Remember the intermediate CA certs if the server sends them to us....

net/base/ssl_client_socket_nss.cc

 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
+// This file includes code GetDefaultCertNickname(), derived from
+// nsNSSCertificate::defaultServerNickName()
+// in mozilla/security/manager/ssl/src/nsNSSCertificate.cpp
+// and SSLClientSocketNSS::OwnAuthCertHandler() derived from
+// AuthCertificateCallback() in
+// mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.
+
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Ian McGreer <mcgreer@netscape.com>
+ *   Javier Delgadillo <javi@netscape.com>
+ *   Kai Engert <kengert@redhat.com>
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
 #include "net/base/ssl_client_socket_nss.h"
 
+#include <certdb.h>
 #include <nspr.h>
 #include <nss.h>
 #include <secerr.h>
 // Work around https://bugzilla.mozilla.org/show_bug.cgi?id=455424
 // until NSS 3.12.2 comes out and we update to it.
 #define Lock FOO_NSS_Lock
 #include <ssl.h>
 #include <sslerr.h>
 #include <pk11pub.h>
 #undef Lock
@@ skipping 23 matching lines @@
                            " leave " << x << "; next_state " << next_state_
 #define GotoState(s) do { LOG(INFO) << (void *)this << " " << __FUNCTION__ << \
                            " jump to state " << s; next_state_ = s; } while (0)
 #define LogData(s, len)   LOG(INFO) << (void *)this << " " << __FUNCTION__ << \
                            " data [" << std::string(s, len) << "]";
 
 #endif
 
 namespace {
 
+// Gets default certificate nickname from cert.
+// Derived from nsNSSCertificate::defaultServerNickname
+// in mozilla/security/manager/ssl/src/nsNSSCertificate.cpp.
+std::string GetDefaultCertNickname(
+    net::X509Certificate::OSCertHandle cert) {
+  if (cert == NULL)
+    return "";
+
+  char* name = CERT_GetCommonName(&cert->subject);
+  if (!name) {
+    // Certs without common names are strange, but they do exist...
+    // Let's try to use another string for the nickname
+    name = CERT_GetOrgUnitName(&cert->subject);
+    if (!name)
+      name = CERT_GetOrgName(&cert->subject);
+    if (!name)
+      name = CERT_GetLocalityName(&cert->subject);
+    if (!name)
+      name = CERT_GetStateName(&cert->subject);
+    if (!name)
+      name = CERT_GetCountryName(&cert->subject);
+    if (!name)
+      return "";
+  }
+  int count = 1;
+  std::string nickname;
+  while (1) {
+    if (count == 1) {
+      nickname = name;
+    } else {
+      nickname = StringPrintf("%s #%d", name, count);
+    }
+    PRBool conflict = SEC_CertNicknameConflict(
+        const_cast<char*>(nickname.c_str()), &cert->derSubject, cert->dbhandle);
+    if (!conflict)
+      break;
+    count++;
+  }
+  PR_FREEIF(name);
+  return nickname;
+}
+
 int NetErrorFromNSPRError(PRErrorCode err) {
   // TODO(port): fill this out as we learn what's important
   switch (err) {
     case PR_WOULD_BLOCK_ERROR:
       return ERR_IO_PENDING;
     case SSL_ERROR_NO_CYPHER_OVERLAP:
       return ERR_SSL_VERSION_OR_CIPHER_MISMATCH;
     case SSL_ERROR_BAD_CERT_DOMAIN:
       return ERR_CERT_COMMON_NAME_INVALID;
     case SEC_ERROR_EXPIRED_CERTIFICATE:
@@ skipping 41 matching lines @@
       buffer_recv_callback_(this, &SSLClientSocketNSS::BufferRecvComplete),
       transport_send_busy_(false),
       transport_recv_busy_(false),
       io_callback_(this, &SSLClientSocketNSS::OnIOComplete),
       transport_(transport_socket),
       hostname_(hostname),
       ssl_config_(ssl_config),
       user_callback_(NULL),
       user_buf_len_(0),
       server_cert_error_(0),
+      cert_list_(NULL),
       completed_handshake_(false),
       next_state_(STATE_NONE),
       nss_fd_(NULL),
       nss_bufs_(NULL) {
   EnterFunction("");
 }
 
 SSLClientSocketNSS::~SSLClientSocketNSS() {
   EnterFunction("");
   Disconnect();
@@ skipping 142 matching lines @@
 void SSLClientSocketNSS::InvalidateSessionIfBadCertificate() {
   if (UpdateServerCert() != NULL &&
       ssl_config_.allowed_bad_certs_.count(server_cert_)) {
     SSL_InvalidateSession(nss_fd_);
   }
 }
 
 void SSLClientSocketNSS::Disconnect() {
   EnterFunction("");
 
