This applies GUIDs to certificate and key nicknames when

net/third_party/mozilla_security_manager/nsNSSCertificateDB.cpp

  /* ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
  *
  * The contents of this file are subject to the Mozilla Public License Version
  * 1.1 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
  * http://www.mozilla.org/MPL/
  *
  * Software distributed under the License is distributed on an "AS IS" basis,
  * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
@@ skipping 29 matching lines @@
 
 #include <cert.h>
 #include <pk11pub.h>
 #include <secerr.h>
 
 #include "base/logging.h"
 #include "crypto/nss_util_internal.h"
 #include "crypto/scoped_nss_types.h"
 #include "net/base/net_errors.h"
 #include "net/base/x509_certificate.h"
+#include "net/base/x509_util_nss.h"
 #include "net/third_party/mozilla_security_manager/nsNSSCertTrust.h"
 
 namespace mozilla_security_manager {
 
 // Based on nsNSSCertificateDB::handleCACertDownload, minus the UI bits.
 bool ImportCACerts(const net::CertificateList& certificates,
                    net::X509Certificate* root,
                    net::CertDatabase::TrustBits trustBits,
                    net::CertDatabase::ImportCertFailureList* not_imported) {
   crypto::ScopedPK11Slot slot(crypto::GetPublicNSSKeySlot());
@@ skipping 13 matching lines @@
     // Mozilla just returns here, but we continue in case there are other certs
     // in the list which aren't already imported.
     // TODO(mattm): should we set/add trust if it differs from the present
     // settings?
     not_imported->push_back(net::CertDatabase::ImportCertFailure(
         root, net::ERR_IMPORT_CERT_ALREADY_EXISTS));
   } else {
     // Mozilla uses CERT_AddTempCertToPerm, however it is privately exported,
     // and it doesn't take the slot as an argument either.  Instead, we use
     // PK11_ImportCert and CERT_ChangeCertTrust.
-    char* nickname = CERT_MakeCANickname(root->os_cert_handle());
-    if (!nickname)
-      return false;
-    SECStatus srv = PK11_ImportCert(slot.get(), root->os_cert_handle(),
-                                    CK_INVALID_HANDLE,
-                                    nickname,
-                                    PR_FALSE /* includeTrust (unused) */);
-    PORT_Free(nickname);
+    SECStatus srv = PK11_ImportCert(

[wtc, 2011/12/08 00:07:43]

Please add a CHECK (non-debug assertion) here to assert that
net::x509_util::GetCertType(root) is net::CA_CERT.

[Greg Spencer (Chromium), 2011/12/09 18:51:38]

Now that we're passing the certificate type instead of detecting it, this is not
necessary.

+        slot.get(),
+        root->os_cert_handle(),
+        CK_INVALID_HANDLE,
+        net::x509_util::GetDefaultCertificateLabel(root).c_str(),
+        PR_FALSE /* includeTrust (unused) */);
     if (srv != SECSuccess) {
       LOG(ERROR) << "PK11_ImportCert failed with error " << PORT_GetError();
       return false;
     }
     if (!SetCertTrust(root, net::CA_CERT, trustBits))
       return false;
   }
 
   PRTime now = PR_Now();
   // Import additional delivered certificates that can be verified.
@@ skipping 31 matching lines @@
       // error value).  (maybe make MapSecurityError or MapCertErrorToCertStatus
       // public.)
       not_imported->push_back(net::CertDatabase::ImportCertFailure(
           cert, net::ERR_FAILED));
       VLOG(1) << "skipping cert (verify) " << PORT_GetError();
       continue;
     }
 
     // Mozilla uses CERT_ImportCerts, which doesn't take a slot arg.  We use
     // PK11_ImportCert instead.
-    char* nickname = CERT_MakeCANickname(cert->os_cert_handle());
-    if (!nickname)
-      return false;
-    SECStatus srv = PK11_ImportCert(slot.get(), cert->os_cert_handle(),
-                                    CK_INVALID_HANDLE,
-                                    nickname,
-                                    PR_FALSE /* includeTrust (unused) */);
-    PORT_Free(nickname);
+    SECStatus srv = PK11_ImportCert(

[wtc, 2011/12/08 00:07:43]

Please add a CHECK (non-debug assertion) here to assert that
net::x509_util::GetCertType(cert) is net::CA_CERT.

[Greg Spencer (Chromium), 2011/12/09 18:51:38]

Now that we pass the certificate type, this is not necessary.

+        slot.get(),
+        cert->os_cert_handle(),
+        CK_INVALID_HANDLE,
+        net::x509_util::GetDefaultCertificateLabel(cert).c_str(),
+        PR_FALSE /* includeTrust (unused) */);
     if (srv != SECSuccess) {
       LOG(ERROR) << "PK11_ImportCert failed with error " << PORT_GetError();
       // TODO(mattm): Should we bail or continue on error here?  Mozilla doesn't
       // check error code at all.
       not_imported->push_back(net::CertDatabase::ImportCertFailure(
           cert, net::ERR_IMPORT_CA_CERT_FAILED));
     }
   }
 
   // Any errors importing individual certs will be in listed in |not_imported|.
   return true;
 }
 
 // Based on nsNSSCertificateDB::ImportServerCertificate.
 bool ImportServerCert(const net::CertificateList& certificates,
                       net::CertDatabase::ImportCertFailureList* not_imported) {
   crypto::ScopedPK11Slot slot(crypto::GetPublicNSSKeySlot());
   if (!slot.get()) {
     LOG(ERROR) << "Couldn't get internal key slot!";
     return false;
   }
 
   for (size_t i = 0; i < certificates.size(); ++i) {
     const scoped_refptr<net::X509Certificate>& cert = certificates[i];
 
     // Mozilla uses CERT_ImportCerts, which doesn't take a slot arg.  We use
     // PK11_ImportCert instead.
-    SECStatus srv = PK11_ImportCert(slot.get(), cert->os_cert_handle(),
-                                    CK_INVALID_HANDLE,
-                                    cert->subject().GetDisplayName().c_str(),
-                                    PR_FALSE /* includeTrust (unused) */);
+    SECStatus srv = PK11_ImportCert(

[wtc, 2011/12/08 00:07:43]

Please add a CHECK (non-debug assertion) here to assert that
net::x509_util::GetCertType(cert) is net::SERVER_CERT.

[Greg Spencer (Chromium), 2011/12/09 18:51:38]

Now that we pass the certificate type, this is not necessary.

+        slot.get(),
+        cert->os_cert_handle(),
+        CK_INVALID_HANDLE,
+        net::x509_util::GetDefaultCertificateLabel(cert).c_str(),
+        PR_FALSE /* includeTrust (unused) */);
     if (srv != SECSuccess) {
       LOG(ERROR) << "PK11_ImportCert failed with error " << PORT_GetError();
       not_imported->push_back(net::CertDatabase::ImportCertFailure(
           cert, net::ERR_IMPORT_SERVER_CERT_FAILED));
       continue;
     }
   }
 
   // Set as valid peer, but without any extra trust.
   SetCertTrust(certificates[0].get(), net::SERVER_CERT,
@@ skipping 33 matching lines @@
   } else {
     // ignore user and email/unknown certs
     return true;
   }
   if (srv != SECSuccess)
     LOG(ERROR) << "SetCertTrust failed with error " << PORT_GetError();
   return srv == SECSuccess;
 }
 
 }  // namespace mozilla_security_manager