1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/cert/cert_database.h"
6
7 #include <cert.h>
8 #include <pk11pub.h>
9 #include <secmod.h>
10
11 #include "base/logging.h"
12 #include "base/observer_list_threadsafe.h"
13 #include "crypto/nss_util.h"
14 #include "crypto/scoped_nss_types.h"
15 #include "net/base/net_errors.h"
16 #include "net/cert/nss_cert_database.h"
17 #include "net/cert/x509_certificate.h"
18 #include "net/cert/x509_util_nss.h"
19
20 namespace net {
21
22 // Helper that observes events from the NSSCertDatabase and forwards them to
23 // the given CertDatabase.
24 class CertDatabase::Notifier : public NSSCertDatabase::Observer {
25 public:
Notifier(CertDatabase * cert_db)26 explicit Notifier(CertDatabase* cert_db) : cert_db_(cert_db) {
27 NSSCertDatabase::GetInstance()->AddObserver(this);
28 }
29
~Notifier()30 virtual ~Notifier() {
31 NSSCertDatabase::GetInstance()->RemoveObserver(this);
32 }
33
34 // NSSCertDatabase::Observer implementation:
OnCertAdded(const X509Certificate * cert)35 virtual void OnCertAdded(const X509Certificate* cert) OVERRIDE {
36 cert_db_->NotifyObserversOfCertAdded(cert);
37 }
38
OnCertRemoved(const X509Certificate * cert)39 virtual void OnCertRemoved(const X509Certificate* cert) OVERRIDE {
40 cert_db_->NotifyObserversOfCertRemoved(cert);
41 }
42
OnCACertChanged(const X509Certificate * cert)43 virtual void OnCACertChanged(const X509Certificate* cert) OVERRIDE {
44 cert_db_->NotifyObserversOfCACertChanged(cert);
45 }
46
47 private:
48 CertDatabase* cert_db_;
49
50 DISALLOW_COPY_AND_ASSIGN(Notifier);
51 };
52
CertDatabase()53 CertDatabase::CertDatabase()
54 : observer_list_(new ObserverListThreadSafe<Observer>) {
55 // Observe NSSCertDatabase events and forward them to observers of
56 // CertDatabase. This also makes sure that NSS has been initialized.
57 notifier_.reset(new Notifier(this));
58 }
59
~CertDatabase()60 CertDatabase::~CertDatabase() {}
61
CheckUserCert(X509Certificate * cert_obj)62 int CertDatabase::CheckUserCert(X509Certificate* cert_obj) {
63 if (!cert_obj)
64 return ERR_CERT_INVALID;
65 if (cert_obj->HasExpired())
66 return ERR_CERT_DATE_INVALID;
67
68 // Check if the private key corresponding to the certificate exist
69 // We shouldn't accept any random client certificate sent by a CA.
70
71 // Note: The NSS source documentation wrongly suggests that this
72 // also imports the certificate if the private key exists. This
73 // doesn't seem to be the case.
74
75 CERTCertificate* cert = cert_obj->os_cert_handle();
76 PK11SlotInfo* slot = PK11_KeyForCertExists(cert, NULL, NULL);
77 if (!slot)
78 return ERR_NO_PRIVATE_KEY_FOR_CERT;
79
80 PK11_FreeSlot(slot);
81
82 return OK;
83 }
84
AddUserCert(X509Certificate * cert_obj)85 int CertDatabase::AddUserCert(X509Certificate* cert_obj) {
86 CERTCertificate* cert = cert_obj->os_cert_handle();
87 CK_OBJECT_HANDLE key;
88 crypto::ScopedPK11Slot slot(PK11_KeyForCertExists(cert, &key, NULL));
89 if (!slot.get())
90 return ERR_NO_PRIVATE_KEY_FOR_CERT;
91
92 std::string nickname = x509_util::GetUniqueNicknameForSlot(
93 cert_obj->GetDefaultNickname(USER_CERT),
94 &cert->derSubject,
95 slot.get());
96
97 SECStatus rv;
98 {
99 crypto::AutoNSSWriteLock lock;
100 rv = PK11_ImportCert(slot.get(), cert, key, nickname.c_str(), PR_FALSE);
101 }
102
103 if (rv != SECSuccess) {
104 LOG(ERROR) << "Couldn't import user certificate. " << PORT_GetError();
105 return ERR_ADD_USER_CERT_FAILED;
106 }
107
108 NotifyObserversOfCertAdded(cert_obj);
109 return OK;
110 }
111
112 } // namespace net
113