From 1240c83e40c925d643af7f20f6cc137a092f7ddb Mon Sep 17 00:00:00 2001 From: deepak1556 Date: Mon, 18 Apr 2016 21:05:33 +0530 Subject: [PATCH] set trust bits for CA certs --- atom/browser/api/atom_api_app.cc | 91 +++++++++++----------- atom/browser/api/atom_api_app.h | 7 +- atom/browser/atom_browser_client.cc | 1 - .../chrome/browser/certificate_manager_model.cc | 12 +-- .../chrome/browser/certificate_manager_model.h | 7 +- 5 files changed, 56 insertions(+), 62 deletions(-) diff --git a/atom/browser/api/atom_api_app.cc b/atom/browser/api/atom_api_app.cc index 4cbae08..1446d44 100644 --- a/atom/browser/api/atom_api_app.cc +++ b/atom/browser/api/atom_api_app.cc @@ -15,10 +15,11 @@ #include "atom/browser/browser.h" #include "atom/browser/login_handler.h" #include "atom/common/native_mate_converters/callback.h" -#include "atom/common/native_mate_converters/net_converter.h" #include "atom/common/native_mate_converters/file_path_converter.h" #include "atom/common/native_mate_converters/gurl_converter.h" #include "atom/common/native_mate_converters/image_converter.h" +#include "atom/common/native_mate_converters/net_converter.h" +#include "atom/common/native_mate_converters/value_converter.h" #include "atom/common/node_includes.h" #include "atom/common/options_switches.h" #include "base/command_line.h" @@ -158,41 +159,35 @@ void PassLoginInformation(scoped_refptr login_handler, login_handler->CancelAuth(); } -net::CertificateList ImportCertsFromFile( - const base::FilePath& path) { - net::CertificateList certs; - if (path.empty()) - return certs; - - std::string cert_data; - if (!base::ReadFileToString(path, &cert_data)) - return certs; - - certs = net::X509Certificate::CreateCertificateListFromBytes( - cert_data.data(), cert_data.size(), - net::X509Certificate::FORMAT_AUTO); - - return certs; -} - -int ImportCertificateIntoCertStore( +int ImportIntoCertStore( CertificateManagerModel* model, - const base::FilePath& path, - const base::FilePath& ca_path, - const base::string16& password) { - LOG(WARNING) << "importing ...."; - - std::string file_data; - int result = -1; - net::CertificateList ca_certs; - net::NSSCertDatabase::ImportCertFailureList not_imported; - auto module = model->cert_db()->GetPublicModule(); - if (base::ReadFileToString(path, &file_data)) { - result &= model->ImportFromPKCS12(module, file_data, password, true); - ca_certs = ImportCertsFromFile(ca_path); - result &= model->ImportCACerts(ca_certs, net::NSSCertDatabase::TRUST_DEFAULT, ¬_imported); + const base::DictionaryValue& options) { + std::string file_data, cert_path; + base::string16 password; + net::CertificateList imported_certs; + int rv; + options.GetString("clientCertificate", &cert_path); + options.GetString("password", &password); + + if (!cert_path.empty()) { + if (base::ReadFileToString(base::FilePath(cert_path), &file_data)) { + auto module = model->cert_db()->GetPublicModule(); + rv = model->ImportFromPKCS12(module, + file_data, + password, + true, + &imported_certs); + if (imported_certs.size() > 1) { + auto it = imported_certs.begin(); + ++it; // skip first which would be the client certificate. + for (; it != imported_certs.end(); ++it) + rv &= model->SetCertTrust(it->get(), + net::CA_CERT, + net::NSSCertDatabase::TRUSTED_SSL); + } + } } - return result; + return rv; } } // namespace @@ -408,30 +403,30 @@ bool App::MakeSingleInstance( } void App::ImportClientCertificate( - const base::FilePath& path, - const base::FilePath& ca_path, - - const base::string16& password, + const base::DictionaryValue& options, const net::CompletionCallback& callback) { auto browser_context = AtomBrowserMainParts::Get()->browser_context(); if (!certificate_manager_model_) { - CertificateManagerModel::Create(browser_context, base::Bind(&App::OnCertificateManagerModelCreated, base::Unretained(this), path, ca_path, password, callback)); + scoped_ptr copy = options.CreateDeepCopy(); + CertificateManagerModel::Create(browser_context, + base::Bind(&App::OnCertificateManagerModelCreated, + base::Unretained(this), + base::Passed(©), + callback)); return; } - int rv = ImportCertificateIntoCertStore(certificate_manager_model_.get(), path, ca_path, password); + int rv = ImportIntoCertStore(certificate_manager_model_.get(), options); callback.Run(rv); } void App::OnCertificateManagerModelCreated( - const base::FilePath& path, - const base::FilePath& ca_path, - const base::string16& password, + scoped_ptr options, const net::CompletionCallback& callback, scoped_ptr model) { certificate_manager_model_ = std::move(model); - - int rv = ImportCertificateIntoCertStore(certificate_manager_model_.get(), path, ca_path, password); + int rv = ImportIntoCertStore(certificate_manager_model_.get(), + *(options.get())); callback.Run(rv); } @@ -474,8 +469,10 @@ mate::ObjectTemplateBuilder