app: api to import client certificate
This commit is contained in:
parent
0bf1e56156
commit
e81cec4058
6 changed files with 374 additions and 31 deletions
177
chromium_src/chrome/browser/certificate_manager_model.cc
Normal file
177
chromium_src/chrome/browser/certificate_manager_model.cc
Normal file
|
@ -0,0 +1,177 @@
|
|||
// Copyright (c) 2012 The Chromium Authors. All rights reserved.
|
||||
// Use of this source code is governed by a BSD-style license that can be
|
||||
// found in the LICENSE file.
|
||||
|
||||
#include "chrome/browser/certificate_manager_model.h"
|
||||
|
||||
#include <utility>
|
||||
|
||||
#include "base/bind.h"
|
||||
#include "base/i18n/time_formatting.h"
|
||||
#include "base/logging.h"
|
||||
#include "base/strings/utf_string_conversions.h"
|
||||
#include "build/build_config.h"
|
||||
#include "content/public/browser/browser_context.h"
|
||||
#include "content/public/browser/browser_thread.h"
|
||||
#include "content/public/browser/resource_context.h"
|
||||
#include "crypto/nss_util.h"
|
||||
#include "crypto/nss_util_internal.h"
|
||||
#include "net/base/crypto_module.h"
|
||||
#include "net/base/net_errors.h"
|
||||
#include "net/cert/nss_cert_database.h"
|
||||
#include "net/cert/x509_certificate.h"
|
||||
#include "ui/base/l10n/l10n_util.h"
|
||||
|
||||
using content::BrowserThread;
|
||||
|
||||
namespace {
|
||||
|
||||
net::NSSCertDatabase* g_nss_cert_database = nullptr;
|
||||
|
||||
net::NSSCertDatabase* GetNSSCertDatabaseForResourceContext(
|
||||
content::ResourceContext* context,
|
||||
const base::Callback<void(net::NSSCertDatabase*)>& callback) {
|
||||
// This initialization is not thread safe. This CHECK ensures that this code
|
||||
// is only run on a single thread.
|
||||
CHECK(content::BrowserThread::CurrentlyOn(content::BrowserThread::IO));
|
||||
if (!g_nss_cert_database) {
|
||||
// Linux has only a single persistent slot compared to ChromeOS's separate
|
||||
// public and private slot.
|
||||
// Redirect any slot usage to this persistent slot on Linux.
|
||||
g_nss_cert_database = new net::NSSCertDatabase(
|
||||
crypto::ScopedPK11Slot(
|
||||
crypto::GetPersistentNSSKeySlot()) /* public slot */,
|
||||
crypto::ScopedPK11Slot(
|
||||
crypto::GetPersistentNSSKeySlot()) /* private slot */);
|
||||
}
|
||||
return g_nss_cert_database;
|
||||
}
|
||||
|
||||
} // namespace
|
||||
|
||||
// CertificateManagerModel is created on the UI thread. It needs a
|
||||
// NSSCertDatabase handle (and on ChromeOS it needs to get the TPM status) which
|
||||
// needs to be done on the IO thread.
|
||||
//
|
||||
// The initialization flow is roughly:
|
||||
//
|
||||
// UI thread IO Thread
|
||||
//
|
||||
// CertificateManagerModel::Create
|
||||
// \--------------------------------------v
|
||||
// CertificateManagerModel::GetCertDBOnIOThread
|
||||
// |
|
||||
// GetNSSCertDatabaseForResourceContext
|
||||
// |
|
||||
// CertificateManagerModel::DidGetCertDBOnIOThread
|
||||
// |
|
||||
// crypto::IsTPMTokenEnabledForNSS
|
||||
// v--------------------------------------/
|
||||
// CertificateManagerModel::DidGetCertDBOnUIThread
|
||||
// |
|
||||
// new CertificateManagerModel
|
||||
// |
|
||||
// callback
|
||||
|
||||
// static
|
||||
void CertificateManagerModel::Create(
|
||||
content::BrowserContext* browser_context,
|
||||
const CreationCallback& callback) {
|
||||
DCHECK_CURRENTLY_ON(BrowserThread::UI);
|
||||
BrowserThread::PostTask(
|
||||
BrowserThread::IO,
|
||||
FROM_HERE,
|
||||
base::Bind(&CertificateManagerModel::GetCertDBOnIOThread,
|
||||
browser_context->GetResourceContext(),
|
||||
callback));
|
||||
}
|
||||
|
||||
CertificateManagerModel::CertificateManagerModel(
|
||||
net::NSSCertDatabase* nss_cert_database,
|
||||
bool is_user_db_available)
|
||||
: cert_db_(nss_cert_database),
|
||||
is_user_db_available_(is_user_db_available) {
|
||||
DCHECK_CURRENTLY_ON(BrowserThread::UI);
|
||||
}
|
||||
|
||||
