author | mattm@chromium.org <mattm@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-04-20 22:14:07 +0000 |
---|---|---|
committer | mattm@chromium.org <mattm@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-04-20 22:14:07 +0000 |
commit | 1e507001a1f4b7e9f96ad4faffd0448a586ac304 (patch) | |
tree | 3981374091abf45e8ca46a64e678efadc7c1ab38 /chrome/third_party | |
parent | d64b07bf98e4f27da4c22da6c615b75d4b2e16bc (diff) | |
Linux: Populate certificate manager with certificates.
BUG=19991
TEST=manual
Review URL: http://codereview.chromium.org/1660007
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@45095 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chrome/third_party')
4 files changed, 518 insertions, 0 deletions
diff --git a/chrome/third_party/mozilla_security_manager/nsNSSCertHelper.cpp b/chrome/third_party/mozilla_security_manager/nsNSSCertHelper.cpp
index 4058c32..8b8e279 100644
--- a/chrome/third_party/mozilla_security_manager/nsNSSCertHelper.cpp
+++ b/chrome/third_party/mozilla_security_manager/nsNSSCertHelper.cpp
@@ -46,6 +46,7 @@
 #include "app/l10n_util.h"
 #include "base/i18n/number_formatting.h"
 #include "base/utf_string_conversions.h"
+#include "chrome/third_party/mozilla_security_manager/nsNSSCertTrust.h"
 #include "grit/generated_resources.h"
 #include "net/base/net_util.h"
@@ -928,4 +929,21 @@ std::string ProcessSubjectPublicKeyInfo(CERTSubjectPublicKeyInfo* spki) {
 return rv;
 }
+CertType GetCertType(CERTCertificate *cert) {
+ nsNSSCertTrust trust(cert->trust);
+ if (cert->nickname && trust.HasAnyUser())
+ return USER_CERT;
+ if (trust.HasAnyCA())
+ return CA_CERT;
+ if (trust.HasPeer(PR_TRUE, PR_FALSE, PR_FALSE))
+ return SERVER_CERT;
+ if (trust.HasPeer(PR_FALSE, PR_TRUE, PR_FALSE) && cert->emailAddr)
+ return EMAIL_CERT;
+ if (CERT_IsCACert(cert, NULL))
+ return CA_CERT;
+ if (cert->emailAddr)
+ return EMAIL_CERT;
+ return UNKNOWN_CERT;
+}
+
 } // namespace mozilla_security_manager
diff --git a/chrome/third_party/mozilla_security_manager/nsNSSCertHelper.h b/chrome/third_party/mozilla_security_manager/nsNSSCertHelper.h
index eaa6e8b..9c98fbd 100644
--- a/chrome/third_party/mozilla_security_manager/nsNSSCertHelper.h
+++ b/chrome/third_party/mozilla_security_manager/nsNSSCertHelper.h
@@ -57,6 +57,17 @@ typedef scoped_ptr_malloc<PRArenaPool, FreePRArenaPool> ScopedPRArenaPool;
 namespace mozilla_security_manager {
+// Constants to classify the type of a certificate. (In Mozilla this is actually
+// defined in nsIX509Cert.idl)
+enum CertType {
+ UNKNOWN_CERT,
+ CA_CERT,
+ USER_CERT,
+ EMAIL_CERT,
+ SERVER_CERT,
+ NUM_CERT_TYPES
+};
+
 extern SECOidTag ms_cert_ext_certtype;
 extern SECOidTag ms_certsrv_ca_version;
 extern SECOidTag ms_nt_principal_name;
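Review bot: GetCertType dereferences `cert` (`cert->trust`, `cert->nickname`, `cert->emailAddr`) with no NULL guard, and neither the definition nor the header declaration states that the argument must be non-NULL; since the callers live outside this diffstat, make the precondition explicit with a `DCHECK(cert);` as the first line (adding the base/logging.h include if it is not already pulled in) or an early `if (!cert) return UNKNOWN_CERT;`. Note that `cert->trust` itself needs no check, because the nsNSSCertTrust constructor zero-fills when handed a NULL pointer. The classification is driven by the local NSS trust flags first (`HasAnyUser`, `HasAnyCA`, `HasPeer`) and only falls back to the certificate body (`CERT_IsCACert`, `emailAddr`), so the same certificate can be filed differently depending on the user's trust database; a one-line comment above the function stating that order would save the next reader from re-deriving it, e.g. `// Trust flags from the NSS database take precedence; basicConstraints and the email address only decide when no flags are set.`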
@@ -94,6 +105,8 @@ std::string ProcessExtKeyUsage(SECItem* extension_data);
 std::string ProcessExtensionData(SECOidTag oid_tag, SECItem* extension_data);
 std::string ProcessSubjectPublicKeyInfo(CERTSubjectPublicKeyInfo* spki);
+CertType GetCertType(CERTCertificate *cert);
+
 } // namespace mozilla_security_manager
 #endif // CHROME_THIRD_PARTY_MOZILLA_SECURITY_MANAGER_NSNSSCERTHELPER_H_
diff --git a/chrome/third_party/mozilla_security_manager/nsNSSCertTrust.cpp b/chrome/third_party/mozilla_security_manager/nsNSSCertTrust.cpp
new file mode 100644
index 0000000..3479366
--- /dev/null
+++ b/chrome/third_party/mozilla_security_manager/nsNSSCertTrust.cpp
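Review bot: The new `GetCertType` declaration has no comment, unlike the `CertType` enum it returns in the earlier hunk of this header, so a caller cannot tell from the header what the classification is based on or whether NULL is accepted. Add a comment above the declaration along the lines of `// Classifies |cert| for display in the certificate manager, preferring its NSS trust flags (user / CA / peer) and falling back to CERT_IsCACert and the email address; |cert| must not be NULL.`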
@@ -0,0 +1,365 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ * Ian McGreer <mcgreer@netscape.com>
+ * Javier Delgadillo <javi@netscape.com>
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "chrome/third_party/mozilla_security_manager/nsNSSCertTrust.h"
+
+void
+nsNSSCertTrust::AddCATrust(PRBool ssl, PRBool email, PRBool objSign)
+{
+ if (ssl) {
+ addTrust(&mTrust.sslFlags, CERTDB_TRUSTED_CA);
+ addTrust(&mTrust.sslFlags, CERTDB_TRUSTED_CLIENT_CA);
+ }
+ if (email) {
+ addTrust(&mTrust.emailFlags, CERTDB_TRUSTED_CA);
+ addTrust(&mTrust.emailFlags, CERTDB_TRUSTED_CLIENT_CA);
+ }
+ if (objSign) {
+ addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED_CA);
+ addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED_CLIENT_CA);
+ }
+}
+
+void
+nsNSSCertTrust::AddPeerTrust(PRBool ssl, PRBool email, PRBool objSign)
+{
+ if (ssl)
+ addTrust(&mTrust.sslFlags, CERTDB_TRUSTED);
+ if (email)
+ addTrust(&mTrust.emailFlags, CERTDB_TRUSTED);
+ if (objSign)
+ addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED);
+}
+
+nsNSSCertTrust::nsNSSCertTrust()
+{
+ memset(&mTrust, 0, sizeof(CERTCertTrust));
+}
+
+nsNSSCertTrust::nsNSSCertTrust(unsigned int ssl,
+ unsigned int email,
+ unsigned int objsign)
+{
+ memset(&mTrust, 0, sizeof(CERTCertTrust));
+ addTrust(&mTrust.sslFlags, ssl);
+ addTrust(&mTrust.emailFlags, email);
+ addTrust(&mTrust.objectSigningFlags, objsign);
+}
+
+nsNSSCertTrust::nsNSSCertTrust(CERTCertTrust *t)
+{
+ if (t)
+ memcpy(&mTrust, t, sizeof(CERTCertTrust));
+ else
+ memset(&mTrust, 0, sizeof(CERTCertTrust));
+}
+
+nsNSSCertTrust::~nsNSSCertTrust()
+{
+}
+
+void
+nsNSSCertTrust::SetSSLTrust(PRBool peer, PRBool tPeer,
+ PRBool ca, PRBool tCA, PRBool tClientCA,
+ PRBool user, PRBool warn)
+{
+ mTrust.sslFlags = 0;
+ if (peer || tPeer)
+ addTrust(&mTrust.sslFlags, CERTDB_VALID_PEER);
+ if (tPeer)
+ addTrust(&mTrust.sslFlags, CERTDB_TRUSTED);
+ if (ca || tCA)
+ addTrust(&mTrust.sslFlags, CERTDB_VALID_CA);
+ if (tClientCA)
+ addTrust(&mTrust.sslFlags, CERTDB_TRUSTED_CLIENT_CA);
+ if (tCA)
+ addTrust(&mTrust.sslFlags, CERTDB_TRUSTED_CA);
+ if (user)
+ addTrust(&mTrust.sslFlags, CERTDB_USER);
+ if (warn)
+ addTrust(&mTrust.sslFlags, CERTDB_SEND_WARN);
+}
+
+void
+nsNSSCertTrust::SetEmailTrust(PRBool peer, PRBool tPeer,
+ PRBool ca, PRBool tCA, PRBool tClientCA,
+ PRBool user, PRBool warn)
+{
+ mTrust.emailFlags = 0;
+ if (peer || tPeer)
+ addTrust(&mTrust.emailFlags, CERTDB_VALID_PEER);
+ if (tPeer)
+ addTrust(&mTrust.emailFlags, CERTDB_TRUSTED);
+ if (ca || tCA)
+ addTrust(&mTrust.emailFlags, CERTDB_VALID_CA);
+ if (tClientCA)
+ addTrust(&mTrust.emailFlags, CERTDB_TRUSTED_CLIENT_CA);
+ if (tCA)
+ addTrust(&mTrust.emailFlags, CERTDB_TRUSTED_CA);
+ if (user)
+ addTrust(&mTrust.emailFlags, CERTDB_USER);
+ if (warn)
+ addTrust(&mTrust.emailFlags, CERTDB_SEND_WARN);
+}
+
+void
+nsNSSCertTrust::SetObjSignTrust(PRBool peer, PRBool tPeer,
+ PRBool ca, PRBool tCA, PRBool tClientCA,
+ PRBool user, PRBool warn)
+{
+ mTrust.objectSigningFlags = 0;
+ if (peer || tPeer)
+ addTrust(&mTrust.objectSigningFlags, CERTDB_VALID_PEER);
+ if (tPeer)
+ addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED);
+ if (ca || tCA)
+ addTrust(&mTrust.objectSigningFlags, CERTDB_VALID_CA);
+ if (tClientCA)
+ addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED_CLIENT_CA);
+ if (tCA)
+ addTrust(&mTrust.objectSigningFlags, CERTDB_TRUSTED_CA);
+ if (user)
+ addTrust(&mTrust.objectSigningFlags, CERTDB_USER);
+ if (warn)
+ addTrust(&mTrust.objectSigningFlags, CERTDB_SEND_WARN);
+}
+
+void
+nsNSSCertTrust::SetValidCA()
+{
+ SetSSLTrust(PR_FALSE, PR_FALSE,
+ PR_TRUE, PR_FALSE, PR_FALSE,
+ PR_FALSE, PR_FALSE);
+ SetEmailTrust(PR_FALSE, PR_FALSE,
+ PR_TRUE, PR_FALSE, PR_FALSE,
+ PR_FALSE, PR_FALSE);
+ SetObjSignTrust(PR_FALSE, PR_FALSE,
+ PR_TRUE, PR_FALSE, PR_FALSE,
+ PR_FALSE, PR_FALSE);
+}
+
+void
+nsNSSCertTrust::SetTrustedServerCA()
+{
+ SetSSLTrust(PR_FALSE, PR_FALSE,
+ PR_TRUE, PR_TRUE, PR_FALSE,
+ PR_FALSE, PR_FALSE);
+ SetEmailTrust(PR_FALSE, PR_FALSE,
+ PR_TRUE, PR_TRUE, PR_FALSE,
+ PR_FALSE, PR_FALSE);
+ SetObjSignTrust(PR_FALSE, PR_FALSE,
+ PR_TRUE, PR_TRUE, PR_FALSE,
+ PR_FALSE, PR_FALSE);
+}
+
+void
+nsNSSCertTrust::SetTrustedCA()
+{
+ SetSSLTrust(PR_FALSE, PR_FALSE,
+ PR_TRUE, PR_TRUE, PR_TRUE,
+ PR_FALSE, PR_FALSE);
+ SetEmailTrust(PR_FALSE, PR_FALSE,
+ PR_TRUE, PR_TRUE, PR_TRUE,
+ PR_FALSE, PR_FALSE);
+ SetObjSignTrust(PR_FALSE, PR_FALSE,
+ PR_TRUE, PR_TRUE, PR_TRUE,
+ PR_FALSE, PR_FALSE);
+}
+
+void
+nsNSSCertTrust::SetValidPeer()
+{
+ SetSSLTrust(PR_TRUE, PR_FALSE,
+ PR_FALSE, PR_FALSE, PR_FALSE,
+ PR_FALSE, PR_FALSE);
+ SetEmailTrust(PR_TRUE, PR_FALSE,
+ PR_FALSE, PR_FALSE, PR_FALSE,
+ PR_FALSE, PR_FALSE);
+ SetObjSignTrust(PR_TRUE, PR_FALSE,
+ PR_FALSE, PR_FALSE, PR_FALSE,
+ PR_FALSE, PR_FALSE);
+}
+
+void
+nsNSSCertTrust::SetValidServerPeer()
+{
+ SetSSLTrust(PR_TRUE, PR_FALSE,
+ PR_FALSE, PR_FALSE, PR_FALSE,
+ PR_FALSE, PR_FALSE);
+ SetEmailTrust(PR_FALSE, PR_FALSE,
+ PR_FALSE, PR_FALSE, PR_FALSE,
+ PR_FALSE, PR_FALSE);
+ SetObjSignTrust(PR_FALSE, PR_FALSE,
+ PR_FALSE, PR_FALSE, PR_FALSE,
+ PR_FALSE, PR_FALSE);
+}
+
+void
+nsNSSCertTrust::SetTrustedPeer()
+{
+ SetSSLTrust(PR_TRUE, PR_TRUE,
+ PR_FALSE, PR_FALSE, PR_FALSE,
+ PR_FALSE, PR_FALSE);
+ SetEmailTrust(PR_TRUE, PR_TRUE,
+ PR_FALSE, PR_FALSE, PR_FALSE,
+ PR_FALSE, PR_FALSE);
+ SetObjSignTrust(PR_TRUE, PR_TRUE,
+ PR_FALSE, PR_FALSE, PR_FALSE,
+ PR_FALSE, PR_FALSE);
+}
+
+void
+nsNSSCertTrust::SetUser()
+{
+ SetSSLTrust(PR_FALSE, PR_FALSE,
+ PR_FALSE, PR_FALSE, PR_FALSE,
+ PR_TRUE, PR_FALSE);
+ SetEmailTrust(PR_FALSE, PR_FALSE,
+ PR_FALSE, PR_FALSE, PR_FALSE,
+ PR_TRUE, PR_FALSE);
+ SetObjSignTrust(PR_FALSE, PR_FALSE,
+ PR_FALSE, PR_FALSE, PR_FALSE,
+ PR_TRUE, PR_FALSE);
+}
+
+PRBool
+nsNSSCertTrust::HasAnyCA()
+{
+ if (hasTrust(mTrust.sslFlags, CERTDB_VALID_CA) ||
+ hasTrust(mTrust.emailFlags, CERTDB_VALID_CA) ||
+ hasTrust(mTrust.objectSigningFlags, CERTDB_VALID_CA))
+ return PR_TRUE;
+ return PR_FALSE;
+}
+
+PRBool
+nsNSSCertTrust::HasCA(PRBool checkSSL,
+ PRBool checkEmail,
+ PRBool checkObjSign)
+{
+ if (checkSSL && !hasTrust(mTrust.sslFlags, CERTDB_VALID_CA))
+ return PR_FALSE;
+ if (checkEmail && !hasTrust(mTrust.emailFlags, CERTDB_VALID_CA))
+ return PR_FALSE;
+ if (checkObjSign && !hasTrust(mTrust.objectSigningFlags, CERTDB_VALID_CA))
+ return PR_FALSE;
+ return PR_TRUE;
+}
+
+PRBool
+nsNSSCertTrust::HasPeer(PRBool checkSSL,
+ PRBool checkEmail,
+ PRBool checkObjSign)
+{
+ if (checkSSL && !hasTrust(mTrust.sslFlags, CERTDB_VALID_PEER))
+ return PR_FALSE;
+ if (checkEmail && !hasTrust(mTrust.emailFlags, CERTDB_VALID_PEER))
+ return PR_FALSE;
+ if (checkObjSign && !hasTrust(mTrust.objectSigningFlags, CERTDB_VALID_PEER))
+ return PR_FALSE;
+ return PR_TRUE;
+}
+
+PRBool
+nsNSSCertTrust::HasAnyUser()
+{
+ if (hasTrust(mTrust.sslFlags, CERTDB_USER) ||
+ hasTrust(mTrust.emailFlags, CERTDB_USER) ||
+ hasTrust(mTrust.objectSigningFlags, CERTDB_USER))
+ return PR_TRUE;
+ return PR_FALSE;
+}
+
+PRBool
+nsNSSCertTrust::HasUser(PRBool checkSSL,
+ PRBool checkEmail,
+ PRBool checkObjSign)
+{
+ if (checkSSL && !hasTrust(mTrust.sslFlags, CERTDB_USER))
+ return PR_FALSE;
+ if (checkEmail && !hasTrust(mTrust.emailFlags, CERTDB_USER))
+ return PR_FALSE;
+ if (checkObjSign && !hasTrust(mTrust.objectSigningFlags, CERTDB_USER))
+ return PR_FALSE;
+ return PR_TRUE;
+}
+
+PRBool
+nsNSSCertTrust::HasTrustedCA(PRBool checkSSL,
+ PRBool checkEmail,
+ PRBool checkObjSign)
+{
+ if (checkSSL && !(hasTrust(mTrust.sslFlags, CERTDB_TRUSTED_CA) ||
+ hasTrust(mTrust.sslFlags, CERTDB_TRUSTED_CLIENT_CA)))
+ return PR_FALSE;
+ if (checkEmail && !(hasTrust(mTrust.emailFlags, CERTDB_TRUSTED_CA) ||
+ hasTrust(mTrust.emailFlags, CERTDB_TRUSTED_CLIENT_CA)))
+ return PR_FALSE;
+ if (checkObjSign &&
+ !(hasTrust(mTrust.objectSigningFlags, CERTDB_TRUSTED_CA) ||
+ hasTrust(mTrust.objectSigningFlags, CERTDB_TRUSTED_CLIENT_CA)))
+ return PR_FALSE;
+ return PR_TRUE;
+}
+
+PRBool
+nsNSSCertTrust::HasTrustedPeer(PRBool checkSSL,
+ PRBool checkEmail,
+ PRBool checkObjSign)
+{
+ if (checkSSL && !(hasTrust(mTrust.sslFlags, CERTDB_TRUSTED)))
+ return PR_FALSE;
+ if (checkEmail && !(hasTrust(mTrust.emailFlags, CERTDB_TRUSTED)))
+ return PR_FALSE;
+ if (checkObjSign &&
+ !(hasTrust(mTrust.objectSigningFlags, CERTDB_TRUSTED)))
+ return PR_FALSE;
+ return PR_TRUE;
+}
+
+void
+nsNSSCertTrust::addTrust(unsigned int *t, unsigned int v)
+{
+ *t |= v;
+}
+
+PRBool
+nsNSSCertTrust::hasTrust(unsigned int t, unsigned int v)
+{
+ return !!(t & v);
+}
diff --git a/chrome/third_party/mozilla_security_manager/nsNSSCertTrust.h b/chrome/third_party/mozilla_security_manager/nsNSSCertTrust.h
new file mode 100644
index 0000000..832c6c5
--- /dev/null
+++ b/chrome/third_party/mozilla_security_manager/nsNSSCertTrust.h
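Review bot: The three constructors in nsNSSCertTrust.cpp call `memset` and `memcpy`, but the only include in the file is nsNSSCertTrust.h, which itself pulls in just `<certt.h>` and `<certdb.h>`; the string functions appear to be reached only transitively through those NSS headers, so add `#include <string.h>` directly after the project include to make the dependency explicit. The `nsNSSCertTrust(CERTCertTrust *t)` constructor does the right thing by zero-filling on a NULL pointer, which is what lets GetCertType pass `cert->trust` unchecked; a one-line comment on that branch, `/* NSS leaves trust NULL for certificates with no recorded trust; treat as no flags */` hedged as an assumption to confirm against the NSS docs, would make that contract visible. Minor style: `HasAnyCA` and `HasAnyUser` could return their condition directly (`return hasTrust(...) || hasTrust(...) || hasTrust(...);`) in the same spirit as `hasTrust`'s `!!(t & v)`.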
@@ -0,0 +1,122 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ * Ian McGreer <mcgreer@netscape.com>
+ * Javier Delgadillo <javi@netscape.com>
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef CHROME_THIRD_PARTY_MOZILLA_SECURITY_MANAGER_NSNSSCERTTRUST_H_
+#define CHROME_THIRD_PARTY_MOZILLA_SECURITY_MANAGER_NSNSSCERTTRUST_H_
+
+#include <certt.h>
+#include <certdb.h>
+
+/*
+ * nsNSSCertTrust
+ *
+ * Class for maintaining trust flags for an NSS certificate.
+ */
+class nsNSSCertTrust
+{
+public:
+ nsNSSCertTrust();
+ nsNSSCertTrust(unsigned int ssl, unsigned int email, unsigned int objsign);
+ nsNSSCertTrust(CERTCertTrust *t);
+ virtual ~nsNSSCertTrust();
+
+ /* query */
+ PRBool HasAnyCA();
+ PRBool HasAnyUser();
+ PRBool HasCA(PRBool checkSSL = PR_TRUE,
+ PRBool checkEmail = PR_TRUE,
+ PRBool checkObjSign = PR_TRUE);
+ PRBool HasPeer(PRBool checkSSL = PR_TRUE,
+ PRBool checkEmail = PR_TRUE,
+ PRBool checkObjSign = PR_TRUE);
+ PRBool HasUser(PRBool checkSSL = PR_TRUE,
+ PRBool checkEmail = PR_TRUE,
+ PRBool checkObjSign = PR_TRUE);
+ PRBool HasTrustedCA(PRBool checkSSL = PR_TRUE,
+ PRBool checkEmail = PR_TRUE,
+ PRBool checkObjSign = PR_TRUE);
+ PRBool HasTrustedPeer(PRBool checkSSL = PR_TRUE,
+ PRBool checkEmail = PR_TRUE,
+ PRBool checkObjSign = PR_TRUE);
+
+ /* common defaults */
+ /* equivalent to "c,c,c" */
+ void SetValidCA();
+ /* equivalent to "C,C,C" */
+ void SetTrustedServerCA();
+ /* equivalent to "CT,CT,CT" */
+ void SetTrustedCA();
+ /* equivalent to "p,," */
+ void SetValidServerPeer();
+ /* equivalent to "p,p,p" */
+ void SetValidPeer();
+ /* equivalent to "P,P,P" */
+ void SetTrustedPeer();
+ /* equivalent to "u,u,u" */
+ void SetUser();
+
+ /* general setters */
+ /* read: "p, P, c, C, T, u, w" */
+ void SetSSLTrust(PRBool peer, PRBool tPeer,
+ PRBool ca, PRBool tCA, PRBool tClientCA,
+ PRBool user, PRBool warn);
+
+ void SetEmailTrust(PRBool peer, PRBool tPeer,
+ PRBool ca, PRBool tCA, PRBool tClientCA,
+ PRBool user, PRBool warn);
+
+ void SetObjSignTrust(PRBool peer, PRBool tPeer,
+ PRBool ca, PRBool tCA, PRBool tClientCA,
+ PRBool user, PRBool warn);
+
+ /* set c <--> CT */
+ void AddCATrust(PRBool ssl, PRBool email, PRBool objSign);
+ /* set p <--> P */
+ void AddPeerTrust(PRBool ssl, PRBool email, PRBool objSign);
+
+ /* get it (const?) (shallow?) */
+ CERTCertTrust * GetTrust() { return &mTrust; }
+
+private:
+ void addTrust(unsigned int *t, unsigned int v);
+ void removeTrust(unsigned int *t, unsigned int v);
+ PRBool hasTrust(unsigned int t, unsigned int v);
+ CERTCertTrust mTrust;
+};
+
+#endif // CHROME_THIRD_PARTY_MOZILLA_SECURITY_MANAGER_NSNSSCERTTRUST_H_
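Review bot: The private `removeTrust(unsigned int *t, unsigned int v)` is declared here but nsNSSCertTrust.cpp in this commit defines only `addTrust` and `hasTrust`, so the first caller will fail at link time; either define it next to addTrust (`*t &= ~v;`) or drop the declaration, since nothing in this commit uses it. `GetTrust()` returns a mutable pointer into `mTrust` and the inherited comment `/* get it (const?) (shallow?) */` leaves its contract undecided; the one user added by this commit, GetCertType, only constructs from `cert->trust` and calls the `Has*` queries, so a `const CERTCertTrust*` return, or at least a comment that the pointer is only valid while the nsNSSCertTrust object lives and that writing through it does not touch the NSS database, would settle it. The `nsNSSCertTrust(CERTCertTrust *t)` constructor is a single-argument constructor without `explicit`, which allows a raw `CERTCertTrust*` to convert silently; marking it `explicit` is a small, source-compatible hardening for the call site in GetCertType.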