Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(487)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: net/third_party/mozilla_security_manager/nsPKCS12Blob.cpp

Issue 7466006: For PKCS#12 imports, only mark key as unextractable if the PKCS#12 file includes it (Closed) Base URL: http://git.chromium.org/git/chromium.git@trunk
Patch Set: Added a unit test Created 9 years, 5 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « net/data/ssl/certificates/client-nokey.p12 ('k') | no next file » | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/third_party/mozilla_security_manager/nsPKCS12Blob.cpp
diff --git a/net/third_party/mozilla_security_manager/nsPKCS12Blob.cpp b/net/third_party/mozilla_security_manager/nsPKCS12Blob.cpp
index d65990025eeaf9ea43016f1f7eddbf112e195fc1..5f3735b21851ca1a7668bd77d17d26aca2427411 100644
--- a/net/third_party/mozilla_security_manager/nsPKCS12Blob.cpp
+++ b/net/third_party/mozilla_security_manager/nsPKCS12Blob.cpp
@@ -197,15 +197,27 @@ nsPKCS12Blob_ImportHelper(const char* pkcs12_data,
CK_BBOOL attribute_data = CK_FALSE;
attribute_value.data = &attribute_data;
attribute_value.len = sizeof(attribute_data);
- CERTCertList* cert_list = SEC_PKCS12DecoderGetCerts(dcx);
-
- // Iterate through each certificate in the chain and mark corresponding
- // private key as unextractable.
- for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list);
- !CERT_LIST_END(node, cert_list); node = CERT_LIST_NEXT(node)) {
- SECKEYPrivateKey* privKey = PK11_FindKeyByDERCert(slot,
- node->cert,
- NULL); // wincx
+
+ srv = SEC_PKCS12DecoderIterateInit(dcx);
+ if (srv) goto finish;
+
+ const SEC_PKCS12DecoderItem* decoder_item = NULL;
+ // Iterate through all the imported PKCS12 items and mark any accompanying
+ // private keys as unextractable.
+ while(SEC_PKCS12DecoderIterateNext(dcx, &decoder_item) == SECSuccess) {
Ryan Sleevi 2011/07/29 01:46:27 nit: "while(" -> "while ("
gauravsh 2011/07/29 02:08:47 Done.
+ if (decoder_item->type != SEC_OID_PKCS12_V1_CERT_BAG_ID)
+ continue;
+ if (!decoder_item->hasKey)
+ continue;
+
+ // Once we have determined that the imported certificate has an
+ // associated private key too, only then can we mark the key as
+ // unextractable.
+ CERTCertificate* cert = PK11_FindCertFromDERCertItem(
Ryan Sleevi 2011/07/29 01:46:27 LEAK: |cert| is leaked (line 229 or line 231)
gauravsh 2011/07/29 02:08:47 Done.
+ slot, const_cast<SECItem*>(decoder_item->der),
+ NULL); // wincx
+ SECKEYPrivateKey* privKey = PK11_FindPrivateKeyFromCert(slot, cert,
+ NULL); // wincx
if (privKey) {
// Mark the private key as unextractable.
srv = PK11_WriteRawAttribute(PK11_TypePrivKey, privKey, CKA_EXTRACTABLE,
@@ -218,7 +230,6 @@ nsPKCS12Blob_ImportHelper(const char* pkcs12_data,
}
}
}
- CERT_DestroyCertList(cert_list);
if (srv) goto finish;
}
« no previous file with comments | « net/data/ssl/certificates/client-nokey.p12 ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698