This applies GUIDs to certificate and key nicknames when

net/base/x509_certificate_nss.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/x509_certificate.h"
 
 #include <cert.h>
 #include <cryptohi.h>
+#include <keyhi.h>
 #include <nss.h>
 #include <pk11pub.h>
 #include <prerror.h>
 #include <prtime.h>
 #include <secder.h>
 #include <secerr.h>
 #include <sechash.h>
 #include <sslerr.h>
 
 #include "base/logging.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/pickle.h"
 #include "base/time.h"
 #include "crypto/nss_util.h"
 #include "crypto/rsa_private_key.h"
 #include "net/base/asn1_util.h"
 #include "net/base/cert_status_flags.h"
 #include "net/base/cert_verify_result.h"
+#include "net/base/cert_type.h"
 #include "net/base/crl_set.h"
 #include "net/base/ev_root_ca_metadata.h"
 #include "net/base/net_errors.h"
 #include "net/base/x509_util_nss.h"
+#include "net/third_party/mozilla_security_manager/nsNSSCertTrust.h"
+
+namespace msm = mozilla_security_manager;
 
 namespace net {
 
 namespace {
 
 class ScopedCERTCertificatePolicies {
  public:
   explicit ScopedCERTCertificatePolicies(CERTCertificatePolicies* policies)
       : policies_(policies) {}
 
@@ skipping 619 matching lines @@
                            CERTCertificate* root_cert,
                            std::vector<SHA1Fingerprint>* hashes) {
   for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list);
        !CERT_LIST_END(node, cert_list);
        node = CERT_LIST_NEXT(node)) {
     hashes->push_back(CertPublicKeyHash(node->cert));
   }
   hashes->push_back(CertPublicKeyHash(root_cert));
 }
 
+bool SetPKCS11Nicknames(CERTCertificate* cert_handle,
+                        const std::string& label) {
+  DCHECK(cert_handle);
+
+  // If the slot isn't initialized, then do nothing.
+  if (!cert_handle->slot)
+    return true;
+
+  // As far as I can tell, there is no API for PKCS11 that allows one
+  // to get the valid public key (that has a valid PKCS11 slot and id)
+  // associated with a certificate.  So, instead, I extract the public
+  // key using CERT_ExtractPublicKey (which returns a key that has no
+  // slot or pkcs11 id set), and then we iterate through all of the
+  // existing public keys (which do have this information), and look
+  // for one that has the same DER encoding as the public key
+  // extracted from this certificate.  I then set the key's nickname
+  // to the given label.

[Ryan Sleevi, 2011/11/22 00:59:03]

Rather than having to extract and encode the DER from the token, would it be
better to use the PK11_ReadRawAttribute() and compare with the CKA_ID? Since you
should have the same CKA_ID between the CKO_PUBLIC_KEY, CKO_PRIVATE_KEY, and
CKO_CERTIFICATE

SECItem key_id;
SECStatus rv = PK11_ReadRawAttribute(cert_handle->slot, cert_handle->pkcs11ID,
CKA_ID, &key_id);
// Alternatively,
// SECItem* key_id = PK11_GetLowLevelKeyIDForCert(
//     cert_handle->slot, cert, NULL);

SECKEYPublicKeyList pubkey_list = NULL;
if (rv == SECSuccess && key_id.len)
  pubkey_list = ...
if (pubkey_list) {
  SECItem node_id;
  for(... node = PUBKEY_LIST_HEAD(pubkey_list); ...) {
    SECStatus rv = PK11_ReadRawAttribute(PK11_TypePubKey, node,
                                         CKA_ID, &node_id);
    if (rv != SECSuccess)
      continue;  // Really, an error
    if (SECITEM_CompareItem(&key_id, &node_id) == 0)
      PK11_SetPublicKeyNickname(node->key, label.c_str());
    SECITEM_FreeItem(&node_id, false);
  }
  SECKEY_DestroyPublicKeyList(pubkey_list)
}


It's a shame too, because NSS has pk11_FindObjectByTemplate exposed via a very
convenient (but private) API PK11_MatchItem.

