set trust bits for CA certs

2016-04-18 21:05:33 +05:30 · 2016-04-18 21:05:33 +05:30 · 1240c83e40
commit 1240c83e40
parent e81cec4058
5 changed files with 55 additions and 61 deletions
--- a/atom/browser/api/atom_api_app.cc
+++ b/atom/browser/api/atom_api_app.cc
@ -15,10 +15,11 @@
 #include "atom/browser/browser.h"
 #include "atom/browser/login_handler.h"
 #include "atom/common/native_mate_converters/callback.h"
-#include "atom/common/native_mate_converters/net_converter.h"
 #include "atom/common/native_mate_converters/file_path_converter.h"
 #include "atom/common/native_mate_converters/gurl_converter.h"
 #include "atom/common/native_mate_converters/image_converter.h"
+#include "atom/common/native_mate_converters/net_converter.h"
+#include "atom/common/native_mate_converters/value_converter.h"
 #include "atom/common/node_includes.h"
 #include "atom/common/options_switches.h"
 #include "base/command_line.h"
@ -158,41 +159,35 @@ void PassLoginInformation(scoped_refptr<LoginHandler> login_handler,
    login_handler->CancelAuth();
 }

-net::CertificateList ImportCertsFromFile(
-    const base::FilePath& path) {
-  net::CertificateList certs;
-  if (path.empty())
-    return certs;
-
-  std::string cert_data;
-  if (!base::ReadFileToString(path, &cert_data))
-    return certs;
-
-  certs = net::X509Certificate::CreateCertificateListFromBytes(
-      cert_data.data(), cert_data.size(),
-      net::X509Certificate::FORMAT_AUTO);
-
-  return certs;
-}
-
-int ImportCertificateIntoCertStore(
+int ImportIntoCertStore(
    CertificateManagerModel* model,
-    const base::FilePath& path,
-    const base::FilePath& ca_path,
-    const base::string16& password) {
-  LOG(WARNING) << "importing ....";
+    const base::DictionaryValue& options) {
+  std::string file_data, cert_path;
+  base::string16 password;
+  net::CertificateList imported_certs;
+  int rv;
+  options.GetString("clientCertificate", &cert_path);
+  options.GetString("password", &password);

-  std::string file_data;
-  int result = -1;
-  net::CertificateList ca_certs;
-  net::NSSCertDatabase::ImportCertFailureList not_imported;
+  if (!cert_path.empty()) {
+    if (base::ReadFileToString(base::FilePath(cert_path), &file_data)) {
      auto module = model->cert_db()->GetPublicModule();
-  if (base::ReadFileToString(path, &file_data)) {
-    result &= model->ImportFromPKCS12(module, file_data, password, true);
-    ca_certs = ImportCertsFromFile(ca_path);
-    result &= model->ImportCACerts(ca_certs, net::NSSCertDatabase::TRUST_DEFAULT, &not_imported);
+      rv = model->ImportFromPKCS12(module,
+                                   file_data,
+                                   password,
+                                   true,
+                                   &imported_certs);
+      if (imported_certs.size() > 1) {
+        auto it = imported_certs.begin();
+        ++it; // skip first which would  be the client certificate.
+        for (; it != imported_certs.end(); ++it)
+          rv &= model->SetCertTrust(it->get(),
+                                   net::CA_CERT,
+                                   net::NSSCertDatabase::TRUSTED_SSL);
      }
-  return result;
+    }
+  }
+  return rv;
 }

 }  // namespace
@ -408,30 +403,30 @@ bool App::MakeSingleInstance(
 }

 void App::ImportClientCertificate(
-    const base::FilePath& path,
-    const base::FilePath& ca_path,
-
-    const base::string16& password,
+    const base::DictionaryValue& options,
    const net::CompletionCallback& callback) {
  auto browser_context = AtomBrowserMainParts::Get()->browser_context();
  if (!certificate_manager_model_) {
-    CertificateManagerModel::Create(browser_context, base::Bind(&App::OnCertificateManagerModelCreated, base::Unretained(this), path, ca_path, password, callback));
+    scoped_ptr<base::DictionaryValue> copy = options.CreateDeepCopy();
+    CertificateManagerModel::Create(browser_context,
+        base::Bind(&App::OnCertificateManagerModelCreated,
+                   base::Unretained(this),
+                   base::Passed(&copy),
+                   callback));
    return;
  }

-  int rv = ImportCertificateIntoCertStore(certificate_manager_model_.get(), path, ca_path, password);
+  int rv = ImportIntoCertStore(certificate_manager_model_.get(), options);
  callback.Run(rv);
 }

 void App::OnCertificateManagerModelCreated(
-    const base::FilePath& path,
-    const base::FilePath& ca_path,
-    const base::string16& password,
+    scoped_ptr<base::DictionaryValue> options,
    const net::CompletionCallback& callback,
    scoped_ptr<CertificateManagerModel> model) {
  certificate_manager_model_ = std::move(model);
-
-  int rv = ImportCertificateIntoCertStore(certificate_manager_model_.get(), path, ca_path, password);
+  int rv = ImportIntoCertStore(certificate_manager_model_.get(),
+                               *(options.get()));
  callback.Run(rv);
 }

