// Copyright (c) 2012 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "net/cert/nss_cert_database.h" #include #include #include #include #include #include "base/bind.h" #include "base/callback.h" #include "base/logging.h" #include "base/memory/scoped_ptr.h" #include "base/observer_list_threadsafe.h" #include "base/task_runner.h" #include "base/task_runner_util.h" #include "base/threading/worker_pool.h" #include "crypto/scoped_nss_types.h" #include "net/base/crypto_module.h" #include "net/base/net_errors.h" #include "net/cert/cert_database.h" #include "net/cert/x509_certificate.h" #include "net/third_party/mozilla_security_manager/nsNSSCertificateDB.h" #include "net/third_party/mozilla_security_manager/nsPKCS12Blob.h" // In NSS 3.13, CERTDB_VALID_PEER was renamed CERTDB_TERMINAL_RECORD. So we use // the new name of the macro. #if !defined(CERTDB_TERMINAL_RECORD) #define CERTDB_TERMINAL_RECORD CERTDB_VALID_PEER #endif // PSM = Mozilla's Personal Security Manager. namespace psm = mozilla_security_manager; namespace net { namespace { // TODO(pneubeck): Move this class out of NSSCertDatabase and to the caller of // the c'tor of NSSCertDatabase, see https://crbug.com/395983 . // Helper that observes events from the NSSCertDatabase and forwards them to // the given CertDatabase. class CertNotificationForwarder : public NSSCertDatabase::Observer { public: explicit CertNotificationForwarder(CertDatabase* cert_db) : cert_db_(cert_db) {} ~CertNotificationForwarder() override {} // NSSCertDatabase::Observer implementation: void OnCertAdded(const X509Certificate* cert) override { cert_db_->NotifyObserversOfCertAdded(cert); } void OnCertRemoved(const X509Certificate* cert) override { cert_db_->NotifyObserversOfCertRemoved(cert); } void OnCACertChanged(const X509Certificate* cert) override { cert_db_->NotifyObserversOfCACertChanged(cert); } private: CertDatabase* cert_db_; DISALLOW_COPY_AND_ASSIGN(CertNotificationForwarder); }; } // namespace NSSCertDatabase::ImportCertFailure::ImportCertFailure( const scoped_refptr& cert, int err) : certificate(cert), net_error(err) {} NSSCertDatabase::ImportCertFailure::~ImportCertFailure() {} NSSCertDatabase::NSSCertDatabase(crypto::ScopedPK11Slot public_slot, crypto::ScopedPK11Slot private_slot) : public_slot_(public_slot.Pass()), private_slot_(private_slot.Pass()), observer_list_(new ObserverListThreadSafe), weak_factory_(this) { CHECK(public_slot_); // This also makes sure that NSS has been initialized. CertDatabase* cert_db = CertDatabase::GetInstance(); cert_notification_forwarder_.reset(new CertNotificationForwarder(cert_db)); AddObserver(cert_notification_forwarder_.get()); psm::EnsurePKCS12Init(); } NSSCertDatabase::~NSSCertDatabase() {} void NSSCertDatabase::ListCertsSync(CertificateList* certs) { ListCertsImpl(crypto::ScopedPK11Slot(), certs); } void NSSCertDatabase::ListCerts( const base::Callback certs)>& callback) { scoped_ptr certs(new CertificateList()); // base::Passed will NULL out |certs|, so cache the underlying pointer here. CertificateList* raw_certs = certs.get(); GetSlowTaskRunner()->PostTaskAndReply( FROM_HERE, base::Bind(&NSSCertDatabase::ListCertsImpl, base::Passed(crypto::ScopedPK11Slot()), base::Unretained(raw_certs)), base::Bind(callback, base::Passed(&certs))); } void NSSCertDatabase::ListCertsInSlot(const ListCertsCallback& callback, PK11SlotInfo* slot) { DCHECK(slot); scoped_ptr certs(new CertificateList()); // base::Passed will NULL out |certs|, so cache the underlying pointer here. CertificateList* raw_certs = certs.get(); GetSlowTaskRunner()->PostTaskAndReply( FROM_HERE, base::Bind(&NSSCertDatabase::ListCertsImpl, base::Passed(crypto::ScopedPK11Slot(PK11_ReferenceSlot(slot))), base::Unretained(raw_certs)), base::Bind(callback, base::Passed(&certs))); } #if defined(OS_CHROMEOS) crypto::ScopedPK11Slot NSSCertDatabase::GetSystemSlot() const { return crypto::ScopedPK11Slot(); } #endif crypto::ScopedPK11Slot NSSCertDatabase::GetPublicSlot() const { return crypto::ScopedPK11Slot(PK11_ReferenceSlot(public_slot_.get())); } crypto::ScopedPK11Slot NSSCertDatabase::GetPrivateSlot() const { if (!private_slot_) return crypto::ScopedPK11Slot(); return crypto::ScopedPK11Slot(PK11_ReferenceSlot(private_slot_.get())); } CryptoModule* NSSCertDatabase::GetPublicModule() const { crypto::ScopedPK11Slot slot(GetPublicSlot()); return CryptoModule::CreateFromHandle(slot.get()); } CryptoModule* NSSCertDatabase::GetPrivateModule() const { crypto::ScopedPK11Slot slot(GetPrivateSlot()); return CryptoModule::CreateFromHandle(slot.get()); } void NSSCertDatabase::ListModules(CryptoModuleList* modules, bool need_rw) const { modules->clear(); // The wincx arg is unused since we don't call PK11_SetIsLoggedInFunc. crypto::ScopedPK11SlotList slot_list( PK11_GetAllTokens(CKM_INVALID_MECHANISM, need_rw ? PR_TRUE : PR_FALSE, // needRW PR_TRUE, // loadCerts (unused) NULL)); // wincx if (!slot_list) { LOG(ERROR) << "PK11_GetAllTokens failed: " << PORT_GetError(); return; } PK11SlotListElement* slot_element = PK11_GetFirstSafe(slot_list.get()); while (slot_element) { modules->push_back(CryptoModule::CreateFromHandle(slot_element->slot)); slot_element = PK11_GetNextSafe(slot_list.get(), slot_element, PR_FALSE); // restart } } int NSSCertDatabase::ImportFromPKCS12( CryptoModule* module, const std::string& data, const base::string16& password, bool is_extractable, net::CertificateList* imported_certs) { DVLOG(1) << __func__ << " " << PK11_GetModuleID(module->os_module_handle()) << ":" << PK11_GetSlotID(module->os_module_handle()); int result = psm::nsPKCS12Blob_Import(module->os_module_handle(), data.data(), data.size(), password, is_extractable, imported_certs); if (result == net::OK) NotifyObserversOfCertAdded(NULL); return result; } int NSSCertDatabase::ExportToPKCS12( const CertificateList& certs, const base::string16& password, std::string* output) const { return psm::nsPKCS12Blob_Export(output, certs, password); } X509Certificate* NSSCertDatabase::FindRootInList( const CertificateList& certificates) const { DCHECK_GT(certificates.size(), 0U); if (certificates.size() == 1) return certificates[0].get(); X509Certificate* cert0 = certificates[0].get(); X509Certificate* cert1 = certificates[1].get(); X509Certificate* certn_2 = certificates[certificates.size() - 2].get(); X509Certificate* certn_1 = certificates[certificates.size() - 1].get(); if (CERT_CompareName(&cert1->os_cert_handle()->issuer, &cert0->os_cert_handle()->subject) == SECEqual) return cert0; if (CERT_CompareName(&certn_2->os_cert_handle()->issuer, &certn_1->os_cert_handle()->subject) == SECEqual) return certn_1; LOG(WARNING) << "certificate list is not a hierarchy"; return cert0; } bool NSSCertDatabase::ImportCACerts(const CertificateList& certificates, TrustBits trust_bits, ImportCertFailureList* not_imported) { crypto::ScopedPK11Slot slot(GetPublicSlot()); X509Certificate* root = FindRootInList(certificates); bool success = psm::ImportCACerts( slot.get(), certificates, root, trust_bits, not_imported); if (success) NotifyObserversOfCACertChanged(NULL); return success; } bool NSSCertDatabase::ImportServerCert(const