With PK11_MatchItem, it would simply be

CK_OBJECT_HANDLE key_handle = PK11_MatchItem(cert_handle->slot,
cert_handle->pkcs11ID, CKO_PUBLIC_KEY);
if (key_handle != CK_INVALID_HANDLE)
  PK11_SetPublicKeyNickname(key_handle, label.c_str());

[Greg Spencer (Chromium), 2011/11/29 00:21:49]

That's a great idea, except that there's no way to get the CKA_ID from a cert. 
PK11_ReadRawAttribute isn't implemented for PK11_TypeCert, and
PK11_ReadAttribute is a private interface (in your sample, the first
PK11_ReadRawAttribute function that takes a slot and pkcs11ID doesn't exist).

+  SECKEYPublicKey* public_key = CERT_ExtractPublicKey(cert_handle);
+  if (!public_key)
+    return false;
+
+  SECKEYPublicKeyList* pubkey_list =
+      PK11_ListPublicKeysInSlot(cert_handle->slot, NULL);
+
+  // If there are no public keys, that's OK.
+  if (pubkey_list) {
+    for (SECKEYPublicKeyListNode* node = PUBKEY_LIST_HEAD(pubkey_list);
+        !PUBKEY_LIST_END(node, pubkey_list);
+        node = PUBKEY_LIST_NEXT(node)) {
+      SECItem* der_encoded = PK11_DEREncodePublicKey(node->key);
+      if (SECITEM_CompareItem(der_encoded,
+                              &cert_handle->derPublicKey) == SECEqual)
+        PK11_SetPublicKeyNickname(node->key, label.c_str());
+      SECITEM_FreeItem(der_encoded, PR_TRUE);
+    }
+    SECKEY_DestroyPublicKeyList(pubkey_list);
+  }
+  SECKEY_DestroyPublicKey(public_key);
+
+  // Now set the nickname on the private key (if there is one)
+  SECKEYPrivateKey* private_key =
+      PK11_FindPrivateKeyFromCert(cert_handle->slot, cert_handle, NULL);
+  if (private_key) {
+    PK11_SetPrivateKeyNickname(private_key, label.c_str());
+    SECKEY_DestroyPrivateKey(private_key);
+  }
+  return true;
+}
+
 }  // namespace
 
 void X509Certificate::Initialize() {
   ParsePrincipal(&cert_handle_->subject, &subject_);
   ParsePrincipal(&cert_handle_->issuer, &issuer_);
 
   ParseDate(&cert_handle_->validity.notBefore, &valid_start_);
   ParseDate(&cert_handle_->validity.notAfter, &valid_expiry_);
 
   fingerprint_ = CalculateFingerprint(cert_handle_);
@@ skipping 20 matching lines @@
 
   if (!cert)
     return NULL;
 
   X509Certificate* x509_cert = X509Certificate::CreateFromHandle(
       cert, X509Certificate::OSCertHandles());
   CERT_DestroyCertificate(cert);
   return x509_cert;
 }
 
+bool X509Certificate::SetLabel(const std::string& label) {
+  if (!SetPKCS11Nicknames(cert_handle_, label))
+    return false;
+
+  // Now set the cert's nickname pointer.
+  char* nickname = reinterpret_cast<char*>(
+      PORT_ArenaAlloc(cert_handle_->arena, label.size() + 1));
+  if (!nickname)
+    return false;
+  PORT_Strcpy(nickname, label.c_str());
+  if (cert_handle_->nickname)
+    PORT_ArenaRelease(cert_handle_->arena, cert_handle_->nickname);
+  cert_handle_->nickname = nickname;
+  return true;
+}
+
+std::string X509Certificate::GetLabel() {
+  std::string result;
+  if (cert_handle_->nickname) {
+    // If the cert already has a nickname set, we use that.
+    result = std::string(cert_handle_->nickname);
+  } else {
+    switch(GetCertificateType()) {
+      case CA_CERT: {
+        char *nickname = CERT_MakeCANickname(cert_handle_);
+        result = nickname;
+        PORT_Free(nickname);
+        break;
+      }
+      case USER_CERT: {
+        // Create a nickname for this user certificate.
+        //  We use the scheme used by Firefox:
+        // --> <subject's common name>'s <issuer's common name> ID.
+        // TODO(gspencer): internationalize this: it's wrong to
+        // hard code English.
+
+        std::string username, ca_name;
+        char* temp_username = CERT_GetCommonName(&cert_handle_->subject);
+        char* temp_ca_name = CERT_GetCommonName(&cert_handle_->issuer);
+        if (temp_username) {
+          username = temp_username;
+          PORT_Free(temp_username);
+        }
+        if (temp_ca_name) {
+          ca_name = temp_ca_name;
+          PORT_Free(temp_ca_name);
+        }
+        result = username + "'s " + ca_name + " ID";
+        break;
+      }
+      case SERVER_CERT: {
+        result = subject().GetDisplayName();
+        break;
+      }
+      case UNKNOWN_CERT:
+      default:
+        break;
+    }
+  }
+  return result;
+}
+
+CertType X509Certificate::GetCertificateType() const {
+  msm::nsNSSCertTrust trust(cert_handle_->trust);
+  if (trust.HasAnyUser())
+    return USER_CERT;
+  if (trust.HasAnyCA() || CERT_IsCACert(cert_handle_, NULL))
+    return CA_CERT;
+  if (trust.HasPeer(PR_TRUE, PR_FALSE, PR_FALSE))
+    return SERVER_CERT;
+  return UNKNOWN_CERT;
+}
+
 void X509Certificate::GetSubjectAltName(
     std::vector<std::string>* dns_names,
     std::vector<std::string>* ip_addrs) const {
   if (dns_names)
     dns_names->clear();
   if (ip_addrs)
     ip_addrs->clear();
 