-  // Reset object state
-  transport_send_busy_ = false;
-  transport_recv_busy_ = false;
-  user_buf_            = NULL;
-  user_buf_len_        = 0;
-  server_cert_error_   = OK;
-  completed_handshake_ = false;
-  nss_bufs_            = NULL;
-
   // TODO(wtc): Send SSL close_notify alert.
   if (nss_fd_ != NULL) {
     InvalidateSessionIfBadCertificate();
     PR_Close(nss_fd_);
     nss_fd_ = NULL;
   }
 
   transport_->Disconnect();
+
+  // Reset object state
+  transport_send_busy_ = false;
+  transport_recv_busy_ = false;
+  user_buf_            = NULL;
+  user_buf_len_        = 0;
+  server_cert_         = NULL;
+  server_cert_error_   = OK;
+  if (cert_list_) {
+    CERT_DestroyCertList(cert_list_);
+    cert_list_ = NULL;
+  }
+  completed_handshake_ = false;
+  nss_bufs_            = NULL;
+
   LeaveFunction("");
 }
 
 bool SSLClientSocketNSS::IsConnected() const {
   // Ideally, we should also check if we have received the close_notify alert
   // message from the server, and return false in that case.  We're not doing
   // that, so this function may return a false positive.  Since the upper
   // layer (HttpNetworkTransaction) needs to handle a persistent connection
   // closed by the server when we send a request anyway, a false positive in
   // exchange for simpler code is a good trade-off.
@@ skipping 57 matching lines @@
 
 X509Certificate *SSLClientSocketNSS::UpdateServerCert() {
   // We set the server_cert_ from OwnAuthCertHandler(), but this handler
   // does not necessarily get called if we are continuing a cached SSL
   // session.
   if (server_cert_ == NULL) {
     X509Certificate::OSCertHandle nss_cert = SSL_PeerCertificate(nss_fd_);
     if (nss_cert) {
       server_cert_ = X509Certificate::CreateFromHandle(
           nss_cert, X509Certificate::SOURCE_FROM_NETWORK);
+      DCHECK(!cert_list_);
+      cert_list_ = CERT_GetCertChainFromCert(
+          nss_cert, PR_Now(), certUsageSSLCA);
     }
   }
   return server_cert_;
 }
 
 void SSLClientSocketNSS::GetSSLInfo(SSLInfo* ssl_info) {
   EnterFunction("");
   ssl_info->Reset();
   SSLChannelInfo channel_info;
   SECStatus ok = SSL_GetChannelInfo(nss_fd_,
@@ skipping 168 matching lines @@
       network_moved = (nsent > 0 || nreceived >= 0);
     }
   } while ((rv != ERR_IO_PENDING || network_moved) &&
             next_state_ != STATE_NONE);
   LeaveFunction("");
   return rv;
 }
 
 // static
 // NSS calls this if an incoming certificate needs to be verified.
+// Derived from AuthCertificateCallback() in
+// mozilla/source/security/manager/ssl/src/nsNSSCallbacks.cpp.
 SECStatus SSLClientSocketNSS::OwnAuthCertHandler(void* arg,
                                                  PRFileDesc* socket,
                                                  PRBool checksig,
                                                  PRBool is_server) {
   SSLClientSocketNSS* that = reinterpret_cast<SSLClientSocketNSS*>(arg);
 
   // Remember the certificate as it will no longer be accessible if the
   // handshake fails.
-  that->UpdateServerCert();
+  scoped_refptr<X509Certificate> cert = that->UpdateServerCert();
 
-  return SSL_AuthCertificate(CERT_GetDefaultCertDB(), socket, checksig,
+  SECStatus rv = SSL_AuthCertificate(CERT_GetDefaultCertDB(), socket, checksig,
                              is_server);
+  if (rv == SECSuccess && that->cert_list_) {
+    // Remember the intermediate CA certs if the server sends them to us.
+    for (CERTCertListNode* node = CERT_LIST_HEAD(that->cert_list_);
+         !CERT_LIST_END(node, that->cert_list_);
+         node = CERT_LIST_NEXT(node)) {
+      if (node->cert->slot || node->cert->isRoot || node->cert->isperm ||
+          node->cert == cert->os_cert_handle()) {
+        // Some certs we don't want to remember are:
+        // - found on a token.
+        // - the root cert.
+        // - already stored in perm db.
+        // - the server cert itself.
+        continue;
+      }
+
+      // We have found a CA cert that we want to remember.
+      std::string nickname(GetDefaultCertNickname(node->cert));
+      if (!nickname.empty()) {
+        PK11SlotInfo* slot = PK11_GetInternalKeySlot();
+        if (slot) {
+          PK11_ImportCert(slot, node->cert, CK_INVALID_HANDLE,
+                          const_cast<char*>(nickname.c_str()), PR_FALSE);
+          PK11_FreeSlot(slot);
+        }
+      }
+    }
+  }
+
+  return rv;
 }
 
 // static
 // NSS calls this if an incoming certificate is invalid.
 SECStatus SSLClientSocketNSS::OwnBadCertHandler(void* arg,
                                                 PRFileDesc* socket) {
   SSLClientSocketNSS* that = reinterpret_cast<SSLClientSocketNSS*>(arg);
 
   if (that->server_cert_ &&
       that->ssl_config_.allowed_bad_certs_.count(that->server_cert_)) {
@@ skipping 73 matching lines @@
   if (prerr == PR_WOULD_BLOCK_ERROR) {
     GotoState(STATE_PAYLOAD_WRITE);
     return ERR_IO_PENDING;
   }
   user_buf_ = NULL;
   LeaveFunction("");
   return NetErrorFromNSPRError(prerr);
 }
 
 }  // namespace net