@ -474,8 +469,10 @@ mate::ObjectTemplateBuilder App::GetObjectTemplateBuilder(
      .SetMethod("allowNTLMCredentialsForAllDomains",
                 &App::AllowNTLMCredentialsForAllDomains)
      .SetMethod("getLocale", &App::GetLocale)
-      .SetMethod("makeSingleInstance", &App::MakeSingleInstance)
-      .SetMethod("importClientCertificate", &App::ImportClientCertificate);
+#if defined(OS_LINUX)
+      .SetMethod("importClientCertificate", &App::ImportClientCertificate)
+#endif
+      .SetMethod("makeSingleInstance", &App::MakeSingleInstance);
 }

 // static
--- a/atom/browser/api/atom_api_app.h
+++ b/atom/browser/api/atom_api_app.h
@ -44,9 +44,7 @@ class App : public AtomBrowserClient::Delegate,
                      int render_frame_id);

  void OnCertificateManagerModelCreated(
-      const base::FilePath& path,
-      const base::FilePath& ca_path,
-      const base::string16& password,
+      scoped_ptr<base::DictionaryValue> options,
      const net::CompletionCallback& callback,
      scoped_ptr<CertificateManagerModel> model);

@ -106,7 +104,8 @@ class App : public AtomBrowserClient::Delegate,
  bool MakeSingleInstance(
      const ProcessSingleton::NotificationCallback& callback);
  std::string GetLocale();
-  void ImportClientCertificate(const base::FilePath& path, const base::FilePath& ca_path, const base::string16& password, const net::CompletionCallback& callback);
+  void ImportClientCertificate(const base::DictionaryValue& options,
+                               const net::CompletionCallback& callback);

 #if defined(OS_WIN)
  bool IsAeroGlassEnabled();
--- a/atom/browser/atom_browser_client.cc
+++ b/atom/browser/atom_browser_client.cc
@ -37,7 +37,6 @@
 #include "content/public/browser/site_instance.h"
 #include "content/public/browser/web_contents.h"
 #include "content/public/common/web_preferences.h"
-#include "net/cert/x509_certificate.h"
 #include "net/ssl/ssl_cert_request_info.h"
 #include "ppapi/host/ppapi_host.h"
 #include "ui/base/l10n/l10n_util.h"
--- a/chromium_src/chrome/browser/certificate_manager_model.cc
+++ b/chromium_src/chrome/browser/certificate_manager_model.cc
@ -7,10 +7,8 @@
 #include <utility>

 #include "base/bind.h"
-#include "base/i18n/time_formatting.h"
 #include "base/logging.h"
 #include "base/strings/utf_string_conversions.h"
-#include "build/build_config.h"
 #include "content/public/browser/browser_context.h"
 #include "content/public/browser/browser_thread.h"
 #include "content/public/browser/resource_context.h"
@ -20,7 +18,6 @@
 #include "net/base/net_errors.h"
 #include "net/cert/nss_cert_database.h"
 #include "net/cert/x509_certificate.h"
-#include "ui/base/l10n/l10n_util.h"

 using content::BrowserThread;

@ -64,8 +61,6 @@ net::NSSCertDatabase* GetNSSCertDatabaseForResourceContext(
 //                                     GetNSSCertDatabaseForResourceContext
 //                                                         |
 //                               CertificateManagerModel::DidGetCertDBOnIOThread
-//                                                         |
-//                                       crypto::IsTPMTokenEnabledForNSS
 //                  v--------------------------------------/
 // CertificateManagerModel::DidGetCertDBOnUIThread
 //                  |
@ -100,9 +95,10 @@ CertificateManagerModel::~CertificateManagerModel() {
 int CertificateManagerModel::ImportFromPKCS12(net::CryptoModule* module,
                                              const std::string& data,
                                              const base::string16& password,
-                                              bool is_extractable) {
+                                              bool is_extractable,
+                                              net::CertificateList* imported_certs) {
  return cert_db_->ImportFromPKCS12(module, data, password,
-                                          is_extractable, NULL);
+                                    is_extractable, imported_certs);
 }

 int CertificateManagerModel::ImportUserCert(const std::string& data) {
--- a/chromium_src/chrome/browser/certificate_manager_model.h
+++ b/chromium_src/chrome/browser/certificate_manager_model.h
@ -44,8 +44,11 @@ class CertificateManagerModel {
  // |data|, using the given |password|. If |is_extractable| is false,
  // mark the private key as unextractable from the module.
  // Returns a net error code on failure.
-  int ImportFromPKCS12(net::CryptoModule* module, const std::string& data,
-                       const base::string16& password, bool is_extractable);
+  int ImportFromPKCS12(net::CryptoModule* module,
+                       const std::string& data,
+                       const base::string16& password,
+                       bool is_extractable,
+                       net::CertificateList* imported_certs);

  // Import user certificate from DER encoded |data|.
  // Returns a net error code on failure.