   SECItem alt_name;
   SECStatus rv = CERT_FindCertExtension(cert_handle_,
@@ skipping 195 matching lines @@
   DCHECK(a && b);
   if (a == b)
     return true;
   return a->derCert.len == b->derCert.len &&
       memcmp(a->derCert.data, b->derCert.data, a->derCert.len) == 0;
 }
 
 // static
 X509Certificate::OSCertHandle X509Certificate::CreateOSCertHandleFromBytes(
     const char* data, int length) {
+  return CreateOSCertHandleFromBytesWithNickname(data, length, NULL);
+}
+
+// static
+X509Certificate::OSCertHandle
+X509Certificate::CreateOSCertHandleFromBytesWithNickname(
+    const char* data, int length, const char* nickname) {
   if (length < 0)
     return NULL;
 
   crypto::EnsureNSSInit();
 
   if (!NSS_IsInitialized())
     return NULL;
 
   SECItem der_cert;
   der_cert.data = reinterpret_cast<unsigned char*>(const_cast<char*>(data));
   der_cert.len  = length;
   der_cert.type = siDERCertBuffer;
 
   // Parse into a certificate structure.
-  return CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &der_cert, NULL,
-                                 PR_FALSE, PR_TRUE);
+  X509Certificate::OSCertHandle result =
+      CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &der_cert,
+                              const_cast<char*>(nickname),
+                              PR_FALSE, PR_TRUE);
+
+  // CERT_NewTempCertificate doesn't always fill in the nickname,
+  // so we have to.
+  if (result->nickname)
+    PORT_ArenaRelease(result->arena, result->nickname);
+  int len = strlen(nickname);

[Ryan Sleevi, 2011/11/22 00:59:03]

Since |nickname| is optional (see line 1052), I believe this means that you're
potentially doing strlen(NULL).

Perhaps a short-circuit before here for when there is no nickname?

[Greg Spencer (Chromium), 2011/11/29 00:21:49]

Good catch.  Fixed.

+  char *arena_nickname = reinterpret_cast<char*>(
+      PORT_ArenaAlloc(result->arena, len + 1));
+  PORT_Strncpy(arena_nickname, nickname, len);
+  result->nickname = arena_nickname;
+
+  return result;
 }
 
 // static
 X509Certificate::OSCertHandles X509Certificate::CreateOSCertHandlesFromBytes(
     const char* data, int length, Format format) {
   OSCertHandles results;
   if (length < 0)
     return results;
 
   crypto::EnsureNSSInit();
@@ skipping 88 matching lines @@
 
 // static
 bool X509Certificate::WriteOSCertHandleToPickle(OSCertHandle cert_handle,
                                                 Pickle* pickle) {
   return pickle->WriteData(
       reinterpret_cast<const char*>(cert_handle->derCert.data),
       cert_handle->derCert.len);
 }
 
 }  // namespace net