// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef NET_CERT_NSS_CERT_DATABASE_H_
#define NET_CERT_NSS_CERT_DATABASE_H_
#include <string>
#include <vector>
#include "base/basictypes.h"
#include "base/memory/ref_counted.h"
#include "base/strings/string16.h"
#include "crypto/scoped_nss_types.h"
#include "net/base/net_export.h"
#include "net/cert/cert_type.h"
#include "net/cert/x509_certificate.h"
template <typename T> struct DefaultSingletonTraits;
template <class ObserverType> class ObserverListThreadSafe;
namespace net {
class CryptoModule;
typedef std::vector<scoped_refptr<CryptoModule> > CryptoModuleList;
// Provides functions to manipulate the NSS certificate stores.
class NET_EXPORT NSSCertDatabase {
public:
class NET_EXPORT Observer {
public:
virtual ~Observer() {}
// Will be called when a new certificate is added.
// Called with |cert| == NULL after importing a list of certificates
// in ImportFromPKCS12().
virtual void OnCertAdded(const X509Certificate* cert) {}
// Will be called when a certificate is removed.
virtual void OnCertRemoved(const X509Certificate* cert) {}
// Will be called when a CA certificate is changed.
// Called with |cert| == NULL after importing a list of certificates
// in ImportCACerts().
virtual void OnCACertChanged(const X509Certificate* cert) {}
protected:
Observer() {}
private:
DISALLOW_COPY_AND_ASSIGN(Observer);
};
// Stores per-certificate error codes for import failures.
struct NET_EXPORT ImportCertFailure {
public:
ImportCertFailure(const scoped_refptr<X509Certificate>& cert, int err);
~ImportCertFailure();
scoped_refptr<X509Certificate> certificate;
int net_error;
};
typedef std::vector<ImportCertFailure> ImportCertFailureList;
// Constants that define which usages a certificate is trusted for.
// They are used in combination with CertType to specify trust for each type
// of certificate.
// For a CA_CERT, they specify that the CA is trusted for issuing server and
// client certs of each type.
// For SERVER_CERT, only TRUSTED_SSL makes sense, and specifies the cert is
// trusted as a server.
// For EMAIL_CERT, only TRUSTED_EMAIL makes sense, and specifies the cert is
// trusted for email.
// DISTRUSTED_* specifies that the cert should not be trusted for the given
// usage, regardless of whether it would otherwise inherit trust from the
// issuer chain.
// Use TRUST_DEFAULT to inherit trust as normal.
// NOTE: The actual constants are defined using an enum instead of static
// consts due to compilation/linkage constraints with template functions.
typedef uint32 TrustBits;
enum {
TRUST_DEFAULT = 0,
TRUSTED_SSL = 1 << 0,
TRUSTED_EMAIL = 1 << 1,
TRUSTED_OBJ_SIGN = 1 << 2,
DISTRUSTED_SSL = 1 << 3,
DISTRUSTED_EMAIL = 1 << 4,
DISTRUSTED_OBJ_SIGN = 1 << 5,
};
static NSSCertDatabase* GetInstance();
// Get a list of unique certificates in the certificate database (one
// instance of all certificates).
void ListCerts(CertificateList* certs);
// Get the default slot for public key data.
crypto::ScopedPK11Slot GetPublicSlot() const;
// Get the default slot for private key or mixed private/public key data.
crypto::ScopedPK11Slot GetPrivateSlot() const;
// Get the default module for public key data.
// The returned pointer must be stored in a scoped_refptr<CryptoModule>.
// DEPRECATED: use GetPublicSlot instead.
// TODO(mattm): remove usage of this method and remove it.
CryptoModule* GetPublicModule() const;
// Get the default module for private key or mixed private/public key data.
// The returned pointer must be stored in a scoped_refptr<CryptoModule>.
// DEPRECATED: use GetPrivateSlot instead.
// TODO(mattm): remove usage of this method and remove it.
CryptoModule* GetPrivateModule() const;
// Get all modules.
// If |need_rw| is true, only writable modules will be returned.