CertificateList& certificates, TrustBits trust_bits, ImportCertFailureList* not_imported) { crypto::ScopedPK11Slot slot(GetPublicSlot()); return psm::ImportServerCert( slot.get(), certificates, trust_bits, not_imported); } NSSCertDatabase::TrustBits NSSCertDatabase::GetCertTrust( const X509Certificate* cert, CertType type) const { CERTCertTrust trust; SECStatus srv = CERT_GetCertTrust(cert->os_cert_handle(), &trust); if (srv != SECSuccess) { LOG(ERROR) << "CERT_GetCertTrust failed with error " << PORT_GetError(); return TRUST_DEFAULT; } // We define our own more "friendly" TrustBits, which means we aren't able to // round-trip all possible NSS trust flag combinations. We try to map them in // a sensible way. switch (type) { case CA_CERT: { const unsigned kTrustedCA = CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA; const unsigned kCAFlags = kTrustedCA | CERTDB_TERMINAL_RECORD; TrustBits trust_bits = TRUST_DEFAULT; if ((trust.sslFlags & kCAFlags) == CERTDB_TERMINAL_RECORD) trust_bits |= DISTRUSTED_SSL; else if (trust.sslFlags & kTrustedCA) trust_bits |= TRUSTED_SSL; if ((trust.emailFlags & kCAFlags) == CERTDB_TERMINAL_RECORD) trust_bits |= DISTRUSTED_EMAIL; else if (trust.emailFlags & kTrustedCA) trust_bits |= TRUSTED_EMAIL; if ((trust.objectSigningFlags & kCAFlags) == CERTDB_TERMINAL_RECORD) trust_bits |= DISTRUSTED_OBJ_SIGN; else if (trust.objectSigningFlags & kTrustedCA) trust_bits |= TRUSTED_OBJ_SIGN; return trust_bits; } case SERVER_CERT: if (trust.sslFlags & CERTDB_TERMINAL_RECORD) { if (trust.sslFlags & CERTDB_TRUSTED) return TRUSTED_SSL; return DISTRUSTED_SSL; } return TRUST_DEFAULT; default: return TRUST_DEFAULT; } } bool NSSCertDatabase::IsUntrusted(const X509Certificate* cert) const { CERTCertTrust nsstrust; SECStatus rv = CERT_GetCertTrust(cert->os_cert_handle(), &nsstrust); if (rv != SECSuccess) { LOG(ERROR) << "CERT_GetCertTrust failed with error " << PORT_GetError(); return false; } // The CERTCertTrust structure contains three trust records: // sslFlags, emailFlags, and objectSigningFlags. The three // trust records are independent of each other. // // If the CERTDB_TERMINAL_RECORD bit in a trust record is set, // then that trust record is a terminal record. A terminal // record is used for explicit trust and distrust of an // end-entity or intermediate CA cert. // // In a terminal record, if neither CERTDB_TRUSTED_CA nor // CERTDB_TRUSTED is set, then the terminal record means // explicit distrust. On the other hand, if the terminal // record has either CERTDB_TRUSTED_CA or CERTDB_TRUSTED bit // set, then the terminal record means explicit trust. // // For a root CA, the trust record does not have // the CERTDB_TERMINAL_RECORD bit set. static const unsigned int kTrusted = CERTDB_TRUSTED_CA | CERTDB_TRUSTED; if ((nsstrust.sslFlags & CERTDB_TERMINAL_RECORD) != 0 && (nsstrust.sslFlags & kTrusted) == 0) { return true; } if ((nsstrust.emailFlags & CERTDB_TERMINAL_RECORD) != 0 && (nsstrust.emailFlags & kTrusted) == 0) { return true; } if ((nsstrust.objectSigningFlags & CERTDB_TERMINAL_RECORD) != 0 && (nsstrust.objectSigningFlags & kTrusted) == 0) { return true; } // Self-signed certificates that don't have any trust bits set are untrusted. // Other certificates that don't have any trust bits set may still be trusted // if they chain up to a trust anchor. if (CERT_CompareName(&cert->os_cert_handle()->issuer, &cert->os_cert_handle()->subject) == SECEqual) { return (nsstrust.sslFlags & kTrusted) == 0 && (nsstrust.emailFlags & kTrusted) == 0 && (nsstrust.objectSigningFlags & kTrusted) == 0; } return