• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #ifndef NET_CERT_NSS_CERT_DATABASE_H_
6 #define NET_CERT_NSS_CERT_DATABASE_H_
7 
8 #include <string>
9 #include <vector>
10 
11 #include "base/basictypes.h"
12 #include "base/memory/ref_counted.h"
13 #include "base/strings/string16.h"
14 #include "crypto/scoped_nss_types.h"
15 #include "net/base/net_export.h"
16 #include "net/cert/cert_type.h"
17 #include "net/cert/x509_certificate.h"
18 
19 template <typename T> struct DefaultSingletonTraits;
20 template <class ObserverType> class ObserverListThreadSafe;
21 
22 namespace net {
23 
24 class CryptoModule;
25 typedef std::vector<scoped_refptr<CryptoModule> > CryptoModuleList;
26 
27 // Provides functions to manipulate the NSS certificate stores.
28 class NET_EXPORT NSSCertDatabase {
29  public:
30 
31   class NET_EXPORT Observer {
32    public:
~Observer()33     virtual ~Observer() {}
34 
35     // Will be called when a new certificate is added.
36     // Called with |cert| == NULL after importing a list of certificates
37     // in ImportFromPKCS12().
OnCertAdded(const X509Certificate * cert)38     virtual void OnCertAdded(const X509Certificate* cert) {}
39 
40     // Will be called when a certificate is removed.
OnCertRemoved(const X509Certificate * cert)41     virtual void OnCertRemoved(const X509Certificate* cert) {}
42 
43     // Will be called when a CA certificate is changed.
44     // Called with |cert| == NULL after importing a list of certificates
45     // in ImportCACerts().
OnCACertChanged(const X509Certificate * cert)46     virtual void OnCACertChanged(const X509Certificate* cert) {}
47 
48    protected:
Observer()49     Observer() {}
50 
51    private:
52     DISALLOW_COPY_AND_ASSIGN(Observer);
53   };
54 
55   // Stores per-certificate error codes for import failures.
56   struct NET_EXPORT ImportCertFailure {
57    public:
58     ImportCertFailure(const scoped_refptr<X509Certificate>& cert, int err);
59     ~ImportCertFailure();
60 
61     scoped_refptr<X509Certificate> certificate;
62     int net_error;
63   };
64   typedef std::vector<ImportCertFailure> ImportCertFailureList;
65 
66   // Constants that define which usages a certificate is trusted for.
67   // They are used in combination with CertType to specify trust for each type
68   // of certificate.
69   // For a CA_CERT, they specify that the CA is trusted for issuing server and
70   // client certs of each type.
71   // For SERVER_CERT, only TRUSTED_SSL makes sense, and specifies the cert is
72   // trusted as a server.
73   // For EMAIL_CERT, only TRUSTED_EMAIL makes sense, and specifies the cert is
74   // trusted for email.
75   // DISTRUSTED_* specifies that the cert should not be trusted for the given
76   // usage, regardless of whether it would otherwise inherit trust from the
77   // issuer chain.
78   // Use TRUST_DEFAULT to inherit trust as normal.
79   // NOTE: The actual constants are defined using an enum instead of static
80   // consts due to compilation/linkage constraints with template functions.
81   typedef uint32 TrustBits;
82   enum {
83     TRUST_DEFAULT         =      0,
84     TRUSTED_SSL           = 1 << 0,
85     TRUSTED_EMAIL         = 1 << 1,
86     TRUSTED_OBJ_SIGN      = 1 << 2,
87     DISTRUSTED_SSL        = 1 << 3,
88     DISTRUSTED_EMAIL      = 1 << 4,
89     DISTRUSTED_OBJ_SIGN   = 1 << 5,
90   };
91 
92   static NSSCertDatabase* GetInstance();
93 
94   // Get a list of unique certificates in the certificate database (one
95   // instance of all certificates).
96   void ListCerts(CertificateList* certs);
97 
98   // Get the default slot for public key data.
99   crypto::ScopedPK11Slot GetPublicSlot() const;
100 
101   // Get the default slot for private key or mixed private/public key data.
102   crypto::ScopedPK11Slot GetPrivateSlot() const;
103 
104   // Get the default module for public key data.
105   // The returned pointer must be stored in a scoped_refptr<CryptoModule>.
106   // DEPRECATED: use GetPublicSlot instead.
107   // TODO(mattm): remove usage of this method and remove it.
108   CryptoModule* GetPublicModule() const;
109 
110   // Get the default module for private key or mixed private/public key data.
111   // The returned pointer must be stored in a scoped_refptr<CryptoModule>.
112   // DEPRECATED: use GetPrivateSlot instead.
113   // TODO(mattm): remove usage of this method and remove it.
114   CryptoModule* GetPrivateModule() const;
115 
116   // Get all modules.