CertificateManagerModel::~CertificateManagerModel() {
|
||||
}
|
||||
|
||||
int CertificateManagerModel::ImportFromPKCS12(net::CryptoModule* module,
|
||||
const std::string& data,
|
||||
const base::string16& password,
|
||||
bool is_extractable) {
|
||||
return cert_db_->ImportFromPKCS12(module, data, password,
|
||||
is_extractable, NULL);
|
||||
}
|
||||
|
||||
int CertificateManagerModel::ImportUserCert(const std::string& data) {
|
||||
return cert_db_->ImportUserCert(data);
|
||||
}
|
||||
|
||||
bool CertificateManagerModel::ImportCACerts(
|
||||
const net::CertificateList& certificates,
|
||||
net::NSSCertDatabase::TrustBits trust_bits,
|
||||
net::NSSCertDatabase::ImportCertFailureList* not_imported) {
|
||||
return cert_db_->ImportCACerts(certificates, trust_bits, not_imported);
|
||||
}
|
||||
|
||||
bool CertificateManagerModel::ImportServerCert(
|
||||
const net::CertificateList& certificates,
|
||||
net::NSSCertDatabase::TrustBits trust_bits,
|
||||
net::NSSCertDatabase::ImportCertFailureList* not_imported) {
|
||||
return cert_db_->ImportServerCert(certificates, trust_bits,
|
||||
not_imported);
|
||||
}
|
||||
|
||||
bool CertificateManagerModel::SetCertTrust(
|
||||
const net::X509Certificate* cert,
|
||||
net::CertType type,
|
||||
net::NSSCertDatabase::TrustBits trust_bits) {
|
||||
return cert_db_->SetCertTrust(cert, type, trust_bits);
|
||||
}
|
||||
|
||||
bool CertificateManagerModel::Delete(net::X509Certificate* cert) {
|
||||
return cert_db_->DeleteCertAndKey(cert);
|
||||
}
|
||||
|
||||
// static
|
||||
void CertificateManagerModel::DidGetCertDBOnUIThread(
|
||||
net::NSSCertDatabase* cert_db,
|
||||
bool is_user_db_available,
|
||||
const CreationCallback& callback) {
|
||||
DCHECK_CURRENTLY_ON(BrowserThread::UI);
|
||||
|
||||
scoped_ptr<CertificateManagerModel> model(new CertificateManagerModel(
|
||||
cert_db, is_user_db_available));
|
||||
callback.Run(std::move(model));
|
||||
}
|
||||
|
||||
// static
|
||||
void CertificateManagerModel::DidGetCertDBOnIOThread(
|
||||
const CreationCallback& callback,
|
||||
net::NSSCertDatabase* cert_db) {
|
||||
DCHECK_CURRENTLY_ON(BrowserThread::IO);
|
||||
|
||||
bool is_user_db_available = !!cert_db->GetPublicSlot();
|
||||
BrowserThread::PostTask(
|
||||
BrowserThread::UI,
|
||||
FROM_HERE,
|
||||
base::Bind(&CertificateManagerModel::DidGetCertDBOnUIThread,
|
||||
cert_db,
|
||||
is_user_db_available,
|
||||
callback));
|
||||
}
|
||||
|
||||
// static
|
||||
void CertificateManagerModel::GetCertDBOnIOThread(
|
||||
content::ResourceContext* context,
|
||||
const CreationCallback& callback) {
|
||||
DCHECK_CURRENTLY_ON(BrowserThread::IO);
|
||||
net::NSSCertDatabase* cert_db = GetNSSCertDatabaseForResourceContext(
|
||||
context,
|
||||
base::Bind(&CertificateManagerModel::DidGetCertDBOnIOThread,
|
||||
callback));
|
||||
if (cert_db)
|
||||
DidGetCertDBOnIOThread(callback, cert_db);
|
||||
}
|
116
chromium_src/chrome/browser/certificate_manager_model.h
Normal file
116
chromium_src/chrome/browser/certificate_manager_model.h
Normal file
|
@ -0,0 +1,116 @@
|
|||
// Copyright (c) 2012 The Chromium Authors. All rights reserved.
|
||||
// Use of this source code is governed by a BSD-style license that can be
|
||||
// found in the LICENSE file.
|
||||
|
||||
#ifndef CHROME_BROWSER_CERTIFICATE_MANAGER_MODEL_H_
|
||||
#define CHROME_BROWSER_CERTIFICATE_MANAGER_MODEL_H_
|
||||
|
||||
#include <map>
|
||||
#include <string>
|
||||
|
||||
#include "base/callback.h"
|
||||
#include "base/macros.h"
|
||||
#include "base/memory/ref_counted.h"
|
||||
#include "base/memory/scoped_ptr.h"
|
||||
#include "base/strings/string16.h"
|
||||
#include "net/cert/nss_cert_database.h"
|
||||
|
||||
namespace content {
|
||||
class BrowserContext;
|
||||
class ResourceContext;
|
||||
} // namespace content
|
||||
|
||||
// CertificateManagerModel provides the data to be displayed in the certificate
|
||||
// manager dialog, and processes changes from the view.