false; } bool NSSCertDatabase::SetCertTrust(const X509Certificate* cert, CertType type, TrustBits trust_bits) { bool success = psm::SetCertTrust(cert, type, trust_bits); if (success) NotifyObserversOfCACertChanged(cert); return success; } bool NSSCertDatabase::DeleteCertAndKey(X509Certificate* cert) { if (!DeleteCertAndKeyImpl(cert)) return false; NotifyObserversOfCertRemoved(cert); return true; } void NSSCertDatabase::DeleteCertAndKeyAsync( const scoped_refptr& cert, const DeleteCertCallback& callback) { base::PostTaskAndReplyWithResult( GetSlowTaskRunner().get(), FROM_HERE, base::Bind(&NSSCertDatabase::DeleteCertAndKeyImpl, cert), base::Bind(&NSSCertDatabase::NotifyCertRemovalAndCallBack, weak_factory_.GetWeakPtr(), cert, callback)); } bool NSSCertDatabase::IsReadOnly(const X509Certificate* cert) const { PK11SlotInfo* slot = cert->os_cert_handle()->slot; return slot && PK11_IsReadOnly(slot); } bool NSSCertDatabase::IsHardwareBacked(const X509Certificate* cert) const { PK11SlotInfo* slot = cert->os_cert_handle()->slot; return slot && PK11_IsHW(slot); } void NSSCertDatabase::AddObserver(Observer* observer) { observer_list_->AddObserver(observer); } void NSSCertDatabase::RemoveObserver(Observer* observer) { observer_list_->RemoveObserver(observer); } void NSSCertDatabase::SetSlowTaskRunnerForTest( const scoped_refptr& task_runner) { slow_task_runner_for_test_ = task_runner; } // static void NSSCertDatabase::ListCertsImpl(crypto::ScopedPK11Slot slot, CertificateList* certs) { certs->clear(); CERTCertList* cert_list = NULL; if (slot) cert_list = PK11_ListCertsInSlot(slot.get()); else cert_list = PK11_ListCerts(PK11CertListUnique, NULL); CERTCertListNode* node; for (node = CERT_LIST_HEAD(cert_list); !CERT_LIST_END(node, cert_list); node = CERT_LIST_NEXT(node)) { certs->push_back(X509Certificate::CreateFromHandle( node->cert, X509Certificate::OSCertHandles())); } CERT_DestroyCertList(cert_list); } scoped_refptr NSSCertDatabase::GetSlowTaskRunner() const { if (slow_task_runner_for_test_.get()) return slow_task_runner_for_test_; return base::WorkerPool::GetTaskRunner(true /*task is slow*/); } void NSSCertDatabase::NotifyCertRemovalAndCallBack( scoped_refptr cert, const DeleteCertCallback& callback, bool success) { if (success) NotifyObserversOfCertRemoved(cert.get()); callback.Run(success); } void NSSCertDatabase::NotifyObserversOfCertAdded(const X509Certificate* cert) { observer_list_->Notify(&Observer::OnCertAdded, make_scoped_refptr(cert)); } void NSSCertDatabase::NotifyObserversOfCertRemoved( const X509Certificate* cert) { observer_list_->Notify(&Observer::OnCertRemoved, make_scoped_refptr(cert)); } void NSSCertDatabase::NotifyObserversOfCACertChanged( const X509Certificate* cert) { observer_list_->Notify( &Observer::OnCACertChanged, make_scoped_refptr(cert)); } // static bool NSSCertDatabase::DeleteCertAndKeyImpl( scoped_refptr cert) { // For some reason, PK11_DeleteTokenCertAndKey only calls // SEC_DeletePermCertificate if the private key is found. So, we check // whether a private key exists before deciding which function to call to // delete the cert. SECKEYPrivateKey* privKey = PK11_FindKeyByAnyCert(cert->os_cert_handle(), NULL); if (privKey) { SECKEY_DestroyPrivateKey(privKey); if (PK11_DeleteTokenCertAndKey(cert->os_cert_handle(), NULL)) { LOG(ERROR) << "PK11_DeleteTokenCertAndKey failed: " << PORT_GetError(); return false; } } else { if (SEC_DeletePermCertificate(cert->os_cert_handle())) { LOG(ERROR) << "SEC_DeletePermCertificate failed: " << PORT_GetError(); return false; } } return true; } } // namespace net