117   // If |need_rw| is true, only writable modules will be returned.
118   // TODO(mattm): come up with better alternative to CryptoModuleList.
119   void ListModules(CryptoModuleList* modules, bool need_rw) const;
120 
121   // Import certificates and private keys from PKCS #12 blob into the module.
122   // If |is_extractable| is false, mark the private key as being unextractable
123   // from the module.
124   // Returns OK or a network error code such as ERR_PKCS12_IMPORT_BAD_PASSWORD
125   // or ERR_PKCS12_IMPORT_ERROR. |imported_certs|, if non-NULL, returns a list
126   // of certs that were imported.
127   int ImportFromPKCS12(CryptoModule* module,
128                        const std::string& data,
129                        const base::string16& password,
130                        bool is_extractable,
131                        CertificateList* imported_certs);
132 
133   // Export the given certificates and private keys into a PKCS #12 blob,
134   // storing into |output|.
135   // Returns the number of certificates successfully exported.
136   int ExportToPKCS12(const CertificateList& certs,
137                      const base::string16& password,
138                      std::string* output) const;
139 
140   // Uses similar logic to nsNSSCertificateDB::handleCACertDownload to find the
141   // root.  Assumes the list is an ordered hierarchy with the root being either
142   // the first or last element.
143   // TODO(mattm): improve this to handle any order.
144   X509Certificate* FindRootInList(const CertificateList& certificates) const;
145 
146   // Import CA certificates.
147   // Tries to import all the certificates given.  The root will be trusted
148   // according to |trust_bits|.  Any certificates that could not be imported
149   // will be listed in |not_imported|.
150   // Returns false if there is an internal error, otherwise true is returned and
151   // |not_imported| should be checked for any certificates that were not
152   // imported.
153   bool ImportCACerts(const CertificateList& certificates,
154                      TrustBits trust_bits,
155                      ImportCertFailureList* not_imported);
156 
157   // Import server certificate.  The first cert should be the server cert.  Any
158   // additional certs should be intermediate/CA certs and will be imported but
159   // not given any trust.
160   // Any certificates that could not be imported will be listed in
161   // |not_imported|.
162   // |trust_bits| can be set to explicitly trust or distrust the certificate, or
163   // use TRUST_DEFAULT to inherit trust as normal.
164   // Returns false if there is an internal error, otherwise true is returned and
165   // |not_imported| should be checked for any certificates that were not
166   // imported.
167   bool ImportServerCert(const CertificateList& certificates,
168                         TrustBits trust_bits,
169                         ImportCertFailureList* not_imported);
170 
171   // Get trust bits for certificate.
172   TrustBits GetCertTrust(const X509Certificate* cert, CertType type) const;
173 
174   // IsUntrusted returns true if |cert| is specifically untrusted. These
175   // certificates are stored in the database for the specific purpose of
176   // rejecting them.
177   bool IsUntrusted(const X509Certificate* cert) const;
178 
179   // Set trust values for certificate.
180   // Returns true on success or false on failure.
181   bool SetCertTrust(const X509Certificate* cert,
182                     CertType type,
183                     TrustBits trust_bits);
184 
185   // Delete certificate and associated private key (if one exists).
186   // |cert| is still valid when this function returns. Returns true on
187   // success.
188   bool DeleteCertAndKey(const X509Certificate* cert);
189 
190   // Check whether cert is stored in a readonly slot.
191   bool IsReadOnly(const X509Certificate* cert) const;
192 
193   // Check whether cert is stored in a hardware slot.
194   bool IsHardwareBacked(const X509Certificate* cert) const;
195 
196   // Registers |observer| to receive notifications of certificate changes.  The
197   // thread on which this is called is the thread on which |observer| will be
198   // called back with notifications.
199   void AddObserver(Observer* observer);
200 
201   // Unregisters |observer| from receiving notifications.  This must be called
202   // on the same thread on which AddObserver() was called.
203   void RemoveObserver(Observer* observer);
204 
205  private:
206   friend struct DefaultSingletonTraits<NSSCertDatabase>;
207 
208   NSSCertDatabase();
209   ~NSSCertDatabase();
210 
211   // Broadcasts notifications to all registered observers.
212   void NotifyObserversOfCertAdded(const X509Certificate* cert);
213   void NotifyObserversOfCertRemoved(const X509Certificate* cert);
214   void NotifyObserversOfCACertChanged(const X509Certificate* cert);
215 
216   const scoped_refptr<ObserverListThreadSafe<Observer> > observer_list_;
217 
218   DISALLOW_COPY_AND_ASSIGN(NSSCertDatabase);
219 };
220 
221 }  // namespace net
222 
223 #endif  // NET_CERT_NSS_CERT_DATABASE_H_
224