertFailureList* not_imported); 154 155 // Get trust bits for certificate. 156 unsigned int GetCertTrust(const X509Certificate* cert, CertType type) const; 157 158 // Set trust values for certificate. 159 // Returns true on success or false on failure. 160 bool SetCertTrust(const X509Certificate* cert, 161 CertType type, 162 unsigned int trust_bits); 163 164 // Delete certificate and associated private key (if one exists). 165 // Returns true on success or false on failure. 166 // |cert| is still valid when this function returns. 167 bool DeleteCertAndKey(const X509Certificate* cert); 168 169 // Check whether cert is stored in a readonly slot. 170 bool IsReadOnly(const X509Certificate* cert) const; 171 #endif 172 173 // Registers |observer| to receive notifications of certificate changes. The 174 // thread on which this is called is the thread on which |observer| will be 175 // called back with notifications. 176 static void AddObserver(Observer* observer); 177 178 // Unregisters |observer| from receiving notifications. This must be called 179 // on the same thread on which AddObserver() was called. 180 static void RemoveObserver(Observer* observer); 181 182 private: 183 // Broadcasts notifications to all registered observers. 184 static void NotifyObserversOfUserCertAdded(const X509Certificate* cert); 185 static void NotifyObserversOfCertTrustChanged(const X509Certificate* cert); 186 187 DISALLOW_COPY_AND_ASSIGN(CertDatabase); 188 }; 189 190 } // namespace net 191 192 #endif // NET_BASE_CERT_DATABASE_H_ 193