blob: 2073de1890bc605b084847dbb9471b95d2b647ae (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
|
// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "net/cert/cert_database.h"
#include <cert.h>
#include <pk11pub.h>
#include <secmod.h>
#include <vector>
#include "base/logging.h"
#include "base/observer_list_threadsafe.h"
#include "crypto/nss_util.h"
#include "crypto/scoped_nss_types.h"
#include "net/base/net_errors.h"
#include "net/cert/x509_certificate.h"
#include "net/cert/x509_util_nss.h"
#include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h"
// PSM = Mozilla's Personal Security Manager.
namespace psm = mozilla_security_manager;
namespace net {
CertDatabase::CertDatabase()
: observer_list_(new base::ObserverListThreadSafe<Observer>) {
crypto::EnsureNSSInit();
}
CertDatabase::~CertDatabase() {}
int CertDatabase::CheckUserCert(X509Certificate* cert_obj) {
if (!cert_obj)
return ERR_CERT_INVALID;
if (cert_obj->HasExpired())
return ERR_CERT_DATE_INVALID;
// Check if the private key corresponding to the certificate exist
// We shouldn't accept any random client certificate sent by a CA.
// Note: The NSS source documentation wrongly suggests that this
// also imports the certificate if the private key exists. This
// doesn't seem to be the case.
CERTCertificate* cert = cert_obj->os_cert_handle();
PK11SlotInfo* slot = PK11_KeyForCertExists(cert, NULL, NULL);
if (!slot)
return ERR_NO_PRIVATE_KEY_FOR_CERT;
PK11_FreeSlot(slot);
return OK;
}
int CertDatabase::AddUserCert(X509Certificate* cert_obj) {
CertificateList cert_list;
cert_list.push_back(cert_obj);
int result = psm::ImportUserCert(cert_list);
if (result == OK)
NotifyObserversOfCertAdded(NULL);
return result;
}
} // namespace net
|
