For PKCS#12 imports, only mark key as unextractable if the PKCS#12 file includes it

net/third_party/mozilla_security_manager/nsPKCS12Blob.cpp

Index: net/third_party/mozilla_security_manager/nsPKCS12Blob.cpp
diff --git a/net/third_party/mozilla_security_manager/nsPKCS12Blob.cpp b/net/third_party/mozilla_security_manager/nsPKCS12Blob.cpp
index d65990025eeaf9ea43016f1f7eddbf112e195fc1..08e72464ba3725d79fbd65921a90d7eebcb9b7aa 100644
--- a/net/third_party/mozilla_security_manager/nsPKCS12Blob.cpp
+++ b/net/third_party/mozilla_security_manager/nsPKCS12Blob.cpp
@@ -197,28 +197,39 @@ nsPKCS12Blob_ImportHelper(const char* pkcs12_data,
     CK_BBOOL attribute_data = CK_FALSE;
     attribute_value.data = &attribute_data;
     attribute_value.len = sizeof(attribute_data);
-    CERTCertList* cert_list = SEC_PKCS12DecoderGetCerts(dcx);
-
-    // Iterate through each certificate in the chain and mark corresponding
-    // private key as unextractable.
-    for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list);
-         !CERT_LIST_END(node, cert_list); node = CERT_LIST_NEXT(node)) {
-      SECKEYPrivateKey* privKey =  PK11_FindKeyByDERCert(slot,
-                                                         node->cert,
-                                                         NULL);  // wincx
+
+    srv = SEC_PKCS12DecoderIterateInit(dcx);
+    if (srv) goto finish;
+
+    const SEC_PKCS12DecoderItem* decoder_item = NULL;
+    // Iterate through all the imported PKCS12 items and mark any accompanying
+    // private keys as unextractable.
+    while (SEC_PKCS12DecoderIterateNext(dcx, &decoder_item) == SECSuccess) {
+      if (decoder_item->type != SEC_OID_PKCS12_V1_CERT_BAG_ID)
+        continue;
+      if (!decoder_item->hasKey)
+        continue;
+
+      // Once we have determined that the imported certificate has an
+      // associated private key too, only then can we mark the key as
+      // unextractable.
+      CERTCertificate* cert = PK11_FindCertFromDERCertItem(
+          slot, const_cast<SECItem*>(decoder_item->der),
+          NULL);  // wincx
+      SECKEYPrivateKey* privKey = PK11_FindPrivateKeyFromCert(slot, cert,
+                                                              NULL);  // wincx
       if (privKey) {
         // Mark the private key as unextractable.
         srv = PK11_WriteRawAttribute(PK11_TypePrivKey, privKey, CKA_EXTRACTABLE,
                                      &attribute_value);
         SECKEY_DestroyPrivateKey(privKey);
-        if (srv) {
-          LOG(ERROR) << "Couldn't set CKA_EXTRACTABLE attribute on private "
-                     << "key.";
-          break;
-        }
+      }
+      if (cert) CERT_DestroyCertificate(cert);
+      if (srv) {
+        LOG(ERROR) << "Couldn't set CKA_EXTRACTABLE attribute on private key.";
+        break;
       }

[wtc, 2011/07/29 19:08:37]

The if (srv) statement on lines 228-231 should be moved inside
the if (privKey) block, after line 225.

We should add a null pointer check for 'cert', so I suggest
this code sequence:
    CERTCertificate* cert = PK11_FindCertFromDERCertItem(...);
    if (!cert)
      continue;  // You can add a LOG(ERROR) statement
    SECKEYPrivateKey* privKey = PK11_FindPrivateKeyFromCert(...)
    CERT_DestroyCertificate(cert);
    if (privKey) {
      ...
    }

Also, do you really want to break out of the loop on
line 230 if we get an error with a private key?

[gauravsh, 2011/07/29 20:04:55]

Done.
I guess we could continue with the next PKCS#12 items although my reasoning for
the original break was that a failure to get the private key at this point means
that something failed during the earlier import.

Changed it to continue instead. We can re-visit this if we ever run into this
error case.

     }
-    CERT_DestroyCertList(cert_list);
     if (srv) goto finish;
   }