diff options
Diffstat (limited to 'net/base/cert_database.h')
-rw-r--r-- | net/base/cert_database.h | 95 |
1 files changed, 95 insertions, 0 deletions
diff --git a/net/base/cert_database.h b/net/base/cert_database.h index 31e3401..52888fe 100644 --- a/net/base/cert_database.h +++ b/net/base/cert_database.h @@ -4,12 +4,37 @@ #ifndef NET_BASE_CERT_DATABASE_H_ #define NET_BASE_CERT_DATABASE_H_ +#pragma once + +#include <string> +#include <vector> #include "base/basictypes.h" +#include "base/string16.h" +#include "base/ref_counted.h" namespace net { class X509Certificate; +typedef std::vector<scoped_refptr<X509Certificate> > CertificateList; + +// Constants to classify the type of a certificate. +// This is only used in the context of CertDatabase, but is defined outside to +// avoid an awkwardly long type name. +// The type is a combination of intrinsic properties, such as the presense of an +// email address or Certificate Authority Basic Constraint, and assigned trust +// values. For example, a cert with no email address, basic constraints, or +// trust, would be classified as UNKNOWN_CERT. If that cert is then trusted +// with SetCertTrust(cert, SERVER_CERT, TRUSTED_SSL), it would become a +// SERVER_CERT. +enum CertType { + UNKNOWN_CERT, + CA_CERT, + USER_CERT, + EMAIL_CERT, + SERVER_CERT, + NUM_CERT_TYPES +}; // This class provides functions to manipulate the local // certificate store. @@ -20,6 +45,32 @@ class X509Certificate; class CertDatabase { public: + // Constants that define which usages a certificate is trusted for. + // They are used in combination with CertType to specify trust for each type + // of certificate. + // For a CA_CERT, they specify that the CA is trusted for issuing server and + // client certs of each type. + // For SERVER_CERT, only TRUSTED_SSL makes sense, and specifies the cert is + // trusted as a server. + // For EMAIL_CERT, only TRUSTED_EMAIL makes sense, and specifies the cert is + // trusted for email. + enum { + UNTRUSTED = 0, + TRUSTED_SSL = 1 << 0, + TRUSTED_EMAIL = 1 << 1, + TRUSTED_OBJ_SIGN = 1 << 2, + }; + + // Stores per-certificate error codes for import failures. + struct ImportCertFailure { + public: + ImportCertFailure(X509Certificate* cert, int err); + + scoped_refptr<X509Certificate> certificate; + int net_error; + }; + typedef std::vector<ImportCertFailure> ImportCertFailureList; + CertDatabase(); // Check whether this is a valid user cert that we have the private key for. @@ -31,6 +82,50 @@ class CertDatabase { // the platform cert database, or possibly other network error codes. int AddUserCert(X509Certificate* cert); +#if defined(USE_NSS) + // Get a list of unique certificates in the certificate database. (One + // instance of all certificates.) + void ListCerts(CertificateList* certs); + + // Import certificates and private keys from PKCS #12 blob. + // Returns OK or a network error code such as ERR_PKCS12_IMPORT_BAD_PASSWORD + // or ERR_PKCS12_IMPORT_ERROR. + int ImportFromPKCS12(const std::string& data, const string16& password); + + // Export the given certificates and private keys into a PKCS #12 blob, + // storing into |output|. + // Returns the number of certificates successfully exported. + int ExportToPKCS12(const CertificateList& certs, const string16& password, + std::string* output); + + // Uses similar logic to nsNSSCertificateDB::handleCACertDownload to find the + // root. Assumes the list is an ordered hierarchy with the root being either + // the first or last element. + // TODO(mattm): improve this to handle any order. + X509Certificate* FindRootInList(const CertificateList& certificates); + + // Import CA certificates. + // Tries to import all the certificates given. The root will be trusted + // according to |trust_bits|. Any certificates that could not be imported + // will be listed in |not_imported|. + // Returns false if there is an internal error, otherwise true is returned and + // |not_imported| should be checked for any certificates that were not + // imported. + bool ImportCACerts(const CertificateList& certificates, + unsigned int trust_bits, + ImportCertFailureList* not_imported); + + // Set trust values for certificate. + // Returns true on success or false on failure. + bool SetCertTrust(const X509Certificate* cert, + CertType type, + unsigned int trust_bits); + + // Delete certificate and associated private key (if one exists). + // Returns true on success or false on failure. + bool DeleteCertAndKey(const X509Certificate* cert); +#endif + private: DISALLOW_COPY_AND_ASSIGN(CertDatabase); }; |