// TODO(mattm): come up with better alternative to CryptoModuleList.
void ListModules(CryptoModuleList* modules, bool need_rw) const;
// Import certificates and private keys from PKCS #12 blob into the module.
// If |is_extractable| is false, mark the private key as being unextractable
// from the module.
// Returns OK or a network error code such as ERR_PKCS12_IMPORT_BAD_PASSWORD
// or ERR_PKCS12_IMPORT_ERROR. |imported_certs|, if non-NULL, returns a list
// of certs that were imported.
int ImportFromPKCS12(CryptoModule* module,
const std::string& data,
const base::string16& password,
bool is_extractable,
CertificateList* imported_certs);
// Export the given certificates and private keys into a PKCS #12 blob,
// storing into |output|.
// Returns the number of certificates successfully exported.
int ExportToPKCS12(const CertificateList& certs,
const base::string16& password,
std::string* output) const;
// Uses similar logic to nsNSSCertificateDB::handleCACertDownload to find the
// root. Assumes the list is an ordered hierarchy with the root being either
// the first or last element.
// TODO(mattm): improve this to handle any order.
X509Certificate* FindRootInList(const CertificateList& certificates) const;
// Import CA certificates.
// Tries to import all the certificates given. The root will be trusted
// according to |trust_bits|. Any certificates that could not be imported
// will be listed in |not_imported|.
// Returns false if there is an internal error, otherwise true is returned and
// |not_imported| should be checked for any certificates that were not
// imported.
bool ImportCACerts(const CertificateList& certificates,
TrustBits trust_bits,
ImportCertFailureList* not_imported);
// Import server certificate. The first cert should be the server cert. Any
// additional certs should be intermediate/CA certs and will be imported but
// not given any trust.
// Any certificates that could not be imported will be listed in
// |not_imported|.
// |trust_bits| can be set to explicitly trust or distrust the certificate, or
// use TRUST_DEFAULT to inherit trust as normal.
// Returns false if there is an internal error, otherwise true is returned and
// |not_imported| should be checked for any certificates that were not
// imported.
bool ImportServerCert(const CertificateList& certificates,
TrustBits trust_bits,
ImportCertFailureList* not_imported);
// Get trust bits for certificate.
TrustBits GetCertTrust(const X509Certificate* cert, CertType type) const;
// IsUntrusted returns true if |cert| is specifically untrusted. These
// certificates are stored in the database for the specific purpose of
// rejecting them.
bool IsUntrusted(const X509Certificate* cert) const;
// Set trust values for certificate.
// Returns true on success or false on failure.
bool SetCertTrust(const X509Certificate* cert,
CertType type,
TrustBits trust_bits);
// Delete certificate and associated private key (if one exists).
// |cert| is still valid when this function returns. Returns true on
// success.
bool DeleteCertAndKey(const X509Certificate* cert);
// Check whether cert is stored in a readonly slot.
bool IsReadOnly(const X509Certificate* cert) const;
// Check whether cert is stored in a hardware slot.
bool IsHardwareBacked(const X509Certificate* cert) const;
// Registers |observer| to receive notifications of certificate changes. The
// thread on which this is called is the thread on which |observer| will be
// called back with notifications.
void AddObserver(Observer* observer);
// Unregisters |observer| from receiving notifications. This must be called
// on the same thread on which AddObserver() was called.
void RemoveObserver(Observer* observer);
private:
friend struct DefaultSingletonTraits<NSSCertDatabase>;
NSSCertDatabase();
~NSSCertDatabase();
// Broadcasts notifications to all registered observers.
void NotifyObserversOfCertAdded(const X509Certificate* cert);
void NotifyObserversOfCertRemoved(const X509Certificate* cert);
void NotifyObserversOfCACertChanged(const X509Certificate* cert);
const scoped_refptr<ObserverListThreadSafe<Observer> > observer_list_;
DISALLOW_COPY_AND_ASSIGN(NSSCertDatabase);
};
} // namespace net
#endif // NET_CERT_NSS_CERT_DATABASE_H_