App::GetObjectTemplateBuilder( .SetMethod("allowNTLMCredentialsForAllDomains", &App::AllowNTLMCredentialsForAllDomains) .SetMethod("getLocale", &App::GetLocale) - .SetMethod("makeSingleInstance", &App::MakeSingleInstance) - .SetMethod("importClientCertificate", &App::ImportClientCertificate); +#if defined(OS_LINUX) + .SetMethod("importClientCertificate", &App::ImportClientCertificate) +#endif + .SetMethod("makeSingleInstance", &App::MakeSingleInstance); } // static diff --git a/atom/browser/api/atom_api_app.h b/atom/browser/api/atom_api_app.h index b5c797d..ce66dae 100644 --- a/atom/browser/api/atom_api_app.h +++ b/atom/browser/api/atom_api_app.h @@ -44,9 +44,7 @@ class App : public AtomBrowserClient::Delegate, int render_frame_id); void OnCertificateManagerModelCreated( - const base::FilePath& path, - const base::FilePath& ca_path, - const base::string16& password, + scoped_ptr options, const net::CompletionCallback& callback, scoped_ptr model); @@ -106,7 +104,8 @@ class App : public AtomBrowserClient::Delegate, bool MakeSingleInstance( const ProcessSingleton::NotificationCallback& callback); std::string GetLocale(); - void ImportClientCertificate(const base::FilePath& path, const base::FilePath& ca_path, const base::string16& password, const net::CompletionCallback& callback); + void ImportClientCertificate(const base::DictionaryValue& options, + const net::CompletionCallback& callback); #if defined(OS_WIN) bool IsAeroGlassEnabled(); diff --git a/atom/browser/atom_browser_client.cc b/atom/browser/atom_browser_client.cc index ddefd06..f4add58 100644 --- a/atom/browser/atom_browser_client.cc +++ b/atom/browser/atom_browser_client.cc @@ -37,7 +37,6 @@ #include "content/public/browser/site_instance.h" #include "content/public/browser/web_contents.h" #include "content/public/common/web_preferences.h" -#include "net/cert/x509_certificate.h" #include "net/ssl/ssl_cert_request_info.h" #include "ppapi/host/ppapi_host.h" #include "ui/base/l10n/l10n_util.h" diff --git a/chromium_src/chrome/browser/certificate_manager_model.cc b/chromium_src/chrome/browser/certificate_manager_model.cc index 83ab12a..b0db6ed 100644 --- a/chromium_src/chrome/browser/certificate_manager_model.cc +++ b/chromium_src/chrome/browser/certificate_manager_model.cc @@ -7,10 +7,8 @@ #include #include "base/bind.h" -#include "base/i18n/time_formatting.h" #include "base/logging.h" #include "base/strings/utf_string_conversions.h" -#include "build/build_config.h" #include "content/public/browser/browser_context.h" #include "content/public/browser/browser_thread.h" #include "content/public/browser/resource_context.h" @@ -20,7 +18,6 @@ #include "net/base/net_errors.h" #include "net/cert/nss_cert_database.h" #include "net/cert/x509_certificate.h" -#include "ui/base/l10n/l10n_util.h" using content::BrowserThread; @@ -64,8 +61,6 @@ net::NSSCertDatabase* GetNSSCertDatabaseForResourceContext( // GetNSSCertDatabaseForResourceContext // | // CertificateManagerModel::DidGetCertDBOnIOThread -// | -// crypto::IsTPMTokenEnabledForNSS // v--------------------------------------/ // CertificateManagerModel::DidGetCertDBOnUIThread // | @@ -100,9 +95,10 @@ CertificateManagerModel::~CertificateManagerModel() { int CertificateManagerModel::ImportFromPKCS12(net::CryptoModule* module, const std::string& data, const base::string16& password, - bool is_extractable) { + bool is_extractable, + net::CertificateList* imported_certs) { return cert_db_->ImportFromPKCS12(module, data, password, - is_extractable, NULL); + is_extractable, imported_certs); } int CertificateManagerModel::ImportUserCert(const std::string& data) { @@ -121,7 +117,7 @@ bool CertificateManagerModel::ImportServerCert( net::NSSCertDatabase::TrustBits trust_bits, net::NSSCertDatabase::ImportCertFailureList* not_imported) { return cert_db_->ImportServerCert(certificates, trust_bits, - not_imported); + not_imported); } bool CertificateManagerModel::SetCertTrust( diff --git a/chromium_src/chrome/browser/certificate_manager_model.h b/chromium_src/chrome/browser/certificate_manager_model.h index bd0d5dd..1eb3508 100644 --- a/chromium_src/chrome/browser/certificate_manager_model.h +++ b/chromium_src/chrome/browser/certificate_manager_model.h @@ -44,8 +44,11 @@ class CertificateManagerModel { // |data|, using the given |password|. If |is_extractable| is false, // mark the private key as unextractable from the module. // Returns a net error code on failure. - int ImportFromPKCS12(net::CryptoModule* module, const std::string& data, - const base::string16& password, bool is_extractable); + int ImportFromPKCS12(net::CryptoModule* module, + const std::string& data, + const base::string16& password, + bool is_extractable, + net::CertificateList* imported_certs); // Import user certificate from DER encoded |data|. // Returns a net error code on failure. -- 2.7.4