|
||||
class CertificateManagerModel {
|
||||
public:
|
||||
typedef base::Callback<void(scoped_ptr<CertificateManagerModel>)>
|
||||
CreationCallback;
|
||||
|
||||
// Creates a CertificateManagerModel. The model will be passed to the callback
|
||||
// when it is ready. The caller must ensure the model does not outlive the
|
||||
// |browser_context|.
|
||||
static void Create(content::BrowserContext* browser_context,
|
||||
const CreationCallback& callback);
|
||||
|
||||
~CertificateManagerModel();
|
||||
|
||||
bool is_user_db_available() const { return is_user_db_available_; }
|
||||
|
||||
// Accessor for read-only access to the underlying NSSCertDatabase.
|
||||
const net::NSSCertDatabase* cert_db() const { return cert_db_; }
|
||||
|
||||
// Import private keys and certificates from PKCS #12 encoded
|
||||
// |data|, using the given |password|. If |is_extractable| is false,
|
||||
// mark the private key as unextractable from the module.
|
||||
// Returns a net error code on failure.
|
||||
int ImportFromPKCS12(net::CryptoModule* module, const std::string& data,
|
||||
const base::string16& password, bool is_extractable);
|
||||
|
||||
// Import user certificate from DER encoded |data|.
|
||||
// Returns a net error code on failure.
|
||||
int ImportUserCert(const std::string& data);
|
||||
|
||||
// Import CA certificates.
|
||||
// Tries to import all the certificates given. The root will be trusted
|
||||
// according to |trust_bits|. Any certificates that could not be imported
|
||||
// will be listed in |not_imported|.
|
||||
// |trust_bits| should be a bit field of TRUST* values from NSSCertDatabase.
|
||||
// Returns false if there is an internal error, otherwise true is returned and
|
||||
// |not_imported| should be checked for any certificates that were not
|
||||
// imported.
|
||||
bool ImportCACerts(const net::CertificateList& certificates,
|
||||
net::NSSCertDatabase::TrustBits trust_bits,
|
||||
net::NSSCertDatabase::ImportCertFailureList* not_imported);
|
||||
|
||||
// Import server certificate. The first cert should be the server cert. Any
|
||||
// additional certs should be intermediate/CA certs and will be imported but
|
||||
// not given any trust.
|
||||
// Any certificates that could not be imported will be listed in
|
||||
// |not_imported|.
|
||||
// |trust_bits| can be set to explicitly trust or distrust the certificate, or
|
||||
// use TRUST_DEFAULT to inherit trust as normal.
|
||||
// Returns false if there is an internal error, otherwise true is returned and
|
||||
// |not_imported| should be checked for any certificates that were not
|
||||
// imported.
|
||||
bool ImportServerCert(
|
||||
const net::CertificateList& certificates,
|
||||
net::NSSCertDatabase::TrustBits trust_bits,
|
||||
net::NSSCertDatabase::ImportCertFailureList* not_imported);
|
||||
|
||||
// Set trust values for certificate.
|
||||
// |trust_bits| should be a bit field of TRUST* values from NSSCertDatabase.
|
||||
// Returns true on success or false on failure.
|
||||
bool SetCertTrust(const net::X509Certificate* cert,
|
||||
net::CertType type,
|
||||
net::NSSCertDatabase::TrustBits trust_bits);
|
||||
|
||||
// Delete the cert. Returns true on success. |cert| is still valid when this
|
||||
// function returns.
|
||||
bool Delete(net::X509Certificate* cert);
|
||||
|
||||
private:
|
||||
CertificateManagerModel(net::NSSCertDatabase* nss_cert_database,
|
||||
bool is_user_db_available);
|
||||
|
||||
// Methods used during initialization, see the comment at the top of the .cc
|
||||
// file for details.
|
||||
static void DidGetCertDBOnUIThread(
|
||||
net::NSSCertDatabase* cert_db,
|
||||
bool is_user_db_available,
|
||||
const CreationCallback& callback);
|
||||
static void DidGetCertDBOnIOThread(
|
||||
const CreationCallback& callback,
|
||||
net::NSSCertDatabase* cert_db);
|
||||
static void GetCertDBOnIOThread(content::ResourceContext* context,
|
||||
const CreationCallback& callback);
|
||||
|
||||
net::NSSCertDatabase* cert_db_;
|
||||
// Whether the certificate database has a public slot associated with the
|
||||
// profile. If not set, importing certificates is not allowed with this model.
|
||||
bool is_user_db_available_;
|
||||
|
||||
DISALLOW_COPY_AND_ASSIGN(CertificateManagerModel);
|
||||
};
|
||||
|
||||
#endif // CHROME_BROWSER_CERTIFICATE_MANAGER_MODEL_H_
|
Loading…
Add table
Add a link
Reference in a new issue